@indicated/vibeguard 1.0.0

package/dist/scanner/rules/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../../src/scanner/rules/loader.ts"],"names":[],"mappings":";;AAKA,8BA0BC;AAED,kCAyBC;AAzDD,+CAA8C;AAE9C,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,2BAA2B,CAAC;AAE3E,KAAK,UAAU,SAAS,CAAC,UAAmB;IACjD,2BAA2B;IAC3B,+CAA+C;IAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAC5D,OAAO,2BAAa,CAAC;IACvB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,YAAY,WAAW,EAAE;YACvD,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,UAAU,EAAE;gBACvC,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,wCAAwC;YACxC,OAAO,2BAAa,CAAC;QACvB,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA+B,CAAC;QACnE,OAAO,IAAI,CAAC,KAAK,IAAI,2BAAa,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,4CAA4C;QAC5C,OAAO,2BAAa,CAAC;IACvB,CAAC;AACH,CAAC;AAED,SAAgB,WAAW,CACzB,KAAqB,EACrB,OAIC;IAED,IAAI,QAAQ,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IAE1B,IAAI,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,OAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpD,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,QAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;IAC3E,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtD,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAChC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,SAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAC/D,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/scanner/rules/matcher.d.ts

@@ -0,0 +1,11 @@
+import { SecurityRule, Finding } from '../../types';
+export interface MatchContext {
+    code: string;
+    lines: string[];
+    filePath: string;
+    language: string;
+}
+export declare function matchPatterns(rule: SecurityRule, context: MatchContext): Finding[];
+export declare function deduplicateFindings(findings: Finding[]): Finding[];
+export declare function sortBySeverity(findings: Finding[]): Finding[];
+//# sourceMappingURL=matcher.d.ts.map

package/dist/scanner/rules/matcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"matcher.d.ts","sourceRoot":"","sources":["../../../src/scanner/rules/matcher.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAEpD,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,wBAAgB,aAAa,CAC3B,IAAI,EAAE,YAAY,EAClB,OAAO,EAAE,YAAY,GACpB,OAAO,EAAE,CAmCX;AAED,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,OAAO,EAAE,CAQlE;AAED,wBAAgB,cAAc,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,OAAO,EAAE,CAQ7D"}

package/dist/scanner/rules/matcher.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.matchPatterns = matchPatterns;
+exports.deduplicateFindings = deduplicateFindings;
+exports.sortBySeverity = sortBySeverity;
+function matchPatterns(rule, context) {
+    const findings = [];
+    if (!rule.patterns)
+        return findings;
+    for (const pattern of rule.patterns) {
+        let match;
+        const regex = new RegExp(pattern.source, pattern.flags + (pattern.flags.includes('g') ? '' : 'g'));
+        while ((match = regex.exec(context.code)) !== null) {
+            const beforeMatch = context.code.substring(0, match.index);
+            const lineNumber = (beforeMatch.match(/\n/g) || []).length + 1;
+            const lineStart = beforeMatch.lastIndexOf('\n') + 1;
+            const column = match.index - lineStart;
+            findings.push({
+                rule,
+                file: context.filePath,
+                line: lineNumber,
+                column,
+                code: context.lines[lineNumber - 1] || '',
+                message: rule.description,
+            });
+            // Prevent infinite loops on zero-width matches
+            if (match.index === regex.lastIndex) {
+                regex.lastIndex++;
+            }
+        }
+    }
+    return findings;
+}
+function deduplicateFindings(findings) {
+    const seen = new Set();
+    return findings.filter(finding => {
+        const key = `${finding.rule.id}:${finding.file}:${finding.line}`;
+        if (seen.has(key))
+            return false;
+        seen.add(key);
+        return true;
+    });
+}
+function sortBySeverity(findings) {
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    return findings.sort((a, b) => {
+        const severityDiff = severityOrder[a.rule.severity] - severityOrder[b.rule.severity];
+        if (severityDiff !== 0)
+            return severityDiff;
+        return a.file.localeCompare(b.file) || a.line - b.line;
+    });
+}
+//# sourceMappingURL=matcher.js.map

package/dist/scanner/rules/matcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"matcher.js","sourceRoot":"","sources":["../../../src/scanner/rules/matcher.ts"],"names":[],"mappings":";;AASA,sCAsCC;AAED,kDAQC;AAED,wCAQC;AA1DD,SAAgB,aAAa,CAC3B,IAAkB,EAClB,OAAqB;IAErB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,IAAI,CAAC,IAAI,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAEpC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QACpC,IAAI,KAAK,CAAC;QACV,MAAM,KAAK,GAAG,IAAI,MAAM,CACtB,OAAO,CAAC,MAAM,EACd,OAAO,CAAC,KAAK,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CACzD,CAAC;QAEF,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACnD,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC3D,MAAM,UAAU,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;YAC/D,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACpD,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,GAAG,SAAS,CAAC;YAEvC,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI;gBACJ,IAAI,EAAE,OAAO,CAAC,QAAQ;gBACtB,IAAI,EAAE,UAAU;gBAChB,MAAM;gBACN,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE;gBACzC,OAAO,EAAE,IAAI,CAAC,WAAW;aAC1B,CAAC,CAAC;YAEH,+CAA+C;YAC/C,IAAI,KAAK,CAAC,KAAK,KAAK,KAAK,CAAC,SAAS,EAAE,CAAC;gBACpC,KAAK,CAAC,SAAS,EAAE,CAAC;YACpB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAgB,mBAAmB,CAAC,QAAmB;IACrD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,OAAO,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE;QAC/B,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjE,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAChC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAgB,cAAc,CAAC,QAAmB;IAChD,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAClE,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC5B,MAAM,YAAY,GAChB,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAClE,IAAI,YAAY,KAAK,CAAC;YAAE,OAAO,YAAY,CAAC;QAC5C,OAAO,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;IACzD,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,33 @@
+export type Severity = 'critical' | 'high' | 'medium' | 'low';
+export interface SecurityRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: Severity;
+    languages: ('javascript' | 'typescript' | 'python')[];
+    patterns?: RegExp[];
+    astMatcher?: string;
+    fix?: string;
+}
+export interface Finding {
+    rule: SecurityRule;
+    file: string;
+    line: number;
+    column: number;
+    code: string;
+    message: string;
+}
+export interface ScanResult {
+    files: number;
+    findings: Finding[];
+    duration: number;
+}
+export interface Config {
+    exclude?: string[];
+    severity?: Severity;
+    rules?: {
+        enabled?: string[];
+        disabled?: string[];
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAE9D,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,QAAQ,CAAC;IACnB,SAAS,EAAE,CAAC,YAAY,GAAG,YAAY,GAAG,QAAQ,CAAC,EAAE,CAAC;IACtD,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,YAAY,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,MAAM;IACrB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,KAAK,CAAC,EAAE;QACN,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;CACH"}

package/dist/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@indicated/vibeguard",
+  "version": "1.0.0",
+  "description": "Local CLI security scanner for AI-generated code",
+  "main": "dist/cli/index.js",
+  "bin": {
+    "vibeguard": "./dist/cli/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/cli/index.js",
+    "dev": "tsc --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "cli",
+    "vulnerability",
+    "code-analysis"
+  ],
+  "author": "",
+  "license": "ISC",
+  "type": "commonjs",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@babel/parser": "^7.28.6",
+    "@babel/traverse": "^7.28.6",
+    "@babel/types": "^7.28.6",
+    "@modelcontextprotocol/sdk": "^1.25.3",
+    "@types/node": "^25.1.0",
+    "chalk": "^5.6.2",
+    "commander": "^14.0.2",
+    "glob": "^13.0.0",
+    "ora": "^9.1.0",
+    "typescript": "^5.9.3",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/babel__traverse": "^7.28.0",
+    "@vitest/coverage-v8": "^4.0.18",
+    "vitest": "^4.0.18"
+  }
+}

package/src/api/license.ts

@@ -0,0 +1,120 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+
+const CONFIG_DIR = path.join(os.homedir(), '.vibeguard');
+const LICENSE_FILE = path.join(CONFIG_DIR, 'license.json');
+const API_BASE_URL = process.env.VIBEGUARD_API_URL || 'https://api.vibeguard.dev';
+
+interface LicenseData {
+  key: string;
+  email?: string;
+  validUntil?: string;
+}
+
+export function getLicenseKey(): string | null {
+  try {
+    if (fs.existsSync(LICENSE_FILE)) {
+      const data = JSON.parse(fs.readFileSync(LICENSE_FILE, 'utf-8'));
+      return data.key || null;
+    }
+  } catch {
+    // Ignore errors
+  }
+  return null;
+}
+
+export function saveLicenseKey(key: string, email?: string): void {
+  if (!fs.existsSync(CONFIG_DIR)) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  }
+
+  const data: LicenseData = { key, email };
+  fs.writeFileSync(LICENSE_FILE, JSON.stringify(data, null, 2));
+}
+
+export function clearLicenseKey(): void {
+  if (fs.existsSync(LICENSE_FILE)) {
+    fs.unlinkSync(LICENSE_FILE);
+  }
+}
+
+export async function validateLicense(key: string): Promise<{
+  valid: boolean;
+  message?: string;
+  tier?: string;
+}> {
+  // For offline/development mode, accept any key
+  if (process.env.VIBEGUARD_OFFLINE === 'true') {
+    return { valid: true, tier: 'offline' };
+  }
+
+  try {
+    const response = await fetch(`${API_BASE_URL}/v1/license/validate`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ key }),
+    });
+
+    if (response.ok) {
+      const data = (await response.json()) as { tier?: string };
+      return {
+        valid: true,
+        tier: data.tier || 'standard',
+      };
+    }
+
+    const error = (await response.json().catch(() => ({}))) as { message?: string };
+    return {
+      valid: false,
+      message: error.message || 'Invalid license key',
+    };
+  } catch {
+    // If API is unreachable, allow offline mode
+    return {
+      valid: true,
+      message: 'Running in offline mode',
+      tier: 'offline',
+    };
+  }
+}
+
+export async function activateLicense(
+  email: string,
+  key: string
+): Promise<{ success: boolean; message: string }> {
+  if (process.env.VIBEGUARD_OFFLINE === 'true') {
+    saveLicenseKey(key, email);
+    return { success: true, message: 'License activated in offline mode' };
+  }
+
+  try {
+    const response = await fetch(`${API_BASE_URL}/v1/license/activate`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ email, key }),
+    });
+
+    if (response.ok) {
+      saveLicenseKey(key, email);
+      return { success: true, message: 'License activated successfully' };
+    }
+
+    const error = (await response.json().catch(() => ({}))) as { message?: string };
+    return {
+      success: false,
+      message: error.message || 'Failed to activate license',
+    };
+  } catch {
+    // Allow offline activation
+    saveLicenseKey(key, email);
+    return {
+      success: true,
+      message: 'License saved locally (offline mode)',
+    };
+  }
+}

package/src/api/rules.ts

@@ -0,0 +1,70 @@
+import { SecurityRule } from '../types';
+import { securityRules } from '../scanner/rules/definitions';
+
+const API_BASE_URL = process.env.VIBEGUARD_API_URL || 'https://api.vibeguard.dev';
+
+interface RulesResponse {
+  version: string;
+  rules: SecurityRule[];
+}
+
+export async function fetchLatestRules(licenseKey?: string): Promise<RulesResponse> {
+  // For offline mode or no license, use bundled rules
+  if (process.env.VIBEGUARD_OFFLINE === 'true' || !licenseKey) {
+    return {
+      version: 'local',
+      rules: securityRules,
+    };
+  }
+
+  try {
+    const response = await fetch(`${API_BASE_URL}/v1/rules`, {
+      headers: {
+        'Authorization': `Bearer ${licenseKey}`,
+        'Accept': 'application/json',
+      },
+    });
+
+    if (response.ok) {
+      return (await response.json()) as RulesResponse;
+    }
+
+    // Fall back to local rules
+    return {
+      version: 'local',
+      rules: securityRules,
+    };
+  } catch {
+    // Network error, use local rules
+    return {
+      version: 'local',
+      rules: securityRules,
+    };
+  }
+}
+
+export async function reportScanMetrics(
+  licenseKey: string,
+  metrics: {
+    filesScanned: number;
+    findingsCount: number;
+    duration: number;
+  }
+): Promise<void> {
+  if (process.env.VIBEGUARD_OFFLINE === 'true') {
+    return;
+  }
+
+  try {
+    await fetch(`${API_BASE_URL}/v1/metrics`, {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${licenseKey}`,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify(metrics),
+    });
+  } catch {
+    // Silently ignore metrics errors
+  }
+}

package/src/cli/commands/init.ts

@@ -0,0 +1,123 @@
+import { Command } from 'commander';
+import * as fs from 'fs';
+import * as path from 'path';
+import { execSync } from 'child_process';
+import { formatSuccess, formatError, formatInfo, formatWarning } from '../output';
+
+const HUSKY_HOOK = `#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npx vibeguard scan --staged
+`;
+
+const SIMPLE_HOOK = `#!/bin/sh
+npx vibeguard scan --staged
+`;
+
+export function createInitCommand(): Command {
+  const init = new Command('init')
+    .description('Set up pre-commit hook for automatic scanning')
+    .option('--force', 'Overwrite existing hooks')
+    .action(async (options) => {
+      const cwd = process.cwd();
+
+      try {
+        // Check if we're in a git repo
+        if (!fs.existsSync(path.join(cwd, '.git'))) {
+          console.log(formatError('Not a git repository. Run "git init" first.'));
+          process.exit(1);
+        }
+
+        // Check for husky
+        const packageJsonPath = path.join(cwd, 'package.json');
+        let hasHusky = false;
+        let huskyDir = '';
+
+        if (fs.existsSync(packageJsonPath)) {
+          const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+          hasHusky = !!(
+            pkg.devDependencies?.husky ||
+            pkg.dependencies?.husky
+          );
+        }
+
+        // Check for .husky directory
+        const huskyPath = path.join(cwd, '.husky');
+        if (fs.existsSync(huskyPath)) {
+          hasHusky = true;
+          huskyDir = huskyPath;
+        }
+
+        if (hasHusky && huskyDir) {
+          // Add husky hook
+          const hookPath = path.join(huskyDir, 'pre-commit');
+
+          if (fs.existsSync(hookPath) && !options.force) {
+            // Check if vibeguard is already in the hook
+            const existingHook = fs.readFileSync(hookPath, 'utf-8');
+            if (existingHook.includes('vibeguard')) {
+              console.log(formatInfo('VibeGuard hook already installed.'));
+              return;
+            }
+
+            // Append to existing hook
+            const updatedHook = existingHook.trimEnd() + '\n\nnpx vibeguard scan --staged\n';
+            fs.writeFileSync(hookPath, updatedHook);
+            console.log(formatSuccess('Added VibeGuard to existing pre-commit hook.'));
+          } else {
+            fs.writeFileSync(hookPath, HUSKY_HOOK);
+            fs.chmodSync(hookPath, '755');
+            console.log(formatSuccess('Created pre-commit hook with VibeGuard.'));
+          }
+        } else {
+          // No husky, use simple git hook
+          const hooksDir = path.join(cwd, '.git', 'hooks');
+          const hookPath = path.join(hooksDir, 'pre-commit');
+
+          if (fs.existsSync(hookPath) && !options.force) {
+            const existingHook = fs.readFileSync(hookPath, 'utf-8');
+            if (existingHook.includes('vibeguard')) {
+              console.log(formatInfo('VibeGuard hook already installed.'));
+              return;
+            }
+
+            // Append to existing hook
+            const updatedHook = existingHook.trimEnd() + '\n\nnpx vibeguard scan --staged\n';
+            fs.writeFileSync(hookPath, updatedHook);
+            fs.chmodSync(hookPath, '755');
+            console.log(formatSuccess('Added VibeGuard to existing pre-commit hook.'));
+          } else {
+            fs.writeFileSync(hookPath, SIMPLE_HOOK);
+            fs.chmodSync(hookPath, '755');
+            console.log(formatSuccess('Created pre-commit hook.'));
+          }
+
+          console.log(formatInfo('Tip: Consider using Husky for better hook management.'));
+          console.log(formatInfo('  npm install husky --save-dev'));
+          console.log(formatInfo('  npx husky init'));
+        }
+
+        // Create .vibeguardrc.json if it doesn't exist
+        const configPath = path.join(cwd, '.vibeguardrc.json');
+        if (!fs.existsSync(configPath)) {
+          const defaultConfig = {
+            exclude: ['node_modules', 'dist', 'build'],
+            rules: {
+              disabled: [],
+            },
+          };
+          fs.writeFileSync(configPath, JSON.stringify(defaultConfig, null, 2));
+          console.log(formatSuccess('Created .vibeguardrc.json config file.'));
+        }
+
+        console.log('\n' + formatSuccess('VibeGuard initialized successfully!'));
+        console.log(formatInfo('Your code will be scanned before each commit.'));
+        console.log(formatInfo('Use "git commit --no-verify" to skip the check if needed.'));
+      } catch (error) {
+        console.error(formatError(error instanceof Error ? error.message : 'Init failed'));
+        process.exit(1);
+      }
+    });
+
+  return init;
+}

package/src/cli/commands/login.ts

@@ -0,0 +1,92 @@
+import { Command } from 'commander';
+import * as readline from 'readline';
+import { activateLicense, clearLicenseKey, getLicenseKey } from '../../api/license';
+import { formatSuccess, formatError, formatInfo } from '../output';
+
+function prompt(question: string): Promise<string> {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+
+  return new Promise(resolve => {
+    rl.question(question, answer => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+export function createLoginCommand(): Command {
+  const login = new Command('login')
+    .description('Authenticate with your VibeGuard license key')
+    .option('--key <key>', 'License key (or enter interactively)')
+    .option('--email <email>', 'Email address associated with license')
+    .action(async (options) => {
+      try {
+        // Check if already logged in
+        const existingKey = getLicenseKey();
+        if (existingKey) {
+          console.log(formatInfo('You are already logged in.'));
+          console.log(formatInfo('Use "vibeguard logout" to log out first.'));
+          return;
+        }
+
+        // Get license key
+        let key = options.key;
+        if (!key) {
+          key = await prompt('Enter your license key: ');
+        }
+
+        if (!key) {
+          console.log(formatError('License key is required'));
+          process.exit(1);
+        }
+
+        // Get email
+        let email = options.email;
+        if (!email) {
+          email = await prompt('Enter your email (optional): ');
+        }
+
+        // Activate license
+        console.log('\nActivating license...');
+        const result = await activateLicense(email || '', key);
+
+        if (result.success) {
+          console.log(formatSuccess(result.message));
+          console.log(formatInfo('You can now run "vibeguard scan" to scan your code.'));
+        } else {
+          console.log(formatError(result.message));
+          process.exit(1);
+        }
+      } catch (error) {
+        console.error(formatError(error instanceof Error ? error.message : 'Login failed'));
+        process.exit(1);
+      }
+    });
+
+  return login;
+}
+
+export function createLogoutCommand(): Command {
+  const logout = new Command('logout')
+    .description('Remove stored license key')
+    .action(() => {
+      try {
+        const existingKey = getLicenseKey();
+        if (!existingKey) {
+          console.log(formatInfo('You are not logged in.'));
+          return;
+        }
+
+        clearLicenseKey();
+        console.log(formatSuccess('Logged out successfully.'));
+      } catch (error) {
+        console.error(formatError(error instanceof Error ? error.message : 'Logout failed'));
+        process.exit(1);
+      }
+    });
+
+  return logout;
+}

package/src/cli/commands/mcp.ts

@@ -0,0 +1,12 @@
+import { Command } from 'commander';
+import { startMcpServer } from '../../mcp/server';
+
+export function createMcpCommand(): Command {
+  const mcp = new Command('mcp')
+    .description('Start VibeGuard as an MCP server for AI assistant integration')
+    .action(async () => {
+      await startMcpServer();
+    });
+
+  return mcp;
+}

package/src/cli/commands/rules.ts

@@ -0,0 +1,58 @@
+import { Command } from 'commander';
+import { loadRules } from '../../scanner/rules/loader';
+import { getLicenseKey } from '../../api/license';
+import { formatRule, formatHeader, formatInfo } from '../output';
+
+const packageJson = require('../../../package.json');
+
+export function createRulesCommand(): Command {
+  const rules = new Command('rules')
+    .description('List all available security rules')
+    .option('--severity <level>', 'Filter by severity (critical, high, medium, low)')
+    .option('--language <lang>', 'Filter by language (javascript, typescript, python)')
+    .option('--json', 'Output as JSON')
+    .action(async (options) => {
+      try {
+        const licenseKey = getLicenseKey();
+        let allRules = await loadRules(licenseKey || undefined);
+
+        // Apply filters
+        if (options.severity) {
+          allRules = allRules.filter(r => r.severity === options.severity);
+        }
+
+        if (options.language) {
+          allRules = allRules.filter(r =>
+            r.languages.includes(options.language as 'javascript' | 'typescript' | 'python')
+          );
+        }
+
+        if (options.json) {
+          console.log(JSON.stringify(allRules, null, 2));
+          return;
+        }
+
+        console.log(formatHeader(packageJson.version));
+        console.log(formatInfo(`${allRules.length} security rules available\n`));
+
+        // Group by severity
+        const severities = ['critical', 'high', 'medium', 'low'] as const;
+
+        for (const severity of severities) {
+          const rulesInSeverity = allRules.filter(r => r.severity === severity);
+          if (rulesInSeverity.length > 0) {
+            console.log(`\n${severity.toUpperCase()} (${rulesInSeverity.length})`);
+            console.log('─'.repeat(40));
+            for (const rule of rulesInSeverity) {
+              console.log(formatRule(rule));
+            }
+          }
+        }
+      } catch (error) {
+        console.error('Failed to load rules:', error instanceof Error ? error.message : error);
+        process.exit(1);
+      }
+    });
+
+  return rules;
+}