@freshguard/freshguard-core 0.13.2 → 0.15.0

package/CHANGELOG.md

@@ -7,7 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.15.0] - 2026-02-12
+
 ### Added
+- **SKILL.md agent skills directory** — instruction-style documentation for AI coding agents, wired via `agentskills` field in package.json
+- **Per-export API reference** in README — tables for monitoring functions, connectors, metadata storage, errors, and key types
+- **"When to use this"** paragraph in README for quick orientation
+- **Compatibility section** in README documenting Node, TypeScript, and ESM requirements
+
+### Changed
+- JSDoc comments now preserved in shipped `.d.ts` files (`removeComments: false` in tsconfig)
+- Enhanced JSDoc on all 9 connector constructors with `@param`, `@example` tags
+- Added module-level JSDoc to `connectors/index`, `monitor/index`, `metadata/index`, `db/index`
+- Added `@example` to `MonitoringRule`, `CheckResult`, and `DataSource` type interfaces
+- Improved `createDatabase()` JSDoc with usage example
 - Documentation site with versioned API reference
 
 ## [0.12.0] - 2026-02-10
@@ -148,7 +161,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Drizzle ORM database schema and migrations
 - MIT license
 
-[Unreleased]: https://github.com/freshguard-dev/freshguard-core/compare/v0.12.0...HEAD
+[Unreleased]: https://github.com/freshguard-dev/freshguard-core/compare/v0.15.0...HEAD
+[0.15.0]: https://github.com/freshguard-dev/freshguard-core/compare/v0.12.0...v0.15.0
 [0.12.0]: https://github.com/freshguard-dev/freshguard-core/compare/v0.11.3...v0.12.0
 [0.11.3]: https://github.com/freshguard-dev/freshguard-core/compare/v0.11.2...v0.11.3
 [0.11.2]: https://github.com/freshguard-dev/freshguard-core/compare/v0.11.1...v0.11.2

package/README.md

@@ -6,7 +6,9 @@
 [![npm version](https://img.shields.io/npm/v/@freshguard/freshguard-core.svg)](https://www.npmjs.com/package/@freshguard/freshguard-core)
 [![Docs](https://img.shields.io/badge/docs-website-blue)](https://freshguard-dev.github.io/freshguard-core)
 
-Monitor when your data pipelines go stale. Supports PostgreSQL, DuckDB, BigQuery, Snowflake, MySQL, and Redshift. Self-hosted. Free forever.
+Monitor when your data pipelines go stale. Supports PostgreSQL, DuckDB, BigQuery, Snowflake, MySQL, Redshift, SQL Server, Azure SQL, and Azure Synapse. Self-hosted. Free forever.
+
+**When to use this:** You run data pipelines (ETL/ELT) that land data into a warehouse or database and you need to know — programmatically — when a table stops updating, row counts look wrong, or the schema drifts. Install this package in a Node.js script, a cron job, or a long-running process and it will check your tables and tell you what's stale. No dashboard, no vendor lock-in, no account required.
 
 ## Install
 
@@ -52,6 +54,63 @@ if (result.status === 'alert') {
 - **Volume anomaly detection** — Alert when row counts deviate from a calculated baseline
 - **Schema change detection** — Alert when columns are added, removed, or modified
 
+## API at a glance
+
+### Monitoring functions
+
+| Export | Description |
+|---|---|
+| `checkFreshness(connector, rule)` | Returns `'alert'` when `MAX(timestampColumn)` exceeds `toleranceMinutes` |
+| `checkVolumeAnomaly(connector, rule)` | Returns `'alert'` when current row count deviates from the historical baseline |
+| `checkSchemaChanges(connector, rule)` | Returns `'alert'` when columns are added, removed, or modified |
+
+### Connectors
+
+| Export | Database |
+|---|---|
+| `PostgresConnector` | PostgreSQL |
+| `DuckDBConnector` | DuckDB (local file / `:memory:`) |
+| `BigQueryConnector` | Google BigQuery |
+| `SnowflakeConnector` | Snowflake |
+| `MySQLConnector` | MySQL |
+| `RedshiftConnector` | Amazon Redshift |
+| `MSSQLConnector` | SQL Server |
+| `AzureSQLConnector` | Azure SQL Database |
+| `SynapseConnector` | Azure Synapse Analytics |
+
+All connectors accept a `ConnectorConfig` (host, port, database, username, password, ssl) and an optional `SecurityConfig` override.
+
+### Metadata storage
+
+| Export | Description |
+|---|---|
+| `createMetadataStorage(config?)` | Factory — returns DuckDB (default) or PostgreSQL metadata store |
+| `DuckDBMetadataStorage` | Embedded DuckDB storage (zero-setup) |
+| `PostgreSQLMetadataStorage` | PostgreSQL-backed shared storage |
+
+### Database utilities
+
+| Export | Description |
+|---|---|
+| `createDatabase(connectionString)` | Create a Drizzle ORM connection to the FreshGuard PostgreSQL schema |
+| `schema` | Drizzle table definitions |
+
+### Error classes
+
+| Export | Thrown when |
+|---|---|
+| `FreshGuardError` | Base class for all FreshGuard errors |
+| `SecurityError` | SQL injection attempt or blocked query |
+| `ConnectionError` | Database connection failure |
+| `TimeoutError` | Query or connection timeout exceeded |
+| `QueryError` | Query execution failure |
+| `ConfigurationError` | Invalid configuration |
+| `MonitoringError` | Monitoring logic failure |
+
+### Key types
+
+`MonitoringRule`, `CheckResult`, `DataSource`, `SourceCredentials`, `ConnectorConfig`, `CheckStatus`, `RuleType`, `DataSourceType`, `SchemaChanges`, `ColumnChange`, `FreshGuardConfig`
+
 ## Documentation
 
 **[Read the full docs](https://freshguard-dev.github.io/freshguard-core)** — guides, API reference, examples, and self-hosting instructions.
@@ -75,6 +134,9 @@ if (result.status === 'alert') {
 | Snowflake | `SnowflakeConnector` | 0.2.0 |
 | MySQL | `MySQLConnector` | 0.11.0 |
 | Redshift | `RedshiftConnector` | 0.11.0 |
+| SQL Server | `MSSQLConnector` | 0.14.0 |
+| Azure SQL Database | `AzureSQLConnector` | 0.14.0 |
+| Azure Synapse Analytics | `SynapseConnector` | 0.14.0 |
 
 ## CLI
 
@@ -85,6 +147,17 @@ pnpm exec freshguard test
 pnpm exec freshguard run
 ```
 
+## Compatibility
+
+| Requirement | Version |
+|---|---|
+| Node.js | >=20.0.0 |
+| TypeScript | >=5.3 (ships `.d.ts` + declaration maps) |
+| Module system | ESM only (`"type": "module"`) |
+| Package manager | pnpm >=10 (npm/yarn work for consumers) |
+
+This package follows **semver**. Breaking changes only land in major version bumps. The current version is **0.x** (pre-1.0), so minor versions may contain breaking changes — check [CHANGELOG.md](CHANGELOG.md) before upgrading.
+
 ## Architecture
 
 This is the **open-source core** (MIT licensed). It contains all monitoring logic, connectors, and CLI tooling. It does not include multi-tenant features, authentication, or dashboards — those are part of [FreshGuard Cloud](https://freshguard.dev).

package/SKILL.md

@@ -0,0 +1,229 @@
+# FreshGuard Core — Agent Skill
+
+## When to use this library
+
+Use `@freshguard/freshguard-core` when you need to **programmatically check whether data in a database table is fresh, whether row counts are normal, or whether the schema has changed**. It is the right tool when:
+
+- A user asks you to monitor a data pipeline for staleness.
+- A user wants alerts when a table stops updating or row counts look wrong.
+- A user needs to detect schema drift (added/removed/modified columns).
+- You need to connect to PostgreSQL, DuckDB, BigQuery, Snowflake, MySQL, Redshift, SQL Server, Azure SQL, or Azure Synapse and run read-only health checks.
+
+Do **not** use this library for writing data, running arbitrary queries, or building dashboards.
+
+---
+
+## Installation
+
+```bash
+pnpm install @freshguard/freshguard-core
+```
+
+All imports come from the single entry point:
+
+```typescript
+import { checkFreshness, PostgresConnector, ... } from '@freshguard/freshguard-core';
+```
+
+---
+
+## Core operations
+
+### 1. Check data freshness
+
+Detect when a table hasn't been updated within an expected window.
+
+```typescript
+import { checkFreshness, PostgresConnector } from '@freshguard/freshguard-core';
+
+// 1. Create a connector
+const connector = new PostgresConnector({
+  host: 'localhost', port: 5432,
+  database: 'analytics',
+  username: 'readonly',
+  password: process.env.DB_PASSWORD!,
+  ssl: true,
+});
+
+// 2. Define a rule
+const rule = {
+  id: 'orders-freshness',
+  sourceId: 'prod_pg',
+  name: 'Orders Freshness',
+  tableName: 'orders',
+  ruleType: 'freshness' as const,
+  toleranceMinutes: 60,          // alert if data is older than 60 min
+  timestampColumn: 'updated_at', // column to check
+  checkIntervalMinutes: 5,
+  isActive: true,
+  createdAt: new Date(),
+  updatedAt: new Date(),
+};
+
+// 3. Run the check
+const result = await checkFreshness(connector, rule);
+
+// 4. Inspect the result
+if (result.status === 'alert') {
+  console.log(`Data is ${result.lagMinutes} minutes stale`);
+}
+// result.status is 'ok' | 'alert' | 'failed'
+```
+
+### 2. Detect volume anomalies
+
+Alert when a table's row count deviates from its historical baseline.
+
+```typescript
+import { checkVolumeAnomaly, PostgresConnector } from '@freshguard/freshguard-core';
+
+const connector = new PostgresConnector({ /* ... */ });
+
+const rule = {
+  id: 'orders-volume',
+  sourceId: 'prod_pg',
+  name: 'Orders Volume',
+  tableName: 'orders',
+  ruleType: 'volume_anomaly' as const,
+  baselineWindowDays: 14,
+  deviationThresholdPercent: 30, // alert if >30% deviation
+  checkIntervalMinutes: 60,
+  isActive: true,
+  createdAt: new Date(),
+  updatedAt: new Date(),
+};
+
+// Provide metadata storage so the baseline can be calculated from history
+import { createMetadataStorage } from '@freshguard/freshguard-core';
+const storage = await createMetadataStorage(); // embedded DuckDB
+
+const result = await checkVolumeAnomaly(connector, rule, storage);
+
+if (result.status === 'alert') {
+  console.log(`Row count deviation: ${result.deviation}% from baseline ${result.baselineAverage}`);
+}
+```
+
+### 3. Detect schema changes
+
+Alert when columns are added, removed, or modified.
+
+```typescript
+import { checkSchemaChanges, PostgresConnector } from '@freshguard/freshguard-core';
+
+const connector = new PostgresConnector({ /* ... */ });
+
+const rule = {
+  id: 'orders-schema',
+  sourceId: 'prod_pg',
+  name: 'Orders Schema',
+  tableName: 'orders',
+  ruleType: 'schema_change' as const,
+  trackColumnChanges: true,
+  checkIntervalMinutes: 60,
+  isActive: true,
+  createdAt: new Date(),
+  updatedAt: new Date(),
+};
+
+const storage = await createMetadataStorage();
+const result = await checkSchemaChanges(connector, rule, storage);
+
+if (result.status === 'alert' && result.schemaChanges) {
+  console.log(result.schemaChanges.summary);
+  // e.g. "2 columns added, 1 column removed"
+}
+```
+
+---
+
+## Connector setup
+
+Every connector takes a `ConnectorConfig` object:
+
+```typescript
+interface ConnectorConfig {
+  host: string;
+  port: number;
+  database: string;
+  username: string;
+  password: string;
+  ssl?: boolean;          // default: true
+  timeout?: number;       // connection timeout ms (default: 30000)
+  queryTimeout?: number;  // query timeout ms (default: 10000)
+  maxRows?: number;       // max rows returned (default: 1000)
+}
+```
+
+| Connector | Notes |
+|---|---|
+| `PostgresConnector` | Standard PostgreSQL |
+| `DuckDBConnector` | `database` = file path or `':memory:'` |
+| `BigQueryConnector` | `database` = GCP project ID |
+| `SnowflakeConnector` | `host` = `<account>.snowflakecomputing.com` |
+| `MySQLConnector` | Standard MySQL, port 3306 |
+| `RedshiftConnector` | PostgreSQL wire protocol, port 5439 |
+| `MSSQLConnector` | SQL Server, port 1433 |
+| `AzureSQLConnector` | `host` = `<server>.database.windows.net` |
+| `SynapseConnector` | `host` = `<workspace>.sql.azuresynapse.net` |
+
+---
+
+## Metadata storage
+
+Volume anomaly and schema change checks need historical data. Pass a
+`MetadataStorage` instance as the third argument:
+
+```typescript
+import { createMetadataStorage } from '@freshguard/freshguard-core';
+
+// Embedded DuckDB (zero-setup, default)
+const storage = await createMetadataStorage();
+
+// Custom DuckDB path
+const storage = await createMetadataStorage({ type: 'duckdb', path: './meta.db' });
+
+// PostgreSQL (shared across workers)
+const storage = await createMetadataStorage({
+  type: 'postgresql',
+  url: 'postgresql://user:pass@host:5432/freshguard_meta',
+});
+```
+
+---
+
+## Error handling
+
+All errors extend `FreshGuardError`. Catch specific subclasses:
+
+```typescript
+import {
+  SecurityError,
+  ConnectionError,
+  TimeoutError,
+  QueryError,
+  ConfigurationError,
+} from '@freshguard/freshguard-core';
+
+try {
+  const result = await checkFreshness(connector, rule);
+} catch (err) {
+  if (err instanceof ConnectionError) {
+    // database unreachable
+  } else if (err instanceof TimeoutError) {
+    // query or connection timed out
+  } else if (err instanceof SecurityError) {
+    // blocked query (SQL injection prevention)
+  }
+}
+```
+
+---
+
+## Key types
+
+- **`MonitoringRule`** — defines what table to check, which algorithm, and the thresholds.
+- **`CheckResult`** — the outcome: `status` (`'ok'` | `'alert'` | `'failed'`), plus `lagMinutes`, `deviation`, `schemaChanges`, etc.
+- **`ConnectorConfig`** — database connection credentials.
+- **`DataSource`** — a registered database with metadata.
+- **`FreshGuardConfig`** — top-level config for self-hosted deployments.

package/dist/cli/index.d.ts

@@ -1,3 +1,16 @@
 #!/usr/bin/env node
+/**
+ * FreshGuard CLI - Secure Command-Line Interface
+ * Simple command-line interface for self-hosters with built-in security measures
+ *
+ * Security features:
+ * - Secure credential handling with environment variables
+ * - Input validation to prevent command injection
+ * - No sensitive data logging
+ * - Safe file path handling
+ * - Connection validation with timeouts
+ *
+ * @module @freshguard/freshguard-core/cli
+ */
 export {};
 //# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":""}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;GAYG"}

package/dist/cli/index.js

@@ -1,4 +1,17 @@
 #!/usr/bin/env node
+/**
+ * FreshGuard CLI - Secure Command-Line Interface
+ * Simple command-line interface for self-hosters with built-in security measures
+ *
+ * Security features:
+ * - Secure credential handling with environment variables
+ * - Input validation to prevent command injection
+ * - No sensitive data logging
+ * - Safe file path handling
+ * - Connection validation with timeouts
+ *
+ * @module @freshguard/freshguard-core/cli
+ */
 import { readFile, writeFile, existsSync, mkdirSync } from 'fs';
 import { join, resolve, dirname } from 'path';
 import { promisify } from 'util';
@@ -7,8 +20,11 @@ import { DuckDBConnector } from '../connectors/duckdb.js';
 import { BigQueryConnector } from '../connectors/bigquery.js';
 import { SnowflakeConnector } from '../connectors/snowflake.js';
 import { ConfigurationError, ConnectionError, ErrorHandler } from '../errors/index.js';
+// Import validators if needed for future CLI validation
+// import { validateTableName } from '../validators/index.js';
 const readFileAsync = promisify(readFile);
 const writeFileAsync = promisify(writeFile);
+// Security: Define allowed configuration file paths to prevent path traversal
 const ALLOWED_CONFIG_DIRS = [
     process.cwd(),
     join(process.cwd(), '.freshguard'),
@@ -23,6 +39,7 @@ async function main() {
             printHelp();
             process.exit(0);
         }
+        // Security: Validate command to prevent injection
         if (!isValidCommand(command)) {
             console.error(`❌ Invalid command: ${command}`);
             process.exit(1);
@@ -55,21 +72,30 @@ async function main() {
         }
     }
     catch (error) {
+        // Security: Use error sanitization to prevent information disclosure
         const userMessage = ErrorHandler.getUserMessage(error);
         console.error(`❌ Error: ${userMessage}`);
+        // Only show stack trace in development mode
         if (process.env.NODE_ENV === 'development' && error instanceof Error) {
             console.error('Stack trace:', error.stack);
         }
         process.exit(1);
     }
 }
+/**
+ * Security: Validate command to prevent injection attacks
+ */
 function isValidCommand(cmd) {
     const validCommands = ['init', 'test', 'run', 'version', '-v', '--version', 'help', '-h', '--help'];
     return validCommands.includes(cmd) && /^[a-zA-Z-]+$/.test(cmd);
 }
+/**
+ * Security: Validate file path to prevent directory traversal
+ */
 function validateConfigPath(filePath) {
     try {
         const resolvedPath = resolve(filePath);
+        // Check if path is within allowed directories
         const isAllowed = ALLOWED_CONFIG_DIRS.some(allowedDir => {
             const resolvedAllowedDir = resolve(allowedDir);
             return resolvedPath.startsWith(resolvedAllowedDir);
@@ -83,8 +109,12 @@ function validateConfigPath(filePath) {
         throw new ConfigurationError('Invalid configuration file path');
     }
 }
+/**
+ * Initialize FreshGuard configuration with secure credential handling
+ */
 async function handleInit() {
     console.log('🚀 FreshGuard Init\n');
+    // Security: Get database URL from environment or prompt securely
     const dbUrl = process.env.FRESHGUARD_DATABASE_URL;
     let dbType = 'postgres';
     if (!dbUrl) {
@@ -92,6 +122,7 @@ async function handleInit() {
         console.log('Please set your database connection string as an environment variable:');
         console.log('');
         console.log('For PostgreSQL:');
+        // eslint-disable-next-line no-secrets/no-secrets
         console.log('  export FRESHGUARD_DATABASE_URL="postgresql://user:password@localhost:5432/database?sslmode=require"');
         console.log('');
         console.log('For DuckDB:');
@@ -100,16 +131,21 @@ async function handleInit() {
         console.log('Then run: freshguard init');
         return;
     }
+    // Security: Parse URL safely without exposing credentials in logs
     try {
         const config = parseSecureConnectionString(dbUrl);
         dbType = config.type;
         console.log('✅ Database URL detected');
         console.log(`📊 Database type: ${dbType}`);
         console.log(`🔒 SSL required: ${config.ssl ? 'Yes' : 'No'}`);
+        // Create configuration directory if it doesn't exist
         const configDir = dirname(validateConfigPath(DEFAULT_CONFIG_FILE));
+        // eslint-disable-next-line security/detect-non-literal-fs-filename
         if (!existsSync(configDir)) {
+            // eslint-disable-next-line security/detect-non-literal-fs-filename
             mkdirSync(configDir, { recursive: true });
         }
+        // Create initial configuration
         const initialConfig = {
             connections: {
                 default: {
@@ -133,6 +169,9 @@ async function handleInit() {
         throw new ConfigurationError('Failed to parse database connection string. Please check the format.');
     }
 }
+/**
+ * Test database connection with security validation
+ */
 async function handleTest() {
     console.log('🔍 Testing database connection...\n');
     const config = await loadConfig();
@@ -143,11 +182,14 @@ async function handleTest() {
     const connConfig = config.connections[connectionName];
     let connector;
     try {
+        // Create connector with security validation
         connector = createSecureConnector(connConfig.type, connConfig);
         console.log(`📊 Testing ${connConfig.type} connection...`);
+        // Test connection with timeout
         const testResult = await connector.testConnection();
         if (testResult) {
             console.log('✅ Connection successful!');
+            // Test basic operations
             try {
                 const tables = await connector.listTables();
                 console.log(`📋 Found ${tables.length} tables`);
@@ -165,6 +207,7 @@ async function handleTest() {
         }
     }
     catch (error) {
+        // Security: Don't expose detailed connection errors
         console.log('❌ Connection failed');
         if (process.env.NODE_ENV === 'development') {
             console.log('Debug info:', ErrorHandler.getUserMessage(error));
@@ -175,6 +218,9 @@ async function handleTest() {
         process.exit(1);
     }
 }
+/**
+ * Run monitoring scheduler with secure operations
+ */
 async function handleRun() {
     console.log('⏱️  Starting FreshGuard monitoring scheduler...\n');
     const config = await loadConfig();
@@ -188,6 +234,7 @@ async function handleRun() {
     const connector = createSecureConnector(connConfig.type, connConfig);
     console.log(`📊 Using ${connConfig.type} connection`);
     console.log(`🔒 Security mode: ${config.securityMode ?? 'strict'}`);
+    // Verify connection before starting
     const isConnected = await connector.testConnection();
     if (!isConnected) {
         throw new ConnectionError('Cannot connect to database');
@@ -201,26 +248,36 @@ async function handleRun() {
     console.log('   - Setting up alerting');
     console.log('');
     console.log('Press Ctrl+C to stop...');
+    // Simple monitoring loop (production would use proper scheduler)
     process.on('SIGINT', () => {
         console.log('\n🛑 Shutting down gracefully...');
         process.exit(0);
     });
+    // Basic monitoring loop - this would be more sophisticated in production
     while (true) {
         try {
             console.log('🔍 Running health checks...');
+            // This is where real monitoring logic would go
+            // For now, just test the connection periodically
             await connector.testConnection();
             console.log('✅ Health check completed');
+            // Wait 1 minute between checks
             await new Promise(resolve => setTimeout(resolve, 60000));
         }
         catch (error) {
             console.error('❌ Monitoring check failed:', ErrorHandler.getUserMessage(error));
+            // Continue monitoring even if one check fails
             await new Promise(resolve => setTimeout(resolve, 60000));
         }
     }
 }
+/**
+ * Parse connection string securely without exposing credentials
+ */
 function parseSecureConnectionString(connectionString) {
     try {
         const url = new URL(connectionString);
+        // Determine database type from protocol
         let type;
         switch (url.protocol) {
             case 'postgresql:':
@@ -239,11 +296,12 @@ function parseSecureConnectionString(connectionString) {
             default:
                 throw new ConfigurationError(`Unsupported database protocol: ${url.protocol}`);
         }
+        // Security: Extract credentials from environment variables instead of URL when possible
         const config = {
             type,
             host: url.hostname ?? 'localhost',
             port: url.port ? parseInt(url.port, 10) : getDefaultPort(type),
-            database: url.pathname.slice(1) ?? '',
+            database: url.pathname.slice(1) ?? '', // Remove leading slash
             username: url.username ?? process.env.FRESHGUARD_DB_USER ?? '',
             password: url.password ?? process.env.FRESHGUARD_DB_PASSWORD ?? '',
             ssl: url.searchParams.get('sslmode') !== 'disable' && url.searchParams.get('ssl') !== 'false',
@@ -254,6 +312,9 @@ function parseSecureConnectionString(connectionString) {
         throw new ConfigurationError('Invalid database connection string format');
     }
 }
+/**
+ * Get default port for database type
+ */
 function getDefaultPort(type) {
     switch (type) {
         case 'postgres': return 5432;
@@ -263,6 +324,9 @@ function getDefaultPort(type) {
         default: return 0;
     }
 }
+/**
+ * Create secure database connector
+ */
 function createSecureConnector(type, config) {
     switch (type) {
         case 'postgres':
@@ -277,14 +341,19 @@ function createSecureConnector(type, config) {
             throw new ConfigurationError(`Unsupported connector type: ${type}`);
     }
 }
+/**
+ * Load configuration from secure file path
+ */
 async function loadConfig() {
     try {
         const configPath = validateConfigPath(DEFAULT_CONFIG_FILE);
+        // eslint-disable-next-line security/detect-non-literal-fs-filename
         if (!existsSync(configPath)) {
             throw new ConfigurationError('Configuration file not found. Run: freshguard init');
         }
         const configData = await readFileAsync(configPath, 'utf8');
         const config = JSON.parse(configData);
+        // Validate configuration structure
         if (!config.connections || Object.keys(config.connections).length === 0) {
             throw new ConfigurationError('No connections configured');
         }
@@ -297,6 +366,9 @@ async function loadConfig() {
         throw new ConfigurationError('Failed to load configuration file');
     }
 }
+/**
+ * Get command line flag value
+ */
 function getFlag(flag) {
     const flagIndex = args.indexOf(flag);
     if (flagIndex !== -1 && flagIndex + 1 < args.length) {
@@ -319,6 +391,7 @@ function printHelp() {
     console.log('');
     console.log('Examples:');
     console.log('  # Set database URL and initialize');
+    // eslint-disable-next-line no-secrets/no-secrets
     console.log('  export FRESHGUARD_DATABASE_URL="postgresql://user:pass@localhost:5432/db"');
     console.log('  freshguard init');
     console.log('');