@vibecheckai/cli 3.5.0 → 3.5.1

package/mcp-server/schemas/finding.schema.json

@@ -0,0 +1,167 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vibecheck.dev/schemas/finding.json",
+  "x-schemaVersion": "1.0.0",
+  "title": "Finding",
+  "description": "A single finding from vibecheck analysis. IDs are deterministic: sha256(rule_id + path + lineStart + message)",
+  "type": "object",
+  "properties": {
+    "id": {
+      "type": "string",
+      "description": "Stable, deterministic finding ID. Format: {category}-{hash}",
+      "pattern": "^[a-z_]+-[a-f0-9]{8}$",
+      "examples": ["auth_gap-a1b2c3d4", "dead_ui-e5f6g7h8"]
+    },
+    "category": {
+      "type": "string",
+      "description": "Finding category",
+      "enum": [
+        "secrets",
+        "auth_gap",
+        "billing_bypass",
+        "dead_ui",
+        "fake_success",
+        "missing_route",
+        "env_mismatch",
+        "ghost_auth",
+        "stripe_webhook",
+        "owner_mode_bypass",
+        "contract_drift",
+        "mock_data",
+        "placeholder",
+        "http_error",
+        "console_error",
+        "type_error",
+        "security",
+        "performance",
+        "accessibility"
+      ]
+    },
+    "severity": {
+      "type": "string",
+      "description": "Severity level. BLOCK stops ship, WARN requires review, INFO is advisory.",
+      "enum": ["BLOCK", "WARN", "INFO"]
+    },
+    "title": {
+      "type": "string",
+      "description": "Short, human-readable title",
+      "minLength": 1,
+      "maxLength": 200
+    },
+    "description": {
+      "type": "string",
+      "description": "Detailed description of the finding",
+      "maxLength": 2000
+    },
+    "evidence": {
+      "type": "array",
+      "description": "Evidence supporting this finding",
+      "items": {
+        "$ref": "#/$defs/Evidence"
+      },
+      "minItems": 1,
+      "maxItems": 10
+    },
+    "fixHints": {
+      "type": "array",
+      "description": "Suggestions for fixing this finding",
+      "items": {
+        "type": "string",
+        "maxLength": 500
+      },
+      "maxItems": 5
+    },
+    "relatedFindings": {
+      "type": "array",
+      "description": "IDs of related findings",
+      "items": {
+        "type": "string",
+        "pattern": "^[a-z_]+-[a-f0-9]{8}$"
+      },
+      "maxItems": 5
+    },
+    "confidence": {
+      "type": "number",
+      "description": "Confidence score (0.0-1.0)",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "source": {
+      "type": "string",
+      "description": "Which analyzer found this",
+      "enum": ["static", "runtime", "truthpack", "contract", "manual"]
+    },
+    "firstSeen": {
+      "type": "string",
+      "format": "date-time",
+      "description": "When this finding was first detected"
+    },
+    "allowlisted": {
+      "type": "boolean",
+      "description": "Whether this finding is allowlisted",
+      "default": false
+    },
+    "allowlistReason": {
+      "type": "string",
+      "description": "Reason for allowlisting (if allowlisted)",
+      "maxLength": 500
+    }
+  },
+  "required": ["id", "category", "severity", "title", "evidence"],
+  "additionalProperties": false,
+  "$defs": {
+    "Evidence": {
+      "type": "object",
+      "description": "Evidence supporting a finding",
+      "properties": {
+        "file": {
+          "type": "string",
+          "description": "Relative file path from project root",
+          "maxLength": 500
+        },
+        "line": {
+          "type": "integer",
+          "description": "Line number (1-indexed)",
+          "minimum": 1
+        },
+        "endLine": {
+          "type": "integer",
+          "description": "End line number for multi-line evidence",
+          "minimum": 1
+        },
+        "column": {
+          "type": "integer",
+          "description": "Column number (1-indexed)",
+          "minimum": 1
+        },
+        "snippet": {
+          "type": "string",
+          "description": "Code snippet (max 500 chars)",
+          "maxLength": 500
+        },
+        "reason": {
+          "type": "string",
+          "description": "Why this evidence is relevant",
+          "maxLength": 200
+        },
+        "url": {
+          "type": "string",
+          "description": "URL where issue was found (for runtime findings)",
+          "format": "uri"
+        },
+        "screenshot": {
+          "type": "string",
+          "description": "Path to screenshot (for UI findings)",
+          "maxLength": 500
+        },
+        "trace": {
+          "type": "string",
+          "description": "Path to Playwright trace (for runtime findings)",
+          "maxLength": 500
+        }
+      },
+      "required": ["file"],
+      "additionalProperties": false
+    }
+  }
+}

package/mcp-server/schemas/report-artifact.schema.json

@@ -0,0 +1,88 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vibecheck.dev/schemas/report-artifact.json",
+  "x-schemaVersion": "1.0.0",
+  "title": "ReportArtifact",
+  "description": "Report artifact metadata and content. Paths are relative to .vibecheck/",
+  "type": "object",
+  "properties": {
+    "id": {
+      "type": "string",
+      "description": "Unique artifact ID",
+      "pattern": "^[a-z_]+-[a-f0-9]{8,16}$"
+    },
+    "type": {
+      "type": "string",
+      "description": "Artifact type",
+      "enum": [
+        "verdict",
+        "truthpack",
+        "scan_report",
+        "reality_report",
+        "fix_mission",
+        "evidence_pack",
+        "sarif",
+        "html_report",
+        "pr_comment",
+        "share_bundle",
+        "proof_graph",
+        "trace",
+        "video",
+        "screenshot",
+        "har"
+      ]
+    },
+    "format": {
+      "type": "string",
+      "description": "File format",
+      "enum": ["json", "html", "md", "sarif", "zip", "png", "webm", "har"]
+    },
+    "path": {
+      "type": "string",
+      "description": "Relative path from .vibecheck/",
+      "maxLength": 500
+    },
+    "size": {
+      "type": "integer",
+      "description": "File size in bytes",
+      "minimum": 0
+    },
+    "checksum": {
+      "type": "string",
+      "description": "SHA-256 checksum",
+      "pattern": "^[a-f0-9]{64}$"
+    },
+    "createdAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "expiresAt": {
+      "type": "string",
+      "format": "date-time",
+      "description": "When this artifact should be garbage collected"
+    },
+    "runId": {
+      "type": "string",
+      "description": "Associated run ID"
+    },
+    "summary": {
+      "type": "object",
+      "description": "Brief summary of artifact contents",
+      "properties": {
+        "verdict": { "type": "string" },
+        "findingsCount": { "type": "integer" },
+        "score": { "type": "integer" }
+      },
+      "additionalProperties": true
+    },
+    "content": {
+      "description": "Inline content (for small artifacts only, <100KB)",
+      "oneOf": [
+        { "type": "string" },
+        { "type": "object" }
+      ]
+    }
+  },
+  "required": ["id", "type", "format", "path", "createdAt"],
+  "additionalProperties": false
+}

package/mcp-server/schemas/run-request.schema.json

@@ -0,0 +1,75 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vibecheck.dev/schemas/run-request.json",
+  "x-schemaVersion": "1.0.0",
+  "title": "RunRequest",
+  "description": "Unified request schema for all vibecheck MCP tools",
+  "type": "object",
+  "properties": {
+    "tool": {
+      "type": "string",
+      "description": "Tool name (e.g., 'vibecheck.scan')",
+      "pattern": "^vibecheck\\.[a-z_]+$"
+    },
+    "projectPath": {
+      "type": "string",
+      "description": "Absolute path to project root. Must be within allowed workspace.",
+      "minLength": 1,
+      "maxLength": 4096
+    },
+    "requestId": {
+      "type": "string",
+      "description": "Unique request ID for tracing. Auto-generated if not provided.",
+      "pattern": "^[a-zA-Z0-9_-]{8,64}$"
+    },
+    "timeout": {
+      "type": "integer",
+      "description": "Timeout in milliseconds. Default: 120000 (2 min)",
+      "minimum": 1000,
+      "maximum": 600000,
+      "default": 120000
+    },
+    "cache": {
+      "type": "object",
+      "description": "Cache control options",
+      "properties": {
+        "mode": {
+          "type": "string",
+          "enum": ["auto", "force", "skip"],
+          "default": "auto",
+          "description": "auto: use cache if fresh, force: always use cache, skip: bypass cache"
+        },
+        "maxAge": {
+          "type": "integer",
+          "description": "Max cache age in seconds. Default: 300 (5 min)",
+          "minimum": 0,
+          "maximum": 86400,
+          "default": 300
+        }
+      },
+      "additionalProperties": false
+    },
+    "options": {
+      "type": "object",
+      "description": "Tool-specific options. See individual tool schemas.",
+      "additionalProperties": true
+    },
+    "apiKey": {
+      "type": "string",
+      "description": "API key for tier authentication. Optional if configured globally.",
+      "pattern": "^gr_[a-z]+_[a-zA-Z0-9]{32,}$"
+    }
+  },
+  "required": ["tool", "projectPath"],
+  "additionalProperties": false,
+  "examples": [
+    {
+      "tool": "vibecheck.scan",
+      "projectPath": "/home/user/myproject",
+      "requestId": "req_abc123",
+      "timeout": 60000,
+      "cache": { "mode": "auto", "maxAge": 300 },
+      "options": { "profile": "quick" }
+    }
+  ]
+}

package/mcp-server/schemas/verdict.schema.json

@@ -0,0 +1,168 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vibecheck.dev/schemas/verdict.json",
+  "x-schemaVersion": "1.0.0",
+  "title": "Verdict",
+  "description": "Ship verdict from vibecheck analysis. Status: SHIP/WARN/BLOCK",
+  "type": "object",
+  "properties": {
+    "verdict": {
+      "type": "string",
+      "description": "Final verdict",
+      "enum": ["SHIP", "WARN", "BLOCK"]
+    },
+    "score": {
+      "type": "integer",
+      "description": "Overall score (0-100)",
+      "minimum": 0,
+      "maximum": 100
+    },
+    "grade": {
+      "type": "string",
+      "description": "Letter grade",
+      "enum": ["A+", "A", "A-", "B+", "B", "B-", "C+", "C", "C-", "D+", "D", "D-", "F"]
+    },
+    "summary": {
+      "type": "object",
+      "description": "Finding counts by severity",
+      "properties": {
+        "block": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "warn": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "info": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "total": {
+          "type": "integer",
+          "minimum": 0
+        }
+      },
+      "required": ["block", "warn", "info", "total"],
+      "additionalProperties": false
+    },
+    "findings": {
+      "type": "array",
+      "description": "All findings",
+      "items": {
+        "$ref": "finding.json"
+      }
+    },
+    "blockers": {
+      "type": "array",
+      "description": "Top blockers preventing ship",
+      "items": {
+        "$ref": "finding.json"
+      },
+      "maxItems": 10
+    },
+    "topIssues": {
+      "type": "array",
+      "description": "Top issues by severity (BLOCK first, then WARN)",
+      "items": {
+        "$ref": "finding.json"
+      },
+      "maxItems": 20
+    },
+    "coverage": {
+      "type": "object",
+      "description": "Analysis coverage metrics",
+      "properties": {
+        "filesScanned": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "routesCovered": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "authPathsChecked": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "billingGatesChecked": {
+          "type": "integer",
+          "minimum": 0
+        }
+      },
+      "additionalProperties": false
+    },
+    "proofGraph": {
+      "type": "object",
+      "description": "Proof graph showing evidence chains",
+      "properties": {
+        "claims": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "claim": { "type": "string" },
+              "verified": { "type": "boolean" },
+              "evidence": { "type": "array", "items": { "type": "string" } }
+            }
+          }
+        },
+        "gaps": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "riskScore": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        }
+      },
+      "additionalProperties": false
+    },
+    "meta": {
+      "type": "object",
+      "description": "Metadata about the analysis",
+      "properties": {
+        "version": {
+          "type": "string",
+          "description": "Vibecheck version"
+        },
+        "runId": {
+          "type": "string",
+          "description": "Unique run identifier"
+        },
+        "timestamp": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "durationMs": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "projectPath": {
+          "type": "string"
+        },
+        "profile": {
+          "type": "string"
+        },
+        "cached": {
+          "type": "boolean",
+          "default": false
+        },
+        "incremental": {
+          "type": "boolean",
+          "description": "Whether this was an incremental scan",
+          "default": false
+        },
+        "baseline": {
+          "type": "string",
+          "description": "Git commit used as baseline for incremental"
+        }
+      },
+      "required": ["version", "runId", "timestamp", "durationMs"],
+      "additionalProperties": false
+    }
+  },
+  "required": ["verdict", "score", "summary", "findings", "meta"],
+  "additionalProperties": false
+}

package/mcp-server/tier-auth.d.ts

@@ -0,0 +1,71 @@
+/**
+ * Type declarations for tier-auth.js
+ */
+
+export type TierName = 'free' | 'starter' | 'pro' | 'compliance' | 'enterprise' | 'unlimited';
+
+export interface TierConfig {
+  name: string;
+  price: number;
+  order: number;
+  mcpRateLimit: number;
+}
+
+export interface FeatureAccessResult {
+  hasAccess: boolean;
+  tier: TierName;
+  requiredTier?: TierName;
+  reason?: string;
+  upgradeUrl?: string;
+}
+
+export interface UserInfo {
+  authenticated: boolean;
+  tier: TierName;
+  tierName: string;
+  isOffline?: boolean;
+}
+
+export interface ToolAccessResult {
+  allowed: boolean;
+  reason?: string;
+  tier: TierName;
+  tierName: string;
+  requiredTier?: TierName;
+}
+
+export interface AvailableTool {
+  name: string;
+  allowed: boolean;
+  requiredTier?: TierName;
+}
+
+export const TIERS: Record<TierName, TierConfig>;
+
+export function clearTierCache(): void;
+
+export function checkFeatureAccess(
+  featureName: string,
+  providedApiKey?: string | null
+): Promise<FeatureAccessResult>;
+
+export function withTierCheck<T>(
+  featureName: string,
+  handler: () => Promise<T>
+): Promise<T>;
+
+export function checkMcpToolAccess(
+  toolName: string,
+  providedApiKey?: string | null
+): Promise<ToolAccessResult>;
+
+export function withMcpToolCheck<T>(
+  toolName: string,
+  handler: () => Promise<T>
+): Promise<T>;
+
+export function getUserInfo(): Promise<UserInfo>;
+
+export function getAvailableMcpTools(
+  providedApiKey?: string | null
+): Promise<AvailableTool[]>;