aislop 0.6.1 → 0.7.0

package/README.md

@@ -5,6 +5,7 @@
 [![npm version](https://img.shields.io/npm/v/aislop.svg)](https://www.npmjs.com/package/aislop)
 [![npm downloads](https://img.shields.io/npm/dm/aislop.svg)](https://www.npmjs.com/package/aislop)
 [![CI](https://github.com/scanaislop/aislop/actions/workflows/ci.yml/badge.svg)](https://github.com/scanaislop/aislop/actions/workflows/ci.yml)
+[![aislop score](https://badges.scanaislop.com/score/scanaislop/aislop.svg)](https://scanaislop.com/scanaislop/aislop)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 [![Node >= 20](https://img.shields.io/badge/node-%3E%3D20-brightgreen.svg)](https://nodejs.org)
 
@@ -34,7 +35,7 @@ npx aislop fix
 # CI mode (JSON output + quality gate)
 npx aislop ci
 
-# wire aislop into your agent so it runs on every edit (new in 0.6.0)
+# wire aislop into your agent so it runs on every edit
 npx aislop hook install --claude
 ```
 
@@ -46,7 +47,7 @@ Sample output:
  [!]  Code Quality: done (2 warnings, 812ms)
  [!]  AI Slop: done (4 warnings, 455ms)
  [ok] Security: done (0 issues, 1.3s)
- aislop 0.6.1  ·  the quality gate for agentic coding
+ aislop 0.7.0  ·  the quality gate for agentic coding
 
  scan  ·  my-app  ·  typescript  ·  142 files
 
@@ -78,7 +79,7 @@ AI coding tools generate code that compiles and passes tests but ships with patt
 
 - **One score, one gate**: a 0-100 number you can enforce in CI with `aislop ci`. Weighted so sloppy patterns (dead code, `as any`, swallowed errors) hit harder than style noise.
 - **Auto-fix first, agent second**: `aislop fix` clears what's mechanically safe (formatters, unused imports, trivial comments, dead patterns). For the rest, one flag hands off to Claude Code, Codex, Cursor, Gemini, Windsurf, Amp, Aider, Goose, and 7 more, with full diagnostic context pre-filled.
-- **Wire it into your agent (new in 0.6.0)**: `aislop hook install` plugs aislop into Claude Code, Cursor, Gemini CLI (runtime), plus Codex, Windsurf, Cline, Kilo Code, Antigravity, and Copilot (rules-only). The agent gets score + findings on the turn it wrote the code, not after.
+- **Wire it into your agent**: `aislop hook install` plugs aislop into Claude Code, Cursor, Gemini CLI (runtime), plus Codex, Windsurf, Cline, Kilo Code, Antigravity, and Copilot (rules-only). The agent gets score + findings on the turn it wrote the code, not after.
 - **Deterministic**: regex, AST, and standard tooling. No LLMs, no API keys, no network dependency. Same repo in, same score out.
 - **Zero-config start**: `npx aislop scan` works on any repo. Add `.aislop/config.yml` when you want to tune thresholds or enable the architecture engine.
 - **Works across stacks**: TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP, Expo / React Native.
@@ -154,6 +155,18 @@ aislop scan --exclude "src/generated" --exclude "**/*.spec.*"
 
 CLI flags beat config; config beats defaults.
 
+**Extend a shared config.** A project config can extend a parent and override specific keys. Useful for org-wide baselines: ship one strict config, let each repo soften or tighten as needed.
+
+```yaml
+# .aislop/config.yml
+extends: ../../.aislop/base.yml   # relative path to a parent config
+
+ci:
+  failBelow: 80                   # override just this key, inherit the rest
+```
+
+`extends:` accepts a single path or an array of paths. Later entries win. Deep-merged: nested objects (`scoring.weights`, `engines`) are merged key-by-key; arrays are replaced. Circular references and depths beyond 5 are rejected with a clear error.
+
 ### Fix issues automatically
 
 ```bash
@@ -237,6 +250,7 @@ aislop scan
 aislop init                # create .aislop/config.yml
 aislop doctor              # check which tools are available
 aislop rules               # list all built-in rules
+aislop badge               # print the public score badge URL + README snippet
 aislop hook install        # wire aislop into your coding agent
 aislop                     # interactive menu
 ```
@@ -313,6 +327,18 @@ ci:
 
 The CLI is MIT-licensed and always will be. [Learn more about the platform →](https://scanaislop.com)
 
+## Public score badge
+
+Show your aislop score on a README. Free for any project that opts in on [scanaislop.com](https://scanaislop.com).
+
+```markdown
+[![aislop](https://badges.scanaislop.com/score/<owner>/<repo>.svg)](https://scanaislop.com)
+```
+
+Shields-compatible SVG, edge-cached on Cloudflare. Colour-coded: green ≥ 85, amber 70-84, red < 70, grey if no scans yet.
+
+Run `aislop badge` to print the snippet pre-filled with your repo's owner/name, auto-detected from `git remote get-url origin`.
+
 ## Contributing
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and how to add new rules. AI coding assistants can find project context in [AGENTS.md](AGENTS.md).
@@ -330,7 +356,15 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and how to add new
 
 ## Contributors
 
-[![Contributors](https://contrib.rocks/image?repo=scanaislop/aislop)](https://github.com/scanaislop/aislop/graphs/contributors)
+Thanks to everyone who has shipped code, ideas, docs, or bug reports.
+
+<!-- CONTRIBUTORS-START -->
+- [@heavykenny](https://github.com/heavykenny)
+- [@myke-awoniran](https://github.com/myke-awoniran)
+- [@yashrajoria](https://github.com/yashrajoria)
+<!-- CONTRIBUTORS-END -->
+
+This list is regenerated by `.github/workflows/contributors.yml` after every push to `develop` or `main`. The workflow reads git log, resolves each author's GitHub login, and opens a PR with any diff. If your commits aren't being credited, either link your commit email under [GitHub Settings → Emails](https://github.com/settings/emails) or add a mapping to [`.github/contributors-overrides.json`](.github/contributors-overrides.json).
 
 ## License
 

package/dist/cli.js

@@ -7,7 +7,7 @@ import path from "node:path";
 import YAML from "yaml";
 import { z } from "zod/v4";
 import { performance } from "node:perf_hooks";
-import { spawn, spawnSync } from "node:child_process";
+import { execSync, spawn, spawnSync } from "node:child_process";
 import micromatch from "micromatch";
 import { fileURLToPath } from "node:url";
 import ts from "typescript";
@@ -209,6 +209,48 @@ const DEFAULT_RULES_YAML = `# Architecture rules (BYO)
 #     severity: error
 `;
 
+//#endregion
+//#region src/config/extends.ts
+const MAX_DEPTH = 5;
+const isPlainObject = (v) => typeof v === "object" && v !== null && !Array.isArray(v);
+const deepMerge = (...sources) => {
+	const result = {};
+	for (const source of sources) for (const key of Object.keys(source)) {
+		const a = result[key];
+		const b = source[key];
+		result[key] = isPlainObject(a) && isPlainObject(b) ? deepMerge(a, b) : b;
+	}
+	return result;
+};
+const resolveExtendsRef = (ref, fromDir) => {
+	if (ref.startsWith("http://") || ref.startsWith("https://")) throw new Error(`URL-based extends not yet supported: ${ref}`);
+	if (ref.startsWith("./") || ref.startsWith("../") || path.isAbsolute(ref)) return path.resolve(fromDir, ref);
+	throw new Error(`Package-name extends not yet supported: ${ref} (use a relative path for now)`);
+};
+const normalizeExtends = (raw) => {
+	if (raw === void 0 || raw === null) return [];
+	if (typeof raw === "string") return [raw];
+	if (Array.isArray(raw) && raw.every((s) => typeof s === "string")) return raw;
+	throw new Error("`extends` must be a string or array of strings");
+};
+const loadConfigChain = (configPath, visited = /* @__PURE__ */ new Set(), depth = 0) => {
+	if (depth > MAX_DEPTH) throw new Error(`extends depth exceeded ${MAX_DEPTH} (cycle or runaway chain): ${configPath}`);
+	const absPath = path.resolve(configPath);
+	if (visited.has(absPath)) throw new Error(`circular extends detected: ${absPath}`);
+	if (!fs.existsSync(absPath)) throw new Error(`extends target not found: ${absPath}`);
+	const nextVisited = new Set(visited);
+	nextVisited.add(absPath);
+	const raw = fs.readFileSync(absPath, "utf-8");
+	const parsed = YAML.parse(raw) ?? {};
+	const refs = normalizeExtends(parsed.extends);
+	const fromDir = path.dirname(absPath);
+	const parents = refs.map((ref) => {
+		return loadConfigChain(resolveExtendsRef(ref, fromDir), nextVisited, depth + 1);
+	});
+	const { extends: _drop, ...own } = parsed;
+	return deepMerge(...parents, own);
+};
+
 //#endregion
 //#region src/config/schema.ts
 const DEFAULT_WEIGHTS = {
@@ -343,8 +385,7 @@ const loadConfig = (directory) => {
 	const configPath = path.join(configDir, CONFIG_FILE);
 	if (!fs.existsSync(configPath)) return DEFAULT_CONFIG;
 	try {
-		const raw = fs.readFileSync(configPath, "utf-8");
-		return parseConfig(YAML.parse(raw));
+		return parseConfig(loadConfigChain(configPath));
 	} catch (error) {
 		const msg = error instanceof Error ? error.message : String(error);
 		process.stderr.write(`  ⚠ Failed to parse ${configPath}: ${msg}\n  ⚠ Using default configuration.\n`);
@@ -2184,6 +2225,10 @@ const getIssueItems = (fileIssue, issueType) => {
 	const items = fileIssue[issueType];
 	return Array.isArray(items) ? items : [];
 };
+const shouldIncludeIssue = (issueType, filePath) => {
+	if (issueType !== "binaries") return true;
+	return !filePath.replace(/\\/g, "/").includes(".github/workflows/");
+};
 const DEPENDENCY_HELP = {
 	dependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `npx aislop fix`.",
 	devDependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `npx aislop fix`.",
@@ -2193,6 +2238,7 @@ const DEPENDENCY_HELP = {
 };
 const collectIssues = (fileIssue, issueType, rootDir, knipCwd) => {
 	const diagnostics = [];
+	if (!shouldIncludeIssue(issueType, fileIssue.file)) return diagnostics;
 	const issues = getIssueItems(fileIssue, issueType);
 	const category = isDependencyType(issueType) ? "Dependencies" : "Dead Code";
 	const severity = issueType === "unlisted" || issueType === "unresolved" ? "error" : "warning";
@@ -5913,6 +5959,83 @@ const registerHookCommand = (program) => {
 	registerCallbacks(hook);
 };
 
+//#endregion
+//#region src/commands/badge.ts
+const GITHUB_REMOTE_RE = /^(?:git@github\.com:|https:\/\/(?:[^@]+@)?github\.com\/)([^/]+)\/([^/.\s]+?)(?:\.git)?\s*$/;
+const renderBadgeOutput = ({ owner, repo, svgUrl, pageUrl }) => {
+	const slug = `${owner}/${repo}`;
+	const markdown = `[![aislop](${svgUrl})](${pageUrl})`;
+	return [
+		``,
+		`  Repository:  ${slug}`,
+		`  Badge URL:   ${svgUrl}`,
+		``,
+		`  Markdown:`,
+		``,
+		`    ${markdown}`,
+		``,
+		`  Drop the line above into your README. The badge auto-updates after every public scan.`,
+		``
+	].join("\n");
+};
+const detectGithubSlugFromGit = (directory) => {
+	let raw;
+	try {
+		raw = execSync("git remote get-url origin", {
+			cwd: path.resolve(directory),
+			encoding: "utf-8",
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			]
+		});
+	} catch {
+		return null;
+	}
+	const match = raw.trim().match(GITHUB_REMOTE_RE);
+	if (!match) return null;
+	const owner = match[1];
+	const repo = match[2];
+	if (!owner || !repo) return null;
+	return {
+		owner,
+		repo
+	};
+};
+const badgeCommand = async (options = {}) => {
+	let owner = options.owner?.trim();
+	let repo = options.repo?.trim();
+	if (!owner || !repo) {
+		const detected = detectGithubSlugFromGit(options.directory ?? ".");
+		if (!detected) throw new Error("Could not detect a GitHub remote. Run from a repo with `git remote get-url origin` set, or pass --owner and --repo.");
+		owner ??= detected.owner;
+		repo ??= detected.repo;
+	}
+	const svgUrl = `https://badges.scanaislop.com/score/${owner}/${repo}.svg`;
+	const pageUrl = `https://scanaislop.com/${owner}/${repo}`;
+	const output = renderBadgeOutput({
+		owner,
+		repo,
+		svgUrl,
+		pageUrl
+	});
+	if (options.json) process.stdout.write(JSON.stringify({
+		owner,
+		repo,
+		svgUrl,
+		pageUrl
+	}) + "\n");
+	else process.stdout.write(output);
+	return {
+		owner,
+		repo,
+		svgUrl,
+		pageUrl,
+		output
+	};
+};
+
 //#endregion
 //#region src/ui/symbols.ts
 const TTY = {
@@ -6329,7 +6452,7 @@ const renderCleanRun = (input, deps = {}) => {
 
 //#endregion
 //#region src/version.ts
-const APP_VERSION = "0.6.1";
+const APP_VERSION = "0.7.0";
 
 //#endregion
 //#region src/utils/telemetry.ts
@@ -8975,6 +9098,20 @@ program.command("ci [directory]").description("CI-friendly JSON output with exit
 program.command("rules [directory]").description("List all available rules").action(async (directory = ".") => {
 	await rulesCommand(directory);
 });
+program.command("badge [directory]").description("Print the public score badge URL + README markdown for this repo").option("--owner <owner>", "GitHub owner (auto-detected from git remote if omitted)").option("--repo <repo>", "GitHub repo name (auto-detected from git remote if omitted)").option("--json", "emit machine-readable JSON instead of the rendered output").action(async (directory = ".", _flags, command) => {
+	const flags = command.optsWithGlobals();
+	try {
+		await badgeCommand({
+			directory,
+			owner: flags.owner,
+			repo: flags.repo,
+			json: Boolean(flags.json)
+		});
+	} catch (err) {
+		process.stderr.write(`${err?.message ?? "Failed to print badge"}\n`);
+		process.exit(1);
+	}
+});
 registerHookCommand(program);
 const main = async () => {
 	await program.parseAsync();

package/dist/index.js

@@ -1,4 +1,4 @@
-import { n as ENGINE_INFO, r as getEngineLabel, t as APP_VERSION } from "./version-DukdnmKT.js";
+import { n as ENGINE_INFO, r as getEngineLabel, t as APP_VERSION } from "./version-BOJR1S8l.js";
 import { n as runSubprocess, t as isToolInstalled } from "./subprocess-CQUJDGgn.js";
 import { r as runGenericLinter, t as fixRubyLint } from "./generic-BrcWMW7E.js";
 import { n as runExpoDoctor } from "./expo-doctor-Bz0LZhQ6.js";
@@ -103,6 +103,48 @@ const DEFAULT_RULES_YAML = `# Architecture rules (BYO)
 #     severity: error
 `;
 
+//#endregion
+//#region src/config/extends.ts
+const MAX_DEPTH = 5;
+const isPlainObject = (v) => typeof v === "object" && v !== null && !Array.isArray(v);
+const deepMerge = (...sources) => {
+	const result = {};
+	for (const source of sources) for (const key of Object.keys(source)) {
+		const a = result[key];
+		const b = source[key];
+		result[key] = isPlainObject(a) && isPlainObject(b) ? deepMerge(a, b) : b;
+	}
+	return result;
+};
+const resolveExtendsRef = (ref, fromDir) => {
+	if (ref.startsWith("http://") || ref.startsWith("https://")) throw new Error(`URL-based extends not yet supported: ${ref}`);
+	if (ref.startsWith("./") || ref.startsWith("../") || path.isAbsolute(ref)) return path.resolve(fromDir, ref);
+	throw new Error(`Package-name extends not yet supported: ${ref} (use a relative path for now)`);
+};
+const normalizeExtends = (raw) => {
+	if (raw === void 0 || raw === null) return [];
+	if (typeof raw === "string") return [raw];
+	if (Array.isArray(raw) && raw.every((s) => typeof s === "string")) return raw;
+	throw new Error("`extends` must be a string or array of strings");
+};
+const loadConfigChain = (configPath, visited = /* @__PURE__ */ new Set(), depth = 0) => {
+	if (depth > MAX_DEPTH) throw new Error(`extends depth exceeded ${MAX_DEPTH} (cycle or runaway chain): ${configPath}`);
+	const absPath = path.resolve(configPath);
+	if (visited.has(absPath)) throw new Error(`circular extends detected: ${absPath}`);
+	if (!fs.existsSync(absPath)) throw new Error(`extends target not found: ${absPath}`);
+	const nextVisited = new Set(visited);
+	nextVisited.add(absPath);
+	const raw = fs.readFileSync(absPath, "utf-8");
+	const parsed = YAML.parse(raw) ?? {};
+	const refs = normalizeExtends(parsed.extends);
+	const fromDir = path.dirname(absPath);
+	const parents = refs.map((ref) => {
+		return loadConfigChain(resolveExtendsRef(ref, fromDir), nextVisited, depth + 1);
+	});
+	const { extends: _drop, ...own } = parsed;
+	return deepMerge(...parents, own);
+};
+
 //#endregion
 //#region src/config/schema.ts
 const DEFAULT_WEIGHTS = {
@@ -237,8 +279,7 @@ const loadConfig = (directory) => {
 	const configPath = path.join(configDir, CONFIG_FILE);
 	if (!fs.existsSync(configPath)) return DEFAULT_CONFIG;
 	try {
-		const raw = fs.readFileSync(configPath, "utf-8");
-		return parseConfig(YAML.parse(raw));
+		return parseConfig(loadConfigChain(configPath));
 	} catch (error) {
 		const msg = error instanceof Error ? error.message : String(error);
 		process.stderr.write(`  ⚠ Failed to parse ${configPath}: ${msg}\n  ⚠ Using default configuration.\n`);
@@ -2700,6 +2741,10 @@ const getIssueItems = (fileIssue, issueType) => {
 	const items = fileIssue[issueType];
 	return Array.isArray(items) ? items : [];
 };
+const shouldIncludeIssue = (issueType, filePath) => {
+	if (issueType !== "binaries") return true;
+	return !filePath.replace(/\\/g, "/").includes(".github/workflows/");
+};
 const DEPENDENCY_HELP = {
 	dependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `npx aislop fix`.",
 	devDependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `npx aislop fix`.",
@@ -2709,6 +2754,7 @@ const DEPENDENCY_HELP = {
 };
 const collectIssues = (fileIssue, issueType, rootDir, knipCwd) => {
 	const diagnostics = [];
+	if (!shouldIncludeIssue(issueType, fileIssue.file)) return diagnostics;
 	const issues = getIssueItems(fileIssue, issueType);
 	const category = isDependencyType(issueType) ? "Dependencies" : "Dead Code";
 	const severity = issueType === "unlisted" || issueType === "unresolved" ? "error" : "warning";
@@ -5336,7 +5382,7 @@ const scanCommand = async (directory, config, options) => {
 		});
 	}
 	if (options.json) {
-		const { buildJsonOutput } = await import("./json-DIW4kCBS.js");
+		const { buildJsonOutput } = await import("./json-DwAcCqqG.js");
 		const jsonOut = buildJsonOutput(results, scoreResult, projectInfo.sourceFileCount, elapsedMs);
 		console.log(JSON.stringify(jsonOut, null, 2));
 		return { exitCode };

package/dist/{json-DIW4kCBS.js → json-DwAcCqqG.js}

@@ -1,4 +1,4 @@
-import { n as ENGINE_INFO, t as APP_VERSION } from "./version-DukdnmKT.js";
+import { n as ENGINE_INFO, t as APP_VERSION } from "./version-BOJR1S8l.js";
 
 //#region src/output/json.ts
 const buildJsonOutput = (results, scoreResult, fileCount, elapsedMs) => {

package/dist/{version-DukdnmKT.js → version-BOJR1S8l.js}

@@ -29,7 +29,7 @@ const getEngineLabel = (engine) => ENGINE_INFO[engine].label;
 
 //#endregion
 //#region src/version.ts
-const APP_VERSION = "0.6.1";
+const APP_VERSION = "0.7.0";
 
 //#endregion
 export { ENGINE_INFO as n, getEngineLabel as r, APP_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "aislop",
-	"version": "0.6.1",
+	"version": "0.7.0",
 	"description": "Stop AI slop from shipping. A unified code quality CLI that catches the lazy patterns AI coding tools leave behind.",
 	"type": "module",
 	"bin": {
@@ -81,5 +81,10 @@
 		"@types/node": "^25.6.0",
 		"tsdown": "^0.20.3",
 		"vitest": "^4.0.18"
+	},
+	"pnpm": {
+		"overrides": {
+			"postcss@<8.5.10": "^8.5.10"
+		}
 	}
 }