npm - @vibecheckai/cli - Versions diffs - 3.2.5 → 3.3.0 - Mend

@vibecheckai/cli 3.2.5 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (197) hide show

package/bin/.generated +25 -25
package/bin/dev/run-v2-torture.js +30 -30
package/bin/registry.js +192 -5
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -295
package/bin/runners/lib/agent-firewall/change-packet/builder.js +280 -6
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +312 -4
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +113 -1
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +133 -6
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +321 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/analyzers.js +81 -18
package/bin/runners/lib/api-client.js +269 -0
package/bin/runners/lib/auth-truth.js +193 -193
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/backup.js +62 -62
package/bin/runners/lib/billing.js +107 -107
package/bin/runners/lib/claims.js +118 -118
package/bin/runners/lib/cli-output.js +7 -1
package/bin/runners/lib/cli-ui.js +540 -540
package/bin/runners/lib/contracts/auth-contract.js +202 -202
package/bin/runners/lib/contracts/env-contract.js +181 -181
package/bin/runners/lib/contracts/external-contract.js +206 -206
package/bin/runners/lib/contracts/guard.js +168 -168
package/bin/runners/lib/contracts/index.js +89 -89
package/bin/runners/lib/contracts/plan-validator.js +311 -311
package/bin/runners/lib/contracts/route-contract.js +199 -199
package/bin/runners/lib/contracts.js +804 -804
package/bin/runners/lib/detect.js +89 -89
package/bin/runners/lib/doctor/autofix.js +254 -254
package/bin/runners/lib/doctor/index.js +37 -37
package/bin/runners/lib/doctor/modules/dependencies.js +325 -325
package/bin/runners/lib/doctor/modules/index.js +46 -46
package/bin/runners/lib/doctor/modules/network.js +250 -250
package/bin/runners/lib/doctor/modules/project.js +312 -312
package/bin/runners/lib/doctor/modules/runtime.js +224 -224
package/bin/runners/lib/doctor/modules/security.js +348 -348
package/bin/runners/lib/doctor/modules/system.js +213 -213
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -394
package/bin/runners/lib/doctor/reporter.js +262 -262
package/bin/runners/lib/doctor/service.js +262 -262
package/bin/runners/lib/doctor/types.js +113 -113
package/bin/runners/lib/doctor/ui.js +263 -263
package/bin/runners/lib/doctor-v2.js +608 -608
package/bin/runners/lib/drift.js +425 -425
package/bin/runners/lib/enforcement.js +72 -72
package/bin/runners/lib/enterprise-detect.js +603 -603
package/bin/runners/lib/enterprise-init.js +942 -942
package/bin/runners/lib/env-resolver.js +417 -417
package/bin/runners/lib/env-template.js +66 -66
package/bin/runners/lib/env.js +189 -189
package/bin/runners/lib/error-handler.js +16 -9
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/extractors/client-calls.js +990 -990
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -573
package/bin/runners/lib/extractors/fastify-routes.js +426 -426
package/bin/runners/lib/extractors/index.js +363 -363
package/bin/runners/lib/extractors/next-routes.js +524 -524
package/bin/runners/lib/extractors/proof-graph.js +431 -431
package/bin/runners/lib/extractors/route-matcher.js +451 -451
package/bin/runners/lib/extractors/truthpack-v2.js +377 -377
package/bin/runners/lib/extractors/ui-bindings.js +547 -547
package/bin/runners/lib/findings-schema.js +281 -281
package/bin/runners/lib/firewall-prompt.js +50 -50
package/bin/runners/lib/global-flags.js +37 -0
package/bin/runners/lib/graph/graph-builder.js +265 -265
package/bin/runners/lib/graph/html-renderer.js +413 -413
package/bin/runners/lib/graph/index.js +32 -32
package/bin/runners/lib/graph/runtime-collector.js +215 -215
package/bin/runners/lib/graph/static-extractor.js +518 -518
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/html-report.js +650 -650
package/bin/runners/lib/llm.js +75 -75
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/meter.js +61 -61
package/bin/runners/lib/missions/evidence.js +126 -126
package/bin/runners/lib/patch.js +40 -40
package/bin/runners/lib/permissions/auth-model.js +213 -213
package/bin/runners/lib/permissions/idor-prover.js +205 -205
package/bin/runners/lib/permissions/index.js +45 -45
package/bin/runners/lib/permissions/matrix-builder.js +198 -198
package/bin/runners/lib/pkgjson.js +28 -28
package/bin/runners/lib/policy.js +295 -295
package/bin/runners/lib/preflight.js +142 -142
package/bin/runners/lib/reality/correlation-detectors.js +359 -359
package/bin/runners/lib/reality/index.js +318 -318
package/bin/runners/lib/reality/request-hashing.js +416 -416
package/bin/runners/lib/reality/request-mapper.js +453 -453
package/bin/runners/lib/reality/safety-rails.js +463 -463
package/bin/runners/lib/reality/semantic-snapshot.js +408 -408
package/bin/runners/lib/reality/toast-detector.js +393 -393
package/bin/runners/lib/reality-findings.js +84 -84
package/bin/runners/lib/receipts.js +179 -179
package/bin/runners/lib/redact.js +29 -29
package/bin/runners/lib/replay/capsule-manager.js +154 -154
package/bin/runners/lib/replay/index.js +263 -263
package/bin/runners/lib/replay/player.js +348 -348
package/bin/runners/lib/replay/recorder.js +331 -331
package/bin/runners/lib/report.js +135 -135
package/bin/runners/lib/route-detection.js +1140 -1140
package/bin/runners/lib/sandbox/index.js +59 -59
package/bin/runners/lib/sandbox/proof-chain.js +399 -399
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -205
package/bin/runners/lib/sandbox/worktree.js +174 -174
package/bin/runners/lib/schema-validator.js +350 -350
package/bin/runners/lib/schemas/contracts.schema.json +160 -160
package/bin/runners/lib/schemas/finding.schema.json +100 -100
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -206
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -176
package/bin/runners/lib/schemas/reality-report.schema.json +162 -162
package/bin/runners/lib/schemas/share-pack.schema.json +180 -180
package/bin/runners/lib/schemas/ship-report.schema.json +117 -117
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -303
package/bin/runners/lib/schemas/validator.js +438 -438
package/bin/runners/lib/score-history.js +282 -282
package/bin/runners/lib/share-pack.js +239 -239
package/bin/runners/lib/snippets.js +67 -67
package/bin/runners/lib/unified-cli-output.js +604 -0
package/bin/runners/lib/upsell.js +658 -510
package/bin/runners/lib/usage.js +153 -153
package/bin/runners/lib/validate-patch.js +156 -156
package/bin/runners/lib/verdict-engine.js +628 -628
package/bin/runners/reality/engine.js +917 -917
package/bin/runners/reality/flows.js +122 -122
package/bin/runners/reality/report.js +378 -378
package/bin/runners/reality/session.js +193 -193
package/bin/runners/runAgent.d.ts +5 -0
package/bin/runners/runApprove.js +1200 -0
package/bin/runners/runAuth.js +324 -95
package/bin/runners/runCheckpoint.js +39 -21
package/bin/runners/runClassify.js +859 -0
package/bin/runners/runContext.js +136 -24
package/bin/runners/runDoctor.js +108 -68
package/bin/runners/runFirewall.d.ts +5 -0
package/bin/runners/runFirewallHook.d.ts +5 -0
package/bin/runners/runFix.js +6 -5
package/bin/runners/runGuard.js +262 -168
package/bin/runners/runInit.js +3 -2
package/bin/runners/runMcp.js +130 -52
package/bin/runners/runPolish.js +43 -20
package/bin/runners/runProve.js +1 -2
package/bin/runners/runReport.js +3 -2
package/bin/runners/runScan.js +145 -44
package/bin/runners/runShip.js +3 -4
package/bin/runners/runTruth.d.ts +5 -0
package/bin/runners/runValidate.js +19 -2
package/bin/runners/runWatch.js +104 -53
package/bin/vibecheck.js +106 -19
package/mcp-server/HARDENING_SUMMARY.md +299 -0
package/mcp-server/agent-firewall-interceptor.js +367 -31
package/mcp-server/authority-tools.js +569 -0
package/mcp-server/conductor/conflict-resolver.js +588 -0
package/mcp-server/conductor/execution-planner.js +544 -0
package/mcp-server/conductor/index.js +377 -0
package/mcp-server/conductor/lock-manager.js +615 -0
package/mcp-server/conductor/request-queue.js +550 -0
package/mcp-server/conductor/session-manager.js +500 -0
package/mcp-server/conductor/tools.js +510 -0
package/mcp-server/index.js +1199 -208
package/mcp-server/lib/api-client.cjs +305 -0
package/mcp-server/lib/logger.cjs +30 -0
package/mcp-server/logger.js +173 -0
package/mcp-server/package.json +2 -2
package/mcp-server/premium-tools.js +2 -2
package/mcp-server/tier-auth.js +351 -136
package/mcp-server/tools/index.js +72 -72
package/mcp-server/truth-firewall-tools.js +145 -15
package/mcp-server/vibecheck-tools.js +2 -2
package/package.json +2 -3
package/mcp-server/index.old.js +0 -4137
package/mcp-server/package-lock.json +0 -165

package/bin/runners/lib/__tests__/entitlements-v2.test.js CHANGED Viewed

@@ -1,295 +1,295 @@
-/**
- * Entitlements v2 Tests - Tier Enforcement Verification
- *
- * These tests verify:
- * 1. No bypass via env vars (VIBECHECK_SKIP_AUTH, VIBECHECK_OWNER, etc.)
- * 2. Correct tier gating for each command/feature
- * 3. Proper exit codes (3 = feature not allowed)
- * 4. Downgrade behaviors work correctly
- * 5. Help output shows correct tier labels
- */
-const {
-  getTier,
-  getLimits,
-  enforce,
-  checkCommand,
-  tierMeetsMinimum,
-  getMinTierForFeature,
-  tierHasFeature,
-  TIERS,
-  ENTITLEMENTS,
-  LIMITS,
-  EXIT_FEATURE_NOT_ALLOWED,
-  EXIT_MISCONFIG,
-} = require("../entitlements-v2");
-describe("Entitlements v2 - Tier Enforcement", () => {
-  // Store original env
-  const originalEnv = { ...process.env };
-  beforeEach(() => {
-    // Reset env before each test
-    process.env = { ...originalEnv };
-    // Clear any env vars that might bypass
-    delete process.env.VIBECHECK_SKIP_AUTH;
-    delete process.env.VIBECHECK_OWNER;
-    delete process.env.VIBECHECK_DEMO;
-    delete process.env.OWNER_MODE;
-  });
-  afterAll(() => {
-    process.env = originalEnv;
-  });
-  describe("No Bypass Tests", () => {
-    test("VIBECHECK_SKIP_AUTH does NOT grant paid features", async () => {
-      process.env.VIBECHECK_SKIP_AUTH = "1";
-      // prove is PRO-only
-      const result = await enforce("prove", { silent: true });
-      expect(result.allowed).toBe(false);
-      expect(result.exitCode).toBe(EXIT_FEATURE_NOT_ALLOWED);
-    });
-    test("VIBECHECK_OWNER does NOT grant paid features", async () => {
-      process.env.VIBECHECK_OWNER = "1";
-      const result = await enforce("prove", { silent: true });
-      expect(result.allowed).toBe(false);
-    });
-    test("VIBECHECK_DEMO does NOT grant paid features", async () => {
-      process.env.VIBECHECK_DEMO = "1";
-      const result = await enforce("ai-test", { silent: true });
-      expect(result.allowed).toBe(false);
-    });
-    test("OWNER_MODE does NOT grant paid features", async () => {
-      process.env.OWNER_MODE = "true";
-      const result = await enforce("share", { silent: true });
-      expect(result.allowed).toBe(false);
-    });
-    test("Offline mode defaults to FREE tier (no escalation)", async () => {
-      // Without API key, should be FREE
-      const tier = await getTier({});
-      expect(tier).toBe("free");
-    });
-  });
-  describe("Tier Matrix Compliance", () => {
-    describe("FREE tier commands", () => {
-      const freeCommands = [
-        "scan", "ship", "install", "init", "doctor", "status", "watch",
-        "ctx", "guard", "context", "mdc", "login", "logout", "whoami", "labs"
-      ];
-      test.each(freeCommands)("%s is allowed on FREE tier", async (cmd) => {
-        const result = await enforce(cmd, { silent: true });
-        expect(result.allowed).toBe(true);
-      });
-    });
-    describe("STARTER tier commands", () => {
-      const starterCommands = ["gate", "launch", "pr", "badge", "mcp"];
-      test.each(starterCommands)("%s requires STARTER+ (blocked on FREE)", async (cmd) => {
-        const result = await enforce(cmd, { silent: true });
-        // Without API key = FREE tier = should be blocked
-        expect(result.allowed).toBe(false);
-        expect(result.requiredTier).toBe("starter");
-        expect(result.exitCode).toBe(EXIT_FEATURE_NOT_ALLOWED);
-      });
-    });
-    describe("PRO tier commands", () => {
-      const proCommands = ["prove", "share", "ai-test"];
-      test.each(proCommands)("%s requires PRO (blocked on FREE/STARTER)", async (cmd) => {
-        const result = await enforce(cmd, { silent: true });
-        expect(result.allowed).toBe(false);
-        expect(result.requiredTier).toBe("pro");
-        expect(result.exitCode).toBe(EXIT_FEATURE_NOT_ALLOWED);
-      });
-    });
-    describe("Subfeature gating", () => {
-      test("fix.plan_only is FREE", async () => {
-        const result = await enforce("fix.plan_only", { silent: true });
-        expect(result.allowed).toBe(true);
-      });
-      test("fix.apply_patches requires PRO", async () => {
-        const result = await enforce("fix.apply_patches", { silent: true });
-        expect(result.allowed).toBe(false);
-        expect(result.requiredTier).toBe("pro");
-      });
-      test("reality.preview is FREE", async () => {
-        const result = await enforce("reality.preview", { silent: true });
-        expect(result.allowed).toBe(true);
-      });
-      test("reality.full requires STARTER", async () => {
-        const result = await enforce("reality.full", { silent: true });
-        expect(result.allowed).toBe(false);
-        expect(result.requiredTier).toBe("starter");
-      });
-      test("reality.advanced_auth_boundary requires PRO", async () => {
-        const result = await enforce("reality.advanced_auth_boundary", { silent: true });
-        expect(result.allowed).toBe(false);
-        expect(result.requiredTier).toBe("pro");
-      });
-      test("report.html_md is FREE", async () => {
-        const result = await enforce("report.html_md", { silent: true });
-        expect(result.allowed).toBe(true);
-      });
-      test("report.sarif_csv requires STARTER", async () => {
-        const result = await enforce("report.sarif_csv", { silent: true });
-        expect(result.allowed).toBe(false);
-        expect(result.requiredTier).toBe("starter");
-      });
-      test("report.compliance_packs requires PRO", async () => {
-        const result = await enforce("report.compliance_packs", { silent: true });
-        expect(result.allowed).toBe(false);
-        expect(result.requiredTier).toBe("pro");
-      });
-    });
-  });
-  describe("Downgrade Behaviors", () => {
-    test("reality downgrades to reality.preview on FREE", async () => {
-      const result = await enforce("reality", { silent: true });
-      expect(result.allowed).toBe(true);
-      expect(result.downgrade).toBe("reality.preview");
-      expect(result.caps).toBeDefined();
-    });
-    test("fix downgrades to fix.plan_only on FREE", async () => {
-      const result = await enforce("fix", { silent: true });
-      expect(result.allowed).toBe(true);
-      expect(result.downgrade).toBe("fix.plan_only");
-    });
-    test("report downgrades to report.html_md on FREE", async () => {
-      const result = await enforce("report", { silent: true });
-      expect(result.allowed).toBe(true);
-      expect(result.downgrade).toBe("report.html_md");
-    });
-  });
-  describe("Exit Codes", () => {
-    test("Returns EXIT_FEATURE_NOT_ALLOWED (3) for blocked features", async () => {
-      const result = await enforce("prove", { silent: true });
-      expect(result.exitCode).toBe(3);
-      expect(result.exitCode).toBe(EXIT_FEATURE_NOT_ALLOWED);
-    });
-    test("Returns EXIT_MISCONFIG (4) for unknown features", async () => {
-      const result = await enforce("nonexistent_feature", { silent: true });
-      expect(result.exitCode).toBe(4);
-      expect(result.exitCode).toBe(EXIT_MISCONFIG);
-    });
-  });
-  describe("Limits by Tier", () => {
-    test("FREE tier has correct limits", () => {
-      const limits = getLimits("free");
-      expect(limits.realityMaxPages).toBe(5);
-      expect(limits.realityMaxClicks).toBe(20);
-      expect(limits.realityAuthBoundary).toBe(false);
-      expect(limits.reportFormats).toEqual(["html", "md"]);
-      expect(limits.fixApplyPatches).toBe(false);
-    });
-    test("STARTER tier has expanded limits", () => {
-      const limits = getLimits("starter");
-      expect(limits.realityMaxPages).toBe(50);
-      expect(limits.realityAuthBoundary).toBe(true);
-      expect(limits.reportFormats).toContain("sarif");
-      expect(limits.reportFormats).toContain("csv");
-      expect(limits.fixApplyPatches).toBe(false);
-    });
-    test("PRO tier has full access", () => {
-      const limits = getLimits("pro");
-      expect(limits.realityMaxPages).toBe(-1); // unlimited
-      expect(limits.realityAdvancedAuth).toBe(true);
-      expect(limits.reportFormats).toContain("compliance");
-      expect(limits.fixApplyPatches).toBe(true);
-    });
-  });
-  describe("Tier Comparison Helpers", () => {
-    test("tierMeetsMinimum works correctly", () => {
-      expect(tierMeetsMinimum("free", "free")).toBe(true);
-      expect(tierMeetsMinimum("free", "starter")).toBe(false);
-      expect(tierMeetsMinimum("starter", "free")).toBe(true);
-      expect(tierMeetsMinimum("starter", "starter")).toBe(true);
-      expect(tierMeetsMinimum("starter", "pro")).toBe(false);
-      expect(tierMeetsMinimum("pro", "starter")).toBe(true);
-      expect(tierMeetsMinimum("pro", "pro")).toBe(true);
-      expect(tierMeetsMinimum("enterprise", "pro")).toBe(true);
-    });
-    test("getMinTierForFeature returns correct tier", () => {
-      expect(getMinTierForFeature("scan")).toBe("free");
-      expect(getMinTierForFeature("gate")).toBe("starter");
-      expect(getMinTierForFeature("prove")).toBe("pro");
-      expect(getMinTierForFeature("unknown")).toBe("enterprise");
-    });
-    test("tierHasFeature returns correct boolean", () => {
-      expect(tierHasFeature("free", "scan")).toBe(true);
-      expect(tierHasFeature("free", "gate")).toBe(false);
-      expect(tierHasFeature("starter", "gate")).toBe(true);
-      expect(tierHasFeature("starter", "prove")).toBe(false);
-      expect(tierHasFeature("pro", "prove")).toBe(true);
-    });
-  });
-  describe("ENTITLEMENTS Matrix Validation", () => {
-    test("All required commands are defined", () => {
-      const requiredCommands = [
-        "scan", "ship", "reality", "prove", "fix", "report",
-        "install", "init", "doctor", "status", "watch", "launch",
-        "ctx", "guard", "context", "mdc",
-        "gate", "pr", "badge", "mcp", "share", "ai-test",
-        "login", "logout", "whoami", "labs"
-      ];
-      for (const cmd of requiredCommands) {
-        expect(ENTITLEMENTS[cmd]).toBeDefined();
-        expect(ENTITLEMENTS[cmd].minTier).toBeDefined();
-      }
-    });
-    test("All tiers are valid", () => {
-      for (const [feature, def] of Object.entries(ENTITLEMENTS)) {
-        expect(TIERS[def.minTier]).toBeDefined();
-      }
-    });
-  });
-});
-describe("CLI Help Tier Labels", () => {
-  test("TIERS constant has correct pricing", () => {
-    expect(TIERS.free.price).toBe(0);
-    expect(TIERS.starter.price).toBe(29);
-    expect(TIERS.pro.price).toBe(99);
-    expect(TIERS.enterprise.price).toBe(499);
-  });
-  test("TIERS constant has correct order", () => {
-    expect(TIERS.free.order).toBeLessThan(TIERS.starter.order);
-    expect(TIERS.starter.order).toBeLessThan(TIERS.pro.order);
-    expect(TIERS.pro.order).toBeLessThan(TIERS.enterprise.order);
-  });
-});
+/**
+ * Entitlements v2 Tests - Tier Enforcement Verification
+ *
+ * These tests verify:
+ * 1. No bypass via env vars (VIBECHECK_SKIP_AUTH, VIBECHECK_OWNER, etc.)
+ * 2. Correct tier gating for each command/feature
+ * 3. Proper exit codes (3 = feature not allowed)
+ * 4. Downgrade behaviors work correctly
+ * 5. Help output shows correct tier labels
+ */
+const {
+  getTier,
+  getLimits,
+  enforce,
+  checkCommand,
+  tierMeetsMinimum,
+  getMinTierForFeature,
+  tierHasFeature,
+  TIERS,
+  ENTITLEMENTS,
+  LIMITS,
+  EXIT_FEATURE_NOT_ALLOWED,
+  EXIT_MISCONFIG,
+} = require("../entitlements-v2");
+describe("Entitlements v2 - Tier Enforcement", () => {
+  // Store original env
+  const originalEnv = { ...process.env };
+  beforeEach(() => {
+    // Reset env before each test
+    process.env = { ...originalEnv };
+    // Clear any env vars that might bypass
+    delete process.env.VIBECHECK_SKIP_AUTH;
+    delete process.env.VIBECHECK_OWNER;
+    delete process.env.VIBECHECK_DEMO;
+    delete process.env.OWNER_MODE;
+  });
+  afterAll(() => {
+    process.env = originalEnv;
+  });
+  describe("No Bypass Tests", () => {
+    test("VIBECHECK_SKIP_AUTH does NOT grant paid features", async () => {
+      process.env.VIBECHECK_SKIP_AUTH = "1";
+      // prove is PRO-only
+      const result = await enforce("prove", { silent: true });
+      expect(result.allowed).toBe(false);
+      expect(result.exitCode).toBe(EXIT_FEATURE_NOT_ALLOWED);
+    });
+    test("VIBECHECK_OWNER does NOT grant paid features", async () => {
+      process.env.VIBECHECK_OWNER = "1";
+      const result = await enforce("prove", { silent: true });
+      expect(result.allowed).toBe(false);
+    });
+    test("VIBECHECK_DEMO does NOT grant paid features", async () => {
+      process.env.VIBECHECK_DEMO = "1";
+      const result = await enforce("ai-test", { silent: true });
+      expect(result.allowed).toBe(false);
+    });
+    test("OWNER_MODE does NOT grant paid features", async () => {
+      process.env.OWNER_MODE = "true";
+      const result = await enforce("share", { silent: true });
+      expect(result.allowed).toBe(false);
+    });
+    test("Offline mode defaults to FREE tier (no escalation)", async () => {
+      // Without API key, should be FREE
+      const tier = await getTier({});
+      expect(tier).toBe("free");
+    });
+  });
+  describe("Tier Matrix Compliance", () => {
+    describe("FREE tier commands", () => {
+      const freeCommands = [
+        "scan", "ship", "install", "init", "doctor", "status", "watch",
+        "ctx", "guard", "context", "mdc", "login", "logout", "whoami", "labs"
+      ];
+      test.each(freeCommands)("%s is allowed on FREE tier", async (cmd) => {
+        const result = await enforce(cmd, { silent: true });
+        expect(result.allowed).toBe(true);
+      });
+    });
+    describe("STARTER tier commands", () => {
+      const starterCommands = ["gate", "launch", "pr", "badge", "mcp"];
+      test.each(starterCommands)("%s requires STARTER+ (blocked on FREE)", async (cmd) => {
+        const result = await enforce(cmd, { silent: true });
+        // Without API key = FREE tier = should be blocked
+        expect(result.allowed).toBe(false);
+        expect(result.requiredTier).toBe("starter");
+        expect(result.exitCode).toBe(EXIT_FEATURE_NOT_ALLOWED);
+      });
+    });
+    describe("PRO tier commands", () => {
+      const proCommands = ["prove", "share", "ai-test"];
+      test.each(proCommands)("%s requires PRO (blocked on FREE/STARTER)", async (cmd) => {
+        const result = await enforce(cmd, { silent: true });
+        expect(result.allowed).toBe(false);
+        expect(result.requiredTier).toBe("pro");
+        expect(result.exitCode).toBe(EXIT_FEATURE_NOT_ALLOWED);
+      });
+    });
+    describe("Subfeature gating", () => {
+      test("fix.plan_only is FREE", async () => {
+        const result = await enforce("fix.plan_only", { silent: true });
+        expect(result.allowed).toBe(true);
+      });
+      test("fix.apply_patches requires PRO", async () => {
+        const result = await enforce("fix.apply_patches", { silent: true });
+        expect(result.allowed).toBe(false);
+        expect(result.requiredTier).toBe("pro");
+      });
+      test("reality.preview is FREE", async () => {
+        const result = await enforce("reality.preview", { silent: true });
+        expect(result.allowed).toBe(true);
+      });
+      test("reality.full requires STARTER", async () => {
+        const result = await enforce("reality.full", { silent: true });
+        expect(result.allowed).toBe(false);
+        expect(result.requiredTier).toBe("starter");
+      });
+      test("reality.advanced_auth_boundary requires PRO", async () => {
+        const result = await enforce("reality.advanced_auth_boundary", { silent: true });
+        expect(result.allowed).toBe(false);
+        expect(result.requiredTier).toBe("pro");
+      });
+      test("report.html_md is FREE", async () => {
+        const result = await enforce("report.html_md", { silent: true });
+        expect(result.allowed).toBe(true);
+      });
+      test("report.sarif_csv requires STARTER", async () => {
+        const result = await enforce("report.sarif_csv", { silent: true });
+        expect(result.allowed).toBe(false);
+        expect(result.requiredTier).toBe("starter");
+      });
+      test("report.compliance_packs requires PRO", async () => {
+        const result = await enforce("report.compliance_packs", { silent: true });
+        expect(result.allowed).toBe(false);
+        expect(result.requiredTier).toBe("pro");
+      });
+    });
+  });
+  describe("Downgrade Behaviors", () => {
+    test("reality downgrades to reality.preview on FREE", async () => {
+      const result = await enforce("reality", { silent: true });
+      expect(result.allowed).toBe(true);
+      expect(result.downgrade).toBe("reality.preview");
+      expect(result.caps).toBeDefined();
+    });
+    test("fix downgrades to fix.plan_only on FREE", async () => {
+      const result = await enforce("fix", { silent: true });
+      expect(result.allowed).toBe(true);
+      expect(result.downgrade).toBe("fix.plan_only");
+    });
+    test("report downgrades to report.html_md on FREE", async () => {
+      const result = await enforce("report", { silent: true });
+      expect(result.allowed).toBe(true);
+      expect(result.downgrade).toBe("report.html_md");
+    });
+  });
+  describe("Exit Codes", () => {
+    test("Returns EXIT_FEATURE_NOT_ALLOWED (3) for blocked features", async () => {
+      const result = await enforce("prove", { silent: true });
+      expect(result.exitCode).toBe(3);
+      expect(result.exitCode).toBe(EXIT_FEATURE_NOT_ALLOWED);
+    });
+    test("Returns EXIT_MISCONFIG (4) for unknown features", async () => {
+      const result = await enforce("nonexistent_feature", { silent: true });
+      expect(result.exitCode).toBe(4);
+      expect(result.exitCode).toBe(EXIT_MISCONFIG);
+    });
+  });
+  describe("Limits by Tier", () => {
+    test("FREE tier has correct limits", () => {
+      const limits = getLimits("free");
+      expect(limits.realityMaxPages).toBe(5);
+      expect(limits.realityMaxClicks).toBe(20);
+      expect(limits.realityAuthBoundary).toBe(false);
+      expect(limits.reportFormats).toEqual(["html", "md"]);
+      expect(limits.fixApplyPatches).toBe(false);
+    });
+    test("STARTER tier has expanded limits", () => {
+      const limits = getLimits("starter");
+      expect(limits.realityMaxPages).toBe(50);
+      expect(limits.realityAuthBoundary).toBe(true);
+      expect(limits.reportFormats).toContain("sarif");
+      expect(limits.reportFormats).toContain("csv");
+      expect(limits.fixApplyPatches).toBe(false);
+    });
+    test("PRO tier has full access", () => {
+      const limits = getLimits("pro");
+      expect(limits.realityMaxPages).toBe(-1); // unlimited
+      expect(limits.realityAdvancedAuth).toBe(true);
+      expect(limits.reportFormats).toContain("compliance");
+      expect(limits.fixApplyPatches).toBe(true);
+    });
+  });
+  describe("Tier Comparison Helpers", () => {
+    test("tierMeetsMinimum works correctly", () => {
+      expect(tierMeetsMinimum("free", "free")).toBe(true);
+      expect(tierMeetsMinimum("free", "starter")).toBe(false);
+      expect(tierMeetsMinimum("starter", "free")).toBe(true);
+      expect(tierMeetsMinimum("starter", "starter")).toBe(true);
+      expect(tierMeetsMinimum("starter", "pro")).toBe(false);
+      expect(tierMeetsMinimum("pro", "starter")).toBe(true);
+      expect(tierMeetsMinimum("pro", "pro")).toBe(true);
+      expect(tierMeetsMinimum("enterprise", "pro")).toBe(true);
+    });
+    test("getMinTierForFeature returns correct tier", () => {
+      expect(getMinTierForFeature("scan")).toBe("free");
+      expect(getMinTierForFeature("gate")).toBe("starter");
+      expect(getMinTierForFeature("prove")).toBe("pro");
+      expect(getMinTierForFeature("unknown")).toBe("enterprise");
+    });
+    test("tierHasFeature returns correct boolean", () => {
+      expect(tierHasFeature("free", "scan")).toBe(true);
+      expect(tierHasFeature("free", "gate")).toBe(false);
+      expect(tierHasFeature("starter", "gate")).toBe(true);
+      expect(tierHasFeature("starter", "prove")).toBe(false);
+      expect(tierHasFeature("pro", "prove")).toBe(true);
+    });
+  });
+  describe("ENTITLEMENTS Matrix Validation", () => {
+    test("All required commands are defined", () => {
+      const requiredCommands = [
+        "scan", "ship", "reality", "prove", "fix", "report",
+        "install", "init", "doctor", "status", "watch", "launch",
+        "ctx", "guard", "context", "mdc",
+        "gate", "pr", "badge", "mcp", "share", "ai-test",
+        "login", "logout", "whoami", "labs"
+      ];
+      for (const cmd of requiredCommands) {
+        expect(ENTITLEMENTS[cmd]).toBeDefined();
+        expect(ENTITLEMENTS[cmd].minTier).toBeDefined();
+      }
+    });
+    test("All tiers are valid", () => {
+      for (const [feature, def] of Object.entries(ENTITLEMENTS)) {
+        expect(TIERS[def.minTier]).toBeDefined();
+      }
+    });
+  });
+});
+describe("CLI Help Tier Labels", () => {
+  test("TIERS constant has correct pricing", () => {
+    expect(TIERS.free.price).toBe(0);
+    expect(TIERS.starter.price).toBe(29);
+    expect(TIERS.pro.price).toBe(99);
+    expect(TIERS.enterprise.price).toBe(499);
+  });
+  test("TIERS constant has correct order", () => {
+    expect(TIERS.free.order).toBeLessThan(TIERS.starter.order);
+    expect(TIERS.starter.order).toBeLessThan(TIERS.pro.order);
+    expect(TIERS.pro.order).toBeLessThan(TIERS.enterprise.order);
+  });
+});