@vibedrift/cli 0.3.2 → 0.4.1

package/dist/index.js

@@ -195,6 +195,7 @@ var init_version = __esm({
 });
 
 // src/codedna/semantic-fingerprint.ts
+import { createHash as createHash2 } from "crypto";
 function normalizeBody(body, language) {
   let normalized = body;
   normalized = normalized.replace(/\/\/.*$/gm, "");
@@ -262,7 +263,11 @@ function computeSemanticFingerprints(functions) {
     normalizedHash: fnv1aHash(normalizeBody(fn.rawBody, fn.language))
   }));
 }
-function findDuplicateGroups(fingerprints) {
+function findDuplicateGroups(fingerprints, functions) {
+  const fnLookup = /* @__PURE__ */ new Map();
+  for (const fn of functions) {
+    fnLookup.set(`${fn.name}:${fn.file}`, fn);
+  }
   const byHash = /* @__PURE__ */ new Map();
   for (const fp of fingerprints) {
     if (!byHash.has(fp.normalizedHash)) byHash.set(fp.normalizedHash, []);
@@ -272,13 +277,25 @@ function findDuplicateGroups(fingerprints) {
   let groupCounter = 0;
   for (const [hash, fps] of byHash) {
     if (fps.length < 2) continue;
-    const uniqueFiles = new Set(fps.map((fp) => fp.functionRef.file));
-    if (uniqueFiles.size < 2) continue;
-    groups.push({
-      groupId: `fingerprint-${groupCounter++}`,
-      hash,
-      functions: fps.map((fp) => fp.functionRef)
-    });
+    const bySha = /* @__PURE__ */ new Map();
+    for (const fp of fps) {
+      const key = `${fp.functionRef.name}:${fp.functionRef.file}`;
+      const fn = fnLookup.get(key);
+      if (!fn) continue;
+      const sha = createHash2("sha256").update(normalizeBody(fn.rawBody, fn.language)).digest("hex");
+      if (!bySha.has(sha)) bySha.set(sha, []);
+      bySha.get(sha).push(fp);
+    }
+    for (const [, shaGroup] of bySha) {
+      if (shaGroup.length < 2) continue;
+      const uniqueFiles = new Set(shaGroup.map((fp) => fp.functionRef.file));
+      if (uniqueFiles.size < 2) continue;
+      groups.push({
+        groupId: `fingerprint-${groupCounter++}`,
+        hash,
+        functions: shaGroup.map((fp) => fp.functionRef)
+      });
+    }
   }
   return groups;
 }
@@ -923,7 +940,7 @@ function runCodeDnaAnalysis(ctx) {
   timings.extractionMs = Date.now() - t;
   t = Date.now();
   const fingerprints = computeSemanticFingerprints(functions);
-  const duplicateGroups = findDuplicateGroups(fingerprints);
+  const duplicateGroups = findDuplicateGroups(fingerprints, functions);
   timings.fingerprintMs = Date.now() - t;
   t = Date.now();
   const sequences = extractOperationSequences(functions);
@@ -1206,9 +1223,9 @@ __export(project_name_exports, {
 });
 import { basename, join as join6 } from "path";
 import { readFile as readFile5 } from "fs/promises";
-import { createHash as createHash2 } from "crypto";
+import { createHash as createHash3 } from "crypto";
 async function detectProjectIdentity(rootDir, override) {
-  const hash = createHash2("sha256").update(rootDir).digest("hex");
+  const hash = createHash3("sha256").update(rootDir).digest("hex");
   if (override && override.trim()) {
     return { name: override.trim(), hash };
   }
@@ -1304,9 +1321,29 @@ function buildDeviationPayloads(codeDnaResult, driftFindings) {
       const hasComment = dj.signals?.some((s) => s.type === "explanatory_comment" && s.present) ?? false;
       const sqlComplexity = dj.signals?.find((s) => s.type === "complex_sql")?.present ? 3 : 0;
       const funcComplexity = dj.signals?.reduce((sum, s) => sum + (s.present ? Math.abs(s.weight) : 0), 0) ?? 0;
+      const patternToType = {
+        repository: "data_access",
+        raw_sql: "data_access",
+        orm: "data_access",
+        direct_db: "data_access",
+        http_client: "data_access",
+        wrap_with_context: "error_handling",
+        raw_propagation: "error_handling",
+        swallow: "error_handling",
+        http_error_response: "error_handling",
+        exception_throw: "error_handling",
+        result_type: "error_handling",
+        constructor_injection: "di",
+        global_import: "di",
+        service_locator: "di",
+        no_di: "di",
+        env_direct: "config",
+        config_struct_di: "config"
+      };
+      const inferredType = patternToType[dj.deviatingPattern] ?? patternToType[dj.dominantPattern] ?? "data_access";
       deviations.push({
         file: dj.relativePath,
-        deviation_type: "architectural",
+        deviation_type: inferredType,
         dominant_pattern: dj.dominantPattern,
         actual_pattern: dj.deviatingPattern,
         dominant_count: 0,
@@ -1327,7 +1364,7 @@ function buildDeviationPayloads(codeDnaResult, driftFindings) {
       seen.add(key);
       deviations.push({
         file: df.path,
-        deviation_type: d.subCategory ?? "architectural",
+        deviation_type: d.subCategory ?? "data_access",
         dominant_pattern: d.dominantPattern,
         actual_pattern: df.detectedPattern,
         dominant_count: d.dominantCount,
@@ -1456,9 +1493,11 @@ function deduplicateFindingsAcrossLayers(findings) {
   return [...nonDuplicate, ...dedupedDuplicates];
 }
 function makeFilePairKey(f) {
-  const files = f.locations.map((l) => l.file).filter(Boolean).sort();
+  const files = [...new Set(
+    f.locations.map((l) => l.file).filter(Boolean)
+  )].sort();
   if (files.length >= 2) {
-    return `dup::${files[0]}::${files[1]}`;
+    return `dup::${files.join("::")}`;
   }
   return `dup::${files[0] ?? "unknown"}::${f.analyzerId}`;
 }
@@ -2682,7 +2721,7 @@ var namingAnalyzer = {
 init_esm_shims();
 var ESM_PATTERN = /\b(?:import\s+|export\s+(?:default\s+)?(?:function|class|const|let|var|{))/;
 var CJS_PATTERN = /\b(?:require\s*\(|module\.exports|exports\.)/;
-var CONFIG_FILE_PATTERN = /(?:\.config\.|\.setup\.|\.rc\.|jest\.|babel\.|webpack\.|rollup\.|vite\.)/;
+var CONFIG_FILE_PATTERN = /(?:\.config\.|\.setup\.|\.rc\.|jest\.|babel\.|webpack\.|rollup\.|vite\.|next\.config|tailwind\.config|postcss\.config|tsconfig|eslint\.config|prettier\.config|svelte\.config|nuxt\.config|astro\.config|vitest\.config|tsup\.config|esbuild\.config|turbo\.json|\.cjs$|\.mjs$)/;
 var importsAnalyzer = {
   id: "imports",
   name: "Import Patterns",
@@ -2743,8 +2782,6 @@ function densityPer1K(count, totalLines) {
 
 // src/analyzers/error-handling.ts
 var EMPTY_CATCH_PATTERN = /catch\s*\([^)]*\)\s*\{\s*\}/g;
-var TRY_CATCH_PATTERN = /\btry\s*\{/g;
-var ASYNC_PATTERN = /\basync\s+(?:function|\(|[a-zA-Z])/g;
 var errorHandlingAnalyzer = {
   id: "error-handling",
   name: "Error Handling",
@@ -2781,22 +2818,43 @@ var errorHandlingAnalyzer = {
         tags: ["error-handling", "empty-catch"]
       });
     }
-    const dirStats = /* @__PURE__ */ new Map();
+    const ASYNC_FN_PATTERN = /async\s+(?:function\s+\w+|\(\w*\)|\w+)\s*\([^)]*\)\s*(?::\s*[^{]*)?\s*\{/g;
+    const ERROR_HANDLING_PATTERNS = [
+      /\btry\s*\{/,
+      /\.catch\s*\(/,
+      /\bcatch\s*\(/,
+      /\b(?:Result|Either)\s*[<(]/
+    ];
+    const dirUnhandled = /* @__PURE__ */ new Map();
     for (const file of jsFiles) {
       const dir = file.relativePath.includes("/") ? file.relativePath.slice(0, file.relativePath.lastIndexOf("/")) : ".";
-      if (!dirStats.has(dir)) dirStats.set(dir, { tryCatch: 0, asyncFns: 0 });
-      const stats = dirStats.get(dir);
-      stats.tryCatch += (file.content.match(TRY_CATCH_PATTERN) ?? []).length;
-      stats.asyncFns += (file.content.match(ASYNC_PATTERN) ?? []).length;
-    }
-    for (const [dir, stats] of dirStats) {
-      const unhandled = stats.asyncFns - stats.tryCatch;
-      if (unhandled > 3) {
+      const asyncRegex = new RegExp(ASYNC_FN_PATTERN.source, "g");
+      let fnMatch;
+      while ((fnMatch = asyncRegex.exec(file.content)) !== null) {
+        const openBrace = file.content.indexOf("{", fnMatch.index + fnMatch[0].length - 1);
+        if (openBrace === -1) continue;
+        let depth = 1;
+        let pos = openBrace + 1;
+        while (pos < file.content.length && depth > 0) {
+          if (file.content[pos] === "{") depth++;
+          else if (file.content[pos] === "}") depth--;
+          pos++;
+        }
+        const body = file.content.slice(openBrace + 1, pos - 1);
+        if (!/\bawait\b/.test(body)) continue;
+        const hasHandling = ERROR_HANDLING_PATTERNS.some((p) => p.test(body));
+        if (!hasHandling) {
+          dirUnhandled.set(dir, (dirUnhandled.get(dir) ?? 0) + 1);
+        }
+      }
+    }
+    for (const [dir, count] of dirUnhandled) {
+      if (count > 3) {
         findings.push({
           analyzerId: "error-handling",
           severity: "info",
           confidence: 0.6,
-          message: `${unhandled} async functions without try/catch in ${dir}/`,
+          message: `${count} async functions without error handling in ${dir}/`,
           locations: [{ file: dir }],
           tags: ["error-handling", "unhandled-async"]
         });
@@ -3418,6 +3476,16 @@ var duplicatesAnalyzer = {
         }
       }
     }
+    if (allSequences.length > 200) {
+      findings.push({
+        analyzerId: "duplicates",
+        severity: "info",
+        confidence: 0.3,
+        message: `Cross-function duplicate detection limited to hash-based matching (${allSequences.length} functions exceeds the 200-function threshold for full comparison). Use --include to narrow scope for deeper analysis.`,
+        locations: [],
+        tags: ["duplicates", "scalability"]
+      });
+    }
     if (allSequences.length <= 200) {
       for (let i = 0; i < allSequences.length; i++) {
         for (let j = i + 1; j < allSequences.length; j++) {
@@ -3768,7 +3836,9 @@ var SECURITY_PATTERNS = [
     message: "Math.random() is not cryptographically secure \u2014 use crypto.randomUUID()",
     languages: ["javascript", "typescript"],
     tags: ["security", "crypto"],
-    negativeFilter: /(?:test|mock|seed|shuffle|animation|color|position|offset|delay|jitter)/i
+    negativeFilter: /(?:test|mock|seed|shuffle|animation|color|position|offset|delay|jitter)/i,
+    // Only flag near security-relevant code — UI shuffles/animations are not a risk
+    contextRequired: /(?:token|secret|password|key|nonce|salt|hash|crypto|auth|session|jwt|api.?key|credential)/i
   },
   // === Path Traversal ===
   {
@@ -3860,6 +3930,14 @@ var securityAnalyzer = {
             const line = file.content.slice(lineStart2, lineEnd2 === -1 ? void 0 : lineEnd2);
             if (pattern.negativeFilter.test(line)) continue;
           }
+          if (pattern.contextRequired) {
+            const lines = file.content.split("\n");
+            const matchLine = file.content.slice(0, match.index).split("\n").length - 1;
+            const start = Math.max(0, matchLine - 5);
+            const end = Math.min(lines.length, matchLine + 6);
+            const context = lines.slice(start, end).join("\n");
+            if (!pattern.contextRequired.test(context)) continue;
+          }
           const lineNum = getLineNumber(file.content, match.index);
           const lineStart = file.content.lastIndexOf("\n", match.index) + 1;
           const lineEnd = file.content.indexOf("\n", match.index);
@@ -3974,7 +4052,11 @@ function computeComplexityAST(node, language) {
   walk(node);
   return complexity;
 }
+function stripComments(code) {
+  return code.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/.*$/gm, "").replace(/#.*$/gm, "");
+}
 function computeComplexityRegex(content) {
+  const stripped = stripComments(content);
   let complexity = 1;
   const patterns = [
     /\bif\s*\(/g,
@@ -3997,7 +4079,7 @@ function computeComplexityRegex(content) {
   ];
   for (const p of patterns) {
     const regex = new RegExp(p.source, p.flags);
-    const matches = content.match(regex);
+    const matches = stripped.match(regex);
     if (matches) complexity += matches.length;
   }
   return complexity;
@@ -5397,7 +5479,7 @@ function analyzeSecurityProperty(routes, propertyName, getter, excludePaths) {
   const withProperty = applicableRoutes.filter(getter);
   const withoutProperty = applicableRoutes.filter((r) => !getter(r));
   const ratio = withProperty.length / applicableRoutes.length;
-  if (ratio <= 0.6 || withoutProperty.length === 0) return null;
+  if (ratio <= 0.75 || withoutProperty.length === 0) return null;
   return {
     detector: "security_posture",
     subCategory: propertyName,
@@ -5957,9 +6039,9 @@ function computeDriftScores(findings) {
   ) / 10;
   let grade;
   if (composite >= 90) grade = "A";
-  else if (composite >= 80) grade = "B";
-  else if (composite >= 65) grade = "C";
-  else if (composite >= 50) grade = "D";
+  else if (composite >= 75) grade = "B";
+  else if (composite >= 50) grade = "C";
+  else if (composite >= 25) grade = "D";
   else grade = "F";
   return {
     ...scores,
@@ -6118,10 +6200,10 @@ function computeCategoryScore(findings, maxScore, totalLines, applicable, correl
     }
     rawWeight += base * confidence * fileWeight * corrWeight;
   }
-  const sizeFactor = totalLines > 100 ? Math.sqrt(totalLines / 1e3) : 1;
+  const sizeFactor = totalLines > 500 ? Math.sqrt(totalLines / 1e3) : 1;
   const clampedSizeFactor = Math.max(0.5, Math.min(3, sizeFactor));
   const adjustedWeight = rawWeight / clampedSizeFactor;
-  const k = Math.LN2 / 10;
+  const k = Math.LN2 / 15;
   const factor = Math.exp(-k * adjustedWeight);
   const score = Math.round(maxScore * factor * 10) / 10;
   return {
@@ -6172,7 +6254,7 @@ function computeScores(findings, totalLines, ctx, previousScores) {
   }
   const DRAG_CATEGORIES = ["architecturalConsistency", "redundancy"];
   const DRAG_THRESHOLD = 0.5;
-  const DRAG_MAX_PENALTY = 0.15;
+  const DRAG_MAX_PENALTY = 0.1;
   for (const cat of DRAG_CATEGORIES) {
     const s = scores[cat];
     if (!s.applicable || s.maxScore === 0) continue;