@vibecheckai/cli 3.7.0 → 3.9.0

package/mcp-server/README.md

@@ -1,4 +1,4 @@
-# vibecheck MCP Server
+# vibecheck MCP Server v4.0
 
 Professional Model Context Protocol server for vibecheck AI.
 
@@ -7,12 +7,25 @@ Professional Model Context Protocol server for vibecheck AI.
 ## Installation
 
 ```bash
-npm install -g vibecheck-mcp-server
+npm install -g @vibecheckai/cli
 ```
 
 ## Configuration
 
-See [MCP-INSTALLATION-GUIDE.md](../docs/MCP-INSTALLATION-GUIDE.md) for editor-specific setup.
+Add to your AI IDE's MCP configuration:
+
+```json
+{
+  "mcpServers": {
+    "vibecheck": {
+      "command": "npx",
+      "args": ["@vibecheckai/cli", "mcp"]
+    }
+  }
+}
+```
+
+See [MCP-QUICK-START.md](../docs/MCP-QUICK-START.md) for editor-specific setup.
 
 ## Development
 
@@ -22,231 +35,177 @@ npm install
 npm start
 ```
 
-## Premium Command Palette Tools
-
-These tools provide a top-notch, zero-friction UX:
+---
 
-### Ship Check Commands
-- `run_ship` - vibecheck: Ship Check (GO/NO-GO)
-- `run_reality` - vibecheck: Run Reality Mode
-- `run_mockproof` - vibecheck: Run MockProof Gate
-- `run_airlock` - vibecheck: Run Airlock (SupplyChain)
+## Core MCP Tools (v4.0)
 
-### Report & Artifact Commands
-- `get_last_run` - vibecheck: Open Last Run Report
-- `open_artifact` - Open Report/Replay/Trace/SARIF/Badge
-- `rerun_last_check` - vibecheck: Re-run Last Check
-- `export_sarif` - Export findings as SARIF
+These are the primary tools available via MCP:
 
-### Setup & Policy Commands
-- `run_doctor` - vibecheck: Doctor (Fix my setup)
-- `edit_policies` - vibecheck: Policies (Quick Edit)
-- `get_status` - Get server status and workspace info
-- `policy_patch` - Apply atomic policy changes
-
-### Fix Mode Commands
-- `enter_fix_mode` - Enter Fix Mode for blocker resolution
-- `fix_mode_status` - Get Fix Mode checklist status
-- `mark_fix_complete` - Mark blocker as fixed
-- `exit_fix_mode` - Exit and re-run ship check
+| Tool | Description |
+|------|-------------|
+| `vibecheck_audit` | 🔍 Static analysis - routes, secrets, contracts |
+| `vibecheck_ship` | 🚀 Verdict engine - SHIP / WARN / BLOCK |
+| `vibecheck_prove` | 🔬 Full proof loop: audit → reality → ship |
+| `vibecheck_fix` | 🛠️ Mission-based auto-fix with safety gates |
+| `vibecheck_reality` | 🧪 Browser-based runtime verification |
+| `vibecheck_forge` | 📝 Generate AI IDE rules (.cursorrules, .windsurf) |
+| `vibecheck_shield` | 🛡️ Agent Firewall controls |
+| `vibecheck_doctor` | 🏥 Environment health check |
+| `vibecheck_checkpoint` | 📍 Snapshot & restore, baseline comparison |
+| `vibecheck_polish` | ✨ Production polish - final cleanup |
 
-### Evidence & Diagnostics
-- `explain_finding` - Get detailed finding explanation
+---
 
-## AI vibecheck Tools (Prompt Firewall + Output Verification)
+## Shield (Agent Firewall) Tools
 
-These tools provide AI safety and verification capabilities:
+Control the Agent Firewall via MCP:
 
 | Tool | Description |
 |------|-------------|
-| `vibecheck.verify` | 🛡️ Verify AI agent output before applying - checks secrets, dangerous commands, path traversal |
-| `vibecheck.quality` | 📊 Code quality analysis - complexity, maintainability, technical debt metrics |
-| `vibecheck.smells` | 👃 Code smell detection - anti-patterns, naming issues, structural problems |
-| `vibecheck.hallucination` | 🔍 Hallucination check - verify claims against actual source code |
-| `vibecheck.breaking` | ⚠️ Breaking change detection - API changes, removed methods, type changes |
-| `vibecheck.mdc` | 📝 MDC Generator - source-anchored documentation generation |
-| `vibecheck.coverage` | 🧪 Test coverage mapping - identify untested components |
+| `vibecheck_shield_status` | Get firewall status |
+| `vibecheck_shield_enforce` | Enable enforcement mode |
+| `vibecheck_shield_observe` | Enable observe-only mode |
+| `vibecheck_shield_lock` | Hard lockdown (all rules enforced) |
+| `vibecheck_shield_unlock` | Release lock |
+| `vibecheck_shield_verify` | Verify claims/prompts |
 
-### Example Usage
+---
 
-```json
-// Verify AI-generated code before applying
-{
-  "tool": "vibecheck.verify",
-  "arguments": {
-    "input": "{\"format\":\"vibecheck-v1\",\"diff\":\"...\",\"commands\":[]}",
-    "mode": "build"
-  }
-}
+## Intent & Approval Tools
 
-// Check code quality
-{
-  "tool": "vibecheck.quality",
-  "arguments": {
-    "projectPath": ".",
-    "threshold": 70
-  }
-}
-
-// Detect code smells
-{
-  "tool": "vibecheck.smells",
-  "arguments": {
-    "projectPath": ".",
-    "severity": "high"
-  }
-}
-```
-
-## Agent Checkpoint Tools
-
-Pre-write validation that blocks AI agents until issues are fixed:
+For declaring AI intent and approving changes:
 
 | Tool | Description |
 |------|-------------|
-| `vibecheck_checkpoint` | 🛡️ Validate code before writing - blocks on TODOs, mocks, console.log, etc. |
-| `vibecheck_set_strictness` | ⚙️ Set checkpoint strictness: chill, standard, strict, paranoid |
-| `vibecheck_checkpoint_status` | 📊 Get current checkpoint status and blocking violations |
+| `vibecheck_intent_start` | 🎯 Declare intent before making changes |
+| `vibecheck_intent_check` | ✅ Check if changes align with stated intent |
+| `vibecheck_intent_complete` | ✅ Complete step and generate proof artifact |
+| `vibecheck_approve` | 👍 Review and approve session changes |
+
+---
 
-## Architect Tools
+## Checkpoint Tools
 
-AI agents consult the Architect before writing code:
+Pre-write validation and time machine:
 
 | Tool | Description |
 |------|-------------|
-| `vibecheck_architect_review` | 🏛️ Review code against architecture patterns |
-| `vibecheck_architect_suggest` | 💡 Get architectural guidance before writing code |
-| `vibecheck_architect_patterns` | 📋 List all active architecture patterns |
-| `vibecheck_architect_set_strictness` | ⚙️ Set architect strictness level |
+| `vibecheck_checkpoint` | 🛡️ Validate code before writing - blocks on issues |
+| `vibecheck_checkpoint_status` | 📊 Get current checkpoint status |
+| `vibecheck_checkpoint_restore` | ⏪ Restore to a previous checkpoint |
+| `vibecheck_checkpoint_compare` | 📈 Compare baseline vs current |
+
+---
 
-## Codebase Architect Tools
+## Report & Artifact Tools
 
-Deep codebase knowledge for AI agents:
+Generate outputs and evidence:
 
 | Tool | Description |
 |------|-------------|
-| `vibecheck_architect_context` | 🧠 Load full codebase context (tech stack, conventions, patterns) |
-| `vibecheck_architect_guide` | 🏛️ Get guidance for creating/modifying code |
-| `vibecheck_architect_validate` | ✅ Validate code against codebase patterns |
-| `vibecheck_architect_dependencies` | 🔗 Understand file relationships and impact |
+| `vibecheck_packs_evidence` | 📦 Bundle videos, traces, screenshots |
+| `vibecheck_packs_report` | 📄 Generate HTML/MD/SARIF reports |
+| `vibecheck_packs_graph` | 📊 Proof graph visualization |
+| `vibecheck_seal` | 🏆 Generate ship badge and attestation |
 
-## vibecheck 2.0 Tools (Consolidated)
+---
 
-Six core tools for the complete workflow:
+## Example Usage
 
-| Tool | Description |
-|------|-------------|
-| `checkpoint` | 🛡️ Block AI agents until issues are fixed (pre/post write) |
-| `check` | 🔍 Verify code is real, wired, honest |
-| `ship` | 🚀 Go/No-Go decision (GO / WARN / NO-GO) |
-| `fix` | 🔧 Fix blocking issues safely |
-| `status` | 📊 Health + version info |
-| `set_strictness` | ⚙️ Set checkpoint strictness level |
+### Run Analysis
 
-## Intent Drift Guard Tools
-
-Capture intent before writing code, monitor for drift:
+```json
+{
+  "tool": "vibecheck_audit",
+  "arguments": {
+    "path": ".",
+    "profile": "full"
+  }
+}
+```
 
-| Tool | Description |
-|------|-------------|
-| `vibecheck_intent_start` | 🎯 Start a new step with explicit intent |
-| `vibecheck_intent_check` | ✅ Check if code changes align with stated intent |
-| `vibecheck_intent_validate_prompt` | 🔒 Validate new prompts against locked intent |
-| `vibecheck_intent_status` | 📊 Get current Intent Drift Guard status |
-| `vibecheck_intent_complete` | ✅ Complete step and generate proof artifact |
-| `vibecheck_intent_lock` | 🔒 Lock intent to prevent scope expansion |
-| `vibecheck_intent_unlock` | 🔓 Unlock intent, allow scope changes |
+### Get Ship Verdict
 
-## Fix Missions v1 + Reality v2 Tools
+```json
+{
+  "tool": "vibecheck_ship",
+  "arguments": {
+    "path": "."
+  }
+}
+```
 
-Production-ready AI fix loop and runtime verification:
+### Full Proof Loop
 
-| Tool | Description |
-|------|-------------|
-| `vibecheck.fix` | 🛠 Fix Missions v1 — AI-powered surgical fixes with verification loop |
-| `vibecheck.reality` | 🧪 Reality Mode v2 — Two-pass auth verification (anon + auth), Dead UI detection |
-| `vibecheck.prove` | 🔬 One Command Reality Proof — orchestrates ctx → reality → ship → fix loop |
-| `vibecheck.share` | 📦 Share Bundle — generate PR comment / review bundle from fix missions |
+```json
+{
+  "tool": "vibecheck_prove",
+  "arguments": {
+    "url": "http://localhost:3000",
+    "maxFixRounds": 3
+  }
+}
+```
 
-### vibecheck.reality Options
+### Runtime Verification
 
 ```json
 {
-  "tool": "vibecheck.reality",
+  "tool": "vibecheck_reality",
   "arguments": {
     "url": "http://localhost:3000",
-    "verifyAuth": true,
-    "auth": "user@example.com:password",
-    "storageState": ".vibecheck/reality/storageState.json",
-    "truthpack": ".vibecheck/truth/truthpack.json",
     "headed": false,
     "maxPages": 18,
-    "maxDepth": 2,
-    "danger": false
+    "maxDepth": 2
   }
 }
 ```
 
-### vibecheck.fix Options
+### AI-Powered Fixes
 
 ```json
 {
-  "tool": "vibecheck.fix",
+  "tool": "vibecheck_fix",
   "arguments": {
-    "promptOnly": false,
     "apply": true,
-    "autopilot": true,
-    "share": true,
-    "maxMissions": 8,
-    "maxSteps": 10
+    "autopilot": false,
+    "maxMissions": 8
   }
 }
 ```
 
-### vibecheck.prove Options
+### Generate IDE Rules
 
 ```json
 {
-  "tool": "vibecheck.prove",
+  "tool": "vibecheck_forge",
   "arguments": {
-    "url": "http://localhost:3000",
-    "auth": "user@example.com:password",
-    "maxFixRounds": 3,
-    "skipReality": false,
-    "skipFix": false
+    "format": "cursor",
+    "enhanced": true
   }
 }
 ```
 
-## Core Analysis Tools
-
-- `validate_project` - Validate project structure and API endpoints
-- `check_design_system` - Validate design system consistency
-- `check_project_drift` - Check for architecture drift
-- `setup_design_system` - Set up and lock design system
-- `register_api_endpoint` - Register API endpoint
-- `get_project_health` - Get project health score
-- `get_vibechecks_rules` - Get vibechecks rules
-- `architect_analyze` - Intelligent project analysis
-- `build_knowledge_base` - Build codebase knowledge
-- `semantic_search` - Search code by meaning
-- `security_scan` - Full security scan
-- `ship_check` - Ship readiness check
-- `get_deploy_verdict` - Get deploy GO/NO-GO decision
+---
 
 ## Resources
 
-- `vibechecks://rules` - Vibechecks rules document
-- `vibechecks://templates` - Available templates
-- `vibechecks://design-tokens` - Design system tokens
+- `vibecheck://rules` - Generated AI rules
+- `vibecheck://truthpack` - Repo reality index
+- `vibecheck://status` - Server status and health
+
+---
 
 ## Documentation
 
-See [MCP-PREMIUM-TOOLS.md](../docs/MCP-PREMIUM-TOOLS.md) for detailed tool documentation.
+- [MCP Quick Start](../docs/MCP-QUICK-START.md)
+- [Full CLI Documentation](../docs/CLI-REFERENCE.md)
+- [Agent Firewall Spec](../docs/AGENT_FIREWALL_V2_SPEC.md)
+
+---
 
 ## Privacy & Trust
 
 - Runs locally
 - Artifacts saved to `.vibecheck/`
-- No upload unless you export/share
-
+- No upload unless you explicitly export/share

package/mcp-server/handlers/index.ts

@@ -10,6 +10,6 @@ export {
   getToolsByTier,
   getToolsByCategory,
   validateRegistry,
-} from "./tool-handler";
+} from "./tool-handler.js";
 
-export { default as ToolHandler } from "./tool-handler";
+export { default as ToolHandler } from "./tool-handler.js";

package/mcp-server/handlers/tool-handler.ts

@@ -13,8 +13,9 @@
  * 7) Return response with error envelope
  */
 
-import * as fs from "fs";
-import * as path from "path";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { fileURLToPath } from "node:url";
 import Ajv from "ajv";
 import type {
   RunRequest,
@@ -25,9 +26,46 @@ import type {
   ToolResult,
   ValidationError,
   Finding,
-} from "../lib/types";
-import { PathSandbox } from "../lib/sandbox";
-import { CliExecutor, parseCliOutput, sortFindings, buildCliArgs } from "../lib/executor";
+} from "../lib/types.js";
+import { resolveSandboxPath, configFromRunRequest, type SandboxConfig } from "../lib/sandbox.js";
+import { CliExecutor, parseCliOutput, sortFindings, buildCliArgs } from "../lib/executor.js";
+
+// ESM __dirname equivalent
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+/**
+ * Simple PathSandbox wrapper class using the sandbox functions
+ */
+class PathSandbox {
+  private config: SandboxConfig;
+
+  constructor(options: { projectRoot: string }) {
+    this.config = {
+      workspaceRoot: options.projectRoot,
+      includeThirdParty: false,
+      includeGenerated: false,
+    };
+  }
+
+  assertAllowed(inputPath: string): string {
+    const result = resolveSandboxPath(inputPath, this.config);
+    if (!result.valid) {
+      const error = new Error(result.error || "Path not allowed") as Error & { violationType?: string };
+      error.violationType = result.errorCode;
+      throw error;
+    }
+    return result.resolvedPath!;
+  }
+
+  validate(inputPath: string): { allowed: boolean; error?: string } {
+    const result = resolveSandboxPath(inputPath, this.config);
+    return {
+      allowed: result.valid,
+      error: result.error,
+    };
+  }
+}
 
 // ═══════════════════════════════════════════════════════════════════════════════
 // REGISTRY
@@ -78,7 +116,8 @@ function getToolDefinition(toolName: string): ToolDefinition | null {
 // VALIDATION
 // ═══════════════════════════════════════════════════════════════════════════════
 
-const ajv = new Ajv({ allErrors: true, strict: false });
+const AjvClass = Ajv.default || Ajv;
+const ajv = new AjvClass({ allErrors: true, strict: false });
 
 /**
  * Validate data against JSON schema
@@ -86,14 +125,14 @@ const ajv = new Ajv({ allErrors: true, strict: false });
 function validateSchema(
   data: unknown,
   schema: unknown,
-  schemaName: string
+  _schemaName: string
 ): ValidationError[] {
   const validate = ajv.compile(schema as object);
   const valid = validate(data);
 
   if (valid) return [];
 
-  return (validate.errors || []).map((err) => ({
+  return (validate.errors || []).map((err: { instancePath?: string; message?: string; params?: { allowedValues?: string[] }; data?: unknown }) => ({
     path: err.instancePath || "/",
     message: err.message || "Validation failed",
     expected: err.params?.allowedValues?.join(", "),
@@ -117,17 +156,17 @@ const ERROR_NEXT_STEPS: Record<ErrorCode, string[]> = {
     "List available tools with the registry",
   ],
   TIER_REQUIRED: [
-    "This tool requires a Pro subscription ($69/mo)",
+    "This tool requires a Pro subscription ($49/mo)",
     "Upgrade at https://vibecheckai.dev/pricing",
     "Some tools have free alternatives",
   ],
   NOT_ENTITLED: [
-    "This tool requires a Pro subscription ($69/mo)",
+    "This tool requires a Pro subscription ($49/mo)",
     "Upgrade at https://vibecheckai.dev/pricing",
     "Run: vibecheck upgrade",
   ],
   OPTION_NOT_ENTITLED: [
-    "This option requires a Pro subscription ($69/mo)",
+    "This option requires a Pro subscription ($49/mo)",
     "The base tool is available on FREE tier",
     "Upgrade at https://vibecheckai.dev/pricing",
   ],

package/mcp-server/index.js

@@ -553,6 +553,14 @@ import {
   handleAgentFirewallIntercept,
 } from "./agent-firewall-interceptor.js";
 
+// Import Intent-Aware Firewall v2 - BLOCKING enforcement with intent alignment
+import {
+  INTENT_FIREWALL_TOOL,
+  handleIntentFirewallIntercept,
+  INTENT_STATUS_TOOL,
+  handleIntentStatus,
+} from "./intent-firewall-interceptor.js";
+
 // Import Conductor tools - Multi-Agent Coordination (Phase 2)
 import {
   CONDUCTOR_TOOLS,
@@ -717,6 +725,14 @@ class VibecheckMCP {
       addHandler("vibecheck_agent_firewall_intercept", handleAgentFirewallIntercept);
     }
     
+    // Intent-Aware Firewall v2 - blocking enforcement with intent alignment
+    if (handleIntentFirewallIntercept && typeof handleIntentFirewallIntercept === 'function') {
+      addHandler("vibecheck_intent_firewall_intercept", handleIntentFirewallIntercept);
+    }
+    if (handleIntentStatus && typeof handleIntentStatus === 'function') {
+      addHandler("vibecheck_intent_status", handleIntentStatus);
+    }
+    
     // Conductor - multi-agent coordination tools
     addHandler("vibecheck_conductor_register", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_register", args, projectPath));
     addHandler("vibecheck_conductor_acquire_lock", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_acquire_lock", args, projectPath));