@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/schemas/report-artifact.schema.json

@@ -0,0 +1,120 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vibecheck.dev/schemas/report-artifact.schema.json",
+  "x-schemaVersion": "1.0.0",
+  "title": "Vibecheck Report Artifact",
+  "description": "Generic report artifact from analysis operations",
+  "type": "object",
+  "required": [
+    "type",
+    "timestamp",
+    "data"
+  ],
+  "properties": {
+    "type": {
+      "type": "string",
+      "enum": [
+        "scan_result",
+        "fix_plan",
+        "fix_result",
+        "status_report",
+        "context_rules",
+        "reality_report",
+        "evidence_pack"
+      ],
+      "description": "Type of report artifact"
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO 8601 timestamp of generation"
+    },
+    "vibecheck_version": {
+      "type": "string",
+      "pattern": "^\\d+\\.\\d+\\.\\d+",
+      "description": "Vibecheck version that generated this artifact"
+    },
+    "data": {
+      "type": "object",
+      "description": "Artifact-specific data payload"
+    },
+    "findings": {
+      "type": "array",
+      "items": {
+        "$ref": "finding-v3.schema.json"
+      },
+      "description": "Associated findings (if applicable)"
+    },
+    "summary": {
+      "type": "object",
+      "properties": {
+        "total_files_scanned": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "total_findings": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "duration_ms": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "counts_by_severity": {
+          "type": "object",
+          "properties": {
+            "BLOCK": { "type": "integer", "minimum": 0 },
+            "WARN": { "type": "integer", "minimum": 0 },
+            "INFO": { "type": "integer", "minimum": 0 }
+          }
+        },
+        "counts_by_category": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "integer",
+            "minimum": 0
+          }
+        }
+      }
+    },
+    "metadata": {
+      "type": "object",
+      "properties": {
+        "project_path": {
+          "type": "string"
+        },
+        "project_fingerprint": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$"
+        },
+        "git_commit": {
+          "type": ["string", "null"]
+        },
+        "git_branch": {
+          "type": ["string", "null"]
+        },
+        "ci_build_id": {
+          "type": ["string", "null"]
+        }
+      }
+    },
+    "artifacts": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["name", "path"],
+        "properties": {
+          "name": { "type": "string" },
+          "path": { "type": "string" },
+          "type": {
+            "type": "string",
+            "enum": ["html", "json", "sarif", "md", "png", "mp4"]
+          },
+          "size_bytes": { "type": "integer", "minimum": 0 }
+        }
+      },
+      "description": "Generated artifact files"
+    }
+  },
+  "additionalProperties": false
+}

package/bin/runners/lib/schemas/run-request.schema.json

@@ -0,0 +1,108 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vibecheck.dev/schemas/run-request.schema.json",
+  "x-schemaVersion": "1.0.0",
+  "title": "Vibecheck Run Request",
+  "description": "Input schema for all vibecheck tool invocations",
+  "type": "object",
+  "required": ["tool"],
+  "properties": {
+    "tool": {
+      "type": "string",
+      "description": "Tool name to invoke",
+      "minLength": 1
+    },
+    "projectPath": {
+      "type": "string",
+      "description": "Path to project root",
+      "default": "."
+    },
+    "options": {
+      "type": "object",
+      "description": "Tool-specific options",
+      "properties": {
+        "profile": {
+          "type": "string",
+          "enum": ["quick", "standard", "full", "paranoid"],
+          "default": "standard"
+        },
+        "format": {
+          "type": "string",
+          "enum": ["json", "text", "html", "sarif", "md"],
+          "default": "json"
+        },
+        "strict": {
+          "type": "boolean",
+          "default": false
+        },
+        "ci": {
+          "type": "boolean",
+          "default": false
+        },
+        "verbose": {
+          "type": "boolean",
+          "default": false
+        },
+        "timeout": {
+          "type": "integer",
+          "minimum": 1000,
+          "maximum": 600000,
+          "default": 30000
+        }
+      },
+      "additionalProperties": true
+    },
+    "context": {
+      "type": "object",
+      "description": "Execution context",
+      "properties": {
+        "apiKey": {
+          "type": "string",
+          "description": "API key for authenticated requests"
+        },
+        "sessionId": {
+          "type": "string",
+          "description": "Session ID for tracking"
+        },
+        "correlationId": {
+          "type": "string",
+          "description": "Correlation ID for distributed tracing"
+        },
+        "userAgent": {
+          "type": "string",
+          "description": "Client user agent"
+        }
+      }
+    },
+    "filters": {
+      "type": "object",
+      "description": "Filtering options",
+      "properties": {
+        "include": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Glob patterns to include"
+        },
+        "exclude": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Glob patterns to exclude"
+        },
+        "categories": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Categories to check"
+        },
+        "severity": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["BLOCK", "WARN", "INFO"]
+          },
+          "description": "Severity levels to include"
+        }
+      }
+    }
+  },
+  "additionalProperties": false
+}

package/bin/runners/lib/schemas/validator.js

@@ -3,6 +3,9 @@
  * 
  * Validates artifacts against JSON schemas and provides
  * consistent finding/evidence generation.
+ * 
+ * NOTE: This module now delegates to ajv-validator.js when AJV is available.
+ * The minimal implementation is kept as a fallback for environments without AJV.
  */
 
 "use strict";
@@ -11,6 +14,30 @@ const fs = require("fs");
 const path = require("path");
 const crypto = require("crypto");
 
+// Try to use the AJV-based validator if available
+let ajvValidator = null;
+try {
+  // Check if AJV is installed before requiring
+  require.resolve("ajv");
+  require.resolve("ajv-formats");
+  ajvValidator = require("./ajv-validator.js");
+} catch (e) {
+  // AJV not available, will use minimal validator
+  if (process.env.NODE_ENV === "production") {
+    console.warn("Warning: AJV not available, using minimal schema validator");
+  }
+}
+
+// If AJV validator is available, export it directly
+if (ajvValidator) {
+  module.exports = ajvValidator;
+  return;
+}
+
+// =============================================================================
+// MINIMAL VALIDATOR FALLBACK (when AJV is not available)
+// =============================================================================
+
 // Schema cache
 const schemaCache = new Map();
 

package/bin/runners/lib/schemas/verdict.schema.json

@@ -0,0 +1,140 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vibecheck.dev/schemas/verdict.schema.json",
+  "x-schemaVersion": "1.0.0",
+  "title": "Vibecheck Verdict",
+  "description": "Final verdict from ship/checkpoint operations",
+  "type": "object",
+  "required": [
+    "status",
+    "score",
+    "blockers_count",
+    "next_steps",
+    "groups"
+  ],
+  "properties": {
+    "status": {
+      "type": "string",
+      "enum": ["SHIP", "WARN", "BLOCK"],
+      "description": "Final verdict status"
+    },
+    "score": {
+      "type": "integer",
+      "minimum": 0,
+      "maximum": 100,
+      "description": "Overall health score (0-100)"
+    },
+    "blockers_count": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Number of blocking issues"
+    },
+    "warnings_count": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Number of warning issues"
+    },
+    "info_count": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Number of informational issues"
+    },
+    "next_steps": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "description": "Recommended next steps to address issues"
+    },
+    "groups": {
+      "type": "array",
+      "items": {
+        "$ref": "#/$defs/findingGroup"
+      },
+      "description": "Findings grouped by category"
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO 8601 timestamp of verdict generation"
+    },
+    "duration_ms": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Analysis duration in milliseconds"
+    },
+    "vibecheck_version": {
+      "type": "string",
+      "pattern": "^\\d+\\.\\d+\\.\\d+",
+      "description": "Vibecheck version that generated this verdict"
+    },
+    "project_fingerprint": {
+      "type": "string",
+      "pattern": "^sha256:[a-f0-9]{64}$",
+      "description": "Hash of project state at analysis time"
+    },
+    "policy": {
+      "type": "object",
+      "properties": {
+        "fail_on_warn": {
+          "type": "boolean",
+          "default": false,
+          "description": "Whether warnings should cause BLOCK status"
+        },
+        "strictness": {
+          "type": "string",
+          "enum": ["chill", "standard", "strict", "paranoid"],
+          "default": "standard"
+        },
+        "required_score": {
+          "type": "integer",
+          "minimum": 0,
+          "maximum": 100,
+          "description": "Minimum score required to SHIP"
+        }
+      }
+    },
+    "ci_mode": {
+      "type": "boolean",
+      "default": false,
+      "description": "Whether this was run in CI mode"
+    },
+    "exit_code": {
+      "type": "integer",
+      "enum": [0, 1, 2],
+      "description": "Suggested exit code (0=SHIP, 1=WARN, 2=BLOCK)"
+    }
+  },
+  "$defs": {
+    "findingGroup": {
+      "type": "object",
+      "required": ["category", "count", "severity_breakdown"],
+      "properties": {
+        "category": {
+          "type": "string",
+          "description": "Category name"
+        },
+        "count": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Total findings in this category"
+        },
+        "severity_breakdown": {
+          "type": "object",
+          "properties": {
+            "BLOCK": { "type": "integer", "minimum": 0 },
+            "WARN": { "type": "integer", "minimum": 0 },
+            "INFO": { "type": "integer", "minimum": 0 }
+          }
+        },
+        "top_findings": {
+          "type": "array",
+          "items": { "type": "string" },
+          "maxItems": 5,
+          "description": "IDs of top findings in this category"
+        }
+      }
+    }
+  },
+  "additionalProperties": false
+}

package/bin/runners/lib/ship-output-enterprise.js

@@ -190,39 +190,39 @@ function formatShipOutput(result) {
      lines.push(BOX.vertical + tBot + BOX.vertical);
      lines.push(BOX.vertical + ' '.repeat(WIDTH - 2) + BOX.vertical);
 
-     // 6. LOCKED SECTION
+     // 6. AUTO-FIX SECTION
      lines.push(BOX.teeRight + BOX.horizontal.repeat(WIDTH - 2) + BOX.teeLeft);
-     lines.push(BOX.vertical + padCenter('🔒 ROOT CAUSE ANALYSIS:  ACCESS DENIED', WIDTH - 2) + BOX.vertical);
+     lines.push(BOX.vertical + padCenter('⚡ AUTO-FIX AVAILABLE', WIDTH - 2) + BOX.vertical);
      lines.push(BOX.vertical + padCenter('────────────────────────────────────────────────────────────────────', WIDTH - 2) + BOX.vertical);
-     lines.push(BOX.vertical + padCenter('The specific lines of code causing these breaks are deeper in the', WIDTH - 2) + BOX.vertical);
-     lines.push(BOX.vertical + padCenter('dependency graph. Starter/Pro context is required to trace them.', WIDTH - 2) + BOX.vertical);
      lines.push(BOX.vertical + ' '.repeat(WIDTH - 2) + BOX.vertical);
-     
-     // Redacted bars
-     const bar = '░'.repeat(60);
-     lines.push(BOX.vertical + padCenter(bar, WIDTH - 2) + BOX.vertical);
-     
-     const redacted = [
-       '░░ [REDACTED] 🔒 Schema definition mismatch in node_modules/@api...',
-       '░░ [REDACTED] 🔒 Environment leakage detected in webpack.config...',
-       '░░ [REDACTED] 🔒 Route /checkout defined in backend but not exp...'
-     ];
-     
-     redacted.forEach(r => {
-        lines.push(BOX.vertical + padCenter(r, WIDTH - 2) + BOX.vertical);
-     });
-
-     lines.push(BOX.vertical + padCenter(bar, WIDTH - 2) + BOX.vertical);
+     lines.push(BOX.vertical + padCenter('Run `vibecheck ship --fix` to apply automatic fixes', WIDTH - 2) + BOX.vertical);
+     lines.push(BOX.vertical + padCenter('Run `vibecheck fix` to generate AI-powered fix missions', WIDTH - 2) + BOX.vertical);
      lines.push(BOX.vertical + ' '.repeat(WIDTH - 2) + BOX.vertical);
-     
-     lines.push(BOX.vertical + padCenter('👉 RESOLUTION:', WIDTH - 2) + BOX.vertical);
-     lines.push(BOX.vertical + padCenter('Run `vibecheck upgrade starter` to reveal root causes.', WIDTH - 2) + BOX.vertical);
   }
 
   // 7. BOTTOM FRAME
   lines.push(BOX.vertical + ' '.repeat(WIDTH - 2) + BOX.vertical);
   lines.push(BOX.bottomLeft + BOX.horizontal.repeat(WIDTH - 2) + BOX.bottomRight);
 
+  // DASHBOARD LINK (outside frame)
+  const runId = result.runId;
+  if (runId) {
+    lines.push('');
+    lines.push(`  🔗 Dashboard: https://app.vibecheckai.dev/runs/${runId}`);
+  }
+
+  // NEXT BEST ACTION (outside frame)
+  try {
+    const { formatNextActionOneLine, getNextActionForCommand } = require('./next-action');
+    const tier = result.tier || 'free';
+    const findings = [...(result.blockers || []), ...(result.warnings || [])];
+    const nextAction = getNextActionForCommand('ship', { verdict, runId, findings }, tier);
+    lines.push('');
+    lines.push(`  ${formatNextActionOneLine(nextAction)}`);
+  } catch (e) {
+    // Next action module might not be available, skip gracefully
+  }
+
   return lines.join('\n');
 }
 

package/bin/runners/lib/ship-output.js

@@ -210,17 +210,45 @@ function renderRouteTruthMap(truthpack) {
   lines.push(renderSection('ROUTE TRUTH MAP', shipIcons.map));
   lines.push('');
   
-  const serverRoutes = truthpack.routes?.server?.length || 0;
+  const serverRoutes = truthpack.routes?.server || [];
+  const serverRouteCount = serverRoutes.length;
   const clientRefs = truthpack.routes?.clientRefs?.length || 0;
   const envVars = truthpack.env?.vars?.length || 0;
   const envDeclared = truthpack.env?.declared?.length || 0;
   
+  // Framework detection output
+  const frameworkCounts = {};
+  for (const route of serverRoutes) {
+    const fw = route.framework || 'unknown';
+    frameworkCounts[fw] = (frameworkCounts[fw] || 0) + 1;
+  }
+  
+  // Also include project-level detected frameworks
+  const detectedFrameworks = truthpack.project?.frameworks || [];
+  for (const fw of detectedFrameworks) {
+    if (!frameworkCounts[fw]) frameworkCounts[fw] = 0;
+  }
+  
+  // Sort by count descending
+  const sortedFrameworks = Object.entries(frameworkCounts)
+    .filter(([fw]) => fw !== 'unknown')
+    .sort((a, b) => b[1] - a[1]);
+  
+  if (sortedFrameworks.length > 0) {
+    const fwDisplay = sortedFrameworks
+      .slice(0, 5)
+      .map(([fw, count]) => `${fw} (${count})`)
+      .join(', ');
+    lines.push(`  ${ansi.bold}Frameworks:${ansi.reset} ${colors.accent}${fwDisplay}${ansi.reset}`);
+    lines.push('');
+  }
+  
   // Routes coverage
-  const routeCoverage = serverRoutes > 0 ? Math.round((clientRefs / serverRoutes) * 100) : 100;
+  const routeCoverage = serverRouteCount > 0 ? Math.round((clientRefs / serverRouteCount) * 100) : 100;
   const routeColor = routeCoverage >= 80 ? colors.success : routeCoverage >= 50 ? colors.warning : colors.error;
   
   lines.push(`  ${shipIcons.route} ${ansi.bold}Routes${ansi.reset}`);
-  lines.push(`     Server: ${colors.accent}${serverRoutes}${ansi.reset} defined`);
+  lines.push(`     Server: ${colors.accent}${serverRouteCount}${ansi.reset} defined`);
   lines.push(`     Client: ${colors.accent}${clientRefs}${ansi.reset} references`);
   lines.push(`     Coverage: ${renderProgressBar(routeCoverage, 20, routeColor)} ${routeColor}${routeCoverage}%${ansi.reset}`);
   lines.push('');
@@ -243,19 +271,28 @@ function renderRouteTruthMap(truthpack) {
 
 function getCategoryIcon(category) {
   const iconMap = {
+    // AI Hallucination Categories (primary)
     'MissingRoute': shipIcons.route,
-    'EnvContract': shipIcons.env,
-    'EnvGap': shipIcons.env,
     'FakeSuccess': shipIcons.ghost,
     'GhostAuth': shipIcons.auth,
+    'EnvContract': shipIcons.env,
+    'EnvGap': shipIcons.env,
+    'DeadUI': shipIcons.dead,
+    'OwnerModeBypass': shipIcons.lock,
+    'OptimisticNoRollback': '↩️',
+    'SilentCatch': '🔇',
+    'MethodMismatch': '🔀',
+    // Billing/Monetization
+    'Billing': shipIcons.money,
     'StripeWebhook': shipIcons.money,
     'PaidSurface': shipIcons.money,
-    'OwnerModeBypass': shipIcons.lock,
-    'DeadUI': shipIcons.dead,
-    'ContractDrift': icons.warning,
+    'Entitlements': '💳',
+    // Security
     'Security': shipIcons.shield,
     'Auth': shipIcons.lock,
     'SECRET': shipIcons.key,
+    // Quality
+    'ContractDrift': icons.warning,
     'ROUTE': shipIcons.route,
     'BILLING': shipIcons.money,
     'MOCK': shipIcons.ghost,
@@ -322,9 +359,6 @@ function renderBlockerDetails(findings, maxShow = 8, options = {}) {
   
   if (blockers.length === 0) return '';
   
-  // Fix hints are PRO only (2-tier model)
-  const canShowFixHints = tier === 'pro' || tier === 'compliance' || tier === 'starter'; // starter=legacy compatibility
-  
   const lines = [];
   lines.push(renderSection(`BLOCKERS (${blockers.length})`, '🚨'));
   lines.push('');
@@ -364,16 +398,11 @@ function renderBlockerDetails(findings, maxShow = 8, options = {}) {
       lines.push(`             ${colors.accent}${shipIcons.doc} ${fileDisplay}${ansi.reset}`);
     }
     
-    // Fix hint - STARTER+ only, show locked message for FREE
-    if (canShowFixHints) {
-      if (blocker.fixHints && blocker.fixHints.length > 0) {
-        lines.push(`             ${colors.success}→ ${truncate(blocker.fixHints[0], 50)}${ansi.reset}`);
-      } else if (blocker.fix) {
-        lines.push(`             ${colors.success}→ ${truncate(blocker.fix, 50)}${ansi.reset}`);
-      }
-    } else {
-      // Show locked fix hint for FREE tier
-      lines.push(`             ${ansi.dim}🔒 Fix hints available with PRO ($69/mo)${ansi.reset}`);
+    // Fix hint - shown to ALL tiers (FREE gets full details, PRO gets auto-fix capability)
+    if (blocker.fixHints && blocker.fixHints.length > 0) {
+      lines.push(`             ${colors.success}→ ${truncate(blocker.fixHints[0], 50)}${ansi.reset}`);
+    } else if (blocker.fix) {
+      lines.push(`             ${colors.success}→ ${truncate(blocker.fix, 50)}${ansi.reset}`);
     }
     
     lines.push('');
@@ -384,13 +413,11 @@ function renderBlockerDetails(findings, maxShow = 8, options = {}) {
     lines.push('');
   }
   
-  // Show upsell for fix hints if FREE tier
-  if (!canShowFixHints && blockers.length > 0) {
+  // Show PRO upsell for auto-fix capability (not viewing fix hints)
+  if (blockers.length > 0) {
     lines.push(`  ${ansi.dim}─────────────────────────────────────────${ansi.reset}`);
-    lines.push(`  ${colors.accent}💡${ansi.reset} ${ansi.bold}Unlock AI fix suggestions${ansi.reset}`);
-    lines.push(`  ${ansi.dim}PRO users get specific fix hints and${ansi.reset}`);
-    lines.push(`  ${ansi.dim}AI mission prompts for every issue.${ansi.reset}`);
-    lines.push(`  ${colors.accent}Upgrade to PRO ($69/mo)${ansi.reset} ${ansi.dim}→ vibecheckai.dev/pricing${ansi.reset}`);
+    lines.push(`  ${colors.accent}⚡${ansi.reset} ${ansi.bold}Auto-fix available${ansi.reset}`);
+    lines.push(`  ${ansi.dim}Run${ansi.reset} ${colors.accent}vibecheck ship --fix${ansi.reset} ${ansi.dim}to apply fixes automatically${ansi.reset}`);
     lines.push('');
   }
   
@@ -591,13 +618,30 @@ function renderReportLinks(outputDir, hasFix = false) {
 
 // Categories that indicate common AI hallucination patterns
 const AI_HALLUCINATION_CATEGORIES = {
+  // Route & API Issues (highest weight - these break apps)
   'MissingRoute': { weight: 25, label: 'Invented endpoints', desc: 'AI created API routes that don\'t exist' },
+  'MethodMismatch': { weight: 20, label: 'Wrong HTTP method', desc: 'GET request to POST-only endpoint or vice versa' },
+  
+  // Success/Error Handling Issues
   'FakeSuccess': { weight: 20, label: 'Fake success UI', desc: 'Shows success without verifying the operation' },
-  'GhostAuth': { weight: 15, label: 'Missing auth', desc: 'Sensitive endpoints without protection' },
+  'OptimisticNoRollback': { weight: 18, label: 'No rollback', desc: 'Optimistic update without failure rollback' },
+  'SilentCatch': { weight: 15, label: 'Silent failure', desc: 'Catch block swallows errors without handling' },
+  
+  // Auth & Security Issues
+  'GhostAuth': { weight: 15, label: 'Missing auth', desc: 'Sensitive endpoints without server-side protection' },
+  'OwnerModeBypass': { weight: 15, label: 'Backdoor access', desc: 'Production security bypasses left in code' },
+  
+  // Environment & Config Issues
   'EnvGap': { weight: 10, label: 'Undefined env vars', desc: 'Uses environment variables that don\'t exist' },
-  'DeadUI': { weight: 10, label: 'Dead UI elements', desc: 'Buttons/forms that do nothing' },
-  'OwnerModeBypass': { weight: 15, label: 'Backdoor access', desc: 'Production security bypasses' },
-  'PaidSurface': { weight: 5, label: 'Billing bypass', desc: 'Paid features without enforcement' },
+  'EnvContract': { weight: 10, label: 'Env contract', desc: 'Environment variable contract violations' },
+  
+  // UI & UX Issues
+  'DeadUI': { weight: 10, label: 'Dead UI elements', desc: 'Buttons/forms/links that do nothing or go nowhere' },
+  
+  // Billing & Monetization Issues
+  'PaidSurface': { weight: 5, label: 'Billing bypass', desc: 'Paid features accessible without enforcement' },
+  'Billing': { weight: 8, label: 'Billing issue', desc: 'Payment/webhook handling problems' },
+  'Entitlements': { weight: 8, label: 'Entitlement gap', desc: 'Feature access without entitlement check' },
 };
 
 function calculateAIHallucinationScore(findings) {