@vibecodeqa/cli 0.16.0 → 0.18.0

package/README.md

@@ -2,19 +2,19 @@
 
 **Code health scanner for the AI coding era.**
 
-One command. 15 checks. Full report. Zero config.
+One command. 21 checks. Full report. Zero config.
 
 ```bash
 npx @vibecodeqa/cli
 ```
 
-![Grade](https://img.shields.io/badge/checks-15-blue) ![TypeScript](https://img.shields.io/badge/TypeScript-first-3178C6) ![License](https://img.shields.io/badge/license-MIT-green)
+![Grade](https://img.shields.io/badge/checks-21-blue) ![TypeScript](https://img.shields.io/badge/TypeScript-first-3178C6) ![License](https://img.shields.io/badge/license-MIT-green)
 
 ## What it does
 
-vcqa scans your TypeScript/JavaScript codebase and produces a scored health report with actionable findings. It auto-detects your stack (React, Vite, vitest, Biome, etc.) and runs 15 checks across 6 categories.
+vcqa scans your TypeScript/JavaScript/Dart/Flutter codebase and produces a scored health report with actionable findings. It auto-detects your stack (React, Flutter, Vite, vitest, Biome, etc.) and runs 21 checks across 7 categories.
 
-The output is a self-contained HTML report with radar charts, architecture diagrams, file heatmaps, and drill-down issue lists — all navigable via sidebar and tab navigation.
+The output is a self-contained HTML report with radar charts, architecture diagrams, score timeline, testing pyramid, and drill-down issue lists — all navigable via sidebar and tab navigation.
 
 ## Quick start
 
@@ -34,6 +34,12 @@ npx @vibecodeqa/cli --ci
 # JSON output (pipe to other tools)
 npx @vibecodeqa/cli --json
 
+# Generate badge SVG for README
+npx @vibecodeqa/cli --badge
+
+# SARIF output for GitHub Security tab
+npx @vibecodeqa/cli --sarif
+
 # Scan a specific directory
 npx @vibecodeqa/cli /path/to/project
 ```
@@ -41,6 +47,8 @@ npx @vibecodeqa/cli /path/to/project
 Output goes to `.vibe-check/`:
 - `report.html` — navigable multi-page dashboard (open in browser)
 - `report.json` — machine-readable results
+- `badge.svg` — shields.io-style badge (with `--badge`)
+- `report.sarif` — SARIF 2.1.0 for GitHub Code Scanning (with `--sarif`)
 - `history/` — last 30 reports for trend tracking
 
 ## Checks
@@ -53,17 +61,20 @@ Output goes to `.vibe-check/`:
 | **Lint** | 5% | Biome or ESLint errors/warnings (auto-detected) |
 | **Types** | 6% | TypeScript compilation errors (`tsc --noEmit`) |
 | **Type Safety** | 3% | `as any`, `: any`, `@ts-ignore`, `@ts-nocheck` counts |
-| **Standards** | 3% | File naming, large files (>300 lines), code smells (console.log, var, ==, eval, innerHTML), config hygiene |
+| **Standards** | 3% | File naming, large files (>300 lines), code smells (console.log, var, ==, eval), config hygiene |
 
-### Quality (15%)
+### Quality (23%)
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
-| **Complexity** | 7% | Cognitive complexity per function, functions >60 lines |
+| **Complexity** | 3% | Cognitive complexity per function, functions >60 lines |
 | **Duplication** | 5% | Copy-pasted 6+ line blocks |
+| **Error Handling** | 5% | Empty catch blocks, throw string, missing Error Boundaries |
+| **React Patterns** | 3% | Conditional hooks, missing keys, index keys, prop spreading |
+| **Accessibility** | 4% | img alt, click on non-interactive elements, form labels, html lang |
 | **Docs** | 3% | README quality, JSDoc coverage of exports |
 
-### Testing (22%)
+### Testing (15%)
 
 One deep check with 6 sub-dimensions:
 
@@ -74,34 +85,36 @@ One deep check with 6 sub-dimensions:
 - **Quality** — assertion density, mock ratio, snapshot ratio
 - **E2E detection** — Playwright/Cypress configured?
 
-### Architecture (7%)
+### Architecture (10%)
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
-| **Architecture** | 7% | Import graph, circular deps, god modules, orphan files, fan-out, SVG diagram |
+| **Architecture** | 6% | Import graph, circular deps, god modules, orphan files, fan-out, SVG diagram with legend |
+| **Performance** | 4% | Barrel imports, heavy dependencies, dynamic import opportunities, CSS-in-JS overhead |
 
-### Security (18%)
+### Security (16%)
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
 | **Secrets** | 6% | 13 patterns (AWS, GitHub, Stripe, OpenAI, private keys) |
-| **Security** | 7% | 15 CWE-mapped patterns (XSS, injection, crypto, SSRF) |
-| **Dependencies** | 5% | npm audit vulnerabilities + outdated packages |
+| **Security** | 5% | 15 CWE-mapped patterns (XSS, injection, crypto, SSRF) |
+| **Dependencies** | 5% | npm audit / dart pub outdated vulnerabilities + outdated packages |
 
-### LLM Readiness (15%)
+### AI Readiness (13%)
 
 Novel checks that no other tool offers:
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
-| **Confusion Index** | 8% | File name similarity, generic names, export collisions, ambiguous abbreviations |
-| **Context Locality** | 7% | Token density, import depth, circular deps, context sinks |
+| **Confusion Index** | 7% | File name similarity, generic names, export collisions, ambiguous abbreviations |
+| **Context Locality** | 6% | Token density, import depth, circular deps, context sinks |
 
-**Research backing:**
-- "When Names Disappear" (arXiv:2510.03178): GPT-4o drops 28.6% on summarization with ambiguous names
-- "Lost in the Middle" (Liu et al. 2023): 30%+ accuracy drop for mid-context information
-- "Context Rot" (Chroma 2025): all frontier models degrade with input length
-- "Variable Naming Impact" (Research Square 2024): descriptive names = 8.9% better AI performance
+### AI Analysis (PRO — coming soon)
+
+| Check | What it will do |
+|-------|----------------|
+| **Doc Coherence** | LLM-powered detection of contradictions between docs and code |
+| **Code Coherence** | LLM-powered detection of internal inconsistencies across modules |
 
 ## Scoring
 
@@ -117,27 +130,19 @@ Each check produces a score from 0-100. The composite score is a weighted averag
 
 ## Report features
 
-The report is a multi-page navigable dashboard:
-
-- **10 pages**: Overview, Foundations, Quality, Testing, Architecture, Security, LLM Readiness, Issues, File Map, Heatmap
-- **Top nav + sidebar** — navigate by category and check
-- **Radar chart** — 6-axis view of category scores
-- **Architecture SVG diagram** — modules grouped by directory, import edges, node size by fan-in
-- **Code heatmap** — colored bars showing issue density per file
-- **Trend comparison** — score delta vs. previous run (reads previous report.json)
-- **File map** — top files by issue count across all checks
+- **Primary nav**: Overview + 7 dimension tabs (Foundations, Quality, Testing, Architecture, Security, AI Readiness, AI Analysis)
+- **Secondary nav**: Issues + Files (cross-cutting data views)
+- **Score ring + radar chart** — 6-axis view of category scores
+- **Score timeline** — last 30 runs with grade-colored dots
+- **Testing pyramid** — proportional SVG showing unit/integration/component/e2e distribution
+- **Architecture SVG** — modules grouped by directory, bezier edges with arrows, color-coded nodes (god module, cycle, orphan), legend
+- **File health map** — heatmap bars showing issue density per file
+- **Trend comparison** — score delta vs. previous run
 - **GitHub links** — click any file:line to open in GitHub (auto-detected from git remote)
-- **Actionable prompts** — 📋 button on every issue copies a fix prompt for Claude/Codex
+- **Actionable prompts** — clipboard button on every issue copies a fix prompt for Claude/Codex
 - **Info panels** — each check has What/Risk/Fix explanations with research citations
 - **Priority badges** — critical/high/medium/low on each check
 
-## Trend tracking
-
-vcqa reads the previous `.vibe-check/report.json` on each run and shows:
-- Score change (↑ improved / ↓ declined)
-- Per-check deltas
-- New vs. fixed issue counts
-
 ## CLI options
 
 | Flag | Description |
@@ -146,33 +151,37 @@ vcqa reads the previous `.vibe-check/report.json` on each run and shows:
 | `--watch` | Re-scan automatically on file changes |
 | `--ci` | Exit code 1 if composite score < 60 |
 | `--json` | Output JSON to stdout (no HTML, no browser) |
+| `--badge` | Generate badge.svg in output directory |
+| `--sarif` | Generate SARIF 2.1.0 for GitHub Code Scanning |
 
 ## Stack detection
 
-Auto-detects from `package.json` and config files:
-- **Language:** TypeScript, JavaScript
-- **Framework:** React, Vue, Svelte
+Auto-detects from `package.json`, `pubspec.yaml`, and config files:
+- **Language:** TypeScript, JavaScript, Dart
+- **Framework:** React, Vue, Svelte, Flutter
 - **Bundler:** Vite, Webpack, esbuild
-- **Test runner:** vitest, jest
-- **Linter:** Biome, ESLint
-- **Package manager:** pnpm, npm, yarn, bun
-
-## References
-
-Standards and research cited in vibe-check's analysis:
-
-- ISO/IEC 25010:2023 — Software product quality model
-- McCabe, T.J. "A Complexity Measure" (IEEE, 1976) — Cyclomatic complexity
-- Campbell, G.A. "Cognitive Complexity" (SonarSource, 2017) — Understandability metric
-- Martin, R.C. "Clean Code" (2008) — Naming principles
-- OWASP Top 10 — Web application security risks
-- CWE Top 25 — Most dangerous software weaknesses
-- Liu et al. "Lost in the Middle" (TACL, 2023) — LLM context attention
-- Chroma Research "Context Rot" (2025) — LLM degradation with input length
-- Wang et al. "How Does Naming Affect LLMs?" (JSEA, 2024) — Naming impact on AI
-- arXiv:2510.03178 "When Names Disappear" (2025) — 28.6% accuracy drop
-- Arnaoudova et al. "Linguistic Antipatterns" — 17-pattern naming catalog
-- Vassilev "Codified Context" (arXiv, 2025) — AI agent context architecture
+- **Test runner:** vitest, jest, flutter_test, dart_test
+- **Linter:** Biome, ESLint, dart analyze
+- **Package manager:** pnpm, npm, yarn, bun, pub
+
+## GitHub Actions
+
+Add this to `.github/workflows/vibecodeqa.yml` for automatic PR scanning:
+
+```yaml
+name: VibeCode QA
+on: [pull_request]
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npx @vibecodeqa/cli --skip-tests --ci --sarif
+      - uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: .vibe-check/report.sarif
+```
 
 ## License
 
@@ -180,6 +189,7 @@ MIT — Free forever as a CLI tool.
 
 ## Links
 
-- **GitHub:** https://github.com/freeappstore-online/vibe-check
+- **GitHub:** https://github.com/vibecodeqa/cli
 - **Website:** https://vibecodeqa.online
-- **Issues:** https://github.com/freeappstore-online/vibe-check/issues
+- **npm:** https://www.npmjs.com/package/@vibecodeqa/cli
+- **Issues:** https://github.com/vibecodeqa/cli/issues

package/dist/check-meta.d.ts

@@ -10,6 +10,7 @@ export interface CheckMeta {
     description: string;
     risk: string;
     recommendation: string;
+    premium?: boolean;
 }
 export declare const CHECK_META: Record<string, CheckMeta>;
 export declare function getCheckMeta(name: string): CheckMeta;

package/dist/check-meta.js

@@ -56,7 +56,7 @@ export const CHECK_META = {
         label: "Error Handling",
         category: "Quality",
         priority: "high",
-        weight: 2,
+        weight: 3,
         description: "Detects poor error handling: empty catch blocks, throw with string literals, catch-and-rethrow without context, Promise.then() without .catch(), missing React Error Boundaries.",
         risk: "Empty catch blocks silently swallow errors. throw 'string' loses stack traces. Missing Error Boundaries in React cause the entire app to crash on render errors.",
         recommendation: "Handle or log every catch. Use throw new Error() for stack traces. Add Error Boundaries in React. Chain .catch() on promises.",
@@ -96,7 +96,7 @@ export const CHECK_META = {
         label: "Testing",
         category: "Testing",
         priority: "critical",
-        weight: 22,
+        weight: 15,
         description: "Deep assessment of test quality across 6 dimensions: pyramid presence (unit/integration/component/E2E layers), test execution (pass/fail), coverage (statement/branch/line/function), file pairing (test file per source file), test quality (assertion density, mock ratio, snapshot ratio), and E2E tool detection (Playwright/Cypress).",
         risk: "Code without tests is code you can't safely change. Missing test layers mean entire categories of bugs go undetected: unit tests catch logic bugs, integration tests catch API contract breaks, E2E tests catch user-visible regressions. Low coverage means large portions of code are never exercised.",
         recommendation: "Follow the testing pyramid: many unit tests, some integration tests, fewer E2E tests. Aim for >80% branch coverage. Every source file should have a corresponding test file. Use Playwright for E2E if you have a web frontend.",
@@ -116,7 +116,7 @@ export const CHECK_META = {
         label: "Security Patterns",
         category: "Security",
         priority: "critical",
-        weight: 7,
+        weight: 5,
         description: "Static analysis for 15 vulnerability patterns mapped to CWE (Common Weakness Enumeration) IDs. Covers: XSS (innerHTML, dangerouslySetInnerHTML, document.write), injection (eval, new Function, SQL template literals, command injection), weak crypto (Math.random for tokens, MD5/SHA1), prototype pollution, path traversal, SSRF, and missing security headers.",
         risk: "These patterns represent the most commonly exploited vulnerabilities in web applications (OWASP Top 10). A single XSS or injection vulnerability can lead to account takeover, data theft, or complete system compromise.",
         recommendation: "Replace innerHTML with textContent or DOM APIs. Never use eval(). Use parameterized queries for SQL. Use crypto.randomUUID() instead of Math.random() for tokens. Validate all user input before use in file paths or URLs.",
@@ -136,7 +136,7 @@ export const CHECK_META = {
         label: "Architecture",
         category: "Architecture",
         priority: "high",
-        weight: 7,
+        weight: 6,
         description: "Analyzes the import graph to detect structural problems: circular dependencies, god modules (imported by >50% of files), orphan modules (dead code), high fan-out (importing too many modules), and connector modules (high coupling). Generates an SVG architecture diagram.",
         risk: "Circular dependencies create build order issues and make refactoring impossible without breaking changes. God modules become bottlenecks — any change ripples through the entire codebase. High coupling means you can't change one module without testing everything it touches.",
         recommendation: "Break circular deps by extracting shared types to a separate file. Split god modules by concern. Reduce fan-out by co-locating related code. Use dependency injection for loose coupling.",
@@ -146,7 +146,7 @@ export const CHECK_META = {
         label: "Confusion Index",
         category: "LLM Readiness",
         priority: "high",
-        weight: 8,
+        weight: 7,
         description: "Measures naming ambiguity that causes LLMs to misunderstand or edit the wrong code. Checks: file name confusability (Levenshtein distance + synonym detection), generic function/variable names, export name collisions across files, and ambiguous abbreviations.",
         risk: "GPT-4o drops 28.6 percentage points on code summarization when names are ambiguous (arXiv:2510.03178). LLMs editing similar-named files is the #1 reported failure mode in AI-assisted development. Generic names like process(), handle(), data cause models to misinterpret intent.",
         recommendation: "Use descriptive, unique names. Avoid synonym files (utils.ts + helpers.ts — pick one). Avoid generic exports. Disambiguate abbreviations (use 'authentication' not 'auth' if both auth meanings exist in the codebase).",
@@ -156,11 +156,63 @@ export const CHECK_META = {
         label: "Context Locality",
         category: "LLM Readiness",
         priority: "high",
-        weight: 7,
+        weight: 6,
         description: "Measures how self-contained code is for LLM consumption. Checks: token density per file, import count, circular dependencies, and context sinks (files that import many modules but export little). Based on the finding that LLMs lose 30%+ accuracy for information in the middle of long contexts.",
         risk: "Files over ~4000 tokens exceed the 'sweet spot' for LLM attention (Liu et al. 2023 'Lost in the Middle'). Circular dependencies create infinite loops in LLM code navigation. Heavy import chains force LLMs to load many files, burning context window budget (Chroma 'Context Rot' 2025).",
         recommendation: "Keep files under 400 lines / 4000 tokens. Limit imports to <15 per file. Break circular dependencies. Co-locate related code to reduce cross-file jumps.",
     },
+    react: {
+        name: "react",
+        label: "React Patterns",
+        category: "Quality",
+        priority: "high",
+        weight: 3,
+        description: "Checks React-specific patterns: conditional hook calls (violates Rules of Hooks), missing key props in .map(), index as key, prop spreading on DOM elements, and excessive inline handlers.",
+        risk: "Conditional hooks cause React to crash at runtime. Missing keys cause incorrect reconciliation — items can swap, duplicate, or lose state. Index keys break when lists are reordered or filtered.",
+        recommendation: "Never call hooks inside conditions, loops, or nested functions. Always provide a unique, stable key in .map(). Avoid spreading unknown props onto DOM elements. Extract inline handlers for readability.",
+    },
+    accessibility: {
+        name: "accessibility",
+        label: "Accessibility",
+        category: "Quality",
+        priority: "high",
+        weight: 4,
+        description: "Checks common accessibility violations: images without alt text, click handlers on non-interactive elements without keyboard support, form controls without labels, autoFocus usage, positive tabIndex, and missing html lang attribute.",
+        risk: "1 in 4 adults has a disability (CDC). Missing alt text makes images invisible to screen readers. Click-only divs exclude keyboard users. Unlabeled inputs are unusable with assistive technology. Missing lang attribute breaks screen reader pronunciation.",
+        recommendation: "Add alt text to all images (use alt=\"\" for decorative). Use <button> for clickable elements, not <div onClick>. Label all form controls with <label>, aria-label, or aria-labelledby. Set lang on <html>.",
+    },
+    performance: {
+        name: "performance",
+        label: "Performance",
+        category: "Architecture",
+        priority: "medium",
+        weight: 4,
+        description: "Detects barrel imports that defeat tree-shaking, heavy dependencies with lighter alternatives, static imports of large libraries that could be lazy-loaded, and runtime CSS-in-JS overhead.",
+        risk: "Barrel files (index.ts re-exports) prevent bundlers from tree-shaking unused code, bloating bundles by 2-10x. Heavy dependencies like moment.js add 300KB when date-fns does the same in 7KB. Static imports of visualization libraries delay initial page load.",
+        recommendation: "Replace barrel re-exports with direct imports. Swap heavy deps for lighter alternatives. Use dynamic import() for large libraries only needed on interaction. Prefer zero-runtime CSS (Tailwind, CSS Modules) over styled-components.",
+    },
+    "doc-coherence": {
+        name: "doc-coherence",
+        label: "Doc Coherence",
+        category: "AI Analysis",
+        priority: "high",
+        weight: 0,
+        description: "LLM-powered analysis that detects contradictions between documentation and code. Finds stale README claims, incorrect JSDoc parameters, outdated CHANGELOG references, and comments that no longer match the implementation.",
+        risk: "Stale documentation is worse than no documentation — it actively misleads developers and LLMs. When README says 'supports X' but the feature was removed, new contributors waste time. When JSDoc says a param is required but code treats it as optional, callers crash.",
+        recommendation: "Enable doc-coherence with a VibeCode QA Pro subscription. The LLM scans all documentation against the actual code and surfaces contradictions with specific file references.",
+        premium: true,
+    },
+    "code-coherence": {
+        name: "code-coherence",
+        label: "Code Coherence",
+        category: "AI Analysis",
+        priority: "high",
+        weight: 0,
+        description: "LLM-powered analysis that detects internal contradictions within the codebase itself. Finds inconsistent validation logic, conflicting defaults across modules, naming convention drift, dead config flags, and behavioral mismatches.",
+        risk: "Incoherent codebases are the #1 source of 'it works on my machine' bugs. When module A validates email with regex and module B uses a different regex, some emails pass one and fail the other. When timeouts differ across modules, race conditions emerge under load.",
+        recommendation: "Enable code-coherence with a VibeCode QA Pro subscription. The LLM analyzes cross-module patterns and surfaces behavioral contradictions that static analysis cannot detect.",
+        premium: true,
+    },
 };
 export function getCheckMeta(name) {
     return (CHECK_META[name] || {

package/dist/cli.js

@@ -3,7 +3,7 @@
 import { existsSync, mkdirSync, readdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
 import { join, resolve } from "node:path";
 import { detectRepoUrl, detectStack } from "./detect.js";
-import { generateHTML } from "./report/html.js";
+import { generatePages } from "./report/html.js";
 import { runArchitecture } from "./runners/architecture.js";
 import { runComplexity } from "./runners/complexity.js";
 import { runConfusion } from "./runners/confusion.js";
@@ -11,8 +11,13 @@ import { runContext } from "./runners/context.js";
 import { runDependencies } from "./runners/dependencies.js";
 import { runDocs } from "./runners/docs.js";
 import { runDuplication } from "./runners/duplication.js";
+import { runPerformance } from "./runners/performance.js";
 import { runErrorHandling } from "./runners/error-handling.js";
 import { runLint } from "./runners/lint.js";
+import { runReact } from "./runners/react.js";
+import { runAccessibility } from "./runners/accessibility.js";
+import { runDocCoherence } from "./runners/doc-coherence.js";
+import { runCodeCoherence } from "./runners/code-coherence.js";
 import { runSecrets } from "./runners/secrets.js";
 import { runSecurity } from "./runners/security.js";
 import { runStandards } from "./runners/standards.js";
@@ -33,6 +38,8 @@ const jsonOnly = flags.has("--json");
 const ciMode = flags.has("--ci");
 const skipTests = flags.has("--skip-tests");
 const watchMode = flags.has("--watch");
+const badgeMode = flags.has("--badge");
+const sarifMode = flags.has("--sarif");
 function color(grade) {
     if (grade === "A")
         return "\x1b[32m";
@@ -55,18 +62,21 @@ async function main() {
         console.log("");
     }
     const checks = [];
+    const isDart = stack.language === "dart";
     // All runners grouped by category
     const runners = [
         // Foundations
         { name: "structure", fn: () => runStructure(cwd, stack) },
         { name: "lint", fn: () => runLint(cwd, stack) },
-        { name: "types", fn: () => runTypeCheck(cwd) },
-        { name: "type-safety", fn: () => runTypeSafety(cwd) },
+        { name: "types", fn: () => runTypeCheck(cwd, isDart) },
+        { name: "type-safety", fn: () => runTypeSafety(cwd, isDart) },
         { name: "standards", fn: () => runStandards(cwd, stack) },
         // Quality
         { name: "complexity", fn: () => runComplexity(cwd) },
         { name: "duplication", fn: () => runDuplication(cwd) },
         { name: "error-handling", fn: () => runErrorHandling(cwd, stack) },
+        { name: "react", fn: () => runReact(cwd, stack) },
+        { name: "accessibility", fn: () => runAccessibility(cwd) },
         { name: "docs", fn: () => runDocs(cwd) },
         // Testing
         { name: "testing", fn: () => runTesting(cwd, stack, skipTests) },
@@ -76,9 +86,13 @@ async function main() {
         { name: "dependencies", fn: () => runDependencies(cwd, stack) },
         // Architecture
         { name: "architecture", fn: () => runArchitecture(cwd) },
+        { name: "performance", fn: () => runPerformance(cwd) },
         // LLM Readiness
         { name: "confusion", fn: () => runConfusion(cwd) },
         { name: "context", fn: () => runContext(cwd) },
+        // AI Analysis (premium)
+        { name: "doc-coherence", fn: () => runDocCoherence(cwd) },
+        { name: "code-coherence", fn: () => runCodeCoherence(cwd) },
     ];
     for (const runner of runners) {
         if (!jsonOnly)
@@ -86,10 +100,12 @@ async function main() {
         const result = runner.fn();
         checks.push(result);
         if (!jsonOnly) {
-            const skipped = result.details.skipped;
-            const c = skipped ? "\x1b[2m" : color(result.grade);
-            const label = skipped ? "skip" : result.grade;
-            const scoreStr = skipped ? "—" : `${result.score}/100`;
+            const det = result.details;
+            const skipped = det.skipped;
+            const premium = det.comingSoon;
+            const c = premium ? "\x1b[2m" : skipped ? "\x1b[2m" : color(result.grade);
+            const label = premium ? "soon" : skipped ? "skip" : result.grade;
+            const scoreStr = premium ? "PRO" : skipped ? "—" : `${result.score}/100`;
             const issueStr = result.issues.length > 0 ? `  \x1b[2m${result.issues.length} issues\x1b[0m` : "";
             console.log(`${c}${label.padEnd(5)}${scoreStr}\x1b[0m  \x1b[2m${result.duration}ms\x1b[0m${issueStr}`);
         }
@@ -131,7 +147,25 @@ async function main() {
         }
     }
     writeFileSync(join(outputDir, "report.json"), JSON.stringify(report, null, 2));
-    writeFileSync(join(outputDir, "report.html"), generateHTML(report));
+    // Generate multi-page HTML report
+    const reportDir = join(outputDir, "report");
+    if (!existsSync(reportDir))
+        mkdirSync(reportDir, { recursive: true });
+    const pages = generatePages(report, historyDir);
+    for (const [filename, html] of pages) {
+        writeFileSync(join(reportDir, filename), html);
+    }
+    // Badge SVG
+    if (badgeMode) {
+        const { buildBadge } = await import("./report/svg.js");
+        const badgeSvg = buildBadge(score, grade);
+        writeFileSync(join(outputDir, "badge.svg"), badgeSvg);
+    }
+    // SARIF output for GitHub Code Scanning
+    if (sarifMode) {
+        const { generateSARIF } = await import("./report/sarif.js");
+        writeFileSync(join(outputDir, "report.sarif"), generateSARIF(report));
+    }
     if (jsonOnly) {
         console.log(JSON.stringify(report));
     }
@@ -142,8 +176,12 @@ async function main() {
         if (trend)
             console.log(formatTrend(trend));
         console.log("");
-        console.log(`  \x1b[2mReport: ${join(outputDir, "report.html")}\x1b[0m`);
+        console.log(`  \x1b[2mReport: ${join(outputDir, "report/index.html")}\x1b[0m`);
         console.log(`  \x1b[2mJSON:   ${join(outputDir, "report.json")}\x1b[0m`);
+        if (badgeMode)
+            console.log(`  \x1b[2mBadge:  ${join(outputDir, "badge.svg")}\x1b[0m`);
+        if (sarifMode)
+            console.log(`  \x1b[2mSARIF:  ${join(outputDir, "report.sarif")}\x1b[0m`);
         console.log("");
     }
     if (ciMode && score < 60) {
@@ -153,7 +191,7 @@ async function main() {
         try {
             const { execFileSync } = await import("node:child_process");
             const openCmd = process.platform === "darwin" ? "open" : "xdg-open";
-            execFileSync(openCmd, [join(outputDir, "report.html")], { stdio: "ignore" });
+            execFileSync(openCmd, [join(outputDir, "report/index.html")], { stdio: "ignore" });
         }
         catch {
             /* failed to open browser */

package/dist/detect.js

@@ -12,9 +12,31 @@ export function detectStack(cwd) {
             return "";
         }
     };
+    // ── Dart/Flutter detection ──
+    const pubspec = read("pubspec.yaml");
+    if (pubspec || has("pubspec.lock")) {
+        const isFlutter = pubspec.includes("flutter:") || pubspec.includes("flutter_test:");
+        const hasTest = pubspec.includes("test:") || pubspec.includes("flutter_test:");
+        const hasAnalysis = has("analysis_options.yaml");
+        return {
+            language: "dart",
+            framework: isFlutter ? "flutter" : "none",
+            bundler: "none",
+            testRunner: isFlutter ? (hasTest ? "flutter_test" : "none") : hasTest ? "dart_test" : "none",
+            linter: hasAnalysis ? "dart_analyze" : "none",
+            packageManager: "pub",
+        };
+    }
+    // ── Node.js/TypeScript detection ──
     const pkg = read("package.json");
-    const deps = pkg ? JSON.parse(pkg) : {};
-    const allDeps = { ...deps.dependencies, ...deps.devDependencies };
+    let allDeps = {};
+    try {
+        const deps = pkg ? JSON.parse(pkg) : {};
+        allDeps = { ...deps.dependencies, ...deps.devDependencies };
+    }
+    catch {
+        // invalid package.json
+    }
     const language = has("tsconfig.json") || has("tsconfig.app.json") || allDeps.typescript
         ? "typescript"
         : allDeps.react || allDeps.vue

package/dist/fs-utils.d.ts

@@ -21,3 +21,7 @@ export declare function getTestFiles(cwd: string): SourceFile[];
 export declare function readSafe(cwd: string, path: string): string;
 /** Parse package.json dependencies. */
 export declare function readDeps(cwd: string): Record<string, string>;
+/** Walk from cwd root (not just src/) — for checks like secrets that scan all project files. */
+export declare function collectAllFiles(cwd: string, opts?: {
+    extraExts?: boolean;
+}): SourceFile[];

package/dist/fs-utils.js

@@ -1,13 +1,15 @@
 /** Shared filesystem utilities — eliminates duplicate file-walking across runners. */
 import { lstatSync, readdirSync, readFileSync, statSync } from "node:fs";
 import { basename, extname, join } from "node:path";
-const SKIP_DIRS = new Set(["node_modules", "dist", ".git", ".vibe-check", "coverage", "test-results", "__pycache__"]);
-const CODE_EXTS = new Set([".ts", ".tsx", ".js", ".jsx"]);
+const SKIP_DIRS = new Set(["node_modules", "dist", ".git", ".vibe-check", "coverage", "test-results", "__pycache__", ".dart_tool", "build", ".flutter-plugins"]);
+const CODE_EXTS = new Set([".ts", ".tsx", ".js", ".jsx", ".dart"]);
 const ALL_EXTS = new Set([...CODE_EXTS, ".json", ".env", ".yaml", ".yml", ".toml"]);
 /** Walk source directories and return all code files. */
 export function collectSourceFiles(cwd, opts) {
     const files = [];
-    const dirs = ["src", "web/src"];
+    const dirs = ["src", "web/src", "lib"];
+    if (opts?.includeTests)
+        dirs.push("test", "tests", "__tests__");
     for (const dir of dirs) {
         try {
             walk(join(cwd, dir), cwd, files, opts?.extraExts ? ALL_EXTS : CODE_EXTS);
@@ -16,8 +18,6 @@ export function collectSourceFiles(cwd, opts) {
             /* dir doesn't exist */
         }
     }
-    if (opts?.includeTests)
-        return files;
     return files;
 }
 /** Get only production source files (no tests). */
@@ -50,6 +50,12 @@ export function readDeps(cwd) {
         return {};
     }
 }
+/** Walk from cwd root (not just src/) — for checks like secrets that scan all project files. */
+export function collectAllFiles(cwd, opts) {
+    const files = [];
+    walk(cwd, cwd, files, opts?.extraExts ? ALL_EXTS : CODE_EXTS);
+    return files;
+}
 function walk(dir, cwd, out, exts) {
     for (const entry of readdirSync(dir)) {
         if (SKIP_DIRS.has(entry))
@@ -70,7 +76,7 @@ function walk(dir, cwd, out, exts) {
                 continue;
             const content = readFileSync(full, "utf-8");
             const relPath = full.replace(`${cwd}/`, "");
-            const isTest = entry.includes(".test.") || entry.includes(".spec.") || relPath.includes("__tests__");
+            const isTest = entry.includes(".test.") || entry.includes(".spec.") || entry.endsWith("_test.dart") || relPath.includes("__tests__") || relPath.includes("test/");
             out.push({
                 path: relPath,
                 fullPath: full,

package/dist/report/html.d.ts

@@ -1,12 +1,21 @@
-/** Generate a multi-page navigable HTML report.
+/** Generate a multi-page HTML report as separate files.
  *
- * Architecture:
- *   Top nav:    Overview | Foundations | Quality | Testing | Security | Issues
- *   Sub-nav:    Tabs for each check within a category
- *   Detail:     Per-check stats + full issue list grouped by file
- *   File map:   Cross-check heatmap of issues per file
- *
- * All in one self-contained HTML file using hash routing + show/hide.
+ * Layout:
+ *   Top nav:    Logo | Overview | Foundations | Quality | ... | Issues | Files
+ *               Page-level navigation. Scrollable on mobile.
+ *   Sidebar:    CONTEXTUAL to current page — NOT a duplicate of top nav.
+ *               Overview: score + category scores
+ *               Category: individual checks with grades (click to jump)
+ *               Issues: severity breakdown
+ *               Files: summary stats
+ *   Mobile:     Hamburger toggles both top nav dropdown and sidebar panel.
  */
 import type { VibeReport } from "../types.js";
-export declare function generateHTML(report: VibeReport): string;
+export declare const GROUPS: {
+    id: string;
+    label: string;
+    file: string;
+    checks: string[];
+}[];
+export declare function generatePages(report: VibeReport, historyDir?: string): Map<string, string>;
+export declare function generateHTML(report: VibeReport, historyDir?: string): string;