@sun-asterisk/sunlint 1.3.39 → 1.3.41

package/rules/dart/D011_prefer_named_parameters/config.json

@@ -0,0 +1,12 @@
+{
+  "id": "D011",
+  "name": "Prefer Named Parameters",
+  "description": "Functions with more than 3 parameters and adjacent parameters of the same type should use named parameters",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["parameters", "naming", "readability", "maintainability"],
+  "config": {
+    "minParameterCount": 3
+  }
+}

package/rules/dart/D012_prefer_named_boolean_parameters/config.json

@@ -0,0 +1,9 @@
+{
+  "id": "D012",
+  "name": "Prefer Named Boolean Parameters",
+  "description": "Boolean parameters should be named or use separate functions for better readability",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["parameters", "boolean", "readability", "maintainability"]
+}

package/rules/dart/D013_single_public_class/config.json

@@ -0,0 +1,10 @@
+{
+  "id": "D013",
+  "name": "Prefer a Single Public Class Per File",
+  "description": "Each file should contain only one public class to improve code organization and maintainability",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["dart", "organization", "maintainability"],
+  "config": {}
+}

package/rules/dart/D014_unsafe_collection_access/config.json

@@ -0,0 +1,10 @@
+{
+  "id": "D014",
+  "name": "Avoid Unsafe Collection Access",
+  "description": "Always check collection empty or length before using first, last, single, or elementAt",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["dart", "safety", "collections", "runtime-error"],
+  "config": {}
+}

package/rules/dart/D015_copywith_all_parameters/config.json

@@ -0,0 +1,9 @@
+{
+  "id": "D015",
+  "name": "Ensure copyWith includes all constructor parameters",
+  "description": "When a class has a copyWith method, it should include all constructor parameters to ensure complete object copying",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["dart", "immutability", "data-class", "best-practice"]
+}

package/rules/dart/D016_project_should_have_tests/config.json

@@ -0,0 +1,24 @@
+{
+  "id": "D016",
+  "name": "Project Should Have Tests",
+  "description": "Ensure the project has a test directory with test files to maintain code quality and prevent regressions",
+  "severity": "warning",
+  "category": "dart",
+  "languages": ["dart"],
+  "tags": ["testing", "best-practices", "code-quality"],
+  "analysisMethod": "dart-only",
+  "dartAnalyzer": {
+    "class": "D016ProjectShouldHaveTestsAnalyzer",
+    "file": "D016_project_should_have_tests.dart"
+  },
+  "detection": {
+    "targetDirectories": ["test", "test/"],
+    "requiredFiles": ["*_test.dart"],
+    "minTestFiles": 1
+  },
+  "config": {
+    "minTestFiles": 1,
+    "testDirectories": ["test", "integration_test"],
+    "testFilePattern": "_test\\.dart$"
+  }
+}

package/rules/dart/D017_pubspec_dependencies_review/config.json

@@ -0,0 +1,23 @@
+{
+  "id": "D017",
+  "name": "Pubspec Dependencies Should Be Reviewed Regularly",
+  "description": "Dependencies in pubspec.yaml should be reviewed and updated regularly to ensure security patches and bug fixes are applied",
+  "severity": "warning",
+  "category": "dart",
+  "languages": ["dart"],
+  "tags": ["dependencies", "maintenance", "security", "best-practices"],
+  "analysisMethod": "dart-only",
+  "dartAnalyzer": {
+    "class": "D017PubspecDependenciesReviewAnalyzer",
+    "file": "D017_pubspec_dependencies_review.dart"
+  },
+  "detection": {
+    "targetFiles": ["pubspec.yaml", "pubspec.lock"],
+    "checkLastModified": true
+  },
+  "config": {
+    "maxMonthsWithoutReview": 4,
+    "ignoreDevDependencies": false,
+    "checkLockFile": true
+  }
+}

package/rules/dart/D018_remove_commented_code/config.json

@@ -0,0 +1,13 @@
+{
+  "id": "D018",
+  "name": "Remove Commented-Out Code",
+  "description": "Remove commented-out code instead of leaving it in the source. Use version control to track history.",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["code-quality", "maintainability", "clean-code"],
+  "config": {
+    "minLines": 2,
+    "ignoreDocComments": true
+  }
+}

package/rules/dart/D019_avoid_single_child_multi_child_widget/config.json

@@ -0,0 +1,21 @@
+{
+  "id": "D019",
+  "name": "Avoid Single Child in Multi-Child Widget",
+  "description": "Multi-child widgets (Column, Row, Wrap, etc.) should not have only a single child",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["flutter", "performance", "widget", "optimization"],
+  "config": {
+    "multiChildWidgets": [
+      "Column",
+      "Row",
+      "Wrap",
+      "Stack",
+      "Flex",
+      "ListView",
+      "GridView",
+      "CustomScrollView"
+    ]
+  }
+}

package/rules/dart/D020_limit_if_else_branches/config.json

@@ -0,0 +1,12 @@
+{
+  "id": "D020",
+  "name": "Limit If/Else Branches",
+  "description": "Limit the number of if/else branches to improve readability and maintainability",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["complexity", "maintainability", "readability", "branching"],
+  "config": {
+    "maxBranches": 3
+  }
+}

package/rules/dart/D021_avoid_negated_boolean_checks/config.json

@@ -0,0 +1,14 @@
+{
+  "id": "D021",
+  "name": "Avoid Negated Boolean Checks",
+  "description": "Avoid inverted or negated boolean checks to improve code readability",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["readability", "boolean", "condition"],
+  "config": {
+    "checkDoubleNegation": true,
+    "checkNegatedBooleans": true,
+    "checkInvertedConditions": true
+  }
+}

package/rules/dart/D022_use_setstate_correctly/config.json

@@ -0,0 +1,14 @@
+{
+  "id": "D022",
+  "name": "Use setState Correctly",
+  "description": "Ensure setState is used correctly in StatefulWidget without common anti-patterns",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["flutter", "state-management", "performance"],
+  "config": {
+    "checkMultipleCalls": true,
+    "checkNestedCalls": true,
+    "checkInBuildMethod": true
+  }
+}

package/rules/dart/D023_avoid_unnecessary_method_overrides/config.json

@@ -0,0 +1,13 @@
+{
+  "id": "D023",
+  "name": "Avoid Unnecessary Method Overrides",
+  "description": "Methods that only call super with the same parameters are unnecessary and should be removed",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["dart", "code-quality", "maintainability"],
+  "config": {
+    "checkLifecycleMethods": true,
+    "allowedMethods": []
+  }
+}

package/rules/dart/D024_avoid_unnecessary_stateful_widget/config.json

@@ -0,0 +1,9 @@
+{
+  "id": "D024",
+  "name": "Avoid Unnecessary StatefulWidget",
+  "description": "StatefulWidget should only be used when state is needed. If no state is used, convert to StatelessWidget",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["flutter", "widget", "performance", "state"]
+}

package/rules/dart/D025_avoid_nested_conditional_expressions/config.json

@@ -0,0 +1,9 @@
+{
+  "id": "D025",
+  "name": "Avoid Nested Conditional Expressions",
+  "description": "Nested conditional expressions (ternary operators) reduce code readability and should be avoided",
+  "category": "dart",
+  "severity": "warning",
+  "languages": ["dart"],
+  "tags": ["readability", "maintainability", "complexity"]
+}

package/skill-assets/sunlint-code-quality/AGENTS.md

@@ -0,0 +1,80 @@
+# SunLint Code Quality Standards
+
+> **AI Agent Directive**: Follow these rules when writing/reviewing code. For detailed examples, read rule files in `rules/` directory.
+
+## Skill Structure
+
+```
+sunlint-code-quality/
+├── SKILL.md           # Full skill documentation with priorities
+├── AGENTS.md          # This file - language-agnostic quick reference
+└── rules/             # Detailed rule files (language-specific versions installed)
+    ├── S017-*.md
+    └── C029-*.md
+```
+
+## How to Use This Skill
+
+1. **Identify Relevant Rules**: Check the priority categories below to find rules applicable to your current task (e.g., Auth, Security, Error Handling).
+2. **Read Rule Details**: Use `view_file` to read the specific `rules/{RULE_ID}-*.md` file for detailed implementation guidelines and code examples in your target language.
+3. **Apply Patterns**: Implement the patterns described in the rule file, adapting them to the language you are working in.
+
+---
+
+## Critical Rules (Never Violate)
+
+### Security - Injection Prevention
+
+| Rule | Action |
+|------|--------|
+| `S017` | Use parameterized queries - no SQL/NoSQL concatenation |
+| `S020` | No dynamic code execution (e.g. `eval`, `Function`, `Assembly.Load`) |
+| `S025` | Validate ALL client input server-side |
+| `S007` | Encode output before interpreter use |
+
+### Security - Authentication
+
+| Rule | Action |
+|------|--------|
+| `S005` | Server-side authorization at service layer |
+| `S006` | No default credentials (admin, root) |
+| `S012` | Use secrets management (env vars, vaults) |
+| `S026` | TLS 1.2+ mandatory for all connections |
+| `S036` | File paths from internal data only |
+
+### Code Quality - Error Handling
+
+| Rule | Action |
+|------|--------|
+| `C029` | Exception/Catch blocks MUST log error with context |
+| `C030` | Use custom error/exception classes |
+| `C018` | Do not throw generic errors/exceptions |
+| `C035` | Include requestId, entityId in error logs |
+
+### Code Quality - Structure
+
+| Rule | Action |
+|------|--------|
+| `C014` | Dependency Injection for testability |
+| `C017` | No business logic in constructors |
+| `C006` | Function/Method names: `Verb-Noun` pattern |
+| `C013` | No dead code, unused imports/variables |
+| `C041` | No hardcoded secrets in repository |
+
+---
+
+## Rule File Lookup
+
+Detailed rule files are located in the `rules/` directory.
+
+```
+rules/{RULE_ID}-{slug}.md
+```
+
+**Examples:**
+- `rules/S017-parameterized-queries.md`
+- `rules/C029-catch-log-root-cause.md`
+
+---
+
+**Version**: 2.3 | **Total Rules**: 65 | **Maintainer**: Sun* Engineering Excellence

package/skill-assets/sunlint-code-quality/SKILL.md

@@ -0,0 +1,176 @@
+---
+name: sunlint-code-quality
+description: Code quality and security guidelines from Sun* Engineering Excellence. This skill should be used when writing, reviewing, or refactoring code to ensure security and quality compliance. Triggers on tasks involving authentication, data validation, error handling, or security-sensitive operations.
+license: MIT
+metadata:
+  author: sun-asterisk
+  version: "2.4.0"
+---
+
+# SunLint Code Quality & Security Standards
+
+Comprehensive code quality and security optimization guide for all projects, maintained by Sun* Engineering Excellence team. Contains **65 rules** across **6 priority categories**, organized by impact to guide automated code review and generation.
+
+## When to Apply
+
+Reference these guidelines when:
+- Writing new code in any language (PHP, Python + PySpark, TypeScript, C#, Java, Go, Kotlin, etc.)
+- Implementing authentication, authorization, or session management
+- Handling user input, file uploads, or external data
+- Reviewing code for security vulnerabilities
+- Implementing error handling and logging
+- Refactoring existing codebase for quality improvements
+
+## Rule Categories by Priority
+
+| Priority | Category | Impact | Rule Count | Prefix |
+|----------|----------|--------|------------|--------|
+| 1 | Security - Injection Prevention | **CRITICAL** | 10 | `S0xx` |
+| 2 | Security - Authentication & Sessions | **CRITICAL** | 12 | `S0xx` |
+| 3 | Common - Error Handling & Code Quality | **CRITICAL** | 19 | `C0xx` |
+| 4 | Security - Cryptography & TLS | **HIGH** | 8 | `S0xx` |
+| 5 | Security - Data Protection | **HIGH** | 10 | `S0xx` |
+| 6 | Security - Logging & Monitoring | **MEDIUM** | 6 | `S0xx` |
+
+---
+
+## Quick Reference
+
+### 1. Security - Injection Prevention (CRITICAL)
+
+These rules prevent the most dangerous vulnerabilities. **Never violate these rules.**
+
+- `S017-parameterized-queries` - Always use parameterized queries, never concatenate SQL
+- `S020-eval-code-execution` - Avoid eval() or dynamic code execution
+- `S025-server-validation` - Always validate client data server-side
+- `S007-output-encoding` - Output encoding before interpreter use
+- `S022-context-escaping` - Escape data by output context (HTML, JS, URL)
+- `S023-dynamic-js-encoding` - Output encoding for dynamic JS/JSON
+- `S019-email-input-sanitization` - Sanitize input before sending emails
+- `S055-content-type-validation` - Validate Content-Type in REST services
+- `S056-log-injection` - Protect against Log Injection
+- `S058-ssrf-protection` - Protect against SSRF attacks
+
+### 2. Security - Authentication & Sessions (CRITICAL)
+
+These rules protect user accounts and session integrity. **Mandatory for all auth flows.**
+
+- `S005-server-authorization` - Enforce authorization at trusted service layer only
+- `S006-default-credentials` - Never use default credentials (admin/admin, root/root)
+- `S012-secrets-management` - Use secrets management for backend secrets
+- `S041-logout-invalidation` - Invalidate session on logout
+- `S042-long-lived-sessions` - Re-authenticate for long-lived sessions
+- `S044-critical-changes-reauth` - Re-authenticate before critical changes
+- `S045-brute-force-protection` - Implement brute-force protection
+- `S047-oauth-csrf-protection` - Protect OAuth code flow vs CSRF
+- `S048-oauth-redirect-validation` - Validate OAuth redirect URIs exactly
+- `S049-auth-code-expiry` - Authentication codes must expire quickly
+- `S003-open-redirect` - URL redirects must be in allow list
+- `S029-csrf-protection` - Apply CSRF protection
+
+### 3. Common - Error Handling & Code Quality (CRITICAL)
+
+These rules ensure robust error handling and maintainable code. **Mandatory for all code.**
+
+#### Error Handling
+- `C029-catch-log-root-cause` - All catch blocks must log root cause with context
+- `C030-custom-error-classes` - Use custom error classes, not generic Error/Exception
+- `C035-error-context-logging` - Log all relevant context on errors
+- `C018-generic-errors` - Do not throw generic errors
+- `C019-error-log-level` - Do not use error log level for non-critical issues
+
+#### Code Structure
+- `C014-dependency-injection` - Use Dependency Injection for testability
+- `C017-no-constructor-logic` - No business logic in constructors
+- `C033-separate-data-access` - Separate processing and data access layers
+- `C052-controller-parsing` - Separate parsing from controllers
+- `C060-superclass-logic` - Do not ignore superclass logic
+- `C024-centralize-constants` - Centralize constants in config files
+- `C067-no-hardcoded-config` - Do not hardcode configuration values
+
+#### Naming & Style
+- `C006-verb-noun-functions` - Function names: verb-noun pattern (getUserById)
+- `C013-no-dead-code` - Do not commit dead code
+- `C020-no-unused-imports` - Do not import unused modules
+- `C022-no-unused-variables` - Do not leave unused variables
+- `C023-no-duplicate-names` - No duplicate variable names in scope
+- `C042-boolean-naming` - Boolean names: is/has/should prefix
+- `C041-no-hardcoded-secrets` - No hardcoded secrets in repo
+
+### 4. Security - Cryptography & TLS (HIGH)
+
+These rules ensure secure data transmission and storage.
+
+- `S009-approved-crypto` - Use only approved crypto algorithms (no MD5, SHA1)
+- `S010-csprng` - Use CSPRNG for security purposes (not Math.random())
+- `S013-tls-connections` - Always use TLS for all connections
+- `S026-tls-encryption` - TLS encryption mandatory for all connections
+- `S027-mtls-validation` - Validate mTLS certificates before auth
+- `S039-tls-certificate-validation` - TLS clients must validate server certificates
+- `S050-token-entropy` - Reference tokens: 128-bit entropy CSPRNG
+- `S011-encrypted-client-hello` - Enable Encrypted Client Hello (ECH)
+
+### 5. Security - Data Protection (HIGH)
+
+These rules protect sensitive data from exposure.
+
+- `S004-no-log-credentials` - Do not log credentials/tokens
+- `S016-no-sensitive-query-string` - Do not pass sensitive data in query string
+- `S036-internal-file-paths` - Use internal data for file paths, strict validation
+- `S028-upload-limits` - Limit upload file size and count
+- `S030-directory-browsing` - Disable directory browsing
+- `S031-secure-cookie-flag` - Set Secure flag on session cookies
+- `S032-httponly-cookie` - Set HttpOnly on session cookies
+- `S033-samesite-cookie` - Set SameSite on session cookies
+- `S034-host-prefix-cookie` - Use __Host- prefix for cookies
+- `S035-app-hostnames` - Host apps on different hostnames
+- `S037-anti-cache-headers` - Set anti-cache headers for sensitive pages
+
+### 6. Security - Logging & Monitoring (MEDIUM)
+
+These rules ensure proper security monitoring.
+
+- `S051-password-length` - Support 12-64 char passwords
+- `S052-otp-entropy` - OTPs must have 20-bit entropy minimum
+- `S053-generic-error-messages` - Return generic error messages to users
+- `S054-no-default-admin` - Avoid default admin/root accounts
+- `S057-synchronized-time` - Use synchronized time (UTC) in logs
+
+---
+
+## How to Use
+
+Read individual rule files for detailed explanations and code examples. Rules are organized by language in the `rules/` directory:
+
+```
+rules/python/S017-parameterized-queries.md
+rules/typescript/S017-parameterized-queries.md
+rules/csharp/S017-parameterized-queries.md
+rules/kotlin/S017-parameterized-queries.md
+rules/java/S017-parameterized-queries.md
+```
+
+Each rule file contains:
+- YAML frontmatter with title, impact, and tags
+- Brief explanation of why it matters
+- Incorrect code example with explanation
+- Correct code example with explanation
+- Tools for enforcement
+
+## Full Compiled Document
+
+For the complete guide with all rules expanded: `AGENTS.md`
+
+---
+
+## Priority Legend
+
+| Level | Description | Action Required |
+|-------|-------------|-----------------|
+| **CRITICAL** | Security vulnerabilities OR code quality issues that lead to bugs/maintenance problems | Must fix immediately, block deployment |
+| **HIGH** | Security issues that weaken defenses | Fix before production release |
+| **MEDIUM** | Quality issues affecting maintainability | Fix when touching related code |
+
+---
+
+**Last Updated**: January 2026 | **Version**: 2.3 | **Maintainer**: Sun* Engineering Excellence

package/skill-assets/sunlint-code-quality/rules/csharp/C006-verb-noun-functions.md

@@ -0,0 +1,36 @@
+---
+title: Use PascalCase For Methods
+impact: LOW
+impactDescription: ensures consistent codebase style
+tags: naming, style, convention, quality, csharp
+---
+
+## Use PascalCase For Methods
+
+C# convention dictates PascalCase for method names, unlike camelCase in JavaScript/Java.
+
+**Incorrect (camelCase):**
+
+```csharp
+public void calculateTotal()
+{
+    // ...
+}
+```
+
+**Correct (PascalCase):**
+
+```csharp
+public void CalculateTotal()
+{
+    // ...
+}
+
+// Async methods should end with Async
+public async Task<User> GetUserAsync(int id)
+{
+    // ...
+}
+```
+
+**Tools:** StyleCop, Roslyn Analyzers

package/skill-assets/sunlint-code-quality/rules/csharp/C013-no-dead-code.md

@@ -0,0 +1,38 @@
+---
+title: Do Not Commit Dead Code
+impact: LOW
+impactDescription: keeps codebase clean and readable
+tags: cleanup, maintenance, quality, csharp
+---
+
+## Do Not Commit Dead Code
+
+Commented-out code and unused private methods clutter the codebase and rot over time.
+
+**Incorrect (commented code):**
+
+```csharp
+public void Process()
+{
+    // var oldLogic = new LegacyProcessor();
+    // oldLogic.Run();
+    
+    var newLogic = new Processor();
+    newLogic.Run();
+}
+
+// Unused private method
+private void UnusedHelper() { }
+```
+
+**Correct (clean):**
+
+```csharp
+public void Process()
+{
+    var newLogic = new Processor();
+    newLogic.Run();
+}
+```
+
+**Tools:** Roslyn Analyzers (IDE0051), SonarQube

package/skill-assets/sunlint-code-quality/rules/csharp/C014-dependency-injection.md

@@ -0,0 +1,45 @@
+---
+title: Use Dependency Injection
+impact: HIGH
+impactDescription: ensures testability and loose coupling
+tags: architecture, di, testing, quality, csharp
+---
+
+## Use Dependency Injection
+
+Hard dependencies make code hard to test and maintain. Use Constructor Injection.
+
+**Incorrect (creating dependencies):**
+
+```csharp
+public class OrderService
+{
+    private readonly Database _db;
+    
+    public OrderService()
+    {
+        _db = new Database("connection_string"); // Hard dependency
+    }
+}
+```
+
+**Correct (injecting dependencies):**
+
+```csharp
+public class OrderService
+{
+    private readonly IDatabase _db;
+    
+    // Explicit dependencies in constructor
+    public OrderService(IDatabase db)
+    {
+        _db = db;
+    }
+}
+
+// Registration in Startup.cs / Program.cs
+builder.Services.AddScoped<IDatabase, SqlDatabase>();
+builder.Services.AddScoped<OrderService>();
+```
+
+**Tools:** Roslyn Analyzers, Manual Review

package/skill-assets/sunlint-code-quality/rules/csharp/C017-no-constructor-logic.md

@@ -0,0 +1,46 @@
+---
+title: No Business Logic In Constructors
+impact: HIGH
+impactDescription: ensures predictable object initialization
+tags: constructor, initialization, side-effects, patterns, quality, csharp
+---
+
+## No Business Logic In Constructors
+
+Constructors should only assign fields. Complex logic, I/O, or API calls in constructors cause side effects and make testing impossible.
+
+**Incorrect (logic in ctor):**
+
+```csharp
+public class UserService
+{
+    public UserService()
+    {
+        // BAD: I/O in constructor
+        var config = File.ReadAllText("config.json");
+        ConnectToDatabase();
+    }
+}
+```
+
+**Correct (factory or init):**
+
+```csharp
+public class UserService
+{
+    private readonly IConfiguration _config;
+
+    public UserService(IConfiguration config)
+    {
+        _config = config; // Assignment only
+    }
+
+    public async Task InitializeAsync()
+    {
+        // Complex init logic here
+        await ConnectToDatabaseAsync();
+    }
+}
+```
+
+**Tools:** SonarQube, Manual Review