@agjs/tsforge 0.3.4 → 0.4.0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@agjs/tsforge",
   "type": "module",
-  "version": "0.3.4",
+  "version": "0.4.0",
   "license": "MIT",
   "description": "TypeScript coding harness with a deterministic gate, stack-aware guardrails, and stream-level correction.",
   "repository": {
@@ -38,6 +38,7 @@
     "eslint-plugin-react": "^7.37.5",
     "eslint-plugin-react-hooks": "^7.1.1",
     "eslint-plugin-jsx-a11y": "^6.10.2",
+    "eslint-plugin-sonarjs": "4.0.3",
     "eslint": "10.4.0",
     "prettier": "3.8.3",
     "typescript": "6.0.3",

package/scripts/build-rules-md.ts

@@ -131,6 +131,7 @@ const categoryOrder = [
   "testing",
   "stack-layout",
   "ci",
+  "container",
 ] as const;
 
 const rulesByCategory = new Map<string, (typeof META_RULES)[number][]>();
@@ -172,9 +173,11 @@ out.push(
   "- GraphQL/WebSocket/OpenAPI contract rules (until OpenAPI dep + parser)"
 );
 out.push(
-  "- Container/Kubernetes YAML hardening (future meta-rules when Dockerfile/k8s detected)"
+  "- Kubernetes / Compose YAML hardening (Dockerfile hardening now ships as container meta-rules)"
+);
+out.push(
+  "- MCP-server security pack (the AI-SDK pack now covers `ai`/`openai`/Anthropic clients)"
 );
-out.push("- LLM/MCP security packs (opt-in when AI SDK deps detected)");
 out.push("- FSD layer DAG / full authorization taint tracking");
 out.push("- Lighthouse / bundle-analyzer CI gates");
 out.push("- Violation ratcheting / baseline snapshots (Phase 5)");

package/src/cli.ts

@@ -774,7 +774,7 @@ async function baseGate(
   }
 
   if (args.web) {
-    const web = buildWebGate("react");
+    const web = buildWebGate("react", undefined, args.dir);
 
     return { accept: web.command, gateLabel: web.label };
   }
@@ -980,7 +980,7 @@ async function repl(args: ICliArgs): Promise<number> {
       `\n  ↳ scaffolding a ${frameworkLabel(framework)} project\n`
     );
     await setUpWebProject(args.dir, framework);
-    session.setGate(buildWebGate(framework).command);
+    session.setGate(buildWebGate(framework, undefined, args.dir).command);
     session.setFix(buildWebFix(framework));
     session.setIncrementalCheck(buildWebTscCheck());
     session.guide(webGuidance(framework));

package/src/detect-gate.ts

@@ -442,7 +442,8 @@ function packEnvPrefix(
 
 export function buildWebGate(
   framework: WebFramework,
-  packs: readonly string[] = WEB_PACKS
+  packs: readonly string[] = WEB_PACKS,
+  cwd: string = process.cwd()
 ): IGate {
   const template = WEB_TEMPLATES[framework];
   const ignores = template.eslintIgnore
@@ -478,8 +479,21 @@ export function buildWebGate(
   // fails fast.
   const stubs = `bun "${STUB_CHECK}" .`;
 
+  // Type-aware async correctness (no-floating-promises / no-misused-promises) —
+  // the CORE gate already runs this via typeAwareLintPart(), but the web gate
+  // historically did not, so a dropped `await` in a handler/effect/mutation passed.
+  // Splice it in after the syntactic lint when the scaffold has a tsconfig (it
+  // always does), reusing the SHIPPED strict.type-aware config verbatim.
+  const typeAware = existsSync(join(cwd, "tsconfig.json"))
+    ? `bun "${ESLINT_BIN}" --no-config-lookup -c "${TYPE_AWARE_CONFIG}" ${ignores} --format json .`.replace(
+        /\s+/g,
+        " "
+      )
+    : null;
+  const lintChain = typeAware === null ? lint : `${lint} && ${typeAware}`;
+
   return {
-    command: `${build} && ${tsc} && ${lint} && ${stubs} && ${format} && ${render}`,
+    command: `${build} && ${tsc} && ${lintChain} && ${stubs} && ${format} && ${render}`,
     label: `${template.label} (build + behaviour smoke)`,
   };
 }

package/src/loop/feedback/meta-rule-docs.ts

@@ -86,4 +86,14 @@ export const META_RULE_DOCS: Record<string, string> = {
 
   "no-github-context-in-shell":
     "Pass github.event values through env: instead of interpolating them directly in run: shell scripts.",
+
+  // Container
+  "dockerfile-base-image-pinned":
+    "Pin every Dockerfile FROM to an explicit non-latest tag (e.g. node:24.3.0-bookworm) or a @sha256: digest; build-stage references and scratch are exempt.",
+
+  "dockerfile-non-root-user":
+    "Add a non-root USER instruction (after the install steps) so the container process does not run as root.",
+
+  "dockerfile-no-secrets-in-env-arg":
+    "Do not assign secret-looking ENV/ARG literals (names ending in _KEY/_TOKEN/_SECRET/_PASSWORD) — they bake into image layers; inject them at runtime via --env-file, a secret manager, or a BuildKit --secret mount.",
 };

package/src/loop/prompt/prompt.ts

@@ -15,6 +15,7 @@ export const SYSTEM = [
   "The harness also AUTO-FIXES mechanical formatting on every file you write — blank lines, braces, quotes, semicolons, import order, `prefer-template`. NEVER hand-fix or chase those, and do NOT run `tsc`/`eslint`/the gate yourself to look for them. Fix only what the gate explicitly hands back (`as`/`any`/`!`, `I`-prefix, real type errors), then stop.",
   "Test hypotheses by RUNNING them, never by reasoning them out. Unsure about an edge case, rounding, or ordering (`Math.floor(100/3)`, largest-remainder ties)? `run` a quick `bun -e '…console.log(…)'`, or write a throwaway `scratch/check.ts` importing your impl and `run` it. `scratch/` is yours — the gate ignores it.",
   "The gate is `tsc` strict + eslint with every rule an error, so write TypeScript that satisfies it: interfaces are `I`-prefixed; `===`; no `var`; never the non-null `!` — guard index access (`const x = arr[i]; if (x === undefined) {...}`); no `any` and no `as` — type every parameter (e.g. `.reduce((acc: number, r: number) => …, 0)`); explicit boolean conditions. When the gate flags errors in read-only files (tests/types), they come from your editable file being missing or wrong-shaped and vanish once it's correct — don't edit them.",
+  "Keep functions small: the gate caps cognitive complexity at 20 and nesting depth at 4. If a function grows long or deeply nested, extract named helpers instead of one sprawling block. Always `await` promises (or `void` them deliberately) — a floating promise is a gate error.",
 ].join("\n");
 
 /** Appended to SYSTEM for from-scratch, NON-web utility builds when the simplicity

package/src/meta-rules/context.ts

@@ -133,6 +133,55 @@ function collectWorkflowFiles(root: string): string[] {
   return out.sort();
 }
 
+/** True for a Dockerfile-shaped name: `Dockerfile`, `Dockerfile.<x>`, `<x>.Dockerfile`. */
+function isDockerfileName(entry: string): boolean {
+  return (
+    entry === "Dockerfile" ||
+    entry.startsWith("Dockerfile.") ||
+    entry.endsWith(".Dockerfile")
+  );
+}
+
+/** Dockerfiles at the root and one directory level down (e.g. docker/, apps/*). */
+function collectDockerfiles(root: string): string[] {
+  const out: string[] = [];
+
+  const scanDir = (dir: string, relBase: string): void => {
+    let entries: string[];
+
+    try {
+      entries = readdirSync(dir);
+    } catch {
+      return;
+    }
+
+    for (const entry of entries) {
+      if (IGNORE_SEGMENTS.has(entry)) {
+        continue;
+      }
+
+      const full = join(dir, entry);
+      const rel = relBase === "" ? entry : join(relBase, entry);
+
+      try {
+        const stat = statSync(full);
+
+        if (stat.isFile() && isDockerfileName(entry)) {
+          out.push(rel);
+        } else if (stat.isDirectory() && relBase === "") {
+          scanDir(full, entry); // one level only
+        }
+      } catch {
+        // Skip unreadable entries
+      }
+    }
+  };
+
+  scanDir(root, "");
+
+  return out.sort();
+}
+
 /** Parse package.json, returning null on error. */
 function parsePackageJson(root: string): Record<string, unknown> | null {
   const pkgPath = join(root, "package.json");
@@ -196,6 +245,7 @@ export function buildMetaRuleContext(
     sourceFiles: collectSourceFiles(root),
     configFiles: collectConfigFiles(root),
     workflowFiles: collectWorkflowFiles(root),
+    dockerfiles: collectDockerfiles(root),
     activePacks,
     readFile,
   };

package/src/meta-rules/meta-rules.types.ts

@@ -10,7 +10,8 @@ export type MetaRuleCategory =
   | "source-text"
   | "testing"
   | "stack-layout"
-  | "ci";
+  | "ci"
+  | "container";
 
 /** A single rule violation (file, rule, message). */
 export interface IMetaRuleViolation {
@@ -30,6 +31,7 @@ export interface IMetaRuleContext {
   readonly sourceFiles: readonly string[]; // repo-relative .ts/.tsx
   readonly configFiles: readonly string[]; // tsconfig*, eslint*, package.json, *.config.*
   readonly workflowFiles: readonly string[]; // .github/workflows/*.yml|yaml
+  readonly dockerfiles: readonly string[]; // Dockerfile, Dockerfile.*, *.Dockerfile (root + 1 level)
   readonly activePacks: readonly string[]; // pack ids from stack detection
   readonly readFile: (relPath: string) => string | null; // cached, safe
 }

package/src/meta-rules/registry.ts

@@ -25,6 +25,9 @@ import { workflowPermissionsExplicitRule } from "./rules/ci/workflow-permissions
 import { workflowPermissionsLeastPrivilegeRule } from "./rules/ci/workflow-permissions-least-privilege";
 import { noPullRequestTargetUntrustedCheckoutRule } from "./rules/ci/no-pull-request-target-untrusted-checkout";
 import { noGithubContextInShellRule } from "./rules/ci/no-github-context-in-shell";
+import { dockerfileBaseImagePinnedRule } from "./rules/docker/dockerfile-base-image-pinned";
+import { dockerfileNonRootUserRule } from "./rules/docker/dockerfile-non-root-user";
+import { dockerfileNoSecretsInEnvArgRule } from "./rules/docker/dockerfile-no-secrets-in-env-arg";
 
 /**
  * All available meta-rules, ordered by category for readability.
@@ -66,4 +69,9 @@ export const META_RULES: readonly IMetaRule[] = [
   workflowPermissionsLeastPrivilegeRule,
   noPullRequestTargetUntrustedCheckoutRule,
   noGithubContextInShellRule,
+
+  // Container
+  dockerfileBaseImagePinnedRule,
+  dockerfileNonRootUserRule,
+  dockerfileNoSecretsInEnvArgRule,
 ];

package/src/meta-rules/rules/docker/dockerfile-base-image-pinned.ts

@@ -0,0 +1,73 @@
+import type { IMetaRule, IMetaRuleViolation } from "../../meta-rules.types";
+import { dockerInstructionLines } from "./utils";
+
+/**
+ * Every `FROM` must pin its base image to an explicit, non-floating tag (or a
+ * digest). `latest` (or no tag) changes underneath you between builds with no
+ * diff — non-reproducible images and silent base-image drift.
+ */
+const FROM_PATTERN = /^(?<ref>\S+)(?:\s+[Aa][Ss]\s+(?<stage>\S+))?/u;
+
+/** The tag of an image ref, or null when untagged. Splits on the LAST `/` so a
+ *  registry host:port (which also contains `:`) is not mistaken for a tag. */
+function imageTag(ref: string): string | null {
+  const lastSlash = ref.lastIndexOf("/");
+  const finalSegment = lastSlash === -1 ? ref : ref.slice(lastSlash + 1);
+  const colon = finalSegment.indexOf(":");
+
+  return colon === -1 ? null : finalSegment.slice(colon + 1);
+}
+
+export const dockerfileBaseImagePinnedRule: IMetaRule = {
+  id: "dockerfile-base-image-pinned",
+  category: "container",
+  description:
+    "Dockerfile FROM instructions must pin an explicit non-latest tag (or a digest) so image builds are reproducible.",
+  severity: "error",
+  run(ctx) {
+    const violations: IMetaRuleViolation[] = [];
+    const stages = new Set<string>();
+
+    for (const line of dockerInstructionLines(ctx)) {
+      if (line.instruction !== "FROM") {
+        continue;
+      }
+
+      const match = FROM_PATTERN.exec(line.args);
+      const ref = match?.groups?.ref;
+      const stage = match?.groups?.stage;
+
+      if (stage !== undefined) {
+        stages.add(stage.toLowerCase());
+      }
+
+      if (ref === undefined) {
+        continue;
+      }
+
+      // Skip references to an earlier build stage and the empty `scratch` base.
+      if (stages.has(ref.toLowerCase()) || ref.toLowerCase() === "scratch") {
+        continue;
+      }
+
+      const pinnedByDigest = ref.includes("@sha256:");
+      const tag = imageTag(ref);
+
+      if (pinnedByDigest || (tag !== null && tag !== "latest")) {
+        continue;
+      }
+
+      const reason =
+        tag === "latest" ? "uses the floating `latest` tag" : "has no tag";
+
+      violations.push({
+        file: line.file,
+        ruleId: "dockerfile-base-image-pinned",
+        severity: "error",
+        message: `Line ${line.lineNo}: \`FROM ${ref}\` ${reason} — pin an explicit version (e.g. \`node:24.3.0-bookworm\`) or a \`@sha256:\` digest for reproducible builds.`,
+      });
+    }
+
+    return violations;
+  },
+};

package/src/meta-rules/rules/docker/dockerfile-no-secrets-in-env-arg.ts

@@ -0,0 +1,67 @@
+import type { IMetaRule, IMetaRuleViolation } from "../../meta-rules.types";
+import { dockerInstructionLines } from "./utils";
+
+/**
+ * Secrets must not be baked into the image via `ENV`/`ARG` literals — they
+ * persist in every image layer and `docker history`, readable by anyone who
+ * pulls the image. Inject them at runtime (`--env-file`, a secret manager, or
+ * BuildKit `--secret`) instead.
+ */
+const SECRET_NAME =
+  /(^|_)(KEY|TOKEN|SECRET|SECRETS|PASSWORD|PASSWD|CREDENTIAL|CREDENTIALS)(_|$)/u;
+
+/** The `NAME=value` (or `NAME value`) pairs declared on one ENV/ARG line. */
+function declaredName(args: string): string | null {
+  const eq = args.indexOf("=");
+  const name = eq === -1 ? args.split(/\s+/u)[0] : args.slice(0, eq);
+
+  return name === undefined || name.length === 0 ? null : name.trim();
+}
+
+/** True when the line actually assigns a value (vs. a bare build-time `ARG`). */
+function hasAssignedValue(instruction: string, args: string): boolean {
+  if (args.includes("=")) {
+    const value = args.slice(args.indexOf("=") + 1).trim();
+
+    return value.length > 0;
+  }
+
+  // `ENV NAME value` form assigns; bare `ARG NAME` does not.
+  return instruction === "ENV" && /\S+\s+\S/u.test(args);
+}
+
+export const dockerfileNoSecretsInEnvArgRule: IMetaRule = {
+  id: "dockerfile-no-secrets-in-env-arg",
+  category: "container",
+  description:
+    "Dockerfiles must not assign secret-looking ENV/ARG values (KEY/TOKEN/SECRET/PASSWORD) — they bake into image layers. Inject secrets at runtime.",
+  severity: "error",
+  run(ctx) {
+    const violations: IMetaRuleViolation[] = [];
+
+    for (const line of dockerInstructionLines(ctx)) {
+      if (line.instruction !== "ENV" && line.instruction !== "ARG") {
+        continue;
+      }
+
+      const name = declaredName(line.args);
+
+      if (
+        name === null ||
+        !SECRET_NAME.test(name.toUpperCase()) ||
+        !hasAssignedValue(line.instruction, line.args)
+      ) {
+        continue;
+      }
+
+      violations.push({
+        file: line.file,
+        ruleId: "dockerfile-no-secrets-in-env-arg",
+        severity: "error",
+        message: `Line ${line.lineNo}: \`${line.instruction} ${name}=…\` bakes a secret into the image layers (visible in \`docker history\`). Inject it at runtime via \`--env-file\`/secret manager or a BuildKit \`--secret\` mount.`,
+      });
+    }
+
+    return violations;
+  },
+};

package/src/meta-rules/rules/docker/dockerfile-non-root-user.ts

@@ -0,0 +1,58 @@
+import type { IMetaRule, IMetaRuleViolation } from "../../meta-rules.types";
+import { dockerInstructionLines } from "./utils";
+
+/**
+ * A Dockerfile must drop privileges with a non-root `USER` instruction. Running
+ * the container process as root is the default and a standard container-escape
+ * amplifier; a single `USER app` (after install steps) closes it.
+ */
+const ROOT_USERS = new Set(["root", "0", "0:0"]);
+
+/** The user name/uid from a `USER` arg (`USER node` / `USER node:node`). */
+function userName(args: string): string {
+  return args.trim().toLowerCase();
+}
+
+export const dockerfileNonRootUserRule: IMetaRule = {
+  id: "dockerfile-non-root-user",
+  category: "container",
+  description:
+    "Dockerfiles must declare a non-root USER so the container process does not run as root.",
+  severity: "error",
+  run(ctx) {
+    const violations: IMetaRuleViolation[] = [];
+    const lines = dockerInstructionLines(ctx);
+    const byFile = new Map<string, boolean>();
+
+    // Seed every READABLE Dockerfile as "no non-root USER seen yet" (readFile is
+    // cached, so this does not re-hit disk).
+    for (const file of ctx.dockerfiles) {
+      if (ctx.readFile(file) !== null) {
+        byFile.set(file, false);
+      }
+    }
+
+    for (const line of lines) {
+      if (line.instruction !== "USER") {
+        continue;
+      }
+
+      if (!ROOT_USERS.has(userName(line.args))) {
+        byFile.set(line.file, true);
+      }
+    }
+
+    for (const [file, hasNonRoot] of byFile) {
+      if (!hasNonRoot) {
+        violations.push({
+          file,
+          ruleId: "dockerfile-non-root-user",
+          severity: "error",
+          message: `${file} never drops to a non-root USER — add \`USER <non-root>\` after the install steps so the container does not run as root.`,
+        });
+      }
+    }
+
+    return violations;
+  },
+};

package/src/meta-rules/rules/docker/utils.ts

@@ -0,0 +1,58 @@
+import type { IMetaRuleContext } from "../../meta-rules.types";
+
+/** One meaningful Dockerfile instruction line (comments + blanks stripped). */
+export interface IDockerLine {
+  readonly file: string;
+  readonly lineNo: number; // 1-based
+  readonly instruction: string; // upper-cased keyword, e.g. "FROM"
+  readonly args: string; // everything after the keyword, trimmed
+  readonly raw: string;
+}
+
+const INSTRUCTION_PATTERN = /^\s*(?<keyword>[A-Za-z]+)\s+(?<args>.*\S)\s*$/u;
+
+/** Parse every Dockerfile in the context into instruction lines. Continuation
+ *  lines (`\` at EOL) and comments are skipped — good enough for the textual
+ *  hardening checks (base-image pin, USER, secret literals). */
+export function dockerInstructionLines(
+  ctx: Pick<IMetaRuleContext, "dockerfiles" | "readFile">
+): IDockerLine[] {
+  const out: IDockerLine[] = [];
+
+  for (const file of ctx.dockerfiles) {
+    const text = ctx.readFile(file);
+
+    if (text === null) {
+      continue;
+    }
+
+    const lines = text.split("\n");
+
+    for (let i = 0; i < lines.length; i += 1) {
+      const raw = lines[i] ?? "";
+      const trimmed = raw.trim();
+
+      if (trimmed.length === 0 || trimmed.startsWith("#")) {
+        continue;
+      }
+
+      const match = INSTRUCTION_PATTERN.exec(raw);
+      const keyword = match?.groups?.keyword;
+      const args = match?.groups?.args;
+
+      if (keyword === undefined || args === undefined) {
+        continue;
+      }
+
+      out.push({
+        file,
+        lineNo: i + 1,
+        instruction: keyword.toUpperCase(),
+        args: args.trim(),
+        raw,
+      });
+    }
+  }
+
+  return out;
+}

package/src/rule-packs/ai-sdk/index.ts

@@ -0,0 +1,28 @@
+import type { TSESLint } from "@typescript-eslint/utils";
+
+import { noApiKeyInClientRule } from "./rules/no-api-key-in-client";
+import { requireCompletionTokenLimitRule } from "./rules/require-completion-token-limit";
+import { noUserInputInSystemPromptRule } from "./rules/no-user-input-in-system-prompt";
+import type { IRulePack } from "../rule-packs.types";
+
+const rules: Record<string, TSESLint.RuleModule<string, readonly unknown[]>> = {
+  "no-api-key-in-client": noApiKeyInClientRule,
+  "require-completion-token-limit": requireCompletionTokenLimitRule,
+  "no-user-input-in-system-prompt": noUserInputInSystemPromptRule,
+};
+
+export const aiSdkPack: IRulePack = {
+  id: "ai-sdk",
+  description:
+    "LLM/AI-SDK security and cost guardrails: no provider key in client bundles, bounded completion tokens, and no request data spliced into the system prompt",
+  rules,
+  // Structural checks block (error); the injection heuristic warns until proven
+  // precise — a false positive on an un-bypassable gate would deadlock the model.
+  rulesConfig: {
+    "no-api-key-in-client": "error",
+    "require-completion-token-limit": "error",
+    "no-user-input-in-system-prompt": "warn",
+  },
+};
+
+export default aiSdkPack;

package/src/rule-packs/ai-sdk/rules/no-api-key-in-client.ts

@@ -0,0 +1,92 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+
+import { createRule } from "../../create-rule";
+
+export const RULE_NAME = "no-api-key-in-client";
+
+type MessageIds = "clientProvider";
+
+// Providers whose constructor / factory takes an API key. Building one in a
+// `"use client"` file ships the key into the browser bundle.
+const PROVIDER_CONSTRUCTORS = new Set([
+  "OpenAI",
+  "Anthropic",
+  "GoogleGenerativeAI",
+]);
+const PROVIDER_FACTORIES = new Set([
+  "createOpenAI",
+  "createAnthropic",
+  "createGoogleGenerativeAI",
+  "createAzure",
+  "createMistral",
+]);
+
+/** True when the file opens with a `"use client"` directive (client component). */
+function hasUseClientDirective(
+  body: readonly TSESTree.ProgramStatement[]
+): boolean {
+  for (const stmt of body) {
+    if (stmt.type !== AST_NODE_TYPES.ExpressionStatement) {
+      return false; // directives must lead; first non-expression ends the prologue
+    }
+
+    const expr = stmt.expression;
+
+    if (expr.type === AST_NODE_TYPES.Literal && expr.value === "use client") {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/** `new OpenAI(...)` etc. */
+function isProviderConstruction(node: TSESTree.NewExpression): boolean {
+  return (
+    node.callee.type === AST_NODE_TYPES.Identifier &&
+    PROVIDER_CONSTRUCTORS.has(node.callee.name)
+  );
+}
+
+/** `createOpenAI(...)` etc. */
+function isProviderFactory(node: TSESTree.CallExpression): boolean {
+  return (
+    node.callee.type === AST_NODE_TYPES.Identifier &&
+    PROVIDER_FACTORIES.has(node.callee.name)
+  );
+}
+
+export const noApiKeyInClientRule = createRule<[], MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow constructing an AI provider client in a client component — it leaks the API key into the browser bundle. Call the model from a server route/action.",
+    },
+    schema: [],
+    messages: {
+      clientProvider:
+        "Do not create an AI provider client in a `'use client'` file — the API key would ship to the browser. Move the call to a server route or server action.",
+    },
+  },
+  defaultOptions: [],
+  create(context) {
+    if (!hasUseClientDirective(context.sourceCode.ast.body)) {
+      return {};
+    }
+
+    return {
+      NewExpression(node: TSESTree.NewExpression) {
+        if (isProviderConstruction(node)) {
+          context.report({ node, messageId: "clientProvider" });
+        }
+      },
+      CallExpression(node: TSESTree.CallExpression) {
+        if (isProviderFactory(node)) {
+          context.report({ node, messageId: "clientProvider" });
+        }
+      },
+    };
+  },
+});

package/src/rule-packs/ai-sdk/rules/no-user-input-in-system-prompt.ts

@@ -0,0 +1,91 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+
+import { createRule } from "../../create-rule";
+
+export const RULE_NAME = "no-user-input-in-system-prompt";
+
+type MessageIds = "dynamicSystemPrompt";
+
+/** A value built by interpolation/concatenation rather than a constant string —
+ *  the shape that splices request data into the system prompt (injection). A
+ *  plain string, identifier, or constant template (no `${}`) is fine. */
+function isDynamicString(node: TSESTree.Node): boolean {
+  if (node.type === AST_NODE_TYPES.TemplateLiteral) {
+    return node.expressions.length > 0;
+  }
+
+  return node.type === AST_NODE_TYPES.BinaryExpression && node.operator === "+";
+}
+
+/** Find a non-computed string-keyed property on an object literal. */
+function findProperty(
+  obj: TSESTree.ObjectExpression,
+  name: string
+): TSESTree.Property | null {
+  for (const p of obj.properties) {
+    if (
+      p.type === AST_NODE_TYPES.Property &&
+      !p.computed &&
+      p.key.type === AST_NODE_TYPES.Identifier &&
+      p.key.name === name
+    ) {
+      return p;
+    }
+  }
+
+  return null;
+}
+
+/** True when the object is a chat message with `role: "system"`. */
+function isSystemMessage(obj: TSESTree.ObjectExpression): boolean {
+  const role = findProperty(obj, "role");
+
+  return (
+    role !== null &&
+    role.value.type === AST_NODE_TYPES.Literal &&
+    role.value.value === "system"
+  );
+}
+
+export const noUserInputInSystemPromptRule = createRule<[], MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "suggestion",
+    docs: {
+      description:
+        "Warn when a system prompt is built by string interpolation/concatenation — splicing request data into the system role enables prompt injection. Keep the system prompt constant; pass user input as a user message.",
+    },
+    schema: [],
+    messages: {
+      dynamicSystemPrompt:
+        "System prompt is built dynamically — do not interpolate request/user data into the system role (prompt injection). Keep it a constant and pass user input as a `user` message.",
+    },
+  },
+  defaultOptions: [],
+  create(context) {
+    const reportIfDynamic = (value: TSESTree.Node | null): void => {
+      if (value !== null && isDynamicString(value)) {
+        context.report({ node: value, messageId: "dynamicSystemPrompt" });
+      }
+    };
+
+    return {
+      // Vercel AI SDK: `{ system: `...${x}...` }`
+      "Property[key.name='system']"(node: TSESTree.Property) {
+        if (!node.computed) {
+          reportIfDynamic(node.value);
+        }
+      },
+      // Chat messages: `{ role: "system", content: `...${x}...` }`
+      ObjectExpression(node: TSESTree.ObjectExpression) {
+        if (!isSystemMessage(node)) {
+          return;
+        }
+
+        const content = findProperty(node, "content");
+
+        reportIfDynamic(content === null ? null : content.value);
+      },
+    };
+  },
+});

package/src/rule-packs/ai-sdk/rules/require-completion-token-limit.ts

@@ -0,0 +1,112 @@
+import { AST_NODE_TYPES, type TSESTree } from "@typescript-eslint/utils";
+
+import { createRule } from "../../create-rule";
+
+export const RULE_NAME = "require-completion-token-limit";
+
+type MessageIds = "missingLimit";
+
+// Vercel AI SDK top-level generators.
+const VERCEL_FNS = new Set([
+  "generateText",
+  "streamText",
+  "generateObject",
+  "streamObject",
+]);
+// Provider-SDK members that own a `.create(...)` completion call.
+const CREATE_OWNERS = new Set(["completions", "messages", "responses"]);
+// Any of these keys bounds the output, across SDKs.
+const TOKEN_KEYS = new Set([
+  "maxTokens",
+  "max_tokens",
+  "maxOutputTokens",
+  "max_output_tokens",
+  "max_completion_tokens",
+]);
+
+/** The options object literal for a Vercel generator call, or null. */
+function vercelOptionsArg(
+  node: TSESTree.CallExpression
+): TSESTree.ObjectExpression | null {
+  if (node.callee.type !== AST_NODE_TYPES.Identifier) {
+    return null;
+  }
+
+  if (!VERCEL_FNS.has(node.callee.name)) {
+    return null;
+  }
+
+  const arg = node.arguments[0];
+
+  return arg?.type === AST_NODE_TYPES.ObjectExpression ? arg : null;
+}
+
+/** The options object for an `x.<owner>.create({...})` SDK call, or null. */
+function createCallOptionsArg(
+  node: TSESTree.CallExpression
+): TSESTree.ObjectExpression | null {
+  const callee = node.callee;
+
+  if (
+    callee.type !== AST_NODE_TYPES.MemberExpression ||
+    callee.computed ||
+    callee.property.type !== AST_NODE_TYPES.Identifier ||
+    callee.property.name !== "create"
+  ) {
+    return null;
+  }
+
+  const owner = callee.object;
+
+  if (
+    owner.type !== AST_NODE_TYPES.MemberExpression ||
+    owner.computed ||
+    owner.property.type !== AST_NODE_TYPES.Identifier ||
+    !CREATE_OWNERS.has(owner.property.name)
+  ) {
+    return null;
+  }
+
+  const arg = node.arguments[0];
+
+  return arg?.type === AST_NODE_TYPES.ObjectExpression ? arg : null;
+}
+
+/** True when the object literal sets one of the recognized token-limit keys. */
+function hasTokenLimit(obj: TSESTree.ObjectExpression): boolean {
+  return obj.properties.some(
+    (p) =>
+      p.type === AST_NODE_TYPES.Property &&
+      !p.computed &&
+      p.key.type === AST_NODE_TYPES.Identifier &&
+      TOKEN_KEYS.has(p.key.name)
+  );
+}
+
+export const requireCompletionTokenLimitRule = createRule<[], MessageIds>({
+  name: RULE_NAME,
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Require a token limit (maxTokens / max_tokens) on AI completion calls to bound runaway cost and latency.",
+    },
+    schema: [],
+    messages: {
+      missingLimit:
+        "AI completion call has no token limit — set `maxTokens` (Vercel AI SDK) or `max_tokens` (OpenAI/Anthropic) to bound cost and latency.",
+    },
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CallExpression(node: TSESTree.CallExpression) {
+        const options = vercelOptionsArg(node) ?? createCallOptionsArg(node);
+
+        if (options !== null && !hasTokenLimit(options)) {
+          context.report({ node, messageId: "missingLimit" });
+        }
+      },
+    };
+  },
+});

package/src/rule-packs/index.ts

@@ -1,6 +1,7 @@
 import type { TSESLint } from "@typescript-eslint/utils";
 
 import type { IRulePack } from "./rule-packs.types";
+import { aiSdkPack } from "./ai-sdk";
 import { authorizationPack } from "./authorization";
 import { bullmqPack } from "./bullmq";
 import { commentHygienePack } from "./comment-hygiene";
@@ -25,6 +26,7 @@ import { PACK_REGISTRY } from "../stack-detection";
 
 /** Registry of all available rule packs, keyed by pack ID. */
 export const RULE_PACKS = {
+  "ai-sdk": aiSdkPack,
   authorization: authorizationPack,
   bullmq: bullmqPack,
   "code-flow": codeFlowPack,

package/src/stack-detection/packs.ts

@@ -222,6 +222,25 @@ export const PACK_REGISTRY = {
     appliesWhen: { anyDeps: ["i18next", "react-i18next"] },
     guidance: "Keep i18n keys organized and validated.",
   } as const satisfies IRulePackDescriptor,
+
+  "ai-sdk": {
+    id: "ai-sdk",
+    label: "AI SDK Security",
+    description:
+      "LLM/AI-SDK security and cost guardrails: no provider key in client bundles, bounded completion tokens, no request data in the system prompt",
+    category: "library",
+    appliesWhen: {
+      anyDeps: [
+        "ai",
+        "openai",
+        "@anthropic-ai/sdk",
+        "@ai-sdk/openai",
+        "@ai-sdk/anthropic",
+      ],
+    },
+    guidance:
+      "Call models server-side, bound output tokens, and keep the system prompt constant.",
+  } as const satisfies IRulePackDescriptor,
 } as const;
 
 /** Ordered list of always-on pack IDs (for deterministic ordering). */

package/strict.eslint.config.mjs

@@ -13,6 +13,7 @@
 // map of bare rule names to "error" | "warn" | "off").
 import tseslint from "typescript-eslint";
 import stylistic from "@stylistic/eslint-plugin";
+import sonarjs from "eslint-plugin-sonarjs";
 
 // Load stack-aware packs if TSFORGE_PACKS env var is set
 let packConfig = [];
@@ -56,8 +57,19 @@ export default tseslint.config(
     plugins: {
       "@typescript-eslint": tseslint.plugin,
       "@stylistic": stylistic,
+      sonarjs,
     },
     rules: {
+      // Concern-mixing / copy-paste ceiling (syntactic — no type info needed).
+      // cc <= 20 is the house rule tsforge holds ITSELF to (eslint.config.js); it
+      // forces the model to decompose a sprawling function into named helpers
+      // instead of one un-reviewable block. Not auto-fixable, so it surfaces as a
+      // hand-fix error — the intended "split this up" signal. max-depth/max-params
+      // are zero-dep ESLint-core complements.
+      "sonarjs/cognitive-complexity": ["error", 20],
+      "sonarjs/no-identical-functions": "error",
+      "max-depth": ["error", 4],
+      "max-params": ["error", 4],
       // The idioms the model habitually violates — all caught WITHOUT type info.
       "@typescript-eslint/consistent-type-assertions": [
         "error",

package/strict.web.eslint.config.mjs

@@ -13,6 +13,7 @@ import stylistic from "@stylistic/eslint-plugin";
 import pluginReact from "eslint-plugin-react";
 import pluginReactHooks from "eslint-plugin-react-hooks";
 import pluginJsxA11y from "eslint-plugin-jsx-a11y";
+import sonarjs from "eslint-plugin-sonarjs";
 
 // Load stack-aware packs if TSFORGE_PACKS env var is set
 let packConfig = [];
@@ -112,6 +113,7 @@ export default tseslint.config(
       "@stylistic": stylistic,
       react: pluginReact,
       "react-hooks": pluginReactHooks,
+      sonarjs,
       boringstack: { rules: { "one-component-per-file": oneComponentPerFile } },
       ...packConfig
         .filter(
@@ -125,6 +127,13 @@ export default tseslint.config(
       // literal/tuple data (and it makes a fixed array a tuple, so literal-index
       // access is defined, not `T | undefined`). Instead we ban only the
       // value-changing forms (`x as Foo`, `<Foo>x`) via AST selectors below.
+      // Concern-mixing / copy-paste ceiling (syntactic — mirrors the core config).
+      // cc <= 20 forces decomposition into named helpers; max-depth/max-params are
+      // zero-dep ESLint-core complements.
+      "sonarjs/cognitive-complexity": ["error", 20],
+      "sonarjs/no-identical-functions": "error",
+      "max-depth": ["error", 4],
+      "max-params": ["error", 4],
       "@typescript-eslint/no-explicit-any": "error",
       "@typescript-eslint/no-non-null-assertion": "error",
       "@typescript-eslint/no-inferrable-types": "error",