@theglitchking/gimme-the-lint 2.0.0 → 2.1.0

package/.claude-plugin/marketplace.json

@@ -6,13 +6,13 @@
   },
   "metadata": {
     "description": "Official marketplace for gimme-the-lint - polyglot progressive linting with per-app baselines and drift detection",
-    "version": "2.0.0"
+    "version": "2.1.0"
   },
   "plugins": [
     {
       "name": "gimme-the-lint",
-      "description": "Polyglot progressive linting for monorepos — adapter-driven baselines, per-app drift detection, and idempotent skips across JavaScript/TypeScript, Python, Go, and Rust.",
-      "version": "2.0.0",
+      "description": "Polyglot progressive linting for monorepos — adapter-driven baselines, per-app drift detection, and idempotent skips across JavaScript/TypeScript, Python, Go, Rust, and Terraform.",
+      "version": "2.1.0",
       "author": {
         "name": "TheGlitchKing"
       },
@@ -30,6 +30,8 @@
         "ruff",
         "golangci-lint",
         "clippy",
+        "tflint",
+        "terraform",
         "claude-code"
       ],
       "category": "productivity",

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "gimme-the-lint",
-  "description": "Polyglot progressive linting for monorepos — adapter-driven baselines, per-app drift detection, and idempotent skips across JavaScript/TypeScript, Python, Go, and Rust.",
-  "version": "2.0.0",
+  "description": "Polyglot progressive linting for monorepos — adapter-driven baselines, per-app drift detection, and idempotent skips across JavaScript/TypeScript, Python, Go, Rust, and Terraform.",
+  "version": "2.1.0",
   "author": {
     "name": "TheGlitchKing",
     "email": "theglitchking@users.noreply.github.com"
@@ -19,6 +19,8 @@
     "eslint",
     "ruff",
     "golangci-lint",
-    "clippy"
+    "clippy",
+    "tflint",
+    "terraform"
   ]
 }

package/CHANGELOG.md

@@ -5,6 +5,48 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.1.0] - 2026-05-17
+
+### Added
+- **Terraform / OpenTofu support** via a new `tflint` linter adapter. tflint
+  plugs into the same progressive-lint engine as every other linter: baselines
+  are captured into `.gtl/apps/<app>/baseline.json` under a `tflint` section,
+  fingerprinted by `file + rule + message`, and only new violations block.
+  - Runs `tflint --format=json`, module-scoped (executes inside the module
+    directory for compatibility with tflint versions predating `--chdir`).
+  - Parses both `issues` and `errors` — broken HCL surfaces as a blocking
+    error rather than slipping through as zero issues.
+  - Supports `--fix`; tracks config drift on `.tflint.hcl`.
+- **Extension-based app discovery** for Terraform: a directory containing
+  `*.tf` / `*.tofu` source is auto-discovered and bound to `tflint`. Terraform
+  has no manifest file, so it is discovered by extension rather than by a
+  manifest like `package.json` or `go.mod`. In the root-module layout (`.tf`
+  at the repo root *and* in `modules/*/`), the root is treated as a workspace
+  root — bind `.` explicitly in `gimme-the-lint.config.js` to lint it. See the
+  installation guide.
+- **Best-practice config templates** for every supported codebase. `install`
+  now seeds each discovered app with a curated, "recommended tier" config for
+  its linter — `eslint.config.js` + `.prettierrc.json`, `biome.json`,
+  `pyproject.toml` `[tool.ruff]`, `.golangci.yml` (golangci-lint v2 format),
+  `clippy.toml` + `Cargo.toml` `[lints.clippy]`, `.tflint.hcl`. Every write is
+  create-if-absent — an existing config is never overwritten (`--force`
+  replaces). New module `lib/linter-configs.js`.
+- **Security lint rules** across every codebase. gitleaks remains the universal
+  secret scanner (passwords, SSL/private keys, tokens — always blocks, never
+  baselined) and its template now also flags PEM private keys and hardcoded
+  password assignments. Per-linter security layers are enabled in the shipped
+  configs: `gosec` (Go), Ruff `S` / flake8-bandit (Python),
+  `eslint-plugin-security` + `eslint-plugin-no-secrets` (JS/TS), and Biome's
+  `security` rule group.
+- **Prettier support** — a `.prettierrc.json` template is seeded for ESLint
+  apps, and the ESLint config now applies `eslint-config-prettier` so the two
+  do not fight over formatting. The ESLint template refresh is additive: every
+  pre-existing rule (architecture import guards, `no-cycle`, unused-vars) is
+  retained.
+- **New documentation** — `.documentation/lint-rules-guide.md` documents every
+  supported codebase, its baseline rules, the security layers, and how/where to
+  adjust them.
+
 ## [2.0.0] - 2026-05-17
 
 A ground-up rearchitecture: gimme-the-lint is now a language-agnostic

package/README.md

@@ -19,7 +19,7 @@ stuff at its own pace; meanwhile no new mess gets in.
 **v2.0** generalizes that idea to any linter and any language. It is no longer
 "ESLint + Ruff for webapps" — it is a progressive-lint **engine** with a
 pluggable **linter adapter** for each tool, across **JavaScript/TypeScript, Python,
-Go, and Rust**, in **any monorepo shape**.
+Go, Rust, and Terraform**, in **any monorepo shape**.
 
 ---
 
@@ -38,8 +38,10 @@ is ever flagged. (In v1 this job was outsourced to the third-party
 
 Each app is bound to the linters its package manifest implies — `package.json`
 → ESLint, `pyproject.toml` → Ruff, `go.mod` → golangci-lint, `Cargo.toml` →
-Clippy, `biome.json` → Biome. Drift detection runs per app, so a config or
-linter-version change in one app never churns the baselines of another.
+Clippy, `biome.json` → Biome. Terraform has no manifest, so a directory of
+`*.tf` / `*.tofu` files binds to tflint by extension. Drift detection runs per
+app, so a config or linter-version change in one app never churns the baselines
+of another.
 
 ---
 
@@ -48,10 +50,14 @@ linter-version change in one app never churns the baselines of another.
 - **Progressive linting** — only new violations block; existing ones are baselined
 - **In-house diff engine** — line/column-independent fingerprints survive code shifts
 - **Pluggable linter adapters** — the choice of linter is config, not a hardcode
-- **Polyglot** — JavaScript/TypeScript, Python, Go, Rust out of the box
+- **Polyglot** — JavaScript/TypeScript, Python, Go, Rust, Terraform out of the box
 - **Per-app model** — auto-discovers every package in a monorepo; no `frontend/`
   + `backend/` assumption
 - **Per-app drift detection** — app add/remove, config change, linter version, age
+- **Best-practice configs shipped** — `install` seeds each app with a curated,
+  security-aware config for its linter (create-if-absent — never clobbers yours)
+- **Security linting built in** — gitleaks for secrets across every codebase,
+  plus per-language security rules (gosec, Ruff `S`, eslint-plugin-security)
 - **Idempotent skips** — an app with code but no installed linter is warn-skipped
   (never blocks) — or fails loudly under `--strict`
 - **Offline install** — air-gapped mode for regulated environments
@@ -68,6 +74,22 @@ linter-version change in one app never churns the baselines of another.
 | Python | `ruff` | `pyproject.toml`, `requirements.txt`, `setup.py` |
 | Go | `golangci-lint` | `go.mod` |
 | Rust | `clippy` (`cargo clippy`) | `Cargo.toml` |
+| Terraform / OpenTofu | `tflint` | `*.tf` / `*.tofu` files (no manifest) |
+
+## Shipped lint configs
+
+`install` seeds every discovered app with a best-practice ("recommended" tier)
+config for its linter — `eslint.config.js` + `.prettierrc.json`, `biome.json`,
+`pyproject.toml` `[tool.ruff]`, `.golangci.yml`, `clippy.toml` + `Cargo.toml`
+`[lints.clippy]`, `.tflint.hcl` — plus a repo-root `.gitleaks.toml`. Configs are
+**created only if absent**; your own config is never overwritten.
+
+Every shipped config carries a **security layer**: gitleaks scans all files for
+secrets (passwords, SSL/private keys, tokens) and always blocks, while each
+linter adds language-specific security rules (`gosec`, Ruff `S` / flake8-bandit,
+`eslint-plugin-security`, Biome's `security` group). See
+[`.documentation/lint-rules-guide.md`](.documentation/lint-rules-guide.md) for
+the baseline rules per codebase and how to adjust them.
 
 ---
 
@@ -262,7 +284,7 @@ lib/
 ├── diff-engine.js      pure diff: new vs baselined vs fixed
 ├── baseline-store.js   one baseline.json format for every linter
 ├── adapters/           one adapter per linter (eslint, biome, ruff,
-│                       golangci-lint, clippy) + the base contract
+│                       golangci-lint, clippy, tflint) + the base contract
 ├── project-model.js    discovers apps + binds them to linters
 ├── units.js            resolves apps → {dir, linters, baseline path}
 ├── check.js            runCheck: lint → diff → report
@@ -282,7 +304,7 @@ git hooks, GitHub Action and Claude Code plugin are thin front doors over it.
 - **Node.js** >= 20
 - **Git** (for hooks and staged-file detection)
 - A linter for each language you use (`eslint`/`biome`, `ruff`, `golangci-lint`,
-  `clippy`) — any language whose linter is absent is simply skipped
+  `clippy`, `tflint`) — any language whose linter is absent is simply skipped
 
 ## License
 

package/lib/adapters/index.js

@@ -6,6 +6,7 @@ const BiomeAdapter = require('./biome');
 const RuffAdapter = require('./ruff');
 const GolangciLintAdapter = require('./golangci-lint');
 const ClippyAdapter = require('./clippy');
+const TflintAdapter = require('./tflint');
 
 // The adapter registry. `tool` strings in gimme-the-lint.config.js resolve to
 // concrete adapters here. Adding a language to gimme-the-lint means adding one
@@ -17,6 +18,7 @@ const REGISTRY = {
   ruff: RuffAdapter,
   'golangci-lint': GolangciLintAdapter,
   clippy: ClippyAdapter,
+  tflint: TflintAdapter,
 };
 
 /** Construct an adapter instance by id. Throws on an unknown id. */

package/lib/adapters/tflint.js

@@ -0,0 +1,138 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { LinterAdapter } = require('./adapter');
+const { createViolation, SEVERITY } = require('../violation');
+
+// tflint adapter. tflint is the de-facto Terraform/OpenTofu linter; it emits a
+// machine-readable report under `--format json`. Terraform has no manifest
+// file — a directory of *.tf (or *.tofu) IS the module — so detection here is
+// extension-based. tflint is module-scoped: it lints the .tf files of one
+// directory, so the adapter resolves and runs inside that directory, mirroring
+// the crate/module handling in the Clippy and golangci-lint adapters.
+
+const TFLINT_CONFIG_FILES = ['.tflint.hcl'];
+
+/** Map a tflint severity string onto a NormalizedViolation severity. */
+function mapSeverity(severity) {
+  switch (String(severity).toLowerCase()) {
+    case 'error':
+      return SEVERITY.ERROR;
+    case 'notice':
+    case 'info':
+      return SEVERITY.INFO;
+    case 'warning':
+    default:
+      return SEVERITY.WARNING;
+  }
+}
+
+class TflintAdapter extends LinterAdapter {
+  get id() {
+    return 'tflint';
+  }
+
+  get languages() {
+    return ['terraform'];
+  }
+
+  get supportsFix() {
+    return true;
+  }
+
+  // tflint config files double as a detection hint; the real signal is the
+  // presence of *.tf source (see sourceExtensions / project-model.js).
+  get manifestFiles() {
+    return ['.tflint.hcl', '.terraform.lock.hcl'];
+  }
+
+  get sourceExtensions() {
+    return ['.tf', '.tofu'];
+  }
+
+  configFiles() {
+    return TFLINT_CONFIG_FILES;
+  }
+
+  buildCommand(targets, opts = {}) {
+    const args = ['--format=json'];
+    if (opts.fix && this.supportsFix) args.push('--fix');
+
+    // tflint lints whichever directory it runs in. Resolve a run directory
+    // from the target — a directory target directly, or the parent directory
+    // of a file target (changed-files mode) — and lint there with no path
+    // arguments, which keeps the adapter compatible with tflint versions that
+    // predate `--chdir`.
+    let cwd = opts.cwd || this.projectRoot;
+    const first = targets && targets.length ? targets[0] : null;
+    if (first && first !== '.') {
+      const abs = path.resolve(this.projectRoot, first);
+      try {
+        cwd = fs.statSync(abs).isDirectory() ? abs : path.dirname(abs);
+      } catch {
+        // Unresolvable target — fall back to the default cwd.
+      }
+    }
+    return { cmd: this.binary, args, cwd };
+  }
+
+  parse(stdout) {
+    const text = (stdout || '').trim();
+    if (!text) return [];
+
+    let report;
+    try {
+      report = JSON.parse(text);
+    } catch {
+      return [];
+    }
+
+    const violations = [];
+
+    const issues = Array.isArray(report.issues) ? report.issues : [];
+    for (const issue of issues) {
+      const range = issue.range || {};
+      const start = range.start || {};
+      const end = range.end || {};
+      const rule = issue.rule || {};
+      violations.push(
+        createViolation({
+          file: this._relativize(range.filename || ''),
+          line: start.line,
+          col: start.column,
+          endLine: end.line,
+          endCol: end.column,
+          ruleId: rule.name || 'tflint',
+          severity: mapSeverity(rule.severity),
+          message: issue.message,
+          source: 'tflint',
+        })
+      );
+    }
+
+    // tflint reports configuration / HCL parse failures in a separate
+    // `errors` array — treat each as a blocking error so broken Terraform
+    // fails the check rather than slipping through as zero issues.
+    const errors = Array.isArray(report.errors) ? report.errors : [];
+    for (const err of errors) {
+      const range = err.range || {};
+      const start = range.start || {};
+      violations.push(
+        createViolation({
+          file: this._relativize(range.filename || ''),
+          line: start.line,
+          col: start.column,
+          ruleId: 'tflint-error',
+          severity: SEVERITY.ERROR,
+          message: err.message || err.summary || 'tflint error',
+          source: 'tflint',
+        })
+      );
+    }
+
+    return violations;
+  }
+}
+
+module.exports = TflintAdapter;

package/lib/installer.js

@@ -7,6 +7,7 @@ const venvManager = require('./venv-manager');
 const gitHooksManager = require('./git-hooks-manager');
 const toolchain = require('./toolchain');
 const { runBaseline } = require('./baseline');
+const { writeLinterConfigs } = require('./linter-configs');
 
 // init() supports two adoption modes beyond the default:
 //   options.offline    — air-gapped install: no npm/pip fetches; assumes the
@@ -99,6 +100,32 @@ async function init(projectRoot, options = {}) {
     }
   }
 
+  // Step 7b: Seed each discovered app with its linters' best-practice config
+  // (create-if-absent — a user's existing linter config is never overwritten).
+  try {
+    results.linterConfigs = await writeLinterConfigs(projectRoot, {
+      force: options.force,
+      reactVersion: options.reactVersion,
+    });
+    const seeded = results.linterConfigs.filter(
+      (c) => c.status === 'created' || c.status === 'appended'
+    );
+    if (seeded.length) {
+      results.steps.push(
+        `Seeded best-practice linter configs: ${seeded
+          .map((c) => `${c.app === '.' ? '' : c.app + '/'}${c.file}`)
+          .join(', ')}`
+      );
+    }
+    for (const c of results.linterConfigs) {
+      if (c.status === 'error') {
+        results.errors.push(`Linter config (${c.linter} @ ${c.app}): ${c.reason}`);
+      }
+    }
+  } catch (e) {
+    results.errors.push(`Linter configs: ${e.message}`);
+  }
+
   // Step 8: Setup Python venv (backend) — skipped entirely in offline mode,
   // where the toolchain is provisioned outside gimme-the-lint.
   if (options.offline) {

package/lib/linter-configs.js

@@ -0,0 +1,130 @@
+'use strict';
+
+const fs = require('fs-extra');
+const path = require('path');
+const projectModel = require('./project-model');
+const configManager = require('./config-manager');
+
+// Ships gimme-the-lint's best-practice ("recommended" tier) linter configs
+// into a project. Every write is CREATE-IF-ABSENT — a user's existing linter
+// config is never overwritten (pass { force: true } to replace).
+//
+// For eslint / golangci-lint / clippy / tflint the config file is not the
+// linter's detection key, so install genuinely seeds a config. For biome and
+// ruff the config file IS the detection key (biome.json / pyproject.toml), so
+// a discovered app already has one — the template then only applies on adoption
+// or under --force.
+
+// linter id -> { template filename, destination filename in the app dir }
+const LINTER_CONFIGS = {
+  eslint: { template: 'eslint.config.template.js', dest: 'eslint.config.js' },
+  biome: { template: 'biome.template.json', dest: 'biome.json' },
+  ruff: { template: 'pyproject.template.toml', dest: 'pyproject.toml' },
+  'golangci-lint': { template: '.golangci.template.yml', dest: '.golangci.yml' },
+  tflint: { template: '.tflint.template.hcl', dest: '.tflint.hcl' },
+  clippy: { template: 'clippy.template.toml', dest: 'clippy.toml' },
+};
+
+/** Copy one template into an app dir, create-if-absent. */
+async function writeConfig(appRoot, linterId, options = {}) {
+  const spec = LINTER_CONFIGS[linterId];
+  if (!spec) return { linter: linterId, status: 'skipped', reason: 'no template' };
+
+  const dest = path.join(appRoot, spec.dest);
+  const result = { linter: linterId, file: spec.dest };
+
+  if ((await fs.pathExists(dest)) && !options.force) {
+    result.status = 'exists';
+    return result;
+  }
+  try {
+    const subs =
+      linterId === 'eslint' ? { REACT_VERSION: options.reactVersion || '18.3' } : {};
+    await configManager.copyTemplate(spec.template, dest, subs);
+    result.status = 'created';
+  } catch (e) {
+    result.status = 'error';
+    result.reason = e.message;
+  }
+  return result;
+}
+
+/** ESLint apps also get a Prettier config (create-if-absent). */
+async function writePrettier(appRoot, options = {}) {
+  const dest = path.join(appRoot, '.prettierrc.json');
+  const result = { linter: 'prettier', file: '.prettierrc.json' };
+  if ((await fs.pathExists(dest)) && !options.force) {
+    result.status = 'exists';
+    return result;
+  }
+  try {
+    await configManager.copyTemplate('.prettierrc.template.json', dest);
+    result.status = 'created';
+  } catch (e) {
+    result.status = 'error';
+    result.reason = e.message;
+  }
+  return result;
+}
+
+/**
+ * Clippy lint levels can only be declared in Cargo.toml's [lints.clippy]
+ * table (clippy.toml tunes thresholds only). Append the table — but only if
+ * Cargo.toml has no [lints] / [workspace.lints] table already.
+ */
+async function writeClippyLints(appRoot) {
+  const cargoPath = path.join(appRoot, 'Cargo.toml');
+  const result = { linter: 'clippy', file: 'Cargo.toml [lints.clippy]' };
+
+  if (!(await fs.pathExists(cargoPath))) {
+    return { ...result, status: 'skipped', reason: 'no Cargo.toml' };
+  }
+  const content = await fs.readFile(cargoPath, 'utf8');
+  if (/^\s*\[(workspace\.)?lints/m.test(content)) {
+    return { ...result, status: 'exists' };
+  }
+  try {
+    const snippet = await fs.readFile(
+      path.join(configManager.TEMPLATES_DIR, 'clippy-cargo-lints.template.toml'),
+      'utf8'
+    );
+    const sep = content.endsWith('\n') ? '\n' : '\n\n';
+    await fs.writeFile(cargoPath, content + sep + snippet, 'utf8');
+    return { ...result, status: 'appended' };
+  } catch (e) {
+    return { ...result, status: 'error', reason: e.message };
+  }
+}
+
+/**
+ * Discover every app and seed its linters' best-practice configs.
+ * @returns {Promise<{app, linter, file, status, reason?}[]>}
+ */
+async function writeLinterConfigs(projectRoot, options = {}) {
+  const root = projectRoot || process.cwd();
+  const apps = projectModel.discoverApps(root);
+  const written = [];
+
+  for (const app of apps) {
+    const appRoot = path.resolve(root, app.appPath);
+    for (const linterId of app.linters) {
+      written.push({ app: app.appPath, ...(await writeConfig(appRoot, linterId, options)) });
+
+      if (linterId === 'eslint') {
+        written.push({ app: app.appPath, ...(await writePrettier(appRoot, options)) });
+      }
+      if (linterId === 'clippy') {
+        written.push({ app: app.appPath, ...(await writeClippyLints(appRoot)) });
+      }
+    }
+  }
+  return written;
+}
+
+module.exports = {
+  LINTER_CONFIGS,
+  writeConfig,
+  writePrettier,
+  writeClippyLints,
+  writeLinterConfigs,
+};

package/lib/project-model.js

@@ -23,6 +23,20 @@ const MANIFEST_LINTERS = {
   'Cargo.toml': 'clippy',
 };
 
+// Terraform / OpenTofu have no manifest file — a directory of *.tf (or *.tofu)
+// IS the module — so they are discovered by source extension rather than by a
+// manifest filename, unlike every other supported language.
+const TERRAFORM_EXTENSIONS = ['.tf', '.tofu'];
+
+/** True if any directory entry is a Terraform/OpenTofu source file. */
+function hasTerraformSource(entries) {
+  return entries.some(
+    (entry) =>
+      entry.isFile() &&
+      TERRAFORM_EXTENSIONS.some((ext) => entry.name.endsWith(ext))
+  );
+}
+
 // Template/scaffold directories: linting them is pure noise. Skipped by
 // convention; projects can add more via `skipPatterns` in the config.
 const DEFAULT_SKIP_PATTERNS = ['_template-*', '__template__', '*.template.*'];
@@ -67,6 +81,7 @@ function findManifestDirs(projectRoot) {
         linters.add(MANIFEST_LINTERS[entry.name]);
       }
     }
+    if (hasTerraformSource(entries)) linters.add('tflint');
     if (linters.size > 0) {
       found.push({ dir: relDir || '.', linters });
     }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@theglitchking/gimme-the-lint",
-  "version": "2.0.0",
-  "description": "Polyglot progressive linting for monorepos — adapter-driven baselines, per-app drift detection, and idempotent skips across JavaScript/TypeScript, Python, Go, and Rust.",
+  "version": "2.1.0",
+  "description": "Polyglot progressive linting for monorepos — adapter-driven baselines, per-app drift detection, and idempotent skips across JavaScript/TypeScript, Python, Go, Rust, and Terraform.",
   "keywords": [
     "linting",
     "progressive-linting",
@@ -20,7 +20,10 @@
     "golangci-lint",
     "go",
     "clippy",
-    "rust"
+    "rust",
+    "tflint",
+    "terraform",
+    "opentofu"
   ],
   "author": {
     "name": "TheGlitchKing",

package/templates/.gitleaks.template.toml

@@ -45,6 +45,18 @@ regex = '''(?i)(postgresql|postgres|mysql|mongodb)://[a-zA-Z0-9_-]+:([^@\s]+)@''
 tags = ["database", "password"]
 secretGroup = 2
 
+[[rules]]
+id = "private-key-pem"
+description = "Private key / SSL cert key (PEM, OpenSSH, PKCS)"
+regex = '''-----BEGIN ([A-Z]+ )?PRIVATE KEY( BLOCK)?-----'''
+tags = ["key", "private", "ssl"]
+
+[[rules]]
+id = "hardcoded-password"
+description = "Hardcoded password / secret assignment"
+regex = '''(?i)\b(password|passwd|pwd|secret)\b\s*[:=]\s*['"][^'"\s$]{6,}['"]'''
+tags = ["password", "secret"]
+
 # Allowlist (false positive prevention)
 [allowlist]
 description = "Allowlist for false positives"

package/templates/.golangci.template.yml

@@ -0,0 +1,81 @@
+# Generated by gimme-the-lint — golangci-lint v2 (recommended tier)
+# Requires golangci-lint v2.x. Run `golangci-lint migrate` to convert v1 configs.
+version: "2"
+
+run:
+  timeout: 5m
+  tests: true
+
+formatters:
+  enable:
+    - goimports   # superset of gofmt; also manages import grouping
+    - gofumpt     # stricter gofmt
+  # settings:
+  #   goimports:
+  #     local-prefixes:
+  #       - github.com/your-org/your-project   # set to your module path
+
+linters:
+  default: standard   # errcheck, govet, ineffassign, staticcheck, unused
+
+  enable:
+    # --- Correctness ---
+    - copyloopvar       # loop-variable capture bugs
+    - bodyclose         # HTTP response bodies must be closed
+    - errorlint         # correct error wrapping / unwrapping
+    - nilerr            # `return nil` when the error is non-nil
+    - noctx             # HTTP requests must carry a context
+    - durationcheck     # bad time.Duration arithmetic
+    - makezero          # make([]T, n) then append — usually a bug
+    # --- Security ---
+    - gosec             # hardcoded creds, injection, weak crypto, insecure TLS
+    # --- Code quality ---
+    - revive            # modern golint replacement
+    - gocritic          # broad diagnostic / performance checks
+    - gocyclo           # cyclomatic complexity
+    - unconvert         # unnecessary type conversions
+    - unparam           # parameters that always receive the same value
+    - nolintlint        # malformed or unexplained //nolint directives
+    - misspell          # misspellings in comments / strings
+    - usestdlibvars     # use stdlib constants (http.MethodGet, etc.)
+
+  settings:
+    errcheck:
+      check-type-assertions: true
+    gocyclo:
+      min-complexity: 15
+    gocritic:
+      enabled-tags:
+        - diagnostic
+        - performance
+      disabled-checks:
+        - ifElseChain
+    gosec:
+      # G104 overlaps errcheck; G115 (int-overflow) is high false-positive.
+      excludes:
+        - G104
+        - G115
+      severity: medium
+      confidence: medium
+    nolintlint:
+      require-explanation: true
+      require-specific: true
+
+  exclusions:
+    generated: lax
+    warn-unused: true
+    presets:
+      - std-error-handling
+      - common-false-positives
+    rules:
+      # Test code legitimately ignores errors, uses math/rand, repeats strings.
+      - path: '_test\.go'
+        linters:
+          - bodyclose
+          - gosec
+          - errcheck
+          - goconst
+
+issues:
+  max-same-issues: 50
+  max-issues-per-linter: 0

package/templates/.prettierrc.template.json

@@ -0,0 +1,14 @@
+{
+  "printWidth": 100,
+  "tabWidth": 2,
+  "useTabs": false,
+  "semi": true,
+  "singleQuote": true,
+  "quoteProps": "as-needed",
+  "jsxSingleQuote": false,
+  "trailingComma": "all",
+  "bracketSpacing": true,
+  "bracketSameLine": false,
+  "arrowParens": "always",
+  "endOfLine": "lf"
+}

package/templates/.tflint.template.hcl

@@ -0,0 +1,32 @@
+# Generated by gimme-the-lint — TFLint (recommended tier)
+#
+# Uses only the bundled "terraform" ruleset, which ships inside the TFLint
+# binary. No network access and no `tflint --init` required — works offline.
+#
+# For deeper, cloud-provider-specific checks (AWS / GCP / Azure best practices),
+# add the matching provider plugin block and run `tflint --init` once. Those
+# plugins require network access — do NOT add them for air-gapped installs.
+#
+#   plugin "aws" {
+#     enabled = true
+#     version = "0.47.0"
+#     source  = "github.com/terraform-linters/tflint-ruleset-aws"
+#   }
+
+tflint {
+  required_version = ">= 0.50"
+}
+
+config {
+  # "local" evaluates local module calls; "none" skips module evaluation.
+  call_module_type = "local"
+  # Set true to treat findings as warnings during initial rollout.
+  force = false
+}
+
+plugin "terraform" {
+  enabled = true
+  # "recommended" — Terraform-language hygiene. Use "all" for the stricter
+  # set (naming conventions, documented variables/outputs, module structure).
+  preset = "recommended"
+}

package/templates/biome.template.json

@@ -0,0 +1,90 @@
+{
+  "$schema": "https://biomejs.dev/schemas/latest/schema.json",
+  "vcs": {
+    "enabled": true,
+    "clientKind": "git",
+    "useIgnoreFile": true,
+    "defaultBranch": "main"
+  },
+  "files": {
+    "ignoreUnknown": false,
+    "maxSize": 2097152
+  },
+  "formatter": {
+    "enabled": true,
+    "indentStyle": "space",
+    "indentWidth": 2,
+    "lineWidth": 100,
+    "lineEnding": "lf"
+  },
+  "javascript": {
+    "formatter": {
+      "quoteStyle": "double",
+      "jsxQuoteStyle": "double",
+      "quoteProperties": "asNeeded",
+      "trailingCommas": "all",
+      "semicolons": "always",
+      "arrowParentheses": "always",
+      "bracketSameLine": false
+    }
+  },
+  "json": {
+    "formatter": {
+      "trailingCommas": "none"
+    }
+  },
+  "linter": {
+    "enabled": true,
+    "rules": {
+      "recommended": true,
+      "correctness": {
+        "noUnresolvedImports": "error"
+      },
+      "suspicious": {
+        "noConsole": {
+          "level": "warn",
+          "options": { "allow": ["error", "warn", "info"] }
+        },
+        "noImportCycles": "warn",
+        "noUnusedExpressions": "error"
+      },
+      "style": {
+        "useForOf": "warn",
+        "useNamingConvention": "warn",
+        "useConsistentTypeDefinitions": {
+          "level": "warn",
+          "options": { "define": "interface" }
+        }
+      },
+      "complexity": {
+        "noExcessiveCognitiveComplexity": {
+          "level": "warn",
+          "options": { "maxAllowedComplexity": 15 }
+        }
+      },
+      "performance": {
+        "noDelete": "warn"
+      },
+      "security": {
+        "noBlankTarget": "error",
+        "noDangerouslySetInnerHtml": "error",
+        "noDangerouslySetInnerHtmlWithChildren": "error",
+        "noGlobalEval": "error",
+        "noSecrets": "warn"
+      }
+    }
+  },
+  "overrides": [
+    {
+      "includes": ["**/*.test.*", "**/*.spec.*", "**/test/**"],
+      "linter": {
+        "rules": {
+          "suspicious": {
+            "noConsole": "off",
+            "noImportCycles": "off"
+          }
+        }
+      }
+    }
+  ]
+}

package/templates/clippy-cargo-lints.template.toml

@@ -0,0 +1,21 @@
+# Generated by gimme-the-lint — Clippy lint levels
+#
+# Clippy lint GROUPS cannot be enabled from clippy.toml. The canonical
+# mechanism (Cargo 1.74+) is the [lints.clippy] table in Cargo.toml.
+# gimme-the-lint appends this block to your Cargo.toml only if no [lints]
+# table already exists. For a workspace, put it under
+# [workspace.lints.clippy] in the root Cargo.toml and add `[lints]
+# workspace = true` to each member crate instead.
+
+[lints.clippy]
+# priority = -1 lets the individual "allow" overrides below win.
+pedantic = { level = "warn", priority = -1 }
+cargo = { level = "warn", priority = -1 }
+
+# Pedantic lints that are too noisy in idiomatic Rust — allowed back.
+module_name_repetitions = "allow"   # fires on config::Config, error::Error, ...
+must_use_candidate = "allow"        # demands #[must_use] almost everywhere
+missing_errors_doc = "allow"        # requires an # Errors doc section
+missing_panics_doc = "allow"        # requires a # Panics doc section
+default_trait_access = "allow"      # Default::default() vs T::default() — style
+map_unwrap_or = "allow"             # map_or style — team preference

package/templates/clippy.template.toml

@@ -0,0 +1,23 @@
+# Generated by gimme-the-lint — Clippy threshold tuning (recommended tier)
+#
+# clippy.toml only tunes lint PARAMETERS. It cannot enable lint groups —
+# that is done via the [lints.clippy] table in Cargo.toml (see the
+# clippy-cargo-lints snippet gimme-the-lint also provides).
+
+# Rust style guide suggests 6; Clippy's default is 7.
+too-many-arguments-threshold = 6
+
+# Default is 100; 80 is a sensible opinionated ceiling.
+too-many-lines-threshold = 80
+
+# Default is 25; 15 is a solid complexity gate.
+cognitive-complexity-threshold = 15
+
+# Allow unwrap/expect/indexing in tests without per-file attributes.
+allow-unwrap-in-tests = true
+allow-expect-in-tests = true
+allow-indexing-slicing-in-tests = true
+
+# Set to your project's minimum supported Rust version so lint
+# suggestions stay compatible.
+msrv = "1.74"

package/templates/eslint.config.template.js

@@ -1,5 +1,10 @@
 // ESLint v9 Flat Config - Generated by gimme-the-lint
-// Customize this file for your project
+// Customize this file for your project.
+//
+// Ships security linting (eslint-plugin-security + eslint-plugin-no-secrets)
+// and is Prettier-compatible (eslint-config-prettier disables conflicting
+// stylistic rules). Dev deps beyond the React/TS set: eslint-plugin-security,
+// eslint-plugin-no-secrets, eslint-config-prettier, prettier.
 
 import js from '@eslint/js'
 import globals from 'globals'
@@ -9,6 +14,9 @@ import reactRefresh from 'eslint-plugin-react-refresh'
 import importPlugin from 'eslint-plugin-import'
 import tseslint from '@typescript-eslint/eslint-plugin'
 import tsparser from '@typescript-eslint/parser'
+import security from 'eslint-plugin-security'
+import noSecrets from 'eslint-plugin-no-secrets'
+import prettier from 'eslint-config-prettier'
 
 export default [
   { ignores: ['dist', 'build', 'node_modules', 'vite.config.ts'] },
@@ -44,6 +52,8 @@ export default [
       'react-hooks': reactHooks,
       'react-refresh': reactRefresh,
       'import': importPlugin,
+      security,
+      'no-secrets': noSecrets,
     },
     rules: {
       ...js.configs.recommended.rules,
@@ -67,6 +77,9 @@ export default [
       'import/no-cycle': 'error',
       'import/no-self-import': 'error',
       'no-unused-vars': ['error', { argsIgnorePattern: '^_', varsIgnorePattern: '^_' }],
+      // Security rules — unsafe APIs + hardcoded-secret detection
+      ...security.configs.recommended.rules,
+      'no-secrets/no-secrets': ['warn', { tolerance: 4.2 }],
       'react/no-unescaped-entities': 'off',
       'react/prop-types': 'off',
     },
@@ -93,6 +106,8 @@ export default [
       'react-refresh': reactRefresh,
       'import': importPlugin,
       '@typescript-eslint': tseslint,
+      security,
+      'no-secrets': noSecrets,
     },
     rules: {
       ...js.configs.recommended.rules,
@@ -116,9 +131,16 @@ export default [
       '@typescript-eslint/no-unused-vars': ['warn', { argsIgnorePattern: '^_', varsIgnorePattern: '^_' }],
       '@typescript-eslint/explicit-module-boundary-types': 'off',
       '@typescript-eslint/no-non-null-assertion': 'warn',
+      // Security rules — unsafe APIs + hardcoded-secret detection
+      ...security.configs.recommended.rules,
+      'no-secrets/no-secrets': ['warn', { tolerance: 4.2 }],
       'react/no-unescaped-entities': 'off',
       'no-unused-vars': 'off',
       'react/prop-types': 'off',
     },
   },
+
+  // eslint-config-prettier — disables stylistic rules that conflict with
+  // Prettier. Keep this LAST so it overrides earlier formatting rules.
+  prettier,
 ];

package/templates/pyproject.template.toml

@@ -18,6 +18,10 @@ select = [
     "I",    # isort
     "B",    # flake8-bugbear
     "UP",   # pyupgrade
+    "S",    # flake8-bandit — security (hardcoded passwords, SQL injection, SSL misuse)
+    "C4",   # flake8-comprehensions
+    "SIM",  # flake8-simplify
+    "RUF",  # Ruff-specific rules
 ]
 ignore = [
     "E501",  # line too long (handled by formatter)
@@ -26,6 +30,12 @@ ignore = [
 [tool.ruff.lint.isort]
 known-first-party = ["app"]
 
+[tool.ruff.lint.per-file-ignores]
+# Tests legitimately use `assert` and may hold dummy credentials/fixtures.
+"tests/**" = ["S101", "S105", "S106"]
+"**/test_*.py" = ["S101", "S105", "S106"]
+"**/*_test.py" = ["S101", "S105", "S106"]
+
 [tool.ruff.format]
 quote-style = "double"
 indent-style = "space"