All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Renamed MCP tool
list_custom_rules→list_session_custom_rules(TEC-51) — the previous name promised "all active custom rules" but the handler only returned rules added viaadd_custom_rulein the current session, omitting anycustomPatternsdefined in.techdebtrc.json(which are still executed insideanalyze_project). The tool was renamed rather than expanded so the name matches its actual scope. Migration: clients callinglist_custom_ruleswill now receiveMethodNotFound— update calls tolist_session_custom_rules. To inspect.techdebtrc.jsoncustomPatterns, read the config file directly or invokevalidate_config. Searchable:list_custom_ruleswas renamed tolist_session_custom_rules.
- Distributed Claude Code automation (#215) —
.claude/settings.json,.claude/hooks/block-npm-publish.sh,.claude/hooks/check-tools-manifest-sync.sh, and.claude/skills/are now force-added to the repository (git add -f) and distributed with the codebase. This supersedes the earlier model (first established in v2.0.2 / #130) where.claude/was gitignored and hooks were local-only. Thepre-pr-docs-check.shhook and developer-personal config (settings.local.json,hookify.*.local.md) remain local-only and gitignored. - Plugin-user-facing README (TEC-34, #173) —
plugin/README.mdcovers install flow (/plugin marketplace add+/plugin install), the available MCP tools surfaced to Claude, two example transcripts (project scan, vulnerability report), security posture, troubleshooting, and cross-links to the canonical docs site. MainREADME.mdcross-links to it from the plugin install collapsible and Documentation index. Screenshots / asciinema captures are deferred to the TEC-48 manual smoke pass, which exercises the install flow on a clean machine. - Privacy policy (TEC-44, #183) — new
PRIVACY.mdat repo root and a hosted mirror at https://pierrejanineh.github.io/TechDebtMCP/privacy covering data handling, telemetry posture, and third-party services. README gains a Privacy section linking to both. The hosted URL is the stable link for the Anthropic MCP directory submission form (TEC-45).
- Claude Code plugin layout (TEC-242) — two release-blocking bugs in the marketplace install path, fixed in a single restructure. (1)
commands/andskills/were nested under.claude-plugin/, which the CC loader does not scan, so/techdebt-scan,/techdebt-file,/techdebt-summary, and theproactive-analysisskill never loaded for any installer. (2) The marketplace install withsource: "./"performed a filesystem copy of the entire repo (~193 MB includingnode_modules/,.claude/,src/,tests/,docs/,.idea/,.env) into every user's plugin cache; theplugin.jsonschema defines nofiles/include/ignore/excludefield, so there is no first-class way to restrict the install surface. Fix: moved the entire plugin install surface into aplugin/subdirectory (manifest, slash commands,proactive-analysisskill, README) and changedmarketplace.jsonsourceto./plugin— only that subtree is now copied to user caches.src/server/__tests__/pluginManifest.test.tsgained three regression guards: the marketplace-source allowlist, the plugin-root component layout check, and a surface allowlist that fails CI if anything other than{.claude-plugin/, commands/, skills/, README.md}appears underplugin/. Surfaced by the v2.1.0 sanity-run (#238). analyze_projectreturned 0 issues whenlanguages/categorieswere empty arrays (TEC-73, #240) — MCP Inspector's auto-generated forms default array fields to[], which causedanalyze_projectto filter to an empty language/category set and report "Health Score: 100/100, 0 issues" for any repository.optionalLanguages/optionalCategoriesinsrc/server/inputParser.tsnow coerce empty arrays toundefined, so the three call shapes{},{ languages: undefined, categories: undefined }, and{ languages: [], categories: [] }produce identical output. Surfaced by the v2.1.0 sanity-run (#238).execute_custom_rulesinfers language from file extension (TEC-50) — when called withpathand no explicitlanguage, the handler now derives the language viadetectLanguageFromExtension(path)before invoking the engine, so rules carrying alanguagesfilter actually fire. Previously such rules were silently skipped on the path entry point while still firing forcode/languagecalls.customPatternswired intoanalyze_project(TEC-49, #204) — patterns defined in.techdebtrc.jsonundercustomPatternswere previously validated but never executed during project analysis.AnalysisEngine.analyzeProject()now instantiates a per-callCustomRulesEnginefrommergedConfig.customPatternsand runs it against every analyzed file, respecting the optionallanguagesfilter on each pattern. Custom-pattern issues also honorruleExclusionsandseverityoverrides. Note: theanalyze_filetool invokes the language analyzer directly without loading.techdebtrc.json, so config-definedcustomPatternsare applied only inanalyze_project.includeglob ignored inanalyze_project(TEC-57, #212) —mergedConfig.includepatterns are now applied as a post-discovery allowlist filter inanalysisEngine.tsusingminimatchagainst relative paths. Previously theincludearray was validated but never consulted during file discovery, causing all files to be analyzed regardless of the allowlist.
- Dependabot alert sweep — 13 alerts triaged (TEC-46, #189): 10 dismissed (patched version present), 3 dev-only tracked via
dependabot.ymlignore entries (alerts remain open until upstream patches).npm audit --omit=devconfirmed 0 runtime vulnerabilities throughout. Per-alert trace:- #45
fast-uri≤3.1.1 (high, GHSA path-traversal) — lockfile already installsfast-uri@3.1.2(patched) via@modelcontextprotocol/sdk. Dismissed: patched version present. - #41
fast-uri≤3.1.0 (high, GHSA host-confusion) — same resolution as #45. Dismissed: patched version present. - #44
hono<4.12.18 (moderate, CSS Declaration Injection in JSX SSR) — lockfile installshono@4.12.22(patched). TechDebtMCP uses stdio transport only;honois bundled by the SDK for its HTTP transport which is never invoked. Dismissed: patched version present, unreachable code path. - #43
hono<4.12.18 (low, improper NumericDate JWT validation) — same resolution as #44. - #42
hono<4.12.18 (moderate,bodyLimit()bypass) — same resolution as #44. - #40
hono<4.12.16 (moderate, Cache MiddlewareVaryleakage) — lockfile installshono@4.12.22. Dismissed: patched version present, unreachable code path. - #39
hono<4.12.16 (moderate, unvalidated JSX tag names) — same resolution as #40. - #37
hono<4.12.14 (moderate, HTML Injection inhono/jsxSSR) — lockfile installshono@4.12.22. Dismissed: patched version present, unreachable code path. - #38
ip-address≤10.1.0 (moderate, XSS inAddress6HTML methods) — lockfile installsip-address@10.2.0(patched) via@modelcontextprotocol/sdk→express-rate-limit. Dismissed: patched version present. - #46
brace-expansion≥5.0.0,<5.0.6 (moderate, numeric range DoS) — lockfile installsbrace-expansion@5.0.6(patched) via directminimatchdependency. Dismissed: patched version present. - #49
vite≤6.4.1 (moderate, GHSA-67mh-4wv8-2f99) — dev-only transitive viavitepress. Not shipped to npm consumers; not executed at runtime. Addeddependabot.ymlignore entry (suppresses future update PRs; alert remains open until upstreamvitepressreleases a patched version). - #48
esbuild≤0.24.2 (moderate, GHSA-67mh-4wv8-2f99) — dev-only transitive viavitepress→vite. Same rationale as #49. Addeddependabot.ymlignore entry (suppresses future update PRs; alert remains open until upstream can provide a patch). - #47
tmp≤0.2.3 (low, GHSA-52f5-9888-hmc6) — dev-only transitive via@anthropic-ai/mcpbbundler tool. Not shipped to npm consumers; only used locally to produce.mcpbrelease artifacts. Addeddependabot.ymlignore entry (suppresses future update PRs; alert remains open until@anthropic-ai/mcpbships a patched transitive).
- #45
- Added
.github/dependabot.yml— documents ignore entries foresbuild,vite, andtmpwith code-reference comments explaining why each is dev-only and unreachable at runtime.
- Tool annotations (
readOnlyHint/destructiveHint) on every entry inTOOL_DEFINITIONS. Read tools are flaggedreadOnlyHint: true;add_custom_ruleandremove_custom_ruleare flaggeddestructiveHint: true. README tool table gains a "Type" column documenting Read vs Write. (TEC-43) - Claude Code plugin manifest (TEC-35, #175) —
.claude-plugin/plugin.jsondeclares the plugin and wiresmcpServers.tech-debt-mcptonpx -y tech-debt-mcp@latest(no source bundling, tracks the published npm release)..claude-plugin/marketplace.jsonlets the repo double as its own marketplace, so users can run/plugin marketplace add PierreJanineh/TechDebtMCPthen/plugin install tech-debt-mcp@techdebtmcp. - MCPB bundle tooling (TEC-42, #182) —
mcpb/manifest.json+mcpb/icon.pngdescribe the server for Claude Desktop's one-click bundle installer. Newnpm run mcpb:packscript (driven byscripts/build-mcpb.mjs) stages a clean prod tree (npm ci --omit=dev --ignore-scripts) and producesmcpb/tech-debt-mcp-<version>.mcpb(3.9 MB packed). A Jest test (src/server/__tests__/mcpbManifest.test.ts) asserts the manifest's tool list and version stay in sync withTOOL_DEFINITIONSandpackage.json. - Docs site (TEC-38, #178) — VitePress site under
docs/site/deployed topierrejanineh.github.io/TechDebtMCPvia.github/workflows/docs.ymlon path-filtered pushes todevelop(triggers ondocs/site/**,src/server/tools.ts,scripts/gen-docs-tools.mjs, root docs,package.json,package-lock.json, and the workflow file itself). Tool reference (one page per MCP tool) is generated at build time byscripts/gen-docs-tools.mjsdirectly fromTOOL_DEFINITIONS, withreadOnlyHint/destructiveHintannotations rendered as badges.ARCHITECTURE.md,ROADMAP.md, andCHANGELOG.mdare mirrored into the site at build time so the canonical sources stay authoritative. Authored landing page, install paths (npx, Claude Desktop config, Claude Code plugin, MCPB bundle), language coverage matrix, custom rules guide, and security model page. README gains a "Documentation" badge.
2.0.2 - 2026-04-10
- Test coverage trace for v2.0.2 security fixes: All six security-hardening checklist items are verified by existing tests shipped alongside the individual security PRs. Coverage as of this entry (all files ≥ 80% statement; branch coverage ≥ 80% except
dependencyHandlers.tsat 74%):inputParser.ts99%/99%,resourceHandlers.ts100%/96%,configValidator.ts94%/92%,customRulesEngine.ts96%/85%,regexUtils.ts100%/100%,dependencyHandlers.ts95%/74%. Bullet-by-bullet trace:- Path validation rejects relative paths /
../traversal —src/server/__tests__/inputParser.test.tslines 396–483 (path validationdescribe block);src/server/__tests__/configValidator.test.tslines 53–59;src/server/__tests__/dependencyHandlers.test.tslines 79–99. - Resource handler path validation —
src/server/__tests__/resourceHandlers.test.tslines 348–404 (should reject a relative projectPath,should normalize a path with .. sequencescases for both summary and issues resources). - Regex flag allowlist rejects invalid flags —
src/core/__tests__/customRulesEngine.test.tslines 262–396 (rejects flags containing disallowed characters,accepts all valid flag characters,rejects combined u and v flags,strips disallowed flag characters at execution time). - Pattern length cap enforced —
src/core/__tests__/customRulesEngine.test.tslines 235–260 (rejects pattern whose length exceeds MAX_PATTERN_LENGTH,accepts pattern exactly at the MAX_PATTERN_LENGTH-character limit) and lines 415–433 (skips over-length patterns at execution time and invokes onRuleError). escapeRegExp()helper works correctly —src/utils/__tests__/regexUtils.test.tslines 1–52 (all five test cases covering no-metacharacter pass-through, individual metacharacter escaping, multi-metacharacter strings, safenew RegExp()construction, and literal-match semantics).- Error messages use relative paths / no absolute-path leakage —
src/server/__tests__/configValidator.test.tslines 62–134 (should not leak absolute path in ...assertions);src/server/__tests__/dependencyHandlers.test.tslines 88–93;src/server/__tests__/handlers.test.tslines 122–213 (path sanitization — no absolute paths in outputdescribe block, 4 assertions forget_debt_summaryandget_sqale_metrics).
- Path validation rejects relative paths /
- Dependency bumps to resolve reachable and unreachable Dependabot alerts ahead of v2.0.2:
glob^10.3.10→^13.0.6,ignore^5.3.0→^7.0.5,toml^3.0.0→^4.1.1. All runtime vulnerabilities flagged on the previous lockfile state no longer appear innpm audit. Remaining Dependabot alerts (handlebars viats-jest, hono/express/path-to-regexp via@modelcontextprotocol/sdkHTTP transport) are dev-only or unreachable code paths — TechDebtMCP uses stdio transport and does not ship dev dependencies to npm consumers. - Dropped Node 18 support —
toml@4.1.1(runtime dependency) requires Node >=20;engines.nodebumped from>=18.0.0to>=20.0.0. Node 18 reached EOL April 2025. CI matrix updated to[20.x, 22.x]. Subsequently bumped further to>=20.19.0to satisfy ESLint 10.2.0's declared engine requirement (^20.19.0 || ^22.13.0 || >=24).
-
.techdebtrc.json— AddedruleExclusionsforconsole-log(MCP stdio transport calls inindex.ts,setup.ts),type-assertion(idiomaticas const/as Recordpatterns in parsers and server modules),line-length(tools.tsMCP schema strings), andnesting-depth(inherentcheckPatternchains in all language analyzers and dependency parsers); addedjest.config.jsto theignorelist to suppress config file nesting noise (#147) -
README.md — Restructured for scannability: added stat line, grouped tools table with collapsible parameter reference, Resources table, collapsed SwiftUI section, merged Custom Rules into Configuration
-
ARCHITECTURE.md — Fixed project structure tree (added
inputParser.ts,argValidation.ts,swiftUiChecks.ts,swiftUiChecksPhase2.ts), removed phantomsrc/services/directory, updated test count (597), fixed file size table, marked resolved debt items -
CLAUDE.md — Deduplicated Git and Code Quality sections (reference
.claude/rules/), updated resource recipe, added Security section -
.github/copilot-instructions.md — Added Security Review and Testing Review sections, updated architecture tree, aligned file length threshold (500)
-
ROADMAP.md — Added v2.0.2 security patch section with issues #124-131
-
CONTRIBUTING.md — Updated metrics to March 2026 scan, marked resolved refactoring targets
-
GITHUB_PACKAGES.md — Clarified npm as primary distribution, removed incorrect
require()API example -
Extracted custom rules handlers from
handlers.tsintocustomRulesHandlers.tsto restorehandlers.tsto under 500 lines (#145) -
Reduced nesting in
customRulesEngine.validatePatternto ≤4 levels via extractedvalidatePatternRegexhelper (#146) -
Reduced nesting in core engines (
analysisEngine,customRulesEngine) to ≤4 levels (#118) -
Reduced nesting in server modules to ≤4 levels (#119)
-
Reduced nesting depth in 10 dependency parsers (#88)
-
Reduced
csharpAnalyzer.tsnesting from 7 to ≤4 levels (#113) -
Reduced
cppParser.parseVcpkgJsonnesting from 5 to ≤4 levels viamakeVcpkgDep()helper (#131) -
Split
swiftAnalyzer.tsinto companion modules (swiftUiChecks.ts,swiftUiChecksPhase2.ts) (#121) -
Replaced
<any>generics and suppressed non-null-assertion false positives (#112) -
Replaced type assertions in
handlers.tswith typed input parsers (#110) -
Replaced type assertions in
configValidator.tsanddependencyHandlers.tswith type guards (#106) -
Replaced type assertions in
resourceHandlers.tswith type guards (#107)
- Security: captured strings interpolated into
new RegExp()inswiftUiChecks.tsare now escaped viaescapeRegExp()from the newsrc/utils/regexUtils.tshelper, preventing regex injection and unintended matching (#128) - Regex flag allowlist in
customRulesEngine.tsnow includes thev(unicodeSets) flag introduced in Node.js 20 (V8 11.0); added mutual-exclusion validation that rejects patterns supplying bothuandvflags simultaneously (#140) optionalAbsolutePathininputParser.tsnow returnsundefinedfor empty string""instead of throwing a confusingmust be an absolute patherror; empty string is treated the same as an absent field (#137)execute_custom_rulesschema intools.tsnow declaresminLength: 1onpathandminLength: 1/maxLength: MAX_CODE_LENGTHoncodeto surface the empty-string rejection and 500,000-character cap in the schema.parseExecuteCustomRulesInputalso rejects empty-stringcodewith a targetedInvalidParamserror before the max-length checkhandleAnalyzeFile(inhandlers.ts) andhandleExecuteCustomRules(incustomRulesHandlers.ts) replaced thefileExists()pre-check with a singlegetFileStats()+isFile()guard, eliminating the TOCTOU race betweenaccess()andstat(), rejecting directories, devices, FIFOs, and sockets with a clearInvalidParamserror beforereadFile()is called, and surfacing accurate "Path not found or not accessible" messages for bothENOENTandEACCEScases without leaking absolute paths- Security:
handleValidateConfig(inconfigValidator.ts) replaced the doublefileExists()/stat()/fileExists()check-then-use chain with a singlegetFileStats()call and ENOENT-on-open handling, eliminating the same TOCTOU window the CodeQLjs/file-system-racerule flagged (#164).isFile()guards non-directory inputs so devices/FIFOs/sockets are rejected beforereadFile()is called - Dependencies: bumped transitive lockfile entries (
hono,path-to-regexp,express-rate-limit,ajv,yaml,qs,handlebars,picomatch,minimatch,brace-expansion) to their patched versions vianpm update, clearing all 29 open Dependabot advisories on the release branch. No direct dependencies changed — the SDK's transitive tree absorbed the fixes within existing semver ranges - npm-shrinkwrap.json — Removed to stop publishing lockfile to npm (#123)
- Replaced
console.warnwithconsole.errorfor MCP stdio compatibility (#100) - Eliminated analyzer false positives via
ruleExclusionsconfig mechanism (#78) - Replaced non-null assertions with destructured variables in
analysisEngine(#101) - Security: reduced absolute-path leakage in server-facing messages;
dependencyHandlers.tsusesbasename()in McpError messages (includingstat()error paths) and project-name report fields,configValidator.tsusesbasename()in user-facing messages and sanitizes rawfsReadFile/stat()error text, andfindPackageFilesusesgetRelativePath()for scan-error messages (#129) - Security: user-supplied regex patterns in
add_custom_ruleandvalidate_custom_patternare now validated for length (≤1 000 chars) and flag allowlist (dgimsuyonly); inlinecodeforexecute_custom_rulesis capped at 500 000 characters, preventing ReDoS attacks (#127) - Security:
projectPathextracted from URI template variables indebt://summaryanddebt://issuesresource handlers is now validated withisAbsolute()and normalized withresolve(), preventing path traversal attacks (#126) - Security:
pathparameters foranalyze_project,analyze_file,get_debt_summary,get_sqale_metrics,get_recommendations,get_issues_by_severity,get_issues_by_category, andexecute_custom_rulesare now validated withisAbsolute()and normalized withresolve()ininputParser.ts, preventing path traversal and relative-path attacks (#125)
- ESLint tooling —
eslint@^10+typescript-eslint@^8added todevDependencies, with a flateslint.config.mjsscoped tosrc/**/*.ts(tests, configs, anddist/ignored). Newtypechecknpm script (tsc --noEmit) and the existinglintscript now actually runs. CItest.ymlupgraded to treatnpm run lintas a blocking check (no more--if-present/continue-on-error), usenpm ci --ignore-scriptsto skip thepreparedouble-compile, and callnpm run typecheckinstead ofnpx tsc --noEmit. Workflows now also trigger on PRs torelease/**.CLAUDE.mdgains a canonical Build & Test Commands cheat sheet so agents stop probing for tools. Partially addresses #165 (cppAnalyzer.ts:212/228dead assignments fixed here) and closes #166 via source fixes for the flagged unused-variable warnings. The remaining #165 item —pipParser.parseDependencyStringdeadnamevariable — is closed in PR #171 alongside the back-merge. (PR #168) - CodeQL security scanning workflow (
.github/workflows/codeql.yml) — runs SAST on every push todevelop/main, every PR todevelop/main, and weekly on Mondays at 03:00 UTC; usessecurity-and-qualityqueries for deeper coverage (#124) cppParservcpkg.json tests for empty dependencies array, missingdependencieskey, and malformed JSON — completing coverage for allparseVcpkgJsonedge cases (#131)- CI workflow (
.github/workflows/docs-check.yml) warns on PRs withsrc/changes when none of the five required docs were touched; non-blocking, posts an actionable comment listing the required files and removes the comment automatically when docs are subsequently updated (#130) - Claude Code local hook (
.claude/hooks/pre-pr-docs-check.sh) warns beforegh pr createwhen docs were not updated alongsidesrc/changes; the hook lives in.claude/which is gitignored and therefore local-only, not distributed with the repo (#130) - Direct unit tests for
swiftUiChecksandswiftUiChecksPhase2modules - Unit tests for
inputParsermodule - Inline suppression comments for tech debt issues (#105)
- Regex precision improvements to eliminate 11 analyzer false positives (#102, #104)
2.0.1 - 2026-03-20
- MCP Resources (Phase 6) — Two passive resource templates for tech debt data access:
debt://summary/{+projectPath}— Health score, SQALE metrics, issue counts by severity/categorydebt://issues/{+projectPath}— Filterable issues list with severity, category, and limit query parameters
src/server/resourceHandlers.ts— New module usingMcpServer.registerResource()high-level API- 8 tests covering resource registration, reads, filters, limits, and error paths
- CLAUDE.md — Consolidated as single source of truth for coding conventions; added MCP resource recipe, design spec pointer, documentation maintenance checklist
- ARCHITECTURE.md — Updated MCP Server section to reflect
src/server/module split, fixed tool count (16), addedresourceHandlers.ts, updated dependency graph - README.md — Added MCP Resources section with usage documentation
- ROADMAP.md — Phase 6 marked complete, Phase 3/4 enriched with issue numbers, branch names, and acceptance criteria
- .github/copilot-instructions.md — Trimmed to Copilot-specific PR review workflow, references CLAUDE.md for conventions
2.0.0 - 2026-03-09
- CODE_OF_CONDUCT.md - Added Contributor Covenant v2.1 based Code of Conduct
- Establishes community standards and expectations
- Defines enforcement guidelines
- Improves Snyk community health score
- .techdebtrc.json - Project-specific tech debt configuration file
- File size limits (max 500 lines)
- Complexity limits (max nesting depth 4)
- Custom patterns for nullish coalescing and non-null assertions
- Test file exclusions to prevent false positives
- TECH_DEBT_SCAN.md - Complete self-scan analysis with before/after comparison
- Shows impact of .techdebtrc.json configuration
- Documents reduction from 101 to 81 issues (-19.8%)
- Identifies false positives vs. real technical debt
- Provides actionable roadmap for continuous improvement
- check_dependencies MCP tool (Phase 2 - Dependency Analysis)
- Scans project for package manifests across multiple ecosystems
- Validates that the provided path is a directory (rejects file paths)
- Returns a structured dependency report with production vs development dependencies
- Includes failed-parse reporting and filesystem scan error surfacing
- Filters empty manifest sections from reports (e.g., dev-only with
includeDev=false) - Parsers for npm, pip, Maven/Gradle, Cargo, Go Modules, Composer, Bundler, NuGet, C/C++, and Swift Package Manager added under
src/analyzers/dependencies/
- validate_config MCP tool (Phase 2 - Config Validation)
- Validates
.techdebtrc.jsonsyntax and schema - Checks
ignore,include,rules,severity,languageOverrides, andcustomPatternsfields - Guards against non-object top-level values (null, array, primitives)
- Reuses
CustomRulesEngine.validatePattern()for custom pattern validation - Returns detailed errors and warnings with actionable messages
- Validates
- get_vulnerability_report MCP tool (Phase 2 - Offline Vulnerability Inventory)
- Generates an offline dependency inventory for vulnerability review
- Validates that the provided path is a directory
- Lists all dependencies by ecosystem in tabular format
- Filters empty manifest sections and surfaces filesystem scan errors
- Offline-first; online CVE lookup planned for Phase 2b (OSV API)
- Accepts
includeDevflag (default: false) to focus on production dependencies
- src/index.ts refactored — split 883-line monolith into focused modules:
src/server/setup.ts— server instantiation and transport wiringsrc/server/handlers.ts— all MCP tool request handlerssrc/server/tools.ts— centralizedTOOL_DEFINITIONSarraysrc/server/formatters.ts— output formatting helperssrc/index.tsnow an 18-line entry point only
- README.md - Added Code Quality section with updated SQALE rating
- Self-scan results (A rating, 2.9% debt ratio, down from 3.4%)
- Link to TECH_DEBT_SCAN.md with before/after comparison
- Configuration impact metrics (81 issues vs. 101 before)
- Link to CODE_OF_CONDUCT.md in Contributing section
- Added SQALE rating badge to header
- CONTRIBUTING.md - Added Tech Debt Compliance section
- Updated metrics (2.9% debt ratio)
- File size and complexity limits
- Code quality rules enforcement
- Known refactoring targets with specific line numbers
- Configuration impact before/after comparison
- ARCHITECTURE.md - Added Code Quality Standards section
- Current project health metrics (2.9% debt ratio)
- File size and complexity limits table
- Known technical debt items with priorities and line numbers
- Self-scan strategy with measured configuration impact
- Before/after comparison showing improvement
- Regular health checks documentation
- .github/copilot-instructions.md - Added Tech Debt Refactoring Rules
- Current SQALE rating and debt ratio (2.9%)
- File size and complexity limits
- Refactoring priorities with specific targets
- Code quality rules enforcement
- Pre/post refactoring checklist
- Comprehensive self-scan using tech-debt-mcp tool (2 scans: with/without config)
- Measured impact of .techdebtrc.json: -20 issues (-19.8%), -10 hours (-14.3%) remediation
- Identified 1 real high-priority issue (C# analyzer nesting at line 267)
- Identified 13 false positives (analyzer pattern definitions)
- Documented specific refactoring targets (src/index.ts: 883 lines, csharpAnalyzer.ts:267)
- Established quality baselines and targets with measurable goals
- Created configuration to prevent false positives in self-scanning
- All documentation now cross-references TECH_DEBT_SCAN.md for transparency
- SQALE Rating: A ⭐⭐⭐⭐⭐ (2.9% debt ratio, improved from 3.4%)
- Total Issues: 81 (down from 101)
- Remediation Time: 60 hours (down from 70 hours)
- Improvement: -20 false positives, -10 hours remediation time
- Files Analyzed: 25 (down from 33, test files excluded)
- Critical Issues: 0
- High Issues: 14 (13 are false positives in analyzer patterns)
- Improved Snyk package health score with Code of Conduct
- Better contributor onboarding with comprehensive guidelines
- Transparent quality metrics showing "we practice what we preach"
1.1.0 - 2026-02-07
-
14 comprehensive SwiftUI checks across 2 phases
-
Phase 1 - Core SwiftUI Checks (9 checks):
- Excessive @State variables detection (>5 per view)
- @ObservedObject initialization misuse detection
- @Environment value force unwrap detection
- Combine pipeline circular reference detection ([weak self] validation)
- Missing Timer cleanup in onDisappear
- Missing Task cancellation in async operations
- UI updates on background threads detection
- Dynamic list missing .id() modifiers
- Expensive calculations in view body
-
Phase 2 - Advanced SwiftUI Patterns (5 checks):
- AnyView type erasure detection
- Deprecated NavigationLink patterns
- GeometryReader root-level misuse
- Retain cycles in SwiftUI closures
- Deep view nesting detection (>6 levels)
- Published to both npm Registry and GitHub Packages
- Comprehensive installation documentation (GITHUB_PACKAGES.md)
- Automated CI/CD publishing workflow
- 96 tests passing (100% of SwiftUI implementation)
- 22 todo tests for Phase 3 enhancements
- Performance optimization: content split once per file analysis
- Issue IDs include filePath for global uniqueness
- All Copilot review suggestions addressed
- Updated README.md with multiple installation options (npm, GitHub Packages, source)
- Enhanced publish.yml workflow to publish to both registries
- Improved SwiftUI analyzer with per-view @State counting
- Better Environment validation with force unwrap detection at usage sites
- Timer cleanup detection bug (lines.indexOf issue)
- Environment validation now detects actual usage patterns
- Task cancellation guidance clarified (@MainActor ≠ cancellation)
- Removed duplicate method implementations in SwiftAnalyzer
- execute_custom_rules schema - Removed unsupported anyOf constraint (Thanks @ophirbucai - PR #63)
- Added GITHUB_PACKAGES.md - Comprehensive installation and setup guide
- Updated .github/copilot-instructions.md with strict documentation requirements
- Enhanced PR workflow with mandatory documentation checklist
- IDE Installation Badges - One-click install for VS Code, Cursor, Claude, Windsurf, JetBrains, Xcode (Thanks @ophirbucai - PR #66)
- Documentation Accuracy - Fixed tool count (13 tools), test count (96 passing + 22 todo), and branch references throughout all docs
1.0.0 - 2026-02-07
- Support for 14 programming languages: JavaScript, TypeScript, Python, Java, Swift, Kotlin, Objective-C, C++, C, C#, Go, Rust, Ruby, PHP
- BaseAnalyzer with factory pattern for extensibility
- Language-specific tech debt detection patterns
- Comprehensive test coverage for all analyzers
- SQALE Engine with A-E rating system
- Remediation time calculations
- Debt ratio metrics (percentage of development time)
- Category and severity breakdowns
- Human-readable time formatting
- NEW:
get_sqale_metricsMCP tool for dedicated SQALE reporting - NEW: SQALE metrics integrated into all analysis reports
- CustomRulesEngine for pattern-based checks
- 5 MCP tools for rule management:
add_custom_rule- Add custom pattern rulesremove_custom_rule- Remove rules by IDlist_custom_rules- Show all active rulesexecute_custom_rules- Run rules against codevalidate_custom_pattern- Validate patterns
- Regex support with configurable flags
- Language-specific rule filtering
- Multiple matches per line
- Cross-platform line ending support (\r\n and \n)
analyze_project- Full project technical debt analysisanalyze_file- Single file analysisget_debt_summary- Quick debt summaryget_sqale_metrics- SQALE metrics with rating and remediation timelist_supported_languages- Show supported languagesget_recommendations- Prioritized suggestionsget_issues_by_severity- Filter issues by severityget_issues_by_category- Filter issues by categoryadd_custom_rule- Add custom pattern rulesremove_custom_rule- Remove custom ruleslist_custom_rules- List all custom rulesexecute_custom_rules- Execute custom rulesvalidate_custom_pattern- Validate custom patterns
- Comprehensive README with installation and usage instructions
- ARCHITECTURE.md describing system design and patterns
- CONTRIBUTING.md with contribution guidelines
- AI agent instructions for Copilot
- Full API documentation for all MCP tools
- 96 comprehensive tests across 8 test suites (22 todo for future enhancements)
- 100% test pass rate
- Tests for all language analyzers
- Tests for SQALE engine
- Tests for custom rules engine