@chahuadev/junk-sweeper-app 3.0.1 → 3.1.0

package/README.md

@@ -1,43 +1,50 @@
-# @chahuadev/junk-sweeper-app
-
-**Chahuadev Junk Sweeper** — Multi-language AST-based dead code & silent bug detector with an interactive architecture map.
+---
+license: other
+language:
+  - en
+tags:
+  - code-analysis
+  - static-analysis
+  - javascript
+  - electron
+---
+<div align="center">
 
-Detects issues across **JavaScript/TypeScript**, **Python**, and **C#** using native AST engines per language. Java scanner is in active development.
+# Chahuadev Junk Sweeper
 
-<div align="center">
+**Ultimate Diagnostic Code Analysis Tool**  
+Detect junk code with **95%+ accuracy** in read-only, non-destructive analysis mode.
 
 <p align="center">
-  <img src="https://huggingface.co/datasets/chahuadev/chahuadev-png/resolve/main/chahuadev-junk-sweeper.png" width="600" alt="Junk Sweeper — Main Dashboard">
+  <img src="https://huggingface.co/datasets/chahuadev/chahuadev-png/resolve/main/chahuadev-junk-sweeper.png" width="700" alt="Junk Sweeper — Main Dashboard">
 </p>
 
 <p align="center">
-  <a href="https://www.npmjs.com/package/@chahuadev/junk-sweeper-app"><img src="https://img.shields.io/npm/v/@chahuadev/junk-sweeper-app?style=for-the-badge&color=blue" alt="NPM Version"></a>
+ <a href="https://www.npmjs.com/package/@chahuadev/junk-sweeper-app"><img src="https://img.shields.io/npm/v/@chahuadev/junk-sweeper-app?style=for-the-badge&color=blue" alt="NPM Version"></a>
   <a href="https://www.npmjs.com/package/@chahuadev/junk-sweeper-app"><img src="https://img.shields.io/npm/dt/@chahuadev/junk-sweeper-app?style=for-the-badge&color=success" alt="NPM Downloads"></a>
+  <a href="https://huggingface.co/datasets/chahuadev/chahuadev-junk-sweeper"><img src="https://img.shields.io/badge/%20HuggingFace-Dataset-yellow?style=for-the-badge" alt="HuggingFace Dataset"></a>
+  <a href="LICENSE"><img src="https://img.shields.io/badge/License-Non--Commercial-blue?style=for-the-badge" alt="Non-Commercial License"></a>
+  <img src="https://img.shields.io/badge/Electron-40+-47848F?style=for-the-badge&logo=electron&logoColor=white" alt="Electron 40+">
+  <img src="https://img.shields.io/badge/Node.js-%E2%89%A522.0.0-339933?style=for-the-badge&logo=node.js&logoColor=white" alt="Node.js 22">
   <img src="https://img.shields.io/badge/Python-3.8+-3776AB?style=for-the-badge&logo=python&logoColor=white" alt="Python 3.8+">
   <img src="https://img.shields.io/badge/.NET-10.0-512BD4?style=for-the-badge&logo=dotnet&logoColor=white" alt=".NET 10">
   <img src="https://img.shields.io/badge/Platform-Windows-0078D4?style=for-the-badge&logo=windows&logoColor=white" alt="Windows">
-  <a href="https://huggingface.co/datasets/chahuadev/chahuadev-junk-sweeper/blob/main/LICENSE.md"><img src="https://img.shields.io/badge/License-Non--Commercial-blue?style=for-the-badge" alt="Non-Commercial License"></a>
+  <img src="https://img.shields.io/badge/Analysis-Read--Only%20%E2%9C%93-blue?style=for-the-badge" alt="Read-Only Analysis">
+  <img src="https://img.shields.io/badge/Security-7--Layer%20Gateway-red?style=for-the-badge&logo=shield&logoColor=white" alt="7-Layer Security">
 </p>
 
+>  **Built for developers who care about clean code.** Junk Sweeper scans your entire project using **native AST engines per language** — JavaScript/TypeScript (Babel), Python (stdlib ast), and C# (Microsoft Roslyn) — and surfaces unused variables, dead imports, duplicate functions, security vulnerabilities, and silent bugs through a live interactive dashboard and a draggable dependency graph. **Java scanner is in active development.** **Zero code modifications. Diagnostic-only. Always safe.**
+
 </div>
 
 ---
-
-## ⚙️ Installation
-
-> **Auto-download:** On install, the binary for your platform is downloaded automatically using `--foreground-scripts` so you can see the progress bar.
-
-### Global Install (Recommended)
+### npm Package (Windows)
 
 ```bash
 npm install -g @chahuadev/junk-sweeper-app --foreground-scripts --force
 ```
 
-### Launch
-
-```bash
-junk-sweeper
-```
+> The installer auto-downloads the correct binary for your platform. Use `--foreground-scripts` to see the download progress bar.
 
 ---
 
@@ -61,176 +68,463 @@ DISPLAY=:0 WAYLAND_DISPLAY=wayland-0 \
   --appimage-extract-and-run --no-sandbox --disable-gpu
 ```
 
-> **WSL2 tip:** Copy to WSL native filesystem first:
-> ```bash
-> # Path after: npm install -g @chahuadev/junk-sweeper-app
-> # (no sudo)
-> cp ~/.npm-global/lib/node_modules/@chahuadev/junk-sweeper-app/bin/"Junk Sweeper.AppImage" /tmp/JunkSweeper.AppImage
-> # (with sudo)
-> # cp /usr/lib/node_modules/@chahuadev/junk-sweeper-app/bin/"Junk Sweeper.AppImage" /tmp/JunkSweeper.AppImage
-> chmod +x /tmp/JunkSweeper.AppImage
-> DISPLAY=:0 WAYLAND_DISPLAY=wayland-0 /tmp/JunkSweeper.AppImage \
->   --appimage-extract-and-run --no-sandbox --disable-gpu
-> ```
+ **WSL2 tip:** Copy to WSL native filesystem first:
+
+ # Path after: npm install -g @chahuadev/junk-sweeper-app
+ # (no sudo)
+
+ ```bash
+ cp ~/.npm-global/lib/node_modules/@chahuadev/junk-sweeper-app/bin/"Junk Sweeper.AppImage" /tmp/JunkSweeper.AppImage
+ ```
+ # (with sudo)
+ # cp /usr/lib/node_modules/@chahuadev/junk-sweeper-app/bin/"Junk Sweeper.AppImage" /tmp/JunkSweeper.AppImage
+
+```bash
+ chmod +x /tmp/JunkSweeper.AppImage
+ DISPLAY=:0 WAYLAND_DISPLAY=wayland-0 /tmp/JunkSweeper.AppImage \
+   --appimage-extract-and-run --no-sandbox --disable-gpu
+```
 
 ---
+## Security Guarantee
+
+Junk Sweeper is **read-only by design** — verified at the code level, not just by policy.
+
+| Guarantee | How It Works |
+|---|---|
+| **Never modifies user files** | All detectors use `fs.readFileSync()` only — no `writeFileSync()` anywhere near your code |
+| **Never touches the OS** | No registry writes, no admin privilege requests, no system calls outside the app's own data folder |
+| **Path Traversal Protection** | Every scan path is validated against `../` traversal, symlinks, and forbidden OS directories (`System32`, `/etc`, `/sys`, `/proc`) |
+| **Executable Injection Prevention** | Strict file-type whitelist — `.exe`, `.dll`, `.bat`, `.sh` and all binary formats are blocked before analysis |
+| **App Integrity on Every Launch** | SHA-256 checksums of `main.js`, `preload.js`, and all detectors are verified before the app starts — tampered builds are rejected |
+| **Sandboxed Renderer** | Electron runs with `contextIsolation: true`, `sandbox: true`, `nodeIntegration: false` — the UI has zero direct Node.js access |
+| **Audit Log** | Every file access and security event is logged to `~/.chahuadev/logs/` for full traceability |
 
-## 🚀 What It Does
+The only files the app ever writes are its **own** layout cache (`%APPDATA%\Junk Sweeper\layouts\`) and its own security audit log — nothing inside your project.
 
-While standard linters look for syntax errors, **Chahuadev Junk Sweeper** uses deep native AST analysis per language to understand the *context* and *architecture* of your entire project.
+---
 
-### 🌐 Multi-Language AST Engines
+## Key Features That Set Us Apart
 
-| Language | Engine | Status |
-|---|---|---|
-| JavaScript / TypeScript / JSX / TSX | `@babel/parser` + `@babel/traverse` | ✅ Active |
-| Python | stdlib `ast` module via subprocess | ✅ Active |
-| C# | Microsoft Roslyn `CSharpSyntaxTree` via subprocess (.NET 10) | ✅ Active |
-| Java | subprocess `--source 11` | ⚠️ กำลังพัฒนา |
+While standard linters look for syntax errors, **Chahuadev Junk Sweeper** uses deep AST (Abstract Syntax Tree) analysis to understand the *context* and *architecture* of your entire project.
 
-### 🐛 Silent Bug Catcher  — 8 patterns
-Detects logical flaws that compile fine but silently break business logic:
+###  Silent Bug Catcher
+Detects logical flaws that won't crash your app but **will** silently break your business logic:
 
 | Pattern | What It Catches |
 |---|---|
 | **Empty Catch Blocks** | Errors swallowed with `catch(e) {}` — bugs disappear without a trace |
-| **Zombie Event Listeners** | `.addEventListener()` without `.removeEventListener()` — memory leaks |
-| **Scope Shadowing** | Inner variable re-declaring an outer name — wrong value runs silently |
-| **Floating Promises** | `async` calls without `await` inside `try/catch` — rejections go unhandled |
-| **Orphaned Timers** | `setTimeout`/`setInterval` without cleanup reference — phantom callbacks |
-| **Uncaught Promise Chains** | `.then()` without `.catch()` — unhandled rejections |
-| **Naked JSON.parse** | `JSON.parse()` outside `try/catch` — crashes on malformed input |
-| **Await in Loop** | `await` inside `for`/`forEach` — accidental serial execution instead of parallel |
+| **Zombie Event Listeners** | `.addEventListener()` without a matching `.removeEventListener()` — memory leaks that grow over time |
+| **Scope Shadowing** | Inner variable re-declaring an outer name — logic in the outer scope runs on the wrong value |
+| **Floating Promises** | `async` functions called without `await` inside `try/catch` — rejections go unhandled |
 
-### 🛠️ Code Quality Auditor  — 10 patterns
-Catches patterns that compile and run today, but rot the codebase over time:
+This is what separates Junk Sweeper from a plain linter. Your code compiles fine, your tests pass — and the bug ships anyway.
 
-| Pattern | What It Catches |
-|---|---|
-| **debugger statement** | Debug pause left in production code |
-| **eval() / new Function(string)** | Arbitrary code execution — security + performance risk |
-| **NaN comparison** | `x === NaN` always evaluates to `false` — use `Number.isNaN()` |
-| **Assignment in condition** | `if (x = foo())` — likely a typo of `===` |
-| **parseInt without radix** | Octal parsing surprises in legacy engines |
-| **var declaration** | Function-scoped hoisting footgun — use `const`/`let` |
-| **console.\* debug logging** | Debug output left in production build |
-| **Prototype mutation** | `__proto__` / built-in `.prototype` mutation — attack vector |
-| **Overly long functions** | Functions >60 lines — complexity & maintainability risk |
-| **TODO / FIXME / HACK markers** | Unresolved technical debt accumulating in comments |
+###  Interactive Architecture Map 
+Not just a static graph. A **fully interactive dependency diagram** that maps every cross-file connection in your project:
+
+- **Left-to-Right auto-layout** powered by ELK Layered (Sugiyama) — instantly see architecture flow with better crossing minimization
+- **Drag nodes freely** to group related files your way
+- **Save / Load / Copy Layout JSON** — positions persist across sessions, so your team always sees the same organised view
+- **Bidirectional issue linking** — click a file node to filter the Issues list; click the pin icon on any issue to fly to that node on the map
+- **Color-coded severity** — Green (clean) / Amber (1–2 issues) / Red (3+ issues)
+- **Standalone map mode** — open map window without scan data and import a previously exported workflow JSON
+- **Portable workflow export** — exported JSON embeds graph data, issue structures, layout/view state, and render assets for future mobile import
+- Detects `require()`, `import`, `<script src>`, `loadFile()`, IPC channels, and `preload:` edges
+
+###  One-Click VS Code Integration
+Found an issue? Click the **filename** in the report and Junk Sweeper opens VS Code directly at the **exact problematic line** — no searching, no scrolling. The moment you see the issue, you're already in position to fix it.
 
-### ✨ Live AST Recommendations
-Every finding includes a **live recommendation** generated from your actual code — real variable names, the exact problematic source line, and a concrete before/after fix example. No hardcoded template strings.
+###  Multi-Threaded Performance
+Heavy AST analysis runs in **Node.js Worker Threads** — your UI stays smooth and responsive while scanning 1,000+ file projects in the background.
+
+---
 
-### 🗺️ Interactive Architecture Map (n8n-style)
-- **Left-to-Right auto-layout** — see cross-file dependency flow instantly
-- **Drag nodes freely** — organise your architecture your way
-- **Save / Load / Copy Layout** — positions persist across sessions
-- **Node Status legend** — Clean / Minor / Critical / npm / Gateway Box with colour coding; collapsible, state remembered in localStorage
-- **Bidirectional issue ↔ map linking** — click an issue to fly to its node; click a node to filter issues
-- **Graph Export (⬆ button)** — export in 4 formats: Copy as Mermaid · Draw.io XML · Excalidraw JSON · Graphviz .dot
+> **Dataset & Model Hub:** [huggingface.co/datasets/chahuadev/chahuadev-junk-sweeper](https://huggingface.co/datasets/chahuadev/chahuadev-junk-sweeper)
 
-### 🏥 Project Health Score
-After every scan, the sidebar shows an **A–F grade ring** weighted by issue severity and confidence. The grade is also embedded in the HTML export.
+---
 
-### 🚩 Mark as False Positive
-Every issue card has a **"Mark as False Positive"** button that copies the exact suppress comment to clipboard — paste it above the flagged line to silence the finding in future scans.
+## What It Detects
+
+| Issue Type | Accuracy | Method | Language |
+|---|---|---|---|
+| Unused Imports | 99% | AST (`@babel/parser` + `@babel/traverse`) | JS/TS/JSX/TSX |
+| Unused Variables | 85–90% | AST + cross-file scope analysis | JS/TS/JSX/TSX |
+| Dead Code | 90–98% | AST control-flow / reachability | JS/TS/JSX/TSX |
+| Duplicate Functions | 88–94% | AST structural hash + semantic similarity | JS/TS/JSX/TSX |
+| Silent Bugs (8 patterns) | 85–95% | AST pattern matching | JS/TS/JSX/TSX |
+| Code Quality (10 patterns) | 80–100% | AST — debugger, eval, NaN, var, console, prototype… | JS/TS/JSX/TSX |
+| SAST Security (6 levels L1–L6) | 85–95% | AST — injection, path traversal, hardcoded secrets, unsafe eval… | JS/TS/JSX/TSX |
+| Python Security | 85–95% | Python stdlib ast subprocess | Python |
+| Python Dead Code | 88–94% | Python stdlib ast subprocess | Python |
+| Python Unused Imports | 90–97% | Python stdlib ast subprocess | Python |
+| Python Duplicates | 80–90% | Python stdlib ast subprocess | Python |
+| Python Complexity | 80–90% | Python stdlib ast subprocess | Python |
+| Python Type Hints | 85–95% | Python stdlib ast subprocess | Python |
+| C# Security | 85–95% | Roslyn `CSharpSyntaxTree` | C# |
+| C# Dead Code | 88–94% | Roslyn `CSharpSyntaxTree` | C# |
+| C# Unused Usings | 90–97% | Roslyn `CSharpSyntaxTree` | C# |
+| C# Code Quality | 80–92% | Roslyn `CSharpSyntaxTree` | C# |
+| C# Silent Bugs | 82–92% | Roslyn `CSharpSyntaxTree` | C# |
+| Java (structural) | ⚠️ กำลังพัฒนา | `--source 11` subprocess | Java |
+
+> Every finding now includes a **live recommendation** generated from your actual code — real variable names, the exact problematic line, and a concrete fix example. No hardcoded templates.
+
+Supports (full AST): **JavaScript, TypeScript, JSX, TSX, Python, C#**  
+Supports (in development): **Java**
 
-### ⚙️ Per-Project Config
-Drop `.junksweeper.json` in your project root to tune `minConfidence`, `ignorePatterns`, per-detector toggles, and `excludePatterns` — no app restart needed.
+---
 
-### 📤 SARIF 2.1.0 Export
-Export findings in **SARIF 2.1.0** format — compatible with GitHub Code Scanning, Azure DevOps, VS Code SARIF Viewer, and any SARIF-aware CI pipeline.
+## Core Features
+
+### Static Code Analysis
+- **Multi-language AST engines** — each language uses its own dedicated native parser:
+  - **JS/TS/JSX/TSX** — `@babel/parser` + `@babel/traverse` (in-process, Worker Thread)
+  - **Python** — stdlib `ast` module via subprocess (`main_json.py`); 7 detectors
+  - **C#** — Microsoft Roslyn (`CSharpSyntaxTree`) via subprocess (`Program.cs`, .NET 10); 5 detectors
+  - **Java** — subprocess via `--source 11` ⚠️ *กำลังพัฒนา*
+- **6 active detectors** — unused variables, unused imports, dead code, duplicate functions, silent bugs, code quality
+- **Silent Bugs — 8 patterns:** empty catch, floating promises, zombie listeners, orphaned timers, uncaught promise chains, scope shadowing, naked JSON.parse, await-in-loop
+- **Code Quality — 10 patterns:** debugger statements, eval/new Function, NaN comparison, assignment-in-condition, parseInt without radix, var declaration, console.* debug logging, prototype mutation, overly long functions, TODO/FIXME markers
+- **Live AST recommendations** — every finding shows real variable names, the actual code line, and a concrete fix example extracted from the AST at scan time — no hardcoded templates
+- **Common-sense filtering** — permanent Node.js/Electron lifecycle events not flagged; stdlib module names and error callback names excluded from shadow warnings
+- **Confidence scoring** — every finding includes an accuracy percentage and severity level
+- **Read-only analysis** — safe diagnostic mode, zero code modification
+
+### SAST Security Scanner
+- **Dedicated SCAN SECURITY button** — independent scan from junk analysis; runs in a separate Worker Thread
+- **6-level severity (L1–L6)** — from critical injection flaws to low-risk style-security issues
+- **Detects:** SQL/NoSQL injection, command injection, path traversal, hardcoded secrets/tokens/passwords, unsafe `eval` / `new Function`, prototype pollution, insecure `Math.random`, unvalidated redirects, and more
+- **Security tab severity chips** — ALL / CRITICAL / HIGH / MEDIUM / LOW filter chips sync with sidebar badge clicks
+- **Security Statistics Sidebar** — severity breakdown with clickable severity badges (toggle mode) — syncs with security chips
+- **Map Monitor integration** — security issue count + ⚠N badge shown on every affected file card
+- **Mutual exclusion** — switching between Junk Scan and Security Scan automatically clears the previous result
+
+### Project Map Monitor
+- **Interactive n8n-style dependency graph** — not a static image; every node is draggable, zoomable, and clickable
+- **SVG card nodes** — color-coded by file type and issue severity; file-type badge (JS / TS / HT / JSON / etc.) on every node
+- **ELK LR auto-layout** — left-to-right layered layout on first open; re-run anytime via the Auto-Layout button
+- **Layout Memory** — positions saved to `%APPDATA%\Junk Sweeper\layouts\<project>.json` automatically; close and reopen the app and every node is exactly where you left it; share the JSON with your team via the Copy button
+- **IPC channel edges** — visualises Electron `ipcRenderer`/`ipcMain` connections
+- **Dependency detection** across JS, TS, HTML (`<script src>`, `<link href>`), and Electron patterns (`loadFile()`, `preload:`)
+- **Per-file issue badges** — each node shows issue count with Green / Amber / Red status; ⚠N security badge appears above the role badge (non-overlapping)
+- **Node Status legend** — Clean (green) / Minor (amber) / Critical (red) / npm (purple) / Gateway Box (orange pill) — collapsible, state persists
+- **Electron Role badges** — MAIN / BR / UI / 🛡 / ⚙ role labels on key Electron files
+- **Bidirectional Issues ↔ Map linking** — click the 📍 pin icon on any issue card to fly to that node on the map; click a node on the map to filter the Issues list to that file
+- **One-Click VS Code Integration** — click any filename in the issue report to open VS Code at the exact problematic line
+- **Workflow JSON Export / Import** — one-click save/load of map state as Junk Sweeper workflow JSON
+- **Mobile-ready portable payload** — workflow JSON contains full map payload (nodes, edges, issueLinesByFile, positions, zoom/pan, edge style, node SVG data URIs, tooltips)
+- **Free-drag** — 8-direction resize + drag-anywhere code panel; nodes freely repositionable
+
+### Security-First Architecture
+- **7-Layer Security Gateway**: path validation, file-type whitelist, authentication, permission checks, audit logging, rate limiting, sandbox IPC isolation
+- **Path Traversal Protection** — prevents directory traversal attacks
+- **Checksum Validation** — file integrity verification on startup (production mode)
+- **Context Isolation** — Electron `contextBridge` / `contextIsolation: true`, no direct Node.js access in renderer
+
+### Report Export Formats
+- **JSON** — machine-readable analysis data
+- **HTML** — premium dark-theme interactive report with embedded CSS, Project Health Score, and all findings — shareable as a single file
+- **CSV** — spreadsheet-compatible data export
+- **PDF** — professional A4 PDF generated via native Electron `printToPDF` — no printer required, works without a print dialog
+- **SARIF 2.1.0** — Static Analysis Results Interchange Format; import directly into GitHub Code Scanning, Azure DevOps, VS Code SARIF Viewer, and CI/CD pipelines
+
+All formats trigger the native OS **Save File dialog** via Electron IPC — no browser download workarounds.
+
+### Project Health Score
+After every scan the sidebar displays a live **Health Score** ring: **A** (90–100) → **B** (75–89) → **C** (55–74) → **D** (35–54) → **F** (<35). Score is calculated from issue penalty points weighted by severity and confidence — gives an instant at-a-glance quality grade for the entire project.
+
+### Mark as False Positive
+Every issue card has a **"Mark as False Positive"** button. Clicking it copies the exact suppress comment for that line to the clipboard — paste it above the flagged code to silence the finding in future scans. Works for all 6 detectors.
+
+### Per-Project Config — `.junksweeper.json`
+Drop a `.junksweeper.json` file in your project root to override scan behaviour without touching the app:
+```json
+{
+  "minConfidence": 0.5,
+  "ignorePatterns": ["node_modules/**", "dist/**"],
+  "detectors": { "code_quality": false },
+  "excludePatterns": ["*.test.js"]
+}
+```
 
-### ⚡ One-Click VS Code Integration
-Click any filename in the report → VS Code opens at the **exact problematic line**.
+### Severity Filter Chips — Issues & Security Tabs
+Both the **Code Issues** tab and the **Security Issues** tab have filter chips (ALL / HIGH / MEDIUM / LOW for junk; ALL / CRITICAL / HIGH / MEDIUM / LOW for security) that instantly narrow the visible findings.
 
-### 🧵 Multi-Threaded Performance
-Worker Threads keep the UI responsive while scanning 1,000+ file projects.
+### Dual Interface
+- **Desktop App (Electron)** — split-layout dashboard with live terminal, issue browser, code snippets, and project map
+- **CLI Tool** — `junk-sweeper-cli` for CI/CD pipelines
 
 ---
+## Installation
 
-## 🔒 Security Guarantee
 
-Junk Sweeper is **read-only by design** — verified at the code level, not just by policy.
 
-| Guarantee | How It Works |
-|---|---|
-| **Never modifies user files** | All detectors use `fs.readFileSync()` only — no `writeFileSync()` anywhere near your code |
-| **Never touches the OS** | No registry writes, no admin privilege requests, no system calls outside the app's own data folder |
-| **Path Traversal Protection** | Every scan path is validated against `../` traversal, symlinks, and forbidden OS directories (`System32`, `/etc`, `/sys`, `/proc`) |
-| **Executable Injection Prevention** | Strict file-type whitelist — `.exe`, `.dll`, `.bat`, `.sh` and all binary formats are blocked before analysis |
-| **App Integrity on Every Launch** | SHA-256 checksums of `main.js`, `preload.js`, and all detectors are verified before the app starts — tampered builds are rejected |
-| **Sandboxed Renderer** | Electron runs with `contextIsolation: true`, `sandbox: true`, `nodeIntegration: false` — the UI has zero direct Node.js access |
-| **Audit Log** | Every file access and security event is logged to `~/.chahuadev/logs/` for full traceability |
+---
 
-The only files the app ever writes are its **own** layout cache (`%APPDATA%\Junk Sweeper\layouts\`) and its own security audit log — nothing inside your project.
+## Usage
+
+### Desktop Application
+
+#### Scan for Junk & Code Quality Issues
+1. App launches with animated **Splash Screen** (security gateway initialisation)
+2. Click **SELECT FOLDER** → choose target directory
+3. Click **START SCAN** → monitor Live Terminal for real-time progress
+4. Browse detected issues in the **Code Issues** tab
+
+#### Scan for Security Vulnerabilities (SAST)
+1. Select a folder (same or different project)
+2. Click **SCAN SECURITY** → dedicated SAST Worker Thread runs independently
+3. Security findings appear in the **Security Issues** tab with level, severity, and code snippet
+4. Use the **sidebar severity badges** (L1–L6) to filter findings — click the same badge again to clear the filter
+
+#### View Analysis Results
+- **Live Terminal** — real-time scan progress and status messages
+- **Code Issues** — searchable, filterable list of all detected problems with file, line, confidence score, and inline code snippet
+
+#### Project Map Monitor
+1. Click **PROJECT MAP** to open the map window any time (even before scanning)
+2. Nodes represent files; edges represent `require()`, `import`, `<script src>`, `loadFile()`, IPC channels, etc.
+3. Node color: **Green** = clean, **Amber** = 1–2 issues, **Red** = 3+ issues, **Purple** = npm package, **Cyan** = IPC/bridge
+4. **Layout Memory**: node positions save automatically on drag; use the hamburger menu (☰) to Save / Copy / Paste / Reset layout
+5. **Bidirectional linking**: click the 📍 pin icon on any issue card → map focuses that node; click a node in the map → Issues list filters to that file
+6. Hover a node to see full path and issue count; click to open its source code in the side panel
+7. Use **Export → Save as JSON** to produce a portable workflow file that includes full render context
+8. Use **Import** in map window to load workflow JSON back (desktop) or into future mobile map clients
+
+#### Export Report
+1. Click **EXPORT REPORT** → select **JSON**, **HTML**, **CSV**, or **PDF**
+2. The native OS Save dialog opens — choose your location and filename
+3. File is written directly by the Electron main process (no browser sandbox limitations)
+
+---
+
+## Security Architecture
+
+### 7-Layer Protection Stack
+1. **Path Validation** — prevents directory traversal attacks (`../` etc.)
+2. **File Type Whitelist** — only approved code file extensions are analysed
+3. **Authentication Layer** — validates user access before operations
+4. **Permission System** — checks read rights before file access
+5. **Operation Audit Logging** — complete trail of all IPC actions
+6. **Rate Limiting** — prevents scan-loop / DoS abuse
+7. **Sandbox Isolation** — Electron `contextIsolation: true`, `sandbox: true`, `nodeIntegration: false`
+
+### Confidence Levels
+- **High (95%+)** — highly reliable, recommended for automated pipelines
+- **Medium (50–95%)** — requires manual verification
+- **Low (<50%)** — likely false positives, informational only
+
+---
+
+## Example Output
+
+### Live Terminal
+```
+[init] System initialized. Awaiting scan command...
+[info] Scan started for directory: C:\projects\myapp
+[info] Analyzing files (5 of 247)...
+[success] Scan complete. Found 47 issues.
+[success] High confidence: 34
+[success] Medium confidence: 10
+[success] Low confidence: 3
+```
+
+### Analysis Report (JSON)
+```json
+{
+  "scanDate": "2026-03-08T10:30:00Z",
+  "targetPath": "./src",
+  "totalIssuesFound": 47,
+  "confidenceBreakdown": { "high": 34, "medium": 10, "low": 3 },
+  "issues": [
+    {
+      "file": "src/app.js",
+      "line": 42,
+      "type": "unused_variable",
+      "message": "Variable 'tempVar' is declared but never used",
+      "confidence": 0.96,
+      "codeSnippet": "const tempVar = calculateValue();"
+    }
+  ]
+}
+```
+
+---
+
+## Configuration
+
+### `.junksweeper.json` (optional, place in project root)
+```json
+{
+  "minConfidence": 0.5,
+  "languages": ["js", "ts", "py"],
+  "ignorePatterns": [
+    "node_modules/**",
+    "dist/**",
+    ".git/**",
+    "test/**"
+  ],
+  "maxScanDepth": 50,
+  "maxPathLength": 260
+}
+```
 
 ---
 
-## 📝 Changelog
+## Project Structure
+
+```
+chahuadev-junk-sweeper/
+├── main.js                      # Electron main process — IPC handlers, window management, startup watchdog
+├── preload.js                   # Secure contextBridge IPC gateway for all windows
+├── index.html                   # Main UI — split-layout dashboard (Terminal / Issues / Project Map tabs)
+├── splash.html                  # Animated splash screen with preload bridge retry loop
+├── map-monitor.html             # Interactive dependency graph (ELK layered, n8n-style, Layout Memory)
+├── junk-sweeper-cli.js          # CLI entry point
+├── checksums.json               # Integrity checksums (production)
+├── backend/
+│   └── utils/
+│       ├── project-inspector.js          # Dependency graph engine (AST + HTML/CSS/IPC)
+│       ├── project-inspector-ipc.js      # IPC bridge for inspector
+│       ├── inspector-worker.js           # Worker thread for dependency graph
+│       ├── junk-scanner-worker.js        # Worker thread for junk/code-quality scan
+│       └── security-scanner-worker.js   # Worker thread for SAST security scan
+├── engines/
+│   ├── engine-dispatcher.js          # Orchestrates all scan engines (JS + subprocess engines)
+│   ├── engine-registry.js            # Discovers engines via manifest.json scan
+│   ├── subprocess-bridge.js          # Generic OS-aware subprocess runner
+│   ├── project-mapper.js             # Polyglot import extractor (Python, C#, HTML)
+│   ├── js_scanner/
+│   │   ├── junk-detector.js              # Main JS/TS detection orchestrator (6 detectors)
+│   │   └── js-ts/
+│   │       ├── ast-unused-variables-detector.js
+│   │       ├── ast-unused-imports-detector.js
+│   │       ├── ast-dead-code-detector.js
+│   │       ├── ast-duplicate-functions-detector.js
+│   │       ├── ast-silent-bug-detector.js       # 8 silent-bug patterns
+│   │       ├── ast-code-quality-detector.js     # 10 code-quality patterns
+│   │       └── ast-security-detector.js         # SAST L1–L6
+│   ├── py_scanner/
+│   │   ├── manifest.json                 # runtime: python
+│   │   ├── main_json.py                  # Python coordinator (subprocess entry)
+│   │   ├── engine.py
+│   │   ├── models.py
+│   │   ├── ast_map.py
+│   │   └── detector_*.py                 # 7 Python detectors
+│   ├── cs_scanner/
+│   │   ├── manifest.json                 # runtime: dotnet, entry: Program.cs
+│   │   ├── cs_scanner.csproj             # .NET 10 + Microsoft.CodeAnalysis.CSharp
+│   │   ├── Program.cs                    # C# coordinator (Roslyn AST)
+│   │   └── cs/
+│   │       ├── AstSecurityDetector.cs
+│   │       ├── AstDeadCodeDetector.cs
+│   │       ├── AstUnusedUsingsDetector.cs
+│   │       ├── AstCodeQualityDetector.cs
+│   │       ├── AstSilentBugDetector.cs
+│   │       └── Issue.cs
+│   └── java_scanner/
+│       ├── manifest.json                 # runtime: java, --source 11
+│       └── Main.java                     # ⚠️ กำลังพัฒนา — basic structural scanner
+├── security/
+│   ├── authentication-gateway.js    # 7-layer security gateway
+│   └── security-validator.js        # Checksum validation
+├── icons/
+└── vendor/
+    ├── elkjs/                       # Bundled ELK layered graph layout
+    └── vis-network.min.js           # Bundled offline vis-network
+```
+
+---
+
+## Key Technologies
+
+| Technology | Role |
+|---|---|
+| Electron 40 | Desktop app framework |
+| vis-network 9 | Interactive dependency graph |
+| elkjs | ELK layered graph layout (replaced dagre) |
+| @babel/parser + @babel/traverse | JS/TS/JSX/TSX AST parsing and traversal (6 detectors) |
+| Python 3.8+ stdlib ast | Python AST via subprocess (7 detectors) |
+| Microsoft.CodeAnalysis.CSharp 4.12 | Roslyn C# AST via subprocess (5 detectors) |
+| Java --source 11 | Java structural scanner (⚠️ กำลังพัฒนา) |
+| @swc/core | High-speed JS/TS compilation & analysis |
+| parse5 | HTML parser (script/link dependency extraction) |
+| esquery | AST query engine |
+| estraverse | AST traversal utility |
+| jscpd | Duplicate code detection support |
+| typescript | TypeScript compiler API |
+
+---
+
+## Changelog
 
 ### v1.0.0 — Initial Release
-- Read-only AST analysis — JSON/HTML/CSV export
-- Interactive n8n-style Project Map with Layout Memory
-- 5 AST detectors: Unused Variables, Unused Imports, Dead Code, Duplicate Functions, Silent Bugs
-- 7-Layer Security Gateway + SHA-256 checksum integrity verification
+- Read-only AST analysis, JSON/HTML/CSV export, Project Map Monitor, animated splash screen
+- IPC dependency graph, Layout Memory (save/load/copy/reset)
+- 5 detectors: Unused Variables, Unused Imports, Dead Code, Duplicate Functions, Silent Bugs
+- 7-Layer Security Gateway: path validation, file-type whitelist, auth, permissions, audit log, rate limiter, sandbox
+- SHA-256 checksum integrity verification on every launch
 - One-Click VS Code Go-to-Line integration
-- Worker Thread architecture — UI stays responsive during large scans
+- Worker Thread architecture — UI remains responsive during large scans
 
-### v1.0.1 — AST Recommendations & Code Quality Auditor
-- **6th detector:** `ast-code-quality-detector.js` — 10 production-safety patterns (debugger, eval, NaN comparison, assignment-in-condition, parseInt radix, var, console.\*, prototype mutation, long functions, TODO markers)
-- **Silent Bugs expanded to 8 patterns:** Orphaned Timers, Uncaught Promise Chains, Naked `JSON.parse`, Await-in-Loop
-- **Live AST-driven recommendations** across all 6 detectors — every finding shows the actual code line from your source, real variable/function names from the AST, and a concrete before/after fix example
-- **Collapsible Node Status legend** in Project Map — collapse to save screen space; state persists in localStorage
-- **Terminal boot sequence** shows all 7 security layers and all 6 active detectors on launch
+### v1.0.1 — AST Recommendations & Code Quality
+- **6th detector activated:** `ast-code-quality-detector.js` — 10 patterns including `debugger`, `eval`, NaN comparison, assignment-in-condition, `parseInt` without radix, `var` declarations, `console.*`, prototype mutation, overly long functions, and TODO/FIXME markers
+- **Live AST-driven recommendations** across all 6 detectors — every finding now shows the actual code line and real variable/function names extracted from the AST, plus a concrete before/after fix example. No more hardcoded template strings.
+- **Silent Bugs expanded to 8 patterns:** added Naked `JSON.parse` (no try/catch) and Await-in-Loop (serial awaits inside `for`/`forEach`)
+- **Collapsible Node Status legend** in Project Map — click to collapse/expand; state persists in `localStorage`
+- Terminal boot sequence now shows all 7 security layers and 6 active detectors on startup
 
 ### v1.0.2 — SAST Security Scanner & Premium Export
-- **SAST Security Scanner** — dedicated **SCAN SECURITY** button running `ast-security-detector.js` (6-level L1–L6) in a separate Worker Thread
-- **Security Issues Tab** — severity-tagged findings with code snippet, file location, and searchable list
-- **Security Statistics Sidebar** — per-severity issue count, toggleable filter badges
-- **PDF Export** — A4 PDF via Electron `printToPDF`; no printer required
-- **Premium HTML Export** — single-file dark-theme shareable report
-- **Native Save Dialog** — all 4 formats (JSON/HTML/CSV/PDF) use `dialog.showSaveDialog` via IPC
+- **SAST Security Scanner** — dedicated **SCAN SECURITY** button; runs `ast-security-detector.js` (6-level L1–L6) in a separate Worker Thread independent of junk analysis
+- **Security Issues Tab** — severity-tagged findings (L1 Critical → L6 Low) with code snippet, file, and line; searchable list
+- **Security Statistics Sidebar** — per-severity issue count with toggleable severity filter (click badge to filter, click again to clear)
+- **Map Monitor security count** — total security findings shown in the stats bar of the dependency graph
+- **Mutual-exclusion scans** — switching between Junk Scan and Security Scan automatically clears the previous result and UI
+- **PDF Export** — premium A4 PDF via Electron `webContents.printToPDF` with dark-theme embedded CSS; no printer needed
+- **Premium HTML Export** — single-file shareable dark-theme report with all findings and embedded styles
+- **Native Save Dialog** — all 4 export formats (JSON/HTML/CSV/PDF) use `dialog.showSaveDialog` via IPC — bypasses Electron renderer sandbox limitations
+- **Security findings export** — Export Report works after either Junk Scan or Security Scan
 
 ### v1.0.3 — Health Score, SARIF, Config & QoL
-- **Project Health Score** — A–F grade ring in sidebar; embedded in HTML export
-- **SARIF 2.1.0 Export** — GitHub Code Scanning, Azure DevOps, VS Code SARIF Viewer compatible
-- **Mark as False Positive** — copies exact suppress comment to clipboard for any issue
-- **`.junksweeper.json` config** — per-project `minConfidence`, `ignorePatterns`, detector toggles, `excludePatterns`
-- **Issues tab severity chips** — ALL / HIGH / MEDIUM / LOW filter chips
+- **Project Health Score** — A–F grade ring displayed in the sidebar after every scan; penalty-weighted by severity and confidence
+- **SARIF 2.1.0 Export** — import into GitHub Code Scanning, Azure DevOps, VS Code SARIF Viewer, and any SARIF-compatible CI tool
+- **HTML Report includes Health Score** — exported HTML report embeds the current grade alongside all findings
+- **Mark as False Positive** — one-click button on each issue card copies the exact suppress comment to clipboard; paste above the flagged code to silence it in future scans
+- **`.junksweeper.json` per-project config** — drop a config file in project root to override `minConfidence`, `ignorePatterns`, `detectors` toggles, and `excludePatterns` without touching the app
+- **Issues tab severity chips** — ALL / HIGH / MEDIUM / LOW filter chips for instant narrowing of the junk issues list
 
 ### v1.0.4 — Security UX, Node Status Legend & Graph Export
-- **Security tab severity chips** — ALL / CRITICAL / HIGH / MEDIUM / LOW; synced with sidebar badge filter
-- **Security ⚠N badge** repositioned on map cards — no longer overlaps Electron role badge
-- **Node Status legend** reorganised — Clean / Minor / Critical / npm / Gateway Box with accurate colours
-- **Graph Export button** (⬆ in map toolbar) — Mermaid · Draw.io XML · Excalidraw JSON · Graphviz .dot
-
-### v1.0.5 — Multi-Language AST Engines (Python, C#)
-- **Python AST scanner** — stdlib `ast` subprocess engine with 7 detectors: security, dead code, unused imports, duplicates, complexity, type hints, code quality
-- **C# Roslyn scanner** — `Microsoft.CodeAnalysis.CSharp` via subprocess (.NET 10), 5 detectors: security, dead code, unused usings, code quality, silent bugs
-- **Java scanner scaffold** — basic structural scanner ⚠️ กำลังพัฒนา
-- **Interactive Project Map: multi-language workflow graph** — `subprocess-bridge.js → Program.cs`, `subprocess-bridge.js → main_json.py`; cross-language synthetic edges with per-language node colours (purple for C#, green for Python)
-- **Export/Import preserves node colours** — language-specific colours persist in workflow JSON export
-- **ELK layered layout** — replaced dagre; better large-graph rendering with true left-to-right hierarchy
-
+- **Security tab severity chips** — ALL / CRITICAL / HIGH / MEDIUM / LOW chips in the Security Issues tab; sync with sidebar badge filter clicks
+- **Security ⚠N badge repositioned** — security badge on map cards moved to mid-right above the Electron role badge; no longer obstructs role label
+- **Node Status legend** — legend section renamed and reorganised: Clean / Minor / Critical / npm / Gateway Box with accurate colour coding
+- **`execFile` shell injection fix** in `main.js` — VS Code Go-to-Line now uses `execFile` with array args instead of `exec()` with shell string
+
+### v1.0.5 — Standalone Map Import + Portable Workflow Payload
+- **Map window launch without scan** — open Project Map in import-only mode and load a workflow JSON directly
+- **Fresh scan map window behavior** — after scan, map opens as a fresh scan window while import window remains usable
+- **Portable workflow JSON schema v2** — export now embeds complete map payload for cross-platform rendering:
+  - raw graph (`nodes`, `edges`, `issueLinesByFile`, scan metadata)
+  - layout state (`positions`, collapsed folder state)
+  - view state (`zoom`, `pan`, edge routing style)
+  - render payload (node SVG data URIs, ghost variants, tooltip HTML, accent colors)
+- **Backward compatible import** — map importer supports both new portable payload and legacy workflow JSON
 ---
+## License
 
-## 📦 Platform Support
-
-| Platform | Architecture | Status |
-|---|---|---|
-| Windows | x64 | ✅ Supported |
-| Windows | ia32 | ✅ Supported |
-| Linux | x64 | ✅ Supported |
-| macOS | arm64 / x64 | 🔜 Coming soon |
+Non-Commercial & Acceptable Use — See [LICENSE](LICENSE)
 
 ---
 
-## 🔗 Links
+## Support
 
-- [HuggingFace Dataset](https://huggingface.co/datasets/chahuadev/chahuadev-junk-sweeper)
-- [NPM Package](https://www.npmjs.com/package/@chahuadev/junk-sweeper-app)
+- Email: chahuadev@gmail.com
+- Website: https://chahuadev.com
+- GitHub Issues: Report bugs and feature requests
+- Documentation: See [./docs/](docs/)
+- Dataset / Model Hub: [huggingface.co/datasets/chahuadev/chahuadev-junk-sweeper](https://huggingface.co/datasets/chahuadev/chahuadev-junk-sweeper)
 
 ---
 
-*Made by [Chahuadev](https://chahuadev.com) | Security-First Code Analysis Tools*
+*Made by Chahuadev | Security-First Code Analysis Tools*
+

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chahuadev/junk-sweeper-app",
-  "version": "3.0.1",
+  "version": "3.1.0",
   "description": "Chahuadev Junk Sweeper — AST-based dead code & silent bug detector with interactive architecture map",
   "main": "index.js",
   "bin": {