@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js

@@ -0,0 +1,164 @@
+/**
+ * AST Cache
+ * Shared AST parsing cache for analysis engines.
+ *
+ * Goals:
+ * - Parse each source file once (per content hash)
+ * - Avoid re-parsing unchanged files across multiple engines
+ * - Keep cache bounded (entries + total bytes) to prevent memory blowups
+ * - Refuse to parse obviously minified/giant files (should be excluded anyway)
+ */
+
+const crypto = require("crypto");
+const parser = require("@babel/parser");
+
+// Map preserves insertion order. We'll use it as a simple LRU:
+// on get -> delete+set to move entry to end
+const _AST_CACHE = new Map(); // key -> { ast, hash, bytes, lines, ts }
+let _TOTAL_BYTES = 0;
+
+const LIMITS = {
+  maxEntries: 6000,
+  maxTotalBytes: 200 * 1024 * 1024, // 200MB across cached source sizes
+  maxFileBytes: 1_200_000, // 1.2MB per file (bigger files likely generated)
+  maxLines: 25_000,
+};
+
+function sha1(text) {
+  return crypto.createHash("sha1").update(text).digest("hex");
+}
+
+function countNewlines(text) {
+  let n = 1;
+  for (let i = 0; i < text.length; i++) if (text.charCodeAt(i) === 10) n++;
+  return n;
+}
+
+/**
+ * Heuristic: identify minified/bundled files (super long lines, few newlines).
+ */
+function isProbablyMinified(code) {
+  if (!code || typeof code !== "string") return false;
+  const bytes = Buffer.byteLength(code, "utf8");
+  if (bytes < 40_000) return false; // small files aren't our concern
+
+  const lines = countNewlines(code);
+  const avgLine = bytes / Math.max(1, lines);
+  if (avgLine > 600) return true;
+
+  // Count semicolons as a crude "density" marker
+  const sample = code.slice(0, Math.min(80_000, code.length));
+  const semi = (sample.match(/;/g) || []).length;
+  const braces = (sample.match(/[{}]/g) || []).length;
+  const density = (semi + braces) / Math.max(1, sample.length);
+
+  return density > 0.035 && lines < 80;
+}
+
+/**
+ * Parse code into a Babel AST.
+ * Returns null if code is too big/minified or parsing fails.
+ */
+function parseCode(code, filePath = "<unknown>") {
+  if (!code || typeof code !== "string") return null;
+
+  const bytes = Buffer.byteLength(code, "utf8");
+  if (bytes > LIMITS.maxFileBytes) return null;
+
+  const lines = countNewlines(code);
+  if (lines > LIMITS.maxLines) return null;
+
+  if (isProbablyMinified(code)) return null;
+
+  try {
+    // include TypeScript + JSX support; \"unambiguous\" handles CJS/ESM
+    return parser.parse(code, {
+      sourceType: "unambiguous",
+      plugins: [
+        "typescript",
+        "jsx",
+        "decorators-legacy",
+        "classProperties",
+        "classPrivateProperties",
+        "classPrivateMethods",
+        "dynamicImport",
+        "optionalChaining",
+        "nullishCoalescingOperator",
+        "objectRestSpread",
+        "topLevelAwait",
+      ],
+      errorRecovery: true,
+      ranges: false,
+      tokens: false,
+      attachComment: true,
+    });
+  } catch {
+    return null;
+  }
+}
+
+function _evictIfNeeded() {
+  while (_AST_CACHE.size > LIMITS.maxEntries || _TOTAL_BYTES > LIMITS.maxTotalBytes) {
+    const firstKey = _AST_CACHE.keys().next().value;
+    if (!firstKey) break;
+    const entry = _AST_CACHE.get(firstKey);
+    _AST_CACHE.delete(firstKey);
+    _TOTAL_BYTES -= entry?.bytes || 0;
+  }
+}
+
+function getAST(code, filePath = "<unknown>") {
+  // Caller should already filter, but keep extra guards here.
+  const bytes = Buffer.byteLength(code || "", "utf8");
+  if (!code || bytes > LIMITS.maxFileBytes) return null;
+  if (isProbablyMinified(code)) return null;
+
+  const key = String(filePath || "<unknown>");
+  const hash = sha1(code);
+
+  const existing = _AST_CACHE.get(key);
+  if (existing && existing.hash === hash && existing.ast) {
+    // LRU touch
+    _AST_CACHE.delete(key);
+    _AST_CACHE.set(key, existing);
+    return existing.ast;
+  }
+
+  const ast = parseCode(code, key);
+  if (!ast) return null;
+
+  const entry = {
+    ast,
+    hash,
+    bytes,
+    lines: countNewlines(code),
+    ts: Date.now(),
+  };
+
+  if (existing) _TOTAL_BYTES -= existing.bytes || 0;
+  _AST_CACHE.set(key, entry);
+  _TOTAL_BYTES += bytes;
+
+  _evictIfNeeded();
+  return ast;
+}
+
+function clearASTCache() {
+  _AST_CACHE.clear();
+  _TOTAL_BYTES = 0;
+}
+
+function getASTCacheStats() {
+  return {
+    entries: _AST_CACHE.size,
+    totalBytes: _TOTAL_BYTES,
+    limits: { ...LIMITS },
+  };
+}
+
+module.exports = {
+  getAST,
+  parseCode,
+  clearASTCache,
+  getASTCacheStats,
+};

package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js

@@ -0,0 +1,291 @@
+/**
+ * Code Quality Engine
+ * Detects high cyclomatic complexity, long functions, deep nesting, and magic numbers.
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+const MAX_COMPLEXITY = 30; // Increased from 18 - many legitimate functions have complexity 20-25
+const MAX_FUNCTION_LENGTH = 200; // Increased from 120 - allow longer functions
+const MAX_NESTING_DEPTH = 7; // Increased from 5 - many legitimate nested structures
+
+function snippetForLine(lines, line) {
+  return lines[line - 1] ? lines[line - 1].trim() : "";
+}
+
+function isMagicNumberLiteral(node) {
+  if (!t.isNumericLiteral(node)) return false;
+  const v = node.value;
+
+  // commonly acceptable constants - expanded list
+  const allowed = new Set([
+    0, 1, -1, 2, -2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
+    20, 24, 30, 32, 60, 64, 100, 128, 256, 512, 1000, 1024, 2000, 3000,
+    3600, 86400, // common time constants
+  ]);
+  if (allowed.has(v)) return false;
+
+  // Skip small integers (likely array indices, counts, etc.)
+  if (Math.abs(v) < 20 && Number.isInteger(v)) return false;
+
+  // Skip common HTTP status codes
+  if (v >= 200 && v <= 599 && Number.isInteger(v)) return false;
+
+  // Skip common port numbers
+  if (v >= 3000 && v <= 9999 && Number.isInteger(v)) return false;
+
+  if (!Number.isFinite(v)) return false;
+  return true;
+}
+
+function calculateCyclomaticComplexity(fnPath) {
+  let complexity = 1;
+
+  fnPath.traverse({
+    // don't count nested functions
+    Function(inner) {
+      if (inner !== fnPath) inner.skip();
+    },
+    IfStatement() {
+      complexity++;
+    },
+    ForStatement() {
+      complexity++;
+    },
+    ForInStatement() {
+      complexity++;
+    },
+    ForOfStatement() {
+      complexity++;
+    },
+    WhileStatement() {
+      complexity++;
+    },
+    DoWhileStatement() {
+      complexity++;
+    },
+    ConditionalExpression() {
+      complexity++;
+    },
+    LogicalExpression(p) {
+      if (p.node.operator === "&&" || p.node.operator === "||") complexity++;
+    },
+    SwitchCase() {
+      complexity++;
+    },
+    CatchClause() {
+      complexity++;
+    },
+  });
+
+  return complexity;
+}
+
+function measureMaxNesting(fnPath) {
+  let maxDepth = 0;
+
+  function walk(node, depth) {
+    if (!node) return;
+    maxDepth = Math.max(maxDepth, depth);
+
+    // stop nesting analysis at nested functions/classes
+    if (t.isFunction(node) || t.isArrowFunctionExpression(node) || t.isClass(node)) return;
+
+    const next = [];
+
+    if (t.isBlockStatement(node)) next.push(...node.body);
+    else if (t.isIfStatement(node)) {
+      next.push(node.consequent);
+      if (node.alternate) next.push(node.alternate);
+    } else if (
+      t.isForStatement(node) ||
+      t.isForInStatement(node) ||
+      t.isForOfStatement(node) ||
+      t.isWhileStatement(node) ||
+      t.isDoWhileStatement(node)
+    ) {
+      next.push(node.body);
+    } else if (t.isTryStatement(node)) {
+      next.push(node.block);
+      if (node.handler) next.push(node.handler.body);
+      if (node.finalizer) next.push(node.finalizer);
+    } else if (t.isSwitchStatement(node)) {
+      next.push(...node.cases);
+    } else if (t.isSwitchCase(node)) {
+      next.push(...node.consequent);
+    }
+
+    for (const n of next) walk(n, depth + 1);
+  }
+
+  const body = fnPath.node.body;
+  walk(body, 0);
+  return maxDepth;
+}
+
+function getFunctionName(fnPath) {
+  const n = fnPath.node;
+
+  if (t.isFunctionDeclaration(n) && n.id?.name) return n.id.name;
+
+  // const foo = () => {}
+  if (
+    (t.isFunctionExpression(n) || t.isArrowFunctionExpression(n)) &&
+    t.isVariableDeclarator(fnPath.parent) &&
+    t.isIdentifier(fnPath.parent.id)
+  ) {
+    return fnPath.parent.id.name;
+  }
+
+  if (t.isObjectMethod(n) && t.isIdentifier(n.key)) return n.key.name;
+  if (t.isClassMethod(n) && t.isIdentifier(n.key)) return n.key.name;
+
+  return "<anonymous>";
+}
+
+function analyzeCodeQuality(code, filePath) {
+  const findings = [];
+
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "code-quality")) return findings;
+
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+  const seenMagic = new Set();
+
+  function analyzeFunction(fnPath) {
+    if (!fnPath.node.loc) return;
+
+    const name = getFunctionName(fnPath);
+
+    // length (lines)
+    const startLine = fnPath.node.loc.start.line;
+    const endLine = fnPath.node.loc.end.line;
+    const length = endLine - startLine + 1;
+
+    if (length > MAX_FUNCTION_LENGTH) {
+      findings.push({
+        type: "long_function",
+        severity: "WARN",
+        category: "CodeQuality",
+        file: filePath,
+        line: startLine,
+        column: fnPath.node.loc.start.column,
+        title: `Long function: ${name}`,
+        message: `Function is ${length} lines long. Consider extracting helpers.`,
+        codeSnippet: snippetForLine(lines, startLine),
+        confidence: "med",
+      });
+    }
+
+    // complexity
+    const complexity = calculateCyclomaticComplexity(fnPath);
+    if (complexity > MAX_COMPLEXITY) {
+      findings.push({
+        type: "high_complexity",
+        severity: "WARN",
+        category: "CodeQuality",
+        file: filePath,
+        line: startLine,
+        column: fnPath.node.loc.start.column,
+        title: `High complexity: ${name}`,
+        message: `Cyclomatic complexity is ${complexity} (limit ${MAX_COMPLEXITY}).`,
+        codeSnippet: snippetForLine(lines, startLine),
+        confidence: "med",
+      });
+    }
+
+    // nesting
+    const nesting = measureMaxNesting(fnPath);
+    if (nesting > MAX_NESTING_DEPTH) {
+      findings.push({
+        type: "deep_nesting",
+        severity: "WARN",
+        category: "CodeQuality",
+        file: filePath,
+        line: startLine,
+        column: fnPath.node.loc.start.column,
+        title: `Deep nesting: ${name}`,
+        message: `Max nesting depth is ${nesting} (limit ${MAX_NESTING_DEPTH}).`,
+        codeSnippet: snippetForLine(lines, startLine),
+        confidence: "low",
+      });
+    }
+  }
+
+  traverse(ast, {
+    FunctionDeclaration(path) {
+      analyzeFunction(path);
+    },
+    FunctionExpression(path) {
+      analyzeFunction(path);
+    },
+    ArrowFunctionExpression(path) {
+      analyzeFunction(path);
+    },
+
+    NumericLiteral(path) {
+      if (!path.node.loc) return;
+      if (!isMagicNumberLiteral(path.node)) return;
+
+      // reduce noise in obvious non-business contexts
+      if (path.parentPath.isUnaryExpression() && path.parent.operator === "-") return;
+      if (path.parentPath.isObjectProperty() && path.parent.key === path.node) return;
+      if (path.parentPath.isMemberExpression() && path.parent.computed && path.parent.property === path.node) return;
+      if (path.parentPath.isArrayExpression()) return; // array indices are fine
+      if (path.parentPath.isCallExpression()) return; // function arguments might be legitimate
+      if (path.parentPath.isBinaryExpression()) {
+        // Skip common math operations with small numbers
+        const op = path.parent.operator;
+        if (['+', '-', '*', '/', '%'].includes(op)) return;
+      }
+
+      // skip enums / TS literal types if present
+      if (path.findParent((p) => p.isTSEnumDeclaration?.() || p.isTSLiteralType?.())) return;
+
+      // Skip if inside a test context
+      if (path.findParent((p) => {
+        const fn = p.getFunctionParent?.();
+        if (!fn) return false;
+        const name = getFunctionName(fn);
+        return /test|spec|it|describe/i.test(name);
+      })) return;
+
+      const line = path.node.loc.start.line;
+      const col = path.node.loc.start.column;
+      const key = `${line}:${col}`;
+      if (seenMagic.has(key)) return;
+      seenMagic.add(key);
+
+      // Only flag larger numbers or decimals as magic numbers
+      const v = path.node.value;
+      if (Math.abs(v) < 100 && Number.isInteger(v)) return; // Skip small integers entirely
+
+      findings.push({
+        type: "magic_number",
+        severity: "INFO",
+        category: "CodeQuality",
+        file: filePath,
+        line,
+        column: col,
+        title: "Magic number",
+        message: `Numeric literal ${path.node.value} may be clearer as a named constant.`,
+        codeSnippet: snippetForLine(lines, line),
+        confidence: "low",
+      });
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzeCodeQuality,
+  parseCode,
+};

package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js

@@ -0,0 +1,83 @@
+/**
+ * Console Logs Engine
+ * Finds console.* usage that should not ship to production.
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+function hasNoConsoleDisable(lines, lineIndex) {
+  const l = (lines[lineIndex] || "").toLowerCase();
+  const prev = (lines[lineIndex - 1] || "").toLowerCase();
+  return (
+    l.includes("eslint-disable-next-line no-console") ||
+    prev.includes("eslint-disable-next-line no-console") ||
+    l.includes("eslint-disable no-console") ||
+    prev.includes("eslint-disable no-console") ||
+    l.includes("vibecheck-allow-console") ||
+    prev.includes("vibecheck-allow-console")
+  );
+}
+
+function analyzeConsoleLogs(code, filePath) {
+  const findings = [];
+
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "console-logs")) return findings;
+
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  traverse(ast, {
+    CallExpression(path) {
+      const callee = path.node.callee;
+      if (!t.isMemberExpression(callee)) return;
+      if (!t.isIdentifier(callee.object, { name: "console" })) return;
+      if (!t.isIdentifier(callee.property)) return;
+
+      const method = callee.property.name;
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      if (hasNoConsoleDisable(lines, loc.line - 1)) return;
+
+      // classify severity
+      let severity = "WARN";
+      let confidence = "high";
+      if (method === "error" || method === "warn") {
+        severity = "INFO"; // these can be acceptable, but often should be routed to logger
+        confidence = "med";
+      } else if (method === "debug" || method === "trace") {
+        severity = "WARN";
+        confidence = "med";
+      } else if (method === "log") {
+        severity = "WARN";
+      }
+
+      findings.push({
+        type: "console_log",
+        severity,
+        category: "CodeQuality",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: `Console.${method} usage`,
+        message: `Consider removing console.${method} or replacing with structured logging.`,
+        codeSnippet: lines[loc.line - 1]?.trim(),
+        confidence,
+      });
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzeConsoleLogs,
+  parseCode,
+};