cura 0.6.0

CLI tool to audit Flutter/Dart package health, dependency scores, and maintenance status.

🩺 Cura

Replace "Vibe Code" with data-driven decisions

---

📖 Table of Contents

• What is Cura?
• Features
• Quick Start
• Installation
• Usage
  • Check Command
  • View Command
  • Config Command
• Scoring Algorithm
• Configuration
• CI/CD Integration
• Advanced Features
• Contributing
• License

---

🎯 What is Cura?

Cura is a CLI tool that provides objective health scores (0-100) for Flutter and Dart packages, helping you make informed decisions about your dependencies instead of relying on intuition ("Vibe Code").

The Problem

When choosing packages, developers often rely on:

• ❌ Gut feeling - "This looks good"
• ❌ Popularity alone - High downloads ≠ quality
• ❌ Outdated information - Last checked 6 months ago

The Solution

Cura analyzes packages across 4 key dimensions:

Dimension	Weight	What it measures
Vitality	40pts	Release frequency, commit recency, active maintenance.
Technical Health	30pts	Pana score, null safety, platform support
Trust	20pts	Popularity, community engagement
Maintenance	10pts	Verified publisher, Flutter Favorite

Score: 0-100 → Grade: F to A+

---

✨ Features

Core Features

• 🔍 Package Analysis - Deep health check for any pub.dev package
• 📊 Project Scanning - Analyze all dependencies in your pubspec.yaml
• 💯 Objective Scoring - Data-driven scores (0-100) with detailed breakdown
• 💡 Smart Suggestions - Recommendations for better alternatives
• ⚡ Fast & Cached - Local SQLite cache for instant results

Developer Experience

• 🎨 Beautiful CLI - Color-coded output with progress bars
• 🌗 Theme Support - Dark, Light, Minimal, Dracula themes
• 🔧 Highly Configurable - Global + project-level configs
• 🚀 CI/CD Ready - Exit codes, JSON output, quiet mode

Advanced

• 🌐 Multi-API - Aggregates data from pub.dev, GitHub, OSV.dev
• 🔄 Auto-update - Background cache refresh every 24h
• 📈 GitHub Metrics - Stars, issues, commit activity (optional)
• 🔐 Security Checks - CVE detection via OSV.dev

---

⚡ Quick Start

# Install globally
dart pub global activate cura

# Analyze your Flutter project
cd my_flutter_app
cura check

# View detailed score for a specific package
cura view riverpod

# CI/CD health check
cura check --min-score 70

Output:

📦 Scanning pubspec.yaml...
Found 15 dependencies

✓ Analyzing packages... [████████████████████] 15/15 (3.2s)

┌────────────────────────┬───────┬────────┬──────────────┐
│ Package                │ Score │ Status │ Last Update  │
├────────────────────────┼───────┼────────┼──────────────┤
│ riverpod               │  92   │   ✅   │ 1 month      │
│ dio                    │  88   │   ✅   │ 15 days      │
│ provider               │  68   │   ⚠️   │ 8 months     │
│ old_package            │  25   │   ❌   │ 32 months    │
└────────────────────────┴───────┴────────┴──────────────┘

📊 Summary
   Average Score: 75.3/100
   ✅ Healthy: 12/15 (80%)
   💡 Alternatives Available: 2

---

📥 Installation

Method 1: Global Installation (Recommended)

dart pub global activate cura

Verify installation:

cura --version

Method 2: Local Installation

# Clone the repository
git clone https://github.com/meragix/cura.git
cd cura

# Install dependencies
dart pub get

# Activate locally
dart pub global activate --source path .

Requirements

• Dart SDK ≥ 3.0.0
• Internet connection (for initial package analysis)

---

🚀 Usage

Check Command

Analyze all dependencies in your project.

cura check [options]

Options:

• -p, --path <path> - Project directory (default: current directory)
• --min-score <score> - Fail if average score below threshold
• --fail-on-vulnerable - Exit 1 if vulnerabilities found
• --fail-on-discontinued - Exit 1 if discontinued packages found
• --no-github - Skip GitHub metrics (faster, offline mode)
• --json - Output results as JSON
• -q, --quiet - Minimal output

Examples:

# Basic check
cura check

# Scan specific directory
cura check --path /path/to/project

# Strict check for CI/CD
cura check --min-score 80 --fail-on-vulnerable

# CI/CD mode with threshold
cura check --min-score 80 --json > report.json

# Offline mode (cached data only)
cura check --no-github

# Quiet mode (only errors)
cura check --quiet
echo $?  # 0 = pass, 1 = fail

---

See also: doc/scan.md for advanced usage

GitHub Actions Integration:

- name: Cura Health Check
  run: cura check --min-score 75

See also: doc/ci-cd.md for CI/CD best practices

---

View Command

Get detailed analysis for a specific package.

cura view <package> [options]

Options:

• -v, --verbose - Show detailed debug information
• --json - Output as JSON

Examples:

# View package score
cura view dio

# Verbose mode (cache status, API calls, timing)
cura view dio --verbose

# JSON output for scripts
cura view dio --json | jq '.score.total'

Output (Normal):

$ cura view dio

═════════════════════════════════════════════════════════════════

 ✨ dio v5.4.0

 ● Score: 92/100 (A+)
 
 █ Vitality  ▓ Tech  █ Trust  ▒ Maint

Key Metrics
  Publisher:   dart.dev ✓
  Pub Score:   135/140 ●
  Popularity:  98% ●●●
  Likes:       12,450
  Last Update: 1 month ago 🟢
  Repository:  github.com/cfug/dio
  Platforms:   android, ios, web, linux, macos, windows
  Flutter Favorite ✨

GitHub
  Stars:       ⭐ 12.0K
  Forks:       1,234
  Open Issues: 45
  Activity:    87 commits (90d)
  Last Commit: 2 days ago

✓ Recommended - High-quality, actively maintained package

$ cura view bad_pkg

═════════════════════════════════════════════════════════════════

 ✗ bad_pkg v0.0.1

 ● Score: 25/100 (F)
 
 · Vitality  ░ Tech  ░ Trust  · Maint

Issues Detected
  ● No updates in 2.6 years
  ● Unverified publisher
  ● No repository
  ● Minimal documentation

Key Metrics
  Publisher:   None (unverified)
  Pub Score:   35/140 ○
  Popularity:  12% ○○○
  Likes:       8
  Last Update: 2 yr 7 mo ago ⚠
  Repository:  None

Better Alternatives
  → better_package (88/100)
    Modern alternative with active maintenance
  
  → another_option (82/100)
    Well-documented with good community support

✗ Not Recommended - Appears abandoned, high risk for production use

Output (Verbose):

$ cura view dio --verbose

[... same output as above ...]

Detailed Score Breakdown
  Vitality (38/40):
    ✓ Last published: 1 month ago (38 pts)
    ✓ Stable package bonus (v5.x) (+5 pts)
  
  Technical Health (28/30):
    ✓ Pana score: 135/140 (14 pts)
    ✓ Null safety: Yes (10 pts)
    ✓ Platform support: 6 platforms (4 pts)
  
  Trust (19/20):
    ✓ Likes: 12,450 (9 pts)
    ✓ Popularity: 98% (10 pts)
  
  Maintenance (7/10):
    ✓ Verified publisher (5 pts)
    ✓ Flutter Favorite (2 pts)

Feature Highlights
  ✓ Request/Response interceptors
  ✓ FormData support (file uploads)
  ✓ Request cancellation
  ✓ Built-in retry logic
  ✓ Global configuration
  ✓ Extensive documentation

[...]

See also: doc/view.md for output customization

---

Config Command

Manage global and project-level configuration.

cura config <subcommand> [options]

Subcommands:

• show - Display current configuration
• init - Create project config (./.cura/config.yaml)
• edit - Open config in editor
• set <key> <value> - Set a configuration value
• get <key> - Get a configuration value
• reset - Reset to defaults
• validate - Validate config file

Examples:

# Show config hierarchy
cura config show

# Initialize project config
cura config init

# Set global preference
cura config set theme dracula --global

# Set project-specific min score
cura config set min_score 85 --project

# Edit config
cura config edit --global

See also: doc/configuration.md for all options

---

📊 Scoring Algorithm

Cura calculates a score from 0 to 100 based on weighted criteria:

Score Breakdown

Total Score = Vitality (40) + Technical Health (30) + Trust (20) + Maintenance (10)

1. Vitality (40 points)

Measures how actively maintained the package is.

Last Update	Score
< 1 month	40
1-3 months	35
3-6 months	28
6-12 months	20
1-2 years	10
> 2 years	0

Exceptions: Packages with high Pana scores (>130) and proven stability receive bonus points even if older.

2. Technical Health (30 points)

Evaluates code quality and platform support.

• Pana Score (15pts): Normalized from pub.dev's 0-140 scale
• Null Safety (10pts): Supports null safety
• Platform Support (5pts): Number of supported platforms (iOS, Android, Web, etc.)

3. Trust (20 points)

Measures community confidence.

• Likes (10pts): Normalized from pub.dev likes
• Popularity (10pts): Based on download metrics

4. Maintenance (10 points)

Indicates official support and reliability.

• Verified Publisher (5pts): Has verified publisher
• Flutter Favorite (5pts): Official Flutter Favorite badge

Grade Mapping

Score	Grade	Meaning
90-100	A+	Excellent - Production ready
80-89	A	Very good - Highly recommended
70-79	B	Good - Safe to use
60-69	C	Fair - Use with caution
50-59	D	Poor - Consider alternatives
0-49	F	Critical - Avoid

Penalties

Automatic score of 0 if:

• Package is marked as discontinued
• Critical security vulnerabilities detected (via OSV.dev)

See also: doc/scoring.md for detailed algorithm explanation

---

⚙️ Configuration

Cura supports hierarchical configuration: Project > Global > Defaults

Config Locations

~/.cura/config.yaml          # Global config (user preferences)
./.cura/config.yaml          # Project config (team standards)

Config Hierarchy

CLI Flags (highest priority)
    ↓
Project Config (./.cura/config.yaml)
    ↓
Global Config (~/.cura/config.yaml)
    ↓
Defaults (lowest priority)

Example Configuration

Global Config (~/.cura/config.yaml):

# Appearance
theme: dracula
use_emojis: true
use_colors: true

# Cache
cache_max_age: 24  # hours
auto_update: true

# Scoring
min_score: 70

# API
timeout_seconds: 10
github_token: ghp_your_token_here

# Suggestions
show_suggestions: true
max_suggestions_per_package: 3

Project Config (./.cura/config.yaml):

# Override for this project
min_score: 85

# Ignore internal packages
ignore_packages:
  - internal_test_package

# Trust company packages
trusted_publishers:
  - my-company.dev

Common Settings

Setting	Type	Default	Description
theme	string	dark	UI theme (dark, light, minimal, dracula)
min_score	int	70	Minimum acceptable score
cache_max_age	int	24	Cache TTL in hours
github_token	string	null	GitHub PAT for higher rate limits
ignore_packages	list	[]	Packages to skip during analysis
trusted_publishers	list	[]	Auto-approve publishers

See also: doc/configuration.md for full reference

---

🔄 CI/CD Integration

GitHub Actions

name: Cura Health Check

on: [push, pull_request]

jobs:
  health:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - uses: dart-lang/setup-dart@v1
      
      - name: Install Cura
        run: dart pub global activate cura
      
      - name: Health Check
        run: cura check --min-score 75 --fail-on-vulnerable

GitLab CI

cura_check:
  image: dart:stable
  script:
    - dart pub global activate cura
    - cura check --min-score 80 --quiet
  allow_failure: false

Exit Codes

• 0 - All checks passed
• 1 - Failed (score below threshold, vulnerabilities, etc.)

See also: doc/ci-cd.md for advanced workflows

---

🎨 Advanced Features

Themes

Switch between 4 built-in themes:

# Via CLI flag
cura check --theme=dracula

# Via config
cura config set theme light

# Via environment variable
export CURA_THEME=minimal
cura check

Available Themes:

• dark - Default, vibrant colors
• light - For light terminals
• minimal - Monochrome, CI/CD friendly

See also: doc/themes.md for theme customization

---

Caching

Cura uses local SQLite cache to minimize API calls.

Cache locations:

~/.cura/cache/cura_cache.db           # Package scores
~/.cura/suggestions_cache.yaml        # Alternative suggestions

Cache management:

# Clear cache
cura clean

# View cache stats
cura config show

# Disable cache
cura check --no-cache

Cache TTL:

• Popular packages (>1000 likes): 1 hour
• Normal packages: 24 hours
• Failed requests: Not cached

See also: docs/caching.md for cache strategies

---

Multi-API Aggregation

Cura aggregates data from multiple sources:

Source	Data Retrieved
pub.dev	Pana score, likes, popularity, publisher
GitHub	Stars, issues, commits, contributors
OSV.dev	Security vulnerabilities (CVEs)

GitHub integration:

# Set GitHub token for higher rate limits
cura config set github_token ghp_xxxxx

# Disable GitHub (faster, offline)
cura scan --no-github

Rate limits:

• pub.dev: ~10 req/s (built-in retry)
• GitHub: 60 req/h (5000/h with token)
• OSV.dev: No limit

See also: docs/api-integration.md

---

🤝 Contributing

We welcome contributions! Here's how you can help:

Bug Reports & Feature Requests

Open an issue with:

• Clear description
• Steps to reproduce (for bugs)
• Expected vs actual behavior

Code Contributions

1. Fork the repository
2. Create a feature branch (git checkout -b feat/amazing-feature)
3. Commit your changes (git commit -m 'feat: add amazing feature')
4. Push to the branch (git push origin feat/amazing-feature)
5. Open a Pull Request

Development setup:

git clone https://github.com/meragix/cura.git
cd cura
dart pub get
dart run bin/cura.dart --help

Run tests:

dart test

1. Submit PR (auto-validated by CI)

See also: CONTRIBUTING.md for guidelines

---

📚 Documentation

• Scoring Algorithm - Detailed score calculation
• Configuration - All config options
• CI/CD Integration - GitHub Actions, GitLab CI examples
• Themes - Theme customization
• API Integration - Multi-API architecture
• Caching - Cache strategies
• Suggestions - Alternatives engine

---

💬 Community

• Discord: Join our server
• Twitter: @Meragix
• Discussions: GitHub Discussions

---

📄 License

Cura is MIT licensed. See LICENSE for details.

---

🙏 Acknowledgments

• Inspired by Pana and npm's Snyk
• Built with mason_logger for beautiful CLI output
• Data provided by pub.dev, GitHub, and OSV.dev

---

Made with ❤️ for the Flutter/Dart community

⭐ Star us on GitHub • 🐛 Report Bug • 💬 Discussions