vibeclean 1.0.2 → 1.1.0

package/README.md

@@ -32,9 +32,11 @@ npx vibeclean --changed --base main
 - 🔀 Pattern inconsistencies (multiple HTTP clients, mixed async styles, mixed imports)
 - 📝 Naming chaos (camelCase + snake_case + mixed file naming)
 - 🗑️ AI leftovers (TODO/FIXME, console logs, placeholders, localhost URLs)
+- 🔐 Security exposure (hardcoded keys/tokens, private keys, credential URLs)
 - 📦 Dependency bloat (unused packages, duplicate functionality, deprecated libs)
 - 💀 Dead code (orphan files, unused exports, stubs)
 - ⚠️ Error handling gaps (empty catches, unhandled async, mixed error patterns)
+- 🧠 TypeScript quality drift (explicit `any`, ts-ignore overuse, assertion style mix)
 
 ## Example Output
 
@@ -112,6 +114,10 @@ Options:
   --baseline              Compare against baseline file and detect regressions
   --baseline-file <path>  Baseline file path for compare/write (default: .vibeclean-baseline.json)
   --write-baseline        Write current report to baseline file
+  --watch                 Watch files and re-run audit on changes
+  --watch-interval <ms>   Polling interval fallback for --watch (default: 1200)
+  --ci-init               Generate a GitHub Actions workflow for vibeclean checks
+  --ci-force              Overwrite existing workflow when used with --ci-init
   --rules                 Generate .vibeclean-rules.md file
   --cursor                Also generate .cursorrules file
   --claude                Also generate CLAUDE.md file
@@ -179,6 +185,22 @@ vibeclean --report markdown
 vibeclean --report markdown --report-file vibeclean-report.md
 ```
 
+## Watch Mode
+
+```bash
+vibeclean --watch --profile cli
+```
+
+This re-runs the audit when files change using lightweight polling.
+
+## CI Workflow Bootstrap
+
+```bash
+vibeclean --ci-init --profile cli --baseline-file .vibeclean-baseline.json --min-score 70 --max-issues 35 --fail-on high
+```
+
+Generates `.github/workflows/vibeclean.yml` with a PR-ready baseline + gates command.
+
 ## Autofix Mode
 
 ```bash
@@ -215,9 +237,11 @@ Create `.vibecleanrc` or `.vibecleanrc.json` in project root:
     "naming": true,
     "patterns": true,
     "leftovers": true,
+    "security": true,
     "dependencies": true,
     "deadcode": true,
-    "errorhandling": true
+    "errorhandling": true,
+    "tsquality": true
   },
   "allowedPatterns": {
     "httpClient": "fetch",

package/bin/vibeclean.js

@@ -5,11 +5,16 @@ import path from "node:path";
 import { fileURLToPath } from "node:url";
 import { Command } from "commander";
 import chalk from "chalk";
+import { glob } from "glob";
 import ora from "ora";
 import { runAudit } from "../src/index.js";
 import { writeBaselineSnapshot } from "../src/baseline.js";
+import { generateCiWorkflow } from "../src/ci-init.js";
 import { renderMarkdownReport } from "../src/markdown-report.js";
 import { renderReport } from "../src/reporter.js";
+import { BUILTIN_IGNORE_GLOBS, SUPPORTED_EXTENSIONS } from "../src/scanner.js";
+
+const DEFAULT_WATCH_INTERVAL_MS = 1200;
 
 async function readToolVersion() {
   const currentFile = fileURLToPath(import.meta.url);
@@ -45,6 +50,10 @@ async function main() {
     .option("--rules", "Generate .vibeclean-rules.md file")
     .option("--cursor", "Also generate .cursorrules file")
     .option("--claude", "Also generate CLAUDE.md file")
+    .option("--watch", "Watch files and re-run audit on changes")
+    .option("--watch-interval <ms>", "Polling interval fallback for --watch", "1200")
+    .option("--ci-init", "Generate a GitHub Actions workflow for vibeclean checks")
+    .option("--ci-force", "Overwrite existing workflow file when used with --ci-init")
     .option("--min-severity <level>", "Minimum severity to report: low, medium, high", "low")
     .option("--fail-on <level>", "Fail with exit code 1 if findings reach this severity: low, medium, high")
     .option("--max-issues <n>", "Fail with exit code 1 if total issues exceed this number")
@@ -53,94 +62,38 @@ async function main() {
     .option("--max-files <n>", "Maximum files to scan", "500")
     .option("-q, --quiet", "Only show summary, not individual issues")
     .action(async (directory, options) => {
-      const spinner = ora("Running vibeclean diagnostics...").start();
+      const rootDir = path.resolve(directory || process.cwd());
 
-      try {
-        const result = await runAudit(directory, {
-          ...options,
-          maxFiles: Number.parseInt(options.maxFiles, 10),
-          maxIssues: Number.parseInt(options.maxIssues, 10),
-          minScore: Number.parseInt(options.minScore, 10),
+      if (options.ciInit) {
+        const workflow = await generateCiWorkflow(rootDir, {
+          force: Boolean(options.ciForce),
           profile: options.profile,
-          baseline: Boolean(options.baseline),
           baselineFile: options.baselineFile,
-          reportFormat: options.report,
-          reportFile: options.reportFile || null,
-          changedOnly: Boolean(options.changed),
-          changedBase: options.base,
-          minSeverity: options.minSeverity,
-          failOn: options.failOn,
-          version
+          minScore: Number.parseInt(options.minScore, 10),
+          maxIssues: Number.parseInt(options.maxIssues, 10),
+          failOn: options.failOn || "high",
+          baseRef: options.base && options.base !== "HEAD" ? options.base : "origin/main"
         });
 
-        spinner.stop();
-
-        let baselineWriteResult = null;
-        if (options.writeBaseline) {
-          baselineWriteResult = await writeBaselineSnapshot(
-            result.rootDir,
-            options.baselineFile,
-            result.report
-          );
-        }
-
-        const reportFormat = options.json
-          ? "json"
-          : String(result.config?.reportFormat || options.report || "text").toLowerCase();
-        const payload = {
-          report: result.report,
-          generatedRules: result.generatedRules
-        };
-
-        if (reportFormat === "json") {
-          const jsonOutput = JSON.stringify(payload, null, 2);
-          if (options.reportFile) {
-            await fs.writeFile(options.reportFile, `${jsonOutput}\n`, "utf8");
-            console.log(chalk.green(`Saved JSON report to ${options.reportFile}`));
-          } else {
-            console.log(jsonOutput);
-          }
-        } else if (reportFormat === "markdown") {
-          const markdownOutput = renderMarkdownReport(result.report);
-          if (options.reportFile) {
-            await fs.writeFile(options.reportFile, markdownOutput, "utf8");
-            console.log(chalk.green(`Saved Markdown report to ${options.reportFile}`));
-          } else {
-            console.log(markdownOutput);
-          }
+        if (workflow.skipped) {
+          console.log(chalk.yellow(`Workflow already exists: ${workflow.path}`));
+          console.log(chalk.yellow("Use --ci-force to overwrite it."));
         } else {
-          console.log(renderReport(result.report, { quiet: Boolean(options.quiet) }));
-
-          if (result.generatedRules?.length) {
-            console.log("");
-            console.log(chalk.green.bold("  📋 Generated rule files"));
-            for (const item of result.generatedRules) {
-              console.log(`  ${chalk.green("✓")} ${item.path}`);
-            }
-          }
-
-          if (baselineWriteResult) {
-            console.log("");
-            console.log(chalk.green.bold("  📌 Baseline updated"));
-            console.log(`  ${chalk.green("✓")} ${baselineWriteResult.path}`);
-          }
-
-          if (result.report.gateFailures?.length) {
-            console.log("");
-            console.log(chalk.red.bold("  ⛔ Quality gates failed"));
-            for (const failure of result.report.gateFailures) {
-              console.log(`  ${chalk.red("•")} ${failure}`);
-            }
-          }
+          console.log(chalk.green(`Generated GitHub Actions workflow: ${workflow.path}`));
         }
+        return;
+      }
 
-        if (baselineWriteResult && reportFormat !== "text") {
-          console.log(chalk.green(`Baseline updated: ${baselineWriteResult.path}`));
-        }
+      if (options.watch) {
+        await runWatchMode(rootDir, options, version);
+        return;
+      }
 
-        if (result.report.gateFailures?.length) {
-          process.exitCode = 1;
-        }
+      const spinner = ora("Running vibeclean diagnostics...").start();
+      try {
+        const output = await runOnce(rootDir, options, version);
+        spinner.stop();
+        await renderOutput(output, options);
       } catch (error) {
         spinner.fail("vibeclean failed");
         console.error(chalk.red(error?.message || "Unknown error"));
@@ -151,4 +104,210 @@ async function main() {
   await program.parseAsync(process.argv);
 }
 
+function normalizeRunOptions(options, version) {
+  return {
+    ...options,
+    maxFiles: Number.parseInt(options.maxFiles, 10),
+    maxIssues: Number.parseInt(options.maxIssues, 10),
+    minScore: Number.parseInt(options.minScore, 10),
+    profile: options.profile,
+    baseline: Boolean(options.baseline),
+    baselineFile: options.baselineFile,
+    reportFormat: options.report,
+    reportFile: options.reportFile || null,
+    changedOnly: Boolean(options.changed),
+    changedBase: options.base,
+    minSeverity: options.minSeverity,
+    failOn: options.failOn,
+    version
+  };
+}
+
+async function runOnce(directory, options, version) {
+  const normalized = normalizeRunOptions(options, version);
+  const result = await runAudit(directory, normalized);
+
+  let baselineWriteResult = null;
+  if (options.writeBaseline) {
+    baselineWriteResult = await writeBaselineSnapshot(
+      result.rootDir,
+      options.baselineFile,
+      result.report
+    );
+  }
+
+  const reportFormat = options.json
+    ? "json"
+    : String(result.config?.reportFormat || options.report || "text").toLowerCase();
+
+  return {
+    result,
+    baselineWriteResult,
+    reportFormat
+  };
+}
+
+async function renderOutput(output, options) {
+  const { result, baselineWriteResult, reportFormat } = output;
+  const payload = {
+    report: result.report,
+    generatedRules: result.generatedRules
+  };
+
+  if (reportFormat === "json") {
+    const jsonOutput = JSON.stringify(payload, null, 2);
+    if (options.reportFile) {
+      await fs.writeFile(options.reportFile, `${jsonOutput}\n`, "utf8");
+      console.log(chalk.green(`Saved JSON report to ${options.reportFile}`));
+    } else {
+      console.log(jsonOutput);
+    }
+  } else if (reportFormat === "markdown") {
+    const markdownOutput = renderMarkdownReport(result.report);
+    if (options.reportFile) {
+      await fs.writeFile(options.reportFile, markdownOutput, "utf8");
+      console.log(chalk.green(`Saved Markdown report to ${options.reportFile}`));
+    } else {
+      console.log(markdownOutput);
+    }
+  } else {
+    console.log(renderReport(result.report, { quiet: Boolean(options.quiet) }));
+
+    if (result.generatedRules?.length) {
+      console.log("");
+      console.log(chalk.green.bold("  📋 Generated rule files"));
+      for (const item of result.generatedRules) {
+        console.log(`  ${chalk.green("✓")} ${item.path}`);
+      }
+    }
+
+    if (baselineWriteResult) {
+      console.log("");
+      console.log(chalk.green.bold("  📌 Baseline updated"));
+      console.log(`  ${chalk.green("✓")} ${baselineWriteResult.path}`);
+    }
+
+    if (result.report.gateFailures?.length) {
+      console.log("");
+      console.log(chalk.red.bold("  ⛔ Quality gates failed"));
+      for (const failure of result.report.gateFailures) {
+        console.log(`  ${chalk.red("•")} ${failure}`);
+      }
+    }
+  }
+
+  if (baselineWriteResult && reportFormat !== "text") {
+    console.log(chalk.green(`Baseline updated: ${baselineWriteResult.path}`));
+  }
+
+  if (result.report.gateFailures?.length) {
+    process.exitCode = 1;
+  }
+}
+
+async function watchFingerprint(rootDir, baselineFile = ".vibeclean-baseline.json") {
+  const extensionBody = [...SUPPORTED_EXTENSIONS].map((ext) => ext.slice(1)).join(",");
+  const sourceFiles = await glob(`**/*.{${extensionBody}}`, {
+    cwd: rootDir,
+    nodir: true,
+    dot: false,
+    ignore: BUILTIN_IGNORE_GLOBS
+  });
+  const extras = [".vibecleanrc", ".vibecleanrc.json", "package.json", baselineFile].filter(Boolean);
+  const candidates = [...new Set([...sourceFiles, ...extras])];
+
+  let sumMtime = 0;
+  let sumSize = 0;
+  for (const relativePath of candidates) {
+    try {
+      const stats = await fs.stat(path.join(rootDir, relativePath));
+      if (!stats.isFile()) {
+        continue;
+      }
+      sumMtime += Math.floor(stats.mtimeMs);
+      sumSize += stats.size;
+    } catch {
+      // Ignore deleted or absent files while watching.
+    }
+  }
+
+  return `${candidates.length}:${sumMtime}:${sumSize}`;
+}
+
+async function runWatchMode(rootDir, options, version) {
+  console.log(chalk.cyan("Watch mode enabled. Press Ctrl+C to exit."));
+
+  let running = false;
+  let queued = false;
+
+  const runCycle = async (reason = null) => {
+    if (running) {
+      queued = true;
+      return;
+    }
+    running = true;
+
+    if (reason) {
+      console.log(chalk.gray(`\n[watch] ${reason}`));
+    }
+
+    const spinner = ora("Running vibeclean diagnostics...").start();
+    try {
+      const output = await runOnce(rootDir, options, version);
+      spinner.stop();
+      await renderOutput(output, options);
+    } catch (error) {
+      spinner.fail("vibeclean failed");
+      console.error(chalk.red(error?.message || "Unknown error"));
+      process.exitCode = 1;
+    } finally {
+      running = false;
+      if (queued) {
+        queued = false;
+        setTimeout(() => {
+          runCycle("re-running queued changes");
+        }, 250);
+      }
+    }
+  };
+
+  await runCycle("initial run");
+
+  const watchDelay = Math.max(
+    250,
+    Number.parseInt(options.watchInterval, 10) || DEFAULT_WATCH_INTERVAL_MS
+  );
+
+  let debounceTimer = null;
+  const scheduleDebounced = (reason) => {
+    if (debounceTimer) {
+      clearTimeout(debounceTimer);
+    }
+    debounceTimer = setTimeout(() => {
+      runCycle(reason);
+    }, watchDelay);
+  };
+
+  console.log(chalk.gray(`Polling for changes every ${watchDelay}ms...`));
+  let previousFingerprint = await watchFingerprint(rootDir, options.baselineFile);
+  const interval = setInterval(async () => {
+    try {
+      const currentFingerprint = await watchFingerprint(rootDir, options.baselineFile);
+      if (currentFingerprint !== previousFingerprint) {
+        previousFingerprint = currentFingerprint;
+        scheduleDebounced("detected file changes");
+      }
+    } catch (error) {
+      console.error(chalk.red(`[watch] polling error: ${error?.message || "unknown error"}`));
+    }
+  }, watchDelay);
+
+  process.on("SIGINT", () => {
+    clearInterval(interval);
+    process.exit(process.exitCode || 0);
+  });
+
+  await new Promise(() => {});
+}
+
 main();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibeclean",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "description": "Audit your codebase for vibe coding mess. Detect inconsistencies, AI leftovers, and pattern chaos with one command.",
   "type": "module",
   "bin": {

package/src/analyzers/security.js

@@ -0,0 +1,264 @@
+import { severityFromScore, scoreFromRatio } from "./utils.js";
+
+const MAX_LOCATIONS = 12;
+
+const SECURITY_PATTERNS = [
+  {
+    id: "privateKey",
+    severity: "high",
+    label: "private key material",
+    regex: /-----BEGIN(?: [A-Z]+)? PRIVATE KEY-----/g
+  },
+  {
+    id: "awsAccessKey",
+    severity: "high",
+    label: "AWS access keys",
+    regex: /\bAKIA[0-9A-Z]{16}\b/g
+  },
+  {
+    id: "npmToken",
+    severity: "high",
+    label: "npm tokens",
+    regex: /\bnpm_[A-Za-z0-9]{36}\b/g
+  },
+  {
+    id: "githubPat",
+    severity: "high",
+    label: "GitHub personal access tokens",
+    regex: /\bghp_[A-Za-z0-9]{36}\b/g
+  },
+  {
+    id: "dbCredentialsUrl",
+    severity: "high",
+    label: "database URLs with inline credentials",
+    regex: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?):\/\/[^:\s]+:[^@\s]+@/gi
+  },
+  {
+    id: "slackWebhook",
+    severity: "high",
+    label: "Slack webhook URLs",
+    regex: /https:\/\/hooks\.slack\.com\/services\/[A-Za-z0-9/_-]+/g
+  },
+  {
+    id: "jwtLike",
+    severity: "medium",
+    label: "JWT-like tokens",
+    regex: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g
+  },
+  {
+    id: "genericSecretAssignment",
+    severity: "medium",
+    label: "hardcoded credential assignments",
+    regex: /\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*["'`][^"'`\n]{8,}["'`]/gi
+  }
+];
+
+function lineNumberAtIndex(content, index) {
+  return content.slice(0, index).split("\n").length;
+}
+
+function lineSnippet(content, lineNumber) {
+  return (content.split("\n")[lineNumber - 1] || "").trim().slice(0, 160);
+}
+
+function isDetectorDefinitionLine(content, index) {
+  const lineNumber = lineNumberAtIndex(content, index);
+  const line = (content.split("\n")[lineNumber - 1] || "").trim();
+  const prevLine = (content.split("\n")[lineNumber - 2] || "").trim();
+
+  if (/^const\s+[A-Z_]+(?:_RE|_PATTERN)\s*=/.test(line) && /\/.+\/[gimsuy]*;?$/.test(line)) {
+    return true;
+  }
+  if (/^\/.+\/[gimsuy]*;?$/.test(line) && /^const\s+[A-Z_]+(?:_RE|_PATTERN)\s*=\s*$/.test(prevLine)) {
+    return true;
+  }
+  return false;
+}
+
+function shannonEntropy(value) {
+  if (!value) {
+    return 0;
+  }
+
+  const map = new Map();
+  for (const char of value) {
+    map.set(char, (map.get(char) || 0) + 1);
+  }
+
+  let entropy = 0;
+  for (const count of map.values()) {
+    const p = count / value.length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
+function collectPatternHits(file, pattern, remainingCapacity) {
+  const flags = pattern.regex.flags.includes("g") ? pattern.regex.flags : `${pattern.regex.flags}g`;
+  const probe = new RegExp(pattern.regex.source, flags);
+  const locations = [];
+  const seen = new Set();
+  let count = 0;
+
+  for (const match of file.content.matchAll(probe)) {
+    const index = typeof match.index === "number" ? match.index : 0;
+    const raw = match[0] || "";
+    if (isDetectorDefinitionLine(file.content, index)) {
+      continue;
+    }
+
+    if (
+      pattern.id === "genericSecretAssignment" &&
+      /\b(example|dummy|replace_me|your-|test|localhost)\b/i.test(raw)
+    ) {
+      continue;
+    }
+
+    count += 1;
+    if (locations.length >= remainingCapacity) {
+      continue;
+    }
+
+    const line = lineNumberAtIndex(file.content, index);
+    const key = `${file.relativePath}:${line}`;
+    if (seen.has(key)) {
+      continue;
+    }
+    seen.add(key);
+    locations.push({
+      file: file.relativePath,
+      line,
+      snippet: lineSnippet(file.content, line)
+    });
+  }
+
+  return { count, locations };
+}
+
+function detectHighEntropyStrings(file, remainingCapacity) {
+  const regex = /["'`]([A-Za-z0-9+/=_-]{24,})["'`]/g;
+  let count = 0;
+  const seen = new Set();
+  const locations = [];
+
+  for (const match of file.content.matchAll(regex)) {
+    const candidate = match[1] || "";
+    if (
+      /^(?:[a-f0-9]{32,}|[0-9a-f]{8}-[0-9a-f-]{27,}|[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/.test(candidate)
+    ) {
+      continue;
+    }
+
+    const entropy = shannonEntropy(candidate);
+    if (entropy < 3.8) {
+      continue;
+    }
+
+    const index = typeof match.index === "number" ? match.index : 0;
+    if (isDetectorDefinitionLine(file.content, index)) {
+      continue;
+    }
+
+    count += 1;
+    if (locations.length >= remainingCapacity) {
+      continue;
+    }
+
+    const line = lineNumberAtIndex(file.content, index);
+    const key = `${file.relativePath}:${line}`;
+    if (seen.has(key)) {
+      continue;
+    }
+    seen.add(key);
+    locations.push({
+      file: file.relativePath,
+      line,
+      snippet: lineSnippet(file.content, line)
+    });
+  }
+
+  return { count, locations };
+}
+
+export function analyzeSecurity(files) {
+  const findings = [];
+  let highCount = 0;
+  let mediumCount = 0;
+  let entropyCount = 0;
+  const filesWithSignals = new Set();
+
+  for (const pattern of SECURITY_PATTERNS) {
+    let count = 0;
+    const locations = [];
+
+    for (const file of files) {
+      const hit = collectPatternHits(file, pattern, MAX_LOCATIONS - locations.length);
+      if (hit.count > 0) {
+        filesWithSignals.add(file.relativePath);
+      }
+      count += hit.count;
+      locations.push(...hit.locations);
+    }
+
+    if (count === 0) {
+      continue;
+    }
+
+    if (pattern.severity === "high") {
+      highCount += count;
+    } else {
+      mediumCount += count;
+    }
+
+    findings.push({
+      severity: pattern.severity,
+      message: `${count} potential ${pattern.label} detected.`,
+      locations
+    });
+  }
+
+  const entropyLocations = [];
+  for (const file of files) {
+    const entropyHits = detectHighEntropyStrings(file, MAX_LOCATIONS - entropyLocations.length);
+    entropyCount += entropyHits.count;
+    if (entropyHits.count > 0) {
+      filesWithSignals.add(file.relativePath);
+      entropyLocations.push(...entropyHits.locations);
+    }
+  }
+  if (entropyCount > 0) {
+    mediumCount += entropyCount;
+    findings.push({
+      severity: "medium",
+      message: `${entropyCount} high-entropy hardcoded strings found (review for secrets).`,
+      locations: entropyLocations
+    });
+  }
+
+  const weightedSignal = highCount * 2 + mediumCount;
+  const score = Math.min(10, scoreFromRatio(weightedSignal / Math.max(files.length * 0.8, 1), 10));
+
+  return {
+    id: "security",
+    title: "SECURITY EXPOSURE",
+    score,
+    severity: severityFromScore(score),
+    totalIssues: highCount + mediumCount,
+    summary:
+      highCount + mediumCount > 0
+        ? `${highCount + mediumCount} potential secret exposure signals detected.`
+        : "No obvious hardcoded secret exposure detected.",
+    metrics: {
+      highSeveritySignals: highCount,
+      mediumSeveritySignals: mediumCount,
+      entropySignals: entropyCount,
+      filesWithSignals: filesWithSignals.size
+    },
+    recommendations: [
+      "Move secrets into environment variables or secret managers.",
+      "Rotate exposed credentials immediately and revoke compromised tokens.",
+      "Use runtime configuration injection instead of hardcoding credentials."
+    ],
+    findings
+  };
+}

package/src/analyzers/tsquality.js

@@ -0,0 +1,158 @@
+import { severityFromScore, scoreFromRatio } from "./utils.js";
+
+const TS_EXTENSIONS = new Set([".ts", ".tsx"]);
+
+function countMatches(content, regex) {
+  const matches = content.match(regex);
+  return matches ? matches.length : 0;
+}
+
+function styleOfAssertions(content, extension) {
+  const asAssertions = countMatches(content, /\bas\s+[A-Za-z_$][A-Za-z0-9_$<>,\s.[\]|&?:]*/g);
+  const angleAssertions =
+    extension === ".ts"
+      ? countMatches(content, /<\s*[A-Za-z_$][A-Za-z0-9_$<>,\s.[\]|&?:]*>\s*[A-Za-z_$][A-Za-z0-9_$]*/g)
+      : 0;
+  return { asAssertions, angleAssertions };
+}
+
+export function analyzeTsQuality(files) {
+  const tsFiles = files.filter((file) => TS_EXTENSIONS.has(file.extension));
+  if (tsFiles.length === 0) {
+    return {
+      id: "tsquality",
+      title: "TYPESCRIPT QUALITY",
+      score: 0,
+      severity: "low",
+      totalIssues: 0,
+      summary: "No TypeScript files detected. TS-specific checks were skipped.",
+      metrics: {
+        tsFileCount: 0,
+        explicitAnyCount: 0,
+        suppressionCount: 0,
+        asAssertions: 0,
+        angleAssertions: 0,
+        missingReturnTypeCount: 0,
+        nonNullAssertionCount: 0
+      },
+      recommendations: [
+        "Add TypeScript files to enable TS-specific consistency checks."
+      ],
+      findings: [],
+      skipped: true
+    };
+  }
+
+  let explicitAnyCount = 0;
+  let suppressionCount = 0;
+  let asAssertions = 0;
+  let angleAssertions = 0;
+  let missingReturnTypeCount = 0;
+  let nonNullAssertionCount = 0;
+
+  const filesWithAny = new Set();
+  const filesWithSuppressions = new Set();
+
+  for (const file of tsFiles) {
+    const content = file.content;
+
+    const anySignals =
+      countMatches(content, /:\s*any\b/g) +
+      countMatches(content, /\bas\s+any\b/g) +
+      countMatches(content, /<\s*any\s*>/g);
+    if (anySignals > 0) {
+      explicitAnyCount += anySignals;
+      filesWithAny.add(file.relativePath);
+    }
+
+    const suppressions = countMatches(content, /\/\/\s*@ts-(?:ignore|expect-error)\b/g);
+    if (suppressions > 0) {
+      suppressionCount += suppressions;
+      filesWithSuppressions.add(file.relativePath);
+    }
+
+    const assertions = styleOfAssertions(content, file.extension);
+    asAssertions += assertions.asAssertions;
+    angleAssertions += assertions.angleAssertions;
+
+    missingReturnTypeCount +=
+      countMatches(content, /export\s+(?:async\s+)?function\s+[A-Za-z_$][A-Za-z0-9_$]*\s*\([^)]*\)\s*\{/g) +
+      countMatches(content, /export\s+const\s+[A-Za-z_$][A-Za-z0-9_$]*\s*=\s*(?:async\s*)?\([^)]*\)\s*=>\s*\{/g);
+
+    nonNullAssertionCount += countMatches(content, /\b[A-Za-z_$][A-Za-z0-9_$]*!\b/g);
+  }
+
+  const findings = [];
+
+  if (explicitAnyCount > 0) {
+    findings.push({
+      severity: explicitAnyCount >= 6 ? "high" : "medium",
+      message: `${explicitAnyCount} explicit any usages detected across ${filesWithAny.size} TS files.`,
+      files: [...filesWithAny].slice(0, 20)
+    });
+  }
+
+  if (suppressionCount > 0) {
+    findings.push({
+      severity: suppressionCount >= 4 ? "high" : "medium",
+      message: `${suppressionCount} @ts-ignore/@ts-expect-error suppressions found.`,
+      files: [...filesWithSuppressions].slice(0, 20)
+    });
+  }
+
+  if (asAssertions > 0 && angleAssertions > 0) {
+    findings.push({
+      severity: "medium",
+      message: `Mixed type assertion styles detected: "as" (${asAssertions}) and angle-bracket (${angleAssertions}).`
+    });
+  }
+
+  if (missingReturnTypeCount > 0) {
+    findings.push({
+      severity: missingReturnTypeCount >= 8 ? "medium" : "low",
+      message: `${missingReturnTypeCount} exported TS functions appear to omit explicit return types.`
+    });
+  }
+
+  if (nonNullAssertionCount > 0) {
+    findings.push({
+      severity: nonNullAssertionCount >= 10 ? "medium" : "low",
+      message: `${nonNullAssertionCount} non-null assertions found ("!").`
+    });
+  }
+
+  const weightedSignal =
+    explicitAnyCount * 1.6 +
+    suppressionCount * 1.8 +
+    missingReturnTypeCount * 0.7 +
+    nonNullAssertionCount * 0.5 +
+    (asAssertions > 0 && angleAssertions > 0 ? 3 : 0);
+  const score = Math.min(10, scoreFromRatio(weightedSignal / Math.max(tsFiles.length * 2.5, 1), 10));
+
+  return {
+    id: "tsquality",
+    title: "TYPESCRIPT QUALITY",
+    score,
+    severity: severityFromScore(score),
+    totalIssues: findings.length,
+    summary:
+      findings.length > 0
+        ? "TypeScript consistency and strictness issues detected."
+        : "TypeScript quality signals look consistent.",
+    metrics: {
+      tsFileCount: tsFiles.length,
+      explicitAnyCount,
+      suppressionCount,
+      asAssertions,
+      angleAssertions,
+      missingReturnTypeCount,
+      nonNullAssertionCount
+    },
+    recommendations: [
+      "Replace explicit any with specific types or generics.",
+      "Use @ts-ignore/@ts-expect-error only with issue-linked justification.",
+      "Keep one type assertion style and prefer explicit return types for exported APIs."
+    ],
+    findings
+  };
+}

package/src/ci-init.js

@@ -0,0 +1,123 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+
+function workflowTemplate(options = {}) {
+  const profile = options.profile || "app";
+  const baselineFile = options.baselineFile || ".vibeclean-baseline.json";
+  const minScore = Number.isFinite(options.minScore) ? options.minScore : 70;
+  const maxIssues = Number.isFinite(options.maxIssues) ? options.maxIssues : 35;
+  const failOn = options.failOn || "high";
+  const baseRef = options.baseRef || "origin/main";
+
+  return `name: vibeclean
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install deps
+        run: npm ci
+
+      - name: Run vibeclean
+        id: vibeclean
+        run: |
+          npx vibeclean . \\
+            --profile ${profile} \\
+            --changed --base ${baseRef} \\
+            --baseline --baseline-file ${baselineFile} \\
+            --fail-on ${failOn} --min-score ${minScore} --max-issues ${maxIssues} \\
+            --report markdown --report-file vibeclean-report.md
+
+      - name: Write job summary
+        if: always()
+        run: |
+          if [ -f vibeclean-report.md ]; then
+            cat vibeclean-report.md >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+      - name: Comment on PR
+        if: always() && github.event_name == 'pull_request'
+        continue-on-error: true
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require("fs");
+            if (!fs.existsSync("vibeclean-report.md")) return;
+            const body = fs.readFileSync("vibeclean-report.md", "utf8");
+            const marker = "<!-- vibeclean-report -->";
+            const fullBody = marker + "\\n" + body;
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            const existing = comments.find((c) => c.body?.includes(marker));
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body: fullBody,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body: fullBody,
+              });
+            }
+
+      - name: Upload report artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: vibeclean-report
+          path: vibeclean-report.md
+`;
+}
+
+export async function generateCiWorkflow(rootDir, options = {}) {
+  const workflowPath = path.join(rootDir, ".github", "workflows", "vibeclean.yml");
+  await fs.mkdir(path.dirname(workflowPath), { recursive: true });
+
+  if (!options.force) {
+    try {
+      await fs.stat(workflowPath);
+      return {
+        path: workflowPath,
+        created: false,
+        skipped: true
+      };
+    } catch {
+      // File does not exist: proceed.
+    }
+  }
+
+  await fs.writeFile(workflowPath, workflowTemplate(options), "utf8");
+  return {
+    path: workflowPath,
+    created: true,
+    skipped: false
+  };
+}

package/src/config.js

@@ -26,9 +26,11 @@ const DEFAULT_CONFIG = {
     naming: true,
     patterns: true,
     leftovers: true,
+    security: true,
     dependencies: true,
     deadcode: true,
-    errorhandling: true
+    errorhandling: true,
+    tsquality: true
   },
   allowedPatterns: {
     httpClient: null,

package/src/index.js

@@ -5,9 +5,11 @@ import { loadConfig, mergeConfig } from "./config.js";
 import { analyzeNaming } from "./analyzers/naming.js";
 import { analyzePatterns } from "./analyzers/patterns.js";
 import { analyzeLeftovers } from "./analyzers/leftovers.js";
+import { analyzeSecurity } from "./analyzers/security.js";
 import { analyzeDependencies } from "./analyzers/dependencies.js";
 import { analyzeDeadCode } from "./analyzers/deadcode.js";
 import { analyzeErrorHandling } from "./analyzers/errorhandling.js";
+import { analyzeTsQuality } from "./analyzers/tsquality.js";
 import { generateRulesFiles } from "./rules-generator.js";
 import { parseAstWithMeta } from "./analyzers/utils.js";
 import { applySafeFixes } from "./fixers/safe-fixes.js";
@@ -218,6 +220,9 @@ export async function runAudit(targetDir, cliOptions = {}) {
   if (enabledRules.leftovers !== false) {
     categoryResults.push(analyzeLeftovers(scanResult.files, context));
   }
+  if (enabledRules.security !== false) {
+    categoryResults.push(analyzeSecurity(scanResult.files, context));
+  }
   if (enabledRules.dependencies !== false) {
     categoryResults.push(await analyzeDependencies(scanResult.files, context));
   }
@@ -227,6 +232,9 @@ export async function runAudit(targetDir, cliOptions = {}) {
   if (enabledRules.errorhandling !== false) {
     categoryResults.push(analyzeErrorHandling(scanResult.files, context));
   }
+  if (enabledRules.tsquality !== false) {
+    categoryResults.push(analyzeTsQuality(scanResult.files, context));
+  }
 
   const filteredCategories = applySeverityFilter(categoryResults, config.severity || "low");
 

package/src/reporter.js

@@ -93,6 +93,13 @@ function categoryDetailLines(category) {
         `└─ Estimated savings: ~${metrics.estimatedSavingsMb || 0}MB`
       ];
 
+    case "security":
+      return [
+        `├─ High severity signals: ${metrics.highSeveritySignals || 0}`,
+        `├─ Medium severity signals: ${metrics.mediumSeveritySignals || 0}`,
+        `└─ Files with signals: ${metrics.filesWithSignals || 0}`
+      ];
+
     case "deadcode":
       return [
         `├─ Orphan files: ${(metrics.orphanFiles || []).length}`,
@@ -107,6 +114,13 @@ function categoryDetailLines(category) {
         `└─ Unhandled await signals: ${metrics.unhandledAwait || 0}`
       ];
 
+    case "tsquality":
+      return [
+        `├─ TS files scanned: ${metrics.tsFileCount || 0}`,
+        `├─ explicit any: ${metrics.explicitAnyCount || 0}, suppressions: ${metrics.suppressionCount || 0}`,
+        `└─ Missing return types: ${metrics.missingReturnTypeCount || 0}`
+      ];
+
     default:
       return ["└─ No details available"];
   }