@vibecheckai/cli 3.1.6 → 3.2.0

package/bin/runners/runScan.js

@@ -103,6 +103,14 @@ function parseArgs(args) {
     noBanner: globalFlags.noBanner || false,
     ci: globalFlags.ci || false,
     quiet: globalFlags.quiet || false,
+    // Allowlist subcommand
+    allowlist: null, // null = not using allowlist, or 'list' | 'add' | 'remove' | 'check'
+    allowlistId: null,
+    allowlistPattern: null,
+    allowlistReason: null,
+    allowlistScope: 'global',
+    allowlistFile: null,
+    allowlistExpires: null,
   };
 
   // Parse command-specific args from cleanArgs
@@ -118,6 +126,22 @@ function parseArgs(args) {
     else if (arg === '--no-save') opts.save = false;
     else if (arg === '--path' || arg === '-p') opts.path = cleanArgs[++i] || process.cwd();
     else if (arg.startsWith('--path=')) opts.path = arg.split('=')[1];
+    // Allowlist subcommand support
+    else if (arg === '--allowlist') {
+      const nextArg = cleanArgs[i + 1];
+      if (nextArg && !nextArg.startsWith('-')) {
+        opts.allowlist = nextArg;
+        i++;
+      } else {
+        opts.allowlist = 'list'; // Default to list
+      }
+    }
+    else if (arg === '--id' && opts.allowlist) opts.allowlistId = cleanArgs[++i];
+    else if (arg === '--pattern' && opts.allowlist) opts.allowlistPattern = cleanArgs[++i];
+    else if (arg === '--reason' && opts.allowlist) opts.allowlistReason = cleanArgs[++i];
+    else if (arg === '--scope' && opts.allowlist) opts.allowlistScope = cleanArgs[++i];
+    else if (arg === '--file' && opts.allowlist) opts.allowlistFile = cleanArgs[++i];
+    else if (arg === '--expires' && opts.allowlist) opts.allowlistExpires = cleanArgs[++i];
     else if (!arg.startsWith('-')) opts.path = path.resolve(arg);
   }
   
@@ -142,6 +166,17 @@ function printHelp(showBanner = true) {
   ${ansi.bold}Fix Mode:${ansi.reset}
     ${colors.accent}--autofix, -f${ansi.reset}   Apply safe fixes + generate AI missions ${ansi.rgb(0, 200, 255)}[STARTER]${ansi.reset}
 
+  ${ansi.bold}Allowlist (suppress false positives):${ansi.reset}
+    ${colors.accent}--allowlist list${ansi.reset}                 Show all allowlist entries
+    ${colors.accent}--allowlist add${ansi.reset}                  Add entry to allowlist
+      ${ansi.dim}--id <finding-id>${ansi.reset}             Finding ID to allowlist
+      ${ansi.dim}--pattern <regex>${ansi.reset}             Pattern to match
+      ${ansi.dim}--reason <text>${ansi.reset}               Reason (required)
+      ${ansi.dim}--scope <global|file|line>${ansi.reset}    Scope (default: global)
+      ${ansi.dim}--expires <days>${ansi.reset}              Auto-expire after N days
+    ${colors.accent}--allowlist remove --id <id>${ansi.reset}     Remove entry from allowlist
+    ${colors.accent}--allowlist check --id <id>${ansi.reset}      Check if finding is allowlisted
+
   ${ansi.bold}Options:${ansi.reset}
     ${colors.accent}--url, -u${ansi.reset}       Base URL for reality testing (e.g., http://localhost:3000)
     ${colors.accent}--verbose, -v${ansi.reset}   Show detailed progress
@@ -157,8 +192,11 @@ function printHelp(showBanner = true) {
     ${ansi.dim}# Scan + autofix with missions${ansi.reset}
     vibecheck scan --autofix
 
-    ${ansi.dim}# CI/CD scan with manifest verification${ansi.reset}
-    vibecheck scan --truth
+    ${ansi.dim}# Add false positive to allowlist${ansi.reset}
+    vibecheck scan --allowlist add --id R_DEAD_abc123 --reason "Known toggle"
+
+    ${ansi.dim}# List allowlist entries${ansi.reset}
+    vibecheck scan --allowlist list
 
     ${ansi.dim}# Full proof with Playwright${ansi.reset}
     vibecheck scan --reality --url http://localhost:3000
@@ -169,6 +207,172 @@ function printHelp(showBanner = true) {
   `);
 }
 
+// ═══════════════════════════════════════════════════════════════════════════════
+// ALLOWLIST MANAGEMENT (integrated from runAllowlist)
+// ═══════════════════════════════════════════════════════════════════════════════
+
+async function handleAllowlistCommand(opts) {
+  const root = opts.path || process.cwd();
+  
+  // Load evidence-pack module for allowlist functions
+  let evidencePack;
+  try {
+    evidencePack = require("./lib/evidence-pack");
+  } catch (e) {
+    console.error(`${colors.error}✗${ansi.reset} Failed to load allowlist module: ${e.message}`);
+    return 1;
+  }
+
+  const action = opts.allowlist;
+  
+  try {
+    switch (action) {
+      case "list": {
+        const allowlist = evidencePack.loadAllowlist(root);
+        
+        if (opts.json) {
+          console.log(JSON.stringify(allowlist, null, 2));
+          return 0;
+        }
+        
+        if (!opts.quiet) {
+          console.log(`\n  📋 ${ansi.bold}Allowlist Entries${ansi.reset}\n`);
+        }
+        
+        if (!allowlist.entries || allowlist.entries.length === 0) {
+          console.log(`  ${ansi.dim}No entries in allowlist.${ansi.reset}\n`);
+          console.log(`  ${ansi.dim}Add entries with: vibecheck scan --allowlist add --id <id> --reason "..."${ansi.reset}\n`);
+          return 0;
+        }
+        
+        for (const entry of allowlist.entries) {
+          const expireStr = entry.expiresAt 
+            ? `${ansi.dim}expires ${new Date(entry.expiresAt).toLocaleDateString()}${ansi.reset}` 
+            : '';
+          const scopeStr = entry.scope !== 'global' 
+            ? `${colors.accent}[${entry.scope}]${ansi.reset} ` 
+            : '';
+          
+          console.log(`  ${colors.success}✓${ansi.reset} ${ansi.bold}${entry.id}${ansi.reset} ${scopeStr}${expireStr}`);
+          
+          if (entry.findingId) {
+            console.log(`    ${ansi.dim}Finding:${ansi.reset} ${entry.findingId}`);
+          }
+          if (entry.pattern) {
+            console.log(`    ${ansi.dim}Pattern:${ansi.reset} ${entry.pattern}`);
+          }
+          console.log(`    ${ansi.dim}Reason:${ansi.reset} ${entry.reason || 'No reason provided'}`);
+          console.log(`    ${ansi.dim}Added:${ansi.reset} ${entry.addedAt} by ${entry.addedBy || 'user'}`);
+          console.log();
+        }
+        
+        console.log(`  ${ansi.dim}Total: ${allowlist.entries.length} entries${ansi.reset}\n`);
+        return 0;
+      }
+      
+      case "add": {
+        if (!opts.allowlistId && !opts.allowlistPattern) {
+          console.error(`\n  ${colors.error}✗${ansi.reset} Either --id or --pattern is required\n`);
+          return 1;
+        }
+        
+        if (!opts.allowlistReason) {
+          console.error(`\n  ${colors.error}✗${ansi.reset} --reason is required\n`);
+          return 1;
+        }
+        
+        const entry = {
+          findingId: opts.allowlistId,
+          pattern: opts.allowlistPattern,
+          reason: opts.allowlistReason,
+          scope: opts.allowlistScope,
+          addedBy: 'cli'
+        };
+        
+        if (opts.allowlistFile) entry.file = opts.allowlistFile;
+        if (opts.allowlistExpires) {
+          const days = parseInt(opts.allowlistExpires, 10);
+          entry.expiresAt = new Date(Date.now() + days * 24 * 60 * 60 * 1000).toISOString();
+        }
+        
+        const added = evidencePack.addToAllowlist(root, entry);
+        
+        if (opts.json) {
+          console.log(JSON.stringify({ added }, null, 2));
+          return 0;
+        }
+        
+        console.log(`\n  ${colors.success}+${ansi.reset} Added allowlist entry: ${ansi.bold}${added.id}${ansi.reset}\n`);
+        return 0;
+      }
+      
+      case "remove": {
+        if (!opts.allowlistId) {
+          console.error(`\n  ${colors.error}✗${ansi.reset} --id is required for remove\n`);
+          return 1;
+        }
+        
+        const allowlist = evidencePack.loadAllowlist(root);
+        const before = allowlist.entries.length;
+        allowlist.entries = allowlist.entries.filter(e => e.id !== opts.allowlistId && e.findingId !== opts.allowlistId);
+        const removed = before - allowlist.entries.length;
+        
+        if (removed > 0) {
+          evidencePack.saveAllowlist(root, allowlist);
+        }
+        
+        if (opts.json) {
+          console.log(JSON.stringify({ removed, remaining: allowlist.entries.length }, null, 2));
+          return 0;
+        }
+        
+        if (removed > 0) {
+          console.log(`\n  ${colors.success}-${ansi.reset} Removed ${removed} entry from allowlist\n`);
+        } else {
+          console.log(`\n  ${colors.warning}⚠${ansi.reset} Entry not found: ${opts.allowlistId}\n`);
+        }
+        return 0;
+      }
+      
+      case "check": {
+        if (!opts.allowlistId) {
+          console.error(`\n  ${colors.error}✗${ansi.reset} --id is required for check\n`);
+          return 1;
+        }
+        
+        const allowlist = evidencePack.loadAllowlist(root);
+        const result = evidencePack.isAllowlisted({ id: opts.allowlistId }, allowlist);
+        
+        if (opts.json) {
+          console.log(JSON.stringify(result, null, 2));
+          return result.allowed ? 0 : 1;
+        }
+        
+        if (result.allowed) {
+          console.log(`\n  ${colors.success}✓${ansi.reset} ${ansi.bold}Allowlisted${ansi.reset}`);
+          console.log(`  ${ansi.dim}Reason:${ansi.reset} ${result.reason}`);
+          console.log(`  ${ansi.dim}Entry:${ansi.reset} ${result.entry?.id}\n`);
+        } else {
+          console.log(`\n  ${colors.warning}⚠${ansi.reset} ${ansi.bold}Not allowlisted${ansi.reset}\n`);
+        }
+        return result.allowed ? 0 : 1;
+      }
+      
+      default:
+        console.error(`\n  ${colors.error}✗${ansi.reset} Unknown allowlist action: ${action}\n`);
+        console.log(`  ${ansi.dim}Available: list, add, remove, check${ansi.reset}\n`);
+        return 1;
+    }
+  } catch (error) {
+    if (opts.json) {
+      console.log(JSON.stringify({ error: error.message }, null, 2));
+    } else {
+      console.error(`\n  ${colors.error}✗${ansi.reset} ${error.message}\n`);
+    }
+    return 1;
+  }
+}
+
 // ═══════════════════════════════════════════════════════════════════════════════
 // AUTOFIX & MISSION GENERATION
 // ═══════════════════════════════════════════════════════════════════════════════
@@ -453,6 +657,11 @@ async function runScan(args) {
     return 0;
   }
 
+  // Handle --allowlist subcommand
+  if (opts.allowlist) {
+    return await handleAllowlistCommand(opts);
+  }
+
   // Entitlement check (graceful offline handling)
   try {
     await enforceLimit('scans');
@@ -531,19 +740,44 @@ async function runScan(args) {
       // Fallback to JS-based scanner using truth.js and analyzers.js
       useFallbackScanner = true;
       const { buildTruthpack } = require('./lib/truth');
-      const { findMissingRoutes, findEnvGaps, findFakeSuccess, findGhostAuth } = require('./lib/analyzers');
+      const { 
+        findMissingRoutes, 
+        findEnvGaps, 
+        findFakeSuccess, 
+        findGhostAuth,
+        findMockData,
+        findTodoFixme,
+        findConsoleLogs,
+        findHardcodedSecrets,
+        findDeadCode,
+        findDeprecatedApis,
+        findEmptyCatch,
+        findUnsafeRegex,
+      } = require('./lib/analyzers');
       
       scanRouteIntegrity = async function({ projectPath, layers, baseUrl, verbose }) {
         // Build truthpack for route analysis
         const truthpack = await buildTruthpack({ repoRoot: projectPath });
         
-        // Run analyzers
+        // Run ALL analyzers for comprehensive scanning
         const findings = [];
+        
+        // Core analyzers (route integrity, env, auth)
         findings.push(...findMissingRoutes(truthpack));
         findings.push(...findEnvGaps(truthpack));
         findings.push(...findFakeSuccess(projectPath));
         findings.push(...findGhostAuth(truthpack, projectPath));
         
+        // Code quality analyzers (MOCK, TODO, console.log, etc.)
+        findings.push(...findMockData(projectPath));
+        findings.push(...findTodoFixme(projectPath));
+        findings.push(...findConsoleLogs(projectPath));
+        findings.push(...findHardcodedSecrets(projectPath));
+        findings.push(...findDeadCode(projectPath));
+        findings.push(...findDeprecatedApis(projectPath));
+        findings.push(...findEmptyCatch(projectPath));
+        findings.push(...findUnsafeRegex(projectPath));
+        
         // Convert to scan format matching TypeScript scanner output
         const shipBlockers = findings.map((f, i) => ({
           id: f.id || `finding-${i}`,

package/bin/runners/runShip.js

@@ -1044,23 +1044,39 @@ async function runShip(args, context = {}) {
       duration: Date.now() - executionStart,
     };
 
+    // Get current tier for output formatting
+    const currentTier = context?.authInfo?.access?.tier || getCurrentTier() || "free";
+    
     console.log(formatShipOutput(result, {
       verbose: opts.verbose,
       showFix: opts.fix,
       showBadge: opts.badge,
       outputDir,
       projectPath,
+      tier: currentTier,
+      isVerified: opts.withRuntime || false, // Reality testing = verified
     }));
 
-    // Badge file generation
+    // Badge file generation (STARTER+ only)
     if (opts.badge) {
-      const { data: badgeData } = renderBadgeOutput(projectPath, verdict, results.score);
+      const isVerified = opts.withRuntime && (currentTier === 'pro' || currentTier === 'compliance');
+      const { data: badgeData } = renderBadgeOutput(projectPath, verdict, results.score, { 
+        tier: currentTier, 
+        isVerified 
+      });
       
       // Save badge info
       fs.mkdirSync(outputDir, { recursive: true });
       fs.writeFileSync(
         path.join(outputDir, 'badge.json'),
-        JSON.stringify({ ...badgeData, verdict, score: results.score, generatedAt: new Date().toISOString() }, null, 2)
+        JSON.stringify({ 
+          ...badgeData, 
+          verdict, 
+          score: results.score, 
+          tier: currentTier,
+          isVerified,
+          generatedAt: new Date().toISOString() 
+        }, null, 2)
       );
     }
 

package/bin/runners/runWatch.js

@@ -14,6 +14,7 @@
 
 const fs = require("fs");
 const path = require("path");
+const { parseGlobalFlags, shouldShowBanner } = require("./lib/global-flags");
 const { shipCore } = require("./runShip");
 
 // ═══════════════════════════════════════════════════════════════════════════════
@@ -202,7 +203,13 @@ function printTopFindings(findings, max = 5) {
     .filter(f => f.severity === "BLOCK" || f.severity === "WARN")
     .slice(0, max);
 
-  if (!top.length) return;
+  if (!top.length) {
+    // Show success upsell for PRO
+    console.log(`  ${colors.shipGreen}✓${c.reset} ${c.bold}No issues detected!${c.reset}`);
+    console.log(`  ${c.dim}Want a verified badge? Try${c.reset} ${colors.cyan}vibecheck prove${c.reset} ${c.dim}(PRO)${c.reset}`);
+    console.log();
+    return;
+  }
 
   console.log(`  ${c.bold}Top findings:${c.reset}`);
   for (const f of top) {
@@ -210,6 +217,13 @@ function printTopFindings(findings, max = 5) {
     const title = f.title?.length > 50 ? f.title.slice(0, 47) + '...' : f.title;
     console.log(`    ${icon}${c.reset} ${title}`);
   }
+  
+  // Show upsell based on findings
+  const blockers = findings.filter(f => f.severity === "BLOCK").length;
+  if (blockers > 0) {
+    console.log();
+    console.log(`  ${colors.cyan}→${c.reset} ${c.dim}Fix these with${c.reset} ${colors.cyan}vibecheck fix${c.reset} ${c.dim}(STARTER)${c.reset}`);
+  }
   console.log();
 }
 
@@ -273,8 +287,10 @@ function watchDirectory(dir, callback) {
   };
 }
 
-function printHelp() {
-  console.log(BANNER_FULL);
+function printHelp(opts = {}) {
+  if (shouldShowBanner(opts)) {
+    console.log(BANNER_FULL);
+  }
   console.log(`
   ${c.bold}Usage:${c.reset} vibecheck watch [options]
 
@@ -314,9 +330,12 @@ function printHelp() {
 
 async function runWatch(argsOrOpts = {}) {
   // Handle array args from CLI
+  let globalOpts = { noBanner: false, json: false, quiet: false, ci: false };
   if (Array.isArray(argsOrOpts)) {
-    if (argsOrOpts.includes("--help") || argsOrOpts.includes("-h")) {
-      printHelp();
+    const { flags } = parseGlobalFlags(argsOrOpts);
+    globalOpts = { ...globalOpts, ...flags };
+    if (globalOpts.help) {
+      printHelp(globalOpts);
       return 0;
     }
     const getArg = (flags) => {
@@ -331,6 +350,7 @@ async function runWatch(argsOrOpts = {}) {
       fastifyEntry: getArg(["--fastify-entry"]),
       debounceMs: parseInt(getArg(["--debounce"]) || "500", 10),
       clearScreen: !argsOrOpts.includes("--no-clear"),
+      ...globalOpts,
     };
   }
 

package/bin/vibecheck.js

@@ -888,6 +888,14 @@ ${c.green}QUICK START - The 5-Step Journey${c.reset}
   4. ${c.bold}Prove${c.reset}         ${c.cyan}vibecheck prove${c.reset} ${c.magenta}[PRO]${c.reset}
   5. ${c.bold}Ship${c.reset}          ${c.cyan}vibecheck ship${c.reset}
 
+${c.bold}GLOBAL OPTIONS${c.reset}
+
+  ${c.cyan}--offline, --local${c.reset}   Run in offline mode (no API, unlimited local scans)
+  ${c.cyan}--json${c.reset}               Output as JSON
+  ${c.cyan}--quiet, -q${c.reset}          Suppress output
+  ${c.cyan}--verbose${c.reset}            Show detailed output
+  ${c.cyan}--path, -p <dir>${c.reset}     Run in specified directory
+
 ${c.bold}SHELL COMPLETIONS${c.reset}
 
   ${c.cyan}vibecheck completion bash${c.reset}   ${c.dim}# Add to ~/.bashrc${c.reset}
@@ -939,6 +947,7 @@ function parseGlobalFlags(rawArgs) {
     debug: false,
     strict: false,
     noBanner: false,
+    offline: false,
     path: process.cwd(),
     output: null,
   };
@@ -980,6 +989,10 @@ function parseGlobalFlags(rawArgs) {
       case "--no-banner":
         flags.noBanner = true;
         break;
+      case "--offline":
+      case "--local":
+        flags.offline = true;
+        break;
       case "--path":
       case "-p":
         flags.path = rawArgs[++i] || process.cwd();
@@ -1077,16 +1090,14 @@ async function main() {
   }
   if (globalFlags.verbose) cmdArgs.push("--verbose");
   if (globalFlags.strict) cmdArgs.push("--strict");
+  if (globalFlags.offline) cmdArgs.push("--offline");
 
   // Unknown command
   if (!COMMANDS[cmd]) {
     const suggestions = findSimilarCommands(cmd, ALL_COMMANDS);
     console.log(`\n${c.red}${sym.error}${c.reset} Unknown command: ${c.yellow}${cmd}${c.reset}`);
 
-    if (cmd === "replay" || cmd === "record") {
-      console.log(`\n${c.dim}replay is a PRO feature for session recording.${c.reset}`);
-      console.log(`${c.dim}Free alternative:${c.reset} ${c.cyan}vibecheck reality${c.reset} ${c.dim}(one-time runtime proof)${c.reset}`);
-    } else if (suggestions.length > 0) {
+    if (suggestions.length > 0) {
       console.log(`\n${c.dim}Did you mean:${c.reset}`);
       suggestions.forEach((s) => {
         const actual = ALIAS_MAP[s] || s;
@@ -1106,8 +1117,13 @@ async function main() {
   const cmdDef = COMMANDS[cmd];
   let authInfo = { key: null };
 
-  // Auth check (unless skipAuth)
-  if (!cmdDef.skipAuth) {
+  // Check for offline mode (via flag or env var)
+  const isOffline = globalFlags.offline || 
+                    process.env.VIBECHECK_OFFLINE === '1' || 
+                    process.env.VIBECHECK_LOCAL === '1';
+
+  // Auth check (unless skipAuth or offline mode)
+  if (!cmdDef.skipAuth && !isOffline) {
     const auth = getAuthModule();
     const { key } = auth.getApiKey();
     authInfo.key = key;
@@ -1139,6 +1155,17 @@ async function main() {
     }
 
     authInfo.access = access;
+  } else if (isOffline) {
+    // Offline mode - provide basic access info
+    if (!config.quiet && !config.noBanner) {
+      console.log(`${c.cyan}${sym.arrowRight} OFFLINE${c.reset} ${c.dim}mode - local scanning without API${c.reset}`);
+    }
+    authInfo.access = {
+      allowed: true,
+      tier: 'free',
+      caps: { maxFiles: 100, maxDepth: 3 },
+      offline: true
+    };
   }
 
   // Update state
@@ -1173,47 +1200,8 @@ async function main() {
       runStart,
     };
 
-    // Execute command
-    switch (cmd) {
-      case "prove":
-      case "reality":
-      case "watch":
-      case "ship":
-      case "runtime":
-      case "export":
-      case "security":
-      case "install":
-      case "pr":
-      case "share":
-        exitCode = await runner(cmdArgs, context);
-        break;
-
-      case "ctx":
-      case "truthpack":
-        if (cmdArgs[0] === "sync") {
-          const { runCtxSync } = require("./runners/runCtxSync");
-          exitCode = await runCtxSync({ ...context, fastifyEntry: getArgValue(cmdArgs, ["--fastify-entry"]) });
-        } else if (cmdArgs[0] === "guard") {
-          const { runCtxGuard } = require("./runners/runCtxGuard");
-          exitCode = await runCtxGuard.main(cmdArgs.slice(1));
-        } else if (cmdArgs[0] === "diff") {
-          const { main: ctxDiffMain } = require("./runners/runCtxDiff");
-          exitCode = await ctxDiffMain(cmdArgs.slice(1));
-        } else if (cmdArgs[0] === "search") {
-          const { runContext } = require("./runners/runContext");
-          exitCode = await runContext(["--search", ...cmdArgs.slice(1)]);
-        } else {
-          exitCode = await runner(cmdArgs, context);
-        }
-        break;
-
-      case "status":
-        exitCode = await runner({ ...context, json: cmdArgs.includes("--json") });
-        break;
-
-      default:
-        exitCode = await runner(cmdArgs);
-    }
+    // Execute command - all commands use consistent runner signature
+    exitCode = await runner(cmdArgs, context);
   } catch (error) {
     console.error(formatError(error, config));
     exitCode = 1;