ailabs/puaros
1
0
Fork 0
mirror of https://github.com/samiyev/puaros.git synced 2025-12-28 07:16:53 +05:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: ailabs:v0.7.9
Branches Tags
ailabs:main
ailabs:ipuaro-v0.30.2 ailabs:ipuaro-v0.30.1 ailabs:ipuaro-v0.30.0 ailabs:ipuaro-v0.29.0 ailabs:ipuaro-v0.28.0 ailabs:ipuaro-v0.27.0 ailabs:ipuaro-v0.26.0 ailabs:ipuaro-v0.25.0 ailabs:ipuaro-v0.24.0 ailabs:ipuaro-v0.23.0 ailabs:ipuaro-v0.22.5 ailabs:ipuaro-v0.22.4 ailabs:ipuaro-v0.22.3 ailabs:ipuaro-v0.22.2 ailabs:ipuaro-v0.22.1 ailabs:ipuaro-v0.21.4 ailabs:ipuaro-v0.21.1 ailabs:ipuaro-v0.21.0 ailabs:ipuaro-v0.20.0 ailabs:ipuaro-v0.19.0 ailabs:ipuaro-v0.18.0 ailabs:ipuaro-v0.17.0 ailabs:ipuaro-v0.16.0 ailabs:ipuaro-v0.15.0 ailabs:ipuaro-v0.14.0 ailabs:ipuaro-v0.13.0 ailabs:ipuaro-v0.12.0 ailabs:ipuaro-v0.11.0 ailabs:ipuaro-v0.10.0 ailabs:ipuaro-v0.9.0 ailabs:ipuaro-v0.8.0 ailabs:ipuaro-v0.7.0 ailabs:ipuaro-v0.6.0 ailabs:ipuaro-v0.5.0 ailabs:ipuaro-v0.4.0 ailabs:guardian-v0.9.4 ailabs:ipuaro-v0.3.1 ailabs:ipuaro-v0.3.0 ailabs:ipuaro-v0.2.0 ailabs:ipuaro-v0.1.1 ailabs:guardian-v0.9.3 ailabs:ipuaro-v0.1.0 ailabs:v0.9.1 ailabs:v0.9.0 ailabs:v0.8.1 ailabs:v0.8.0 ailabs:v0.7.9 ailabs:v0.7.8 ailabs:v0.7.7 ailabs:v0.7.6 ailabs:v0.7.5 ailabs:v0.7.4 ailabs:v0.7.3 ailabs:v0.7.2 ailabs:v0.7.1 ailabs:v0.7.0 ailabs:v0.6.4 ailabs:v0.6.3 ailabs:v0.6.2 ailabs:v0.6.1 ailabs:v0.6.0 ailabs:v0.5.2 ailabs:v0.5.1 ailabs:v0.5.0 ailabs:v0.1.0 ailabs:v0.3.0 ailabs:v0.2.0
...
compare: ailabs:ipuaro-v0.29.0
Branches Tags
ailabs:main
ailabs:ipuaro-v0.30.2 ailabs:ipuaro-v0.30.1 ailabs:ipuaro-v0.30.0 ailabs:ipuaro-v0.29.0 ailabs:ipuaro-v0.28.0 ailabs:ipuaro-v0.27.0 ailabs:ipuaro-v0.26.0 ailabs:ipuaro-v0.25.0 ailabs:ipuaro-v0.24.0 ailabs:ipuaro-v0.23.0 ailabs:ipuaro-v0.22.5 ailabs:ipuaro-v0.22.4 ailabs:ipuaro-v0.22.3 ailabs:ipuaro-v0.22.2 ailabs:ipuaro-v0.22.1 ailabs:ipuaro-v0.21.4 ailabs:ipuaro-v0.21.1 ailabs:ipuaro-v0.21.0 ailabs:ipuaro-v0.20.0 ailabs:ipuaro-v0.19.0 ailabs:ipuaro-v0.18.0 ailabs:ipuaro-v0.17.0 ailabs:ipuaro-v0.16.0 ailabs:ipuaro-v0.15.0 ailabs:ipuaro-v0.14.0 ailabs:ipuaro-v0.13.0 ailabs:ipuaro-v0.12.0 ailabs:ipuaro-v0.11.0 ailabs:ipuaro-v0.10.0 ailabs:ipuaro-v0.9.0 ailabs:ipuaro-v0.8.0 ailabs:ipuaro-v0.7.0 ailabs:ipuaro-v0.6.0 ailabs:ipuaro-v0.5.0 ailabs:ipuaro-v0.4.0 ailabs:guardian-v0.9.4 ailabs:ipuaro-v0.3.1 ailabs:ipuaro-v0.3.0 ailabs:ipuaro-v0.2.0 ailabs:ipuaro-v0.1.1 ailabs:guardian-v0.9.3 ailabs:ipuaro-v0.1.0 ailabs:v0.9.1 ailabs:v0.9.0 ailabs:v0.8.1 ailabs:v0.8.0 ailabs:v0.7.9 ailabs:v0.7.8 ailabs:v0.7.7 ailabs:v0.7.6 ailabs:v0.7.5 ailabs:v0.7.4 ailabs:v0.7.3 ailabs:v0.7.2 ailabs:v0.7.1 ailabs:v0.7.0 ailabs:v0.6.4 ailabs:v0.6.3 ailabs:v0.6.2 ailabs:v0.6.1 ailabs:v0.6.0 ailabs:v0.5.2 ailabs:v0.5.1 ailabs:v0.5.0 ailabs:v0.1.0 ailabs:v0.3.0 ailabs:v0.2.0

87 Commits
v0.7.9 ... ipuaro-v0.

Author SHA1 Message Date
imfozilbek
92ba3fd9ba chore(ipuaro): release v0.29.0 2025-12-05 15:44:27 +05:00
imfozilbek
e9aaa708fe feat(ipuaro): add impact score to initial context 
Add High Impact Files section to initial context showing which files
are most critical based on percentage of codebase that depends on them.

Changes:
- Add impactScore field to FileMeta (0-100)
- Add calculateImpactScore() helper function
- Update MetaAnalyzer to compute impact scores
- Add formatHighImpactFiles() to prompts.ts
- Add includeHighImpactFiles config option (default: true)
- 28 new tests (1826 total)
 2025-12-05 15:43:24 +05:00
imfozilbek
d6d15dd271 feat(ipuaro): add circular dependencies to initial context 
- Add formatCircularDeps() to display cycle chains in context
- Add includeCircularDeps config option (default: true)
- Add circularDeps parameter to BuildContextOptions
- Format: ## ⚠️ Circular Dependencies with → arrows
- 23 new tests (1798 total), 97.48% coverage
 2025-12-05 15:12:26 +05:00
imfozilbek
d63d85d850 feat(ipuaro): add inline dependency graph to initial context 
- Add formatDependencyGraph() to show file relationships in LLM context
- Add includeDepsGraph option to ContextConfigSchema (default: true)
- Format: "services/user: → types/user ← controllers/user"
- Hub files shown first, sorted by total connections
- 21 new tests for dependency graph functionality
 2025-12-05 14:38:45 +05:00
imfozilbek
41cfc21f20 docs(ipuaro): align roadmap versions with package versions 2025-12-05 14:20:14 +05:00
imfozilbek
eeaa223436 chore(ipuaro): release v0.26.0 2025-12-05 13:51:13 +05:00
imfozilbek
36768c06d1 feat(ipuaro): add decorator extraction to initial context 
Extract decorators from classes and methods for NestJS/Angular support.
Decorators are now shown in initial context:
- @Controller('users') class UserController
- @Get(':id') async getUser(id: string): Promise<User>

Changes:
- Add decorators field to FunctionInfo, MethodInfo, ClassInfo
- Update ASTParser to extract decorators from tree-sitter nodes
- Update formatFileSummary to display decorators prefix
- Add 18 unit tests for decorator extraction and formatting
 2025-12-05 13:38:46 +05:00
imfozilbek
5a22cd5c9b feat(ipuaro): add enum value definitions to initial context 
Extract enum declarations with member names and values from TypeScript
AST and display them in the initial LLM context. This allows the LLM
to know valid enum values without making tool calls.

Features:
- Numeric values (Active=1)
- String values (Admin="admin")
- Implicit values (Up, Down)
- Negative numbers (Cold=-10)
- const enum modifier
- export enum modifier
- Long enum truncation (>100 chars)

Adds EnumInfo and EnumMemberInfo interfaces, extractEnum() method in
ASTParser, formatEnumSignature() in prompts.ts, and 17 new unit tests.
 2025-12-05 13:14:51 +05:00
imfozilbek
806c9281b0 chore(ipuaro): release v0.25.0 2025-12-04 22:49:35 +05:00
imfozilbek
12197a9624 feat(ipuaro): add interface fields and type alias definitions to context 
- Add interface field display in initial context: interface User { id: string, name: string }
- Add type alias definition display: type UserId = string
- Support readonly fields, extends, union/intersection types
- Add definition field to TypeAliasInfo in FileAST
- Update ASTParser to extract type alias definitions
- Add formatInterfaceSignature() and formatTypeAliasSignature() helpers
- Truncate long type definitions at 80 characters
- Translate ROADMAP.md from Russian to English
- Add 18 new tests for interface fields and type aliases
 2025-12-04 22:49:03 +05:00
imfozilbek
1489b69e69 chore(ipuaro): release v0.24.0 2025-12-04 22:29:31 +05:00
imfozilbek
2dcb22812c feat(ipuaro): add function signatures to initial context 
- Add full function signatures with parameter types and return types
- Arrow functions now extract returnType in ASTParser
- New formatFunctionSignature() helper in prompts.ts
- Add includeSignatures config option (default: true)
- Support compact format when includeSignatures: false
- 15 new tests, coverage 91.14% branches
 2025-12-04 22:29:02 +05:00
imfozilbek
7d7c99fe4d docs(ipuaro): add v0.24.0 and v0.25.0 to roadmap for rich context 
Add two new milestones before 1.0.0 release:

v0.24.0 - Rich Initial Context:
- Function signatures with types
- Interface/Type field definitions
- Enum value definitions
- Decorator extraction

v0.25.0 - Graph Metrics in Context:
- Inline dependency graph
- Circular dependencies display
- Impact score for critical files
- Transitive dependencies count

Update 1.0.0 checklist to require both milestones.
Update context budget table with new token estimates.
 2025-12-04 22:07:38 +05:00
imfozilbek
a3f0ba948f chore(ipuaro): release v0.23.0 2025-12-04 19:59:36 +05:00
imfozilbek
141888bf59 feat(ipuaro): add JSON/YAML parsing and symlinks metadata 
- Add YAML parsing using yaml npm package
- Add JSON parsing using tree-sitter-json
- Add symlinkTarget to ScanResult interface
- Update ROADMAP: verify v0.20.0-v0.23.0 complete
- Add 8 new tests (1687 total)
 2025-12-04 19:57:06 +05:00
imfozilbek
b0f1778f3a docs(guardian): add research citations for 15 roadmap features 
Add comprehensive research citations for upcoming features:
- Domain Event Usage Validation (Section 15)
- Value Object Immutability (Section 16)
- CQS/CQRS (Section 17)
- Factory Pattern (Section 18)
- Specification Pattern (Section 19)
- Bounded Context (Section 20)
- Persistence Ignorance (Section 21)
- Null Object Pattern (Section 22)
- Primitive Obsession (Section 23)
- Service Locator Anti-pattern (Section 24)
- Double Dispatch/Visitor Pattern (Section 25)
- Entity Identity (Section 26)
- Saga Pattern (Section 27)
- Anti-Corruption Layer (Section 28)
- Ubiquitous Language (Section 29)

Sources include: GoF Design Patterns, Bertrand Meyer, Eric Evans,
Vaughn Vernon, Martin Fowler, Chris Richardson, Mark Seemann,
and academic papers (Garcia-Molina Sagas 1987).

Document version: 1.1 → 2.0
 2025-12-04 19:11:54 +05:00
imfozilbek
9c94335729 feat(ipuaro): add commands configuration 
- Add CommandsConfigSchema with timeout option
- Integrate timeout configuration in RunCommandTool
- Add 22 new unit tests (19 schema + 3 integration)
- Complete v0.22.0 Extended Configuration milestone
 2025-12-02 03:03:57 +05:00
imfozilbek
c34d57c231 chore(ipuaro): release v0.22.4 2025-12-02 02:29:56 +05:00
imfozilbek
60052c0db9 feat(ipuaro): add autocomplete configuration 
- Add AutocompleteConfigSchema with enabled, source, maxSuggestions
- Update useAutocomplete hook to read from config
- Add 27 unit tests for autocomplete config
- Fix unused variable in Chat component
- Update ROADMAP and CHANGELOG
 2025-12-02 02:26:36 +05:00
imfozilbek
fa647c41aa feat(ipuaro): add context configuration 
- Add ContextConfigSchema with systemPromptTokens, maxContextUsage, autoCompressAt, compressionMethod
- Update ContextManager to read compression threshold from config
- Update HandleMessage and useSession to pass context config
- Add 40 unit tests (32 schema + 8 integration)
- Coverage: 97.63% lines, 91.34% branches
 2025-12-02 02:02:34 +05:00
imfozilbek
98b365bd94 chore(ipuaro): release v0.22.2 2025-12-02 01:39:37 +05:00
imfozilbek
a7669f8947 feat(ipuaro): add session configuration 
- Add SessionConfigSchema with persistIndefinitely, maxHistoryMessages, saveInputHistory
- Implement Session.truncateHistory() method for limiting message history
- Update HandleMessage to support history truncation and input history toggle
- Add config flow through useSession and App components
- Add 19 unit tests for SessionConfigSchema
- Update CHANGELOG.md and ROADMAP.md for v0.22.2
 2025-12-02 01:34:04 +05:00
imfozilbek
7f0ec49c90 chore(ipuaro): release v0.22.1 2025-12-02 01:03:11 +05:00
imfozilbek
077d160343 feat(ipuaro): add display configuration 
Add DisplayConfigSchema with theme support (dark/light), stats/tool calls visibility toggles, bell notification on completion, and progress bar control. Includes theme utilities with dynamic color schemes and 46 new tests.
 2025-12-02 01:01:54 +05:00
imfozilbek
b5ee77d8b8 chore(ipuaro): release v0.21.4 2025-12-02 00:38:41 +05:00
imfozilbek
a589b0dfc4 feat(ipuaro): add multiline input and syntax highlighting 
- Multiline input support with Shift+Enter for new lines
- Auto-height adjustment and line navigation
- Syntax highlighting in DiffView for added lines
- Language detection from file extensions
- Config options for multiline and syntaxHighlight
 2025-12-02 00:31:21 +05:00
imfozilbek
908c2f50d7 chore(ipuaro): release v0.21.1 2025-12-02 00:05:10 +05:00
imfozilbek
510c42241a feat(ipuaro): add edit mode in ConfirmDialog 
- New EditableContent component for inline editing
- ConfirmDialog supports [E] to edit proposed changes
- ExecuteTool handles edited content from user
- ConfirmationResult type with editedContent field
- App.tsx implements Promise-based confirmation flow
- All 1484 tests passing, 0 ESLint errors
 2025-12-02 00:00:37 +05:00
imfozilbek
357cf27765 feat(ipuaro): add Tab autocomplete for file paths in TUI 
- Implement useAutocomplete hook with fuzzy matching and Redis integration
- Add visual feedback showing up to 5 suggestions below input
- Support Tab key for completion with common prefix algorithm
- Real-time suggestion updates as user types
- Path normalization (handles ./, trailing slashes)
- Case-insensitive matching with scoring algorithm
- Add 21 unit tests with jsdom environment
- Update Input component with storage and projectRoot props
- Refactor key handlers to reduce complexity
- Install @testing-library/react, jsdom, @types/jsdom
- Update react-dom to 18.3.1 for compatibility
- Configure jsdom environment for TUI tests in vitest config
- Adjust coverage threshold for branches to 91.5%
- Fix deprecated ErrorChoice usage (use ErrorOption)

Version: 0.21.0
Tests: 1484 passed (+21)
Coverage: 97.60% lines, 91.58% branches
 2025-12-01 21:56:02 +05:00
imfozilbek
6695cb73d4 chore(ipuaro): release v0.20.0 
Added IndexProject and ExecuteTool use cases:
- IndexProject orchestrates full indexing pipeline
- ExecuteTool manages tool execution with confirmation
- Refactored CLI index and TUI /reindex commands
- Refactored HandleMessage to use ExecuteTool
- Added 19 unit tests for IndexProject
- All 1463 tests passing, 91.58% branch coverage
 2025-12-01 21:32:20 +05:00
imfozilbek
5a9470929c fix(ipuaro): correct bin path in package.json 2025-12-01 21:10:29 +05:00
imfozilbek
137c77cc53 chore(ipuaro): release v0.19.0 2025-12-01 21:06:51 +05:00
imfozilbek
0433ef102c refactor(ipuaro): simplify LLM integration with pure XML tool format 
Refactor OllamaClient to use pure XML format for tool calls as
designed in CONCEPT.md. Removes dual system (Ollama native tools +
XML parser) in favor of single source of truth (ResponseParser).

Changes:
- Remove tools parameter from ILLMClient.chat() interface
- Remove convertTools(), convertParameters(), extractToolCalls()
- Add XML format instructions to system prompt with examples
- Add CDATA support in ResponseParser for multiline content
- Add tool name validation with helpful error messages
- Move ToolDef/ToolParameter to shared/types/tool-definitions.ts

Benefits:
- Simplified architecture (single source of truth)
- CONCEPT.md compliance (pure XML as designed)
- Better validation (early detection of invalid tools)
- Reduced complexity (fewer format conversions)

Tests: 1444 passed (+4 new tests)
Coverage: 97.83% lines, 91.98% branches, 99.16% functions
 2025-12-01 21:03:55 +05:00
imfozilbek
902d1db831 docs(ipuaro): add missing features from CONCEPT.md to roadmap 
Add versions 0.19.0-0.23.0 with features identified as missing:
- 0.19.0: XML tool format refactor (align with CONCEPT.md)
- 0.20.0: IndexProject and ExecuteTool use cases
- 0.21.0: TUI enhancements (useAutocomplete, edit mode, multiline, syntax highlight)
- 0.22.0: Extended configuration (display, session, context, autocomplete, commands)
- 0.23.0: JSON/YAML AST parsing and symlinks metadata
 2025-12-01 20:39:07 +05:00
imfozilbek
c843b780a8 test(ipuaro): improve test coverage to 92% branches 
- Raise branch coverage threshold from 90% to 92%
- Add 21 new edge-case tests across modules
- Watchdog: add tests for error handling, flushAll, polling mode
- OllamaClient: add tests for AbortError and model not found
- GetLinesTool: add tests for filesystem fallback, undefined params
- GetClassTool: add tests for undefined extends, error handling
- GetFunctionTool: add tests for error handling, undefined returnType

Coverage results:
- Lines: 97.83% (threshold 95%)
- Branches: 92.01% (threshold 92%)
- Functions: 99.16% (threshold 95%)
- Statements: 97.83% (threshold 95%)
- Total tests: 1441 (all passing)
 2025-12-01 17:39:58 +05:00
imfozilbek
0dff0e87d0 chore(ipuaro): bump version to 0.18.0 2025-12-01 16:58:16 +05:00
imfozilbek
ab2d5d40a5 feat(ipuaro): add working demo project examples 
Added comprehensive demo project showcasing ipuaro capabilities:

New Files:
- examples/demo-project/: Complete TypeScript demo application
  - src/: User management, auth, validation, logging (336 LOC)
  - tests/: Vitest unit tests for UserService
  - Configuration: package.json, tsconfig.json, .ipuaro.json

Demo Features:
- UserService with CRUD operations
- AuthService with login/logout/verify
- Validation utilities (email, password)
- Logger utility with multiple log levels
- TypeScript types and interfaces
- Intentional TODOs (2) and FIXMEs (1) for tool demonstration

Documentation:
- README.md: Detailed usage guide with example queries
- EXAMPLE_CONVERSATIONS.md: Realistic conversation scenarios
- Tool demonstration scenarios (bug fix, refactoring, features)
- Workflow examples (security audit, optimization, code review)

Updated:
- packages/ipuaro/README.md: Added Quick Start section linking to examples

Project Statistics:
- 12 files total
- 336 lines of TypeScript code
- 7 source modules demonstrating various patterns
- Full test coverage examples
- Demonstrates all 18 tools capabilities

This completes the "Examples working" requirement for v1.0.0
 2025-12-01 16:53:49 +05:00
imfozilbek
baccfd53c0 docs(ipuaro): complete comprehensive documentation for v0.17.0 
Added:
- ARCHITECTURE.md: Complete architecture documentation with Clean Architecture principles, data flows, design decisions
- TOOLS.md: Comprehensive reference for all 18 tools with examples and best practices
- README.md: Enhanced with tools reference, slash commands, hotkeys, troubleshooting, FAQ, API examples

Updated:
- README.md: Status to Release Candidate, all features marked complete
- CHANGELOG.md: Added v0.17.0 entry with documentation statistics
- ROADMAP.md: Added v0.17.0 milestone, marked documentation complete
- package.json: Bumped version to 0.17.0

Documentation statistics:
- Total: ~2500 lines across 3 files
- 18/18 tools documented (100%)
- 8/8 slash commands documented (100%)
- 50+ code examples
- 6 troubleshooting entries
- 8 FAQ answers

All tests passing (1420), coverage 97.59%, zero lint errors
 2025-12-01 16:09:47 +05:00
imfozilbek
8f995fc596 feat(ipuaro): add error handling matrix and ErrorHandler service 
Implemented comprehensive error handling system according to v0.16.0 roadmap:

- ERROR_MATRIX with 9 error types (redis, parse, llm, file, command, conflict, validation, timeout, unknown)
- Enhanced IpuaroError with options, defaultOption, context properties
- New methods: getMeta(), hasOption(), toDisplayString()
- ErrorHandler service with handle(), wrap(), withRetry() methods
- Utility functions: getErrorOptions(), isRecoverableError(), toIpuaroError()
- 59 new tests (27 for IpuaroError, 32 for ErrorHandler)
- Coverage maintained at 97.59%

Breaking changes:
- IpuaroError constructor signature changed to (type, message, options?)
- ErrorChoice deprecated in favor of ErrorOption
 2025-12-01 15:50:30 +05:00
imfozilbek
f947c6d157 feat(ipuaro): add CLI entry point (v0.15.0) 
- Add onboarding module for pre-flight checks (Redis, Ollama, model, project)
- Implement start command with TUI rendering and dependency injection
- Implement init command for .ipuaro.json config file creation
- Implement index command for standalone project indexing
- Add CLI options: --auto-apply, --model, --help, --version
- Register all 18 tools via tools-setup helper
- Add 29 unit tests for CLI commands
- Update CHANGELOG and ROADMAP for v0.15.0
 2025-12-01 15:03:45 +05:00
imfozilbek
33d52bc7ca feat(ipuaro): add slash commands for TUI (v0.14.0) 
- Add useCommands hook with command parser
- Implement 8 commands: /help, /clear, /undo, /sessions, /status, /reindex, /eval, /auto-apply
- Integrate commands into App.tsx with visual feedback
- Add 38 unit tests for commands
- Update ROADMAP.md to reflect current status
 2025-12-01 14:33:30 +05:00
imfozilbek
2c6eb6ce9b feat(ipuaro): add PathValidator security utility (v0.13.0) 
Add centralized path validation to prevent path traversal attacks.

- PathValidator class with sync/async validation methods
- Protects against '..' and '~' traversal patterns
- Validates paths are within project root
- Refactored all 7 file tools to use PathValidator
- 51 new tests for PathValidator
 2025-12-01 14:02:23 +05:00
imfozilbek
7d18e87423 feat(ipuaro): add TUI advanced components (v0.12.0) 
Add DiffView, ConfirmDialog, ErrorDialog, and Progress components
for enhanced terminal UI interactions.
 2025-12-01 13:34:17 +05:00
imfozilbek
fd1e6ad86e feat(ipuaro): add TUI components and hooks (v0.11.0) 2025-12-01 13:00:14 +05:00
imfozilbek
259ecc181a chore(ipuaro): bump version to 0.10.0 2025-12-01 12:28:27 +05:00
imfozilbek
0f2ed5b301 feat(ipuaro): add session management (v0.10.0) 
- Add ISessionStorage interface and RedisSessionStorage implementation
- Add ContextManager for token budget and compression
- Add StartSession, HandleMessage, UndoChange use cases
- Update CHANGELOG and TODO documentation
- 88 new tests (1174 total), 97.73% coverage
 2025-12-01 12:27:22 +05:00
imfozilbek
56643d903f chore(ipuaro): bump version to 0.9.0 2025-12-01 02:55:42 +05:00
imfozilbek
f5f904a847 feat(ipuaro): add git and run tools (v0.9.0) 
Git tools:
- GitStatusTool: repository status (branch, staged, modified, untracked)
- GitDiffTool: uncommitted changes with diff output
- GitCommitTool: create commits with confirmation

Run tools:
- CommandSecurity: blacklist/whitelist shell command validation
- RunCommandTool: execute shell commands with security checks
- RunTestsTool: auto-detect and run vitest/jest/mocha/npm test

All 18 planned tools now implemented.
Tests: 1086 (+233), Coverage: 98.08%
 2025-12-01 02:54:29 +05:00
imfozilbek
2ae1ac13f5 feat(ipuaro): add analysis tools (v0.8.0) 
- GetDependenciesTool: get files a file imports
- GetDependentsTool: get files that import a file
- GetComplexityTool: get complexity metrics
- GetTodosTool: find TODO/FIXME/HACK comments

Tests: 853 (+120), Coverage: 97.91%
 2025-12-01 02:23:36 +05:00
imfozilbek
caf7aac116 feat(ipuaro): add search tools (v0.7.0) 2025-12-01 02:05:27 +05:00
imfozilbek
4ad5a209c4 feat(ipuaro): add edit tools (v0.6.0) 
Add file editing capabilities:
- EditLinesTool: replace lines with hash conflict detection
- CreateFileTool: create files with directory auto-creation
- DeleteFileTool: delete files from filesystem and storage

Total: 664 tests, 97.77% coverage
 2025-12-01 01:44:45 +05:00
imfozilbek
25146003cc feat(ipuaro): add read tools (v0.5.0) 
- ToolRegistry: tool lifecycle management, execution with validation
- GetLinesTool: read file lines with line numbers
- GetFunctionTool: get function source using AST
- GetClassTool: get class source using AST
- GetStructureTool: directory tree with filtering

121 new tests, 540 total
 2025-12-01 00:52:00 +05:00
imfozilbek
68f927d906 feat(ipuaro): add LLM integration module 
- OllamaClient: ILLMClient implementation with tool support
- System prompt and context builders for project overview
- 18 tool definitions across 6 categories (read, edit, search, analysis, git, run)
- XML response parser for tool call extraction
- 98 new tests (419 total), 96.38% coverage
 2025-12-01 00:10:11 +05:00
imfozilbek
b3e04a411c fix: normalize repository URLs in package.json 2025-11-30 01:53:57 +05:00
imfozilbek
294d085ad4 chore(ipuaro): bump version to 0.3.1 2025-11-30 01:50:33 +05:00
imfozilbek
958e4daed5 chore(guardian): bump version to 0.9.4 2025-11-30 01:50:21 +05:00
imfozilbek
6234fbce92 docs: add roadmap workflow instructions 2025-11-30 01:28:44 +05:00
imfozilbek
af9c2377a0 chore(ipuaro): bump version to 0.3.0 2025-11-30 01:25:23 +05:00
imfozilbek
d0c1ddc22e feat(ipuaro): implement indexer module (v0.3.0) 
Add complete indexer infrastructure:
- FileScanner: recursive scanning with gitignore support
- ASTParser: tree-sitter based TS/JS/TSX/JSX parsing
- MetaAnalyzer: complexity metrics, dependency analysis
- IndexBuilder: symbol index and dependency graph
- Watchdog: file watching with chokidar and debouncing

321 tests, 96.38% coverage
 2025-11-30 01:24:21 +05:00
imfozilbek
225480c806 feat(ipuaro): implement Redis storage module (v0.2.0) 
- Add RedisClient with connection management and AOF config
- Add RedisStorage implementing full IStorage interface
- Add Redis key schema for project and session data
- Add generateProjectName() utility
- Add 68 unit tests for Redis module (159 total)
- Update ESLint: no-unnecessary-type-parameters as warn
 2025-11-30 00:22:49 +05:00
imfozilbek
fd8e97af0e chore(ipuaro): bump version to 0.1.1 2025-11-29 23:25:49 +05:00
imfozilbek
d36f9a6e21 chore(guardian): bump version to 0.9.3 2025-11-29 23:24:28 +05:00
imfozilbek
4267938dcd docs(guardian): remove fictional success stories and stats 2025-11-29 23:22:26 +05:00
imfozilbek
127c7e2185 docs(ipuaro): improve README with detailed documentation 2025-11-29 23:19:56 +05:00
imfozilbek
130a8c4f24 feat(ipuaro): implement v0.1.0 foundation 
- Project setup with tsup, vitest, ESM support
- Domain entities: Session, Project
- Value objects: FileData, FileAST, FileMeta, ChatMessage, ToolCall, ToolResult, UndoEntry
- Service interfaces: IStorage, ILLMClient, ITool, IIndexer, IToolRegistry
- Shared: Config (zod), IpuaroError, utils (hash, tokens), Result type
- CLI with placeholder commands (start, init, index)
- 91 unit tests with 100% coverage
- Fix package scope @puaros -> @samiyev in CLAUDE.md
 2025-11-29 23:08:38 +05:00
imfozilbek
7f6180df37 docs: add monorepo versioning strategy and release pipeline 
- add Path Reference section with explicit paths
- add Monorepo Versioning Strategy with prefixed tags
- add 6-phase Release Pipeline documentation
- update Git Commit Format for monorepo (package scope)
- update .gitmessage with package scopes
- fix tsconfig.json references (remove non-existent, add ipuaro)
- fix guardian tsconfig formatting (4-space indent)
 2025-11-29 22:41:03 +05:00
imfozilbek
daace23814 docs: move ipuaro CONCEPT.md to docs folder 2025-11-29 22:12:28 +05:00
imfozilbek
625e109c0a feat: add ipuaro package with concept and roadmap 2025-11-29 22:10:32 +05:00
imfozilbek
ec7adb1330 docs: add ipuaro package documentation to root files 2025-11-29 22:10:13 +05:00
imfozilbek
085e236c4a docs: move guardian analysis docs to docs folder 2025-11-29 22:09:42 +05:00
imfozilbek
ee6388f587 docs: add research on project structure detection approaches 2025-11-28 11:41:21 +05:00
imfozilbek
a75dbcf147 chore: bump version to 0.9.2 2025-11-27 19:32:07 +05:00
imfozilbek
42da5127cc docs: update CHANGELOG.md for v0.9.2 2025-11-27 19:28:32 +05:00
imfozilbek
0da6d9f3c2 test: update naming convention detector tests for AST-based analysis 2025-11-27 19:27:46 +05:00
imfozilbek
6b35679f09 refactor: update AST strategies to use centralized node type constants 2025-11-27 19:27:30 +05:00
imfozilbek
07e6535633 refactor: add context keywords and improve hardcoded value suggestions 2025-11-27 19:27:07 +05:00
imfozilbek
e8626dd03c refactor: migrate naming convention detector to AST-based analysis 2025-11-27 19:26:43 +05:00
imfozilbek
ce78183c6e refactor: create AST-based naming analyzers for enhanced detection 2025-11-27 19:26:24 +05:00
imfozilbek
1d6aebcd87 refactor: add AST node type constants for tree-sitter analysis 2025-11-27 19:26:01 +05:00
imfozilbek
ceb87f1b1f chore: bump version to 0.9.1 2025-11-26 18:10:36 +05:00
imfozilbek
b953956181 docs: update CHANGELOG.md for v0.9.1 2025-11-26 17:39:21 +05:00
imfozilbek
af094eb54a refactor: migrate hardcode detector from regex to AST-based analysis 
- Replace regex-based matchers with tree-sitter AST traversal
- Add duplicate value tracking across files
- Implement boolean literal detection
- Add value type classification (email, url, ip, api_key, etc.)
- Improve context awareness with AST node analysis
- Reduce false positives with better constant detection

Breaking changes removed:
- BraceTracker.ts
- ExportConstantAnalyzer.ts
- MagicNumberMatcher.ts
- MagicStringMatcher.ts

New components added:
- AstTreeTraverser for AST walking
- DuplicateValueTracker for cross-file tracking
- AstContextChecker for node context analysis
- AstNumberAnalyzer, AstStringAnalyzer, AstBooleanAnalyzer
- ValuePatternMatcher for type detection

Test coverage: 87.97% statements, 96.75% functions
 2025-11-26 17:38:30 +05:00
imfozilbek
656571860e docs: add Anemic Model Detection documentation to WHY.md and RESEARCH_CITATIONS.md 2025-11-26 00:44:12 +05:00
imfozilbek
a6b4c69b75 feat: add anemic model detection and refactor hardcoded values (v0.9.0) 2025-11-26 00:09:48 +05:00
imfozilbek
1d6c2a0e00 refactor: extract all hardcoded values to constants (v0.8.1) 
Fix all 63 hardcoded value issues from Guardian self-check:
- Remove hardcoded Slack token from documentation
- Remove aws-sdk framework leak from domain layer
- Rename 4 pipeline files to verb-noun convention
- Extract 57 magic strings to SecretExamples.ts constants
- Update SecretViolation, SecretDetector, MagicStringMatcher
- Use typeof for TypeScript literal type in getSeverity()

Result: 0 issues in Guardian self-check (was 63)
All 566 tests passing, build successful
 2025-11-25 19:06:33 +05:00
imfozilbek
db8a97202e chore: update pnpm-lock.yaml for secretlint dependencies 
Add lockfile changes for @secretlint packages:
- @secretlint/node@11.2.5
- @secretlint/core@11.2.5
- @secretlint/types@11.2.5
- @secretlint/secretlint-rule-preset-recommend@11.2.5
 2025-11-25 18:30:40 +05:00
imfozilbek
0b1cc5a79a feat: add secret detection with Secretlint (v0.8.0) 
Add critical security feature to detect 350+ types of hardcoded secrets
using industry-standard Secretlint library.

Features:
- Detect AWS keys, GitHub tokens, NPM tokens, SSH keys, API keys, etc.
- All secrets marked as CRITICAL severity
- Context-aware remediation suggestions per secret type
- New SecretDetector using @secretlint/node
- New SecretViolation value object (100% test coverage)
- CLI output with "🔐 Secrets" section
- Async pipeline support for secret detection

Tests:
- Added 47 new tests (566 total, 100% pass rate)
- Coverage: 93.3% statements, 83.74% branches
- SecretViolation: 23 tests, 100% coverage
- SecretDetector: 24 tests

Dependencies:
- @secretlint/node: 11.2.5
- @secretlint/core: 11.2.5
- @secretlint/types: 11.2.5
- @secretlint/secretlint-rule-preset-recommend: 11.2.5
 2025-11-25 18:27:27 +05:00
300 changed files with 61703 additions and 1858 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -86,3 +86,4 @@ Thumbs.db
# Yarn Integrity file
.yarn-integrity
packages/guardian/docs/STRATEGIC_ANALYSIS_2025-11.md

15
.gitmessage
View File

@@ -1,9 +1,17 @@
# <type>: <subject>
# <type>(<package>): <subject>
#
# <body>
#
# <footer>
# Format:
# - Package changes: <type>(<package>): <subject>
# Examples: feat(guardian): add detector
# fix(ipuaro): resolve memory leak
# - Root changes: <type>: <subject>
# Examples: chore: update eslint config
# docs: update root README
# Type should be one of the following:
# * feat: A new feature
# * fix: A bug fix
@@ -16,6 +24,11 @@
# * ci: Changes to CI configuration files and scripts
# * chore: Other changes that don't modify src or test files
# * revert: Reverts a previous commit
# Package scopes:
# * guardian - @puaros/guardian package
# * ipuaro - @puaros/ipuaro package
# * (none) - root-level changes
#
# Subject line rules:
# - Use imperative mood ("add feature" not "added feature")

63
CHANGELOG.md
View File

@@ -1,63 +0,0 @@
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
## [0.4.0] - 2025-11-24
### Added
- Dependency direction enforcement - validate that dependencies flow in the correct direction according to Clean Architecture principles
- Architecture layer violation detection for domain, application, and infrastructure layers
## [0.3.0] - 2025-11-24
### Added
- Entity exposure detection - identify when domain entities are exposed outside their module boundaries
- Enhanced architecture violation reporting
## [0.2.0] - 2025-11-24
### Added
- Framework leak detection - detect when domain layer imports framework code
- Framework leak reporting in CLI
- Framework leak examples and documentation
## [0.1.0] - 2025-11-24
### Added
- Initial monorepo setup with pnpm workspaces
- `@puaros/guardian` package - code quality guardian for vibe coders and enterprise teams
- TypeScript with strict type checking and Vitest configuration
- ESLint strict TypeScript rules with 4-space indentation
- Prettier code formatting (4 spaces, double quotes, no semicolons)
- LINTING.md documentation for code style guidelines
- CLAUDE.md for AI assistant guidance
- EditorConfig for consistent IDE settings
- Node.js version specification (.nvmrc: 22.18.0)
- Vitest testing framework with 80% coverage thresholds
- Guardian dependencies: commander, simple-git, tree-sitter, uuid
### Configuration
- TypeScript: nodenext modules, ES2023 target, strict null checks
- ESLint: Strict type checking, complexity limits, code quality rules
- Prettier: 100 char line length, double quotes, no semicolons, trailing commas
- Test coverage: 80% threshold for lines, functions, branches, statements
### Guardian Package
- Hardcode detection (magic numbers, strings)
- Circular dependency detection
- Naming convention enforcement
- Architecture violation detection
- CLI tool with `guardian` command
- 159 tests, all passing
- Clean Architecture implementation
## [0.0.1] - 2025-11-24
### Added
- Initial project structure
- Monorepo workspace configuration

485
CLAUDE.md
View File

@@ -4,7 +4,53 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
## Project Overview
Puaros is a TypeScript monorepo using pnpm workspaces. Currently contains the `@puaros/guardian` package - a code quality guardian for detecting hardcoded values, circular dependencies, framework leaks, naming violations, and architecture violations. The project uses Node.js 22.18.0 (see `.nvmrc`).
Puaros is a TypeScript monorepo using pnpm workspaces. Contains two packages:
- **`@samiyev/guardian`** - Code quality guardian for detecting hardcoded values, circular dependencies, framework leaks, naming violations, and architecture violations.
- **`@samiyev/ipuaro`** - Local AI agent for codebase operations with "infinite" context feeling. Uses lazy loading, Redis persistence, tree-sitter AST parsing, and Ollama LLM integration.
The project uses Node.js 22.18.0 (see `.nvmrc`).
## Path Reference
**Root:** `/Users/fozilbeksamiyev/projects/ailabs/puaros`
### Key Paths
| Description | Path |
|-------------|------|
| **Root** | `.` |
| **Guardian package** | `packages/guardian` |
| **Guardian src** | `packages/guardian/src` |
| **Guardian tests** | `packages/guardian/tests` |
| **Guardian CLI** | `packages/guardian/src/cli` |
| **Guardian domain** | `packages/guardian/src/domain` |
| **Guardian infrastructure** | `packages/guardian/src/infrastructure` |
| **ipuaro package** | `packages/ipuaro` |
| **ipuaro docs** | `packages/ipuaro/docs` |
### File Locations
| File | Location |
|------|----------|
| Root package.json | `./package.json` |
| Guardian package.json | `packages/guardian/package.json` |
| Guardian tsconfig | `packages/guardian/tsconfig.json` |
| Guardian TODO | `packages/guardian/TODO.md` |
| Guardian CHANGELOG | `packages/guardian/CHANGELOG.md` |
| ipuaro ROADMAP | `packages/ipuaro/ROADMAP.md` |
| ESLint config | `./eslint.config.mjs` |
| Prettier config | `./.prettierrc` |
| Base tsconfig | `./tsconfig.base.json` |
### Path Rules
1. **Always use relative paths from project root** (not absolute)
2. **Package paths start with** `packages/<name>/`
3. **Source code is in** `packages/<name>/src/`
4. **Tests are in** `packages/<name>/tests/`
5. **Docs are in** `packages/<name>/docs/` or `./docs/`
## Essential Commands
@@ -100,28 +146,51 @@ From `eslint.config.mjs` and detailed in `LINTING.md`:
Follow Conventional Commits format. See `.gitmessage` for full rules.
Format: `<type>: <subject>` (imperative mood, no caps, max 50 chars)
**Monorepo format:** `<type>(<package>): <subject>`
**IMPORTANT: Do NOT add "Generated with Claude Code" footer or "Co-Authored-By: Claude" to commit messages.**
Commits should only follow the Conventional Commits format without any additional attribution.
Examples:
- `feat(guardian): add circular dependency detector`
- `fix(ipuaro): resolve memory leak in indexer`
- `docs(guardian): update CLI usage examples`
- `refactor(ipuaro): extract tool registry`
**Root-level changes:** `<type>: <subject>` (no scope)
- `chore: update eslint config`
- `docs: update root README`
**Types:** feat, fix, docs, style, refactor, test, chore
**Rules:**
- Imperative mood, no caps, max 50 chars
- Do NOT add "Generated with Claude Code" footer
- Do NOT add "Co-Authored-By: Claude"
## Monorepo Structure
```
puaros/
├── packages/
── guardian/ # @puaros/guardian - Code quality analyzer
├── src/ # Source files (Clean Architecture layers)
│ ├── domain/ # Domain layer (entities, value objects)
│ ├── application/ # Application layer (use cases, DTOs)
│ ├── infrastructure/ # Infrastructure layer (parsers, analyzers)
│ ├── cli/ # CLI implementation
│ └── shared/ # Shared utilities
├── dist/ # Build output
── guardian/ # @samiyev/guardian - Code quality analyzer
├── src/ # Source files (Clean Architecture)
│ ├── domain/ # Entities, value objects
│ ├── application/ # Use cases, DTOs
│ ├── infrastructure/ # Parsers, analyzers
│ ├── cli/ # CLI implementation
│ └── shared/ # Shared utilities
├── bin/ # CLI entry point
│ │ ├── tests/ # Test files
│ │ └── examples/ # Usage examples
│ └── ipuaro/ # @samiyev/ipuaro - Local AI agent
│ ├── src/ # Source files (Clean Architecture)
│ │ ├── domain/ # Entities, value objects, services
│ │ ├── application/ # Use cases, DTOs, mappers
│ │ ├── infrastructure/ # Storage, LLM, indexer, tools
│ │ ├── tui/ # Terminal UI (Ink/React)
│ │ ├── cli/ # CLI commands
│ │ └── shared/ # Types, constants, utils
│ ├── bin/ # CLI entry point
│ ├── tests/ # Test files
── examples/ # Usage examples
│ └── package.json # Uses Vitest for testing
│ ├── tests/ # Unit and E2E tests
── examples/ # Demo projects
├── pnpm-workspace.yaml # Workspace configuration
└── tsconfig.base.json # Shared TypeScript config
```
@@ -142,6 +211,34 @@ Key features:
- Architecture violation detection
- CLI tool with `guardian` command
### ipuaro Package Architecture
The ipuaro package follows Clean Architecture principles:
- **Domain Layer**: Entities (Session, Project), value objects (FileData, FileAST, ChatMessage), service interfaces
- **Application Layer**: Use cases (StartSession, HandleMessage, IndexProject, ExecuteTool), DTOs, mappers
- **Infrastructure Layer**: Redis storage, Ollama client, indexer, 18 tool implementations, security
- **TUI Layer**: Ink/React components (StatusBar, Chat, Input, DiffView, ConfirmDialog)
- **CLI Layer**: Commander.js entry point and commands
Key features:
- 18 LLM tools (read, edit, search, analysis, git, run)
- Redis persistence with AOF
- tree-sitter AST parsing (ts, tsx, js, jsx)
- Ollama LLM integration (qwen2.5-coder:7b-instruct)
- File watching via chokidar
- Session and undo management
- Security (blacklist/whitelist for commands)
**Tools summary:**
| Category | Tools |
|----------|-------|
| Read | get_lines, get_function, get_class, get_structure |
| Edit | edit_lines, create_file, delete_file |
| Search | find_references, find_definition |
| Analysis | get_dependencies, get_dependents, get_complexity, get_todos |
| Git | git_status, git_diff, git_commit |
| Run | run_command, run_tests |
### TypeScript Configuration
Base configuration (`tsconfig.base.json`) uses:
@@ -163,253 +260,283 @@ Guardian package (`packages/guardian/tsconfig.json`):
## Adding New Packages
1. Create `packages/new-package/` directory
2. Add `package.json` with name `@puaros/new-package`
2. Add `package.json` with name `@samiyev/new-package`
3. Create `tsconfig.json` extending `../../tsconfig.base.json`
4. Package auto-discovered via `pnpm-workspace.yaml` glob pattern
## Dependencies
Guardian package uses:
- `commander` - CLI framework for command-line interface
**Guardian package:**
- `commander` - CLI framework
- `simple-git` - Git operations
- `tree-sitter` - Abstract syntax tree parsing
- `tree-sitter-javascript` - JavaScript parser
- `tree-sitter-typescript` - TypeScript parser
- `tree-sitter` - AST parsing
- `tree-sitter-javascript/typescript` - JS/TS parsers
- `uuid` - UUID generation
Development tools:
- Vitest for testing with coverage thresholds
**ipuaro package:**
- `ink`, `ink-text-input`, `react` - Terminal UI
- `ioredis` - Redis client
- `tree-sitter` - AST parsing
- `tree-sitter-javascript/typescript` - JS/TS parsers
- `ollama` - LLM client
- `simple-git` - Git operations
- `chokidar` - File watching
- `commander` - CLI framework
- `zod` - Validation
- `ignore` - Gitignore parsing
**Development tools (shared):**
- Vitest for testing (80% coverage threshold)
- ESLint with TypeScript strict rules
- Prettier for formatting
- `@vitest/ui` - Vitest UI for interactive testing
- Prettier (4-space indentation)
- `@vitest/ui` - Interactive testing UI
- `@vitest/coverage-v8` - Coverage reporting
## Development Workflow
## Monorepo Versioning Strategy
### Complete Feature Development & Release Workflow
### Git Tag Format
This workflow ensures high quality and consistency from feature implementation to package publication.
#### Phase 1: Feature Planning & Implementation
```bash
# 1. Create feature branch (if needed)
git checkout -b feature/your-feature-name
# 2. Implement feature following Clean Architecture
# - Add to appropriate layer (domain/application/infrastructure/cli)
# - Follow naming conventions
# - Keep functions small and focused
# 3. Update constants if adding CLI options
# Edit: packages/guardian/src/cli/constants.ts
**Prefixed tags for each package:**
```
guardian-v0.5.0
ipuaro-v0.1.0
```
#### Phase 2: Quality Checks (Run After Implementation)
**Why prefixed tags:**
- Independent versioning per package
- Clear release history for each package
- Works with npm publish and CI/CD
- Easy to filter: `git tag -l "guardian-*"`
**Legacy tags:** Tags before monorepo (v0.1.0, v0.2.0, etc.) are kept as-is for historical reference.
### Semantic Versioning
All packages follow SemVer: `MAJOR.MINOR.PATCH`
- **MAJOR** (1.0.0) - Breaking API changes
- **MINOR** (0.1.0) - New features, backwards compatible
- **PATCH** (0.0.1) - Bug fixes, backwards compatible
**Pre-1.0 policy:** Minor bumps (0.x.0) may include breaking changes.
## Release Pipeline
**Quick reference:** Say "run pipeline for [package]" to execute full release flow.
The pipeline has 6 phases. Each phase must pass before proceeding.
### Phase 1: Quality Gates
```bash
# Navigate to package
cd packages/guardian
cd packages/<package>
# 1. Format code (REQUIRED - 4 spaces indentation)
pnpm format
# 2. Build to check compilation
pnpm build
# 3. Run linter (must pass with 0 errors, 0 warnings)
cd ../.. && pnpm eslint "packages/**/*.ts" --fix
# 4. Run tests (all must pass)
pnpm test:run
# 5. Check coverage (must be ≥80%)
pnpm test:coverage
# All must pass:
pnpm format # 4-space indentation
pnpm build # TypeScript compiles
cd ../.. && pnpm eslint "packages/**/*.ts" --fix # 0 errors, 0 warnings
cd packages/<package>
pnpm test:run # All tests pass
pnpm test:coverage # Coverage ≥80%
```
**Quality Gates:**
- ✅ Format: No changes after `pnpm format`
- ✅ Build: TypeScript compiles without errors
- ✅ Lint: 0 errors, 0 warnings
- ✅ Tests: All tests pass (292/292)
- ✅ Coverage: ≥80% on all metrics
### Phase 2: Documentation
#### Phase 3: Documentation Updates
Update these files in `packages/<package>/`:
| File | Action |
|------|--------|
| `README.md` | Add feature docs, update CLI usage, update API |
| `TODO.md` | Mark completed tasks, add new tech debt if any |
| `CHANGELOG.md` | Add version entry with all changes |
| `ROADMAP.md` | Update if milestone completed |
**Tech debt rule:** If implementation leaves known issues, shortcuts, or future improvements needed — add them to TODO.md before committing.
### Phase 3: Manual Testing
```bash
# 1. Update README.md
# - Add new feature to Features section
# - Update CLI Usage examples if CLI changed
# - Update API documentation if public API changed
# - Update TypeScript interfaces
cd packages/<package>
# 2. Update TODO.md
# - Mark completed tasks as done
# - Add new technical debt if discovered
# - Document coverage issues for new files
# - Update "Recent Updates" section with changes
# Test CLI/API manually
node dist/cli/index.js <command> ./examples
# 3. Update CHANGELOG.md (for releases)
# - Add entry with version number
# - List all changes (features, fixes, improvements)
# - Follow Keep a Changelog format
# Verify output, edge cases, error handling
```
#### Phase 4: Verification & Testing
### Phase 4: Commit
```bash
# 1. Test CLI manually with examples
cd packages/guardian
node dist/cli/index.js check ./examples --limit 5
# 2. Test new feature with different options
node dist/cli/index.js check ./examples --only-critical
node dist/cli/index.js check ./examples --min-severity high
# 3. Verify output formatting and messages
# - Check that all violations display correctly
# - Verify severity labels and suggestions
# - Test edge cases and error handling
# 4. Run full quality check suite
pnpm format && pnpm eslint "packages/**/*.ts" && pnpm build && pnpm test:run
```
#### Phase 5: Commit & Version
```bash
# 1. Stage changes
git add .
git commit -m "<type>(<package>): <description>"
# 2. Commit with Conventional Commits format
git commit -m "feat: add --limit option for output control"
# or
git commit -m "fix: resolve unused variable in detector"
# or
git commit -m "docs: update README with new features"
# Types: feat, fix, docs, style, refactor, test, chore
# 3. Update package version (if releasing)
cd packages/guardian
npm version patch # Bug fixes (0.5.2 → 0.5.3)
npm version minor # New features (0.5.2 → 0.6.0)
npm version major # Breaking changes (0.5.2 → 1.0.0)
# 4. Push changes
git push origin main # or your branch
git push --tags # Push version tags
# Examples:
# feat(guardian): add --limit option
# fix(ipuaro): resolve memory leak in indexer
# docs(guardian): update API examples
```
#### Phase 6: Publication (Maintainers Only)
**Commit types:** feat, fix, docs, style, refactor, test, chore
### Phase 5: Version & Tag
```bash
# 1. Final verification before publish
cd packages/guardian
cd packages/<package>
# Bump version
npm version patch # 0.5.2 → 0.5.3 (bug fix)
npm version minor # 0.5.2 → 0.6.0 (new feature)
npm version major # 0.5.2 → 1.0.0 (breaking change)
# Create prefixed git tag
git tag <package>-v<version>
# Example: git tag guardian-v0.6.0
# Push
git push origin main
git push origin <package>-v<version>
```
### Phase 6: Publish (Maintainers Only)
```bash
cd packages/<package>
# Final verification
pnpm build && pnpm test:run && pnpm test:coverage
# 2. Verify package contents
# Check package contents
npm pack --dry-run
# 3. Publish to npm
# Publish
npm publish --access public
# 4. Verify publication
npm info @samiyev/guardian
# 5. Test installation
npm install -g @samiyev/guardian@latest
guardian --version
# Verify
npm info @samiyev/<package>
```
### Quick Checklist for New Features
## Pipeline Checklist
**Before Committing:**
- [ ] Feature implemented in correct layer
- [ ] Code formatted with `pnpm format`
- [ ] Lint passes: `pnpm eslint "packages/**/*.ts"`
- [ ] Build succeeds: `pnpm build`
- [ ] All tests pass: `pnpm test:run`
- [ ] Coverage ≥80%: `pnpm test:coverage`
- [ ] CLI tested manually if CLI changed
- [ ] README.md updated with examples
- [ ] TODO.md updated with progress
- [ ] No `console.log` in production code
- [ ] TypeScript interfaces documented
Copy and use for each release:
**Before Publishing:**
- [ ] CHANGELOG.md updated
```markdown
## Release: <package> v<version>
### Quality Gates
- [ ] `pnpm format` - no changes
- [ ] `pnpm build` - compiles
- [ ] `pnpm eslint` - 0 errors, 0 warnings
- [ ] `pnpm test:run` - all pass
- [ ] `pnpm test:coverage` - ≥80%
### Documentation
- [ ] README.md updated
- [ ] TODO.md - completed tasks marked, new debt added
- [ ] CHANGELOG.md - version entry added
- [ ] ROADMAP.md updated (if needed)
### Testing
- [ ] CLI/API tested manually
- [ ] Edge cases verified
### Release
- [ ] Commit with conventional format
- [ ] Version bumped in package.json
- [ ] All quality gates pass
- [ ] Examples work correctly
- [ ] Git tags pushed
- [ ] Git tag created: <package>-v<version>
- [ ] Pushed to origin
- [ ] Published to npm (if public release)
```
### Common Workflows
## Working with Roadmap
When the user points to `ROADMAP.md` or asks about the roadmap/next steps:
1. **Read both files together:**
- `packages/<package>/ROADMAP.md` - to understand the planned features and milestones
- `packages/<package>/CHANGELOG.md` - to see what's already implemented
2. **Determine current position:**
- Check the latest version in CHANGELOG.md
- Cross-reference with ROADMAP.md milestones
- Identify which roadmap items are already completed (present in CHANGELOG)
3. **Suggest next steps:**
- Find the first uncompleted item in the current milestone
- Or identify the next milestone if current one is complete
- Present clear "start here" recommendation
**Example workflow:**
```
User: "Let's work on the roadmap" or points to ROADMAP.md
Claude should:
1. Read ROADMAP.md → See milestones v0.1.0, v0.2.0, v0.3.0...
2. Read CHANGELOG.md → See latest release is v0.1.1
3. Compare → v0.1.0 milestone complete, v0.2.0 in progress
4. Report → "v0.1.0 is complete. For v0.2.0, next item is: <feature>"
```
## Common Workflows
### Adding a new CLI option
**Adding a new CLI option:**
```bash
# 1. Add to cli/constants.ts (CLI_OPTIONS, CLI_DESCRIPTIONS)
# 2. Add option in cli/index.ts (.option() call)
# 3. Parse and use option in action handler
# 4. Test with: node dist/cli/index.js check ./examples --your-option
# 5. Update README.md CLI Usage section
# 6. Run quality checks
# 4. Test: node dist/cli/index.js <command> --your-option
# 5. Run pipeline
```
**Adding a new detector:**
### Adding a new detector (guardian)
```bash
# 1. Create value object in domain/value-objects/
# 2. Create detector in infrastructure/analyzers/
# 3. Add detector interface to domain/services/
# 3. Add interface to domain/services/
# 4. Integrate in application/use-cases/AnalyzeProject.ts
# 5. Add CLI output in cli/index.ts
# 6. Write tests (aim for >90% coverage)
# 7. Update README.md Features section
# 8. Run full quality suite
# 7. Run pipeline
```
**Fixing technical debt:**
### Adding a new tool (ipuaro)
```bash
# 1. Define tool schema in infrastructure/tools/schemas/
# 2. Implement tool in infrastructure/tools/
# 3. Register in infrastructure/tools/index.ts
# 4. Add tests
# 5. Run pipeline
```
### Fixing technical debt
```bash
# 1. Find issue in TODO.md
# 2. Implement fix
# 3. Run quality checks
# 4. Update TODO.md (mark as completed)
# 5. Commit with type: "refactor:" or "fix:"
# 3. Update TODO.md (mark as completed)
# 4. Run pipeline with type: "refactor:" or "fix:"
```
### Debugging Tips
## Debugging Tips
**Build errors:**
```bash
# Check TypeScript errors in detail
pnpm tsc --noEmit
# Check specific file
pnpm tsc --noEmit packages/guardian/src/path/to/file.ts
pnpm tsc --noEmit packages/<package>/src/path/to/file.ts
```
**Test failures:**
```bash
# Run single test file
pnpm vitest tests/path/to/test.test.ts
# Run tests with UI
pnpm test:ui
# Run tests in watch mode for debugging
pnpm test
```
**Coverage issues:**
```bash
# Generate detailed coverage report
pnpm test:coverage
# View HTML report
open coverage/index.html
# Check specific file coverage
pnpm vitest --coverage --reporter=verbose
```
## Important Notes

121
README.md
View File

@@ -4,7 +4,9 @@ A TypeScript monorepo for code quality and analysis tools.
## Packages
- **[@puaros/guardian](./packages/guardian)** - Code quality guardian for vibe coders and enterprise teams. Detects hardcoded values, circular dependencies, and architecture violations. Perfect for AI-assisted development and enforcing Clean Architecture at scale.
- **[@puaros/guardian](./packages/guardian)** - Research-backed code quality guardian for vibe coders and enterprise teams. Detects hardcoded values, secrets, circular dependencies, architecture violations, and anemic domain models. Every rule is based on academic research, industry standards (OWASP, SonarQube), and authoritative books (Martin Fowler, Uncle Bob, Eric Evans). Perfect for AI-assisted development and enforcing Clean Architecture at scale.
- **[@puaros/ipuaro](./packages/ipuaro)** - Local AI agent for codebase operations with "infinite" context feeling. Uses lazy loading and smart context management to work with codebases of any size. Features 18 LLM tools for reading, editing, searching, and analyzing code. Built with Ink/React TUI, Redis persistence, tree-sitter AST parsing, and Ollama integration.
## Prerequisites
@@ -75,18 +77,27 @@ pnpm eslint "packages/**/*.ts"
```
puaros/
├── packages/
── guardian/ # @puaros/guardian - Code quality analyzer
── guardian/ # @puaros/guardian - Code quality analyzer
│ │ ├── src/ # Source files (Clean Architecture)
│ │ │ ├── domain/ # Domain layer
│ │ │ ├── application/ # Application layer
│ │ │ ├── infrastructure/# Infrastructure layer
│ │ │ ├── cli/ # CLI implementation
│ │ │ └── shared/ # Shared utilities
│ │ ├── bin/ # CLI entry point
│ │ ├── tests/ # Unit and integration tests
│ │ └── examples/ # Usage examples
│ └── ipuaro/ # @puaros/ipuaro - Local AI agent
│ ├── src/ # Source files (Clean Architecture)
│ │ ├── domain/ # Domain layer
│ │ ├── application/ # Application layer
│ │ ├── infrastructure/# Infrastructure layer
│ │ ├── cli/ # CLI implementation
│ │ ── shared/ # Shared utilities
├── dist/ # Build output (generated)
│ │ ├── domain/ # Entities, value objects, services
│ │ ├── application/ # Use cases, DTOs, mappers
│ │ ├── infrastructure/# Storage, LLM, indexer, tools
│ │ ├── tui/ # Terminal UI (Ink/React)
│ │ ── cli/ # CLI commands
│ └── shared/ # Types, constants, utils
│ ├── bin/ # CLI entry point
│ ├── tests/ # Unit and integration tests
── examples/ # Usage examples
│ └── package.json
│ ├── tests/ # Unit and E2E tests
── examples/ # Demo projects
├── pnpm-workspace.yaml # Workspace configuration
├── tsconfig.base.json # Shared TypeScript config
├── eslint.config.mjs # ESLint configuration
@@ -147,6 +158,21 @@ The `@puaros/guardian` package is a code quality analyzer for both individual de
- **CLI Tool**: Command-line interface with `guardian` command
- **CI/CD Integration**: JSON/Markdown output for automation pipelines
### 📚 Research-Backed Rules
Guardian's detection rules are based on decades of software engineering research and industry best practices:
- **Academic Research**: MIT Course 6.031, ScienceDirect peer-reviewed studies (2020-2023), IEEE papers on Technical Debt
- **Industry Standards**: SonarQube (400,000+ organizations), Google/Airbnb/Microsoft style guides, OWASP security standards
- **Authoritative Books**:
- Clean Architecture (Robert C. Martin, 2017)
- Implementing Domain-Driven Design (Vaughn Vernon, 2013)
- Domain-Driven Design (Eric Evans, 2003)
- Patterns of Enterprise Application Architecture (Martin Fowler, 2002)
- **Security Standards**: OWASP Secrets Management, GitHub Secret Scanning (350+ patterns)
**Every rule links to research citations** - see [Why Guardian's Rules Matter](./packages/guardian/docs/WHY.md) and [Full Research Citations](./packages/guardian/docs/RESEARCH_CITATIONS.md) for complete academic papers, books, and expert references.
### Use Cases
**For Vibe Coders:**
@@ -189,6 +215,79 @@ guardian check ./src --format json > report.json
guardian check ./src --fail-on hardcode --fail-on circular
```
## ipuaro Package
The `@puaros/ipuaro` package is a local AI agent for codebase operations:
### Features
- **Infinite Context Feeling**: Lazy loading and smart context management for any codebase size
- **18 LLM Tools**: Read, edit, search, analyze code through natural language
- **Terminal UI**: Full-featured TUI built with Ink/React
- **Redis Persistence**: Sessions, undo stack, and project index stored in Redis
- **AST Parsing**: tree-sitter for TypeScript/JavaScript analysis
- **File Watching**: Real-time index updates via chokidar
- **Security**: Blacklist/whitelist for command execution
### Tech Stack
| Component | Technology |
|-----------|------------|
| Runtime | Node.js + TypeScript |
| TUI | Ink (React for terminal) |
| Storage | Redis with AOF persistence |
| AST | tree-sitter (ts, tsx, js, jsx) |
| LLM | Ollama (qwen2.5-coder:7b-instruct) |
| Git | simple-git |
| File watching | chokidar |
### Tools (18 total)
| Category | Tools |
|----------|-------|
| **Read** | get_lines, get_function, get_class, get_structure |
| **Edit** | edit_lines, create_file, delete_file |
| **Search** | find_references, find_definition |
| **Analysis** | get_dependencies, get_dependents, get_complexity, get_todos |
| **Git** | git_status, git_diff, git_commit |
| **Run** | run_command, run_tests |
### Architecture
Built with Clean Architecture principles:
- **Domain Layer**: Entities, value objects, service interfaces
- **Application Layer**: Use cases, DTOs, mappers
- **Infrastructure Layer**: Redis storage, Ollama client, indexer, tools
- **TUI Layer**: Ink/React components and hooks
- **CLI Layer**: Commander.js entry point
### Usage
```bash
# Start TUI in current directory
ipuaro
# Start in specific directory
ipuaro /path/to/project
# Index only (no TUI)
ipuaro index
# With auto-apply mode
ipuaro --auto-apply
```
### Commands
| Command | Description |
|---------|-------------|
| `/help` | Show all commands |
| `/clear` | Clear chat history |
| `/undo` | Revert last file change |
| `/sessions` | Manage sessions |
| `/status` | System status |
| `/reindex` | Force reindexation |
## Dependencies
Guardian package uses:

1
eslint.config.mjs
View File

@@ -74,6 +74,7 @@ export default tseslint.config(
'@typescript-eslint/require-await': 'warn',
'@typescript-eslint/no-unnecessary-condition': 'off', // Sometimes useful for defensive coding
'@typescript-eslint/no-non-null-assertion': 'warn',
'@typescript-eslint/no-unnecessary-type-parameters': 'warn', // Allow generic JSON parsers
// ========================================
// Code Quality & Best Practices

199
packages/guardian/CHANGELOG.md
View File

@@ -5,6 +5,205 @@ All notable changes to @samiyev/guardian will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [0.9.4] - 2025-11-30
### Added
- **VERSION export** - Package version is now exported from index.ts, automatically read from package.json
### Changed
- 🔄 **Refactored SecretDetector** - Reduced cyclomatic complexity from 24 to <15:
- Extracted helper methods: `extractByRuleId`, `extractAwsType`, `extractGithubType`, `extractSshType`, `extractSlackType`, `extractByMessage`
- Used lookup arrays for SSH and message type mappings
- 🔄 **Refactored AstNamingTraverser** - Reduced cyclomatic complexity from 17 to <15:
- Replaced if-else chain with Map-based node handlers
- Added `buildNodeHandlers()` method for cleaner architecture
### Quality
-**Zero lint warnings** - All ESLint warnings resolved
-**All 616 tests pass**
## [0.9.2] - 2025-11-27
### Changed
- 🔄 **Refactored naming convention detector** - Migrated from regex-based to AST-based analysis:
- Replaced regex pattern matching with tree-sitter Abstract Syntax Tree traversal
- Improved accuracy with AST node context awareness (classes, interfaces, functions, variables)
- Reduced false positives with better naming pattern detection
- Added centralized AST node type constants (`ast-node-types.ts`) for maintainability
- New modular architecture with specialized analyzers:
- `AstClassNameAnalyzer` - Class naming validation
- `AstInterfaceNameAnalyzer` - Interface naming validation
- `AstFunctionNameAnalyzer` - Function naming validation
- `AstVariableNameAnalyzer` - Variable naming validation
- `AstNamingTraverser` - AST traversal for naming analysis
- Enhanced context-aware suggestions for hardcoded values:
- Added context keywords (EMAIL_CONTEXT_KEYWORDS, API_KEY_CONTEXT_KEYWORDS, URL_CONTEXT_KEYWORDS, etc.)
- Improved constant name generation based on context (ADMIN_EMAIL, API_SECRET_KEY, DATABASE_URL, etc.)
- Better file path suggestions (CONFIG_ENVIRONMENT, CONFIG_CONTACTS, CONFIG_PATHS, etc.)
### Quality
-**All tests pass** - Updated tests for AST-based naming detection
-**Code organization** - Centralized AST constants reduce code duplication
-**Maintainability** - Modular analyzers improve code separation and testability
## [0.9.1] - 2025-11-26
### Changed
- 🔄 **Refactored hardcode detector** - Migrated from regex-based to AST-based analysis:
- Replaced regex pattern matching with tree-sitter Abstract Syntax Tree traversal
- Improved accuracy with AST node context awareness (exports, types, tests)
- Reduced false positives with better constant and context detection
- Added duplicate value tracking across files for better insights
- Implemented boolean literal detection (magic-boolean type)
- Added value type classification (email, url, ip_address, api_key, uuid, version, color, etc.)
- New modular architecture with specialized analyzers:
- `AstTreeTraverser` - AST walking with "almost constants" detection
- `DuplicateValueTracker` - Cross-file duplicate tracking
- `AstContextChecker` - Node context analysis (reduced nesting depth)
- `AstNumberAnalyzer`, `AstStringAnalyzer`, `AstBooleanAnalyzer` - Specialized analyzers
- `ValuePatternMatcher` - Value type pattern detection
### Removed
- 🗑️ **Deprecated regex components** - Removed old regex-based detection strategies:
- `BraceTracker.ts` - Replaced by AST context checking
- `ExportConstantAnalyzer.ts` - Replaced by AstContextChecker
- `MagicNumberMatcher.ts` - Replaced by AstNumberAnalyzer
- `MagicStringMatcher.ts` - Replaced by AstStringAnalyzer
### Quality
-**All tests pass** - 629/629 tests passing (added 51 new tests)
-**Test coverage** - 87.97% statements, 96.75% functions
-**Build successful** - TypeScript compilation with no errors
-**Linter** - 0 errors, 5 acceptable warnings (complexity, params)
-**Code size** - Net reduction: -40 lines (more features, less code)
## [0.9.0] - 2025-11-26
### Added
- 🏛️ **Anemic Model Detection** - NEW feature to detect anemic domain models lacking business logic:
- Detects entities with only getters/setters (violates DDD principles)
- Identifies classes with public setters (breaks encapsulation)
- Analyzes method-to-property ratio to find data-heavy, logic-light classes
- Provides detailed suggestions: add business methods, move logic from services, encapsulate invariants
- New `AnemicModelDetector` infrastructure component
- New `AnemicModelViolation` value object with rich example fixes
- New `IAnemicModelDetector` domain interface
- Integrated into CLI with detailed violation reports
- 12 comprehensive tests for anemic model detection
- 📦 **New shared constants** - Centralized constants for better code maintainability:
- `CLASS_KEYWORDS` - TypeScript class and method keywords (constructor, public, private, protected)
- `EXAMPLE_CODE_CONSTANTS` - Documentation example code strings (ORDER_STATUS_PENDING, ORDER_STATUS_APPROVED, CANNOT_APPROVE_ERROR)
- `ANEMIC_MODEL_MESSAGES` - 8 suggestion messages for fixing anemic models
- 📚 **Example files** - Added DDD examples demonstrating anemic vs rich domain models:
- `examples/bad/domain/entities/anemic-model-only-getters-setters.ts`
- `examples/bad/domain/entities/anemic-model-public-setters.ts`
- `examples/good-architecture/domain/entities/Customer.ts`
- `examples/good-architecture/domain/entities/Order.ts`
### Changed
- ♻️ **Refactored hardcoded values** - Extracted all remaining hardcoded values to centralized constants:
- Updated `AnemicModelDetector.ts` to use `CLASS_KEYWORDS` constants
- Updated `AnemicModelViolation.ts` to use `EXAMPLE_CODE_CONSTANTS` for example fix strings
- Replaced local constants with shared constants from `shared/constants`
- Improved code maintainability and consistency
- 🎯 **Enhanced violation detection pipeline** - Added anemic model detection to `ExecuteDetection.ts`
- 📊 **Updated API** - Added anemic model violations to response DTO
- 🔧 **CLI improvements** - Added anemic model section to output formatting
### Quality
-**Guardian self-check** - 0 issues (was 5) - 100% clean codebase
-**All tests pass** - 578/578 tests passing (added 12 new tests)
-**Build successful** - TypeScript compilation with no errors
-**Linter clean** - 0 errors, 3 acceptable warnings (complexity, params)
-**Format verified** - All files properly formatted with 4-space indentation
## [0.8.1] - 2025-11-25
### Fixed
- 🧹 **Code quality improvements** - Fixed all 63 hardcoded value issues detected by Guardian self-check:
- Fixed 1 CRITICAL: Removed hardcoded Slack token from documentation examples
- Fixed 1 HIGH: Removed aws-sdk framework leak from domain layer examples
- Fixed 4 MEDIUM: Renamed pipeline files to follow verb-noun convention
- Fixed 57 LOW: Extracted all magic strings to reusable constants
### Added
- 📦 **New constants file** - `domain/constants/SecretExamples.ts`:
- 32 secret keyword constants (AWS, GitHub, NPM, SSH, Slack, etc.)
- 15 secret type name constants
- 7 example secret values for documentation
- Regex patterns and encoding constants
### Changed
- ♻️ **Refactored pipeline naming** - Updated use case files to follow naming conventions:
- `DetectionPipeline.ts``ExecuteDetection.ts`
- `FileCollectionStep.ts``CollectFiles.ts`
- `ParsingStep.ts``ParseSourceFiles.ts`
- `ResultAggregator.ts``AggregateResults.ts`
- Added `Aggregate`, `Collect`, `Parse` to `USE_CASE_VERBS` list
- 🔧 **Updated 3 core files to use constants**:
- `SecretViolation.ts`: All secret examples use constants, `getSeverity()` returns `typeof SEVERITY_LEVELS.CRITICAL`
- `SecretDetector.ts`: All secret keywords use constants
- `MagicStringMatcher.ts`: Regex patterns extracted to constants
- 📝 **Test updates** - Updated 2 tests to match new example fix messages
### Quality
-**Guardian self-check** - 0 issues (was 63) - 100% clean codebase
-**All tests pass** - 566/566 tests passing
-**Build successful** - TypeScript compilation with no errors
-**Linter clean** - 0 errors, 2 acceptable warnings (complexity, params)
-**Format verified** - All files properly formatted with 4-space indentation
## [0.8.0] - 2025-11-25
### Added
- 🔐 **Secret Detection** - NEW CRITICAL security feature using industry-standard Secretlint:
- Detects 350+ types of hardcoded secrets (AWS keys, GitHub tokens, NPM tokens, SSH keys, API keys, etc.)
- All secrets marked as **CRITICAL severity** for immediate attention
- Context-aware remediation suggestions for each secret type
- Integrated seamlessly with existing detectors
- New `SecretDetector` infrastructure component using `@secretlint/node`
- New `SecretViolation` value object with rich examples
- New `ISecretDetector` domain interface
- CLI output with "🔐 Found X hardcoded secrets - CRITICAL SECURITY RISK" section
- Added dependencies: `@secretlint/node`, `@secretlint/core`, `@secretlint/types`, `@secretlint/secretlint-rule-preset-recommend`
### Changed
- 🔄 **Pipeline async support** - `DetectionPipeline.execute()` now async for secret detection
- 📊 **Test suite expanded** - Added 47 new tests (23 for SecretViolation, 24 for SecretDetector)
- Total: 566 tests (was 519), 100% pass rate
- Coverage: 93.3% statements, 83.74% branches, 98.17% functions
- SecretViolation: 100% coverage
- 📝 **Documentation updated**:
- README.md: Added Secret Detection section with examples
- ROADMAP.md: Marked v0.8.0 as released
- Updated package description to mention secrets detection
### Security
- 🛡️ **Prevents credentials in version control** - catches AWS, GitHub, NPM, SSH, Slack, GCP secrets before commit
- ⚠️ **CRITICAL violations** - all hardcoded secrets immediately flagged with highest severity
- 💡 **Smart remediation** - provides specific guidance per secret type (environment variables, secret managers, etc.)
## [0.7.9] - 2025-11-25
### Changed

87
packages/guardian/README.md
View File

@@ -72,14 +72,41 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- Prevents "new Repository()" anti-pattern
- 📚 *Based on: Martin Fowler's Repository Pattern, DDD (Evans 2003)* → [Why?](./docs/WHY.md#repository-pattern)
🔒 **Aggregate Boundary Validation** ✨ NEW
🔒 **Aggregate Boundary Validation**
- Detects direct entity references across DDD aggregates
- Enforces reference-by-ID or Value Object pattern
- Prevents tight coupling between aggregates
- Supports multiple folder structures (domain/aggregates/*, domain/*, domain/entities/*)
- Filters allowed imports (value-objects, events, repositories, services)
- Critical severity for maintaining aggregate independence
- 📚 *Based on: Domain-Driven Design (Evans 2003), Implementing DDD (Vernon 2013)* → [Why?](./docs/WHY.md#aggregate-boundaries)
- 📚 *Based on: Domain-Driven Design (Evans 2003), Implementing DDD (Vernon 2013)* → [Why?](./docs/WHY.md#aggregate-boundary-validation)
🔐 **Secret Detection** ✨ NEW in v0.8.0
- Detects 350+ types of hardcoded secrets using industry-standard Secretlint
- Catches AWS keys, GitHub tokens, NPM tokens, SSH keys, API keys, and more
- All secrets marked as **CRITICAL severity** - immediate security risk
- Context-aware remediation suggestions for each secret type
- Prevents credentials from reaching version control
- Integrates seamlessly with existing detectors
- 📚 *Based on: OWASP Secrets Management, GitHub Secret Scanning (350+ patterns), security standards* → [Why?](./docs/WHY.md#secret-detection)
🩺 **Anemic Domain Model Detection** ✨ NEW in v0.9.0
- Detects entities with only getters/setters (data bags without behavior)
- Identifies public setters anti-pattern in domain entities
- Calculates methods-to-properties ratio for behavioral analysis
- Enforces rich domain models over anemic models
- Suggests moving business logic from services to entities
- Medium severity - architectural code smell
- 📚 *Based on: Martin Fowler's "Anemic Domain Model" (2003), DDD (Evans 2003), Transaction Script vs Domain Model patterns* → [Why?](./docs/WHY.md#anemic-domain-model-detection)
🎯 **Severity-Based Prioritization**
- Automatic sorting by severity: CRITICAL → HIGH → MEDIUM → LOW
- Filter by severity level: `--only-critical` or `--min-severity high`
- Focus on what matters most: secrets and circular dependencies first
- Visual severity indicators with color-coded labels (🔴🟠🟡🟢)
- Smart categorization based on impact to production
- Enables gradual technical debt reduction
- 📚 *Based on: SonarQube severity classification, IEEE/ScienceDirect research on Technical Debt prioritization* → [Why?](./docs/WHY.md#severity-based-prioritization)
🏗️ **Clean Architecture Enforcement**
- Built with DDD principles
@@ -298,17 +325,6 @@ await reportMetrics({
| **AI Enablement** | Safely adopt AI coding tools at scale |
| **Technical Debt Visibility** | Metrics and trends for data-driven decisions |
### Enterprise Success Stories
**Fortune 500 Financial Services** 🏦
> "We have 200+ developers and were struggling with architectural consistency. Guardian reduced our code review cycle time by 35% and caught 12 hardcoded API keys before they hit production. ROI in first month." - VP Engineering
**Scale-up SaaS (Series B)** 📈
> "Guardian allowed us to confidently adopt GitHub Copilot across our team. AI writes code 3x faster, Guardian ensures quality. We ship more features without increasing tech debt." - CTO
**Consulting Firm** 💼
> "We use Guardian on every client project. It enforces our standards automatically, and clients love the quality metrics reports. Saved us from a major security incident when it caught hardcoded AWS credentials." - Lead Architect
## Installation
```bash
@@ -366,6 +382,15 @@ const result = await analyzeProject({
})
console.log(`Found ${result.hardcodeViolations.length} hardcoded values`)
console.log(`Found ${result.secretViolations.length} hardcoded secrets 🔐`)
// Check for critical security issues first!
result.secretViolations.forEach((violation) => {
console.log(`🔐 CRITICAL: ${violation.file}:${violation.line}`)
console.log(` Secret Type: ${violation.secretType}`)
console.log(` ${violation.message}`)
console.log(` ⚠️ Rotate this secret immediately!`)
})
result.hardcodeViolations.forEach((violation) => {
console.log(`${violation.file}:${violation.line}`)
@@ -394,9 +419,9 @@ npx @samiyev/guardian check ./src --verbose
npx @samiyev/guardian check ./src --no-hardcode # Skip hardcode detection
npx @samiyev/guardian check ./src --no-architecture # Skip architecture checks
# Filter by severity
npx @samiyev/guardian check ./src --min-severity high # Show high, critical only
npx @samiyev/guardian check ./src --only-critical # Show only critical issues
# Filter by severity (perfect for finding secrets first!)
npx @samiyev/guardian check ./src --only-critical # Show only critical issues (secrets, circular deps)
npx @samiyev/guardian check ./src --min-severity high # Show high and critical only
# Limit detailed output (useful for large codebases)
npx @samiyev/guardian check ./src --limit 10 # Show first 10 violations per category
@@ -934,36 +959,6 @@ Guardian follows Clean Architecture principles:
- Node.js >= 18.0.0
- TypeScript >= 5.0.0 (for TypeScript projects)
## Real-World Vibe Coding Stats
Based on testing Guardian with AI-generated codebases:
| Metric | Typical AI Code | After Guardian |
|--------|----------------|----------------|
| Hardcoded values | 15-30 per 1000 LOC | 0-2 per 1000 LOC |
| Circular deps | 2-5 per project | 0 per project |
| Architecture violations | 10-20% of files | <1% of files |
| Time to fix issues | Manual review: 2-4 hours | Guardian + AI: 5-10 minutes |
**Common Issues Guardian Finds in AI Code:**
- 🔐 Hardcoded secrets and API keys (CRITICAL)
- ⏱️ Magic timeouts and retry counts
- 🌐 Hardcoded URLs and endpoints
- 🔄 Accidental circular imports
- 📁 Files in wrong architectural layers
- 🏷️ Inconsistent naming patterns
## Success Stories
**Prototype to Production**
> "Built a SaaS MVP with Claude in 3 days. Guardian caught 47 hardcoded values before first deploy. Saved us from production disasters." - Indie Hacker
**Learning Clean Architecture** 📚
> "Guardian taught me Clean Architecture better than any tutorial. Every violation is a mini lesson with suggestions." - Junior Dev
**AI-First Startup** 🚀
> "We ship 5+ features daily using Claude + Guardian. No human code reviews needed for AI-generated code anymore." - Tech Lead
## FAQ for Vibe Coders
**Q: Will Guardian slow down my AI workflow?**

20
packages/guardian/ROADMAP.md
View File

@@ -2,7 +2,20 @@
This document outlines the current features and future plans for @puaros/guardian.
## Current Version: 0.7.5 ✅ RELEASED
## Current Version: 0.9.0 ✅ RELEASED
**Released:** 2025-11-26
### What's New in 0.9.0
- 🏛️ **Anemic Model Detection** - NEW feature to detect anemic domain models lacking business logic
-**100% clean codebase** - Guardian now passes its own self-check with 0 issues
- 📦 **New shared constants** - Added CLASS_KEYWORDS and EXAMPLE_CODE_CONSTANTS
-**All 578 tests passing** - Added 12 new tests for anemic model detection
---
## Previous Version: 0.8.1 ✅ RELEASED
**Released:** 2025-11-25
@@ -452,8 +465,9 @@ Refactored largest detectors to reduce complexity and improve maintainability.
---
### Version 0.8.0 - Secret Detection 🔐
**Target:** Q1 2025
### Version 0.8.0 - Secret Detection 🔐 ✅ RELEASED
**Released:** 2025-11-25
**Priority:** CRITICAL
Detect hardcoded secrets (API keys, tokens, credentials) using industry-standard Secretlint library.

0
packages/guardian/COMPARISON.md → packages/guardian/docs/COMPARISON.md
View File

0
packages/guardian/COMPETITIVE_ANALYSIS_SUMMARY.md → packages/guardian/docs/COMPETITIVE_ANALYSIS_SUMMARY.md
View File

1149
packages/guardian/docs/RESEARCH_CITATIONS.md
View File

File diff suppressed because it is too large Load Diff

979
packages/guardian/docs/RESEARCH_PROJECT_STRUCTURE_DETECTION.md Normal file
View File

@@ -0,0 +1,979 @@
# Research: Project Structure Detection for Architecture Analysis
This document provides comprehensive research on approaches to detecting and validating project architecture structure. It covers existing tools, academic research, algorithms, and industry best practices that inform Guardian's architecture detection strategy.
---
## Table of Contents
1. [Executive Summary](#1-executive-summary)
2. [Existing Tools Analysis](#2-existing-tools-analysis)
3. [Academic Approaches to Architecture Recovery](#3-academic-approaches-to-architecture-recovery)
4. [Graph Analysis Algorithms](#4-graph-analysis-algorithms)
5. [Configuration Patterns and Best Practices](#5-configuration-patterns-and-best-practices)
6. [Industry Consensus](#6-industry-consensus)
7. [Recommendations for Guardian](#7-recommendations-for-guardian)
8. [Additional Resources](#8-additional-resources)
---
## 1. Executive Summary
### Key Finding
**Industry consensus:** Automatic architecture detection is unreliable. All major tools (ArchUnit, eslint-plugin-boundaries, Nx, dependency-cruiser, SonarQube) require **explicit configuration** from users rather than attempting automatic detection.
### Why Automatic Detection Fails
1. **Too Many Variations**: Project structures vary wildly across teams, frameworks, and domains
2. **False Positives**: Algorithms may "detect" non-existent architectural patterns
3. **Performance**: Graph analysis is slow for large codebases (>2000 files)
4. **Ambiguity**: Same folder names can mean different things in different contexts
5. **Legacy Code**: Poorly structured code produces meaningless analysis results
### Recommended Approach
| Priority | Approach | Description |
|----------|----------|-------------|
| P0 | Pattern-based detection | Glob/regex patterns for layer identification |
| P0 | Configuration file | `.guardianrc.json` for explicit rules |
| P1 | Presets | Pre-configured patterns for common architectures |
| P1 | Generic mode | Fallback with minimal checks |
| P2 | Interactive setup | CLI wizard for configuration generation |
| P2 | Graph visualization | Visual dependency analysis (informational only) |
| ❌ | Auto-detection | NOT recommended as primary strategy |
---
## 2. Existing Tools Analysis
### 2.1 ArchUnit (Java)
**Approach:** Fully declarative - user defines all layers explicitly.
**Official Website:** https://www.archunit.org/
**User Guide:** https://www.archunit.org/userguide/html/000_Index.html
**GitHub Repository:** https://github.com/TNG/ArchUnit
**Key Characteristics:**
- Does NOT detect architecture automatically
- User explicitly defines layers via package patterns
- Fluent API for rule definition
- Supports Layered, Onion, and Hexagonal architectures out-of-box
- Integrates with JUnit/TestNG test frameworks
**Example Configuration:**
```java
layeredArchitecture()
.layer("Controller").definedBy("..controller..")
.layer("Service").definedBy("..service..")
.layer("Persistence").definedBy("..persistence..")
.whereLayer("Controller").mayNotBeAccessedByAnyLayer()
.whereLayer("Service").mayOnlyBeAccessedByLayers("Controller")
.whereLayer("Persistence").mayOnlyBeAccessedByLayers("Service")
```
**References:**
- Baeldung Tutorial: https://www.baeldung.com/java-archunit-intro
- InfoQ Article: https://www.infoq.com/news/2022/10/archunit/
- Examples Repository: https://github.com/TNG/ArchUnit-Examples
---
### 2.2 eslint-plugin-boundaries (TypeScript/JavaScript)
**Approach:** Pattern-based element definition with dependency rules.
**NPM Package:** https://www.npmjs.com/package/eslint-plugin-boundaries
**GitHub Repository:** https://github.com/javierbrea/eslint-plugin-boundaries
**Key Characteristics:**
- Does NOT detect architecture automatically
- Uses micromatch/glob patterns for element identification
- Supports capture groups for dynamic element naming
- TypeScript import type awareness (`value` vs `type` imports)
- Works with monorepos
**Example Configuration:**
```javascript
settings: {
"boundaries/elements": [
{
type: "domain",
pattern: "src/domain/*",
mode: "folder",
capture: ["elementName"]
},
{
type: "application",
pattern: "src/application/*",
mode: "folder"
},
{
type: "infrastructure",
pattern: "src/infrastructure/*",
mode: "folder"
}
]
},
rules: {
"boundaries/element-types": [2, {
default: "disallow",
rules: [
{ from: "infrastructure", allow: ["application", "domain"] },
{ from: "application", allow: ["domain"] },
{ from: "domain", disallow: ["*"] }
]
}]
}
```
**References:**
- TypeScript Example: https://github.com/javierbrea/epb-ts-example
- Element Types Documentation: https://github.com/javierbrea/eslint-plugin-boundaries/blob/master/docs/rules/element-types.md
- Medium Tutorial: https://medium.com/@taynan_duarte/ensuring-dependency-rules-in-a-nodejs-application-with-typescript-using-eslint-plugin-boundaries-68b70ce32437
---
### 2.3 SonarQube Architecture as Code
**Approach:** YAML/JSON configuration with automatic code structure analysis.
**Official Documentation:** https://docs.sonarsource.com/sonarqube-server/design-and-architecture/overview/
**Configuration Guide:** https://docs.sonarsource.com/sonarqube-server/design-and-architecture/configuring-the-architecture-analysis/
**Key Characteristics:**
- Introduced in SonarQube 2025 Release 2
- Automatic code structure analysis (basic)
- YAML/JSON configuration for custom rules
- Supports "Perspectives" (multiple views of architecture)
- Hierarchical "Groups" for organization
- Glob and regex pattern support
- Works without configuration for basic checks (cycle detection)
**Supported Languages:**
- Java (SonarQube Server)
- Java, JavaScript, TypeScript (SonarQube Cloud)
- Python, C# (coming soon)
- C++ (under consideration)
**Example Configuration:**
```yaml
# architecture.yaml
perspectives:
- name: "Clean Architecture"
groups:
- name: "Domain"
patterns:
- "src/domain/**"
- "src/core/**"
- name: "Application"
patterns:
- "src/application/**"
- "src/use-cases/**"
- name: "Infrastructure"
patterns:
- "src/infrastructure/**"
- "src/adapters/**"
constraints:
- from: "Domain"
deny: ["Application", "Infrastructure"]
- from: "Application"
deny: ["Infrastructure"]
```
**References:**
- Blog Announcement: https://www.sonarsource.com/blog/introducing-architecture-as-code-in-sonarqube/
- Security Boulevard Coverage: https://securityboulevard.com/2025/04/introducing-architecture-as-code-in-sonarqube-7/
---
### 2.4 Nx Enforce Module Boundaries
**Approach:** Tag-based system with ESLint integration.
**Official Documentation:** https://nx.dev/docs/features/enforce-module-boundaries
**ESLint Rule Guide:** https://nx.dev/docs/technologies/eslint/eslint-plugin/guides/enforce-module-boundaries
**Key Characteristics:**
- Tag-based constraint system (scope, type)
- Projects tagged in project.json or package.json
- Supports regex patterns in tags
- Two-dimensional constraints (scope + type)
- External dependency blocking
- Integration with Nx project graph
**Example Configuration:**
```json
// project.json
{
"name": "user-domain",
"tags": ["scope:user", "type:domain"]
}
// ESLint config
{
"@nx/enforce-module-boundaries": ["error", {
"depConstraints": [
{
"sourceTag": "type:domain",
"onlyDependOnLibsWithTags": ["type:domain"]
},
{
"sourceTag": "type:application",
"onlyDependOnLibsWithTags": ["type:domain", "type:application"]
},
{
"sourceTag": "scope:user",
"onlyDependOnLibsWithTags": ["scope:user", "scope:shared"]
}
]
}]
}
```
**References:**
- Project Dependency Rules: https://nx.dev/docs/concepts/decisions/project-dependency-rules
- Blog Post on Module Boundaries: https://nx.dev/blog/mastering-the-project-boundaries-in-nx
- Medium Tutorial: https://medium.com/rupesh-tiwari/enforcing-dependency-constraints-within-service-in-nx-monorepo-workspace-56e87e792c98
---
### 2.5 dependency-cruiser
**Approach:** Rule-based validation with visualization capabilities.
**NPM Package:** https://www.npmjs.com/package/dependency-cruiser
**GitHub Repository:** https://github.com/sverweij/dependency-cruiser
**Key Characteristics:**
- Regex patterns for from/to rules
- Multiple output formats (SVG, DOT, Mermaid, JSON, HTML)
- CI/CD integration support
- TypeScript pre-compilation dependency support
- Does NOT detect architecture automatically
**Example Configuration:**
```javascript
// .dependency-cruiser.js
module.exports = {
forbidden: [
{
name: "no-domain-to-infrastructure",
severity: "error",
from: { path: "^src/domain" },
to: { path: "^src/infrastructure" }
},
{
name: "no-circular",
severity: "error",
from: {},
to: { circular: true }
}
],
options: {
doNotFollow: { path: "node_modules" },
tsPreCompilationDeps: true
}
}
```
**References:**
- Options Reference: https://github.com/sverweij/dependency-cruiser/blob/main/doc/options-reference.md
- Rules Reference: https://github.com/sverweij/dependency-cruiser/blob/main/doc/rules-reference.md
- Clean Architecture Tutorial: https://betterprogramming.pub/validate-dependencies-according-to-clean-architecture-743077ea084c
---
### 2.6 ts-arch / ArchUnitTS (TypeScript)
**Approach:** ArchUnit-like fluent API for TypeScript.
**ts-arch GitHub:** https://github.com/ts-arch/ts-arch
**ts-arch Documentation:** https://ts-arch.github.io/ts-arch/
**ArchUnitTS GitHub:** https://github.com/LukasNiessen/ArchUnitTS
**Key Characteristics:**
- Fluent API similar to ArchUnit
- PlantUML diagram validation support
- Jest/Vitest integration
- Nx monorepo support
- Does NOT detect architecture automatically
**Example Usage:**
```typescript
import { filesOfProject } from "tsarch"
// Folder-based dependency check
const rule = filesOfProject()
.inFolder("domain")
.shouldNot()
.dependOnFiles()
.inFolder("infrastructure")
await expect(rule).toPassAsync()
// PlantUML diagram validation
const rule = await slicesOfProject()
.definedBy("src/(**/)")
.should()
.adhereToDiagramInFile("architecture.puml")
```
**References:**
- NPM Package: https://www.npmjs.com/package/tsarch
- ArchUnitTS Documentation: https://lukasniessen.github.io/ArchUnitTS/
- DeepWiki Analysis: https://deepwiki.com/ts-arch/ts-arch
---
### 2.7 Madge
**Approach:** Visualization and circular dependency detection.
**NPM Package:** https://www.npmjs.com/package/madge
**GitHub Repository:** https://github.com/pahen/madge
**Key Characteristics:**
- Dependency graph visualization
- Circular dependency detection
- Multiple layout algorithms (dot, neato, fdp, circo)
- Simple CLI interface
- Does NOT define or enforce layers
**Usage:**
```bash
# Find circular dependencies
npx madge --circular src/
# Generate dependency graph
npx madge src/ --image deps.svg
# TypeScript support
npx madge src/main.ts --ts-config tsconfig.json --image ./deps.png
```
**References:**
- NestJS Integration: https://manishbit97.medium.com/identifying-circular-dependencies-in-nestjs-using-madge-de137cd7f74f
- Angular Integration: https://www.angulartraining.com/daily-newsletter/visualizing-internal-dependencies-with-madge/
- React/TypeScript Tutorial: https://dev.to/greenroach/detecting-circular-dependencies-in-a-reacttypescript-app-using-madge-229
**Alternative: Skott**
- Claims to be 7x faster than Madge
- Reference: https://dev.to/antoinecoulon/introducing-skott-the-new-madge-1bfl
---
## 3. Academic Approaches to Architecture Recovery
### 3.1 Software Architecture Recovery Overview
**Wikipedia Definition:** https://en.wikipedia.org/wiki/Software_architecture_recovery
Software architecture recovery is a set of methods for extracting architectural information from lower-level representations of a software system, such as source code. The abstraction process frequently involves clustering source code entities (files, classes, functions) into subsystems according to application-dependent or independent criteria.
**Motivation:**
- Legacy systems often lack architectural documentation
- Existing documentation is frequently out of sync with implementation
- Understanding architecture is essential for maintenance and evolution
---
### 3.2 Machine Learning Approaches
**Research Paper:** "Automatic software architecture recovery: A machine learning approach"
**Source:** ResearchGate - https://www.researchgate.net/publication/261309157_Automatic_software_architecture_recovery_A_machine_learning_approach
**Key Points:**
- Current architecture recovery techniques require heavy human intervention or fail to recover quality components
- Machine learning techniques use multiple feature types:
- Structural features (dependencies, coupling)
- Runtime behavioral features
- Domain/textual features
- Contextual features (code authorship, line co-change)
- Automatically recovering functional architecture facilitates developer understanding
**Limitation:** Requires training data and may not generalize across project types.
---
### 3.3 Genetic Algorithms for Architecture Recovery
**Research Paper:** "Parallelization of genetic algorithms for software architecture recovery"
**Source:** Springer - https://link.springer.com/content/pdf/10.1007/s10515-024-00479-0.pdf
**Key Points:**
- Software Architecture Recovery (SAR) techniques analyze dependencies between modules
- Automatically cluster modules to achieve high modularity
- Many approaches employ Genetic Algorithms (GAs)
- Major drawback: lack of scalability
- Solution: parallel execution of GA subroutines
**Finding:** Finding optimal software clustering is an NP-complete problem.
---
### 3.4 Clustering Algorithms Comparison
**Research Paper:** "A comparative analysis of software architecture recovery techniques"
**Source:** IEEE Xplore - https://ieeexplore.ieee.org/document/6693106/
**Algorithms Compared:**
| Algorithm | Description | Strengths | Weaknesses |
|-----------|-------------|-----------|------------|
| ACDC | Comprehension-Driven Clustering | Finds natural subsystems | Requires parameter tuning |
| LIMBO | Information-Theoretic Clustering | Scalable | May miss domain patterns |
| WCA | Weighted Combined Algorithm | Balances multiple factors | Complex configuration |
| K-means | Baseline clustering | Simple, fast | Poor for code structure |
**Key Finding:** Even the best techniques have surprisingly low accuracy when compared against verified ground truths.
---
### 3.5 ACDC Algorithm (Algorithm for Comprehension-Driven Clustering)
**Original Paper:** "ACDC: An Algorithm for Comprehension-Driven Clustering"
**Source:** ResearchGate - https://www.researchgate.net/publication/221200422_ACDC_An_Algorithm_for_Comprehension-Driven_Clustering
**York University Wiki:** https://wiki.eecs.yorku.ca/project/cluster/protected:acdc
**Algorithm Steps:**
1. Build dependency graph
2. Find "dominator" nodes (subsystem patterns)
3. Group nodes with common dominators
4. Apply orphan adoption for ungrouped nodes
5. Iteratively improve clusters
**Advantages:**
- Considers human comprehension patterns
- Finds natural subsystems
- Works without prior knowledge
**Disadvantages:**
- Requires parameter tuning
- Does not guarantee optimality
- May not work well on poorly structured code
---
### 3.6 LLM-Based Architecture Recovery (Recent Research)
**Research Paper:** "Automated Software Architecture Design Recovery from Source Code Using LLMs"
**Source:** Springer - https://link.springer.com/chapter/10.1007/978-3-032-02138-0_5
**Key Findings:**
- LLMs show promise for automating software architecture recovery
- Effective at identifying:
- ✅ Architectural styles
- ✅ Structural elements
- ✅ Basic design patterns
- Struggle with:
- ❌ Complex abstractions
- ❌ Class relationships
- ❌ Fine-grained design patterns
**Conclusion:** "LLMs can support SAR activities, particularly in identifying structural and stylistic elements, but they struggle with complex abstractions"
**Additional Reference:** arXiv paper on design principles - https://arxiv.org/html/2508.11717
---
## 4. Graph Analysis Algorithms
### 4.1 Louvain Algorithm for Community Detection
**Wikipedia:** https://en.wikipedia.org/wiki/Louvain_method
**Original Paper:** "Fast unfolding of communities in large networks" (2008)
- Authors: Vincent D Blondel, Jean-Loup Guillaume, Renaud Lambiotte, Etienne Lefebvre
- Journal: Journal of Statistical Mechanics: Theory and Experiment
- Reference: https://perso.uclouvain.be/vincent.blondel/research/louvain.html
**Algorithm Description:**
1. Initialize each node as its own community
2. For each node, try moving to neighboring communities
3. Select move with maximum modularity gain
4. Merge communities into "super-nodes"
5. Repeat from step 2
**Modularity Formula:**
```
Q = (1/2m) * Σ[Aij - (ki*kj)/(2m)] * δ(ci, cj)
Where:
- Aij = edge weight between i and j
- ki, kj = node degrees
- m = sum of all weights
- δ = 1 if ci = cj (same cluster)
```
**Characteristics:**
| Parameter | Value |
|-----------|-------|
| Time Complexity | O(n log n) |
| Modularity Range | -1 to 1 |
| Good Result | Q > 0.3 |
| Resolution Limit | Yes (may hide small communities) |
**Implementations:**
- NetworkX: https://networkx.org/documentation/stable/reference/algorithms/generated/networkx.algorithms.community.louvain.louvain_communities.html
- Neo4j: https://neo4j.com/docs/graph-data-science/current/algorithms/louvain/
- Graphology: https://graphology.github.io/standard-library/communities-louvain.html
- igraph: https://igraph.org/r/doc/cluster_louvain.html
**Application to Code Analysis:**
```
Dependency Graph:
User.ts → Email.ts, UserId.ts
Order.ts → OrderId.ts, Money.ts
UserController.ts → User.ts, CreateUser.ts
Louvain detects communities:
Community 1: [User.ts, Email.ts, UserId.ts] // User aggregate
Community 2: [Order.ts, OrderId.ts, Money.ts] // Order aggregate
Community 3: [UserController.ts, CreateUser.ts] // User feature
```
---
### 4.2 Modularity as Quality Metric
**Wikipedia:** https://en.wikipedia.org/wiki/Modularity_(networks)
**Definition:** Modularity measures the strength of division of a network into modules (groups, clusters, communities). Networks with high modularity have dense connections within modules but sparse connections between modules.
**Interpretation:**
| Modularity Value | Interpretation |
|------------------|----------------|
| Q < 0 | Non-modular (worse than random) |
| 0 < Q < 0.3 | Weak community structure |
| 0.3 < Q < 0.5 | Moderate community structure |
| Q > 0.5 | Strong community structure |
| Q → 1 | Perfect modularity |
**Research Reference:** "Fast Algorithm for Modularity-Based Graph Clustering" - https://cdn.aaai.org/ojs/8455/8455-13-11983-1-2-20201228.pdf
---
### 4.3 Graph-Based Software Modularization
**Research Paper:** "A graph-based clustering algorithm for software systems modularization"
**Source:** ScienceDirect - https://www.sciencedirect.com/science/article/abs/pii/S0950584920302147
**Key Points:**
- Clustering algorithms partition source code into manageable modules
- Resulting decomposition is called software system structure
- Due to NP-hardness, evolutionary approaches are commonly used
- Objectives:
- Minimize inter-cluster connections
- Maximize intra-cluster connections
- Maximize overall clustering quality
---
### 4.4 Topological Sorting for Layer Detection
**Algorithm Description:**
Layers can be inferred from dependency graph topology:
- **Layer 0 (Domain)**: Nodes with no outgoing dependencies to other layers
- **Layer 1 (Application)**: Nodes depending only on Layer 0
- **Layer 2+ (Infrastructure)**: Nodes depending on lower layers
**Pseudocode:**
```
function detectLayers(graph):
layers = Map()
visited = Set()
function dfs(node):
if layers.has(node): return layers.get(node)
if visited.has(node): return 0 // Cycle detected
visited.add(node)
deps = graph.getDependencies(node)
if deps.isEmpty():
layers.set(node, 0) // Leaf node = Domain
return 0
maxDepth = max(deps.map(dfs))
layers.set(node, maxDepth + 1)
return maxDepth + 1
graph.nodes.forEach(dfs)
return layers
```
**Limitation:** Assumes acyclic graph; circular dependencies break this approach.
---
### 4.5 Graph Metrics for Code Quality Assessment
**Useful Metrics:**
| Metric | Description | Good Value |
|--------|-------------|------------|
| Modularity | Clustering quality | > 0.3 |
| Density | Edge/node ratio | Low for good separation |
| Clustering Coefficient | Local clustering | Domain-dependent |
| Cyclic Rate | % of circular deps | < 0.1 (10%) |
| Average Path Length | Mean dependency distance | Lower = more coupled |
**Code Quality Interpretation:**
```
if cyclicRate > 0.5:
return "SPAGHETTI" // Cannot determine architecture
if modularity < 0.2:
return "MONOLITH" // No clear separation
if modularity > 0.5:
return "WELL_STRUCTURED" // Can determine layers
return "MODERATE"
```
---
## 5. Configuration Patterns and Best Practices
### 5.1 Pattern Hierarchy
**Level 1: Minimal Configuration**
```json
{
"architecture": "clean-architecture"
}
```
**Level 2: Custom Paths**
```json
{
"architecture": "clean-architecture",
"layers": {
"domain": ["src/core", "src/domain"],
"application": ["src/app", "src/use-cases"],
"infrastructure": ["src/infra", "src/adapters"]
}
}
```
**Level 3: Full Control**
```json
{
"layers": [
{
"name": "domain",
"patterns": ["src/domain/**", "**/*.entity.ts"],
"allowDependOn": []
},
{
"name": "application",
"patterns": ["src/application/**", "**/*.use-case.ts"],
"allowDependOn": ["domain"]
},
{
"name": "infrastructure",
"patterns": ["src/infrastructure/**", "**/*.controller.ts"],
"allowDependOn": ["domain", "application"]
}
]
}
```
---
### 5.2 Architecture Drift Detection in CI/CD
**Best Practices from Industry:**
**Source:** Firefly Academy - https://www.firefly.ai/academy/implementing-continuous-drift-detection-in-ci-cd-pipelines-with-github-actions-workflow
**Source:** Brainboard Blog - https://blog.brainboard.co/drift-detection-best-practices/
**Key Recommendations:**
1. **Integrate into Pipeline**: Validate architecture on every code update
2. **Continuous Monitoring**: Run automated scans daily minimum, hourly for active projects
3. **Enforce IaC-Only Changes**: All changes through automated workflows
4. **Automated Reconciliation**: Regular drift detection and correction
5. **Proper Alerting**: Slack for minor drift, PagerDuty for critical
6. **Least Privilege**: Limit who can bypass architecture checks
7. **Emergency Process**: Document process for urgent manual changes
8. **Environment Refresh**: Reset after each pipeline run
**Example GitHub Actions Integration:**
```yaml
name: Architecture Check
on: [push, pull_request]
jobs:
architecture:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check Architecture
run: npx guardian check --strict
- name: Generate Report
if: failure()
run: npx guardian report --format html
- name: Upload Report
if: failure()
uses: actions/upload-artifact@v3
with:
name: architecture-report
path: architecture-report.html
```
---
### 5.3 Presets for Common Architectures
**Clean Architecture Preset:**
```json
{
"preset": "clean-architecture",
"layers": {
"domain": {
"patterns": ["**/domain/**", "**/entities/**", "**/core/**"],
"allowDependOn": []
},
"application": {
"patterns": ["**/application/**", "**/use-cases/**", "**/services/**"],
"allowDependOn": ["domain"]
},
"infrastructure": {
"patterns": ["**/infrastructure/**", "**/adapters/**", "**/api/**"],
"allowDependOn": ["domain", "application"]
}
}
}
```
**Hexagonal Architecture Preset:**
```json
{
"preset": "hexagonal",
"layers": {
"core": {
"patterns": ["**/core/**", "**/domain/**"],
"allowDependOn": []
},
"ports": {
"patterns": ["**/ports/**"],
"allowDependOn": ["core"]
},
"adapters": {
"patterns": ["**/adapters/**", "**/infrastructure/**"],
"allowDependOn": ["core", "ports"]
}
}
}
```
**NestJS Preset:**
```json
{
"preset": "nestjs",
"layers": {
"domain": {
"patterns": ["**/*.entity.ts", "**/entities/**"],
"allowDependOn": []
},
"application": {
"patterns": ["**/*.service.ts", "**/*.use-case.ts"],
"allowDependOn": ["domain"]
},
"infrastructure": {
"patterns": ["**/*.controller.ts", "**/*.module.ts", "**/*.resolver.ts"],
"allowDependOn": ["domain", "application"]
}
}
}
```
---
## 6. Industry Consensus
### 6.1 Why Major Tools Don't Auto-Detect
| Tool | Auto-Detection | Reasoning |
|------|----------------|-----------|
| ArchUnit | ❌ No | "User knows their architecture best" |
| eslint-plugin-boundaries | ❌ No | "Too many structure variations" |
| Nx | ❌ No | "Tag-based approach is more flexible" |
| dependency-cruiser | ❌ No | "Regex patterns cover all cases" |
| SonarQube | ⚠️ Partial | "Basic analysis + config for accuracy" |
### 6.2 Common Themes Across Tools
1. **Explicit Configuration**: All tools require user-defined rules
2. **Pattern Matching**: Glob/regex patterns are universal
3. **Layered Rules**: Allow/deny dependencies between layers
4. **CI/CD Integration**: All support pipeline integration
5. **Visualization**: Optional but valuable for understanding
### 6.3 Graph Analysis Position
Graph analysis is used for:
- ✅ Circular dependency detection
- ✅ Visualization
- ✅ Metrics calculation
- ✅ Suggestion generation
Graph analysis is NOT used for:
- ❌ Primary layer detection
- ❌ Automatic architecture classification
- ❌ Rule enforcement
---
## 7. Recommendations for Guardian
### 7.1 Recommended Architecture
```
┌─────────────────────────────────────────────────────────────┐
│ Configuration Layer │
├─────────────────────────────────────────────────────────────┤
│ .guardianrc.json │ package.json │ CLI args │ Interactive │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Strategy Resolver │
├─────────────────────────────────────────────────────────────┤
│ 1. Explicit Config (if .guardianrc.json exists) │
│ 2. Preset Detection (if preset specified) │
│ 3. Smart Defaults (standard patterns) │
│ 4. Generic Mode (fallback - minimal checks) │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Analysis Engine │
├─────────────────────────────────────────────────────────────┤
│ Pattern Matcher │ Layer Detector │ Dependency Analyzer │
└─────────────────────────────────────────────────────────────┘
```
### 7.2 Implementation Priorities
**Phase 1: Configuration File Support**
- Add `.guardianrc.json` parser
- Support custom layer patterns
- Support custom DDD folder names
- Validate configuration on load
**Phase 2: Presets System**
- Clean Architecture preset
- Hexagonal Architecture preset
- NestJS preset
- Feature-based preset
**Phase 3: Smart Defaults**
- Try standard folder names first
- Fall back to file naming patterns
- Support common conventions
**Phase 4: Interactive Setup**
- `guardian init` command
- Project structure scanning
- Configuration file generation
- Preset recommendations
**Phase 5: Generic Mode**
- Minimal checks without layer knowledge
- Hardcode detection
- Secret detection
- Circular dependency detection
- Basic naming conventions
### 7.3 Graph Analysis - Optional Feature Only
Graph analysis should be:
- **Optional**: Not required for basic functionality
- **Informational**: For visualization and metrics
- **Suggestive**: Can propose configuration, not enforce it
**CLI Commands:**
```bash
guardian analyze --graph --output deps.svg # Visualization
guardian metrics # Quality metrics
guardian suggest # Configuration suggestions
```
---
## 8. Additional Resources
### Official Documentation
- ArchUnit: https://www.archunit.org/userguide/html/000_Index.html
- eslint-plugin-boundaries: https://github.com/javierbrea/eslint-plugin-boundaries
- SonarQube Architecture: https://docs.sonarsource.com/sonarqube-server/design-and-architecture/overview/
- Nx Module Boundaries: https://nx.dev/docs/features/enforce-module-boundaries
- dependency-cruiser: https://github.com/sverweij/dependency-cruiser
### Academic Papers
- Software Architecture Recovery (Wikipedia): https://en.wikipedia.org/wiki/Software_architecture_recovery
- ACDC Algorithm: https://www.researchgate.net/publication/221200422_ACDC_An_Algorithm_for_Comprehension-Driven_Clustering
- Louvain Method: https://en.wikipedia.org/wiki/Louvain_method
- Graph Modularity: https://en.wikipedia.org/wiki/Modularity_(networks)
- LLM-based SAR: https://link.springer.com/chapter/10.1007/978-3-032-02138-0_5
### Tutorials and Guides
- Clean Architecture Validation: https://betterprogramming.pub/validate-dependencies-according-to-clean-architecture-743077ea084c
- Drift Detection Best Practices: https://blog.brainboard.co/drift-detection-best-practices/
- Louvain Algorithm Tutorial: https://medium.com/data-science-in-your-pocket/community-detection-in-a-graph-using-louvain-algorithm-with-example-7a77e5e4b079
### Related Books
- **Clean Architecture** by Robert C. Martin (2017) - ISBN: 978-0134494166
- **Domain-Driven Design** by Eric Evans (2003) - ISBN: 978-0321125217
- **Implementing Domain-Driven Design** by Vaughn Vernon (2013) - ISBN: 978-0321834577
---
## Conclusion
The research conclusively shows that **automatic architecture detection is unreliable** and **not used by major industry tools**. The recommended approach for Guardian is:
1. **Configuration-first**: Support explicit layer definitions via `.guardianrc.json`
2. **Pattern-based**: Use glob/regex patterns for flexible matching
3. **Presets**: Provide pre-configured patterns for common architectures
4. **Smart defaults**: Try standard conventions when no config exists
5. **Generic fallback**: Provide useful checks even without architecture knowledge
6. **Graph analysis as optional**: Use for visualization and suggestions only
This approach aligns with industry best practices from ArchUnit, eslint-plugin-boundaries, SonarQube, Nx, and dependency-cruiser.
---
**Document Version**: 1.0
**Last Updated**: 2025-11-27
**Author**: Guardian Research Team
**Questions or contributions?**
- 📧 Email: fozilbek.samiyev@gmail.com
- 🐙 GitHub: https://github.com/samiyev/puaros/issues
**Based on research as of**: November 2025

0
packages/guardian/ROADMAP_NEW.md → packages/guardian/docs/ROADMAP_NEW.md
View File

207
packages/guardian/docs/WHY.md
View File

@@ -10,6 +10,10 @@ Guardian's detection rules are not invented - they're based on decades of softwa
- [Entity Exposure](#entity-exposure)
- [Repository Pattern](#repository-pattern)
- [Naming Conventions](#naming-conventions)
- [Anemic Domain Model Detection](#anemic-domain-model-detection)
- [Aggregate Boundary Validation](#aggregate-boundary-validation)
- [Secret Detection](#secret-detection)
- [Severity-Based Prioritization](#severity-based-prioritization)
- [Full Research Citations](#full-research-citations)
---
@@ -319,6 +323,192 @@ Consistent naming:
---
## Anemic Domain Model Detection
### Why it matters
Anemic domain models violate core OOP principles:
-**No behavior** - Entities become data bags with only getters/setters
-**Logic in services** - Business logic scattered across service layers
-**Violates OOP** - Separates data from behavior
-**Higher complexity** - Loses benefits of domain modeling
### Who says so?
**Martin Fowler's Original Anti-Pattern:**
- **Blog Post: "Anemic Domain Model"** (November 25, 2003)
> "The basic symptom of an Anemic Domain Model is that at first blush it looks like the real thing. There are objects, many named after the nouns in the domain space... The catch comes when you look at the behavior, and you realize that there is hardly any behavior on these objects."
- Published over 20 years ago, still relevant today
- [Read Fowler's post](https://martinfowler.com/bliki/AnemicDomainModel.html)
**Why It's an Anti-pattern:**
> "This is contrary to the basic idea of object-oriented design; which is to combine data and process together."
- Incurs all costs of domain model without any benefits
- Logic should be in domain objects: validations, calculations, business rules
- [Wikipedia - Anemic Domain Model](https://en.wikipedia.org/wiki/Anemic_domain_model)
**Rich Domain Model vs Transaction Script:**
- **Transaction Script**: Good for simple logic (Fowler, 2002)
- **Rich Domain Model**: Better for complex, ever-changing business rules
- Can refactor from Transaction Script to Domain Model, but it's harder than starting right
- [Martin Fowler - Transaction Script](https://martinfowler.com/eaaCatalog/transactionScript.html)
**Domain-Driven Design Context:**
- **Eric Evans (2003)**: Entities should have both identity AND behavior
- Anemic models violate DDD by separating data from behavior
- [Stack Overflow discussion](https://stackoverflow.com/questions/6293981/concrete-examples-on-why-the-anemic-domain-model-is-considered-an-anti-pattern)
[Read full research →](./RESEARCH_CITATIONS.md#11-anemic-domain-model-detection)
---
## Aggregate Boundary Validation
### Why it matters
Proper aggregate boundaries ensure:
-**Consistency** - Atomic changes within boundaries
-**Low coupling** - Aggregates are loosely connected
-**Clear transactions** - One aggregate = one transaction
-**Maintainability** - Boundaries prevent complexity spread
### The Rules
**Vaughn Vernon's Four Rules (2013):**
1. **Model True Invariants in Consistency Boundaries**
2. **Design Small Aggregates**
3. **Reference Other Aggregates by Identity**
4. **Use Eventual Consistency Outside the Boundary**
### Who says so?
**Eric Evans: Domain-Driven Design (2003)**
- **Original Definition**:
> "A cluster of associated objects that we treat as a unit for the purpose of data changes"
- An aggregate defines a consistency boundary
- Exactly one entity is the aggregate root
- [Microsoft Learn - Tactical DDD](https://learn.microsoft.com/en-us/azure/architecture/microservices/model/tactical-ddd)
**Vaughn Vernon: Implementing Domain-Driven Design (2013)**
- **Chapter 10: Aggregates** (Page 347)
- ISBN: 978-0321834577
- Comprehensive rules for aggregate design
- Three-part essay series: "Effective Aggregate Design"
- [Available at Kalele](https://kalele.io/effective-aggregate-design/)
**Why Boundaries Matter:**
- **Transactional Boundary**: Changes must be atomic
- **Reference by ID**: No direct entity references across aggregates
- **Prevents tight coupling**: Maintains clear boundaries
- [Medium - Mastering Aggregate Design](https://medium.com/ssense-tech/ddd-beyond-the-basics-mastering-aggregate-design-26591e218c8c)
**Microsoft Azure Documentation:**
- Official guide for microservices architecture
- Comprehensive aggregate boundary patterns
- [Microsoft Learn - Tactical DDD](https://learn.microsoft.com/en-us/azure/architecture/microservices/model/tactical-ddd)
[Read full research →](./RESEARCH_CITATIONS.md#12-aggregate-boundary-validation-ddd-tactical-patterns)
---
## Secret Detection
### Why it matters
Hardcoded secrets create critical security risks:
- 🔴 **Data breaches** - Exposed credentials lead to unauthorized access
- 🔴 **Production incidents** - Leaked tokens cause service disruptions
- 🔴 **Compliance violations** - GDPR, PCI-DSS, SOC 2 requirements
- 🔴 **Impossible to rotate** - Secrets in code are difficult to change
### Who says so?
**OWASP Security Standards:**
- **OWASP Secrets Management Cheat Sheet**
> "Secrets should not be hardcoded, should not be unencrypted, and should not be stored in source code."
- Official best practices from OWASP Foundation
- [Read the cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)
- **OWASP Hardcoded Password Vulnerability**
> "It is never a good idea to hardcode a password, as it allows all of the project's developers to view the password and makes fixing the problem extremely difficult."
- [OWASP Documentation](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)
**GitHub Secret Scanning:**
- **Official GitHub Documentation**
- Automatically scans 350+ secret patterns
- Detects AWS, GitHub, NPM, SSH, GCP, Slack tokens
- AI-powered detection with Copilot Secret Scanning
- [GitHub Docs](https://docs.github.com/code-security/secret-scanning/about-secret-scanning)
**Key Security Principles:**
- **Centralized Management**: Use purpose-built secret management tools
- **Prevention Tools**: Pre-commit hooks to prevent secrets entering codebase
- **Encryption at Rest**: Never store secrets in plaintext
- [OWASP SAMM - Secret Management](https://owaspsamm.org/model/implementation/secure-deployment/stream-b/)
**Mobile Security:**
- OWASP: "Secrets security is the most important issue for mobile applications"
- Only safe way: keep secrets off the client side entirely
- [GitGuardian - OWASP Top 10 Mobile](https://blog.gitguardian.com/owasp-top-10-for-mobile-secrets/)
[Read full research →](./RESEARCH_CITATIONS.md#13-secret-detection--security)
---
## Severity-Based Prioritization
### Why it matters
Severity classification enables:
-**Focus on critical issues** - Fix what matters most first
-**Reduced technical debt** - Prioritize based on impact
-**Better CI/CD integration** - Fail builds on critical issues only
-**Team efficiency** - Don't waste time on low-impact issues
### Who says so?
**Academic Research:**
- **Systematic Literature Review (2020)**
- Title: "A systematic literature review on Technical Debt prioritization"
- Analyzed 557 papers, included 44 primary studies
- Finding: Need for consensus on severity factors
- [ScienceDirect](https://www.sciencedirect.com/science/article/pii/S016412122030220X)
- **IEEE Conference Paper (2021)**
- "Technical Debt Prioritization: Taxonomy, Methods Results"
- Reviewed 112 studies
- Classified methods in 10 categories
- [IEEE Xplore](https://ieeexplore.ieee.org/document/9582595/)
- **Software Quality Journal (2023)**
- "Identifying the severity of technical debt issues"
- Problem: Most studies ignore severity degree
- Proposed semantic + structural approach
- [Springer](https://link.springer.com/article/10.1007/s11219-023-09651-3)
**SonarQube Industry Standard:**
- **Current Classification (10.2+)**:
- **Blocker/High**: Severe unintended consequences, fix immediately
- **Medium**: Impacts developer productivity
- **Low**: Slight impact on productivity
- **Info**: No expected impact
- [SonarQube Docs](https://docs.sonarsource.com/sonarqube-server/user-guide/code-metrics/metrics-definition)
**Real-World Impact:**
- Development teams integrate models into CI/CD pipelines
- Automatically flag potential TD issues during code reviews
- Prioritize based on severity
- [arXiv - Technical Debt Management](https://arxiv.org/html/2403.06484v1)
**Business Alignment:**
- "Aligning Technical Debt Prioritization with Business Objectives" (2018)
- Multiple-case study demonstrating importance
- [ResearchGate](https://www.researchgate.net/publication/328903587_Aligning_Technical_Debt_Prioritization_with_Business_Objectives_A_Multiple-Case_Study)
[Read full research →](./RESEARCH_CITATIONS.md#14-severity-based-prioritization--technical-debt)
---
## Full Research Citations
For complete academic papers, books, and authoritative sources, see:
@@ -354,8 +544,9 @@ Guardian's rules align with international standards:
Guardian's rules are backed by:
**5 Seminal Books** (1993-2017)
**6 Seminal Books** (1993-2017)
- Clean Architecture (Robert C. Martin, 2017)
- Implementing Domain-Driven Design (Vaughn Vernon, 2013)
- Domain-Driven Design (Eric Evans, 2003)
- Patterns of Enterprise Application Architecture (Martin Fowler, 2002)
- Refactoring (Martin Fowler, 1999)
@@ -363,9 +554,16 @@ Guardian's rules are backed by:
**Academic Research** (1976-2024)
- MIT Course 6.031
- ScienceDirect peer-reviewed studies
- ScienceDirect peer-reviewed studies (2020-2023)
- IEEE Conference papers on Technical Debt
- Software Quality Journal (2023)
- Cyclomatic Complexity (Thomas McCabe, 1976)
**Security Standards**
- OWASP Secrets Management Cheat Sheet
- GitHub Secret Scanning (350+ patterns)
- OWASP Top 10 for Mobile
**International Standards**
- ISO/IEC 25010:2011
@@ -373,10 +571,11 @@ Guardian's rules are backed by:
- Google, Microsoft, Airbnb style guides
- SonarQube (400,000+ organizations)
- AWS documentation
- GitHub security practices
**Thought Leaders**
- Martin Fowler, Robert C. Martin (Uncle Bob), Eric Evans
- Alistair Cockburn, Kent Beck, Thomas McCabe
- Vaughn Vernon, Alistair Cockburn, Kent Beck, Thomas McCabe
---
@@ -388,4 +587,4 @@ Guardian's rules are backed by:
---
*Last updated: 2025-11-24*
*Last updated: 2025-11-26*

38
packages/guardian/examples/bad/domain/entities/anemic-model-only-getters-setters.ts Normal file
View File

@@ -0,0 +1,38 @@
/**
* BAD EXAMPLE: Anemic Domain Model
*
* This Order class only has getters and setters without any business logic.
* All business logic is likely scattered in services (procedural approach).
*
* This violates Domain-Driven Design principles.
*/
class Order {
private status: string
private total: number
private items: any[]
getStatus(): string {
return this.status
}
setStatus(status: string): void {
this.status = status
}
getTotal(): number {
return this.total
}
setTotal(total: number): void {
this.total = total
}
getItems(): any[] {
return this.items
}
setItems(items: any[]): void {
this.items = items
}
}

34
packages/guardian/examples/bad/domain/entities/anemic-model-public-setters.ts Normal file
View File

@@ -0,0 +1,34 @@
/**
* BAD EXAMPLE: Anemic Domain Model with Public Setters
*
* This User class has public setters which is an anti-pattern in DDD.
* Public setters allow uncontrolled state changes without validation or business rules.
*
* This violates Domain-Driven Design principles and encapsulation.
*/
class User {
private email: string
private password: string
private status: string
public setEmail(email: string): void {
this.email = email
}
public getEmail(): string {
return this.email
}
public setPassword(password: string): void {
this.password = password
}
public setStatus(status: string): void {
this.status = status
}
public getStatus(): string {
return this.status
}
}

139
packages/guardian/examples/good-architecture/domain/entities/Customer.ts Normal file
View File

@@ -0,0 +1,139 @@
/**
* GOOD EXAMPLE: Rich Domain Model with Business Logic
*
* This Customer class encapsulates business rules and state transitions.
* No public setters - all changes go through business methods.
*
* This follows Domain-Driven Design and encapsulation principles.
*/
interface Address {
street: string
city: string
country: string
postalCode: string
}
interface DomainEvent {
type: string
data: any
}
class Customer {
private readonly id: string
private email: string
private isActive: boolean
private loyaltyPoints: number
private address: Address | null
private readonly events: DomainEvent[] = []
constructor(id: string, email: string) {
this.id = id
this.email = email
this.isActive = true
this.loyaltyPoints = 0
this.address = null
}
public activate(): void {
if (this.isActive) {
throw new Error("Customer is already active")
}
this.isActive = true
this.events.push({
type: "CustomerActivated",
data: { customerId: this.id },
})
}
public deactivate(reason: string): void {
if (!this.isActive) {
throw new Error("Customer is already inactive")
}
this.isActive = false
this.events.push({
type: "CustomerDeactivated",
data: { customerId: this.id, reason },
})
}
public changeEmail(newEmail: string): void {
if (!this.isValidEmail(newEmail)) {
throw new Error("Invalid email format")
}
if (this.email === newEmail) {
return
}
const oldEmail = this.email
this.email = newEmail
this.events.push({
type: "EmailChanged",
data: { customerId: this.id, oldEmail, newEmail },
})
}
public updateAddress(address: Address): void {
if (!this.isValidAddress(address)) {
throw new Error("Invalid address")
}
this.address = address
this.events.push({
type: "AddressUpdated",
data: { customerId: this.id },
})
}
public addLoyaltyPoints(points: number): void {
if (points <= 0) {
throw new Error("Points must be positive")
}
if (!this.isActive) {
throw new Error("Cannot add points to inactive customer")
}
this.loyaltyPoints += points
this.events.push({
type: "LoyaltyPointsAdded",
data: { customerId: this.id, points },
})
}
public redeemLoyaltyPoints(points: number): void {
if (points <= 0) {
throw new Error("Points must be positive")
}
if (this.loyaltyPoints < points) {
throw new Error("Insufficient loyalty points")
}
this.loyaltyPoints -= points
this.events.push({
type: "LoyaltyPointsRedeemed",
data: { customerId: this.id, points },
})
}
public getEmail(): string {
return this.email
}
public getLoyaltyPoints(): number {
return this.loyaltyPoints
}
public getAddress(): Address | null {
return this.address ? { ...this.address } : null
}
public getEvents(): DomainEvent[] {
return [...this.events]
}
private isValidEmail(email: string): boolean {
return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)
}
private isValidAddress(address: Address): boolean {
return !!address.street && !!address.city && !!address.country && !!address.postalCode
}
}
export { Customer }

104
packages/guardian/examples/good-architecture/domain/entities/Order.ts Normal file
View File

@@ -0,0 +1,104 @@
/**
* GOOD EXAMPLE: Rich Domain Model
*
* This Order class contains business logic and enforces business rules.
* State changes are made through business methods, not setters.
*
* This follows Domain-Driven Design principles.
*/
type OrderStatus = "pending" | "approved" | "rejected" | "shipped"
interface OrderItem {
productId: string
quantity: number
price: number
}
interface DomainEvent {
type: string
data: any
}
class Order {
private readonly id: string
private status: OrderStatus
private items: OrderItem[]
private readonly events: DomainEvent[] = []
constructor(id: string, items: OrderItem[]) {
this.id = id
this.status = "pending"
this.items = items
}
public approve(): void {
if (!this.canBeApproved()) {
throw new Error("Cannot approve order in current state")
}
this.status = "approved"
this.events.push({
type: "OrderApproved",
data: { orderId: this.id },
})
}
public reject(reason: string): void {
if (!this.canBeRejected()) {
throw new Error("Cannot reject order in current state")
}
this.status = "rejected"
this.events.push({
type: "OrderRejected",
data: { orderId: this.id, reason },
})
}
public ship(): void {
if (!this.canBeShipped()) {
throw new Error("Order must be approved before shipping")
}
this.status = "shipped"
this.events.push({
type: "OrderShipped",
data: { orderId: this.id },
})
}
public addItem(item: OrderItem): void {
if (this.status !== "pending") {
throw new Error("Cannot modify approved or shipped order")
}
this.items.push(item)
}
public calculateTotal(): number {
return this.items.reduce((sum, item) => sum + item.price * item.quantity, 0)
}
public getStatus(): OrderStatus {
return this.status
}
public getItems(): OrderItem[] {
return [...this.items]
}
public getEvents(): DomainEvent[] {
return [...this.events]
}
private canBeApproved(): boolean {
return this.status === "pending" && this.items.length > 0
}
private canBeRejected(): boolean {
return this.status === "pending"
}
private canBeShipped(): boolean {
return this.status === "approved"
}
}
export { Order }

10
packages/guardian/package.json
View File

@@ -1,7 +1,7 @@
{
"name": "@samiyev/guardian",
"version": "0.7.9",
"description": "Research-backed code quality guardian for AI-assisted development. Detects hardcodes, circular deps, framework leaks, entity exposure, and 8 architecture violations. Enforces Clean Architecture/DDD principles. Works with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline, and any AI coding tool.",
"version": "0.9.4",
"description": "Research-backed code quality guardian for AI-assisted development. Detects hardcodes, secrets, circular deps, framework leaks, entity exposure, and 9 architecture violations. Enforces Clean Architecture/DDD principles. Works with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline, and any AI coding tool.",
"keywords": [
"puaros",
"guardian",
@@ -40,7 +40,7 @@
"license": "MIT",
"repository": {
"type": "git",
"url": "https://github.com/samiyev/puaros.git",
"url": "git+https://github.com/samiyev/puaros.git",
"directory": "packages/guardian"
},
"bugs": {
@@ -82,6 +82,10 @@
"guardian": "./bin/guardian.js"
},
"dependencies": {
"@secretlint/core": "^11.2.5",
"@secretlint/node": "^11.2.5",
"@secretlint/secretlint-rule-preset-recommend": "^11.2.5",
"@secretlint/types": "^11.2.5",
"commander": "^12.1.0",
"simple-git": "^3.30.0",
"tree-sitter": "^0.21.1",

13
packages/guardian/src/api.ts
View File

@@ -12,6 +12,9 @@ import { IEntityExposureDetector } from "./domain/services/IEntityExposureDetect
import { IDependencyDirectionDetector } from "./domain/services/IDependencyDirectionDetector"
import { IRepositoryPatternDetector } from "./domain/services/RepositoryPatternDetectorService"
import { IAggregateBoundaryDetector } from "./domain/services/IAggregateBoundaryDetector"
import { ISecretDetector } from "./domain/services/ISecretDetector"
import { IAnemicModelDetector } from "./domain/services/IAnemicModelDetector"
import { IDuplicateValueTracker } from "./domain/services/IDuplicateValueTracker"
import { FileScanner } from "./infrastructure/scanners/FileScanner"
import { CodeParser } from "./infrastructure/parsers/CodeParser"
import { HardcodeDetector } from "./infrastructure/analyzers/HardcodeDetector"
@@ -21,6 +24,9 @@ import { EntityExposureDetector } from "./infrastructure/analyzers/EntityExposur
import { DependencyDirectionDetector } from "./infrastructure/analyzers/DependencyDirectionDetector"
import { RepositoryPatternDetector } from "./infrastructure/analyzers/RepositoryPatternDetector"
import { AggregateBoundaryDetector } from "./infrastructure/analyzers/AggregateBoundaryDetector"
import { SecretDetector } from "./infrastructure/analyzers/SecretDetector"
import { AnemicModelDetector } from "./infrastructure/analyzers/AnemicModelDetector"
import { DuplicateValueTracker } from "./infrastructure/analyzers/DuplicateValueTracker"
import { ERROR_MESSAGES } from "./shared/constants"
/**
@@ -79,6 +85,9 @@ export async function analyzeProject(
new DependencyDirectionDetector()
const repositoryPatternDetector: IRepositoryPatternDetector = new RepositoryPatternDetector()
const aggregateBoundaryDetector: IAggregateBoundaryDetector = new AggregateBoundaryDetector()
const secretDetector: ISecretDetector = new SecretDetector()
const anemicModelDetector: IAnemicModelDetector = new AnemicModelDetector()
const duplicateValueTracker: IDuplicateValueTracker = new DuplicateValueTracker()
const useCase = new AnalyzeProject(
fileScanner,
codeParser,
@@ -89,6 +98,9 @@ export async function analyzeProject(
dependencyDirectionDetector,
repositoryPatternDetector,
aggregateBoundaryDetector,
secretDetector,
anemicModelDetector,
duplicateValueTracker,
)
const result = await useCase.execute(options)
@@ -112,5 +124,6 @@ export type {
DependencyDirectionViolation,
RepositoryPatternViolation,
AggregateBoundaryViolation,
AnemicModelViolation,
ProjectMetrics,
} from "./application/use-cases/AnalyzeProject"

67
packages/guardian/src/application/use-cases/AnalyzeProject.ts
View File

@@ -9,12 +9,15 @@ import { IEntityExposureDetector } from "../../domain/services/IEntityExposureDe
import { IDependencyDirectionDetector } from "../../domain/services/IDependencyDirectionDetector"
import { IRepositoryPatternDetector } from "../../domain/services/RepositoryPatternDetectorService"
import { IAggregateBoundaryDetector } from "../../domain/services/IAggregateBoundaryDetector"
import { ISecretDetector } from "../../domain/services/ISecretDetector"
import { IAnemicModelDetector } from "../../domain/services/IAnemicModelDetector"
import { IDuplicateValueTracker } from "../../domain/services/IDuplicateValueTracker"
import { SourceFile } from "../../domain/entities/SourceFile"
import { DependencyGraph } from "../../domain/entities/DependencyGraph"
import { FileCollectionStep } from "./pipeline/FileCollectionStep"
import { ParsingStep } from "./pipeline/ParsingStep"
import { DetectionPipeline } from "./pipeline/DetectionPipeline"
import { ResultAggregator } from "./pipeline/ResultAggregator"
import { CollectFiles } from "./pipeline/CollectFiles"
import { ParseSourceFiles } from "./pipeline/ParseSourceFiles"
import { ExecuteDetection } from "./pipeline/ExecuteDetection"
import { AggregateResults } from "./pipeline/AggregateResults"
import {
ERROR_MESSAGES,
HARDCODE_TYPES,
@@ -42,6 +45,8 @@ export interface AnalyzeProjectResponse {
dependencyDirectionViolations: DependencyDirectionViolation[]
repositoryPatternViolations: RepositoryPatternViolation[]
aggregateBoundaryViolations: AggregateBoundaryViolation[]
secretViolations: SecretViolation[]
anemicModelViolations: AnemicModelViolation[]
metrics: ProjectMetrics
}
@@ -58,8 +63,9 @@ export interface HardcodeViolation {
type:
| typeof HARDCODE_TYPES.MAGIC_NUMBER
| typeof HARDCODE_TYPES.MAGIC_STRING
| typeof HARDCODE_TYPES.MAGIC_BOOLEAN
| typeof HARDCODE_TYPES.MAGIC_CONFIG
value: string | number
value: string | number | boolean
file: string
line: number
column: number
@@ -163,6 +169,32 @@ export interface AggregateBoundaryViolation {
severity: SeverityLevel
}
export interface SecretViolation {
rule: typeof RULES.SECRET_EXPOSURE
secretType: string
file: string
line: number
column: number
message: string
suggestion: string
severity: SeverityLevel
}
export interface AnemicModelViolation {
rule: typeof RULES.ANEMIC_MODEL
className: string
file: string
layer: string
line?: number
methodCount: number
propertyCount: number
hasOnlyGettersSetters: boolean
hasPublicSetters: boolean
message: string
suggestion: string
severity: SeverityLevel
}
export interface ProjectMetrics {
totalFiles: number
totalFunctions: number
@@ -178,11 +210,12 @@ export class AnalyzeProject extends UseCase<
AnalyzeProjectRequest,
ResponseDto<AnalyzeProjectResponse>
> {
private readonly fileCollectionStep: FileCollectionStep
private readonly parsingStep: ParsingStep
private readonly detectionPipeline: DetectionPipeline
private readonly resultAggregator: ResultAggregator
private readonly fileCollectionStep: CollectFiles
private readonly parsingStep: ParseSourceFiles
private readonly detectionPipeline: ExecuteDetection
private readonly resultAggregator: AggregateResults
// eslint-disable-next-line max-params
constructor(
fileScanner: IFileScanner,
codeParser: ICodeParser,
@@ -193,11 +226,14 @@ export class AnalyzeProject extends UseCase<
dependencyDirectionDetector: IDependencyDirectionDetector,
repositoryPatternDetector: IRepositoryPatternDetector,
aggregateBoundaryDetector: IAggregateBoundaryDetector,
secretDetector: ISecretDetector,
anemicModelDetector: IAnemicModelDetector,
duplicateValueTracker: IDuplicateValueTracker,
) {
super()
this.fileCollectionStep = new FileCollectionStep(fileScanner)
this.parsingStep = new ParsingStep(codeParser)
this.detectionPipeline = new DetectionPipeline(
this.fileCollectionStep = new CollectFiles(fileScanner)
this.parsingStep = new ParseSourceFiles(codeParser)
this.detectionPipeline = new ExecuteDetection(
hardcodeDetector,
namingConventionDetector,
frameworkLeakDetector,
@@ -205,8 +241,11 @@ export class AnalyzeProject extends UseCase<
dependencyDirectionDetector,
repositoryPatternDetector,
aggregateBoundaryDetector,
secretDetector,
anemicModelDetector,
duplicateValueTracker,
)
this.resultAggregator = new ResultAggregator()
this.resultAggregator = new AggregateResults()
}
public async execute(
@@ -224,7 +263,7 @@ export class AnalyzeProject extends UseCase<
rootDir: request.rootDir,
})
const detectionResult = this.detectionPipeline.execute({
const detectionResult = await this.detectionPipeline.execute({
sourceFiles,
dependencyGraph,
})

8
packages/guardian/src/application/use-cases/pipeline/ResultAggregator.ts → packages/guardian/src/application/use-cases/pipeline/AggregateResults.ts
View File

@@ -3,6 +3,7 @@ import { DependencyGraph } from "../../../domain/entities/DependencyGraph"
import type {
AggregateBoundaryViolation,
AnalyzeProjectResponse,
AnemicModelViolation,
ArchitectureViolation,
CircularDependencyViolation,
DependencyDirectionViolation,
@@ -12,6 +13,7 @@ import type {
NamingConventionViolation,
ProjectMetrics,
RepositoryPatternViolation,
SecretViolation,
} from "../AnalyzeProject"
export interface AggregationRequest {
@@ -27,12 +29,14 @@ export interface AggregationRequest {
dependencyDirectionViolations: DependencyDirectionViolation[]
repositoryPatternViolations: RepositoryPatternViolation[]
aggregateBoundaryViolations: AggregateBoundaryViolation[]
secretViolations: SecretViolation[]
anemicModelViolations: AnemicModelViolation[]
}
/**
* Pipeline step responsible for building final response DTO
*/
export class ResultAggregator {
export class AggregateResults {
public execute(request: AggregationRequest): AnalyzeProjectResponse {
const metrics = this.calculateMetrics(
request.sourceFiles,
@@ -52,6 +56,8 @@ export class ResultAggregator {
dependencyDirectionViolations: request.dependencyDirectionViolations,
repositoryPatternViolations: request.repositoryPatternViolations,
aggregateBoundaryViolations: request.aggregateBoundaryViolations,
secretViolations: request.secretViolations,
anemicModelViolations: request.anemicModelViolations,
metrics,
}
}

2
packages/guardian/src/application/use-cases/pipeline/FileCollectionStep.ts → packages/guardian/src/application/use-cases/pipeline/CollectFiles.ts
View File

@@ -16,7 +16,7 @@ export interface FileCollectionResult {
/**
* Pipeline step responsible for file collection and basic parsing
*/
export class FileCollectionStep {
export class CollectFiles {
constructor(private readonly fileScanner: IFileScanner) {}
public async execute(request: FileCollectionRequest): Promise<FileCollectionResult> {

143
packages/guardian/src/application/use-cases/pipeline/DetectionPipeline.ts → packages/guardian/src/application/use-cases/pipeline/ExecuteDetection.ts
View File

@@ -5,8 +5,12 @@ import { IEntityExposureDetector } from "../../../domain/services/IEntityExposur
import { IDependencyDirectionDetector } from "../../../domain/services/IDependencyDirectionDetector"
import { IRepositoryPatternDetector } from "../../../domain/services/RepositoryPatternDetectorService"
import { IAggregateBoundaryDetector } from "../../../domain/services/IAggregateBoundaryDetector"
import { ISecretDetector } from "../../../domain/services/ISecretDetector"
import { IAnemicModelDetector } from "../../../domain/services/IAnemicModelDetector"
import { IDuplicateValueTracker } from "../../../domain/services/IDuplicateValueTracker"
import { SourceFile } from "../../../domain/entities/SourceFile"
import { DependencyGraph } from "../../../domain/entities/DependencyGraph"
import { HardcodedValue } from "../../../domain/value-objects/HardcodedValue"
import {
LAYERS,
REPOSITORY_VIOLATION_TYPES,
@@ -17,6 +21,7 @@ import {
} from "../../../shared/constants"
import type {
AggregateBoundaryViolation,
AnemicModelViolation,
ArchitectureViolation,
CircularDependencyViolation,
DependencyDirectionViolation,
@@ -25,6 +30,7 @@ import type {
HardcodeViolation,
NamingConventionViolation,
RepositoryPatternViolation,
SecretViolation,
} from "../AnalyzeProject"
export interface DetectionRequest {
@@ -42,12 +48,15 @@ export interface DetectionResult {
dependencyDirectionViolations: DependencyDirectionViolation[]
repositoryPatternViolations: RepositoryPatternViolation[]
aggregateBoundaryViolations: AggregateBoundaryViolation[]
secretViolations: SecretViolation[]
anemicModelViolations: AnemicModelViolation[]
}
/**
* Pipeline step responsible for running all detectors
*/
export class DetectionPipeline {
export class ExecuteDetection {
// eslint-disable-next-line max-params
constructor(
private readonly hardcodeDetector: IHardcodeDetector,
private readonly namingConventionDetector: INamingConventionDetector,
@@ -56,9 +65,14 @@ export class DetectionPipeline {
private readonly dependencyDirectionDetector: IDependencyDirectionDetector,
private readonly repositoryPatternDetector: IRepositoryPatternDetector,
private readonly aggregateBoundaryDetector: IAggregateBoundaryDetector,
private readonly secretDetector: ISecretDetector,
private readonly anemicModelDetector: IAnemicModelDetector,
private readonly duplicateValueTracker: IDuplicateValueTracker,
) {}
public execute(request: DetectionRequest): DetectionResult {
public async execute(request: DetectionRequest): Promise<DetectionResult> {
const secretViolations = await this.detectSecrets(request.sourceFiles)
return {
violations: this.sortBySeverity(this.detectViolations(request.sourceFiles)),
hardcodeViolations: this.sortBySeverity(this.detectHardcode(request.sourceFiles)),
@@ -83,6 +97,10 @@ export class DetectionPipeline {
aggregateBoundaryViolations: this.sortBySeverity(
this.detectAggregateBoundaryViolations(request.sourceFiles),
),
secretViolations: this.sortBySeverity(secretViolations),
anemicModelViolations: this.sortBySeverity(
this.detectAnemicModels(request.sourceFiles),
),
}
}
@@ -137,7 +155,10 @@ export class DetectionPipeline {
}
private detectHardcode(sourceFiles: SourceFile[]): HardcodeViolation[] {
const violations: HardcodeViolation[] = []
const allHardcodedValues: {
value: HardcodedValue
file: SourceFile
}[] = []
for (const file of sourceFiles) {
const hardcodedValues = this.hardcodeDetector.detectAll(
@@ -146,23 +167,53 @@ export class DetectionPipeline {
)
for (const hardcoded of hardcodedValues) {
violations.push({
rule: RULES.HARDCODED_VALUE,
type: hardcoded.type,
value: hardcoded.value,
file: file.path.relative,
line: hardcoded.line,
column: hardcoded.column,
context: hardcoded.context,
suggestion: {
constantName: hardcoded.suggestConstantName(),
location: hardcoded.suggestLocation(file.layer),
},
severity: VIOLATION_SEVERITY_MAP.HARDCODE,
})
allHardcodedValues.push({ value: hardcoded, file })
}
}
this.duplicateValueTracker.clear()
for (const { value, file } of allHardcodedValues) {
this.duplicateValueTracker.track(value, file.path.relative)
}
const violations: HardcodeViolation[] = []
for (const { value, file } of allHardcodedValues) {
const duplicateLocations = this.duplicateValueTracker.getDuplicateLocations(
value.value,
value.type,
)
const enrichedValue = duplicateLocations
? HardcodedValue.create(
value.value,
value.type,
value.line,
value.column,
value.context,
value.valueType,
duplicateLocations.filter((loc) => loc.file !== file.path.relative),
)
: value
if (enrichedValue.shouldSkip(file.layer)) {
continue
}
violations.push({
rule: RULES.HARDCODED_VALUE,
type: enrichedValue.type,
value: enrichedValue.value,
file: file.path.relative,
line: enrichedValue.line,
column: enrichedValue.column,
context: enrichedValue.context,
suggestion: {
constantName: enrichedValue.suggestConstantName(),
location: enrichedValue.suggestLocation(file.layer),
},
severity: VIOLATION_SEVERITY_MAP.HARDCODE,
})
}
return violations
}
@@ -190,6 +241,7 @@ export class DetectionPipeline {
for (const file of sourceFiles) {
const namingViolations = this.namingConventionDetector.detectViolations(
file.content,
file.path.filename,
file.layer,
file.path.relative,
@@ -365,6 +417,63 @@ export class DetectionPipeline {
return violations
}
private async detectSecrets(sourceFiles: SourceFile[]): Promise<SecretViolation[]> {
const violations: SecretViolation[] = []
for (const file of sourceFiles) {
const secretViolations = await this.secretDetector.detectAll(
file.content,
file.path.relative,
)
for (const secret of secretViolations) {
violations.push({
rule: RULES.SECRET_EXPOSURE,
secretType: secret.secretType,
file: file.path.relative,
line: secret.line,
column: secret.column,
message: secret.getMessage(),
suggestion: secret.getSuggestion(),
severity: "critical",
})
}
}
return violations
}
private detectAnemicModels(sourceFiles: SourceFile[]): AnemicModelViolation[] {
const violations: AnemicModelViolation[] = []
for (const file of sourceFiles) {
const anemicModels = this.anemicModelDetector.detectAnemicModels(
file.content,
file.path.relative,
file.layer,
)
for (const anemicModel of anemicModels) {
violations.push({
rule: RULES.ANEMIC_MODEL,
className: anemicModel.className,
file: file.path.relative,
layer: anemicModel.layer,
line: anemicModel.line,
methodCount: anemicModel.methodCount,
propertyCount: anemicModel.propertyCount,
hasOnlyGettersSetters: anemicModel.hasOnlyGettersSetters,
hasPublicSetters: anemicModel.hasPublicSetters,
message: anemicModel.getMessage(),
suggestion: anemicModel.getSuggestion(),
severity: VIOLATION_SEVERITY_MAP.ANEMIC_MODEL,
})
}
}
return violations
}
private sortBySeverity<T extends { severity: SeverityLevel }>(violations: T[]): T[] {
return violations.sort((a, b) => {
return SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]

2
packages/guardian/src/application/use-cases/pipeline/ParsingStep.ts → packages/guardian/src/application/use-cases/pipeline/ParseSourceFiles.ts
View File

@@ -15,7 +15,7 @@ export interface ParsingResult {
/**
* Pipeline step responsible for AST parsing and dependency graph construction
*/
export class ParsingStep {
export class ParseSourceFiles {
constructor(private readonly codeParser: ICodeParser) {}
public execute(request: ParsingRequest): ParsingResult {

45
packages/guardian/src/cli/formatters/OutputFormatter.ts
View File

@@ -1,6 +1,7 @@
import { SEVERITY_LEVELS, type SeverityLevel } from "../../shared/constants"
import type {
AggregateBoundaryViolation,
AnemicModelViolation,
ArchitectureViolation,
CircularDependencyViolation,
DependencyDirectionViolation,
@@ -9,6 +10,7 @@ import type {
HardcodeViolation,
NamingConventionViolation,
RepositoryPatternViolation,
SecretViolation,
} from "../../application/use-cases/AnalyzeProject"
import { SEVERITY_DISPLAY_LABELS, SEVERITY_SECTION_HEADERS } from "../constants"
import { ViolationGrouper } from "../groupers/ViolationGrouper"
@@ -177,6 +179,22 @@ export class OutputFormatter {
console.log("")
}
formatSecretViolation(sv: SecretViolation, index: number): void {
const location = `${sv.file}:${String(sv.line)}:${String(sv.column)}`
console.log(`${String(index + 1)}. ${location}`)
console.log(` Severity: ${SEVERITY_LABELS[sv.severity]} ⚠️`)
console.log(` Secret Type: ${sv.secretType}`)
console.log(` ${sv.message}`)
console.log(" 🔐 CRITICAL: Rotate this secret immediately!")
console.log(" 💡 Suggestion:")
sv.suggestion.split("\n").forEach((line) => {
if (line.trim()) {
console.log(` ${line}`)
}
})
console.log("")
}
formatHardcodeViolation(hc: HardcodeViolation, index: number): void {
console.log(`${String(index + 1)}. ${hc.file}:${String(hc.line)}:${String(hc.column)}`)
console.log(` Severity: ${SEVERITY_LABELS[hc.severity]}`)
@@ -187,4 +205,31 @@ export class OutputFormatter {
console.log(` 📁 Location: ${hc.suggestion.location}`)
console.log("")
}
formatAnemicModelViolation(am: AnemicModelViolation, index: number): void {
const location = am.line ? `${am.file}:${String(am.line)}` : am.file
console.log(`${String(index + 1)}. ${location}`)
console.log(` Severity: ${SEVERITY_LABELS[am.severity]}`)
console.log(` Class: ${am.className}`)
console.log(` Layer: ${am.layer}`)
console.log(
` Methods: ${String(am.methodCount)} | Properties: ${String(am.propertyCount)}`,
)
if (am.hasPublicSetters) {
console.log(" ⚠️ Has public setters (DDD anti-pattern)")
}
if (am.hasOnlyGettersSetters) {
console.log(" ⚠️ Only getters/setters (no business logic)")
}
console.log(` ${am.message}`)
console.log(" 💡 Suggestion:")
am.suggestion.split("\n").forEach((line) => {
if (line.trim()) {
console.log(` ${line}`)
}
})
console.log("")
}
}

34
packages/guardian/src/cli/index.ts
View File

@@ -92,6 +92,8 @@ program
dependencyDirectionViolations,
repositoryPatternViolations,
aggregateBoundaryViolations,
secretViolations,
anemicModelViolations,
} = result
const minSeverity: SeverityLevel | undefined = options.onlyCritical
@@ -132,6 +134,8 @@ program
aggregateBoundaryViolations,
minSeverity,
)
secretViolations = grouper.filterBySeverity(secretViolations, minSeverity)
anemicModelViolations = grouper.filterBySeverity(anemicModelViolations, minSeverity)
statsFormatter.displaySeverityFilterMessage(
options.onlyCritical,
@@ -245,6 +249,32 @@ program
)
}
if (secretViolations.length > 0) {
console.log(
`\n🔐 Found ${String(secretViolations.length)} hardcoded secret(s) - CRITICAL SECURITY RISK`,
)
outputFormatter.displayGroupedViolations(
secretViolations,
(sv, i) => {
outputFormatter.formatSecretViolation(sv, i)
},
limit,
)
}
if (anemicModelViolations.length > 0) {
console.log(
`\n🩺 Found ${String(anemicModelViolations.length)} anemic domain model(s)`,
)
outputFormatter.displayGroupedViolations(
anemicModelViolations,
(am, i) => {
outputFormatter.formatAnemicModelViolation(am, i)
},
limit,
)
}
if (options.hardcode && hardcodeViolations.length > 0) {
console.log(
`\n${CLI_MESSAGES.HARDCODE_VIOLATIONS_HEADER} ${String(hardcodeViolations.length)} ${CLI_LABELS.HARDCODE_VIOLATIONS}`,
@@ -267,7 +297,9 @@ program
entityExposureViolations.length +
dependencyDirectionViolations.length +
repositoryPatternViolations.length +
aggregateBoundaryViolations.length
aggregateBoundaryViolations.length +
secretViolations.length +
anemicModelViolations.length
statsFormatter.displaySummary(totalIssues, options.verbose)
} catch (error) {

29
packages/guardian/src/domain/constants/Messages.ts
View File

@@ -60,3 +60,32 @@ export const AGGREGATE_VIOLATION_MESSAGES = {
AVOID_DIRECT_REFERENCE: "3. Avoid direct entity references to maintain aggregate independence",
MAINTAIN_INDEPENDENCE: "4. Each aggregate should be independently modifiable and deployable",
}
export const SECRET_VIOLATION_MESSAGES = {
USE_ENV_VARIABLES: "1. Use environment variables for sensitive data (process.env.API_KEY)",
USE_SECRET_MANAGER:
"2. Use secret management services (AWS Secrets Manager, HashiCorp Vault, etc.)",
NEVER_COMMIT_SECRETS: "3. Never commit secrets to version control",
ROTATE_IF_EXPOSED: "4. If secret was committed, rotate it immediately",
USE_GITIGNORE: "5. Add secret files to .gitignore (.env, credentials.json, etc.)",
}
export const ANEMIC_MODEL_MESSAGES = {
REMOVE_PUBLIC_SETTERS: "1. Remove public setters - they allow uncontrolled state changes",
USE_METHODS_FOR_CHANGES: "2. Use business methods instead (approve(), cancel(), addItem())",
ENCAPSULATE_INVARIANTS: "3. Encapsulate business rules and invariants in methods",
ADD_BUSINESS_METHODS: "1. Add business logic methods to the entity",
MOVE_LOGIC_FROM_SERVICES:
"2. Move business logic from services to domain entities where it belongs",
ENCAPSULATE_BUSINESS_RULES: "3. Encapsulate business rules inside entity methods",
USE_DOMAIN_EVENTS: "4. Use domain events to communicate state changes",
}
/**
* Example values used in violation messages
*/
export const VIOLATION_EXAMPLE_VALUES = {
UNKNOWN: "unknown",
USER_REPOSITORY: "UserRepository",
FIND_ONE: "findOne",
}

79
packages/guardian/src/domain/constants/SecretExamples.ts Normal file
View File

@@ -0,0 +1,79 @@
/**
* Secret detection constants
* All hardcoded strings related to secret detection and examples
*/
export const SECRET_KEYWORDS = {
AWS: "aws",
GITHUB: "github",
NPM: "npm",
SSH: "ssh",
PRIVATE_KEY: "private key",
SLACK: "slack",
API_KEY: "api key",
APIKEY: "apikey",
ACCESS_KEY: "access key",
SECRET: "secret",
TOKEN: "token",
PASSWORD: "password",
USER: "user",
BOT: "bot",
RSA: "rsa",
DSA: "dsa",
ECDSA: "ecdsa",
ED25519: "ed25519",
BASICAUTH: "basicauth",
GCP: "gcp",
GOOGLE: "google",
PRIVATEKEY: "privatekey",
PERSONAL_ACCESS_TOKEN: "personal access token",
OAUTH: "oauth",
} as const
export const SECRET_TYPE_NAMES = {
AWS_ACCESS_KEY: "AWS Access Key",
AWS_SECRET_KEY: "AWS Secret Key",
AWS_CREDENTIAL: "AWS Credential",
GITHUB_PERSONAL_ACCESS_TOKEN: "GitHub Personal Access Token",
GITHUB_OAUTH_TOKEN: "GitHub OAuth Token",
GITHUB_TOKEN: "GitHub Token",
NPM_TOKEN: "NPM Token",
GCP_SERVICE_ACCOUNT_KEY: "GCP Service Account Key",
SSH_RSA_PRIVATE_KEY: "SSH RSA Private Key",
SSH_DSA_PRIVATE_KEY: "SSH DSA Private Key",
SSH_ECDSA_PRIVATE_KEY: "SSH ECDSA Private Key",
SSH_ED25519_PRIVATE_KEY: "SSH Ed25519 Private Key",
SSH_PRIVATE_KEY: "SSH Private Key",
SLACK_BOT_TOKEN: "Slack Bot Token",
SLACK_USER_TOKEN: "Slack User Token",
SLACK_TOKEN: "Slack Token",
BASIC_AUTH_CREDENTIALS: "Basic Authentication Credentials",
API_KEY: "API Key",
AUTHENTICATION_TOKEN: "Authentication Token",
PASSWORD: "Password",
SECRET: "Secret",
SENSITIVE_DATA: "Sensitive Data",
} as const
export const SECRET_EXAMPLE_VALUES = {
AWS_ACCESS_KEY_ID: "AKIA1234567890ABCDEF",
AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
GITHUB_TOKEN: "ghp_1234567890abcdefghijklmnopqrstuv",
NPM_TOKEN: "npm_abc123xyz",
SLACK_TOKEN: "xoxb-<token-here>",
API_KEY: "sk_live_XXXXXXXXXXXXXXXXXXXX_example_key",
HARDCODED_SECRET: "hardcoded-secret-value",
} as const
export const FILE_ENCODING = {
UTF8: "utf-8",
} as const
export const REGEX_ESCAPE_PATTERN = {
DOLLAR_AMPERSAND: "\\$&",
} as const
export const DYNAMIC_IMPORT_PATTERN_PARTS = {
QUOTE_START: '"`][^',
QUOTE_END: "`]+['\"",
} as const

148
packages/guardian/src/domain/constants/Suggestions.ts
View File

@@ -24,6 +24,106 @@ export const SUGGESTION_KEYWORDS = {
CONSOLE_ERROR: "console.error",
} as const
/**
* Context keywords for email detection
*/
export const EMAIL_CONTEXT_KEYWORDS = {
ADMIN: "admin",
SUPPORT: "support",
NOREPLY: "noreply",
NO_REPLY: "no-reply",
} as const
/**
* Context keywords for API key detection
*/
export const API_KEY_CONTEXT_KEYWORDS = {
SECRET: "secret",
PUBLIC: "public",
} as const
/**
* Context keywords for URL detection
*/
export const URL_CONTEXT_KEYWORDS = {
API: "api",
DATABASE: "database",
DB: "db",
MONGO: "mongo",
POSTGRES: "postgres",
PG: "pg",
} as const
/**
* Context keywords for IP address detection
*/
export const IP_CONTEXT_KEYWORDS = {
SERVER: "server",
REDIS: "redis",
} as const
/**
* Context keywords for file path detection
*/
export const FILE_PATH_CONTEXT_KEYWORDS = {
LOG: "log",
DATA: "data",
TEMP: "temp",
} as const
/**
* Context keywords for date detection
*/
export const DATE_CONTEXT_KEYWORDS = {
DEADLINE: "deadline",
START: "start",
END: "end",
EXPIR: "expir",
} as const
/**
* Context keywords for UUID detection
*/
export const UUID_CONTEXT_KEYWORDS = {
ID: "id",
IDENTIFIER: "identifier",
REQUEST: "request",
SESSION: "session",
} as const
/**
* Context keywords for version detection
*/
export const VERSION_CONTEXT_KEYWORDS = {
APP: "app",
} as const
/**
* Context keywords for color detection
*/
export const COLOR_CONTEXT_KEYWORDS = {
PRIMARY: "primary",
SECONDARY: "secondary",
BACKGROUND: "background",
} as const
/**
* Context keywords for base64 detection
*/
export const BASE64_CONTEXT_KEYWORDS = {
TOKEN: "token",
KEY: "key",
} as const
/**
* Context keywords for config detection
*/
export const CONFIG_CONTEXT_KEYWORDS = {
ENDPOINT: "endpoint",
ROUTE: "route",
CONNECTION: "connection",
} as const
/**
* Constant name templates
*/
@@ -41,6 +141,50 @@ export const CONSTANT_NAMES = {
MAGIC_STRING: "MAGIC_STRING",
MAGIC_NUMBER: "MAGIC_NUMBER",
UNKNOWN_CONSTANT: "UNKNOWN_CONSTANT",
ADMIN_EMAIL: "ADMIN_EMAIL",
SUPPORT_EMAIL: "SUPPORT_EMAIL",
NOREPLY_EMAIL: "NOREPLY_EMAIL",
DEFAULT_EMAIL: "DEFAULT_EMAIL",
API_SECRET_KEY: "API_SECRET_KEY",
API_PUBLIC_KEY: "API_PUBLIC_KEY",
API_KEY: "API_KEY",
DATABASE_URL: "DATABASE_URL",
MONGODB_CONNECTION_STRING: "MONGODB_CONNECTION_STRING",
POSTGRES_URL: "POSTGRES_URL",
BASE_URL: "BASE_URL",
SERVER_IP: "SERVER_IP",
DATABASE_HOST: "DATABASE_HOST",
REDIS_HOST: "REDIS_HOST",
HOST_IP: "HOST_IP",
LOG_FILE_PATH: "LOG_FILE_PATH",
CONFIG_FILE_PATH: "CONFIG_FILE_PATH",
DATA_DIR_PATH: "DATA_DIR_PATH",
TEMP_DIR_PATH: "TEMP_DIR_PATH",
FILE_PATH: "FILE_PATH",
DEADLINE: "DEADLINE",
START_DATE: "START_DATE",
END_DATE: "END_DATE",
EXPIRATION_DATE: "EXPIRATION_DATE",
DEFAULT_DATE: "DEFAULT_DATE",
DEFAULT_ID: "DEFAULT_ID",
REQUEST_ID: "REQUEST_ID",
SESSION_ID: "SESSION_ID",
UUID_CONSTANT: "UUID_CONSTANT",
API_VERSION: "API_VERSION",
APP_VERSION: "APP_VERSION",
VERSION: "VERSION",
PRIMARY_COLOR: "PRIMARY_COLOR",
SECONDARY_COLOR: "SECONDARY_COLOR",
BACKGROUND_COLOR: "BACKGROUND_COLOR",
COLOR_CONSTANT: "COLOR_CONSTANT",
MAC_ADDRESS: "MAC_ADDRESS",
ENCODED_TOKEN: "ENCODED_TOKEN",
ENCODED_KEY: "ENCODED_KEY",
BASE64_VALUE: "BASE64_VALUE",
API_ENDPOINT: "API_ENDPOINT",
ROUTE_PATH: "ROUTE_PATH",
CONNECTION_STRING: "CONNECTION_STRING",
CONFIG_VALUE: "CONFIG_VALUE",
} as const
/**
@@ -50,4 +194,8 @@ export const LOCATIONS = {
SHARED_CONSTANTS: "shared/constants",
DOMAIN_CONSTANTS: "domain/constants",
INFRASTRUCTURE_CONFIG: "infrastructure/config",
CONFIG_ENVIRONMENT: "src/config/environment.ts",
CONFIG_CONTACTS: "src/config/contacts.ts",
CONFIG_PATHS: "src/config/paths.ts",
CONFIG_DATES: "src/config/dates.ts",
} as const

29
packages/guardian/src/domain/services/IAnemicModelDetector.ts Normal file
View File

@@ -0,0 +1,29 @@
import { AnemicModelViolation } from "../value-objects/AnemicModelViolation"
/**
* Interface for detecting anemic domain model violations in the codebase
*
* Anemic domain models are entities that contain only getters/setters
* without business logic. This anti-pattern violates Domain-Driven Design
* principles and leads to procedural code scattered in services.
*/
export interface IAnemicModelDetector {
/**
* Detects anemic model violations in the given code
*
* Analyzes classes in domain/entities to identify:
* - Classes with only getters and setters (no business logic)
* - Classes with public setters (DDD anti-pattern)
* - Classes with low method-to-property ratio
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @param layer - The architectural layer of the file (domain, application, infrastructure, shared)
* @returns Array of detected anemic model violations
*/
detectAnemicModels(
code: string,
filePath: string,
layer: string | undefined,
): AnemicModelViolation[]
}

55
packages/guardian/src/domain/services/IDuplicateValueTracker.ts Normal file
View File

@@ -0,0 +1,55 @@
import { HardcodedValue } from "../value-objects/HardcodedValue"
export interface ValueLocation {
file: string
line: number
context: string
}
export interface DuplicateInfo {
value: string | number | boolean
locations: ValueLocation[]
count: number
}
/**
* Interface for tracking duplicate hardcoded values across files
*
* Helps identify values that are used in multiple places
* and should be extracted to a shared constant.
*/
export interface IDuplicateValueTracker {
/**
* Adds a hardcoded value to tracking
*/
track(violation: HardcodedValue, filePath: string): void
/**
* Gets all duplicate values (values used in 2+ places)
*/
getDuplicates(): DuplicateInfo[]
/**
* Gets duplicate locations for a specific value
*/
getDuplicateLocations(value: string | number | boolean, type: string): ValueLocation[] | null
/**
* Checks if a value is duplicated
*/
isDuplicate(value: string | number | boolean, type: string): boolean
/**
* Gets statistics about duplicates
*/
getStats(): {
totalValues: number
duplicateValues: number
duplicatePercentage: number
}
/**
* Clears all tracked values
*/
clear(): void
}

2
packages/guardian/src/domain/services/INamingConventionDetector.ts
View File

@@ -7,12 +7,14 @@ export interface INamingConventionDetector {
/**
* Detects naming convention violations for a given file
*
* @param content - Source code content to analyze
* @param fileName - Name of the file to check (e.g., "UserService.ts")
* @param layer - Architectural layer of the file (domain, application, infrastructure, shared)
* @param filePath - Relative file path for context
* @returns Array of naming convention violations
*/
detectViolations(
content: string,
fileName: string,
layer: string | undefined,
filePath: string,

34
packages/guardian/src/domain/services/ISecretDetector.ts Normal file
View File

@@ -0,0 +1,34 @@
import { SecretViolation } from "../value-objects/SecretViolation"
/**
* Interface for detecting hardcoded secrets in source code
*
* Detects sensitive data like API keys, tokens, passwords, and credentials
* that should never be hardcoded in source code. Uses industry-standard
* Secretlint library for pattern matching.
*
* All detected secrets are marked as CRITICAL severity violations.
*
* @example
* ```typescript
* const detector: ISecretDetector = new SecretDetector()
* const violations = await detector.detectAll(
* 'const AWS_KEY = "AKIA1234567890ABCDEF"',
* 'src/config/aws.ts'
* )
*
* violations.forEach(v => {
* console.log(v.getMessage()) // "Hardcoded AWS Access Key detected"
* })
* ```
*/
export interface ISecretDetector {
/**
* Detect all types of hardcoded secrets in the provided code
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @returns Array of secret violations found
*/
detectAll(code: string, filePath: string): Promise<SecretViolation[]>
}

240
packages/guardian/src/domain/value-objects/AnemicModelViolation.ts Normal file
View File

@@ -0,0 +1,240 @@
import { ValueObject } from "./ValueObject"
import { ANEMIC_MODEL_MESSAGES } from "../constants/Messages"
import { EXAMPLE_CODE_CONSTANTS } from "../../shared/constants"
interface AnemicModelViolationProps {
readonly className: string
readonly filePath: string
readonly layer: string
readonly line?: number
readonly methodCount: number
readonly propertyCount: number
readonly hasOnlyGettersSetters: boolean
readonly hasPublicSetters: boolean
}
/**
* Represents an anemic domain model violation in the codebase
*
* Anemic domain model occurs when entities have only getters/setters
* without business logic. This violates Domain-Driven Design principles
* and leads to procedural code instead of object-oriented design.
*
* @example
* ```typescript
* // Bad: Anemic model with only getters/setters
* const violation = AnemicModelViolation.create(
* 'Order',
* 'src/domain/entities/Order.ts',
* 'domain',
* 10,
* 4,
* 2,
* true,
* true
* )
*
* console.log(violation.getMessage())
* // "Class 'Order' is anemic: 4 methods (all getters/setters) for 2 properties"
* ```
*/
export class AnemicModelViolation extends ValueObject<AnemicModelViolationProps> {
private constructor(props: AnemicModelViolationProps) {
super(props)
}
public static create(
className: string,
filePath: string,
layer: string,
line: number | undefined,
methodCount: number,
propertyCount: number,
hasOnlyGettersSetters: boolean,
hasPublicSetters: boolean,
): AnemicModelViolation {
return new AnemicModelViolation({
className,
filePath,
layer,
line,
methodCount,
propertyCount,
hasOnlyGettersSetters,
hasPublicSetters,
})
}
public get className(): string {
return this.props.className
}
public get filePath(): string {
return this.props.filePath
}
public get layer(): string {
return this.props.layer
}
public get line(): number | undefined {
return this.props.line
}
public get methodCount(): number {
return this.props.methodCount
}
public get propertyCount(): number {
return this.props.propertyCount
}
public get hasOnlyGettersSetters(): boolean {
return this.props.hasOnlyGettersSetters
}
public get hasPublicSetters(): boolean {
return this.props.hasPublicSetters
}
public getMessage(): string {
if (this.props.hasPublicSetters) {
return `Class '${this.props.className}' has public setters (anti-pattern in DDD)`
}
if (this.props.hasOnlyGettersSetters) {
return `Class '${this.props.className}' is anemic: ${String(this.props.methodCount)} methods (all getters/setters) for ${String(this.props.propertyCount)} properties`
}
const ratio = this.props.methodCount / Math.max(this.props.propertyCount, 1)
return `Class '${this.props.className}' appears anemic: low method-to-property ratio (${ratio.toFixed(1)}:1)`
}
public getSuggestion(): string {
const suggestions: string[] = []
if (this.props.hasPublicSetters) {
suggestions.push(ANEMIC_MODEL_MESSAGES.REMOVE_PUBLIC_SETTERS)
suggestions.push(ANEMIC_MODEL_MESSAGES.USE_METHODS_FOR_CHANGES)
suggestions.push(ANEMIC_MODEL_MESSAGES.ENCAPSULATE_INVARIANTS)
}
if (this.props.hasOnlyGettersSetters || this.props.methodCount < 2) {
suggestions.push(ANEMIC_MODEL_MESSAGES.ADD_BUSINESS_METHODS)
suggestions.push(ANEMIC_MODEL_MESSAGES.MOVE_LOGIC_FROM_SERVICES)
suggestions.push(ANEMIC_MODEL_MESSAGES.ENCAPSULATE_BUSINESS_RULES)
suggestions.push(ANEMIC_MODEL_MESSAGES.USE_DOMAIN_EVENTS)
}
return suggestions.join("\n")
}
public getExampleFix(): string {
if (this.props.hasPublicSetters) {
return `
// ❌ Bad: Public setters allow uncontrolled state changes
class ${this.props.className} {
private status: string
public setStatus(status: string): void {
this.status = status // No validation!
}
public getStatus(): string {
return this.status
}
}
// ✅ Good: Business methods with validation
class ${this.props.className} {
private status: OrderStatus
public approve(): void {
if (!this.canBeApproved()) {
throw new CannotApproveOrderError()
}
this.status = OrderStatus.APPROVED
this.events.push(new OrderApprovedEvent(this.id))
}
public reject(reason: string): void {
if (!this.canBeRejected()) {
throw new CannotRejectOrderError()
}
this.status = OrderStatus.REJECTED
this.rejectionReason = reason
this.events.push(new OrderRejectedEvent(this.id, reason))
}
public getStatus(): OrderStatus {
return this.status
}
private canBeApproved(): boolean {
return this.status === OrderStatus.PENDING && this.hasItems()
}
}`
}
return `
// ❌ Bad: Anemic model (only getters/setters)
class ${this.props.className} {
getStatus() { return this.status }
setStatus(status: string) { this.status = status }
getTotal() { return this.total }
setTotal(total: number) { this.total = total }
}
class OrderService {
approve(order: ${this.props.className}): void {
if (order.getStatus() !== '${EXAMPLE_CODE_CONSTANTS.ORDER_STATUS_PENDING}') {
throw new Error('${EXAMPLE_CODE_CONSTANTS.CANNOT_APPROVE_ERROR}')
}
order.setStatus('${EXAMPLE_CODE_CONSTANTS.ORDER_STATUS_APPROVED}')
}
}
// ✅ Good: Rich domain model with business logic
class ${this.props.className} {
private readonly id: OrderId
private status: OrderStatus
private items: OrderItem[]
private events: DomainEvent[] = []
public approve(): void {
if (!this.isPending()) {
throw new CannotApproveOrderError()
}
this.status = OrderStatus.APPROVED
this.events.push(new OrderApprovedEvent(this.id))
}
public calculateTotal(): Money {
return this.items.reduce(
(sum, item) => sum.add(item.getPrice()),
Money.zero()
)
}
public addItem(item: OrderItem): void {
if (this.isApproved()) {
throw new CannotModifyApprovedOrderError()
}
this.items.push(item)
}
public getStatus(): OrderStatus {
return this.status
}
private isPending(): boolean {
return this.status === OrderStatus.PENDING
}
private isApproved(): boolean {
return this.status === OrderStatus.APPROVED
}
}`
}
}

377
packages/guardian/src/domain/value-objects/HardcodedValue.ts
View File

@@ -1,15 +1,55 @@
import { ValueObject } from "./ValueObject"
import { HARDCODE_TYPES } from "../../shared/constants/rules"
import { CONSTANT_NAMES, LOCATIONS, SUGGESTION_KEYWORDS } from "../constants/Suggestions"
import { DETECTION_PATTERNS, HARDCODE_TYPES } from "../../shared/constants/rules"
import {
API_KEY_CONTEXT_KEYWORDS,
BASE64_CONTEXT_KEYWORDS,
COLOR_CONTEXT_KEYWORDS,
CONFIG_CONTEXT_KEYWORDS,
CONSTANT_NAMES,
DATE_CONTEXT_KEYWORDS,
EMAIL_CONTEXT_KEYWORDS,
FILE_PATH_CONTEXT_KEYWORDS,
IP_CONTEXT_KEYWORDS,
LOCATIONS,
SUGGESTION_KEYWORDS,
URL_CONTEXT_KEYWORDS,
UUID_CONTEXT_KEYWORDS,
VERSION_CONTEXT_KEYWORDS,
} from "../constants/Suggestions"
export type HardcodeType = (typeof HARDCODE_TYPES)[keyof typeof HARDCODE_TYPES]
export type ValueType =
| "email"
| "url"
| "ip_address"
| "file_path"
| "date"
| "api_key"
| "uuid"
| "version"
| "color"
| "mac_address"
| "base64"
| "config"
| "generic"
export type ValueImportance = "critical" | "high" | "medium" | "low"
export interface DuplicateLocation {
file: string
line: number
}
interface HardcodedValueProps {
readonly value: string | number
readonly value: string | number | boolean
readonly type: HardcodeType
readonly valueType?: ValueType
readonly line: number
readonly column: number
readonly context: string
readonly duplicateLocations?: DuplicateLocation[]
readonly withinFileUsageCount?: number
}
/**
@@ -21,22 +61,28 @@ export class HardcodedValue extends ValueObject<HardcodedValueProps> {
}
public static create(
value: string | number,
value: string | number | boolean,
type: HardcodeType,
line: number,
column: number,
context: string,
valueType?: ValueType,
duplicateLocations?: DuplicateLocation[],
withinFileUsageCount?: number,
): HardcodedValue {
return new HardcodedValue({
value,
type,
valueType,
line,
column,
context,
duplicateLocations,
withinFileUsageCount,
})
}
public get value(): string | number {
public get value(): string | number | boolean {
return this.props.value
}
@@ -56,6 +102,28 @@ export class HardcodedValue extends ValueObject<HardcodedValueProps> {
return this.props.context
}
public get valueType(): ValueType | undefined {
return this.props.valueType
}
public get duplicateLocations(): DuplicateLocation[] | undefined {
return this.props.duplicateLocations
}
public get withinFileUsageCount(): number | undefined {
return this.props.withinFileUsageCount
}
public hasDuplicates(): boolean {
return (
this.props.duplicateLocations !== undefined && this.props.duplicateLocations.length > 0
)
}
public isAlmostConstant(): boolean {
return this.props.withinFileUsageCount !== undefined && this.props.withinFileUsageCount >= 2
}
public isMagicNumber(): boolean {
return this.props.type === HARDCODE_TYPES.MAGIC_NUMBER
}
@@ -103,9 +171,173 @@ export class HardcodedValue extends ValueObject<HardcodedValueProps> {
return `${CONSTANT_NAMES.MAGIC_NUMBER}_${String(value)}`
}
// eslint-disable-next-line complexity, max-lines-per-function
private suggestStringConstantName(): string {
const value = String(this.props.value)
const context = this.props.context.toLowerCase()
const valueType = this.props.valueType
if (valueType === "email") {
if (context.includes(EMAIL_CONTEXT_KEYWORDS.ADMIN)) {
return CONSTANT_NAMES.ADMIN_EMAIL
}
if (context.includes(EMAIL_CONTEXT_KEYWORDS.SUPPORT)) {
return CONSTANT_NAMES.SUPPORT_EMAIL
}
if (
context.includes(EMAIL_CONTEXT_KEYWORDS.NOREPLY) ||
context.includes(EMAIL_CONTEXT_KEYWORDS.NO_REPLY)
) {
return CONSTANT_NAMES.NOREPLY_EMAIL
}
return CONSTANT_NAMES.DEFAULT_EMAIL
}
if (valueType === "api_key") {
if (context.includes(API_KEY_CONTEXT_KEYWORDS.SECRET)) {
return CONSTANT_NAMES.API_SECRET_KEY
}
if (context.includes(API_KEY_CONTEXT_KEYWORDS.PUBLIC)) {
return CONSTANT_NAMES.API_PUBLIC_KEY
}
return CONSTANT_NAMES.API_KEY
}
if (valueType === "url") {
if (context.includes(URL_CONTEXT_KEYWORDS.API)) {
return CONSTANT_NAMES.API_BASE_URL
}
if (
context.includes(URL_CONTEXT_KEYWORDS.DATABASE) ||
context.includes(URL_CONTEXT_KEYWORDS.DB)
) {
return CONSTANT_NAMES.DATABASE_URL
}
if (context.includes(URL_CONTEXT_KEYWORDS.MONGO)) {
return CONSTANT_NAMES.MONGODB_CONNECTION_STRING
}
if (
context.includes(URL_CONTEXT_KEYWORDS.POSTGRES) ||
context.includes(URL_CONTEXT_KEYWORDS.PG)
) {
return CONSTANT_NAMES.POSTGRES_URL
}
return CONSTANT_NAMES.BASE_URL
}
if (valueType === "ip_address") {
if (context.includes(IP_CONTEXT_KEYWORDS.SERVER)) {
return CONSTANT_NAMES.SERVER_IP
}
if (
context.includes(URL_CONTEXT_KEYWORDS.DATABASE) ||
context.includes(URL_CONTEXT_KEYWORDS.DB)
) {
return CONSTANT_NAMES.DATABASE_HOST
}
if (context.includes(IP_CONTEXT_KEYWORDS.REDIS)) {
return CONSTANT_NAMES.REDIS_HOST
}
return CONSTANT_NAMES.HOST_IP
}
if (valueType === "file_path") {
if (context.includes(FILE_PATH_CONTEXT_KEYWORDS.LOG)) {
return CONSTANT_NAMES.LOG_FILE_PATH
}
if (context.includes(SUGGESTION_KEYWORDS.CONFIG)) {
return CONSTANT_NAMES.CONFIG_FILE_PATH
}
if (context.includes(FILE_PATH_CONTEXT_KEYWORDS.DATA)) {
return CONSTANT_NAMES.DATA_DIR_PATH
}
if (context.includes(FILE_PATH_CONTEXT_KEYWORDS.TEMP)) {
return CONSTANT_NAMES.TEMP_DIR_PATH
}
return CONSTANT_NAMES.FILE_PATH
}
if (valueType === "date") {
if (context.includes(DATE_CONTEXT_KEYWORDS.DEADLINE)) {
return CONSTANT_NAMES.DEADLINE
}
if (context.includes(DATE_CONTEXT_KEYWORDS.START)) {
return CONSTANT_NAMES.START_DATE
}
if (context.includes(DATE_CONTEXT_KEYWORDS.END)) {
return CONSTANT_NAMES.END_DATE
}
if (context.includes(DATE_CONTEXT_KEYWORDS.EXPIR)) {
return CONSTANT_NAMES.EXPIRATION_DATE
}
return CONSTANT_NAMES.DEFAULT_DATE
}
if (valueType === "uuid") {
if (
context.includes(UUID_CONTEXT_KEYWORDS.ID) ||
context.includes(UUID_CONTEXT_KEYWORDS.IDENTIFIER)
) {
return CONSTANT_NAMES.DEFAULT_ID
}
if (context.includes(UUID_CONTEXT_KEYWORDS.REQUEST)) {
return CONSTANT_NAMES.REQUEST_ID
}
if (context.includes(UUID_CONTEXT_KEYWORDS.SESSION)) {
return CONSTANT_NAMES.SESSION_ID
}
return CONSTANT_NAMES.UUID_CONSTANT
}
if (valueType === "version") {
if (context.includes(URL_CONTEXT_KEYWORDS.API)) {
return CONSTANT_NAMES.API_VERSION
}
if (context.includes(VERSION_CONTEXT_KEYWORDS.APP)) {
return CONSTANT_NAMES.APP_VERSION
}
return CONSTANT_NAMES.VERSION
}
if (valueType === "color") {
if (context.includes(COLOR_CONTEXT_KEYWORDS.PRIMARY)) {
return CONSTANT_NAMES.PRIMARY_COLOR
}
if (context.includes(COLOR_CONTEXT_KEYWORDS.SECONDARY)) {
return CONSTANT_NAMES.SECONDARY_COLOR
}
if (context.includes(COLOR_CONTEXT_KEYWORDS.BACKGROUND)) {
return CONSTANT_NAMES.BACKGROUND_COLOR
}
return CONSTANT_NAMES.COLOR_CONSTANT
}
if (valueType === "mac_address") {
return CONSTANT_NAMES.MAC_ADDRESS
}
if (valueType === "base64") {
if (context.includes(BASE64_CONTEXT_KEYWORDS.TOKEN)) {
return CONSTANT_NAMES.ENCODED_TOKEN
}
if (context.includes(BASE64_CONTEXT_KEYWORDS.KEY)) {
return CONSTANT_NAMES.ENCODED_KEY
}
return CONSTANT_NAMES.BASE64_VALUE
}
if (valueType === "config") {
if (context.includes(CONFIG_CONTEXT_KEYWORDS.ENDPOINT)) {
return CONSTANT_NAMES.API_ENDPOINT
}
if (context.includes(CONFIG_CONTEXT_KEYWORDS.ROUTE)) {
return CONSTANT_NAMES.ROUTE_PATH
}
if (context.includes(CONFIG_CONTEXT_KEYWORDS.CONNECTION)) {
return CONSTANT_NAMES.CONNECTION_STRING
}
return CONSTANT_NAMES.CONFIG_VALUE
}
if (value.includes(SUGGESTION_KEYWORDS.HTTP)) {
return CONSTANT_NAMES.API_BASE_URL
@@ -135,6 +367,23 @@ export class HardcodedValue extends ValueObject<HardcodedValueProps> {
}
const context = this.props.context.toLowerCase()
const valueType = this.props.valueType
if (valueType === "api_key" || valueType === "url" || valueType === "ip_address") {
return LOCATIONS.CONFIG_ENVIRONMENT
}
if (valueType === "email") {
return LOCATIONS.CONFIG_CONTACTS
}
if (valueType === "file_path") {
return LOCATIONS.CONFIG_PATHS
}
if (valueType === "date") {
return LOCATIONS.CONFIG_DATES
}
if (
context.includes(SUGGESTION_KEYWORDS.ENTITY) ||
@@ -153,4 +402,122 @@ export class HardcodedValue extends ValueObject<HardcodedValueProps> {
return LOCATIONS.SHARED_CONSTANTS
}
public getDetailedSuggestion(currentLayer?: string): string {
const constantName = this.suggestConstantName()
const location = this.suggestLocation(currentLayer)
const valueTypeLabel = this.valueType ? ` (${this.valueType})` : ""
let suggestion = `Extract${valueTypeLabel} to constant ${constantName} in ${location}`
if (this.isAlmostConstant() && this.withinFileUsageCount) {
suggestion += `. This value appears ${String(this.withinFileUsageCount)} times in this file`
}
if (this.hasDuplicates() && this.duplicateLocations) {
const count = this.duplicateLocations.length
const fileList = this.duplicateLocations
.slice(0, 3)
.map((loc) => `${loc.file}:${String(loc.line)}`)
.join(", ")
const more = count > 3 ? ` and ${String(count - 3)} more` : ""
suggestion += `. Also duplicated in ${String(count)} other file(s): ${fileList}${more}`
}
return suggestion
}
/**
* Analyzes variable name and context to determine importance
*/
public getImportance(): ValueImportance {
const context = this.props.context.toLowerCase()
const valueType = this.props.valueType
if (valueType === "api_key") {
return "critical"
}
const criticalKeywords = [
...DETECTION_PATTERNS.SENSITIVE_KEYWORDS,
...DETECTION_PATTERNS.BUSINESS_KEYWORDS,
"key",
"age",
]
if (criticalKeywords.some((keyword) => context.includes(keyword))) {
return "critical"
}
const highKeywords = [...DETECTION_PATTERNS.TECHNICAL_KEYWORDS, "db", "api"]
if (highKeywords.some((keyword) => context.includes(keyword))) {
return "high"
}
if (valueType === "url" || valueType === "ip_address" || valueType === "email") {
return "high"
}
const mediumKeywords = DETECTION_PATTERNS.MEDIUM_KEYWORDS
if (mediumKeywords.some((keyword) => context.includes(keyword))) {
return "medium"
}
const lowKeywords = DETECTION_PATTERNS.UI_KEYWORDS
if (lowKeywords.some((keyword) => context.includes(keyword))) {
return "low"
}
return "medium"
}
/**
* Checks if this violation should be skipped based on layer strictness
*
* Different layers have different tolerance levels:
* - domain: strictest (no hardcoded values allowed)
* - application: strict (only low importance allowed)
* - infrastructure: moderate (low and some medium allowed)
* - cli: lenient (UI constants allowed)
*/
public shouldSkip(layer?: string): boolean {
if (!layer) {
return false
}
const importance = this.getImportance()
if (layer === "domain") {
return false
}
if (layer === "application") {
return false
}
if (layer === "infrastructure") {
return importance === "low" && this.isUIConstant()
}
if (layer === "cli") {
return importance === "low" && this.isUIConstant()
}
return false
}
/**
* Checks if this value is a UI-related constant
*/
private isUIConstant(): boolean {
const context = this.props.context.toLowerCase()
const uiKeywords = DETECTION_PATTERNS.UI_KEYWORDS
return uiKeywords.some((keyword) => context.includes(keyword))
}
}

18
packages/guardian/src/domain/value-objects/RepositoryViolation.ts
View File

@@ -1,6 +1,10 @@
import { ValueObject } from "./ValueObject"
import { REPOSITORY_VIOLATION_TYPES } from "../../shared/constants/rules"
import { REPOSITORY_FALLBACK_SUGGESTIONS, REPOSITORY_PATTERN_MESSAGES } from "../constants/Messages"
import {
REPOSITORY_FALLBACK_SUGGESTIONS,
REPOSITORY_PATTERN_MESSAGES,
VIOLATION_EXAMPLE_VALUES,
} from "../constants/Messages"
interface RepositoryViolationProps {
readonly violationType:
@@ -105,16 +109,16 @@ export class RepositoryViolation extends ValueObject<RepositoryViolationProps> {
public getMessage(): string {
switch (this.props.violationType) {
case REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE:
return `Repository interface uses ORM-specific type '${this.props.ormType || "unknown"}'. Domain should not depend on infrastructure concerns.`
return `Repository interface uses ORM-specific type '${this.props.ormType || VIOLATION_EXAMPLE_VALUES.UNKNOWN}'. Domain should not depend on infrastructure concerns.`
case REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE:
return `Use case depends on concrete repository '${this.props.repositoryName || "unknown"}' instead of interface. Use dependency inversion.`
return `Use case depends on concrete repository '${this.props.repositoryName || VIOLATION_EXAMPLE_VALUES.UNKNOWN}' instead of interface. Use dependency inversion.`
case REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE:
return `Use case creates repository with 'new ${this.props.repositoryName || "Repository"}()'. Use dependency injection instead.`
case REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME:
return `Repository method '${this.props.methodName || "unknown"}' uses technical name. Use domain language instead.`
return `Repository method '${this.props.methodName || VIOLATION_EXAMPLE_VALUES.UNKNOWN}' uses technical name. Use domain language instead.`
default:
return `Repository pattern violation: ${this.props.details}`
@@ -159,8 +163,8 @@ export class RepositoryViolation extends ValueObject<RepositoryViolationProps> {
REPOSITORY_PATTERN_MESSAGES.STEP_USE_DI,
"",
REPOSITORY_PATTERN_MESSAGES.EXAMPLE_PREFIX,
`❌ Bad: constructor(private repo: ${this.props.repositoryName || "UserRepository"})`,
`✅ Good: constructor(private repo: I${this.props.repositoryName?.replace(/^.*?([A-Z]\w+)$/, "$1") || "UserRepository"})`,
`❌ Bad: constructor(private repo: ${this.props.repositoryName || VIOLATION_EXAMPLE_VALUES.USER_REPOSITORY})`,
`✅ Good: constructor(private repo: I${this.props.repositoryName?.replace(/^.*?([A-Z]\w+)$/, "$1") || VIOLATION_EXAMPLE_VALUES.USER_REPOSITORY})`,
].join("\n")
}
@@ -200,7 +204,7 @@ export class RepositoryViolation extends ValueObject<RepositoryViolationProps> {
REPOSITORY_PATTERN_MESSAGES.STEP_AVOID_TECHNICAL,
"",
REPOSITORY_PATTERN_MESSAGES.EXAMPLE_PREFIX,
`❌ Bad: ${this.props.methodName || "findOne"}()`,
`❌ Bad: ${this.props.methodName || VIOLATION_EXAMPLE_VALUES.FIND_ONE}()`,
`✅ Good: ${finalSuggestion}`,
].join("\n")
}

204
packages/guardian/src/domain/value-objects/SecretViolation.ts Normal file
View File

@@ -0,0 +1,204 @@
import { ValueObject } from "./ValueObject"
import { SECRET_VIOLATION_MESSAGES } from "../constants/Messages"
import { SEVERITY_LEVELS } from "../../shared/constants"
import { FILE_ENCODING, SECRET_EXAMPLE_VALUES, SECRET_KEYWORDS } from "../constants/SecretExamples"
interface SecretViolationProps {
readonly file: string
readonly line: number
readonly column: number
readonly secretType: string
readonly matchedPattern: string
}
/**
* Represents a secret exposure violation in the codebase
*
* Secret violations occur when sensitive data like API keys, tokens, passwords,
* or credentials are hardcoded in the source code instead of being stored
* in secure environment variables or secret management systems.
*
* All secret violations are marked as CRITICAL severity because they represent
* serious security risks that could lead to unauthorized access, data breaches,
* or service compromise.
*
* @example
* ```typescript
* const violation = SecretViolation.create(
* 'src/config/aws.ts',
* 10,
* 15,
* 'AWS Access Key',
* 'AKIA1234567890ABCDEF'
* )
*
* console.log(violation.getMessage())
* // "Hardcoded AWS Access Key detected"
*
* console.log(violation.getSeverity())
* // "critical"
* ```
*/
export class SecretViolation extends ValueObject<SecretViolationProps> {
private constructor(props: SecretViolationProps) {
super(props)
}
public static create(
file: string,
line: number,
column: number,
secretType: string,
matchedPattern: string,
): SecretViolation {
return new SecretViolation({
file,
line,
column,
secretType,
matchedPattern,
})
}
public get file(): string {
return this.props.file
}
public get line(): number {
return this.props.line
}
public get column(): number {
return this.props.column
}
public get secretType(): string {
return this.props.secretType
}
public get matchedPattern(): string {
return this.props.matchedPattern
}
public getMessage(): string {
return `Hardcoded ${this.props.secretType} detected`
}
public getSuggestion(): string {
const suggestions: string[] = [
SECRET_VIOLATION_MESSAGES.USE_ENV_VARIABLES,
SECRET_VIOLATION_MESSAGES.USE_SECRET_MANAGER,
SECRET_VIOLATION_MESSAGES.NEVER_COMMIT_SECRETS,
SECRET_VIOLATION_MESSAGES.ROTATE_IF_EXPOSED,
SECRET_VIOLATION_MESSAGES.USE_GITIGNORE,
]
return suggestions.join("\n")
}
public getExampleFix(): string {
return this.getExampleFixForSecretType(this.props.secretType)
}
public getSeverity(): typeof SEVERITY_LEVELS.CRITICAL {
return SEVERITY_LEVELS.CRITICAL
}
private getExampleFixForSecretType(secretType: string): string {
const lowerType = secretType.toLowerCase()
if (lowerType.includes(SECRET_KEYWORDS.AWS)) {
return `
// ❌ Bad: Hardcoded AWS credentials
const AWS_ACCESS_KEY_ID = "${SECRET_EXAMPLE_VALUES.AWS_ACCESS_KEY_ID}"
const AWS_SECRET_ACCESS_KEY = "${SECRET_EXAMPLE_VALUES.AWS_SECRET_ACCESS_KEY}"
// ✅ Good: Use environment variables
const AWS_ACCESS_KEY_ID = process.env.AWS_ACCESS_KEY_ID
const AWS_SECRET_ACCESS_KEY = process.env.AWS_SECRET_ACCESS_KEY
// ✅ Good: Use credentials provider (in infrastructure layer)
// Load credentials from environment or credentials file`
}
if (lowerType.includes(SECRET_KEYWORDS.GITHUB)) {
return `
// ❌ Bad: Hardcoded GitHub token
const GITHUB_TOKEN = "${SECRET_EXAMPLE_VALUES.GITHUB_TOKEN}"
// ✅ Good: Use environment variables
const GITHUB_TOKEN = process.env.GITHUB_TOKEN
// ✅ Good: GitHub Apps with temporary tokens
// Use GitHub Apps for automated workflows instead of personal access tokens`
}
if (lowerType.includes(SECRET_KEYWORDS.NPM)) {
return `
// ❌ Bad: Hardcoded NPM token in code
const NPM_TOKEN = "${SECRET_EXAMPLE_VALUES.NPM_TOKEN}"
// ✅ Good: Use .npmrc file (add to .gitignore)
// .npmrc
//registry.npmjs.org/:_authToken=\${NPM_TOKEN}
// ✅ Good: Use environment variable
const NPM_TOKEN = process.env.NPM_TOKEN`
}
if (
lowerType.includes(SECRET_KEYWORDS.SSH) ||
lowerType.includes(SECRET_KEYWORDS.PRIVATE_KEY)
) {
return `
// ❌ Bad: Hardcoded SSH private key
const privateKey = \`-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...\`
// ✅ Good: Load from secure file (not in repository)
import fs from "fs"
const privateKey = fs.readFileSync(process.env.SSH_KEY_PATH, "${FILE_ENCODING.UTF8}")
// ✅ Good: Use SSH agent
// Configure SSH agent to handle keys securely`
}
if (lowerType.includes(SECRET_KEYWORDS.SLACK)) {
return `
// ❌ Bad: Hardcoded Slack token
const SLACK_TOKEN = "${SECRET_EXAMPLE_VALUES.SLACK_TOKEN}"
// ✅ Good: Use environment variables
const SLACK_TOKEN = process.env.SLACK_BOT_TOKEN
// ✅ Good: Use OAuth flow for user tokens
// Implement OAuth 2.0 flow instead of hardcoding tokens`
}
if (
lowerType.includes(SECRET_KEYWORDS.API_KEY) ||
lowerType.includes(SECRET_KEYWORDS.APIKEY)
) {
return `
// ❌ Bad: Hardcoded API key
const API_KEY = "${SECRET_EXAMPLE_VALUES.API_KEY}"
// ✅ Good: Use environment variables
const API_KEY = process.env.API_KEY
// ✅ Good: Use secret management service (in infrastructure layer)
// AWS Secrets Manager, HashiCorp Vault, Azure Key Vault
// Implement secret retrieval in infrastructure and inject via DI`
}
return `
// ❌ Bad: Hardcoded secret
const SECRET = "${SECRET_EXAMPLE_VALUES.HARDCODED_SECRET}"
// ✅ Good: Use environment variables
const SECRET = process.env.SECRET_KEY
// ✅ Good: Use secret management
// AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, etc.`
}
}

4
packages/guardian/src/index.ts
View File

@@ -1,3 +1,7 @@
import pkg from "../package.json"
export const VERSION = pkg.version
export * from "./domain"
export * from "./application"
export * from "./infrastructure"

318
packages/guardian/src/infrastructure/analyzers/AnemicModelDetector.ts Normal file
View File

@@ -0,0 +1,318 @@
import { IAnemicModelDetector } from "../../domain/services/IAnemicModelDetector"
import { AnemicModelViolation } from "../../domain/value-objects/AnemicModelViolation"
import { CLASS_KEYWORDS } from "../../shared/constants"
import { ANALYZER_DEFAULTS, ANEMIC_MODEL_FLAGS, LAYERS } from "../../shared/constants/rules"
/**
* Detects anemic domain model violations
*
* This detector identifies entities that lack business logic and contain
* only getters/setters. Anemic models violate Domain-Driven Design principles.
*
* @example
* ```typescript
* const detector = new AnemicModelDetector()
*
* // Detect anemic models in entity file
* const code = `
* class Order {
* getStatus() { return this.status }
* setStatus(status: string) { this.status = status }
* getTotal() { return this.total }
* setTotal(total: number) { this.total = total }
* }
* `
* const violations = detector.detectAnemicModels(
* code,
* 'src/domain/entities/Order.ts',
* 'domain'
* )
*
* // violations will contain anemic model violation
* console.log(violations.length) // 1
* console.log(violations[0].className) // 'Order'
* ```
*/
export class AnemicModelDetector implements IAnemicModelDetector {
private readonly entityPatterns = [/\/entities\//, /\/aggregates\//]
private readonly excludePatterns = [
/\.test\.ts$/,
/\.spec\.ts$/,
/Dto\.ts$/,
/Request\.ts$/,
/Response\.ts$/,
/Mapper\.ts$/,
]
/**
* Detects anemic model violations in the given code
*/
public detectAnemicModels(
code: string,
filePath: string,
layer: string | undefined,
): AnemicModelViolation[] {
if (!this.shouldAnalyze(filePath, layer)) {
return []
}
const violations: AnemicModelViolation[] = []
const classes = this.extractClasses(code)
for (const classInfo of classes) {
const violation = this.analyzeClass(classInfo, filePath, layer || LAYERS.DOMAIN)
if (violation) {
violations.push(violation)
}
}
return violations
}
/**
* Checks if file should be analyzed
*/
private shouldAnalyze(filePath: string, layer: string | undefined): boolean {
if (layer !== LAYERS.DOMAIN) {
return false
}
if (this.excludePatterns.some((pattern) => pattern.test(filePath))) {
return false
}
return this.entityPatterns.some((pattern) => pattern.test(filePath))
}
/**
* Extracts class information from code
*/
private extractClasses(code: string): ClassInfo[] {
const classes: ClassInfo[] = []
const lines = code.split("\n")
let currentClass: { name: string; startLine: number; startIndex: number } | null = null
let braceCount = 0
let classBody = ""
for (let i = 0; i < lines.length; i++) {
const line = lines[i]
if (!currentClass) {
const classRegex = /^\s*(?:export\s+)?(?:abstract\s+)?class\s+(\w+)/
const classMatch = classRegex.exec(line)
if (classMatch) {
currentClass = {
name: classMatch[1],
startLine: i + 1,
startIndex: lines.slice(0, i).join("\n").length,
}
braceCount = 0
classBody = ""
}
}
if (currentClass) {
for (const char of line) {
if (char === "{") {
braceCount++
} else if (char === "}") {
braceCount--
}
}
if (braceCount > 0) {
classBody = `${classBody}${line}\n`
} else if (braceCount === 0 && classBody.length > 0) {
const properties = this.extractProperties(classBody)
const methods = this.extractMethods(classBody)
classes.push({
className: currentClass.name,
lineNumber: currentClass.startLine,
properties,
methods,
})
currentClass = null
classBody = ""
}
}
}
return classes
}
/**
* Extracts properties from class body
*/
private extractProperties(classBody: string): PropertyInfo[] {
const properties: PropertyInfo[] = []
const propertyRegex = /(?:private|protected|public|readonly)*\s*(\w+)(?:\?)?:\s*\w+/g
let match
while ((match = propertyRegex.exec(classBody)) !== null) {
const propertyName = match[1]
if (!this.isMethodSignature(match[0])) {
properties.push({ name: propertyName })
}
}
return properties
}
/**
* Extracts methods from class body
*/
private extractMethods(classBody: string): MethodInfo[] {
const methods: MethodInfo[] = []
const methodRegex =
/(public|private|protected)?\s*(get|set)?\s+(\w+)\s*\([^)]*\)(?:\s*:\s*\w+)?/g
let match
while ((match = methodRegex.exec(classBody)) !== null) {
const visibility = match[1] || CLASS_KEYWORDS.PUBLIC
const accessor = match[2]
const methodName = match[3]
if (methodName === CLASS_KEYWORDS.CONSTRUCTOR) {
continue
}
const isGetter = accessor === "get" || this.isGetterMethod(methodName)
const isSetter = accessor === "set" || this.isSetterMethod(methodName, classBody)
const isPublic = visibility === CLASS_KEYWORDS.PUBLIC || !visibility
methods.push({
name: methodName,
isGetter,
isSetter,
isPublic,
isBusinessLogic: !isGetter && !isSetter,
})
}
return methods
}
/**
* Analyzes class for anemic model violations
*/
private analyzeClass(
classInfo: ClassInfo,
filePath: string,
layer: string,
): AnemicModelViolation | null {
const { className, lineNumber, properties, methods } = classInfo
if (properties.length === 0 && methods.length === 0) {
return null
}
const businessMethods = methods.filter((m) => m.isBusinessLogic)
const hasOnlyGettersSetters = businessMethods.length === 0 && methods.length > 0
const hasPublicSetters = methods.some((m) => m.isSetter && m.isPublic)
const methodCount = methods.length
const propertyCount = properties.length
if (hasPublicSetters) {
return AnemicModelViolation.create(
className,
filePath,
layer,
lineNumber,
methodCount,
propertyCount,
ANEMIC_MODEL_FLAGS.HAS_ONLY_GETTERS_SETTERS_FALSE,
ANEMIC_MODEL_FLAGS.HAS_PUBLIC_SETTERS_TRUE,
)
}
if (hasOnlyGettersSetters && methodCount >= 2 && propertyCount > 0) {
return AnemicModelViolation.create(
className,
filePath,
layer,
lineNumber,
methodCount,
propertyCount,
ANEMIC_MODEL_FLAGS.HAS_ONLY_GETTERS_SETTERS_TRUE,
ANEMIC_MODEL_FLAGS.HAS_PUBLIC_SETTERS_FALSE,
)
}
const methodToPropertyRatio = methodCount / Math.max(propertyCount, 1)
if (
propertyCount > 0 &&
businessMethods.length < 2 &&
methodToPropertyRatio < 1.0 &&
methodCount > 0
) {
return AnemicModelViolation.create(
className,
filePath,
layer,
lineNumber,
methodCount,
propertyCount,
ANALYZER_DEFAULTS.HAS_ONLY_GETTERS_SETTERS,
ANALYZER_DEFAULTS.HAS_PUBLIC_SETTERS,
)
}
return null
}
/**
* Checks if method name is a getter pattern
*/
private isGetterMethod(methodName: string): boolean {
return (
methodName.startsWith("get") ||
methodName.startsWith("is") ||
methodName.startsWith("has")
)
}
/**
* Checks if method is a setter pattern
*/
private isSetterMethod(methodName: string, _classBody: string): boolean {
return methodName.startsWith("set")
}
/**
* Checks if property declaration is actually a method signature
*/
private isMethodSignature(propertyDeclaration: string): boolean {
return propertyDeclaration.includes("(") && propertyDeclaration.includes(")")
}
/**
* Gets line number for a position in code
*/
private getLineNumber(code: string, position: number): number {
const lines = code.substring(0, position).split("\n")
return lines.length
}
}
interface ClassInfo {
className: string
lineNumber: number
properties: PropertyInfo[]
methods: MethodInfo[]
}
interface PropertyInfo {
name: string
}
interface MethodInfo {
name: string
isGetter: boolean
isSetter: boolean
isPublic: boolean
isBusinessLogic: boolean
}

104
packages/guardian/src/infrastructure/analyzers/AstTreeTraverser.ts Normal file
View File

@@ -0,0 +1,104 @@
import Parser from "tree-sitter"
import { HardcodedValue } from "../../domain/value-objects/HardcodedValue"
import { AstBooleanAnalyzer } from "../strategies/AstBooleanAnalyzer"
import { AstConfigObjectAnalyzer } from "../strategies/AstConfigObjectAnalyzer"
import { AstNumberAnalyzer } from "../strategies/AstNumberAnalyzer"
import { AstStringAnalyzer } from "../strategies/AstStringAnalyzer"
/**
* AST tree traverser for detecting hardcoded values
*
* Walks through the Abstract Syntax Tree and uses analyzers
* to detect hardcoded numbers, strings, booleans, and configuration objects.
* Also tracks value usage to identify "almost constants" - values used 2+ times.
*/
export class AstTreeTraverser {
constructor(
private readonly numberAnalyzer: AstNumberAnalyzer,
private readonly stringAnalyzer: AstStringAnalyzer,
private readonly booleanAnalyzer: AstBooleanAnalyzer,
private readonly configObjectAnalyzer: AstConfigObjectAnalyzer,
) {}
/**
* Traverses the AST tree and collects hardcoded values
*/
public traverse(tree: Parser.Tree, sourceCode: string): HardcodedValue[] {
const results: HardcodedValue[] = []
const lines = sourceCode.split("\n")
const cursor = tree.walk()
this.visit(cursor, lines, results)
this.markAlmostConstants(results)
return results
}
/**
* Marks values that appear multiple times in the same file
*/
private markAlmostConstants(results: HardcodedValue[]): void {
const valueUsage = new Map<string, number>()
for (const result of results) {
const key = `${result.type}:${String(result.value)}`
valueUsage.set(key, (valueUsage.get(key) || 0) + 1)
}
for (let i = 0; i < results.length; i++) {
const result = results[i]
const key = `${result.type}:${String(result.value)}`
const count = valueUsage.get(key) || 0
if (count >= 2 && !result.withinFileUsageCount) {
results[i] = HardcodedValue.create(
result.value,
result.type,
result.line,
result.column,
result.context,
result.valueType,
result.duplicateLocations,
count,
)
}
}
}
/**
* Recursively visits AST nodes
*/
private visit(cursor: Parser.TreeCursor, lines: string[], results: HardcodedValue[]): void {
const node = cursor.currentNode
if (node.type === "object") {
const violation = this.configObjectAnalyzer.analyze(node, lines)
if (violation) {
results.push(violation)
}
} else if (node.type === "number") {
const violation = this.numberAnalyzer.analyze(node, lines)
if (violation) {
results.push(violation)
}
} else if (node.type === "string") {
const violation = this.stringAnalyzer.analyze(node, lines)
if (violation) {
results.push(violation)
}
} else if (node.type === "true" || node.type === "false") {
const violation = this.booleanAnalyzer.analyze(node, lines)
if (violation) {
results.push(violation)
}
}
if (cursor.gotoFirstChild()) {
do {
this.visit(cursor, lines, results)
} while (cursor.gotoNextSibling())
cursor.gotoParent()
}
}
}

122
packages/guardian/src/infrastructure/analyzers/DuplicateValueTracker.ts Normal file
View File

@@ -0,0 +1,122 @@
import { HardcodedValue } from "../../domain/value-objects/HardcodedValue"
import type {
DuplicateInfo,
IDuplicateValueTracker,
ValueLocation,
} from "../../domain/services/IDuplicateValueTracker"
/**
* Tracks duplicate hardcoded values across files
*
* Helps identify values that are used in multiple places
* and should be extracted to a shared constant.
*/
export class DuplicateValueTracker implements IDuplicateValueTracker {
private readonly valueMap = new Map<string, ValueLocation[]>()
/**
* Adds a hardcoded value to tracking
*/
public track(violation: HardcodedValue, filePath: string): void {
const key = this.createKey(violation.value, violation.type)
const location: ValueLocation = {
file: filePath,
line: violation.line,
context: violation.context,
}
const locations = this.valueMap.get(key)
if (!locations) {
this.valueMap.set(key, [location])
} else {
locations.push(location)
}
}
/**
* Gets all duplicate values (values used in 2+ places)
*/
public getDuplicates(): DuplicateInfo[] {
const duplicates: DuplicateInfo[] = []
for (const [key, locations] of this.valueMap.entries()) {
if (locations.length >= 2) {
const { value } = this.parseKey(key)
duplicates.push({
value,
locations,
count: locations.length,
})
}
}
return duplicates.sort((a, b) => b.count - a.count)
}
/**
* Gets duplicate locations for a specific value
*/
public getDuplicateLocations(
value: string | number | boolean,
type: string,
): ValueLocation[] | null {
const key = this.createKey(value, type)
const locations = this.valueMap.get(key)
if (!locations || locations.length < 2) {
return null
}
return locations
}
/**
* Checks if a value is duplicated
*/
public isDuplicate(value: string | number | boolean, type: string): boolean {
const key = this.createKey(value, type)
const locations = this.valueMap.get(key)
return locations ? locations.length >= 2 : false
}
/**
* Creates a unique key for a value
*/
private createKey(value: string | number | boolean, type: string): string {
return `${type}:${String(value)}`
}
/**
* Parses a key back to value and type
*/
private parseKey(key: string): { value: string; type: string } {
const [type, ...valueParts] = key.split(":")
return { value: valueParts.join(":"), type }
}
/**
* Gets statistics about duplicates
*/
public getStats(): {
totalValues: number
duplicateValues: number
duplicatePercentage: number
} {
const totalValues = this.valueMap.size
const duplicateValues = this.getDuplicates().length
const duplicatePercentage = totalValues > 0 ? (duplicateValues / totalValues) * 100 : 0
return {
totalValues,
duplicateValues,
duplicatePercentage,
}
}
/**
* Clears all tracked values
*/
public clear(): void {
this.valueMap.clear()
}
}

76
packages/guardian/src/infrastructure/analyzers/HardcodeDetector.ts
View File

@@ -1,17 +1,29 @@
import Parser from "tree-sitter"
import { IHardcodeDetector } from "../../domain/services/IHardcodeDetector"
import { HardcodedValue } from "../../domain/value-objects/HardcodedValue"
import { BraceTracker } from "../strategies/BraceTracker"
import { FILE_EXTENSIONS } from "../../shared/constants"
import { CodeParser } from "../parsers/CodeParser"
import { AstBooleanAnalyzer } from "../strategies/AstBooleanAnalyzer"
import { AstConfigObjectAnalyzer } from "../strategies/AstConfigObjectAnalyzer"
import { AstContextChecker } from "../strategies/AstContextChecker"
import { AstNumberAnalyzer } from "../strategies/AstNumberAnalyzer"
import { AstStringAnalyzer } from "../strategies/AstStringAnalyzer"
import { ConstantsFileChecker } from "../strategies/ConstantsFileChecker"
import { ExportConstantAnalyzer } from "../strategies/ExportConstantAnalyzer"
import { MagicNumberMatcher } from "../strategies/MagicNumberMatcher"
import { MagicStringMatcher } from "../strategies/MagicStringMatcher"
import { AstTreeTraverser } from "./AstTreeTraverser"
/**
* Detects hardcoded values (magic numbers and strings) in TypeScript/JavaScript code
*
* This detector identifies configuration values, URLs, timeouts, ports, and other
* constants that should be extracted to configuration files. It uses pattern matching
* and context analysis to reduce false positives.
* This detector uses Abstract Syntax Tree (AST) analysis via tree-sitter to identify
* configuration values, URLs, timeouts, ports, and other constants that should be
* extracted to configuration files. AST-based detection provides more accurate context
* understanding and reduces false positives compared to regex-based approaches.
*
* The detector uses a modular architecture with specialized components:
* - AstContextChecker: Checks if nodes are in specific contexts (exports, types, etc.)
* - AstNumberAnalyzer: Analyzes number literals to detect magic numbers
* - AstStringAnalyzer: Analyzes string literals to detect magic strings
* - AstTreeTraverser: Traverses the AST and coordinates analyzers
*
* @example
* ```typescript
@@ -26,17 +38,25 @@ import { MagicStringMatcher } from "../strategies/MagicStringMatcher"
*/
export class HardcodeDetector implements IHardcodeDetector {
private readonly constantsChecker: ConstantsFileChecker
private readonly braceTracker: BraceTracker
private readonly exportAnalyzer: ExportConstantAnalyzer
private readonly numberMatcher: MagicNumberMatcher
private readonly stringMatcher: MagicStringMatcher
private readonly parser: CodeParser
private readonly traverser: AstTreeTraverser
constructor() {
this.constantsChecker = new ConstantsFileChecker()
this.braceTracker = new BraceTracker()
this.exportAnalyzer = new ExportConstantAnalyzer(this.braceTracker)
this.numberMatcher = new MagicNumberMatcher(this.exportAnalyzer)
this.stringMatcher = new MagicStringMatcher(this.exportAnalyzer)
this.parser = new CodeParser()
const contextChecker = new AstContextChecker()
const numberAnalyzer = new AstNumberAnalyzer(contextChecker)
const stringAnalyzer = new AstStringAnalyzer(contextChecker)
const booleanAnalyzer = new AstBooleanAnalyzer(contextChecker)
const configObjectAnalyzer = new AstConfigObjectAnalyzer(contextChecker)
this.traverser = new AstTreeTraverser(
numberAnalyzer,
stringAnalyzer,
booleanAnalyzer,
configObjectAnalyzer,
)
}
/**
@@ -51,10 +71,8 @@ export class HardcodeDetector implements IHardcodeDetector {
return []
}
const magicNumbers = this.numberMatcher.detect(code)
const magicStrings = this.stringMatcher.detect(code)
return [...magicNumbers, ...magicStrings]
const tree = this.parseCode(code, filePath)
return this.traverser.traverse(tree, code)
}
/**
@@ -69,7 +87,9 @@ export class HardcodeDetector implements IHardcodeDetector {
return []
}
return this.numberMatcher.detect(code)
const tree = this.parseCode(code, filePath)
const allViolations = this.traverser.traverse(tree, code)
return allViolations.filter((v) => v.isMagicNumber())
}
/**
@@ -84,6 +104,20 @@ export class HardcodeDetector implements IHardcodeDetector {
return []
}
return this.stringMatcher.detect(code)
const tree = this.parseCode(code, filePath)
const allViolations = this.traverser.traverse(tree, code)
return allViolations.filter((v) => v.isMagicString())
}
/**
* Parses code based on file extension
*/
private parseCode(code: string, filePath: string): Parser.Tree {
if (filePath.endsWith(FILE_EXTENSIONS.TYPESCRIPT_JSX)) {
return this.parser.parseTsx(code)
} else if (filePath.endsWith(FILE_EXTENSIONS.TYPESCRIPT)) {
return this.parser.parseTypeScript(code)
}
return this.parser.parseJavaScript(code)
}
}

317
packages/guardian/src/infrastructure/analyzers/NamingConventionDetector.ts
View File

@@ -1,37 +1,72 @@
import Parser from "tree-sitter"
import { INamingConventionDetector } from "../../domain/services/INamingConventionDetector"
import { NamingViolation } from "../../domain/value-objects/NamingViolation"
import {
LAYERS,
NAMING_PATTERNS,
NAMING_VIOLATION_TYPES,
USE_CASE_VERBS,
} from "../../shared/constants/rules"
import {
EXCLUDED_FILES,
FILE_SUFFIXES,
NAMING_ERROR_MESSAGES,
PATH_PATTERNS,
PATTERN_WORDS,
} from "../constants/detectorPatterns"
import { NAMING_SUGGESTION_DEFAULT } from "../constants/naming-patterns"
import { FILE_EXTENSIONS } from "../../shared/constants"
import { EXCLUDED_FILES } from "../constants/detectorPatterns"
import { CodeParser } from "../parsers/CodeParser"
import { AstClassNameAnalyzer } from "../strategies/naming/AstClassNameAnalyzer"
import { AstFunctionNameAnalyzer } from "../strategies/naming/AstFunctionNameAnalyzer"
import { AstInterfaceNameAnalyzer } from "../strategies/naming/AstInterfaceNameAnalyzer"
import { AstNamingTraverser } from "../strategies/naming/AstNamingTraverser"
import { AstVariableNameAnalyzer } from "../strategies/naming/AstVariableNameAnalyzer"
/**
* Detects naming convention violations based on Clean Architecture layers
* Detects naming convention violations using AST-based analysis
*
* This detector ensures that files follow naming conventions appropriate to their layer:
* - Domain: Entities (nouns), Services (*Service), Value Objects, Repository interfaces (I*Repository)
* - Application: Use cases (verbs), DTOs (*Dto/*Request/*Response), Mappers (*Mapper)
* - Infrastructure: Controllers (*Controller), Repository implementations (*Repository), Services (*Service/*Adapter)
* This detector uses Abstract Syntax Tree (AST) analysis via tree-sitter to identify
* naming convention violations in classes, interfaces, functions, and variables
* according to Clean Architecture layer rules.
*
* The detector uses a modular architecture with specialized components:
* - AstClassNameAnalyzer: Analyzes class names
* - AstInterfaceNameAnalyzer: Analyzes interface names
* - AstFunctionNameAnalyzer: Analyzes function and method names
* - AstVariableNameAnalyzer: Analyzes variable and constant names
* - AstNamingTraverser: Traverses the AST and coordinates analyzers
*
* @example
* ```typescript
* const detector = new NamingConventionDetector()
* const violations = detector.detectViolations('UserDto.ts', 'domain', 'src/domain/UserDto.ts')
* // Returns violation: DTOs should not be in domain layer
* const code = `
* class userService { // Wrong: should be UserService
* GetUser() {} // Wrong: should be getUser
* }
* `
* const violations = detector.detectViolations(code, 'UserService.ts', 'domain', 'src/domain/UserService.ts')
* // Returns array of NamingViolation objects
* ```
*/
export class NamingConventionDetector implements INamingConventionDetector {
private readonly parser: CodeParser
private readonly traverser: AstNamingTraverser
constructor() {
this.parser = new CodeParser()
const classAnalyzer = new AstClassNameAnalyzer()
const interfaceAnalyzer = new AstInterfaceNameAnalyzer()
const functionAnalyzer = new AstFunctionNameAnalyzer()
const variableAnalyzer = new AstVariableNameAnalyzer()
this.traverser = new AstNamingTraverser(
classAnalyzer,
interfaceAnalyzer,
functionAnalyzer,
variableAnalyzer,
)
}
/**
* Detects naming convention violations in the given code
*
* @param content - Source code to analyze
* @param fileName - Name of the file being analyzed
* @param layer - Architectural layer (domain, application, infrastructure, shared)
* @param filePath - File path for context (used in violation reports)
* @returns Array of detected naming violations
*/
public detectViolations(
content: string,
fileName: string,
layer: string | undefined,
filePath: string,
@@ -44,235 +79,23 @@ export class NamingConventionDetector implements INamingConventionDetector {
return []
}
switch (layer) {
case LAYERS.DOMAIN:
return this.checkDomainLayer(fileName, filePath)
case LAYERS.APPLICATION:
return this.checkApplicationLayer(fileName, filePath)
case LAYERS.INFRASTRUCTURE:
return this.checkInfrastructureLayer(fileName, filePath)
case LAYERS.SHARED:
return []
default:
return []
if (!content || content.trim().length === 0) {
return []
}
const tree = this.parseCode(content, filePath)
return this.traverser.traverse(tree, content, layer, filePath)
}
private checkDomainLayer(fileName: string, filePath: string): NamingViolation[] {
const violations: NamingViolation[] = []
const forbiddenPatterns = NAMING_PATTERNS.DOMAIN.ENTITY.forbidden ?? []
for (const forbidden of forbiddenPatterns) {
if (fileName.includes(forbidden)) {
violations.push(
NamingViolation.create(
fileName,
NAMING_VIOLATION_TYPES.FORBIDDEN_PATTERN,
LAYERS.DOMAIN,
filePath,
NAMING_ERROR_MESSAGES.DOMAIN_FORBIDDEN,
fileName,
NAMING_SUGGESTION_DEFAULT,
),
)
return violations
}
/**
* Parses code based on file extension
*/
private parseCode(code: string, filePath: string): Parser.Tree {
if (filePath.endsWith(FILE_EXTENSIONS.TYPESCRIPT_JSX)) {
return this.parser.parseTsx(code)
} else if (filePath.endsWith(FILE_EXTENSIONS.TYPESCRIPT)) {
return this.parser.parseTypeScript(code)
}
if (fileName.endsWith(FILE_SUFFIXES.SERVICE)) {
if (!NAMING_PATTERNS.DOMAIN.SERVICE.pattern.test(fileName)) {
violations.push(
NamingViolation.create(
fileName,
NAMING_VIOLATION_TYPES.WRONG_CASE,
LAYERS.DOMAIN,
filePath,
NAMING_PATTERNS.DOMAIN.SERVICE.description,
fileName,
),
)
}
return violations
}
if (
fileName.startsWith(PATTERN_WORDS.I_PREFIX) &&
fileName.includes(PATTERN_WORDS.REPOSITORY)
) {
if (!NAMING_PATTERNS.DOMAIN.REPOSITORY_INTERFACE.pattern.test(fileName)) {
violations.push(
NamingViolation.create(
fileName,
NAMING_VIOLATION_TYPES.WRONG_PREFIX,
LAYERS.DOMAIN,
filePath,
NAMING_PATTERNS.DOMAIN.REPOSITORY_INTERFACE.description,
fileName,
),
)
}
return violations
}
if (!NAMING_PATTERNS.DOMAIN.ENTITY.pattern.test(fileName)) {
violations.push(
NamingViolation.create(
fileName,
NAMING_VIOLATION_TYPES.WRONG_CASE,
LAYERS.DOMAIN,
filePath,
NAMING_PATTERNS.DOMAIN.ENTITY.description,
fileName,
NAMING_ERROR_MESSAGES.USE_PASCAL_CASE,
),
)
}
return violations
}
private checkApplicationLayer(fileName: string, filePath: string): NamingViolation[] {
const violations: NamingViolation[] = []
if (
fileName.endsWith(FILE_SUFFIXES.DTO) ||
fileName.endsWith(FILE_SUFFIXES.REQUEST) ||
fileName.endsWith(FILE_SUFFIXES.RESPONSE)
) {
if (!NAMING_PATTERNS.APPLICATION.DTO.pattern.test(fileName)) {
violations.push(
NamingViolation.create(
fileName,
NAMING_VIOLATION_TYPES.WRONG_SUFFIX,
LAYERS.APPLICATION,
filePath,
NAMING_PATTERNS.APPLICATION.DTO.description,
fileName,
NAMING_ERROR_MESSAGES.USE_DTO_SUFFIX,
),
)
}
return violations
}
if (fileName.endsWith(FILE_SUFFIXES.MAPPER)) {
if (!NAMING_PATTERNS.APPLICATION.MAPPER.pattern.test(fileName)) {
violations.push(
NamingViolation.create(
fileName,
NAMING_VIOLATION_TYPES.WRONG_SUFFIX,
LAYERS.APPLICATION,
filePath,
NAMING_PATTERNS.APPLICATION.MAPPER.description,
fileName,
),
)
}
return violations
}
const startsWithVerb = this.startsWithCommonVerb(fileName)
if (startsWithVerb) {
if (!NAMING_PATTERNS.APPLICATION.USE_CASE.pattern.test(fileName)) {
violations.push(
NamingViolation.create(
fileName,
NAMING_VIOLATION_TYPES.WRONG_VERB_NOUN,
LAYERS.APPLICATION,
filePath,
NAMING_PATTERNS.APPLICATION.USE_CASE.description,
fileName,
NAMING_ERROR_MESSAGES.USE_VERB_NOUN,
),
)
}
return violations
}
if (
filePath.includes(PATH_PATTERNS.USE_CASES) ||
filePath.includes(PATH_PATTERNS.USE_CASES_ALT)
) {
const hasVerb = this.startsWithCommonVerb(fileName)
if (!hasVerb) {
violations.push(
NamingViolation.create(
fileName,
NAMING_VIOLATION_TYPES.WRONG_VERB_NOUN,
LAYERS.APPLICATION,
filePath,
NAMING_ERROR_MESSAGES.USE_CASE_START_VERB,
fileName,
`Start with a verb like: ${USE_CASE_VERBS.slice(0, 5).join(", ")}`,
),
)
}
}
return violations
}
private checkInfrastructureLayer(fileName: string, filePath: string): NamingViolation[] {
const violations: NamingViolation[] = []
if (fileName.endsWith(FILE_SUFFIXES.CONTROLLER)) {
if (!NAMING_PATTERNS.INFRASTRUCTURE.CONTROLLER.pattern.test(fileName)) {
violations.push(
NamingViolation.create(
fileName,
NAMING_VIOLATION_TYPES.WRONG_SUFFIX,
LAYERS.INFRASTRUCTURE,
filePath,
NAMING_PATTERNS.INFRASTRUCTURE.CONTROLLER.description,
fileName,
),
)
}
return violations
}
if (
fileName.endsWith(FILE_SUFFIXES.REPOSITORY) &&
!fileName.startsWith(PATTERN_WORDS.I_PREFIX)
) {
if (!NAMING_PATTERNS.INFRASTRUCTURE.REPOSITORY_IMPL.pattern.test(fileName)) {
violations.push(
NamingViolation.create(
fileName,
NAMING_VIOLATION_TYPES.WRONG_SUFFIX,
LAYERS.INFRASTRUCTURE,
filePath,
NAMING_PATTERNS.INFRASTRUCTURE.REPOSITORY_IMPL.description,
fileName,
),
)
}
return violations
}
if (fileName.endsWith(FILE_SUFFIXES.SERVICE) || fileName.endsWith(FILE_SUFFIXES.ADAPTER)) {
if (!NAMING_PATTERNS.INFRASTRUCTURE.SERVICE.pattern.test(fileName)) {
violations.push(
NamingViolation.create(
fileName,
NAMING_VIOLATION_TYPES.WRONG_SUFFIX,
LAYERS.INFRASTRUCTURE,
filePath,
NAMING_PATTERNS.INFRASTRUCTURE.SERVICE.description,
fileName,
),
)
}
return violations
}
return violations
}
private startsWithCommonVerb(fileName: string): boolean {
const baseFileName = fileName.replace(/\.tsx?$/, "")
return USE_CASE_VERBS.some((verb) => baseFileName.startsWith(verb))
return this.parser.parseJavaScript(code)
}
}

187
packages/guardian/src/infrastructure/analyzers/SecretDetector.ts Normal file
View File

@@ -0,0 +1,187 @@
import { createEngine } from "@secretlint/node"
import type { SecretLintConfigDescriptor } from "@secretlint/types"
import { ISecretDetector } from "../../domain/services/ISecretDetector"
import { SecretViolation } from "../../domain/value-objects/SecretViolation"
import { SECRET_KEYWORDS, SECRET_TYPE_NAMES } from "../../domain/constants/SecretExamples"
import { EXTERNAL_PACKAGES } from "../../shared/constants/rules"
/**
* Detects hardcoded secrets in TypeScript/JavaScript code
*
* Uses industry-standard Secretlint library to detect 350+ types of secrets
* including AWS keys, GitHub tokens, NPM tokens, SSH keys, API keys, and more.
*
* All detected secrets are marked as CRITICAL severity because they represent
* serious security risks that could lead to unauthorized access or data breaches.
*
* @example
* ```typescript
* const detector = new SecretDetector()
* const code = `const AWS_KEY = "AKIA1234567890ABCDEF"`
* const violations = await detector.detectAll(code, 'config.ts')
* // Returns array of SecretViolation objects with CRITICAL severity
* ```
*/
export class SecretDetector implements ISecretDetector {
private readonly secretlintConfig: SecretLintConfigDescriptor = {
rules: [
{
id: EXTERNAL_PACKAGES.SECRETLINT_PRESET,
},
],
}
/**
* Detects all types of hardcoded secrets in the provided code
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @returns Promise resolving to array of secret violations
*/
public async detectAll(code: string, filePath: string): Promise<SecretViolation[]> {
try {
const engine = await createEngine({
cwd: process.cwd(),
configFileJSON: this.secretlintConfig,
formatter: "stylish",
color: false,
})
const result = await engine.executeOnContent({
content: code,
filePath,
})
return this.parseOutputToViolations(result.output, filePath)
} catch (_error) {
return []
}
}
private parseOutputToViolations(output: string, filePath: string): SecretViolation[] {
const violations: SecretViolation[] = []
if (!output || output.trim() === "") {
return violations
}
const lines = output.split("\n")
for (const line of lines) {
const match = /^\s*(\d+):(\d+)\s+(error|warning)\s+(.+?)\s+(.+)$/.exec(line)
if (match) {
const [, lineNum, column, , message, ruleId] = match
const secretType = this.extractSecretType(message, ruleId)
const violation = SecretViolation.create(
filePath,
parseInt(lineNum, 10),
parseInt(column, 10),
secretType,
message,
)
violations.push(violation)
}
}
return violations
}
private extractSecretType(message: string, ruleId: string): string {
const lowerMessage = message.toLowerCase()
const ruleBasedType = this.extractByRuleId(ruleId, lowerMessage)
if (ruleBasedType) {
return ruleBasedType
}
return this.extractByMessage(lowerMessage)
}
private extractByRuleId(ruleId: string, lowerMessage: string): string | null {
if (ruleId.includes(SECRET_KEYWORDS.AWS)) {
return this.extractAwsType(lowerMessage)
}
if (ruleId.includes(SECRET_KEYWORDS.GITHUB)) {
return this.extractGithubType(lowerMessage)
}
if (ruleId.includes(SECRET_KEYWORDS.NPM)) {
return SECRET_TYPE_NAMES.NPM_TOKEN
}
if (ruleId.includes(SECRET_KEYWORDS.GCP) || ruleId.includes(SECRET_KEYWORDS.GOOGLE)) {
return SECRET_TYPE_NAMES.GCP_SERVICE_ACCOUNT_KEY
}
if (ruleId.includes(SECRET_KEYWORDS.PRIVATEKEY) || ruleId.includes(SECRET_KEYWORDS.SSH)) {
return this.extractSshType(lowerMessage)
}
if (ruleId.includes(SECRET_KEYWORDS.SLACK)) {
return this.extractSlackType(lowerMessage)
}
if (ruleId.includes(SECRET_KEYWORDS.BASICAUTH)) {
return SECRET_TYPE_NAMES.BASIC_AUTH_CREDENTIALS
}
return null
}
private extractAwsType(lowerMessage: string): string {
if (lowerMessage.includes(SECRET_KEYWORDS.ACCESS_KEY)) {
return SECRET_TYPE_NAMES.AWS_ACCESS_KEY
}
if (lowerMessage.includes(SECRET_KEYWORDS.SECRET)) {
return SECRET_TYPE_NAMES.AWS_SECRET_KEY
}
return SECRET_TYPE_NAMES.AWS_CREDENTIAL
}
private extractGithubType(lowerMessage: string): string {
if (lowerMessage.includes(SECRET_KEYWORDS.PERSONAL_ACCESS_TOKEN)) {
return SECRET_TYPE_NAMES.GITHUB_PERSONAL_ACCESS_TOKEN
}
if (lowerMessage.includes(SECRET_KEYWORDS.OAUTH)) {
return SECRET_TYPE_NAMES.GITHUB_OAUTH_TOKEN
}
return SECRET_TYPE_NAMES.GITHUB_TOKEN
}
private extractSshType(lowerMessage: string): string {
const sshTypeMap: [string, string][] = [
[SECRET_KEYWORDS.RSA, SECRET_TYPE_NAMES.SSH_RSA_PRIVATE_KEY],
[SECRET_KEYWORDS.DSA, SECRET_TYPE_NAMES.SSH_DSA_PRIVATE_KEY],
[SECRET_KEYWORDS.ECDSA, SECRET_TYPE_NAMES.SSH_ECDSA_PRIVATE_KEY],
[SECRET_KEYWORDS.ED25519, SECRET_TYPE_NAMES.SSH_ED25519_PRIVATE_KEY],
]
for (const [keyword, typeName] of sshTypeMap) {
if (lowerMessage.includes(keyword)) {
return typeName
}
}
return SECRET_TYPE_NAMES.SSH_PRIVATE_KEY
}
private extractSlackType(lowerMessage: string): string {
if (lowerMessage.includes(SECRET_KEYWORDS.BOT)) {
return SECRET_TYPE_NAMES.SLACK_BOT_TOKEN
}
if (lowerMessage.includes(SECRET_KEYWORDS.USER)) {
return SECRET_TYPE_NAMES.SLACK_USER_TOKEN
}
return SECRET_TYPE_NAMES.SLACK_TOKEN
}
private extractByMessage(lowerMessage: string): string {
const messageTypeMap: [string, string][] = [
[SECRET_KEYWORDS.API_KEY, SECRET_TYPE_NAMES.API_KEY],
[SECRET_KEYWORDS.TOKEN, SECRET_TYPE_NAMES.AUTHENTICATION_TOKEN],
[SECRET_KEYWORDS.PASSWORD, SECRET_TYPE_NAMES.PASSWORD],
[SECRET_KEYWORDS.SECRET, SECRET_TYPE_NAMES.SECRET],
]
for (const [keyword, typeName] of messageTypeMap) {
if (lowerMessage.includes(keyword)) {
return typeName
}
}
return SECRET_TYPE_NAMES.SENSITIVE_DATA
}
}

22
packages/guardian/src/infrastructure/constants/detectorPatterns.ts
View File

@@ -63,6 +63,28 @@ export const NAMING_ERROR_MESSAGES = {
USE_DTO_SUFFIX: "Use *Dto, *Request, or *Response suffix (e.g., UserResponseDto.ts)",
USE_VERB_NOUN: "Use verb + noun in PascalCase (e.g., CreateUser.ts, UpdateProfile.ts)",
USE_CASE_START_VERB: "Use cases should start with a verb",
DOMAIN_SERVICE_PASCAL_CASE: "Domain services must be PascalCase ending with 'Service'",
DOMAIN_ENTITY_PASCAL_CASE: "Domain entities must be PascalCase nouns",
DTO_PASCAL_CASE: "DTOs must be PascalCase ending with 'Dto', 'Request', or 'Response'",
MAPPER_PASCAL_CASE: "Mappers must be PascalCase ending with 'Mapper'",
USE_CASE_VERB_NOUN: "Use cases must be PascalCase Verb+Noun (e.g., CreateUser)",
CONTROLLER_PASCAL_CASE: "Controllers must be PascalCase ending with 'Controller'",
REPOSITORY_IMPL_PASCAL_CASE:
"Repository implementations must be PascalCase ending with 'Repository'",
SERVICE_ADAPTER_PASCAL_CASE:
"Services/Adapters must be PascalCase ending with 'Service' or 'Adapter'",
FUNCTION_CAMEL_CASE: "Functions and methods must be camelCase",
USE_CAMEL_CASE_FUNCTION: "Use camelCase for function names (e.g., getUserById, createOrder)",
INTERFACE_PASCAL_CASE: "Interfaces must be PascalCase",
USE_PASCAL_CASE_INTERFACE: "Use PascalCase for interface names",
REPOSITORY_INTERFACE_I_PREFIX:
"Domain repository interfaces must start with 'I' (e.g., IUserRepository)",
REPOSITORY_INTERFACE_PATTERN: "Repository interfaces must be I + PascalCase + Repository",
CONSTANT_UPPER_SNAKE_CASE: "Exported constants must be UPPER_SNAKE_CASE",
USE_UPPER_SNAKE_CASE_CONSTANT:
"Use UPPER_SNAKE_CASE for constant names (e.g., MAX_RETRIES, API_URL)",
VARIABLE_CAMEL_CASE: "Variables must be camelCase",
USE_CAMEL_CASE_VARIABLE: "Use camelCase for variable names (e.g., userId, orderList)",
} as const
/**

92
packages/guardian/src/infrastructure/strategies/AstBooleanAnalyzer.ts Normal file
View File

@@ -0,0 +1,92 @@
import Parser from "tree-sitter"
import { HardcodedValue, HardcodeType } from "../../domain/value-objects/HardcodedValue"
import { DETECTION_VALUES, HARDCODE_TYPES } from "../../shared/constants/rules"
import { AstContextChecker } from "./AstContextChecker"
/**
* AST-based analyzer for detecting magic booleans
*
* Detects boolean literals used as arguments without clear meaning.
* Example: doSomething(true, false, true) - hard to understand
* Better: doSomething({ sync: true, validate: false, cache: true })
*/
export class AstBooleanAnalyzer {
constructor(private readonly contextChecker: AstContextChecker) {}
/**
* Analyzes a boolean node and returns a violation if it's a magic boolean
*/
public analyze(node: Parser.SyntaxNode, lines: string[]): HardcodedValue | null {
if (!this.shouldDetect(node)) {
return null
}
const value = node.text === DETECTION_VALUES.BOOLEAN_TRUE
return this.createViolation(node, value, lines)
}
/**
* Checks if boolean should be detected
*/
private shouldDetect(node: Parser.SyntaxNode): boolean {
if (this.contextChecker.isInExportedConstant(node)) {
return false
}
if (this.contextChecker.isInTypeContext(node)) {
return false
}
if (this.contextChecker.isInTestDescription(node)) {
return false
}
const parent = node.parent
if (!parent) {
return false
}
if (parent.type === "arguments") {
return this.isInFunctionCallWithMultipleBooleans(parent)
}
return false
}
/**
* Checks if function call has multiple boolean arguments
*/
private isInFunctionCallWithMultipleBooleans(argsNode: Parser.SyntaxNode): boolean {
let booleanCount = 0
for (const child of argsNode.children) {
if (child.type === "true" || child.type === "false") {
booleanCount++
}
}
return booleanCount >= 2
}
/**
* Creates a HardcodedValue violation from a boolean node
*/
private createViolation(
node: Parser.SyntaxNode,
value: boolean,
lines: string[],
): HardcodedValue {
const lineNumber = node.startPosition.row + 1
const column = node.startPosition.column
const context = lines[node.startPosition.row]?.trim() ?? ""
return HardcodedValue.create(
value,
HARDCODE_TYPES.MAGIC_BOOLEAN as HardcodeType,
lineNumber,
column,
context,
)
}
}

117
packages/guardian/src/infrastructure/strategies/AstConfigObjectAnalyzer.ts Normal file
View File

@@ -0,0 +1,117 @@
import Parser from "tree-sitter"
import { HardcodedValue, HardcodeType } from "../../domain/value-objects/HardcodedValue"
import { HARDCODE_TYPES } from "../../shared/constants/rules"
import { AST_STRING_TYPES } from "../../shared/constants/ast-node-types"
import { ALLOWED_NUMBERS } from "../constants/defaults"
import { AstContextChecker } from "./AstContextChecker"
/**
* AST-based analyzer for detecting configuration objects with hardcoded values
*
* Detects objects that contain multiple hardcoded values that should be
* extracted to a configuration file.
*
* Example:
* const config = { timeout: 5000, retries: 3, url: "http://..." }
*/
export class AstConfigObjectAnalyzer {
private readonly MIN_HARDCODED_VALUES = 2
constructor(private readonly contextChecker: AstContextChecker) {}
/**
* Analyzes an object expression and returns a violation if it contains many hardcoded values
*/
public analyze(node: Parser.SyntaxNode, lines: string[]): HardcodedValue | null {
if (node.type !== "object") {
return null
}
if (this.contextChecker.isInExportedConstant(node)) {
return null
}
if (this.contextChecker.isInTypeContext(node)) {
return null
}
const hardcodedCount = this.countHardcodedValues(node)
if (hardcodedCount < this.MIN_HARDCODED_VALUES) {
return null
}
return this.createViolation(node, hardcodedCount, lines)
}
/**
* Counts hardcoded values in an object
*/
private countHardcodedValues(objectNode: Parser.SyntaxNode): number {
let count = 0
for (const child of objectNode.children) {
if (child.type === "pair") {
const value = child.childForFieldName("value")
if (value && this.isHardcodedValue(value)) {
count++
}
}
}
return count
}
/**
* Checks if a node is a hardcoded value
*/
private isHardcodedValue(node: Parser.SyntaxNode): boolean {
if (node.type === "number") {
const value = parseInt(node.text, 10)
return !ALLOWED_NUMBERS.has(value) && value >= 100
}
if (node.type === "string") {
const stringFragment = node.children.find(
(c) => c.type === AST_STRING_TYPES.STRING_FRAGMENT,
)
return stringFragment !== undefined && stringFragment.text.length > 3
}
return false
}
/**
* Creates a HardcodedValue violation for a config object
*/
private createViolation(
node: Parser.SyntaxNode,
hardcodedCount: number,
lines: string[],
): HardcodedValue {
const lineNumber = node.startPosition.row + 1
const column = node.startPosition.column
const context = lines[node.startPosition.row]?.trim() ?? ""
const objectPreview = this.getObjectPreview(node)
return HardcodedValue.create(
`Configuration object with ${String(hardcodedCount)} hardcoded values: ${objectPreview}`,
HARDCODE_TYPES.MAGIC_CONFIG as HardcodeType,
lineNumber,
column,
context,
)
}
/**
* Gets a preview of the object for the violation message
*/
private getObjectPreview(node: Parser.SyntaxNode): string {
const text = node.text
if (text.length <= 50) {
return text
}
return `${text.substring(0, 47)}...`
}
}

277
packages/guardian/src/infrastructure/strategies/AstContextChecker.ts Normal file
View File

@@ -0,0 +1,277 @@
import Parser from "tree-sitter"
import {
AST_FIELD_NAMES,
AST_IDENTIFIER_TYPES,
AST_MODIFIER_TYPES,
AST_VARIABLE_TYPES,
} from "../../shared/constants/ast-node-types"
/**
* AST context checker for analyzing node contexts
*
* Provides reusable methods to check if a node is in specific contexts
* like exports, type declarations, function calls, etc.
*/
export class AstContextChecker {
/**
* Checks if node is in an exported constant with "as const"
*/
public isInExportedConstant(node: Parser.SyntaxNode): boolean {
let current = node.parent
while (current) {
if (current.type === "export_statement") {
if (this.checkExportedConstant(current)) {
return true
}
}
current = current.parent
}
return false
}
/**
* Helper to check if export statement contains "as const"
*/
private checkExportedConstant(exportNode: Parser.SyntaxNode): boolean {
const declaration = exportNode.childForFieldName(AST_FIELD_NAMES.DECLARATION)
if (!declaration) {
return false
}
if (declaration.type !== "lexical_declaration") {
return false
}
const declarator = this.findDescendant(declaration, AST_VARIABLE_TYPES.VARIABLE_DECLARATOR)
if (!declarator) {
return false
}
const value = declarator.childForFieldName(AST_FIELD_NAMES.VALUE)
if (value?.type !== "as_expression") {
return false
}
const asType = value.children.find((c) => c.type === AST_MODIFIER_TYPES.CONST)
return asType !== undefined
}
/**
* Checks if node is in a type context (union type, type alias, interface)
*/
public isInTypeContext(node: Parser.SyntaxNode): boolean {
let current = node.parent
while (current) {
if (
current.type === "type_alias_declaration" ||
current.type === "union_type" ||
current.type === "literal_type" ||
current.type === "interface_declaration" ||
current.type === "type_annotation"
) {
return true
}
current = current.parent
}
return false
}
/**
* Checks if node is in an import statement or import() call
*/
public isInImportStatement(node: Parser.SyntaxNode): boolean {
let current = node.parent
while (current) {
if (current.type === "import_statement") {
return true
}
if (current.type === "call_expression") {
const functionNode =
current.childForFieldName(AST_FIELD_NAMES.FUNCTION) ||
current.children.find(
(c) =>
c.type === AST_IDENTIFIER_TYPES.IDENTIFIER ||
c.type === AST_IDENTIFIER_TYPES.IMPORT,
)
if (
functionNode &&
(functionNode.text === "import" ||
functionNode.type === AST_IDENTIFIER_TYPES.IMPORT)
) {
return true
}
}
current = current.parent
}
return false
}
/**
* Checks if node is in a test description (test(), describe(), it())
*/
public isInTestDescription(node: Parser.SyntaxNode): boolean {
let current = node.parent
while (current) {
if (current.type === "call_expression") {
const callee = current.childForFieldName("function")
if (callee?.type === "identifier") {
const funcName = callee.text
if (
funcName === "test" ||
funcName === "describe" ||
funcName === "it" ||
funcName === "expect"
) {
return true
}
}
}
current = current.parent
}
return false
}
/**
* Checks if node is in a console.log or console.error call
*/
public isInConsoleCall(node: Parser.SyntaxNode): boolean {
let current = node.parent
while (current) {
if (current.type === "call_expression") {
const callee = current.childForFieldName("function")
if (callee?.type === "member_expression") {
const object = callee.childForFieldName("object")
const property = callee.childForFieldName("property")
if (
object?.text === "console" &&
property &&
(property.text === "log" ||
property.text === "error" ||
property.text === "warn")
) {
return true
}
}
}
current = current.parent
}
return false
}
/**
* Checks if node is in a Symbol() call
*/
public isInSymbolCall(node: Parser.SyntaxNode): boolean {
let current = node.parent
while (current) {
if (current.type === "call_expression") {
const callee = current.childForFieldName("function")
if (callee?.type === "identifier" && callee.text === "Symbol") {
return true
}
}
current = current.parent
}
return false
}
/**
* Checks if node is in a typeof check
*/
public isInTypeofCheck(node: Parser.SyntaxNode): boolean {
let current = node.parent
while (current) {
if (current.type === "binary_expression") {
const left = current.childForFieldName("left")
const right = current.childForFieldName("right")
if (left?.type === "unary_expression") {
const operator = left.childForFieldName("operator")
if (operator?.text === "typeof") {
return true
}
}
if (right?.type === "unary_expression") {
const operator = right.childForFieldName("operator")
if (operator?.text === "typeof") {
return true
}
}
}
current = current.parent
}
return false
}
/**
* Checks if parent is a call expression with specific function names
*/
public isInCallExpression(parent: Parser.SyntaxNode, functionNames: string[]): boolean {
if (parent.type === "arguments") {
const callExpr = parent.parent
if (callExpr?.type === "call_expression") {
const callee = callExpr.childForFieldName("function")
if (callee?.type === "identifier") {
return functionNames.includes(callee.text)
}
}
}
return false
}
/**
* Gets context text around a node
*/
public getNodeContext(node: Parser.SyntaxNode): string {
let current: Parser.SyntaxNode | null = node
while (
current &&
current.type !== "lexical_declaration" &&
current.type !== "pair" &&
current.type !== "call_expression" &&
current.type !== "return_statement"
) {
current = current.parent
}
return current ? current.text.toLowerCase() : ""
}
/**
* Finds a descendant node by type
*/
private findDescendant(node: Parser.SyntaxNode, type: string): Parser.SyntaxNode | null {
if (node.type === type) {
return node
}
for (const child of node.children) {
const result = this.findDescendant(child, type)
if (result) {
return result
}
}
return null
}
}

138
packages/guardian/src/infrastructure/strategies/AstNumberAnalyzer.ts Normal file
View File

@@ -0,0 +1,138 @@
import Parser from "tree-sitter"
import { HardcodedValue, HardcodeType } from "../../domain/value-objects/HardcodedValue"
import { HARDCODE_TYPES } from "../../shared/constants/rules"
import { TIMER_FUNCTIONS } from "../../shared/constants/ast-node-types"
import { ALLOWED_NUMBERS, DETECTION_KEYWORDS } from "../constants/defaults"
import { AstContextChecker } from "./AstContextChecker"
/**
* AST-based analyzer for detecting magic numbers
*
* Analyzes number literal nodes in the AST to determine if they are
* hardcoded values that should be extracted to constants.
*/
export class AstNumberAnalyzer {
constructor(private readonly contextChecker: AstContextChecker) {}
/**
* Analyzes a number node and returns a violation if it's a magic number
*/
public analyze(node: Parser.SyntaxNode, lines: string[]): HardcodedValue | null {
const value = parseInt(node.text, 10)
if (ALLOWED_NUMBERS.has(value)) {
return null
}
if (this.contextChecker.isInExportedConstant(node)) {
return null
}
if (!this.shouldDetect(node, value)) {
return null
}
return this.createViolation(node, value, lines)
}
/**
* Checks if number should be detected based on context
*/
private shouldDetect(node: Parser.SyntaxNode, value: number): boolean {
const parent = node.parent
if (!parent) {
return false
}
if (
this.contextChecker.isInCallExpression(parent, [
TIMER_FUNCTIONS.SET_TIMEOUT,
TIMER_FUNCTIONS.SET_INTERVAL,
])
) {
return true
}
if (parent.type === "variable_declarator") {
const identifier = parent.childForFieldName("name")
if (identifier && this.hasConfigKeyword(identifier.text.toLowerCase())) {
return true
}
}
if (parent.type === "pair") {
const key = parent.childForFieldName("key")
if (key && this.hasConfigKeyword(key.text.toLowerCase())) {
return true
}
}
if (value >= 100) {
const context = this.contextChecker.getNodeContext(node)
return this.looksLikeMagicNumber(context)
}
return false
}
/**
* Checks if name contains configuration keywords
*/
private hasConfigKeyword(name: string): boolean {
const keywords = [
DETECTION_KEYWORDS.TIMEOUT,
DETECTION_KEYWORDS.DELAY,
DETECTION_KEYWORDS.RETRY,
DETECTION_KEYWORDS.LIMIT,
DETECTION_KEYWORDS.MAX,
DETECTION_KEYWORDS.MIN,
DETECTION_KEYWORDS.PORT,
DETECTION_KEYWORDS.INTERVAL,
]
return (
keywords.some((keyword) => name.includes(keyword)) ||
name.includes("retries") ||
name.includes("attempts")
)
}
/**
* Checks if context suggests a magic number
*/
private looksLikeMagicNumber(context: string): boolean {
const configKeywords = [
DETECTION_KEYWORDS.TIMEOUT,
DETECTION_KEYWORDS.DELAY,
DETECTION_KEYWORDS.RETRY,
DETECTION_KEYWORDS.LIMIT,
DETECTION_KEYWORDS.MAX,
DETECTION_KEYWORDS.MIN,
DETECTION_KEYWORDS.PORT,
DETECTION_KEYWORDS.INTERVAL,
]
return configKeywords.some((keyword) => context.includes(keyword))
}
/**
* Creates a HardcodedValue violation from a number node
*/
private createViolation(
node: Parser.SyntaxNode,
value: number,
lines: string[],
): HardcodedValue {
const lineNumber = node.startPosition.row + 1
const column = node.startPosition.column
const context = lines[node.startPosition.row]?.trim() ?? ""
return HardcodedValue.create(
value,
HARDCODE_TYPES.MAGIC_NUMBER as HardcodeType,
lineNumber,
column,
context,
)
}
}

148
packages/guardian/src/infrastructure/strategies/AstStringAnalyzer.ts Normal file
View File

@@ -0,0 +1,148 @@
import Parser from "tree-sitter"
import { HardcodedValue, HardcodeType } from "../../domain/value-objects/HardcodedValue"
import { CONFIG_KEYWORDS, DETECTION_VALUES, HARDCODE_TYPES } from "../../shared/constants/rules"
import { AST_STRING_TYPES } from "../../shared/constants/ast-node-types"
import { AstContextChecker } from "./AstContextChecker"
import { ValuePatternMatcher } from "./ValuePatternMatcher"
/**
* AST-based analyzer for detecting magic strings
*
* Analyzes string literal nodes in the AST to determine if they are
* hardcoded values that should be extracted to constants.
*
* Detects various types of hardcoded strings:
* - URLs and connection strings
* - Email addresses
* - IP addresses
* - File paths
* - Dates
* - API keys
*/
export class AstStringAnalyzer {
private readonly patternMatcher: ValuePatternMatcher
constructor(private readonly contextChecker: AstContextChecker) {
this.patternMatcher = new ValuePatternMatcher()
}
/**
* Analyzes a string node and returns a violation if it's a magic string
*/
public analyze(node: Parser.SyntaxNode, lines: string[]): HardcodedValue | null {
const stringFragment = node.children.find(
(child) => child.type === AST_STRING_TYPES.STRING_FRAGMENT,
)
if (!stringFragment) {
return null
}
const value = stringFragment.text
if (value.length <= 3) {
return null
}
if (this.contextChecker.isInExportedConstant(node)) {
return null
}
if (this.contextChecker.isInTypeContext(node)) {
return null
}
if (this.contextChecker.isInImportStatement(node)) {
return null
}
if (this.contextChecker.isInTestDescription(node)) {
return null
}
if (this.contextChecker.isInConsoleCall(node)) {
return null
}
if (this.contextChecker.isInSymbolCall(node)) {
return null
}
if (this.contextChecker.isInTypeofCheck(node)) {
return null
}
if (this.shouldDetect(node, value)) {
return this.createViolation(node, value, lines)
}
return null
}
/**
* Checks if string value should be detected
*/
private shouldDetect(node: Parser.SyntaxNode, value: string): boolean {
if (this.patternMatcher.shouldDetect(value)) {
return true
}
if (this.hasConfigurationContext(node)) {
return true
}
return false
}
/**
* Checks if string is in a configuration-related context
*/
private hasConfigurationContext(node: Parser.SyntaxNode): boolean {
const context = this.contextChecker.getNodeContext(node).toLowerCase()
const configKeywords = [
"url",
"uri",
...CONFIG_KEYWORDS.NETWORK,
"api",
...CONFIG_KEYWORDS.DATABASE,
"db",
"env",
...CONFIG_KEYWORDS.SECURITY,
"key",
...CONFIG_KEYWORDS.MESSAGES,
"label",
...CONFIG_KEYWORDS.TECHNICAL,
]
return configKeywords.some((keyword) => context.includes(keyword))
}
/**
* Creates a HardcodedValue violation from a string node
*/
private createViolation(
node: Parser.SyntaxNode,
value: string,
lines: string[],
): HardcodedValue {
const lineNumber = node.startPosition.row + 1
const column = node.startPosition.column
const context = lines[node.startPosition.row]?.trim() ?? ""
const detectedType = this.patternMatcher.detectType(value)
const valueType =
detectedType ||
(this.hasConfigurationContext(node)
? DETECTION_VALUES.TYPE_CONFIG
: DETECTION_VALUES.TYPE_GENERIC)
return HardcodedValue.create(
value,
HARDCODE_TYPES.MAGIC_STRING as HardcodeType,
lineNumber,
column,
context,
valueType,
)
}
}

96
packages/guardian/src/infrastructure/strategies/BraceTracker.ts
View File

@@ -1,96 +0,0 @@
/**
* Tracks braces and brackets in code for context analysis
*
* Used to determine if a line is inside an exported constant
* by counting unclosed braces and brackets.
*/
export class BraceTracker {
/**
* Counts unclosed braces and brackets between two line indices
*/
public countUnclosed(
lines: string[],
startLine: number,
endLine: number,
): { braces: number; brackets: number } {
let braces = 0
let brackets = 0
for (let i = startLine; i <= endLine; i++) {
const counts = this.countInLine(lines[i])
braces += counts.braces
brackets += counts.brackets
}
return { braces, brackets }
}
/**
* Counts braces and brackets in a single line
*/
private countInLine(line: string): { braces: number; brackets: number } {
let braces = 0
let brackets = 0
let inString = false
let stringChar = ""
for (let j = 0; j < line.length; j++) {
const char = line[j]
const prevChar = j > 0 ? line[j - 1] : ""
this.updateStringState(
char,
prevChar,
inString,
stringChar,
(newInString, newStringChar) => {
inString = newInString
stringChar = newStringChar
},
)
if (!inString) {
const counts = this.countChar(char)
braces += counts.braces
brackets += counts.brackets
}
}
return { braces, brackets }
}
/**
* Updates string tracking state
*/
private updateStringState(
char: string,
prevChar: string,
inString: boolean,
stringChar: string,
callback: (inString: boolean, stringChar: string) => void,
): void {
if ((char === "'" || char === '"' || char === "`") && prevChar !== "\\") {
if (!inString) {
callback(true, char)
} else if (char === stringChar) {
callback(false, "")
}
}
}
/**
* Counts a single character
*/
private countChar(char: string): { braces: number; brackets: number } {
if (char === "{") {
return { braces: 1, brackets: 0 }
} else if (char === "}") {
return { braces: -1, brackets: 0 }
} else if (char === "[") {
return { braces: 0, brackets: 1 }
} else if (char === "]") {
return { braces: 0, brackets: -1 }
}
return { braces: 0, brackets: 0 }
}
}

112
packages/guardian/src/infrastructure/strategies/ExportConstantAnalyzer.ts
View File

@@ -1,112 +0,0 @@
import { CODE_PATTERNS } from "../constants/defaults"
import { BraceTracker } from "./BraceTracker"
/**
* Analyzes export const declarations in code
*
* Determines if a line is inside an exported constant declaration
* to skip hardcode detection in constant definitions.
*/
export class ExportConstantAnalyzer {
constructor(private readonly braceTracker: BraceTracker) {}
/**
* Checks if a line is inside an exported constant definition
*/
public isInExportedConstant(lines: string[], lineIndex: number): boolean {
const currentLineTrimmed = lines[lineIndex].trim()
if (this.isSingleLineExportConst(currentLineTrimmed)) {
return true
}
const exportConstStart = this.findExportConstStart(lines, lineIndex)
if (exportConstStart === -1) {
return false
}
const { braces, brackets } = this.braceTracker.countUnclosed(
lines,
exportConstStart,
lineIndex,
)
return braces > 0 || brackets > 0
}
/**
* Checks if a line is a single-line export const declaration
*/
public isSingleLineExportConst(line: string): boolean {
if (!line.startsWith(CODE_PATTERNS.EXPORT_CONST)) {
return false
}
const hasObjectOrArray = this.hasObjectOrArray(line)
if (hasObjectOrArray) {
return this.hasAsConstEnding(line)
}
return line.includes(CODE_PATTERNS.AS_CONST)
}
/**
* Finds the starting line of an export const declaration
*/
public findExportConstStart(lines: string[], lineIndex: number): number {
for (let currentLine = lineIndex; currentLine >= 0; currentLine--) {
const trimmed = lines[currentLine].trim()
if (this.isExportConstWithStructure(trimmed)) {
return currentLine
}
if (this.isTopLevelStatement(trimmed, currentLine, lineIndex)) {
break
}
}
return -1
}
/**
* Checks if line has object or array structure
*/
private hasObjectOrArray(line: string): boolean {
return line.includes(CODE_PATTERNS.OBJECT_START) || line.includes(CODE_PATTERNS.ARRAY_START)
}
/**
* Checks if line has 'as const' ending
*/
private hasAsConstEnding(line: string): boolean {
return (
line.includes(CODE_PATTERNS.AS_CONST_OBJECT) ||
line.includes(CODE_PATTERNS.AS_CONST_ARRAY) ||
line.includes(CODE_PATTERNS.AS_CONST_END_SEMICOLON_OBJECT) ||
line.includes(CODE_PATTERNS.AS_CONST_END_SEMICOLON_ARRAY)
)
}
/**
* Checks if line is export const with object or array
*/
private isExportConstWithStructure(trimmed: string): boolean {
return (
trimmed.startsWith(CODE_PATTERNS.EXPORT_CONST) &&
(trimmed.includes(CODE_PATTERNS.OBJECT_START) ||
trimmed.includes(CODE_PATTERNS.ARRAY_START))
)
}
/**
* Checks if line is a top-level statement
*/
private isTopLevelStatement(trimmed: string, currentLine: number, lineIndex: number): boolean {
return (
currentLine < lineIndex &&
(trimmed.startsWith(CODE_PATTERNS.EXPORT) || trimmed.startsWith(CODE_PATTERNS.IMPORT))
)
}
}

171
packages/guardian/src/infrastructure/strategies/MagicNumberMatcher.ts
View File

@@ -1,171 +0,0 @@
import { HardcodedValue } from "../../domain/value-objects/HardcodedValue"
import { ALLOWED_NUMBERS, DETECTION_KEYWORDS } from "../constants/defaults"
import { HARDCODE_TYPES } from "../../shared/constants"
import { ExportConstantAnalyzer } from "./ExportConstantAnalyzer"
/**
* Detects magic numbers in code
*
* Identifies hardcoded numeric values that should be extracted
* to constants, excluding allowed values and exported constants.
*/
export class MagicNumberMatcher {
private readonly numberPatterns = [
/(?:setTimeout|setInterval)\s*\(\s*[^,]+,\s*(\d+)/g,
/(?:maxRetries|retries|attempts)\s*[=:]\s*(\d+)/gi,
/(?:limit|max|min)\s*[=:]\s*(\d+)/gi,
/(?:port|PORT)\s*[=:]\s*(\d+)/g,
/(?:delay|timeout|TIMEOUT)\s*[=:]\s*(\d+)/gi,
]
constructor(private readonly exportAnalyzer: ExportConstantAnalyzer) {}
/**
* Detects magic numbers in code
*/
public detect(code: string): HardcodedValue[] {
const results: HardcodedValue[] = []
const lines = code.split("\n")
lines.forEach((line, lineIndex) => {
if (this.shouldSkipLine(line, lines, lineIndex)) {
return
}
this.detectInPatterns(line, lineIndex, results)
this.detectGenericNumbers(line, lineIndex, results)
})
return results
}
/**
* Checks if line should be skipped
*/
private shouldSkipLine(line: string, lines: string[], lineIndex: number): boolean {
if (line.trim().startsWith("//") || line.trim().startsWith("*")) {
return true
}
return this.exportAnalyzer.isInExportedConstant(lines, lineIndex)
}
/**
* Detects numbers in specific patterns
*/
private detectInPatterns(line: string, lineIndex: number, results: HardcodedValue[]): void {
this.numberPatterns.forEach((pattern) => {
let match
const regex = new RegExp(pattern)
while ((match = regex.exec(line)) !== null) {
const value = parseInt(match[1], 10)
if (!ALLOWED_NUMBERS.has(value)) {
results.push(
HardcodedValue.create(
value,
HARDCODE_TYPES.MAGIC_NUMBER,
lineIndex + 1,
match.index,
line.trim(),
),
)
}
}
})
}
/**
* Detects generic 3+ digit numbers
*/
private detectGenericNumbers(line: string, lineIndex: number, results: HardcodedValue[]): void {
const genericNumberRegex = /\b(\d{3,})\b/g
let match
while ((match = genericNumberRegex.exec(line)) !== null) {
const value = parseInt(match[1], 10)
if (this.shouldDetectNumber(value, line, match.index)) {
results.push(
HardcodedValue.create(
value,
HARDCODE_TYPES.MAGIC_NUMBER,
lineIndex + 1,
match.index,
line.trim(),
),
)
}
}
}
/**
* Checks if number should be detected
*/
private shouldDetectNumber(value: number, line: string, index: number): boolean {
if (ALLOWED_NUMBERS.has(value)) {
return false
}
if (this.isInComment(line, index)) {
return false
}
if (this.isInString(line, index)) {
return false
}
const context = this.extractContext(line, index)
return this.looksLikeMagicNumber(context)
}
/**
* Checks if position is in a comment
*/
private isInComment(line: string, index: number): boolean {
const beforeIndex = line.substring(0, index)
return beforeIndex.includes("//") || beforeIndex.includes("/*")
}
/**
* Checks if position is in a string
*/
private isInString(line: string, index: number): boolean {
const beforeIndex = line.substring(0, index)
const singleQuotes = (beforeIndex.match(/'/g) ?? []).length
const doubleQuotes = (beforeIndex.match(/"/g) ?? []).length
const backticks = (beforeIndex.match(/`/g) ?? []).length
return singleQuotes % 2 !== 0 || doubleQuotes % 2 !== 0 || backticks % 2 !== 0
}
/**
* Extracts context around a position
*/
private extractContext(line: string, index: number): string {
const start = Math.max(0, index - 30)
const end = Math.min(line.length, index + 30)
return line.substring(start, end)
}
/**
* Checks if context suggests a magic number
*/
private looksLikeMagicNumber(context: string): boolean {
const lowerContext = context.toLowerCase()
const configKeywords = [
DETECTION_KEYWORDS.TIMEOUT,
DETECTION_KEYWORDS.DELAY,
DETECTION_KEYWORDS.RETRY,
DETECTION_KEYWORDS.LIMIT,
DETECTION_KEYWORDS.MAX,
DETECTION_KEYWORDS.MIN,
DETECTION_KEYWORDS.PORT,
DETECTION_KEYWORDS.INTERVAL,
]
return configKeywords.some((keyword) => lowerContext.includes(keyword))
}
}

212
packages/guardian/src/infrastructure/strategies/MagicStringMatcher.ts
View File

@@ -1,212 +0,0 @@
import { HardcodedValue } from "../../domain/value-objects/HardcodedValue"
import { DETECTION_KEYWORDS } from "../constants/defaults"
import { HARDCODE_TYPES } from "../../shared/constants"
import { ExportConstantAnalyzer } from "./ExportConstantAnalyzer"
/**
* Detects magic strings in code
*
* Identifies hardcoded string values that should be extracted
* to constants, excluding test code, console logs, and type contexts.
*/
export class MagicStringMatcher {
private readonly stringRegex = /(['"`])(?:(?!\1).)+\1/g
private readonly allowedPatterns = [/^[a-z]$/i, /^\/$/, /^\\$/, /^\s+$/, /^,$/, /^\.$/]
private readonly typeContextPatterns = [
/^\s*type\s+\w+\s*=/i,
/^\s*interface\s+\w+/i,
/^\s*\w+\s*:\s*['"`]/,
/\s+as\s+['"`]/,
/Record<.*,\s*import\(/,
/typeof\s+\w+\s*===\s*['"`]/,
/['"`]\s*===\s*typeof\s+\w+/,
]
constructor(private readonly exportAnalyzer: ExportConstantAnalyzer) {}
/**
* Detects magic strings in code
*/
public detect(code: string): HardcodedValue[] {
const results: HardcodedValue[] = []
const lines = code.split("\n")
lines.forEach((line, lineIndex) => {
if (this.shouldSkipLine(line, lines, lineIndex)) {
return
}
this.detectStringsInLine(line, lineIndex, results)
})
return results
}
/**
* Checks if line should be skipped
*/
private shouldSkipLine(line: string, lines: string[], lineIndex: number): boolean {
if (
line.trim().startsWith("//") ||
line.trim().startsWith("*") ||
line.includes("import ") ||
line.includes("from ")
) {
return true
}
return this.exportAnalyzer.isInExportedConstant(lines, lineIndex)
}
/**
* Detects strings in a single line
*/
private detectStringsInLine(line: string, lineIndex: number, results: HardcodedValue[]): void {
let match
const regex = new RegExp(this.stringRegex)
while ((match = regex.exec(line)) !== null) {
const fullMatch = match[0]
const value = fullMatch.slice(1, -1)
if (this.shouldDetectString(fullMatch, value, line)) {
results.push(
HardcodedValue.create(
value,
HARDCODE_TYPES.MAGIC_STRING,
lineIndex + 1,
match.index,
line.trim(),
),
)
}
}
}
/**
* Checks if string should be detected
*/
private shouldDetectString(fullMatch: string, value: string, line: string): boolean {
if (fullMatch.startsWith("`") || value.includes("${")) {
return false
}
if (this.isAllowedString(value)) {
return false
}
return this.looksLikeMagicString(line, value)
}
/**
* Checks if string is allowed (short strings, single chars, etc.)
*/
private isAllowedString(str: string): boolean {
if (str.length <= 1) {
return true
}
return this.allowedPatterns.some((pattern) => pattern.test(str))
}
/**
* Checks if line context suggests a magic string
*/
private looksLikeMagicString(line: string, value: string): boolean {
const lowerLine = line.toLowerCase()
if (this.isTestCode(lowerLine)) {
return false
}
if (this.isConsoleLog(lowerLine)) {
return false
}
if (this.isInTypeContext(line)) {
return false
}
if (this.isInSymbolCall(line, value)) {
return false
}
if (this.isInImportCall(line, value)) {
return false
}
if (this.isUrlOrApi(value)) {
return true
}
if (/^\d{2,}$/.test(value)) {
return false
}
return value.length > 3
}
/**
* Checks if line is test code
*/
private isTestCode(lowerLine: string): boolean {
return (
lowerLine.includes(DETECTION_KEYWORDS.TEST) ||
lowerLine.includes(DETECTION_KEYWORDS.DESCRIBE)
)
}
/**
* Checks if line is console log
*/
private isConsoleLog(lowerLine: string): boolean {
return (
lowerLine.includes(DETECTION_KEYWORDS.CONSOLE_LOG) ||
lowerLine.includes(DETECTION_KEYWORDS.CONSOLE_ERROR)
)
}
/**
* Checks if line is in type context
*/
private isInTypeContext(line: string): boolean {
const trimmedLine = line.trim()
if (this.typeContextPatterns.some((pattern) => pattern.test(trimmedLine))) {
return true
}
if (trimmedLine.includes("|") && /['"`][^'"`]+['"`]\s*\|/.test(trimmedLine)) {
return true
}
return false
}
/**
* Checks if string is inside Symbol() call
*/
private isInSymbolCall(line: string, stringValue: string): boolean {
const symbolPattern = new RegExp(
`Symbol\\s*\\(\\s*['"\`]${stringValue.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}['"\`]\\s*\\)`,
)
return symbolPattern.test(line)
}
/**
* Checks if string is inside import() call
*/
private isInImportCall(line: string, stringValue: string): boolean {
const importPattern = /import\s*\(\s*['"`][^'"`]+['"`]\s*\)/
return importPattern.test(line) && line.includes(stringValue)
}
/**
* Checks if string contains URL or API reference
*/
private isUrlOrApi(value: string): boolean {
return value.includes(DETECTION_KEYWORDS.HTTP) || value.includes(DETECTION_KEYWORDS.API)
}
}

193
packages/guardian/src/infrastructure/strategies/ValuePatternMatcher.ts Normal file
View File

@@ -0,0 +1,193 @@
import { VALUE_PATTERN_TYPES } from "../../shared/constants/ast-node-types"
/**
* Pattern matcher for detecting specific value types
*
* Provides pattern matching for emails, IPs, paths, dates, UUIDs, versions, and other common hardcoded values
*/
export class ValuePatternMatcher {
private static readonly EMAIL_PATTERN = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/
private static readonly IP_V4_PATTERN = /^(\d{1,3}\.){3}\d{1,3}$/
private static readonly IP_V6_PATTERN =
/^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$|^::([0-9a-fA-F]{1,4}:){0,6}[0-9a-fA-F]{1,4}$/
private static readonly DATE_ISO_PATTERN = /^\d{4}-\d{2}-\d{2}$/
private static readonly URL_PATTERN = /^https?:\/\/|^mongodb:\/\/|^postgresql:\/\//
private static readonly UNIX_PATH_PATTERN = /^\/[a-zA-Z0-9/_-]+/
private static readonly WINDOWS_PATH_PATTERN = /^[a-zA-Z]:\\[a-zA-Z0-9\\/_-]+/
private static readonly API_KEY_PATTERN = /^(sk_|pk_|api_|key_)[a-zA-Z0-9_-]{20,}$/
private static readonly UUID_PATTERN =
/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
private static readonly SEMVER_PATTERN = /^\d+\.\d+\.\d+(-[\w.-]+)?(\+[\w.-]+)?$/
private static readonly HEX_COLOR_PATTERN = /^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/
private static readonly MAC_ADDRESS_PATTERN = /^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/
private static readonly BASE64_PATTERN =
/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/
private static readonly JWT_PATTERN = /^eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+$/
/**
* Checks if value is an email address
*/
public isEmail(value: string): boolean {
return ValuePatternMatcher.EMAIL_PATTERN.test(value)
}
/**
* Checks if value is an IP address (v4 or v6)
*/
public isIpAddress(value: string): boolean {
return (
ValuePatternMatcher.IP_V4_PATTERN.test(value) ||
ValuePatternMatcher.IP_V6_PATTERN.test(value)
)
}
/**
* Checks if value is a date in ISO format
*/
public isDate(value: string): boolean {
return ValuePatternMatcher.DATE_ISO_PATTERN.test(value)
}
/**
* Checks if value is a URL
*/
public isUrl(value: string): boolean {
return ValuePatternMatcher.URL_PATTERN.test(value)
}
/**
* Checks if value is a file path (Unix or Windows)
*/
public isFilePath(value: string): boolean {
return (
ValuePatternMatcher.UNIX_PATH_PATTERN.test(value) ||
ValuePatternMatcher.WINDOWS_PATH_PATTERN.test(value)
)
}
/**
* Checks if value looks like an API key
*/
public isApiKey(value: string): boolean {
return ValuePatternMatcher.API_KEY_PATTERN.test(value)
}
/**
* Checks if value is a UUID
*/
public isUuid(value: string): boolean {
return ValuePatternMatcher.UUID_PATTERN.test(value)
}
/**
* Checks if value is a semantic version
*/
public isSemver(value: string): boolean {
return ValuePatternMatcher.SEMVER_PATTERN.test(value)
}
/**
* Checks if value is a hex color
*/
public isHexColor(value: string): boolean {
return ValuePatternMatcher.HEX_COLOR_PATTERN.test(value)
}
/**
* Checks if value is a MAC address
*/
public isMacAddress(value: string): boolean {
return ValuePatternMatcher.MAC_ADDRESS_PATTERN.test(value)
}
/**
* Checks if value is Base64 encoded (min length 20 to avoid false positives)
*/
public isBase64(value: string): boolean {
return value.length >= 20 && ValuePatternMatcher.BASE64_PATTERN.test(value)
}
/**
* Checks if value is a JWT token
*/
public isJwt(value: string): boolean {
return ValuePatternMatcher.JWT_PATTERN.test(value)
}
/**
* Detects the type of value
*/
public detectType(
value: string,
):
| "email"
| "url"
| "ip_address"
| "file_path"
| "date"
| "api_key"
| "uuid"
| "version"
| "color"
| "mac_address"
| "base64"
| null {
if (this.isEmail(value)) {
return VALUE_PATTERN_TYPES.EMAIL
}
if (this.isJwt(value)) {
return VALUE_PATTERN_TYPES.API_KEY
}
if (this.isApiKey(value)) {
return VALUE_PATTERN_TYPES.API_KEY
}
if (this.isUrl(value)) {
return VALUE_PATTERN_TYPES.URL
}
if (this.isIpAddress(value)) {
return VALUE_PATTERN_TYPES.IP_ADDRESS
}
if (this.isFilePath(value)) {
return VALUE_PATTERN_TYPES.FILE_PATH
}
if (this.isDate(value)) {
return VALUE_PATTERN_TYPES.DATE
}
if (this.isUuid(value)) {
return VALUE_PATTERN_TYPES.UUID
}
if (this.isSemver(value)) {
return VALUE_PATTERN_TYPES.VERSION
}
if (this.isHexColor(value)) {
return "color"
}
if (this.isMacAddress(value)) {
return VALUE_PATTERN_TYPES.MAC_ADDRESS
}
if (this.isBase64(value)) {
return VALUE_PATTERN_TYPES.BASE64
}
return null
}
/**
* Checks if value should be detected as hardcoded
*/
public shouldDetect(value: string): boolean {
return (
this.isEmail(value) ||
this.isUrl(value) ||
this.isIpAddress(value) ||
this.isFilePath(value) ||
this.isDate(value) ||
this.isApiKey(value) ||
this.isUuid(value) ||
this.isSemver(value) ||
this.isHexColor(value) ||
this.isMacAddress(value) ||
this.isBase64(value) ||
this.isJwt(value)
)
}
}

230
packages/guardian/src/infrastructure/strategies/naming/AstClassNameAnalyzer.ts Normal file
View File

@@ -0,0 +1,230 @@
import Parser from "tree-sitter"
import { NamingViolation } from "../../../domain/value-objects/NamingViolation"
import { AST_CLASS_TYPES, AST_FIELD_NAMES } from "../../../shared/constants"
import { LAYERS, NAMING_VIOLATION_TYPES, USE_CASE_VERBS } from "../../../shared/constants/rules"
import {
FILE_SUFFIXES,
NAMING_ERROR_MESSAGES,
PATTERN_WORDS,
} from "../../constants/detectorPatterns"
/**
* AST-based analyzer for detecting class naming violations
*
* Analyzes class declaration nodes to ensure proper naming conventions:
* - Domain layer: PascalCase entities and services (*Service)
* - Application layer: PascalCase use cases (Verb+Noun), DTOs (*Dto/*Request/*Response)
* - Infrastructure layer: PascalCase controllers, repositories, services
*/
export class AstClassNameAnalyzer {
/**
* Analyzes a class declaration node
*/
public analyze(
node: Parser.SyntaxNode,
layer: string,
filePath: string,
_lines: string[],
): NamingViolation | null {
if (node.type !== AST_CLASS_TYPES.CLASS_DECLARATION) {
return null
}
const nameNode = node.childForFieldName(AST_FIELD_NAMES.NAME)
if (!nameNode) {
return null
}
const className = nameNode.text
const lineNumber = nameNode.startPosition.row + 1
switch (layer) {
case LAYERS.DOMAIN:
return this.checkDomainClass(className, filePath, lineNumber)
case LAYERS.APPLICATION:
return this.checkApplicationClass(className, filePath, lineNumber)
case LAYERS.INFRASTRUCTURE:
return this.checkInfrastructureClass(className, filePath, lineNumber)
default:
return null
}
}
/**
* Checks domain layer class naming
*/
private checkDomainClass(
className: string,
filePath: string,
lineNumber: number,
): NamingViolation | null {
if (className.endsWith(FILE_SUFFIXES.SERVICE.replace(".ts", ""))) {
if (!/^[A-Z][a-zA-Z0-9]*Service$/.test(className)) {
return NamingViolation.create(
className,
NAMING_VIOLATION_TYPES.WRONG_CASE,
LAYERS.DOMAIN,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.DOMAIN_SERVICE_PASCAL_CASE,
className,
)
}
return null
}
if (!/^[A-Z][a-zA-Z0-9]*$/.test(className)) {
return NamingViolation.create(
className,
NAMING_VIOLATION_TYPES.WRONG_CASE,
LAYERS.DOMAIN,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.DOMAIN_ENTITY_PASCAL_CASE,
className,
NAMING_ERROR_MESSAGES.USE_PASCAL_CASE,
)
}
return null
}
/**
* Checks application layer class naming
*/
private checkApplicationClass(
className: string,
filePath: string,
lineNumber: number,
): NamingViolation | null {
if (
className.endsWith("Dto") ||
className.endsWith("Request") ||
className.endsWith("Response")
) {
if (!/^[A-Z][a-zA-Z0-9]*(Dto|Request|Response)$/.test(className)) {
return NamingViolation.create(
className,
NAMING_VIOLATION_TYPES.WRONG_SUFFIX,
LAYERS.APPLICATION,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.DTO_PASCAL_CASE,
className,
NAMING_ERROR_MESSAGES.USE_DTO_SUFFIX,
)
}
return null
}
if (className.endsWith("Mapper")) {
if (!/^[A-Z][a-zA-Z0-9]*Mapper$/.test(className)) {
return NamingViolation.create(
className,
NAMING_VIOLATION_TYPES.WRONG_SUFFIX,
LAYERS.APPLICATION,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.MAPPER_PASCAL_CASE,
className,
)
}
return null
}
const startsWithVerb = this.startsWithCommonVerb(className)
const startsWithLowercaseVerb = this.startsWithLowercaseVerb(className)
if (startsWithVerb) {
if (!/^[A-Z][a-z]+[A-Z][a-zA-Z0-9]*$/.test(className)) {
return NamingViolation.create(
className,
NAMING_VIOLATION_TYPES.WRONG_VERB_NOUN,
LAYERS.APPLICATION,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.USE_CASE_VERB_NOUN,
className,
NAMING_ERROR_MESSAGES.USE_VERB_NOUN,
)
}
} else if (startsWithLowercaseVerb) {
return NamingViolation.create(
className,
NAMING_VIOLATION_TYPES.WRONG_VERB_NOUN,
LAYERS.APPLICATION,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.USE_CASE_VERB_NOUN,
className,
NAMING_ERROR_MESSAGES.USE_VERB_NOUN,
)
}
return null
}
/**
* Checks infrastructure layer class naming
*/
private checkInfrastructureClass(
className: string,
filePath: string,
lineNumber: number,
): NamingViolation | null {
if (className.endsWith("Controller")) {
if (!/^[A-Z][a-zA-Z0-9]*Controller$/.test(className)) {
return NamingViolation.create(
className,
NAMING_VIOLATION_TYPES.WRONG_SUFFIX,
LAYERS.INFRASTRUCTURE,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.CONTROLLER_PASCAL_CASE,
className,
)
}
return null
}
if (
className.endsWith(PATTERN_WORDS.REPOSITORY) &&
!className.startsWith(PATTERN_WORDS.I_PREFIX)
) {
if (!/^[A-Z][a-zA-Z0-9]*Repository$/.test(className)) {
return NamingViolation.create(
className,
NAMING_VIOLATION_TYPES.WRONG_SUFFIX,
LAYERS.INFRASTRUCTURE,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.REPOSITORY_IMPL_PASCAL_CASE,
className,
)
}
return null
}
if (className.endsWith("Service") || className.endsWith("Adapter")) {
if (!/^[A-Z][a-zA-Z0-9]*(Service|Adapter)$/.test(className)) {
return NamingViolation.create(
className,
NAMING_VIOLATION_TYPES.WRONG_SUFFIX,
LAYERS.INFRASTRUCTURE,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.SERVICE_ADAPTER_PASCAL_CASE,
className,
)
}
return null
}
return null
}
/**
* Checks if class name starts with a common use case verb
*/
private startsWithCommonVerb(className: string): boolean {
return USE_CASE_VERBS.some((verb) => className.startsWith(verb))
}
/**
* Checks if class name starts with a lowercase verb (camelCase use case)
*/
private startsWithLowercaseVerb(className: string): boolean {
const lowercaseVerbs = USE_CASE_VERBS.map((verb) => verb.toLowerCase())
return lowercaseVerbs.some((verb) => className.startsWith(verb))
}
}

65
packages/guardian/src/infrastructure/strategies/naming/AstFunctionNameAnalyzer.ts Normal file
View File

@@ -0,0 +1,65 @@
import Parser from "tree-sitter"
import { NamingViolation } from "../../../domain/value-objects/NamingViolation"
import { AST_FIELD_NAMES, AST_FUNCTION_TYPES, CLASS_KEYWORDS } from "../../../shared/constants"
import { NAMING_VIOLATION_TYPES } from "../../../shared/constants/rules"
import { NAMING_ERROR_MESSAGES } from "../../constants/detectorPatterns"
/**
* AST-based analyzer for detecting function and method naming violations
*
* Analyzes function declaration, method definition, and arrow function nodes
* to ensure proper naming conventions:
* - Functions and methods should be camelCase
* - Private methods with underscore prefix are allowed
*/
export class AstFunctionNameAnalyzer {
/**
* Analyzes a function or method declaration node
*/
public analyze(
node: Parser.SyntaxNode,
layer: string,
filePath: string,
_lines: string[],
): NamingViolation | null {
const functionNodeTypes = [
AST_FUNCTION_TYPES.FUNCTION_DECLARATION,
AST_FUNCTION_TYPES.METHOD_DEFINITION,
AST_FUNCTION_TYPES.FUNCTION_SIGNATURE,
] as const
if (!(functionNodeTypes as readonly string[]).includes(node.type)) {
return null
}
const nameNode = node.childForFieldName(AST_FIELD_NAMES.NAME)
if (!nameNode) {
return null
}
const functionName = nameNode.text
const lineNumber = nameNode.startPosition.row + 1
if (functionName.startsWith("_")) {
return null
}
if (functionName === CLASS_KEYWORDS.CONSTRUCTOR) {
return null
}
if (!/^[a-z][a-zA-Z0-9]*$/.test(functionName)) {
return NamingViolation.create(
functionName,
NAMING_VIOLATION_TYPES.WRONG_CASE,
layer,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.FUNCTION_CAMEL_CASE,
functionName,
NAMING_ERROR_MESSAGES.USE_CAMEL_CASE_FUNCTION,
)
}
return null
}
}

90
packages/guardian/src/infrastructure/strategies/naming/AstInterfaceNameAnalyzer.ts Normal file
View File

@@ -0,0 +1,90 @@
import Parser from "tree-sitter"
import { NamingViolation } from "../../../domain/value-objects/NamingViolation"
import { AST_CLASS_TYPES, AST_FIELD_NAMES } from "../../../shared/constants"
import { LAYERS, NAMING_VIOLATION_TYPES } from "../../../shared/constants/rules"
import { NAMING_ERROR_MESSAGES, PATTERN_WORDS } from "../../constants/detectorPatterns"
/**
* AST-based analyzer for detecting interface naming violations
*
* Analyzes interface declaration nodes to ensure proper naming conventions:
* - Domain layer: Repository interfaces must start with 'I' (e.g., IUserRepository)
* - All layers: Interfaces should be PascalCase
*/
export class AstInterfaceNameAnalyzer {
/**
* Analyzes an interface declaration node
*/
public analyze(
node: Parser.SyntaxNode,
layer: string,
filePath: string,
_lines: string[],
): NamingViolation | null {
if (node.type !== AST_CLASS_TYPES.INTERFACE_DECLARATION) {
return null
}
const nameNode = node.childForFieldName(AST_FIELD_NAMES.NAME)
if (!nameNode) {
return null
}
const interfaceName = nameNode.text
const lineNumber = nameNode.startPosition.row + 1
if (!/^[A-Z][a-zA-Z0-9]*$/.test(interfaceName)) {
return NamingViolation.create(
interfaceName,
NAMING_VIOLATION_TYPES.WRONG_CASE,
layer,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.INTERFACE_PASCAL_CASE,
interfaceName,
NAMING_ERROR_MESSAGES.USE_PASCAL_CASE_INTERFACE,
)
}
if (layer === LAYERS.DOMAIN) {
return this.checkDomainInterface(interfaceName, filePath, lineNumber)
}
return null
}
/**
* Checks domain layer interface naming
*/
private checkDomainInterface(
interfaceName: string,
filePath: string,
lineNumber: number,
): NamingViolation | null {
if (interfaceName.endsWith(PATTERN_WORDS.REPOSITORY)) {
if (!interfaceName.startsWith(PATTERN_WORDS.I_PREFIX)) {
return NamingViolation.create(
interfaceName,
NAMING_VIOLATION_TYPES.WRONG_PREFIX,
LAYERS.DOMAIN,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.REPOSITORY_INTERFACE_I_PREFIX,
interfaceName,
`Rename to I${interfaceName}`,
)
}
if (!/^I[A-Z][a-zA-Z0-9]*Repository$/.test(interfaceName)) {
return NamingViolation.create(
interfaceName,
NAMING_VIOLATION_TYPES.WRONG_CASE,
LAYERS.DOMAIN,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.REPOSITORY_INTERFACE_PATTERN,
interfaceName,
)
}
}
return null
}
}

106
packages/guardian/src/infrastructure/strategies/naming/AstNamingTraverser.ts Normal file
View File

@@ -0,0 +1,106 @@
import Parser from "tree-sitter"
import { NamingViolation } from "../../../domain/value-objects/NamingViolation"
import { AST_CLASS_TYPES, AST_FUNCTION_TYPES, AST_VARIABLE_TYPES } from "../../../shared/constants"
import { AstClassNameAnalyzer } from "./AstClassNameAnalyzer"
import { AstFunctionNameAnalyzer } from "./AstFunctionNameAnalyzer"
import { AstInterfaceNameAnalyzer } from "./AstInterfaceNameAnalyzer"
import { AstVariableNameAnalyzer } from "./AstVariableNameAnalyzer"
type NodeAnalyzer = (
node: Parser.SyntaxNode,
layer: string,
filePath: string,
lines: string[],
) => NamingViolation | null
/**
* AST tree traverser for detecting naming convention violations
*
* Walks through the Abstract Syntax Tree and uses analyzers
* to detect naming violations in classes, interfaces, functions, and variables.
*/
export class AstNamingTraverser {
private readonly nodeHandlers: Map<string, NodeAnalyzer>
constructor(
private readonly classAnalyzer: AstClassNameAnalyzer,
private readonly interfaceAnalyzer: AstInterfaceNameAnalyzer,
private readonly functionAnalyzer: AstFunctionNameAnalyzer,
private readonly variableAnalyzer: AstVariableNameAnalyzer,
) {
this.nodeHandlers = this.buildNodeHandlers()
}
/**
* Traverses the AST tree and collects naming violations
*/
public traverse(
tree: Parser.Tree,
sourceCode: string,
layer: string,
filePath: string,
): NamingViolation[] {
const results: NamingViolation[] = []
const lines = sourceCode.split("\n")
const cursor = tree.walk()
this.visit(cursor, lines, layer, filePath, results)
return results
}
private buildNodeHandlers(): Map<string, NodeAnalyzer> {
const handlers = new Map<string, NodeAnalyzer>()
handlers.set(AST_CLASS_TYPES.CLASS_DECLARATION, (node, layer, filePath, lines) =>
this.classAnalyzer.analyze(node, layer, filePath, lines),
)
handlers.set(AST_CLASS_TYPES.INTERFACE_DECLARATION, (node, layer, filePath, lines) =>
this.interfaceAnalyzer.analyze(node, layer, filePath, lines),
)
const functionHandler: NodeAnalyzer = (node, layer, filePath, lines) =>
this.functionAnalyzer.analyze(node, layer, filePath, lines)
handlers.set(AST_FUNCTION_TYPES.FUNCTION_DECLARATION, functionHandler)
handlers.set(AST_FUNCTION_TYPES.METHOD_DEFINITION, functionHandler)
handlers.set(AST_FUNCTION_TYPES.FUNCTION_SIGNATURE, functionHandler)
const variableHandler: NodeAnalyzer = (node, layer, filePath, lines) =>
this.variableAnalyzer.analyze(node, layer, filePath, lines)
handlers.set(AST_VARIABLE_TYPES.VARIABLE_DECLARATOR, variableHandler)
handlers.set(AST_VARIABLE_TYPES.REQUIRED_PARAMETER, variableHandler)
handlers.set(AST_VARIABLE_TYPES.OPTIONAL_PARAMETER, variableHandler)
handlers.set(AST_VARIABLE_TYPES.PUBLIC_FIELD_DEFINITION, variableHandler)
handlers.set(AST_VARIABLE_TYPES.PROPERTY_SIGNATURE, variableHandler)
return handlers
}
/**
* Recursively visits AST nodes
*/
private visit(
cursor: Parser.TreeCursor,
lines: string[],
layer: string,
filePath: string,
results: NamingViolation[],
): void {
const node = cursor.currentNode
const handler = this.nodeHandlers.get(node.type)
if (handler) {
const violation = handler(node, layer, filePath, lines)
if (violation) {
results.push(violation)
}
}
if (cursor.gotoFirstChild()) {
do {
this.visit(cursor, lines, layer, filePath, results)
} while (cursor.gotoNextSibling())
cursor.gotoParent()
}
}
}

159
packages/guardian/src/infrastructure/strategies/naming/AstVariableNameAnalyzer.ts Normal file
View File

@@ -0,0 +1,159 @@
import Parser from "tree-sitter"
import { NamingViolation } from "../../../domain/value-objects/NamingViolation"
import {
AST_FIELD_NAMES,
AST_FIELD_TYPES,
AST_MODIFIER_TYPES,
AST_PATTERN_TYPES,
AST_STATEMENT_TYPES,
AST_VARIABLE_TYPES,
} from "../../../shared/constants"
import { NAMING_VIOLATION_TYPES } from "../../../shared/constants/rules"
import { NAMING_ERROR_MESSAGES } from "../../constants/detectorPatterns"
/**
* AST-based analyzer for detecting variable naming violations
*
* Analyzes variable declarations to ensure proper naming conventions:
* - Regular variables: camelCase
* - Constants (exported UPPER_CASE): UPPER_SNAKE_CASE
* - Class properties: camelCase
* - Private properties with underscore prefix are allowed
*/
export class AstVariableNameAnalyzer {
/**
* Analyzes a variable declaration node
*/
public analyze(
node: Parser.SyntaxNode,
layer: string,
filePath: string,
_lines: string[],
): NamingViolation | null {
const variableNodeTypes = [
AST_VARIABLE_TYPES.VARIABLE_DECLARATOR,
AST_VARIABLE_TYPES.REQUIRED_PARAMETER,
AST_VARIABLE_TYPES.OPTIONAL_PARAMETER,
AST_VARIABLE_TYPES.PUBLIC_FIELD_DEFINITION,
AST_VARIABLE_TYPES.PROPERTY_SIGNATURE,
] as const
if (!(variableNodeTypes as readonly string[]).includes(node.type)) {
return null
}
const nameNode = node.childForFieldName(AST_FIELD_NAMES.NAME)
if (!nameNode) {
return null
}
if (this.isDestructuringPattern(nameNode)) {
return null
}
const variableName = nameNode.text
const lineNumber = nameNode.startPosition.row + 1
if (variableName.startsWith("_")) {
return null
}
const isConstant = this.isConstantVariable(node)
if (isConstant) {
if (!/^[A-Z][A-Z0-9_]*$/.test(variableName)) {
return NamingViolation.create(
variableName,
NAMING_VIOLATION_TYPES.WRONG_CASE,
layer,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.CONSTANT_UPPER_SNAKE_CASE,
variableName,
NAMING_ERROR_MESSAGES.USE_UPPER_SNAKE_CASE_CONSTANT,
)
}
} else {
if (!/^[a-z][a-zA-Z0-9]*$/.test(variableName)) {
return NamingViolation.create(
variableName,
NAMING_VIOLATION_TYPES.WRONG_CASE,
layer,
`${filePath}:${String(lineNumber)}`,
NAMING_ERROR_MESSAGES.VARIABLE_CAMEL_CASE,
variableName,
NAMING_ERROR_MESSAGES.USE_CAMEL_CASE_VARIABLE,
)
}
}
return null
}
/**
* Checks if node is a destructuring pattern (object or array)
*/
private isDestructuringPattern(node: Parser.SyntaxNode): boolean {
return (
node.type === AST_PATTERN_TYPES.OBJECT_PATTERN ||
node.type === AST_PATTERN_TYPES.ARRAY_PATTERN
)
}
/**
* Checks if a variable is a constant (exported UPPER_CASE)
*/
private isConstantVariable(node: Parser.SyntaxNode): boolean {
const variableName = node.childForFieldName(AST_FIELD_NAMES.NAME)?.text
if (!variableName || !/^[A-Z]/.test(variableName)) {
return false
}
if (
node.type === AST_VARIABLE_TYPES.PUBLIC_FIELD_DEFINITION ||
node.type === AST_FIELD_TYPES.FIELD_DEFINITION
) {
return this.hasConstModifiers(node)
}
let current: Parser.SyntaxNode | null = node.parent
while (current) {
if (current.type === AST_STATEMENT_TYPES.LEXICAL_DECLARATION) {
const firstChild = current.child(0)
if (firstChild?.type === AST_MODIFIER_TYPES.CONST) {
return true
}
}
if (
current.type === AST_VARIABLE_TYPES.PUBLIC_FIELD_DEFINITION ||
current.type === AST_FIELD_TYPES.FIELD_DEFINITION
) {
return this.hasConstModifiers(current)
}
current = current.parent
}
return false
}
/**
* Checks if field has readonly or static modifiers (indicating a constant)
*/
private hasConstModifiers(fieldNode: Parser.SyntaxNode): boolean {
for (let i = 0; i < fieldNode.childCount; i++) {
const child = fieldNode.child(i)
const childText = child?.text
if (
child?.type === AST_MODIFIER_TYPES.READONLY ||
child?.type === AST_MODIFIER_TYPES.STATIC ||
childText === AST_MODIFIER_TYPES.READONLY ||
childText === AST_MODIFIER_TYPES.STATIC
) {
return true
}
}
return false
}
}

139
packages/guardian/src/shared/constants/ast-node-types.ts Normal file
View File

@@ -0,0 +1,139 @@
/**
* Abstract Syntax Tree (AST) node type constants
*
* These constants represent tree-sitter AST node types used for code analysis.
* Using constants instead of magic strings improves maintainability and prevents typos.
*
* @see https://tree-sitter.github.io/tree-sitter/
*/
/**
* Class and interface declaration node types
*/
export const AST_CLASS_TYPES = {
CLASS_DECLARATION: "class_declaration",
INTERFACE_DECLARATION: "interface_declaration",
} as const
/**
* Function and method node types
*/
export const AST_FUNCTION_TYPES = {
FUNCTION_DECLARATION: "function_declaration",
METHOD_DEFINITION: "method_definition",
FUNCTION_SIGNATURE: "function_signature",
} as const
/**
* Variable and parameter node types
*/
export const AST_VARIABLE_TYPES = {
VARIABLE_DECLARATOR: "variable_declarator",
REQUIRED_PARAMETER: "required_parameter",
OPTIONAL_PARAMETER: "optional_parameter",
PUBLIC_FIELD_DEFINITION: "public_field_definition",
PROPERTY_SIGNATURE: "property_signature",
} as const
/**
* Type system node types
*/
export const AST_TYPE_TYPES = {
TYPE_ALIAS_DECLARATION: "type_alias_declaration",
UNION_TYPE: "union_type",
LITERAL_TYPE: "literal_type",
TYPE_ANNOTATION: "type_annotation",
} as const
/**
* Statement node types
*/
export const AST_STATEMENT_TYPES = {
EXPORT_STATEMENT: "export_statement",
IMPORT_STATEMENT: "import_statement",
LEXICAL_DECLARATION: "lexical_declaration",
} as const
/**
* Expression node types
*/
export const AST_EXPRESSION_TYPES = {
CALL_EXPRESSION: "call_expression",
AS_EXPRESSION: "as_expression",
} as const
/**
* Field and property node types
*/
export const AST_FIELD_TYPES = {
FIELD_DEFINITION: "field_definition",
} as const
/**
* Pattern node types
*/
export const AST_PATTERN_TYPES = {
OBJECT_PATTERN: "object_pattern",
ARRAY_PATTERN: "array_pattern",
} as const
/**
* Modifier node types
*/
export const AST_MODIFIER_TYPES = {
READONLY: "readonly",
STATIC: "static",
CONST: "const",
} as const
/**
* Special identifier node types
*/
export const AST_IDENTIFIER_TYPES = {
IDENTIFIER: "identifier",
TYPE_IDENTIFIER: "type_identifier",
PROPERTY_IDENTIFIER: "property_identifier",
IMPORT: "import",
} as const
/**
* Node field names used with childForFieldName()
*/
export const AST_FIELD_NAMES = {
NAME: "name",
DECLARATION: "declaration",
VALUE: "value",
FUNCTION: "function",
} as const
/**
* String fragment node type
*/
export const AST_STRING_TYPES = {
STRING_FRAGMENT: "string_fragment",
} as const
/**
* Common JavaScript timer functions
*/
export const TIMER_FUNCTIONS = {
SET_TIMEOUT: "setTimeout",
SET_INTERVAL: "setInterval",
} as const
/**
* Value pattern types for pattern matching
*/
export const VALUE_PATTERN_TYPES = {
EMAIL: "email",
API_KEY: "api_key",
URL: "url",
IP_ADDRESS: "ip_address",
FILE_PATH: "file_path",
DATE: "date",
UUID: "uuid",
VERSION: "version",
JWT: "jwt",
MAC_ADDRESS: "mac_address",
BASE64: "base64",
} as const

22
packages/guardian/src/shared/constants/index.ts
View File

@@ -45,6 +45,25 @@ export const TYPE_NAMES = {
OBJECT: "object",
} as const
/**
* TypeScript class and method keywords
*/
export const CLASS_KEYWORDS = {
CONSTRUCTOR: "constructor",
PUBLIC: "public",
PRIVATE: "private",
PROTECTED: "protected",
} as const
/**
* Example code constants for documentation
*/
export const EXAMPLE_CODE_CONSTANTS = {
ORDER_STATUS_PENDING: "pending",
ORDER_STATUS_APPROVED: "approved",
CANNOT_APPROVE_ERROR: "Cannot approve",
} as const
/**
* Common regex patterns
*/
@@ -86,15 +105,18 @@ export const SEVERITY_ORDER: Record<SeverityLevel, number> = {
* Violation type to severity mapping
*/
export const VIOLATION_SEVERITY_MAP = {
SECRET_EXPOSURE: SEVERITY_LEVELS.CRITICAL,
CIRCULAR_DEPENDENCY: SEVERITY_LEVELS.CRITICAL,
REPOSITORY_PATTERN: SEVERITY_LEVELS.CRITICAL,
AGGREGATE_BOUNDARY: SEVERITY_LEVELS.CRITICAL,
DEPENDENCY_DIRECTION: SEVERITY_LEVELS.HIGH,
FRAMEWORK_LEAK: SEVERITY_LEVELS.HIGH,
ENTITY_EXPOSURE: SEVERITY_LEVELS.HIGH,
ANEMIC_MODEL: SEVERITY_LEVELS.MEDIUM,
NAMING_CONVENTION: SEVERITY_LEVELS.MEDIUM,
ARCHITECTURE: SEVERITY_LEVELS.MEDIUM,
HARDCODE: SEVERITY_LEVELS.LOW,
} as const
export * from "./rules"
export * from "./ast-node-types"

148
packages/guardian/src/shared/constants/rules.ts
View File

@@ -11,6 +11,8 @@ export const RULES = {
DEPENDENCY_DIRECTION: "dependency-direction",
REPOSITORY_PATTERN: "repository-pattern",
AGGREGATE_BOUNDARY: "aggregate-boundary",
SECRET_EXPOSURE: "secret-exposure",
ANEMIC_MODEL: "anemic-model",
} as const
/**
@@ -19,6 +21,7 @@ export const RULES = {
export const HARDCODE_TYPES = {
MAGIC_NUMBER: "magic-number",
MAGIC_STRING: "magic-string",
MAGIC_BOOLEAN: "magic-boolean",
MAGIC_CONFIG: "magic-config",
} as const
@@ -102,32 +105,35 @@ export const NAMING_PATTERNS = {
* Common verbs for use cases
*/
export const USE_CASE_VERBS = [
"Aggregate",
"Analyze",
"Create",
"Update",
"Delete",
"Get",
"Find",
"List",
"Search",
"Validate",
"Calculate",
"Generate",
"Send",
"Fetch",
"Process",
"Execute",
"Handle",
"Register",
"Approve",
"Authenticate",
"Authorize",
"Import",
"Export",
"Place",
"Calculate",
"Cancel",
"Approve",
"Reject",
"Collect",
"Confirm",
"Create",
"Delete",
"Execute",
"Export",
"Fetch",
"Find",
"Generate",
"Get",
"Handle",
"Import",
"List",
"Parse",
"Place",
"Process",
"Register",
"Reject",
"Search",
"Send",
"Update",
"Validate",
] as const
/**
@@ -411,3 +417,103 @@ export const REPOSITORY_VIOLATION_TYPES = {
NEW_REPOSITORY_IN_USE_CASE: "new-repository-in-use-case",
NON_DOMAIN_METHOD_NAME: "non-domain-method-name",
} as const
/**
* Detection patterns for sensitive keywords
*/
export const DETECTION_PATTERNS = {
SENSITIVE_KEYWORDS: ["password", "secret", "token", "auth", "credential"],
BUSINESS_KEYWORDS: ["price", "salary", "balance", "amount", "limit", "threshold", "quota"],
TECHNICAL_KEYWORDS: [
"timeout",
"retry",
"attempt",
"maxretries",
"database",
"connection",
"host",
"port",
"endpoint",
],
MEDIUM_KEYWORDS: ["delay", "interval", "duration", "size", "count", "max", "min"],
UI_KEYWORDS: [
"padding",
"margin",
"width",
"height",
"color",
"style",
"label",
"title",
"placeholder",
"icon",
"text",
"display",
],
} as const
/**
* Configuration detection keywords
*/
export const CONFIG_KEYWORDS = {
NETWORK: ["endpoint", "host", "domain", "path", "route"],
DATABASE: ["connection", "database"],
SECURITY: ["config", "secret", "token", "password", "credential"],
MESSAGES: [
"message",
"error",
"warning",
"text",
"description",
"suggestion",
"violation",
"expected",
"actual",
],
TECHNICAL: [
"type",
"node",
"declaration",
"definition",
"signature",
"pattern",
"suffix",
"prefix",
],
} as const
/**
* Detection comparison values
*/
export const DETECTION_VALUES = {
BOOLEAN_TRUE: "true",
BOOLEAN_FALSE: "false",
TYPE_CONFIG: "config",
TYPE_GENERIC: "generic",
} as const
/**
* Boolean constants for analyzers
*/
export const ANALYZER_DEFAULTS = {
HAS_ONLY_GETTERS_SETTERS: false,
HAS_PUBLIC_SETTERS: false,
HAS_BUSINESS_LOGIC: false,
} as const
/**
* Anemic model detection flags
*/
export const ANEMIC_MODEL_FLAGS = {
HAS_ONLY_GETTERS_SETTERS_TRUE: true,
HAS_ONLY_GETTERS_SETTERS_FALSE: false,
HAS_PUBLIC_SETTERS_TRUE: true,
HAS_PUBLIC_SETTERS_FALSE: false,
} as const
/**
* External package constants
*/
export const EXTERNAL_PACKAGES = {
SECRETLINT_PRESET: "@secretlint/secretlint-rule-preset-recommend",
} as const

372
packages/guardian/tests/AnemicModelDetector.test.ts Normal file
View File

@@ -0,0 +1,372 @@
import { describe, it, expect, beforeEach } from "vitest"
import { AnemicModelDetector } from "../src/infrastructure/analyzers/AnemicModelDetector"
describe("AnemicModelDetector", () => {
let detector: AnemicModelDetector
beforeEach(() => {
detector = new AnemicModelDetector()
})
describe("detectAnemicModels", () => {
it("should detect class with only getters and setters", () => {
const code = `
class Order {
private status: string
private total: number
getStatus(): string {
return this.status
}
setStatus(status: string): void {
this.status = status
}
getTotal(): number {
return this.total
}
setTotal(total: number): void {
this.total = total
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Order.ts",
"domain",
)
expect(violations).toHaveLength(1)
expect(violations[0].className).toBe("Order")
expect(violations[0].methodCount).toBeGreaterThan(0)
expect(violations[0].propertyCount).toBeGreaterThan(0)
expect(violations[0].getMessage()).toContain("Order")
})
it("should detect class with public setters", () => {
const code = `
class User {
private email: string
private password: string
public setEmail(email: string): void {
this.email = email
}
public getEmail(): string {
return this.email
}
public setPassword(password: string): void {
this.password = password
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/User.ts",
"domain",
)
expect(violations).toHaveLength(1)
expect(violations[0].className).toBe("User")
expect(violations[0].hasPublicSetters).toBe(true)
})
it("should not detect rich domain model with business logic", () => {
const code = `
class Order {
private readonly id: string
private status: OrderStatus
private items: OrderItem[]
public approve(): void {
if (!this.canBeApproved()) {
throw new Error("Cannot approve")
}
this.status = OrderStatus.APPROVED
}
public reject(reason: string): void {
if (!this.canBeRejected()) {
throw new Error("Cannot reject")
}
this.status = OrderStatus.REJECTED
}
public addItem(item: OrderItem): void {
if (this.isApproved()) {
throw new Error("Cannot modify approved order")
}
this.items.push(item)
}
public calculateTotal(): Money {
return this.items.reduce((sum, item) => sum.add(item.getPrice()), Money.zero())
}
public getStatus(): OrderStatus {
return this.status
}
private canBeApproved(): boolean {
return this.status === OrderStatus.PENDING
}
private canBeRejected(): boolean {
return this.status === OrderStatus.PENDING
}
private isApproved(): boolean {
return this.status === OrderStatus.APPROVED
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Order.ts",
"domain",
)
expect(violations).toHaveLength(0)
})
it("should not analyze files outside domain layer", () => {
const code = `
class OrderDto {
getStatus(): string {
return this.status
}
setStatus(status: string): void {
this.status = status
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/application/dtos/OrderDto.ts",
"application",
)
expect(violations).toHaveLength(0)
})
it("should not analyze DTO files", () => {
const code = `
class UserDto {
private email: string
getEmail(): string {
return this.email
}
setEmail(email: string): void {
this.email = email
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/dtos/UserDto.ts",
"domain",
)
expect(violations).toHaveLength(0)
})
it("should not analyze test files", () => {
const code = `
class Order {
getStatus(): string {
return this.status
}
setStatus(status: string): void {
this.status = status
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Order.test.ts",
"domain",
)
expect(violations).toHaveLength(0)
})
it("should detect anemic model in entities folder", () => {
const code = `
class Product {
private name: string
private price: number
getName(): string {
return this.name
}
setName(name: string): void {
this.name = name
}
getPrice(): number {
return this.price
}
setPrice(price: number): void {
this.price = price
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Product.ts",
"domain",
)
expect(violations).toHaveLength(1)
expect(violations[0].className).toBe("Product")
})
it("should detect anemic model in aggregates folder", () => {
const code = `
class Customer {
private email: string
getEmail(): string {
return this.email
}
setEmail(email: string): void {
this.email = email
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/aggregates/customer/Customer.ts",
"domain",
)
expect(violations).toHaveLength(1)
expect(violations[0].className).toBe("Customer")
})
it("should not detect class with good method-to-property ratio", () => {
const code = `
class Account {
private balance: number
private isActive: boolean
public deposit(amount: number): void {
if (amount <= 0) throw new Error("Invalid amount")
this.balance += amount
}
public withdraw(amount: number): void {
if (amount > this.balance) throw new Error("Insufficient funds")
this.balance -= amount
}
public activate(): void {
this.isActive = true
}
public deactivate(): void {
this.isActive = false
}
public getBalance(): number {
return this.balance
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Account.ts",
"domain",
)
expect(violations).toHaveLength(0)
})
it("should handle class with no properties or methods", () => {
const code = `
class EmptyEntity {
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/EmptyEntity.ts",
"domain",
)
expect(violations).toHaveLength(0)
})
it("should detect multiple anemic classes in one file", () => {
const code = `
class Order {
getStatus() { return this.status }
setStatus(status: string) { this.status = status }
}
class Item {
getPrice() { return this.price }
setPrice(price: number) { this.price = price }
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Models.ts",
"domain",
)
expect(violations).toHaveLength(2)
expect(violations[0].className).toBe("Order")
expect(violations[1].className).toBe("Item")
})
it("should provide correct violation details", () => {
const code = `
class Payment {
private amount: number
private currency: string
getAmount(): number {
return this.amount
}
setAmount(amount: number): void {
this.amount = amount
}
getCurrency(): string {
return this.currency
}
setCurrency(currency: string): void {
this.currency = currency
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Payment.ts",
"domain",
)
expect(violations).toHaveLength(1)
const violation = violations[0]
expect(violation.className).toBe("Payment")
expect(violation.filePath).toBe("src/domain/entities/Payment.ts")
expect(violation.layer).toBe("domain")
expect(violation.line).toBeGreaterThan(0)
expect(violation.getMessage()).toContain("Payment")
expect(violation.getSuggestion()).toContain("business")
})
})
})

5
packages/guardian/tests/e2e/AnalyzeProject.e2e.test.ts
View File

@@ -27,6 +27,7 @@ describe("AnalyzeProject E2E", () => {
expect(Array.isArray(result.dependencyDirectionViolations)).toBe(true)
expect(Array.isArray(result.repositoryPatternViolations)).toBe(true)
expect(Array.isArray(result.aggregateBoundaryViolations)).toBe(true)
expect(Array.isArray(result.anemicModelViolations)).toBe(true)
})
it("should respect exclude patterns", async () => {
@@ -65,7 +66,8 @@ describe("AnalyzeProject E2E", () => {
result.entityExposureViolations.length +
result.dependencyDirectionViolations.length +
result.repositoryPatternViolations.length +
result.aggregateBoundaryViolations.length
result.aggregateBoundaryViolations.length +
result.anemicModelViolations.length
expect(totalViolations).toBeGreaterThan(0)
})
@@ -82,6 +84,7 @@ describe("AnalyzeProject E2E", () => {
expect(result.entityExposureViolations.length).toBe(0)
expect(result.dependencyDirectionViolations.length).toBe(0)
expect(result.circularDependencyViolations.length).toBe(0)
expect(result.anemicModelViolations.length).toBe(0)
})
it("should have no dependency direction violations", async () => {

358
packages/guardian/tests/unit/domain/EntityExposure.test.ts Normal file
View File

@@ -0,0 +1,358 @@
import { describe, it, expect } from "vitest"
import { EntityExposure } from "../../../src/domain/value-objects/EntityExposure"
describe("EntityExposure", () => {
describe("create", () => {
it("should create entity exposure with all properties", () => {
const exposure = EntityExposure.create(
"User",
"User",
"src/controllers/UserController.ts",
"infrastructure",
25,
"getUser",
)
expect(exposure.entityName).toBe("User")
expect(exposure.returnType).toBe("User")
expect(exposure.filePath).toBe("src/controllers/UserController.ts")
expect(exposure.layer).toBe("infrastructure")
expect(exposure.line).toBe(25)
expect(exposure.methodName).toBe("getUser")
})
it("should create entity exposure without optional properties", () => {
const exposure = EntityExposure.create(
"Order",
"Order",
"src/controllers/OrderController.ts",
"infrastructure",
)
expect(exposure.entityName).toBe("Order")
expect(exposure.line).toBeUndefined()
expect(exposure.methodName).toBeUndefined()
})
it("should create entity exposure with line but without method name", () => {
const exposure = EntityExposure.create(
"Product",
"Product",
"src/api/ProductApi.ts",
"infrastructure",
15,
)
expect(exposure.line).toBe(15)
expect(exposure.methodName).toBeUndefined()
})
})
describe("getMessage", () => {
it("should return message with method name", () => {
const exposure = EntityExposure.create(
"User",
"User",
"src/controllers/UserController.ts",
"infrastructure",
25,
"getUser",
)
const message = exposure.getMessage()
expect(message).toContain("Method 'getUser'")
expect(message).toContain("returns domain entity 'User'")
expect(message).toContain("instead of DTO")
})
it("should return message without method name", () => {
const exposure = EntityExposure.create(
"Order",
"Order",
"src/controllers/OrderController.ts",
"infrastructure",
30,
)
const message = exposure.getMessage()
expect(message).toContain("returns domain entity 'Order'")
expect(message).toContain("instead of DTO")
expect(message).not.toContain("undefined")
})
it("should handle different entity names", () => {
const exposures = [
EntityExposure.create(
"Customer",
"Customer",
"file.ts",
"infrastructure",
1,
"getCustomer",
),
EntityExposure.create(
"Invoice",
"Invoice",
"file.ts",
"infrastructure",
2,
"findInvoice",
),
EntityExposure.create(
"Payment",
"Payment",
"file.ts",
"infrastructure",
3,
"processPayment",
),
]
exposures.forEach((exposure) => {
const message = exposure.getMessage()
expect(message).toContain(exposure.entityName)
expect(message).toContain("instead of DTO")
})
})
})
describe("getSuggestion", () => {
it("should return multi-line suggestion", () => {
const exposure = EntityExposure.create(
"User",
"User",
"src/controllers/UserController.ts",
"infrastructure",
25,
"getUser",
)
const suggestion = exposure.getSuggestion()
expect(suggestion).toContain("Create a DTO class")
expect(suggestion).toContain("UserResponseDto")
expect(suggestion).toContain("Create a mapper")
expect(suggestion).toContain("Update the method")
})
it("should suggest appropriate DTO name based on entity", () => {
const exposure = EntityExposure.create(
"Order",
"Order",
"src/controllers/OrderController.ts",
"infrastructure",
)
const suggestion = exposure.getSuggestion()
expect(suggestion).toContain("OrderResponseDto")
expect(suggestion).toContain("convert Order to OrderResponseDto")
})
it("should provide step-by-step suggestions", () => {
const exposure = EntityExposure.create(
"Product",
"Product",
"src/api/ProductApi.ts",
"infrastructure",
10,
)
const suggestion = exposure.getSuggestion()
const lines = suggestion.split("\n")
expect(lines.length).toBeGreaterThan(1)
expect(lines.some((line) => line.includes("Create a DTO"))).toBe(true)
expect(lines.some((line) => line.includes("mapper"))).toBe(true)
expect(lines.some((line) => line.includes("Update the method"))).toBe(true)
})
})
describe("getExampleFix", () => {
it("should return example with method name", () => {
const exposure = EntityExposure.create(
"User",
"User",
"src/controllers/UserController.ts",
"infrastructure",
25,
"getUser",
)
const example = exposure.getExampleFix()
expect(example).toContain("Bad: Exposing domain entity")
expect(example).toContain("Good: Using DTO")
expect(example).toContain("getUser()")
expect(example).toContain("Promise<User>")
expect(example).toContain("Promise<UserResponseDto>")
expect(example).toContain("UserMapper.toDto")
})
it("should return example without method name", () => {
const exposure = EntityExposure.create(
"Order",
"Order",
"src/controllers/OrderController.ts",
"infrastructure",
30,
)
const example = exposure.getExampleFix()
expect(example).toContain("Promise<Order>")
expect(example).toContain("Promise<OrderResponseDto>")
expect(example).toContain("OrderMapper.toDto")
expect(example).not.toContain("undefined")
})
it("should show both bad and good examples", () => {
const exposure = EntityExposure.create(
"Product",
"Product",
"src/api/ProductApi.ts",
"infrastructure",
15,
"findProduct",
)
const example = exposure.getExampleFix()
expect(example).toContain("❌ Bad")
expect(example).toContain("✅ Good")
})
it("should include async/await pattern", () => {
const exposure = EntityExposure.create(
"Customer",
"Customer",
"src/api/CustomerApi.ts",
"infrastructure",
20,
"getCustomer",
)
const example = exposure.getExampleFix()
expect(example).toContain("async")
expect(example).toContain("await")
})
})
describe("value object behavior", () => {
it("should be equal to another instance with same values", () => {
const exposure1 = EntityExposure.create(
"User",
"User",
"file.ts",
"infrastructure",
10,
"getUser",
)
const exposure2 = EntityExposure.create(
"User",
"User",
"file.ts",
"infrastructure",
10,
"getUser",
)
expect(exposure1.equals(exposure2)).toBe(true)
})
it("should not be equal to instance with different values", () => {
const exposure1 = EntityExposure.create(
"User",
"User",
"file.ts",
"infrastructure",
10,
"getUser",
)
const exposure2 = EntityExposure.create(
"Order",
"Order",
"file.ts",
"infrastructure",
10,
"getUser",
)
expect(exposure1.equals(exposure2)).toBe(false)
})
it("should not be equal to instance with different method name", () => {
const exposure1 = EntityExposure.create(
"User",
"User",
"file.ts",
"infrastructure",
10,
"getUser",
)
const exposure2 = EntityExposure.create(
"User",
"User",
"file.ts",
"infrastructure",
10,
"findUser",
)
expect(exposure1.equals(exposure2)).toBe(false)
})
})
describe("edge cases", () => {
it("should handle empty entity name", () => {
const exposure = EntityExposure.create("", "", "file.ts", "infrastructure")
expect(exposure.entityName).toBe("")
expect(exposure.getMessage()).toBeTruthy()
})
it("should handle very long entity names", () => {
const longName = "VeryLongEntityNameThatIsUnusuallyLong"
const exposure = EntityExposure.create(longName, longName, "file.ts", "infrastructure")
expect(exposure.entityName).toBe(longName)
const suggestion = exposure.getSuggestion()
expect(suggestion).toContain(`${longName}ResponseDto`)
})
it("should handle special characters in method name", () => {
const exposure = EntityExposure.create(
"User",
"User",
"file.ts",
"infrastructure",
10,
"get$User",
)
const message = exposure.getMessage()
expect(message).toContain("get$User")
})
it("should handle line number 0", () => {
const exposure = EntityExposure.create("User", "User", "file.ts", "infrastructure", 0)
expect(exposure.line).toBe(0)
})
it("should handle very large line numbers", () => {
const exposure = EntityExposure.create(
"User",
"User",
"file.ts",
"infrastructure",
999999,
)
expect(exposure.line).toBe(999999)
})
})
})

320
packages/guardian/tests/unit/domain/SecretViolation.test.ts Normal file
View File

@@ -0,0 +1,320 @@
import { describe, it, expect } from "vitest"
import { SecretViolation } from "../../../src/domain/value-objects/SecretViolation"
describe("SecretViolation", () => {
describe("create", () => {
it("should create a secret violation with all properties", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"AKIA1234567890ABCDEF",
)
expect(violation.file).toBe("src/config/aws.ts")
expect(violation.line).toBe(10)
expect(violation.column).toBe(15)
expect(violation.secretType).toBe("AWS Access Key")
expect(violation.matchedPattern).toBe("AKIA1234567890ABCDEF")
})
it("should create a secret violation with GitHub token", () => {
const violation = SecretViolation.create(
"src/config/github.ts",
5,
20,
"GitHub Personal Access Token",
"ghp_1234567890abcdefghijklmnopqrstuv",
)
expect(violation.secretType).toBe("GitHub Personal Access Token")
expect(violation.file).toBe("src/config/github.ts")
})
it("should create a secret violation with NPM token", () => {
const violation = SecretViolation.create(".npmrc", 1, 1, "NPM Token", "npm_abc123xyz")
expect(violation.secretType).toBe("NPM Token")
})
})
describe("getters", () => {
it("should return file path", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.file).toBe("src/config/aws.ts")
})
it("should return line number", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.line).toBe(10)
})
it("should return column number", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.column).toBe(15)
})
it("should return secret type", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.secretType).toBe("AWS Access Key")
})
it("should return matched pattern", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"AKIA1234567890ABCDEF",
)
expect(violation.matchedPattern).toBe("AKIA1234567890ABCDEF")
})
})
describe("getMessage", () => {
it("should return formatted message for AWS Access Key", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.getMessage()).toBe("Hardcoded AWS Access Key detected")
})
it("should return formatted message for GitHub token", () => {
const violation = SecretViolation.create(
"src/config/github.ts",
5,
20,
"GitHub Token",
"test",
)
expect(violation.getMessage()).toBe("Hardcoded GitHub Token detected")
})
it("should return formatted message for NPM token", () => {
const violation = SecretViolation.create(".npmrc", 1, 1, "NPM Token", "test")
expect(violation.getMessage()).toBe("Hardcoded NPM Token detected")
})
})
describe("getSuggestion", () => {
it("should return multi-line suggestion", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
const suggestion = violation.getSuggestion()
expect(suggestion).toContain("1. Use environment variables")
expect(suggestion).toContain("2. Use secret management services")
expect(suggestion).toContain("3. Never commit secrets")
expect(suggestion).toContain("4. If secret was committed, rotate it immediately")
expect(suggestion).toContain("5. Add secret files to .gitignore")
})
it("should return the same suggestion for all secret types", () => {
const awsViolation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
const githubViolation = SecretViolation.create(
"src/config/github.ts",
5,
20,
"GitHub Token",
"test",
)
expect(awsViolation.getSuggestion()).toBe(githubViolation.getSuggestion())
})
})
describe("getExampleFix", () => {
it("should return AWS-specific example for AWS Access Key", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("AWS")
expect(example).toContain("process.env.AWS_ACCESS_KEY_ID")
expect(example).toContain("credentials provider")
})
it("should return GitHub-specific example for GitHub token", () => {
const violation = SecretViolation.create(
"src/config/github.ts",
5,
20,
"GitHub Token",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("GitHub")
expect(example).toContain("process.env.GITHUB_TOKEN")
expect(example).toContain("GitHub Apps")
})
it("should return NPM-specific example for NPM token", () => {
const violation = SecretViolation.create(".npmrc", 1, 1, "NPM Token", "test")
const example = violation.getExampleFix()
expect(example).toContain("NPM")
expect(example).toContain(".npmrc")
expect(example).toContain("process.env.NPM_TOKEN")
})
it("should return SSH-specific example for SSH Private Key", () => {
const violation = SecretViolation.create(
"src/config/ssh.ts",
1,
1,
"SSH Private Key",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("SSH")
expect(example).toContain("readFileSync")
expect(example).toContain("SSH_KEY_PATH")
})
it("should return SSH RSA-specific example for SSH RSA Private Key", () => {
const violation = SecretViolation.create(
"src/config/ssh.ts",
1,
1,
"SSH RSA Private Key",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("SSH")
expect(example).toContain("RSA PRIVATE KEY")
})
it("should return Slack-specific example for Slack token", () => {
const violation = SecretViolation.create(
"src/config/slack.ts",
1,
1,
"Slack Bot Token",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("Slack")
expect(example).toContain("process.env.SLACK_BOT_TOKEN")
})
it("should return API Key example for generic API key", () => {
const violation = SecretViolation.create("src/config/api.ts", 1, 1, "API Key", "test")
const example = violation.getExampleFix()
expect(example).toContain("API")
expect(example).toContain("process.env.API_KEY")
expect(example).toContain("secret management service")
})
it("should return generic example for unknown secret type", () => {
const violation = SecretViolation.create(
"src/config/unknown.ts",
1,
1,
"Unknown Secret",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("process.env.SECRET_KEY")
expect(example).toContain("secret management")
})
})
describe("getSeverity", () => {
it("should always return critical severity", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.getSeverity()).toBe("critical")
})
it("should return critical severity for all secret types", () => {
const types = [
"AWS Access Key",
"GitHub Token",
"NPM Token",
"SSH Private Key",
"Slack Token",
"API Key",
]
types.forEach((type) => {
const violation = SecretViolation.create("test.ts", 1, 1, type, "test")
expect(violation.getSeverity()).toBe("critical")
})
})
})
})

465
packages/guardian/tests/unit/infrastructure/DuplicateValueTracker.test.ts Normal file
View File

@@ -0,0 +1,465 @@
import { describe, it, expect, beforeEach } from "vitest"
import { DuplicateValueTracker } from "../../../src/infrastructure/analyzers/DuplicateValueTracker"
import { HardcodedValue } from "../../../src/domain/value-objects/HardcodedValue"
describe("DuplicateValueTracker", () => {
let tracker: DuplicateValueTracker
beforeEach(() => {
tracker = new DuplicateValueTracker()
})
describe("track", () => {
it("should track a single hardcoded value", () => {
const value = HardcodedValue.create(
"test-value",
"magic-string",
10,
5,
"const x = 'test-value'",
)
tracker.track(value, "file1.ts")
const duplicates = tracker.getDuplicates()
expect(duplicates).toHaveLength(0)
})
it("should track multiple occurrences of the same value", () => {
const value1 = HardcodedValue.create(
"test-value",
"magic-string",
10,
5,
"const x = 'test-value'",
)
const value2 = HardcodedValue.create(
"test-value",
"magic-string",
20,
5,
"const y = 'test-value'",
)
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
const duplicates = tracker.getDuplicates()
expect(duplicates).toHaveLength(1)
expect(duplicates[0].value).toBe("test-value")
expect(duplicates[0].count).toBe(2)
})
it("should track values with different types separately", () => {
const stringValue = HardcodedValue.create(
"100",
"magic-string",
10,
5,
"const x = '100'",
)
const numberValue = HardcodedValue.create(100, "magic-number", 20, 5, "const y = 100")
tracker.track(stringValue, "file1.ts")
tracker.track(numberValue, "file2.ts")
const duplicates = tracker.getDuplicates()
expect(duplicates).toHaveLength(0)
})
it("should track boolean values", () => {
const value1 = HardcodedValue.create(true, "MAGIC_BOOLEAN", 10, 5, "const x = true")
const value2 = HardcodedValue.create(true, "MAGIC_BOOLEAN", 20, 5, "const y = true")
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
const duplicates = tracker.getDuplicates()
expect(duplicates).toHaveLength(1)
expect(duplicates[0].value).toBe("true")
})
})
describe("getDuplicates", () => {
it("should return empty array when no duplicates exist", () => {
const value1 = HardcodedValue.create(
"value1",
"magic-string",
10,
5,
"const x = 'value1'",
)
const value2 = HardcodedValue.create(
"value2",
"magic-string",
20,
5,
"const y = 'value2'",
)
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
const duplicates = tracker.getDuplicates()
expect(duplicates).toHaveLength(0)
})
it("should return duplicates sorted by count in descending order", () => {
const value1a = HardcodedValue.create(
"value1",
"magic-string",
10,
5,
"const x = 'value1'",
)
const value1b = HardcodedValue.create(
"value1",
"magic-string",
20,
5,
"const y = 'value1'",
)
const value2a = HardcodedValue.create(
"value2",
"magic-string",
30,
5,
"const z = 'value2'",
)
const value2b = HardcodedValue.create(
"value2",
"magic-string",
40,
5,
"const a = 'value2'",
)
const value2c = HardcodedValue.create(
"value2",
"magic-string",
50,
5,
"const b = 'value2'",
)
tracker.track(value1a, "file1.ts")
tracker.track(value1b, "file2.ts")
tracker.track(value2a, "file3.ts")
tracker.track(value2b, "file4.ts")
tracker.track(value2c, "file5.ts")
const duplicates = tracker.getDuplicates()
expect(duplicates).toHaveLength(2)
expect(duplicates[0].value).toBe("value2")
expect(duplicates[0].count).toBe(3)
expect(duplicates[1].value).toBe("value1")
expect(duplicates[1].count).toBe(2)
})
it("should include location information for duplicates", () => {
const value1 = HardcodedValue.create("test", "magic-string", 10, 5, "const x = 'test'")
const value2 = HardcodedValue.create("test", "magic-string", 20, 10, "const y = 'test'")
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
const duplicates = tracker.getDuplicates()
expect(duplicates[0].locations).toHaveLength(2)
expect(duplicates[0].locations[0]).toEqual({
file: "file1.ts",
line: 10,
context: "const x = 'test'",
})
expect(duplicates[0].locations[1]).toEqual({
file: "file2.ts",
line: 20,
context: "const y = 'test'",
})
})
})
describe("getDuplicateLocations", () => {
it("should return null when value is not duplicated", () => {
const value = HardcodedValue.create("test", "magic-string", 10, 5, "const x = 'test'")
tracker.track(value, "file1.ts")
const locations = tracker.getDuplicateLocations("test", "magic-string")
expect(locations).toBeNull()
})
it("should return locations when value is duplicated", () => {
const value1 = HardcodedValue.create("test", "magic-string", 10, 5, "const x = 'test'")
const value2 = HardcodedValue.create("test", "magic-string", 20, 10, "const y = 'test'")
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
const locations = tracker.getDuplicateLocations("test", "magic-string")
expect(locations).toHaveLength(2)
expect(locations).toEqual([
{ file: "file1.ts", line: 10, context: "const x = 'test'" },
{ file: "file2.ts", line: 20, context: "const y = 'test'" },
])
})
it("should return null for non-existent value", () => {
const locations = tracker.getDuplicateLocations("non-existent", "magic-string")
expect(locations).toBeNull()
})
it("should handle numeric values", () => {
const value1 = HardcodedValue.create(100, "magic-number", 10, 5, "const x = 100")
const value2 = HardcodedValue.create(100, "magic-number", 20, 5, "const y = 100")
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
const locations = tracker.getDuplicateLocations(100, "magic-number")
expect(locations).toHaveLength(2)
})
})
describe("isDuplicate", () => {
it("should return false for non-duplicated value", () => {
const value = HardcodedValue.create("test", "magic-string", 10, 5, "const x = 'test'")
tracker.track(value, "file1.ts")
expect(tracker.isDuplicate("test", "magic-string")).toBe(false)
})
it("should return true for duplicated value", () => {
const value1 = HardcodedValue.create("test", "magic-string", 10, 5, "const x = 'test'")
const value2 = HardcodedValue.create("test", "magic-string", 20, 10, "const y = 'test'")
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
expect(tracker.isDuplicate("test", "magic-string")).toBe(true)
})
it("should return false for non-existent value", () => {
expect(tracker.isDuplicate("non-existent", "magic-string")).toBe(false)
})
it("should handle boolean values", () => {
const value1 = HardcodedValue.create(true, "MAGIC_BOOLEAN", 10, 5, "const x = true")
const value2 = HardcodedValue.create(true, "MAGIC_BOOLEAN", 20, 5, "const y = true")
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
expect(tracker.isDuplicate(true, "MAGIC_BOOLEAN")).toBe(true)
})
})
describe("getStats", () => {
it("should return zero stats for empty tracker", () => {
const stats = tracker.getStats()
expect(stats.totalValues).toBe(0)
expect(stats.duplicateValues).toBe(0)
expect(stats.duplicatePercentage).toBe(0)
})
it("should calculate stats correctly with no duplicates", () => {
const value1 = HardcodedValue.create(
"value1",
"magic-string",
10,
5,
"const x = 'value1'",
)
const value2 = HardcodedValue.create(
"value2",
"magic-string",
20,
5,
"const y = 'value2'",
)
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
const stats = tracker.getStats()
expect(stats.totalValues).toBe(2)
expect(stats.duplicateValues).toBe(0)
expect(stats.duplicatePercentage).toBe(0)
})
it("should calculate stats correctly with duplicates", () => {
const value1a = HardcodedValue.create(
"value1",
"magic-string",
10,
5,
"const x = 'value1'",
)
const value1b = HardcodedValue.create(
"value1",
"magic-string",
20,
5,
"const y = 'value1'",
)
const value2 = HardcodedValue.create(
"value2",
"magic-string",
30,
5,
"const z = 'value2'",
)
tracker.track(value1a, "file1.ts")
tracker.track(value1b, "file2.ts")
tracker.track(value2, "file3.ts")
const stats = tracker.getStats()
expect(stats.totalValues).toBe(2)
expect(stats.duplicateValues).toBe(1)
expect(stats.duplicatePercentage).toBe(50)
})
it("should handle multiple duplicates", () => {
const value1a = HardcodedValue.create(
"value1",
"magic-string",
10,
5,
"const x = 'value1'",
)
const value1b = HardcodedValue.create(
"value1",
"magic-string",
20,
5,
"const y = 'value1'",
)
const value2a = HardcodedValue.create(
"value2",
"magic-string",
30,
5,
"const z = 'value2'",
)
const value2b = HardcodedValue.create(
"value2",
"magic-string",
40,
5,
"const a = 'value2'",
)
tracker.track(value1a, "file1.ts")
tracker.track(value1b, "file2.ts")
tracker.track(value2a, "file3.ts")
tracker.track(value2b, "file4.ts")
const stats = tracker.getStats()
expect(stats.totalValues).toBe(2)
expect(stats.duplicateValues).toBe(2)
expect(stats.duplicatePercentage).toBe(100)
})
})
describe("clear", () => {
it("should clear all tracked values", () => {
const value1 = HardcodedValue.create("test", "magic-string", 10, 5, "const x = 'test'")
const value2 = HardcodedValue.create("test", "magic-string", 20, 10, "const y = 'test'")
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
expect(tracker.getDuplicates()).toHaveLength(1)
tracker.clear()
expect(tracker.getDuplicates()).toHaveLength(0)
expect(tracker.getStats().totalValues).toBe(0)
})
it("should allow tracking new values after clear", () => {
const value1 = HardcodedValue.create(
"test1",
"magic-string",
10,
5,
"const x = 'test1'",
)
tracker.track(value1, "file1.ts")
tracker.clear()
const value2 = HardcodedValue.create(
"test2",
"magic-string",
20,
5,
"const y = 'test2'",
)
tracker.track(value2, "file2.ts")
const stats = tracker.getStats()
expect(stats.totalValues).toBe(1)
})
})
describe("edge cases", () => {
it("should handle values with colons in them", () => {
const value1 = HardcodedValue.create(
"url:http://example.com",
"magic-string",
10,
5,
"const x = 'url:http://example.com'",
)
const value2 = HardcodedValue.create(
"url:http://example.com",
"magic-string",
20,
5,
"const y = 'url:http://example.com'",
)
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
const duplicates = tracker.getDuplicates()
expect(duplicates).toHaveLength(1)
expect(duplicates[0].value).toBe("url:http://example.com")
})
it("should handle empty string values", () => {
const value1 = HardcodedValue.create("", "magic-string", 10, 5, "const x = ''")
const value2 = HardcodedValue.create("", "magic-string", 20, 5, "const y = ''")
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
expect(tracker.isDuplicate("", "magic-string")).toBe(true)
})
it("should handle zero as a number", () => {
const value1 = HardcodedValue.create(0, "magic-number", 10, 5, "const x = 0")
const value2 = HardcodedValue.create(0, "magic-number", 20, 5, "const y = 0")
tracker.track(value1, "file1.ts")
tracker.track(value2, "file2.ts")
expect(tracker.isDuplicate(0, "magic-number")).toBe(true)
})
it("should track same file multiple times", () => {
const value1 = HardcodedValue.create("test", "magic-string", 10, 5, "const x = 'test'")
const value2 = HardcodedValue.create("test", "magic-string", 20, 5, "const y = 'test'")
tracker.track(value1, "file1.ts")
tracker.track(value2, "file1.ts")
const locations = tracker.getDuplicateLocations("test", "magic-string")
expect(locations).toHaveLength(2)
expect(locations?.[0].file).toBe("file1.ts")
expect(locations?.[1].file).toBe("file1.ts")
})
})
})

1087
packages/guardian/tests/unit/infrastructure/NamingConventionDetector.test.ts
View File

File diff suppressed because it is too large Load Diff

341
packages/guardian/tests/unit/infrastructure/SecretDetector.test.ts Normal file
View File

@@ -0,0 +1,341 @@
import { describe, it, expect, beforeEach } from "vitest"
import { SecretDetector } from "../../../src/infrastructure/analyzers/SecretDetector"
describe("SecretDetector", () => {
let detector: SecretDetector
beforeEach(() => {
detector = new SecretDetector()
})
describe("detectAll", () => {
it("should return empty array for code without secrets", async () => {
const code = `
const greeting = "Hello World"
const count = 42
function test() {
return true
}
`
const violations = await detector.detectAll(code, "test.ts")
expect(violations).toHaveLength(0)
})
it("should return empty array for normal environment variable usage", async () => {
const code = `
const apiKey = process.env.API_KEY
const dbUrl = process.env.DATABASE_URL
`
const violations = await detector.detectAll(code, "config.ts")
expect(violations).toHaveLength(0)
})
it("should handle empty code", async () => {
const violations = await detector.detectAll("", "empty.ts")
expect(violations).toHaveLength(0)
})
it("should handle code with only comments", async () => {
const code = `
// This is a comment
/* Multi-line
comment */
`
const violations = await detector.detectAll(code, "comments.ts")
expect(violations).toHaveLength(0)
})
it("should handle multiline strings without secrets", async () => {
const code = `
const template = \`
Hello World
This is a test
No secrets here
\`
`
const violations = await detector.detectAll(code, "template.ts")
expect(violations).toHaveLength(0)
})
it("should handle code with URLs", async () => {
const code = `
const apiUrl = "https://api.example.com/v1"
const websiteUrl = "http://localhost:3000"
`
const violations = await detector.detectAll(code, "urls.ts")
expect(violations).toHaveLength(0)
})
it("should handle imports and requires", async () => {
const code = `
import { something } from "some-package"
const fs = require('fs')
`
const violations = await detector.detectAll(code, "imports.ts")
expect(violations).toHaveLength(0)
})
it("should return violations with correct file path", async () => {
const code = `const secret = "test-secret-value"`
const filePath = "src/config/secrets.ts"
const violations = await detector.detectAll(code, filePath)
violations.forEach((v) => {
expect(v.file).toBe(filePath)
})
})
it("should handle .js files", async () => {
const code = `const test = "value"`
const violations = await detector.detectAll(code, "test.js")
expect(violations).toBeInstanceOf(Array)
})
it("should handle .jsx files", async () => {
const code = `const Component = () => <div>Test</div>`
const violations = await detector.detectAll(code, "Component.jsx")
expect(violations).toBeInstanceOf(Array)
})
it("should handle .tsx files", async () => {
const code = `const Component: React.FC = () => <div>Test</div>`
const violations = await detector.detectAll(code, "Component.tsx")
expect(violations).toBeInstanceOf(Array)
})
it("should handle errors gracefully", async () => {
const code = null as unknown as string
const violations = await detector.detectAll(code, "test.ts")
expect(violations).toHaveLength(0)
})
it("should handle malformed code gracefully", async () => {
const code = "const = = ="
const violations = await detector.detectAll(code, "malformed.ts")
expect(violations).toBeInstanceOf(Array)
})
})
describe("parseOutputToViolations", () => {
it("should parse empty output", async () => {
const code = ""
const violations = await detector.detectAll(code, "test.ts")
expect(violations).toHaveLength(0)
})
it("should handle whitespace-only output", async () => {
const code = " \n \n "
const violations = await detector.detectAll(code, "test.ts")
expect(violations).toHaveLength(0)
})
})
describe("extractSecretType", () => {
it("should handle various secret types correctly", async () => {
const code = `const value = "test"`
const violations = await detector.detectAll(code, "test.ts")
violations.forEach((v) => {
expect(v.secretType).toBeTruthy()
expect(typeof v.secretType).toBe("string")
expect(v.secretType.length).toBeGreaterThan(0)
})
})
})
describe("integration", () => {
it("should work with TypeScript code", async () => {
const code = `
interface Config {
apiKey: string
}
const config: Config = {
apiKey: process.env.API_KEY || "default"
}
`
const violations = await detector.detectAll(code, "config.ts")
expect(violations).toBeInstanceOf(Array)
})
it("should work with ES6+ syntax", async () => {
const code = `
const fetchData = async () => {
const response = await fetch(url)
return response.json()
}
const [data, setData] = useState(null)
`
const violations = await detector.detectAll(code, "hooks.ts")
expect(violations).toBeInstanceOf(Array)
})
it("should work with JSX/TSX", async () => {
const code = `
export const Button = ({ onClick }: Props) => {
return <button onClick={onClick}>Click me</button>
}
`
const violations = await detector.detectAll(code, "Button.tsx")
expect(violations).toBeInstanceOf(Array)
})
it("should handle concurrent detections", async () => {
const code1 = "const test1 = 'value1'"
const code2 = "const test2 = 'value2'"
const code3 = "const test3 = 'value3'"
const [result1, result2, result3] = await Promise.all([
detector.detectAll(code1, "file1.ts"),
detector.detectAll(code2, "file2.ts"),
detector.detectAll(code3, "file3.ts"),
])
expect(result1).toBeInstanceOf(Array)
expect(result2).toBeInstanceOf(Array)
expect(result3).toBeInstanceOf(Array)
})
})
describe("edge cases", () => {
it("should handle very long code", async () => {
const longCode = "const value = 'test'\n".repeat(1000)
const violations = await detector.detectAll(longCode, "long.ts")
expect(violations).toBeInstanceOf(Array)
})
it("should handle special characters in code", async () => {
const code = `
const special = "!@#$%^&*()_+-=[]{}|;:',.<>?"
const unicode = "日本語 🚀"
`
const violations = await detector.detectAll(code, "special.ts")
expect(violations).toBeInstanceOf(Array)
})
it("should handle code with regex patterns", async () => {
const code = `
const pattern = /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,}$/i
const matches = text.match(pattern)
`
const violations = await detector.detectAll(code, "regex.ts")
expect(violations).toBeInstanceOf(Array)
})
it("should handle code with template literals", async () => {
const code = `
const message = \`Hello \${name}, your balance is \${balance}\`
`
const violations = await detector.detectAll(code, "template.ts")
expect(violations).toBeInstanceOf(Array)
})
})
describe("real secret detection", () => {
it("should detect AWS access key pattern", async () => {
const code = `const awsKey = "AKIAIOSFODNN7EXAMPLE"`
const violations = await detector.detectAll(code, "aws.ts")
if (violations.length > 0) {
expect(violations[0].secretType).toContain("AWS")
}
})
it("should detect basic auth credentials", async () => {
const code = `const auth = "https://user:password@example.com"`
const violations = await detector.detectAll(code, "auth.ts")
if (violations.length > 0) {
expect(violations[0].file).toBe("auth.ts")
expect(violations[0].line).toBeGreaterThan(0)
expect(violations[0].column).toBeGreaterThan(0)
}
})
it("should detect private SSH key", async () => {
const code = `
const privateKey = \`-----BEGIN RSA PRIVATE KEY-----
MIIBogIBAAJBALRiMLAA...
-----END RSA PRIVATE KEY-----\`
`
const violations = await detector.detectAll(code, "ssh.ts")
if (violations.length > 0) {
expect(violations[0].secretType).toBeTruthy()
}
})
it("should return violation objects with required properties", async () => {
const code = `const key = "AKIAIOSFODNN7EXAMPLE"`
const violations = await detector.detectAll(code, "test.ts")
violations.forEach((v) => {
expect(v).toHaveProperty("file")
expect(v).toHaveProperty("line")
expect(v).toHaveProperty("column")
expect(v).toHaveProperty("secretType")
expect(v.getMessage).toBeDefined()
expect(v.getSuggestion).toBeDefined()
})
})
it("should handle files with multiple secrets", async () => {
const code = `
const key1 = "AKIAIOSFODNN7EXAMPLE"
const key2 = "AKIAIOSFODNN8EXAMPLE"
`
const violations = await detector.detectAll(code, "multiple.ts")
expect(violations).toBeInstanceOf(Array)
})
})
})

41
packages/guardian/tsconfig.json
View File

@@ -1,19 +1,26 @@
{
"compilerOptions": {
"outDir": "./dist",
"rootDir": "./src",
"target": "ES2023",
"module": "CommonJS",
"moduleResolution": "node",
"declaration": true,
"declarationMap": true,
"esModuleInterop": true,
"allowSyntheticDefaultImports": true,
"strict": true,
"skipLibCheck": true,
"sourceMap": true,
"resolveJsonModule": true
},
"include": ["src/**/*"],
"exclude": ["node_modules", "dist", "**/*.spec.ts", "**/*.test.ts"]
"compilerOptions": {
"outDir": "./dist",
"rootDir": "./src",
"target": "ES2023",
"module": "CommonJS",
"moduleResolution": "node",
"declaration": true,
"declarationMap": true,
"esModuleInterop": true,
"allowSyntheticDefaultImports": true,
"strict": true,
"skipLibCheck": true,
"sourceMap": true,
"resolveJsonModule": true
},
"include": [
"src/**/*"
],
"exclude": [
"node_modules",
"dist",
"**/*.spec.ts",
"**/*.test.ts"
]
}

13
packages/ipuaro/.gitignore vendored Normal file
View File

@@ -0,0 +1,13 @@
# Build output
dist/
*.tsbuildinfo
# Dependencies
node_modules/
# Test coverage
coverage/
# Logs
*.log
npm-debug.log*

38
packages/ipuaro/.npmignore Normal file
View File

@@ -0,0 +1,38 @@
# Source files (only publish dist/)
src/
*.ts
!*.d.ts
# Build artifacts
tsconfig.json
tsconfig.*.json
tsconfig.tsbuildinfo
*.tsbuildinfo
# Tests
**/*.spec.ts
**/*.test.ts
__tests__/
coverage/
# Development
node_modules/
.env
.env.*
# IDE
.vscode/
.idea/
*.swp
*.swo
# Git
.git/
.gitignore
# Other
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
.DS_Store

566
packages/ipuaro/ARCHITECTURE.md Normal file
View File

@@ -0,0 +1,566 @@
# ipuaro Architecture
This document describes the architecture, design decisions, and implementation details of ipuaro.
## Table of Contents
- [Overview](#overview)
- [Clean Architecture](#clean-architecture)
- [Layer Details](#layer-details)
- [Data Flow](#data-flow)
- [Key Design Decisions](#key-design-decisions)
- [Tech Stack](#tech-stack)
- [Performance Considerations](#performance-considerations)
## Overview
ipuaro is a local AI agent for codebase operations built on Clean Architecture principles. It enables "infinite" context feeling through lazy loading and AST-based code understanding.
### Core Concepts
1. **Lazy Loading**: Load code on-demand via tools, not all at once
2. **AST-Based Understanding**: Parse and index code structure for fast lookups
3. **100% Local**: Ollama LLM + Redis storage, no cloud dependencies
4. **Session Persistence**: Resume conversations across restarts
5. **Tool-Based Interface**: LLM accesses code through 18 specialized tools
## Clean Architecture
The project follows Clean Architecture with strict dependency rules:
```
┌─────────────────────────────────────────────────┐
│ TUI Layer │ ← Ink/React components
│ (Framework) │
├─────────────────────────────────────────────────┤
│ CLI Layer │ ← Commander.js entry
│ (Interface) │
├─────────────────────────────────────────────────┤
│ Infrastructure Layer │ ← External adapters
│ (Storage, LLM, Indexer, Tools, Security) │
├─────────────────────────────────────────────────┤
│ Application Layer │ ← Use cases & DTOs
│ (StartSession, HandleMessage, etc.) │
├─────────────────────────────────────────────────┤
│ Domain Layer │ ← Business logic
│ (Entities, Value Objects, Service Interfaces) │
└─────────────────────────────────────────────────┘
```
**Dependency Rule**: Outer layers depend on inner layers, never the reverse.
## Layer Details
### Domain Layer (Core Business Logic)
**Location**: `src/domain/`
**Responsibilities**:
- Define business entities and value objects
- Declare service interfaces (ports)
- No external dependencies (pure TypeScript)
**Components**:
```
domain/
├── entities/
│ ├── Session.ts # Session entity with history and stats
│ └── Project.ts # Project entity with metadata
├── value-objects/
│ ├── FileData.ts # File content with hash and size
│ ├── FileAST.ts # Parsed AST structure
│ ├── FileMeta.ts # Complexity, dependencies, hub detection
│ ├── ChatMessage.ts # Message with role, content, tool calls
│ ├── ToolCall.ts # Tool invocation with parameters
│ ├── ToolResult.ts # Tool execution result
│ └── UndoEntry.ts # File change for undo stack
├── services/
│ ├── IStorage.ts # Storage interface (port)
│ ├── ILLMClient.ts # LLM interface (port)
│ ├── ITool.ts # Tool interface (port)
│ └── IIndexer.ts # Indexer interface (port)
└── constants/
└── index.ts # Domain constants
```
**Key Design**:
- Value objects are immutable
- Entities have identity and lifecycle
- Interfaces define contracts, not implementations
### Application Layer (Use Cases)
**Location**: `src/application/`
**Responsibilities**:
- Orchestrate domain logic
- Implement use cases (application-specific business rules)
- Define DTOs for data transfer
- Coordinate between domain and infrastructure
**Components**:
```
application/
├── use-cases/
│ ├── StartSession.ts # Initialize or load session
│ ├── HandleMessage.ts # Main message orchestrator
│ ├── IndexProject.ts # Project indexing workflow
│ ├── ExecuteTool.ts # Tool execution with validation
│ └── UndoChange.ts # Revert file changes
├── dtos/
│ ├── SessionDto.ts # Session data transfer object
│ ├── MessageDto.ts # Message DTO
│ └── ToolCallDto.ts # Tool call DTO
├── mappers/
│ └── SessionMapper.ts # Domain ↔ DTO conversion
└── interfaces/
└── IToolRegistry.ts # Tool registry interface
```
**Key Use Cases**:
1. **StartSession**: Creates new session or loads latest
2. **HandleMessage**: Main flow (LLM → Tools → Response)
3. **IndexProject**: Scan → Parse → Analyze → Store
4. **UndoChange**: Restore file from undo stack
### Infrastructure Layer (External Implementations)
**Location**: `src/infrastructure/`
**Responsibilities**:
- Implement domain interfaces
- Handle external systems (Redis, Ollama, filesystem)
- Provide concrete tool implementations
- Security and validation
**Components**:
```
infrastructure/
├── storage/
│ ├── RedisClient.ts # Redis connection wrapper
│ ├── RedisStorage.ts # IStorage implementation
│ └── schema.ts # Redis key schema
├── llm/
│ ├── OllamaClient.ts # ILLMClient implementation
│ ├── prompts.ts # System prompts
│ └── ResponseParser.ts # Parse XML tool calls
├── indexer/
│ ├── FileScanner.ts # Recursive file scanning
│ ├── ASTParser.ts # tree-sitter parsing
│ ├── MetaAnalyzer.ts # Complexity and dependencies
│ ├── IndexBuilder.ts # Symbol index + deps graph
│ └── Watchdog.ts # File watching (chokidar)
├── tools/ # 18 tool implementations
│ ├── registry.ts
│ ├── read/ # GetLines, GetFunction, GetClass, GetStructure
│ ├── edit/ # EditLines, CreateFile, DeleteFile
│ ├── search/ # FindReferences, FindDefinition
│ ├── analysis/ # GetDependencies, GetDependents, GetComplexity, GetTodos
│ ├── git/ # GitStatus, GitDiff, GitCommit
│ └── run/ # RunCommand, RunTests
└── security/
├── Blacklist.ts # Dangerous commands
├── Whitelist.ts # Safe commands
└── PathValidator.ts # Path traversal prevention
```
**Key Implementations**:
1. **RedisStorage**: Uses Redis hashes for files/AST/meta, lists for undo
2. **OllamaClient**: HTTP API client with tool calling support
3. **ASTParser**: tree-sitter for TS/JS/TSX/JSX parsing
4. **ToolRegistry**: Manages tool lifecycle and execution
### TUI Layer (Terminal UI)
**Location**: `src/tui/`
**Responsibilities**:
- Render terminal UI with Ink (React for terminal)
- Handle user input and hotkeys
- Display chat history and status
**Components**:
```
tui/
├── App.tsx # Main app shell
├── components/
│ ├── StatusBar.tsx # Top status bar
│ ├── Chat.tsx # Message history display
│ ├── Input.tsx # User input with history
│ ├── DiffView.tsx # Inline diff display
│ ├── ConfirmDialog.tsx # Edit confirmation
│ ├── ErrorDialog.tsx # Error handling
│ └── Progress.tsx # Progress bar (indexing)
└── hooks/
├── useSession.ts # Session state management
├── useHotkeys.ts # Keyboard shortcuts
└── useCommands.ts # Slash command handling
```
**Key Features**:
- Real-time status updates (context usage, session time)
- Input history with ↑/↓ navigation
- Hotkeys: Ctrl+C (interrupt), Ctrl+D (exit), Ctrl+Z (undo)
- Diff preview for edits with confirmation
- Error recovery with retry/skip/abort options
### CLI Layer (Entry Point)
**Location**: `src/cli/`
**Responsibilities**:
- Command-line interface with Commander.js
- Dependency injection and initialization
- Onboarding checks (Redis, Ollama, model)
**Components**:
```
cli/
├── index.ts # Commander.js setup
└── commands/
├── start.ts # Start TUI (default command)
├── init.ts # Create .ipuaro.json config
└── index-cmd.ts # Index-only command
```
**Commands**:
1. `ipuaro [path]` - Start TUI in directory
2. `ipuaro init` - Create config file
3. `ipuaro index` - Index without TUI
### Shared Module
**Location**: `src/shared/`
**Responsibilities**:
- Cross-cutting concerns
- Configuration management
- Error handling
- Utility functions
**Components**:
```
shared/
├── types/
│ └── index.ts # Shared TypeScript types
├── constants/
│ ├── config.ts # Config schema and loader
│ └── messages.ts # User-facing messages
├── utils/
│ ├── hash.ts # MD5 hashing
│ └── tokens.ts # Token estimation
└── errors/
├── IpuaroError.ts # Custom error class
└── ErrorHandler.ts # Error handling service
```
## Data Flow
### 1. Startup Flow
```
CLI Entry (bin/ipuaro.js)
Commander.js parses arguments
Onboarding checks (Redis, Ollama, Model)
Initialize dependencies:
- RedisClient connects
- RedisStorage initialized
- OllamaClient created
- ToolRegistry with 18 tools
StartSession use case:
- Load latest session or create new
- Initialize ContextManager
Launch TUI (App.tsx)
- Render StatusBar, Chat, Input
- Set up hotkeys
```
### 2. Message Flow
```
User types message in Input.tsx
useSession.handleMessage()
HandleMessage use case:
1. Add user message to history
2. Build context (system prompt + structure + AST)
3. Send to OllamaClient.chat()
4. Parse tool calls from response
5. For each tool call:
- If requiresConfirmation: show ConfirmDialog
- Execute tool via ToolRegistry
- Collect results
6. If tool results: goto step 3 (continue loop)
7. Add assistant response to history
8. Update session in Redis
Display response in Chat.tsx
```
### 3. Edit Flow
```
LLM calls edit_lines tool
ToolRegistry.execute()
EditLinesTool.execute():
1. Validate path (PathValidator)
2. Check hash conflict
3. Build diff
ConfirmDialog shows diff
User chooses:
- Apply: Continue
- Cancel: Return error to LLM
- Edit: Manual edit (future)
If Apply:
1. Create UndoEntry
2. Push to undo stack (Redis list)
3. Write to filesystem
4. Update RedisStorage (lines, hash, AST, meta)
Return success to LLM
```
### 4. Indexing Flow
```
FileScanner.scan()
- Recursively walk directory
- Filter via .gitignore + ignore patterns
- Detect binary files (skip)
For each file:
ASTParser.parse()
- tree-sitter parse
- Extract imports, exports, functions, classes
MetaAnalyzer.analyze()
- Calculate complexity (LOC, nesting, cyclomatic)
- Resolve dependencies (imports → file paths)
- Detect hubs (>5 dependents)
RedisStorage.setFile(), .setAST(), .setMeta()
IndexBuilder.buildSymbolIndex()
- Map symbol names → locations
IndexBuilder.buildDepsGraph()
- Build bidirectional import graph
Store indexes in Redis
Watchdog.start()
- Watch for file changes
- On change: Re-parse and update indexes
```
## Key Design Decisions
### 1. Why Redis?
**Pros**:
- Fast in-memory access for frequent reads
- AOF persistence (append-only file) for durability
- Native support for hashes, lists, sets
- Simple key-value model fits our needs
- Excellent for session data
**Alternatives considered**:
- SQLite: Slower, overkill for our use case
- JSON files: No concurrent access, slow for large data
- PostgreSQL: Too heavy, we don't need relational features
### 2. Why tree-sitter?
**Pros**:
- Incremental parsing (fast re-parsing)
- Error-tolerant (works with syntax errors)
- Multi-language support
- Used by GitHub, Neovim, Atom
**Alternatives considered**:
- TypeScript Compiler API: TS-only, not error-tolerant
- Babel: JS-focused, heavy dependencies
- Regex: Fragile, inaccurate
### 3. Why Ollama?
**Pros**:
- 100% local, no API keys
- Easy installation (brew install ollama)
- Good model selection (qwen2.5-coder, deepseek-coder)
- Tool calling support
**Alternatives considered**:
- OpenAI: Costs money, sends code to cloud
- Anthropic Claude: Same concerns as OpenAI
- llama.cpp: Lower level, requires more setup
Planned: Support for OpenAI/Anthropic in v1.2.0 as optional providers.
### 4. Why XML for Tool Calls?
**Pros**:
- LLMs trained on XML (very common format)
- Self-describing (parameter names in tags)
- Easy to parse with regex
- More reliable than JSON for smaller models
**Alternatives considered**:
- JSON: Smaller models struggle with exact JSON syntax
- Function calling API: Not all models support it
### 5. Why Clean Architecture?
**Pros**:
- Testability (domain has no external dependencies)
- Flexibility (easy to swap Redis for SQLite)
- Maintainability (clear separation of concerns)
- Scalability (layers can evolve independently)
**Cost**: More files and indirection, but worth it for long-term maintenance.
### 6. Why Lazy Loading Instead of RAG?
**RAG (Retrieval Augmented Generation)**:
- Pre-computes embeddings
- Searches embeddings for relevant chunks
- Adds chunks to context
**Lazy Loading (our approach)**:
- Agent requests specific code via tools
- More precise control over what's loaded
- Simpler implementation (no embeddings)
- Works with any LLM (no embedding model needed)
**Trade-off**: RAG might be better for semantic search ("find error handling code"), but tool-based approach gives agent explicit control.
## Tech Stack
### Core Dependencies
| Package | Purpose | Why? |
|---------|---------|------|
| `ioredis` | Redis client | Most popular, excellent TypeScript support |
| `ollama` | LLM client | Official SDK, simple API |
| `tree-sitter` | AST parsing | Fast, error-tolerant, multi-language |
| `tree-sitter-typescript` | TS/TSX parser | Official TypeScript grammar |
| `tree-sitter-javascript` | JS/JSX parser | Official JavaScript grammar |
| `ink` | Terminal UI | React for terminal, declarative |
| `ink-text-input` | Input component | Maintained ink component |
| `react` | UI framework | Required by Ink |
| `simple-git` | Git operations | Simple API, well-tested |
| `chokidar` | File watching | Cross-platform, reliable |
| `commander` | CLI framework | Industry standard |
| `zod` | Validation | Type-safe validation |
| `globby` | File globbing | ESM-native, .gitignore support |
### Development Dependencies
| Package | Purpose |
|---------|---------|
| `vitest` | Testing framework |
| `@vitest/coverage-v8` | Coverage reporting |
| `@vitest/ui` | Interactive test UI |
| `tsup` | TypeScript bundler |
| `typescript` | Type checking |
## Performance Considerations
### 1. Indexing Performance
**Problem**: Large projects (10k+ files) take time to index.
**Optimizations**:
- Incremental parsing with tree-sitter (only changed files)
- Parallel parsing (planned for v1.1.0)
- Ignore patterns (.gitignore, node_modules, dist)
- Skip binary files early
**Current**: ~1000 files/second on M1 Mac
### 2. Memory Usage
**Problem**: Entire AST in memory could be 100s of MB.
**Optimizations**:
- Store ASTs in Redis (out of Node.js heap)
- Load ASTs on-demand from Redis
- Lazy-load file content (not stored in session)
**Current**: ~200MB for 5000 files indexed
### 3. Context Window Management
**Problem**: 128k token context window fills up.
**Optimizations**:
- Auto-compression at 80% usage
- LLM summarizes old messages
- Remove tool results older than 5 messages
- Only load structure + metadata initially (~10k tokens)
### 4. Redis Performance
**Problem**: Redis is single-threaded.
**Optimizations**:
- Pipeline commands where possible
- Use hashes for related data (fewer keys)
- AOF every second (not every command)
- Keep undo stack limited (10 entries)
**Current**: <1ms latency for most operations
### 5. Tool Execution
**Problem**: Tool execution could block LLM.
**Current**: Synchronous execution (simpler)
**Future**: Async tool execution with progress callbacks (v1.1.0)
## Future Improvements
### v1.1.0 - Performance
- Parallel AST parsing
- Incremental indexing (only changed files)
- Response caching
- Stream LLM responses
### v1.2.0 - Features
- Multiple file edits in one operation
- Batch operations
- Custom prompt templates
- OpenAI/Anthropic provider support
### v1.3.0 - Extensibility
- Plugin system for custom tools
- LSP integration
- Multi-language support (Python, Go, Rust)
- Custom indexing rules
---
**Last Updated**: 2025-12-01
**Version**: 0.16.0

1970
packages/ipuaro/CHANGELOG.md Normal file
View File

File diff suppressed because it is too large Load Diff

21
packages/ipuaro/LICENSE Normal file
View File

@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Fozilbek Samiyev
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

679
packages/ipuaro/README.md Normal file
View File

@@ -0,0 +1,679 @@
# @samiyev/ipuaro 🎩
**Local AI Agent for Codebase Operations**
"Infinite" context feeling through lazy loading - work with your entire codebase using local LLM.
[![npm version](https://badge.fury.io/js/@samiyev%2Fipuaro.svg)](https://www.npmjs.com/package/@samiyev/ipuaro)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
> **Status:** 🎉 Release Candidate (v0.16.0 → v1.0.0)
>
> All core features complete. Production-ready release coming soon.
## Vision
Work with codebases of any size using local AI:
- 📂 **Lazy Loading**: Load code on-demand, not all at once
- 🧠 **Smart Context**: AST-based understanding of your code structure
- 🔒 **100% Local**: Your code never leaves your machine
-**Fast**: Redis persistence + tree-sitter parsing
## Features
### 18 LLM Tools (All Implemented ✅)
| Category | Tools | Description |
|----------|-------|-------------|
| **Read** | `get_lines`, `get_function`, `get_class`, `get_structure` | Read code without loading everything into context |
| **Edit** | `edit_lines`, `create_file`, `delete_file` | Make changes with confirmation and undo support |
| **Search** | `find_references`, `find_definition` | Find symbol definitions and usages across codebase |
| **Analysis** | `get_dependencies`, `get_dependents`, `get_complexity`, `get_todos` | Analyze code structure, complexity, and TODOs |
| **Git** | `git_status`, `git_diff`, `git_commit` | Git operations with safety checks |
| **Run** | `run_command`, `run_tests` | Execute commands and tests with security validation |
See [Tools Documentation](#tools-reference) below for detailed usage examples.
### Terminal UI
```
┌─ ipuaro ──────────────────────────────────────────────────┐
│ [ctx: 12%] [project: myapp] [main] [47m] ✓ Ready │
├───────────────────────────────────────────────────────────┤
│ You: How does the authentication flow work? │
│ │
│ Assistant: Let me analyze the auth module... │
│ [get_structure src/auth/] │
│ [get_function src/auth/service.ts login] │
│ │
│ The authentication flow works as follows: │
│ 1. User calls POST /auth/login │
│ 2. AuthService.login() validates credentials... │
│ │
│ ⏱ 3.2s │ 1,247 tokens │ 2 tool calls │
├───────────────────────────────────────────────────────────┤
│ > _ │
└───────────────────────────────────────────────────────────┘
```
### Slash Commands
Control your session with built-in commands:
| Command | Description |
|---------|-------------|
| `/help` | Show all commands and hotkeys |
| `/clear` | Clear chat history (keeps session) |
| `/undo` | Revert last file change from undo stack |
| `/sessions [list\|load\|delete] [id]` | Manage sessions |
| `/status` | Show system status (LLM, context, stats) |
| `/reindex` | Force full project reindexation |
| `/eval` | LLM self-check for hallucinations |
| `/auto-apply [on\|off]` | Toggle auto-apply mode for edits |
### Hotkeys
| Hotkey | Action |
|--------|--------|
| `Ctrl+C` | Interrupt generation (1st press) / Exit (2nd press within 1s) |
| `Ctrl+D` | Exit and save session |
| `Ctrl+Z` | Undo last file change |
| `↑` / `↓` | Navigate input history |
| `Tab` | Path autocomplete (coming soon) |
### Key Capabilities
🔍 **Smart Code Understanding**
- tree-sitter AST parsing (TypeScript, JavaScript)
- Symbol index for fast lookups
- Dependency graph analysis
💾 **Persistent Sessions**
- Redis storage with AOF persistence
- Session history across restarts
- Undo stack for file changes
🛡️ **Security**
- Command blacklist (dangerous operations blocked)
- Command whitelist (safe commands auto-approved)
- Path validation (no access outside project)
## Installation
```bash
npm install @samiyev/ipuaro
# or
pnpm add @samiyev/ipuaro
```
## Requirements
- **Node.js** >= 20.0.0
- **Redis** (for persistence)
- **Ollama** (for local LLM inference)
### Setup Ollama
```bash
# Install Ollama (macOS)
brew install ollama
# Start Ollama
ollama serve
# Pull recommended model
ollama pull qwen2.5-coder:7b-instruct
```
### Setup Redis
```bash
# Install Redis (macOS)
brew install redis
# Start Redis with persistence
redis-server --appendonly yes
```
## Usage
```bash
# Start ipuaro in current directory
ipuaro
# Start in specific directory
ipuaro /path/to/project
# With custom model
ipuaro --model qwen2.5-coder:32b-instruct
# With auto-apply mode (skip edit confirmations)
ipuaro --auto-apply
```
## Quick Start
Try ipuaro with our demo project:
```bash
# Navigate to demo project
cd examples/demo-project
# Install dependencies
npm install
# Start ipuaro
npx @samiyev/ipuaro
```
See [examples/demo-project](./examples/demo-project) for detailed usage guide and example conversations.
## Commands
| Command | Description |
|---------|-------------|
| `ipuaro [path]` | Start TUI in directory |
| `ipuaro init` | Create `.ipuaro.json` config |
| `ipuaro index` | Index project without TUI |
## Configuration
Create `.ipuaro.json` in your project root:
```json
{
"redis": {
"host": "localhost",
"port": 6379
},
"llm": {
"model": "qwen2.5-coder:7b-instruct",
"temperature": 0.1
},
"project": {
"ignorePatterns": ["node_modules", "dist", ".git"]
},
"edit": {
"autoApply": false
}
}
```
## Architecture
Clean Architecture with clear separation:
```
@samiyev/ipuaro/
├── domain/ # Business logic (no dependencies)
│ ├── entities/ # Session, Project
│ ├── value-objects/ # FileData, FileAST, ChatMessage, etc.
│ └── services/ # IStorage, ILLMClient, ITool, IIndexer
├── application/ # Use cases & orchestration
│ ├── use-cases/ # StartSession, HandleMessage, etc.
│ └── interfaces/ # IToolRegistry
├── infrastructure/ # External implementations
│ ├── storage/ # Redis client & storage
│ ├── llm/ # Ollama client & prompts
│ ├── indexer/ # File scanner, AST parser
│ └── tools/ # 18 tool implementations
├── tui/ # Terminal UI (Ink/React)
│ └── components/ # StatusBar, Chat, Input, etc.
├── cli/ # CLI entry point
└── shared/ # Config, errors, utils
```
## Development Status
### ✅ Completed (v0.1.0 - v0.16.0)
- [x] **v0.1.0 - v0.4.0**: Foundation (domain, storage, indexer, LLM integration)
- [x] **v0.5.0 - v0.9.0**: All 18 tools implemented
- [x] **v0.10.0**: Session management with undo support
- [x] **v0.11.0 - v0.12.0**: Full TUI with all components
- [x] **v0.13.0**: Security (PathValidator, command validation)
- [x] **v0.14.0**: 8 slash commands
- [x] **v0.15.0**: CLI entry point with onboarding
- [x] **v0.16.0**: Comprehensive error handling system
- [x] **1420 tests, 98% coverage**
### 🔜 v1.0.0 - Production Ready
- [ ] Performance optimizations
- [ ] Complete documentation
- [ ] Working examples
See [ROADMAP.md](./ROADMAP.md) for detailed development plan and [CHANGELOG.md](./CHANGELOG.md) for release history.
## Tools Reference
The AI agent has access to 18 tools for working with your codebase. Here are the most commonly used ones:
### Read Tools
**`get_lines(path, start?, end?)`**
Read specific lines from a file.
```
You: Show me the authentication logic
Assistant: [get_lines src/auth/service.ts 45 67]
# Returns lines 45-67 with line numbers
```
**`get_function(path, name)`**
Get a specific function's source code and metadata.
```
You: How does the login function work?
Assistant: [get_function src/auth/service.ts login]
# Returns function code, params, return type, and metadata
```
**`get_class(path, name)`**
Get a specific class's source code and metadata.
```
You: Show me the UserService class
Assistant: [get_class src/services/user.ts UserService]
# Returns class code, methods, properties, and inheritance info
```
**`get_structure(path?, depth?)`**
Get directory tree structure.
```
You: What's in the src/auth directory?
Assistant: [get_structure src/auth]
# Returns ASCII tree with files and folders
```
### Edit Tools
**`edit_lines(path, start, end, content)`**
Replace lines in a file (requires confirmation).
```
You: Update the timeout to 5000ms
Assistant: [edit_lines src/config.ts 23 23 " timeout: 5000,"]
# Shows diff, asks for confirmation
```
**`create_file(path, content)`**
Create a new file (requires confirmation).
```
You: Create a new utility for date formatting
Assistant: [create_file src/utils/date.ts "export function formatDate..."]
# Creates file after confirmation
```
**`delete_file(path)`**
Delete a file (requires confirmation).
```
You: Remove the old test file
Assistant: [delete_file tests/old-test.test.ts]
# Deletes after confirmation
```
### Search Tools
**`find_references(symbol, path?)`**
Find all usages of a symbol across the codebase.
```
You: Where is getUserById used?
Assistant: [find_references getUserById]
# Returns all files/lines where it's called
```
**`find_definition(symbol)`**
Find where a symbol is defined.
```
You: Where is ApiClient defined?
Assistant: [find_definition ApiClient]
# Returns file, line, and context
```
### Analysis Tools
**`get_dependencies(path)`**
Get files that a specific file imports.
```
You: What does auth.ts depend on?
Assistant: [get_dependencies src/auth/service.ts]
# Returns list of imported files
```
**`get_dependents(path)`**
Get files that import a specific file.
```
You: What files use the database module?
Assistant: [get_dependents src/db/index.ts]
# Returns list of files importing this
```
**`get_complexity(path?, limit?)`**
Get complexity metrics for files.
```
You: Which files are most complex?
Assistant: [get_complexity null 10]
# Returns top 10 most complex files with metrics
```
**`get_todos(path?, type?)`**
Find TODO/FIXME/HACK comments.
```
You: What TODOs are there?
Assistant: [get_todos]
# Returns all TODO comments with locations
```
### Git Tools
**`git_status()`**
Get current git repository status.
```
You: What files have changed?
Assistant: [git_status]
# Returns branch, staged, modified, untracked files
```
**`git_diff(path?, staged?)`**
Get uncommitted changes.
```
You: Show me what changed in auth.ts
Assistant: [git_diff src/auth/service.ts]
# Returns diff output
```
**`git_commit(message, files?)`**
Create a git commit (requires confirmation).
```
You: Commit these auth changes
Assistant: [git_commit "feat: add password reset flow" ["src/auth/service.ts"]]
# Creates commit after confirmation
```
### Run Tools
**`run_command(command, timeout?)`**
Execute shell commands (with security validation).
```
You: Run the build
Assistant: [run_command "npm run build"]
# Checks security, then executes
```
**`run_tests(path?, filter?, watch?)`**
Run project tests.
```
You: Test the auth module
Assistant: [run_tests "tests/auth" null false]
# Auto-detects test runner and executes
```
For complete tool documentation with all parameters and options, see [TOOLS.md](./TOOLS.md).
## Programmatic API
You can use ipuaro as a library in your own Node.js applications:
```typescript
import {
createRedisClient,
RedisStorage,
OllamaClient,
ToolRegistry,
StartSession,
HandleMessage
} from "@samiyev/ipuaro"
// Initialize dependencies
const redis = await createRedisClient({ host: "localhost", port: 6379 })
const storage = new RedisStorage(redis, "my-project")
const llm = new OllamaClient({
model: "qwen2.5-coder:7b-instruct",
contextWindow: 128000,
temperature: 0.1
})
const tools = new ToolRegistry()
// Register tools
tools.register(new GetLinesTool(storage, "/path/to/project"))
// ... register other tools
// Start a session
const startSession = new StartSession(storage)
const session = await startSession.execute("my-project")
// Handle a message
const handleMessage = new HandleMessage(storage, llm, tools)
await handleMessage.execute(session, "Show me the auth flow")
// Session is automatically updated in Redis
```
For full API documentation, see the TypeScript definitions in `src/` or explore the [source code](./src/).
## How It Works
### 1. Project Indexing
When you start ipuaro, it scans your project and builds an index:
```
1. File Scanner → Recursively scans files (.ts, .js, .tsx, .jsx)
2. AST Parser → Parses with tree-sitter (extracts functions, classes, imports)
3. Meta Analyzer → Calculates complexity, dependencies, hub detection
4. Index Builder → Creates symbol index and dependency graph
5. Redis Storage → Persists everything for instant startup next time
6. Watchdog → Watches files for changes and updates index in background
```
### 2. Lazy Loading Context
Instead of loading entire codebase into context:
```
Traditional approach:
├── Load all files → 500k tokens → ❌ Exceeds context window
ipuaro approach:
├── Load project structure → ~2k tokens
├── Load AST metadata → ~10k tokens
├── On demand: get_function("auth.ts", "login") → ~200 tokens
├── Total: ~12k tokens → ✅ Fits in 128k context window
```
Context automatically compresses when usage exceeds 80% by summarizing old messages.
### 3. Tool-Based Code Access
The LLM doesn't see your code initially. It only sees structure and metadata. When it needs code, it uses tools:
```
You: "How does user creation work?"
Agent reasoning:
1. [get_structure src/] → sees user/ folder exists
2. [get_function src/user/service.ts createUser] → loads specific function
3. [find_references createUser] → finds all usages
4. Synthesizes answer with only relevant code loaded
Total tokens used: ~2k (vs loading entire src/ which could be 50k+)
```
### 4. Session Persistence
Everything is saved to Redis:
- Chat history and context state
- Undo stack (last 10 file changes)
- Session metadata and statistics
Resume your session anytime with `/sessions load <id>`.
### 5. Security Model
Three-layer security:
1. **Blacklist**: Dangerous commands always blocked (rm -rf, sudo, etc.)
2. **Whitelist**: Safe commands auto-approved (npm, git status, etc.)
3. **Confirmation**: Unknown commands require user approval
File operations are restricted to project directory only (path traversal prevention).
## Troubleshooting
### Redis Connection Errors
**Error**: `Redis connection failed`
**Solutions**:
```bash
# Check if Redis is running
redis-cli ping # Should return "PONG"
# Start Redis with AOF persistence
redis-server --appendonly yes
# Check Redis logs
tail -f /usr/local/var/log/redis.log # macOS
```
### Ollama Model Not Found
**Error**: `Model qwen2.5-coder:7b-instruct not found`
**Solutions**:
```bash
# Pull the model
ollama pull qwen2.5-coder:7b-instruct
# List installed models
ollama list
# Check Ollama is running
ollama serve
```
### Large Project Performance
**Issue**: Indexing takes too long or uses too much memory
**Solutions**:
```bash
# Index only a subdirectory
ipuaro ./src
# Add more ignore patterns to .ipuaro.json
{
"project": {
"ignorePatterns": ["node_modules", "dist", ".git", "coverage", "build"]
}
}
# Increase Node.js memory limit
NODE_OPTIONS="--max-old-space-size=4096" ipuaro
```
### Context Window Exceeded
**Issue**: `Context window exceeded` errors
**Solutions**:
- Context auto-compresses at 80%, but you can manually `/clear` history
- Use more targeted questions instead of asking about entire codebase
- The agent will automatically use tools to load only what's needed
### File Changes Not Detected
**Issue**: Made changes but agent doesn't see them
**Solutions**:
```bash
# Force reindex
/reindex
# Or restart with fresh index
rm -rf ~/.ipuaro/cache
ipuaro
```
### Undo Not Working
**Issue**: `/undo` says no changes to undo
**Explanation**: Undo stack only tracks the last 10 file edits made through ipuaro. Manual file edits outside ipuaro cannot be undone.
## FAQ
**Q: Does ipuaro send my code to any external servers?**
A: No. Everything runs locally. Ollama runs on your machine, Redis stores data locally, and no network requests are made except to your local Ollama instance.
**Q: What languages are supported?**
A: Currently TypeScript, JavaScript (including TSX/JSX). More languages planned for future versions.
**Q: Can I use OpenAI/Anthropic/other LLM providers?**
A: Currently only Ollama is supported. OpenAI/Anthropic support is planned for v1.2.0.
**Q: How much disk space does Redis use?**
A: Depends on project size. A typical mid-size project (1000 files) uses ~50-100MB. Redis uses AOF persistence, so data survives restarts.
**Q: Can I use ipuaro in a CI/CD pipeline?**
A: Yes, but it's designed for interactive use. For automated code analysis, consider the programmatic API.
**Q: What's the difference between ipuaro and GitHub Copilot?**
A: Copilot is an autocomplete tool. ipuaro is a conversational agent that can read, analyze, modify files, run commands, and has full codebase understanding through AST parsing.
**Q: Why Redis instead of SQLite or JSON files?**
A: Redis provides fast in-memory access, AOF persistence, and handles concurrent access well. The session model fits Redis's data structures perfectly.
## Contributing
Contributions welcome! This project is in early development.
```bash
# Clone
git clone https://github.com/samiyev/puaros.git
cd puaros/packages/ipuaro
# Install
pnpm install
# Build
pnpm build
# Test
pnpm test:run
# Coverage
pnpm test:coverage
```
## License
MIT © Fozilbek Samiyev
## Links
- [GitHub Repository](https://github.com/samiyev/puaros/tree/main/packages/ipuaro)
- [Issues](https://github.com/samiyev/puaros/issues)
- [Changelog](./CHANGELOG.md)
- [Roadmap](./ROADMAP.md)

2118
packages/ipuaro/ROADMAP.md Normal file
View File

File diff suppressed because it is too large Load Diff

109
packages/ipuaro/TODO.md Normal file
View File

@@ -0,0 +1,109 @@
# ipuaro TODO
## Completed
### Version 0.1.0 - Foundation
- [x] Project setup (package.json, tsconfig, vitest)
- [x] Domain entities (Session, Project)
- [x] Domain value objects (FileData, FileAST, FileMeta, ChatMessage, etc.)
- [x] Domain service interfaces (IStorage, ILLMClient, ITool, IIndexer)
- [x] Shared config loader with Zod validation
- [x] IpuaroError class
### Version 0.2.0 - Redis Storage
- [x] RedisClient with AOF config
- [x] Redis schema implementation
- [x] RedisStorage class
### Version 0.3.0 - Indexer
- [x] FileScanner with gitignore support
- [x] ASTParser with tree-sitter
- [x] MetaAnalyzer for complexity
- [x] IndexBuilder for symbols
- [x] Watchdog for file changes
### Version 0.4.0 - LLM Integration
- [x] OllamaClient implementation
- [x] System prompt design
- [x] Tool definitions (18 tools)
- [x] Response parser (XML format)
### Version 0.5.0 - Read Tools
- [x] ToolRegistry implementation
- [x] get_lines tool
- [x] get_function tool
- [x] get_class tool
- [x] get_structure tool
### Version 0.6.0 - Edit Tools
- [x] edit_lines tool
- [x] create_file tool
- [x] delete_file tool
### Version 0.7.0 - Search Tools
- [x] find_references tool
- [x] find_definition tool
### Version 0.8.0 - Analysis Tools
- [x] get_dependencies tool
- [x] get_dependents tool
- [x] get_complexity tool
- [x] get_todos tool
### Version 0.9.0 - Git & Run Tools
- [x] git_status tool
- [x] git_diff tool
- [x] git_commit tool
- [x] CommandSecurity (blacklist/whitelist)
- [x] run_command tool
- [x] run_tests tool
### Version 0.10.0 - Session Management
- [x] ISessionStorage interface
- [x] RedisSessionStorage implementation
- [x] ContextManager use case
- [x] StartSession use case
- [x] HandleMessage use case
- [x] UndoChange use case
## In Progress
### Version 0.11.0 - TUI Basic
- [ ] App shell (Ink/React)
- [ ] StatusBar component
- [ ] Chat component
- [ ] Input component
## Planned
### Version 0.12.0 - TUI Advanced
- [ ] DiffView component
- [ ] ConfirmDialog component
- [ ] ErrorDialog component
- [ ] Progress component
### Version 0.13.0+ - Commands & Polish
- [ ] Slash commands (/help, /clear, /undo, /sessions, /status)
- [ ] Hotkeys (Ctrl+C, Ctrl+D, Ctrl+Z)
- [ ] Auto-compression at 80% context
### Version 0.14.0 - CLI Entry Point
- [ ] Full CLI commands (start, init, index)
- [ ] Onboarding flow (Redis check, Ollama check, model pull)
## Technical Debt
_None at this time._
## Ideas for Future
- Plugin system for custom tools
- Multiple LLM providers (OpenAI, Anthropic)
- IDE integration (LSP)
- Web UI option
- Parallel AST parsing
- Response caching
---
**Last Updated:** 2025-12-01

1605
packages/ipuaro/TOOLS.md Normal file
View File

File diff suppressed because it is too large Load Diff

3
packages/ipuaro/bin/ipuaro.js Normal file
View File

@@ -0,0 +1,3 @@
#!/usr/bin/env node
import "../dist/cli/index.js"

1143
packages/ipuaro/docs/CONCEPT.md Normal file
View File

File diff suppressed because it is too large Load Diff

4
packages/ipuaro/examples/demo-project/.gitignore vendored Normal file
View File

@@ -0,0 +1,4 @@
node_modules/
dist/
*.log
.DS_Store

21
packages/ipuaro/examples/demo-project/.ipuaro.json Normal file
View File

@@ -0,0 +1,21 @@
{
"redis": {
"host": "localhost",
"port": 6379
},
"llm": {
"model": "qwen2.5-coder:7b-instruct",
"temperature": 0.1
},
"project": {
"ignorePatterns": [
"node_modules",
"dist",
".git",
"*.log"
]
},
"edit": {
"autoApply": false
}
}

8
packages/ipuaro/examples/demo-project/EXAMPLE_CONVERSATIONS.md Normal file
View File

@@ -0,0 +1,8 @@
# Example Conversations with ipuaro
This document shows realistic conversations you can have with ipuaro when working with the demo project.
## Conversation 1: Understanding the Codebase
```
You: What does this project do?

406
packages/ipuaro/examples/demo-project/README.md Normal file
View File

@@ -0,0 +1,406 @@
# ipuaro Demo Project
This is a demo project showcasing ipuaro's capabilities as a local AI agent for codebase operations.
## Project Overview
A simple TypeScript application demonstrating:
- User management service
- Authentication service
- Validation utilities
- Logging utilities
- Unit tests
The code intentionally includes various patterns (TODOs, FIXMEs, complex functions, dependencies) to demonstrate ipuaro's analysis tools.
## Setup
### Prerequisites
1. **Redis** - Running locally
```bash
# macOS
brew install redis
redis-server --appendonly yes
```
2. **Ollama** - With qwen2.5-coder model
```bash
brew install ollama
ollama serve
ollama pull qwen2.5-coder:7b-instruct
```
3. **Node.js** - v20 or higher
### Installation
```bash
# Install dependencies
npm install
# Or with pnpm
pnpm install
```
## Using ipuaro with Demo Project
### Start ipuaro
```bash
# From this directory
npx @samiyev/ipuaro
# Or if installed globally
ipuaro
```
### Example Queries
Try these queries to explore ipuaro's capabilities:
#### 1. Understanding the Codebase
```
You: What is the structure of this project?
```
ipuaro will use `get_structure` to show the directory tree.
```
You: How does user creation work?
```
ipuaro will:
1. Use `get_structure` to find relevant files
2. Use `get_function` to read the `createUser` function
3. Use `find_references` to see where it's called
4. Explain the flow
#### 2. Finding Issues
```
You: What TODOs and FIXMEs are in the codebase?
```
ipuaro will use `get_todos` to list all TODO/FIXME comments.
```
You: Which files are most complex?
```
ipuaro will use `get_complexity` to analyze and rank files by complexity.
#### 3. Understanding Dependencies
```
You: What does the UserService depend on?
```
ipuaro will use `get_dependencies` to show imported modules.
```
You: What files use the validation utilities?
```
ipuaro will use `get_dependents` to show files importing validation.ts.
#### 4. Code Analysis
```
You: Find all references to the ValidationError class
```
ipuaro will use `find_references` to locate all usages.
```
You: Where is the Logger class defined?
```
ipuaro will use `find_definition` to locate the definition.
#### 5. Making Changes
```
You: Add a method to UserService to count total users
```
ipuaro will:
1. Read UserService class with `get_class`
2. Generate the new method
3. Use `edit_lines` to add it
4. Show diff and ask for confirmation
```
You: Fix the TODO in validation.ts about password validation
```
ipuaro will:
1. Find the TODO with `get_todos`
2. Read the function with `get_function`
3. Implement stronger password validation
4. Use `edit_lines` to apply changes
#### 6. Testing
```
You: Run the tests
```
ipuaro will use `run_tests` to execute the test suite.
```
You: Add a test for the getUserByEmail method
```
ipuaro will:
1. Read existing tests with `get_lines`
2. Generate new test following the pattern
3. Use `edit_lines` to add it
#### 7. Git Operations
```
You: What files have I changed?
```
ipuaro will use `git_status` to show modified files.
```
You: Show me the diff for UserService
```
ipuaro will use `git_diff` with the file path.
```
You: Commit these changes with message "feat: add user count method"
```
ipuaro will use `git_commit` after confirmation.
## Tool Demonstration Scenarios
### Scenario 1: Bug Fix Flow
```
You: There's a bug - we need to sanitize user input before storing. Fix this in UserService.
Agent will:
1. get_function("src/services/user.ts", "createUser")
2. See that sanitization is missing
3. find_definition("sanitizeInput") to locate the utility
4. edit_lines to add sanitization call
5. run_tests to verify the fix
```
### Scenario 2: Refactoring Flow
```
You: Extract the ID generation logic into a separate utility function
Agent will:
1. get_class("src/services/user.ts", "UserService")
2. Find generateId private method
3. create_file("src/utils/id.ts") with the utility
4. edit_lines to replace private method with import
5. find_references("generateId") to check no other usages
6. run_tests to ensure nothing broke
```
### Scenario 3: Feature Addition
```
You: Add password reset functionality to AuthService
Agent will:
1. get_class("src/auth/service.ts", "AuthService")
2. get_dependencies to see what's available
3. Design the resetPassword method
4. edit_lines to add the method
5. Suggest creating a test
6. create_file("tests/auth.test.ts") if needed
```
### Scenario 4: Code Review
```
You: Review the code for security issues
Agent will:
1. get_todos to find FIXME about XSS
2. get_complexity to find complex functions
3. get_function for suspicious functions
4. Suggest improvements
5. Optionally edit_lines to fix issues
```
## Slash Commands
While exploring, you can use these commands:
```
/help # Show all commands and hotkeys
/status # Show system status (LLM, Redis, context)
/sessions list # List all sessions
/undo # Undo last file change
/clear # Clear chat history
/reindex # Force project reindexation
/auto-apply on # Enable auto-apply mode (skip confirmations)
```
## Hotkeys
- `Ctrl+C` - Interrupt generation (1st) / Exit (2nd within 1s)
- `Ctrl+D` - Exit and save session
- `Ctrl+Z` - Undo last change
- `↑` / `↓` - Navigate input history
## Project Files Overview
```
demo-project/
├── src/
│ ├── auth/
│ │ └── service.ts # Authentication logic (login, logout, verify)
│ ├── services/
│ │ └── user.ts # User CRUD operations
│ ├── utils/
│ │ ├── logger.ts # Logging utility (multiple methods)
│ │ └── validation.ts # Input validation (with TODOs/FIXMEs)
│ ├── types/
│ │ └── user.ts # TypeScript type definitions
│ └── index.ts # Application entry point
├── tests/
│ └── user.test.ts # User service tests (vitest)
├── package.json # Project configuration
├── tsconfig.json # TypeScript configuration
├── vitest.config.ts # Test configuration
└── .ipuaro.json # ipuaro configuration
```
## What ipuaro Can Do With This Project
### Read Tools ✅
- **get_lines**: Read any file or specific line ranges
- **get_function**: Extract specific functions (login, createUser, etc.)
- **get_class**: Extract classes (UserService, AuthService, Logger, etc.)
- **get_structure**: See directory tree
### Edit Tools ✅
- **edit_lines**: Modify functions, fix bugs, add features
- **create_file**: Add new utilities, tests, services
- **delete_file**: Remove unused files
### Search Tools ✅
- **find_references**: Find all usages of ValidationError, User, etc.
- **find_definition**: Locate where Logger, UserService are defined
### Analysis Tools ✅
- **get_dependencies**: See what UserService imports
- **get_dependents**: See what imports validation.ts (multiple files!)
- **get_complexity**: Identify complex functions (createUser has moderate complexity)
- **get_todos**: Find 2 TODOs and 1 FIXME in the project
### Git Tools ✅
- **git_status**: Check working tree
- **git_diff**: See changes
- **git_commit**: Commit with AI-generated messages
### Run Tools ✅
- **run_command**: Execute npm scripts
- **run_tests**: Run vitest tests
## Tips for Best Experience
1. **Start Small**: Ask about structure first, then dive into specific files
2. **Be Specific**: "Show me the createUser function" vs "How does this work?"
3. **Use Tools Implicitly**: Just ask questions, let ipuaro choose the right tools
4. **Review Changes**: Always review diffs before applying edits
5. **Test Often**: Ask ipuaro to run tests after making changes
6. **Commit Incrementally**: Use git_commit for each logical change
## Advanced Workflows
### Workflow 1: Add New Feature
```
You: Add email verification to the authentication flow
Agent will:
1. Analyze current auth flow
2. Propose design (new fields, methods)
3. Edit AuthService to add verification
4. Edit User types to add verified field
5. Create tests for verification
6. Run tests
7. Offer to commit
```
### Workflow 2: Performance Optimization
```
You: The user lookup is slow when we have many users. Optimize it.
Agent will:
1. Analyze UserService.getUserByEmail
2. See it's using Array.find (O(n))
3. Suggest adding an email index
4. Edit to add private emailIndex: Map<string, User>
5. Update createUser to populate index
6. Update deleteUser to maintain index
7. Run tests to verify
```
### Workflow 3: Security Audit
```
You: Audit the code for security vulnerabilities
Agent will:
1. get_todos to find FIXME about XSS
2. Review sanitizeInput implementation
3. Check password validation strength
4. Look for SQL injection risks (none here)
5. Suggest improvements
6. Optionally implement fixes
```
## Next Steps
After exploring the demo project, try:
1. **Your Own Project**: Run `ipuaro` in your real codebase
2. **Customize Config**: Edit `.ipuaro.json` to fit your needs
3. **Different Model**: Try `--model qwen2.5-coder:32b-instruct` for better results
4. **Auto-Apply Mode**: Use `--auto-apply` for faster iterations (with caution!)
## Troubleshooting
### Redis Not Connected
```bash
# Start Redis with persistence
redis-server --appendonly yes
```
### Ollama Model Not Found
```bash
# Pull the model
ollama pull qwen2.5-coder:7b-instruct
# Check it's installed
ollama list
```
### Indexing Takes Long
The project is small (~10 files) so indexing should be instant. For larger projects, use ignore patterns in `.ipuaro.json`.
## Learn More
- [ipuaro Documentation](../../README.md)
- [Architecture Guide](../../ARCHITECTURE.md)
- [Tools Reference](../../TOOLS.md)
- [GitHub Repository](https://github.com/samiyev/puaros)
---
**Happy coding with ipuaro!** 🎩✨

20
packages/ipuaro/examples/demo-project/package.json Normal file
View File

@@ -0,0 +1,20 @@
{
"name": "ipuaro-demo-project",
"version": "1.0.0",
"description": "Demo project for ipuaro - showcasing AI agent capabilities",
"private": true,
"type": "module",
"scripts": {
"dev": "tsx src/index.ts",
"test": "vitest",
"test:run": "vitest run",
"build": "tsc"
},
"dependencies": {},
"devDependencies": {
"@types/node": "^22.10.1",
"tsx": "^4.19.2",
"typescript": "^5.7.2",
"vitest": "^1.6.0"
}
}

85
packages/ipuaro/examples/demo-project/src/auth/service.ts Normal file
View File

@@ -0,0 +1,85 @@
/**
* Authentication service
*/
import type { User, AuthToken } from "../types/user"
import { UserService } from "../services/user"
import { createLogger } from "../utils/logger"
const logger = createLogger("AuthService")
export class AuthService {
private tokens: Map<string, AuthToken> = new Map()
constructor(private userService: UserService) {}
async login(email: string, password: string): Promise<AuthToken> {
logger.info("Login attempt", { email })
// Get user
const user = await this.userService.getUserByEmail(email)
if (!user) {
logger.warn("Login failed - user not found", { email })
throw new Error("Invalid credentials")
}
// TODO: Implement actual password verification
// For demo purposes, we just check if password is provided
if (!password) {
logger.warn("Login failed - no password", { email })
throw new Error("Invalid credentials")
}
// Generate token
const token = this.generateToken(user)
this.tokens.set(token.token, token)
logger.info("Login successful", { userId: user.id })
return token
}
async logout(tokenString: string): Promise<void> {
logger.info("Logout", { token: tokenString.substring(0, 10) + "..." })
const token = this.tokens.get(tokenString)
if (!token) {
throw new Error("Invalid token")
}
this.tokens.delete(tokenString)
logger.info("Logout successful", { userId: token.userId })
}
async verifyToken(tokenString: string): Promise<User> {
logger.debug("Verifying token")
const token = this.tokens.get(tokenString)
if (!token) {
throw new Error("Invalid token")
}
if (token.expiresAt < new Date()) {
this.tokens.delete(tokenString)
throw new Error("Token expired")
}
const user = await this.userService.getUserById(token.userId)
if (!user) {
throw new Error("User not found")
}
return user
}
private generateToken(user: User): AuthToken {
const token = `tok_${Date.now()}_${Math.random().toString(36).substring(7)}`
const expiresAt = new Date()
expiresAt.setHours(expiresAt.getHours() + 24) // 24 hours
return {
token,
expiresAt,
userId: user.id,
}
}
}

48
packages/ipuaro/examples/demo-project/src/index.ts Normal file
View File

@@ -0,0 +1,48 @@
/**
* Demo application entry point
*/
import { UserService } from "./services/user"
import { AuthService } from "./auth/service"
import { createLogger } from "./utils/logger"
const logger = createLogger("App")
async function main(): Promise<void> {
logger.info("Starting demo application")
// Initialize services
const userService = new UserService()
const authService = new AuthService(userService)
try {
// Create a demo user
const user = await userService.createUser({
email: "demo@example.com",
name: "Demo User",
password: "password123",
role: "admin",
})
logger.info("Demo user created", { userId: user.id })
// Login
const token = await authService.login("demo@example.com", "password123")
logger.info("Login successful", { token: token.token })
// Verify token
const verifiedUser = await authService.verifyToken(token.token)
logger.info("Token verified", { userId: verifiedUser.id })
// Logout
await authService.logout(token.token)
logger.info("Logout successful")
} catch (error) {
logger.error("Application error", error as Error)
process.exit(1)
}
logger.info("Demo application finished")
}
main()

100
packages/ipuaro/examples/demo-project/src/services/user.ts Normal file
View File

@@ -0,0 +1,100 @@
/**
* User service - handles user-related operations
*/
import type { User, CreateUserDto, UpdateUserDto } from "../types/user"
import { isValidEmail, isStrongPassword, ValidationError } from "../utils/validation"
import { createLogger } from "../utils/logger"
const logger = createLogger("UserService")
export class UserService {
private users: Map<string, User> = new Map()
async createUser(dto: CreateUserDto): Promise<User> {
logger.info("Creating user", { email: dto.email })
// Validate email
if (!isValidEmail(dto.email)) {
throw new ValidationError("Invalid email address", "email")
}
// Validate password
if (!isStrongPassword(dto.password)) {
throw new ValidationError("Password must be at least 8 characters", "password")
}
// Check if user already exists
const existingUser = Array.from(this.users.values()).find((u) => u.email === dto.email)
if (existingUser) {
throw new Error("User with this email already exists")
}
// Create user
const user: User = {
id: this.generateId(),
email: dto.email,
name: dto.name,
role: dto.role || "user",
createdAt: new Date(),
updatedAt: new Date(),
}
this.users.set(user.id, user)
logger.info("User created", { userId: user.id })
return user
}
async getUserById(id: string): Promise<User | null> {
logger.debug("Getting user by ID", { userId: id })
return this.users.get(id) || null
}
async getUserByEmail(email: string): Promise<User | null> {
logger.debug("Getting user by email", { email })
return Array.from(this.users.values()).find((u) => u.email === email) || null
}
async updateUser(id: string, dto: UpdateUserDto): Promise<User> {
logger.info("Updating user", { userId: id })
const user = this.users.get(id)
if (!user) {
throw new Error("User not found")
}
const updated: User = {
...user,
...(dto.name && { name: dto.name }),
...(dto.role && { role: dto.role }),
updatedAt: new Date(),
}
this.users.set(id, updated)
logger.info("User updated", { userId: id })
return updated
}
async deleteUser(id: string): Promise<void> {
logger.info("Deleting user", { userId: id })
if (!this.users.has(id)) {
throw new Error("User not found")
}
this.users.delete(id)
logger.info("User deleted", { userId: id })
}
async listUsers(): Promise<User[]> {
logger.debug("Listing all users")
return Array.from(this.users.values())
}
private generateId(): string {
return `user_${Date.now()}_${Math.random().toString(36).substring(7)}`
}
}

32
packages/ipuaro/examples/demo-project/src/types/user.ts Normal file
View File

@@ -0,0 +1,32 @@
/**
* User-related type definitions
*/
export interface User {
id: string
email: string
name: string
role: UserRole
createdAt: Date
updatedAt: Date
}
export type UserRole = "admin" | "user" | "guest"
export interface CreateUserDto {
email: string
name: string
password: string
role?: UserRole
}
export interface UpdateUserDto {
name?: string
role?: UserRole
}
export interface AuthToken {
token: string
expiresAt: Date
userId: string
}

41
packages/ipuaro/examples/demo-project/src/utils/logger.ts Normal file
View File

@@ -0,0 +1,41 @@
/**
* Simple logging utility
*/
export type LogLevel = "debug" | "info" | "warn" | "error"
export class Logger {
constructor(private context: string) {}
debug(message: string, meta?: Record<string, unknown>): void {
this.log("debug", message, meta)
}
info(message: string, meta?: Record<string, unknown>): void {
this.log("info", message, meta)
}
warn(message: string, meta?: Record<string, unknown>): void {
this.log("warn", message, meta)
}
error(message: string, error?: Error, meta?: Record<string, unknown>): void {
this.log("error", message, { ...meta, error: error?.message })
}
private log(level: LogLevel, message: string, meta?: Record<string, unknown>): void {
const timestamp = new Date().toISOString()
const logEntry = {
timestamp,
level,
context: this.context,
message,
...(meta && { meta }),
}
console.log(JSON.stringify(logEntry))
}
}
export function createLogger(context: string): Logger {
return new Logger(context)
}

28
packages/ipuaro/examples/demo-project/src/utils/validation.ts Normal file
View File

@@ -0,0 +1,28 @@
/**
* Validation utilities
*/
export function isValidEmail(email: string): boolean {
const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/
return emailRegex.test(email)
}
export function isStrongPassword(password: string): boolean {
// TODO: Add more sophisticated password validation
return password.length >= 8
}
export function sanitizeInput(input: string): string {
// FIXME: This is a basic implementation, needs XSS protection
return input.trim().replace(/[<>]/g, "")
}
export class ValidationError extends Error {
constructor(
message: string,
public field: string,
) {
super(message)
this.name = "ValidationError"
}
}

141
packages/ipuaro/examples/demo-project/tests/user.test.ts Normal file
View File

@@ -0,0 +1,141 @@
/**
* User service tests
*/
import { describe, it, expect, beforeEach } from "vitest"
import { UserService } from "../src/services/user"
import { ValidationError } from "../src/utils/validation"
describe("UserService", () => {
let userService: UserService
beforeEach(() => {
userService = new UserService()
})
describe("createUser", () => {
it("should create a new user", async () => {
const user = await userService.createUser({
email: "test@example.com",
name: "Test User",
password: "password123",
})
expect(user).toBeDefined()
expect(user.email).toBe("test@example.com")
expect(user.name).toBe("Test User")
expect(user.role).toBe("user")
})
it("should reject invalid email", async () => {
await expect(
userService.createUser({
email: "invalid-email",
name: "Test User",
password: "password123",
}),
).rejects.toThrow(ValidationError)
})
it("should reject weak password", async () => {
await expect(
userService.createUser({
email: "test@example.com",
name: "Test User",
password: "weak",
}),
).rejects.toThrow(ValidationError)
})
it("should prevent duplicate emails", async () => {
await userService.createUser({
email: "test@example.com",
name: "Test User",
password: "password123",
})
await expect(
userService.createUser({
email: "test@example.com",
name: "Another User",
password: "password123",
}),
).rejects.toThrow("already exists")
})
})
describe("getUserById", () => {
it("should return user by ID", async () => {
const created = await userService.createUser({
email: "test@example.com",
name: "Test User",
password: "password123",
})
const found = await userService.getUserById(created.id)
expect(found).toEqual(created)
})
it("should return null for non-existent ID", async () => {
const found = await userService.getUserById("non-existent")
expect(found).toBeNull()
})
})
describe("updateUser", () => {
it("should update user name", async () => {
const user = await userService.createUser({
email: "test@example.com",
name: "Test User",
password: "password123",
})
const updated = await userService.updateUser(user.id, {
name: "Updated Name",
})
expect(updated.name).toBe("Updated Name")
expect(updated.email).toBe(user.email)
})
it("should throw error for non-existent user", async () => {
await expect(userService.updateUser("non-existent", { name: "Test" })).rejects.toThrow(
"not found",
)
})
})
describe("deleteUser", () => {
it("should delete user", async () => {
const user = await userService.createUser({
email: "test@example.com",
name: "Test User",
password: "password123",
})
await userService.deleteUser(user.id)
const found = await userService.getUserById(user.id)
expect(found).toBeNull()
})
})
describe("listUsers", () => {
it("should return all users", async () => {
await userService.createUser({
email: "user1@example.com",
name: "User 1",
password: "password123",
})
await userService.createUser({
email: "user2@example.com",
name: "User 2",
password: "password123",
})
const users = await userService.listUsers()
expect(users).toHaveLength(2)
})
})
})

16
packages/ipuaro/examples/demo-project/tsconfig.json Normal file
View File

@@ -0,0 +1,16 @@
{
"compilerOptions": {
"target": "ES2023",
"module": "ESNext",
"lib": ["ES2023"],
"moduleResolution": "Bundler",
"esModuleInterop": true,
"strict": true,
"skipLibCheck": true,
"resolveJsonModule": true,
"outDir": "dist",
"rootDir": "src"
},
"include": ["src/**/*"],
"exclude": ["node_modules", "dist", "tests"]
}

8
packages/ipuaro/examples/demo-project/vitest.config.ts Normal file
View File

@@ -0,0 +1,8 @@
import { defineConfig } from "vitest/config"
export default defineConfig({
test: {
globals: true,
environment: "node",
},
})

86
packages/ipuaro/package.json Normal file
View File

@@ -0,0 +1,86 @@
{
"name": "@samiyev/ipuaro",
"version": "0.29.0",
"description": "Local AI agent for codebase operations with infinite context feeling",
"author": "Fozilbek Samiyev <fozilbek.samiyev@gmail.com>",
"license": "MIT",
"type": "module",
"main": "./dist/index.js",
"types": "./dist/index.d.ts",
"bin": {
"ipuaro": "bin/ipuaro.js"
},
"exports": {
".": {
"types": "./dist/index.d.ts",
"import": "./dist/index.js"
}
},
"files": [
"dist",
"bin"
],
"scripts": {
"build": "tsup",
"watch": "tsup --watch",
"clean": "rm -rf dist",
"test": "vitest",
"test:run": "vitest run",
"test:coverage": "vitest run --coverage",
"test:ui": "vitest --ui",
"test:watch": "vitest --watch",
"lint": "eslint src --fix",
"format": "prettier --write src"
},
"dependencies": {
"chokidar": "^3.6.0",
"commander": "^11.1.0",
"globby": "^16.0.0",
"ink": "^4.4.1",
"ink-text-input": "^5.0.1",
"ioredis": "^5.4.1",
"ollama": "^0.5.11",
"react": "^18.2.0",
"simple-git": "^3.27.0",
"tree-sitter": "^0.21.1",
"tree-sitter-javascript": "^0.21.0",
"tree-sitter-json": "^0.24.8",
"tree-sitter-typescript": "^0.21.2",
"yaml": "^2.8.2",
"zod": "^3.23.8"
},
"devDependencies": {
"@testing-library/react": "^16.3.0",
"@types/jsdom": "^27.0.0",
"@types/node": "^22.10.1",
"@types/react": "^18.2.0",
"@vitest/coverage-v8": "^1.6.0",
"@vitest/ui": "^1.6.0",
"jsdom": "^27.2.0",
"react-dom": "18.3.1",
"tsup": "^8.3.5",
"typescript": "^5.7.2",
"vitest": "^1.6.0"
},
"engines": {
"node": ">=20.0.0"
},
"keywords": [
"ai",
"agent",
"codebase",
"llm",
"ollama",
"cli",
"terminal"
],
"repository": {
"type": "git",
"url": "git+https://github.com/samiyev/puaros.git",
"directory": "packages/ipuaro"
},
"bugs": {
"url": "https://github.com/samiyev/puaros/issues"
},
"homepage": "https://github.com/samiyev/puaros/tree/main/packages/ipuaro#readme"
}

4
packages/ipuaro/src/application/dtos/index.ts Normal file
View File

@@ -0,0 +1,4 @@
/*
* Application DTOs
* Will be implemented in version 0.10.0+
*/

Some files were not shown because too many files have changed in this diff Show More