@vibecheckai/cli 3.0.7 → 3.0.9

package/bin/runners/runScan.js

@@ -88,12 +88,12 @@ const gradientPink = rgb(255, 105, 180);
 const gradientOrange = rgb(255, 165, 0);
 
 const BANNER = `
-${rgb(0, 200, 255)}   ██████╗ ██╗   ██╗ █████╗ ██████╗ ██████╗ ██████╗  █████╗ ██╗██╗     ${c.reset}
-${rgb(30, 180, 255)}  ██╔════╝ ██║   ██║██╔══██╗██╔══██╗██╔══██╗██╔══██╗██╔══██╗██║██║     ${c.reset}
-${rgb(60, 160, 255)}  ██║  ███╗██║   ██║███████║██████╔╝██║  ██║██████╔╝███████║██║██║     ${c.reset}
-${rgb(90, 140, 255)}  ██║   ██║██║   ██║██╔══██║██╔══██╗██║  ██║██╔══██╗██╔══██║██║██║     ${c.reset}
-${rgb(120, 120, 255)}  ╚██████╔╝╚██████╔╝██║  ██║██║  ██║██████╔╝██║  ██║██║  ██║██║███████╗${c.reset}
-${rgb(150, 100, 255)}   ╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚══════╝${c.reset}
+${rgb(0, 200, 255)}  ██╗   ██╗██╗██████╗ ███████╗ ██████╗██╗  ██╗███████╗ ██████╗██╗  ██╗${c.reset}
+${rgb(30, 180, 255)}  ██║   ██║██║██╔══██╗██╔════╝██╔════╝██║  ██║██╔════╝██╔════╝██║ ██╔╝${c.reset}
+${rgb(60, 160, 255)}  ██║   ██║██║██████╔╝█████╗  ██║     ███████║█████╗  ██║     █████╔╝ ${c.reset}
+${rgb(90, 140, 255)}  ╚██╗ ██╔╝██║██╔══██╗██╔══╝  ██║     ██╔══██║██╔══╝  ██║     ██╔═██╗ ${c.reset}
+${rgb(120, 120, 255)}   ╚████╔╝ ██║██████╔╝███████╗╚██████╗██║  ██║███████╗╚██████╗██║  ██╗${c.reset}
+${rgb(150, 100, 255)}    ╚═══╝  ╚═╝╚═════╝ ╚══════╝ ╚═════╝╚═╝  ╚═╝╚══════╝ ╚═════╝╚═╝  ╚═╝${c.reset}
 
 ${c.dim}  ┌─────────────────────────────────────────────────────────────────────┐${c.reset}
 ${c.dim}  │${c.reset}  ${rgb(255, 255, 255)}${c.bold}Route Integrity${c.reset} ${c.dim}•${c.reset} ${rgb(200, 200, 200)}Security${c.reset} ${c.dim}•${c.reset} ${rgb(150, 150, 150)}Quality${c.reset} ${c.dim}•${c.reset} ${rgb(100, 100, 100)}Ship with Confidence${c.reset}  ${c.dim}│${c.reset}

package/bin/runners/runShare.js

@@ -3,12 +3,72 @@ const fs = require("fs");
 const path = require("path");
 const { buildSharePack, findLatestMissionDir } = require("./lib/share-pack");
 
-async function runShare({ repoRoot, missionDir, outputDir, prComment } = {}) {
+function printHelp() {
+  console.log(`
+vibecheck share - Generate shareable proof bundles
+
+USAGE
+  vibecheck share [options]
+
+OPTIONS
+  --mission-dir <path>   Specific mission directory to share
+  --output-dir <path>    Output directory for share pack
+  --pr-comment           Print PR comment to stdout
+  --help, -h             Show this help
+
+WHAT IT DOES
+  1. Finds latest mission pack from .vibecheck/missions/
+  2. Generates share bundle with:
+     - share.json (machine readable)
+     - share.md (human readable)
+     - pr_comment.md (GitHub ready)
+
+OUTPUT FILES
+  .vibecheck/missions/<timestamp>/share/share.json
+  .vibecheck/missions/<timestamp>/share/share.md
+  .vibecheck/missions/<timestamp>/share/pr_comment.md
+
+EXAMPLES
+  vibecheck share                    # Share latest mission
+  vibecheck share --pr-comment       # Print PR comment body
+  vibecheck fix --autopilot --share  # Fix then auto-share
+`);
+}
+
+async function runShare(argsOrOpts = {}) {
+  // Handle array args from CLI
+  if (Array.isArray(argsOrOpts)) {
+    if (argsOrOpts.includes("--help") || argsOrOpts.includes("-h")) {
+      printHelp();
+      return 0;
+    }
+    const getArg = (flags) => {
+      for (const f of flags) {
+        const idx = argsOrOpts.indexOf(f);
+        if (idx !== -1 && idx < argsOrOpts.length - 1) return argsOrOpts[idx + 1];
+      }
+      return undefined;
+    };
+    argsOrOpts = {
+      missionDir: getArg(["--mission-dir"]),
+      outputDir: getArg(["--output-dir"]),
+      prComment: argsOrOpts.includes("--pr-comment"),
+    };
+  }
+
+  const { repoRoot, missionDir, outputDir, prComment } = argsOrOpts;
   const root = repoRoot || process.cwd();
 
-  const resolvedMissionDir = missionDir
-    ? (path.isAbsolute(missionDir) ? missionDir : path.join(root, missionDir))
-    : findLatestMissionDir(root);
+  let resolvedMissionDir;
+  try {
+    resolvedMissionDir = missionDir
+      ? (path.isAbsolute(missionDir) ? missionDir : path.join(root, missionDir))
+      : findLatestMissionDir(root);
+  } catch (e) {
+    console.log(`\n❌ Error: ${e.message}\n`);
+    console.log(`Run 'vibecheck fix --autopilot' first to generate mission packs.\n`);
+    return 1;
+  }
 
   const res = buildSharePack({
     repoRoot: root,

package/bin/runners/runShip.js

@@ -571,6 +571,7 @@ ${c.bold}EXAMPLES${c.reset}
       translated,
       results,
       outputDir,
+      results.routeTruth?.findings || [], // Pass modern analyzer findings
     );
     printFixResults(fixResults);
   }
@@ -699,7 +700,7 @@ ${c.bold}EXAMPLES${c.reset}
  * 2. Updates .gitignore to protect sensitive files
  * 3. Generates fixes.md with detailed manual fix instructions
  */
-async function runAutoFix(projectPath, translated, results, outputDir) {
+async function runAutoFix(projectPath, translated, results, outputDir, analyzerFindings = []) {
   const fixResults = {
     envExampleCreated: false,
     gitignoreUpdated: false,
@@ -984,6 +985,101 @@ async function runAutoFix(projectPath, translated, results, outputDir) {
       }
     }
 
+    // 5. Add modern analyzer findings to AI prompt
+    if (analyzerFindings && analyzerFindings.length > 0) {
+      aiPrompt += "---\n\n";
+      aiPrompt += "## Analyzer Findings\n\n";
+      aiPrompt += "The following issues were detected by static analysis:\n\n";
+      
+      // Group by category
+      const findingsByCategory = {};
+      for (const f of analyzerFindings) {
+        const cat = f.category || "Other";
+        if (!findingsByCategory[cat]) findingsByCategory[cat] = [];
+        findingsByCategory[cat].push(f);
+      }
+      
+      for (const [category, findings] of Object.entries(findingsByCategory)) {
+        const blockers = findings.filter(f => f.severity === "BLOCK");
+        const warnings = findings.filter(f => f.severity === "WARN");
+        
+        aiPrompt += `### ${category} (${blockers.length} blockers, ${warnings.length} warnings)\n\n`;
+        
+        // Show blockers first (limit to 10 per category to avoid huge prompts)
+        const toShow = [...blockers.slice(0, 10), ...warnings.slice(0, 5)];
+        
+        for (const finding of toShow) {
+          aiPrompt += `#### Fix ${fixNum}: ${finding.title}\n\n`;
+          aiPrompt += `**Severity:** ${finding.severity === "BLOCK" ? "🔴 BLOCKER" : "🟡 WARNING"}\n\n`;
+          
+          if (finding.evidence && finding.evidence.length > 0) {
+            const ev = finding.evidence[0];
+            aiPrompt += `**File:** \`${ev.file}${ev.lines ? `:${ev.lines}` : ""}\`\n\n`;
+          }
+          
+          aiPrompt += `**Problem:** ${finding.title}\n\n`;
+          
+          if (finding.why) {
+            aiPrompt += `**Why this matters:** ${finding.why}\n\n`;
+          }
+          
+          if (finding.fixHints && finding.fixHints.length > 0) {
+            aiPrompt += "**How to fix:**\n";
+            for (const hint of finding.fixHints) {
+              aiPrompt += `- ${hint}\n`;
+            }
+            aiPrompt += "\n";
+          }
+          
+          // Add category-specific fix instructions
+          if (category === "MissingRoute" || finding.title?.includes("route")) {
+            aiPrompt += "**Action:**\n";
+            aiPrompt += "1. Check if this API endpoint should exist\n";
+            aiPrompt += "2. If yes, create the route handler in your backend\n";
+            aiPrompt += "3. If no, update the frontend to use the correct endpoint\n";
+            aiPrompt += "4. Ensure the route is registered with your framework (Express, Fastify, Next.js API)\n\n";
+          } else if (category === "EnvGap" || finding.title?.includes("env")) {
+            aiPrompt += "**Action:**\n";
+            aiPrompt += "1. Add the missing environment variable to `.env.example`\n";
+            aiPrompt += "2. Document what the variable is for\n";
+            aiPrompt += "3. Add to your deployment environment\n\n";
+          } else if (category === "GhostAuth" || finding.title?.includes("auth")) {
+            aiPrompt += "**Action:**\n";
+            aiPrompt += "1. Add authentication middleware to this route\n";
+            aiPrompt += "2. Verify the middleware checks for valid session/token\n";
+            aiPrompt += "3. Return 401/403 for unauthorized requests\n\n";
+          } else if (category === "FakeSuccess" || finding.title?.includes("fake")) {
+            aiPrompt += "**Action:**\n";
+            aiPrompt += "1. Ensure success UI only shows after confirmed API success\n";
+            aiPrompt += "2. Check response.ok or status before showing success\n";
+            aiPrompt += "3. Add proper error handling for failed requests\n\n";
+          } else if (category === "StripeWebhook" || finding.title?.includes("Stripe")) {
+            aiPrompt += "**Action:**\n";
+            aiPrompt += "1. Verify Stripe webhook signature using stripe.webhooks.constructEvent()\n";
+            aiPrompt += "2. Add idempotency key handling to prevent duplicate processing\n";
+            aiPrompt += "3. Return 200 only after successful processing\n\n";
+          } else if (category === "PaidSurface" || finding.title?.includes("paid")) {
+            aiPrompt += "**Action:**\n";
+            aiPrompt += "1. Add server-side entitlement check before allowing access\n";
+            aiPrompt += "2. Verify the user's subscription status from your database\n";
+            aiPrompt += "3. Return 403 if user doesn't have access to this feature\n\n";
+          } else if (category === "OwnerMode" || finding.title?.includes("OWNER")) {
+            aiPrompt += "**Action:**\n";
+            aiPrompt += "1. Remove or disable OWNER_MODE/bypass flags in production\n";
+            aiPrompt += "2. Use proper feature flags that require authentication\n";
+            aiPrompt += "3. Never ship code that bypasses auth checks\n\n";
+          }
+          
+          fixNum++;
+        }
+        
+        if (blockers.length > 10) {
+          aiPrompt += `\n*...and ${blockers.length - 10} more blockers in this category*\n\n`;
+        }
+      }
+    }
+
+    aiPrompt += "---\n\n";
     aiPrompt += "## Verification\n\n";
     aiPrompt += "After applying fixes:\n";
     aiPrompt += "1. Run `npm run build` or `pnpm build` to check for errors\n";

package/bin/runners/runStatus.js

@@ -130,7 +130,9 @@ ${c.bold}Quick Actions${c.reset}
   ${lastShip?.meta?.verdict === "SHIP" ? `${c.green}✓ Ready to deploy!${c.reset}` : ""}
 `);
 
-  return lastShip?.meta?.verdict === "SHIP" ? 0 : lastShip?.meta?.verdict === "BLOCK" ? 2 : 1;
+  // Exit 0 when showing status successfully (even if no ship yet)
+  // Only return non-zero if explicitly checking for BLOCK
+  return 0;
 }
 
 module.exports = { runStatus };

package/bin/runners/runWatch.js

@@ -158,12 +158,69 @@ function watchDirectory(dir, callback) {
   };
 }
 
-async function runWatch({
-  repoRoot,
-  fastifyEntry,
-  debounceMs = 500,
-  clearScreen = true
-} = {}) {
+function printHelp() {
+  console.log(`
+${c.cyan}${c.bold}vibecheck watch${c.reset} - Continuous Dev Mode
+
+${c.bold}USAGE${c.reset}
+  vibecheck watch [options]
+
+${c.bold}OPTIONS${c.reset}
+  --fastify-entry <path>   Fastify entry file for route extraction
+  --debounce <ms>          Debounce delay in ms (default: 500)
+  --no-clear               Don't clear screen between runs
+  --help, -h               Show this help
+
+${c.bold}WHAT IT DOES${c.reset}
+  1. Runs initial ship analysis
+  2. Watches for file changes in your project
+  3. Re-runs analysis on each change
+  4. Shows live verdict dashboard
+
+${c.bold}WATCHED FILES${c.reset}
+  .ts, .tsx, .js, .jsx, .json, .env, .md, .yml, .yaml
+
+${c.bold}IGNORED${c.reset}
+  node_modules, .next, .vibecheck, dist, build, .git
+
+${c.bold}EXAMPLES${c.reset}
+  vibecheck watch                      # Start watching
+  vibecheck watch --debounce 1000      # 1s debounce
+  vibecheck watch --no-clear           # Keep history
+
+${c.dim}Press Ctrl+C to stop watching${c.reset}
+`);
+}
+
+async function runWatch(argsOrOpts = {}) {
+  // Handle array args from CLI
+  if (Array.isArray(argsOrOpts)) {
+    if (argsOrOpts.includes("--help") || argsOrOpts.includes("-h")) {
+      printHelp();
+      return 0;
+    }
+    const getArg = (flags) => {
+      for (const f of flags) {
+        const idx = argsOrOpts.indexOf(f);
+        if (idx !== -1 && idx < argsOrOpts.length - 1) return argsOrOpts[idx + 1];
+      }
+      return undefined;
+    };
+    argsOrOpts = {
+      repoRoot: process.cwd(),
+      fastifyEntry: getArg(["--fastify-entry"]),
+      debounceMs: parseInt(getArg(["--debounce"]) || "500", 10),
+      clearScreen: !argsOrOpts.includes("--no-clear"),
+    };
+  }
+
+  const {
+    repoRoot,
+    fastifyEntry,
+    debounceMs = 500,
+    clearScreen = true
+  } = argsOrOpts;
+
   const root = repoRoot || process.cwd();
   let runCount = 0;
   let lastFile = null;

package/bin/vibecheck.js

@@ -230,34 +230,53 @@ function findSimilarCommands(input, commands, maxDistance = 3) {
 }
 
 // ═══════════════════════════════════════════════════════════════════════════════
-// COMMAND REGISTRY
+// ENTITLEMENTS (v2 - Single Source of Truth)
+// ═══════════════════════════════════════════════════════════════════════════════
+const entitlements = require("./runners/lib/entitlements-v2");
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// COMMAND REGISTRY - Tiers match entitlements-v2.js EXACTLY
 // ═══════════════════════════════════════════════════════════════════════════════
 const COMMANDS = {
-  scan: { description: "Static truth - routes, contracts, secrets, coverage", tier: "free", category: "proof", aliases: ["s", "check"], runner: () => require("./runners/runScan").runScan },
-  ship: { description: "Verdict engine - SHIP / WARN / BLOCK decision", tier: "free", category: "proof", aliases: ["verdict"], runner: () => require("./runners/runShip").runShip },
-  reality: { description: "Runtime proof - Playwright clicks every button", tier: "free", category: "proof", aliases: ["r", "test", "e2e"], runner: () => { try { return require("./runners/runReality").runReality; } catch (e) { return async () => { console.error("Reality runner unavailable:", e.message); return 1; }; } } },
-  fix: { description: "Mission-based repair - targeted fixes with proof", tier: "pro", category: "proof", freeArgs: ["--plan-only", "--help", "-h"], aliases: ["f", "repair"], runner: () => require("./runners/runFix").runFix },
-  prove: { description: "One command - runs the full loop, fixes issues, proves SHIP", tier: "free", category: "proof", aliases: ["p", "full", "all"], runner: () => require("./runners/runProve").runProve },
-  report: { description: "HTML artifact - shareable proof of what shipped", tier: "free", category: "proof", aliases: ["html", "artifact"], runner: () => require("./runners/runReport").runReport },
-  init: { description: "Set up vibecheck (--gha for GitHub Actions)", tier: "free", category: "setup", aliases: ["setup", "configure"], runner: () => require("./runners/runInit").runInit },
-  install: { description: "Zero-friction onboarding - auto-detects everything", tier: "free", category: "setup", aliases: ["i", "bootstrap"], runner: () => require("./runners/runInstall").runInstall },
-  doctor: { description: "Environment + project diagnostics", tier: "free", category: "setup", aliases: ["health", "diag"], runner: () => require("./runners/runDoctor").runDoctor },
-  watch: { description: "Continuous mode - re-runs on file changes", tier: "free", category: "setup", aliases: ["w", "dev"], runner: () => require("./runners/runWatch").runWatch },
-  ctx: { description: "Generate truthpack - ground truth for AI agents", tier: "free", category: "truth", aliases: ["truthpack", "tp"], subcommands: ["build", "diff", "guard", "sync", "search"], runner: () => require("./runners/runCtx").runCtx },
-  guard: { description: "Trust boundaries - validates AI claims + prompt injection", tier: "free", category: "truth", aliases: ["validate", "trust"], runner: () => require("./runners/runGuard").runGuard },
-  context: { description: "Generate AI rules (.cursorrules, .windsurf/rules, etc.)", tier: "free", category: "truth", aliases: ["rules", "ai-rules"], runner: () => require("./runners/runContext").runContext },
-  mcp: { description: "Start MCP server for AI coding agents", tier: "free", category: "extras", aliases: [], runner: () => require("./runners/runMcp").runMcp },
-  badge: { description: "Generate ship badge for README/PR", tier: "free", category: "extras", aliases: ["b"], runner: () => require("./runners/runBadge").runBadge },
-  pr: { description: "Generate PR comment with findings", tier: "free", category: "extras", aliases: ["pull-request"], runner: () => require("./runners/runPR").runPR },
-  labs: { description: "Experimental features", tier: "free", category: "extras", aliases: ["experimental", "beta"], runner: () => require("./runners/runLabs").runLabs },
-  gate: { description: "CI/CD gate - blocks deploys on failures", tier: "starter", category: "ci", aliases: ["ci", "block"], scope: "gate:ci", runner: () => require("./runners/runGate").runGate },
-  "ai-test": { description: "AI Agent testing - autonomous test generation", tier: "pro", category: "automation", aliases: ["ai", "agent"], scope: "ai:agent", runner: () => require("./runners/runAIAgent").runAIAgent },
+  // PROOF LOOP
+  scan: { description: "Static analysis - routes, secrets, contracts", tier: "free", category: "proof", aliases: ["s", "check"], runner: () => require("./runners/runScan").runScan },
+  ship: { description: "Verdict engine - SHIP / WARN / BLOCK", tier: "free", category: "proof", aliases: ["verdict"], caps: "static-only on FREE", runner: () => require("./runners/runShip").runShip },
+  reality: { description: "Runtime proof - Playwright clicks every button", tier: "free", category: "proof", aliases: ["r", "test", "e2e"], caps: "preview mode on FREE (5 pages, no auth)", runner: () => { try { return require("./runners/runReality").runReality; } catch (e) { return async () => { console.error("Reality runner unavailable:", e.message); return 1; }; } } },
+  prove: { description: "Full proof loop - ctx → reality → ship → fix", tier: "pro", category: "proof", aliases: ["p", "full", "all"], runner: () => require("./runners/runProve").runProve },
+  fix: { description: "AI-powered auto-fix", tier: "free", category: "proof", caps: "--plan-only on FREE/STARTER", aliases: ["f", "repair"], runner: () => require("./runners/runFix").runFix },
+  report: { description: "Generate HTML/MD/SARIF reports", tier: "free", category: "proof", caps: "HTML/MD only on FREE", aliases: ["html", "artifact"], runner: () => require("./runners/runReport").runReport },
+  
+  // SETUP & DX
+  install: { description: "Zero-friction onboarding", tier: "free", category: "setup", aliases: ["i", "bootstrap"], runner: () => require("./runners/runInstall").runInstall },
+  init: { description: "Project setup wizard", tier: "free", category: "setup", aliases: ["setup", "configure"], runner: () => require("./runners/runInit").runInit },
+  doctor: { description: "Environment diagnostics", tier: "free", category: "setup", aliases: ["health", "diag"], runner: () => require("./runners/runDoctor").runDoctor },
+  status: { description: "Project health dashboard", tier: "free", category: "setup", aliases: ["st"], runner: () => require("./runners/runStatus").runStatus },
+  watch: { description: "Continuous mode - re-runs on changes", tier: "free", category: "setup", aliases: ["w", "dev"], runner: () => require("./runners/runWatch").runWatch },
+  launch: { description: "Pre-launch checklist wizard", tier: "starter", category: "setup", aliases: ["checklist", "preflight"], runner: () => require("./runners/runLaunch").runLaunch },
+  
+  // AI TRUTH
+  ctx: { description: "Generate truthpack for AI agents", tier: "free", category: "truth", aliases: ["truthpack", "tp"], subcommands: ["build", "diff", "guard", "sync", "search"], runner: () => require("./runners/runCtx").runCtx },
+  guard: { description: "Validate AI claims against truth", tier: "free", category: "truth", aliases: ["validate", "trust"], runner: () => require("./runners/runGuard").runGuard },
+  context: { description: "Generate .cursorrules, .windsurf/rules", tier: "free", category: "truth", aliases: ["rules", "ai-rules"], runner: () => require("./runners/runContext").runContext },
+  mdc: { description: "Generate MDC specifications", tier: "free", category: "truth", aliases: [], runner: () => require("./runners/runMdc").runMdc },
+  
+  // CI & COLLABORATION (STARTER+)
+  gate: { description: "CI/CD gate - blocks deploys on failures", tier: "starter", category: "ci", aliases: ["ci", "block"], runner: () => require("./runners/runGate").runGate },
+  pr: { description: "Generate PR comment with findings", tier: "starter", category: "ci", aliases: ["pull-request"], runner: () => require("./runners/runPR").runPR },
+  badge: { description: "Generate ship badge for README", tier: "starter", category: "ci", aliases: ["b"], runner: () => require("./runners/runBadge").runBadge },
+  
+  // AUTOMATION (STARTER+/PRO)
+  mcp: { description: "Start MCP server for AI IDEs", tier: "starter", category: "automation", aliases: [], runner: () => require("./runners/runMcp").runMcp },
+  share: { description: "Generate share pack for PR/docs", tier: "pro", category: "automation", aliases: [], runner: () => require("./runners/runShare").runShare },
+  "ai-test": { description: "AI autonomous test generation", tier: "pro", category: "automation", aliases: ["ai", "agent"], runner: () => require("./runners/runAIAgent").runAIAgent },
+  
+  // ACCOUNT (always free)
   login: { description: "Authenticate with API key", tier: "free", category: "account", aliases: ["auth", "signin"], runner: () => require("./runners/runAuth").runLogin, skipAuth: true },
   logout: { description: "Remove stored credentials", tier: "free", category: "account", aliases: ["signout"], runner: () => require("./runners/runAuth").runLogout, skipAuth: true },
   whoami: { description: "Show current user and plan", tier: "free", category: "account", aliases: ["me", "user"], runner: () => require("./runners/runAuth").runWhoami, skipAuth: true },
-  mdc: { description: "Generate MDC specifications", tier: "free", category: "truth", aliases: [], runner: () => require("./runners/runMdc").runMdc },
-  status: { description: "Project status dashboard", tier: "free", category: "setup", aliases: ["st"], runner: () => require("./runners/runStatus").runStatus },
-  share: { description: "Generate share pack for PR/docs", tier: "free", category: "extras", aliases: [], runner: () => require("./runners/runShare").runShare },
+  
+  // EXTRAS
+  labs: { description: "Experimental features", tier: "free", category: "extras", aliases: ["experimental", "beta"], runner: () => require("./runners/runLabs").runLabs },
 };
 
 const ALIAS_MAP = {};
@@ -271,27 +290,62 @@ function getRunner(cmd) {
 }
 
 // ═══════════════════════════════════════════════════════════════════════════════
-// AUTH & ACCESS CONTROL
+// AUTH & ACCESS CONTROL (uses entitlements-v2 - NO BYPASS ALLOWED)
 // ═══════════════════════════════════════════════════════════════════════════════
 let authModule = null;
 function getAuthModule() { if (!authModule) authModule = require("./runners/lib/auth"); return authModule; }
 
-async function checkCommandAccess(cmd, args, entitlements) {
+/**
+ * Check command access using entitlements-v2 module.
+ * NO OWNER MODE. NO ENV VAR BYPASS. NO OFFLINE ESCALATION.
+ */
+async function checkCommandAccess(cmd, args, authInfo) {
   const def = COMMANDS[cmd];
   if (!def) return { allowed: true };
-  if (def.tier === "free") return { allowed: true, tier: "free" };
-  if (!entitlements) return { allowed: false, tier: def.tier, reason: formatAccessDenied(cmd, def.tier, null) };
-  const hasAccess = entitlements.scopes?.includes(def.scope) || entitlements.scopes?.includes("*");
-  if (!hasAccess) return { allowed: false, tier: def.tier, reason: formatAccessDenied(cmd, def.tier, entitlements.plan) };
-  return { allowed: true, tier: def.tier };
+  
+  // Use centralized entitlements enforcement
+  const result = await entitlements.enforce(cmd, {
+    apiKey: authInfo?.key,
+    projectPath: process.cwd(),
+    silent: true, // We'll handle messaging ourselves
+  });
+  
+  if (result.allowed) {
+    return {
+      allowed: true,
+      tier: result.tier,
+      downgrade: result.downgrade,
+      limits: result.limits,
+      caps: result.caps,
+    };
+  }
+  
+  // Not allowed - return with proper exit code
+  return {
+    allowed: false,
+    tier: result.tier,
+    requiredTier: result.requiredTier,
+    exitCode: result.exitCode,
+    reason: formatAccessDenied(cmd, result.requiredTier, result.tier),
+  };
 }
 
-function formatAccessDenied(cmd, requiredTier, currentPlan) {
+function formatAccessDenied(cmd, requiredTier, currentTier) {
   const tierColors = { starter: c.cyan, pro: c.magenta, enterprise: c.yellow };
   const tierColor = tierColors[requiredTier] || c.white;
-  let msg = `${c.yellow}${cmd}${c.reset} requires a ${tierColor}${requiredTier.toUpperCase()}${c.reset} plan.\n\n`;
-  if (!currentPlan) { msg += `  Run ${c.cyan}vibecheck login${c.reset} to authenticate.\n  Get your API key at: ${c.cyan}https://vibecheckai.dev/settings/keys${c.reset}`; }
-  else { msg += `  Your current plan: ${c.yellow}${currentPlan.toUpperCase()}${c.reset}\n  Upgrade at: ${c.cyan}https://vibecheckai.dev/pricing${c.reset}`; }
+  const tierLabel = entitlements.getTierLabel(requiredTier);
+  const currentLabel = entitlements.getTierLabel(currentTier);
+  
+  let msg = `\n${c.red}${c.bold}⛔ Feature Not Available${c.reset}\n\n`;
+  msg += `  ${c.yellow}${cmd}${c.reset} requires ${tierColor}${tierLabel}${c.reset} plan.\n`;
+  msg += `  Your current plan: ${c.dim}${currentLabel}${c.reset}\n\n`;
+  
+  if (currentTier === "free") {
+    msg += `  ${c.cyan}Get started:${c.reset} vibecheck login\n`;
+  }
+  msg += `  ${c.cyan}Upgrade at:${c.reset} https://vibecheckai.dev/pricing\n`;
+  msg += `\n  ${c.dim}Exit code: ${entitlements.EXIT_FEATURE_NOT_ALLOWED}${c.reset}\n`;
+  
   return msg;
 }
 
@@ -309,40 +363,70 @@ ${c.dim}${sym.boxBottomLeft}${sym.boxHorizontal.repeat(60)}${sym.boxBottomRight}
 
 function printHelp() {
   printBanner();
+  
+  // Categories ordered as specified
+  const categoryOrder = ["proof", "setup", "truth", "ci", "automation", "account", "extras"];
   const categories = {
-    proof: { name: "THE PROOF LOOP", color: c.green, icon: sym.shield },
-    setup: { name: "SETUP & DIAGNOSTICS", color: c.yellow, icon: sym.gear },
-    truth: { name: "TRUTH SYSTEM", color: c.magenta, icon: sym.lightning },
-    extras: { name: "EXTRAS", color: c.dim, icon: sym.star },
-    ci: { name: "CI/CD", color: c.cyan, icon: sym.rocket },
+    proof: { name: "PROOF LOOP", color: c.green, icon: sym.shield },
+    setup: { name: "SETUP & DX", color: c.yellow, icon: sym.gear },
+    truth: { name: "AI TRUTH", color: c.magenta, icon: sym.lightning },
+    ci: { name: "CI & COLLABORATION", color: c.cyan, icon: sym.rocket },
     automation: { name: "AUTOMATION", color: c.blue, icon: sym.fire },
     account: { name: "ACCOUNT", color: c.dim, icon: sym.key },
+    extras: { name: "EXTRAS", color: c.dim, icon: sym.star },
   };
+  
+  // Group commands
   const grouped = {};
   for (const [cmd, def] of Object.entries(COMMANDS)) {
     const cat = def.category || "extras";
     if (!grouped[cat]) grouped[cat] = [];
     grouped[cat].push({ cmd, ...def });
   }
-  for (const [catKey, commands] of Object.entries(grouped)) {
-    const cat = categories[catKey] || { name: catKey.toUpperCase(), color: c.white, icon: sym.bullet };
+  
+  // Print in order
+  for (const catKey of categoryOrder) {
+    const commands = grouped[catKey];
+    if (!commands || commands.length === 0) continue;
+    
+    const cat = categories[catKey];
     console.log(`\n${cat.color}${cat.icon} ${cat.name}${c.reset}\n`);
-    for (const { cmd, description, tier, aliases } of commands) {
-      const tierBadge = tier === "starter" ? `${c.cyan}[STARTER]${c.reset} ` : tier === "pro" ? `${c.magenta}[PRO]${c.reset} ` : "";
-      const aliasStr = aliases?.length ? `${c.dim}(${aliases.join(", ")})${c.reset}` : "";
-      console.log(`  ${c.cyan}${cmd.padEnd(12)}${c.reset} ${tierBadge}${description} ${aliasStr}`);
+    
+    for (const { cmd, description, tier, aliases, caps } of commands) {
+      // Tier badge with color
+      let tierBadge = "";
+      if (tier === "free") {
+        tierBadge = `${c.green}[FREE]${c.reset} `;
+      } else if (tier === "starter") {
+        tierBadge = `${c.cyan}[STARTER]${c.reset} `;
+      } else if (tier === "pro") {
+        tierBadge = `${c.magenta}[PRO]${c.reset} `;
+      }
+      
+      // Caps info (e.g., "preview mode on FREE")
+      const capsStr = caps ? `${c.dim}(${caps})${c.reset}` : "";
+      
+      console.log(`  ${c.cyan}${cmd.padEnd(12)}${c.reset} ${tierBadge}${description} ${capsStr}`);
     }
   }
+  
   console.log(`
 ${c.dim}${sym.boxHorizontal.repeat(64)}${c.reset}
 
+${c.green}TIERS${c.reset}
+
+  ${c.green}FREE${c.reset}      $0       scan, ship, ctx, doctor, report (HTML/MD)
+  ${c.cyan}STARTER${c.reset}   $29/mo   + gate, launch, pr, badge, mcp, reality full
+  ${c.magenta}PRO${c.reset}       $99/mo   + prove, fix apply, share, ai-test, compliance
+
 ${c.green}QUICK START${c.reset}
 
   ${c.bold}"Check my repo"${c.reset}     ${c.cyan}vibecheck scan${c.reset}
-  ${c.bold}"Can I ship?"${c.reset}       ${c.cyan}vibecheck prove --url http://localhost:3000${c.reset}
-  ${c.bold}"Why did it fail?"${c.reset}  ${c.cyan}vibecheck report${c.reset}    ${c.dim}(then: vibecheck fix)${c.reset}
+  ${c.bold}"Can I ship?"${c.reset}       ${c.cyan}vibecheck ship${c.reset}
+  ${c.bold}"Full proof loop"${c.reset}   ${c.cyan}vibecheck prove --url http://localhost:3000${c.reset} ${c.magenta}[PRO]${c.reset}
 
 ${c.dim}Run 'vibecheck <command> --help' for command-specific help.${c.reset}
+${c.dim}Pricing: https://vibecheckai.dev/pricing${c.reset}
 `);
 }
 
@@ -419,20 +503,35 @@ async function main() {
   }
   
   const cmdDef = COMMANDS[cmd];
-  let authInfo = { key: null, entitlements: null };
+  let authInfo = { key: null };
   
   if (!cmdDef.skipAuth) {
     const auth = getAuthModule();
     const { key } = auth.getApiKey();
+    authInfo.key = key;
     
-    if (key && cmdDef.tier !== "free") {
-      try { authInfo.key = key; authInfo.entitlements = await auth.getEntitlements(key); } catch (e) { if (config.verbose) console.log(`${c.yellow}${sym.warning}${c.reset} ${c.dim}Could not verify credentials${c.reset}`); }
-    } else { authInfo.key = key; }
+    // Use entitlements-v2 for access control (NO BYPASS)
+    const access = await checkCommandAccess(cmd, cmdArgs, authInfo);
+    
+    if (!access.allowed) {
+      console.log(access.reason);
+      // Use proper exit code: 3 = feature not allowed
+      process.exit(access.exitCode || entitlements.EXIT_FEATURE_NOT_ALLOWED);
+    }
+    
+    // Show downgrade notice if applicable
+    if (access.downgrade && !config.quiet) {
+      console.log(`${c.yellow}${sym.warning}${c.reset} Running in ${c.yellow}${access.downgrade}${c.reset} mode (upgrade for full access)`);
+    }
+    
+    // Show tier badge
+    if (!config.quiet) {
+      if (access.tier === "starter") console.log(`${c.cyan}${sym.arrowRight} STARTER${c.reset} ${c.dim}feature${c.reset}`);
+      else if (access.tier === "pro") console.log(`${c.magenta}${sym.arrowRight} PRO${c.reset} ${c.dim}feature${c.reset}`);
+    }
     
-    const access = await checkCommandAccess(cmd, cmdArgs, authInfo.entitlements);
-    if (!access.allowed) { console.log(`\n${c.red}${sym.error} Access Denied${c.reset}\n`); console.log(access.reason); console.log(""); process.exit(1); }
-    if (access.tier === "starter" && !config.quiet) console.log(`${c.cyan}${sym.arrowRight} STARTER${c.reset} ${c.dim}feature${c.reset}`);
-    else if (access.tier === "pro" && !config.quiet) console.log(`${c.magenta}${sym.arrowRight} PRO${c.reset} ${c.dim}feature${c.reset}`);
+    // Attach access info for runners to use
+    authInfo.access = access;
   }
   
   state.runCount++; state.lastRun = Date.now();
@@ -447,20 +546,20 @@ async function main() {
     const context = { repoRoot: process.cwd(), config, state, authInfo, version: VERSION, isCI: isCI() };
     
     switch (cmd) {
-      case "prove": exitCode = await runner({ ...context, url: getArgValue(cmdArgs, ["--url", "-u"]), auth: getArgValue(cmdArgs, ["--auth"]), storageState: getArgValue(cmdArgs, ["--storage-state"]), fastifyEntry: getArgValue(cmdArgs, ["--fastify-entry"]), maxFixRounds: parseInt(getArgValue(cmdArgs, ["--max-fix-rounds"]) || "3", 10), skipReality: cmdArgs.includes("--skip-reality"), skipFix: cmdArgs.includes("--skip-fix"), headed: cmdArgs.includes("--headed"), danger: cmdArgs.includes("--danger") }); break;
-      case "reality": exitCode = await runner({ ...context, url: getArgValue(cmdArgs, ["--url", "-u"]), auth: getArgValue(cmdArgs, ["--auth"]), storageState: getArgValue(cmdArgs, ["--storage-state"]), saveStorageState: getArgValue(cmdArgs, ["--save-storage-state"]), truthpack: getArgValue(cmdArgs, ["--truthpack"]), verifyAuth: cmdArgs.includes("--verify-auth"), headed: cmdArgs.includes("--headed"), danger: cmdArgs.includes("--danger") }); break;
-      case "watch": exitCode = await runner({ ...context, fastifyEntry: getArgValue(cmdArgs, ["--fastify-entry"]), debounceMs: parseInt(getArgValue(cmdArgs, ["--debounce"]) || "500", 10), clearScreen: !cmdArgs.includes("--no-clear") }); break;
+      case "prove": exitCode = await runner(cmdArgs); break;
+      case "reality": exitCode = await runner(cmdArgs); break;
+      case "watch": exitCode = await runner(cmdArgs); break;
       case "ctx": case "truthpack":
         if (cmdArgs[0] === "sync") { const { runCtxSync } = require("./runners/runCtxSync"); exitCode = await runCtxSync({ ...context, fastifyEntry: getArgValue(cmdArgs, ["--fastify-entry"]) }); }
         else if (cmdArgs[0] === "guard") { const { runCtxGuard } = require("./runners/runCtxGuard"); exitCode = await runCtxGuard.main(cmdArgs.slice(1)); }
         else if (cmdArgs[0] === "diff") { const { main: ctxDiffMain } = require("./runners/runCtxDiff"); exitCode = await ctxDiffMain(cmdArgs.slice(1)); }
         else if (cmdArgs[0] === "search") { const { runContext } = require("./runners/runContext"); exitCode = await runContext(["--search", ...cmdArgs.slice(1)]); }
-        else { exitCode = await runner({ ...context, fastifyEntry: getArgValue(cmdArgs, ["--fastify-entry"]), print: cmdArgs.includes("--print") }); }
+        else { exitCode = await runner(cmdArgs); }
         break;
-      case "install": exitCode = await runner(context); break;
+      case "install": exitCode = await runner(cmdArgs); break;
       case "status": exitCode = await runner({ ...context, json: cmdArgs.includes("--json") }); break;
-      case "pr": exitCode = await runner({ ...context, fastifyEntry: getArgValue(cmdArgs, ["--fastify-entry"]), out: getArgValue(cmdArgs, ["--out"]), failOnWarn: cmdArgs.includes("--fail-on-warn"), maxFindings: parseInt(getArgValue(cmdArgs, ["--max-findings"]) || "12", 10) }); break;
-      case "share": exitCode = await runner({ ...context, missionDir: getArgValue(cmdArgs, ["--mission-dir"]), outputDir: getArgValue(cmdArgs, ["--output-dir"]), prComment: cmdArgs.includes("--pr-comment") }); break;
+      case "pr": exitCode = await runner(cmdArgs); break;
+      case "share": exitCode = await runner(cmdArgs); break;
       default: exitCode = await runner(cmdArgs);
     }
   } catch (error) { console.error(formatError(error, config)); exitCode = 1; }