@vibecodeqa/cli 0.9.0

package/dist/runners/lint.js

@@ -0,0 +1,78 @@
+/** Lint check — auto-detects biome or eslint. */
+import { gradeFromScore } from "../types.js";
+import { run } from "./exec.js";
+export function runLint(cwd, stack) {
+    const start = Date.now();
+    const issues = [];
+    if (stack.linter === "biome") {
+        const { stdout } = run("npx biome check src/ --reporter=json 2>/dev/null || true", cwd);
+        try {
+            const data = JSON.parse(stdout);
+            const diagnostics = data.diagnostics || [];
+            for (const d of diagnostics) {
+                issues.push({
+                    severity: d.severity === "error"
+                        ? "error"
+                        : d.severity === "warning"
+                            ? "warning"
+                            : "info",
+                    message: d.description || d.message || "lint issue",
+                    file: d.location?.path,
+                    line: d.location?.span?.start?.line,
+                    rule: d.category,
+                });
+            }
+        }
+        catch {
+            // biome may not output valid JSON on some errors — count from summary
+            const errors = stdout.match(/Found (\d+) error/)?.[1] || "0";
+            const warnings = stdout.match(/Found (\d+) warning/)?.[1] || "0";
+            for (let i = 0; i < parseInt(errors); i++)
+                issues.push({ severity: "error", message: "lint error" });
+            for (let i = 0; i < parseInt(warnings); i++)
+                issues.push({ severity: "warning", message: "lint warning" });
+        }
+    }
+    else if (stack.linter === "eslint") {
+        const { stdout } = run("npx eslint src/ --format json 2>/dev/null || true", cwd);
+        try {
+            const files = JSON.parse(stdout);
+            for (const file of files) {
+                for (const msg of file.messages || []) {
+                    issues.push({
+                        severity: msg.severity === 2 ? "error" : "warning",
+                        message: msg.message,
+                        file: file.filePath,
+                        line: msg.line,
+                        rule: msg.ruleId,
+                    });
+                }
+            }
+        }
+        catch {
+            /* eslint output parse failed */
+        }
+    }
+    else {
+        return {
+            name: "lint",
+            score: 0,
+            grade: "F",
+            details: { skipped: true, reason: "no linter detected" },
+            issues: [],
+            duration: Date.now() - start,
+        };
+    }
+    const errors = issues.filter((i) => i.severity === "error").length;
+    const warnings = issues.filter((i) => i.severity === "warning").length;
+    // Score: start at 100, -10 per error, -2 per warning, floor at 0
+    const score = Math.max(0, Math.min(100, 100 - errors * 10 - warnings * 2));
+    return {
+        name: "lint",
+        score,
+        grade: gradeFromScore(score),
+        details: { errors, warnings, linter: stack.linter },
+        issues,
+        duration: Date.now() - start,
+    };
+}

package/dist/runners/secrets.d.ts

@@ -0,0 +1,3 @@
+/** Secret detection — scans for hardcoded keys/tokens in source files. */
+import type { CheckResult } from "../types.js";
+export declare function runSecrets(cwd: string): CheckResult;

package/dist/runners/secrets.js

@@ -0,0 +1,108 @@
+/** Secret detection — scans for hardcoded keys/tokens in source files. */
+import { readdirSync, readFileSync, statSync } from "node:fs";
+import { extname, join } from "node:path";
+import { gradeFromScore } from "../types.js";
+const SECRET_PATTERNS = [
+    { name: "AWS Access Key", pattern: /AKIA[0-9A-Z]{16}/ },
+    {
+        name: "AWS Secret Key",
+        pattern: /(?:aws_secret|AWS_SECRET)[^=]*=\s*['"][A-Za-z0-9/+=]{40}['"]/,
+    },
+    { name: "GitHub Token (classic)", pattern: /ghp_[A-Za-z0-9]{36}/ },
+    {
+        name: "GitHub Token (fine-grained)",
+        pattern: /github_pat_[A-Za-z0-9_]{22,}/,
+    },
+    { name: "GitHub OAuth", pattern: /gho_[A-Za-z0-9]{36}/ },
+    { name: "Slack Token", pattern: /xox[bpors]-[0-9a-zA-Z-]{10,}/ },
+    { name: "Stripe Secret Key", pattern: /sk_live_[0-9a-zA-Z]{24,}/ },
+    { name: "Stripe Publishable Key", pattern: /pk_live_[0-9a-zA-Z]{24,}/ },
+    {
+        name: "OpenAI API Key",
+        pattern: /sk-[A-Za-z0-9]{20,}T3BlbkFJ[A-Za-z0-9]{20,}/,
+    },
+    { name: "Anthropic API Key", pattern: /sk-ant-api\d{2}-[A-Za-z0-9-]{80,}/ },
+    { name: "Google API Key", pattern: /AIza[0-9A-Za-z_-]{35}/ },
+    {
+        name: "Private Key",
+        pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/,
+    },
+    {
+        name: "Generic Secret Assignment",
+        pattern: /(?:password|secret|api_key|apikey|token|auth)\s*[:=]\s*['"][A-Za-z0-9+/=]{20,}['"]/,
+    },
+];
+export function runSecrets(cwd) {
+    const start = Date.now();
+    const issues = [];
+    const files = [];
+    collectFiles(cwd, files);
+    for (const file of files) {
+        const content = readFileSync(file, "utf-8");
+        const relPath = file.replace(cwd + "/", "");
+        const lines = content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // Skip comments
+            if (line.trim().startsWith("//") || line.trim().startsWith("*"))
+                continue;
+            // Skip test files and mock data
+            if (relPath.includes(".test.") || relPath.includes("__mock"))
+                continue;
+            for (const { name, pattern } of SECRET_PATTERNS) {
+                if (pattern.test(line)) {
+                    issues.push({
+                        severity: "error",
+                        message: `Possible ${name}`,
+                        file: relPath,
+                        line: i + 1,
+                        rule: "secret-detected",
+                    });
+                }
+            }
+        }
+    }
+    const score = issues.length === 0 ? 100 : Math.max(0, 100 - issues.length * 25);
+    return {
+        name: "secrets",
+        score,
+        grade: gradeFromScore(score),
+        details: { secretsFound: issues.length },
+        issues,
+        duration: Date.now() - start,
+    };
+}
+function collectFiles(dir, out) {
+    for (const entry of readdirSync(dir)) {
+        if ([
+            "node_modules",
+            "dist",
+            ".git",
+            ".vibe-check",
+            "coverage",
+            "test-results",
+        ].includes(entry))
+            continue;
+        const full = join(dir, entry);
+        const stat = statSync(full);
+        if (stat.isDirectory()) {
+            collectFiles(full, out);
+        }
+        else {
+            const ext = extname(entry);
+            if ([
+                ".ts",
+                ".tsx",
+                ".js",
+                ".jsx",
+                ".json",
+                ".env",
+                ".yaml",
+                ".yml",
+                ".toml",
+            ].includes(ext)) {
+                out.push(full);
+            }
+        }
+    }
+}

package/dist/runners/security.d.ts

@@ -0,0 +1,3 @@
+/** Security analysis — beyond secrets, checks for vulnerable code patterns. */
+import type { CheckResult } from "../types.js";
+export declare function runSecurity(cwd: string): CheckResult;

package/dist/runners/security.js

@@ -0,0 +1,121 @@
+/** Security analysis — beyond secrets, checks for vulnerable code patterns. */
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { extname, join } from "node:path";
+import { gradeFromScore } from "../types.js";
+const PATTERNS = [
+    // XSS
+    { name: "innerHTML", pattern: /\.innerHTML\s*=/, severity: "warning", message: "XSS: innerHTML assignment — use textContent or DOM APIs", cwe: "CWE-79" },
+    { name: "dangerouslySetInnerHTML", pattern: /dangerouslySetInnerHTML/, severity: "error", message: "XSS: dangerouslySetInnerHTML bypasses React protection", cwe: "CWE-79" },
+    { name: "document.write", pattern: /document\.write\s*\(/, severity: "error", message: "XSS: document.write is dangerous", cwe: "CWE-79" },
+    { name: "outerHTML", pattern: /\.outerHTML\s*=/, severity: "warning", message: "XSS: outerHTML assignment", cwe: "CWE-79" },
+    { name: "insertAdjacentHTML", pattern: /\.insertAdjacentHTML\s*\(/, severity: "warning", message: "XSS: insertAdjacentHTML with user data", cwe: "CWE-79" },
+    // Injection
+    { name: "eval", pattern: /\beval\s*\(/, severity: "error", message: "Injection: eval() executes arbitrary code", cwe: "CWE-94" },
+    { name: "new Function", pattern: /new\s+Function\s*\(/, severity: "error", message: "Injection: new Function() is equivalent to eval()", cwe: "CWE-94" },
+    { name: "child_process.exec", pattern: /\bexec(?:Sync)?\s*\((?!.*\{[^}]*encoding)/, severity: "warning", message: "Command injection risk: prefer execFile with argument array", cwe: "CWE-78" },
+    { name: "template literal in SQL", pattern: /(?:query|prepare|execute)\s*\(\s*`[^`]*\$\{/, severity: "error", message: "SQL injection: use parameterized queries instead of template literals", cwe: "CWE-89" },
+    // Crypto
+    { name: "Math.random for security", pattern: /Math\.random\s*\(\).*(?:token|secret|key|password|nonce|salt)/i, severity: "error", message: "Weak randomness: use crypto.randomUUID() or crypto.getRandomValues()", cwe: "CWE-330" },
+    { name: "MD5/SHA1", pattern: /\b(?:md5|sha1|SHA1|MD5)\b/, severity: "warning", message: "Weak hash: MD5/SHA1 are broken — use SHA-256+", cwe: "CWE-328" },
+    // Prototype pollution
+    { name: "Object.assign from user input", pattern: /Object\.assign\s*\(\s*\{\s*\}\s*,\s*(?:req|request|body|params|query)/, severity: "warning", message: "Prototype pollution risk: validate/sanitize before Object.assign", cwe: "CWE-1321" },
+    { name: "spread from user input", pattern: /\{\s*\.\.\.(?:req|request|body|params|query)\./, severity: "warning", message: "Prototype pollution: spreading unvalidated user input", cwe: "CWE-1321" },
+    // Path traversal
+    { name: "path traversal", pattern: /(?:readFile|writeFile|access|stat)(?:Sync)?\s*\([^)]*(?:req|request|body|params|query)/, severity: "warning", message: "Path traversal: validate file paths from user input", cwe: "CWE-22" },
+    // SSRF
+    { name: "fetch with user URL", pattern: /fetch\s*\(\s*(?:req|request|body|params|query)\.(?:url|href|target)/, severity: "warning", message: "SSRF: validate URLs before fetching user-supplied targets", cwe: "CWE-918" },
+    // Sensitive data
+    { name: "password in URL", pattern: /(?:password|secret|token|key)=[^&\s'"]+/i, severity: "warning", message: "Sensitive data in URL query string", cwe: "CWE-598" },
+    // Missing security headers (in response construction)
+    { name: "no-cache header missing", pattern: /new Response\([^)]*\{[^}]*["']Set-Cookie["']/, severity: "warning", message: "Set-Cookie without Cache-Control: no-store", cwe: "CWE-525" },
+];
+export function runSecurity(cwd) {
+    const start = Date.now();
+    const issues = [];
+    const files = [];
+    const dirs = ["src", "web/src"];
+    for (const dir of dirs) {
+        try {
+            collectFiles(join(cwd, dir), files);
+        }
+        catch { /* dir doesn't exist */ }
+    }
+    if (files.length === 0) {
+        return { name: "security", score: 100, grade: "A", details: { skipped: true, reason: "no source files" }, issues: [], duration: Date.now() - start };
+    }
+    const cwePrefixes = new Set();
+    for (const file of files) {
+        const content = readFileSync(file, "utf-8");
+        const relPath = file.replace(cwd + "/", "");
+        const lines = content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const trimmed = line.trim();
+            if (trimmed.startsWith("//") || trimmed.startsWith("*"))
+                continue;
+            for (const p of PATTERNS) {
+                if (p.pattern.test(line)) {
+                    issues.push({
+                        severity: p.severity,
+                        message: p.message,
+                        file: relPath,
+                        line: i + 1,
+                        rule: p.cwe || p.name,
+                    });
+                    if (p.cwe)
+                        cwePrefixes.add(p.cwe);
+                }
+            }
+        }
+    }
+    // Check for security-critical HTML files
+    const htmlFiles = ["index.html", "web/index.html", "public/index.html"];
+    for (const h of htmlFiles) {
+        const full = join(cwd, h);
+        if (!existsSync(full))
+            continue;
+        const html = readFileSync(full, "utf-8");
+        // Missing CSP
+        if (!html.includes("Content-Security-Policy") && !html.includes("content-security-policy")) {
+            issues.push({ severity: "info", message: "No Content-Security-Policy meta tag in HTML", file: h, rule: "CWE-1021" });
+        }
+        // External scripts without integrity
+        const scripts = html.match(/<script[^>]*src=["'][^"']*["'][^>]*>/g) || [];
+        for (const s of scripts) {
+            if (s.includes("integrity="))
+                continue;
+            if (s.includes("localhost") || s.includes("/src/"))
+                continue; // local dev scripts
+            if (!s.includes("integrity")) {
+                issues.push({ severity: "info", message: "External script without subresource integrity (SRI)", file: h, rule: "CWE-829" });
+            }
+        }
+    }
+    const errors = issues.filter((i) => i.severity === "error").length;
+    const warnings = issues.filter((i) => i.severity === "warning").length;
+    const score = Math.max(0, Math.min(100, 100 - errors * 15 - warnings * 5));
+    return {
+        name: "security",
+        score,
+        grade: gradeFromScore(score),
+        details: { filesScanned: files.length, patterns: issues.length, cweCategories: cwePrefixes.size, errors, warnings },
+        issues,
+        duration: Date.now() - start,
+    };
+}
+function collectFiles(dir, out) {
+    for (const entry of readdirSync(dir)) {
+        if (["node_modules", "dist", ".git", ".vibe-check", "coverage", "test-results"].includes(entry))
+            continue;
+        const full = join(dir, entry);
+        if (statSync(full).isDirectory()) {
+            collectFiles(full, out);
+        }
+        else {
+            const ext = extname(entry);
+            if ([".ts", ".tsx", ".js", ".jsx"].includes(ext) && !entry.includes(".test.") && !entry.includes(".spec.")) {
+                out.push(full);
+            }
+        }
+    }
+}

package/dist/runners/standards.d.ts

@@ -0,0 +1,3 @@
+/** Code standards check — naming conventions, anti-patterns, config hygiene. */
+import type { CheckResult, StackInfo } from "../types.js";
+export declare function runStandards(cwd: string, stack: StackInfo): CheckResult;

package/dist/runners/standards.js

@@ -0,0 +1,153 @@
+/** Code standards check — naming conventions, anti-patterns, config hygiene. */
+import { readFileSync, readdirSync, statSync } from "node:fs";
+import { basename, extname, join } from "node:path";
+import { gradeFromScore } from "../types.js";
+const CODE_SMELLS = [
+    { name: "console.log", pattern: /\bconsole\.(log|debug|info)\s*\(/, severity: "warning", message: "console.log in production code", exclude: /\/\/ ?ok|eslint-disable|biome-ignore/ },
+    { name: "var keyword", pattern: /\bvar\s+\w/, severity: "error", message: "Use const/let instead of var" },
+    { name: "loose equality", pattern: /[^!=]==[^=]/, severity: "warning", message: "Use === instead of ==", exclude: /['"]use strict['"]/ },
+    { name: "eval()", pattern: /\beval\s*\(/, severity: "error", message: "eval() is a security risk — never use it" },
+    { name: "new Function()", pattern: /new\s+Function\s*\(/, severity: "error", message: "new Function() is equivalent to eval()" },
+    { name: "innerHTML assignment", pattern: /\.innerHTML\s*=/, severity: "warning", message: "innerHTML is an XSS vector — use textContent or DOM APIs" },
+    { name: "dangerouslySetInnerHTML", pattern: /dangerouslySetInnerHTML/, severity: "error", message: "dangerouslySetInnerHTML bypasses React's XSS protection" },
+    { name: "document.write", pattern: /document\.write\s*\(/, severity: "error", message: "document.write blocks rendering" },
+    { name: "http:// URL", pattern: /['"]http:\/\/(?!localhost|127\.0\.0\.1)/, severity: "warning", message: "Non-HTTPS URL — use https://" },
+    { name: "TODO/FIXME", pattern: /\b(TODO|FIXME|HACK|XXX)\b/, severity: "warning", message: "Unresolved TODO/FIXME comment" },
+    { name: "magic number", pattern: /(?:timeout|delay|interval|limit|max|min)\s*[:=]\s*\d{4,}(?!\d)/, severity: "warning", message: "Large magic number — consider a named constant" },
+];
+export function runStandards(cwd, stack) {
+    const start = Date.now();
+    const issues = [];
+    // Collect source files
+    const files = [];
+    const dirs = ["src", "web/src"];
+    for (const dir of dirs) {
+        try {
+            collectFiles(join(cwd, dir), cwd, files);
+        }
+        catch { /* dir doesn't exist */ }
+    }
+    // ── File naming conventions ──
+    let namingViolations = 0;
+    for (const f of files) {
+        const name = basename(f.path);
+        const ext = extname(name);
+        const base = name.replace(ext, "");
+        // React components should be PascalCase
+        if ((ext === ".tsx" || ext === ".jsx") && /^[A-Z]/.test(base)) {
+            // PascalCase component file — correct
+        }
+        else if ((ext === ".tsx" || ext === ".jsx") && /^[a-z]/.test(base) && base !== "main" && base !== "index") {
+            // lowercase tsx file that's not main/index — check if it exports a component
+            if (/export (default )?(function|const) [A-Z]/.test(f.content)) {
+                namingViolations++;
+                issues.push({ severity: "warning", message: `Component file should be PascalCase: ${name}`, file: f.path, rule: "file-naming" });
+            }
+        }
+        // Non-component TS files should be kebab-case or camelCase
+        if (ext === ".ts" && /[A-Z]/.test(base) && base !== "App" && !base.includes(".")) {
+            // PascalCase .ts file (not a component) — unusual
+            // Only flag if it's not a class file
+            if (!/export (default )?class /.test(f.content)) {
+                issues.push({ severity: "warning", message: `TS file uses PascalCase but doesn't export a class: ${name}`, file: f.path, rule: "file-naming" });
+            }
+        }
+    }
+    // ── Large files ──
+    let largeFiles = 0;
+    for (const f of files) {
+        const lines = f.content.split("\n").length;
+        if (lines > 300) {
+            largeFiles++;
+            issues.push({ severity: "warning", message: `${lines} lines — consider splitting (max 300)`, file: f.path, rule: "large-file" });
+        }
+        else if (lines > 200) {
+            issues.push({ severity: "warning", message: `${lines} lines — getting large`, file: f.path, rule: "large-file" });
+        }
+    }
+    // ── Code smell patterns ──
+    let smellCount = 0;
+    for (const f of files) {
+        const lines = f.content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (line.trim().startsWith("//") || line.trim().startsWith("*"))
+                continue;
+            for (const check of CODE_SMELLS) {
+                if (check.pattern.test(line)) {
+                    if (check.exclude && check.exclude.test(line))
+                        continue;
+                    smellCount++;
+                    issues.push({ severity: check.severity, message: check.message, file: f.path, line: i + 1, rule: check.name });
+                }
+            }
+        }
+    }
+    // ── Config hygiene ──
+    // tsconfig strict mode
+    if (stack.language === "typescript") {
+        const tsconfigPaths = ["tsconfig.json", "tsconfig.app.json"];
+        let strictFound = false;
+        for (const p of tsconfigPaths) {
+            try {
+                const tsconfig = JSON.parse(readFileSync(join(cwd, p), "utf-8"));
+                if (tsconfig.compilerOptions?.strict === true)
+                    strictFound = true;
+            }
+            catch { /* no tsconfig */ }
+        }
+        if (!strictFound) {
+            issues.push({ severity: "warning", message: "TypeScript strict mode not enabled — add \"strict\": true to tsconfig", rule: "ts-strict" });
+        }
+    }
+    // Tailwind: check for inline styles when TW is available
+    if (stack.framework === "react" && readDeps(cwd).tailwindcss) {
+        let inlineStyles = 0;
+        for (const f of files) {
+            if (!f.path.endsWith(".tsx"))
+                continue;
+            const matches = f.content.match(/style=\{\{/g);
+            if (matches)
+                inlineStyles += matches.length;
+        }
+        if (inlineStyles > 10) {
+            issues.push({ severity: "warning", message: `${inlineStyles} inline style objects in TSX — prefer Tailwind classes`, rule: "prefer-tailwind" });
+        }
+    }
+    const errors = issues.filter((i) => i.severity === "error").length;
+    const warnings = issues.filter((i) => i.severity === "warning").length;
+    const score = Math.max(0, Math.min(100, 100 - errors * 8 - warnings * 3 - largeFiles * 5));
+    return {
+        name: "standards",
+        score,
+        grade: gradeFromScore(score),
+        details: { filesScanned: files.length, codeSmells: smellCount, largeFiles, namingViolations },
+        issues,
+        duration: Date.now() - start,
+    };
+}
+function collectFiles(dir, cwd, out) {
+    for (const entry of readdirSync(dir)) {
+        if (entry === "node_modules" || entry === "dist" || entry === ".git")
+            continue;
+        const full = join(dir, entry);
+        if (statSync(full).isDirectory()) {
+            collectFiles(full, cwd, out);
+        }
+        else {
+            const ext = extname(entry);
+            if ([".ts", ".tsx", ".js", ".jsx"].includes(ext) && !entry.includes(".test.") && !entry.includes(".spec.")) {
+                out.push({ path: full.replace(cwd + "/", ""), content: readFileSync(full, "utf-8") });
+            }
+        }
+    }
+}
+function readDeps(cwd) {
+    try {
+        const pkg = JSON.parse(readFileSync(join(cwd, "package.json"), "utf-8"));
+        return { ...pkg.dependencies, ...pkg.devDependencies };
+    }
+    catch {
+        return {};
+    }
+}

package/dist/runners/structure.d.ts

@@ -0,0 +1,3 @@
+/** Project structure check — does the repo have standard files and conventions? */
+import type { CheckResult, StackInfo } from "../types.js";
+export declare function runStructure(cwd: string, stack: StackInfo): CheckResult;

package/dist/runners/structure.js

@@ -0,0 +1,110 @@
+/** Project structure check — does the repo have standard files and conventions? */
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { join, extname } from "node:path";
+import { gradeFromScore } from "../types.js";
+const EXPECTED_FILES = [
+    { name: "package.json", path: "package.json", required: true, description: "Package manifest" },
+    { name: "tsconfig.json", path: "tsconfig.json", required: false, description: "TypeScript configuration" },
+    { name: "LICENSE", path: "LICENSE", required: true, description: "Open source license" },
+    { name: ".gitignore", path: ".gitignore", required: true, description: "Git ignore rules" },
+    { name: "README.md", path: "README.md", required: false, description: "Project documentation" },
+];
+export function runStructure(cwd, stack) {
+    const start = Date.now();
+    const issues = [];
+    const found = [];
+    const missing = [];
+    // Check standard files
+    for (const fc of EXPECTED_FILES) {
+        // tsconfig is required only for TS projects
+        const required = fc.name === "tsconfig.json" ? stack.language === "typescript" : fc.required;
+        if (existsSync(join(cwd, fc.path))) {
+            found.push(fc.name);
+        }
+        else {
+            missing.push(fc.name);
+            issues.push({
+                severity: required ? "error" : "warning",
+                message: `Missing ${fc.name} — ${fc.description}`,
+                rule: "missing-file",
+            });
+        }
+    }
+    // Check for lockfile
+    const hasLock = ["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb"].some((f) => existsSync(join(cwd, f)));
+    if (hasLock) {
+        found.push("lockfile");
+    }
+    else {
+        issues.push({ severity: "warning", message: "No lockfile found — builds may not be reproducible", rule: "missing-lockfile" });
+    }
+    // Check for src directory
+    const hasSrc = existsSync(join(cwd, "src")) || existsSync(join(cwd, "web/src"));
+    if (!hasSrc) {
+        issues.push({ severity: "error", message: "No src/ directory found", rule: "no-src" });
+    }
+    // Count source vs test files
+    const srcFiles = [];
+    const testFiles = [];
+    collectAll(cwd, srcFiles, testFiles);
+    const srcCount = srcFiles.length;
+    const testCount = testFiles.length;
+    const testRatio = srcCount > 0 ? testCount / srcCount : 0;
+    if (testCount === 0 && srcCount > 0) {
+        issues.push({ severity: "error", message: `No test files found (${srcCount} source files with zero tests)`, rule: "no-tests" });
+    }
+    else if (testRatio < 0.3 && srcCount > 3) {
+        issues.push({ severity: "warning", message: `Low test-to-source ratio: ${testCount} tests for ${srcCount} source files (${Math.round(testRatio * 100)}%)`, rule: "low-test-ratio" });
+    }
+    // Check package.json has essential scripts
+    try {
+        const pkg = JSON.parse(readFileSync(join(cwd, "package.json"), "utf-8"));
+        const scripts = pkg.scripts || {};
+        if (!scripts.test)
+            issues.push({ severity: "warning", message: "No 'test' script in package.json", rule: "no-test-script" });
+        if (!scripts.build && !scripts.dev)
+            issues.push({ severity: "info", message: "No 'build' or 'dev' script in package.json", rule: "no-build-script" });
+    }
+    catch { /* no package.json or parse error */ }
+    const errors = issues.filter((i) => i.severity === "error").length;
+    const warnings = issues.filter((i) => i.severity === "warning").length;
+    const score = Math.max(0, Math.min(100, 100 - errors * 15 - warnings * 5));
+    return {
+        name: "structure",
+        score,
+        grade: gradeFromScore(score),
+        details: { found, missing, srcFiles: srcCount, testFiles: testCount, testRatio: Math.round(testRatio * 100) + "%" },
+        issues,
+        duration: Date.now() - start,
+    };
+}
+function collectAll(cwd, src, test) {
+    const dirs = ["src", "web/src"];
+    for (const dir of dirs) {
+        try {
+            walk(join(cwd, dir), src, test);
+        }
+        catch { /* dir doesn't exist */ }
+    }
+}
+function walk(dir, src, test) {
+    for (const entry of readdirSync(dir)) {
+        if (entry === "node_modules" || entry === "dist")
+            continue;
+        const full = join(dir, entry);
+        if (statSync(full).isDirectory()) {
+            walk(full, src, test);
+        }
+        else {
+            const ext = extname(entry);
+            if ([".ts", ".tsx", ".js", ".jsx"].includes(ext)) {
+                if (entry.includes(".test.") || entry.includes(".spec.")) {
+                    test.push(full);
+                }
+                else {
+                    src.push(full);
+                }
+            }
+        }
+    }
+}

package/dist/runners/testing.d.ts

@@ -0,0 +1,12 @@
+/** Comprehensive testing assessment — pyramid layers, quality, coverage.
+ *
+ * Dimensions assessed:
+ *   1. Pyramid presence — which layers exist? (unit, integration, e2e, component)
+ *   2. Test execution — pass/fail from the runner
+ *   3. Coverage — statement, branch, function, line
+ *   4. File pairing — does each source file have a test file?
+ *   5. Test quality — naming, assertions, mocking patterns, snapshot smell
+ *   6. Pyramid balance — right ratio of fast-to-slow tests
+ */
+import type { CheckResult, StackInfo } from "../types.js";
+export declare function runTesting(cwd: string, stack: StackInfo, skipExec: boolean): CheckResult;