sonar.projectKey=diegosouzapw_OmniRoute sonar.organization=diegosouzapw sonar.sourceEncoding=UTF-8 sonar.sources=src,open-sse,scripts,bin,next.config.mjs,Dockerfile sonar.tests=tests sonar.test.inclusions=tests/**/*.test.ts,tests/**/*.spec.ts sonar.exclusions=tests/**,src/i18n/messages/**,docs/**,coverage/**,.next/**,dist/**,build/**,node_modules/** sonar.javascript.lcov.reportPaths=coverage/lcov.info # ── "Clean as You Code" — new-code quality gate ─────────────────────────── # New code must not introduce any bug, vulnerability, hotspot or code smell. # Legacy code is grandfathered (sonar.newCode.referenceBranch baseline). # # OPERATIONAL PRE-REQUISITES (owner action required before the gate is live): # 1. Set repository secret SONAR_TOKEN (user/project token from SonarQube UI). # 2. Set repository secret SONAR_HOST_URL (e.g. https://sonar.example.com for # a self-hosted Community Build instance, or https://sonarcloud.io for the # cloud plan). # 3. Ensure the `sonarqube` job in `.github/workflows/ci.yml` passes both # secrets to the SonarScanner step as environment variables; without them # the step is a no-op (secrets-gated). # 4. Configure the "Clean as You Code" Quality Gate in the SonarQube project # settings (Conditions → New Code: Bugs=0, Vulnerabilities=0, # Security Hotspots Reviewed=100%, Code Smells=0 or bounded). # # sonar.qualitygate.wait=true causes the scanner to poll until the gate # result is available and fail the CI step when the gate is RED. # Without it the step always exits 0 even when the gate fails. sonar.qualitygate.wait=true # New-code baseline: compare against the tip of the release branch so that # every PR against release/* is judged as "new code vs release baseline". # Override with sonar.newCode.referenceBranch on a per-branch basis if needed. sonar.newCode.referenceBranch=main # ── Hotspot suppressions ─────────────────────────────────────────────────── # The following rules surface "review this" hotspots that are bounded / # non-security contexts in this codebase: # S5852 – Regex with super-linear backtracking. All matched call sites # use bounded character classes (e.g. `[^\]]+`) — no catastrophic # backtracking is possible. # S2245 – pseudo-random `Math.random()`. The few remaining call sites are # for non-security purposes (request IDs / jitter), never for # tokens, secrets, or session material. # S4036 – PATH lookups via `command -v` / `which`. The CLI helper resolves # tooling on the user's own machine; running with their PATH is # intentional and matches the behaviour of every other CLI on the # system. # S1523 – Dynamic code execution. SCOPED to src/lib/plugins/pluginWorker.ts # only: running plugin source IS the worker's purpose, and it does so # inside a hardened Node `vm` sandbox (vm.createContext, a require # allow-list of just `crypto`, and a 10s execution timeout). Not # `eval`/`new Function` (Hard Rule #3). S1523 stays active everywhere # else so a genuine dynamic-exec elsewhere is still flagged. sonar.issue.ignore.multicriteria=h1,h2,h3,h4,h5,h6 sonar.issue.ignore.multicriteria.h1.ruleKey=javascript:S5852 sonar.issue.ignore.multicriteria.h1.resourceKey=**/* sonar.issue.ignore.multicriteria.h2.ruleKey=typescript:S5852 sonar.issue.ignore.multicriteria.h2.resourceKey=**/* sonar.issue.ignore.multicriteria.h3.ruleKey=typescript:S2245 sonar.issue.ignore.multicriteria.h3.resourceKey=**/* sonar.issue.ignore.multicriteria.h4.ruleKey=javascript:S4036 sonar.issue.ignore.multicriteria.h4.resourceKey=**/* sonar.issue.ignore.multicriteria.h5.ruleKey=typescript:S4036 sonar.issue.ignore.multicriteria.h5.resourceKey=**/* sonar.issue.ignore.multicriteria.h6.ruleKey=typescript:S1523 sonar.issue.ignore.multicriteria.h6.resourceKey=**/pluginWorker.ts