@vibecheckai/cli 3.1.2 → 3.1.4

package/bin/runners/runSecurity.js

@@ -0,0 +1,92 @@
+/**
+ * vibecheck security - AuthZ + IDOR + Sensitive Security Proofs
+ * 
+ * Subcommands:
+ *   security model = learn (extract auth model)
+ *   security matrix = build AuthZ matrix
+ *   security idor = detect IDOR candidates
+ *   security prove --url ... = runtime verification
+ * 
+ * Replaces: permissions
+ */
+
+"use strict";
+
+const c = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  dim: '\x1b[2m',
+  cyan: '\x1b[36m',
+  yellow: '\x1b[33m',
+  red: '\x1b[31m',
+};
+
+function printHelp() {
+  console.log(`
+${c.cyan}${c.bold}🔒 vibecheck security${c.reset} - Authorization & Security Verification
+
+AuthZ matrix & IDOR detection for sensitive security proofs.
+
+${c.bold}SUBCOMMANDS${c.reset}
+  ${c.cyan}model${c.reset}                ${c.dim}Extract auth model from codebase (replaces 'permissions --learn')${c.reset}
+  ${c.cyan}matrix${c.reset}               ${c.dim}Build AuthZ matrix (replaces 'permissions --matrix')${c.reset}
+  ${c.cyan}idor${c.reset}                 ${c.dim}Detect IDOR candidates (replaces 'permissions --idor')${c.reset}
+  ${c.cyan}prove${c.reset} --url <url>    ${c.dim}Runtime verification (replaces 'permissions --prove')${c.reset}
+
+${c.bold}EXAMPLES${c.reset}
+  vibecheck security model
+  vibecheck security matrix
+  vibecheck security idor
+  vibecheck security prove --url http://localhost:3000
+
+${c.dim}Note: Old command still works as alias:
+  vibecheck permissions → vibecheck security model${c.reset}
+`);
+}
+
+async function runSecurity(args) {
+  if (!args || args.length === 0 || args[0] === "--help" || args[0] === "-h") {
+    printHelp();
+    return 0;
+  }
+
+  const subcommand = args[0];
+  const subArgs = args.slice(1);
+
+  // Map subcommands to permissions flags
+  let permissionsArgs = [];
+  
+  switch (subcommand) {
+    case "model":
+      permissionsArgs = ["--learn", ...subArgs];
+      break;
+    
+    case "matrix":
+      permissionsArgs = ["--matrix", ...subArgs];
+      break;
+    
+    case "idor":
+      permissionsArgs = ["--idor", ...subArgs];
+      break;
+    
+    case "prove":
+      permissionsArgs = ["--prove", ...subArgs];
+      break;
+    
+    default:
+      console.error(`${c.red}Unknown subcommand:${c.reset} ${subcommand}`);
+      console.log(`\n${c.dim}Run 'vibecheck security --help' for available subcommands.${c.reset}\n`);
+      return 1;
+  }
+
+  // Delegate to runPermissions
+  try {
+    const { runPermissions } = require("./runPermissions");
+    return await runPermissions(permissionsArgs);
+  } catch (e) {
+    console.error(`${c.red}Error:${c.reset} Security command unavailable: ${e.message}`);
+    return 1;
+  }
+}
+
+module.exports = { runSecurity };

package/bin/runners/runShip.js

@@ -39,120 +39,45 @@ const upsell = require("./lib/upsell");
 const entitlements = require("./lib/entitlements-v2");
 
 // ═══════════════════════════════════════════════════════════════════════════════
-// ADVANCED TERMINAL - ANSI CODES & UTILITIES
+// ENHANCED TERMINAL UI & OUTPUT MODULES
 // ═══════════════════════════════════════════════════════════════════════════════
 
-const c = {
-  reset: '\x1b[0m',
-  bold: '\x1b[1m',
-  dim: '\x1b[2m',
-  italic: '\x1b[3m',
-  underline: '\x1b[4m',
-  blink: '\x1b[5m',
-  inverse: '\x1b[7m',
-  hidden: '\x1b[8m',
-  strike: '\x1b[9m',
-  // Colors
-  black: '\x1b[30m',
-  red: '\x1b[31m',
-  green: '\x1b[32m',
-  yellow: '\x1b[33m',
-  blue: '\x1b[34m',
-  magenta: '\x1b[35m',
-  cyan: '\x1b[36m',
-  white: '\x1b[37m',
-  // Bright colors
-  gray: '\x1b[90m',
-  brightRed: '\x1b[91m',
-  brightGreen: '\x1b[92m',
-  brightYellow: '\x1b[93m',
-  brightBlue: '\x1b[94m',
-  brightMagenta: '\x1b[95m',
-  brightCyan: '\x1b[96m',
-  brightWhite: '\x1b[97m',
-  // Background
-  bgBlack: '\x1b[40m',
-  bgRed: '\x1b[41m',
-  bgGreen: '\x1b[42m',
-  bgYellow: '\x1b[43m',
-  bgBlue: '\x1b[44m',
-  bgMagenta: '\x1b[45m',
-  bgCyan: '\x1b[46m',
-  bgWhite: '\x1b[47m',
-  bgBrightBlack: '\x1b[100m',
-  bgBrightRed: '\x1b[101m',
-  bgBrightGreen: '\x1b[102m',
-  bgBrightYellow: '\x1b[103m',
-  // Cursor control
-  cursorUp: (n = 1) => `\x1b[${n}A`,
-  cursorDown: (n = 1) => `\x1b[${n}B`,
-  cursorRight: (n = 1) => `\x1b[${n}C`,
-  cursorLeft: (n = 1) => `\x1b[${n}D`,
-  clearLine: '\x1b[2K',
-  clearScreen: '\x1b[2J',
-  saveCursor: '\x1b[s',
-  restoreCursor: '\x1b[u',
-  hideCursor: '\x1b[?25l',
-  showCursor: '\x1b[?25h',
-};
+const {
+  ansi,
+  colors,
+  icons,
+  Spinner,
+  renderBanner,
+  renderSection,
+  formatDuration,
+} = require("./lib/terminal-ui");
 
-// 256-color / True color support
-const rgb = (r, g, b) => `\x1b[38;2;${r};${g};${b}m`;
-const bgRgb = (r, g, b) => `\x1b[48;2;${r};${g};${b}m`;
-
-// Premium color palette
-const colors = {
-  // Gradients for banner
-  gradient1: rgb(0, 255, 200),    // Cyan-green
-  gradient2: rgb(0, 200, 255),    // Cyan
-  gradient3: rgb(50, 150, 255),   // Blue
-  gradient4: rgb(100, 100, 255),  // Purple-blue
-  gradient5: rgb(150, 50, 255),   // Purple
-  gradient6: rgb(200, 0, 255),    // Magenta
-  
-  // Verdict colors
-  shipGreen: rgb(0, 255, 150),
-  warnAmber: rgb(255, 200, 0),
-  blockRed: rgb(255, 80, 80),
-  
-  // UI colors
-  accent: rgb(100, 200, 255),
-  muted: rgb(120, 120, 140),
-  subtle: rgb(80, 80, 100),
-  highlight: rgb(255, 255, 255),
-  
-  // Severity colors
-  critical: rgb(255, 60, 60),
-  high: rgb(255, 120, 60),
-  medium: rgb(255, 200, 60),
-  low: rgb(100, 200, 255),
-  info: rgb(150, 150, 180),
-};
+const {
+  formatShipOutput,
+  renderVerdictCard,
+  renderFixModeHeader,
+  renderFixResults,
+  renderBadgeOutput,
+  getExitCode,
+  EXIT_CODES,
+  shipIcons,
+} = require("./lib/ship-output");
 
 // ═══════════════════════════════════════════════════════════════════════════════
 // PREMIUM BANNER
 // ═══════════════════════════════════════════════════════════════════════════════
 
-const SHIP_BANNER = `
-${rgb(0, 255, 200)}  ███████╗██╗  ██╗██╗██████╗ ${c.reset}
-${rgb(0, 230, 220)}  ██╔════╝██║  ██║██║██╔══██╗${c.reset}
-${rgb(0, 200, 255)}  ███████╗███████║██║██████╔╝${c.reset}
-${rgb(50, 150, 255)}  ╚════██║██╔══██║██║██╔═══╝ ${c.reset}
-${rgb(100, 100, 255)}  ███████║██║  ██║██║██║     ${c.reset}
-${rgb(150, 50, 255)}  ╚══════╝╚═╝  ╚═╝╚═╝╚═╝     ${c.reset}
-`;
-
-const BANNER_FULL = `
-${rgb(0, 255, 200)}  ██╗   ██╗██╗██████╗ ███████╗ ██████╗██╗  ██╗███████╗ ██████╗██╗  ██╗${c.reset}
-${rgb(0, 230, 220)}  ██║   ██║██║██╔══██╗██╔════╝██╔════╝██║  ██║██╔════╝██╔════╝██║ ██╔╝${c.reset}
-${rgb(0, 200, 255)}  ██║   ██║██║██████╔╝█████╗  ██║     ███████║█████╗  ██║     █████╔╝ ${c.reset}
-${rgb(50, 150, 255)}  ╚██╗ ██╔╝██║██╔══██╗██╔══╝  ██║     ██╔══██║██╔══╝  ██║     ██╔═██╗ ${c.reset}
-${rgb(100, 100, 255)}   ╚████╔╝ ██║██████╔╝███████╗╚██████╗██║  ██║███████╗╚██████╗██║  ██╗${c.reset}
-${rgb(150, 50, 255)}    ╚═══╝  ╚═╝╚═════╝ ╚══════╝ ╚═════╝╚═╝  ╚═╝╚══════╝ ╚═════╝╚═╝  ╚═╝${c.reset}
-
-${c.dim}  ┌─────────────────────────────────────────────────────────────────────┐${c.reset}
-${c.dim}  │${c.reset}  ${rgb(0, 255, 200)}🚀${c.reset} ${c.bold}SHIP${c.reset} ${c.dim}•${c.reset} ${rgb(200, 200, 200)}The One Command${c.reset} ${c.dim}•${c.reset} ${rgb(150, 150, 150)}Zero Config${c.reset} ${c.dim}•${c.reset} ${rgb(100, 100, 100)}Plain English${c.reset}      ${c.dim}│${c.reset}
-${c.dim}  └─────────────────────────────────────────────────────────────────────┘${c.reset}
+const BANNER = `
+${ansi.rgb(0, 255, 200)}  ██╗   ██╗██╗██████╗ ███████╗ ██████╗██╗  ██╗███████╗ ██████╗██╗  ██╗${ansi.reset}
+${ansi.rgb(0, 230, 220)}  ██║   ██║██║██╔══██╗██╔════╝██╔════╝██║  ██║██╔════╝██╔════╝██║ ██╔╝${ansi.reset}
+${ansi.rgb(0, 200, 255)}  ██║   ██║██║██████╔╝█████╗  ██║     ███████║█████╗  ██║     █████╔╝ ${ansi.reset}
+${ansi.rgb(50, 150, 255)}  ╚██╗ ██╔╝██║██╔══██╗██╔══╝  ██║     ██╔══██║██╔══╝  ██║     ██╔═██╗ ${ansi.reset}
+${ansi.rgb(100, 100, 255)}   ╚████╔╝ ██║██████╔╝███████╗╚██████╗██║  ██║███████╗╚██████╗██║  ██╗${ansi.reset}
+${ansi.rgb(150, 50, 255)}    ╚═══╝  ╚═╝╚═════╝ ╚══════╝ ╚═════╝╚═╝  ╚═╝╚══════╝ ╚═════╝╚═╝  ╚═╝${ansi.reset}
+
+${ansi.dim}  ┌─────────────────────────────────────────────────────────────────────┐${ansi.reset}
+${ansi.dim}  │${ansi.reset}  ${ansi.rgb(0, 255, 200)}🚀${ansi.reset} ${ansi.bold}SHIP${ansi.reset} ${ansi.dim}•${ansi.reset} ${ansi.rgb(200, 200, 200)}The One Command${ansi.reset} ${ansi.dim}•${ansi.reset} ${ansi.rgb(150, 150, 150)}Zero Config${ansi.reset} ${ansi.dim}•${ansi.reset} ${ansi.rgb(100, 100, 100)}Plain English${ansi.reset}      ${ansi.dim}│${ansi.reset}
+${ansi.dim}  └─────────────────────────────────────────────────────────────────────┘${ansi.reset}
 `;
 
 // ═══════════════════════════════════════════════════════════════════════════════
@@ -211,11 +136,7 @@ let spinnerIndex = 0;
 let spinnerInterval = null;
 let spinnerStartTime = null;
 
-function formatDuration(ms) {
-  if (ms < 1000) return `${ms}ms`;
-  if (ms < 60000) return `${(ms / 1000).toFixed(1)}s`;
-  return `${Math.floor(ms / 60000)}m ${Math.floor((ms % 60000) / 1000)}s`;
-}
+// formatDuration is imported from terminal-ui.js
 
 function formatNumber(num) {
   return num.toString().replace(/\B(?=(\d{3})+(?!\d))/g, ',');
@@ -280,8 +201,18 @@ function stopSpinner(message, success = true) {
   spinnerStartTime = null;
 }
 
+// Compact banner for fix mode
+const SHIP_BANNER = `
+${ansi.rgb(0, 255, 200)}  ███████╗██╗  ██╗██╗██████╗ ${ansi.reset}
+${ansi.rgb(0, 230, 220)}  ██╔════╝██║  ██║██║██╔══██╗${ansi.reset}
+${ansi.rgb(0, 200, 255)}  ███████╗███████║██║██████╔╝${ansi.reset}
+${ansi.rgb(50, 150, 255)}  ╚════██║██╔══██║██║██╔═══╝ ${ansi.reset}
+${ansi.rgb(100, 100, 255)}  ███████║██║  ██║██║██║     ${ansi.reset}
+${ansi.rgb(150, 50, 255)}  ╚══════╝╚═╝  ╚═╝╚═╝╚═╝     ${ansi.reset}
+`;
+
 function printBanner(compact = false) {
-  console.log(compact ? SHIP_BANNER : BANNER_FULL);
+  console.log(compact ? SHIP_BANNER : BANNER);
 }
 
 function printDivider(char = '─', width = 69, color = c.dim) {
@@ -677,41 +608,41 @@ function printFixResults(fixResults) {
 // ═══════════════════════════════════════════════════════════════════════════════
 
 function printHelp() {
-  console.log(BANNER_FULL);
+  console.log(BANNER);
   console.log(`
-  ${c.bold}Usage:${c.reset} vibecheck ship [options]
-
-  ${c.bold}The One Command${c.reset} — Get a ship verdict: ${colors.shipGreen}SHIP${c.reset} | ${colors.warnAmber}WARN${c.reset} | ${colors.blockRed}BLOCK${c.reset}
-
-  ${c.bold}Options:${c.reset}
-    ${colors.accent}--fix, -f${c.reset}       Try safe mechanical fixes ${c.dim}(shows plan first)${c.reset}
-    ${colors.accent}--assist${c.reset}        Generate AI mission prompts for complex issues
-    ${colors.accent}--badge, -b${c.reset}     Generate embeddable badge for README
-    ${colors.accent}--strict${c.reset}        Treat warnings as blockers
-    ${colors.accent}--ci${c.reset}            Machine output for CI/CD pipelines
-    ${colors.accent}--json${c.reset}          Output results as JSON
-    ${colors.accent}--path, -p${c.reset}      Project path ${c.dim}(default: current directory)${c.reset}
-    ${colors.accent}--verbose, -v${c.reset}   Show detailed progress
-    ${colors.accent}--help, -h${c.reset}      Show this help
-
-  ${c.bold}Exit Codes:${c.reset}
-    ${colors.shipGreen}0${c.reset}  SHIP  — Ready to ship
-    ${colors.warnAmber}1${c.reset}  WARN  — Warnings found, review recommended
-    ${colors.blockRed}2${c.reset}  BLOCK — Blockers found, must fix before shipping
-
-  ${c.bold}Examples:${c.reset}
-    ${c.dim}# Quick ship check${c.reset}
+  ${ansi.bold}Usage:${ansi.reset} vibecheck ship [options]
+
+  ${ansi.bold}The One Command${ansi.reset} — Get a ship verdict: ${colors.success}SHIP${ansi.reset} | ${colors.warning}WARN${ansi.reset} | ${colors.error}BLOCK${ansi.reset}
+
+  ${ansi.bold}Options:${ansi.reset}
+    ${colors.accent}--fix, -f${ansi.reset}       Try safe mechanical fixes ${ansi.dim}(shows plan first)${ansi.reset}
+    ${colors.accent}--assist${ansi.reset}        Generate AI mission prompts for complex issues
+    ${colors.accent}--badge, -b${ansi.reset}     Generate embeddable badge for README
+    ${colors.accent}--strict${ansi.reset}        Treat warnings as blockers
+    ${colors.accent}--ci${ansi.reset}            Machine output for CI/CD pipelines
+    ${colors.accent}--json${ansi.reset}          Output results as JSON
+    ${colors.accent}--path, -p${ansi.reset}      Project path ${ansi.dim}(default: current directory)${ansi.reset}
+    ${colors.accent}--verbose, -v${ansi.reset}   Show detailed progress
+    ${colors.accent}--help, -h${ansi.reset}      Show this help
+
+  ${ansi.bold}Exit Codes:${ansi.reset}
+    ${colors.success}0${ansi.reset}  SHIP  — Ready to ship
+    ${colors.warning}1${ansi.reset}  WARN  — Warnings found, review recommended
+    ${colors.error}2${ansi.reset}  BLOCK — Blockers found, must fix before shipping
+
+  ${ansi.bold}Examples:${ansi.reset}
+    ${ansi.dim}# Quick ship check${ansi.reset}
     vibecheck ship
 
-    ${c.dim}# Auto-fix what can be fixed${c.reset}
+    ${ansi.dim}# Auto-fix what can be fixed${ansi.reset}
     vibecheck ship --fix
 
-    ${c.dim}# Generate README badge${c.reset}
+    ${ansi.dim}# Generate README badge${ansi.reset}
     vibecheck ship --badge
 
-    ${c.dim}# Strict CI mode (warnings = failure)${c.reset}
+    ${ansi.dim}# Strict CI mode (warnings = failure)${ansi.reset}
     vibecheck ship --strict --ci
-  `);
+`);
 }
 
 // ═══════════════════════════════════════════════════════════════════════════════
@@ -832,6 +763,8 @@ function parseArgs(args) {
     assist: false,
     strict: false,
     ci: false,
+    mode: null, // "scan" for scan mode
+    withRuntime: false, // merge runtime results
     help: false,
   };
   
@@ -844,6 +777,11 @@ function parseArgs(args) {
     else if (a === "--assist") opts.assist = true;
     else if (a === "--strict") opts.strict = true;
     else if (a === "--ci") opts.ci = true;
+    else if (a === "--mode") opts.mode = args[++i];
+    else if (a === "--with") {
+      const next = args[++i];
+      if (next === "runtime") opts.withRuntime = true;
+    }
     else if (a === "--help" || a === "-h") opts.help = true;
     else if (a.startsWith("--path=")) opts.path = a.split("=")[1];
     else if (a === "--path" || a === "-p") opts.path = args[++i];
@@ -879,8 +817,8 @@ async function runShip(args, context = {}) {
     }
   } catch (err) {
     if (err.code === 'LIMIT_EXCEEDED' || err.code === 'FEATURE_NOT_AVAILABLE') {
-      console.error(`\n  ${colors.blockRed}${ICONS.cross}${c.reset} ${err.upgradePrompt || err.message}\n`);
-      return 1;
+      console.error(`\n  ${colors.error}${icons.error}${ansi.reset} ${err.upgradePrompt || err.message}\n`);
+      return EXIT_CODES.WARN;
     }
     throw err;
   }
@@ -891,11 +829,11 @@ async function runShip(args, context = {}) {
   const outputDir = path.join(projectPath, ".vibecheck");
   const projectName = path.basename(projectPath);
 
-  // Print banner (compact for CI)
+  // Print banner (unless quiet/json/ci)
   if (!opts.json && !opts.ci) {
-    printBanner(opts.ci);
-    console.log(`  ${c.dim}Project:${c.reset}  ${c.bold}${projectName}${c.reset}`);
-    console.log(`  ${c.dim}Path:${c.reset}     ${projectPath}`);
+    printBanner();
+    console.log(`  ${ansi.dim}Project:${ansi.reset}  ${ansi.bold}${projectName}${ansi.reset}`);
+    console.log(`  ${ansi.dim}Path:${ansi.reset}     ${projectPath}`);
     console.log();
   }
 
@@ -912,8 +850,14 @@ async function runShip(args, context = {}) {
   };
 
   try {
+    // Initialize spinner
+    let spinner;
+    if (!opts.json && !opts.ci) {
+      spinner = new Spinner({ color: colors.accent });
+    }
+
     // Phase 1: Production Integrity Check
-    if (!opts.json) startSpinner('Checking production integrity...');
+    if (spinner) spinner.start('Checking production integrity...');
     
     try {
       const { auditProductionIntegrity } = require(
@@ -926,13 +870,13 @@ async function runShip(args, context = {}) {
       results.deductions = integrity.deductions;
       results.integrity = integrityResults;
     } catch (err) {
-      if (opts.verbose) console.warn(`  ${c.dim}Integrity check skipped: ${err.message}${c.reset}`);
+      if (opts.verbose) console.warn(`  ${ansi.dim}Integrity check skipped: ${err.message}${ansi.reset}`);
     }
     
-    if (!opts.json) stopSpinner('Production integrity checked', true);
+    if (spinner) spinner.succeed('Production integrity checked');
 
     // Phase 2: Route Truth Analysis
-    if (!opts.json) startSpinner('Building route truth map...');
+    if (spinner) spinner.start('Building route truth map...');
     
     const fastifyEntry = detectFastifyEntry(projectPath);
     const truthpack = await buildTruthpack({ repoRoot: projectPath, fastifyEntry });
@@ -948,7 +892,8 @@ async function runShip(args, context = {}) {
       ...findStripeWebhookViolations(truthpack),
       ...findPaidSurfaceNotEnforced(truthpack),
       ...findOwnerModeBypass(projectPath),
-      ...findingsFromReality(projectPath)
+      // Merge runtime findings if --with runtime is specified
+      ...(opts.withRuntime ? findingsFromReality(projectPath) : [])
     ];
     
     // Contract drift detection
@@ -960,15 +905,15 @@ async function runShip(args, context = {}) {
     
     results.findings = allFindings;
     
-    if (!opts.json) stopSpinner(`Route truth mapped (${truthpack.routes?.server?.length || 0} routes)`, true);
+    if (spinner) spinner.succeed(`Route truth mapped (${truthpack.routes?.server?.length || 0} routes)`);
 
     // Phase 3: Build Proof Graph
-    if (!opts.json) startSpinner('Building proof graph...');
+    if (spinner) spinner.start('Building proof graph...');
     
     const proofGraph = buildProofGraph(allFindings, truthpack, projectPath);
     results.proofGraph = proofGraph;
     
-    if (!opts.json) stopSpinner(`Proof graph built (${proofGraph.summary.totalClaims} claims)`, true);
+    if (spinner) spinner.succeed(`Proof graph built (${proofGraph.summary.totalClaims} claims)`);
 
     // Calculate final verdict
     const blockers = allFindings.filter(f => f.severity === 'BLOCK' || f.severity === 'critical');
@@ -1008,7 +953,7 @@ async function runShip(args, context = {}) {
         runId,
         command: "ship",
         startTime,
-        exitCode: verdictToExitCode(verdict),
+        exitCode: getExitCode(verdict),
         verdict,
         result: {
           verdict,
@@ -1050,7 +995,7 @@ async function runShip(args, context = {}) {
       });
       const proofPath = saveArtifact(runId, "proof-graph", proofGraph);
       
-      return verdictToExitCode(verdict);
+      return getExitCode(verdict);
     }
 
     // CI output mode (minimal)
@@ -1069,69 +1014,52 @@ async function runShip(args, context = {}) {
         timestamp: new Date().toISOString()
       });
       
-      return verdictToExitCode(verdict);
+      return getExitCode(verdict);
     }
 
     // Fix mode
+    let fixResults = null;
     if (opts.fix) {
-      printFixModeHeader();
-      const fixResults = await runAutoFix(projectPath, results, outputDir, allFindings);
-      printFixResults(fixResults);
+      if (spinner) spinner.start('Applying safe fixes...');
+      fixResults = await runAutoFix(projectPath, results, outputDir, allFindings);
+      if (spinner) spinner.succeed('Safe fixes applied');
     }
 
-    // Main verdict card
-    printVerdictCard(verdict, results.score, blockers.length, warnings.length, duration);
-
-    // Findings breakdown
-    printFindingsBreakdown(allFindings);
-
-    // Blocker details (if any)
-    printBlockerDetails(allFindings);
-
-    // Route truth map (verbose)
-    if (opts.verbose) {
-      printRouteTruthMap(truthpack);
-    }
+    // Human-readable output using ship-output module
+    const result = {
+      verdict,
+      score: results.score,
+      findings: allFindings,
+      blockers,
+      warnings,
+      truthpack,
+      proofGraph,
+      fixResults,
+      duration: Date.now() - executionStart,
+    };
 
-    // Proof graph (verbose)
-    if (opts.verbose) {
-      printProofGraph(proofGraph);
-    }
+    console.log(formatShipOutput(result, {
+      verbose: opts.verbose,
+      showFix: opts.fix,
+      showBadge: opts.badge,
+      outputDir,
+      projectPath,
+    }));
 
-    // Badge generation
+    // Badge file generation
     if (opts.badge) {
-      const badgeInfo = printBadgeOutput(projectPath, verdict, results.score);
+      const { data: badgeData } = renderBadgeOutput(projectPath, verdict, results.score);
       
       // Save badge info
       fs.mkdirSync(outputDir, { recursive: true });
       fs.writeFileSync(
         path.join(outputDir, 'badge.json'),
-        JSON.stringify({ ...badgeInfo, verdict, score: results.score, generatedAt: new Date().toISOString() }, null, 2)
+        JSON.stringify({ ...badgeData, verdict, score: results.score, generatedAt: new Date().toISOString() }, null, 2)
       );
     }
 
-    // Footer with report links
-    printSection('REPORTS', ICONS.doc);
-    console.log();
-    console.log(`  ${colors.accent}${outputDir}/report.html${c.reset}`);
-    console.log(`  ${c.dim}${outputDir}/last_ship.json${c.reset}`);
-    if (opts.fix) {
-      console.log(`  ${colors.accent}${outputDir}/fixes.md${c.reset}`);
-      console.log(`  ${colors.accent}${outputDir}/ai-fix-prompt.md${c.reset}`);
-    }
-    console.log();
-
-    // Quick actions
+    // Earned upsell: Badge withheld when verdict != SHIP
     if (!results.canShip) {
-      printSection('NEXT STEPS', ICONS.lightning);
-      console.log();
-      if (!opts.fix) {
-        console.log(`  ${colors.accent}vibecheck ship --fix${c.reset}     ${c.dim}Auto-fix what can be fixed${c.reset}`);
-      }
-      console.log(`  ${colors.accent}vibecheck ship --assist${c.reset}  ${c.dim}Get AI help for complex issues${c.reset}`);
-      console.log();
-      
-      // Earned upsell: Badge withheld when verdict != SHIP
       const currentTier = context?.authInfo?.access?.tier || "free";
       if (entitlements.tierMeetsMinimum(currentTier, "starter")) {
         // User has badge access but verdict prevents it
@@ -1154,14 +1082,14 @@ async function runShip(args, context = {}) {
       issueCount: allFindings.length,
     });
 
-    // Write artifacts
+    // Write artifacts (no HTML report - use 'vibecheck report' command instead)
     try {
       const { writeArtifacts } = require("./utils");
-      writeArtifacts(outputDir, results);
+      writeArtifacts(outputDir, results, { skipHtmlReport: true });
     } catch {}
 
     // Exit code: 0=SHIP, 1=WARN, 2=BLOCK
-    const exitCode = verdictToExitCode(verdict);
+    const exitCode = getExitCode(verdict);
     
     // Save final results
     saveArtifact(runId, "summary", {
@@ -1175,14 +1103,14 @@ async function runShip(args, context = {}) {
     return exitCode;
 
   } catch (error) {
-    if (!opts.json) stopSpinner(`Ship check failed: ${error.message}`, false);
+    if (spinner) spinner.fail(`Ship check failed: ${error.message}`);
     
-    console.error(`\n  ${colors.blockRed}${ICONS.cross}${c.reset} ${c.bold}Error:${c.reset} ${error.message}`);
+    console.error(`\n  ${colors.error}${icons.error}${ansi.reset} ${ansi.bold}Error:${ansi.reset} ${error.message}`);
     if (opts.verbose) {
-      console.error(`  ${c.dim}${error.stack}${c.reset}`);
+      console.error(`  ${ansi.dim}${error.stack}${ansi.reset}`);
     }
     
-    return 2;
+    return EXIT_CODES.ERROR;
   }
 }
 
@@ -1272,6 +1200,8 @@ async function shipCore({ repoRoot, fastifyEntry, jsonOut, noWrite } = {}) {
   fs.writeFileSync(path.join(outDir, "last_ship.json"), JSON.stringify(report, null, 2));
   fs.writeFileSync(path.join(outDir, "proof-graph.json"), JSON.stringify(proofGraph, null, 2));
 
+  // Note: HTML reports are generated by 'vibecheck report' command, not here
+
   if (jsonOut) {
     fs.writeFileSync(path.isAbsolute(jsonOut) ? jsonOut : path.join(root, jsonOut), JSON.stringify(report, null, 2));
   }