@vibecheckai/cli 3.2.0 → 3.2.2

package/mcp-server/index.js

@@ -27,14 +27,37 @@ import {
 } from "@modelcontextprotocol/sdk/types.js";
 
 import fs from "fs/promises";
+import fsSync from "fs";
 import path from "path";
 import { fileURLToPath } from "url";
-import { execSync } from "child_process";
+import { execFile } from "child_process";
+import { promisify } from "util";
+
+const execFileAsync = promisify(execFile);
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-const VERSION = "2.1.0";
+// ============================================================================
+// CENTRALIZED CONFIGURATION
+// ============================================================================
+const CONFIG = {
+  VERSION: "2.1.0",
+  BIN_PATH: path.join(__dirname, "..", "bin", "vibecheck.js"),
+  OUTPUT_DIR: ".vibecheck",
+  ENV_DEFAULTS: { VIBECHECK_SKIP_AUTH: "1" },
+  TIMEOUTS: {
+    DEFAULT: 30000,      // 30 seconds
+    SCAN: 120000,        // 2 minutes
+    VERIFY: 180000,      // 3 minutes
+    REALITY: 300000,     // 5 minutes
+    PROVE: 600000,       // 10 minutes
+    AUTOPILOT: 300000,   // 5 minutes
+  },
+  MAX_BUFFER: 10 * 1024 * 1024, // 10MB
+};
+
+const VERSION = CONFIG.VERSION;
 
 // Import intelligence tools
 import {
@@ -106,6 +129,12 @@ import { MCP_TOOLS_V3, handleToolV3, TOOL_TIERS as V3_TOOL_TIERS } from "./tools
 // Import tier auth for entitlement checking
 import { checkFeatureAccess } from "./tier-auth.js";
 
+// Import Agent Firewall Interceptor
+import {
+  AGENT_FIREWALL_TOOL,
+  handleAgentFirewallIntercept,
+} from "./agent-firewall-interceptor.js";
+
 /**
  * TRUTH FIREWALL CONFIGURATION
  * 
@@ -204,11 +233,15 @@ const USE_CONSOLIDATED_TOOLS = process.env.VIBECHECK_MCP_CONSOLIDATED !== 'false
 const TOOLS = USE_V3_TOOLS ? [
   // v3: 10 focused tools for STARTER+ (no free MCP tools)
   ...MCP_TOOLS_V3,
+  AGENT_FIREWALL_TOOL, // Agent Firewall - intercepts file writes
 ] : USE_CONSOLIDATED_TOOLS ? [
   // Curated tools for agents (legacy)
   ...CONSOLIDATED_TOOLS,
+  AGENT_FIREWALL_TOOL, // Agent Firewall - intercepts file writes
 ] : [
   // Legacy: Full tool set (50+ tools) - for backward compatibility
+  // PRIORITY: Agent Firewall - intercepts ALL file writes
+  AGENT_FIREWALL_TOOL,
   // PRIORITY: Truth Firewall tools (Hallucination Stopper) - agents MUST use these
   ...TRUTH_FIREWALL_TOOLS, // vibecheck.get_truthpack, vibecheck.validate_claim, vibecheck.compile_context, etc.
   
@@ -824,16 +857,122 @@ class VibecheckMCP {
       { name: "vibecheck", version: VERSION },
       { capabilities: { tools: {}, resources: {} } },
     );
+    this.toolRegistry = this.buildToolRegistry();
     this.setupHandlers();
   }
 
+  // ============================================================================
+  // TOOL REGISTRY - Maps tool names to handlers for cleaner dispatch
+  // ============================================================================
+  buildToolRegistry() {
+    return {
+      // Agent Firewall - intercepts file writes
+      "vibecheck_agent_firewall_intercept": handleAgentFirewallIntercept,
+      // Core CLI tools
+      "vibecheck.ship": this.handleShip.bind(this),
+      "vibecheck.scan": this.handleScan.bind(this),
+      "vibecheck.verify": this.handleVerify.bind(this),
+      "vibecheck.reality": this.handleReality.bind(this),
+      "vibecheckai.dev-test": this.handleAITest.bind(this),
+      "vibecheck.gate": this.handleGate.bind(this),
+      "vibecheck.fix": this.handleFix.bind(this),
+      "vibecheck.share": this.handleShare.bind(this),
+      "vibecheck.ctx": this.handleCtx.bind(this),
+      "vibecheck.prove": this.handleProve.bind(this),
+      "vibecheck.proof": this.handleProof.bind(this),
+      "vibecheck.validate": this.handleValidate.bind(this),
+      "vibecheck.report": this.handleReport.bind(this),
+      "vibecheck.status": this.handleStatus.bind(this),
+      "vibecheck.autopilot": this.handleAutopilot.bind(this),
+      "vibecheck.autopilot_plan": this.handleAutopilotPlan.bind(this),
+      "vibecheck.autopilot_apply": this.handleAutopilotApply.bind(this),
+      "vibecheck.badge": this.handleBadge.bind(this),
+      "vibecheck.context": this.handleContext.bind(this),
+    };
+  }
+
+  // ============================================================================
+  // CLI RUNNER - Secure, async execution with array args (prevents injection)
+  // ============================================================================
+  async runCLI(command, args = [], cwd, options = {}) {
+    const {
+      env = {},
+      timeout = CONFIG.TIMEOUTS.DEFAULT,
+      skipAuth = true,
+    } = options;
+
+    // Build argument array - this prevents command injection
+    const finalArgs = [CONFIG.BIN_PATH, command, ...args];
+
+    const execEnv = {
+      ...process.env,
+      ...CONFIG.ENV_DEFAULTS,
+      ...(skipAuth ? { VIBECHECK_SKIP_AUTH: "1" } : {}),
+      ...env,
+    };
+
+    try {
+      const { stdout, stderr } = await execFileAsync(process.execPath, finalArgs, {
+        cwd,
+        encoding: "utf8",
+        maxBuffer: CONFIG.MAX_BUFFER,
+        timeout,
+        env: execEnv,
+      });
+      return { stdout, stderr, success: true };
+    } catch (error) {
+      // Attach partial output for graceful degradation
+      error.partialOutput = error.stdout || "";
+      error.partialStderr = error.stderr || "";
+      throw error;
+    }
+  }
+
+  // ============================================================================
+  // UTILITY HELPERS
+  // ============================================================================
+  
+  // Strip ANSI escape codes from output
+  stripAnsi(str) {
+    return str ? str.replace(/\x1b\[[0-9;]*m/g, "") : "";
+  }
+
+  // Parse summary from disk (for graceful degradation on CLI errors)
+  async parseSummaryFromDisk(projectPath) {
+    const summaryPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "summary.json");
+    try {
+      const content = await fs.readFile(summaryPath, "utf-8");
+      return JSON.parse(content);
+    } catch {
+      return null;
+    }
+  }
+
+  // Format scan output from summary object
+  formatScanOutput(summary, projectPath) {
+    let output = `## Score: ${summary.score}/100 (${summary.grade})\n\n`;
+    output += `**Verdict:** ${summary.canShip ? "✅ SHIP" : "🚫 NO-SHIP"}\n\n`;
+
+    if (summary.counts) {
+      output += "### Checks\n\n";
+      output += "| Category | Issues |\n|----------|--------|\n";
+      for (const [key, count] of Object.entries(summary.counts)) {
+        const icon = count === 0 ? "✅" : "⚠️";
+        output += `| ${icon} ${key} | ${count} |\n`;
+      }
+    }
+
+    output += `\n📄 **Report:** ${CONFIG.OUTPUT_DIR}/report.html\n`;
+    return output;
+  }
+
   setupHandlers() {
     // List tools
     this.server.setRequestHandler(ListToolsRequestSchema, async () => ({
       tools: TOOLS,
     }));
 
-    // Call tool
+    // Call tool - main dispatch handler
     this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
       const { name, arguments: args } = request.params;
       const projectPath = path.resolve(args?.projectPath || ".");
@@ -862,7 +1001,6 @@ class VibecheckMCP {
         
         // Handle v3 tools (10 consolidated tools, STARTER+ only)
         if (USE_V3_TOOLS && V3_TOOL_TIERS[name]) {
-          // Get user tier from context or args
           const userTier = args?.tier || process.env.VIBECHECK_TIER || 'free';
           const result = await handleToolV3(name, args, { tier: userTier });
           
@@ -875,12 +1013,17 @@ class VibecheckMCP {
           };
         }
         
-        // Handle intelligence tools first
+        // 1. Check tool registry first (local CLI handlers)
+        if (this.toolRegistry[name]) {
+          return await this.toolRegistry[name](projectPath, args);
+        }
+
+        // 2. Handle external module tools by prefix/pattern
         if (name.startsWith("vibecheck.intelligence.")) {
           return await handleIntelligenceTool(name, args, __dirname);
         }
 
-        // Handle AI vibecheck tools (verify, quality, smells, hallucination, breaking, mdc, coverage)
+        // Handle AI vibecheck tools
         if (["vibecheck.verify", "vibecheck.quality", "vibecheck.smells", 
              "vibecheck.hallucination", "vibecheck.breaking", "vibecheck.mdc", 
              "vibecheck.coverage"].includes(name)) {
@@ -924,64 +1067,24 @@ class VibecheckMCP {
           }
         }
 
-        switch (name) {
-          case "vibecheck.ship":
-            return await this.handleShip(projectPath, args);
-          case "vibecheck.scan":
-            return await this.handleScan(projectPath, args);
-          case "vibecheck.verify":
-            return await this.handleVerify(projectPath, args);
-          case "vibecheck.reality":
-            return await this.handleReality(projectPath, args);
-          case "vibecheckai.dev-test":
-            return await this.handleAITest(projectPath, args);
-          case "vibecheck.gate":
-            return await this.handleGate(projectPath, args);
-          case "vibecheck.fix":
-            return await this.handleFix(projectPath, args);
-          case "vibecheck.share":
-            return await this.handleShare(projectPath, args);
-          case "vibecheck.ctx":
-            return await this.handleCtx(projectPath, args);
-          case "vibecheck.prove":
-            return await this.handleProve(projectPath, args);
-          case "vibecheck.proof":
-            return await this.handleProof(projectPath, args);
-          case "vibecheck.validate":
-            return await this.handleValidate(projectPath, args);
-          case "vibecheck.report":
-            return await this.handleReport(projectPath, args);
-          case "vibecheck.status":
-            return await this.handleStatus(projectPath, args);
-          case "vibecheck.autopilot":
-            return await this.handleAutopilot(projectPath, args);
-          case "vibecheck.autopilot_plan":
-            return await this.handleAutopilotPlan(projectPath, args);
-          case "vibecheck.autopilot_apply":
-            return await this.handleAutopilotApply(projectPath, args);
-          case "vibecheck.badge":
-            return await this.handleBadge(projectPath, args);
-          case "vibecheck.context":
-            return await this.handleContext(projectPath, args);
-          case "generate_mdc":
-            return await handleMDCGeneration(args);
-          // Truth Context tools (Evidence Pack / Truth Pack)
-          case "vibecheck.verify_claim":
-          case "vibecheck.evidence":
-            return await handleTruthContextTool(name, args);
-          // Truth Firewall tools (Hallucination Stopper)
-          case "vibecheck.get_truthpack":
-          case "vibecheck.validate_claim":
-          case "vibecheck.compile_context":
-          case "vibecheck.search_evidence":
-          case "vibecheck.find_counterexamples":
-          case "vibecheck.propose_patch":
-          case "vibecheck.check_invariants":
-          case "vibecheck.add_assumption":
-            return await handleTruthFirewallTool(name, args, projectPath);
-          default:
-            return this.error(`Unknown tool: ${name}`);
+        // Handle MDC generator
+        if (name === "generate_mdc") {
+          return await handleMDCGeneration(args);
         }
+
+        // Handle Truth Context tools (Evidence Pack / Truth Pack)
+        if (["vibecheck.verify_claim", "vibecheck.evidence"].includes(name)) {
+          return await handleTruthContextTool(name, args);
+        }
+
+        // Handle Truth Firewall tools (Hallucination Stopper)
+        if (["vibecheck.get_truthpack", "vibecheck.validate_claim", "vibecheck.compile_context",
+             "vibecheck.search_evidence", "vibecheck.find_counterexamples", "vibecheck.propose_patch",
+             "vibecheck.check_invariants", "vibecheck.add_assumption"].includes(name)) {
+          return await handleTruthFirewallTool(name, args, projectPath);
+        }
+
+        return this.error(`Unknown tool: ${name}`);
       } catch (err) {
         // Emit audit event for tool error
         emitToolComplete(name, "error", { 
@@ -1209,10 +1312,10 @@ class VibecheckMCP {
     return { content: [{ type: "text", text: errorText }], isError: true };
   }
 
-  // Validate project path exists and is accessible
+  // Validate project path exists and is accessible (sync for simple validation)
   validateProjectPath(projectPath) {
     try {
-      const stats = require("fs").statSync(projectPath);
+      const stats = fsSync.statSync(projectPath);
       if (!stats.isDirectory()) {
         return { 
           valid: false, 
@@ -1255,46 +1358,35 @@ class VibecheckMCP {
     }
 
     const profile = args?.profile || "quick";
-    const format = args?.format || "text";
     const only = args?.only;
 
     let output = "# 🔍 vibecheck Scan\n\n";
     output += `**Profile:** ${profile}\n`;
     output += `**Path:** ${projectPath}\n\n`;
 
-    try {
-      // Build CLI command
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" scan`;
-      cmd += ` --profile=${profile}`;
-      if (only?.length) cmd += ` --only=${only.join(",")}`;
-      cmd += ` --json`;
-
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-      });
-
-      // Read summary
-      const summaryPath = path.join(projectPath, ".vibecheck", "summary.json");
-      const summary = JSON.parse(await fs.readFile(summaryPath, "utf-8"));
+    // Build CLI arguments array (secure - no injection possible)
+    const cliArgs = [`--profile=${profile}`, "--json"];
+    if (only?.length) cliArgs.push(`--only=${only.join(",")}`);
 
-      output += `## Score: ${summary.score}/100 (${summary.grade})\n\n`;
-      output += `**Verdict:** ${summary.canShip ? "✅ SHIP" : "🚫 NO-SHIP"}\n\n`;
+    try {
+      await this.runCLI("scan", cliArgs, projectPath, { timeout: CONFIG.TIMEOUTS.SCAN });
 
-      if (summary.counts) {
-        output += "### Checks\n\n";
-        output += "| Category | Issues |\n|----------|--------|\n";
-        for (const [key, count] of Object.entries(summary.counts)) {
-          const icon = count === 0 ? "✅" : "⚠️";
-          output += `| ${icon} ${key} | ${count} |\n`;
-        }
+      // Read summary from disk
+      const summary = await this.parseSummaryFromDisk(projectPath);
+      if (summary) {
+        output += this.formatScanOutput(summary, projectPath);
       }
-
-      output += `\n📄 **Report:** .vibecheck/report.html\n`;
       output += "\n---\n_Context Enhanced by vibecheck AI_\n";
       return this.success(output);
     } catch (err) {
+      // Graceful degradation: check if scan completed but found issues (exit code 1)
+      const summary = await this.parseSummaryFromDisk(projectPath);
+      if (summary) {
+        output += this.formatScanOutput(summary, projectPath);
+        output += `\n⚠️ Scan completed with findings (exit code ${err.code || 1})\n`;
+        return this.success(output);
+      }
+
       return this.error(`Scan failed: ${err.message}`, {
         code: "SCAN_ERROR",
         suggestion: "Check that the project path is valid and contains scanable code",
@@ -1329,16 +1421,12 @@ class VibecheckMCP {
     let output = "# 🚦 vibecheck Gate\n\n";
     output += `**Policy:** ${policy}\n\n`;
 
-    try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" gate`;
-      cmd += ` --policy=${policy}`;
-      if (args?.sarif) cmd += ` --sarif`;
+    // Build CLI arguments array (secure)
+    const cliArgs = [`--policy=${policy}`];
+    if (args?.sarif) cliArgs.push("--sarif");
 
-      execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-      });
+    try {
+      await this.runCLI("gate", cliArgs, projectPath);
 
       output += "## ✅ GATE PASSED\n\n";
       output += "All checks passed. Clear to merge.\n";
@@ -1371,35 +1459,35 @@ class VibecheckMCP {
 
     const mode = args?.autopilot ? "Autopilot" : 
                  args?.apply ? "Apply" : 
-                 args?.promptOnly ? "Prompt Only" : "Plan";
+                 args?.promptOnly ? "Prompt Only" : 
+                 args?.dryRun ? "Dry Run" : "Plan";
 
     let output = "# 🛠 vibecheck Fix Missions v1\n\n";
     output += `**Mode:** ${mode}\n`;
     output += `**Max Missions:** ${args?.maxMissions || 8}\n`;
     if (args?.autopilot) output += `**Max Steps:** ${args?.maxSteps || 10}\n`;
+    if (args?.dryRun) output += `**Dry Run:** Yes (no changes will be made)\n`;
     output += "\n";
 
+    // Build CLI arguments array (secure)
+    const cliArgs = [];
+    if (args?.promptOnly) cliArgs.push("--prompt-only");
+    if (args?.apply) cliArgs.push("--apply");
+    if (args?.autopilot) cliArgs.push("--autopilot");
+    if (args?.share) cliArgs.push("--share");
+    if (args?.dryRun) cliArgs.push("--dry-run");
+    if (args?.maxMissions) cliArgs.push("--max-missions", String(args.maxMissions));
+    if (args?.maxSteps) cliArgs.push("--max-steps", String(args.maxSteps));
+
     try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" fix`;
-      if (args?.promptOnly) cmd += ` --prompt-only`;
-      if (args?.apply) cmd += ` --apply`;
-      if (args?.autopilot) cmd += ` --autopilot`;
-      if (args?.share) cmd += ` --share`;
-      if (args?.maxMissions) cmd += ` --max-missions ${args.maxMissions}`;
-      if (args?.maxSteps) cmd += ` --max-steps ${args.maxSteps}`;
-
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        timeout: 300000, // 5 min timeout for autopilot
-        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+      const result = await this.runCLI("fix", cliArgs, projectPath, { 
+        timeout: CONFIG.TIMEOUTS.AUTOPILOT 
       });
 
-      output += result.replace(/\x1b\[[0-9;]*m/g, ""); // Strip ANSI codes
+      output += this.stripAnsi(result.stdout);
 
       // Read mission pack if available
-      const missionsDir = path.join(projectPath, ".vibecheck", "missions");
+      const missionsDir = path.join(projectPath, CONFIG.OUTPUT_DIR, "missions");
       try {
         const dirs = await fs.readdir(missionsDir);
         const latest = dirs.sort().reverse()[0];
@@ -1413,12 +1501,12 @@ class VibecheckMCP {
             const m = missions.missions[i];
             output += `| ${i + 1} | ${m.title} | ${m.targetFindingIds.length} |\n`;
           }
-          output += `\n📁 **Mission Pack:** .vibecheck/missions/${latest}\n`;
+          output += `\n📁 **Mission Pack:** ${CONFIG.OUTPUT_DIR}/missions/${latest}\n`;
         }
       } catch {}
     } catch (err) {
       output += `\n⚠️ Fix error: ${err.message}\n`;
-      if (err.stdout) output += `\n${err.stdout.replace(/\x1b\[[0-9;]*m/g, "")}\n`;
+      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
     }
 
     output += "\n---\n_Fix Missions v1 — Reality Firewall Protected_\n";
@@ -1431,22 +1519,18 @@ class VibecheckMCP {
   async handleShare(projectPath, args) {
     let output = "# 📦 vibecheck Share Bundle\n\n";
 
-    try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" share`;
-      if (args?.prComment) cmd += ` --pr-comment`;
-      if (args?.out) cmd += ` --out "${args.out}"`;
+    // Build CLI arguments array (secure)
+    const cliArgs = [];
+    if (args?.prComment) cliArgs.push("--pr-comment");
+    if (args?.out) cliArgs.push("--out", args.out);
 
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
-      });
+    try {
+      const result = await this.runCLI("share", cliArgs, projectPath);
 
-      output += result.replace(/\x1b\[[0-9;]*m/g, "");
+      output += this.stripAnsi(result.stdout);
 
       // Read share pack if available
-      const missionsDir = path.join(projectPath, ".vibecheck", "missions");
+      const missionsDir = path.join(projectPath, CONFIG.OUTPUT_DIR, "missions");
       try {
         const dirs = await fs.readdir(missionsDir);
         const latest = dirs.sort().reverse()[0];
@@ -1469,14 +1553,14 @@ class VibecheckMCP {
               }
             }
             
-            output += `\n📁 **Share Pack:** .vibecheck/missions/${latest}/share/\n`;
-            output += `📄 **PR Comment:** .vibecheck/missions/${latest}/share/pr_comment.md\n`;
+            output += `\n📁 **Share Pack:** ${CONFIG.OUTPUT_DIR}/missions/${latest}/share/\n`;
+            output += `📄 **PR Comment:** ${CONFIG.OUTPUT_DIR}/missions/${latest}/share/pr_comment.md\n`;
           } catch {}
         }
       } catch {}
     } catch (err) {
       output += `\n⚠️ Share error: ${err.message}\n`;
-      if (err.stdout) output += `\n${err.stdout.replace(/\x1b\[[0-9;]*m/g, "")}\n`;
+      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
     }
 
     output += "\n---\n_Fix Missions Share Bundle_\n";
@@ -1490,28 +1574,23 @@ class VibecheckMCP {
     let output = "# 📦 vibecheck Truth Pack\n\n";
     output += `**Path:** ${projectPath}\n\n`;
 
-    try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" ctx`;
-      if (args?.snapshot) cmd += ` --snapshot`;
-      if (args?.json) cmd += ` --json`;
+    // Build CLI arguments array (secure)
+    const cliArgs = [];
+    if (args?.snapshot) cliArgs.push("--snapshot");
+    if (args?.json) cliArgs.push("--json");
 
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
-      });
+    try {
+      const result = await this.runCLI("ctx", cliArgs, projectPath);
 
       if (args?.json) {
         // Return raw JSON
-        output = result;
-        return this.success(output);
+        return this.success(result.stdout);
       }
 
-      output += result.replace(/\x1b\[[0-9;]*m/g, ""); // Strip ANSI codes
+      output += this.stripAnsi(result.stdout);
 
       // Read truthpack summary
-      const truthpackPath = path.join(projectPath, ".vibecheck", "truth", "truthpack.json");
+      const truthpackPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "truth", "truthpack.json");
       try {
         const truthpack = JSON.parse(await fs.readFile(truthpackPath, "utf-8"));
         
@@ -1526,7 +1605,7 @@ class VibecheckMCP {
         output += `| Stripe Detected | ${truthpack.billing?.hasStripe ? "✅" : "❌"} |\n`;
         output += `| Webhooks | ${truthpack.billing?.summary?.webhookHandlersFound || 0} |\n`;
         
-        output += `\n📁 **Saved:** .vibecheck/truth/truthpack.json\n`;
+        output += `\n📁 **Saved:** ${CONFIG.OUTPUT_DIR}/truth/truthpack.json\n`;
       } catch {}
     } catch (err) {
       output += `\n⚠️ Truth pack error: ${err.message}\n`;
@@ -1556,27 +1635,24 @@ class VibecheckMCP {
     output += `**URL:** ${args?.url || "(static only)"}\n`;
     output += `**Max Fix Rounds:** ${args?.maxFixRounds || 3}\n\n`;
 
+    // Build CLI arguments array (secure)
+    const cliArgs = [];
+    if (args?.url) cliArgs.push("--url", args.url);
+    if (args?.auth) cliArgs.push("--auth", args.auth);
+    if (args?.storageState) cliArgs.push("--storage-state", args.storageState);
+    if (args?.skipReality) cliArgs.push("--skip-reality");
+    if (args?.skipFix) cliArgs.push("--skip-fix");
+    if (args?.maxFixRounds) cliArgs.push("--max-fix-rounds", String(args.maxFixRounds));
+
     try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" prove`;
-      if (args?.url) cmd += ` --url ${args.url}`;
-      if (args?.auth) cmd += ` --auth ${args.auth}`;
-      if (args?.storageState) cmd += ` --storage-state ${args.storageState}`;
-      if (args?.skipReality) cmd += ` --skip-reality`;
-      if (args?.skipFix) cmd += ` --skip-fix`;
-      if (args?.maxFixRounds) cmd += ` --max-fix-rounds ${args.maxFixRounds}`;
-
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        timeout: 600000, // 10 min timeout for full prove loop
-        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+      const result = await this.runCLI("prove", cliArgs, projectPath, { 
+        timeout: CONFIG.TIMEOUTS.PROVE 
       });
 
-      output += result.replace(/\x1b\[[0-9;]*m/g, "");
+      output += this.stripAnsi(result.stdout);
 
       // Read prove report
-      const provePath = path.join(projectPath, ".vibecheck", "prove", "last_prove.json");
+      const provePath = path.join(projectPath, CONFIG.OUTPUT_DIR, "prove", "last_prove.json");
       try {
         const report = JSON.parse(await fs.readFile(provePath, "utf-8"));
         
@@ -1591,7 +1667,7 @@ class VibecheckMCP {
       } catch {}
     } catch (err) {
       output += `\n⚠️ Prove error: ${err.message}\n`;
-      if (err.stdout) output += `\n${err.stdout.replace(/\x1b\[[0-9;]*m/g, "")}\n`;
+      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
     }
 
     output += "\n---\n_One command to make it real_\n";
@@ -1610,19 +1686,18 @@ class VibecheckMCP {
 
     let output = `# 🎬 vibecheck Proof: ${mode.toUpperCase()}\n\n`;
 
-    try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" proof ${mode}`;
-      if (mode === "reality" && args?.url) cmd += ` --url=${args.url}`;
-      if (mode === "reality" && args?.flow) cmd += ` --flow=${args.flow}`;
+    // Build CLI arguments array (secure)
+    const cliArgs = [mode];
+    if (mode === "reality" && args?.url) cliArgs.push(`--url=${args.url}`);
+    if (mode === "reality" && args?.flow) cliArgs.push(`--flow=${args.flow}`);
 
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        timeout: 120000, // 2 min timeout for reality mode
+    try {
+      const result = await this.runCLI("proof", cliArgs, projectPath, { 
+        timeout: CONFIG.TIMEOUTS.SCAN,
+        skipAuth: false 
       });
 
-      output += result;
+      output += result.stdout;
     } catch (err) {
       if (mode === "mocks") {
         output += "## 🚫 MOCKPROOF: FAIL\n\n";
@@ -1631,7 +1706,7 @@ class VibecheckMCP {
         output += "## 🚫 REALITY MODE: FAIL\n\n";
         output += "Fake data or mock services detected at runtime.\n";
       }
-      output += `\n${err.stdout || err.message}\n`;
+      output += `\n${err.partialOutput || err.message}\n`;
     }
 
     return this.success(output);
@@ -1751,21 +1826,17 @@ class VibecheckMCP {
     let output = "# 🚀 vibecheck Ship\n\n";
     output += `**Path:** ${projectPath}\n\n`;
 
-    try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" ship`;
-      if (args?.fix) cmd += ` --fix`;
+    // Build CLI arguments array (secure)
+    const cliArgs = [];
+    if (args?.fix) cliArgs.push("--fix");
 
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
-      });
+    try {
+      const result = await this.runCLI("ship", cliArgs, projectPath);
 
-      // Parse the output for key information
-      output += result.replace(/\x1b\[[0-9;]*m/g, ""); // Strip ANSI codes
+      output += this.stripAnsi(result.stdout);
     } catch (err) {
       output += `\n⚠️ Ship check failed: ${err.message}\n`;
+      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
     }
 
     output += "\n---\n_Context Enhanced by vibecheck AI_\n";
@@ -1786,25 +1857,22 @@ class VibecheckMCP {
     if (args?.record) output += `**Recording:** Enabled\n`;
     output += "\n";
 
+    // Build CLI arguments array (secure)
+    const cliArgs = ["--url", url];
+    if (args?.auth) cliArgs.push("--auth", args.auth);
+    if (args?.flows?.length) cliArgs.push("--flows", args.flows.join(","));
+    if (args?.headed) cliArgs.push("--headed");
+    if (args?.record) cliArgs.push("--record");
+
     try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" verify --url "${url}"`;
-      if (args?.auth) cmd += ` --auth "${args.auth}"`;
-      if (args?.flows?.length) cmd += ` --flows ${args.flows.join(",")}`;
-      if (args?.headed) cmd += ` --headed`;
-      if (args?.record) cmd += ` --record`;
-
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        timeout: 180000, // 3 min timeout
-        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+      const result = await this.runCLI("verify", cliArgs, projectPath, { 
+        timeout: CONFIG.TIMEOUTS.VERIFY 
       });
 
-      output += result.replace(/\x1b\[[0-9;]*m/g, "");
+      output += this.stripAnsi(result.stdout);
 
       // Try to read reality results
-      const realityPath = path.join(projectPath, ".vibecheck", "reality", "last_reality.json");
+      const realityPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "reality", "last_reality.json");
       try {
         const reality = JSON.parse(await fs.readFile(realityPath, "utf-8"));
         
@@ -1827,11 +1895,11 @@ class VibecheckMCP {
           }
         }
         
-        output += `\n📁 **Full Report:** .vibecheck/reality/last_reality.json\n`;
+        output += `\n📁 **Full Report:** ${CONFIG.OUTPUT_DIR}/reality/last_reality.json\n`;
       } catch {}
     } catch (err) {
       output += `\n⚠️ Verify failed: ${err.message}\n`;
-      if (err.stdout) output += `\n${err.stdout.replace(/\x1b\[[0-9;]*m/g, "")}\n`;
+      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
     }
 
     output += "\n---\n_Runtime Verification by vibecheck_\n";
@@ -1854,30 +1922,27 @@ class VibecheckMCP {
     if (args?.danger) output += `**Danger Mode:** Enabled (risky clicks allowed)\n`;
     output += "\n";
 
+    // Build CLI arguments array (secure)
+    const cliArgs = ["--url", url];
+    if (args?.auth) cliArgs.push("--auth", args.auth);
+    if (args?.verifyAuth) cliArgs.push("--verify-auth");
+    if (args?.storageState) cliArgs.push("--storage-state", args.storageState);
+    if (args?.saveStorageState) cliArgs.push("--save-storage-state", args.saveStorageState);
+    if (args?.truthpack) cliArgs.push("--truthpack", args.truthpack);
+    if (args?.headed) cliArgs.push("--headed");
+    if (args?.maxPages) cliArgs.push("--max-pages", String(args.maxPages));
+    if (args?.maxDepth) cliArgs.push("--max-depth", String(args.maxDepth));
+    if (args?.danger) cliArgs.push("--danger");
+
     try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" reality --url "${url}"`;
-      if (args?.auth) cmd += ` --auth "${args.auth}"`;
-      if (args?.verifyAuth) cmd += ` --verify-auth`;
-      if (args?.storageState) cmd += ` --storage-state "${args.storageState}"`;
-      if (args?.saveStorageState) cmd += ` --save-storage-state "${args.saveStorageState}"`;
-      if (args?.truthpack) cmd += ` --truthpack "${args.truthpack}"`;
-      if (args?.headed) cmd += ` --headed`;
-      if (args?.maxPages) cmd += ` --max-pages ${args.maxPages}`;
-      if (args?.maxDepth) cmd += ` --max-depth ${args.maxDepth}`;
-      if (args?.danger) cmd += ` --danger`;
-
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        timeout: 300000, // 5 min timeout for two-pass
-        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+      const result = await this.runCLI("reality", cliArgs, projectPath, { 
+        timeout: CONFIG.TIMEOUTS.REALITY 
       });
 
-      output += result.replace(/\x1b\[[0-9;]*m/g, "");
+      output += this.stripAnsi(result.stdout);
 
       // Read reality results
-      const realityPath = path.join(projectPath, ".vibecheck", "reality", "last_reality.json");
+      const realityPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "reality", "last_reality.json");
       try {
         const reality = JSON.parse(await fs.readFile(realityPath, "utf-8"));
         
@@ -1928,7 +1993,7 @@ class VibecheckMCP {
         const verdict = blocks.length > 0 ? "🛑 BLOCK" : warns.length > 0 ? "⚠️ WARN" : "✅ CLEAN";
         output += `\n## Verdict: ${verdict}\n`;
         
-        output += `\n📁 **Full Report:** .vibecheck/reality/last_reality.json\n`;
+        output += `\n📁 **Full Report:** ${CONFIG.OUTPUT_DIR}/reality/last_reality.json\n`;
         
         if (reality.meta?.savedStorageState) {
           output += `📁 **Saved Auth State:** ${reality.meta.savedStorageState}\n`;
@@ -1936,7 +2001,7 @@ class VibecheckMCP {
       } catch {}
     } catch (err) {
       output += `\n⚠️ Reality failed: ${err.message}\n`;
-      if (err.stdout) output += `\n${err.stdout.replace(/\x1b\[[0-9;]*m/g, "")}\n`;
+      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
     }
 
     output += "\n---\n_Reality Mode v2 — Two-Pass Auth Verification_\n";
@@ -1954,28 +2019,20 @@ class VibecheckMCP {
     output += `**URL:** ${url}\n`;
     output += `**Goal:** ${args?.goal || "Test all features"}\n\n`;
 
-    try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" ai-test --url "${url}"`;
-      if (args?.goal) cmd += ` --goal "${args.goal}"`;
-      if (args?.headed) cmd += ` --headed`;
+    // Build CLI arguments array (secure)
+    const cliArgs = ["--url", url];
+    if (args?.goal) cliArgs.push("--goal", args.goal);
+    if (args?.headed) cliArgs.push("--headed");
 
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        timeout: 180000,
-        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+    try {
+      const result = await this.runCLI("ai-test", cliArgs, projectPath, { 
+        timeout: CONFIG.TIMEOUTS.VERIFY 
       });
 
-      output += result.replace(/\x1b\[[0-9;]*m/g, "");
+      output += this.stripAnsi(result.stdout);
 
       // Try to read fix prompts
-      const promptPath = path.join(
-        projectPath,
-        ".vibecheck",
-        "ai-agent",
-        "fix-prompt.md",
-      );
+      const promptPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "ai-agent", "fix-prompt.md");
       try {
         const prompts = await fs.readFile(promptPath, "utf-8");
         output += "\n## Fix Prompts Generated\n\n";
@@ -1999,19 +2056,15 @@ class VibecheckMCP {
     let output = "# 🤖 vibecheck Autopilot\n\n";
     output += `**Action:** ${action}\n\n`;
 
-    try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" autopilot ${action}`;
-      if (args?.slack) cmd += ` --slack="${args.slack}"`;
-      if (args?.email) cmd += ` --email="${args.email}"`;
+    // Build CLI arguments array (secure - no injection possible)
+    const cliArgs = [action];
+    if (args?.slack) cliArgs.push("--slack", args.slack);
+    if (args?.email) cliArgs.push("--email", args.email);
 
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
-      });
+    try {
+      const result = await this.runCLI("autopilot", cliArgs, projectPath);
 
-      output += result.replace(/\x1b\[[0-9;]*m/g, "");
+      output += this.stripAnsi(result.stdout);
     } catch (err) {
       output += `\n⚠️ Autopilot failed: ${err.message}\n`;
     }
@@ -2048,20 +2101,17 @@ class VibecheckMCP {
         const core = await import(corePath);
         runAutopilot = core.runAutopilot;
       } catch {
-        // Fallback to CLI
-        let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" autopilot plan`;
-        cmd += ` --profile ${args?.profile || "ship"}`;
-        cmd += ` --max-fixes ${args?.maxFixes || 10}`;
-        cmd += ` --json`;
-
-        const result = execSync(cmd, {
-          cwd: projectPath,
-          encoding: "utf8",
-          maxBuffer: 10 * 1024 * 1024,
-          env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
-        });
+        // Fallback to CLI - build secure args array
+        const cliArgs = [
+          "plan",
+          "--profile", args?.profile || "ship",
+          "--max-fixes", String(args?.maxFixes || 10),
+          "--json"
+        ];
 
-        const jsonResult = JSON.parse(result);
+        const result = await this.runCLI("autopilot", cliArgs, projectPath);
+
+        const jsonResult = JSON.parse(result.stdout);
         output += `## Scan Results\n\n`;
         output += `- **Total findings:** ${jsonResult.totalFindings}\n`;
         output += `- **Fixable:** ${jsonResult.fixableFindings}\n`;
@@ -2130,24 +2180,22 @@ class VibecheckMCP {
     output += `**Profile:** ${args?.profile || "ship"}\n`;
     output += `**Dry Run:** ${args?.dryRun ? "Yes" : "No"}\n\n`;
 
+    // Build CLI arguments array (secure)
+    const cliArgs = [
+      "apply",
+      "--profile", args?.profile || "ship",
+      "--max-fixes", String(args?.maxFixes || 10),
+      "--json"
+    ];
+    if (args?.verify === false) cliArgs.push("--no-verify");
+    if (args?.dryRun) cliArgs.push("--dry-run");
+
     try {
-      // Fallback to CLI
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" autopilot apply`;
-      cmd += ` --profile ${args?.profile || "ship"}`;
-      cmd += ` --max-fixes ${args?.maxFixes || 10}`;
-      if (args?.verify === false) cmd += ` --no-verify`;
-      if (args?.dryRun) cmd += ` --dry-run`;
-      cmd += ` --json`;
-
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        timeout: 300000, // 5 min timeout
-        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+      const result = await this.runCLI("autopilot", cliArgs, projectPath, {
+        timeout: CONFIG.TIMEOUTS.AUTOPILOT,
       });
 
-      const jsonResult = JSON.parse(result);
+      const jsonResult = JSON.parse(result.stdout);
 
       output += `## Results\n\n`;
       output += `- **Packs attempted:** ${jsonResult.packsAttempted}\n`;
@@ -2192,26 +2240,17 @@ class VibecheckMCP {
 
     let output = "# 🏅 vibecheck Badge\n\n";
 
-    try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" badge --format ${format}`;
-      if (args?.style) cmd += ` --style ${args.style}`;
+    // Build CLI arguments array (secure)
+    const cliArgs = ["--format", format];
+    if (args?.style) cliArgs.push("--style", args.style);
 
-      const result = execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
-      });
+    try {
+      const result = await this.runCLI("badge", cliArgs, projectPath);
 
-      output += result.replace(/\x1b\[[0-9;]*m/g, "");
+      output += this.stripAnsi(result.stdout);
 
       // Read the badge file
-      const badgePath = path.join(
-        projectPath,
-        ".vibecheck",
-        "badges",
-        `badge.${format}`,
-      );
+      const badgePath = path.join(projectPath, CONFIG.OUTPUT_DIR, "badges", `badge.${format}`);
       try {
         const badge = await fs.readFile(badgePath, "utf-8");
         if (format === "md") {
@@ -2239,19 +2278,15 @@ class VibecheckMCP {
     output += `**Project:** ${path.basename(projectPath)}\n`;
     output += `**Platform:** ${platform}\n\n`;
 
-    try {
-      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" context`;
-      if (platform !== "all") cmd += ` --platform=${platform}`;
+    // Build CLI arguments array (secure)
+    const cliArgs = [];
+    if (platform !== "all") cliArgs.push(`--platform=${platform}`);
 
-      execSync(cmd, {
-        cwd: projectPath,
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-      });
+    try {
+      await this.runCLI("context", cliArgs, projectPath, { skipAuth: false });
 
       output += "## ✅ Context Generated\n\n";
-      output +=
-        "Your AI coding assistants now have full project awareness.\n\n";
+      output += "Your AI coding assistants now have full project awareness.\n\n";
 
       output += "### Generated Files\n\n";
 
@@ -2272,8 +2307,8 @@ class VibecheckMCP {
       }
 
       output += "**Universal (MCP):**\n";
-      output += "- `.vibecheck/context.json` - Full context\n";
-      output += "- `.vibecheck/project-map.json` - Project analysis\n\n";
+      output += `- \`${CONFIG.OUTPUT_DIR}/context.json\` - Full context\n`;
+      output += `- \`${CONFIG.OUTPUT_DIR}/project-map.json\` - Project analysis\n\n`;
 
       output += "### What Your AI Now Knows\n\n";
       output += "- Project architecture and structure\n";
@@ -2282,8 +2317,7 @@ class VibecheckMCP {
       output += "- Coding conventions and patterns\n";
       output += "- Dependencies and tech stack\n\n";
 
-      output +=
-        "> **Tip:** Regenerate after major codebase changes with `vibecheck context`\n";
+      output += "> **Tip:** Regenerate after major codebase changes with `vibecheck context`\n";
     } catch (err) {
       output += `\n⚠️ Context generation failed: ${err.message}\n`;
     }