npm - @vibecheckai/cli - Versions diffs - 3.0.3 → 3.0.5 - Mend

@vibecheckai/cli 3.0.3 → 3.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (119) hide show

package/bin/cli-hygiene.js +241 -0
package/bin/dev/run-v2-torture.js +30 -0
package/bin/guardrail.js +843 -0
package/bin/runners/cli-utils.js +1070 -0
package/bin/runners/context/ai-task-decomposer.js +337 -0
package/bin/runners/context/analyzer.js +462 -0
package/bin/runners/context/api-contracts.js +427 -0
package/bin/runners/context/context-diff.js +342 -0
package/bin/runners/context/context-pruner.js +291 -0
package/bin/runners/context/dependency-graph.js +414 -0
package/bin/runners/context/generators/claude.js +107 -0
package/bin/runners/context/generators/codex.js +108 -0
package/bin/runners/context/generators/copilot.js +119 -0
package/bin/runners/context/generators/cursor.js +514 -0
package/bin/runners/context/generators/mcp.js +151 -0
package/bin/runners/context/generators/windsurf.js +180 -0
package/bin/runners/context/git-context.js +302 -0
package/bin/runners/context/index.js +1042 -0
package/bin/runners/context/insights.js +173 -0
package/bin/runners/context/mcp-server/generate-rules.js +337 -0
package/bin/runners/context/mcp-server/index.js +1176 -0
package/bin/runners/context/mcp-server/package.json +24 -0
package/bin/runners/context/memory.js +200 -0
package/bin/runners/context/monorepo.js +215 -0
package/bin/runners/context/multi-repo-federation.js +404 -0
package/bin/runners/context/patterns.js +253 -0
package/bin/runners/context/proof-context.js +972 -0
package/bin/runners/context/security-scanner.js +303 -0
package/bin/runners/context/semantic-search.js +350 -0
package/bin/runners/context/shared.js +264 -0
package/bin/runners/context/team-conventions.js +310 -0
package/bin/runners/lib/ai-bridge.js +416 -0
package/bin/runners/lib/analysis-core.js +271 -0
package/bin/runners/lib/analyzers.js +579 -0
package/bin/runners/lib/assets/vibecheck-logo.png +0 -0
package/bin/runners/lib/audit-bridge.js +391 -0
package/bin/runners/lib/auth-truth.js +193 -0
package/bin/runners/lib/auth.js +215 -0
package/bin/runners/lib/backup.js +62 -0
package/bin/runners/lib/billing.js +107 -0
package/bin/runners/lib/claims.js +118 -0
package/bin/runners/lib/cli-ui.js +540 -0
package/bin/runners/lib/compliance-bridge-new.js +0 -0
package/bin/runners/lib/compliance-bridge.js +165 -0
package/bin/runners/lib/contracts/auth-contract.js +202 -0
package/bin/runners/lib/contracts/env-contract.js +181 -0
package/bin/runners/lib/contracts/external-contract.js +206 -0
package/bin/runners/lib/contracts/guard.js +168 -0
package/bin/runners/lib/contracts/index.js +89 -0
package/bin/runners/lib/contracts/plan-validator.js +311 -0
package/bin/runners/lib/contracts/route-contract.js +199 -0
package/bin/runners/lib/contracts.js +804 -0
package/bin/runners/lib/detect.js +89 -0
package/bin/runners/lib/detectors-v2.js +703 -0
package/bin/runners/lib/doctor/autofix.js +254 -0
package/bin/runners/lib/doctor/index.js +37 -0
package/bin/runners/lib/doctor/modules/dependencies.js +325 -0
package/bin/runners/lib/doctor/modules/index.js +46 -0
package/bin/runners/lib/doctor/modules/network.js +250 -0
package/bin/runners/lib/doctor/modules/project.js +312 -0
package/bin/runners/lib/doctor/modules/runtime.js +224 -0
package/bin/runners/lib/doctor/modules/security.js +348 -0
package/bin/runners/lib/doctor/modules/system.js +213 -0
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -0
package/bin/runners/lib/doctor/reporter.js +262 -0
package/bin/runners/lib/doctor/service.js +262 -0
package/bin/runners/lib/doctor/types.js +113 -0
package/bin/runners/lib/doctor/ui.js +263 -0
package/bin/runners/lib/doctor-enhanced.js +233 -0
package/bin/runners/lib/doctor-v2.js +608 -0
package/bin/runners/lib/drift.js +425 -0
package/bin/runners/lib/enforcement.js +72 -0
package/bin/runners/lib/entitlements.js +8 -3
package/bin/runners/lib/env-resolver.js +417 -0
package/bin/runners/lib/extractors/client-calls.js +990 -0
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -0
package/bin/runners/lib/extractors/fastify-routes.js +426 -0
package/bin/runners/lib/extractors/index.js +363 -0
package/bin/runners/lib/extractors/next-routes.js +524 -0
package/bin/runners/lib/extractors/proof-graph.js +431 -0
package/bin/runners/lib/extractors/route-matcher.js +451 -0
package/bin/runners/lib/extractors/truthpack-v2.js +377 -0
package/bin/runners/lib/extractors/ui-bindings.js +547 -0
package/bin/runners/lib/findings-schema.js +281 -0
package/bin/runners/lib/html-report.js +650 -0
package/bin/runners/lib/missions/templates.js +45 -0
package/bin/runners/lib/policy.js +295 -0
package/bin/runners/lib/reality/correlation-detectors.js +359 -0
package/bin/runners/lib/reality/index.js +318 -0
package/bin/runners/lib/reality/request-hashing.js +416 -0
package/bin/runners/lib/reality/request-mapper.js +453 -0
package/bin/runners/lib/reality/safety-rails.js +463 -0
package/bin/runners/lib/reality/semantic-snapshot.js +408 -0
package/bin/runners/lib/reality/toast-detector.js +393 -0
package/bin/runners/lib/route-truth.js +10 -10
package/bin/runners/lib/schema-validator.js +350 -0
package/bin/runners/lib/schemas/contracts.schema.json +160 -0
package/bin/runners/lib/schemas/finding.schema.json +100 -0
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -0
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -0
package/bin/runners/lib/schemas/reality-report.schema.json +162 -0
package/bin/runners/lib/schemas/share-pack.schema.json +180 -0
package/bin/runners/lib/schemas/ship-report.schema.json +117 -0
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -0
package/bin/runners/lib/schemas/validator.js +438 -0
package/bin/runners/lib/verdict-engine.js +628 -0
package/bin/runners/runAIAgent.js +228 -1
package/bin/runners/runBadge.js +181 -1
package/bin/runners/runCtxDiff.js +301 -0
package/bin/runners/runInitGha.js +78 -15
package/bin/runners/runLaunch.js +180 -1
package/bin/runners/runProve.js +23 -0
package/bin/runners/runReplay.js +114 -84
package/bin/runners/runScan.js +111 -32
package/bin/runners/runShip.js +23 -2
package/bin/runners/runTruthpack.js +9 -7
package/bin/runners/runValidate.js +161 -1
package/bin/vibecheck.js +6 -1
package/package.json +1 -1

package/bin/guardrail.js ADDED Viewed

@@ -0,0 +1,843 @@
+#!/usr/bin/env node
+// bin/vibecheck.js
+const readline = require("readline");
+const path = require("path");
+const fs = require("fs");
+const { routeArgv } = require("./_router");
+const { warnDeprecationOnce } = require("./_deprecations");
+const {
+  getApiKey,
+  checkEntitlement,
+  getEntitlements,
+} = require("./runners/lib/auth");
+// Read version from package.json
+function getVersion() {
+  try {
+    const pkgPath = path.join(__dirname, "..", "package.json");
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+    return pkg.version || "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
+// Runners
+const { runScan } = require("./runners/runScan");
+const { runGate } = require("./runners/runGate");
+const { runContext } = require("./runners/runContext");
+const { runDashboard, runDemo } = require("./runners/runDashboard");
+const { runFix } = require("./runners/runFix");
+const { runShip } = require("./runners/runShip");
+const { runLaunch } = require("./runners/runLaunch");
+const { runAutopilot } = require("./runners/runAutopilot");
+const { runProof } = require("./runners/runProof");
+// Graceful loading for modules that may have syntax issues
+let runReality, runRealitySniff;
+try {
+  runReality = require("./runners/runReality").runReality;
+} catch (e) {
+  runReality = async () => { console.error("Reality runner unavailable:", e.message); return 1; };
+}
+try {
+  runRealitySniff = require("./runners/runRealitySniff").runRealitySniff;
+} catch (e) {
+  runRealitySniff = async () => { console.error("RealitySniff runner unavailable:", e.message); return 1; };
+}
+const { runValidate } = require("./runners/runValidate");
+const { runDoctor } = require("./runners/runDoctor");
+const { runInit } = require("./runners/runInit");
+const { runMcp } = require("./runners/runMcp");
+const { runLogin, runLogout, runWhoami } = require("./runners/runAuth");
+const {
+  runNaturalLanguage,
+  isNaturalLanguageCommand,
+} = require("./runners/runNaturalLanguage");
+const { runAIAgent } = require("./runners/runAIAgent");
+const { runBadge } = require("./runners/runBadge");
+const { runUpgrade } = require("./runners/runUpgrade");
+const { runCertify } = require("./runners/runCertify");
+const { runVerifyAgentOutput } = require("./runners/runVerifyAgentOutput");
+const { runFixPacks } = require("./runners/runFixPacks");
+const { runAudit } = require("./runners/runAudit");
+const { runMdc } = require("./runners/runMdc");
+const { runEnhancedShip } = require("./runners/runEnhancedShip");
+const { runPromptFirewall } = require("./runners/runPromptFirewall");
+// Route Truth v1 - ctx command
+const { runCtx } = require("./runners/runCtx");
+// Share command
+const { runShare } = require("./runners/runShare");
+// PR command
+const { runPR } = require("./runners/runPR");
+// Init GHA command
+const { runInitGha } = require("./runners/runInitGha");
+// Install command
+const { runInstall } = require("./runners/runInstall");
+// Prove command
+const { runProve } = require("./runners/runProve");
+// Watch command
+const { runWatch } = require("./runners/runWatch");
+// Status command
+const { runStatus } = require("./runners/runStatus");
+// Graph command - Reality Proof Graph
+const { runGraph } = require("./runners/runGraph");
+// Permissions command - AuthZ Matrix & IDOR
+const { runPermissions } = require("./runners/runPermissions");
+// Replay command - Record and replay user sessions
+const { runReplay } = require("./runners/runReplay");
+// Context Contracts commands
+const { runCtxSync } = require("./runners/runCtxSync");
+const { runCtxGuard } = require("./runners/runCtxGuard");
+const { runCtxDiff } = require("./runners/runCtxDiff");
+// Truth Pack v1 - Core truth system
+let runTruthpack;
+try {
+  runTruthpack = require("./runners/runTruthpack").runTruthpack;
+} catch (e) {
+  runTruthpack = async () => { console.error("Truthpack runner unavailable:", e.message); return 1; };
+}
+const VERSION = getVersion();
+// ANSI colors
+const c = {
+  reset: "\x1b[0m",
+  dim: "\x1b[2m",
+  cyan: "\x1b[36m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  red: "\x1b[31m",
+  blue: "\x1b[34m",
+  magenta: "\x1b[35m",
+};
+// Detect CI/CD environment (non-interactive)
+function isCI() {
+  return !!(
+    process.env.CI ||
+    process.env.CONTINUOUS_INTEGRATION ||
+    process.env.RAILWAY_ENVIRONMENT ||
+    process.env.VERCEL ||
+    process.env.NETLIFY ||
+    process.env.GITHUB_ACTIONS ||
+    process.env.GITLAB_CI ||
+    process.env.CIRCLECI ||
+    process.env.TRAVIS ||
+    process.env.BUILDKITE ||
+    process.env.RENDER ||
+    process.env.HEROKU ||
+    !process.stdin.isTTY
+  );
+}
+// ============================================================================
+// TIER-BASED COMMAND ACCESS
+// ============================================================================
+// FREE ($0) - No API key needed
+const FREE_COMMANDS = [
+  "help",
+  "version",
+  "doctor",
+  "init",
+  "login",
+  "logout",
+  "whoami",
+  "scan", // Route integrity + security analysis
+  "validate", // AI code validation
+  "badge", // Generate badges
+  "certify", // Certification badges (SEO fuel)
+  "context", // AI rules generator
+  "dashboard", // Real-time monitoring
+  "demo", // Interactive demo
+  "upgrade", // Subscription management
+  "verify-agent-output", // Verify AI agent output
+  "mdc", // MDC documentation generator
+  "prompt-firewall", // Prompt firewall (free tier with limited features)
+  "firewall", // Alias for prompt-firewall
+  "ctx", // Truth Pack generator
+  "truthpack", // Alias for ctx
+  "replay", // Record and replay user sessions
+  "graph", // Reality Proof Graph
+  "status", // Quick project status
+  "watch", // Continuous dev mode
+  "prove", // One command reality proof
+  "install", // Zero-friction onboarding
+  "pr", // PR comment generator
+  "share", // Share bundle generator
+  "reality", // Runtime UI verification
+];
+// STARTER ($19/mo) - Requires API key with starter+ plan
+const STARTER_COMMANDS = {
+  ship: "ship:audit", // Plain English audit
+  "enhanced-ship": "enhanced-ship:full", // Enhanced ship decision with all features
+  gate: "gate:ci", // CI/CD gate
+  reality: "reality:basic", // Browser testing
+  launch: "launch:checklist", // Pre-launch wizard
+};
+// PRO ($49/mo) - Requires API key with pro+ plan
+const PRO_COMMANDS = {
+  "ai-test": "ai:agent", // AI Agent testing
+  ai: "ai:agent",
+  agent: "ai:agent",
+  // fix: removed - handled specially to allow --plan-only on FREE tier
+  autopilot: "autopilot:enable", // Continuous protection
+};
+// Commands with FREE tier read-only modes
+const TIERED_COMMANDS = {
+  fix: {
+    freeArgs: ["--plan-only", "--help", "-h"], // Allow these args on FREE
+    requiredScope: "fix:apply",
+    tier: "pro",
+  },
+};
+// Special: proof command has sub-modes with different tiers
+const PROOF_COMMANDS = {
+  mocks: "proof:mocks", // Starter+
+  reality: "proof:reality", // Pro+
+};
+// Commands that always work (utilities)
+const UTILITY_COMMANDS = ["mcp", "rules", "api", "deps", "sbom", "fixpacks"];
+// Compliance tier commands
+const COMPLIANCE_COMMANDS = {
+  audit: "audit:full", // Full audit trail
+};
+async function prompt(question) {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+async function showWelcomeAndPromptLogin() {
+  console.log(`
+${c.cyan}╔════════════════════════════════════════════════════════════╗
+║  ${c.reset}🛡️  VIBECHECK${c.cyan}                                              ║
+╚════════════════════════════════════════════════════════════╝${c.reset}
+${c.dim}Ship with confidence. Catch fake features before your users do.${c.reset}
+`);
+  const { key, source } = getApiKey();
+  if (!key) {
+    // In CI/CD environments, skip interactive prompts
+    if (isCI()) {
+      console.log(`${c.yellow}⚠ No API key found${c.reset}`);
+      console.log(
+        `${c.dim}Running in CI mode with FREE tier features.${c.reset}`,
+      );
+      console.log(
+        `${c.dim}Set VIBECHECK_API_KEY env var to unlock more features.${c.reset}\n`,
+      );
+      return { key: null, entitlements: null };
+    }
+    console.log(`${c.yellow}⚠ No API key found${c.reset}`);
+    console.log(`
+${c.dim}To unlock all features, you need a vibecheck API key.${c.reset}
+  ${c.green}FREE${c.reset}     scan, validate, badge, doctor, init
+  ${c.cyan}STARTER${c.reset}  ship, gate, reality, launch, proof mocks  ${c.dim}($29/mo)${c.reset}
+  ${c.magenta}PRO${c.reset}      ai-test, fix, autopilot, proof reality  ${c.dim}($99/mo)${c.reset}
+${c.dim}Get your API key at: ${c.cyan}https://vibecheckai.dev/settings/keys${c.reset}
+`);
+    const answer = await prompt(
+      `${c.cyan}?${c.reset} Do you have an API key? (y/N) `,
+    );
+    if (answer.toLowerCase() === "y") {
+      const apiKey = await prompt(`${c.cyan}?${c.reset} Paste your API key: `);
+      if (apiKey) {
+        const { saveApiKey } = require("./runners/lib/auth");
+        console.log(`\n${c.dim}Verifying...${c.reset}`);
+        const entitlements = await getEntitlements(apiKey);
+        if (entitlements) {
+          saveApiKey(apiKey);
+          console.log(
+            `\n${c.green}✓${c.reset} Logged in as ${entitlements.user?.name || "User"}`,
+          );
+          console.log(
+            `${c.dim}Plan: ${entitlements.plan?.toUpperCase() || "FREE"}${c.reset}\n`,
+          );
+          return { key: apiKey, entitlements };
+        } else {
+          console.log(`\n${c.red}✗${c.reset} Invalid API key\n`);
+        }
+      }
+    }
+    console.log(`
+${c.dim}Continuing in FREE mode. Some features will be limited.${c.reset}
+${c.dim}Run ${c.cyan}vibecheck login${c.dim} anytime to upgrade.${c.reset}
+`);
+    return { key: null, entitlements: null };
+  }
+  // User has API key, get entitlements
+  const entitlements = await getEntitlements(key);
+  return { key, entitlements };
+}
+async function checkCommandAccess(cmd, entitlements, args = []) {
+  // Free commands always work (no API key needed)
+  if (FREE_COMMANDS.includes(cmd)) {
+    return { allowed: true, tier: "free" };
+  }
+  // Utility commands always work
+  if (UTILITY_COMMANDS.includes(cmd)) {
+    return { allowed: true, tier: "utility" };
+  }
+  // Tiered commands with FREE read-only modes
+  if (TIERED_COMMANDS[cmd]) {
+    const config = TIERED_COMMANDS[cmd];
+    // Check if using a FREE tier argument
+    const hasFreeArg = args.some(arg => config.freeArgs.includes(arg));
+    // Also allow if no fix pack specified (shows help)
+    const hasNoFixPack = cmd === "fix" && !args.some(arg => !arg.startsWith("-"));
+    if (hasFreeArg || hasNoFixPack) {
+      return { allowed: true, tier: "free" };
+    }
+    // Requires paid tier
+    if (!entitlements) {
+      return {
+        allowed: false,
+        reason: `${c.yellow}${cmd}${c.reset} requires a ${c.magenta}PRO${c.reset} plan.\n\n  Run ${c.cyan}vibecheck login${c.reset} to authenticate.\n  Get your API key at: ${c.cyan}https://vibecheckai.dev/settings/keys${c.reset}`,
+      };
+    }
+    if (
+      entitlements.scopes?.includes(config.requiredScope) ||
+      entitlements.scopes?.includes("*")
+    ) {
+      return { allowed: true, tier: config.tier };
+    }
+    return {
+      allowed: false,
+      reason: `Your ${c.yellow}${entitlements.plan?.toUpperCase()}${c.reset} plan doesn't include this feature.\n\n  Required: ${config.requiredScope}\n  Upgrade to ${c.magenta}PRO${c.reset} at: ${c.cyan}https://vibecheckai.dev/pricing${c.reset}`,
+    };
+  }
+  // Special handling for proof command (has sub-modes with different tiers)
+  if (cmd === "proof") {
+    const subMode = args[0]; // mocks or reality
+    if (subMode === "mocks") {
+      // Starter+ required
+      if (!entitlements) {
+        return {
+          allowed: false,
+          reason: `${c.yellow}proof mocks${c.reset} requires a ${c.cyan}STARTER${c.reset} plan or higher.\n\n  Run ${c.cyan}vibecheck login${c.reset} to authenticate.\n  Get your API key at: ${c.cyan}https://vibecheckai.dev/settings/keys${c.reset}`,
+        };
+      }
+      if (
+        entitlements.scopes?.includes("proof:mocks") ||
+        entitlements.scopes?.includes("*")
+      ) {
+        return { allowed: true, tier: "starter" };
+      }
+      return {
+        allowed: false,
+        reason: `Your ${c.yellow}${entitlements.plan?.toUpperCase()}${c.reset} plan doesn't include mock detection.\n\n  Upgrade to ${c.cyan}STARTER${c.reset} at: ${c.cyan}https://vibecheckai.dev/pricing${c.reset}`,
+      };
+    } else if (subMode === "reality") {
+      // Pro+ required
+      if (!entitlements) {
+        return {
+          allowed: false,
+          reason: `${c.yellow}proof reality${c.reset} requires a ${c.magenta}PRO${c.reset} plan.\n\n  Run ${c.cyan}vibecheck login${c.reset} to authenticate.\n  Get your API key at: ${c.cyan}https://vibecheckai.dev/settings/keys${c.reset}`,
+        };
+      }
+      if (
+        entitlements.scopes?.includes("proof:reality") ||
+        entitlements.scopes?.includes("*")
+      ) {
+        return { allowed: true, tier: "pro" };
+      }
+      return {
+        allowed: false,
+        reason: `Your ${c.yellow}${entitlements.plan?.toUpperCase()}${c.reset} plan doesn't include runtime verification.\n\n  Upgrade to ${c.magenta}PRO${c.reset} at: ${c.cyan}https://vibecheckai.dev/pricing${c.reset}`,
+      };
+    }
+    // No submode - show help
+    return { allowed: true };
+  }
+  // STARTER tier commands
+  if (STARTER_COMMANDS[cmd]) {
+    const requiredScope = STARTER_COMMANDS[cmd];
+    if (!entitlements) {
+      return {
+        allowed: false,
+        reason: `${c.yellow}${cmd}${c.reset} requires a ${c.cyan}STARTER${c.reset} plan or higher.\n\n  Run ${c.cyan}vibecheck login${c.reset} to authenticate.\n  Get your API key at: ${c.cyan}https://vibecheckai.dev/settings/keys${c.reset}`,
+      };
+    }
+    if (
+      entitlements.scopes?.includes(requiredScope) ||
+      entitlements.scopes?.includes("*")
+    ) {
+      return { allowed: true, tier: "starter" };
+    }
+    return {
+      allowed: false,
+      reason: `Your ${c.yellow}${entitlements.plan?.toUpperCase()}${c.reset} plan doesn't include this feature.\n\n  Required: ${requiredScope}\n  Upgrade to ${c.cyan}STARTER${c.reset} at: ${c.cyan}https://vibecheckai.dev/pricing${c.reset}`,
+    };
+  }
+  // PRO tier commands
+  if (PRO_COMMANDS[cmd]) {
+    const requiredScope = PRO_COMMANDS[cmd];
+    if (!entitlements) {
+      return {
+        allowed: false,
+        reason: `${c.yellow}${cmd}${c.reset} requires a ${c.magenta}PRO${c.reset} plan.\n\n  Run ${c.cyan}vibecheck login${c.reset} to authenticate.\n  Get your API key at: ${c.cyan}https://vibecheckai.dev/settings/keys${c.reset}`,
+      };
+    }
+    if (
+      entitlements.scopes?.includes(requiredScope) ||
+      entitlements.scopes?.includes("*")
+    ) {
+      return { allowed: true, tier: "pro" };
+    }
+    return {
+      allowed: false,
+      reason: `Your ${c.yellow}${entitlements.plan?.toUpperCase()}${c.reset} plan doesn't include this feature.\n\n  Required: ${requiredScope}\n  Upgrade to ${c.magenta}PRO${c.reset} at: ${c.cyan}https://vibecheckai.dev/pricing${c.reset}`,
+    };
+  }
+  return { allowed: true };
+}
+function printHelp() {
+  console.log(
+    `
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+${c.cyan}  VIBECHECK${c.reset} - Ship with confidence
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+${c.green}🚀 QUICK START${c.reset}
+  ${c.cyan}ship${c.reset}              "Is my app ready?" - Plain English, traffic light score
+  ${c.cyan}ship --fix${c.reset}        Same + auto-fix problems
+${c.yellow}🧪 TESTING${c.reset} (each does something different!)
+  ${c.cyan}scan${c.reset}              ${c.dim}Route Integrity${c.reset} - dead links, orphans, coverage, security 🗺️
+  ${c.cyan}scan --truth${c.reset}      ${c.dim}+ Build manifest${c.reset} verification (CI/ship ready)
+  ${c.cyan}scan --reality${c.reset}    ${c.dim}+ Playwright${c.reset} runtime proof (best-in-class)
+  ${c.cyan}reality${c.reset}           ${c.dim}Browser testing${c.reset} - clicks buttons, fills forms, finds broken UI
+  ${c.cyan}ai-test${c.reset}           ${c.dim}AI Agent${c.reset} - autonomous testing + generates fix prompts 🤖
+${c.magenta}🚦 CI/CD & GATES${c.reset}
+  ${c.cyan}gate${c.reset}              Block bad deploys - pass/fail for CI pipelines
+  ${c.cyan}proof mocks${c.reset}       Block mock/demo code from reaching production
+  ${c.cyan}proof reality${c.reset}     Runtime GO/NO-GO verification with Playwright
+${c.blue}🔧 FIX & AUTOMATE${c.reset}
+  ${c.cyan}fix${c.reset}               Auto-fix detected issues (--plan first, then --apply)
+  ${c.cyan}autopilot${c.reset}         Continuous protection - weekly reports, auto-PRs
+  ${c.cyan}badge${c.reset}             Generate Ship Badge for your README/PR
+  ${c.cyan}certify${c.reset}           Generate vibecheck Certified badge with verification link
+${c.dim}📦 TRUTH SYSTEM${c.reset}
+  ${c.cyan}ctx${c.reset}               Generate Truth Pack - ground truth for AI agents
+  ${c.cyan}ctx sync${c.reset}          Generate contracts from truthpack (routes/env/auth/external)
+  ${c.cyan}ctx guard${c.reset}         CI gate - fail on contract drift (BLOCK on route/env/auth drift)
+  ${c.cyan}ctx diff${c.reset}          Preview contract changes before syncing
+  ${c.cyan}ctx --snapshot${c.reset}    Save snapshot to .vibecheck/truth/snapshots/
+  ${c.cyan}graph${c.reset}             Build Reality Proof Graph - end-to-end causal chains
+${c.dim}📦 EXTRAS${c.reset}
+  ${c.cyan}audit${c.reset}             View/export audit trail (Compliance+ tier)
+  ${c.cyan}context${c.reset}           Generate AI rules files (.cursorrules, .windsurf/rules, etc.)
+  ${c.cyan}dashboard${c.reset}         Real-time monitoring dashboard with live metrics
+  ${c.cyan}demo${c.reset}              Interactive terminal features showcase
+  ${c.cyan}launch${c.reset}            Pre-launch checklist wizard
+  ${c.cyan}validate${c.reset}          Check AI-generated code for hallucinations
+  ${c.cyan}init${c.reset}              Set up vibecheck in your project
+  ${c.cyan}doctor${c.reset}            Debug environment issues
+  ${c.cyan}mcp${c.reset}               Start MCP server for AI editors
+${c.dim}🔑 ACCOUNT${c.reset}
+  ${c.cyan}login${c.reset}             Sign in with API key
+  ${c.cyan}logout${c.reset}            Sign out
+  ${c.cyan}whoami${c.reset}            Show current user & plan
+  ${c.cyan}upgrade${c.reset}           Manage subscription & view usage
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+${c.green}Examples:${c.reset}
+  vibecheck ship                      ${c.dim}# Quick health check${c.reset}
+  vibecheck scan                      ${c.dim}# Route integrity + security analysis${c.reset}
+  vibecheck scan --truth              ${c.dim}# + Build manifest verification${c.reset}
+  vibecheck scan --reality --url http://localhost:3000  ${c.dim}# Full proof${c.reset}
+  vibecheck reality --url https://... ${c.dim}# Test live app${c.reset}
+  vibecheck ai-test --url https://... ${c.dim}# AI explores your app${c.reset}
+  vibecheck gate                      ${c.dim}# Block bad deploy in CI${c.reset}
+  vibecheck badge                     ${c.dim}# Generate ship badge${c.reset}
+${c.dim}Run 'vibecheck <command> --help' for details.${c.reset}
+`.trim(),
+  );
+}
+(async function main() {
+  const rawArgs = process.argv.slice(2);
+  // Check if the first argument looks like a natural language command
+  // Natural language commands are typically quoted strings or multi-word phrases
+  const firstArg = rawArgs[0];
+  if (firstArg && isNaturalLanguageCommand(firstArg)) {
+    // Join all args as the natural language input
+    const nlInput = rawArgs.join(" ");
+    const exitCode = await runNaturalLanguage(nlInput);
+    process.exit(exitCode);
+  }
+  const { legacyFrom, routed } = routeArgv(process.argv);
+  const cmd = routed[0];
+  const args = routed.slice(1);
+  // Commands that skip auth check entirely
+  const skipAuthCommands = [
+    "help",
+    "-h",
+    "--help",
+    "version",
+    "login",
+    "logout",
+    "whoami",
+    "doctor",
+  ];
+  if (!cmd || cmd === "-h" || cmd === "--help" || cmd === "help") {
+    printHelp();
+    process.exit(0);
+  }
+  // Check for first run (no API key) - only for non-skip commands
+  let authInfo = { key: null, entitlements: null };
+  if (!skipAuthCommands.includes(cmd)) {
+    // Check if this is a free command or utility - if so, skip entitlement checks
+    const isFreeCommand = FREE_COMMANDS.includes(cmd) || UTILITY_COMMANDS.includes(cmd);
+    const isKnownCommand = isFreeCommand ||
+      STARTER_COMMANDS[cmd] ||
+      PRO_COMMANDS[cmd] ||
+      TIERED_COMMANDS[cmd] ||
+      PROOF_COMMANDS[cmd] ||
+      COMPLIANCE_COMMANDS[cmd];
+    // For unknown commands, skip auth and let them fail with "Unknown command" message
+    if (!isKnownCommand) {
+      // Skip authentication for unknown commands - they'll show help/error message
+      authInfo = { key: null, entitlements: null };
+    } else {
+      const { key } = getApiKey();
+      // First run without API key - show welcome and prompt
+      if (!key && !process.env.VIBECHECK_SKIP_AUTH) {
+        authInfo = await showWelcomeAndPromptLogin();
+      } else if (key && !isFreeCommand) {
+        // Has API key and command requires auth - get entitlements silently
+        // For free commands, we don't need to check entitlements
+        try {
+          const entitlements = await getEntitlements(key);
+          authInfo = { key, entitlements };
+        } catch (error) {
+          // If API is unavailable, allow free commands to proceed
+          // Paid commands will be blocked in checkCommandAccess
+          if (isFreeCommand) {
+            authInfo = { key, entitlements: null };
+          } else {
+            throw error;
+          }
+        }
+      } else if (key && isFreeCommand) {
+        // Free command with key - no need to fetch entitlements
+        authInfo = { key, entitlements: null };
+      }
+    }
+    // Check if user has access to this command (only for known commands)
+    if (isKnownCommand) {
+      const access = await checkCommandAccess(cmd, authInfo.entitlements, args);
+      if (!access.allowed) {
+        console.log(`\n${c.red}✗ Access Denied${c.reset}\n`);
+        console.log(access.reason);
+        console.log("");
+        process.exit(1);
+      }
+      // Show tier info for paid features
+      if (access.tier === "starter") {
+        console.log(`${c.cyan}▸ STARTER${c.reset} ${c.dim}feature${c.reset}\n`);
+      } else if (access.tier === "pro") {
+        console.log(`${c.magenta}▸ PRO${c.reset} ${c.dim}feature${c.reset}\n`);
+      }
+    }
+  }
+  // Deprecation suggestions
+  if (legacyFrom) {
+    const suggestion = routed.slice(0, 2).join(" ");
+    warnDeprecationOnce(legacyFrom, suggestion, VERSION);
+  }
+  try {
+    let exitCode = 0;
+    switch (cmd) {
+      case "scan":
+        exitCode = await runScan(args);
+        break;
+      case "gate":
+        exitCode = await runGate(args);
+        break;
+      case "ship":
+        exitCode = await runShip(args);
+        break;
+      case "enhanced-ship":
+        exitCode = await runEnhancedShip(args);
+        break;
+      case "prompt-firewall":
+      case "firewall":
+        exitCode = await runPromptFirewall(args);
+        break;
+      case "launch":
+        exitCode = await runLaunch(args);
+        break;
+      case "autopilot":
+        exitCode = await runAutopilot(args);
+        break;
+      case "fix":
+        exitCode = await runFix(args);
+        break;
+      case "share":
+        exitCode = await runShare({
+          repoRoot: process.cwd(),
+          missionDir: args.find((a, i) => args[i-1] === '--mission-dir'),
+          outputDir: args.find((a, i) => args[i-1] === '--output-dir'),
+          prComment: args.includes('--pr-comment')
+        });
+        break;
+      case "pr":
+        exitCode = await runPR({
+          repoRoot: process.cwd(),
+          fastifyEntry: args.find((a, i) => args[i-1] === '--fastify-entry'),
+          out: args.find((a, i) => args[i-1] === '--out'),
+          failOnWarn: args.includes('--fail-on-warn'),
+          maxFindings: Number(args.find((a, i) => args[i-1] === '--max-findings')) || 12
+        });
+        break;
+      case "install":
+        exitCode = await runInstall({ repoRoot: process.cwd() });
+        break;
+      case "prove":
+        exitCode = await runProve({
+          repoRoot: process.cwd(),
+          url: args.find((a, i) => args[i-1] === '--url' || args[i-1] === '-u'),
+          auth: args.find((a, i) => args[i-1] === '--auth'),
+          storageState: args.find((a, i) => args[i-1] === '--storage-state'),
+          fastifyEntry: args.find((a, i) => args[i-1] === '--fastify-entry'),
+          maxFixRounds: Number(args.find((a, i) => args[i-1] === '--max-fix-rounds')) || 3,
+          maxMissions: Number(args.find((a, i) => args[i-1] === '--max-missions')) || 8,
+          maxSteps: Number(args.find((a, i) => args[i-1] === '--max-steps')) || 10,
+          skipReality: args.includes('--skip-reality'),
+          skipFix: args.includes('--skip-fix'),
+          headed: args.includes('--headed'),
+          danger: args.includes('--danger'),
+          maxPages: Number(args.find((a, i) => args[i-1] === '--max-pages')) || 18,
+          maxDepth: Number(args.find((a, i) => args[i-1] === '--max-depth')) || 2,
+          timeoutMs: Number(args.find((a, i) => args[i-1] === '--timeout-ms')) || 15000
+        });
+        break;
+      case "watch":
+        exitCode = await runWatch({
+          repoRoot: process.cwd(),
+          fastifyEntry: args.find((a, i) => args[i-1] === '--fastify-entry'),
+          debounceMs: Number(args.find((a, i) => args[i-1] === '--debounce')) || 500,
+          clearScreen: !args.includes('--no-clear')
+        });
+        break;
+      case "status":
+        exitCode = await runStatus({
+          repoRoot: process.cwd(),
+          json: args.includes('--json')
+        });
+        break;
+      case "proof":
+        exitCode = await runProof(args);
+        break;
+      case "reality":
+        exitCode = await runReality({
+          repoRoot: process.cwd(),
+          url: args.find((a, i) => args[i-1] === '--url' || args[i-1] === '-u'),
+          auth: args.find((a, i) => args[i-1] === '--auth'),
+          storageState: args.find((a, i) => args[i-1] === '--storage-state'),
+          saveStorageState: args.find((a, i) => args[i-1] === '--save-storage-state'),
+          truthpack: args.find((a, i) => args[i-1] === '--truthpack'),
+          verifyAuth: args.includes('--verify-auth'),
+          headed: args.includes('--headed'),
+          maxPages: Number(args.find((a, i) => args[i-1] === '--max-pages')) || 18,
+          maxDepth: Number(args.find((a, i) => args[i-1] === '--max-depth')) || 2,
+          danger: args.includes('--danger'),
+          timeoutMs: Number(args.find((a, i) => args[i-1] === '--timeout-ms')) || 15000
+        });
+        break;
+      case "reality-sniff":
+      case "sniff":
+        exitCode = await runRealitySniff(args);
+        break;
+      case "ai-test":
+      case "ai":
+      case "agent":
+        exitCode = await runAIAgent(args);
+        break;
+      case "validate":
+        exitCode = await runValidate(args);
+        break;
+      case "doctor":
+        exitCode = runDoctor(args);
+        break;
+      case "init":
+        // Enterprise init handles all flags including --gha, --gitlab, --compliance, etc.
+        exitCode = await runInit(args);
+        break;
+      case "mcp":
+        exitCode = runMcp(args);
+        break;
+      case "login":
+        exitCode = await runLogin(args);
+        break;
+      case "logout":
+        exitCode = await runLogout(args);
+        break;
+      case "whoami":
+        exitCode = await runWhoami(args);
+        break;
+      case "badge":
+        exitCode = await runBadge(args);
+        break;
+      case "context":
+      case "rules":
+        exitCode = await runContext(args);
+        break;
+      case "dashboard":
+        exitCode = await runDashboard(args);
+        break;
+      case "demo":
+        exitCode = await runDemo(args);
+        break;
+      case "upgrade":
+        exitCode = await runUpgrade(args);
+        break;
+      case "certify":
+        exitCode = await runCertify(args, process.cwd());
+        break;
+      case "verify-agent-output":
+        exitCode = await runVerifyAgentOutput(args);
+        break;
+      case "fixpacks":
+        exitCode = await runFixPacks(args);
+        break;
+      case "audit":
+        exitCode = await runAudit(args);
+        break;
+      case "mdc":
+        exitCode = await runMdc(args);
+        break;
+      case "graph":
+        exitCode = await runGraph(args);
+        break;
+      case "permissions":
+      case "authz":
+        exitCode = await runPermissions(args);
+        break;
+      case "ctx":
+      case "truthpack":
+        // Check for subcommands
+        if (args[0] === "sync") {
+          exitCode = await runCtxSync({
+            repoRoot: process.cwd(),
+            fastifyEntry: args.find((a, i) => args[i-1] === '--fastify-entry')
+          });
+          break;
+        }
+        if (args[0] === "guard") {
+          exitCode = await runCtxGuard.main(args.slice(1));
+          break;
+        }
+        if (args[0] === "diff") {
+          const { main: ctxDiffMain } = require("./runners/runCtxDiff");
+          exitCode = await ctxDiffMain(args.slice(1));
+          break;
+        }
+        // Parse args for ctx command - use Route Truth v1
+        const fastifyEntryIdx = args.indexOf('--fastify-entry');
+        const fastifyEntry = fastifyEntryIdx !== -1 ? args[fastifyEntryIdx + 1] : undefined;
+        await runCtx({
+          repoRoot: process.cwd(),
+          fastifyEntry,
+          print: args.includes('--print'),
+        });
+        exitCode = 0;
+        break;
+      case "version":
+        console.log(`vibecheck v${VERSION}`);
+        break;
+      default:
+        // Try natural language parsing as fallback for unknown commands
+        const nlInput = [cmd, ...args].join(" ");
+        if (isNaturalLanguageCommand(nlInput)) {
+          exitCode = await runNaturalLanguage(nlInput);
+        } else {
+          process.stderr.write(`Unknown command: ${cmd}\n\n`);
+          printHelp();
+          exitCode = 1;
+        }
+    }
+    process.exit(exitCode);
+  } catch (err) {
+    process.stderr.write(
+      err && err.stack ? err.stack + "\n" : String(err) + "\n",
+    );
+    process.exit(1);
+  }
+})();