cloudflare-expression-lint 0.1.0

package/dist/schemas/operators.js

@@ -0,0 +1,37 @@
+/**
+ * Cloudflare expression operators.
+ *
+ * Reference: https://developers.cloudflare.com/ruleset-engine/rules-language/operators/
+ */
+/** Comparison operators */
+export const COMPARISON_OPERATORS = [
+    { name: 'eq', symbols: ['=='], supportedTypes: ['String', 'Integer', 'IP', 'Float', 'Boolean'] },
+    { name: 'ne', symbols: ['!='], supportedTypes: ['String', 'Integer', 'IP', 'Float', 'Boolean'] },
+    { name: 'lt', symbols: ['<'], supportedTypes: ['String', 'Integer', 'Float'] },
+    { name: 'le', symbols: ['<='], supportedTypes: ['String', 'Integer', 'Float'] },
+    { name: 'gt', symbols: ['>'], supportedTypes: ['String', 'Integer', 'Float'] },
+    { name: 'ge', symbols: ['>='], supportedTypes: ['String', 'Integer', 'Float'] },
+    { name: 'contains', symbols: [], supportedTypes: ['String'] },
+    { name: 'wildcard', symbols: [], supportedTypes: ['String'] },
+    { name: 'strict wildcard', symbols: [], supportedTypes: ['String'] },
+    { name: 'matches', symbols: ['~'], supportedTypes: ['String'] },
+    { name: 'in', symbols: [], supportedTypes: ['String', 'Integer', 'IP'] },
+];
+/** Logical operators with precedence */
+export const LOGICAL_OPERATORS = [
+    { name: 'not', symbols: ['!'], supportedTypes: [], isLogical: true, precedence: 1 },
+    { name: 'and', symbols: ['&&'], supportedTypes: [], isLogical: true, precedence: 2 },
+    { name: 'xor', symbols: ['^^'], supportedTypes: [], isLogical: true, precedence: 3 },
+    { name: 'or', symbols: ['||'], supportedTypes: [], isLogical: true, precedence: 4 },
+];
+/** All operator names and symbols for quick lookup */
+export const ALL_COMPARISON_NAMES = new Set(COMPARISON_OPERATORS.flatMap(op => [op.name, ...op.symbols]));
+export const ALL_LOGICAL_NAMES = new Set(LOGICAL_OPERATORS.flatMap(op => [op.name, ...op.symbols]));
+/** Look up operator def by name or symbol */
+export function findComparisonOperator(nameOrSymbol) {
+    return COMPARISON_OPERATORS.find(op => op.name === nameOrSymbol || op.symbols.includes(nameOrSymbol));
+}
+export function findLogicalOperator(nameOrSymbol) {
+    return LOGICAL_OPERATORS.find(op => op.name === nameOrSymbol || op.symbols.includes(nameOrSymbol));
+}
+//# sourceMappingURL=operators.js.map

package/dist/schemas/operators.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"operators.js","sourceRoot":"","sources":["../../src/schemas/operators.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAiBH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,oBAAoB,GAAkB;IACjD,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,CAAC,EAAE;IAChG,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,CAAC,EAAE;IAChG,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE,cAAc,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE;IAC9E,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE;IAC/E,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE,cAAc,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE;IAC9E,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE;IAC/E,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,QAAQ,CAAC,EAAE;IAC7D,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,QAAQ,CAAC,EAAE;IAC7D,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,QAAQ,CAAC,EAAE;IACpE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE,cAAc,EAAE,CAAC,QAAQ,CAAC,EAAE;IAC/D,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,EAAE;CACzE,CAAC;AAEF,wCAAwC;AACxC,MAAM,CAAC,MAAM,iBAAiB,GAAkB;IAC9C,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE;IACnF,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE;IACpF,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE;IACpF,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE;CACpF,CAAC;AAEF,sDAAsD;AACtD,MAAM,CAAC,MAAM,oBAAoB,GAAG,IAAI,GAAG,CACzC,oBAAoB,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,CAAC,CAC7D,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CACtC,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,CAAC,CAC1D,CAAC;AAEF,6CAA6C;AAC7C,MAAM,UAAU,sBAAsB,CAAC,YAAoB;IACzD,OAAO,oBAAoB,CAAC,IAAI,CAC9B,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,IAAI,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CACpE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,OAAO,iBAAiB,CAAC,IAAI,CAC3B,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,IAAI,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CACpE,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,149 @@
+/**
+ * Core types for the Cloudflare expression linter.
+ */
+export declare enum TokenType {
+    String = "String",
+    RawString = "RawString",
+    Integer = "Integer",
+    Float = "Float",
+    Boolean = "Boolean",
+    IPAddress = "IPAddress",
+    Field = "Field",
+    Function = "Function",
+    NamedList = "NamedList",// $list_name
+    ComparisonOp = "ComparisonOp",// eq, ne, lt, le, gt, ge, ==, !=, <, <=, >, >=, contains, matches, ~, wildcard, in
+    LogicalOp = "LogicalOp",// and, or, not, xor, &&, ||, !, ^^
+    StrictWildcard = "StrictWildcard",// "strict wildcard" (two-word operator)
+    LeftParen = "LeftParen",
+    RightParen = "RightParen",
+    LeftBrace = "LeftBrace",// { for in-lists
+    RightBrace = "RightBrace",// }
+    LeftBracket = "LeftBracket",// [ for map/array access
+    RightBracket = "RightBracket",// ]
+    Comma = "Comma",
+    DotDot = "DotDot",// .. for ranges
+    Slash = "Slash",// / for CIDR notation
+    ArrayUnpack = "ArrayUnpack",// [*]
+    Placeholder = "Placeholder",// {REPLACE_...} template variables
+    EOF = "EOF"
+}
+export interface Token {
+    type: TokenType;
+    value: string;
+    position: number;
+    line: number;
+    column: number;
+}
+export type ASTNode = BooleanLiteralNode | StringLiteralNode | IntegerLiteralNode | FloatLiteralNode | IPLiteralNode | FieldAccessNode | NamedListNode | FunctionCallNode | ComparisonNode | LogicalNode | NotNode | InExpressionNode | GroupNode | ArrayUnpackNode;
+export interface BooleanLiteralNode {
+    kind: 'BooleanLiteral';
+    value: boolean;
+    position: number;
+}
+export interface StringLiteralNode {
+    kind: 'StringLiteral';
+    value: string;
+    position: number;
+}
+export interface IntegerLiteralNode {
+    kind: 'IntegerLiteral';
+    value: number;
+    position: number;
+}
+export interface FloatLiteralNode {
+    kind: 'FloatLiteral';
+    value: number;
+    position: number;
+}
+export interface IPLiteralNode {
+    kind: 'IPLiteral';
+    value: string;
+    cidr?: number;
+    position: number;
+}
+export interface FieldAccessNode {
+    kind: 'FieldAccess';
+    /** Full field name (e.g., "http.request.uri.path") */
+    field: string;
+    /** Map key access, if any (e.g., "host" in headers["host"]) */
+    mapKey?: string;
+    /** Array index access, if any */
+    arrayIndex?: number;
+    position: number;
+}
+export interface NamedListNode {
+    kind: 'NamedList';
+    name: string;
+    position: number;
+}
+export interface FunctionCallNode {
+    kind: 'FunctionCall';
+    name: string;
+    args: ASTNode[];
+    position: number;
+}
+export interface ComparisonNode {
+    kind: 'Comparison';
+    left: ASTNode;
+    operator: string;
+    right: ASTNode;
+    position: number;
+}
+export interface LogicalNode {
+    kind: 'Logical';
+    left: ASTNode;
+    operator: string;
+    right: ASTNode;
+    position: number;
+}
+export interface NotNode {
+    kind: 'Not';
+    operand: ASTNode;
+    position: number;
+}
+export interface InExpressionNode {
+    kind: 'InExpression';
+    field: ASTNode;
+    values: ASTNode[];
+    negated: boolean;
+    position: number;
+}
+export interface GroupNode {
+    kind: 'Group';
+    expression: ASTNode;
+    position: number;
+}
+export interface ArrayUnpackNode {
+    kind: 'ArrayUnpack';
+    field: ASTNode;
+    position: number;
+}
+export type DiagnosticSeverity = 'error' | 'warning' | 'info';
+export interface Diagnostic {
+    severity: DiagnosticSeverity;
+    message: string;
+    position?: number;
+    line?: number;
+    column?: number;
+    /** Error code for programmatic use */
+    code: string;
+}
+export type ExpressionType = 'filter' | 'rewrite_url' | 'rewrite_header' | 'redirect_target';
+export interface ValidationContext {
+    /** The Cloudflare phase (e.g., "http_request_firewall_custom") */
+    phase?: string;
+    /** The type of expression being validated */
+    expressionType: ExpressionType;
+    /** Allow placeholder templates like {REPLACE_ZONE_NAME} */
+    allowPlaceholders?: boolean;
+}
+export interface LintResult {
+    /** The original expression string */
+    expression: string;
+    /** Whether the expression is valid (no errors) */
+    valid: boolean;
+    /** All diagnostics (errors, warnings, info) */
+    diagnostics: Diagnostic[];
+    /** Parsed AST (if parsing succeeded) */
+    ast?: ASTNode;
+}

package/dist/types.js

@@ -0,0 +1,38 @@
+/**
+ * Core types for the Cloudflare expression linter.
+ */
+// ── Token Types ────────────────────────────────────────────────────────
+export var TokenType;
+(function (TokenType) {
+    // Literals
+    TokenType["String"] = "String";
+    TokenType["RawString"] = "RawString";
+    TokenType["Integer"] = "Integer";
+    TokenType["Float"] = "Float";
+    TokenType["Boolean"] = "Boolean";
+    TokenType["IPAddress"] = "IPAddress";
+    // Identifiers
+    TokenType["Field"] = "Field";
+    TokenType["Function"] = "Function";
+    TokenType["NamedList"] = "NamedList";
+    // Operators
+    TokenType["ComparisonOp"] = "ComparisonOp";
+    TokenType["LogicalOp"] = "LogicalOp";
+    TokenType["StrictWildcard"] = "StrictWildcard";
+    // Grouping & Punctuation
+    TokenType["LeftParen"] = "LeftParen";
+    TokenType["RightParen"] = "RightParen";
+    TokenType["LeftBrace"] = "LeftBrace";
+    TokenType["RightBrace"] = "RightBrace";
+    TokenType["LeftBracket"] = "LeftBracket";
+    TokenType["RightBracket"] = "RightBracket";
+    TokenType["Comma"] = "Comma";
+    TokenType["DotDot"] = "DotDot";
+    TokenType["Slash"] = "Slash";
+    // Special
+    TokenType["ArrayUnpack"] = "ArrayUnpack";
+    TokenType["Placeholder"] = "Placeholder";
+    // End
+    TokenType["EOF"] = "EOF";
+})(TokenType || (TokenType = {}));
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,0EAA0E;AAE1E,MAAM,CAAN,IAAY,SAoCX;AApCD,WAAY,SAAS;IACnB,WAAW;IACX,8BAAiB,CAAA;IACjB,oCAAuB,CAAA;IACvB,gCAAmB,CAAA;IACnB,4BAAe,CAAA;IACf,gCAAmB,CAAA;IACnB,oCAAuB,CAAA;IAEvB,cAAc;IACd,4BAAe,CAAA;IACf,kCAAqB,CAAA;IACrB,oCAAuB,CAAA;IAEvB,YAAY;IACZ,0CAA6B,CAAA;IAC7B,oCAAuB,CAAA;IACvB,8CAAiC,CAAA;IAEjC,yBAAyB;IACzB,oCAAuB,CAAA;IACvB,sCAAyB,CAAA;IACzB,oCAAuB,CAAA;IACvB,sCAAyB,CAAA;IACzB,wCAA2B,CAAA;IAC3B,0CAA6B,CAAA;IAC7B,4BAAe,CAAA;IACf,8BAAiB,CAAA;IACjB,4BAAe,CAAA;IAEf,UAAU;IACV,wCAA2B,CAAA;IAC3B,wCAA2B,CAAA;IAE3B,MAAM;IACN,wBAAW,CAAA;AACb,CAAC,EApCW,SAAS,KAAT,SAAS,QAoCpB"}

package/dist/validator.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Validator for Cloudflare expressions.
+ *
+ * Performs semantic analysis on the AST:
+ * - Field existence and deprecation checks
+ * - Phase-specific field availability
+ * - Function existence and context validation
+ * - Function usage limits (e.g., max 1 regex_replace per expression)
+ * - Operator type checking (e.g., contains only works on String)
+ * - Header key casing warnings
+ * - Boolean comparison style hints
+ * - Expression length limits
+ */
+import type { ValidationContext, LintResult } from './types.js';
+/**
+ * Validate a Cloudflare expression string.
+ */
+export declare function validate(expression: string, context: ValidationContext): LintResult;

package/dist/validator.js

@@ -0,0 +1,420 @@
+/**
+ * Validator for Cloudflare expressions.
+ *
+ * Performs semantic analysis on the AST:
+ * - Field existence and deprecation checks
+ * - Phase-specific field availability
+ * - Function existence and context validation
+ * - Function usage limits (e.g., max 1 regex_replace per expression)
+ * - Operator type checking (e.g., contains only works on String)
+ * - Header key casing warnings
+ * - Boolean comparison style hints
+ * - Expression length limits
+ */
+import { parse } from './parser.js';
+import { findField, findBaseField } from './schemas/fields.js';
+import { findFunction } from './schemas/functions.js';
+import { findComparisonOperator } from './schemas/operators.js';
+const MAX_EXPRESSION_LENGTH = 4096;
+/**
+ * Validate a Cloudflare expression string.
+ */
+export function validate(expression, context) {
+    const diagnostics = [];
+    // Check expression length
+    if (expression.length > MAX_EXPRESSION_LENGTH) {
+        diagnostics.push({
+            severity: 'warning',
+            message: `Expression is ${expression.length} characters, exceeding the ${MAX_EXPRESSION_LENGTH} character limit`,
+            code: 'expression-too-long',
+        });
+    }
+    // Try to parse
+    let ast;
+    try {
+        ast = parse(expression);
+    }
+    catch (err) {
+        diagnostics.push({
+            severity: 'error',
+            message: err instanceof Error ? err.message : String(err),
+            code: 'parse-error',
+        });
+        return { expression, valid: false, diagnostics };
+    }
+    // Walk the AST and collect diagnostics
+    const walker = new ASTWalker(context, diagnostics);
+    walker.walk(ast);
+    // Check function usage limits and regex count
+    walker.checkFunctionLimits();
+    walker.checkRegexCount();
+    const hasErrors = diagnostics.some(d => d.severity === 'error');
+    return { expression, valid: !hasErrors, diagnostics, ast };
+}
+class ASTWalker {
+    context;
+    diagnostics;
+    functionCounts = new Map();
+    regexCount = 0;
+    constructor(context, diagnostics) {
+        this.context = context;
+        this.diagnostics = diagnostics;
+    }
+    walk(node) {
+        switch (node.kind) {
+            case 'FieldAccess':
+                this.validateField(node.field, node.position);
+                this.validateHeaderKeyCasing(node);
+                break;
+            case 'FunctionCall':
+                this.validateFunction(node.name, node.position);
+                this.functionCounts.set(node.name, (this.functionCounts.get(node.name) ?? 0) + 1);
+                for (const arg of node.args) {
+                    this.walk(arg);
+                }
+                break;
+            case 'Comparison':
+                this.walk(node.left);
+                this.walk(node.right);
+                this.validateOperatorTypes(node);
+                this.validateBooleanStyle(node);
+                this.validateWildcardPattern(node);
+                this.countRegexUsage(node);
+                break;
+            case 'Logical':
+                this.walk(node.left);
+                this.walk(node.right);
+                break;
+            case 'Not':
+                this.walk(node.operand);
+                break;
+            case 'InExpression':
+                this.walk(node.field);
+                for (const val of node.values) {
+                    this.walk(val);
+                }
+                this.validateInExpressionTypes(node);
+                this.validateEmptyInList(node);
+                break;
+            case 'Group':
+                this.walk(node.expression);
+                break;
+            case 'ArrayUnpack':
+                this.walk(node.field);
+                break;
+            case 'NamedList':
+                this.validateNamedList(node.name, node.position);
+                break;
+            case 'BooleanLiteral':
+            case 'StringLiteral':
+            case 'IntegerLiteral':
+            case 'FloatLiteral':
+                break;
+            case 'IPLiteral':
+                if (node.cidr !== undefined) {
+                    this.validateCIDRMask(node.value, node.cidr, node.position);
+                }
+                break;
+        }
+    }
+    // ── Field Validation ───────────────────────────────────────────────
+    validateField(fieldName, position) {
+        const field = findField(fieldName);
+        if (field) {
+            if (field.deprecated) {
+                this.diagnostics.push({
+                    severity: 'warning',
+                    message: `Field "${fieldName}" is deprecated${field.replacement ? `. Use "${field.replacement}" instead` : ''}`,
+                    code: 'deprecated-field',
+                    position,
+                });
+            }
+            if (this.context.phase && field.phases && field.phases.length > 0) {
+                if (!field.phases.includes(this.context.phase)) {
+                    this.diagnostics.push({
+                        severity: 'error',
+                        message: `Field "${fieldName}" is not available in phase "${this.context.phase}". Available in: ${field.phases.join(', ')}`,
+                        code: 'field-not-in-phase',
+                        position,
+                    });
+                }
+            }
+            return;
+        }
+        const baseField = findBaseField(fieldName);
+        if (baseField) {
+            if (baseField.deprecated) {
+                this.diagnostics.push({
+                    severity: 'warning',
+                    message: `Field "${baseField.name}" is deprecated${baseField.replacement ? `. Use "${baseField.replacement}" instead` : ''}`,
+                    code: 'deprecated-field',
+                    position,
+                });
+            }
+            return;
+        }
+        this.diagnostics.push({
+            severity: 'error',
+            message: `Unknown field "${fieldName}"`,
+            code: 'unknown-field',
+            position,
+        });
+    }
+    // ── Header Key Casing ──────────────────────────────────────────────
+    validateHeaderKeyCasing(node) {
+        if (node.kind !== 'FieldAccess')
+            return;
+        if (!node.mapKey)
+            return;
+        // Only check http.request.headers and http.response.headers
+        const isHeaderField = node.field === 'http.request.headers' ||
+            node.field === 'http.response.headers' ||
+            node.field === 'raw.http.request.headers' ||
+            node.field === 'raw.http.response.headers';
+        if (isHeaderField && node.mapKey !== node.mapKey.toLowerCase()) {
+            this.diagnostics.push({
+                severity: 'warning',
+                message: `Header key "${node.mapKey}" should be lowercase. Cloudflare normalizes header names to lowercase, so "${node.mapKey}" will never match. Use "${node.mapKey.toLowerCase()}" instead.`,
+                code: 'header-key-not-lowercase',
+                position: node.position,
+            });
+        }
+    }
+    // ── Operator Type Checking ─────────────────────────────────────────
+    validateOperatorTypes(node) {
+        if (node.kind !== 'Comparison')
+            return;
+        const operator = node.operator;
+        const opDef = findComparisonOperator(operator);
+        if (!opDef)
+            return; // Unknown operator — skip type check
+        // Resolve the field type from the left-hand side
+        const fieldType = this.resolveFieldType(node.left);
+        if (!fieldType)
+            return; // Can't determine type (e.g., function call) — skip
+        // Check if the operator supports this field type
+        if (!opDef.supportedTypes.includes(fieldType)) {
+            this.diagnostics.push({
+                severity: 'error',
+                message: `Operator "${opDef.name}" does not support ${fieldType} fields. Supported types: ${opDef.supportedTypes.join(', ')}`,
+                code: 'operator-type-mismatch',
+                position: node.position,
+            });
+        }
+    }
+    // ── Boolean Style Hints ────────────────────────────────────────────
+    validateBooleanStyle(node) {
+        if (node.kind !== 'Comparison')
+            return;
+        // Check for pattern: boolean_field == true or boolean_field eq true
+        const op = node.operator;
+        if (op !== '==' && op !== 'eq')
+            return;
+        // RHS must be boolean literal `true`
+        if (node.right.kind !== 'BooleanLiteral' || node.right.value !== true)
+            return;
+        // LHS must be a field with Boolean type
+        const fieldType = this.resolveFieldType(node.left);
+        if (fieldType !== 'Boolean')
+            return;
+        const fieldName = node.left.kind === 'FieldAccess' ? node.left.field : 'field';
+        this.diagnostics.push({
+            severity: 'info',
+            message: `Prefer bare "${fieldName}" over "${fieldName} ${op} true"`,
+            code: 'prefer-bare-boolean',
+            position: node.position,
+        });
+    }
+    // ── Resolve Field Type ─────────────────────────────────────────────
+    /**
+     * Attempt to determine the FieldType of an AST node.
+     * Returns undefined if the type cannot be determined.
+     */
+    resolveFieldType(node) {
+        switch (node.kind) {
+            case 'FieldAccess': {
+                const field = findField(node.field);
+                if (field) {
+                    // If this field has map key or array index access, resolve to element type
+                    if (node.mapKey !== undefined || node.arrayIndex !== undefined) {
+                        if (field.type === 'Map')
+                            return 'String';
+                        if (field.type === 'Array')
+                            return 'String';
+                    }
+                    return field.type;
+                }
+                const base = findBaseField(node.field);
+                if (base) {
+                    // Map/Array access yields String (the value type)
+                    if (base.type === 'Map')
+                        return 'String';
+                    if (base.type === 'Array')
+                        return 'String';
+                }
+                return undefined;
+            }
+            case 'FunctionCall': {
+                const func = findFunction(node.name);
+                return func?.returnType;
+            }
+            case 'StringLiteral':
+                return 'String';
+            case 'IntegerLiteral':
+                return 'Integer';
+            case 'FloatLiteral':
+                return 'Float';
+            case 'BooleanLiteral':
+                return 'Boolean';
+            case 'IPLiteral':
+                return 'IP';
+            case 'ArrayUnpack':
+                // Array unpack produces individual elements — typically String
+                return 'String';
+            case 'Group':
+                return this.resolveFieldType(node.expression);
+            default:
+                return undefined;
+        }
+    }
+    // ── Wildcard Pattern Validation ─────────────────────────────────────
+    validateWildcardPattern(node) {
+        if (node.kind !== 'Comparison')
+            return;
+        if (node.operator !== 'wildcard' && node.operator !== 'strict wildcard')
+            return;
+        // Check the RHS for double asterisks
+        if (node.right.kind === 'StringLiteral' && node.right.value.includes('**')) {
+            this.diagnostics.push({
+                severity: 'warning',
+                message: `Wildcard pattern contains "**" which is not allowed. Use a single "*" instead.`,
+                code: 'invalid-wildcard-pattern',
+                position: node.right.position,
+            });
+        }
+    }
+    // ── Regex Count ────────────────────────────────────────────────────
+    countRegexUsage(node) {
+        if (node.kind !== 'Comparison')
+            return;
+        if (node.operator === 'matches' || node.operator === '~') {
+            this.regexCount++;
+        }
+    }
+    checkRegexCount() {
+        if (this.regexCount > 64) {
+            this.diagnostics.push({
+                severity: 'warning',
+                message: `Expression uses ${this.regexCount} regex patterns, exceeding the limit of 64 per rule`,
+                code: 'too-many-regex',
+            });
+        }
+    }
+    // ── In-Expression Type Checking ────────────────────────────────────
+    validateInExpressionTypes(node) {
+        if (node.kind !== 'InExpression')
+            return;
+        const fieldType = this.resolveFieldType(node.field);
+        if (!fieldType)
+            return;
+        // `in` supports String, Integer, and IP — not Boolean or Float
+        const supportedInTypes = ['String', 'Integer', 'IP'];
+        if (!supportedInTypes.includes(fieldType)) {
+            this.diagnostics.push({
+                severity: 'error',
+                message: `Operator "in" does not support ${fieldType} fields. Supported types: ${supportedInTypes.join(', ')}`,
+                code: 'operator-type-mismatch',
+                position: node.position,
+            });
+        }
+    }
+    // ── Empty In-List ──────────────────────────────────────────────────
+    validateEmptyInList(node) {
+        if (node.kind !== 'InExpression')
+            return;
+        if (node.values.length === 0) {
+            this.diagnostics.push({
+                severity: 'warning',
+                message: 'Empty in-list "{}" — this expression will never match',
+                code: 'empty-in-list',
+                position: node.position,
+            });
+        }
+    }
+    // ── Named List Validation ───────────────────────────────────────────
+    validateNamedList(name, position) {
+        // Strip the leading $
+        const listName = name.startsWith('$') ? name.slice(1) : name;
+        // Managed lists use cf.* prefix — these are always valid
+        if (listName.startsWith('cf.'))
+            return;
+        // Custom list names must be lowercase, numbers, and underscores only
+        if (!/^[a-z0-9_]+$/.test(listName)) {
+            this.diagnostics.push({
+                severity: 'warning',
+                message: `Named list "${name}" may be invalid. Custom list names must use only lowercase letters, numbers, and underscores (a-z, 0-9, _)`,
+                code: 'invalid-list-name',
+                position,
+            });
+        }
+    }
+    // ── CIDR Mask Validation ───────────────────────────────────────────
+    validateCIDRMask(ip, mask, position) {
+        // Determine if IPv4 or IPv6
+        const isIPv6 = ip.includes(':');
+        const maxMask = isIPv6 ? 128 : 32;
+        if (mask < 0 || mask > maxMask) {
+            this.diagnostics.push({
+                severity: 'error',
+                message: `Invalid CIDR mask /${mask} for ${isIPv6 ? 'IPv6' : 'IPv4'} address. Must be 0-${maxMask}`,
+                code: 'invalid-cidr-mask',
+                position,
+            });
+        }
+    }
+    // ── Function Validation ────────────────────────────────────────────
+    validateFunction(funcName, position) {
+        const func = findFunction(funcName);
+        if (!func) {
+            this.diagnostics.push({
+                severity: 'error',
+                message: `Unknown function "${funcName}"`,
+                code: 'unknown-function',
+                position,
+            });
+            return;
+        }
+        if (!func.contexts.includes('all')) {
+            const exprContext = this.mapExpressionTypeToContext(this.context.expressionType);
+            if (!func.contexts.includes(exprContext)) {
+                this.diagnostics.push({
+                    severity: 'error',
+                    message: `Function "${funcName}" is not available in ${this.context.expressionType} expressions. Available in: ${func.contexts.join(', ')}`,
+                    code: 'function-not-in-context',
+                    position,
+                });
+            }
+        }
+    }
+    checkFunctionLimits() {
+        for (const [funcName, count] of this.functionCounts) {
+            const func = findFunction(funcName);
+            if (func?.maxPerExpression && count > func.maxPerExpression) {
+                this.diagnostics.push({
+                    severity: 'error',
+                    message: `Function "${funcName}" can only be used ${func.maxPerExpression} time(s) per expression, but was used ${count} times`,
+                    code: 'function-max-exceeded',
+                });
+            }
+        }
+    }
+    mapExpressionTypeToContext(exprType) {
+        switch (exprType) {
+            case 'filter': return 'filter';
+            case 'rewrite_url': return 'rewrite_url';
+            case 'rewrite_header': return 'rewrite_header';
+            case 'redirect_target': return 'redirect_target';
+        }
+    }
+}
+//# sourceMappingURL=validator.js.map