@safetnsr/vet 1.4.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3)
  1. package/README.md +94 -89
  2. package/dist/cli.js +0 -0
  3. package/package.json +1 -1
package/README.md CHANGED
@@ -1,26 +1,65 @@
1
1
  # vet
2
2
 
3
- vet your AI-generated code. one command, nine checks, zero config.
3
+ your AI coding agent doesn't know what it broke. you need a second opinion.
4
+
5
+ ![vet demo](demo.gif)
4
6
 
5
7
  ```bash
6
8
  npx @safetnsr/vet
7
9
  ```
8
10
 
11
+ vet checks your codebase **before** and **after** AI coding sessions. before: is your repo set up so the agent does good work? after: did it leave behind anti-patterns, stale tests, leaked secrets, or technical debt?
12
+
9
13
  works with Claude Code, Cursor, Copilot, Codex, Aider, Windsurf, Cline — anything that writes code in a git repo.
10
14
 
11
- ## what it checks
15
+ ## two flows, one command
16
+
17
+ `npx @safetnsr/vet` runs everything. but the checks split into two categories:
18
+
19
+ ### before the session — is your codebase ready?
20
+
21
+ | check | what it does |
22
+ |-------|-------------|
23
+ | **ready** | scores your codebase structure: docs, types, tests, AI-friendliness |
24
+ | **config** | deep analysis of CLAUDE.md, .cursorrules, copilot-instructions — completeness, consistency, specificity |
25
+ | **scan** | detects prompt injection, shell injection, exfiltration in agent config files |
26
+ | **permissions** | flags MCP servers with dangerous filesystem access (writes to ~/.ssh, /etc, outside cwd) |
27
+ | **models** | finds deprecated/sunset model strings across OpenAI, Anthropic, Google, Cohere |
28
+ | **map** | verifies your codebase has navigable structure for agents |
29
+ | **memory** | catches stale facts, contradictions, and drift in CLAUDE.md, AGENTS.md, memory/ files |
30
+
31
+ a codebase that scores well here gives AI agents better context, fewer hallucinations, and less cleanup.
32
+
33
+ ### after the session — did the AI leave problems?
34
+
35
+ | check | what it does |
36
+ |-------|-------------|
37
+ | **diff** | AI-specific anti-patterns: wholesale rewrites, orphaned imports, catch-all error handling, over-commenting |
38
+ | **tests** | test theater: tautological assertions, empty test bodies, tests that prove nothing |
39
+ | **debt** | near-duplicate functions, orphaned exports, wrapper pass-throughs, naming drift |
40
+ | **secrets** | scans dist/, build/, .next/ + .env files for leaked API keys using pattern + entropy analysis |
41
+ | **history** | git commit churn, AI attribution ratios, suspiciously large changes |
42
+ | **receipt** | parses Claude Code session logs — files changed, commands run, packages installed, SHA256 integrity hash |
43
+
44
+ plus: **integrity** (hallucinated imports), **deps** (unused/phantom dependencies), **owasp** (OWASP Top 10 for AI agents), **verify** (validates agent claims against actual changes).
45
+
46
+ ## output
47
+
48
+ ```
49
+ my-project B 75/100
50
+
51
+ security ████████░░ 82 scan ✓ secrets ✓ config 3/10 owasp ✓
52
+ integrity ███████░░░ 68 diff: 3 issues integrity ✓ memory: 1 stale
53
+ debt ██████░░░░ 58 ready 4/10 history ✓ debt: 2 duplicates
54
+ deps ██████████ 98 all clean
55
+
56
+ ✗ no README — AI agents have no project context
57
+ ✗ [ai] wholesale rewrite: 40 lines removed, 45 added in utils.ts
58
+ ! config: "strict TS" but tsconfig.strict is false
59
+ ! memory: CLAUDE.md references vitest but package.json uses jest
12
60
 
13
- | check | what | how |
14
- |-------|------|-----|
15
- | **ready** | is your codebase AI-friendly? | scans structure, docs, types, tests |
16
- | **diff** | did the AI leave anti-patterns? | AI-specific patterns: wholesale rewrites, orphaned imports, catch-alls, over-commenting, plus secrets & stubs |
17
- | **models** | using deprecated AI models? | scans code for sunset model strings across OpenAI, Anthropic, Google, Cohere |
18
- | **config** | agent configs in place? | deep analysis of CLAUDE.md, .cursorrules, copilot-instructions — checks completeness, consistency, and specificity against your actual codebase |
19
- | **history** | git patterns healthy? | analyzes commit churn, AI attribution, large changes |
20
- | **scan** | malicious patterns in agent configs? | scans .claude/, .cursorrules, CLAUDE.md, .mcp/ for prompt injection, shell injection, exfiltration endpoints |
21
- | **secrets** | leaked secrets in build output? | scans dist/, build/, .next/ + .env files for API keys, tokens, connection strings using pattern + entropy analysis |
22
- | **receipt** | what did the last agent session do? | parses ~/.claude/projects/ JSONL session logs — files changed, commands run, packages installed, SHA256 integrity hash |
23
- | **debt** | AI-generated technical debt (duplicates, orphans, wrappers) | detects near-duplicate functions, orphaned exports, wrapper pass-throughs, naming drift |
61
+ run --fix to auto-repair 4 issues
62
+ ```
24
63
 
25
64
  ## usage
26
65
 
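Review bot: The new **scan** and **receipt** rows in the before/after tables no longer say which paths vet reads. The removed table named `.claude/`, `.cursorrules`, `CLAUDE.md`, `.mcp/` for scan and `~/.claude/projects/` JSONL session logs for receipt; the replacement rows say only "agent config files" and "Claude Code session logs". Receipt reads from the home directory, outside the repo being checked, so keep those paths in the rows. The output sample also mixes a 0-100 category score with per-check values such as `config 3/10` and `ready 4/10`; state both scales next to the sample.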
@@ -28,19 +67,19 @@ works with Claude Code, Cursor, Copilot, Codex, Aider, Windsurf, Cline — anyth
28
67
  # run all checks
29
68
  npx @safetnsr/vet
30
69
 
31
- # check a specific directory
70
+ # specific directory
32
71
  npx @safetnsr/vet ./my-project
33
72
 
34
73
  # auto-fix: generate CLAUDE.md, .cursorrules, fix deprecated models
35
74
  npx @safetnsr/vet --fix
36
75
 
37
- # check specific commit range
76
+ # specific commit range
38
77
  npx @safetnsr/vet --since HEAD~5
39
78
 
40
79
  # live monitoring during AI sessions
41
80
  npx @safetnsr/vet --watch
42
81
 
43
- # CI mode — exit code 1 if score below threshold
82
+ # CI mode — exit 1 if score below threshold
44
83
  npx @safetnsr/vet --ci
45
84
 
46
85
  # JSON output
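Review bot: The shortened CI comment (`exit 1 if score below threshold`) still does not say what the threshold is, and this release changes the score card from `7.5/10` to `75/100` in the output sample. State the default here or point to `thresholds.min` in `.vetrc`, so a reader wiring `--ci` into a pipeline knows which number gates the build.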
@@ -49,78 +88,72 @@ npx @safetnsr/vet --json
49
88
  # generate configs + pre-commit hook
50
89
  npx @safetnsr/vet init
51
90
 
52
- # show last agent session receipt (ASCII or JSON)
91
+ # agent session receipt
53
92
  npx @safetnsr/vet receipt
54
93
  npx @safetnsr/vet receipt --json
55
94
  ```
56
95
 
57
- ## output
58
-
59
- ```
60
- my-project 7.5/10
61
-
62
- ready ████░░░░░░ 4 3 readiness issues
63
- diff ████████░░ 8 3 issues (2 AI-specific) in 5 files
64
- models ██████████ 10 all models current
65
- config ███░░░░░░░ 3 Cursor — needs work (3/10)
66
- history █████████░ 9 41 commits (~15% AI-attributed)
67
- scan ██████████ 10 no malicious patterns found
68
- secrets ██████████ 10 no leaked secrets
69
- receipt ██████████ 10 last session: 3 files, 2 commands
70
-
71
- ✗ no README — AI agents have no project context
72
- ✗ no tests — AI agents produce better code when tests exist
73
- ! [ai] wholesale rewrite: 40 lines removed, 45 added in utils.ts
74
- ! [ai] imported "lodash" but never used in new code
75
-
76
- run --fix to auto-repair 4 issues
77
- ```
78
-
79
96
  ## --fix
80
97
 
81
- `vet --fix` analyzes your codebase and generates project-specific configs:
98
+ analyzes your codebase and generates project-specific configs:
82
99
 
83
100
  ```bash
84
101
  $ npx @safetnsr/vet --fix
85
102
 
86
103
  vet --fix
87
104
 
88
- + CLAUDE.md (generated from codebase: Next.js + React, Vitest, Tailwind CSS, TypeScript)
105
+ + CLAUDE.md (generated: Next.js + React, Vitest, Tailwind CSS, TypeScript)
89
106
  + .cursorrules (generated)
90
107
  ✓ src/api.ts: "gpt-3.5-turbo" → "gpt-4o-mini"
91
108
 
92
109
  fixed 3 issues
93
110
  ```
94
111
 
95
- the generated CLAUDE.md includes your actual stack, directory structure, and framework-specific rules.
112
+ the generated CLAUDE.md includes your actual stack, directory structure, and framework-specific rules — not a template.
96
113
 
97
- ## AI-specific diff patterns
114
+ ## --watch
98
115
 
99
- | pattern | what it catches |
100
- |---------|----------------|
101
- | `[ai] wholesale rewrite` | AI rewrote an entire function when a small edit would suffice |
102
- | `[ai] orphaned imports` | AI added imports it never uses |
103
- | `[ai] catch-all handling` | `catch(e) { console.error(e) }` instead of specific error handling |
104
- | `[ai] comment density` | AI over-commented obvious code |
105
- | `[ai] empty test body` | AI stubbed a test without implementation |
106
- | `[ai] trivial assertion` | `expect(true).toBe(true)` — test proves nothing |
116
+ monitors your repo during an active AI session. re-runs checks on every file change:
107
117
 
108
- ## config analysis
118
+ ```bash
119
+ npx @safetnsr/vet --watch
120
+ ```
109
121
 
110
- the config check does deep analysis not just "does CLAUDE.md exist":
122
+ catch problems as the agent creates them, not after it's done.
111
123
 
124
+ ## CI/CD
125
+
126
+ ```yaml
127
+ # .github/workflows/vet.yml
128
+ name: vet
129
+ on: [pull_request]
130
+ jobs:
131
+ vet:
132
+ runs-on: ubuntu-latest
133
+ steps:
134
+ - uses: actions/checkout@v4
135
+ with:
136
+ fetch-depth: 50
137
+ - run: npx @safetnsr/vet --ci
112
138
  ```
113
- config score breakdown:
114
- completeness: 4/10 — mentions typescript but not react, vitest
115
- consistency: 7/10 — "strict TS" but tsconfig.strict is false
116
- specificity: 3/10 — generic rules, nothing project-specific
117
- ```
118
139
 
119
- ## subcommands
140
+ GitHub Action: [`safetnsr/vet-action`](https://github.com/safetnsr/vet-action) (coming soon)
141
+
142
+ ## config
143
+
144
+ optional `.vetrc` in your project root:
145
+
146
+ ```json
147
+ {
148
+ "checks": ["ready", "diff", "models", "config", "scan", "secrets"],
149
+ "ignore": ["vendor/", "generated/"],
150
+ "thresholds": { "min": 60 }
151
+ }
152
+ ```
120
153
 
121
- ### `vet receipt`
154
+ ## receipt
122
155
 
123
- Shows a receipt for the last Claude Code agent session — what files it touched, what commands it ran, what packages it installed, plus a SHA256 integrity hash:
156
+ shows what the last Claude Code session actually did — files touched, commands run, packages installed, with a SHA256 integrity hash:
124
157
 
125
158
  ```
126
159
  ╔══════════════════════════════════════════════╗
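Review bot: The workflow step `- run: npx @safetnsr/vet --ci` in the new CI/CD section is unpinned, so every pull request runs whatever version the registry serves at that moment, with the repository checked out. Pin the version in the example (for instance `npx @safetnsr/vet@1.6.0 --ci`) so that an upgrade is a reviewed change. In the `.vetrc` example just below it, the `checks` array lists six names and omits others this README documents (`permissions`, `memory`, `tests`, `debt`, `history`, `receipt`); say whether an explicit `checks` list disables everything not named.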
@@ -139,34 +172,6 @@ Shows a receipt for the last Claude Code agent session — what files it touched
139
172
  ╚══════════════════════════════════════════════╝
140
173
  ```
141
174
 
142
- ## config
143
-
144
- create `.vetrc` in your project root (optional):
145
-
146
- ```json
147
- {
148
- "checks": ["ready", "diff", "models", "config", "history", "scan", "secrets", "receipt"],
149
- "ignore": ["vendor/", "generated/"],
150
- "thresholds": { "min": 6 }
151
- }
152
- ```
153
-
154
- ## ci
155
-
156
- ```yaml
157
- # .github/workflows/vet.yml
158
- name: vet
159
- on: [pull_request]
160
- jobs:
161
- vet:
162
- runs-on: ubuntu-latest
163
- steps:
164
- - uses: actions/checkout@v4
165
- with:
166
- fetch-depth: 50
167
- - run: npx @safetnsr/vet --ci
168
- ```
169
-
170
175
  ## zero dependencies
171
176
 
172
177
  vet uses only Node.js built-ins. no runtime dependencies. works with Node 18+.
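Review bot: The removed `.vetrc` example used `"thresholds": { "min": 6 }` while the one added earlier in this diff uses `"min": 60`, and nothing in the README tells existing users to change theirs. If `min` is compared against the new 0-100 score, a carried-over `min: 6` would let `--ci` pass almost any result. Add a migration line to the config section, or have the CLI warn on values of 10 or below.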
package/dist/cli.js CHANGED
File without changes
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@safetnsr/vet",
3
- "version": "1.4.0",
3
+ "version": "1.6.0",
4
4
  "description": "vet your AI-generated code — one command, one score card, one letter grade",
5
5
  "type": "module",
6
6
  "bin": {
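Review bot: The `"version"` line jumps from `1.4.0` to `1.6.0`, yet the file list shows `package/dist/cli.js +0 -0` and "File without changes". The README in this release documents checks and a 100-point score card that the 1.4.0 README did not, so either the code already shipped them or the build output was not regenerated before publishing. Confirm `dist/` was rebuilt for 1.6.0, and say in the changelog that this is a documentation-only release if that is the intent.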