@vibecodeqa/cli 0.41.0 → 0.43.0

package/README.md

@@ -2,249 +2,214 @@
 
 **Code health scanner for the AI coding era.**
 
-One command. 25 checks. Full report. Zero config.
+One command. 34 checks. AI-powered fixes. Zero config.
 
 ```bash
 npx @vibecodeqa/cli
 ```
 
-![Grade](https://img.shields.io/badge/checks-25-blue) ![TypeScript](https://img.shields.io/badge/TypeScript-first-3178C6) ![License](https://img.shields.io/badge/license-MIT-green)
+![Grade](https://img.shields.io/badge/checks-34-blue) ![TypeScript](https://img.shields.io/badge/TypeScript-first-3178C6) ![License](https://img.shields.io/badge/license-MIT-green) ![npm](https://img.shields.io/npm/v/@vibecodeqa/cli)
 
 ## What it does
 
-vcqa scans your TypeScript/JavaScript/Dart/Flutter codebase and produces a scored health report with actionable findings. It auto-detects your stack (React, Flutter, Vite, vitest, Biome, etc.) and runs 25 checks across 7 categories.
+vcqa scans your codebase and produces a scored health report with actionable findings. Auto-detects your stack (React, Vue, Svelte, Flutter, monorepos) and runs 34 checks across 7 categories.
 
-The output is a self-contained HTML report with radar charts, architecture diagrams, score timeline, testing pyramid, and drill-down issue lists — all navigable via sidebar and tab navigation.
+**Scan → See issues → AI fixes them → Score improves.**
 
-## Quick start
+```bash
+npx @vibecodeqa/cli                     # scan + full HTML report
+npx @vibecodeqa/cli fix --ai            # AI-powered code fixes
+npx @vibecodeqa/cli --skip-tests --top  # fast scan + top issues
+```
+
+## Install everywhere
 
 ```bash
-# Scan current directory (runs tests + coverage)
+# CLI (one command, no install needed)
 npx @vibecodeqa/cli
 
-# Fast mode (skip test execution)
-npx @vibecodeqa/cli --skip-tests
+# GitHub Action (automatic PR scanning)
+- uses: vibecodeqa/action@v1
+  with:
+    fail-under: "70"
 
-# Watch mode (re-scan on file changes)
-npx @vibecodeqa/cli --watch
+# VS Code Extension
+ext install vibecodeqa
 
-# CI mode (exit code 1 if score < 60)
-npx @vibecodeqa/cli --ci
+# MCP Server (for AI coding agents)
+claude mcp add vcqa -- npx @vibecodeqa/mcp
 
-# JSON output (pipe to other tools)
-npx @vibecodeqa/cli --json
+# Programmatic API
+import { scan } from "@vibecodeqa/cli/core";
+const report = await scan("./src");
+```
 
-# Generate badge SVG for README
-npx @vibecodeqa/cli --badge
+## AI-Powered Fix
 
-# SARIF output for GitHub Security tab
-npx @vibecodeqa/cli --sarif
+Don't just find problems — fix them:
 
-# Scan a specific directory
-npx @vibecodeqa/cli /path/to/project
+```bash
+npx @vibecodeqa/cli fix --ai                      # fix all issues
+npx @vibecodeqa/cli fix --ai --check security      # fix only security
+npx @vibecodeqa/cli fix --ai --dry-run             # preview without applying
 ```
 
-Output goes to `.vibe-check/`:
-- `report/index.html` — navigable multi-page dashboard (open in browser)
-- `report.json` — machine-readable results
-- `badge.svg` — shields.io-style badge (with `--badge`)
-- `report.sarif` — SARIF 2.1.0 for GitHub Code Scanning (with `--sarif`)
-- `history/` — last 30 reports for trend tracking
+Uses Claude to read your code context, understand the issue, and generate a targeted fix. Requires `ANTHROPIC_API_KEY`.
 
-## Checks
+## 34 Checks
 
 ### Foundations (23%)
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
-| **Structure** | 6% | Standard files (package.json, tsconfig, LICENSE, README, .gitignore), lockfile, test-to-source ratio |
-| **Lint** | 5% | Biome or ESLint errors/warnings (auto-detected) |
-| **Types** | 6% | TypeScript compilation errors (`tsc --noEmit`) |
-| **Type Safety** | 3% | `as any`, `: any`, `@ts-ignore`, `@ts-nocheck` counts |
-| **Standards** | 3% | File naming, large files (>300 lines), code smells (console.log, var, ==, eval), config hygiene |
+| Structure | 6% | Standard files, lockfile, test-to-source ratio |
+| Lint | 5% | Biome or ESLint errors/warnings |
+| Types | 6% | TypeScript compilation errors |
+| Type Safety | 3% | `as any`, `@ts-ignore`, non-null assertions |
+| Standards | 3% | File naming, large files, code smells |
 
-### Quality (26%)
+### Quality (28%)
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
-| **Complexity** | 5% | Cognitive complexity per function, functions >60 lines |
-| **Duplication** | 5% | Copy-pasted 6+ line blocks |
-| **Error Handling** | 3% | Empty catch blocks, throw string, missing Error Boundaries, [error info leakage](https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html) (stack traces sent to client) |
-| **React Patterns** | 3% | Conditional hooks, missing keys, index keys, prop spreading |
-| **Accessibility** | 4% | img alt, click on non-interactive elements, form labels, html lang |
-| **Docs** | 3% | README quality, JSDoc coverage of exports |
-| **Best Practices** | 3% | CI/CD, lockfile, linter, test scripts, supply chain, [health endpoints](https://nodejs.org/learn/getting-started/security-best-practices), graceful shutdown, [Helmet.js](https://helmetjs.github.io/), input validation ([Zod](https://zod.dev)/Joi), [GitHub Actions security](https://docs.github.com/en/actions/security) (pwn requests, script injection, permissions). Severity-weighted: warnings=8pts, infos=2pts |
-
-### Testing (15%)
-
-One deep check with 6 sub-dimensions:
-
-- **Pyramid presence** — unit, integration, component, E2E layers detected
-- **Execution** — pass/fail from vitest/jest
-- **Coverage** — statement, branch, line, function (v8/istanbul)
-- **File pairing** — test file per source file
-- **Quality** — assertion density, mock ratio, snapshot ratio
-- **E2E detection** — Playwright/Cypress configured?
+| Complexity | 5% | Cognitive complexity per function |
+| Duplication | 3% | Copy-pasted 6+ line blocks |
+| Error Handling | 3% | Empty catch, throw string, floating promises |
+| React Patterns | 3% | Conditional hooks, missing keys |
+| Accessibility | 4% | img alt, click handlers, form labels |
+| Docs | 3% | README quality, JSDoc coverage |
+| Best Practices | 3% | CI/CD, supply chain, repo hygiene |
+| HTML Quality | — | Static site: meta tags, broken links, heading hierarchy, render-blocking scripts |
+| Frontend Health | 2% | UI framework conflicts, mixed icons, unoptimized images, heavy imports |
+| Styling | 1% | Hardcoded colors, mixed approaches, !important, inconsistent spacing |
+| Env Validation | 1% | .env hygiene, .env.example drift |
+| Git Hygiene | 1% | Merge conflicts, commit quality, large/binary files |
+| Memory Safety | 1% | Interval/listener leaks, unclosed observers, global pollution |
+
+### Testing (13%)
+
+Deep assessment: pyramid presence, execution, coverage, file pairing, quality metrics, E2E detection.
 
 ### Architecture (9%)
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
-| **Architecture** | 5% | Import graph, circular deps, god modules, orphan files, fan-out, SVG diagram with legend |
-| **Performance** | 4% | Barrel imports, heavy dependencies, dynamic import opportunities, CSS-in-JS overhead |
+| Architecture | 5% | Import graph, circular deps, god modules, orphans |
+| Performance | 4% | Barrel imports, heavy deps, dynamic import opportunities |
+| Container Health | — | Dockerfile best practices, .dockerignore, pinned images |
 
 ### Security (16%)
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
-| **Secrets** | 6% | 14 patterns (AWS, GitHub, Stripe, OpenAI, Anthropic, Google, private keys) |
-| **Security** | 5% | 36 CWE-mapped patterns (XSS, injection, SSRF, CORS, credential storage, cookies, redirects, debug mode). Delegates to [eslint-plugin-security](https://github.com/eslint-community/eslint-plugin-security) when installed |
-| **Dependencies** | 5% | npm audit vulnerabilities, outdated packages, [license compliance](https://www.npmjs.com/package/license-checker) (GPL/AGPL/copyleft detection) |
-
-### AI Readiness (11%)
+| Secrets | 6% | Hardcoded keys (AWS, GitHub, Stripe, OpenAI, Anthropic) |
+| Security | 5% | 31 CWE patterns (XSS, injection, SSRF, CORS) |
+| Dependencies | 5% | npm audit CVEs, outdated packages |
 
-Novel checks that no other tool offers:
+### AI Readiness (9%)
 
 | Check | Weight | What it measures |
 |-------|--------|-----------------|
-| **Confusion Index** | 6% | File name similarity, generic names, export collisions, ambiguous abbreviations |
-| **Context Locality** | 5% | Token density, import depth, circular deps, context sinks |
+| Confusion Index | 4% | Naming ambiguity that confuses LLMs |
+| Context Locality | 5% | Token density, import depth, circular deps |
 
 ### AI Analysis (PRO)
 
 | Check | What it measures |
 |-------|-----------------|
-| **Doc Coherence** | LLM-powered detection of contradictions between docs and code (JSDoc mismatch, stale README refs) |
-| **Code Coherence** | LLM-powered detection of internal inconsistencies (mixed error patterns, duplicate exports) |
-| **Comment Staleness** | Stale TODOs (>6 months), numeric mismatches ("3 cases" but 5 exist), commented-out code blocks, @deprecated without replacement |
+| Doc Coherence | Contradictions between docs and code |
+| Code Coherence | Internal inconsistencies across modules |
+| Comment Staleness | Stale TODOs, numeric mismatches, commented-out code |
+| Dead Patterns | Leftover code from incomplete refactors |
+| Test Audit | Fake/shallow tests that inflate coverage |
+| File Cohesion | Files mixing multiple responsibilities |
+| Design Consistency | Visual inconsistency across components |
 
-## Scoring
+## GitHub Action
 
-Each check produces a score from 0-100. The composite score is a **weighted average**:
-
-```
-composite = Σ(check_score × weight) / Σ(weight)
+```yaml
+- uses: vibecodeqa/action@v1
+  with:
+    fail-under: "70"          # quality gate
+    auto-fix: "true"          # AI fixes pushed to PR
+    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
 ```
 
-Weights sum to 100% (see table above). Skipped checks are excluded from both numerator and denominator. Within each check, scoring is **proportional to codebase size** — no absolute-count cliffs. The `best-practices` check uses **severity-weighted penalties** (error=15pts, warning=8pts, info=2pts) so missing nice-to-haves like CODEOWNERS don't tank your score.
-
-| Grade | Score | Meaning |
-|-------|-------|---------|
-| **A** | 90-100 | Excellent — production-ready |
-| **B** | 75-89 | Good — minor issues |
-| **C** | 60-74 | Fair — needs attention |
-| **D** | 40-59 | Poor — significant issues |
-| **F** | 0-39 | Critical — major problems |
-
-## Report features
-
-- **Primary nav**: Overview + 7 dimension tabs (Foundations, Quality, Testing, Architecture, Security, AI Readiness, AI Analysis)
-- **Secondary nav**: Issues + Files (cross-cutting data views)
-- **Score ring + radar chart** — 6-axis view of category scores
-- **Score timeline** — last 30 runs with grade-colored dots
-- **Testing pyramid** — proportional SVG showing unit/integration/component/e2e distribution
-- **Architecture SVG** — modules grouped by directory, bezier edges with arrows, color-coded nodes (god module, cycle, orphan), legend
-- **File health map** — heatmap bars showing issue density per file
-- **Trend comparison** — score delta vs. previous run
-- **GitHub links** — click any file:line to open in GitHub (auto-detected from git remote)
-- **Actionable prompts** — clipboard button on every issue copies a fix prompt for Claude/Codex
-- **Info panels** — each check has What/Risk/Fix explanations with research citations
-- **Priority badges** — critical/high/medium/low on each check
+Features: PR comments, SARIF upload, quality gates, AI autofix.
 
-## CLI options
+## Programmatic API
 
-| Flag | Description |
-|------|-------------|
-| `--skip-tests` | Skip test execution and coverage (fast mode) |
-| `--ci` | Exit code 1 if composite score < 60 |
-| `--fail-under N` | Exit code 1 if composite score < N |
-| `--json` | Output JSON to stdout (no HTML, no browser) |
-| `--badge` | Generate badge.svg in output directory |
-| `--sarif` | Generate SARIF 2.1.0 for GitHub Code Scanning |
-| `--upload` | Upload report to app.vibecodeqa.online |
-| `--top [N]` | Show top N issues to fix (default: 5) |
-| `--diff [base]` | Only show issues in changed files (vs HEAD or branch) |
-| `--markdown` | Output markdown summary (pipe to file or clipboard) |
-| `--pr-comment` | Post score as GitHub PR comment (needs `GITHUB_TOKEN`) |
-| `--annotations` | Emit GitHub Actions `::warning`/`::error` inline annotations |
-| `--watch` | Re-scan automatically on file changes |
+```typescript
+import { scan, CHECK_META } from "@vibecodeqa/cli/core";
 
-## Stack detection
+const report = await scan("./src", {
+  skipTests: true,
+  checks: ["security", "testing"],
+  onProgress: (check, result, i, total) => {
+    console.log(`${i + 1}/${total} ${check}: ${result.grade}`);
+  },
+});
+
+console.log(`${report.grade} ${report.score}/100`);
+```
+
+## MCP Server
+
+Give AI coding agents real-time code health context:
 
-Auto-detects from `package.json`, `pubspec.yaml`, and config files:
-- **Language:** TypeScript, JavaScript, Dart
-- **Framework:** React, Vue, Svelte, Flutter
-- **Bundler:** Vite, Webpack, esbuild
-- **Test runner:** vitest, jest, flutter_test, dart_test
-- **Linter:** Biome, ESLint, dart analyze
-- **Package manager:** pnpm, npm, yarn, bun, pub
+```bash
+claude mcp add vcqa -- npx @vibecodeqa/mcp
+```
+
+6 tools: `vcqa_score`, `vcqa_scan`, `vcqa_file_health`, `vcqa_check`, `vcqa_explain`, `vcqa_fix`.
 
 ## Configuration
 
-Create `.vcqa.json` in your project root (or add a `"vcqa"` field to `package.json`):
+Create `.vcqa.json`:
 
 ```json
 {
   "checks": {
-    "confusion": { "enabled": false },
-    "react": { "enabled": false }
+    "react": { "enabled": false },
+    "container-health": { "ignore": ["Dockerfile.dev"] }
   },
-  "ignore": ["generated/**", "*.pb.ts", "vendor/**"],
+  "ignore": ["generated/**", "vendor/**"],
   "failUnder": 70
 }
 ```
 
-| Field | Description |
-|-------|-------------|
-| `checks` | Disable individual checks with `"enabled": false` |
-| `ignore` | Extra glob patterns to skip when scanning source files |
-| `failUnder` | Default score threshold (overridden by `--fail-under` flag) |
-
 ## Monorepo support
 
-Automatically detects and scans all packages in:
-- **pnpm** — `pnpm-workspace.yaml` (with comments, flow-style YAML, negation patterns)
-- **npm/yarn** — `workspaces` in `package.json`
-- **bun** — `workspaces` in `package.json` + `bun.lockb`
-- **lerna** — `lerna.json`
-- **turborepo** — `turbo.json` (overlay on pnpm/npm/yarn)
-- **nx** — `nx.json` (overlay on pnpm/npm/yarn)
-- **melos** — `melos.yaml` (Dart/Flutter monorepos)
-- **Conventional layouts** — `server/` + `client/`, `apps/` + `packages/`, etc.
-
-Framework detection aggregates deps from all workspace packages — React in `packages/web/package.json` is detected even if root has no React dependency.
-
-## GitHub Actions
+Auto-detects: pnpm, npm, yarn, bun, lerna, turborepo, nx, melos.
 
-Add this to `.github/workflows/vibecodeqa.yml` for automatic PR scanning:
+## Stack detection
 
-```yaml
-name: VibeCode QA
-on: [pull_request]
-permissions:
-  contents: read
-  pull-requests: write
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - run: npx @vibecodeqa/cli --skip-tests --ci --sarif --pr-comment
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: .vibe-check/report.sarif
-```
+Auto-detects: TypeScript/JavaScript/Dart, React/Vue/Svelte/Flutter, Vite/Webpack/esbuild, vitest/jest, Biome/ESLint, pnpm/npm/yarn/bun.
 
-## License
+## CLI options
 
-MIT — Free forever as a CLI tool.
+| Flag | Description |
+|------|-------------|
+| `--skip-tests` | Skip test execution (fast mode) |
+| `--ci` | CI mode (exit 1 if score < 60) |
+| `--fail-under N` | Exit 1 if score < N |
+| `--json` | JSON output |
+| `--badge` | Generate SVG badge |
+| `--sarif` | SARIF for GitHub Code Scanning |
+| `--upload` | Upload to dashboard |
+| `--top [N]` | Show top N issues |
+| `--diff [base]` | Issues in changed files only |
+| `--markdown` | Markdown summary |
+| `--pr-comment` | PR comment (needs `GITHUB_TOKEN`) |
+| `--annotations` | GitHub Actions annotations |
+| `--watch` | Re-scan on file changes |
 
 ## Links
 
-- **GitHub:** https://github.com/vibecodeqa/cli
 - **Website:** https://vibecodeqa.online
-- **npm:** https://www.npmjs.com/package/@vibecodeqa/cli
-- **Issues:** https://github.com/vibecodeqa/cli/issues
+- **Dashboard:** https://app.vibecodeqa.online
+- **GitHub Action:** https://github.com/vibecodeqa/action
+- **VS Code:** https://github.com/vibecodeqa/vscode
+- **MCP:** https://github.com/vibecodeqa/mcp
+
+MIT — Free forever as a CLI tool.

package/dist/check-meta.js

@@ -46,10 +46,10 @@ export const CHECK_META = {
         name: "standards",
         label: "Code Standards",
         category: "Foundations",
-        priority: "medium",
+        priority: "high",
         weight: 3,
-        description: "Checks coding conventions: file naming (PascalCase for components, kebab-case for modules), file size limits (>300 lines flagged), code smells (console.log, var, ==, eval, innerHTML, TODO/FIXME), config hygiene (strict mode), and framework best practices (Tailwind vs inline styles).",
-        risk: "Large files are hard to review and test. console.log in production leaks internal data. var causes hoisting bugs. == causes type coercion surprises. eval/innerHTML are security vulnerabilities. Inconsistent naming makes the codebase harder to navigate.",
+        description: "Checks coding conventions: file naming (PascalCase for components, kebab-case for modules), file size limits (>250 lines warning, >400 error), code smells (console.log, var, ==, eval, innerHTML, TODO/FIXME), config hygiene (strict mode), and framework best practices.",
+        risk: "Large files are hard to review and test — AI-generated code accumulates in monolithic files that become impossible to refactor. console.log in production leaks internal data. var causes hoisting bugs. == causes type coercion surprises. Inconsistent naming makes the codebase harder to navigate.",
         recommendation: "Split files over 300 lines. Replace console.log with a proper logger or remove it. Use const/let, ===, and safe DOM APIs. Enable TypeScript strict mode.",
     },
     "error-handling": {
@@ -79,7 +79,7 @@ export const CHECK_META = {
         label: "Duplication",
         category: "Quality",
         priority: "medium",
-        weight: 5,
+        weight: 3,
         description: "Detects copy-pasted code blocks of 6+ lines across source files. Duplication is measured as a percentage of total source lines involved in duplicate blocks.",
         risk: "Duplicated code means bugs must be fixed in multiple places. Miss one copy and the bug persists. DRY (Don't Repeat Yourself) violations increase maintenance cost linearly with each copy.",
         recommendation: "Extract duplicated logic into shared functions or modules. If two files share the same pattern, create a helper. If the duplication is across repos, consider vendoring a shared module.",
@@ -100,7 +100,7 @@ export const CHECK_META = {
         label: "Testing",
         category: "Testing",
         priority: "critical",
-        weight: 15,
+        weight: 13,
         description: "Deep assessment of test quality across 6 dimensions: pyramid presence (unit/integration/component/E2E layers), test execution (pass/fail), coverage (statement/branch/line/function), file pairing (test file per source file), test quality (assertion density, mock ratio, snapshot ratio), and E2E tool detection (Playwright/Cypress).",
         risk: "Code without tests is code you can't safely change. Missing test layers mean entire categories of bugs go undetected: unit tests catch logic bugs, integration tests catch API contract breaks, E2E tests catch user-visible regressions. Low coverage means large portions of code are never exercised.",
         recommendation: "Follow the testing pyramid: many unit tests, some integration tests, fewer E2E tests. Aim for >80% branch coverage. Every source file should have a corresponding test file. Use Playwright for E2E if you have a web frontend.",
@@ -153,7 +153,7 @@ export const CHECK_META = {
         label: "Confusion Index",
         category: "LLM Readiness",
         priority: "high",
-        weight: 6,
+        weight: 4,
         description: "Measures naming ambiguity that causes LLMs to misunderstand or edit the wrong code. Checks: file name confusability (Levenshtein distance + synonym detection), generic function/variable names, export name collisions across files, and ambiguous abbreviations.",
         risk: "GPT-4o drops 28.6 percentage points on code summarization when names are ambiguous (arXiv:2510.03178). LLMs editing similar-named files is the #1 reported failure mode in AI-assisted development. Generic names like process(), handle(), data cause models to misinterpret intent.",
         recommendation: "Use descriptive, unique names. Avoid synonym files (utils.ts + helpers.ts — pick one). Avoid generic exports. Disambiguate abbreviations (use 'authentication' not 'auth' if both auth meanings exist in the codebase).",
@@ -266,6 +266,99 @@ export const CHECK_META = {
         recommendation: "Enable test-audit with a VibeCode QA Pro subscription. The LLM analyzes each test to determine if its assertions actually verify the behavior described in its name.",
         premium: true,
     },
+    "env-validation": {
+        name: "env-validation",
+        label: "Environment Validation",
+        category: "Quality",
+        priority: "medium",
+        weight: 1,
+        description: "Checks .env file hygiene: .gitignore coverage, .env.example existence and drift, hardcoded secrets in env files, and empty required variables.",
+        risk: "A missing .env.example means new developers can't onboard without asking which env vars to set. Drift between .env and .env.example causes 'works on my machine' failures. Committed .env files leak secrets.",
+        recommendation: "Create .env.example with all required vars (values blanked). Ensure .env is in .gitignore. Keep .env.example in sync with .env.",
+    },
+    "git-hygiene": {
+        name: "git-hygiene",
+        label: "Git Hygiene",
+        category: "Quality",
+        priority: "medium",
+        weight: 1,
+        description: "Checks git repository health: merge conflict markers in source, commit message quality, large/binary files tracked, and .gitignore completeness.",
+        risk: "Merge conflict markers cause syntax errors. Large binary files bloat the repo forever (git history is append-only). Poor commit messages make git blame and bisect useless for debugging.",
+        recommendation: "Resolve all merge conflicts. Use Git LFS for files over 5MB. Write descriptive commit messages (what and why, not just 'fix').",
+    },
+    "memory-safety": {
+        name: "memory-safety",
+        label: "Memory Safety",
+        category: "Quality",
+        priority: "high",
+        weight: 1,
+        description: "Detects resource leak patterns: setInterval without clearInterval, addEventListener without removeEventListener, unclosed WebSockets/Observers, and global variable pollution.",
+        risk: "Resource leaks cause memory growth over time, eventually crashing the app or browser tab. Leaked event listeners fire on stale state, causing bugs. Global pollution creates hard-to-trace conflicts between modules.",
+        recommendation: "Always pair setInterval with clearInterval in cleanup. Remove event listeners in componentWillUnmount/useEffect return. Call .disconnect() on Observers. Avoid window.* assignments.",
+    },
+    "html-quality": {
+        name: "html-quality",
+        label: "HTML Quality",
+        category: "Quality",
+        priority: "medium",
+        weight: 0,
+        description: "Checks static HTML sites for meta tags (title, description, viewport, OG), image optimization (alt, dimensions, lazy loading), broken internal links, heading hierarchy, render-blocking scripts, mixed content, SEO files (robots.txt, sitemap.xml), and accessibility (lang attribute).",
+        risk: "Missing viewport meta means the page isn't mobile-responsive. Missing alt attributes make images invisible to screen readers. Render-blocking scripts delay page load. Broken links frustrate users and hurt SEO. Missing OG tags make social sharing look unprofessional.",
+        recommendation: "Add meta viewport and description to every page. Set alt on all images. Use async/defer on scripts in <head>. Add robots.txt and sitemap.xml. Ensure each page has a unique title.",
+    },
+    "frontend-health": {
+        name: "frontend-health",
+        label: "Frontend Health",
+        category: "Quality",
+        priority: "high",
+        weight: 2,
+        description: "Detects frontend antipatterns: conflicting UI frameworks (MUI + Tailwind), mixed icon libraries, unoptimized images (no width/height), heavy full-library imports, missing loading states for async data, DOM nesting violations, and inline base64 images.",
+        risk: "Conflicting UI frameworks bloat the bundle and create visual inconsistency — MUI buttons look different from Tailwind buttons. Mixed icon libraries add hundreds of KB. Images without dimensions cause layout shift (CLS). Heavy imports slow initial page load.",
+        recommendation: "Pick one UI framework and one icon library. Use next/image or set width/height on all images. Import specific components, not entire libraries. Add loading states for all async data fetches.",
+    },
+    styling: {
+        name: "styling",
+        label: "Styling Consistency",
+        category: "Quality",
+        priority: "medium",
+        weight: 1,
+        description: "Delegates to Stylelint for CSS/SCSS linting when installed. Adds cross-file analysis no CSS linter covers: mixed styling approaches, hardcoded colors in JSX, inconsistent spacing scale, !important abuse, duplicate Tailwind class strings, and inline style overuse.",
+        deeperTools: ["stylelint", "stylelint-config-standard"],
+        risk: "AI-generated components pile up inconsistent styles — hardcoded hex colors, random pixel values, inline styles. This creates an accidental design system where every component looks slightly different and nothing is reusable. Changing the brand color means finding 47 hex values across 30 files.",
+        recommendation: "Pick one styling approach (Tailwind or CSS Modules). Define colors and spacing as design tokens (CSS variables or Tailwind theme). Extract repeated class strings into shared components. Use a 4px/8px spacing scale.",
+    },
+    "design-consistency": {
+        name: "design-consistency",
+        label: "Design Consistency",
+        category: "AI Analysis",
+        priority: "high",
+        weight: 0,
+        description: "LLM-powered audit of visual consistency across components. Finds duplicate visual patterns, inconsistent spacing/color/typography, and missing component extraction opportunities.",
+        risk: "Components that look similar but are styled differently are impossible to maintain. Changing a button style means editing 7 files. Users notice the inconsistency — different border radius, slightly different padding, mismatched colors.",
+        recommendation: "Enable design-consistency with a VibeCode QA Pro subscription. The LLM analyzes styling patterns across all components to surface inconsistencies and suggest shared components.",
+        premium: true,
+    },
+    "file-cohesion": {
+        name: "file-cohesion",
+        label: "File Cohesion",
+        category: "AI Analysis",
+        priority: "critical",
+        weight: 0,
+        description: "AI-powered detection of files with multiple responsibilities — the #1 code smell in AI-generated code. Detects when a single file handles auth + email + database, or mixes HTTP routing with business logic. Provides concrete split suggestions.",
+        risk: "AI coding assistants pile features into existing files instead of creating new ones. A file handling auth, sessions, AND email is untestable, unreviewable, and impossible to refactor safely. Every change risks breaking unrelated functionality. This is the root cause of 'vibe-coded' technical debt.",
+        recommendation: "Enable file-cohesion with a VibeCode QA Pro subscription. The LLM analyzes each file's exports and logic to label responsibility clusters and suggest concrete splits.",
+        premium: true,
+    },
+    "container-health": {
+        name: "container-health",
+        label: "Container Health",
+        category: "Quality",
+        priority: "medium",
+        weight: 0,
+        description: "Checks Dockerfile best practices: pinned base images, .dockerignore, multi-stage builds, layer caching, non-root user, and exposed ports.",
+        risk: "Unpinned base images break builds when upstream tags change. Missing .dockerignore includes node_modules and .git in the image (10x size). Running as root in containers is a security risk.",
+        recommendation: "Pin base images to specific tags. Add .dockerignore with node_modules/.git/.env. Use multi-stage builds. Add USER instruction.",
+    },
 };
 export function getCheckMeta(name) {
     return (CHECK_META[name] || {