@synergyerp/backend-standards 1.2.0 → 1.3.0

package/.github/workflows/ci-template.yml

@@ -1,3 +1,14 @@
+# This is a TEMPLATE for consumer repos.
+# Copy this to .github/workflows/ci.yml in your project.
+#
+# Consumer repos should USE this as a reference, not directly call it.
+# The actual CI is triggered by the consumer repo's own .github/workflows/ci.yml
+# which installs @synergyerp/backend-standards and runs the same commands.
+#
+# ANTI-BYPASS DESIGN: Local git hooks (Husky) can be skipped with --no-verify.
+# This CI pipeline is the SERVER-SIDE enforcement layer that cannot be bypassed.
+# Every PR is re-validated here regardless of what happened locally.
+
 name: CI Pipeline (Template)
 
 on:
@@ -32,11 +43,17 @@ jobs:
           key: pnpm-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
           path: ~/.pnpm-store
       - run: pnpm install --frozen-lockfile
-      - run: pnpm lint
-      - run: pnpm check-modularization
-      - name: Validate Commit Messages
+
+      # SERVER-SIDE ANTI-BYPASS: Validates ALL commit messages in this PR,
+      # catching any commits that were made with --no-verify locally.
+      # This step runs unconditionally and will fail if any commit in the PR
+      # does not meet the conventional commit standard.
+      - name: Validate Commit Messages (--no-verify anti-bypass)
         if: github.event_name == 'pull_request'
         run: pnpm exec commitlint --from origin/${{ github.base_ref }} --to HEAD
+
+      - run: pnpm lint
+      - run: pnpm check-modularization
       - run: pnpm check-types
       - run: pnpm format:check
       - run: pnpm test:ci

package/.husky/pre-commit

@@ -1,5 +1,8 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
+# Detect --no-verify bypass patterns
+sh "$(dirname -- "$0")/../scripts/detect-no-verify.sh"
+
 echo "🔍 Running lint-staged..."
 pnpm exec lint-staged

package/.husky/pre-push

@@ -1,5 +1,8 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
+# Detect --no-verify bypass patterns
+sh "$(dirname -- "$0")/../scripts/detect-no-verify.sh"
+
 echo "🚀 Running pre-push quality checks..."
 pnpm lint && pnpm check-modularization && pnpm check-types && pnpm test:ci

package/eslint.config.js

@@ -89,24 +89,37 @@ export default tseslint.config(
         },
         {
           selector: "VariableDeclarator[id.name='temp']",
-          message:
-            "Variable name 'temp' is banned. Use a descriptive name like 'formattedDate'.",
+          message: "Variable name 'temp' is banned. Use a descriptive name like 'formattedDate'.",
         },
         {
           selector: "VariableDeclarator[id.name='arr']",
-          message:
-            "Variable name 'arr' is banned. Use a descriptive name like 'permissions'.",
+          message: "Variable name 'arr' is banned. Use a descriptive name like 'permissions'.",
         },
         {
           selector: "VariableDeclarator[id.name='obj']",
-          message:
-            "Variable name 'obj' is banned. Use a descriptive name like 'config'.",
+          message: "Variable name 'obj' is banned. Use a descriptive name like 'config'.",
         },
         {
           selector: "VariableDeclarator[id.name='result']",
           message:
             "Variable name 'result' is banned. Use a descriptive name like 'validationResult'.",
         },
+        // ===== PREVENT _-PREFIXED SINGLE-LETTER NAMES (bypassing id-length) =====
+        {
+          selector:
+            'VariableDeclarator[id.name=/^_[a-z]$/], FunctionDeclaration[id.name=/^_[a-z]$/], FunctionExpression[id.name=/^_[a-z]$/]',
+          message:
+            "Do not use '_'-prefixed single-letter names (e.g. '_d', '_e', '_q'). Use meaningful names like 'date', 'employee', 'query'.",
+        },
+        {
+          selector: 'ArrowFunctionExpression > Identifier[name=/^_[a-z]$/]:first-child',
+          message: "Do not use '_'-prefixed single-letter parameter names. Use meaningful names.",
+        },
+        {
+          selector:
+            'FunctionDeclaration > Identifier[name=/^_[a-z]$/]:first-child, FunctionExpression > Identifier[name=/^_[a-z]$/]:first-child',
+          message: "Do not use '_'-prefixed single-letter parameter names. Use meaningful names.",
+        },
       ],
       'unicorn/filename-case': ['error', { case: 'kebabCase' }],
 
@@ -140,7 +153,11 @@ export default tseslint.config(
       '@typescript-eslint/no-unsafe-member-access': 'error',
       '@typescript-eslint/no-unused-vars': [
         'error',
-        { varsIgnorePattern: '^_', argsIgnorePattern: '^_' },
+        {
+          argsIgnorePattern: '^_',
+          destructuredArrayIgnorePattern: '^_',
+          ignoreRestSiblings: true,
+        },
       ],
 
       // PRETTIER

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@synergyerp/backend-standards",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "SynergyERP backend standards — ESLint, Prettier, commitlint, Husky, TypeScript configs, modularization enforcement, and PR templates.",
   "private": false,
   "type": "module",

package/scripts/detect-no-verify.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env sh
+# ============================================================
+# detect-no-verify.sh
+#
+# PURPOSE: Warn developers when --no-verify aliases / config
+# are detected. This script is run in pre-commit and pre-push
+# hooks. It does NOT block git itself (which cannot be done at
+# the OS level), but it:
+#   1. Detects known --no-verify aliases in global/local git config
+#   2. Logs a dated violation entry to .git/no-verify-violations.log
+#   3. Exits non-zero so the hook chain fails loudly
+#
+# The CI pipeline independently re-validates all commit messages
+# via commitlint (see .github/workflows/ci-template.yml), which
+# is the actual server-side enforcement that --no-verify cannot
+# bypass.
+# ============================================================
+
+set -e
+
+VIOLATIONS=0
+
+echo ""
+echo "🛡️  Checking for --no-verify bypass patterns..."
+
+# 1. Scan all git aliases in local + global config
+ALL_ALIASES=$(git config --list 2>/dev/null | grep '^alias\.' || true)
+
+if echo "$ALL_ALIASES" | grep -qi 'no-verify\|no.verify'; then
+  echo ""
+  echo "❌ ERROR: A git alias containing --no-verify was found in your git config!"
+  echo ""
+  echo "$ALL_ALIASES" | grep -i 'no-verify\|no.verify'
+  echo ""
+  echo "   Please remove this alias. The standards require all commits to pass hooks."
+  echo "   Run: git config --global --unset alias.<name>"
+  VIOLATIONS=$((VIOLATIONS + 1))
+fi
+
+# 2. Check for HUSKY=0 environment variable (bypasses husky hooks entirely)
+if [ "${HUSKY}" = "0" ]; then
+  echo ""
+  echo "❌ ERROR: HUSKY=0 is set — this bypasses ALL Husky hooks!"
+  echo "   Unset HUSKY or remove it from your shell profile."
+  VIOLATIONS=$((VIOLATIONS + 1))
+fi
+
+# 3. Log violations to .git/no-verify-violations.log for auditability
+if [ $VIOLATIONS -gt 0 ]; then
+  TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+  LOG_FILE="$(git rev-parse --git-dir)/no-verify-violations.log"
+  echo "$TIMESTAMP  user=$(git config user.email 2>/dev/null || echo unknown)  violations=$VIOLATIONS" >> "$LOG_FILE"
+  echo ""
+  echo "   ☝️  A record of this violation has been written to .git/no-verify-violations.log"
+  echo "   ☝️  Note: even if you bypass this hook, the CI pipeline will re-run commitlint"
+  echo "       on every PR and will reject commits that skipped required validation."
+  echo ""
+  exit 1
+fi
+
+echo "✅  No --no-verify bypass patterns detected."
+echo ""