@chahuadev/junk-sweeper-app 1.0.0 → 1.0.2

package/README.md

@@ -41,7 +41,7 @@ junk-sweeper
 
 While standard linters look for syntax errors, **Chahuadev Junk Sweeper** uses deep AST analysis to understand the *context* and *architecture* of your entire project.
 
-### 🐛 Silent Bug Catcher
+### 🐛 Silent Bug Catcher  — 8 patterns
 Detects logical flaws that compile fine but silently break business logic:
 
 | Pattern | What It Catches |
@@ -50,11 +50,35 @@ Detects logical flaws that compile fine but silently break business logic:
 | **Zombie Event Listeners** | `.addEventListener()` without `.removeEventListener()` — memory leaks |
 | **Scope Shadowing** | Inner variable re-declaring an outer name — wrong value runs silently |
 | **Floating Promises** | `async` calls without `await` inside `try/catch` — rejections go unhandled |
+| **Orphaned Timers** | `setTimeout`/`setInterval` without cleanup reference — phantom callbacks |
+| **Uncaught Promise Chains** | `.then()` without `.catch()` — unhandled rejections |
+| **Naked JSON.parse** | `JSON.parse()` outside `try/catch` — crashes on malformed input |
+| **Await in Loop** | `await` inside `for`/`forEach` — accidental serial execution instead of parallel |
+
+### 🛠️ Code Quality Auditor  — 10 patterns
+Catches patterns that compile and run today, but rot the codebase over time:
+
+| Pattern | What It Catches |
+|---|---|
+| **debugger statement** | Debug pause left in production code |
+| **eval() / new Function(string)** | Arbitrary code execution — security + performance risk |
+| **NaN comparison** | `x === NaN` always evaluates to `false` — use `Number.isNaN()` |
+| **Assignment in condition** | `if (x = foo())` — likely a typo of `===` |
+| **parseInt without radix** | Octal parsing surprises in legacy engines |
+| **var declaration** | Function-scoped hoisting footgun — use `const`/`let` |
+| **console.\* debug logging** | Debug output left in production build |
+| **Prototype mutation** | `__proto__` / built-in `.prototype` mutation — attack vector |
+| **Overly long functions** | Functions >60 lines — complexity & maintainability risk |
+| **TODO / FIXME / HACK markers** | Unresolved technical debt accumulating in comments |
+
+### ✨ Live AST Recommendations
+Every finding includes a **live recommendation** generated from your actual code — real variable names, the exact problematic source line, and a concrete before/after fix example. No hardcoded template strings.
 
 ### 🗺️ Interactive Architecture Map (n8n-style)
 - **Left-to-Right auto-layout** — see cross-file dependency flow instantly
 - **Drag nodes freely** — organise your architecture your way
 - **Save / Load / Copy Layout** — positions persist across sessions
+- **Collapsible Node Status legend** — click to collapse/expand; state remembered in localStorage
 - **Bidirectional issue ↔ map linking** — click an issue to fly to its node; click a node to filter issues
 
 ### ⚡ One-Click VS Code Integration
@@ -65,6 +89,43 @@ Worker Threads keep the UI responsive while scanning 1,000+ file projects.
 
 ---
 
+## 🔒 Security Guarantee
+
+Junk Sweeper is **read-only by design** — verified at the code level, not just by policy.
+
+| Guarantee | How It Works |
+|---|---|
+| **Never modifies user files** | All detectors use `fs.readFileSync()` only — no `writeFileSync()` anywhere near your code |
+| **Never touches the OS** | No registry writes, no admin privilege requests, no system calls outside the app's own data folder |
+| **Path Traversal Protection** | Every scan path is validated against `../` traversal, symlinks, and forbidden OS directories (`System32`, `/etc`, `/sys`, `/proc`) |
+| **Executable Injection Prevention** | Strict file-type whitelist — `.exe`, `.dll`, `.bat`, `.sh` and all binary formats are blocked before analysis |
+| **App Integrity on Every Launch** | SHA-256 checksums of `main.js`, `preload.js`, and all detectors are verified before the app starts — tampered builds are rejected |
+| **Sandboxed Renderer** | Electron runs with `contextIsolation: true`, `sandbox: true`, `nodeIntegration: false` — the UI has zero direct Node.js access |
+| **Audit Log** | Every file access and security event is logged to `~/.chahuadev/logs/` for full traceability |
+
+The only files the app ever writes are its **own** layout cache (`%APPDATA%\Junk Sweeper\layouts\`) and its own security audit log — nothing inside your project.
+
+---
+
+## 📝 Changelog
+
+### v1.0.0 — Initial Release
+- Read-only AST analysis — JSON/HTML/CSV export
+- Interactive n8n-style Project Map with Layout Memory
+- 5 AST detectors: Unused Variables, Unused Imports, Dead Code, Duplicate Functions, Silent Bugs
+- 7-Layer Security Gateway + SHA-256 checksum integrity verification
+- One-Click VS Code Go-to-Line integration
+- Worker Thread architecture — UI stays responsive during large scans
+
+### v1.0.1 — AST Recommendations & Code Quality Auditor
+- **6th detector:** `ast-code-quality-detector.js` — 10 production-safety patterns (debugger, eval, NaN comparison, assignment-in-condition, parseInt radix, var, console.\*, prototype mutation, long functions, TODO markers)
+- **Silent Bugs expanded to 8 patterns:** Orphaned Timers, Uncaught Promise Chains, Naked `JSON.parse`, Await-in-Loop
+- **Live AST-driven recommendations** across all 6 detectors — every finding shows the actual code line from your source, real variable/function names from the AST, and a concrete before/after fix example
+- **Collapsible Node Status legend** in Project Map — collapse to save screen space; state persists in localStorage
+- **Terminal boot sequence** shows all 7 security layers and all 6 active detectors on launch
+
+---
+
 ## 📦 Platform Support
 
 | Platform | Architecture | Status |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chahuadev/junk-sweeper-app",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Chahuadev Junk Sweeper — AST-based dead code & silent bug detector with interactive architecture map",
   "main": "index.js",
   "bin": {