@gobing-ai/ts-rule-engine 0.2.6 → 0.2.7

package/src/evaluators/exit-code-evaluator.ts

@@ -11,27 +11,45 @@ import {
 export class ExitCodeEvaluator implements RuleEvaluator {
     constructor(private readonly executor: ProcessExecutor = new NodeProcessExecutor()) {}
 
-    /** Run configured command and emit a finding on non-zero exit. */
+    /** Run configured command and emit a finding unless the exit code matches `successCode`. */
     async evaluate(rule: ConstraintRule, context: RuleContext): Promise<RuleEvaluationResult> {
         const config = rule.evaluator.config ?? {};
         const command = stringConfig(config, 'command');
         const args = arrayConfig(config, 'args', []);
-        const result = await this.executor.run({ command, args, cwd: context.workdir, rejectOnError: false });
-        if (result.exitCode === 0) return { findings: [], fixes: [] };
+        const successCode = numberConfig(config, 'successCode', 0);
+        const timeout = numberConfig(config, 'timeout', 60_000);
+        const result = await this.executor.run({
+            command,
+            args,
+            cwd: context.workdir,
+            timeout,
+            rejectOnError: false,
+            label: 'exit-code',
+        });
+        if (result.exitCode === successCode) return { findings: [], fixes: [] };
+
+        const template = stringConfig(
+            config,
+            'message',
+            `Command failed (exit {code}): ${command} ${args.join(' ')}`.trim(),
+        );
+        const message = template.replaceAll('{code}', String(result.exitCode));
         return {
-            findings: [
-                createFinding(rule, `Command failed: ${command} ${args.join(' ')}`.trim(), null, {
-                    code: 'exit-code:failed',
-                }),
-            ],
+            findings: [createFinding(rule, message, null, { code: 'exit-code:failed' })],
             fixes: [],
         };
     }
 }
 
-function stringConfig(config: Record<string, unknown>, key: string): string {
+function numberConfig(config: Record<string, unknown>, key: string, fallback: number): number {
+    const value = config[key];
+    return typeof value === 'number' && Number.isFinite(value) ? value : fallback;
+}
+
+function stringConfig(config: Record<string, unknown>, key: string, fallback?: string): string {
     const value = config[key];
     if (typeof value === 'string') return value;
+    if (fallback !== undefined) return fallback;
     throw new Error(`exit-code evaluator requires string config "${key}"`);
 }
 

package/src/evaluators/forbidden-import-evaluator.ts

@@ -5,15 +5,45 @@ import {
     type RuleEvaluationResult,
     type RuleEvaluator,
 } from '../types';
-import { discoverFiles, readWorkdirFile } from './file-utils';
+import { discoverFiles, matchesGlob, readWorkdirFile } from './file-utils';
 
-/** Detects imports matching forbidden package or path prefixes. */
-export class ForbiddenImportEvaluator implements RuleEvaluator {
-    constructor() {}
+/** A forbidden entry: either an exact import specifier or a raw source pattern. */
+type ForbiddenEntry =
+    | { specifier: string; includeRequire?: boolean }
+    | { pattern: string; matchMode?: 'import' | 'usage' };
+
+/** Compiled scan entry derived from config. */
+interface ScanEntry {
+    regex: RegExp;
+    label: string;
+}
 
-    /** Evaluate import declarations against configured forbidden prefixes. */
+/**
+ * Detects forbidden imports / API usage.
+ *
+ * Two config shapes are supported:
+ * - Simple: `{ patterns: string[] }` — substring match against any import specifier,
+ *   scoped by the rule's own `include` / `exclude`.
+ * - Structured: `{ forbidden: [...], scope: { include, exclude } }` — each forbidden
+ *   entry is an exact `specifier` (also matching require/dynamic forms unless
+ *   `includeRequire:false`) or a raw `pattern`, scoped by `scope.include` /
+ *   `scope.exclude` globs.
+ */
+export class ForbiddenImportEvaluator implements RuleEvaluator {
+    /** Evaluate import/usage against the configured forbidden set. */
     async evaluate(rule: ConstraintRule, context: RuleContext): Promise<RuleEvaluationResult> {
         const config = rule.evaluator.config ?? {};
+        return Array.isArray(config.forbidden)
+            ? this.evaluateStructured(rule, context, config)
+            : this.evaluateSimple(rule, context, config);
+    }
+
+    /** Legacy path: `{ patterns: string[] }`, substring-matched against import specifiers. */
+    private async evaluateSimple(
+        rule: ConstraintRule,
+        context: RuleContext,
+        config: Record<string, unknown>,
+    ): Promise<RuleEvaluationResult> {
         const forbidden = arrayConfig(config, 'patterns');
         const files = await discoverFiles({
             workdir: context.workdir,
@@ -24,8 +54,7 @@ export class ForbiddenImportEvaluator implements RuleEvaluator {
         for (const file of files) {
             const lines = (await readWorkdirFile(context.workdir, file)).split('\n');
             for (const [index, line] of lines.entries()) {
-                const imported = /(?:from\s+|import\s*\(|^\s*import\s*)['"](?<specifier>[^'"]+)['"]/.exec(line)?.groups
-                    ?.specifier;
+                const imported = importSpecifier(line);
                 if (imported === undefined) continue;
                 const matched = forbidden.find((pattern) => imported.includes(pattern));
                 if (matched !== undefined) {
@@ -40,6 +69,67 @@ export class ForbiddenImportEvaluator implements RuleEvaluator {
         }
         return { findings, fixes: [] };
     }
+
+    /** Structured path: `{ forbidden: [...], scope: { include, exclude } }`. */
+    private async evaluateStructured(
+        rule: ConstraintRule,
+        context: RuleContext,
+        config: Record<string, unknown>,
+    ): Promise<RuleEvaluationResult> {
+        const scope = config.scope as { include?: unknown; exclude?: unknown } | undefined;
+        const include = stringArray(scope?.include);
+        if (include === undefined) {
+            throw new Error('forbidden-import evaluator requires string[] config "scope.include"');
+        }
+        const exclude = stringArray(scope?.exclude) ?? [];
+        const entries = (config.forbidden as ForbiddenEntry[]).map(compileEntry);
+
+        // Discover all source files, then apply scope globs precisely (discoverFiles'
+        // include matching is intentionally loose, so it cannot do `**`-anchored scoping).
+        const files = (await discoverFiles({ workdir: context.workdir }))
+            .filter((file) => include.some((glob) => matchesGlob(file, glob)))
+            .filter((file) => !exclude.some((glob) => matchesGlob(file, glob)));
+
+        const findings = [];
+        for (const file of files) {
+            const lines = (await readWorkdirFile(context.workdir, file)).split('\n');
+            for (const [index, line] of lines.entries()) {
+                const hit = entries.find((entry) => entry.regex.test(line));
+                if (hit !== undefined) {
+                    findings.push(
+                        createFinding(rule, `Forbidden import/usage of "${hit.label}"`, file, {
+                            line: index + 1,
+                            code: 'import:forbidden',
+                        }),
+                    );
+                }
+            }
+        }
+        return { findings, fixes: [] };
+    }
+}
+
+/** Extract the specifier from an import/require/dynamic-import line, if any. */
+function importSpecifier(line: string): string | undefined {
+    return /(?:from\s+|import\s*\(|^\s*import\s*)['"](?<specifier>[^'"]+)['"]/.exec(line)?.groups?.specifier;
+}
+
+/** Compile a forbidden entry into a line-matching regex. */
+function compileEntry(entry: ForbiddenEntry): ScanEntry {
+    if ('specifier' in entry) {
+        const spec = escapeRegExp(entry.specifier);
+        const boundary = `(?:/|['"])`;
+        const source =
+            entry.includeRequire === false
+                ? `from\\s+['"]${spec}${boundary}`
+                : `(?:from\\s+|require\\(\\s*|import\\(\\s*)['"]${spec}${boundary}`;
+        return { regex: new RegExp(source), label: entry.specifier };
+    }
+    return { regex: new RegExp(entry.pattern), label: entry.pattern };
+}
+
+function escapeRegExp(value: string): string {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 }
 
 function arrayConfig(config: Record<string, unknown>, key: string): string[] {
@@ -48,3 +138,7 @@ function arrayConfig(config: Record<string, unknown>, key: string): string[] {
     if (typeof value === 'string') return [value];
     throw new Error(`forbidden-import evaluator requires string[] config "${key}"`);
 }
+
+function stringArray(value: unknown): string[] | undefined {
+    return Array.isArray(value) && value.every((item) => typeof item === 'string') ? (value as string[]) : undefined;
+}

package/src/evaluators/import-boundary-evaluator.ts

@@ -0,0 +1,135 @@
+import {
+    type ConstraintRule,
+    createFinding,
+    type RuleContext,
+    type RuleEvaluationResult,
+    type RuleEvaluator,
+} from '../types';
+import { discoverFiles, matchesGlob, readWorkdirFile } from './file-utils';
+
+/**
+ * A forbidden entry within a boundary declaration.
+ *
+ * - String form: substring match against any import/export/require/dynamic-import specifier.
+ * - Object form: regex `pattern` matched against the full line (mode `usage`) or import lines
+ *   only (mode `import`).
+ */
+type ForbiddenEntry =
+    | string
+    | {
+          /** Regex pattern to match against lines. */
+          pattern: string;
+          /** `import` = restrict to import/export/require lines; `usage` = any line. Default: `import`. */
+          mode?: 'import' | 'usage';
+          /** Explicit syntax hint (informational, not enforced differently from `mode`). */
+          syntax?: string;
+      };
+
+/** A compiled boundary ready for file scanning. */
+interface CompiledBoundary {
+    scope: string;
+    excludePatterns: string[];
+    forbidden: Array<{ regex: RegExp; label: string; importOnly: boolean }>;
+}
+
+/**
+ * Enforces architectural import boundaries without spawning a subprocess.
+ *
+ * Files matching a boundary's `scope` glob are scanned in-memory. Each forbidden
+ * entry is either a string (matched as an import-specifier substring) or an object
+ * with a `pattern` regex and an optional `mode` (`import` | `usage`).
+ *
+ * ## Options (in `evaluator.config`)
+ * - `boundaries` — non-empty array of boundary declarations:
+ *   - `scope` — glob pattern selecting files this boundary applies to.
+ *   - `forbidden` — array of strings or `{ pattern, mode?, syntax? }` objects.
+ *   - `exclude` — optional globs within the scope to ignore.
+ */
+export class ImportBoundaryEvaluator implements RuleEvaluator {
+    /** Evaluate import boundaries across all in-scope files. */
+    async evaluate(rule: ConstraintRule, context: RuleContext): Promise<RuleEvaluationResult> {
+        const config = rule.evaluator.config ?? {};
+        const boundaries = config.boundaries;
+        if (!Array.isArray(boundaries) || boundaries.length === 0) {
+            throw new Error('import-boundary evaluator requires non-empty array config "boundaries"');
+        }
+
+        const compiled = (boundaries as unknown as BoundaryDecl[]).map((b) => compileBoundary(b));
+
+        // Discover all files once; filter per boundary below.
+        const allFiles = await discoverFiles({ workdir: context.workdir });
+
+        const findings = [];
+        for (const boundary of compiled) {
+            const inScope = allFiles
+                .filter((file) => matchesGlob(file, boundary.scope))
+                .filter((file) => !boundary.excludePatterns.some((ex) => matchesGlob(file, ex)));
+
+            for (const file of inScope) {
+                const content = await readWorkdirFile(context.workdir, file);
+                const lines = content.split('\n');
+                for (const [index, line] of lines.entries()) {
+                    for (const entry of boundary.forbidden) {
+                        if (entry.importOnly && !isImportLine(line)) continue;
+                        if (entry.regex.test(line)) {
+                            findings.push(
+                                createFinding(rule, `forbidden in boundary "${boundary.scope}": ${entry.label}`, file, {
+                                    line: index + 1,
+                                    code: 'import-boundary:violation',
+                                }),
+                            );
+                        }
+                    }
+                }
+            }
+        }
+
+        return { findings, fixes: [] };
+    }
+}
+
+/** Raw shape of one boundary declaration from the config. */
+interface BoundaryDecl {
+    scope: string;
+    forbidden: ForbiddenEntry[];
+    exclude?: string[];
+}
+
+/** Compile a raw boundary declaration into a scan-ready form. */
+function compileBoundary(decl: BoundaryDecl): CompiledBoundary {
+    return {
+        scope: decl.scope,
+        excludePatterns: decl.exclude ?? [],
+        forbidden: decl.forbidden.map((entry) => compileEntry(entry)),
+    };
+}
+
+/** Compile one forbidden entry into a regex + metadata. */
+function compileEntry(entry: ForbiddenEntry): { regex: RegExp; label: string; importOnly: boolean } {
+    if (typeof entry === 'string') {
+        // String form: match as an import specifier substring.
+        const escaped = escapeRegExp(entry);
+        return {
+            regex: new RegExp(`(?:from\\s+|require\\(\\s*|import\\(\\s*)['"](?:[^'"]*)?${escaped}(?:[^'"]*)?['"]`),
+            label: entry,
+            importOnly: true,
+        };
+    }
+
+    // Object form with `pattern`.
+    const importOnly = (entry.mode ?? 'import') !== 'usage';
+    return {
+        regex: new RegExp(entry.pattern),
+        label: entry.pattern,
+        importOnly,
+    };
+}
+
+/** Return true when a source line is an import/export/require/dynamic-import statement. */
+function isImportLine(line: string): boolean {
+    return /(?:^\s*import\b|^\s*export\b.*\bfrom\b|(?:from|require|import)\s*\(?\s*['"])/.test(line);
+}
+
+function escapeRegExp(value: string): string {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}

package/src/evaluators/path-evaluator.ts

@@ -7,8 +7,18 @@ import {
     type RuleEvaluationResult,
     type RuleEvaluator,
 } from '../types';
+import { discoverFiles, matchesGlob } from './file-utils';
 
-/** Evaluates file or directory existence constraints. */
+/**
+ * Evaluates file/directory presence constraints.
+ *
+ * Two config shapes are supported:
+ * - Glob form: `{ must: 'present' | 'absent' }` scoped by the rule's `include` /
+ *   `exclude` globs. `present` flags each include glob that matches zero files;
+ *   `absent` flags each in-scope file that exists.
+ * - Explicit form: `{ paths: string[], mode?: 'require' | 'forbid' }` — checks the
+ *   exact paths relative to the workdir (`require` = must exist, `forbid` = must not).
+ */
 export class PathEvaluator implements RuleEvaluator {
     private readonly fs: NodeFileSystem;
 
@@ -16,9 +26,62 @@ export class PathEvaluator implements RuleEvaluator {
         this.fs = new NodeFileSystem();
     }
 
-    /** Evaluate required or forbidden paths. */
+    /** Evaluate required or forbidden paths in either config form. */
     async evaluate(rule: ConstraintRule, context: RuleContext): Promise<RuleEvaluationResult> {
         const config = rule.evaluator.config ?? {};
+        const must = config.must;
+        if (must === 'present' || must === 'absent') {
+            return this.evaluateGlob(rule, context, must);
+        }
+        return this.evaluateExplicit(rule, context, config);
+    }
+
+    /** Glob form driven by `must` + the rule's include/exclude globs. */
+    private async evaluateGlob(
+        rule: ConstraintRule,
+        context: RuleContext,
+        must: 'present' | 'absent',
+    ): Promise<RuleEvaluationResult> {
+        const include = rule.include ?? ['**'];
+        const exclude = rule.exclude ?? [];
+        const files = await discoverFiles({ workdir: context.workdir });
+        const inScope = (file: string) =>
+            include.some((glob) => matchesGlob(file, glob)) && !exclude.some((glob) => matchesGlob(file, glob));
+        const findings = [];
+
+        if (must === 'present') {
+            for (const pattern of include) {
+                const present = files.some(
+                    (file) => matchesGlob(file, pattern) && !exclude.some((g) => matchesGlob(file, g)),
+                );
+                if (!present) {
+                    findings.push(
+                        createFinding(rule, `expected files matching "${pattern}", but none found`, pattern, {
+                            code: 'path:missing',
+                        }),
+                    );
+                }
+            }
+        } else {
+            for (const file of files) {
+                if (inScope(file)) {
+                    findings.push(
+                        createFinding(rule, 'file should be absent (forbidden by rule)', file, {
+                            code: 'path:forbidden',
+                        }),
+                    );
+                }
+            }
+        }
+        return { findings, fixes: [] };
+    }
+
+    /** Explicit form: exact `paths` checked with `mode` require/forbid. */
+    private async evaluateExplicit(
+        rule: ConstraintRule,
+        context: RuleContext,
+        config: Record<string, unknown>,
+    ): Promise<RuleEvaluationResult> {
         const paths = arrayConfig(config, 'paths');
         const mode = stringConfig(config, 'mode', 'require');
         const findings = [];
@@ -39,7 +102,7 @@ function arrayConfig(config: Record<string, unknown>, key: string): string[] {
     const value = config[key];
     if (Array.isArray(value) && value.every((item) => typeof item === 'string')) return value;
     if (typeof value === 'string') return [value];
-    throw new Error(`path evaluator requires string[] config "${key}"`);
+    throw new Error(`path evaluator requires config "${key}" (string[]) or "must" (present|absent)`);
 }
 
 function stringConfig(config: Record<string, unknown>, key: string, fallback: string): string {

package/src/evaluators/regex-evaluator.ts

@@ -14,26 +14,38 @@ export class RegexEvaluator implements RuleEvaluator {
     /** Evaluate regex-based presence or absence constraints. */
     async evaluate(rule: ConstraintRule, context: RuleContext): Promise<RuleEvaluationResult> {
         const config = rule.evaluator.config ?? {};
-        const pattern = stringConfig(config, 'pattern');
+        const { pattern, flags } = normalizePattern(
+            stringConfig(config, 'pattern'),
+            stringConfig(config, 'flags', ''),
+            config.multiline === true,
+        );
         const mode = stringConfig(config, 'mode', 'forbid');
-        const flags = stringConfig(config, 'flags', 'm');
         const regex = new RegExp(pattern, flags);
         const files = await discoverFiles({ workdir: context.workdir, include: rule.include, exclude: rule.exclude });
         const findings = [];
 
         for (const file of files) {
             const content = await readWorkdirFile(context.workdir, file);
-            regex.lastIndex = 0;
-            const match = regex.exec(content);
-            if (mode === 'require' && match === null) {
-                findings.push(
-                    createFinding(rule, `Required pattern not found: ${pattern}`, file, { code: 'regex:missing' }),
-                );
+            if (mode === 'require') {
+                regex.lastIndex = 0;
+                if (!regex.test(content)) {
+                    findings.push(
+                        createFinding(rule, `required pattern not found: ${pattern}`, file, { code: 'regex:missing' }),
+                    );
+                }
+                continue;
             }
-            if (mode !== 'require' && match !== null) {
-                findings.push(
-                    createFinding(rule, `Forbidden pattern found: ${pattern}`, file, { code: 'regex:found' }),
-                );
+            // forbid: report each matching line so findings carry precise locations.
+            for (const [index, line] of content.split('\n').entries()) {
+                regex.lastIndex = 0;
+                if (regex.test(line)) {
+                    findings.push(
+                        createFinding(rule, `forbidden pattern found: ${pattern}`, file, {
+                            line: index + 1,
+                            code: 'regex:found',
+                        }),
+                    );
+                }
             }
         }
 
@@ -41,6 +53,35 @@ export class RegexEvaluator implements RuleEvaluator {
     }
 }
 
+/**
+ * Normalize a pattern + flags for JS `RegExp`.
+ *
+ * Accepts a leading `(?i)`/`(?im)` inline flag group (ripgrep/PCRE style) and
+ * folds it into the JS flags. `multiline` adds the `s` (dotAll) flag so `.`
+ * spans newlines, matching the old `--multiline` behavior. `m` is always set so
+ * `^`/`$` work per line.
+ */
+function normalizePattern(
+    rawPattern: string,
+    rawFlags: string,
+    multiline: boolean,
+): { pattern: string; flags: string } {
+    const flagSet = new Set<string>(['m']);
+    for (const flag of rawFlags) {
+        if ('gimsuy'.includes(flag)) flagSet.add(flag);
+    }
+    let pattern = rawPattern;
+    const inline = /^\(\?([a-z]+)\)/.exec(pattern);
+    if (inline) {
+        for (const flag of inline[1] ?? '') {
+            if ('imsu'.includes(flag)) flagSet.add(flag);
+        }
+        pattern = pattern.slice(inline[0].length);
+    }
+    if (multiline) flagSet.add('s');
+    return { pattern, flags: [...flagSet].join('') };
+}
+
 function stringConfig(config: Record<string, unknown>, key: string, fallback?: string): string {
     const value = config[key];
     if (typeof value === 'string') return value;

package/src/evaluators/schema-artifact-evaluator.ts

@@ -0,0 +1,134 @@
+import { resolve } from 'node:path';
+import { NodeFileSystem } from '@gobing-ai/ts-runtime';
+import {
+    type ConstraintRule,
+    createFinding,
+    type RuleContext,
+    type RuleEvaluationResult,
+    type RuleEvaluator,
+} from '../types';
+
+/**
+ * Evaluates JSON schema artifact files for structural integrity.
+ *
+ * Pure JS — no subprocess. Validates JSON validity, title, required properties,
+ * `$defs` / `definitions` entries, and the presence of a top-level `required` array.
+ *
+ * ## Options (in `evaluator.config`)
+ * - `file` — path to the JSON file relative to the workdir (required).
+ * - `requiredTitle` — expected `title` value (optional).
+ * - `requiredProperties` — top-level `properties` keys that must exist (optional).
+ * - `requiredDefs` — `$defs` or `definitions` keys that must exist (optional).
+ * - `requireRequiredArray` — enforce that `required` is a non-empty array (default: `false`).
+ */
+export class SchemaArtifactEvaluator implements RuleEvaluator {
+    private readonly fs: NodeFileSystem;
+
+    constructor() {
+        this.fs = new NodeFileSystem();
+    }
+
+    /** Evaluate the configured JSON schema artifact. */
+    async evaluate(rule: ConstraintRule, context: RuleContext): Promise<RuleEvaluationResult> {
+        const config = rule.evaluator.config ?? {};
+        const file = config.file;
+        if (typeof file !== 'string' || file.length === 0) {
+            throw new Error('schema-artifact evaluator requires string config "file"');
+        }
+
+        const requiredTitle = typeof config.requiredTitle === 'string' ? config.requiredTitle : undefined;
+        const requiredProperties = stringArray(config.requiredProperties);
+        const requiredDefs = stringArray(config.requiredDefs);
+        const requireRequiredArray = config.requireRequiredArray === true;
+
+        // Check existence.
+        const absolutePath = resolve(context.workdir, file);
+        const exists = await this.fs.exists(absolutePath);
+        if (!exists) {
+            return {
+                findings: [
+                    createFinding(rule, 'schema artifact not found', file, {
+                        code: 'schema-artifact:missing',
+                    }),
+                ],
+                fixes: [],
+            };
+        }
+
+        // Read and parse.
+        let schema: Record<string, unknown>;
+        try {
+            const raw = await this.fs.readFile(absolutePath);
+            schema = JSON.parse(raw) as Record<string, unknown>;
+        } catch (err) {
+            return {
+                findings: [
+                    createFinding(rule, `invalid JSON: ${(err as Error).message}`, file, {
+                        code: 'schema-artifact:invalid',
+                    }),
+                ],
+                fixes: [],
+            };
+        }
+
+        const findings = [];
+
+        // Validate title.
+        if (requiredTitle !== undefined && schema.title !== requiredTitle) {
+            findings.push(
+                createFinding(
+                    rule,
+                    `${file} title expected '${requiredTitle}', got '${(schema.title as string | undefined) ?? '(missing)'}'`,
+                    file,
+                    { code: 'schema-artifact:violation' },
+                ),
+            );
+        }
+
+        // Validate required array.
+        if (requireRequiredArray && !Array.isArray(schema.required)) {
+            findings.push(
+                createFinding(rule, `${file} missing 'required' array at top level`, file, {
+                    code: 'schema-artifact:violation',
+                }),
+            );
+        }
+
+        // Validate properties.
+        if (requiredProperties !== undefined) {
+            const props = schema.properties as Record<string, unknown> | undefined;
+            for (const prop of requiredProperties) {
+                if (!props || !(prop in props)) {
+                    findings.push(
+                        createFinding(rule, `${file} missing properties.${prop}`, file, {
+                            code: 'schema-artifact:violation',
+                        }),
+                    );
+                }
+            }
+        }
+
+        // Validate $defs / definitions.
+        if (requiredDefs !== undefined) {
+            const defs =
+                (schema.$defs as Record<string, unknown> | undefined) ??
+                (schema.definitions as Record<string, unknown> | undefined);
+            for (const def of requiredDefs) {
+                if (!defs || !(def in defs)) {
+                    findings.push(
+                        createFinding(rule, `${file} missing $defs.${def}`, file, {
+                            code: 'schema-artifact:violation',
+                        }),
+                    );
+                }
+            }
+        }
+
+        return { findings, fixes: [] };
+    }
+}
+
+/** Return a string array if value is a string array, otherwise undefined. */
+function stringArray(value: unknown): string[] | undefined {
+    return Array.isArray(value) && value.every((item) => typeof item === 'string') ? (value as string[]) : undefined;
+}