# Shop Minis ESLint Plugin

Custom ESLint rules for Shop Minis apps. ESLint is included with the SDK.

## Quick Setup

Create **`eslint.config.js`** (NOT `.eslintrc.js`):

```javascript
const shopMinisConfig = require('@shopify/shop-minis-react/eslint/config')

module.exports = [shopMinisConfig]
```

**That's it!** TypeScript and JSX are supported out of the box.

**Important:**
- File must be named `eslint.config.js` (no dot, no "rc")
- This will lint all `.js`, `.jsx`, `.ts`, `.tsx` files in your project
- TypeScript and JSX parsing is configured automatically

## Usage

```bash
# Check for errors
npx eslint .

# Auto-fix (converts <img> to <Image> AND adds import!)
npx eslint . --fix
```

## What You Get

### Custom Shop Minis Rules
- ✅ No internal imports allowed
- ✅ Warnings for `<img>`, `<button>`, `<label>` tags (auto-fixes with imports)
- ✅ Manifest scope validation - ensures manifest.json has scopes for hooks you use (auto-fixes manifest)

### Security Rules (Using Built-in ESLint Rules)
- ✅ WebAssembly usage blocked - prevents WASM in Shop Minis environment
- ✅ Unsafe code execution blocked - prevents `eval()`, Function constructor, and dynamic code execution
- ✅ `dangerouslySetInnerHTML` blocked - prevents XSS vulnerabilities
- ✅ `window.open` blocked - use SDK navigation instead
- ✅ Navigator APIs blocked - `clipboard`, `credentials`, `geolocation`, `share` are not available

## Rules

### `no-internal-imports`

Prevents importing from internal SDK directories.

```tsx
// ❌ Error
import {something} from '@shopify/shop-minis-react/internal'

// ✅ Correct
import {Component} from '@shopify/shop-minis-react'
```

### `prefer-sdk-components`

Suggests using SDK components instead of native HTML elements. **Fully auto-fixable** - fixes both tags and imports!

**Before:**
```tsx
const MyComponent = () => (
  <img src="product.jpg" alt="Product" />
)
```

**After running `npx eslint . --fix`:**
```tsx
import {Image} from '@shopify/shop-minis-react'

const MyComponent = () => (
  <Image src="product.jpg" alt="Product" />
)
```

**Supported Components:**
- `<img>` → `<Image>`
- `<button>` → `<Button>`
- `<label>` → `<Label>`

**Auto-fix does TWO things:**
1. ✅ Replaces native element with SDK component
2. ✅ Adds import statement automatically (or adds to existing import)

### `validate-manifest`

Validates `src/manifest.json` configuration for scopes and permissions. **Auto-fixable** - adds missing values to manifest!

#### Scopes

Checks that hooks have required scopes:

```tsx
// If you use this hook:
import {useCurrentUser} from '@shopify/shop-minis-react'

// Manifest must include:
{
  "scopes": ["USER_SETTINGS_READ"]
}
```

**Scope Requirements:**
- `useCurrentUser` → `USER_SETTINGS_READ`
- `useSavedProducts` → `FAVORITES`
- `useOrders` → `ORDERS`

#### Permissions

Checks for native permission usage:

```tsx
// If you use this hook:
import {useImagePicker} from '@shopify/shop-minis-react'

// Or browser APIs:
navigator.mediaDevices.getUserMedia({video: true})

// Manifest must include:
{
  "permissions": ["CAMERA"]
}
```

**Supported Permissions:**
- `CAMERA` - Required for `useImagePicker` hook or getUserMedia video
- `MICROPHONE` - Required for getUserMedia audio
- `MOTION` - Required for DeviceOrientation/DeviceMotion events

#### Trusted Domains

Checks that external URLs are in trusted_domains. Detects:

**Network Requests:**
- `fetch('https://api.example.com/data')`
- `new XMLHttpRequest().open('GET', 'https://...')`
- `new WebSocket('wss://api.example.com')`
- `new EventSource('https://api.example.com/events')`
- `navigator.sendBeacon('https://analytics.example.com')`
- `window.open('https://external.com')`

**Media & Resources:**
- `<img src="https://cdn.shopify.com/image.jpg" />`
- `<video src="https://videos.example.com/video.mp4" />`
- `<video poster="https://cdn.example.com/poster.jpg" />`
- `<audio src="https://audio.example.com/sound.mp3" />`
- `<source src="https://media.example.com/video.mp4" />`
- `<track src="https://cdn.example.com/captions.vtt" />`
- `<object data="https://cdn.example.com/file.pdf" />`
- `<embed src="https://cdn.example.com/file.swf" />`
- `<form action="https://api.example.com/submit" />`

**Note:** External scripts (`<script>`), stylesheets (`<link>`), and iframes are not supported and excluded from validation.

**Example manifest:**
```json
{
  "trusted_domains": [
    "api.example.com",
    "cdn.shopify.com",
    "videos.example.com"
  ]
}
```

**Wildcard support:**
```json
{
  "trusted_domains": [
    "*.shopify.com",     // Matches any Shopify subdomain
    "api.example.com",   // Exact domain
    "cdn.example.com/assets"  // Specific path
  ]
}
```

**Auto-fix:**
```bash
npx eslint . --fix
# Automatically updates src/manifest.json
```

**Example errors:**
```
Hook "useCurrentUser" requires scope "USER_SETTINGS_READ" in src/manifest.json.
Hook "useImagePicker" requires permission "CAMERA" in src/manifest.json.
fetch() call loads from "api.example.com" which is not in trusted_domains.
<img> src attribute loads from "cdn.shopify.com" which is not in trusted_domains.
```

## Security Rules

The following security restrictions are enforced using standard ESLint plugins and built-in rules:

### WebAssembly Restrictions

**Rules:** `no-restricted-globals`, `no-restricted-syntax`

```tsx
// ❌ Error
const module = new WebAssembly.Module(bytes)
WebAssembly.instantiate(bytes)
WebAssembly.compile(bytes)

// ✅ Correct
// Use JavaScript implementations instead of WebAssembly
```

**Why:** WebAssembly is not supported in the Shop Minis security sandbox.

### Unsafe Code Execution

**Rules:** `no-eval`, `no-implied-eval`, `no-new-func`, `no-script-url` (built-in ESLint rules)

```tsx
// ❌ Error
eval('alert(1)')
new Function('a', 'b', 'return a + b')
setTimeout('alert(1)', 1000)
window.location = 'javascript:void(0)'

// ✅ Correct
const add = (a, b) => a + b
setTimeout(() => alert(1), 1000)
window.location = 'https://example.com'
```

**Why:** Dynamic code execution can bypass security restrictions.

**Built-in rules used:**
- `no-eval` - blocks `eval()` and `window.eval()`
- `no-new-func` - blocks `new Function()` constructor
- `no-implied-eval` - blocks `setTimeout()` / `setInterval()` with string arguments
- `no-script-url` - blocks `javascript:` URLs

### Dangerous HTML Injection

**Rule:** `react/no-danger`

```tsx
// ❌ Error
<div dangerouslySetInnerHTML={{__html: userInput}} />

// ✅ Correct
<div>{sanitizedContent}</div>
```

**Why:** Injecting raw HTML can lead to XSS (Cross-Site Scripting) attacks.

### Window Open Restriction

**Rule:** `no-restricted-syntax`

```tsx
// ❌ Error
window.open('https://example.com', '_blank')

// ✅ Correct
// Use SDK navigation methods instead
import {useNavigation} from '@shopify/shop-minis-react'
const {navigate} = useNavigation()
navigate('https://example.com')
```

**Why:** `window.open` is not allowed in the Shop Minis environment. Use SDK navigation methods instead.

### Navigator API Restrictions

**Rule:** `no-restricted-syntax`

The following Navigator APIs are not available in the Shop Minis environment:

```tsx
// ❌ Error - Clipboard API
navigator.clipboard.writeText('text')
navigator.clipboard.readText()

// ❌ Error - Credentials API
navigator.credentials.get({password: true})
navigator.credentials.store(credential)

// ❌ Error - Geolocation API
navigator.geolocation.getCurrentPosition(callback)
navigator.geolocation.watchPosition(callback)

// ❌ Error - Share API
navigator.share({title: 'Title', url: 'https://...'})
```

**Why:** These browser APIs are not supported in the Shop Minis security sandbox. Use the appropriate SDK alternatives when available.

## Extending Rules

To add more component mappings to `prefer-sdk-components`, edit `eslint/rules/prefer-sdk-components.cjs`:

```javascript
const defaultComponents = {
  img: 'Image',
  button: 'Button',
  label: 'Label',
  input: 'Input', // Add this
  a: 'TransitionLink', // Add this
}
```

All consumers automatically get new rules - no config changes needed!