# vibecheck

> Agent-native "safe to ship?" gate for vibe-coded apps. Parses JS/TS/JSX/TSX (Babel), Python
> (the stdlib `ast`), and Go (`go/parser`) with real parsers and uses taint analysis to flag the security
> classes AI coding agents get wrong: committed secrets, SQL injection via raw-query APIs, XSS, SSRF,
> path traversal, command injection, insecure deserialization, and weak JWT/CORS/cookie settings.
> Analysis is inter-procedural for all three languages: JS/TS tracks return-taint and param→sink
> summaries, intra-file and cross-file by resolved import; Python is inter-procedural as well; Go resolves
> unaliased cross-package calls (aliased imports are a false negative). Every finding is
> confidence-ranked. Precision/recall are measured on a labeled benchmark (see METRICS.md). Complements
> Semgrep/CodeQL — not a replacement. Python scanning needs `python3` and Go scanning needs a Go toolchain, both on PATH.

## For agents
- Run `vibecheck . --ci` before declaring a coding task done; fix all critical/high findings.
- Machine-readable output: `vibecheck . --json` → `{ findings: [...], counts: {...} }`.
- MCP: run `vibecheck mcp` (stdio) and call the `scan` tool with `{ "dir": "." }`.
- See [AGENTS.md](AGENTS.md) for the full agent workflow.
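As an added example (not part of vibecheck or its documentation), here is a small Python gate an agent or CI job could wrap around the `--json` output described above. The page only documents the top-level shape `{ findings: [...], counts: {...} }`; the per-finding fields used here (`rule`, `severity`, `confidence`, `file`, `line`) and the severity-keyed `counts` are assumptions, and the sample report is constructed inline so the script runs offline.

```python
"""Ship/no-ship gate over vibecheck's --json report.

Policy mirrors the agent guidance above: any critical/high finding blocks;
lower-severity findings with high confidence are surfaced for review.
"""
import json
import subprocess
import sys
from typing import Any

# Constructed sample report in the documented top-level shape.
# Per-finding field names and the severity keys in `counts` are assumptions.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"rule": "sql-injection", "severity": "high", "confidence": 0.9,
         "file": "src/db.ts", "line": 42},
        {"rule": "weak-cors", "severity": "medium", "confidence": 0.85,
         "file": "src/server.ts", "line": 10},
        {"rule": "path-traversal", "severity": "medium", "confidence": 0.3,
         "file": "src/files.ts", "line": 7},
    ],
    "counts": {"critical": 0, "high": 1, "medium": 2, "low": 0},
})

BLOCKING_SEVERITIES = {"critical", "high"}


def run_vibecheck(path: str = ".") -> str:
    """Invoke the real CLI and return its stdout (the JSON report)."""
    proc = subprocess.run(["vibecheck", path, "--json"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def evaluate(report_json: str, min_confidence: float = 0.8) -> dict[str, Any]:
    """Apply the gate policy to a JSON report string.

    Returns a dict with:
      ship      -- True only when no critical/high finding is present
      blocking  -- the findings that caused a block
      review    -- non-blocking findings at or above `min_confidence`
      counts    -- the report's own counts, passed through for logging
    """
    report = json.loads(report_json)
    findings = report.get("findings", [])
    blocking = [f for f in findings if f.get("severity") in BLOCKING_SEVERITIES]
    review = [f for f in findings
              if f.get("severity") not in BLOCKING_SEVERITIES
              and float(f.get("confidence", 0)) >= min_confidence]
    return {"ship": not blocking, "blocking": blocking,
            "review": review, "counts": report.get("counts", {})}


def format_finding(f: dict[str, Any]) -> str:
    """One-line human-readable rendering of a finding (assumed field names)."""
    return (f"{f.get('severity', '?'):8} {f.get('rule', '?'):24} "
            f"{f.get('file', '?')}:{f.get('line', '?')} "
            f"(confidence {f.get('confidence', '?')})")


if __name__ == "__main__":
    # `--demo` uses the constructed report; otherwise scan the given directory.
    if "--demo" in sys.argv:
        raw = SAMPLE_REPORT
    else:
        raw = run_vibecheck(sys.argv[1] if len(sys.argv) > 1 else ".")
    result = evaluate(raw)
    for f in result["blocking"]:
        print("BLOCK ", format_finding(f))
    for f in result["review"]:
        print("REVIEW", format_finding(f))
    print("counts:", result["counts"])
    sys.exit(0 if result["ship"] else 1)
```

Run `python gate.py --demo` to see the policy applied to the constructed report (exit code 1, one blocking finding, one review finding); drop `--demo` to scan a real directory through the CLI. The confidence threshold is a policy knob: the page says findings are confidence-ranked, so a gate can keep the blocking set strict on severity while still surfacing the medium findings most likely to be real.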

## Docs
- [README](README.md): model, threat model, full rule table, CLI/MCP usage, config.
- [Rules](docs/PLAN.md): the implemented detectors and their acceptance criteria.
- [ADRs](docs/adr): design decisions (heuristic scanning, agent-first interface).

## Notes
- Heuristic, not a full taint analyzer; a high-signal gate, not a proof of security.
- License: MIT. See LICENSE.
