@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.26",
+  "version": "1.3.28",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/common/C003_no_vague_abbreviations/analyzer.js

@@ -12,31 +12,83 @@ const { CommentDetector } = require('../../utils/rule-helpers');
 
 class C003NoVagueAbbreviations {
   constructor(options = {}) {
+    // Organize abbreviations by framework/category for better maintainability
+    const abbreviationsByCategory = {
+      // Core technical & web standards
+      core: [
+        'id', 'url', 'uri', 'api', 'ui', 'db', 'fs', 'os', 'io', 'ai', 'ml',
+        'dom', 'xhr', 'spa', 'pwa', 'seo', 'cdn', 'ssl', 'tls'
+      ],
+
+      // File formats & protocols
+      formats: [
+        'json', 'xml', 'html', 'css', 'pdf', 'csv', 'tsv',
+        'png', 'jpg', 'gif', 'svg', 'mp4', 'mp3', 'zip', 'tar'
+      ],
+
+      // Network protocols
+      protocols: [
+        'http', 'https', 'ftp', 'smtp', 'tcp', 'udp', 'sql'
+      ],
+
+      // Programming languages
+      languages: [
+        'js', 'ts', 'py', 'rb', 'go', 'rs', 'kt', 'cs', 'vb', 'sh'
+      ],
+
+      // Frontend frameworks & tools
+      frontend: [
+        'jsx', 'tsx', 'vue', 'scss', 'less'
+      ],
+
+      // Testing abbreviations
+      testing: [
+        'qa', 'ci', 'cd', 'pr', 'it', 'ut', 'e2e',
+        // Test variants from user feedback
+        'qa1', 'qa2', 'ci1', 'ci2', 'it2', 'tsx2'
+      ],
+
+      // Database & ORM
+      database: [
+        'orm', 'ddl', 'dml', 'etl', 'olap', 'oltp', 'sql'
+      ],
+
+      // TypeORM specific
+      typeorm: [
+        'qb'  // QueryBuilder - common in TypeORM
+      ],
+
+      // Business & project management
+      business: [
+        'kpi', 'roi', 'sla', 'poc', 'mvp', 'b2b', 'b2c', 'crm', 'erp'
+      ],
+
+      // Common development terms
+      dev: [
+        'config', 'env', 'app', 'btn', 'img', 'src', 'dest',
+        'req', 'res', 'ctx', 'auth', 'log', 'err', 'msg', 'key'
+      ],
+
+      // Math & measurements
+      math: [
+        'min', 'max', 'len', 'num', 'str', 'ms'
+      ],
+
+      // Common context terms
+      context: [
+        'value', 'result', 'response', 'request', 'data',
+        'item', 'element', 'object', 'async', 'length'
+      ]
+    };
+
+    // Combine all abbreviations from categories
+    const allAbbreviations = Object.values(abbreviationsByCategory).flat();
+
     this.options = {
       allowedSingleChar: new Set(options.allowedSingleChar || [
         'i', 'j', 'k', 'x', 'y', 'z', 'n', 'm', 't', 'v', 'r', 'e', 'p', 'w', 'h'
       ]),
-      allowedAbbreviations: new Set(options.allowedAbbreviations || [
-        // Technical abbreviations from user feedback
-        'id', 'url', 'uri', 'api', 'ui', 'db', 'fs', 'os', 'io', 'ai', 'ml', 'qa', 'ci', 'cd', 'pr',
-        'jwt', 'uuid', 'json', 'xml', 'html', 'css', 'sql', 'http', 'https', 'ftp', 'smtp', 'tcp', 'udp',
-        'pdf', 'csv', 'tsv', 'png', 'jpg', 'gif', 'svg', 'mp4', 'mp3', 'zip', 'tar',
-        'js', 'ts', 'py', 'rb', 'go', 'rs', 'kt', 'cs', 'vb', 'sh',
-        'dom', 'xhr', 'spa', 'pwa', 'seo', 'cdn', 'ssl', 'tls',
-        'orm', 'ddl', 'dml', 'etl', 'olap', 'oltp',
-        'kpi', 'roi', 'sla', 'poc', 'mvp', 'b2b', 'b2c', 'crm', 'erp',
-        'jsx', 'tsx', 'vue', 'scss', 'less',
-        'it', 'ut', 'e2e',
-        // Common development terms
-        'config', 'env', 'app', 'btn', 'img', 'src', 'dest', 'req', 'res', 'ctx',
-        'min', 'max', 'len', 'num', 'str', 'auth', 'log', 'err', 'msg', 'key',
-        // Add the variants from user feedback cases
-        'qa1', 'ci1', 'tsx2', 'it2', 'qa2', 'ci2',
-        // Common test/function context terms
-        'value', 'result', 'response', 'request', 'data', 'item', 'element', 'object',
-        // Common programming terms
-        'async', 'length', 'ms'
-      ]),
+      allowedAbbreviations: new Set(options.allowedAbbreviations || allAbbreviations),
       minLength: options.minLength || 2,
       strictMode: options.strictMode || false
     };

package/rules/common/C017_constructor_logic/symbol-based-analyzer.js

@@ -72,6 +72,158 @@ class C017SymbolBasedAnalyzer {
     }
   }
 
+  /**
+   * Check if the file is a Data Transfer Object (DTO)
+   * Uses multiple detection strategies:
+   * 1. Decorators (@DTO, @DataTransferObject)
+   * 2. Inheritance (extends BaseDTO, extends DTO)
+   * 3. Interface implementation (implements IDTO)
+   * 4. JSDoc annotations (@dto, @data-transfer-object)
+   * 5. File location (in dto/ or dtos/ folder)
+   * 6. Structural pattern analysis
+   * 7. Filename pattern (.dto.ts, .dto.js)
+   * 8. Class name pattern (ending with DTO/Dto)
+   */
+  isDataTransferObject(filePath, constructor) {
+    try {
+      const classDecl = constructor.getParent();
+      if (!classDecl) return false;
+
+      // Strategy 1: Check decorators
+      const decorators = classDecl.getDecorators?.() || [];
+      for (const decorator of decorators) {
+        const decoratorName = decorator.getName();
+        if (decoratorName && /^(DTO|DataTransferObject|Dto)$/i.test(decoratorName)) {
+          return true;
+        }
+      }
+
+      // Strategy 2: Check inheritance (extends BaseDTO, DTO, etc.)
+      const heritage = classDecl.getExtends?.();
+      if (heritage) {
+        const baseClassName = heritage.getText();
+        if (/\b(Base)?(DTO|Dto|DataTransferObject)\b/.test(baseClassName)) {
+          return true;
+        }
+      }
+
+      // Strategy 3: Check interface implementation
+      const implementations = classDecl.getImplements?.() || [];
+      for (const impl of implementations) {
+        const interfaceName = impl.getText();
+        if (/^I?(DTO|Dto|DataTransferObject)$/i.test(interfaceName)) {
+          return true;
+        }
+      }
+
+      // Strategy 4: Check JSDoc tags
+      const jsDocs = classDecl.getJsDocs?.() || [];
+      for (const jsDoc of jsDocs) {
+        const tags = jsDoc.getTags?.() || [];
+        for (const tag of tags) {
+          const tagName = tag.getTagName();
+          if (tagName && /^(dto|data-transfer-object|transfer-object)$/i.test(tagName)) {
+            return true;
+          }
+        }
+        // Also check comment text
+        const comment = jsDoc.getDescription?.() || '';
+        if (/@(dto|data-transfer-object)\b/i.test(comment)) {
+          return true;
+        }
+      }
+
+      // Strategy 5: Check file location (dto/ or dtos/ folder)
+      if (filePath.match(/[\/\\](dto|dtos|transfer-objects?)[\/\\]/i)) {
+        return true;
+      }
+
+      // Strategy 6: Structural pattern analysis
+      if (this.hasDataTransferObjectStructure(classDecl)) {
+        return true;
+      }
+
+      // Strategy 7: Check filename pattern
+      if (filePath.match(/\.dto\.(ts|js)$/i)) {
+        return true;
+      }
+
+      // Strategy 8: Check class name pattern
+      const className = classDecl.getName?.() || '';
+      if (className.match(/(DTO|Dto)$/)) {
+        return true;
+      }
+
+    } catch (error) {
+      // Ignore errors, continue with fallback checks
+    }
+
+    return false;
+  }
+
+  /**
+   * Analyze class structure to detect DTO pattern
+   * DTOs typically have:
+   * - Mostly public properties (data fields)
+   * - Few methods (only simple transformations)
+   * - Constructor that accepts plain data object
+   * - No injected dependencies (services, repositories)
+   */
+  hasDataTransferObjectStructure(classDecl) {
+    try {
+      const properties = classDecl.getProperties();
+      const methods = classDecl.getMethods();
+      const constructor = classDecl.getConstructors()[0];
+
+      // DTO should have at least some properties
+      if (properties.length === 0) {
+        return false;
+      }
+
+      // Count public properties vs total properties
+      const publicProperties = properties.filter(prop => {
+        const modifiers = prop.getModifiers().map(m => m.getText());
+        return !modifiers.includes('private') && !modifiers.includes('protected');
+      });
+
+      // DTO pattern: Most properties are public (data fields)
+      const publicPropertyRatio = publicProperties.length / properties.length;
+      if (publicPropertyRatio < 0.5) {
+        return false; // Too many private properties for a DTO
+      }
+
+      // DTO pattern: Few or no methods (excluding constructor)
+      if (methods.length > 3) {
+        return false; // Too many methods for a DTO
+      }
+
+      // Check constructor parameters
+      if (constructor) {
+        const params = constructor.getParameters();
+
+        // DTO pattern: Usually 1-2 parameters (data object, optional config)
+        if (params.length > 2) {
+          return false;
+        }
+
+        // Check if parameters are dependency injections (services, repositories)
+        for (const param of params) {
+          const paramType = param.getType().getText();
+          // If injecting services/repositories, not a DTO
+          if (/(Service|Repository|Controller|Manager|Handler|Provider)/.test(paramType)) {
+            return false;
+          }
+        }
+      }
+
+      // Passed all structural checks - likely a DTO
+      return true;
+
+    } catch (error) {
+      return false;
+    }
+  }
+
   /**
    * Analyze a constructor for business logic violations
    */
@@ -80,10 +232,15 @@ class C017SymbolBasedAnalyzer {
     if (!body) return;
 
     const statements = body.getStatements();
+    const isDTO = this.isDataTransferObject(filePath, constructor);
+
+    if (verbose && isDTO) {
+      console.log(`  📦 [C017] DTO class detected: ${filePath} - allowing private method calls`);
+    }
 
     for (const statement of statements) {
       // Check for method calls (instance methods)
-      if (this.containsMethodCall(statement, verbose)) {
+      if (this.containsMethodCall(statement, verbose, isDTO, constructor)) {
         const { line, column } = this.getStatementPosition(statement);
 
         violations.push({
@@ -206,10 +363,46 @@ class C017SymbolBasedAnalyzer {
     }
   }
 
+  /**
+   * Check if a method is a private method in the class
+   */
+  isPrivateMethod(methodName, constructor) {
+    try {
+      const classDecl = constructor.getParent();
+      if (!classDecl) return false;
+
+      // Get all methods in the class
+      const methods = classDecl.getMethods();
+
+      for (const method of methods) {
+        const name = method.getName();
+        if (name === methodName) {
+          // Check if method has private modifier
+          const modifiers = method.getModifiers();
+          for (const modifier of modifiers) {
+            if (modifier.getText() === 'private') {
+              return true;
+            }
+          }
+          // In TypeScript, methods starting with # are also private
+          if (name.startsWith('#')) {
+            return true;
+          }
+          break;
+        }
+      }
+    } catch (error) {
+      // Ignore errors, default to not private
+    }
+    return false;
+  }
+
   /**
    * Check if statement contains instance method calls
+   * @param {boolean} isDTO - If true and method is private, allow the call (DTO pattern)
+   * @param {object} constructor - Constructor node to check method visibility
    */
-  containsMethodCall(statement, verbose = false) {
+  containsMethodCall(statement, verbose = false, isDTO = false, constructor = null) {
     // Get all call expressions in the statement
     const callExpressions = statement.getDescendantsOfKind(SyntaxKind.CallExpression);
 
@@ -234,6 +427,17 @@ class C017SymbolBasedAnalyzer {
         if (!safePatterns.includes(methodName)) {
           // Check if it's a config service or environment variable access
           if (!this.isSafeConfigAccess(callExpr)) {
+            // DTO Exception: Allow private method calls in DTOs for data transformation
+            if (isDTO && constructor) {
+              const isPrivate = this.isPrivateMethod(methodName, constructor);
+              if (isPrivate) {
+                if (verbose) {
+                  console.log(`  ✅ [C017] DTO private method allowed: ${callText}`);
+                }
+                continue; // Skip this violation for DTO private methods
+              }
+            }
+
             if (verbose) {
               console.log(`  🔧 Method call detected: ${callText}`);
             }