@vibecheckai/cli 2.8.2 → 3.0.0

package/bin/runners/runFix.js

@@ -0,0 +1,735 @@
+/**
+ * vibecheck fix - Fix Missions v1
+ * 
+ * Generates surgical "mission prompts", runs them sequentially,
+ * applies patches (optional), and re-verifies by re-running ship.
+ * 
+ * Key features:
+ * - Reality Firewall prompt prevents LLM hallucinations
+ * - Patch validator ensures no drift
+ * - Backup/restore for safe rollback
+ * - Progress detector stops on stagnation
+ */
+
+const path = require('path');
+const fs = require('fs');
+const { shipCore } = require('./runShip');
+const { planMissions } = require('./lib/missions/plan');
+const { templateForMissionType } = require('./lib/missions/templates');
+const { expandEvidence } = require('./lib/missions/evidence');
+const { buildRealityFirewall } = require('./lib/firewall-prompt');
+const { generatePatchJson } = require('./lib/llm');
+const { applyUnifiedDiff } = require('./lib/patch');
+const { backupFiles, restoreBackup } = require('./lib/backup');
+const { validatePatchResponse, parseDiffTouchedFiles } = require('./lib/validate-patch');
+const { buildSharePack } = require('./lib/share-pack');
+
+const c = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  dim: '\x1b[2m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  cyan: '\x1b[36m',
+  red: '\x1b[31m',
+  blue: '\x1b[34m',
+};
+
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+
+function nowStamp() {
+  const d = new Date();
+  const z = (n) => String(n).padStart(2, "0");
+  return `${d.getFullYear()}${z(d.getMonth()+1)}${z(d.getDate())}_${z(d.getHours())}${z(d.getMinutes())}${z(d.getSeconds())}`;
+}
+
+function truthpackSummary(truthpack) {
+  return {
+    routes: {
+      serverCount: truthpack?.routes?.server?.length || 0,
+      clientRefsCount: truthpack?.routes?.clientRefs?.length || 0,
+      gaps: truthpack?.routes?.gaps?.length || 0
+    },
+    env: {
+      used: truthpack?.env?.vars?.length || 0,
+      declared: truthpack?.env?.declared?.length || 0
+    },
+    auth: {
+      middlewareCount: truthpack?.auth?.nextMiddleware?.length || 0,
+      matcherCount: truthpack?.auth?.nextMatcherPatterns?.length || 0,
+      fastifySignals: truthpack?.auth?.fastify?.signalTypes || []
+    },
+    billing: truthpack?.billing?.summary || {},
+    enforcement: {
+      checked: truthpack?.enforcement?.checkedCount || 0,
+      missing: truthpack?.enforcement?.missingCount || 0
+    }
+  };
+}
+
+function score(findings) {
+  let s = 0;
+  for (const f of findings || []) s += (f.severity === "BLOCK" ? 10 : f.severity === "WARN" ? 3 : 0);
+  return s;
+}
+
+function allowedFilesForMission({ mission, targetFindings, truthpack }) {
+  const allow = new Set();
+
+  for (const f of targetFindings) {
+    for (const ev of (f.evidence || [])) {
+      if (ev.file) allow.add(ev.file);
+    }
+  }
+
+  const type = mission?.type;
+  if (type === "FIX_ENV_CONTRACT") {
+    [".env.example",".env.template",".env.sample",".env"].forEach(p => allow.add(p));
+  }
+  if (type === "ADD_SERVER_AUTH") {
+    (truthpack?.auth?.nextMiddleware || []).forEach(mw => mw.file && allow.add(mw.file));
+  }
+  if (type === "FIX_STRIPE_WEBHOOKS") {
+    (truthpack?.billing?.webhookCandidates || []).forEach(w => w.file && allow.add(w.file));
+  }
+  if (type === "ENFORCE_PAID_SURFACE") {
+    (truthpack?.enforcement?.checks || []).forEach(c => c.handler && allow.add(c.handler));
+  }
+
+  return Array.from(allow).filter(Boolean);
+}
+
+async function runFix(args) {
+  const opts = parseArgs(args);
+  
+  if (opts.help) {
+    printHelp();
+    return 0;
+  }
+
+  const root = path.resolve(opts.path || process.cwd());
+  const outDir = path.join(root, ".vibecheck", "missions", nowStamp());
+  ensureDir(outDir);
+
+  // First ship check (no meter consumption)
+  const first = await shipCore({ repoRoot: root, fastifyEntry: opts.fastifyEntry, noWrite: false });
+
+  if (first.verdict === "SHIP") {
+    console.log(`${c.green}✅ Already SHIP. No fixes needed.${c.reset}`);
+    return 0;
+  }
+
+  const missions = planMissions(first.report.findings, { maxMissions: opts.maxMissions || 8 });
+  fs.writeFileSync(path.join(outDir, "missions.json"), JSON.stringify({ missions, fromVerdict: first.verdict }, null, 2));
+
+  console.log(`\n${c.cyan}${c.bold}🛠 vibecheck fix${c.reset}`);
+  console.log(`Planned missions: ${missions.length}`);
+  console.log(`Mission pack: ${path.relative(root, outDir)}`);
+
+  if (!opts.autopilot && !opts.promptOnly && !opts.apply) {
+    console.log(`\n${c.bold}Run one of:${c.reset}`);
+    console.log(`  ${c.cyan}vibecheck fix --prompt-only${c.reset}     (generate perfect prompts, no edits)`);
+    console.log(`  ${c.cyan}vibecheck fix --apply${c.reset}           (apply patches from the model)`);
+    console.log(`  ${c.cyan}vibecheck fix --autopilot --apply${c.reset}  (loop until SHIP or stuck)`);
+    return 0;
+  }
+
+  let stagnant = 0;
+  const maxSteps = opts.maxSteps || 10;
+  const stagnationLimit = opts.stagnationLimit || 2;
+
+  for (let step = 1; step <= maxSteps; step++) {
+    const before = await shipCore({ repoRoot: root, fastifyEntry: opts.fastifyEntry, noWrite: false });
+
+    if (before.verdict === "SHIP") {
+      console.log(`\n${c.green}✅ SHIP achieved in ${step - 1} steps.${c.reset}`);
+      
+      // Generate share bundle if requested
+      if (opts.share) {
+        try {
+          const shareResult = buildSharePack({ repoRoot: root, missionDirAbs: outDir });
+          console.log(`\n📦 Share bundle: ${path.relative(root, shareResult.outputDir)}`);
+        } catch (e) {
+          console.log(`${c.yellow}⚠️ Share bundle failed: ${e.message}${c.reset}`);
+        }
+      }
+      
+      return 0;
+    }
+
+    const ids = new Set(before.report.findings.map(f => f.id));
+    const mission = missions.find(m => m.targetFindingIds.some(id => ids.has(id)));
+    if (!mission) {
+      console.log(`\n${c.yellow}⚠️ No remaining planned mission matches current findings. Stopping.${c.reset}`);
+      return 0;
+    }
+
+    // Save before proof
+    fs.writeFileSync(
+      path.join(outDir, `step_${String(step).padStart(2,"0")}_${mission.id}_before_ship.json`),
+      JSON.stringify(before.report, null, 2),
+      "utf8"
+    );
+
+    const targetFindings = before.report.findings.filter(f => mission.targetFindingIds.includes(f.id));
+    
+    // Use mission template + auto-expanded evidence
+    const template = templateForMissionType(mission.type);
+    const expanded = await expandEvidence({
+      repoRoot: root,
+      truthpack: before.truthpack,
+      mission,
+      targetFindings
+    });
+    const allowedFiles = expanded.allowedFiles;
+    const snippets = expanded.snippets;
+
+    const prompt = buildRealityFirewall({
+      truthpackSummary: truthpackSummary(before.truthpack),
+      mission,
+      template,
+      findings: targetFindings,
+      fileSnippets: snippets,
+      allowedFiles
+    });
+
+    const promptPath = path.join(outDir, `step_${String(step).padStart(2,"0")}_${mission.id}_prompt.txt`);
+    fs.writeFileSync(promptPath, prompt, "utf8");
+
+    console.log(`\nStep ${step}/${maxSteps}: ${mission.title}`);
+    console.log(`Prompt: ${path.relative(root, promptPath)}`);
+
+    if (opts.promptOnly) {
+      if (!opts.autopilot) return 0;
+      continue;
+    }
+
+    let patchJson;
+    try {
+      patchJson = await generatePatchJson(prompt);
+    } catch (e) {
+      console.log(`${c.red}❌ LLM failed: ${e.message}${c.reset}`);
+      return 1;
+    }
+
+    const respPath = path.join(outDir, `step_${String(step).padStart(2,"0")}_${mission.id}_response.json`);
+    fs.writeFileSync(respPath, JSON.stringify(patchJson, null, 2), "utf8");
+
+    const v = validatePatchResponse({
+      repoRoot: root,
+      patchJson,
+      mission,
+      truthpack: before.truthpack,
+      allowedFiles,
+      limits: { maxEdits: 6, maxFiles: 6, maxChangedLines: 400 }
+    });
+
+    if (!v.ok) {
+      console.log(`${c.red}❌ Patch rejected by validator.${c.reset}`);
+      for (const e of v.errors) console.log(`  - ${e}`);
+      if (v.warnings.length) {
+        console.log("Warnings:");
+        for (const w of v.warnings) console.log(`  - ${w}`);
+      }
+      return 1;
+    }
+
+    if (v.warnings.length) {
+      console.log(`${c.yellow}⚠️ Validator warnings:${c.reset}`);
+      for (const w of v.warnings) console.log(`  - ${w}`);
+    }
+
+    if (!opts.apply) {
+      console.log(`${c.green}✅ Patch generated (not applied). Re-run with --apply to apply diffs.${c.reset}`);
+      return 0;
+    }
+
+    const touchedFiles = new Set();
+    for (const ed of patchJson.edits) {
+      for (const f of parseDiffTouchedFiles(ed.diff)) touchedFiles.add(f);
+    }
+    const touchedList = Array.from(touchedFiles);
+
+    const backupRoot = path.join(outDir, `backup_step_${String(step).padStart(2,"0")}`);
+    backupFiles(root, touchedList, backupRoot);
+
+    for (const ed of patchJson.edits) {
+      const res = applyUnifiedDiff(root, ed.diff);
+      if (!res.ok) {
+        console.log(`${c.red}❌ Patch apply failed: ${res.error}${c.reset}`);
+        restoreBackup(root, backupRoot);
+        console.log(`${c.yellow}↩️ Restored from backup.${c.reset}`);
+        return 1;
+      }
+      console.log(`${c.green}✅ Applied edit targeting: ${ed.path}${c.reset}`);
+    }
+
+    const after = await shipCore({ repoRoot: root, fastifyEntry: opts.fastifyEntry, noWrite: false });
+    console.log(`Verify verdict: ${after.verdict}`);
+
+    // Save after proof
+    fs.writeFileSync(
+      path.join(outDir, `step_${String(step).padStart(2,"0")}_${mission.id}_after_ship.json`),
+      JSON.stringify(after.report, null, 2),
+      "utf8"
+    );
+
+    const beforeScore = score(before.report.findings);
+    const afterScore = score(after.report.findings);
+    const targetStillThere = mission.targetFindingIds.some(id => after.report.findings.some(f => f.id === id));
+    const improved = (afterScore < beforeScore) || (!targetStillThere);
+
+    if (!improved) {
+      console.log(`${c.red}❌ No measurable progress. Rolling back.${c.reset}`);
+      restoreBackup(root, backupRoot);
+      console.log(`${c.yellow}↩️ Restored from backup.${c.reset}`);
+      stagnant += 1;
+      if (!opts.autopilot || stagnant >= stagnationLimit) {
+        console.log(`${c.red}🛑 Stopping: stagnation limit reached (${stagnant}/${stagnationLimit}).${c.reset}`);
+        return 1;
+      }
+      continue;
+    }
+
+    stagnant = 0;
+    if (!opts.autopilot) return 0;
+  }
+
+  console.log(`\n${c.yellow}⚠️ Max steps reached (${maxSteps}).${c.reset}`);
+  
+  // Generate share bundle if requested
+  if (opts.share) {
+    try {
+      const shareResult = buildSharePack({ repoRoot: root, missionDirAbs: outDir });
+      console.log(`\n📦 Share bundle: ${path.relative(root, shareResult.outputDir)}`);
+    } catch (e) {
+      console.log(`${c.yellow}⚠️ Share bundle failed: ${e.message}${c.reset}`);
+    }
+  }
+  
+  return 1;
+}
+
+/**
+ * Show Fix Plan (default behavior - no changes applied)
+ */
+async function showFixPlan(projectPath, opts) {
+  console.log(`\n${c.cyan}${c.bold}📋 FIX PLAN${c.reset}\n`);
+  console.log(`${c.dim}This shows what CAN be fixed. No changes will be made.${c.reset}`);
+  console.log(`${c.dim}Use --apply to apply changes (requires clean git state).${c.reset}\n`);
+
+  const scanResult = await loadLatestScan(projectPath);
+  if (!scanResult) {
+    console.error(`${c.red}Error:${c.reset} No scan results found. Run 'vibecheck scan' first.\n`);
+    return EXIT_CODES.MISCONFIG;
+  }
+
+  // Filter to fixable findings
+  const fixable = scanResult.findings.filter(f => {
+    const ruleId = f.ruleId || '';
+    return f.autofixAvailable && ALLOWED_FIX_TYPES.includes(ruleId);
+  });
+
+  if (fixable.length === 0) {
+    console.log(`${c.green}✓${c.reset} No mechanical fixes available.\n`);
+    console.log(`${c.dim}All remaining issues require manual intervention.${c.reset}\n`);
+    return EXIT_CODES.PASS;
+  }
+
+  console.log(`${c.bold}Fixable Issues (${fixable.length}):${c.reset}\n`);
+
+  for (const finding of fixable) {
+    const patch = generatePatchPreview(projectPath, finding);
+    
+    console.log(`${c.blue}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}`);
+    console.log(`${c.bold}${finding.id?.full || finding.id}${c.reset} - ${finding.ruleId}`);
+    console.log(`${c.dim}File:${c.reset} ${finding.file}:${finding.line}`);
+    console.log(`${c.dim}Why:${c.reset} ${finding.message || finding.description}`);
+    console.log(`${c.dim}Evidence:${c.reset} ${finding.evidence?.[0]?.snippet || 'See file'}`);
+    console.log('');
+    console.log(`${c.bold}Proposed Change:${c.reset}`);
+    console.log(patch.preview);
+    console.log('');
+    console.log(`${c.dim}Risk:${c.reset} ${patch.risk}`);
+    console.log(`${c.dim}Verification:${c.reset} Re-run scan to confirm no regression`);
+    console.log('');
+  }
+
+  console.log(`${c.blue}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}`);
+  console.log(`\n${c.bold}To apply these fixes:${c.reset}`);
+  console.log(`  ${c.cyan}vibecheck fix --apply${c.reset}\n`);
+  console.log(`${c.dim}This will:${c.reset}`);
+  console.log(`  1. Check for clean git state`);
+  console.log(`  2. Create branch: vibecheck/fix-<timestamp>`);
+  console.log(`  3. Apply patches with structured commits`);
+  console.log(`  4. Re-run scan to verify no regression\n`);
+
+  return EXIT_CODES.PASS;
+}
+
+/**
+ * Apply fixes with proof-gating
+ */
+async function applyFixes(projectPath, opts) {
+  console.log(`\n${c.cyan}${c.bold}🔧 APPLYING FIXES${c.reset}\n`);
+
+  // Step 1: Check git state
+  if (!isGitClean(projectPath)) {
+    console.error(`${c.red}Error:${c.reset} Git working directory is not clean.`);
+    console.error(`${c.dim}Commit or stash your changes before applying fixes.${c.reset}\n`);
+    return EXIT_CODES.MISCONFIG;
+  }
+
+  const scanResult = await loadLatestScan(projectPath);
+  if (!scanResult) {
+    console.error(`${c.red}Error:${c.reset} No scan results found. Run 'vibecheck scan' first.\n`);
+    return EXIT_CODES.MISCONFIG;
+  }
+
+  const fixable = scanResult.findings.filter(f => {
+    const ruleId = f.ruleId || '';
+    return f.autofixAvailable && ALLOWED_FIX_TYPES.includes(ruleId);
+  });
+
+  if (fixable.length === 0) {
+    console.log(`${c.green}✓${c.reset} No fixes to apply.\n`);
+    return EXIT_CODES.PASS;
+  }
+
+  // Step 2: Create branch
+  const branchName = `vibecheck/fix-${Date.now()}`;
+  try {
+    execSync(`git checkout -b ${branchName}`, { cwd: projectPath, stdio: 'pipe' });
+    console.log(`${c.green}✓${c.reset} Created branch: ${branchName}\n`);
+  } catch (err) {
+    console.error(`${c.red}Error:${c.reset} Failed to create branch: ${err.message}\n`);
+    return EXIT_CODES.INTERNAL;
+  }
+
+  // Step 3: Apply fixes
+  let applied = 0;
+  let failed = 0;
+
+  for (const finding of fixable) {
+    try {
+      const result = await applyAutofix(projectPath, finding, opts);
+      if (result) {
+        applied++;
+        
+        // Commit with structured message
+        const commitMsg = `fix(${finding.ruleId}): ${finding.id?.full || finding.id}\n\nFile: ${finding.file}:${finding.line}\nEvidence: ${finding.evidence?.[0]?.snippet || 'See scan results'}\n\nApplied by vibecheck fix --apply`;
+        
+        try {
+          execSync(`git add "${finding.file}"`, { cwd: projectPath, stdio: 'pipe' });
+          execSync(`git commit -m "${commitMsg.replace(/"/g, '\\"')}"`, { cwd: projectPath, stdio: 'pipe' });
+        } catch {
+          // File might not have changed, continue
+        }
+        
+        console.log(`${c.green}✓${c.reset} Fixed: ${finding.id?.full || finding.id}`);
+      } else {
+        failed++;
+        console.log(`${c.yellow}⚠${c.reset} Skipped: ${finding.id?.full || finding.id}`);
+      }
+    } catch (error) {
+      failed++;
+      console.log(`${c.red}✗${c.reset} Error: ${finding.id?.full || finding.id} - ${error.message}`);
+    }
+  }
+
+  console.log('');
+  console.log(`${c.bold}Summary:${c.reset}`);
+  console.log(`  Applied: ${c.green}${applied}${c.reset}`);
+  console.log(`  Skipped: ${c.yellow}${failed}${c.reset}`);
+  console.log('');
+
+  // Step 4: Re-run scan to verify
+  console.log(`${c.dim}Verifying fixes...${c.reset}\n`);
+  
+  try {
+    const { runScan } = require('./runScan');
+    const verifyResult = await runScan(['--json', '--path', projectPath]);
+    
+    if (verifyResult === 0 || verifyResult === EXIT_CODES.PASS) {
+      console.log(`${c.green}✓${c.reset} Verification passed - no regressions\n`);
+    } else {
+      console.log(`${c.yellow}⚠${c.reset} Verification found issues - review before merging\n`);
+    }
+  } catch {
+    console.log(`${c.dim}Run 'vibecheck scan' to verify manually.${c.reset}\n`);
+  }
+
+  console.log(`${c.bold}Rollback:${c.reset}`);
+  console.log(`  ${c.cyan}git checkout main && git branch -D ${branchName}${c.reset}\n`);
+
+  return applied > 0 ? EXIT_CODES.PASS : EXIT_CODES.FAIL;
+}
+
+/**
+ * Check if git working directory is clean
+ */
+function isGitClean(projectPath) {
+  try {
+    const status = execSync('git status --porcelain', { cwd: projectPath, encoding: 'utf8' });
+    return status.trim() === '';
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Generate patch preview for a finding
+ */
+function generatePatchPreview(projectPath, finding) {
+  const filePath = path.join(projectPath, finding.file);
+  
+  if (!fs.existsSync(filePath)) {
+    return { preview: `  ${c.red}File not found${c.reset}`, risk: 'N/A' };
+  }
+
+  const content = fs.readFileSync(filePath, 'utf8');
+  const lines = content.split('\n');
+  const lineIndex = finding.line - 1;
+
+  if (lineIndex < 0 || lineIndex >= lines.length) {
+    return { preview: `  ${c.red}Invalid line number${c.reset}`, risk: 'N/A' };
+  }
+
+  const before = lines[lineIndex];
+  let after = before;
+  let risk = 'Low';
+
+  // Generate preview based on rule type
+  switch (finding.ruleId) {
+    case 'empty-catch':
+      after = before.replace(/catch\s*(?:\(([^)]*)\))?\s*\{\s*\}/, (m, v) => {
+        const varName = v || 'err';
+        return `catch (${varName}) { console.error('Error:', ${varName}); throw ${varName}; }`;
+      });
+      risk = 'Low - adds proper error handling';
+      break;
+    case 'dangerous-default':
+      after = before.replace(/\s*(\|\||\?\?)\s*['"][^'"]*['"]/, '');
+      risk = 'Medium - removes fallback (may require env var)';
+      break;
+    case 'placeholder-value':
+      after = before.replace(/(CHANGEME|REPLACE_ME|YOUR_\w+|INSERT_\w+)/g, "/* TODO: Replace $1 */ ''");
+      risk = 'Low - flags for manual replacement';
+      break;
+    default:
+      return { preview: `  ${c.dim}No preview available${c.reset}`, risk: 'Unknown' };
+  }
+
+  return {
+    preview: `  ${c.red}- ${before.trim()}${c.reset}\n  ${c.green}+ ${after.trim()}${c.reset}`,
+    risk,
+  };
+}
+
+async function applyAutofix(projectPath, finding, options) {
+  const filePath = path.join(projectPath, finding.file);
+  
+  if (!fs.existsSync(filePath)) {
+    throw new Error(`File not found: ${finding.file}`);
+  }
+
+  const content = fs.readFileSync(filePath, 'utf8');
+  const lines = content.split('\n');
+  const lineIndex = finding.line - 1;
+
+  if (lineIndex < 0 || lineIndex >= lines.length) {
+    throw new Error(`Invalid line number: ${finding.line}`);
+  }
+
+  let newContent = content;
+  const ruleId = finding.ruleId;
+
+  // Apply fixes based on rule type
+  switch (ruleId) {
+    case 'empty-catch':
+      newContent = fixEmptyCatch(lines, lineIndex, filePath);
+      break;
+    case 'dangerous-default':
+      newContent = fixDangerousDefault(lines, lineIndex, filePath);
+      break;
+    case 'placeholder-value':
+      newContent = fixPlaceholderValue(lines, lineIndex, filePath);
+      break;
+    default:
+      return false;
+  }
+
+  if (newContent !== content) {
+    if (!options.dryRun) {
+      fs.writeFileSync(filePath, newContent, 'utf8');
+    }
+    return true;
+  }
+
+  return false;
+}
+
+function fixEmptyCatch(lines, lineIndex, filePath) {
+  const line = lines[lineIndex];
+  const newLines = [...lines];
+
+  // Find the catch block
+  if (line.includes('catch') && line.includes('{')) {
+    // Simple case: catch {} on one line
+    if (line.match(/catch\s*(?:\([^)]*\))?\s*\{\s*\}/)) {
+      const indent = line.match(/^(\s*)/)?.[1] || '';
+      newLines[lineIndex] = line.replace(
+        /catch\s*(?:\(([^)]*)\))?\s*\{\s*\}/,
+        (match, errVar) => {
+          const varName = errVar || 'err';
+          return `catch (${varName}) {\n${indent}  console.error('Error:', ${varName});\n${indent}  throw ${varName};\n${indent}}`;
+        }
+      );
+    }
+  }
+
+  return newLines.join('\n');
+}
+
+function fixDangerousDefault(lines, lineIndex, filePath) {
+  const line = lines[lineIndex];
+  const newLines = [...lines];
+
+  // Remove dangerous default
+  if (line.includes('process.env.') && (line.includes('||') || line.includes('??'))) {
+    newLines[lineIndex] = line.replace(
+      /\s*(\|\||\?\?)\s*['"][^'"]*['"]/,
+      ''
+    );
+  }
+
+  return newLines.join('\n');
+}
+
+function fixPlaceholderValue(lines, lineIndex, filePath) {
+  const line = lines[lineIndex];
+  const newLines = [...lines];
+
+  // Replace placeholder with TODO comment
+  newLines[lineIndex] = line.replace(
+    /(CHANGEME|REPLACE_ME|YOUR_[A-Z0-9_]+|INSERT_[A-Z0-9_]+)/g,
+    (match) => `/* TODO: Replace ${match} */ ''`
+  );
+
+  return newLines.join('\n');
+}
+
+async function loadLatestScan(projectPath) {
+  const scanDir = path.join(projectPath, '.vibecheck', 'reality-sniff', 'scans');
+  
+  if (!fs.existsSync(scanDir)) {
+    return null;
+  }
+
+  try {
+    const files = fs.readdirSync(scanDir)
+      .filter(f => f.endsWith('.json'))
+      .map(f => ({
+        name: f,
+        path: path.join(scanDir, f),
+        mtime: fs.statSync(path.join(scanDir, f)).mtime,
+      }))
+      .sort((a, b) => b.mtime - a.mtime);
+
+    if (files.length === 0) {
+      return null;
+    }
+
+    const content = fs.readFileSync(files[0].path, 'utf8');
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+
+function parseArgs(args) {
+  const opts = {
+    path: process.cwd(),
+    apply: false,
+    promptOnly: false,
+    autopilot: false,
+    share: false,
+    maxMissions: 8,
+    maxSteps: 10,
+    stagnationLimit: 2,
+    fastifyEntry: null,
+    help: false,
+  };
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === '--apply') opts.apply = true;
+    else if (arg === '--prompt-only') opts.promptOnly = true;
+    else if (arg === '--autopilot') opts.autopilot = true;
+    else if (arg === '--share') opts.share = true;
+    else if (arg === '--max-missions') opts.maxMissions = Number(args[++i]) || 8;
+    else if (arg === '--max-steps') opts.maxSteps = Number(args[++i]) || 10;
+    else if (arg === '--stagnation-limit') opts.stagnationLimit = Number(args[++i]) || 2;
+    else if (arg === '--fastify-entry') opts.fastifyEntry = args[++i];
+    else if (arg === '--path' || arg === '-p') opts.path = args[++i];
+    else if (arg === '--help' || arg === '-h') opts.help = true;
+  }
+
+  return opts;
+}
+
+function printHelp() {
+  console.log(`
+${c.cyan}${c.bold}🛠 vibecheck fix${c.reset} - Fix Missions v1
+
+Generate surgical fix prompts, apply patches, and verify with ship.
+
+${c.bold}USAGE${c.reset}
+  vibecheck fix                      ${c.dim}# Plan missions (no changes)${c.reset}
+  vibecheck fix --prompt-only        ${c.dim}# Generate perfect prompts${c.reset}
+  vibecheck fix --apply              ${c.dim}# Apply patches from LLM${c.reset}
+  vibecheck fix --autopilot --apply  ${c.dim}# Loop until SHIP or stuck${c.reset}
+
+${c.bold}OPTIONS${c.reset}
+  --prompt-only       Generate mission prompts only (no edits)
+  --apply             Apply patches returned by the model (requires git)
+  --autopilot         Loop: fix → verify → fix until SHIP or stuck
+  --max-missions <n>  Max missions to plan (default: 8)
+  --max-steps <n>     Max autopilot steps (default: 10)
+  --stagnation-limit  Stop after N non-improving steps (default: 2)
+  --fastify-entry     Fastify entry file (e.g. src/server.ts)
+  --path, -p          Project path (default: current directory)
+  --help, -h          Show this help
+
+${c.bold}SAFETY FEATURES${c.reset}
+  • Reality Firewall prompt prevents LLM hallucinations
+  • Patch validator ensures no drift (files, routes, env)
+  • Backup/restore for automatic rollback on failure
+  • Progress detector stops on stagnation
+
+${c.bold}MISSION TYPES${c.reset}
+  • REMOVE_OWNER_MODE      Delete backdoor env bypass
+  • FIX_STRIPE_WEBHOOKS    Add signature verification + idempotency
+  • ENFORCE_PAID_SURFACE   Add server-side entitlement checks
+  • ADD_SERVER_AUTH        Add auth to sensitive endpoints
+  • FIX_MISSING_ROUTE      Wire client refs to server routes
+  • FIX_FAKE_SUCCESS       Gate success UI on network result
+  • FIX_ENV_CONTRACT       Add missing env vars to templates
+
+${c.bold}LLM CONFIGURATION${c.reset}
+  Set these environment variables:
+  • VIBECHECK_LLM_BASE_URL  ${c.dim}(e.g. https://api.openai.com/v1/chat/completions)${c.reset}
+  • VIBECHECK_LLM_API_KEY   ${c.dim}(your API key)${c.reset}
+  • VIBECHECK_LLM_MODEL     ${c.dim}(default: gpt-4.1-mini)${c.reset}
+
+${c.bold}EXAMPLES${c.reset}
+  vibecheck fix                              ${c.dim}# Plan missions${c.reset}
+  vibecheck fix --prompt-only                ${c.dim}# Generate prompts${c.reset}
+  vibecheck fix --apply                      ${c.dim}# Apply patches${c.reset}
+  vibecheck fix --autopilot --apply          ${c.dim}# Full autopilot${c.reset}
+`);
+}
+
+module.exports = { runFix };