coverme-scanner 1.0.0

package/README.md

@@ -0,0 +1,227 @@
+# Vibecode Tracker
+
+**Multi-Agent AI Code Scanner for Claude Code**
+
+A comprehensive code analysis tool that uses 11 AI agents with cross-validation to find security vulnerabilities, quality issues, architectural problems, and more.
+
+## How It Works
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                    VIBECODE ORCHESTRATOR                        │
+├─────────────────────────────────────────────────────────────────┤
+│                                                                 │
+│  Phase 0: CONTEXT DISCOVERY                                     │
+│  ┌──────────────────────────────────────────────────────────┐   │
+│  │  Understand project structure, tech stack, docs          │   │
+│  └──────────────────────────────────────────────────────────┘   │
+│                              │                                  │
+│                              ▼                                  │
+│  Phase 1: DISCOVERY (5 agents in parallel)                      │
+│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌────────┐│
+│  │ Security │ │ Quality  │ │   Arch   │ │   Deps   │ │  Perf  ││
+│  │  Agent   │ │  Agent   │ │  Agent   │ │  Agent   │ │ Agent  ││
+│  └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ └───┬────┘│
+│       │            │            │            │           │      │
+│       └────────────┴────────────┴────────────┴───────────┘      │
+│                              │                                  │
+│                              ▼                                  │
+│  Phase 2: CROSS-VALIDATION (3 agents in parallel)               │
+│  ┌──────────────────────────────────────────────────────────┐   │
+│  │  Validator A: Find false positives                       │   │
+│  │  Validator B: Challenge HIGH/CRITICAL findings           │   │
+│  │  Validator C: Find MISSED issues                         │   │
+│  └──────────────────────────────────────────────────────────┘   │
+│                              │                                  │
+│                              ▼                                  │
+│  Phase 3: DEEP DIVE (on disputed findings)                      │
+│  ┌──────────────────────────────────────────────────────────┐   │
+│  │  Expert analysis with full context for disagreements     │   │
+│  └──────────────────────────────────────────────────────────┘   │
+│                              │                                  │
+│                              ▼                                  │
+│  Phase 4: CONSENSUS & CONFIDENCE SCORING                        │
+│  ┌──────────────────────────────────────────────────────────┐   │
+│  │  Calculate confidence, filter false positives, sort      │   │
+│  └──────────────────────────────────────────────────────────┘   │
+│                              │                                  │
+│                              ▼                                  │
+│  Phase 5: REPORT GENERATION                                     │
+│  ┌──────────────────────────────────────────────────────────┐   │
+│  │  Professional PDF with findings, fixes, and positives    │   │
+│  └──────────────────────────────────────────────────────────┘   │
+│                                                                 │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+## Installation
+
+```bash
+# Install globally
+npm install -g vibecode-tracker
+
+# Or use npx
+npx vibecode-tracker init
+```
+
+This installs the `/scan` slash command into your `.claude/commands/` directory.
+
+## Usage
+
+### In Claude Code
+
+```bash
+# Full scan (all categories)
+/scan
+
+# Security-focused scan
+/scan security
+
+# Quality-focused scan
+/scan quality
+
+# Quick scan (skip validation)
+/scan --quick
+
+# JSON output only
+/scan --json
+```
+
+### CLI
+
+```bash
+# Initialize commands in current project
+vibecode init
+
+# Initialize globally
+vibecode init --global
+
+# Run scan (outputs orchestration instructions)
+vibecode scan ./my-project
+```
+
+## What It Finds
+
+### Security Issues
+- SQL/NoSQL Injection
+- Cross-Site Scripting (XSS)
+- Command Injection
+- Authentication/Authorization flaws
+- Hardcoded secrets
+- SSRF, Path Traversal
+- Insecure cryptography
+- Session management issues
+
+### Quality Issues
+- DRY violations (duplicated code)
+- High complexity functions
+- Dead code
+- Anti-patterns
+- Error handling problems
+- Type safety issues
+
+### Architecture Issues
+- Layer violations
+- Circular dependencies
+- Missing abstractions
+- Coupling problems
+- API design issues
+
+### Dependency Issues
+- Known CVEs
+- Outdated packages
+- License compliance
+- Supply chain risks
+
+### Performance Issues
+- N+1 queries
+- Memory leaks
+- Blocking operations
+- Missing caching
+
+## Why Multi-Agent?
+
+Traditional scanners have high false positive rates. Vibecode uses a unique approach:
+
+1. **Multiple perspectives**: 5 specialized agents scan independently
+2. **Cross-validation**: 3 validators challenge the findings
+3. **Deep dive**: Expert analysis for disputed findings
+4. **Consensus**: Only high-confidence findings make the report
+
+This results in:
+- **Lower false positive rate** - Validators catch mistakes
+- **Higher coverage** - Multiple agents find different issues
+- **Better evidence** - Each finding is verified with context
+- **Confidence scores** - Know how certain each finding is
+
+## Report Output
+
+The scan produces a professional PDF report:
+
+1. **Cover Page** - Project name, date, severity counts
+2. **Executive Summary** - One-page overview for leadership
+3. **Scan Overview** - Methodology and statistics
+4. **Critical Issues** - Full detail with code and fixes
+5. **High Issues** - Full detail
+6. **Medium Issues** - Summarized table
+7. **Low Issues** - Simple list
+8. **Positive Observations** - Good patterns found
+9. **Recommendations** - Prioritized action items
+
+## Configuration
+
+Create `.vibecode.yml` in your project root:
+
+```yaml
+# Categories to scan
+categories:
+  - security
+  - quality
+  - architecture
+  - dependencies
+  - performance
+
+# Minimum severity to report
+minSeverity: low
+
+# Validation rounds
+validation:
+  enabled: true
+  rounds: 1
+
+# Output format
+output:
+  format: pdf
+  path: ./reports/
+```
+
+## Requirements
+
+- Claude Code CLI installed and authenticated
+- Node.js 18+
+- No external API keys needed (uses your Claude Code session)
+
+## How It Differs From CodeRabbit/Snyk/etc.
+
+| Feature | Vibecode | Traditional Tools |
+|---------|----------|-------------------|
+| Multi-agent validation | Yes (11 agents) | No |
+| Cross-validation | Yes | No |
+| Confidence scores | Yes | No |
+| Context-aware | Reads your docs | Pattern matching |
+| False positive filtering | Built-in | Manual |
+| Uses your Claude Code | Yes (free*) | Separate subscription |
+
+*Uses your existing Claude Code quota
+
+## Contributing
+
+PRs welcome! See [CONTRIBUTING.md](CONTRIBUTING.md).
+
+## License
+
+MIT
+
+---
+
+Built with Claude Code

package/commands/scan.md

@@ -0,0 +1,317 @@
+# Vibecode Tracker - Multi-Agent Code Scanner
+
+Run a comprehensive code analysis using 11 AI agents with cross-validation.
+
+$ARGUMENTS
+
+## Execution Flow
+
+You will orchestrate a multi-phase code scan. Follow each phase exactly.
+
+---
+
+## PHASE 0: Context Discovery (REQUIRED FIRST)
+
+Before ANY scanning, understand the project:
+
+**Launch ONE agent with Task tool (subagent_type="Explore"):**
+
+```
+Understand this codebase thoroughly.
+
+1. Find and read ALL documentation:
+   - README.md, CLAUDE.md, .claude/CLAUDE.md
+   - docs/*.md, ARCHITECTURE.md, SECURITY.md
+
+2. Identify tech stack from:
+   - package.json (Node.js)
+   - requirements.txt (Python)
+   - go.mod, Cargo.toml, etc.
+
+3. Map the architecture:
+   - Entry points (routes, controllers)
+   - Middleware and auth
+   - Database access patterns
+   - External service integrations
+
+4. Note security-relevant components:
+   - Auth system used
+   - Encryption implementations
+   - File handling
+   - User input processing
+
+Output a structured JSON summary of the project context.
+```
+
+**Wait for this agent to complete before proceeding.**
+
+---
+
+## PHASE 1: Discovery Scan (5 Agents in Parallel)
+
+Launch ALL 5 agents simultaneously using parallel Task tool calls:
+
+### Agent 1: Security Scanner
+```
+You are a security researcher. Scan this codebase for vulnerabilities.
+
+PROJECT CONTEXT: {paste context from Phase 0}
+
+Check for:
+- SQL/NoSQL injection, XSS, Command injection
+- Authentication/Authorization flaws
+- Cryptography issues, hardcoded secrets
+- SSRF, Path traversal, File upload issues
+- Rate limiting, Session management
+
+For EACH finding output JSON:
+{
+  "id": "SEC-001",
+  "title": "...",
+  "severity": "critical|high|medium|low",
+  "file": "path/to/file.js",
+  "line": 123,
+  "code": "vulnerable code snippet",
+  "description": "What's wrong",
+  "exploit": "How to exploit",
+  "recommendation": "How to fix",
+  "evidence": ["data flow proof"]
+}
+
+Be thorough. Check EVERY file.
+```
+
+### Agent 2: Quality Analyzer
+```
+You are a code quality expert. Scan for quality issues.
+
+PROJECT CONTEXT: {paste context from Phase 0}
+
+Check for:
+- DRY violations (duplicated code)
+- High complexity functions
+- Dead code, unused imports
+- Error handling issues
+- Type safety problems
+- Anti-patterns
+
+Output findings as JSON with "QUAL-XXX" IDs.
+```
+
+### Agent 3: Architecture Reviewer
+```
+You are a software architect. Review the codebase structure.
+
+PROJECT CONTEXT: {paste context from Phase 0}
+
+Check for:
+- Layer violations
+- Circular dependencies
+- Missing abstractions
+- Component coupling
+- API design issues
+- Configuration problems
+
+Output findings as JSON with "ARCH-XXX" IDs.
+```
+
+### Agent 4: Dependency Auditor
+```
+You are a dependency security expert. Audit all dependencies.
+
+PROJECT CONTEXT: {paste context from Phase 0}
+
+Check for:
+- CVEs in dependencies
+- Outdated packages
+- License compliance
+- Unused dependencies
+- Supply chain risks
+
+Output findings as JSON with "DEPS-XXX" IDs.
+```
+
+### Agent 5: Performance Hunter
+```
+You are a performance engineer. Find performance issues.
+
+PROJECT CONTEXT: {paste context from Phase 0}
+
+Check for:
+- N+1 query patterns
+- Memory leaks
+- Blocking operations
+- Missing caching
+- Inefficient algorithms
+
+Output findings as JSON with "PERF-XXX" IDs.
+```
+
+**Wait for ALL 5 agents to complete before proceeding.**
+
+---
+
+## PHASE 2: Cross-Validation (3 Agents in Parallel)
+
+Collect ALL findings from Phase 1, then launch 3 validators:
+
+### Validator A: False Positive Hunter
+```
+Review all findings from Phase 1 for FALSE POSITIVES.
+
+FINDINGS TO VALIDATE:
+{paste all findings from Phase 1}
+
+For each finding:
+1. Read the actual code
+2. Check for mitigating controls
+3. Verify the issue is real
+
+Output:
+{
+  "confirmed": ["SEC-001", "QUAL-003", ...],
+  "falsePositives": [
+    {"id": "SEC-002", "reason": "Input is sanitized at line X"}
+  ]
+}
+```
+
+### Validator B: Evidence Challenger
+```
+Challenge every HIGH and CRITICAL finding.
+
+FINDINGS TO VALIDATE:
+{paste HIGH/CRITICAL findings only}
+
+For each finding:
+1. Read the full code context
+2. Trace the data flow
+3. Attempt to construct an exploit
+4. Determine if truly exploitable
+
+Output same format as Validator A.
+```
+
+### Validator C: Missing Issues Hunter
+```
+Look for issues that Phase 1 agents MISSED.
+
+EXISTING FINDINGS:
+{paste all findings}
+
+Search for:
+- Business logic flaws
+- Race conditions
+- Edge cases
+- Integration vulnerabilities
+- Combination attacks
+
+Output:
+{
+  "missedIssues": [
+    {full finding object with new ID}
+  ]
+}
+```
+
+**Wait for ALL 3 validators to complete.**
+
+---
+
+## PHASE 3: Deep Dive (If Needed)
+
+For any finding where Validator A and B disagree, launch a Deep Dive agent:
+
+```
+DISPUTED FINDING:
+{finding details}
+
+VALIDATOR A SAYS: {verdict}
+VALIDATOR B SAYS: {verdict}
+
+Perform exhaustive analysis:
+1. Read ALL relevant code
+2. Trace complete data flow
+3. Check all mitigating controls
+4. Determine the TRUE status
+
+Output your final verdict with detailed evidence.
+```
+
+---
+
+## PHASE 4: Build Consensus
+
+Now aggregate all results:
+
+1. **Merge duplicates** - Same issue from multiple agents
+2. **Calculate confidence**:
+   - Each validator confirmation: +15%
+   - Each false_positive vote: -20%
+   - Deep dive confirmation: +25%
+3. **Filter**: Remove findings with <50% confidence
+4. **Sort**: By severity, then confidence
+
+---
+
+## PHASE 5: Generate Report
+
+Create a professional PDF report:
+
+### Structure:
+1. **Cover Page** - Project name, date, finding counts
+2. **Executive Summary** - One page for leadership
+3. **Scan Overview** - Files scanned, duration, methodology
+4. **Critical Issues** - Full detail with code and fixes
+5. **High Issues** - Full detail
+6. **Medium Issues** - Summarized table
+7. **Low Issues** - List only
+8. **Positive Observations** - Good patterns found
+9. **Recommendations** - Prioritized action items
+
+### Generate Report:
+
+Use the report generator prompt to create the Markdown content, then convert to PDF:
+
+```bash
+npx md-to-pdf vibecode-report.md
+```
+
+Or use the Read tool to save directly as PDF if available.
+
+---
+
+## Output
+
+Save the final report as:
+```
+vibecode-report-{YYYY-MM-DD}.pdf
+```
+
+Also save the raw findings as:
+```
+vibecode-findings-{YYYY-MM-DD}.json
+```
+
+---
+
+## Quick Options
+
+If the user specifies options:
+
+- `/scan security` - Only run Security Scanner + validators
+- `/scan quality` - Only run Quality Analyzer + validators
+- `/scan --quick` - Skip validation phase (faster, less accurate)
+- `/scan --json` - Output JSON only, no PDF
+
+---
+
+## Important Notes
+
+1. **Always run Phase 0 first** - Context is critical
+2. **Use parallel Task calls** - Faster execution
+3. **Wait between phases** - Each phase needs previous results
+4. **Be thorough** - Better to find more and filter than miss issues
+5. **Include positives** - Good patterns are important too
+
+BEGIN SCAN NOW.

package/dist/cli/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":""}

package/dist/cli/index.js

@@ -0,0 +1,39 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const init_js_1 = require("./init.js");
+const scan_js_1 = require("./scan.js");
+const index_js_1 = require("../report/index.js");
+const program = new commander_1.Command();
+program
+    .name('vibecode')
+    .description('AI-powered code scanner with multi-agent verification for Claude Code')
+    .version('1.0.0');
+program
+    .command('init')
+    .description('Install vibecode slash commands into .claude/commands/')
+    .option('-g, --global', 'Install globally to ~/.claude/commands/')
+    .action(init_js_1.init);
+program
+    .command('scan')
+    .description('Scan codebase with multi-agent AI verification')
+    .argument('[path]', 'Path to scan', '.')
+    .option('-o, --output <format>', 'Output format: json, pdf, md, html', 'pdf')
+    .option('-O, --output-path <path>', 'Output file path')
+    .option('-c, --categories <cats>', 'Categories to scan: security,quality,arch,deps,perf', 'all')
+    .option('-s, --severity <level>', 'Minimum severity: critical,high,medium,low,info', 'low')
+    .option('-v, --verbose', 'Verbose output')
+    .option('-p, --parallel <num>', 'Number of parallel agents', '5')
+    .action(scan_js_1.scan);
+program
+    .command('report')
+    .description('Generate PDF/HTML report from scan JSON')
+    .argument('<json-file>', 'Path to scan results JSON file')
+    .option('-o, --output <path>', 'Output file path')
+    .option('-f, --format <format>', 'Output format: pdf, html', 'pdf')
+    .action(async (jsonFile, options) => {
+    await (0, index_js_1.generateReport)(jsonFile, options.output, options.format || 'pdf');
+});
+program.parse();
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";;;AAEA,yCAAoC;AACpC,uCAAiC;AACjC,uCAAiC;AACjC,iDAAoD;AAEpD,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CAAC,uEAAuE,CAAC;KACpF,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wDAAwD,CAAC;KACrE,MAAM,CAAC,cAAc,EAAE,yCAAyC,CAAC;KACjE,MAAM,CAAC,cAAI,CAAC,CAAC;AAEhB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,gDAAgD,CAAC;KAC7D,QAAQ,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,CAAC;KACvC,MAAM,CAAC,uBAAuB,EAAE,oCAAoC,EAAE,KAAK,CAAC;KAC5E,MAAM,CAAC,0BAA0B,EAAE,kBAAkB,CAAC;KACtD,MAAM,CAAC,yBAAyB,EAAE,qDAAqD,EAAE,KAAK,CAAC;KAC/F,MAAM,CAAC,wBAAwB,EAAE,iDAAiD,EAAE,KAAK,CAAC;KAC1F,MAAM,CAAC,eAAe,EAAE,gBAAgB,CAAC;KACzC,MAAM,CAAC,sBAAsB,EAAE,2BAA2B,EAAE,GAAG,CAAC;KAChE,MAAM,CAAC,cAAI,CAAC,CAAC;AAEhB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,yCAAyC,CAAC;KACtD,QAAQ,CAAC,aAAa,EAAE,gCAAgC,CAAC;KACzD,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;KACjD,MAAM,CAAC,uBAAuB,EAAE,0BAA0B,EAAE,KAAK,CAAC;KAClE,MAAM,CAAC,KAAK,EAAE,QAAgB,EAAE,OAAqD,EAAE,EAAE;IACxF,MAAM,IAAA,yBAAc,EAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC;AAC1E,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/cli/init.d.ts

@@ -0,0 +1,6 @@
+interface InitOptions {
+    global?: boolean;
+}
+export declare function init(options: InitOptions): Promise<void>;
+export {};
+//# sourceMappingURL=init.d.ts.map

package/dist/cli/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":"AAIA,UAAU,WAAW;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAiiBD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA2D9D"}