prodlint 0.3.1 → 0.6.0

package/README.md

@@ -4,22 +4,26 @@
 [![npm downloads](https://img.shields.io/npm/dm/prodlint.svg)](https://www.npmjs.com/package/prodlint)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-Catch the bugs AI leaves behind.
+The linter for vibe-coded apps.
 
-prodlint scans AI-generated JavaScript and TypeScript projects for production readiness issues — hallucinated imports, missing auth, exposed secrets, N+1 queries, and more. No LLM required, just pattern matching against known failure modes.
+Cursor, v0, Bolt, and Copilot build fast. prodlint catches what they miss — hallucinated imports, missing auth, hardcoded secrets, unvalidated server actions, and the other production bugs that compile just fine. Zero config, no LLM, fast static analysis.
 
 ```bash
 npx prodlint
 ```
 
 ```
-  prodlint v0.3.0
-  Scanned 148 files in 92ms
+  prodlint v0.6.0
+  Scanned 148 files · 3 critical · 5 warnings
 
   src/app/api/checkout/route.ts
     12:1  CRIT  No rate limiting — anyone could spam this endpoint and run up your API costs  rate-limiting
     28:5  WARN  Empty catch block silently swallows error  shallow-catch
 
+  src/actions/submit.ts
+    5:3   CRIT  Server action uses formData without validation  next-server-action-validation
+      ↳ Validate with Zod: const data = schema.safeParse(Object.fromEntries(formData))
+
   src/lib/db.ts
     1:1   CRIT  Package "drizzle-orm" is imported but not in package.json  hallucinated-imports
 
@@ -29,24 +33,26 @@ npx prodlint
   performance     95 ███████████████████░  (1 issue)
   ai-quality      90 ██████████████████░░  (3 issues)
 
-  Overall: 85/100
+  Overall: 82/100 (weighted)
 
-  8 critical · 5 warnings · 3 info
+  3 critical · 5 warnings · 3 info
 ```
 
 ## Why?
 
-AI code generators (Cursor, Copilot, v0, Bolt, Claude) write code that works in demos but breaks in production. Hardcoded secrets, hallucinated packages, missing auth, XSS vectors — these pass type-checks and look correct but aren't.
+Vibe coding is the fastest way to build. It's also the fastest way to ship hardcoded secrets, hallucinated packages, missing auth, and XSS vectors to production. These pass type-checks and look correct — but they aren't.
 
-prodlint catches what TypeScript and ESLint miss: **production readiness gaps**.
+prodlint catches what TypeScript and ESLint miss: **the bugs AI coding tools consistently write**.
 
 ## Install
 
 ```bash
-npx prodlint                      # Run directly (no install)
-npx prodlint ./my-app             # Scan specific path
-npx prodlint --json               # JSON output for CI
-npx prodlint --ignore "*.test.ts" # Ignore patterns
+npx prodlint                              # Run directly (no install)
+npx prodlint ./my-app                     # Scan specific path
+npx prodlint --json                       # JSON output for CI
+npx prodlint --ignore "*.test.ts"         # Ignore patterns
+npx prodlint --min-severity warning       # Only warnings and criticals
+npx prodlint --quiet                      # Suppress badge output
 ```
 
 Or install it:
@@ -56,9 +62,9 @@ npm i -D prodlint     # Project dependency
 npm i -g prodlint     # Global install
 ```
 
-## 27 Rules across 4 Categories
+## 52 Rules across 4 Categories
 
-### Security (10 rules)
+### Security (27 rules)
 
 | Rule | What it catches |
 |------|----------------|
@@ -68,12 +74,29 @@ npm i -g prodlint     # Global install
 | `input-validation` | Request body used without validation |
 | `cors-config` | `Access-Control-Allow-Origin: *` |
 | `unsafe-html` | `dangerouslySetInnerHTML` with user data |
-| `sql-injection` | String-interpolated SQL queries |
+| `sql-injection` | String-interpolated SQL queries (ORM-aware) |
 | `open-redirect` | User input passed to `redirect()` |
 | `rate-limiting` | API routes with no rate limiter |
 | `phantom-dependency` | Packages in node_modules but missing from package.json |
-
-### Reliability (6 rules)
+| `insecure-cookie` | Session cookies missing httpOnly/secure/sameSite |
+| `leaked-env-in-logs` | `process.env.*` inside console.log calls |
+| `insecure-random` | `Math.random()` used for tokens, secrets, or session IDs |
+| `next-server-action-validation` | Server actions using formData without Zod/schema validation |
+| `env-fallback-secret` | Security-sensitive env vars with hardcoded fallback values |
+| `verbose-error-response` | Error stack traces or messages leaked in API responses |
+| `missing-webhook-verification` | Webhook routes without signature verification |
+| `server-action-auth` | Server actions with mutations but no auth check |
+| `eval-injection` | `eval()`, `new Function()`, dynamic code execution |
+| `next-public-sensitive` | `NEXT_PUBLIC_` prefix on secret env vars |
+| `ssrf-risk` | User-controlled URLs passed to fetch in server code |
+| `path-traversal` | File system operations with unsanitized user input |
+| `unsafe-file-upload` | File upload handlers without type or size validation |
+| `supabase-missing-rls` | `CREATE TABLE` in migrations without enabling RLS |
+| `deprecated-oauth-flow` | OAuth Implicit Grant (response_type=token) |
+| `jwt-no-expiry` | JWT tokens signed without an expiration |
+| `client-side-auth-only` | Password comparisons or auth logic in client components |
+
+### Reliability (11 rules)
 
 | Rule | What it catches |
 |------|----------------|
@@ -83,8 +106,13 @@ npm i -g prodlint     # Global install
 | `shallow-catch` | Empty catch blocks that swallow errors |
 | `missing-loading-state` | Client components that fetch without a loading state |
 | `missing-error-boundary` | Route layouts without a matching error.tsx |
+| `missing-transaction` | Multiple Prisma writes without `$transaction` |
+| `redirect-in-try-catch` | `redirect()` inside try/catch — Next.js redirect throws, catch swallows it |
+| `missing-revalidation` | Server actions with DB mutations but no `revalidatePath` |
+| `missing-useeffect-cleanup` | useEffect with subscriptions/timers but no cleanup return |
+| `hydration-mismatch` | `window`/`Date.now()`/`Math.random()` in server component render path |
 
-### Performance (4 rules)
+### Performance (6 rules)
 
 | Rule | What it catches |
 |------|----------------|
@@ -92,8 +120,10 @@ npm i -g prodlint     # Global install
 | `no-n-plus-one` | Database calls inside loops |
 | `no-unbounded-query` | `.findMany()` / `.select('*')` with no limit |
 | `no-dynamic-import-loop` | `import()` inside loops |
+| `server-component-fetch-self` | Server components fetching their own API routes |
+| `missing-abort-controller` | Fetch calls without timeout or AbortController |
 
-### AI Quality (7 rules)
+### AI Quality (8 rules)
 
 | Rule | What it catches |
 |------|----------------|
@@ -104,28 +134,34 @@ npm i -g prodlint     # Global install
 | `comprehension-debt` | Functions over 80 lines, deep nesting, too many parameters |
 | `codebase-consistency` | Mixed naming conventions across the project |
 | `dead-exports` | Exported functions that nothing imports |
+| `use-client-overuse` | `"use client"` on files that don't use any client-side APIs |
 
 ## Smart Detection
 
 prodlint avoids common false positives:
 
+- **AST parsing** — Babel-based analysis for loops, imports, and SQL templates with regex fallback
+- **Framework awareness** — Prisma, Drizzle, Supabase, Knex, and Sequelize whitelists prevent false SQL injection flags
+- **Middleware detection** — Clerk, NextAuth, Supabase middleware detected — auth findings downgraded
 - **Block comment awareness** — patterns inside `/* */` are ignored
-- **Middleware detection** — if your project uses Clerk/NextAuth/Supabase middleware, auth findings are downgraded
 - **Path alias support** — `@/`, `~/`, and tsconfig paths aren't flagged as hallucinated imports
 - **Route exemptions** — auth, webhook, health, and cron routes are exempt from auth/rate-limit checks
 - **Test/script file awareness** — lower severity for non-production files
+- **Fix suggestions** — findings include actionable `fix` hints with remediation code
 
 ## Scoring
 
 Each category starts at 100. Deductions per finding:
 
-| Severity | Deduction |
-|----------|-----------|
-| critical | -10 |
-| warning | -3 |
-| info | -1 |
+| Severity | Deduction | Per-rule cap |
+|----------|-----------|--------------|
+| critical | -8 | max 1 |
+| warning | -2 | max 2 |
+| info | -0.5 | max 3 |
+
+**Diminishing returns**: after 30 points deducted in a category, further deductions are halved; after 50, quartered.
 
-Overall score = average of the 4 category scores (floor 0). Exit code `1` if any critical findings exist.
+**Weighted overall**: security 40%, reliability 30%, performance 15%, ai-quality 15%. Floor at 0. Exit code `1` if any critical findings exist.
 
 ## GitHub Action
 

package/action.yml

@@ -1,5 +1,5 @@
 name: 'Prodlint'
-description: 'Scan AI-generated projects for production readiness issues'
+description: 'The linter for vibe-coded apps — catch what AI coding tools miss'
 branding:
   icon: 'shield'
   color: 'green'
@@ -24,7 +24,7 @@ inputs:
 
 outputs:
   score:
-    description: 'Overall production readiness score (0-100)'
+    description: 'Overall prodlint score (0-100)'
     value: ${{ steps.scan.outputs.score }}
   critical:
     description: 'Number of critical findings'