@soulbatical/tetra-dev-toolkit 1.3.3 → 1.4.0

package/lib/checks/health/coverage-thresholds.js

@@ -0,0 +1,199 @@
+/**
+ * Health Check: Test Coverage Thresholds
+ *
+ * Checks that test coverage thresholds are configured and enforced.
+ * Score: up to 3 points:
+ *   +1 for coverage config in test framework (jest/vitest)
+ *   +1 for threshold values defined (statements/branches/lines)
+ *   +1 for coverage script in package.json or CI enforcement
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('coverage-thresholds', 3, {
+    framework: null,
+    hasCoverageConfig: false,
+    hasThresholds: false,
+    thresholds: null,
+    hasCoverageScript: false,
+    coverageScript: null,
+    hasCiCoverage: false,
+    message: ''
+  })
+
+  // Check Jest configs
+  const jestConfigs = [
+    'jest.config.js',
+    'jest.config.ts',
+    'jest.config.cjs',
+    'jest.config.mjs',
+    'backend/jest.config.js',
+    'backend/jest.config.ts'
+  ]
+
+  for (const config of jestConfigs) {
+    const configPath = join(projectPath, config)
+    if (!existsSync(configPath)) continue
+
+    try {
+      const content = readFileSync(configPath, 'utf-8')
+      result.details.framework = 'jest'
+
+      // Check for coverage configuration
+      if (content.includes('collectCoverage') || content.includes('coverageDirectory') ||
+          content.includes('coverageReporters') || content.includes('collectCoverageFrom')) {
+        result.details.hasCoverageConfig = true
+        result.score += 1
+      }
+
+      // Check for thresholds
+      if (content.includes('coverageThreshold')) {
+        result.details.hasThresholds = true
+        result.score += 1
+
+        // Try to extract threshold values
+        const thresholdMatch = content.match(/coverageThreshold\s*:\s*\{[\s\S]*?global\s*:\s*\{([^}]+)\}/)
+        if (thresholdMatch) {
+          result.details.thresholds = thresholdMatch[1].trim()
+        }
+      }
+    } catch { /* ignore */ }
+    break
+  }
+
+  // Check Vitest configs
+  if (!result.details.framework) {
+    const vitestConfigs = [
+      'vitest.config.ts',
+      'vitest.config.js',
+      'vitest.config.mjs',
+      'vite.config.ts',
+      'vite.config.js',
+      'backend/vitest.config.ts',
+      'backend/vite.config.ts'
+    ]
+
+    for (const config of vitestConfigs) {
+      const configPath = join(projectPath, config)
+      if (!existsSync(configPath)) continue
+
+      try {
+        const content = readFileSync(configPath, 'utf-8')
+
+        // Only count as vitest if it has test config
+        if (!content.includes('test')) continue
+
+        result.details.framework = 'vitest'
+
+        if (content.includes('coverage')) {
+          result.details.hasCoverageConfig = true
+          result.score += 1
+        }
+
+        if (content.includes('thresholds') || content.includes('threshold')) {
+          result.details.hasThresholds = true
+          result.score += 1
+        }
+      } catch { /* ignore */ }
+      break
+    }
+  }
+
+  // Also check package.json for jest coverage config
+  if (!result.details.hasCoverageConfig) {
+    const pkgPath = join(projectPath, 'package.json')
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+        if (pkg.jest) {
+          result.details.framework = result.details.framework || 'jest'
+          if (pkg.jest.collectCoverage || pkg.jest.coverageReporters) {
+            result.details.hasCoverageConfig = true
+            result.score += 1
+          }
+          if (pkg.jest.coverageThreshold) {
+            result.details.hasThresholds = true
+            result.score += 1
+            const global = pkg.jest.coverageThreshold.global
+            if (global) {
+              result.details.thresholds = global
+            }
+          }
+        }
+      } catch { /* ignore */ }
+    }
+  }
+
+  // Check for coverage script
+  const packageLocations = [
+    'package.json',
+    'backend/package.json',
+    'frontend/package.json'
+  ]
+
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      const scripts = pkg.scripts || {}
+
+      for (const [name, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (name.includes('coverage') || cmd.includes('--coverage') ||
+            cmd.includes('--coverageThreshold')) {
+          result.details.hasCoverageScript = true
+          result.details.coverageScript = `${loc} → ${name}`
+          break
+        }
+      }
+      if (result.details.hasCoverageScript) break
+    } catch { /* ignore */ }
+  }
+
+  // Check CI workflows for coverage enforcement
+  const ciFiles = [
+    '.github/workflows/quality.yml',
+    '.github/workflows/test.yml',
+    '.github/workflows/ci.yml',
+    '.github/workflows/admin-mode-tests.yml'
+  ]
+
+  for (const ci of ciFiles) {
+    const ciPath = join(projectPath, ci)
+    if (!existsSync(ciPath)) continue
+
+    try {
+      const content = readFileSync(ciPath, 'utf-8')
+      if (content.includes('coverage') || content.includes('--coverageThreshold')) {
+        result.details.hasCiCoverage = true
+        break
+      }
+    } catch { /* ignore */ }
+  }
+
+  if (result.details.hasCoverageScript || result.details.hasCiCoverage) {
+    result.score += 1
+  }
+
+  result.score = Math.min(result.score, result.maxScore)
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = result.details.framework ? 'warning' : 'error'
+    result.details.message = result.details.framework
+      ? `${result.details.framework} detected but no coverage configuration`
+      : 'No test framework or coverage configuration detected'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = 'Coverage partially configured — add thresholds for enforcement'
+  } else {
+    result.details.message = `Coverage well-configured (${result.details.framework})`
+  }
+
+  return result
+}

package/lib/checks/health/dependency-cruiser.js

@@ -0,0 +1,113 @@
+/**
+ * Health Check: Dependency Cruiser
+ *
+ * Checks for dependency analysis and circular dependency prevention.
+ * Score: up to 2 points:
+ *   +1 for dependency-cruiser config file exists
+ *   +1 for no-circular rule defined or dep:check script
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('dependency-cruiser', 2, {
+    configFound: false,
+    configPath: null,
+    hasNoCircularRule: false,
+    hasCheckScript: false,
+    checkScript: null,
+    installed: false,
+    message: ''
+  })
+
+  // Check for dependency-cruiser config files
+  const depCruiserConfigs = [
+    '.dependency-cruiser.js',
+    '.dependency-cruiser.cjs',
+    '.dependency-cruiser.mjs',
+    '.dependency-cruiser.json',
+    'dependency-cruiser.config.js',
+    'dependency-cruiser.config.cjs',
+    // Sub-packages
+    'backend/.dependency-cruiser.js',
+    'backend/.dependency-cruiser.cjs'
+  ]
+
+  let configContent = null
+
+  for (const config of depCruiserConfigs) {
+    const configPath = join(projectPath, config)
+    if (!existsSync(configPath)) continue
+
+    result.details.configFound = true
+    result.details.configPath = config
+    result.score += 1
+
+    try {
+      configContent = readFileSync(configPath, 'utf-8')
+    } catch { /* ignore */ }
+    break
+  }
+
+  // Check for dependency-cruiser in dependencies
+  const packageLocations = [
+    'package.json',
+    'backend/package.json'
+  ]
+
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies }
+
+      if (allDeps['dependency-cruiser']) {
+        result.details.installed = true
+      }
+
+      // Check for dep check scripts
+      const scripts = pkg.scripts || {}
+      for (const [name, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (cmd.includes('dependency-cruiser') || cmd.includes('depcruise') ||
+            name === 'check:deps' || name === 'check:circular') {
+          result.details.hasCheckScript = true
+          result.details.checkScript = `${loc} → ${name}`
+          break
+        }
+      }
+    } catch { /* ignore */ }
+  }
+
+  // Check config content for no-circular rule
+  if (configContent) {
+    if (configContent.includes('no-circular') || configContent.includes('circular')) {
+      result.details.hasNoCircularRule = true
+    }
+  }
+
+  if (result.details.hasNoCircularRule || result.details.hasCheckScript) {
+    result.score += 1
+  }
+
+  result.score = Math.min(result.score, result.maxScore)
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'warning'
+    result.details.message = 'No dependency analysis configured — circular dependencies go undetected'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = result.details.configFound
+      ? 'Dependency cruiser configured but no circular dependency rule'
+      : 'Dependency check script found but no config file'
+  } else {
+    result.details.message = 'Dependency analysis well-configured'
+  }
+
+  return result
+}

package/lib/checks/health/eslint-security.js

@@ -0,0 +1,172 @@
+/**
+ * Health Check: ESLint Security Plugins
+ *
+ * Checks for security-focused ESLint plugins.
+ * Score: up to 3 points:
+ *   +1 for eslint-plugin-security installed
+ *   +1 for eslint-plugin-sonarjs installed
+ *   +1 for custom security rules (no-restricted-imports/syntax for dangerous patterns)
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('eslint-security', 3, {
+    eslintConfigFound: false,
+    eslintConfigPath: null,
+    hasSecurityPlugin: false,
+    hasSonarPlugin: false,
+    hasCustomSecurityRules: false,
+    securityPlugins: [],
+    message: ''
+  })
+
+  // Check if ESLint is configured at all
+  const eslintConfigs = [
+    '.eslintrc.js',
+    '.eslintrc.cjs',
+    '.eslintrc.json',
+    '.eslintrc.yml',
+    '.eslintrc.yaml',
+    '.eslintrc',
+    'eslint.config.js',
+    'eslint.config.cjs',
+    'eslint.config.mjs',
+    'eslint.config.ts',
+    // Sub-packages
+    'backend/.eslintrc.js',
+    'backend/.eslintrc.json',
+    'backend/eslint.config.js',
+    'backend/eslint.config.mjs',
+    'frontend/.eslintrc.js',
+    'frontend/.eslintrc.json',
+    'frontend/eslint.config.js',
+    'frontend/eslint.config.mjs'
+  ]
+
+  let eslintContent = null
+
+  for (const config of eslintConfigs) {
+    const configPath = join(projectPath, config)
+    if (!existsSync(configPath)) continue
+
+    result.details.eslintConfigFound = true
+    result.details.eslintConfigPath = config
+
+    try {
+      eslintContent = readFileSync(configPath, 'utf-8')
+    } catch { /* ignore */ }
+    break
+  }
+
+  if (!result.details.eslintConfigFound) {
+    result.status = 'error'
+    result.details.message = 'No ESLint configuration found'
+    return result
+  }
+
+  // Check package.json for security plugins in dependencies
+  const packageLocations = [
+    'package.json',
+    'backend/package.json',
+    'frontend/package.json'
+  ]
+
+  const allDeps = {}
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      Object.assign(allDeps, pkg.dependencies || {}, pkg.devDependencies || {})
+    } catch { /* ignore */ }
+  }
+
+  // Check for security plugins
+  const securityPlugins = [
+    'eslint-plugin-security',
+    '@eslint/plugin-security',
+    'eslint-plugin-no-secrets'
+  ]
+  for (const plugin of securityPlugins) {
+    if (allDeps[plugin]) {
+      result.details.hasSecurityPlugin = true
+      result.details.securityPlugins.push(plugin)
+    }
+  }
+
+  // Also check ESLint config content for security plugin references
+  if (eslintContent) {
+    if (eslintContent.includes('plugin:security') || eslintContent.includes("'security'") ||
+        eslintContent.includes('"security"') || eslintContent.includes('eslint-plugin-security')) {
+      result.details.hasSecurityPlugin = true
+      if (!result.details.securityPlugins.includes('eslint-plugin-security')) {
+        result.details.securityPlugins.push('eslint-plugin-security (in config)')
+      }
+    }
+  }
+
+  if (result.details.hasSecurityPlugin) {
+    result.score += 1
+  }
+
+  // Check for SonarJS plugin
+  const sonarPlugins = [
+    'eslint-plugin-sonarjs',
+    '@eslint/plugin-sonarjs'
+  ]
+  for (const plugin of sonarPlugins) {
+    if (allDeps[plugin]) {
+      result.details.hasSonarPlugin = true
+      result.details.securityPlugins.push(plugin)
+    }
+  }
+
+  if (eslintContent) {
+    if (eslintContent.includes('sonarjs') || eslintContent.includes('plugin:sonarjs')) {
+      result.details.hasSonarPlugin = true
+      if (!result.details.securityPlugins.some(p => p.includes('sonarjs'))) {
+        result.details.securityPlugins.push('eslint-plugin-sonarjs (in config)')
+      }
+    }
+  }
+
+  if (result.details.hasSonarPlugin) {
+    result.score += 1
+  }
+
+  // Check for custom security rules (no-restricted-imports/syntax)
+  if (eslintContent) {
+    const hasRestrictedImports = eslintContent.includes('no-restricted-imports') ||
+      eslintContent.includes('no-restricted-syntax')
+    const hasSecurityKeywords = eslintContent.includes('SupabaseService') ||
+      eslintContent.includes('service_role') ||
+      eslintContent.includes('SERVICE_ROLE') ||
+      eslintContent.includes('@anthropic-ai') ||
+      eslintContent.includes('eval') ||
+      eslintContent.includes('DANGEROUS') ||
+      eslintContent.includes('detect-unsafe-regex') ||
+      eslintContent.includes('detect-eval')
+
+    if (hasRestrictedImports && hasSecurityKeywords) {
+      result.details.hasCustomSecurityRules = true
+      result.score += 1
+    }
+  }
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'error'
+    result.details.message = 'ESLint configured but no security plugins detected'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = `${result.details.securityPlugins.length} security plugin(s) — consider adding more`
+  } else {
+    result.details.message = `ESLint security well-configured (${result.details.securityPlugins.join(', ')})`
+  }
+
+  return result
+}

package/lib/checks/health/index.js

@@ -1,5 +1,5 @@
 /**
- * Health Checks — All 16 project health checks
+ * Health Checks — All 23 project health checks
  *
  * Main entry: scanProjectHealth(projectPath, projectName, options?)
  * Individual checks available via named imports.
@@ -26,3 +26,9 @@ export { check as checkDopplerCompliance } from './doppler-compliance.js'
 export { check as checkInfrastructureYml } from './infrastructure-yml.js'
 export { check as checkFileOrganization } from './file-organization.js'
 export { check as checkRpcParamMismatch } from './rpc-param-mismatch.js'
+export { check as checkTypescriptStrict } from './typescript-strict.js'
+export { check as checkPrettier } from './prettier.js'
+export { check as checkCoverageThresholds } from './coverage-thresholds.js'
+export { check as checkEslintSecurity } from './eslint-security.js'
+export { check as checkDependencyCruiser } from './dependency-cruiser.js'
+export { check as checkConventionalCommits } from './conventional-commits.js'

package/lib/checks/health/prettier.js

@@ -0,0 +1,162 @@
+/**
+ * Health Check: Prettier / Code Formatting
+ *
+ * Checks for consistent code formatting setup.
+ * Score: up to 3 points:
+ *   +1 for Prettier config file exists
+ *   +1 for format:check or format script in package.json
+ *   +1 for lint-staged config (auto-format on commit)
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('prettier', 3, {
+    configFound: false,
+    configPath: null,
+    hasFormatScript: false,
+    formatScript: null,
+    hasLintStaged: false,
+    lintStagedConfig: null,
+    message: ''
+  })
+
+  // Check for Prettier config files
+  const prettierConfigs = [
+    '.prettierrc',
+    '.prettierrc.json',
+    '.prettierrc.js',
+    '.prettierrc.cjs',
+    '.prettierrc.mjs',
+    '.prettierrc.yml',
+    '.prettierrc.yaml',
+    '.prettierrc.toml',
+    'prettier.config.js',
+    'prettier.config.cjs',
+    'prettier.config.mjs',
+    // Also check in sub-packages
+    'frontend/.prettierrc',
+    'frontend/.prettierrc.json',
+    'backend/.prettierrc',
+    'backend/.prettierrc.json'
+  ]
+
+  for (const config of prettierConfigs) {
+    if (existsSync(join(projectPath, config))) {
+      result.details.configFound = true
+      result.details.configPath = config
+      result.score += 1
+      break
+    }
+  }
+
+  // Also check for prettier key in package.json
+  if (!result.details.configFound) {
+    const pkgPath = join(projectPath, 'package.json')
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+        if (pkg.prettier) {
+          result.details.configFound = true
+          result.details.configPath = 'package.json (prettier key)'
+          result.score += 1
+        }
+      } catch { /* ignore */ }
+    }
+  }
+
+  // Check for format scripts
+  const packageLocations = [
+    'package.json',
+    'backend/package.json',
+    'frontend/package.json',
+    'frontend-user/package.json'
+  ]
+
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      const scripts = pkg.scripts || {}
+
+      for (const [name, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (name === 'format' || name === 'format:check' || name === 'prettier' ||
+            name === 'prettier:check' || cmd.includes('prettier')) {
+          result.details.hasFormatScript = true
+          result.details.formatScript = `${loc} → ${name}`
+          break
+        }
+      }
+      if (result.details.hasFormatScript) break
+    } catch { /* ignore */ }
+  }
+
+  if (result.details.hasFormatScript) {
+    result.score += 1
+  }
+
+  // Check for lint-staged config
+  const lintStagedConfigs = [
+    '.lintstagedrc',
+    '.lintstagedrc.json',
+    '.lintstagedrc.js',
+    '.lintstagedrc.cjs',
+    '.lintstagedrc.mjs',
+    '.lintstagedrc.yml',
+    'lint-staged.config.js',
+    'lint-staged.config.cjs',
+    'lint-staged.config.mjs',
+    // Sub-packages
+    'frontend/.lintstagedrc',
+    'frontend/.lintstagedrc.json',
+    'backend/.lintstagedrc',
+    'backend/.lintstagedrc.json'
+  ]
+
+  for (const config of lintStagedConfigs) {
+    if (existsSync(join(projectPath, config))) {
+      result.details.hasLintStaged = true
+      result.details.lintStagedConfig = config
+      result.score += 1
+      break
+    }
+  }
+
+  // Also check package.json for lint-staged key
+  if (!result.details.hasLintStaged) {
+    for (const loc of packageLocations) {
+      const pkgPath = join(projectPath, loc)
+      if (!existsSync(pkgPath)) continue
+
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+        if (pkg['lint-staged']) {
+          result.details.hasLintStaged = true
+          result.details.lintStagedConfig = `${loc} (lint-staged key)`
+          result.score += 1
+          break
+        }
+      } catch { /* ignore */ }
+    }
+  }
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'error'
+    result.details.message = 'No code formatting setup detected'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = result.details.configFound
+      ? 'Prettier config exists but no format script or lint-staged'
+      : 'Format script exists but no Prettier config'
+  } else {
+    result.details.message = `Code formatting well-configured`
+  }
+
+  return result
+}

package/lib/checks/health/scanner.js

@@ -1,7 +1,7 @@
 /**
  * Project Health Scanner
  *
- * Orchestrates all 16 health checks and produces a HealthReport.
+ * Orchestrates all 23 health checks and produces a HealthReport.
  * This is the main entry point — consumers call scanProjectHealth().
  */
 
@@ -22,6 +22,12 @@ import { check as checkDopplerCompliance } from './doppler-compliance.js'
 import { check as checkInfrastructureYml } from './infrastructure-yml.js'
 import { check as checkFileOrganization } from './file-organization.js'
 import { check as checkRpcParamMismatch } from './rpc-param-mismatch.js'
+import { check as checkTypescriptStrict } from './typescript-strict.js'
+import { check as checkPrettier } from './prettier.js'
+import { check as checkCoverageThresholds } from './coverage-thresholds.js'
+import { check as checkEslintSecurity } from './eslint-security.js'
+import { check as checkDependencyCruiser } from './dependency-cruiser.js'
+import { check as checkConventionalCommits } from './conventional-commits.js'
 import { calculateHealthStatus } from './types.js'
 
 /**
@@ -52,7 +58,13 @@ export async function scanProjectHealth(projectPath, projectName, options = {})
     checkDopplerCompliance(projectPath),
     checkInfrastructureYml(projectPath),
     checkFileOrganization(projectPath),
-    checkRpcParamMismatch(projectPath)
+    checkRpcParamMismatch(projectPath),
+    checkTypescriptStrict(projectPath),
+    checkPrettier(projectPath),
+    checkCoverageThresholds(projectPath),
+    checkEslintSecurity(projectPath),
+    checkDependencyCruiser(projectPath),
+    checkConventionalCommits(projectPath)
   ])
 
   const totalScore = checks.reduce((sum, c) => sum + c.score, 0)