@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/entitlements-v2.js

@@ -2,8 +2,8 @@
  * VibeCheck Entitlements
  * 
  * Simple 2-tier model:
- * - FREE ($0): Inspect & Observe - No API key required
- * - PRO ($69/mo): Fix, Prove & Enforce - Requires API key
+ * - FREE ($0): Inspect & Observe
+ * - PRO ($69/mo): Fix, Prove & Enforce
  */
 
 "use strict";
@@ -17,7 +17,6 @@ const os = require("os");
 // ============================================================================
 const EXIT_SUCCESS = 0;
 const EXIT_FEATURE_NOT_ALLOWED = 3;
-const EXIT_AUTH_REQUIRED = 4;
 
 // ============================================================================
 // TIERS
@@ -34,7 +33,7 @@ const FREE_FEATURES = [
   // Setup & environment
   "init", "doctor", "install", "status", "watch", "preflight",
   // Scan & analysis
-  "scan", "runtime", "vibe",
+  "scan", "runtime",
   // AI verification
   "ctx", "contracts", "verify",
   // Reports
@@ -44,37 +43,53 @@ const FREE_FEATURES = [
   // Preview modes
   "reality.preview", "firewall.observe",
   // Misc
-  "labs", "mdc", "help", "version",
+  "labs", "mdc",
 ];
 
 const PRO_FEATURES = [
   // CI/CD & PR
   "gate", "pr", "badge", "ship",
   // Fixes
-  "fix", "fix.apply", "scan.autofix",
+  "fix", "fix.apply", "fix.analyze", "fix.diff", "fix.rules", "scan.autofix",
   // Prove & verify
   "prove", "replay", "permissions", "graph", "ai-test", "share",
   // Advanced
   "checkpoint", "polish", "guard", "context",
   // Full modes
   "firewall.enforce", "reality.full", "mcp.full",
-  // All FREE features included
+  // All FREE features
   ...FREE_FEATURES,
 ];
 
-function isPro(tier) {
-  return tier === "pro";
-}
-
-function isFreeFeature(feature) {
-  return FREE_FEATURES.includes(feature);
+/**
+ * Check if developer mode bypass is allowed.
+ * 
+ * SECURITY: VIBECHECK_DEV_PRO is ONLY allowed in non-production environments.
+ * This prevents environment variable injection from granting PRO access in production.
+ * 
+ * @returns {boolean} True only if in development AND VIBECHECK_DEV_PRO=1
+ */
+function isDevProBypassAllowed() {
+  // SECURITY: Never allow dev bypass in production
+  if (process.env.NODE_ENV === "production") {
+    return false;
+  }
+  // Also block in CI environments to prevent pipeline exploitation
+  if (process.env.CI === "true" || process.env.CI === "1") {
+    return false;
+  }
+  return process.env.VIBECHECK_DEV_PRO === "1";
 }
 
-function isProFeature(feature) {
-  return !FREE_FEATURES.includes(feature);
+function isPro(tier) {
+  // Developer mode bypass (blocked in production)
+  if (isDevProBypassAllowed()) return true;
+  return tier === "pro";
 }
 
 function tierHasFeature(tier, feature) {
+  // Developer mode bypass - grant all features (blocked in production)
+  if (isDevProBypassAllowed()) return true;
   if (tier === "pro") return true; // PRO has everything
   return FREE_FEATURES.includes(feature);
 }
@@ -90,6 +105,14 @@ let _cachedTierExpiry = 0;
 async function getTier(options = {}) {
   const { apiKey, forceRefresh = false } = options;
   
+  // Developer mode: VIBECHECK_DEV_PRO=1 grants pro tier for local development
+  // SECURITY: This bypass is blocked in production environments
+  if (isDevProBypassAllowed()) {
+    _cachedTier = "pro";
+    _cachedTierExpiry = Date.now() + 86400000; // 24 hours
+    return "pro";
+  }
+  
   if (!forceRefresh && _cachedTier && Date.now() < _cachedTierExpiry) {
     return _cachedTier;
   }
@@ -127,36 +150,14 @@ async function getTier(options = {}) {
 // ============================================================================
 async function enforce(feature, options = {}) {
   const { apiKey, silent = false } = options;
-  
-  // FREE features work without any API key
-  if (isFreeFeature(feature)) {
-    return { allowed: true, tier: apiKey ? await getTier({ apiKey }) : "free" };
-  }
-  
-  // PRO features require an API key
-  if (!apiKey) {
-    const message = formatApiKeyRequiredMessage(feature);
-    if (!silent) {
-      console.error(message);
-    }
-    return {
-      allowed: false,
-      tier: "free",
-      exitCode: EXIT_AUTH_REQUIRED,
-      message,
-      reason: "api_key_required",
-    };
-  }
-  
-  // Validate API key and check tier
   const tier = await getTier({ apiKey });
+  
   const hasAccess = tierHasFeature(tier, feature);
   
   if (hasAccess) {
     return { allowed: true, tier };
   }
   
-  // User has API key but not on Pro plan
   const message = formatUpgradeMessage(feature);
   if (!silent) {
     console.error(message);
@@ -167,7 +168,6 @@ async function enforce(feature, options = {}) {
     tier,
     exitCode: EXIT_FEATURE_NOT_ALLOWED,
     message,
-    reason: "upgrade_required",
   };
 }
 
@@ -189,72 +189,54 @@ async function checkCommand(command, options = {}) {
 const c = {
   reset: "\x1b[0m",
   bold: "\x1b[1m",
-  dim: "\x1b[2m",
   cyan: "\x1b[36m",
   yellow: "\x1b[33m",
-  magenta: "\x1b[35m",
-  green: "\x1b[32m",
 };
 
-function formatApiKeyRequiredMessage(feature) {
-  return `
-${c.bold}${c.magenta}✦ PRO Feature${c.reset}
-
-${c.yellow}${feature}${c.reset} requires an API key.
-
-${c.dim}To use PRO features:${c.reset}
-
-  ${c.cyan}1.${c.reset} Sign up at ${c.cyan}https://vibecheckai.dev${c.reset}
-  ${c.cyan}2.${c.reset} Run ${c.green}vibecheck login${c.reset}
-  ${c.cyan}3.${c.reset} Or set ${c.green}VIBECHECK_API_KEY${c.reset} environment variable
-
-${c.dim}FREE features (scan, init, doctor, etc.) work without an API key.${c.reset}
-`;
-}
-
 function formatUpgradeMessage(feature) {
   return `
-${c.bold}${c.magenta}✦ Upgrade Required${c.reset}
-
-${c.yellow}${feature}${c.reset} requires a Pro subscription.
+${c.bold}This feature requires Pro.${c.reset}
 
-You're currently on the ${c.cyan}FREE${c.reset} plan.
+${c.yellow}${feature}${c.reset} is a Pro feature.
 
-${c.bold}Pro ($69/mo)${c.reset} includes:
-  ${c.green}✓${c.reset} AI-powered fixes
-  ${c.green}✓${c.reset} Ship verdicts & badges
-  ${c.green}✓${c.reset} Runtime proof generation
-  ${c.green}✓${c.reset} CI/CD enforcement
-  ${c.green}✓${c.reset} Full MCP integration
+Upgrade to Pro ($69/mo) to unlock Fix, Prove & Enforce capabilities.
 
-  ${c.cyan}vibecheck upgrade${c.reset}
-  ${c.dim}https://vibecheckai.dev/pricing${c.reset}
+  vibecheck upgrade
+  https://vibecheckai.dev/pricing
 `;
 }
 
 // ============================================================================
-// BACKWARD COMPATIBILITY ALIASES (for migration from entitlements.js)
+// TIER LIMITS
 // ============================================================================
+const TIER_LIMITS = {
+  free: {
+    reportFormats: ["html", "md", "json"],
+    maxScansPerMonth: 100,
+    maxFilesPerScan: 1000,
+  },
+  pro: {
+    reportFormats: ["html", "md", "json", "sarif", "csv", "pdf"],
+    maxScansPerMonth: -1, // unlimited
+    maxFilesPerScan: -1,  // unlimited
+  },
+};
 
-/** @deprecated Use getTier() instead */
-async function getCurrentTier() {
-  return getTier();
-}
-
-/** @deprecated Use enforce() instead */
-async function enforceFeature(feature, options = {}) {
-  return enforce(feature, options);
-}
-
-/** @deprecated Use enforce() instead */
-async function enforceLimit(feature, options = {}) {
-  return enforce(feature, options);
+/**
+ * Get limits for a tier
+ */
+function getLimits(tier) {
+  return TIER_LIMITS[tier] || TIER_LIMITS.free;
 }
 
-/** @deprecated No-op for compatibility - usage tracking removed */
-async function trackUsage(/* feature, amount = 1 */) {
-  // No-op - usage tracking handled by API
-  return;
+/**
+ * Check if current tier meets minimum required tier
+ */
+function tierMeetsMinimum(current, required) {
+  const tierOrder = ['free', 'pro'];
+  const currentIndex = tierOrder.indexOf(current);
+  const requiredIndex = tierOrder.indexOf(required);
+  return currentIndex >= requiredIndex;
 }
 
 // ============================================================================
@@ -269,21 +251,15 @@ module.exports = {
   
   // Helpers
   isPro,
-  isFreeFeature,
-  isProFeature,
   tierHasFeature,
+  getLimits,
+  tierMeetsMinimum,
   
   // Constants
   TIERS,
+  TIER_LIMITS,
   FREE_FEATURES,
   PRO_FEATURES,
   EXIT_SUCCESS,
   EXIT_FEATURE_NOT_ALLOWED,
-  EXIT_AUTH_REQUIRED,
-  
-  // Backward compatibility (deprecated)
-  getCurrentTier,
-  enforceFeature,
-  enforceLimit,
-  trackUsage,
 };

package/bin/runners/lib/error-handler.js

@@ -160,8 +160,26 @@ function handleError(error, context = "", metadata = {}) {
   // Get specific guidance
   const guidance = getErrorGuidance(err);
   
+  // Check for JSON mode (via NO_COLOR env var or explicit check)
+  const isJsonMode = process.env.NO_COLOR === '1' || process.env.VIBECHECK_JSON === '1';
+  
   // Print error header
   if (guidance) {
+    if (isJsonMode) {
+      // JSON error output
+      const errorOutput = {
+        success: false,
+        error: {
+          code: err.code || err.name || 'ERROR',
+          message: message,
+          type: guidance.title,
+          nextSteps: guidance.nextSteps,
+        },
+        exitCode: err.exitCode || 1
+      };
+      console.error(JSON.stringify(errorOutput, null, 2));
+      return;
+    }
     console.error(`\n${c.error("✗")} ${c.error(guidance.title)}`);
     console.error(`  ${message}`);
     
@@ -171,8 +189,20 @@ function handleError(error, context = "", metadata = {}) {
       console.error(`  ${c.dim("•")} ${step}`);
     }
   } else {
+    // Check for JSON mode
+    const isJsonMode = process.env.NO_COLOR === '1' || process.env.VIBECHECK_JSON === '1';
+    
     // Generic error handling with specific type detection
     if (err.code === "ENOENT") {
+      if (isJsonMode) {
+        const errorOutput = {
+          success: false,
+          error: { code: 'ENOENT', message: err.path || message, receipt },
+          exitCode: 4
+        };
+        console.error(JSON.stringify(errorOutput, null, 2));
+        return;
+      }
       console.error(`\n${c.error("✗")} File or directory not found`);
       console.error(`  ${err.path || message}`);
       // Print receipt if available
@@ -213,6 +243,15 @@ function handleError(error, context = "", metadata = {}) {
       console.error(`  ${c.dim("•")} Verify VIBECHECK_API_URL is correct`);
     } else {
       // Generic error
+      if (isJsonMode) {
+        const errorOutput = {
+          success: false,
+          error: { code: err.code || err.name || 'ERROR', message, receipt },
+          exitCode: err.exitCode || 1
+        };
+        console.error(JSON.stringify(errorOutput, null, 2));
+        return;
+      }
       console.error(`\n${c.error("✗")} Error`);
       console.error(`  ${message}`);
       // Print receipt if available
@@ -229,13 +268,15 @@ function handleError(error, context = "", metadata = {}) {
     }
   }
 
-  // Show stack trace in debug mode
-  if (process.env.DEBUG || process.env.VIBECHECK_DEBUG) {
+  // Show stack trace in debug mode (skip in JSON mode)
+  if (!isJsonMode && (process.env.DEBUG || process.env.VIBECHECK_DEBUG)) {
     console.error(`\n${c.dim("Stack trace:")}`);
     console.error(c.dim(err.stack));
   }
   
-  console.error(""); // Empty line for readability
+  if (!isJsonMode) {
+    console.error(""); // Empty line for readability
+  }
 }
 
 /**

package/bin/runners/lib/error-messages.js

@@ -0,0 +1,289 @@
+/**
+ * Actionable Error Messages
+ * 
+ * Provides standardized error messages with actionable next steps,
+ * documentation links, and clear guidance for users.
+ */
+
+const { EXIT } = require('./exit-codes');
+
+const DOCS_BASE_URL = 'https://docs.vibecheckai.dev';
+const DASHBOARD_URL = 'https://app.vibecheckai.dev';
+
+/**
+ * Format an actionable error message
+ */
+function formatError(error, context = {}) {
+  const {
+    command = '',
+    suggestion = null,
+    docsLink = null,
+    nextSteps = [],
+    code = null,
+  } = context;
+
+  const lines = [];
+  
+  // Main error message
+  lines.push(`\n  ❌ ${error.message || error}`);
+  
+  // Error code if provided
+  if (code) {
+    lines.push(`\n  Code: ${code}`);
+  }
+  
+  // Next steps
+  if (nextSteps.length > 0) {
+    lines.push(`\n  Next steps:`);
+    nextSteps.forEach((step, i) => {
+      lines.push(`    ${i + 1}. ${step}`);
+    });
+  } else if (suggestion) {
+    lines.push(`\n  💡 ${suggestion}`);
+  }
+  
+  // Documentation link
+  if (docsLink) {
+    lines.push(`\n  📖 Docs: ${docsLink}`);
+  } else if (command) {
+    lines.push(`\n  📖 Docs: ${DOCS_BASE_URL}/commands/${command}`);
+  }
+  
+  lines.push('');
+  
+  return lines.join('\n');
+}
+
+/**
+ * Common error templates with actionable guidance
+ */
+const ERROR_TEMPLATES = {
+  PROJECT_NOT_INITIALIZED: {
+    message: 'Project not initialized',
+    suggestion: 'Run `vibecheck init` to set up your project',
+    nextSteps: [
+      'Run: vibecheck init',
+      'This creates .vibecheckrc config file',
+      'Then run: vibecheck scan',
+    ],
+    docsLink: `${DOCS_BASE_URL}/getting-started/init`,
+  },
+  
+  NO_SCAN_RESULTS: {
+    message: 'No scan results found',
+    suggestion: 'Run `vibecheck scan` first to generate results',
+    nextSteps: [
+      'Run: vibecheck scan',
+      'This analyzes your codebase',
+      'Then re-run this command',
+    ],
+    docsLink: `${DOCS_BASE_URL}/commands/scan`,
+  },
+  
+  NO_TRUTHPACK: {
+    message: 'No truthpack found',
+    suggestion: 'Run `vibecheck context` to generate truthpack',
+    nextSteps: [
+      'Run: vibecheck context',
+      'This generates route/auth/env mapping',
+      'Then re-run this command',
+    ],
+    docsLink: `${DOCS_BASE_URL}/commands/context`,
+  },
+  
+  AUTH_REQUIRED: {
+    message: 'Authentication required',
+    suggestion: 'Run `vibecheck login` to authenticate',
+    nextSteps: [
+      'Run: vibecheck login',
+      'Enter your API key',
+      'Get your key from: https://app.vibecheckai.dev/settings/api-keys',
+    ],
+    docsLink: `${DOCS_BASE_URL}/getting-started/authentication`,
+  },
+  
+  INVALID_API_KEY: {
+    message: 'Invalid API key format',
+    suggestion: 'Check your API key format',
+    nextSteps: [
+      'API keys should start with vc_',
+      'Get a new key: https://app.vibecheckai.dev/settings/api-keys',
+      'Run: vibecheck login --key YOUR_KEY',
+    ],
+    docsLink: `${DOCS_BASE_URL}/getting-started/authentication`,
+  },
+  
+  TIER_REQUIRED: {
+    message: 'This feature requires PRO tier',
+    suggestion: 'Upgrade to PRO to access this feature',
+    nextSteps: [
+      'Visit: https://app.vibecheckai.dev/pricing',
+      'Upgrade your account',
+      'Re-run this command',
+    ],
+    docsLink: `${DOCS_BASE_URL}/pricing`,
+  },
+  
+  PROJECT_PATH_NOT_FOUND: {
+    message: 'Project path does not exist',
+    suggestion: 'Check the path and try again',
+    nextSteps: [
+      'Verify the path exists: ls <path>',
+      'Use absolute path if relative path fails',
+      'Run: vibecheck init --path <path>',
+    ],
+    docsLink: `${DOCS_BASE_URL}/commands/init`,
+  },
+  
+  CONFIG_INVALID: {
+    message: 'Invalid configuration file',
+    suggestion: 'Run `vibecheck doctor --fix` to repair config',
+    nextSteps: [
+      'Run: vibecheck doctor --fix',
+      'This auto-fixes common config issues',
+      'Or manually edit .vibecheckrc',
+    ],
+    docsLink: `${DOCS_BASE_URL}/configuration`,
+  },
+  
+  NETWORK_ERROR: {
+    message: 'Network connection failed',
+    suggestion: 'Check your internet connection or use --offline mode',
+    nextSteps: [
+      'Check internet connection',
+      'Or run with --offline flag for local-only mode',
+      'Example: vibecheck scan --offline',
+    ],
+    docsLink: `${DOCS_BASE_URL}/commands/scan#offline-mode`,
+  },
+  
+  MISSING_DEPENDENCY: {
+    message: 'Missing required dependency',
+    suggestion: 'Install missing dependencies',
+    nextSteps: [
+      'Run: npm install',
+      'Or: pnpm install',
+      'Check package.json for required packages',
+    ],
+    docsLink: `${DOCS_BASE_URL}/troubleshooting/dependencies`,
+  },
+};
+
+/**
+ * Get error template by key
+ */
+function getErrorTemplate(key, overrides = {}) {
+  const template = ERROR_TEMPLATES[key];
+  if (!template) {
+    return {
+      message: key,
+      suggestion: 'Check the documentation for help',
+      docsLink: DOCS_BASE_URL,
+    };
+  }
+  
+  return { ...template, ...overrides };
+}
+
+/**
+ * Print actionable error and return exit code
+ */
+function printActionableError(errorKey, context = {}) {
+  const template = getErrorTemplate(errorKey, context);
+  const error = {
+    message: template.message,
+    code: context.code || errorKey,
+  };
+  
+  const formatted = formatError(error, {
+    ...context,
+    suggestion: template.suggestion,
+    nextSteps: template.nextSteps || [],
+    docsLink: template.docsLink,
+  });
+  
+  console.error(formatted);
+  
+  // Map error keys to exit codes
+  const exitCodeMap = {
+    AUTH_REQUIRED: EXIT.AUTH_REQUIRED,
+    INVALID_API_KEY: EXIT.AUTH_FAILED,
+    TIER_REQUIRED: EXIT.TIER_REQUIRED,
+    PROJECT_PATH_NOT_FOUND: EXIT.USER_ERROR,
+    CONFIG_INVALID: EXIT.USER_ERROR,
+    NETWORK_ERROR: EXIT.NETWORK_ERROR || 1,
+    MISSING_DEPENDENCY: EXIT.USER_ERROR,
+    PROJECT_NOT_INITIALIZED: EXIT.USER_ERROR,
+    NO_SCAN_RESULTS: EXIT.NOT_FOUND || 1,
+    NO_TRUTHPACK: EXIT.NOT_FOUND || 1,
+  };
+  
+  return exitCodeMap[errorKey] || EXIT.USER_ERROR;
+}
+
+/**
+ * Enhance existing error with actionable guidance
+ */
+function enhanceError(error, command = '', additionalContext = {}) {
+  const errorMessage = error.message || String(error);
+  const lowerMessage = errorMessage.toLowerCase();
+  
+  // Detect error type from message
+  if (lowerMessage.includes('not initialized') || lowerMessage.includes('no config')) {
+    return printActionableError('PROJECT_NOT_INITIALIZED', { command, ...additionalContext });
+  }
+  
+  if (lowerMessage.includes('scan result') || lowerMessage.includes('no results')) {
+    return printActionableError('NO_SCAN_RESULTS', { command, ...additionalContext });
+  }
+  
+  if (lowerMessage.includes('truthpack') || lowerMessage.includes('context')) {
+    return printActionableError('NO_TRUTHPACK', { command, ...additionalContext });
+  }
+  
+  if (lowerMessage.includes('auth') && (lowerMessage.includes('required') || lowerMessage.includes('unauthorized'))) {
+    return printActionableError('AUTH_REQUIRED', { command, ...additionalContext });
+  }
+  
+  if (lowerMessage.includes('api key') && (lowerMessage.includes('invalid') || lowerMessage.includes('format'))) {
+    return printActionableError('INVALID_API_KEY', { command, ...additionalContext });
+  }
+  
+  if (lowerMessage.includes('tier') || lowerMessage.includes('pro') || lowerMessage.includes('upgrade')) {
+    return printActionableError('TIER_REQUIRED', { command, ...additionalContext });
+  }
+  
+  if (lowerMessage.includes('path') && (lowerMessage.includes('not found') || lowerMessage.includes('does not exist'))) {
+    return printActionableError('PROJECT_PATH_NOT_FOUND', { command, path: additionalContext.path });
+  }
+  
+  if (lowerMessage.includes('config') && (lowerMessage.includes('invalid') || lowerMessage.includes('error'))) {
+    return printActionableError('CONFIG_INVALID', { command, ...additionalContext });
+  }
+  
+  if (lowerMessage.includes('network') || lowerMessage.includes('connection') || lowerMessage.includes('fetch')) {
+    return printActionableError('NETWORK_ERROR', { command, ...additionalContext });
+  }
+  
+  if (lowerMessage.includes('cannot find module') || lowerMessage.includes('missing')) {
+    return printActionableError('MISSING_DEPENDENCY', { command, dependency: additionalContext.dependency });
+  }
+  
+  // Default: print enhanced error
+  console.error(formatError(error, {
+    command,
+    suggestion: additionalContext.suggestion || 'Check the documentation for help',
+    docsLink: additionalContext.docsLink || `${DOCS_BASE_URL}/commands/${command}`,
+    nextSteps: additionalContext.nextSteps || [],
+  }));
+  
+  return EXIT.USER_ERROR;
+}
+
+module.exports = {
+  formatError,
+  getErrorTemplate,
+  printActionableError,
+  enhanceError,
+  ERROR_TEMPLATES,
+};

package/bin/runners/lib/evidence-pack.js

@@ -14,7 +14,13 @@
 const fs = require("fs");
 const path = require("path");
 const crypto = require("crypto");
-const archiver = require("archiver");
+// Make archiver optional - only required for zip creation
+let archiver;
+try {
+  archiver = require("archiver");
+} catch {
+  archiver = null;
+}
 
 // ═══════════════════════════════════════════════════════════════════════════════
 // EVIDENCE PACK SCHEMA