{"id":48250703,"url":"https://github.com/bhvbhushan/vibecop","last_synced_at":"2026-04-07T23:01:05.384Z","repository":{"id":348394856,"uuid":"1197853622","full_name":"bhvbhushan/vibecop","owner":"bhvbhushan","description":"AI code quality toolkit — deterministic linter for the AI coding era. 22 detectors, GitHub Action PR gate, zero LLM required.","archived":false,"fork":false,"pushed_at":"2026-04-06T18:08:34.000Z","size":424,"stargazers_count":44,"open_issues_count":1,"forks_count":8,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-06T22:03:08.138Z","etag":null,"topics":["ai","ai-code-quality","ast","ast-grep","ci-cd","code-quality","code-review","code-smell","developer-tools","eslint-alternative","github-action","javascript","linter","pull-request","python","security","static-analysis","tree-sitter","typescript","vibe-coding"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bhvbhushan.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-01T00:13:30.000Z","updated_at":"2026-04-06T18:07:44.000Z","dependencies_parsed_at":null,"dependency_job_id":"06712840-9927-4422-9dfc-6de6e8f1c198","html_url":"https://github.com/bhvbhushan/vibecop","commit_stats":null,"previous_names":["bhvbhushan/aiqt","bhvbhushan/vibecop","bhvbhushan/ai-lint"],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/bhvbhushan/vibecop","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bhvbhushan%2Fvibecop","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bhvbhushan%2Fvibecop/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bhvbhushan%2Fvibecop/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bhvbhushan%2Fvibecop/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bhvbhushan","download_url":"https://codeload.github.com/bhvbhushan/vibecop/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bhvbhushan%2Fvibecop/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31532336,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T16:28:08.000Z","status":"ssl_error","status_checked_at":"2026-04-07T16:28:06.951Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","ai-code-quality","ast","ast-grep","ci-cd","code-quality","code-review","code-smell","developer-tools","eslint-alternative","github-action","javascript","linter","pull-request","python","security","static-analysis","tree-sitter","typescript","vibe-coding"],"created_at":"2026-04-04T20:52:25.721Z","updated_at":"2026-04-07T23:01:05.266Z","avatar_url":"https://github.com/bhvbhushan.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vibecop\n\n[![license](https://img.shields.io/npm/l/vibecop)](https://github.com/bhvbhushan/vibecop/blob/main/LICENSE)\n[![TypeScript](https://img.shields.io/badge/TypeScript-5.8-blue)](https://www.typescriptlang.org/)\n[![Node.js](https://img.shields.io/badge/Node.js-%3E%3D20-green)](https://nodejs.org/)\n[![CI](https://github.com/bhvbhushan/vibecop/actions/workflows/ci.yml/badge.svg)](https://github.com/bhvbhushan/vibecop/actions/workflows/ci.yml)\n[![Playground](https://img.shields.io/badge/Try-Playground-orange)](https://vibecop-pg.bhvbhushan7.com/)\n\nAI code quality toolkit — deterministic linter for the AI coding era. 28 detectors catch the bugs AI agents introduce: god functions, N+1 queries, unsafe shell exec, unpinned LLM models, and more. Runs automatically inside Claude Code, Cursor, Codex, Aider, and 3 other AI tools via `vibecop init`.\n\nBuilt on [ast-grep](https://ast-grep.github.io/) for fast, tree-sitter-based AST analysis. No LLM required — every finding is deterministic and reproducible.\n\n## Try it Online\n\n**[Playground](https://vibecop-pg.bhvbhushan7.com/)** — paste code and scan instantly in your browser.\n\n## Install\n\n```bash\n# npm\nnpm install -g vibecop\n\n# bun (recommended)\nbun add -g vibecop\n```\n\nRequires Node.js \u003e= 20 or Bun \u003e= 1.0.\n\n## Quick Start\n\n```bash\n# Scan current directory\nvibecop scan .\n\n# Scan specific directory with JSON output\nvibecop scan src/ --format json\n\n# Check what detectors are available\nvibecop check\n\n# CI mode — exit code 1 if errors found\nvibecop scan . --format text\n\n# Scan with custom config\nvibecop scan . --config .vibecop.yml\n```\n\n## Agent Integration\n\nvibecop runs automatically inside your AI coding agent. Every time the agent edits a file, vibecop scans the change and blocks on findings — the agent reads the output and fixes the issue before proceeding.\n\n### Auto-setup (recommended)\n\n```bash\nnpx vibecop init\n```\n\nDetects which tools you have installed and generates the right config files:\n\n```\n  vibecop — agent integration setup\n\n  Detected tools:\n    ✓ Claude Code (.claude/ directory found)\n    ✓ Cursor (.cursor/ directory found)\n    ✓ Aider (aider installed)\n    ✗ Codex CLI (not found)\n\n  Generated:\n    .claude/settings.json     — PostToolUse hook (blocks on findings)\n    .cursor/hooks.json        — afterFileEdit hook\n    .cursor/rules/vibecop.md  — always-on lint rule\n    .aider.conf.yml           — lint-cmd per language\n\n  Done! vibecop will now run automatically in your agent workflow.\n```\n\n### Supported tools\n\n| Tool | Integration | How it works |\n|------|-------------|--------------|\n| **Claude Code** | PostToolUse hook | Runs after every Edit/Write, exit 1 blocks and forces fix |\n| **Cursor** | afterFileEdit hook + rules | Hook runs scan, rules file tells agent to fix findings |\n| **Codex CLI** | PostToolUse hook | Same pattern as Claude Code |\n| **Aider** | Native `--lint-cmd` | Built-in lint integration, runs after every edit |\n| **GitHub Copilot** | Custom instructions | Instructions file tells agent to run vibecop |\n| **Windsurf** | Rules file | `trigger: always_on` rule |\n| **Cline/Roo Code** | `.clinerules` | Rules file tells agent to run vibecop |\n\n### Manual setup (Claude Code example)\n\nAdd to `.claude/settings.json`:\n\n```json\n{\n  \"hooks\": {\n    \"PostToolUse\": [{\n      \"matcher\": \"Edit|Write|MultiEdit\",\n      \"hooks\": [{\n        \"type\": \"command\",\n        \"command\": \"npx vibecop scan --diff HEAD --format agent\"\n      }]\n    }]\n  }\n}\n```\n\n### How the loop works\n\n```\nAgent writes code\n  → vibecop hook fires automatically\n  → Findings? Exit 1 → agent reads output, fixes code\n  → No findings? Exit 0 → agent continues\n```\n\nThe `--format agent` output is token-efficient (one finding per line, ~30 tokens each):\n\n```\nsrc/api.ts:42:1 error unsafe-shell-exec: execSync() with template literal. Use execFile() with argument array instead.\nsrc/llm.ts:18:5 warning llm-unpinned-model: Unpinned model alias \"gpt-4o\". Pin to a dated version like \"gpt-4o-2024-08-06\".\n```\n\nSee [docs/agent-integration.md](docs/agent-integration.md) for full setup instructions and troubleshooting.\n\n## Benchmarks\n\n### Vibe-coded vs established: finding density comparison\n\nAll numbers below are real — run `vibecop scan` on any of these repos yourself to reproduce. Finding density = findings per 1,000 lines of code.\n\n**Established projects (professionally maintained):**\n\n| Project | Stars | Files | LOC | Findings | Density |\n|---------|:-----:|:-----:|----:|:--------:|--------:|\n| [**fastify**](https://github.com/fastify/fastify) | 65K | 275 | 74,428 | 124 | 1.7/kLOC |\n| [**date-fns**](https://github.com/date-fns/date-fns) | 35K | 1,543 | 99,859 | 308 | 3.1/kLOC |\n| [**TanStack/query**](https://github.com/TanStack/query) | 43K | 997 | 148,492 | 652 | 4.4/kLOC |\n| [**express**](https://github.com/expressjs/express) | 66K | 141 | 21,346 | 123 | 5.8/kLOC |\n| [**zod**](https://github.com/colinhacks/zod) | 35K | 356 | 70,886 | 964 | 13.6/kLOC |\n\n**Vibe-coded projects (AI-generated/assisted):**\n\n| Project | Stars | Files | LOC | Findings | Density |\n|---------|:-----:|:-----:|----:|:--------:|--------:|\n| [**dyad**](https://github.com/dyad-sh/dyad) | 20K | 956 | 147,284 | 1,179 | 8.0/kLOC |\n| [**bolt.diy**](https://github.com/stackblitz-labs/bolt.diy) | 19.2K | 392 | 71,639 | 977 | 13.6/kLOC |\n| [**code-review-graph**](https://github.com/tirth8205/code-review-graph) | 3.9K | 95 | 27,119 | 361 | 13.3/kLOC |\n| [**context7**](https://github.com/upstash/context7) | 51.3K | 71 | 9,201 | 129 | 14.0/kLOC |\n| [**vibe-check-mcp**](https://github.com/PV-Bhat/vibe-check-mcp-server) | 480 | 55 | 5,964 | 119 | 20.0/kLOC |\n| [**magic-mcp**](https://github.com/21st-dev/magic-mcp) | 4.6K | 14 | 1,096 | 28 | 25.5/kLOC |\n| [**browser-tools-mcp**](https://github.com/AgentDeskAI/browser-tools-mcp) | 7.2K | 12 | 8,346 | 414 | 49.6/kLOC |\n\n**Median density: established 4.4/kLOC vs vibe-coded 14.0/kLOC (3.2x higher).** Vibe-coded projects consistently trigger more findings per line of code. The v0.2 detectors found **157 additional issues** across vibe-coded repos that v0.1 missed: 63 unsafe shell executions, 53 unpinned LLM models, 39 missing system messages.\n\n\u003e **Note:** Some established repos show higher-than-expected density for valid reasons — zod uses `any` deliberately for type gymnastics (634 of its 964 findings), date-fns has extensive JSDoc (218 comment-ratio findings). vibecop detects patterns, not intent. Use `.vibecop.yml` to tune or disable detectors for your codebase.\n\n### Example Output\n\n```\nsrc/services/user.service.ts\n  45:1    error    Function 'processUserData' is too complex (232 lines, cyclomatic complexity 41, 3 params)  god-function\n  89:5    warning  Database or API call inside a loop — potential N+1 query  n-plus-one-query\n  145:5   warning  Database mutation result is not checked — errors will be silently ignored  unchecked-db-result\n\nsrc/components/PaymentModal.tsx\n  1:1     warning  Component has too many hooks (8 useState, 3 useEffect, 593 lines)  god-component\n  201:9   warning  dangerouslySetInnerHTML can lead to XSS attacks if the content is not sanitized  dangerous-inner-html\n\nsrc/config/auth.ts\n  12:5    error    Placeholder placeholder domain found: \"yourdomain.com\"  placeholder-in-production\n  18:5    error    Auth token stored in localStorage — vulnerable to XSS  token-in-localstorage\n\nsrc/utils/api.ts\n  34:12   warning  Double type assertion (as unknown as X) bypasses TypeScript's type safety  double-type-assertion\n  67:1    info     TODO comment in production code (security-related)  todo-in-production\n\n✖ 9 problems (3 errors, 5 warnings, 1 info)\n```\n\n## Detectors (28 total)\n\n### Quality (16 detectors)\n\n| ID | Detector | Description | Severity |\n|----|----------|-------------|----------|\n| `god-function` | God Function | Functions exceeding line, complexity, or parameter thresholds | error/warning |\n| `god-component` | God Component | React components with too many hooks, lines, or imports | warning |\n| `n-plus-one-query` | N+1 Query | DB/API calls inside loops or `.map(async ...)` callbacks | warning |\n| `unbounded-query` | Unbounded Query | `findMany`/`findAll` without a `take`/`limit` clause | info |\n| `debug-console-in-prod` | Debug Console in Prod | `console.log`/`console.debug` left in production code | warning |\n| `dead-code-path` | Dead Code Path | Identical if/else branches, unreachable code after return/throw | warning |\n| `double-type-assertion` | Double Type Assertion | `as unknown as X` patterns that bypass TypeScript type safety | warning |\n| `excessive-any` | Excessive Any | Files with 4+ `any` type annotations | warning |\n| `todo-in-production` | TODO in Production | TODO/FIXME/HACK comments, escalated if security-related | info/warning |\n| `empty-error-handler` | Empty Error Handler | Catch/except blocks that silently swallow errors | warning |\n| `excessive-comment-ratio` | Excessive Comment Ratio | Files with \u003e50% comment lines | info |\n| `over-defensive-coding` | Over-Defensive Coding | Redundant null checks on values that can't be null | info |\n| `llm-call-no-timeout` | LLM Call No Timeout | `new OpenAI()`/`new Anthropic()` without timeout, `.create()` without max_tokens | warning |\n| `llm-unpinned-model` | LLM Unpinned Model | Moving model aliases like `\"gpt-4o\"` that silently change behavior | warning |\n| `llm-temperature-not-set` | LLM Temperature Not Set | LLM `.create()` calls without explicit `temperature` parameter | info |\n| `llm-no-system-message` | LLM No System Message | Chat API calls without a `role: \"system\"` message | info |\n\n### Security (7 detectors)\n\n| ID | Detector | Description | Severity |\n|----|----------|-------------|----------|\n| `sql-injection` | SQL Injection | Template literals or string concatenation in SQL query methods | error |\n| `dangerous-inner-html` | Dangerous innerHTML | `dangerouslySetInnerHTML` usage without sanitization | warning |\n| `token-in-localstorage` | Token in localStorage | Auth/JWT tokens stored in XSS-accessible storage | error |\n| `placeholder-in-production` | Placeholder in Production | `yourdomain.com`, `changeme`, `xxx` left in config | error |\n| `insecure-defaults` | Insecure Defaults | `eval()`, `rejectUnauthorized: false`, hardcoded credentials | error |\n| `unsafe-shell-exec` | Unsafe Shell Exec | `exec()`/`execSync()` with dynamic args, `subprocess` with `shell=True` | error |\n| `dynamic-code-exec` | Dynamic Code Exec | `eval(variable)`, `new Function(variable)` with non-literal arguments | error |\n\n### Correctness (4 detectors)\n\n| ID | Detector | Description | Severity |\n|----|----------|-------------|----------|\n| `unchecked-db-result` | Unchecked DB Result | Fire-and-forget database mutations (insert/update/delete) | warning |\n| `undeclared-import` | Undeclared Import | Imports not declared in package.json/requirements.txt | error |\n| `mixed-concerns` | Mixed Concerns | Files importing both UI frameworks and database/server libraries | warning |\n| `hallucinated-package` | Hallucinated Package | Dependencies not in top-5K npm allowlist (potential AI hallucination) | info |\n\n### Testing (2 detectors)\n\n| ID | Detector | Description | Severity |\n|----|----------|-------------|----------|\n| `trivial-assertion` | Trivial Assertion | `expect(true).toBe(true)` and similar no-op tests | info |\n| `over-mocking` | Over-Mocking | Test files with excessive mock/spy usage | info |\n\n## GitHub Action\n\nAdd vibecop as a PR gate that posts inline review comments on changed lines:\n\n```yaml\n# .github/workflows/vibecop.yml\nname: vibecop\non: [pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: bhvbhushan/vibecop@main\n        with:\n          on-failure: comment-only    # or: request-changes, label, auto-close\n          severity-threshold: warning\n          max-findings: 50\n```\n\n### Action Inputs\n\n| Input | Description | Default |\n|-------|-------------|---------|\n| `github-token` | GitHub token for API access | `${{ github.token }}` |\n| `config` | Path to `.vibecop.yml` config file | `.vibecop.yml` |\n| `on-failure` | Action on findings: `comment-only`, `request-changes`, `label`, `auto-close` | `comment-only` |\n| `label` | Label to apply when `on-failure` is `label` | `vibecop:needs-review` |\n| `max-findings` | Maximum findings to report (0 = unlimited) | `50` |\n| `severity-threshold` | Minimum severity for inline comments (`error`, `warning`, `info`) | `warning` |\n| `working-directory` | Directory to scan (relative to repo root) | `.` |\n\n### Action Outputs\n\n| Output | Description |\n|--------|-------------|\n| `findings-count` | Total number of findings |\n| `errors-count` | Number of error-severity findings |\n| `warnings-count` | Number of warning-severity findings |\n| `has-findings` | Whether any findings were detected (`true`/`false`) |\n| `scan-time-ms` | Scan duration in milliseconds |\n\n## Configuration\n\nCreate `.vibecop.yml` in your project root:\n\n```yaml\nrules:\n  god-function:\n    severity: warning\n  debug-console-in-prod:\n    severity: \"off\"        # disable a detector\n  excessive-any:\n    severity: warning\n\nignore:\n  - \"**/dist/**\"\n  - \"**/vendor/**\"\n  - \"**/generated/**\"\n\npr-gate:\n  on-failure: request-changes\n  severity-threshold: warning\n  max-findings: 50\n  label: \"vibecop:needs-review\"\n```\n\n## CLI Options\n\n| Flag | Description | Default |\n|------|-------------|---------|\n| `--format` | Output format: `text`, `json`, `html`, `sarif`, `github`, `agent` | `text` |\n| `--config` | Path to config file | `.vibecop.yml` |\n| `--no-config` | Ignore config file | |\n| `--max-findings` | Maximum findings to report | `100` |\n| `--output` | Write report to file | |\n\n## Languages\n\n| Language | Extensions | Detectors |\n|----------|-----------|-----------|\n| TypeScript | `.ts`, `.tsx` | All 28 |\n| JavaScript | `.js`, `.jsx`, `.mjs`, `.cjs` | 24 (excludes TS-specific) |\n| Python | `.py` | 14 (correctness, quality, security) |\n\n## Architecture\n\n```\nvibecop CLI (Commander)\n+-- Scan Engine           -- discovers files, loads AST, runs detectors, dedup by priority\n+-- Init Wizard           -- auto-detects AI tools, generates hook/rule configs\n+-- Config Loader (Zod)   -- validates .vibecop.yml, merges defaults, per-rule config\n+-- Detectors (28)        -- AST pattern matching via ast-grep (@ast-grep/napi)\n+-- Formatters (6)        -- text, json, html, sarif, github, agent output\n+-- Project Analyzer      -- parses package.json, requirements.txt, lockfiles\n+-- GitHub Action          -- diff parser, finding filter, PR review poster\n```\n\n## Versioning\n\nvibecop follows [Semantic Versioning](https://semver.org/):\n\n- **0.x.y** ... pre-1.0, the API may change between minor versions\n- **PATCH** (0.x.Y) ... bug fixes, new detectors, doc updates\n- **MINOR** (0.X.0) ... new detector categories, output formats, config options\n- **MAJOR** (X.0.0) ... breaking CLI changes, removed detectors, config format changes\n\n## Roadmap\n\n- [x] **Phase 1**: Core scanner with 7 detectors, 5 output formats, `.vibecop.yml` config\n- [x] **Phase 2**: PR Gate GitHub Action, 15 new detectors (7 → 22), real-world validation\n- [x] **Phase 2.5**: Agent integration (7 tools), 6 LLM/agent detectors (22 → 28), `vibecop init`, `--format agent`\n- [ ] **Phase 3**: MCP server, VS Code extension, cross-file analysis\n- [ ] **Phase 4**: LLM-powered deep review mode (separation of concerns, semantic duplication)\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, code standards, and how to add new detectors.\n\n## Security\n\nSee [SECURITY.md](SECURITY.md) for reporting vulnerabilities.\n\n## Code of Conduct\n\nSee [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbhvbhushan%2Fvibecop","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbhvbhushan%2Fvibecop","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbhvbhushan%2Fvibecop/lists"}