@soulbatical/tetra-dev-toolkit 1.3.3 → 1.5.0

package/lib/checks/health/dependency-cruiser.js

@@ -0,0 +1,113 @@
+/**
+ * Health Check: Dependency Cruiser
+ *
+ * Checks for dependency analysis and circular dependency prevention.
+ * Score: up to 2 points:
+ *   +1 for dependency-cruiser config file exists
+ *   +1 for no-circular rule defined or dep:check script
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('dependency-cruiser', 2, {
+    configFound: false,
+    configPath: null,
+    hasNoCircularRule: false,
+    hasCheckScript: false,
+    checkScript: null,
+    installed: false,
+    message: ''
+  })
+
+  // Check for dependency-cruiser config files
+  const depCruiserConfigs = [
+    '.dependency-cruiser.js',
+    '.dependency-cruiser.cjs',
+    '.dependency-cruiser.mjs',
+    '.dependency-cruiser.json',
+    'dependency-cruiser.config.js',
+    'dependency-cruiser.config.cjs',
+    // Sub-packages
+    'backend/.dependency-cruiser.js',
+    'backend/.dependency-cruiser.cjs'
+  ]
+
+  let configContent = null
+
+  for (const config of depCruiserConfigs) {
+    const configPath = join(projectPath, config)
+    if (!existsSync(configPath)) continue
+
+    result.details.configFound = true
+    result.details.configPath = config
+    result.score += 1
+
+    try {
+      configContent = readFileSync(configPath, 'utf-8')
+    } catch { /* ignore */ }
+    break
+  }
+
+  // Check for dependency-cruiser in dependencies
+  const packageLocations = [
+    'package.json',
+    'backend/package.json'
+  ]
+
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies }
+
+      if (allDeps['dependency-cruiser']) {
+        result.details.installed = true
+      }
+
+      // Check for dep check scripts
+      const scripts = pkg.scripts || {}
+      for (const [name, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (cmd.includes('dependency-cruiser') || cmd.includes('depcruise') ||
+            name === 'check:deps' || name === 'check:circular') {
+          result.details.hasCheckScript = true
+          result.details.checkScript = `${loc} → ${name}`
+          break
+        }
+      }
+    } catch { /* ignore */ }
+  }
+
+  // Check config content for no-circular rule
+  if (configContent) {
+    if (configContent.includes('no-circular') || configContent.includes('circular')) {
+      result.details.hasNoCircularRule = true
+    }
+  }
+
+  if (result.details.hasNoCircularRule || result.details.hasCheckScript) {
+    result.score += 1
+  }
+
+  result.score = Math.min(result.score, result.maxScore)
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'warning'
+    result.details.message = 'No dependency analysis configured — circular dependencies go undetected'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = result.details.configFound
+      ? 'Dependency cruiser configured but no circular dependency rule'
+      : 'Dependency check script found but no config file'
+  } else {
+    result.details.message = 'Dependency analysis well-configured'
+  }
+
+  return result
+}

package/lib/checks/health/eslint-security.js

@@ -0,0 +1,172 @@
+/**
+ * Health Check: ESLint Security Plugins
+ *
+ * Checks for security-focused ESLint plugins.
+ * Score: up to 3 points:
+ *   +1 for eslint-plugin-security installed
+ *   +1 for eslint-plugin-sonarjs installed
+ *   +1 for custom security rules (no-restricted-imports/syntax for dangerous patterns)
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('eslint-security', 3, {
+    eslintConfigFound: false,
+    eslintConfigPath: null,
+    hasSecurityPlugin: false,
+    hasSonarPlugin: false,
+    hasCustomSecurityRules: false,
+    securityPlugins: [],
+    message: ''
+  })
+
+  // Check if ESLint is configured at all
+  const eslintConfigs = [
+    '.eslintrc.js',
+    '.eslintrc.cjs',
+    '.eslintrc.json',
+    '.eslintrc.yml',
+    '.eslintrc.yaml',
+    '.eslintrc',
+    'eslint.config.js',
+    'eslint.config.cjs',
+    'eslint.config.mjs',
+    'eslint.config.ts',
+    // Sub-packages
+    'backend/.eslintrc.js',
+    'backend/.eslintrc.json',
+    'backend/eslint.config.js',
+    'backend/eslint.config.mjs',
+    'frontend/.eslintrc.js',
+    'frontend/.eslintrc.json',
+    'frontend/eslint.config.js',
+    'frontend/eslint.config.mjs'
+  ]
+
+  let eslintContent = null
+
+  for (const config of eslintConfigs) {
+    const configPath = join(projectPath, config)
+    if (!existsSync(configPath)) continue
+
+    result.details.eslintConfigFound = true
+    result.details.eslintConfigPath = config
+
+    try {
+      eslintContent = readFileSync(configPath, 'utf-8')
+    } catch { /* ignore */ }
+    break
+  }
+
+  if (!result.details.eslintConfigFound) {
+    result.status = 'error'
+    result.details.message = 'No ESLint configuration found'
+    return result
+  }
+
+  // Check package.json for security plugins in dependencies
+  const packageLocations = [
+    'package.json',
+    'backend/package.json',
+    'frontend/package.json'
+  ]
+
+  const allDeps = {}
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      Object.assign(allDeps, pkg.dependencies || {}, pkg.devDependencies || {})
+    } catch { /* ignore */ }
+  }
+
+  // Check for security plugins
+  const securityPlugins = [
+    'eslint-plugin-security',
+    '@eslint/plugin-security',
+    'eslint-plugin-no-secrets'
+  ]
+  for (const plugin of securityPlugins) {
+    if (allDeps[plugin]) {
+      result.details.hasSecurityPlugin = true
+      result.details.securityPlugins.push(plugin)
+    }
+  }
+
+  // Also check ESLint config content for security plugin references
+  if (eslintContent) {
+    if (eslintContent.includes('plugin:security') || eslintContent.includes("'security'") ||
+        eslintContent.includes('"security"') || eslintContent.includes('eslint-plugin-security')) {
+      result.details.hasSecurityPlugin = true
+      if (!result.details.securityPlugins.includes('eslint-plugin-security')) {
+        result.details.securityPlugins.push('eslint-plugin-security (in config)')
+      }
+    }
+  }
+
+  if (result.details.hasSecurityPlugin) {
+    result.score += 1
+  }
+
+  // Check for SonarJS plugin
+  const sonarPlugins = [
+    'eslint-plugin-sonarjs',
+    '@eslint/plugin-sonarjs'
+  ]
+  for (const plugin of sonarPlugins) {
+    if (allDeps[plugin]) {
+      result.details.hasSonarPlugin = true
+      result.details.securityPlugins.push(plugin)
+    }
+  }
+
+  if (eslintContent) {
+    if (eslintContent.includes('sonarjs') || eslintContent.includes('plugin:sonarjs')) {
+      result.details.hasSonarPlugin = true
+      if (!result.details.securityPlugins.some(p => p.includes('sonarjs'))) {
+        result.details.securityPlugins.push('eslint-plugin-sonarjs (in config)')
+      }
+    }
+  }
+
+  if (result.details.hasSonarPlugin) {
+    result.score += 1
+  }
+
+  // Check for custom security rules (no-restricted-imports/syntax)
+  if (eslintContent) {
+    const hasRestrictedImports = eslintContent.includes('no-restricted-imports') ||
+      eslintContent.includes('no-restricted-syntax')
+    const hasSecurityKeywords = eslintContent.includes('SupabaseService') ||
+      eslintContent.includes('service_role') ||
+      eslintContent.includes('SERVICE_ROLE') ||
+      eslintContent.includes('@anthropic-ai') ||
+      eslintContent.includes('eval') ||
+      eslintContent.includes('DANGEROUS') ||
+      eslintContent.includes('detect-unsafe-regex') ||
+      eslintContent.includes('detect-eval')
+
+    if (hasRestrictedImports && hasSecurityKeywords) {
+      result.details.hasCustomSecurityRules = true
+      result.score += 1
+    }
+  }
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'error'
+    result.details.message = 'ESLint configured but no security plugins detected'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = `${result.details.securityPlugins.length} security plugin(s) — consider adding more`
+  } else {
+    result.details.message = `ESLint security well-configured (${result.details.securityPlugins.join(', ')})`
+  }
+
+  return result
+}

package/lib/checks/health/index.js

@@ -1,5 +1,5 @@
 /**
- * Health Checks — All 16 project health checks
+ * Health Checks — All 28 project health checks
  *
  * Main entry: scanProjectHealth(projectPath, projectName, options?)
  * Individual checks available via named imports.
@@ -26,3 +26,14 @@ export { check as checkDopplerCompliance } from './doppler-compliance.js'
 export { check as checkInfrastructureYml } from './infrastructure-yml.js'
 export { check as checkFileOrganization } from './file-organization.js'
 export { check as checkRpcParamMismatch } from './rpc-param-mismatch.js'
+export { check as checkTypescriptStrict } from './typescript-strict.js'
+export { check as checkPrettier } from './prettier.js'
+export { check as checkCoverageThresholds } from './coverage-thresholds.js'
+export { check as checkEslintSecurity } from './eslint-security.js'
+export { check as checkDependencyCruiser } from './dependency-cruiser.js'
+export { check as checkConventionalCommits } from './conventional-commits.js'
+export { check as checkKnip } from './knip.js'
+export { check as checkDependencyAutomation } from './dependency-automation.js'
+export { check as checkLicenseAudit } from './license-audit.js'
+export { check as checkSast } from './sast.js'
+export { check as checkBundleSize } from './bundle-size.js'

package/lib/checks/health/knip.js

@@ -0,0 +1,135 @@
+/**
+ * Health Check: Knip (Dead Code Detection)
+ *
+ * Checks for unused files, exports, and dependencies via Knip.
+ * Score: up to 3 points:
+ *   +1 for knip installed (in dependencies)
+ *   +1 for knip config file exists (knip.json, knip.config.ts, etc.)
+ *   +1 for knip script in package.json (e.g. check:unused, knip)
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('knip', 3, {
+    installed: false,
+    configFound: false,
+    configPath: null,
+    hasScript: false,
+    scriptName: null,
+    hasAlternative: false,
+    alternativeTool: null,
+    message: ''
+  })
+
+  // Check for knip config files
+  const knipConfigs = [
+    'knip.json',
+    'knip.jsonc',
+    'knip.config.ts',
+    'knip.config.js',
+    'knip.config.mjs',
+    'knip.config.cjs',
+    '.knip.json',
+    '.knip.jsonc',
+    // Sub-packages
+    'backend/knip.json',
+    'backend/knip.config.ts',
+    'frontend/knip.json',
+    'frontend/knip.config.ts'
+  ]
+
+  for (const config of knipConfigs) {
+    if (existsSync(join(projectPath, config))) {
+      result.details.configFound = true
+      result.details.configPath = config
+      result.score += 1
+      break
+    }
+  }
+
+  // Check package.json for knip in dependencies and scripts
+  const packageLocations = [
+    'package.json',
+    'backend/package.json',
+    'frontend/package.json'
+  ]
+
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies }
+
+      if (allDeps.knip) {
+        result.details.installed = true
+        result.score += 1
+      }
+
+      // Also check for knip key in package.json (inline config)
+      if (pkg.knip && !result.details.configFound) {
+        result.details.configFound = true
+        result.details.configPath = `${loc} (knip key)`
+        result.score += 1
+      }
+
+      // Check for knip script
+      const scripts = pkg.scripts || {}
+      for (const [name, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (cmd.includes('knip') || name === 'knip') {
+          result.details.hasScript = true
+          result.details.scriptName = `${loc} → ${name}`
+          result.score += 1
+          break
+        }
+      }
+
+      // Check for alternative dead code tools
+      if (allDeps['ts-prune'] || allDeps['unimported']) {
+        result.details.hasAlternative = true
+        result.details.alternativeTool = allDeps['ts-prune'] ? 'ts-prune' : 'unimported'
+      }
+
+      // Check for custom unused code scripts (partial credit)
+      if (!result.details.hasScript) {
+        for (const [name, cmd] of Object.entries(scripts)) {
+          if (typeof cmd !== 'string') continue
+          if (name.includes('unused') || name.includes('dead-code') ||
+              cmd.includes('unused') || cmd.includes('check-unused')) {
+            result.details.hasScript = true
+            result.details.scriptName = `${loc} → ${name} (custom)`
+            result.score += 1
+            break
+          }
+        }
+      }
+    } catch { /* ignore */ }
+  }
+
+  result.score = Math.min(result.score, result.maxScore)
+
+  // Determine status
+  if (result.score === 0) {
+    if (result.details.hasAlternative) {
+      result.status = 'warning'
+      result.details.message = `Using ${result.details.alternativeTool} — consider migrating to Knip (more comprehensive)`
+    } else {
+      result.status = 'error'
+      result.details.message = 'No dead code detection configured — unused files and exports go undetected'
+    }
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = result.details.installed
+      ? 'Knip installed but no config or script'
+      : 'Dead code script exists but Knip not installed'
+  } else {
+    result.details.message = 'Dead code detection well-configured'
+  }
+
+  return result
+}

package/lib/checks/health/license-audit.js

@@ -0,0 +1,133 @@
+/**
+ * Health Check: License Audit
+ *
+ * Checks for dependency license compliance tooling.
+ * Score: up to 2 points:
+ *   +1 for license-checker or license-report tool configured
+ *   +1 for forbidden license list or license check script
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('license-audit', 2, {
+    toolInstalled: false,
+    toolName: null,
+    hasConfig: false,
+    configPath: null,
+    hasScript: false,
+    scriptName: null,
+    hasForbiddenList: false,
+    message: ''
+  })
+
+  // License tools to check for
+  const licenseTools = [
+    'license-checker',
+    'license-checker-rspack',
+    'license-report',
+    'license-webpack-plugin',
+    'license-compliance',
+    'legally',
+    'nlf'
+  ]
+
+  // Check package.json files for license tools and scripts
+  const packageLocations = [
+    'package.json',
+    'backend/package.json',
+    'frontend/package.json'
+  ]
+
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies }
+
+      // Check for license tools
+      for (const tool of licenseTools) {
+        if (allDeps[tool]) {
+          result.details.toolInstalled = true
+          result.details.toolName = tool
+          result.score += 1
+          break
+        }
+      }
+
+      // Check for license scripts
+      const scripts = pkg.scripts || {}
+      for (const [name, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (name.includes('license') || cmd.includes('license-checker') ||
+            cmd.includes('license-report') || cmd.includes('license-compliance')) {
+          result.details.hasScript = true
+          result.details.scriptName = `${loc} → ${name}`
+          break
+        }
+      }
+
+      // Check for forbidden license patterns in scripts
+      for (const [, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (cmd.includes('--failOn') || cmd.includes('--excludeLicenses') ||
+            cmd.includes('--production') || cmd.includes('forbidden')) {
+          result.details.hasForbiddenList = true
+          break
+        }
+      }
+    } catch { /* ignore */ }
+  }
+
+  // Check for license config files
+  const licenseConfigs = [
+    '.licensechecker.json',
+    '.license-checker.json',
+    'license-checker-config.json',
+    '.license-report-config.json'
+  ]
+
+  for (const config of licenseConfigs) {
+    const configPath = join(projectPath, config)
+    if (!existsSync(configPath)) continue
+
+    result.details.hasConfig = true
+    result.details.configPath = config
+    result.score += 1
+
+    try {
+      const content = readFileSync(configPath, 'utf-8')
+      if (content.includes('GPL') || content.includes('forbidden') ||
+          content.includes('excludeLicenses') || content.includes('failOn')) {
+        result.details.hasForbiddenList = true
+      }
+    } catch { /* ignore */ }
+    break
+  }
+
+  // Script or forbidden list counts toward second point
+  if (!result.details.hasConfig && (result.details.hasScript || result.details.hasForbiddenList)) {
+    result.score += 1
+  }
+
+  result.score = Math.min(result.score, result.maxScore)
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'warning'
+    result.details.message = 'No license compliance tooling — GPL dependencies could go unnoticed'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = result.details.toolInstalled
+      ? `${result.details.toolName} installed but no forbidden license enforcement`
+      : 'License check script exists but no dedicated tool'
+  } else {
+    result.details.message = `License compliance enforced via ${result.details.toolName || 'config'}`
+  }
+
+  return result
+}