@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js

@@ -0,0 +1,164 @@
+/**
+ * Parallel Processor
+ * Utility to process a list of files concurrently with bounded parallelism.
+ *
+ * NOTE: The caller provides `processor(filePath)` which may return any value.
+ * We collect both results and errors without crashing the whole run.
+ */
+
+const os = require("os");
+
+/**
+ * Run a promise with an optional timeout.
+ */
+async function withTimeout(promise, timeoutMs, label = "operation") {
+  if (!timeoutMs || timeoutMs <= 0) return promise;
+
+  let timer = null;
+  const timeout = new Promise((_, reject) => {
+    timer = setTimeout(() => {
+      const err = new Error(`${label} timed out after ${timeoutMs}ms`);
+      err.code = "ETIMEDOUT";
+      reject(err);
+    }, timeoutMs);
+  });
+
+  try {
+    return await Promise.race([promise, timeout]);
+  } finally {
+    if (timer) clearTimeout(timer);
+  }
+}
+
+/**
+ * Process files in parallel with bounded concurrency.
+ *
+ * @param {string[]} files
+ * @param {(filePath: string) => Promise<any>} processor
+ * @param {object} options
+ * @returns {Promise<{results: Array<{file: string, result: any}>, errors: Array<{file: string, error: Error}>, stats: object}>}
+ */
+async function processFilesInParallel(files, processor, options = {}) {
+  const concurrency =
+    Number.isFinite(options.concurrency) && options.concurrency > 0
+      ? Math.floor(options.concurrency)
+      : Math.max(1, Math.min(os.cpus().length, 8));
+
+  const timeoutMs = Number.isFinite(options.timeoutMs) ? options.timeoutMs : 0;
+  const stopOnError = Boolean(options.stopOnError);
+  const onProgress = typeof options.onProgress === "function" ? options.onProgress : null;
+  const signal = options.signal;
+
+  const results = [];
+  const errors = [];
+
+  let cursor = 0;
+  let completed = 0;
+  const startedAt = Date.now();
+
+  function reportProgress(file, kind) {
+    if (!onProgress) return;
+    try {
+      onProgress({
+        kind,
+        file,
+        completed,
+        total: files.length,
+        errors: errors.length,
+        elapsedMs: Date.now() - startedAt,
+      });
+    } catch {
+      // ignore progress handler failures
+    }
+  }
+
+  async function runFile(filePath) {
+    if (signal?.aborted) {
+      const err = new Error("Aborted");
+      err.code = "ABORTED";
+      throw err;
+    }
+
+    const label = `process(${filePath})`;
+    const result = await withTimeout(Promise.resolve().then(() => processor(filePath)), timeoutMs, label);
+    return result;
+  }
+
+  async function worker(workerId) {
+    // eslint-disable-next-line no-constant-condition
+    while (true) {
+      if (signal?.aborted) break;
+      if (stopOnError && errors.length) break;
+
+      const i = cursor++;
+      if (i >= files.length) break;
+
+      const filePath = files[i];
+      reportProgress(filePath, "start");
+
+      try {
+        const result = await runFile(filePath);
+        results.push({ file: filePath, result });
+      } catch (error) {
+        errors.push({ file: filePath, error });
+        reportProgress(filePath, "error");
+      } finally {
+        completed++;
+        reportProgress(filePath, "done");
+      }
+    }
+  }
+
+  const workers = Array.from({ length: Math.min(concurrency, files.length) }, (_, i) => worker(i));
+  await Promise.all(workers);
+
+  return {
+    results,
+    errors,
+    stats: {
+      totalFiles: files.length,
+      processed: completed,
+      results: results.length,
+      errors: errors.length,
+      concurrency,
+      timeoutMs,
+      elapsedMs: Date.now() - startedAt,
+      aborted: Boolean(signal?.aborted),
+    },
+  };
+}
+
+/**
+ * Process in sequential batches (useful when you want deterministic ordering).
+ *
+ * @param {string[]} files
+ * @param {(filePath: string) => Promise<any>} processor
+ * @param {number} batchSize
+ */
+async function processFilesInBatches(files, processor, batchSize = 10) {
+  const results = [];
+  const errors = [];
+  const size = Math.max(1, Number(batchSize) || 10);
+
+  for (let i = 0; i < files.length; i += size) {
+    const batch = files.slice(i, i + size);
+    const batchResults = await Promise.allSettled(batch.map((f) => Promise.resolve().then(() => processor(f))));
+
+    for (let j = 0; j < batchResults.length; j++) {
+      const file = batch[j];
+      const r = batchResults[j];
+      if (r.status === "fulfilled") {
+        results.push({ file, result: r.value });
+      } else {
+        errors.push({ file, error: r.reason });
+      }
+    }
+  }
+
+  return { results, errors };
+}
+
+module.exports = {
+  processFilesInParallel,
+  processFilesInBatches,
+};

package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js

@@ -0,0 +1,234 @@
+/**
+ * Performance Issues Engine
+ * Detects potential performance problems:
+ * - Nested loops
+ * - Potential memory leaks (event listeners without cleanup)
+ * - Expensive operations in render-like contexts (heuristic)
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+function snippetForLine(lines, line) {
+  return lines[line - 1] ? lines[line - 1].trim() : "";
+}
+
+function isLoopStatement(node) {
+  return (
+    t.isForStatement(node) ||
+    t.isForInStatement(node) ||
+    t.isForOfStatement(node) ||
+    t.isWhileStatement(node) ||
+    t.isDoWhileStatement(node)
+  );
+}
+
+function getEventName(callNode) {
+  const arg0 = callNode.arguments?.[0];
+  if (t.isStringLiteral(arg0)) return arg0.value;
+  if (t.isIdentifier(arg0)) return arg0.name;
+  return null;
+}
+
+function calleePropertyName(callNode) {
+  const callee = callNode.callee;
+  if (t.isMemberExpression(callee) && t.isIdentifier(callee.property) && !callee.computed) return callee.property.name;
+  if (t.isIdentifier(callee)) return callee.name;
+  return null;
+}
+
+function hasMatchingRemoveEventListener(fnPath, eventName) {
+  let found = false;
+
+  fnPath.traverse({
+    Function(inner) {
+      if (inner !== fnPath) inner.skip();
+    },
+    CallExpression(p) {
+      const name = calleePropertyName(p.node);
+      if (name !== "removeEventListener") return;
+      const ev = getEventName(p.node);
+      if (!eventName || !ev) {
+        // no event info: still counts as cleanup
+        found = true;
+        return;
+      }
+      if (ev === eventName) found = true;
+    },
+  });
+
+  return found;
+}
+
+function isLikelyRenderContext(path) {
+  // Heuristic: inside a function named render, or a React component (PascalCase) returning JSX
+  const fn = path.getFunctionParent();
+  if (!fn) return false;
+
+  const node = fn.node;
+  let name = null;
+
+  if (t.isFunctionDeclaration(node) && node.id?.name) name = node.id.name;
+  if ((t.isFunctionExpression(node) || t.isArrowFunctionExpression(node)) && t.isVariableDeclarator(fn.parent) && t.isIdentifier(fn.parent.id)) {
+    name = fn.parent.id.name;
+  }
+
+  if (name === "render") return true;
+  if (name && /^[A-Z]/.test(name)) return true; // component-ish
+
+  // If function returns JSX somewhere
+  let returnsJSX = false;
+  fn.traverse({
+    Function(inner) {
+      if (inner !== fn) inner.skip();
+    },
+    ReturnStatement(r) {
+      if (t.isJSXElement(r.node.argument) || t.isJSXFragment(r.node.argument)) returnsJSX = true;
+    },
+  });
+
+  return returnsJSX;
+}
+
+function analyzePerformanceIssues(code, filePath) {
+  const findings = [];
+
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "performance")) return findings;
+
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  traverse(ast, {
+    // Nested loops - only flag 3+ levels deep
+    enter(path) {
+      if (!isLoopStatement(path.node)) return;
+
+      // Count nesting depth
+      let depth = 0;
+      let current = path;
+      while (current) {
+        if (isLoopStatement(current.node)) {
+          depth++;
+        }
+        current = current.parentPath;
+      }
+
+      // Only flag if 3 or more levels deep
+      if (depth < 3) return;
+
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      findings.push({
+        type: "nested_loop",
+        severity: "WARN",
+        category: "Performance",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: `Deeply nested loop (${depth} levels)`,
+        message: "Deeply nested loops can be expensive. Consider optimizing or using better data structures.",
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "med",
+      });
+      path.skip(); // avoid multiple nested loop reports in same subtree
+    },
+
+    // Event listeners without cleanup - only flag in component-like contexts
+    CallExpression(path) {
+      const callee = path.node.callee;
+      if (!t.isMemberExpression(callee)) return;
+      if (callee.computed) return;
+      if (!t.isIdentifier(callee.property, { name: "addEventListener" })) return;
+
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      // Skip if not in a component-like context (React, Vue, etc.)
+      const fn = path.getFunctionParent();
+      if (!fn) return;
+
+      // Only flag in component-like functions or useEffect-like hooks
+      const fnName = fn.node.id?.name || (fn.parent?.id?.name);
+      const isComponent = fnName && /^[A-Z]/.test(fnName);
+      const isEffectHook = fnName && /useEffect|useLayoutEffect|componentDidMount|componentWillUnmount/i.test(fnName);
+      
+      if (!isComponent && !isEffectHook) return;
+
+      const evName = getEventName(path.node);
+      const hasCleanup = hasMatchingRemoveEventListener(fn, evName);
+
+      if (hasCleanup) return;
+
+      findings.push({
+        type: "potential_memory_leak",
+        severity: "WARN",
+        category: "Performance",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: "Event listener without cleanup",
+        message: "addEventListener() found without a matching removeEventListener() in the same function scope.",
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "low",
+      });
+    },
+
+    // Expensive operations in render-like contexts
+    CallExpression(path) {
+      const callee = path.node.callee;
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      if (!isLikelyRenderContext(path)) return;
+
+      // JSON.parse / stringify in render
+      if (t.isMemberExpression(callee) && t.isIdentifier(callee.object, { name: "JSON" }) && t.isIdentifier(callee.property)) {
+        const m = callee.property.name;
+        if (m === "parse" || m === "stringify") {
+          findings.push({
+            type: "expensive_render_op",
+            severity: "INFO",
+            category: "Performance",
+            file: filePath,
+            line: loc.line,
+            column: loc.column,
+            title: `JSON.${m} in render context`,
+            message: "Consider moving JSON parsing/serialization out of render to avoid repeated work.",
+            codeSnippet: snippetForLine(lines, loc.line),
+            confidence: "low",
+          });
+        }
+      }
+
+      // Array.sort in render (mutates + expensive)
+      if (t.isMemberExpression(callee) && t.isIdentifier(callee.property, { name: "sort" })) {
+        findings.push({
+          type: "expensive_render_op",
+          severity: "INFO",
+          category: "Performance",
+          file: filePath,
+          line: loc.line,
+          column: loc.column,
+          title: "Array.sort in render context",
+          message: "Sorting during render can be expensive and mutates arrays. Consider sorting in memoized/selectors.",
+          codeSnippet: snippetForLine(lines, loc.line),
+          confidence: "low",
+        });
+      }
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzePerformanceIssues,
+  parseCode,
+};

package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js

@@ -0,0 +1,217 @@
+/**
+ * Type-Aware Engine (TypeScript focused)
+ * Detects risky TypeScript patterns: any, non-null assertions, ts-ignore, unsafe casts, missing return types on exported APIs.
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+function isTSFile(filePath) {
+  return filePath.endsWith(".ts") || filePath.endsWith(".tsx");
+}
+
+function snippetForLine(lines, line) {
+  return lines[line - 1] ? lines[line - 1].trim() : "";
+}
+
+function isExportedFunctionPath(path) {
+  // export function foo() {}
+  if (path.parentPath?.isExportNamedDeclaration?.() || path.parentPath?.isExportDefaultDeclaration?.()) return true;
+
+  // export const foo = () => {}
+  const exportDecl = path.findParent((p) => p.isExportNamedDeclaration?.());
+  if (exportDecl) return true;
+
+  return false;
+}
+
+function analyzeTypeAware(code, filePath) {
+  const findings = [];
+
+  if (!isTSFile(filePath)) return findings;
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "type-aware")) return findings;
+
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  // Scan header comments for ts-ignore
+  const comments = ast.comments || [];
+  for (const c of comments) {
+    const v = (c.value || "").trim();
+    if (/^@ts-ignore\b/.test(v) || /^@ts-expect-error\b/.test(v)) {
+      const line = c.loc?.start?.line || 1;
+      findings.push({
+        type: "ts_ignore",
+        severity: "WARN",
+        category: "TypeSafety",
+        file: filePath,
+        line,
+        column: c.loc?.start?.column || 0,
+        title: "TypeScript ignore directive used",
+        message: `Found ${v.split(/\s+/)[0]} - this bypasses type safety.`,
+        codeSnippet: snippetForLine(lines, line),
+        confidence: "high",
+      });
+    }
+  }
+
+  // General TS AST checks
+  traverse(ast, {
+    TSAnyKeyword(path) {
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      findings.push({
+        type: "any_type",
+        severity: "WARN",
+        category: "TypeSafety",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: "Usage of 'any' type",
+        message: "Avoid 'any' where possible. Prefer unknown + narrowing or a specific type.",
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "high",
+      });
+    },
+
+    TSNonNullExpression(path) {
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      findings.push({
+        type: "non_null_assertion",
+        severity: "WARN",
+        category: "TypeSafety",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: "Non-null assertion used (!)",
+        message: "Non-null assertions can hide real null/undefined bugs. Consider proper checks.",
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "med",
+      });
+    },
+
+    TSAsExpression(path) {
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      const typeAnn = path.node.typeAnnotation;
+      if (t.isTSAnyKeyword(typeAnn)) {
+        findings.push({
+          type: "unsafe_type_cast",
+          severity: "WARN",
+          category: "TypeSafety",
+          file: filePath,
+          line: loc.line,
+          column: loc.column,
+          title: "Unsafe type cast to 'any'",
+          message: "Casting to 'any' disables type checking. Prefer unknown + validation.",
+          codeSnippet: snippetForLine(lines, loc.line),
+          confidence: "high",
+        });
+      }
+    },
+
+    FunctionDeclaration(path) {
+      if (!path.node.loc) return;
+      if (!isExportedFunctionPath(path)) return;
+
+      // only flag when return type is missing AND the body has at least one return
+      const hasReturnType = Boolean(path.node.returnType);
+      if (hasReturnType) return;
+
+      let returnsValue = false;
+      path.traverse({
+        Function(inner) {
+          if (inner !== path) inner.skip();
+        },
+        ReturnStatement(r) {
+          if (r.node.argument) returnsValue = true;
+        },
+      });
+
+      if (!returnsValue) return;
+
+      const line = path.node.loc.start.line;
+      findings.push({
+        type: "missing_return_type",
+        severity: "INFO",
+        category: "TypeSafety",
+        file: filePath,
+        line,
+        column: path.node.loc.start.column,
+        title: "Exported function missing explicit return type",
+        message: "Public/ exported APIs should specify return types for stability and clarity.",
+        codeSnippet: snippetForLine(lines, line),
+        confidence: "low",
+      });
+    },
+
+    ExportNamedDeclaration(path) {
+      // export const foo = () => {}
+      const decl = path.node.declaration;
+      if (!t.isVariableDeclaration(decl)) return;
+
+      for (const d of decl.declarations) {
+        if (!t.isVariableDeclarator(d)) continue;
+        if (!t.isIdentifier(d.id) || !d.init) continue;
+        if (!t.isArrowFunctionExpression(d.init) && !t.isFunctionExpression(d.init)) continue;
+
+        const fnNode = d.init;
+        const hasReturnType = Boolean(fnNode.returnType);
+        if (hasReturnType) continue;
+
+        // Only if it returns a value
+        let returnsValue = false;
+        traverse(
+          t.file(t.program([t.expressionStatement(fnNode)])),
+          {
+            ReturnStatement(r) {
+              if (r.node.argument) returnsValue = true;
+            },
+            Function(inner) {
+              // skip nested
+              inner.skip();
+            },
+          },
+          undefined,
+          undefined,
+          undefined
+        );
+
+        if (!returnsValue) continue;
+
+        const loc = fnNode.loc?.start;
+        if (!loc) continue;
+
+        findings.push({
+          type: "missing_return_type",
+          severity: "INFO",
+          category: "TypeSafety",
+          file: filePath,
+          line: loc.line,
+          column: loc.column,
+          title: "Exported function missing explicit return type",
+          message: `Exported '${d.id.name}' should specify a return type.`,
+          codeSnippet: snippetForLine(lines, loc.line),
+          confidence: "low",
+        });
+      }
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzeTypeAware,
+  parseCode,
+};

package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js

@@ -0,0 +1,78 @@
+/**
+ * Unsafe Regex Engine
+ * Detects potentially catastrophic backtracking patterns.
+ *
+ * This is heuristic-based. It aims to flag the riskiest regexes:
+ * - Nested quantifiers like (.+)+, (.*)*, (a|aa)+, ([\s\S]*)+
+ * - Ambiguous repetitions inside groups: (a|a?)+ etc
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+function snippetForLine(lines, line) {
+  return lines[line - 1] ? lines[line - 1].trim() : "";
+}
+
+function isRiskyPattern(pattern) {
+  if (!pattern || typeof pattern !== "string") return false;
+
+  // Nested quantifiers: (.*)+, (.+)+, (.*)*, (.+)*
+  if (/\((?:[^()\\]|\\.)*([+*])\)\s*[+*]/.test(pattern)) return true;
+
+  // Very broad character classes repeated aggressively
+  if (/\[(?:\\s\\S|\\S\\s|\\w\\W|\\W\\w|\\d\\D|\\D\\d)\]\s*[+*]\s*[+*]/.test(pattern)) return true;
+
+  // Alternation inside repetition: (a|aa)+ or (.*|.+)+
+  if (/\((?:[^()\\]|\\.)*\|(?:[^()\\]|\\.)*\)\s*[+*]/.test(pattern)) return true;
+
+  // Repetition of ambiguous wildcard with backreferences (commonly risky)
+  if (/(\.\*|\.\+).*\1/.test(pattern)) return true;
+
+  return false;
+}
+
+function analyzeUnsafeRegex(code, filePath) {
+  const findings = [];
+
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "unsafe-regex")) return findings;
+
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  traverse(ast, {
+    RegExpLiteral(path) {
+      const pattern = path.node.pattern;
+      if (!isRiskyPattern(pattern)) return;
+
+      const loc = path.node.loc?.start;
+      if (!loc) return;
+
+      findings.push({
+        type: "unsafe_regex",
+        severity: "WARN",
+        category: "Security",
+        file: filePath,
+        line: loc.line,
+        column: loc.column,
+        title: "Potential ReDoS risk in regex",
+        message: `Regex pattern "${pattern}" may cause catastrophic backtracking.`,
+        codeSnippet: snippetForLine(lines, loc.line),
+        confidence: "med",
+      });
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzeUnsafeRegex,
+  parseCode,
+};