aislop 0.1.0 → 0.1.2

package/README.md

@@ -326,6 +326,26 @@ npx aislop scan --staged
 
 ---
 
+## Telemetry
+
+`aislop` collects anonymous usage analytics to help us understand how the tool is used and prioritize improvements. **No code, file paths, project names, or secrets are ever collected.**
+
+What we collect: command run (scan/fix/ci), languages detected, score bucket, issue counts per engine, engine timing, OS, Node version, and aislop version.
+
+Telemetry is **off in CI** by default. To opt out anywhere:
+
+```bash
+# Environment variable (any of these)
+AISLOP_NO_TELEMETRY=1 aislop scan
+DO_NOT_TRACK=1 aislop scan
+
+# Or in .aislop/config.yml
+telemetry:
+  enabled: false
+```
+
+---
+
 ## Contributing
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, project architecture, and how to add new rules or engines.

package/dist/cli.js

@@ -51,7 +51,8 @@ const DEFAULT_CONFIG = {
 	ci: {
 		failBelow: 0,
 		format: "json"
-	}
+	},
+	telemetry: { enabled: true }
 };
 const DEFAULT_CONFIG_YAML = `version: 1
 
@@ -88,6 +89,9 @@ scoring:
 ci:
   failBelow: 0
   format: json
+
+# telemetry:
+#   enabled: true        # set to false to disable anonymous usage analytics
 `;
 const DEFAULT_RULES_YAML = `# Architecture rules (BYO)
 # Uncomment and customize to enforce your project's conventions.
@@ -148,6 +152,7 @@ const CiSchema = z.object({
 	failBelow: z.number().default(0),
 	format: z.enum(["json"]).default("json")
 });
+const TelemetrySchema = z.object({ enabled: z.boolean().default(true) });
 const AislopConfigSchema = z.object({
 	version: z.number().default(1),
 	engines: EnginesSchema.default(() => ({
@@ -178,7 +183,8 @@ const AislopConfigSchema = z.object({
 	ci: CiSchema.default(() => ({
 		failBelow: 0,
 		format: "json"
-	}))
+	})),
+	telemetry: TelemetrySchema.default(() => ({ enabled: true }))
 });
 const defaults = AislopConfigSchema.parse({});
 /**
@@ -1380,17 +1386,21 @@ const isDataFile = (content) => {
 	const dataLinePattern = /^\s*[{}[\]"']/;
 	return nonEmpty.filter((l) => dataLinePattern.test(l)).length / nonEmpty.length > .8;
 };
+const ARROW_BLOCK_RE = /* @__PURE__ */ new RegExp("=>\\s*\\{");
+const ARROW_END_RE = /* @__PURE__ */ new RegExp("=>\\s*$");
+const BRACE_START_RE = /* @__PURE__ */ new RegExp("^\\s*\\{");
+const NEW_STATEMENT_RE = /* @__PURE__ */ new RegExp("^(?:export\\s+)?(?:const|let|var|function|class)\\s");
 const isBlockArrow = (lines, startIndex) => {
-	if (/=>\s*\{/.test(lines[startIndex])) return true;
-	if (/=>\s*$/.test(lines[startIndex])) {
+	if (ARROW_BLOCK_RE.test(lines[startIndex])) return true;
+	if (ARROW_END_RE.test(lines[startIndex])) {
 		const next = lines[startIndex + 1];
-		if (next && /^\s*\{/.test(next)) return true;
+		if (next && BRACE_START_RE.test(next)) return true;
 	}
 	for (let j = startIndex + 1; j < Math.min(startIndex + 3, lines.length); j++) {
 		const l = lines[j];
-		if (l.trim() === "" || /^(?:export\s+)?(?:const|let|var|function|class)\s/.test(l.trim())) break;
-		if (/=>\s*\{/.test(l)) return true;
-		if (/^\s*\{/.test(l)) return true;
+		if (l.trim() === "" || NEW_STATEMENT_RE.test(l.trim())) break;
+		if (ARROW_BLOCK_RE.test(l)) return true;
+		if (BRACE_START_RE.test(l)) return true;
 	}
 	return false;
 };
@@ -2750,7 +2760,7 @@ const RISKY_PATTERNS = [
 		help: "Avoid dynamic code execution — refactor to use static code paths"
 	},
 	{
-		pattern: /\.innerHTML\s*=/g,
+		pattern: new RegExp(`\\.innerHTML\\s*=`, "g"),
 		extensions: [
 			".ts",
 			".tsx",
@@ -2847,6 +2857,10 @@ const detectRiskyConstructs = async (context) => {
 			let match;
 			while ((match = regex.exec(content)) !== null) {
 				const line = content.slice(0, match.index).split("\n").length;
+				if (name === "innerhtml") {
+					const beforeMatch = content.slice(Math.max(0, match.index - 200), match.index);
+					if (/(?:template|tmpl|tpl)$/i.test(beforeMatch.trimEnd()) || /createElement\s*\(\s*['"]template['"]\s*\)$/.test(beforeMatch.trimEnd())) continue;
+				}
 				if (name === "sql-injection") {
 					const afterMatch = content.slice(match.index + match[0].length, match.index + match[0].length + 100);
 					if (/^(?:\w+\.join\s*\(|[A-Z_]+\}|tableName\}|table\})/.test(afterMatch)) continue;
@@ -3104,7 +3118,7 @@ const logger = {
 * Application version — injected at build time by tsdown from package.json.
 * The fallback should always match the "version" field in package.json.
 */
-const APP_VERSION = "0.1.0";
+const APP_VERSION = "0.1.2";
 
 //#endregion
 //#region src/output/layout.ts
@@ -3613,6 +3627,95 @@ const spinner = (text) => ({ start() {
 	};
 } });
 
+//#endregion
+//#region src/utils/telemetry.ts
+/**
+* Anonymous, opt-out telemetry for aislop.
+*
+* What we collect:
+*   - Command run (scan, fix, ci)
+*   - Languages detected in the project
+*   - Score bucket (0-25, 25-50, 50-75, 75-100)
+*   - Issue counts per engine (not file paths or code)
+*   - Engine timing (milliseconds)
+*   - OS, architecture, and Node version
+*   - aislop version
+*
+* What we never collect:
+*   - File paths, file contents, or code snippets
+*   - Project names or directory paths
+*   - Git remotes, branch names, or commit hashes
+*   - Environment variables or secrets
+*   - IP addresses are not stored (PostHog configured to discard)
+*
+* How to opt out (any one of these):
+*   - Set AISLOP_NO_TELEMETRY=1
+*   - Set DO_NOT_TRACK=1 (https://consoledonottrack.com)
+*   - Set CI=true (telemetry is off in CI by default)
+*   - Set telemetry.enabled: false in .aislop/config.yml
+*/
+const POSTHOG_HOST = "https://eu.i.posthog.com";
+const POSTHOG_KEY = "phc_eY2cOMFva9q24GrWeOuvuVIOhCIdjOALxeAR3ItrqbJ";
+/**
+* Returns true if telemetry should be disabled.
+* Telemetry is opt-out: it runs unless explicitly disabled.
+*/
+const isTelemetryDisabled = (configEnabled) => {
+	if (process.env.AISLOP_NO_TELEMETRY === "1" || process.env.DO_NOT_TRACK === "1") return true;
+	if (process.env.CI === "true" || process.env.CI === "1") return true;
+	if (configEnabled === false) return true;
+	return false;
+};
+const getScoreBucket = (score) => {
+	if (score >= 75) return "75-100";
+	if (score >= 50) return "50-75";
+	if (score >= 25) return "25-50";
+	return "0-25";
+};
+/**
+* Returns a stable anonymous device ID derived from hostname + OS.
+* This is NOT personally identifiable — it's a hash used only to
+* count unique devices, not to identify users.
+*/
+const getAnonymousId = () => {
+	const raw = `${os.hostname()}-${os.platform()}-${os.arch()}`;
+	let hash = 5381;
+	for (let i = 0; i < raw.length; i++) hash = hash * 33 ^ raw.charCodeAt(i);
+	return `aislop_${(hash >>> 0).toString(36)}`;
+};
+/**
+* Fire-and-forget telemetry event to PostHog.
+* Never throws, never blocks, never affects CLI output or exit code.
+*/
+const trackEvent = (event) => {
+	const payload = {
+		api_key: POSTHOG_KEY,
+		event: `cli_${event.command}`,
+		distinct_id: getAnonymousId(),
+		properties: {
+			version: APP_VERSION,
+			node_version: process.version,
+			os: os.platform(),
+			arch: os.arch(),
+			languages: event.languages,
+			score_bucket: event.scoreBucket,
+			engine_issues: event.engineIssues,
+			engine_timings: event.engineTimings,
+			elapsed_ms: event.elapsedMs,
+			file_count: event.fileCount,
+			fix_steps: event.fixSteps,
+			fix_resolved: event.fixResolved
+		},
+		timestamp: (/* @__PURE__ */ new Date()).toISOString()
+	};
+	fetch(`${POSTHOG_HOST}/capture/`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(payload),
+		signal: AbortSignal.timeout(3e3)
+	}).catch(() => {});
+};
+
 //#endregion
 //#region src/commands/scan.ts
 const shouldUseSpinner = () => Boolean(process.stderr.isTTY) && process.env.CI !== "true" && process.env.CI !== "1";
@@ -3669,7 +3772,24 @@ const scanCommand = async (directory, config, options) => {
 	const allDiagnostics = results.flatMap((r) => r.diagnostics);
 	const elapsedMs = performance.now() - startTime;
 	const scoreResult = calculateScore(allDiagnostics, config.scoring.weights, config.scoring.thresholds);
-	const exitCode = scoreResult.score < config.ci.failBelow ? 1 : 0;
+	const exitCode = allDiagnostics.some((d) => d.severity === "error") || scoreResult.score < config.ci.failBelow ? 1 : 0;
+	if (!isTelemetryDisabled(config.telemetry?.enabled)) {
+		const engineIssues = {};
+		const engineTimings = {};
+		for (const r of results) {
+			engineIssues[r.engine] = r.diagnostics.length;
+			engineTimings[r.engine] = Math.round(r.elapsed);
+		}
+		trackEvent({
+			command: options.command ?? "scan",
+			languages: projectInfo.languages,
+			scoreBucket: getScoreBucket(scoreResult.score),
+			engineIssues,
+			engineTimings,
+			elapsedMs: Math.round(elapsedMs),
+			fileCount: projectInfo.sourceFileCount
+		});
+	}
 	if (options.json) {
 		const { buildJsonOutput } = await import("./json-L5x3hQdy.js");
 		const jsonOut = buildJsonOutput(results, scoreResult, projectInfo.sourceFileCount, elapsedMs);
@@ -3692,7 +3812,8 @@ const ciCommand = async (directory, config) => {
 		changes: false,
 		staged: false,
 		verbose: false,
-		json: true
+		json: true,
+		command: "ci"
 	});
 };
 
@@ -3944,6 +4065,15 @@ const fixCommand = async (directory, config, options = {
 		logger.break();
 		summarizeFixRun(steps);
 	}
+	if (!isTelemetryDisabled(config.telemetry?.enabled)) {
+		const totalResolved = steps.reduce((sum, s) => sum + s.resolvedIssues, 0);
+		trackEvent({
+			command: "fix",
+			languages: projectInfo.languages,
+			fixSteps: steps.length,
+			fixResolved: totalResolved
+		});
+	}
 	logger.break();
 	logger.success("  ✓ Done. Run `aislop scan` to verify.");
 	logger.break();

package/dist/{engine-info-DBG3uXLc.js → engine-info-B4Eq4giL.js}

@@ -3,7 +3,7 @@
 * Application version — injected at build time by tsdown from package.json.
 * The fallback should always match the "version" field in package.json.
 */
-const APP_VERSION = "0.1.0";
+const APP_VERSION = "0.1.2";
 
 //#endregion
 //#region src/output/engine-info.ts

package/dist/index.d.ts

@@ -37,6 +37,9 @@ declare const AislopConfigSchema: z.ZodObject<{
       json: "json";
     }>>;
   }, z.core.$strip>>;
+  telemetry: z.ZodDefault<z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+  }, z.core.$strip>>;
 }, z.core.$strip>;
 type AislopConfig = z.infer<typeof AislopConfigSchema>;
 //#endregion
@@ -60,6 +63,8 @@ interface ScanOptions {
   verbose: boolean;
   json: boolean;
   showHeader?: boolean;
+  /** Used for telemetry to distinguish scan vs ci invocation */
+  command?: "scan" | "ci";
 }
 declare const scanCommand: (directory: string, config: AislopConfig, options: ScanOptions) => Promise<{
   exitCode: number;

package/dist/index.js

@@ -1,4 +1,4 @@
-import { n as getEngineLabel, r as APP_VERSION, t as ENGINE_INFO } from "./engine-info-DBG3uXLc.js";
+import { n as getEngineLabel, r as APP_VERSION, t as ENGINE_INFO } from "./engine-info-B4Eq4giL.js";
 import { n as runSubprocess, t as isToolInstalled } from "./subprocess-99puEEGl.js";
 import { createRequire } from "node:module";
 import fs from "node:fs";
@@ -1022,6 +1022,95 @@ const printMaybePaged = async (text) => {
 	if (!await pipeToPager(pager.command, pager.args, text)) writeToStdout(text);
 };
 
+//#endregion
+//#region src/utils/telemetry.ts
+/**
+* Anonymous, opt-out telemetry for aislop.
+*
+* What we collect:
+*   - Command run (scan, fix, ci)
+*   - Languages detected in the project
+*   - Score bucket (0-25, 25-50, 50-75, 75-100)
+*   - Issue counts per engine (not file paths or code)
+*   - Engine timing (milliseconds)
+*   - OS, architecture, and Node version
+*   - aislop version
+*
+* What we never collect:
+*   - File paths, file contents, or code snippets
+*   - Project names or directory paths
+*   - Git remotes, branch names, or commit hashes
+*   - Environment variables or secrets
+*   - IP addresses are not stored (PostHog configured to discard)
+*
+* How to opt out (any one of these):
+*   - Set AISLOP_NO_TELEMETRY=1
+*   - Set DO_NOT_TRACK=1 (https://consoledonottrack.com)
+*   - Set CI=true (telemetry is off in CI by default)
+*   - Set telemetry.enabled: false in .aislop/config.yml
+*/
+const POSTHOG_HOST = "https://eu.i.posthog.com";
+const POSTHOG_KEY = "phc_eY2cOMFva9q24GrWeOuvuVIOhCIdjOALxeAR3ItrqbJ";
+/**
+* Returns true if telemetry should be disabled.
+* Telemetry is opt-out: it runs unless explicitly disabled.
+*/
+const isTelemetryDisabled = (configEnabled) => {
+	if (process.env.AISLOP_NO_TELEMETRY === "1" || process.env.DO_NOT_TRACK === "1") return true;
+	if (process.env.CI === "true" || process.env.CI === "1") return true;
+	if (configEnabled === false) return true;
+	return false;
+};
+const getScoreBucket = (score) => {
+	if (score >= 75) return "75-100";
+	if (score >= 50) return "50-75";
+	if (score >= 25) return "25-50";
+	return "0-25";
+};
+/**
+* Returns a stable anonymous device ID derived from hostname + OS.
+* This is NOT personally identifiable — it's a hash used only to
+* count unique devices, not to identify users.
+*/
+const getAnonymousId = () => {
+	const raw = `${os.hostname()}-${os.platform()}-${os.arch()}`;
+	let hash = 5381;
+	for (let i = 0; i < raw.length; i++) hash = hash * 33 ^ raw.charCodeAt(i);
+	return `aislop_${(hash >>> 0).toString(36)}`;
+};
+/**
+* Fire-and-forget telemetry event to PostHog.
+* Never throws, never blocks, never affects CLI output or exit code.
+*/
+const trackEvent = (event) => {
+	const payload = {
+		api_key: POSTHOG_KEY,
+		event: `cli_${event.command}`,
+		distinct_id: getAnonymousId(),
+		properties: {
+			version: APP_VERSION,
+			node_version: process.version,
+			os: os.platform(),
+			arch: os.arch(),
+			languages: event.languages,
+			score_bucket: event.scoreBucket,
+			engine_issues: event.engineIssues,
+			engine_timings: event.engineTimings,
+			elapsed_ms: event.elapsedMs,
+			file_count: event.fileCount,
+			fix_steps: event.fixSteps,
+			fix_resolved: event.fixResolved
+		},
+		timestamp: (/* @__PURE__ */ new Date()).toISOString()
+	};
+	fetch(`${POSTHOG_HOST}/capture/`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(payload),
+		signal: AbortSignal.timeout(3e3)
+	}).catch(() => {});
+};
+
 //#endregion
 //#region src/commands/fix.ts
 const uniqueFiles = (diagnostics) => [...new Set(diagnostics.map((d) => d.filePath))];
@@ -1136,6 +1225,15 @@ const fixCommand = async (directory, config, options = {
 		logger.break();
 		summarizeFixRun(steps);
 	}
+	if (!isTelemetryDisabled(config.telemetry?.enabled)) {
+		const totalResolved = steps.reduce((sum, s) => sum + s.resolvedIssues, 0);
+		trackEvent({
+			command: "fix",
+			languages: projectInfo.languages,
+			fixSteps: steps.length,
+			fixResolved: totalResolved
+		});
+	}
 	logger.break();
 	logger.success("  ✓ Done. Run `aislop scan` to verify.");
 	logger.break();
@@ -1180,7 +1278,8 @@ const DEFAULT_CONFIG = {
 	ci: {
 		failBelow: 0,
 		format: "json"
-	}
+	},
+	telemetry: { enabled: true }
 };
 const DEFAULT_CONFIG_YAML = `version: 1
 
@@ -1217,6 +1316,9 @@ scoring:
 ci:
   failBelow: 0
   format: json
+
+# telemetry:
+#   enabled: true        # set to false to disable anonymous usage analytics
 `;
 const DEFAULT_RULES_YAML = `# Architecture rules (BYO)
 # Uncomment and customize to enforce your project's conventions.
@@ -1277,6 +1379,7 @@ const CiSchema = z.object({
 	failBelow: z.number().default(0),
 	format: z.enum(["json"]).default("json")
 });
+const TelemetrySchema = z.object({ enabled: z.boolean().default(true) });
 const AislopConfigSchema = z.object({
 	version: z.number().default(1),
 	engines: EnginesSchema.default(() => ({
@@ -1307,7 +1410,8 @@ const AislopConfigSchema = z.object({
 	ci: CiSchema.default(() => ({
 		failBelow: 0,
 		format: "json"
-	}))
+	})),
+	telemetry: TelemetrySchema.default(() => ({ enabled: true }))
 });
 const defaults = AislopConfigSchema.parse({});
 /**
@@ -2395,17 +2499,21 @@ const isDataFile = (content) => {
 	const dataLinePattern = /^\s*[{}[\]"']/;
 	return nonEmpty.filter((l) => dataLinePattern.test(l)).length / nonEmpty.length > .8;
 };
+const ARROW_BLOCK_RE = /* @__PURE__ */ new RegExp("=>\\s*\\{");
+const ARROW_END_RE = /* @__PURE__ */ new RegExp("=>\\s*$");
+const BRACE_START_RE = /* @__PURE__ */ new RegExp("^\\s*\\{");
+const NEW_STATEMENT_RE = /* @__PURE__ */ new RegExp("^(?:export\\s+)?(?:const|let|var|function|class)\\s");
 const isBlockArrow = (lines, startIndex) => {
-	if (/=>\s*\{/.test(lines[startIndex])) return true;
-	if (/=>\s*$/.test(lines[startIndex])) {
+	if (ARROW_BLOCK_RE.test(lines[startIndex])) return true;
+	if (ARROW_END_RE.test(lines[startIndex])) {
 		const next = lines[startIndex + 1];
-		if (next && /^\s*\{/.test(next)) return true;
+		if (next && BRACE_START_RE.test(next)) return true;
 	}
 	for (let j = startIndex + 1; j < Math.min(startIndex + 3, lines.length); j++) {
 		const l = lines[j];
-		if (l.trim() === "" || /^(?:export\s+)?(?:const|let|var|function|class)\s/.test(l.trim())) break;
-		if (/=>\s*\{/.test(l)) return true;
-		if (/^\s*\{/.test(l)) return true;
+		if (l.trim() === "" || NEW_STATEMENT_RE.test(l.trim())) break;
+		if (ARROW_BLOCK_RE.test(l)) return true;
+		if (BRACE_START_RE.test(l)) return true;
 	}
 	return false;
 };
@@ -3250,7 +3358,7 @@ const RISKY_PATTERNS = [
 		help: "Avoid dynamic code execution — refactor to use static code paths"
 	},
 	{
-		pattern: /\.innerHTML\s*=/g,
+		pattern: new RegExp(`\\.innerHTML\\s*=`, "g"),
 		extensions: [
 			".ts",
 			".tsx",
@@ -3347,6 +3455,10 @@ const detectRiskyConstructs = async (context) => {
 			let match;
 			while ((match = regex.exec(content)) !== null) {
 				const line = content.slice(0, match.index).split("\n").length;
+				if (name === "innerhtml") {
+					const beforeMatch = content.slice(Math.max(0, match.index - 200), match.index);
+					if (/(?:template|tmpl|tpl)$/i.test(beforeMatch.trimEnd()) || /createElement\s*\(\s*['"]template['"]\s*\)$/.test(beforeMatch.trimEnd())) continue;
+				}
 				if (name === "sql-injection") {
 					const afterMatch = content.slice(match.index + match[0].length, match.index + match[0].length + 100);
 					if (/^(?:\w+\.join\s*\(|[A-Z_]+\}|tableName\}|table\})/.test(afterMatch)) continue;
@@ -3860,9 +3972,26 @@ const scanCommand = async (directory, config, options) => {
 	const allDiagnostics = results.flatMap((r) => r.diagnostics);
 	const elapsedMs = performance.now() - startTime;
 	const scoreResult = calculateScore(allDiagnostics, config.scoring.weights, config.scoring.thresholds);
-	const exitCode = scoreResult.score < config.ci.failBelow ? 1 : 0;
+	const exitCode = allDiagnostics.some((d) => d.severity === "error") || scoreResult.score < config.ci.failBelow ? 1 : 0;
+	if (!isTelemetryDisabled(config.telemetry?.enabled)) {
+		const engineIssues = {};
+		const engineTimings = {};
+		for (const r of results) {
+			engineIssues[r.engine] = r.diagnostics.length;
+			engineTimings[r.engine] = Math.round(r.elapsed);
+		}
+		trackEvent({
+			command: options.command ?? "scan",
+			languages: projectInfo.languages,
+			scoreBucket: getScoreBucket(scoreResult.score),
+			engineIssues,
+			engineTimings,
+			elapsedMs: Math.round(elapsedMs),
+			fileCount: projectInfo.sourceFileCount
+		});
+	}
 	if (options.json) {
-		const { buildJsonOutput } = await import("./json-DkpW9UQj.js");
+		const { buildJsonOutput } = await import("./json-BMSa_G7o.js");
 		const jsonOut = buildJsonOutput(results, scoreResult, projectInfo.sourceFileCount, elapsedMs);
 		console.log(JSON.stringify(jsonOut, null, 2));
 		return { exitCode };

package/dist/{json-DkpW9UQj.js → json-BMSa_G7o.js}

@@ -1,4 +1,4 @@
-import { r as APP_VERSION, t as ENGINE_INFO } from "./engine-info-DBG3uXLc.js";
+import { r as APP_VERSION, t as ENGINE_INFO } from "./engine-info-B4Eq4giL.js";
 
 //#region src/output/json.ts
 const buildJsonOutput = (results, scoreResult, fileCount, elapsedMs) => {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "aislop",
-	"version": "0.1.0",
+	"version": "0.1.2",
 	"description": "Stop AI slop from shipping. A unified code quality CLI that catches the lazy patterns AI coding tools leave behind.",
 	"type": "module",
 	"bin": {