@hatem427/code-guard-ci 3.0.0 → 3.1.0

package/scripts/config-generators/frameworks/hono.ts

@@ -0,0 +1,60 @@
+/**
+ * hono.ts — Hono Backend Guidelines
+ * Generated guidelines for Hono projects.
+ */
+
+export function honoGuidelines(): string {
+  return `## Hono Backend Guidelines
+
+### Philosophy & Architecture
+- Hono is edge-first and runtime-agnostic (Cloudflare Workers, Deno, Bun, Node.js)
+- Keep the app instance lean — compose routes using \`Hono\` sub-apps mounted via \`app.route('/prefix', subApp)\`
+- Organise by feature: each domain has its own file exporting a \`Hono\` instance
+
+### Routing
+- Use typed route handlers with Hono's TypeScript generics — \`app.get<'/users/:id', ...>(...)\`
+- Group related routes into sub-apps: \`const users = new Hono()\` then \`app.route('/users', users)\`
+- Use \`c.req.param()\`, \`c.req.query()\`, \`c.req.json()\` for typed access to request data
+- Return responses via \`c.json(data, status)\` — never use raw \`Response\` objects unless necessary
+
+### Validation
+- Use Zod + \`@hono/zod-validator\` middleware for request validation
+- Apply the validator as a route middleware: \`app.post('/users', zValidator('json', schema), handler)\`
+- Define schemas close to the route — collocate request and response types
+
+### Middleware
+- Create middleware as \`const myMiddleware = createMiddleware(async (c, next) => { ... })\`
+- Apply globally with \`app.use('*', middleware)\` or per-route with \`app.use('/api/*', middleware)\`
+- Use built-in middleware: \`hono/cors\`, \`hono/logger\`, \`hono/etag\`, \`hono/compress\`
+- Pass data between middleware and handlers using \`c.set()\` and \`c.get()\` with typed variables
+
+### Context & Variables
+- Use \`createFactory\` and typed \`Variables\` to safely share request-scoped data between middleware
+- Avoid global mutable state — everything goes through the context \`c\`
+
+### Error Handling
+- Use \`app.onError((err, c) => c.json({ message: err.message }, 500))\` for global error handling
+- Use \`app.notFound(c => c.json({ message: 'Not Found' }, 404))\` for 404s
+- Throw \`HTTPException\` from middleware/handlers for expected errors: \`throw new HTTPException(401, { message: 'Unauthorized' })\`
+
+### Environment & Configuration
+- Access environment variables via \`c.env\` (Cloudflare Workers) or process.env (Node.js/Bun)
+- Use \`@hono/env\` or Zod to validate env vars at startup
+- Never scatter \`process.env\` reads across route files — centralise config access
+
+### Edge Runtime Best Practices
+- Avoid Node.js-specific built-ins (\`fs\`, \`path\`, \`crypto\` — use Web Crypto API instead)
+- Keep responses stateless — no in-memory caches (use KV, D1, Redis)
+- Use streaming responses for large payloads: \`c.stream()\` or \`c.streamText()\`
+
+### Testing
+- Use Hono's \`app.request()\` helper for in-process testing — no server needed
+- Test each sub-app independently by creating isolated instances
+- Validate both success responses and error cases (400, 401, 404, 500)
+
+### Security
+- Always add CORS middleware narrowed to allowed origins
+- Use \`hono/secure-headers\` to add security headers
+- Rate-limit via a Cloudflare WAF rule or \`@hono/rate-limiter\`
+- Validate all user input with Zod before processing`;
+}

package/scripts/config-generators/frameworks/index.ts

@@ -14,4 +14,7 @@ export { vueGuidelines } from './vue';
 export { nuxtGuidelines } from './nuxt';
 export { svelteGuidelines } from './svelte';
 export { nodeGuidelines } from './node';
+export { nestjsGuidelines } from './nestjs';
+export { fastifyGuidelines } from './fastify';
+export { honoGuidelines } from './hono';
 export { generalGuidelines } from './general';

package/scripts/config-generators/frameworks/nestjs.ts

@@ -0,0 +1,80 @@
+/**
+ * nestjs.ts — NestJS Backend Guidelines
+ * Generated guidelines for NestJS projects.
+ */
+
+export function nestjsGuidelines(): string {
+  return `## NestJS Backend Guidelines
+
+### Architecture & Modules
+- Organize code into **feature modules** — each domain (user, auth, product) gets its own module file
+- Use the module boundary to encapsulate: module → controller → service → repository
+- Never import services from another module directly — use that module's exports instead
+- Shared utilities (guards, pipes, interceptors) go in a \`common/\` or \`shared/\` module
+
+### Controllers
+- Controllers handle HTTP concerns ONLY — route binding, request parsing, response shaping
+- Never put business logic in a controller — delegate everything to the service layer
+- Use NestJS built-in decorators: \`@Get()\`, \`@Post()\`, \`@Body()\`, \`@Param()\`, \`@Query()\`
+- Always define the return type of controller methods explicitly
+- Use \`@ApiTags()\` and \`@ApiOperation()\` for Swagger documentation
+
+### Services & Business Logic
+- Services contain ALL business logic — keep them framework-agnostic where possible
+- Injected via constructor DI — never instantiate services manually with \`new\`
+- Mark services \`@Injectable()\` and register them in the module's \`providers\` array
+- One service per aggregate/domain concept — avoid god services
+
+### DTOs & Validation
+- ALWAYS define DTOs (Data Transfer Objects) for request bodies — never use raw \`any\` or plain objects
+- Use \`class-validator\` decorators on DTOs: \`@IsString()\`, \`@IsEmail()\`, \`@IsNotEmpty()\`
+- Apply \`ValidationPipe\` globally: \`app.useGlobalPipes(new ValidationPipe({ whitelist: true, forbidNonWhitelisted: true }))\`
+- Use \`@Type()\` from \`class-transformer\` for nested object transformation
+- Separate request DTOs from response DTOs — never expose internal entity fields directly
+
+### Guards & Authorization
+- Use Guards for authentication and authorization — apply via \`@UseGuards()\` decorator
+- Implement \`CanActivate\` interface for custom guards
+- Apply guards at the controller or handler level — prefer global guards for auth, handler-level for roles
+- Use custom \`@Roles()\` decorator + \`RolesGuard\` pattern for RBAC
+
+### Pipes
+- Use Pipes for input transformation and validation: \`ParseIntPipe\`, \`ParseUUIDPipe\`, \`ValidationPipe\`
+- Create custom pipes for complex transformations — implement \`PipeTransform\` interface
+- Apply pipes at the parameter level for targeted transformation
+
+### Interceptors
+- Use Interceptors for cross-cutting concerns: logging, caching, response transformation
+- Implement \`NestInterceptor\` interface using RxJS \`Observable\`
+- Apply globally for response wrapping (e.g., \`{ data: ..., statusCode: ... }\` envelope) or per-route
+
+### Exception Filters
+- Use NestJS built-in \`HttpException\` subclasses for expected errors: \`NotFoundException\`, \`BadRequestException\`, \`ForbiddenException\`
+- Create custom exception filters by implementing \`ExceptionFilter\` for domain-specific error shaping
+- Apply \`@Catch()\` decorator to target specific exception types
+- Never return raw error stack traces in production responses
+
+### Configuration
+- Use \`@nestjs/config\` with \`ConfigModule.forRoot()\` for environment variables
+- Access config via \`ConfigService\` — NEVER use \`process.env\` directly in services or controllers
+- Validate env variables at startup with a Joi or Zod schema passed to \`validationSchema\`
+- Store sensitive values in \`.env\` — never commit secrets to source control
+
+### Database & Repositories
+- Use TypeORM or Prisma — avoid raw SQL strings in services
+- Define repository abstraction (Repository pattern) — inject via \`@InjectRepository()\`
+- Transactions: use QueryRunner for multi-step write operations
+- Enable \`synchronize: false\` in production — always use migrations
+
+### Testing
+- Unit test services and guards in isolation — mock the repository layer
+- Integration test controllers with \`supertest\` via \`Test.createTestingModule()\`
+- At minimum: test happy path + validation errors + unauthorized access
+- Name test files \`*.spec.ts\` co-located with source files
+
+### Security
+- Enable CORS explicitly: \`app.enableCors({ origin: allowedOrigins })\`
+- Use \`helmet\` middleware: \`app.use(helmet())\`
+- Use \`ThrottlerModule\` for rate limiting
+- Sanitize all user inputs through DTOs + ValidationPipe whitelist`;
+}

package/scripts/config-generators/frameworks/node.ts

@@ -1,16 +1,62 @@
 /**
- * node.ts — Node.js Backend Guidelines
- * Generated guidelines for Node.js projects.
+ * node.ts — Express / Node.js Backend Guidelines
+ * Generated guidelines for Express and generic Node.js backend projects.
  */
 
 export function nodeGuidelines(): string {
-  return `## Node.js Backend Guidelines
-- Use async/await — avoid callback patterns
-- Always handle errors with try/catch
-- Validate request inputs before processing
-- Use environment variables for configuration
-- Use middleware for cross-cutting concerns
-- Log errors with structured logging
-- Use connection pooling for database connections
-- Implement graceful shutdown handling`;
+  return `## Express / Node.js Backend Guidelines
+
+### Architecture
+- Structure the project in layers: routes → controllers → services → data access
+- Never put business logic in route handlers — keep handlers thin (parse request, call service, send response)
+- Group routes by domain in separate router files: \`users.router.ts\`, \`auth.router.ts\`
+- Apply a barrel file (\`routes/index.ts\`) to mount all routers into the main app
+
+### Async & Error Handling
+- Use async/await throughout — avoid callbacks and raw Promises without \`.catch()\`
+- Wrap async route handlers with an error-catching wrapper or use \`express-async-errors\`
+- Always define a global error-handling middleware with 4 parameters: \`(err, req, res, next)\`
+- Use typed custom error classes (extending \`Error\`) with a \`statusCode\` property
+- Never expose stack traces in production responses
+
+### Middleware
+- Apply middleware with a clear separation of concerns: auth, validation, logging, error handling
+- Use \`helmet()\` for secure HTTP headers
+- Use \`cors()\` with an explicit allowlist — never \`cors()\` with no options
+- Apply \`express.json()\` and \`express.urlencoded()\` for body parsing
+- Use \`morgan\` or a structured logger (Pino, Winston) — never \`console.log\` in production
+- Rate limit public endpoints with \`express-rate-limit\`
+
+### Input Validation
+- ALWAYS validate request inputs before processing — use Zod, Joi, or \`express-validator\`
+- Validate \`req.body\`, \`req.params\`, and \`req.query\` separately
+- Return 400 with a clear error message on validation failure
+
+### Security
+- Never trust user input — validate and sanitize everything
+- Use parameterized queries for all database operations — never interpolate user input into SQL
+- Hash passwords with \`bcrypt\` (cost factor ≥ 12) — never store plaintext
+- Store secrets in environment variables — validate at startup (fail fast)
+- Enable \`trust proxy\` correctly when behind a reverse proxy (nginx, Cloudflare)
+
+### Configuration
+- Use \`dotenv\` + a config module to centralise all \`process.env\` access
+- Validate required env vars at startup — crash immediately if any are missing
+- Never access \`process.env\` directly in route files or services
+
+### Database
+- Use connection pooling — never create a new DB connection per request
+- Use an ORM (Prisma, TypeORM) or query builder (Knex) — avoid raw SQL strings with interpolation
+- Implement graceful shutdown: drain the connection pool before \`process.exit()\`
+
+### Graceful Shutdown
+- Listen for \`SIGTERM\` and \`SIGINT\` signals
+- Stop accepting new connections via \`server.close()\`, then close DB connections, then exit
+- Use a timeout (e.g., 10 s) to force-exit if shutdown hangs
+
+### Testing
+- Unit test service layer in isolation with mocked repositories
+- Integration test routes with \`supertest\` — test happy path + validation errors + auth failures
+- Co-locate tests with source: \`users.service.spec.ts\` next to \`users.service.ts\``;
 }
+

package/scripts/config-generators/typescript-generator.ts

@@ -121,6 +121,42 @@ function buildTsConfig(project: DetectionResult): Record<string, any> {
       delete base.compilerOptions.lib;
       base.compilerOptions.lib = ['ES2022'];
       break;
+
+    case 'nestjs':
+      base.compilerOptions.target = 'ES2021';
+      base.compilerOptions.module = 'commonjs';
+      base.compilerOptions.moduleResolution = 'node';
+      base.compilerOptions.outDir = './dist';
+      base.compilerOptions.rootDir = './src';
+      base.compilerOptions.experimentalDecorators = true;
+      base.compilerOptions.emitDecoratorMetadata = true;
+      base.compilerOptions.allowSyntheticDefaultImports = true;
+      delete base.compilerOptions.lib;
+      base.compilerOptions.lib = ['ES2021'];
+      // NestJS doesn't want verbatimModuleSyntax (conflicts with metadata emission)
+      delete base.compilerOptions.verbatimModuleSyntax;
+      base.include = ['src/**/*.ts'];
+      break;
+
+    case 'fastify':
+      base.compilerOptions.module = 'NodeNext';
+      base.compilerOptions.moduleResolution = 'NodeNext';
+      base.compilerOptions.outDir = './dist';
+      base.compilerOptions.rootDir = './src';
+      delete base.compilerOptions.lib;
+      base.compilerOptions.lib = ['ES2022'];
+      base.include = ['src/**/*.ts'];
+      break;
+
+    case 'hono':
+      base.compilerOptions.module = 'ESNext';
+      base.compilerOptions.moduleResolution = 'bundler';
+      base.compilerOptions.outDir = './dist';
+      base.compilerOptions.rootDir = './src';
+      delete base.compilerOptions.lib;
+      base.compilerOptions.lib = ['ES2022'];
+      base.include = ['src/**/*.ts'];
+      break;
   }
 
   return base;

package/scripts/config-generators/vscode-generator.ts

@@ -326,6 +326,39 @@ function buildTasks(project: DetectionResult): Record<string, any> {
         presentation: { reveal: 'always', panel: 'dedicated' },
       });
       break;
+
+    case 'nestjs':
+      tasks.push({
+        label: 'Dev Server (NestJS)',
+        type: 'shell',
+        command: `${runCmd} start:dev`,
+        isBackground: true,
+        problemMatcher: [],
+        presentation: { reveal: 'always', panel: 'dedicated' },
+      });
+      break;
+
+    case 'fastify':
+      tasks.push({
+        label: 'Dev Server (Fastify)',
+        type: 'shell',
+        command: `${runCmd} dev`,
+        isBackground: true,
+        problemMatcher: [],
+        presentation: { reveal: 'always', panel: 'dedicated' },
+      });
+      break;
+
+    case 'hono':
+      tasks.push({
+        label: 'Dev Server (Hono)',
+        type: 'shell',
+        command: `${runCmd} dev`,
+        isBackground: true,
+        problemMatcher: [],
+        presentation: { reveal: 'always', panel: 'dedicated' },
+      });
+      break;
   }
 
   // Code Guardian task
@@ -477,6 +510,57 @@ function buildLaunch(project: DetectionResult): Record<string, any> {
       );
       break;
 
+    case 'nestjs':
+      configurations.push(
+        {
+          name: 'NestJS: Debug',
+          type: 'node',
+          request: 'launch',
+          runtimeExecutable: '${workspaceFolder}/node_modules/.bin/ts-node',
+          args: ['${workspaceFolder}/src/main.ts'],
+          sourceMaps: true,
+          envFile: '${workspaceFolder}/.env',
+          cwd: '${workspaceFolder}',
+          skipFiles: ['<node_internals>/**'],
+          outFiles: ['${workspaceFolder}/dist/**/*.js'],
+        },
+        {
+          name: 'NestJS: Attach (--inspect)',
+          type: 'node',
+          request: 'attach',
+          port: 9229,
+          skipFiles: ['<node_internals>/**'],
+          restart: true,
+        },
+      );
+      break;
+
+    case 'fastify':
+    case 'hono':
+      configurations.push(
+        {
+          name: `${project.label}: Debug`,
+          type: 'node',
+          request: 'launch',
+          runtimeExecutable: '${workspaceFolder}/node_modules/.bin/ts-node',
+          args: ['${workspaceFolder}/src/index.ts'],
+          sourceMaps: true,
+          envFile: '${workspaceFolder}/.env',
+          cwd: '${workspaceFolder}',
+          skipFiles: ['<node_internals>/**'],
+          outFiles: ['${workspaceFolder}/dist/**/*.js'],
+        },
+        {
+          name: `${project.label}: Attach (--inspect)`,
+          type: 'node',
+          request: 'attach',
+          port: 9229,
+          skipFiles: ['<node_internals>/**'],
+          restart: true,
+        },
+      );
+      break;
+
     default:
       configurations.push(
         {

package/scripts/generate-pr-checklist.ts

@@ -29,6 +29,11 @@ import * as logger from './utils/logger';
 import '../config/angular.config';
 import '../config/react.config';
 import '../config/nextjs.config';
+import '../config/nestjs.config';
+import '../config/node.config';
+import '../config/fastify.config';
+import '../config/hono.config';
+import '../config/python.config';
 
 // ── Types ───────────────────────────────────────────────────────────────────
 
@@ -53,7 +58,7 @@ function parseArgs(): ChecklistOptions {
 
     switch (key) {
       case 'project':
-        if (['angular', 'react', 'nextjs'].includes(value)) {
+        if (['angular', 'react', 'nextjs', 'nestjs', 'node', 'fastify', 'hono'].includes(value)) {
           opts.project = value as ProjectType;
         }
         break;

package/scripts/postinstall.ts

@@ -31,6 +31,44 @@ console.log(`
      
      git commit -m "test"
 
+──────────────────────────────────────────────────────────────
+
+🔐 Security Scanning — Required Tools (one-time install)
+
+  Code Guardian runs 3 layers of security checks on every commit:
+
+  Layer 1: npm audit       ✅ built-in — no install needed
+  Layer 2: retire.js       ✅ built-in — auto-installed via npx
+  Layer 3: Syft + Grype    ⚠️  requires a one-time system install
+
+  Install Grype (CVE scanner):
+
+    Linux / macOS:
+    curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \\
+      | sh -s -- -b /usr/local/bin
+
+    macOS (Homebrew):
+    brew install anchore/grype/grype
+
+  Install Syft (SBOM generator — optional but recommended):
+
+    Linux / macOS:
+    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \\
+      | sh -s -- -b /usr/local/bin
+
+    macOS (Homebrew):
+    brew install anchore/syft/syft
+
+  Verify installation:
+    grype version
+    syft version
+
+  ℹ️  If Grype/Syft are not installed, Layer 3 is skipped with a
+     warning — it will NOT block your commits until installed.
+     Layers 1 and 2 always run automatically.
+
+──────────────────────────────────────────────────────────────
+
 📖 Documentation:
    https://github.com/hatem427/code-guard-ci