@replikanti/flowlint-core 0.6.0

package/dist/index.mjs

@@ -0,0 +1,1183 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/parser/parser-n8n.ts
+import YAML from "yaml";
+
+// src/schemas/index.ts
+import Ajv from "ajv";
+import addFormats from "ajv-formats";
+
+// src/schemas/n8n-workflow.schema.json
+var n8n_workflow_schema_default = {
+  $schema: "http://json-schema.org/draft-07/schema#",
+  $id: "https://flowlint.dev/schemas/n8n-workflow.json",
+  title: "n8n Workflow Schema",
+  description: "JSON Schema for n8n workflow files (v1.x)",
+  type: "object",
+  required: ["nodes", "connections"],
+  properties: {
+    name: {
+      type: "string",
+      description: "Workflow name"
+    },
+    nodes: {
+      type: "array",
+      description: "Array of workflow nodes",
+      items: {
+        type: "object",
+        required: ["type", "name"],
+        properties: {
+          id: {
+            type: "string",
+            minLength: 1,
+            description: "Unique node identifier"
+          },
+          type: {
+            type: "string",
+            minLength: 1,
+            description: "Node type (e.g., n8n-nodes-base.httpRequest)"
+          },
+          name: {
+            type: "string",
+            minLength: 1,
+            description: "Human-readable node name"
+          },
+          parameters: {
+            type: "object",
+            description: "Node-specific configuration parameters"
+          },
+          credentials: {
+            type: "object",
+            description: "Credential references for this node"
+          },
+          position: {
+            type: "array",
+            description: "X,Y coordinates for UI placement",
+            items: {
+              type: "number"
+            },
+            minItems: 2,
+            maxItems: 2
+          },
+          continueOnFail: {
+            type: "boolean",
+            description: "Whether to continue execution on node failure"
+          },
+          disabled: {
+            type: "boolean",
+            description: "Whether the node is disabled"
+          },
+          notesInFlow: {
+            type: "boolean"
+          },
+          notes: {
+            type: "string"
+          },
+          typeVersion: {
+            type: "number",
+            description: "Version of the node type"
+          }
+        },
+        additionalProperties: true
+      }
+    },
+    connections: {
+      type: "object",
+      description: "Map of node connections (source node ID -> connection details)",
+      patternProperties: {
+        "^.*$": {
+          type: "object",
+          description: "Connection channels for a source node",
+          patternProperties: {
+            "^(main|error|timeout|.*?)$": {
+              description: "Connection array for this channel",
+              oneOf: [
+                {
+                  type: "array",
+                  items: {
+                    type: "object",
+                    required: ["node"],
+                    properties: {
+                      node: {
+                        type: "string",
+                        description: "Target node ID or name"
+                      },
+                      type: {
+                        type: "string",
+                        description: "Connection type"
+                      },
+                      index: {
+                        type: "number",
+                        description: "Output index"
+                      }
+                    }
+                  }
+                },
+                {
+                  type: "array",
+                  items: {
+                    type: "array",
+                    items: {
+                      type: "object",
+                      required: ["node"],
+                      properties: {
+                        node: {
+                          type: "string"
+                        },
+                        type: {
+                          type: "string"
+                        },
+                        index: {
+                          type: "number"
+                        }
+                      }
+                    }
+                  }
+                }
+              ]
+            }
+          }
+        }
+      }
+    },
+    active: {
+      type: "boolean",
+      description: "Whether the workflow is active"
+    },
+    settings: {
+      type: "object",
+      description: "Workflow settings"
+    },
+    tags: {
+      type: "array",
+      description: "Workflow tags",
+      items: {
+        oneOf: [
+          { type: "string" },
+          {
+            type: "object",
+            required: ["name"],
+            properties: {
+              id: { type: "string" },
+              name: { type: "string" }
+            },
+            additionalProperties: true
+          }
+        ]
+      }
+    },
+    pinData: {
+      type: "object",
+      description: "Pinned execution data for testing"
+    },
+    versionId: {
+      type: "string",
+      description: "Workflow version identifier"
+    },
+    id: {
+      type: ["string", "number"],
+      description: "Workflow ID"
+    },
+    meta: {
+      type: "object",
+      description: "Metadata"
+    }
+  },
+  additionalProperties: true
+};
+
+// src/utils/utils.ts
+function flattenConnections(value) {
+  if (!value) return [];
+  if (Array.isArray(value)) {
+    return value.flatMap((entry) => flattenConnections(entry));
+  }
+  if (typeof value === "object" && "node" in value) {
+    return [value];
+  }
+  return [];
+}
+function buildValidationErrors(items, errorConfig) {
+  const itemArray = Array.isArray(items) ? items : Array.from(items);
+  return itemArray.map((item) => ({
+    path: errorConfig.path,
+    message: errorConfig.messageTemplate(item),
+    suggestion: errorConfig.suggestionTemplate(item)
+  }));
+}
+function collectStrings(value, out = []) {
+  if (typeof value === "string") out.push(value);
+  else if (Array.isArray(value)) value.forEach((entry) => collectStrings(entry, out));
+  else if (value && typeof value === "object")
+    Object.values(value).forEach((entry) => collectStrings(entry, out));
+  return out;
+}
+function toRegex(pattern) {
+  let source = pattern;
+  let flags = "";
+  if (source.startsWith("(?i)")) {
+    source = source.slice(4);
+    flags += "i";
+  }
+  return new RegExp(source, flags);
+}
+function isApiNode(type) {
+  return /http|request|google|facebook|ads/i.test(type);
+}
+function isMutationNode(type) {
+  return /write|insert|update|delete|post|put|patch|database|mongo|supabase|sheet/i.test(type);
+}
+function isErrorProneNode(type) {
+  return isApiNode(type) || isMutationNode(type) || /execute|workflow|function/i.test(type);
+}
+function isNotificationNode(type) {
+  return /slack|discord|email|gotify|mattermost|microsoftTeams|pushbullet|pushover|rocketchat|zulip|telegram/i.test(
+    type
+  );
+}
+function isErrorHandlerNode(type, name) {
+  const normalizedType = type.toLowerCase();
+  if (normalizedType.includes("stopanderror")) return true;
+  if (normalizedType.includes("errorhandler")) return true;
+  if (normalizedType.includes("raiseerror")) return true;
+  const normalizedName = name?.toLowerCase() ?? "";
+  if (normalizedName.includes("stop and error")) return true;
+  if (normalizedName.includes("error handler")) return true;
+  return false;
+}
+function isRejoinNode(graph, nodeId) {
+  const incoming = graph.edges.filter((e) => e.to === nodeId);
+  if (incoming.length <= 1) return false;
+  const hasErrorEdge = incoming.some((e) => e.on === "error");
+  const hasSuccessEdge = incoming.some((e) => e.on !== "error");
+  return hasErrorEdge && hasSuccessEdge;
+}
+function isMeaningfulConsumer(node) {
+  return isMutationNode(node.type) || // Writes to a DB, sheet, etc.
+  isNotificationNode(node.type) || // Sends a message to Slack, email, etc.
+  isApiNode(node.type) || // Calls an external API
+  /respondToWebhook/i.test(node.type);
+}
+function containsCandidate(value, candidates) {
+  if (!value || !candidates.length) return false;
+  const queue = [value];
+  const candidateRegex = new RegExp(`(${candidates.join("|")})`, "i");
+  while (queue.length > 0) {
+    const current = queue.shift();
+    if (typeof current === "string") {
+      if (candidateRegex.test(current)) return true;
+    } else if (Array.isArray(current)) {
+      queue.push(...current);
+    } else if (current && typeof current === "object") {
+      for (const [key, val] of Object.entries(current)) {
+        if (candidateRegex.test(key)) return true;
+        queue.push(val);
+      }
+    }
+  }
+  return false;
+}
+var TERMINAL_NODE_PATTERNS = [
+  "respond",
+  "reply",
+  "end",
+  "stop",
+  "terminate",
+  "return",
+  "sticky",
+  "note",
+  "noop",
+  "no operation",
+  "slack",
+  "email",
+  "discord",
+  "teams",
+  "webhook",
+  "telegram",
+  "pushbullet",
+  "mattermost",
+  "notifier",
+  "notification",
+  "alert",
+  "sms",
+  "call"
+];
+function isTerminalNode(type, name) {
+  const label = `${type} ${name ?? ""}`.toLowerCase();
+  return TERMINAL_NODE_PATTERNS.some((pattern) => label.includes(pattern));
+}
+function readNumber(source, paths) {
+  for (const path of paths) {
+    const value = path.split(".").reduce((acc, key) => acc ? acc[key] : void 0, source);
+    if (typeof value === "number") return value;
+    if (typeof value === "string" && !Number.isNaN(Number(value))) return Number(value);
+  }
+  return void 0;
+}
+function findAllDownstreamNodes(graph, startNodeId) {
+  const visited = /* @__PURE__ */ new Set();
+  const queue = [startNodeId];
+  visited.add(startNodeId);
+  let head = 0;
+  while (head < queue.length) {
+    const currentId = queue[head++];
+    const outgoing = graph.edges.filter((e) => e.from === currentId);
+    for (const edge of outgoing) {
+      if (!visited.has(edge.to)) {
+        visited.add(edge.to);
+        queue.push(edge.to);
+      }
+    }
+  }
+  return visited;
+}
+function findAllUpstreamNodes(graph, startNodeId) {
+  const visited = /* @__PURE__ */ new Set();
+  const queue = [startNodeId];
+  visited.add(startNodeId);
+  let head = 0;
+  while (head < queue.length) {
+    const currentId = queue[head++];
+    const incoming = graph.edges.filter((e) => e.to === currentId);
+    for (const edge of incoming) {
+      if (!visited.has(edge.from)) {
+        visited.add(edge.from);
+        queue.push(edge.from);
+      }
+    }
+  }
+  return visited;
+}
+var EXAMPLES_BASE_URL = "https://github.com/Replikanti/flowlint-examples/tree/main";
+function getExampleLink(ruleId) {
+  return `${EXAMPLES_BASE_URL}/${ruleId}`;
+}
+
+// src/schemas/index.ts
+var ValidationError = class extends Error {
+  constructor(errors) {
+    super(`Workflow validation failed: ${errors.length} error(s)`);
+    this.errors = errors;
+    this.name = "ValidationError";
+  }
+};
+var createDummyValidator = () => {
+  const v = () => true;
+  v.errors = [];
+  return v;
+};
+var validatorInstance = null;
+function getValidator() {
+  if (validatorInstance) return validatorInstance;
+  const isNode = typeof process !== "undefined" && process?.versions?.node != null;
+  if (isNode) {
+    try {
+      const ajv = new Ajv({
+        allErrors: true,
+        strict: false,
+        verbose: true,
+        code: { source: true, es5: true }
+      });
+      addFormats(ajv);
+      validatorInstance = ajv.compile(n8n_workflow_schema_default);
+    } catch (error) {
+      console.warn("Failed to compile JSON schema validator, falling back to dummy validator:", error);
+      validatorInstance = createDummyValidator();
+    }
+  } else {
+    validatorInstance = createDummyValidator();
+  }
+  return validatorInstance;
+}
+function throwIfInvalid(items, config) {
+  if (items.size > 0) {
+    const errors = buildValidationErrors(items, config);
+    throw new ValidationError(errors);
+  }
+}
+function checkDuplicateNodeIds(data) {
+  if (!Array.isArray(data.nodes)) return;
+  const seen = /* @__PURE__ */ new Set();
+  const duplicates = /* @__PURE__ */ new Set();
+  for (const node of data.nodes) {
+    if (node.id && seen.has(node.id)) {
+      duplicates.add(node.id);
+    }
+    if (node.id) {
+      seen.add(node.id);
+    }
+  }
+  throwIfInvalid(duplicates, {
+    path: "nodes[].id",
+    messageTemplate: (id) => `Duplicate node ID: "${id}"`,
+    suggestionTemplate: (id) => `Each node must have a unique ID. Remove or rename the duplicate node with ID "${id}".`
+  });
+}
+function checkOrphanedConnections(data) {
+  if (!data.connections || !Array.isArray(data.nodes)) return;
+  const nodeIds = /* @__PURE__ */ new Set();
+  const nodeNames = /* @__PURE__ */ new Set();
+  for (const node of data.nodes) {
+    if (node.id) nodeIds.add(node.id);
+    if (node.name) nodeNames.add(node.name);
+  }
+  const orphanedRefs = /* @__PURE__ */ new Set();
+  Object.entries(data.connections).forEach(([sourceId, channels]) => {
+    if (!nodeIds.has(sourceId) && !nodeNames.has(sourceId)) {
+      orphanedRefs.add(sourceId);
+    }
+    if (typeof channels === "object" && channels !== null) {
+      Object.values(channels).forEach((connArray) => {
+        const flatConnections = flattenConnections(connArray);
+        flatConnections.forEach((conn) => {
+          if (conn?.node) {
+            if (!nodeIds.has(conn.node) && !nodeNames.has(conn.node)) {
+              orphanedRefs.add(conn.node);
+            }
+          }
+        });
+      });
+    }
+  });
+  throwIfInvalid(orphanedRefs, {
+    path: "connections",
+    messageTemplate: (ref) => `Orphaned connection reference: "${ref}"`,
+    suggestionTemplate: (ref) => `Connection references node "${ref}" which does not exist. Add the missing node or remove the invalid connection.`
+  });
+}
+function validateN8nWorkflow(data) {
+  const validate = getValidator();
+  if (!validate(data)) {
+    const errors = (validate.errors || []).map((err) => {
+      const path = err.instancePath || err.schemaPath;
+      const message = err.message || "Validation error";
+      let suggestion = "";
+      if (err.keyword === "required") {
+        const missing = err.params?.missingProperty;
+        suggestion = `Add the required field "${missing}" to the workflow.`;
+      } else if (err.keyword === "type") {
+        const expected = err.params?.type;
+        suggestion = `The field should be of type "${expected}".`;
+      } else if (err.keyword === "minLength") {
+        suggestion = "This field cannot be empty.";
+      }
+      return { path, message, suggestion };
+    });
+    throw new ValidationError(errors);
+  }
+  checkDuplicateNodeIds(data);
+  checkOrphanedConnections(data);
+}
+
+// src/parser/parser-n8n.ts
+function parseN8n(doc) {
+  let parsed;
+  try {
+    parsed = JSON.parse(doc);
+  } catch {
+    parsed = YAML.parse(doc);
+  }
+  validateN8nWorkflow(parsed);
+  const nodes = parsed.nodes.map((node, idx) => {
+    const nodeId = node.id || node.name || `node-${idx}`;
+    const flags = {
+      continueOnFail: node.continueOnFail,
+      retryOnFail: node.retryOnFail ?? node.settings?.retryOnFail,
+      waitBetweenTries: node.waitBetweenTries ?? node.settings?.waitBetweenTries,
+      maxTries: node.maxTries ?? node.settings?.maxTries
+    };
+    const hasFlags = flags.continueOnFail !== void 0 || flags.retryOnFail !== void 0 || flags.waitBetweenTries !== void 0;
+    return {
+      id: nodeId,
+      type: node.type,
+      name: node.name,
+      params: node.parameters,
+      cred: node.credentials,
+      flags: hasFlags ? flags : void 0
+    };
+  });
+  const nameToId = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    if (node.id) nameToId.set(node.id, node.id);
+    if (node.name) nameToId.set(node.name, node.id);
+  }
+  const lines = doc.split(/\r?\n/);
+  const idLine = /* @__PURE__ */ new Map();
+  const nameLine = /* @__PURE__ */ new Map();
+  lines.forEach((line, idx) => {
+    const idMatch = line.match(/"id":\s*"([^"]+)"/);
+    if (idMatch) idLine.set(idMatch[1], idx + 1);
+    const nameMatch = line.match(/"name":\s*"([^"]+)"/);
+    if (nameMatch) nameLine.set(nameMatch[1], idx + 1);
+  });
+  const nodeLines = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    const lineNumber = node.name && nameLine.get(node.name) || idLine.get(node.id);
+    if (lineNumber) {
+      nodeLines.set(node.id, lineNumber);
+    }
+  }
+  const nodeById = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    nodeById.set(node.id, node);
+  }
+  const resolveEdgeType = (connectionType, outputIndex, sourceType) => {
+    if (connectionType === "error") return "error";
+    if (connectionType === "timeout") return "timeout";
+    if (connectionType === "main") {
+      if (typeof outputIndex === "number" && outputIndex > 0 && sourceType && isErrorProneNode(sourceType)) {
+        return "error";
+      }
+      return "success";
+    }
+    return "success";
+  };
+  const edges = [];
+  Object.entries(parsed.connections || {}).forEach(([from, exits]) => {
+    if (!exits) {
+      return;
+    }
+    const exitChannels = exits;
+    Object.entries(exitChannels).forEach(([exitType, conn]) => {
+      const sourceId = nameToId.get(from) ?? from;
+      const sourceNode = nodeById.get(sourceId);
+      const enqueueEdges = (value, outputIndex) => {
+        flattenConnections(value).forEach((link) => {
+          if (!link || typeof link !== "object") return;
+          const targetId = nameToId.get(link.node) ?? link.node;
+          if (!targetId) return;
+          const edgeType = resolveEdgeType(exitType, outputIndex, sourceNode?.type);
+          edges.push({ from: sourceId, to: targetId, on: edgeType });
+        });
+      };
+      if (Array.isArray(conn)) {
+        conn.forEach((entry, index) => enqueueEdges(entry, index));
+      } else {
+        enqueueEdges(conn);
+      }
+    });
+  });
+  return {
+    nodes,
+    edges,
+    meta: {
+      credentials: !!parsed.credentials,
+      nodeLines: Object.fromEntries(nodeLines)
+    }
+  };
+}
+
+// src/rules/rule-utils.ts
+function createNodeRule(ruleId, configKey, logic) {
+  return (graph, ctx) => {
+    const ruleConfig = ctx.cfg.rules[configKey];
+    if (!ruleConfig?.enabled) {
+      return [];
+    }
+    const findings = [];
+    for (const node of graph.nodes) {
+      const result = logic(node, graph, ctx);
+      if (result) {
+        if (Array.isArray(result)) {
+          findings.push(...result);
+        } else {
+          findings.push(result);
+        }
+      }
+    }
+    return findings;
+  };
+}
+function createHardcodedStringRule({
+  ruleId,
+  severity,
+  configKey,
+  messageFn,
+  details
+}) {
+  const logic = (node, graph, ctx) => {
+    const cfg = ctx.cfg.rules[configKey];
+    if (!cfg.denylist_regex?.length) {
+      return null;
+    }
+    const regexes = cfg.denylist_regex.map((pattern) => toRegex(pattern));
+    const findings = [];
+    const strings = collectStrings(node.params);
+    for (const value of strings) {
+      if (!value || value.includes("{{")) {
+        continue;
+      }
+      if (regexes.some((regex) => regex.test(value))) {
+        findings.push({
+          rule: ruleId,
+          severity,
+          path: ctx.path,
+          message: messageFn(node, value),
+          nodeId: node.id,
+          line: ctx.nodeLines?.[node.id],
+          raw_details: details
+        });
+        break;
+      }
+    }
+    return findings;
+  };
+  return createNodeRule(ruleId, configKey, logic);
+}
+
+// src/rules/index.ts
+var r1Retry = createNodeRule("R1", "rate_limit_retry", (node, graph, ctx) => {
+  if (!isApiNode(node.type)) return null;
+  const params = node.params ?? {};
+  const options = params.options ?? {};
+  const retryCandidates = [
+    options.retryOnFail,
+    params.retryOnFail,
+    node.flags?.retryOnFail
+  ];
+  const retryOnFail = retryCandidates.find((value) => value !== void 0 && value !== null);
+  if (retryOnFail === true) {
+    return null;
+  }
+  if (typeof retryOnFail === "string") {
+    const normalized = retryOnFail.trim().toLowerCase();
+    if (retryOnFail.includes("{{") || normalized === "true") {
+      return null;
+    }
+  }
+  return {
+    rule: "R1",
+    severity: "must",
+    path: ctx.path,
+    message: `Node ${node.name || node.id} is missing retry/backoff configuration`,
+    raw_details: `In the node properties, enable "Retry on Fail" under Options.`,
+    nodeId: node.id,
+    line: ctx.nodeLines?.[node.id]
+  };
+});
+var r2ErrorHandling = createNodeRule("R2", "error_handling", (node, graph, ctx) => {
+  if (ctx.cfg.rules.error_handling.forbid_continue_on_fail && node.flags?.continueOnFail) {
+    return {
+      rule: "R2",
+      severity: "must",
+      path: ctx.path,
+      message: `Node ${node.name || node.id} has continueOnFail enabled (disable it and route errors explicitly)`,
+      nodeId: node.id,
+      line: ctx.nodeLines?.[node.id],
+      raw_details: 'Open the node in n8n and disable "Continue On Fail" (Options > Continue On Fail). Route failures down an explicit error branch instead.'
+    };
+  }
+  return null;
+});
+var r4Secrets = createHardcodedStringRule({
+  ruleId: "R4",
+  severity: "must",
+  configKey: "secrets",
+  messageFn: (node) => `Node ${node.name || node.id} contains a hardcoded secret (move it to credentials/env vars)`,
+  details: "Move API keys/tokens into Credentials or environment variables; the workflow should only reference {{$credentials.*}} expressions."
+});
+var r9ConfigLiterals = createHardcodedStringRule({
+  ruleId: "R9",
+  severity: "should",
+  configKey: "config_literals",
+  messageFn: (node, value) => `Node ${node.name || node.id} contains env-specific literal "${value.substring(0, 40)}" (move to expression/credential)`,
+  details: "Move environment-specific URLs/IDs into expressions or credentials (e.g., {{$env.API_BASE_URL}}) so the workflow is portable."
+});
+var r10NamingConvention = createNodeRule("R10", "naming_convention", (node, graph, ctx) => {
+  const genericNames = new Set(ctx.cfg.rules.naming_convention.generic_names ?? []);
+  if (!node.name || genericNames.has(node.name.toLowerCase())) {
+    return {
+      rule: "R10",
+      severity: "nit",
+      path: ctx.path,
+      message: `Node ${node.id} uses a generic name "${node.name ?? ""}" (rename it to describe the action)`,
+      nodeId: node.id,
+      line: ctx.nodeLines?.[node.id],
+      raw_details: 'Rename the node to describe its purpose (e.g., "Check subscription status" instead of "IF") for easier reviews and debugging.'
+    };
+  }
+  return null;
+});
+var DEPRECATED_NODES = {
+  "n8n-nodes-base.splitInBatches": "Use Loop over items instead",
+  "n8n-nodes-base.executeWorkflow": "Use Execute Workflow (Sub-Workflow) instead"
+};
+var r11DeprecatedNodes = createNodeRule("R11", "deprecated_nodes", (node, graph, ctx) => {
+  if (DEPRECATED_NODES[node.type]) {
+    return {
+      rule: "R11",
+      severity: "should",
+      path: ctx.path,
+      message: `Node ${node.name || node.id} uses deprecated type ${node.type} (replace with ${DEPRECATED_NODES[node.type]})`,
+      nodeId: node.id,
+      line: ctx.nodeLines?.[node.id],
+      raw_details: `Replace this node with ${DEPRECATED_NODES[node.type]} so future n8n upgrades don\xE2\u20AC\u2122t break the workflow.`
+    };
+  }
+  return null;
+});
+var r12UnhandledErrorPath = createNodeRule("R12", "unhandled_error_path", (node, graph, ctx) => {
+  if (!isErrorProneNode(node.type)) return null;
+  const hasErrorPath = graph.edges.some((edge) => {
+    if (edge.from !== node.id) return false;
+    if (edge.on === "error") return true;
+    const targetNode = graph.nodes.find((candidate) => candidate.id === edge.to);
+    return targetNode ? isErrorHandlerNode(targetNode.type, targetNode.name) : false;
+  });
+  if (!hasErrorPath) {
+    return {
+      rule: "R12",
+      severity: "must",
+      path: ctx.path,
+      message: `Node ${node.name || node.id} has no error branch (add a red connector to handler)`,
+      nodeId: node.id,
+      line: ctx.nodeLines?.[node.id],
+      raw_details: "Add an error (red) branch to a Stop and Error or logging/alert node so failures do not disappear silently."
+    };
+  }
+  return null;
+});
+function r13WebhookAcknowledgment(graph, ctx) {
+  const cfg = ctx.cfg.rules.webhook_acknowledgment;
+  if (!cfg?.enabled) return [];
+  const findings = [];
+  const webhookNodes = graph.nodes.filter(
+    (node) => node.type === "n8n-nodes-base.webhook" || node.type.includes("webhook") && !node.type.includes("respondToWebhook")
+  );
+  for (const webhookNode of webhookNodes) {
+    const directDownstream = graph.edges.filter((edge) => edge.from === webhookNode.id).map((edge) => graph.nodes.find((n) => n.id === edge.to)).filter((n) => !!n);
+    if (directDownstream.length === 0) continue;
+    const hasImmediateResponse = directDownstream.some(
+      (node) => node.type === "n8n-nodes-base.respondToWebhook" || /respond.*webhook/i.test(node.type) || /respond.*webhook/i.test(node.name || "")
+    );
+    if (hasImmediateResponse) continue;
+    const heavyNodeTypes = cfg.heavy_node_types || [
+      "n8n-nodes-base.httpRequest",
+      "n8n-nodes-base.postgres",
+      "n8n-nodes-base.mysql",
+      "n8n-nodes-base.mongodb",
+      "n8n-nodes-base.openAi",
+      "n8n-nodes-base.anthropic"
+    ];
+    const hasHeavyProcessing = directDownstream.some(
+      (node) => heavyNodeTypes.includes(node.type) || /loop|batch/i.test(node.type)
+    );
+    if (hasHeavyProcessing) {
+      findings.push({
+        rule: "R13",
+        severity: "must",
+        path: ctx.path,
+        message: `Webhook "${webhookNode.name || webhookNode.id}" performs heavy processing before acknowledgment (risk of timeout/duplicates)`,
+        nodeId: webhookNode.id,
+        line: ctx.nodeLines?.[webhookNode.id],
+        raw_details: `Add a "Respond to Webhook" node immediately after the webhook trigger (return 200/204), then perform heavy processing. This prevents webhook timeouts and duplicate events.`
+      });
+    }
+  }
+  return findings;
+}
+var r14RetryAfterCompliance = createNodeRule("R14", "retry_after_compliance", (node, graph, ctx) => {
+  if (!isApiNode(node.type)) return null;
+  const params = node.params ?? {};
+  const options = params.options ?? {};
+  const retryCandidates = [
+    options.retryOnFail,
+    params.retryOnFail,
+    node.flags?.retryOnFail
+  ];
+  const retryOnFail = retryCandidates.find((value) => value !== void 0 && value !== null);
+  if (!retryOnFail || retryOnFail === false) return null;
+  if (typeof retryOnFail === "string") {
+    const normalized = retryOnFail.trim().toLowerCase();
+    if (retryOnFail.includes("{{") && normalized !== "true") {
+      return null;
+    }
+  }
+  const waitBetweenTries = node.flags?.waitBetweenTries;
+  if (waitBetweenTries !== void 0 && waitBetweenTries !== null) {
+    if (typeof waitBetweenTries === "number") return null;
+    if (typeof waitBetweenTries === "string" && !isNaN(Number(waitBetweenTries)) && !waitBetweenTries.includes("{{")) {
+      return null;
+    }
+  }
+  const nodeStr = JSON.stringify(node);
+  const hasRetryAfterLogic = /retry[-_]?after|retryafter/i.test(nodeStr);
+  if (hasRetryAfterLogic) {
+    return null;
+  }
+  return {
+    rule: "R14",
+    severity: "should",
+    path: ctx.path,
+    message: `Node ${node.name || node.id} has retry logic but ignores Retry-After headers (429/503 responses)`,
+    raw_details: `Add expression to parse Retry-After header: const retryAfter = $json.headers['retry-after']; const delay = retryAfter ? (parseInt(retryAfter) || new Date(retryAfter) - Date.now()) : Math.min(1000 * Math.pow(2, $execution.retryCount), 60000); This prevents API bans and respects server rate limits.`,
+    nodeId: node.id,
+    line: ctx.nodeLines?.[node.id]
+  };
+});
+function r3Idempotency(graph, ctx) {
+  const cfg = ctx.cfg.rules.idempotency;
+  if (!cfg?.enabled) return [];
+  const hasIngress = graph.nodes.some((node) => /webhook|trigger|start/i.test(node.type));
+  if (!hasIngress) return [];
+  const mutationNodes = graph.nodes.filter((node) => isMutationNode(node.type));
+  if (!mutationNodes.length) return [];
+  const findings = [];
+  for (const mutationNode of mutationNodes) {
+    const upstreamNodeIds = findAllUpstreamNodes(graph, mutationNode.id);
+    const upstreamNodes = graph.nodes.filter((n) => upstreamNodeIds.has(n.id));
+    const hasGuard = upstreamNodes.some(
+      (p) => containsCandidate(p.params, cfg.key_field_candidates ?? [])
+    );
+    if (!hasGuard) {
+      findings.push({
+        rule: "R3",
+        severity: "must",
+        path: ctx.path,
+        message: `The mutation path ending at "${mutationNode.name || mutationNode.id}" appears to be missing an idempotency guard.`,
+        raw_details: `Ensure one of the upstream nodes or the mutation node itself uses an idempotency key, such as one of: ${(cfg.key_field_candidates ?? []).join(
+          ", "
+        )}`,
+        nodeId: mutationNode.id,
+        line: ctx.nodeLines?.[mutationNode.id]
+      });
+    }
+  }
+  return findings;
+}
+function r5DeadEnds(graph, ctx) {
+  const cfg = ctx.cfg.rules.dead_ends;
+  if (!cfg?.enabled) return [];
+  if (graph.nodes.length <= 1) return [];
+  const outgoing = /* @__PURE__ */ new Map();
+  for (const node of graph.nodes) outgoing.set(node.id, 0);
+  for (const edge of graph.edges) outgoing.set(edge.from, (outgoing.get(edge.from) || 0) + 1);
+  const findings = [];
+  for (const node of graph.nodes) {
+    if ((outgoing.get(node.id) || 0) === 0 && !isTerminalNode(node.type, node.name)) {
+      findings.push({
+        rule: "R5",
+        severity: "nit",
+        path: ctx.path,
+        message: `Node ${node.name || node.id} has no outgoing connections (either wire it up or remove it)`,
+        nodeId: node.id,
+        line: ctx.nodeLines?.[node.id],
+        raw_details: "Either remove this node as dead code or connect it to the next/safe step so the workflow can continue."
+      });
+    }
+  }
+  return findings;
+}
+function r6LongRunning(graph, ctx) {
+  const cfg = ctx.cfg.rules.long_running;
+  if (!cfg?.enabled) return [];
+  const findings = [];
+  const loopNodes = graph.nodes.filter((node) => /loop|batch|while|repeat/i.test(node.type));
+  for (const node of loopNodes) {
+    const iterations = readNumber(node.params, [
+      "maxIterations",
+      "maxIteration",
+      "limit",
+      "options.maxIterations"
+    ]);
+    if (!iterations || cfg.max_iterations && iterations > cfg.max_iterations) {
+      findings.push({
+        rule: "R6",
+        severity: "should",
+        path: ctx.path,
+        message: `Node ${node.name || node.id} allows ${iterations ?? "unbounded"} iterations (limit ${cfg.max_iterations}; set a lower cap)`,
+        nodeId: node.id,
+        line: ctx.nodeLines?.[node.id],
+        raw_details: `Set Options > Max iterations to \xE2\u2030\xA4 ${cfg.max_iterations} or split the processing into smaller batches.`
+      });
+    }
+    if (cfg.timeout_ms) {
+      const timeout = readNumber(node.params, ["timeout", "timeoutMs", "options.timeout"]);
+      if (timeout && timeout > cfg.timeout_ms) {
+        findings.push({
+          rule: "R6",
+          severity: "should",
+          path: ctx.path,
+          message: `Node ${node.name || node.id} uses timeout ${timeout}ms (limit ${cfg.timeout_ms}ms; shorten the timeout or break work apart)`,
+          nodeId: node.id,
+          line: ctx.nodeLines?.[node.id],
+          raw_details: `Lower the timeout to \xE2\u2030\xA4 ${cfg.timeout_ms}ms or split the workflow so no single step blocks for too long.`
+        });
+      }
+    }
+  }
+  return findings;
+}
+function r7AlertLogEnforcement(graph, ctx) {
+  const cfg = ctx.cfg.rules.alert_log_enforcement;
+  if (!cfg?.enabled) return [];
+  const findings = [];
+  const errorEdges = graph.edges.filter((edge) => edge.on === "error");
+  for (const edge of errorEdges) {
+    const fromNode = graph.nodes.find((n) => n.id === edge.from);
+    let isHandled = false;
+    const queue = [edge.to];
+    const visited = /* @__PURE__ */ new Set([edge.to]);
+    let head = 0;
+    while (head < queue.length) {
+      const currentId = queue[head++];
+      const currentNode = graph.nodes.find((n) => n.id === currentId);
+      if (isNotificationNode(currentNode.type) || isErrorHandlerNode(currentNode.type, currentNode.name)) {
+        isHandled = true;
+        break;
+      }
+      if (isRejoinNode(graph, currentId)) {
+        continue;
+      }
+      const outgoing = graph.edges.filter((e) => e.from === currentId);
+      for (const outEdge of outgoing) {
+        if (!visited.has(outEdge.to)) {
+          visited.add(outEdge.to);
+          queue.push(outEdge.to);
+        }
+      }
+    }
+    if (!isHandled) {
+      findings.push({
+        rule: "R7",
+        severity: "should",
+        path: ctx.path,
+        message: `Error path from node ${fromNode.name || fromNode.id} has no log/alert before rejoining (add notification node)`,
+        nodeId: fromNode.id,
+        line: ctx.nodeLines?.[fromNode.id],
+        raw_details: "Add a Slack/Email/Log node on the error branch before it rejoins the main flow so failures leave an audit trail."
+      });
+    }
+  }
+  return findings;
+}
+function r8UnusedData(graph, ctx) {
+  const cfg = ctx.cfg.rules.unused_data;
+  if (!cfg?.enabled) return [];
+  const findings = [];
+  for (const node of graph.nodes) {
+    if (isTerminalNode(node.type, node.name) || !graph.edges.some((e) => e.from === node.id)) {
+      continue;
+    }
+    const downstreamNodes = findAllDownstreamNodes(graph, node.id);
+    downstreamNodes.delete(node.id);
+    const leadsToConsumer = [...downstreamNodes].some((id) => {
+      const downstreamNode = graph.nodes.find((n) => n.id === id);
+      return isMeaningfulConsumer(downstreamNode);
+    });
+    if (!leadsToConsumer) {
+      findings.push({
+        rule: "R8",
+        severity: "nit",
+        path: ctx.path,
+        message: `Node "${node.name || node.id}" produces data that never reaches any consumer`,
+        nodeId: node.id,
+        line: ctx.nodeLines?.[node.id],
+        raw_details: "Wire this branch into a consumer (DB/API/response) or remove it\xE2\u20AC\u201Dotherwise the data produced here is never used."
+      });
+    }
+  }
+  return findings;
+}
+var rules = [
+  r1Retry,
+  r2ErrorHandling,
+  r3Idempotency,
+  r4Secrets,
+  r5DeadEnds,
+  r6LongRunning,
+  r7AlertLogEnforcement,
+  r8UnusedData,
+  r9ConfigLiterals,
+  r10NamingConvention,
+  r11DeprecatedNodes,
+  r12UnhandledErrorPath,
+  r13WebhookAcknowledgment,
+  r14RetryAfterCompliance
+];
+function runAllRules(graph, ctx) {
+  return rules.flatMap((rule) => rule(graph, ctx));
+}
+
+// src/config/default-config.ts
+var defaultConfig = {
+  files: {
+    include: ["**/*.n8n.json", "**/workflows/*.json", "**/workflows/**/*.json", "**/*.n8n.yaml", "**/*.json"],
+    ignore: [
+      "samples/**",
+      "**/*.spec.json",
+      "node_modules/**",
+      "package*.json",
+      "tsconfig*.json",
+      ".flowlint.yml",
+      ".github/**",
+      ".husky/**",
+      ".vscode/**",
+      "infra/**",
+      "*.config.js",
+      "*.config.ts",
+      "**/*.lock"
+    ]
+  },
+  report: { annotations: true, summary_limit: 25 },
+  rules: {
+    rate_limit_retry: {
+      enabled: true,
+      max_concurrency: 5,
+      default_retry: { count: 3, strategy: "exponential", base_ms: 500 }
+    },
+    error_handling: { enabled: true, forbid_continue_on_fail: true },
+    idempotency: { enabled: true, key_field_candidates: ["eventId", "messageId"] },
+    secrets: { enabled: true, denylist_regex: ["(?i)api[_-]?key", "Bearer "] },
+    dead_ends: { enabled: true },
+    long_running: { enabled: true, max_iterations: 1e3, timeout_ms: 3e5 },
+    unused_data: { enabled: true },
+    unhandled_error_path: { enabled: true },
+    alert_log_enforcement: { enabled: true },
+    deprecated_nodes: { enabled: true },
+    naming_convention: {
+      enabled: true,
+      generic_names: ["http request", "set", "if", "merge", "switch", "no-op", "start"]
+    },
+    config_literals: {
+      enabled: true,
+      denylist_regex: [
+        "(?i)\\b(dev|development)\\b",
+        "(?i)\\b(stag|staging)\\b",
+        "(?i)\\b(prod|production)\\b",
+        "(?i)\\b(test|testing)\\b"
+      ]
+    },
+    webhook_acknowledgment: {
+      enabled: true,
+      heavy_node_types: [
+        "n8n-nodes-base.httpRequest",
+        "n8n-nodes-base.postgres",
+        "n8n-nodes-base.mysql",
+        "n8n-nodes-base.mongodb",
+        "n8n-nodes-base.openAi",
+        "n8n-nodes-base.anthropic",
+        "n8n-nodes-base.huggingFace"
+      ]
+    },
+    retry_after_compliance: {
+      enabled: true,
+      suggest_exponential_backoff: true,
+      suggest_jitter: true
+    }
+  }
+};
+
+// src/config/loader.ts
+import YAML2 from "yaml";
+function deepMerge(base, override) {
+  const baseCopy = JSON.parse(JSON.stringify(base));
+  if (!override) return baseCopy;
+  return mergeInto(baseCopy, override);
+}
+function mergeInto(target, source) {
+  for (const [key, value] of Object.entries(source)) {
+    if (value === void 0 || value === null) continue;
+    if (Array.isArray(value)) {
+      target[key] = value;
+    } else if (typeof value === "object") {
+      if (typeof target[key] !== "object" || target[key] === null) {
+        target[key] = {};
+      }
+      mergeInto(target[key], value);
+    } else {
+      target[key] = value;
+    }
+  }
+  return target;
+}
+function parseConfig(content) {
+  const parsed = YAML2.parse(content) || {};
+  return deepMerge(defaultConfig, parsed);
+}
+function loadConfig(configPath) {
+  if (typeof globalThis !== "undefined" && "window" in globalThis) {
+    return defaultConfig;
+  }
+  if (configPath) {
+    return loadConfigFromFile(configPath);
+  }
+  return loadConfigFromCwd();
+}
+function loadConfigFromFile(configPath) {
+  try {
+    const fs = __require("fs");
+    if (!fs.existsSync(configPath)) {
+      return defaultConfig;
+    }
+    const content = fs.readFileSync(configPath, "utf-8");
+    return parseConfig(content);
+  } catch {
+    return defaultConfig;
+  }
+}
+function loadConfigFromCwd() {
+  try {
+    const fs = __require("fs");
+    const path = __require("path");
+    const candidates = [".flowlint.yml", ".flowlint.yaml", "flowlint.config.yml"];
+    const cwd = process.cwd();
+    for (const candidate of candidates) {
+      const configPath = path.join(cwd, candidate);
+      if (fs.existsSync(configPath)) {
+        const content = fs.readFileSync(configPath, "utf-8");
+        return parseConfig(content);
+      }
+    }
+    return defaultConfig;
+  } catch {
+    return defaultConfig;
+  }
+}
+function validateConfig(config) {
+  if (!config || typeof config !== "object") return false;
+  const c = config;
+  return "files" in c && "report" in c && "rules" in c && typeof c.files === "object" && typeof c.report === "object" && typeof c.rules === "object";
+}
+
+// src/utils/findings.ts
+function countFindingsBySeverity(findings) {
+  return {
+    must: findings.filter((f) => f.severity === "must").length,
+    should: findings.filter((f) => f.severity === "should").length,
+    nit: findings.filter((f) => f.severity === "nit").length,
+    total: findings.length
+  };
+}
+function getSeverityOrder() {
+  return { must: 0, should: 1, nit: 2 };
+}
+function sortFindingsBySeverity(findings) {
+  const order = getSeverityOrder();
+  return [...findings].sort((a, b) => order[a.severity] - order[b.severity]);
+}
+export {
+  ValidationError,
+  countFindingsBySeverity,
+  defaultConfig,
+  flattenConnections,
+  getExampleLink,
+  isApiNode,
+  isErrorProneNode,
+  isMutationNode,
+  isNotificationNode,
+  isTerminalNode,
+  loadConfig,
+  parseConfig,
+  parseN8n,
+  runAllRules,
+  sortFindingsBySeverity,
+  validateConfig,
+  validateN8nWorkflow
+};
+//# sourceMappingURL=index.mjs.map