@flamki/vibeguard 1.0.1

package/.github/workflows/publish.yml

@@ -0,0 +1,30 @@
+name: Publish to npm
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18
+          registry-url: https://registry.npmjs.org/
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Publish
+        run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/dist/cli.js

@@ -0,0 +1,34 @@
+#!/usr/bin/env node
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const chalk_1 = __importDefault(require("chalk"));
+const scanner_1 = require("./scanner");
+const consoleReporter_1 = require("./reporter/consoleReporter");
+const program = new commander_1.Command();
+console.log(chalk_1.default.cyan.bold(`
+🛡️  VibeGuard
+-----------------------
+AI code safety net
+`));
+program
+    .name("vibeguard")
+    .description("Scan codebases for common AI-generated mistakes")
+    .version("0.1.0");
+program
+    .command("scan")
+    .argument("<path>", "Path to project")
+    .action(async (path) => {
+    try {
+        const results = await (0, scanner_1.runScan)(path);
+        (0, consoleReporter_1.printReport)(results);
+    }
+    catch (err) {
+        console.error(chalk_1.default.red("❌ Scan failed"), err);
+        process.exit(1);
+    }
+});
+program.parse(process.argv);

package/dist/reporter/consoleReporter.js

@@ -0,0 +1,30 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.printReport = printReport;
+const chalk_1 = __importDefault(require("chalk"));
+const path_1 = __importDefault(require("path"));
+function printReport(results) {
+    if (results.length === 0) {
+        console.log(chalk_1.default.green("✅ No issues found. Ship it."));
+        return;
+    }
+    const grouped = {};
+    for (const r of results) {
+        const file = path_1.default.basename(r.file || "unknown");
+        grouped[file] ?? (grouped[file] = []);
+        grouped[file].push(r);
+    }
+    console.log(chalk_1.default.bold("\n🛡️ VibeGuard Report\n"));
+    for (const file in grouped) {
+        console.log(chalk_1.default.cyan(file));
+        for (const r of grouped[file]) {
+            const lineInfo = r.line ? `Line ${r.line}` : "";
+            console.log(`  ${chalk_1.default.yellow("⚠️")} ${lineInfo}  ${r.message}`);
+        }
+        console.log("");
+    }
+    console.log(chalk_1.default.bold(`Summary: ${results.length} warning(s)\n`));
+}

package/dist/rules/hallucinatedApi.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hallucinatedApiRule = hallucinatedApiRule;
+/**
+ * Globals and well-known functions we NEVER want to flag
+ */
+const ALLOWED_GLOBALS = new Set([
+    "fetch",
+    "console",
+    "setTimeout",
+    "setInterval",
+    "clearTimeout",
+    "clearInterval",
+    "require",
+    "import",
+]);
+function hallucinatedApiRule(code, file) {
+    const warnings = [];
+    /**
+     * Matches function calls NOT preceded by a dot
+     * Example matched:   getUserByIdSafe(
+     * Example ignored:   obj.method(
+     */
+    const callRegex = /(?<!\.)\b([a-zA-Z_][a-zA-Z0-9_]*)\s*\(/g;
+    /**
+     * Matches function declarations, variables, and imports
+     */
+    const declaredRegex = /(function\s+([a-zA-Z_][a-zA-Z0-9_]*))|(const\s+([a-zA-Z_][a-zA-Z0-9_]*)\s*=)|(let\s+([a-zA-Z_][a-zA-Z0-9_]*)\s*=)|(var\s+([a-zA-Z_][a-zA-Z0-9_]*)\s*=)|import\s+.*\b([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
+    const calls = new Set();
+    const declared = new Set();
+    let match;
+    // Collect all function calls
+    while ((match = callRegex.exec(code))) {
+        const fn = match[1];
+        // Skip globals, constructors, and obvious safe cases
+        if (ALLOWED_GLOBALS.has(fn) ||
+            fn[0] === fn[0].toUpperCase()) {
+            continue;
+        }
+        calls.add(fn);
+    }
+    // Collect declared functions / variables / imports
+    while ((match = declaredRegex.exec(code))) {
+        const name = match[2] ||
+            match[4] ||
+            match[6] ||
+            match[8] ||
+            match[9];
+        if (name) {
+            declared.add(name);
+        }
+    }
+    // Diff: calls that were never declared
+    for (const fn of calls) {
+        if (!declared.has(fn)) {
+            const line = code
+                .split("\n")
+                .findIndex((l) => l.includes(`${fn}(`)) + 1;
+            warnings.push({
+                ruleId: "hallucinated-api",
+                severity: "warning",
+                message: `Possible hallucinated API: ${fn}() is used but never defined or imported.`,
+                file,
+                line: line > 0 ? line : undefined,
+            });
+        }
+    }
+    return warnings;
+}

package/dist/rules/index.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rules = void 0;
+const localStorageToken_1 = require("./localStorageToken");
+const missingTryCatch_1 = require("./missingTryCatch");
+const hallucinatedApi_1 = require("./hallucinatedApi");
+exports.rules = [
+    localStorageToken_1.localStorageTokenRule,
+    missingTryCatch_1.missingTryCatchRule,
+    hallucinatedApi_1.hallucinatedApiRule,
+];

package/dist/rules/localStorageToken.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.localStorageTokenRule = localStorageTokenRule;
+function localStorageTokenRule(code, file) {
+    const warnings = [];
+    const regex = /localStorage\.setItem\(['"`].*token.*['"`]/gi;
+    let match;
+    while ((match = regex.exec(code))) {
+        const line = code.slice(0, match.index).split("\n").length;
+        warnings.push({
+            ruleId: "local-storage-token",
+            severity: "warning",
+            message: "Token stored in localStorage. This is vulnerable to XSS. Use httpOnly cookies.",
+            file,
+            line,
+        });
+    }
+    return warnings;
+}

package/dist/rules/missingTryCatch.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.missingTryCatchRule = missingTryCatchRule;
+function missingTryCatchRule(code, file) {
+    if (code.includes("await") && !code.includes("try {")) {
+        const line = code
+            .split("\n")
+            .findIndex((l) => l.includes("await")) + 1;
+        return [
+            {
+                ruleId: "missing-try-catch",
+                severity: "warning",
+                message: "Async operation without try/catch. This may crash in production.",
+                file,
+                line,
+            },
+        ];
+    }
+    return [];
+}

package/dist/scanner/fileWalker.js

@@ -0,0 +1,23 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.walkFiles = walkFiles;
+const glob_1 = require("glob");
+const path_1 = __importDefault(require("path"));
+async function walkFiles(rootPath) {
+    const absoluteRoot = path_1.default.resolve(rootPath);
+    const pattern = "**/*.{js,ts,jsx,tsx}";
+    const files = await (0, glob_1.glob)(pattern, {
+        cwd: absoluteRoot,
+        absolute: true,
+        ignore: [
+            "**/node_modules/**",
+            "**/dist/**",
+            "**/.git/**",
+            "**/src/**"
+        ],
+    });
+    return files;
+}

package/dist/scanner/index.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runScan = runScan;
+const fileWalker_1 = require("./fileWalker");
+const scanFile_1 = require("./scanFile");
+async function runScan(rootPath) {
+    const files = await (0, fileWalker_1.walkFiles)(rootPath);
+    const results = [];
+    for (const file of files) {
+        const warnings = await (0, scanFile_1.scanFile)(file);
+        results.push(...warnings);
+    }
+    return results;
+}

package/dist/scanner/scanFile.js

@@ -0,0 +1,17 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanFile = scanFile;
+const fs_1 = __importDefault(require("fs"));
+const rules_1 = require("../rules");
+async function scanFile(filePath) {
+    const code = fs_1.default.readFileSync(filePath, "utf-8");
+    const warnings = [];
+    for (const rule of rules_1.rules) {
+        const result = rule(code, filePath);
+        warnings.push(...result);
+    }
+    return warnings;
+}

package/dist/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "@flamki/vibeguard",
+  "version": "1.0.1",
+  "description": "A CLI safety net for AI-generated code",
+  "main": "dist/cli.js",
+  "type": "commonjs",
+  "bin": {
+    "vibeguard": "dist/cli.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "npm run build && node dist/cli.js scan ."
+  },
+  "keywords": [
+    "ai",
+    "cli",
+    "static-analysis",
+    "security",
+    "developer-tools",
+    "code-quality"
+  ],
+  "author": "Ayush Singh",
+  "license": "MIT",
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^11.0.0",
+    "glob": "^10.3.10"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typescript": "^5.3.0"
+  }
+}

package/src/cli.ts

@@ -0,0 +1,36 @@
+#!/usr/bin/env node
+
+import { Command } from "commander";
+import chalk from "chalk";
+import { runScan } from "./scanner";
+import { printReport } from "./reporter/consoleReporter";
+
+const program = new Command();
+
+console.log(
+  chalk.cyan.bold(`
+🛡️  VibeGuard
+-----------------------
+AI code safety net
+`)
+);
+
+program
+  .name("vibeguard")
+  .description("Scan codebases for common AI-generated mistakes")
+  .version("0.1.0");
+
+program
+  .command("scan")
+  .argument("<path>", "Path to project")
+  .action(async (path: string) => {
+    try {
+      const results = await runScan(path);
+      printReport(results);
+    } catch (err) {
+      console.error(chalk.red("❌ Scan failed"), err);
+      process.exit(1);
+    }
+  });
+
+program.parse(process.argv);

package/src/reporter/consoleReporter.ts

@@ -0,0 +1,37 @@
+import chalk from "chalk";
+import { ScanWarning } from "../types";
+import path from "path";
+
+export function printReport(results: ScanWarning[]) {
+  if (results.length === 0) {
+    console.log(chalk.green("✅ No issues found. Ship it."));
+    return;
+  }
+
+  const grouped: Record<string, ScanWarning[]> = {};
+
+  for (const r of results) {
+    const file = path.basename(r.file || "unknown");
+    grouped[file] ??= [];
+    grouped[file].push(r);
+  }
+
+  console.log(chalk.bold("\n🛡️ VibeGuard Report\n"));
+
+  for (const file in grouped) {
+    console.log(chalk.cyan(file));
+
+    for (const r of grouped[file]) {
+      const lineInfo = r.line ? `Line ${r.line}` : "";
+      console.log(
+        `  ${chalk.yellow("⚠️")} ${lineInfo}  ${r.message}`
+      );
+    }
+
+    console.log("");
+  }
+
+  console.log(
+    chalk.bold(`Summary: ${results.length} warning(s)\n`)
+  );
+}

package/src/rules/hallucinatedApi.ts

@@ -0,0 +1,89 @@
+import { ScanWarning } from "../types";
+
+/**
+ * Globals and well-known functions we NEVER want to flag
+ */
+const ALLOWED_GLOBALS = new Set([
+  "fetch",
+  "console",
+  "setTimeout",
+  "setInterval",
+  "clearTimeout",
+  "clearInterval",
+  "require",
+  "import",
+]);
+
+export function hallucinatedApiRule(
+  code: string,
+  file: string
+): ScanWarning[] {
+  const warnings: ScanWarning[] = [];
+
+  /**
+   * Matches function calls NOT preceded by a dot
+   * Example matched:   getUserByIdSafe(
+   * Example ignored:   obj.method(
+   */
+  const callRegex = /(?<!\.)\b([a-zA-Z_][a-zA-Z0-9_]*)\s*\(/g;
+
+  /**
+   * Matches function declarations, variables, and imports
+   */
+  const declaredRegex =
+    /(function\s+([a-zA-Z_][a-zA-Z0-9_]*))|(const\s+([a-zA-Z_][a-zA-Z0-9_]*)\s*=)|(let\s+([a-zA-Z_][a-zA-Z0-9_]*)\s*=)|(var\s+([a-zA-Z_][a-zA-Z0-9_]*)\s*=)|import\s+.*\b([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
+
+  const calls = new Set<string>();
+  const declared = new Set<string>();
+
+  let match;
+
+  // Collect all function calls
+  while ((match = callRegex.exec(code))) {
+    const fn = match[1];
+
+    // Skip globals, constructors, and obvious safe cases
+    if (
+      ALLOWED_GLOBALS.has(fn) ||
+      fn[0] === fn[0].toUpperCase()
+    ) {
+      continue;
+    }
+
+    calls.add(fn);
+  }
+
+  // Collect declared functions / variables / imports
+  while ((match = declaredRegex.exec(code))) {
+    const name =
+      match[2] ||
+      match[4] ||
+      match[6] ||
+      match[8] ||
+      match[9];
+
+    if (name) {
+      declared.add(name);
+    }
+  }
+
+  // Diff: calls that were never declared
+  for (const fn of calls) {
+    if (!declared.has(fn)) {
+      const line =
+        code
+          .split("\n")
+          .findIndex((l) => l.includes(`${fn}(`)) + 1;
+
+      warnings.push({
+        ruleId: "hallucinated-api",
+        severity: "warning",
+        message: `Possible hallucinated API: ${fn}() is used but never defined or imported.`,
+        file,
+        line: line > 0 ? line : undefined,
+      });
+    }
+  }
+
+  return warnings;
+}

package/src/rules/index.ts

@@ -0,0 +1,9 @@
+import { localStorageTokenRule } from "./localStorageToken";
+import { missingTryCatchRule } from "./missingTryCatch";
+import { hallucinatedApiRule } from "./hallucinatedApi";
+
+export const rules = [
+  localStorageTokenRule,
+  missingTryCatchRule,
+  hallucinatedApiRule,
+];

package/src/rules/localStorageToken.ts

@@ -0,0 +1,26 @@
+import { ScanWarning } from "../types";
+
+export function localStorageTokenRule(
+  code: string,
+  file: string
+): ScanWarning[] {
+  const warnings: ScanWarning[] = [];
+  const regex = /localStorage\.setItem\(['"`].*token.*['"`]/gi;
+
+  let match;
+  while ((match = regex.exec(code))) {
+    const line =
+      code.slice(0, match.index).split("\n").length;
+
+    warnings.push({
+      ruleId: "local-storage-token",
+      severity: "warning",
+      message:
+        "Token stored in localStorage. This is vulnerable to XSS. Use httpOnly cookies.",
+      file,
+      line,
+    });
+  }
+
+  return warnings;
+}

package/src/rules/missingTryCatch.ts

@@ -0,0 +1,25 @@
+import { ScanWarning } from "../types";
+
+export function missingTryCatchRule(
+  code: string,
+  file: string
+): ScanWarning[] {
+  if (code.includes("await") && !code.includes("try {")) {
+    const line = code
+      .split("\n")
+      .findIndex((l) => l.includes("await")) + 1;
+
+    return [
+      {
+        ruleId: "missing-try-catch",
+        severity: "warning",
+        message:
+          "Async operation without try/catch. This may crash in production.",
+        file,
+        line,
+      },
+    ];
+  }
+
+  return [];
+}

package/src/scanner/fileWalker.ts

@@ -0,0 +1,21 @@
+import { glob } from "glob";
+import path from "path";
+
+export async function walkFiles(rootPath: string): Promise<string[]> {
+  const absoluteRoot = path.resolve(rootPath);
+
+  const pattern = "**/*.{js,ts,jsx,tsx}";
+
+  const files = await glob(pattern, {
+    cwd: absoluteRoot,
+    absolute: true,
+    ignore: [
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/.git/**",
+      "**/src/**"
+    ],
+  });
+
+  return files;
+}

package/src/scanner/index.ts

@@ -0,0 +1,15 @@
+import { walkFiles } from "./fileWalker";
+import { scanFile } from "./scanFile";
+import { ScanWarning } from "../types";
+
+export async function runScan(rootPath: string): Promise<ScanWarning[]> {
+  const files = await walkFiles(rootPath);
+  const results: ScanWarning[] = [];
+
+  for (const file of files) {
+    const warnings = await scanFile(file);
+    results.push(...warnings);
+  }
+
+  return results;
+}

package/src/scanner/scanFile.ts

@@ -0,0 +1,15 @@
+import fs from "fs";
+import { ScanWarning } from "../types";
+import { rules } from "../rules";
+
+export async function scanFile(filePath: string): Promise<ScanWarning[]> {
+  const code = fs.readFileSync(filePath, "utf-8");
+  const warnings: ScanWarning[] = [];
+
+  for (const rule of rules) {
+    const result = rule(code, filePath);
+    warnings.push(...result);
+  }
+
+  return warnings;
+}

package/src/types.ts

@@ -0,0 +1,7 @@
+export interface ScanWarning {
+  ruleId: string;
+  severity: "warning" | "error";
+  message: string;
+  line?: number;
+  file?: string;
+}

package/tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "CommonJS",
+    "rootDir": "src",
+    "outDir": "dist",
+
+    "strict": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+
+    "skipLibCheck": true
+  },
+  "include": ["src"]
+}