34 checks. Zero config. Full report in 5 seconds. Architecture diagrams, trend tracking, best practices audit, and LLM readiness analysis — built for how software is made in 2026.
npx @vibecodeqa/cli
npx @vibecodeqa/cli — auto-detects your stack (TS/JS, React, Dart/Flutter), runs 34 checks, generates a full report.
A-F grade with transparent weighted scoring. Every issue shows file, line, rule, and how to fix it.
Each run compares to the previous one. See score deltas, new issues, and what you fixed.
Every dimension of code quality, scored 0-100 with research-backed methodology
Project structure, lint (Biome/ESLint auto-detected), TypeScript types, type safety (as any counts), code standards (naming, file size, code smells, strict mode).
Cognitive complexity, duplication (jscpd), error handling (info leakage), React/Vue/Svelte patterns, accessibility, documentation, production readiness, GitHub Actions security (10 checks).
6 sub-dimensions: testing pyramid layers, pass/fail execution, statement/branch/line/function coverage, file pairing, assertion density vs mock ratio, Playwright/Cypress detection.
Import graph + 6 interactive SVG diagrams (dep graph, DSM, sequence, layer, package, container). Circular deps, god modules, coupling metrics. Performance: barrel imports, heavy deps, dead code (Knip).
Secret detection (delegates to gitleaks, 14 built-in patterns). 36 CWE-mapped patterns (XSS, injection, SSRF, CORS, credential storage, cookies, redirects). Delegates to eslint-plugin-security when installed. Dependency audit via npm audit.
Confusion Index — naming ambiguity that causes AI to edit the wrong code. Context Locality — file self-containment for LLM comprehension. Research: GPT-4o drops 28.6% with ambiguous names.
Auto-detects your tools. Dedicated analysis for each ecosystem.
Biome/ESLint, tsc, vitest/jest, Playwright. React hooks rules, JSX accessibility, component testing.
Full SFC support. Script extraction for logic checks, template scanning for a11y + security (v-html XSS).
Express/Hono/Fastify, Cloudflare Workers, error handling, security SAST, dependency audit, monorepo support.
dart analyze, flutter_test, pub outdated, melos workspaces. Full analysis adapted for the Dart ecosystem.
Create .vcqa.json to disable checks, ignore paths, set per-check exclusions, and configure quality thresholds.
--pr-comment posts score, trend, and top issues as a GitHub PR comment. Upserts to avoid duplicates.
--diff main filters issues to only changed files. See what your PR introduced, not inherited debt.
--markdown generates a clean markdown report. Pipe to clipboard, paste into docs, or attach to issues.
--annotations emits ::warning and ::error lines. Issues appear inline on PR diffs.
Embed <img src="api.vibecodeqa.online/badge/org/repo.svg"> in READMEs, dashboards, and store listings.
Real-time quality control panel. Like htop for code health.
npx @vibecodeqa/cli monitor — full-screen TUI that watches your codebase and re-scans on every file change. Score, checks, issues, and activity log update live.
Press c for settings: alert thresholds (score floor, drop sensitivity), scan debounce, toggle panels on/off. Persists to .vibe-check/monitor.json.
Give your AI coding agent real-time code health context via Model Context Protocol.
claude mcp add vcqa -- npx @vibecodeqa/mcp
Works with Claude Code, Cursor, and any MCP client. 7 tools: score, scan, file health, check details, explain, AI fix, delta.
Before editing: Agent calls vcqa_file_health to see existing issues.
After editing: Agent calls vcqa_score to verify it didn't degrade quality.
Understanding: Agent calls vcqa_explain to learn why a check flags something.
2025 was about speed. 2026 is about keeping AI-generated code safe and maintainable.
AI-generated code introduces 1.7× more issues than human-written code. 23.7% more security vulnerabilities. Double the code churn rate. Without guardrails, AI agents accumulate technical debt faster than humans can review it.
Layered guardrails: MCP servers give agents code health context in real-time. PR comments catch regressions before merge. Quality gates block deploys when score drops. Trend tracking shows if AI is improving or degrading your codebase over time.
MCP server · Config file · PR comments · Diff mode · Markdown output · GH Actions annotations · Badge API · Integration API · Coverage ingestion · Monorepo support
AI code attribution (flag AI-generated commits) · Change risk hotspots (git churn × code health) · 30/60/90 day regression tracking · IDE extension
AI defect rate dashboard · Cross-service dependency detection · API surface stability tracking · Real-time MCP guardrails (block agent from degrading score)
The CLI is open source and always free. Pro adds hosted dashboards and team features.
Weights are visible. Every point of your score is explained.
Join developers who use VibeCode QA to catch bugs, reduce complexity, and keep their AI-assisted code clean.