@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/engines/bundle-size-engine.js

@@ -1,433 +0,0 @@
-/**
- * Bundle Size Analyzer Engine
- * Detects:
- * - Large library imports that hurt bundle size
- * - Non-tree-shakeable imports
- * - Heavy dependencies that have lighter alternatives
- * - Dynamic imports that could be code-split
- * - Duplicate functionality across packages
- */
-
-const { getAST } = require("./ast-cache");
-const traverse = require("@babel/traverse").default;
-const t = require("@babel/types");
-const { shouldExcludeFile } = require("./file-filter");
-
-/**
- * Known heavy packages with size estimates and alternatives
- */
-const HEAVY_PACKAGES = {
-  // Date/time libraries
-  moment: {
-    size: "290KB",
-    minified: "72KB",
-    alternatives: ["date-fns", "dayjs", "luxon"],
-    message: "moment.js is large and mutable. Consider date-fns (tree-shakeable) or dayjs (2KB).",
-  },
-  "moment-timezone": {
-    size: "900KB+",
-    minified: "200KB+",
-    alternatives: ["date-fns-tz", "luxon"],
-    message: "moment-timezone is very large. Consider date-fns-tz or native Intl API.",
-  },
-  
-  // Utility libraries
-  lodash: {
-    size: "530KB",
-    minified: "72KB",
-    alternatives: ["lodash-es", "lodash/[function]", "native ES"],
-    message: "Full lodash import adds ~70KB. Import individual functions or use lodash-es.",
-    checkTreeShaking: true,
-  },
-  underscore: {
-    size: "60KB",
-    minified: "18KB",
-    alternatives: ["native ES", "lodash-es"],
-    message: "underscore has native ES alternatives for most functions.",
-  },
-  ramda: {
-    size: "240KB",
-    minified: "50KB",
-    alternatives: ["native ES", "individual imports"],
-    message: "Consider importing only needed Ramda functions.",
-    checkTreeShaking: true,
-  },
-  
-  // UI frameworks
-  "@material-ui/core": {
-    size: "varies",
-    minified: "300KB+",
-    alternatives: ["@mui/material with tree-shaking"],
-    message: "Ensure you're importing MUI components individually, not from root.",
-    checkTreeShaking: true,
-  },
-  antd: {
-    size: "2MB+",
-    minified: "500KB+",
-    alternatives: ["individual antd imports"],
-    message: "Import antd components individually to enable tree-shaking.",
-    checkTreeShaking: true,
-  },
-  
-  // Visualization
-  "chart.js": {
-    size: "200KB",
-    minified: "60KB",
-    alternatives: ["lightweight-charts", "uPlot"],
-    message: "chart.js is large. For simple charts, consider lighter alternatives.",
-  },
-  d3: {
-    size: "500KB+",
-    minified: "100KB+",
-    alternatives: ["d3 micro-libraries", "visx"],
-    message: "Import only needed d3 modules (d3-scale, d3-shape) instead of full d3.",
-    checkTreeShaking: true,
-  },
-  
-  // Animation
-  "framer-motion": {
-    size: "130KB",
-    minified: "45KB",
-    alternatives: ["motion/react", "@formkit/auto-animate"],
-    message: "framer-motion is large. For simple animations, consider CSS or lighter libs.",
-  },
-  gsap: {
-    size: "60KB",
-    minified: "20KB",
-    alternatives: ["CSS animations", "Web Animations API"],
-    message: "For simple animations, CSS or Web Animations API may be sufficient.",
-  },
-  
-  // Validation
-  yup: {
-    size: "45KB",
-    minified: "15KB",
-    alternatives: ["zod", "valibot"],
-    message: "yup is heavier than zod or valibot. Consider switching if bundle size matters.",
-  },
-  joi: {
-    size: "150KB",
-    minified: "40KB",
-    alternatives: ["zod", "valibot"],
-    message: "joi is designed for Node.js. For browser, use zod or valibot.",
-  },
-  
-  // PDF generation
-  pdfkit: {
-    size: "2MB+",
-    minified: "500KB+",
-    alternatives: ["jspdf", "server-side generation"],
-    message: "Consider generating PDFs server-side to reduce client bundle.",
-  },
-  
-  // State management
-  redux: {
-    size: "20KB",
-    minified: "7KB",
-    alternatives: ["zustand", "jotai", "valtio"],
-    message: "For simpler state, zustand (1KB) or jotai may be sufficient.",
-  },
-  
-  // HTTP clients
-  axios: {
-    size: "30KB",
-    minified: "13KB",
-    alternatives: ["native fetch", "ky", "redaxios"],
-    message: "Native fetch or ky (3KB) may be sufficient for most use cases.",
-  },
-  
-  // Crypto
-  "crypto-js": {
-    size: "200KB",
-    minified: "50KB",
-    alternatives: ["Web Crypto API", "individual modules"],
-    message: "Use Web Crypto API for browser or import only needed modules.",
-    checkTreeShaking: true,
-  },
-  
-  // UUID
-  uuid: {
-    size: "15KB",
-    minified: "5KB",
-    alternatives: ["crypto.randomUUID()", "nanoid"],
-    message: "Modern browsers support crypto.randomUUID(). nanoid is only 130B.",
-  },
-};
-
-/**
- * Non-tree-shakeable import patterns
- */
-const NON_TREESHAKEABLE_PATTERNS = [
-  // Namespace imports from large libraries
-  { pattern: /import\s+\*\s+as\s+\w+\s+from\s+['"]lodash['"]/, lib: "lodash" },
-  { pattern: /import\s+\*\s+as\s+\w+\s+from\s+['"]ramda['"]/, lib: "ramda" },
-  { pattern: /import\s+\*\s+as\s+\w+\s+from\s+['"]d3['"]/, lib: "d3" },
-  
-  // Default imports from libraries that should use named imports
-  { pattern: /import\s+\w+\s+from\s+['"]lodash['"]/, lib: "lodash" },
-  { pattern: /import\s+\w+\s+from\s+['"]@material-ui\/core['"]/, lib: "@material-ui/core" },
-  { pattern: /import\s+\w+\s+from\s+['"]antd['"]/, lib: "antd" },
-  
-  // Importing entire icon sets
-  { pattern: /import\s+\*\s+as\s+\w+\s+from\s+['"]@?[\w-]+\/icons/, lib: "icons" },
-  { pattern: /import\s+\{\s*\*\s*\}\s+from\s+['"]lucide-react['"]/, lib: "lucide" },
-];
-
-/**
- * Server-only packages that shouldn't be in client bundles
- */
-const SERVER_ONLY_PACKAGES = [
-  "fs",
-  "path",
-  "crypto",
-  "http",
-  "https",
-  "net",
-  "child_process",
-  "bcrypt",
-  "bcryptjs",
-  "@prisma/client",
-  "pg",
-  "mysql2",
-  "mongodb",
-  "redis",
-  "nodemailer",
-  "sharp",
-];
-
-function snippetForLine(lines, line) {
-  return lines[line - 1] ? lines[line - 1].trim() : "";
-}
-
-/**
- * Check if file is a client-side file
- */
-function isClientFile(filePath, code) {
-  const normalizedPath = filePath.replace(/\\/g, "/");
-  
-  // Check for "use client" directive
-  if (/['"]use client['"]/.test(code)) return true;
-  
-  // Check path patterns
-  const clientPatterns = [
-    /\/components\//,
-    /\/pages\//,
-    /\/app\/.*\/page\./,
-    /\/src\/.*\.(tsx?|jsx?)$/,
-    /\/client\//,
-    /\/web\//,
-    /\/frontend\//,
-  ];
-  
-  const serverPatterns = [
-    /\/api\//,
-    /\/server\//,
-    /\/backend\//,
-    /\/lib\/server/,
-    /\.server\./,
-    /\/actions\//,
-  ];
-  
-  // Server patterns take precedence
-  if (serverPatterns.some(p => p.test(normalizedPath))) return false;
-  if (clientPatterns.some(p => p.test(normalizedPath))) return true;
-  
-  // Check for "use server" directive
-  if (/['"]use server['"]/.test(code)) return false;
-  
-  // Default to client for tsx/jsx files
-  return /\.(tsx|jsx)$/.test(normalizedPath);
-}
-
-/**
- * Analyze bundle size issues
- */
-function analyzeBundleSize(code, filePath) {
-  const findings = [];
-  
-  if (shouldExcludeFile(filePath)) return findings;
-  
-  const ast = getAST(code, filePath);
-  if (!ast) return findings;
-  
-  const lines = code.split("\n");
-  const isClient = isClientFile(filePath, code);
-  const importedPackages = new Set();
-
-  traverse(ast, {
-    ImportDeclaration(path) {
-      const source = path.node.source.value;
-      const loc = path.node.loc?.start;
-      if (!loc) return;
-      
-      // Get the root package name
-      const packageName = source.startsWith("@")
-        ? source.split("/").slice(0, 2).join("/")
-        : source.split("/")[0];
-      
-      importedPackages.add(packageName);
-      
-      // Check for heavy packages
-      const heavyPkg = HEAVY_PACKAGES[packageName];
-      if (heavyPkg) {
-        const specifiers = path.node.specifiers;
-        const isNamespaceImport = specifiers.some(s => t.isImportNamespaceSpecifier(s));
-        const isDefaultImport = specifiers.some(s => t.isImportDefaultSpecifier(s));
-        
-        // Check if tree-shaking is being prevented
-        let isTreeShakeIssue = false;
-        if (heavyPkg.checkTreeShaking) {
-          // Namespace import prevents tree-shaking
-          if (isNamespaceImport) isTreeShakeIssue = true;
-          // Importing from root instead of subpath
-          if (isDefaultImport && source === packageName) isTreeShakeIssue = true;
-        }
-        
-        // Only warn for client bundles or tree-shake issues
-        if (isClient || isTreeShakeIssue) {
-          findings.push({
-            type: "heavy_dependency",
-            severity: isTreeShakeIssue ? "WARN" : "INFO",
-            category: "BundleSize",
-            file: filePath,
-            line: loc.line,
-            column: loc.column,
-            title: `Heavy package: ${packageName} (~${heavyPkg.minified} minified)`,
-            message: heavyPkg.message,
-            codeSnippet: snippetForLine(lines, loc.line),
-            confidence: isTreeShakeIssue ? "high" : "med",
-            fixHint: `Consider: ${heavyPkg.alternatives.join(", ")}`,
-          });
-        }
-      }
-      
-      // Check for server-only packages in client code
-      if (isClient && SERVER_ONLY_PACKAGES.includes(packageName)) {
-        findings.push({
-          type: "server_only_import",
-          severity: "BLOCK",
-          category: "BundleSize",
-          file: filePath,
-          line: loc.line,
-          column: loc.column,
-          title: `Server-only package in client bundle: ${packageName}`,
-          message: `'${packageName}' should not be imported in client-side code.`,
-          codeSnippet: snippetForLine(lines, loc.line),
-          confidence: "high",
-          fixHint: "Move this import to a server component or API route",
-        });
-      }
-      
-      // Check for non-tree-shakeable patterns
-      const importLine = code.substring(path.node.start, path.node.end);
-      for (const { pattern, lib } of NON_TREESHAKEABLE_PATTERNS) {
-        if (pattern.test(importLine)) {
-          findings.push({
-            type: "non_treeshakeable",
-            severity: "WARN",
-            category: "BundleSize",
-            file: filePath,
-            line: loc.line,
-            column: loc.column,
-            title: `Non-tree-shakeable import from ${lib}`,
-            message: "This import pattern prevents tree-shaking, including the entire library.",
-            codeSnippet: snippetForLine(lines, loc.line),
-            confidence: "high",
-            fixHint: `Import only what you need: import { specificFn } from '${lib}'`,
-          });
-          break;
-        }
-      }
-      
-      // Check for large icon imports
-      if (/icons?/i.test(source)) {
-        const specifiers = path.node.specifiers;
-        const namedImports = specifiers.filter(s => t.isImportSpecifier(s));
-        
-        if (namedImports.length > 20) {
-          findings.push({
-            type: "large_icon_import",
-            severity: "INFO",
-            category: "BundleSize",
-            file: filePath,
-            line: loc.line,
-            column: loc.column,
-            title: `Large icon import (${namedImports.length} icons)`,
-            message: "Consider code-splitting or using dynamic imports for icons.",
-            codeSnippet: snippetForLine(lines, loc.line),
-            confidence: "low",
-            fixHint: "Use dynamic imports: const Icon = dynamic(() => import('...'))",
-          });
-        }
-      }
-    },
-    
-    // Check for dynamic imports that could benefit from code splitting
-    CallExpression(path) {
-      const callee = path.node.callee;
-      const loc = path.node.loc?.start;
-      if (!loc) return;
-      
-      // Check import() calls
-      if (t.isImport(callee)) {
-        const arg = path.node.arguments[0];
-        if (t.isStringLiteral(arg)) {
-          const importPath = arg.value;
-          const packageName = importPath.startsWith("@")
-            ? importPath.split("/").slice(0, 2).join("/")
-            : importPath.split("/")[0];
-          
-          // Heavy packages being dynamically imported - good!
-          if (HEAVY_PACKAGES[packageName]) {
-            // This is actually good practice, just note it
-          }
-        }
-      }
-      
-      // Check require() calls (CommonJS)
-      if (t.isIdentifier(callee, { name: "require" })) {
-        const arg = path.node.arguments[0];
-        if (t.isStringLiteral(arg)) {
-          const importPath = arg.value;
-          const packageName = importPath.startsWith("@")
-            ? importPath.split("/").slice(0, 2).join("/")
-            : importPath.split("/")[0];
-          
-          if (isClient && SERVER_ONLY_PACKAGES.includes(packageName)) {
-            findings.push({
-              type: "server_only_require",
-              severity: "BLOCK",
-              category: "BundleSize",
-              file: filePath,
-              line: loc.line,
-              column: loc.column,
-              title: `Server-only require in client bundle: ${packageName}`,
-              message: `'${packageName}' should not be required in client-side code.`,
-              codeSnippet: snippetForLine(lines, loc.line),
-              confidence: "high",
-              fixHint: "Move this require to a server component or API route",
-            });
-          }
-        }
-      }
-    },
-  });
-
-  return findings;
-}
-
-/**
- * Get recommended alternatives for a package
- */
-function getAlternatives(packageName) {
-  const pkg = HEAVY_PACKAGES[packageName];
-  return pkg ? pkg.alternatives : [];
-}
-
-module.exports = {
-  analyzeBundleSize,
-  getAlternatives,
-  HEAVY_PACKAGES,
-  SERVER_ONLY_PACKAGES,
-  isClientFile,
-};

package/bin/runners/lib/engines/confidence-scoring.js

@@ -1,276 +0,0 @@
-/**
- * Standardized Confidence Scoring Module
- * 
- * Provides consistent confidence scoring across all vibecheck engines.
- * 
- * Confidence Scale (0-1):
- * - 1.0 (HIGH):    Definitely an issue, AST-verified, high certainty
- * - 0.8 (MEDIUM):  Likely an issue, pattern-matched with context
- * - 0.5 (LOW):     Possibly an issue, needs manual verification
- * - 0.3 (HINT):    Potential improvement, informational only
- * 
- * Legacy string values are mapped:
- * - "high" → 1.0
- * - "med"  → 0.8
- * - "low"  → 0.5
- */
-
-/**
- * Confidence levels with numeric values
- */
-const CONFIDENCE = {
-  // Definite issues - AST verified, no false positives expected
-  DEFINITE: 1.0,
-  HIGH: 1.0,
-  
-  // Likely issues - pattern matched with good context
-  LIKELY: 0.8,
-  MEDIUM: 0.8,
-  MED: 0.8,
-  
-  // Possible issues - lexical match, needs verification
-  POSSIBLE: 0.5,
-  LOW: 0.5,
-  
-  // Hints - informational, may not be issues
-  HINT: 0.3,
-  INFO: 0.3,
-};
-
-/**
- * Convert legacy string confidence to numeric
- */
-function normalizeConfidence(value) {
-  if (typeof value === "number") {
-    return Math.max(0, Math.min(1, value));
-  }
-  
-  if (typeof value === "string") {
-    const key = value.toUpperCase();
-    if (CONFIDENCE[key] !== undefined) {
-      return CONFIDENCE[key];
-    }
-    
-    // Legacy mappings
-    switch (value.toLowerCase()) {
-      case "high":
-        return CONFIDENCE.HIGH;
-      case "med":
-      case "medium":
-        return CONFIDENCE.MEDIUM;
-      case "low":
-        return CONFIDENCE.LOW;
-      case "info":
-      case "hint":
-        return CONFIDENCE.HINT;
-      default:
-        return CONFIDENCE.MEDIUM; // Default fallback
-    }
-  }
-  
-  return CONFIDENCE.MEDIUM;
-}
-
-/**
- * Get confidence label from numeric value
- */
-function getConfidenceLabel(value) {
-  const normalized = normalizeConfidence(value);
-  
-  if (normalized >= 0.9) return "high";
-  if (normalized >= 0.6) return "med";
-  if (normalized >= 0.4) return "low";
-  return "hint";
-}
-
-/**
- * Severity levels (aligned with SARIF)
- */
-const SEVERITY = {
-  BLOCK: "error",      // Must fix before shipping
-  WARN: "warning",     // Should fix, but not blocking
-  INFO: "note",        // Informational
-};
-
-/**
- * Map internal severity to SARIF level
- */
-function toSarifLevel(severity) {
-  switch (severity?.toUpperCase()) {
-    case "BLOCK":
-    case "ERROR":
-    case "CRITICAL":
-      return "error";
-    case "WARN":
-    case "WARNING":
-    case "HIGH":
-      return "warning";
-    case "INFO":
-    case "LOW":
-    case "NOTE":
-    default:
-      return "note";
-  }
-}
-
-/**
- * Confidence modifiers based on context
- */
-const CONFIDENCE_MODIFIERS = {
-  // Increase confidence
-  AST_VERIFIED: 0.2,        // Finding verified via AST analysis
-  PATTERN_CONTEXT: 0.1,     // Pattern has surrounding context
-  MULTIPLE_EVIDENCE: 0.1,   // Multiple pieces of evidence
-  
-  // Decrease confidence
-  LEXICAL_ONLY: -0.2,       // Only lexical/regex match
-  POSSIBLE_FALSE_POSITIVE: -0.3, // Known false positive pattern nearby
-  IN_COMMENT: -0.3,         // Found in comment
-  IN_STRING: -0.2,          // Found in string literal
-  TEST_FILE: -0.4,          // In test file
-  CONFIG_FILE: -0.2,        // In config file
-};
-
-/**
- * Calculate confidence with modifiers
- */
-function calculateConfidence(baseConfidence, modifiers = []) {
-  let confidence = normalizeConfidence(baseConfidence);
-  
-  for (const modifier of modifiers) {
-    if (typeof modifier === "string" && CONFIDENCE_MODIFIERS[modifier]) {
-      confidence += CONFIDENCE_MODIFIERS[modifier];
-    } else if (typeof modifier === "number") {
-      confidence += modifier;
-    }
-  }
-  
-  // Clamp to valid range
-  return Math.max(0, Math.min(1, confidence));
-}
-
-/**
- * Create a standardized finding object
- */
-function createFinding({
-  type,
-  severity = "WARN",
-  category,
-  file,
-  line = 0,
-  column = 0,
-  title,
-  message,
-  codeSnippet = "",
-  confidence = CONFIDENCE.MEDIUM,
-  fixHint = "",
-  evidence = [],
-  modifiers = [],
-}) {
-  const normalizedConfidence = calculateConfidence(confidence, modifiers);
-  
-  return {
-    type,
-    severity: severity.toUpperCase(),
-    category,
-    file,
-    line,
-    column,
-    title,
-    message,
-    codeSnippet,
-    confidence: getConfidenceLabel(normalizedConfidence),
-    confidenceScore: normalizedConfidence,
-    fixHint: fixHint || undefined,
-    evidence: evidence.length > 0 ? evidence : undefined,
-  };
-}
-
-/**
- * Filter findings by minimum confidence threshold
- */
-function filterByConfidence(findings, minConfidence = 0.3) {
-  const threshold = normalizeConfidence(minConfidence);
-  
-  return findings.filter(finding => {
-    const score = finding.confidenceScore !== undefined 
-      ? finding.confidenceScore 
-      : normalizeConfidence(finding.confidence);
-    return score >= threshold;
-  });
-}
-
-/**
- * Sort findings by confidence (highest first)
- */
-function sortByConfidence(findings) {
-  return [...findings].sort((a, b) => {
-    const scoreA = a.confidenceScore ?? normalizeConfidence(a.confidence);
-    const scoreB = b.confidenceScore ?? normalizeConfidence(b.confidence);
-    return scoreB - scoreA;
-  });
-}
-
-/**
- * Group findings by confidence level
- */
-function groupByConfidence(findings) {
-  return {
-    high: findings.filter(f => normalizeConfidence(f.confidence) >= 0.9),
-    medium: findings.filter(f => {
-      const c = normalizeConfidence(f.confidence);
-      return c >= 0.6 && c < 0.9;
-    }),
-    low: findings.filter(f => {
-      const c = normalizeConfidence(f.confidence);
-      return c >= 0.4 && c < 0.6;
-    }),
-    hint: findings.filter(f => normalizeConfidence(f.confidence) < 0.4),
-  };
-}
-
-/**
- * Calculate overall confidence score for a scan
- */
-function calculateOverallScore(findings) {
-  if (findings.length === 0) return 1.0; // No issues = high confidence
-  
-  // Weight by severity
-  const weights = {
-    BLOCK: 3,
-    WARN: 2,
-    INFO: 1,
-  };
-  
-  let totalWeight = 0;
-  let weightedSum = 0;
-  
-  for (const finding of findings) {
-    const weight = weights[finding.severity?.toUpperCase()] || 1;
-    const confidence = finding.confidenceScore ?? normalizeConfidence(finding.confidence);
-    
-    totalWeight += weight;
-    weightedSum += confidence * weight;
-  }
-  
-  // Invert - higher issues = lower score
-  return 1 - (weightedSum / totalWeight) * 0.5;
-}
-
-module.exports = {
-  // Constants
-  CONFIDENCE,
-  SEVERITY,
-  CONFIDENCE_MODIFIERS,
-  
-  // Functions
-  normalizeConfidence,
-  getConfidenceLabel,
-  toSarifLevel,
-  calculateConfidence,
-  createFinding,
-  filterByConfidence,
-  sortByConfidence,
-  groupByConfidence,
-  calculateOverallScore,
-};