coverme-scanner 1.0.0

Files changed (46) hide show
  1. package/README.md +227 -0
  2. package/commands/scan.md +317 -0
  3. package/dist/cli/index.d.ts +3 -0
  4. package/dist/cli/index.d.ts.map +1 -0
  5. package/dist/cli/index.js +39 -0
  6. package/dist/cli/index.js.map +1 -0
  7. package/dist/cli/init.d.ts +6 -0
  8. package/dist/cli/init.d.ts.map +1 -0
  9. package/dist/cli/init.js +636 -0
  10. package/dist/cli/init.js.map +1 -0
  11. package/dist/cli/scan.d.ts +11 -0
  12. package/dist/cli/scan.d.ts.map +1 -0
  13. package/dist/cli/scan.js +498 -0
  14. package/dist/cli/scan.js.map +1 -0
  15. package/dist/report/generator.d.ts +48 -0
  16. package/dist/report/generator.d.ts.map +1 -0
  17. package/dist/report/generator.js +368 -0
  18. package/dist/report/generator.js.map +1 -0
  19. package/dist/report/index.d.ts +35 -0
  20. package/dist/report/index.d.ts.map +1 -0
  21. package/dist/report/index.js +463 -0
  22. package/dist/report/index.js.map +1 -0
  23. package/dist/templates/report.html +796 -0
  24. package/dist/types.d.ts +94 -0
  25. package/dist/types.d.ts.map +1 -0
  26. package/dist/types.js +3 -0
  27. package/dist/types.js.map +1 -0
  28. package/package.json +48 -0
  29. package/src/cli/index.ts +43 -0
  30. package/src/cli/init.ts +611 -0
  31. package/src/cli/scan.ts +483 -0
  32. package/src/prompts/architecture-reviewer.md +171 -0
  33. package/src/prompts/consensus-builder.md +247 -0
  34. package/src/prompts/context-discovery.md +174 -0
  35. package/src/prompts/cross-validator.md +224 -0
  36. package/src/prompts/deep-dive-expert.md +224 -0
  37. package/src/prompts/dependency-auditor.md +190 -0
  38. package/src/prompts/performance-hunter.md +200 -0
  39. package/src/prompts/quality-analyzer.md +150 -0
  40. package/src/prompts/report-generator.md +285 -0
  41. package/src/prompts/security-scanner.md +180 -0
  42. package/src/report/generator.ts +382 -0
  43. package/src/report/index.ts +483 -0
  44. package/src/templates/report.html +796 -0
  45. package/src/types.ts +107 -0
  46. package/tsconfig.json +20 -0
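--- /dev/null
+++ b/package/src/cli/init.ts
@@ -0,0 +1,611 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+
+interface InitOptions {
+global?: boolean;
+}
+
+const SLASH_COMMAND = `# CoverMe - Ultimate AI Security Scanner
+
+The most comprehensive AI-powered code scanner. 10 specialized agents + 3 validators + deep analysis.
+
+$ARGUMENTS
+
+## IMPORTANT: Execute ALL phases automatically. Do NOT stop until the HTML report is open.
+
+---
+
+## Phase 1: Discovery (10 parallel agents)
+
+Launch ALL 10 agents IN PARALLEL using the Task tool with subagent_type="Explore":
+
+### Agent 1: Security Scanner (Core)
+\`\`\`
+Scan for OWASP Top 10 and common vulnerabilities:
+
+INJECTION:
+- SQL injection (string concatenation in queries, raw queries)
+- NoSQL injection (MongoDB $where, $regex with user input)
+- Command injection (exec, spawn, system with user input)
+- LDAP injection, XPath injection
+- Template injection (SSTI in Jinja2, EJS, Handlebars)
+- Header injection (CRLF in headers)
+- Log injection (unescaped user input in logs)
+
+XSS:
+- Reflected XSS (user input in response without encoding)
+- Stored XSS (database content rendered without escaping)
+- DOM XSS (innerHTML, document.write, eval with user data)
+- dangerouslySetInnerHTML in React without sanitization
+
+AUTHENTICATION:
+- Hardcoded credentials (check git ls-files first!)
+- Weak password policies (no complexity, short length)
+- Missing rate limiting on login/register
+- Session fixation (session ID not rotated after login)
+- JWT issues (none algorithm, weak secret, no expiry)
+- Missing MFA on sensitive operations
+
+AUTHORIZATION:
+- IDOR (direct object references without ownership check)
+- Missing authorization checks on endpoints
+- Privilege escalation paths
+- Horizontal access (user A accessing user B's data)
+- Vertical access (user accessing admin functions)
+
+CRYPTOGRAPHY:
+- MD5/SHA1 for passwords (use bcrypt/argon2)
+- Math.random() for security (use crypto.randomBytes)
+- Hardcoded encryption keys/IVs
+- ECB mode usage
+- Missing HTTPS enforcement
+
+Output JSON: [{id: "SEC-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
+\`\`\`
+
+### Agent 2: Auth & Session Scanner
+\`\`\`
+Deep dive into authentication and session management:
+
+SSO/OAUTH:
+- Open redirect in return_url/redirect_uri (CRITICAL!)
+- State parameter missing or predictable
+- PKCE not implemented for public clients
+- Token stored in localStorage (XSS vulnerable)
+- Refresh token rotation missing
+- ID token validation incomplete
+
+SESSION:
+- Session ID in URL
+- Session not invalidated on logout
+- Session timeout too long (>24h)
+- Same session across devices without tracking
+- Session data not encrypted
+
+COOKIES:
+- Missing Secure flag
+- Missing HttpOnly flag
+- Missing SameSite attribute
+- Overly broad domain/path
+- Sensitive data in cookies
+
+PASSWORD RESET:
+- Predictable reset tokens
+- Token not expiring
+- No rate limiting on reset requests
+- User enumeration via reset flow
+- Reset link not single-use
+
+Output JSON: [{id: "AUTH-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
+\`\`\`
+
+### Agent 3: API Security Scanner
+\`\`\`
+Scan API endpoints for security issues:
+
+INPUT VALIDATION:
+- Missing input validation on request body
+- Type coercion attacks (string vs number)
+- Array/object pollution
+- Prototype pollution
+- Mass assignment vulnerabilities
+- GraphQL introspection enabled in production
+- GraphQL depth/complexity limits missing
+
+RATE LIMITING:
+- No rate limiting on expensive operations
+- Rate limit bypass via headers (X-Forwarded-For)
+- Missing rate limiting on auth endpoints
+- No account lockout after failed attempts
+
+API DESIGN:
+- Verbose error messages leaking internals
+- Stack traces in production
+- Version information exposed
+- Debug endpoints accessible
+- CORS misconfiguration (wildcard origin with credentials)
+- Missing security headers (CSP, HSTS, X-Frame-Options)
+
+WEBHOOKS:
+- Webhook signature not verified
+- SSRF via webhook URLs
+- No webhook replay protection
+- Webhook secrets logged
+
+Output JSON: [{id: "API-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
+\`\`\`
+
+### Agent 4: Infrastructure Scanner
+\`\`\`
+Scan infrastructure and deployment configs:
+
+DOCKER:
+- Running as root user
+- Secrets in Dockerfile or build args
+- Latest tag usage (unpinned versions)
+- Sensitive ports exposed
+- Missing health checks
+- No resource limits
+- Privileged mode enabled
+- Writable root filesystem
+
+KUBERNETES/HELM:
+- No resource limits/requests
+- Running as root
+- Privileged containers
+- Host network/PID enabled
+- Missing network policies
+- Secrets not encrypted at rest
+- No pod security policies/standards
+- Service account auto-mount enabled
+
+CI/CD:
+- Secrets in CI config files
+- Credentials in environment variables logged
+- Missing secret scanning in pipeline
+- Deploy keys with write access
+- No branch protection
+- Missing SAST/DAST in pipeline
+
+CLOUD:
+- S3 buckets public or misconfigured
+- IAM roles too permissive
+- Security groups too open
+- Logging not enabled
+- Encryption at rest disabled
+
+Output JSON: [{id: "INFRA-XXX", title, severity, category: "infrastructure", file, line, code, description, recommendation, confidence}]
+\`\`\`
+
+### Agent 5: Data & Privacy Scanner
+\`\`\`
+Scan for data protection and privacy issues:
+
+PII HANDLING:
+- PII logged (emails, names, IPs, phone numbers)
+- PII in URLs/query strings
+- PII in error messages
+- PII not encrypted at rest
+- PII not masked in UI/logs
+
+GDPR/PRIVACY:
+- Missing data retention policy implementation
+- No data deletion mechanism (right to erasure)
+- No data export mechanism (data portability)
+- Consent not tracked properly
+- Third-party data sharing without consent
+- Cross-border data transfer issues
+
+DATABASE:
+- Sensitive data not encrypted (column-level)
+- No audit logging for sensitive operations
+- Backup not encrypted
+- Connection strings with credentials in code
+
+SECRETS:
+- API keys in code (check git ls-files!)
+- Secrets in environment files committed
+- Secrets logged
+- Secrets in client-side code
+- Hardcoded tokens/passwords
+- .env files not in .gitignore
+
+Output JSON: [{id: "DATA-XXX", title, severity, category: "privacy", file, line, code, description, recommendation, confidence}]
+\`\`\`
+
+### Agent 6: AI/LLM Security Scanner
+\`\`\`
+Scan for AI/LLM specific vulnerabilities:
+
+PROMPT INJECTION:
+- User input directly in prompts without sanitization
+- System prompts exposed to users
+- Prompt leakage via error messages
+- No input length limits on prompts
+- Missing output validation from LLM
+- Jailbreak vulnerabilities
+
+DATA LEAKAGE:
+- Training data in responses
+- PII in AI context
+- Conversation history not cleared
+- AI accessing unauthorized data
+- Model output not sanitized
+
+SUPPLY CHAIN:
+- CDN imports without Subresource Integrity (SRI)
+- Unpinned AI model versions
+- External AI APIs without TLS verification
+- Model files from untrusted sources
+
+RESOURCE:
+- No token limits on AI calls
+- Missing rate limiting on AI endpoints
+- Cost explosion attacks (large inputs)
+- Denial of service via AI
+
+BUSINESS LOGIC:
+- AI bypassing business rules
+- AI making unauthorized decisions
+- Content filter bypasses
+- AI output directly executed (code injection)
+
+Output JSON: [{id: "AI-XXX", title, severity, category: "ai-security", file, line, code, description, recommendation, confidence}]
+\`\`\`
+
+### Agent 7: Performance & DoS Scanner
+\`\`\`
+Scan for performance issues and DoS vectors:
+
+DATABASE:
+- N+1 query patterns
+- Missing indexes on filtered/sorted columns
+- Full table scans
+- Unbounded queries (no LIMIT)
+- Connection pool exhaustion
+- Long-running transactions
+
+MEMORY:
+- Memory leaks (event listeners not removed)
+- Unbounded caches
+- Large object accumulation
+- Buffer handling issues
+- Stream not properly closed
+- SSE/WebSocket buffer accumulation
+
+CPU:
+- ReDoS (Regular Expression DoS)
+- Algorithmic complexity attacks
+- Synchronous crypto operations
+- JSON parsing of large payloads
+- XML parsing without limits (billion laughs)
+
+NETWORK:
+- No timeout on external calls
+- Missing circuit breakers
+- Retry storms
+- No backpressure handling
+- Connection leaks
+
+RESOURCE EXHAUSTION:
+- File upload without size limits
+- Zip bomb potential
+- Unbounded pagination
+- Missing request size limits
+- Too many concurrent connections
+
+Output JSON: [{id: "PERF-XXX", title, severity, category: "performance", file, line, code, description, recommendation, confidence}]
+\`\`\`
+
+### Agent 8: Business Logic Scanner
+\`\`\`
+Scan for business logic vulnerabilities:
+
+RACE CONDITIONS:
+- TOCTOU (time-of-check-time-of-use)
+- Double-spend in transactions
+- Inventory overselling
+- Concurrent booking conflicts
+- Non-atomic read-modify-write
+
+WORKFLOW:
+- Step skipping in multi-step processes
+- State manipulation attacks
+- Order of operations bypass
+- Workflow replay attacks
+
+FINANCIAL:
+- Rounding errors in calculations
+- Currency handling issues
+- Negative amount bypass
+- Discount stacking exploits
+- Price manipulation
+
+ACCESS CONTROL:
+- Role hierarchy bypass
+- Feature flag manipulation
+- Subscription level bypass
+- Time-based access bypass
+
+DATA INTEGRITY:
+- Missing referential integrity
+- Orphaned records possible
+- Data inconsistency between services
+- Missing transaction boundaries
+
+Output JSON: [{id: "BIZ-XXX", title, severity, category: "business-logic", file, line, code, description, recommendation, confidence}]
+\`\`\`
+
+### Agent 9: Code Quality Scanner
+\`\`\`
+Scan for code quality and maintainability issues:
+
+COMPLEXITY:
+- Cyclomatic complexity > 10
+- Functions > 50 lines
+- Files > 500 lines
+- Deep nesting (> 4 levels)
+- Too many parameters (> 5)
+
+DRY VIOLATIONS:
+- Duplicated code blocks (> 10 lines)
+- Copy-paste code with minor changes
+- Similar functions that should be unified
+
+ANTI-PATTERNS:
+- God objects/classes
+- Callback hell
+- Magic numbers/strings
+- Dead code
+- Unused imports/variables
+- Any type overuse (TypeScript)
+- Console.log in production
+- TODO/FIXME comments in production
+
+ERROR HANDLING:
+- Empty catch blocks
+- Generic error swallowing
+- Missing error boundaries (React)
+- Unhandled promise rejections
+- Missing finally blocks for cleanup
+
+NAMING:
+- Inconsistent naming conventions
+- Misleading names
+- Single letter variables (except i,j,k)
+- Abbreviations without context
+
+Output JSON: [{id: "QUAL-XXX", title, severity, category: "quality", file, line, code, description, recommendation, confidence}]
+\`\`\`
+
+### Agent 10: Testing & Reliability Scanner
+\`\`\`
+Scan for testing gaps and reliability issues:
+
+TEST COVERAGE:
+- Critical paths without tests (auth, payments, data access)
+- Error handlers not tested
+- Edge cases not covered
+- No integration tests
+- No E2E tests for main flows
+
+TEST QUALITY:
+- Tests without assertions
+- Mocked security checks (dangerous!)
+- Flaky tests (time-dependent)
+- Tests with hardcoded data that can expire
+- Missing negative tests (what should fail)
+
+RELIABILITY:
+- Missing health checks
+- No graceful shutdown
+- Missing readiness/liveness probes
+- No circuit breakers for external calls
+- Missing retry logic with backoff
+- No fallback mechanisms
+
+OBSERVABILITY:
+- Missing structured logging
+- No correlation IDs
+- Missing metrics collection
+- No distributed tracing
+- Errors not properly categorized
+
+DEPLOYMENT:
+- No feature flags for risky changes
+- Missing rollback mechanism
+- No canary/blue-green deployment
+- Database migrations not reversible
+
+Output JSON: [{id: "TEST-XXX", title, severity, category: "testing", file, line, code, description, recommendation, confidence}]
+\`\`\`
+
+---
+
+## Phase 2: Cross-Validation (3 parallel validators)
+
+After ALL Phase 1 agents complete, launch 3 validators IN PARALLEL:
+
+### Validator A: False Positive Hunter
+\`\`\`
+Review ALL findings from Phase 1. For each finding:
+1. Read the actual code file
+2. Check if there are mitigating controls elsewhere
+3. For secrets: run "git ls-files <file>" - if not tracked, mark FALSE POSITIVE
+4. Check if code is actually reachable in production
+5. Verify the context (is it test code? example code? disabled feature?)
+
+Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
+\`\`\`
+
+### Validator B: Evidence Challenger
+\`\`\`
+Challenge every HIGH and CRITICAL finding:
+1. Read the actual code with 20 lines of context
+2. Trace data flow from source to sink
+3. Check for sanitization/validation in between
+4. Verify the exploit scenario is realistic
+5. Consider the deployment environment
+6. Check if it's actually exploitable in production
+
+Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
+\`\`\`
+
+### Validator C: Missing Issues Hunter
+\`\`\`
+Look for issues that Phase 1 agents MISSED:
+- Race conditions in critical operations
+- Business logic flaws specific to this application
+- Edge cases (empty input, null, undefined, max length)
+- Integration point vulnerabilities
+- Configuration issues for specific environment
+- Combination attacks (multiple low issues = high)
+
+Output: { missedIssues: [{id, title, severity, file, line, description, recommendation},...] }
+\`\`\`
+
+---
+
+## Phase 3: Build Consensus
+
+Combine all results:
+1. Calculate confidence: (confirmations / validators) * 100
+2. Remove findings with confidence < 50%
+3. Add missed issues from Validator C
+4. Identify positive observations (good patterns found)
+
+---
+
+## Phase 4: Generate Report
+
+Create a JSON file named \`coverme-scan.json\` with this EXACT structure:
+
+\`\`\`json
+{
+"projectName": "<name from package.json or folder name>",
+"scanDate": "<today's date formatted nicely>",
+"findings": [
+{
+"id": "SEC-001",
+"title": "Issue title",
+"severity": "critical|high|medium|low|info",
+"category": "security|auth|api|infrastructure|privacy|ai-security|performance|business-logic|quality|testing",
+"file": "path/to/file.ts",
+"line": 123,
+"description": "Clear description of the issue",
+"code": "the problematic code snippet (include 5+ lines of context)",
+"recommendation": "Specific fix with code example if possible",
+"confidence": 95,
+"cwe": "CWE-XXX if applicable"
+}
+],
+"falsePositives": [
+{
+"id": "SEC-002",
+"title": "What was originally flagged",
+"file": "path/to/file.ts",
+"reason": "Why it was rejected"
+}
+],
+"positiveObservations": [
+"Uses parameterized queries for all database access",
+"Implements proper rate limiting on authentication endpoints",
+"PKCE implemented for OAuth flow",
+"Proper secret management with environment variables",
+"Comprehensive error handling with proper logging",
+"Input validation using Zod/Joi schemas"
+],
+"scanDuration": 300000,
+"agentCount": 13
+}
+\`\`\`
+
+Use the Write tool to save this JSON to \`coverme-scan.json\`.
+
+---
+
+## Phase 5: Generate HTML Report
+
+1. Create the .coverme directory and save the JSON:
+\`\`\`bash
+mkdir -p .coverme
+\`\`\`
+
+2. Use the Write tool to save the JSON to \`coverme-scan.json\`
+
+3. Generate the HTML report and open it:
+\`\`\`bash
+TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
+npx coverme report coverme-scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
+mv coverme-scan.json ".coverme/scan_$TIMESTAMP.json"
+open ".coverme/report_$TIMESTAMP.html"
+\`\`\`
+
+---
+
+## DONE
+
+Tell the user: "Scan complete! Report saved to .coverme/ and opened in browser. Found X issues across Y categories. All scan history is in .coverme/ folder."
+`;
+
+export async function init(options: InitOptions): Promise<void> {
+const targetDir = options.global
+? path.join(os.homedir(), '.claude', 'commands')
+: path.join(process.cwd(), '.claude', 'commands');
+
+console.log(`Installing vibecode commands to: ${targetDir}`);
+
+// Create directory if needed
+if (!fs.existsSync(targetDir)) {
+fs.mkdirSync(targetDir, { recursive: true });
+console.log(`Created directory: ${targetDir}`);
+}
+
+// Write the slash command
+const commandPath = path.join(targetDir, 'coverme.md');
+fs.writeFileSync(commandPath, SLASH_COMMAND);
+console.log(`Created: ${commandPath}`);
+
+// Create .coverme directory for reports
+const covermeDir = path.join(process.cwd(), '.coverme');
+if (!fs.existsSync(covermeDir)) {
+fs.mkdirSync(covermeDir, { recursive: true });
+console.log(`Created: ${covermeDir}/`);
+}
+
+// Add .coverme to .gitignore if not already there
+const gitignorePath = path.join(process.cwd(), '.gitignore');
+const covermeIgnore = '\n# CoverMe scan reports\n.coverme/\n';
+
+if (fs.existsSync(gitignorePath)) {
+const gitignoreContent = fs.readFileSync(gitignorePath, 'utf-8');
+if (!gitignoreContent.includes('.coverme')) {
+fs.appendFileSync(gitignorePath, covermeIgnore);
+console.log(`Added .coverme/ to .gitignore`);
+}
+} else {
+fs.writeFileSync(gitignorePath, covermeIgnore.trim() + '\n');
+console.log(`Created .gitignore with .coverme/`);
+}
+
+console.log(`
+================================================================================
+COVERME INSTALLED
+================================================================================
+
+Usage:
+1. Open Claude Code in your project
+2. Type /coverme and press Enter
+3. Wait for the scan to complete
+4. Report opens automatically in your browser
+
+Reports saved to: .coverme/
+- report_YYYY-MM-DD_HH-MM-SS.html
+- scan_YYYY-MM-DD_HH-MM-SS.json
+
+The .coverme/ folder is automatically added to .gitignore
+
+================================================================================
+`);
+}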
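Review bot: The `.gitignore` guard near the end of `init`, `if (!gitignoreContent.includes('.coverme'))`, is a substring test, so a commented-out line like `#.coverme/` or an unrelated entry such as `.coverme-old` suppresses the append and the scan output, which by the prompt's own schema embeds "5+ lines" of flagged code including any hardcoded secrets the agents found, becomes committable; match whole lines instead, `const ignored = gitignoreContent.split(/\r?\n/).some((l) => ['.coverme', '.coverme/'].includes(l.trim()));`. A few lines earlier `fs.writeFileSync(commandPath, SLASH_COMMAND)` overwrites an existing `coverme.md` under `~/.claude/commands` or the project without checking, so a locally edited command is lost silently; test for the file and skip unless a `--force` option is given, or write a `.bak` first. In the embedded prompt, Validator A's rule `3. For secrets: run "git ls-files <file>" - if not tracked, mark FALSE POSITIVE` discards secrets in ignored files that still get packaged or deployed and says nothing about secrets already in git history, so it should lower confidence rather than drop the finding outright. The report step runs `npx coverme report`, while this package is published as `coverme-scanner` (the `bin` mapping in package.json is not in this hunk); if no local `coverme` bin exists, npx resolves and executes whatever registry package is named `coverme`, so pin it (`npx --no-install coverme-scanner …` or the package's actual bin) to avoid pulling unrelated code onto the scanned machine. Also `open` is macOS-only and the log line `Installing vibecode commands to:` names the wrong tool.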