@vibecodeqa/cli 0.16.0 → 0.18.0

package/dist/runners/doc-coherence.js

@@ -0,0 +1,48 @@
+/** Doc Coherence — detects contradictions between documentation and code.
+ *
+ * Premium feature (powered by LLM). Scans README, CLAUDE.md, JSDoc, and inline
+ * comments for claims that contradict the actual code:
+ *   - README says "supports X" but feature X was removed
+ *   - JSDoc says "@param required" but param has a default
+ *   - Comment says "never throws" but function has throw statements
+ *   - CHANGELOG references files that no longer exist
+ *   - API docs describe endpoints/functions that were renamed or deleted
+ *
+ * Currently returns a "coming soon" placeholder.
+ */
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+import { getProductionFiles } from "../fs-utils.js";
+export function runDocCoherence(cwd) {
+    const start = Date.now();
+    // Detect if docs exist (useful info even in placeholder mode)
+    const docFiles = [];
+    const candidates = ["README.md", "CLAUDE.md", "ARCHITECTURE.md", "CONTRIBUTING.md", "CHANGELOG.md", "API.md", "docs/README.md"];
+    for (const f of candidates) {
+        if (existsSync(join(cwd, f)))
+            docFiles.push(f);
+    }
+    let hasJSDoc = false;
+    try {
+        const files = getProductionFiles(cwd);
+        hasJSDoc = files.some((f) => /\/\*\*/.test(f.content));
+    }
+    catch {
+        // no source files
+    }
+    return {
+        name: "doc-coherence",
+        score: 0,
+        grade: "F",
+        details: {
+            premium: true,
+            comingSoon: true,
+            reason: "LLM-powered analysis — coming soon",
+            docFiles,
+            hasJSDoc,
+            description: "Detects contradictions between documentation and code. Finds stale README claims, incorrect JSDoc, outdated API docs, and misleading comments.",
+        },
+        issues: [],
+        duration: Date.now() - start,
+    };
+}

package/dist/runners/docs.js

@@ -1,6 +1,7 @@
 /** Documentation check — README, JSDoc, code comments. */
-import { existsSync, readdirSync, readFileSync, statSync } from "node:fs";
-import { extname, join } from "node:path";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { getProductionFiles } from "../fs-utils.js";
 import { gradeFromScore } from "../types.js";
 export function runDocs(cwd) {
     const start = Date.now();
@@ -34,21 +35,11 @@ export function runDocs(cwd) {
             issues.push({ severity: "warning", message: "README has very little content", rule: "readme-sparse" });
     }
     // Check exported function documentation
-    const files = [];
-    const dirs = ["src", "web/src"];
-    for (const dir of dirs) {
-        try {
-            collectFiles(join(cwd, dir), files);
-        }
-        catch {
-            /* dir doesn't exist */
-        }
-    }
+    const sourceFiles = getProductionFiles(cwd);
     let totalExports = 0;
     let documentedExports = 0;
-    for (const file of files) {
-        const content = readFileSync(file, "utf-8");
-        const lines = content.split("\n");
+    for (const sf of sourceFiles) {
+        const lines = sf.content.split("\n");
         for (let i = 0; i < lines.length; i++) {
             const line = lines[i].trim();
             if (line.startsWith("export function ") ||
@@ -84,7 +75,7 @@ export function runDocs(cwd) {
         score,
         grade: gradeFromScore(score),
         details: {
-            readmeLines: existsSync(readmePath) ? readFileSync(readmePath, "utf-8").split("\n").length : 0,
+            readmeLines: existsSync(join(cwd, "README.md")) ? readFileSync(join(cwd, "README.md"), "utf-8").split("\n").length : 0,
             totalExports,
             documentedExports,
             documentedPct: totalExports > 0 ? `${Math.round((documentedExports / totalExports) * 100)}%` : "n/a",
@@ -93,19 +84,3 @@ export function runDocs(cwd) {
         duration: Date.now() - start,
     };
 }
-function collectFiles(dir, out) {
-    for (const entry of readdirSync(dir)) {
-        if (entry === "node_modules" || entry === "dist")
-            continue;
-        const full = join(dir, entry);
-        if (statSync(full).isDirectory()) {
-            collectFiles(full, out);
-        }
-        else {
-            const ext = extname(entry);
-            if ((ext === ".ts" || ext === ".tsx") && !entry.includes(".test.") && !entry.includes(".spec.")) {
-                out.push(full);
-            }
-        }
-    }
-}

package/dist/runners/duplication.js

@@ -1,28 +1,18 @@
 /** Code duplication detection — finds copy-pasted blocks. */
-import { readdirSync, readFileSync, statSync } from "node:fs";
-import { extname, join } from "node:path";
+import { getProductionFiles } from "../fs-utils.js";
 import { gradeFromScore } from "../types.js";
 const MIN_LINES = 6; // minimum duplicate block size
 const MIN_TOKENS = 50; // minimum token count for a duplicate
 export function runDuplication(cwd) {
     const start = Date.now();
     const issues = [];
-    const files = [];
-    const dirs = ["src", "web/src"];
-    for (const dir of dirs) {
-        try {
-            collectFiles(join(cwd, dir), files);
-        }
-        catch {
-            /* dir doesn't exist */
-        }
-    }
-    if (files.length < 2) {
+    const sourceFiles = getProductionFiles(cwd);
+    if (sourceFiles.length < 2) {
         return {
             name: "duplication",
             score: 100,
             grade: "A",
-            details: { filesScanned: files.length, duplicates: 0 },
+            details: { filesScanned: sourceFiles.length, duplicates: 0 },
             issues: [],
             duration: Date.now() - start,
         };
@@ -31,23 +21,21 @@ export function runDuplication(cwd) {
     // Build a map of normalized line hashes → locations
     const lineMap = new Map();
     let totalSourceLines = 0;
-    for (const file of files) {
-        const content = readFileSync(file, "utf-8");
-        const relPath = file.replace(`${cwd}/`, "");
-        const lines = content.split("\n");
+    for (const sf of sourceFiles) {
+        const lines = sf.content.split("\n");
         totalSourceLines += lines.length;
         for (let i = 0; i <= lines.length - MIN_LINES; i++) {
             const block = lines
                 .slice(i, i + MIN_LINES)
                 .map((l) => l.trim())
-                .filter((l) => l.length > 0 && !l.startsWith("//") && !l.startsWith("*") && l !== "{" && l !== "}" && l !== "");
+                .filter((l) => l.length > 0 && !l.startsWith("//") && !l.startsWith("*") && !l.startsWith("import ") && !l.startsWith("export {") && l !== "{" && l !== "}" && l !== "");
             if (block.length < MIN_LINES - 2)
                 continue; // too many empty/trivial lines
             const key = block.join("\n");
             if (key.length < MIN_TOKENS)
                 continue;
             const locs = lineMap.get(key) || [];
-            locs.push({ file: relPath, line: i + 1 });
+            locs.push({ file: sf.path, line: i + 1 });
             lineMap.set(key, locs);
         }
     }
@@ -86,24 +74,8 @@ export function runDuplication(cwd) {
         name: "duplication",
         score,
         grade: gradeFromScore(score),
-        details: { filesScanned: files.length, totalSourceLines, duplicateBlocks: duplicates.length, duplicationPct: `${dupPct}%` },
+        details: { filesScanned: sourceFiles.length, totalSourceLines, duplicateBlocks: duplicates.length, duplicationPct: `${dupPct}%` },
         issues,
         duration: Date.now() - start,
     };
 }
-function collectFiles(dir, out) {
-    for (const entry of readdirSync(dir)) {
-        if (entry === "node_modules" || entry === "dist" || entry === ".git")
-            continue;
-        const full = join(dir, entry);
-        if (statSync(full).isDirectory()) {
-            collectFiles(full, out);
-        }
-        else {
-            const ext = extname(entry);
-            if ([".ts", ".tsx", ".js", ".jsx"].includes(ext) && !entry.includes(".test.") && !entry.includes(".spec.")) {
-                out.push(full);
-            }
-        }
-    }
-}

package/dist/runners/lint.js

@@ -49,6 +49,23 @@ export function runLint(cwd, stack) {
             /* eslint output parse failed */
         }
     }
+    else if (stack.linter === "dart_analyze") {
+        const { stdout } = run("dart analyze --format=machine 2>/dev/null || true", cwd);
+        // machine format: SEVERITY|TYPE|CODE|PATH|LINE|COL|LEN|MESSAGE
+        for (const line of stdout.split("\n")) {
+            const parts = line.split("|");
+            if (parts.length < 8)
+                continue;
+            const severity = parts[0] === "ERROR" ? "error" : parts[0] === "WARNING" ? "warning" : "info";
+            issues.push({
+                severity,
+                message: parts[7],
+                file: parts[3],
+                line: parseInt(parts[4], 10) || undefined,
+                rule: parts[2],
+            });
+        }
+    }
     else {
         return {
             name: "lint",

package/dist/runners/performance.d.ts

@@ -0,0 +1,10 @@
+/** Performance check — barrel imports, dynamic import opportunities, large bundles.
+ *
+ * Sub-checks:
+ *   1. Barrel import smell — index.ts re-exports that defeat tree-shaking
+ *   2. Heavy dependencies — bundled packages known to bloat output
+ *   3. Dynamic import opportunities — large imports that could be lazy-loaded
+ *   4. CSS-in-JS overhead — detects runtime CSS solutions vs zero-runtime alternatives
+ */
+import type { CheckResult } from "../types.js";
+export declare function runPerformance(cwd: string): CheckResult;

package/dist/runners/performance.js

@@ -0,0 +1,174 @@
+/** Performance check — barrel imports, dynamic import opportunities, large bundles.
+ *
+ * Sub-checks:
+ *   1. Barrel import smell — index.ts re-exports that defeat tree-shaking
+ *   2. Heavy dependencies — bundled packages known to bloat output
+ *   3. Dynamic import opportunities — large imports that could be lazy-loaded
+ *   4. CSS-in-JS overhead — detects runtime CSS solutions vs zero-runtime alternatives
+ */
+import { existsSync, readdirSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { getProductionFiles, readDeps } from "../fs-utils.js";
+import { gradeFromScore } from "../types.js";
+// Packages known to be heavy (bundled KB, approx)
+const HEAVY_DEPS = {
+    moment: { kb: 300, alt: "date-fns or dayjs (2-7KB)" },
+    lodash: { kb: 70, alt: "lodash-es or native methods" },
+    "lodash.js": { kb: 70, alt: "lodash-es or native methods" },
+    rxjs: { kb: 50, alt: "only import operators you use" },
+    "@fortawesome/fontawesome-svg-core": { kb: 60, alt: "lucide-react or heroicons (tree-shakeable)" },
+    "@material-ui/core": { kb: 300, alt: "@mui/material with tree-shaking imports" },
+    "chart.js": { kb: 200, alt: "lightweight-charts or uPlot" },
+    firebase: { kb: 200, alt: "firebase/app + only needed modules" },
+    "aws-sdk": { kb: 400, alt: "@aws-sdk/client-* (v3 modular)" },
+    underscore: { kb: 25, alt: "native ES methods" },
+};
+export function runPerformance(cwd) {
+    const start = Date.now();
+    const issues = [];
+    const sourceFiles = getProductionFiles(cwd);
+    if (sourceFiles.length === 0) {
+        return {
+            name: "performance",
+            score: 100,
+            grade: "A",
+            details: { skipped: true, reason: "no source files" },
+            issues: [],
+            duration: Date.now() - start,
+        };
+    }
+    let barrelImports = 0;
+    let heavyDeps = 0;
+    let dynamicOpportunities = 0;
+    let cssInJsRuntime = 0;
+    // ── 1. Barrel import detection ──
+    // Find index.ts files that just re-export
+    for (const f of sourceFiles) {
+        if (f.base !== "index")
+            continue;
+        const lines = f.content.split("\n").filter((l) => l.trim().length > 0);
+        const exportLines = lines.filter((l) => /^export\s/.test(l.trim()));
+        // If >80% of non-empty lines are re-exports, it's a barrel
+        if (lines.length > 0 && exportLines.length / lines.length > 0.8 && exportLines.length >= 3) {
+            barrelImports++;
+            issues.push({
+                severity: "warning",
+                message: `Barrel file with ${exportLines.length} re-exports — defeats tree-shaking in many bundlers`,
+                file: f.path,
+                rule: "barrel-import",
+            });
+        }
+    }
+    // Check for imports from barrel files (importing from directory index)
+    for (const f of sourceFiles) {
+        const lines = f.content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const match = lines[i].match(/import\s+\{[^}]{50,}\}\s+from\s+['"](\.[^'"]+)['"]/);
+            if (match) {
+                issues.push({
+                    severity: "info",
+                    message: "Large destructured import — if from a barrel, only imported items should be bundled",
+                    file: f.path,
+                    line: i + 1,
+                    rule: "large-import",
+                });
+            }
+        }
+    }
+    // ── 2. Heavy dependency detection ──
+    const deps = readDeps(cwd);
+    for (const [name, info] of Object.entries(HEAVY_DEPS)) {
+        if (deps[name]) {
+            heavyDeps++;
+            issues.push({
+                severity: "warning",
+                message: `${name} (~${info.kb}KB) — consider ${info.alt}`,
+                rule: "heavy-dependency",
+            });
+        }
+    }
+    // lodash without lodash-es (non-tree-shakeable)
+    if (deps.lodash && !deps["lodash-es"]) {
+        issues.push({
+            severity: "warning",
+            message: "lodash (not lodash-es) — CommonJS build defeats tree-shaking",
+            rule: "non-esm-dep",
+        });
+    }
+    // ── 3. Dynamic import opportunities ──
+    // Large conditional imports that could be lazy-loaded
+    for (const f of sourceFiles) {
+        const lines = f.content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i].trim();
+            // Static import of known-heavy visualization/editor libraries
+            if (/^import\s/.test(line) && /\b(monaco|codemirror|ace-builds|chart\.js|three|@react-three|recharts|d3)\b/.test(line)) {
+                dynamicOpportunities++;
+                issues.push({
+                    severity: "info",
+                    message: "Consider dynamic import() for heavy library — reduces initial bundle",
+                    file: f.path,
+                    line: i + 1,
+                    rule: "dynamic-import-opportunity",
+                });
+            }
+        }
+    }
+    // ── 4. CSS-in-JS runtime overhead ──
+    const runtimeCss = ["styled-components", "@emotion/styled", "@emotion/react"];
+    for (const pkg of runtimeCss) {
+        if (deps[pkg]) {
+            cssInJsRuntime++;
+            issues.push({
+                severity: "info",
+                message: `${pkg} adds runtime CSS overhead — consider Tailwind, CSS Modules, or vanilla-extract`,
+                rule: "runtime-css",
+            });
+        }
+    }
+    // ── 5. Bundle size check (if dist/ exists) ──
+    let bundleSizeKB = 0;
+    const distDirs = ["dist", "build", ".next", "out"];
+    for (const d of distDirs) {
+        const distPath = join(cwd, d);
+        if (existsSync(distPath)) {
+            try {
+                bundleSizeKB = Math.round(dirSizeKB(distPath));
+            }
+            catch { /* can't read dist */ }
+            break;
+        }
+    }
+    // Score
+    const penalty = barrelImports * 3 + heavyDeps * 8 + dynamicOpportunities * 2 + cssInJsRuntime * 2;
+    const score = Math.max(0, Math.min(100, 100 - penalty));
+    return {
+        name: "performance",
+        score,
+        grade: gradeFromScore(score),
+        details: {
+            filesScanned: sourceFiles.length,
+            barrelImports,
+            heavyDeps,
+            dynamicOpportunities,
+            cssInJsRuntime,
+            ...(bundleSizeKB > 0 ? { bundleSizeKB } : {}),
+        },
+        issues,
+        duration: Date.now() - start,
+    };
+}
+function dirSizeKB(dir) {
+    let total = 0;
+    for (const entry of readdirSync(dir)) {
+        const full = join(dir, entry);
+        const stat = statSync(full);
+        if (stat.isDirectory()) {
+            total += dirSizeKB(full);
+        }
+        else {
+            total += stat.size;
+        }
+    }
+    return total / 1024;
+}

package/dist/runners/react.d.ts

@@ -0,0 +1,3 @@
+/** React-specific checks — hooks rules, conditional hooks, missing keys, prop spreading. */
+import type { CheckResult, StackInfo } from "../types.js";
+export declare function runReact(cwd: string, stack: StackInfo): CheckResult;

package/dist/runners/react.js

@@ -0,0 +1,86 @@
+/** React-specific checks — hooks rules, conditional hooks, missing keys, prop spreading. */
+import { gradeFromScore } from "../types.js";
+import { getProductionFiles } from "../fs-utils.js";
+export function runReact(cwd, stack) {
+    const start = Date.now();
+    if (stack.framework !== "react") {
+        return { name: "react", score: 100, grade: "A", details: { skipped: true, reason: "not a React project" }, issues: [], duration: Date.now() - start };
+    }
+    const files = getProductionFiles(cwd).filter((f) => f.ext === ".tsx" || f.ext === ".jsx");
+    if (files.length === 0) {
+        return { name: "react", score: 100, grade: "A", details: { skipped: true, reason: "no JSX/TSX files" }, issues: [], duration: Date.now() - start };
+    }
+    const issues = [];
+    let conditionalHooks = 0;
+    let missingKeys = 0;
+    let propSpreading = 0;
+    let inlineHandlers = 0;
+    let indexKeys = 0;
+    for (const f of files) {
+        const lines = f.content.split("\n");
+        // Track brace depth inside conditional blocks
+        let condBraceDepth = 0; // > 0 means we're inside a conditional's body
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const trimmed = line.trim();
+            // Skip comments
+            if (trimmed.startsWith("//") || trimmed.startsWith("*"))
+                continue;
+            // Count braces on this line
+            const opens = (trimmed.match(/\{/g) || []).length;
+            const closes = (trimmed.match(/\}/g) || []).length;
+            // Enter conditional: set depth to 1 on the opening brace
+            if (/\b(if|else|switch)\s*[\s(]/.test(trimmed) && opens > 0) {
+                condBraceDepth = 1;
+            }
+            else if (condBraceDepth > 0) {
+                condBraceDepth += opens - closes;
+                if (condBraceDepth < 0)
+                    condBraceDepth = 0;
+            }
+            // 1. Hooks called inside conditionals
+            if (condBraceDepth > 0 && /\buse[A-Z]\w*\s*\(/.test(trimmed) && !/\/\//.test(trimmed.split("use")[0])) {
+                conditionalHooks++;
+                issues.push({ severity: "error", message: "Hook called inside conditional — violates Rules of Hooks", file: f.path, line: i + 1, rule: "conditional-hook" });
+            }
+            // 2. Missing key in .map() returning JSX
+            if (/\.map\s*\(/.test(trimmed)) {
+                // Look ahead for JSX return without key
+                const mapBlock = lines.slice(i, Math.min(i + 10, lines.length)).join("\n");
+                if (/<\w/.test(mapBlock) && !mapBlock.includes("key=") && !mapBlock.includes("key:")) {
+                    missingKeys++;
+                    issues.push({ severity: "error", message: "JSX in .map() without key prop", file: f.path, line: i + 1, rule: "missing-key" });
+                }
+            }
+            // 3. index as key
+            if (/key=\{(?:i|idx|index)\}/.test(trimmed) || /key=\{.*(?:, *(?:i|idx|index)\))/.test(trimmed)) {
+                indexKeys++;
+                issues.push({ severity: "warning", message: "Using index as key — can cause rendering bugs with reorderable lists", file: f.path, line: i + 1, rule: "index-key" });
+            }
+            // 4. Prop spreading ({...props} on DOM elements)
+            if (/\{\.\.\.(?!children)\w+\}/.test(trimmed) && /<[a-z]/.test(trimmed)) {
+                propSpreading++;
+                issues.push({ severity: "warning", message: "Spreading props onto DOM element — can pass unexpected attributes", file: f.path, line: i + 1, rule: "prop-spreading" });
+            }
+            // 5. Inline arrow functions in JSX event handlers (performance)
+            if (/on[A-Z]\w*=\{(?:\(\) =>|function)/.test(trimmed)) {
+                inlineHandlers++;
+            }
+        }
+    }
+    // Only warn about inline handlers if there are many
+    if (inlineHandlers > 15) {
+        issues.push({ severity: "warning", message: `${inlineHandlers} inline arrow functions in JSX handlers — extract to named functions for readability`, rule: "inline-handlers" });
+    }
+    const errors = issues.filter((i) => i.severity === "error").length;
+    const warnings = issues.filter((i) => i.severity === "warning").length;
+    const score = Math.max(0, Math.min(100, 100 - errors * 8 - warnings * 3));
+    return {
+        name: "react",
+        score,
+        grade: gradeFromScore(score),
+        details: { jsxFiles: files.length, conditionalHooks, missingKeys, indexKeys, propSpreading, inlineHandlers },
+        issues,
+        duration: Date.now() - start,
+    };
+}

package/dist/runners/secrets.js

@@ -1,6 +1,5 @@
 /** Secret detection — scans for hardcoded keys/tokens in source files. */
-import { readdirSync, readFileSync, statSync } from "node:fs";
-import { extname, join } from "node:path";
+import { collectAllFiles } from "../fs-utils.js";
 import { gradeFromScore } from "../types.js";
 const SECRET_PATTERNS = [
     { name: "AWS Access Key", pattern: /AKIA[0-9A-Z]{16}/ },
@@ -35,26 +34,23 @@ const SECRET_PATTERNS = [
 export function runSecrets(cwd) {
     const start = Date.now();
     const issues = [];
-    const files = [];
-    collectFiles(cwd, files);
-    for (const file of files) {
-        const content = readFileSync(file, "utf-8");
-        const relPath = file.replace(`${cwd}/`, "");
-        const lines = content.split("\n");
+    const sourceFiles = collectAllFiles(cwd, { extraExts: true });
+    for (const sf of sourceFiles) {
+        // Skip test files and mock data
+        if (sf.isTest || sf.path.includes("__mock"))
+            continue;
+        const lines = sf.content.split("\n");
         for (let i = 0; i < lines.length; i++) {
             const line = lines[i];
             // Skip comments
             if (line.trim().startsWith("//") || line.trim().startsWith("*"))
                 continue;
-            // Skip test files and mock data
-            if (relPath.includes(".test.") || relPath.includes("__mock"))
-                continue;
             for (const { name, pattern } of SECRET_PATTERNS) {
                 if (pattern.test(line)) {
                     issues.push({
                         severity: "error",
                         message: `Possible ${name}`,
-                        file: relPath,
+                        file: sf.path,
                         line: i + 1,
                         rule: "secret-detected",
                     });
@@ -72,20 +68,3 @@ export function runSecrets(cwd) {
         duration: Date.now() - start,
     };
 }
-function collectFiles(dir, out) {
-    for (const entry of readdirSync(dir)) {
-        if (["node_modules", "dist", ".git", ".vibe-check", "coverage", "test-results"].includes(entry))
-            continue;
-        const full = join(dir, entry);
-        const stat = statSync(full);
-        if (stat.isDirectory()) {
-            collectFiles(full, out);
-        }
-        else {
-            const ext = extname(entry);
-            if ([".ts", ".tsx", ".js", ".jsx", ".json", ".env", ".yaml", ".yml", ".toml"].includes(ext)) {
-                out.push(full);
-            }
-        }
-    }
-}

package/dist/runners/security.js

@@ -1,6 +1,7 @@
 /** Security analysis — beyond secrets, checks for vulnerable code patterns. */
-import { existsSync, readdirSync, readFileSync, statSync } from "node:fs";
-import { extname, join } from "node:path";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { getProductionFiles } from "../fs-utils.js";
 import { gradeFromScore } from "../types.js";
 const PATTERNS = [
     // XSS
@@ -44,7 +45,7 @@ const PATTERNS = [
     },
     {
         name: "child_process.exec",
-        pattern: /\bexec(?:Sync)?\s*\((?!.*\{[^}]*encoding)/,
+        pattern: /\b(?:child_process|cp)\.exec(?:Sync)?\s*\(|(?:^|\s)execSync\s*\(/,
         severity: "warning",
         message: "Command injection risk: prefer execFile with argument array",
         cwe: "CWE-78",
@@ -105,7 +106,7 @@ const PATTERNS = [
     // Sensitive data
     {
         name: "password in URL",
-        pattern: /(?:password|secret|token|key)=[^&\s'"]+/i,
+        pattern: /(?:password|secret|api_?token)=[^&\s'"]{8,}/i,
         severity: "warning",
         message: "Sensitive data in URL query string",
         cwe: "CWE-598",
@@ -122,17 +123,8 @@ const PATTERNS = [
 export function runSecurity(cwd) {
     const start = Date.now();
     const issues = [];
-    const files = [];
-    const dirs = ["src", "web/src"];
-    for (const dir of dirs) {
-        try {
-            collectFiles(join(cwd, dir), files);
-        }
-        catch {
-            /* dir doesn't exist */
-        }
-    }
-    if (files.length === 0) {
+    const sourceFiles = getProductionFiles(cwd);
+    if (sourceFiles.length === 0) {
         return {
             name: "security",
             score: 100,
@@ -143,24 +135,25 @@ export function runSecurity(cwd) {
         };
     }
     const cwePrefixes = new Set();
-    for (const file of files) {
-        const content = readFileSync(file, "utf-8");
-        const relPath = file.replace(`${cwd}/`, "");
-        const lines = content.split("\n");
+    for (const sf of sourceFiles) {
+        const lines = sf.content.split("\n");
         for (let i = 0; i < lines.length; i++) {
             const line = lines[i];
             const trimmed = line.trim();
             if (trimmed.startsWith("//") || trimmed.startsWith("*"))
                 continue;
-            // Skip pattern/config definition lines (prevents false positives on own code)
+            // Skip pattern/config definition lines and string-heavy metadata (prevents false positives on own code)
             if (/\bpattern\s*:|name:\s*["']|message:\s*["']|description:\s*["']|risk:\s*["']|recommendation:\s*["']/.test(trimmed))
                 continue;
+            // Skip lines that are primarily string content (check-meta descriptions, etc.)
+            if (/^\s*["'`].*["'`][,;]?\s*$/.test(line))
+                continue;
             for (const p of PATTERNS) {
                 if (p.pattern.test(line)) {
                     issues.push({
                         severity: p.severity,
                         message: p.message,
-                        file: relPath,
+                        file: sf.path,
                         line: i + 1,
                         rule: p.cwe || p.name,
                     });
@@ -200,24 +193,8 @@ export function runSecurity(cwd) {
         name: "security",
         score,
         grade: gradeFromScore(score),
-        details: { filesScanned: files.length, patterns: issues.length, cweCategories: cwePrefixes.size, errors, warnings },
+        details: { filesScanned: sourceFiles.length, patterns: issues.length, cweCategories: cwePrefixes.size, errors, warnings },
         issues,
         duration: Date.now() - start,
     };
 }
-function collectFiles(dir, out) {
-    for (const entry of readdirSync(dir)) {
-        if (["node_modules", "dist", ".git", ".vibe-check", "coverage", "test-results"].includes(entry))
-            continue;
-        const full = join(dir, entry);
-        if (statSync(full).isDirectory()) {
-            collectFiles(full, out);
-        }
-        else {
-            const ext = extname(entry);
-            if ([".ts", ".tsx", ".js", ".jsx"].includes(ext) && !entry.includes(".test.") && !entry.includes(".spec.")) {
-                out.push(full);
-            }
-        }
-    }
-}