npm - @agjs/tsforge - Versions diffs - 0.1.19 → 0.2.1 - Mend

@agjs/tsforge 0.1.19 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (122) hide show

package/src/rule-packs/fastify/rules/test-inject-must-close-app.ts ADDED Viewed

@@ -0,0 +1,44 @@
+import type { TSESTree } from "@typescript-eslint/utils";
+import { createRule } from "../../create-rule";
+import { isTestFile } from "../../react-component-architecture/utils";
+import { nodeContainsMemberCall } from "../utils/fastifyChain";
+export const RULE_NAME = "test-inject-must-close-app";
+type MessageIds = "missingAppClose";
+export const testInjectMustCloseAppRule = createRule<[], MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Test files using fastify.inject must register teardown that calls app.close() to drain connections.",
+    },
+    schema: [],
+    messages: {
+      missingAppClose:
+        "Tests using `.inject(...)` must call `app.close()` in an `after`/`t.after` hook to drain connection pools.",
+    },
+  },
+  defaultOptions: [],
+  create(context) {
+    const filename = context.filename;
+    if (!isTestFile(filename)) {
+      return {};
+    }
+    return {
+      "Program:exit"(program: TSESTree.Program) {
+        const usesInject = nodeContainsMemberCall(program, "inject");
+        const closesApp = nodeContainsMemberCall(program, "close");
+        if (usesInject && !closesApp) {
+          context.report({ node: program, messageId: "missingAppClose" });
+        }
+      },
+    };
+  },
+});

package/src/rule-packs/fastify/utils/fastifyChain.ts ADDED Viewed

@@ -0,0 +1,231 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+import { walkSome } from "../../utils";
+export const ROUTE_METHODS = new Set([
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "head",
+  "options",
+  "all",
+]);
+export const MUTATING_METHODS = new Set(["post", "put", "patch"]);
+/** Collect identifiers bound to a Fastify instance (`Fastify()` / `require('fastify')()`). */
+export function collectFastifyVariables(
+  program: TSESTree.Program
+): Set<string> {
+  const vars = new Set<string>();
+  for (const statement of program.body) {
+    if (statement.type !== AST_NODE_TYPES.VariableDeclaration) {
+      continue;
+    }
+    for (const decl of statement.declarations) {
+      if (decl.id.type !== AST_NODE_TYPES.Identifier || decl.init === null) {
+        continue;
+      }
+      if (isFastifyFactoryCall(decl.init)) {
+        vars.add(decl.id.name);
+      }
+    }
+  }
+  return vars;
+}
+function isFastifyFactoryCall(node: TSESTree.Expression): boolean {
+  if (node.type !== AST_NODE_TYPES.CallExpression) {
+    return false;
+  }
+  const callee = node.callee;
+  if (callee.type === AST_NODE_TYPES.CallExpression) {
+    return isFastifyFactoryCall(callee);
+  }
+  if (callee.type === AST_NODE_TYPES.Identifier && callee.name === "Fastify") {
+    return true;
+  }
+  if (
+    callee.type === AST_NODE_TYPES.MemberExpression &&
+    !callee.computed &&
+    callee.property.type === AST_NODE_TYPES.Identifier &&
+    callee.property.name === "default" &&
+    callee.object.type === AST_NODE_TYPES.Identifier &&
+    callee.object.name === "Fastify"
+  ) {
+    return true;
+  }
+  return false;
+}
+export function getRouteMethodName(
+  node: TSESTree.CallExpression,
+  fastifyVars: ReadonlySet<string>
+): string | null {
+  const callee = node.callee;
+  if (callee.type !== AST_NODE_TYPES.MemberExpression || callee.computed) {
+    return null;
+  }
+  if (
+    callee.object.type !== AST_NODE_TYPES.Identifier ||
+    !fastifyVars.has(callee.object.name)
+  ) {
+    return null;
+  }
+  if (callee.property.type !== AST_NODE_TYPES.Identifier) {
+    return null;
+  }
+  const method = callee.property.name;
+  return ROUTE_METHODS.has(method) ? method : null;
+}
+export function findRouteOptionsArg(
+  node: TSESTree.CallExpression
+): TSESTree.ObjectExpression | null {
+  const firstArg = node.arguments[0];
+  if (
+    firstArg?.type === AST_NODE_TYPES.ObjectExpression &&
+    node.arguments.length >= 2
+  ) {
+    return firstArg;
+  }
+  const secondArg = node.arguments[1];
+  if (secondArg?.type === AST_NODE_TYPES.ObjectExpression) {
+    return secondArg;
+  }
+  return null;
+}
+export function findObjectProperty(
+  object: TSESTree.ObjectExpression,
+  keyName: string
+): TSESTree.Property | null {
+  for (const prop of object.properties) {
+    if (prop.type !== AST_NODE_TYPES.Property || prop.computed) {
+      continue;
+    }
+    const key = prop.key;
+    if (key.type === AST_NODE_TYPES.Identifier && key.name === keyName) {
+      return prop;
+    }
+    if (key.type === AST_NODE_TYPES.Literal && key.value === keyName) {
+      return prop;
+    }
+  }
+  return null;
+}
+export function findNestedProperty(
+  object: TSESTree.ObjectExpression,
+  ...keys: string[]
+): TSESTree.Property | null {
+  let current: TSESTree.ObjectExpression | null = object;
+  for (let index = 0; index < keys.length; index += 1) {
+    const keyName = keys[index];
+    if (current === null || keyName === undefined) {
+      return null;
+    }
+    const prop = findObjectProperty(current, keyName);
+    if (prop === null) {
+      return null;
+    }
+    if (index === keys.length - 1) {
+      return prop;
+    }
+    if (prop.value.type === AST_NODE_TYPES.ObjectExpression) {
+      current = prop.value;
+    } else {
+      return null;
+    }
+  }
+  return null;
+}
+export function getRouteHandler(
+  node: TSESTree.CallExpression
+): TSESTree.ArrowFunctionExpression | TSESTree.FunctionExpression | null {
+  for (const arg of node.arguments) {
+    if (
+      arg.type === AST_NODE_TYPES.ArrowFunctionExpression ||
+      arg.type === AST_NODE_TYPES.FunctionExpression
+    ) {
+      return arg;
+    }
+  }
+  return null;
+}
+export function nodeContainsCallNamed(
+  root: TSESTree.Node,
+  objectName: string,
+  methodName: string
+): boolean {
+  return walkSome(root, (node) => {
+    if (node.type !== AST_NODE_TYPES.CallExpression) {
+      return false;
+    }
+    const callee = node.callee;
+    return (
+      callee.type === AST_NODE_TYPES.MemberExpression &&
+      !callee.computed &&
+      callee.object.type === AST_NODE_TYPES.Identifier &&
+      callee.object.name === objectName &&
+      callee.property.type === AST_NODE_TYPES.Identifier &&
+      callee.property.name === methodName
+    );
+  });
+}
+export function nodeContainsMemberCall(
+  root: TSESTree.Node,
+  methodName: string
+): boolean {
+  return walkSome(root, (node) => {
+    if (node.type !== AST_NODE_TYPES.CallExpression) {
+      return false;
+    }
+    const callee = node.callee;
+    return (
+      callee.type === AST_NODE_TYPES.MemberExpression &&
+      !callee.computed &&
+      callee.property.type === AST_NODE_TYPES.Identifier &&
+      callee.property.name === methodName
+    );
+  });
+}

package/src/rule-packs/index.ts CHANGED Viewed

@@ -1,30 +1,37 @@
 import type { TSESLint } from "@typescript-eslint/utils";
 import type { IRulePack } from "./rule-packs.types";
+import { authorizationPack } from "./authorization";
 import { bullmqPack } from "./bullmq";
 import { commentHygienePack } from "./comment-hygiene";
 import { codeFlowPack } from "./code-flow";
 import { drizzlePack } from "./drizzle";
 import { elysiaPack } from "./elysia";
 import { envAccessPack } from "./env-access";
+import { fastifyPack } from "./fastify";
 import { i18nKeysPack } from "./i18n-keys";
 import { jwtCookiesPack } from "./jwt-cookies";
 import { moduleBoundariesPack } from "./module-boundaries";
 import { nextjsPack } from "./nextjs";
 import { oauthSecurityPack } from "./oauth-security";
 import { reactComponentArchitecturePack } from "./react-component-architecture";
+import { runtimeBoundariesPack } from "./runtime-boundaries";
+import { securityPack } from "./security";
 import { structuredLoggingPack } from "./structured-logging";
 import { tanstackQueryPack } from "./tanstack-query";
 import { testConventionsPack } from "./test-conventions";
+import { typescriptCorePack } from "./typescript-core";
 import { PACK_REGISTRY } from "../stack-detection";
 /** Registry of all available rule packs, keyed by pack ID. */
 export const RULE_PACKS = {
+  authorization: authorizationPack,
   bullmq: bullmqPack,
   "code-flow": codeFlowPack,
   "comment-hygiene": commentHygienePack,
   drizzle: drizzlePack,
   elysia: elysiaPack,
+  fastify: fastifyPack,
   "env-access": envAccessPack,
   "i18n-keys": i18nKeysPack,
   "jwt-cookies": jwtCookiesPack,
@@ -32,9 +39,12 @@ export const RULE_PACKS = {
   nextjs: nextjsPack,
   "oauth-security": oauthSecurityPack,
   "react-component-architecture": reactComponentArchitecturePack,
+  "runtime-boundaries": runtimeBoundariesPack,
+  security: securityPack,
   "structured-logging": structuredLoggingPack,
   "tanstack-query": tanstackQueryPack,
   "test-conventions": testConventionsPack,
+  "typescript-core": typescriptCorePack,
 } as const;
 export type IRulePackId = keyof typeof RULE_PACKS;

package/src/rule-packs/jwt-cookies/index.ts CHANGED Viewed

@@ -2,13 +2,20 @@ import type { TSESLint } from "@typescript-eslint/utils";
 import { authCookieMustBeHttpOnlyRule } from "./rules/auth-cookie-must-be-httponly";
 import { authCookieMustBeSecureInProdRule } from "./rules/auth-cookie-must-be-secure-in-prod";
+import { authCookieMustSetMaxAgeOrExpiresRule } from "./rules/auth-cookie-must-set-maxage-or-expires";
+import { authCookieMustSetSameSiteRule } from "./rules/auth-cookie-must-set-samesite";
 import { bcryptRoundsMinRule } from "./rules/bcrypt-rounds-min";
+import { jwtMustVerifyNotDecodeRule } from "./rules/jwt-must-verify-not-decode";
 import type { IRulePack } from "../rule-packs.types";
 const rules: Record<string, TSESLint.RuleModule<string, readonly unknown[]>> = {
   "auth-cookie-must-be-httponly": authCookieMustBeHttpOnlyRule,
   "auth-cookie-must-be-secure-in-prod": authCookieMustBeSecureInProdRule,
+  "auth-cookie-must-set-maxage-or-expires":
+    authCookieMustSetMaxAgeOrExpiresRule,
+  "auth-cookie-must-set-samesite": authCookieMustSetSameSiteRule,
   "bcrypt-rounds-min": bcryptRoundsMinRule,
+  "jwt-must-verify-not-decode": jwtMustVerifyNotDecodeRule,
 };
 export const jwtCookiesPack: IRulePack = {
@@ -18,7 +25,10 @@ export const jwtCookiesPack: IRulePack = {
   rulesConfig: {
     "auth-cookie-must-be-httponly": "error",
     "auth-cookie-must-be-secure-in-prod": "error",
+    "auth-cookie-must-set-maxage-or-expires": "warn",
+    "auth-cookie-must-set-samesite": "error",
     "bcrypt-rounds-min": "error",
+    "jwt-must-verify-not-decode": "error",
   },
 };

package/src/rule-packs/jwt-cookies/rules/auth-cookie-must-set-maxage-or-expires.ts ADDED Viewed

@@ -0,0 +1,132 @@
+import type { JSONSchema4 } from "@typescript-eslint/utils/json-schema";
+import { createRule } from "../../create-rule";
+import {
+  DEFAULT_AUTH_COOKIE_NAMES,
+  DEFAULT_SET_COOKIE_FUNCTIONS,
+  DEFAULT_TRUSTED_CONFIG_NAMES,
+  lookupCookieOption,
+  matchAuthCookieSet,
+} from "../utils";
+export const RULE_NAME = "auth-cookie-must-set-maxage-or-expires";
+export interface IAuthCookieMustSetMaxAgeOrExpiresOptions {
+  readonly authCookieNames?: readonly string[];
+  readonly trustedConfigNames?: readonly string[];
+  readonly setCookieFunctions?: readonly string[];
+}
+type RuleOptions = [IAuthCookieMustSetMaxAgeOrExpiresOptions];
+type MessageIds = "missingLifetime";
+const optionSchema: JSONSchema4 = {
+  type: "object",
+  additionalProperties: false,
+  properties: {
+    authCookieNames: {
+      type: "array",
+      items: { type: "string" },
+      uniqueItems: true,
+      minItems: 1,
+    },
+    trustedConfigNames: {
+      type: "array",
+      items: { type: "string" },
+      uniqueItems: true,
+    },
+    setCookieFunctions: {
+      type: "array",
+      items: { type: "string" },
+      uniqueItems: true,
+      minItems: 1,
+    },
+  },
+};
+export const authCookieMustSetMaxAgeOrExpiresRule = createRule<
+  RuleOptions,
+  MessageIds
+>({
+  name: RULE_NAME,
+  meta: {
+    type: "suggestion",
+    docs: {
+      description:
+        "Auth-cookie writes should set `maxAge` or `expires` so session cookies do not live forever by default.",
+    },
+    schema: [optionSchema],
+    messages: {
+      missingLifetime:
+        "Auth cookie '{{name}}' missing `maxAge` or `expires` — session cookies without a lifetime persist until cleared.",
+    },
+  },
+  defaultOptions: [
+    {
+      authCookieNames: [...DEFAULT_AUTH_COOKIE_NAMES],
+      trustedConfigNames: [...DEFAULT_TRUSTED_CONFIG_NAMES],
+      setCookieFunctions: [...DEFAULT_SET_COOKIE_FUNCTIONS],
+    },
+  ],
+  create(context, [options]) {
+    const authCookieNames = new Set(
+      options.authCookieNames ?? DEFAULT_AUTH_COOKIE_NAMES
+    );
+    const trustedConfigNames = new Set(
+      options.trustedConfigNames ?? DEFAULT_TRUSTED_CONFIG_NAMES
+    );
+    const setCookieFunctions = new Set(
+      options.setCookieFunctions ?? DEFAULT_SET_COOKIE_FUNCTIONS
+    );
+    return {
+      CallExpression(node) {
+        const match = matchAuthCookieSet(
+          node,
+          authCookieNames,
+          setCookieFunctions
+        );
+        if (match === null) {
+          return;
+        }
+        if (match.optionsNode === null) {
+          context.report({
+            node,
+            messageId: "missingLifetime",
+            data: { name: match.cookieName },
+          });
+          return;
+        }
+        const maxAge = lookupCookieOption(
+          match.optionsNode,
+          "maxAge",
+          trustedConfigNames
+        );
+        const expires = lookupCookieOption(
+          match.optionsNode,
+          "expires",
+          trustedConfigNames
+        );
+        if (
+          maxAge.hasTrustedSpread ||
+          expires.hasTrustedSpread ||
+          maxAge.value !== null ||
+          expires.value !== null
+        ) {
+          return;
+        }
+        context.report({
+          node,
+          messageId: "missingLifetime",
+          data: { name: match.cookieName },
+        });
+      },
+    };
+  },
+});

package/src/rule-packs/jwt-cookies/rules/auth-cookie-must-set-samesite.ts ADDED Viewed

@@ -0,0 +1,151 @@
+import { AST_NODE_TYPES } from "@typescript-eslint/utils";
+import type { JSONSchema4 } from "@typescript-eslint/utils/json-schema";
+import { createRule } from "../../create-rule";
+import {
+  DEFAULT_AUTH_COOKIE_NAMES,
+  DEFAULT_SET_COOKIE_FUNCTIONS,
+  DEFAULT_TRUSTED_CONFIG_NAMES,
+  lookupCookieOption,
+  matchAuthCookieSet,
+} from "../utils";
+export const RULE_NAME = "auth-cookie-must-set-samesite";
+export interface IAuthCookieMustSetSameSiteOptions {
+  readonly authCookieNames?: readonly string[];
+  readonly trustedConfigNames?: readonly string[];
+  readonly setCookieFunctions?: readonly string[];
+}
+type RuleOptions = [IAuthCookieMustSetSameSiteOptions];
+type MessageIds = "missingSameSite";
+const optionSchema: JSONSchema4 = {
+  type: "object",
+  additionalProperties: false,
+  properties: {
+    authCookieNames: {
+      type: "array",
+      items: { type: "string" },
+      uniqueItems: true,
+      minItems: 1,
+    },
+    trustedConfigNames: {
+      type: "array",
+      items: { type: "string" },
+      uniqueItems: true,
+    },
+    setCookieFunctions: {
+      type: "array",
+      items: { type: "string" },
+      uniqueItems: true,
+      minItems: 1,
+    },
+  },
+};
+export const authCookieMustSetSameSiteRule = createRule<
+  RuleOptions,
+  MessageIds
+>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Auth-cookie writes must set `sameSite` (`strict` or `lax`) — missing SameSite allows cross-site cookie delivery.",
+    },
+    schema: [optionSchema],
+    messages: {
+      missingSameSite:
+        "Auth cookie '{{name}}' missing `sameSite` — set `sameSite: 'strict'` or `'lax'` to limit cross-site delivery.",
+    },
+  },
+  defaultOptions: [
+    {
+      authCookieNames: [...DEFAULT_AUTH_COOKIE_NAMES],
+      trustedConfigNames: [...DEFAULT_TRUSTED_CONFIG_NAMES],
+      setCookieFunctions: [...DEFAULT_SET_COOKIE_FUNCTIONS],
+    },
+  ],
+  create(context, [options]) {
+    const authCookieNames = new Set(
+      options.authCookieNames ?? DEFAULT_AUTH_COOKIE_NAMES
+    );
+    const trustedConfigNames = new Set(
+      options.trustedConfigNames ?? DEFAULT_TRUSTED_CONFIG_NAMES
+    );
+    const setCookieFunctions = new Set(
+      options.setCookieFunctions ?? DEFAULT_SET_COOKIE_FUNCTIONS
+    );
+    return {
+      CallExpression(node) {
+        const match = matchAuthCookieSet(
+          node,
+          authCookieNames,
+          setCookieFunctions
+        );
+        if (match === null) {
+          return;
+        }
+        if (match.optionsNode === null) {
+          context.report({
+            node,
+            messageId: "missingSameSite",
+            data: { name: match.cookieName },
+          });
+          return;
+        }
+        const { value, hasTrustedSpread } = lookupCookieOption(
+          match.optionsNode,
+          "sameSite",
+          trustedConfigNames
+        );
+        if (hasTrustedSpread) {
+          if (
+            value !== null &&
+            value.type === AST_NODE_TYPES.Literal &&
+            value.value === "none"
+          ) {
+            context.report({
+              node: value,
+              messageId: "missingSameSite",
+              data: { name: match.cookieName },
+            });
+          }
+          return;
+        }
+        if (value === null) {
+          context.report({
+            node,
+            messageId: "missingSameSite",
+            data: { name: match.cookieName },
+          });
+          return;
+        }
+        if (
+          value.type === AST_NODE_TYPES.Literal &&
+          value.value !== "strict" &&
+          value.value !== "lax"
+        ) {
+          context.report({
+            node: value,
+            messageId: "missingSameSite",
+            data: { name: match.cookieName },
+          });
+        }
+      },
+    };
+  },
+});