chore(sonar): align project quality gate and fix regex findings

- enforce xConfig Sonar exclusions, profile rules, and new-code gate conditions
- replace Sonar-flagged regex parsers with small string parsers
- document verified SonarQube server state

Author: thomasasen

dist/autodarts-xconfig.user.js

@@ -5933,12 +5933,44 @@
     if (!normalized.startsWith("/")) {
       normalized = `/${normalized}`;
     }
-    normalized = normalized.replace(/[?#].*$/, "").replaceAll(/\/{2,}/g, "/");
+    normalized = collapseRepeatedSlashes(stripRouteSuffix(normalized));
     if (normalized.length > 1) {
-      normalized = normalized.replace(/\/+$/, "");
+      normalized = trimTrailingSlashes(normalized);
     }
     return normalized;
   }
+  function stripRouteSuffix(pathValue) {
+    const queryIndex = pathValue.indexOf("?");
+    const hashIndex = pathValue.indexOf("#");
+    const suffixIndexes = [queryIndex, hashIndex].filter((index) => index >= 0);
+    if (!suffixIndexes.length) {
+      return pathValue;
+    }
+    return pathValue.slice(0, Math.min(...suffixIndexes));
+  }
+  function collapseRepeatedSlashes(pathValue) {
+    let collapsed = "";
+    let previousWasSlash = false;
+    for (const char of pathValue) {
+      if (char === "/") {
+        if (!previousWasSlash) {
+          collapsed += char;
+        }
+        previousWasSlash = true;
+        continue;
+      }
+      collapsed += char;
+      previousWasSlash = false;
+    }
+    return collapsed;
+  }
+  function trimTrailingSlashes(pathValue) {
+    let endIndex = pathValue.length;
+    while (endIndex > 1 && pathValue[endIndex - 1] === "/") {
+      endIndex -= 1;
+    }
+    return pathValue.slice(0, endIndex);
+  }
   function normalizeMatchId(value) {
     return String(value || "").trim().toLowerCase();
   }
@@ -9634,7 +9666,8 @@
     max: 3.15
   });
   var TRANSFORM_SIGNATURE_STEP_PX = 0.5;
-  var APPLIED_ZOOM_TRANSFORM_PATTERN = /(?:^|\s)translate\(\s*([-+]?\d*\.?\d+)px,\s*([-+]?\d*\.?\d+)px\)\s+scale\(\s*([-+]?\d*\.?\d+)\s*\)\s*$/;
+  var TRANSLATE_PREFIX = "translate(";
+  var SCALE_PREFIX = "scale(";
   function parseViewBox(svgNode) {
     if (!svgNode || typeof svgNode.getAttribute !== "function") {
       return {
@@ -10097,7 +10130,7 @@
     const hasAppliedZoomTransform = targetNode.classList?.contains?.(ZOOM_CLASS) && Boolean(parseAppliedZoomTransform(currentTransform));
     state.targetStyleSnapshot = {
       node: targetNode,
-      transform: hasAppliedZoomTransform ? currentTransform.replace(APPLIED_ZOOM_TRANSFORM_PATTERN, "").trim() : currentTransform,
+      transform: hasAppliedZoomTransform ? stripAppliedZoomTransform(currentTransform) : currentTransform,
       transition: hasAppliedZoomTransform ? "" : String(targetNode.style.transition || ""),
       transformOrigin: hasAppliedZoomTransform ? "" : String(targetNode.style.transformOrigin || ""),
       willChange: hasAppliedZoomTransform ? "" : String(targetNode.style.willChange || "")
@@ -10301,13 +10334,35 @@
     return normalizeRect(measuredRect) || fallbackRect;
   }
   function parseAppliedZoomTransform(transformValue) {
-    const match = String(transformValue || "").match(APPLIED_ZOOM_TRANSFORM_PATTERN);
-    if (!match) {
+    const rawTransform = String(transformValue || "").trim();
+    const translateIndex = rawTransform.lastIndexOf(TRANSLATE_PREFIX);
+    if (translateIndex < 0) {
+      return null;
+    }
+    if (translateIndex > 0 && String(rawTransform[translateIndex - 1] || "").trim()) {
       return null;
     }
-    const tx = Number(match[1]);
-    const ty = Number(match[2]);
-    const scale = Number(match[3]);
+    const translateStart = translateIndex + TRANSLATE_PREFIX.length;
+    const translateEnd = rawTransform.indexOf(")", translateStart);
+    if (translateEnd < 0) {
+      return null;
+    }
+    const afterTranslate = rawTransform.slice(translateEnd + 1).trimStart();
+    if (!afterTranslate.startsWith(SCALE_PREFIX)) {
+      return null;
+    }
+    const scaleStart = SCALE_PREFIX.length;
+    const scaleEnd = afterTranslate.indexOf(")", scaleStart);
+    if (scaleEnd < 0 || afterTranslate.slice(scaleEnd + 1).trim()) {
+      return null;
+    }
+    const translateParts = rawTransform.slice(translateStart, translateEnd).split(",");
+    if (translateParts.length !== 2) {
+      return null;
+    }
+    const tx = parseCssPixelValue(translateParts[0]);
+    const ty = parseCssPixelValue(translateParts[1]);
+    const scale = Number(afterTranslate.slice(scaleStart, scaleEnd).trim());
     if (!(Number.isFinite(tx) && Number.isFinite(ty) && Number.isFinite(scale) && scale > 1)) {
       return null;
     }
@@ -10317,6 +10372,21 @@
       scale
     };
   }
+  function parseCssPixelValue(value) {
+    const normalized = String(value || "").trim();
+    if (!normalized.endsWith("px")) {
+      return Number.NaN;
+    }
+    return Number(normalized.slice(0, -2).trim());
+  }
+  function stripAppliedZoomTransform(transformValue) {
+    const rawTransform = String(transformValue || "").trim();
+    const translateIndex = rawTransform.lastIndexOf(TRANSLATE_PREFIX);
+    if (translateIndex < 0 || !parseAppliedZoomTransform(rawTransform)) {
+      return rawTransform;
+    }
+    return rawTransform.slice(0, translateIndex).trim();
+  }
   function resolveCurrentAppliedZoomTransform(targetNode, measuredNode) {
     if (!targetNode?.classList?.contains?.(ZOOM_CLASS)) {
       return null;

docs/sonarqube/2026-04-19-server-config.md

@@ -1,6 +1,7 @@
 # SonarQube Server Config For autodarts-xconfig
 
 Date: `2026-04-19`
+Last verified: `2026-04-24`
 Project key: `xConfig`
 Project name: `autodarts-xconfig`
 JS profile: `autodarts-xconfig JS`
@@ -17,34 +18,45 @@ The following changes were applied directly on the SonarQube server:
 - Updated `javascript:S3776` to severity `MAJOR` with threshold `25`
 - Updated `javascript:S2004` to severity `MAJOR` with max nesting `4`
 - Updated `javascript:S6582` to severity `MINOR`
+- Confirmed `javascript:S1128` is active
+- Confirmed `javascript:S125` is active
 - Set `sonar.exclusions` to:
   `dist/**`, `src/legacy-backups/**`, `src/vendors/anime.min.cjs`, `src/vendors/canvas-confetti.browser.js`
 - Set `sonar.cpd.exclusions` to:
   `src/vendors/**`, `src/legacy-backups/**`
 - Set `sonar.coverage.exclusions` to:
   `loader/**`, `scripts/**`, `src/vendors/**`, `src/legacy-backups/**`
+- Assigned quality gate `autodarts-xconfig` to project `xConfig`
+- Added new-code quality gate conditions:
+  - `new_security_review_rating > 1`
+  - `new_blocker_violations > 0`
+  - `new_critical_violations > 0`
 
 ## Verified Outcome
 
-After a fresh Sonar analysis:
+After a fresh Sonar analysis on `2026-04-24`:
 
-- Open issues dropped from `259` to `117`
-- Open `CRITICAL` issues dropped from `10` to `0`
+- Quality gate is `OK`
+- Open issues are `0`
+- Open Security Hotspots to review are `16`
 - JS profile active rule count is now `375`
-- Quality gate remains `OK`
+- New-code duplicated lines density is `1.59774`
+- New-code Blocker issues are `0`
+- New-code Critical issues are `0`
+- New-code Security Review Rating is `A`
+- Coverage remains `0.0`; no LCOV report is currently imported
 
 ## Intentional Non-Changes
 
 The following were intentionally left unchanged:
 
-- Quality gate conditions
 - New code definition
 - CSS profile
 - HTML profile
 
 Reason:
 
-- The current gate already focuses on new code and remains stable after the rule cleanup.
+- The current gate already focuses on new code.
 - Coverage import is still `0.0`, so adding a coverage gate now would create noise rather than value.
 - The repository is overwhelmingly JS/MJS. Standalone CSS/HTML analysis is currently marginal for this project.
 
@@ -58,10 +70,7 @@ Example:
 $env:SONARQUBE_URL = "http://your-sonarqube-server:9000"
 $env:SONARQUBE_TOKEN = "your-token"
 
-pwsh ./ops/sonarqube/apply-xconfig-server-config.ps1 `
-  -SonarQubeUrl $env:SONARQUBE_URL `
-  -SonarQubeToken $env:SONARQUBE_TOKEN `
-  -RunAnalysis
+.\ops\sonarqube\apply-xconfig-server-config.ps1 -RunAnalysis
 ```
 
 ## Next Sensible Step

ops/sonarqube/apply-xconfig-server-config.ps1

@@ -1,17 +1,24 @@
 param(
-  [Parameter(Mandatory = $true)]
-  [string]$SonarQubeUrl,
+  [string]$SonarQubeUrl = $env:SONARQUBE_URL,
 
-  [Parameter(Mandatory = $true)]
-  [string]$SonarQubeToken,
+  [string]$SonarQubeToken = $env:SONARQUBE_TOKEN,
 
   [string]$ProjectKey = "xConfig",
   [string]$JsProfileName = "autodarts-xconfig JS",
+  [string]$QualityGateName = "autodarts-xconfig",
   [switch]$RunAnalysis
 )
 
 $ErrorActionPreference = "Stop"
 
+if (-not $SonarQubeUrl) {
+  throw "SONARQUBE_URL must be set."
+}
+
+if (-not $SonarQubeToken) {
+  throw "SONARQUBE_TOKEN must be set."
+}
+
 function New-AuthHeader {
   param([string]$Token)
 
@@ -31,6 +38,16 @@ function Invoke-SonarPost {
   Invoke-RestMethod -Headers $Headers -Method Post -Uri "$BaseUrl$Path" -Body $Body | Out-Null
 }
 
+function Invoke-SonarGet {
+  param(
+    [hashtable]$Headers,
+    [string]$BaseUrl,
+    [string]$Path
+  )
+
+  Invoke-RestMethod -Headers $Headers -Uri "$BaseUrl$Path"
+}
+
 function Set-SonarMultiValue {
   param(
     [hashtable]$Headers,
@@ -59,10 +76,48 @@ function Set-SonarMultiValue {
     -Body $body | Out-Null
 }
 
+function Set-SonarGateCondition {
+  param(
+    [hashtable]$Headers,
+    [string]$BaseUrl,
+    [string]$GateName,
+    [string]$Metric,
+    [string]$Op,
+    [string]$ErrorThreshold
+  )
+
+  $gate = Invoke-SonarGet `
+    -Headers $Headers `
+    -BaseUrl $BaseUrl `
+    -Path "/api/qualitygates/show?name=$([uri]::EscapeDataString($GateName))"
+
+  $existing = @($gate.conditions) | Where-Object { $_.metric -eq $Metric } | Select-Object -First 1
+
+  if ($existing) {
+    if ($existing.op -ne $Op -or [string]$existing.error -ne $ErrorThreshold) {
+      Invoke-SonarPost -Headers $Headers -BaseUrl $BaseUrl -Path "/api/qualitygates/update_condition" -Body @{
+        id = $existing.id
+        metric = $Metric
+        op = $Op
+        error = $ErrorThreshold
+      }
+    }
+
+    return
+  }
+
+  Invoke-SonarPost -Headers $Headers -BaseUrl $BaseUrl -Path "/api/qualitygates/create_condition" -Body @{
+    gateName = $GateName
+    metric = $Metric
+    op = $Op
+    error = $ErrorThreshold
+  }
+}
+
 $baseUrl = $SonarQubeUrl.TrimEnd("/")
 $headers = New-AuthHeader -Token $SonarQubeToken
 
-$profiles = Invoke-RestMethod -Headers $headers -Uri "$baseUrl/api/qualityprofiles/search?project=$ProjectKey"
+$profiles = Invoke-SonarGet -Headers $headers -BaseUrl $baseUrl -Path "/api/qualityprofiles/search?project=$ProjectKey"
 $jsProfile = $profiles.profiles | Where-Object { $_.language -eq "js" -and $_.name -eq $JsProfileName } | Select-Object -First 1
 
 if (-not $jsProfile) {
@@ -105,6 +160,16 @@ foreach ($rule in $deactivateRules) {
   }
 }
 
+Invoke-SonarPost -Headers $headers -BaseUrl $baseUrl -Path "/api/qualityprofiles/activate_rule" -Body @{
+  key = $profileKey
+  rule = "javascript:S1128"
+}
+
+Invoke-SonarPost -Headers $headers -BaseUrl $baseUrl -Path "/api/qualityprofiles/activate_rule" -Body @{
+  key = $profileKey
+  rule = "javascript:S125"
+}
+
 Invoke-SonarPost -Headers $headers -BaseUrl $baseUrl -Path "/api/qualityprofiles/activate_rule" -Body @{
   key = $profileKey
   rule = "javascript:S3776"
@@ -125,6 +190,36 @@ Invoke-SonarPost -Headers $headers -BaseUrl $baseUrl -Path "/api/qualityprofiles
   severity = "MINOR"
 }
 
+$gate = $null
+
+try {
+  $gate = Invoke-SonarGet `
+    -Headers $headers `
+    -BaseUrl $baseUrl `
+    -Path "/api/qualitygates/show?name=$([uri]::EscapeDataString($QualityGateName))"
+} catch {
+  $gate = $null
+}
+
+if (-not $gate) {
+  Invoke-SonarPost -Headers $headers -BaseUrl $baseUrl -Path "/api/qualitygates/create" -Body @{
+    name = $QualityGateName
+  }
+}
+
+Invoke-SonarPost -Headers $headers -BaseUrl $baseUrl -Path "/api/qualitygates/select" -Body @{
+  projectKey = $ProjectKey
+  gateName = $QualityGateName
+}
+
+Set-SonarGateCondition -Headers $headers -BaseUrl $baseUrl -GateName $QualityGateName -Metric "new_reliability_rating" -Op "GT" -ErrorThreshold "1"
+Set-SonarGateCondition -Headers $headers -BaseUrl $baseUrl -GateName $QualityGateName -Metric "new_security_rating" -Op "GT" -ErrorThreshold "1"
+Set-SonarGateCondition -Headers $headers -BaseUrl $baseUrl -GateName $QualityGateName -Metric "new_security_review_rating" -Op "GT" -ErrorThreshold "1"
+Set-SonarGateCondition -Headers $headers -BaseUrl $baseUrl -GateName $QualityGateName -Metric "new_maintainability_rating" -Op "GT" -ErrorThreshold "1"
+Set-SonarGateCondition -Headers $headers -BaseUrl $baseUrl -GateName $QualityGateName -Metric "new_duplicated_lines_density" -Op "GT" -ErrorThreshold "3"
+Set-SonarGateCondition -Headers $headers -BaseUrl $baseUrl -GateName $QualityGateName -Metric "new_blocker_violations" -Op "GT" -ErrorThreshold "0"
+Set-SonarGateCondition -Headers $headers -BaseUrl $baseUrl -GateName $QualityGateName -Metric "new_critical_violations" -Op "GT" -ErrorThreshold "0"
+
 if ($RunAnalysis) {
   $env:SONAR_HOST_URL = $baseUrl
   $env:SONAR_TOKEN = $SonarQubeToken
@@ -134,10 +229,12 @@ if ($RunAnalysis) {
 $summary = [ordered]@{
   project = $ProjectKey
   jsProfile = $JsProfileName
-  activeRuleCount = (Invoke-RestMethod -Headers $headers -Uri "$baseUrl/api/qualityprofiles/search?project=$ProjectKey").profiles |
+  qualityGate = $QualityGateName
+  activeRuleCount = (Invoke-SonarGet -Headers $headers -BaseUrl $baseUrl -Path "/api/qualityprofiles/search?project=$ProjectKey").profiles |
     Where-Object { $_.language -eq "js" -and $_.name -eq $JsProfileName } |
     Select-Object -ExpandProperty activeRuleCount
-  settings = Invoke-RestMethod -Headers $headers -Uri "$baseUrl/api/settings/values?component=$ProjectKey&keys=sonar.exclusions,sonar.cpd.exclusions,sonar.coverage.exclusions"
+  settings = Invoke-SonarGet -Headers $headers -BaseUrl $baseUrl -Path "/api/settings/values?component=$ProjectKey&keys=sonar.exclusions,sonar.cpd.exclusions,sonar.coverage.exclusions"
+  gate = Invoke-SonarGet -Headers $headers -BaseUrl $baseUrl -Path "/api/qualitygates/show?name=$([uri]::EscapeDataString($QualityGateName))"
 }
 
 $summary | ConvertTo-Json -Depth 8

sonar-project.properties

@@ -8,3 +8,7 @@ sonar.projectName=autodarts-xconfig
 sonar.sources=src,loader,scripts
 sonar.tests=tests
 sonar.test.inclusions=tests/**
+
+sonar.exclusions=dist/**,src/legacy-backups/**,src/vendors/anime.min.cjs,src/vendors/canvas-confetti.browser.js
+sonar.cpd.exclusions=src/vendors/**,src/legacy-backups/**
+sonar.coverage.exclusions=loader/**,scripts/**,src/vendors/**,src/legacy-backups/**