ship18ion 1.1.3 → 1.2.1

package/CONTRIBUTING.md

@@ -0,0 +1,60 @@
+# Contributing to ship18ion
+
+First off, thanks for taking the time to contribute! ❤️
+
+All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions.
+
+## Table of Contents
+
+- [I Have a Question](#i-have-a-question)
+- [I Want To Contribute](#i-want-to-contribute)
+  - [Reporting Bugs](#reporting-bugs)
+  - [Suggesting Enhancements](#suggesting-enhancements)
+  - [Your First Code Contribution](#your-first-code-contribution)
+
+## I Have a Question
+
+> If you want to ask a question, we assume that you have read the available [Documentation](README.md).
+
+Before you ask a question, it is best to search for existing [Issues](/issues) that might help you. In case you have found a suitable issue and still need clarification, you can write your question in this issue. It is also advisable to search the internet for answers first.
+
+## I Want To Contribute
+
+### Reporting Bugs
+
+- Make sure that you are using the latest version.
+- Read the documentation carefully and find out if the functionality is already covered, maybe by an individual configuration.
+- Perform a search to see if the problem has already been reported. If it has, add a comment to the existing issue instead of opening a new one.
+
+### Suggesting Enhancements
+
+- Open a new issue and use the **Feature Request** template.
+- Explain why this enhancement would be useful to most users.
+
+## Styleguides
+
+### Commit Messages
+
+- Use [Conventional Commits](https://www.conventionalcommits.org/).
+
+### Code Style
+
+- Keep code clean and use the existing ESLint/Prettier configs (if available).
+- Add tests for new features.
+
+## Development Workflow
+
+To test your changes locally on another project without publishing:
+
+1.  **Build and Link**:
+    ```bash
+    npm run build
+    npm link
+    ```
+2.  **Use in Target Project**:
+    ```bash
+    npm link ship18ion
+    npx ship18ion
+    ```
+
+Thank you!

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 champ18ion
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -31,6 +31,17 @@ Think of it as `eslint` but for **deployability**.
   - Ensures `.env` files are not bundled into build output directories.
   - Checks for dev dependencies (like `eslint`) accidentally listed in `dependencies`.
 
+- **🧹 Code Hygiene (New)**:
+  - Warns on leftover `console.log()` calls.
+  - Flags `FIXME` comments that need resolution.
+
+- **📦 Dependencies (New)**:
+  - Checks for duplicate packages (listed in both `dependencies` and `devDependencies`).
+
+- **🐙 Git Safety (New)**:
+  - Ensures critical files (`node_modules`, `.env`) and framework artifacts (`.next`) are git-ignored.
+  - **Security**: alerts if dangerous keys (e.g. `serviceAccountKey.json`) exist but are *not* ignored.
+
 - **👷 CI/CD Ready**: 
   - Zero config by default.
   - Returns exit code `1` on failure to block bad builds.
@@ -95,6 +106,11 @@ npx ship18ion check --ci
 | **Next.js** | `nextjs-public-secret` | High-entropy string found in `NEXT_PUBLIC_` variable. |
 | **Security** | `security-cors` | Detects wildcard `Access-Control-Allow-Origin`. |
 | **Git** | `git-dirty` | Warns if deploying with uncommitted changes. |
+| **Git** | `git-ignore-missing` | Warns if `.gitignore` is missing critical entries (`node_modules`, `.env`). |
+| **Git** | `git-ignore-auth` | **Critical**: Fails if `serviceAccountKey.json` etc are not ignored. |
+| **Hygiene** | `hygiene-console-log` | Warns on `console.log` in production code. |
+| **Hygiene** | `hygiene-fixme` | Warns on leftover `FIXME` comments. |
+| **Package** | `package-duplicate` | Warns if a package is in both dependency lists. |
 
 ## 🤝 Contributing
 

package/dist/cli/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/engine/ast.d.ts

@@ -0,0 +1,6 @@
+export interface EnvUsage {
+    name: string;
+    line: number;
+    file: string;
+}
+export declare function findEnvUsages(filePath: string): EnvUsage[];

package/dist/engine/config.d.ts

@@ -0,0 +1,12 @@
+export interface Ship18ionConfig {
+    env?: {
+        required?: string[];
+        disallowed?: string[];
+    };
+    security?: {
+        noCorsWildcard?: boolean;
+        requireRateLimit?: boolean;
+    };
+    ignore?: string[];
+}
+export declare function loadConfig(cwd?: string): Promise<Ship18ionConfig>;

package/dist/engine/detector.d.ts

@@ -0,0 +1,2 @@
+export type FrameworkType = 'nextjs' | 'remix' | 'vite' | 'nestjs' | 'express' | 'fastify' | 'Node.js / Generic' | 'unknown';
+export declare function detectFramework(cwd: string): Promise<FrameworkType>;

package/dist/engine/runner.d.ts

@@ -0,0 +1,3 @@
+import { Ship18ionConfig } from './config';
+import { RuleResult } from './types';
+export declare function runChecks(config: Ship18ionConfig, cwd: string, onProgress?: (stage: string) => void): Promise<RuleResult[]>;

package/dist/engine/runner.js

@@ -6,6 +6,8 @@ const env_1 = require("../rules/env");
 const secrets_1 = require("../rules/secrets");
 const security_1 = require("../rules/security");
 const build_1 = require("../rules/build");
+const hygiene_1 = require("../rules/hygiene");
+const packages_1 = require("../rules/packages");
 const nextjs_1 = require("../rules/frameworks/nextjs");
 const git_1 = require("../rules/git");
 const detector_1 = require("./detector");
@@ -33,6 +35,13 @@ async function runChecks(config, cwd, onProgress) {
     if (onProgress)
         onProgress('Inspecting build artifacts...');
     results.push(...await (0, build_1.checkBuild)(ctx));
+    // New Rules
+    if (onProgress)
+        onProgress('Checking code hygiene...');
+    results.push(...await (0, hygiene_1.checkHygiene)(ctx));
+    if (onProgress)
+        onProgress('Validating packages...');
+    results.push(...await (0, packages_1.checkPackages)(ctx));
     // Framework specific checks
     if (framework === 'nextjs') {
         if (onProgress)

package/dist/engine/scanner.d.ts

@@ -0,0 +1 @@
+export declare function scanFiles(cwd: string, ignore?: string[]): Promise<string[]>;

package/dist/engine/secrets.d.ts

@@ -0,0 +1,6 @@
+export declare const SECRET_PATTERNS: {
+    name: string;
+    regex: RegExp;
+}[];
+export declare function calculateEntropy(str: string): number;
+export declare function isHighEntropy(str: string, threshold?: number): boolean;

package/{src/engine/types.ts → dist/engine/types.d.ts}

@@ -1,17 +1,15 @@
-import { Ship18ionConfig } from './config';
-import { FrameworkType } from './detector';
-
-export interface RuleResult {
-    status: 'pass' | 'fail' | 'warn';
-    message: string;
-    file?: string;
-    line?: number;
-    ruleId: string;
-}
-
-export interface RuleContext {
-    config: Ship18ionConfig;
-    files: string[];
-    cwd: string;
-    framework: FrameworkType;
-}
+import { Ship18ionConfig } from './config';
+import { FrameworkType } from './detector';
+export interface RuleResult {
+    status: 'pass' | 'fail' | 'warn';
+    message: string;
+    file?: string;
+    line?: number;
+    ruleId: string;
+}
+export interface RuleContext {
+    config: Ship18ionConfig;
+    files: string[];
+    cwd: string;
+    framework: FrameworkType;
+}

package/dist/reporters/console.d.ts

@@ -0,0 +1,2 @@
+import { RuleResult } from '../engine/types';
+export declare function reportConsole(results: RuleResult[], cwd: string, framework?: string): void;

package/dist/reporters/console.js

@@ -12,6 +12,9 @@ const CATEGORIES = {
     'security': { icon: '⚠️', label: 'Security' },
     'dep': { icon: '📦', label: 'Dependency & Build' },
     'build': { icon: '📦', label: 'Dependency & Build' },
+    'git': { icon: '🐙', label: 'Git & Repo' },
+    'hygiene': { icon: '🧹', label: 'Code Hygiene' },
+    'package': { icon: '📦', label: 'Packages' },
 };
 function getCategory(ruleId) {
     const prefix = ruleId.split('-')[0];

package/dist/rules/build.d.ts

@@ -0,0 +1,3 @@
+import { RuleContext, RuleResult } from '../engine/types';
+export declare function checkDependencies(ctx: RuleContext): Promise<RuleResult[]>;
+export declare function checkBuild(ctx: RuleContext): Promise<RuleResult[]>;

package/dist/rules/env.d.ts

@@ -0,0 +1,2 @@
+import { RuleContext, RuleResult } from '../engine/types';
+export declare function checkEnvVars(ctx: RuleContext): Promise<RuleResult[]>;

package/dist/rules/frameworks/nextjs.d.ts

@@ -0,0 +1,2 @@
+import { RuleContext, RuleResult } from '../../engine/types';
+export declare function checkNextJs(ctx: RuleContext): Promise<RuleResult[]>;

package/dist/rules/git.d.ts

@@ -0,0 +1,2 @@
+import { RuleContext, RuleResult } from '../engine/types';
+export declare function checkGit(ctx: RuleContext): Promise<RuleResult[]>;

package/dist/rules/hygiene.d.ts

@@ -0,0 +1,2 @@
+import { RuleContext, RuleResult } from '../engine/types';
+export declare function checkHygiene(ctx: RuleContext): Promise<RuleResult[]>;

package/dist/rules/hygiene.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkHygiene = checkHygiene;
+const fs_1 = __importDefault(require("fs"));
+async function checkHygiene(ctx) {
+    const results = [];
+    const codeFiles = ctx.files.filter(f => f.match(/\.(js|ts|jsx|tsx)$/) &&
+        !f.includes('.test.') &&
+        !f.includes('.spec.'));
+    for (const file of codeFiles) {
+        const content = fs_1.default.readFileSync(file, 'utf-8');
+        const lines = content.split('\n');
+        lines.forEach((line, index) => {
+            const lineNum = index + 1;
+            // 1. Console Log Check
+            // Allow console.error and console.warn, but warn on console.log
+            if (line.includes('console.log(')) {
+                // Ignore if commented out
+                if (!line.trim().startsWith('//') && !line.trim().startsWith('*')) {
+                    results.push({
+                        status: 'warn',
+                        message: 'Leftover console.log() call detected.',
+                        ruleId: 'hygiene-console-log',
+                        file,
+                        line: lineNum
+                    });
+                }
+            }
+            // 2. TODO / FIXME Check
+            if (line.match(/\/\/\s*(TODO|FIXME):/i)) {
+                if (line.match(/FIXME/i)) {
+                    results.push({
+                        status: 'warn',
+                        message: 'FIXME comment found. Resolve before shipping.',
+                        ruleId: 'hygiene-fixme',
+                        file,
+                        line: lineNum
+                    });
+                }
+            }
+        });
+    }
+    return results;
+}

package/dist/rules/packages.d.ts

@@ -0,0 +1,2 @@
+import { RuleContext, RuleResult } from '../engine/types';
+export declare function checkPackages(ctx: RuleContext): Promise<RuleResult[]>;

package/dist/rules/packages.js

@@ -0,0 +1,32 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkPackages = checkPackages;
+const fs_1 = __importDefault(require("fs"));
+async function checkPackages(ctx) {
+    const results = [];
+    const packageJsons = ctx.files.filter(f => f.endsWith('package.json') && !f.includes('node_modules'));
+    for (const pkgFile of packageJsons) {
+        try {
+            const content = JSON.parse(fs_1.default.readFileSync(pkgFile, 'utf-8'));
+            const deps = Object.keys(content.dependencies || {});
+            const devDeps = Object.keys(content.devDependencies || {});
+            // Find intersection
+            const duplicates = deps.filter(d => devDeps.includes(d));
+            for (const dup of duplicates) {
+                results.push({
+                    status: 'warn',
+                    message: `Package '${dup}' is listed in both 'dependencies' and 'devDependencies'.`,
+                    ruleId: 'package-duplicate',
+                    file: pkgFile
+                });
+            }
+        }
+        catch (e) {
+            // ignore malformed json
+        }
+    }
+    return results;
+}

package/dist/rules/secrets.d.ts

@@ -0,0 +1,2 @@
+import { RuleContext, RuleResult } from '../engine/types';
+export declare function checkSecrets(ctx: RuleContext): Promise<RuleResult[]>;

package/dist/rules/security.d.ts

@@ -0,0 +1,2 @@
+import { RuleContext, RuleResult } from '../engine/types';
+export declare function checkSecurity(ctx: RuleContext): Promise<RuleResult[]>;

package/package.json

@@ -1,11 +1,17 @@
 {
   "name": "ship18ion",
-  "version": "1.1.3",
+  "version": "1.2.1",
   "description": "",
   "main": "dist/cli/index.js",
   "bin": {
     "ship18ion": "./dist/cli/index.js"
   },
+  "files": [
+    "dist",
+    "README.md",
+    "CONTRIBUTING.md",
+    "LICENSE"
+  ],
   "scripts": {
     "build": "tsc",
     "prepublishOnly": "npm run build",
@@ -21,8 +27,8 @@
     "deployment",
     "linter"
   ],
-  "author": "TRIPLE HASH",
-  "license": "ISC",
+  "author": "champ18ion",
+  "license": "MIT",
   "dependencies": {
     "@babel/parser": "^7.28.5",
     "@babel/traverse": "^7.28.5",

package/SHIPPING.md

@@ -1,57 +0,0 @@
-# Shipping ship18ion
-
-## 1. Local Testing (Link)
-To test `ship18ion` on your other local projects without publishing, use `npm link`.
-
-1. **In this directory (ship18ion):**
-   ```bash
-   npm run build
-   npm link
-   ```
-   This creates a global symlink to your local version.
-
-2. **In your target project directory:**
-   ```bash
-   npm link ship18ion
-   ```
-   Now you can run:
-   ```bash
-   npx ship18ion check
-   ```
-
-3. **To unlink:**
-   ```bash
-   # In target project
-   npm unlink -g ship18ion
-   
-   # In ship18ion directory
-   npm unlink -g
-   ```
-
-## 2. Publishing to NPM
-To share this tool with the world.
-
-1. **Login to NPM:**
-   ```bash
-   npm login
-   ```
-
-2. **Prepare:**
-   - Ensure `package.json` has the correct version.
-   - Run tests: `npm test` (or verifying script).
-
-3. **Publish:**
-   ```bash
-   npm publish
-   ```
-   
-   If you have a scoped package (e.g. `@yourname/ship18ion`), use:
-   ```bash
-   npm publish --access public
-   ```
-
-## 3. Usage for Users
-Once published, anyone can use it without installation:
-```bash
-npx ship18ion@latest
-```

package/src/cli/index.ts

@@ -1,56 +0,0 @@
-#!/usr/bin/env node
-import { Command } from 'commander';
-import chalk from 'chalk';
-import { loadConfig } from '../engine/config';
-import { runChecks } from '../engine/runner';
-import { reportConsole } from '../reporters/console';
-
-const program = new Command();
-
-import figlet from 'figlet';
-import gradient from 'gradient-string';
-import ora from 'ora';
-import { detectFramework } from '../engine/detector';
-
-program
-    .command('check', { isDefault: true })
-    .description('Run production readiness checks')
-    .option('--ci', 'Run in CI mode (minimal output, exit codes)')
-    .action(async (options) => {
-        if (!options.ci) {
-            console.log(gradient.pastel.multiline(figlet.textSync('SHIP18ION')));
-            console.log(chalk.dim('Production Readiness Inspector\n'));
-        }
-
-        const cwd = process.cwd();
-        const config = await loadConfig(cwd);
-        const spinner = ora('Initializing...').start();
-
-        try {
-            let framework: string = 'unknown';
-            if (!options.ci) {
-                framework = await detectFramework(cwd);
-                spinner.text = `Detected Framework: ${chalk.cyan(framework.toUpperCase())}`;
-                await new Promise(r => setTimeout(r, 800)); // Brief pause to show framework
-            } else {
-                // Even in CI, simple detection is useful for reporting if needed, or we just skip
-                framework = await detectFramework(cwd);
-            }
-
-            const results = await runChecks(config, cwd, (stage) => {
-                if (!options.ci) spinner.text = stage;
-            });
-
-            spinner.succeed(chalk.green('Checks completed!'));
-            console.log('');
-
-            // Uses console reporter for both normal and CI for now (it handles exit codes)
-            reportConsole(results, cwd, framework);
-        } catch (e) {
-            spinner.fail(chalk.red('Error running checks'));
-            console.error(e);
-            process.exit(1);
-        }
-    });
-
-program.parse(process.argv);

package/src/engine/ast.ts

@@ -1,84 +0,0 @@
-import fs from 'fs';
-import * as parser from '@babel/parser';
-import traverse from '@babel/traverse';
-import * as t from '@babel/types';
-
-export interface EnvUsage {
-    name: string;
-    line: number;
-    file: string;
-}
-
-export function findEnvUsages(filePath: string): EnvUsage[] {
-    if (!fs.existsSync(filePath)) return [];
-
-    const code = fs.readFileSync(filePath, 'utf-8');
-    const usages: EnvUsage[] = [];
-
-    // Only parse JS/TS files
-    if (!/\.(js|ts|jsx|tsx)$/.test(filePath)) {
-        return [];
-    }
-
-    try {
-        const ast = parser.parse(code, {
-            sourceType: 'module',
-            plugins: ['typescript', 'jsx'],
-        });
-
-        traverse(ast, {
-            MemberExpression(path) {
-                // 1. Check for process.env.VAR
-                if (
-                    t.isMemberExpression(path.node.object) &&
-                    t.isIdentifier(path.node.object.object) &&
-                    path.node.object.object.name === 'process' &&
-                    t.isIdentifier(path.node.object.property) &&
-                    path.node.object.property.name === 'env'
-                ) {
-                    if (t.isIdentifier(path.node.property)) {
-                        usages.push({
-                            name: path.node.property.name,
-                            line: path.node.loc?.start.line || 0,
-                            file: filePath
-                        });
-                    } else if (t.isStringLiteral(path.node.property)) {
-                        usages.push({
-                            name: path.node.property.value,
-                            line: path.node.loc?.start.line || 0,
-                            file: filePath
-                        });
-                    }
-                }
-
-                // 2. Check for import.meta.env.VAR (Vite)
-                // AST structure: MemberExpression
-                //   object: MemberExpression
-                //     object: MetaProperty (import.meta)
-                //     property: Identifier (env)
-                //   property: Identifier (VAR)
-
-                if (
-                    t.isMemberExpression(path.node.object) &&
-                    t.isMetaProperty(path.node.object.object) &&
-                    path.node.object.object.meta.name === 'import' &&
-                    path.node.object.object.property.name === 'meta' &&
-                    t.isIdentifier(path.node.object.property) &&
-                    path.node.object.property.name === 'env'
-                ) {
-                    if (t.isIdentifier(path.node.property)) {
-                        usages.push({
-                            name: path.node.property.name,
-                            line: path.node.loc?.start.line || 0,
-                            file: filePath
-                        });
-                    }
-                }
-            }
-        });
-
-    } catch (e) {
-        // console.warn(`Failed to parse ${filePath}:`, e);
-    }
-    return usages;
-}

package/src/engine/config.ts

@@ -1,28 +0,0 @@
-import fs from 'fs';
-import path from 'path';
-
-export interface Ship18ionConfig {
-    env?: {
-        required?: string[];
-        disallowed?: string[];
-    };
-    security?: {
-        noCorsWildcard?: boolean;
-        requireRateLimit?: boolean;
-    };
-    ignore?: string[];
-}
-
-export async function loadConfig(cwd: string = process.cwd()): Promise<Ship18ionConfig> {
-    const configPath = path.join(cwd, 'ship18ion.config.json');
-    if (fs.existsSync(configPath)) {
-        const content = fs.readFileSync(configPath, 'utf-8');
-        try {
-            return JSON.parse(content);
-        } catch (e) {
-            console.error('Failed to parse config file:', e);
-            return {};
-        }
-    }
-    return {};
-}

package/src/engine/detector.ts

@@ -1,27 +0,0 @@
-import fs from 'fs';
-import path from 'path';
-
-export type FrameworkType = 'nextjs' | 'remix' | 'vite' | 'nestjs' | 'express' | 'fastify' | 'Node.js / Generic' | 'unknown';
-
-export async function detectFramework(cwd: string): Promise<FrameworkType> {
-    const pkgPath = path.join(cwd, 'package.json');
-    if (!fs.existsSync(pkgPath)) {
-        return 'unknown';
-    }
-
-    try {
-        const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
-        const deps = { ...pkg.dependencies, ...pkg.devDependencies };
-
-        if (deps['next']) return 'nextjs';
-        if (deps['@remix-run/react']) return 'remix';
-        if (deps['vite']) return 'vite';
-        if (deps['@nestjs/core']) return 'nestjs';
-        if (deps['express']) return 'express';
-        if (deps['fastify']) return 'fastify';
-
-        return 'Node.js / Generic';
-    } catch (e) {
-        return 'unknown';
-    }
-}