@vibecheckai/cli 3.1.8 → 3.2.1

package/bin/vibecheck.js

@@ -888,6 +888,14 @@ ${c.green}QUICK START - The 5-Step Journey${c.reset}
   4. ${c.bold}Prove${c.reset}         ${c.cyan}vibecheck prove${c.reset} ${c.magenta}[PRO]${c.reset}
   5. ${c.bold}Ship${c.reset}          ${c.cyan}vibecheck ship${c.reset}
 
+${c.bold}GLOBAL OPTIONS${c.reset}
+
+  ${c.cyan}--offline, --local${c.reset}   Run in offline mode (no API, unlimited local scans)
+  ${c.cyan}--json${c.reset}               Output as JSON
+  ${c.cyan}--quiet, -q${c.reset}          Suppress output
+  ${c.cyan}--verbose${c.reset}            Show detailed output
+  ${c.cyan}--path, -p <dir>${c.reset}     Run in specified directory
+
 ${c.bold}SHELL COMPLETIONS${c.reset}
 
   ${c.cyan}vibecheck completion bash${c.reset}   ${c.dim}# Add to ~/.bashrc${c.reset}
@@ -939,6 +947,7 @@ function parseGlobalFlags(rawArgs) {
     debug: false,
     strict: false,
     noBanner: false,
+    offline: false,
     path: process.cwd(),
     output: null,
   };
@@ -980,6 +989,10 @@ function parseGlobalFlags(rawArgs) {
       case "--no-banner":
         flags.noBanner = true;
         break;
+      case "--offline":
+      case "--local":
+        flags.offline = true;
+        break;
       case "--path":
       case "-p":
         flags.path = rawArgs[++i] || process.cwd();
@@ -1077,6 +1090,7 @@ async function main() {
   }
   if (globalFlags.verbose) cmdArgs.push("--verbose");
   if (globalFlags.strict) cmdArgs.push("--strict");
+  if (globalFlags.offline) cmdArgs.push("--offline");
 
   // Unknown command
   if (!COMMANDS[cmd]) {
@@ -1103,8 +1117,13 @@ async function main() {
   const cmdDef = COMMANDS[cmd];
   let authInfo = { key: null };
 
-  // Auth check (unless skipAuth)
-  if (!cmdDef.skipAuth) {
+  // Check for offline mode (via flag or env var)
+  const isOffline = globalFlags.offline || 
+                    process.env.VIBECHECK_OFFLINE === '1' || 
+                    process.env.VIBECHECK_LOCAL === '1';
+
+  // Auth check (unless skipAuth or offline mode)
+  if (!cmdDef.skipAuth && !isOffline) {
     const auth = getAuthModule();
     const { key } = auth.getApiKey();
     authInfo.key = key;
@@ -1136,6 +1155,17 @@ async function main() {
     }
 
     authInfo.access = access;
+  } else if (isOffline) {
+    // Offline mode - provide basic access info
+    if (!config.quiet && !config.noBanner) {
+      console.log(`${c.cyan}${sym.arrowRight} OFFLINE${c.reset} ${c.dim}mode - local scanning without API${c.reset}`);
+    }
+    authInfo.access = {
+      allowed: true,
+      tier: 'free',
+      caps: { maxFiles: 100, maxDepth: 3 },
+      offline: true
+    };
   }
 
   // Update state

package/mcp-server/agent-firewall-interceptor.js

@@ -0,0 +1,164 @@
+/**
+ * Agent Firewall Interceptor - MCP Tool
+ * 
+ * Intercepts file write/patch tool calls from AI agents.
+ * Validates changes against truthpack and policy before allowing writes.
+ */
+
+"use strict";
+
+const path = require("path");
+const fs = require("fs");
+const { interceptFileWrite, interceptMultiFileWrite } = require("../../bin/runners/lib/agent-firewall/interceptor/base");
+
+/**
+ * MCP Tool Definition
+ */
+const AGENT_FIREWALL_TOOL = {
+  name: "vibecheck_agent_firewall_intercept",
+  description: `🛡️ Agent Firewall - Intercepts AI code changes and validates against repo truth.
+
+This tool MUST be called before any file write/patch operations.
+It validates changes against truthpack and policy rules.
+
+Returns: { allowed, verdict, violations, unblockPlan }`,
+  inputSchema: {
+    type: "object",
+    required: ["agentId", "filePath", "content"],
+    properties: {
+      agentId: {
+        type: "string",
+        description: "Agent identifier (e.g., 'cursor', 'windsurf', 'copilot')"
+      },
+      filePath: {
+        type: "string",
+        description: "File path relative to project root"
+      },
+      content: {
+        type: "string",
+        description: "New file content"
+      },
+      oldContent: {
+        type: "string",
+        description: "Old file content (optional, for diff generation)"
+      },
+      intent: {
+        type: "string",
+        description: "Agent's stated intent for this change"
+      },
+      projectRoot: {
+        type: "string",
+        default: ".",
+        description: "Project root directory"
+      }
+    }
+  }
+};
+
+/**
+ * Handle MCP tool call
+ * @param {string} name - Tool name (unused, for consistency)
+ * @param {object} args - Tool arguments
+ * @returns {object} MCP tool response
+ */
+async function handleAgentFirewallIntercept(name, args) {
+  const projectRoot = path.resolve(args.projectRoot || ".");
+  const agentId = args.agentId || "unknown";
+  const filePath = args.filePath;
+  const content = args.content;
+  const oldContent = args.oldContent || null;
+  const intent = args.intent || "No intent provided";
+  
+  // Validate file path is within project root
+  const fileAbs = path.resolve(projectRoot, filePath);
+  if (!fileAbs.startsWith(projectRoot + path.sep) && fileAbs !== projectRoot) {
+    return {
+      content: [{
+        type: "text",
+        text: `❌ BLOCKED: File path outside project root: ${filePath}`
+      }],
+      isError: true
+    };
+  }
+  
+  try {
+    // Read old content if not provided
+    let actualOldContent = oldContent;
+    if (!actualOldContent && fs.existsSync(fileAbs)) {
+      actualOldContent = fs.readFileSync(fileAbs, "utf8");
+    }
+    
+    // Intercept the write
+    const result = await interceptFileWrite({
+      projectRoot,
+      agentId,
+      intent,
+      filePath,
+      content,
+      oldContent: actualOldContent
+    });
+    
+    // Check policy mode (already loaded in interceptFileWrite, but we need it for mode check)
+    const { loadPolicy } = require("../../bin/runners/lib/agent-firewall/policy/loader");
+    const policy = loadPolicy(projectRoot);
+    
+    if (policy.mode === "observe") {
+      // Observe mode - log but don't block
+      return {
+        content: [{
+          type: "text",
+          text: `📊 OBSERVE MODE: ${result.verdict}\n\n${result.message}\n\nPacket ID: ${result.packetId}`
+        }]
+      };
+    }
+    
+    // Enforce mode - block if not allowed
+    if (!result.allowed) {
+      let message = `❌ BLOCKED: ${result.message}\n\n`;
+      
+      if (result.violations && result.violations.length > 0) {
+        message += "Violations:\n";
+        for (const violation of result.violations) {
+          message += `  - ${violation.rule}: ${violation.message}\n`;
+        }
+      }
+      
+      if (result.unblockPlan && result.unblockPlan.steps.length > 0) {
+        message += "\nTo unblock:\n";
+        for (const step of result.unblockPlan.steps) {
+          message += `  ${step.action === "create" ? "Create" : "Modify"} ${step.file || "file"}: ${step.description}\n`;
+        }
+      }
+      
+      return {
+        content: [{
+          type: "text",
+          text: message
+        }],
+        isError: true
+      };
+    }
+    
+    // Allowed
+    return {
+      content: [{
+        type: "text",
+        text: `✅ ALLOWED: ${result.message}\n\nPacket ID: ${result.packetId}`
+      }]
+    };
+    
+  } catch (error) {
+    return {
+      content: [{
+        type: "text",
+        text: `❌ Error intercepting write: ${error.message}\n\n${error.stack}`
+      }],
+      isError: true
+    };
+  }
+}
+
+module.exports = {
+  AGENT_FIREWALL_TOOL,
+  handleAgentFirewallIntercept
+};