@vibecheckai/cli 3.4.0 → 3.5.0

package/bin/runners/lib/engines/bundle-size-engine.js

@@ -0,0 +1,433 @@
+/**
+ * Bundle Size Analyzer Engine
+ * Detects:
+ * - Large library imports that hurt bundle size
+ * - Non-tree-shakeable imports
+ * - Heavy dependencies that have lighter alternatives
+ * - Dynamic imports that could be code-split
+ * - Duplicate functionality across packages
+ */
+
+const { getAST } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile } = require("./file-filter");
+
+/**
+ * Known heavy packages with size estimates and alternatives
+ */
+const HEAVY_PACKAGES = {
+  // Date/time libraries
+  moment: {
+    size: "290KB",
+    minified: "72KB",
+    alternatives: ["date-fns", "dayjs", "luxon"],
+    message: "moment.js is large and mutable. Consider date-fns (tree-shakeable) or dayjs (2KB).",
+  },
+  "moment-timezone": {
+    size: "900KB+",
+    minified: "200KB+",
+    alternatives: ["date-fns-tz", "luxon"],
+    message: "moment-timezone is very large. Consider date-fns-tz or native Intl API.",
+  },
+  
+  // Utility libraries
+  lodash: {
+    size: "530KB",
+    minified: "72KB",
+    alternatives: ["lodash-es", "lodash/[function]", "native ES"],
+    message: "Full lodash import adds ~70KB. Import individual functions or use lodash-es.",
+    checkTreeShaking: true,
+  },
+  underscore: {
+    size: "60KB",
+    minified: "18KB",
+    alternatives: ["native ES", "lodash-es"],
+    message: "underscore has native ES alternatives for most functions.",
+  },
+  ramda: {
+    size: "240KB",
+    minified: "50KB",
+    alternatives: ["native ES", "individual imports"],
+    message: "Consider importing only needed Ramda functions.",
+    checkTreeShaking: true,
+  },
+  
+  // UI frameworks
+  "@material-ui/core": {
+    size: "varies",
+    minified: "300KB+",
+    alternatives: ["@mui/material with tree-shaking"],
+    message: "Ensure you're importing MUI components individually, not from root.",
+    checkTreeShaking: true,
+  },
+  antd: {
+    size: "2MB+",
+    minified: "500KB+",
+    alternatives: ["individual antd imports"],
+    message: "Import antd components individually to enable tree-shaking.",
+    checkTreeShaking: true,
+  },
+  
+  // Visualization
+  "chart.js": {
+    size: "200KB",
+    minified: "60KB",
+    alternatives: ["lightweight-charts", "uPlot"],
+    message: "chart.js is large. For simple charts, consider lighter alternatives.",
+  },
+  d3: {
+    size: "500KB+",
+    minified: "100KB+",
+    alternatives: ["d3 micro-libraries", "visx"],
+    message: "Import only needed d3 modules (d3-scale, d3-shape) instead of full d3.",
+    checkTreeShaking: true,
+  },
+  
+  // Animation
+  "framer-motion": {
+    size: "130KB",
+    minified: "45KB",
+    alternatives: ["motion/react", "@formkit/auto-animate"],
+    message: "framer-motion is large. For simple animations, consider CSS or lighter libs.",
+  },
+  gsap: {
+    size: "60KB",
+    minified: "20KB",
+    alternatives: ["CSS animations", "Web Animations API"],
+    message: "For simple animations, CSS or Web Animations API may be sufficient.",
+  },
+  
+  // Validation
+  yup: {
+    size: "45KB",
+    minified: "15KB",
+    alternatives: ["zod", "valibot"],
+    message: "yup is heavier than zod or valibot. Consider switching if bundle size matters.",
+  },
+  joi: {
+    size: "150KB",
+    minified: "40KB",
+    alternatives: ["zod", "valibot"],
+    message: "joi is designed for Node.js. For browser, use zod or valibot.",
+  },
+  
+  // PDF generation
+  pdfkit: {
+    size: "2MB+",
+    minified: "500KB+",
+    alternatives: ["jspdf", "server-side generation"],
+    message: "Consider generating PDFs server-side to reduce client bundle.",
+  },
+  
+  // State management
+  redux: {
+    size: "20KB",
+    minified: "7KB",
+    alternatives: ["zustand", "jotai", "valtio"],
+    message: "For simpler state, zustand (1KB) or jotai may be sufficient.",
+  },
+  
+  // HTTP clients
+  axios: {
+    size: "30KB",
+    minified: "13KB",
+    alternatives: ["native fetch", "ky", "redaxios"],
+    message: "Native fetch or ky (3KB) may be sufficient for most use cases.",
+  },
+  
+  // Crypto
+  "crypto-js": {
+    size: "200KB",
+    minified: "50KB",
+    alternatives: ["Web Crypto API", "individual modules"],
+    message: "Use Web Crypto API for browser or import only needed modules.",
+    checkTreeShaking: true,
+  },
+  
+  // UUID
+  uuid: {
+    size: "15KB",
+    minified: "5KB",
+    alternatives: ["crypto.randomUUID()", "nanoid"],
+    message: "Modern browsers support crypto.randomUUID(). nanoid is only 130B.",
+  },
+};
+
+/**
+ * Non-tree-shakeable import patterns
+ */
+const NON_TREESHAKEABLE_PATTERNS = [
+  // Namespace imports from large libraries
+  { pattern: /import\s+\*\s+as\s+\w+\s+from\s+['"]lodash['"]/, lib: "lodash" },
+  { pattern: /import\s+\*\s+as\s+\w+\s+from\s+['"]ramda['"]/, lib: "ramda" },
+  { pattern: /import\s+\*\s+as\s+\w+\s+from\s+['"]d3['"]/, lib: "d3" },
+  
+  // Default imports from libraries that should use named imports
+  { pattern: /import\s+\w+\s+from\s+['"]lodash['"]/, lib: "lodash" },
+  { pattern: /import\s+\w+\s+from\s+['"]@material-ui\/core['"]/, lib: "@material-ui/core" },
+  { pattern: /import\s+\w+\s+from\s+['"]antd['"]/, lib: "antd" },
+  
+  // Importing entire icon sets
+  { pattern: /import\s+\*\s+as\s+\w+\s+from\s+['"]@?[\w-]+\/icons/, lib: "icons" },
+  { pattern: /import\s+\{\s*\*\s*\}\s+from\s+['"]lucide-react['"]/, lib: "lucide" },
+];
+
+/**
+ * Server-only packages that shouldn't be in client bundles
+ */
+const SERVER_ONLY_PACKAGES = [
+  "fs",
+  "path",
+  "crypto",
+  "http",
+  "https",
+  "net",
+  "child_process",
+  "bcrypt",
+  "bcryptjs",
+  "@prisma/client",
+  "pg",
+  "mysql2",
+  "mongodb",
+  "redis",
+  "nodemailer",
+  "sharp",
+];
+
+function snippetForLine(lines, line) {
+  return lines[line - 1] ? lines[line - 1].trim() : "";
+}
+
+/**
+ * Check if file is a client-side file
+ */
+function isClientFile(filePath, code) {
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  
+  // Check for "use client" directive
+  if (/['"]use client['"]/.test(code)) return true;
+  
+  // Check path patterns
+  const clientPatterns = [
+    /\/components\//,
+    /\/pages\//,
+    /\/app\/.*\/page\./,
+    /\/src\/.*\.(tsx?|jsx?)$/,
+    /\/client\//,
+    /\/web\//,
+    /\/frontend\//,
+  ];
+  
+  const serverPatterns = [
+    /\/api\//,
+    /\/server\//,
+    /\/backend\//,
+    /\/lib\/server/,
+    /\.server\./,
+    /\/actions\//,
+  ];
+  
+  // Server patterns take precedence
+  if (serverPatterns.some(p => p.test(normalizedPath))) return false;
+  if (clientPatterns.some(p => p.test(normalizedPath))) return true;
+  
+  // Check for "use server" directive
+  if (/['"]use server['"]/.test(code)) return false;
+  
+  // Default to client for tsx/jsx files
+  return /\.(tsx|jsx)$/.test(normalizedPath);
+}
+
+/**
+ * Analyze bundle size issues
+ */
+function analyzeBundleSize(code, filePath) {
+  const findings = [];
+  
+  if (shouldExcludeFile(filePath)) return findings;
+  
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+  
+  const lines = code.split("\n");
+  const isClient = isClientFile(filePath, code);
+  const importedPackages = new Set();
+
+  traverse(ast, {
+    ImportDeclaration(path) {
+      const source = path.node.source.value;
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+      
+      // Get the root package name
+      const packageName = source.startsWith("@")
+        ? source.split("/").slice(0, 2).join("/")
+        : source.split("/")[0];
+      
+      importedPackages.add(packageName);
+      
+      // Check for heavy packages
+      const heavyPkg = HEAVY_PACKAGES[packageName];
+      if (heavyPkg) {
+        const specifiers = path.node.specifiers;
+        const isNamespaceImport = specifiers.some(s => t.isImportNamespaceSpecifier(s));
+        const isDefaultImport = specifiers.some(s => t.isImportDefaultSpecifier(s));
+        
+        // Check if tree-shaking is being prevented
+        let isTreeShakeIssue = false;
+        if (heavyPkg.checkTreeShaking) {
+          // Namespace import prevents tree-shaking
+          if (isNamespaceImport) isTreeShakeIssue = true;
+          // Importing from root instead of subpath
+          if (isDefaultImport && source === packageName) isTreeShakeIssue = true;
+        }
+        
+        // Only warn for client bundles or tree-shake issues
+        if (isClient || isTreeShakeIssue) {
+          findings.push({
+            type: "heavy_dependency",
+            severity: isTreeShakeIssue ? "WARN" : "INFO",
+            category: "BundleSize",
+            file: filePath,
+            line: loc.line,
+            column: loc.column,
+            title: `Heavy package: ${packageName} (~${heavyPkg.minified} minified)`,
+            message: heavyPkg.message,
+            codeSnippet: snippetForLine(lines, loc.line),
+            confidence: isTreeShakeIssue ? "high" : "med",
+            fixHint: `Consider: ${heavyPkg.alternatives.join(", ")}`,
+          });
+        }
+      }
+      
+      // Check for server-only packages in client code
+      if (isClient && SERVER_ONLY_PACKAGES.includes(packageName)) {
+        findings.push({
+          type: "server_only_import",
+          severity: "BLOCK",
+          category: "BundleSize",
+          file: filePath,
+          line: loc.line,
+          column: loc.column,
+          title: `Server-only package in client bundle: ${packageName}`,
+          message: `'${packageName}' should not be imported in client-side code.`,
+          codeSnippet: snippetForLine(lines, loc.line),
+          confidence: "high",
+          fixHint: "Move this import to a server component or API route",
+        });
+      }
+      
+      // Check for non-tree-shakeable patterns
+      const importLine = code.substring(path.node.start, path.node.end);
+      for (const { pattern, lib } of NON_TREESHAKEABLE_PATTERNS) {
+        if (pattern.test(importLine)) {
+          findings.push({
+            type: "non_treeshakeable",
+            severity: "WARN",
+            category: "BundleSize",
+            file: filePath,
+            line: loc.line,
+            column: loc.column,
+            title: `Non-tree-shakeable import from ${lib}`,
+            message: "This import pattern prevents tree-shaking, including the entire library.",
+            codeSnippet: snippetForLine(lines, loc.line),
+            confidence: "high",
+            fixHint: `Import only what you need: import { specificFn } from '${lib}'`,
+          });
+          break;
+        }
+      }
+      
+      // Check for large icon imports
+      if (/icons?/i.test(source)) {
+        const specifiers = path.node.specifiers;
+        const namedImports = specifiers.filter(s => t.isImportSpecifier(s));
+        
+        if (namedImports.length > 20) {
+          findings.push({
+            type: "large_icon_import",
+            severity: "INFO",
+            category: "BundleSize",
+            file: filePath,
+            line: loc.line,
+            column: loc.column,
+            title: `Large icon import (${namedImports.length} icons)`,
+            message: "Consider code-splitting or using dynamic imports for icons.",
+            codeSnippet: snippetForLine(lines, loc.line),
+            confidence: "low",
+            fixHint: "Use dynamic imports: const Icon = dynamic(() => import('...'))",
+          });
+        }
+      }
+    },
+    
+    // Check for dynamic imports that could benefit from code splitting
+    CallExpression(path) {
+      const callee = path.node.callee;
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+      
+      // Check import() calls
+      if (t.isImport(callee)) {
+        const arg = path.node.arguments[0];
+        if (t.isStringLiteral(arg)) {
+          const importPath = arg.value;
+          const packageName = importPath.startsWith("@")
+            ? importPath.split("/").slice(0, 2).join("/")
+            : importPath.split("/")[0];
+          
+          // Heavy packages being dynamically imported - good!
+          if (HEAVY_PACKAGES[packageName]) {
+            // This is actually good practice, just note it
+          }
+        }
+      }
+      
+      // Check require() calls (CommonJS)
+      if (t.isIdentifier(callee, { name: "require" })) {
+        const arg = path.node.arguments[0];
+        if (t.isStringLiteral(arg)) {
+          const importPath = arg.value;
+          const packageName = importPath.startsWith("@")
+            ? importPath.split("/").slice(0, 2).join("/")
+            : importPath.split("/")[0];
+          
+          if (isClient && SERVER_ONLY_PACKAGES.includes(packageName)) {
+            findings.push({
+              type: "server_only_require",
+              severity: "BLOCK",
+              category: "BundleSize",
+              file: filePath,
+              line: loc.line,
+              column: loc.column,
+              title: `Server-only require in client bundle: ${packageName}`,
+              message: `'${packageName}' should not be required in client-side code.`,
+              codeSnippet: snippetForLine(lines, loc.line),
+              confidence: "high",
+              fixHint: "Move this require to a server component or API route",
+            });
+          }
+        }
+      }
+    },
+  });
+
+  return findings;
+}
+
+/**
+ * Get recommended alternatives for a package
+ */
+function getAlternatives(packageName) {
+  const pkg = HEAVY_PACKAGES[packageName];
+  return pkg ? pkg.alternatives : [];
+}
+
+module.exports = {
+  analyzeBundleSize,
+  getAlternatives,
+  HEAVY_PACKAGES,
+  SERVER_ONLY_PACKAGES,
+  isClientFile,
+};

package/bin/runners/lib/engines/confidence-scoring.js

@@ -0,0 +1,276 @@
+/**
+ * Standardized Confidence Scoring Module
+ * 
+ * Provides consistent confidence scoring across all vibecheck engines.
+ * 
+ * Confidence Scale (0-1):
+ * - 1.0 (HIGH):    Definitely an issue, AST-verified, high certainty
+ * - 0.8 (MEDIUM):  Likely an issue, pattern-matched with context
+ * - 0.5 (LOW):     Possibly an issue, needs manual verification
+ * - 0.3 (HINT):    Potential improvement, informational only
+ * 
+ * Legacy string values are mapped:
+ * - "high" → 1.0
+ * - "med"  → 0.8
+ * - "low"  → 0.5
+ */
+
+/**
+ * Confidence levels with numeric values
+ */
+const CONFIDENCE = {
+  // Definite issues - AST verified, no false positives expected
+  DEFINITE: 1.0,
+  HIGH: 1.0,
+  
+  // Likely issues - pattern matched with good context
+  LIKELY: 0.8,
+  MEDIUM: 0.8,
+  MED: 0.8,
+  
+  // Possible issues - lexical match, needs verification
+  POSSIBLE: 0.5,
+  LOW: 0.5,
+  
+  // Hints - informational, may not be issues
+  HINT: 0.3,
+  INFO: 0.3,
+};
+
+/**
+ * Convert legacy string confidence to numeric
+ */
+function normalizeConfidence(value) {
+  if (typeof value === "number") {
+    return Math.max(0, Math.min(1, value));
+  }
+  
+  if (typeof value === "string") {
+    const key = value.toUpperCase();
+    if (CONFIDENCE[key] !== undefined) {
+      return CONFIDENCE[key];
+    }
+    
+    // Legacy mappings
+    switch (value.toLowerCase()) {
+      case "high":
+        return CONFIDENCE.HIGH;
+      case "med":
+      case "medium":
+        return CONFIDENCE.MEDIUM;
+      case "low":
+        return CONFIDENCE.LOW;
+      case "info":
+      case "hint":
+        return CONFIDENCE.HINT;
+      default:
+        return CONFIDENCE.MEDIUM; // Default fallback
+    }
+  }
+  
+  return CONFIDENCE.MEDIUM;
+}
+
+/**
+ * Get confidence label from numeric value
+ */
+function getConfidenceLabel(value) {
+  const normalized = normalizeConfidence(value);
+  
+  if (normalized >= 0.9) return "high";
+  if (normalized >= 0.6) return "med";
+  if (normalized >= 0.4) return "low";
+  return "hint";
+}
+
+/**
+ * Severity levels (aligned with SARIF)
+ */
+const SEVERITY = {
+  BLOCK: "error",      // Must fix before shipping
+  WARN: "warning",     // Should fix, but not blocking
+  INFO: "note",        // Informational
+};
+
+/**
+ * Map internal severity to SARIF level
+ */
+function toSarifLevel(severity) {
+  switch (severity?.toUpperCase()) {
+    case "BLOCK":
+    case "ERROR":
+    case "CRITICAL":
+      return "error";
+    case "WARN":
+    case "WARNING":
+    case "HIGH":
+      return "warning";
+    case "INFO":
+    case "LOW":
+    case "NOTE":
+    default:
+      return "note";
+  }
+}
+
+/**
+ * Confidence modifiers based on context
+ */
+const CONFIDENCE_MODIFIERS = {
+  // Increase confidence
+  AST_VERIFIED: 0.2,        // Finding verified via AST analysis
+  PATTERN_CONTEXT: 0.1,     // Pattern has surrounding context
+  MULTIPLE_EVIDENCE: 0.1,   // Multiple pieces of evidence
+  
+  // Decrease confidence
+  LEXICAL_ONLY: -0.2,       // Only lexical/regex match
+  POSSIBLE_FALSE_POSITIVE: -0.3, // Known false positive pattern nearby
+  IN_COMMENT: -0.3,         // Found in comment
+  IN_STRING: -0.2,          // Found in string literal
+  TEST_FILE: -0.4,          // In test file
+  CONFIG_FILE: -0.2,        // In config file
+};
+
+/**
+ * Calculate confidence with modifiers
+ */
+function calculateConfidence(baseConfidence, modifiers = []) {
+  let confidence = normalizeConfidence(baseConfidence);
+  
+  for (const modifier of modifiers) {
+    if (typeof modifier === "string" && CONFIDENCE_MODIFIERS[modifier]) {
+      confidence += CONFIDENCE_MODIFIERS[modifier];
+    } else if (typeof modifier === "number") {
+      confidence += modifier;
+    }
+  }
+  
+  // Clamp to valid range
+  return Math.max(0, Math.min(1, confidence));
+}
+
+/**
+ * Create a standardized finding object
+ */
+function createFinding({
+  type,
+  severity = "WARN",
+  category,
+  file,
+  line = 0,
+  column = 0,
+  title,
+  message,
+  codeSnippet = "",
+  confidence = CONFIDENCE.MEDIUM,
+  fixHint = "",
+  evidence = [],
+  modifiers = [],
+}) {
+  const normalizedConfidence = calculateConfidence(confidence, modifiers);
+  
+  return {
+    type,
+    severity: severity.toUpperCase(),
+    category,
+    file,
+    line,
+    column,
+    title,
+    message,
+    codeSnippet,
+    confidence: getConfidenceLabel(normalizedConfidence),
+    confidenceScore: normalizedConfidence,
+    fixHint: fixHint || undefined,
+    evidence: evidence.length > 0 ? evidence : undefined,
+  };
+}
+
+/**
+ * Filter findings by minimum confidence threshold
+ */
+function filterByConfidence(findings, minConfidence = 0.3) {
+  const threshold = normalizeConfidence(minConfidence);
+  
+  return findings.filter(finding => {
+    const score = finding.confidenceScore !== undefined 
+      ? finding.confidenceScore 
+      : normalizeConfidence(finding.confidence);
+    return score >= threshold;
+  });
+}
+
+/**
+ * Sort findings by confidence (highest first)
+ */
+function sortByConfidence(findings) {
+  return [...findings].sort((a, b) => {
+    const scoreA = a.confidenceScore ?? normalizeConfidence(a.confidence);
+    const scoreB = b.confidenceScore ?? normalizeConfidence(b.confidence);
+    return scoreB - scoreA;
+  });
+}
+
+/**
+ * Group findings by confidence level
+ */
+function groupByConfidence(findings) {
+  return {
+    high: findings.filter(f => normalizeConfidence(f.confidence) >= 0.9),
+    medium: findings.filter(f => {
+      const c = normalizeConfidence(f.confidence);
+      return c >= 0.6 && c < 0.9;
+    }),
+    low: findings.filter(f => {
+      const c = normalizeConfidence(f.confidence);
+      return c >= 0.4 && c < 0.6;
+    }),
+    hint: findings.filter(f => normalizeConfidence(f.confidence) < 0.4),
+  };
+}
+
+/**
+ * Calculate overall confidence score for a scan
+ */
+function calculateOverallScore(findings) {
+  if (findings.length === 0) return 1.0; // No issues = high confidence
+  
+  // Weight by severity
+  const weights = {
+    BLOCK: 3,
+    WARN: 2,
+    INFO: 1,
+  };
+  
+  let totalWeight = 0;
+  let weightedSum = 0;
+  
+  for (const finding of findings) {
+    const weight = weights[finding.severity?.toUpperCase()] || 1;
+    const confidence = finding.confidenceScore ?? normalizeConfidence(finding.confidence);
+    
+    totalWeight += weight;
+    weightedSum += confidence * weight;
+  }
+  
+  // Invert - higher issues = lower score
+  return 1 - (weightedSum / totalWeight) * 0.5;
+}
+
+module.exports = {
+  // Constants
+  CONFIDENCE,
+  SEVERITY,
+  CONFIDENCE_MODIFIERS,
+  
+  // Functions
+  normalizeConfidence,
+  getConfidenceLabel,
+  toSarifLevel,
+  calculateConfidence,
+  createFinding,
+  filterByConfidence,
+  sortByConfidence,
+  groupByConfidence,
+  calculateOverallScore,
+};