@sun-asterisk/sunlint 1.3.52 → 1.3.54

package/core/cli-action-handler.js

@@ -72,7 +72,7 @@ class CliActionHandler {
 
       // Determine if we should proceed based on requested analyses
       const hasSourceFiles = targetingResult.files.length > 0;
-      const willRunCodeQuality = rulesToRun.length > 0 && !this.isArchitectureOnly() && !this.isImpactOnly();
+      const willRunCodeQuality = rulesToRun.length > 0 && !this.isArchitectureOnly(rulesToRun) && !this.isImpactOnly(rulesToRun);
       const willRunArchitecture = !!config.architecture?.enabled;
       const willRunImpact = !!(this.options.impact || config.impact?.enabled);
 
@@ -93,7 +93,7 @@ class CliActionHandler {
       let results = null;
 
       // Run code quality analysis (unless --architecture or --impact is used alone)
-      if (rulesToRun.length > 0 && !this.isArchitectureOnly() && !this.isImpactOnly()) {
+      if (rulesToRun.length > 0 && !this.isArchitectureOnly(rulesToRun) && !this.isImpactOnly(rulesToRun)) {
         results = await this.runModernAnalysis(rulesToRun, targetingResult.files, config);
       } else {
         results = { results: [], summary: { total: 0, errors: 0, warnings: 0 } };
@@ -530,12 +530,16 @@ class CliActionHandler {
    * Check if only architecture analysis was requested (no code quality rules)
    * Following Rule C006: Verb-noun naming
    */
-  isArchitectureOnly() {
+  isArchitectureOnly(rulesToRun = []) {
     const isArchEnabled = this.options.architecture || this.loadedConfig?.architecture?.enabled;
     const isImpactEnabled = this.options.impact || this.loadedConfig?.impact?.enabled;
 
+    // If rules were selected via config (extends/rules), this is not architecture-only
+    const hasConfigBasedRules = rulesToRun.length > 0 && this.hasConfigBasedRuleSelection();
+
     return isArchEnabled &&
       !isImpactEnabled &&
+      !hasConfigBasedRules &&
       !this.options.all &&
       !this.options.specific &&
       !this.options.rule &&
@@ -545,16 +549,29 @@ class CliActionHandler {
       !this.options.category;
   }
 
+  /**
+   * Check if rules were explicitly configured via config file (extends or rules field)
+   * Following Rule C006: Verb-noun naming
+   */
+  hasConfigBasedRuleSelection() {
+    const config = this.loadedConfig || {};
+    return !!(config.extends || (config.rules && Object.keys(config.rules).length > 0));
+  }
+
   /**
    * Check if only impact analysis was requested (no code quality rules)
    * Following Rule C006: Verb-noun naming
    */
-  isImpactOnly() {
+  isImpactOnly(rulesToRun = []) {
     const isArchEnabled = this.options.architecture || this.loadedConfig?.architecture?.enabled;
     const isImpactEnabled = this.options.impact || this.loadedConfig?.impact?.enabled;
 
+    // If rules were selected via config (extends/rules), this is not impact-only
+    const hasConfigBasedRules = rulesToRun.length > 0 && this.hasConfigBasedRuleSelection();
+
     return isImpactEnabled &&
       !isArchEnabled &&
+      !hasConfigBasedRules &&
       !this.options.all &&
       !this.options.specific &&
       !this.options.rule &&

package/core/config-override-processor.js

@@ -7,7 +7,7 @@ class ConfigOverrideProcessor {
 
   constructor() {
     // Rule C014: Dependency injection for minimatch
-    this.minimatch = require('minimatch');
+    this.minimatch = require('minimatch').minimatch;
   }
 
   /**
@@ -37,12 +37,27 @@ class ConfigOverrideProcessor {
    */
   shouldApplyOverride(override, filePath) {
     const { files } = override;
-    
-    if (!files || !Array.isArray(files)) {
+
+    // No files pattern means the override applies to all files
+    if (!files) {
+      return true;
+    }
+
+    if (!Array.isArray(files)) {
       return false;
     }
 
-    return files.some(pattern => this.minimatch(filePath, pattern));
+    return files.some(pattern => {
+      // Direct match (works when filePath is relative or pattern is absolute)
+      if (this.minimatch(filePath, pattern, { dot: true })) {
+        return true;
+      }
+      // For relative patterns, also try with **/ prefix so they match absolute paths
+      if (!pattern.startsWith('/')) {
+        return this.minimatch(filePath, '**/' + pattern, { dot: true });
+      }
+      return false;
+    });
   }
 
   /**

package/core/summary-report-service.js

@@ -315,10 +315,9 @@ class SummaryReportService {
         analysis_time_ms: archSummary.analysisTime || 0
       };
 
-      // Add all rules with score > 0 (passed + failed) to report
+      // Add all checked rules (passed + failed) to report
       if (options.architecture.allRules && options.architecture.allRules.length > 0) {
         summaryReport.architecture.rules = options.architecture.allRules
-          .filter(r => r.score > 0) // Only include rules with evidence (score > 0)
           .map(r => ({
             rule_code: r.ruleId,
             rule_name: r.ruleName,

package/engines/heuristic-engine.js

@@ -9,6 +9,7 @@ const AnalysisEngineInterface = require('../core/interfaces/analysis-engine.inte
 const ASTModuleRegistry = require('../core/ast-modules/index');
 const dependencyChecker = require('../core/dependency-checker');
 const SunlintRuleAdapter = require('../core/adapters/sunlint-rule-adapter');
+const ConfigOverrideProcessor = require('../core/config-override-processor');
 const SemanticEngine = require('../core/semantic-engine');
 const SemanticRuleBase = require('../core/semantic-rule-base');
 const { getInstance: getUnifiedRegistry } = require('../core/unified-rule-registry');
@@ -76,6 +77,9 @@ class HeuristicEngine extends AnalysisEngineInterface {
     // Unified rule registry
     this.unifiedRegistry = getUnifiedRegistry();
     
+    // Rule C014: Dependency injection for per-file override processing
+    this.overrideProcessor = new ConfigOverrideProcessor();
+
     // ✅ PERFORMANCE OPTIMIZATIONS (Integrated)
     this.performanceManager = new AutoPerformanceManager();
     this.performanceConfig = null;
@@ -996,16 +1000,32 @@ class HeuristicEngine extends AnalysisEngineInterface {
           const violationsByFile = this.groupViolationsByFile(ruleViolations);
 
           for (const [filePath, violations] of violationsByFile) {
+
+            // Apply per-file config overrides — skip violations disabled by overrides
+            let overriddenSeverity = null;
+            if (options.config?.overrides?.length > 0) {
+              const effectiveConfig = this.overrideProcessor.applyFileOverrides(options.config, filePath);
+              const overrideValue = effectiveConfig.rules?.[rule.id];
+              if (overrideValue === 'off') {
+                continue;
+              }
+              if (overrideValue === 'error') {
+                overriddenSeverity = 'error';
+              } else if (overrideValue === 'warn' || overrideValue === 'warning') {
+                overriddenSeverity = 'warning';
+              }
+            }
+
             // Find or create file result
             let fileResult = results.results.find(r => r.file === filePath);
             if (!fileResult) {
               fileResult = { file: filePath, violations: [] };
               results.results.push(fileResult);
             }
-            // Apply rule severity to each violation (from config)
+            // Apply rule severity to each violation (override takes precedence over rule default)
             const violationsWithSeverity = violations.map(v => ({
               ...v,
-              severity: rule.severity || v.severity || 'warning'
+              severity: overriddenSeverity || rule.severity || v.severity || 'warning'
             }));
             fileResult.violations.push(...violationsWithSeverity);
           }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.52",
+  "version": "1.3.54",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/common/C024_no_scatter_hardcoded_constants/typescript/symbol-based-analyzer.js

@@ -480,6 +480,11 @@ class C024SymbolBasedAnalyzer {
         return;
       }
 
+      // Skip strings inside throw/new Error() - error messages don't need to be constants
+      if (this.isInThrowOrErrorContext(literal)) {
+        return;
+      }
+
       this.trackConstant(constantUsage, `string:${value}`, literal);
 
       if (this.isInLogicContext(literal) || this.isInComparison(literal)) {
@@ -1122,6 +1127,37 @@ class C024SymbolBasedAnalyzer {
     return false;
   }
 
+  isInThrowOrErrorContext(node) {
+    let parent = node.getParent();
+    let depth = 0;
+    const maxDepth = 5;
+
+    while (parent && depth < maxDepth) {
+      const kind = parent.getKind();
+
+      // Direct: throw new Error("message")
+      if (kind === SyntaxKind.ThrowStatement) {
+        return true;
+      }
+
+      // new Error("message") or new CustomError("message")
+      if (kind === SyntaxKind.NewExpression) {
+        const expression = parent.getExpression();
+        if (expression) {
+          const text = expression.getText();
+          if (/Error$/.test(text) || /Exception$/.test(text)) {
+            return true;
+          }
+        }
+      }
+
+      parent = parent.getParent();
+      depth++;
+    }
+
+    return false;
+  }
+
   trackConstant(constantUsage, key, node) {
     if (!constantUsage.has(key)) {
       constantUsage.set(key, []);

package/rules/common/C041_no_sensitive_hardcode/typescript/symbol-based-analyzer.js

@@ -153,6 +153,13 @@ class C041SymbolBasedAnalyzer {
       /^[A-Z_]+CODE[A-Z_]*$/,         // ERROR_CODE, STATUS_CODE
       /^[A-Z_]+STATUS[A-Z_]*$/,       // USER_STATUS
       /^[A-Z_]+TYPE[A-Z_]*$/,         // MESSAGE_TYPE
+      /^[A-Z_]+NAME[A-Z_]*$/,         // REFRESH_TOKEN_COOKIE_NAME, SESSION_TOKEN_HEADER_NAME
+      /^[A-Z_]+KEY[A-Z_]*_NAME$/,     // API_KEY_PARAM_NAME
+      /^[A-Z_]+HEADER[A-Z_]*$/,       // AUTH_TOKEN_HEADER, CSRF_TOKEN_HEADER
+      /^[A-Z_]+COOKIE[A-Z_]*$/,       // SESSION_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE
+      /^[A-Z_]+LABEL[A-Z_]*$/,        // TOKEN_LABEL, PASSWORD_LABEL
+      /^[A-Z_]+FIELD[A-Z_]*$/,        // PASSWORD_FIELD, TOKEN_FIELD
+      /^[A-Z_]+PARAM[A-Z_]*$/,        // API_KEY_PARAM, TOKEN_PARAM
     ];
 
     // Parent object names that contain service/activity mappings (not secrets)
@@ -300,6 +307,11 @@ class C041SymbolBasedAnalyzer {
       const isSensitiveName = this.sensitiveVariableNames.some(pattern => pattern.test(name));
 
       if (isSensitiveName) {
+        // Skip if the variable name is a naming/labeling constant (e.g., REFRESH_TOKEN_COOKIE_NAME)
+        if (this.isErrorMessageConstant(name)) {
+          return;
+        }
+
         const initText = initializer.getText();
 
         // Skip if using env variables or config

package/rules/common/C042_boolean_name_prefix/typescript/analyzer.js

@@ -171,12 +171,18 @@ class C042Analyzer {
   
   isBooleanValue(value) {
     const trimmedValue = value.trim();
-    
+
     // Direct boolean literals
     if (trimmedValue === 'true' || trimmedValue === 'false') {
       return true;
     }
-    
+
+    // Ternary expressions: the result type depends on the branches, not the condition
+    // e.g., `typeof value === "string" ? value : JSON.stringify(value)` is NOT boolean
+    if (this.isTernaryExpression(trimmedValue)) {
+      return false;
+    }
+
     // Boolean expressions that clearly result in boolean
     const booleanExpressions = [
       /\w+\s*[<>!=]=/, // Comparisons
@@ -283,6 +289,25 @@ class C042Analyzer {
     return false;
   }
   
+  isTernaryExpression(value) {
+    // Detect ternary operator: condition ? trueValue : falseValue
+    // Must account for nested ternaries and template literals with colons
+    const questionIndex = value.indexOf('?');
+    if (questionIndex === -1) return false;
+
+    // Check there's a colon after the question mark (outside of template literals)
+    const afterQuestion = value.slice(questionIndex + 1);
+    // Simple heuristic: contains `:` that's not inside a template literal or object
+    let depth = 0;
+    for (let i = 0; i < afterQuestion.length; i++) {
+      const ch = afterQuestion[i];
+      if (ch === '(' || ch === '[' || ch === '{') depth++;
+      else if (ch === ')' || ch === ']' || ch === '}') depth--;
+      else if (ch === ':' && depth === 0) return true;
+    }
+    return false;
+  }
+
   generateSuggestions(varName) {
     const suggestions = [];
     const baseName = varName.replace(/^(is|has|should|can|will|must|may|check)/i, '');