@vibecodeqa/cli 0.9.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 freeappstore.online
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,174 @@
+# vibe-check
+
+**Code health scanner for the AI coding era.**
+
+One command. 15 checks. Full report. Zero config.
+
+```bash
+npx vibe-check
+```
+
+![Grade](https://img.shields.io/badge/checks-15-blue) ![TypeScript](https://img.shields.io/badge/TypeScript-first-3178C6) ![License](https://img.shields.io/badge/license-MIT-green)
+
+## What it does
+
+vibe-check scans your TypeScript/JavaScript codebase and produces a scored health report with actionable findings. It auto-detects your stack (React, Vite, vitest, Biome, etc.) and runs 15 checks across 6 categories.
+
+The output is a self-contained HTML report with radar charts, architecture diagrams, file heatmaps, and drill-down issue lists — all navigable via sidebar and tab navigation.
+
+## Quick start
+
+```bash
+# Scan current directory (runs tests + coverage)
+npx vibe-check
+
+# Fast mode (skip test execution)
+npx vibe-check --skip-tests
+
+# CI mode (exit code 1 if score < 60)
+npx vibe-check --ci
+
+# JSON output (pipe to other tools)
+npx vibe-check --json
+
+# Scan a specific directory
+npx vibe-check /path/to/project
+```
+
+Output goes to `.vibe-check/`:
+- `report.html` — navigable dashboard (open in browser)
+- `report.json` — machine-readable results
+
+## Checks
+
+### Foundations (23%)
+
+| Check | Weight | What it measures |
+|-------|--------|-----------------|
+| **Structure** | 6% | Standard files (package.json, tsconfig, LICENSE, README, .gitignore), lockfile, test-to-source ratio |
+| **Lint** | 5% | Biome or ESLint errors/warnings (auto-detected) |
+| **Types** | 6% | TypeScript compilation errors (`tsc --noEmit`) |
+| **Type Safety** | 3% | `as any`, `: any`, `@ts-ignore`, `@ts-nocheck` counts |
+| **Standards** | 3% | File naming, large files (>300 lines), code smells (console.log, var, ==, eval, innerHTML), config hygiene |
+
+### Quality (15%)
+
+| Check | Weight | What it measures |
+|-------|--------|-----------------|
+| **Complexity** | 7% | Cognitive complexity per function, functions >60 lines |
+| **Duplication** | 5% | Copy-pasted 6+ line blocks |
+| **Docs** | 3% | README quality, JSDoc coverage of exports |
+
+### Testing (22%)
+
+One deep check with 6 sub-dimensions:
+
+- **Pyramid presence** — unit, integration, component, E2E layers detected
+- **Execution** — pass/fail from vitest/jest
+- **Coverage** — statement, branch, line, function (v8/istanbul)
+- **File pairing** — test file per source file
+- **Quality** — assertion density, mock ratio, snapshot ratio
+- **E2E detection** — Playwright/Cypress configured?
+
+### Architecture (7%)
+
+| Check | Weight | What it measures |
+|-------|--------|-----------------|
+| **Architecture** | 7% | Import graph, circular deps, god modules, orphan files, fan-out, SVG diagram |
+
+### Security (18%)
+
+| Check | Weight | What it measures |
+|-------|--------|-----------------|
+| **Secrets** | 6% | 13 patterns (AWS, GitHub, Stripe, OpenAI, private keys) |
+| **Security** | 7% | 15 CWE-mapped patterns (XSS, injection, crypto, SSRF) |
+| **Dependencies** | 5% | npm audit vulnerabilities + outdated packages |
+
+### LLM Readiness (15%)
+
+Novel checks that no other tool offers:
+
+| Check | Weight | What it measures |
+|-------|--------|-----------------|
+| **Confusion Index** | 8% | File name similarity, generic names, export collisions, ambiguous abbreviations |
+| **Context Locality** | 7% | Token density, import depth, circular deps, context sinks |
+
+**Research backing:**
+- "When Names Disappear" (arXiv:2510.03178): GPT-4o drops 28.6% on summarization with ambiguous names
+- "Lost in the Middle" (Liu et al. 2023): 30%+ accuracy drop for mid-context information
+- "Context Rot" (Chroma 2025): all frontier models degrade with input length
+- "Variable Naming Impact" (Research Square 2024): descriptive names = 8.9% better AI performance
+
+## Scoring
+
+Each check produces a score from 0-100. The composite score is a weighted average (weights shown above, sum to 100%). Grades:
+
+| Grade | Score | Meaning |
+|-------|-------|---------|
+| **A** | 90-100 | Excellent — production-ready |
+| **B** | 75-89 | Good — minor issues |
+| **C** | 60-74 | Fair — needs attention |
+| **D** | 40-59 | Poor — significant issues |
+| **F** | 0-39 | Critical — major problems |
+
+## Report features
+
+- **Radar chart** — 6-axis view of category scores
+- **Architecture diagram** — SVG showing module relationships and import edges
+- **Trend comparison** — score delta vs. previous run
+- **File heatmap** — top files by issue count across all checks
+- **GitHub links** — click any file:line to open in GitHub
+- **Info panels** — each check explains what it measures, why it matters, and how to fix issues
+- **Priority badges** — critical/high/medium/low on each check
+
+## Trend tracking
+
+vibe-check reads the previous `.vibe-check/report.json` on each run and shows:
+- Score change (↑ improved / ↓ declined)
+- Per-check deltas
+- New vs. fixed issue counts
+
+## CLI options
+
+| Flag | Description |
+|------|-------------|
+| `--skip-tests` | Skip test execution and coverage (fast mode) |
+| `--ci` | Exit code 1 if composite score < 60 |
+| `--json` | Output JSON to stdout (no HTML, no browser) |
+
+## Stack detection
+
+Auto-detects from `package.json` and config files:
+- **Language:** TypeScript, JavaScript
+- **Framework:** React, Vue, Svelte
+- **Bundler:** Vite, Webpack, esbuild
+- **Test runner:** vitest, jest
+- **Linter:** Biome, ESLint
+- **Package manager:** pnpm, npm, yarn, bun
+
+## References
+
+Standards and research cited in vibe-check's analysis:
+
+- ISO/IEC 25010:2023 — Software product quality model
+- McCabe, T.J. "A Complexity Measure" (IEEE, 1976) — Cyclomatic complexity
+- Campbell, G.A. "Cognitive Complexity" (SonarSource, 2017) — Understandability metric
+- Martin, R.C. "Clean Code" (2008) — Naming principles
+- OWASP Top 10 — Web application security risks
+- CWE Top 25 — Most dangerous software weaknesses
+- Liu et al. "Lost in the Middle" (TACL, 2023) — LLM context attention
+- Chroma Research "Context Rot" (2025) — LLM degradation with input length
+- Wang et al. "How Does Naming Affect LLMs?" (JSEA, 2024) — Naming impact on AI
+- arXiv:2510.03178 "When Names Disappear" (2025) — 28.6% accuracy drop
+- Arnaoudova et al. "Linguistic Antipatterns" — 17-pattern naming catalog
+- Vassilev "Codified Context" (arXiv, 2025) — AI agent context architecture
+
+## License
+
+MIT — Free forever as a CLI tool.
+
+## Links
+
+- **GitHub:** https://github.com/freeappstore-online/vibe-check
+- **Website:** https://vibechecker.online (coming soon)
+- **Issues:** https://github.com/freeappstore-online/vibe-check/issues

package/dist/check-meta.d.ts

@@ -0,0 +1,15 @@
+/** Metadata for each check — description, risk, priority, weight, recommendations.
+ *  This is what makes the report educational, not just a scorecard. */
+export type Priority = "critical" | "high" | "medium" | "low";
+export interface CheckMeta {
+    name: string;
+    label: string;
+    category: string;
+    priority: Priority;
+    weight: number;
+    description: string;
+    risk: string;
+    recommendation: string;
+}
+export declare const CHECK_META: Record<string, CheckMeta>;
+export declare function getCheckMeta(name: string): CheckMeta;

package/dist/check-meta.js

@@ -0,0 +1,166 @@
+/** Metadata for each check — description, risk, priority, weight, recommendations.
+ *  This is what makes the report educational, not just a scorecard. */
+export const CHECK_META = {
+    structure: {
+        name: "structure",
+        label: "Project Structure",
+        category: "Foundations",
+        priority: "high",
+        weight: 6,
+        description: "Checks for standard project files: package.json, tsconfig.json, LICENSE, README, .gitignore, lockfile. Verifies test-to-source file ratio and that essential scripts (test, build) exist.",
+        risk: "Missing config files cause build failures in CI. Missing LICENSE makes the project legally ambiguous. No lockfile means non-reproducible builds — a dependency update can break production silently.",
+        recommendation: "Ensure every project has package.json, tsconfig.json, LICENSE, .gitignore, and a lockfile. Add 'test' and 'build' scripts. Aim for at least one test file per source file.",
+    },
+    lint: {
+        name: "lint",
+        label: "Lint",
+        category: "Foundations",
+        priority: "high",
+        weight: 5,
+        description: "Runs the project's linter (Biome or ESLint, auto-detected) and counts errors and warnings. Lint rules catch bugs, enforce consistency, and prevent common mistakes before they reach production.",
+        risk: "Unlinted code accumulates inconsistencies and latent bugs. Studies show that projects with active linting have 15-20% fewer production defects (Microsoft Research, 2019).",
+        recommendation: "Fix all lint errors. Warnings can be addressed incrementally. If no linter is configured, add Biome (@biomejs/biome) — it's the fastest linter for TypeScript with zero config needed.",
+    },
+    types: {
+        name: "types",
+        label: "Type Check",
+        category: "Foundations",
+        priority: "critical",
+        weight: 6,
+        description: "Runs tsc --noEmit to find TypeScript compilation errors. Type errors mean the code may crash at runtime in ways the compiler could have prevented.",
+        risk: "Type errors are bugs. Every unresolved type error is a potential runtime crash. TypeScript's type system exists to prevent entire categories of bugs — ignoring it negates its value.",
+        recommendation: "Fix all type errors. If you're migrating from JavaScript, enable strict mode gradually — start with 'strict: true' and fix errors file by file.",
+    },
+    "type-safety": {
+        name: "type-safety",
+        label: "Type Safety",
+        category: "Foundations",
+        priority: "medium",
+        weight: 3,
+        description: "Counts unsafe type patterns: 'as any' casts, explicit ': any' annotations, @ts-ignore directives, @ts-nocheck, and non-null assertions (!.). Each weakens the type system's protection.",
+        risk: "'as any' silences the type checker at that point — any bug the types would have caught now slips through. @ts-ignore and @ts-nocheck disable type checking entirely for a line or file. Accumulated 'any' usage correlates with higher defect density.",
+        recommendation: "Replace 'as any' with proper types or type guards. Use 'unknown' instead of 'any' when the type is genuinely unknown. Remove @ts-ignore comments by fixing the underlying type issue.",
+    },
+    standards: {
+        name: "standards",
+        label: "Code Standards",
+        category: "Foundations",
+        priority: "medium",
+        weight: 3,
+        description: "Checks coding conventions: file naming (PascalCase for components, kebab-case for modules), file size limits (>300 lines flagged), code smells (console.log, var, ==, eval, innerHTML, TODO/FIXME), config hygiene (strict mode), and framework best practices (Tailwind vs inline styles).",
+        risk: "Large files are hard to review and test. console.log in production leaks internal data. var causes hoisting bugs. == causes type coercion surprises. eval/innerHTML are security vulnerabilities. Inconsistent naming makes the codebase harder to navigate.",
+        recommendation: "Split files over 300 lines. Replace console.log with a proper logger or remove it. Use const/let, ===, and safe DOM APIs. Enable TypeScript strict mode.",
+    },
+    complexity: {
+        name: "complexity",
+        label: "Complexity",
+        category: "Quality",
+        priority: "high",
+        weight: 7,
+        description: "Measures cognitive complexity of each function: how many branches (if/else/switch/for/while/ternary/&&/||) and how many lines. Functions over 60 lines or with complexity over 15 are flagged.",
+        risk: "Complex functions are the #1 source of bugs. Research shows defect density increases exponentially with cyclomatic complexity above 10 (McCabe, 1976). Complex code is also harder to review, test, and modify safely.",
+        recommendation: "Extract complex functions into smaller ones. Use early returns to reduce nesting. Replace conditional chains with lookup tables or strategy patterns. Aim for functions under 30 lines with complexity under 10.",
+    },
+    duplication: {
+        name: "duplication",
+        label: "Duplication",
+        category: "Quality",
+        priority: "medium",
+        weight: 5,
+        description: "Detects copy-pasted code blocks of 6+ lines across source files. Duplication is measured as a percentage of total source lines involved in duplicate blocks.",
+        risk: "Duplicated code means bugs must be fixed in multiple places. Miss one copy and the bug persists. DRY (Don't Repeat Yourself) violations increase maintenance cost linearly with each copy.",
+        recommendation: "Extract duplicated logic into shared functions or modules. If two files share the same pattern, create a helper. If the duplication is across repos, consider vendoring a shared module.",
+    },
+    docs: {
+        name: "docs",
+        label: "Documentation",
+        category: "Quality",
+        priority: "low",
+        weight: 3,
+        description: "Checks README quality (existence, length, sections) and JSDoc coverage (what percentage of exported functions/classes have documentation comments).",
+        risk: "Undocumented code is hard to onboard to and easy to misuse. Missing README means new contributors can't get started. Undocumented exports become tribal knowledge that leaves when people leave.",
+        recommendation: "Write a README with: what it does, how to install, how to run, how to develop. Add JSDoc comments to all public exports — even a one-line description helps.",
+    },
+    testing: {
+        name: "testing",
+        label: "Testing",
+        category: "Testing",
+        priority: "critical",
+        weight: 22,
+        description: "Deep assessment of test quality across 6 dimensions: pyramid presence (unit/integration/component/E2E layers), test execution (pass/fail), coverage (statement/branch/line/function), file pairing (test file per source file), test quality (assertion density, mock ratio, snapshot ratio), and E2E tool detection (Playwright/Cypress).",
+        risk: "Code without tests is code you can't safely change. Missing test layers mean entire categories of bugs go undetected: unit tests catch logic bugs, integration tests catch API contract breaks, E2E tests catch user-visible regressions. Low coverage means large portions of code are never exercised.",
+        recommendation: "Follow the testing pyramid: many unit tests, some integration tests, fewer E2E tests. Aim for >80% branch coverage. Every source file should have a corresponding test file. Use Playwright for E2E if you have a web frontend.",
+    },
+    secrets: {
+        name: "secrets",
+        label: "Secrets",
+        category: "Security",
+        priority: "critical",
+        weight: 6,
+        description: "Scans source files for hardcoded secrets: AWS keys, GitHub tokens, Stripe keys, OpenAI/Anthropic API keys, Google API keys, private keys, and generic secret patterns. Checks 13 regex patterns against every non-test source file.",
+        risk: "Hardcoded secrets in source code are the #1 cause of credential leaks. Once pushed to Git, secrets are in the history forever — even if deleted in a later commit. Leaked API keys can be exploited within minutes by automated scanners.",
+        recommendation: "Never hardcode secrets. Use environment variables or a secret manager (Bitwarden, AWS Secrets Manager, Cloudflare Secrets). If a secret was committed, rotate it immediately — deleting the file is not enough.",
+    },
+    security: {
+        name: "security",
+        label: "Security Patterns",
+        category: "Security",
+        priority: "critical",
+        weight: 7,
+        description: "Static analysis for 15 vulnerability patterns mapped to CWE (Common Weakness Enumeration) IDs. Covers: XSS (innerHTML, dangerouslySetInnerHTML, document.write), injection (eval, new Function, SQL template literals, command injection), weak crypto (Math.random for tokens, MD5/SHA1), prototype pollution, path traversal, SSRF, and missing security headers.",
+        risk: "These patterns represent the most commonly exploited vulnerabilities in web applications (OWASP Top 10). A single XSS or injection vulnerability can lead to account takeover, data theft, or complete system compromise.",
+        recommendation: "Replace innerHTML with textContent or DOM APIs. Never use eval(). Use parameterized queries for SQL. Use crypto.randomUUID() instead of Math.random() for tokens. Validate all user input before use in file paths or URLs.",
+    },
+    dependencies: {
+        name: "dependencies",
+        label: "Dependencies",
+        category: "Security",
+        priority: "high",
+        weight: 5,
+        description: "Runs npm/pnpm audit to find known vulnerabilities (CVEs) in dependencies. Also checks for outdated packages — major version gaps indicate potential security debt and breaking API changes.",
+        risk: "Vulnerable dependencies are the most common attack vector for supply chain attacks. 84% of codebases contain at least one known vulnerability in their dependencies (Synopsys OSSRA 2024). Outdated major versions often have unpatched security issues.",
+        recommendation: "Run 'pnpm audit' regularly and fix critical/high vulnerabilities immediately. Keep dependencies updated — use Dependabot or Renovate for automated PRs. Pin versions with a lockfile.",
+    },
+    architecture: {
+        name: "architecture",
+        label: "Architecture",
+        category: "Architecture",
+        priority: "high",
+        weight: 7,
+        description: "Analyzes the import graph to detect structural problems: circular dependencies, god modules (imported by >50% of files), orphan modules (dead code), high fan-out (importing too many modules), and connector modules (high coupling). Generates an SVG architecture diagram.",
+        risk: "Circular dependencies create build order issues and make refactoring impossible without breaking changes. God modules become bottlenecks — any change ripples through the entire codebase. High coupling means you can't change one module without testing everything it touches.",
+        recommendation: "Break circular deps by extracting shared types to a separate file. Split god modules by concern. Reduce fan-out by co-locating related code. Use dependency injection for loose coupling.",
+    },
+    confusion: {
+        name: "confusion",
+        label: "Confusion Index",
+        category: "LLM Readiness",
+        priority: "high",
+        weight: 8,
+        description: "Measures naming ambiguity that causes LLMs to misunderstand or edit the wrong code. Checks: file name confusability (Levenshtein distance + synonym detection), generic function/variable names, export name collisions across files, and ambiguous abbreviations.",
+        risk: "GPT-4o drops 28.6 percentage points on code summarization when names are ambiguous (arXiv:2510.03178). LLMs editing similar-named files is the #1 reported failure mode in AI-assisted development. Generic names like process(), handle(), data cause models to misinterpret intent.",
+        recommendation: "Use descriptive, unique names. Avoid synonym files (utils.ts + helpers.ts — pick one). Avoid generic exports. Disambiguate abbreviations (use 'authentication' not 'auth' if both auth meanings exist in the codebase).",
+    },
+    context: {
+        name: "context",
+        label: "Context Locality",
+        category: "LLM Readiness",
+        priority: "high",
+        weight: 7,
+        description: "Measures how self-contained code is for LLM consumption. Checks: token density per file, import count, circular dependencies, and context sinks (files that import many modules but export little). Based on the finding that LLMs lose 30%+ accuracy for information in the middle of long contexts.",
+        risk: "Files over ~4000 tokens exceed the 'sweet spot' for LLM attention (Liu et al. 2023 'Lost in the Middle'). Circular dependencies create infinite loops in LLM code navigation. Heavy import chains force LLMs to load many files, burning context window budget (Chroma 'Context Rot' 2025).",
+        recommendation: "Keep files under 400 lines / 4000 tokens. Limit imports to <15 per file. Break circular dependencies. Co-locate related code to reduce cross-file jumps.",
+    },
+};
+export function getCheckMeta(name) {
+    return CHECK_META[name] || {
+        name,
+        label: name,
+        category: "Other",
+        priority: "medium",
+        weight: 5,
+        description: "",
+        risk: "",
+        recommendation: "",
+    };
+}

package/dist/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+/** vibe-check — code health scanner for the AI coding era. */
+export {};

package/dist/cli.js

@@ -0,0 +1,140 @@
+#!/usr/bin/env node
+/** vibe-check — code health scanner for the AI coding era. */
+import { existsSync, mkdirSync, writeFileSync } from "node:fs";
+import { join, resolve } from "node:path";
+import { detectRepoUrl, detectStack } from "./detect.js";
+import { generateHTML } from "./report/html.js";
+import { runComplexity } from "./runners/complexity.js";
+import { runArchitecture } from "./runners/architecture.js";
+import { runConfusion } from "./runners/confusion.js";
+import { runContext } from "./runners/context.js";
+import { runDependencies } from "./runners/dependencies.js";
+import { runDocs } from "./runners/docs.js";
+import { runDuplication } from "./runners/duplication.js";
+import { runLint } from "./runners/lint.js";
+import { runSecrets } from "./runners/secrets.js";
+import { runSecurity } from "./runners/security.js";
+import { runStandards } from "./runners/standards.js";
+import { runStructure } from "./runners/structure.js";
+import { runTesting } from "./runners/testing.js";
+import { runTypeCheck } from "./runners/types-check.js";
+import { runTypeSafety } from "./runners/type-safety.js";
+import { computeScore } from "./score.js";
+import { computeTrend, formatTrend } from "./trend.js";
+import { gradeFromScore } from "./types.js";
+const VERSION = "0.9.0";
+const args = process.argv.slice(2);
+const flags = new Set(args.filter((a) => a.startsWith("--")));
+const cwd = resolve(args.find((a) => !a.startsWith("--")) || ".");
+const outputDir = join(cwd, ".vibe-check");
+const jsonOnly = flags.has("--json");
+const ciMode = flags.has("--ci");
+const skipTests = flags.has("--skip-tests");
+function color(grade) {
+    if (grade === "A")
+        return "\x1b[32m";
+    if (grade === "B")
+        return "\x1b[33m";
+    return "\x1b[31m";
+}
+async function main() {
+    const start = Date.now();
+    if (!jsonOnly) {
+        console.log("");
+        console.log("  \x1b[1mvibe-check\x1b[0m v" + VERSION);
+        console.log("  \x1b[2m" + cwd + "\x1b[0m");
+        console.log("");
+    }
+    const stack = detectStack(cwd);
+    if (!jsonOnly) {
+        const parts = [stack.language, stack.framework, stack.bundler, stack.testRunner, stack.linter, stack.packageManager].filter((v) => v !== "none" && v !== "unknown");
+        console.log("  stack: " + parts.join(" + "));
+        console.log("");
+    }
+    const checks = [];
+    // All runners grouped by category
+    const runners = [
+        // Foundations
+        { name: "structure", fn: () => runStructure(cwd, stack) },
+        { name: "lint", fn: () => runLint(cwd, stack) },
+        { name: "types", fn: () => runTypeCheck(cwd) },
+        { name: "type-safety", fn: () => runTypeSafety(cwd) },
+        { name: "standards", fn: () => runStandards(cwd, stack) },
+        // Quality
+        { name: "complexity", fn: () => runComplexity(cwd) },
+        { name: "duplication", fn: () => runDuplication(cwd) },
+        { name: "docs", fn: () => runDocs(cwd) },
+        // Testing
+        { name: "testing", fn: () => runTesting(cwd, stack, skipTests) },
+        // Security
+        { name: "secrets", fn: () => runSecrets(cwd) },
+        { name: "security", fn: () => runSecurity(cwd) },
+        { name: "dependencies", fn: () => runDependencies(cwd, stack) },
+        // Architecture
+        { name: "architecture", fn: () => runArchitecture(cwd) },
+        // LLM Readiness
+        { name: "confusion", fn: () => runConfusion(cwd) },
+        { name: "context", fn: () => runContext(cwd) },
+    ];
+    for (const runner of runners) {
+        if (!jsonOnly)
+            process.stdout.write("  " + runner.name.padEnd(14));
+        const result = runner.fn();
+        checks.push(result);
+        if (!jsonOnly) {
+            const skipped = result.details.skipped;
+            const c = skipped ? "\x1b[2m" : color(result.grade);
+            const label = skipped ? "skip" : result.grade;
+            const scoreStr = skipped ? "—" : result.score + "/100";
+            const issueStr = result.issues.length > 0 ? `  \x1b[2m${result.issues.length} issues\x1b[0m` : "";
+            console.log(`${c}${label.padEnd(5)}${scoreStr}\x1b[0m  \x1b[2m${result.duration}ms\x1b[0m${issueStr}`);
+        }
+    }
+    const score = computeScore(checks);
+    const grade = gradeFromScore(score);
+    const duration = Date.now() - start;
+    const totalIssues = checks.reduce((s, c) => s + c.issues.length, 0);
+    const report = {
+        version: VERSION,
+        timestamp: new Date().toISOString(),
+        score,
+        grade,
+        checks,
+        meta: { cwd, node: process.version, duration, stack, ...detectRepoUrl(cwd) },
+    };
+    // Trend comparison (read previous report before overwriting)
+    const trend = computeTrend(report, outputDir);
+    if (!existsSync(outputDir))
+        mkdirSync(outputDir, { recursive: true });
+    writeFileSync(join(outputDir, "report.json"), JSON.stringify(report, null, 2));
+    writeFileSync(join(outputDir, "report.html"), generateHTML(report));
+    if (jsonOnly) {
+        console.log(JSON.stringify(report));
+    }
+    else {
+        const gc = color(grade);
+        console.log("");
+        console.log(`  ${gc}\x1b[1m${grade}\x1b[0m ${gc}${score}/100\x1b[0m  \x1b[2m${checks.length} checks · ${totalIssues} issues · ${duration}ms\x1b[0m`);
+        if (trend)
+            console.log(formatTrend(trend));
+        console.log("");
+        console.log("  \x1b[2mReport: " + join(outputDir, "report.html") + "\x1b[0m");
+        console.log("  \x1b[2mJSON:   " + join(outputDir, "report.json") + "\x1b[0m");
+        console.log("");
+    }
+    if (ciMode && score < 60) {
+        process.exit(1);
+    }
+    if (!jsonOnly && !ciMode) {
+        try {
+            const { execSync } = await import("node:child_process");
+            const openCmd = process.platform === "darwin" ? "open" : "xdg-open";
+            execSync(`${openCmd} "${join(outputDir, "report.html")}"`, { stdio: "ignore" });
+        }
+        catch { /* failed to open browser */ }
+    }
+}
+main().catch((err) => {
+    console.error("vibe-check error:", err);
+    process.exit(1);
+});

package/dist/detect.d.ts

@@ -0,0 +1,8 @@
+/** Auto-detect project stack and git repo from files in the working directory. */
+import type { StackInfo } from "./types.js";
+export declare function detectStack(cwd: string): StackInfo;
+/** Detect GitHub/GitLab repo URL from git remote. */
+export declare function detectRepoUrl(cwd: string): {
+    repoUrl: string | null;
+    branch: string;
+};

package/dist/detect.js

@@ -0,0 +1,67 @@
+/** Auto-detect project stack and git repo from files in the working directory. */
+import { execSync } from "node:child_process";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+export function detectStack(cwd) {
+    const has = (f) => existsSync(join(cwd, f));
+    const read = (f) => {
+        try {
+            return readFileSync(join(cwd, f), "utf-8");
+        }
+        catch {
+            return "";
+        }
+    };
+    const pkg = read("package.json");
+    const deps = pkg ? JSON.parse(pkg) : {};
+    const allDeps = { ...deps.dependencies, ...deps.devDependencies };
+    const language = has("tsconfig.json") || has("tsconfig.app.json") || allDeps.typescript
+        ? "typescript"
+        : allDeps.react || allDeps.vue
+            ? "javascript"
+            : "unknown";
+    const framework = allDeps.react
+        ? "react"
+        : allDeps.vue
+            ? "vue"
+            : allDeps.svelte
+                ? "svelte"
+                : "none";
+    const bundler = allDeps.vite
+        ? "vite"
+        : allDeps.webpack
+            ? "webpack"
+            : allDeps.esbuild
+                ? "esbuild"
+                : "none";
+    const testRunner = allDeps.vitest ? "vitest" : allDeps.jest ? "jest" : "none";
+    const linter = allDeps["@biomejs/biome"]
+        ? "biome"
+        : allDeps.eslint
+            ? "eslint"
+            : "none";
+    const packageManager = has("pnpm-lock.yaml")
+        ? "pnpm"
+        : has("bun.lockb")
+            ? "bun"
+            : has("yarn.lock")
+                ? "yarn"
+                : "npm";
+    return { language, framework, bundler, testRunner, linter, packageManager };
+}
+/** Detect GitHub/GitLab repo URL from git remote. */
+export function detectRepoUrl(cwd) {
+    try {
+        const remote = execSync("git remote get-url origin", { cwd, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
+        const branch = execSync("git branch --show-current", { cwd, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim() || "main";
+        // Convert SSH to HTTPS
+        let url = remote
+            .replace(/^git@github\.com:/, "https://github.com/")
+            .replace(/^git@gitlab\.com:/, "https://gitlab.com/")
+            .replace(/\.git$/, "");
+        return { repoUrl: url, branch };
+    }
+    catch {
+        return { repoUrl: null, branch: "main" };
+    }
+}

package/dist/fs-utils.d.ts

@@ -0,0 +1,23 @@
+/** Shared filesystem utilities — eliminates duplicate file-walking across runners. */
+export interface SourceFile {
+    path: string;
+    fullPath: string;
+    base: string;
+    ext: string;
+    content: string;
+    lines: number;
+    isTest: boolean;
+}
+/** Walk source directories and return all code files. */
+export declare function collectSourceFiles(cwd: string, opts?: {
+    includeTests?: boolean;
+    extraExts?: boolean;
+}): SourceFile[];
+/** Get only production source files (no tests). */
+export declare function getProductionFiles(cwd: string): SourceFile[];
+/** Get only test files. */
+export declare function getTestFiles(cwd: string): SourceFile[];
+/** Read a file relative to cwd, return empty string on error. */
+export declare function readSafe(cwd: string, path: string): string;
+/** Parse package.json dependencies. */
+export declare function readDeps(cwd: string): Record<string, string>;