@replikanti/flowlint-core 0.9.0 → 0.9.2

package/dist/index.js

@@ -678,8 +678,15 @@ function createHardcodedStringRule({
   return createNodeRule(ruleId, configKey, logic);
 }
 
-// src/rules/index.ts
-var r1Retry = createNodeRule("R1", "rate_limit_retry", (node, graph, ctx) => {
+// src/rules/lib/r1-retry.ts
+var metadata = {
+  id: "R1",
+  name: "rate_limit_retry",
+  severity: "must",
+  description: "Ensures that nodes making external API calls have a retry mechanism configured.",
+  details: "Critical for building resilient workflows that can handle transient network issues or temporary service unavailability."
+};
+var r1Retry = createNodeRule(metadata.id, metadata.name, (node, graph, ctx) => {
   if (!isApiNode(node.type)) return null;
   const params = node.params ?? {};
   const options = params.options ?? {};
@@ -699,8 +706,8 @@ var r1Retry = createNodeRule("R1", "rate_limit_retry", (node, graph, ctx) => {
     }
   }
   return {
-    rule: "R1",
-    severity: "must",
+    rule: metadata.id,
+    severity: metadata.severity,
     path: ctx.path,
     message: `Node ${node.name || node.id} is missing retry/backoff configuration`,
     raw_details: `In the node properties, enable "Retry on Fail" under Options.`,
@@ -708,11 +715,20 @@ var r1Retry = createNodeRule("R1", "rate_limit_retry", (node, graph, ctx) => {
     line: ctx.nodeLines?.[node.id]
   };
 });
-var r2ErrorHandling = createNodeRule("R2", "error_handling", (node, graph, ctx) => {
+
+// src/rules/lib/r2-error-handling.ts
+var metadata2 = {
+  id: "R2",
+  name: "error_handling",
+  severity: "must",
+  description: "Prevents the use of configurations that might hide errors.",
+  details: "Workflows should explicitly handle errors rather than ignoring them with continueOnFail: true."
+};
+var r2ErrorHandling = createNodeRule(metadata2.id, metadata2.name, (node, graph, ctx) => {
   if (ctx.cfg.rules.error_handling.forbid_continue_on_fail && node.flags?.continueOnFail) {
     return {
-      rule: "R2",
-      severity: "must",
+      rule: metadata2.id,
+      severity: metadata2.severity,
       path: ctx.path,
       message: `Node ${node.name || node.id} has continueOnFail enabled (disable it and route errors explicitly)`,
       nodeId: node.id,
@@ -722,152 +738,15 @@ var r2ErrorHandling = createNodeRule("R2", "error_handling", (node, graph, ctx)
   }
   return null;
 });
-var r4Secrets = createHardcodedStringRule({
-  ruleId: "R4",
-  severity: "must",
-  configKey: "secrets",
-  messageFn: (node) => `Node ${node.name || node.id} contains a hardcoded secret (move it to credentials/env vars)`,
-  details: "Move API keys/tokens into Credentials or environment variables; the workflow should only reference {{$credentials.*}} expressions."
-});
-var r9ConfigLiterals = createHardcodedStringRule({
-  ruleId: "R9",
+
+// src/rules/lib/r3-idempotency.ts
+var metadata3 = {
+  id: "R3",
+  name: "idempotency",
   severity: "should",
-  configKey: "config_literals",
-  messageFn: (node, value) => `Node ${node.name || node.id} contains env-specific literal "${value.substring(0, 40)}" (move to expression/credential)`,
-  details: "Move environment-specific URLs/IDs into expressions or credentials (e.g., {{$env.API_BASE_URL}}) so the workflow is portable."
-});
-var r10NamingConvention = createNodeRule("R10", "naming_convention", (node, graph, ctx) => {
-  const genericNames = new Set(ctx.cfg.rules.naming_convention.generic_names ?? []);
-  if (!node.name || genericNames.has(node.name.toLowerCase())) {
-    return {
-      rule: "R10",
-      severity: "nit",
-      path: ctx.path,
-      message: `Node ${node.id} uses a generic name "${node.name ?? ""}" (rename it to describe the action)`,
-      nodeId: node.id,
-      line: ctx.nodeLines?.[node.id],
-      raw_details: 'Rename the node to describe its purpose (e.g., "Check subscription status" instead of "IF") for easier reviews and debugging.'
-    };
-  }
-  return null;
-});
-var DEPRECATED_NODES = {
-  "n8n-nodes-base.splitInBatches": "Use Loop over items instead",
-  "n8n-nodes-base.executeWorkflow": "Use Execute Workflow (Sub-Workflow) instead"
+  description: "Guards against operations that are not idempotent with retries configured.",
+  details: "Detects patterns where a webhook trigger could lead to duplicate processing in databases or external services."
 };
-var r11DeprecatedNodes = createNodeRule("R11", "deprecated_nodes", (node, graph, ctx) => {
-  if (DEPRECATED_NODES[node.type]) {
-    return {
-      rule: "R11",
-      severity: "should",
-      path: ctx.path,
-      message: `Node ${node.name || node.id} uses deprecated type ${node.type} (replace with ${DEPRECATED_NODES[node.type]})`,
-      nodeId: node.id,
-      line: ctx.nodeLines?.[node.id],
-      raw_details: `Replace this node with ${DEPRECATED_NODES[node.type]} so future n8n upgrades don\xE2\u20AC\u2122t break the workflow.`
-    };
-  }
-  return null;
-});
-var r12UnhandledErrorPath = createNodeRule("R12", "unhandled_error_path", (node, graph, ctx) => {
-  if (!isErrorProneNode(node.type)) return null;
-  const hasErrorPath = graph.edges.some((edge) => {
-    if (edge.from !== node.id) return false;
-    if (edge.on === "error") return true;
-    const targetNode = graph.nodes.find((candidate) => candidate.id === edge.to);
-    return targetNode ? isErrorHandlerNode(targetNode.type, targetNode.name) : false;
-  });
-  if (!hasErrorPath) {
-    return {
-      rule: "R12",
-      severity: "must",
-      path: ctx.path,
-      message: `Node ${node.name || node.id} has no error branch (add a red connector to handler)`,
-      nodeId: node.id,
-      line: ctx.nodeLines?.[node.id],
-      raw_details: "Add an error (red) branch to a Stop and Error or logging/alert node so failures do not disappear silently."
-    };
-  }
-  return null;
-});
-function r13WebhookAcknowledgment(graph, ctx) {
-  const cfg = ctx.cfg.rules.webhook_acknowledgment;
-  if (!cfg?.enabled) return [];
-  const findings = [];
-  const webhookNodes = graph.nodes.filter(
-    (node) => node.type === "n8n-nodes-base.webhook" || node.type.includes("webhook") && !node.type.includes("respondToWebhook")
-  );
-  for (const webhookNode of webhookNodes) {
-    const directDownstream = graph.edges.filter((edge) => edge.from === webhookNode.id).map((edge) => graph.nodes.find((n) => n.id === edge.to)).filter((n) => !!n);
-    if (directDownstream.length === 0) continue;
-    const hasImmediateResponse = directDownstream.some(
-      (node) => node.type === "n8n-nodes-base.respondToWebhook" || /respond.*webhook/i.test(node.type) || /respond.*webhook/i.test(node.name || "")
-    );
-    if (hasImmediateResponse) continue;
-    const heavyNodeTypes = cfg.heavy_node_types || [
-      "n8n-nodes-base.httpRequest",
-      "n8n-nodes-base.postgres",
-      "n8n-nodes-base.mysql",
-      "n8n-nodes-base.mongodb",
-      "n8n-nodes-base.openAi",
-      "n8n-nodes-base.anthropic"
-    ];
-    const hasHeavyProcessing = directDownstream.some(
-      (node) => heavyNodeTypes.includes(node.type) || /loop|batch/i.test(node.type)
-    );
-    if (hasHeavyProcessing) {
-      findings.push({
-        rule: "R13",
-        severity: "must",
-        path: ctx.path,
-        message: `Webhook "${webhookNode.name || webhookNode.id}" performs heavy processing before acknowledgment (risk of timeout/duplicates)`,
-        nodeId: webhookNode.id,
-        line: ctx.nodeLines?.[webhookNode.id],
-        raw_details: `Add a "Respond to Webhook" node immediately after the webhook trigger (return 200/204), then perform heavy processing. This prevents webhook timeouts and duplicate events.`
-      });
-    }
-  }
-  return findings;
-}
-var r14RetryAfterCompliance = createNodeRule("R14", "retry_after_compliance", (node, graph, ctx) => {
-  if (!isApiNode(node.type)) return null;
-  const params = node.params ?? {};
-  const options = params.options ?? {};
-  const retryCandidates = [
-    options.retryOnFail,
-    params.retryOnFail,
-    node.flags?.retryOnFail
-  ];
-  const retryOnFail = retryCandidates.find((value) => value !== void 0 && value !== null);
-  if (!retryOnFail || retryOnFail === false) return null;
-  if (typeof retryOnFail === "string") {
-    const normalized = retryOnFail.trim().toLowerCase();
-    if (retryOnFail.includes("{{") && normalized !== "true") {
-      return null;
-    }
-  }
-  const waitBetweenTries = node.flags?.waitBetweenTries;
-  if (waitBetweenTries !== void 0 && waitBetweenTries !== null) {
-    if (typeof waitBetweenTries === "number") return null;
-    if (typeof waitBetweenTries === "string" && !isNaN(Number(waitBetweenTries)) && !waitBetweenTries.includes("{{")) {
-      return null;
-    }
-  }
-  const nodeStr = JSON.stringify(node);
-  const hasRetryAfterLogic = /retry[-_]?after|retryafter/i.test(nodeStr);
-  if (hasRetryAfterLogic) {
-    return null;
-  }
-  return {
-    rule: "R14",
-    severity: "should",
-    path: ctx.path,
-    message: `Node ${node.name || node.id} has retry logic but ignores Retry-After headers (429/503 responses)`,
-    raw_details: `Add expression to parse Retry-After header: const retryAfter = $json.headers['retry-after']; const delay = retryAfter ? (parseInt(retryAfter) || new Date(retryAfter) - Date.now()) : Math.min(1000 * Math.pow(2, $execution.retryCount), 60000); This prevents API bans and respects server rate limits.`,
-    nodeId: node.id,
-    line: ctx.nodeLines?.[node.id]
-  };
-});
 function r3Idempotency(graph, ctx) {
   const cfg = ctx.cfg.rules.idempotency;
   if (!cfg?.enabled) return [];
@@ -884,8 +763,8 @@ function r3Idempotency(graph, ctx) {
     );
     if (!hasGuard) {
       findings.push({
-        rule: "R3",
-        severity: "must",
+        rule: metadata3.id,
+        severity: metadata3.severity,
         path: ctx.path,
         message: `The mutation path ending at "${mutationNode.name || mutationNode.id}" appears to be missing an idempotency guard.`,
         raw_details: `Ensure one of the upstream nodes or the mutation node itself uses an idempotency key, such as one of: ${(cfg.key_field_candidates ?? []).join(
@@ -898,6 +777,31 @@ function r3Idempotency(graph, ctx) {
   }
   return findings;
 }
+
+// src/rules/lib/r4-secrets.ts
+var metadata4 = {
+  id: "R4",
+  name: "secrets",
+  severity: "must",
+  description: "Detects hardcoded secrets, API keys, or credentials within node parameters.",
+  details: "All secrets should be stored securely using credential management systems."
+};
+var r4Secrets = createHardcodedStringRule({
+  ruleId: metadata4.id,
+  severity: metadata4.severity,
+  configKey: "secrets",
+  messageFn: (node) => `Node ${node.name || node.id} contains a hardcoded secret (move it to credentials/env vars)`,
+  details: "Move API keys/tokens into Credentials or environment variables; the workflow should only reference {{$credentials.*}} expressions."
+});
+
+// src/rules/lib/r5-dead-ends.ts
+var metadata5 = {
+  id: "R5",
+  name: "dead_ends",
+  severity: "should",
+  description: "Finds nodes or workflow branches not connected to any other node.",
+  details: "Indicates incomplete or dead logic that should be reviewed or removed."
+};
 function r5DeadEnds(graph, ctx) {
   const cfg = ctx.cfg.rules.dead_ends;
   if (!cfg?.enabled) return [];
@@ -909,8 +813,8 @@ function r5DeadEnds(graph, ctx) {
   for (const node of graph.nodes) {
     if ((outgoing.get(node.id) || 0) === 0 && !isTerminalNode(node.type, node.name)) {
       findings.push({
-        rule: "R5",
-        severity: "nit",
+        rule: metadata5.id,
+        severity: metadata5.severity,
         path: ctx.path,
         message: `Node ${node.name || node.id} has no outgoing connections (either wire it up or remove it)`,
         nodeId: node.id,
@@ -921,6 +825,15 @@ function r5DeadEnds(graph, ctx) {
   }
   return findings;
 }
+
+// src/rules/lib/r6-long-running.ts
+var metadata6 = {
+  id: "R6",
+  name: "long_running",
+  severity: "should",
+  description: "Flags workflows with potential for excessive runtime.",
+  details: "Detects loops with high iteration counts or long timeouts that could cause performance issues."
+};
 function r6LongRunning(graph, ctx) {
   const cfg = ctx.cfg.rules.long_running;
   if (!cfg?.enabled) return [];
@@ -935,32 +848,41 @@ function r6LongRunning(graph, ctx) {
     ]);
     if (!iterations || cfg.max_iterations && iterations > cfg.max_iterations) {
       findings.push({
-        rule: "R6",
-        severity: "should",
+        rule: metadata6.id,
+        severity: metadata6.severity,
         path: ctx.path,
         message: `Node ${node.name || node.id} allows ${iterations ?? "unbounded"} iterations (limit ${cfg.max_iterations}; set a lower cap)`,
         nodeId: node.id,
         line: ctx.nodeLines?.[node.id],
-        raw_details: `Set Options > Max iterations to \xE2\u2030\xA4 ${cfg.max_iterations} or split the processing into smaller batches.`
+        raw_details: `Set Options > Max iterations to \u2264 ${cfg.max_iterations} or split the processing into smaller batches.`
       });
     }
     if (cfg.timeout_ms) {
       const timeout = readNumber(node.params, ["timeout", "timeoutMs", "options.timeout"]);
       if (timeout && timeout > cfg.timeout_ms) {
         findings.push({
-          rule: "R6",
-          severity: "should",
+          rule: metadata6.id,
+          severity: metadata6.severity,
           path: ctx.path,
           message: `Node ${node.name || node.id} uses timeout ${timeout}ms (limit ${cfg.timeout_ms}ms; shorten the timeout or break work apart)`,
           nodeId: node.id,
           line: ctx.nodeLines?.[node.id],
-          raw_details: `Lower the timeout to \xE2\u2030\xA4 ${cfg.timeout_ms}ms or split the workflow so no single step blocks for too long.`
+          raw_details: `Lower the timeout to \u2264 ${cfg.timeout_ms}ms or split the workflow so no single step blocks for too long.`
         });
       }
     }
   }
   return findings;
 }
+
+// src/rules/lib/r7-alert-log-enforcement.ts
+var metadata7 = {
+  id: "R7",
+  name: "alert_log_enforcement",
+  severity: "should",
+  description: "Ensures critical paths include logging or alerting steps.",
+  details: "For example, a failed payment processing branch should trigger an alert for monitoring."
+};
 function r7AlertLogEnforcement(graph, ctx) {
   const cfg = ctx.cfg.rules.alert_log_enforcement;
   if (!cfg?.enabled) return [];
@@ -992,8 +914,8 @@ function r7AlertLogEnforcement(graph, ctx) {
     }
     if (!isHandled) {
       findings.push({
-        rule: "R7",
-        severity: "should",
+        rule: metadata7.id,
+        severity: metadata7.severity,
         path: ctx.path,
         message: `Error path from node ${fromNode.name || fromNode.id} has no log/alert before rejoining (add notification node)`,
         nodeId: fromNode.id,
@@ -1004,6 +926,15 @@ function r7AlertLogEnforcement(graph, ctx) {
   }
   return findings;
 }
+
+// src/rules/lib/r8-unused-data.ts
+var metadata8 = {
+  id: "R8",
+  name: "unused_data",
+  severity: "nit",
+  description: "Detects when node output data is not consumed by subsequent nodes.",
+  details: "Identifies unnecessary data processing that could be optimized or removed."
+};
 function r8UnusedData(graph, ctx) {
   const cfg = ctx.cfg.rules.unused_data;
   if (!cfg?.enabled) return [];
@@ -1020,18 +951,213 @@ function r8UnusedData(graph, ctx) {
     });
     if (!leadsToConsumer) {
       findings.push({
-        rule: "R8",
-        severity: "nit",
+        rule: metadata8.id,
+        severity: metadata8.severity,
         path: ctx.path,
         message: `Node "${node.name || node.id}" produces data that never reaches any consumer`,
         nodeId: node.id,
         line: ctx.nodeLines?.[node.id],
-        raw_details: "Wire this branch into a consumer (DB/API/response) or remove it\xE2\u20AC\u201Dotherwise the data produced here is never used."
+        raw_details: "Wire this branch into a consumer (DB/API/response) or remove it\u2014otherwise the data produced here is never used."
+      });
+    }
+  }
+  return findings;
+}
+
+// src/rules/lib/r9-config-literals.ts
+var metadata9 = {
+  id: "R9",
+  name: "config_literals",
+  severity: "should",
+  description: "Flags hardcoded literals (URLs, environment tags, tenant IDs) that should come from configuration.",
+  details: "Promotes externalized configuration and prevents hardcoded environment-specific values."
+};
+var r9ConfigLiterals = createHardcodedStringRule({
+  ruleId: metadata9.id,
+  severity: metadata9.severity,
+  configKey: "config_literals",
+  messageFn: (node, value) => `Node ${node.name || node.id} contains env-specific literal "${value.substring(0, 40)}" (move to expression/credential)`,
+  details: "Move environment-specific URLs/IDs into expressions or credentials (e.g., {{$env.API_BASE_URL}}) so the workflow is portable."
+});
+
+// src/rules/lib/r10-naming-convention.ts
+var metadata10 = {
+  id: "R10",
+  name: "naming_convention",
+  severity: "nit",
+  description: "Enforces consistent and descriptive naming for nodes.",
+  details: "Enforces consistent and descriptive naming for nodes. Improves workflow readability and maintainability (e.g., 'Fetch Customer Data from CRM' vs 'HTTP Request')."
+};
+var r10NamingConvention = createNodeRule(metadata10.id, metadata10.name, (node, graph, ctx) => {
+  const genericNames = new Set(ctx.cfg.rules.naming_convention.generic_names ?? []);
+  if (!node.name || genericNames.has(node.name.toLowerCase())) {
+    return {
+      rule: metadata10.id,
+      severity: metadata10.severity,
+      path: ctx.path,
+      message: `Node ${node.id} uses a generic name "${node.name ?? ""}" (rename it to describe the action)`,
+      nodeId: node.id,
+      line: ctx.nodeLines?.[node.id],
+      raw_details: 'Rename the node to describe its purpose (e.g., "Check subscription status" instead of "IF") for easier reviews and debugging.'
+    };
+  }
+  return null;
+});
+
+// src/rules/lib/r11-deprecated-nodes.ts
+var metadata11 = {
+  id: "R11",
+  name: "deprecated_nodes",
+  severity: "should",
+  description: "Warns about deprecated node types and suggests alternatives.",
+  details: "Helps maintain workflows using current, supported node implementations."
+};
+var DEPRECATED_NODES = {
+  "n8n-nodes-base.splitInBatches": "Use Loop over items instead",
+  "n8n-nodes-base.executeWorkflow": "Use Execute Workflow (Sub-Workflow) instead"
+};
+var r11DeprecatedNodes = createNodeRule(metadata11.id, metadata11.name, (node, graph, ctx) => {
+  if (DEPRECATED_NODES[node.type]) {
+    return {
+      rule: metadata11.id,
+      severity: metadata11.severity,
+      path: ctx.path,
+      message: `Node ${node.name || node.id} uses deprecated type ${node.type} (replace with ${DEPRECATED_NODES[node.type]})`,
+      nodeId: node.id,
+      line: ctx.nodeLines?.[node.id],
+      raw_details: `Replace this node with ${DEPRECATED_NODES[node.type]} so future n8n upgrades don\u2019t break the workflow.`
+    };
+  }
+  return null;
+});
+
+// src/rules/lib/r12-unhandled-error-path.ts
+var metadata12 = {
+  id: "R12",
+  name: "unhandled_error_path",
+  severity: "must",
+  description: "Ensures nodes with error outputs have connected error handling branches.",
+  details: "Prevents silent failures by requiring explicit error path handling."
+};
+var r12UnhandledErrorPath = createNodeRule(metadata12.id, metadata12.name, (node, graph, ctx) => {
+  if (!isErrorProneNode(node.type)) return null;
+  const hasErrorPath = graph.edges.some((edge) => {
+    if (edge.from !== node.id) return false;
+    if (edge.on === "error") return true;
+    const targetNode = graph.nodes.find((candidate) => candidate.id === edge.to);
+    return targetNode ? isErrorHandlerNode(targetNode.type, targetNode.name) : false;
+  });
+  if (!hasErrorPath) {
+    return {
+      rule: metadata12.id,
+      severity: metadata12.severity,
+      path: ctx.path,
+      message: `Node ${node.name || node.id} has no error branch (add a red connector to handler)`,
+      nodeId: node.id,
+      line: ctx.nodeLines?.[node.id],
+      raw_details: "Add an error (red) branch to a Stop and Error or logging/alert node so failures do not disappear silently."
+    };
+  }
+  return null;
+});
+
+// src/rules/lib/r13-webhook-acknowledgment.ts
+var metadata13 = {
+  id: "R13",
+  name: "webhook_acknowledgment",
+  severity: "must",
+  description: "Detects webhooks performing heavy processing without immediate acknowledgment.",
+  details: "Prevents timeout and duplicate events by requiring 'Respond to Webhook' node before heavy operations (HTTP requests, database queries, AI/LLM calls)."
+};
+function r13WebhookAcknowledgment(graph, ctx) {
+  const cfg = ctx.cfg.rules.webhook_acknowledgment;
+  if (!cfg?.enabled) return [];
+  const findings = [];
+  const webhookNodes = graph.nodes.filter(
+    (node) => node.type === "n8n-nodes-base.webhook" || node.type.includes("webhook") && !node.type.includes("respondToWebhook")
+  );
+  for (const webhookNode of webhookNodes) {
+    const directDownstream = graph.edges.filter((edge) => edge.from === webhookNode.id).map((edge) => graph.nodes.find((n) => n.id === edge.to)).filter((n) => !!n);
+    if (directDownstream.length === 0) continue;
+    const hasImmediateResponse = directDownstream.some(
+      (node) => node.type === "n8n-nodes-base.respondToWebhook" || /respond.*webhook/i.test(node.type) || /respond.*webhook/i.test(node.name || "")
+    );
+    if (hasImmediateResponse) continue;
+    const heavyNodeTypes = cfg.heavy_node_types || [
+      "n8n-nodes-base.httpRequest",
+      "n8n-nodes-base.postgres",
+      "n8n-nodes-base.mysql",
+      "n8n-nodes-base.mongodb",
+      "n8n-nodes-base.openAi",
+      "n8n-nodes-base.anthropic"
+    ];
+    const hasHeavyProcessing = directDownstream.some(
+      (node) => heavyNodeTypes.includes(node.type) || /loop|batch/i.test(node.type)
+    );
+    if (hasHeavyProcessing) {
+      findings.push({
+        rule: metadata13.id,
+        severity: metadata13.severity,
+        path: ctx.path,
+        message: `Webhook "${webhookNode.name || webhookNode.id}" performs heavy processing before acknowledgment (risk of timeout/duplicates)`,
+        nodeId: webhookNode.id,
+        line: ctx.nodeLines?.[webhookNode.id],
+        raw_details: `Add a "Respond to Webhook" node immediately after the webhook trigger (return 200/204), then perform heavy processing. This prevents webhook timeouts and duplicate events.`
       });
     }
   }
   return findings;
 }
+
+// src/rules/lib/r14-retry-after-compliance.ts
+var metadata14 = {
+  id: "R14",
+  name: "retry_after_compliance",
+  severity: "should",
+  description: "Detects HTTP nodes with retry logic that ignore Retry-After headers from 429/503 responses.",
+  details: "APIs return Retry-After headers (seconds or HTTP date) to indicate when to retry. Ignoring these causes aggressive retry storms, wasted attempts, and potential API bans. Respecting server guidance prevents IP blocking and extended backoffs."
+};
+var r14RetryAfterCompliance = createNodeRule(metadata14.id, metadata14.name, (node, graph, ctx) => {
+  if (!isApiNode(node.type)) return null;
+  const params = node.params ?? {};
+  const options = params.options ?? {};
+  const retryCandidates = [
+    options.retryOnFail,
+    params.retryOnFail,
+    node.flags?.retryOnFail
+  ];
+  const retryOnFail = retryCandidates.find((value) => value !== void 0 && value !== null);
+  if (!retryOnFail || retryOnFail === false) return null;
+  if (typeof retryOnFail === "string") {
+    const normalized = retryOnFail.trim().toLowerCase();
+    if (retryOnFail.includes("{{") && normalized !== "true") {
+      return null;
+    }
+  }
+  const waitBetweenTries = node.flags?.waitBetweenTries;
+  if (waitBetweenTries !== void 0 && waitBetweenTries !== null) {
+    if (typeof waitBetweenTries === "number") return null;
+    if (typeof waitBetweenTries === "string" && !isNaN(Number(waitBetweenTries)) && !waitBetweenTries.includes("{{")) {
+      return null;
+    }
+  }
+  const nodeStr = JSON.stringify(node);
+  const hasRetryAfterLogic = /retry[-_]?after|retryafter/i.test(nodeStr);
+  if (hasRetryAfterLogic) {
+    return null;
+  }
+  return {
+    rule: metadata14.id,
+    severity: metadata14.severity,
+    path: ctx.path,
+    message: `Node ${node.name || node.id} has retry logic but ignores Retry-After headers (429/503 responses)`,
+    raw_details: `Add expression to parse Retry-After header: const retryAfter = $json.headers['retry-after']; const delay = retryAfter ? (parseInt(retryAfter) || new Date(retryAfter) - Date.now()) : Math.min(1000 * Math.pow(2, $execution.retryCount), 60000); This prevents API bans and respects server rate limits.`,
+    nodeId: node.id,
+    line: ctx.nodeLines?.[node.id]
+  };
+});
+
+// src/rules/index.ts
 var rules = [
   r1Retry,
   r2ErrorHandling,
@@ -1054,104 +1180,20 @@ function runAllRules(graph, ctx) {
 
 // src/rules/metadata.ts
 var RULES_METADATA = [
-  {
-    id: "R1",
-    name: "rate_limit_retry",
-    severity: "must",
-    description: "Ensures that nodes making external API calls have a retry mechanism configured.",
-    details: "Critical for building resilient workflows that can handle transient network issues or temporary service unavailability."
-  },
-  {
-    id: "R2",
-    name: "error_handling",
-    severity: "must",
-    description: "Prevents the use of configurations that might hide errors.",
-    details: "Workflows should explicitly handle errors rather than ignoring them with continueOnFail: true."
-  },
-  {
-    id: "R3",
-    name: "idempotency",
-    severity: "should",
-    description: "Guards against operations that are not idempotent with retries configured.",
-    details: "Detects patterns where a webhook trigger could lead to duplicate processing in databases or external services."
-  },
-  {
-    id: "R4",
-    name: "secrets",
-    severity: "must",
-    description: "Detects hardcoded secrets, API keys, or credentials within node parameters.",
-    details: "All secrets should be stored securely using credential management systems."
-  },
-  {
-    id: "R5",
-    name: "dead_ends",
-    severity: "should",
-    description: "Finds nodes or workflow branches not connected to any other node.",
-    details: "Indicates incomplete or dead logic that should be reviewed or removed."
-  },
-  {
-    id: "R6",
-    name: "long_running",
-    severity: "should",
-    description: "Flags workflows with potential for excessive runtime.",
-    details: "Detects loops with high iteration counts or long timeouts that could cause performance issues."
-  },
-  {
-    id: "R7",
-    name: "alert_log_enforcement",
-    severity: "should",
-    description: "Ensures critical paths include logging or alerting steps.",
-    details: "For example, a failed payment processing branch should trigger an alert for monitoring."
-  },
-  {
-    id: "R8",
-    name: "unused_data",
-    severity: "nit",
-    description: "Detects when node output data is not consumed by subsequent nodes.",
-    details: "Identifies unnecessary data processing that could be optimized or removed."
-  },
-  {
-    id: "R9",
-    name: "config_literals",
-    severity: "should",
-    description: "Flags hardcoded literals (URLs, environment tags, tenant IDs) that should come from configuration.",
-    details: "Promotes externalized configuration and prevents hardcoded environment-specific values."
-  },
-  {
-    id: "R10",
-    name: "naming_convention",
-    severity: "nit",
-    description: "Enforces consistent and descriptive naming for nodes.",
-    details: "Improves workflow readability and maintainability (e.g., 'Fetch Customer Data from CRM' vs 'HTTP Request')."
-  },
-  {
-    id: "R11",
-    name: "deprecated_nodes",
-    severity: "should",
-    description: "Warns about deprecated node types and suggests alternatives.",
-    details: "Helps maintain workflows using current, supported node implementations."
-  },
-  {
-    id: "R12",
-    name: "unhandled_error_path",
-    severity: "must",
-    description: "Ensures nodes with error outputs have connected error handling branches.",
-    details: "Prevents silent failures by requiring explicit error path handling."
-  },
-  {
-    id: "R13",
-    name: "webhook_acknowledgment",
-    severity: "must",
-    description: "Detects webhooks performing heavy processing without immediate acknowledgment.",
-    details: "Prevents timeout and duplicate events by requiring 'Respond to Webhook' node before heavy operations (HTTP requests, database queries, AI/LLM calls)."
-  },
-  {
-    id: "R14",
-    name: "retry_after_compliance",
-    severity: "should",
-    description: "Detects HTTP nodes with retry logic that ignore Retry-After headers from 429/503 responses.",
-    details: "APIs return Retry-After headers (seconds or HTTP date) to indicate when to retry. Ignoring these causes aggressive retry storms, wasted attempts, and potential API bans. Respecting server guidance prevents IP blocking and extended backoffs."
-  }
+  metadata,
+  metadata2,
+  metadata3,
+  metadata4,
+  metadata5,
+  metadata6,
+  metadata7,
+  metadata8,
+  metadata9,
+  metadata10,
+  metadata11,
+  metadata12,
+  metadata13,
+  metadata14
 ];
 
 // src/config/default-config.ts