prodlint 0.7.0 → 0.7.1

package/dist/index.js

@@ -71,7 +71,10 @@ function isTestFile(relativePath) {
   return /\.(test|spec)\.[jt]sx?$/.test(relativePath) || /(?:^|\/)__tests__\//.test(relativePath) || /(?:^|\/)tests?\//.test(relativePath) || /(?:^|\/)fixtures?\//.test(relativePath) || /(?:^|\/)mocks?\//.test(relativePath);
 }
 function isScriptFile(relativePath) {
-  return /(?:^|\/)scripts?\//.test(relativePath);
+  if (/(?:^|\/)scripts?\//.test(relativePath)) return true;
+  const name = relativePath.split("/").pop() ?? "";
+  const base = name.replace(/\.[^.]+$/, "");
+  return /^(seed|migrate|setup|bootstrap|generate|codegen|sync|deploy|cleanup|reset)$/.test(base);
 }
 function isConfigFile(relativePath) {
   const name = relativePath.split("/").pop() ?? "";
@@ -240,6 +243,25 @@ function findLoopsAST(ast) {
   });
   return loops;
 }
+function getImportSources(ast) {
+  const sources = [];
+  walkAST(ast.program, (node) => {
+    if (node.type === "ImportDeclaration") {
+      const decl = node;
+      sources.push({ source: decl.source.value, line: decl.loc?.start.line ?? 1 });
+    }
+    if (node.type === "CallExpression") {
+      const call = node;
+      if (call.callee.type === "Identifier" && call.callee.name === "require" && call.arguments.length === 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+      if (call.callee.type === "Import" && call.arguments.length >= 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+    }
+  });
+  return sources;
+}
 function isUserInputNode(node) {
   if (node.type === "MemberExpression") {
     const mem = node;
@@ -434,6 +456,66 @@ async function readFileContext(root, relativePath) {
     return null;
   }
 }
+async function getWorkspacePatterns(root, packageJson) {
+  const patterns = [];
+  if (packageJson) {
+    const workspaces = packageJson.workspaces;
+    if (Array.isArray(workspaces)) {
+      patterns.push(...workspaces);
+    } else if (workspaces && typeof workspaces === "object" && Array.isArray(workspaces.packages)) {
+      patterns.push(...workspaces.packages);
+    }
+  }
+  try {
+    const raw = await readFile(resolve(root, "pnpm-workspace.yaml"), "utf-8");
+    let inPackages = false;
+    for (const line of raw.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (/^packages\s*:/.test(trimmed)) {
+        inPackages = true;
+        continue;
+      }
+      if (inPackages) {
+        if (/^-\s+/.test(trimmed)) {
+          const glob = trimmed.replace(/^-\s+/, "").replace(/^['"]|['"]$/g, "");
+          if (glob) patterns.push(glob);
+        } else if (trimmed && !trimmed.startsWith("#")) {
+          break;
+        }
+      }
+    }
+  } catch {
+  }
+  return patterns;
+}
+async function collectWorkspaceDependencies(root, patterns) {
+  const deps = /* @__PURE__ */ new Set();
+  const globPatterns = patterns.map((p) => `${p}/package.json`);
+  try {
+    const pkgFiles = await fg(globPatterns, {
+      cwd: root,
+      absolute: false,
+      ignore: ["**/node_modules/**"]
+    });
+    for (const pkgFile of pkgFiles) {
+      try {
+        const raw = await readFile(resolve(root, pkgFile), "utf-8");
+        const pkg = JSON.parse(raw);
+        if (pkg.name) deps.add(pkg.name);
+        for (const key of ["dependencies", "devDependencies", "peerDependencies"]) {
+          if (pkg[key] && typeof pkg[key] === "object") {
+            for (const dep of Object.keys(pkg[key])) {
+              deps.add(dep);
+            }
+          }
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return deps;
+}
 async function buildProjectContext(root, files) {
   let packageJson = null;
   let declaredDependencies = /* @__PURE__ */ new Set();
@@ -452,19 +534,26 @@ async function buildProjectContext(root, files) {
       ...packageJson?.peerDependencies ?? {}
     };
     declaredDependencies = new Set(Object.keys(deps));
-    for (const dep of declaredDependencies) {
-      const framework = DEPENDENCY_TO_FRAMEWORK[dep];
-      if (framework) {
-        detectedFrameworks.add(framework);
-      }
+  } catch {
+  }
+  const workspacePatterns = await getWorkspacePatterns(root, packageJson);
+  if (workspacePatterns.length > 0) {
+    const workspaceDeps = await collectWorkspaceDependencies(root, workspacePatterns);
+    for (const dep of workspaceDeps) {
+      declaredDependencies.add(dep);
     }
-    for (const framework of detectedFrameworks) {
-      if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
-        hasRateLimiting = true;
-        break;
-      }
+  }
+  for (const dep of declaredDependencies) {
+    const framework = DEPENDENCY_TO_FRAMEWORK[dep];
+    if (framework) {
+      detectedFrameworks.add(framework);
+    }
+  }
+  for (const framework of detectedFrameworks) {
+    if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
+      hasRateLimiting = true;
+      break;
     }
-  } catch {
   }
   try {
     const raw = await readFile(resolve(root, "tsconfig.json"), "utf-8");
@@ -719,6 +808,32 @@ var hallucinatedImportsRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Set();
     const isNonProd = isTestFile(file.relativePath) || isScriptFile(file.relativePath);
+    if (file.ast) {
+      try {
+        const imports = getImportSources(file.ast);
+        for (const { source: importPath, line } of imports) {
+          if (importPath.startsWith(".") || importPath.startsWith("/")) continue;
+          const pkgName = getPackageName(importPath);
+          if (seen.has(pkgName)) continue;
+          seen.add(pkgName);
+          if (isPathAlias(importPath, project.tsconfigPaths)) continue;
+          if (isNodeBuiltin(pkgName)) continue;
+          if (IMPLICIT_PACKAGES.has(importPath) || IMPLICIT_PACKAGES.has(pkgName)) continue;
+          if (project.declaredDependencies.has(pkgName)) continue;
+          findings.push({
+            ruleId: "hallucinated-imports",
+            file: file.relativePath,
+            line,
+            column: 1,
+            message: `Package "${pkgName}" is imported but not in package.json`,
+            severity: isNonProd ? "warning" : "critical",
+            category: "reliability"
+          });
+        }
+        return findings;
+      } catch {
+      }
+    }
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
@@ -2250,8 +2365,14 @@ function scoreCatchBody(bodyLines) {
   const body = bodyLines.join("\n");
   let score = 0;
   if (/console\.(log|warn|error|info)\s*\(/.test(body)) score = 1;
-  if (/console\.(error|warn)\s*\(/.test(body) && /\b(err|error|e)\b/.test(body)) score = 2;
-  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body)) {
+  if ((/console\.(error|warn)\s*\(/.test(body) || /\b(logger|log)\.(error|warn)\s*\(/.test(body)) && /\b(err|error|e)\b/.test(body)) score = 2;
+  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body) || // Toast notifications (react-toastify, sonner, shadcn)
+  /\btoast\.(error|warn|warning)\s*\(/.test(body) || /\btoast\s*\(\s*\{/.test(body) || // Error monitoring (Sentry, etc.)
+  /\b(Sentry\.)?captureException\s*\(/.test(body) || /\b(Sentry\.)?captureMessage\s*\(/.test(body) || // Structured loggers
+  /\b(logger|log)\.(error|fatal)\s*\(/.test(body) || // Error handler utilities
+  /\b(handleError|reportError|logError|notifyError|showError|onError|trackError)\s*\(/.test(body) || // Express middleware: next(err)
+  /\bnext\s*\(\s*(err|error|e)\s*\)/.test(body) || // Next.js notFound()
+  /\bnotFound\s*\(/.test(body)) {
     score = 3;
   }
   const labels = {
@@ -2283,7 +2404,7 @@ var shallowCatchRule = {
           if (!body || !body.loc) return;
           const bodyStart = body.loc.start.line - 1;
           const bodyEnd = body.loc.end.line - 1;
-          const bodyLines = file.lines.slice(bodyStart + 1, bodyEnd);
+          const bodyLines = bodyStart === bodyEnd ? [file.lines[bodyStart]] : file.lines.slice(bodyStart + 1, bodyEnd);
           const { score, label } = scoreCatchBody(bodyLines);
           if (score <= 1) {
             findings.push({

package/dist/mcp.js

@@ -80,7 +80,10 @@ function isTestFile(relativePath) {
   return /\.(test|spec)\.[jt]sx?$/.test(relativePath) || /(?:^|\/)__tests__\//.test(relativePath) || /(?:^|\/)tests?\//.test(relativePath) || /(?:^|\/)fixtures?\//.test(relativePath) || /(?:^|\/)mocks?\//.test(relativePath);
 }
 function isScriptFile(relativePath) {
-  return /(?:^|\/)scripts?\//.test(relativePath);
+  if (/(?:^|\/)scripts?\//.test(relativePath)) return true;
+  const name = relativePath.split("/").pop() ?? "";
+  const base = name.replace(/\.[^.]+$/, "");
+  return /^(seed|migrate|setup|bootstrap|generate|codegen|sync|deploy|cleanup|reset)$/.test(base);
 }
 function isConfigFile(relativePath) {
   const name = relativePath.split("/").pop() ?? "";
@@ -249,6 +252,25 @@ function findLoopsAST(ast) {
   });
   return loops;
 }
+function getImportSources(ast) {
+  const sources = [];
+  walkAST(ast.program, (node) => {
+    if (node.type === "ImportDeclaration") {
+      const decl = node;
+      sources.push({ source: decl.source.value, line: decl.loc?.start.line ?? 1 });
+    }
+    if (node.type === "CallExpression") {
+      const call = node;
+      if (call.callee.type === "Identifier" && call.callee.name === "require" && call.arguments.length === 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+      if (call.callee.type === "Import" && call.arguments.length >= 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+    }
+  });
+  return sources;
+}
 function isUserInputNode(node) {
   if (node.type === "MemberExpression") {
     const mem = node;
@@ -443,6 +465,66 @@ async function readFileContext(root, relativePath) {
     return null;
   }
 }
+async function getWorkspacePatterns(root, packageJson) {
+  const patterns = [];
+  if (packageJson) {
+    const workspaces = packageJson.workspaces;
+    if (Array.isArray(workspaces)) {
+      patterns.push(...workspaces);
+    } else if (workspaces && typeof workspaces === "object" && Array.isArray(workspaces.packages)) {
+      patterns.push(...workspaces.packages);
+    }
+  }
+  try {
+    const raw = await readFile(resolve(root, "pnpm-workspace.yaml"), "utf-8");
+    let inPackages = false;
+    for (const line of raw.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (/^packages\s*:/.test(trimmed)) {
+        inPackages = true;
+        continue;
+      }
+      if (inPackages) {
+        if (/^-\s+/.test(trimmed)) {
+          const glob = trimmed.replace(/^-\s+/, "").replace(/^['"]|['"]$/g, "");
+          if (glob) patterns.push(glob);
+        } else if (trimmed && !trimmed.startsWith("#")) {
+          break;
+        }
+      }
+    }
+  } catch {
+  }
+  return patterns;
+}
+async function collectWorkspaceDependencies(root, patterns) {
+  const deps = /* @__PURE__ */ new Set();
+  const globPatterns = patterns.map((p) => `${p}/package.json`);
+  try {
+    const pkgFiles = await fg(globPatterns, {
+      cwd: root,
+      absolute: false,
+      ignore: ["**/node_modules/**"]
+    });
+    for (const pkgFile of pkgFiles) {
+      try {
+        const raw = await readFile(resolve(root, pkgFile), "utf-8");
+        const pkg = JSON.parse(raw);
+        if (pkg.name) deps.add(pkg.name);
+        for (const key of ["dependencies", "devDependencies", "peerDependencies"]) {
+          if (pkg[key] && typeof pkg[key] === "object") {
+            for (const dep of Object.keys(pkg[key])) {
+              deps.add(dep);
+            }
+          }
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return deps;
+}
 async function buildProjectContext(root, files) {
   let packageJson = null;
   let declaredDependencies = /* @__PURE__ */ new Set();
@@ -461,19 +543,26 @@ async function buildProjectContext(root, files) {
       ...packageJson?.peerDependencies ?? {}
     };
     declaredDependencies = new Set(Object.keys(deps));
-    for (const dep of declaredDependencies) {
-      const framework = DEPENDENCY_TO_FRAMEWORK[dep];
-      if (framework) {
-        detectedFrameworks.add(framework);
-      }
+  } catch {
+  }
+  const workspacePatterns = await getWorkspacePatterns(root, packageJson);
+  if (workspacePatterns.length > 0) {
+    const workspaceDeps = await collectWorkspaceDependencies(root, workspacePatterns);
+    for (const dep of workspaceDeps) {
+      declaredDependencies.add(dep);
     }
-    for (const framework of detectedFrameworks) {
-      if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
-        hasRateLimiting = true;
-        break;
-      }
+  }
+  for (const dep of declaredDependencies) {
+    const framework = DEPENDENCY_TO_FRAMEWORK[dep];
+    if (framework) {
+      detectedFrameworks.add(framework);
+    }
+  }
+  for (const framework of detectedFrameworks) {
+    if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
+      hasRateLimiting = true;
+      break;
     }
-  } catch {
   }
   try {
     const raw = await readFile(resolve(root, "tsconfig.json"), "utf-8");
@@ -728,6 +817,32 @@ var hallucinatedImportsRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Set();
     const isNonProd = isTestFile(file.relativePath) || isScriptFile(file.relativePath);
+    if (file.ast) {
+      try {
+        const imports = getImportSources(file.ast);
+        for (const { source: importPath, line } of imports) {
+          if (importPath.startsWith(".") || importPath.startsWith("/")) continue;
+          const pkgName = getPackageName(importPath);
+          if (seen.has(pkgName)) continue;
+          seen.add(pkgName);
+          if (isPathAlias(importPath, project.tsconfigPaths)) continue;
+          if (isNodeBuiltin(pkgName)) continue;
+          if (IMPLICIT_PACKAGES.has(importPath) || IMPLICIT_PACKAGES.has(pkgName)) continue;
+          if (project.declaredDependencies.has(pkgName)) continue;
+          findings.push({
+            ruleId: "hallucinated-imports",
+            file: file.relativePath,
+            line,
+            column: 1,
+            message: `Package "${pkgName}" is imported but not in package.json`,
+            severity: isNonProd ? "warning" : "critical",
+            category: "reliability"
+          });
+        }
+        return findings;
+      } catch {
+      }
+    }
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
@@ -2259,8 +2374,14 @@ function scoreCatchBody(bodyLines) {
   const body = bodyLines.join("\n");
   let score = 0;
   if (/console\.(log|warn|error|info)\s*\(/.test(body)) score = 1;
-  if (/console\.(error|warn)\s*\(/.test(body) && /\b(err|error|e)\b/.test(body)) score = 2;
-  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body)) {
+  if ((/console\.(error|warn)\s*\(/.test(body) || /\b(logger|log)\.(error|warn)\s*\(/.test(body)) && /\b(err|error|e)\b/.test(body)) score = 2;
+  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body) || // Toast notifications (react-toastify, sonner, shadcn)
+  /\btoast\.(error|warn|warning)\s*\(/.test(body) || /\btoast\s*\(\s*\{/.test(body) || // Error monitoring (Sentry, etc.)
+  /\b(Sentry\.)?captureException\s*\(/.test(body) || /\b(Sentry\.)?captureMessage\s*\(/.test(body) || // Structured loggers
+  /\b(logger|log)\.(error|fatal)\s*\(/.test(body) || // Error handler utilities
+  /\b(handleError|reportError|logError|notifyError|showError|onError|trackError)\s*\(/.test(body) || // Express middleware: next(err)
+  /\bnext\s*\(\s*(err|error|e)\s*\)/.test(body) || // Next.js notFound()
+  /\bnotFound\s*\(/.test(body)) {
     score = 3;
   }
   const labels = {
@@ -2292,7 +2413,7 @@ var shallowCatchRule = {
           if (!body || !body.loc) return;
           const bodyStart = body.loc.start.line - 1;
           const bodyEnd = body.loc.end.line - 1;
-          const bodyLines = file.lines.slice(bodyStart + 1, bodyEnd);
+          const bodyLines = bodyStart === bodyEnd ? [file.lines[bodyStart]] : file.lines.slice(bodyStart + 1, bodyEnd);
           const { score, label } = scoreCatchBody(bodyLines);
           if (score <= 1) {
             findings.push({

package/package.json

@@ -1,83 +1,83 @@
-{
-  "name": "prodlint",
-  "version": "0.7.0",
-  "description": "The linter for vibe-coded apps — catch what AI coding tools miss",
-  "license": "MIT",
-  "author": "prodlint contributors",
-  "type": "module",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/prodlint/prodlint"
-  },
-  "bugs": {
-    "url": "https://github.com/prodlint/prodlint/issues"
-  },
-  "homepage": "https://prodlint.com",
-  "bin": {
-    "prodlint": "./dist/cli.js",
-    "prodlint-mcp": "./dist/mcp.js"
-  },
-  "main": "./dist/index.js",
-  "types": "./dist/index.d.ts",
-  "exports": {
-    ".": {
-      "import": "./dist/index.js",
-      "types": "./dist/index.d.ts"
-    },
-    "./mcp": {
-      "import": "./dist/mcp.js"
-    }
-  },
-  "files": [
-    "dist/**/*.js",
-    "dist/**/*.d.ts",
-    "action.yml"
-  ],
-  "scripts": {
-    "build": "tsup",
-    "dev": "tsup --watch",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "lint": "node dist/cli.js .",
-    "prepublishOnly": "npm run build"
-  },
-  "dependencies": {
-    "@babel/parser": "^7.29.0",
-    "@babel/types": "^7.29.0",
-    "@modelcontextprotocol/sdk": "^1.26.0",
-    "fast-glob": "^3.3.3",
-    "picocolors": "^1.1.1",
-    "zod": "^4.3.6"
-  },
-  "devDependencies": {
-    "@types/node": "^25.2.3",
-    "tsup": "^8.4.0",
-    "typescript": "^5.7.0",
-    "vitest": "^3.0.0"
-  },
-  "engines": {
-    "node": ">=18"
-  },
-  "keywords": [
-    "lint",
-    "linter",
-    "security",
-    "ai",
-    "ai-code",
-    "vibe-coding",
-    "production-readiness",
-    "code-quality",
-    "code-scanner",
-    "next.js",
-    "react",
-    "typescript",
-    "static-analysis",
-    "cli",
-    "scanner",
-    "mcp",
-    "mcp-server",
-    "cursor",
-    "copilot",
-    "devtools"
-  ]
-}
+{
+  "name": "prodlint",
+  "version": "0.7.1",
+  "description": "The linter for vibe-coded apps — catch what AI coding tools miss",
+  "license": "MIT",
+  "author": "prodlint contributors",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/prodlint/prodlint"
+  },
+  "bugs": {
+    "url": "https://github.com/prodlint/prodlint/issues"
+  },
+  "homepage": "https://prodlint.com",
+  "bin": {
+    "prodlint": "./dist/cli.js",
+    "prodlint-mcp": "./dist/mcp.js"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./mcp": {
+      "import": "./dist/mcp.js"
+    }
+  },
+  "files": [
+    "dist/**/*.js",
+    "dist/**/*.d.ts",
+    "action.yml"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "node dist/cli.js .",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "@babel/parser": "^7.29.0",
+    "@babel/types": "^7.29.0",
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "fast-glob": "^3.3.3",
+    "picocolors": "^1.1.1",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/node": "^25.2.3",
+    "tsup": "^8.4.0",
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "keywords": [
+    "lint",
+    "linter",
+    "security",
+    "ai",
+    "ai-code",
+    "vibe-coding",
+    "production-readiness",
+    "code-quality",
+    "code-scanner",
+    "next.js",
+    "react",
+    "typescript",
+    "static-analysis",
+    "cli",
+    "scanner",
+    "mcp",
+    "mcp-server",
+    "cursor",
+    "copilot",
+    "devtools"
+  ]
+}