projectlens 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License Copyright (c) 2026 dagmawibabi
+
+Permission is hereby granted, free of
+charge, to any person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use, copy, modify, merge,
+publish, distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice
+(including the next paragraph) shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF
+ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
+EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

package/README.md

@@ -0,0 +1,128 @@
+# CodeLens CLI
+
+Local lint, type-check & AI security dashboard for JS/TS projects (Next.js, SvelteKit, Vue, plain Node).
+
+Run one command inside any project and CodeLens runs your **real** ESLint and
+TypeScript toolchain, audits your dependencies, runs an AI security review over
+your source, and opens a live dashboard at `localhost:4321`.
+
+```bash
+codelens                 # run checks + open the dashboard
+codelens --no-ai         # skip the AI security pass (lint + types only)
+codelens --ci            # run once, print a summary, exit non-zero on issues
+codelens --json          # print the full report as JSON and exit
+codelens --min-score 80  # in --ci mode, fail if health score < 80
+```
+
+## What the dashboard shows
+
+The dashboard turns one run into a navigable workspace:
+
+- **Overview** — composite health score, severity breakdown, and per-category summaries.
+- **Trends** — an interactive multi-metric chart and per-run history table built from
+  the local `.codelens/` run history (deltas, peak/low/avg).
+- **Code quality** — Lint, Types, and Tests findings from your real toolchain.
+- **Security** — AI security review with severity sub-tabs (Critical → Info).
+- **Dependencies** — real CVE advisories with fix-version guidance.
+- **Database** — schema inspection plus a foreign-key relationship graph.
+- **API surface** — a map of detected routes (Next, Express, Hono, Fastify, SvelteKit,
+  Nuxt) with method, auth, and validation coverage.
+- **Auth, Environment, Network, Git/CI, Docs** — focused panels for each area.
+- **Task Manager** — a built-in kanban board (see below).
+
+### Task Manager (dashboard-only)
+
+Every finding has a **Track task** action — in its detail sheet and inline on each
+list row. Tracking adds it to a kanban board and marks the row so you can see what's
+already on your worklist at a glance.
+
+- **Custom columns** — rename/delete the defaults (To do / In progress / Done) and add
+  your own; drag cards between columns to change status.
+- **Groups/tags** — file tasks under labels like "This sprint" or "Tech debt" and filter
+  by them; create a group inline while tracking.
+- **Detail** — click a tracked finding to reopen its full analysis; click a free-form task
+  to edit its column, priority, group, and notes.
+
+The board is stored only in your browser (localStorage) — it never leaves your machine or
+reaches the CLI. Manage or reset it from **Settings → Task board**.
+
+## How it works
+
+```
+cli.ts            entry point + flag parsing (commander)
+run.ts            orchestrates the pipeline, emits streaming events
+detect.ts         reads package.json → framework + package manager
+runners/eslint.ts spawns your local eslint, parses --format json
+runners/tsc.ts    spawns tsc --pretty false, parses the diagnostic chain
+runners/audit.ts  npm/pnpm/yarn audit --json → real CVE advisories
+ai/audit.ts       AI SDK security review (code) + dependency prioritization
+report.ts         weighted composite health score
+store.ts          local run history in .codelens/ (powers trends)
+server.ts         local HTTP + WebSocket server that serves the dashboard
+```
+
+The dashboard (the Next.js app one level up) is prebuilt into `cli/public` and
+served statically, so the installed tool has no runtime build step.
+
+## Building
+
+```bash
+# from the cli/ package
+pnpm install
+pnpm build          # builds the dashboard into ./public, then bundles the CLI
+```
+
+`pnpm build` runs two steps:
+1. `build:dashboard` — static-exports the Next.js dashboard (with
+   `CODELENS_EXPORT=1`) and copies it into `cli/public`.
+2. `tsup` — bundles `src/` into `dist/`.
+
+## Installing it into your own projects
+
+**Local link (best while iterating on the tool):**
+
+```bash
+cd cli
+pnpm build
+pnpm link --global
+
+cd ~/your-project
+codelens
+```
+
+**Run directly by path (no linking):**
+
+```bash
+node ~/path/to/cli/dist/cli.js
+```
+
+**Publish (optional, for `npx codelens`):**
+
+```bash
+cd cli
+npm publish
+```
+
+## AI security audit
+
+The AI pass needs a model key. CodeLens uses the Vercel AI Gateway, so set one of:
+
+```bash
+export AI_GATEWAY_API_KEY=...   # recommended
+# or
+export OPENAI_API_KEY=...
+```
+
+By default the audit runs on a **free** OpenRouter text model
+(`meta-llama/llama-3.3-70b-instruct:free`) and automatically **falls back** to
+`google/gemini-2.5-flash` if the primary model errors or is rate-limited, so the
+review keeps working out of the box. Override either via env or `.codelensrc`:
+
+```bash
+export CODELENS_MODEL=openai/gpt-5-mini           # primary model
+export CODELENS_FALLBACK_MODEL=anthropic/claude-haiku-4
+```
+
+Without a key, lint + type-check + dependency advisories still run; only the AI
+code review and prioritization are skipped (`--no-ai` silences the warning).
+Only the selected security-relevant source files are sent to the model.

package/dist/chunk-2ESYSVXG.js

@@ -0,0 +1,48 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __commonJS = (cb, mod) => function __require2() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+export {
+  __require,
+  __esm,
+  __commonJS,
+  __export,
+  __toESM,
+  __toCommonJS
+};