aislop 0.1.3 → 0.2.0

package/README.md

@@ -3,55 +3,38 @@
 **Stop AI slop from shipping.**
 
 [![npm version](https://img.shields.io/npm/v/aislop.svg)](https://www.npmjs.com/package/aislop)
+[![npm downloads](https://img.shields.io/npm/dm/aislop.svg)](https://www.npmjs.com/package/aislop)
 [![CI](https://github.com/heavykenny/aislop/actions/workflows/ci.yml/badge.svg)](https://github.com/heavykenny/aislop/actions/workflows/ci.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+[![Node >= 20](https://img.shields.io/badge/node-%3E%3D20-brightgreen.svg)](https://nodejs.org)
 
-AI coding assistants are fast, but they leave behind a trail of sloppy code: swallowed exceptions, trivial comments that restate the obvious, unused imports, `as any` casts, empty catch blocks, leftover `console.log` calls, and copy-paste duplication. **aislop** catches all of it in one command.
-
-`aislop` is a unified code-quality CLI for multi-language repositories. It runs formatting, linting, code-quality, AI-pattern, architecture, and security checks behind a single command and summarizes everything as one score out of 100.
+`aislop` is a unified code-quality CLI that catches the lazy patterns AI coding tools leave behind. One command, one score out of 100.
 
 ```
 $ npx aislop scan
 
-aislop Scan v0.1.0
+aislop Scan v0.2.0
 
   ✓ Project my-app (typescript)
   Source files: 142
 
-  ✓ Formatting:     done (0 issues)
-  ✓ Linting:        done (2 warnings)
-  ✓ Code Quality:   done (1 warning)
-  ! Maintainability: done (4 warnings)
-  ✓ Security:       done (0 issues)
+  ✓ Formatting:      done (0 issues)
+  ✓ Linting:         done (2 warnings)
+  ✓ Code Quality:    done (1 warning)
+  ! Maintainability:  done (4 warnings)
+  ✓ Security:        done (0 issues)
 
   Score: 80/100 (Healthy)
 ```
 
 ---
 
-## Why aislop?
-
-Code generated by AI assistants often looks correct at first glance but is full of quality issues that pass review because they are spread across dozens of files. No single existing linter catches all of them. `aislop` was built to be the one tool that does:
-
-- **Catches AI-specific patterns** that ESLint and Prettier ignore: trivial comments (`// Import React`), thin wrappers, generic names (`data2`, `helper_1`), swallowed exceptions
-- **Multi-language** -- TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP in one CLI
-- **Single score** -- one number to gate PRs, track in CI, and trend over time
-- **Zero config to start** -- run `npx aislop scan` and get results immediately
-- **Batteries included** -- ships with oxlint, biome, and knip; downloads ruff and golangci-lint automatically on install
-
----
-
 ## Installation
 
-### Run without installing
-
 ```bash
+# Run without installing
 npx aislop scan
-```
 
-### Install as a dev dependency
-
-```bash
 # npm
 npm install --save-dev aislop
 
@@ -60,298 +43,143 @@ yarn add --dev aislop
 
 # pnpm
 pnpm add -D aislop
-```
 
-### Global install
-
-```bash
+# Global
 npm install -g aislop
-aislop scan
-```
-
-`aislop` ships with Node-based tooling (oxlint, biome, knip) as package dependencies. On install it also downloads bundled binaries for **ruff** and **golangci-lint**. To skip those downloads:
-
-```bash
-AISLOP_SKIP_TOOL_DOWNLOAD=1 npm install
 ```
 
-Some checks depend on tools already present on your machine: `gofmt`, `govulncheck`, `cargo`, `rubocop`, `phpcs`, `php-cs-fixer`. Run `aislop doctor` to see what is available.
+Also available as [`@heavykenny/aislop`](docs/installation.md) on GitHub Packages.
 
 ---
 
-## Quick start
-
-```bash
-# Scan the current directory
-npx aislop scan
-
-# Auto-fix formatting and lint issues
-npx aislop fix
-
-# Scan only changed files (great for pre-commit)
-npx aislop scan --changes
+## Usage
 
-# Scan only staged files
-npx aislop scan --staged
-
-# CI-friendly JSON output
-npx aislop ci
-
-# Initialize config files
-npx aislop init
+### Scan your project
 
-# Interactive menu
-npx aislop
+```bash
+aislop scan                # scan current directory
+aislop scan ./src          # scan a specific directory
+aislop scan --changes      # only files changed from HEAD
+aislop scan --staged       # only staged files (pre-commit)
+aislop scan --json         # output JSON
 ```
 
----
-
-## Commands
-
-| Command | What it does |
-|---|---|
-| `aislop` | Interactive TTY menu (falls back to `scan` in non-TTY) |
-| `aislop scan [dir]` | Run all enabled engines and print a scored report |
-| `aislop fix [dir]` | Apply safe auto-fixes (formatting + lint) |
-| `aislop ci [dir]` | Output JSON for CI pipelines |
-| `aislop init [dir]` | Create `.aislop/config.yml` and `.aislop/rules.yml` |
-| `aislop doctor [dir]` | Report which tools are installed and available |
-| `aislop rules [dir]` | List all built-in and configured rules |
-
-### Flags
-
-| Flag | Description |
-|---|---|
-| `--changes` | Only scan files changed from `HEAD` |
-| `--staged` | Only scan staged files |
-| `-d, --verbose` | Show detailed per-file output |
-| `--json` | Output JSON instead of terminal UI |
-| `-v, --version` | Print version |
-
----
-
-## What it catches
-
-`aislop` groups checks into six engines. Each engine runs in parallel for speed.
-
-### Formatting
-
-Enforces consistent formatting using the best tool for each language.
-
-| Language | Tool |
-|---|---|
-| TypeScript / JavaScript | Biome |
-| Python | ruff format |
-| Go | gofmt |
-| Rust | cargo fmt |
-| Ruby | rubocop |
-| PHP | php-cs-fixer |
-
-### Linting
-
-Catches bugs and bad practices.
-
-| Language | Tool |
-|---|---|
-| TypeScript / JavaScript | oxlint (bundled, with React/Next.js awareness) |
-| Python | ruff |
-| Go | golangci-lint |
-| Rust | clippy |
-| Ruby | rubocop |
-
-### Code quality
-
-Measures structural complexity and finds dead code.
-
-| Rule | What it checks |
-|---|---|
-| `complexity/function-too-long` | Functions exceeding configurable line limit (default: 80) |
-| `complexity/file-too-large` | Files exceeding configurable line limit (default: 400) |
-| `complexity/deep-nesting` | Control-flow nesting beyond threshold (default: 5) |
-| `complexity/too-many-params` | Functions with too many parameters (default: 6) |
-| `duplication/block` | Cross-file duplicate code blocks (12+ lines) |
-| `knip/files`, `knip/exports`, `knip/types` | Dead code via knip (JS/TS) |
-
-### AI slop detection (Maintainability)
-
-The rules that make aislop unique. These catch the patterns AI assistants leave behind.
-
-| Rule | Severity | What it catches |
-|---|---|---|
-| `ai-slop/trivial-comment` | warning | Comments restating the code (`// Import React`, `// Return the value`) |
-| `ai-slop/swallowed-exception` | error | Empty catch blocks, catch blocks that only log (JS/TS/Python/Go/Ruby/Java) |
-| `ai-slop/thin-wrapper` | warning | Functions that only delegate to another function |
-| `ai-slop/generic-naming` | info | AI-generated names: `helper_1`, `data2`, `temp1` |
-| `ai-slop/unused-import` | warning | Unused imports (JS/TS and Python) |
-| `ai-slop/console-leftover` | warning | `console.log`/`debug`/`info` left in production code |
-| `ai-slop/todo-stub` | info | Unresolved TODO/FIXME/HACK comments |
-| `ai-slop/unreachable-code` | warning | Code after `return`/`throw` statements |
-| `ai-slop/constant-condition` | warning | `if (true)`, `if (false)`, `if (0)` |
-| `ai-slop/empty-function` | info | Empty function bodies |
-| `ai-slop/unsafe-type-assertion` | warning | `as any` in TypeScript |
-| `ai-slop/double-type-assertion` | warning | `as unknown as X` pattern |
-| `ai-slop/ts-directive` | info | `@ts-ignore` / `@ts-expect-error` usage |
-
-### Security
-
-Finds secrets, risky constructs, and vulnerable dependencies.
-
-| Rule | What it catches |
-|---|---|
-| `security/hardcoded-secret` | API keys, AWS credentials, JWT tokens, database URLs, passwords |
-| `security/eval` | `eval()` usage (JS/TS/Python/Ruby/PHP) |
-| `security/innerhtml` | `.innerHTML` and `dangerouslySetInnerHTML` |
-| `security/sql-injection` | String concatenation in SQL queries |
-| `security/shell-injection` | User input in command execution |
-| `security/vulnerable-dependency` | npm/pip/cargo/go dependency audit |
+### Fix issues automatically
 
-### Architecture (opt-in)
-
-Custom import and path rules defined in `.aislop/rules.yml`.
-
-| Rule type | Example |
-|---|---|
-| `forbid_import` | Ban `axios` project-wide |
-| `forbid_import_from_path` | Controllers cannot import database modules |
-| `require_pattern` | Require error handling in API routes |
+```bash
+aislop fix                 # auto-fix formatting + lint issues
+```
 
----
+### Use in CI pipelines
 
-Every diagnostic contributes a weighted penalty:
+```bash
+aislop ci                  # JSON output, exits 1 if score < threshold
+```
 
-| Severity | Penalty |
-|---|---|
-| Error | 3.0 |
-| Warning | 1.0 |
-| Info | 0.25 |
+### Other commands
 
-Penalties are multiplied by engine weight (configurable, security defaults to 2x). The final score uses logarithmic scaling with issue-density normalization (relative to source file count), so a few issues still matter but a single finding in an otherwise clean project remains proportional.
+```bash
+aislop init                # create .aislop/config.yml
+aislop doctor              # check which tools are available
+aislop rules               # list all built-in rules
+aislop                     # interactive menu
+```
 
-| Score | Label |
-|---|---|
-| 75 -- 100 | Healthy |
-| 50 -- 74 | Needs Work |
-| 0 -- 49 | Critical |
+See [all commands and flags](docs/commands.md).
 
 ---
 
-## Configuration
+## Use in your project
 
-Run `aislop init` to generate `.aislop/config.yml`:
-
-```yaml
-version: 1
-
-engines:
-  format: true
-  lint: true
-  code-quality: true
-  ai-slop: true
-  architecture: false    # opt-in, needs rules.yml
-  security: true
-
-quality:
-  maxFunctionLoc: 80
-  maxFileLoc: 400
-  maxNesting: 5
-  maxParams: 6
-
-security:
-  audit: true
-  auditTimeout: 25000
-
-scoring:
-  weights:
-    format: 0.5
-    lint: 1.0
-    code-quality: 1.5
-    ai-slop: 1.0
-    architecture: 1.0
-    security: 2.0
-  thresholds:
-    good: 75
-    ok: 50
+### Pre-commit hook
 
-ci:
-  failBelow: 0           # set to e.g. 70 to fail CI below that score
-  format: json
+```bash
+npx aislop scan --staged
 ```
 
----
-
-## CI / CD
-
 ### GitHub Actions
 
 ```yaml
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@v6
   with:
     node-version: 20
-
 - run: npx aislop ci
 ```
 
-### Fail below a score threshold
+### Quality gate
 
-Set `ci.failBelow` in `.aislop/config.yml`:
+Set a minimum score in `.aislop/config.yml`:
 
 ```yaml
 ci:
   failBelow: 70
 ```
 
-`aislop ci` exits with code 1 when the score is below the threshold.
-
-### Pre-commit hook
-
-```bash
-npx aislop scan --staged
-```
+`aislop ci` exits with code 1 when the score drops below the threshold. See [CI/CD docs](docs/ci.md) for more.
 
 ---
 
-## Supported languages
+## Why aislop?
 
-| Language | Format | Lint | Code quality | AI slop | Security |
-|---|---|---|---|---|---|
-| TypeScript | Biome | oxlint | knip, complexity | All rules | All rules |
-| JavaScript | Biome | oxlint | knip, complexity | All rules | All rules |
-| Python | ruff | ruff | complexity | Imports, exceptions, comments | Secrets, audit |
-| Go | gofmt | golangci-lint | complexity | Exceptions, comments | Secrets, audit |
-| Rust | cargo fmt | clippy | complexity | Comments | Secrets, audit |
-| Ruby | rubocop | rubocop | complexity | Exceptions, comments | Secrets |
-| PHP | php-cs-fixer | -- | complexity | Comments | Secrets |
+AI-generated code passes review because issues are spread across dozens of files. No single linter catches all of them. `aislop` does:
 
----
+- **AI-specific pattern detection** — trivial comments, thin wrappers, generic names, swallowed exceptions, `as any` casts
+- **Multi-language** — TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP, Expo/React Native
+- **Single score** — one number to gate PRs, track in CI, and trend over time
+- **Zero config** — run `npx aislop scan` and get results immediately
+- **Framework-aware** — auto-detects Next.js, React, Expo, Vite, Remix, Django, Flask, FastAPI
+- **Batteries included** — ships with oxlint, biome, knip; downloads ruff and golangci-lint on install
 
-## Telemetry
+## What it catches
 
-`aislop` collects anonymous usage analytics to help us understand how the tool is used and prioritize improvements. **No code, file paths, project names, or secrets are ever collected.**
+Six engines run in parallel: **Formatting**, **Linting**, **Code Quality**, **AI Slop Detection**, **Security**, and **Architecture** (opt-in).
 
-What we collect: command run (scan/fix/ci), languages detected, score bucket, issue counts per engine, engine timing, OS, Node version, and aislop version.
+| Engine | Examples |
+|---|---|
+| Formatting | Biome, ruff, gofmt, cargo fmt, rubocop, php-cs-fixer |
+| Linting | oxlint, ruff, golangci-lint, clippy, expo-doctor |
+| Code Quality | Function/file size limits, deep nesting, duplication, dead code, unused dependencies (knip) |
+| AI Slop | Trivial comments, swallowed exceptions, unused imports, console leftovers, type assertion abuse, TODO stubs |
+| Security | Hardcoded secrets, eval, innerHTML, SQL/shell injection, dependency audits |
+| Architecture | Custom import bans, layering rules, required patterns |
 
-Telemetry is **off in CI** by default. To opt out anywhere:
+See the full [rules reference](docs/rules.md) for all 30+ built-in rules.
 
-```bash
-# Environment variable (any of these)
-AISLOP_NO_TELEMETRY=1 aislop scan
-DO_NOT_TRACK=1 aislop scan
+---
 
-# Or in .aislop/config.yml
-telemetry:
-  enabled: false
-```
+## Documentation
+
+| Topic | Link |
+|---|---|
+| Installation | [docs/installation.md](docs/installation.md) |
+| Commands & flags | [docs/commands.md](docs/commands.md) |
+| Rules reference | [docs/rules.md](docs/rules.md) |
+| Configuration | [docs/configuration.md](docs/configuration.md) |
+| Scoring | [docs/scoring.md](docs/scoring.md) |
+| CI / CD | [docs/ci.md](docs/ci.md) |
+| Telemetry | [docs/telemetry.md](docs/telemetry.md) |
 
 ---
 
 ## Contributing
 
-See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, project architecture, and how to add new rules or engines.
+See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and how to add new rules. AI coding assistants can find project context in [AGENTS.md](AGENTS.md).
+
+## Acknowledgments
+
+`aislop` is built on top of excellent open-source projects:
+
+- [Biome](https://biomejs.dev/) — formatting and linting for JS/TS
+- [oxlint](https://oxc.rs/) — fast JavaScript/TypeScript linter
+- [knip](https://knip.dev/) — unused files, exports, and dependencies
+- [ruff](https://docs.astral.sh/ruff/) — Python linting and formatting
+- [golangci-lint](https://golangci-lint.run/) — Go linting
+- [expo-doctor](https://docs.expo.dev/) — Expo/React Native project health
 
-## Security
+## Contributors
 
-See [SECURITY.md](SECURITY.md) for reporting vulnerabilities.
+[![Contributors](https://contrib.rocks/image?repo=heavykenny/aislop)](https://github.com/heavykenny/aislop/graphs/contributors)
 
 ## License
 
-[MIT](LICENSE) -- see the [LICENSE](LICENSE) file.
+[MIT](LICENSE)

package/dist/cli.js

@@ -1643,13 +1643,41 @@ const isToolInstalled = async (tool) => {
 //#region src/engines/code-quality/knip.ts
 const KNIP_MESSAGE_MAP = {
 	files: "Unused file",
+	dependencies: "Unused dependency",
+	devDependencies: "Unused devDependency",
+	unlisted: "Unlisted dependency",
+	unresolved: "Unresolved import",
+	binaries: "Unlisted binary",
 	exports: "Unused export",
 	types: "Unused type",
 	duplicates: "Duplicate export"
 };
+const DEPENDENCY_TYPES = [
+	"dependencies",
+	"devDependencies",
+	"unlisted",
+	"unresolved",
+	"binaries"
+];
+const isDependencyType = (type) => DEPENDENCY_TYPES.includes(type);
+const getIssueItems = (fileIssue, issueType) => {
+	const items = fileIssue[issueType];
+	return Array.isArray(items) ? items : [];
+};
+const DEPENDENCY_HELP = {
+	dependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `aislop fix`.",
+	devDependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `aislop fix`.",
+	unlisted: "This package is imported in code but not declared in package.json. Run `npm install` to add it.",
+	unresolved: "This import cannot be resolved. Check for typos or missing packages.",
+	binaries: "This binary is used but its package is not in package.json."
+};
 const collectIssues = (fileIssue, issueType, rootDir, knipCwd) => {
 	const diagnostics = [];
-	const issues = issueType === "exports" ? fileIssue.exports ?? [] : issueType === "types" ? fileIssue.types ?? [] : fileIssue.duplicates ?? [];
+	const issues = getIssueItems(fileIssue, issueType);
+	const category = isDependencyType(issueType) ? "Dependencies" : "Dead Code";
+	const severity = issueType === "unlisted" || issueType === "unresolved" ? "error" : "warning";
+	const fixable = issueType === "dependencies" || issueType === "devDependencies";
+	const help = DEPENDENCY_HELP[issueType] ?? "";
 	for (const issue of issues) {
 		const symbol = issue.name ?? issue.symbol ?? "unknown";
 		const absolutePath = path.resolve(knipCwd, fileIssue.file);
@@ -1657,13 +1685,13 @@ const collectIssues = (fileIssue, issueType, rootDir, knipCwd) => {
 			filePath: path.relative(rootDir, absolutePath),
 			engine: "code-quality",
 			rule: `knip/${issueType}`,
-			severity: "warning",
+			severity,
 			message: `${KNIP_MESSAGE_MAP[issueType]}: ${symbol}`,
-			help: "",
+			help,
 			line: issue.line ?? 0,
 			column: issue.col ?? 0,
-			category: "Dead Code",
-			fixable: false
+			category,
+			fixable
 		});
 	}
 	return diagnostics;
@@ -1697,6 +1725,38 @@ const findKnipBin = (rootDirectory, monorepoRoot) => {
 	}
 	return null;
 };
+const runKnipDependencyCheck = async (rootDirectory) => {
+	return (await runKnip(rootDirectory)).filter((d) => d.rule === "knip/dependencies" || d.rule === "knip/devDependencies");
+};
+const fixUnusedDependencies = async (rootDirectory) => {
+	const diagnostics = await runKnipDependencyCheck(rootDirectory);
+	if (diagnostics.length === 0) return;
+	const pkgPath = path.join(rootDirectory, "package.json");
+	if (!fs.existsSync(pkgPath)) return;
+	const raw = fs.readFileSync(pkgPath, "utf-8");
+	const pkg = JSON.parse(raw);
+	const unusedDeps = /* @__PURE__ */ new Set();
+	const unusedDevDeps = /* @__PURE__ */ new Set();
+	for (const d of diagnostics) {
+		const pkgName = d.message.replace(/^Unused (dev)?[Dd]ependency: /, "");
+		if (d.rule === "knip/dependencies") unusedDeps.add(pkgName);
+		if (d.rule === "knip/devDependencies") unusedDevDeps.add(pkgName);
+	}
+	let changed = false;
+	if (pkg.dependencies) {
+		for (const name of unusedDeps) if (name in pkg.dependencies) {
+			delete pkg.dependencies[name];
+			changed = true;
+		}
+	}
+	if (pkg.devDependencies) {
+		for (const name of unusedDevDeps) if (name in pkg.devDependencies) {
+			delete pkg.devDependencies[name];
+			changed = true;
+		}
+	}
+	if (changed) fs.writeFileSync(pkgPath, `${JSON.stringify(pkg, null, "	")}\n`);
+};
 const runKnip = async (rootDirectory) => {
 	const knipRuntime = findKnipBin(rootDirectory, findMonorepoRoot(rootDirectory));
 	if (!knipRuntime) return [];
@@ -1730,11 +1790,13 @@ const runKnip = async (rootDirectory) => {
 			fixable: false
 		});
 		const issues = parsed.issues ?? [];
-		for (const fileIssue of issues) for (const type of [
+		const issueTypes = [
+			...DEPENDENCY_TYPES,
 			"exports",
 			"types",
 			"duplicates"
-		]) diagnostics.push(...collectIssues(fileIssue, type, rootDirectory, knipRuntime.cwd));
+		];
+		for (const fileIssue of issues) for (const type of issueTypes) diagnostics.push(...collectIssues(fileIssue, type, rootDirectory, knipRuntime.cwd));
 		return diagnostics;
 	} catch {
 		return [];
@@ -3118,7 +3180,7 @@ const logger = {
 * Application version — injected at build time by tsdown from package.json.
 * The fallback should always match the "version" field in package.json.
 */
-const APP_VERSION = "0.1.3";
+const APP_VERSION = "0.2.0";
 
 //#endregion
 //#region src/output/layout.ts
@@ -3692,9 +3754,13 @@ const getAnonymousId = () => {
 	for (let i = 0; i < raw.length; i++) hash = hash * 33 ^ raw.charCodeAt(i);
 	return `aislop_${(hash >>> 0).toString(36)}`;
 };
+/** Pending telemetry request — kept alive so Node doesn't exit before it completes. */
+let pendingRequest = null;
 /**
 * Fire-and-forget telemetry event to PostHog.
-* Never throws, never blocks, never affects CLI output or exit code.
+* Never throws, never blocks CLI output.
+* The request is kept alive via `flushTelemetry()` so Node doesn't
+* exit before it completes.
 */
 const trackEvent = (event) => {
 	const payload = {
@@ -3717,12 +3783,23 @@ const trackEvent = (event) => {
 		},
 		timestamp: (/* @__PURE__ */ new Date()).toISOString()
 	};
-	fetch(`${POSTHOG_HOST}/capture/`, {
+	pendingRequest = fetch(`${POSTHOG_HOST}/capture/`, {
 		method: "POST",
 		headers: { "Content-Type": "application/json" },
 		body: JSON.stringify(payload),
 		signal: AbortSignal.timeout(3e3)
-	}).catch(() => {});
+	}).then(() => {}).catch(() => {});
+};
+/**
+* Wait for any pending telemetry request to complete.
+* Call this before `process.exit()` to ensure the event is delivered.
+* Times out after 3 seconds so it never hangs the CLI.
+*/
+const flushTelemetry = async () => {
+	if (pendingRequest) {
+		await pendingRequest;
+		pendingRequest = null;
+	}
 };
 
 //#endregion
@@ -4069,6 +4146,9 @@ const fixCommand = async (directory, config, options = {
 		if (projectInfo.languages.includes("python") && projectInfo.installedTools.ruff) steps.push(await runFixStep("Python lint fixes", () => runRuffLint(context), () => fixRuffLint(resolvedDir), options));
 		else if (projectInfo.languages.includes("python")) logger.warn("  Python detected but ruff is not installed; skipping Python lint fixes.");
 	}
+	if (config.engines["code-quality"]) {
+		if (projectInfo.languages.includes("typescript") || projectInfo.languages.includes("javascript")) steps.push(await runFixStep("Unused dependencies", () => runKnipDependencyCheck(resolvedDir), () => fixUnusedDependencies(resolvedDir), options));
+	}
 	if (steps.length === 0) logger.dim("  No applicable auto-fixers found for this project.");
 	else {
 		logger.break();
@@ -4148,6 +4228,11 @@ const BUILTIN_RULES = [
 		engine: "code-quality",
 		rules: [
 			"knip/files",
+			"knip/dependencies",
+			"knip/devDependencies",
+			"knip/unlisted",
+			"knip/unresolved",
+			"knip/binaries",
 			"knip/exports",
 			"knip/types",
 			"complexity/file-too-large",
@@ -4433,7 +4518,10 @@ const program = new Command().name("aislop").description("The unified code quali
 		verbose: Boolean(flags.verbose),
 		json: Boolean(flags.json)
 	});
-	if (exitCode !== 0) process.exit(exitCode);
+	if (exitCode !== 0) {
+		await flushTelemetry();
+		process.exit(exitCode);
+	}
 }).addHelpText("after", `
 ${highlighter.dim("Commands:")}
   aislop scan [dir]      Full code quality scan
@@ -4460,7 +4548,10 @@ program.command("scan [directory]").description("Run full code quality scan").op
 		verbose: Boolean(flags.verbose),
 		json: Boolean(flags.json)
 	});
-	if (exitCode !== 0) process.exit(exitCode);
+	if (exitCode !== 0) {
+		await flushTelemetry();
+		process.exit(exitCode);
+	}
 });
 program.command("fix [directory]").description("Auto-fix formatting and lint issues").option("-d, --verbose", "show detailed fix progress").action(async (directory = ".", _flags, command) => {
 	const flags = command.optsWithGlobals();
@@ -4474,13 +4565,17 @@ program.command("doctor [directory]").description("Check installed tools and env
 });
 program.command("ci [directory]").description("CI-friendly JSON output with exit codes").action(async (directory = ".") => {
 	const { exitCode } = await ciCommand(directory, loadConfig(directory));
-	if (exitCode !== 0) process.exit(exitCode);
+	if (exitCode !== 0) {
+		await flushTelemetry();
+		process.exit(exitCode);
+	}
 });
 program.command("rules [directory]").description("List all available rules").action(async (directory = ".") => {
 	await rulesCommand(directory);
 });
 const main = async () => {
 	await program.parseAsync();
+	await flushTelemetry();
 };
 main();
 

package/dist/{engine-info-Bi8pE12U.js → engine-info-DpU0WTTj.js}

@@ -3,7 +3,7 @@
 * Application version — injected at build time by tsdown from package.json.
 * The fallback should always match the "version" field in package.json.
 */
-const APP_VERSION = "0.1.3";
+const APP_VERSION = "0.2.0";
 
 //#endregion
 //#region src/output/engine-info.ts

package/dist/index.js

@@ -1,4 +1,4 @@
-import { n as getEngineLabel, r as APP_VERSION, t as ENGINE_INFO } from "./engine-info-Bi8pE12U.js";
+import { n as getEngineLabel, r as APP_VERSION, t as ENGINE_INFO } from "./engine-info-DpU0WTTj.js";
 import { n as runSubprocess, t as isToolInstalled } from "./subprocess-99puEEGl.js";
 import { createRequire } from "node:module";
 import fs from "node:fs";
@@ -719,6 +719,170 @@ const fixRuffFormat = async (rootDirectory) => {
 	if (result.exitCode !== 0) throw new Error(result.stderr || result.stdout || `ruff format exited with code ${result.exitCode}`);
 };
 
+//#endregion
+//#region src/engines/code-quality/knip.ts
+const KNIP_MESSAGE_MAP = {
+	files: "Unused file",
+	dependencies: "Unused dependency",
+	devDependencies: "Unused devDependency",
+	unlisted: "Unlisted dependency",
+	unresolved: "Unresolved import",
+	binaries: "Unlisted binary",
+	exports: "Unused export",
+	types: "Unused type",
+	duplicates: "Duplicate export"
+};
+const DEPENDENCY_TYPES = [
+	"dependencies",
+	"devDependencies",
+	"unlisted",
+	"unresolved",
+	"binaries"
+];
+const isDependencyType = (type) => DEPENDENCY_TYPES.includes(type);
+const getIssueItems = (fileIssue, issueType) => {
+	const items = fileIssue[issueType];
+	return Array.isArray(items) ? items : [];
+};
+const DEPENDENCY_HELP = {
+	dependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `aislop fix`.",
+	devDependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `aislop fix`.",
+	unlisted: "This package is imported in code but not declared in package.json. Run `npm install` to add it.",
+	unresolved: "This import cannot be resolved. Check for typos or missing packages.",
+	binaries: "This binary is used but its package is not in package.json."
+};
+const collectIssues = (fileIssue, issueType, rootDir, knipCwd) => {
+	const diagnostics = [];
+	const issues = getIssueItems(fileIssue, issueType);
+	const category = isDependencyType(issueType) ? "Dependencies" : "Dead Code";
+	const severity = issueType === "unlisted" || issueType === "unresolved" ? "error" : "warning";
+	const fixable = issueType === "dependencies" || issueType === "devDependencies";
+	const help = DEPENDENCY_HELP[issueType] ?? "";
+	for (const issue of issues) {
+		const symbol = issue.name ?? issue.symbol ?? "unknown";
+		const absolutePath = path.resolve(knipCwd, fileIssue.file);
+		diagnostics.push({
+			filePath: path.relative(rootDir, absolutePath),
+			engine: "code-quality",
+			rule: `knip/${issueType}`,
+			severity,
+			message: `${KNIP_MESSAGE_MAP[issueType]}: ${symbol}`,
+			help,
+			line: issue.line ?? 0,
+			column: issue.col ?? 0,
+			category,
+			fixable
+		});
+	}
+	return diagnostics;
+};
+const findMonorepoRoot = (directory) => {
+	let current = path.dirname(directory);
+	while (current !== path.dirname(current)) {
+		if (fs.existsSync(path.join(current, "pnpm-workspace.yaml")) || (() => {
+			const pkgPath = path.join(current, "package.json");
+			if (!fs.existsSync(pkgPath)) return false;
+			const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+			return Array.isArray(pkg.workspaces) || pkg.workspaces?.packages;
+		})()) return current;
+		current = path.dirname(current);
+	}
+	return null;
+};
+const KNIP_RELATIVE_BIN = path.join("node_modules", "knip", "bin", "knip.js");
+const findKnipBin = (rootDirectory, monorepoRoot) => {
+	const localPath = path.join(rootDirectory, KNIP_RELATIVE_BIN);
+	if (fs.existsSync(localPath)) return {
+		binPath: localPath,
+		cwd: rootDirectory
+	};
+	if (monorepoRoot) {
+		const monorepoPath = path.join(monorepoRoot, KNIP_RELATIVE_BIN);
+		if (fs.existsSync(monorepoPath)) return {
+			binPath: monorepoPath,
+			cwd: monorepoRoot
+		};
+	}
+	return null;
+};
+const runKnipDependencyCheck = async (rootDirectory) => {
+	return (await runKnip(rootDirectory)).filter((d) => d.rule === "knip/dependencies" || d.rule === "knip/devDependencies");
+};
+const fixUnusedDependencies = async (rootDirectory) => {
+	const diagnostics = await runKnipDependencyCheck(rootDirectory);
+	if (diagnostics.length === 0) return;
+	const pkgPath = path.join(rootDirectory, "package.json");
+	if (!fs.existsSync(pkgPath)) return;
+	const raw = fs.readFileSync(pkgPath, "utf-8");
+	const pkg = JSON.parse(raw);
+	const unusedDeps = /* @__PURE__ */ new Set();
+	const unusedDevDeps = /* @__PURE__ */ new Set();
+	for (const d of diagnostics) {
+		const pkgName = d.message.replace(/^Unused (dev)?[Dd]ependency: /, "");
+		if (d.rule === "knip/dependencies") unusedDeps.add(pkgName);
+		if (d.rule === "knip/devDependencies") unusedDevDeps.add(pkgName);
+	}
+	let changed = false;
+	if (pkg.dependencies) {
+		for (const name of unusedDeps) if (name in pkg.dependencies) {
+			delete pkg.dependencies[name];
+			changed = true;
+		}
+	}
+	if (pkg.devDependencies) {
+		for (const name of unusedDevDeps) if (name in pkg.devDependencies) {
+			delete pkg.devDependencies[name];
+			changed = true;
+		}
+	}
+	if (changed) fs.writeFileSync(pkgPath, `${JSON.stringify(pkg, null, "	")}\n`);
+};
+const runKnip = async (rootDirectory) => {
+	const knipRuntime = findKnipBin(rootDirectory, findMonorepoRoot(rootDirectory));
+	if (!knipRuntime) return [];
+	try {
+		const args = [
+			knipRuntime.binPath,
+			"--no-progress",
+			"--reporter",
+			"json",
+			"--no-exit-code"
+		];
+		const result = await runSubprocess(process.execPath, args, {
+			cwd: knipRuntime.cwd,
+			timeout: 2e4,
+			env: { FORCE_COLOR: "0" }
+		});
+		if (!result.stdout) return [];
+		const parsed = JSON.parse(result.stdout);
+		const diagnostics = [];
+		const files = parsed.files ?? [];
+		for (const unusedFile of files) diagnostics.push({
+			filePath: path.relative(rootDirectory, path.resolve(knipRuntime.cwd, unusedFile)),
+			engine: "code-quality",
+			rule: "knip/files",
+			severity: "warning",
+			message: KNIP_MESSAGE_MAP.files,
+			help: "This file is not imported by any other file in the project.",
+			line: 0,
+			column: 0,
+			category: "Dead Code",
+			fixable: false
+		});
+		const issues = parsed.issues ?? [];
+		const issueTypes = [
+			...DEPENDENCY_TYPES,
+			"exports",
+			"types",
+			"duplicates"
+		];
+		for (const fileIssue of issues) for (const type of issueTypes) diagnostics.push(...collectIssues(fileIssue, type, rootDirectory, knipRuntime.cwd));
+		return diagnostics;
+	} catch {
+		return [];
+	}
+};
+
 //#endregion
 //#region src/engines/lint/oxlint-config.ts
 const createOxlintConfig = (options) => {
@@ -1078,9 +1242,13 @@ const getAnonymousId = () => {
 	for (let i = 0; i < raw.length; i++) hash = hash * 33 ^ raw.charCodeAt(i);
 	return `aislop_${(hash >>> 0).toString(36)}`;
 };
+/** Pending telemetry request — kept alive so Node doesn't exit before it completes. */
+let pendingRequest = null;
 /**
 * Fire-and-forget telemetry event to PostHog.
-* Never throws, never blocks, never affects CLI output or exit code.
+* Never throws, never blocks CLI output.
+* The request is kept alive via `flushTelemetry()` so Node doesn't
+* exit before it completes.
 */
 const trackEvent = (event) => {
 	const payload = {
@@ -1103,12 +1271,12 @@ const trackEvent = (event) => {
 		},
 		timestamp: (/* @__PURE__ */ new Date()).toISOString()
 	};
-	fetch(`${POSTHOG_HOST}/capture/`, {
+	pendingRequest = fetch(`${POSTHOG_HOST}/capture/`, {
 		method: "POST",
 		headers: { "Content-Type": "application/json" },
 		body: JSON.stringify(payload),
 		signal: AbortSignal.timeout(3e3)
-	}).catch(() => {});
+	}).then(() => {}).catch(() => {});
 };
 
 //#endregion
@@ -1220,6 +1388,9 @@ const fixCommand = async (directory, config, options = {
 		if (projectInfo.languages.includes("python") && projectInfo.installedTools.ruff) steps.push(await runFixStep("Python lint fixes", () => runRuffLint(context), () => fixRuffLint(resolvedDir), options));
 		else if (projectInfo.languages.includes("python")) logger.warn("  Python detected but ruff is not installed; skipping Python lint fixes.");
 	}
+	if (config.engines["code-quality"]) {
+		if (projectInfo.languages.includes("typescript") || projectInfo.languages.includes("javascript")) steps.push(await runFixStep("Unused dependencies", () => runKnipDependencyCheck(resolvedDir), () => fixUnusedDependencies(resolvedDir), options));
+	}
 	if (steps.length === 0) logger.dim("  No applicable auto-fixers found for this project.");
 	else {
 		logger.break();
@@ -2696,108 +2867,6 @@ const checkDuplication = async (context) => {
 	return diagnostics;
 };
 
-//#endregion
-//#region src/engines/code-quality/knip.ts
-const KNIP_MESSAGE_MAP = {
-	files: "Unused file",
-	exports: "Unused export",
-	types: "Unused type",
-	duplicates: "Duplicate export"
-};
-const collectIssues = (fileIssue, issueType, rootDir, knipCwd) => {
-	const diagnostics = [];
-	const issues = issueType === "exports" ? fileIssue.exports ?? [] : issueType === "types" ? fileIssue.types ?? [] : fileIssue.duplicates ?? [];
-	for (const issue of issues) {
-		const symbol = issue.name ?? issue.symbol ?? "unknown";
-		const absolutePath = path.resolve(knipCwd, fileIssue.file);
-		diagnostics.push({
-			filePath: path.relative(rootDir, absolutePath),
-			engine: "code-quality",
-			rule: `knip/${issueType}`,
-			severity: "warning",
-			message: `${KNIP_MESSAGE_MAP[issueType]}: ${symbol}`,
-			help: "",
-			line: issue.line ?? 0,
-			column: issue.col ?? 0,
-			category: "Dead Code",
-			fixable: false
-		});
-	}
-	return diagnostics;
-};
-const findMonorepoRoot = (directory) => {
-	let current = path.dirname(directory);
-	while (current !== path.dirname(current)) {
-		if (fs.existsSync(path.join(current, "pnpm-workspace.yaml")) || (() => {
-			const pkgPath = path.join(current, "package.json");
-			if (!fs.existsSync(pkgPath)) return false;
-			const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
-			return Array.isArray(pkg.workspaces) || pkg.workspaces?.packages;
-		})()) return current;
-		current = path.dirname(current);
-	}
-	return null;
-};
-const KNIP_RELATIVE_BIN = path.join("node_modules", "knip", "bin", "knip.js");
-const findKnipBin = (rootDirectory, monorepoRoot) => {
-	const localPath = path.join(rootDirectory, KNIP_RELATIVE_BIN);
-	if (fs.existsSync(localPath)) return {
-		binPath: localPath,
-		cwd: rootDirectory
-	};
-	if (monorepoRoot) {
-		const monorepoPath = path.join(monorepoRoot, KNIP_RELATIVE_BIN);
-		if (fs.existsSync(monorepoPath)) return {
-			binPath: monorepoPath,
-			cwd: monorepoRoot
-		};
-	}
-	return null;
-};
-const runKnip = async (rootDirectory) => {
-	const knipRuntime = findKnipBin(rootDirectory, findMonorepoRoot(rootDirectory));
-	if (!knipRuntime) return [];
-	try {
-		const args = [
-			knipRuntime.binPath,
-			"--no-progress",
-			"--reporter",
-			"json",
-			"--no-exit-code"
-		];
-		const result = await runSubprocess(process.execPath, args, {
-			cwd: knipRuntime.cwd,
-			timeout: 2e4,
-			env: { FORCE_COLOR: "0" }
-		});
-		if (!result.stdout) return [];
-		const parsed = JSON.parse(result.stdout);
-		const diagnostics = [];
-		const files = parsed.files ?? [];
-		for (const unusedFile of files) diagnostics.push({
-			filePath: path.relative(rootDirectory, path.resolve(knipRuntime.cwd, unusedFile)),
-			engine: "code-quality",
-			rule: "knip/files",
-			severity: "warning",
-			message: KNIP_MESSAGE_MAP.files,
-			help: "This file is not imported by any other file in the project.",
-			line: 0,
-			column: 0,
-			category: "Dead Code",
-			fixable: false
-		});
-		const issues = parsed.issues ?? [];
-		for (const fileIssue of issues) for (const type of [
-			"exports",
-			"types",
-			"duplicates"
-		]) diagnostics.push(...collectIssues(fileIssue, type, rootDirectory, knipRuntime.cwd));
-		return diagnostics;
-	} catch {
-		return [];
-	}
-};
-
 //#endregion
 //#region src/engines/code-quality/index.ts
 const codeQualityEngine = {
@@ -4000,7 +4069,7 @@ const scanCommand = async (directory, config, options) => {
 		});
 	}
 	if (options.json) {
-		const { buildJsonOutput } = await import("./json-66-1kHeg.js");
+		const { buildJsonOutput } = await import("./json-UG8l_sLC.js");
 		const jsonOut = buildJsonOutput(results, scoreResult, projectInfo.sourceFileCount, elapsedMs);
 		console.log(JSON.stringify(jsonOut, null, 2));
 		return { exitCode };

package/dist/{json-66-1kHeg.js → json-UG8l_sLC.js}

@@ -1,4 +1,4 @@
-import { r as APP_VERSION, t as ENGINE_INFO } from "./engine-info-Bi8pE12U.js";
+import { r as APP_VERSION, t as ENGINE_INFO } from "./engine-info-DpU0WTTj.js";
 
 //#region src/output/json.ts
 const buildJsonOutput = (results, scoreResult, fileCount, elapsedMs) => {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "aislop",
-	"version": "0.1.3",
+	"version": "0.2.0",
 	"description": "Stop AI slop from shipping. A unified code quality CLI that catches the lazy patterns AI coding tools leave behind.",
 	"type": "module",
 	"bin": {