@vibecheckai/cli 3.6.1 → 3.8.0

package/mcp-server/tier-auth.js

@@ -7,7 +7,7 @@
  * 
  * Simple 2-tier model:
  * - FREE ($0): Inspect & Observe
- * - PRO ($69/mo): Fix, Prove & Enforce
+ * - PRO ($49/mo): Fix, Prove & Enforce
  * 
  * ┌────────────────────────────────────────────────────────────────────────┐
  * │ MCP Tool                        │ Tier │ CLI Equivalent               │
@@ -42,6 +42,37 @@
 import fs from "fs/promises";
 import path from "path";
 import os from "os";
+import crypto from "crypto";
+
+// ============================================================================
+// REDACTION - Secure API key masking
+// ============================================================================
+
+/**
+ * Mask API key for secure display/logging.
+ * @param {string} key
+ * @returns {string}
+ */
+export function redactApiKey(key) {
+  if (!key || typeof key !== 'string' || key.length < 8) {
+    return '****';
+  }
+
+  if (key.startsWith('grl_')) {
+    return `grl_${'*'.repeat(8)}${key.slice(-4)}`;
+  }
+
+  const legacyMatch = key.match(/^(gr_[a-z]+_)/);
+  if (legacyMatch) {
+    return `${legacyMatch[1]}${'*'.repeat(8)}${key.slice(-4)}`;
+  }
+
+  if (key.length >= 12) {
+    return `${key.slice(0, 3)}****${key.slice(-4)}`;
+  }
+
+  return '****';
+}
 
 // ============================================================================
 // ERROR CODES - Standard error envelope codes
@@ -51,6 +82,7 @@ export const ERROR_CODES = {
   INVALID_API_KEY: 'INVALID_API_KEY',
   RATE_LIMITED: 'RATE_LIMITED',
   OPTION_NOT_ENTITLED: 'OPTION_NOT_ENTITLED',
+  API_KEY_REQUIRED: 'API_KEY_REQUIRED',
 };
 
 // ============================================================================
@@ -237,10 +269,48 @@ export function createTierErrorEnvelope(code, message, extra = {}) {
   };
 }
 
+/**
+ * Create API_KEY_REQUIRED error envelope
+ * Used when a PRO tool is requested but no API key is provided
+ */
+export function apiKeyRequiredError(toolName) {
+  return createTierErrorEnvelope(ERROR_CODES.API_KEY_REQUIRED, `API key required for ${toolName}`, {
+    tool: toolName,
+    userAction: 'Add API Key',
+    retryable: true,
+    nextSteps: [
+      'Get your API key at https://vibecheckai.dev/dashboard',
+      'Run: vibecheck login',
+      'Or set VIBECHECK_API_KEY environment variable',
+      'Then pass apiKey in tool arguments or configure in ~/.vibecheck/credentials.json',
+    ],
+  });
+}
+
 /**
  * Create NOT_ENTITLED error envelope
  */
-export function notEntitledError(toolName, currentTier = 'free', requiredTier = 'pro') {
+export function notEntitledError(toolName, currentTier = 'free', requiredTier = 'pro', hasApiKey = true) {
+  // If no API key was provided, give more specific guidance
+  if (!hasApiKey) {
+    return createTierErrorEnvelope(ERROR_CODES.NOT_ENTITLED, `${toolName} requires PRO - add your API key`, {
+      tier: currentTier,
+      required: requiredTier,
+      tool: toolName,
+      userAction: 'Add API Key',
+      retryable: true,
+      nextSteps: [
+        `${toolName} requires PRO ($49/mo) subscription`,
+        'If you have PRO, add your API key:',
+        '  - Run: vibecheck login',
+        '  - Or pass apiKey in tool arguments',
+        '  - Or set VIBECHECK_API_KEY environment variable',
+        'Get your API key at https://vibecheckai.dev/dashboard',
+        'Upgrade at https://vibecheckai.dev/pricing',
+      ],
+    });
+  }
+  
   return createTierErrorEnvelope(ERROR_CODES.NOT_ENTITLED, `Requires ${requiredTier.toUpperCase()}`, {
     tier: currentTier,
     required: requiredTier,
@@ -248,7 +318,7 @@ export function notEntitledError(toolName, currentTier = 'free', requiredTier =
     userAction: 'Open billing',
     retryable: false,
     nextSteps: [
-      `Upgrade to ${requiredTier.toUpperCase()} ($69/mo) to unlock this feature`,
+      `Upgrade to ${requiredTier.toUpperCase()} ($49/mo) to unlock this feature`,
       'Visit https://vibecheckai.dev/pricing',
       'Run: vibecheck upgrade',
     ],
@@ -326,6 +396,50 @@ export async function getTierFromApiKey(apiKey) {
   }
 }
 
+// ============================================================================
+// USER CONFIG
+// ============================================================================
+
+/**
+ * Load user configuration from credential files.
+ * Checks multiple locations in priority order:
+ * 1. ~/.vibecheck/auth.json (new unified format)
+ * 2. ~/.vibecheck/credentials.json (legacy TS CLI)
+ * 3. ~/.config/vibecheck/config.json (legacy JS CLI)
+ * 
+ * @returns {Promise<{apiKey?: string, email?: string}|null>}
+ */
+async function loadUserConfig() {
+  const locations = [
+    // New unified auth file (highest priority)
+    path.join(os.homedir(), '.vibecheck', 'auth.json'),
+    // Legacy credentials file
+    path.join(os.homedir(), '.vibecheck', 'credentials.json'),
+    // Legacy config file (Unix)
+    path.join(os.homedir(), '.config', 'vibecheck', 'config.json'),
+  ];
+
+  // Windows legacy location
+  if (process.platform === 'win32' && process.env.APPDATA) {
+    locations.push(path.join(process.env.APPDATA, 'vibecheck', 'config.json'));
+  }
+
+  for (const configPath of locations) {
+    try {
+      const data = await fs.readFile(configPath, 'utf-8');
+      const config = JSON.parse(data);
+      if (config?.apiKey) {
+        return config;
+      }
+    } catch {
+      // Try next location
+      continue;
+    }
+  }
+
+  return null;
+}
+
 // ============================================================================
 // ACCESS CONTROL
 // ============================================================================
@@ -410,6 +524,34 @@ export function canApproveAuthority(tier) {
   return tier === 'pro';
 }
 
+/**
+ * Resolve API key from multiple sources
+ * Priority: 1. Passed directly 2. Environment variable 3. Credentials file
+ * 
+ * @param {string} apiKey - API key passed directly (optional)
+ * @returns {Promise<{apiKey: string|null, source: string}>}
+ */
+export async function resolveApiKey(apiKey) {
+  // 1. Use directly provided API key
+  if (apiKey && typeof apiKey === 'string' && apiKey.length >= 10) {
+    return { apiKey, source: 'args' };
+  }
+  
+  // 2. Check environment variable
+  const envKey = process.env.VIBECHECK_API_KEY;
+  if (envKey && typeof envKey === 'string' && envKey.length >= 10) {
+    return { apiKey: envKey, source: 'env' };
+  }
+  
+  // 3. Check credentials file
+  const config = await loadUserConfig();
+  if (config?.apiKey && typeof config.apiKey === 'string' && config.apiKey.length >= 10) {
+    return { apiKey: config.apiKey, source: 'credentials' };
+  }
+  
+  return { apiKey: null, source: 'none' };
+}
+
 /**
  * Get MCP tool access with full ErrorEnvelope support
  * 
@@ -419,18 +561,30 @@ export function canApproveAuthority(tier) {
  * @returns {Promise<{hasAccess: boolean, tier: string, error?: object}>}
  */
 export async function getMcpToolAccess(toolName, apiKey, args = {}) {
-  const tier = await getTierFromApiKey(apiKey);
+  // Resolve API key from multiple sources
+  const resolved = await resolveApiKey(apiKey);
+  const resolvedApiKey = resolved.apiKey;
+  const hasApiKey = resolvedApiKey !== null;
+  
+  const tier = await getTierFromApiKey(resolvedApiKey);
   
   // Check tool-level access
   const hasToolAccess = canAccessTool(tier, toolName);
   
   if (!hasToolAccess) {
+    // Check if this is a PRO tool and no API key was provided
+    const isPROTool = PRO_TOOLS.includes(toolName);
+    
     return {
       hasAccess: false,
       tier,
+      hasApiKey,
+      apiKeySource: resolved.source,
       firewallMode: getFirewallMode(tier),
-      error: notEntitledError(toolName, tier, 'pro'),
-      reason: `${toolName} requires Pro ($69/mo). Upgrade at https://vibecheckai.dev/pricing`,
+      error: notEntitledError(toolName, tier, 'pro', hasApiKey),
+      reason: hasApiKey
+        ? `${toolName} requires Pro ($49/mo). Upgrade at https://vibecheckai.dev/pricing`
+        : `${toolName} requires Pro. Add your API key first: run 'vibecheck login' or pass apiKey in tool arguments.`,
     };
   }
   
@@ -440,6 +594,8 @@ export async function getMcpToolAccess(toolName, apiKey, args = {}) {
     return {
       hasAccess: false,
       tier,
+      hasApiKey,
+      apiKeySource: resolved.source,
       firewallMode: getFirewallMode(tier),
       error: optionNotEntitledError(toolName, optionCheck.blockedOption, tier, optionCheck.required),
       reason: `Option --${optionCheck.blockedOption} requires Pro`,
@@ -449,6 +605,8 @@ export async function getMcpToolAccess(toolName, apiKey, args = {}) {
   return {
     hasAccess: true,
     tier,
+    hasApiKey,
+    apiKeySource: resolved.source,
     firewallMode: getFirewallMode(tier),
     reason: 'Access granted',
   };
@@ -515,16 +673,6 @@ export async function checkTierGate(toolName, apiKey, args = {}) {
 // USER INFO
 // ============================================================================
 
-async function loadUserConfig() {
-  try {
-    const configPath = path.join(os.homedir(), '.vibecheck', 'credentials.json');
-    const data = await fs.readFile(configPath, 'utf-8');
-    return JSON.parse(data);
-  } catch {
-    return null;
-  }
-}
-
 export async function getUserInfo() {
   const config = await loadUserConfig();
   

package/mcp-server/tools-v3.js

@@ -7,7 +7,7 @@
  * 
  * Simple 2-tier model:
  * - FREE ($0): Inspect & Observe (10 tools)
- * - PRO ($69/mo): Fix, Prove & Enforce (18 tools)
+ * - PRO ($49/mo): Fix, Prove & Enforce (18 tools)
  * 
  * PRO includes:
  * - Authority System (verdicts, approvals)
@@ -356,7 +356,7 @@ Response:
 Returns evidence-backed verdict.
 Response includes cacheStats: { hit, reusedFindingsCount, durationMs }
 
-[PRO - $69/mo]`,
+[PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -381,7 +381,7 @@ Response includes cacheStats: { hit, reusedFindingsCount, durationMs }
 
 Modes: plan, apply, loop
 
-[PRO - $69/mo]`,
+[PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -396,7 +396,7 @@ Modes: plan, apply, loop
     name: "vibecheck.prove",
     description: `🔬 Full proof loop with runtime verification
 
-[PRO - $69/mo]`,
+[PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -410,7 +410,7 @@ Modes: plan, apply, loop
 
   {
     name: "vibecheck.gate",
-    description: `🚧 CI/CD enforcement - fail builds on issues [PRO - $69/mo]`,
+    description: `🚧 CI/CD enforcement - fail builds on issues [PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -422,7 +422,7 @@ Modes: plan, apply, loop
 
   {
     name: "vibecheck.badge",
-    description: `🏷️ Generate ship badge [PRO - $69/mo]`,
+    description: `🏷️ Generate ship badge [PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -434,7 +434,7 @@ Modes: plan, apply, loop
 
   {
     name: "vibecheck.reality",
-    description: `🧪 Full runtime verification with auth boundary testing [PRO - $69/mo]`,
+    description: `🧪 Full runtime verification with auth boundary testing [PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -449,7 +449,7 @@ Modes: plan, apply, loop
 
   {
     name: "vibecheck.ai_test",
-    description: `🤖 AI agent testing - autonomous exploration [PRO - $69/mo]`,
+    description: `🤖 AI agent testing - autonomous exploration [PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -463,7 +463,7 @@ Modes: plan, apply, loop
 
   {
     name: "vibecheck.share",
-    description: `📤 Generate PR/review bundle [PRO - $69/mo]`,
+    description: `📤 Generate PR/review bundle [PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -483,7 +483,7 @@ Modes: plan, apply, loop
 
 Execute an authority to get a structured verdict with proofs.
 
-[PRO - $69/mo]`,
+[PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -505,7 +505,7 @@ Execute an authority to get a structured verdict with proofs.
 
 Call this at the start of any multi-agent workflow.
 
-[PRO - $69/mo]`,
+[PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -523,7 +523,7 @@ Call this at the start of any multi-agent workflow.
 
 Prevents concurrent modifications by other agents.
 
-[PRO - $69/mo]`,
+[PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -538,7 +538,7 @@ Prevents concurrent modifications by other agents.
 
   {
     name: "vibecheck_conductor_release_lock",
-    description: `🔓 Release a previously acquired lock [PRO - $69/mo]`,
+    description: `🔓 Release a previously acquired lock [PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -555,7 +555,7 @@ Prevents concurrent modifications by other agents.
 
 Checks for conflicts with other agents before proceeding.
 
-[PRO - $69/mo]`,
+[PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -581,7 +581,7 @@ Checks for conflicts with other agents before proceeding.
 
   {
     name: "vibecheck_conductor_terminate",
-    description: `🛑 Terminate agent session and release all locks [PRO - $69/mo]`,
+    description: `🛑 Terminate agent session and release all locks [PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       properties: {
@@ -611,7 +611,7 @@ Features:
 
 Call BEFORE any file write operations.
 
-[PRO - $69/mo]`,
+[PRO - $49/mo]`,
     inputSchema: {
       type: "object",
       required: ["agentId", "filePath", "content"],
@@ -625,6 +625,60 @@ Call BEFORE any file write operations.
       },
     },
   },
+
+  // ═══════════════════════════════════════════════════════════════════════════
+  // INTENT FIREWALL v2 (PRO) - Intent-Aware BLOCKING Enforcement
+  // ═══════════════════════════════════════════════════════════════════════════
+
+  {
+    name: "vibecheck_intent_firewall_intercept",
+    description: `🛡️ Intent-Aware Firewall v2 - BLOCKING enforcement
+
+Intercepts AI code changes and BLOCKS unless:
+1. User intent is declared (via vibecheck intent set)
+2. Changes align with declared intent
+3. Reality proofs pass
+
+⚠️ If no intent is declared, ALL CHANGES ARE BLOCKED.
+
+This is enforcement infrastructure that cannot be bypassed.
+Declare intent BEFORE making AI changes:
+  vibecheck intent set -s "Your intent"
+
+Returns: { decision: "PASS"|"BLOCK", violations, intent_hash }
+
+[PRO - $49/mo]`,
+    inputSchema: {
+      type: "object",
+      required: ["agentId", "filePath", "content"],
+      properties: {
+        agentId: { type: "string", description: "Agent ID" },
+        filePath: { type: "string", description: "File to write" },
+        content: { type: "string", description: "New content" },
+        oldContent: { type: "string", description: "Old content (for diff)" },
+        intent: { type: "string", description: "Agent's stated intent (NOT user intent)" },
+        projectRoot: { type: "string" },
+      },
+    },
+  },
+
+  {
+    name: "vibecheck_intent_status",
+    description: `📋 Get current intent status for Agent Firewall v2
+
+Shows whether intent is declared and what changes are allowed.
+Use this BEFORE making AI changes to understand constraints.
+
+Returns: { hasIntent, summary, constraints, allowed_changes, hash }
+
+[FREE]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectRoot: { type: "string", default: "." },
+      },
+    },
+  },
 ];
 
 // =============================================================================

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibecheckai/cli",
-  "version": "3.6.1",
+  "version": "3.8.0",
   "description": "Vibecheck CLI - Ship with confidence. One verdict: SHIP | WARN | BLOCK.",
   "main": "bin/vibecheck.js",
   "bin": {