@vibecodeqa/cli 0.41.0 → 0.43.0

package/dist/runners/design-consistency.js

@@ -0,0 +1,125 @@
+/** Design Consistency — LLM-powered audit of visual consistency across components.
+ *
+ * Pro feature. Requires VCQA_PRO_KEY env var.
+ *
+ * Detects:
+ *   - Components that define the same visual pattern differently (accidental design system)
+ *   - Spacing/color/typography inconsistencies across files
+ *   - Missing component extraction opportunities
+ *   - Tailwind class patterns that should be @apply'd or componentized
+ */
+import { createHash } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { getProductionFiles } from "../fs-utils.js";
+import { gradeFromScore } from "../types.js";
+export async function runDesignConsistency(cwd) {
+    const start = Date.now();
+    const proKey = process.env.VCQA_PRO_KEY || "";
+    if (!proKey) {
+        return {
+            name: "design-consistency",
+            score: 0,
+            grade: "F",
+            details: {
+                premium: true,
+                comingSoon: true,
+                reason: "Set VCQA_PRO_KEY to enable design consistency analysis",
+                description: "LLM-powered audit of visual consistency — finds components with duplicate styling, inconsistent spacing scales, and missing component extraction opportunities.",
+            },
+            issues: [],
+            duration: Date.now() - start,
+        };
+    }
+    const files = getProductionFiles(cwd);
+    const componentFiles = files.filter((f) => !f.isTest && /\.(tsx|jsx|vue|svelte)$/.test(f.path));
+    if (componentFiles.length < 2) {
+        return {
+            name: "design-consistency",
+            score: 100,
+            grade: "A",
+            details: { componentsAnalyzed: componentFiles.length },
+            issues: [],
+            duration: Date.now() - start,
+        };
+    }
+    // Build hash of all component content for cache key
+    const h = createHash("sha256");
+    for (const f of componentFiles.sort((a, b) => a.path.localeCompare(b.path))) {
+        h.update(f.path);
+        h.update(f.content.slice(0, 2000));
+    }
+    const contentHash = h.digest("hex").slice(0, 16);
+    // Check cache
+    const cache = loadCache(cwd);
+    if (cache && cache.hash === contentHash) {
+        return {
+            name: "design-consistency",
+            score: cache.findings.length === 0 ? 100 : Math.max(20, 100 - cache.findings.length * 12),
+            grade: gradeFromScore(cache.findings.length === 0 ? 100 : Math.max(20, 100 - cache.findings.length * 12)),
+            details: { premium: true, componentsAnalyzed: componentFiles.length, cached: true },
+            issues: cache.findings,
+            duration: Date.now() - start,
+        };
+    }
+    // Extract styling snippets from top components (by size, most likely to have styling)
+    const candidates = componentFiles
+        .sort((a, b) => b.content.length - a.content.length)
+        .slice(0, 10);
+    const snippets = candidates.map((f) => ({
+        path: f.path,
+        content: f.content.slice(0, 2000),
+    }));
+    const issues = await analyzeDesign(snippets, proKey);
+    // Cache results
+    saveCache(cwd, { version: 1, hash: contentHash, findings: issues });
+    const score = issues.length === 0 ? 100 : Math.max(20, 100 - issues.length * 12);
+    return {
+        name: "design-consistency",
+        score,
+        grade: gradeFromScore(score),
+        details: { premium: true, componentsAnalyzed: componentFiles.length },
+        issues,
+        duration: Date.now() - start,
+    };
+}
+async function analyzeDesign(files, proKey) {
+    try {
+        const res = await fetch("https://api.vibecodeqa.online/api/pro/design-consistency", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${proKey}`,
+            },
+            body: JSON.stringify({ files: files.map((f) => ({ path: f.path, content: f.content })) }),
+        });
+        if (!res.ok)
+            return [];
+        const data = (await res.json());
+        return data.findings || [];
+    }
+    catch {
+        return [];
+    }
+}
+function loadCache(cwd) {
+    try {
+        const cachePath = join(cwd, ".vibe-check", "design-consistency-cache.json");
+        if (existsSync(cachePath)) {
+            const data = JSON.parse(readFileSync(cachePath, "utf-8"));
+            if (data.version === 1)
+                return data;
+        }
+    }
+    catch { /* corrupt cache */ }
+    return null;
+}
+function saveCache(cwd, cache) {
+    try {
+        const dir = join(cwd, ".vibe-check");
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true });
+        writeFileSync(join(dir, "design-consistency-cache.json"), JSON.stringify(cache));
+    }
+    catch { /* write failed */ }
+}

package/dist/runners/env-validation.d.ts

@@ -0,0 +1,3 @@
+/** Environment validation — checks .env hygiene, .env.example drift, and unsafe patterns. */
+import type { CheckResult } from "../types.js";
+export declare function runEnvValidation(cwd: string): CheckResult;

package/dist/runners/env-validation.js

@@ -0,0 +1,122 @@
+/** Environment validation — checks .env hygiene, .env.example drift, and unsafe patterns. */
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { join } from "node:path";
+import { gradeFromScore } from "../types.js";
+export function runEnvValidation(cwd) {
+    const start = Date.now();
+    const issues = [];
+    const envFiles = readdirSync(cwd).filter((f) => f.startsWith(".env"));
+    const hasEnv = envFiles.some((f) => f === ".env" || f === ".env.local");
+    const hasExample = envFiles.some((f) => f === ".env.example" || f === ".env.template");
+    // Check .gitignore includes .env
+    if (hasEnv) {
+        const gitignore = existsSync(join(cwd, ".gitignore")) ? readFileSync(join(cwd, ".gitignore"), "utf-8") : "";
+        if (!gitignore.includes(".env")) {
+            issues.push({ severity: "error", message: ".env not in .gitignore — secrets may be committed", file: ".gitignore", rule: "env-not-ignored" });
+        }
+    }
+    // Check .env.example exists when .env does
+    if (hasEnv && !hasExample) {
+        issues.push({ severity: "warning", message: "No .env.example — other developers won't know which vars are needed", rule: "no-env-example" });
+    }
+    // Check .env.example drift — vars in .env.example should match .env
+    if (hasEnv && hasExample) {
+        const exampleFile = envFiles.find((f) => f === ".env.example" || f === ".env.template");
+        const envVars = parseEnvKeys(readFileSync(join(cwd, ".env"), "utf-8"));
+        const exampleVars = parseEnvKeys(readFileSync(join(cwd, exampleFile), "utf-8"));
+        for (const key of exampleVars) {
+            if (!envVars.has(key)) {
+                issues.push({ severity: "info", message: `${exampleFile} has ${key} but .env doesn't — may be missing`, file: exampleFile, rule: "env-example-drift" });
+            }
+        }
+        for (const key of envVars) {
+            if (!exampleVars.has(key)) {
+                issues.push({ severity: "warning", message: `${key} in .env but not in ${exampleFile} — won't be documented for other developers`, file: exampleFile, rule: "env-example-drift" });
+            }
+        }
+    }
+    // Scan .env files for unsafe patterns
+    for (const f of envFiles) {
+        if (f === ".env.example" || f === ".env.template")
+            continue;
+        const content = readFileSync(join(cwd, f), "utf-8");
+        const lines = content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i].trim();
+            if (!line || line.startsWith("#"))
+                continue;
+            // Check for values that look like they should be secret but have defaults
+            if (/^(DATABASE_URL|DB_PASSWORD|SECRET_KEY|JWT_SECRET|API_KEY|PRIVATE_KEY)=/i.test(line)) {
+                const value = line.split("=").slice(1).join("=").trim().replace(/^["']|["']$/g, "");
+                if (value && !value.startsWith("$") && !value.includes("${") && value.length < 20 && !/^(changeme|replace|todo|xxx|your[-_])/i.test(value)) {
+                    issues.push({
+                        severity: "warning",
+                        message: `${line.split("=")[0]} appears to have a hardcoded value — use a placeholder in committed files`,
+                        file: f,
+                        line: i + 1,
+                        rule: "env-hardcoded-secret",
+                    });
+                }
+            }
+            // Check for empty required-looking vars
+            if (/^[A-Z_]+=\s*$/.test(line)) {
+                const key = line.split("=")[0];
+                if (/KEY|SECRET|TOKEN|PASSWORD|URL/i.test(key)) {
+                    issues.push({
+                        severity: "info",
+                        message: `${key} is empty — may cause runtime errors`,
+                        file: f,
+                        line: i + 1,
+                        rule: "env-empty-var",
+                    });
+                }
+            }
+        }
+    }
+    // Check for env vars used in code but not in .env.example
+    if (hasExample) {
+        const exampleFile = envFiles.find((f) => f === ".env.example" || f === ".env.template");
+        const exampleVars = parseEnvKeys(readFileSync(join(cwd, exampleFile), "utf-8"));
+        // Quick scan of package.json for referenced env vars
+        if (existsSync(join(cwd, "package.json"))) {
+            try {
+                const pkg = readFileSync(join(cwd, "package.json"), "utf-8");
+                const envRefs = pkg.match(/process\.env\.([A-Z_]+)/g) || [];
+                for (const ref of new Set(envRefs)) {
+                    const varName = ref.replace("process.env.", "");
+                    if (!exampleVars.has(varName) && !["NODE_ENV", "CI", "HOME", "PATH", "PWD"].includes(varName)) {
+                        issues.push({
+                            severity: "info",
+                            message: `${varName} used in code but not in ${exampleFile}`,
+                            rule: "env-undocumented",
+                        });
+                    }
+                }
+            }
+            catch { /* ignore */ }
+        }
+    }
+    const errorCount = issues.filter((i) => i.severity === "error").length;
+    const warnCount = issues.filter((i) => i.severity === "warning").length;
+    const score = Math.max(0, 100 - errorCount * 25 - warnCount * 10);
+    return {
+        name: "env-validation",
+        score,
+        grade: gradeFromScore(score),
+        details: { envFiles, hasExample },
+        issues,
+        duration: Date.now() - start,
+    };
+}
+function parseEnvKeys(content) {
+    const keys = new Set();
+    for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#"))
+            continue;
+        const eq = trimmed.indexOf("=");
+        if (eq > 0)
+            keys.add(trimmed.slice(0, eq).trim());
+    }
+    return keys;
+}

package/dist/runners/error-handling.js

@@ -25,12 +25,22 @@ export function runErrorHandling(cwd, stack) {
             const line = lines[i].trim();
             if (line.startsWith("//") || line.startsWith("*"))
                 continue;
-            // Skip string-only lines and metadata definitions
+            // Skip suppressed lines (// ok, // intentional, eslint-disable, biome-ignore)
+            if (/\/\/\s*(?:ok|intentional|eslint-disable|biome-ignore)/.test(line))
+                continue;
+            // Skip string-only lines, metadata definitions, and return statements with string literals
             if (/^\s*["'`].*["'`][,;]?\s*$/.test(lines[i]))
                 continue;
             if (/\b(?:message|description|risk|recommendation|name)\s*:\s*["']/.test(line))
                 continue;
+            if (/\breturn\s+["'`]/.test(line))
+                continue;
+            if (/\brule\s*===?\s*["']/.test(line))
+                continue;
             if (/catch\s*\([^)]*\)\s*\{\s*\}/.test(line) || /catch\s*\{\s*\}/.test(line)) {
+                // Skip intentional one-liner try-catch for optional browser APIs
+                if (/try\s*\{.*(?:localStorage|sessionStorage|document\.).*\}\s*catch/.test(line))
+                    continue;
                 emptyCatch++;
                 issues.push({ severity: "error", message: "Empty catch block", file: f.path, line: i + 1, rule: "empty-catch" });
             }
@@ -83,8 +93,14 @@ export function runErrorHandling(cwd, stack) {
             const line = lines[i].trim();
             if (line.startsWith("//") || line.startsWith("*"))
                 continue;
+            if (/\/\/\s*(?:ok|intentional|eslint-disable|biome-ignore)/.test(line))
+                continue;
+            if (/^\s*["'`].*["'`][,;]?\s*$/.test(lines[i]))
+                continue;
             if (/\b(?:message|description|risk|recommendation|name)\s*:\s*["']/.test(line))
                 continue;
+            if (/\breturn\s+["'`]/.test(line))
+                continue;
             // JSON.parse of external input without try-catch
             if (/\bJSON\.parse\s*\(/.test(line)) {
                 // Only flag if parsing user/network input (not internal known-safe files)
@@ -141,7 +157,7 @@ export function runErrorHandling(cwd, stack) {
                 }
             }
             // process.exit() in non-CLI files (library code shouldn't exit)
-            if (/\bprocess\.exit\s*\(/.test(line) && !f.path.includes("cli") && !f.path.includes("bin/")) {
+            if (/\bprocess\.exit\s*\(/.test(line) && !f.path.includes("cli") && !f.path.includes("bin/") && !f.path.includes("commands/") && !f.path.includes("monitor")) {
                 processExit++;
                 issues.push({
                     severity: "warning",

package/dist/runners/file-cohesion.d.ts

@@ -0,0 +1,17 @@
+/** File Cohesion — detects files with multiple responsibilities.
+ *
+ * Pro feature. Requires VCQA_PRO_KEY env var.
+ *
+ * Two-phase analysis:
+ *   1. Local heuristics (always run with Pro key):
+ *      - Files with exports spanning multiple domains (auth + email + db)
+ *      - Mixed concern signals: HTTP handlers + business logic + data access
+ *      - High export count relative to file purpose
+ *
+ *   2. LLM-powered analysis (via api.vibecodeqa.online):
+ *      - Labels each file's responsibility clusters
+ *      - Suggests concrete split points
+ *      - "This file handles auth, session, AND email — split into 3 modules"
+ */
+import type { CheckResult } from "../types.js";
+export declare function runFileCohesion(cwd: string): Promise<CheckResult>;

package/dist/runners/file-cohesion.js

@@ -0,0 +1,177 @@
+/** File Cohesion — detects files with multiple responsibilities.
+ *
+ * Pro feature. Requires VCQA_PRO_KEY env var.
+ *
+ * Two-phase analysis:
+ *   1. Local heuristics (always run with Pro key):
+ *      - Files with exports spanning multiple domains (auth + email + db)
+ *      - Mixed concern signals: HTTP handlers + business logic + data access
+ *      - High export count relative to file purpose
+ *
+ *   2. LLM-powered analysis (via api.vibecodeqa.online):
+ *      - Labels each file's responsibility clusters
+ *      - Suggests concrete split points
+ *      - "This file handles auth, session, AND email — split into 3 modules"
+ */
+import { createHash } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { getProductionFiles } from "../fs-utils.js";
+import { gradeFromScore } from "../types.js";
+const CONCERN_PATTERNS = [
+    { name: "HTTP/routing", patterns: [/\b(app|router|server)\.(get|post|put|delete|patch|use)\b/, /\bRequest\b.*\bResponse\b/, /\breq\s*,\s*res\b/, /\bfastify\b|\bhono\b|\bexpress\b/] },
+    { name: "database", patterns: [/\b(prisma|sequelize|typeorm|knex|drizzle)\b/, /\bSELECT\b.*\bFROM\b/i, /\.query\s*\(/, /\bcreateClient\b.*\bsupabase\b/i] },
+    { name: "auth", patterns: [/\b(jwt|token|session|cookie|passport|oauth|login|signup|signIn|signUp)\b/i, /\bverify(Token|Session|Auth)\b/, /\bbcrypt|argon2|scrypt\b/] },
+    { name: "email", patterns: [/\bsendMail|sendEmail|transporter|nodemailer|resend|postmark\b/i, /\bsmtp\b/i] },
+    { name: "file I/O", patterns: [/\breadFileSync|writeFileSync|createReadStream|createWriteStream\b/, /\bfs\.(read|write|mkdir|unlink|stat)\b/] },
+    { name: "validation", patterns: [/\bz\.(string|number|object|array)\b/, /\bJoi\.(string|number|object)\b/, /\byup\.(string|number|object)\b/, /\bvalidate\w*Schema\b/] },
+    { name: "UI rendering", patterns: [/\bJSX\b|\breturn\s*\(?\s*</, /\buseState|useEffect|useRef|useMemo\b/, /\brender\(\)/, /\bcomponent\b/i] },
+    { name: "state management", patterns: [/\bcreateStore|useStore|createSlice|createReducer\b/, /\bdispatch\(|getState\(\)/, /\buseSelector|useDispatch\b/] },
+    { name: "testing", patterns: [/\bdescribe\s*\(|it\s*\(|test\s*\(|expect\s*\(/, /\bbeforeEach|afterEach|beforeAll\b/, /\bjest\.|vitest\./] },
+    { name: "CLI", patterns: [/\bprocess\.argv\b/, /\bcommander|yargs|meow|cac\b/, /\bparse(Args|Options)\b/] },
+];
+export async function runFileCohesion(cwd) {
+    const start = Date.now();
+    const proKey = process.env.VCQA_PRO_KEY || "";
+    if (!proKey) {
+        return {
+            name: "file-cohesion",
+            score: 0,
+            grade: "F",
+            details: {
+                premium: true,
+                comingSoon: true,
+                reason: "Set VCQA_PRO_KEY to enable file cohesion analysis",
+                description: "Detects files with multiple responsibilities — the #1 code smell in AI-generated code. Labels each file's concern clusters and suggests concrete split points.",
+            },
+            issues: [],
+            duration: Date.now() - start,
+        };
+    }
+    const files = getProductionFiles(cwd);
+    const issues = [];
+    const cache = loadCache(cwd);
+    let cacheHits = 0;
+    // Phase 1: local heuristics — detect multi-concern files
+    const candidates = [];
+    for (const f of files) {
+        if (f.isTest)
+            continue;
+        const lines = f.content.split("\n").length;
+        if (lines < 100)
+            continue; // small files rarely have cohesion problems
+        const detectedConcerns = [];
+        for (const concern of CONCERN_PATTERNS) {
+            if (concern.patterns.some((p) => p.test(f.content))) {
+                detectedConcerns.push(concern.name);
+            }
+        }
+        if (detectedConcerns.length >= 2) {
+            candidates.push({ path: f.path, content: f.content, concerns: detectedConcerns, lines });
+            // Local issue for 2+ concerns
+            issues.push({
+                severity: detectedConcerns.length >= 3 ? "error" : "warning",
+                message: `${detectedConcerns.length} concerns detected: ${detectedConcerns.join(", ")} — consider splitting`,
+                file: f.path,
+                rule: "multi-concern",
+            });
+        }
+    }
+    // Phase 2: LLM analysis for top candidates (by line count, most likely to benefit from splitting)
+    const topCandidates = candidates
+        .sort((a, b) => b.lines - a.lines)
+        .slice(0, 5);
+    for (const candidate of topCandidates) {
+        const hash = createHash("sha256").update(candidate.content).digest("hex").slice(0, 16);
+        // Check cache
+        const cached = cache.files[candidate.path];
+        if (cached && cached.hash === hash) {
+            cacheHits++;
+            if (cached.suggestion) {
+                issues.push({
+                    severity: "warning",
+                    message: cached.suggestion,
+                    file: candidate.path,
+                    rule: "split-suggestion",
+                });
+            }
+            continue;
+        }
+        // Call LLM for concrete split suggestions
+        const analysis = await analyzeCohesion(candidate.path, candidate.content, proKey);
+        if (analysis) {
+            cache.files[candidate.path] = { hash, concerns: analysis.concerns, suggestion: analysis.suggestion };
+            if (analysis.suggestion) {
+                issues.push({
+                    severity: "warning",
+                    message: analysis.suggestion,
+                    file: candidate.path,
+                    rule: "split-suggestion",
+                });
+            }
+        }
+    }
+    saveCache(cwd, cache);
+    const totalFiles = files.filter((f) => !f.isTest).length;
+    const multiConcernFiles = candidates.length;
+    const ratio = totalFiles > 0 ? multiConcernFiles / totalFiles : 0;
+    const score = Math.round(Math.max(0, 100 - ratio * 300));
+    return {
+        name: "file-cohesion",
+        score,
+        grade: gradeFromScore(score),
+        details: {
+            premium: true,
+            totalFiles,
+            multiConcernFiles,
+            cacheHits,
+            candidates: candidates.map((c) => ({ path: c.path, concerns: c.concerns, lines: c.lines })),
+        },
+        issues,
+        duration: Date.now() - start,
+    };
+}
+async function analyzeCohesion(filePath, content, proKey) {
+    const truncated = content.slice(0, 4000);
+    try {
+        const res = await fetch("https://api.vibecodeqa.online/api/pro/file-cohesion", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${proKey}`,
+            },
+            body: JSON.stringify({ file: filePath, content: truncated }),
+        });
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        return {
+            concerns: data.concerns || [],
+            suggestion: data.suggestion || "",
+        };
+    }
+    catch {
+        return null;
+    }
+}
+function loadCache(cwd) {
+    try {
+        const cachePath = join(cwd, ".vibe-check", "file-cohesion-cache.json");
+        if (existsSync(cachePath)) {
+            const data = JSON.parse(readFileSync(cachePath, "utf-8"));
+            if (data.version === 1)
+                return data;
+        }
+    }
+    catch { /* corrupt cache */ }
+    return { version: 1, files: {} };
+}
+function saveCache(cwd, cache) {
+    try {
+        const dir = join(cwd, ".vibe-check");
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true });
+        writeFileSync(join(dir, "file-cohesion-cache.json"), JSON.stringify(cache));
+    }
+    catch { /* write failed */ }
+}

package/dist/runners/frontend-health.d.ts

@@ -0,0 +1,14 @@
+/** Frontend health — detects HTML/framework antipatterns in component code.
+ *
+ * Checks:
+ *   1. Conflicting UI frameworks (MUI + Tailwind, Chakra + Tailwind, etc.)
+ *   2. Large/unoptimized images (no width/height, no next/image, large src)
+ *   3. Inconsistent icon systems (mixing lucide + heroicons + fontawesome)
+ *   4. Bundle-heavy imports (entire libraries instead of specific components)
+ *   5. Missing loading states (async data without suspense/skeleton)
+ *   6. Hardcoded strings (potential i18n issues)
+ *   7. Missing meta tags / head management
+ *   8. DOM nesting violations (div in p, button in a)
+ */
+import type { CheckResult } from "../types.js";
+export declare function runFrontendHealth(cwd: string): CheckResult;