ship18ion 1.1.0 → 1.2.0

package/CONTRIBUTING.md

@@ -0,0 +1,60 @@
+# Contributing to ship18ion
+
+First off, thanks for taking the time to contribute! ❤️
+
+All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions.
+
+## Table of Contents
+
+- [I Have a Question](#i-have-a-question)
+- [I Want To Contribute](#i-want-to-contribute)
+  - [Reporting Bugs](#reporting-bugs)
+  - [Suggesting Enhancements](#suggesting-enhancements)
+  - [Your First Code Contribution](#your-first-code-contribution)
+
+## I Have a Question
+
+> If you want to ask a question, we assume that you have read the available [Documentation](README.md).
+
+Before you ask a question, it is best to search for existing [Issues](/issues) that might help you. In case you have found a suitable issue and still need clarification, you can write your question in this issue. It is also advisable to search the internet for answers first.
+
+## I Want To Contribute
+
+### Reporting Bugs
+
+- Make sure that you are using the latest version.
+- Read the documentation carefully and find out if the functionality is already covered, maybe by an individual configuration.
+- Perform a search to see if the problem has already been reported. If it has, add a comment to the existing issue instead of opening a new one.
+
+### Suggesting Enhancements
+
+- Open a new issue and use the **Feature Request** template.
+- Explain why this enhancement would be useful to most users.
+
+## Styleguides
+
+### Commit Messages
+
+- Use [Conventional Commits](https://www.conventionalcommits.org/).
+
+### Code Style
+
+- Keep code clean and use the existing ESLint/Prettier configs (if available).
+- Add tests for new features.
+
+## Development Workflow
+
+To test your changes locally on another project without publishing:
+
+1.  **Build and Link**:
+    ```bash
+    npm run build
+    npm link
+    ```
+2.  **Use in Target Project**:
+    ```bash
+    npm link ship18ion
+    npx ship18ion
+    ```
+
+Thank you!

package/README.md

@@ -31,6 +31,17 @@ Think of it as `eslint` but for **deployability**.
   - Ensures `.env` files are not bundled into build output directories.
   - Checks for dev dependencies (like `eslint`) accidentally listed in `dependencies`.
 
+- **🧹 Code Hygiene (New)**:
+  - Warns on leftover `console.log()` calls.
+  - Flags `FIXME` comments that need resolution.
+
+- **📦 Dependencies (New)**:
+  - Checks for duplicate packages (listed in both `dependencies` and `devDependencies`).
+
+- **🐙 Git Safety (New)**:
+  - Ensures critical files (`node_modules`, `.env`) and framework artifacts (`.next`) are git-ignored.
+  - **Security**: alerts if dangerous keys (e.g. `serviceAccountKey.json`) exist but are *not* ignored.
+
 - **👷 CI/CD Ready**: 
   - Zero config by default.
   - Returns exit code `1` on failure to block bad builds.
@@ -95,6 +106,11 @@ npx ship18ion check --ci
 | **Next.js** | `nextjs-public-secret` | High-entropy string found in `NEXT_PUBLIC_` variable. |
 | **Security** | `security-cors` | Detects wildcard `Access-Control-Allow-Origin`. |
 | **Git** | `git-dirty` | Warns if deploying with uncommitted changes. |
+| **Git** | `git-ignore-missing` | Warns if `.gitignore` is missing critical entries (`node_modules`, `.env`). |
+| **Git** | `git-ignore-auth` | **Critical**: Fails if `serviceAccountKey.json` etc are not ignored. |
+| **Hygiene** | `hygiene-console-log` | Warns on `console.log` in production code. |
+| **Hygiene** | `hygiene-fixme` | Warns on leftover `FIXME` comments. |
+| **Package** | `package-duplicate` | Warns if a package is in both dependency lists. |
 
 ## 🤝 Contributing
 

package/dist/cli/index.js

@@ -27,11 +27,16 @@ program
     const config = await (0, config_1.loadConfig)(cwd);
     const spinner = (0, ora_1.default)('Initializing...').start();
     try {
+        let framework = 'unknown';
         if (!options.ci) {
-            const framework = await (0, detector_1.detectFramework)(cwd);
+            framework = await (0, detector_1.detectFramework)(cwd);
             spinner.text = `Detected Framework: ${chalk_1.default.cyan(framework.toUpperCase())}`;
             await new Promise(r => setTimeout(r, 800)); // Brief pause to show framework
         }
+        else {
+            // Even in CI, simple detection is useful for reporting if needed, or we just skip
+            framework = await (0, detector_1.detectFramework)(cwd);
+        }
         const results = await (0, runner_1.runChecks)(config, cwd, (stage) => {
             if (!options.ci)
                 spinner.text = stage;
@@ -39,7 +44,7 @@ program
         spinner.succeed(chalk_1.default.green('Checks completed!'));
         console.log('');
         // Uses console reporter for both normal and CI for now (it handles exit codes)
-        (0, console_1.reportConsole)(results, cwd);
+        (0, console_1.reportConsole)(results, cwd, framework);
     }
     catch (e) {
         spinner.fail(chalk_1.default.red('Error running checks'));

package/dist/engine/runner.js

@@ -6,6 +6,8 @@ const env_1 = require("../rules/env");
 const secrets_1 = require("../rules/secrets");
 const security_1 = require("../rules/security");
 const build_1 = require("../rules/build");
+const hygiene_1 = require("../rules/hygiene");
+const packages_1 = require("../rules/packages");
 const nextjs_1 = require("../rules/frameworks/nextjs");
 const git_1 = require("../rules/git");
 const detector_1 = require("./detector");
@@ -13,7 +15,9 @@ async function runChecks(config, cwd, onProgress) {
     if (onProgress)
         onProgress('Scanning files...');
     const files = await (0, scanner_1.scanFiles)(cwd, config.ignore);
-    const ctx = { config, files, cwd };
+    // Framework detection
+    const framework = await (0, detector_1.detectFramework)(cwd);
+    const ctx = { config, files, cwd, framework };
     const results = [];
     // Run all checks
     if (onProgress)
@@ -31,8 +35,14 @@ async function runChecks(config, cwd, onProgress) {
     if (onProgress)
         onProgress('Inspecting build artifacts...');
     results.push(...await (0, build_1.checkBuild)(ctx));
-    // Framework detection
-    const framework = await (0, detector_1.detectFramework)(cwd);
+    // New Rules
+    if (onProgress)
+        onProgress('Checking code hygiene...');
+    results.push(...await (0, hygiene_1.checkHygiene)(ctx));
+    if (onProgress)
+        onProgress('Validating packages...');
+    results.push(...await (0, packages_1.checkPackages)(ctx));
+    // Framework specific checks
     if (framework === 'nextjs') {
         if (onProgress)
             onProgress('Running Next.js specific checks...');

package/dist/reporters/console.js

@@ -12,12 +12,18 @@ const CATEGORIES = {
     'security': { icon: '⚠️', label: 'Security' },
     'dep': { icon: '📦', label: 'Dependency & Build' },
     'build': { icon: '📦', label: 'Dependency & Build' },
+    'git': { icon: '🐙', label: 'Git & Repo' },
+    'hygiene': { icon: '🧹', label: 'Code Hygiene' },
+    'package': { icon: '📦', label: 'Packages' },
 };
 function getCategory(ruleId) {
     const prefix = ruleId.split('-')[0];
     return CATEGORIES[prefix] || { icon: '❓', label: 'Other' };
 }
-function reportConsole(results, cwd) {
+function reportConsole(results, cwd, framework) {
+    if (framework) {
+        console.log(chalk_1.default.blue(`ℹ️  Framework: ${framework.toUpperCase()}`));
+    }
     if (results.length === 0) {
         console.log(chalk_1.default.green('\n✅  Production Readiness Check Passed!\n'));
         return;

package/dist/rules/build.js

@@ -46,12 +46,12 @@ async function checkBuild(ctx) {
     // We search inside the found build directories
     for (const dir of foundBuildDirs) {
         const mapFiles = await (0, glob_1.glob)(`${dir}/**/*.map`, { cwd: ctx.cwd, absolute: true });
-        for (const file of mapFiles) {
+        if (mapFiles.length > 0) {
             results.push({
                 status: 'warn',
-                message: `Source map found in build output (${dir}) (information leak)`,
+                message: `Found ${mapFiles.length} source map files in '${dir}' (e.g. ${path_1.default.basename(mapFiles[0])}). Ensure these are not exposed publicly.`,
                 ruleId: 'build-source-map',
-                file
+                file: dir // Point to the directory itself
             });
         }
         // 2. Check for .env files in build output

package/dist/rules/git.js

@@ -1,10 +1,16 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.checkGit = checkGit;
 const child_process_1 = require("child_process");
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
 async function checkGit(ctx) {
     const results = [];
     try {
+        // ... (Existing git checks) ...
         // Check for uncommitted changes
         const status = (0, child_process_1.execSync)('git status --porcelain', { cwd: ctx.cwd, encoding: 'utf-8' });
         if (status.trim().length > 0) {
@@ -18,17 +24,67 @@ async function checkGit(ctx) {
         const branch = (0, child_process_1.execSync)('git rev-parse --abbrev-ref HEAD', { cwd: ctx.cwd, encoding: 'utf-8' }).trim();
         const allowedBranches = ['main', 'master', 'staging', 'production', 'prod'];
         if (!allowedBranches.includes(branch)) {
+            // Warn, but maybe less aggressively? Keeping as warn.
             results.push({
                 status: 'warn',
                 message: `You are on branch '${branch}'. Production builds typically come from main/master.`,
                 ruleId: 'git-branch',
             });
         }
+        // --- New: .gitignore Check ---
+        const gitignorePath = path_1.default.join(ctx.cwd, '.gitignore');
+        if (fs_1.default.existsSync(gitignorePath)) {
+            const content = fs_1.default.readFileSync(gitignorePath, 'utf-8');
+            const lines = content.split('\n').map(l => l.trim()).filter(l => l && !l.startsWith('#'));
+            // Helper to check if item is ignored (naive grep)
+            const isIgnored = (item) => lines.some(l => l.includes(item));
+            const requiredIgnores = ['node_modules', '.env'];
+            if (ctx.framework === 'nextjs') {
+                requiredIgnores.push('.next');
+            }
+            else if (ctx.framework !== 'unknown') {
+                // For other frameworks, maybe 'dist' or 'build'
+                if (!isIgnored('dist') && !isIgnored('build')) {
+                    // We can't strictly require one, but warn if NEITHER is found? 
+                    // Let's stick to safe defaults.
+                }
+            }
+            for (const item of requiredIgnores) {
+                if (!isIgnored(item)) {
+                    results.push({
+                        status: 'warn',
+                        message: `.gitignore is missing '${item}'. This is critical for security and repo size.`,
+                        ruleId: 'git-ignore-missing',
+                        file: gitignorePath
+                    });
+                }
+            }
+            // Check for specific dangerous files not being ignored
+            const dangerousPatterns = ['firebase.json', 'serviceAccountKey.json', '*.pem', '*.key'];
+            // This is tricky because firebase.json CAN be committed. serviceAccountKey.json should NOT.
+            if (!isIgnored('serviceAccountKey.json')) {
+                // Only warn if the FILE actually exists? Or just warn generic?
+                // Best to warn if the file exists AND isn't ignored.
+                if (fs_1.default.existsSync(path_1.default.join(ctx.cwd, 'serviceAccountKey.json'))) {
+                    results.push({
+                        status: 'fail',
+                        message: 'serviceAccountKey.json exists but is NOT in .gitignore!',
+                        ruleId: 'git-ignore-auth',
+                        file: gitignorePath
+                    });
+                }
+            }
+        }
+        else {
+            results.push({
+                status: 'warn',
+                message: 'No .gitignore file found! node_modules and secrets might be committed.',
+                ruleId: 'git-no-ignore',
+            });
+        }
     }
     catch (e) {
         // Not a git repo or git not found
-        // Silently fail or warn?
-        // results.push({ status: 'warn', message: 'Not a git repository or git command failed.', ruleId: 'git-error' });
     }
     return results;
 }

package/dist/rules/hygiene.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkHygiene = checkHygiene;
+const fs_1 = __importDefault(require("fs"));
+async function checkHygiene(ctx) {
+    const results = [];
+    const codeFiles = ctx.files.filter(f => f.match(/\.(js|ts|jsx|tsx)$/) &&
+        !f.includes('.test.') &&
+        !f.includes('.spec.'));
+    for (const file of codeFiles) {
+        const content = fs_1.default.readFileSync(file, 'utf-8');
+        const lines = content.split('\n');
+        lines.forEach((line, index) => {
+            const lineNum = index + 1;
+            // 1. Console Log Check
+            // Allow console.error and console.warn, but warn on console.log
+            if (line.includes('console.log(')) {
+                // Ignore if commented out
+                if (!line.trim().startsWith('//') && !line.trim().startsWith('*')) {
+                    results.push({
+                        status: 'warn',
+                        message: 'Leftover console.log() call detected.',
+                        ruleId: 'hygiene-console-log',
+                        file,
+                        line: lineNum
+                    });
+                }
+            }
+            // 2. TODO / FIXME Check
+            if (line.match(/\/\/\s*(TODO|FIXME):/i)) {
+                if (line.match(/FIXME/i)) {
+                    results.push({
+                        status: 'warn',
+                        message: 'FIXME comment found. Resolve before shipping.',
+                        ruleId: 'hygiene-fixme',
+                        file,
+                        line: lineNum
+                    });
+                }
+            }
+        });
+    }
+    return results;
+}

package/dist/rules/packages.js

@@ -0,0 +1,32 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkPackages = checkPackages;
+const fs_1 = __importDefault(require("fs"));
+async function checkPackages(ctx) {
+    const results = [];
+    const packageJsons = ctx.files.filter(f => f.endsWith('package.json') && !f.includes('node_modules'));
+    for (const pkgFile of packageJsons) {
+        try {
+            const content = JSON.parse(fs_1.default.readFileSync(pkgFile, 'utf-8'));
+            const deps = Object.keys(content.dependencies || {});
+            const devDeps = Object.keys(content.devDependencies || {});
+            // Find intersection
+            const duplicates = deps.filter(d => devDeps.includes(d));
+            for (const dup of duplicates) {
+                results.push({
+                    status: 'warn',
+                    message: `Package '${dup}' is listed in both 'dependencies' and 'devDependencies'.`,
+                    ruleId: 'package-duplicate',
+                    file: pkgFile
+                });
+            }
+        }
+        catch (e) {
+            // ignore malformed json
+        }
+    }
+    return results;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship18ion",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "",
   "main": "dist/cli/index.js",
   "bin": {

package/src/cli/index.ts

@@ -27,10 +27,14 @@ program
         const spinner = ora('Initializing...').start();
 
         try {
+            let framework: string = 'unknown';
             if (!options.ci) {
-                const framework = await detectFramework(cwd);
+                framework = await detectFramework(cwd);
                 spinner.text = `Detected Framework: ${chalk.cyan(framework.toUpperCase())}`;
                 await new Promise(r => setTimeout(r, 800)); // Brief pause to show framework
+            } else {
+                // Even in CI, simple detection is useful for reporting if needed, or we just skip
+                framework = await detectFramework(cwd);
             }
 
             const results = await runChecks(config, cwd, (stage) => {
@@ -41,7 +45,7 @@ program
             console.log('');
 
             // Uses console reporter for both normal and CI for now (it handles exit codes)
-            reportConsole(results, cwd);
+            reportConsole(results, cwd, framework);
         } catch (e) {
             spinner.fail(chalk.red('Error running checks'));
             console.error(e);

package/src/engine/runner.ts

@@ -5,6 +5,8 @@ import { checkEnvVars } from '../rules/env';
 import { checkSecrets } from '../rules/secrets';
 import { checkSecurity } from '../rules/security';
 import { checkDependencies, checkBuild } from '../rules/build';
+import { checkHygiene } from '../rules/hygiene';
+import { checkPackages } from '../rules/packages';
 import { checkNextJs } from '../rules/frameworks/nextjs';
 import { checkGit } from '../rules/git';
 
@@ -17,7 +19,10 @@ export async function runChecks(
 ): Promise<RuleResult[]> {
     if (onProgress) onProgress('Scanning files...');
     const files = await scanFiles(cwd, config.ignore);
-    const ctx: RuleContext = { config, files, cwd };
+    // Framework detection
+    const framework = await detectFramework(cwd);
+
+    const ctx: RuleContext = { config, files, cwd, framework };
 
     const results: RuleResult[] = [];
 
@@ -37,8 +42,14 @@ export async function runChecks(
     if (onProgress) onProgress('Inspecting build artifacts...');
     results.push(...await checkBuild(ctx));
 
-    // Framework detection
-    const framework = await detectFramework(cwd);
+    // New Rules
+    if (onProgress) onProgress('Checking code hygiene...');
+    results.push(...await checkHygiene(ctx));
+
+    if (onProgress) onProgress('Validating packages...');
+    results.push(...await checkPackages(ctx));
+
+    // Framework specific checks
     if (framework === 'nextjs') {
         if (onProgress) onProgress('Running Next.js specific checks...');
         results.push(...await checkNextJs(ctx));

package/src/engine/types.ts

@@ -1,4 +1,5 @@
 import { Ship18ionConfig } from './config';
+import { FrameworkType } from './detector';
 
 export interface RuleResult {
     status: 'pass' | 'fail' | 'warn';
@@ -12,4 +13,5 @@ export interface RuleContext {
     config: Ship18ionConfig;
     files: string[];
     cwd: string;
+    framework: FrameworkType;
 }

package/src/reporters/console.ts

@@ -8,6 +8,9 @@ const CATEGORIES: Record<string, { icon: string; label: string }> = {
     'security': { icon: '⚠️', label: 'Security' },
     'dep': { icon: '📦', label: 'Dependency & Build' },
     'build': { icon: '📦', label: 'Dependency & Build' },
+    'git': { icon: '🐙', label: 'Git & Repo' },
+    'hygiene': { icon: '🧹', label: 'Code Hygiene' },
+    'package': { icon: '📦', label: 'Packages' },
 };
 
 function getCategory(ruleId: string) {
@@ -15,7 +18,11 @@ function getCategory(ruleId: string) {
     return CATEGORIES[prefix] || { icon: '❓', label: 'Other' };
 }
 
-export function reportConsole(results: RuleResult[], cwd: string) {
+export function reportConsole(results: RuleResult[], cwd: string, framework?: string) {
+    if (framework) {
+        console.log(chalk.blue(`ℹ️  Framework: ${framework.toUpperCase()}`));
+    }
+
     if (results.length === 0) {
         console.log(chalk.green('\n✅  Production Readiness Check Passed!\n'));
         return;

package/src/rules/build.ts

@@ -51,12 +51,12 @@ export async function checkBuild(ctx: RuleContext): Promise<RuleResult[]> {
     for (const dir of foundBuildDirs) {
         const mapFiles = await glob(`${dir}/**/*.map`, { cwd: ctx.cwd, absolute: true });
 
-        for (const file of mapFiles) {
+        if (mapFiles.length > 0) {
             results.push({
                 status: 'warn',
-                message: `Source map found in build output (${dir}) (information leak)`,
+                message: `Found ${mapFiles.length} source map files in '${dir}' (e.g. ${path.basename(mapFiles[0])}). Ensure these are not exposed publicly.`,
                 ruleId: 'build-source-map',
-                file
+                file: dir // Point to the directory itself
             });
         }
 

package/src/rules/git.ts

@@ -1,10 +1,14 @@
 import { execSync } from 'child_process';
 import { RuleContext, RuleResult } from '../engine/types';
 
+import fs from 'fs';
+import path from 'path';
+
 export async function checkGit(ctx: RuleContext): Promise<RuleResult[]> {
     const results: RuleResult[] = [];
 
     try {
+        // ... (Existing git checks) ...
         // Check for uncommitted changes
         const status = execSync('git status --porcelain', { cwd: ctx.cwd, encoding: 'utf-8' });
         if (status.trim().length > 0) {
@@ -19,6 +23,7 @@ export async function checkGit(ctx: RuleContext): Promise<RuleResult[]> {
         const branch = execSync('git rev-parse --abbrev-ref HEAD', { cwd: ctx.cwd, encoding: 'utf-8' }).trim();
         const allowedBranches = ['main', 'master', 'staging', 'production', 'prod'];
         if (!allowedBranches.includes(branch)) {
+            // Warn, but maybe less aggressively? Keeping as warn.
             results.push({
                 status: 'warn',
                 message: `You are on branch '${branch}'. Production builds typically come from main/master.`,
@@ -26,10 +31,64 @@ export async function checkGit(ctx: RuleContext): Promise<RuleResult[]> {
             });
         }
 
+        // --- New: .gitignore Check ---
+        const gitignorePath = path.join(ctx.cwd, '.gitignore');
+        if (fs.existsSync(gitignorePath)) {
+            const content = fs.readFileSync(gitignorePath, 'utf-8');
+            const lines = content.split('\n').map(l => l.trim()).filter(l => l && !l.startsWith('#'));
+
+            // Helper to check if item is ignored (naive grep)
+            const isIgnored = (item: string) => lines.some(l => l.includes(item));
+
+            const requiredIgnores = ['node_modules', '.env'];
+            if (ctx.framework === 'nextjs') {
+                requiredIgnores.push('.next');
+            } else if (ctx.framework !== 'unknown') {
+                // For other frameworks, maybe 'dist' or 'build'
+                if (!isIgnored('dist') && !isIgnored('build')) {
+                    // We can't strictly require one, but warn if NEITHER is found? 
+                    // Let's stick to safe defaults.
+                }
+            }
+
+            for (const item of requiredIgnores) {
+                if (!isIgnored(item)) {
+                    results.push({
+                        status: 'warn',
+                        message: `.gitignore is missing '${item}'. This is critical for security and repo size.`,
+                        ruleId: 'git-ignore-missing',
+                        file: gitignorePath
+                    });
+                }
+            }
+
+            // Check for specific dangerous files not being ignored
+            const dangerousPatterns = ['firebase.json', 'serviceAccountKey.json', '*.pem', '*.key'];
+            // This is tricky because firebase.json CAN be committed. serviceAccountKey.json should NOT.
+
+            if (!isIgnored('serviceAccountKey.json')) {
+                // Only warn if the FILE actually exists? Or just warn generic?
+                // Best to warn if the file exists AND isn't ignored.
+                if (fs.existsSync(path.join(ctx.cwd, 'serviceAccountKey.json'))) {
+                    results.push({
+                        status: 'fail',
+                        message: 'serviceAccountKey.json exists but is NOT in .gitignore!',
+                        ruleId: 'git-ignore-auth',
+                        file: gitignorePath
+                    });
+                }
+            }
+
+        } else {
+            results.push({
+                status: 'warn',
+                message: 'No .gitignore file found! node_modules and secrets might be committed.',
+                ruleId: 'git-no-ignore',
+            });
+        }
+
     } catch (e) {
         // Not a git repo or git not found
-        // Silently fail or warn?
-        // results.push({ status: 'warn', message: 'Not a git repository or git command failed.', ruleId: 'git-error' });
     }
 
     return results;

package/src/rules/hygiene.ts

@@ -0,0 +1,52 @@
+import fs from 'fs';
+import { RuleContext, RuleResult } from '../engine/types';
+
+export async function checkHygiene(ctx: RuleContext): Promise<RuleResult[]> {
+    const results: RuleResult[] = [];
+
+    const codeFiles = ctx.files.filter(f =>
+        f.match(/\.(js|ts|jsx|tsx)$/) &&
+        !f.includes('.test.') &&
+        !f.includes('.spec.')
+    );
+
+    for (const file of codeFiles) {
+        const content = fs.readFileSync(file, 'utf-8');
+        const lines = content.split('\n');
+
+        lines.forEach((line, index) => {
+            const lineNum = index + 1;
+
+            // 1. Console Log Check
+            // Allow console.error and console.warn, but warn on console.log
+            if (line.includes('console.log(')) {
+                // Ignore if commented out
+                if (!line.trim().startsWith('//') && !line.trim().startsWith('*')) {
+                    results.push({
+                        status: 'warn',
+                        message: 'Leftover console.log() call detected.',
+                        ruleId: 'hygiene-console-log',
+                        file,
+                        line: lineNum
+                    });
+                }
+            }
+
+            // 2. TODO / FIXME Check
+            if (line.match(/\/\/\s*(TODO|FIXME):/i)) {
+
+                if (line.match(/FIXME/i)) {
+                    results.push({
+                        status: 'warn',
+                        message: 'FIXME comment found. Resolve before shipping.',
+                        ruleId: 'hygiene-fixme',
+                        file,
+                        line: lineNum
+                    });
+                }
+            }
+        });
+    }
+
+    return results;
+}

package/src/rules/packages.ts

@@ -0,0 +1,33 @@
+import fs from 'fs';
+import { RuleContext, RuleResult } from '../engine/types';
+
+export async function checkPackages(ctx: RuleContext): Promise<RuleResult[]> {
+    const results: RuleResult[] = [];
+
+    const packageJsons = ctx.files.filter(f => f.endsWith('package.json') && !f.includes('node_modules'));
+
+    for (const pkgFile of packageJsons) {
+        try {
+            const content = JSON.parse(fs.readFileSync(pkgFile, 'utf-8'));
+            const deps = Object.keys(content.dependencies || {});
+            const devDeps = Object.keys(content.devDependencies || {});
+
+            // Find intersection
+            const duplicates = deps.filter(d => devDeps.includes(d));
+
+            for (const dup of duplicates) {
+                results.push({
+                    status: 'warn',
+                    message: `Package '${dup}' is listed in both 'dependencies' and 'devDependencies'.`,
+                    ruleId: 'package-duplicate',
+                    file: pkgFile
+                });
+            }
+
+        } catch (e) {
+            // ignore malformed json
+        }
+    }
+
+    return results;
+}

package/SHIPPING.md

@@ -1,57 +0,0 @@
-# Shipping ship18ion
-
-## 1. Local Testing (Link)
-To test `ship18ion` on your other local projects without publishing, use `npm link`.
-
-1. **In this directory (ship18ion):**
-   ```bash
-   npm run build
-   npm link
-   ```
-   This creates a global symlink to your local version.
-
-2. **In your target project directory:**
-   ```bash
-   npm link ship18ion
-   ```
-   Now you can run:
-   ```bash
-   npx ship18ion check
-   ```
-
-3. **To unlink:**
-   ```bash
-   # In target project
-   npm unlink -g ship18ion
-   
-   # In ship18ion directory
-   npm unlink -g
-   ```
-
-## 2. Publishing to NPM
-To share this tool with the world.
-
-1. **Login to NPM:**
-   ```bash
-   npm login
-   ```
-
-2. **Prepare:**
-   - Ensure `package.json` has the correct version.
-   - Run tests: `npm test` (or verifying script).
-
-3. **Publish:**
-   ```bash
-   npm publish
-   ```
-   
-   If you have a scoped package (e.g. `@yourname/ship18ion`), use:
-   ```bash
-   npm publish --access public
-   ```
-
-## 3. Usage for Users
-Once published, anyone can use it without installation:
-```bash
-npx ship18ion@latest
-```

package/walkthrough.md

@@ -1,51 +0,0 @@
-ship18ion - Production Readiness Inspector
-I have successfully built ship18ion, a CLI tool to check for production readiness.
-
-Features Implemented
-1. Environment Variable Safety
-Unused Variable Detection: Scans 
-
-.env
- files and code to find variables defined but never used.
-Missing Variable Detection: Identifies process.env.VAR usages that lack a corresponding definition in 
-
-.env
- (or config).
-Format Support: Supports 
-
-.env
-, .env.production files.
-Robust AST Parsing: Correctly detects process.env.VAR, import.meta.env.VAR (Vite), and process.env["VAR"].
-2. Secrets Detection
-Pattern Matching: Detects AWS Keys, Google API Keys, Stripe Keys, and generic private keys.
-Entropy Heuristics: Detects potential high-entropy strings assigned to "secret" or "key" variables.
-3. Framework & Security Checks
-Next.js Safety: Scans for NEXT_PUBLIC_ variables that appear to contain secrets (e.g. NEXT_PUBLIC_SECRET_KEY).
-Git Safety: Warns if deploying from a dirty working directory or a non-production branch.
-Debug Mode: Alerts on debug: true.
-CORS Wildcards: Fails if origin: '*' is detected.
-Database Credentials: Detects hardcoded connection strings.
-4. Dependency & Build Safety
-Dev Dependencies: Warns if eslint or other dev tools are in dependencies.
-Build Artifacts: Alerts if source maps (.map) or 
-
-.env
- files are found in build directories.
-Usage
-# In your project root
-npx ship18ion check
-# CI Mode (minimal output)
-npx ship18ion check --ci
-How to Ship & Share
-See 
-
-SHIPPING.md
- for detailed instructions on:
-
-Local Testing: Using npm link to test on your other projects instantly.
-Publishing: Pushing to NPM so anyone can use npx ship18ion.
-Architecture
-CLI: Built with commander.
-Engine: TypeScript-based rule engine.
-Parsing: Babel-based AST parsing.
-Config: ship18ion.config.json support.