npm - @vibecheckai/cli - Versions diffs - 2.8.2 → 3.0.0 - Mend

@vibecheckai/cli 2.8.2 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (454) hide show

package/README.md +8 -8
package/bin/_deprecations.js +35 -0
package/bin/_router.js +46 -0
package/bin/cli-hygiene.js +241 -0
package/bin/guardrail.js +834 -0
package/bin/runners/cli-utils.js +1070 -0
package/bin/runners/context/ai-task-decomposer.js +337 -0
package/bin/runners/context/analyzer.js +462 -0
package/bin/runners/context/api-contracts.js +427 -0
package/bin/runners/context/context-diff.js +342 -0
package/bin/runners/context/context-pruner.js +291 -0
package/bin/runners/context/dependency-graph.js +414 -0
package/bin/runners/context/generators/claude.js +107 -0
package/bin/runners/context/generators/codex.js +108 -0
package/bin/runners/context/generators/copilot.js +119 -0
package/bin/runners/context/generators/cursor.js +514 -0
package/bin/runners/context/generators/mcp.js +151 -0
package/bin/runners/context/generators/windsurf.js +180 -0
package/bin/runners/context/git-context.js +302 -0
package/bin/runners/context/index.js +1042 -0
package/bin/runners/context/insights.js +173 -0
package/bin/runners/context/mcp-server/generate-rules.js +337 -0
package/bin/runners/context/mcp-server/index.js +1176 -0
package/bin/runners/context/mcp-server/package.json +24 -0
package/bin/runners/context/memory.js +200 -0
package/bin/runners/context/monorepo.js +215 -0
package/bin/runners/context/multi-repo-federation.js +404 -0
package/bin/runners/context/patterns.js +253 -0
package/bin/runners/context/proof-context.js +972 -0
package/bin/runners/context/security-scanner.js +303 -0
package/bin/runners/context/semantic-search.js +350 -0
package/bin/runners/context/shared.js +264 -0
package/bin/runners/context/team-conventions.js +310 -0
package/bin/runners/lib/ai-bridge.js +416 -0
package/bin/runners/lib/analysis-core.js +271 -0
package/bin/runners/lib/analyzers.js +541 -0
package/bin/runners/lib/audit-bridge.js +391 -0
package/bin/runners/lib/auth-truth.js +193 -0
package/bin/runners/lib/auth.js +215 -0
package/bin/runners/lib/backup.js +62 -0
package/bin/runners/lib/billing.js +107 -0
package/bin/runners/lib/claims.js +118 -0
package/bin/runners/lib/cli-ui.js +540 -0
package/bin/runners/lib/compliance-bridge-new.js +0 -0
package/bin/runners/lib/compliance-bridge.js +165 -0
package/bin/runners/lib/contracts/auth-contract.js +194 -0
package/bin/runners/lib/contracts/env-contract.js +178 -0
package/bin/runners/lib/contracts/external-contract.js +198 -0
package/bin/runners/lib/contracts/guard.js +168 -0
package/bin/runners/lib/contracts/index.js +89 -0
package/bin/runners/lib/contracts/plan-validator.js +311 -0
package/bin/runners/lib/contracts/route-contract.js +192 -0
package/bin/runners/lib/detect.js +89 -0
package/bin/runners/lib/doctor/autofix.js +254 -0
package/bin/runners/lib/doctor/index.js +37 -0
package/bin/runners/lib/doctor/modules/dependencies.js +325 -0
package/bin/runners/lib/doctor/modules/index.js +46 -0
package/bin/runners/lib/doctor/modules/network.js +250 -0
package/bin/runners/lib/doctor/modules/project.js +312 -0
package/bin/runners/lib/doctor/modules/runtime.js +224 -0
package/bin/runners/lib/doctor/modules/security.js +348 -0
package/bin/runners/lib/doctor/modules/system.js +213 -0
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -0
package/bin/runners/lib/doctor/reporter.js +262 -0
package/bin/runners/lib/doctor/service.js +262 -0
package/bin/runners/lib/doctor/types.js +113 -0
package/bin/runners/lib/doctor/ui.js +263 -0
package/bin/runners/lib/doctor-enhanced.js +233 -0
package/bin/runners/lib/doctor-v2.js +608 -0
package/bin/runners/lib/enforcement.js +72 -0
package/bin/runners/lib/enterprise-detect.js +603 -0
package/bin/runners/lib/enterprise-init.js +942 -0
package/bin/runners/lib/entitlements-v2.js +381 -0
package/bin/runners/lib/entitlements.generated.js +0 -0
package/bin/runners/lib/entitlements.js +332 -0
package/bin/runners/lib/env-template.js +66 -0
package/bin/runners/lib/env.js +189 -0
package/bin/runners/lib/error-handler.js +320 -0
package/bin/runners/lib/firewall-prompt.js +50 -0
package/bin/runners/lib/graph/graph-builder.js +265 -0
package/bin/runners/lib/graph/html-renderer.js +413 -0
package/bin/runners/lib/graph/index.js +32 -0
package/bin/runners/lib/graph/runtime-collector.js +215 -0
package/bin/runners/lib/graph/static-extractor.js +518 -0
package/bin/runners/lib/init-wizard.js +308 -0
package/bin/runners/lib/json-output.js +76 -0
package/bin/runners/lib/llm.js +75 -0
package/bin/runners/lib/meter.js +61 -0
package/bin/runners/lib/missions/evidence.js +126 -0
package/bin/runners/lib/missions/plan.js +69 -0
package/bin/runners/lib/missions/templates.js +147 -0
package/bin/runners/lib/patch.js +40 -0
package/bin/runners/lib/permissions/auth-model.js +213 -0
package/bin/runners/lib/permissions/idor-prover.js +205 -0
package/bin/runners/lib/permissions/index.js +45 -0
package/bin/runners/lib/permissions/matrix-builder.js +198 -0
package/bin/runners/lib/pkgjson.js +28 -0
package/bin/runners/lib/preflight.js +142 -0
package/bin/runners/lib/reality-findings.js +84 -0
package/bin/runners/lib/redact.js +29 -0
package/bin/runners/lib/replay/capsule-manager.js +154 -0
package/bin/runners/lib/replay/index.js +263 -0
package/bin/runners/lib/replay/player.js +348 -0
package/bin/runners/lib/replay/recorder.js +331 -0
package/bin/runners/lib/report-engine.js +447 -0
package/bin/runners/lib/report-html.js +1117 -0
package/bin/runners/lib/report-templates.js +964 -0
package/bin/runners/lib/route-detection.js +1140 -0
package/bin/runners/lib/route-truth.js +477 -0
package/bin/runners/lib/sandbox/index.js +59 -0
package/bin/runners/lib/sandbox/proof-chain.js +399 -0
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -0
package/bin/runners/lib/sandbox/worktree.js +174 -0
package/bin/runners/lib/scan-cache.js +330 -0
package/bin/runners/lib/scan-output-schema.js +344 -0
package/bin/runners/lib/score-history.js +282 -0
package/bin/runners/lib/security-bridge.js +249 -0
package/bin/runners/lib/server-usage.js +513 -0
package/bin/runners/lib/share-pack.js +239 -0
package/bin/runners/lib/snippets.js +67 -0
package/bin/runners/lib/truth.js +667 -0
package/bin/runners/lib/unified-output.js +189 -0
package/bin/runners/lib/validate-patch.js +156 -0
package/bin/runners/lib/verification.js +345 -0
package/bin/runners/reality/engine.js +917 -0
package/bin/runners/reality/flows.js +122 -0
package/bin/runners/reality/report.js +378 -0
package/bin/runners/reality/session.js +193 -0
package/bin/runners/runAIAgent.js +2 -0
package/bin/runners/runAudit.js +2 -0
package/bin/runners/runAuth.js +106 -0
package/bin/runners/runAutopilot.js +2 -0
package/bin/runners/runBadge.js +2 -0
package/bin/runners/runCertify.js +2 -0
package/bin/runners/runClaimVerifier.js +483 -0
package/bin/runners/runContext.js +56 -0
package/bin/runners/runContextCompiler.js +385 -0
package/bin/runners/runCtx.js +187 -0
package/bin/runners/runCtxGuard.js +176 -0
package/bin/runners/runCtxSync.js +116 -0
package/bin/runners/runDashboard.js +10 -0
package/bin/runners/runDoctor.js +245 -0
package/bin/runners/runEnhancedShip.js +2 -0
package/bin/runners/runFix.js +735 -0
package/bin/runners/runFixPacks.js +2 -0
package/bin/runners/runGate.js +17 -0
package/bin/runners/runGraph.js +283 -0
package/bin/runners/runInit.js +260 -0
package/bin/runners/runInitGha.js +101 -0
package/bin/runners/runInstall.js +76 -0
package/bin/runners/runInteractive.js +388 -0
package/bin/runners/runLaunch.js +2 -0
package/bin/runners/runMcp.js +19 -0
package/bin/runners/runMdc.js +2 -0
package/bin/runners/runMissionGenerator.js +282 -0
package/bin/runners/runNaturalLanguage.js +3 -0
package/bin/runners/runPR.js +96 -0
package/bin/runners/runPermissions.js +290 -0
package/bin/runners/runPromptFirewall.js +211 -0
package/bin/runners/runProof.js +2 -0
package/bin/runners/runProve.js +392 -0
package/bin/runners/runReality.js +489 -0
package/bin/runners/runRealitySniff.js +2 -0
package/bin/runners/runReplay.js +469 -0
package/bin/runners/runReport.js +478 -0
package/bin/runners/runScan.js +835 -0
package/bin/runners/runShare.js +34 -0
package/bin/runners/runShip.js +1062 -0
package/bin/runners/runStatus.js +136 -0
package/bin/runners/runTruthpack.js +634 -0
package/bin/runners/runUpgrade.js +2 -0
package/bin/runners/runValidate.js +2 -0
package/bin/runners/runVerifyAgentOutput.js +2 -0
package/bin/runners/runWatch.js +230 -0
package/bin/runners/utils.js +360 -0
package/bin/scan.js +612 -0
package/bin/vibecheck.js +834 -0
package/package.json +11 -11
package/dist/autopatch/verified-autopatch.d.ts +0 -111
package/dist/autopatch/verified-autopatch.d.ts.map +0 -1
package/dist/autopatch/verified-autopatch.js +0 -503
package/dist/autopatch/verified-autopatch.js.map +0 -1
package/dist/bundles/index.js +0 -8
package/dist/bundles/vibecheck-core.js +0 -25799
package/dist/bundles/vibecheck-security.js +0 -208693
package/dist/bundles/vibecheck-ship.js +0 -2318
package/dist/commands/baseline.d.ts +0 -7
package/dist/commands/baseline.d.ts.map +0 -1
package/dist/commands/baseline.js +0 -79
package/dist/commands/baseline.js.map +0 -1
package/dist/commands/cache.d.ts +0 -13
package/dist/commands/cache.d.ts.map +0 -1
package/dist/commands/cache.js +0 -165
package/dist/commands/cache.js.map +0 -1
package/dist/commands/checkpoint.d.ts +0 -8
package/dist/commands/checkpoint.d.ts.map +0 -1
package/dist/commands/checkpoint.js +0 -35
package/dist/commands/checkpoint.js.map +0 -1
package/dist/commands/doctor.d.ts +0 -17
package/dist/commands/doctor.d.ts.map +0 -1
package/dist/commands/doctor.js +0 -226
package/dist/commands/doctor.js.map +0 -1
package/dist/commands/evidence.d.ts +0 -45
package/dist/commands/evidence.d.ts.map +0 -1
package/dist/commands/evidence.js +0 -197
package/dist/commands/evidence.js.map +0 -1
package/dist/commands/explain.d.ts +0 -8
package/dist/commands/explain.d.ts.map +0 -1
package/dist/commands/explain.js +0 -52
package/dist/commands/explain.js.map +0 -1
package/dist/commands/fix-consolidated.d.ts +0 -19
package/dist/commands/fix-consolidated.d.ts.map +0 -1
package/dist/commands/fix-consolidated.js +0 -165
package/dist/commands/fix-consolidated.js.map +0 -1
package/dist/commands/index.d.ts +0 -8
package/dist/commands/index.d.ts.map +0 -1
package/dist/commands/index.js +0 -15
package/dist/commands/index.js.map +0 -1
package/dist/commands/init.d.ts +0 -8
package/dist/commands/init.d.ts.map +0 -1
package/dist/commands/init.js +0 -125
package/dist/commands/init.js.map +0 -1
package/dist/commands/launcher.d.ts +0 -10
package/dist/commands/launcher.d.ts.map +0 -1
package/dist/commands/launcher.js +0 -174
package/dist/commands/launcher.js.map +0 -1
package/dist/commands/on.d.ts +0 -8
package/dist/commands/on.d.ts.map +0 -1
package/dist/commands/on.js +0 -123
package/dist/commands/on.js.map +0 -1
package/dist/commands/replay.d.ts +0 -8
package/dist/commands/replay.d.ts.map +0 -1
package/dist/commands/replay.js +0 -52
package/dist/commands/replay.js.map +0 -1
package/dist/commands/scan-consolidated.d.ts +0 -61
package/dist/commands/scan-consolidated.d.ts.map +0 -1
package/dist/commands/scan-consolidated.js +0 -243
package/dist/commands/scan-consolidated.js.map +0 -1
package/dist/commands/scan-secrets.d.ts +0 -47
package/dist/commands/scan-secrets.d.ts.map +0 -1
package/dist/commands/scan-secrets.js +0 -225
package/dist/commands/scan-secrets.js.map +0 -1
package/dist/commands/scan-vulnerabilities-enhanced.d.ts +0 -41
package/dist/commands/scan-vulnerabilities-enhanced.d.ts.map +0 -1
package/dist/commands/scan-vulnerabilities-enhanced.js +0 -368
package/dist/commands/scan-vulnerabilities-enhanced.js.map +0 -1
package/dist/commands/scan-vulnerabilities-osv.d.ts +0 -58
package/dist/commands/scan-vulnerabilities-osv.d.ts.map +0 -1
package/dist/commands/scan-vulnerabilities-osv.js +0 -722
package/dist/commands/scan-vulnerabilities-osv.js.map +0 -1
package/dist/commands/scan-vulnerabilities.d.ts +0 -32
package/dist/commands/scan-vulnerabilities.d.ts.map +0 -1
package/dist/commands/scan-vulnerabilities.js +0 -283
package/dist/commands/scan-vulnerabilities.js.map +0 -1
package/dist/commands/secrets-allowlist.d.ts +0 -7
package/dist/commands/secrets-allowlist.d.ts.map +0 -1
package/dist/commands/secrets-allowlist.js +0 -85
package/dist/commands/secrets-allowlist.js.map +0 -1
package/dist/commands/ship-consolidated.d.ts +0 -58
package/dist/commands/ship-consolidated.d.ts.map +0 -1
package/dist/commands/ship-consolidated.js +0 -515
package/dist/commands/ship-consolidated.js.map +0 -1
package/dist/commands/stats.d.ts +0 -8
package/dist/commands/stats.d.ts.map +0 -1
package/dist/commands/stats.js +0 -134
package/dist/commands/stats.js.map +0 -1
package/dist/commands/upgrade.d.ts +0 -8
package/dist/commands/upgrade.d.ts.map +0 -1
package/dist/commands/upgrade.js +0 -30
package/dist/commands/upgrade.js.map +0 -1
package/dist/fix/applicator.d.ts +0 -44
package/dist/fix/applicator.d.ts.map +0 -1
package/dist/fix/applicator.js +0 -144
package/dist/fix/applicator.js.map +0 -1
package/dist/fix/backup.d.ts +0 -38
package/dist/fix/backup.d.ts.map +0 -1
package/dist/fix/backup.js +0 -154
package/dist/fix/backup.js.map +0 -1
package/dist/fix/engine.d.ts +0 -55
package/dist/fix/engine.d.ts.map +0 -1
package/dist/fix/engine.js +0 -285
package/dist/fix/engine.js.map +0 -1
package/dist/fix/index.d.ts +0 -5
package/dist/fix/index.d.ts.map +0 -1
package/dist/fix/index.js +0 -12
package/dist/fix/index.js.map +0 -1
package/dist/fix/interactive.d.ts +0 -22
package/dist/fix/interactive.d.ts.map +0 -1
package/dist/fix/interactive.js +0 -172
package/dist/fix/interactive.js.map +0 -1
package/dist/formatters/index.d.ts +0 -6
package/dist/formatters/index.d.ts.map +0 -1
package/dist/formatters/index.js +0 -11
package/dist/formatters/index.js.map +0 -1
package/dist/formatters/sarif-enhanced.d.ts +0 -78
package/dist/formatters/sarif-enhanced.d.ts.map +0 -1
package/dist/formatters/sarif-enhanced.js +0 -144
package/dist/formatters/sarif-enhanced.js.map +0 -1
package/dist/formatters/sarif-v2.d.ts +0 -121
package/dist/formatters/sarif-v2.d.ts.map +0 -1
package/dist/formatters/sarif-v2.js +0 -356
package/dist/formatters/sarif-v2.js.map +0 -1
package/dist/formatters/sarif.d.ts +0 -72
package/dist/formatters/sarif.d.ts.map +0 -1
package/dist/formatters/sarif.js +0 -146
package/dist/formatters/sarif.js.map +0 -1
package/dist/index.d.ts +0 -61
package/dist/index.d.ts.map +0 -1
package/dist/index.js +0 -4388
package/dist/index.js.map +0 -1
package/dist/init/ci-generator.d.ts +0 -18
package/dist/init/ci-generator.d.ts.map +0 -1
package/dist/init/ci-generator.js +0 -317
package/dist/init/ci-generator.js.map +0 -1
package/dist/init/detect-framework.d.ts +0 -15
package/dist/init/detect-framework.d.ts.map +0 -1
package/dist/init/detect-framework.js +0 -301
package/dist/init/detect-framework.js.map +0 -1
package/dist/init/hooks-installer.d.ts +0 -22
package/dist/init/hooks-installer.d.ts.map +0 -1
package/dist/init/hooks-installer.js +0 -310
package/dist/init/hooks-installer.js.map +0 -1
package/dist/init/index.d.ts +0 -8
package/dist/init/index.d.ts.map +0 -1
package/dist/init/index.js +0 -22
package/dist/init/index.js.map +0 -1
package/dist/init/templates.d.ts +0 -402
package/dist/init/templates.d.ts.map +0 -1
package/dist/init/templates.js +0 -240
package/dist/init/templates.js.map +0 -1
package/dist/mcp/server.d.ts +0 -12
package/dist/mcp/server.d.ts.map +0 -1
package/dist/mcp/server.js +0 -42
package/dist/mcp/server.js.map +0 -1
package/dist/mcp/telemetry.d.ts +0 -40
package/dist/mcp/telemetry.d.ts.map +0 -1
package/dist/mcp/telemetry.js +0 -98
package/dist/mcp/telemetry.js.map +0 -1
package/dist/reality/no-dead-buttons/button-sweep-generator.d.ts +0 -32
package/dist/reality/no-dead-buttons/button-sweep-generator.d.ts.map +0 -1
package/dist/reality/no-dead-buttons/button-sweep-generator.js +0 -236
package/dist/reality/no-dead-buttons/button-sweep-generator.js.map +0 -1
package/dist/reality/no-dead-buttons/index.d.ts +0 -11
package/dist/reality/no-dead-buttons/index.d.ts.map +0 -1
package/dist/reality/no-dead-buttons/index.js +0 -18
package/dist/reality/no-dead-buttons/index.js.map +0 -1
package/dist/reality/no-dead-buttons/static-scanner.d.ts +0 -34
package/dist/reality/no-dead-buttons/static-scanner.d.ts.map +0 -1
package/dist/reality/no-dead-buttons/static-scanner.js +0 -230
package/dist/reality/no-dead-buttons/static-scanner.js.map +0 -1
package/dist/reality/reality-graph.d.ts +0 -192
package/dist/reality/reality-graph.d.ts.map +0 -1
package/dist/reality/reality-graph.js +0 -600
package/dist/reality/reality-graph.js.map +0 -1
package/dist/reality/reality-runner.d.ts +0 -89
package/dist/reality/reality-runner.d.ts.map +0 -1
package/dist/reality/reality-runner.js +0 -540
package/dist/reality/reality-runner.js.map +0 -1
package/dist/reality/receipt-generator.d.ts +0 -152
package/dist/reality/receipt-generator.d.ts.map +0 -1
package/dist/reality/receipt-generator.js +0 -495
package/dist/reality/receipt-generator.js.map +0 -1
package/dist/reality/runtime-tracer.d.ts +0 -75
package/dist/reality/runtime-tracer.d.ts.map +0 -1
package/dist/reality/runtime-tracer.js +0 -109
package/dist/reality/runtime-tracer.js.map +0 -1
package/dist/runtime/auth-utils.d.ts +0 -43
package/dist/runtime/auth-utils.d.ts.map +0 -1
package/dist/runtime/auth-utils.js +0 -130
package/dist/runtime/auth-utils.js.map +0 -1
package/dist/runtime/client.d.ts +0 -74
package/dist/runtime/client.d.ts.map +0 -1
package/dist/runtime/client.js +0 -222
package/dist/runtime/client.js.map +0 -1
package/dist/runtime/creds.d.ts +0 -48
package/dist/runtime/creds.d.ts.map +0 -1
package/dist/runtime/creds.js +0 -245
package/dist/runtime/creds.js.map +0 -1
package/dist/runtime/exit-codes.d.ts +0 -49
package/dist/runtime/exit-codes.d.ts.map +0 -1
package/dist/runtime/exit-codes.js +0 -93
package/dist/runtime/exit-codes.js.map +0 -1
package/dist/runtime/index.d.ts +0 -9
package/dist/runtime/index.d.ts.map +0 -1
package/dist/runtime/index.js +0 -25
package/dist/runtime/index.js.map +0 -1
package/dist/runtime/json-output.d.ts +0 -42
package/dist/runtime/json-output.d.ts.map +0 -1
package/dist/runtime/json-output.js +0 -59
package/dist/runtime/json-output.js.map +0 -1
package/dist/runtime/semver.d.ts +0 -37
package/dist/runtime/semver.d.ts.map +0 -1
package/dist/runtime/semver.js +0 -110
package/dist/runtime/semver.js.map +0 -1
package/dist/scan/dead-ui-detector.d.ts +0 -48
package/dist/scan/dead-ui-detector.d.ts.map +0 -1
package/dist/scan/dead-ui-detector.js +0 -170
package/dist/scan/dead-ui-detector.js.map +0 -1
package/dist/scan/playwright-sweep.d.ts +0 -40
package/dist/scan/playwright-sweep.d.ts.map +0 -1
package/dist/scan/playwright-sweep.js +0 -216
package/dist/scan/playwright-sweep.js.map +0 -1
package/dist/scan/proof-bundle.d.ts +0 -25
package/dist/scan/proof-bundle.d.ts.map +0 -1
package/dist/scan/proof-bundle.js +0 -203
package/dist/scan/proof-bundle.js.map +0 -1
package/dist/scan/proof-graph.d.ts +0 -59
package/dist/scan/proof-graph.d.ts.map +0 -1
package/dist/scan/proof-graph.js +0 -64
package/dist/scan/proof-graph.js.map +0 -1
package/dist/scan/reality-sniff.d.ts +0 -56
package/dist/scan/reality-sniff.d.ts.map +0 -1
package/dist/scan/reality-sniff.js +0 -200
package/dist/scan/reality-sniff.js.map +0 -1
package/dist/scan/structural-verifier.d.ts +0 -20
package/dist/scan/structural-verifier.d.ts.map +0 -1
package/dist/scan/structural-verifier.js +0 -112
package/dist/scan/structural-verifier.js.map +0 -1
package/dist/scan/verification-engine.d.ts +0 -47
package/dist/scan/verification-engine.d.ts.map +0 -1
package/dist/scan/verification-engine.js +0 -141
package/dist/scan/verification-engine.js.map +0 -1
package/dist/scanner/baseline.d.ts +0 -52
package/dist/scanner/baseline.d.ts.map +0 -1
package/dist/scanner/baseline.js +0 -85
package/dist/scanner/baseline.js.map +0 -1
package/dist/scanner/incremental.d.ts +0 -30
package/dist/scanner/incremental.d.ts.map +0 -1
package/dist/scanner/incremental.js +0 -82
package/dist/scanner/incremental.js.map +0 -1
package/dist/scanner/parallel.d.ts +0 -43
package/dist/scanner/parallel.d.ts.map +0 -1
package/dist/scanner/parallel.js +0 -99
package/dist/scanner/parallel.js.map +0 -1
package/dist/standalone.d.ts +0 -1
package/dist/standalone.d.ts.map +0 -1
package/dist/standalone.js +0 -1
package/dist/standalone.js.map +0 -1
package/dist/truth-pack/index.d.ts +0 -102
package/dist/truth-pack/index.d.ts.map +0 -1
package/dist/truth-pack/index.js +0 -694
package/dist/truth-pack/index.js.map +0 -1
package/dist/ui/frame.d.ts +0 -68
package/dist/ui/frame.d.ts.map +0 -1
package/dist/ui/frame.js +0 -165
package/dist/ui/frame.js.map +0 -1
package/dist/ui/index.d.ts +0 -5
package/dist/ui/index.d.ts.map +0 -1
package/dist/ui/index.js +0 -16
package/dist/ui/index.js.map +0 -1
package/dist/ui.d.ts +0 -36
package/dist/ui.d.ts.map +0 -1
package/dist/ui.js +0 -45
package/dist/ui.js.map +0 -1

package/bin/runners/runReality.js ADDED Viewed

@@ -0,0 +1,489 @@
+/**
+ * Reality Mode v2 - Two-Pass Auth Verification + Dead UI Crawler
+ *
+ * Pass A (anon): crawl + click, record which routes look protected
+ * Pass B (auth): crawl same routes using storageState, verify protected routes accessible
+ *
+ * Findings:
+ * - Dead UI (clicks that do nothing)
+ * - HTTP errors (4xx/5xx)
+ * - Auth coverage (protected route reachable anonymously = BLOCK)
+ * - Route coverage stats
+ */
+"use strict";
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+let chromium;
+let playwrightError = null;
+try {
+  chromium = require("playwright").chromium;
+} catch (e) {
+  chromium = null;
+  playwrightError = e.message;
+}
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+function stamp() {
+  const d = new Date();
+  const z = (n) => String(n).padStart(2, "0");
+  return `${d.getFullYear()}${z(d.getMonth() + 1)}${z(d.getDate())}_${z(d.getHours())}${z(d.getMinutes())}${z(d.getSeconds())}`;
+}
+function sha1(s) {
+  return crypto.createHash("sha1").update(String(s)).digest("hex");
+}
+function normalizeUrl(u) {
+  try {
+    const url = new URL(u);
+    url.hash = "";
+    return url.toString();
+  } catch {
+    return u;
+  }
+}
+function sameOrigin(a, b) {
+  try {
+    return new URL(a).origin === new URL(b).origin;
+  } catch {
+    return false;
+  }
+}
+function pathFromUrl(u) {
+  try {
+    return new URL(u).pathname || "/";
+  } catch {
+    return "/";
+  }
+}
+function looksRisky(text) {
+  const t = String(text || "").toLowerCase();
+  return /\b(delete|remove|destroy|wipe|purge|drop|cancel\s+plan|unsubscribe|terminate)\b/.test(t);
+}
+function looksAuthAction(text) {
+  const t = String(text || "").toLowerCase();
+  return /\b(logout|sign\s*out)\b/.test(t);
+}
+function loadTruthpack(repoRoot, truthpackRel) {
+  const rel = truthpackRel || path.join(".vibecheck", "truth", "truthpack.json");
+  const abs = path.isAbsolute(rel) ? rel : path.join(repoRoot, rel);
+  if (!fs.existsSync(abs)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(abs, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function compileNextMatcher(pattern) {
+  const p = String(pattern || "").trim();
+  if (!p) return null;
+  const norm = p.startsWith("/") ? p : `/${p}`;
+  const esc = norm.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  if (norm.includes(":path*")) {
+    const base = esc.replace(/\\:path\\\*/g, "");
+    return new RegExp(`^${base}(\\/.*)?$`, "i");
+  }
+  return new RegExp(`^${esc}$`, "i");
+}
+function getProtectedMatchersFromTruthpack(truthpack) {
+  const patterns = truthpack?.auth?.nextMatcherPatterns || [];
+  const out = [];
+  for (const p of patterns) {
+    const rx = compileNextMatcher(p);
+    if (rx) out.push({ pattern: p, rx });
+  }
+  return out;
+}
+async function isLoginPage(page) {
+  try {
+    return await page.evaluate(() => {
+      const hasPass = !!document.querySelector("input[type='password']");
+      const txt = (document.body?.innerText || "").toLowerCase();
+      const signInWords = /(sign in|log in|login|welcome back|forgot password)/.test(txt);
+      const urlLooks = /(login|signin|auth)/.test(location.pathname.toLowerCase());
+      return hasPass || signInWords || urlLooks;
+    });
+  } catch {
+    return false;
+  }
+}
+async function pageSignature(page) {
+  return page.evaluate(() => {
+    const c = document.querySelectorAll("a,button,input,select,textarea,[role='button']").length;
+    const t = document.body?.innerText?.length || 0;
+    return `${location.href}|${c}|${t}`;
+  });
+}
+async function clickOutcome(page, locator, opts = {}) {
+  const beforeSig = await pageSignature(page);
+  const beforeUrl = page.url();
+  const beforeReq = opts.reqCounter.value;
+  const domPromise = page.evaluate(() => {
+    return new Promise((resolve) => {
+      const obs = new MutationObserver(() => { obs.disconnect(); resolve({ changed: true }); });
+      obs.observe(document.documentElement, { childList: true, subtree: true, attributes: true });
+      setTimeout(() => { try { obs.disconnect(); } catch {} resolve({ changed: false }); }, 900);
+    });
+  });
+  const navPromise = page.waitForNavigation({ timeout: 1200 }).then(() => true).catch(() => false);
+  const clickRes = await locator.click({ timeout: 1200 }).then(() => ({ ok: true })).catch((e) => ({ ok: false, error: String(e?.message || e) }));
+  const navRes = await navPromise;
+  const domRes = await domPromise;
+  await page.waitForTimeout(250);
+  const afterSig = await pageSignature(page);
+  const afterUrl = page.url();
+  return {
+    clickOk: clickRes.ok,
+    clickError: clickRes.error || null,
+    navHappened: !!navRes,
+    urlChanged: normalizeUrl(afterUrl) !== normalizeUrl(beforeUrl),
+    domChanged: !!domRes?.changed || afterSig !== beforeSig,
+    reqDelta: Math.max(0, opts.reqCounter.value - beforeReq),
+    beforeUrl,
+    afterUrl
+  };
+}
+async function collectLinks(page, baseUrl) {
+  const links = await page.evaluate(() => Array.from(document.querySelectorAll("a[href]")).map(a => a.getAttribute("href")).filter(Boolean));
+  return links.map(href => { try { return new URL(href, baseUrl).toString(); } catch { return null; } }).filter(Boolean);
+}
+async function collectInteractives(page) {
+  return page.evaluate(() => {
+    const nodes = Array.from(document.querySelectorAll("button, a[href], input[type='submit'], [role='button'], [onclick]"));
+    return nodes.slice(0, 80).map((el, idx) => ({
+      idx,
+      tag: el.tagName.toLowerCase(),
+      role: el.getAttribute("role") || "",
+      href: el.tagName === "A" ? el.getAttribute("href") || "" : "",
+      text: (el.getAttribute("aria-label") || el.innerText || "").trim().slice(0, 80),
+      id: el.id || "",
+      disabled: !!(el.disabled || el.getAttribute("aria-disabled") === "true"),
+      key: `${el.tagName}|${el.id}|${idx}`
+    }));
+  });
+}
+async function attemptLogin(page, { auth }) {
+  if (!auth) return { did: false, ok: false };
+  const [email, pass] = String(auth).split(":");
+  if (!email || !pass) return { did: false, ok: false };
+  try {
+    const emailLoc = page.locator("input[type='email'], input[name*='email' i], input[placeholder*='email' i]").first();
+    const passLoc = page.locator("input[type='password']").first();
+    if ((await emailLoc.count()) === 0 || (await passLoc.count()) === 0) return { did: false, ok: false };
+    await emailLoc.fill(email, { timeout: 1200 });
+    await passLoc.fill(pass, { timeout: 1200 });
+    const submit = page.locator("button[type='submit'], input[type='submit']").first();
+    const fallback = page.locator("button:has-text('Log in'), button:has-text('Sign in')").first();
+    const before = page.url();
+    if ((await submit.count()) > 0) await submit.click({ timeout: 1200 });
+    else if ((await fallback.count()) > 0) await fallback.click({ timeout: 1200 });
+    else return { did: true, ok: false };
+    await page.waitForLoadState("networkidle", { timeout: 6000 }).catch(() => {});
+    const stillLogin = await isLoginPage(page);
+    return { did: true, ok: normalizeUrl(page.url()) !== normalizeUrl(before) || !stillLogin };
+  } catch {
+    return { did: true, ok: false };
+  }
+}
+async function runSinglePass({ label, baseUrl, context, shotsDir, danger, maxPages, maxDepth, timeoutMs, root }) {
+  const page = await context.newPage();
+  page.setDefaultTimeout(timeoutMs);
+  const reqCounter = { value: 0 };
+  const netErrors = [];
+  const consoleErrors = [];
+  const findings = [];
+  const pagesVisited = [];
+  page.on("requestfinished", () => { reqCounter.value += 1; });
+  page.on("requestfailed", (req) => { netErrors.push({ url: req.url(), failure: req.failure()?.errorText || "unknown" }); });
+  page.on("console", (msg) => { if (msg.type() === "error") consoleErrors.push({ text: msg.text().slice(0, 500) }); });
+  page.on("pageerror", (err) => { consoleErrors.push({ text: String(err?.message || err).slice(0, 500) }); });
+  const visited = new Set();
+  const queue = [{ url: baseUrl, depth: 0 }];
+  while (queue.length && pagesVisited.length < maxPages) {
+    const item = queue.shift();
+    if (!item) break;
+    const targetUrl = normalizeUrl(item.url);
+    if (!sameOrigin(baseUrl, targetUrl) || visited.has(targetUrl)) continue;
+    if (!danger && looksAuthAction(targetUrl)) continue;
+    visited.add(targetUrl);
+    const res = await page.goto(targetUrl, { waitUntil: "domcontentloaded" }).catch(() => null);
+    await page.waitForLoadState("networkidle", { timeout: 6000 }).catch(() => {});
+    const status = res ? res.status() : null;
+    const loginLike = await isLoginPage(page);
+    pagesVisited.push({ url: page.url(), depth: item.depth, status, loginLike });
+    if (status && status >= 400) {
+      const shot = path.join(shotsDir, `${label}_http_${status}_${sha1(targetUrl)}.png`);
+      await page.screenshot({ path: shot, fullPage: true }).catch(() => {});
+      findings.push({
+        id: `R_${label}_HTTP_${status}_${sha1(targetUrl).slice(0, 8)}`,
+        severity: status >= 500 ? "BLOCK" : "WARN",
+        category: "DeadUI",
+        title: `[${label}] HTTP ${status} at ${targetUrl}`,
+        page: targetUrl,
+        reason: "Navigation reached an error status",
+        screenshot: path.relative(root, shot).replace(/\\/g, "/")
+      });
+    }
+    if (item.depth < maxDepth) {
+      for (const l of await collectLinks(page, baseUrl)) {
+        const abs = normalizeUrl(l);
+        if (sameOrigin(baseUrl, abs) && !visited.has(abs) && (danger || !looksAuthAction(abs))) {
+          queue.push({ url: abs, depth: item.depth + 1 });
+        }
+      }
+    }
+    for (const el of await collectInteractives(page)) {
+      if (el.disabled || (looksRisky(el.text) && !danger)) continue;
+      let locator;
+      try {
+        if (el.tag === "a") locator = page.locator("a[href]").nth(el.idx);
+        else if (el.tag === "button") locator = page.locator("button").nth(el.idx);
+        else if (el.role === "button") locator = page.locator("[role='button']").nth(el.idx);
+        else continue;
+      } catch { continue; }
+      const out = await clickOutcome(page, locator, { reqCounter });
+      if (!out.clickOk) {
+        const shot = path.join(shotsDir, `${label}_click_fail_${sha1(el.key)}.png`);
+        await page.screenshot({ path: shot }).catch(() => {});
+        findings.push({
+          id: `R_${label}_CLICK_FAIL_${sha1(el.key).slice(0, 8)}`,
+          severity: "WARN",
+          category: "DeadUI",
+          title: `[${label}] Click failed: ${el.text || el.tag}`,
+          page: page.url(),
+          reason: out.clickError || "click failed",
+          screenshot: path.relative(root, shot).replace(/\\/g, "/")
+        });
+        continue;
+      }
+      if (!out.navHappened && !out.urlChanged && !out.domChanged && out.reqDelta === 0) {
+        const shot = path.join(shotsDir, `${label}_dead_${sha1(el.key)}.png`);
+        await page.screenshot({ path: shot }).catch(() => {});
+        findings.push({
+          id: `R_${label}_DEAD_${sha1(el.key).slice(0, 8)}`,
+          severity: "BLOCK",
+          category: "DeadUI",
+          title: `[${label}] Dead UI: ${el.text || el.tag}`,
+          page: page.url(),
+          reason: "Click produced no navigation, no network activity, and no DOM change",
+          screenshot: path.relative(root, shot).replace(/\\/g, "/")
+        });
+      }
+    }
+  }
+  await page.close();
+  return { label, pagesVisited, findings, consoleErrors: consoleErrors.slice(0, 50), networkErrors: netErrors.slice(0, 50) };
+}
+function buildAuthCoverageFindings({ baseUrl, matchers, anonPass, authPass }) {
+  const findings = [];
+  const anonByPath = new Map((anonPass.pagesVisited || []).map(p => [pathFromUrl(p.url), p]));
+  const authByPath = new Map((authPass?.pagesVisited || []).map(p => [pathFromUrl(p.url), p]));
+  for (const [pathKey, anon] of anonByPath) {
+    const isProtected = matchers.some(m => m.rx.test(pathKey));
+    if (!isProtected) continue;
+    const anonLooksBlocked = anon.loginLike || anon.status === 401 || anon.status === 403;
+    const authed = authByPath.get(pathKey);
+    const authedLooksBlocked = authed?.loginLike || authed?.status === 401 || authed?.status === 403;
+    if (!anonLooksBlocked) {
+      findings.push({
+        id: `R_AUTH_ANON_ACCESS_${sha1(pathKey).slice(0, 8)}`,
+        severity: "BLOCK",
+        category: "AuthCoverage",
+        title: `Protected route reachable anonymously: ${pathKey}`,
+        page: new URL(pathKey, baseUrl).toString(),
+        reason: "Matcher marks route protected, but anon session did not redirect or deny."
+      });
+    }
+    if (authed && authedLooksBlocked) {
+      findings.push({
+        id: `R_AUTH_BLOCKED_${sha1(pathKey).slice(0, 8)}`,
+        severity: "BLOCK",
+        category: "AuthCoverage",
+        title: `Protected route blocked after login: ${pathKey}`,
+        page: new URL(pathKey, baseUrl).toString(),
+        reason: "Authed session still looks like login/401/403 on a protected route."
+      });
+    }
+  }
+  return findings;
+}
+function coverageFromTruthpack({ truthpack, visitedUrls }) {
+  if (!truthpack) return null;
+  const refs = truthpack?.routes?.clientRefs || [];
+  const uiPaths = new Set(refs.map(r => r?.path || pathFromUrl(r?.url || r)).filter(Boolean));
+  const visitedPaths = new Set(visitedUrls.map(pathFromUrl));
+  const total = uiPaths.size;
+  const hit = Array.from(uiPaths).filter(p => visitedPaths.has(p)).length;
+  return { total, hit, percent: total ? Math.round((hit / total) * 100) : 0, missed: Array.from(uiPaths).filter(p => !visitedPaths.has(p)).slice(0, 50) };
+}
+async function runReality({
+  repoRoot,
+  url,
+  auth,
+  storageState,
+  saveStorageState,
+  truthpack,
+  verifyAuth = false,
+  headed = false,
+  maxPages = 18,
+  maxDepth = 2,
+  danger = false,
+  timeoutMs = 15000
+} = {}) {
+  if (!url) throw new Error("--url is required");
+  if (!chromium) {
+    const hint = playwrightError?.includes("Cannot find module")
+      ? "Run: npm i -D playwright && npx playwright install chromium"
+      : `Playwright error: ${playwrightError || "unknown"}`;
+    throw new Error(`Playwright not available. ${hint}`);
+  }
+  const root = repoRoot || process.cwd();
+  const baseUrl = normalizeUrl(url);
+  const outBase = path.join(root, ".vibecheck", "reality", stamp());
+  const shotsDir = path.join(outBase, "screenshots");
+  ensureDir(shotsDir);
+  const tp = loadTruthpack(root, truthpack);
+  const matchers = getProtectedMatchersFromTruthpack(tp);
+  const browser = await chromium.launch({ headless: !headed });
+  // Pass A: Anon
+  const anonContext = await browser.newContext();
+  const anonPass = await runSinglePass({ label: "ANON", baseUrl, context: anonContext, shotsDir, danger, maxPages, maxDepth, timeoutMs, root });
+  await anonContext.close();
+  // Pass B: Auth (optional)
+  let authPass = null;
+  let authFindings = [];
+  let savedStatePath = null;
+  if (verifyAuth) {
+    const ctxOpts = storageState ? { storageState } : {};
+    const authContext = await browser.newContext(ctxOpts);
+    const authPage = await authContext.newPage();
+    await authPage.goto(baseUrl, { waitUntil: "domcontentloaded" }).catch(() => {});
+    await authPage.waitForLoadState("networkidle", { timeout: 6000 }).catch(() => {});
+    if (!storageState && auth) {
+      const loginRes = await attemptLogin(authPage, { auth });
+      if (loginRes.ok && saveStorageState) {
+        const dest = path.isAbsolute(saveStorageState) ? saveStorageState : path.join(root, saveStorageState);
+        ensureDir(path.dirname(dest));
+        await authContext.storageState({ path: dest }).catch(() => {});
+        savedStatePath = dest;
+      }
+    }
+    await authPage.close();
+    authPass = await runSinglePass({ label: "AUTH", baseUrl, context: authContext, shotsDir, danger, maxPages, maxDepth, timeoutMs, root });
+    await authContext.close();
+    if (matchers.length) {
+      authFindings = buildAuthCoverageFindings({ baseUrl, matchers, anonPass, authPass });
+    }
+  }
+  await browser.close();
+  const allVisited = [...anonPass.pagesVisited.map(p => p.url), ...(authPass?.pagesVisited || []).map(p => p.url)];
+  const coverage = coverageFromTruthpack({ truthpack: tp, visitedUrls: allVisited });
+  const findings = [...anonPass.findings, ...(authPass?.findings || []), ...authFindings];
+  const report = {
+    meta: {
+      startedAt: new Date().toISOString(),
+      baseUrl,
+      verifyAuth,
+      maxPages,
+      maxDepth,
+      truthpackLoaded: !!tp,
+      protectedMatcherCount: matchers.length,
+      savedStorageState: savedStatePath ? path.relative(root, savedStatePath).replace(/\\/g, "/") : null
+    },
+    coverage,
+    passes: { anon: anonPass, auth: authPass },
+    findings,
+    consoleErrors: [...anonPass.consoleErrors, ...(authPass?.consoleErrors || [])].slice(0, 50),
+    networkErrors: [...anonPass.networkErrors, ...(authPass?.networkErrors || [])].slice(0, 50)
+  };
+  fs.writeFileSync(path.join(outBase, "reality_report.json"), JSON.stringify(report, null, 2), "utf8");
+  const latestDir = path.join(root, ".vibecheck", "reality");
+  ensureDir(latestDir);
+  fs.writeFileSync(path.join(latestDir, "latest.json"), JSON.stringify({ latest: path.relative(root, outBase).replace(/\\/g, "/") }, null, 2));
+  fs.writeFileSync(path.join(latestDir, "last_reality.json"), JSON.stringify(report, null, 2), "utf8");
+  const blocks = findings.filter(f => f.severity === "BLOCK").length;
+  const warns = findings.filter(f => f.severity === "WARN").length;
+  console.log(`\n🧪 vibecheck reality`);
+  console.log(`Anon visited: ${anonPass.pagesVisited.length}/${maxPages}`);
+  if (verifyAuth) console.log(`Auth visited: ${authPass?.pagesVisited?.length || 0}/${maxPages}`);
+  if (coverage) console.log(`Coverage: ${coverage.percent}% of UI paths (${coverage.hit}/${coverage.total})`);
+  console.log(`Findings: ${findings.length} (${blocks} BLOCK, ${warns} WARN)`);
+  console.log(`Report: .vibecheck/reality/${path.basename(outBase)}/reality_report.json`);
+  console.log(`Verdict: ${blocks ? "🛑 BLOCK" : warns ? "⚠️ WARN" : "✅ CLEAN"}`);
+  process.exitCode = blocks ? 2 : warns ? 1 : 0;
+}
+module.exports = { runReality };

package/bin/runners/runRealitySniff.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ async function runRealitySniff(args) { console.log("RealitySniff not yet implemented"); return 0; }
2	+ module.exports = { runRealitySniff };