@chahuadev/junk-sweeper-app

v2.0.3

Chahuadev Junk Sweeper — AST-based dead code & silent bug detector with interactive architecture map

Downloads

480

Readme

Chahuadev Junk Sweeper — AST-based dead code & silent bug detector with an interactive architecture map.


⚙️ Installation

Auto-download: On install, the binary for your platform is downloaded automatically using --foreground-scripts so you can see the progress bar.

Global Install (Recommended)

npm install -g @chahuadev/junk-sweeper-app --foreground-scripts --force

Launch

junk-sweeper

🐧 Running on Linux / WSL2 (Ubuntu)

First install the required system libraries (one-time setup):

sudo apt-get update && sudo apt-get install -y \
  libnss3 libatk1.0-0 libatk-bridge2.0-0 libcups2 \
  libdrm2 libxkbcommon0 libxcomposite1 libxdamage1 \
  libxrandr2 libgbm1 libasound2

Then run the AppImage:

chmod +x "Junk Sweeper.AppImage"
DISPLAY=:0 WAYLAND_DISPLAY=wayland-0 \
  ./"Junk Sweeper.AppImage" \
  --appimage-extract-and-run --no-sandbox --disable-gpu

WSL2 tip: Copy to WSL native filesystem first:

# Path after: npm install -g @chahuadev/junk-sweeper-app
# (no sudo)
cp ~/.npm-global/lib/node_modules/@chahuadev/junk-sweeper-app/bin/"Junk Sweeper.AppImage" /tmp/JunkSweeper.AppImage
# (with sudo)
# cp /usr/lib/node_modules/@chahuadev/junk-sweeper-app/bin/"Junk Sweeper.AppImage" /tmp/JunkSweeper.AppImage
chmod +x /tmp/JunkSweeper.AppImage
DISPLAY=:0 WAYLAND_DISPLAY=wayland-0 /tmp/JunkSweeper.AppImage \
  --appimage-extract-and-run --no-sandbox --disable-gpu

🚀 What It Does

While standard linters look for syntax errors, Chahuadev Junk Sweeper uses deep AST analysis to understand the context and architecture of your entire project.

🐛 Silent Bug Catcher — 8 patterns

Detects logical flaws that compile fine but silently break business logic:

| Pattern | What It Catches |
|---|---|
| Empty Catch Blocks | Errors swallowed with catch(e) {} — bugs disappear without a trace |
| Zombie Event Listeners | .addEventListener() without .removeEventListener() — memory leaks |
| Scope Shadowing | Inner variable re-declaring an outer name — wrong value runs silently |
| Floating Promises | async calls without await inside try/catch — rejections go unhandled |
| Orphaned Timers | setTimeout/setInterval without cleanup reference — phantom callbacks |
| Uncaught Promise Chains | .then() without .catch() — unhandled rejections |
| Naked JSON.parse | JSON.parse() outside try/catch — crashes on malformed input |
| Await in Loop | await inside for/forEach — accidental serial execution instead of parallel |
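
Two of the patterns in the table, each beside a corrected form. This is an added example, not code from Junk Sweeper or its detectors; `fetchUser` and all sample inputs are constructed for illustration.

```javascript
// Constructed stand-in for a network call; it rejects for one id.
const fetchUser = (id) =>
  id === 3
    ? Promise.reject(new Error(`user ${id} unavailable`))
    : Promise.resolve({ id, name: `user-${id}` });

// Naked JSON.parse: a SyntaxError on malformed input propagates to the caller.
function parseNaked(text) {
  return JSON.parse(text);
}

// Fixed: the failure is caught and reported, so this is not an empty catch either.
function parseSafe(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Await in loop: each request waits for the previous one, and the first
// rejection aborts the loop, so later ids are never attempted.
async function loadSerial(ids) {
  const out = [];
  for (const id of ids) out.push(await fetchUser(id));
  return out;
}

// Fixed: requests start together; allSettled keeps every outcome, so a
// rejection is recorded instead of floating or hiding the other results.
async function loadParallel(ids) {
  const settled = await Promise.allSettled(ids.map((id) => fetchUser(id)));
  return {
    users: settled.filter((r) => r.status === "fulfilled").map((r) => r.value),
    errors: settled.filter((r) => r.status === "rejected").map((r) => r.reason.message),
  };
}
```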

🛠️ Code Quality Auditor — 10 patterns

Catches patterns that compile and run today, but rot the codebase over time:

| Pattern | What It Catches |
|---|---|
| debugger statement | Debug pause left in production code |
| eval() / new Function(string) | Arbitrary code execution — security + performance risk |
| NaN comparison | x === NaN always evaluates to false — use Number.isNaN() |
| Assignment in condition | if (x = foo()) — likely a typo of === |
| parseInt without radix | Octal parsing surprises in legacy engines |
| var declaration | Function-scoped hoisting footgun — use const/let |
| console.* debug logging | Debug output left in production build |
| Prototype mutation | __proto__ / built-in .prototype mutation — attack vector |
| Overly long functions | Functions >60 lines — complexity & maintainability risk |
| TODO / FIXME / HACK markers | Unresolved technical debt accumulating in comments |

✨ Live AST Recommendations

Every finding includes a live recommendation generated from your actual code — real variable names, the exact problematic source line, and a concrete before/after fix example. No hardcoded template strings.

🗺️ Interactive Architecture Map (n8n-style)

  • Left-to-Right auto-layout — see cross-file dependency flow instantly
  • Drag nodes freely — organise your architecture your way
  • Save / Load / Copy Layout — positions persist across sessions
  • Node Status legend — Clean / Minor / Critical / npm / Gateway Box with colour coding; collapsible, state remembered in localStorage
  • Bidirectional issue ↔ map linking — click an issue to fly to its node; click a node to filter issues
  • Graph Export (⬆ button) — export in 4 formats: Copy as Mermaid · Draw.io XML · Excalidraw JSON · Graphviz .dot

🏥 Project Health Score

After every scan, the sidebar shows an A–F grade ring weighted by issue severity and confidence. The grade is also embedded in the HTML export.

🚩 Mark as False Positive

Every issue card has a "Mark as False Positive" button that copies the exact suppress comment to clipboard — paste it above the flagged line to silence the finding in future scans.

⚙️ Per-Project Config

Drop .junksweeper.json in your project root to tune minConfidence, ignorePatterns, per-detector toggles, and excludePatterns — no app restart needed.

📤 SARIF 2.1.0 Export

Export findings in SARIF 2.1.0 format — compatible with GitHub Code Scanning, Azure DevOps, VS Code SARIF Viewer, and any SARIF-aware CI pipeline.
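
A CI gate over an exported SARIF 2.1.0 log, as an added example that is not part of Junk Sweeper. The page does not list the tool's rule identifiers, so the `ruleId` values, file paths and the suppression policy in this sample are constructed assumptions.

```javascript
// Constructed SARIF 2.1.0 log; the rule ids and paths are made up for this example.
const loc = (uri, startLine) =>
  [{ physicalLocation: { artifactLocation: { uri }, region: { startLine } } }];
const sampleSarif = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "example-scanner" } },
    results: [
      { ruleId: "example/eval", level: "error",
        message: { text: "eval() call" }, locations: loc("src/run.js", 12) },
      // No "level": treated as "warning" below.
      { ruleId: "example/empty-catch",
        message: { text: "empty catch block" }, locations: loc("src/io.js", 40) },
      { ruleId: "example/eval", level: "error", suppressions: [{ kind: "inSource" }],
        message: { text: "eval() in test helper" }, locations: loc("test/h.js", 3) },
    ],
  }],
};

const RANK = { none: 0, note: 1, warning: 2, error: 3 };

// This example's policy: a result counts as suppressed when any suppression
// is accepted or carries no status.
const isSuppressed = (r) =>
  (r.suppressions || []).some((s) => !s.status || s.status === "accepted");

// Returns the results at or above `failAt` that should block the pipeline.
function gate(sarif, failAt = "error") {
  if (sarif.version !== "2.1.0" || !Array.isArray(sarif.runs)) {
    throw new Error("not a SARIF 2.1.0 log");
  }
  const blocking = [];
  let suppressed = 0;
  for (const run of sarif.runs) {
    for (const r of run.results || []) {
      if (isSuppressed(r)) { suppressed += 1; continue; }
      const level = r.level || "warning"; // SARIF default when no rule config applies
      if (RANK[level] < RANK[failAt]) continue;
      const p = r.locations?.[0]?.physicalLocation;
      const where = `${p?.artifactLocation?.uri ?? "?"}:${p?.region?.startLine ?? "?"}`;
      blocking.push(`${where} ${r.ruleId} [${level}]`);
    }
  }
  return { pass: blocking.length === 0, blocking, suppressed };
}
```

In a pipeline, read the exported file with `JSON.parse` inside a try/catch and exit non-zero when `gate(...).pass` is false.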

⚡ One-Click VS Code Integration

Click any filename in the report → VS Code opens at the exact problematic line.

🧵 Multi-Threaded Performance

Worker Threads keep the UI responsive while scanning 1,000+ file projects.


🔒 Security Guarantee

Junk Sweeper is read-only by design — verified at the code level, not just by policy.

| Guarantee | How It Works |
|---|---|
| Never modifies user files | All detectors use fs.readFileSync() only — no writeFileSync() anywhere near your code |
| Never touches the OS | No registry writes, no admin privilege requests, no system calls outside the app's own data folder |
| Path Traversal Protection | Every scan path is validated against ../ traversal, symlinks, and forbidden OS directories (System32, /etc, /sys, /proc) |
| Executable Injection Prevention | Strict file-type whitelist — .exe, .dll, .bat, .sh and all binary formats are blocked before analysis |
| App Integrity on Every Launch | SHA-256 checksums of main.js, preload.js, and all detectors are verified before the app starts — tampered builds are rejected |
| Sandboxed Renderer | Electron runs with contextIsolation: true, sandbox: true, nodeIntegration: false — the UI has zero direct Node.js access |
| Audit Log | Every file access and security event is logged to ~/.chahuadev/logs/ for full traceability |

The only files the app ever writes are its own layout cache (%APPDATA%\Junk Sweeper\layouts\) and its own security audit log — nothing inside your project.
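
One way to implement the scan-path validation described in the Path Traversal Protection row. This is an added example, not Junk Sweeper's own code: `validateScanPath`, `isInside` and the reason strings are hypothetical names, and matching the forbidden directories by containment is this example's choice.

```javascript
const fs = require("node:fs");
const path = require("node:path");

// Forbidden locations named on the page; matching by containment is an assumption.
const FORBIDDEN = process.platform === "win32"
  ? [path.join(process.env.SystemRoot || "C:\\Windows", "System32")]
  : ["/etc", "/sys", "/proc"];

// True when `child` is `parent` itself or lies beneath it.
function isInside(parent, child) {
  const rel = path.relative(parent, child);
  return !path.isAbsolute(rel) && rel.split(path.sep)[0] !== "..";
}

// Hypothetical helper: returns { ok: true, path } or { ok: false, reason }.
function validateScanPath(projectRoot, candidate) {
  let root;
  try {
    root = fs.realpathSync(projectRoot);
  } catch {
    return { ok: false, reason: "root-missing" };
  }
  if (FORBIDDEN.some((dir) => isInside(dir, root))) {
    return { ok: false, reason: "forbidden-root" };
  }
  // 1. Lexical check: "../" segments and absolute paths must not leave the root.
  const lexical = path.resolve(root, candidate);
  if (!isInside(root, lexical)) return { ok: false, reason: "traversal" };

  // 2. The entry itself must not be a symlink (lstat does not follow it).
  let stat;
  try {
    stat = fs.lstatSync(lexical);
  } catch {
    return { ok: false, reason: "missing" };
  }
  if (stat.isSymbolicLink()) return { ok: false, reason: "symlink" };

  // 3. A parent directory may be a symlink; compare the fully resolved path.
  const real = fs.realpathSync(lexical);
  if (!isInside(root, real)) return { ok: false, reason: "symlink-escape" };
  return { ok: true, path: real };
}
```

A file can still be swapped between this check and the later read, so the reader should open the returned `path` rather than re-resolving the original input.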


📝 Changelog

v1.0.0 — Initial Release

  • Read-only AST analysis — JSON/HTML/CSV export
  • Interactive n8n-style Project Map with Layout Memory
  • 5 AST detectors: Unused Variables, Unused Imports, Dead Code, Duplicate Functions, Silent Bugs
  • 7-Layer Security Gateway + SHA-256 checksum integrity verification
  • One-Click VS Code Go-to-Line integration
  • Worker Thread architecture — UI stays responsive during large scans

v1.0.1 — AST Recommendations & Code Quality Auditor

  • 6th detector: ast-code-quality-detector.js — 10 production-safety patterns (debugger, eval, NaN comparison, assignment-in-condition, parseInt radix, var, console.*, prototype mutation, long functions, TODO markers)
  • Silent Bugs expanded to 8 patterns: Orphaned Timers, Uncaught Promise Chains, Naked JSON.parse, Await-in-Loop
  • Live AST-driven recommendations across all 6 detectors — every finding shows the actual code line from your source, real variable/function names from the AST, and a concrete before/after fix example
  • Collapsible Node Status legend in Project Map — collapse to save screen space; state persists in localStorage
  • Terminal boot sequence shows all 7 security layers and all 6 active detectors on launch

v1.0.2 — SAST Security Scanner & Premium Export

  • SAST Security Scanner — dedicated SCAN SECURITY button running ast-security-detector.js (6-level L1–L6) in a separate Worker Thread
  • Security Issues Tab — severity-tagged findings with code snippet, file location, and searchable list
  • Security Statistics Sidebar — per-severity issue count, toggleable filter badges
  • PDF Export — A4 PDF via Electron printToPDF; no printer required
  • Premium HTML Export — single-file dark-theme shareable report
  • Native Save Dialog — all 4 formats (JSON/HTML/CSV/PDF) use dialog.showSaveDialog via IPC

v1.0.3 — Health Score, SARIF, Config & QoL

  • Project Health Score — A–F grade ring in sidebar; embedded in HTML export
  • SARIF 2.1.0 Export — GitHub Code Scanning, Azure DevOps, VS Code SARIF Viewer compatible
  • Mark as False Positive — copies exact suppress comment to clipboard for any issue
  • .junksweeper.json config — per-project minConfidence, ignorePatterns, detector toggles, excludePatterns
  • Issues tab severity chips — ALL / HIGH / MEDIUM / LOW filter chips

v1.0.4 — Security UX, Node Status Legend & Graph Export

  • Security tab severity chips — ALL / CRITICAL / HIGH / MEDIUM / LOW; synced with sidebar badge filter
  • Security ⚠N badge repositioned on map cards — no longer overlaps Electron role badge
  • Node Status legend reorganised — Clean / Minor / Critical / npm / Gateway Box with accurate colours
  • Graph Export button (⬆ in map toolbar) — Mermaid · Draw.io XML · Excalidraw JSON · Graphviz .dot

📦 Platform Support

| Platform | Architecture | Status |
|---|---|---|
| Windows | x64 | ✅ Supported |
| Windows | ia32 | ✅ Supported |
| Linux | x64 | ✅ Supported |
| macOS | arm64 / x64 | 🔜 Coming soon |


Made by Chahuadev | Security-First Code Analysis Tools