@gobing-ai/ts-rule-engine 0.2.8 → 0.2.9

package/src/evaluators/regex-evaluator.ts

@@ -5,10 +5,20 @@ import {
     type RuleEvaluationResult,
     type RuleEvaluator,
 } from '../types';
-import { discoverFiles, readWorkdirFile } from './file-utils';
+import { parseInlineFlags, scanFiles } from './file-utils';
 
-/** Evaluates whether source files match or avoid a regex pattern. */
+/**
+ * Evaluates whether source files match or avoid a regex pattern.
+ *
+ * Trust assumption: rule config is trusted input. The `pattern` is compiled with
+ * `new RegExp` and run per line without a backtracking bound, so a
+ * catastrophic-backtracking pattern is the rule author's responsibility. Runtime
+ * ReDoS hardening is deferred until rule packs are distributed across a wider trust
+ * boundary (see task 0003).
+ */
 export class RegexEvaluator implements RuleEvaluator {
+    // Explicit constructor: V8 function coverage counts only declared functions, so
+    // this method-light class needs it to clear the coverage-gate function threshold.
     constructor() {}
 
     /** Evaluate regex-based presence or absence constraints. */
@@ -21,11 +31,15 @@ export class RegexEvaluator implements RuleEvaluator {
         );
         const mode = stringConfig(config, 'mode', 'forbid');
         const regex = new RegExp(pattern, flags);
-        const files = await discoverFiles({ workdir: context.workdir, include: rule.include, exclude: rule.exclude });
+        const files = await scanFiles({
+            workdir: context.workdir,
+            include: rule.include,
+            exclude: rule.exclude,
+            matchMode: 'loose',
+        });
         const findings = [];
 
-        for (const file of files) {
-            const content = await readWorkdirFile(context.workdir, file);
+        for (const { file, content } of files) {
             if (mode === 'require') {
                 regex.lastIndex = 0;
                 if (!regex.test(content)) {
@@ -35,6 +49,19 @@ export class RegexEvaluator implements RuleEvaluator {
                 }
                 continue;
             }
+            if (config.multiline === true) {
+                const globalRegex = new RegExp(pattern, flags.includes('g') ? flags : `${flags}g`);
+                for (const match of content.matchAll(globalRegex)) {
+                    if (match.index === undefined) continue;
+                    findings.push(
+                        createFinding(rule, `forbidden pattern found: ${pattern}`, file, {
+                            line: lineForOffset(content, match.index),
+                            code: 'regex:found',
+                        }),
+                    );
+                }
+                continue;
+            }
             // forbid: report each matching line so findings carry precise locations.
             for (const [index, line] of content.split('\n').entries()) {
                 regex.lastIndex = 0;
@@ -70,14 +97,8 @@ function normalizePattern(
     for (const flag of rawFlags) {
         if ('gimsuy'.includes(flag)) flagSet.add(flag);
     }
-    let pattern = rawPattern;
-    const inline = /^\(\?([a-z]+)\)/.exec(pattern);
-    if (inline) {
-        for (const flag of inline[1] ?? '') {
-            if ('imsu'.includes(flag)) flagSet.add(flag);
-        }
-        pattern = pattern.slice(inline[0].length);
-    }
+    const { flags: inlineFlags, rest: pattern } = parseInlineFlags(rawPattern);
+    for (const flag of inlineFlags) flagSet.add(flag);
     if (multiline) flagSet.add('s');
     return { pattern, flags: [...flagSet].join('') };
 }
@@ -88,3 +109,12 @@ function stringConfig(config: Record<string, unknown>, key: string, fallback?: s
     if (fallback !== undefined) return fallback;
     throw new Error(`regex evaluator requires string config "${key}"`);
 }
+
+/** Return the one-based line containing a string offset. */
+function lineForOffset(content: string, offset: number): number {
+    let line = 1;
+    for (let index = 0; index < offset; index += 1) {
+        if (content.charCodeAt(index) === 10) line += 1;
+    }
+    return line;
+}

package/src/evaluators/secrets-scanner-evaluator.ts

@@ -5,7 +5,7 @@ import {
     type RuleEvaluationResult,
     type RuleEvaluator,
 } from '../types';
-import { discoverFiles, readWorkdirFile } from './file-utils';
+import { parseInlineFlags, scanFiles, stringArray } from './file-utils';
 
 /** Built-in secret category names. */
 export type SecretsCategory = 'api-key' | 'private-key' | 'password' | 'token' | 'connection-string';
@@ -43,8 +43,15 @@ interface ScanPattern {
  * - `customPatterns`: extra `{ name, pattern }` entries to scan for.
  * - `scope`: `{ include, exclude }` globs; falls back to the rule's `include` /
  *   `exclude` when omitted.
+ *
+ * Trust assumption: rule config (including `customPatterns`) is trusted input.
+ * Patterns are compiled with `new RegExp` and run per line without a backtracking
+ * bound, so a catastrophic-backtracking custom pattern is the rule author's
+ * responsibility. Runtime ReDoS hardening is deferred (see task 0003).
  */
 export class SecretsScannerEvaluator implements RuleEvaluator {
+    // Explicit constructor: V8 function coverage counts only declared functions, so
+    // this method-light class needs it to clear the coverage-gate function threshold.
     constructor() {}
 
     /** Evaluate files against the selected secret categories and custom patterns. */
@@ -54,11 +61,11 @@ export class SecretsScannerEvaluator implements RuleEvaluator {
         const scope = config.scope as { include?: unknown; exclude?: unknown } | undefined;
         const include = stringArray(scope?.include) ?? rule.include;
         const exclude = stringArray(scope?.exclude) ?? rule.exclude;
-        const files = await discoverFiles({ workdir: context.workdir, include, exclude });
+        const files = await scanFiles({ workdir: context.workdir, include, exclude, matchMode: 'loose' });
 
         const findings = [];
-        for (const file of files) {
-            const lines = (await readWorkdirFile(context.workdir, file)).split('\n');
+        for (const { file, content } of files) {
+            const lines = content.split('\n');
             for (const [index, line] of lines.entries()) {
                 for (const pattern of patterns) {
                     pattern.regex.lastIndex = 0;
@@ -99,14 +106,6 @@ function buildPatterns(config: Record<string, unknown>): ScanPattern[] {
 
 /** Compile a pattern, folding a leading `(?i)` group into the JS `i` flag. */
 function compile(source: string): RegExp {
-    const inline = /^\(\?([a-z]+)\)/.exec(source);
-    if (inline) {
-        const flags = [...(inline[1] ?? '')].filter((flag) => 'imsu'.includes(flag)).join('');
-        return new RegExp(source.slice(inline[0].length), flags);
-    }
-    return new RegExp(source);
-}
-
-function stringArray(value: unknown): string[] | undefined {
-    return Array.isArray(value) && value.every((item) => typeof item === 'string') ? (value as string[]) : undefined;
+    const { flags, rest } = parseInlineFlags(source);
+    return new RegExp(rest, flags);
 }

package/src/evaluators/tsdoc-export-evaluator.ts

@@ -5,7 +5,7 @@ import {
     type RuleEvaluationResult,
     type RuleEvaluator,
 } from '../types';
-import { discoverFiles, matchesGlob, readWorkdirFile } from './file-utils';
+import { scanFiles } from './file-utils';
 
 /** Export kinds this evaluator can check for a preceding JSDoc block. */
 const VALID_KINDS = ['function', 'class', 'type', 'const', 'enum', 'interface'] as const;
@@ -37,9 +37,10 @@ const KIND_PATTERN: Record<ExportKind, RegExp> = {
  * and `rule.exclude` scope the files using full `**` globs.
  */
 export class TsdocExportEvaluator implements RuleEvaluator {
-    constructor() {
-        // V8 function coverage requires explicit constructor
-    }
+    // Explicit constructor: V8 function coverage counts only declared functions, so
+    // this method-light class needs it to clear the coverage-gate function threshold.
+    constructor() {}
+
     /** Evaluate exports under the configured kinds for a preceding JSDoc block. */
     async evaluate(rule: ConstraintRule, context: RuleContext): Promise<RuleEvaluationResult> {
         const kinds = (rule.evaluator.config?.kinds as string[] | undefined) ?? [...VALID_KINDS];
@@ -51,13 +52,13 @@ export class TsdocExportEvaluator implements RuleEvaluator {
         const requested = new Set(kinds as ExportKind[]);
         const include = rule.include ?? ['**/*.ts', '**/*.tsx'];
         const exclude = rule.exclude ?? [];
-        const files = await discoverFiles({ workdir: context.workdir, include: ['.ts', '.tsx'] });
+        // Single, strict glob scoping — collapses the previous double-scoping (loose
+        // discoverFiles prefilter + per-file matchesGlob) into one pass.
+        const files = await scanFiles({ workdir: context.workdir, include, exclude, matchMode: 'glob' });
 
         const findings = [];
-        for (const file of files) {
-            if (!include.some((pattern) => matchesGlob(file, pattern))) continue;
-            if (exclude.some((pattern) => matchesGlob(file, pattern))) continue;
-            const lines = (await readWorkdirFile(context.workdir, file)).split('\n');
+        for (const { file, content } of files) {
+            const lines = content.split('\n');
             for (const site of findExports(lines, requested)) {
                 if (!precededByJsdoc(lines, site.line)) {
                     findings.push(

package/src/formatters/json.ts

@@ -2,6 +2,8 @@ import type { ResultFormatter, RuleEngineResult } from '../types';
 
 /** JSON formatter for rule-engine results. */
 export class JsonFormatter implements ResultFormatter {
+    // Explicit constructor: V8 function coverage counts only declared functions, so
+    // a method-light class needs it to clear the coverage-gate function threshold.
     constructor() {}
 
     /** Format the full result as pretty JSON. */

package/src/formatters/text.ts

@@ -2,6 +2,8 @@ import type { ResultFormatter, RuleEngineResult } from '../types';
 
 /** Text formatter for human CLI output. */
 export class TextFormatter implements ResultFormatter {
+    // Explicit constructor: V8 function coverage counts only declared functions, so
+    // a method-light class needs it to clear the coverage-gate function threshold.
     constructor() {}
 
     /** Format findings as concise path-prefixed lines. */

package/src/resolvers/test-path-resolver.ts

@@ -36,6 +36,8 @@ export class TypeScriptTestPathResolver implements TestPathResolver {
     /** Registry key. */
     readonly name = 'typescript';
 
+    // Explicit constructor: V8 function coverage counts only declared functions, so
+    // a single-method class needs it to clear the coverage-gate function threshold.
     constructor() {}
 
     /** Map a TS/JS source path to its `tests/…test.ts` counterpart. */
@@ -60,6 +62,7 @@ export class PythonTestPathResolver implements TestPathResolver {
     /** Registry key. */
     readonly name = 'python';
 
+    // Explicit constructor: see TypeScriptTestPathResolver — V8 function-coverage gate.
     constructor() {}
 
     /** Map a Python source path to its `tests/…/test_*.py` counterpart. */
@@ -88,6 +91,7 @@ export class GoTestPathResolver implements TestPathResolver {
     /** Registry key. */
     readonly name = 'go';
 
+    // Explicit constructor: see TypeScriptTestPathResolver — V8 function-coverage gate.
     constructor() {}
 
     /** Map a Go source path to its sibling `_test.go` file. */
@@ -107,6 +111,7 @@ export class RustTestPathResolver implements TestPathResolver {
     /** Registry key. */
     readonly name = 'rust';
 
+    // Explicit constructor: see TypeScriptTestPathResolver — V8 function-coverage gate.
     constructor() {}
 
     /** Map a Rust source path to its `tests/` integration-test counterpart. */

package/src/types.ts

@@ -56,6 +56,8 @@ export interface ConstraintRuleFile {
     severity?: RuleSeverity;
     /** Rule definitions. */
     rules: ConstraintRule[];
+    /** Custom capability modules contributed by this rule file (opt-in to load). */
+    extensions?: PresetExtensions;
 }
 
 /** Relative module paths a preset contributes per capability kind. */
@@ -198,7 +200,10 @@ export const ConstraintRuleSchema = z.object({
     id: z.string().min(1),
     description: z.string().default(''),
     enabled: z.boolean().default(true),
-    severity: z.enum(['error', 'warning', 'info']).default('error'),
+    // Severity is intentionally NOT defaulted here: an omitted rule severity must
+    // stay absent at parse time so the loader can apply the file-level default
+    // (`rule.severity ?? file.severity ?? 'error'`). Normalization always fills it.
+    severity: z.enum(['error', 'warning', 'info']).optional(),
     evaluator: z.object({
         type: z.string().min(1),
         config: z.record(z.string(), z.unknown()).optional(),
@@ -208,6 +213,37 @@ export const ConstraintRuleSchema = z.object({
     fix: RuleFixConfigSchema.optional(),
 });
 
+/**
+ * A relative module path a preset or rule file may load as an extension.
+ *
+ * Rejects absolute paths and `..` traversal: extension declarations are data, and a
+ * path that escapes the declaring file's directory is a trust-boundary violation even
+ * when extension loading is explicitly allowed.
+ */
+const relativeExtensionPath = z
+    .string()
+    .min(1)
+    .refine((value) => !/^([/\\]|[A-Za-z]:[/\\])/.test(value), {
+        message: 'extension path must be relative (no absolute paths)',
+    })
+    .refine((value) => !value.split(/[/\\]/).includes('..'), {
+        message: 'extension path must not contain ".." traversal',
+    });
+
+/**
+ * Shared zod schema for an `extensions` block, used by both preset and rule-file
+ * schemas so they validate identically. `.strict()` makes a typo'd or misplaced key
+ * a hard error rather than a silently-ignored field.
+ */
+export const ExtensionsSchema = z
+    .object({
+        resolvers: z.array(relativeExtensionPath).optional(),
+        evaluators: z.array(relativeExtensionPath).optional(),
+        fixers: z.array(relativeExtensionPath).optional(),
+        formatters: z.array(relativeExtensionPath).optional(),
+    })
+    .strict();
+
 /** Zod schema for a constraint rule file. */
 export const ConstraintRuleFileSchema = z.object({
     $schema: z.string().optional(),
@@ -215,6 +251,7 @@ export const ConstraintRuleFileSchema = z.object({
     exclude: z.array(z.string()).optional(),
     severity: z.enum(['error', 'warning', 'info']).optional(),
     rules: z.array(ConstraintRuleSchema),
+    extensions: ExtensionsSchema.optional(),
 });
 
 /** Zod schema for a preset definition. */
@@ -226,12 +263,5 @@ export const PresetDefinitionSchema = z.object({
     overrides: z
         .record(z.string(), z.object({ fix: z.object({ mode: z.enum(['none', 'suggest', 'auto']) }).optional() }))
         .optional(),
-    extensions: z
-        .object({
-            resolvers: z.array(z.string()).optional(),
-            evaluators: z.array(z.string()).optional(),
-            fixers: z.array(z.string()).optional(),
-            formatters: z.array(z.string()).optional(),
-        })
-        .optional(),
+    extensions: ExtensionsSchema.optional(),
 });