@vibecodeqa/cli 0.39.0 → 0.40.0

package/dist/ai-fix.d.ts

@@ -0,0 +1,27 @@
+/** AI-powered code fixing — uses Claude to fix issues found by vcqa scan.
+ *
+ * Auth: ANTHROPIC_API_KEY (direct) or VCQA_PRO_KEY (via api.vibecodeqa.online).
+ */
+import type { CheckResult } from "./types.js";
+export interface FixableIssue {
+    check: string;
+    file: string;
+    line: number;
+    rule: string;
+    message: string;
+    suggestion: string | null;
+}
+export interface AiFixResult {
+    file: string;
+    line: number;
+    check: string;
+    message: string;
+    explanation: string;
+    applied: boolean;
+}
+/** Collect fixable issues from scan results, optionally filtered by check name. */
+export declare function collectFixableIssues(checks: CheckResult[], suggestFix: (check: string, rule: string, message: string) => string | null, checkFilter?: string): FixableIssue[];
+/** Fix issues using AI. Returns results for each attempted fix. */
+export declare function aiFixIssues(cwd: string, issues: FixableIssue[], opts: {
+    dryRun: boolean;
+}): Promise<AiFixResult[]>;

package/dist/ai-fix.js

@@ -0,0 +1,216 @@
+/** AI-powered code fixing — uses Claude to fix issues found by vcqa scan.
+ *
+ * Auth: ANTHROPIC_API_KEY (direct) or VCQA_PRO_KEY (via api.vibecodeqa.online).
+ */
+import { readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { getCheckMeta } from "./check-meta.js";
+/** Collect fixable issues from scan results, optionally filtered by check name. */
+export function collectFixableIssues(checks, suggestFix, checkFilter) {
+    const issues = [];
+    for (const c of checks) {
+        if (checkFilter && c.name !== checkFilter)
+            continue;
+        for (const iss of c.issues) {
+            if (!iss.file || typeof iss.file !== "string" || !iss.line)
+                continue;
+            if (iss.severity === "info")
+                continue;
+            issues.push({
+                check: c.name,
+                file: iss.file,
+                line: iss.line,
+                rule: iss.rule || "",
+                message: iss.message,
+                suggestion: suggestFix(c.name, iss.rule || "", iss.message),
+            });
+        }
+    }
+    return issues;
+}
+/** Fix issues using AI. Returns results for each attempted fix. */
+export async function aiFixIssues(cwd, issues, opts) {
+    const apiKey = process.env.ANTHROPIC_API_KEY || "";
+    const proKey = process.env.VCQA_PRO_KEY || "";
+    if (!apiKey && !proKey) {
+        console.log("  \x1b[31mNo API key found.\x1b[0m Set ANTHROPIC_API_KEY or VCQA_PRO_KEY.");
+        console.log("  \x1b[2mANTHROPIC_API_KEY — direct Claude API (recommended)\x1b[0m");
+        console.log("  \x1b[2mVCQA_PRO_KEY     — via api.vibecodeqa.online\x1b[0m");
+        return [];
+    }
+    const results = [];
+    // Process files in order, one issue at a time to avoid drift
+    const sorted = [...issues].sort((a, b) => a.file.localeCompare(b.file) || a.line - b.line);
+    // Limit to 10 fixes per run to avoid burning tokens
+    const batch = sorted.slice(0, 10);
+    if (sorted.length > 10) {
+        console.log(`  \x1b[2mFixing 10 of ${sorted.length} issues (run again for more)\x1b[0m`);
+    }
+    for (const issue of batch) {
+        const absPath = join(cwd, issue.file);
+        let content;
+        try {
+            content = readFileSync(absPath, "utf-8");
+        }
+        catch {
+            results.push({ ...issue, explanation: "file not readable", applied: false });
+            continue;
+        }
+        const lines = content.split("\n");
+        const meta = getCheckMeta(issue.check);
+        // Extract context: ±20 lines around the issue
+        const start = Math.max(0, issue.line - 21);
+        const end = Math.min(lines.length, issue.line + 20);
+        const contextLines = lines.slice(start, end);
+        const numbered = contextLines.map((l, i) => `${start + i + 1}| ${l}`).join("\n");
+        const prompt = buildFixPrompt(issue, meta, numbered, issue.file);
+        process.stdout.write(`  ${issue.file}:${issue.line} \x1b[2m${issue.message.slice(0, 50)}\x1b[0m `);
+        const fix = apiKey
+            ? await callAnthropicDirect(prompt, apiKey)
+            : await callVcqaProxy(prompt, proKey);
+        if (!fix) {
+            console.log("\x1b[33mskip\x1b[0m");
+            results.push({ ...issue, explanation: "AI could not generate fix", applied: false });
+            continue;
+        }
+        if (opts.dryRun) {
+            console.log("\x1b[36mdry-run\x1b[0m");
+            console.log(`    \x1b[2m${fix.explanation}\x1b[0m`);
+            results.push({ ...issue, explanation: fix.explanation, applied: false });
+            continue;
+        }
+        // Apply search/replace
+        const searchNormalized = fix.search.trim();
+        if (!content.includes(searchNormalized)) {
+            console.log("\x1b[33mskip (no match)\x1b[0m");
+            results.push({ ...issue, explanation: "search text not found in file", applied: false });
+            continue;
+        }
+        const idx = content.indexOf(searchNormalized);
+        const updated = content.slice(0, idx) + fix.replace.trim() + content.slice(idx + searchNormalized.length);
+        writeFileSync(absPath, updated);
+        console.log("\x1b[32mfixed\x1b[0m");
+        console.log(`    \x1b[2m${fix.explanation}\x1b[0m`);
+        results.push({ ...issue, explanation: fix.explanation, applied: true });
+    }
+    return results;
+}
+function buildFixPrompt(issue, meta, codeContext, filePath) {
+    const ext = filePath.split(".").pop() || "ts";
+    const lang = ext === "vue" ? "vue" : ext === "svelte" ? "svelte" : ext === "dart" ? "dart" : "typescript";
+    let prompt = `Fix this code quality issue. Return a JSON object with search/replace strings.
+
+## Issue
+- Check: ${issue.check}
+- Rule: ${issue.rule || "n/a"}
+- Message: ${issue.message}
+- File: ${filePath}:${issue.line}
+
+## Why this matters
+${meta.risk}
+
+## Recommended approach
+${meta.recommendation}`;
+    if (issue.suggestion) {
+        prompt += `\n\nSpecific suggestion: ${issue.suggestion}`;
+    }
+    prompt += `
+
+## Code context (${filePath})
+\`\`\`${lang}
+${codeContext}
+\`\`\`
+
+## Instructions
+Return ONLY a valid JSON object (no markdown, no explanation outside JSON):
+{
+  "search": "exact lines from the code above that need to change (copy verbatim, preserve whitespace)",
+  "replace": "the fixed replacement code (same indentation)",
+  "explanation": "one sentence: what changed and why"
+}
+
+Rules:
+- The "search" string MUST appear verbatim in the file — copy it exactly
+- Keep the fix minimal — change only what's needed to resolve the issue
+- Preserve surrounding code, comments, and formatting
+- Do not add imports unless absolutely required
+- Match the existing code style`;
+    return prompt;
+}
+let _apiErrorShown = false;
+async function callAnthropicDirect(prompt, apiKey) {
+    try {
+        const res = await fetch("https://api.anthropic.com/v1/messages", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "x-api-key": apiKey,
+                "anthropic-version": "2023-06-01",
+            },
+            body: JSON.stringify({
+                model: "claude-haiku-4-5-20251001",
+                max_tokens: 1024,
+                messages: [{ role: "user", content: prompt }],
+            }),
+        });
+        if (!res.ok) {
+            if (!_apiErrorShown) {
+                const err = (await res.json().catch(() => null));
+                console.log(`\n  \x1b[31mAPI error:\x1b[0m ${err?.error?.message || `HTTP ${res.status}`}\n`);
+                _apiErrorShown = true;
+            }
+            return null;
+        }
+        const data = (await res.json());
+        const text = data.content?.find((c) => c.type === "text")?.text;
+        if (!text)
+            return null;
+        return parseFixResponse(text);
+    }
+    catch {
+        return null;
+    }
+}
+async function callVcqaProxy(prompt, proKey) {
+    try {
+        const res = await fetch("https://api.vibecodeqa.online/api/pro/fix", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${proKey}`,
+            },
+            body: JSON.stringify({ prompt }),
+        });
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        if (!data.search || !data.replace)
+            return null;
+        return { search: data.search, replace: data.replace, explanation: data.explanation || "" };
+    }
+    catch {
+        return null;
+    }
+}
+function parseFixResponse(text) {
+    try {
+        // Try to extract JSON from the response (handle markdown fences)
+        let json = text.trim();
+        const fenceMatch = json.match(/```(?:json)?\s*([\s\S]*?)```/);
+        if (fenceMatch)
+            json = fenceMatch[1].trim();
+        const parsed = JSON.parse(json);
+        if (!parsed.search || typeof parsed.search !== "string")
+            return null;
+        if (!parsed.replace || typeof parsed.replace !== "string")
+            return null;
+        return {
+            search: parsed.search,
+            replace: parsed.replace,
+            explanation: parsed.explanation || "",
+        };
+    }
+    catch {
+        return null;
+    }
+}

package/dist/cli.js

@@ -2,6 +2,7 @@
 /** vibe-check — code health scanner for the AI coding era. */
 import { existsSync, mkdirSync, readdirSync, readFileSync, statSync, unlinkSync, writeFileSync } from "node:fs";
 import { join, resolve } from "node:path";
+import { aiFixIssues, collectFixableIssues } from "./ai-fix.js";
 import { getCheckMeta } from "./check-meta.js";
 import { getCheckIgnore, isCheckEnabled, loadConfig } from "./config.js";
 import { detectRepoUrl, detectStack, detectWorkspace } from "./detect.js";
@@ -387,6 +388,9 @@ function printHelp() {
   \x1b[1mCommands:\x1b[0m
     init [path]       Set up CI workflow + recommended configs
     fix [path]        Auto-fix (.gitignore, strict mode, biome/eslint, suggestions)
+      --ai            Use Claude to fix remaining issues (needs ANTHROPIC_API_KEY)
+      --check NAME    Only fix issues from a specific check (e.g. --check security)
+      --dry-run       Show what AI would fix without applying changes
     explain [check]   Deep-dive explanation of a check (what/risk/fix)
     monitor [path]    Live quality control panel — re-scans on file changes
 
@@ -411,6 +415,9 @@ function printHelp() {
     npx @vibecodeqa/cli                     # scan current directory
     npx @vibecodeqa/cli init                # set up CI + configs
     npx @vibecodeqa/cli fix                 # auto-fix what's fixable
+    npx @vibecodeqa/cli fix --ai            # AI-powered fix (uses Claude)
+    npx @vibecodeqa/cli fix --ai --check security  # fix only security issues
+    npx @vibecodeqa/cli fix --ai --dry-run  # preview AI fixes without applying
     npx @vibecodeqa/cli --skip-tests --top  # fast scan with top issues
     npx @vibecodeqa/cli --ci --fail-under 80  # CI with quality gate
 `);
@@ -548,9 +555,9 @@ async function runExplain(checkName) {
     console.log("");
 }
 // ── fix command ──
-async function runFix(cwd) {
+async function runFix(cwd, opts = {}) {
     console.log("");
-    console.log(`  \x1b[1m\x1b[38;5;141mvcqa fix\x1b[0m`);
+    console.log(`  \x1b[1m\x1b[38;5;141mvcqa fix${opts.ai ? " --ai" : ""}${opts.dryRun ? " --dry-run" : ""}${opts.checkFilter ? ` --check ${opts.checkFilter}` : ""}\x1b[0m`);
     console.log(`  \x1b[2m${cwd}\x1b[0m`);
     console.log("");
     validateCwd(cwd);
@@ -621,7 +628,39 @@ async function runFix(cwd) {
     const isDart = enrichedStack.language === "dart";
     const checks = await runChecks(cwd, enrichedStack, workspace, true, isDart, true);
     const score = computeScore(checks);
-    // Collect actionable issues with fix suggestions
+    // AI-powered fix mode
+    if (opts.ai) {
+        const aiIssues = collectFixableIssues(checks, suggestFix, opts.checkFilter);
+        if (aiIssues.length === 0) {
+            console.log("  \x1b[2mNo fixable issues found.\x1b[0m");
+        }
+        else {
+            console.log(`  \x1b[1mAI fixing ${Math.min(aiIssues.length, 10)} issues${opts.dryRun ? " (dry run)" : ""}...\x1b[0m`);
+            console.log("");
+            const results = await aiFixIssues(cwd, aiIssues, { dryRun: opts.dryRun || false });
+            const applied = results.filter((r) => r.applied).length;
+            if (applied > 0) {
+                // Re-scan to show new score
+                console.log("");
+                console.log("  \x1b[1mRe-scanning...\x1b[0m");
+                const reChecks = await runChecks(cwd, enrichedStack, workspace, true, isDart, true);
+                const newScore = computeScore(reChecks);
+                const newGrade = gradeFromScore(newScore);
+                const delta = newScore - score;
+                console.log(`  Score: \x1b[${newScore >= 75 ? "32" : newScore >= 60 ? "33" : "31"}m${newGrade} ${newScore}/100\x1b[0m${delta > 0 ? ` \x1b[32m(+${delta})\x1b[0m` : ""}`);
+                console.log(`  \x1b[32m${applied} AI fix(es) applied.\x1b[0m Re-run \x1b[1mnpx @vibecodeqa/cli\x1b[0m for full report.`);
+            }
+            else {
+                const grade = gradeFromScore(score);
+                console.log(`\n  Score: \x1b[${score >= 75 ? "32" : score >= 60 ? "33" : "31"}m${grade} ${score}/100\x1b[0m`);
+                if (opts.dryRun)
+                    console.log("  \x1b[2mDry run — no files modified. Remove --dry-run to apply.\x1b[0m");
+            }
+        }
+        console.log("");
+        return;
+    }
+    // Collect actionable issues with fix suggestions (non-AI mode)
     const fixable = [];
     for (const c of checks) {
         for (const iss of c.issues) {
@@ -826,8 +865,13 @@ async function main() {
         return;
     }
     if (args[0] === "fix") {
-        const path = args.slice(1).find((a) => !a.startsWith("-")) || ".";
-        await runFix(resolve(path));
+        const fixArgs = args.slice(1);
+        const path = fixArgs.find((a) => !a.startsWith("-")) || ".";
+        const aiMode = fixArgs.includes("--ai");
+        const dryRun = fixArgs.includes("--dry-run");
+        const checkIdx = fixArgs.indexOf("--check");
+        const checkFilter = checkIdx !== -1 ? fixArgs[checkIdx + 1] : undefined;
+        await runFix(resolve(path), { ai: aiMode, dryRun, checkFilter });
         return;
     }
     if (args[0] === "explain") {
@@ -907,11 +951,11 @@ async function main() {
         emitAnnotations(report);
     }
     if (flags.uploadMode) {
-        await handleUpload(report, cwd, jsonOnly);
+        await handleUpload(report, cwd, quietMode);
     }
     if (flags.prComment) {
         const posted = await postPRComment(report, trend, cwd);
-        if (!jsonOnly) {
+        if (!quietMode) {
             if (posted)
                 console.log("  \x1b[32m\u2713 PR comment posted\x1b[0m");
             else
@@ -921,12 +965,12 @@ async function main() {
     // CI exit code: fail if score below threshold (skip in watch mode)
     const failUnder = flags.failUnder ?? (ciMode ? 60 : (config.failUnder ?? 0));
     if (failUnder > 0 && score < failUnder && !watchMode) {
-        if (!jsonOnly)
+        if (!quietMode)
             console.log(`  \x1b[31mFailing: score ${score} < ${failUnder}\x1b[0m\n`);
         process.exit(1);
     }
     // Non-blocking update check (don't slow down the scan)
-    if (!jsonOnly && !ciMode && !watchMode && !process.env.VCQA_NO_UPDATE_CHECK) {
+    if (!quietMode && !ciMode && !watchMode && !process.env.VCQA_NO_UPDATE_CHECK) {
         checkForUpdate(VERSION).catch(() => { });
     }
     if (watchMode) {

package/dist/fs-utils.js

@@ -168,7 +168,7 @@ function walk(dir, cwd, out, exts) {
             });
         }
         catch {
-            continue; // broken symlink, deleted file, or permission denied
+            /* broken symlink, deleted file, or permission denied */
         }
     }
 }

package/dist/runners/secrets.d.ts

@@ -1,3 +1,5 @@
-/** Secret detection — delegates to gitleaks when available, falls back to built-in regex. */
+/** Secret detection — delegates to gitleaks when available; otherwise scans with
+ *  secretlint's recommended ruleset (broad coverage) PLUS our own patterns (which
+ *  add LLM keys — OpenAI/Anthropic — that secretlint's preset doesn't cover). */
 import type { CheckResult } from "../types.js";
-export declare function runSecrets(cwd: string): CheckResult;
+export declare function runSecrets(cwd: string): Promise<CheckResult>;

package/dist/runners/secrets.js

@@ -1,9 +1,20 @@
-/** Secret detection — delegates to gitleaks when available, falls back to built-in regex. */
+/** Secret detection — delegates to gitleaks when available; otherwise scans with
+ *  secretlint's recommended ruleset (broad coverage) PLUS our own patterns (which
+ *  add LLM keys — OpenAI/Anthropic — that secretlint's preset doesn't cover). */
 import { existsSync, readFileSync } from "node:fs";
 import { join } from "node:path";
+import { lintSource } from "@secretlint/core";
+import { creator as secretlintPreset } from "@secretlint/secretlint-rule-preset-recommend";
 import { collectAllFiles } from "../fs-utils.js";
 import { gradeFromScore } from "../types.js";
 import { run } from "./exec.js";
+const SECRETLINT_CONFIG = { rules: [{ id: "@secretlint/secretlint-rule-preset-recommend", rule: secretlintPreset }] };
+/** Human-readable kind from a secretlint message, without leaking the secret value. */
+function secretlintKind(msg) {
+    if (msg.messageId)
+        return msg.messageId.replace(/_/g, " ").toLowerCase();
+    return (msg.ruleId ?? "secret").replace(/.*secretlint-rule-/, "");
+}
 /** Try running gitleaks for secret detection. Returns true if gitleaks ran. */
 function tryGitleaks(cwd, issues) {
     const { stdout, ok } = run("gitleaks detect --no-git --report-format json --report-path /dev/stdout 2>/dev/null", cwd, 30_000);
@@ -58,37 +69,61 @@ const SECRET_PATTERNS = [
         pattern: /(?:password|secret|api_key|apikey|token|auth)\s*[:=]\s*['"][A-Za-z0-9+/=]{20,}['"]/,
     },
 ];
-export function runSecrets(cwd) {
-    const start = Date.now();
-    const issues = [];
-    // Try gitleaks first (industry standard, 800+ patterns)
-    const gitleaksResult = tryGitleaks(cwd, issues);
-    const tool = gitleaksResult ? "gitleaks" : "built-in";
-    if (!gitleaksResult) {
-        // Fallback: built-in regex patterns
-        const sourceFiles = collectAllFiles(cwd, { extraExts: true });
-        for (const sf of sourceFiles) {
-            if (sf.isTest || sf.path.includes("__mock"))
+function scanPatterns(files, add) {
+    for (const sf of files) {
+        const lines = sf.content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (line.trim().startsWith("//") || line.trim().startsWith("*"))
                 continue;
-            const lines = sf.content.split("\n");
-            for (let i = 0; i < lines.length; i++) {
-                const line = lines[i];
-                if (line.trim().startsWith("//") || line.trim().startsWith("*"))
-                    continue;
-                for (const { name, pattern } of SECRET_PATTERNS) {
-                    if (pattern.test(line)) {
-                        issues.push({
-                            severity: "error",
-                            message: `Possible ${name}`,
-                            file: sf.path,
-                            line: i + 1,
-                            rule: "secret-detected",
-                        });
-                    }
-                }
+            for (const { name, pattern } of SECRET_PATTERNS) {
+                if (pattern.test(line))
+                    add({ severity: "error", message: `Possible ${name}`, file: sf.path, line: i + 1, rule: "secret-detected" });
             }
         }
     }
+}
+async function scanSecretlint(files, add) {
+    for (const sf of files) {
+        try {
+            const result = await lintSource({
+                source: { filePath: sf.path, content: sf.content, contentType: "text" },
+                options: { config: SECRETLINT_CONFIG },
+            });
+            for (const m of result.messages) {
+                add({ severity: "error", message: `Possible ${secretlintKind(m)} — remove and rotate`, file: sf.path, line: m.loc?.start?.line ?? 1, rule: "secret-detected" });
+            }
+        }
+        catch {
+            /* unparseable file — skip */
+        }
+    }
+}
+/** Built-in fallback when gitleaks isn't installed: curated patterns first (nice
+ *  names + LLM keys, winning dedup), then secretlint's broad ruleset augments. */
+async function scanFallback(cwd) {
+    const files = collectAllFiles(cwd, { extraExts: true }).filter((sf) => !sf.isTest && !sf.path.includes("__mock"));
+    const issues = [];
+    const seen = new Set();
+    const add = (iss) => {
+        const key = `${iss.file}:${iss.line}`;
+        if (!seen.has(key)) {
+            seen.add(key);
+            issues.push(iss);
+        }
+    };
+    scanPatterns(files, add);
+    await scanSecretlint(files, add);
+    return issues;
+}
+export async function runSecrets(cwd) {
+    const start = Date.now();
+    const issues = [];
+    // Try gitleaks first (industry standard, 800+ patterns)
+    const gitleaksResult = tryGitleaks(cwd, issues);
+    const tool = gitleaksResult ? "gitleaks" : "secretlint";
+    if (!gitleaksResult)
+        issues.push(...(await scanFallback(cwd)));
     // ── .env file audit ──
     const envFiles = [".env", ".env.local", ".env.production", ".env.development"];
     const gitignore = existsSync(join(cwd, ".gitignore")) ? readFileSync(join(cwd, ".gitignore"), "utf-8") : "";

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@vibecodeqa/cli",
-	"version": "0.39.0",
+	"version": "0.40.0",
 	"description": "Code health scanner for the AI coding era. 25 checks, zero config, full report.",
 	"type": "module",
 	"bin": {
@@ -54,6 +54,8 @@
 	},
 	"dependencies": {
 		"@jscpd/core": "^4.2.4",
+		"@secretlint/core": "^13.0.2",
+		"@secretlint/secretlint-rule-preset-recommend": "^13.0.2",
 		"dependency-cruiser": "^17.4.3",
 		"ink": "^5.2.1",
 		"react": "^18.3.1"