vibecop

AI code quality toolkit — deterministic linter for the AI coding era. 35 detectors catch the bugs AI agents introduce: god functions, N+1 queries, unsafe shell exec, unpinned LLM models, and more. Runs automatically inside Claude Code, Cursor, Codex, Aider, and 7 other AI tools. Also available as an MCP server.

Built on ast-grep for fast, tree-sitter-based AST analysis. No LLM required — every finding is deterministic and reproducible.

Documentation | Playground

Install

npm install -g vibecop    # or: bun add -g vibecop

Quick Start

vibecop scan .                         # Scan current directory
vibecop scan src/ --format json        # JSON output
vibecop scan . --diff HEAD             # Only changed files
vibecop init                           # Auto-setup agent integration
vibecop serve                          # Start MCP server

Agent Integration

vibecop runs inside your AI coding agent. Every edit triggers a scan — the agent reads findings and self-corrects.

npx vibecop init    # Auto-detects tools, generates configs

Agent writes code → vibecop hook fires → Findings? Agent fixes → Clean? Continue.

MCP Server

{
  "mcpServers": {
    "vibecop": {
      "command": "npx",
      "args": ["vibecop", "serve"]
    }
  }
}

Four tools: vibecop_scan, vibecop_check, vibecop_explain, vibecop_context_benchmark.

Context Optimization (Beta)

Beta: This feature is under active testing. Re-run vibecop init --context after upgrading vibecop or reinstalling dependencies.

Reduce token consumption by ~35% on Read tool re-reads. When Claude Code reads a file it's already seen, vibecop intercepts the Read and serves a compact AST skeleton instead of the full file. Unchanged files get smart-limited to 30 lines + skeleton context.

Requires bun runtime (uses bun:sqlite for zero-dependency caching). Claude Code only.

vibecop context benchmark  # See projected savings for your project
vibecop init --context     # Configure hooks (Claude Code only)
vibecop context stats      # View actual token savings after sessions

How it works:

1. First read — full file passes through, skeleton is cached
2. Re-read (unchanged) — smart-limited to 30 lines + skeleton injected via additionalContext
3. Re-read (changed) — full file passes through with "file changed" note

Skeletons include imports, function signatures, class outlines, and exports — enough for Claude to understand file structure without re-reading the full implementation.

Benchmarks

All numbers are real — run vibecop scan on any repo to reproduce.

Established projects:

Vibe-coded projects:

Median: established 4.4/kLOC vs vibe-coded 14.0/kLOC (3.2x higher).

GitHub Action

- uses: bhvbhushan/vibecop@main
  with:
    on-failure: comment-only
    severity-threshold: warning

Detectors (35)

4 categories: Quality (16), Security (7), Correctness (4), Testing (8).

Catches: god functions, N+1 queries, unsafe shell exec, SQL injection, hardcoded secrets, trivial assertions, empty tests, unpinned LLM models, hallucinated packages, and more.

Full detector reference →

Roadmap

• Phase 1: Core scanner — 7 detectors, 5 output formats
• Phase 2: PR Gate GitHub Action, 15 new detectors
• Phase 2.5: Agent integration (7 tools), 6 LLM/agent detectors, vibecop init
• Phase 3: Test quality detectors, custom YAML rules (28 → 35)
• Phase 3.5: MCP server with scan/check/explain tools
• Phase 4: Context optimization — Beta (Read tool interception, AST skeleton caching)
• Phase 5: VS Code extension, cross-file analysis

Links

• Documentation
• Playground
• Contributing
• Security
• Changelog
• License (MIT)