@sun-asterisk/sunlint 1.3.36 → 1.3.37

package/cli.js

@@ -10,10 +10,42 @@
 const chalk = require('chalk');
 const { createCliProgram } = require('./core/cli-program');
 const CliActionHandler = require('./core/cli-action-handler');
+const { initProject } = require('./core/init-command');
 
 // Create CLI program
 const program = createCliProgram();
 
+// ──────────────────────────────────────────────────────────────
+// Init Command - Initialize project with SunLint skill
+// ──────────────────────────────────────────────────────────────
+const { AI_TOOL_CONFIG, DEFAULT_TOOL, getAvailableToolsHelp } = require('./core/init-command');
+
+program
+  .command('init [directory]')
+  .description('Initialize a project with SunLint code quality skill and AGENTS.md')
+  .option('-f, --force', 'Overwrite existing files')
+  .option('-t, --tool <tool>', `Target AI tool (default: ${DEFAULT_TOOL})`, DEFAULT_TOOL)
+  .addHelpText('after', `
+AI Tool Options:
+${getAvailableToolsHelp()}
+
+Examples:
+  $ sunlint init                     # Use default (antigravity)
+  $ sunlint init -t cursor           # For Cursor AI
+  $ sunlint init -t claude           # For Claude
+  $ sunlint init -t github-copilot   # For GitHub Copilot
+  $ sunlint init ./my-project -t cursor --force
+`)
+  .action(async (directory, options) => {
+    try {
+      const targetDir = directory || process.cwd();
+      await initProject(targetDir, options);
+    } catch (error) {
+      console.error(chalk.red('Error initializing project:'), error.message);
+      process.exit(1);
+    }
+  });
+
 // Set up main action handler
 program.action(async (options) => {
   // Always use modern architecture (legacy removed)
@@ -34,3 +66,4 @@ process.on('uncaughtException', (error) => {
 
 // Parse CLI arguments
 program.parse();
+

package/config/rules/enhanced-rules-registry.json

@@ -1549,7 +1549,8 @@
           "regex": 85,
           "ast": 90
         }
-      }
+      },
+      "analyzerPath": "rules/security/S001_backend_auth_communications"
     },
     "S002": {
       "name": "IDOR Check",
@@ -1568,7 +1569,8 @@
         "security",
         "idor",
         "access-control"
-      ]
+      ],
+      "analyzerPath": "rules/security/S002_os_command_injection"
     },
     "S003": {
       "name": "Open Redirect Protection",
@@ -1793,7 +1795,8 @@
         "security",
         "cryptography",
         "agility"
-      ]
+      ],
+      "analyzerPath": "rules/security/S008_svg_content_validation"
     },
     "S009": {
       "name": "No Insecure Crypto",
@@ -2052,7 +2055,8 @@
         "security",
         "validation",
         "input"
-      ]
+      ],
+      "analyzerPath": "rules/security/S018_no_sensitive_browser_storage"
     },
     "S019": {
       "name": "SMTP Injection Protection",
@@ -2274,42 +2278,76 @@
       }
     },
     "S026": {
-      "name": "JSON Schema Validation",
-      "description": "Require JSON schema validation",
+      "name": "Use TLS encryption for all inbound and outbound connections",
+      "description": "Ensure all application connections use encrypted TLS protocol. Detect insecure HTTP, WS, unencrypted database connections, and disabled SSL/TLS settings.",
       "category": "security",
-      "severity": "warning",
+      "severity": "critical",
       "languages": [
         "typescript",
-        "javascript"
+        "javascript",
+        "dart"
       ],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s026",
+      "analyzer": "./rules/security/S026_tls_all_connections/typescript/analyzer.js",
+      "config": "./rules/security/S026_tls_all_connections/config.json",
       "version": "1.0.0",
       "status": "stable",
       "tags": [
         "security",
-        "validation",
-        "json-schema"
-      ]
+        "tls",
+        "encryption",
+        "https",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": [
+          "heuristic"
+        ],
+        "accuracy": {
+          "heuristic": 90
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S026_tls_all_connections/typescript/analyzer.js"
+        ]
+      }
     },
     "S027": {
-      "name": "No Hardcoded Secrets Advanced",
-      "description": "Advanced detection of hardcoded secrets",
+      "name": "Validate mTLS client certificates before allowing authenticated operations",
+      "description": "Ensure mutual TLS (mTLS) client certificate validation is properly implemented before allowing authenticated operations. Detect missing certificate validation, disabled verification, and improper mTLS configuration.",
       "category": "security",
-      "severity": "error",
+      "severity": "critical",
       "languages": [
         "typescript",
-        "javascript"
+        "javascript",
+        "dart"
       ],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s027",
+      "analyzer": "./rules/security/S027_mtls_certificate_validation/typescript/analyzer.js",
+      "config": "./rules/security/S027_mtls_certificate_validation/config.json",
       "version": "1.0.0",
       "status": "stable",
       "tags": [
         "security",
-        "secrets",
-        "hardcoded"
-      ]
+        "mtls",
+        "certificate",
+        "authentication",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": [
+          "heuristic"
+        ],
+        "accuracy": {
+          "heuristic": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S027_mtls_certificate_validation/typescript/analyzer.js"
+        ]
+      }
     },
     "S028": {
       "name": "Limit upload file size and number of files per user",
@@ -2536,53 +2574,77 @@
       }
     },
     "S035": {
-      "name": "Set Path attribute for Session Cookies",
-      "description": "Set Path attribute for Session Cookies to limit access scope",
+      "name": "Host separate applications on different hostnames to leverage same-origin policy",
+      "description": "Detect applications sharing hostnames or domains which bypasses browser same-origin policy protection. Separate apps should use different hostnames for security isolation.",
       "category": "security",
-      "severity": "warning",
+      "severity": "medium",
       "languages": [
         "typescript",
-        "javascript"
+        "javascript",
+        "dart"
       ],
-      "analyzer": "heuristic",
+      "analyzer": "./rules/security/S035_separate_app_hostnames/typescript/analyzer.js",
+      "config": "./rules/security/S035_separate_app_hostnames/config.json",
       "version": "1.0.0",
       "status": "stable",
       "tags": [
         "security",
-        "cookies",
-        "path"
+        "same-origin",
+        "hostname",
+        "isolation",
+        "owasp"
       ],
       "strategy": {
-        "defaultEngine": "heuristic",
-        "engineMappings": {
-          "heuristic": [
-            "rules/security/S035_path_session_cookies/analyzer.js"
-          ]
+        "preferred": "heuristic",
+        "fallbacks": [
+          "heuristic"
+        ],
+        "accuracy": {
+          "heuristic": 80
         }
       },
-      "configPath": "rules/security/S035_path_session_cookies/config.json",
-      "analyzerPath": [
-        "rules/security/S035_path_session_cookies/analyzer.js"
-      ]
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S035_separate_app_hostnames/typescript/analyzer.js"
+        ]
+      }
     },
     "S036": {
-      "name": "No Unsafe File Include",
-      "description": "Prevent unsafe file inclusion vulnerabilities",
+      "name": "Use internal data for file paths, validate user filenames strictly",
+      "description": "Prevent path traversal, LFI, RFI, and SSRF attacks by validating file paths and user-provided filenames. Use allowlists, reject path separators, and resolve paths securely.",
       "category": "security",
       "severity": "error",
       "languages": [
         "typescript",
-        "javascript"
+        "javascript",
+        "dart"
       ],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s036",
+      "analyzer": "./rules/security/S036_lfi_rfi_protection/typescript/analyzer.js",
+      "config": "./rules/security/S036_lfi_rfi_protection/config.json",
       "version": "1.0.0",
       "status": "stable",
       "tags": [
         "security",
         "file-inclusion",
-        "path-traversal"
-      ]
+        "path-traversal",
+        "lfi",
+        "rfi",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": [
+          "heuristic"
+        ],
+        "accuracy": {
+          "heuristic": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S036_lfi_rfi_protection/typescript/analyzer.js"
+        ]
+      }
     },
     "S037": {
       "name": "Configure comprehensive cache headers to prevent sensitive data leakage",
@@ -2657,38 +2719,38 @@
       }
     },
     "S039": {
-      "name": "Do not pass Session Tokens via URL parameters",
-      "description": "Detects when session tokens, authentication tokens, JWT tokens, or other sensitive authentication data are passed as URL parameters instead of secure headers or request body. URL parameters are logged in web server logs, browser history, and can be exposed in referrer headers.",
+      "name": "TLS clients must validate server certificates to prevent MitM attacks",
+      "description": "Ensure TLS clients properly validate server certificates. Detect disabled certificate verification, missing CA validation, and insecure TLS configurations that allow man-in-the-middle attacks.",
       "category": "security",
-      "severity": "warning",
+      "severity": "critical",
       "languages": [
         "typescript",
-        "javascript"
+        "javascript",
+        "dart"
       ],
-      "analyzer": "./rules/security/S039_no_session_tokens_in_url/analyzer.js",
-      "config": "./rules/security/S039_no_session_tokens_in_url/config.json",
+      "analyzer": "./rules/security/S039_tls_certificate_validation/typescript/analyzer.js",
+      "config": "./rules/security/S039_tls_certificate_validation/config.json",
       "version": "1.0.0",
-      "status": "experimental",
+      "status": "stable",
       "tags": [
         "security",
-        "session-tokens",
-        "url-parameters",
-        "authentication"
+        "tls",
+        "certificate",
+        "mitm",
+        "owasp"
       ],
       "strategy": {
-        "preferred": "ast",
+        "preferred": "heuristic",
         "fallbacks": [
-          "ast",
-          "regex"
+          "heuristic"
         ],
         "accuracy": {
-          "ast": 85,
-          "regex": 70
+          "heuristic": 90
         }
       },
       "engineMappings": {
         "heuristic": [
-          "rules/security/S039_no_session_tokens_in_url/analyzer.js"
+          "rules/security/S039_tls_certificate_validation/typescript/analyzer.js"
         ]
       }
     },
@@ -2841,61 +2903,112 @@
       }
     },
     "S046": {
-      "name": "Secure Notification on Auth Change",
-      "description": "Require secure notification on authentication changes",
+      "name": "Use explicit algorithm allowlist for JWT verification",
+      "description": "Ensure JWT verification uses an explicit algorithm allowlist to prevent algorithm confusion attacks. Detect missing or weak algorithm configurations in JWT libraries.",
       "category": "security",
-      "severity": "warning",
+      "severity": "critical",
       "languages": [
         "typescript",
-        "javascript"
+        "javascript",
+        "dart"
       ],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s046",
+      "analyzer": "./rules/security/S046_jwt_algorithm_allowlist/typescript/analyzer.js",
+      "config": "./rules/security/S046_jwt_algorithm_allowlist/config.json",
       "version": "1.0.0",
       "status": "stable",
       "tags": [
         "security",
-        "notification",
-        "authentication"
-      ]
+        "jwt",
+        "algorithm",
+        "authentication",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": [
+          "heuristic"
+        ],
+        "accuracy": {
+          "heuristic": 90
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S046_jwt_algorithm_allowlist/typescript/analyzer.js"
+        ]
+      }
     },
     "S047": {
-      "name": "Secure Random Password Generation",
-      "description": "Require secure and random initial password generation",
+      "name": "Use PKCE protection for OAuth flows to prevent authorization code interception",
+      "description": "Ensure OAuth implementations use PKCE (Proof Key for Code Exchange) to protect against authorization code interception attacks, especially for public clients and mobile apps.",
       "category": "security",
-      "severity": "error",
+      "severity": "critical",
       "languages": [
         "typescript",
-        "javascript"
+        "javascript",
+        "dart"
       ],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s047",
+      "analyzer": "./rules/security/S047_oauth_pkce_protection/typescript/analyzer.js",
+      "config": "./rules/security/S047_oauth_pkce_protection/config.json",
       "version": "1.0.0",
       "status": "stable",
       "tags": [
         "security",
-        "password",
-        "random"
-      ]
+        "oauth",
+        "pkce",
+        "authorization",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": [
+          "heuristic"
+        ],
+        "accuracy": {
+          "heuristic": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S047_oauth_pkce_protection/typescript/analyzer.js"
+        ]
+      }
     },
     "S048": {
-      "name": "Password Credential Recovery",
-      "description": "Secure password credential recovery process",
+      "name": "Validate OAuth redirect URIs with exact string comparison",
+      "description": "Ensure OAuth redirect URIs are validated using exact string comparison to prevent open redirect vulnerabilities. Detect loose pattern matching, regex-based validation, or missing validation.",
       "category": "security",
-      "severity": "error",
+      "severity": "critical",
       "languages": [
         "typescript",
-        "javascript"
+        "javascript",
+        "dart"
       ],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s048",
+      "analyzer": "./rules/security/S048_oauth_redirect_uri_validation/typescript/analyzer.js",
+      "config": "./rules/security/S048_oauth_redirect_uri_validation/config.json",
       "version": "1.0.0",
       "status": "stable",
       "tags": [
         "security",
-        "password",
-        "recovery"
-      ]
+        "oauth",
+        "redirect",
+        "validation",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": [
+          "heuristic"
+        ],
+        "accuracy": {
+          "heuristic": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S048_oauth_redirect_uri_validation/typescript/analyzer.js"
+        ]
+      }
     },
     "S049": {
       "name": "Authentication tokens should have short validity periods",
@@ -2936,23 +3049,40 @@
       }
     },
     "S050": {
-      "name": "Session Token Weak Hash",
-      "description": "Prevent weak hashing for session tokens",
+      "name": "Reference tokens must have at least 128-bit entropy using CSPRNG",
+      "description": "Ensure reference tokens (session IDs, API tokens, etc.) have sufficient entropy (at least 128 bits) and are generated using cryptographically secure pseudo-random number generators (CSPRNG).",
       "category": "security",
-      "severity": "error",
+      "severity": "critical",
       "languages": [
         "typescript",
-        "javascript"
+        "javascript",
+        "dart"
       ],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s050",
+      "analyzer": "./rules/security/S050_reference_tokens_entropy/typescript/analyzer.js",
+      "config": "./rules/security/S050_reference_tokens_entropy/config.json",
       "version": "1.0.0",
       "status": "stable",
       "tags": [
         "security",
-        "session",
-        "hashing"
-      ]
+        "tokens",
+        "entropy",
+        "csprng",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": [
+          "heuristic"
+        ],
+        "accuracy": {
+          "heuristic": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S050_reference_tokens_entropy/typescript/analyzer.js"
+        ]
+      }
     },
     "S051": {
       "name": "Password length policy enforcement (12-64 chars recommended, reject >128)",
@@ -3013,6 +3143,41 @@
         ]
       }
     },
+    "S053": {
+      "name": "Return generic error messages, hide internal details from users",
+      "description": "Prevent exposure of internal error details (stack traces, SQL errors, file paths) to users. Return generic error messages while logging full details server-side.",
+      "category": "security",
+      "severity": "warning",
+      "languages": [
+        "typescript",
+        "javascript",
+        "dart"
+      ],
+      "analyzer": "./rules/security/S053_generic_error_messages/typescript/analyzer.js",
+      "config": "./rules/security/S053_generic_error_messages/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": [
+        "security",
+        "error-handling",
+        "information-disclosure",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": [
+          "heuristic"
+        ],
+        "accuracy": {
+          "heuristic": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S053_generic_error_messages/typescript/analyzer.js"
+        ]
+      }
+    },
     "S054": {
       "name": "Disallow Default/Built-in Accounts (admin/root/sa/...)",
       "description": "Prevent use of default or shared accounts. Enforce per-user identities, initial password change, and disabling well-known built-ins.",
@@ -3161,6 +3326,78 @@
         ]
       }
     },
+    "S059": {
+      "name": "Disable debug modes and features in production environments",
+      "description": "Ensure debug modes, verbose logging, and development-only features are disabled in production. Detect hardcoded DEBUG flags, exposed debug endpoints, and development configurations.",
+      "category": "security",
+      "severity": "warning",
+      "languages": [
+        "typescript",
+        "javascript",
+        "dart"
+      ],
+      "analyzer": "./rules/security/S059_disable_debug_mode/typescript/analyzer.js",
+      "config": "./rules/security/S059_disable_debug_mode/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": [
+        "security",
+        "debug",
+        "production",
+        "configuration",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": [
+          "heuristic"
+        ],
+        "accuracy": {
+          "heuristic": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S059_disable_debug_mode/typescript/analyzer.js"
+        ]
+      }
+    },
+    "S060": {
+      "name": "Enforce minimum password length of 8 characters, recommend 15+",
+      "description": "Ensure password validation enforces a minimum length of at least 8 characters (NIST recommendation). Detect weak password length requirements and missing length validation.",
+      "category": "security",
+      "severity": "warning",
+      "languages": [
+        "typescript",
+        "javascript",
+        "dart"
+      ],
+      "analyzer": "./rules/security/S060_password_minimum_length/typescript/analyzer.js",
+      "config": "./rules/security/S060_password_minimum_length/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": [
+        "security",
+        "password",
+        "authentication",
+        "nist",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": [
+          "heuristic"
+        ],
+        "accuracy": {
+          "heuristic": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S060_password_minimum_length/typescript/analyzer.js"
+        ]
+      }
+    },
     "T002": {
       "id": "T002",
       "name": "Rule T002",
@@ -3384,6 +3621,25 @@
         ],
         "accuracy": {}
       }
+    },
+    "S021": {
+      "name": "Referrer Policy",
+      "description": "Set Referrer-Policy to prevent sensitive data leakage via Referer header",
+      "category": "security",
+      "severity": "warning",
+      "languages": [
+        "typescript",
+        "javascript"
+      ],
+      "analyzer": "heuristic",
+      "analyzerPath": "rules/security/S021_referrer_policy",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": [
+        "security",
+        "headers",
+        "privacy"
+      ]
     }
   }
-}
+}