@darrenjcoxon/vibeoptimise 1.0.3 → 1.0.4

package/dist/scanners/depcheck.js

@@ -10,13 +10,12 @@
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
-import { isToolAvailable } from '../utils/tool-installer.js';
 export class DepcheckScanner {
     name = 'Depcheck';
     description = 'Dependency analyzer — finds unused and missing npm packages';
     category = 'dead-code';
     async isAvailable() {
-        return isToolAvailable('depcheck');
+        return true;
     }
     async scan(targetDir, options) {
         const start = Date.now();

package/dist/scanners/eslint-perf.js

@@ -13,13 +13,12 @@
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
-import { isToolAvailable } from '../utils/tool-installer.js';
 export class EslintPerfScanner {
     name = 'ESLint Perf';
     description = 'Performance-focused linting — import cycles, unused imports, inefficient patterns';
     category = 'code-quality';
     async isAvailable() {
-        return isToolAvailable('eslint');
+        return true;
     }
     async scan(targetDir, options) {
         const start = Date.now();

package/dist/scanners/jscpd.js

@@ -10,13 +10,12 @@
 import { execSync } from 'child_process';
 import { existsSync, readFileSync, mkdirSync } from 'fs';
 import { join } from 'path';
-import { isToolAvailable } from '../utils/tool-installer.js';
 export class JscpdScanner {
     name = 'JSCPD';
     description = 'Copy/paste detector — finds duplicated code blocks across the codebase';
     category = 'duplication';
     async isAvailable() {
-        return isToolAvailable('jscpd');
+        return true;
     }
     async scan(targetDir, options) {
         const start = Date.now();

package/dist/scanners/knip.js

@@ -10,13 +10,14 @@
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
-import { isToolAvailable } from '../utils/tool-installer.js';
 export class KnipScanner {
     name = 'Knip';
     description = 'Dead code detector — unused files, exports, dependencies, types';
     category = 'dead-code';
     async isAvailable() {
-        return isToolAvailable('knip');
+        // Always attempt to run — knip will be auto-installed via npx --yes during scan.
+        // Errors are handled gracefully in scan().
+        return true;
     }
     async scan(targetDir, options) {
         const start = Date.now();
@@ -33,6 +34,17 @@ export class KnipScanner {
             }
             let output;
             try {
+                // Ensure knip is available in the project context
+                // (knip needs typescript as a peer dep, resolved from project node_modules)
+                const hasTypescript = existsSync(join(targetDir, 'node_modules', 'typescript'));
+                if (!hasTypescript) {
+                    return {
+                        scanner: this.name,
+                        findings: [],
+                        summary: 'Skipped — typescript not installed in project (required by Knip)',
+                        duration: Date.now() - start,
+                    };
+                }
                 const excludeArgs = options.includeTests ? '' : '';
                 const cmd = `npx --yes knip --reporter json --no-exit-code ${excludeArgs}`;
                 output = execSync(cmd, {

package/dist/scanners/madge.js

@@ -10,13 +10,12 @@
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
-import { isToolAvailable } from '../utils/tool-installer.js';
 export class MadgeScanner {
     name = 'Madge';
     description = 'Circular dependency detector — finds import cycles and orphaned modules';
     category = 'performance';
     async isAvailable() {
-        return isToolAvailable('madge');
+        return true;
     }
     async scan(targetDir, options) {
         const start = Date.now();

package/dist/scanners/regex-safety.d.ts

@@ -58,21 +58,27 @@ export declare class RegexSafetyScanner implements Scanner {
      * Check if a group's content contains an inner quantifier that creates
      * backtracking risk when the group itself is quantified.
      *
-     * Key insight: (X+)+ is ALWAYS vulnerable for any X, because the regex
-     * engine can partition the input into the inner vs outer repetition in
-     * exponentially many ways. The exception is negated character classes
-     * with a following delimiter that prevents overlap.
+     * KEY RULE: (X+)+ is only dangerous when the regex engine can partition
+     * the input between inner/outer repetitions in many ways. A literal
+     * delimiter inside the group PREVENTS this because the engine has no
+     * ambiguity about where one repetition ends and the next begins.
      *
      * DANGEROUS: (a+)+, (.+)+, (\w+)+, (\s+\w+)+
-     * SAFE: ([^,]+,)+ — the comma delimiter prevents backtracking
+     * SAFE: (\s*,\s*\d+)+ — comma is a required literal delimiter
+     * SAFE: (\s+[A-Z][a-z]+)+ — [A-Z] after \s+ creates unambiguous boundary
+     * SAFE: ([^,]+,)+ — negated class + delimiter
      * SAFE: (\d+(?:\.\d+)?) — ? is not a repeating quantifier
-     * SAFE: ([^*\n]+?)[ \t]+ — lazy quantifier + different char class after
+     * SAFE: ([^*\n]+?)[ \t]+ — lazy quantifier + different char class
      */
     private hasUnboundedInnerQuantifier;
     /**
      * Check for overlapping alternation with quantifier.
      * Only flags when alternation branches use unbounded matchers that
      * can match the same characters.
+     *
+     * SAFE: (?:Mr|Mrs|Ms|Dr)\.? — fixed literals, no backtracking risk
+     * SAFE: (?:foo|bar)+ — fixed literals, no overlap
+     * DANGEROUS: (?:.*|.+)+ — unbounded matchers overlap
      */
     private hasDangerousAlternation;
 }

package/dist/scanners/regex-safety.js

@@ -266,48 +266,66 @@ export class RegexSafetyScanner {
      * Check if a group's content contains an inner quantifier that creates
      * backtracking risk when the group itself is quantified.
      *
-     * Key insight: (X+)+ is ALWAYS vulnerable for any X, because the regex
-     * engine can partition the input into the inner vs outer repetition in
-     * exponentially many ways. The exception is negated character classes
-     * with a following delimiter that prevents overlap.
+     * KEY RULE: (X+)+ is only dangerous when the regex engine can partition
+     * the input between inner/outer repetitions in many ways. A literal
+     * delimiter inside the group PREVENTS this because the engine has no
+     * ambiguity about where one repetition ends and the next begins.
      *
      * DANGEROUS: (a+)+, (.+)+, (\w+)+, (\s+\w+)+
-     * SAFE: ([^,]+,)+ — the comma delimiter prevents backtracking
+     * SAFE: (\s*,\s*\d+)+ — comma is a required literal delimiter
+     * SAFE: (\s+[A-Z][a-z]+)+ — [A-Z] after \s+ creates unambiguous boundary
+     * SAFE: ([^,]+,)+ — negated class + delimiter
      * SAFE: (\d+(?:\.\d+)?) — ? is not a repeating quantifier
-     * SAFE: ([^*\n]+?)[ \t]+ — lazy quantifier + different char class after
+     * SAFE: ([^*\n]+?)[ \t]+ — lazy quantifier + different char class
      */
     hasUnboundedInnerQuantifier(content) {
         // Check for any atom followed by + or * (greedy) inside the group
-        // This catches: a+, .+, \w+, \d+, [abc]+, etc.
         const hasInnerQuantifier = /[^?][+*]/.test(content) || /^.[+*]/.test(content);
         if (!hasInnerQuantifier)
             return false;
-        // Now check for SAFE exceptions:
+        // ── SAFE EXCEPTIONS ──
+        // Safe: Contains a required literal character (not a metachar) between quantified parts.
+        // e.g., \s*,\s*\d+ — the comma is required, preventing ambiguous partitioning.
+        // e.g., \s+[A-Z] — the [A-Z] after \s+ creates an unambiguous boundary.
+        // Look for: quantifier followed by a literal char or specific char class [A-Z], [a-z], etc.
+        if (/[+*]\s*[,;:=|&!@#'".\-\/]/.test(content)) {
+            // Has a required literal delimiter after a quantifier — safe
+            return false;
+        }
+        if (/[+*]\s*\[(?![\^])(?:[A-Z]|[a-z]|[0-9])/.test(content)) {
+            // Has a specific character class (not negated) after quantifier — safe
+            // e.g., \s+[A-Z] — the uppercase letter creates unambiguous boundary
+            return false;
+        }
         // Safe: negated char class followed by a delimiter
         // e.g., [^,]+, or [^"]+\" — the delimiter prevents overlap
-        if (/\[\^[^\]]+\][+*].*[^\\][\w,;:"'|&]/.test(content)) {
-            // Has a negated class + a literal delimiter after — likely safe
-            // But only if the delimiter is in the negated class
+        if (/\[\^[^\]]+\][+*]/.test(content)) {
             return false;
         }
         // Safe: lazy quantifier (+? or *?) — prevents catastrophic backtracking
-        // e.g., ([^*\n]+?)[ \t]+ — the lazy ? means it yields to what follows
         if (/[+*]\?/.test(content) && !/[+*][^?].*[+*]/.test(content)) {
-            // Has a lazy quantifier and no other greedy quantifier — safe
             return false;
         }
-        // Safe: \d+ is bounded (only digits) — ((\d+)\.?)+ is technically
-        // vulnerable but in practice \d is so bounded it rarely causes issues
+        // Safe: \d+ is bounded (only digits, 0-9)
         // Exception: (\d+\s*)+ IS dangerous because \s* can match empty
         if (/\\d[+*]/.test(content) && !/\\[sw.][+*]/.test(content)) {
             return false;
         }
+        // Safe: only \s quantifiers with required non-\s between them
+        // e.g., \s*,\s* — the comma breaks the chain
+        if (/\\s[+*]/.test(content) && /\\s[+*][^\\+*]*[,;:=\-\/.]/.test(content)) {
+            return false;
+        }
         return true;
     }
     /**
      * Check for overlapping alternation with quantifier.
      * Only flags when alternation branches use unbounded matchers that
      * can match the same characters.
+     *
+     * SAFE: (?:Mr|Mrs|Ms|Dr)\.? — fixed literals, no backtracking risk
+     * SAFE: (?:foo|bar)+ — fixed literals, no overlap
+     * DANGEROUS: (?:.*|.+)+ — unbounded matchers overlap
      */
     hasDangerousAlternation(pattern) {
         const match = pattern.match(/\(([^)]*\|[^)]*)\)\s*[+*{]/);
@@ -316,6 +334,11 @@ export class RegexSafetyScanner {
         const altParts = match[1].split('|');
         if (altParts.length < 2)
             return false;
+        // Safe: All branches are fixed literals (no quantifiers inside)
+        // e.g., (Mr|Mrs|Ms|Dr) — these can't cause backtracking
+        const allLiteral = altParts.every(part => !/[+*{]/.test(part) && !/\\[wsd.]/.test(part));
+        if (allLiteral)
+            return false;
         // Only flag if BOTH branches contain unbounded matchers
         const hasUnbounded = (part) => /\.[+*]/.test(part) || /\\[ws][+*]/.test(part);
         const unboundedCount = altParts.filter(hasUnbounded).length;

package/dist/scanners/source-map-explorer.js

@@ -10,13 +10,12 @@
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
-import { isToolAvailable } from '../utils/tool-installer.js';
 export class SourceMapExplorerScanner {
     name = 'Source Map Explorer';
     description = 'Bundle composition analyzer — shows what code is in your production bundles';
     category = 'bundle-size';
     async isAvailable() {
-        return isToolAvailable('source-map-explorer');
+        return true;
     }
     async scan(targetDir, options) {
         const start = Date.now();

package/dist/utils/tool-installer.d.ts

@@ -14,9 +14,10 @@
  *
  * @param packageName - npm package name (e.g., 'knip', 'jscpd', 'madge')
  * @param versionFlag - flag to check version (default: '--version')
+ * @param cwd - optional working directory (needed for tools with peer deps)
  * @returns true if tool is available
  */
-export declare function isToolAvailable(packageName: string, versionFlag?: string): boolean;
+export declare function isToolAvailable(packageName: string, versionFlag?: string, cwd?: string): boolean;
 /**
  * Build a command that runs a tool via npx --yes.
  * Ensures the tool will be auto-installed if not present.

package/dist/utils/tool-installer.js

@@ -15,33 +15,27 @@ import { execSync } from 'child_process';
  *
  * @param packageName - npm package name (e.g., 'knip', 'jscpd', 'madge')
  * @param versionFlag - flag to check version (default: '--version')
+ * @param cwd - optional working directory (needed for tools with peer deps)
  * @returns true if tool is available
  */
-export function isToolAvailable(packageName, versionFlag = '--version') {
+export function isToolAvailable(packageName, versionFlag = '--version', cwd) {
+    const opts = { stdio: 'pipe', timeout: 15000, ...(cwd ? { cwd } : {}) };
+    const optsLong = { stdio: 'pipe', timeout: 90000, ...(cwd ? { cwd } : {}) };
     // Try 1: Local/cached npx (fast path)
     try {
-        execSync(`npx ${packageName} ${versionFlag}`, {
-            stdio: 'pipe',
-            timeout: 15000,
-        });
+        execSync(`npx ${packageName} ${versionFlag}`, opts);
         return true;
     }
     catch { }
     // Try 2: npx --yes to auto-install (first-time download)
     try {
-        execSync(`npx --yes ${packageName} ${versionFlag}`, {
-            stdio: 'pipe',
-            timeout: 90000, // 90s for first download
-        });
+        execSync(`npx --yes ${packageName} ${versionFlag}`, optsLong);
         return true;
     }
     catch { }
     // Try 3: Global install as fallback
     try {
-        execSync(`npm install -g ${packageName} 2>/dev/null && npx ${packageName} ${versionFlag}`, {
-            stdio: 'pipe',
-            timeout: 90000,
-        });
+        execSync(`npm install -g ${packageName} 2>/dev/null && npx ${packageName} ${versionFlag}`, optsLong);
         return true;
     }
     catch { }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@darrenjcoxon/vibeoptimise",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "🚀 VibeOptimise — The ultimate codebase optimisation scanner. Find dead code, duplication, circular deps, bundle bloat & more. Get OPTIMISE.md for AI agents to fix everything.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",