@soulbatical/tetra-dev-toolkit 1.3.3 → 1.5.0

package/lib/checks/health/prettier.js

@@ -0,0 +1,162 @@
+/**
+ * Health Check: Prettier / Code Formatting
+ *
+ * Checks for consistent code formatting setup.
+ * Score: up to 3 points:
+ *   +1 for Prettier config file exists
+ *   +1 for format:check or format script in package.json
+ *   +1 for lint-staged config (auto-format on commit)
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('prettier', 3, {
+    configFound: false,
+    configPath: null,
+    hasFormatScript: false,
+    formatScript: null,
+    hasLintStaged: false,
+    lintStagedConfig: null,
+    message: ''
+  })
+
+  // Check for Prettier config files
+  const prettierConfigs = [
+    '.prettierrc',
+    '.prettierrc.json',
+    '.prettierrc.js',
+    '.prettierrc.cjs',
+    '.prettierrc.mjs',
+    '.prettierrc.yml',
+    '.prettierrc.yaml',
+    '.prettierrc.toml',
+    'prettier.config.js',
+    'prettier.config.cjs',
+    'prettier.config.mjs',
+    // Also check in sub-packages
+    'frontend/.prettierrc',
+    'frontend/.prettierrc.json',
+    'backend/.prettierrc',
+    'backend/.prettierrc.json'
+  ]
+
+  for (const config of prettierConfigs) {
+    if (existsSync(join(projectPath, config))) {
+      result.details.configFound = true
+      result.details.configPath = config
+      result.score += 1
+      break
+    }
+  }
+
+  // Also check for prettier key in package.json
+  if (!result.details.configFound) {
+    const pkgPath = join(projectPath, 'package.json')
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+        if (pkg.prettier) {
+          result.details.configFound = true
+          result.details.configPath = 'package.json (prettier key)'
+          result.score += 1
+        }
+      } catch { /* ignore */ }
+    }
+  }
+
+  // Check for format scripts
+  const packageLocations = [
+    'package.json',
+    'backend/package.json',
+    'frontend/package.json',
+    'frontend-user/package.json'
+  ]
+
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      const scripts = pkg.scripts || {}
+
+      for (const [name, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (name === 'format' || name === 'format:check' || name === 'prettier' ||
+            name === 'prettier:check' || cmd.includes('prettier')) {
+          result.details.hasFormatScript = true
+          result.details.formatScript = `${loc} → ${name}`
+          break
+        }
+      }
+      if (result.details.hasFormatScript) break
+    } catch { /* ignore */ }
+  }
+
+  if (result.details.hasFormatScript) {
+    result.score += 1
+  }
+
+  // Check for lint-staged config
+  const lintStagedConfigs = [
+    '.lintstagedrc',
+    '.lintstagedrc.json',
+    '.lintstagedrc.js',
+    '.lintstagedrc.cjs',
+    '.lintstagedrc.mjs',
+    '.lintstagedrc.yml',
+    'lint-staged.config.js',
+    'lint-staged.config.cjs',
+    'lint-staged.config.mjs',
+    // Sub-packages
+    'frontend/.lintstagedrc',
+    'frontend/.lintstagedrc.json',
+    'backend/.lintstagedrc',
+    'backend/.lintstagedrc.json'
+  ]
+
+  for (const config of lintStagedConfigs) {
+    if (existsSync(join(projectPath, config))) {
+      result.details.hasLintStaged = true
+      result.details.lintStagedConfig = config
+      result.score += 1
+      break
+    }
+  }
+
+  // Also check package.json for lint-staged key
+  if (!result.details.hasLintStaged) {
+    for (const loc of packageLocations) {
+      const pkgPath = join(projectPath, loc)
+      if (!existsSync(pkgPath)) continue
+
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+        if (pkg['lint-staged']) {
+          result.details.hasLintStaged = true
+          result.details.lintStagedConfig = `${loc} (lint-staged key)`
+          result.score += 1
+          break
+        }
+      } catch { /* ignore */ }
+    }
+  }
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'error'
+    result.details.message = 'No code formatting setup detected'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = result.details.configFound
+      ? 'Prettier config exists but no format script or lint-staged'
+      : 'Format script exists but no Prettier config'
+  } else {
+    result.details.message = `Code formatting well-configured`
+  }
+
+  return result
+}

package/lib/checks/health/sast.js

@@ -0,0 +1,166 @@
+/**
+ * Health Check: SAST (Static Application Security Testing)
+ *
+ * Checks for SAST tooling like Semgrep, CodeQL, Snyk Code, or SonarQube.
+ * Enterprise security requirement — catches OWASP patterns statically.
+ * Score: up to 2 points:
+ *   +1 for SAST tool configured (config file or CI workflow)
+ *   +1 for SAST running in CI (GitHub Actions workflow)
+ */
+
+import { existsSync, readFileSync, readdirSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('sast', 2, {
+    tool: null,
+    configFound: false,
+    configPath: null,
+    ciIntegration: false,
+    ciWorkflow: null,
+    message: ''
+  })
+
+  // Check for Semgrep config
+  const semgrepConfigs = [
+    '.semgrep.yml',
+    '.semgrep.yaml',
+    '.semgrep/',
+    'semgrep.yml',
+    'semgrep.yaml'
+  ]
+
+  for (const config of semgrepConfigs) {
+    if (existsSync(join(projectPath, config))) {
+      result.details.tool = 'semgrep'
+      result.details.configFound = true
+      result.details.configPath = config
+      result.score += 1
+      break
+    }
+  }
+
+  // Check for CodeQL config
+  if (!result.details.configFound) {
+    const codeqlConfigs = [
+      '.github/codeql/codeql-config.yml',
+      '.github/codeql-config.yml',
+      'codeql-config.yml'
+    ]
+    for (const config of codeqlConfigs) {
+      if (existsSync(join(projectPath, config))) {
+        result.details.tool = 'codeql'
+        result.details.configFound = true
+        result.details.configPath = config
+        result.score += 1
+        break
+      }
+    }
+  }
+
+  // Check for SonarQube/SonarCloud config
+  if (!result.details.configFound) {
+    const sonarConfigs = [
+      'sonar-project.properties',
+      '.sonarcloud.properties'
+    ]
+    for (const config of sonarConfigs) {
+      if (existsSync(join(projectPath, config))) {
+        result.details.tool = 'sonarqube'
+        result.details.configFound = true
+        result.details.configPath = config
+        result.score += 1
+        break
+      }
+    }
+  }
+
+  // Check for Snyk config
+  if (!result.details.configFound) {
+    if (existsSync(join(projectPath, '.snyk'))) {
+      result.details.tool = 'snyk'
+      result.details.configFound = true
+      result.details.configPath = '.snyk'
+      result.score += 1
+    }
+  }
+
+  // Check CI workflows for SAST integration
+  const workflowDir = join(projectPath, '.github/workflows')
+  if (existsSync(workflowDir)) {
+    try {
+      const files = readdirSync(workflowDir).filter(f => f.endsWith('.yml') || f.endsWith('.yaml'))
+      for (const file of files) {
+        try {
+          const content = readFileSync(join(workflowDir, file), 'utf-8')
+          const lower = content.toLowerCase()
+
+          if (lower.includes('semgrep') || lower.includes('codeql') ||
+              lower.includes('sonarcloud') || lower.includes('sonarqube') ||
+              lower.includes('snyk') || lower.includes('returntocorp/semgrep') ||
+              lower.includes('github/codeql-action') || lower.includes('sonarsource')) {
+            result.details.ciIntegration = true
+            result.details.ciWorkflow = file
+            result.score += 1
+
+            // Detect tool from CI if not already found
+            if (!result.details.tool) {
+              if (lower.includes('semgrep')) result.details.tool = 'semgrep'
+              else if (lower.includes('codeql')) result.details.tool = 'codeql'
+              else if (lower.includes('sonar')) result.details.tool = 'sonarqube'
+              else if (lower.includes('snyk')) result.details.tool = 'snyk'
+              result.details.configFound = true
+            }
+            break
+          }
+        } catch { /* ignore individual file errors */ }
+      }
+    } catch { /* ignore */ }
+  }
+
+  // Check package.json for SAST-related dependencies or scripts
+  if (!result.details.configFound) {
+    const pkgPath = join(projectPath, 'package.json')
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+        const allDeps = { ...pkg.dependencies, ...pkg.devDependencies }
+        const scripts = pkg.scripts || {}
+
+        if (allDeps['snyk']) {
+          result.details.tool = 'snyk'
+          result.details.configFound = true
+          result.score += 1
+        }
+
+        for (const [name, cmd] of Object.entries(scripts)) {
+          if (typeof cmd !== 'string') continue
+          if (cmd.includes('semgrep') || cmd.includes('snyk code') ||
+              name.includes('sast') || name.includes('security:scan')) {
+            result.details.configFound = true
+            result.details.configPath = `package.json → ${name}`
+            if (!result.details.tool) result.details.tool = 'custom'
+            result.score += 1
+            break
+          }
+        }
+      } catch { /* ignore */ }
+    }
+  }
+
+  result.score = Math.min(result.score, result.maxScore)
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'warning'
+    result.details.message = 'No SAST tooling — OWASP patterns not detected statically'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = `${result.details.tool} configured but not integrated in CI`
+  } else {
+    result.details.message = `SAST enabled via ${result.details.tool} (CI integrated)`
+  }
+
+  return result
+}

package/lib/checks/health/scanner.js

@@ -1,7 +1,7 @@
 /**
  * Project Health Scanner
  *
- * Orchestrates all 16 health checks and produces a HealthReport.
+ * Orchestrates all 28 health checks and produces a HealthReport.
  * This is the main entry point — consumers call scanProjectHealth().
  */
 
@@ -22,6 +22,17 @@ import { check as checkDopplerCompliance } from './doppler-compliance.js'
 import { check as checkInfrastructureYml } from './infrastructure-yml.js'
 import { check as checkFileOrganization } from './file-organization.js'
 import { check as checkRpcParamMismatch } from './rpc-param-mismatch.js'
+import { check as checkTypescriptStrict } from './typescript-strict.js'
+import { check as checkPrettier } from './prettier.js'
+import { check as checkCoverageThresholds } from './coverage-thresholds.js'
+import { check as checkEslintSecurity } from './eslint-security.js'
+import { check as checkDependencyCruiser } from './dependency-cruiser.js'
+import { check as checkConventionalCommits } from './conventional-commits.js'
+import { check as checkKnip } from './knip.js'
+import { check as checkDependencyAutomation } from './dependency-automation.js'
+import { check as checkLicenseAudit } from './license-audit.js'
+import { check as checkSast } from './sast.js'
+import { check as checkBundleSize } from './bundle-size.js'
 import { calculateHealthStatus } from './types.js'
 
 /**
@@ -52,7 +63,18 @@ export async function scanProjectHealth(projectPath, projectName, options = {})
     checkDopplerCompliance(projectPath),
     checkInfrastructureYml(projectPath),
     checkFileOrganization(projectPath),
-    checkRpcParamMismatch(projectPath)
+    checkRpcParamMismatch(projectPath),
+    checkTypescriptStrict(projectPath),
+    checkPrettier(projectPath),
+    checkCoverageThresholds(projectPath),
+    checkEslintSecurity(projectPath),
+    checkDependencyCruiser(projectPath),
+    checkConventionalCommits(projectPath),
+    checkKnip(projectPath),
+    checkDependencyAutomation(projectPath),
+    checkLicenseAudit(projectPath),
+    checkSast(projectPath),
+    checkBundleSize(projectPath)
   ])
 
   const totalScore = checks.reduce((sum, c) => sum + c.score, 0)

package/lib/checks/health/types.js

@@ -5,7 +5,7 @@
  */
 
 /**
- * @typedef {'plugins'|'mcps'|'git'|'tests'|'secrets'|'quality-toolkit'|'naming-conventions'|'rls-audit'|'rpc-param-mismatch'|'gitignore'|'repo-visibility'|'vincifox-widget'|'stella-integration'|'claude-md'|'doppler-compliance'|'infrastructure-yml'|'file-organization'} HealthCheckType
+ * @typedef {'plugins'|'mcps'|'git'|'tests'|'secrets'|'quality-toolkit'|'naming-conventions'|'rls-audit'|'rpc-param-mismatch'|'typescript-strict'|'prettier'|'coverage-thresholds'|'eslint-security'|'dependency-cruiser'|'conventional-commits'|'knip'|'dependency-automation'|'license-audit'|'sast'|'bundle-size'|'gitignore'|'repo-visibility'|'vincifox-widget'|'stella-integration'|'claude-md'|'doppler-compliance'|'infrastructure-yml'|'file-organization'} HealthCheckType
  *
  * @typedef {'ok'|'warning'|'error'} HealthStatus
  *

package/lib/checks/health/typescript-strict.js

@@ -0,0 +1,143 @@
+/**
+ * Health Check: TypeScript Strictness
+ *
+ * Checks TypeScript configuration for strict mode and type safety.
+ * Score: up to 3 points:
+ *   +1 for strict: true in tsconfig.json
+ *   +1 for tsc --noEmit script in package.json (typecheck command)
+ *   +1 for noImplicitAny + strictNullChecks (if not using strict: true)
+ *       OR bonus for strict: true + noUncheckedIndexedAccess
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('typescript-strict', 3, {
+    tsconfigFound: false,
+    strict: false,
+    noImplicitAny: false,
+    strictNullChecks: false,
+    noUncheckedIndexedAccess: false,
+    hasTypecheckScript: false,
+    typecheckScript: null,
+    tsconfigPaths: [],
+    message: ''
+  })
+
+  // Find tsconfig files in root + common sub-packages
+  const tsconfigLocations = [
+    'tsconfig.json',
+    'backend/tsconfig.json',
+    'frontend/tsconfig.json',
+    'frontend-user/tsconfig.json',
+    'src/tsconfig.json',
+    'mcp/tsconfig.json'
+  ]
+
+  let bestConfig = null
+
+  for (const loc of tsconfigLocations) {
+    const tsconfigPath = join(projectPath, loc)
+    if (!existsSync(tsconfigPath)) continue
+
+    result.details.tsconfigPaths.push(loc)
+    result.details.tsconfigFound = true
+
+    try {
+      // Strip JSON comments (// and /* */) before parsing
+      const raw = readFileSync(tsconfigPath, 'utf-8')
+      const stripped = raw
+        .replace(/\/\/.*$/gm, '')
+        .replace(/\/\*[\s\S]*?\*\//g, '')
+        .replace(/,\s*([}\]])/g, '$1')
+      const tsconfig = JSON.parse(stripped)
+      const opts = tsconfig.compilerOptions || {}
+
+      if (opts.strict && !bestConfig) {
+        bestConfig = { path: loc, strict: true, opts }
+      } else if (!bestConfig) {
+        bestConfig = { path: loc, strict: false, opts }
+      }
+    } catch { /* invalid tsconfig, skip */ }
+  }
+
+  if (!result.details.tsconfigFound) {
+    result.status = 'warning'
+    result.details.message = 'No tsconfig.json found'
+    return result
+  }
+
+  if (bestConfig) {
+    const opts = bestConfig.opts
+
+    if (opts.strict) {
+      result.score += 1
+      result.details.strict = true
+    }
+
+    if (opts.noImplicitAny) result.details.noImplicitAny = true
+    if (opts.strictNullChecks) result.details.strictNullChecks = true
+    if (opts.noUncheckedIndexedAccess) result.details.noUncheckedIndexedAccess = true
+
+    // Bonus point: strict + extra strictness OR individual flags
+    if (opts.strict && opts.noUncheckedIndexedAccess) {
+      result.score += 1
+    } else if (!opts.strict && opts.noImplicitAny && opts.strictNullChecks) {
+      result.score += 1
+    }
+  }
+
+  // Check for typecheck script in package.json files
+  const packageLocations = [
+    'package.json',
+    'backend/package.json',
+    'frontend/package.json',
+    'frontend-user/package.json'
+  ]
+
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      const scripts = pkg.scripts || {}
+
+      // Look for typecheck or tsc --noEmit scripts
+      for (const [name, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (name === 'typecheck' || name === 'type-check' ||
+            cmd.includes('tsc --noEmit') || cmd.includes('tsc -noEmit') ||
+            (name === 'check' && cmd.includes('tsc'))) {
+          result.details.hasTypecheckScript = true
+          result.details.typecheckScript = `${loc} → ${name}: ${cmd}`
+          break
+        }
+      }
+      if (result.details.hasTypecheckScript) break
+    } catch { /* ignore */ }
+  }
+
+  if (result.details.hasTypecheckScript) {
+    result.score += 1
+  }
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'error'
+    result.details.message = 'TypeScript not strict and no typecheck script found'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = result.details.strict
+      ? 'strict: true but no typecheck script'
+      : result.details.hasTypecheckScript
+        ? 'Typecheck script exists but strict mode disabled'
+        : 'Partial TypeScript strictness'
+  } else {
+    result.details.message = `TypeScript well-configured (${result.details.tsconfigPaths.length} tsconfig(s))`
+  }
+
+  return result
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.3.3",
+  "version": "1.5.0",
   "publishConfig": {
     "access": "restricted"
   },
@@ -35,7 +35,8 @@
     "templates/"
   ],
   "scripts": {
-    "test": "node --test src/**/*.test.js",
+    "test": "vitest run",
+    "test:watch": "vitest",
     "lint": "eslint src/ lib/ bin/",
     "build": "echo 'No build step needed'"
   },
@@ -52,7 +53,8 @@
     "yaml": "^2.8.2"
   },
   "devDependencies": {
-    "eslint": "^9.0.0"
+    "eslint": "^9.0.0",
+    "vitest": "^4.0.18"
   },
   "peerDependencies": {
     "eslint": ">=8.0.0",