npm - @vibecheckai/cli - Versions diffs - 3.0.7 → 3.0.9 - Mend

@vibecheckai/cli 3.0.7 → 3.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +77 -484
package/bin/runners/cli-utils.js +6 -6
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -0
package/bin/runners/lib/entitlements-v2.js +409 -299
package/bin/runners/lib/firewall-prompt.js +1 -1
package/bin/runners/lib/sandbox/proof-chain.js +3 -3
package/bin/runners/runFix.js +20 -0
package/bin/runners/runInstall.js +41 -1
package/bin/runners/runMcp.js +58 -0
package/bin/runners/runPR.js +80 -12
package/bin/runners/runProve.js +85 -27
package/bin/runners/runReality.js +136 -16
package/bin/runners/runReport.js +40 -0
package/bin/runners/runScan.js +6 -6
package/bin/runners/runShare.js +64 -4
package/bin/runners/runShip.js +97 -1
package/bin/runners/runStatus.js +3 -1
package/bin/runners/runWatch.js +63 -6
package/bin/vibecheck.js +161 -62
package/package.json +6 -2

package/README.md CHANGED Viewed

@@ -1,532 +1,125 @@
-# vibecheck CLI v3.0.0 🚀
+# vibecheck CLI v3.0.9 🚀
-Ship with confidence. One verdict: **SHIP | WARN | BLOCK**
+**Ship with confidence. One verdict: SHIP | WARN | BLOCK**
-## ✨ What's New in v3.0.0
-- 🎯 **Unified CLI** - All spec commands now available: `install`, `ship`, `reality`, `fix`, `pr`, `share`, `ctx`
-- 📜 **Context Contracts** - `ctx sync` writes routes.json, env.json, auth.json, external.json
-- 🤖 **MCP Server v1** - AI agent integration with `validate_plan` hallucination stopper
-- 🔒 **Signed Entitlements** - Server-side metering with 24h offline grace
-- 🏃 **Reality → Ship Integration** - Runtime findings (DeadUI, AuthCoverage) affect verdict
+The CLI that catches AI hallucinations before they ship. Dead routes, fake data, missing auth, exposed secrets — vibecheck blocks it all in CI.
 ## Installation
 ```bash
-npm install -g @vibecheckai/cli@latest
+npm install -g @vibecheckai/cli
+# or
+npx @vibecheckai/cli ship
 ```
 ## Quick Start
 ```bash
-# 🎮 Open the new interactive menu (recommended)
-vibecheck menu
-# 🔐 Authenticate with your API key
-vibecheck auth --key gr_pro_your_api_key_here
+# Get your ship verdict
+vibecheck ship
-# 🔍 Scan your project
-vibecheck scan --path ./your-project
+# Full proof loop (scan → reality → verdict)
+vibecheck prove --url http://localhost:3000
-# 🚀 Try Reality Mode (auto-installs Playwright)
-vibecheck reality --url https://your-site.com --flow user-journey
+# Generate truthpack for AI agents
+vibecheck ctx
-# 📦 Ship readiness check
-vibecheck ship --path ./your-project
+# Environment diagnostics
+vibecheck doctor
 ```
-## Authentication
-The CLI uses enterprise-grade authentication with secure credential storage.
-### Commands
-```bash
-# Authenticate with API key (validates against vibecheck API)
-vibecheck auth --key gr_pro_abc123xyz789
-# Check current authentication status
-# Shows masked key (gr_pro_****xyz9), tier, email, expiry
-vibecheck auth --status
-# Force refresh cached entitlements
-vibecheck auth --refresh
-# Logout and remove stored credentials
-vibecheck auth --logout
-```
-### Features
-- **Real API Validation**: Keys are validated against `POST /v1/cli/auth/validate`
-- **Secure Storage**: Credentials stored with 0600 permissions (Unix) or NTFS ACLs (Windows)
-- **Local Caching**: Entitlements cached for 15 minutes to reduce API calls
-- **Auto-Refresh**: Cache reused if > 5 minutes remaining; use `--refresh` to force
-- **Key Masking**: API keys always displayed masked: `gr_pro_****abcd`
-- **Expiry Warnings**: Yellow warning if entitlements expire within 72 hours
-### Credential Storage
-| Platform | Location |
-|----------|----------|
-| macOS | `~/Library/Application Support/vibecheck/state.json` |
-| Linux | `~/.config/vibecheck/state.json` |
-| Windows | `%APPDATA%\vibecheck\state.json` |
-If `keytar` is available, sensitive tokens are stored in the OS keychain.
 ## Commands
-- `vibecheck auth` - Authenticate with your API key
-- `vibecheck scan` - Run security scans
-- `vibecheck scan:secrets` - Scan for hardcoded secrets
-- `vibecheck scan:vulnerabilities` - Scan dependencies for CVEs (OSV integration)
-- `vibecheck scan:compliance` - Compliance assessment (Pro)
-- `vibecheck sbom:generate` - Generate SBOM (Pro)
-- `vibecheck ship` - Ship readiness checks (Starter+)
-- `vibecheck reality` - Browser testing for fake data (Starter+)
-- `vibecheck smells` - Code smell analysis
-- `vibecheck fix` - Manual fix suggestions (Starter+)
-- `vibecheck autopilot` - AI-powered batch remediation (Pro)
-- `vibecheck cache:clear` - Clear OSV vulnerability cache
-- `vibecheck cache:status` - Show cache statistics
-- `vibecheck init` - Initialize vibecheck in a project (see [Init Command](#init-command))
-- `vibecheck menu` - Interactive menu
-## Init Command
+### Core Proof Loop
-The `vibecheck init` command provides enterprise-grade project initialization with automatic framework detection and template-based configuration.
+| Command | Description |
+|---------|-------------|
+| `vibecheck scan` | Static analysis - routes, secrets, contracts |
+| `vibecheck ship` | Verdict engine - SHIP / WARN / BLOCK |
+| `vibecheck reality` | Runtime proof with Playwright |
+| `vibecheck prove` | Full loop: ctx → reality → ship → fix |
+| `vibecheck fix` | AI-powered auto-fix (Pro) |
+| `vibecheck report` | Generate HTML/MD/SARIF reports |
-### Basic Usage
+### Setup & Diagnostics
-```bash
-# Initialize with interactive prompts (auto-detects framework)
-vibecheck init
-# Initialize with a specific template
-vibecheck init --template enterprise
-# Initialize with CI and git hooks
-vibecheck init --ci --hooks
-# Non-interactive mode
-vibecheck init --template startup --no-interactive
-```
+| Command | Description |
+|---------|-------------|
+| `vibecheck init` | Project setup wizard |
+| `vibecheck install` | Zero-friction onboarding |
+| `vibecheck doctor` | Environment diagnostics |
+| `vibecheck status` | Project health dashboard |
+| `vibecheck watch` | Continuous mode |
-### Options
+### Truth System (AI Guardrails)
-| Option | Description |
-|--------|-------------|
-| `-p, --path <path>` | Project path (default: `.`) |
-| `-t, --template <template>` | Template: `startup`, `enterprise`, or `oss` |
-| `--ci` | Generate CI/CD workflow (GitHub Actions with SARIF upload) |
-| `--hooks` | Install git hooks (husky or lefthook) |
-| `--hook-runner <runner>` | Specify hook runner: `husky` or `lefthook` |
-| `--no-interactive` | Disable interactive prompts |
+| Command | Description |
+|---------|-------------|
+| `vibecheck ctx` | Generate truthpack for AI agents |
+| `vibecheck guard` | Validate AI claims against truth |
+| `vibecheck context` | Generate .cursorrules, .windsurf/rules |
+| `vibecheck mdc` | Generate MDC specifications |
-### Framework Detection
+### CI/CD & Extras
-vibecheck automatically detects your project framework by inspecting `package.json` and file structure:
+| Command | Description |
+|---------|-------------|
+| `vibecheck gate` | CI/CD gate (Starter) |
+| `vibecheck pr` | Generate PR comment |
+| `vibecheck badge` | Generate README badge |
+| `vibecheck mcp` | Start MCP server for AI IDEs |
-| Framework | Detection Signals |
-|-----------|-------------------|
-| **Next.js** | `next` dependency, `next.config.*`, `app/` or `pages/` directory |
-| **Express** | `express` dependency, `src/server.*` patterns, `routes/` directory |
-| **NestJS** | `@nestjs/core` dependency, `nest-cli.json`, `*.module.ts` files |
-| **Fastify** | `fastify` dependency, `@fastify/*` packages |
-| **Remix** | `@remix-run/*` packages, `remix.config.*`, `app/routes/` |
-| **Vite+React** | `vite` + `react` dependencies, `@vitejs/plugin-react` |
+## What It Catches
-Based on the detected framework, vibecheck recommends the most relevant scans:
+- **Dead Routes** - Client calls API that doesn't exist → BLOCK
+- **Ghost Auth** - Sensitive endpoint without auth → BLOCK
+- **Exposed Secrets** - API keys in code → BLOCK
+- **Fake Success** - Success UI without API confirmation → BLOCK
+- **Env Gaps** - Used env vars not in .env.example → WARN
+- **Stripe Violations** - Unverified webhooks → BLOCK
+- **Owner Mode Bypass** - Debug flags in production → BLOCK
-- **Next.js/Remix**: secrets, vulnerabilities, ship readiness, reality mode (auth flows)
-- **Express/NestJS/Fastify**: secrets, vulnerabilities, ship readiness, compliance (logging/rate limits)
-- **Vite+React**: secrets, vulnerabilities, ship readiness
+## Ship Verdict
-### Templates
-Templates configure `.vibecheck/config.json` with different defaults:
-#### Startup Template
-- **Use case**: Early-stage teams, fast iteration
-- **Scan thresholds**: High (fewer alerts)
-- **Compliance**: Disabled
-- **Gating**: Block on critical only
-- **Output**: Table format
-- **Noise reduction**: Suppress test files, low-confidence findings
-```bash
-vibecheck init --template startup
 ```
-#### Enterprise Template
-- **Use case**: Regulated industries, strict security requirements
-- **Scan thresholds**: Low (catch everything)
-- **Compliance**: Enabled (SOC2 by default)
-- **Gating**: Block on critical and high, baseline/allowlist enabled
-- **Output**: SARIF format with upload
-- **SBOM**: Enabled
-```bash
-vibecheck init --template enterprise
+╔═════════════════════════════════════════════════════════════════╗
+║  🟢  SHIP IT!  Your code is production-ready.                   ║
+╚═════════════════════════════════════════════════════════════════╝
 ```
-#### OSS Template
-- **Use case**: Open source projects, contributor-friendly
-- **Focus**: Supply chain security (SBOM, vulnerabilities)
-- **Gating**: Permissive, baseline/allowlist enabled
-- **Output**: Markdown format (PR-friendly)
-- **Noise reduction**: Suppress test files, examples
-```bash
-vibecheck init --template oss
-```
+Exit codes: `0` = SHIP, `1` = WARN, `2` = BLOCK
-### Generated Files
+## MCP Server
-#### Configuration (`.vibecheck/config.json`)
+Connect vibecheck to AI coding agents (Cursor, Windsurf, Claude):
 ```json
 {
-  "version": "1.0.0",
-  "template": "enterprise",
-  "framework": "nextjs",
-  "scans": {
-    "secrets": { "enabled": true, "threshold": "low" },
-    "vulnerabilities": { "enabled": true, "threshold": "medium" },
-    "compliance": { "enabled": true, "frameworks": ["soc2"] },
-    "sbom": { "enabled": true }
-  },
-  "gating": {
-    "enabled": true,
-    "blockOnCritical": true,
-    "blockOnHigh": true,
-    "baselineEnabled": true,
-    "allowlistEnabled": true
-  },
-  "output": {
-    "format": "sarif",
-    "sarifUpload": true,
-    "badgeGeneration": true
+  "mcpServers": {
+    "vibecheck": {
+      "command": "npx",
+      "args": ["@vibecheckai/cli", "mcp"]
+    }
   }
 }
 ```
-#### CI Workflow (`.github/workflows/vibecheck.yml`)
-When using `--ci`, generates a GitHub Actions workflow that:
-- Runs secrets and vulnerability scans
-- Runs compliance checks (if enabled)
-- Generates SBOM (if enabled)
-- Uploads SARIF results to GitHub Security tab
-- Runs ship readiness check
-- Fails the workflow on critical/high findings
-**Required**: Add `VIBECHECK_API_KEY` to your repository secrets.
+## Configuration
-#### Git Hooks (`.husky/` or `lefthook.yml`)
+Create `.vibecheck/config.json`:
-When using `--hooks`, installs:
-- **pre-commit**: Secrets scan on staged files
-- **pre-push**: Full secrets + vulnerability scan + ship check
-### Examples
-```bash
-# Next.js project with enterprise security
-vibecheck init --template enterprise --ci --hooks
-# Express API with startup defaults
-vibecheck init --path ./api --template startup
-# OSS project with lefthook
-vibecheck init --template oss --hooks --hook-runner lefthook
-# CI-only setup (no hooks)
-vibecheck init --template enterprise --ci --no-interactive
-```
-## Vulnerability Scanning (OSV Integration)
-The `scan:vulnerabilities` command uses real-time data from the [Open Source Vulnerabilities (OSV)](https://osv.dev) database.
-### Features
-- **Real-time OSV API queries** - Live vulnerability data from Google's OSV database
-- **Multi-ecosystem support** - npm, PyPI, RubyGems, Go
-- **Lockfile parsing** - package-lock.json, pnpm-lock.yaml, yarn.lock
-- **24-hour caching** - Reduces API calls with local cache in `.vibecheck/cache/osv.json`
-- **CVSS scoring** - Severity levels with optional NVD enrichment
-- **Remediation paths** - Upgrade suggestions with breaking change detection
-- **SARIF output** - GitHub code scanning integration
-### Usage
-```bash
-# Basic vulnerability scan
-vibecheck scan:vulnerabilities --path ./my-project
-# Bypass cache for fresh data
-vibecheck scan:vulnerabilities --no-cache
-# Enable NVD enrichment for CVSS scores (slower)
-vibecheck scan:vulnerabilities --nvd
-# Output as SARIF for GitHub code scanning
-vibecheck scan:vulnerabilities --format sarif -o results.sarif
-# Filter by ecosystem
-vibecheck scan:vulnerabilities --ecosystem npm
-# Fail CI if critical vulnerabilities found
-vibecheck scan:vulnerabilities --fail-on-critical
-```
-### Options
-| Option | Description |
-|--------|-------------|
-| `-p, --path <path>` | Project path to scan (default: `.`) |
-| `-f, --format <format>` | Output format: `table`, `json`, `sarif` (default: `table`) |
-| `-o, --output <file>` | Write report to file |
-| `--no-cache` | Bypass 24h cache, fetch fresh data from OSV |
-| `--nvd` | Enable NVD enrichment for CVSS scores (slower) |
-| `--fail-on-critical` | Exit with error if critical vulnerabilities found |
-| `--fail-on-high` | Exit with error if high+ vulnerabilities found |
-| `--ecosystem <eco>` | Filter by ecosystem: `npm`, `PyPI`, `RubyGems`, `Go` |
-### Cache Management
-Vulnerability data is cached for 24 hours in `.vibecheck/cache/osv.json`.
-```bash
-# View cache statistics
-vibecheck cache:status
-# Clear the cache
-vibecheck cache:clear
-# Clear global cache
-vibecheck cache:clear --global
-```
-### SARIF Output for GitHub
-Generate SARIF v2.1.0 output for GitHub code scanning:
-```bash
-# Generate SARIF report
-vibecheck scan:vulnerabilities --format sarif -o vuln-results.sarif
-# In GitHub Actions workflow:
-- name: Run vibecheck Vulnerability Scan
-  run: vibecheck scan:vulnerabilities --format sarif -o results.sarif
-- name: Upload SARIF to GitHub
-  uses: github/codeql-action/upload-sarif@v2
-  with:
-    sarif_file: results.sarif
-```
-The SARIF output includes:
-- Rule metadata with CVE/GHSA IDs
-- CVSS scores and vectors
-- Remediation suggestions
-- Package.json line locations
-- Direct vs transitive classification
-### Consistent Command Headers
-All analysis commands (`scan`, `ship`, `smells`, etc.) display a consistent framed header with:
-- **Title**: Command name with icon
-- **Project**: Project name from directory
-- **Path**: Project path (truncated for long paths)
-- **Started**: Timestamp when command started
-- **Mode**: Tier badge when authenticated (FREE/STARTER/PRO/ENTERPRISE)
-- **Metadata**: Command-specific options (e.g., scan type, severity filter)
-The header respects `NO_COLOR` environment variable and `--no-color` flag for CI/accessibility.
-## Tiers
-- **Free**: Basic scanning and validation
-- **Starter** ($29/mo): Ship checks, reality mode, fix suggestions
-- **Pro** ($99/mo): Advanced analysis, autopilot, smells detection, compliance
-- **Enterprise** ($499/mo): Custom policies, SSO, dedicated support
-## Environment Variables
-| Variable | Description |
-|----------|-------------|
-| `VIBECHECK_API_BASE_URL` | Override API endpoint (default: `https://api.vibecheckai.dev`) |
-| `VIBECHECK_NO_INTERACTIVE` | Disable interactive prompts (`1` to disable) |
-| `VIBECHECK_NO_UNICODE` | Disable Unicode output (`1` for ASCII-only) |
-## Reality Mode
-Reality Mode detects fake data, mock backends, and placeholder content in your running application using Playwright browser automation.
-### Generate Only (default)
-```bash
-# Generate a Playwright test for the auth flow
-vibecheck reality --flow auth
-# Generate test for a custom URL
-vibecheck reality --url http://localhost:8080 --flow checkout
-```
-### Generate + Run
-```bash
-# Generate and immediately execute the test
-vibecheck reality --run --flow auth
-# Run in headed mode (show browser)
-vibecheck reality --run --flow auth --headless=false
-# Custom timeout and workers
-vibecheck reality --run --timeout 60 --workers 2
-# Use HTML reporter for detailed results
-vibecheck reality --run --reporter html,list
-# Full configuration example
-vibecheck reality --run \
-  --url http://localhost:8080 \
-  --flow checkout \
-  --timeout 45 \
-  --workers 4 \
-  --reporter html,json \
-  --trace retain-on-failure \
-  --video retain-on-failure \
-  --screenshot only-on-failure
-```
-**Exit Code**: Mirrors Playwright's exit code (0 = pass, non-zero = fail)
-#### 3. Record Mode
-Opens Playwright in interactive recording mode using `codegen` to capture user actions.
-```bash
-# Start recording session
-vibecheck reality --record --url http://localhost:3000
-# Record with custom flow name
-vibecheck reality --record --url http://localhost:8080 --flow signup
-```
-**How it works**:
-1. Opens browser with Playwright Inspector
-2. Interact with your app (click, type, navigate)
-3. Playwright records all actions with robust selectors
-4. Generated test saved to `.vibecheck/reality/<runId>/reality-<flow>.test.ts`
-5. Press Ctrl+C when done
-### Options
-| Flag | Description | Default |
-|------|-------------|---------|
-| `-p, --path <path>` | Project path | `.` |
-| `-u, --url <url>` | Base URL of running app | `http://localhost:3000` |
-| `-f, --flow <flow>` | Flow to test: auth, checkout, dashboard | `auth` |
-| `-t, --timeout <seconds>` | Test timeout in seconds | `30` |
-| `--headless` | Run in headless mode | `false` |
-| `--run` | Execute the generated test immediately | `false` |
-| `--record` | Open Playwright codegen for recording | `false` |
-| `--workers <n>` | Number of parallel workers | `1` |
-| `--reporter <type>` | Test reporter: list, dot, html, json | `list` |
-| `--trace <mode>` | Trace mode: on, off, retain-on-failure, on-first-retry | `retain-on-failure` |
-| `--video <mode>` | Video mode: on, off, retain-on-failure, on-first-retry | `retain-on-failure` |
-| `--screenshot <mode>` | Screenshot mode: on, off, only-on-failure | `only-on-failure` |
-### Artifacts
-When using `--run`, artifacts are saved under `.vibecheck/reality/<runId>/`:
-```
-.vibecheck/reality/auth-1704123456789-a1b2c3d4/
-├── reality-auth.test.ts      # Generated test file
-├── output.log                 # Playwright console output
-├── result.json                # Run result summary (success, exitCode, duration)
-├── run-metadata.json          # Execution configuration
-├── screenshots/               # Failure screenshots (if --screenshot enabled)
-│   ├── test-failed-1.png
-│   └── test-failed-2.png
-└── report/                    # HTML report (if --reporter html)
-    └── index.html
-```
-### Viewing Results
-**HTML Report** (if `--reporter html`):
-```bash
-npx playwright show-report .vibecheck/reality/<runId>/report
-```
-**JSON Results**:
-```bash
-cat .vibecheck/reality/<runId>/result.json
-```
-**Logs**:
-```bash
-cat .vibecheck/reality/<runId>/output.log
-```
-### Prerequisites
-Reality Mode requires Playwright and browser binaries.
-**Install Playwright**:
-```bash
-npm install -D @playwright/test
-npx playwright install
-```
-The CLI automatically detects missing dependencies and provides exact install commands with exit code 2.
-### Exit Codes
-| Code | Meaning |
-|------|---------|
-| 0 | Tests passed |
-| 1 | Tests failed |
-| 2 | Playwright or browsers not installed |
-### Examples
-**Quick test in CI**:
-```bash
-vibecheck reality --run --flow auth --headless --timeout 30
-```
-**Debug with full visibility**:
-```bash
-vibecheck reality --run --flow checkout \
-  --no-headless \
-  --trace on \
-  --video on \
-  --screenshot on
-```
-**Record custom flow**:
-```bash
-vibecheck reality --record --url http://localhost:3000 --flow onboarding
-```
-**Parallel execution**:
-```bash
-vibecheck reality --run --workers 4 --reporter html,json
+```json
+{
+  "strict": false,
+  "fastifyEntry": "src/server.ts",
+  "exclude": ["**/test/**", "**/*.spec.ts"]
+}
 ```
-## Support
+## License
-- [Documentation](https://vibecheckai.dev/docs)
-- [Discord](https://discord.gg/vibecheck)
-- [Support](mailto:support@vibecheckai.dev)
+MIT © Vibecheck AI
-## License
+---
-MIT
+**[Documentation](https://vibecheckai.dev/docs)** · **[Discord](https://discord.gg/vibecheck)** · **[GitHub](https://github.com/vibecheck-Official/vibecheck)**

package/bin/runners/cli-utils.js CHANGED Viewed

@@ -38,12 +38,12 @@ const c = {
 // ASCII Art Banner
 const BANNER = `
-${c.brightCyan}  ██████╗ ██╗   ██╗ █████╗ ██████╗ ██████╗ ██████╗  █████╗ ██╗██╗
-  ██╔════╝ ██║   ██║██╔══██╗██╔══██╗██╔══██╗██╔══██╗██╔══██╗██║██║
-  ██║  ███╗██║   ██║███████║██████╔╝██║  ██║██████╔╝███████║██║██║
-  ██║   ██║██║   ██║██╔══██║██╔══██╗██║  ██║██╔══██╗██╔══██║██║██║
-  ╚██████╔╝╚██████╔╝██║  ██║██║  ██║██████╔╝██║  ██║██║  ██║██║███████╗
-   ╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚══════╝${c.reset}
+${c.brightCyan}  ██╗   ██╗██╗██████╗ ███████╗ ██████╗██╗  ██╗███████╗ ██████╗██╗  ██╗
+  ██║   ██║██║██╔══██╗██╔════╝██╔════╝██║  ██║██╔════╝██╔════╝██║ ██╔╝
+  ██║   ██║██║██████╔╝█████╗  ██║     ███████║█████╗  ██║     █████╔╝
+  ╚██╗ ██╔╝██║██╔══██╗██╔══╝  ██║     ██╔══██║██╔══╝  ██║     ██╔═██╗
+   ╚████╔╝ ██║██████╔╝███████╗╚██████╗██║  ██║███████╗╚██████╗██║  ██╗
+    ╚═══╝  ╚═╝╚═════╝ ╚══════╝ ╚═════╝╚═╝  ╚═╝╚══════╝ ╚═════╝╚═╝  ╚═╝${c.reset}
 ${c.dim}                     AI-Native Code Security Platform${c.reset}
 `;