@archpublicwebsite/eslint-config 1.0.22 → 1.0.23

package/README.md

@@ -2,6 +2,36 @@
 
 Reusable ESLint flat config and git-hook toolkit for Archipelago projects.
 
+## Update 1 Bulan Terakhir (Mei-Jun 2026)
+
+Ringkasan perubahan terbaru yang paling penting:
+
+- Installer sekarang bisa membuat file setup utama otomatis saat belum ada.
+- Hook `pre-commit` lebih tahan error saat config belum lengkap.
+- Security scanner lebih akurat dan mengurangi false positive.
+- Ada opsi validasi akun/signature ketat lewat `REQUIRE_VERIFIED_ACCOUNT=1`.
+
+Jika `REQUIRE_VERIFIED_ACCOUNT=1` aktif:
+
+- `pre-commit` akan cek `user.name`, `user.email`, dan `commit.gpgsign=true`.
+- `pre-push` akan menolak commit yang status signature-nya bukan `G`.
+
+Cara pakai cepat:
+
+```bash
+pnpm install
+node node_modules/@archpublicwebsite/eslint-config/tools/setup/install.mjs
+pnpm lint:check
+pnpm typecheck
+```
+
+Aktifkan strict verification hanya saat dibutuhkan:
+
+```bash
+REQUIRE_VERIFIED_ACCOUNT=1 git commit
+REQUIRE_VERIFIED_ACCOUNT=1 git push
+```
+
 ## What this package includes
 
 This package ships a ready-to-use flat config plus setup scripts for local project automation:
@@ -82,9 +112,14 @@ The setup merges ESLint-related settings into `.vscode/settings.json`:
 {
   "eslint.useFlatConfig": true,
   "eslint.validate": [
-    "javascript", "javascriptreact",
-    "typescript", "typescriptreact",
-    "vue", "json", "jsonc", "markdown"
+    "javascript",
+    "javascriptreact",
+    "typescript",
+    "typescriptreact",
+    "vue",
+    "json",
+    "jsonc",
+    "markdown"
   ],
   "editor.codeActionsOnSave": {
     "source.fixAll.eslint": "explicit",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@archpublicwebsite/eslint-config",
-  "version": "1.0.22",
+  "version": "1.0.23",
   "author": "Archipelago Hotels",
   "description": "Reusable ESLint flat config and git-hook toolkit for Archipelago projects",
   "type": "module",

package/tools/git-hooks/pre-commit.mjs

@@ -1,7 +1,7 @@
 import { dirname, join } from 'node:path'
 import { fileURLToPath } from 'node:url'
 import { existsSync } from 'node:fs'
-import { hasCommand, run } from './shared.mjs'
+import { hasCommand, run, runSafe } from './shared.mjs'
 
 const __dirname = dirname(fileURLToPath(import.meta.url))
 const SCAN_SCRIPT = join(__dirname, '..', 'security', 'scan.mjs')
@@ -20,6 +20,31 @@ if (!hasCommand('pnpm')) {
   process.exit(1)
 }
 
+function enforceVerifiedAccountIfEnabled() {
+  if (process.env.REQUIRE_VERIFIED_ACCOUNT !== '1') {
+    return
+  }
+
+  const userEmail = runSafe('git config --get user.email')
+  const userName = runSafe('git config --get user.name')
+  const commitSign = runSafe('git config --get commit.gpgsign').toLowerCase()
+
+  if (!userEmail || !userName) {
+    console.error('\nCOMMIT FAILED: REQUIRE_VERIFIED_ACCOUNT=1 but git user identity is incomplete.\n')
+    console.error('Set both user.name and user.email first.')
+    process.exit(1)
+  }
+
+  if (commitSign !== 'true') {
+    console.error('\nCOMMIT FAILED: REQUIRE_VERIFIED_ACCOUNT=1 but commit signing is disabled.\n')
+    console.error('Run: git config commit.gpgsign true')
+    process.exit(1)
+  }
+}
+
+// ── 0. Optional strict verified-account gate ─────────────────────────────────
+enforceVerifiedAccountIfEnabled()
+
 // ── 1. Security scan — blocks on critical/high findings ───────────────────────
 run(`node "${SCAN_SCRIPT}"`, { stdio: 'inherit' })
 

package/tools/git-hooks/pre-push.mjs

@@ -90,6 +90,76 @@ function collectPushFiles(refs) {
   return [...seen]
 }
 
+/**
+ * Collect commits in push range(s).
+ * @param {{ localSha: string, remoteSha: string }[]} refs
+ * @returns {string[]}
+ */
+function collectPushCommits(refs) {
+  const seen = new Set()
+  for (const { localSha, remoteSha } of refs) {
+    const range = remoteSha === ZERO_SHA ? localSha : `${remoteSha}..${localSha}`
+    const output = runSafe(`git rev-list ${range}`)
+    if (!output) continue
+    for (const sha of output.split('\n').filter(Boolean)) {
+      seen.add(sha)
+    }
+  }
+  return [...seen]
+}
+
+/**
+ * Enforce signed + verified commits in push range when REQUIRE_VERIFIED_ACCOUNT=1.
+ * Git signature status reference (%G?):
+ *   G = good signature, N = no signature, B = bad signature, etc.
+ * @param {string[]} commits
+ */
+function enforceVerifiedAccountIfEnabled(commits) {
+  if (process.env.REQUIRE_VERIFIED_ACCOUNT !== '1') {
+    return
+  }
+
+  const userEmail = runSafe('git config --get user.email')
+  const userName = runSafe('git config --get user.name')
+  const commitSign = runSafe('git config --get commit.gpgsign').toLowerCase()
+
+  if (!userEmail || !userName) {
+    process.stderr.write(
+      `\n${YLW}${BOLD}✖  PUSH BLOCKED${R} — REQUIRE_VERIFIED_ACCOUNT=1 but git user identity is incomplete.\n`
+    )
+    process.exit(1)
+  }
+
+  if (commitSign !== 'true') {
+    process.stderr.write(
+      `\n${YLW}${BOLD}✖  PUSH BLOCKED${R} — REQUIRE_VERIFIED_ACCOUNT=1 but commit signing is disabled.\n`
+    )
+    process.stderr.write(`${DIM}Run: git config commit.gpgsign true${R}\n\n`)
+    process.exit(1)
+  }
+
+  const invalid = []
+  for (const sha of commits) {
+    const status = runSafe(`git log -1 --format=%G? ${sha}`)
+    if (status !== 'G') {
+      const subject = runSafe(`git log -1 --format=%s ${sha}`)
+      invalid.push({ sha, status: status || '?', subject })
+    }
+  }
+
+  if (invalid.length > 0) {
+    process.stderr.write(`\n${YLW}${BOLD}✖  PUSH BLOCKED${R} — found unverified commit signature(s).\n`)
+    invalid.slice(0, 10).forEach(({ sha, status, subject }) => {
+      process.stderr.write(`  - ${sha.slice(0, 10)}  status=${status}  ${subject}\n`)
+    })
+    if (invalid.length > 10) {
+      process.stderr.write(`  ...and ${invalid.length - 10} more\n`)
+    }
+    process.stderr.write(`${DIM}Set REQUIRE_VERIFIED_ACCOUNT=0 to disable this gate.${R}\n\n`)
+    process.exit(1)
+  }
+}
+
 // ─── Scan committed files ──────────────────────────────────────────────────────
 
 /**
@@ -222,6 +292,10 @@ function main() {
 
   const repoRoot = getRepoRoot()
   const refs = parsePushRefs()
+  const commits = refs.length > 0 ? collectPushCommits(refs) : [runSafe('git rev-parse HEAD')].filter(Boolean)
+
+  // ── 0. Optional strict verified-account gate ───────────────────────────────
+  enforceVerifiedAccountIfEnabled(commits)
 
   printScanHeader('@archipelago/pre-push', 'full-branch security gate')
 

package/tools/security/scanner.mjs

@@ -160,7 +160,28 @@ export function levenshtein(a, b) {
  * @returns {string|null}
  */
 export function detectTyposquat(pkgName) {
-  const bare = pkgName.startsWith('@') ? (pkgName.split('/')[1] ?? pkgName) : pkgName
+  const trustedScopes = new Set(['@storybook', '@types', '@vitejs', '@vitest', '@nuxt', '@vue', '@typescript-eslint'])
+
+  if (pkgName.startsWith('@')) {
+    const [scope = '', scopedName = ''] = pkgName.split('/')
+    // Trusted namespaces publish many package variants (vue3, react-vite, etc.)
+    // and should not be treated as typosquat candidates.
+    if (trustedScopes.has(scope)) return null
+
+    const bareScoped = scopedName || pkgName
+    if (bareScoped.length < 3) return null
+    for (const popular of POPULAR_PACKAGES) {
+      if (bareScoped === popular) return null
+      // Skip legit version-suffixed variants like vue3/react18.
+      if (bareScoped === `${popular}2` || bareScoped === `${popular}3` || bareScoped === `${popular}18`) {
+        return null
+      }
+      if (levenshtein(bareScoped.toLowerCase(), popular.toLowerCase()) === 1) return popular
+    }
+    return null
+  }
+
+  const bare = pkgName
   if (bare.length < 3) return null
   for (const popular of POPULAR_PACKAGES) {
     if (bare === popular) return null

package/tools/setup/install.mjs

@@ -137,6 +137,67 @@ export default config
   }
 }
 
+// ─── tsconfig.base.json ──────────────────────────────────────────────────────
+// Shared TypeScript compiler settings used by every package and app.
+// Includes @vue/typescript-plugin so the IDE delegates .vue file handling to
+// Volar instead of the plain TS server (eliminates "Cannot find name 'div'" etc.)
+
+function ensureTsConfigBase(projectRoot) {
+  const tsconfigBasePath = join(projectRoot, 'tsconfig.base.json')
+  const content = `{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "lib": ["DOM", "DOM.Iterable", "ES2020"],
+    "strict": true,
+    "jsx": "preserve",
+    "resolveJsonModule": true,
+    "skipLibCheck": true,
+    "types": ["vite/client"],
+    "plugins": [
+      {
+        "name": "@vue/typescript-plugin",
+        "languages": ["vue"]
+      }
+    ]
+  }
+}
+`
+  if (writeIfMissing(tsconfigBasePath, content)) log('Created tsconfig.base.json')
+}
+
+// ─── tsconfig.json ───────────────────────────────────────────────────────────
+// Root TypeScript project file that extends tsconfig.base.json.
+// Covers src/ and packages/ source; excludes apps/ (each app owns its tsconfig).
+// Add path aliases here as workspace packages grow.
+
+function ensureTsConfig(projectRoot) {
+  const tsconfigPath = join(projectRoot, 'tsconfig.json')
+  const content = `{
+  "extends": "./tsconfig.base.json",
+  "compilerOptions": {
+    "paths": {}
+  },
+  "include": [
+    "src/**/*.ts",
+    "src/**/*.vue",
+    "packages/**/*.ts",
+    "packages/**/*.vue",
+    "vite.config.ts"
+  ],
+  "exclude": [
+    "apps/**",
+    "node_modules",
+    "**/dist/**",
+    "**/.nuxt/**",
+    "**/.output/**"
+  ]
+}
+`
+  if (writeIfMissing(tsconfigPath, content)) log('Created tsconfig.json')
+}
+
 function ensureCommitlintConfig(projectRoot) {
   const commitlintConfigPath = join(projectRoot, 'commitlint.config.cjs')
   const content = `module.exports = require('@archpublicwebsite/eslint-config/commitlint')
@@ -357,6 +418,8 @@ function main() {
 
   ensureEditorConfig(projectRoot)
   ensureEslintUserIgnore(projectRoot)
+  ensureTsConfigBase(projectRoot)
+  ensureTsConfig(projectRoot)
   ensureEslintConfig(projectRoot)
   ensurePrettierConfig(projectRoot)
   ensurePrettierIgnore(projectRoot)