ailabs/puaros
1
0
Fork 0
mirror of https://github.com/samiyev/puaros.git synced 2025-12-27 23:06:54 +05:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: ailabs:v0.7.9
Branches Tags
ailabs:main
ailabs:ipuaro-v0.30.2 ailabs:ipuaro-v0.30.1 ailabs:ipuaro-v0.30.0 ailabs:ipuaro-v0.29.0 ailabs:ipuaro-v0.28.0 ailabs:ipuaro-v0.27.0 ailabs:ipuaro-v0.26.0 ailabs:ipuaro-v0.25.0 ailabs:ipuaro-v0.24.0 ailabs:ipuaro-v0.23.0 ailabs:ipuaro-v0.22.5 ailabs:ipuaro-v0.22.4 ailabs:ipuaro-v0.22.3 ailabs:ipuaro-v0.22.2 ailabs:ipuaro-v0.22.1 ailabs:ipuaro-v0.21.4 ailabs:ipuaro-v0.21.1 ailabs:ipuaro-v0.21.0 ailabs:ipuaro-v0.20.0 ailabs:ipuaro-v0.19.0 ailabs:ipuaro-v0.18.0 ailabs:ipuaro-v0.17.0 ailabs:ipuaro-v0.16.0 ailabs:ipuaro-v0.15.0 ailabs:ipuaro-v0.14.0 ailabs:ipuaro-v0.13.0 ailabs:ipuaro-v0.12.0 ailabs:ipuaro-v0.11.0 ailabs:ipuaro-v0.10.0 ailabs:ipuaro-v0.9.0 ailabs:ipuaro-v0.8.0 ailabs:ipuaro-v0.7.0 ailabs:ipuaro-v0.6.0 ailabs:ipuaro-v0.5.0 ailabs:ipuaro-v0.4.0 ailabs:guardian-v0.9.4 ailabs:ipuaro-v0.3.1 ailabs:ipuaro-v0.3.0 ailabs:ipuaro-v0.2.0 ailabs:ipuaro-v0.1.1 ailabs:guardian-v0.9.3 ailabs:ipuaro-v0.1.0 ailabs:v0.9.1 ailabs:v0.9.0 ailabs:v0.8.1 ailabs:v0.8.0 ailabs:v0.7.9 ailabs:v0.7.8 ailabs:v0.7.7 ailabs:v0.7.6 ailabs:v0.7.5 ailabs:v0.7.4 ailabs:v0.7.3 ailabs:v0.7.2 ailabs:v0.7.1 ailabs:v0.7.0 ailabs:v0.6.4 ailabs:v0.6.3 ailabs:v0.6.2 ailabs:v0.6.1 ailabs:v0.6.0 ailabs:v0.5.2 ailabs:v0.5.1 ailabs:v0.5.0 ailabs:v0.1.0 ailabs:v0.3.0 ailabs:v0.2.0
...
compare: ailabs:v0.9.0
Branches Tags
ailabs:main
ailabs:ipuaro-v0.30.2 ailabs:ipuaro-v0.30.1 ailabs:ipuaro-v0.30.0 ailabs:ipuaro-v0.29.0 ailabs:ipuaro-v0.28.0 ailabs:ipuaro-v0.27.0 ailabs:ipuaro-v0.26.0 ailabs:ipuaro-v0.25.0 ailabs:ipuaro-v0.24.0 ailabs:ipuaro-v0.23.0 ailabs:ipuaro-v0.22.5 ailabs:ipuaro-v0.22.4 ailabs:ipuaro-v0.22.3 ailabs:ipuaro-v0.22.2 ailabs:ipuaro-v0.22.1 ailabs:ipuaro-v0.21.4 ailabs:ipuaro-v0.21.1 ailabs:ipuaro-v0.21.0 ailabs:ipuaro-v0.20.0 ailabs:ipuaro-v0.19.0 ailabs:ipuaro-v0.18.0 ailabs:ipuaro-v0.17.0 ailabs:ipuaro-v0.16.0 ailabs:ipuaro-v0.15.0 ailabs:ipuaro-v0.14.0 ailabs:ipuaro-v0.13.0 ailabs:ipuaro-v0.12.0 ailabs:ipuaro-v0.11.0 ailabs:ipuaro-v0.10.0 ailabs:ipuaro-v0.9.0 ailabs:ipuaro-v0.8.0 ailabs:ipuaro-v0.7.0 ailabs:ipuaro-v0.6.0 ailabs:ipuaro-v0.5.0 ailabs:ipuaro-v0.4.0 ailabs:guardian-v0.9.4 ailabs:ipuaro-v0.3.1 ailabs:ipuaro-v0.3.0 ailabs:ipuaro-v0.2.0 ailabs:ipuaro-v0.1.1 ailabs:guardian-v0.9.3 ailabs:ipuaro-v0.1.0 ailabs:v0.9.1 ailabs:v0.9.0 ailabs:v0.8.1 ailabs:v0.8.0 ailabs:v0.7.9 ailabs:v0.7.8 ailabs:v0.7.7 ailabs:v0.7.6 ailabs:v0.7.5 ailabs:v0.7.4 ailabs:v0.7.3 ailabs:v0.7.2 ailabs:v0.7.1 ailabs:v0.7.0 ailabs:v0.6.4 ailabs:v0.6.3 ailabs:v0.6.2 ailabs:v0.6.1 ailabs:v0.6.0 ailabs:v0.5.2 ailabs:v0.5.1 ailabs:v0.5.0 ailabs:v0.1.0 ailabs:v0.3.0 ailabs:v0.2.0

4 Commits
v0.7.9 ... v0.9.0

Author SHA1 Message Date
imfozilbek
a6b4c69b75 feat: add anemic model detection and refactor hardcoded values (v0.9.0) 2025-11-26 00:09:48 +05:00
imfozilbek
1d6c2a0e00 refactor: extract all hardcoded values to constants (v0.8.1) 
Fix all 63 hardcoded value issues from Guardian self-check:
- Remove hardcoded Slack token from documentation
- Remove aws-sdk framework leak from domain layer
- Rename 4 pipeline files to verb-noun convention
- Extract 57 magic strings to SecretExamples.ts constants
- Update SecretViolation, SecretDetector, MagicStringMatcher
- Use typeof for TypeScript literal type in getSeverity()

Result: 0 issues in Guardian self-check (was 63)
All 566 tests passing, build successful
 2025-11-25 19:06:33 +05:00
imfozilbek
db8a97202e chore: update pnpm-lock.yaml for secretlint dependencies 
Add lockfile changes for @secretlint packages:
- @secretlint/node@11.2.5
- @secretlint/core@11.2.5
- @secretlint/types@11.2.5
- @secretlint/secretlint-rule-preset-recommend@11.2.5
 2025-11-25 18:30:40 +05:00
imfozilbek
0b1cc5a79a feat: add secret detection with Secretlint (v0.8.0) 
Add critical security feature to detect 350+ types of hardcoded secrets
using industry-standard Secretlint library.

Features:
- Detect AWS keys, GitHub tokens, NPM tokens, SSH keys, API keys, etc.
- All secrets marked as CRITICAL severity
- Context-aware remediation suggestions per secret type
- New SecretDetector using @secretlint/node
- New SecretViolation value object (100% test coverage)
- CLI output with "🔐 Secrets" section
- Async pipeline support for secret detection

Tests:
- Added 47 new tests (566 total, 100% pass rate)
- Coverage: 93.3% statements, 83.74% branches
- SecretViolation: 23 tests, 100% coverage
- SecretDetector: 24 tests

Dependencies:
- @secretlint/node: 11.2.5
- @secretlint/core: 11.2.5
- @secretlint/types: 11.2.5
- @secretlint/secretlint-rule-preset-recommend: 11.2.5
 2025-11-25 18:27:27 +05:00
32 changed files with 3133 additions and 53 deletions
Expand all files Collapse all files

119
packages/guardian/CHANGELOG.md
View File

@@ -5,6 +5,125 @@ All notable changes to @samiyev/guardian will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [0.9.0] - 2025-11-26
### Added
- 🏛️ **Anemic Model Detection** - NEW feature to detect anemic domain models lacking business logic:
- Detects entities with only getters/setters (violates DDD principles)
- Identifies classes with public setters (breaks encapsulation)
- Analyzes method-to-property ratio to find data-heavy, logic-light classes
- Provides detailed suggestions: add business methods, move logic from services, encapsulate invariants
- New `AnemicModelDetector` infrastructure component
- New `AnemicModelViolation` value object with rich example fixes
- New `IAnemicModelDetector` domain interface
- Integrated into CLI with detailed violation reports
- 12 comprehensive tests for anemic model detection
- 📦 **New shared constants** - Centralized constants for better code maintainability:
- `CLASS_KEYWORDS` - TypeScript class and method keywords (constructor, public, private, protected)
- `EXAMPLE_CODE_CONSTANTS` - Documentation example code strings (ORDER_STATUS_PENDING, ORDER_STATUS_APPROVED, CANNOT_APPROVE_ERROR)
- `ANEMIC_MODEL_MESSAGES` - 8 suggestion messages for fixing anemic models
- 📚 **Example files** - Added DDD examples demonstrating anemic vs rich domain models:
- `examples/bad/domain/entities/anemic-model-only-getters-setters.ts`
- `examples/bad/domain/entities/anemic-model-public-setters.ts`
- `examples/good-architecture/domain/entities/Customer.ts`
- `examples/good-architecture/domain/entities/Order.ts`
### Changed
- ♻️ **Refactored hardcoded values** - Extracted all remaining hardcoded values to centralized constants:
- Updated `AnemicModelDetector.ts` to use `CLASS_KEYWORDS` constants
- Updated `AnemicModelViolation.ts` to use `EXAMPLE_CODE_CONSTANTS` for example fix strings
- Replaced local constants with shared constants from `shared/constants`
- Improved code maintainability and consistency
- 🎯 **Enhanced violation detection pipeline** - Added anemic model detection to `ExecuteDetection.ts`
- 📊 **Updated API** - Added anemic model violations to response DTO
- 🔧 **CLI improvements** - Added anemic model section to output formatting
### Quality
-**Guardian self-check** - 0 issues (was 5) - 100% clean codebase
-**All tests pass** - 578/578 tests passing (added 12 new tests)
-**Build successful** - TypeScript compilation with no errors
-**Linter clean** - 0 errors, 3 acceptable warnings (complexity, params)
-**Format verified** - All files properly formatted with 4-space indentation
## [0.8.1] - 2025-11-25
### Fixed
- 🧹 **Code quality improvements** - Fixed all 63 hardcoded value issues detected by Guardian self-check:
- Fixed 1 CRITICAL: Removed hardcoded Slack token from documentation examples
- Fixed 1 HIGH: Removed aws-sdk framework leak from domain layer examples
- Fixed 4 MEDIUM: Renamed pipeline files to follow verb-noun convention
- Fixed 57 LOW: Extracted all magic strings to reusable constants
### Added
- 📦 **New constants file** - `domain/constants/SecretExamples.ts`:
- 32 secret keyword constants (AWS, GitHub, NPM, SSH, Slack, etc.)
- 15 secret type name constants
- 7 example secret values for documentation
- Regex patterns and encoding constants
### Changed
- ♻️ **Refactored pipeline naming** - Updated use case files to follow naming conventions:
- `DetectionPipeline.ts``ExecuteDetection.ts`
- `FileCollectionStep.ts``CollectFiles.ts`
- `ParsingStep.ts``ParseSourceFiles.ts`
- `ResultAggregator.ts``AggregateResults.ts`
- Added `Aggregate`, `Collect`, `Parse` to `USE_CASE_VERBS` list
- 🔧 **Updated 3 core files to use constants**:
- `SecretViolation.ts`: All secret examples use constants, `getSeverity()` returns `typeof SEVERITY_LEVELS.CRITICAL`
- `SecretDetector.ts`: All secret keywords use constants
- `MagicStringMatcher.ts`: Regex patterns extracted to constants
- 📝 **Test updates** - Updated 2 tests to match new example fix messages
### Quality
-**Guardian self-check** - 0 issues (was 63) - 100% clean codebase
-**All tests pass** - 566/566 tests passing
-**Build successful** - TypeScript compilation with no errors
-**Linter clean** - 0 errors, 2 acceptable warnings (complexity, params)
-**Format verified** - All files properly formatted with 4-space indentation
## [0.8.0] - 2025-11-25
### Added
- 🔐 **Secret Detection** - NEW CRITICAL security feature using industry-standard Secretlint:
- Detects 350+ types of hardcoded secrets (AWS keys, GitHub tokens, NPM tokens, SSH keys, API keys, etc.)
- All secrets marked as **CRITICAL severity** for immediate attention
- Context-aware remediation suggestions for each secret type
- Integrated seamlessly with existing detectors
- New `SecretDetector` infrastructure component using `@secretlint/node`
- New `SecretViolation` value object with rich examples
- New `ISecretDetector` domain interface
- CLI output with "🔐 Found X hardcoded secrets - CRITICAL SECURITY RISK" section
- Added dependencies: `@secretlint/node`, `@secretlint/core`, `@secretlint/types`, `@secretlint/secretlint-rule-preset-recommend`
### Changed
- 🔄 **Pipeline async support** - `DetectionPipeline.execute()` now async for secret detection
- 📊 **Test suite expanded** - Added 47 new tests (23 for SecretViolation, 24 for SecretDetector)
- Total: 566 tests (was 519), 100% pass rate
- Coverage: 93.3% statements, 83.74% branches, 98.17% functions
- SecretViolation: 100% coverage
- 📝 **Documentation updated**:
- README.md: Added Secret Detection section with examples
- ROADMAP.md: Marked v0.8.0 as released
- Updated package description to mention secrets detection
### Security
- 🛡️ **Prevents credentials in version control** - catches AWS, GitHub, NPM, SSH, Slack, GCP secrets before commit
- ⚠️ **CRITICAL violations** - all hardcoded secrets immediately flagged with highest severity
- 💡 **Smart remediation** - provides specific guidance per secret type (environment variables, secret managers, etc.)
## [0.7.9] - 2025-11-25
### Changed

26
packages/guardian/README.md
View File

@@ -72,7 +72,7 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- Prevents "new Repository()" anti-pattern
- 📚 *Based on: Martin Fowler's Repository Pattern, DDD (Evans 2003)* → [Why?](./docs/WHY.md#repository-pattern)
🔒 **Aggregate Boundary Validation** ✨ NEW
🔒 **Aggregate Boundary Validation**
- Detects direct entity references across DDD aggregates
- Enforces reference-by-ID or Value Object pattern
- Prevents tight coupling between aggregates
@@ -81,6 +81,15 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- Critical severity for maintaining aggregate independence
- 📚 *Based on: Domain-Driven Design (Evans 2003), Implementing DDD (Vernon 2013)* → [Why?](./docs/WHY.md#aggregate-boundaries)
🔐 **Secret Detection** ✨ NEW in v0.8.0
- Detects 350+ types of hardcoded secrets using industry-standard Secretlint
- Catches AWS keys, GitHub tokens, NPM tokens, SSH keys, API keys, and more
- All secrets marked as **CRITICAL severity** - immediate security risk
- Context-aware remediation suggestions for each secret type
- Prevents credentials from reaching version control
- Integrates seamlessly with existing detectors
- 📚 *Based on: OWASP Top 10, CWE-798 (Hardcoded Credentials), NIST Security Guidelines* → [Learn more](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)
🏗️ **Clean Architecture Enforcement**
- Built with DDD principles
- Layered architecture (Domain, Application, Infrastructure)
@@ -366,6 +375,15 @@ const result = await analyzeProject({
})
console.log(`Found ${result.hardcodeViolations.length} hardcoded values`)
console.log(`Found ${result.secretViolations.length} hardcoded secrets 🔐`)
// Check for critical security issues first!
result.secretViolations.forEach((violation) => {
console.log(`🔐 CRITICAL: ${violation.file}:${violation.line}`)
console.log(` Secret Type: ${violation.secretType}`)
console.log(` ${violation.message}`)
console.log(` ⚠️ Rotate this secret immediately!`)
})
result.hardcodeViolations.forEach((violation) => {
console.log(`${violation.file}:${violation.line}`)
@@ -394,9 +412,9 @@ npx @samiyev/guardian check ./src --verbose
npx @samiyev/guardian check ./src --no-hardcode # Skip hardcode detection
npx @samiyev/guardian check ./src --no-architecture # Skip architecture checks
# Filter by severity
npx @samiyev/guardian check ./src --min-severity high # Show high, critical only
npx @samiyev/guardian check ./src --only-critical # Show only critical issues
# Filter by severity (perfect for finding secrets first!)
npx @samiyev/guardian check ./src --only-critical # Show only critical issues (secrets, circular deps)
npx @samiyev/guardian check ./src --min-severity high # Show high and critical only
# Limit detailed output (useful for large codebases)
npx @samiyev/guardian check ./src --limit 10 # Show first 10 violations per category

20
packages/guardian/ROADMAP.md
View File

@@ -2,7 +2,20 @@
This document outlines the current features and future plans for @puaros/guardian.
## Current Version: 0.7.5 ✅ RELEASED
## Current Version: 0.9.0 ✅ RELEASED
**Released:** 2025-11-26
### What's New in 0.9.0
- 🏛️ **Anemic Model Detection** - NEW feature to detect anemic domain models lacking business logic
-**100% clean codebase** - Guardian now passes its own self-check with 0 issues
- 📦 **New shared constants** - Added CLASS_KEYWORDS and EXAMPLE_CODE_CONSTANTS
-**All 578 tests passing** - Added 12 new tests for anemic model detection
---
## Previous Version: 0.8.1 ✅ RELEASED
**Released:** 2025-11-25
@@ -452,8 +465,9 @@ Refactored largest detectors to reduce complexity and improve maintainability.
---
### Version 0.8.0 - Secret Detection 🔐
**Target:** Q1 2025
### Version 0.8.0 - Secret Detection 🔐 ✅ RELEASED
**Released:** 2025-11-25
**Priority:** CRITICAL
Detect hardcoded secrets (API keys, tokens, credentials) using industry-standard Secretlint library.

38
packages/guardian/examples/bad/domain/entities/anemic-model-only-getters-setters.ts Normal file
View File

@@ -0,0 +1,38 @@
/**
* BAD EXAMPLE: Anemic Domain Model
*
* This Order class only has getters and setters without any business logic.
* All business logic is likely scattered in services (procedural approach).
*
* This violates Domain-Driven Design principles.
*/
class Order {
private status: string
private total: number
private items: any[]
getStatus(): string {
return this.status
}
setStatus(status: string): void {
this.status = status
}
getTotal(): number {
return this.total
}
setTotal(total: number): void {
this.total = total
}
getItems(): any[] {
return this.items
}
setItems(items: any[]): void {
this.items = items
}
}

34
packages/guardian/examples/bad/domain/entities/anemic-model-public-setters.ts Normal file
View File

@@ -0,0 +1,34 @@
/**
* BAD EXAMPLE: Anemic Domain Model with Public Setters
*
* This User class has public setters which is an anti-pattern in DDD.
* Public setters allow uncontrolled state changes without validation or business rules.
*
* This violates Domain-Driven Design principles and encapsulation.
*/
class User {
private email: string
private password: string
private status: string
public setEmail(email: string): void {
this.email = email
}
public getEmail(): string {
return this.email
}
public setPassword(password: string): void {
this.password = password
}
public setStatus(status: string): void {
this.status = status
}
public getStatus(): string {
return this.status
}
}

139
packages/guardian/examples/good-architecture/domain/entities/Customer.ts Normal file
View File

@@ -0,0 +1,139 @@
/**
* GOOD EXAMPLE: Rich Domain Model with Business Logic
*
* This Customer class encapsulates business rules and state transitions.
* No public setters - all changes go through business methods.
*
* This follows Domain-Driven Design and encapsulation principles.
*/
interface Address {
street: string
city: string
country: string
postalCode: string
}
interface DomainEvent {
type: string
data: any
}
class Customer {
private readonly id: string
private email: string
private isActive: boolean
private loyaltyPoints: number
private address: Address | null
private readonly events: DomainEvent[] = []
constructor(id: string, email: string) {
this.id = id
this.email = email
this.isActive = true
this.loyaltyPoints = 0
this.address = null
}
public activate(): void {
if (this.isActive) {
throw new Error("Customer is already active")
}
this.isActive = true
this.events.push({
type: "CustomerActivated",
data: { customerId: this.id },
})
}
public deactivate(reason: string): void {
if (!this.isActive) {
throw new Error("Customer is already inactive")
}
this.isActive = false
this.events.push({
type: "CustomerDeactivated",
data: { customerId: this.id, reason },
})
}
public changeEmail(newEmail: string): void {
if (!this.isValidEmail(newEmail)) {
throw new Error("Invalid email format")
}
if (this.email === newEmail) {
return
}
const oldEmail = this.email
this.email = newEmail
this.events.push({
type: "EmailChanged",
data: { customerId: this.id, oldEmail, newEmail },
})
}
public updateAddress(address: Address): void {
if (!this.isValidAddress(address)) {
throw new Error("Invalid address")
}
this.address = address
this.events.push({
type: "AddressUpdated",
data: { customerId: this.id },
})
}
public addLoyaltyPoints(points: number): void {
if (points <= 0) {
throw new Error("Points must be positive")
}
if (!this.isActive) {
throw new Error("Cannot add points to inactive customer")
}
this.loyaltyPoints += points
this.events.push({
type: "LoyaltyPointsAdded",
data: { customerId: this.id, points },
})
}
public redeemLoyaltyPoints(points: number): void {
if (points <= 0) {
throw new Error("Points must be positive")
}
if (this.loyaltyPoints < points) {
throw new Error("Insufficient loyalty points")
}
this.loyaltyPoints -= points
this.events.push({
type: "LoyaltyPointsRedeemed",
data: { customerId: this.id, points },
})
}
public getEmail(): string {
return this.email
}
public getLoyaltyPoints(): number {
return this.loyaltyPoints
}
public getAddress(): Address | null {
return this.address ? { ...this.address } : null
}
public getEvents(): DomainEvent[] {
return [...this.events]
}
private isValidEmail(email: string): boolean {
return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)
}
private isValidAddress(address: Address): boolean {
return !!address.street && !!address.city && !!address.country && !!address.postalCode
}
}
export { Customer }

104
packages/guardian/examples/good-architecture/domain/entities/Order.ts Normal file
View File

@@ -0,0 +1,104 @@
/**
* GOOD EXAMPLE: Rich Domain Model
*
* This Order class contains business logic and enforces business rules.
* State changes are made through business methods, not setters.
*
* This follows Domain-Driven Design principles.
*/
type OrderStatus = "pending" | "approved" | "rejected" | "shipped"
interface OrderItem {
productId: string
quantity: number
price: number
}
interface DomainEvent {
type: string
data: any
}
class Order {
private readonly id: string
private status: OrderStatus
private items: OrderItem[]
private readonly events: DomainEvent[] = []
constructor(id: string, items: OrderItem[]) {
this.id = id
this.status = "pending"
this.items = items
}
public approve(): void {
if (!this.canBeApproved()) {
throw new Error("Cannot approve order in current state")
}
this.status = "approved"
this.events.push({
type: "OrderApproved",
data: { orderId: this.id },
})
}
public reject(reason: string): void {
if (!this.canBeRejected()) {
throw new Error("Cannot reject order in current state")
}
this.status = "rejected"
this.events.push({
type: "OrderRejected",
data: { orderId: this.id, reason },
})
}
public ship(): void {
if (!this.canBeShipped()) {
throw new Error("Order must be approved before shipping")
}
this.status = "shipped"
this.events.push({
type: "OrderShipped",
data: { orderId: this.id },
})
}
public addItem(item: OrderItem): void {
if (this.status !== "pending") {
throw new Error("Cannot modify approved or shipped order")
}
this.items.push(item)
}
public calculateTotal(): number {
return this.items.reduce((sum, item) => sum + item.price * item.quantity, 0)
}
public getStatus(): OrderStatus {
return this.status
}
public getItems(): OrderItem[] {
return [...this.items]
}
public getEvents(): DomainEvent[] {
return [...this.events]
}
private canBeApproved(): boolean {
return this.status === "pending" && this.items.length > 0
}
private canBeRejected(): boolean {
return this.status === "pending"
}
private canBeShipped(): boolean {
return this.status === "approved"
}
}
export { Order }

8
packages/guardian/package.json
View File

@@ -1,7 +1,7 @@
{
"name": "@samiyev/guardian",
"version": "0.7.9",
"description": "Research-backed code quality guardian for AI-assisted development. Detects hardcodes, circular deps, framework leaks, entity exposure, and 8 architecture violations. Enforces Clean Architecture/DDD principles. Works with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline, and any AI coding tool.",
"version": "0.9.0",
"description": "Research-backed code quality guardian for AI-assisted development. Detects hardcodes, secrets, circular deps, framework leaks, entity exposure, and 9 architecture violations. Enforces Clean Architecture/DDD principles. Works with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline, and any AI coding tool.",
"keywords": [
"puaros",
"guardian",
@@ -82,6 +82,10 @@
"guardian": "./bin/guardian.js"
},
"dependencies": {
"@secretlint/core": "^11.2.5",
"@secretlint/node": "^11.2.5",
"@secretlint/secretlint-rule-preset-recommend": "^11.2.5",
"@secretlint/types": "^11.2.5",
"commander": "^12.1.0",
"simple-git": "^3.30.0",
"tree-sitter": "^0.21.1",

9
packages/guardian/src/api.ts
View File

@@ -12,6 +12,8 @@ import { IEntityExposureDetector } from "./domain/services/IEntityExposureDetect
import { IDependencyDirectionDetector } from "./domain/services/IDependencyDirectionDetector"
import { IRepositoryPatternDetector } from "./domain/services/RepositoryPatternDetectorService"
import { IAggregateBoundaryDetector } from "./domain/services/IAggregateBoundaryDetector"
import { ISecretDetector } from "./domain/services/ISecretDetector"
import { IAnemicModelDetector } from "./domain/services/IAnemicModelDetector"
import { FileScanner } from "./infrastructure/scanners/FileScanner"
import { CodeParser } from "./infrastructure/parsers/CodeParser"
import { HardcodeDetector } from "./infrastructure/analyzers/HardcodeDetector"
@@ -21,6 +23,8 @@ import { EntityExposureDetector } from "./infrastructure/analyzers/EntityExposur
import { DependencyDirectionDetector } from "./infrastructure/analyzers/DependencyDirectionDetector"
import { RepositoryPatternDetector } from "./infrastructure/analyzers/RepositoryPatternDetector"
import { AggregateBoundaryDetector } from "./infrastructure/analyzers/AggregateBoundaryDetector"
import { SecretDetector } from "./infrastructure/analyzers/SecretDetector"
import { AnemicModelDetector } from "./infrastructure/analyzers/AnemicModelDetector"
import { ERROR_MESSAGES } from "./shared/constants"
/**
@@ -79,6 +83,8 @@ export async function analyzeProject(
new DependencyDirectionDetector()
const repositoryPatternDetector: IRepositoryPatternDetector = new RepositoryPatternDetector()
const aggregateBoundaryDetector: IAggregateBoundaryDetector = new AggregateBoundaryDetector()
const secretDetector: ISecretDetector = new SecretDetector()
const anemicModelDetector: IAnemicModelDetector = new AnemicModelDetector()
const useCase = new AnalyzeProject(
fileScanner,
codeParser,
@@ -89,6 +95,8 @@ export async function analyzeProject(
dependencyDirectionDetector,
repositoryPatternDetector,
aggregateBoundaryDetector,
secretDetector,
anemicModelDetector,
)
const result = await useCase.execute(options)
@@ -112,5 +120,6 @@ export type {
DependencyDirectionViolation,
RepositoryPatternViolation,
AggregateBoundaryViolation,
AnemicModelViolation,
ProjectMetrics,
} from "./application/use-cases/AnalyzeProject"

60
packages/guardian/src/application/use-cases/AnalyzeProject.ts
View File

@@ -9,12 +9,14 @@ import { IEntityExposureDetector } from "../../domain/services/IEntityExposureDe
import { IDependencyDirectionDetector } from "../../domain/services/IDependencyDirectionDetector"
import { IRepositoryPatternDetector } from "../../domain/services/RepositoryPatternDetectorService"
import { IAggregateBoundaryDetector } from "../../domain/services/IAggregateBoundaryDetector"
import { ISecretDetector } from "../../domain/services/ISecretDetector"
import { IAnemicModelDetector } from "../../domain/services/IAnemicModelDetector"
import { SourceFile } from "../../domain/entities/SourceFile"
import { DependencyGraph } from "../../domain/entities/DependencyGraph"
import { FileCollectionStep } from "./pipeline/FileCollectionStep"
import { ParsingStep } from "./pipeline/ParsingStep"
import { DetectionPipeline } from "./pipeline/DetectionPipeline"
import { ResultAggregator } from "./pipeline/ResultAggregator"
import { CollectFiles } from "./pipeline/CollectFiles"
import { ParseSourceFiles } from "./pipeline/ParseSourceFiles"
import { ExecuteDetection } from "./pipeline/ExecuteDetection"
import { AggregateResults } from "./pipeline/AggregateResults"
import {
ERROR_MESSAGES,
HARDCODE_TYPES,
@@ -42,6 +44,8 @@ export interface AnalyzeProjectResponse {
dependencyDirectionViolations: DependencyDirectionViolation[]
repositoryPatternViolations: RepositoryPatternViolation[]
aggregateBoundaryViolations: AggregateBoundaryViolation[]
secretViolations: SecretViolation[]
anemicModelViolations: AnemicModelViolation[]
metrics: ProjectMetrics
}
@@ -163,6 +167,32 @@ export interface AggregateBoundaryViolation {
severity: SeverityLevel
}
export interface SecretViolation {
rule: typeof RULES.SECRET_EXPOSURE
secretType: string
file: string
line: number
column: number
message: string
suggestion: string
severity: SeverityLevel
}
export interface AnemicModelViolation {
rule: typeof RULES.ANEMIC_MODEL
className: string
file: string
layer: string
line?: number
methodCount: number
propertyCount: number
hasOnlyGettersSetters: boolean
hasPublicSetters: boolean
message: string
suggestion: string
severity: SeverityLevel
}
export interface ProjectMetrics {
totalFiles: number
totalFunctions: number
@@ -178,10 +208,10 @@ export class AnalyzeProject extends UseCase<
AnalyzeProjectRequest,
ResponseDto<AnalyzeProjectResponse>
> {
private readonly fileCollectionStep: FileCollectionStep
private readonly parsingStep: ParsingStep
private readonly detectionPipeline: DetectionPipeline
private readonly resultAggregator: ResultAggregator
private readonly fileCollectionStep: CollectFiles
private readonly parsingStep: ParseSourceFiles
private readonly detectionPipeline: ExecuteDetection
private readonly resultAggregator: AggregateResults
constructor(
fileScanner: IFileScanner,
@@ -193,11 +223,13 @@ export class AnalyzeProject extends UseCase<
dependencyDirectionDetector: IDependencyDirectionDetector,
repositoryPatternDetector: IRepositoryPatternDetector,
aggregateBoundaryDetector: IAggregateBoundaryDetector,
secretDetector: ISecretDetector,
anemicModelDetector: IAnemicModelDetector,
) {
super()
this.fileCollectionStep = new FileCollectionStep(fileScanner)
this.parsingStep = new ParsingStep(codeParser)
this.detectionPipeline = new DetectionPipeline(
this.fileCollectionStep = new CollectFiles(fileScanner)
this.parsingStep = new ParseSourceFiles(codeParser)
this.detectionPipeline = new ExecuteDetection(
hardcodeDetector,
namingConventionDetector,
frameworkLeakDetector,
@@ -205,8 +237,10 @@ export class AnalyzeProject extends UseCase<
dependencyDirectionDetector,
repositoryPatternDetector,
aggregateBoundaryDetector,
secretDetector,
anemicModelDetector,
)
this.resultAggregator = new ResultAggregator()
this.resultAggregator = new AggregateResults()
}
public async execute(
@@ -224,7 +258,7 @@ export class AnalyzeProject extends UseCase<
rootDir: request.rootDir,
})
const detectionResult = this.detectionPipeline.execute({
const detectionResult = await this.detectionPipeline.execute({
sourceFiles,
dependencyGraph,
})

8
packages/guardian/src/application/use-cases/pipeline/ResultAggregator.ts → packages/guardian/src/application/use-cases/pipeline/AggregateResults.ts
View File

@@ -3,6 +3,7 @@ import { DependencyGraph } from "../../../domain/entities/DependencyGraph"
import type {
AggregateBoundaryViolation,
AnalyzeProjectResponse,
AnemicModelViolation,
ArchitectureViolation,
CircularDependencyViolation,
DependencyDirectionViolation,
@@ -12,6 +13,7 @@ import type {
NamingConventionViolation,
ProjectMetrics,
RepositoryPatternViolation,
SecretViolation,
} from "../AnalyzeProject"
export interface AggregationRequest {
@@ -27,12 +29,14 @@ export interface AggregationRequest {
dependencyDirectionViolations: DependencyDirectionViolation[]
repositoryPatternViolations: RepositoryPatternViolation[]
aggregateBoundaryViolations: AggregateBoundaryViolation[]
secretViolations: SecretViolation[]
anemicModelViolations: AnemicModelViolation[]
}
/**
* Pipeline step responsible for building final response DTO
*/
export class ResultAggregator {
export class AggregateResults {
public execute(request: AggregationRequest): AnalyzeProjectResponse {
const metrics = this.calculateMetrics(
request.sourceFiles,
@@ -52,6 +56,8 @@ export class ResultAggregator {
dependencyDirectionViolations: request.dependencyDirectionViolations,
repositoryPatternViolations: request.repositoryPatternViolations,
aggregateBoundaryViolations: request.aggregateBoundaryViolations,
secretViolations: request.secretViolations,
anemicModelViolations: request.anemicModelViolations,
metrics,
}
}

2
packages/guardian/src/application/use-cases/pipeline/FileCollectionStep.ts → packages/guardian/src/application/use-cases/pipeline/CollectFiles.ts
View File

@@ -16,7 +16,7 @@ export interface FileCollectionResult {
/**
* Pipeline step responsible for file collection and basic parsing
*/
export class FileCollectionStep {
export class CollectFiles {
constructor(private readonly fileScanner: IFileScanner) {}
public async execute(request: FileCollectionRequest): Promise<FileCollectionResult> {

75
packages/guardian/src/application/use-cases/pipeline/DetectionPipeline.ts → packages/guardian/src/application/use-cases/pipeline/ExecuteDetection.ts
View File

@@ -5,6 +5,8 @@ import { IEntityExposureDetector } from "../../../domain/services/IEntityExposur
import { IDependencyDirectionDetector } from "../../../domain/services/IDependencyDirectionDetector"
import { IRepositoryPatternDetector } from "../../../domain/services/RepositoryPatternDetectorService"
import { IAggregateBoundaryDetector } from "../../../domain/services/IAggregateBoundaryDetector"
import { ISecretDetector } from "../../../domain/services/ISecretDetector"
import { IAnemicModelDetector } from "../../../domain/services/IAnemicModelDetector"
import { SourceFile } from "../../../domain/entities/SourceFile"
import { DependencyGraph } from "../../../domain/entities/DependencyGraph"
import {
@@ -17,6 +19,7 @@ import {
} from "../../../shared/constants"
import type {
AggregateBoundaryViolation,
AnemicModelViolation,
ArchitectureViolation,
CircularDependencyViolation,
DependencyDirectionViolation,
@@ -25,6 +28,7 @@ import type {
HardcodeViolation,
NamingConventionViolation,
RepositoryPatternViolation,
SecretViolation,
} from "../AnalyzeProject"
export interface DetectionRequest {
@@ -42,12 +46,14 @@ export interface DetectionResult {
dependencyDirectionViolations: DependencyDirectionViolation[]
repositoryPatternViolations: RepositoryPatternViolation[]
aggregateBoundaryViolations: AggregateBoundaryViolation[]
secretViolations: SecretViolation[]
anemicModelViolations: AnemicModelViolation[]
}
/**
* Pipeline step responsible for running all detectors
*/
export class DetectionPipeline {
export class ExecuteDetection {
constructor(
private readonly hardcodeDetector: IHardcodeDetector,
private readonly namingConventionDetector: INamingConventionDetector,
@@ -56,9 +62,13 @@ export class DetectionPipeline {
private readonly dependencyDirectionDetector: IDependencyDirectionDetector,
private readonly repositoryPatternDetector: IRepositoryPatternDetector,
private readonly aggregateBoundaryDetector: IAggregateBoundaryDetector,
private readonly secretDetector: ISecretDetector,
private readonly anemicModelDetector: IAnemicModelDetector,
) {}
public execute(request: DetectionRequest): DetectionResult {
public async execute(request: DetectionRequest): Promise<DetectionResult> {
const secretViolations = await this.detectSecrets(request.sourceFiles)
return {
violations: this.sortBySeverity(this.detectViolations(request.sourceFiles)),
hardcodeViolations: this.sortBySeverity(this.detectHardcode(request.sourceFiles)),
@@ -83,6 +93,10 @@ export class DetectionPipeline {
aggregateBoundaryViolations: this.sortBySeverity(
this.detectAggregateBoundaryViolations(request.sourceFiles),
),
secretViolations: this.sortBySeverity(secretViolations),
anemicModelViolations: this.sortBySeverity(
this.detectAnemicModels(request.sourceFiles),
),
}
}
@@ -365,6 +379,63 @@ export class DetectionPipeline {
return violations
}
private async detectSecrets(sourceFiles: SourceFile[]): Promise<SecretViolation[]> {
const violations: SecretViolation[] = []
for (const file of sourceFiles) {
const secretViolations = await this.secretDetector.detectAll(
file.content,
file.path.relative,
)
for (const secret of secretViolations) {
violations.push({
rule: RULES.SECRET_EXPOSURE,
secretType: secret.secretType,
file: file.path.relative,
line: secret.line,
column: secret.column,
message: secret.getMessage(),
suggestion: secret.getSuggestion(),
severity: "critical",
})
}
}
return violations
}
private detectAnemicModels(sourceFiles: SourceFile[]): AnemicModelViolation[] {
const violations: AnemicModelViolation[] = []
for (const file of sourceFiles) {
const anemicModels = this.anemicModelDetector.detectAnemicModels(
file.content,
file.path.relative,
file.layer,
)
for (const anemicModel of anemicModels) {
violations.push({
rule: RULES.ANEMIC_MODEL,
className: anemicModel.className,
file: file.path.relative,
layer: anemicModel.layer,
line: anemicModel.line,
methodCount: anemicModel.methodCount,
propertyCount: anemicModel.propertyCount,
hasOnlyGettersSetters: anemicModel.hasOnlyGettersSetters,
hasPublicSetters: anemicModel.hasPublicSetters,
message: anemicModel.getMessage(),
suggestion: anemicModel.getSuggestion(),
severity: VIOLATION_SEVERITY_MAP.ANEMIC_MODEL,
})
}
}
return violations
}
private sortBySeverity<T extends { severity: SeverityLevel }>(violations: T[]): T[] {
return violations.sort((a, b) => {
return SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]

2
packages/guardian/src/application/use-cases/pipeline/ParsingStep.ts → packages/guardian/src/application/use-cases/pipeline/ParseSourceFiles.ts
View File

@@ -15,7 +15,7 @@ export interface ParsingResult {
/**
* Pipeline step responsible for AST parsing and dependency graph construction
*/
export class ParsingStep {
export class ParseSourceFiles {
constructor(private readonly codeParser: ICodeParser) {}
public execute(request: ParsingRequest): ParsingResult {

45
packages/guardian/src/cli/formatters/OutputFormatter.ts
View File

@@ -1,6 +1,7 @@
import { SEVERITY_LEVELS, type SeverityLevel } from "../../shared/constants"
import type {
AggregateBoundaryViolation,
AnemicModelViolation,
ArchitectureViolation,
CircularDependencyViolation,
DependencyDirectionViolation,
@@ -9,6 +10,7 @@ import type {
HardcodeViolation,
NamingConventionViolation,
RepositoryPatternViolation,
SecretViolation,
} from "../../application/use-cases/AnalyzeProject"
import { SEVERITY_DISPLAY_LABELS, SEVERITY_SECTION_HEADERS } from "../constants"
import { ViolationGrouper } from "../groupers/ViolationGrouper"
@@ -177,6 +179,22 @@ export class OutputFormatter {
console.log("")
}
formatSecretViolation(sv: SecretViolation, index: number): void {
const location = `${sv.file}:${String(sv.line)}:${String(sv.column)}`
console.log(`${String(index + 1)}. ${location}`)
console.log(` Severity: ${SEVERITY_LABELS[sv.severity]} ⚠️`)
console.log(` Secret Type: ${sv.secretType}`)
console.log(` ${sv.message}`)
console.log(" 🔐 CRITICAL: Rotate this secret immediately!")
console.log(" 💡 Suggestion:")
sv.suggestion.split("\n").forEach((line) => {
if (line.trim()) {
console.log(` ${line}`)
}
})
console.log("")
}
formatHardcodeViolation(hc: HardcodeViolation, index: number): void {
console.log(`${String(index + 1)}. ${hc.file}:${String(hc.line)}:${String(hc.column)}`)
console.log(` Severity: ${SEVERITY_LABELS[hc.severity]}`)
@@ -187,4 +205,31 @@ export class OutputFormatter {
console.log(` 📁 Location: ${hc.suggestion.location}`)
console.log("")
}
formatAnemicModelViolation(am: AnemicModelViolation, index: number): void {
const location = am.line ? `${am.file}:${String(am.line)}` : am.file
console.log(`${String(index + 1)}. ${location}`)
console.log(` Severity: ${SEVERITY_LABELS[am.severity]}`)
console.log(` Class: ${am.className}`)
console.log(` Layer: ${am.layer}`)
console.log(
` Methods: ${String(am.methodCount)} | Properties: ${String(am.propertyCount)}`,
)
if (am.hasPublicSetters) {
console.log(" ⚠️ Has public setters (DDD anti-pattern)")
}
if (am.hasOnlyGettersSetters) {
console.log(" ⚠️ Only getters/setters (no business logic)")
}
console.log(` ${am.message}`)
console.log(" 💡 Suggestion:")
am.suggestion.split("\n").forEach((line) => {
if (line.trim()) {
console.log(` ${line}`)
}
})
console.log("")
}
}

34
packages/guardian/src/cli/index.ts
View File

@@ -92,6 +92,8 @@ program
dependencyDirectionViolations,
repositoryPatternViolations,
aggregateBoundaryViolations,
secretViolations,
anemicModelViolations,
} = result
const minSeverity: SeverityLevel | undefined = options.onlyCritical
@@ -132,6 +134,8 @@ program
aggregateBoundaryViolations,
minSeverity,
)
secretViolations = grouper.filterBySeverity(secretViolations, minSeverity)
anemicModelViolations = grouper.filterBySeverity(anemicModelViolations, minSeverity)
statsFormatter.displaySeverityFilterMessage(
options.onlyCritical,
@@ -245,6 +249,32 @@ program
)
}
if (secretViolations.length > 0) {
console.log(
`\n🔐 Found ${String(secretViolations.length)} hardcoded secret(s) - CRITICAL SECURITY RISK`,
)
outputFormatter.displayGroupedViolations(
secretViolations,
(sv, i) => {
outputFormatter.formatSecretViolation(sv, i)
},
limit,
)
}
if (anemicModelViolations.length > 0) {
console.log(
`\n🩺 Found ${String(anemicModelViolations.length)} anemic domain model(s)`,
)
outputFormatter.displayGroupedViolations(
anemicModelViolations,
(am, i) => {
outputFormatter.formatAnemicModelViolation(am, i)
},
limit,
)
}
if (options.hardcode && hardcodeViolations.length > 0) {
console.log(
`\n${CLI_MESSAGES.HARDCODE_VIOLATIONS_HEADER} ${String(hardcodeViolations.length)} ${CLI_LABELS.HARDCODE_VIOLATIONS}`,
@@ -267,7 +297,9 @@ program
entityExposureViolations.length +
dependencyDirectionViolations.length +
repositoryPatternViolations.length +
aggregateBoundaryViolations.length
aggregateBoundaryViolations.length +
secretViolations.length +
anemicModelViolations.length
statsFormatter.displaySummary(totalIssues, options.verbose)
} catch (error) {

20
packages/guardian/src/domain/constants/Messages.ts
View File

@@ -60,3 +60,23 @@ export const AGGREGATE_VIOLATION_MESSAGES = {
AVOID_DIRECT_REFERENCE: "3. Avoid direct entity references to maintain aggregate independence",
MAINTAIN_INDEPENDENCE: "4. Each aggregate should be independently modifiable and deployable",
}
export const SECRET_VIOLATION_MESSAGES = {
USE_ENV_VARIABLES: "1. Use environment variables for sensitive data (process.env.API_KEY)",
USE_SECRET_MANAGER:
"2. Use secret management services (AWS Secrets Manager, HashiCorp Vault, etc.)",
NEVER_COMMIT_SECRETS: "3. Never commit secrets to version control",
ROTATE_IF_EXPOSED: "4. If secret was committed, rotate it immediately",
USE_GITIGNORE: "5. Add secret files to .gitignore (.env, credentials.json, etc.)",
}
export const ANEMIC_MODEL_MESSAGES = {
REMOVE_PUBLIC_SETTERS: "1. Remove public setters - they allow uncontrolled state changes",
USE_METHODS_FOR_CHANGES: "2. Use business methods instead (approve(), cancel(), addItem())",
ENCAPSULATE_INVARIANTS: "3. Encapsulate business rules and invariants in methods",
ADD_BUSINESS_METHODS: "1. Add business logic methods to the entity",
MOVE_LOGIC_FROM_SERVICES:
"2. Move business logic from services to domain entities where it belongs",
ENCAPSULATE_BUSINESS_RULES: "3. Encapsulate business rules inside entity methods",
USE_DOMAIN_EVENTS: "4. Use domain events to communicate state changes",
}

79
packages/guardian/src/domain/constants/SecretExamples.ts Normal file
View File

@@ -0,0 +1,79 @@
/**
* Secret detection constants
* All hardcoded strings related to secret detection and examples
*/
export const SECRET_KEYWORDS = {
AWS: "aws",
GITHUB: "github",
NPM: "npm",
SSH: "ssh",
PRIVATE_KEY: "private key",
SLACK: "slack",
API_KEY: "api key",
APIKEY: "apikey",
ACCESS_KEY: "access key",
SECRET: "secret",
TOKEN: "token",
PASSWORD: "password",
USER: "user",
BOT: "bot",
RSA: "rsa",
DSA: "dsa",
ECDSA: "ecdsa",
ED25519: "ed25519",
BASICAUTH: "basicauth",
GCP: "gcp",
GOOGLE: "google",
PRIVATEKEY: "privatekey",
PERSONAL_ACCESS_TOKEN: "personal access token",
OAUTH: "oauth",
} as const
export const SECRET_TYPE_NAMES = {
AWS_ACCESS_KEY: "AWS Access Key",
AWS_SECRET_KEY: "AWS Secret Key",
AWS_CREDENTIAL: "AWS Credential",
GITHUB_PERSONAL_ACCESS_TOKEN: "GitHub Personal Access Token",
GITHUB_OAUTH_TOKEN: "GitHub OAuth Token",
GITHUB_TOKEN: "GitHub Token",
NPM_TOKEN: "NPM Token",
GCP_SERVICE_ACCOUNT_KEY: "GCP Service Account Key",
SSH_RSA_PRIVATE_KEY: "SSH RSA Private Key",
SSH_DSA_PRIVATE_KEY: "SSH DSA Private Key",
SSH_ECDSA_PRIVATE_KEY: "SSH ECDSA Private Key",
SSH_ED25519_PRIVATE_KEY: "SSH Ed25519 Private Key",
SSH_PRIVATE_KEY: "SSH Private Key",
SLACK_BOT_TOKEN: "Slack Bot Token",
SLACK_USER_TOKEN: "Slack User Token",
SLACK_TOKEN: "Slack Token",
BASIC_AUTH_CREDENTIALS: "Basic Authentication Credentials",
API_KEY: "API Key",
AUTHENTICATION_TOKEN: "Authentication Token",
PASSWORD: "Password",
SECRET: "Secret",
SENSITIVE_DATA: "Sensitive Data",
} as const
export const SECRET_EXAMPLE_VALUES = {
AWS_ACCESS_KEY_ID: "AKIA1234567890ABCDEF",
AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
GITHUB_TOKEN: "ghp_1234567890abcdefghijklmnopqrstuv",
NPM_TOKEN: "npm_abc123xyz",
SLACK_TOKEN: "xoxb-<token-here>",
API_KEY: "sk_live_XXXXXXXXXXXXXXXXXXXX_example_key",
HARDCODED_SECRET: "hardcoded-secret-value",
} as const
export const FILE_ENCODING = {
UTF8: "utf-8",
} as const
export const REGEX_ESCAPE_PATTERN = {
DOLLAR_AMPERSAND: "\\$&",
} as const
export const DYNAMIC_IMPORT_PATTERN_PARTS = {
QUOTE_START: '"`][^',
QUOTE_END: "`]+['\"",
} as const

29
packages/guardian/src/domain/services/IAnemicModelDetector.ts Normal file
View File

@@ -0,0 +1,29 @@
import { AnemicModelViolation } from "../value-objects/AnemicModelViolation"
/**
* Interface for detecting anemic domain model violations in the codebase
*
* Anemic domain models are entities that contain only getters/setters
* without business logic. This anti-pattern violates Domain-Driven Design
* principles and leads to procedural code scattered in services.
*/
export interface IAnemicModelDetector {
/**
* Detects anemic model violations in the given code
*
* Analyzes classes in domain/entities to identify:
* - Classes with only getters and setters (no business logic)
* - Classes with public setters (DDD anti-pattern)
* - Classes with low method-to-property ratio
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @param layer - The architectural layer of the file (domain, application, infrastructure, shared)
* @returns Array of detected anemic model violations
*/
detectAnemicModels(
code: string,
filePath: string,
layer: string | undefined,
): AnemicModelViolation[]
}

34
packages/guardian/src/domain/services/ISecretDetector.ts Normal file
View File

@@ -0,0 +1,34 @@
import { SecretViolation } from "../value-objects/SecretViolation"
/**
* Interface for detecting hardcoded secrets in source code
*
* Detects sensitive data like API keys, tokens, passwords, and credentials
* that should never be hardcoded in source code. Uses industry-standard
* Secretlint library for pattern matching.
*
* All detected secrets are marked as CRITICAL severity violations.
*
* @example
* ```typescript
* const detector: ISecretDetector = new SecretDetector()
* const violations = await detector.detectAll(
* 'const AWS_KEY = "AKIA1234567890ABCDEF"',
* 'src/config/aws.ts'
* )
*
* violations.forEach(v => {
* console.log(v.getMessage()) // "Hardcoded AWS Access Key detected"
* })
* ```
*/
export interface ISecretDetector {
/**
* Detect all types of hardcoded secrets in the provided code
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @returns Array of secret violations found
*/
detectAll(code: string, filePath: string): Promise<SecretViolation[]>
}

240
packages/guardian/src/domain/value-objects/AnemicModelViolation.ts Normal file
View File

@@ -0,0 +1,240 @@
import { ValueObject } from "./ValueObject"
import { ANEMIC_MODEL_MESSAGES } from "../constants/Messages"
import { EXAMPLE_CODE_CONSTANTS } from "../../shared/constants"
interface AnemicModelViolationProps {
readonly className: string
readonly filePath: string
readonly layer: string
readonly line?: number
readonly methodCount: number
readonly propertyCount: number
readonly hasOnlyGettersSetters: boolean
readonly hasPublicSetters: boolean
}
/**
* Represents an anemic domain model violation in the codebase
*
* Anemic domain model occurs when entities have only getters/setters
* without business logic. This violates Domain-Driven Design principles
* and leads to procedural code instead of object-oriented design.
*
* @example
* ```typescript
* // Bad: Anemic model with only getters/setters
* const violation = AnemicModelViolation.create(
* 'Order',
* 'src/domain/entities/Order.ts',
* 'domain',
* 10,
* 4,
* 2,
* true,
* true
* )
*
* console.log(violation.getMessage())
* // "Class 'Order' is anemic: 4 methods (all getters/setters) for 2 properties"
* ```
*/
export class AnemicModelViolation extends ValueObject<AnemicModelViolationProps> {
private constructor(props: AnemicModelViolationProps) {
super(props)
}
public static create(
className: string,
filePath: string,
layer: string,
line: number | undefined,
methodCount: number,
propertyCount: number,
hasOnlyGettersSetters: boolean,
hasPublicSetters: boolean,
): AnemicModelViolation {
return new AnemicModelViolation({
className,
filePath,
layer,
line,
methodCount,
propertyCount,
hasOnlyGettersSetters,
hasPublicSetters,
})
}
public get className(): string {
return this.props.className
}
public get filePath(): string {
return this.props.filePath
}
public get layer(): string {
return this.props.layer
}
public get line(): number | undefined {
return this.props.line
}
public get methodCount(): number {
return this.props.methodCount
}
public get propertyCount(): number {
return this.props.propertyCount
}
public get hasOnlyGettersSetters(): boolean {
return this.props.hasOnlyGettersSetters
}
public get hasPublicSetters(): boolean {
return this.props.hasPublicSetters
}
public getMessage(): string {
if (this.props.hasPublicSetters) {
return `Class '${this.props.className}' has public setters (anti-pattern in DDD)`
}
if (this.props.hasOnlyGettersSetters) {
return `Class '${this.props.className}' is anemic: ${String(this.props.methodCount)} methods (all getters/setters) for ${String(this.props.propertyCount)} properties`
}
const ratio = this.props.methodCount / Math.max(this.props.propertyCount, 1)
return `Class '${this.props.className}' appears anemic: low method-to-property ratio (${ratio.toFixed(1)}:1)`
}
public getSuggestion(): string {
const suggestions: string[] = []
if (this.props.hasPublicSetters) {
suggestions.push(ANEMIC_MODEL_MESSAGES.REMOVE_PUBLIC_SETTERS)
suggestions.push(ANEMIC_MODEL_MESSAGES.USE_METHODS_FOR_CHANGES)
suggestions.push(ANEMIC_MODEL_MESSAGES.ENCAPSULATE_INVARIANTS)
}
if (this.props.hasOnlyGettersSetters || this.props.methodCount < 2) {
suggestions.push(ANEMIC_MODEL_MESSAGES.ADD_BUSINESS_METHODS)
suggestions.push(ANEMIC_MODEL_MESSAGES.MOVE_LOGIC_FROM_SERVICES)
suggestions.push(ANEMIC_MODEL_MESSAGES.ENCAPSULATE_BUSINESS_RULES)
suggestions.push(ANEMIC_MODEL_MESSAGES.USE_DOMAIN_EVENTS)
}
return suggestions.join("\n")
}
public getExampleFix(): string {
if (this.props.hasPublicSetters) {
return `
// ❌ Bad: Public setters allow uncontrolled state changes
class ${this.props.className} {
private status: string
public setStatus(status: string): void {
this.status = status // No validation!
}
public getStatus(): string {
return this.status
}
}
// ✅ Good: Business methods with validation
class ${this.props.className} {
private status: OrderStatus
public approve(): void {
if (!this.canBeApproved()) {
throw new CannotApproveOrderError()
}
this.status = OrderStatus.APPROVED
this.events.push(new OrderApprovedEvent(this.id))
}
public reject(reason: string): void {
if (!this.canBeRejected()) {
throw new CannotRejectOrderError()
}
this.status = OrderStatus.REJECTED
this.rejectionReason = reason
this.events.push(new OrderRejectedEvent(this.id, reason))
}
public getStatus(): OrderStatus {
return this.status
}
private canBeApproved(): boolean {
return this.status === OrderStatus.PENDING && this.hasItems()
}
}`
}
return `
// ❌ Bad: Anemic model (only getters/setters)
class ${this.props.className} {
getStatus() { return this.status }
setStatus(status: string) { this.status = status }
getTotal() { return this.total }
setTotal(total: number) { this.total = total }
}
class OrderService {
approve(order: ${this.props.className}): void {
if (order.getStatus() !== '${EXAMPLE_CODE_CONSTANTS.ORDER_STATUS_PENDING}') {
throw new Error('${EXAMPLE_CODE_CONSTANTS.CANNOT_APPROVE_ERROR}')
}
order.setStatus('${EXAMPLE_CODE_CONSTANTS.ORDER_STATUS_APPROVED}')
}
}
// ✅ Good: Rich domain model with business logic
class ${this.props.className} {
private readonly id: OrderId
private status: OrderStatus
private items: OrderItem[]
private events: DomainEvent[] = []
public approve(): void {
if (!this.isPending()) {
throw new CannotApproveOrderError()
}
this.status = OrderStatus.APPROVED
this.events.push(new OrderApprovedEvent(this.id))
}
public calculateTotal(): Money {
return this.items.reduce(
(sum, item) => sum.add(item.getPrice()),
Money.zero()
)
}
public addItem(item: OrderItem): void {
if (this.isApproved()) {
throw new CannotModifyApprovedOrderError()
}
this.items.push(item)
}
public getStatus(): OrderStatus {
return this.status
}
private isPending(): boolean {
return this.status === OrderStatus.PENDING
}
private isApproved(): boolean {
return this.status === OrderStatus.APPROVED
}
}`
}
}

204
packages/guardian/src/domain/value-objects/SecretViolation.ts Normal file
View File

@@ -0,0 +1,204 @@
import { ValueObject } from "./ValueObject"
import { SECRET_VIOLATION_MESSAGES } from "../constants/Messages"
import { SEVERITY_LEVELS } from "../../shared/constants"
import { FILE_ENCODING, SECRET_EXAMPLE_VALUES, SECRET_KEYWORDS } from "../constants/SecretExamples"
interface SecretViolationProps {
readonly file: string
readonly line: number
readonly column: number
readonly secretType: string
readonly matchedPattern: string
}
/**
* Represents a secret exposure violation in the codebase
*
* Secret violations occur when sensitive data like API keys, tokens, passwords,
* or credentials are hardcoded in the source code instead of being stored
* in secure environment variables or secret management systems.
*
* All secret violations are marked as CRITICAL severity because they represent
* serious security risks that could lead to unauthorized access, data breaches,
* or service compromise.
*
* @example
* ```typescript
* const violation = SecretViolation.create(
* 'src/config/aws.ts',
* 10,
* 15,
* 'AWS Access Key',
* 'AKIA1234567890ABCDEF'
* )
*
* console.log(violation.getMessage())
* // "Hardcoded AWS Access Key detected"
*
* console.log(violation.getSeverity())
* // "critical"
* ```
*/
export class SecretViolation extends ValueObject<SecretViolationProps> {
private constructor(props: SecretViolationProps) {
super(props)
}
public static create(
file: string,
line: number,
column: number,
secretType: string,
matchedPattern: string,
): SecretViolation {
return new SecretViolation({
file,
line,
column,
secretType,
matchedPattern,
})
}
public get file(): string {
return this.props.file
}
public get line(): number {
return this.props.line
}
public get column(): number {
return this.props.column
}
public get secretType(): string {
return this.props.secretType
}
public get matchedPattern(): string {
return this.props.matchedPattern
}
public getMessage(): string {
return `Hardcoded ${this.props.secretType} detected`
}
public getSuggestion(): string {
const suggestions: string[] = [
SECRET_VIOLATION_MESSAGES.USE_ENV_VARIABLES,
SECRET_VIOLATION_MESSAGES.USE_SECRET_MANAGER,
SECRET_VIOLATION_MESSAGES.NEVER_COMMIT_SECRETS,
SECRET_VIOLATION_MESSAGES.ROTATE_IF_EXPOSED,
SECRET_VIOLATION_MESSAGES.USE_GITIGNORE,
]
return suggestions.join("\n")
}
public getExampleFix(): string {
return this.getExampleFixForSecretType(this.props.secretType)
}
public getSeverity(): typeof SEVERITY_LEVELS.CRITICAL {
return SEVERITY_LEVELS.CRITICAL
}
private getExampleFixForSecretType(secretType: string): string {
const lowerType = secretType.toLowerCase()
if (lowerType.includes(SECRET_KEYWORDS.AWS)) {
return `
// ❌ Bad: Hardcoded AWS credentials
const AWS_ACCESS_KEY_ID = "${SECRET_EXAMPLE_VALUES.AWS_ACCESS_KEY_ID}"
const AWS_SECRET_ACCESS_KEY = "${SECRET_EXAMPLE_VALUES.AWS_SECRET_ACCESS_KEY}"
// ✅ Good: Use environment variables
const AWS_ACCESS_KEY_ID = process.env.AWS_ACCESS_KEY_ID
const AWS_SECRET_ACCESS_KEY = process.env.AWS_SECRET_ACCESS_KEY
// ✅ Good: Use credentials provider (in infrastructure layer)
// Load credentials from environment or credentials file`
}
if (lowerType.includes(SECRET_KEYWORDS.GITHUB)) {
return `
// ❌ Bad: Hardcoded GitHub token
const GITHUB_TOKEN = "${SECRET_EXAMPLE_VALUES.GITHUB_TOKEN}"
// ✅ Good: Use environment variables
const GITHUB_TOKEN = process.env.GITHUB_TOKEN
// ✅ Good: GitHub Apps with temporary tokens
// Use GitHub Apps for automated workflows instead of personal access tokens`
}
if (lowerType.includes(SECRET_KEYWORDS.NPM)) {
return `
// ❌ Bad: Hardcoded NPM token in code
const NPM_TOKEN = "${SECRET_EXAMPLE_VALUES.NPM_TOKEN}"
// ✅ Good: Use .npmrc file (add to .gitignore)
// .npmrc
//registry.npmjs.org/:_authToken=\${NPM_TOKEN}
// ✅ Good: Use environment variable
const NPM_TOKEN = process.env.NPM_TOKEN`
}
if (
lowerType.includes(SECRET_KEYWORDS.SSH) ||
lowerType.includes(SECRET_KEYWORDS.PRIVATE_KEY)
) {
return `
// ❌ Bad: Hardcoded SSH private key
const privateKey = \`-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...\`
// ✅ Good: Load from secure file (not in repository)
import fs from "fs"
const privateKey = fs.readFileSync(process.env.SSH_KEY_PATH, "${FILE_ENCODING.UTF8}")
// ✅ Good: Use SSH agent
// Configure SSH agent to handle keys securely`
}
if (lowerType.includes(SECRET_KEYWORDS.SLACK)) {
return `
// ❌ Bad: Hardcoded Slack token
const SLACK_TOKEN = "${SECRET_EXAMPLE_VALUES.SLACK_TOKEN}"
// ✅ Good: Use environment variables
const SLACK_TOKEN = process.env.SLACK_BOT_TOKEN
// ✅ Good: Use OAuth flow for user tokens
// Implement OAuth 2.0 flow instead of hardcoding tokens`
}
if (
lowerType.includes(SECRET_KEYWORDS.API_KEY) ||
lowerType.includes(SECRET_KEYWORDS.APIKEY)
) {
return `
// ❌ Bad: Hardcoded API key
const API_KEY = "${SECRET_EXAMPLE_VALUES.API_KEY}"
// ✅ Good: Use environment variables
const API_KEY = process.env.API_KEY
// ✅ Good: Use secret management service (in infrastructure layer)
// AWS Secrets Manager, HashiCorp Vault, Azure Key Vault
// Implement secret retrieval in infrastructure and inject via DI`
}
return `
// ❌ Bad: Hardcoded secret
const SECRET = "${SECRET_EXAMPLE_VALUES.HARDCODED_SECRET}"
// ✅ Good: Use environment variables
const SECRET = process.env.SECRET_KEY
// ✅ Good: Use secret management
// AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, etc.`
}
}

318
packages/guardian/src/infrastructure/analyzers/AnemicModelDetector.ts Normal file
View File

@@ -0,0 +1,318 @@
import { IAnemicModelDetector } from "../../domain/services/IAnemicModelDetector"
import { AnemicModelViolation } from "../../domain/value-objects/AnemicModelViolation"
import { CLASS_KEYWORDS } from "../../shared/constants"
import { LAYERS } from "../../shared/constants/rules"
/**
* Detects anemic domain model violations
*
* This detector identifies entities that lack business logic and contain
* only getters/setters. Anemic models violate Domain-Driven Design principles.
*
* @example
* ```typescript
* const detector = new AnemicModelDetector()
*
* // Detect anemic models in entity file
* const code = `
* class Order {
* getStatus() { return this.status }
* setStatus(status: string) { this.status = status }
* getTotal() { return this.total }
* setTotal(total: number) { this.total = total }
* }
* `
* const violations = detector.detectAnemicModels(
* code,
* 'src/domain/entities/Order.ts',
* 'domain'
* )
*
* // violations will contain anemic model violation
* console.log(violations.length) // 1
* console.log(violations[0].className) // 'Order'
* ```
*/
export class AnemicModelDetector implements IAnemicModelDetector {
private readonly entityPatterns = [/\/entities\//, /\/aggregates\//]
private readonly excludePatterns = [
/\.test\.ts$/,
/\.spec\.ts$/,
/Dto\.ts$/,
/Request\.ts$/,
/Response\.ts$/,
/Mapper\.ts$/,
]
/**
* Detects anemic model violations in the given code
*/
public detectAnemicModels(
code: string,
filePath: string,
layer: string | undefined,
): AnemicModelViolation[] {
if (!this.shouldAnalyze(filePath, layer)) {
return []
}
const violations: AnemicModelViolation[] = []
const classes = this.extractClasses(code)
for (const classInfo of classes) {
const violation = this.analyzeClass(classInfo, filePath, layer || LAYERS.DOMAIN)
if (violation) {
violations.push(violation)
}
}
return violations
}
/**
* Checks if file should be analyzed
*/
private shouldAnalyze(filePath: string, layer: string | undefined): boolean {
if (layer !== LAYERS.DOMAIN) {
return false
}
if (this.excludePatterns.some((pattern) => pattern.test(filePath))) {
return false
}
return this.entityPatterns.some((pattern) => pattern.test(filePath))
}
/**
* Extracts class information from code
*/
private extractClasses(code: string): ClassInfo[] {
const classes: ClassInfo[] = []
const lines = code.split("\n")
let currentClass: { name: string; startLine: number; startIndex: number } | null = null
let braceCount = 0
let classBody = ""
for (let i = 0; i < lines.length; i++) {
const line = lines[i]
if (!currentClass) {
const classRegex = /^\s*(?:export\s+)?(?:abstract\s+)?class\s+(\w+)/
const classMatch = classRegex.exec(line)
if (classMatch) {
currentClass = {
name: classMatch[1],
startLine: i + 1,
startIndex: lines.slice(0, i).join("\n").length,
}
braceCount = 0
classBody = ""
}
}
if (currentClass) {
for (const char of line) {
if (char === "{") {
braceCount++
} else if (char === "}") {
braceCount--
}
}
if (braceCount > 0) {
classBody = `${classBody}${line}\n`
} else if (braceCount === 0 && classBody.length > 0) {
const properties = this.extractProperties(classBody)
const methods = this.extractMethods(classBody)
classes.push({
className: currentClass.name,
lineNumber: currentClass.startLine,
properties,
methods,
})
currentClass = null
classBody = ""
}
}
}
return classes
}
/**
* Extracts properties from class body
*/
private extractProperties(classBody: string): PropertyInfo[] {
const properties: PropertyInfo[] = []
const propertyRegex = /(?:private|protected|public|readonly)*\s*(\w+)(?:\?)?:\s*\w+/g
let match
while ((match = propertyRegex.exec(classBody)) !== null) {
const propertyName = match[1]
if (!this.isMethodSignature(match[0])) {
properties.push({ name: propertyName })
}
}
return properties
}
/**
* Extracts methods from class body
*/
private extractMethods(classBody: string): MethodInfo[] {
const methods: MethodInfo[] = []
const methodRegex =
/(public|private|protected)?\s*(get|set)?\s+(\w+)\s*\([^)]*\)(?:\s*:\s*\w+)?/g
let match
while ((match = methodRegex.exec(classBody)) !== null) {
const visibility = match[1] || CLASS_KEYWORDS.PUBLIC
const accessor = match[2]
const methodName = match[3]
if (methodName === CLASS_KEYWORDS.CONSTRUCTOR) {
continue
}
const isGetter = accessor === "get" || this.isGetterMethod(methodName)
const isSetter = accessor === "set" || this.isSetterMethod(methodName, classBody)
const isPublic = visibility === CLASS_KEYWORDS.PUBLIC || !visibility
methods.push({
name: methodName,
isGetter,
isSetter,
isPublic,
isBusinessLogic: !isGetter && !isSetter,
})
}
return methods
}
/**
* Analyzes class for anemic model violations
*/
private analyzeClass(
classInfo: ClassInfo,
filePath: string,
layer: string,
): AnemicModelViolation | null {
const { className, lineNumber, properties, methods } = classInfo
if (properties.length === 0 && methods.length === 0) {
return null
}
const businessMethods = methods.filter((m) => m.isBusinessLogic)
const hasOnlyGettersSetters = businessMethods.length === 0 && methods.length > 0
const hasPublicSetters = methods.some((m) => m.isSetter && m.isPublic)
const methodCount = methods.length
const propertyCount = properties.length
if (hasPublicSetters) {
return AnemicModelViolation.create(
className,
filePath,
layer,
lineNumber,
methodCount,
propertyCount,
false,
true,
)
}
if (hasOnlyGettersSetters && methodCount >= 2 && propertyCount > 0) {
return AnemicModelViolation.create(
className,
filePath,
layer,
lineNumber,
methodCount,
propertyCount,
true,
false,
)
}
const methodToPropertyRatio = methodCount / Math.max(propertyCount, 1)
if (
propertyCount > 0 &&
businessMethods.length < 2 &&
methodToPropertyRatio < 1.0 &&
methodCount > 0
) {
return AnemicModelViolation.create(
className,
filePath,
layer,
lineNumber,
methodCount,
propertyCount,
false,
false,
)
}
return null
}
/**
* Checks if method name is a getter pattern
*/
private isGetterMethod(methodName: string): boolean {
return (
methodName.startsWith("get") ||
methodName.startsWith("is") ||
methodName.startsWith("has")
)
}
/**
* Checks if method is a setter pattern
*/
private isSetterMethod(methodName: string, _classBody: string): boolean {
return methodName.startsWith("set")
}
/**
* Checks if property declaration is actually a method signature
*/
private isMethodSignature(propertyDeclaration: string): boolean {
return propertyDeclaration.includes("(") && propertyDeclaration.includes(")")
}
/**
* Gets line number for a position in code
*/
private getLineNumber(code: string, position: number): number {
const lines = code.substring(0, position).split("\n")
return lines.length
}
}
interface ClassInfo {
className: string
lineNumber: number
properties: PropertyInfo[]
methods: MethodInfo[]
}
interface PropertyInfo {
name: string
}
interface MethodInfo {
name: string
isGetter: boolean
isSetter: boolean
isPublic: boolean
isBusinessLogic: boolean
}

168
packages/guardian/src/infrastructure/analyzers/SecretDetector.ts Normal file
View File

@@ -0,0 +1,168 @@
import { createEngine } from "@secretlint/node"
import type { SecretLintConfigDescriptor } from "@secretlint/types"
import { ISecretDetector } from "../../domain/services/ISecretDetector"
import { SecretViolation } from "../../domain/value-objects/SecretViolation"
import { SECRET_KEYWORDS, SECRET_TYPE_NAMES } from "../../domain/constants/SecretExamples"
/**
* Detects hardcoded secrets in TypeScript/JavaScript code
*
* Uses industry-standard Secretlint library to detect 350+ types of secrets
* including AWS keys, GitHub tokens, NPM tokens, SSH keys, API keys, and more.
*
* All detected secrets are marked as CRITICAL severity because they represent
* serious security risks that could lead to unauthorized access or data breaches.
*
* @example
* ```typescript
* const detector = new SecretDetector()
* const code = `const AWS_KEY = "AKIA1234567890ABCDEF"`
* const violations = await detector.detectAll(code, 'config.ts')
* // Returns array of SecretViolation objects with CRITICAL severity
* ```
*/
export class SecretDetector implements ISecretDetector {
private readonly secretlintConfig: SecretLintConfigDescriptor = {
rules: [
{
id: "@secretlint/secretlint-rule-preset-recommend",
},
],
}
/**
* Detects all types of hardcoded secrets in the provided code
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @returns Promise resolving to array of secret violations
*/
public async detectAll(code: string, filePath: string): Promise<SecretViolation[]> {
try {
const engine = await createEngine({
cwd: process.cwd(),
configFileJSON: this.secretlintConfig,
formatter: "stylish",
color: false,
})
const result = await engine.executeOnContent({
content: code,
filePath,
})
return this.parseOutputToViolations(result.output, filePath)
} catch (_error) {
return []
}
}
private parseOutputToViolations(output: string, filePath: string): SecretViolation[] {
const violations: SecretViolation[] = []
if (!output || output.trim() === "") {
return violations
}
const lines = output.split("\n")
for (const line of lines) {
const match = /^\s*(\d+):(\d+)\s+(error|warning)\s+(.+?)\s+(.+)$/.exec(line)
if (match) {
const [, lineNum, column, , message, ruleId] = match
const secretType = this.extractSecretType(message, ruleId)
const violation = SecretViolation.create(
filePath,
parseInt(lineNum, 10),
parseInt(column, 10),
secretType,
message,
)
violations.push(violation)
}
}
return violations
}
private extractSecretType(message: string, ruleId: string): string {
if (ruleId.includes(SECRET_KEYWORDS.AWS)) {
if (message.toLowerCase().includes(SECRET_KEYWORDS.ACCESS_KEY)) {
return SECRET_TYPE_NAMES.AWS_ACCESS_KEY
}
if (message.toLowerCase().includes(SECRET_KEYWORDS.SECRET)) {
return SECRET_TYPE_NAMES.AWS_SECRET_KEY
}
return SECRET_TYPE_NAMES.AWS_CREDENTIAL
}
if (ruleId.includes(SECRET_KEYWORDS.GITHUB)) {
if (message.toLowerCase().includes(SECRET_KEYWORDS.PERSONAL_ACCESS_TOKEN)) {
return SECRET_TYPE_NAMES.GITHUB_PERSONAL_ACCESS_TOKEN
}
if (message.toLowerCase().includes(SECRET_KEYWORDS.OAUTH)) {
return SECRET_TYPE_NAMES.GITHUB_OAUTH_TOKEN
}
return SECRET_TYPE_NAMES.GITHUB_TOKEN
}
if (ruleId.includes(SECRET_KEYWORDS.NPM)) {
return SECRET_TYPE_NAMES.NPM_TOKEN
}
if (ruleId.includes(SECRET_KEYWORDS.GCP) || ruleId.includes(SECRET_KEYWORDS.GOOGLE)) {
return SECRET_TYPE_NAMES.GCP_SERVICE_ACCOUNT_KEY
}
if (ruleId.includes(SECRET_KEYWORDS.PRIVATEKEY) || ruleId.includes(SECRET_KEYWORDS.SSH)) {
if (message.toLowerCase().includes(SECRET_KEYWORDS.RSA)) {
return SECRET_TYPE_NAMES.SSH_RSA_PRIVATE_KEY
}
if (message.toLowerCase().includes(SECRET_KEYWORDS.DSA)) {
return SECRET_TYPE_NAMES.SSH_DSA_PRIVATE_KEY
}
if (message.toLowerCase().includes(SECRET_KEYWORDS.ECDSA)) {
return SECRET_TYPE_NAMES.SSH_ECDSA_PRIVATE_KEY
}
if (message.toLowerCase().includes(SECRET_KEYWORDS.ED25519)) {
return SECRET_TYPE_NAMES.SSH_ED25519_PRIVATE_KEY
}
return SECRET_TYPE_NAMES.SSH_PRIVATE_KEY
}
if (ruleId.includes(SECRET_KEYWORDS.SLACK)) {
if (message.toLowerCase().includes(SECRET_KEYWORDS.BOT)) {
return SECRET_TYPE_NAMES.SLACK_BOT_TOKEN
}
if (message.toLowerCase().includes(SECRET_KEYWORDS.USER)) {
return SECRET_TYPE_NAMES.SLACK_USER_TOKEN
}
return SECRET_TYPE_NAMES.SLACK_TOKEN
}
if (ruleId.includes(SECRET_KEYWORDS.BASICAUTH)) {
return SECRET_TYPE_NAMES.BASIC_AUTH_CREDENTIALS
}
if (message.toLowerCase().includes(SECRET_KEYWORDS.API_KEY)) {
return SECRET_TYPE_NAMES.API_KEY
}
if (message.toLowerCase().includes(SECRET_KEYWORDS.TOKEN)) {
return SECRET_TYPE_NAMES.AUTHENTICATION_TOKEN
}
if (message.toLowerCase().includes(SECRET_KEYWORDS.PASSWORD)) {
return SECRET_TYPE_NAMES.PASSWORD
}
if (message.toLowerCase().includes(SECRET_KEYWORDS.SECRET)) {
return SECRET_TYPE_NAMES.SECRET
}
return SECRET_TYPE_NAMES.SENSITIVE_DATA
}
}

14
packages/guardian/src/infrastructure/strategies/MagicStringMatcher.ts
View File

@@ -2,6 +2,10 @@ import { HardcodedValue } from "../../domain/value-objects/HardcodedValue"
import { DETECTION_KEYWORDS } from "../constants/defaults"
import { HARDCODE_TYPES } from "../../shared/constants"
import { ExportConstantAnalyzer } from "./ExportConstantAnalyzer"
import {
DYNAMIC_IMPORT_PATTERN_PARTS,
REGEX_ESCAPE_PATTERN,
} from "../../domain/constants/SecretExamples"
/**
* Detects magic strings in code
@@ -189,9 +193,11 @@ export class MagicStringMatcher {
* Checks if string is inside Symbol() call
*/
private isInSymbolCall(line: string, stringValue: string): boolean {
const symbolPattern = new RegExp(
`Symbol\\s*\\(\\s*['"\`]${stringValue.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}['"\`]\\s*\\)`,
const escapedValue = stringValue.replace(
/[.*+?^${}()|[\]\\]/g,
REGEX_ESCAPE_PATTERN.DOLLAR_AMPERSAND,
)
const symbolPattern = new RegExp(`Symbol\\s*\\(\\s*['"\`]${escapedValue}['"\`]\\s*\\)`)
return symbolPattern.test(line)
}
@@ -199,7 +205,9 @@ export class MagicStringMatcher {
* Checks if string is inside import() call
*/
private isInImportCall(line: string, stringValue: string): boolean {
const importPattern = /import\s*\(\s*['"`][^'"`]+['"`]\s*\)/
const importPattern = new RegExp(
`import\\s*\\(\\s*['${DYNAMIC_IMPORT_PATTERN_PARTS.QUOTE_START}'${DYNAMIC_IMPORT_PATTERN_PARTS.QUOTE_END}"]\\s*\\)`,
)
return importPattern.test(line) && line.includes(stringValue)
}

21
packages/guardian/src/shared/constants/index.ts
View File

@@ -45,6 +45,25 @@ export const TYPE_NAMES = {
OBJECT: "object",
} as const
/**
* TypeScript class and method keywords
*/
export const CLASS_KEYWORDS = {
CONSTRUCTOR: "constructor",
PUBLIC: "public",
PRIVATE: "private",
PROTECTED: "protected",
} as const
/**
* Example code constants for documentation
*/
export const EXAMPLE_CODE_CONSTANTS = {
ORDER_STATUS_PENDING: "pending",
ORDER_STATUS_APPROVED: "approved",
CANNOT_APPROVE_ERROR: "Cannot approve",
} as const
/**
* Common regex patterns
*/
@@ -86,12 +105,14 @@ export const SEVERITY_ORDER: Record<SeverityLevel, number> = {
* Violation type to severity mapping
*/
export const VIOLATION_SEVERITY_MAP = {
SECRET_EXPOSURE: SEVERITY_LEVELS.CRITICAL,
CIRCULAR_DEPENDENCY: SEVERITY_LEVELS.CRITICAL,
REPOSITORY_PATTERN: SEVERITY_LEVELS.CRITICAL,
AGGREGATE_BOUNDARY: SEVERITY_LEVELS.CRITICAL,
DEPENDENCY_DIRECTION: SEVERITY_LEVELS.HIGH,
FRAMEWORK_LEAK: SEVERITY_LEVELS.HIGH,
ENTITY_EXPOSURE: SEVERITY_LEVELS.HIGH,
ANEMIC_MODEL: SEVERITY_LEVELS.MEDIUM,
NAMING_CONVENTION: SEVERITY_LEVELS.MEDIUM,
ARCHITECTURE: SEVERITY_LEVELS.MEDIUM,
HARDCODE: SEVERITY_LEVELS.LOW,

47
packages/guardian/src/shared/constants/rules.ts
View File

@@ -11,6 +11,8 @@ export const RULES = {
DEPENDENCY_DIRECTION: "dependency-direction",
REPOSITORY_PATTERN: "repository-pattern",
AGGREGATE_BOUNDARY: "aggregate-boundary",
SECRET_EXPOSURE: "secret-exposure",
ANEMIC_MODEL: "anemic-model",
} as const
/**
@@ -102,32 +104,35 @@ export const NAMING_PATTERNS = {
* Common verbs for use cases
*/
export const USE_CASE_VERBS = [
"Aggregate",
"Analyze",
"Create",
"Update",
"Delete",
"Get",
"Find",
"List",
"Search",
"Validate",
"Calculate",
"Generate",
"Send",
"Fetch",
"Process",
"Execute",
"Handle",
"Register",
"Approve",
"Authenticate",
"Authorize",
"Import",
"Export",
"Place",
"Calculate",
"Cancel",
"Approve",
"Reject",
"Collect",
"Confirm",
"Create",
"Delete",
"Execute",
"Export",
"Fetch",
"Find",
"Generate",
"Get",
"Handle",
"Import",
"List",
"Parse",
"Place",
"Process",
"Register",
"Reject",
"Search",
"Send",
"Update",
"Validate",
] as const
/**

372
packages/guardian/tests/AnemicModelDetector.test.ts Normal file
View File

@@ -0,0 +1,372 @@
import { describe, it, expect, beforeEach } from "vitest"
import { AnemicModelDetector } from "../src/infrastructure/analyzers/AnemicModelDetector"
describe("AnemicModelDetector", () => {
let detector: AnemicModelDetector
beforeEach(() => {
detector = new AnemicModelDetector()
})
describe("detectAnemicModels", () => {
it("should detect class with only getters and setters", () => {
const code = `
class Order {
private status: string
private total: number
getStatus(): string {
return this.status
}
setStatus(status: string): void {
this.status = status
}
getTotal(): number {
return this.total
}
setTotal(total: number): void {
this.total = total
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Order.ts",
"domain",
)
expect(violations).toHaveLength(1)
expect(violations[0].className).toBe("Order")
expect(violations[0].methodCount).toBeGreaterThan(0)
expect(violations[0].propertyCount).toBeGreaterThan(0)
expect(violations[0].getMessage()).toContain("Order")
})
it("should detect class with public setters", () => {
const code = `
class User {
private email: string
private password: string
public setEmail(email: string): void {
this.email = email
}
public getEmail(): string {
return this.email
}
public setPassword(password: string): void {
this.password = password
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/User.ts",
"domain",
)
expect(violations).toHaveLength(1)
expect(violations[0].className).toBe("User")
expect(violations[0].hasPublicSetters).toBe(true)
})
it("should not detect rich domain model with business logic", () => {
const code = `
class Order {
private readonly id: string
private status: OrderStatus
private items: OrderItem[]
public approve(): void {
if (!this.canBeApproved()) {
throw new Error("Cannot approve")
}
this.status = OrderStatus.APPROVED
}
public reject(reason: string): void {
if (!this.canBeRejected()) {
throw new Error("Cannot reject")
}
this.status = OrderStatus.REJECTED
}
public addItem(item: OrderItem): void {
if (this.isApproved()) {
throw new Error("Cannot modify approved order")
}
this.items.push(item)
}
public calculateTotal(): Money {
return this.items.reduce((sum, item) => sum.add(item.getPrice()), Money.zero())
}
public getStatus(): OrderStatus {
return this.status
}
private canBeApproved(): boolean {
return this.status === OrderStatus.PENDING
}
private canBeRejected(): boolean {
return this.status === OrderStatus.PENDING
}
private isApproved(): boolean {
return this.status === OrderStatus.APPROVED
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Order.ts",
"domain",
)
expect(violations).toHaveLength(0)
})
it("should not analyze files outside domain layer", () => {
const code = `
class OrderDto {
getStatus(): string {
return this.status
}
setStatus(status: string): void {
this.status = status
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/application/dtos/OrderDto.ts",
"application",
)
expect(violations).toHaveLength(0)
})
it("should not analyze DTO files", () => {
const code = `
class UserDto {
private email: string
getEmail(): string {
return this.email
}
setEmail(email: string): void {
this.email = email
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/dtos/UserDto.ts",
"domain",
)
expect(violations).toHaveLength(0)
})
it("should not analyze test files", () => {
const code = `
class Order {
getStatus(): string {
return this.status
}
setStatus(status: string): void {
this.status = status
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Order.test.ts",
"domain",
)
expect(violations).toHaveLength(0)
})
it("should detect anemic model in entities folder", () => {
const code = `
class Product {
private name: string
private price: number
getName(): string {
return this.name
}
setName(name: string): void {
this.name = name
}
getPrice(): number {
return this.price
}
setPrice(price: number): void {
this.price = price
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Product.ts",
"domain",
)
expect(violations).toHaveLength(1)
expect(violations[0].className).toBe("Product")
})
it("should detect anemic model in aggregates folder", () => {
const code = `
class Customer {
private email: string
getEmail(): string {
return this.email
}
setEmail(email: string): void {
this.email = email
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/aggregates/customer/Customer.ts",
"domain",
)
expect(violations).toHaveLength(1)
expect(violations[0].className).toBe("Customer")
})
it("should not detect class with good method-to-property ratio", () => {
const code = `
class Account {
private balance: number
private isActive: boolean
public deposit(amount: number): void {
if (amount <= 0) throw new Error("Invalid amount")
this.balance += amount
}
public withdraw(amount: number): void {
if (amount > this.balance) throw new Error("Insufficient funds")
this.balance -= amount
}
public activate(): void {
this.isActive = true
}
public deactivate(): void {
this.isActive = false
}
public getBalance(): number {
return this.balance
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Account.ts",
"domain",
)
expect(violations).toHaveLength(0)
})
it("should handle class with no properties or methods", () => {
const code = `
class EmptyEntity {
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/EmptyEntity.ts",
"domain",
)
expect(violations).toHaveLength(0)
})
it("should detect multiple anemic classes in one file", () => {
const code = `
class Order {
getStatus() { return this.status }
setStatus(status: string) { this.status = status }
}
class Item {
getPrice() { return this.price }
setPrice(price: number) { this.price = price }
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Models.ts",
"domain",
)
expect(violations).toHaveLength(2)
expect(violations[0].className).toBe("Order")
expect(violations[1].className).toBe("Item")
})
it("should provide correct violation details", () => {
const code = `
class Payment {
private amount: number
private currency: string
getAmount(): number {
return this.amount
}
setAmount(amount: number): void {
this.amount = amount
}
getCurrency(): string {
return this.currency
}
setCurrency(currency: string): void {
this.currency = currency
}
}
`
const violations = detector.detectAnemicModels(
code,
"src/domain/entities/Payment.ts",
"domain",
)
expect(violations).toHaveLength(1)
const violation = violations[0]
expect(violation.className).toBe("Payment")
expect(violation.filePath).toBe("src/domain/entities/Payment.ts")
expect(violation.layer).toBe("domain")
expect(violation.line).toBeGreaterThan(0)
expect(violation.getMessage()).toContain("Payment")
expect(violation.getSuggestion()).toContain("business")
})
})
})

5
packages/guardian/tests/e2e/AnalyzeProject.e2e.test.ts
View File

@@ -27,6 +27,7 @@ describe("AnalyzeProject E2E", () => {
expect(Array.isArray(result.dependencyDirectionViolations)).toBe(true)
expect(Array.isArray(result.repositoryPatternViolations)).toBe(true)
expect(Array.isArray(result.aggregateBoundaryViolations)).toBe(true)
expect(Array.isArray(result.anemicModelViolations)).toBe(true)
})
it("should respect exclude patterns", async () => {
@@ -65,7 +66,8 @@ describe("AnalyzeProject E2E", () => {
result.entityExposureViolations.length +
result.dependencyDirectionViolations.length +
result.repositoryPatternViolations.length +
result.aggregateBoundaryViolations.length
result.aggregateBoundaryViolations.length +
result.anemicModelViolations.length
expect(totalViolations).toBeGreaterThan(0)
})
@@ -82,6 +84,7 @@ describe("AnalyzeProject E2E", () => {
expect(result.entityExposureViolations.length).toBe(0)
expect(result.dependencyDirectionViolations.length).toBe(0)
expect(result.circularDependencyViolations.length).toBe(0)
expect(result.anemicModelViolations.length).toBe(0)
})
it("should have no dependency direction violations", async () => {

320
packages/guardian/tests/unit/domain/SecretViolation.test.ts Normal file
View File

@@ -0,0 +1,320 @@
import { describe, it, expect } from "vitest"
import { SecretViolation } from "../../../src/domain/value-objects/SecretViolation"
describe("SecretViolation", () => {
describe("create", () => {
it("should create a secret violation with all properties", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"AKIA1234567890ABCDEF",
)
expect(violation.file).toBe("src/config/aws.ts")
expect(violation.line).toBe(10)
expect(violation.column).toBe(15)
expect(violation.secretType).toBe("AWS Access Key")
expect(violation.matchedPattern).toBe("AKIA1234567890ABCDEF")
})
it("should create a secret violation with GitHub token", () => {
const violation = SecretViolation.create(
"src/config/github.ts",
5,
20,
"GitHub Personal Access Token",
"ghp_1234567890abcdefghijklmnopqrstuv",
)
expect(violation.secretType).toBe("GitHub Personal Access Token")
expect(violation.file).toBe("src/config/github.ts")
})
it("should create a secret violation with NPM token", () => {
const violation = SecretViolation.create(".npmrc", 1, 1, "NPM Token", "npm_abc123xyz")
expect(violation.secretType).toBe("NPM Token")
})
})
describe("getters", () => {
it("should return file path", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.file).toBe("src/config/aws.ts")
})
it("should return line number", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.line).toBe(10)
})
it("should return column number", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.column).toBe(15)
})
it("should return secret type", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.secretType).toBe("AWS Access Key")
})
it("should return matched pattern", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"AKIA1234567890ABCDEF",
)
expect(violation.matchedPattern).toBe("AKIA1234567890ABCDEF")
})
})
describe("getMessage", () => {
it("should return formatted message for AWS Access Key", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.getMessage()).toBe("Hardcoded AWS Access Key detected")
})
it("should return formatted message for GitHub token", () => {
const violation = SecretViolation.create(
"src/config/github.ts",
5,
20,
"GitHub Token",
"test",
)
expect(violation.getMessage()).toBe("Hardcoded GitHub Token detected")
})
it("should return formatted message for NPM token", () => {
const violation = SecretViolation.create(".npmrc", 1, 1, "NPM Token", "test")
expect(violation.getMessage()).toBe("Hardcoded NPM Token detected")
})
})
describe("getSuggestion", () => {
it("should return multi-line suggestion", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
const suggestion = violation.getSuggestion()
expect(suggestion).toContain("1. Use environment variables")
expect(suggestion).toContain("2. Use secret management services")
expect(suggestion).toContain("3. Never commit secrets")
expect(suggestion).toContain("4. If secret was committed, rotate it immediately")
expect(suggestion).toContain("5. Add secret files to .gitignore")
})
it("should return the same suggestion for all secret types", () => {
const awsViolation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
const githubViolation = SecretViolation.create(
"src/config/github.ts",
5,
20,
"GitHub Token",
"test",
)
expect(awsViolation.getSuggestion()).toBe(githubViolation.getSuggestion())
})
})
describe("getExampleFix", () => {
it("should return AWS-specific example for AWS Access Key", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("AWS")
expect(example).toContain("process.env.AWS_ACCESS_KEY_ID")
expect(example).toContain("credentials provider")
})
it("should return GitHub-specific example for GitHub token", () => {
const violation = SecretViolation.create(
"src/config/github.ts",
5,
20,
"GitHub Token",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("GitHub")
expect(example).toContain("process.env.GITHUB_TOKEN")
expect(example).toContain("GitHub Apps")
})
it("should return NPM-specific example for NPM token", () => {
const violation = SecretViolation.create(".npmrc", 1, 1, "NPM Token", "test")
const example = violation.getExampleFix()
expect(example).toContain("NPM")
expect(example).toContain(".npmrc")
expect(example).toContain("process.env.NPM_TOKEN")
})
it("should return SSH-specific example for SSH Private Key", () => {
const violation = SecretViolation.create(
"src/config/ssh.ts",
1,
1,
"SSH Private Key",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("SSH")
expect(example).toContain("readFileSync")
expect(example).toContain("SSH_KEY_PATH")
})
it("should return SSH RSA-specific example for SSH RSA Private Key", () => {
const violation = SecretViolation.create(
"src/config/ssh.ts",
1,
1,
"SSH RSA Private Key",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("SSH")
expect(example).toContain("RSA PRIVATE KEY")
})
it("should return Slack-specific example for Slack token", () => {
const violation = SecretViolation.create(
"src/config/slack.ts",
1,
1,
"Slack Bot Token",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("Slack")
expect(example).toContain("process.env.SLACK_BOT_TOKEN")
})
it("should return API Key example for generic API key", () => {
const violation = SecretViolation.create("src/config/api.ts", 1, 1, "API Key", "test")
const example = violation.getExampleFix()
expect(example).toContain("API")
expect(example).toContain("process.env.API_KEY")
expect(example).toContain("secret management service")
})
it("should return generic example for unknown secret type", () => {
const violation = SecretViolation.create(
"src/config/unknown.ts",
1,
1,
"Unknown Secret",
"test",
)
const example = violation.getExampleFix()
expect(example).toContain("process.env.SECRET_KEY")
expect(example).toContain("secret management")
})
})
describe("getSeverity", () => {
it("should always return critical severity", () => {
const violation = SecretViolation.create(
"src/config/aws.ts",
10,
15,
"AWS Access Key",
"test",
)
expect(violation.getSeverity()).toBe("critical")
})
it("should return critical severity for all secret types", () => {
const types = [
"AWS Access Key",
"GitHub Token",
"NPM Token",
"SSH Private Key",
"Slack Token",
"API Key",
]
types.forEach((type) => {
const violation = SecretViolation.create("test.ts", 1, 1, type, "test")
expect(violation.getSeverity()).toBe("critical")
})
})
})
})

277
packages/guardian/tests/unit/infrastructure/SecretDetector.test.ts Normal file
View File

@@ -0,0 +1,277 @@
import { describe, it, expect, beforeEach } from "vitest"
import { SecretDetector } from "../../../src/infrastructure/analyzers/SecretDetector"
describe("SecretDetector", () => {
let detector: SecretDetector
beforeEach(() => {
detector = new SecretDetector()
})
describe("detectAll", () => {
it("should return empty array for code without secrets", async () => {
const code = `
const greeting = "Hello World"
const count = 42
function test() {
return true
}
`
const violations = await detector.detectAll(code, "test.ts")
expect(violations).toHaveLength(0)
})
it("should return empty array for normal environment variable usage", async () => {
const code = `
const apiKey = process.env.API_KEY
const dbUrl = process.env.DATABASE_URL
`
const violations = await detector.detectAll(code, "config.ts")
expect(violations).toHaveLength(0)
})
it("should handle empty code", async () => {
const violations = await detector.detectAll("", "empty.ts")
expect(violations).toHaveLength(0)
})
it("should handle code with only comments", async () => {
const code = `
// This is a comment
/* Multi-line
comment */
`
const violations = await detector.detectAll(code, "comments.ts")
expect(violations).toHaveLength(0)
})
it("should handle multiline strings without secrets", async () => {
const code = `
const template = \`
Hello World
This is a test
No secrets here
\`
`
const violations = await detector.detectAll(code, "template.ts")
expect(violations).toHaveLength(0)
})
it("should handle code with URLs", async () => {
const code = `
const apiUrl = "https://api.example.com/v1"
const websiteUrl = "http://localhost:3000"
`
const violations = await detector.detectAll(code, "urls.ts")
expect(violations).toHaveLength(0)
})
it("should handle imports and requires", async () => {
const code = `
import { something } from "some-package"
const fs = require('fs')
`
const violations = await detector.detectAll(code, "imports.ts")
expect(violations).toHaveLength(0)
})
it("should return violations with correct file path", async () => {
const code = `const secret = "test-secret-value"`
const filePath = "src/config/secrets.ts"
const violations = await detector.detectAll(code, filePath)
violations.forEach((v) => {
expect(v.file).toBe(filePath)
})
})
it("should handle .js files", async () => {
const code = `const test = "value"`
const violations = await detector.detectAll(code, "test.js")
expect(violations).toBeInstanceOf(Array)
})
it("should handle .jsx files", async () => {
const code = `const Component = () => <div>Test</div>`
const violations = await detector.detectAll(code, "Component.jsx")
expect(violations).toBeInstanceOf(Array)
})
it("should handle .tsx files", async () => {
const code = `const Component: React.FC = () => <div>Test</div>`
const violations = await detector.detectAll(code, "Component.tsx")
expect(violations).toBeInstanceOf(Array)
})
it("should handle errors gracefully", async () => {
const code = null as unknown as string
const violations = await detector.detectAll(code, "test.ts")
expect(violations).toHaveLength(0)
})
it("should handle malformed code gracefully", async () => {
const code = "const = = ="
const violations = await detector.detectAll(code, "malformed.ts")
expect(violations).toBeInstanceOf(Array)
})
})
describe("parseOutputToViolations", () => {
it("should parse empty output", async () => {
const code = ""
const violations = await detector.detectAll(code, "test.ts")
expect(violations).toHaveLength(0)
})
it("should handle whitespace-only output", async () => {
const code = " \n \n "
const violations = await detector.detectAll(code, "test.ts")
expect(violations).toHaveLength(0)
})
})
describe("extractSecretType", () => {
it("should handle various secret types correctly", async () => {
const code = `const value = "test"`
const violations = await detector.detectAll(code, "test.ts")
violations.forEach((v) => {
expect(v.secretType).toBeTruthy()
expect(typeof v.secretType).toBe("string")
expect(v.secretType.length).toBeGreaterThan(0)
})
})
})
describe("integration", () => {
it("should work with TypeScript code", async () => {
const code = `
interface Config {
apiKey: string
}
const config: Config = {
apiKey: process.env.API_KEY || "default"
}
`
const violations = await detector.detectAll(code, "config.ts")
expect(violations).toBeInstanceOf(Array)
})
it("should work with ES6+ syntax", async () => {
const code = `
const fetchData = async () => {
const response = await fetch(url)
return response.json()
}
const [data, setData] = useState(null)
`
const violations = await detector.detectAll(code, "hooks.ts")
expect(violations).toBeInstanceOf(Array)
})
it("should work with JSX/TSX", async () => {
const code = `
export const Button = ({ onClick }: Props) => {
return <button onClick={onClick}>Click me</button>
}
`
const violations = await detector.detectAll(code, "Button.tsx")
expect(violations).toBeInstanceOf(Array)
})
it("should handle concurrent detections", async () => {
const code1 = "const test1 = 'value1'"
const code2 = "const test2 = 'value2'"
const code3 = "const test3 = 'value3'"
const [result1, result2, result3] = await Promise.all([
detector.detectAll(code1, "file1.ts"),
detector.detectAll(code2, "file2.ts"),
detector.detectAll(code3, "file3.ts"),
])
expect(result1).toBeInstanceOf(Array)
expect(result2).toBeInstanceOf(Array)
expect(result3).toBeInstanceOf(Array)
})
})
describe("edge cases", () => {
it("should handle very long code", async () => {
const longCode = "const value = 'test'\n".repeat(1000)
const violations = await detector.detectAll(longCode, "long.ts")
expect(violations).toBeInstanceOf(Array)
})
it("should handle special characters in code", async () => {
const code = `
const special = "!@#$%^&*()_+-=[]{}|;:',.<>?"
const unicode = "日本語 🚀"
`
const violations = await detector.detectAll(code, "special.ts")
expect(violations).toBeInstanceOf(Array)
})
it("should handle code with regex patterns", async () => {
const code = `
const pattern = /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,}$/i
const matches = text.match(pattern)
`
const violations = await detector.detectAll(code, "regex.ts")
expect(violations).toBeInstanceOf(Array)
})
it("should handle code with template literals", async () => {
const code = `
const message = \`Hello \${name}, your balance is \${balance}\`
`
const violations = await detector.detectAll(code, "template.ts")
expect(violations).toBeInstanceOf(Array)
})
})
})

315
pnpm-lock.yaml generated
View File

@@ -80,6 +80,18 @@ importers:
packages/guardian:
dependencies:
'@secretlint/core':
specifier: ^11.2.5
version: 11.2.5
'@secretlint/node':
specifier: ^11.2.5
version: 11.2.5
'@secretlint/secretlint-rule-preset-recommend':
specifier: ^11.2.5
version: 11.2.5
'@secretlint/types':
specifier: ^11.2.5
version: 11.2.5
commander:
specifier: ^12.1.0
version: 12.1.0
@@ -154,6 +166,12 @@ packages:
resolution: {integrity: sha512-J4Jarr0SohdrHcb40gTL4wGPCQ952IMWF1G/MSAQfBAPvA9ZKApYhpxcY7PmehVePve+ujpus1dGsJ7dPxz8Kg==}
engines: {node: ^18.19.1 || ^20.11.1 || >=22.0.0, npm: ^6.11.0 || ^7.5.6 || >=8.0.0, yarn: '>= 1.13.0'}
'@azu/format-text@1.0.2':
resolution: {integrity: sha512-Swi4N7Edy1Eqq82GxgEECXSSLyn6GOb5htRFPzBDdUkECGXtlf12ynO5oJSpWKPwCaUssOu7NfhDcCWpIC6Ywg==}
'@azu/style-format@1.0.1':
resolution: {integrity: sha512-AHcTojlNBdD/3/KxIKlg8sxIWHfOtQszLvOpagLTO+bjC3u7SAszu1lf//u7JJC50aUSH+BVWDD/KvaA6Gfn5g==}
'@babel/code-frame@7.27.1':
resolution: {integrity: sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg==}
engines: {node: '>=6.9.0'}
@@ -1040,6 +1058,40 @@ packages:
cpu: [x64]
os: [win32]
'@secretlint/config-loader@11.2.5':
resolution: {integrity: sha512-pUiH5xc3x8RLEDq+0dCz65v4kohtfp68I7qmYPuymTwHodzjyJ089ZbNdN1ZX8SZV4xZLQsFIrRLn1lJ55QyyQ==}
engines: {node: '>=20.0.0'}
'@secretlint/core@11.2.5':
resolution: {integrity: sha512-PZNpBd6+KVya2tA3o1oC2kTWYKju8lZG9phXyQY7geWKf+a+fInN4/HSYfCQS495oyTSjhc9qI0mNQEw83PY2Q==}
engines: {node: '>=20.0.0'}
'@secretlint/formatter@11.2.5':
resolution: {integrity: sha512-9XBMeveo1eKXMC9zLjA6nd2lb5JjUgjj8NUpCo1Il8jO4YJ12k7qXZk3T/QJup+Kh0ThpHO03D9C1xLDIPIEPQ==}
engines: {node: '>=20.0.0'}
'@secretlint/node@11.2.5':
resolution: {integrity: sha512-nPdtUsTzDzBJzFiKh80/H5+2ZRRogtDuHhnNiGtF7LSHp8YsQHU5piAVbESdV0AmUjbWijAjscIsWqvtU+2JUQ==}
engines: {node: '>=20.0.0'}
'@secretlint/profiler@11.2.5':
resolution: {integrity: sha512-evQ2PeO3Ub0apWIPaXJy8lMDO1OFgvgQhZd+MhYLcLHgR559EtJ9V02Sh5c10wTLkLAtJ+czlJg2kmlt0nm8fw==}
'@secretlint/resolver@11.2.5':
resolution: {integrity: sha512-Zn9+Gj7cRNjEDX8d1NYZNjTG9/Wjlc8N+JvARFYYYu6JxfbtkabhFxzwxBLkRZ2ZCkPCCnuXJwepcgfVXSPsng==}
'@secretlint/secretlint-rule-preset-recommend@11.2.5':
resolution: {integrity: sha512-FAnp/dPdbvHEw50aF9JMPF/OwW58ULvVXEsk+mXTtBD09VJZhG0vFum8WzxMbB98Eo4xDddGzYtE3g27pBOaQA==}
engines: {node: '>=20.0.0'}
'@secretlint/source-creator@11.2.5':
resolution: {integrity: sha512-+ApoNDS4uIaLb2PG9PPEP9Zu1HDBWpxSd/+Qlb3MzKTwp2BG9sbUhvpGgxuIHFn7pMWQU60DhzYJJUBpbXZEHQ==}
engines: {node: '>=20.0.0'}
'@secretlint/types@11.2.5':
resolution: {integrity: sha512-iA7E+uXuiEydOwv8glEYM4tCHnl8C7wTgLxg+3upHhH/iSSnefWfoRqrJwVBhwxPg4MDoypVI7Oal7bX7/ne+w==}
engines: {node: '>=20.0.0'}
'@sinclair/typebox@0.34.41':
resolution: {integrity: sha512-6gS8pZzSXdyRHTIqoqSVknxolr1kzfy4/CeDnrzsVz8TTIWUbOBr6gnzOmTYJ3eXQNh4IYHIGi5aIL7sOZ2G/g==}
@@ -1052,6 +1104,21 @@ packages:
'@standard-schema/spec@1.0.0':
resolution: {integrity: sha512-m2bOd0f2RT9k8QJx1JN85cZYyH1RqFBdlwtkSlf4tBDYLCiiZnv1fIIwacK6cqwXavOydf0NPToMQgpKq+dVlA==}
'@textlint/ast-node-types@15.4.0':
resolution: {integrity: sha512-IqY8i7IOGuvy05wZxISB7Me1ZyrvhaQGgx6DavfQjH3cfwpPFdDbDYmMXMuSv2xLS1kDB1kYKBV7fL2Vi16lRA==}
'@textlint/linter-formatter@15.4.0':
resolution: {integrity: sha512-rfqOZmnI1Wwc/Pa4LK+vagvVPmvxf9oRsBRqIOB04DwhucingZyAIJI/TyG18DIDYbP2aFXBZ3oOvyAxHe/8PQ==}
'@textlint/module-interop@15.4.0':
resolution: {integrity: sha512-uGf+SFIfzOLCbZI0gp+2NLsrkSArsvEWulPP6lJuKp7yRHadmy7Xf/YHORe46qhNyyxc8PiAfiixHJSaHGUrGg==}
'@textlint/resolver@15.4.0':
resolution: {integrity: sha512-Vh/QceKZQHFJFG4GxxIsKM1Xhwv93mbtKHmFE5/ybal1mIKHdqF03Z9Guaqt6Sx/AeNUshq0hkMOEhEyEWnehQ==}
'@textlint/types@15.4.0':
resolution: {integrity: sha512-ZMwJgw/xjxJufOD+IB7I2Enl9Si4Hxo04B76RwUZ5cKBKzOPcmd6WvGe2F7jqdgmTdGnfMU+Bo/joQrjPNIWqg==}
'@tokenizer/inflate@0.3.1':
resolution: {integrity: sha512-4oeoZEBQdLdt5WmP/hx1KZ6D3/Oid/0cUb2nk4F0pTDAWy+KCH3/EnAkZF/bvckWo8I33EqBm01lIPgmgc8rCA==}
engines: {node: '>=18'}
@@ -1488,6 +1555,10 @@ packages:
resolution: {integrity: sha512-gKXj5ALrKWQLsYG9jlTRmR/xKluxHV+Z9QEwNIgCfM1/uwPMCuzVVnh5mwTd+OuBZcwSIMbqssNWRm1lE51QaQ==}
engines: {node: '>=8'}
ansi-escapes@7.2.0:
resolution: {integrity: sha512-g6LhBsl+GBPRWGWsBtutpzBYuIIdBkLEvad5C/va/74Db018+5TZiyA26cZJAr3Rft5lprVqOIPxf5Vid6tqAw==}
engines: {node: '>=18'}
ansi-regex@5.0.1:
resolution: {integrity: sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==}
engines: {node: '>=8'}
@@ -1538,6 +1609,10 @@ packages:
ast-v8-to-istanbul@0.3.8:
resolution: {integrity: sha512-szgSZqUxI5T8mLKvS7WTjF9is+MVbOeLADU73IseOcrqhxr/VAvy6wfoVE39KnKzA7JRhjF5eUagNlHwvZPlKQ==}
astral-regex@2.0.0:
resolution: {integrity: sha512-Z7tMw1ytTXt5jqMcOP+OQteU1VuNK9Y02uuJtKQ1Sv69jXQKKg5cibLwGJow8yzZP+eAc18EmLGPal0bp36rvQ==}
engines: {node: '>=8'}
asynckit@0.4.0:
resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
@@ -1576,9 +1651,16 @@ packages:
resolution: {integrity: sha512-a28v2eWrrRWPpJSzxc+mKwm0ZtVx/G8SepdQZDArnXYU/XS+IF6mp8aB/4E+hH1tyGCoDo3KlUCdlSxGDsRkAw==}
hasBin: true
binaryextensions@6.11.0:
resolution: {integrity: sha512-sXnYK/Ij80TO3lcqZVV2YgfKN5QjUWIRk/XSm2J/4bd/lPko3lvk0O4ZppH6m+6hB2/GTu+ptNwVFe1xh+QLQw==}
engines: {node: '>=4'}
bl@4.1.0:
resolution: {integrity: sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==}
boundary@2.0.0:
resolution: {integrity: sha512-rJKn5ooC9u8q13IMCrW0RSp31pxBCHE3y9V/tp3TdWSLf8Em3p6Di4NBpfzbJge9YjjFEsD0RtFEjtvHL5VyEA==}
brace-expansion@1.1.12:
resolution: {integrity: sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==}
@@ -1638,6 +1720,10 @@ packages:
resolution: {integrity: sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==}
engines: {node: '>=10'}
chalk@5.6.2:
resolution: {integrity: sha512-7NzBL0rN6fMUW+f7A6Io4h40qQlG+xGmtMxfbnH/K7TAtt8JQWVQK+6g0UXKMeVJoyV5EkkNsErQ8pVD3bLHbA==}
engines: {node: ^12.17.0 || ^14.13 || >=16.0.0}
char-regex@1.0.2:
resolution: {integrity: sha512-kWWXztvZ5SBQV+eRgKFeh8q5sLuZY2+8WUIzlxWVTg+oGwY14qylx1KbKzHd8P6ZYkAg0xyIDU9JMHhyJMZ1jw==}
engines: {node: '>=10'}
@@ -1801,6 +1887,10 @@ packages:
eastasianwidth@0.2.0:
resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==}
editions@6.22.0:
resolution: {integrity: sha512-UgGlf8IW75je7HZjNDpJdCv4cGJWIi6yumFdZ0R7A8/CIhQiWUjyGLCxdHpd8bmyD1gnkfUNK0oeOXqUS2cpfQ==}
engines: {ecmascript: '>= es5', node: '>=4'}
electron-to-chromium@1.5.259:
resolution: {integrity: sha512-I+oLXgpEJzD6Cwuwt1gYjxsDmu/S/Kd41mmLA3O+/uH2pFRO/DvOjUyGozL8j3KeLV6WyZ7ssPwELMsXCcsJAQ==}
@@ -1818,6 +1908,10 @@ packages:
resolution: {integrity: sha512-d4lC8xfavMeBjzGr2vECC3fsGXziXZQyJxD868h2M/mBI3PwAuODxAkLkq5HYuvrPYcUtiLzsTo8U3PgX3Ocww==}
engines: {node: '>=10.13.0'}
environment@1.1.0:
resolution: {integrity: sha512-xUtoPkMggbz0MPyPiIWr1Kp4aeWJjDZ6SMvURhimjdZgsRuDplF5/s9hcgGhyXMhs+6vpnuoiZ2kFiu3FMnS8Q==}
engines: {node: '>=18'}
error-ex@1.3.4:
resolution: {integrity: sha512-sqQamAnR14VgCr1A618A3sGrygcpK+HEbenA/HiEAkkUwcZIIB/tgWqHFxWgOyDh4nB4JCRimh79dR5Ywc9MDQ==}
@@ -2249,6 +2343,10 @@ packages:
resolution: {integrity: sha512-HGYWWS/ehqTV3xN10i23tkPkpH46MLCIMFNCaaKNavAXTF1RkqxawEPtnjnGZ6XKSInBKkiOA5BKS+aZiY3AvA==}
engines: {node: '>=8'}
istextorbinary@9.5.0:
resolution: {integrity: sha512-5mbUj3SiZXCuRf9fT3ibzbSSEWiy63gFfksmGfdOzujPjW3k+z8WvIBxcJHBoQNlaZaiyB25deviif2+osLmLw==}
engines: {node: '>=4'}
iterare@1.2.1:
resolution: {integrity: sha512-RKYVTCjAnRthyJes037NX/IiqeidgN1xc3j1RjFfECFp28A1GVwK9nA+i0rJPaHqSZwygLzRnFlzUuHFoWWy+Q==}
engines: {node: '>=6'}
@@ -2473,6 +2571,9 @@ packages:
lodash.merge@4.6.2:
resolution: {integrity: sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==}
lodash.truncate@4.4.2:
resolution: {integrity: sha512-jttmRe7bRse52OsWIMDLaXxWqRAmtIUccAQ3garviCqJjafXOfNMO0yMfNpdD6zbGaTU0P5Nz7e7gAT6cKmJRw==}
lodash@4.17.21:
resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}
@@ -2657,6 +2758,10 @@ packages:
resolution: {integrity: sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==}
engines: {node: '>=10'}
p-map@7.0.4:
resolution: {integrity: sha512-tkAQEw8ysMzmkhgw8k+1U/iPhWNhykKnSk4Rd5zLoPJCuJaGRPo6YposrZgaxHKzDHdDWWZvE/Sk7hsL2X/CpQ==}
engines: {node: '>=18'}
p-try@2.2.0:
resolution: {integrity: sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==}
engines: {node: '>=6'}
@@ -2725,6 +2830,9 @@ packages:
resolution: {integrity: sha512-HRDzbaKjC+AOWVXxAU/x54COGeIv9eb+6CkDSQoNTt4XyWoIJvuPsXizxu/Fr23EiekbtZwmh1IcIG/l/a10GQ==}
engines: {node: '>=8'}
pluralize@2.0.0:
resolution: {integrity: sha512-TqNZzQCD4S42De9IfnnBvILN7HAW7riLqsCyp8lgjXeysyPlX5HhqKAcJHHHb9XskE4/a+7VGC9zzx8Ls0jOAw==}
pluralize@8.0.0:
resolution: {integrity: sha512-Nc3IT5yHzflTfbjgqWcCPpo7DaKy4FnpB0l/zCAW0Tc7jxAiuqSxHasntB3D7887LSrA93kDJ9IXovxJYxyLCA==}
engines: {node: '>=4'}
@@ -2767,6 +2875,9 @@ packages:
randombytes@2.1.0:
resolution: {integrity: sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==}
rc-config-loader@4.1.3:
resolution: {integrity: sha512-kD7FqML7l800i6pS6pvLyIE2ncbk9Du8Q0gp/4hMPhJU6ZxApkoLcGD8ZeqgiAlfwZ6BlETq6qqe+12DUL207w==}
react-is@18.3.1:
resolution: {integrity: sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==}
@@ -2894,6 +3005,10 @@ packages:
resolution: {integrity: sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q==}
engines: {node: '>=8'}
slice-ansi@4.0.0:
resolution: {integrity: sha512-qMCMfhY040cVHT43K9BFygqYbUPFZKHOg7K73mtTWJRb8pyP3fzf4Ixd5SzdEJQ6MRUg/WBnOLxghZtKKurENQ==}
engines: {node: '>=10'}
source-map-js@1.2.1:
resolution: {integrity: sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==}
engines: {node: '>=0.10.0'}
@@ -2972,6 +3087,9 @@ packages:
resolution: {integrity: sha512-KIy5nylvC5le1OdaaoCJ07L+8iQzJHGH6pWDuzS+d07Cu7n1MZ2x26P8ZKIWfbK02+XIL8Mp4RkWeqdUCrDMfg==}
engines: {node: '>=18'}
structured-source@4.0.0:
resolution: {integrity: sha512-qGzRFNJDjFieQkl/sVOI2dUjHKRyL9dAJi2gCPGJLbJHBIkyOHxjuocpIEfbLioX+qSJpvbYdT49/YCdMznKxA==}
superagent@10.2.3:
resolution: {integrity: sha512-y/hkYGeXAj7wUMjxRbB21g/l6aAEituGXM9Rwl4o20+SX3e8YOSV6BxFXl+dL3Uk0mjSL3kCbNkwURm8/gEDig==}
engines: {node: '>=14.18.0'}
@@ -2988,6 +3106,10 @@ packages:
resolution: {integrity: sha512-MpUEN2OodtUzxvKQl72cUF7RQ5EiHsGvSsVG0ia9c5RbWGL2CI4C7EpPS8UTBIplnlzZiNuV56w+FuNxy3ty2Q==}
engines: {node: '>=10'}
supports-hyperlinks@3.2.0:
resolution: {integrity: sha512-zFObLMyZeEwzAoKCyu1B91U79K2t7ApXuQfo8OuxwXLDgcKxuwM+YvcbIhm6QWqz7mHUH1TVytR1PwVVjEuMig==}
engines: {node: '>=14.18'}
symbol-observable@4.0.0:
resolution: {integrity: sha512-b19dMThMV4HVFynSAM1++gBHAbk2Tc/osgLIBZMKsyqh34jb2e8Os7T6ZW/Bt3pJFdBTd2JwAnAAEQV7rSNvcQ==}
engines: {node: '>=0.10'}
@@ -2996,10 +3118,18 @@ packages:
resolution: {integrity: sha512-MeQTA1r0litLUf0Rp/iisCaL8761lKAZHaimlbGK4j0HysC4PLfqygQj9srcs0m2RdtDYnF8UuYyKpbjHYp7Jw==}
engines: {node: ^14.18.0 || >=16.0.0}
table@6.9.0:
resolution: {integrity: sha512-9kY+CygyYM6j02t5YFHbNz2FN5QmYGv9zAjVp4lCDjlCw7amdckXlEt/bjMhUIfj4ThGRE4gCUH5+yGnNuPo5A==}
engines: {node: '>=10.0.0'}
tapable@2.3.0:
resolution: {integrity: sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==}
engines: {node: '>=6'}
terminal-link@4.0.0:
resolution: {integrity: sha512-lk+vH+MccxNqgVqSnkMVKx4VLJfnLjDBGzH16JVZjKE2DoxP57s6/vt6JmXV5I3jBcfGrxNrYtC+mPtU7WJztA==}
engines: {node: '>=18'}
terser-webpack-plugin@5.3.14:
resolution: {integrity: sha512-vkZjpUjb6OMS7dhV+tILUW6BhpDR7P2L/aQSAv+Uwk+m8KATX9EccViHTJR2qDtACKPIYndLGCyl3FMo+r2LMw==}
engines: {node: '>= 10.13.0'}
@@ -3025,6 +3155,13 @@ packages:
resolution: {integrity: sha512-cAGWPIyOHU6zlmg88jwm7VRyXnMN7iV68OGAbYDk/Mh/xC/pzVPlQtY6ngoIH/5/tciuhGfvESU8GrHrcxD56w==}
engines: {node: '>=8'}
text-table@0.2.0:
resolution: {integrity: sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==}
textextensions@6.11.0:
resolution: {integrity: sha512-tXJwSr9355kFJI3lbCkPpUH5cP8/M0GGy2xLO34aZCjMXBaK3SoPnZwr/oWmo1FdCnELcs4npdCIOFtq9W3ruQ==}
engines: {node: '>=4'}
tinybench@2.9.0:
resolution: {integrity: sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==}
@@ -3217,6 +3354,10 @@ packages:
resolution: {integrity: sha512-kiGUalWN+rgBJ/1OHZsBtU4rXZOfj/7rKQxULKlIzwzQSvMJUUNgPwJEEh7gU6xEVxC0ahoOBvN2YI8GH6FNgA==}
engines: {node: '>=10.12.0'}
version-range@4.15.0:
resolution: {integrity: sha512-Ck0EJbAGxHwprkzFO966t4/5QkRuzh+/I1RxhLgUKKwEn+Cd8NwM60mE3AqBZg5gYODoXW0EFsQvbZjRlvdqbg==}
engines: {node: '>=4'}
vite@7.2.4:
resolution: {integrity: sha512-NL8jTlbo0Tn4dUEXEsUg8KeyG/Lkmc4Fnzb8JXN/Ykm9G4HNImjtABMJgkQoVjOBN/j2WAwDTRytdqJbZsah7w==}
engines: {node: ^20.19.0 || >=22.12.0}
@@ -3441,6 +3582,12 @@ snapshots:
transitivePeerDependencies:
- chokidar
'@azu/format-text@1.0.2': {}
'@azu/style-format@1.0.1':
dependencies:
'@azu/format-text': 1.0.2
'@babel/code-frame@7.27.1':
dependencies:
'@babel/helper-validator-identifier': 7.28.5
@@ -4344,6 +4491,68 @@ snapshots:
'@rollup/rollup-win32-x64-msvc@4.53.3':
optional: true
'@secretlint/config-loader@11.2.5':
dependencies:
'@secretlint/profiler': 11.2.5
'@secretlint/resolver': 11.2.5
'@secretlint/types': 11.2.5
ajv: 8.17.1
debug: 4.4.3
rc-config-loader: 4.1.3
transitivePeerDependencies:
- supports-color
'@secretlint/core@11.2.5':
dependencies:
'@secretlint/profiler': 11.2.5
'@secretlint/types': 11.2.5
debug: 4.4.3
structured-source: 4.0.0
transitivePeerDependencies:
- supports-color
'@secretlint/formatter@11.2.5':
dependencies:
'@secretlint/resolver': 11.2.5
'@secretlint/types': 11.2.5
'@textlint/linter-formatter': 15.4.0
'@textlint/module-interop': 15.4.0
'@textlint/types': 15.4.0
chalk: 5.6.2
debug: 4.4.3
pluralize: 8.0.0
strip-ansi: 7.1.2
table: 6.9.0
terminal-link: 4.0.0
transitivePeerDependencies:
- supports-color
'@secretlint/node@11.2.5':
dependencies:
'@secretlint/config-loader': 11.2.5
'@secretlint/core': 11.2.5
'@secretlint/formatter': 11.2.5
'@secretlint/profiler': 11.2.5
'@secretlint/source-creator': 11.2.5
'@secretlint/types': 11.2.5
debug: 4.4.3
p-map: 7.0.4
transitivePeerDependencies:
- supports-color
'@secretlint/profiler@11.2.5': {}
'@secretlint/resolver@11.2.5': {}
'@secretlint/secretlint-rule-preset-recommend@11.2.5': {}
'@secretlint/source-creator@11.2.5':
dependencies:
'@secretlint/types': 11.2.5
istextorbinary: 9.5.0
'@secretlint/types@11.2.5': {}
'@sinclair/typebox@0.34.41': {}
'@sinonjs/commons@3.0.1':
@@ -4356,6 +4565,35 @@ snapshots:
'@standard-schema/spec@1.0.0': {}
'@textlint/ast-node-types@15.4.0': {}
'@textlint/linter-formatter@15.4.0':
dependencies:
'@azu/format-text': 1.0.2
'@azu/style-format': 1.0.1
'@textlint/module-interop': 15.4.0
'@textlint/resolver': 15.4.0
'@textlint/types': 15.4.0
chalk: 4.1.2
debug: 4.4.3
js-yaml: 3.14.2
lodash: 4.17.21
pluralize: 2.0.0
string-width: 4.2.3
strip-ansi: 6.0.1
table: 6.9.0
text-table: 0.2.0
transitivePeerDependencies:
- supports-color
'@textlint/module-interop@15.4.0': {}
'@textlint/resolver@15.4.0': {}
'@textlint/types@15.4.0':
dependencies:
'@textlint/ast-node-types': 15.4.0
'@tokenizer/inflate@0.3.1':
dependencies:
debug: 4.4.3
@@ -4865,6 +5103,10 @@ snapshots:
dependencies:
type-fest: 0.21.3
ansi-escapes@7.2.0:
dependencies:
environment: 1.1.0
ansi-regex@5.0.1: {}
ansi-regex@6.2.2: {}
@@ -4904,6 +5146,8 @@ snapshots:
estree-walker: 3.0.3
js-tokens: 9.0.1
astral-regex@2.0.0: {}
asynckit@0.4.0: {}
babel-jest@30.2.0(@babel/core@7.28.5):
@@ -4964,12 +5208,18 @@ snapshots:
baseline-browser-mapping@2.8.31: {}
binaryextensions@6.11.0:
dependencies:
editions: 6.22.0
bl@4.1.0:
dependencies:
buffer: 5.7.1
inherits: 2.0.4
readable-stream: 3.6.2
boundary@2.0.0: {}
brace-expansion@1.1.12:
dependencies:
balanced-match: 1.0.2
@@ -5031,6 +5281,8 @@ snapshots:
ansi-styles: 4.3.0
supports-color: 7.2.0
chalk@5.6.2: {}
char-regex@1.0.2: {}
chardet@2.1.1: {}
@@ -5155,6 +5407,10 @@ snapshots:
eastasianwidth@0.2.0: {}
editions@6.22.0:
dependencies:
version-range: 4.15.0
electron-to-chromium@1.5.259: {}
emittery@0.13.1: {}
@@ -5168,6 +5424,8 @@ snapshots:
graceful-fs: 4.2.11
tapable: 2.3.0
environment@1.1.0: {}
error-ex@1.3.4:
dependencies:
is-arrayish: 0.2.1
@@ -5647,6 +5905,12 @@ snapshots:
html-escaper: 2.0.2
istanbul-lib-report: 3.0.1
istextorbinary@9.5.0:
dependencies:
binaryextensions: 6.11.0
editions: 6.22.0
textextensions: 6.11.0
iterare@1.2.1: {}
jackspeak@3.4.3:
@@ -6041,6 +6305,8 @@ snapshots:
lodash.merge@4.6.2: {}
lodash.truncate@4.4.2: {}
lodash@4.17.21: {}
log-symbols@4.1.0:
@@ -6204,6 +6470,8 @@ snapshots:
dependencies:
p-limit: 3.1.0
p-map@7.0.4: {}
p-try@2.2.0: {}
package-json-from-dist@1.0.1: {}
@@ -6255,6 +6523,8 @@ snapshots:
dependencies:
find-up: 4.1.0
pluralize@2.0.0: {}
pluralize@8.0.0: {}
postcss@8.5.6:
@@ -6291,6 +6561,15 @@ snapshots:
dependencies:
safe-buffer: 5.2.1
rc-config-loader@4.1.3:
dependencies:
debug: 4.4.3
js-yaml: 4.1.1
json5: 2.2.3
require-from-string: 2.0.2
transitivePeerDependencies:
- supports-color
react-is@18.3.1: {}
readable-stream@3.6.2:
@@ -6441,6 +6720,12 @@ snapshots:
slash@3.0.0: {}
slice-ansi@4.0.0:
dependencies:
ansi-styles: 4.3.0
astral-regex: 2.0.0
is-fullwidth-code-point: 3.0.0
source-map-js@1.2.1: {}
source-map-support@0.5.13:
@@ -6510,6 +6795,10 @@ snapshots:
dependencies:
'@tokenizer/token': 0.3.0
structured-source@4.0.0:
dependencies:
boundary: 2.0.0
superagent@10.2.3:
dependencies:
component-emitter: 1.3.1
@@ -6539,14 +6828,32 @@ snapshots:
dependencies:
has-flag: 4.0.0
supports-hyperlinks@3.2.0:
dependencies:
has-flag: 4.0.0
supports-color: 7.2.0
symbol-observable@4.0.0: {}
synckit@0.11.11:
dependencies:
'@pkgr/core': 0.2.9
table@6.9.0:
dependencies:
ajv: 8.17.1
lodash.truncate: 4.4.2
slice-ansi: 4.0.0
string-width: 4.2.3
strip-ansi: 6.0.1
tapable@2.3.0: {}
terminal-link@4.0.0:
dependencies:
ansi-escapes: 7.2.0
supports-hyperlinks: 3.2.0
terser-webpack-plugin@5.3.14(webpack@5.100.2):
dependencies:
'@jridgewell/trace-mapping': 0.3.31
@@ -6569,6 +6876,12 @@ snapshots:
glob: 7.2.3
minimatch: 3.1.2
text-table@0.2.0: {}
textextensions@6.11.0:
dependencies:
editions: 6.22.0
tinybench@2.9.0: {}
tinyexec@0.3.2: {}
@@ -6770,6 +7083,8 @@ snapshots:
'@types/istanbul-lib-coverage': 2.0.6
convert-source-map: 2.0.0
version-range@4.15.0: {}
vite@7.2.4(@types/node@22.19.1)(terser@5.44.1)(tsx@4.20.6):
dependencies:
esbuild: 0.25.12