prodlint 0.7.0 → 0.7.1

package/action.yml

@@ -1,152 +1,152 @@
-name: 'Prodlint'
-description: 'The linter for vibe-coded apps — catch what AI coding tools miss'
-branding:
-  icon: 'shield'
-  color: 'green'
-
-inputs:
-  path:
-    description: 'Path to scan (default: current directory)'
-    required: false
-    default: '.'
-  threshold:
-    description: 'Minimum score to pass (0-100). Fails the check if score is below this.'
-    required: false
-    default: '0'
-  ignore:
-    description: 'Glob patterns to ignore (comma-separated)'
-    required: false
-    default: ''
-  comment:
-    description: 'Post a PR comment with results (true/false)'
-    required: false
-    default: 'true'
-
-outputs:
-  score:
-    description: 'Overall prodlint score (0-100)'
-    value: ${{ steps.scan.outputs.score }}
-  critical:
-    description: 'Number of critical findings'
-    value: ${{ steps.scan.outputs.critical }}
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Setup Node.js
-      uses: actions/setup-node@v4
-      with:
-        node-version: '20'
-
-    - name: Run prodlint
-      id: scan
-      shell: bash
-      env:
-        INPUT_PATH: ${{ inputs.path }}
-        INPUT_IGNORE: ${{ inputs.ignore }}
-      run: |
-        CMD_ARGS=("$INPUT_PATH" "--json")
-        if [ -n "$INPUT_IGNORE" ]; then
-          IFS=',' read -ra PATTERNS <<< "$INPUT_IGNORE"
-          for p in "${PATTERNS[@]}"; do
-            trimmed=$(echo "$p" | xargs)
-            CMD_ARGS+=("--ignore" "$trimmed")
-          done
-        fi
-
-        OUTPUT=$(npx -y prodlint@latest "${CMD_ARGS[@]}" 2>&1) || true
-
-        SCORE=$(echo "$OUTPUT" | node -e "
-          const d = JSON.parse(require('fs').readFileSync(0, 'utf8'));
-          console.log(Number(d.overallScore) || 0);
-        " 2>/dev/null || echo "0")
-        SCORE=$(echo "$SCORE" | tr -cd '0-9')
-
-        CRITICAL=$(echo "$OUTPUT" | node -e "
-          const d = JSON.parse(require('fs').readFileSync(0, 'utf8'));
-          console.log(Number(d.summary.critical) || 0);
-        " 2>/dev/null || echo "0")
-        CRITICAL=$(echo "$CRITICAL" | tr -cd '0-9')
-
-        echo "score=${SCORE:-0}" >> "$GITHUB_OUTPUT"
-        echo "critical=${CRITICAL:-0}" >> "$GITHUB_OUTPUT"
-        echo "$OUTPUT" > /tmp/prodlint-result.json
-
-    - name: Generate comment body
-      if: inputs.comment == 'true' && github.event_name == 'pull_request'
-      id: comment
-      shell: bash
-      env:
-        SCAN_SCORE: ${{ steps.scan.outputs.score }}
-        INPUT_THRESHOLD: ${{ inputs.threshold }}
-      run: |
-        SCORE="$SCAN_SCORE"
-        THRESHOLD="$INPUT_THRESHOLD"
-
-        if [ "$SCORE" -ge 80 ]; then
-          EMOJI="✅"
-          COLOR="brightgreen"
-        elif [ "$SCORE" -ge 60 ]; then
-          EMOJI="⚠️"
-          COLOR="yellow"
-        else
-          EMOJI="🚨"
-          COLOR="red"
-        fi
-
-        # Build comment from JSON with markdown sanitization
-        TMPFILE=$(mktemp "${RUNNER_TEMP:-/tmp}/prodlint-comment-XXXXXX.md")
-        node -e "
-          const fs = require('fs');
-          const d = JSON.parse(fs.readFileSync('/tmp/prodlint-result.json', 'utf8'));
-          const esc = s => String(s).replace(/[[\]()\\*_\`<>]/g, c => '\\\\' + c);
-          const lines = [];
-          lines.push('## ' + '$EMOJI' + ' Prodlint Score: **' + d.overallScore + '/100**');
-          lines.push('');
-          lines.push('| Category | Score | Issues |');
-          lines.push('|----------|-------|--------|');
-          for (const c of d.categoryScores) {
-            const icon = c.score >= 80 ? '🟢' : c.score >= 60 ? '🟡' : '🔴';
-            lines.push('| ' + icon + ' ' + esc(c.category) + ' | ' + c.score + '/100 | ' + c.findingCount + ' |');
-          }
-          if (d.summary.critical > 0) {
-            lines.push('');
-            lines.push('### Critical Issues');
-            lines.push('');
-            const crits = d.findings.filter(f => f.severity === 'critical');
-            for (const f of crits.slice(0, 10)) {
-              lines.push('- \`' + esc(f.ruleId) + '\` \`' + esc(f.file) + ':' + f.line + '\` — ' + esc(f.message));
-            }
-            if (crits.length > 10) {
-              lines.push('- ...and ' + (crits.length - 10) + ' more');
-            }
-          }
-          lines.push('');
-          lines.push('---');
-          lines.push('*Scanned ' + d.filesScanned + ' files in ' + d.scanDurationMs + 'ms · [prodlint](https://prodlint.com)*');
-          fs.writeFileSync('$TMPFILE', lines.join('\n'));
-        "
-
-        # Use the generated file for the comment step
-        cp "$TMPFILE" /tmp/prodlint-comment.md
-
-    - name: Post PR comment
-      if: inputs.comment == 'true' && github.event_name == 'pull_request'
-      uses: marocchino/sticky-pull-request-comment@v2
-      with:
-        header: prodlint
-        path: /tmp/prodlint-comment.md
-
-    - name: Check threshold
-      if: inputs.threshold != '0'
-      shell: bash
-      env:
-        SCAN_SCORE: ${{ steps.scan.outputs.score }}
-        INPUT_THRESHOLD: ${{ inputs.threshold }}
-      run: |
-        SCORE="$SCAN_SCORE"
-        THRESHOLD="$INPUT_THRESHOLD"
-        if [ "$SCORE" -lt "$THRESHOLD" ]; then
-          echo "::error::Prodlint score ($SCORE) is below threshold ($THRESHOLD)"
-          exit 1
-        fi
+name: 'Prodlint'
+description: 'The linter for vibe-coded apps — catch what AI coding tools miss'
+branding:
+  icon: 'shield'
+  color: 'green'
+
+inputs:
+  path:
+    description: 'Path to scan (default: current directory)'
+    required: false
+    default: '.'
+  threshold:
+    description: 'Minimum score to pass (0-100). Fails the check if score is below this.'
+    required: false
+    default: '0'
+  ignore:
+    description: 'Glob patterns to ignore (comma-separated)'
+    required: false
+    default: ''
+  comment:
+    description: 'Post a PR comment with results (true/false)'
+    required: false
+    default: 'true'
+
+outputs:
+  score:
+    description: 'Overall prodlint score (0-100)'
+    value: ${{ steps.scan.outputs.score }}
+  critical:
+    description: 'Number of critical findings'
+    value: ${{ steps.scan.outputs.critical }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+
+    - name: Run prodlint
+      id: scan
+      shell: bash
+      env:
+        INPUT_PATH: ${{ inputs.path }}
+        INPUT_IGNORE: ${{ inputs.ignore }}
+      run: |
+        CMD_ARGS=("$INPUT_PATH" "--json")
+        if [ -n "$INPUT_IGNORE" ]; then
+          IFS=',' read -ra PATTERNS <<< "$INPUT_IGNORE"
+          for p in "${PATTERNS[@]}"; do
+            trimmed=$(echo "$p" | xargs)
+            CMD_ARGS+=("--ignore" "$trimmed")
+          done
+        fi
+
+        OUTPUT=$(npx -y prodlint@latest "${CMD_ARGS[@]}" 2>&1) || true
+
+        SCORE=$(echo "$OUTPUT" | node -e "
+          const d = JSON.parse(require('fs').readFileSync(0, 'utf8'));
+          console.log(Number(d.overallScore) || 0);
+        " 2>/dev/null || echo "0")
+        SCORE=$(echo "$SCORE" | tr -cd '0-9')
+
+        CRITICAL=$(echo "$OUTPUT" | node -e "
+          const d = JSON.parse(require('fs').readFileSync(0, 'utf8'));
+          console.log(Number(d.summary.critical) || 0);
+        " 2>/dev/null || echo "0")
+        CRITICAL=$(echo "$CRITICAL" | tr -cd '0-9')
+
+        echo "score=${SCORE:-0}" >> "$GITHUB_OUTPUT"
+        echo "critical=${CRITICAL:-0}" >> "$GITHUB_OUTPUT"
+        echo "$OUTPUT" > /tmp/prodlint-result.json
+
+    - name: Generate comment body
+      if: inputs.comment == 'true' && github.event_name == 'pull_request'
+      id: comment
+      shell: bash
+      env:
+        SCAN_SCORE: ${{ steps.scan.outputs.score }}
+        INPUT_THRESHOLD: ${{ inputs.threshold }}
+      run: |
+        SCORE="$SCAN_SCORE"
+        THRESHOLD="$INPUT_THRESHOLD"
+
+        if [ "$SCORE" -ge 80 ]; then
+          EMOJI="✅"
+          COLOR="brightgreen"
+        elif [ "$SCORE" -ge 60 ]; then
+          EMOJI="⚠️"
+          COLOR="yellow"
+        else
+          EMOJI="🚨"
+          COLOR="red"
+        fi
+
+        # Build comment from JSON with markdown sanitization
+        TMPFILE=$(mktemp "${RUNNER_TEMP:-/tmp}/prodlint-comment-XXXXXX.md")
+        node -e "
+          const fs = require('fs');
+          const d = JSON.parse(fs.readFileSync('/tmp/prodlint-result.json', 'utf8'));
+          const esc = s => String(s).replace(/[[\]()\\*_\`<>]/g, c => '\\\\' + c);
+          const lines = [];
+          lines.push('## ' + '$EMOJI' + ' Prodlint Score: **' + d.overallScore + '/100**');
+          lines.push('');
+          lines.push('| Category | Score | Issues |');
+          lines.push('|----------|-------|--------|');
+          for (const c of d.categoryScores) {
+            const icon = c.score >= 80 ? '🟢' : c.score >= 60 ? '🟡' : '🔴';
+            lines.push('| ' + icon + ' ' + esc(c.category) + ' | ' + c.score + '/100 | ' + c.findingCount + ' |');
+          }
+          if (d.summary.critical > 0) {
+            lines.push('');
+            lines.push('### Critical Issues');
+            lines.push('');
+            const crits = d.findings.filter(f => f.severity === 'critical');
+            for (const f of crits.slice(0, 10)) {
+              lines.push('- \`' + esc(f.ruleId) + '\` \`' + esc(f.file) + ':' + f.line + '\` — ' + esc(f.message));
+            }
+            if (crits.length > 10) {
+              lines.push('- ...and ' + (crits.length - 10) + ' more');
+            }
+          }
+          lines.push('');
+          lines.push('---');
+          lines.push('*Scanned ' + d.filesScanned + ' files in ' + d.scanDurationMs + 'ms · [prodlint](https://prodlint.com)*');
+          fs.writeFileSync('$TMPFILE', lines.join('\n'));
+        "
+
+        # Use the generated file for the comment step
+        cp "$TMPFILE" /tmp/prodlint-comment.md
+
+    - name: Post PR comment
+      if: inputs.comment == 'true' && github.event_name == 'pull_request'
+      uses: marocchino/sticky-pull-request-comment@v2
+      with:
+        header: prodlint
+        path: /tmp/prodlint-comment.md
+
+    - name: Check threshold
+      if: inputs.threshold != '0'
+      shell: bash
+      env:
+        SCAN_SCORE: ${{ steps.scan.outputs.score }}
+        INPUT_THRESHOLD: ${{ inputs.threshold }}
+      run: |
+        SCORE="$SCAN_SCORE"
+        THRESHOLD="$INPUT_THRESHOLD"
+        if [ "$SCORE" -lt "$THRESHOLD" ]; then
+          echo "::error::Prodlint score ($SCORE) is below threshold ($THRESHOLD)"
+          exit 1
+        fi

package/dist/cli.js

@@ -76,7 +76,10 @@ function isTestFile(relativePath) {
   return /\.(test|spec)\.[jt]sx?$/.test(relativePath) || /(?:^|\/)__tests__\//.test(relativePath) || /(?:^|\/)tests?\//.test(relativePath) || /(?:^|\/)fixtures?\//.test(relativePath) || /(?:^|\/)mocks?\//.test(relativePath);
 }
 function isScriptFile(relativePath) {
-  return /(?:^|\/)scripts?\//.test(relativePath);
+  if (/(?:^|\/)scripts?\//.test(relativePath)) return true;
+  const name = relativePath.split("/").pop() ?? "";
+  const base = name.replace(/\.[^.]+$/, "");
+  return /^(seed|migrate|setup|bootstrap|generate|codegen|sync|deploy|cleanup|reset)$/.test(base);
 }
 function isConfigFile(relativePath) {
   const name = relativePath.split("/").pop() ?? "";
@@ -245,6 +248,25 @@ function findLoopsAST(ast) {
   });
   return loops;
 }
+function getImportSources(ast) {
+  const sources = [];
+  walkAST(ast.program, (node) => {
+    if (node.type === "ImportDeclaration") {
+      const decl = node;
+      sources.push({ source: decl.source.value, line: decl.loc?.start.line ?? 1 });
+    }
+    if (node.type === "CallExpression") {
+      const call = node;
+      if (call.callee.type === "Identifier" && call.callee.name === "require" && call.arguments.length === 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+      if (call.callee.type === "Import" && call.arguments.length >= 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+    }
+  });
+  return sources;
+}
 function isUserInputNode(node) {
   if (node.type === "MemberExpression") {
     const mem = node;
@@ -439,6 +461,66 @@ async function readFileContext(root, relativePath) {
     return null;
   }
 }
+async function getWorkspacePatterns(root, packageJson) {
+  const patterns = [];
+  if (packageJson) {
+    const workspaces = packageJson.workspaces;
+    if (Array.isArray(workspaces)) {
+      patterns.push(...workspaces);
+    } else if (workspaces && typeof workspaces === "object" && Array.isArray(workspaces.packages)) {
+      patterns.push(...workspaces.packages);
+    }
+  }
+  try {
+    const raw = await readFile(resolve(root, "pnpm-workspace.yaml"), "utf-8");
+    let inPackages = false;
+    for (const line of raw.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (/^packages\s*:/.test(trimmed)) {
+        inPackages = true;
+        continue;
+      }
+      if (inPackages) {
+        if (/^-\s+/.test(trimmed)) {
+          const glob = trimmed.replace(/^-\s+/, "").replace(/^['"]|['"]$/g, "");
+          if (glob) patterns.push(glob);
+        } else if (trimmed && !trimmed.startsWith("#")) {
+          break;
+        }
+      }
+    }
+  } catch {
+  }
+  return patterns;
+}
+async function collectWorkspaceDependencies(root, patterns) {
+  const deps = /* @__PURE__ */ new Set();
+  const globPatterns = patterns.map((p) => `${p}/package.json`);
+  try {
+    const pkgFiles = await fg(globPatterns, {
+      cwd: root,
+      absolute: false,
+      ignore: ["**/node_modules/**"]
+    });
+    for (const pkgFile of pkgFiles) {
+      try {
+        const raw = await readFile(resolve(root, pkgFile), "utf-8");
+        const pkg = JSON.parse(raw);
+        if (pkg.name) deps.add(pkg.name);
+        for (const key of ["dependencies", "devDependencies", "peerDependencies"]) {
+          if (pkg[key] && typeof pkg[key] === "object") {
+            for (const dep of Object.keys(pkg[key])) {
+              deps.add(dep);
+            }
+          }
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return deps;
+}
 async function buildProjectContext(root, files) {
   let packageJson = null;
   let declaredDependencies = /* @__PURE__ */ new Set();
@@ -457,19 +539,26 @@ async function buildProjectContext(root, files) {
       ...packageJson?.peerDependencies ?? {}
     };
     declaredDependencies = new Set(Object.keys(deps));
-    for (const dep of declaredDependencies) {
-      const framework = DEPENDENCY_TO_FRAMEWORK[dep];
-      if (framework) {
-        detectedFrameworks.add(framework);
-      }
+  } catch {
+  }
+  const workspacePatterns = await getWorkspacePatterns(root, packageJson);
+  if (workspacePatterns.length > 0) {
+    const workspaceDeps = await collectWorkspaceDependencies(root, workspacePatterns);
+    for (const dep of workspaceDeps) {
+      declaredDependencies.add(dep);
     }
-    for (const framework of detectedFrameworks) {
-      if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
-        hasRateLimiting = true;
-        break;
-      }
+  }
+  for (const dep of declaredDependencies) {
+    const framework = DEPENDENCY_TO_FRAMEWORK[dep];
+    if (framework) {
+      detectedFrameworks.add(framework);
+    }
+  }
+  for (const framework of detectedFrameworks) {
+    if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
+      hasRateLimiting = true;
+      break;
     }
-  } catch {
   }
   try {
     const raw = await readFile(resolve(root, "tsconfig.json"), "utf-8");
@@ -724,6 +813,32 @@ var hallucinatedImportsRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Set();
     const isNonProd = isTestFile(file.relativePath) || isScriptFile(file.relativePath);
+    if (file.ast) {
+      try {
+        const imports = getImportSources(file.ast);
+        for (const { source: importPath, line } of imports) {
+          if (importPath.startsWith(".") || importPath.startsWith("/")) continue;
+          const pkgName = getPackageName(importPath);
+          if (seen.has(pkgName)) continue;
+          seen.add(pkgName);
+          if (isPathAlias(importPath, project.tsconfigPaths)) continue;
+          if (isNodeBuiltin(pkgName)) continue;
+          if (IMPLICIT_PACKAGES.has(importPath) || IMPLICIT_PACKAGES.has(pkgName)) continue;
+          if (project.declaredDependencies.has(pkgName)) continue;
+          findings.push({
+            ruleId: "hallucinated-imports",
+            file: file.relativePath,
+            line,
+            column: 1,
+            message: `Package "${pkgName}" is imported but not in package.json`,
+            severity: isNonProd ? "warning" : "critical",
+            category: "reliability"
+          });
+        }
+        return findings;
+      } catch {
+      }
+    }
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
@@ -2255,8 +2370,14 @@ function scoreCatchBody(bodyLines) {
   const body = bodyLines.join("\n");
   let score = 0;
   if (/console\.(log|warn|error|info)\s*\(/.test(body)) score = 1;
-  if (/console\.(error|warn)\s*\(/.test(body) && /\b(err|error|e)\b/.test(body)) score = 2;
-  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body)) {
+  if ((/console\.(error|warn)\s*\(/.test(body) || /\b(logger|log)\.(error|warn)\s*\(/.test(body)) && /\b(err|error|e)\b/.test(body)) score = 2;
+  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body) || // Toast notifications (react-toastify, sonner, shadcn)
+  /\btoast\.(error|warn|warning)\s*\(/.test(body) || /\btoast\s*\(\s*\{/.test(body) || // Error monitoring (Sentry, etc.)
+  /\b(Sentry\.)?captureException\s*\(/.test(body) || /\b(Sentry\.)?captureMessage\s*\(/.test(body) || // Structured loggers
+  /\b(logger|log)\.(error|fatal)\s*\(/.test(body) || // Error handler utilities
+  /\b(handleError|reportError|logError|notifyError|showError|onError|trackError)\s*\(/.test(body) || // Express middleware: next(err)
+  /\bnext\s*\(\s*(err|error|e)\s*\)/.test(body) || // Next.js notFound()
+  /\bnotFound\s*\(/.test(body)) {
     score = 3;
   }
   const labels = {
@@ -2288,7 +2409,7 @@ var shallowCatchRule = {
           if (!body || !body.loc) return;
           const bodyStart = body.loc.start.line - 1;
           const bodyEnd = body.loc.end.line - 1;
-          const bodyLines = file.lines.slice(bodyStart + 1, bodyEnd);
+          const bodyLines = bodyStart === bodyEnd ? [file.lines[bodyStart]] : file.lines.slice(bodyStart + 1, bodyEnd);
           const { score, label } = scoreCatchBody(bodyLines);
           if (score <= 1) {
             findings.push({