@vibecodeqa/cli 0.40.0 → 0.42.0

package/dist/check-meta.js

@@ -79,7 +79,7 @@ export const CHECK_META = {
         label: "Duplication",
         category: "Quality",
         priority: "medium",
-        weight: 5,
+        weight: 3,
         description: "Detects copy-pasted code blocks of 6+ lines across source files. Duplication is measured as a percentage of total source lines involved in duplicate blocks.",
         risk: "Duplicated code means bugs must be fixed in multiple places. Miss one copy and the bug persists. DRY (Don't Repeat Yourself) violations increase maintenance cost linearly with each copy.",
         recommendation: "Extract duplicated logic into shared functions or modules. If two files share the same pattern, create a helper. If the duplication is across repos, consider vendoring a shared module.",
@@ -100,7 +100,7 @@ export const CHECK_META = {
         label: "Testing",
         category: "Testing",
         priority: "critical",
-        weight: 15,
+        weight: 13,
         description: "Deep assessment of test quality across 6 dimensions: pyramid presence (unit/integration/component/E2E layers), test execution (pass/fail), coverage (statement/branch/line/function), file pairing (test file per source file), test quality (assertion density, mock ratio, snapshot ratio), and E2E tool detection (Playwright/Cypress).",
         risk: "Code without tests is code you can't safely change. Missing test layers mean entire categories of bugs go undetected: unit tests catch logic bugs, integration tests catch API contract breaks, E2E tests catch user-visible regressions. Low coverage means large portions of code are never exercised.",
         recommendation: "Follow the testing pyramid: many unit tests, some integration tests, fewer E2E tests. Aim for >80% branch coverage. Every source file should have a corresponding test file. Use Playwright for E2E if you have a web frontend.",
@@ -153,7 +153,7 @@ export const CHECK_META = {
         label: "Confusion Index",
         category: "LLM Readiness",
         priority: "high",
-        weight: 6,
+        weight: 4,
         description: "Measures naming ambiguity that causes LLMs to misunderstand or edit the wrong code. Checks: file name confusability (Levenshtein distance + synonym detection), generic function/variable names, export name collisions across files, and ambiguous abbreviations.",
         risk: "GPT-4o drops 28.6 percentage points on code summarization when names are ambiguous (arXiv:2510.03178). LLMs editing similar-named files is the #1 reported failure mode in AI-assisted development. Generic names like process(), handle(), data cause models to misinterpret intent.",
         recommendation: "Use descriptive, unique names. Avoid synonym files (utils.ts + helpers.ts — pick one). Avoid generic exports. Disambiguate abbreviations (use 'authentication' not 'auth' if both auth meanings exist in the codebase).",
@@ -266,6 +266,46 @@ export const CHECK_META = {
         recommendation: "Enable test-audit with a VibeCode QA Pro subscription. The LLM analyzes each test to determine if its assertions actually verify the behavior described in its name.",
         premium: true,
     },
+    "env-validation": {
+        name: "env-validation",
+        label: "Environment Validation",
+        category: "Quality",
+        priority: "medium",
+        weight: 2,
+        description: "Checks .env file hygiene: .gitignore coverage, .env.example existence and drift, hardcoded secrets in env files, and empty required variables.",
+        risk: "A missing .env.example means new developers can't onboard without asking which env vars to set. Drift between .env and .env.example causes 'works on my machine' failures. Committed .env files leak secrets.",
+        recommendation: "Create .env.example with all required vars (values blanked). Ensure .env is in .gitignore. Keep .env.example in sync with .env.",
+    },
+    "git-hygiene": {
+        name: "git-hygiene",
+        label: "Git Hygiene",
+        category: "Quality",
+        priority: "medium",
+        weight: 2,
+        description: "Checks git repository health: merge conflict markers in source, commit message quality, large/binary files tracked, and .gitignore completeness.",
+        risk: "Merge conflict markers cause syntax errors. Large binary files bloat the repo forever (git history is append-only). Poor commit messages make git blame and bisect useless for debugging.",
+        recommendation: "Resolve all merge conflicts. Use Git LFS for files over 5MB. Write descriptive commit messages (what and why, not just 'fix').",
+    },
+    "memory-safety": {
+        name: "memory-safety",
+        label: "Memory Safety",
+        category: "Quality",
+        priority: "high",
+        weight: 2,
+        description: "Detects resource leak patterns: setInterval without clearInterval, addEventListener without removeEventListener, unclosed WebSockets/Observers, and global variable pollution.",
+        risk: "Resource leaks cause memory growth over time, eventually crashing the app or browser tab. Leaked event listeners fire on stale state, causing bugs. Global pollution creates hard-to-trace conflicts between modules.",
+        recommendation: "Always pair setInterval with clearInterval in cleanup. Remove event listeners in componentWillUnmount/useEffect return. Call .disconnect() on Observers. Avoid window.* assignments.",
+    },
+    "container-health": {
+        name: "container-health",
+        label: "Container Health",
+        category: "Quality",
+        priority: "medium",
+        weight: 0,
+        description: "Checks Dockerfile best practices: pinned base images, .dockerignore, multi-stage builds, layer caching, non-root user, and exposed ports.",
+        risk: "Unpinned base images break builds when upstream tags change. Missing .dockerignore includes node_modules and .git in the image (10x size). Running as root in containers is a security risk.",
+        recommendation: "Pin base images to specific tags. Add .dockerignore with node_modules/.git/.env. Use multi-stage builds. Add USER instruction.",
+    },
 };
 export function getCheckMeta(name) {
     return (CHECK_META[name] || {

package/dist/cli.js

@@ -18,13 +18,17 @@ import { runComplexity } from "./runners/complexity.js";
 import { runDeadPatterns } from "./runners/dead-patterns.js";
 import { runTestAudit } from "./runners/test-audit.js";
 import { runConfusion } from "./runners/confusion.js";
+import { runContainerHealth } from "./runners/container-health.js";
 import { runContext } from "./runners/context.js";
 import { runDependencies } from "./runners/dependencies.js";
+import { runEnvValidation } from "./runners/env-validation.js";
+import { runGitHygiene } from "./runners/git-hygiene.js";
 import { runDocCoherence } from "./runners/doc-coherence.js";
 import { runDocs } from "./runners/docs.js";
 import { runDuplication } from "./runners/duplication.js";
 import { runErrorHandling } from "./runners/error-handling.js";
 import { runLint } from "./runners/lint.js";
+import { runMemorySafety } from "./runners/memory-safety.js";
 import { runPerformance } from "./runners/performance.js";
 import { runReact } from "./runners/react.js";
 import { runSecrets } from "./runners/secrets.js";
@@ -117,6 +121,9 @@ async function runChecks(cwd, stack, workspace, skipTests, isDart, jsonOnly, con
         { name: "accessibility", fn: () => runAccessibility(cwd) },
         { name: "docs", fn: () => runDocs(cwd) },
         { name: "best-practices", fn: () => runBestPractices(cwd, workspace) },
+        { name: "env-validation", fn: () => runEnvValidation(cwd) },
+        { name: "git-hygiene", fn: () => runGitHygiene(cwd) },
+        { name: "memory-safety", fn: () => runMemorySafety(cwd) },
         // Testing
         { name: "testing", fn: () => runTesting(cwd, stack, skipTests, srcRoots) },
         // Security
@@ -126,6 +133,7 @@ async function runChecks(cwd, stack, workspace, skipTests, isDart, jsonOnly, con
         // Architecture
         { name: "architecture", fn: () => runArchitecture(cwd, workspace) },
         { name: "performance", fn: () => runPerformance(cwd) },
+        { name: "container-health", fn: () => runContainerHealth(cwd) },
         // LLM Readiness
         { name: "confusion", fn: () => runConfusion(cwd) },
         { name: "context", fn: () => runContext(cwd) },
@@ -477,17 +485,9 @@ jobs:
     // 3. Create .vcqa.json if not present
     const vcqaConfigPath = join(cwd, ".vcqa.json");
     if (!existsSync(vcqaConfigPath)) {
-        const allCheckNames = [
-            "structure", "lint", "types", "type-safety", "standards",
-            "complexity", "duplication", "error-handling", "react", "accessibility",
-            "docs", "best-practices", "testing",
-            "secrets", "security", "dependencies",
-            "architecture", "performance",
-            "confusion", "context",
-            "doc-coherence", "code-coherence", "comment-staleness", "dead-patterns", "test-audit",
-        ];
+        const { CHECK_META } = await import("./check-meta.js");
         const checksConfig = {};
-        for (const name of allCheckNames) {
+        for (const name of Object.keys(CHECK_META)) {
             checksConfig[name] = {};
         }
         const config = {

package/dist/core.d.ts

@@ -0,0 +1,28 @@
+/** @vibecodeqa/cli/core — Programmatic scan API.
+ *
+ * Usage:
+ *   import { scan } from "@vibecodeqa/cli/core";
+ *   const report = await scan("./src");
+ *   console.log(report.score, report.grade);
+ */
+import { CHECK_META, getCheckMeta, type CheckMeta } from "./check-meta.js";
+import { type VcqaConfig } from "./config.js";
+import type { CheckResult, Issue, StackInfo, VibeReport, WorkspaceInfo, WorkspacePackage } from "./types.js";
+export interface ScanOptions {
+    /** Skip test execution (faster scan). Default: false */
+    skipTests?: boolean;
+    /** Only run these checks (by name). Default: all checks */
+    checks?: string[];
+    /** Override config (instead of loading from .vcqa.json). */
+    config?: VcqaConfig;
+    /** Progress callback — called for each completed check. */
+    onProgress?: (check: string, result: CheckResult, index: number, total: number) => void;
+}
+/** Run a full code health scan. Returns a VibeReport with score, grade, and all check results. */
+export declare function scan(cwd: string, options?: ScanOptions): Promise<VibeReport>;
+export { CHECK_META, getCheckMeta, type CheckMeta };
+export { computeScore } from "./score.js";
+export { loadConfig, type VcqaConfig } from "./config.js";
+export { detectStack, detectWorkspace } from "./detect.js";
+export { gradeFromScore } from "./types.js";
+export type { CheckResult, Issue, StackInfo, VibeReport, WorkspaceInfo, WorkspacePackage };

package/dist/core.js

@@ -0,0 +1,171 @@
+/** @vibecodeqa/cli/core — Programmatic scan API.
+ *
+ * Usage:
+ *   import { scan } from "@vibecodeqa/cli/core";
+ *   const report = await scan("./src");
+ *   console.log(report.score, report.grade);
+ */
+import { resolve } from "node:path";
+import { readFileSync } from "node:fs";
+import { CHECK_META, getCheckMeta } from "./check-meta.js";
+import { getCheckIgnore, isCheckEnabled, loadConfig } from "./config.js";
+import { detectRepoUrl, detectStack, detectWorkspace } from "./detect.js";
+import { setGlobalIgnore, setGlobalSrcRoots } from "./fs-utils.js";
+import { runAccessibility } from "./runners/accessibility.js";
+import { runArchitecture } from "./runners/architecture.js";
+import { runBestPractices } from "./runners/best-practices.js";
+import { runCodeCoherence } from "./runners/code-coherence.js";
+import { runCommentStaleness } from "./runners/comment-staleness.js";
+import { runComplexity } from "./runners/complexity.js";
+import { runDeadPatterns } from "./runners/dead-patterns.js";
+import { runTestAudit } from "./runners/test-audit.js";
+import { runContainerHealth } from "./runners/container-health.js";
+import { runConfusion } from "./runners/confusion.js";
+import { runContext } from "./runners/context.js";
+import { runDependencies } from "./runners/dependencies.js";
+import { runEnvValidation } from "./runners/env-validation.js";
+import { runGitHygiene } from "./runners/git-hygiene.js";
+import { runDocCoherence } from "./runners/doc-coherence.js";
+import { runDocs } from "./runners/docs.js";
+import { runDuplication } from "./runners/duplication.js";
+import { runErrorHandling } from "./runners/error-handling.js";
+import { runLint } from "./runners/lint.js";
+import { runMemorySafety } from "./runners/memory-safety.js";
+import { runPerformance } from "./runners/performance.js";
+import { runReact } from "./runners/react.js";
+import { runSecrets } from "./runners/secrets.js";
+import { runSecurity } from "./runners/security.js";
+import { runStandards } from "./runners/standards.js";
+import { runStructure } from "./runners/structure.js";
+import { runTesting } from "./runners/testing.js";
+import { runTypeSafety } from "./runners/type-safety.js";
+import { runTypeCheck } from "./runners/types-check.js";
+import { computeScore } from "./score.js";
+import { gradeFromScore } from "./types.js";
+const pkg = JSON.parse(readFileSync(new URL("../package.json", import.meta.url), "utf-8"));
+const VERSION = pkg.version;
+/** Run a full code health scan. Returns a VibeReport with score, grade, and all check results. */
+export async function scan(cwd, options = {}) {
+    const start = Date.now();
+    const resolvedCwd = resolve(cwd);
+    const config = options.config ?? loadConfig(resolvedCwd);
+    const workspace = detectWorkspace(resolvedCwd);
+    const stack = detectStack(resolvedCwd, workspace);
+    const isDart = stack.language === "dart";
+    setGlobalSrcRoots(workspace.isMonorepo ? workspace.srcRoots : undefined);
+    setGlobalIgnore(config.ignore);
+    const srcRoots = workspace.isMonorepo ? workspace.srcRoots : undefined;
+    const skipTests = options.skipTests ?? false;
+    const allRunners = [
+        { name: "structure", fn: () => runStructure(resolvedCwd, stack, workspace) },
+        { name: "lint", fn: () => runLint(resolvedCwd, stack, workspace) },
+        { name: "types", fn: () => runTypeCheck(resolvedCwd, isDart, workspace) },
+        { name: "type-safety", fn: () => runTypeSafety(resolvedCwd, isDart) },
+        { name: "standards", fn: () => runStandards(resolvedCwd, stack) },
+        { name: "complexity", fn: () => runComplexity(resolvedCwd) },
+        { name: "duplication", fn: () => runDuplication(resolvedCwd) },
+        { name: "error-handling", fn: () => runErrorHandling(resolvedCwd, stack) },
+        { name: "react", fn: () => runReact(resolvedCwd, stack) },
+        { name: "accessibility", fn: () => runAccessibility(resolvedCwd) },
+        { name: "docs", fn: () => runDocs(resolvedCwd) },
+        { name: "best-practices", fn: () => runBestPractices(resolvedCwd, workspace) },
+        { name: "env-validation", fn: () => runEnvValidation(resolvedCwd) },
+        { name: "git-hygiene", fn: () => runGitHygiene(resolvedCwd) },
+        { name: "memory-safety", fn: () => runMemorySafety(resolvedCwd) },
+        { name: "testing", fn: () => runTesting(resolvedCwd, stack, skipTests, srcRoots) },
+        { name: "secrets", fn: () => runSecrets(resolvedCwd) },
+        { name: "security", fn: () => runSecurity(resolvedCwd) },
+        { name: "dependencies", fn: () => runDependencies(resolvedCwd, stack) },
+        { name: "architecture", fn: () => runArchitecture(resolvedCwd, workspace) },
+        { name: "performance", fn: () => runPerformance(resolvedCwd) },
+        { name: "container-health", fn: () => runContainerHealth(resolvedCwd) },
+        { name: "confusion", fn: () => runConfusion(resolvedCwd) },
+        { name: "context", fn: () => runContext(resolvedCwd) },
+        { name: "doc-coherence", fn: () => runDocCoherence(resolvedCwd) },
+        { name: "code-coherence", fn: () => runCodeCoherence(resolvedCwd) },
+        { name: "comment-staleness", fn: () => runCommentStaleness(resolvedCwd) },
+        { name: "dead-patterns", fn: () => runDeadPatterns(resolvedCwd) },
+        { name: "test-audit", fn: () => runTestAudit(resolvedCwd) },
+    ];
+    // Filter checks if specified
+    const checkFilter = options.checks ? new Set(options.checks) : null;
+    const runners = checkFilter
+        ? allRunners.filter((r) => checkFilter.has(r.name))
+        : allRunners;
+    const checks = [];
+    const total = runners.length;
+    for (let i = 0; i < total; i++) {
+        const runner = runners[i];
+        if (!isCheckEnabled(config, runner.name)) {
+            const skipped = {
+                name: runner.name,
+                score: 0,
+                grade: "F",
+                details: { skipped: true, reason: "disabled in config" },
+                issues: [],
+                duration: 0,
+            };
+            checks.push(skipped);
+            options.onProgress?.(runner.name, skipped, i, total);
+            continue;
+        }
+        let result;
+        try {
+            const maybeResult = runner.fn();
+            result = maybeResult instanceof Promise ? await maybeResult : maybeResult;
+        }
+        catch (err) {
+            result = {
+                name: runner.name,
+                score: 0,
+                grade: "F",
+                details: { skipped: true, reason: `runner error: ${err instanceof Error ? err.message : "unknown"}` },
+                issues: [],
+                duration: 0,
+            };
+        }
+        // Apply per-check ignore patterns
+        const patterns = getCheckIgnore(config, result.name);
+        if (patterns?.length) {
+            result.issues = result.issues.filter((issue) => {
+                if (!issue.file || typeof issue.file !== "string")
+                    return true;
+                const f = issue.file;
+                return !patterns.some((p) => {
+                    if (p.endsWith("/**"))
+                        return f.startsWith(p.slice(0, -3) + "/");
+                    if (p.startsWith("*"))
+                        return f.endsWith(p.slice(1));
+                    return f.startsWith(p);
+                });
+            });
+        }
+        checks.push(result);
+        options.onProgress?.(runner.name, result, i, total);
+    }
+    const score = computeScore(checks);
+    const grade = gradeFromScore(score);
+    const { repoUrl, branch } = detectRepoUrl(resolvedCwd);
+    return {
+        version: VERSION,
+        timestamp: new Date().toISOString(),
+        score,
+        grade,
+        checks,
+        meta: {
+            cwd: resolvedCwd,
+            node: process.version,
+            duration: Date.now() - start,
+            stack,
+            workspace,
+            repoUrl,
+            branch,
+        },
+    };
+}
+// ── Re-exports ──
+export { CHECK_META, getCheckMeta };
+export { computeScore } from "./score.js";
+export { loadConfig } from "./config.js";
+export { detectStack, detectWorkspace } from "./detect.js";
+export { gradeFromScore } from "./types.js";

package/dist/runners/container-health.d.ts

@@ -0,0 +1,3 @@
+/** Container health — Dockerfile best practices, .dockerignore, base image hygiene. */
+import type { CheckResult } from "../types.js";
+export declare function runContainerHealth(cwd: string): CheckResult;

package/dist/runners/container-health.js

@@ -0,0 +1,141 @@
+/** Container health — Dockerfile best practices, .dockerignore, base image hygiene. */
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { join } from "node:path";
+import { gradeFromScore } from "../types.js";
+export function runContainerHealth(cwd) {
+    const start = Date.now();
+    const issues = [];
+    // Find Dockerfiles
+    const dockerfiles = [];
+    try {
+        for (const f of readdirSync(cwd)) {
+            if (f === "Dockerfile" || f.startsWith("Dockerfile.") || f === "dockerfile") {
+                dockerfiles.push(f);
+            }
+        }
+    }
+    catch { /* not readable */ }
+    if (dockerfiles.length === 0) {
+        return {
+            name: "container-health",
+            score: 0,
+            grade: "F",
+            details: { skipped: true, reason: "no Dockerfile found" },
+            issues: [],
+            duration: Date.now() - start,
+        };
+    }
+    // Check .dockerignore exists
+    if (!existsSync(join(cwd, ".dockerignore"))) {
+        issues.push({
+            severity: "warning",
+            message: "No .dockerignore — node_modules, .git, and secrets may be included in the image",
+            rule: "no-dockerignore",
+        });
+    }
+    else {
+        const dockerignore = readFileSync(join(cwd, ".dockerignore"), "utf-8");
+        const missing = [];
+        if (!dockerignore.includes("node_modules"))
+            missing.push("node_modules");
+        if (!dockerignore.includes(".git"))
+            missing.push(".git");
+        if (!dockerignore.includes(".env"))
+            missing.push(".env");
+        if (missing.length > 0) {
+            issues.push({
+                severity: "warning",
+                message: `.dockerignore missing: ${missing.join(", ")}`,
+                file: ".dockerignore",
+                rule: "dockerignore-incomplete",
+            });
+        }
+    }
+    for (const df of dockerfiles) {
+        const content = readFileSync(join(cwd, df), "utf-8");
+        const lines = content.split("\n");
+        // Check for unpinned base images (FROM node, FROM ubuntu — no tag)
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i].trim();
+            if (/^FROM\s+\S+$/i.test(line) && !line.includes(":") && !line.includes("@") && !line.toLowerCase().includes("scratch")) {
+                issues.push({
+                    severity: "error",
+                    message: `Unpinned base image: ${line} — use a specific tag (e.g., node:22-slim)`,
+                    file: df,
+                    line: i + 1,
+                    rule: "unpinned-base",
+                });
+            }
+            // Check for :latest tag
+            if (/^FROM\s+\S+:latest/i.test(line)) {
+                issues.push({
+                    severity: "warning",
+                    message: `Using :latest tag: ${line} — pin to a specific version for reproducible builds`,
+                    file: df,
+                    line: i + 1,
+                    rule: "latest-tag",
+                });
+            }
+        }
+        // Check for running as root (no USER instruction)
+        if (!content.match(/^USER\s+/m)) {
+            issues.push({
+                severity: "warning",
+                message: "No USER instruction — container runs as root by default",
+                file: df,
+                rule: "runs-as-root",
+            });
+        }
+        // Check for multi-stage build (good practice for smaller images)
+        const fromCount = (content.match(/^FROM\s+/gim) || []).length;
+        if (fromCount === 1 && existsSync(join(cwd, "package.json"))) {
+            issues.push({
+                severity: "info",
+                message: "Single-stage build — multi-stage builds produce smaller images",
+                file: df,
+                rule: "no-multi-stage",
+            });
+        }
+        // Check for COPY before npm install (cache busting)
+        const copyAllIdx = lines.findIndex((l) => /^COPY\s+\.\s+/i.test(l.trim()));
+        const npmInstallIdx = lines.findIndex((l) => /npm install|pnpm install|yarn install/i.test(l));
+        if (copyAllIdx !== -1 && npmInstallIdx !== -1 && copyAllIdx < npmInstallIdx) {
+            issues.push({
+                severity: "warning",
+                message: "COPY . before npm install — copy package.json first to leverage Docker cache",
+                file: df,
+                line: copyAllIdx + 1,
+                rule: "cache-bust",
+            });
+        }
+        // Check for apt-get without cleanup
+        if (content.includes("apt-get install") && !content.includes("apt-get clean") && !content.includes("rm -rf /var/lib/apt")) {
+            issues.push({
+                severity: "info",
+                message: "apt-get install without cleanup — add 'apt-get clean && rm -rf /var/lib/apt/lists/*'",
+                file: df,
+                rule: "apt-no-clean",
+            });
+        }
+        // Check for EXPOSE
+        if (!content.match(/^EXPOSE\s+/m) && (content.includes("node") || content.includes("npm start"))) {
+            issues.push({
+                severity: "info",
+                message: "No EXPOSE instruction — document which port the app listens on",
+                file: df,
+                rule: "no-expose",
+            });
+        }
+    }
+    const errorCount = issues.filter((i) => i.severity === "error").length;
+    const warnCount = issues.filter((i) => i.severity === "warning").length;
+    const score = Math.max(0, 100 - errorCount * 25 - warnCount * 10);
+    return {
+        name: "container-health",
+        score,
+        grade: gradeFromScore(score),
+        details: { dockerfiles, hasDockerignore: existsSync(join(cwd, ".dockerignore")) },
+        issues,
+        duration: Date.now() - start,
+    };
+}

package/dist/runners/env-validation.d.ts

@@ -0,0 +1,3 @@
+/** Environment validation — checks .env hygiene, .env.example drift, and unsafe patterns. */
+import type { CheckResult } from "../types.js";
+export declare function runEnvValidation(cwd: string): CheckResult;

package/dist/runners/env-validation.js

@@ -0,0 +1,122 @@
+/** Environment validation — checks .env hygiene, .env.example drift, and unsafe patterns. */
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { join } from "node:path";
+import { gradeFromScore } from "../types.js";
+export function runEnvValidation(cwd) {
+    const start = Date.now();
+    const issues = [];
+    const envFiles = readdirSync(cwd).filter((f) => f.startsWith(".env"));
+    const hasEnv = envFiles.some((f) => f === ".env" || f === ".env.local");
+    const hasExample = envFiles.some((f) => f === ".env.example" || f === ".env.template");
+    // Check .gitignore includes .env
+    if (hasEnv) {
+        const gitignore = existsSync(join(cwd, ".gitignore")) ? readFileSync(join(cwd, ".gitignore"), "utf-8") : "";
+        if (!gitignore.includes(".env")) {
+            issues.push({ severity: "error", message: ".env not in .gitignore — secrets may be committed", file: ".gitignore", rule: "env-not-ignored" });
+        }
+    }
+    // Check .env.example exists when .env does
+    if (hasEnv && !hasExample) {
+        issues.push({ severity: "warning", message: "No .env.example — other developers won't know which vars are needed", rule: "no-env-example" });
+    }
+    // Check .env.example drift — vars in .env.example should match .env
+    if (hasEnv && hasExample) {
+        const exampleFile = envFiles.find((f) => f === ".env.example" || f === ".env.template");
+        const envVars = parseEnvKeys(readFileSync(join(cwd, ".env"), "utf-8"));
+        const exampleVars = parseEnvKeys(readFileSync(join(cwd, exampleFile), "utf-8"));
+        for (const key of exampleVars) {
+            if (!envVars.has(key)) {
+                issues.push({ severity: "info", message: `${exampleFile} has ${key} but .env doesn't — may be missing`, file: exampleFile, rule: "env-example-drift" });
+            }
+        }
+        for (const key of envVars) {
+            if (!exampleVars.has(key)) {
+                issues.push({ severity: "warning", message: `${key} in .env but not in ${exampleFile} — won't be documented for other developers`, file: exampleFile, rule: "env-example-drift" });
+            }
+        }
+    }
+    // Scan .env files for unsafe patterns
+    for (const f of envFiles) {
+        if (f === ".env.example" || f === ".env.template")
+            continue;
+        const content = readFileSync(join(cwd, f), "utf-8");
+        const lines = content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i].trim();
+            if (!line || line.startsWith("#"))
+                continue;
+            // Check for values that look like they should be secret but have defaults
+            if (/^(DATABASE_URL|DB_PASSWORD|SECRET_KEY|JWT_SECRET|API_KEY|PRIVATE_KEY)=/i.test(line)) {
+                const value = line.split("=").slice(1).join("=").trim().replace(/^["']|["']$/g, "");
+                if (value && !value.startsWith("$") && !value.includes("${") && value.length < 20 && !/^(changeme|replace|todo|xxx|your[-_])/i.test(value)) {
+                    issues.push({
+                        severity: "warning",
+                        message: `${line.split("=")[0]} appears to have a hardcoded value — use a placeholder in committed files`,
+                        file: f,
+                        line: i + 1,
+                        rule: "env-hardcoded-secret",
+                    });
+                }
+            }
+            // Check for empty required-looking vars
+            if (/^[A-Z_]+=\s*$/.test(line)) {
+                const key = line.split("=")[0];
+                if (/KEY|SECRET|TOKEN|PASSWORD|URL/i.test(key)) {
+                    issues.push({
+                        severity: "info",
+                        message: `${key} is empty — may cause runtime errors`,
+                        file: f,
+                        line: i + 1,
+                        rule: "env-empty-var",
+                    });
+                }
+            }
+        }
+    }
+    // Check for env vars used in code but not in .env.example
+    if (hasExample) {
+        const exampleFile = envFiles.find((f) => f === ".env.example" || f === ".env.template");
+        const exampleVars = parseEnvKeys(readFileSync(join(cwd, exampleFile), "utf-8"));
+        // Quick scan of package.json for referenced env vars
+        if (existsSync(join(cwd, "package.json"))) {
+            try {
+                const pkg = readFileSync(join(cwd, "package.json"), "utf-8");
+                const envRefs = pkg.match(/process\.env\.([A-Z_]+)/g) || [];
+                for (const ref of new Set(envRefs)) {
+                    const varName = ref.replace("process.env.", "");
+                    if (!exampleVars.has(varName) && !["NODE_ENV", "CI", "HOME", "PATH", "PWD"].includes(varName)) {
+                        issues.push({
+                            severity: "info",
+                            message: `${varName} used in code but not in ${exampleFile}`,
+                            rule: "env-undocumented",
+                        });
+                    }
+                }
+            }
+            catch { /* ignore */ }
+        }
+    }
+    const errorCount = issues.filter((i) => i.severity === "error").length;
+    const warnCount = issues.filter((i) => i.severity === "warning").length;
+    const score = Math.max(0, 100 - errorCount * 25 - warnCount * 10);
+    return {
+        name: "env-validation",
+        score,
+        grade: gradeFromScore(score),
+        details: { envFiles, hasExample },
+        issues,
+        duration: Date.now() - start,
+    };
+}
+function parseEnvKeys(content) {
+    const keys = new Set();
+    for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#"))
+            continue;
+        const eq = trimmed.indexOf("=");
+        if (eq > 0)
+            keys.add(trimmed.slice(0, eq).trim());
+    }
+    return keys;
+}

package/dist/runners/git-hygiene.d.ts

@@ -0,0 +1,3 @@
+/** Git hygiene — checks commit quality, large files, and repo health. */
+import type { CheckResult } from "../types.js";
+export declare function runGitHygiene(cwd: string): CheckResult;

package/dist/runners/git-hygiene.js

@@ -0,0 +1,125 @@
+/** Git hygiene — checks commit quality, large files, and repo health. */
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+import { getProductionFiles } from "../fs-utils.js";
+import { gradeFromScore } from "../types.js";
+import { run } from "./exec.js";
+export function runGitHygiene(cwd) {
+    const start = Date.now();
+    const issues = [];
+    if (!existsSync(join(cwd, ".git"))) {
+        return {
+            name: "git-hygiene",
+            score: 0,
+            grade: "F",
+            details: { skipped: true, reason: "not a git repository" },
+            issues: [],
+            duration: Date.now() - start,
+        };
+    }
+    // 1. Check for merge conflict markers in source files
+    const files = getProductionFiles(cwd);
+    for (const f of files) {
+        const lines = f.content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            if (/^<{7}\s|^={7}$|^>{7}\s/.test(lines[i])) {
+                issues.push({
+                    severity: "error",
+                    message: "Merge conflict marker found",
+                    file: f.path,
+                    line: i + 1,
+                    rule: "merge-conflict",
+                });
+                break; // one per file is enough
+            }
+        }
+    }
+    // 2. Check recent commit message quality (last 20 commits)
+    const { stdout: logOutput, ok: logOk } = run("git log --oneline -20 --format='%s' 2>/dev/null", cwd, 10_000);
+    if (logOk && logOutput.trim()) {
+        const messages = logOutput.trim().split("\n").filter(Boolean);
+        let poorMessages = 0;
+        for (const msg of messages) {
+            const trimmed = msg.trim().replace(/^'|'$/g, "");
+            // Flag very short or generic commit messages
+            if (trimmed.length < 5 || /^(fix|update|change|wip|test|stuff|asdf|temp|\.+)$/i.test(trimmed)) {
+                poorMessages++;
+            }
+        }
+        if (messages.length > 0) {
+            const poorRatio = poorMessages / messages.length;
+            if (poorRatio > 0.5) {
+                issues.push({
+                    severity: "warning",
+                    message: `${poorMessages}/${messages.length} recent commits have low-quality messages`,
+                    rule: "poor-commit-messages",
+                });
+            }
+        }
+    }
+    // 3. Check for large files tracked in git
+    const { stdout: lsOutput, ok: lsOk } = run("git ls-files -z 2>/dev/null | xargs -0 -I{} sh -c 'wc -c < \"{}\" | tr -d \" \" | xargs -I@ echo @\\t{}' 2>/dev/null | sort -rn | head -5", cwd, 15_000);
+    if (lsOk && lsOutput.trim()) {
+        for (const line of lsOutput.trim().split("\n")) {
+            const parts = line.split("\t");
+            if (parts.length < 2)
+                continue;
+            const size = parseInt(parts[0], 10);
+            const file = parts[1];
+            if (size > 5_000_000) { // 5MB
+                issues.push({
+                    severity: "warning",
+                    message: `Large file tracked in git: ${file} (${(size / 1_000_000).toFixed(1)}MB) — consider Git LFS`,
+                    file,
+                    rule: "large-file",
+                });
+            }
+        }
+    }
+    // 4. Check for committed binary files
+    const binaryExts = new Set([".zip", ".tar", ".gz", ".jar", ".war", ".exe", ".dll", ".so", ".dylib", ".bin", ".dat", ".sqlite", ".db"]);
+    const { stdout: allFiles } = run("git ls-files 2>/dev/null", cwd, 10_000);
+    if (allFiles) {
+        for (const file of allFiles.trim().split("\n")) {
+            const ext = file.slice(file.lastIndexOf(".")).toLowerCase();
+            if (binaryExts.has(ext)) {
+                issues.push({
+                    severity: "warning",
+                    message: `Binary file tracked in git: ${file} — use .gitignore or Git LFS`,
+                    file,
+                    rule: "binary-in-git",
+                });
+            }
+        }
+    }
+    // 5. Check .gitignore completeness
+    if (existsSync(join(cwd, ".gitignore"))) {
+        const gitignore = require("node:fs").readFileSync(join(cwd, ".gitignore"), "utf-8");
+        const missing = [];
+        if (!gitignore.includes("node_modules") && existsSync(join(cwd, "package.json")))
+            missing.push("node_modules");
+        if (!gitignore.includes(".env") && existsSync(join(cwd, ".env")))
+            missing.push(".env");
+        if (!gitignore.includes("dist") && !gitignore.includes("build"))
+            missing.push("dist/build");
+        if (missing.length > 0) {
+            issues.push({
+                severity: "warning",
+                message: `.gitignore missing common entries: ${missing.join(", ")}`,
+                file: ".gitignore",
+                rule: "gitignore-incomplete",
+            });
+        }
+    }
+    const errorCount = issues.filter((i) => i.severity === "error").length;
+    const warnCount = issues.filter((i) => i.severity === "warning").length;
+    const score = Math.max(0, 100 - errorCount * 30 - warnCount * 10);
+    return {
+        name: "git-hygiene",
+        score,
+        grade: gradeFromScore(score),
+        details: { commitCount: logOutput?.trim().split("\n").length || 0 },
+        issues,
+        duration: Date.now() - start,
+    };
+}

package/dist/runners/memory-safety.d.ts

@@ -0,0 +1,3 @@
+/** Memory safety — detects resource leak patterns in TypeScript/JavaScript. */
+import type { CheckResult } from "../types.js";
+export declare function runMemorySafety(cwd: string): CheckResult;

package/dist/runners/memory-safety.js

@@ -0,0 +1,114 @@
+/** Memory safety — detects resource leak patterns in TypeScript/JavaScript. */
+import { getProductionFiles } from "../fs-utils.js";
+import { gradeFromScore } from "../types.js";
+const PATTERNS = [
+    {
+        name: "setInterval-no-clear",
+        pattern: /\bsetInterval\s*\(/g,
+        severity: "warning",
+        message: "setInterval without clearInterval — potential memory leak",
+        rule: "interval-leak",
+    },
+    {
+        name: "addEventListener-no-remove",
+        pattern: /\.addEventListener\s*\(/g,
+        severity: "warning",
+        message: "addEventListener without removeEventListener — may leak if component unmounts",
+        rule: "listener-leak",
+    },
+    {
+        name: "global-var-assignment",
+        pattern: /(?:^|\n)\s*(?:window|globalThis|global)\.\w+\s*=/g,
+        severity: "warning",
+        message: "Global variable assignment — pollutes global scope, hard to garbage collect",
+        rule: "global-pollution",
+    },
+    {
+        name: "new-without-cleanup",
+        pattern: /new\s+(?:MutationObserver|IntersectionObserver|ResizeObserver|PerformanceObserver)\s*\(/g,
+        severity: "warning",
+        message: "Observer created — ensure .disconnect() is called on cleanup",
+        rule: "observer-leak",
+    },
+    {
+        name: "websocket-no-close",
+        pattern: /new\s+WebSocket\s*\(/g,
+        severity: "warning",
+        message: "WebSocket opened — ensure .close() is called on cleanup",
+        rule: "websocket-leak",
+    },
+    {
+        name: "event-emitter-leak",
+        pattern: /\.on\s*\(\s*['"`]/g,
+        severity: "warning",
+        message: "Event listener registered — ensure .off() or .removeListener() on cleanup",
+        rule: "emitter-leak",
+    },
+];
+export function runMemorySafety(cwd) {
+    const start = Date.now();
+    const issues = [];
+    const files = getProductionFiles(cwd);
+    for (const f of files) {
+        if (f.isTest)
+            continue;
+        const lines = f.content.split("\n");
+        for (const pat of PATTERNS) {
+            // Check if the file has the pattern
+            const matches = f.content.match(pat.pattern);
+            if (!matches)
+                continue;
+            // For interval/listener leaks, check if cleanup exists in the same file
+            if (pat.rule === "interval-leak") {
+                if (f.content.includes("clearInterval"))
+                    continue;
+            }
+            if (pat.rule === "listener-leak") {
+                if (f.content.includes("removeEventListener"))
+                    continue;
+            }
+            if (pat.rule === "observer-leak") {
+                if (f.content.includes(".disconnect()"))
+                    continue;
+            }
+            if (pat.rule === "websocket-leak") {
+                if (f.content.includes(".close()"))
+                    continue;
+            }
+            if (pat.rule === "emitter-leak") {
+                // Skip if .off or .removeListener or .removeAllListeners in same file
+                if (f.content.includes(".off(") || f.content.includes(".removeListener(") || f.content.includes(".removeAllListeners("))
+                    continue;
+                // Skip Node.js event emitter patterns (server.on, app.on, router.on)
+                if (/\b(?:server|app|router|express|fastify|hono)\b/.test(f.content))
+                    continue;
+            }
+            // Find first occurrence line number
+            for (let i = 0; i < lines.length; i++) {
+                if (pat.pattern.test(lines[i])) {
+                    pat.pattern.lastIndex = 0; // reset regex
+                    issues.push({
+                        severity: pat.severity,
+                        message: pat.message,
+                        file: f.path,
+                        line: i + 1,
+                        rule: pat.rule,
+                    });
+                    break; // one per file per pattern
+                }
+            }
+        }
+    }
+    const totalFiles = files.filter((f) => !f.isTest).length;
+    const affectedFiles = new Set(issues.map((i) => i.file)).size;
+    const ratio = totalFiles > 0 ? affectedFiles / totalFiles : 0;
+    const score = Math.round(Math.max(0, 100 - ratio * 200));
+    return {
+        name: "memory-safety",
+        score,
+        grade: gradeFromScore(score),
+        details: { totalFiles, affectedFiles, patterns: issues.length },
+        issues,
+        duration: Date.now() - start,
+    };
+}

package/package.json

@@ -1,12 +1,16 @@
 {
 	"name": "@vibecodeqa/cli",
-	"version": "0.40.0",
+	"version": "0.42.0",
 	"description": "Code health scanner for the AI coding era. 25 checks, zero config, full report.",
 	"type": "module",
 	"bin": {
 		"vcqa": "./dist/cli.js",
 		"vibe-check": "./dist/cli.js"
 	},
+	"exports": {
+		".": "./dist/cli.js",
+		"./core": "./dist/core.js"
+	},
 	"files": [
 		"dist",
 		"LICENSE",