resq — Developer CLI
Rust developer tooling CLI for the ResQ monorepo. Handles license headers, image placeholders, security audits, dependency cost analysis, secret scanning, and TypeScript tree-shaking.
Build & Install
```bash
# Optional: install globally
```

Binary: `tools/cli/target/release/resq`
Commands
copyright — License Header Management
Adds or checks copyright headers across every source file in the repo.
Supported formats: C-style block (/** */), XML/HTML (<!-- -->), hash-line (#), double-dash (--), Elisp (;;), AsciiDoc (////). Shebangs (#!/...) are always preserved at line 0.
Licenses: mit (default), apache-2.0, gpl-3.0, bsd-3-clause
```bash
# Check all tracked files (CI — exits 1 if any missing)
# Preview what would be added without writing
# Add headers to all files missing them
# Overwrite existing headers (e.g. change license or author)
# Scope to specific file types
# Use explicit glob patterns instead of git ls-files
# Exclude paths
```
File discovery (in priority order):
- `--glob` patterns, if provided
- `git ls-files` plus untracked, non-ignored files
- Directory walk from the project root (fallback when git is unavailable)

Gitignore patterns are always applied on top of whichever source is used.
Flags:

| Flag | Default | Description |
|---|---|---|
| `--license` | `mit` | License type |
| `--author` | `ResQ` | Copyright holder |
| `--year` | current year | Copyright year |
| `--force` | off | Overwrite existing headers |
| `--dry-run` | off | Print paths without writing |
| `--check` | off | CI mode: exit 1 if any file is missing a header |
| `--verbose` / `-v` | off | Show per-file decisions |
| `--glob` | — | Glob patterns to match files |
| `--ext` | — | Comma-separated extensions to include |
| `--exclude` / `-e` | — | Path substrings to exclude |
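As an added illustration (this is not the resq source), the placement rules above in Rust: the comment style is chosen per file extension, a shebang stays on line 0 with the header directly below it, and `--force` replaces an existing header instead of stacking a second one. The extension table, the header wording, the "Copyright within the first five lines" detection rule and the SPDX identifiers are assumptions of this sketch, not necessarily what the tool emits.

```rust
// Added example (not the resq source): header placement as described above.
// Extension table, header wording and SPDX ids are assumptions of this sketch.
use std::path::Path;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Style { CBlock, Xml, Hash, DoubleDash, Elisp, AsciiDoc }

#[derive(Debug, PartialEq)]
pub enum Outcome { Unsupported, AlreadyPresent, Updated(String) }

/// Comment style by extension (assumed mapping; unknown extensions are skipped).
pub fn style_for(path: &str) -> Option<Style> {
    let ext = Path::new(path).extension()?.to_str()?.to_ascii_lowercase();
    Some(match ext.as_str() {
        "rs" | "ts" | "tsx" | "js" | "c" | "h" | "css" | "java" => Style::CBlock,
        "html" | "xml" | "svg" | "md" => Style::Xml,
        "py" | "sh" | "toml" | "yaml" | "yml" | "rb" => Style::Hash,
        "sql" | "lua" | "hs" => Style::DoubleDash,
        "el" => Style::Elisp,
        "adoc" | "asciidoc" => Style::AsciiDoc,
        _ => return None,
    })
}

/// (opener, per-line prefix, closer); an empty opener marks a line-comment style.
fn markers(style: Style) -> (&'static str, &'static str, &'static str) {
    match style {
        Style::CBlock => ("/**", " * ", " */"),
        Style::Xml => ("<!--", "  ", "-->"),
        Style::Hash => ("", "# ", ""),
        Style::DoubleDash => ("", "-- ", ""),
        Style::Elisp => ("", ";; ", ""),
        Style::AsciiDoc => ("////", "", "////"),
    }
}

/// SPDX identifier for each license name the CLI accepts (assumed choice of ids).
fn spdx_id(license: &str) -> Option<&'static str> {
    match license {
        "mit" => Some("MIT"),
        "apache-2.0" => Some("Apache-2.0"),
        "gpl-3.0" => Some("GPL-3.0-only"),
        "bsd-3-clause" => Some("BSD-3-Clause"),
        _ => None,
    }
}

pub fn render_header(style: Style, license: &str, author: &str, year: u32) -> Option<String> {
    let (open, prefix, close) = markers(style);
    let text = [
        format!("Copyright (c) {year} {author}"),
        format!("SPDX-License-Identifier: {}", spdx_id(license)?),
    ];
    let mut lines: Vec<String> = Vec::new();
    if !open.is_empty() { lines.push(open.to_string()); }
    lines.extend(text.iter().map(|l| format!("{prefix}{l}")));
    if !close.is_empty() { lines.push(close.to_string()); }
    lines.push(String::new()); // blank line between header and code
    Some(lines.join("\n") + "\n")
}

/// "Has a header" = "Copyright" within the first five lines after any shebang.
pub fn has_header(body: &str) -> bool {
    body.lines().take(5).any(|l| l.contains("Copyright"))
}

/// Remove the leading comment block of this style (what --force replaces).
fn strip_leading_comment(style: Style, body: &str) -> &str {
    let (open, prefix, close) = markers(style);
    let rest = if open.is_empty() {
        // Line style: drop every leading line that carries the comment marker.
        let marker = prefix.trim_end();
        let skip = body
            .split_inclusive('\n')
            .take_while(|l| l.starts_with(marker))
            .map(str::len)
            .sum::<usize>();
        &body[skip..]
    } else if body.starts_with(open) {
        // Block style: cut through the end of the line that holds the closer.
        match body[open.len()..].find(close) {
            Some(p) => {
                let end = open.len() + p + close.len();
                body[end..].find('\n').map_or("", |nl| &body[end + nl + 1..])
            }
            None => body,
        }
    } else {
        body
    };
    rest.trim_start_matches('\n')
}

pub fn apply(path: &str, content: &str, license: &str, author: &str, year: u32, force: bool) -> Outcome {
    let style = match style_for(path) { Some(s) => s, None => return Outcome::Unsupported };
    let header = match render_header(style, license, author, year) {
        Some(h) => h,
        None => return Outcome::Unsupported,
    };
    // A shebang always stays on line 0; the header goes directly below it.
    let (shebang, body) = if content.starts_with("#!") {
        content.find('\n').map_or((content, ""), |nl| (&content[..=nl], &content[nl + 1..]))
    } else {
        ("", content)
    };
    let body = if has_header(body) {
        if !force { return Outcome::AlreadyPresent; }
        strip_leading_comment(style, body)
    } else { body };
    let mut out = String::from(shebang);
    if !shebang.is_empty() && !shebang.ends_with('\n') { out.push('\n'); }
    out.push_str(&header);
    out.push_str(body);
    Outcome::Updated(out)
}
```

`apply("tools/run.sh", "#!/bin/sh\necho hi\n", "mit", "ResQ", 2024, false)` yields the shebang, a `#`-prefixed two-line header, a blank line and then the script; calling it again on that output returns `AlreadyPresent` unless `force` is set, in which case the old header is stripped and rewritten. The check for an existing header is deliberately loose (any "Copyright" near the top), which is what makes `--force` necessary when the license or author changes.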
lqip — Low-Quality Image Placeholders
Generates tiny base64-encoded data URIs from images for use as blur-up placeholders in the web dashboard.
```bash
# Single image → prints data URI
# Directory of images → text list
# Recursive with JSON output (for import into JS)
# Custom placeholder dimensions (default 20×15)
```
Output (text mode):

```
File: "hero.jpg"
LQIP: data:image/jpeg;base64,/9j/4AAQSkZ...
```

Output (JSON mode):
Supported input formats: jpg, jpeg, png, webp. Output format matches input.
Flags:

| Flag | Default | Description |
|---|---|---|
| `--target` / `-t` | — | File or directory to process |
| `--width` | `20` | Placeholder width in pixels |
| `--height` | `15` | Placeholder height in pixels |
| `--recursive` / `-r` | off | Recurse into subdirectories |
| `--format` | `text` | Output format: text or json |
audit — Security & Quality Audit
Three-pass security and quality sweep covering all language ecosystems in the monorepo.
```bash
# Full audit (all three passes)
# Scope to a specific subtree
# Run only the OSV Scanner pass
# Run only npm audit-ci
# Run only React Doctor
# CI mode — fail on high+ npm severity, require score ≥ 80
# Scan only files changed since main (React Doctor)
# Use SARIF output for OSV (e.g. upload to GitHub Code Scanning)
```
Pass 1 — OSV Scanner (cross-ecosystem)
Runs `osv-scanner scan source -r <root>` against all lock files in the tree: `Cargo.lock`, `package-lock.json`, `yarn.lock`, `requirements.txt`, `*.csproj`, and more. Covers Rust, npm, Python, .NET and C/C++ via the OSV.dev vulnerability database.

Gracefully skips with an install hint if `osv-scanner` is not on `$PATH`:

```
Install: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
```
Pass 2 — npm audit-ci
Reads the `package.json` workspace globs, then for each workspace:

- Runs `bun install --yarn` to generate `yarn.lock` (required by audit-ci)
- Runs `bunx audit-ci@^7.1.0 --<level> --report-type <type>`

Note that `@^7.1.0` is a caret range, so every run resolves the newest 7.x release from the registry at execution time; pin an exact version if the CI job needs to be reproducible and its tooling reviewable.
Pass 3 — React Doctor (web dashboard)
Runs `react-doctor` against `services/web-dashboard` (or `--react-target`). Two phases:

- Diagnostic: a full `--verbose` run streamed to the terminal (60+ lint rules, dead code, bundle analysis)
- Score check: a separate `--score` invocation; fails if the 0–100 health score is below `--react-min-score`
Unless disabled with a `--skip-*` flag, all three passes run; a failing pass does not abort the others. Failures accumulate and a summary is printed at the end. Exits non-zero if any pass failed.
Flags:

| Flag | Default | Description |
|---|---|---|
| `--root` | `.` | Root directory to scan |
| npm audit-ci | | |
| `--level` | `critical` | Minimum severity: critical, high, moderate, low |
| `--report-type` | `important` | Report verbosity: important, full, summary |
| `--skip-prepare` | off | Skip the `bun install --yarn` step |
| `--skip-npm` | off | Skip the npm audit-ci pass entirely |
| OSV Scanner | | |
| `--skip-osv` | off | Skip the OSV Scanner pass |
| `--osv-format` | `table` | Output format: table, json, sarif, gh-annotations |
| React Doctor | | |
| `--skip-react` | off | Skip the React Doctor pass |
| `--react-target` | `<root>/services/web-dashboard` | Path to the React/Next.js project |
| `--react-diff` | — | Only scan files changed vs this base branch (e.g. `main`) |
| `--react-min-score` | `75` | Minimum health score to pass (0–100) |
cost — Dependency Size Analysis
Fetches package sizes from registries (npm, crates.io, PyPI) and categorizes dependencies by download footprint. Useful for identifying bloated dependencies before they enter the repo.
```bash
# Auto-detect project type and analyze
# Specific project
# Force project type
# Custom output directory
```
Project type detection (auto):

- `Cargo.toml` → Rust (queries crates.io)
- `package.json` → Node (queries the npm registry)
- `pyproject.toml` / `requirements.txt` → Python (queries PyPI)

Output: three JSON files written to `scripts/out/` (or `--output`):

- `high.json` — packages > 10 MB
- `medium.json` — packages 1–10 MB
- `low.json` — packages < 1 MB
Console summary:

```
📦 Package Size Summary:
🔴 High (> 10 MB): 2 packages
🟡 Medium (1-10 MB): 8 packages
🟢 Low (< 1 MB): 34 packages
📊 Total size: 127.45 MB
```
Up to 10 registry requests run concurrently.
Flags:

| Flag | Default | Description |
|---|---|---|
| `--root` | `.` | Directory with the project manifest |
| `--output` | `scripts/out` | Output directory for JSON reports |
| `--project-type` | auto-detect | Force: node, rust, python |
secrets — Secret Scanner
Scans source files for hardcoded credentials, API keys, private keys, tokens, and high-entropy strings. Designed to run as a pre-commit hook or in CI.
```bash
# Scan all git-tracked files (default)
# Only scan staged changes (pre-commit hook)
# Show matched content in output (partially redacted)
# Scan all files, not just git-tracked
# Load allowlist from custom path
```
Detected patterns (26 rules):

- Cloud providers: AWS access/secret keys, GCP API keys, GCP service accounts
- Source control: GitHub PATs (classic, fine-grained, OAuth, App tokens)
- AI/APIs: OpenAI, Anthropic, Stripe, Slack, Twilio, SendGrid, Mailgun
- Infrastructure: database connection strings (`postgres://`, `mongodb://`, etc.)
- Private keys: RSA, DSA, EC, OpenSSH, PGP
- Generic: bearer tokens, JWT tokens, `api_key=` / `secret=` assignments
- High-entropy: hex strings ≥ 40 chars with Shannon entropy > 4.5

Caveat on the last rule: a 16-symbol hex alphabet caps Shannon entropy at 4.0 bits per character, so a threshold of 4.5 can only be crossed by a wider alphabet (base64-style tokens, for example). Check which alphabet the rule actually matches before relying on it to catch hex-encoded secrets.
Allowlist: create `.secretsignore` at the project root (one pattern per line, `#` for comments). Findings whose content or file path contains a pattern are suppressed. Because matching is by substring, keep patterns specific (a full fixture path or the exact placeholder value); a short pattern such as `key` would silence far more than intended.
Pre-commit hook integration:

```bash
# .git/hooks/pre-commit
```

Exits 0 if clean, 1 if secrets are found.
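An added sketch (not the resq source) of the scanning and allowlist behaviour described above, in Rust with the standard library only. A PEM private-key rule, an AWS access-key-ID rule and the entropy rule stand in for the 26 real rules; the `.secretsignore` handling follows the text (path or content substring match). The fixture is constructed for the example: its AWS value is Amazon's documented placeholder key, its 40-character hex digest shows that pure hex never crosses the 4.5-bit threshold, and its 40-character mixed-alphabet token shows what does. Rule names and the redaction format are this example's choices.

```rust
// Added example (not the resq source): a std-only sketch of the scanner
// behaviour described above. Three rules stand in for the tool's 26; the
// thresholds and the .secretsignore semantics follow the page.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub path: String,
    pub line: usize,
    pub rule: &'static str,
    /// Raw matched content; only ever printed through `redacted()`.
    secret: String,
}

impl Finding {
    /// First and last four characters only, so a CI log never holds the whole value.
    pub fn redacted(&self) -> String {
        redact(&self.secret)
    }
}

/// Shannon entropy in bits per character (0.0 for an empty string).
pub fn shannon_entropy(s: &str) -> f64 {
    let n = s.chars().count();
    if n == 0 {
        return 0.0;
    }
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    counts
        .values()
        .map(|&k| {
            let p = k as f64 / n as f64;
            -p * p.log2()
        })
        .sum()
}

pub fn redact(s: &str) -> String {
    let chars: Vec<char> = s.chars().collect();
    if chars.len() <= 8 {
        return "*".repeat(chars.len());
    }
    let head: String = chars[..4].iter().collect();
    let tail: String = chars[chars.len() - 4..].iter().collect();
    format!("{head}{}{tail}", "*".repeat(chars.len() - 8))
}

/// Characters that can appear inside a token candidate (base64, hex, URL-safe variants).
fn is_token_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '+' | '/' | '=' | '_' | '-')
}

/// AWS access key ID: "AKIA" followed by 16 upper-case alphanumerics.
fn is_aws_access_key_id(tok: &str) -> bool {
    tok.len() == 20
        && tok.starts_with("AKIA")
        && tok[4..].chars().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit())
}

pub fn scan_line(path: &str, lineno: usize, line: &str) -> Vec<Finding> {
    let mk = |rule: &'static str, secret: &str| Finding {
        path: path.to_string(),
        line: lineno,
        rule,
        secret: secret.to_string(),
    };
    // Rule 1: PEM private-key header (RSA, DSA, EC, OPENSSH and PGP variants share it).
    if line.contains("-----BEGIN ") && line.contains("PRIVATE KEY-----") {
        return vec![mk("private-key", line.trim())];
    }
    let mut out = Vec::new();
    for tok in line.split(|c: char| !is_token_char(c)).filter(|t| !t.is_empty()) {
        if is_aws_access_key_id(tok) {
            out.push(mk("aws-access-key-id", tok)); // Rule 2
        } else if tok.len() >= 40 && shannon_entropy(tok) > 4.5 {
            out.push(mk("high-entropy", tok)); // Rule 3: >= 40 chars, > 4.5 bits/char
        }
    }
    out
}

/// `.secretsignore`: one pattern per line, `#` lines are comments, blanks ignored.
pub fn parse_allowlist(text: &str) -> Vec<String> {
    text.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .map(str::to_string)
        .collect()
}

/// A finding is suppressed when its path or its content contains a pattern.
pub fn is_allowlisted(f: &Finding, allow: &[String]) -> bool {
    allow.iter().any(|p| f.path.contains(p.as_str()) || f.secret.contains(p.as_str()))
}

pub fn scan_file(path: &str, contents: &str, allow: &[String]) -> Vec<Finding> {
    contents
        .lines()
        .enumerate()
        .flat_map(|(i, l)| scan_line(path, i + 1, l))
        .filter(|f| !is_allowlisted(f, allow))
        .collect()
}

/// Constructed fixture; the AWS value is Amazon's documented placeholder key.
pub const SAMPLE: &str = "# constructed fixture, not a real credential
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
digest = 0123456789abcdef0123456789abcdef01234567
token = A1b2C3d4E5f6G7h8I9j0K_L-M+N/OpQrStUvWxYz
-----BEGIN RSA PRIVATE KEY-----
";

/// Constructed .secretsignore for the fixture.
pub const ALLOWLIST: &str = "# constructed allowlist
AKIAIOSFODNN7EXAMPLE
tests/fixtures/
";

fn main() {
    let allow = parse_allowlist(ALLOWLIST);
    let findings = scan_file("src/config.rs", SAMPLE, &allow);
    for f in &findings {
        println!("{}:{}: {} {}", f.path, f.line, f.rule, f.redacted());
    }
    // Same exit convention as the page: 0 if clean, 1 if secrets were found.
    std::process::exit(if findings.is_empty() { 0 } else { 1 });
}
```

Run stand-alone it reports two findings for `src/config.rs` (the AWS placeholder is allowlisted by value) and exits 1; scanning the same content under `tests/fixtures/` reports nothing because the path pattern suppresses every finding. The hex digest on line 3 is never reported: with only 16 symbols its entropy is about 3.97 bits per character, below both 4.0 and the 4.5 threshold.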
Flags:

| Flag | Default | Description |
|---|---|---|
| `--root` | `.` | Directory to scan |
| `--git-only` | `true` | Only scan git-tracked plus untracked-but-not-ignored files |
| `--staged` | off | Scan only staged changes (overrides `--git-only`) |
| `--verbose` / `-v` | off | Show (redacted) matched content |
| `--allowlist` | `.secretsignore` | Path to allowlist file |
tree-shake — TypeScript Dead Code Removal
Runs `tsr` to remove unused TypeScript exports, treating the project entry points as roots.

Runs: `bunx tsr --write --recursive "^src/(main|index)\.ts$" "^src/app/.*\.(ts|tsx)$"`

The two arguments are regular expressions selecting the entry-point files, not globs. No flags; the command operates on the project root detected by walking up from the current directory. Because `--write` edits files in place, run it on a clean working tree and review the resulting diff before committing.
Project Root Detection
All commands resolve the project root by walking up from the current directory until they reach a directory containing a `Cargo.toml`, `package.json`, or `pyproject.toml`, so `resq <cmd>` can be run from any subdirectory in the monorepo. Because the nearest manifest wins, running from inside a nested package that has its own manifest resolves to that package rather than the repository root; run from the top level, or pass `--root` where the command accepts it, when the whole tree should be covered.
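An added example (not the resq source) of the walk-up rule, exercised on a constructed monorepo layout under the OS temp directory to show that the nearest manifest wins. The directory names and manifest contents are assumptions; the marker list is the one the page gives.

```rust
// Added example (not the resq source): the walk-up rule described above,
// exercised on a constructed monorepo layout under the OS temp directory.
use std::fs;
use std::path::{Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

/// The manifests the page names as root markers, checked in this order.
pub const MANIFESTS: [&str; 3] = ["Cargo.toml", "package.json", "pyproject.toml"];

/// Walk from `start` towards the filesystem root; the first directory that
/// holds any manifest wins, so a nested package shadows the repository root.
pub fn find_project_root(start: &Path) -> Option<(PathBuf, &'static str)> {
    start.ancestors().find_map(|dir| {
        MANIFESTS
            .iter()
            .copied()
            .find(|m| dir.join(*m).is_file())
            .map(|m| (dir.to_path_buf(), m))
    })
}

/// Constructed fixture (assumed layout): a Cargo workspace root that also has a
/// root package.json, plus a nested web-dashboard package with its own manifest.
pub fn make_fixture() -> std::io::Result<PathBuf> {
    let nonce = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_nanos()).unwrap_or(0);
    let root = std::env::temp_dir().join(format!("resq-root-demo-{}-{nonce}", std::process::id()));
    let dashboard = root.join("services").join("web-dashboard");
    fs::create_dir_all(dashboard.join("src").join("components"))?;
    fs::create_dir_all(root.join("tools").join("cli").join("src"))?;
    fs::write(root.join("Cargo.toml"), "[workspace]\nmembers = [\"tools/cli\"]\n")?;
    fs::write(root.join("package.json"), "{\"workspaces\": [\"services/*\"]}\n")?;
    fs::write(dashboard.join("package.json"), "{\"name\": \"web-dashboard\"}\n")?;
    Ok(root)
}

fn main() -> std::io::Result<()> {
    let root = make_fixture()?;
    for sub in ["services/web-dashboard/src/components", "tools/cli/src"] {
        match find_project_root(&root.join(sub)) {
            Some((dir, m)) => println!("{sub}: root = {} (via {m})", dir.display()),
            None => println!("{sub}: no manifest found"),
        }
    }
    fs::remove_dir_all(&root)
}
```

From `services/web-dashboard/src/components` the walk stops at the dashboard's own `package.json`; from `tools/cli/src` it climbs to the repository root and reports `Cargo.toml`. That difference is what the `--root` flag exists to override.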