Skip to content

Early Jan. 2026 Release Updates #36

New issue
New issue
Open
Open
Early Jan. 2026 Release Updates#36
@noelsaw1

Description

@noelsaw1
noelsaw1
opened on Jan 6, 2026

WP Code Check - Marketing Statistics & Technical Summary

Generated: 2026-01-06
Version: 1.0.90
Purpose: Marketing materials, technical documentation, and feature highlights

📊 Detection Statistics (By the Numbers)

Total Checks & Patterns

Category Count Details
Total Security & Performance Checks 33 Defined in severity-levels.json
Active Detection Rules 27+ Implemented in check-performance.sh
Pattern Library (JSON) 20 files Modular pattern definitions
DRY/Magic String Patterns 4 Duplicate option names, transient keys, capabilities, functions
Headless WordPress Patterns 6 API key exposure, fetch errors, GraphQL, hardcoded URLs, auth headers, Next.js ISR
Node.js Security Patterns 4 Command injection, eval(), path traversal, unhandled promises
JavaScript Patterns 1 Duplicate localStorage/sessionStorage keys
Test Fixtures 31+ PHP, JavaScript, TypeScript validation test cases

Breakdown by Severity

Severity Count Examples
CRITICAL 14 SQL injection, unbounded queries, insecure deserialization, localStorage exposure, N+1 patterns
HIGH 11 Unsanitized superglobals, missing capability checks, WC N+1 patterns, AJAX without nonce, ORDER BY RAND
MEDIUM 7 Unsafe RegExp, LIKE leading wildcards, transients without expiration, HTTP timeouts, PHP short tags
LOW 1 Timezone-sensitive patterns

Breakdown by Category

Category Count Focus Areas
Security 12 SQL injection, XSS, CSRF, privilege escalation, data exposure, command injection, eval()
Performance 19 Unbounded queries, N+1 patterns, caching, database optimization, WooCommerce performance
Compatibility 1 PHP short tags
Maintenance 1 Code quality, technical debt, timezone handling

🔍 What We Detect (Detailed Breakdown)

Security Checks (12 patterns)

  1. SPO-001 - Debug code in production (console.log, var_dump, debugger, alert, print_r, error_log)
  2. HCC-001 - Sensitive data in localStorage/sessionStorage (plugin, cache, user, admin, settings data)
  3. HCC-002 - Client-side serialization to browser storage (JSON.stringify to localStorage)
  4. SPO-002 - Direct superglobal manipulation ($_GET/$_POST modification, unset)
  5. SPO-003 - Insecure data deserialization (unserialize, base64_decode, json_decode on $_GET/$_POST)
  6. Unsanitized superglobal read - $_GET/$_POST without sanitization (context-aware with nonce detection)
  7. wpdb-query-no-prepare - Direct database queries without $wpdb->prepare() (SQL injection risk)
  8. admin-no-capability-check - Admin functions missing current_user_can() (privilege escalation)
  9. ajax-no-nonce - wp_ajax handlers without nonce validation (CSRF vulnerability)
  10. file-get-contents-url - External URLs without wp_remote_get() (no timeout, no SSL verification)
  11. cron-interval-unvalidated - wp_schedule_event with user input (infinite loops, silent failures)
  12. HCC-008 - Unsafe RegExp construction (ReDoS vulnerability, user input concatenation)

Performance Checks (19 patterns)

  1. unbounded-posts-per-page - posts_per_page => -1 (fetches ALL posts)
  2. unbounded-numberposts - numberposts => -1 (fetches ALL posts)
  3. nopaging-true - nopaging => true (disables pagination)
  4. unbounded-wc-get-orders - WooCommerce limit => -1 (fetches ALL orders)
  5. get-users-no-limit - get_users() without 'number' parameter (fetches ALL users)
  6. get-terms-no-limit - get_terms() without 'number' parameter (fetches ALL terms)
  7. pre-get-posts-unbounded - pre_get_posts forcing unbounded queries (global query modification)
  8. rest-no-pagination - register_rest_route without pagination (unbounded REST API)
  9. ajax-polling-unbounded - setInterval + AJAX without rate limiting (request storms)
  10. HCC-005 - Expensive WP functions in polling (get_plugins, WP_Query, get_users in setInterval)
  11. unbounded-sql-terms - Direct SQL on wp_terms without LIMIT (full table scans)
  12. order-by-rand - ORDER BY RAND() (full table scan on every query)
  13. n-plus-one-pattern - get_post_meta/get_user_meta in loops (query multiplication)
  14. wc-n-plus-one-pattern - wc_get_order/wc_get_product in loops (WooCommerce query multiplication)
  15. wcs-get-subscriptions-no-limit - WooCommerce Subscriptions without limits (performance degradation)
  16. like-leading-wildcard - LIKE '%pattern' (cannot use indexes, slow on large tables)
  17. transient-no-expiration - set_transient() with 0 expiration (database bloat)
  18. http-no-timeout - wp_remote_get/post without timeout (site hangs if API is slow)
  19. script-versioning-time - wp_enqueue_script with time() version (breaks browser caching)

Headless WordPress & Modern JavaScript (11 patterns)

Headless WordPress (6 patterns):

  1. api-key-exposure - Hardcoded API keys in JavaScript/TypeScript
  2. fetch-no-error-handling - fetch() calls without .catch() or try/catch
  3. graphql-no-error-handling - GraphQL queries without error handling
  4. hardcoded-wordpress-url - Hardcoded WordPress URLs instead of environment variables
  5. missing-auth-headers - fetch() to WordPress REST API without Authorization headers
  6. nextjs-missing-revalidate - Next.js getStaticProps without revalidate (stale data)

Node.js Security (4 patterns):

  1. command-injection - child_process.exec() with user input (shell injection)
  2. eval-injection - eval() or Function() with user input (code injection)
  3. path-traversal - fs.readFile/writeFile with user input (directory traversal)
  4. unhandled-promise - Promises without .catch() or try/catch (silent failures)

JavaScript Code Quality (1 pattern):

  1. duplicate-storage-keys - Hardcoded localStorage/sessionStorage keys (DRY violation)

Code Quality & Compatibility (2 patterns)

  1. disallowed-php-short-tags - <?= or <? instead of <?php (server compatibility)
  2. timezone-sensitive - current_time('timestamp') or date() without timezone awareness

🛠️ Technical Features of the Scanning Engine

Multi-Layer Detection System

WP Code Check uses a sophisticated 4-tier detection architecture:

  1. Pattern Matching Layer - Regex-based grep searches with WordPress-specific patterns detect direct violations (e.g., posts_per_page => -1, $wpdb->query without prepare()). This layer uses optimized grep with file type filtering (.php, .js, .jsx, .ts, .tsx) and exclusion patterns to minimize false positives. Supports 20+ file extensions including modern JavaScript frameworks.

  2. Context-Aware Analysis Layer - Advanced checks analyze surrounding code context (10-20 lines) to validate findings. For example, the unsanitized superglobal detector checks for nonce verification (wp_verify_nonce, check_ajax_referer) in preceding lines and sanitization functions (sanitize_*, esc_*, absint) on the same line, dramatically reducing false positives while catching real security issues. Function boundary detection prevents cross-function false positives.

  3. Mitigation Detection Layer (NEW in v1.0.90) - Analyzes unbounded queries for mitigating factors and adjusts severity accordingly. Detects 4 mitigation patterns: (1) Caching (get_transient, wp_cache_get), (2) Parent-scoped queries ('parent' => $var), (3) IDs-only queries ('fields' => 'ids'), (4) Admin context (is_admin(), current_user_can()). Multi-factor severity adjustment: 3+ mitigations = CRITICAL→LOW, 2 = CRITICAL→MEDIUM, 1 = CRITICAL→HIGH. Reduces false positives by 60-70%.

  4. Aggregation & Grouping Layer - DRY (Don't Repeat Yourself) pattern detection uses capture groups and aggregation to identify magic strings (hardcoded option names, transient keys, capability strings, localStorage keys) scattered across multiple files. This layer groups findings by captured value, counts distinct files and total occurrences, and reports only violations exceeding configurable thresholds (e.g., 3+ files, 6+ occurrences).

Key Technical Capabilities

  • Zero Dependencies - Pure bash + grep, runs anywhere (macOS, Linux, Windows WSL, Docker, CI/CD)
  • WordPress-Specific Intelligence - Understands WP_Query, get_posts(), wp_ajax_*, register_rest_route(), WooCommerce patterns
  • Modern JavaScript Support - Scans JavaScript, TypeScript, JSX, TSX, Node.js (11 new patterns in v1.0.89)
  • Headless WordPress Detection - Next.js, React, Vue.js, GraphQL patterns (6 patterns)
  • Configurable Severity Levels - JSON-based severity configuration with factory defaults and custom overrides
  • Baseline Suppression - Exclude existing violations from new scans to prevent regressions
  • JSON Output - Structured output for CI/CD integration, HTML report generation, and programmatic analysis
  • Performance Profiling - Built-in timing for each check category (critical, warning, DRY)
  • File Path Safety - Handles spaces in file paths, excludes vendor/node_modules, respects .gitignore patterns
  • False Positive Reduction - Mitigation detection reduces false positives by 60-70% (v1.0.90)
  • AI Agent Integration - Native support for VS Code AI assistants with structured JSON output and comprehensive system instructions

🤖 AI Agent Integration: Built for VS Code AI Assistants

WP Code Check is fine-tuned to work seamlessly with your VS Code AI agents (Cursor, GitHub Copilot, Augment, Codeium, and others).

Why This Matters

Modern development workflows rely on AI assistants to analyze code, identify issues, and suggest fixes. WP Code Check bridges the gap between static analysis and AI-powered code review by providing machine-readable output that LLMs can instantly understand and act upon.

How It Works

1. Structured JSON Output

  • Every scan produces clean, parseable JSON with severity levels, file paths, line numbers, and context
  • AI agents can instantly parse findings without regex or text parsing
  • Consistent schema across all check types (security, performance, DRY violations)

2. Comprehensive System Instructions

  • Included AGENTS.md file provides AI assistants with WordPress-specific context
  • Teaches AI agents about WordPress performance antipatterns, security best practices, and remediation strategies
  • Enables AI to understand WHY a pattern is dangerous, not just THAT it was detected

3. Template & Configuration Management

  • AI agents can create, modify, and manage project templates (TEMPLATES/*.txt)
  • Automated template completion from plugin/theme metadata
  • AI-assisted baseline generation and technical debt tracking

4. Intelligent Analysis Beyond Static Detection

  • AI agents can correlate findings across multiple files
  • Suggest architectural improvements based on detected patterns
  • Prioritize fixes based on severity, impact, and codebase context
  • Generate remediation code that follows WordPress coding standards

Example AI Agent Workflows

Workflow 1: Automated Code Review

# AI agent runs scan
./dist/bin/check-performance.sh --paths . --format json > scan.json

# AI agent parses JSON and provides contextual analysis
# "Found 3 unbounded queries in admin/class-reports.php. These will cause
#  memory exhaustion when the site has 10,000+ posts. Recommend adding
#  pagination with posts_per_page => 50 and implementing AJAX load-more."

Workflow 2: Template Creation

# User: "Create a template for WooCommerce plugin"
# AI agent creates TEMPLATES/my-wc-plugin.txt with metadata
# AI agent runs initial scan and generates baseline
# AI agent documents findings in PROJECT/ folder

Workflow 3: Technical Debt Management

# AI agent generates baseline for legacy codebase
./dist/bin/check-performance.sh --paths . --generate-baseline

# AI agent analyzes baseline and creates prioritized fix list
# AI agent tracks progress as issues are resolved
# AI agent prevents new violations in code reviews

AI Agent Capabilities

With WP Code Check integration, your AI assistant can:

  • Run scans automatically - Trigger scans on file save, commit, or PR creation
  • Parse and explain findings - Translate technical violations into actionable insights
  • Suggest fixes - Generate WordPress-compliant remediation code
  • Manage templates - Create and maintain project configurations
  • Track technical debt - Monitor baseline changes and regression prevention
  • Correlate patterns - Identify systemic issues across multiple files
  • Prioritize work - Rank fixes by severity, impact, and effort
  • Generate reports - Create human-readable summaries for stakeholders

System Instructions for AI Agents

WP Code Check includes comprehensive AI agent documentation:

  • AGENTS.md - WordPress development guidelines, security best practices, performance patterns
  • TEMPLATES/_AI_INSTRUCTIONS.md - Template creation and auto-completion workflows
  • PROJECT/ folder - Architectural decision records, pattern libraries, integration guides
  • JSON schema documentation - Complete output format specification

Supported AI Platforms

Tested and optimized for:

  • Cursor - AI-first code editor
  • GitHub Copilot - AI pair programmer
  • Augment Code - Codebase-aware AI assistant
  • Codeium - Free AI code completion
  • Continue.dev - Open-source AI coding assistant
  • Any LLM with file access - Claude, GPT-4, Gemini via API

Getting Started with AI Agents

Step 1: Run a scan with JSON output

./dist/bin/check-performance.sh --paths . --format json > scan-results.json

Step 2: Ask your AI agent to analyze

"Analyze scan-results.json and explain the top 3 critical issues.
 For each issue, provide the WordPress-recommended fix."

Step 3: Let AI generate fixes

"Fix the unbounded query in includes/query-helpers.php line 45.
 Use WordPress best practices with proper pagination."

Step 4: Automate with templates

"Create a template for this plugin and set up baseline tracking."

Why AI + WP Code Check = Better Code

Traditional Static Analysis:

  • ❌ Generates reports humans must manually interpret
  • ❌ No context about WHY patterns are dangerous
  • ❌ No suggested fixes or remediation guidance
  • ❌ Requires WordPress expertise to understand findings

AI-Powered Analysis with WP Code Check:

  • ✅ AI instantly understands JSON output and provides context
  • ✅ AI explains impact in plain language ("This will crash your site when...")
  • ✅ AI generates WordPress-compliant fixes automatically
  • ✅ AI learns from system instructions and improves over time
  • ✅ AI correlates findings across files for architectural insights

Real-World Impact

Before AI Integration:

  • Developer runs scan → 47 findings
  • Developer manually reviews each finding
  • Developer researches WordPress best practices
  • Developer writes fixes one by one
  • Time: 4-6 hours

With AI Integration:

  • AI runs scan automatically
  • AI explains top 5 critical issues with context
  • AI generates fixes following WordPress standards
  • Developer reviews and approves AI suggestions
  • Time: 30-45 minutes

Result: 80% time savings + higher code quality

📈 Pattern Library Architecture

Modular JSON Pattern Definitions

20 JSON pattern files organized by category:

Core WordPress (4 patterns):

  • unsanitized-superglobal-isset-bypass.json
  • unsanitized-superglobal-read.json
  • wpdb-query-no-prepare.json
  • get-users-no-limit.json

DRY/Magic String Detection (4 patterns):

  • duplicate-option-names.json
  • duplicate-transient-keys.json
  • duplicate-capability-strings.json
  • duplicate-functions.json

Headless WordPress (6 patterns):

  • api-key-exposure.json
  • fetch-no-error-handling.json
  • graphql-no-error-handling.json
  • hardcoded-wordpress-url.json
  • missing-auth-headers.json
  • nextjs-missing-revalidate.json

Node.js Security (4 patterns):

  • command-injection.json
  • eval-injection.json
  • path-traversal.json
  • unhandled-promise.json

JavaScript Code Quality (1 pattern):

  • duplicate-storage-keys.json

Context-Aware (1 pattern):

  • superglobal-with-nonce-context.json

Pattern Schema Features

Each pattern includes:

  • Detection logic - Regex patterns, file types, grep arguments
  • Test fixtures - Known-bad code examples for validation
  • IRL examples - Real-world violations from production plugins
  • Remediation guidance - How to fix the issue
  • References - WordPress Codex, security advisories, performance guides
  • Severity levels - CRITICAL, HIGH, MEDIUM, LOW with justification
  • Allowlists - Exclude common WordPress core patterns (e.g., 'siteurl', 'home')

🎯 Use This For Marketing

Headline Stats:

  • 33 security & performance checks across 4 severity levels
  • 20 modular JSON patterns (WordPress, Headless, Node.js, JavaScript)
  • 4-tier detection engine (pattern matching, context analysis, mitigation detection, aggregation)
  • Zero dependencies - runs anywhere (bash + grep only)
  • WordPress-specific intelligence - understands WP APIs, WooCommerce, Headless WordPress
  • Modern JavaScript support - TypeScript, JSX, TSX, Node.js, Next.js, GraphQL
  • Battle-tested - detects real issues from production sites
  • 60-70% false positive reduction - mitigation detection (v1.0.90)
  • AI agent integration - native VS Code AI assistant support with structured JSON output

Technical Differentiators:

  • Context-aware analysis (not just grep)
  • Mitigation detection (caching, parent-scoped, IDs-only, admin context)
  • Configurable severity levels (JSON-based)
  • Baseline suppression (track technical debt)
  • DRY pattern detection (magic string aggregation)
  • Headless WordPress support (Next.js, GraphQL, React)
  • CI/CD ready (JSON output, exit codes)
  • AI-powered workflows (Cursor, GitHub Copilot, Augment, Codeium compatible)

Latest Features (v1.0.90):

  • Mitigation Detection - Reduces false positives by 60-70%
  • 4 Mitigation Patterns - Caching, parent-scoped, IDs-only, admin context
  • Multi-Factor Severity Adjustment - CRITICAL→LOW/MEDIUM/HIGH based on mitigations
  • Function-Scoped Analysis - Prevents cross-function false positives

Latest Features (v1.0.89):

  • 11 New JavaScript/TypeScript Patterns - Headless WordPress, Node.js security
  • 6 Headless WordPress Patterns - Next.js, GraphQL, API security
  • 4 Node.js Security Patterns - Command injection, eval(), path traversal
  • Full TypeScript Support - JSX, TSX file scanning

Last Updated: 2026-01-06
Source Files:

  • dist/config/severity-levels.json (33 checks)
  • dist/bin/check-performance.sh (27+ active rules)
  • dist/patterns/*.json (20 pattern definitions)
  • CHANGELOG.md (v1.0.90 - Mitigation Detection)
  • CHANGELOG.md (v1.0.89 - JavaScript/TypeScript Support)

Generated: 2026-01-06
Version: 1.0.68+
Purpose: Marketing materials, technical documentation, and feature highlights

📊 Detection Statistics (By the Numbers)

Total Checks & Patterns

Category Count Details
Total Security & Performance Checks 33 Defined in severity-levels.json
Active Detection Rules 25+ Implemented in check-performance.sh
Pattern Library (JSON) 9 files Modular pattern definitions
DRY/Magic String Patterns 3 Duplicate option names, transient keys, capabilities
Test Fixtures 8+ Validation test cases

Breakdown by Severity

Severity Count Examples
CRITICAL 11 SQL injection, unbounded queries, insecure deserialization, localStorage exposure
HIGH 10 Unsanitized superglobals, missing capability checks, N+1 patterns, WC performance
MEDIUM 11 ORDER BY RAND, transients without expiration, HTTP timeouts, unsafe RegExp
LOW 1 Timezone-sensitive patterns

Breakdown by Category

Category Count Focus Areas
Security 12 SQL injection, XSS, CSRF, privilege escalation, data exposure
Performance 18 Unbounded queries, N+1 patterns, caching, database optimization
Compatibility 2 PHP short tags, timezone handling
Maintenance 1 Code quality, technical debt

🔍 What We Detect (Detailed Breakdown)

Security Checks (12 patterns)

  1. SPO-001 - Debug code in production (console.log, var_dump, debugger)
  2. HCC-001 - Sensitive data in localStorage/sessionStorage
  3. HCC-002 - Client-side serialization to browser storage
  4. SPO-002 - Direct superglobal manipulation ($_GET/$_POST modification)
  5. SPO-003 - Insecure data deserialization (unserialize on $_GET/$_POST)
  6. Unsanitized superglobal read - $_GET/$_POST without sanitization (context-aware)
  7. wpdb-query-no-prepare - Direct database queries without $wpdb->prepare()
  8. admin-no-capability-check - Admin functions missing current_user_can()
  9. ajax-no-nonce - wp_ajax handlers without nonce validation
  10. file-get-contents-url - External URLs without wp_remote_get()
  11. cron-interval-unvalidated - wp_schedule_event with user input
  12. HCC-008 - Unsafe RegExp construction (ReDoS vulnerability)

Performance Checks (18 patterns)

  1. unbounded-posts-per-page - posts_per_page => -1
  2. unbounded-numberposts - numberposts => -1
  3. nopaging-true - nopaging => true
  4. unbounded-wc-get-orders - WooCommerce limit => -1
  5. get-users-no-limit - get_users() without 'number' parameter
  6. get-terms-no-limit - get_terms() without 'number' parameter
  7. pre-get-posts-unbounded - pre_get_posts forcing unbounded queries
  8. rest-no-pagination - register_rest_route without pagination
  9. ajax-polling-unbounded - setInterval + AJAX without rate limiting
  10. HCC-005 - Expensive WP functions in polling (get_plugins, WP_Query in setInterval)
  11. unbounded-sql-terms - Direct SQL on wp_terms without LIMIT
  12. order-by-rand - ORDER BY RAND() (full table scan)
  13. n-plus-one-pattern - get_post_meta/get_user_meta in loops
  14. wc-n-plus-one-pattern - wc_get_order/wc_get_product in loops
  15. wcs-get-subscriptions-no-limit - WooCommerce Subscriptions without limits
  16. like-leading-wildcard - LIKE '%pattern' (cannot use indexes)
  17. transient-no-expiration - set_transient() with 0 expiration
  18. http-no-timeout - wp_remote_get/post without timeout

Code Quality & Compatibility (3 patterns)

  1. disallowed-php-short-tags - <?= or <? instead of <?php
  2. timezone-sensitive - current_time('timestamp') or date() without timezone awareness
  3. script-versioning-time - wp_enqueue_script with time() version (breaks caching)

🛠️ Technical Features of the Scanning Engine

Multi-Layer Detection System

WP Code Check uses a sophisticated 3-tier detection architecture:

  1. Pattern Matching Layer - Regex-based grep searches with WordPress-specific patterns detect direct violations (e.g., posts_per_page => -1, $wpdb->query without prepare()). This layer uses optimized grep with file type filtering (.php, .js, .jsx, .ts, .tsx) and exclusion patterns to minimize false positives.

  2. Context-Aware Analysis Layer - Advanced checks analyze surrounding code context (10-20 lines) to validate findings. For example, the unsanitized superglobal detector checks for nonce verification (wp_verify_nonce, check_ajax_referer) in preceding lines and sanitization functions (sanitize_*, esc_*, absint) on the same line, dramatically reducing false positives while catching real security issues.

  3. Aggregation & Grouping Layer - DRY (Don't Repeat Yourself) pattern detection uses capture groups and aggregation to identify magic strings (hardcoded option names, transient keys, capability strings) scattered across multiple files. This layer groups findings by captured value, counts distinct files and total occurrences, and reports only violations exceeding configurable thresholds (e.g., 3+ files, 6+ occurrences).

Key Technical Capabilities

  • Zero Dependencies - Pure bash + grep, runs anywhere (macOS, Linux, Windows WSL, Docker, CI/CD)
  • WordPress-Specific Intelligence - Understands WP_Query, get_posts(), wp_ajax_*, register_rest_route(), WooCommerce patterns
  • Configurable Severity Levels - JSON-based severity configuration with factory defaults and custom overrides
  • Baseline Suppression - Exclude existing violations from new scans to prevent regressions
  • JSON Output - Structured output for CI/CD integration, HTML report generation, and programmatic analysis
  • Performance Profiling - Built-in timing for each check category (critical, warning, DRY)
  • File Path Safety - Handles spaces in file paths, excludes vendor/node_modules, respects .gitignore patterns

📈 Pattern Library Architecture

Modular JSON Pattern Definitions

9 JSON pattern files in dist/patterns/:

  • unsanitized-superglobal-isset-bypass.json
  • unsanitized-superglobal-read.json
  • wpdb-query-no-prepare.json
  • get-users-no-limit.json
  • duplicate-option-names.json (DRY)
  • duplicate-transient-keys.json (DRY)
  • duplicate-capability-strings.json (DRY)
  • duplicate-functions.json (DRY)
  • superglobal-with-nonce-context.json

Pattern Schema Features

Each pattern includes:

  • Detection logic - Regex patterns, file types, grep arguments
  • Test fixtures - Known-bad code examples for validation
  • IRL examples - Real-world violations from production plugins
  • Remediation guidance - How to fix the issue
  • References - WordPress Codex, security advisories, performance guides

🎯 Use This For Marketing

Headline Stats:

  • 33 security & performance checks
  • 3-tier detection engine (pattern matching, context analysis, aggregation)
  • Zero dependencies - runs anywhere
  • WordPress-specific intelligence - understands WP APIs
  • Battle-tested - detects real issues from production sites

Technical Differentiators:

  • Context-aware analysis (not just grep)
  • Configurable severity levels (JSON-based)
  • Baseline suppression (track technical debt)
  • DRY pattern detection (magic string aggregation)
  • CI/CD ready (JSON output, exit codes)

Last Updated: 2026-01-06
Source Files:

  • dist/config/severity-levels.json (33 checks)
  • dist/bin/check-performance.sh (25+ active rules)
  • dist/patterns/*.json (9 pattern definitions)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions