https://github.com/asmuelle/cargo-vibecode
cargo vibe coding
https://github.com/asmuelle/cargo-vibecode
Last synced: about 1 month ago
JSON representation
cargo vibe coding
- Host: GitHub
- URL: https://github.com/asmuelle/cargo-vibecode
- Owner: asmuelle
- License: other
- Created: 2026-05-05T12:36:33.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2026-05-21T21:46:13.000Z (about 2 months ago)
- Last Synced: 2026-05-22T06:58:00.024Z (about 2 months ago)
- Language: Rust
- Size: 61.5 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Agents: AGENTS.md
Awesome Lists containing this project
README
# cargo-vibecode
[](https://github.com/asmuelle/cargo-vibecode/actions/workflows/ci.yml)
[](https://github.com/asmuelle/cargo-vibecode/actions/workflows/release.yml)
[](#license)
[](https://doc.rust-lang.org/edition-guide/rust-2024/index.html)
Repository for the `cargo-vibe` CLI orchestrator. The installed Cargo subcommand remains `cargo vibe`.
```
cargo vibe check ──► runs diff-risk + cargo-impact + spec-drift, aggregates results
cargo vibe fix ──► context → LLM → risk veto → impact verify → drift check → retry
cargo vibe risk ──► semantic risk scoring (delegates to diff-risk)
cargo vibe impact──► blast-radius analysis (delegates to cargo-impact)
cargo vibe drift ──► spec coherence check (delegates to spec-drift)
cargo vibe context──► token-budgeted context assembly (delegates to cargo-context)
```
## The Problem
AI-assisted Rust development has four failure modes:
1. **LLM generates dangerous code** — `unsafe` blocks, auth bypasses, serde wire breaks
2. **LLM doesn't know what to test** — runs all 5,000 tests instead of 12
3. **Documentation rots silently** — README says `fn old()` but code has `fn new()`
4. **Context quality determines output quality** — dumping all files wastes tokens and attention
Four tools solve these individually. `cargo-vibecode` packages the `cargo-vibe` orchestrator that runs them as a single workflow.
## Installation
From a released tag:
```bash
cargo install --git https://github.com/asmuelle/cargo-vibecode --tag v0.2.0 cargo-vibe
```
From a local checkout:
```bash
cargo install --path .
```
For full coverage, install the individual tools:
```bash
cargo install cargo-context
cargo install diff-risk
cargo install cargo-impact
cargo install spec-drift
```
`cargo vibe check` degrades gracefully when one of the companion tools is absent: it prints a warning and skips that tool. `cargo vibe fix` fails closed if `diff-risk` is unavailable, because the risk veto is the core safety gate for that workflow.
## Commands
### `cargo vibe check`
Run all health checks against the current diff:
```bash
cargo vibe check --since HEAD --strict
```
Output:
```
cargo-vibe: running health check against HEAD...
[1/3] diff-risk... passed
[2/3] cargo-impact... 3 finding(s)
🔴 test_reference tests/auth.rs:42 login() test references changed symbol
🟡 trait_impl src/handlers.rs:15 impl AuthHandler for App
🟡 doc_drift_link README.md:23 [login] references changed symbol
[3/3] spec-drift... 1 divergence(s)
❌ symbol_absence README.md:10 `connect_db()` not found in code
Total: 4 finding(s) | Critical: 0 | High: 1
```
Format options:
```bash
cargo vibe check --format json # Machine-readable
cargo vibe check --format sarif # GitHub Code Scanning
```
### `cargo vibe fix`
The AI fix loop:
```
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ Context │───►│ LLM │───►│ Risk │───►│ Verify │
│ Assembly │ │ Generate │ │ Check │ │ Impact │
└──────────┘ └──────────┘ └──────────┘ └──────────┘
│
┌──────▼──────┐
│ Drift Check │
└──────┬──────┘
│
┌──────▼──────┐
│ Pass? Yes──► Ship
│ No ────────► Retry
└─────────────┘
```
Usage:
```bash
cargo vibe fix --prompt "Implement user authentication with JWT tokens"
```
The loop:
1. Assembles context pack (compiler errors, diff, project map, entry points, related tests)
2. Presents context + prompt for the user to paste into their LLM
3. After user applies changes: runs `diff-risk` — rejects if score ≥ threshold (default 7.0)
4. Runs `cargo-impact --fail-on high` — surfaces affected tests
5. Runs `spec-drift --deny warning` — checks for doc/CI drift
6. If all pass: done. If any fail: feeds failures back for retry (up to `--max-attempts`, default 3)
The generation step is automated in `v0.2.0` via standard programmatic client integrations (`LlmClient`), defaulting to Ollama or OpenAI/vLLM for local-first privacy while prompting with interactive unified diffs for confirmation.
Options:
```bash
cargo vibe fix \
--prompt "Refactor the auth module" \
--max-attempts 5 \
--risk-threshold 6.0 \
--since origin/main
```
### `cargo vibe risk`
Semantic risk scoring (wraps `diff-risk`):
```bash
cargo vibe risk --since HEAD --threshold 7.0
```
### `cargo vibe impact`
Blast-radius analysis (wraps `cargo-impact`):
```bash
cargo vibe impact --since HEAD --format json
cargo vibe impact --test # cargo-nextest filter expression
```
### `cargo vibe drift`
Spec coherence check (wraps `spec-drift`):
```bash
cargo vibe drift --diff HEAD --format sarif
cargo vibe drift --deny critical # Only fail on critical divergences
```
### `cargo vibe context`
Token-budgeted context assembly (wraps `cargo-context`):
```bash
cargo vibe context --preset fix --budget 32000
echo "why does this test fail?" | cargo vibe context --stdin
```
## Configuration
All tools read `.cargo-vibe.toml` from the project root:
```toml
[vibe]
# Global settings applied to all tools
threshold = 7.0 # Default risk threshold
token_budget = 32000 # Default context budget
tokenizer = "cl100k" # gpt-4, claude
scrub = true # Enable secret scrubbing
[diff_risk]
enabled = true
threshold = 8.0 # Tool-specific override
extra_args = ["--strict"]
[cargo_impact]
enabled = true
extra_args = ["--confidence-min", "0.7"]
[spec_drift]
enabled = true
[cargo_context]
enabled = true
```
Tool-specific config files (`.cargo-context/config.yaml`, `cargo-impact.toml`, `spec-drift.toml`) continue to work independently.
You can also pass an explicit config path:
```bash
cargo vibe --config ./ci/cargo-vibe.toml check --strict --since origin/main
```
The top-level config controls orchestration behavior: `enabled = false` skips a tool, `extra_args` are appended to the subprocess invocation, `[diff_risk].threshold` overrides `[vibe].threshold`, and `[vibe].token_budget` is used by `cargo vibe context` when `--budget` is omitted.
## CI Integration
### GitHub Actions
```yaml
- name: Vibe Check
run: |
cargo vibe check --since origin/main --strict --format sarif
continue-on-error: true
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: vibe-results.sarif
```
For the `cargo-vibe` repository itself, the internal git-tag release gate is:
```bash
cargo fmt --all --check
cargo clippy --all-targets --all-features -- -D warnings
cargo test --all-features
cargo install --path . --locked
```
This `v0.2.0` release resolves `ai-tools-core` from the `asmuelle/ai-tools-core` `v0.2.0` git tag. A crates.io release additionally requires publishing `ai-tools-core` to crates.io and changing the dependency to the registry version before running `cargo package` / `cargo publish --dry-run`.
### Pre-commit Hook
```bash
#!/bin/sh
# .git/hooks/pre-commit
cargo vibe check --since HEAD --strict || exit 1
```
## Architecture
```
cargo-vibecode
└── cargo-vibe (orchestrator)
├── ai-tools-core (shared types)
│ ├── finding — Finding, Severity, Confidence, Location
│ ├── sarif — SARIF v2.1.0 renderer
│ ├── scrub — Secret scrubbing pipeline
│ ├── git_utils — diff, blame, changed files
│ ├── cargo_utils— metadata, workspace discovery
│ └── config — .cargo-vibe.toml parser
│
├── diff-risk ─────── risk scoring (regex detectors + custom DSL)
├── cargo-impact ──── blast-radius analysis (syn + rust-analyzer)
├── spec-drift ────── spec coherence (docs/examples/tests/CI)
└── cargo-context ─── context assembly (token-budgeted packs)
```
Each tool is independently usable. `cargo-vibecode` adds orchestration, feedback loops, and unified reporting through the `cargo-vibe` CLI.
## Exit Codes
| Code | Meaning |
|------|---------|
| 0 | All checks passed (or no blocking findings) |
| 1 | Threshold exceeded — findings exist at or above the configured severity |
| 2 | Tool error — config parse failure, missing dependency, I/O error |
Note: `cargo vibe check` treats missing companion tools as skipped checks, not tool errors. Wrapper commands such as `cargo vibe risk`, `cargo vibe impact`, `cargo vibe drift`, and `cargo vibe context` return code 2 when their required subprocess cannot be started. `cargo vibe fix` also returns code 2 when `diff-risk` is unavailable.
## Dependencies
| Crate | Why |
|-------|-----|
| `clap` | CLI argument parsing with subcommands |
| `anyhow` | Error handling |
| `serde` / `serde_json` | SARIF and JSON output |
| `ai-tools-core` | Shared types, utils, and config |
## License
MIT OR Apache-2.0