@archpublicwebsite/eslint-config 1.0.21 → 1.0.23

package/README.md

@@ -2,6 +2,36 @@
 
 Reusable ESLint flat config and git-hook toolkit for Archipelago projects.
 
+## Update 1 Bulan Terakhir (Mei-Jun 2026)
+
+Ringkasan perubahan terbaru yang paling penting:
+
+- Installer sekarang bisa membuat file setup utama otomatis saat belum ada.
+- Hook `pre-commit` lebih tahan error saat config belum lengkap.
+- Security scanner lebih akurat dan mengurangi false positive.
+- Ada opsi validasi akun/signature ketat lewat `REQUIRE_VERIFIED_ACCOUNT=1`.
+
+Jika `REQUIRE_VERIFIED_ACCOUNT=1` aktif:
+
+- `pre-commit` akan cek `user.name`, `user.email`, dan `commit.gpgsign=true`.
+- `pre-push` akan menolak commit yang status signature-nya bukan `G`.
+
+Cara pakai cepat:
+
+```bash
+pnpm install
+node node_modules/@archpublicwebsite/eslint-config/tools/setup/install.mjs
+pnpm lint:check
+pnpm typecheck
+```
+
+Aktifkan strict verification hanya saat dibutuhkan:
+
+```bash
+REQUIRE_VERIFIED_ACCOUNT=1 git commit
+REQUIRE_VERIFIED_ACCOUNT=1 git push
+```
+
 ## What this package includes
 
 This package ships a ready-to-use flat config plus setup scripts for local project automation:
@@ -82,9 +112,14 @@ The setup merges ESLint-related settings into `.vscode/settings.json`:
 {
   "eslint.useFlatConfig": true,
   "eslint.validate": [
-    "javascript", "javascriptreact",
-    "typescript", "typescriptreact",
-    "vue", "json", "jsonc", "markdown"
+    "javascript",
+    "javascriptreact",
+    "typescript",
+    "typescriptreact",
+    "vue",
+    "json",
+    "jsonc",
+    "markdown"
   ],
   "editor.codeActionsOnSave": {
     "source.fixAll.eslint": "explicit",
@@ -120,6 +155,16 @@ If you are extending or regenerating this package, keep the workflow explicit:
 - Re-run the package setup flow when changing VS Code or hook behavior.
 - Prefer explicit examples that show what the consumer project should add.
 
+## Refactor/New File Rules
+
+When refactoring or creating component files, keep every package aligned to the shared eslint-config contract:
+
+1. Keep each package `eslint.config.mjs` on `createArchipelagoConfig(...)` from `@archpublicwebsite/eslint-config`.
+2. Do not add package-local parser stacks that diverge from the shared config unless there is an approved exception.
+3. Run `pnpm lint:check` and `pnpm typecheck` before commit.
+4. If a package needs custom lint behavior, add it as a small override block in that package config while preserving shared base rules.
+5. For new projects or clones, run the setup script so required files (`eslint.config.mjs`, `lint-staged.config.mjs`, hooks, VSCode settings) are auto-created when missing.
+
 ## Manual setup
 
 If you need to rerun the bootstrap manually:

package/eslint.config.mjs

@@ -87,10 +87,8 @@ export function createArchipelagoConfig(...overrides) {
           },
           // document.write / document.writeln
           {
-            selector:
-              'CallExpression[callee.object.name="document"][callee.property.name=/^write(ln)?$/]',
-            message:
-              '[security/xss] document.write() is deprecated and a direct XSS sink — remove it',
+            selector: 'CallExpression[callee.object.name="document"][callee.property.name=/^write(ln)?$/]',
+            message: '[security/xss] document.write() is deprecated and a direct XSS sink — remove it',
           },
           // Object.__proto__ assignment (belt-and-suspenders with no-prototype-builtins)
           {
@@ -168,16 +166,19 @@ export function createArchipelagoConfig(...overrides) {
       rules: {
         'no-restricted-imports': [
           'error',
-          { name: 'child_process',      message: 'child_process is not allowed in build config files — supply-chain risk' },
-          { name: 'node:child_process', message: 'child_process is not allowed in build config files — supply-chain risk' },
-          { name: 'http',               message: 'http is not allowed in build config files — exfiltration risk' },
-          { name: 'node:http',          message: 'http is not allowed in build config files — exfiltration risk' },
-          { name: 'https',              message: 'https is not allowed in build config files — exfiltration risk' },
-          { name: 'node:https',         message: 'https is not allowed in build config files — exfiltration risk' },
-          { name: 'dns',                message: 'dns is not allowed in build config files — DNS tunnelling risk' },
-          { name: 'node:dns',           message: 'dns is not allowed in build config files — DNS tunnelling risk' },
-          { name: 'net',                message: 'net is not allowed in build config files — reverse-shell risk' },
-          { name: 'node:net',           message: 'net is not allowed in build config files — reverse-shell risk' },
+          { name: 'child_process', message: 'child_process is not allowed in build config files — supply-chain risk' },
+          {
+            name: 'node:child_process',
+            message: 'child_process is not allowed in build config files — supply-chain risk',
+          },
+          { name: 'http', message: 'http is not allowed in build config files — exfiltration risk' },
+          { name: 'node:http', message: 'http is not allowed in build config files — exfiltration risk' },
+          { name: 'https', message: 'https is not allowed in build config files — exfiltration risk' },
+          { name: 'node:https', message: 'https is not allowed in build config files — exfiltration risk' },
+          { name: 'dns', message: 'dns is not allowed in build config files — DNS tunnelling risk' },
+          { name: 'node:dns', message: 'dns is not allowed in build config files — DNS tunnelling risk' },
+          { name: 'net', message: 'net is not allowed in build config files — reverse-shell risk' },
+          { name: 'node:net', message: 'net is not allowed in build config files — reverse-shell risk' },
         ],
       },
     },
@@ -202,11 +203,12 @@ export function createArchipelagoConfig(...overrides) {
         'antfu/if-newline': 'off',
         'antfu/no-import-dist': 'off',
 
-        // ── Compatibility mode for existing codebases ─────────────────────
-        // Keep the security-sensitive rules as errors, but avoid blocking
-        // commits on purely stylistic differences in current components/tools.
-        'style/semi': 'off',
-        'style/quotes': 'off',
+        // ── Canonical style enforcement ─────────────────────────────────────
+        // No semicolons — matches every component in the codebase.
+        // Adding a `;` in any .ts / .vue file will surface as a lint error.
+        'style/semi': ['error', 'never'],
+        // Single quotes — consistent with all current component files.
+        'style/quotes': ['error', 'single', { avoidEscape: true, allowTemplateLiterals: 'never' }],
         'style/quote-props': 'off',
         'style/no-multi-spaces': 'off',
         'style/key-spacing': 'off',
@@ -239,10 +241,13 @@ export function createArchipelagoConfig(...overrides) {
         'vue/attribute-hyphenation': 'off',
         'vue/define-macros-order': 'off',
         'vue/no-v-html': 'off',
-        'vue/max-attributes-per-line': ['error', {
-          singleline: 3,
-          multiline: 1,
-        }],
+        'vue/max-attributes-per-line': [
+          'error',
+          {
+            singleline: 3,
+            multiline: 1,
+          },
+        ],
         'vue/max-len': 'off',
 
         // ── TypeScript ───────────────────────────────────────────────────────
@@ -308,6 +313,6 @@ export function createArchipelagoConfig(...overrides) {
       },
     },
 
-    ...overrides,
+    ...overrides
   )
 }

package/lint-staged.config.mjs

@@ -1,11 +1,6 @@
 const config = {
-  '*.{js,mjs,cjs,ts,tsx,vue}': [
-    'eslint --fix',
-    'prettier --write',
-  ],
-  '*.{json,md,yml,yaml,css,scss,html}': [
-    'prettier --write',
-  ],
+  '*.{js,mjs,cjs,ts,tsx,vue}': ['eslint --fix', 'prettier --write'],
+  '*.{json,md,yml,yaml,css,scss,html}': ['prettier --write'],
 }
 
 export default config

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@archpublicwebsite/eslint-config",
-  "version": "1.0.21",
+  "version": "1.0.23",
   "author": "Archipelago Hotels",
   "description": "Reusable ESLint flat config and git-hook toolkit for Archipelago projects",
   "type": "module",

package/tools/git-hooks/pre-commit.mjs

@@ -1,10 +1,10 @@
 import { dirname, join } from 'node:path'
 import { fileURLToPath } from 'node:url'
 import { existsSync } from 'node:fs'
-import { hasCommand, run } from './shared.mjs'
+import { hasCommand, run, runSafe } from './shared.mjs'
 
 const __dirname = dirname(fileURLToPath(import.meta.url))
-const SCAN_SCRIPT = join(__dirname, '../security/scan.mjs')
+const SCAN_SCRIPT = join(__dirname, '..', 'security', 'scan.mjs')
 
 function runIfExists(scriptPath, command) {
   if (!existsSync(scriptPath)) {
@@ -20,6 +20,31 @@ if (!hasCommand('pnpm')) {
   process.exit(1)
 }
 
+function enforceVerifiedAccountIfEnabled() {
+  if (process.env.REQUIRE_VERIFIED_ACCOUNT !== '1') {
+    return
+  }
+
+  const userEmail = runSafe('git config --get user.email')
+  const userName = runSafe('git config --get user.name')
+  const commitSign = runSafe('git config --get commit.gpgsign').toLowerCase()
+
+  if (!userEmail || !userName) {
+    console.error('\nCOMMIT FAILED: REQUIRE_VERIFIED_ACCOUNT=1 but git user identity is incomplete.\n')
+    console.error('Set both user.name and user.email first.')
+    process.exit(1)
+  }
+
+  if (commitSign !== 'true') {
+    console.error('\nCOMMIT FAILED: REQUIRE_VERIFIED_ACCOUNT=1 but commit signing is disabled.\n')
+    console.error('Run: git config commit.gpgsign true')
+    process.exit(1)
+  }
+}
+
+// ── 0. Optional strict verified-account gate ─────────────────────────────────
+enforceVerifiedAccountIfEnabled()
+
 // ── 1. Security scan — blocks on critical/high findings ───────────────────────
 run(`node "${SCAN_SCRIPT}"`, { stdio: 'inherit' })
 
@@ -28,13 +53,17 @@ run(`node "${SCAN_SCRIPT}"`, { stdio: 'inherit' })
 runIfExists('./safe-reinstall.sh', 'bash ./safe-reinstall.sh --check-only')
 if (process.env.SKIP_GLOBAL_SCAN === '1') {
   console.log('\nSkipping global IOC scan (SKIP_GLOBAL_SCAN=1).')
-}
-else {
+} else {
   runIfExists('./scan-global.sh', 'bash ./scan-global.sh')
 }
 
 // ── 3. Lint-staged — auto-fix & format staged files ───────────────────────────
 console.log('\nRunning lint-staged (auto-fix staged files)...')
-run('pnpm lint-staged', { stdio: 'inherit' })
+if (existsSync('./lint-staged.config.mjs')) {
+  run('pnpm exec lint-staged --config lint-staged.config.mjs', { stdio: 'inherit' })
+} else {
+  // Fallback to package.json "lint-staged" block when config file is missing.
+  run('pnpm exec lint-staged', { stdio: 'inherit' })
+}
 
 console.log('\nCOMMIT CHECKS PASSED\n')

package/tools/git-hooks/pre-push.mjs

@@ -54,13 +54,21 @@ const ZERO_SHA = '0000000000000000000000000000000000000000'
  */
 function parsePushRefs() {
   let stdin = ''
-  try { stdin = readFileSync('/dev/stdin', 'utf8') }
-  catch { return [] }
+  try {
+    stdin = readFileSync('/dev/stdin', 'utf8')
+  } catch {
+    return []
+  }
 
-  return stdin.trim().split('\n').filter(Boolean).map((line) => {
-    const parts = line.trim().split(/\s+/)
-    return { localSha: parts[1] ?? '', remoteSha: parts[3] ?? ZERO_SHA }
-  }).filter(({ localSha }) => localSha && localSha !== ZERO_SHA)
+  return stdin
+    .trim()
+    .split('\n')
+    .filter(Boolean)
+    .map(line => {
+      const parts = line.trim().split(/\s+/)
+      return { localSha: parts[1] ?? '', remoteSha: parts[3] ?? ZERO_SHA }
+    })
+    .filter(({ localSha }) => localSha && localSha !== ZERO_SHA)
 }
 
 // ─── Collect files in push range ───────────────────────────────────────────────
@@ -82,6 +90,76 @@ function collectPushFiles(refs) {
   return [...seen]
 }
 
+/**
+ * Collect commits in push range(s).
+ * @param {{ localSha: string, remoteSha: string }[]} refs
+ * @returns {string[]}
+ */
+function collectPushCommits(refs) {
+  const seen = new Set()
+  for (const { localSha, remoteSha } of refs) {
+    const range = remoteSha === ZERO_SHA ? localSha : `${remoteSha}..${localSha}`
+    const output = runSafe(`git rev-list ${range}`)
+    if (!output) continue
+    for (const sha of output.split('\n').filter(Boolean)) {
+      seen.add(sha)
+    }
+  }
+  return [...seen]
+}
+
+/**
+ * Enforce signed + verified commits in push range when REQUIRE_VERIFIED_ACCOUNT=1.
+ * Git signature status reference (%G?):
+ *   G = good signature, N = no signature, B = bad signature, etc.
+ * @param {string[]} commits
+ */
+function enforceVerifiedAccountIfEnabled(commits) {
+  if (process.env.REQUIRE_VERIFIED_ACCOUNT !== '1') {
+    return
+  }
+
+  const userEmail = runSafe('git config --get user.email')
+  const userName = runSafe('git config --get user.name')
+  const commitSign = runSafe('git config --get commit.gpgsign').toLowerCase()
+
+  if (!userEmail || !userName) {
+    process.stderr.write(
+      `\n${YLW}${BOLD}✖  PUSH BLOCKED${R} — REQUIRE_VERIFIED_ACCOUNT=1 but git user identity is incomplete.\n`
+    )
+    process.exit(1)
+  }
+
+  if (commitSign !== 'true') {
+    process.stderr.write(
+      `\n${YLW}${BOLD}✖  PUSH BLOCKED${R} — REQUIRE_VERIFIED_ACCOUNT=1 but commit signing is disabled.\n`
+    )
+    process.stderr.write(`${DIM}Run: git config commit.gpgsign true${R}\n\n`)
+    process.exit(1)
+  }
+
+  const invalid = []
+  for (const sha of commits) {
+    const status = runSafe(`git log -1 --format=%G? ${sha}`)
+    if (status !== 'G') {
+      const subject = runSafe(`git log -1 --format=%s ${sha}`)
+      invalid.push({ sha, status: status || '?', subject })
+    }
+  }
+
+  if (invalid.length > 0) {
+    process.stderr.write(`\n${YLW}${BOLD}✖  PUSH BLOCKED${R} — found unverified commit signature(s).\n`)
+    invalid.slice(0, 10).forEach(({ sha, status, subject }) => {
+      process.stderr.write(`  - ${sha.slice(0, 10)}  status=${status}  ${subject}\n`)
+    })
+    if (invalid.length > 10) {
+      process.stderr.write(`  ...and ${invalid.length - 10} more\n`)
+    }
+    process.stderr.write(`${DIM}Set REQUIRE_VERIFIED_ACCOUNT=0 to disable this gate.${R}\n\n`)
+    process.exit(1)
+  }
+}
+
 // ─── Scan committed files ──────────────────────────────────────────────────────
 
 /**
@@ -98,10 +176,14 @@ function scanFiles(files, repoRoot) {
   let skipped = 0
 
   for (const filePath of files) {
-    if (shouldSkip(filePath)) { skipped++; continue }
+    if (shouldSkip(filePath)) {
+      skipped++
+      continue
+    }
 
-    const content = runSafe(`git show "HEAD:${filePath}"`)
-      || (() => {
+    const content =
+      runSafe(`git show "HEAD:${filePath}"`) ||
+      (() => {
         const abs = join(repoRoot, filePath)
         return existsSync(abs) ? readFileSync(abs, 'utf8') : ''
       })()
@@ -111,7 +193,7 @@ function scanFiles(files, repoRoot) {
     const lines = content.split('\n')
     findings.push(
       ...collectPatternFindings(lines, isConfigFile(filePath), filePath),
-      ...collectObfuscatedLineFindings(lines, filePath),
+      ...collectObfuscatedLineFindings(lines, filePath)
     )
   }
 
@@ -133,24 +215,29 @@ function scanDependencies(repoRoot) {
   if (!existsSync(pkgJsonPath)) return []
 
   let pkg
-  try { pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8')) }
-  catch { return [] }
+  try {
+    pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8'))
+  } catch {
+    return []
+  }
 
   const depFields = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies']
-  return depFields.flatMap((field) => {
+  return depFields.flatMap(field => {
     const deps = pkg[field]
     if (!deps || typeof deps !== 'object') return []
-    return Object.keys(deps).flatMap((name) => {
+    return Object.keys(deps).flatMap(name => {
       const similar = detectTyposquat(name)
       return similar
-        ? [{
-            pkg: name,
-            patternId: 'typosquat',
-            severity: 'high',
-            message: `Possible typosquat of "${similar}" in ${field} — verify the package name`,
-            lineContent: `"${name}" is 1 edit away from "${similar}"`,
-            category: 'supply-chain',
-          }]
+        ? [
+            {
+              pkg: name,
+              patternId: 'typosquat',
+              severity: 'high',
+              message: `Possible typosquat of "${similar}" in ${field} — verify the package name`,
+              lineContent: `"${name}" is 1 edit away from "${similar}"`,
+              category: 'supply-chain',
+            },
+          ]
         : []
     })
   })
@@ -166,7 +253,7 @@ function runAudit() {
     return []
   }
 
-  process.stdout.write(`\nRunning pnpm audit --audit-level=high...\n`)
+  process.stdout.write('\nRunning pnpm audit --audit-level=high...\n')
   const result = runSafe('pnpm audit --audit-level=high 2>&1')
   if (!result) return []
 
@@ -176,14 +263,16 @@ function runAudit() {
   if (hasVulns) {
     console.log(`\n${BOLD}pnpm audit output:${R}`)
     console.log(`${DIM}${result}${R}`)
-    return [{
-      pkg: 'pnpm-audit',
-      patternId: 'known-cve',
-      severity: 'high',
-      message: `pnpm audit detected known CVEs — run 'pnpm audit --fix' or pin safe versions`,
-      lineContent: lines.find(l => /vulnerabilit/i.test(l)) ?? result.slice(0, 120),
-      category: 'supply-chain',
-    }]
+    return [
+      {
+        pkg: 'pnpm-audit',
+        patternId: 'known-cve',
+        severity: 'high',
+        message: "pnpm audit detected known CVEs — run 'pnpm audit --fix' or pin safe versions",
+        lineContent: lines.find(l => /vulnerabilit/i.test(l)) ?? result.slice(0, 120),
+        category: 'supply-chain',
+      },
+    ]
   }
 
   process.stdout.write(`${GRN}pnpm audit: no known vulnerabilities found.${R}\n`)
@@ -195,25 +284,30 @@ function runAudit() {
 function main() {
   if (process.env.SKIP_SECURITY_SCAN === '1') {
     process.stderr.write(
-      `\n${YLW}${BOLD}⚠  SKIP_SECURITY_SCAN=1 — pre-push security checks bypassed.${R}\n`
-      + `${YLW}   This bypass is intentional and has been logged.${R}\n\n`,
+      `\n${YLW}${BOLD}⚠  SKIP_SECURITY_SCAN=1 — pre-push security checks bypassed.${R}\n` +
+        `${YLW}   This bypass is intentional and has been logged.${R}\n\n`
     )
     return
   }
 
   const repoRoot = getRepoRoot()
   const refs = parsePushRefs()
+  const commits = refs.length > 0 ? collectPushCommits(refs) : [runSafe('git rev-parse HEAD')].filter(Boolean)
+
+  // ── 0. Optional strict verified-account gate ───────────────────────────────
+  enforceVerifiedAccountIfEnabled(commits)
 
   printScanHeader('@archipelago/pre-push', 'full-branch security gate')
 
-  const files = refs.length > 0
-    ? collectPushFiles(refs)
-    : (runSafe('git diff-tree --no-commit-id --name-only -r HEAD') || '')
-        .split('\n')
-        .filter(f => SCAN_EXTENSIONS.has(extname(f)))
+  const files =
+    refs.length > 0
+      ? collectPushFiles(refs)
+      : (runSafe('git diff-tree --no-commit-id --name-only -r HEAD') || '')
+          .split('\n')
+          .filter(f => SCAN_EXTENSIONS.has(extname(f)))
 
-  const fileFindings  = scanFiles(files, repoRoot)
-  const depsFindings  = scanDependencies(repoRoot)
+  const fileFindings = scanFiles(files, repoRoot)
+  const depsFindings = scanDependencies(repoRoot)
   const auditFindings = runAudit()
 
   const allFindings = sortFindings([...fileFindings, ...depsFindings, ...auditFindings])

package/tools/security/patterns.mjs

@@ -147,7 +147,8 @@ export const FILE_PATTERNS = [
   {
     id: 'shuffle-cipher-iife',
     severity: 'critical',
-    message: 'Shuffle-cipher IIFE — RC4-variant string decoder used to hide payload strings (seen in event-stream attack)',
+    message:
+      'Shuffle-cipher IIFE — RC4-variant string decoder used to hide payload strings (seen in event-stream attack)',
     // Matches: (function(l,e){ ... })("...", number)  — the typical 2-arg encoded-string bootstrapper
     // [\s\S] instead of [^}] so the body can contain nested {}
     regex: /\(function\s*\(\w\s*,\s*\w\)[\s\S]{20,}?\}\)\s*\(\s*["'][^"']{4,}["']\s*,\s*\d{4,}\s*\)/,
@@ -178,7 +179,8 @@ export const FILE_PATTERNS = [
   {
     id: 'function-constructor-via-array',
     severity: 'critical',
-    message: 'Function constructor accessed via decoded array — used to run hidden payload without calling new Function() directly',
+    message:
+      'Function constructor accessed via decoded array — used to run hidden payload without calling new Function() directly',
     // Matches: var x = sfL[EKc]  where the array was built from a string decoder
     // Generalised: identifier assigned from identifier[short-identifier] then called as a function
     regex: /=\s*\w{2,5}\s*\[\s*\w{2,5}\s*\]\s*;[^;]{0,60}=\s*\w{2,5}\s*\(\s*\w+\s*,\s*\w{2,5}\s*\(\s*\w+\s*\)\s*\)/,
@@ -234,7 +236,8 @@ export const FILE_PATTERNS = [
   {
     id: 'vue-v-html',
     severity: 'medium',
-    message: 'v-html directive detected — ensure content is sanitised (e.g. DOMPurify) and never bind unsanitised user input',
+    message:
+      'v-html directive detected — ensure content is sanitised (e.g. DOMPurify) and never bind unsanitised user input',
     // Matches both :v-html and v-html= in .vue template strings captured in JS
     regex: /v-html\s*=/,
     category: 'xss',
@@ -306,8 +309,11 @@ export const FILE_PATTERNS = [
   },
   {
     id: 'path-traversal-dotdot',
-    severity: 'critical',
-    message: 'Literal path traversal sequence (../) in source — remove or validate user-supplied path segments',
+    // Downgraded to medium: internal tooling uses join(__dirname, '..', 'security', ...)
+    // which is safe fixed-path navigation, not user-supplied input. Only upgrade back
+    // to 'critical' if you start accepting external path segments at runtime.
+    severity: 'medium',
+    message: 'Literal path traversal sequence (../) in source — verify this is not user-supplied input',
     regex: /['"]\.\.[/\\]/,
     category: 'path-traversal',
   },
@@ -452,15 +458,7 @@ export const CONFIG_FILE_PATTERNS = [
 // ─── Extension allow-list ──────────────────────────────────────────────────────
 
 /** Source file extensions to include in the scan. */
-export const SCAN_EXTENSIONS = new Set([
-  '.js',
-  '.mjs',
-  '.cjs',
-  '.ts',
-  '.mts',
-  '.cts',
-  '.vue',
-])
+export const SCAN_EXTENSIONS = new Set(['.js', '.mjs', '.cjs', '.ts', '.mts', '.cts', '.vue'])
 
 // ─── Typosquatting reference list ──────────────────────────────────────────────
 
@@ -470,29 +468,83 @@ export const SCAN_EXTENSIONS = new Set([
  */
 export const POPULAR_PACKAGES = [
   // Frameworks & meta-frameworks
-  'react', 'vue', 'svelte', 'angular', 'next', 'nuxt', 'remix', 'astro',
+  'react',
+  'vue',
+  'svelte',
+  'angular',
+  'next',
+  'nuxt',
+  'remix',
+  'astro',
   // Build tools
-  'vite', 'webpack', 'rollup', 'parcel', 'esbuild', 'turbopack',
+  'vite',
+  'webpack',
+  'rollup',
+  'parcel',
+  'esbuild',
+  'turbopack',
   // Styling
-  'tailwindcss', 'postcss', 'autoprefixer', 'sass', 'less',
+  'tailwindcss',
+  'postcss',
+  'autoprefixer',
+  'sass',
+  'less',
   // Utility libraries
-  'lodash', 'axios', 'dayjs', 'moment', 'date-fns', 'zod', 'yup',
+  'lodash',
+  'axios',
+  'dayjs',
+  'moment',
+  'date-fns',
+  'zod',
+  'yup',
   // State management
-  'pinia', 'vuex', 'redux', 'mobx', 'zustand', 'jotai',
+  'pinia',
+  'vuex',
+  'redux',
+  'mobx',
+  'zustand',
+  'jotai',
   // Routing
-  'react-router', 'vue-router',
+  'react-router',
+  'vue-router',
   // Testing
-  'vitest', 'jest', 'mocha', 'chai', 'playwright', 'cypress',
+  'vitest',
+  'jest',
+  'mocha',
+  'chai',
+  'playwright',
+  'cypress',
   // TypeScript
-  'typescript', 'ts-node', 'tsx',
+  'typescript',
+  'ts-node',
+  'tsx',
   // Linting
-  'eslint', 'prettier', 'stylelint',
+  'eslint',
+  'prettier',
+  'stylelint',
   // Security / auth
-  'bcrypt', 'jsonwebtoken', 'passport', 'helmet', 'cors',
+  'bcrypt',
+  'jsonwebtoken',
+  'passport',
+  'helmet',
+  'cors',
   // Database
-  'prisma', 'sequelize', 'mongoose', 'typeorm', 'knex', 'drizzle-orm',
+  'prisma',
+  'sequelize',
+  'mongoose',
+  'typeorm',
+  'knex',
+  'drizzle-orm',
   // Node utilities
-  'express', 'fastify', 'koa', 'hapi', 'socket.io', 'ws', 'nodemailer',
+  'express',
+  'fastify',
+  'koa',
+  'hapi',
+  'socket.io',
+  'ws',
+  'nodemailer',
   // Package tooling
-  'pnpm', 'yarn', 'npm',
+  'pnpm',
+  'yarn',
+  'npm',
 ]