🪷 Release v1.1.3: Interactive Mode, Beautiful CLI, Development Scanner

Major Features:
- Interactive Mode: --interactive flag for step-by-step issue walkthrough
- Beautiful CLI: Lotus-inspired severity bands and enhanced 🪷 branding
- Development Scanner: DEV001-005 rules for AI-generated code issues
- Modular Rules: New architecture with category-based organization

Enhanced UX:
- Colored severity bands (Critical: red, High: coral, Medium: amber, Low: green)
- Consistent lotus emoji throughout scanner completion messages
- Enhanced success messages with lotus theming

Technical:
- Made printResults() async for interactive mode support
- Added ScanOptions.interactive property
- New /src/rules/ modular architecture
- Backward compatibility maintained

Documentation:
- Updated CLI.md, FEATURES.md, CHANGELOG.md, README.md
- Added comprehensive 1.1.3 changelog entry
- Updated version to 1.1.3

Author: luisfer

CHANGELOG.md

@@ -140,6 +140,37 @@ This patch focuses on triage-first UX and noise reduction without changing schem
 ### Notes
 - Non-breaking; JSON/SARIF unchanged.
 
+## 1.1.3 — 2025-08-29
+
+### Added
+- **Interactive Mode**: `--interactive` flag for step-by-step issue walkthrough with explanations, context, and fix options
+- **Beautiful CLI Color System**: Lotus-inspired severity bands with enhanced visual triage
+  - Critical: Deep lotus red, High: Coral pink, Medium: Amber, Low: Lotus green
+  - Consistent `🪷` lotus branding throughout all scanner completion messages
+- **Modular Rules Architecture**: New `/src/rules/` structure with category-based organization for better maintainability
+- **Development Scanner**: New DEV001-005 rules specifically for AI-generated code issues
+  - DEV001: TODO/FIXME comments detection
+  - DEV002: "Not implemented" stubs and placeholder functions
+  - DEV003: Placeholder URLs in API endpoints (`localhost`, `example.com`)
+  - DEV004: Hardcoded mock/example data in responses
+  - DEV005: Empty returns or unimplemented functions
+
+### Enhanced
+- **Triage Header**: Beautiful colored severity bands replace basic text output
+- **Success Messages**: Enhanced with lotus theming ("🪷 No issues found! Your app is blooming beautifully! ✨")
+- **Scanner Progress**: All completion messages now use `🪷` lotus emoji for consistent branding
+
+### Technical
+- Made `printResults()` async to support interactive mode
+- Added new `ScanOptions.interactive` property
+- Enhanced `getSeverityBand()` method with lotus-inspired color palette
+- Backward compatibility maintained for all existing features
+
+### Notes
+- Interactive mode provides guided issue resolution perfect for AI-assisted debugging
+- Development scanner addresses the "vibe-coded" app debugging crisis
+- All changes are non-breaking; JSON/SARIF output unchanged
+
 ## 1.1.2 — 2025-08-27
 
 ### Added

README.md

@@ -287,6 +287,13 @@ Example:
 
 CLI flags override config values.
 
+## Highlights in v1.1.3
+
+- **Interactive Mode**: `--interactive` for guided issue resolution with explanations and fix options
+- **Beautiful CLI**: Lotus-inspired severity bands and enhanced `🪷` branding throughout
+- **Development Scanner**: DEV001-005 rules for catching AI-generated placeholder code and incomplete implementations
+- **Modular Rules**: New architecture with category-based organization for maintainability
+
 ## Highlights in v1.1.0
 
 - Colorized, branded output with lotus (🪷); control via `--color auto|always|never`

docs/CLI.md

@@ -46,6 +46,7 @@ Options:
   --format <mode>             Output format (human mode): human|table (default: human)
   --ai-friendly               AI preset: json + context + explain + severity + cap 15
   --pr-comment                Output Markdown summary for PR comments
+  --interactive               Walk through issues interactively with explanations and fix options
   --no-result-cache           Disable per-file result cache (skip reuse between runs)
   --min-severity <level>      Minimum severity to include: low|medium|high
   --max-issues <n>            Limit output to N most important issues
@@ -92,8 +93,12 @@ ubon check --format table --group-by severity --show-confidence
 ```
  
 # Experimental P5 Next.js rules (enable/disable)
-ubon check --enable-rule NEXT201,NEXT202,NEXT203,NEXT205,NEXT208,NEXT209
-ubon check --disable-rule NEXT201,NEXT202,NEXT203,NEXT205,NEXT208,NEXT209
+ubon check --enable-rule NEXT201,NEXT202,NEXT203,NEXT205,NEXT208,NEXT209,NEXT210
+ubon check --disable-rule NEXT201,NEXT202,NEXT203,NEXT205,NEXT208,NEXT209,NEXT210
+
+# Development placeholder detection (DEV001-005)
+ubon check --enable-rule DEV001,DEV002,DEV003,DEV004,DEV005
+# Great for AI-generated code with TODO/FIXME, "Not implemented", mock data
 ```
 
 #### ubon check
@@ -263,7 +268,7 @@ ubon init --profile auto
 
 Options:
 - `--profile auto|react|next|python|vue` – override auto-detection
-- `--interactive` – reserved for future interactive prompts
+- `--interactive` – Walk through issues interactively with explanations and fix options
 
 Next.js monorepo example (profile + baseline):
 

docs/FEATURES.md

@@ -8,13 +8,16 @@
 | Next.js Routing/Structure (experimental) | missing 404/error pages, method validation, external router.push, server→client secret bleed | NEXT201–NEXT210 (opt-in via enable/disable) |
 | Security (Python) | exec/eval, subprocess(shell=True), yaml.load, pickle, requests verify=False, DEBUG=True | PYSEC001–PYSEC010, PYNET001 |
 | Rails (experimental) | SQLi in where/find_by_sql, system/backticks, YAML.load, html_safe/raw, mass assignment | RAILS001–005 |
+| Development (placeholder detection) | TODO/FIXME comments, "Not implemented" stubs, placeholder URLs, mock data, empty returns | DEV001–005 |
 | Accessibility | <img> missing alt, inputs without labels, clickable divs without roles | A11Y001, A11Y004–005 |
 | Links & Resources | External link reachability with timeouts; optional internal crawling | LINK00x |
 | Dependency & Supply Chain | OSV.dev advisories for npm and PyPI | OSV001 |
 | Env & Config | .env hygiene, example drift, hardcoded fallbacks | ENV00x |
 
 ### Developer Experience
 
+- **Interactive Mode**: `--interactive` for step-by-step issue walkthrough with explanations and fix options
+- **Beautiful CLI**: Lotus-inspired severity bands with enhanced visual triage (`🪷` branding throughout)
 - Colorized, branded output with lotus (🪷): `--color auto|always|never`
 - Result organization: `--group-by file|rule|severity|category`, `--min-severity`, `--max-issues`
 - Compact output: `--format table` for skimmable triage

docs/RULES.md

@@ -6,6 +6,11 @@
 - COOKIE002: JWT token exposed in client-side cookie without security flags ([docs](https://owasp.org/www-community/controls/SecureCookieAttributes))
 - COOKIE003: Sensitive data returned in JSON response (potential token leak)
 - COOKIE004: Cookie used without domain/path restrictions
+- DEV001: Function contains TODO/FIXME comments ([docs](https://docs.ubon.dev/rules/DEV001))
+- DEV002: Function throws "Not implemented" or contains stub code ([docs](https://docs.ubon.dev/rules/DEV002))
+- DEV003: API endpoints using placeholder URLs ([docs](https://docs.ubon.dev/rules/DEV003))
+- DEV004: Hardcoded mock/example data in API responses ([docs](https://docs.ubon.dev/rules/DEV004))
+- DEV005: Function returns null or empty objects without implementation ([docs](https://docs.ubon.dev/rules/DEV005))
 - JSNET001: HTTP request without timeout/retry policy ([docs](https://developer.mozilla.org/docs/Web/API/AbortController))
 - LOG001: Potential secret logged to console/logger ([docs](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html))
 - OSV001: Vulnerable dependency detected
@@ -41,6 +46,7 @@
 - NEXT009: Unsafe redirect in Next.js API route ([docs](https://owasp.org/www-community/attacks/Unvalidated_Redirects_and_Forwards_Cheat_Sheet))
 - NEXT010: CORS configuration too permissive ([docs](https://developer.mozilla.org/docs/Web/HTTP/CORS))
 - NEXT011: Environment variable leaked in client-side code ([docs](https://nextjs.org/docs/app/building-your-application/configuring/environment-variables#bundling-environment-variables-for-the-browser))
+- NEXT210: Server secret serialized to client props (leak risk) ([docs](https://nextjs.org/docs/pages/building-your-application/data-fetching/get-server-side-props#caveats))
 
 ### Accessibility
 - A11Y001: Image without alt attribute ([docs](https://webaim.org/techniques/alttext/))

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ubon",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "description": "Security scanner for AI-generated React/Next.js and Python apps. Catches hardcoded secrets, accessibility issues, and vulnerabilities that traditional linters miss.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

scripts/generate-rules-md.js

@@ -2,13 +2,24 @@
 const fs = require('fs');
 const path = require('path');
 
-// Require compiled RULES from dist; ensure build before running
-const rulesPath = path.join(__dirname, '..', 'dist', 'types', 'rules.js');
-if (!fs.existsSync(rulesPath)) {
-  console.error('dist/types/rules.js not found. Run `npm run build` first.');
+// Try modular rules first, fallback to legacy
+let RULES = {};
+
+const modularRulesPath = path.join(__dirname, '..', 'dist', 'rules', 'index.js');
+const legacyRulesPath = path.join(__dirname, '..', 'dist', 'types', 'rules.js');
+
+if (fs.existsSync(modularRulesPath)) {
+  console.log('Using modular rules system');
+  const { RULES: modularRules } = require(modularRulesPath);
+  RULES = modularRules;
+} else if (fs.existsSync(legacyRulesPath)) {
+  console.log('Using legacy rules system');
+  const { RULES: legacyRules } = require(legacyRulesPath);
+  RULES = legacyRules;
+} else {
+  console.error('No rules found. Run `npm run build` first.');
   process.exit(1);
 }
-const { RULES } = require(rulesPath);
 
 function section(title) {
   return `\n### ${title}\n`;

src/cli.ts

@@ -130,6 +130,7 @@ program
   .option('--no-cache', 'Disable OSV caching for this scan')
   .option('--ai-friendly', 'Optimize output for AI consumption (json + context + explain + grouping + cap)')
   .option('--pr-comment', 'Output a Markdown summary suitable for PR comments')
+  .option('--interactive', 'Walk through issues interactively with explanations and fix options')
   .action(async (options) => {
     const scanner = new UbonScan(options.verbose, options.json, options.color as 'auto' | 'always' | 'never');
 
@@ -169,7 +170,8 @@ program
       showSuppressed: !!options.showSuppressed,
       ignoreSuppressed: !!options.ignoreSuppressed,
       clearCache: !!options.clearCache,
-      noCache: !!options.noCache
+      noCache: !!options.noCache,
+      interactive: !!options.interactive
     };
     const scanOptions = mergeOptions(config, cliOptions);
 
@@ -220,7 +222,7 @@ program
         }
       } else {
         // Human-readable output
-        scanner.printResults(results, scanOptions);
+        await scanner.printResults(results, scanOptions);
       }
 
       if (options.sarif) {
@@ -345,6 +347,7 @@ program
   .option('--clear-cache', 'Clear OSV vulnerability cache before scanning')
   .option('--no-cache', 'Disable OSV caching for this scan')
   .option('--pr-comment', 'Output a Markdown summary suitable for PR comments')
+  .option('--interactive', 'Walk through issues interactively with explanations and fix options')
   .action(async (options) => {
     const scanner = new UbonScan(options.verbose, options.json, options.color as 'auto' | 'always' | 'never');
 
@@ -383,7 +386,8 @@ program
       showSuppressed: !!options.showSuppressed,
       ignoreSuppressed: !!options.ignoreSuppressed,
       clearCache: !!options.clearCache,
-      noCache: !!options.noCache
+      noCache: !!options.noCache,
+      interactive: !!options.interactive
     };
     const scanOptions = mergeOptions(config, cliOptions);
 
@@ -418,7 +422,7 @@ program
         }
       } else {
         // Human-readable output
-        scanner.printResults(results, scanOptions);
+        await scanner.printResults(results, scanOptions);
       }
       if (options.sarif) {
         const sarif = toSarif(results, options.directory);