@chahuadev/junk-sweeper-app 1.0.1 → 1.1.0

package/README.md

@@ -41,7 +41,7 @@ junk-sweeper
 
 While standard linters look for syntax errors, **Chahuadev Junk Sweeper** uses deep AST analysis to understand the *context* and *architecture* of your entire project.
 
-### 🐛 Silent Bug Catcher
+### 🐛 Silent Bug Catcher  — 8 patterns
 Detects logical flaws that compile fine but silently break business logic:
 
 | Pattern | What It Catches |
@@ -50,12 +50,49 @@ Detects logical flaws that compile fine but silently break business logic:
 | **Zombie Event Listeners** | `.addEventListener()` without `.removeEventListener()` — memory leaks |
 | **Scope Shadowing** | Inner variable re-declaring an outer name — wrong value runs silently |
 | **Floating Promises** | `async` calls without `await` inside `try/catch` — rejections go unhandled |
+| **Orphaned Timers** | `setTimeout`/`setInterval` without cleanup reference — phantom callbacks |
+| **Uncaught Promise Chains** | `.then()` without `.catch()` — unhandled rejections |
+| **Naked JSON.parse** | `JSON.parse()` outside `try/catch` — crashes on malformed input |
+| **Await in Loop** | `await` inside `for`/`forEach` — accidental serial execution instead of parallel |
+
+### 🛠️ Code Quality Auditor  — 10 patterns
+Catches patterns that compile and run today, but rot the codebase over time:
+
+| Pattern | What It Catches |
+|---|---|
+| **debugger statement** | Debug pause left in production code |
+| **eval() / new Function(string)** | Arbitrary code execution — security + performance risk |
+| **NaN comparison** | `x === NaN` always evaluates to `false` — use `Number.isNaN()` |
+| **Assignment in condition** | `if (x = foo())` — likely a typo of `===` |
+| **parseInt without radix** | Octal parsing surprises in legacy engines |
+| **var declaration** | Function-scoped hoisting footgun — use `const`/`let` |
+| **console.\* debug logging** | Debug output left in production build |
+| **Prototype mutation** | `__proto__` / built-in `.prototype` mutation — attack vector |
+| **Overly long functions** | Functions >60 lines — complexity & maintainability risk |
+| **TODO / FIXME / HACK markers** | Unresolved technical debt accumulating in comments |
+
+### ✨ Live AST Recommendations
+Every finding includes a **live recommendation** generated from your actual code — real variable names, the exact problematic source line, and a concrete before/after fix example. No hardcoded template strings.
 
 ### 🗺️ Interactive Architecture Map (n8n-style)
 - **Left-to-Right auto-layout** — see cross-file dependency flow instantly
 - **Drag nodes freely** — organise your architecture your way
 - **Save / Load / Copy Layout** — positions persist across sessions
+- **Node Status legend** — Clean / Minor / Critical / npm / Gateway Box with colour coding; collapsible, state remembered in localStorage
 - **Bidirectional issue ↔ map linking** — click an issue to fly to its node; click a node to filter issues
+- **Graph Export (⬆ button)** — export in 4 formats: Copy as Mermaid · Draw.io XML · Excalidraw JSON · Graphviz .dot
+
+### 🏥 Project Health Score
+After every scan, the sidebar shows an **A–F grade ring** weighted by issue severity and confidence. The grade is also embedded in the HTML export.
+
+### 🚩 Mark as False Positive
+Every issue card has a **"Mark as False Positive"** button that copies the exact suppress comment to clipboard — paste it above the flagged line to silence the finding in future scans.
+
+### ⚙️ Per-Project Config
+Drop `.junksweeper.json` in your project root to tune `minConfidence`, `ignorePatterns`, per-detector toggles, and `excludePatterns` — no app restart needed.
+
+### 📤 SARIF 2.1.0 Export
+Export findings in **SARIF 2.1.0** format — compatible with GitHub Code Scanning, Azure DevOps, VS Code SARIF Viewer, and any SARIF-aware CI pipeline.
 
 ### ⚡ One-Click VS Code Integration
 Click any filename in the report → VS Code opens at the **exact problematic line**.
@@ -83,6 +120,46 @@ The only files the app ever writes are its **own** layout cache (`%APPDATA%\Junk
 
 ---
 
+## 📝 Changelog
+
+### v1.0.0 — Initial Release
+- Read-only AST analysis — JSON/HTML/CSV export
+- Interactive n8n-style Project Map with Layout Memory
+- 5 AST detectors: Unused Variables, Unused Imports, Dead Code, Duplicate Functions, Silent Bugs
+- 7-Layer Security Gateway + SHA-256 checksum integrity verification
+- One-Click VS Code Go-to-Line integration
+- Worker Thread architecture — UI stays responsive during large scans
+
+### v1.0.1 — AST Recommendations & Code Quality Auditor
+- **6th detector:** `ast-code-quality-detector.js` — 10 production-safety patterns (debugger, eval, NaN comparison, assignment-in-condition, parseInt radix, var, console.\*, prototype mutation, long functions, TODO markers)
+- **Silent Bugs expanded to 8 patterns:** Orphaned Timers, Uncaught Promise Chains, Naked `JSON.parse`, Await-in-Loop
+- **Live AST-driven recommendations** across all 6 detectors — every finding shows the actual code line from your source, real variable/function names from the AST, and a concrete before/after fix example
+- **Collapsible Node Status legend** in Project Map — collapse to save screen space; state persists in localStorage
+- **Terminal boot sequence** shows all 7 security layers and all 6 active detectors on launch
+
+### v1.0.2 — SAST Security Scanner & Premium Export
+- **SAST Security Scanner** — dedicated **SCAN SECURITY** button running `ast-security-detector.js` (6-level L1–L6) in a separate Worker Thread
+- **Security Issues Tab** — severity-tagged findings with code snippet, file location, and searchable list
+- **Security Statistics Sidebar** — per-severity issue count, toggleable filter badges
+- **PDF Export** — A4 PDF via Electron `printToPDF`; no printer required
+- **Premium HTML Export** — single-file dark-theme shareable report
+- **Native Save Dialog** — all 4 formats (JSON/HTML/CSV/PDF) use `dialog.showSaveDialog` via IPC
+
+### v1.0.3 — Health Score, SARIF, Config & QoL
+- **Project Health Score** — A–F grade ring in sidebar; embedded in HTML export
+- **SARIF 2.1.0 Export** — GitHub Code Scanning, Azure DevOps, VS Code SARIF Viewer compatible
+- **Mark as False Positive** — copies exact suppress comment to clipboard for any issue
+- **`.junksweeper.json` config** — per-project `minConfidence`, `ignorePatterns`, detector toggles, `excludePatterns`
+- **Issues tab severity chips** — ALL / HIGH / MEDIUM / LOW filter chips
+
+### v1.0.4 — Security UX, Node Status Legend & Graph Export
+- **Security tab severity chips** — ALL / CRITICAL / HIGH / MEDIUM / LOW; synced with sidebar badge filter
+- **Security ⚠N badge** repositioned on map cards — no longer overlaps Electron role badge
+- **Node Status legend** reorganised — Clean / Minor / Critical / npm / Gateway Box with accurate colours
+- **Graph Export button** (⬆ in map toolbar) — Mermaid · Draw.io XML · Excalidraw JSON · Graphviz .dot
+
+---
+
 ## 📦 Platform Support
 
 | Platform | Architecture | Status |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chahuadev/junk-sweeper-app",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "description": "Chahuadev Junk Sweeper — AST-based dead code & silent bug detector with interactive architecture map",
   "main": "index.js",
   "bin": {