Built-in Checks
Built-in checks run entirely in Node.js with no external tools required. All are enabled by default and work on any project.
Code Size & Complexity
| Check | What it detects | Default thresholds |
|---|---|---|
| Line Count | Source files that are too long | warn ≥ 300, fail ≥ 500 lines |
| Function Length | Functions / methods that are too long | warn ≥ 40, fail ≥ 80 lines |
| Cyclomatic Complexity | Functions with too many branches | warn ≥ 10, fail ≥ 20 |
| File Size | Files exceeding size limits | warn ≥ 50 KB, fail ≥ 200 KB |
| Long Lines | Lines exceeding column width | warn if >5% of lines over 120 chars |
| Import Depth | Deep ../../../ import chains | warn ≥ 4, fail ≥ 6 levels |
| Directory Depth | Folder nesting too deep | warn ≥ 7, fail ≥ 10 levels |
| Dependency Count | Too many direct dependencies | warn ≥ 50, fail ≥ 100 |
Code Quality & Maintainability
| Check | What it detects |
|---|---|
| TODO Count | TODO, FIXME, HACK, BUG, XXX, NOSONAR markers in comments |
| Commented Code | Blocks of source code that have been commented out |
| Duplicate Files | Exact binary-identical files with different names |
| Test Ratio | Ratio of test files to source files — warns when tests are sparse |
| Mixed Indent | Files mixing tabs and spaces inconsistently |
| Encoding | Non-UTF-8 files that cause cross-platform issues |
| Debug Leaks | console.log, print(), debugger, var_dump(), dd() in production code |
| Secret Leaks | Hardcoded API keys, tokens, passwords, private keys |
| Gitignore Check | Files tracked by git that match .gitignore patterns |
| Magic Numbers | Hardcoded numeric literals that should be named constants |
| Parameter Count | Functions / methods with too many parameters |
| Barrel Files | Oversized index.ts/js re-export files that hurt tree-shaking and build times |
Architecture & Design
| Check | What it detects |
|---|---|
| Coupling Metrics | High afferent/efferent coupling; flags “god files” and architecturally unstable modules |
| Cross-Layer Imports | Forbidden import directions (e.g. UI components importing Prisma; API routes importing React) |
| Component Inventory | Similar UI components/hooks grouped by pattern — suggests consolidation opportunities |
| Heavy Imports | Full-package imports of large libraries (lodash, moment, @mui/material) that block tree-shaking |
Type Safety & Documentation
| Check | What it detects |
|---|---|
| Any Coverage | TypeScript any usage — counts explicit annotations, casts (as any), generics |
| JSDoc Coverage | Percentage of exported functions, classes, and interfaces with JSDoc comments |
Test Quality
| Check | What it detects |
|---|---|
| Test Ratio | Test-to-source file ratio |
| Empty Tests | it() / test() / def test_ / #[test] blocks with no assertions |
| LCOV Coverage | Reads existing lcov.info or coverage-summary.json — reports line, branch, function % without running tests |
CI/CD Security
| Check | What it detects |
|---|---|
| GitHub Actions Audit | Unpinned actions, pull_request_target misuse, ${{ }} injection, hardcoded secrets in workflow files |
Configuring Thresholds
Every built-in check supports enabled, and most support warnAt/failAt thresholds:
"devManager.quality.builtin.lineCount.enabled": true,"devManager.quality.builtin.lineCount.warnLines": 300,"devManager.quality.builtin.lineCount.failLines": 500,
"devManager.quality.builtin.functionLength.warnLines": 40,"devManager.quality.builtin.functionLength.failLines": 80,
"devManager.quality.builtin.complexity.warnScore": 10,"devManager.quality.builtin.complexity.failScore": 20,
"devManager.quality.builtin.parameterCount.warnAt": 4,"devManager.quality.builtin.parameterCount.failAt": 7,
"devManager.quality.builtin.dependencyCount.warnAt": 50,"devManager.quality.builtin.dependencyCount.failAt": 100To disable a check entirely:
"devManager.quality.builtin.magicNumbers.enabled": false