@vibecodeqa/cli 0.17.0 → 0.18.0

package/README.md

@@ -2,19 +2,19 @@
 
 **Code health scanner for the AI coding era.**
 
-One command. 15 checks. Full report. Zero config.
+One command. 21 checks. Full report. Zero config.
 
 ```bash
 npx @vibecodeqa/cli
 ```
 
-![Grade](https://img.shields.io/badge/checks-15-blue) ![TypeScript](https://img.shields.io/badge/TypeScript-first-3178C6) ![License](https://img.shields.io/badge/license-MIT-green)
+![Grade](https://img.shields.io/badge/checks-21-blue) ![TypeScript](https://img.shields.io/badge/TypeScript-first-3178C6) ![License](https://img.shields.io/badge/license-MIT-green)
 
 ## What it does
 
-vcqa scans your TypeScript/JavaScript codebase and produces a scored health report with actionable findings. It auto-detects your stack (React, Vite, vitest, Biome, etc.) and runs 15 checks across 6 categories.
+vcqa scans your TypeScript/JavaScript/Dart/Flutter codebase and produces a scored health report with actionable findings. It auto-detects your stack (React, Flutter, Vite, vitest, Biome, etc.) and runs 21 checks across 7 categories.
 
-The output is a self-contained HTML report with radar charts, architecture diagrams, file heatmaps, and drill-down issue lists — all navigable via sidebar and tab navigation.
+The output is a self-contained HTML report with radar charts, architecture diagrams, score timeline, testing pyramid, and drill-down issue lists — all navigable via sidebar and tab navigation.
 
 ## Quick start
 
@@ -34,6 +34,12 @@ npx @vibecodeqa/cli --ci
 # JSON output (pipe to other tools)
 npx @vibecodeqa/cli --json
 
+# Generate badge SVG for README
+npx @vibecodeqa/cli --badge
+
+# SARIF output for GitHub Security tab
+npx @vibecodeqa/cli --sarif
+
 # Scan a specific directory
 npx @vibecodeqa/cli /path/to/project
 ```
@@ -41,6 +47,8 @@ npx @vibecodeqa/cli /path/to/project
 Output goes to `.vibe-check/`:
 - `report.html` — navigable multi-page dashboard (open in browser)
 - `report.json` — machine-readable results
+- `badge.svg` — shields.io-style badge (with `--badge`)
+- `report.sarif` — SARIF 2.1.0 for GitHub Code Scanning (with `--sarif`)
 - `history/` — last 30 reports for trend tracking
 
 ## Checks
@@ -53,17 +61,20 @@ Output goes to `.vibe-check/`:
 | **Lint** | 5% | Biome or ESLint errors/warnings (auto-detected) |
 | **Types** | 6% | TypeScript compilation errors (`tsc --noEmit`) |
 | **Type Safety** | 3% | `as any`, `: any`, `@ts-ignore`, `@ts-nocheck` counts |
-| **Standards** | 3% | File naming, large files (>300 lines), code smells (console.log, var, ==, eval, innerHTML), config hygiene |
+| **Standards** | 3% | File naming, large files (>300 lines), code smells (console.log, var, ==, eval), config hygiene |
 
-### Quality (15%)
+### Quality (23%)
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
-| **Complexity** | 7% | Cognitive complexity per function, functions >60 lines |
+| **Complexity** | 3% | Cognitive complexity per function, functions >60 lines |
 | **Duplication** | 5% | Copy-pasted 6+ line blocks |
+| **Error Handling** | 5% | Empty catch blocks, throw string, missing Error Boundaries |
+| **React Patterns** | 3% | Conditional hooks, missing keys, index keys, prop spreading |
+| **Accessibility** | 4% | img alt, click on non-interactive elements, form labels, html lang |
 | **Docs** | 3% | README quality, JSDoc coverage of exports |
 
-### Testing (22%)
+### Testing (15%)
 
 One deep check with 6 sub-dimensions:
 
@@ -74,34 +85,36 @@ One deep check with 6 sub-dimensions:
 - **Quality** — assertion density, mock ratio, snapshot ratio
 - **E2E detection** — Playwright/Cypress configured?
 
-### Architecture (7%)
+### Architecture (10%)
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
-| **Architecture** | 7% | Import graph, circular deps, god modules, orphan files, fan-out, SVG diagram |
+| **Architecture** | 6% | Import graph, circular deps, god modules, orphan files, fan-out, SVG diagram with legend |
+| **Performance** | 4% | Barrel imports, heavy dependencies, dynamic import opportunities, CSS-in-JS overhead |
 
-### Security (18%)
+### Security (16%)
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
 | **Secrets** | 6% | 13 patterns (AWS, GitHub, Stripe, OpenAI, private keys) |
-| **Security** | 7% | 15 CWE-mapped patterns (XSS, injection, crypto, SSRF) |
-| **Dependencies** | 5% | npm audit vulnerabilities + outdated packages |
+| **Security** | 5% | 15 CWE-mapped patterns (XSS, injection, crypto, SSRF) |
+| **Dependencies** | 5% | npm audit / dart pub outdated vulnerabilities + outdated packages |
 
-### LLM Readiness (15%)
+### AI Readiness (13%)
 
 Novel checks that no other tool offers:
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
-| **Confusion Index** | 8% | File name similarity, generic names, export collisions, ambiguous abbreviations |
-| **Context Locality** | 7% | Token density, import depth, circular deps, context sinks |
+| **Confusion Index** | 7% | File name similarity, generic names, export collisions, ambiguous abbreviations |
+| **Context Locality** | 6% | Token density, import depth, circular deps, context sinks |
 
-**Research backing:**
-- "When Names Disappear" (arXiv:2510.03178): GPT-4o drops 28.6% on summarization with ambiguous names
-- "Lost in the Middle" (Liu et al. 2023): 30%+ accuracy drop for mid-context information
-- "Context Rot" (Chroma 2025): all frontier models degrade with input length
-- "Variable Naming Impact" (Research Square 2024): descriptive names = 8.9% better AI performance
+### AI Analysis (PRO — coming soon)
+
+| Check | What it will do |
+|-------|----------------|
+| **Doc Coherence** | LLM-powered detection of contradictions between docs and code |
+| **Code Coherence** | LLM-powered detection of internal inconsistencies across modules |
 
 ## Scoring
 
@@ -117,27 +130,19 @@ Each check produces a score from 0-100. The composite score is a weighted averag
 
 ## Report features
 
-The report is a multi-page navigable dashboard:
-
-- **10 pages**: Overview, Foundations, Quality, Testing, Architecture, Security, LLM Readiness, Issues, File Map, Heatmap
-- **Top nav + sidebar** — navigate by category and check
-- **Radar chart** — 6-axis view of category scores
-- **Architecture SVG diagram** — modules grouped by directory, import edges, node size by fan-in
-- **Code heatmap** — colored bars showing issue density per file
-- **Trend comparison** — score delta vs. previous run (reads previous report.json)
-- **File map** — top files by issue count across all checks
+- **Primary nav**: Overview + 7 dimension tabs (Foundations, Quality, Testing, Architecture, Security, AI Readiness, AI Analysis)
+- **Secondary nav**: Issues + Files (cross-cutting data views)
+- **Score ring + radar chart** — 6-axis view of category scores
+- **Score timeline** — last 30 runs with grade-colored dots
+- **Testing pyramid** — proportional SVG showing unit/integration/component/e2e distribution
+- **Architecture SVG** — modules grouped by directory, bezier edges with arrows, color-coded nodes (god module, cycle, orphan), legend
+- **File health map** — heatmap bars showing issue density per file
+- **Trend comparison** — score delta vs. previous run
 - **GitHub links** — click any file:line to open in GitHub (auto-detected from git remote)
-- **Actionable prompts** — 📋 button on every issue copies a fix prompt for Claude/Codex
+- **Actionable prompts** — clipboard button on every issue copies a fix prompt for Claude/Codex
 - **Info panels** — each check has What/Risk/Fix explanations with research citations
 - **Priority badges** — critical/high/medium/low on each check
 
-## Trend tracking
-
-vcqa reads the previous `.vibe-check/report.json` on each run and shows:
-- Score change (↑ improved / ↓ declined)
-- Per-check deltas
-- New vs. fixed issue counts
-
 ## CLI options
 
 | Flag | Description |
@@ -146,33 +151,37 @@ vcqa reads the previous `.vibe-check/report.json` on each run and shows:
 | `--watch` | Re-scan automatically on file changes |
 | `--ci` | Exit code 1 if composite score < 60 |
 | `--json` | Output JSON to stdout (no HTML, no browser) |
+| `--badge` | Generate badge.svg in output directory |
+| `--sarif` | Generate SARIF 2.1.0 for GitHub Code Scanning |
 
 ## Stack detection
 
-Auto-detects from `package.json` and config files:
-- **Language:** TypeScript, JavaScript
-- **Framework:** React, Vue, Svelte
+Auto-detects from `package.json`, `pubspec.yaml`, and config files:
+- **Language:** TypeScript, JavaScript, Dart
+- **Framework:** React, Vue, Svelte, Flutter
 - **Bundler:** Vite, Webpack, esbuild
-- **Test runner:** vitest, jest
-- **Linter:** Biome, ESLint
-- **Package manager:** pnpm, npm, yarn, bun
-
-## References
-
-Standards and research cited in vibe-check's analysis:
-
-- ISO/IEC 25010:2023 — Software product quality model
-- McCabe, T.J. "A Complexity Measure" (IEEE, 1976) — Cyclomatic complexity
-- Campbell, G.A. "Cognitive Complexity" (SonarSource, 2017) — Understandability metric
-- Martin, R.C. "Clean Code" (2008) — Naming principles
-- OWASP Top 10 — Web application security risks
-- CWE Top 25 — Most dangerous software weaknesses
-- Liu et al. "Lost in the Middle" (TACL, 2023) — LLM context attention
-- Chroma Research "Context Rot" (2025) — LLM degradation with input length
-- Wang et al. "How Does Naming Affect LLMs?" (JSEA, 2024) — Naming impact on AI
-- arXiv:2510.03178 "When Names Disappear" (2025) — 28.6% accuracy drop
-- Arnaoudova et al. "Linguistic Antipatterns" — 17-pattern naming catalog
-- Vassilev "Codified Context" (arXiv, 2025) — AI agent context architecture
+- **Test runner:** vitest, jest, flutter_test, dart_test
+- **Linter:** Biome, ESLint, dart analyze
+- **Package manager:** pnpm, npm, yarn, bun, pub
+
+## GitHub Actions
+
+Add this to `.github/workflows/vibecodeqa.yml` for automatic PR scanning:
+
+```yaml
+name: VibeCode QA
+on: [pull_request]
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npx @vibecodeqa/cli --skip-tests --ci --sarif
+      - uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: .vibe-check/report.sarif
+```
 
 ## License
 
@@ -180,6 +189,7 @@ MIT — Free forever as a CLI tool.
 
 ## Links
 
-- **GitHub:** https://github.com/freeappstore-online/vibe-check
+- **GitHub:** https://github.com/vibecodeqa/cli
 - **Website:** https://vibecodeqa.online
-- **Issues:** https://github.com/freeappstore-online/vibe-check/issues
+- **npm:** https://www.npmjs.com/package/@vibecodeqa/cli
+- **Issues:** https://github.com/vibecodeqa/cli/issues

package/dist/check-meta.d.ts

@@ -10,6 +10,7 @@ export interface CheckMeta {
     description: string;
     risk: string;
     recommendation: string;
+    premium?: boolean;
 }
 export declare const CHECK_META: Record<string, CheckMeta>;
 export declare function getCheckMeta(name: string): CheckMeta;

package/dist/check-meta.js

@@ -96,7 +96,7 @@ export const CHECK_META = {
         label: "Testing",
         category: "Testing",
         priority: "critical",
-        weight: 17,
+        weight: 15,
         description: "Deep assessment of test quality across 6 dimensions: pyramid presence (unit/integration/component/E2E layers), test execution (pass/fail), coverage (statement/branch/line/function), file pairing (test file per source file), test quality (assertion density, mock ratio, snapshot ratio), and E2E tool detection (Playwright/Cypress).",
         risk: "Code without tests is code you can't safely change. Missing test layers mean entire categories of bugs go undetected: unit tests catch logic bugs, integration tests catch API contract breaks, E2E tests catch user-visible regressions. Low coverage means large portions of code are never exercised.",
         recommendation: "Follow the testing pyramid: many unit tests, some integration tests, fewer E2E tests. Aim for >80% branch coverage. Every source file should have a corresponding test file. Use Playwright for E2E if you have a web frontend.",
@@ -116,7 +116,7 @@ export const CHECK_META = {
         label: "Security Patterns",
         category: "Security",
         priority: "critical",
-        weight: 7,
+        weight: 5,
         description: "Static analysis for 15 vulnerability patterns mapped to CWE (Common Weakness Enumeration) IDs. Covers: XSS (innerHTML, dangerouslySetInnerHTML, document.write), injection (eval, new Function, SQL template literals, command injection), weak crypto (Math.random for tokens, MD5/SHA1), prototype pollution, path traversal, SSRF, and missing security headers.",
         risk: "These patterns represent the most commonly exploited vulnerabilities in web applications (OWASP Top 10). A single XSS or injection vulnerability can lead to account takeover, data theft, or complete system compromise.",
         recommendation: "Replace innerHTML with textContent or DOM APIs. Never use eval(). Use parameterized queries for SQL. Use crypto.randomUUID() instead of Math.random() for tokens. Validate all user input before use in file paths or URLs.",
@@ -181,6 +181,38 @@ export const CHECK_META = {
         risk: "1 in 4 adults has a disability (CDC). Missing alt text makes images invisible to screen readers. Click-only divs exclude keyboard users. Unlabeled inputs are unusable with assistive technology. Missing lang attribute breaks screen reader pronunciation.",
         recommendation: "Add alt text to all images (use alt=\"\" for decorative). Use <button> for clickable elements, not <div onClick>. Label all form controls with <label>, aria-label, or aria-labelledby. Set lang on <html>.",
     },
+    performance: {
+        name: "performance",
+        label: "Performance",
+        category: "Architecture",
+        priority: "medium",
+        weight: 4,
+        description: "Detects barrel imports that defeat tree-shaking, heavy dependencies with lighter alternatives, static imports of large libraries that could be lazy-loaded, and runtime CSS-in-JS overhead.",
+        risk: "Barrel files (index.ts re-exports) prevent bundlers from tree-shaking unused code, bloating bundles by 2-10x. Heavy dependencies like moment.js add 300KB when date-fns does the same in 7KB. Static imports of visualization libraries delay initial page load.",
+        recommendation: "Replace barrel re-exports with direct imports. Swap heavy deps for lighter alternatives. Use dynamic import() for large libraries only needed on interaction. Prefer zero-runtime CSS (Tailwind, CSS Modules) over styled-components.",
+    },
+    "doc-coherence": {
+        name: "doc-coherence",
+        label: "Doc Coherence",
+        category: "AI Analysis",
+        priority: "high",
+        weight: 0,
+        description: "LLM-powered analysis that detects contradictions between documentation and code. Finds stale README claims, incorrect JSDoc parameters, outdated CHANGELOG references, and comments that no longer match the implementation.",
+        risk: "Stale documentation is worse than no documentation — it actively misleads developers and LLMs. When README says 'supports X' but the feature was removed, new contributors waste time. When JSDoc says a param is required but code treats it as optional, callers crash.",
+        recommendation: "Enable doc-coherence with a VibeCode QA Pro subscription. The LLM scans all documentation against the actual code and surfaces contradictions with specific file references.",
+        premium: true,
+    },
+    "code-coherence": {
+        name: "code-coherence",
+        label: "Code Coherence",
+        category: "AI Analysis",
+        priority: "high",
+        weight: 0,
+        description: "LLM-powered analysis that detects internal contradictions within the codebase itself. Finds inconsistent validation logic, conflicting defaults across modules, naming convention drift, dead config flags, and behavioral mismatches.",
+        risk: "Incoherent codebases are the #1 source of 'it works on my machine' bugs. When module A validates email with regex and module B uses a different regex, some emails pass one and fail the other. When timeouts differ across modules, race conditions emerge under load.",
+        recommendation: "Enable code-coherence with a VibeCode QA Pro subscription. The LLM analyzes cross-module patterns and surfaces behavioral contradictions that static analysis cannot detect.",
+        premium: true,
+    },
 };
 export function getCheckMeta(name) {
     return (CHECK_META[name] || {

package/dist/cli.js

@@ -3,7 +3,7 @@
 import { existsSync, mkdirSync, readdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
 import { join, resolve } from "node:path";
 import { detectRepoUrl, detectStack } from "./detect.js";
-import { generateHTML } from "./report/html.js";
+import { generatePages } from "./report/html.js";
 import { runArchitecture } from "./runners/architecture.js";
 import { runComplexity } from "./runners/complexity.js";
 import { runConfusion } from "./runners/confusion.js";
@@ -11,10 +11,13 @@ import { runContext } from "./runners/context.js";
 import { runDependencies } from "./runners/dependencies.js";
 import { runDocs } from "./runners/docs.js";
 import { runDuplication } from "./runners/duplication.js";
+import { runPerformance } from "./runners/performance.js";
 import { runErrorHandling } from "./runners/error-handling.js";
 import { runLint } from "./runners/lint.js";
 import { runReact } from "./runners/react.js";
 import { runAccessibility } from "./runners/accessibility.js";
+import { runDocCoherence } from "./runners/doc-coherence.js";
+import { runCodeCoherence } from "./runners/code-coherence.js";
 import { runSecrets } from "./runners/secrets.js";
 import { runSecurity } from "./runners/security.js";
 import { runStandards } from "./runners/standards.js";
@@ -36,6 +39,7 @@ const ciMode = flags.has("--ci");
 const skipTests = flags.has("--skip-tests");
 const watchMode = flags.has("--watch");
 const badgeMode = flags.has("--badge");
+const sarifMode = flags.has("--sarif");
 function color(grade) {
     if (grade === "A")
         return "\x1b[32m";
@@ -58,13 +62,14 @@ async function main() {
         console.log("");
     }
     const checks = [];
+    const isDart = stack.language === "dart";
     // All runners grouped by category
     const runners = [
         // Foundations
         { name: "structure", fn: () => runStructure(cwd, stack) },
         { name: "lint", fn: () => runLint(cwd, stack) },
-        { name: "types", fn: () => runTypeCheck(cwd) },
-        { name: "type-safety", fn: () => runTypeSafety(cwd) },
+        { name: "types", fn: () => runTypeCheck(cwd, isDart) },
+        { name: "type-safety", fn: () => runTypeSafety(cwd, isDart) },
         { name: "standards", fn: () => runStandards(cwd, stack) },
         // Quality
         { name: "complexity", fn: () => runComplexity(cwd) },
@@ -81,9 +86,13 @@ async function main() {
         { name: "dependencies", fn: () => runDependencies(cwd, stack) },
         // Architecture
         { name: "architecture", fn: () => runArchitecture(cwd) },
+        { name: "performance", fn: () => runPerformance(cwd) },
         // LLM Readiness
         { name: "confusion", fn: () => runConfusion(cwd) },
         { name: "context", fn: () => runContext(cwd) },
+        // AI Analysis (premium)
+        { name: "doc-coherence", fn: () => runDocCoherence(cwd) },
+        { name: "code-coherence", fn: () => runCodeCoherence(cwd) },
     ];
     for (const runner of runners) {
         if (!jsonOnly)
@@ -91,10 +100,12 @@ async function main() {
         const result = runner.fn();
         checks.push(result);
         if (!jsonOnly) {
-            const skipped = result.details.skipped;
-            const c = skipped ? "\x1b[2m" : color(result.grade);
-            const label = skipped ? "skip" : result.grade;
-            const scoreStr = skipped ? "—" : `${result.score}/100`;
+            const det = result.details;
+            const skipped = det.skipped;
+            const premium = det.comingSoon;
+            const c = premium ? "\x1b[2m" : skipped ? "\x1b[2m" : color(result.grade);
+            const label = premium ? "soon" : skipped ? "skip" : result.grade;
+            const scoreStr = premium ? "PRO" : skipped ? "—" : `${result.score}/100`;
             const issueStr = result.issues.length > 0 ? `  \x1b[2m${result.issues.length} issues\x1b[0m` : "";
             console.log(`${c}${label.padEnd(5)}${scoreStr}\x1b[0m  \x1b[2m${result.duration}ms\x1b[0m${issueStr}`);
         }
@@ -136,13 +147,25 @@ async function main() {
         }
     }
     writeFileSync(join(outputDir, "report.json"), JSON.stringify(report, null, 2));
-    writeFileSync(join(outputDir, "report.html"), generateHTML(report, historyDir));
+    // Generate multi-page HTML report
+    const reportDir = join(outputDir, "report");
+    if (!existsSync(reportDir))
+        mkdirSync(reportDir, { recursive: true });
+    const pages = generatePages(report, historyDir);
+    for (const [filename, html] of pages) {
+        writeFileSync(join(reportDir, filename), html);
+    }
     // Badge SVG
     if (badgeMode) {
         const { buildBadge } = await import("./report/svg.js");
         const badgeSvg = buildBadge(score, grade);
         writeFileSync(join(outputDir, "badge.svg"), badgeSvg);
     }
+    // SARIF output for GitHub Code Scanning
+    if (sarifMode) {
+        const { generateSARIF } = await import("./report/sarif.js");
+        writeFileSync(join(outputDir, "report.sarif"), generateSARIF(report));
+    }
     if (jsonOnly) {
         console.log(JSON.stringify(report));
     }
@@ -153,10 +176,12 @@ async function main() {
         if (trend)
             console.log(formatTrend(trend));
         console.log("");
-        console.log(`  \x1b[2mReport: ${join(outputDir, "report.html")}\x1b[0m`);
+        console.log(`  \x1b[2mReport: ${join(outputDir, "report/index.html")}\x1b[0m`);
         console.log(`  \x1b[2mJSON:   ${join(outputDir, "report.json")}\x1b[0m`);
         if (badgeMode)
             console.log(`  \x1b[2mBadge:  ${join(outputDir, "badge.svg")}\x1b[0m`);
+        if (sarifMode)
+            console.log(`  \x1b[2mSARIF:  ${join(outputDir, "report.sarif")}\x1b[0m`);
         console.log("");
     }
     if (ciMode && score < 60) {
@@ -166,7 +191,7 @@ async function main() {
         try {
             const { execFileSync } = await import("node:child_process");
             const openCmd = process.platform === "darwin" ? "open" : "xdg-open";
-            execFileSync(openCmd, [join(outputDir, "report.html")], { stdio: "ignore" });
+            execFileSync(openCmd, [join(outputDir, "report/index.html")], { stdio: "ignore" });
         }
         catch {
             /* failed to open browser */

package/dist/detect.js

@@ -12,9 +12,31 @@ export function detectStack(cwd) {
             return "";
         }
     };
+    // ── Dart/Flutter detection ──
+    const pubspec = read("pubspec.yaml");
+    if (pubspec || has("pubspec.lock")) {
+        const isFlutter = pubspec.includes("flutter:") || pubspec.includes("flutter_test:");
+        const hasTest = pubspec.includes("test:") || pubspec.includes("flutter_test:");
+        const hasAnalysis = has("analysis_options.yaml");
+        return {
+            language: "dart",
+            framework: isFlutter ? "flutter" : "none",
+            bundler: "none",
+            testRunner: isFlutter ? (hasTest ? "flutter_test" : "none") : hasTest ? "dart_test" : "none",
+            linter: hasAnalysis ? "dart_analyze" : "none",
+            packageManager: "pub",
+        };
+    }
+    // ── Node.js/TypeScript detection ──
     const pkg = read("package.json");
-    const deps = pkg ? JSON.parse(pkg) : {};
-    const allDeps = { ...deps.dependencies, ...deps.devDependencies };
+    let allDeps = {};
+    try {
+        const deps = pkg ? JSON.parse(pkg) : {};
+        allDeps = { ...deps.dependencies, ...deps.devDependencies };
+    }
+    catch {
+        // invalid package.json
+    }
     const language = has("tsconfig.json") || has("tsconfig.app.json") || allDeps.typescript
         ? "typescript"
         : allDeps.react || allDeps.vue

package/dist/fs-utils.d.ts

@@ -21,3 +21,7 @@ export declare function getTestFiles(cwd: string): SourceFile[];
 export declare function readSafe(cwd: string, path: string): string;
 /** Parse package.json dependencies. */
 export declare function readDeps(cwd: string): Record<string, string>;
+/** Walk from cwd root (not just src/) — for checks like secrets that scan all project files. */
+export declare function collectAllFiles(cwd: string, opts?: {
+    extraExts?: boolean;
+}): SourceFile[];

package/dist/fs-utils.js

@@ -1,13 +1,15 @@
 /** Shared filesystem utilities — eliminates duplicate file-walking across runners. */
 import { lstatSync, readdirSync, readFileSync, statSync } from "node:fs";
 import { basename, extname, join } from "node:path";
-const SKIP_DIRS = new Set(["node_modules", "dist", ".git", ".vibe-check", "coverage", "test-results", "__pycache__"]);
-const CODE_EXTS = new Set([".ts", ".tsx", ".js", ".jsx"]);
+const SKIP_DIRS = new Set(["node_modules", "dist", ".git", ".vibe-check", "coverage", "test-results", "__pycache__", ".dart_tool", "build", ".flutter-plugins"]);
+const CODE_EXTS = new Set([".ts", ".tsx", ".js", ".jsx", ".dart"]);
 const ALL_EXTS = new Set([...CODE_EXTS, ".json", ".env", ".yaml", ".yml", ".toml"]);
 /** Walk source directories and return all code files. */
 export function collectSourceFiles(cwd, opts) {
     const files = [];
-    const dirs = ["src", "web/src"];
+    const dirs = ["src", "web/src", "lib"];
+    if (opts?.includeTests)
+        dirs.push("test", "tests", "__tests__");
     for (const dir of dirs) {
         try {
             walk(join(cwd, dir), cwd, files, opts?.extraExts ? ALL_EXTS : CODE_EXTS);
@@ -16,8 +18,6 @@ export function collectSourceFiles(cwd, opts) {
             /* dir doesn't exist */
         }
     }
-    if (opts?.includeTests)
-        return files;
     return files;
 }
 /** Get only production source files (no tests). */
@@ -50,6 +50,12 @@ export function readDeps(cwd) {
         return {};
     }
 }
+/** Walk from cwd root (not just src/) — for checks like secrets that scan all project files. */
+export function collectAllFiles(cwd, opts) {
+    const files = [];
+    walk(cwd, cwd, files, opts?.extraExts ? ALL_EXTS : CODE_EXTS);
+    return files;
+}
 function walk(dir, cwd, out, exts) {
     for (const entry of readdirSync(dir)) {
         if (SKIP_DIRS.has(entry))
@@ -70,7 +76,7 @@ function walk(dir, cwd, out, exts) {
                 continue;
             const content = readFileSync(full, "utf-8");
             const relPath = full.replace(`${cwd}/`, "");
-            const isTest = entry.includes(".test.") || entry.includes(".spec.") || relPath.includes("__tests__");
+            const isTest = entry.includes(".test.") || entry.includes(".spec.") || entry.endsWith("_test.dart") || relPath.includes("__tests__") || relPath.includes("test/");
             out.push({
                 path: relPath,
                 fullPath: full,

package/dist/report/html.d.ts

@@ -1,14 +1,21 @@
-/** Generate a multi-page navigable HTML report.
+/** Generate a multi-page HTML report as separate files.
  *
- * Architecture:
- *   Primary nav:   Overview | Foundations | Quality | Testing | Security | Architecture | AI Readiness
- *   Secondary nav:  Issues (N) | Files  (right-aligned, visually distinct)
- *   Sidebar:        Score + dimension tree + view links
- *   Overview:       Dashboard with score, radar, timeline, category cards, top issues, file hotspots
- *   Dimensions:     Sub-tabs for each check within a category
- *   Views:          Cross-cutting data slices (issues table, file health map)
- *
- * All in one self-contained HTML file using show/hide navigation.
+ * Layout:
+ *   Top nav:    Logo | Overview | Foundations | Quality | ... | Issues | Files
+ *               Page-level navigation. Scrollable on mobile.
+ *   Sidebar:    CONTEXTUAL to current page — NOT a duplicate of top nav.
+ *               Overview: score + category scores
+ *               Category: individual checks with grades (click to jump)
+ *               Issues: severity breakdown
+ *               Files: summary stats
+ *   Mobile:     Hamburger toggles both top nav dropdown and sidebar panel.
  */
 import type { VibeReport } from "../types.js";
+export declare const GROUPS: {
+    id: string;
+    label: string;
+    file: string;
+    checks: string[];
+}[];
+export declare function generatePages(report: VibeReport, historyDir?: string): Map<string, string>;
 export declare function generateHTML(report: VibeReport, historyDir?: string): string;