pi-gitnexus-fork 0.7.0

package/.sg-rules/no-console-in-server.yml

@@ -0,0 +1,42 @@
+# SOURCE: https://getpino.io/#/docs/api?id=logger
+#   "Pino is a structured JSON logger. Use it instead of console for production logging.
+#   console.log produces unstructured output that's hard to query in log aggregation systems."
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-4794/
+#   SonarQube S4794: "Using console logging in production code is a security and performance risk."
+# Rationale: This is the server-side companion to no-console-except-error (which is in common/).
+# Server code should ALWAYS use pino (injected via Fastify request.log or a shared logger).
+#
+# REFINED: Only flags console.log, console.debug, console.trace, console.info.
+# console.error and console.warn are legitimate error/warning logging and are NOT flagged.
+id: no-console-in-server
+language: typescript
+message: "console.log/debug/info/trace in server code — use request.log (Fastify pino) or the shared logger instead. Structured logs are required for Cloud Run log aggregation."
+severity: warning
+note: |
+  Flags unstructured console output (log, debug, trace, info) in server-side code.
+  These produce output without: request ID, timestamp, trace context, or log level.
+  
+  console.error and console.warn are NOT flagged — they are legitimate for error/warning
+  logging and produce properly tagged output (stderr with error/warn level markers).
+rule:
+  pattern: console.$METHOD($$$)
+constraints:
+  METHOD:
+    # Only unstructured output methods — NOT error or warn
+    regex: '^(log|debug|trace|info)$'
+paths:
+  - '**/api/**'
+  - '**/server/**'
+  - '**/routes/**'
+  - '**/src/index.ts'
+  - '**/src/app.ts'
+  - '**/src/server.ts'
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - '**/migrations/**'
+  - 'test-*.ts'

package/.sg-rules/no-empty-catch.yml

@@ -0,0 +1,20 @@
+# SOURCE: https://eslint.org/docs/latest/rules/no-empty
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-108/
+id: no-empty-catch
+message: Empty catch block silently swallows errors — handle the error or add a comment explaining why it's intentionally ignored
+severity: warning
+language: TypeScript
+note: Mirrors ESLint no-empty and SonarQube S108. Catch blocks with comments are acceptable.
+rule:
+  kind: statement_block
+  pattern: '{}'
+  inside:
+    kind: catch_clause
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/no-empty-function.yml

@@ -0,0 +1,24 @@
+# SOURCE: https://eslint.org/docs/latest/rules/no-empty-function
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-1186/
+id: no-empty-function
+message: Empty function body — either implement, add a comment explaining why empty, or throw NotImplementedError
+severity: warning
+language: TypeScript
+note: Mirrors ESLint no-empty-function and SonarQube S1186. Empty functions with comments inside are acceptable.
+rule:
+  kind: statement_block
+  pattern: '{}'
+  inside:
+    any:
+      - kind: function_declaration
+      - kind: function_expression
+      - kind: arrow_function
+      - kind: method_definition
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/no-eval.yml

@@ -0,0 +1,28 @@
+# SOURCE: https://eslint.org/docs/latest/rules/no-eval
+#   ESLint no-eval: "Eliminate eval() and its counterparts."
+# SOURCE: https://rules.sonarsource.com/javascript/RSPEC-1528/
+#   SonarQube S1528: "eval" and "new Function" should not be used.
+# SOURCE: https://ast-grep.github.io/catalog/typescript/no-eval.html
+#   ast-grep catalog rule for eval detection.
+id: no-eval
+language: TypeScript
+message: "Avoid eval() / new Function() / setTimeout(string) / setInterval(string) — code injection risk"
+severity: error
+note: "Mirrors ESLint no-eval and SonarQube S1528. String arguments to setTimeout/setInterval act as eval."
+rule:
+  any:
+    - pattern: eval($$$ARGS)
+    - pattern: new Function($$$ARGS)
+    - pattern: setTimeout($STR, $$$)
+    - pattern: setInterval($STR, $$$)
+constraints:
+  STR:
+    kind: string
+    # Only match when first arg is a string literal (not a function reference)
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'

package/.sg-rules/no-explicit-any.yml

@@ -0,0 +1,34 @@
+# SOURCE: https://typescript-eslint.io/rules/no-explicit-any/
+#   @typescript-eslint/no-explicit-any: "Disallow the any type."
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-4328/
+#   SonarQube S4328: "ANY type should not be used."
+# SOURCE: https://google.github.io/styleguide/tsguide.html#typescript
+#   Google TypeScript Style Guide: "Avoid using any."
+id: no-explicit-any
+language: TypeScript
+message: "Avoid explicit any — use a proper type, generic, or unknown"
+severity: warning
+note: "Mirrors @typescript-eslint/no-explicit-any and SonarQube S4328. any disables all type safety."
+rule:
+  any:
+    - pattern: $X as any
+    - kind: predefined_type
+      pattern: any
+      inside:
+        any:
+          - kind: type_annotation
+          - kind: type_arguments
+          - kind: as_expression
+          - kind: tuple_type
+          - kind: array_type
+          - kind: union_type
+          - kind: intersection_type
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'
+  - '**/*.d.ts'

package/.sg-rules/no-hardcoded-placeholder-string.yml

@@ -0,0 +1,23 @@
+# SOURCE: https://eslint.org/docs/latest/rules/no-magic-numbers
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-131/ (magic numbers)
+id: no-hardcoded-placeholder-string
+message: Hardcoded placeholder string detected — replace with actual value or configuration
+severity: warning
+language: TypeScript
+note: Detects strings containing placeholder markers like TODO, FIXME, INSERT, REPLACE, STUB, PLACEHOLDER in production code.
+rule:
+  any:
+    - pattern: '"$VALUE"'
+    - pattern: "'$VALUE'"
+constraints:
+  VALUE:
+    regex: '(?i)^(TODO|FIXME|STUB|PLACEHOLDER|INSERT .+|REPLACE .+|NOT IMPLEMENTED)$'
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/__mocks__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/no-hardcoded-secrets.yml

@@ -0,0 +1,32 @@
+# SOURCE: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
+#   Gitleaks default config: regex patterns for passwords, API keys, tokens, private keys.
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-2068/
+#   SonarQube S2068: "Hardcoded credentials should not be used in source code."
+# SOURCE: https://github.com/returntocorp/semgrep-rules/blob/main/javascript/lang/security/no-hardcoded-secrets.yaml
+#   Semgrep community rule for hardcoded secret detection.
+id: no-hardcoded-secrets
+language: TypeScript
+message: "Hardcoded credentials detected — use environment variables or secrets manager"
+severity: error
+note: "Mirrors Gitleaks, SonarQube S2068, and Semgrep no-hardcoded-secrets. Catches password/secret/token/credential patterns."
+rule:
+  any:
+    - pattern: const $KEY = '$VAL'
+    - pattern: $OBJ['$KEY'] = '$VAL'
+    - pattern: $OBJ.$KEY = '$VAL'
+constraints:
+  KEY:
+    regex: '(?i)(password|secret|api[_-]?key|token|credential|private[_-]?key|auth[_-]?key|access[_-]?key)'
+  VAL:
+    regex: '[a-zA-Z0-9+/=_-]{8,}'
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/__mocks__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'
+  - '**/*.example*'
+  - '**/*.md'

package/.sg-rules/no-innerHTML.yml

@@ -0,0 +1,22 @@
+# SOURCE: https://github.com/mozilla/eslint-plugin-no-unsanitized/blob/master/rules/no-unsanitized-property.md
+#   Mozilla eslint-plugin-no-unsanitized: flags innerHTML/outerHTML assignments with unsanitized values.
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-2819/
+#   SonarQube S2819: "DOM properties should not be misused — innerHTML with untrusted data is XSS."
+# SOURCE: https://websitesecurityscanner.org/alerts/dom-xss-innerhtml/
+#   DOM XSS via innerHTML is OWASP A03:2021 Injection.
+id: no-innerHTML
+language: TypeScript
+message: "Avoid .innerHTML / .outerHTML assignment — XSS risk, use textContent or DOM API"
+severity: error
+note: "Mirrors Mozilla no-unsanitized and SonarQube S2819. Direct innerHTML assignment is the #1 DOM XSS vector."
+rule:
+  any:
+    - pattern: $EL.innerHTML = $VAL
+    - pattern: $EL.outerHTML = $VAL
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'

package/.sg-rules/no-json-parse-without-trycatch.yml

@@ -0,0 +1,33 @@
+# SOURCE: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse
+#   "JSON.parse() throws SyntaxError if the string is not valid JSON."
+# SOURCE: https://typescript-eslint.io/rules/no-unsafe-assignment/
+#   TypeScript ESLint: unvalidated external data is a security risk.
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-4715/
+#   SonarQube S4715: "JSON.parse should not be used without error handling."
+#
+# NOTE: framework/bun/safe-json-parse.yml covers this for Bun projects.
+# This rule covers the general TypeScript case (Node.js, Fastify, React).
+id: no-json-parse-without-trycatch
+language: typescript
+message: "JSON.parse without try/catch — throws SyntaxError on malformed input. Wrap in try/catch or use safeParse-style helper"
+severity: warning
+note: |
+  JSON.parse() is the only standard JSON parser in JS and it throws on any invalid input.
+  In server-side code, malformed JSON from external sources (request bodies, config files,
+  external APIs) will crash the handler. Wrap in try/catch with a descriptive error message.
+rule:
+  pattern: JSON.parse($ARG)
+  not:
+    inside:
+      kind: try_statement
+      has:
+        kind: catch_clause
+        stopBy: end
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/no-magic-numbers.yml

@@ -0,0 +1,25 @@
+# SOURCE: https://eslint.org/docs/latest/rules/no-magic-numbers
+#   ESLint no-magic-numbers: "Disallow magic numbers — numbers should be named constants."
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-1094/
+#   SonarQube S109: "Magic numbers should not be used."
+id: no-magic-numbers
+language: TypeScript
+message: "Magic number detected — extract to a named constant"
+severity: hint
+note: "Mirrors ESLint no-magic-numbers and SonarQube S109. Flags numeric literals > 1 in comparisons."
+rule:
+  pattern: $X === $NUM
+constraints:
+  NUM:
+    regex: '[2-9]'
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'
+  - '**/*.d.ts'
+  - '**/const*'
+  - '**/constants*'

package/.sg-rules/no-nested-ternary.yml

@@ -0,0 +1,21 @@
+# SOURCE: https://eslint.org/docs/latest/rules/no-nested-ternary
+#   ESLint no-nested-ternary: "Disallow nested ternary expressions."
+# SOURCE: https://github.com/airbnb/javascript/blob/master/packages/eslint-config-airbnb-base/rules/style.js
+#   Airbnb style guide: "Ternaries should not be nested."
+id: no-nested-ternary
+language: TypeScript
+message: "Avoid nested ternary — extract to a variable or use if/else"
+severity: warning
+note: "Mirrors ESLint no-nested-ternary and Airbnb style guide. Nested ternaries are unreadable."
+rule:
+  kind: ternary_expression
+  has:
+    kind: ternary_expression
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/no-non-null-assertion.yml

@@ -0,0 +1,25 @@
+# SOURCE: https://typescript-eslint.io/rules/no-non-null-assertion/
+#   @typescript-eslint/no-non-null-assertion: "Disallow non-null assertions using the ! postfix operator."
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-6557/
+#   SonarQube S6557: "Non-null assertions should not be used."
+id: no-non-null-assertion
+language: TypeScript
+message: "Avoid non-null assertion (!) — use proper null checks or optional chaining"
+severity: warning
+note: "Mirrors @typescript-eslint/no-non-null-assertion and SonarQube S6557. The ! operator lies to the compiler."
+rule:
+  pattern: $X!
+constraints:
+  X:
+    not:
+      pattern: $Y!
+      # We match the postfix ! operator on identifiers and member expressions
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'
+  - '**/*.d.ts'

package/.sg-rules/no-stub-implementation.yml

@@ -0,0 +1,44 @@
+# SOURCE: coding-guard internal — comprehensive stub/placeholder detection
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-4658/ (placeholder usage)
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-1155/ (empty/placeholder implementations)
+id: no-stub-implementation
+message: "Stub/placeholder/incomplete implementation detected — replace with real code"
+severity: error
+language: TypeScript
+note: |
+  Comprehensive anti-evasion stub detector.
+  
+  Keywords: stub, not yet implemented, deferred, work around, monkey patch,
+  placeholder, hack, temporary, fixme, wip, todo: implement, not implemented
+  
+  Contexts: throw Error (any subclass), console.log/warn/error/info/debug
+  
+  Evasion resistance:
+  - String concatenation: 'st' + 'ub' → caught via per-char gaps in $MSG text
+  - Template literals: `stub response` → caught via same regex
+  - Different Error types: TypeError/RangeError/etc → $ERR matches any class
+  
+  Note: does NOT match `return` statements to avoid false positives from
+  prose/template strings containing incidental keyword matches.
+rule:
+  any:
+    # ── throw patterns (any Error subclass) ──
+    - pattern: throw new $ERR($MSG)
+    # ── console patterns ──
+    - pattern: console.log($MSG)
+    - pattern: console.warn($MSG)
+    - pattern: console.error($MSG)
+    - pattern: console.info($MSG)
+    - pattern: console.debug($MSG)
+constraints:
+  MSG:
+    regex: '(?i)(s[\W_]{0,5}t[\W_]{0,5}u[\W_]{0,5}b|h[\W_]{0,5}a[\W_]{0,5}c[\W_]{0,5}k|w[\W_]{0,5}i[\W_]{0,5}p|not.{0,15}implement|deferred|work.?-?around|monkey.?-?patch|placeholder|temporary|fixme|todo.{0,20}implement)'
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/__mocks__/**'
+  - '**/scripts/**'
+  - '**/fixtures/**'

package/.sg-rules/no-throw-literal.yml

@@ -0,0 +1,50 @@
+# SOURCE: https://www.typescriptlang.org/docs/handbook/2/functions.html#optional-parameters-in-callbacks
+#   "Use explicit return types on methods that return promises to avoid accidentally
+#   returning void (floating promises)."
+# SOURCE: https://typescript-book.com/exceptions/dont-throw-use-errors
+#   "throw 'string' or throw 42 bypasses Error stack trace capture. Always throw
+#   an Error subclass with proper context."
+# SOURCE: https://kentcdodds.com/blog/get-a-catch-block-error-message-with-typescript
+#   "throw new Error() captures stack. throw 'message' does not."
+id: no-throw-literal
+language: typescript
+message: "throw with non-Error value — no stack trace captured. Use throw new Error() or throw new AppError() for proper stack traces"
+severity: error
+note: |
+  UNSAFE:
+    throw 'Something went wrong'
+    throw 404
+    throw { message: 'failed', code: 'ERR_FAIL' }
+    throw response.statusText
+  
+  SAFE:
+    throw new Error('Something went wrong')
+    throw new AppError('FAILED', 'Something went wrong', 500)
+    throw new NotFoundError('User')
+    if (err instanceof Error) throw err;
+  
+  WHY: Only `throw new Error()` (or subclass) captures a stack trace. Throwing strings,
+  numbers, or plain objects produces errors with no stack trace — you can see the error
+  message but have NO idea where it was thrown from. This makes production debugging
+  impossible. Rule enforces all throws use Error instances.
+rule:
+  any:
+    - pattern: throw $LIT
+  not:
+    any:
+      # Safe: throwing Error instances
+      - pattern: throw new $ERR($$$ARGS)
+      - pattern: throw new $ERR
+      # Safe: rethrowing caught error
+      - inside:
+          kind: catch_clause
+          stopBy: end
+          pattern: throw $ERR
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/no-todo-comment.yml

@@ -0,0 +1,24 @@
+# SOURCE: https://eslint.org/docs/latest/rules/no-warning-comments
+#   Terms: TODO/FIXME/HACK only (mirrors ESLint defaults). Word boundary + location:start.
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-1135/
+#   isLetterAround() guard — requires delimiter after marker to avoid FP.
+# SOURCE: https://github.com/detekt/detekt/issues/6116
+#   Community consensus: require colon after marker (TODO: not just TODO).
+id: no-todo-comment
+message: 'TODO/FIXME/HACK comment found — track in issue tracker instead. ALWAYS callsout to the user WHENEVER encountering these TODO warning'
+severity: warning
+language: TypeScript
+note: "Mirrors ESLint no-warning-comments (terms: TODO/FIXME/HACK, location: start) and SonarQube S1135."
+rule:
+  kind: comment
+  regex: '(?i)\b(TODO|FIXME|HACK)\s*[:：]'
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/*.test-d.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/__mocks__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/no-ts-ignore-comment.yml

@@ -0,0 +1,48 @@
+# SOURCE: https://typescript-eslint.io/rules/ban-ts-comment/
+#   typescript-eslint ban-ts-comment: by default disallows `@ts-ignore` and `@ts-nocheck`
+#   while allowing `@ts-expect-error` (with description). Recommended preset.
+# SOURCE: https://www.typescriptlang.org/docs/handbook/release-notes/typescript-3-9.html#-ts-expect-error-comments
+#   TypeScript 3.9 introduced `@ts-expect-error` precisely so that the suppression
+#   itself raises an error once the underlying issue is fixed — `@ts-ignore` does not.
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-6535/
+#   SonarQube S6535: "TypeScript directive comments should not be used to silence type errors."
+id: no-ts-ignore-comment
+language: TypeScript
+message: "Replace @ts-ignore / @ts-nocheck with @ts-expect-error — the latter errors out once the underlying issue is fixed"
+severity: warning
+note: |
+  Mirrors typescript-eslint ban-ts-comment (recommended preset) and SonarQube S6535.
+
+  `@ts-ignore` silences the next line forever — even after the type bug is
+  fixed, the directive lingers as dead noise (and can hide new bugs).
+  `@ts-expect-error` flips the contract: it suppresses the error, but the
+  compiler reports an error if the next line type-checks cleanly, so
+  obsolete suppressions get flagged the moment they become obsolete.
+  `@ts-nocheck` opts an entire file out of type checking and is almost
+  never the right answer in a typed codebase.
+
+  BAD:
+    // @ts-ignore
+    const value: number = JSON.parse(raw);
+
+    // @ts-nocheck
+    // (silences the entire file)
+
+  GOOD:
+    // @ts-expect-error - upstream types are wrong, see DT#12345
+    const value: number = JSON.parse(raw);
+
+rule:
+  kind: comment
+  regex: '@ts-(ignore|nocheck)\b'
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/*.test-d.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/__mocks__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'
+  - '**/*.d.ts'

package/.sg-rules/no-type-assertion-in-jsx.yml

@@ -0,0 +1,23 @@
+# SOURCE: https://www.typescriptlang.org/docs/handbook/2/everyday-types.html#type-assertions
+#   TypeScript handbook: "Type assertions are a way to tell TypeScript 'trust me, I know what I'm doing.'
+#   The two syntaxes are angle-bracket and as-style, but angle-bracket syntax is NOT valid in JSX/TSX files."
+# SOURCE: https://typescript-eslint.io/rules/consistent-type-assertions/
+#   @typescript-eslint/consistent-type-assertions: "Enforce consistent usage of type assertions."
+id: no-type-assertion-in-jsx
+language: typescript
+message: "Angle-bracket type assertion (<Type>expr) conflicts with JSX syntax in TSX — use 'as' syntax instead"
+severity: error
+note: |
+  In TSX files, <Type>expr is ambiguous — TypeScript parses it as a JSX element, not a type assertion.
+  Use expr as Type instead. This is a hard error in TSX files, not a style preference.
+rule:
+  pattern: <$TYPE>$EXPR
+  # ast-grep limitation: tree-sitter-typescript may parse this as JSX, not type assertion.
+  # If this rule doesn't fire, it's because the parser can't distinguish JSX from angle-bracket assertions.
+  # TypeScript itself handles this by banning angle-bracket assertions in TSX — this rule mirrors that.
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'

package/.sg-rules/no-unguarded-trim.yml

@@ -0,0 +1,24 @@
+# SOURCE: coding-guard internal — detects .trim() calls in React render paths
+id: no-unguarded-trim-in-render
+message: "Unguarded .trim() in component — consider (val ?? '').trim() or val?.trim()"
+severity: info
+language: TypeScript
+note: |
+  Flags .trim() calls in React component files (.tsx) that lack
+  null-safety guards. Use (value ?? '').trim() or value?.trim().
+rule:
+  pattern: $OBJ.trim()
+constraints:
+  OBJ:
+    regex: '^\w+(\.\w+)+$'
+ignores:
+  - '**/*.test.ts'
+  - '**/*.test.tsx'
+  - '**/*.spec.ts'
+  - '**/*.spec.tsx'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/__mocks__/**'
+  - '**/scripts/**'
+  - '**/fixtures/**'

package/.sg-rules/no-unknown-without-narrowing.yml

@@ -0,0 +1,76 @@
+# SOURCE: https://www.typescriptlang.org/docs/handbook/2/narrowing.html#using-type-predicates
+#   "Type predicates (param is Type) are the TypeScript way to narrow types.
+#   typeof checks are for primitives only. instanceof is for classes."
+# SOURCE: https://www.totaltypescript.com/tips/use-type-predicates-to-narrow-types
+#   "unknown should be narrowed with type predicates before use."
+# SOURCE: https://typescript-book.com/typeNarrowing
+#   "Don't access unknown without narrowing. Use type guards."
+id: no-unknown-without-narrowing
+language: typescript
+message: "Parameter typed as 'unknown' used without type narrowing — use type guard (typeof, instanceof, in) or zod.parse() before accessing"
+severity: warning
+note: |
+  UNSAFE:
+    function handle(data: unknown) {
+      const str = data.toString();  // no narrowing — runtime error if data is null
+    }
+  
+    function process(value: unknown) {
+      console.log((value as any).name);  // bypasses the point of unknown
+    }
+  
+  SAFE:
+    function handle(data: unknown) {
+      if (typeof data === 'string') {
+        return data.toUpperCase();  // narrowed to string
+      }
+      if (typeof data === 'object' && data !== null && 'name' in data) {
+        return (data as { name: string }).name;  // narrowed
+      }
+    }
+    
+    function process(value: unknown) {
+      const result = schema.safeParse(value);  // zod validation
+      if (!result.success) throw new ValidationError('...');
+      return result.data;
+    }
+  
+  WHY: `unknown` forces you to narrow before use — that's its purpose. Accessing unknown
+  without narrowing defeats the entire point. Use typeof (primitives), instanceof (classes),
+  in operator (objects), or zod.parse() for complex shapes. `as any` on unknown is the
+  worst violation — it removes ALL type safety.
+rule:
+  pattern: $PARAM.$METHOD($$$ARGS)
+  inside:
+    any:
+      - kind: function_declaration
+      - kind: arrow_function
+      - kind: function_expression
+  not:
+    any:
+      # Safe: inside a typeof narrowing if block
+      - inside:
+          pattern: |
+            if (typeof $PARAM === $$$TYPE) {
+              $$$PRE
+              $PARAM.$METHOD($$$ARGS)
+              $$$POST
+            }
+          stopBy: end
+      # Safe: inside an instanceof narrowing if block
+      - inside:
+          pattern: |
+            if ($PARAM instanceof $$$TYPE) {
+              $$$PRE
+              $PARAM.$METHOD($$$ARGS)
+              $$$POST
+            }
+          stopBy: end
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'