AI-powered code analysis and auto-fixing CLI tool

Project description

VibeFixing

Code health CLI for the AI coding era.

Detect architecture issues, security risks, and quality problems
— aware of your stack, framework, and workflow.


Why Now

AI writes code faster than teams can review it.

eslint checks syntax. VibeFixing checks your stack, architecture, and workflow — then tells you what's actually broken.

Quick Start

# npm
npx vibefixing doctor

# pip (requires Node.js 18+)
pip install vibefixing
vibefixing doctor

Zero config. Auto-detects your stack and applies the right skills.

Example Output

 VibeFixing v0.1.0

 Environment
  ✔ Node.js 18+
  ✔ Git repository detected
  ✔ API key configured

 Skills detected
  ✔ TypeScript
  ✔ Next.js (App Router)
  ✔ OWASP Top 10

 Project Health
  Architecture   ███████████████░░░░░  78
  Security       ████████████░░░░░░░░  64
  Quality        ██████████████░░░░░░  72
  ─────────────────────────────────────
  Overall        █████████████░░░░░░░  71

 Top recommendations
  1. [high]   Direct DB access in API route handlers — extract to service layer
  2. [high]   Missing CSRF protection on mutation endpoints
  3. [medium] 'use client' applied to 12 components that use no browser APIs
  4. [medium] Duplicated validation logic across 3 route handlers
  5. [low]    next/image not used in 8 components with <img> tags

Before / After

Real output from an AI-generated Next.js codebase:

| | Before | After diagnosis |
|---|---|---|
| Input validation | None | 6 injection vectors found |
| DB access | Direct calls in route handlers | Service layer extraction recommended |
| Business logic | Duplicated across 3 routes | Consolidation points identified |
| Architecture score | | 78 |
| Security score | | 64 |

VibeFixing doesn't auto-rewrite your code. It diagnoses what's broken so you fix it right.

What It Checks

| Category | Examples |
|---|---|
| Security | OWASP Top 10, hardcoded secrets, injection vectors, insecure defaults |
| Architecture | Layer violations, circular dependencies, god objects, missing boundaries |
| Framework | Next.js App Router misuse, NestJS DI anti-patterns, Express middleware gaps |
| Infrastructure | Docker security, Terraform state management, K8s resource limits, CI/CD hardening |
| Database | Missing indexes, N+1 queries, unparameterized queries, connection pooling |
| Quality | Dead code, duplicated logic, complexity hotspots, missing error handling |
| Language | TypeScript strict mode gaps, Python type hints, Go error handling, Java null safety |

Built-in Skills

VibeFixing uses skills — structured analysis packs that understand specific languages, frameworks, and architectures.

Each skill is based on official documentation and industry-standard references:

| Category | Skill | Reference |
|---|---|---|
| Language | typescript | TypeScript Handbook |
| Language | python | PEP 8 / Python Docs |
| Language | go | Effective Go |
| Language | java | Oracle Java SE Best Practices |
| Language | javascript | MDN JavaScript Guide |
| Language | rust | The Rust Book |
| Language | ruby | Ruby Style Guide |
| Language | php | PHP The Right Way |
| Language | csharp | C# Documentation |
| Language | swift | Swift.org Documentation |
| Language | kotlin | Kotlin Docs |
| Language | scala | Scala Documentation |
| Language | dart | Effective Dart |
| Language | elixir | Elixir Guides |
| Framework | nextjs | Next.js Docs |
| Framework | react | React Docs |
| Framework | nestjs | NestJS Docs |
| Framework | express | Express.js Guide |
| Framework | django | Django Docs |
| Framework | flask | Flask Docs |
| Framework | vue | Vue.js Docs |
| Framework | angular | Angular Docs |
| Framework | nuxt | Nuxt Docs |
| Framework | sveltekit | SvelteKit Docs |
| Framework | spring | Spring Boot Docs |
| Framework | rails | Rails Guides |
| Framework | laravel | Laravel Docs |
| Framework | fastapi | FastAPI Docs |
| Framework | aspnet | ASP.NET Core Docs |
| Framework | flutter | Flutter Docs |
| Framework | remix | Remix Docs |
| Framework | astro | Astro Docs |
| Framework | supabase | Supabase Docs |
| Framework | firebase | Firebase Docs |
| Security | owasp-top10 | OWASP Top 10 (2021) |
| Security | secrets-detection | OWASP Secrets Management Cheat Sheet |
| Architecture | clean-architecture | The Clean Architecture — Robert C. Martin |
| Architecture | ddd | Domain-Driven Design Reference — Eric Evans |
| Infrastructure | aws | AWS Well-Architected |
| Infrastructure | gcp | GCP Best Practices |
| Infrastructure | azure | Azure Well-Architected |
| Infrastructure | terraform | Terraform Best Practices |
| Infrastructure | docker | Dockerfile Best Practices |
| Infrastructure | kubernetes | Kubernetes Docs |
| Infrastructure | github-actions | GitHub Actions Docs |
| Database | postgresql | PostgreSQL Docs |
| Database | mysql | MySQL Docs |
| Database | mongodb | MongoDB Docs |
| Database | redis | Redis Docs |
| Database | bigquery | BigQuery Docs |
| Database | firestore | Firestore Docs |

51 built-in skills. Auto-detected. No config needed.

Custom Skills

Add your own skills for team-specific patterns:

# .vibefixing/skills/my-team-rules.yml
skillId: my-team-rules
category: architecture
name: My Team Rules
version: "1.0.0"
match:
  files: ["*.ts"]
rules:
  - "All API handlers must use the withAuth wrapper"
  - "Database access only through repository classes"
antiPatterns:
  - "Direct Prisma calls outside /repositories"
  - "Missing error boundary in page components"

Commands

vibefixing doctor            # Health check — architecture, security, quality scores
vibefixing scan [path]       # Scan for issues using activated skills
vibefixing skills list       # Show available and active skills
vibefixing skills detect     # Detect which skills match your project
vibefixing init              # Initialize config
vibefixing upgrade           # Self-update

Output formats: table (default), json, sarif (GitHub Code Scanning).

GitHub Action

Run VibeFixing on every PR:

name: VibeFixing
on: pull_request

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: open-neo/vibefixing-action@v1
        with:
          scan: 'true'
          severity: 'medium'
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

PR comments show findings inline with severity and suggested fixes.
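
A more tightly scoped variant of the workflow above, added here as an example and not taken from the VibeFixing project. It pins the third-party action to a commit SHA (shown as a placeholder), skips fork PRs, which GitHub runs without repository secrets on `pull_request`, and keeps checkout from persisting the token; the `timeout-minutes` value is an assumption.

```yaml
# Added example: hardened variant of the workflow above (not the project's own file).
name: VibeFixing
on: pull_request

# Deny all token scopes by default; the job below opts in to what it needs.
permissions: {}

jobs:
  review:
    # Fork PRs run without repository secrets and with a read-only token,
    # so the scan could neither authenticate nor comment. Skip them here
    # rather than switching to pull_request_target, which would run with
    # the API key available while handling untrusted PR content.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    timeout-minutes: 15   # assumption: adjust to the size of your repo
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config
      # Placeholder: replace with the full commit SHA of the release you reviewed.
      - uses: open-neo/vibefixing-action@<FULL_COMMIT_SHA>
        with:
          scan: 'true'
          severity: 'medium'
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
```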

Supported Stacks

Languages: TypeScript, JavaScript, Python, Go, Java, Rust, Ruby, PHP, C#, Swift, Kotlin, Scala, Dart, Elixir

Frameworks: Next.js, React, NestJS, Express, Django, Flask, Vue, Angular, Nuxt, SvelteKit, Spring, Rails, Laravel, FastAPI, ASP.NET, Flutter, Remix, Astro, Supabase, Firebase

Infrastructure: AWS, GCP, Azure, Terraform, Docker, Kubernetes, GitHub Actions

Databases: PostgreSQL, MySQL, MongoDB, Redis, BigQuery, Firestore

Architectures: Clean Architecture, DDD, Layered, MVC

More stacks added through skill contributions.

Open Source vs Cloud

OSS (this repo) Cloud
CLI
Skills
GitHub Action
AI-powered review
Auto-fix engine
Patch ranking
Team dashboard
Repo-wide analytics
Policy management

The CLI is free and open source (Apache 2.0).

Configuration

VibeFixing works with zero config. For customization:

# .vibefixing.yml
version: "1"
ai:
  provider: anthropic
skills:
  enabled: [typescript, nextjs, owasp-top10]
  custom: ./my-skills
scan:
  severity: medium
  ignore: ["**/*.test.ts", "dist/**"]

Contributing

The easiest way to contribute is to add a new skill pack.

  1. Create a YAML file in skills/<category>/
  2. Define skillId, match, rules, and antiPatterns
  3. Submit a PR

Look for issues labeled good first issue — scoped to single skill additions or rule improvements.

git clone https://github.com/open-neo/vibefixing.git
cd vibefixing
pnpm install
pnpm build
pnpm test

License

Apache 2.0

Download files

Source Distribution

vibefixing-0.3.0.tar.gz (21.8 kB view details)

Uploaded Source

Built Distribution

vibefixing-0.3.0-py3-none-any.whl (42.9 kB view details)

Uploaded Python 3

File details

Details for the file vibefixing-0.3.0.tar.gz.

File metadata

  • Download URL: vibefixing-0.3.0.tar.gz
  • Upload date:
  • Size: 21.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for vibefixing-0.3.0.tar.gz
Algorithm Hash digest
SHA256 beb1fafe5f78eca1aaba182e86f202de123f615e1290f44bef7ab5fbc1721c18
MD5 d01781fd63600baeb8c66c13e5269463
BLAKE2b-256 8aad8046a9d7ef1a9f11bf948eb084482064cf84be00f5f7791542d125c2bb53

Provenance

The following attestation bundles were made for vibefixing-0.3.0.tar.gz:

Publisher: publish-pypi.yml on open-neo/vibefixing

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file vibefixing-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: vibefixing-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 42.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for vibefixing-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9961a6703d2a73d90fc4c2e7a9dd1fb28d228872cade6639a750250689a4752d
MD5 29e6bfd11897872da99647a7a670c09a
BLAKE2b-256 1e3932016a3acfa4638f37e29066d6d3b3866ffea8c557d98b805d740dea8801

Provenance

The following attestation bundles were made for vibefixing-0.3.0-py3-none-any.whl:

Publisher: publish-pypi.yml on open-neo/vibefixing

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
