@vibecheckai/cli 3.6.1 → 3.7.0

package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js

@@ -1,7 +1,14 @@
 /**
  * Fake Success UI Rule
  * 
- * Warns/blocks if UI shows success without mutation.
+ * Only flags egregious cases of UI showing success without any backing logic.
+ * This rule is now much more lenient to reduce false positives - most success
+ * messages are legitimate (form submissions, state updates, etc.)
+ * 
+ * Only flags when:
+ * 1. Success message is in a "critical" domain (payments, auth)
+ * 2. AND there's zero HTTP/API activity in the entire file
+ * 3. AND no state management activity detected
  */
 
 "use strict";
@@ -30,51 +37,37 @@ function evaluate({ claims, evidence, policy }) {
     return null;
   }
   
-  // Filter out false positives: if there's an HTTP call in the same file, it's likely a response check
-  const realSuccessClaims = successClaims.filter(claim => {
-    const claimFile = claim.pointer ? claim.pointer.split(":")[0] : "";
-    if (!claimFile) return true;
-    
-    // Check if there's an HTTP call in the same file (within reasonable distance)
-    const claimLine = claim.pointer ? parseInt(claim.pointer.split(":")[1]?.split("-")[0] || "0", 10) : 0;
-    const hasNearbyHttpCall = claims.some(c => {
-      if (c.type !== CLAIM_TYPES.HTTP_CALL && c.type !== CLAIM_TYPES.ROUTE) return false;
-      const cFile = c.pointer ? c.pointer.split(":")[0] : "";
-      if (cFile !== claimFile) return false;
-      const cLine = c.pointer ? parseInt(c.pointer.split(":")[1]?.split("-")[0] || "0", 10) : 0;
-      // Within 50 lines is considered "nearby"
-      return Math.abs(cLine - claimLine) <= 50;
-    });
-    
-    // If there's a nearby HTTP call, this is likely checking the response, not showing UI
-    // Only flag if there's NO HTTP call nearby
-    return !hasNearbyHttpCall;
-  });
-  
-  if (realSuccessClaims.length === 0) {
-    return null; // All were false positives (likely API response checks)
-  }
-  
-  // Check if there's a corresponding HTTP call or side effect globally
+  // Check if there's ANY HTTP call, route reference, or side effect in the claims
+  // If yes, the file likely has real logic and success messages are legitimate
   const hasHttpCall = claims.some(c => 
     c.type === CLAIM_TYPES.HTTP_CALL || c.type === CLAIM_TYPES.ROUTE
   );
   
   const hasSideEffect = claims.some(c => c.type === CLAIM_TYPES.SIDE_EFFECT);
   
-  if (!hasHttpCall && !hasSideEffect) {
-    // Check if domain requires blocking
-    const blockDomains = ruleConfig.block_if_domain || [];
-    const fileDomain = realSuccessClaims[0].domain || "general";
-    
-    const shouldBlock = blockDomains.includes(fileDomain);
-    
+  // If there's any API activity, allow all success messages
+  if (hasHttpCall || hasSideEffect) {
+    return null;
+  }
+  
+  // Check if any success claim is in a critical domain
+  const criticalDomains = ruleConfig.block_if_domain || ["payments", "auth"];
+  const criticalSuccessClaims = successClaims.filter(claim => {
+    const domain = claim.domain || "general";
+    return criticalDomains.includes(domain);
+  });
+  
+  // Only flag if:
+  // 1. There's a success claim in a critical domain
+  // 2. AND there's zero API activity
+  // 3. AND we have multiple success claims (single success is likely legitimate)
+  if (criticalSuccessClaims.length > 0 && successClaims.length > 2) {
     return {
       rule: "fake_success_ui",
-      severity: shouldBlock ? "block" : (ruleConfig.severity || "warn"),
-      message: `Fake success UI: Success message shown but no HTTP call or side effect detected`,
-      claimId: `claim_${claims.indexOf(realSuccessClaims[0])}`,
-      claim: realSuccessClaims[0]
+      severity: ruleConfig.severity || "warn", // Default to warn, not block
+      message: `Multiple success messages (${successClaims.length}) in ${criticalSuccessClaims[0].domain} without API calls - verify logic exists`,
+      claimId: `claim_${claims.indexOf(criticalSuccessClaims[0])}`,
+      claim: criticalSuccessClaims[0]
     };
   }
   

package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js

@@ -12,6 +12,10 @@ const { CLAIM_TYPES } = require("../../claims/claim-types");
 /**
  * Common environment variables that are safe to use without explicit declaration.
  * These are well-known Node.js, Next.js, and common deployment platform vars.
+ * 
+ * NOTE: Be generous with this list - most env vars are set by the user's deployment
+ * environment and aren't hallucinations. We only want to flag truly phantom vars
+ * that the agent invented with no basis.
  */
 const SAFE_ENV_VARS = new Set([
   // Node.js core
@@ -19,6 +23,7 @@ const SAFE_ENV_VARS = new Set([
   "NODE_OPTIONS",
   "NODE_PATH",
   "NODE_DEBUG",
+  "NODE_TLS_REJECT_UNAUTHORIZED",
   
   // Next.js / React
   "NEXT_PUBLIC_",      // Prefix pattern
@@ -27,6 +32,7 @@ const SAFE_ENV_VARS = new Set([
   "VERCEL_ENV",
   "VERCEL_URL",
   "NEXT_RUNTIME",
+  "ANALYZE",
   
   // Common deployment
   "PORT",
@@ -43,25 +49,70 @@ const SAFE_ENV_VARS = new Set([
   "PWD",
   "SHELL",
   "TERM",
+  "TMPDIR",
+  "TEMP",
+  "TMP",
   
   // Testing
   "TEST",
   "JEST_WORKER_ID",
   "VITEST",
+  "PLAYWRIGHT_TEST_BASE_URL",
   
   // Build tools
   "npm_package_name",
   "npm_package_version",
   "npm_lifecycle_event",
+  
+  // Database (common naming patterns)
+  "DATABASE_URL",
+  "DB_HOST",
+  "DB_PORT",
+  "DB_USER",
+  "DB_PASSWORD",
+  "DB_NAME",
+  "POSTGRES_URL",
+  "MYSQL_URL",
+  "REDIS_URL",
+  "MONGODB_URI",
+  
+  // Auth (common naming patterns)
+  "JWT_SECRET",
+  "SESSION_SECRET",
+  "AUTH_SECRET",
+  "NEXTAUTH_SECRET",
+  "NEXTAUTH_URL",
+  
+  // API keys (generic patterns)
+  "API_KEY",
+  "API_SECRET",
+  "SECRET_KEY",
+  
+  // Email
+  "SMTP_HOST",
+  "SMTP_PORT",
+  "SMTP_USER",
+  "SMTP_PASSWORD",
+  "MAIL_HOST",
+  "MAIL_PORT",
+  "RESEND_API_KEY",
+  "SENDGRID_API_KEY",
+  
+  // Payments
+  "STRIPE_SECRET_KEY",
+  "STRIPE_PUBLISHABLE_KEY",
+  "STRIPE_WEBHOOK_SECRET",
 ]);
 
 /**
- * Prefix patterns that are safe
+ * Prefix patterns that are safe - these are from known platforms/tools
  */
 const SAFE_ENV_PREFIXES = [
   "NEXT_PUBLIC_",
   "REACT_APP_",
   "VITE_",
+  "VUE_APP_",
+  "NUXT_",
   "npm_",
   "GITHUB_",
   "CI_",
@@ -70,6 +121,18 @@ const SAFE_ENV_PREFIXES = [
   "RENDER_",
   "HEROKU_",
   "AWS_",
+  "AZURE_",
+  "GOOGLE_",
+  "FIREBASE_",
+  "SUPABASE_",
+  "CLERK_",
+  "AUTH0_",
+  "SENTRY_",
+  "DATADOG_",
+  "NEW_RELIC_",
+  "OPENAI_",
+  "ANTHROPIC_",
+  "VIBECHECK_",
 ];
 
 /**
@@ -143,10 +206,12 @@ function evaluate({ claims, evidence, policy }) {
           };
         }
         
+        // Default to "warn" - only block if explicitly configured
+        // Most env vars are real, just not in .env.example
         return {
           rule: "ghost_env",
-          severity: ruleConfig.severity || "block",
-          message: `Ghost env var: ${envVar} is used but not declared`,
+          severity: ruleConfig.severity || "warn",
+          message: `Env var ${envVar} used but not found in .env.example`,
           claimId: `claim_${i}`,
           claim
         };

package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js

@@ -170,10 +170,12 @@ function evaluate({ claims, evidence, policy }) {
           continue;
         }
         
+        // Default to "warn" - only block if explicitly configured
+        // Route references are often correct, just not in truthpack yet
         return {
           rule: "ghost_route",
-          severity: ruleConfig.severity || "block",
-          message: `Ghost route: ${routePath} is referenced but not registered in truthpack`,
+          severity: ruleConfig.severity || "warn",
+          message: `Route ${routePath} not found in truthpack - verify it exists`,
           claimId: `claim_${i}`,
           claim
         };

package/bin/runners/lib/agent-firewall/risk/thresholds.js

@@ -18,11 +18,12 @@
 const DEFAULT_THRESHOLDS = {
   /**
    * Score thresholds for automatic decisions
-   * Raised to reduce noise for normal development
+   * Raised significantly to focus only on real issues (hallucinations, drift)
+   * Normal development changes should almost never trigger
    */
-  autoAllow: 30,        // Auto-allow if score <= this (raised from 15)
-  requireConfirm: 70,   // Require confirmation if score > this (raised from 50)
-  autoBlock: 100,       // Auto-block if score >= this (raised from 80)
+  autoAllow: 50,        // Auto-allow if score <= this (raised from 30)
+  requireConfirm: 85,   // Require confirmation if score > this (raised from 70)
+  autoBlock: 120,       // Auto-block if score >= this (raised from 100)
   
   /**
    * Vector-specific thresholds

package/bin/runners/lib/error-messages.js

@@ -106,7 +106,7 @@ const ERROR_TEMPLATES = {
     message: 'Invalid API key format',
     suggestion: 'Check your API key format',
     nextSteps: [
-      'API keys should start with vc_',
+      'API keys should start with grl_ (from dashboard)',
       'Get a new key: https://app.vibecheckai.dev/settings/api-keys',
       'Run: vibecheck login --key YOUR_KEY',
     ],

package/bin/runners/lib/report-output.js

@@ -52,12 +52,12 @@ const LOGO_VIBECHECK = `
 
 // HERO: REPORTS (Blue/Cyan) - Fixed to say "REPORTS" plural
 const LOGO_REPORTS = `
-    ██████╗ ███████╗██████╗  ██████╗ ██████╗ ███████╗██████╗ ████████╗███████╗
-    ██╔══██╗██╔════╝██╔══██╗██╔═══██╗██╔══██╗██╔════╝██╔══██╗╚══██╔══╝██╔════╝
-    ██████╔╝█████╗  ██████╔╝██║   ██║██████╔╝███████╗██████╔╝   ██║   ███████╗
-    ██╔══██╗██╔══╝  ██╔═══╝ ██║   ██║██╔══██╗╚════██║██╔══██╗   ██║   ╚════██║
-    ██║  ██║███████╗██║     ╚██████╔╝██║  ██║███████║██║  ██║   ██║   ███████║
-    ╚═╝  ╚═╝╚══════╝╚═╝      ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝   ╚═╝   ╚══════╝
+    ██████╗ ███████╗██████╗  ██████╗ ██████╗ ████████╗███████╗
+    ██╔══██╗██╔════╝██╔══██╗██╔═══██╗██╔══██╗╚══██╔══╝██╔════╝
+    ██████╔╝█████╗  ██████╔╝██║   ██║██████╔╝   ██║   ███████╗
+    ██╔══██╗██╔══╝  ██╔═══╝ ██║   ██║██╔══██╗   ██║   ╚════██║
+    ██║  ██║███████╗██║     ╚██████╔╝██║  ██║   ██║   ███████║
+    ╚═╝  ╚═╝╚══════╝╚═╝      ╚═════╝ ╚═╝  ╚═╝   ╚═╝   ╚══════╝
 `;
 
 // ═══════════════════════════════════════════════════════════════════════════════

package/mcp-server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibecheck-mcp-server",
-  "version": "3.6.1",
+  "version": "3.7.0",
   "description": "Professional MCP server for vibecheck - Intelligent development environment vibechecks",
   "type": "module",
   "main": "index.js",

package/mcp-server/tier-auth.js

@@ -51,6 +51,7 @@ export const ERROR_CODES = {
   INVALID_API_KEY: 'INVALID_API_KEY',
   RATE_LIMITED: 'RATE_LIMITED',
   OPTION_NOT_ENTITLED: 'OPTION_NOT_ENTITLED',
+  API_KEY_REQUIRED: 'API_KEY_REQUIRED',
 };
 
 // ============================================================================
@@ -237,10 +238,48 @@ export function createTierErrorEnvelope(code, message, extra = {}) {
   };
 }
 
+/**
+ * Create API_KEY_REQUIRED error envelope
+ * Used when a PRO tool is requested but no API key is provided
+ */
+export function apiKeyRequiredError(toolName) {
+  return createTierErrorEnvelope(ERROR_CODES.API_KEY_REQUIRED, `API key required for ${toolName}`, {
+    tool: toolName,
+    userAction: 'Add API Key',
+    retryable: true,
+    nextSteps: [
+      'Get your API key at https://vibecheckai.dev/dashboard',
+      'Run: vibecheck login',
+      'Or set VIBECHECK_API_KEY environment variable',
+      'Then pass apiKey in tool arguments or configure in ~/.vibecheck/credentials.json',
+    ],
+  });
+}
+
 /**
  * Create NOT_ENTITLED error envelope
  */
-export function notEntitledError(toolName, currentTier = 'free', requiredTier = 'pro') {
+export function notEntitledError(toolName, currentTier = 'free', requiredTier = 'pro', hasApiKey = true) {
+  // If no API key was provided, give more specific guidance
+  if (!hasApiKey) {
+    return createTierErrorEnvelope(ERROR_CODES.NOT_ENTITLED, `${toolName} requires PRO - add your API key`, {
+      tier: currentTier,
+      required: requiredTier,
+      tool: toolName,
+      userAction: 'Add API Key',
+      retryable: true,
+      nextSteps: [
+        `${toolName} requires PRO ($69/mo) subscription`,
+        'If you have PRO, add your API key:',
+        '  - Run: vibecheck login',
+        '  - Or pass apiKey in tool arguments',
+        '  - Or set VIBECHECK_API_KEY environment variable',
+        'Get your API key at https://vibecheckai.dev/dashboard',
+        'Upgrade at https://vibecheckai.dev/pricing',
+      ],
+    });
+  }
+  
   return createTierErrorEnvelope(ERROR_CODES.NOT_ENTITLED, `Requires ${requiredTier.toUpperCase()}`, {
     tier: currentTier,
     required: requiredTier,
@@ -326,6 +365,24 @@ export async function getTierFromApiKey(apiKey) {
   }
 }
 
+// ============================================================================
+// USER CONFIG
+// ============================================================================
+
+/**
+ * Load user configuration from ~/.vibecheck/credentials.json
+ * @returns {Promise<{apiKey?: string, email?: string}|null>}
+ */
+async function loadUserConfig() {
+  try {
+    const configPath = path.join(os.homedir(), '.vibecheck', 'credentials.json');
+    const data = await fs.readFile(configPath, 'utf-8');
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
+
 // ============================================================================
 // ACCESS CONTROL
 // ============================================================================
@@ -410,6 +467,34 @@ export function canApproveAuthority(tier) {
   return tier === 'pro';
 }
 
+/**
+ * Resolve API key from multiple sources
+ * Priority: 1. Passed directly 2. Environment variable 3. Credentials file
+ * 
+ * @param {string} apiKey - API key passed directly (optional)
+ * @returns {Promise<{apiKey: string|null, source: string}>}
+ */
+export async function resolveApiKey(apiKey) {
+  // 1. Use directly provided API key
+  if (apiKey && typeof apiKey === 'string' && apiKey.length >= 10) {
+    return { apiKey, source: 'args' };
+  }
+  
+  // 2. Check environment variable
+  const envKey = process.env.VIBECHECK_API_KEY;
+  if (envKey && typeof envKey === 'string' && envKey.length >= 10) {
+    return { apiKey: envKey, source: 'env' };
+  }
+  
+  // 3. Check credentials file
+  const config = await loadUserConfig();
+  if (config?.apiKey && typeof config.apiKey === 'string' && config.apiKey.length >= 10) {
+    return { apiKey: config.apiKey, source: 'credentials' };
+  }
+  
+  return { apiKey: null, source: 'none' };
+}
+
 /**
  * Get MCP tool access with full ErrorEnvelope support
  * 
@@ -419,18 +504,30 @@ export function canApproveAuthority(tier) {
  * @returns {Promise<{hasAccess: boolean, tier: string, error?: object}>}
  */
 export async function getMcpToolAccess(toolName, apiKey, args = {}) {
-  const tier = await getTierFromApiKey(apiKey);
+  // Resolve API key from multiple sources
+  const resolved = await resolveApiKey(apiKey);
+  const resolvedApiKey = resolved.apiKey;
+  const hasApiKey = resolvedApiKey !== null;
+  
+  const tier = await getTierFromApiKey(resolvedApiKey);
   
   // Check tool-level access
   const hasToolAccess = canAccessTool(tier, toolName);
   
   if (!hasToolAccess) {
+    // Check if this is a PRO tool and no API key was provided
+    const isPROTool = PRO_TOOLS.includes(toolName);
+    
     return {
       hasAccess: false,
       tier,
+      hasApiKey,
+      apiKeySource: resolved.source,
       firewallMode: getFirewallMode(tier),
-      error: notEntitledError(toolName, tier, 'pro'),
-      reason: `${toolName} requires Pro ($69/mo). Upgrade at https://vibecheckai.dev/pricing`,
+      error: notEntitledError(toolName, tier, 'pro', hasApiKey),
+      reason: hasApiKey
+        ? `${toolName} requires Pro ($69/mo). Upgrade at https://vibecheckai.dev/pricing`
+        : `${toolName} requires Pro. Add your API key first: run 'vibecheck login' or pass apiKey in tool arguments.`,
     };
   }
   
@@ -440,6 +537,8 @@ export async function getMcpToolAccess(toolName, apiKey, args = {}) {
     return {
       hasAccess: false,
       tier,
+      hasApiKey,
+      apiKeySource: resolved.source,
       firewallMode: getFirewallMode(tier),
       error: optionNotEntitledError(toolName, optionCheck.blockedOption, tier, optionCheck.required),
       reason: `Option --${optionCheck.blockedOption} requires Pro`,
@@ -449,6 +548,8 @@ export async function getMcpToolAccess(toolName, apiKey, args = {}) {
   return {
     hasAccess: true,
     tier,
+    hasApiKey,
+    apiKeySource: resolved.source,
     firewallMode: getFirewallMode(tier),
     reason: 'Access granted',
   };
@@ -515,16 +616,6 @@ export async function checkTierGate(toolName, apiKey, args = {}) {
 // USER INFO
 // ============================================================================
 
-async function loadUserConfig() {
-  try {
-    const configPath = path.join(os.homedir(), '.vibecheck', 'credentials.json');
-    const data = await fs.readFile(configPath, 'utf-8');
-    return JSON.parse(data);
-  } catch {
-    return null;
-  }
-}
-
 export async function getUserInfo() {
   const config = await loadUserConfig();
   

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibecheckai/cli",
-  "version": "3.6.1",
+  "version": "3.7.0",
   "description": "Vibecheck CLI - Ship with confidence. One verdict: SHIP | WARN | BLOCK.",
   "main": "bin/vibecheck.js",
   "bin": {