
Built-in Checks

Built-in checks run under devManager.quality.builtin.*. Most use pure Node.js (filesystem + regex) with no extra install; a few call npx or an external CLI when present — those skip gracefully when the tool is absent. All checks are enabled by default.

CLI-based checks (Semgrep, Trivy, Bandit, etc.) have their own page: CLI Tool Checks →.


Dev Environment

Docker Compose

Runs docker compose ps (or docker-compose ps) and checks that every service defined in the Compose file is in running state. Fails when a service is stopped, restarting, or exited.

| Setting | Default |
|---|---|
| devManager.quality.builtin.dockerComposePs.enabled | true |

Port Collisions

Scans package.json scripts, VS Code launch configs, Compose files, and .env* for port numbers. Warns when the same port appears more than once across different contexts.

| Setting | Default |
|---|---|
| devManager.quality.builtin.portCollisions.enabled | true |

Dev Server Health

Sends an HTTP GET to the configured health path on the dev server URL. Fails when the server returns a non-2xx status or does not respond within the timeout.

| Setting | Default |
|---|---|
| devManager.quality.builtin.devServerHealth.enabled | true |
| devManager.quality.builtin.devServerHealth.healthPath | "/" |
| devManager.quality.builtin.devServerHealth.timeoutMs | 2000 |

Dev Server Logs

Scans dev server log files for lines matching the error pattern. Warns when matching lines appear.

| Setting | Default |
|---|---|
| devManager.quality.builtin.devServerLogs.enabled | false |

Tasks Drift

Compares devManager.project.servers (defined scripts) with VS Code tasks.json and detects missing or stale task definitions.

| Setting | Default |
|---|---|
| devManager.quality.builtin.tasksDrift.enabled | true |

Linters & Formatters

ESLint

Runs your project’s ESLint config (eslint.config.js, .eslintrc.*) and surfaces code-quality and style violations. Skips when no ESLint config is found.

| Setting | Default |
|---|---|
| devManager.quality.builtin.eslint.enabled | true |
| devManager.quality.builtin.eslint.maxWarnings | 0 |
| devManager.quality.builtin.eslint.path | "" (auto) |

Biome

Runs biome check when biome.json (or biome.jsonc) is present. Covers linting, formatting, and import sorting in a single pass.

| Setting | Default |
|---|---|
| devManager.quality.builtin.biome.enabled | true |
| devManager.quality.builtin.biome.path | "" (auto) |

OXLint

Runs the ultra-fast Oxc linter when configured for the repo (.oxlintrc.json or oxlint in package.json scripts). Up to 100× faster than ESLint.

| Setting | Default |
|---|---|
| devManager.quality.builtin.oxlint.enabled | true |
| devManager.quality.builtin.oxlint.path | "" (auto) |

Prettier

Runs prettier --check on all source files. Fails when any file differs from the Prettier-formatted version. Skips when no Prettier config is found.

| Setting | Default |
|---|---|
| devManager.quality.builtin.prettierCheck.enabled | true |
| devManager.quality.builtin.prettierCheck.path | "" (auto) |

Stylelint

Runs Stylelint on CSS, SCSS, and Less files using your project config. Skips when no Stylelint config is found.

| Setting | Default |
|---|---|
| devManager.quality.builtin.stylelint.enabled | true |
| devManager.quality.builtin.stylelint.path | "" (auto) |

TypeScript & JavaScript

Floating Promises

Detects Promise-returning calls that are neither await-ed nor returned nor explicitly handled with .then()/.catch(). A floating promise silently swallows errors.

| Setting | Default |
|---|---|
| devManager.quality.builtin.floatingPromises.enabled | true |

Async/Await Misuse

Detects async callbacks passed to Array.forEach(), .then() without a corresponding .catch(), and discarded Promise.all() / Promise.race() results.

| Setting | Default |
|---|---|
| devManager.quality.builtin.asyncAwaitMisuse.enabled | true |

Error Handling

Detects empty catch {} blocks, catch (e) {} that ignores the error, Python except: pass, and Ruby rescue with no body.

| Setting | Default |
|---|---|
| devManager.quality.builtin.errorHandling.enabled | true |

Return Types

Reports TypeScript functions and methods that lack explicit return type annotations. Configurable warn/fail thresholds.

| Setting | Default |
|---|---|
| devManager.quality.builtin.returnTypes.enabled | true |
| devManager.quality.builtin.returnTypes.warnAt | 10 |
| devManager.quality.builtin.returnTypes.failAt | 50 |

Missing Return Types

Alias check — same purpose as Return Types above but with a different default scope. Reports exported TypeScript functions/methods without explicit return type annotations.

| Setting | Default |
|---|---|
| devManager.quality.builtin.missingReturnTypes.enabled | true |

React Hooks Deps

Checks useEffect, useCallback, useMemo, and useLayoutEffect for missing or extraneous dependency array items. Only runs when react is in package.json.

| Setting | Default |
|---|---|
| devManager.quality.builtin.reactHooksDeps.enabled | true |

React Hook Rules

Detects useEffect / useCallback / useMemo calls that are missing a dependency array entirely (second argument omitted).

| Setting | Default |
|---|---|
| devManager.quality.builtin.reactHookRules.enabled | true |

Dangerous Patterns

Flags inherently dangerous code: eval(), new Function(), innerHTML = assignment, document.write(), and dangerouslySetInnerHTML.

| Setting | Default |
|---|---|
| devManager.quality.builtin.dangerousPatterns.enabled | true |

Insecure HTTP

Flags plain http:// URLs in source files that should be https://. Ignores localhost, test fixtures, and comment-only lines.

| Setting | Default |
|---|---|
| devManager.quality.builtin.insecureHttp.enabled | true |

Import Hygiene

Checks for wildcard import * as usage, inconsistent file extension patterns, and self-imports (import './index' from index.ts).

| Setting | Default |
|---|---|
| devManager.quality.builtin.importHygiene.enabled | true |

Import Cost

Estimates the minified+gzipped size each import adds to the bundle and warns when an individual import exceeds the threshold.

| Setting | Default |
|---|---|
| devManager.quality.builtin.importCost.enabled | true |
| devManager.quality.builtin.importCost.warnKb | 50 |
| devManager.quality.builtin.importCost.failKb | 200 |

No Focused Tests

Warns when .only(), fit(), fdescribe(), or test.only() focus modifiers are found in committed test files. Also runs as a live diagnostic on-save.

| Setting | Default |
|---|---|
| devManager.quality.builtin.noFocusedTests.enabled | true |
| devManager.quality.builtin.noFocusedTests.realtime | true |
| devManager.quality.builtin.noFocusedTests.precommit | false |

tsconfig Sanity

Audits tsconfig.json for missing strict-mode flags (strict, noImplicitAny, strictNullChecks) and important compiler options.

| Setting | Default |
|---|---|
| devManager.quality.builtin.tsconfigSanity.enabled | true |

React & Next.js

Accessibility

Checks JSX, TSX, HTML, Vue, and Svelte files for common accessibility issues: missing alt text on images, empty decorative alt, unlabelled <input>, <button>, and <a> elements.

| Setting | Default |
|---|---|
| devManager.quality.builtin.a11y.enabled | true |

Tailwind Classes

Detects conflicting or duplicate Tailwind CSS utility classes on the same element (e.g. text-sm text-base).

| Setting | Default |
|---|---|
| devManager.quality.builtin.tailwindClasses.enabled | true |

Next.js Boundary

Flags 'use client' modules that import from server-only or use Node.js-only APIs. Only runs when next is in package.json.

| Setting | Default |
|---|---|
| devManager.quality.builtin.nextjsBoundary.enabled | true |

Architecture & Imports

Circular Imports

Detects import cycles in JavaScript/TypeScript projects using dependency-cruiser when available, falling back to a built-in DFS traversal.

| Setting | Default |
|---|---|
| devManager.quality.builtin.circularImports.enabled | true |

Barrel Files

Flags oversized index.ts/js re-export files. Large barrel files force bundlers to include the entire barrel, blocking tree-shaking.

| Setting | Default |
|---|---|
| devManager.quality.builtin.barrelFiles.enabled | true |
| devManager.quality.builtin.barrelFiles.warnAt | 20 |
| devManager.quality.builtin.barrelFiles.failAt | 50 |

Coupling Metrics

Measures afferent (incoming) and efferent (outgoing) coupling for each module and flags architecturally unstable files (high instability ratio).

| Setting | Default |
|---|---|
| devManager.quality.builtin.couplingMetrics.enabled | true |
| devManager.quality.builtin.couplingMetrics.warnAt | 0.8 |

Cross-Layer Imports

Enforces the import allow-list declared in devManager.quality.builtin.projectStructure.layers. Detects forbidden import directions (e.g. ui → database, commands → api).

| Setting | Default |
|---|---|
| devManager.quality.builtin.crossLayerImports.enabled | true |

Component Inventory

Groups similar UI components and hooks by name pattern to surface consolidation opportunities (e.g. five different Button variants).

| Setting | Default |
|---|---|
| devManager.quality.builtin.componentInventory.enabled | true |

Heavy Imports

Detects full-package imports of large libraries that block tree-shaking (import _ from 'lodash', import moment from 'moment'). Suggests named or subpath imports.

| Setting | Default |
|---|---|
| devManager.quality.builtin.heavyImports.enabled | true |

Import Depth

Warns when relative import chains go deeper than the configured limit (e.g. ../../../../utils).

| Setting | Default |
|---|---|
| devManager.quality.builtin.importDepth.enabled | true |
| devManager.quality.builtin.importDepth.warnDepth | 4 |
| devManager.quality.builtin.importDepth.failDepth | 6 |

Code Size & Complexity

Line Count

Warns when source files exceed configurable line-count limits. Also runs as a live diagnostic on-save.

| Setting | Default |
|---|---|
| devManager.quality.builtin.lineCount.enabled | true |
| devManager.quality.builtin.lineCount.realtime | true |
| devManager.quality.builtin.lineCount.precommit | false |
| devManager.quality.builtin.lineCount.warnLines | 300 |
| devManager.quality.builtin.lineCount.failLines | 500 |

Function Length

Warns when functions or methods exceed configurable line-length limits.

| Setting | Default |
|---|---|
| devManager.quality.builtin.functionLength.enabled | true |
| devManager.quality.builtin.functionLength.warnLines | 40 |
| devManager.quality.builtin.functionLength.failLines | 80 |

Cyclomatic Complexity

Measures cyclomatic complexity per function (number of independent paths through the code) and warns when the score exceeds the limit.

| Setting | Default |
|---|---|
| devManager.quality.builtin.complexity.enabled | true |
| devManager.quality.builtin.complexity.warnScore | 10 |
| devManager.quality.builtin.complexity.failScore | 20 |

File Size

Flags source files that exceed configurable KB size limits. Also runs as a live diagnostic on-save.

| Setting | Default |
|---|---|
| devManager.quality.builtin.fileSize.enabled | true |
| devManager.quality.builtin.fileSize.realtime | true |
| devManager.quality.builtin.fileSize.precommit | false |
| devManager.quality.builtin.fileSize.warnKb | 50 |
| devManager.quality.builtin.fileSize.failKb | 200 |

Long Lines

Warns when too many lines in a file exceed the column width limit.

| Setting | Default |
|---|---|
| devManager.quality.builtin.longLines.enabled | true |
| devManager.quality.builtin.longLines.maxLength | 120 |
| devManager.quality.builtin.longLines.warnPct | 5 |

Directory Depth

Warns when folder nesting exceeds a configurable depth limit.

| Setting | Default |
|---|---|
| devManager.quality.builtin.directoryDepth.enabled | true |
| devManager.quality.builtin.directoryDepth.warnDepth | 7 |
| devManager.quality.builtin.directoryDepth.failDepth | 10 |

Dependency Count

Warns when a project accumulates too many direct dependencies (not devDependencies) in package.json.

| Setting | Default |
|---|---|
| devManager.quality.builtin.dependencyCount.enabled | true |
| devManager.quality.builtin.dependencyCount.warnAt | 50 |
| devManager.quality.builtin.dependencyCount.failAt | 100 |

Parameter Count

Warns when functions or methods declare too many parameters. High parameter counts often indicate a function doing too much — consider grouping arguments into an options object.

| Setting | Default |
|---|---|
| devManager.quality.builtin.parameterCount.enabled | true |
| devManager.quality.builtin.parameterCount.warnAt | 4 |
| devManager.quality.builtin.parameterCount.failAt | 7 |

Type Safety

TypeScript any Coverage

Counts TypeScript any usage: explicit : any annotations, casts (as any), and any in generics. Reports the count and the percentage of typed declarations.

| Setting | Default |
|---|---|
| devManager.quality.builtin.anyCoverage.enabled | true |
| devManager.quality.builtin.anyCoverage.warnAt | 10 |
| devManager.quality.builtin.anyCoverage.failAt | 50 |

Type Coverage

Measures overall TypeScript type coverage using type-coverage CLI. Reports the percentage of typed nodes. Skips when type-coverage is not installed.

| Setting | Default |
|---|---|
| devManager.quality.builtin.typeCoverage.enabled | true |
| devManager.quality.builtin.typeCoverage.atLeast | 80 |

JSDoc Coverage

Measures JSDoc comment coverage for exported functions, classes, and interfaces.

| Setting | Default |
|---|---|
| devManager.quality.builtin.jsdocCoverage.enabled | true |
| devManager.quality.builtin.jsdocCoverage.warnAt | 50 |
| devManager.quality.builtin.jsdocCoverage.failAt | 20 |

Type Safety

Detects TypeScript type-escape hatches: as any, @ts-ignore, @ts-expect-error, and similar suppression patterns that weaken static guarantees.

| Setting | Default |
|---|---|
| devManager.quality.builtin.typeSafety.enabled | true |

Non-null Assertions

Warns on overuse of the postfix non-null assertion operator !. Frequent ! usage signals places where actual null guards would be safer.

| Setting | Default |
|---|---|
| devManager.quality.builtin.nonNullAssertions.enabled | true |
| devManager.quality.builtin.nonNullAssertions.warnAt | 10 |

tsconfig Audit

Audits tsconfig.json strictness settings and important compiler flags: strict, noImplicitAny, strictNullChecks, noUncheckedIndexedAccess, exactOptionalPropertyTypes. Suggests enabling flags that improve safety.

| Setting | Default |
|---|---|
| devManager.quality.builtin.tsConfig.enabled | true |

Enum Usage

Flags TypeScript enum declarations that would be safer as const objects or string union types. TypeScript enums have surprising runtime behaviour and emit extra code.

| Setting | Default |
|---|---|
| devManager.quality.builtin.enumUsage.enabled | true |

Broad Types

Detects over-broad TypeScript types that defeat the type system: Record<K, any>, Array<any>, loose object, and bare Function as a parameter or return type.

| Setting | Default |
|---|---|
| devManager.quality.builtin.broadTypes.enabled | true |

Zod Consistency

Detects drift between Zod schemas and the TypeScript types they are supposed to validate. Flags duplicated shape definitions where z.infer<> could be used instead.

| Setting | Default |
|---|---|
| devManager.quality.builtin.zodConsistency.enabled | true |

Zod Any

Detects z.any() fields in Zod schemas. A z.any() field silently allows anything — including malformed input — to pass validation.

| Setting | Default |
|---|---|
| devManager.quality.builtin.zodAny.enabled | true |

ESLint Disable

Counts eslint-disable comments and file-level suppressions. A high count indicates systematic linting bypasses that should be reviewed. Also runs as a live diagnostic on-save.

| Setting | Default |
|---|---|
| devManager.quality.builtin.eslintDisable.enabled | true |
| devManager.quality.builtin.eslintDisable.realtime | true |
| devManager.quality.builtin.eslintDisable.precommit | false |
| devManager.quality.builtin.eslintDisable.warnAt | 5 |

N+1 Queries

Detects ORM / query patterns that suggest N+1 database round-trips: findOne / .find() calls inside loops, missing include/with clauses on nested relations (Prisma, Drizzle, Sequelize, TypeORM).

| Setting | Default |
|---|---|
| devManager.quality.builtin.nPlusOne.enabled | true |

Edge Runtime Compatibility

Detects Node.js-only APIs (fs, path, crypto, process.env via CJS require) in files that will run on edge / worker runtimes (Cloudflare Workers, Vercel Edge, Deno Deploy).

| Setting | Default |
|---|---|
| devManager.quality.builtin.edgeCompat.enabled | true |

use client Boundary

Flags Next.js 'use client' modules that import from server-only or use server-exclusive APIs (database clients, Prisma, Node.js fs/crypto). These imports cause runtime errors that are hard to debug.

| Setting | Default |
|---|---|
| devManager.quality.builtin.useClientBoundary.enabled | true |

Test Quality

Test Ratio

Measures the ratio of test files to source files. Warns when tests are sparse relative to the codebase size.

| Setting | Default |
|---|---|
| devManager.quality.builtin.testRatio.enabled | true |
| devManager.quality.builtin.testRatio.warnAt | 0.2 |

Empty Tests

Detects it(), test(), describe(), def test_, and #[test] blocks that contain no assertions.

| Setting | Default |
|---|---|
| devManager.quality.builtin.emptyTests.enabled | true |

Test Coverage Gaps

Identifies source files with low or no test coverage by scanning for corresponding test files. Does not execute tests — uses file-name heuristics.

| Setting | Default |
|---|---|
| devManager.quality.builtin.testCoverageGaps.enabled | false |
| devManager.quality.builtin.testCoverageGaps.untestedSampleLimit | 30 |

LCOV Coverage

Reads an existing lcov.info or coverage-summary.json (generated by your test runner) and reports line, branch, and function coverage percentages without re-running tests.

| Setting | Default |
|---|---|
| devManager.quality.builtin.lcovCoverage.enabled | true |
| devManager.quality.builtin.lcovCoverage.warnAt | 70 |
| devManager.quality.builtin.lcovCoverage.failAt | 50 |

Code Hygiene

TODO Count

Counts TODO, FIXME, HACK, BUG, XXX, and NOSONAR markers in code comments. Warns when the count exceeds the threshold.

| Setting | Default |
|---|---|
| devManager.quality.builtin.todoCount.enabled | true |
| devManager.quality.builtin.todoCount.warnAt | 20 |
| devManager.quality.builtin.todoCount.failAt | 50 |

Commented-Out Code

Detects large blocks of commented-out source code (multi-line // or /* */ blocks that look like real code rather than explanatory comments).

| Setting | Default |
|---|---|
| devManager.quality.builtin.commentedCode.enabled | true |

Duplicate Files

Detects binary-identical files (same SHA-256 content hash) with different names across the project.

| Setting | Default |
|---|---|
| devManager.quality.builtin.duplicateFiles.enabled | true |

Mixed Indent

Detects files that mix tabs and spaces inconsistently within the same file.

| Setting | Default |
|---|---|
| devManager.quality.builtin.mixedIndent.enabled | true |

Encoding

Detects source files that are not UTF-8 encoded. Non-UTF-8 files cause cross-platform issues and garbled output.

| Setting | Default |
|---|---|
| devManager.quality.builtin.encoding.enabled | true |

Magic Numbers

Detects hardcoded numeric literals that should be extracted into named constants. Ignores common values like 0, 1, -1.

| Setting | Default |
|---|---|
| devManager.quality.builtin.magicNumbers.enabled | true |
| devManager.quality.builtin.magicNumbers.warnAt | 10 |

Debug Leaks

Detects debug statements left in production source files: console.log, print(), debugger, var_dump(), and dd(). Ignores console.error/console.warn.

| Setting | Default |
|---|---|
| devManager.quality.builtin.debugLeaks.enabled | true |

Secret Leaks

Scans source files for patterns matching hardcoded API keys, tokens, passwords, and private keys. Uses entropy analysis and common secret patterns.

| Setting | Default |
|---|---|
| devManager.quality.builtin.secretLeaks.enabled | true |

Gitignore Check

Detects files that are tracked by git but match patterns in .gitignore. These files should be untracked or the .gitignore pattern should be removed.

| Setting | Default |
|---|---|
| devManager.quality.builtin.gitignoreCheck.enabled | true |

Merge Conflict Markers

Detects unresolved git merge conflict markers (<<<<<<<, =======, >>>>>>>) left in source files. These must be resolved before committing. Live diagnostics highlight every marker on-type and on-save with error severity.

| Setting | Default |
|---|---|
| devManager.quality.builtin.mergeConflictMarker.enabled | true |
| devManager.quality.builtin.mergeConflictMarker.realtime | true |
| devManager.quality.builtin.mergeConflictMarker.precommit | false |

License Header

Verifies that source files (.ts, .tsx, .js, .jsx, .py, .go, .rs, etc.) contain a required license header pattern in the first 30 lines. Only activates when licenseHeader.pattern is configured. Set the pattern to a regex string such as SPDX-License-Identifier or your company copyright notice.

| Setting | Default |
|---|---|
| devManager.quality.builtin.licenseHeader.enabled | true |
| devManager.quality.builtin.licenseHeader.realtime | true |
| devManager.quality.builtin.licenseHeader.precommit | false |
| devManager.quality.builtin.licenseHeader.pattern | "" |
| devManager.quality.builtin.licenseHeader.warnThreshold | 1 |
| devManager.quality.builtin.licenseHeader.failThreshold | 10 |

Documentation & Prose

README Check

Checks that README.md exists, is not empty, and contains the required sections: Installation, Usage, Contributing, and License. Also runs as a live diagnostic on-save when a README file is open.

| Setting | Default |
|---|---|
| devManager.quality.builtin.readmeCheck.enabled | true |
| devManager.quality.builtin.readmeCheck.realtime | true |
| devManager.quality.builtin.readmeCheck.precommit | false |

Changelog Check

Validates that CHANGELOG.md follows the Keep a Changelog format: an ## [Unreleased] section, versioned headings, and standard subsections (Added, Changed, Fixed, etc.). Also runs as a live diagnostic on-save when a CHANGELOG file is open.

| Setting | Default |
|---|---|
| devManager.quality.builtin.changelogCheck.enabled | true |
| devManager.quality.builtin.changelogCheck.realtime | true |
| devManager.quality.builtin.changelogCheck.precommit | false |

CODEOWNERS Check

Validates .github/CODEOWNERS for correct file paths, valid GitHub usernames/teams, and a catch-all * rule. Also runs as a live diagnostic on-save when CODEOWNERS is open.

| Setting | Default |
|---|---|
| devManager.quality.builtin.codeownersCheck.enabled | true |
| devManager.quality.builtin.codeownersCheck.realtime | true |
| devManager.quality.builtin.codeownersCheck.precommit | false |

Vale

Runs the Vale prose linter for documentation style consistency. Requires vale in PATH and a .vale.ini config. See CLI Tool Checks → Vale.

i18n Keys

Checks that every translation key referenced in code exists in all configured locale files, and that no locale file contains orphaned keys that are no longer used.

| Setting | Default |
|---|---|
| devManager.quality.builtin.i18nKeys.enabled | true |

Alex

Runs alex to catch insensitive, inconsiderate, or exclusionary language in documentation and code comments. Requires alex in PATH or resolvable via npx.

| Setting | Default |
|---|---|
| devManager.quality.builtin.alex.enabled | true |

Lychee

Checks all hyperlinks in Markdown and HTML files for broken URLs (404, timeout, redirect loops). Requires lychee in PATH.

| Setting | Default |
|---|---|
| devManager.quality.builtin.lychee.enabled | true |

Project Configuration

.env Consistency

Compares .env and .env.example (or .env.sample). Warns when .env.example contains keys absent from .env (developer may be missing a required variable). Fails when .env contains keys absent from .env.example (undocumented secret).

| Setting | Default |
|---|---|
| devManager.quality.builtin.envConsistency.enabled | true |

.env Linter

Lints .env files for consistency issues: duplicate keys, missing values, invalid syntax, and values that look like secrets stored without quoting.

| Setting | Default |
|---|---|
| devManager.quality.builtin.dotenvLinter.enabled | true |

JSON Schema Validate

For JSON and YAML files that declare a $schema property, validates that the referenced schema URI is syntactically valid and, when pointing to a local file (relative path or file:// URI), that the schema file exists on disk. Detects typos in schema URIs and broken local references — no network requests, no external tools.

| Setting | Default |
|---|---|
| devManager.quality.builtin.jsonSchemaValidate.enabled | true |
| devManager.quality.builtin.jsonSchemaValidate.realtime | true |
| devManager.quality.builtin.jsonSchemaValidate.precommit | false |

Lockfile Sync

Detects when a lockfile is missing despite a manifest existing, or when the lockfile is older than the manifest by mtime. Covers npm, yarn, pnpm, Cargo, Go modules, Composer, and Poetry.

| Setting | Default |
|---|---|
| devManager.quality.builtin.lockfileSync.enabled | true |

Node Version Consistency

Detects Node.js version mismatches across .nvmrc, .node-version, .tool-versions, package.json engines.node, and Dockerfile FROM node: lines.

| Setting | Default |
|---|---|
| devManager.quality.builtin.nodeVersionConsistency.enabled | true |

Build Freshness

Warns when the build output directory (dist/, build/, out/) is older than source files, suggesting the project is running on a stale build.

| Setting | Default |
|---|---|
| devManager.quality.builtin.buildFreshness.enabled | true |

Monorepo Workspaces

Checks npm/pnpm/yarn workspace configurations for version drift between packages and missing peerDependencies.

| Setting | Default |
|---|---|
| devManager.quality.builtin.monorepoWorkspaces.enabled | true |

package.json Sanity

Validates package.json structure: required fields (name, version), valid scripts, common anti-patterns (missing engines, suspicious preinstall scripts), and malformed JSON.

| Setting | Default |
|---|---|
| devManager.quality.builtin.packageJsonSanity.enabled | true |

Dead Exports

Detects exported functions, types, and constants that are never imported anywhere in the project. Dead exports increase bundle size and confuse consumers.

| Setting | Default |
|---|---|
| devManager.quality.builtin.deadExports.enabled | false |

Stale Feature Flags

Detects feature-flag constants (booleans named IS_*_ENABLED, FEATURE_*, FLAG_*) that have been set to a permanent value for more than the configured number of days, suggesting the flag code-path should be cleaned up.

| Setting | Default |
|---|---|
| devManager.quality.builtin.staleFlags.enabled | false |

Bundle Budget

Checks that per-route or per-chunk JavaScript bundle sizes stay within configured budgets. Uses existing webpack stats or Vite manifests — does not re-build.

| Setting | Default |
|---|---|
| devManager.quality.builtin.bundleBudget.enabled | false |
| devManager.quality.builtin.bundleBudget.warnKb | 200 |
| devManager.quality.builtin.bundleBudget.failKb | 500 |

Architecture DSL

Validates a declarative architecture definition file (.arch.yaml / arch.json) that specifies layer boundaries and module ownership rules. Fails when the repo structure drifts from the declared architecture.

| Setting | Default |
|---|---|
| devManager.quality.builtin.archDsl.enabled | false |

Security

Trojan Source

Detects bidirectional Unicode control characters (RLO, LRO, RLI, LRI, PDI, BIDI) that can make malicious code appear benign to reviewers (CVE-2021-42574).

| Setting | Default |
|---|---|
| devManager.quality.builtin.trojanSource.enabled | true |
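The scan the Trojan Source check performs, written out as an added pure-Node.js example (not devManager's own code): it walks a file by code point, records every bidi control character with its line and column, and re-renders the affected line with the hidden characters made visible. The finding shape and the sample file are assumptions constructed for the example.

```javascript
// Added example (not devManager's own code): a pure-Node.js scan for the
// bidirectional Unicode control characters the Trojan Source check targets.
// The finding shape { file, line, col, codePoint, name } is an assumption.

// Bidi embedding, override and isolate controls (the CVE-2021-42574 set).
const BIDI_CONTROLS = new Map([
  [0x202a, "LRE"], [0x202b, "RLE"], [0x202c, "PDF"],
  [0x202d, "LRO"], [0x202e, "RLO"],
  [0x2066, "LRI"], [0x2067, "RLI"], [0x2068, "FSI"], [0x2069, "PDI"],
]);

// Scan one file's text and return every bidi control found, with a 1-based
// line and column. for...of walks code points, so columns are counted in
// characters rather than UTF-16 code units.
function findBidiControls(text, fileName = "<memory>") {
  const findings = [];
  let line = 1;
  let col = 1;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (BIDI_CONTROLS.has(cp)) {
      findings.push({ file: fileName, line, col, codePoint: cp, name: BIDI_CONTROLS.get(cp) });
    }
    if (ch === "\n") { line += 1; col = 1; } else { col += 1; }
  }
  return findings;
}

// Re-render one line with each control shown as <U+XXXX>, so a reviewer sees
// what the editor's bidi rendering hid.
function revealLine(text, lineNo) {
  const src = text.split("\n")[lineNo - 1] ?? "";
  return Array.from(src)
    .map((ch) => {
      const cp = ch.codePointAt(0);
      return BIDI_CONTROLS.has(cp)
        ? `<U+${cp.toString(16).toUpperCase().padStart(4, "0")}>`
        : ch;
    })
    .join("");
}

// Constructed sample file: an RLO inside a string literal and an LRI/PDI pair
// in a trailing comment. Nothing here comes from a real repository.
const SAMPLE_SOURCE = [
  "function greet(name) {",
  "  const suffix = \"abc\u202Ecba\"; // \u2066 trailing note \u2069",
  "  return name + suffix;",
  "}",
].join("\n");

function demo() {
  const findings = findBidiControls(SAMPLE_SOURCE, "greet.js");
  for (const f of findings) {
    const hex = f.codePoint.toString(16).toUpperCase();
    console.log(`${f.file}:${f.line}:${f.col} ${f.name} (U+${hex})`);
    console.log("  " + revealLine(SAMPLE_SOURCE, f.line));
  }
  return findings;
}

demo();
```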

Harden Runner Audit

Checks GitHub Actions workflows for missing StepSecurity Harden Runner steps, which prevent exfiltration and unexpected outbound network calls.

| Setting | Default |
|---|---|
| devManager.quality.builtin.hardenRunnerAudit.enabled | true |

SBOM

Generates (or checks for an existing) Software Bill of Materials for all project dependencies and validates it against the configured format (SPDX, CycloneDX).

| Setting | Default |
|---|---|
| devManager.quality.builtin.sbom.enabled | false |

CodeQL (Built-in)

Runs CodeQL queries locally for deep semantic vulnerability analysis. Requires the CodeQL CLI. For the cloud-based CodeQL integration see Cloud Quality Providers → CodeQL.

| Setting | Default |
|---|---|
| devManager.quality.builtin.codeql.enabled | false |

Accessibility Check

Runs an extended accessibility audit covering WCAG 2.1 AA rules: colour-contrast ratios, focus management, ARIA landmark roles, form labelling, and skip-link presence.

| Setting | Default |
|---|---|
| devManager.quality.builtin.a11yCheck.enabled | true |

GitHub Actions Audit

Audits all .github/workflows/*.yml files for security issues: unpinned action SHAs, pull_request_target abuse, template expression injection (${{ github.event.* }}), and hardcoded secrets.

| Setting | Default |
|---|---|
| devManager.quality.builtin.actionsAudit.enabled | true |
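Three of the workflow findings listed above, as an added line-based audit in Node.js (not devManager's own implementation): unpinned action refs, a pull_request_target trigger, and ${{ github.event.* }} expanded inside a run: script. The finding shape, rule names and the sample workflow (including its placeholder commit SHA) are assumptions; a production check would parse the YAML rather than scan lines.

```javascript
// Added example (not devManager's own code): a line-based audit of a GitHub
// Actions workflow. Finding shape { line, rule, message } is an assumption.

const SHA_PIN = /^[0-9a-f]{40}$/;
const USES_LINE = /^(?:-\s*)?uses:\s*([^\s#]+)/;
const RUN_LINE = /^(?:-\s*)?run:\s*(.*)$/;
const EVENT_EXPR = /\$\{\{\s*github\.event\./;
const INJECTION_MSG =
  "event data expanded inside run:; pass it through env: and quote the variable";

function auditWorkflow(yaml) {
  const findings = [];
  let runIndent = -1; // indentation of the run: key whose block scalar is open

  yaml.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    const lineNo = i + 1;
    if (line === "" || line.startsWith("#")) return;
    const indent = raw.length - raw.trimStart().length;

    // A block scalar ends when indentation returns to the run: key's level.
    if (runIndent >= 0 && indent <= runIndent) runIndent = -1;

    // Lines inside an open run: | block are shell script, so any event
    // expression here is interpolated straight into the command text.
    if (runIndent >= 0) {
      if (EVENT_EXPR.test(line)) {
        findings.push({ line: lineNo, rule: "expression-injection", message: INJECTION_MSG });
      }
      return;
    }

    if (/\bpull_request_target\b/.test(line)) {
      findings.push({
        line: lineNo,
        rule: "pull_request_target",
        message: "runs with the base repository's permissions on fork PRs; review what the job checks out and executes",
      });
    }

    const uses = USES_LINE.exec(line);
    if (uses && !uses[1].startsWith("./") && !uses[1].startsWith("docker://")) {
      const ref = uses[1].split("@")[1] ?? "";
      if (!SHA_PIN.test(ref)) {
        findings.push({
          line: lineNo,
          rule: "unpinned-action",
          message: `${uses[1]} is not pinned to a full commit SHA`,
        });
      }
    }

    const run = RUN_LINE.exec(line);
    if (run) {
      if (/^[|>][-+]?\s*$/.test(run[1])) {
        runIndent = indent; // deeper-indented lines that follow are the script
      } else if (EVENT_EXPR.test(run[1])) {
        findings.push({ line: lineNo, rule: "expression-injection", message: INJECTION_MSG });
      }
    }
  });
  return findings;
}

// Constructed sample workflow. The 40-hex ref is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = [
  "name: ci",
  "on:",
  "  pull_request_target:",
  "    types: [opened]",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567",
  "        with:",
  "          node-version: 20",
  "      - name: Greet",
  "        run: |",
  "          echo \"Title: ${{ github.event.pull_request.title }}\"",
  "          npm ci",
  "      - name: Safe",
  "        env:",
  "          TITLE: ${{ github.event.pull_request.title }}",
  "        run: echo \"$TITLE\"",
].join("\n");

for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line} [${f.rule}] ${f.message}`);
}
```

The "Safe" step shows the remediation the message asks for: the event value goes through env: and the script reads it as a quoted shell variable, which the audit does not flag.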

OpenSSF Scorecard

Runs the OpenSSF Scorecard to assess the project’s security posture across 18 dimensions: branch protection, CI tests, code review, dependency updates, etc. Requires scorecard CLI.

| Setting | Default |
|---|---|
| devManager.quality.builtin.scorecard.enabled | false |

Row Level Security

Checks PostgreSQL migration files for tables that are referenced in SELECT/INSERT/UPDATE/DELETE statements but have no ALTER TABLE ... ENABLE ROW LEVEL SECURITY or CREATE POLICY statement. Helps catch RLS gaps before they reach production.

| Setting | Default |
|---|---|
| devManager.quality.builtin.rlsCheck.enabled | true |
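The gap the Row Level Security check looks for, as an added regex-based example in Node.js (not devManager's own code): it collects tables referenced by DML in migration SQL and subtracts those covered by ENABLE ROW LEVEL SECURITY or CREATE POLICY. It goes one step beyond the description above by also reporting policies on tables where RLS was never enabled, since such a policy has no effect until it is. The result shape and the sample migration are assumptions constructed for the example.

```javascript
// Added example (not devManager's own code): a regex pass over migration SQL
// that reports DML-referenced tables with no RLS coverage. Output shape
// { referenced, unprotected, policyWithoutEnable } is an assumption.

// Optionally schema-qualified, optionally quoted identifier.
const IDENT = String.raw`((?:"[^"]+"|[a-z_][a-z0-9_]*)(?:\.(?:"[^"]+"|[a-z_][a-z0-9_]*))?)`;
// Table positions in DML. The lookbehind keeps "ON UPDATE CASCADE" in a
// foreign-key clause and "FOR UPDATE" row locks out of the match.
const DML_REF = new RegExp(
  String.raw`\b(?:from|join|insert\s+into|(?<!(?:on|for)\s)update(?:\s+only)?)\s+` + IDENT, "gi");
const RLS_ENABLE = new RegExp(
  String.raw`\balter\s+table\s+(?:if\s+exists\s+)?(?:only\s+)?` + IDENT +
  String.raw`\s+enable\s+row\s+level\s+security\b`, "gi");
const POLICY_ON = new RegExp(
  String.raw`\bcreate\s+policy\s+(?:"[^"]+"|[a-z_][a-z0-9_]*)\s+on\s+` + IDENT, "gi");
// Keywords that can follow FROM/UPDATE in non-table positions (e.g. FOR SELECT USING).
const NOT_TABLES = new Set(["using", "set", "where", "values", "select", "only", "nowait", "cascade"]);

// Unquoted identifiers fold to lower case, quoted ones keep case; a bare name
// is assumed to live in public. Quoted names containing "." are not handled.
function normalizeName(raw) {
  const parts = raw.split(".").map((p) => (p.startsWith('"') ? p.slice(1, -1) : p.toLowerCase()));
  if (parts.length === 1) parts.unshift("public");
  return parts.join(".");
}

function stripComments(sql) {
  return sql.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/--[^\n]*/g, " ");
}

function collect(re, sql) {
  const out = new Set();
  for (const m of sql.matchAll(re)) {
    if (NOT_TABLES.has(m[1].toLowerCase())) continue;
    out.add(normalizeName(m[1]));
  }
  return out;
}

function findRlsGaps(migrationSql) {
  const sql = stripComments(migrationSql);
  const referenced = collect(DML_REF, sql);
  const enabled = collect(RLS_ENABLE, sql);
  const policies = collect(POLICY_ON, sql);
  const sorted = (s) => [...s].sort();
  return {
    referenced: sorted(referenced),
    // what the page's check flags: touched by DML, neither enabled nor policied
    unprotected: sorted([...referenced].filter((t) => !enabled.has(t) && !policies.has(t))),
    // extra: a CREATE POLICY without ENABLE ROW LEVEL SECURITY is inert
    policyWithoutEnable: sorted([...policies].filter((t) => !enabled.has(t))),
  };
}

// Constructed sample migration, not from a real project.
const SAMPLE_MIGRATION = [
  "-- constructed migration",
  "CREATE TABLE public.users (id uuid PRIMARY KEY, email text);",
  "CREATE TABLE orders (id serial, user_id uuid REFERENCES users(id) ON UPDATE CASCADE);",
  'CREATE TABLE "AuditLog" (id serial, msg text);',
  "ALTER TABLE public.users ENABLE ROW LEVEL SECURITY;",
  "CREATE POLICY users_self ON users USING (id = current_setting('app.user_id')::uuid);",
  'CREATE POLICY audit_read ON "AuditLog" FOR SELECT USING (true);',
  "INSERT INTO orders (user_id) SELECT id FROM users;",
  "UPDATE orders SET user_id = NULL WHERE user_id IS NULL;",
  'DELETE FROM "AuditLog" WHERE id < 0;',
].join("\n");

console.log(findRlsGaps(SAMPLE_MIGRATION));
```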

Container & Docker

Dockle

Runs Dockle to lint Docker images for CIS Docker Benchmark compliance. Requires dockle in PATH.

| Setting | Default |
|---|---|
| devManager.quality.builtin.dockle.enabled | true |
| devManager.quality.builtin.dockle.path | "" (auto) |

Grype

Scans container images and filesystems for CVEs using Grype. Requires grype in PATH.

| Setting | Default |
|---|---|
| devManager.quality.builtin.grype.enabled | true |
| devManager.quality.builtin.grype.path | "" (auto) |
| devManager.quality.builtin.grype.failOnSeverity | "HIGH" |

Dive

Analyses Docker image layer efficiency for wasted space using Dive. Requires dive in PATH.

| Setting | Default |
|---|---|
| devManager.quality.builtin.dive.enabled | true |
| devManager.quality.builtin.dive.path | "" (auto) |
| devManager.quality.builtin.dive.warnPct | 10 |

API & Schema Breaking Changes

OASDiff (OpenAPI)

Detects breaking changes between the current branch’s OpenAPI spec and the base branch using oasdiff. Requires oasdiff in PATH.

| Setting | Default |
|---|---|
| devManager.quality.builtin.oasdiff.enabled | true |
| devManager.quality.builtin.oasdiff.path | "" (auto) |

GraphQL Inspector

Detects breaking changes in GraphQL schemas between the current branch and the base branch using @graphql-inspector/cli. Requires the package installed.

| Setting | Default |
|---|---|
| devManager.quality.builtin.graphqlInspector.enabled | true |

Buf Breaking (Protobuf)

Detects breaking changes in Protobuf schemas using the buf CLI. Requires buf in PATH.

| Setting | Default |
|---|---|
| devManager.quality.builtin.bufBreaking.enabled | true |
| devManager.quality.builtin.bufBreaking.path | "" (auto) |

Bundle & Performance

Size Limit

Checks JavaScript/TypeScript bundle sizes against size-limit thresholds configured in package.json. Requires size-limit in devDependencies.

| Setting | Default |
|---|---|
| devManager.quality.builtin.sizeLimit.enabled | true |

Lighthouse CI

Runs Lighthouse CI to measure performance, accessibility, SEO, and best-practice scores. Requires @lhci/cli installed and lighthouserc.* config.

| Setting | Default |
|---|---|
| devManager.quality.builtin.lighthouseCi.enabled | false |
| devManager.quality.builtin.lighthouseCi.path | "" (auto) |

npm Package Authoring

Are The Types Wrong

Checks npm package exports for TypeScript compatibility issues using Are The Types Wrong (attw). Useful for library authors.

| Setting | Default |
|---|---|
| devManager.quality.builtin.attw.enabled | false |

Publint

Validates package.json exports, main, module, and types fields with publint. Catches common publishing mistakes.

| Setting | Default |
|---|---|
| devManager.quality.builtin.publint.enabled | false |

Lockfile Lint

Validates lockfile format and integrity using lockfile-lint. Warns on non-standard registries and tampered lockfile entries.

| Setting | Default |
|---|---|
| devManager.quality.builtin.lockfileLint.enabled | false |

npm Provenance

Checks that npm packages in the project are published with npm provenance attestation (SLSA build provenance).

| Setting | Default |
|---|---|
| devManager.quality.builtin.npmProvenance.enabled | false |

Syncpack

Checks monorepo package version consistency using syncpack. Detects mismatched version ranges for the same dependency across packages.

| Setting | Default |
|---|---|
| devManager.quality.builtin.syncpack.enabled | false |

Manypkg

Checks monorepo package constraints using manypkg. Enforces consistent dependency ranges across all packages.

| Setting | Default |
|---|---|
| devManager.quality.builtin.manypkg.enabled | false |

CI/CD & Observability

Sentry Source Maps

Verifies that Sentry source maps are uploaded and available for the latest release, ensuring stack traces in production are human-readable.

| Setting | Default |
|---|---|
| devManager.quality.builtin.sentrySourcemaps.enabled | false |

Promptfoo

Runs promptfoo tests to validate LLM prompt behaviour against a test suite. Detects prompt regressions before they reach production. Requires promptfoo installed.

| Setting | Default |
|---|---|
| devManager.quality.builtin.promptfoo.enabled | false |

act

Runs GitHub Actions workflows locally using the act tool to catch workflow errors before pushing. Requires act in PATH and Docker.

| Setting | Default |
|---|---|
| devManager.quality.builtin.act.enabled | false |

Database & Migrations

Prisma Validate

Runs prisma validate to check that your Prisma schema is syntactically correct and referentially consistent. Supports single-file prisma/schema.prisma and multi-file prisma/schema/*.prisma configurations.

| Setting | Default |
|---|---|
| devManager.quality.builtin.prismaValidate.enabled | true |

| Check | What it detects |
|---|---|
| Prisma Validate | prisma validate when the Prisma CLI is available |
| Prisma Migrate Status | Pending / drifted Prisma migrations (needs DATABASE_URL) |
| Drizzle Check | Drizzle schema vs migration consistency |
| No Manual Migrations | Hand-written or hand-edited migration SQL (Drizzle, Prisma, or Atlas) |
| Migrations CI Gate | Fails when a migration project has no CI workflow running safety commands |

pgTAP Presence

Checks that pgTAP test files (.sql files importing pgtap) exist for projects that use PostgreSQL and have significant migration history. Encourages database-level testing.

| Setting | Default |
|---|---|
| devManager.quality.builtin.pgtapPresence.enabled | false |

Sqruff

Runs the sqruff SQL linter for style and anti-pattern detection. Requires sqruff in PATH.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.sqruff.enabled | false |

No Manual Migrations

builtin-noManualMigrations discourages editing migration files by hand. It runs in the full Quality Hub sweep and, when realtime quality is on, re-checks on save and when watched migration/schema files change.

| Stack | How it works |
| --- | --- |
| Drizzle | Preferred: regenerates migrations in a temp dir and diffs; fallback: meta/_journal.json + drizzle-kit check. |
| Prisma | prisma migrate diff compares schema to applied migrations. Multi-file schema supported. |
| Atlas | atlas migrate validate; atlas.sum checksums must match. |
| All | When checkRemoved is on, scans recent git history for deleted/renamed migration files. |

"devManager.quality.builtin.noManualMigrations.enabled": true,
"devManager.quality.builtin.noManualMigrations.severity": "error",
"devManager.quality.builtin.noManualMigrations.adapters": ["drizzle", "prisma", "atlas"],
"devManager.quality.builtin.noManualMigrations.checkRemoved": true,
"devManager.quality.builtin.noManualMigrations.gitLookback": 50

Migrations CI Gate

Pure Node: fails when a Prisma/Drizzle/Atlas project has no GitHub Actions workflow that runs migration safety commands (prisma migrate diff, drizzle-kit check, atlas migrate validate). Ensures migration validation is enforced in CI.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.migrationsCiGate.enabled | true |

Agent Context — User Level

Validates user-level agent context files that apply across all projects on the machine: ~/.claude/CLAUDE.md, ~/.codex/AGENTS.md, ~/.cursor/rules/**, ~/.cursor/skills/**, and Gemini global instructions.

| Check | What it detects |
| --- | --- |
| CLAUDE.md | Oversized or structurally invalid user-level CLAUDE.md |
| Codex | Oversized or structurally invalid user-level AGENTS.md for Codex |
| Cursor Rules | Missing/invalid frontmatter in ~/.cursor/rules/*.mdc |
| Gemini | Oversized user-level Gemini instruction file |
| Global Inventory | Counts all agent context files across all platforms |
| Skills | Validates ~/.cursor/skills/** SKILL.md files |
| Total Budget | Combined token budget across all user-level agent files |
| Cyrillic | Cyrillic text in user instructions (~2.75× token cost) |
| Secrets in Context | Leaked API keys in user-level context files |

"devManager.quality.builtin.agentContextUser.enabled": true

AI Agent Context

Project-scope checks for every file an AI coding agent reads before acting (AGENTS.md, CLAUDE.md, GEMINI.md, .github/copilot-instructions.md, Cursor / Windsurf / Zed rules, slash commands, chatmodes, Anthropic Skills, and @import graphs).

| Check | What it detects |
| --- | --- |
| Context Budget | Combined token budget across all agent-visible files |
| Line Count / File Size | Per-file caps for AGENTS.md, CLAUDE.md, copilot-instructions.md |
| Recommended Sections | Enforces the SnakeFlow 10-section AGENTS.md template |
| Structure Block Drift | Warns when the managed `<!-- SNAKEFLOW:STRUCTURE -->` block in AGENTS.md has drifted |
| Import Graph | Rejects @import chains deeper than 5 levels or with cycles |
| Cursor Rules Frontmatter | Validates YAML frontmatter for .cursor/rules/*.mdc |
| CLAUDE.md ↔ AGENTS.md Sync | Flags significant content drift between the two files |
| Absolute Paths | Machine-specific paths that break on other machines |
| Secrets in Context | Leaked API keys / tokens inside any agent context file |
| Cyrillic Outside Code | Cyrillic text in instructions (~2.75× token cost per ACL 2023) |
| Orphaned / Duplicate Rules | Unreferenced or duplicated rule files across platforms |

"devManager.quality.builtin.agentContext.enabled": true

Project Structure

Validates import directions between architectural layers declared in devManager.quality.builtin.projectStructure.layers. Each file belongs to the first layer whose path glob matches; its imports must resolve to layers in canImport.

{
"name": "auth", "path": "src/auth/**", "canImport": ["utils"],
"exceptions": [
{ "file": "src/auth/service.ts", "canImport": ["utils", "crypto"] }
]
}

Config validation checks for duplicate names, unknown references, and cyclic canImport edges before scanning.

See dependency-cruiser for the complementary CLI-based check.

"devManager.quality.builtin.projectStructure.enabled": true
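As an added example (not the extension's own implementation), the JavaScript below applies the rules above to a constructed layers config: it reports duplicate names, unknown references and cyclic canImport edges, then assigns a file to its first matching layer and checks its relative imports, honouring a per-file exceptions entry. The glob matcher, the ".ts" resolution and the allowance for same-layer imports are assumptions, not behaviour the page documents.

```javascript
// Added example, not the extension's own code: validates a projectStructure "layers"
// config (duplicate names, unknown canImport targets, cycles) and checks one file's
// relative imports. Assumed: POSIX paths, ".ts" omitted in imports, same-layer imports allowed.
const SAMPLE_LAYERS = [ // constructed config built around this page's "auth" example
  { name: "utils", path: "src/utils/**", canImport: [] },
  { name: "auth", path: "src/auth/**", canImport: ["utils"],
    exceptions: [{ file: "src/auth/service.ts", canImport: ["utils", "crypto"] }] },
  { name: "crypto", path: "src/crypto/**", canImport: ["utils"] },
];
function globToRegExp(glob) {
  const esc = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*\*/g, "\0").replace(/\*/g, "[^/]*").replace(/\0/g, ".*");
  return new RegExp("^" + esc + "$");
}
function validateLayers(layers) {
  const problems = [], byName = new Map(), state = new Map(); // state: 1 = on DFS path, 2 = done
  for (const l of layers) byName.has(l.name) ? problems.push(`duplicate layer name: ${l.name}`) : byName.set(l.name, l);
  const visit = (n, trail) => {
    if (state.get(n) === 1) return problems.push(`cyclic canImport: ${[...trail, n].join(" -> ")}`);
    if (state.get(n) === 2 || !byName.has(n)) return;
    state.set(n, 1);
    for (const t of byName.get(n).canImport) visit(t, [...trail, n]);
    state.set(n, 2);
  };
  for (const l of layers) {
    for (const t of l.canImport) if (!byName.has(t)) problems.push(`${l.name}: unknown layer ${t}`);
    visit(l.name, []);
  }
  return problems;
}
function layerOf(file, layers) { // first matching glob wins, as the check defines membership
  return layers.find((l) => globToRegExp(l.path).test(file)) || null;
}
function resolveRelative(fromFile, spec) {
  const segs = fromFile.split("/").slice(0, -1);
  for (const s of spec.split("/")) { if (s === "..") segs.pop(); else if (s !== ".") segs.push(s); }
  return segs.join("/") + ".ts";
}
// One message per relative import that lands in a layer outside canImport
// (a matching "exceptions" entry replaces the layer's canImport list).
function checkImports(file, imports, layers) {
  const layer = layerOf(file, layers); if (!layer) return [];
  const exc = (layer.exceptions || []).find((e) => e.file === file), out = [];
  const allowed = new Set([layer.name, ...(exc ? exc.canImport : layer.canImport)]);
  for (const spec of imports) {
    if (!spec.startsWith(".")) continue; // bare specifiers are external packages
    const target = resolveRelative(file, spec), tl = layerOf(target, layers);
    if (tl && !allowed.has(tl.name)) out.push(`${file} (${layer.name}) -> ${target} (${tl.name})`);
  }
  return out;
}
```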

Security & Reliability

Unsafe DOM

Detects usage of dangerous DOM APIs — dangerouslySetInnerHTML, document.write, innerHTML =, eval(), and new Function() — that can introduce XSS vulnerabilities in JavaScript and TypeScript files. Runs on-type and on-save with a 400 ms debounce.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.unsafeDom.enabled | true |
| devManager.quality.builtin.unsafeDom.realtime | true |
| devManager.quality.builtin.unsafeDom.precommit | false |
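An added example, not the extension's code, of how a pure-Node, regex-based pass over source lines can flag the five sinks named above while leaving an innerHTML comparison, a textContent write and an identifier that merely contains "eval" alone; the rule patterns and the sample source are constructed assumptions.

```javascript
// Added example, not the extension's own code: a line-based scanner for the five
// DOM sinks this check names. The rule patterns are assumptions about how such a
// check could be written; each avoids an obvious false positive (innerHTML
// comparisons, method calls named eval, identifiers that merely contain "eval").
const UNSAFE_DOM_RULES = [
  { id: "dangerouslySetInnerHTML", re: /\bdangerouslySetInnerHTML\b/ },
  { id: "document.write", re: /\bdocument\.write(ln)?\s*\(/ },
  { id: "innerHTML assignment", re: /\.innerHTML\s*(\+?=)(?!=)/ }, // "=" or "+=", not "==="
  { id: "eval", re: /(^|[^.\w$])eval\s*\(/ },                     // bare global eval only
  { id: "new Function", re: /\bnew\s+Function\s*\(/ },
];

// Returns [{ line, id, text }] for every line that hits a rule; line is 1-based.
function scanUnsafeDom(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    if (/^\s*\/\//.test(text)) return; // a whole-line comment carries no executable sink
    for (const rule of UNSAFE_DOM_RULES) {
      if (rule.re.test(text)) findings.push({ line: i + 1, id: rule.id, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample: three sinks, plus lines that must not fire.
const SAMPLE_SOURCE = [
  'const el = document.getElementById("out");',
  'el.innerHTML = userInput;',                            // sink: raw HTML assignment
  'if (el.innerHTML === "") el.textContent = userInput;', // comparison + safe text write
  '// eval(legacy) was removed here',                     // comment, skipped
  'const fn = new Function("return " + expr);',           // sink: code from a string
  'retrieval(data);',                                     // identifier containing "eval"
  'document.write("<p>" + data + "</p>");',               // sink: document.write
].join("\n");
```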

Regex DoS

Detects regular expressions with nested quantifiers that can cause catastrophic backtracking (ReDoS). Patterns like (.+)+ or (a*)* can freeze the event loop on adversarial input. Runs on-save for JS/TS files.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.regexDoS.enabled | true |
| devManager.quality.builtin.regexDoS.realtime | true |
| devManager.quality.builtin.regexDoS.precommit | false |
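Added example (not the extension's implementation): a small pattern walker that reports a group quantified by `*`, `+` or `{n,}` whose body already contains such a quantifier, run over regex literals and `new RegExp("...")` strings pulled from constructed source lines. The literal-extraction heuristic and the decision to treat bounded quantifiers and `?` as safe are assumptions.

```javascript
// Added example, not the extension's own code: flags a quantified group that already
// contains an unbounded quantifier ("*", "+", "{n,}"), the shape behind (.+)+ and (a*)*.
// Escapes and character classes are skipped; bounded quantifiers and "?" are assumed safe.
function hasNestedQuantifier(pattern) {
  const stack = []; // one boolean per open group: "body contains an unbounded quantifier"
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "\\") { i++; continue; }                         // skip the escaped character
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }
    const unbounded = c === "*" || c === "+" || (c === "{" && /^\{\d+,\}/.test(pattern.slice(i)));
    if (unbounded && stack.length) stack[stack.length - 1] = true;
    else if (c === "(") stack.push(false);
    else if (c === ")") {
      const inner = stack.pop(), rest = pattern.slice(i + 1);
      const quantified = /^[*+]/.test(rest) || /^\{\d+,\}/.test(rest);
      if (inner && quantified) return true;
      if (inner && stack.length) stack[stack.length - 1] = true; // propagate to the parent group
    }
  }
  return false;
}

// Heuristic extraction (assumption): a regex literal may only start at line start or after
// an operator, bracket or separator, which keeps division such as "a / b / c" out.
const REGEX_LITERAL = /(?<=^|[=(,:[!&|?{};]\s*)\/((?:\\.|\[(?:\\.|[^\]\\\n])*\]|[^/\\\n[])+)\/[dgimsuvy]*/gm;
const REGEXP_CTOR = /new\s+RegExp\s*\(\s*(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
function findRiskyRegexes(source) {
  const risky = [];
  for (const m of source.matchAll(REGEX_LITERAL)) if (hasNestedQuantifier(m[1])) risky.push(m[1]);
  for (const m of source.matchAll(REGEXP_CTOR)) {
    const pattern = m[2].replace(/\\\\/g, "\\"); // one level of string-literal unescaping
    if (hasNestedQuantifier(pattern)) risky.push(pattern);
  }
  return risky;
}

// Constructed sample: one safe literal, one nested literal, a division, one nested constructor.
const SAMPLE_SOURCE = [
  'const email = /^[^@]+@[^@]+$/;',
  'const tag = /<(.+)+>/g;',
  'const ratio = a / b / c;',
  'const re = new RegExp("(\\\\d+\\\\s?)*$");',
].join("\n");
```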

Code Style

Import Sort

Detects import blocks that are out of the expected order: external packages first, then workspace imports, then relative imports. Runs on-save for JS/TS/JSX/TSX files without invoking ESLint.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.importSortDelta.enabled | true |
| devManager.quality.builtin.importSortDelta.realtime | true |
| devManager.quality.builtin.importSortDelta.precommit | false |

Duplicate String Literals

Finds repeated user-facing string literals in JSX/TSX files to nudge i18n extraction. Only strings longer than minLength characters that appear at least minCount times in the same file are flagged. Runs on-save.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.duplicateStringLiteral.enabled | true |
| devManager.quality.builtin.duplicateStringLiteral.realtime | true |
| devManager.quality.builtin.duplicateStringLiteral.precommit | false |
| devManager.quality.builtin.duplicateStringLiteral.minLength | 10 |
| devManager.quality.builtin.duplicateStringLiteral.minCount | 3 |

Shebang Portability

Warns when shell scripts use a non-portable absolute-path shebang (e.g. #!/bin/bash) instead of the portable #!/usr/bin/env bash. Runs on-save for shell script files.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.shebangPortability.enabled | true |
| devManager.quality.builtin.shebangPortability.realtime | true |
| devManager.quality.builtin.shebangPortability.precommit | false |

Language Manifests

Cargo.toml Sanity

Validates Rust Cargo.toml manifests for the required [package] section and essential fields: name, version, and edition. Analogous to the Package JSON Sanity check for Rust projects. Runs on-save.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.cargoToml.enabled | true |
| devManager.quality.builtin.cargoToml.realtime | true |
| devManager.quality.builtin.cargoToml.precommit | false |

pyproject.toml Sanity

Validates Python pyproject.toml manifests for a required [project] section (PEP 517/518) or [tool.poetry] section (Poetry). Runs on-save.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.pyProject.enabled | true |
| devManager.quality.builtin.pyProject.realtime | true |
| devManager.quality.builtin.pyProject.precommit | false |

Git & Versioning

Git LFS Pointer

Detects binary files that are Git LFS pointer files instead of actual content. A pointer file starts with version https://git-lfs.github.com/spec/v1. Run git lfs pull to fetch the real content. Runs on-save.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.gitLfsPointer.enabled | true |
| devManager.quality.builtin.gitLfsPointer.realtime | true |
| devManager.quality.builtin.gitLfsPointer.precommit | false |

Branch Behind Main

Checks how many commits the current branch is behind the remote main branch using git rev-list --count HEAD..origin/<mainBranch>. Runs as a workspace-level interval check every 5 minutes and warns to rebase when the branch falls too far behind.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.branchBehindMain.enabled | true |
| devManager.quality.builtin.branchBehindMain.realtime | true |
| devManager.quality.builtin.branchBehindMain.precommit | false |
| devManager.quality.builtin.branchBehindMain.mainBranch | "main" |
| devManager.quality.builtin.branchBehindMain.warnAt | 10 |
| devManager.quality.builtin.branchBehindMain.failAt | 50 |

Runtime / Infra

Pre-bind Port Check

Detects when dev server ports mentioned in package.json scripts are already occupied before the server starts. Runs every 10 seconds as a workspace interval check and watches package.json for changes. Complements the existing Port Collisions check.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.prebindPort.enabled | true |
| devManager.quality.builtin.prebindPort.realtime | true |
| devManager.quality.builtin.prebindPort.precommit | false |

Docker Resource Alert

Monitors running Docker containers using docker stats --no-stream and warns when CPU or memory usage exceeds the configured thresholds. Watches docker-compose.yml / compose.yml for changes and polls every 30 seconds.

| Setting | Default |
| --- | --- |
| devManager.quality.builtin.dockerResourceAlert.enabled | true |
| devManager.quality.builtin.dockerResourceAlert.realtime | true |
| devManager.quality.builtin.dockerResourceAlert.precommit | false |
| devManager.quality.builtin.dockerResourceAlert.cpu | 80 |
| devManager.quality.builtin.dockerResourceAlert.mem | 90 |

Configuring Thresholds

Every built-in check supports enabled. Most numeric checks support warnAt/failAt (or warnLines/failLines/warnDepth/etc.):

"devManager.quality.builtin.lineCount.warnLines": 300,
"devManager.quality.builtin.lineCount.failLines": 500,
"devManager.quality.builtin.complexity.warnScore": 10,
"devManager.quality.builtin.complexity.failScore": 20,
"devManager.quality.builtin.dependencyCount.warnAt": 50,
"devManager.quality.builtin.dependencyCount.failAt": 100

To disable a check entirely:

"devManager.quality.builtin.magicNumbers.enabled": false

The TypeScript Check (tscCheck) runs npx tsc --noEmit — see CLI Tool Checks →.