@vibecodeqa/cli 0.42.0 → 0.44.0

package/dist/runners/html-quality.js

@@ -0,0 +1,203 @@
+/** HTML quality — checks static HTML sites for meta tags, images, links, a11y, performance, SEO, security.
+ *
+ * Activates when the project has .html files. Works alongside framework checks —
+ * catches issues in static sites, landing pages, and docs that framework-specific
+ * checks miss entirely.
+ */
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { join, relative } from "node:path";
+import { gradeFromScore } from "../types.js";
+const SKIP_DIRS = new Set(["node_modules", ".git", ".vibe-check", "dist", "build", "coverage", ".next", ".nuxt"]);
+export function runHtmlQuality(cwd) {
+    const start = Date.now();
+    const issues = [];
+    const htmlFiles = collectHtmlFiles(cwd);
+    if (htmlFiles.length === 0) {
+        return {
+            name: "html-quality",
+            score: 0,
+            grade: "F",
+            details: { skipped: true, reason: "no HTML files found" },
+            issues: [],
+            duration: Date.now() - start,
+        };
+    }
+    const allLinks = new Set();
+    const titles = new Map();
+    for (const file of htmlFiles) {
+        const relPath = relative(cwd, file);
+        let content;
+        try {
+            content = readFileSync(file, "utf-8");
+        }
+        catch {
+            continue;
+        }
+        // ── Meta tags ──
+        if (content.includes("<head")) {
+            if (!/<title[^>]*>/.test(content)) {
+                issues.push({ severity: "error", message: "Missing <title> tag", file: relPath, rule: "missing-title" });
+            }
+            else {
+                const titleMatch = content.match(/<title[^>]*>([^<]*)<\/title>/i);
+                if (titleMatch) {
+                    const title = titleMatch[1].trim();
+                    if (title.length < 10) {
+                        issues.push({ severity: "warning", message: `Title too short: "${title}" — aim for 30-60 characters`, file: relPath, rule: "short-title" });
+                    }
+                    const existing = titles.get(title) || [];
+                    existing.push(relPath);
+                    titles.set(title, existing);
+                }
+            }
+            if (!/<meta\s[^>]*name=["']description["']/i.test(content)) {
+                issues.push({ severity: "warning", message: "Missing meta description", file: relPath, rule: "missing-description" });
+            }
+            if (!/<meta\s[^>]*name=["']viewport["']/i.test(content)) {
+                issues.push({ severity: "error", message: "Missing viewport meta — page won't be mobile-responsive", file: relPath, rule: "missing-viewport" });
+            }
+            if (!/<meta\s[^>]*charset/i.test(content)) {
+                issues.push({ severity: "warning", message: "Missing charset declaration", file: relPath, rule: "missing-charset" });
+            }
+            if (!/<meta\s[^>]*property=["']og:title["']/i.test(content)) {
+                issues.push({ severity: "info", message: "Missing Open Graph tags (og:title, og:description) — social sharing will look plain", file: relPath, rule: "missing-og" });
+            }
+            if (!/<link\s[^>]*rel=["']canonical["']/i.test(content)) {
+                issues.push({ severity: "info", message: "Missing canonical link — may cause duplicate content issues", file: relPath, rule: "missing-canonical" });
+            }
+            if (!/<link\s[^>]*rel=["']icon["']/i.test(content) && !/<link\s[^>]*rel=["']shortcut icon["']/i.test(content)) {
+                issues.push({ severity: "info", message: "Missing favicon", file: relPath, rule: "missing-favicon" });
+            }
+        }
+        // ── HTML lang ──
+        if (/<html[\s>]/.test(content) && !/<html\s[^>]*lang=/i.test(content)) {
+            issues.push({ severity: "warning", message: "Missing lang attribute on <html> — screen readers need this", file: relPath, rule: "missing-lang" });
+        }
+        // ── Images ──
+        const imgRegex = /<img\s[^>]*>/gi;
+        let imgMatch;
+        while ((imgMatch = imgRegex.exec(content)) !== null) {
+            const tag = imgMatch[0];
+            const line = content.slice(0, imgMatch.index).split("\n").length;
+            if (!/alt\s*=/i.test(tag)) {
+                issues.push({ severity: "error", message: "Image missing alt attribute", file: relPath, line, rule: "img-no-alt" });
+            }
+            if (!/(?:width|height)\s*=/i.test(tag)) {
+                issues.push({ severity: "warning", message: "Image missing width/height — causes layout shift", file: relPath, line, rule: "img-no-dimensions" });
+            }
+            if (!/loading\s*=/i.test(tag)) {
+                issues.push({ severity: "info", message: "Image missing loading=\"lazy\" — add for below-fold images", file: relPath, line, rule: "img-no-lazy" });
+            }
+        }
+        // ── Links ──
+        const linkRegex = /<a\s[^>]*href=["']([^"']+)["'][^>]*>/gi;
+        let linkMatch;
+        while ((linkMatch = linkRegex.exec(content)) !== null) {
+            const href = linkMatch[1];
+            const tag = linkMatch[0];
+            const line = content.slice(0, linkMatch.index).split("\n").length;
+            // HTTP links on what should be HTTPS
+            if (href.startsWith("http://") && !href.includes("localhost")) {
+                issues.push({ severity: "warning", message: `HTTP link: ${href} — use HTTPS`, file: relPath, line, rule: "http-link" });
+            }
+            // External links without rel=noopener
+            if (href.startsWith("http") && /target\s*=\s*["']_blank["']/i.test(tag) && !/rel\s*=\s*["'][^"']*noopener/i.test(tag)) {
+                issues.push({ severity: "warning", message: "External link with target=\"_blank\" missing rel=\"noopener\"", file: relPath, line, rule: "missing-noopener" });
+            }
+            // Collect internal links for broken link check
+            if (!href.startsWith("http") && !href.startsWith("mailto:") && !href.startsWith("#") && !href.startsWith("javascript:")) {
+                allLinks.add(join(cwd, href.split("#")[0].split("?")[0]));
+            }
+        }
+        // ── Heading hierarchy ──
+        const headings = [];
+        const headingRegex = /<h(\d)/gi;
+        let hMatch;
+        while ((hMatch = headingRegex.exec(content)) !== null) {
+            headings.push(parseInt(hMatch[1], 10));
+        }
+        for (let i = 1; i < headings.length; i++) {
+            if (headings[i] > headings[i - 1] + 1) {
+                issues.push({
+                    severity: "warning",
+                    message: `Heading hierarchy skip: h${headings[i - 1]} → h${headings[i]} (should be h${headings[i - 1] + 1})`,
+                    file: relPath,
+                    rule: "heading-skip",
+                });
+                break;
+            }
+        }
+        // ── Performance ──
+        // Render-blocking scripts (script in head without async/defer)
+        const headContent = content.match(/<head[^>]*>([\s\S]*?)<\/head>/i)?.[1] || "";
+        const scriptInHead = /<script\s[^>]*src=["'][^"']+["'][^>]*>/gi;
+        let scriptMatch;
+        while ((scriptMatch = scriptInHead.exec(headContent)) !== null) {
+            const tag = scriptMatch[0];
+            if (!/\b(?:async|defer|type=["']module["'])\b/i.test(tag)) {
+                issues.push({ severity: "warning", message: "Render-blocking script in <head> — add async or defer", file: relPath, rule: "render-blocking" });
+            }
+        }
+        // ── Security ──
+        // Mixed content (http:// resources on a page)
+        if (/<(?:img|script|link|iframe)\s[^>]*(?:src|href)=["']http:\/\/(?!localhost)/i.test(content)) {
+            issues.push({ severity: "warning", message: "Mixed content: HTTP resource on page — use HTTPS", file: relPath, rule: "mixed-content" });
+        }
+    }
+    // ── Cross-file checks ──
+    // Broken internal links
+    for (const link of allLinks) {
+        if (!existsSync(link)) {
+            const relLink = relative(cwd, link);
+            issues.push({ severity: "warning", message: `Broken internal link: ${relLink}`, rule: "broken-link" });
+        }
+    }
+    // Duplicate titles
+    for (const [title, files] of titles) {
+        if (files.length > 1) {
+            issues.push({ severity: "warning", message: `Duplicate title "${title}" in ${files.length} files — each page should have a unique title`, rule: "duplicate-title" });
+        }
+    }
+    // SEO files
+    if (!existsSync(join(cwd, "robots.txt"))) {
+        issues.push({ severity: "info", message: "Missing robots.txt", rule: "missing-robots" });
+    }
+    if (!existsSync(join(cwd, "sitemap.xml"))) {
+        issues.push({ severity: "info", message: "Missing sitemap.xml", rule: "missing-sitemap" });
+    }
+    // Score
+    const errorCount = issues.filter((i) => i.severity === "error").length;
+    const warnCount = issues.filter((i) => i.severity === "warning").length;
+    const score = Math.max(0, 100 - errorCount * 15 - warnCount * 5);
+    return {
+        name: "html-quality",
+        score,
+        grade: gradeFromScore(score),
+        details: { htmlFiles: htmlFiles.length },
+        issues,
+        duration: Date.now() - start,
+    };
+}
+function collectHtmlFiles(cwd, subdir = "") {
+    const files = [];
+    const dir = subdir ? join(cwd, subdir) : cwd;
+    try {
+        for (const entry of readdirSync(dir)) {
+            if (SKIP_DIRS.has(entry))
+                continue;
+            const full = join(dir, entry);
+            try {
+                const stat = statSync(full);
+                if (stat.isDirectory()) {
+                    files.push(...collectHtmlFiles(cwd, subdir ? join(subdir, entry) : entry));
+                }
+                else if (entry.endsWith(".html") || entry.endsWith(".htm")) {
+                    files.push(full);
+                }
+            }
+            catch { /* skip */ }
+        }
+    }
+    catch { /* skip */ }
+    return files;
+}

package/dist/runners/lint.js

@@ -13,7 +13,9 @@ export function runLint(cwd, stack, workspace) {
     // Determine the target path for linting
     // Monorepos with root config: lint "." (biome/eslint will find all files)
     // Single-package: lint "src/"
-    const lintTarget = workspace?.isMonorepo ? "." : "src/";
+    const lintTarget = workspace?.isMonorepo ? "."
+        : existsSync(join(cwd, "src")) ? "src/"
+            : ".";
     if (stack.linter === "biome") {
         const { stdout } = run(`npx biome check ${lintTarget} --reporter=json 2>/dev/null || true`, cwd);
         try {
@@ -23,6 +25,9 @@ export function runLint(cwd, stack, workspace) {
                 // biome path can be string or {file: "..."} depending on version
                 const rawPath = d.location?.path;
                 const file = typeof rawPath === "string" ? rawPath : rawPath?.file || undefined;
+                // Skip generated output files
+                if (file && (file.includes(".vibe-check/") || file.includes("node_modules/")))
+                    continue;
                 issues.push({
                     severity: d.severity === "error" ? "error" : d.severity === "warning" ? "warning" : "info",
                     message: d.description || d.message || "lint issue",

package/dist/runners/react.js

@@ -201,6 +201,7 @@ export function runReact(cwd, stack) {
             inlineHandlers,
             effectNoDeps,
             domManipulation,
+            suggestion: !hasHooksPlugin ? "Install eslint-plugin-react-hooks for deeper React analysis: pnpm add -D eslint-plugin-react-hooks" : undefined,
         },
         issues,
         duration: Date.now() - start,

package/dist/runners/secrets.js

@@ -122,8 +122,9 @@ export async function runSecrets(cwd) {
     // Try gitleaks first (industry standard, 800+ patterns)
     const gitleaksResult = tryGitleaks(cwd, issues);
     const tool = gitleaksResult ? "gitleaks" : "secretlint";
-    if (!gitleaksResult)
+    if (!gitleaksResult) {
         issues.push(...(await scanFallback(cwd)));
+    }
     // ── .env file audit ──
     const envFiles = [".env", ".env.local", ".env.production", ".env.development"];
     const gitignore = existsSync(join(cwd, ".gitignore")) ? readFileSync(join(cwd, ".gitignore"), "utf-8") : "";
@@ -185,7 +186,11 @@ export async function runSecrets(cwd) {
         name: "secrets",
         score,
         grade: gradeFromScore(score),
-        details: { secretsFound: issues.length, tool },
+        details: {
+            secretsFound: issues.length,
+            tool,
+            suggestion: !gitleaksResult ? "Install gitleaks for deeper secret detection (800+ patterns): brew install gitleaks" : undefined,
+        },
         issues,
         duration: Date.now() - start,
     };

package/dist/runners/security.js

@@ -301,11 +301,17 @@ export function runSecurity(cwd) {
             if (trimmed.startsWith("//") || trimmed.startsWith("*"))
                 continue;
             // Skip pattern/config definition lines and string-heavy metadata (prevents false positives on own code)
-            if (/\bpattern\s*:|name:\s*["']|message:\s*["']|description:\s*["']|risk:\s*["']|recommendation:\s*["']/.test(trimmed))
+            if (/\bpattern\s*:|name:\s*["']|message:\s*["'`]|description:\s*["']|risk:\s*["']|recommendation:\s*["']|rule:\s*["']|severity:\s*["']/.test(trimmed))
                 continue;
             // Skip lines that are primarily string content (check-meta descriptions, etc.)
             if (/^\s*["'`].*["'`][,;]?\s*$/.test(line))
                 continue;
+            // Skip return statements returning string literals (e.g., fix suggestions mentioning patterns)
+            if (/\breturn\s+["'`]/.test(trimmed))
+                continue;
+            // Skip rule-matching conditionals (e.g., if (rule === "secret-detected") ...)
+            if (/\brule\s*===?\s*["']/.test(trimmed) || /\bcheck\s*===?\s*["']/.test(trimmed))
+                continue;
             for (const p of PATTERNS) {
                 if (p.pattern.test(line)) {
                     issues.push({

package/dist/runners/standards.d.ts

@@ -1,3 +1,3 @@
 /** Code standards check — naming conventions, anti-patterns, config hygiene. */
-import type { CheckResult, StackInfo } from "../types.js";
-export declare function runStandards(cwd: string, stack: StackInfo): CheckResult;
+import type { CheckResult, StackInfo, WorkspaceInfo } from "../types.js";
+export declare function runStandards(cwd: string, stack: StackInfo, workspace?: WorkspaceInfo): CheckResult;

package/dist/runners/standards.js

@@ -1,5 +1,5 @@
 /** Code standards check — naming conventions, anti-patterns, config hygiene. */
-import { readFileSync } from "node:fs";
+import { existsSync, readFileSync } from "node:fs";
 import { basename, extname, join } from "node:path";
 import { getProductionFiles, readDeps } from "../fs-utils.js";
 import { gradeFromScore } from "../types.js";
@@ -42,22 +42,39 @@ const CODE_SMELLS = [
         message: "Large magic number — consider a named constant",
     },
 ];
-export function runStandards(cwd, stack) {
+export function runStandards(cwd, stack, workspace) {
     const start = Date.now();
     const issues = [];
+    // Detect CLI projects — console.log is intentional in CLI tools
+    let isCLI = false;
+    try {
+        const pkgPath = join(cwd, "package.json");
+        if (existsSync(pkgPath)) {
+            const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+            isCLI = !!pkg.bin;
+        }
+    }
+    catch { /* ignore */ }
     // Collect source files
     const files = getProductionFiles(cwd);
     // ── File naming conventions ──
     let namingViolations = 0;
+    // Detect dominant convention for tsx/jsx files before flagging
+    const tsxFiles = files.filter((f) => {
+        const ext = extname(basename(f.path));
+        return ext === ".tsx" || ext === ".jsx";
+    });
+    const pascalCount = tsxFiles.filter((f) => /^[A-Z]/.test(basename(f.path).replace(extname(basename(f.path)), ""))).length;
+    const usesKebabConvention = tsxFiles.length >= 3 && pascalCount < tsxFiles.length / 2;
     for (const f of files) {
         const name = basename(f.path);
         const ext = extname(name);
         const base = name.replace(ext, "");
-        // React components should be PascalCase
+        // React components should be PascalCase — but only flag if PascalCase is the project convention
         if ((ext === ".tsx" || ext === ".jsx") && /^[A-Z]/.test(base)) {
             // PascalCase component file — correct
         }
-        else if ((ext === ".tsx" || ext === ".jsx") && /^[a-z]/.test(base) && base !== "main" && base !== "index") {
+        else if (!usesKebabConvention && (ext === ".tsx" || ext === ".jsx") && /^[a-z]/.test(base) && base !== "main" && base !== "index") {
             // lowercase tsx file that's not main/index — check if it exports a component
             if (/export (default )?(function|const) [A-Z]/.test(f.content)) {
                 namingViolations++;
@@ -78,16 +95,25 @@ export function runStandards(cwd, stack) {
             }
         }
     }
-    // ── Large files ──
+    // ── Large files (exponential penalty) ──
+    // Penalty grows with the square of excess lines. A 300-line file is a nudge.
+    // A 600-line file is a wall. A 1000-line file tanks the check.
     let largeFiles = 0;
+    let fileSizePenalty = 0;
+    const SOFT_LIMIT = 300;
     for (const f of files) {
         const lines = f.content.split("\n").length;
-        if (lines > 300) {
+        if (lines > SOFT_LIMIT * 2) {
             largeFiles++;
-            issues.push({ severity: "warning", message: `${lines} lines — consider splitting (max 300)`, file: f.path, rule: "large-file" });
+            const excess = lines - SOFT_LIMIT;
+            fileSizePenalty += (excess / 100) ** 2;
+            issues.push({ severity: "error", message: `${lines} lines — split this file (exponential penalty above ${SOFT_LIMIT})`, file: f.path, rule: "large-file" });
         }
-        else if (lines > 200) {
-            issues.push({ severity: "warning", message: `${lines} lines — getting large`, file: f.path, rule: "large-file" });
+        else if (lines > SOFT_LIMIT) {
+            largeFiles++;
+            const excess = lines - SOFT_LIMIT;
+            fileSizePenalty += (excess / 100) ** 2;
+            issues.push({ severity: "warning", message: `${lines} lines — consider splitting (penalty grows exponentially above ${SOFT_LIMIT})`, file: f.path, rule: "large-file" });
         }
     }
     // ── Code smell patterns ──
@@ -105,8 +131,8 @@ export function runStandards(cwd, stack) {
             if (/^\s*["'`].*["'`][,;]?\s*$/.test(line))
                 continue;
             for (const check of CODE_SMELLS) {
-                // Skip console.log in CLI entry points (intentional output)
-                if (check.name === "console.log" && (f.path.includes("cli.") || f.path.includes("bin/")))
+                // Skip console.log in CLI projects (intentional terminal output)
+                if (check.name === "console.log" && isCLI)
                     continue;
                 if (check.pattern.test(line)) {
                     if (check.exclude?.test(line))
@@ -121,6 +147,12 @@ export function runStandards(cwd, stack) {
     // tsconfig maturity
     if (stack.language === "typescript") {
         const tsconfigPaths = ["tsconfig.json", "tsconfig.app.json", "tsconfig.base.json"];
+        // In monorepos, also check each workspace package's tsconfig
+        if (workspace?.isMonorepo) {
+            for (const pkg of workspace.packages) {
+                tsconfigPaths.push(join(pkg.path, "tsconfig.json"));
+            }
+        }
         let strictFound = false;
         let compilerOpts = {};
         for (const p of tsconfigPaths) {
@@ -192,7 +224,8 @@ export function runStandards(cwd, stack) {
     const totalFiles = files.length || 1;
     const errorPenalty = Math.min(40, (errors / totalFiles) * 150);
     const warningPenalty = Math.min(30, (warnings / totalFiles) * 80);
-    const largePenalty = Math.min(20, (largeFiles / totalFiles) * 100);
+    // fileSizePenalty is already exponential — normalize by file count, cap at 80
+    const largePenalty = Math.min(80, (fileSizePenalty / totalFiles) * 3);
     const score = Math.max(0, Math.min(100, Math.round(100 - errorPenalty - warningPenalty - largePenalty)));
     return {
         name: "standards",

package/dist/runners/structure.js

@@ -61,7 +61,7 @@ export function runStructure(cwd, stack, workspace) {
         }
     }
     // Check for lockfile — in monorepos, lockfiles may be in packages
-    const lockfiles = isDart ? ["pubspec.lock"] : ["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb"];
+    const lockfiles = isDart ? ["pubspec.lock"] : ["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb", "bun.lock"];
     let hasLock = lockfiles.some((f) => existsSync(join(cwd, f)));
     if (!hasLock && workspace?.isMonorepo) {
         hasLock = workspace.packages.some((p) => lockfiles.some((f) => existsSync(join(cwd, p.path, f))));

package/dist/runners/styling.d.ts

@@ -0,0 +1,15 @@
+/** Styling consistency — delegates to Stylelint when available, adds cross-file analysis.
+ *
+ * Tool delegation (same pattern as lint → biome/eslint, secrets → gitleaks):
+ *   - Stylelint installed → run it for CSS/SCSS linting (170+ rules)
+ *   - Always: cross-file analysis that no CSS linter covers:
+ *     1. Mixed styling approaches (Tailwind + CSS modules + styled-components + inline)
+ *     2. Hardcoded colors in JSX (not CSS — Stylelint handles CSS)
+ *     3. Magic numbers in spacing (cross-file consistency)
+ *     4. Inline style ratio
+ *     5. !important abuse
+ *     6. Duplicate Tailwind class strings across components
+ *     7. Inconsistent spacing values across components
+ */
+import type { CheckResult } from "../types.js";
+export declare function runStyling(cwd: string): CheckResult;