ship18ion 1.1.3 → 1.2.0

package/CONTRIBUTING.md

@@ -0,0 +1,60 @@
+# Contributing to ship18ion
+
+First off, thanks for taking the time to contribute! ❤️
+
+All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions.
+
+## Table of Contents
+
+- [I Have a Question](#i-have-a-question)
+- [I Want To Contribute](#i-want-to-contribute)
+  - [Reporting Bugs](#reporting-bugs)
+  - [Suggesting Enhancements](#suggesting-enhancements)
+  - [Your First Code Contribution](#your-first-code-contribution)
+
+## I Have a Question
+
+> If you want to ask a question, we assume that you have read the available [Documentation](README.md).
+
+Before you ask a question, it is best to search for existing [Issues](/issues) that might help you. In case you have found a suitable issue and still need clarification, you can write your question in this issue. It is also advisable to search the internet for answers first.
+
+## I Want To Contribute
+
+### Reporting Bugs
+
+- Make sure that you are using the latest version.
+- Read the documentation carefully and find out if the functionality is already covered, maybe by an individual configuration.
+- Perform a search to see if the problem has already been reported. If it has, add a comment to the existing issue instead of opening a new one.
+
+### Suggesting Enhancements
+
+- Open a new issue and use the **Feature Request** template.
+- Explain why this enhancement would be useful to most users.
+
+## Styleguides
+
+### Commit Messages
+
+- Use [Conventional Commits](https://www.conventionalcommits.org/).
+
+### Code Style
+
+- Keep code clean and use the existing ESLint/Prettier configs (if available).
+- Add tests for new features.
+
+## Development Workflow
+
+To test your changes locally on another project without publishing:
+
+1.  **Build and Link**:
+    ```bash
+    npm run build
+    npm link
+    ```
+2.  **Use in Target Project**:
+    ```bash
+    npm link ship18ion
+    npx ship18ion
+    ```
+
+Thank you!

package/README.md

@@ -31,6 +31,17 @@ Think of it as `eslint` but for **deployability**.
   - Ensures `.env` files are not bundled into build output directories.
   - Checks for dev dependencies (like `eslint`) accidentally listed in `dependencies`.
 
+- **🧹 Code Hygiene (New)**:
+  - Warns on leftover `console.log()` calls.
+  - Flags `FIXME` comments that need resolution.
+
+- **📦 Dependencies (New)**:
+  - Checks for duplicate packages (listed in both `dependencies` and `devDependencies`).
+
+- **🐙 Git Safety (New)**:
+  - Ensures critical files (`node_modules`, `.env`) and framework artifacts (`.next`) are git-ignored.
+  - **Security**: alerts if dangerous keys (e.g. `serviceAccountKey.json`) exist but are *not* ignored.
+
 - **👷 CI/CD Ready**: 
   - Zero config by default.
   - Returns exit code `1` on failure to block bad builds.
@@ -95,6 +106,11 @@ npx ship18ion check --ci
 | **Next.js** | `nextjs-public-secret` | High-entropy string found in `NEXT_PUBLIC_` variable. |
 | **Security** | `security-cors` | Detects wildcard `Access-Control-Allow-Origin`. |
 | **Git** | `git-dirty` | Warns if deploying with uncommitted changes. |
+| **Git** | `git-ignore-missing` | Warns if `.gitignore` is missing critical entries (`node_modules`, `.env`). |
+| **Git** | `git-ignore-auth` | **Critical**: Fails if `serviceAccountKey.json` etc are not ignored. |
+| **Hygiene** | `hygiene-console-log` | Warns on `console.log` in production code. |
+| **Hygiene** | `hygiene-fixme` | Warns on leftover `FIXME` comments. |
+| **Package** | `package-duplicate` | Warns if a package is in both dependency lists. |
 
 ## 🤝 Contributing
 

package/dist/engine/runner.js

@@ -6,6 +6,8 @@ const env_1 = require("../rules/env");
 const secrets_1 = require("../rules/secrets");
 const security_1 = require("../rules/security");
 const build_1 = require("../rules/build");
+const hygiene_1 = require("../rules/hygiene");
+const packages_1 = require("../rules/packages");
 const nextjs_1 = require("../rules/frameworks/nextjs");
 const git_1 = require("../rules/git");
 const detector_1 = require("./detector");
@@ -33,6 +35,13 @@ async function runChecks(config, cwd, onProgress) {
     if (onProgress)
         onProgress('Inspecting build artifacts...');
     results.push(...await (0, build_1.checkBuild)(ctx));
+    // New Rules
+    if (onProgress)
+        onProgress('Checking code hygiene...');
+    results.push(...await (0, hygiene_1.checkHygiene)(ctx));
+    if (onProgress)
+        onProgress('Validating packages...');
+    results.push(...await (0, packages_1.checkPackages)(ctx));
     // Framework specific checks
     if (framework === 'nextjs') {
         if (onProgress)

package/dist/reporters/console.js

@@ -12,6 +12,9 @@ const CATEGORIES = {
     'security': { icon: '⚠️', label: 'Security' },
     'dep': { icon: '📦', label: 'Dependency & Build' },
     'build': { icon: '📦', label: 'Dependency & Build' },
+    'git': { icon: '🐙', label: 'Git & Repo' },
+    'hygiene': { icon: '🧹', label: 'Code Hygiene' },
+    'package': { icon: '📦', label: 'Packages' },
 };
 function getCategory(ruleId) {
     const prefix = ruleId.split('-')[0];

package/dist/rules/hygiene.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkHygiene = checkHygiene;
+const fs_1 = __importDefault(require("fs"));
+async function checkHygiene(ctx) {
+    const results = [];
+    const codeFiles = ctx.files.filter(f => f.match(/\.(js|ts|jsx|tsx)$/) &&
+        !f.includes('.test.') &&
+        !f.includes('.spec.'));
+    for (const file of codeFiles) {
+        const content = fs_1.default.readFileSync(file, 'utf-8');
+        const lines = content.split('\n');
+        lines.forEach((line, index) => {
+            const lineNum = index + 1;
+            // 1. Console Log Check
+            // Allow console.error and console.warn, but warn on console.log
+            if (line.includes('console.log(')) {
+                // Ignore if commented out
+                if (!line.trim().startsWith('//') && !line.trim().startsWith('*')) {
+                    results.push({
+                        status: 'warn',
+                        message: 'Leftover console.log() call detected.',
+                        ruleId: 'hygiene-console-log',
+                        file,
+                        line: lineNum
+                    });
+                }
+            }
+            // 2. TODO / FIXME Check
+            if (line.match(/\/\/\s*(TODO|FIXME):/i)) {
+                if (line.match(/FIXME/i)) {
+                    results.push({
+                        status: 'warn',
+                        message: 'FIXME comment found. Resolve before shipping.',
+                        ruleId: 'hygiene-fixme',
+                        file,
+                        line: lineNum
+                    });
+                }
+            }
+        });
+    }
+    return results;
+}

package/dist/rules/packages.js

@@ -0,0 +1,32 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkPackages = checkPackages;
+const fs_1 = __importDefault(require("fs"));
+async function checkPackages(ctx) {
+    const results = [];
+    const packageJsons = ctx.files.filter(f => f.endsWith('package.json') && !f.includes('node_modules'));
+    for (const pkgFile of packageJsons) {
+        try {
+            const content = JSON.parse(fs_1.default.readFileSync(pkgFile, 'utf-8'));
+            const deps = Object.keys(content.dependencies || {});
+            const devDeps = Object.keys(content.devDependencies || {});
+            // Find intersection
+            const duplicates = deps.filter(d => devDeps.includes(d));
+            for (const dup of duplicates) {
+                results.push({
+                    status: 'warn',
+                    message: `Package '${dup}' is listed in both 'dependencies' and 'devDependencies'.`,
+                    ruleId: 'package-duplicate',
+                    file: pkgFile
+                });
+            }
+        }
+        catch (e) {
+            // ignore malformed json
+        }
+    }
+    return results;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship18ion",
-  "version": "1.1.3",
+  "version": "1.2.0",
   "description": "",
   "main": "dist/cli/index.js",
   "bin": {

package/src/engine/runner.ts

@@ -5,6 +5,8 @@ import { checkEnvVars } from '../rules/env';
 import { checkSecrets } from '../rules/secrets';
 import { checkSecurity } from '../rules/security';
 import { checkDependencies, checkBuild } from '../rules/build';
+import { checkHygiene } from '../rules/hygiene';
+import { checkPackages } from '../rules/packages';
 import { checkNextJs } from '../rules/frameworks/nextjs';
 import { checkGit } from '../rules/git';
 
@@ -40,6 +42,13 @@ export async function runChecks(
     if (onProgress) onProgress('Inspecting build artifacts...');
     results.push(...await checkBuild(ctx));
 
+    // New Rules
+    if (onProgress) onProgress('Checking code hygiene...');
+    results.push(...await checkHygiene(ctx));
+
+    if (onProgress) onProgress('Validating packages...');
+    results.push(...await checkPackages(ctx));
+
     // Framework specific checks
     if (framework === 'nextjs') {
         if (onProgress) onProgress('Running Next.js specific checks...');

package/src/reporters/console.ts

@@ -8,6 +8,9 @@ const CATEGORIES: Record<string, { icon: string; label: string }> = {
     'security': { icon: '⚠️', label: 'Security' },
     'dep': { icon: '📦', label: 'Dependency & Build' },
     'build': { icon: '📦', label: 'Dependency & Build' },
+    'git': { icon: '🐙', label: 'Git & Repo' },
+    'hygiene': { icon: '🧹', label: 'Code Hygiene' },
+    'package': { icon: '📦', label: 'Packages' },
 };
 
 function getCategory(ruleId: string) {

package/src/rules/hygiene.ts

@@ -0,0 +1,52 @@
+import fs from 'fs';
+import { RuleContext, RuleResult } from '../engine/types';
+
+export async function checkHygiene(ctx: RuleContext): Promise<RuleResult[]> {
+    const results: RuleResult[] = [];
+
+    const codeFiles = ctx.files.filter(f =>
+        f.match(/\.(js|ts|jsx|tsx)$/) &&
+        !f.includes('.test.') &&
+        !f.includes('.spec.')
+    );
+
+    for (const file of codeFiles) {
+        const content = fs.readFileSync(file, 'utf-8');
+        const lines = content.split('\n');
+
+        lines.forEach((line, index) => {
+            const lineNum = index + 1;
+
+            // 1. Console Log Check
+            // Allow console.error and console.warn, but warn on console.log
+            if (line.includes('console.log(')) {
+                // Ignore if commented out
+                if (!line.trim().startsWith('//') && !line.trim().startsWith('*')) {
+                    results.push({
+                        status: 'warn',
+                        message: 'Leftover console.log() call detected.',
+                        ruleId: 'hygiene-console-log',
+                        file,
+                        line: lineNum
+                    });
+                }
+            }
+
+            // 2. TODO / FIXME Check
+            if (line.match(/\/\/\s*(TODO|FIXME):/i)) {
+
+                if (line.match(/FIXME/i)) {
+                    results.push({
+                        status: 'warn',
+                        message: 'FIXME comment found. Resolve before shipping.',
+                        ruleId: 'hygiene-fixme',
+                        file,
+                        line: lineNum
+                    });
+                }
+            }
+        });
+    }
+
+    return results;
+}

package/src/rules/packages.ts

@@ -0,0 +1,33 @@
+import fs from 'fs';
+import { RuleContext, RuleResult } from '../engine/types';
+
+export async function checkPackages(ctx: RuleContext): Promise<RuleResult[]> {
+    const results: RuleResult[] = [];
+
+    const packageJsons = ctx.files.filter(f => f.endsWith('package.json') && !f.includes('node_modules'));
+
+    for (const pkgFile of packageJsons) {
+        try {
+            const content = JSON.parse(fs.readFileSync(pkgFile, 'utf-8'));
+            const deps = Object.keys(content.dependencies || {});
+            const devDeps = Object.keys(content.devDependencies || {});
+
+            // Find intersection
+            const duplicates = deps.filter(d => devDeps.includes(d));
+
+            for (const dup of duplicates) {
+                results.push({
+                    status: 'warn',
+                    message: `Package '${dup}' is listed in both 'dependencies' and 'devDependencies'.`,
+                    ruleId: 'package-duplicate',
+                    file: pkgFile
+                });
+            }
+
+        } catch (e) {
+            // ignore malformed json
+        }
+    }
+
+    return results;
+}

package/SHIPPING.md

@@ -1,57 +0,0 @@
-# Shipping ship18ion
-
-## 1. Local Testing (Link)
-To test `ship18ion` on your other local projects without publishing, use `npm link`.
-
-1. **In this directory (ship18ion):**
-   ```bash
-   npm run build
-   npm link
-   ```
-   This creates a global symlink to your local version.
-
-2. **In your target project directory:**
-   ```bash
-   npm link ship18ion
-   ```
-   Now you can run:
-   ```bash
-   npx ship18ion check
-   ```
-
-3. **To unlink:**
-   ```bash
-   # In target project
-   npm unlink -g ship18ion
-   
-   # In ship18ion directory
-   npm unlink -g
-   ```
-
-## 2. Publishing to NPM
-To share this tool with the world.
-
-1. **Login to NPM:**
-   ```bash
-   npm login
-   ```
-
-2. **Prepare:**
-   - Ensure `package.json` has the correct version.
-   - Run tests: `npm test` (or verifying script).
-
-3. **Publish:**
-   ```bash
-   npm publish
-   ```
-   
-   If you have a scoped package (e.g. `@yourname/ship18ion`), use:
-   ```bash
-   npm publish --access public
-   ```
-
-## 3. Usage for Users
-Once published, anyone can use it without installation:
-```bash
-npx ship18ion@latest
-```

package/walkthrough.md

@@ -1,51 +0,0 @@
-ship18ion - Production Readiness Inspector
-I have successfully built ship18ion, a CLI tool to check for production readiness.
-
-Features Implemented
-1. Environment Variable Safety
-Unused Variable Detection: Scans 
-
-.env
- files and code to find variables defined but never used.
-Missing Variable Detection: Identifies process.env.VAR usages that lack a corresponding definition in 
-
-.env
- (or config).
-Format Support: Supports 
-
-.env
-, .env.production files.
-Robust AST Parsing: Correctly detects process.env.VAR, import.meta.env.VAR (Vite), and process.env["VAR"].
-2. Secrets Detection
-Pattern Matching: Detects AWS Keys, Google API Keys, Stripe Keys, and generic private keys.
-Entropy Heuristics: Detects potential high-entropy strings assigned to "secret" or "key" variables.
-3. Framework & Security Checks
-Next.js Safety: Scans for NEXT_PUBLIC_ variables that appear to contain secrets (e.g. NEXT_PUBLIC_SECRET_KEY).
-Git Safety: Warns if deploying from a dirty working directory or a non-production branch.
-Debug Mode: Alerts on debug: true.
-CORS Wildcards: Fails if origin: '*' is detected.
-Database Credentials: Detects hardcoded connection strings.
-4. Dependency & Build Safety
-Dev Dependencies: Warns if eslint or other dev tools are in dependencies.
-Build Artifacts: Alerts if source maps (.map) or 
-
-.env
- files are found in build directories.
-Usage
-# In your project root
-npx ship18ion check
-# CI Mode (minimal output)
-npx ship18ion check --ci
-How to Ship & Share
-See 
-
-SHIPPING.md
- for detailed instructions on:
-
-Local Testing: Using npm link to test on your other projects instantly.
-Publishing: Pushing to NPM so anyone can use npx ship18ion.
-Architecture
-CLI: Built with commander.
-Engine: TypeScript-based rule engine.
-Parsing: Babel-based AST parsing.
-Config: ship18ion.config.json support.