VibeCode QA — AI Skills Guide

Give this page URL to Claude, Codex, Cursor, or any AI coding assistant to teach it how to use VibeCode QA on your project.

What is VibeCode QA?

A code health scanner that runs 34 checks across 7 categories (Foundations, Quality, Testing, Architecture, Security, AI Readiness, AI Analysis) and generates a scored report. Zero config, runs with npx — no setup, works on TypeScript/JavaScript and Dart/Flutter projects.

Quick Start

1. Run your first scan

npx @vibecodeqa/cli

This auto-detects your stack, runs all 34 checks, and opens an HTML report in your browser. Output goes to .vibe-check/.

2. Fast mode (skip test execution)

npx @vibecodeqa/cli --skip-tests

3. CI mode (fail build if score < 60)

npx @vibecodeqa/cli --ci

4. SARIF output for GitHub Security tab

npx @vibecodeqa/cli --sarif

5. JSON output (pipe to other tools)

npx @vibecodeqa/cli --json

6. Monorepos (auto-detected)

npx @vibecodeqa/cli ~/my-monorepo

Auto-detects pnpm/npm/yarn/bun workspaces, turborepo, nx, lerna, and melos. Scans all packages, checks tsconfig strict per package, scopes confusion analysis per package. Supports bun.lock (text) and bun.lockb (binary). No config needed.

7. Delta reports (what changed)

npx @vibecodeqa/cli fix        # baseline → fix → final scan → delta
cat .vibe-check/delta.md       # markdown report of what changed

Every scan compares against the previous run. The --markdown and --pr-comment outputs include per-check score changes, fixed issues, and new issues.

8. Live monitor (re-scans on file changes)

npx @vibecodeqa/cli monitor

Full-screen TUI dashboard. Press c for settings (thresholds, panel toggles). Press q to quit.

Output Files

• .vibe-check/report/index.html — Multi-page HTML report with dashboard, per-category pages, issues table, file health
• .vibe-check/report.json — Machine-readable results (all scores, issues, details)
• .vibe-check/report.sarif — SARIF 2.1.0 for GitHub Code Scanning (with --sarif)
• .vibe-check/badge.svg — shields.io-style badge (with --badge)
• .vibe-check/history/ — Last 30 reports for trend tracking

The 25 Checks

Foundations (23%)

• Structure (6%) — package.json, tsconfig, LICENSE, .gitignore, lockfile, test ratio
• Lint (5%) — Biome or ESLint auto-detected, error/warning counts
• Types (6%) — tsc --noEmit or dart analyze type errors
• Type Safety (3%) — as any, @ts-ignore, dynamic (Dart), late keyword
• Standards (3%) — naming, file size, code smells, strict mode

Quality (26%)

• Complexity (5%) — cognitive complexity per function, long functions
• Duplication (5%) — copy-pasted blocks (token-based, 6+ lines / 50+ tokens), powered by jscpd's clone-detection engine
• Error Handling (3%) — empty catch, throw string, Error Boundary, error info leakage (stack traces sent to client)
• React Patterns (3%) — conditional hooks, missing keys, index keys
• Accessibility (4%) — img alt, click on div, form labels, html lang
• Docs (3%) — README quality, JSDoc/doc comment coverage
• Best Practices (3%) — CI/CD, lockfile, linter, test scripts, supply chain, health endpoints, graceful shutdown, Helmet.js, input validation (Zod/Joi), GitHub Actions security (pwn requests, script injection, permissions). Severity-weighted: warnings=8pts, infos=2pts

Testing (15%)

• Pyramid layers (unit/integration/component/E2E)
• Pass/fail execution, coverage metrics
• File pairing, assertion density, mock ratio

Architecture (9%)

• Architecture (5%) — import graph, cycles, god modules, orphans, SVG diagrams
• Performance (4%) — barrel imports, heavy deps, dynamic import opportunities

Security (16%)

• Secrets (6%) — 14 patterns (AWS, GitHub, Stripe, OpenAI, Anthropic, Google keys)
• Security (5%) — 36 CWE-mapped patterns (XSS, injection, CORS, credential storage, cookies, redirects, debug mode). Delegates to eslint-plugin-security for ReDoS, timing attacks, and more
• Dependencies (5%) — npm audit / dart pub outdated

AI Readiness (11%)

• Confusion Index (6%) — naming ambiguity that causes AI to edit wrong code
• Context Locality (5%) — file self-containment for LLM comprehension

AI Analysis (Pro)

Five deeper, LLM-powered checks (weight 0 in the free score — informational):

• Doc Coherence — JSDoc/README claims that no longer match the code
• Code Coherence — contradictory patterns across modules, duplicate exports
• Comment Staleness — stale TODOs, numeric mismatches, commented-out code
• Dead Patterns — refactor debt, leftover fallbacks, parallel implementations
• Test Audit — fake/shallow tests, trivial assertions, mock abuse

How to Use the Results

Reading the JSON report programmatically

const report = JSON.parse(fs.readFileSync('.vibe-check/report.json', 'utf-8'));
console.log(`Score: ${report.grade} ${report.score}/100`);
for (const check of report.checks) {
  if (check.issues.length > 0) {
    console.log(`${check.name}: ${check.grade} — ${check.issues.length} issues`);
  }
}

Fixing issues with AI

Each issue in the report includes a copy-pasteable fix prompt. The format is:

Fix this issue in src/session.ts:240
warning: cognitive complexity 28 (max 15)
Check: complexity

Copy these directly into Claude, Codex, or your AI coding tool.

Configuration (.vcqa.json)

Create .vcqa.json in your project root to customize behavior:

{
  "checks": {
    "confusion": { "enabled": false },
    "standards": { "ignore": ["generated/**"] }
  },
  "ignore": ["vendor/**", "*.pb.ts"],
  "failUnder": 70
}

You can also put this in the "vcqa" field of package.json.

CLI commands

• vcqa — scan current directory (default)
• vcqa init — set up CI workflow, biome.json, .vcqa.json, .gitignore
• vcqa fix — auto-fix (.gitignore, tsconfig strict, biome/eslint, suggestions)
• vcqa explain [check] — deep-dive on any check (what/risk/fix)

Output modes

• --json — machine-readable JSON to stdout
• --markdown — clean markdown report (pipe to clipboard or file)
• --badge — generate SVG badge
• --sarif — SARIF 2.1.0 for GitHub Code Scanning
• --annotations — GitHub Actions ::warning/::error inline annotations
• --pr-comment — post score as GitHub PR comment (needs GITHUB_TOKEN)
• --diff [base] — only show issues in changed files
• --top [N] — show top N issues to fix

Adding to GitHub Actions

name: VibeCode QA
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx @vibecodeqa/cli --skip-tests --ci --sarif --pr-comment --annotations
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: .vibe-check/report.sarif

For AI Agents: Workflow

When working on a codebase that uses VibeCode QA, follow this workflow:

1. Run npx @vibecodeqa/cli --skip-tests --json to get a baseline score
2. Read the JSON to understand which checks are failing and why
3. Fix issues starting with the highest-severity ones (errors first, then warnings)
4. Re-run after fixes to verify the score improved
5. Aim for grade B (75+) minimum; grade A (90+) for production-ready code

Key patterns AI agents should know

• Don't suppress issues with @ts-ignore or // eslint-disable — fix the root cause
• High complexity? Extract sub-functions with clear names
• Duplication? Extract a shared helper
• Security issue? Follow the CWE recommendation in the issue details
• Low test coverage? Add tests for the untested files listed in the report
• Confusion Index high? Rename ambiguous exports, eliminate synonym filenames

Supported Stacks

• Languages: TypeScript, JavaScript, Dart
• Frameworks: React, Vue, Svelte, Flutter
• Bundlers: Vite, Webpack, esbuild
• Test runners: vitest, jest, flutter_test, dart_test
• Linters: Biome, ESLint, dart analyze
• Package managers: pnpm, npm, yarn, bun, pub

Links

• GitHub — vibecodeqa/cli
• npm — @vibecodeqa/cli
• Website — vibecodeqa.online

VibeCode QA — Code health scanner for the AI coding era. MIT license.