slowcoder360
diff --git a/‎.gitignore
+125-2 b/‎.gitignore
+125-2
diff --git a/‎CONTRIBUTING.md
+57 b/‎CONTRIBUTING.md
+57
diff --git a/‎LICENSE
+21-11 b/‎LICENSE
+21-11
diff --git a/‎README.md
+65-20 b/‎README.md
+65-20
diff --git a/‎package-lock.json
+2-2 b/‎package-lock.json
+2-2
diff --git a/‎package.json
+1-1 b/‎package.json
+1-1
@@ -14,9 +14,11 @@ build/
 # Log files
 *.log
 
-# Markdown files (except README)
+# Markdown files (except README & CONTRIBUTING)
+/md/
 *.md
 !README.md
+!CONTRIBUTING.md
 
 # Python
 __pycache__/
@@ -48,4 +50,125 @@ Thumbs.db
 
 # Test Reports
 # test-*.md # Covered by *.md above
-# test-*.json 
+# test-*.json
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+web_modules/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.*
+!.env.example
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# Next.js build output
+.next
+out
+
+# Nuxt.js build output
+.nuxt
+dist
+
+# Nuxt.js static directory
+.output
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test
+
+# Vercel project configuration file
+.vercel
+
+# Temporary generated report files
+*-report.json
+*-report.md
+
+# Blog content (internal)
+/blogs/ 
+
+.cursor
@@ -0,0 +1,57 @@
+# Contributing to VibeSafe 🛡️
+
+Thanks for your interest in improving VibeSafe!  
+We're an open-source security CLI built for developers — fast, useful, and community-driven.
+
+Whether you're fixing a typo, improving performance, adding new scanners, or suggesting a feature, we welcome your input.
+
+---
+
+## 💡 How to Contribute
+
+1. **Fork the repo**
+2. **Clone your fork and create a new branch**
+   ```bash
+   git checkout -b feature/your-feature-name
+   ```
+3. **Make your changes**
+4. **Run tests** (if applicable)
+5. **Open a Pull Request (PR)** with a clear description of what you changed and why
+
+## 📏 Guidelines
+Keep PRs focused and minimal — smaller is better
+
+Avoid introducing new dependencies unless absolutely necessary
+
+Write clear, readable code (preferably TypeScript where applicable)
+
+Add comments or docs for any non-obvious logic
+
+If adding a new scanner or rule, explain the security impact or use case
+
+## 🧪 Testing (Basic)
+Most of VibeSafe is modular and easy to test with sample files.
+You can test your changes by running:
+
+```bash
+npm run build
+npm link
+vibesafe scan ./test-project
+```
+
+If you're improving output formats or adding rules, try --output and --report modes to check formatting.
+
+## 📛 Brand Reminder
+The name VibeSafe™ is a trademark of Secret Society LLC.
+Forks and derivative tools are welcome under the MIT License, but please use a different name and logo for your project.
+
+If you'd like to collaborate, contribute under the official name, or build something commercial on top of VibeSafe, reach out:
+📬 [email protected]
+
+## 🤝 Code of Conduct
+Be respectful. This project is about making security tools accessible, not gatekeeping. We welcome newcomers, learners, and veterans alike.
+
+## 🚀 Ready to go?
+Open your PR, and let's make security more developer-friendly — together.
+
+Stay safe. Stay vibey. ✨
@@ -1,17 +1,27 @@
-Copyright (c) 2025 Secret Society LLC - All Rights Reserved
+MIT License
 
-NOTICE: This software, VibeSafe (the "Software"), is provided free of charge for execution and use. The source code is made available for transparency and inspection purposes only.
+Copyright (c) 2025 Secret Society LLC
 
-PERMISSION IS NOT GRANTED to modify, copy, merge, publish, distribute, sublicense, and/or sell copies of the Software, or any substantial portions of it.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
 
-PERMISSION IS NOT GRANTED to create derivative works based on the Software or its source code.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-PERMISSION IS NOT GRANTED to redistribute the Software or its source code.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+---
 
-Reverse engineering, decompiling, or disassembling the Software is prohibited.
+Trademark Notice:
 
-The Software is provided "AS IS", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the Software or the use or other dealings in the Software.
-
-By using or accessing the Software or its source code, you agree to these terms. If you do not agree to these terms, do not use or access the Software or its source code.
-
-For any licensing inquiries beyond the scope of this license, please contact [email protected]. 
+VibeSafe™ is a trademark of Secret Society LLC.  
+The MIT License does not grant permission to use the trade name, trademark, service mark, or product name “VibeSafe” except for attribution or with prior written consent.
@@ -4,30 +4,54 @@ A CLI tool to scan your codebase for security vibes.
 
 VibeSafe helps developers quickly check their projects for common security issues like exposed secrets, outdated dependencies with known vulnerabilities (CVEs), and generates helpful reports.
 
-## Features
-
-*   **Secret Scanning:** Detects potential secrets using regex patterns (AWS Keys, JWTs, SSH Keys, generic high-entropy strings) and specifically flags secrets found in `.env` files.
-*   **Dependency Scanning:** Parses `package.json` (for npm/yarn projects) and checks dependencies against the OSV.dev vulnerability database for known CVEs. *(Note: Currently only scans direct dependencies listed in `package.json`. Lockfile analysis for precise versions and transitive dependencies is planned for a future update.)*
-*   **Configuration Scanning:** Checks JSON and YAML files for common insecure settings (e.g., `DEBUG = true`, `devMode = true`, permissive CORS like `origin: '*'`)
-*   **HTTP Client Issues:** Detects potential missing timeout or cancellation configurations in calls using `axios`, `fetch`, `got`, and `request`. (*See Limitations below*).
-*   **Unvalidated Upload Detection:** Identifies potential missing file size/type restrictions in common upload libraries (`multer`, `formidable`, `express-fileupload`, `busboy`) and generic patterns (`new FormData()`, `<input type="file">`).
-*   **Exposed Endpoint Detection:** Flags potentially sensitive endpoints (e.g., `/admin`, `/debug`, `/status`, `/info`, `/metrics`) in Node.js web applications using common routing patterns or string literals.
-*   **Rate Limit Check (Heuristic):** Issues a project-level advisory if API routes are detected but no known rate-limiting package (e.g., `express-rate-limit`, `@upstash/ratelimit`) is found in dependencies.
-*   **Improper Logging Detection:** Flags potential logging of full error objects (e.g., `console.error(err)`), which can leak stack traces, and detects logging of potentially sensitive data based on keywords (e.g., `password`, `email`, `token`).
-*   **Multiple Output Formats:** Provides results via console output (with colors!), JSON (`--output`), or a Markdown report (`--report` with default `VIBESAFE-REPORT.md`).
-*   **AI-Powered Suggestions (Optional):** Generates fix suggestions in the Markdown report using OpenAI (requires API key).
-*   **Filtering:** Focus on high-impact issues using `--high-only`.
-*   **Customizable Ignores:** Use a `.vibesafeignore` file (similar syntax to `.gitignore`) to exclude specific files or directories from the scan.
-
-## Installation
+## ✨ Features
+
+- 🔐 **Secret Scanning**  
+  Flags AWS keys, JWTs, SSH keys, high-entropy strings, and secrets in `.env` files.
+
+- 📦 **Dependency Vulnerability Detection**  
+  Checks `package.json` dependencies against the [OSV.dev](https://osv.dev) vulnerability database. *(Direct deps only for now — lockfile support coming soon).*
+
+- ⚙️ **Insecure Config Detection**  
+  Scans JSON/YAML for flags like `DEBUG=true`, `devMode`, permissive CORS, etc.
+
+- 🌐 **HTTP Client Scan**  
+  Detects missing timeouts or abort controllers in `axios`, `fetch`, `got`, etc.
+
+- 📤 **Upload Validation Check**  
+  Warns on lack of file size/type checks in `multer`, `formidable`, etc.
+
+- 🔎 **Exposed Endpoint Detection**  
+  Flags risky endpoints like `/admin`, `/debug`, or `/metrics`, including for **Next.js API routes**.
+
+- 🚫 **Missing Rate Limiting (Heuristic)**  
+  Warns if your project has API routes but no known rate-limit package installed.
+
+- 🪵 **Improper Logging Patterns**  
+  Finds logs that may leak sensitive info or log full error stacks unsafely.
+
+- 📄 **Multi-format Output**  
+  Console, JSON (`--output`), or Markdown reports (`--report`).
+
+- 🧠 **AI-Powered Fix Suggestions (Optional)**  
+  Add an OpenAI API key for smart recommendations in Markdown reports.
+
+- 🎯 **Focus on Critical Issues**  
+  Use `--high-only` to trim noise.
+
+- 🙈 **Custom Ignores**  
+  Exclude files using `.vibesafeignore`, just like `.gitignore`.
+
+
+## 📦 Installation
 
 ```bash
 npm install -g vibesafe 
 ```
 
 *(Note: Currently, for local development, use `npm link` after building)*
 
-## Usage
+## 🚀 Usage
 
 **Basic Scan (Current Directory):**
 
@@ -83,7 +107,7 @@ vibesafe scan -r ai-report.md
 vibesafe scan --high-only
 ```
 
-## Ignoring Files (.vibesafeignore)
+## 🛑📁 Ignoring Files (.vibesafeignore)
 
 Create a `.vibesafeignore` file in the root of the directory being scanned. Add file paths or glob patterns (one per line) to exclude them from the scan. The syntax is the same as `.gitignore`.
 
@@ -99,7 +123,28 @@ config/legacy-secrets.conf
 # Allow scanning a specific .env file if needed (overrides default info behavior)
 # !.env.production 
 ```
+## 🤝 Contributing
+
+We welcome contributions from the community!
+
+If you have an idea for a new scanner, a bug fix, or a way to make VibeSafe better, check out our [Contributing Guide](./CONTRIBUTING.md) to get started.
+
+Whether you're submitting a pull request or opening an issue, we appreciate your help in making security tools more developer-friendly.
+
+## 🧾 License
+
+VibeSafe is open source software licensed under the [MIT License](./LICENSE).
+
+You're free to use, modify, and distribute it — even commercially — as long as the original copyright
+and license are included.
+
+For questions or commercial partnership inquiries, contact **[email protected]**.
+
+---
+
+## 📛 Trademark Notice
 
-## License
+**VibeSafe™** is a trademark of Secret Society LLC.  
+Use of the name “VibeSafe” for derivative tools, competing products, or commercial services is **not permitted without prior written consent.**
 
-This project uses a custom proprietary license. Please see the [LICENSE](LICENSE) file for details. TL;DR: Free to use, source visible, but no modification, copying, or redistribution allowed. 
+You are free to fork or build upon this code under the [MIT License](./LICENSE), but please use a different name and branding for public or commercial distributions.
@@ -1,6 +1,6 @@
 {
   "name": "vibesafe",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "A CLI tool to scan your codebase for security vibes.",
   "main": "dist/index.js",
   "bin": {
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "vibesafe",`
`3`		`- "version": "1.1.0",`
	`3`	`+ "version": "1.2.0",`
`4`	`4`	`"description": "A CLI tool to scan your codebase for security vibes.",`
`5`	`5`	`"main": "dist/index.js",`
`6`	`6`	`"bin": {`