@vibecheck-ai/cli 23.2.0 → 24.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -2,7 +2,7 @@
2
2
 
3
3
  <br />
4
4
 
5
- <img src="https://github.com/guardiavault-oss/Vibecheck/raw/HEAD/packages/vscode-extension/images/vibecheck_logo_transparent_2x.png" alt="VibeCheck CLI" width="80" />
5
+ <img src="https://github.com/vibecheck-oss/vibecheck/raw/HEAD/packages/vscode-extension/images/vibecheck_logo_transparent_2x.png" alt="VibeCheck CLI" width="80" />
6
6
 
7
7
  <br />
8
8
 
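Review bot: the logo `src` on line 5 moves from the `guardiavault-oss/Vibecheck` repository to `vibecheck-oss/vibecheck` with no notice of the move anywhere in the README, so a reader comparing the two versions cannot tell whether the new owner is the same project. Add a short note about the repository move to the README or changelog. The URL also still points at `raw/HEAD`, a mutable ref; pinning the asset to a release tag or commit would keep the rendered README fixed to what was reviewed at publish time.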
@@ -21,7 +21,7 @@ Catches phantom dependencies, ghost API routes, fake SDK methods, credential lea
21
21
  <br />
22
22
 
23
23
  <p align="center">
24
- <img src="https://github.com/guardiavault-oss/Vibecheck/raw/HEAD/docs/assets/cli-scan-demo.gif" alt="VibeCheck CLI scanning a project in real time" width="820" />
24
+ <img src="https://github.com/vibecheck-oss/vibecheck/raw/HEAD/docs/assets/cli-scan-demo.gif" alt="VibeCheck CLI scanning a project in real time" width="820" />
25
25
  </p>
26
26
 
27
27
  <br />
@@ -43,7 +43,7 @@ Every AI coding tool — **Cursor, Copilot, Claude, Windsurf, ChatGPT** — prod
43
43
 
44
44
  Your linter says it's fine. TypeScript says it's fine. PR review says it's fine.
45
45
 
46
- **VibeCheck catches what they miss.** 17 detection engines. One command. Zero config.
46
+ **VibeCheck catches what they miss.** 14 detection engines. One command. Zero config.
47
47
 
48
48
  <br />
49
49
 
@@ -67,10 +67,14 @@ vc scan .
67
67
 
68
68
  That's it. No config files. No API keys. No setup wizard.
69
69
 
70
+ ### API compatibility
71
+
72
+ When you sign in and use **server-backed daily scan limits**, the CLI must be a **current release** (24.x or newer as of this major). The API rejects legacy clients without up-to-date scan metering headers. If you see `SCAN_CLIENT_UPGRADE_REQUIRED`, run `npm i -g @vibecheck-ai/cli@latest` (or use `npx @vibecheck-ai/cli@latest`).
73
+
70
74
  <br />
71
75
 
72
76
  <p align="center">
73
- <img src="https://github.com/guardiavault-oss/Vibecheck/raw/HEAD/docs/assets/cli-quickstart.png" alt="VibeCheck CLI quick start output" width="720" />
77
+ <img src="https://github.com/vibecheck-oss/vibecheck/raw/HEAD/docs/assets/cli-quickstart.png" alt="VibeCheck CLI quick start output" width="720" />
74
78
  </p>
75
79
 
76
80
  <br />
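Review bot: the remediation in the new "API compatibility" paragraph tells users to install `@vibecheck-ai/cli@latest` globally or run it through `npx`, which pulls whatever is published at that moment rather than a release the user has reviewed. Name the minimum supported version plainly ("24.x or newer as of this major" is hard to parse) and show a pinned install for CI use. The paragraph also refers to "scan metering headers" without saying what they contain; one sentence on that would help, since it sits directly under "No config files. No API keys. No setup wizard."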
@@ -79,29 +83,26 @@ That's it. No config files. No API keys. No setup wizard.
79
83
 
80
84
  <br />
81
85
 
82
- ## 17 Detection Engines
86
+ ## 14 Detection Engines
83
87
 
84
- Every engine is purpose-built for a specific failure mode that traditional tools miss.
88
+ Every engine is purpose-built for a specific failure mode that traditional tools miss. These map to the engines registered by the CLI `FileRunner` (workspace engines + baseline registry).
85
89
 
86
90
  | # | Engine | What it catches |
87
91
  |:---:|:---|:---|
88
- | 1 | **Ghost Routes** | API calls to endpoints that were never implemented |
89
- | 2 | **Dead UI** | Buttons, forms, and links wired to empty or missing handlers |
90
- | 3 | **Phantom Imports** | Modules and packages referenced but never installed |
91
- | 4 | **Silent Failures** | Try/catch blocks that swallow errors without handling them |
92
- | 5 | **Hardcoded Mocks** | Test data, fake values, and stubs left in production paths |
93
- | 6 | **Credential Leaks** | API keys, tokens, passwords, and secrets committed to source |
94
- | 7 | **Env Drift** | Environment variable references that don't exist in `.env` |
95
- | 8 | **Auth Gaps** | Middleware or guards referencing nonexistent auth providers |
96
- | 9 | **Type Holes** | `@ts-ignore`, `any` casts, unsafe assertions hiding real bugs |
97
- | 10 | **Console Pollution** | `console.log`, `console.debug` left in production bundles |
98
- | 11 | **Version Hallucinations** | API calls that don't exist in the installed package version |
99
- | 12 | **Slopsquatting** | Misspelled package names that could be typosquat attacks |
100
- | 13 | **Architectural Drift** | Code that violates your project's structural patterns |
101
- | 14 | **Dependency Vulnerabilities** | Known CVEs in your dependency tree |
102
- | 15 | **Performance Anti-patterns** | JSON parsing in loops, sync I/O in async paths |
103
- | 16 | **Accessibility Violations** | Missing ARIA labels, incorrect roles, keyboard traps |
104
- | 17 | **Contract Drift** | Code that diverged from its ISL/OpenAPI specification |
92
+ | 1 | **Undefined env vars** | `process.env` references not backed by your env / truthpack |
93
+ | 2 | **Ghost routes** | `fetch` and client calls to API paths with no handler |
94
+ | 3 | **Phantom dependencies** | Imports of packages not declared or not resolvable |
95
+ | 4 | **API hallucinations** | SDK or API usage that does not exist for your stack |
96
+ | 5 | **Hardcoded secrets** | Keys, tokens, and passwords committed to source |
97
+ | 6 | **Security vulnerabilities** | Injection, XSS, SSRF, weak crypto, and related OWASP-style issues |
98
+ | 7 | **Fake features** | Placeholder flags, empty handlers, mock data in prod paths |
99
+ | 8 | **Version mismatches** | APIs used in ways incompatible with installed package versions |
100
+ | 9 | **Logic gaps** | Contradictory or impossible control flow |
101
+ | 10 | **Error-handling gaps** | Swallowed errors, risky `try`/`catch` shape, unchecked async results |
102
+ | 11 | **Incomplete implementation** | Stubs, empty bodies, and unfinished paths |
103
+ | 12 | **Type contracts** | Types asserted vs actual JSON/API shape mismatches |
104
+ | 13 | **Security patterns** | Unprotected routes, CSRF, JWT misuse, redirects, CSP gaps |
105
+ | 14 | **Performance anti-patterns** | N+1 queries, sync I/O in async paths, fetch-in-render, and similar |
105
106
 
106
107
  <br />
107
108
 
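Review bot: the replacement table drops rows without saying where their coverage went: Slopsquatting, Dependency Vulnerabilities (known CVEs in the dependency tree), Accessibility Violations and Console Pollution have no evident counterpart among the 14 new rows. The new "Security vulnerabilities" row lists code-level issues (injection, XSS, SSRF, weak crypto), not dependency CVEs, and "Phantom dependencies" covers undeclared or unresolvable imports, not misspelled package names. If these checks were removed, say so in a migration note so users who relied on them can add another tool; if they were folded into other engines, name them in the "What it catches" column. The terms `FileRunner` and "truthpack" are also used here without definition.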
@@ -478,7 +479,7 @@ eval "$(vibecheck completion zsh)"
478
479
  - All scanning runs **locally on your machine**
479
480
  - **Zero code is transmitted** — ever
480
481
  - Works **fully offline** and in air-gapped environments
481
- - [Open source](https://github.com/guardiavault-oss/Vibecheck) — read every line
482
+ - [Open source](https://github.com/vibecheck-oss/vibecheck) — read every line
482
483
 
483
484
  <br />
484
485
 
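Review bot: the privacy bullets kept as context in this hunk ("All scanning runs locally on your machine", "Zero code is transmitted", "Works fully offline") need qualifying now that the same release adds an "API compatibility" section describing sign-in, server-backed daily scan limits and metering headers checked by an API. State which modes make network requests and what is sent, or say explicitly that offline use is unaffected when the user is not signed in.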
@@ -492,7 +493,7 @@ eval "$(vibecheck completion zsh)"
492
493
 
493
494
  <br />
494
495
 
495
- [Website](https://vibecheckai.dev) &nbsp;&nbsp;·&nbsp;&nbsp; [Documentation](https://docs.vibecheckai.dev) &nbsp;&nbsp;·&nbsp;&nbsp; [Discord](https://discord.gg/vibecheck) &nbsp;&nbsp;·&nbsp;&nbsp; [GitHub](https://github.com/guardiavault-oss/Vibecheck)
496
+ [Website](https://vibecheckai.dev) &nbsp;&nbsp;·&nbsp;&nbsp; [Documentation](https://docs.vibecheckai.dev) &nbsp;&nbsp;·&nbsp;&nbsp; [Discord](https://discord.gg/vibecheck) &nbsp;&nbsp;·&nbsp;&nbsp; [GitHub](https://github.com/vibecheck-oss/vibecheck)
496
497
 
497
498
  <br />
498
499