@archpublicwebsite/eslint-config 1.0.22 → 1.0.30

package/README.md

@@ -2,6 +2,36 @@
 
 Reusable ESLint flat config and git-hook toolkit for Archipelago projects.
 
+## Last Month Updates (May-Jun 2026)
+
+Here are the most important recent changes:
+
+- The installer can now create key setup files automatically when they are missing.
+- The `pre-commit` hook is now more resilient when project config is incomplete.
+- The security scanner is more accurate and produces fewer false positives.
+- A strict account/signature validation mode is available via `REQUIRE_VERIFIED_ACCOUNT=1`.
+
+When `REQUIRE_VERIFIED_ACCOUNT=1` is enabled:
+
+- `pre-commit` checks `user.name`, `user.email`, and `commit.gpgsign=true`.
+- `pre-push` rejects commits whose signature status is not `G`.
+
+Quick start:
+
+```bash
+pnpm install
+node node_modules/@archpublicwebsite/eslint-config/tools/setup/install.mjs
+pnpm lint:check
+pnpm typecheck
+```
+
+Enable strict verification only when needed:
+
+```bash
+REQUIRE_VERIFIED_ACCOUNT=1 git commit
+REQUIRE_VERIFIED_ACCOUNT=1 git push
+```
+
 ## What this package includes
 
 This package ships a ready-to-use flat config plus setup scripts for local project automation:
@@ -82,9 +112,14 @@ The setup merges ESLint-related settings into `.vscode/settings.json`:
 {
   "eslint.useFlatConfig": true,
   "eslint.validate": [
-    "javascript", "javascriptreact",
-    "typescript", "typescriptreact",
-    "vue", "json", "jsonc", "markdown"
+    "javascript",
+    "javascriptreact",
+    "typescript",
+    "typescriptreact",
+    "vue",
+    "json",
+    "jsonc",
+    "markdown"
   ],
   "editor.codeActionsOnSave": {
     "source.fixAll.eslint": "explicit",
@@ -96,6 +131,43 @@ The setup merges ESLint-related settings into `.vscode/settings.json`:
 
 Existing settings are preserved. Only the ESLint-related keys are added or updated.
 
+## Troubleshooting (Nuxt)
+
+If you see errors like:
+
+- `Cannot find module '~/composables'`
+- `Cannot find name 'useRoute'`
+- `Cannot find name 'useRuntimeConfig'`
+- `'<script setup ...>' expected` in `.vue` files
+
+Use this checklist:
+
+1. Ensure root `tsconfig.json` extends Nuxt types:
+
+```json
+{
+  "extends": "./.nuxt/tsconfig.json"
+}
+```
+
+2. Generate Nuxt type files:
+
+```bash
+npx nuxi prepare
+```
+
+3. Confirm VS Code uses Volar for Vue files (disable Vetur).
+4. Re-run setup script:
+
+```bash
+node node_modules/@archpublicwebsite/eslint-config/tools/setup/install.mjs
+```
+
+Note:
+
+- The setup now writes workspace settings that disable Vetur validators to prevent false Vue/TS errors.
+- After running setup, restart VS Code (`Developer: Reload Window`) so the language server state is refreshed.
+
 ## Public API
 
 The package exports:

package/lint-staged.config.mjs

@@ -1,5 +1,7 @@
 const config = {
-  '*.{js,mjs,cjs,ts,tsx,vue}': ['eslint --fix', 'prettier --write'],
+  // Keep JS/TS/Vue formatting and lint fixes in one engine (ESLint)
+  // so save behavior and pre-commit output stay consistent.
+  '*.{js,mjs,cjs,ts,tsx,vue}': ['eslint --fix'],
   '*.{json,md,yml,yaml,css,scss,html}': ['prettier --write'],
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@archpublicwebsite/eslint-config",
-  "version": "1.0.22",
+  "version": "1.0.30",
   "author": "Archipelago Hotels",
   "description": "Reusable ESLint flat config and git-hook toolkit for Archipelago projects",
   "type": "module",

package/tools/git-hooks/pre-commit.mjs

@@ -1,7 +1,7 @@
 import { dirname, join } from 'node:path'
 import { fileURLToPath } from 'node:url'
 import { existsSync } from 'node:fs'
-import { hasCommand, run } from './shared.mjs'
+import { hasCommand, run, runSafe } from './shared.mjs'
 
 const __dirname = dirname(fileURLToPath(import.meta.url))
 const SCAN_SCRIPT = join(__dirname, '..', 'security', 'scan.mjs')
@@ -15,11 +15,96 @@ function runIfExists(scriptPath, command) {
   run(command, { stdio: 'inherit' })
 }
 
+function quoteShellArg(value) {
+  const escaped = String(value).replaceAll("'", '\'"\'"\'')
+  return `'${escaped}'`
+}
+
+function getStagedLintTargets() {
+  const output = runSafe('git diff --cached --name-only --diff-filter=ACMR')
+  if (!output) {
+    return []
+  }
+
+  return output
+    .split('\n')
+    .map(line => line.trim())
+    .filter(Boolean)
+    // Keep this check focused on app/source code files that should match
+    // editor save behavior. Tooling files are validated by lint-staged itself.
+    .filter(filePath => /\.(js|ts|tsx|vue)$/.test(filePath))
+}
+
+function ensureEslintFlatConfig() {
+  const hasFlatConfig =
+    existsSync('./eslint.config.mjs') || existsSync('./eslint.config.js') || existsSync('./eslint.config.cjs')
+
+  if (hasFlatConfig) {
+    return
+  }
+
+  const installerPath = join(__dirname, '..', 'setup', 'install.mjs')
+  console.log('\nMissing eslint.config.* detected. Running setup installer to auto-create required config...')
+  run(`node "${installerPath}"`, { stdio: 'inherit' })
+
+  const configCreated =
+    existsSync('./eslint.config.mjs') || existsSync('./eslint.config.js') || existsSync('./eslint.config.cjs')
+
+  if (!configCreated) {
+    console.error('\nCOMMIT FAILED: eslint.config.* is still missing after setup.')
+    console.error('Run: node node_modules/@archpublicwebsite/eslint-config/tools/setup/install.mjs')
+    process.exit(1)
+  }
+}
+
+function verifySaveEquivalentLintState() {
+  const lintTargets = getStagedLintTargets()
+  if (lintTargets.length === 0) {
+    return
+  }
+
+  const targetArgs = lintTargets.map(quoteShellArg).join(' ')
+  console.log('\nVerifying staged code with ESLint check...')
+
+  try {
+    run(`pnpm exec eslint --no-error-on-unmatched-pattern ${targetArgs}`, { stdio: 'inherit' })
+  } catch {
+    console.error('\nCOMMIT FAILED: staged code still has ESLint issues after auto-fix.')
+    console.error('Fix the remaining issues, stage again, then commit.')
+    process.exit(1)
+  }
+}
+
 if (!hasCommand('pnpm')) {
   console.error('\nCOMMIT FAILED: pnpm is required but not found.\n')
   process.exit(1)
 }
 
+function enforceVerifiedAccountIfEnabled() {
+  if (process.env.REQUIRE_VERIFIED_ACCOUNT !== '1') {
+    return
+  }
+
+  const userEmail = runSafe('git config --get user.email')
+  const userName = runSafe('git config --get user.name')
+  const commitSign = runSafe('git config --get commit.gpgsign').toLowerCase()
+
+  if (!userEmail || !userName) {
+    console.error('\nCOMMIT FAILED: REQUIRE_VERIFIED_ACCOUNT=1 but git user identity is incomplete.\n')
+    console.error('Set both user.name and user.email first.')
+    process.exit(1)
+  }
+
+  if (commitSign !== 'true') {
+    console.error('\nCOMMIT FAILED: REQUIRE_VERIFIED_ACCOUNT=1 but commit signing is disabled.\n')
+    console.error('Run: git config commit.gpgsign true')
+    process.exit(1)
+  }
+}
+
+// ── 0. Optional strict verified-account gate ─────────────────────────────────
+enforceVerifiedAccountIfEnabled()
+
 // ── 1. Security scan — blocks on critical/high findings ───────────────────────
 run(`node "${SCAN_SCRIPT}"`, { stdio: 'inherit' })
 
@@ -33,6 +118,8 @@ if (process.env.SKIP_GLOBAL_SCAN === '1') {
 }
 
 // ── 3. Lint-staged — auto-fix & format staged files ───────────────────────────
+ensureEslintFlatConfig()
+
 console.log('\nRunning lint-staged (auto-fix staged files)...')
 if (existsSync('./lint-staged.config.mjs')) {
   run('pnpm exec lint-staged --config lint-staged.config.mjs', { stdio: 'inherit' })
@@ -41,4 +128,7 @@ if (existsSync('./lint-staged.config.mjs')) {
   run('pnpm exec lint-staged', { stdio: 'inherit' })
 }
 
+// ── 4. Save-equivalent verification (same lint result as editor save) ────────
+verifySaveEquivalentLintState()
+
 console.log('\nCOMMIT CHECKS PASSED\n')

package/tools/git-hooks/pre-push.mjs

@@ -90,6 +90,76 @@ function collectPushFiles(refs) {
   return [...seen]
 }
 
+/**
+ * Collect commits in push range(s).
+ * @param {{ localSha: string, remoteSha: string }[]} refs
+ * @returns {string[]}
+ */
+function collectPushCommits(refs) {
+  const seen = new Set()
+  for (const { localSha, remoteSha } of refs) {
+    const range = remoteSha === ZERO_SHA ? localSha : `${remoteSha}..${localSha}`
+    const output = runSafe(`git rev-list ${range}`)
+    if (!output) continue
+    for (const sha of output.split('\n').filter(Boolean)) {
+      seen.add(sha)
+    }
+  }
+  return [...seen]
+}
+
+/**
+ * Enforce signed + verified commits in push range when REQUIRE_VERIFIED_ACCOUNT=1.
+ * Git signature status reference (%G?):
+ *   G = good signature, N = no signature, B = bad signature, etc.
+ * @param {string[]} commits
+ */
+function enforceVerifiedAccountIfEnabled(commits) {
+  if (process.env.REQUIRE_VERIFIED_ACCOUNT !== '1') {
+    return
+  }
+
+  const userEmail = runSafe('git config --get user.email')
+  const userName = runSafe('git config --get user.name')
+  const commitSign = runSafe('git config --get commit.gpgsign').toLowerCase()
+
+  if (!userEmail || !userName) {
+    process.stderr.write(
+      `\n${YLW}${BOLD}✖  PUSH BLOCKED${R} — REQUIRE_VERIFIED_ACCOUNT=1 but git user identity is incomplete.\n`
+    )
+    process.exit(1)
+  }
+
+  if (commitSign !== 'true') {
+    process.stderr.write(
+      `\n${YLW}${BOLD}✖  PUSH BLOCKED${R} — REQUIRE_VERIFIED_ACCOUNT=1 but commit signing is disabled.\n`
+    )
+    process.stderr.write(`${DIM}Run: git config commit.gpgsign true${R}\n\n`)
+    process.exit(1)
+  }
+
+  const invalid = []
+  for (const sha of commits) {
+    const status = runSafe(`git log -1 --format=%G? ${sha}`)
+    if (status !== 'G') {
+      const subject = runSafe(`git log -1 --format=%s ${sha}`)
+      invalid.push({ sha, status: status || '?', subject })
+    }
+  }
+
+  if (invalid.length > 0) {
+    process.stderr.write(`\n${YLW}${BOLD}✖  PUSH BLOCKED${R} — found unverified commit signature(s).\n`)
+    invalid.slice(0, 10).forEach(({ sha, status, subject }) => {
+      process.stderr.write(`  - ${sha.slice(0, 10)}  status=${status}  ${subject}\n`)
+    })
+    if (invalid.length > 10) {
+      process.stderr.write(`  ...and ${invalid.length - 10} more\n`)
+    }
+    process.stderr.write(`${DIM}Set REQUIRE_VERIFIED_ACCOUNT=0 to disable this gate.${R}\n\n`)
+    process.exit(1)
+  }
+}
+
 // ─── Scan committed files ──────────────────────────────────────────────────────
 
 /**
@@ -222,6 +292,10 @@ function main() {
 
   const repoRoot = getRepoRoot()
   const refs = parsePushRefs()
+  const commits = refs.length > 0 ? collectPushCommits(refs) : [runSafe('git rev-parse HEAD')].filter(Boolean)
+
+  // ── 0. Optional strict verified-account gate ───────────────────────────────
+  enforceVerifiedAccountIfEnabled(commits)
 
   printScanHeader('@archipelago/pre-push', 'full-branch security gate')
 

package/tools/security/scanner.mjs

@@ -160,7 +160,28 @@ export function levenshtein(a, b) {
  * @returns {string|null}
  */
 export function detectTyposquat(pkgName) {
-  const bare = pkgName.startsWith('@') ? (pkgName.split('/')[1] ?? pkgName) : pkgName
+  const trustedScopes = new Set(['@storybook', '@types', '@vitejs', '@vitest', '@nuxt', '@vue', '@typescript-eslint'])
+
+  if (pkgName.startsWith('@')) {
+    const [scope = '', scopedName = ''] = pkgName.split('/')
+    // Trusted namespaces publish many package variants (vue3, react-vite, etc.)
+    // and should not be treated as typosquat candidates.
+    if (trustedScopes.has(scope)) return null
+
+    const bareScoped = scopedName || pkgName
+    if (bareScoped.length < 3) return null
+    for (const popular of POPULAR_PACKAGES) {
+      if (bareScoped === popular) return null
+      // Skip legit version-suffixed variants like vue3/react18.
+      if (bareScoped === `${popular}2` || bareScoped === `${popular}3` || bareScoped === `${popular}18`) {
+        return null
+      }
+      if (levenshtein(bareScoped.toLowerCase(), popular.toLowerCase()) === 1) return popular
+    }
+    return null
+  }
+
+  const bare = pkgName
   if (bare.length < 3) return null
   for (const popular of POPULAR_PACKAGES) {
     if (bare === popular) return null

package/tools/setup/install.mjs

@@ -27,6 +27,11 @@ function writeIfMissing(filePath, content) {
   return true
 }
 
+function isNuxtProject(projectRoot) {
+  const nuxtConfigNames = ['nuxt.config.ts', 'nuxt.config.js', 'nuxt.config.mjs', 'nuxt.config.cjs']
+  return nuxtConfigNames.some(fileName => existsSync(join(projectRoot, fileName)))
+}
+
 // ─── .editorconfig ──────────────────────────────────────────────────────────
 
 function ensureEditorConfig(projectRoot) {
@@ -137,6 +142,79 @@ export default config
   }
 }
 
+// ─── tsconfig.base.json ──────────────────────────────────────────────────────
+// Shared TypeScript compiler settings used by every package and app.
+// Includes @vue/typescript-plugin so the IDE delegates .vue file handling to
+// Volar instead of the plain TS server (eliminates "Cannot find name 'div'" etc.)
+
+function ensureTsConfigBase(projectRoot) {
+  const tsconfigBasePath = join(projectRoot, 'tsconfig.base.json')
+  const content = `{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "lib": ["DOM", "DOM.Iterable", "ES2020"],
+    "strict": true,
+    "jsx": "preserve",
+    "resolveJsonModule": true,
+    "skipLibCheck": true,
+    "types": ["vite/client"],
+    "plugins": [
+      {
+        "name": "@vue/typescript-plugin",
+        "languages": ["vue"]
+      }
+    ]
+  }
+}
+`
+  if (writeIfMissing(tsconfigBasePath, content)) log('Created tsconfig.base.json')
+}
+
+// ─── tsconfig.json ───────────────────────────────────────────────────────────
+// Root TypeScript project file that extends tsconfig.base.json.
+// Covers src/ and packages/ source; excludes apps/ (each app owns its tsconfig).
+// Add path aliases here as workspace packages grow.
+
+function ensureTsConfig(projectRoot) {
+  const tsconfigPath = join(projectRoot, 'tsconfig.json')
+  const nonNuxtContent = `{
+  "extends": "./tsconfig.base.json",
+  "compilerOptions": {
+    "paths": {}
+  },
+  "include": [
+    "**/*.ts",
+    "**/*.tsx",
+    "**/*.vue",
+    "**/*.d.ts",
+    "vite.config.ts"
+  ],
+  "exclude": [
+    "node_modules",
+    "**/dist/**",
+    "**/.nuxt/**",
+    "**/.output/**"
+  ]
+}
+`
+
+  // Nuxt projects must extend .nuxt/tsconfig.json so aliases (`~/`, `#imports`)
+  // and auto-imported composables (`useRoute`, `useRuntimeConfig`, etc.) resolve.
+  const nuxtContent = `{
+  "extends": "./.nuxt/tsconfig.json"
+}
+`
+
+  const nuxtProject = isNuxtProject(projectRoot)
+  const content = nuxtProject ? nuxtContent : nonNuxtContent
+
+  if (writeIfMissing(tsconfigPath, content)) {
+    log(nuxtProject ? 'Created tsconfig.json (Nuxt mode)' : 'Created tsconfig.json')
+  }
+}
+
 function ensureCommitlintConfig(projectRoot) {
   const commitlintConfigPath = join(projectRoot, 'commitlint.config.cjs')
   const content = `module.exports = require('@archpublicwebsite/eslint-config/commitlint')
@@ -357,6 +435,8 @@ function main() {
 
   ensureEditorConfig(projectRoot)
   ensureEslintUserIgnore(projectRoot)
+  ensureTsConfigBase(projectRoot)
+  ensureTsConfig(projectRoot)
   ensureEslintConfig(projectRoot)
   ensurePrettierConfig(projectRoot)
   ensurePrettierIgnore(projectRoot)

package/tools/setup/vscode.mjs

@@ -20,7 +20,13 @@ const VSCODE_ESLINT_SETTINGS = {
 
   // Volar + TS integration for Vue 3 SFC template diagnostics
   'vue.server.hybridMode': true,
-  'volar.takeOverMode.enabled': true,
+
+  // Defensive guard: if Vetur is installed globally, disable its validators
+  // to avoid conflicting diagnostics like "'<script setup ...>' expected".
+  'vetur.validation.template': false,
+  'vetur.validation.script': false,
+  'vetur.validation.style': false,
+  'vetur.experimental.templateInterpolationService': false,
 
   // Prevent duplicate/broken diagnostics from built-in TS/JS validators
   // (vue-tsc + Volar remain the source of truth for Vue type diagnostics).
@@ -36,7 +42,7 @@ const VSCODE_ESLINT_SETTINGS = {
 
   // Auto-fix on save via ESLint
   'editor.codeActionsOnSave': {
-    'source.fixAll.eslint': 'explicit',
+    'source.fixAll.eslint': true,
     'source.organizeImports': 'never',
   },
 
@@ -57,7 +63,7 @@ const VSCODE_ESLINT_SETTINGS = {
     'editor.defaultFormatter': 'dbaeumer.vscode-eslint',
   },
   '[vue]': {
-    'editor.defaultFormatter': 'Vue.volar',
+    'editor.defaultFormatter': 'dbaeumer.vscode-eslint',
   },
   '[json]': {
     'editor.defaultFormatter': 'dbaeumer.vscode-eslint',