@vibecodeqa/cli 0.41.0 → 0.43.0

package/dist/commands/explain.d.ts

@@ -0,0 +1,2 @@
+/** vcqa explain — deep-dive explanation of a check. */
+export declare function runExplain(checkName?: string): Promise<void>;

package/dist/commands/explain.js

@@ -0,0 +1,33 @@
+/** vcqa explain — deep-dive explanation of a check. */
+import { getCheckMeta } from "../check-meta.js";
+export async function runExplain(checkName) {
+    if (!checkName) {
+        console.log("\n  \x1b[1mUsage:\x1b[0m vcqa explain <check>\n");
+        console.log("  Available checks:");
+        const { CHECK_META } = await import("../check-meta.js");
+        for (const [name, meta] of Object.entries(CHECK_META)) {
+            console.log(`    \x1b[1m${name.padEnd(16)}\x1b[0m ${meta.label} (${meta.category}, ${meta.weight}%)`);
+        }
+        console.log("");
+        return;
+    }
+    const meta = getCheckMeta(checkName);
+    if (!meta.description || meta.description.length < 20) {
+        console.log(`\n  \x1b[31mUnknown check: ${checkName}\x1b[0m`);
+        console.log("  Run \x1b[1mvcqa explain\x1b[0m to see available checks.\n");
+        return;
+    }
+    console.log("");
+    console.log(`  \x1b[1m\x1b[38;5;141m${meta.label}\x1b[0m  \x1b[2m${meta.category} · ${meta.priority} priority · ${meta.weight}% weight\x1b[0m`);
+    console.log("");
+    console.log(`  \x1b[1mWhat:\x1b[0m ${meta.description}`);
+    console.log("");
+    console.log(`  \x1b[1mRisk:\x1b[0m ${meta.risk}`);
+    console.log("");
+    console.log(`  \x1b[1mFix:\x1b[0m ${meta.recommendation}`);
+    if (meta.deeperTools?.length) {
+        console.log("");
+        console.log(`  \x1b[1mGo deeper:\x1b[0m ${meta.deeperTools.join(", ")}`);
+    }
+    console.log("");
+}

package/dist/commands/fix.d.ts

@@ -0,0 +1,6 @@
+/** vcqa fix — auto-fix + AI-powered fixing. */
+export declare function runFix(cwd: string, opts?: {
+    ai?: boolean;
+    dryRun?: boolean;
+    checkFilter?: string;
+}): Promise<void>;

package/dist/commands/fix.js

@@ -0,0 +1,131 @@
+/** vcqa fix — auto-fix + AI-powered fixing. */
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { aiFixIssues, collectFixableIssues } from "../ai-fix.js";
+import { scan } from "../core.js";
+import { detectStack } from "../detect.js";
+import { gradeFromScore } from "../types.js";
+import { suggestFix, validateCwd } from "./shared.js";
+export async function runFix(cwd, opts = {}) {
+    console.log("");
+    console.log(`  \x1b[1m\x1b[38;5;141mvcqa fix${opts.ai ? " --ai" : ""}${opts.dryRun ? " --dry-run" : ""}${opts.checkFilter ? ` --check ${opts.checkFilter}` : ""}\x1b[0m`);
+    console.log(`  \x1b[2m${cwd}\x1b[0m`);
+    console.log("");
+    validateCwd(cwd);
+    const stack = detectStack(cwd);
+    let fixed = 0;
+    // 0. Auto-fix structure issues (missing files)
+    if (!existsSync(join(cwd, ".gitignore"))) {
+        writeFileSync(join(cwd, ".gitignore"), "node_modules\ndist\n.vibe-check\ncoverage\n.env\n.env.local\n");
+        console.log("  \x1b[32m\u2713 Created .gitignore\x1b[0m");
+        fixed++;
+    }
+    if (existsSync(join(cwd, ".gitignore"))) {
+        const gi = readFileSync(join(cwd, ".gitignore"), "utf-8");
+        if (!gi.includes(".vibe-check")) {
+            writeFileSync(join(cwd, ".gitignore"), gi.trimEnd() + "\n.vibe-check/\n");
+            console.log("  \x1b[32m\u2713 Added .vibe-check/ to .gitignore\x1b[0m");
+            fixed++;
+        }
+    }
+    const tsconfigPath = join(cwd, "tsconfig.json");
+    if (existsSync(tsconfigPath)) {
+        try {
+            const raw = readFileSync(tsconfigPath, "utf-8");
+            const tsconfig = JSON.parse(raw);
+            if (!tsconfig.compilerOptions?.strict) {
+                tsconfig.compilerOptions = { ...tsconfig.compilerOptions, strict: true };
+                writeFileSync(tsconfigPath, JSON.stringify(tsconfig, null, 2) + "\n");
+                console.log('  \x1b[32m\u2713 Enabled "strict": true in tsconfig.json\x1b[0m');
+                fixed++;
+            }
+        }
+        catch { /* can't parse tsconfig */ }
+    }
+    // 1. Run linter auto-fix
+    if (stack.linter === "biome") {
+        console.log("  \x1b[1mFormatting with Biome...\x1b[0m");
+        const { execSync } = await import("node:child_process");
+        try {
+            execSync("npx biome check --write .", { cwd, stdio: "inherit", timeout: 30_000 });
+            fixed++;
+        }
+        catch {
+            console.log("  \x1b[33mBiome had issues (some may be unfixable)\x1b[0m");
+        }
+    }
+    else if (stack.linter === "eslint") {
+        console.log("  \x1b[1mFixing with ESLint...\x1b[0m");
+        const { execSync } = await import("node:child_process");
+        try {
+            execSync("npx eslint --fix src/", { cwd, stdio: "inherit", timeout: 30_000 });
+            fixed++;
+        }
+        catch {
+            console.log("  \x1b[33mESLint had issues (some may be unfixable)\x1b[0m");
+        }
+    }
+    // 2. Scan for remaining issues
+    console.log("");
+    console.log("  \x1b[1mScanning for remaining issues...\x1b[0m");
+    console.log("");
+    const report = await scan(cwd, { skipTests: true });
+    const { checks } = report;
+    const score = report.score;
+    // AI-powered fix mode
+    if (opts.ai) {
+        const aiIssues = collectFixableIssues(checks, suggestFix, opts.checkFilter);
+        if (aiIssues.length === 0) {
+            console.log("  \x1b[2mNo fixable issues found.\x1b[0m");
+        }
+        else {
+            console.log(`  \x1b[1mAI fixing ${Math.min(aiIssues.length, 10)} issues${opts.dryRun ? " (dry run)" : ""}...\x1b[0m`);
+            console.log("");
+            const results = await aiFixIssues(cwd, aiIssues, { dryRun: opts.dryRun || false });
+            const applied = results.filter((r) => r.applied).length;
+            if (applied > 0) {
+                console.log("");
+                console.log("  \x1b[1mRe-scanning...\x1b[0m");
+                const reReport = await scan(cwd, { skipTests: true });
+                const delta = reReport.score - score;
+                console.log(`  Score: \x1b[${reReport.score >= 75 ? "32" : reReport.score >= 60 ? "33" : "31"}m${reReport.grade} ${reReport.score}/100\x1b[0m${delta > 0 ? ` \x1b[32m(+${delta})\x1b[0m` : ""}`);
+                console.log(`  \x1b[32m${applied} AI fix(es) applied.\x1b[0m Re-run \x1b[1mnpx @vibecodeqa/cli\x1b[0m for full report.`);
+            }
+            else {
+                const grade = gradeFromScore(score);
+                console.log(`\n  Score: \x1b[${score >= 75 ? "32" : score >= 60 ? "33" : "31"}m${grade} ${score}/100\x1b[0m`);
+                if (opts.dryRun)
+                    console.log("  \x1b[2mDry run — no files modified. Remove --dry-run to apply.\x1b[0m");
+            }
+        }
+        console.log("");
+        return;
+    }
+    // Non-AI mode: show fix suggestions
+    const fixable = [];
+    for (const c of checks) {
+        for (const iss of c.issues) {
+            if (!iss.file || typeof iss.file !== "string" || !iss.line)
+                continue;
+            const fix = suggestFix(c.name, iss.rule || "", iss.message);
+            if (fix)
+                fixable.push({ check: c.name, file: iss.file, line: iss.line, message: iss.message, fix });
+        }
+    }
+    const top = fixable.slice(0, 10);
+    if (top.length > 0) {
+        console.log(`  \x1b[1m${top.length} issues with fix suggestions:\x1b[0m`);
+        console.log("");
+        for (const f of top) {
+            console.log(`  \x1b[2m${f.file}:${f.line}\x1b[0m`);
+            console.log(`  ${f.message}`);
+            console.log(`  \x1b[32mFix: ${f.fix}\x1b[0m`);
+            console.log("");
+        }
+    }
+    const grade = gradeFromScore(score);
+    console.log(`  Score after fix: \x1b[${score >= 75 ? "32" : score >= 60 ? "33" : "31"}m${grade} ${score}/100\x1b[0m`);
+    if (fixed > 0)
+        console.log(`  \x1b[32m${fixed} auto-fix(es) applied.\x1b[0m Re-run \x1b[1mnpx @vibecodeqa/cli\x1b[0m for full report.`);
+    console.log("");
+}

package/dist/commands/init.d.ts

@@ -0,0 +1,2 @@
+/** vcqa init — set up CI workflow + recommended configs. */
+export declare function runInit(cwd: string): Promise<void>;

package/dist/commands/init.js

@@ -0,0 +1,96 @@
+/** vcqa init — set up CI workflow + recommended configs. */
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { detectStack } from "../detect.js";
+import { validateCwd } from "./shared.js";
+export async function runInit(cwd) {
+    console.log("");
+    console.log(`  \x1b[1m\x1b[38;5;141mvcqa init\x1b[0m`);
+    console.log(`  \x1b[2m${cwd}\x1b[0m`);
+    console.log("");
+    validateCwd(cwd);
+    const stack = detectStack(cwd);
+    let created = 0;
+    // 1. GitHub Actions workflow
+    const workflowDir = join(cwd, ".github", "workflows");
+    const workflowPath = join(workflowDir, "vibecodeqa.yml");
+    if (!existsSync(workflowPath)) {
+        try {
+            mkdirSync(workflowDir, { recursive: true });
+            writeFileSync(workflowPath, `name: VibeCode QA
+on: [pull_request]
+permissions: { contents: read }
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npx @vibecodeqa/cli --ci --fail-under 70 --sarif --badge
+      - uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: .vibe-check/report.sarif
+`);
+            console.log(`  \x1b[32m+\x1b[0m .github/workflows/vibecodeqa.yml`);
+            created++;
+        }
+        catch {
+            console.log(`  \x1b[31m!\x1b[0m .github/workflows/vibecodeqa.yml (write failed — check permissions)`);
+        }
+    }
+    else {
+        console.log(`  \x1b[2m=\x1b[0m .github/workflows/vibecodeqa.yml (exists)`);
+    }
+    // 2. Biome config (if biome is a dep but no config exists)
+    if ((stack.linter === "biome" || existsSync(join(cwd, "node_modules", "@biomejs", "biome"))) &&
+        !existsSync(join(cwd, "biome.json")) &&
+        !existsSync(join(cwd, "biome.jsonc"))) {
+        writeFileSync(join(cwd, "biome.json"), JSON.stringify({
+            $schema: "https://biomejs.dev/schemas/2.0.0/schema.json",
+            formatter: { indentStyle: "tab", lineWidth: 120 },
+            linter: { enabled: true, rules: { recommended: true } },
+            organizeImports: { enabled: true },
+        }, null, "\t") + "\n");
+        console.log(`  \x1b[32m+\x1b[0m biome.json`);
+        created++;
+    }
+    // 3. Create .vcqa.json if not present
+    const vcqaConfigPath = join(cwd, ".vcqa.json");
+    if (!existsSync(vcqaConfigPath)) {
+        const { CHECK_META } = await import("../check-meta.js");
+        const checksConfig = {};
+        for (const name of Object.keys(CHECK_META)) {
+            checksConfig[name] = {};
+        }
+        const config = {
+            _comment: "vcqa config — docs: https://vibecodeqa.online/skills",
+            checks: checksConfig,
+            _checks_help: "Set { \"enabled\": false } to disable. Add \"ignore\": [\"generated/**\"] to skip files per-check.",
+            ignore: [],
+            _ignore_help: "Global file patterns to skip: [\"vendor/**\", \"*.generated.ts\", \"proto/**\"]",
+            failUnder: 60,
+            _failUnder_help: "Exit with code 1 if score below this. Overridden by --fail-under flag.",
+        };
+        writeFileSync(vcqaConfigPath, JSON.stringify(config, null, 2) + "\n");
+        console.log(`  \x1b[32m+\x1b[0m .vcqa.json`);
+        created++;
+    }
+    // 4. Add .vibe-check to .gitignore
+    const gitignorePath = join(cwd, ".gitignore");
+    if (existsSync(gitignorePath)) {
+        const content = readFileSync(gitignorePath, "utf-8");
+        if (!content.includes(".vibe-check")) {
+            writeFileSync(gitignorePath, content.trimEnd() + "\n.vibe-check/\n");
+            console.log(`  \x1b[32m+\x1b[0m .gitignore (added .vibe-check/)`);
+            created++;
+        }
+    }
+    console.log("");
+    if (created > 0) {
+        console.log(`  \x1b[32mCreated ${created} file(s).\x1b[0m Run \x1b[1mnpx @vibecodeqa/cli\x1b[0m to scan.`);
+    }
+    else {
+        console.log(`  \x1b[2mAlready set up. Run npx @vibecodeqa/cli to scan.\x1b[0m`);
+    }
+    console.log("");
+}

package/dist/commands/shared.d.ts

@@ -0,0 +1,4 @@
+/** Shared utilities for CLI commands. */
+export declare function validateCwd(cwd: string): void;
+/** Map common issue rules to actionable fix suggestions. */
+export declare function suggestFix(check: string, rule: string, message: string): string | null;

package/dist/commands/shared.js

@@ -0,0 +1,80 @@
+/** Shared utilities for CLI commands. */
+import { existsSync, statSync } from "node:fs";
+export function validateCwd(cwd) {
+    if (!existsSync(cwd)) {
+        console.error(`  \x1b[31mError: path does not exist: ${cwd}\x1b[0m`);
+        process.exit(1);
+    }
+    try {
+        if (!statSync(cwd).isDirectory()) {
+            console.error(`  \x1b[31mError: not a directory: ${cwd}\x1b[0m`);
+            process.exit(1);
+        }
+    }
+    catch {
+        console.error(`  \x1b[31mError: cannot access: ${cwd}\x1b[0m`);
+        process.exit(1);
+    }
+}
+/** Map common issue rules to actionable fix suggestions. */
+export function suggestFix(check, rule, message) {
+    if (rule === "empty-catch")
+        return "Add error logging: catch(e) { console.error(e); }";
+    if (rule === "throw-string")
+        return 'Replace throw "msg" with throw new Error("msg")';
+    if (rule === "swallowed-promise")
+        return "Add logging: .catch((e) => { console.error(e); })";
+    if (rule === "floating-promise")
+        return "Add await or .catch() to handle the promise";
+    if (rule === "unsafe-json-parse")
+        return "Wrap in try-catch: try { JSON.parse(x) } catch { /* handle */ }";
+    if (rule === "no-error-boundary")
+        return "Add <ErrorBoundary> wrapper in your React app root";
+    if (rule === "img-alt")
+        return 'Add alt attribute: <img alt="description" ...>';
+    if (rule === "click-events")
+        return 'Add role="button" and onKeyDown handler';
+    if (rule === "vue-v-for-key")
+        return 'Add :key="item.id" to the v-for element';
+    if (rule === "missing-key")
+        return "Add key={item.id} to the JSX element in .map()";
+    if (rule === "index-key")
+        return "Use a stable unique ID instead of array index for key";
+    if (rule === "conditional-hook")
+        return "Move the hook call before any conditional (if/switch)";
+    if (rule === "no-tests")
+        return "Create a test file: src/__tests__/example.test.ts";
+    if (rule === "no-readme")
+        return "Create README.md with: project description, install, usage";
+    if (rule === "no-changelog")
+        return "Create CHANGELOG.md or use changesets: npx changeset init";
+    if (rule === "env-not-ignored")
+        return "Add .env to .gitignore";
+    if (rule === "secret-detected")
+        return "Move to environment variable, rotate the exposed secret";
+    if (rule === "no-ci")
+        return "Run: npx @vibecodeqa/cli init";
+    if (rule === "missing-lockfile")
+        return "Run: pnpm install (or npm install) to generate lockfile";
+    if (rule === "missing-file" && message.includes("LICENSE"))
+        return "Add LICENSE file: https://choosealicense.com/";
+    if (rule === "long-function")
+        return "Extract logic into smaller helper functions";
+    if (rule === "high-complexity")
+        return "Reduce nesting: use early returns, extract conditions";
+    if (rule === "duplicate-code")
+        return "Extract shared logic into a helper function";
+    if (rule === "circular-dep")
+        return "Extract shared types to a separate file both modules import";
+    if (rule === "god-module")
+        return "Split into focused interfaces — one responsibility per module";
+    if (rule === "process-exit")
+        return "Replace process.exit() with throw new Error()";
+    if (check === "security" && message.includes("innerHTML"))
+        return "Use textContent or DOM APIs instead";
+    if (check === "security" && message.includes("ev" + "al"))
+        return `Remove ${"ev" + "al"}() — use a safer alternative`;
+    if (check === "security" && message.includes("v-html"))
+        return 'Sanitize with DOMPurify: v-html="DOMPurify.sanitize(input)"';
+    return null;
+}

package/dist/core.js

@@ -19,15 +19,24 @@ import { runCommentStaleness } from "./runners/comment-staleness.js";
 import { runComplexity } from "./runners/complexity.js";
 import { runDeadPatterns } from "./runners/dead-patterns.js";
 import { runTestAudit } from "./runners/test-audit.js";
+import { runContainerHealth } from "./runners/container-health.js";
 import { runConfusion } from "./runners/confusion.js";
 import { runContext } from "./runners/context.js";
 import { runDependencies } from "./runners/dependencies.js";
+import { runDesignConsistency } from "./runners/design-consistency.js";
+import { runEnvValidation } from "./runners/env-validation.js";
+import { runFrontendHealth } from "./runners/frontend-health.js";
+import { runHtmlQuality } from "./runners/html-quality.js";
+import { runFileCohesion } from "./runners/file-cohesion.js";
+import { runGitHygiene } from "./runners/git-hygiene.js";
 import { runDocCoherence } from "./runners/doc-coherence.js";
 import { runDocs } from "./runners/docs.js";
 import { runDuplication } from "./runners/duplication.js";
 import { runErrorHandling } from "./runners/error-handling.js";
 import { runLint } from "./runners/lint.js";
+import { runMemorySafety } from "./runners/memory-safety.js";
 import { runPerformance } from "./runners/performance.js";
+import { runStyling } from "./runners/styling.js";
 import { runReact } from "./runners/react.js";
 import { runSecrets } from "./runners/secrets.js";
 import { runSecurity } from "./runners/security.js";
@@ -65,19 +74,28 @@ export async function scan(cwd, options = {}) {
         { name: "accessibility", fn: () => runAccessibility(resolvedCwd) },
         { name: "docs", fn: () => runDocs(resolvedCwd) },
         { name: "best-practices", fn: () => runBestPractices(resolvedCwd, workspace) },
+        { name: "env-validation", fn: () => runEnvValidation(resolvedCwd) },
+        { name: "git-hygiene", fn: () => runGitHygiene(resolvedCwd) },
+        { name: "memory-safety", fn: () => runMemorySafety(resolvedCwd) },
         { name: "testing", fn: () => runTesting(resolvedCwd, stack, skipTests, srcRoots) },
         { name: "secrets", fn: () => runSecrets(resolvedCwd) },
         { name: "security", fn: () => runSecurity(resolvedCwd) },
         { name: "dependencies", fn: () => runDependencies(resolvedCwd, stack) },
         { name: "architecture", fn: () => runArchitecture(resolvedCwd, workspace) },
         { name: "performance", fn: () => runPerformance(resolvedCwd) },
+        { name: "container-health", fn: () => runContainerHealth(resolvedCwd) },
         { name: "confusion", fn: () => runConfusion(resolvedCwd) },
         { name: "context", fn: () => runContext(resolvedCwd) },
         { name: "doc-coherence", fn: () => runDocCoherence(resolvedCwd) },
         { name: "code-coherence", fn: () => runCodeCoherence(resolvedCwd) },
         { name: "comment-staleness", fn: () => runCommentStaleness(resolvedCwd) },
+        { name: "html-quality", fn: () => runHtmlQuality(resolvedCwd) },
+        { name: "frontend-health", fn: () => runFrontendHealth(resolvedCwd) },
+        { name: "styling", fn: () => runStyling(resolvedCwd) },
         { name: "dead-patterns", fn: () => runDeadPatterns(resolvedCwd) },
         { name: "test-audit", fn: () => runTestAudit(resolvedCwd) },
+        { name: "file-cohesion", fn: () => runFileCohesion(resolvedCwd) },
+        { name: "design-consistency", fn: () => runDesignConsistency(resolvedCwd) },
     ];
     // Filter checks if specified
     const checkFilter = options.checks ? new Set(options.checks) : null;

package/dist/runners/accessibility.js

@@ -183,7 +183,10 @@ export function runAccessibility(cwd) {
         name: "accessibility",
         score,
         grade: gradeFromScore(score),
-        details: { jsxFiles: files.length, missingAlt, clickDiv, missingLabel, missingLang, autofocus, positiveTabindex },
+        details: {
+            jsxFiles: files.length, missingAlt, clickDiv, missingLabel, missingLang, autofocus, positiveTabindex,
+            suggestion: !hasA11yPlugin ? "Install eslint-plugin-jsx-a11y for deeper accessibility analysis: pnpm add -D eslint-plugin-jsx-a11y" : undefined,
+        },
         issues,
         duration: Date.now() - start,
     };

package/dist/runners/container-health.d.ts

@@ -0,0 +1,3 @@
+/** Container health — Dockerfile best practices, .dockerignore, base image hygiene. */
+import type { CheckResult } from "../types.js";
+export declare function runContainerHealth(cwd: string): CheckResult;

package/dist/runners/container-health.js

@@ -0,0 +1,141 @@
+/** Container health — Dockerfile best practices, .dockerignore, base image hygiene. */
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { join } from "node:path";
+import { gradeFromScore } from "../types.js";
+export function runContainerHealth(cwd) {
+    const start = Date.now();
+    const issues = [];
+    // Find Dockerfiles
+    const dockerfiles = [];
+    try {
+        for (const f of readdirSync(cwd)) {
+            if (f === "Dockerfile" || f.startsWith("Dockerfile.") || f === "dockerfile") {
+                dockerfiles.push(f);
+            }
+        }
+    }
+    catch { /* not readable */ }
+    if (dockerfiles.length === 0) {
+        return {
+            name: "container-health",
+            score: 0,
+            grade: "F",
+            details: { skipped: true, reason: "no Dockerfile found" },
+            issues: [],
+            duration: Date.now() - start,
+        };
+    }
+    // Check .dockerignore exists
+    if (!existsSync(join(cwd, ".dockerignore"))) {
+        issues.push({
+            severity: "warning",
+            message: "No .dockerignore — node_modules, .git, and secrets may be included in the image",
+            rule: "no-dockerignore",
+        });
+    }
+    else {
+        const dockerignore = readFileSync(join(cwd, ".dockerignore"), "utf-8");
+        const missing = [];
+        if (!dockerignore.includes("node_modules"))
+            missing.push("node_modules");
+        if (!dockerignore.includes(".git"))
+            missing.push(".git");
+        if (!dockerignore.includes(".env"))
+            missing.push(".env");
+        if (missing.length > 0) {
+            issues.push({
+                severity: "warning",
+                message: `.dockerignore missing: ${missing.join(", ")}`,
+                file: ".dockerignore",
+                rule: "dockerignore-incomplete",
+            });
+        }
+    }
+    for (const df of dockerfiles) {
+        const content = readFileSync(join(cwd, df), "utf-8");
+        const lines = content.split("\n");
+        // Check for unpinned base images (FROM node, FROM ubuntu — no tag)
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i].trim();
+            if (/^FROM\s+\S+$/i.test(line) && !line.includes(":") && !line.includes("@") && !line.toLowerCase().includes("scratch")) {
+                issues.push({
+                    severity: "error",
+                    message: `Unpinned base image: ${line} — use a specific tag (e.g., node:22-slim)`,
+                    file: df,
+                    line: i + 1,
+                    rule: "unpinned-base",
+                });
+            }
+            // Check for :latest tag
+            if (/^FROM\s+\S+:latest/i.test(line)) {
+                issues.push({
+                    severity: "warning",
+                    message: `Using :latest tag: ${line} — pin to a specific version for reproducible builds`,
+                    file: df,
+                    line: i + 1,
+                    rule: "latest-tag",
+                });
+            }
+        }
+        // Check for running as root (no USER instruction)
+        if (!content.match(/^USER\s+/m)) {
+            issues.push({
+                severity: "warning",
+                message: "No USER instruction — container runs as root by default",
+                file: df,
+                rule: "runs-as-root",
+            });
+        }
+        // Check for multi-stage build (good practice for smaller images)
+        const fromCount = (content.match(/^FROM\s+/gim) || []).length;
+        if (fromCount === 1 && existsSync(join(cwd, "package.json"))) {
+            issues.push({
+                severity: "info",
+                message: "Single-stage build — multi-stage builds produce smaller images",
+                file: df,
+                rule: "no-multi-stage",
+            });
+        }
+        // Check for COPY before npm install (cache busting)
+        const copyAllIdx = lines.findIndex((l) => /^COPY\s+\.\s+/i.test(l.trim()));
+        const npmInstallIdx = lines.findIndex((l) => /npm install|pnpm install|yarn install/i.test(l));
+        if (copyAllIdx !== -1 && npmInstallIdx !== -1 && copyAllIdx < npmInstallIdx) {
+            issues.push({
+                severity: "warning",
+                message: "COPY . before npm install — copy package.json first to leverage Docker cache",
+                file: df,
+                line: copyAllIdx + 1,
+                rule: "cache-bust",
+            });
+        }
+        // Check for apt-get without cleanup
+        if (content.includes("apt-get install") && !content.includes("apt-get clean") && !content.includes("rm -rf /var/lib/apt")) {
+            issues.push({
+                severity: "info",
+                message: "apt-get install without cleanup — add 'apt-get clean && rm -rf /var/lib/apt/lists/*'",
+                file: df,
+                rule: "apt-no-clean",
+            });
+        }
+        // Check for EXPOSE
+        if (!content.match(/^EXPOSE\s+/m) && (content.includes("node") || content.includes("npm start"))) {
+            issues.push({
+                severity: "info",
+                message: "No EXPOSE instruction — document which port the app listens on",
+                file: df,
+                rule: "no-expose",
+            });
+        }
+    }
+    const errorCount = issues.filter((i) => i.severity === "error").length;
+    const warnCount = issues.filter((i) => i.severity === "warning").length;
+    const score = Math.max(0, 100 - errorCount * 25 - warnCount * 10);
+    return {
+        name: "container-health",
+        score,
+        grade: gradeFromScore(score),
+        details: { dockerfiles, hasDockerignore: existsSync(join(cwd, ".dockerignore")) },
+        issues,
+        duration: Date.now() - start,
+    };
+}

package/dist/runners/design-consistency.d.ts

@@ -0,0 +1,12 @@
+/** Design Consistency — LLM-powered audit of visual consistency across components.
+ *
+ * Pro feature. Requires VCQA_PRO_KEY env var.
+ *
+ * Detects:
+ *   - Components that define the same visual pattern differently (accidental design system)
+ *   - Spacing/color/typography inconsistencies across files
+ *   - Missing component extraction opportunities
+ *   - Tailwind class patterns that should be @apply'd or componentized
+ */
+import type { CheckResult } from "../types.js";
+export declare function runDesignConsistency(cwd: string): Promise<CheckResult>;