@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/runScan.js

@@ -1,46 +1,60 @@
 /**
- * vibecheck Scan - Quick Code Analysis (FREE)
+ * vibecheck Scan - Route Integrity & Code Analysis
  * 
- * Fast scan running only 5 essential engines:
- * - hardcoded-secrets-engine (security)
- * - console-logs-engine (code hygiene)
- * - ai-hallucination-engine (vibecheck core)
- * - type-aware-engine (type safety)
- * - error-handling-engine (reliability)
+ * The ultimate scanner combining:
+ * - Route integrity (dead links, orphan routes, coverage)
+ * - Security analysis (secrets, auth, vulnerabilities)
+ * - Code quality (mocks, placeholders, hygiene)
  * 
- * Target: < 3 seconds on medium project (100-500 files)
- * 
- * For comprehensive analysis (17+ engines + validators), use: vibecheck ship [PRO]
+ * Modes:
+ * - vibecheck scan: Layer 1 (AST) - Fast static analysis
+ * - vibecheck scan --truth: Layer 1+2 (+ build manifests) - CI/ship
+ * - vibecheck scan --reality --url <url>: Layer 1+2+3 (+ Playwright) - Full proof
  */
 
 const path = require("path");
 const fs = require("fs");
 const { withErrorHandling, createUserError } = require("./lib/error-handler");
-const { enforceLimit, trackUsage, getCurrentTier } = require("./lib/entitlements-v2");
+const { enforceLimit, trackUsage } = require("./lib/entitlements");
 const { emitScanStart, emitScanComplete } = require("./lib/audit-bridge");
 const { parseGlobalFlags, shouldShowBanner } = require("./lib/global-flags");
+const { 
+  createScan, 
+  updateScanProgress, 
+  submitScanResults, 
+  reportScanError, 
+  isApiAvailable 
+} = require("./lib/api-client");
 const { EXIT, verdictToExitCode } = require("./lib/exit-codes");
 
-// Import orchestrator for engine management
-const { runScanEngines, SCAN_ENGINES } = require("./lib/engines/orchestrator");
-
 // ═══════════════════════════════════════════════════════════════════════════════
-// TERMINAL UI
+// ENHANCED TERMINAL UI & OUTPUT MODULES
 // ═══════════════════════════════════════════════════════════════════════════════
 
 const {
   ansi,
   colors,
   Spinner,
+  PhaseProgress,
+  renderBanner,
+  renderSection,
   formatDuration,
 } = require("./lib/terminal-ui");
 
 const {
+  formatScanOutput,
   formatSARIF,
   getExitCode,
+  printError,
+  EXIT_CODES,
   calculateScore,
 } = require("./lib/scan-output");
 
+const {
+  enrichFindings,
+  saveBaseline,
+} = require("./lib/fingerprint");
+
 const BANNER = `
 ${ansi.rgb(0, 200, 255)}  ██╗   ██╗██╗██████╗ ███████╗ ██████╗██╗  ██╗███████╗ ██████╗██╗  ██╗${ansi.reset}
 ${ansi.rgb(30, 180, 255)}  ██║   ██║██║██╔══██╗██╔════╝██╔════╝██║  ██║██╔════╝██╔════╝██║ ██╔╝${ansi.reset}
@@ -50,7 +64,7 @@ ${ansi.rgb(120, 120, 255)}   ╚████╔╝ ██║██████
 ${ansi.rgb(150, 100, 255)}    ╚═══╝  ╚═╝╚═════╝ ╚══════╝ ╚═════╝╚═╝  ╚═╝╚══════╝ ╚═════╝╚═╝  ╚═╝${ansi.reset}
 
 ${ansi.dim}  ┌─────────────────────────────────────────────────────────────────────┐${ansi.reset}
-${ansi.dim}  │${ansi.reset}  ${ansi.rgb(255, 255, 255)}${ansi.bold}Quick Scan${ansi.reset} ${ansi.dim}•${ansi.reset} ${ansi.rgb(200, 200, 200)}5 Essential Engines${ansi.reset} ${ansi.dim}•${ansi.reset} ${ansi.rgb(150, 150, 150)}< 3 seconds${ansi.reset}            ${ansi.dim}│${ansi.reset}
+${ansi.dim}  │${ansi.reset}  ${ansi.rgb(255, 255, 255)}${ansi.bold}Route Integrity${ansi.reset} ${ansi.dim}•${ansi.reset} ${ansi.rgb(200, 200, 200)}Security${ansi.reset} ${ansi.dim}•${ansi.reset} ${ansi.rgb(150, 150, 150)}Quality${ansi.reset} ${ansi.dim}•${ansi.reset} ${ansi.rgb(100, 100, 100)}Ship with Confidence${ansi.reset}  ${ansi.dim}│${ansi.reset}
 ${ansi.dim}  └─────────────────────────────────────────────────────────────────────┘${ansi.reset}
 `;
 
@@ -58,32 +72,94 @@ function printBanner() {
   console.log(BANNER);
 }
 
+// Legacy compatibility functions - now use enhanced modules
+function printCoverageMap(coverageMap) {
+  const { renderCoverageMap } = require("./lib/scan-output");
+  console.log(renderCoverageMap(coverageMap));
+}
+
+function printBreakdown(breakdown) {
+  const { renderBreakdown } = require("./lib/scan-output");
+  console.log(renderBreakdown(breakdown));
+}
+
+function printBlockers(blockers) {
+  const { renderBlockers } = require("./lib/scan-output");
+  console.log(renderBlockers(blockers));
+}
+
+function printLayers(layers) {
+  const { renderLayers } = require("./lib/scan-output");
+  console.log(renderLayers(layers));
+}
+
 // ═══════════════════════════════════════════════════════════════════════════════
 // ARGS PARSER
 // ═══════════════════════════════════════════════════════════════════════════════
 
 function parseArgs(args) {
+  // Parse global flags first
   const { flags: globalFlags, cleanArgs } = parseGlobalFlags(args);
   
   const opts = {
     path: globalFlags.path || process.cwd(),
+    truth: false,
+    reality: false,
+    realitySniff: false,
+    baseUrl: null,
     json: globalFlags.json || false,
     sarif: false,
     verbose: globalFlags.verbose || false,
     help: globalFlags.help || false,
-    save: true,
+    autofix: false,
+    save: true, // Always save results by default
     noBanner: globalFlags.noBanner || false,
     ci: globalFlags.ci || false,
     quiet: globalFlags.quiet || false,
+    // Baseline tracking (fingerprints)
+    baseline: true, // Compare against baseline by default
+    updateBaseline: false, // --update-baseline to save current findings as baseline
+    // Allowlist subcommand
+    allowlist: null, // null = not using allowlist, or 'list' | 'add' | 'remove' | 'check'
+    allowlistId: null,
+    allowlistPattern: null,
+    allowlistReason: null,
+    allowlistScope: 'global',
+    allowlistFile: null,
+    allowlistExpires: null,
   };
 
+  // Parse command-specific args from cleanArgs
   for (let i = 0; i < cleanArgs.length; i++) {
     const arg = cleanArgs[i];
     
-    if (arg === '--sarif') opts.sarif = true;
+    if (arg === '--truth' || arg === '-t') opts.truth = true;
+    else if (arg === '--reality' || arg === '-r') { opts.reality = true; opts.truth = true; }
+    else if (arg === '--reality-sniff' || arg === '--sniff') opts.realitySniff = true;
+    else if (arg === '--url' || arg === '-u') { opts.baseUrl = cleanArgs[++i]; opts.reality = true; opts.truth = true; }
+    else if (arg === '--sarif') opts.sarif = true;
+    else if (arg === '--autofix' || arg === '--fix' || arg === '-f') opts.autofix = true;
     else if (arg === '--no-save') opts.save = false;
+    else if (arg === '--no-baseline') opts.baseline = false;
+    else if (arg === '--update-baseline' || arg === '--set-baseline') opts.updateBaseline = true;
     else if (arg === '--path' || arg === '-p') opts.path = cleanArgs[++i] || process.cwd();
     else if (arg.startsWith('--path=')) opts.path = arg.split('=')[1];
+    // Allowlist subcommand support
+    else if (arg === '--allowlist') {
+      const nextArg = cleanArgs[i + 1];
+      if (nextArg && !nextArg.startsWith('-')) {
+        opts.allowlist = nextArg;
+        i++;
+      } else {
+        opts.allowlist = 'list'; // Default to list
+      }
+    }
+    else if (arg === '--id' && opts.allowlist) opts.allowlistId = cleanArgs[++i];
+    else if (arg === '--pattern' && opts.allowlist) opts.allowlistPattern = cleanArgs[++i];
+    else if (arg === '--reason' && opts.allowlist) opts.allowlistReason = cleanArgs[++i];
+    else if (arg === '--scope' && opts.allowlist) opts.allowlistScope = cleanArgs[++i];
+    else if (arg === '--file' && opts.allowlist) opts.allowlistFile = cleanArgs[++i];
+    else if (arg === '--expires' && opts.allowlist) opts.allowlistExpires = cleanArgs[++i];
     else if (!arg.startsWith('-')) opts.path = path.resolve(arg);
   }
   
@@ -97,41 +173,70 @@ function printHelp(showBanner = true) {
   console.log(`
   ${ansi.bold}USAGE${ansi.reset}
     ${colors.accent}vibecheck scan${ansi.reset} [path] [options]
+  
+  ${ansi.dim}Aliases: s, check${ansi.reset}
+
+  The core analysis engine. Scans your codebase for route integrity issues,
+  security vulnerabilities, code quality problems, and more.
+
+  ${ansi.bold}SCAN LAYERS${ansi.reset}
+    ${colors.accent}(default)${ansi.reset}         Layer 1: AST static analysis ${ansi.dim}(fast, ~2s)${ansi.reset}
+    ${colors.accent}--truth, -t${ansi.reset}       Layer 1+2: + build manifest verification ${ansi.dim}(CI/ship)${ansi.reset}
+    ${colors.accent}--reality, -r${ansi.reset}     Layer 1+2+3: + Playwright runtime proof ${ansi.dim}[PRO]${ansi.reset}
+    ${colors.accent}--reality-sniff${ansi.reset}   Include Reality Sniff AI artifact detection
+
+  ${ansi.bold}FIX MODE${ansi.reset} ${ansi.cyan}[STARTER]${ansi.reset}
+    ${colors.accent}--autofix, -f${ansi.reset}     Generate AI fix missions for detected issues
+
+  ${ansi.bold}BASELINE TRACKING${ansi.reset}
+    ${colors.accent}--baseline${ansi.reset}        Compare against previous scan ${ansi.dim}(default: on)${ansi.reset}
+    ${colors.accent}--no-baseline${ansi.reset}     Skip baseline comparison
+    ${colors.accent}--update-baseline${ansi.reset} Save current findings as new baseline
 
-  ${ansi.bold}QUICK SCAN${ansi.reset} - Runs 5 essential engines in < 3 seconds:
-    • hardcoded-secrets-engine ${ansi.dim}(security)${ansi.reset}
-    • console-logs-engine ${ansi.dim}(code hygiene)${ansi.reset}
-    • ai-hallucination-engine ${ansi.dim}(vibecheck core)${ansi.reset}
-    • type-aware-engine ${ansi.dim}(type safety)${ansi.reset}
-    • error-handling-engine ${ansi.dim}(reliability)${ansi.reset}
+  ${ansi.bold}ALLOWLIST (suppress false positives)${ansi.reset}
+    ${colors.accent}--allowlist list${ansi.reset}                   Show all suppressed findings
+    ${colors.accent}--allowlist add --id <id> --reason "..."${ansi.reset}
+    ${colors.accent}--allowlist remove --id <id>${ansi.reset}       Remove suppression
+    ${colors.accent}--allowlist check --id <id>${ansi.reset}        Check if suppressed
 
   ${ansi.bold}OUTPUT OPTIONS${ansi.reset}
-    ${colors.accent}--json${ansi.reset}            Output as JSON
-    ${colors.accent}--sarif${ansi.reset}           SARIF format (GitHub code scanning)
+    ${colors.accent}--json${ansi.reset}            Output as JSON ${ansi.dim}(machine-readable)${ansi.reset}
+    ${colors.accent}--sarif${ansi.reset}           SARIF format ${ansi.dim}(GitHub code scanning)${ansi.reset}
     ${colors.accent}--no-save${ansi.reset}         Don't save results to .vibecheck/results/
     ${colors.accent}--verbose, -v${ansi.reset}     Show detailed progress
 
   ${ansi.bold}GLOBAL OPTIONS${ansi.reset}
     ${colors.accent}--path, -p <dir>${ansi.reset}  Run in specified directory
     ${colors.accent}--quiet, -q${ansi.reset}       Suppress non-essential output
-    ${colors.accent}--ci${ansi.reset}              CI mode (quiet + no-banner)
+    ${colors.accent}--ci${ansi.reset}              CI mode ${ansi.dim}(quiet + no-banner)${ansi.reset}
     ${colors.accent}--help, -h${ansi.reset}        Show this help
 
   ${ansi.bold}💡 EXAMPLES${ansi.reset}
 
-    ${ansi.dim}# Quick scan (default)${ansi.reset}
+    ${ansi.dim}# Quick scan (most common)${ansi.reset}
     vibecheck scan
 
-    ${ansi.dim}# Quick scan with JSON output${ansi.reset}
-    vibecheck scan --json
+    ${ansi.dim}# Scan with AI fix missions${ansi.reset}
+    vibecheck scan --autofix
 
-    ${ansi.dim}# Scan a specific directory${ansi.reset}
-    vibecheck scan ./my-project
+    ${ansi.dim}# Suppress a false positive${ansi.reset}
+    vibecheck scan --allowlist add --id R_DEAD_abc123 --reason "Feature toggle"
 
-  ${ansi.bold}🚀 COMPREHENSIVE ANALYSIS${ansi.reset}
+    ${ansi.dim}# CI pipeline (JSON output, strict)${ansi.reset}
+    vibecheck scan --ci --json > results.json
 
-    For 17+ engines plus ship-only validators, use:
-    ${colors.accent}vibecheck ship${ansi.reset} ${ansi.magenta}[PRO]${ansi.reset}
+    ${ansi.dim}# Full reality proof (requires running app)${ansi.reset}
+    vibecheck scan --reality --url http://localhost:3000
+
+  ${ansi.bold}📄 OUTPUT${ansi.reset}
+    Results:   .vibecheck/results/latest.json
+    Missions:  .vibecheck/missions/ ${ansi.dim}(with --autofix)${ansi.reset}
+    History:   .vibecheck/results/history/
+
+  ${ansi.bold}🔗 RELATED COMMANDS${ansi.reset}
+    ${colors.accent}vibecheck ship${ansi.reset}       Get final SHIP/WARN/BLOCK verdict
+    ${colors.accent}vibecheck fix${ansi.reset}        Apply AI-generated fixes ${ansi.cyan}[STARTER]${ansi.reset}
+    ${colors.accent}vibecheck prove${ansi.reset}      Full proof pipeline with evidence ${ansi.magenta}[PRO]${ansi.reset}
 
   ${ansi.dim}─────────────────────────────────────────────────────────────${ansi.reset}
   ${ansi.dim}Documentation: https://docs.vibecheckai.dev/cli/scan${ansi.reset}
@@ -139,7 +244,444 @@ function printHelp(showBanner = true) {
 }
 
 // ═══════════════════════════════════════════════════════════════════════════════
-// MAIN SCAN FUNCTION
+// ALLOWLIST MANAGEMENT (integrated from runAllowlist)
+// ═══════════════════════════════════════════════════════════════════════════════
+
+async function handleAllowlistCommand(opts) {
+  const root = opts.path || process.cwd();
+  
+  // Load evidence-pack module for allowlist functions
+  let evidencePack;
+  try {
+    evidencePack = require("./lib/evidence-pack");
+  } catch (e) {
+    console.error(`${colors.error}✗${ansi.reset} Failed to load allowlist module: ${e.message}`);
+    return 1;
+  }
+
+  const action = opts.allowlist;
+  
+  try {
+    switch (action) {
+      case "list": {
+        const allowlist = evidencePack.loadAllowlist(root);
+        
+        if (opts.json) {
+          console.log(JSON.stringify(allowlist, null, 2));
+          return 0;
+        }
+        
+        if (!opts.quiet) {
+          console.log(`\n  📋 ${ansi.bold}Allowlist Entries${ansi.reset}\n`);
+        }
+        
+        if (!allowlist.entries || allowlist.entries.length === 0) {
+          console.log(`  ${ansi.dim}No entries in allowlist.${ansi.reset}\n`);
+          console.log(`  ${ansi.dim}Add entries with: vibecheck scan --allowlist add --id <id> --reason "..."${ansi.reset}\n`);
+          return 0;
+        }
+        
+        for (const entry of allowlist.entries) {
+          const expireStr = entry.expiresAt 
+            ? `${ansi.dim}expires ${new Date(entry.expiresAt).toLocaleDateString()}${ansi.reset}` 
+            : '';
+          const scopeStr = entry.scope !== 'global' 
+            ? `${colors.accent}[${entry.scope}]${ansi.reset} ` 
+            : '';
+          
+          console.log(`  ${colors.success}✓${ansi.reset} ${ansi.bold}${entry.id}${ansi.reset} ${scopeStr}${expireStr}`);
+          
+          if (entry.findingId) {
+            console.log(`    ${ansi.dim}Finding:${ansi.reset} ${entry.findingId}`);
+          }
+          if (entry.pattern) {
+            console.log(`    ${ansi.dim}Pattern:${ansi.reset} ${entry.pattern}`);
+          }
+          console.log(`    ${ansi.dim}Reason:${ansi.reset} ${entry.reason || 'No reason provided'}`);
+          console.log(`    ${ansi.dim}Added:${ansi.reset} ${entry.addedAt} by ${entry.addedBy || 'user'}`);
+          console.log();
+        }
+        
+        console.log(`  ${ansi.dim}Total: ${allowlist.entries.length} entries${ansi.reset}\n`);
+        return 0;
+      }
+      
+      case "add": {
+        if (!opts.allowlistId && !opts.allowlistPattern) {
+          console.error(`\n  ${colors.error}✗${ansi.reset} Either --id or --pattern is required\n`);
+          return 1;
+        }
+        
+        if (!opts.allowlistReason) {
+          console.error(`\n  ${colors.error}✗${ansi.reset} --reason is required\n`);
+          return 1;
+        }
+        
+        const entry = {
+          findingId: opts.allowlistId,
+          pattern: opts.allowlistPattern,
+          reason: opts.allowlistReason,
+          scope: opts.allowlistScope,
+          addedBy: 'cli'
+        };
+        
+        if (opts.allowlistFile) entry.file = opts.allowlistFile;
+        if (opts.allowlistExpires) {
+          const days = parseInt(opts.allowlistExpires, 10);
+          entry.expiresAt = new Date(Date.now() + days * 24 * 60 * 60 * 1000).toISOString();
+        }
+        
+        const added = evidencePack.addToAllowlist(root, entry);
+        
+        if (opts.json) {
+          console.log(JSON.stringify({ added }, null, 2));
+          return 0;
+        }
+        
+        console.log(`\n  ${colors.success}+${ansi.reset} Added allowlist entry: ${ansi.bold}${added.id}${ansi.reset}\n`);
+        return 0;
+      }
+      
+      case "remove": {
+        if (!opts.allowlistId) {
+          console.error(`\n  ${colors.error}✗${ansi.reset} --id is required for remove\n`);
+          return 1;
+        }
+        
+        const allowlist = evidencePack.loadAllowlist(root);
+        const before = allowlist.entries.length;
+        allowlist.entries = allowlist.entries.filter(e => e.id !== opts.allowlistId && e.findingId !== opts.allowlistId);
+        const removed = before - allowlist.entries.length;
+        
+        if (removed > 0) {
+          evidencePack.saveAllowlist(root, allowlist);
+        }
+        
+        if (opts.json) {
+          console.log(JSON.stringify({ removed, remaining: allowlist.entries.length }, null, 2));
+          return 0;
+        }
+        
+        if (removed > 0) {
+          console.log(`\n  ${colors.success}-${ansi.reset} Removed ${removed} entry from allowlist\n`);
+        } else {
+          console.log(`\n  ${colors.warning}⚠${ansi.reset} Entry not found: ${opts.allowlistId}\n`);
+        }
+        return 0;
+      }
+      
+      case "check": {
+        if (!opts.allowlistId) {
+          console.error(`\n  ${colors.error}✗${ansi.reset} --id is required for check\n`);
+          return 1;
+        }
+        
+        const allowlist = evidencePack.loadAllowlist(root);
+        const result = evidencePack.isAllowlisted({ id: opts.allowlistId }, allowlist);
+        
+        if (opts.json) {
+          console.log(JSON.stringify(result, null, 2));
+          return result.allowed ? 0 : 1;
+        }
+        
+        if (result.allowed) {
+          console.log(`\n  ${colors.success}✓${ansi.reset} ${ansi.bold}Allowlisted${ansi.reset}`);
+          console.log(`  ${ansi.dim}Reason:${ansi.reset} ${result.reason}`);
+          console.log(`  ${ansi.dim}Entry:${ansi.reset} ${result.entry?.id}\n`);
+        } else {
+          console.log(`\n  ${colors.warning}⚠${ansi.reset} ${ansi.bold}Not allowlisted${ansi.reset}\n`);
+        }
+        return result.allowed ? 0 : 1;
+      }
+      
+      default:
+        console.error(`\n  ${colors.error}✗${ansi.reset} Unknown allowlist action: ${action}\n`);
+        console.log(`  ${ansi.dim}Available: list, add, remove, check${ansi.reset}\n`);
+        return 1;
+    }
+  } catch (error) {
+    if (opts.json) {
+      console.log(JSON.stringify({ error: error.message }, null, 2));
+    } else {
+      console.error(`\n  ${colors.error}✗${ansi.reset} ${error.message}\n`);
+    }
+    return 1;
+  }
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// AUTOFIX & MISSION GENERATION
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Normalize severity values to standard format
+ */
+function normalizeSeverity(severity) {
+  if (!severity) return 'medium';
+  const sev = String(severity).toLowerCase();
+  if (sev === 'block' || sev === 'critical') return 'critical';
+  if (sev === 'high') return 'high';
+  if (sev === 'warn' || sev === 'warning' || sev === 'medium') return 'medium';
+  if (sev === 'info' || sev === 'low') return 'low';
+  return 'medium'; // Default fallback
+}
+
+async function generateMissions(findings, projectPath, opts) {
+  const missionsDir = path.join(projectPath, '.vibecheck', 'missions');
+  
+  // Ensure missions directory exists
+  if (!fs.existsSync(missionsDir)) {
+    fs.mkdirSync(missionsDir, { recursive: true });
+  }
+  
+  const missions = [];
+  const missionIndex = [];
+  
+  for (let i = 0; i < findings.length; i++) {
+    const finding = findings[i];
+    const missionId = `mission-${String(i + 1).padStart(3, '0')}`;
+    const normalizedSeverity = normalizeSeverity(finding.severity);
+    
+    // Generate AI-ready mission prompt
+    const mission = {
+      id: missionId,
+      createdAt: new Date().toISOString(),
+      finding: {
+        id: finding.id || `finding-${i + 1}`,
+        severity: normalizedSeverity,
+        originalSeverity: finding.severity, // Keep original for reference
+        category: finding.category,
+        title: finding.title || finding.message,
+        file: finding.file,
+        line: finding.line,
+      },
+      prompt: generateMissionPrompt(finding),
+      constraints: generateConstraints(finding),
+      verification: generateVerificationSteps(finding),
+      status: 'pending',
+    };
+    
+    missions.push(mission);
+    missionIndex.push({
+      id: missionId,
+      severity: normalizedSeverity,
+      title: finding.title || finding.message,
+      file: finding.file,
+      status: 'pending',
+    });
+    
+    // Save individual mission JSON
+    const missionPath = path.join(missionsDir, `${missionId}.json`);
+    fs.writeFileSync(missionPath, JSON.stringify(mission, null, 2));
+  }
+  
+  // Generate MISSIONS.md index
+  const missionsMarkdown = generateMissionsMarkdown(missionIndex, projectPath);
+  fs.writeFileSync(path.join(missionsDir, 'MISSIONS.md'), missionsMarkdown);
+  
+  // Save missions summary
+  const summary = {
+    generatedAt: new Date().toISOString(),
+    totalMissions: missions.length,
+    bySeverity: {
+      critical: missionIndex.filter(m => m.severity === 'critical').length,
+      high: missionIndex.filter(m => m.severity === 'high').length,
+      medium: missionIndex.filter(m => m.severity === 'medium').length,
+      low: missionIndex.filter(m => m.severity === 'low').length,
+    },
+    missions: missionIndex,
+  };
+  fs.writeFileSync(path.join(missionsDir, 'summary.json'), JSON.stringify(summary, null, 2));
+  
+  return { missions, summary };
+}
+
+function generateMissionPrompt(finding) {
+  const file = finding.file || 'unknown file';
+  const line = finding.line ? ` at line ${finding.line}` : '';
+  const title = finding.title || finding.message || 'Unknown issue';
+  const category = finding.category || 'general';
+  
+  let prompt = `## Mission: Fix ${title}
+
+**File:** \`${file}\`${line}
+**Category:** ${category}
+**Severity:** ${finding.severity || 'medium'}
+
+### Problem
+${finding.message || title}
+
+### Context
+`;
+
+  // Add category-specific context
+  if (category === 'ROUTE' || category === 'routes') {
+    prompt += `This is a route integrity issue. The route may be:
+- Referenced but not defined
+- Defined but not reachable
+- Missing proper error handling
+`;
+  } else if (category === 'ENV' || category === 'env') {
+    prompt += `This is an environment variable issue. The variable may be:
+- Used but not defined in .env
+- Missing from .env.example
+- Not documented
+`;
+  } else if (category === 'AUTH' || category === 'auth' || category === 'security') {
+    prompt += `This is a security/authentication issue. Check for:
+- Proper authentication middleware
+- Authorization checks
+- Secure defaults
+`;
+  } else if (category === 'MOCK' || category === 'mock') {
+    prompt += `This is a mock/placeholder issue. The code may contain:
+- TODO comments that need implementation
+- Placeholder data that should be real
+- Fake success responses
+`;
+  }
+
+  prompt += `
+### Requirements
+1. Fix the issue while maintaining existing functionality
+2. Follow the project's coding style and patterns
+3. Add appropriate error handling
+4. Update tests if they exist
+
+### Verification
+After making changes:
+1. Run \`vibecheck scan\` to verify the issue is resolved
+2. Run any existing tests for the affected file
+3. Manually verify the functionality if applicable
+`;
+
+  if (finding.fix || finding.fixSuggestion) {
+    prompt += `
+### Suggested Fix
+${finding.fix || finding.fixSuggestion}
+`;
+  }
+
+  return prompt;
+}
+
+function generateConstraints(finding) {
+  const constraints = [
+    'Do not break existing functionality',
+    'Follow existing code patterns in the project',
+    'Add error handling where appropriate',
+  ];
+  
+  if (finding.category === 'security' || finding.category === 'AUTH') {
+    constraints.push('Ensure no security regressions');
+    constraints.push('Follow OWASP security guidelines');
+  }
+  
+  if (finding.category === 'ROUTE' || finding.category === 'routes') {
+    constraints.push('Maintain API backwards compatibility');
+    constraints.push('Update route documentation if changed');
+  }
+  
+  return constraints;
+}
+
+function generateVerificationSteps(finding) {
+  const steps = [
+    'Run `vibecheck scan` and confirm this issue no longer appears',
+    'Run `vibecheck checkpoint` to ensure no regressions',
+  ];
+  
+  if (finding.file) {
+    steps.push(`Review changes in \`${finding.file}\``);
+  }
+  
+  if (finding.category === 'ROUTE' || finding.category === 'routes') {
+    steps.push('Test the affected route(s) manually or with automated tests');
+  }
+  
+  if (finding.category === 'ENV' || finding.category === 'env') {
+    steps.push('Verify environment variable is properly documented');
+    steps.push('Check .env.example is updated');
+  }
+  
+  return steps;
+}
+
+function generateMissionsMarkdown(missionIndex, projectPath) {
+  const projectName = path.basename(projectPath);
+  const now = new Date().toISOString();
+  
+  let md = `# Vibecheck Missions
+
+> Generated: ${now}
+> Project: ${projectName}
+
+## Summary
+
+| Severity | Count |
+|----------|-------|
+| Critical | ${missionIndex.filter(m => m.severity === 'critical').length} |
+| High | ${missionIndex.filter(m => m.severity === 'high').length} |
+| Medium | ${missionIndex.filter(m => m.severity === 'medium').length} |
+| Low | ${missionIndex.filter(m => m.severity === 'low').length} |
+| **Total** | **${missionIndex.length}** |
+
+## Missions
+
+`;
+
+  // Group by severity
+  const bySeverity = {
+    critical: missionIndex.filter(m => m.severity === 'critical'),
+    high: missionIndex.filter(m => m.severity === 'high'),
+    medium: missionIndex.filter(m => m.severity === 'medium'),
+    low: missionIndex.filter(m => m.severity === 'low'),
+  };
+
+  for (const [severity, missions] of Object.entries(bySeverity)) {
+    if (missions.length === 0) continue;
+    
+    const emoji = severity === 'critical' ? '🔴' : severity === 'high' ? '🟠' : severity === 'medium' ? '🟡' : '🔵';
+    md += `### ${emoji} ${severity.charAt(0).toUpperCase() + severity.slice(1)} (${missions.length})\n\n`;
+    
+    for (const mission of missions) {
+      const checkbox = mission.status === 'completed' ? '[x]' : '[ ]';
+      md += `- ${checkbox} **${mission.id}**: ${mission.title}\n`;
+      if (mission.file) {
+        md += `  - File: \`${mission.file}\`\n`;
+      }
+    }
+    md += '\n';
+  }
+
+  md += `---
+
+## How to Use
+
+1. **Review missions**: Read each mission file in \`.vibecheck/missions/\`
+2. **Copy prompts**: Use the prompt in each mission file with your AI assistant
+3. **Verify fixes**: Run \`vibecheck scan\` after each fix
+4. **Track progress**: Update mission status in this file
+
+## Commands
+
+\`\`\`bash
+# Re-scan after fixes
+vibecheck scan
+
+# Check progress
+vibecheck checkpoint
+
+# Final verification
+vibecheck ship
+\`\`\`
+`;
+
+  return md;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// MAIN SCAN FUNCTION - ROUTE INTEGRITY SYSTEM
 // ═══════════════════════════════════════════════════════════════════════════════
 
 async function runScan(args) {
@@ -151,248 +693,929 @@ async function runScan(args) {
     return 0;
   }
 
-  // Entitlement check (scan is FREE)
+  // CRITICAL: Check for JSON/SARIF output FIRST - skip all banners/output if these flags are set
+  if (opts.json || opts.sarif) {
+    process.env.NO_COLOR = '1';
+    // Skip all banner/output until we output JSON/SARIF
+  }
+
+  // Handle --allowlist subcommand
+  if (opts.allowlist) {
+    return await handleAllowlistCommand(opts);
+  }
+
+  // Entitlement check (graceful offline handling)
   try {
     await enforceLimit('scans');
     await trackUsage('scans');
   } catch (err) {
     if (err.code === 'LIMIT_EXCEEDED') {
-      console.error(err.upgradePrompt || err.message);
+      if (!opts.json && !opts.sarif) {
+        console.error(err.upgradePrompt || err.message);
+      }
       return 1;
     }
-    // Network errors - continue with free tier
-    if (!['ECONNREFUSED', 'ETIMEDOUT', 'ENOTFOUND'].includes(err.code) && err.name !== 'NetworkError') {
-      throw err;
+    // Network error - fall back to free tier only (SECURITY: never grant paid features offline)
+    if (err.code === 'ECONNREFUSED' || err.code === 'ETIMEDOUT' || err.code === 'ENOTFOUND' || err.name === 'NetworkError') {
+      if (!opts.json && !opts.sarif) {
+        console.warn(`  ${colors.warning}⚠${ansi.reset} API unavailable, running in ${colors.success}FREE${ansi.reset} tier mode`);
+        console.warn(`  ${ansi.dim}Paid features require API connection. Continuing with free features only.${ansi.reset}\n`);
+      }
+      // Continue with free tier features only - scan command is free tier
+    } else {
+      throw err; // Re-throw unexpected errors
     }
   }
 
-  // Print banner
-  if (shouldShowBanner(opts)) {
+  // Print banner (respects --no-banner, VIBECHECK_NO_BANNER, --ci, --quiet, --json, --sarif)
+  if (shouldShowBanner(opts) && !opts.json && !opts.sarif) {
     printBanner();
   }
 
   const projectPath = path.resolve(opts.path);
   const startTime = Date.now();
-  const projectName = path.basename(projectPath);
 
-  // Emit audit event
+  // Emit audit event for scan start
   emitScanStart(projectPath, args);
+  const projectName = path.basename(projectPath);
+
+  // Initialize API integration
+  let apiScan = null;
+  let apiConnected = false;
+  
+  // Try to connect to API for dashboard integration
+  try {
+      apiConnected = await isApiAvailable();
+      if (apiConnected) {
+        // Create scan record in dashboard
+        apiScan = await createScan({
+          localPath: projectPath,
+          branch: opts.branch || 'main',
+          enableLLM: opts.llm || false,
+        });
+        if (!opts.json && !opts.sarif) {
+          console.log(`${colors.info}📡${ansi.reset} Connected to dashboard (Scan ID: ${apiScan.scanId})`);
+        }
+      }
+    } catch (err) {
+      // API connection is optional, continue without it
+      if (!opts.json && !opts.sarif) {
+        console.log(`${colors.dim}ℹ${ansi.reset} Dashboard integration unavailable`);
+      }
+    }
 
   // Validate project path
   if (!fs.existsSync(projectPath)) {
     throw createUserError(`Project path does not exist: ${projectPath}`, "ValidationError");
   }
 
-  // Print scan info
-  if (!opts.json && !opts.quiet) {
+  // Determine layers
+  const layers = {
+    ast: true,
+    truth: opts.truth,
+    reality: opts.reality,
+    realitySniff: opts.realitySniff,
+  };
+
+  // Print scan info (skip if JSON/SARIF mode)
+  if (!opts.json && !opts.sarif) {
+    const layerNames = [];
+    if (layers.ast) layerNames.push('AST');
+    if (layers.truth) layerNames.push('Truth');
+    if (layers.reality) layerNames.push('Reality');
+    if (layers.realitySniff) layerNames.push('Reality Sniff');
+
     console.log(`  ${ansi.dim}Project:${ansi.reset}  ${ansi.bold}${projectName}${ansi.reset}`);
     console.log(`  ${ansi.dim}Path:${ansi.reset}     ${projectPath}`);
-    console.log(`  ${ansi.dim}Mode:${ansi.reset}     ${colors.accent}Quick Scan${ansi.reset} ${ansi.dim}(${SCAN_ENGINES.length} engines)${ansi.reset}`);
+    console.log(`  ${ansi.dim}Layers:${ansi.reset}   ${colors.accent}${layerNames.join(' → ')}${ansi.reset}`);
     console.log();
   }
 
+  // Reality layer requires URL
+  if (opts.reality && !opts.baseUrl) {
+    if (!opts.json && !opts.sarif) {
+      console.log(`  ${colors.warning}⚠${ansi.reset} ${ansi.bold}Reality layer requires --url${ansi.reset}`);
+      console.log(`  ${ansi.dim}Example: vibecheck scan --reality --url http://localhost:3000${ansi.reset}`);
+      console.log();
+    }
+    return EXIT.USER_ERROR;
+  }
+
+  // Initialize spinner outside try block for error handling
   let spinner = null;
   
   try {
-    // Start spinner
-    if (!opts.json && !opts.quiet) {
+    // Import systems - try TypeScript compiled first, fallback to JS runtime
+    let scanRouteIntegrity;
+    let useFallbackScanner = false;
+    
+    try {
+      scanRouteIntegrity = require('../../dist/lib/route-integrity').scanRouteIntegrity;
+    } catch (e) {
+      // Fallback to JS-based scanner using truth.js and analyzers.js
+      useFallbackScanner = true;
+      const { buildTruthpackSmart } = require('./lib/truth');
+      const { 
+        findMissingRoutes, 
+        findEnvGaps, 
+        findFakeSuccess, 
+        findGhostAuth,
+        findMockData,
+        findTodoFixme,
+        findConsoleLogs,
+        findHardcodedSecrets,
+        findDeadCode,
+        findDeprecatedApis,
+        findEmptyCatch,
+        findUnsafeRegex,
+        findSecurityVulnerabilities,
+        findPerformanceIssues,
+        findCodeQualityIssues,
+        findCrossFileIssues,
+        findTypeSafetyIssues,
+        findAccessibilityIssues,
+        findAPIConsistencyIssues,
+        // NEW: AI Hallucination Detectors
+        findOptimisticNoRollback,
+        findSilentCatch,
+        findMethodMismatch,
+        findDeadUI,
+        clearFileCache, // V3: Memory management
+      } = require('./lib/analyzers');
+      
+      scanRouteIntegrity = async function({ projectPath, layers, baseUrl, verbose }) {
+        // Build truthpack for route analysis
+        const truthpack = await buildTruthpackSmart({ repoRoot: projectPath });
+        
+        // Run ALL analyzers for comprehensive scanning
+        const findings = [];
+        
+        // Core analyzers (route integrity, env, auth)
+        findings.push(...findMissingRoutes(truthpack));
+        findings.push(...findMethodMismatch(truthpack));
+        findings.push(...findEnvGaps(truthpack));
+        findings.push(...findFakeSuccess(projectPath));
+        findings.push(...findOptimisticNoRollback(projectPath));
+        findings.push(...findSilentCatch(projectPath));
+        findings.push(...findDeadUI(projectPath));
+        findings.push(...findGhostAuth(truthpack, projectPath));
+        
+        // Code quality analyzers (MOCK, TODO, console.log, etc.)
+        findings.push(...findMockData(projectPath));
+        findings.push(...findTodoFixme(projectPath));
+        findings.push(...findConsoleLogs(projectPath));
+        findings.push(...findHardcodedSecrets(projectPath));
+        findings.push(...findDeadCode(projectPath));
+        findings.push(...findDeprecatedApis(projectPath));
+        findings.push(...findEmptyCatch(projectPath));
+        findings.push(...findUnsafeRegex(projectPath));
+        
+        // Enhanced analyzers (Security, Performance, Code Quality)
+        findings.push(...findSecurityVulnerabilities(projectPath));
+        findings.push(...findPerformanceIssues(projectPath));
+        findings.push(...findCodeQualityIssues(projectPath));
+        
+        // V3: Clear file cache and AST cache to prevent memory leaks in large monorepos
+        clearFileCache();
+        const engines = require("./lib/engines/vibecheck-engines");
+        if (engines.clearASTCache) {
+          engines.clearASTCache();
+        }
+        
+        // Convert to scan format matching TypeScript scanner output
+        const shipBlockers = findings.map((f, i) => ({
+          id: f.id || `finding-${i}`,
+          ruleId: f.category,
+          category: f.category,
+          severity: f.severity === 'BLOCK' ? 'critical' : f.severity === 'WARN' ? 'warning' : 'info',
+          title: f.title,
+          message: f.title,
+          description: f.why,
+          file: f.evidence?.[0]?.file || '',
+          line: parseInt(f.evidence?.[0]?.lines?.split('-')[0]) || 1,
+          evidence: f.evidence || [],
+          fixHints: f.fixHints || [],
+          autofixAvailable: false,
+          verdict: f.severity === 'BLOCK' ? 'FAIL' : 'WARN',
+        }));
+        
+        // Return structure matching TypeScript scanner
+        return {
+          report: {
+            shipBlockers,
+            realitySniffFindings: [],
+            routeMap: truthpack.routes,
+            summary: {
+              total: shipBlockers.length,
+              critical: shipBlockers.filter(f => f.severity === 'critical').length,
+              warning: shipBlockers.filter(f => f.severity === 'warning').length,
+            },
+            verdict: shipBlockers.some(f => f.severity === 'critical') ? 'BLOCK' : 
+                     shipBlockers.some(f => f.severity === 'warning') ? 'WARN' : 'SHIP'
+          },
+          outputPaths: {},
+          truthpack
+        };
+      };
+    }
+    
+    // Try to import new unified output system (may not be compiled yet)
+    let buildVerdictOutput, normalizeFinding, formatStandardOutput, formatScanOutputFromUnified, getExitCodeFromUnified, CacheManager;
+    let useUnifiedOutput = false;
+    
+    try {
+      const outputContract = require('../../dist/lib/cli/output-contract');
+      buildVerdictOutput = outputContract.buildVerdictOutput;
+      normalizeFinding = outputContract.normalizeFinding;
+      formatStandardOutput = outputContract.formatStandardOutput;
+      
+      const unifiedOutput = require('./lib/unified-output');
+      formatScanOutputFromUnified = unifiedOutput.formatScanOutput;
+      getExitCodeFromUnified = unifiedOutput.getExitCode;
+      
+      const cacheModule = require('../../dist/lib/cli/cache-manager');
+      CacheManager = cacheModule.CacheManager;
+      useUnifiedOutput = true;
+    } catch (error) {
+      // Fallback to old system if new one not available
+      if (opts.verbose) {
+        console.warn('Unified output system not available, using enhanced format');
+      }
+      useUnifiedOutput = false;
+    }
+
+    // Initialize cache if available
+    let cache = null;
+    let cached = false;
+    let cachedResult = null;
+    
+    if (CacheManager) {
+      cache = new CacheManager(projectPath);
+      const cacheKey = 'scan';
+      
+      // Compute project hash for caching
+      const sourceFiles = await findSourceFiles(projectPath);
+      const projectHash = await cache.computeProjectHash(sourceFiles, { layers, baseUrl: opts.baseUrl });
+
+      // Check cache
+      if (!opts.verbose) {
+        cachedResult = await cache.get(cacheKey, projectHash);
+        if (cachedResult && buildVerdictOutput) {
+          cached = true;
+          // Use cached result
+          const verdict = buildVerdictOutput(cachedResult.findings, cachedResult.timings, true);
+          const output = formatStandardOutput(verdict, cachedResult.findings, cachedResult.scanId, projectPath, {
+            version: require('../../package.json').version || '1.0.0',
+            nodeVersion: process.version,
+            platform: process.platform,
+          });
+
+          if (opts.json) {
+            console.log(JSON.stringify(output, null, 2));
+            return getExitCode(verdict);
+          }
+
+          console.log(formatScanOutput({ verdict, findings: cachedResult.findings, cached }, { verbose: opts.verbose }));
+          return getExitCode(verdict);
+        }
+      }
+    }
+
+    // Start scanning with enhanced spinner
+    const timings = { discovery: 0, analysis: 0, verification: 0, detection: 0, total: 0 };
+    timings.discovery = Date.now();
+
+    // Only show spinner if not in JSON/SARIF mode
+    if (!opts.json && !opts.sarif) {
       spinner = new Spinner({ color: colors.primary });
-      spinner.start(`Running quick scan...`);
+      spinner.start('Analyzing codebase...');
     }
 
-    // Run the 5 quick scan engines via orchestrator
-    const scanResult = await runScanEngines(projectPath, {
-      maxFiles: 500,
-      onProgress: opts.verbose ? (phase, pct) => {
-        if (spinner) spinner.text = `${phase}: ${pct}%`;
+    const result = await scanRouteIntegrity({
+      projectPath,
+      layers,
+      baseUrl: opts.baseUrl,
+      verbose: opts.verbose,
+      onProgress: opts.verbose ? (phase, progress) => {
+        spinner.succeed(`${phase}: ${Math.round(progress)}%`);
+        if (progress < 100) spinner.start(`Running ${phase}...`);
       } : undefined,
     });
+
+    timings.analysis = Date.now() - timings.discovery;
+    
+    // Run new detection engines (Dead UI, Billing Bypass, Fake Success)
+    let detectionFindings = [];
+    try {
+      if (spinner) spinner.start('Running detection engines...');
+      const detectionStart = Date.now();
+      
+      // Dynamic import for TypeScript detection engines
+      const { DeadUIDetector } = require('../../dist/engines/detection/dead-ui-detector');
+      const { BillingBypassDetector } = require('../../dist/engines/detection/billing-bypass-detector');
+      const { FakeSuccessDetector } = require('../../dist/engines/detection/fake-success-detector');
+      
+      // Load ignore patterns from .vibecheckignore + defaults
+      const { loadIgnorePatterns } = require('./lib/agent-firewall/utils/ignore-checker');
+      const ignorePatterns = loadIgnorePatterns(projectPath);
+      const exclude = [
+        // Default excludes
+        'node_modules', '.git', 'dist', 'build', '.next', 'coverage', '_archive',
+        // From .vibecheckignore
+        'mcp-server', 'bin', 'packages/cli', 'tests', '__tests__', 'examples', 
+        'templates', 'docs', '.guardrail', '.cursor', '.vibecheck',
+        // Test files
+        '*.test.ts', '*.test.tsx', '*.spec.ts', '*.spec.tsx', '*.test.js', '*.spec.js',
+        // Type definitions
+        '*.d.ts', '*.d.ts.map',
+      ];
+      
+      // Run detectors in parallel
+      const [deadUIResult, billingResult, fakeSuccessResult] = await Promise.all([
+        new DeadUIDetector(projectPath).scan({ exclude }),
+        new BillingBypassDetector(projectPath).scan({ exclude }),
+        new FakeSuccessDetector(projectPath).scan({ exclude }),
+      ]);
+      
+      // Convert to normalized findings format
+      for (const finding of deadUIResult.findings) {
+        detectionFindings.push({
+          id: finding.id,
+          ruleId: finding.type,
+          category: 'DEAD_UI',
+          severity: finding.severity,
+          title: finding.message,
+          description: finding.suggestion,
+          file: finding.file,
+          line: finding.line,
+          evidence: finding.evidence,
+          autofixAvailable: false,
+          verdict: 'FAIL',
+        });
+      }
+      
+      for (const finding of billingResult.findings) {
+        detectionFindings.push({
+          id: finding.id,
+          ruleId: finding.type,
+          category: 'BILLING',
+          severity: finding.severity,
+          title: finding.message,
+          description: finding.suggestion,
+          file: finding.file,
+          line: finding.line,
+          evidence: finding.evidence,
+          autofixAvailable: false,
+          verdict: 'FAIL',
+        });
+      }
+      
+      for (const finding of fakeSuccessResult.findings) {
+        detectionFindings.push({
+          id: finding.id,
+          ruleId: finding.type,
+          category: 'FAKE_SUCCESS',
+          severity: finding.severity,
+          title: finding.message,
+          description: finding.suggestion,
+          file: finding.file,
+          line: finding.line,
+          evidence: finding.evidence,
+          autofixAvailable: false,
+          verdict: 'FAIL',
+        });
+      }
+      
+      timings.detection = Date.now() - detectionStart;
+      if (spinner && !opts.json && !opts.sarif) {
+        spinner.succeed(`Detection complete (${detectionFindings.length} findings)`);
+      }
+    } catch (detectionError) {
+      // Detection engines not compiled yet - continue without them
+      if (opts.verbose && !opts.json && !opts.sarif) {
+        console.log(`  ${ansi.dim}Detection engines not available: ${detectionError.message}${ansi.reset}`);
+      }
+      if (spinner && !opts.json && !opts.sarif) {
+        spinner.warn('Detection skipped (not compiled)');
+      }
+    }
     
-    const duration = Date.now() - startTime;
+    timings.verification = Date.now() - timings.analysis - timings.discovery;
+    timings.total = Date.now() - startTime;
 
-    if (spinner) {
-      spinner.succeed(`Quick scan complete (${scanResult.findings.length} findings in ${formatDuration(duration)})`);
+    if (spinner && !opts.json && !opts.sarif) {
+      spinner.succeed('Analysis complete');
     }
 
-    // Normalize findings
-    const findings = scanResult.findings.map((f, i) => ({
-      id: f.id || `finding-${i}`,
-      ruleId: f.type || f.category,
-      category: f.category || 'CodeQuality',
-      severity: normalizeSeverity(f.severity),
-      title: f.title || f.message,
-      message: f.message || f.title,
-      file: f.file || '',
-      line: f.line || 1,
-      confidence: f.confidence || 'medium',
-      engine: f.engine,
-      fixHint: f.fixHint,
-    }));
-    
-    // Calculate verdict
-    const blockers = findings.filter(f => f.severity === 'critical');
-    const warnings = findings.filter(f => f.severity === 'warning');
-    const verdict = blockers.length > 0 ? 'BLOCK' : warnings.length > 0 ? 'WARN' : 'PASS';
-    const score = calculateScore({ 
-      critical: blockers.length, 
-      high: 0, 
-      medium: warnings.length, 
-      low: findings.length - blockers.length - warnings.length 
-    });
+    const { report, outputPaths } = result;
 
-    // ═══════════════════════════════════════════════════════════════════════════
-    // OUTPUT
-    // ═══════════════════════════════════════════════════════════════════════════
-    
-    // JSON output
+    // Use new unified output if available, otherwise fallback to enhanced format
+    if (useUnifiedOutput && buildVerdictOutput && normalizeFinding && formatScanOutputFromUnified) {
+      // Normalize findings with stable IDs
+      const existingIDs = new Set();
+      const normalizedFindings = [];
+      
+      // Normalize route integrity findings
+      if (report.shipBlockers) {
+        for (let i = 0; i < report.shipBlockers.length; i++) {
+          const blocker = report.shipBlockers[i];
+          const category = blocker.category || 'ROUTE';
+          const normalized = normalizeFinding(blocker, category, i, existingIDs);
+          normalizedFindings.push(normalized);
+        }
+      }
+
+      // Normalize Reality Sniff findings if present
+      if (report.realitySniffFindings) {
+        for (let i = 0; i < report.realitySniffFindings.length; i++) {
+          const finding = report.realitySniffFindings[i];
+          const category = finding.ruleId?.startsWith('auth') ? 'AUTH' : 'REALITY';
+          const normalized = normalizeFinding(finding, category, normalizedFindings.length, existingIDs);
+          normalizedFindings.push(normalized);
+        }
+      }
+      
+      // Add detection engine findings (Dead UI, Billing, Fake Success)
+      for (const finding of detectionFindings) {
+        normalizedFindings.push(finding);
+      }
+
+      // Build verdict
+      const verdict = buildVerdictOutput(normalizedFindings, timings, false);
+      const scanId = `scan_${Date.now()}`;
+
+      // Cache result
+      if (cache) {
+        const sourceFiles = await findSourceFiles(projectPath);
+        const projectHash = await cache.computeProjectHash(sourceFiles, { layers, baseUrl: opts.baseUrl });
+        await cache.set('scan', projectHash, {
+          findings: normalizedFindings,
+          timings,
+          scanId,
+        }, {
+          filesScanned: sourceFiles.length,
+          findings: normalizedFindings.length,
+          duration: timings.total,
+        });
+      }
+
+      // Build standard output
+      const standardOutput = formatStandardOutput(verdict, normalizedFindings, scanId, projectPath, {
+        version: require('../../package.json').version || '1.0.0',
+        nodeVersion: process.version,
+        platform: process.platform,
+      });
+
+    // JSON output mode - CRITICAL: Output ONLY JSON, no banners/colors
     if (opts.json) {
+      // Ensure pure JSON output with no ANSI codes or banners
+      process.env.NO_COLOR = '1';
+      const calculatedExitCode = getExitCodeFromUnified ? getExitCodeFromUnified(verdict) : getExitCode(verdict);
       const jsonOutput = {
-        version: "1.0.0",
-        command: "scan",
-        mode: "quick",
-        engines: SCAN_ENGINES,
-        verdict,
-        score,
+        success: calculatedExitCode === 0 || calculatedExitCode === 1, // 0 or 1 are success (SHIP/WARN)
+        verdict: verdict?.verdict || 'UNKNOWN',
+        score: report.score?.overall || (verdict?.verdict === 'PASS' ? 100 : 50),
+        findings: normalizedFindings || [],
         summary: {
-          total: findings.length,
-          blockers: blockers.length,
-          warnings: warnings.length,
-          filesScanned: scanResult.stats.filesScanned,
-          duration,
+          total: normalizedFindings?.length || 0,
+          blockers: verdict?.summary?.blockers || 0,
+          warnings: verdict?.summary?.warnings || 0,
+          info: verdict?.summary?.info || 0,
         },
-        findings: findings.map(f => ({
-          id: f.id,
-          category: f.category,
-          severity: f.severity,
-          title: f.title,
-          message: f.message,
-          file: f.file,
-          line: f.line,
-          engine: f.engine,
-        })),
-        timestamp: new Date().toISOString(),
+        stats: {
+          filesScanned: report.stats?.filesScanned || 0,
+          linesScanned: report.stats?.linesScanned || 0,
+          durationMs: timings.total || 0,
+        },
+        exitCode: calculatedExitCode
       };
       console.log(JSON.stringify(jsonOutput, null, 2));
-      return verdictToExitCode(verdict);
+      // CRITICAL: Exit immediately, don't output anything else
+      process.exit(calculatedExitCode);
+      return calculatedExitCode;
     }
-    
-    // SARIF output
+
+    // SARIF output mode - CRITICAL: Output ONLY valid SARIF, no banners/colors
     if (opts.sarif) {
-      const sarif = formatSARIF(findings, { 
+      process.env.NO_COLOR = '1';
+      const sarif = formatSARIF(normalizedFindings, { 
         projectPath, 
         version: require('../../package.json').version || '1.0.0' 
       });
-      console.log(JSON.stringify(sarif, null, 2));
-      return verdictToExitCode(verdict);
+      // formatSARIF returns a JSON string, so output it directly
+      console.log(sarif);
+      const exitCode = getExitCodeFromUnified ? getExitCodeFromUnified(verdict) : getExitCode(verdict);
+      // CRITICAL: Exit immediately, don't output anything else
+      process.exit(exitCode);
+      return exitCode;
     }
+
+    // ═══════════════════════════════════════════════════════════════════════════
+    // FINGERPRINTING & BASELINE COMPARISON
+    // ═══════════════════════════════════════════════════════════════════════════
     
-    // Human-readable output
-    console.log();
-    
-    // Verdict
-    const verdictColor = verdict === 'PASS' ? colors.success : verdict === 'WARN' ? colors.warning : colors.error;
-    const verdictIcon = verdict === 'PASS' ? '✓' : verdict === 'WARN' ? '⚠' : '✗';
-    
-    console.log(`  ${verdictColor}${ansi.bold}${verdictIcon} ${verdict}${ansi.reset} ${ansi.dim}Score: ${score}/100${ansi.reset}`);
-    console.log(`  ${ansi.dim}${findings.length} findings (${blockers.length} blockers, ${warnings.length} warnings)${ansi.reset}`);
-    console.log(`  ${ansi.dim}${scanResult.stats.filesScanned} files scanned in ${formatDuration(duration)}${ansi.reset}`);
-    console.log();
-    
-    // Show blockers
-    if (blockers.length > 0) {
-      console.log(`  ${colors.error}${ansi.bold}Blockers (${blockers.length})${ansi.reset}`);
-      for (const f of blockers.slice(0, 5)) {
-        console.log(`    ${colors.error}●${ansi.reset} ${f.title}`);
-        if (f.file) console.log(`      ${ansi.dim}${f.file}:${f.line}${ansi.reset}`);
+    let diff = null;
+    if (opts.baseline) {
+      try {
+        const enrichResult = enrichFindings(normalizedFindings, projectPath, true);
+        diff = enrichResult.diff;
+        
+        // Update findings with fingerprints and status
+        for (let i = 0; i < normalizedFindings.length; i++) {
+          if (enrichResult.findings[i]) {
+            normalizedFindings[i].fingerprint = enrichResult.findings[i].fingerprint;
+            normalizedFindings[i].status = enrichResult.findings[i].status;
+            normalizedFindings[i].firstSeen = enrichResult.findings[i].firstSeen;
+          }
+        }
+      } catch (fpError) {
+        if (opts.verbose) {
+          console.warn(`  ${ansi.dim}Fingerprinting skipped: ${fpError.message}${ansi.reset}`);
+        }
       }
-      if (blockers.length > 5) {
-        console.log(`    ${ansi.dim}... and ${blockers.length - 5} more${ansi.reset}`);
-      }
-      console.log();
     }
     
-    // Show warnings (verbose only)
-    if (warnings.length > 0 && opts.verbose) {
-      console.log(`  ${colors.warning}${ansi.bold}Warnings (${warnings.length})${ansi.reset}`);
-      for (const f of warnings.slice(0, 5)) {
-        console.log(`    ${colors.warning}◐${ansi.reset} ${f.title}`);
-        if (f.file) console.log(`      ${ansi.dim}${f.file}:${f.line}${ansi.reset}`);
-      }
-      if (warnings.length > 5) {
-        console.log(`    ${ansi.dim}... and ${warnings.length - 5} more${ansi.reset}`);
+    // Update baseline if requested
+    if (opts.updateBaseline) {
+      try {
+        saveBaseline(projectPath, normalizedFindings, {
+          verdict: verdict?.verdict,
+          scanTime: new Date().toISOString(),
+        });
+        if (!opts.json && !opts.quiet) {
+          console.log(`  ${colors.success}✓${ansi.reset} Baseline updated with ${normalizedFindings.length} findings`);
+        }
+      } catch (blError) {
+        if (opts.verbose) {
+          console.warn(`  ${ansi.dim}Baseline save failed: ${blError.message}${ansi.reset}`);
+        }
       }
-      console.log();
     }
-    
-    // Pro upsell
-    if (!opts.quiet) {
-      console.log(`  ${ansi.dim}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${ansi.reset}`);
-      console.log(`  ${ansi.dim}Quick scan ran ${SCAN_ENGINES.length} engines.${ansi.reset}`);
-      console.log(`  ${colors.accent}For comprehensive analysis (17+ engines + validators):${ansi.reset}`);
-      console.log(`    ${colors.success}vibecheck ship${ansi.reset} ${ansi.dim}[PRO]${ansi.reset}`);
+
+    // ═══════════════════════════════════════════════════════════════════════════
+    // ENHANCED OUTPUT
+    // ═══════════════════════════════════════════════════════════════════════════
+
+    // Use enhanced output formatter (from scan-output.js) - ONLY if not JSON/SARIF mode
+    if (!opts.json && !opts.sarif) {
+      const resultForOutput = {
+        verdict,
+        findings: normalizedFindings,
+        layers: report.layers || [],
+        coverage: report.coverageMap,
+        breakdown: report.score?.breakdown,
+        timings,
+        cached,
+        diff, // Include diff for display
+      };
+      console.log(formatScanOutput(resultForOutput, { verbose: opts.verbose }));
+    }
+
+    // Additional details if verbose
+    if (opts.verbose) {
+      printBreakdown(report.score.breakdown);
+      printCoverageMap(report.coverageMap);
+      printLayers(report.layers);
+      
+      printSection('REPORTS', '📄');
       console.log();
+      console.log(`  ${c.cyan}${outputPaths.md}${c.reset}`);
+      console.log(`  ${c.dim}${outputPaths.json}${c.reset}`);
+      if (outputPaths.sarif) {
+        console.log(`  ${c.dim}${outputPaths.sarif}${c.reset}`);
+      }
     }
-    
-    // Emit completion
-    emitScanComplete(projectPath, verdict === 'PASS' ? 'success' : 'failure', {
-      score,
-      issueCount: findings.length,
-      durationMs: duration,
-    });
 
-    // Save results
+    // ═══════════════════════════════════════════════════════════════════════════
+    // SAVE RESULTS
+    // ═══════════════════════════════════════════════════════════════════════════
+    
     if (opts.save) {
       const resultsDir = path.join(projectPath, '.vibecheck', 'results');
       if (!fs.existsSync(resultsDir)) {
         fs.mkdirSync(resultsDir, { recursive: true });
       }
       
-      fs.writeFileSync(
-        path.join(resultsDir, 'latest.json'),
-        JSON.stringify({
-          verdict,
-          score,
-          findings,
-          timestamp: new Date().toISOString(),
-          mode: 'quick',
-          engines: SCAN_ENGINES,
-          stats: scanResult.stats,
-        }, null, 2)
-      );
+      // Save latest.json
+      const latestPath = path.join(resultsDir, 'latest.json');
+      fs.writeFileSync(latestPath, JSON.stringify(standardOutput, null, 2));
+      
+      // Save timestamped copy
+      const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+      const historyDir = path.join(resultsDir, 'history');
+      if (!fs.existsSync(historyDir)) {
+        fs.mkdirSync(historyDir, { recursive: true });
+      }
+      fs.writeFileSync(path.join(historyDir, `scan-${timestamp}.json`), JSON.stringify(standardOutput, null, 2));
+      
+      if (!opts.json) {
+        console.log(`\n  ${ansi.dim}Results saved to: ${latestPath}${ansi.reset}`);
+      }
     }
     
-    return verdictToExitCode(verdict);
+    // ═══════════════════════════════════════════════════════════════════════════
+    // AUTOFIX MODE - Generate missions
+    // ═══════════════════════════════════════════════════════════════════════════
+    
+    if (opts.autofix && normalizedFindings.length > 0) {
+      // Check entitlement
+      const entitlementsV2 = require("./lib/entitlements-v2");
+      const access = await entitlementsV2.enforce("scan.autofix", { 
+        projectPath,
+        silent: false,
+      });
+      
+      if (!access.allowed) {
+        console.log(`\n  ${colors.warning}${icons.warning}${ansi.reset} ${ansi.bold}--autofix requires STARTER plan${ansi.reset}`);
+        console.log(`  ${ansi.dim}Upgrade at: https://vibecheckai.dev/pricing${ansi.reset}`);
+        console.log(`  ${ansi.dim}Scan results saved. Run 'vibecheck fix' for manual mission generation.${ansi.reset}\n`);
+      } else {
+        console.log(`\n  ${colors.accent}${icons.lightning}${ansi.reset} ${ansi.bold}Generating AI missions...${ansi.reset}\n`);
+        
+        const { missions, summary } = await generateMissions(normalizedFindings, projectPath, opts);
+        
+        console.log(`  ${colors.success}✓${ansi.reset} Generated ${missions.length} missions`);
+        console.log(`    ${ansi.dim}Critical: ${summary.bySeverity.critical}${ansi.reset}`);
+        console.log(`    ${ansi.dim}High: ${summary.bySeverity.high}${ansi.reset}`);
+        console.log(`    ${ansi.dim}Medium: ${summary.bySeverity.medium}${ansi.reset}`);
+        console.log(`    ${ansi.dim}Low: ${summary.bySeverity.low}${ansi.reset}`);
+        console.log();
+        console.log(`  ${ansi.dim}Missions saved to: .vibecheck/missions/${ansi.reset}`);
+        console.log(`  ${ansi.dim}Open MISSIONS.md for prompts to use with your AI assistant.${ansi.reset}`);
+        console.log();
+      }
+    }
+
+    // Emit audit event for scan complete
+    emitScanComplete(projectPath, verdict.verdict === 'PASS' ? 'success' : 'failure', {
+      score: report.score?.overall || (verdict.verdict === 'PASS' ? 100 : 50),
+      grade: report.score?.grade || (verdict.verdict === 'PASS' ? 'A' : 'F'),
+      issueCount: verdict.summary.blockers,
+      durationMs: timings.total,
+    });
+
+    // Submit results to dashboard if connected
+    if (apiConnected && apiScan) {
+      try {
+        await submitScanResults(apiScan.scanId, {
+          verdict: verdict.verdict,
+          score: report.score?.overall || 0,
+          findings: report.findings || [],
+          filesScanned: report.stats?.filesScanned || 0,
+          linesScanned: report.stats?.linesScanned || 0,
+          durationMs: timings.total,
+          metadata: {
+            layers,
+            profile: opts.profile,
+            version: require('../../package.json').version,
+          },
+        });
+        console.log(`${colors.success}✓${ansi.reset} Results sent to dashboard`);
+      } catch (err) {
+        console.log(`${colors.warning}⚠${ansi.reset} Failed to send results to dashboard: ${err.message}`);
+      }
+    }
+
+    return getExitCodeFromUnified ? getExitCodeFromUnified(verdict) : getExitCode(verdict);
+    } else {
+      // Legacy fallback output when unified output system isn't available
+      const findings = [...(report.shipBlockers || []), ...detectionFindings];
+      const criticalCount = findings.filter(f => f.severity === 'critical' || f.severity === 'BLOCK').length;
+      const warningCount = findings.filter(f => f.severity === 'warning' || f.severity === 'WARN').length;
+      
+      const verdict = criticalCount > 0 ? 'BLOCK' : warningCount > 0 ? 'WARN' : 'SHIP';
+      
+      // ═══════════════════════════════════════════════════════════════════════════
+      // FINGERPRINTING & BASELINE COMPARISON (Legacy path)
+      // ═══════════════════════════════════════════════════════════════════════════
+      
+      const normalizedLegacyFindings = findings.map(f => ({
+        severity: f.severity === 'critical' || f.severity === 'BLOCK' ? 'critical' :
+                 f.severity === 'warning' || f.severity === 'WARN' ? 'medium' : 'low',
+        category: f.category || 'ROUTE',
+        title: f.title || f.message,
+        message: f.message || f.title,
+        file: f.file || f.evidence?.[0]?.file,
+        line: f.line || parseInt(f.evidence?.[0]?.lines?.split('-')[0]) || 1,
+        evidence: f.evidence,
+        fix: f.fixSuggestion,
+      }));
+      
+      let diff = null;
+      if (opts.baseline) {
+        try {
+          const enrichResult = enrichFindings(normalizedLegacyFindings, projectPath, true);
+          diff = enrichResult.diff;
+          
+          // Update findings with fingerprints and status
+          for (let i = 0; i < normalizedLegacyFindings.length; i++) {
+            if (enrichResult.findings[i]) {
+              normalizedLegacyFindings[i].fingerprint = enrichResult.findings[i].fingerprint;
+              normalizedLegacyFindings[i].status = enrichResult.findings[i].status;
+              normalizedLegacyFindings[i].firstSeen = enrichResult.findings[i].firstSeen;
+            }
+          }
+        } catch (fpError) {
+          if (opts.verbose) {
+            console.warn(`  ${ansi.dim}Fingerprinting skipped: ${fpError.message}${ansi.reset}`);
+          }
+        }
+      }
+      
+      // Update baseline if requested
+      if (opts.updateBaseline) {
+        try {
+          saveBaseline(projectPath, normalizedLegacyFindings, {
+            verdict,
+            scanTime: new Date().toISOString(),
+          });
+          if (!opts.json && !opts.quiet) {
+            console.log(`  ${colors.success}✓${ansi.reset} Baseline updated with ${normalizedLegacyFindings.length} findings`);
+          }
+        } catch (blError) {
+          if (opts.verbose) {
+            console.warn(`  ${ansi.dim}Baseline save failed: ${blError.message}${ansi.reset}`);
+          }
+        }
+      }
+      
+      // JSON output mode - CRITICAL: Output ONLY JSON, no banners/colors
+      if (opts.json) {
+        process.env.NO_COLOR = '1';
+        const jsonOutput = {
+          success: verdict === 'SHIP' || verdict === 'WARN',
+          verdict: verdict,
+          score: verdict === 'SHIP' ? 100 : verdict === 'WARN' ? 70 : 40,
+          findings: normalizedLegacyFindings || [],
+          summary: {
+            total: normalizedLegacyFindings?.length || 0,
+            blockers: criticalCount,
+            warnings: warningCount,
+            info: findings.length - criticalCount - warningCount,
+          },
+          stats: {
+            filesScanned: 0,
+            linesScanned: 0,
+            durationMs: timings.total || 0,
+          },
+          exitCode: verdictToExitCode(verdict)
+        };
+        console.log(JSON.stringify(jsonOutput, null, 2));
+        process.exit(jsonOutput.exitCode);
+        return jsonOutput.exitCode;
+      }
+
+      // SARIF output mode - CRITICAL: Output ONLY valid SARIF, no banners/colors
+      if (opts.sarif) {
+        process.env.NO_COLOR = '1';
+        const sarif = formatSARIF(normalizedLegacyFindings, { 
+          projectPath, 
+          version: require('../../package.json').version || '1.0.0' 
+        });
+        console.log(sarif);
+        const exitCode = verdictToExitCode(verdict);
+        process.exit(exitCode);
+        return exitCode;
+      }
+
+      // Use enhanced output formatter for legacy fallback
+      const severityCounts = {
+        critical: criticalCount,
+        high: 0,
+        medium: warningCount,
+        low: findings.length - criticalCount - warningCount,
+      };
+      const score = calculateScore(severityCounts);
+      
+      const result = {
+        verdict: { verdict, score },
+        findings: normalizedLegacyFindings,
+        layers: [],
+        timings,
+        diff,
+      };
+      
+      console.log(formatScanOutput(result, { verbose: opts.verbose }));
+      
+      // Emit audit event
+      emitScanComplete(projectPath, verdict === 'SHIP' ? 'success' : 'failure', {
+        score: verdict === 'SHIP' ? 100 : verdict === 'WARN' ? 70 : 40,
+        issueCount: criticalCount + warningCount,
+        durationMs: timings.total,
+      });
+
+      // Submit results to dashboard if connected
+      if (apiConnected && apiScan) {
+        try {
+          await submitScanResults(apiScan.scanId, {
+            verdict,
+            score: verdict === 'SHIP' ? 100 : verdict === 'WARN' ? 70 : 40,
+            findings: normalizedLegacyFindings,
+            filesScanned: result.stats?.filesScanned || 0,
+            linesScanned: result.stats?.linesScanned || 0,
+            durationMs: timings.total,
+            metadata: {
+              layers,
+              profile: opts.profile,
+              version: require('../../package.json').version,
+            },
+          });
+          console.log(`${colors.success}✓${ansi.reset} Results sent to dashboard`);
+        } catch (err) {
+          console.log(`${colors.warning}⚠${ansi.reset} Failed to send results to dashboard: ${err.message}`);
+        }
+      }
+      
+      return verdictToExitCode(verdict);
+    }
 
   } catch (error) {
-    if (spinner) {
+    if (spinner && !opts.json && !opts.sarif) {
       spinner.fail(`Scan failed: ${error.message}`);
     }
     
-    console.error(`\n  ${colors.error}✗${ansi.reset} ${ansi.bold}Error:${ansi.reset} ${error.message}`);
-    if (opts.verbose) {
-      console.error(`  ${ansi.dim}${error.stack}${ansi.reset}`);
+    // JSON/SARIF error output
+    if (opts.json || opts.sarif) {
+      process.env.NO_COLOR = '1';
+      const errorOutput = {
+        success: false,
+        error: {
+          code: error.code || 'SCAN_ERROR',
+          message: error.message,
+        },
+        exitCode: error.code === 'VALIDATION_ERROR' ? EXIT.USER_ERROR : EXIT.INTERNAL_ERROR
+      };
+      if (opts.json) {
+        console.log(JSON.stringify(errorOutput, null, 2));
+      } else {
+        // SARIF error - return empty SARIF with error in message
+        const sarif = formatSARIF([], { projectPath, version: require('../../package.json').version || '1.0.0' });
+        console.log(sarif);
+      }
+      process.exit(errorOutput.exitCode);
+      return errorOutput.exitCode;
     }
     
+    // Use enhanced error handling (only for non-JSON/SARIF modes)
+    const exitCode = printError(error, 'Scan');
+    
+    // Emit audit event for scan error
     emitScanComplete(projectPath, 'error', {
       errorCode: error.code || 'SCAN_ERROR',
       errorMessage: error.message,
       durationMs: Date.now() - startTime,
     });
+
+    // Report error to dashboard if connected
+    if (apiConnected && apiScan) {
+      try {
+        await reportScanError(apiScan.scanId, error);
+        if (!opts.json && !opts.sarif) {
+          console.log(`${colors.info}📡${ansi.reset} Error reported to dashboard`);
+        }
+      } catch (err) {
+        if (!opts.json && !opts.sarif) {
+          console.log(`${colors.warning}⚠${ansi.reset} Failed to report error to dashboard: ${err.message}`);
+        }
+      }
+    }
     
-    return EXIT.INTERNAL_ERROR;
+    return exitCode;
   }
 }
 
-// Helper to normalize severity
-function normalizeSeverity(sev) {
-  if (!sev) return 'info';
-  const s = String(sev).toLowerCase();
-  if (s === 'block' || s === 'critical' || s === 'high') return 'critical';
-  if (s === 'warn' || s === 'warning' || s === 'medium') return 'warning';
-  return 'info';
+// Helper function to find source files for cache hash
+async function findSourceFiles(projectPath) {
+  const files = [];
+  const fs = require('fs');
+  const path = require('path');
+  
+  async function walk(dir) {
+    try {
+      const entries = await fs.promises.readdir(dir, { withFileTypes: true });
+      for (const entry of entries) {
+        const fullPath = path.join(dir, entry.name);
+        if (entry.isDirectory()) {
+          if (!entry.name.startsWith('.') && entry.name !== 'node_modules') {
+            await walk(fullPath);
+          }
+        } else if (entry.isFile()) {
+          const ext = path.extname(entry.name).toLowerCase();
+          if (['.ts', '.tsx', '.js', '.jsx'].includes(ext)) {
+            files.push(fullPath);
+          }
+        }
+      }
+    } catch {
+      // Skip inaccessible directories
+    }
+  }
+  
+  await walk(projectPath);
+  return files;
 }
 
-// Export
+// Export with error handling wrapper
 module.exports = {
   runScan: withErrorHandling(runScan, "Scan failed"),
 };