getdoorman 1.0.0

package/src/rules/bugs/nextjs-bugs.js

@@ -0,0 +1,242 @@
+// Bug detection: Next.js/SSR patterns AI generators get wrong
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx'];
+function isJSX(f) { return JS_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  {
+    id: 'BUG-NEXT-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Client-side API (window/document/localStorage) used in server component',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        // Next.js app router: files without "use client" are server components
+        const isAppRouter = /[\/\\]app[\/\\]/.test(fp) || /\/app\\/.test(fp);
+        if (!isAppRouter) continue;
+        const hasUseClient = /^['"]use client['"]/.test(content.trim());
+        if (hasUseClient) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\b(window|document|localStorage|sessionStorage|navigator|location\.href|addEventListener)\b/.test(lines[i]) && !/typeof\s+(window|document)/.test(lines[i]) && !/\/\//.test(lines[i].split(/window|document/)[0])) {
+            findings.push({
+              ruleId: 'BUG-NEXT-001', category: 'bugs', severity: 'high',
+              title: 'Browser API used in server component — will crash at build time',
+              description: 'This file is in the app/ directory without "use client". Browser APIs (window, document, localStorage) are not available on the server. Add "use client" or wrap in useEffect.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NEXT-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'useState/useEffect in server component',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const isAppRouter = /[\/\\]app[\/\\]/.test(fp);
+        if (!isAppRouter) continue;
+        const hasUseClient = /^['"]use client['"]/.test(content.trim());
+        if (hasUseClient) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\b(useState|useEffect|useRef|useCallback|useMemo|useReducer|useContext)\s*\(/.test(lines[i])) {
+            const hook = lines[i].match(/(use(?:State|Effect|Ref|Callback|Memo|Reducer|Context))/)[1];
+            findings.push({
+              ruleId: 'BUG-NEXT-002', category: 'bugs', severity: 'high',
+              title: `${hook} in server component — hooks only work in client components`,
+              description: `Add "use client" at the top of this file to use ${hook}. Server components cannot use React hooks.`,
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NEXT-003',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: '"use client" on a component that doesn\'t need it',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const hasUseClient = /^['"]use client['"]/.test(content.trim());
+        if (!hasUseClient) continue;
+        // Check if it actually uses client features
+        const needsClient = /\b(useState|useEffect|useRef|useCallback|useMemo|useReducer|useContext|onClick|onChange|onSubmit|onKeyDown|onMouseDown|onFocus|onBlur|addEventListener|window\.|document\.|localStorage|sessionStorage|navigator)\b/.test(content);
+        if (!needsClient) {
+          findings.push({
+            ruleId: 'BUG-NEXT-003', category: 'bugs', severity: 'medium',
+            title: '"use client" but no client features used — unnecessary client boundary',
+            description: 'This component has "use client" but doesn\'t use hooks, event handlers, or browser APIs. Removing it enables server rendering, reducing JS sent to the browser.',
+            file: fp, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NEXT-004',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'fetch() in client component instead of server',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        if (!/[\/\\]app[\/\\]/.test(fp)) continue;
+        const hasUseClient = /^['"]use client['"]/.test(content.trim());
+        if (!hasUseClient) continue;
+        // Client component doing data fetching in useEffect
+        if (/useEffect[\s\S]*fetch\s*\(/.test(content) && !/useSWR|useQuery|tanstack|swr/.test(content)) {
+          findings.push({
+            ruleId: 'BUG-NEXT-004', category: 'bugs', severity: 'high',
+            title: 'Data fetching in client component useEffect — use server component or SWR',
+            description: 'Fetching in useEffect causes loading waterfalls and shows spinners. In Next.js, fetch data in server components (no "use client") or use SWR/React Query for caching.',
+            file: fp, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NEXT-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Secrets exposed to client bundle',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const hasUseClient = /^['"]use client['"]/.test(content.trim());
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // NEXT_PUBLIC_ env vars with secret-like names
+          if (/process\.env\.NEXT_PUBLIC_.*(?:SECRET|PRIVATE|KEY|TOKEN|PASSWORD|CREDENTIAL)/i.test(lines[i]) && !/PUBLIC_KEY|PUBLISHABLE/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-NEXT-005', category: 'bugs', severity: 'high',
+              title: 'Secret in NEXT_PUBLIC_ env var — exposed to client browser',
+              description: 'NEXT_PUBLIC_ variables are embedded in the client JS bundle and visible to anyone. Secrets must NOT use the NEXT_PUBLIC_ prefix.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+          // Server-only env var in client component
+          if (hasUseClient && /process\.env\.(?!NEXT_PUBLIC_)\w+/.test(lines[i]) && !/\/\//.test(lines[i].split('process.env')[0])) {
+            findings.push({
+              ruleId: 'BUG-NEXT-005', category: 'bugs', severity: 'high',
+              title: 'Server env var in client component — will be undefined at runtime',
+              description: 'Only NEXT_PUBLIC_ env vars are available in client components. This will be undefined. Move to a server component or API route.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NEXT-006',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing loading.tsx or error.tsx in route',
+    check({ files }) {
+      const findings = [];
+      const routeDirs = new Set();
+      for (const [fp] of files) {
+        if (/[\/\\]app[\/\\].*\/page\.(tsx|jsx|ts|js)$/.test(fp)) {
+          routeDirs.add(fp.replace(/\/page\.\w+$/, ''));
+        }
+      }
+      for (const dir of routeDirs) {
+        const hasLoading = [...files.keys()].some(f => f.startsWith(dir + '/loading.'));
+        const hasError = [...files.keys()].some(f => f.startsWith(dir + '/error.'));
+        if (!hasLoading && !hasError) {
+          // Only flag if the page has data fetching
+          const pagePath = [...files.keys()].find(f => f.startsWith(dir + '/page.'));
+          if (pagePath) {
+            const content = files.get(pagePath);
+            if (/fetch\(|prisma\.|db\.|getServerSession|await/.test(content)) {
+              findings.push({
+                ruleId: 'BUG-NEXT-006', category: 'bugs', severity: 'medium',
+                title: `Route "${dir}" has async data but no loading.tsx or error.tsx`,
+                description: 'Without loading.tsx, users see a blank page during data fetching. Without error.tsx, errors crash the entire page. Add both for good UX.',
+                file: pagePath, line: 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NEXT-007',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing metadata export in page',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!/[\/\\]app[\/\\].*\/page\.(tsx|jsx|ts|js)$/.test(fp)) continue;
+        if (!/export\s+(const\s+metadata|function\s+generateMetadata|async\s+function\s+generateMetadata)/.test(content)) {
+          findings.push({
+            ruleId: 'BUG-NEXT-007', category: 'bugs', severity: 'medium',
+            title: 'Page without metadata export — missing title/description for SEO',
+            description: 'Export a metadata object or generateMetadata function for proper SEO. Without it, the page has no title, description, or social previews.',
+            file: fp, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NEXT-008',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Importing server-only module in client component',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const hasUseClient = /^['"]use client['"]/.test(content.trim());
+        if (!hasUseClient) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Importing server-only packages
+          if (/import.*from\s+['"](?:server-only|fs|path|crypto|child_process|net|dns|os|cluster)['"]/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-NEXT-008', category: 'bugs', severity: 'high',
+              title: 'Server-only module imported in client component — build will fail',
+              description: 'Node.js modules (fs, path, crypto) and server-only packages cannot be imported in client components.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/nextjs-fixable.js

@@ -0,0 +1,120 @@
+// Auto-fixable Next.js patterns
+const JSX_EXT = ['.jsx', '.tsx', '.js', '.ts'];
+function isJSX(f) { return JSX_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  {
+    id: 'BUG-NXFIX-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Add "use client" for component using hooks',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        if (!/[\/\\]app[\/\\]/.test(fp)) continue;
+        if (/^['"]use client['"]/.test(content.trim())) continue;
+        // Has hooks but no "use client"
+        if (/\b(useState|useEffect|useRef|useCallback|useMemo|useReducer)\s*\(/.test(content)) {
+          const hook = content.match(/(useState|useEffect|useRef|useCallback|useMemo|useReducer)/)[1];
+          findings.push({
+            ruleId: 'BUG-NXFIX-001', category: 'bugs', severity: 'high',
+            title: `Add "use client" — uses ${hook} but missing client directive`,
+            file: fp, line: 1,
+            fix: {
+              type: 'insert',
+              position: 'start',
+              content: '"use client";\n\n',
+            },
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NXFIX-002',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'Remove unnecessary "use client"',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const firstLine = content.trim().split('\n')[0];
+        if (!/^['"]use client['"]/.test(firstLine)) continue;
+        const needsClient = /\b(useState|useEffect|useRef|useCallback|useMemo|useReducer|useContext|onClick|onChange|onSubmit|onKeyDown|onMouseDown|onFocus|onBlur|addEventListener|window\.|document\.|localStorage|sessionStorage|navigator)\b/.test(content);
+        if (!needsClient) {
+          findings.push({
+            ruleId: 'BUG-NXFIX-002', category: 'bugs', severity: 'medium',
+            title: 'Remove "use client" — no client features used',
+            file: fp, line: 1,
+            fix: {
+              type: 'replace',
+              old: firstLine,
+              new: '',
+            },
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NXFIX-003',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: '<img> → Next.js <Image> component',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        if (!/next/.test(content) && !/[\/\\]app[\/\\]/.test(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/<img\s/.test(lines[i]) && !/<Image\b/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-NXFIX-003', category: 'bugs', severity: 'medium',
+              title: '<img> → use Next.js <Image> for automatic optimization',
+              file: fp, line: i + 1,
+              fix: { suggestion: 'Replace <img> with Next.js <Image> component from "next/image" for automatic lazy loading, responsive sizing, and WebP conversion.' },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NXFIX-004',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: '<a> → Next.js <Link> component',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        if (!/next/.test(content) && !/[\/\\]app[\/\\]/.test(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // <a href="/internal"> — internal link not using Next.js Link
+          if (/<a\b[^>]*href\s*=\s*['"]\/[^'"]*['"]/.test(lines[i]) && !/<Link\b/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-NXFIX-004', category: 'bugs', severity: 'medium',
+              title: '<a href="/..."> → use Next.js <Link> for client-side navigation',
+              file: fp, line: i + 1,
+              fix: { suggestion: 'Replace <a> with Next.js <Link> from "next/link" for client-side navigation (faster transitions, prefetching).' },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/node-fixable.js

@@ -0,0 +1,178 @@
+// Auto-fixable Node.js/backend bug patterns
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  {
+    id: 'BUG-NFIX-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'res.send without return → return res.send',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        if (!/express|router/.test(content)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // res.send/json/status without return, followed by more res calls
+          if (/^\s+res\.(send|json|status)\s*\(/.test(lines[i]) && !/return\s+res/.test(lines[i]) && !/^\s*return\b/.test(lines[i])) {
+            for (let j = i + 1; j < Math.min(i + 5, lines.length); j++) {
+              if (/res\.(send|json|status|end|redirect)/.test(lines[j])) {
+                findings.push({
+                  ruleId: 'BUG-NFIX-001', category: 'bugs', severity: 'high',
+                  title: 'Add return before res.send() to prevent double response',
+                  file: fp, line: i + 1,
+                  fix: {
+                    type: 'replace',
+                    old: lines[i],
+                    new: lines[i].replace(/^(\s*)res\./, '$1return res.'),
+                  },
+                });
+                break;
+              }
+              if (/return\b|\}/.test(lines[j])) break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NFIX-002',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'readFileSync → readFile (async)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const isServerFile = /express|fastify|http\.createServer|app\.(get|post)|router/.test(content);
+        if (!isServerFile) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/fs\.readFileSync\s*\(([^)]+)\)/);
+          if (match) {
+            findings.push({
+              ruleId: 'BUG-NFIX-002', category: 'bugs', severity: 'medium',
+              title: 'readFileSync → await fs.promises.readFile in server code',
+              file: fp, line: i + 1,
+              fix: {
+                type: 'replace',
+                old: `fs.readFileSync(${match[1]})`,
+                new: `await fs.promises.readFile(${match[1]})`,
+              },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NFIX-003',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'callback(err) without return → return callback(err)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/^\s+(callback|cb|next|done)\s*\(\s*(err|error|e|null)\s*\)\s*;?\s*$/.test(lines[i]) && !/return/.test(lines[i])) {
+            for (let j = i + 1; j < Math.min(i + 5, lines.length); j++) {
+              const cbName = lines[i].match(/(callback|cb|next|done)/)[1];
+              if (new RegExp(`\\b${cbName}\\b`).test(lines[j])) {
+                findings.push({
+                  ruleId: 'BUG-NFIX-003', category: 'bugs', severity: 'medium',
+                  title: `Add return before ${cbName}() to prevent double callback`,
+                  file: fp, line: i + 1,
+                  fix: {
+                    type: 'replace',
+                    old: lines[i],
+                    new: lines[i].replace(/^(\s*)(callback|cb|next|done)/, '$1return $2'),
+                  },
+                });
+                break;
+              }
+              if (/return\b|\}/.test(lines[j])) break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NFIX-004',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'JSON.stringify(req/res) → serialize specific properties',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/JSON\.stringify\s*\(\s*(req|res)\s*\)/);
+          if (match) {
+            const obj = match[1];
+            const replacement = obj === 'req'
+              ? `JSON.stringify({ method: ${obj}.method, url: ${obj}.url, headers: ${obj}.headers })`
+              : `JSON.stringify({ statusCode: ${obj}.statusCode })`;
+            findings.push({
+              ruleId: 'BUG-NFIX-004', category: 'bugs', severity: 'medium',
+              title: `JSON.stringify(${obj}) → serialize specific properties to avoid circular reference`,
+              file: fp, line: i + 1,
+              fix: {
+                type: 'replace',
+                old: `JSON.stringify(${obj})`,
+                new: replacement,
+              },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-NFIX-005',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'process.env.X → process.env.X || default for non-critical vars',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // const PORT = process.env.PORT (without fallback)
+          const match = lines[i].match(/(?:const|let|var)\s+PORT\s*=\s*process\.env\.PORT\s*;?\s*$/);
+          if (match) {
+            findings.push({
+              ruleId: 'BUG-NFIX-005', category: 'bugs', severity: 'medium',
+              title: 'PORT without fallback → add default value',
+              file: fp, line: i + 1,
+              fix: {
+                type: 'replace',
+                old: 'process.env.PORT',
+                new: 'process.env.PORT || 3000',
+              },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;