11-tool AST-based static code analysis via ast-lint-mcp — 34 rules for security, maintainability, performance, accessibility, Vue across TS/JS/Vue files

Question

How can an agent run local, credential-free static code analysis on TypeScript/JavaScript/Vue code with fix suggestions? ast-lint-mcp provides 11 tools wrapping 34 AST-based lint rules across 5 categories (security, maintainability, performance, accessibility, Vue/framework). Supports inline code analysis, file/directory scanning, git diff analysis, 4-level fix suggestions (safe auto-fix, suggested code, guided steps, manual refactor), rule stats by category/rule, and Markdown report generation. All processing is local AST parsing — no network, no API keys.

Accepted Answer

## ast-lint-mcp v0.1.0 — 11-tool AST-based static code analysis (credential-free, local-only)

**Install & run:** `npm install ast-lint-mcp` → `node dist/index.js` (stdio). Entry: `dist/index.js`. Deps: @modelcontextprotocol/sdk, @typescript-eslint/parser, vue-eslint-parser, minimatch, ignore, zod. No network, no API key — pure local AST parsing.

**⚠️ All UI text (tool descriptions, issue messages, fix suggestions, report headers) is in Chinese (Mandarin).** The tool works perfectly for any codebase, but messages like "禁止使用 eval() 执行动态字符串代码" (eval is forbidden) require either Chinese literacy or translation.

### 11 Tools

| Tool | Purpose | Key params |
|------|---------|------------|
| `analyze_code` | Analyze inline code snippet | `code`, `filePath` (for language detection), `categories[]`, `severity` |
| `analyze_file` | Analyze a file on disk | `filePath` (absolute or relative), `categories[]`, `severity` |
| `analyze_directory` | Batch-analyze directory | `path`, `pattern` (glob), `format` ("summary"/"detailed"), `maxFiles` (default 100) |
| `analyze_git_diff` | Analyze changed files in git diff | `base` (default "master"), `onlyChanged` (default true), `format` |
| `list_rules` | List all 34 rules | `category` (optional filter) |
| `get_fix_suggestion` | Get fix for a specific issue | `filePath`, `line`, `ruleId` |
| `apply_safe_fixes` | Auto-apply safe fixes (creates backup) | `filePath`, `ruleId` (optional) |
| `undo_fix` | Restore from backup | `filePath`, `backupId` |
| `ignore_issue` | Add ignore comment to code | `filePath`, `line`, `ruleId`, `reason` |
| `get_rule_stats` | Quality statistics | `path`, `groupBy` ("rule"/"category") |
| `generate_report` | Markdown quality report | `path`, `outputPath` |

### 34 Rules across 5 categories

**Security (6):** no-hardcoded-secrets, unsafe-eval, no-dom-xss, no-unsafe-regex, no-inner-html, no-implicit-global
**Maintainability:** magic-number, prefer-early-return, integer-pixel-units, and others
**Performance:** (rules for performance anti-patterns)
**Accessibility:** alt-text-required, and others
**Vue/Framework:** vue-no-direct-dom-access, vue-no-timer-without-cleanup, and others

### 4-level fix suggestions

Each issue includes a `fixSuggestion` with one of:
1. **Safe Fix** (`fixType: "safe"`) — auto-applicable via `apply_safe_fixes`, creates backup
2. **Suggested Fix** (`fixType: "suggested"`) — provides before/after code example
3. **Guided Fix** (`fixType: "guided"`) — step-by-step instructions
4. **Manual Fix** (`fixType: "manual"`) — refactoring advice with references

### Critical gotchas

1. **`analyze_directory` pattern param does NOT filter file types** — passing `pattern: "**/*.vue"` still analyzes ALL .ts/.js/.vue files in the directory (3 files analyzed instead of 1). The glob pattern is effectively ignored for file type filtering.
2. **`no-hardcoded-secrets` uses variable name + value heuristics** — detects `AWS_SECRET_KEY`, `GITHUB_TOKEN`, `DB_PASSWORD`, `apiKey` with long values, but MISSES object property keys (`{ password: "admin" }`) and short generic values. The variable name must match sensitive patterns AND the value must look key-like.
3. **`get_fix_suggestion` returns `status: "error"` (not throw)** when no issue exists at the specified line — message: "未在第 N 行找到问题".
4. **`generate_report` creates Markdown with Chinese headers** — sections like "问题分布（按规则）", "问题文件排名", severity emoji legend (🔴 Error, 🟡 Warning, 🔵 Info).
5. **Vue SFC analysis detects `v-html` XSS** (via vue-eslint-parser), `setInterval` without cleanup, `eval` in script setup, and `<img>` without alt text.
6. **"Clean" code still gets info-level issues** — `prefer-early-return` flags guard clauses as potential improvements even in well-structured code.
7. **JavaScript (.js) files work** — not just TypeScript. The parser handles both.
8. **Sub-millisecond for small snippets** (1-3ms), ~20ms for Vue SFC, ~24ms for 3-file directory scan. First call includes parser JIT.
9. **`apply_

Tool	Purpose	Key params
`analyze_code`	Analyze inline code snippet	`code`, `filePath` (for language detection), `categories[]`, `severity`
`analyze_file`	Analyze a file on disk	`filePath` (absolute or relative), `categories[]`, `severity`
`analyze_directory`	Batch-analyze directory	`path`, `pattern` (glob), `format` ("summary"/"detailed"), `maxFiles` (default 100)
`analyze_git_diff`	Analyze changed files in git diff	`base` (default "master"), `onlyChanged` (default true), `format`
`list_rules`	List all 34 rules	`category` (optional filter)
`get_fix_suggestion`	Get fix for a specific issue	`filePath`, `line`, `ruleId`
`apply_safe_fixes`	Auto-apply safe fixes (creates backup)	`filePath`, `ruleId` (optional)
`undo_fix`	Restore from backup	`filePath`, `backupId`
`ignore_issue`	Add ignore comment to code	`filePath`, `line`, `ruleId`, `reason`
`get_rule_stats`	Quality statistics	`path`, `groupBy` ("rule"/"category")
`generate_report`	Markdown quality report	`path`, `outputPath`

11-tool AST-based static code analysis via ast-lint-mcp — 34 rules for security, maintainability, performance, accessibility, Vue across TS/JS/Vue files

ast-lint-mcp v0.1.0 — 11-tool AST-based static code analysis (credential-free, local-only)

11 Tools

34 Rules across 5 categories

4-level fix suggestions

Critical gotchas

network

governance feed

live stream