@vibecheckai/cli 3.0.4 → 3.0.5

package/bin/runners/runScan.js

@@ -478,8 +478,65 @@ async function runScan(args) {
   }
 
   try {
-    // Import systems
-    const { scanRouteIntegrity } = require('../../dist/lib/route-integrity');
+    // Import systems - try TypeScript compiled first, fallback to JS runtime
+    let scanRouteIntegrity;
+    let useFallbackScanner = false;
+    
+    try {
+      scanRouteIntegrity = require('../../dist/lib/route-integrity').scanRouteIntegrity;
+    } catch (e) {
+      // Fallback to JS-based scanner using truth.js and analyzers.js
+      useFallbackScanner = true;
+      const { buildTruthpack } = require('./lib/truth');
+      const { findMissingRoutes, findEnvGaps, findFakeSuccess, findGhostAuth } = require('./lib/analyzers');
+      
+      scanRouteIntegrity = async function({ projectPath, layers, baseUrl, verbose }) {
+        // Build truthpack for route analysis
+        const truthpack = await buildTruthpack({ repoRoot: projectPath });
+        
+        // Run analyzers
+        const findings = [];
+        findings.push(...findMissingRoutes(truthpack));
+        findings.push(...findEnvGaps(truthpack));
+        findings.push(...findFakeSuccess(projectPath));
+        findings.push(...findGhostAuth(truthpack, projectPath));
+        
+        // Convert to scan format matching TypeScript scanner output
+        const shipBlockers = findings.map((f, i) => ({
+          id: f.id || `finding-${i}`,
+          ruleId: f.category,
+          category: f.category,
+          severity: f.severity === 'BLOCK' ? 'critical' : f.severity === 'WARN' ? 'warning' : 'info',
+          title: f.title,
+          message: f.title,
+          description: f.why,
+          file: f.evidence?.[0]?.file || '',
+          line: parseInt(f.evidence?.[0]?.lines?.split('-')[0]) || 1,
+          evidence: f.evidence || [],
+          fixHints: f.fixHints || [],
+          autofixAvailable: false,
+          verdict: f.severity === 'BLOCK' ? 'FAIL' : 'WARN',
+        }));
+        
+        // Return structure matching TypeScript scanner
+        return {
+          report: {
+            shipBlockers,
+            realitySniffFindings: [],
+            routeMap: truthpack.routes,
+            summary: {
+              total: shipBlockers.length,
+              critical: shipBlockers.filter(f => f.severity === 'critical').length,
+              warning: shipBlockers.filter(f => f.severity === 'warning').length,
+            },
+            verdict: shipBlockers.some(f => f.severity === 'critical') ? 'BLOCK' : 
+                     shipBlockers.some(f => f.severity === 'warning') ? 'WARN' : 'SHIP'
+          },
+          outputPaths: {},
+          truthpack
+        };
+      };
+    }
     
     // Try to import new unified output system (may not be compiled yet)
     let buildVerdictOutput, normalizeFinding, formatStandardOutput, formatScanOutput, getExitCode, CacheManager;
@@ -648,35 +705,6 @@ async function runScan(args) {
 
     const { report, outputPaths } = result;
 
-    // Normalize findings with stable IDs
-    const existingIDs = new Set();
-    const normalizedFindings = [];
-    
-    // Normalize route integrity findings
-    if (report.shipBlockers) {
-      for (let i = 0; i < report.shipBlockers.length; i++) {
-        const blocker = report.shipBlockers[i];
-        const category = blocker.category || 'ROUTE';
-        const normalized = normalizeFinding(blocker, category, i, existingIDs);
-        normalizedFindings.push(normalized);
-      }
-    }
-
-    // Normalize Reality Sniff findings if present
-    if (report.realitySniffFindings) {
-      for (let i = 0; i < report.realitySniffFindings.length; i++) {
-        const finding = report.realitySniffFindings[i];
-        const category = finding.ruleId?.startsWith('auth') ? 'AUTH' : 'REALITY';
-        const normalized = normalizeFinding(finding, category, normalizedFindings.length, existingIDs);
-        normalizedFindings.push(normalized);
-      }
-    }
-    
-    // Add detection engine findings (Dead UI, Billing, Fake Success)
-    for (const finding of detectionFindings) {
-      normalizedFindings.push(finding);
-    }
-
     // Use new unified output if available, otherwise fallback to old format
     if (useUnifiedOutput && buildVerdictOutput && normalizeFinding) {
       // Normalize findings with stable IDs
@@ -778,7 +806,58 @@ async function runScan(args) {
     });
 
     return getExitCode(verdict);
-    } // End of if (useUnifiedOutput)
+    } else {
+      // Legacy fallback output when unified output system isn't available
+      const findings = [...(report.shipBlockers || []), ...detectionFindings];
+      const criticalCount = findings.filter(f => f.severity === 'critical' || f.severity === 'BLOCK').length;
+      const warningCount = findings.filter(f => f.severity === 'warning' || f.severity === 'WARN').length;
+      
+      const verdict = criticalCount > 0 ? 'BLOCK' : warningCount > 0 ? 'WARN' : 'SHIP';
+      
+      // Print simple output
+      console.log();
+      console.log(`  ${c.bold}═══════════════════════════════════════════════════════════════════${c.reset}`);
+      
+      if (verdict === 'SHIP') {
+        console.log(`  ${c.bgGreen}${c.white}${c.bold}  ✓ SHIP  ${c.reset} ${c.green}Ready to ship!${c.reset}`);
+      } else if (verdict === 'WARN') {
+        console.log(`  ${c.bgYellow}${c.black}${c.bold}  ⚠ WARN  ${c.reset} ${c.yellow}Review recommended before shipping${c.reset}`);
+      } else {
+        console.log(`  ${c.bgRed}${c.white}${c.bold}  ✗ BLOCK ${c.reset} ${c.red}Issues must be fixed before shipping${c.reset}`);
+      }
+      
+      console.log(`  ${c.bold}═══════════════════════════════════════════════════════════════════${c.reset}`);
+      console.log();
+      
+      if (findings.length > 0) {
+        console.log(`  ${c.bold}Findings (${findings.length})${c.reset}`);
+        console.log();
+        
+        for (const finding of findings.slice(0, 10)) {
+          const severityIcon = finding.severity === 'critical' || finding.severity === 'BLOCK' 
+            ? `${c.red}✗${c.reset}` 
+            : `${c.yellow}⚠${c.reset}`;
+          console.log(`  ${severityIcon} ${finding.title || finding.message}`);
+          if (finding.file) {
+            console.log(`    ${c.dim}${finding.file}${finding.line ? `:${finding.line}` : ''}${c.reset}`);
+          }
+        }
+        
+        if (findings.length > 10) {
+          console.log(`  ${c.dim}... and ${findings.length - 10} more findings${c.reset}`);
+        }
+        console.log();
+      }
+      
+      // Emit audit event
+      emitScanComplete(projectPath, verdict === 'SHIP' ? 'success' : 'failure', {
+        score: verdict === 'SHIP' ? 100 : verdict === 'WARN' ? 70 : 40,
+        issueCount: criticalCount + warningCount,
+        durationMs: timings.total,
+      });
+      
+      return verdict === 'SHIP' ? 0 : verdict === 'WARN' ? 1 : 2;
+    }
 
   } catch (error) {
     stopSpinner(`Scan failed: ${error.message}`, false);

package/bin/runners/runShip.js

@@ -22,6 +22,8 @@ const {
   findOwnerModeBypass
 } = require("./lib/analyzers");
 const { findingsFromReality } = require("./lib/reality-findings");
+// Contract Drift Detection - per spec: "routes/env/auth drift → usually BLOCK"
+const { findContractDrift, loadContracts, hasContracts, getDriftSummary } = require("./lib/drift");
 
 // Build proof graph from findings for evidence-backed verdicts
 function buildProofGraph(findings, truthpack, root) {
@@ -103,7 +105,8 @@ function getClaimType(category) {
     'StripeWebhook': 'billing_enforced',
     'PaidSurface': 'billing_enforced',
     'OwnerModeBypass': 'billing_enforced',
-    'DeadUI': 'ui_wired'
+    'DeadUI': 'ui_wired',
+    'ContractDrift': 'contract_satisfied'
   };
   return map[category] || 'ui_wired';
 }
@@ -117,7 +120,8 @@ function getGapType(category) {
     'StripeWebhook': 'missing_verification',
     'PaidSurface': 'missing_gate',
     'OwnerModeBypass': 'missing_gate',
-    'DeadUI': 'missing_handler'
+    'DeadUI': 'missing_handler',
+    'ContractDrift': 'contract_drift'
   };
   return map[category] || 'untested_path';
 }
@@ -490,6 +494,23 @@ ${c.bold}EXAMPLES${c.reset}
       ...findingsFromReality(projectPath)
     ];
     
+    // Contract Drift Detection - per spec section 8.1:
+    // "drift can be WARN or BLOCK depending on category:
+    //  routes/env/auth drift → usually BLOCK (because AI will lie here)"
+    if (hasContracts(projectPath)) {
+      const contracts = loadContracts(projectPath);
+      const driftFindings = findContractDrift(contracts, truthpack);
+      allFindings.push(...driftFindings);
+      
+      const driftSummary = getDriftSummary(driftFindings);
+      if (driftSummary.hasDrift) {
+        console.log(`  ${driftSummary.blocks > 0 ? c.red + '🛑' : c.yellow + '⚠️'} Contract drift detected: ${driftSummary.blocks} blocks, ${driftSummary.warns} warnings${c.reset}`);
+        if (driftSummary.blocks > 0) {
+          console.log(`     ${c.dim}Run 'vibecheck ctx sync' to update contracts${c.reset}`);
+        }
+      }
+    }
+    
     results.routeTruth = {
       serverRoutes: truthpack.routes.server.length,
       clientRefs: truthpack.routes.clientRefs.length,

package/bin/runners/runTruthpack.js

@@ -11,11 +11,13 @@
  *   vibecheck ctx --md         - Also generate truthpack.md
  */
 
-import fs from 'fs/promises';
-import path from 'path';
-import crypto from 'crypto';
-import { execSync } from 'child_process';
-import { RouteIndex, resolveNextRoutes, resolveFastifyRoutes } from './lib/route-truth.js';
+"use strict";
+
+const fs = require('fs/promises');
+const path = require('path');
+const crypto = require('crypto');
+const { execSync } = require('child_process');
+const { RouteIndex, resolveNextRoutes, resolveFastifyRoutes } = require('./lib/route-truth.js');
 
 const VERSION = '1.0.0';
 
@@ -25,7 +27,7 @@ let evidenceCounter = 0;
 /**
  * Main entry point
  */
-export async function runTruthpack(projectPath = process.cwd(), options = {}) {
+async function runTruthpack(projectPath = process.cwd(), options = {}) {
   const startTime = Date.now();
   console.log('📦 Generating Truth Pack...\n');
   
@@ -631,4 +633,4 @@ function generateMarkdown(truthpack) {
   return lines.join('\n');
 }
 
-export default runTruthpack;
+module.exports = { runTruthpack };

package/bin/runners/runValidate.js

@@ -1,2 +1,162 @@
-async function runValidate(args) { console.log("Validate command not yet implemented"); return 0; }
+/**
+ * vibecheck validate - Validate AI-generated code for hallucinations
+ */
+
+const fs = require("fs");
+const path = require("path");
+const { buildTruthpack } = require("./lib/truth");
+const { routeMatches } = require("./lib/claims");
+
+const c = {
+  reset: "\x1b[0m",
+  bold: "\x1b[1m",
+  dim: "\x1b[2m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  red: "\x1b[31m",
+  cyan: "\x1b[36m",
+};
+
+function parseArgs(args) {
+  const opts = {
+    help: false,
+    file: null,
+    json: false,
+    verbose: false,
+  };
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    switch (arg) {
+      case "--help":
+      case "-h":
+        opts.help = true;
+        break;
+      case "--json":
+        opts.json = true;
+        break;
+      case "--verbose":
+      case "-v":
+        opts.verbose = true;
+        break;
+      default:
+        if (!arg.startsWith("-")) {
+          opts.file = arg;
+        }
+    }
+  }
+
+  return opts;
+}
+
+function printHelp() {
+  console.log(`
+${c.bold}vibecheck validate${c.reset} - Validate AI-generated code for hallucinations
+
+${c.bold}USAGE${c.reset}
+  vibecheck validate [file] [options]
+
+${c.bold}OPTIONS${c.reset}
+  --help, -h     Show this help
+  --json         Output as JSON
+  --verbose, -v  Show detailed output
+
+${c.bold}WHAT IT CHECKS${c.reset}
+  - API routes referenced but not defined
+  - Env vars used but not declared
+  - Imports that don't exist
+  - Function calls to undefined functions
+
+${c.bold}EXAMPLES${c.reset}
+  vibecheck validate                     # Validate all files
+  vibecheck validate src/api/route.ts    # Validate specific file
+  vibecheck validate --json              # JSON output
+`);
+}
+
+async function runValidate(args) {
+  const opts = parseArgs(args);
+
+  if (opts.help) {
+    printHelp();
+    return 0;
+  }
+
+  const projectPath = process.cwd();
+  
+  console.log(`\n${c.bold}🔍 Validating code for hallucinations...${c.reset}\n`);
+
+  try {
+    // Build truthpack for validation
+    const truthpack = await buildTruthpack({ repoRoot: projectPath });
+    
+    const issues = [];
+    
+    // Check for missing routes
+    const clientRefs = truthpack.routes?.clientRefs || [];
+    const serverRoutes = truthpack.routes?.server || [];
+    
+    for (const ref of clientRefs) {
+      const method = ref.method || "*";
+      const p = ref.path;
+      const exists = serverRoutes.some(r => routeMatches(r, method, p) || routeMatches(r, "*", p));
+      
+      if (!exists) {
+        issues.push({
+          type: "missing_route",
+          severity: "error",
+          message: `Route ${method} ${p} is referenced but not defined`,
+          file: ref.evidence?.[0]?.file || "unknown",
+          line: ref.evidence?.[0]?.lines?.split("-")[0] || 1,
+        });
+      }
+    }
+    
+    // Check for undeclared env vars (excluding system vars)
+    const envVars = truthpack.env?.vars || [];
+    const declared = new Set(truthpack.env?.declared || []);
+    const systemVars = new Set([
+      'HOME', 'USER', 'PATH', 'NODE_ENV', 'CI', 'DEBUG', 'PORT',
+      'APPDATA', 'USERPROFILE', 'COMPUTERNAME', 'HOSTNAME',
+    ]);
+    
+    for (const v of envVars) {
+      if (!declared.has(v.name) && !systemVars.has(v.name) && v.name.startsWith("VIBECHECK_")) {
+        issues.push({
+          type: "undeclared_env",
+          severity: "warning",
+          message: `Env var ${v.name} is used but not declared in .env.example`,
+          file: v.references?.[0]?.file || "unknown",
+          line: v.references?.[0]?.lines?.split("-")[0] || 1,
+        });
+      }
+    }
+    
+    // Output results
+    if (opts.json) {
+      console.log(JSON.stringify({ issues, valid: issues.length === 0 }, null, 2));
+    } else {
+      if (issues.length === 0) {
+        console.log(`${c.green}✓${c.reset} No hallucinations detected!\n`);
+        console.log(`  ${c.dim}All routes and env vars are properly defined.${c.reset}\n`);
+      } else {
+        console.log(`${c.yellow}⚠${c.reset} Found ${issues.length} potential issues:\n`);
+        
+        for (const issue of issues) {
+          const icon = issue.severity === "error" ? `${c.red}✗${c.reset}` : `${c.yellow}⚠${c.reset}`;
+          console.log(`  ${icon} ${issue.message}`);
+          console.log(`    ${c.dim}${issue.file}:${issue.line}${c.reset}`);
+        }
+        console.log();
+      }
+    }
+    
+    return issues.some(i => i.severity === "error") ? 1 : 0;
+    
+  } catch (error) {
+    console.error(`${c.red}✗${c.reset} Validation failed: ${error.message}`);
+    return 1;
+  }
+}
+
 module.exports = { runValidate };

package/bin/vibecheck.js

@@ -298,6 +298,11 @@ ${c.dim}Run ${c.cyan}vibecheck login${c.dim} anytime to upgrade.${c.reset}
 }
 
 async function checkCommandAccess(cmd, entitlements, args = []) {
+  // Development mode - bypass all tier checks
+  if (process.env.VIBECHECK_SKIP_AUTH) {
+    return { allowed: true, tier: "dev" };
+  }
+
   // Free commands always work (no API key needed)
   if (FREE_COMMANDS.includes(cmd)) {
     return { allowed: true, tier: "free" };
@@ -730,7 +735,7 @@ ${c.dim}Run 'vibecheck <command> --help' for details.${c.reset}
         exitCode = await runValidate(args);
         break;
       case "doctor":
-        exitCode = runDoctor(args);
+        exitCode = await runDoctor(args);
         break;
       case "init":
         // Enterprise init handles all flags including --gha, --gitlab, --compliance, etc.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibecheckai/cli",
-  "version": "3.0.4",
+  "version": "3.0.5",
   "description": "Vibecheck CLI - Ship with confidence. One verdict: SHIP | WARN | BLOCK.",
   "main": "bin/vibecheck.js",
   "bin": {
@@ -12,6 +12,13 @@
     "README.md",
     "LICENSE"
   ],
+  "scripts": {
+    "build": "node scripts/copy-runners.js",
+    "build:legacy": "node scripts/build.js",
+    "dev": "node ../../bin/vibecheck.js",
+    "start": "node bin/vibecheck.js",
+    "prepublishOnly": "npm run build"
+  },
   "dependencies": {
     "@babel/parser": "^7.23.0",
     "@babel/traverse": "^7.23.0",
@@ -67,11 +74,5 @@
   },
   "publishConfig": {
     "access": "public"
-  },
-  "scripts": {
-    "build": "node scripts/copy-runners.js",
-    "build:legacy": "node scripts/build.js",
-    "dev": "node ../../bin/vibecheck.js",
-    "start": "node bin/vibecheck.js"
   }
-}
+}