@vibecheckai/cli 3.1.2 → 3.1.4

package/bin/runners/CLI_REFACTOR_SUMMARY.md

@@ -0,0 +1,229 @@
+# CLI Refactor Summary - The 14-Command Vibecheck CLI
+
+**Date:** $(date)  
+**Purpose:** Consolidate CLI into 14 core commands with backward-compatible aliases
+
+---
+
+## The 14 Core Commands
+
+### SETUP (2 commands)
+| # | Command | Description | Tier |
+|---|---------|-------------|------|
+| 1 | `init` | One-time setup (config + contracts + scripts) | FREE |
+| 2 | `doctor` | Environment + dependency + config health check | FREE |
+
+### AI TRUTH LANE (4 commands)
+| # | Command | Description | Tier |
+|---|---------|-------------|------|
+| 3 | `ctx` | Truthpack generation - core truth engine | FREE |
+| 4 | `context` | Generate IDE rules (.cursorrules, MDC, Windsurf, Copilot) | FREE |
+| 5 | `guard` | AI guardrails - prompt firewall & hallucination checking | FREE |
+| 6 | `contracts` | CI gate for contract drift / invariants | FREE |
+
+### PROOF LOOP (5 commands)
+| # | Command | Description | Tier |
+|---|---------|-------------|------|
+| 7 | `ship` | Verdict engine - SHIP / WARN / BLOCK | FREE |
+| 8 | `runtime` | Browser-based runtime verification | FREE |
+| 9 | `fix` | AI-powered auto-fix | FREE |
+| 10 | `prove` | Full proof loop - ctx → runtime → ship → fix | PRO |
+| 11 | `security` | AuthZ matrix & IDOR detection | PRO |
+
+### OUTPUT & AUTOMATION (3 commands)
+| # | Command | Description | Tier |
+|---|---------|-------------|------|
+| 12 | `report` | Generate HTML/MD/SARIF reports | FREE |
+| 13 | `export` | Generate collaboration outputs | FREE |
+| 14 | `mcp` | Start MCP server for AI IDEs | STARTER |
+
+---
+
+## AI Truth Lane - Deep Dive
+
+### `vibecheck ctx` - Truthpack Generation
+The core truth engine that builds the "ground truth" of your project:
+- Project metadata (frameworks, workspaces, entrypoints)
+- Server routes and client route references
+- Environment variables and auth patterns
+- Billing/payment integrations
+- External service integrations
+
+**Subcommands:**
+- `ctx build` - Build/refresh truthpack
+- `ctx diff` - Show drift from contracts
+- `ctx sync` - Update contracts from truthpack
+- `ctx search` - Semantic search in context
+
+### `vibecheck context` - IDE Rules & MDC Generation
+Generates context files for AI coding assistants:
+- `.cursorrules` - Cursor IDE rules
+- `.cursor/rules/*.mdc` - Cursor MDC files
+- `.windsurf/rules/*.md` - Windsurf rules
+- `.github/copilot-instructions.md` - GitHub Copilot
+- `.claude/` and `.codex/` instructions
+- `.vibecheck/context.json` - Universal context
+
+Also supports:
+- Semantic code search
+- Secret/vulnerability scanning
+- AI task decomposition
+- Multi-repo federation
+- AI memory storage
+
+### `vibecheck guard` - AI Guardrails
+The prompt firewall and hallucination prevention system:
+- Validates AI claims against truthpack
+- Breaks prompts into tasks and verifies them
+- Checks for hallucination risks
+- Version-control aware fixes
+- Can generate diffs and apply fixes
+
+### `vibecheck contracts` - Contract Drift Detection
+CI gate for ensuring code doesn't drift from contracts:
+- Validates routes against routes.json
+- Validates env vars against env.json
+- Validates auth patterns against auth.json
+- Returns SHIP/WARN/BLOCK verdict
+
+---
+
+## Subcommand Reference
+
+### `runtime` Subcommands
+- `runtime crawl --url <url>` - UI verification (replaces `reality`)
+- `runtime agent --url <url>` - AI autonomous testing (replaces `ai-test`)
+- `runtime record --url <url>` - Record session (replaces `replay record`)
+- `runtime play <capsule>` - Replay session (replaces `replay play`)
+
+### `export` Subcommands
+- `export pr` - Generate PR comment (replaces `pr`)
+- `export badge` - Generate ship badge (replaces `badge`)
+- `export bundle` - Generate share pack (replaces `share`)
+
+### `security` Subcommands
+- `security model` - Extract auth model (replaces `permissions --learn`)
+- `security matrix` - Build AuthZ matrix (replaces `permissions --matrix`)
+- `security idor` - Detect IDOR candidates (replaces `permissions --idor`)
+- `security prove --url <url>` - Runtime verification
+
+---
+
+## Backward Compatibility Aliases
+
+All old commands still work:
+
+| Old Command | New Command |
+|-------------|-------------|
+| `install` | `init --quick` |
+| `scan` | `ship --mode scan` |
+| `gate` | `ship --ci` |
+| `reality` | `runtime crawl` |
+| `ai-test` | `runtime agent` |
+| `replay record` | `runtime record` |
+| `replay play` | `runtime play` |
+| `pr` | `export pr` |
+| `badge` | `export badge` |
+| `share` | `export bundle` |
+| `permissions` | `security model` |
+| `mdc` | `context` (alias) |
+
+---
+
+## The "What Do I Run?" Cheat Sheet
+
+### Daily Development
+```bash
+vibecheck ship              # Quick verdict
+vibecheck watch             # Continuous mode
+```
+
+### New Project Setup
+```bash
+vibecheck init              # Full wizard
+vibecheck init --quick      # Fast setup
+```
+
+### Before Pushing
+```bash
+vibecheck ship              # Static verdict
+vibecheck ship --with runtime  # Include runtime findings
+```
+
+### Before Deploying
+```bash
+vibecheck prove             # Full proof loop
+```
+
+### In CI/CD
+```bash
+vibecheck ship --ci         # CI verdict
+vibecheck contracts --strict  # Contract drift gate
+```
+
+### AI Context Generation
+```bash
+vibecheck ctx               # Build truthpack
+vibecheck context           # Generate IDE rules & MDC
+```
+
+### AI Guardrails
+```bash
+vibecheck guard             # Validate AI output
+vibecheck verify            # Verify AI-generated code
+```
+
+---
+
+## Key Distinctions
+
+### `guard` vs `contracts`
+- **`guard`** = AI guardrails (prompt firewall, hallucination checking)
+- **`contracts`** = Contract drift (CI gate for code vs contracts)
+
+### `ctx` vs `context`
+- **`ctx`** = Core truth engine (builds truthpack)
+- **`context`** = IDE rules & MDC generation (consumes truthpack)
+
+### `ship` vs `prove`
+- **`ship`** = Single verdict (static or with runtime)
+- **`prove`** = Full loop (ctx → runtime → ship → fix → verify)
+
+---
+
+## Additional Commands (DX Helpers)
+
+These commands are kept for convenience but not part of the core 14:
+
+| Command | Description | Tier |
+|---------|-------------|------|
+| `status` | Project health dashboard | FREE |
+| `watch` | Continuous mode - re-runs on changes | FREE |
+| `launch` | Pre-launch checklist wizard | STARTER |
+| `preflight` | Deployment validation checks | FREE |
+| `verify` | Verify AI-generated code output | FREE |
+| `graph` | Reality proof graph visualization | PRO |
+
+### Account Commands
+| Command | Description |
+|---------|-------------|
+| `login` | Authenticate with API key |
+| `logout` | Remove stored credentials |
+| `whoami` | Show current user and plan |
+
+---
+
+## Summary
+
+The 14-command structure provides:
+
+1. **Clear Setup** - `init`, `doctor`
+2. **AI Truth Lane** - `ctx`, `context`, `guard`, `contracts`
+3. **Proof Loop** - `ship`, `runtime`, `fix`, `prove`, `security`
+4. **Output & Automation** - `report`, `export`, `mcp`
+
+All features preserved, no confusion:
+- AI guardrails live in `guard`
+- Contract drift lives in `contracts`
+- MDC/IDE rules live in `context`
+- Truthpack generation lives in `ctx`

package/bin/runners/REPORT_AUDIT.md

@@ -0,0 +1,64 @@
+# Report Generation Audit
+
+## Commands That Generate Reports Automatically
+
+### ✅ Updated Commands
+
+1. **`vibecheck ship`**
+   - **Location**: `bin/runners/runShip.js`
+   - **Report**: `.vibecheck/report.html`
+   - **Type**: Technical report (detailed)
+   - **Generator**: `lib/html-report.js` → `generateHTMLReport()`
+   - **Status**: ✅ Updated to use better HTML report generator
+
+2. **`vibecheck report`**
+   - **Location**: `bin/runners/runReport.js`
+   - **Report**: `.vibecheck/report.html` (or custom path)
+   - **Types**:
+     - `--type=executive`: Client-friendly executive report
+     - `--type=technical` (default): Detailed technical report
+     - `--type=compliance`: Compliance report (PRO tier)
+   - **Generator**: 
+     - Executive: `lib/report-templates.js` → `generateEnhancedExecutiveReport()`
+     - Technical: `lib/html-report.js` → `generateHTMLReport()`
+   - **Status**: ✅ Updated - executive uses client-friendly template, technical uses detailed generator
+
+3. **`writeArtifacts()` utility**
+   - **Location**: `bin/runners/utils.js`
+   - **Report**: `.vibecheck/report.html`
+   - **Type**: Technical report (detailed)
+   - **Generator**: `lib/html-report.js` → `generateHTMLReport()`
+   - **Used by**: `runShip.js` (but skipped since ship generates its own)
+   - **Status**: ✅ Updated to use better HTML report generator
+
+### ✅ Specialized Reports (Keep As-Is)
+
+4. **`vibecheck reality`**
+   - **Location**: `bin/runners/reality/report.js`
+   - **Report**: `.vibecheck/reality/reality-report.html`
+   - **Type**: Reality mode specific report (runtime testing results)
+   - **Generator**: `reality/report.js` → `writeHtmlReport()`
+   - **Status**: ✅ Appropriate - specialized for reality mode, different format needed
+
+5. **`vibecheck prove`**
+   - **Location**: `bin/runners/runProve.js`
+   - **Report**: `.vibecheck/prove_report.json` (JSON only, no HTML)
+   - **Status**: ✅ Appropriate - JSON format for orchestration results
+
+### 📋 Summary
+
+**Commands that generate `report.html` automatically:**
+- ✅ `vibecheck ship` → Uses technical report generator
+- ✅ `vibecheck report` → Uses executive (client-friendly) or technical (default)
+- ✅ `writeArtifacts()` → Uses technical report generator (fallback)
+
+**Report Types:**
+- **Executive Report** (`--type=executive`): Client-friendly, simplified, stakeholder-focused
+- **Technical Report** (default): Detailed, developer-focused, includes file paths and code references
+- **Reality Report**: Specialized runtime testing report (different format)
+
+**Consistency:**
+- All general-purpose reports now use the unified HTML report generator
+- Executive reports use client-friendly templates
+- Technical reports use detailed generator
+- Specialized reports (reality) use their own formats (appropriate)

package/bin/runners/lib/entitlements-v2.js

@@ -17,8 +17,9 @@
  * 
  * Tiers:
  * - FREE ($0): Basic scanning and validation
- * - PRO ($99/repo/mo): Full fix, prove, ai-test, share, advanced reality
- * - COMPLETE ($199/repo/mo): Everything including permissions, graph, advanced compliance
+ * - STARTER ($39/repo/mo): CI/CD gates, PR checks, badges, MCP
+ * - PRO ($99/repo/mo): Full fix, prove, ai-test, share, advanced reality, permissions, graph, patch apply
+ * - COMPLIANCE (Enterprise): Advanced compliance packs, audit trails
  */
 
 "use strict";
@@ -41,9 +42,9 @@ const EXIT_MISCONFIG = 4;
 // ═══════════════════════════════════════════════════════════════════════════════
 const TIERS = {
   free: { name: "FREE", price: 0, order: 0 },
-  starter: { name: "STARTER", price: 29, order: 1 },
+  starter: { name: "STARTER", price: 39, order: 1 },  // Updated pricing
   pro: { name: "PRO", price: 99, order: 2 },
-  complete: { name: "COMPLETE", price: 199, order: 3 },
+  compliance: { name: "COMPLIANCE", price: 0, order: 3 }, // Enterprise/on-prem
 };
 
 // ═══════════════════════════════════════════════════════════════════════════════
@@ -51,64 +52,122 @@ const TIERS = {
 // Format: feature -> { minTier, caps?, downgrade? }
 // ═══════════════════════════════════════════════════════════════════════════════
 const ENTITLEMENTS = {
-  // Core commands
+  // ─────────────────────────────────────────────────────────────────────────────
+  // CORE COMMANDS
+  // ─────────────────────────────────────────────────────────────────────────────
   "scan": { minTier: "free" },
+  "scan.autofix": { minTier: "starter" },  // Apply safe fixes + missions
   "ship": { minTier: "free", caps: { free: "static-only" } },
   "ship.static": { minTier: "free" },
   "ship.full": { minTier: "pro" },
   
-  // Reality testing
+  // ─────────────────────────────────────────────────────────────────────────────
+  // INIT MODES
+  // ─────────────────────────────────────────────────────────────────────────────
+  "init": { minTier: "free" },
+  "init.local": { minTier: "free" },      // Full local setup
+  "init.connect": { minTier: "starter" }, // GitHub Actions + PR comments
+  
+  // ─────────────────────────────────────────────────────────────────────────────
+  // CHECKPOINT
+  // ─────────────────────────────────────────────────────────────────────────────
+  "checkpoint": { minTier: "free", downgrade: "checkpoint.basic" },
+  "checkpoint.basic": { minTier: "free" },        // Basic diff comparison
+  "checkpoint.hallucination": { minTier: "pro" }, // Hallucination scoring
+  
+  // ─────────────────────────────────────────────────────────────────────────────
+  // REALITY TESTING
+  // ─────────────────────────────────────────────────────────────────────────────
   "reality": { minTier: "free", downgrade: "reality.preview" },
   "reality.preview": { minTier: "free", caps: { free: { maxPages: 5, maxClicks: 20, noAuthBoundary: true } } },
+  "reality.basic": { minTier: "starter", caps: { starter: { maxPages: 50, maxClicks: 200, basicAuthVerify: true } } },
   "reality.full": { minTier: "pro" },
-  "reality.advanced_auth_boundary": { minTier: "complete" },
+  "reality.advanced_auth_boundary": { minTier: "pro" },
   
-  // Prove command
+  // ─────────────────────────────────────────────────────────────────────────────
+  // PROVE COMMAND
+  // ─────────────────────────────────────────────────────────────────────────────
   "prove": { minTier: "pro" },
   
-  // Fix command
+  // ─────────────────────────────────────────────────────────────────────────────
+  // FIX COMMAND
+  // ─────────────────────────────────────────────────────────────────────────────
   "fix": { minTier: "free", downgrade: "fix.plan_only" },
-  "fix.plan_only": { minTier: "free" },
-  "fix.apply_patches": { minTier: "complete" },
+  "fix.plan_only": { minTier: "free" },    // Generate missions, don't apply
+  "fix.apply_patches": { minTier: "pro" }, // Apply patches automatically
+  "fix.loop": { minTier: "pro" },          // Continuous fix loop
   
-  // Report formats
+  // ─────────────────────────────────────────────────────────────────────────────
+  // REPORT FORMATS
+  // ─────────────────────────────────────────────────────────────────────────────
   "report": { minTier: "free", downgrade: "report.html_md" },
   "report.html_md": { minTier: "free" },
-  "report.sarif_csv": { minTier: "pro" },
-  "report.compliance_packs": { minTier: "complete" },
+  "report.sarif_csv": { minTier: "starter" },  // SARIF/CSV at STARTER
+  "report.compliance_packs": { minTier: "compliance" },
   
-  // Setup & DX
+  // ─────────────────────────────────────────────────────────────────────────────
+  // SETUP & DX
+  // ─────────────────────────────────────────────────────────────────────────────
   "install": { minTier: "free" },
-  "init": { minTier: "free" },
   "doctor": { minTier: "free" },
   "status": { minTier: "free" },
-  "watch": { minTier: "free" },
+  "watch": { minTier: "free", downgrade: "watch.local" },
+  "watch.local": { minTier: "free" },      // Local-only file watching
+  "watch.pr": { minTier: "starter" },      // PR updates on changes
   "preflight": { minTier: "free" },
+  "polish": { minTier: "free" },
   
-  // AI Truth
+  // ─────────────────────────────────────────────────────────────────────────────
+  // AI TRUTH
+  // ─────────────────────────────────────────────────────────────────────────────
   "ctx": { minTier: "free" },
   "guard": { minTier: "free" },
   "context": { minTier: "free" },
   "mdc": { minTier: "free" },
+  "contracts": { minTier: "free" },
+  
+  // ─────────────────────────────────────────────────────────────────────────────
+  // EXPORT COMMAND (subcommands gate individually)
+  // ─────────────────────────────────────────────────────────────────────────────
+  "export": { minTier: "free" },  // Base export command is free, subcommands gate themselves
   
-  // PRO only
+  // ─────────────────────────────────────────────────────────────────────────────
+  // RUNTIME COMMAND (browser-based verification)
+  // ─────────────────────────────────────────────────────────────────────────────
+  "runtime": { minTier: "free", downgrade: "reality.preview" },  // Same as reality
+  
+  // ─────────────────────────────────────────────────────────────────────────────
+  // SECURITY COMMAND (AuthZ & IDOR)
+  // ─────────────────────────────────────────────────────────────────────────────
+  "security": { minTier: "pro" },
+  
+  // ─────────────────────────────────────────────────────────────────────────────
+  // PRO ONLY
+  // ─────────────────────────────────────────────────────────────────────────────
   "replay": { minTier: "pro" },
   "share": { minTier: "pro" },
   "ai-test": { minTier: "pro" },
+  "permissions": { minTier: "pro" },
+  "graph": { minTier: "pro" },
   
-  // STARTER and above
+  // ─────────────────────────────────────────────────────────────────────────────
+  // STARTER AND ABOVE
+  // ─────────────────────────────────────────────────────────────────────────────
   "gate": { minTier: "starter" },
   "pr": { minTier: "starter" },
   "badge": { minTier: "starter" },
   "launch": { minTier: "starter" },
+  "dashboard_sync": { minTier: "starter" },
+  
+  // MCP Server
   "mcp": { minTier: "starter", downgrade: "mcp.help_only" },
   "mcp.help_only": { minTier: "free", caps: { free: "help and print-config only" } },
+  "mcp.read_only": { minTier: "starter", caps: { starter: "read-only safe tools, rate limited" } },
+  "mcp.full": { minTier: "pro", caps: { pro: "full tools, audit logs, higher limits" } },
   
-  // COMPLETE only
-  "permissions": { minTier: "complete" },
-  "graph": { minTier: "complete" },
-  
-  // Account (always free)
+  // ─────────────────────────────────────────────────────────────────────────────
+  // ACCOUNT (ALWAYS FREE)
+  // ─────────────────────────────────────────────────────────────────────────────
   "login": { minTier: "free" },
   "logout": { minTier: "free" },
   "whoami": { minTier: "free" },
@@ -130,17 +189,27 @@ const LIMITS = {
     scansPerMonth: 50,
     shipChecksPerMonth: 20,
   },
+  starter: {
+    realityMaxPages: 50,
+    realityMaxClicks: 200,
+    realityAuthBoundary: false,
+    realityAdvancedAuth: false,
+    reportFormats: ["html", "md", "sarif", "csv"],
+    fixApplyPatches: false,
+    scansPerMonth: 500,
+    shipChecksPerMonth: 200,
+  },
   pro: {
     realityMaxPages: -1, // unlimited
     realityMaxClicks: -1,
     realityAuthBoundary: true,
-    realityAdvancedAuth: false,
+    realityAdvancedAuth: true,
     reportFormats: ["html", "md", "sarif", "csv"],
-    fixApplyPatches: false,
+    fixApplyPatches: true,
     scansPerMonth: -1, // unlimited
     shipChecksPerMonth: -1,
   },
-  complete: {
+  compliance: {
     realityMaxPages: -1,
     realityMaxClicks: -1,
     realityAuthBoundary: true,

package/bin/runners/lib/entitlements.js

@@ -186,12 +186,9 @@ class CLIEntitlementsManager {
       const syncResult = await serverUsage.syncOfflineUsage();
       if (syncResult.error) {
         // Allow offline mode by default - CLI should work without internet
-        // Only show warning if we actually tried to connect and failed (not just missing API key)
-        if (syncResult.error !== 'No API key configured' && syncResult.pending > 0) {
-          console.warn(
-            "\x1b[33mℹ Could not connect to vibecheck API, using offline mode\x1b[0m\n",
-          );
-        }
+        console.warn(
+          "\x1b[33mWarning: Could not connect to vibecheck API, using offline mode\x1b[0m\n",
+        );
         return { allowed: true, source: "offline" };
       }
     }

package/bin/runners/lib/init-wizard.js

@@ -290,7 +290,7 @@ class InitWizard {
     console.log(`${c.cyan}║${c.reset}     ${c.cyan}vibecheck ship${c.reset}                                                   ${c.cyan}║${c.reset}`);
     console.log(`${c.cyan}║${c.reset}                                                                      ${c.cyan}║${c.reset}`);
     console.log(`${c.cyan}║${c.reset}  ${c.bold}2.${c.reset} Review the report:                                               ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}     ${c.dim}Open .vibecheck/report.html in your browser${c.reset}                      ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}     ${c.dim}Generate report: ${c.cyan}vibecheck report${c.reset}                      ${c.cyan}║${c.reset}`);
     console.log(`${c.cyan}║${c.reset}                                                                      ${c.cyan}║${c.reset}`);
     console.log(`${c.cyan}║${c.reset}  ${c.bold}3.${c.reset} Fix issues and re-scan:                                          ${c.cyan}║${c.reset}`);
     console.log(`${c.cyan}║${c.reset}     ${c.cyan}vibecheck ship --fix${c.reset}                                             ${c.cyan}║${c.reset}`);