@hatem427/code-guard-ci 3.0.0 → 3.1.0

package/config/python.config.ts

@@ -0,0 +1,512 @@
+/**
+ * ============================================================================
+ * python.config.ts — Python-specific coding rules
+ * ============================================================================
+ *
+ * Registers rules that apply to Python projects (Django, FastAPI, Flask,
+ * and generic Python). Rules are applied based on the `applicableTo` field:
+ *   - ['python']              → all Python projects
+ *   - ['django']              → Django only
+ *   - ['fastapi']             → FastAPI only
+ *   - ['flask']               → Flask only
+ *   - ['django', 'fastapi']   → multi-framework
+ */
+
+import { registerRules, Rule } from './guidelines.config';
+
+const pythonRules: Rule[] = [
+
+  // ── Generic Python ────────────────────────────────────────────────────────
+
+  // ─────────────────────────────────────────
+  // RULE: python-no-bare-except
+  // ROLE: Enforce specific exception handling
+  // PURPOSE: `except:` (bare) silently swallows every exception including
+  //          KeyboardInterrupt and SystemExit, making debugging impossible
+  //          and preventing graceful shutdown.
+  // EXAMPLE:
+  //   WRONG:
+  //     try:
+  //         result = db.query(...)
+  //     except:
+  //         pass
+  //   RIGHT:
+  //     try:
+  //         result = db.query(...)
+  //     except Exception as e:
+  //         logger.error("Query failed: %s", e)
+  //         raise
+  // ─────────────────────────────────────────
+  {
+    id: 'python-no-bare-except',
+    label: 'No bare except clauses',
+    description:
+      'Always catch a specific exception type (e.g. `except ValueError`) or at minimum `except Exception`. Bare `except:` swallows every error including KeyboardInterrupt.',
+    severity: 'error',
+    fileExtensions: ['py'],
+    pattern: /^\s*except\s*:/,
+    applicableTo: ['python', 'django', 'fastapi', 'flask'],
+    category: 'Error Handling',
+  },
+
+  // ─────────────────────────────────────────
+  // RULE: python-no-print-statements
+  // ROLE: Enforce structured logging
+  // PURPOSE: print() in production code bypasses log aggregation systems
+  //          (CloudWatch, Datadog, etc.) and cannot be toggled by log level.
+  //          Use the standard `logging` module or a structured logger instead.
+  // EXAMPLE:
+  //   WRONG:  print(f"User {user_id} created")
+  //   RIGHT:  logger.info("User %s created", user_id)
+  // ─────────────────────────────────────────
+  {
+    id: 'python-no-print-statements',
+    label: 'No print() in production code — use logging',
+    description:
+      'Replace print() calls with proper logging (logging.info / logger.info). print() bypasses log levels, log aggregation, and structured logging pipelines.',
+    severity: 'warning',
+    fileExtensions: ['py'],
+    pattern: /(?<![#\w])print\s*\(/,
+    applicableTo: ['python', 'django', 'fastapi', 'flask'],
+    category: 'Observability',
+  },
+
+  // ─────────────────────────────────────────
+  // RULE: python-no-hardcoded-secrets
+  // ROLE: Prevent credential leaks in source code
+  // PURPOSE: Hardcoded passwords, API keys, and secret tokens get committed
+  //          to version control and are trivially discoverable.
+  // EXAMPLE:
+  //   WRONG:  SECRET_KEY = "mysupersecret123"
+  //   RIGHT:  SECRET_KEY = os.environ["SECRET_KEY"]
+  // ─────────────────────────────────────────
+  {
+    id: 'python-no-hardcoded-secrets',
+    label: 'No hardcoded secrets or API keys',
+    description:
+      'Do not hardcode passwords, API keys, or secret tokens. Load sensitive values from environment variables or a secrets manager.',
+    severity: 'error',
+    fileExtensions: ['py'],
+    pattern: /(?:password|secret|api_key|apikey|token|auth_key)\s*=\s*['"][^'"]{6,}['"]/i,
+    applicableTo: ['python', 'django', 'fastapi', 'flask'],
+    category: 'Security',
+  },
+
+  // ─────────────────────────────────────────
+  // RULE: python-no-eval
+  // ROLE: Prevent arbitrary code execution
+  // PURPOSE: eval() and exec() execute arbitrary strings as code, opening
+  //          a direct remote-code-execution vector if user input reaches them.
+  // EXAMPLE:
+  //   WRONG:  result = eval(user_input)
+  //   RIGHT:  use ast.literal_eval() for safe literal parsing
+  // ─────────────────────────────────────────
+  {
+    id: 'python-no-eval',
+    label: 'No eval() or exec() with dynamic input',
+    description:
+      'eval() and exec() are remote code execution vulnerabilities when fed user-controlled data. Use ast.literal_eval() for data parsing or redesign the logic.',
+    severity: 'error',
+    fileExtensions: ['py'],
+    pattern: /\beval\s*\(|\bexec\s*\(/,
+    applicableTo: ['python', 'django', 'fastapi', 'flask'],
+    category: 'Security',
+  },
+
+  // ─────────────────────────────────────────
+  // RULE: python-type-hints-required
+  // ROLE: Enforce type annotations on function signatures
+  // PURPOSE: Type hints enable static analysis (mypy, pyright), improve IDE
+  //          autocompletion, and make APIs self-documenting.
+  // EXAMPLE:
+  //   WRONG:
+  //     def create_user(name, email):
+  //         ...
+  //   RIGHT:
+  //     def create_user(name: str, email: str) -> User:
+  //         ...
+  // ─────────────────────────────────────────
+  {
+    id: 'python-type-hints-required',
+    label: 'Add type hints to function parameters and return types',
+    description:
+      'Public functions and methods should have type annotations on all parameters and the return type. Enables mypy/pyright static analysis.',
+    severity: 'warning',
+    fileExtensions: ['py'],
+    pattern: /^def\s+[a-z_]\w*\s*\([^)]*\)\s*:/,
+    customCheck: (file) => {
+      const violations: Array<{ line: number | null; message: string }> = [];
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        // Match function definitions without return type annotation (no ->)
+        if (/^\s*def\s+[a-z_]\w*\s*\([^)]*\)\s*:/.test(line) && !line.includes('->')) {
+          // Skip dunder methods like __init__, __str__
+          if (!/__\w+__/.test(line)) {
+            violations.push({
+              line: i + 1,
+              message: 'Function is missing a return type annotation. Add `-> ReturnType:` after the parameter list.',
+            });
+          }
+        }
+      }
+      return violations;
+    },
+    applicableTo: ['python', 'django', 'fastapi', 'flask'],
+    category: 'Code Quality',
+  },
+
+  // ── Django ────────────────────────────────────────────────────────────────
+
+  // ─────────────────────────────────────────
+  // RULE: django-no-raw-sql
+  // ROLE: Prevent SQL injection via raw queries
+  // PURPOSE: cursor.execute() and raw() with string formatting bypass the ORM
+  //          parameterization, enabling SQL injection if user input is present.
+  // EXAMPLE:
+  //   WRONG:
+  //     cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
+  //   RIGHT:
+  //     cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])
+  //   OR:    User.objects.filter(id=user_id)
+  // ─────────────────────────────────────────
+  {
+    id: 'django-no-raw-sql',
+    label: 'No string-formatted raw SQL queries',
+    description:
+      'cursor.execute() and .raw() with f-strings or % formatting are SQL injection risks. Use parameterized queries or the Django ORM.',
+    severity: 'error',
+    fileExtensions: ['py'],
+    pattern: /cursor\.execute\s*\(\s*f['"]|cursor\.execute\s*\(\s*['"][^'"]*%\s*(?!s\b|\()/,
+    applicableTo: ['django'],
+    category: 'Security',
+  },
+
+  // ─────────────────────────────────────────
+  // RULE: django-no-logic-in-view
+  // ROLE: Enforce thin views (controller pattern)
+  // PURPOSE: Business logic in Django views cannot be unit-tested without
+  //          the full HTTP request/response cycle. Logic belongs in service
+  //          modules or model methods.
+  // EXAMPLE:
+  //   WRONG:
+  //     class UserCreateView(APIView):
+  //         def post(self, request):
+  //             salt = bcrypt.gensalt()
+  //             hashed = bcrypt.hashpw(request.data['password'].encode(), salt)
+  //             User.objects.create(password=hashed, ...)
+  //   RIGHT:
+  //     class UserCreateView(APIView):
+  //         def post(self, request):
+  //             serializer = UserSerializer(data=request.data)
+  //             serializer.is_valid(raise_exception=True)
+  //             return UserService.create(serializer.validated_data)
+  // ─────────────────────────────────────────
+  {
+    id: 'django-no-logic-in-view',
+    label: 'No business logic in Django views',
+    description:
+      'Django views should only validate input (via serializers/forms) and delegate to service modules. Move hashing, computation, and ORM writes to a service layer.',
+    severity: 'warning',
+    fileExtensions: ['py'],
+    pattern: null,
+    customCheck: (file) => {
+      const violations: Array<{ line: number | null; message: string }> = [];
+      if (
+        !file.relativePath.includes('/views/') &&
+        !file.relativePath.endsWith('views.py') &&
+        !file.relativePath.endsWith('viewsets.py')
+      ) {
+        return [];
+      }
+      const businessPatterns = [
+        { regex: /bcrypt\.(hashpw|checkpw|gensalt)/g, label: 'bcrypt hashing' },
+        { regex: /\.objects\.create\s*\(/g, label: 'direct ORM create()' },
+        { regex: /send_mail\s*\(|send_message\s*\(/g, label: 'direct email/message send' },
+      ];
+      for (let i = 0; i < file.lines.length; i++) {
+        for (const { regex, label } of businessPatterns) {
+          regex.lastIndex = 0;
+          if (regex.test(file.lines[i])) {
+            violations.push({
+              line: i + 1,
+              message: `Business logic (${label}) in view. Move to a service module.`,
+            });
+          }
+        }
+      }
+      return violations;
+    },
+    applicableTo: ['django'],
+    category: 'Architecture',
+  },
+
+  // ─────────────────────────────────────────
+  // RULE: django-use-serializer-validation
+  // ROLE: Enforce validation via DRF serializers
+  // PURPOSE: Accessing request.data directly without calling is_valid() skips
+  //          all field-level validation and can allow malformed or malicious
+  //          data into the system.
+  // EXAMPLE:
+  //   WRONG:
+  //     def post(self, request):
+  //         User.objects.create(**request.data)
+  //   RIGHT:
+  //     def post(self, request):
+  //         serializer = UserSerializer(data=request.data)
+  //         serializer.is_valid(raise_exception=True)
+  //         serializer.save()
+  // ─────────────────────────────────────────
+  {
+    id: 'django-use-serializer-validation',
+    label: 'Validate request data through a serializer before use',
+    description:
+      'Do not pass request.data directly to model constructors or ORM calls. Always use a DRF Serializer with is_valid(raise_exception=True) first.',
+    severity: 'error',
+    fileExtensions: ['py'],
+    pattern: /\.objects\.create\s*\(\s*\*\*request\.data/,
+    applicableTo: ['django'],
+    category: 'Validation',
+  },
+
+  // ── FastAPI ───────────────────────────────────────────────────────────────
+
+  // ─────────────────────────────────────────
+  // RULE: fastapi-use-pydantic-models
+  // ROLE: Enforce schema-based request validation
+  // PURPOSE: FastAPI route functions that accept `request: Request` and then
+  //          call await request.json() bypass Pydantic validation entirely.
+  //          Pydantic models provide automatic type coercion, validation, and
+  //          OpenAPI schema generation.
+  // EXAMPLE:
+  //   WRONG:
+  //     @router.post("/users")
+  //     async def create_user(request: Request):
+  //         body = await request.json()
+  //   RIGHT:
+  //     @router.post("/users")
+  //     async def create_user(body: CreateUserRequest):
+  //         ...
+  // ─────────────────────────────────────────
+  {
+    id: 'fastapi-use-pydantic-models',
+    label: 'Use Pydantic models for request bodies — not raw Request',
+    description:
+      'Route handlers should declare their request body as a typed Pydantic model. Using `await request.json()` bypasses validation and OpenAPI schema generation.',
+    severity: 'error',
+    fileExtensions: ['py'],
+    pattern: /await\s+request\.json\s*\(\)/,
+    applicableTo: ['fastapi'],
+    category: 'Validation',
+  },
+
+  // ─────────────────────────────────────────
+  // RULE: fastapi-async-route-handler
+  // ROLE: Enforce async route handlers
+  // PURPOSE: Synchronous route handlers block the FastAPI event loop, which
+  //          defeats the purpose of the async framework and causes latency
+  //          spikes under concurrent load.
+  // EXAMPLE:
+  //   WRONG:
+  //     @router.get("/users/{id}")
+  //     def get_user(id: int, db: Session = Depends(get_db)):
+  //         return db.query(User).filter(User.id == id).first()
+  //   RIGHT:
+  //     @router.get("/users/{id}")
+  //     async def get_user(id: int, db: AsyncSession = Depends(get_db)):
+  //         return await db.get(User, id)
+  // ─────────────────────────────────────────
+  {
+    id: 'fastapi-async-route-handler',
+    label: 'Route handlers should be async',
+    description:
+      'Synchronous route handlers block the FastAPI event loop. Use `async def` with async DB drivers (e.g. SQLAlchemy async, databases, asyncpg).',
+    severity: 'warning',
+    fileExtensions: ['py'],
+    pattern: null,
+    customCheck: (file) => {
+      const violations: Array<{ line: number | null; message: string }> = [];
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        // Detect @router.get/post/put/patch/delete followed by a sync def on the next line
+        if (/@(?:router|app)\s*\.\s*(?:get|post|put|patch|delete)\s*\(/.test(line)) {
+          const nextLine = file.lines[i + 1] || '';
+          if (/^\s*def\s+/.test(nextLine) && !/^\s*async\s+def\s+/.test(nextLine)) {
+            violations.push({
+              line: i + 2,
+              message:
+                'Route handler is synchronous. Use `async def` to avoid blocking the FastAPI event loop.',
+            });
+          }
+        }
+      }
+      return violations;
+    },
+    applicableTo: ['fastapi'],
+    category: 'Performance',
+  },
+
+  // ─────────────────────────────────────────
+  // RULE: fastapi-response-model-required
+  // ROLE: Enforce response type declarations
+  // PURPOSE: Without a response_model, FastAPI will serialize the entire
+  //          returned object, potentially leaking internal fields (passwords,
+  //          tokens, internal IDs). response_model also generates the OpenAPI
+  //          response schema.
+  // EXAMPLE:
+  //   WRONG:
+  //     @router.post("/users")
+  //     async def create_user(body: CreateUserRequest, db: AsyncSession = Depends(get_db)):
+  //         return await user_service.create(db, body)
+  //   RIGHT:
+  //     @router.post("/users", response_model=UserResponse, status_code=201)
+  //     async def create_user(body: CreateUserRequest, db: AsyncSession = Depends(get_db)):
+  //         return await user_service.create(db, body)
+  // ─────────────────────────────────────────
+  {
+    id: 'fastapi-response-model-required',
+    label: 'Declare response_model on all mutating routes',
+    description:
+      'POST/PUT/PATCH/DELETE routes should declare a response_model to prevent data leaks and generate OpenAPI response schemas.',
+    severity: 'warning',
+    fileExtensions: ['py'],
+    pattern: null,
+    customCheck: (file) => {
+      const violations: Array<{ line: number | null; message: string }> = [];
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        if (/@(?:router|app)\s*\.\s*(?:post|put|patch|delete)\s*\(/.test(line)) {
+          // Collect the decorator (may span multiple lines)
+          const decoratorBlock = file.lines.slice(i, i + 5).join(' ');
+          if (!decoratorBlock.includes('response_model')) {
+            violations.push({
+              line: i + 1,
+              message:
+                'Mutating route is missing response_model. Add response_model=YourSchema to prevent data leaks.',
+            });
+          }
+        }
+      }
+      return violations;
+    },
+    applicableTo: ['fastapi'],
+    category: 'Security',
+  },
+
+  // ── Flask ─────────────────────────────────────────────────────────────────
+
+  // ─────────────────────────────────────────
+  // RULE: flask-use-blueprint-structure
+  // ROLE: Enforce Flask Blueprint organisation
+  // PURPOSE: Defining all routes directly on the `app` object in a single
+  //          file does not scale. Blueprints allow grouping related routes
+  //          into separate modules with their own URL prefixes.
+  // EXAMPLE:
+  //   WRONG:
+  //     @app.route('/users', methods=['POST'])
+  //     def create_user(): ...
+  //   RIGHT:
+  //     users_bp = Blueprint('users', __name__, url_prefix='/users')
+  //     @users_bp.route('/', methods=['POST'])
+  //     def create_user(): ...
+  // ─────────────────────────────────────────
+  {
+    id: 'flask-use-blueprint-structure',
+    label: 'Define routes on Blueprints, not directly on app',
+    description:
+      'Register routes on Blueprint instances instead of the global `app` object. Blueprints enable modular structure and independent URL prefixes.',
+    severity: 'warning',
+    fileExtensions: ['py'],
+    pattern: /@app\.route\s*\(/,
+    customCheck: (file) => {
+      const violations: Array<{ line: number | null; message: string }> = [];
+      // Only flag if the file does not define a Blueprint itself
+      const definesBp = file.content.includes('Blueprint(');
+      if (definesBp) return [];
+      for (let i = 0; i < file.lines.length; i++) {
+        if (/@app\.route\s*\(/.test(file.lines[i])) {
+          violations.push({
+            line: i + 1,
+            message:
+              'Route registered directly on `app`. Move to a Blueprint for modular structure.',
+          });
+        }
+      }
+      return violations;
+    },
+    applicableTo: ['flask'],
+    category: 'Architecture',
+  },
+
+  // ─────────────────────────────────────────
+  // RULE: flask-validate-request-data
+  // ROLE: Enforce input validation before use
+  // PURPOSE: request.json and request.form return raw dicts with no type
+  //          coercion or validation. A missing or malformed field will cause
+  //          an unhandled KeyError or TypeError at runtime.
+  //          Use Flask-Marshmallow, Pydantic, or wtforms validation.
+  // EXAMPLE:
+  //   WRONG:
+  //     data = request.json
+  //     user = User(name=data['name'], email=data['email'])
+  //   RIGHT:
+  //     schema = CreateUserSchema()
+  //     data = schema.load(request.json)   # raises ValidationError on bad input
+  //     user = User(**data)
+  // ─────────────────────────────────────────
+  {
+    id: 'flask-validate-request-data',
+    label: 'Validate request.json / request.form before use',
+    description:
+      'Do not use request.json or request.form directly. Validate with a schema library (Marshmallow, Pydantic) to catch malformed input before it reaches business logic.',
+    severity: 'error',
+    fileExtensions: ['py'],
+    pattern: null,
+    customCheck: (file) => {
+      const violations: Array<{ line: number | null; message: string }> = [];
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        if (/request\s*\.\s*(?:json|form)\b/.test(line)) {
+          // Check surrounding lines for a schema.load / validate call
+          const context = file.lines.slice(Math.max(0, i - 5), i + 5).join('\n');
+          if (!context.includes('.load(') && !context.includes('.validate(') && !context.includes('schema')) {
+            violations.push({
+              line: i + 1,
+              message:
+                'request.json/form used without schema validation. Run input through a Marshmallow schema or Pydantic model before use.',
+            });
+          }
+        }
+      }
+      return violations;
+    },
+    applicableTo: ['flask'],
+    category: 'Validation',
+  },
+
+  // ─────────────────────────────────────────
+  // RULE: flask-no-debug-in-production
+  // ROLE: Prevent debug mode in production
+  // PURPOSE: app.run(debug=True) exposes the Werkzeug interactive debugger,
+  //          which allows arbitrary Python code execution in the browser.
+  //          It must never run in production.
+  // EXAMPLE:
+  //   WRONG:  app.run(debug=True)
+  //   RIGHT:  app.run(debug=os.getenv("FLASK_DEBUG", "false").lower() == "true")
+  // ─────────────────────────────────────────
+  {
+    id: 'flask-no-debug-in-production',
+    label: 'Do not hardcode debug=True in app.run()',
+    description:
+      'app.run(debug=True) exposes the Werkzeug interactive debugger — a remote code execution vulnerability. Read the debug flag from an environment variable.',
+    severity: 'error',
+    fileExtensions: ['py'],
+    pattern: /app\.run\s*\([^)]*debug\s*=\s*True/,
+    applicableTo: ['flask'],
+    category: 'Security',
+  },
+];
+
+registerRules('python',  pythonRules.filter(r => r.applicableTo?.includes('python')));
+registerRules('django',  pythonRules.filter(r => r.applicableTo?.includes('django')));
+registerRules('fastapi', pythonRules.filter(r => r.applicableTo?.includes('fastapi')));
+registerRules('flask',   pythonRules.filter(r => r.applicableTo?.includes('flask')));

package/dist/config/fastify.config.d.ts

@@ -0,0 +1,17 @@
+/**
+ * ============================================================================
+ * fastify.config.ts — Fastify-specific coding rules
+ * ============================================================================
+ *
+ * Registers rules that apply to Fastify projects:
+ *   - Schema-first validation enforcement
+ *   - Plugin scope correctness
+ *   - Async handler patterns
+ *   - Security: CORS, helmet, rate limiting
+ *   - Error response shape
+ *   - Hook lifecycle usage
+ */
+import { Rule } from './guidelines.config';
+declare const fastifyRules: Rule[];
+export { fastifyRules };
+//# sourceMappingURL=fastify.config.d.ts.map

package/dist/config/fastify.config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fastify.config.d.ts","sourceRoot":"","sources":["../../config/fastify.config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAiB,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAE1D,QAAA,MAAM,YAAY,EAAE,IAAI,EAgTvB,CAAC;AAKF,OAAO,EAAE,YAAY,EAAE,CAAC"}