@sun-asterisk/sunlint 1.3.16 → 1.3.18

package/config/rule-analysis-strategies.js

@@ -72,9 +72,9 @@ module.exports = {
       accuracy: { regex: 95 }
     },
     'C002': {
-      reason: 'Duplicate code detection requires cross-file analysis',
-      methods: ['regex'],
-      accuracy: { regex: 85 }
+      reason: 'Duplicate code detection with AST-based semantic analysis',
+      methods: ['heuristic'],
+      accuracy: { heuristic: 100 }
     },
     'C043': {
       reason: 'Console/print detection via simple patterns',

package/config/rules/enhanced-rules-registry.json

@@ -69,6 +69,29 @@
         ]
       }
     },
+    "C008": {
+      "name": "Minimize Variable Scope - Declare Near Usage",
+      "description": "Variables should be declared as close as possible to where they are first used",
+      "category": "code-quality",
+      "severity": "warning",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "rules/common/C008/analyzer.js",
+      "config": "rules/common/C008/config.json",
+      "version": "1.0.0",
+      "status": "active",
+      "tags": ["readability", "maintainability", "scope", "best-practice"],
+      "strategy": {
+        "preferred": "semantic",
+        "fallbacks": ["semantic", "ast"],
+        "accuracy": {
+          "semantic": 95,
+          "ast": 90
+        }
+      },
+      "engineMappings": {
+        "semantic": ["rules/common/C008/analyzer.js"]
+      }
+    },
     "C010": {
       "name": "Limit Block Nesting",
       "description": "Limit nested blocks (if/for/while/switch) to maximum 3 levels for readability",
@@ -357,6 +380,21 @@
         ]
       }
     },
+    "C041": {
+      "name": "Do not hardcode or push sensitive information (token, API key, secret, URL) into the repo",
+      "description": "Protect sensitive application data, avoid security risks, and comply with security standards. Exposing sensitive information can lead to serious security and privacy issues.",
+      "category": "security",
+      "severity": "warning",
+      "languages": ["typescript", "javascript", "dart", "kotlin"],
+      "analyzer": "./rules/common/C041_no_sensitive_hardcode/analyzer.js",
+      "config": "./rules/common/C041_no_sensitive_hardcode/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["naming", "domain", "readability"],
+      "engineMappings": {
+        "eslint": ["@typescript-eslint/naming-convention", "camelcase"]
+      }
+    },
     "C043": {
       "name": "No Console Or Print",
       "description": "Do not use console.log or print in production code",
@@ -1266,7 +1304,8 @@
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
+      "analyzer": "./rules/security/S055_content_type_validation/analyzer.js",
+      "config": "./rules/security/S055_content_type_validation/config.json",
       "eslintRule": "custom/typescript_s055",
       "version": "1.0.0",
       "status": "stable",
@@ -1447,25 +1486,6 @@
         "accuracy": {}
       }
     },
-    "C041": {
-      "id": "C041",
-      "name": "Rule C041",
-      "description": "Auto-migrated rule C041 from ESLint mapping",
-      "category": "general",
-      "severity": "warning",
-      "languages": ["typescript", "javascript"],
-      "version": "1.0.0",
-      "status": "migrated",
-      "tags": ["migrated"],
-      "engineMappings": {
-        "eslint": ["custom/no-config-inline"]
-      },
-      "strategy": {
-        "preferred": "regex",
-        "fallbacks": ["regex"],
-        "accuracy": {}
-      }
-    },
     "C042": {
       "id": "C042",
       "name": "Rule C042",

package/core/analysis-orchestrator.js

@@ -547,9 +547,17 @@ class AnalysisOrchestrator {
     for (const engineResult of engineResults) {
       uniqueEngines.add(engineResult.engine);
       
-      // Add engine-specific results
-      if (engineResult.results) {
-        mergedResults.results.push(...engineResult.results);
+      // Add engine-specific results with validation
+      if (engineResult.results && Array.isArray(engineResult.results)) {
+        // Filter out invalid entries (non-objects or config objects)
+        const validResults = engineResult.results.filter(result => {
+          if (!result || typeof result !== 'object') return false;
+          // Skip objects that look like metadata/config
+          if (result.semanticEngine || result.project || result._context) return false;
+          // Must have either file/filePath or be a valid result object
+          return result.file || result.filePath || result.violations || result.messages;
+        });
+        mergedResults.results.push(...validResults);
       }
       
       // Track engine statistics

package/core/cli-action-handler.js

@@ -124,14 +124,14 @@ class CliActionHandler {
         heuristicConfig: { 
           ...config.heuristic || {},
           targetFiles: this.options.targetFiles,  // Pass filtered files for semantic optimization
-          maxSemanticFiles: this.options.maxSemanticFiles !== undefined ? parseInt(this.options.maxSemanticFiles) : 1000,  // Configurable semantic file limit
+          maxSemanticFiles: this.options.maxSemanticFiles ? parseInt(this.options.maxSemanticFiles) : 1000,
           verbose: this.options.verbose  // Pass verbose for debugging
         }
       });
       
       if (this.options.verbose) {
         console.log(`🔧 Debug: maxSemanticFiles option = ${this.options.maxSemanticFiles}`);
-        console.log(`🔧 Debug: parsed maxSemanticFiles = ${this.options.maxSemanticFiles !== undefined ? parseInt(this.options.maxSemanticFiles) : 1000}`);
+        console.log(`🔧 Debug: parsed maxSemanticFiles = ${this.options.maxSemanticFiles !== undefined ? parseInt(this.options.maxSemanticFiles) : Infinity}`);
       }
 
       // Run analysis with new orchestrator

package/core/config-merger.js

@@ -215,28 +215,50 @@ class ConfigMerger {
         
         try {
           const resolvedPath = path.resolve(inputPath);
+          const isAbsolutePath = path.isAbsolute(inputPath);
+          
           if (fs.existsSync(resolvedPath)) {
             const stat = fs.statSync(resolvedPath);
             if (stat.isFile()) {
               // For files, add the exact path
               expandedInclude.push(inputPath);
-              expandedInclude.push('**/' + inputPath);
+              // Only add **/ prefix for relative paths
+              if (!isAbsolutePath) {
+                expandedInclude.push('**/' + inputPath);
+              }
             } else if (stat.isDirectory()) {
               // For directories, add recursive patterns
-              expandedInclude.push(inputPath + '/**');
-              expandedInclude.push('**/' + inputPath + '/**');
+              // Special handling for current directory
+              if (inputPath === '.' || inputPath === './') {
+                // For current directory, match all files
+                expandedInclude.push('**/*');
+              } else {
+                expandedInclude.push(inputPath + '/**');
+                // Only add **/ prefix for relative paths
+                if (!isAbsolutePath) {
+                  expandedInclude.push('**/' + inputPath + '/**');
+                }
+              }
             }
           } else {
             // If path doesn't exist, assume it's a pattern and add both file and directory variants
             expandedInclude.push(inputPath);
             expandedInclude.push(inputPath + '/**');
-            expandedInclude.push('**/' + inputPath);
-            expandedInclude.push('**/' + inputPath + '/**');
+            // Only add **/ prefix for relative paths
+            if (!isAbsolutePath) {
+              expandedInclude.push('**/' + inputPath);
+              expandedInclude.push('**/' + inputPath + '/**');
+            }
           }
         } catch (error) {
           // Fallback to original logic if file system check fails
+          const path = require('path');
+          const isAbsolutePath = path.isAbsolute(inputPath);
           expandedInclude.push(inputPath + '/**');
-          expandedInclude.push('**/' + inputPath + '/**');
+          // Only add **/ prefix for relative paths
+          if (!isAbsolutePath) {
+            expandedInclude.push('**/' + inputPath + '/**');
+          }
         }
       }
       result.include = expandedInclude;

package/core/constants/defaults.js

@@ -98,7 +98,7 @@ const DEFAULT_PERFORMANCE = {
   // File filtering
   ENABLE_FILE_FILTERING: true,
   MAX_FILE_SIZE: 2 * 1024 * 1024,  // 2MB per file
-  MAX_TOTAL_FILES: 1000,           // Max 1000 files per analysis
+  MAX_TOTAL_FILES: 1000,           // Limit total files analyzed
   
   // Batch processing
   ENABLE_BATCHING: true,

package/core/file-targeting-service.js

@@ -150,8 +150,54 @@ class FileTargetingService {
       allFiles.push(...files);
     }
     
+    // IMPORTANT: If inputPaths are optimized subdirectories, also collect root-level files
+    // This handles files like middleware.ts, auth.ts, instrumentation.ts in Next.js projects
+    if (inputPaths.length > 0) {
+      const firstPath = inputPaths[0];
+      const projectRoot = path.dirname(firstPath);
+      
+      // Check if we're dealing with subdirectories (optimized paths)
+      const isOptimized = inputPaths.every(p => path.dirname(p) === projectRoot);
+      
+      if (isOptimized) {
+        // Collect root-level source files only (not recursive)
+        const rootFiles = await this.collectRootLevelFiles(projectRoot);
+        allFiles.push(...rootFiles);
+      }
+    }
+    
     return allFiles;
   }
+  
+  /**
+   * Collect only root-level source files (non-recursive)
+   * Handles Next.js patterns like middleware.ts, auth.ts, instrumentation.ts
+   */
+  async collectRootLevelFiles(projectRoot) {
+    const files = [];
+    const targetExtensions = ['.ts', '.tsx', '.js', '.jsx'];
+    
+    try {
+      const entries = fs.readdirSync(projectRoot);
+      
+      for (const entry of entries) {
+        const fullPath = path.join(projectRoot, entry);
+        const stat = fs.statSync(fullPath);
+        
+        // Only collect files at root level, skip directories
+        if (stat.isFile()) {
+          const ext = path.extname(fullPath);
+          if (targetExtensions.includes(ext)) {
+            files.push(path.resolve(fullPath));
+          }
+        }
+      }
+    } catch (error) {
+      // Silent fail - root scanning is optional optimization
+    }
+    
+    return files;
+  }
 
     /**
    * Optimize project paths to focus on source and test directories
@@ -200,7 +246,7 @@ class FileTargetingService {
    */
   findProjectSourceDirs(projectPath, cliOptions = {}) {
     const sourceDirs = [];
-    const candidateDirs = ['src', 'lib', 'app', 'packages'];
+    const candidateDirs = ['src', 'lib', 'app', 'packages', 'components', 'hooks', 'utils', 'helpers', 'services', 'worker'];
     const testDirs = ['test', 'tests', '__tests__', 'spec', 'specs'];
     
     // Always include test directories if --include-tests flag is used
@@ -404,7 +450,25 @@ class FileTargetingService {
     const result = files.filter(file => {
       return patternArray.some(pattern => {
         const normalizedFile = this.normalizePath(file);
-        const match = minimatch(normalizedFile, pattern, { dot: true });
+        const isAbsolutePattern = path.isAbsolute(pattern);
+        const isAbsoluteFile = path.isAbsolute(file);
+        
+        // For absolute patterns, match against absolute file paths
+        // For relative patterns, match against normalized (relative or absolute) paths
+        let match = false;
+        if (isAbsolutePattern) {
+          // Match absolute pattern against absolute file path
+          match = minimatch(file.replace(/\\/g, '/'), pattern, { dot: true });
+        } else {
+          // Match relative pattern against normalized path
+          match = minimatch(normalizedFile, pattern, { dot: true });
+          
+          // Also try matching relative pattern against absolute path for compatibility
+          if (!match && isAbsoluteFile) {
+            match = minimatch(file.replace(/\\/g, '/'), pattern, { dot: true });
+          }
+        }
+        
         if (debug && file.includes('.ts') && !file.includes('.test.')) {
           console.log(`🔍 [DEBUG] Testing: '${file}' -> '${normalizedFile}' vs '${pattern}' = ${match}`);
         }
@@ -529,8 +593,12 @@ class FileTargetingService {
    * Rule C006: normalizePath - verb-noun naming
    */
   normalizePath(filePath) {
-    // Convert to relative path from current working directory for pattern matching
-    const relativePath = path.relative(process.cwd(), filePath);
+    // Always convert to relative path from cwd for pattern matching
+    // This ensures patterns like 'src/**' work with absolute file paths
+    const relativePath = path.isAbsolute(filePath) 
+      ? path.relative(process.cwd(), filePath)
+      : filePath;
+    
     // Normalize path separators for cross-platform compatibility
     return relativePath.replace(/\\/g, '/');
   }

package/core/output-service.js

@@ -28,9 +28,9 @@ class OutputService {
     try {
       const packageJsonPath = path.join(__dirname, '..', 'package.json');
       const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
-      return packageJson.version || '1.3.16';
+      return packageJson.version || '1.3.18';
     } catch (error) {
-      return '1.3.16'; // Fallback version
+      return '1.3.18'; // Fallback version
     }
   }
 
@@ -140,6 +140,17 @@ class OutputService {
     const allViolations = [];
     let totalFiles = results.filesAnalyzed || results.summary?.totalFiles || results.totalFiles || results.fileCount || 0;
 
+    // Helper function to validate violation object
+    const isValidViolation = (violation) => {
+      if (!violation || typeof violation !== 'object') return false;
+      // Skip config/metadata objects (have nested objects like semanticEngine, project, etc.)
+      if (violation.semanticEngine || violation.project || violation._context) return false;
+      // Must have ruleId as string
+      const ruleId = violation.ruleId || violation.rule;
+      if (!ruleId || typeof ruleId !== 'string') return false;
+      return true;
+    };
+
     // Collect all violations - handle both file-based and rule-based results
     if (results.results) {
       results.results.forEach(result => {
@@ -147,16 +158,20 @@ class OutputService {
           // Handle rule-based format (MultiRuleRunner)
           if (result.ruleId) {
             result.violations.forEach(violation => {
-              allViolations.push(violation); // violation already has file path
+              if (isValidViolation(violation)) {
+                allViolations.push(violation); // violation already has file path
+              }
             });
           } 
           // Handle file-based format (legacy)
           else {
             result.violations.forEach(violation => {
-              allViolations.push({
-                ...violation,
-                file: result.filePath || result.file // Use filePath first, then file
-              });
+              if (isValidViolation(violation)) {
+                allViolations.push({
+                  ...violation,
+                  file: result.filePath || result.file // Use filePath first, then file
+                });
+              }
             });
           }
         }
@@ -164,7 +179,7 @@ class OutputService {
         // Handle ESLint format (messages array)
         if (result.messages) {
           result.messages.forEach(message => {
-            allViolations.push({
+            const violation = {
               file: result.filePath || message.file,
               ruleId: message.ruleId,
               severity: message.severity === 2 ? 'error' : 'warning',
@@ -172,7 +187,10 @@ class OutputService {
               line: message.line,
               column: message.column,
               source: message.source || 'eslint'
-            });
+            };
+            if (isValidViolation(violation)) {
+              allViolations.push(violation);
+            }
           });
         }
       });
@@ -232,12 +250,29 @@ class OutputService {
       fileGroups[file].push(violation);
     });
 
+    // Sort file paths alphabetically for consistent output
+    const sortedFiles = Object.keys(fileGroups).sort();
+
     // Format each file's violations (ESLint-compatible format)
-    Object.keys(fileGroups).forEach(file => {
+    sortedFiles.forEach((file, index) => {
+      // Sort violations by line number within each file
+      const sortedViolations = fileGroups[file].sort((a, b) => {
+        const lineA = a.location?.start?.line || a.line || 1;
+        const lineB = b.location?.start?.line || b.line || 1;
+        if (lineA !== lineB) return lineA - lineB;
+        return (a.location?.start?.column || a.column || 1) - (b.location?.start?.column || b.column || 1);
+      });
+
+      // Add blank line before file header (except for the first file)
+      if (index > 0) {
+        output += '\n';
+      }
       output += `\n${chalk.underline(path.resolve(file))}\n`;
-      fileGroups[file].forEach(violation => {
-        const line = (violation.line || 1).toString();
-        const column = (violation.column || 1).toString();
+      
+      sortedViolations.forEach(violation => {
+        // Support both location.start.line (new format) and line (legacy format)
+        const line = (violation.location?.start?.line || violation.line || 1).toString();
+        const column = (violation.location?.start?.column || violation.column || 1).toString();
         const severityText = violation.severity === 'error' ? 'error' : 'warning';
         const severityColor = violation.severity === 'error' ? chalk.red : chalk.yellow;
 

package/core/summary-report-service.js

@@ -23,9 +23,9 @@ class SummaryReportService {
     try {
       const packageJsonPath = path.join(__dirname, '..', 'package.json');
       const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
-      return packageJson.version || '1.3.16';
+      return packageJson.version || '1.3.18';
     } catch (error) {
-      return '1.3.16'; // Fallback version
+      return '1.3.18'; // Fallback version
     }
   }
 
@@ -198,7 +198,25 @@ class SummaryReportService {
     // Count violations by rule
     const violationsByRule = {};
     violations.forEach(violation => {
-      const ruleId = violation.ruleId || 'unknown';
+      // Validate that this is actually a violation object (not metadata/config)
+      // A valid violation should have ruleId/rule as string and message
+      if (!violation || typeof violation !== 'object') {
+        return; // Skip non-objects
+      }
+      
+      // Skip objects that look like metadata/config (have nested objects like semanticEngine, project, etc.)
+      if (violation.semanticEngine || violation.project || violation.options) {
+        return; // Skip config objects
+      }
+      
+      // Get ruleId from various possible fields
+      const ruleId = violation.ruleId || violation.rule || 'unknown';
+      
+      // Ensure ruleId is a string (not an object)
+      if (typeof ruleId !== 'string') {
+        return; // Skip invalid ruleId
+      }
+      
       if (!violationsByRule[ruleId]) {
         violationsByRule[ruleId] = {
           rule_code: ruleId,

package/engines/heuristic-engine.js

@@ -707,6 +707,11 @@ class HeuristicEngine extends AnalysisEngineInterface {
       return parseInt(options.maxFiles);
     }
     
+    // User explicitly disabled limit
+    if (options.maxFiles === -1 || options.maxFiles === '-1') {
+      return Infinity;
+    }
+    
     // Performance config limit
     if (this.performanceConfig?.maxFiles) {
       return this.performanceConfig.maxFiles;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.16",
+  "version": "1.3.18",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/common/C002_no_duplicate_code/README.md

@@ -0,0 +1,115 @@
+# C002: No Duplicate Code (Monkey Coding Detection)
+
+## Overview
+
+This rule detects **true monkey coding** - code that has been copy-pasted multiple times across the codebase. It enforces the DRY (Don't Repeat Yourself) principle by identifying duplicate logic that should be refactored into shared functions.
+
+## Rule Details
+
+**Rule ID**: `C002`  
+**Category**: Code Quality  
+**Severity**: Warning  
+**Language Support**: TypeScript/JavaScript (AST-based analysis)
+
+## What is Monkey Coding?
+
+Monkey coding refers to the practice of copying and pasting code blocks instead of creating reusable abstractions.
+
+### ✅ TRUE DUPLICATES (Will Report):
+- Functions/methods with identical or near-identical logic (≥95% similarity)
+- Copy-pasted validation, calculation, or error handling logic
+- Duplicate code blocks across different files or within same file
+
+### ❌ INTENTIONAL PATTERNS (Will NOT Report):
+- Simple JSX/HTML wrapper components with different names
+- React component wrappers (e.g., shadcn/ui patterns)
+- Boilerplate patterns with structural similarity but different business logic
+
+## Configuration
+
+```json
+{
+  "minLines": 10,
+  "similarityThreshold": 0.95
+}
+```
+
+- `minLines`: Minimum lines to consider (default: 10)
+- `similarityThreshold`: 0-1 (default: 0.95 = 95%)
+
+## Examples
+
+See test cases in `test-cases/` directory for complete examples.
+
+### ❌ Incorrect (Monkey Coding)
+
+```typescript
+// Copy-paste API error handling
+async getUserById(id: number) {
+  try {
+    const response = await fetch(`/api/users/${id}`);
+    if (!response.ok) {
+      throw new Error('Failed to fetch user');
+    }
+    return await response.json();
+  } catch (error) {
+    throw new Error('Network request failed');
+  }
+}
+
+// Duplicate logic!
+async getOrderById(id: number) {
+  try {
+    const response = await fetch(`/api/orders/${id}`);
+    if (!response.ok) {
+      throw new Error('Failed to fetch order');
+    }
+    return await response.json();
+  } catch (error) {
+    throw new Error('Network request failed');
+  }
+}
+```
+
+### ✅ Correct (Refactored)
+
+```typescript
+async fetchAPI<T>(endpoint: string, context: string): Promise<T> {
+  try {
+    const response = await fetch(endpoint);
+    if (!response.ok) {
+      throw new Error(`Failed to fetch ${context}`);
+    }
+    return await response.json();
+  } catch (error) {
+    throw new Error('Network request failed');
+  }
+}
+
+async getUserById(id: number) {
+  return this.fetchAPI(`/api/users/${id}`, 'user');
+}
+
+async getOrderById(id: number) {
+  return this.fetchAPI(`/api/orders/${id}`, 'order');
+}
+```
+
+## How It Works
+
+1. **AST Parsing**: Parse code with `ts-morph`
+2. **Block Extraction**: Extract functions, methods, classes
+3. **Similarity Calculation**: Structure (60%) + Code (40%)
+4. **Pattern Filtering**: Remove intentional patterns
+
+## Performance
+
+- **Speed**: ~14s for 100 TypeScript files
+- **Accuracy**: 100% (no false positives on tests)
+
+## Testing
+
+```bash
+cd test-cases
+node ../test-monkey-coding.js
+```