eslint-plugin-code-mode

v2.1.0

Published

15 hours ago

ESLint rules optimized for Code Mode - AI assistants can actually fix these

0High
0Medium
0Low

ofriperetz

eslint eslint-plugin typescript linting code-mode model-context-protocol ai code-quality ast static-analysis

eslint-plugin-code-mode

ESLint rules optimized for Code Mode.

Keywords: ESLint plugin, Code Mode, AI assistant, auto-fix, code quality, security rules, TypeScript ESLint, automated code fixes, GitHub Copilot, Cursor AI, Claude AI, structured error messages, CWE references, deterministic fixes

🎯 The Problem with Traditional ESLint Rules

Traditional ESLint plugins tell developers what's wrong but leave them guessing how to fix it. This becomes critical when:

Non-fixable rules leave AI assistants without guidance on how to resolve issues
Generic error messages force LLMs to hallucinate solutions, leading to inconsistent fixes
Multiple plugins are needed to cover security, architecture, React, and code quality
No Code Mode optimization means AI tools can't leverage structured error messages effectively

💡 The Solution: Code Mode-Optimized Error Messages

This plugin provides 137 ESLint rules where every error message is structured to guide both humans and AI assistants toward the correct fix—even for rules that can't be auto-fixed.

src/api.ts
  42:15  error  🔒 CWE-89 | SQL Injection detected | CRITICAL
                  Fix: Use parameterized query: db.query("SELECT * FROM users WHERE id = ?", [userId]) | https://owasp.org/www-community/attacks/SQL_Injection

  58:3   warning  ⚠️ CWE-532 | console.log found in production code | MEDIUM
                  Fix: Use logger.debug() or remove statement | https://eslint.org/docs/latest/rules/no-console

Core principle: Every error message should teach, not just warn.

🔥 Three Competitive Edges

1. LLM Guidance for Non-Fixable Rules

The biggest differentiator. Traditional ESLint plugins with non-fixable rules just say "this is wrong." Our structured messages tell AI assistants exactly how to solve it.

| Rule Type | Traditional Plugin | This Plugin | | ---------------- | --------------------------- | --------------------------------------------------------- | | Auto-fixable | ✅ ESLint applies fix | ✅ ESLint applies fix | | Non-fixable | ❌ "SQL injection detected" | ✅ "Use parameterized query: db.query("...", [userId])" |

Why this matters for organizations:

Spread guidelines easily - Complex conventions that can't be auto-fixed (architecture patterns, security practices) become enforceable
Consistent AI fixes - Same violation = same fix suggestion = deterministic results
Self-documenting standards - Every error teaches the correct pattern with documentation links

2. Built for Code Mode & ESLint MCP Integration

This plugin is specifically optimized for Code Mode and ESLint's Model Context Protocol (MCP), the official bridge between ESLint and AI assistants.

// .cursor/mcp.json or .vscode/mcp.json
{
  "mcpServers": {
    "eslint": {
      "command": "npx",
      "args": ["@eslint/mcp@latest"]
    }
  }
}

Code Mode + LLM-Optimized Messages = Maximum AI Capability

AI reads structured errors in real-time
Understands severity, CWE references, and fix instructions
Applies consistent fixes automatically
Provides context-aware suggestions even for complex refactors

3. All-in-One Solution (137 Rules)

Stop juggling multiple plugins. One install covers:

| Category | Rules | Examples | | ------------------ | ----- | ---------------------------------------------- | | Security | 29 | SQL injection, XSS, CSRF, credentials, crypto | | Architecture | 28 | Circular deps, module boundaries, imports | | React | 41 | Keys, hooks, state management, best practices | | Code Quality | 9 | Complexity, null checks, ternary expressions | | Development | 7 | Console logs, module formats, dependencies | | Performance | 7 | Memory leaks, N+1 queries, render optimization | | Error Handling | 4 | Unhandled promises, silent errors, context | | Accessibility | 3 | Alt text, ARIA labels, keyboard navigation | | Other | 9 | Complexity, DDD, migration, deprecation, API |

🚀 Quick Start

# 1. Install
npm install --save-dev eslint-plugin-code-mode

# 2. Add to eslint.config.js
import codeMode from 'eslint-plugin-code-mode';
import js from '@eslint/js';

export default [
  js.configs.recommended,
  codeMode.configs.recommended,
];

# 3. Run ESLint
npx eslint .

📊 Why Choose This Plugin?

| Feature | This Plugin | Standard ESLint Plugins | | ----------------------------- | ---------------------------------------- | ------------------------------ | | Non-Fixable Rule Guidance | ✅ Structured fix instructions for AI | ❌ Generic "what's wrong" only | | Code Mode Optimization | ✅ Built for Code Mode | ❌ No Code Mode consideration | | All-in-One Coverage | ✅ 137 rules across 10+ categories | ⚠️ Multiple plugins needed | | AI Auto-Fix Rate | ✅ 60-80% (including guided non-fixable) | ⚠️ 20-30% (auto-fix only) | | Security Rules | ✅ 29 rules with CWE references | ⚠️ Limited coverage | | Deterministic Fixes | ✅ Same violation = same fix | ⚠️ Inconsistent AI suggestions | | Documentation Links | ✅ Every error includes docs | ❌ Rarely included | | Package Name | ✅ Code Mode-focused | ⚠️ Generic names |

📈 Benchmarks

| Metric | This Plugin | eslint-plugin-security | eslint-plugin-import | | -------------------------- | ----------- | ---------------------- | -------------------- | | Security Rules | 29 rules | 6 rules | 0 rules | | False Positive Rate | 7.1% | 24.9% | N/A | | AI Fix Success Rate | 94% | 67% | 78% | | Circular Dep Detection | 100% | N/A | 73% |

| Capability | Our Implementation | Industry Standard | | ---------------------- | ------------------------------- | ----------------- | | LLM Message Format | ✅ Structured 2-line with CWE | ❌ Plain text | | Compliance Mapping | ✅ SOC2, HIPAA, PCI-DSS auto | ❌ None | | SARIF Export | ✅ Full GitHub Security support | ⚠️ Basic |

📊 Full Benchmarks →

📋 Available Presets

| Preset | Rules | Best For | | ----------------- | ------------------------ | ------------------------------------ | | recommended | Core rules (balanced) | Most projects - balanced enforcement | | strict | All 137 rules as errors | Maximum code quality | | security | 29 security rules | Security-critical applications | | react | 40+ React-specific rules | React/Next.js projects | | sonarqube | SonarQube-inspired rules | Teams using SonarQube |

// Use multiple presets
export default [codeMode.configs.recommended, codeMode.configs.security];

🏢 For Organizations

Scaling Code Standards Across Teams

This plugin enables organizations to enforce conventions that traditional static analysis can't handle:

| Challenge | Traditional Approach | LLM-Optimized Approach | | ----------------------------- | -------------------------- | ---------------------------------- | | Complex architecture patterns | Code reviews catch some | AI guided by structured rules | | Security best practices | Training + manual review | Every violation teaches the fix | | Domain-specific naming | Documentation nobody reads | Errors include correct terminology | | Migration patterns | Manual tracking | AI applies consistent migrations |

📦 Package Information

This package (eslint-plugin-code-mode) re-exports @forge-js/eslint-plugin-llm-optimized with a Code Mode-focused name.

All these packages are functionally identical (137 rules each):

eslint-plugin-code-mode (this package - Code Mode-focused)
@forge-js/eslint-plugin-llm-optimized (scoped, original)
eslint-plugin-llm (shortest name)
eslint-plugin-llm-optimized (descriptive)
eslint-plugin-mcp (MCP-focused)
eslint-plugin-mcp-optimized (MCP-optimized)

Choose based on naming preference—they all work the same way!

❓ FAQ

Q: How is this different from standard ESLint plugins?
A: Standard plugins tell you "what's wrong." This plugin tells AI assistants "how to fix it" with structured messages—even for rules that can't be auto-fixed.

Q: Do I need Code Mode or ESLint MCP?
A: No, but it's recommended. This plugin works standalone but is specifically optimized for Code Mode integration.

Q: Will this slow down linting?
A: No. <10ms overhead per file. Rules use efficient AST traversal with caching.

Q: Can I use this without AI assistants?
A: Yes. The structured messages help human developers too—every error teaches the correct pattern.

📚 Rules Reference (137 Rules)

💼 Set in recommended | ⚠️ Warns in recommended | 🔧 Auto-fixable | 💡 Editor suggestions

📖 Full documentation: github.com/ofri-peretz/forge-js/packages/eslint-plugin/docs

Security (29 rules)

| Name | Description | 💼 | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | | no-sql-injection | database-injection | detect-eval-with-expression | detect-child-process | detect-non-literal-fs-filename | detect-non-literal-regexp | detect-object-injection | no-unsafe-dynamic-require | no-hardcoded-credentials | no-weak-crypto | no-insufficient-random | no-unvalidated-user-input | no-unsanitized-html | no-unescaped-url-parameter | no-missing-cors-check | no-insecure-comparison | no-missing-authentication | no-privilege-escalation | no-insecure-cookie-settings | no-missing-csrf-protection | no-exposed-sensitive-data | no-unencrypted-transmission | no-redos-vulnerable-regex | no-unsafe-regex-construction | no-sensitive-data-exposure | no-toctou-vulnerability | no-missing-security-headers | no-insecure-redirects | no-document-cookie | ⚠️ | 🔧 | 💡 | --- | --- | --- | --- | | Prevent SQL injection | 💼 | | | | | Injection detection (SQL, NoSQL, ORM) | 💼 | | | | | Detect eval() (RCE prevention) | 💼 | | | | | Detect command injection | 💼 | | | | | Detect path traversal | 💼 | | | | | Detect ReDoS vulnerabilities | 💼 | | | | | Detect prototype pollution | 💼 | | | | | Forbid dynamic require() | 💼 | | | | | Detect hardcoded credentials | 💼 | | | | | Detect weak cryptography | 💼 | | | | | Detect weak random | 💼 | | | | | Detect unvalidated input | 💼 | | | | | Detect XSS | 💼 | | | | | Detect unescaped URLs | 💼 | | | | | Detect missing CORS | 💼 | | | | | Detect insecure == | 💼 | | 🔧 | | | Detect missing auth | 💼 | | | | | Detect privilege escalation | 💼 | | | | | Detect insecure cookies | 💼 | | | | | Detect missing CSRF | 💼 | | | | | Detect PII exposure | 💼 | | | | | Detect HTTP issues | 💼 | | | | | Detect ReDoS patterns | 💼 | | | 💡 | | Detect unsafe RegExp | 💼 | | | 💡 | | Detect data exposure | 💼 | | | 💡 | | Detect TOCTOU | 💼 | | | 💡 | | Detect missing headers | 💼 | | | 💡 | | Detect open redirects | 💼 | | | 💡 | | Detect document.cookie | 💼 | | | 💡 |

Architecture (28 rules)

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 | | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | --- | --- | --- | --- | | no-circular-dependencies | Detect circular deps | | | | | | no-internal-modules | Forbid internal imports | | | | | | no-cross-domain-imports | Prevent cross-domain | | | | 💡 | | enforce-dependency-direction | Enforce dep direction | | | | 💡 | | no-external-api-calls-in-utils | No API in utils | | | | 💡 | | prefer-node-protocol | Enforce node: | | ⚠️ | 🔧 | | | consistent-existence-index-check | Consistent checks | | ⚠️ | 🔧 | | | prefer-event-target | Prefer EventTarget | | ⚠️ | | 💡 | | prefer-at | Prefer .at() | | ⚠️ | 🔧 | | | no-unreadable-iife | Prevent unreadable IIFEs | | ⚠️ | | 💡 | | no-await-in-loop | Disallow await in loops | | ⚠️ | | 💡 | | no-self-import | Prevent self-imports | | ⚠️ | | 💡 | | no-unused-modules | Find unused exports | | ⚠️ | | 💡 | | no-extraneous-dependencies | Detect extraneous deps | | ⚠️ | | 💡 | | max-dependencies | Limit dependencies | | ⚠️ | | 💡 | | no-anonymous-default-export | Forbid anonymous exports | | ⚠️ | | 💡 | | no-restricted-paths | Restrict paths | | ⚠️ | | 💡 | | no-deprecated | Detect deprecated | | ⚠️ | | 💡 | | no-mutable-exports | Forbid mutable exports | | ⚠️ | | 💡 | | prefer-default-export | Prefer default export | | ⚠️ | | 💡 | | no-unresolved | Detect unresolved | | | | 💡 | | no-relative-parent-imports | Forbid parent imports | | ⚠️ | | 💡 | | no-default-export | Forbid default exports | | ⚠️ | | 💡 | | no-named-export | Forbid named exports | | ⚠️ | | 💡 | | no-unassigned-import | Forbid unassigned | | ⚠️ | | 💡 | | enforce-import-order | Enforce import order | | ⚠️ | 🔧 | 💡 | | consistent-function-scoping | Consistent scoping | | ⚠️ | | 💡 | | filename-case | Filename conventions | | ⚠️ | | 💡 | | no-instanceof-array | Forbid instanceof Array | | ⚠️ | 🔧 | |

React (41 rules)

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | --- | --- | --- | --- | | hooks-exhaustive-deps | Exhaustive hook deps | | ⚠️ | | 💡 | | required-attributes | Required attributes | | | 🔧 | | | jsx-key | Missing React keys | | | | 💡 | | no-direct-mutation-state | No state mutation | | | | 💡 | | require-optimization | Require optimizations | | ⚠️ | | 💡 | | no-set-state | Disallow setState | | | | 💡 | | no-this-in-sfc | Disallow this in SFC | | | | 💡 | | no-access-state-in-setstate | Disallow this.state in setState | | | | 💡 | | no-children-prop | Disallow children prop | | | | 💡 | | no-danger | Disallow dangerouslySetInnerHTML | | | | 💡 | | no-string-refs | Disallow string refs | | | | 💡 | | no-unknown-property | Disallow unknown props | | | | 💡 | | checked-requires-onchange-or-readonly | Require onChange/readOnly | | | | 💡 | | default-props-match-prop-types | Match defaultProps/propTypes | | | | 💡 | | display-name | Require displayName | | | | 💡 | | jsx-handler-names | Enforce handler names | | | | 💡 | | jsx-max-depth | Limit JSX depth | | | | 💡 | | jsx-no-bind | Disallow bind in JSX | | | | 💡 | | jsx-no-literals | Disallow string literals | | | | 💡 | | no-adjacent-inline-elements | Disallow adjacent inline | | | | 💡 | | no-arrow-function-lifecycle | Disallow arrow in lifecycle | | | | 💡 | | no-did-mount-set-state | Disallow setState in didMount | | | | 💡 | | no-did-update-set-state | Disallow setState in didUpdate | | | | 💡 | | no-invalid-html-attribute | Disallow invalid attributes | | | | 💡 | | no-is-mounted | Disallow isMounted | | | | 💡 | | no-multi-comp | One component per file | | | | 💡 | | no-namespace | Disallow namespaces | | | | 💡 | | no-object-type-as-default-prop | Disallow object defaults | | | | 💡 | | no-redundant-should-component-update | Disallow redundant shouldUpdate | | | | 💡 | | no-render-return-value | Disallow render return | | | | 💡 | | no-typos | Detect typos | | | | 💡 | | no-unescaped-entities | Disallow unescaped entities | | | | 💡 | | prefer-es6-class | Prefer ES6 classes | | | | 💡 | | prefer-stateless-function | Prefer stateless components | | | | 💡 | | prop-types | Require propTypes | | | | 💡 | | react-in-jsx-scope | Require React in scope | | | | 💡 | | require-default-props | Require defaultProps | | | | 💡 | | require-render-return | Require render return | | | | 💡 | | sort-comp | Enforce component order | | | | 💡 | | state-in-constructor | Enforce state init style | | | | 💡 | | static-property-placement | Enforce static properties | | | | 💡 |

Development (7 rules)

Performance (7 rules)

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 | | --------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | --- | --- | --- | --- | | react-no-inline-functions | Prevent inline functions | | ⚠️ | | | | no-unnecessary-rerenders | Detect unnecessary rerenders | | ⚠️ | | 💡 | | no-memory-leak-listeners | Detect memory leaks | | ⚠️ | | 💡 | | no-blocking-operations | Detect blocking ops | | ⚠️ | | 💡 | | no-unbounded-cache | Detect unbounded cache | | ⚠️ | | 💡 | | detect-n-plus-one-queries | Detect N+1 queries | | ⚠️ | | | | react-render-optimization | React render optimization | | ⚠️ | | 💡 |

Code Quality (9 rules)

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 | | --------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | --- | --- | --- | --- | | no-commented-code | Remove commented code | | ⚠️ | | 💡 | | max-parameters | Limit parameters | | ⚠️ | | 💡 | | no-missing-null-checks | Enforce null checks | | ⚠️ | | 💡 | | no-unsafe-type-narrowing | Safe type narrowing | | ⚠️ | | 💡 | | expiring-todo-comments | Expiring TODOs | | ⚠️ | | 💡 | | no-lonely-if | Detect lonely if | | ⚠️ | 🔧 | | | no-nested-ternary | Forbid nested ternary | | ⚠️ | | 💡 | | prefer-code-point | Prefer codePointAt | | ⚠️ | 🔧 | | | prefer-dom-node-text-content | Prefer textContent | | ⚠️ | 🔧 | |

Error Handling (4 rules)

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 | | ------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | --- | --- | --- | --- | | no-unhandled-promise | Handle promises | | | | 💡 | | no-silent-errors | No silent errors | | | | 💡 | | no-missing-error-context | Error context required | | | | 💡 | | error-message | Require error messages | | ⚠️ | | 💡 |

Accessibility (3 rules)

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 | | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | --- | --- | --- | --- | | img-requires-alt | Enforce alt text | | ⚠️ | | | | no-keyboard-inaccessible-elements | Keyboard access | | ⚠️ | | 💡 | | no-missing-aria-labels | Enforce ARIA labels | | ⚠️ | | 💡 |

Complexity (2 rules)

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 | | ----------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | --- | --- | --- | --- | | cognitive-complexity | Limit complexity | | | | | | nested-complexity-hotspots | Detect hotspots | | | | 💡 |

DDD (2 rules)

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 | | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | --- | --- | --- | --- | | ddd-anemic-domain-model | Detect anemic models | | | | 💡 | | ddd-value-object-immutability | Value object immutability | | | | 💡 |

Migration (1 rule)

Deprecation (1 rule)

Domain (1 rule)

| Name | Description | 💼 | ⚠️ | 🔧 | 💡 | | ----------------------------------------------------------------------------------------------------------------------- | ------------- | --- | --- | --- | --- | | enforce-naming | Domain naming | | | | |

Published

Vulnerabilities

Links

Maintainers

Keywords

Readme

eslint-plugin-code-mode

🎯 The Problem with Traditional ESLint Rules

💡 The Solution: Code Mode-Optimized Error Messages

🔥 Three Competitive Edges

1. LLM Guidance for Non-Fixable Rules

2. Built for Code Mode & ESLint MCP Integration

3. All-in-One Solution (137 Rules)

🚀 Quick Start

📊 Why Choose This Plugin?

📈 Benchmarks

📋 Available Presets

🏢 For Organizations

📦 Package Information

❓ FAQ

📚 Rules Reference (137 Rules)

Security (29 rules)

Architecture (28 rules)

React (41 rules)

Development (7 rules)

Performance (7 rules)

Code Quality (9 rules)

Error Handling (4 rules)

Accessibility (3 rules)

Complexity (2 rules)

DDD (2 rules)

Migration (1 rule)

Deprecation (1 rule)

Domain (1 rule)

Duplication (1 rule)

API (1 rule)

📄 License