@sun-asterisk/sunlint 1.3.53 → 1.3.55

package/core/cli-action-handler.js

@@ -72,7 +72,7 @@ class CliActionHandler {
 
       // Determine if we should proceed based on requested analyses
       const hasSourceFiles = targetingResult.files.length > 0;
-      const willRunCodeQuality = rulesToRun.length > 0 && !this.isArchitectureOnly() && !this.isImpactOnly();
+      const willRunCodeQuality = rulesToRun.length > 0 && !this.isArchitectureOnly(rulesToRun) && !this.isImpactOnly(rulesToRun);
       const willRunArchitecture = !!config.architecture?.enabled;
       const willRunImpact = !!(this.options.impact || config.impact?.enabled);
 
@@ -93,7 +93,7 @@ class CliActionHandler {
       let results = null;
 
       // Run code quality analysis (unless --architecture or --impact is used alone)
-      if (rulesToRun.length > 0 && !this.isArchitectureOnly() && !this.isImpactOnly()) {
+      if (rulesToRun.length > 0 && !this.isArchitectureOnly(rulesToRun) && !this.isImpactOnly(rulesToRun)) {
         results = await this.runModernAnalysis(rulesToRun, targetingResult.files, config);
       } else {
         results = { results: [], summary: { total: 0, errors: 0, warnings: 0 } };
@@ -530,12 +530,16 @@ class CliActionHandler {
    * Check if only architecture analysis was requested (no code quality rules)
    * Following Rule C006: Verb-noun naming
    */
-  isArchitectureOnly() {
+  isArchitectureOnly(rulesToRun = []) {
     const isArchEnabled = this.options.architecture || this.loadedConfig?.architecture?.enabled;
     const isImpactEnabled = this.options.impact || this.loadedConfig?.impact?.enabled;
 
+    // If rules were selected via config (extends/rules), this is not architecture-only
+    const hasConfigBasedRules = rulesToRun.length > 0 && this.hasConfigBasedRuleSelection();
+
     return isArchEnabled &&
       !isImpactEnabled &&
+      !hasConfigBasedRules &&
       !this.options.all &&
       !this.options.specific &&
       !this.options.rule &&
@@ -545,16 +549,29 @@ class CliActionHandler {
       !this.options.category;
   }
 
+  /**
+   * Check if rules were explicitly configured via config file (extends or rules field)
+   * Following Rule C006: Verb-noun naming
+   */
+  hasConfigBasedRuleSelection() {
+    const config = this.loadedConfig || {};
+    return !!(config.extends || (config.rules && Object.keys(config.rules).length > 0));
+  }
+
   /**
    * Check if only impact analysis was requested (no code quality rules)
    * Following Rule C006: Verb-noun naming
    */
-  isImpactOnly() {
+  isImpactOnly(rulesToRun = []) {
     const isArchEnabled = this.options.architecture || this.loadedConfig?.architecture?.enabled;
     const isImpactEnabled = this.options.impact || this.loadedConfig?.impact?.enabled;
 
+    // If rules were selected via config (extends/rules), this is not impact-only
+    const hasConfigBasedRules = rulesToRun.length > 0 && this.hasConfigBasedRuleSelection();
+
     return isImpactEnabled &&
       !isArchEnabled &&
+      !hasConfigBasedRules &&
       !this.options.all &&
       !this.options.specific &&
       !this.options.rule &&

package/engines/heuristic-engine.js

@@ -999,7 +999,11 @@ class HeuristicEngine extends AnalysisEngineInterface {
           // Group violations by file
           const violationsByFile = this.groupViolationsByFile(ruleViolations);
 
-          for (const [filePath, violations] of violationsByFile) {
+          for (const [filePath, fileViolations] of violationsByFile) {
+
+            // Filter violations suppressed by inline disable comments
+            const violations = this.filterViolationsByInlineDisable(filePath, fileViolations);
+            if (violations.length === 0) continue;
 
             // Apply per-file config overrides — skip violations disabled by overrides
             let overriddenSeverity = null;
@@ -1343,6 +1347,127 @@ class HeuristicEngine extends AnalysisEngineInterface {
     return groups;
   }
 
+  /**
+   * Filter violations suppressed by inline disable comments
+   * Supports: sunlint-disable-next-line <ruleId>, sunlint-disable <ruleId>,
+   *           sunlint-disable-file <ruleId>, sunlint-disable (all rules)
+   * Following Rule C006: Verb-noun naming
+   * @param {string} filePath - Path to the source file
+   * @param {Object[]} violations - Violations found in the file
+   * @returns {Object[]} Filtered violations (without suppressed ones)
+   */
+  filterViolationsByInlineDisable(filePath, violations) {
+    if (!violations || violations.length === 0) return violations;
+
+    let lines;
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      lines = content.split('\n');
+    } catch {
+      return violations;
+    }
+
+    // Pre-scan for file-level disables and block-level disable/enable ranges
+    const fileDisabledRules = new Set();
+    const disableRanges = []; // { ruleId: string|null, startLine: number, endLine: number }
+    let activeDisables = new Map(); // ruleId|'*' → startLineNumber
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i].trim();
+
+      // File-level disable: sunlint-disable-file or sunlint-disable-file S004
+      const fileDisableMatch = line.match(/(?:\/\/|\/\*)\s*sunlint-disable-file(?:\s+([\w,\s]+))?\s*(?:\*\/)?/);
+      if (fileDisableMatch) {
+        const ruleIds = fileDisableMatch[1] ? fileDisableMatch[1].split(',').map(r => r.trim()) : [null];
+        for (const ruleId of ruleIds) {
+          fileDisabledRules.add(ruleId); // null means all rules
+        }
+        continue;
+      }
+
+      // Block-level disable: sunlint-disable or sunlint-disable S004
+      const blockDisableMatch = line.match(/(?:\/\/|\/\*)\s*sunlint-disable(?!\s*-(?:next-line|file))(?:\s+([\w,\s]+))?\s*(?:\*\/)?/);
+      if (blockDisableMatch) {
+        const ruleIds = blockDisableMatch[1] ? blockDisableMatch[1].split(',').map(r => r.trim()) : ['*'];
+        for (const ruleId of ruleIds) {
+          if (!activeDisables.has(ruleId)) {
+            activeDisables.set(ruleId, i + 1); // 1-based line number
+          }
+        }
+        continue;
+      }
+
+      // Block-level enable: sunlint-enable or sunlint-enable S004
+      const blockEnableMatch = line.match(/(?:\/\/|\/\*)\s*sunlint-enable(?:\s+([\w,\s]+))?\s*(?:\*\/)?/);
+      if (blockEnableMatch) {
+        const ruleIds = blockEnableMatch[1] ? blockEnableMatch[1].split(',').map(r => r.trim()) : ['*'];
+        for (const ruleId of ruleIds) {
+          if (activeDisables.has(ruleId)) {
+            disableRanges.push({
+              ruleId: ruleId === '*' ? null : ruleId,
+              startLine: activeDisables.get(ruleId),
+              endLine: i + 1
+            });
+            activeDisables.delete(ruleId);
+          }
+        }
+        continue;
+      }
+    }
+
+    // Close any unclosed disable blocks (extend to end of file)
+    for (const [ruleId, startLine] of activeDisables) {
+      disableRanges.push({
+        ruleId: ruleId === '*' ? null : ruleId,
+        startLine,
+        endLine: lines.length
+      });
+    }
+
+    return violations.filter(violation => {
+      const ruleId = violation.ruleId;
+      const violationLine = violation.line;
+
+      // Check file-level disable
+      if (fileDisabledRules.has(null) || fileDisabledRules.has(ruleId)) {
+        return false;
+      }
+
+      // Check block-level disable ranges
+      for (const range of disableRanges) {
+        if (violationLine >= range.startLine && violationLine <= range.endLine) {
+          if (range.ruleId === null || range.ruleId === ruleId) {
+            return false;
+          }
+        }
+      }
+
+      // Check next-line directive (comment on previous line)
+      if (violationLine > 1) {
+        const prevLine = lines[violationLine - 2]?.trim() || '';
+        const nextLinePattern = /(?:\/\/|\/\*)\s*sunlint-disable-next-line(?:\s+([\w,\s]+))?\s*(?:\*\/)?/;
+        const nextLineMatch = prevLine.match(nextLinePattern);
+        if (nextLineMatch) {
+          if (!nextLineMatch[1]) return false; // No rule specified = disable all
+          const disabledRules = nextLineMatch[1].split(',').map(r => r.trim());
+          if (disabledRules.includes(ruleId)) return false;
+        }
+      }
+
+      // Check same-line disable (comment on the violation line itself)
+      const currentLine = lines[violationLine - 1] || '';
+      const sameLinePattern = /(?:\/\/|\/\*)\s*sunlint-disable(?:-next-line)?(?:\s+([\w,\s]+))?\s*(?:\*\/)?/;
+      const sameLineMatch = currentLine.match(sameLinePattern);
+      if (sameLineMatch) {
+        if (!sameLineMatch[1]) return false;
+        const disabledRules = sameLineMatch[1].split(',').map(r => r.trim());
+        if (disabledRules.includes(ruleId)) return false;
+      }
+
+      return true;
+    });
+  }
+
   /**
    * Get supported rules
    * Following Rule C006: Verb-noun naming

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.53",
+  "version": "1.3.55",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/common/C024_no_scatter_hardcoded_constants/typescript/symbol-based-analyzer.js

@@ -480,6 +480,11 @@ class C024SymbolBasedAnalyzer {
         return;
       }
 
+      // Skip strings inside throw/new Error() - error messages don't need to be constants
+      if (this.isInThrowOrErrorContext(literal)) {
+        return;
+      }
+
       this.trackConstant(constantUsage, `string:${value}`, literal);
 
       if (this.isInLogicContext(literal) || this.isInComparison(literal)) {
@@ -1122,6 +1127,37 @@ class C024SymbolBasedAnalyzer {
     return false;
   }
 
+  isInThrowOrErrorContext(node) {
+    let parent = node.getParent();
+    let depth = 0;
+    const maxDepth = 5;
+
+    while (parent && depth < maxDepth) {
+      const kind = parent.getKind();
+
+      // Direct: throw new Error("message")
+      if (kind === SyntaxKind.ThrowStatement) {
+        return true;
+      }
+
+      // new Error("message") or new CustomError("message")
+      if (kind === SyntaxKind.NewExpression) {
+        const expression = parent.getExpression();
+        if (expression) {
+          const text = expression.getText();
+          if (/Error$/.test(text) || /Exception$/.test(text)) {
+            return true;
+          }
+        }
+      }
+
+      parent = parent.getParent();
+      depth++;
+    }
+
+    return false;
+  }
+
   trackConstant(constantUsage, key, node) {
     if (!constantUsage.has(key)) {
       constantUsage.set(key, []);

package/rules/common/C041_no_sensitive_hardcode/typescript/symbol-based-analyzer.js

@@ -153,6 +153,13 @@ class C041SymbolBasedAnalyzer {
       /^[A-Z_]+CODE[A-Z_]*$/,         // ERROR_CODE, STATUS_CODE
       /^[A-Z_]+STATUS[A-Z_]*$/,       // USER_STATUS
       /^[A-Z_]+TYPE[A-Z_]*$/,         // MESSAGE_TYPE
+      /^[A-Z_]+NAME[A-Z_]*$/,         // REFRESH_TOKEN_COOKIE_NAME, SESSION_TOKEN_HEADER_NAME
+      /^[A-Z_]+KEY[A-Z_]*_NAME$/,     // API_KEY_PARAM_NAME
+      /^[A-Z_]+HEADER[A-Z_]*$/,       // AUTH_TOKEN_HEADER, CSRF_TOKEN_HEADER
+      /^[A-Z_]+COOKIE[A-Z_]*$/,       // SESSION_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE
+      /^[A-Z_]+LABEL[A-Z_]*$/,        // TOKEN_LABEL, PASSWORD_LABEL
+      /^[A-Z_]+FIELD[A-Z_]*$/,        // PASSWORD_FIELD, TOKEN_FIELD
+      /^[A-Z_]+PARAM[A-Z_]*$/,        // API_KEY_PARAM, TOKEN_PARAM
     ];
 
     // Parent object names that contain service/activity mappings (not secrets)
@@ -300,6 +307,11 @@ class C041SymbolBasedAnalyzer {
       const isSensitiveName = this.sensitiveVariableNames.some(pattern => pattern.test(name));
 
       if (isSensitiveName) {
+        // Skip if the variable name is a naming/labeling constant (e.g., REFRESH_TOKEN_COOKIE_NAME)
+        if (this.isErrorMessageConstant(name)) {
+          return;
+        }
+
         const initText = initializer.getText();
 
         // Skip if using env variables or config

package/rules/common/C042_boolean_name_prefix/typescript/analyzer.js

@@ -171,12 +171,18 @@ class C042Analyzer {
   
   isBooleanValue(value) {
     const trimmedValue = value.trim();
-    
+
     // Direct boolean literals
     if (trimmedValue === 'true' || trimmedValue === 'false') {
       return true;
     }
-    
+
+    // Ternary expressions: the result type depends on the branches, not the condition
+    // e.g., `typeof value === "string" ? value : JSON.stringify(value)` is NOT boolean
+    if (this.isTernaryExpression(trimmedValue)) {
+      return false;
+    }
+
     // Boolean expressions that clearly result in boolean
     const booleanExpressions = [
       /\w+\s*[<>!=]=/, // Comparisons
@@ -283,6 +289,25 @@ class C042Analyzer {
     return false;
   }
   
+  isTernaryExpression(value) {
+    // Detect ternary operator: condition ? trueValue : falseValue
+    // Must account for nested ternaries and template literals with colons
+    const questionIndex = value.indexOf('?');
+    if (questionIndex === -1) return false;
+
+    // Check there's a colon after the question mark (outside of template literals)
+    const afterQuestion = value.slice(questionIndex + 1);
+    // Simple heuristic: contains `:` that's not inside a template literal or object
+    let depth = 0;
+    for (let i = 0; i < afterQuestion.length; i++) {
+      const ch = afterQuestion[i];
+      if (ch === '(' || ch === '[' || ch === '{') depth++;
+      else if (ch === ')' || ch === ']' || ch === '}') depth--;
+      else if (ch === ':' && depth === 0) return true;
+    }
+    return false;
+  }
+
   generateSuggestions(varName) {
     const suggestions = [];
     const baseName = varName.replace(/^(is|has|should|can|will|must|may|check)/i, '');