chore: add static analysis tooling (Knip, dependency-cruiser, Semgrep, Gitleaks)

- Knip: dead-code detection; found 2 dead files + 18 unused exports (not removed, reported)
- dependency-cruiser: enforces src/→electron boundary, no-circular, no-orphans
- Semgrep: 9 custom rules covering token-in-URL, innerHTML XSS, eval, shell injection, pkill-f
- Gitleaks: secret scanning with custom rules for MCP tokens and bearer tokens
- Scripts: lint:dead, lint:arch, lint:security, lint:secrets, check:static in package.json
- Pre-commit: Husky runs lint-staged + check on every commit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brooksc

.dependency-cruiser.cjs

@@ -0,0 +1,77 @@
+/** @type {import('dependency-cruiser').IConfiguration} */
+module.exports = {
+  forbidden: [
+    {
+      name: 'no-renderer-importing-main',
+      severity: 'error',
+      comment:
+        'Renderer (src/) must never import Electron main-process code. ' +
+        'Use IPC channels instead.',
+      from: { path: '^src/' },
+      to: {
+        path: '^electron/',
+        // Allow importing the shared IPC channel enum (channels.ts is a pure enum, no Node/Electron deps)
+        pathNot: '^electron/ipc/channels\\.ts',
+      },
+    },
+    {
+      name: 'no-mcp-importing-components',
+      severity: 'error',
+      comment: 'MCP coordinator must not import frontend components or store.',
+      from: { path: '^electron/mcp/' },
+      to: { path: '^src/(components|store|lib)/' },
+    },
+    {
+      name: 'no-circular',
+      severity: 'error',
+      comment:
+        'Circular dependencies break tree-shaking and make reasoning about startup order impossible.',
+      from: {},
+      to: { circular: true },
+    },
+    {
+      name: 'no-orphans',
+      severity: 'warn',
+      comment: 'Orphan modules have no importers and no exports used elsewhere — likely dead code.',
+      from: {
+        orphan: true,
+        // Test files, config files, entry points, and pure type modules are expected orphans.
+        // Type-only modules (types.ts, *.d.ts) are consumed by TypeScript structurally — the
+        // import graph doesn't capture all type-level usage, so they appear orphaned.
+        pathNot: [
+          '\\.test\\.(ts|tsx)$',
+          '\\.config\\.(ts|js|cjs)$',
+          '\\.d\\.ts$',
+          'types\\.ts$',
+          'types\\.(ts|tsx)$',
+          '^src/main\\.tsx$',
+          '^src/remote/main\\.tsx$',
+          '^electron/main\\.ts$',
+          '^electron/preload\\.cjs$',
+          '^electron/mcp/server\\.ts$',
+          // Vite ambient env declarations
+          '^src/vite-env\\.d\\.ts$',
+        ],
+      },
+      to: {},
+    },
+  ],
+
+  options: {
+    doNotFollow: {
+      path: 'node_modules',
+    },
+    moduleSystems: ['es6', 'cjs'],
+    tsConfig: {
+      fileName: 'tsconfig.json',
+    },
+    reporterOptions: {
+      dot: {
+        collapsePattern: 'node_modules/[^/]+',
+      },
+      archi: {
+        collapsePattern: '^(node_modules|src/components)/[^/]+',
+      },
+    },
+  },
+};

.gitleaks.toml

@@ -0,0 +1,43 @@
+title = "Gitleaks config for Parallel Code"
+
+[extend]
+# Use the default Gitleaks ruleset as the base
+useDefault = true
+
+[[rules]]
+id = "parallel-code-mcp-token"
+description = "Parallel Code MCP bearer token"
+regex = '''PARALLEL_CODE_MCP_TOKEN\s*[=:]\s*['""]?[A-Za-z0-9+/\-_]{20,}['""]?'''
+tags = ["token", "parallel-code"]
+
+[[rules]]
+id = "bearer-token-in-url"
+description = "Bearer token embedded in a URL query parameter"
+regex = '''[?&]token=[A-Za-z0-9+/\-_]{20,}'''
+tags = ["token", "url"]
+[rules.allowlist]
+# Test fixture URLs and documentation are expected to have placeholder tokens
+regexes = [
+  '''token=<[A-Za-z0-9_-]+>''',   # placeholder like ?token=<your-token>
+  '''token=test''',                 # obvious test value
+  '''token=abc''',                  # obvious test value
+  '''token=tok''',                  # obvious test value
+]
+
+[[rules]]
+id = "anthropic-api-key"
+description = "Anthropic API key"
+regex = '''sk-ant-[A-Za-z0-9\-_]{40,}'''
+tags = ["api-key", "anthropic"]
+
+[allowlist]
+description = "Global allowlist"
+paths = [
+  # Lock files contain package hashes, not secrets
+  '''package-lock\.json''',
+  # Test fixture files with obviously fake values
+  '''\.test\.(ts|tsx)$''',
+  # The gitleaks config itself documents patterns
+  '''\.gitleaks\.toml''',
+]
+commits = []

.semgrep/electron-security.yml

@@ -0,0 +1,49 @@
+rules:
+  - id: no-inner-html-without-sanitize
+    pattern: $EL.innerHTML = $VAL
+    pattern-not: $EL.innerHTML = DOMPurify.sanitize(...)
+    message: |
+      Direct innerHTML assignment without DOMPurify.sanitize() risks XSS.
+      Use the sanitizeHtml() helper or DOMPurify.sanitize() explicitly.
+    languages: [typescript]
+    severity: ERROR
+    paths:
+      include:
+        - '**/src/**'
+
+  - id: no-eval
+    pattern: eval($X)
+    message: |
+      eval() executes arbitrary code. Not allowed in Electron renderer or main process.
+    languages: [typescript]
+    severity: ERROR
+
+  - id: no-new-function
+    pattern: new Function($X)
+    message: |
+      new Function() executes arbitrary code. Not allowed in Electron renderer or main process.
+    languages: [typescript]
+    severity: ERROR
+
+  - id: no-shell-true-in-spawn
+    pattern: |
+      child_process.spawn($CMD, $ARGS, {shell: true})
+    message: |
+      spawn() with shell:true enables shell injection. Use shell:false and
+      pass arguments as an array.
+    languages: [typescript]
+    severity: ERROR
+    paths:
+      include:
+        - '**/electron/**'
+
+  - id: pkill-dash-f-broad-kill
+    pattern: $EXEC("pkill", ["-f", ...], ...)
+    message: |
+      pkill -f matches any process whose full command line contains the pattern,
+      which can accidentally kill unrelated processes. Use kill by PID or docker stop.
+    languages: [typescript]
+    severity: WARNING
+    paths:
+      include:
+        - '**/electron/**'

.semgrep/filesystem-safety.yml

@@ -0,0 +1,24 @@
+rules:
+  - id: direct-writefile-in-mcp-coordinator
+    pattern: writeFileSync($PATH, $DATA, ...)
+    message: |
+      Direct writeFileSync in coordinator code risks torn writes on crash.
+      Use atomicWriteFileSync() from electron/mcp/atomic.ts instead.
+    languages: [typescript]
+    severity: WARNING
+    paths:
+      include:
+        - '**/electron/mcp/coordinator.ts'
+        - '**/electron/ipc/register.ts'
+
+  - id: copyfilesync-side-effect
+    pattern: fs.copyFileSync($SRC, $DST)
+    message: |
+      fs.copyFileSync is a filesystem side effect. In StartMCPServer,
+      ensure all pure computation (mcpConfig, mergedMcpJson) precedes
+      any copyFileSync calls so validation failures don't leave residue.
+    languages: [typescript]
+    severity: INFO
+    paths:
+      include:
+        - '**/electron/ipc/register.ts'

.semgrep/ipc-auth.yml

@@ -0,0 +1,28 @@
+rules:
+  - id: token-embedded-in-url-template
+    pattern: |
+      `$PREFIX?token=${$TOKEN}$SUFFIX`
+    message: |
+      Token embedded directly in URL template literal. Mobile/shared URLs must use
+      mobileToken, not the coordinator token. The coordinator token must never appear
+      in any URL that reaches the renderer or network.
+    languages: [typescript]
+    severity: ERROR
+    paths:
+      include:
+        - '**/electron/**'
+
+  - id: console-log-token-variable
+    pattern-either:
+      - pattern: console.log($A, token, $B)
+      - pattern: console.warn($A, token, $B)
+      - pattern: console.log(token)
+      - pattern: console.warn(token)
+    message: |
+      Logging a variable named 'token' directly. Use redactServerUrl() or
+      ensure this is not a bearer token value.
+    languages: [typescript]
+    severity: WARNING
+    paths:
+      include:
+        - '**/electron/**'

knip.config.ts

@@ -0,0 +1,34 @@
+import type { KnipConfig } from 'knip';
+
+const config: KnipConfig = {
+  entry: [
+    'electron/main.ts',
+    'electron/preload.cjs',
+    'electron/mcp/server.ts',
+    'src/main.tsx',
+    'src/remote/main.tsx',
+  ],
+  project: ['electron/**/*.ts', 'src/**/*.{ts,tsx}'],
+  ignore: [
+    'dist/**',
+    'dist-electron/**',
+    'dist-remote/**',
+    'release/**',
+    'scripts/**',
+    // Vite/Electron configs are entry points picked up by their respective tools
+    'electron/vite.config.electron.ts',
+    'electron/vite.config.electron.test.ts',
+    'electron/shims/**',
+  ],
+  ignoreDependencies: [
+    // Peer dependencies and indirect runtime deps
+    'electron',
+    'electron-builder',
+    'concurrently',
+    'wait-on',
+  ],
+  // Test files are allowed to have unused exports (test helpers, fixtures)
+  ignoreExportsUsedInFile: true,
+};
+
+export default config;