@vibedrift/cli 0.1.4 → 0.2.0

package/dist/index.js

@@ -230,12 +230,12 @@ function normalizeBody(body, language) {
   }
   const sortedVars = [...varNames.entries()].sort((a, b) => b[0].length - a[0].length);
   for (const [name, placeholder] of sortedVars) {
-    normalized = normalized.replace(new RegExp(`\\b${escapeRegex2(name)}\\b`, "g"), placeholder);
+    normalized = normalized.replace(new RegExp(`\\b${escapeRegex3(name)}\\b`, "g"), placeholder);
   }
   normalized = normalized.replace(/\s+/g, " ").trim();
   return normalized;
 }
-function escapeRegex2(s) {
+function escapeRegex3(s) {
   return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function fnv1aHash(str) {
@@ -1012,13 +1012,13 @@ var init_sampler = __esm({
 });
 
 // src/ml-client/client.ts
-async function callMlApi(request, apiKey, apiUrl) {
+async function callMlApi(request, token, apiUrl) {
   const url = `${apiUrl ?? DEFAULT_API_URL}/v1/analyze`;
   const headers = {
     "Content-Type": "application/json"
   };
-  if (apiKey) {
-    headers["X-API-Key"] = apiKey;
+  if (token) {
+    headers["Authorization"] = `Bearer ${token}`;
   }
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), TIMEOUT_MS);
@@ -1031,7 +1031,7 @@ async function callMlApi(request, apiKey, apiUrl) {
     });
     if (!response.ok) {
       const errorBody = await response.text().catch(() => "");
-      throw new Error(`ML API error ${response.status}: ${errorBody.slice(0, 200)}`);
+      throw new Error(`Deep-analysis API error ${response.status}: ${errorBody.slice(0, 200)}`);
     }
     return await response.json();
   } finally {
@@ -1266,8 +1266,8 @@ async function runMlAnalysis(ctx, codeDnaResult, findings, options) {
   const deviations = buildDeviationPayloads(codeDnaResult, options.driftFindings ?? []);
   const payloadSize = JSON.stringify(sampled).length + JSON.stringify(deviations).length;
   if (options.verbose) {
-    console.error(`[ml] Sending ${sampled.length} functions + ${deviations.length} deviations (${Math.round(payloadSize / 1024)}KB) to ML API...`);
-    console.error(`[ml] No full files transmitted \u2014 only function snippets and structural metadata.`);
+    console.error(`[deep] Sending ${sampled.length} functions + ${deviations.length} deviations (${Math.round(payloadSize / 1024)}KB) to VibeDrift API...`);
+    console.error(`[deep] No full files transmitted \u2014 only function snippets and structural metadata.`);
   }
   const request = {
     language: ctx.dominantLanguage ?? "unknown",
@@ -1276,10 +1276,10 @@ async function runMlAnalysis(ctx, codeDnaResult, findings, options) {
     deviations,
     llm_validations: []
   };
-  const response = await callMlApi(request, options.mlKey, options.mlUrl);
+  const response = await callMlApi(request, options.token, options.apiUrl);
   if (options.verbose) {
     console.error(
-      `[ml] API returned: ${response.duplicates.length} duplicates, ${response.intent_mismatches.length} intent mismatches, ${response.anomalies.length} anomalies, ${response.deviations?.length ?? 0} deviation verdicts \u2014 ${response.processing_time_ms}ms`
+      `[deep] API returned: ${response.duplicates.length} duplicates, ${response.intent_mismatches.length} intent mismatches, ${response.anomalies.length} anomalies, ${response.deviations?.length ?? 0} deviation verdicts \u2014 ${response.processing_time_ms}ms`
     );
   }
   const filtered = filterByConfidence(response);
@@ -1372,7 +1372,7 @@ var summarize_exports = {};
 __export(summarize_exports, {
   fetchAiSummary: () => fetchAiSummary
 });
-async function fetchAiSummary(result, apiUrl, mlKey) {
+async function fetchAiSummary(result, apiUrl, token) {
   const dna = result.codeDnaResult;
   const mlFindings = result.findings.filter((f) => f.tags?.includes("ml"));
   const body = {
@@ -1409,7 +1409,7 @@ async function fetchAiSummary(result, apiUrl, mlKey) {
     }).slice(0, 5).map((d) => d.recommendation)
   };
   const headers = { "Content-Type": "application/json" };
-  if (mlKey) headers["X-API-Key"] = mlKey;
+  if (token) headers["Authorization"] = `Bearer ${token}`;
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), TIMEOUT_MS2);
   try {
@@ -1969,8 +1969,8 @@ import { Command, Option } from "commander";
 // src/cli/commands/scan.ts
 init_esm_shims();
 import { resolve } from "path";
-import { writeFile as writeFile2 } from "fs/promises";
-import { stat as stat2 } from "fs/promises";
+import { writeFile as writeFile3 } from "fs/promises";
+import { stat as stat3 } from "fs/promises";
 import chalk2 from "chalk";
 import ora from "ora";
 
@@ -2086,8 +2086,8 @@ async function discoverFiles(rootDir) {
         const language = detectLanguage(entry.name);
         if (!language) continue;
         try {
-          const info = await stat(fullPath);
-          if (info.size > MAX_FILE_SIZE) continue;
+          const info2 = await stat(fullPath);
+          if (info2.size > MAX_FILE_SIZE) continue;
           const content = await readFile2(fullPath, "utf-8");
           const lineCount = content.split("\n").length;
           files.push({ path: fullPath, relativePath: relPath, language, content, lineCount });
@@ -5962,33 +5962,36 @@ function computePerFileScores(findings, ctx) {
 
 // src/output/tease.ts
 init_esm_shims();
-function generateTeaseMessages(ctx, findings, premiumUsed) {
-  if (premiumUsed) return [];
+function generateTeaseMessages(ctx, findings, deepUsed) {
+  if (deepUsed) return [];
   const messages = [];
   const securityFindings = findings.filter((f) => f.analyzerId === "security");
   if (securityFindings.length > 0) {
     const errorCount = securityFindings.filter((f) => f.severity === "error").length;
     messages.push(
-      `${securityFindings.length} security issues found${errorCount > 0 ? ` (${errorCount} critical)` : ""} \u2014 run --ml for premium ML-powered context analysis`
+      `${securityFindings.length} security issues found${errorCount > 0 ? ` (${errorCount} critical)` : ""} \u2014 run \`vibedrift --deep\` for AI-powered context analysis`
     );
   }
   const complexityFindings = findings.filter((f) => f.analyzerId === "complexity");
   if (complexityFindings.length > 0) {
     messages.push(
-      `${complexityFindings.length} complexity concerns detected \u2014 run --ml for premium architectural recommendations`
+      `${complexityFindings.length} complexity concerns detected \u2014 run \`vibedrift --deep\` for AI-powered architectural recommendations`
     );
   }
   const deadCodeFindings = findings.filter((f) => f.analyzerId === "dead-code");
   if (deadCodeFindings.length > 0) {
     messages.push(
-      `Potential dead code detected \u2014 run --ml for premium semantic analysis`
+      `Potential dead code detected \u2014 run \`vibedrift --deep\` for AI-powered semantic analysis`
     );
   }
   if (ctx.files.length > 10 && messages.length === 0) {
     messages.push(
-      `Run --ml for premium architectural pattern detection and intent analysis`
+      `Run \`vibedrift --deep\` for AI-powered architectural pattern detection and intent analysis`
     );
   }
+  if (messages.length > 0) {
+    messages.push(`Sign in first with \`vibedrift login\` \u2014 it's free.`);
+  }
   return messages;
 }
 
@@ -6870,9 +6873,9 @@ function buildMlInsights(result) {
     </details>`;
   }).join("");
   return `<section class="section">
-  <div class="label">ML ANALYSIS <span style="font-size:11px;font-weight:400;letter-spacing:0;text-transform:none;color:var(--info-blue);margin-left:8px">Layer 2 &middot; UniXcoder Embeddings &middot; ${mlFindings.length} findings</span></div>
+  <div class="label">AI ANALYSIS <span style="font-size:11px;font-weight:400;letter-spacing:0;text-transform:none;color:var(--info-blue);margin-left:8px">Deep Layer &middot; Code Embeddings &middot; ${mlFindings.length} findings</span></div>
   <p style="font-size:13px;color:var(--text-secondary);margin-bottom:16px;line-height:1.6">
-    These findings were detected by the ML inference API using code embeddings. Only function snippets (not full files) were sent for analysis &mdash; snippets are processed in memory and not stored.
+    These findings were detected by VibeDrift&rsquo;s AI inference API. Only function snippets (not full files) were sent for analysis &mdash; snippets are processed in memory and not stored.
     Functions were embedded as 768-dimensional vectors and compared for semantic similarity, name-body alignment, and clustering anomalies.
   </p>
   ${sections}
@@ -6982,11 +6985,11 @@ function buildCodeDnaSummary(result) {
 </section>`;
 }
 function buildFooter(result) {
-  const hasMl = result.findings.some((f) => f.tags?.includes("ml")) || !!result.aiSummary;
-  const premiumUpsell = !hasMl ? `<div style="margin-top:16px;padding:14px 18px;background:var(--bg-surface);border-radius:0;border-left:3px solid var(--border);text-align:left;font-size:13px;color:var(--text-secondary);max-width:520px;margin-left:auto;margin-right:auto">
-    Want premium ML-powered analysis? Get a VibeDrift API key at <a href="https://vibedrift.ai" style="color:var(--text-primary);text-decoration:underline">vibedrift.ai</a><br>
-    <code class="mono" style="color:var(--text-primary);background:var(--bg-code);padding:2px 6px;border-radius:0;margin-top:4px;display:inline-block">vibedrift . --ml --ml-key vd_...</code>
-    <span data-copy="vibedrift . --ml --ml-key vd_..." style="cursor:pointer;margin-left:6px;font-size:11px;color:var(--text-tertiary)">[copy]</span>
+  const hasDeep = result.findings.some((f) => f.tags?.includes("ml")) || !!result.aiSummary;
+  const premiumUpsell = !hasDeep ? `<div style="margin-top:16px;padding:14px 18px;background:var(--bg-surface);border-radius:0;border-left:3px solid var(--border);text-align:left;font-size:13px;color:var(--text-secondary);max-width:520px;margin-left:auto;margin-right:auto">
+    Want AI-powered deep analysis? Sign in once with <code class="mono" style="color:var(--text-primary);background:var(--bg-code);padding:2px 6px;border-radius:0">vibedrift login</code> then run:<br>
+    <code class="mono" style="color:var(--text-primary);background:var(--bg-code);padding:2px 6px;border-radius:0;margin-top:4px;display:inline-block">vibedrift . --deep</code>
+    <span data-copy="vibedrift . --deep" style="cursor:pointer;margin-left:6px;font-size:11px;color:var(--text-tertiary)">[copy]</span>
   </div>` : "";
   return `<footer style="border-top:1px solid var(--border);padding-top:28px;margin-top:48px;text-align:center;color:var(--text-tertiary);font-size:13px">
   <div style="display:flex;gap:8px;justify-content:center;margin-bottom:20px;flex-wrap:wrap">
@@ -6996,7 +6999,7 @@ function buildFooter(result) {
   </div>
   <p>Generated by <span style="color:var(--text-primary);font-weight:600">VibeDrift v${getVersion()}</span></p>
   <p style="margin:4px 0">${result.context.files.length} files &middot; ${result.context.totalLines.toLocaleString()} lines &middot; ${(result.scanTimeMs / 1e3).toFixed(1)}s</p>
-  <p style="margin:4px 0;font-size:12px">${hasMl ? "Function snippets were sent to VibeDrift&rsquo;s ML API for analysis. No full files transmitted. Snippets processed in memory and not stored." : "No data sent externally."}</p>
+  <p style="margin:4px 0;font-size:12px">${hasDeep ? "Function snippets were sent to VibeDrift&rsquo;s AI API for analysis. No full files transmitted. Snippets processed in memory and not stored." : "No data sent externally."}</p>
   <p style="margin-top:10px">Fix the top issues and re-scan: <code class="mono" style="background:var(--bg-code);padding:2px 6px;border-radius:0;color:var(--text-primary)">vibedrift .</code> <span data-copy="vibedrift ." style="cursor:pointer;font-size:11px;color:var(--text-tertiary)">[copy]</span></p>
   ${premiumUpsell}
   <div style="margin-top:16px;padding:12px 18px;background:var(--bg-surface);border-radius:0;display:inline-block;text-align:left">
@@ -7404,16 +7407,25 @@ function esc2(s) { return String(s || '').replace(/&/g,'&amp;').replace(/</g,'&l
 // src/core/history.ts
 init_esm_shims();
 import { readdir as readdir2, readFile as readFile3, writeFile, mkdir } from "fs/promises";
+import { homedir } from "os";
+import { createHash } from "crypto";
 import { join as join4 } from "path";
-var HISTORY_DIR = ".vibedrift";
+var ROOT_DIR = join4(homedir(), ".vibedrift", "scans");
+function projectHash(rootDir) {
+  return createHash("sha256").update(rootDir).digest("hex").slice(0, 16);
+}
+function projectDir(rootDir) {
+  return join4(ROOT_DIR, projectHash(rootDir));
+}
 async function saveScanResult(rootDir, scores, compositeScore) {
-  const dir = join4(rootDir, HISTORY_DIR);
+  const dir = projectDir(rootDir);
   try {
-    await mkdir(dir, { recursive: true });
+    await mkdir(dir, { recursive: true, mode: 448 });
   } catch {
   }
   const data = {
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    rootDir,
     scores,
     compositeScore
   };
@@ -7421,7 +7433,7 @@ async function saveScanResult(rootDir, scores, compositeScore) {
   await writeFile(join4(dir, filename), JSON.stringify(data, null, 2));
 }
 async function loadPreviousScores(rootDir) {
-  const dir = join4(rootDir, HISTORY_DIR);
+  const dir = projectDir(rootDir);
   try {
     const files = await readdir2(dir);
     const scanFiles = files.filter((f) => f.startsWith("scan-") && f.endsWith(".json")).sort().reverse();
@@ -7434,12 +7446,196 @@ async function loadPreviousScores(rootDir) {
   }
 }
 
+// src/core/file-filter.ts
+init_esm_shims();
+function applyIncludeExclude(files, includes, excludes) {
+  const includeRegexes = includes.map(globToRegex);
+  const excludeRegexes = excludes.map(globToRegex);
+  const useInclude = includeRegexes.length > 0;
+  return files.filter((file) => {
+    const path2 = file.relativePath;
+    if (useInclude && !includeRegexes.some((re) => re.test(path2))) {
+      return false;
+    }
+    if (excludeRegexes.some((re) => re.test(path2))) {
+      return false;
+    }
+    return true;
+  });
+}
+function globToRegex(glob) {
+  let pattern = glob.replace(/^\.\//, "");
+  if (pattern.endsWith("/")) {
+    pattern = pattern + "**";
+  }
+  let result = "";
+  let i = 0;
+  let inClass = false;
+  while (i < pattern.length) {
+    const ch = pattern[i];
+    if (inClass) {
+      if (ch === "]") {
+        inClass = false;
+        result += "]";
+      } else {
+        result += escapeInClass(ch);
+      }
+      i++;
+      continue;
+    }
+    switch (ch) {
+      case "*": {
+        if (pattern[i + 1] === "*") {
+          if (pattern[i + 2] === "/") {
+            result += "(?:.*/)?";
+            i += 3;
+          } else {
+            result += ".*";
+            i += 2;
+          }
+        } else {
+          result += "[^/]*";
+          i++;
+        }
+        break;
+      }
+      case "?": {
+        result += "[^/]";
+        i++;
+        break;
+      }
+      case "[": {
+        inClass = true;
+        result += "[";
+        i++;
+        break;
+      }
+      case "{": {
+        const close = pattern.indexOf("}", i);
+        if (close === -1) {
+          result += "\\{";
+          i++;
+          break;
+        }
+        const inner = pattern.slice(i + 1, close);
+        const parts = inner.split(",").map((p) => p.trim()).filter(Boolean);
+        if (parts.length > 0) {
+          result += "(?:" + parts.map(escapeRegex2).join("|") + ")";
+        } else {
+          result += "\\{\\}";
+        }
+        i = close + 1;
+        break;
+      }
+      default: {
+        result += escapeRegex2(ch);
+        i++;
+        break;
+      }
+    }
+  }
+  return new RegExp("^" + result + "$");
+}
+function escapeRegex2(ch) {
+  if (/[.+^${}()|\\]/.test(ch)) return "\\" + ch;
+  return ch;
+}
+function escapeInClass(ch) {
+  if (ch === "\\") return "\\\\";
+  return ch;
+}
+
+// src/auth/resolver.ts
+init_esm_shims();
+
+// src/auth/config.ts
+init_esm_shims();
+import { homedir as homedir2 } from "os";
+import { join as join5 } from "path";
+import { readFile as readFile4, writeFile as writeFile2, mkdir as mkdir2, chmod, unlink, stat as stat2 } from "fs/promises";
+var DEFAULT_DIR = join5(homedir2(), ".vibedrift");
+var DEFAULT_FILE = join5(DEFAULT_DIR, "config.json");
+function getConfigDir() {
+  return DEFAULT_DIR;
+}
+function getConfigPath() {
+  return DEFAULT_FILE;
+}
+async function ensureConfigDir() {
+  await mkdir2(DEFAULT_DIR, { recursive: true, mode: 448 });
+}
+async function readConfig() {
+  try {
+    const raw = await readFile4(DEFAULT_FILE, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== "object" || parsed === null) return {};
+    return parsed;
+  } catch (err) {
+    if (err?.code === "ENOENT") return {};
+    process.stderr.write(`vibedrift: warning \u2014 config at ${DEFAULT_FILE} is unreadable (${err?.message ?? err}). Treating as empty.
+`);
+    return {};
+  }
+}
+async function writeConfig(config) {
+  await ensureConfigDir();
+  const json = JSON.stringify(config, null, 2);
+  await writeFile2(DEFAULT_FILE, json, { mode: 384 });
+  try {
+    await chmod(DEFAULT_FILE, 384);
+  } catch {
+  }
+}
+async function clearConfig() {
+  try {
+    await unlink(DEFAULT_FILE);
+  } catch (err) {
+    if (err?.code !== "ENOENT") throw err;
+  }
+}
+async function patchConfig(patch) {
+  const current = await readConfig();
+  const next = { ...current, ...patch };
+  await writeConfig(next);
+  return next;
+}
+
+// src/auth/resolver.ts
+async function resolveToken(input = {}) {
+  if (input.explicitToken && input.explicitToken.trim().length > 0) {
+    return { token: input.explicitToken.trim(), source: "flag" };
+  }
+  const fromEnv = process.env.VIBEDRIFT_TOKEN;
+  if (fromEnv && fromEnv.trim().length > 0) {
+    return { token: fromEnv.trim(), source: "env" };
+  }
+  const config = await readConfig();
+  if (config.token && config.token.trim().length > 0) {
+    return { token: config.token.trim(), source: "config" };
+  }
+  return null;
+}
+async function resolveApiUrl(explicitUrl) {
+  if (explicitUrl && explicitUrl.trim().length > 0) return explicitUrl.trim();
+  if (process.env.VIBEDRIFT_API_URL && process.env.VIBEDRIFT_API_URL.trim().length > 0) {
+    return process.env.VIBEDRIFT_API_URL.trim();
+  }
+  const config = await readConfig();
+  if (config.apiUrl && config.apiUrl.trim().length > 0) return config.apiUrl.trim();
+  return "https://vibedrift-api.fly.dev";
+}
+function previewToken(token) {
+  if (!token) return "(none)";
+  if (token.length <= 12) return token.slice(0, 4) + "\u2026";
+  return token.slice(0, 12) + "\u2026";
+}
+
 // src/cli/commands/scan.ts
 async function runScan(targetPath, options) {
   const rootDir = resolve(targetPath);
   try {
-    const info = await stat2(rootDir);
-    if (!info.isDirectory()) {
+    const info2 = await stat3(rootDir);
+    if (!info2.isDirectory()) {
       console.error(`Error: ${rootDir} is not a directory`);
       process.exit(1);
     }
@@ -7447,12 +7643,39 @@ async function runScan(targetPath, options) {
     console.error(`Error: ${rootDir} does not exist`);
     process.exit(1);
   }
+  let bearerToken = null;
+  let apiUrl = options.apiUrl;
+  if (options.deep) {
+    const resolved = await resolveToken();
+    if (!resolved) {
+      console.error("");
+      console.error(chalk2.red("  \u2717 Deep scans require a VibeDrift account."));
+      console.error("");
+      console.error("    Run " + chalk2.bold("vibedrift login") + " to sign in.");
+      console.error("    Or set " + chalk2.bold("VIBEDRIFT_TOKEN") + " in your environment for CI.");
+      console.error("");
+      process.exit(1);
+    }
+    bearerToken = resolved.token;
+    apiUrl = await resolveApiUrl(options.apiUrl);
+  }
   const startTime = Date.now();
   const timings = {};
   const isTerminal = options.format === "terminal" && !options.json;
   const spinner = isTerminal ? ora("Discovering files...").start() : null;
   const t0 = Date.now();
   const { ctx, warnings } = await buildAnalysisContext(rootDir);
+  const includes = options.include ?? [];
+  const excludes = options.exclude ?? [];
+  if (includes.length > 0 || excludes.length > 0) {
+    const before = ctx.files.length;
+    const filtered = applyIncludeExclude(ctx.files, includes, excludes);
+    ctx.files = filtered;
+    ctx.totalLines = filtered.reduce((sum, f) => sum + f.lineCount, 0);
+    if (options.verbose) {
+      console.error(chalk2.dim(`[filter] ${before} \u2192 ${filtered.length} files after include/exclude`));
+    }
+  }
   timings.discovery = Date.now() - t0;
   if (isTerminal) {
     if (warnings.truncated) {
@@ -7503,26 +7726,27 @@ Warning: File limit reached (${warnings.truncatedAt}). Only partial coverage \u2
     }
   }
   let mlMediumConfidence = [];
-  if (options.ml) {
+  if (options.deep && bearerToken) {
     const t5 = Date.now();
-    if (spinner) spinner.text = "Connecting to ML service (may take ~30s on cold start)...";
+    if (spinner) spinner.text = "Running AI deep analysis (may take ~30s on cold start)...";
     try {
       const { runMlAnalysis: runMlAnalysis2 } = await Promise.resolve().then(() => (init_ml_client(), ml_client_exports));
       const mlResult = await runMlAnalysis2(ctx, codeDnaResult, allFindings, {
-        mlKey: options.mlKey,
-        mlUrl: options.mlUrl,
+        token: bearerToken,
+        apiUrl,
         verbose: options.verbose,
         driftFindings: driftResult.driftFindings
       });
       allFindings.push(...mlResult.highConfidence);
       mlMediumConfidence = mlResult.mediumConfidence;
       if (options.verbose) {
-        console.error(`[ml] ${mlResult.highConfidence.length} high-confidence findings shipped, ${mlResult.mediumConfidence.length} sent to LLM, ${mlResult.droppedCount} dropped`);
+        console.error(`[deep] ${mlResult.highConfidence.length} high-confidence findings shipped, ${mlResult.mediumConfidence.length} sent to LLM, ${mlResult.droppedCount} dropped`);
       }
     } catch (err) {
-      console.error(`[ml] ML analysis failed: ${err.message}`);
+      console.error(chalk2.red(`[deep] AI analysis failed: ${err.message}`));
+      console.error(chalk2.dim("       The local scan will continue. Run `vibedrift doctor` if this persists."));
     }
-    timings.ml = Date.now() - t5;
+    timings.deep = Date.now() - t5;
   }
   const { deduplicateFindingsAcrossLayers: deduplicateFindingsAcrossLayers2 } = await Promise.resolve().then(() => (init_dedup(), dedup_exports));
   const dedupedCount = allFindings.length;
@@ -7541,13 +7765,13 @@ Warning: File limit reached (${warnings.truncatedAt}). Only partial coverage \u2
     previousScores ?? void 0
   );
   const deepInsights = [];
-  const teaseMessages = generateTeaseMessages(ctx, allFindings, false);
+  const teaseMessages = generateTeaseMessages(ctx, allFindings, options.deep === true);
   const scanTimeMs = Date.now() - startTime;
   if (spinner) spinner.stop();
   const layer1Ms = (timings.discovery ?? 0) + (timings.parsing ?? 0) + (timings.analyzers ?? 0) + (timings.drift ?? 0);
   const parts = [`Layer 1: ${(layer1Ms / 1e3).toFixed(1)}s`];
   if (timings.codedna) parts.push(`Code DNA: ${(timings.codedna / 1e3).toFixed(1)}s`);
-  if (timings.ml) parts.push(`ML API: ${(timings.ml / 1e3).toFixed(1)}s`);
+  if (timings.deep) parts.push(`AI: ${(timings.deep / 1e3).toFixed(1)}s`);
   parts.push(`Total: ${(scanTimeMs / 1e3).toFixed(1)}s`);
   console.error(chalk2.dim(`  ${parts.join(" \xB7 ")}`));
   const result = {
@@ -7564,13 +7788,13 @@ Warning: File limit reached (${warnings.truncatedAt}). Only partial coverage \u2
     perFileScores,
     codeDnaResult
   };
-  if (options.ml) {
+  if (options.deep && bearerToken) {
     if (spinner) spinner.text = "Generating AI summary...";
     try {
       const { fetchAiSummary: fetchAiSummary2 } = await Promise.resolve().then(() => (init_summarize(), summarize_exports));
-      const apiUrl = options.mlUrl ?? "https://vibedrift-api.fly.dev";
-      if (options.verbose) console.error(`[summary] Calling ${apiUrl}/v1/summarize...`);
-      const summary = await fetchAiSummary2(result, apiUrl, options.mlKey);
+      const targetUrl = apiUrl ?? "https://vibedrift-api.fly.dev";
+      if (options.verbose) console.error(`[summary] Calling ${targetUrl}/v1/summarize...`);
+      const summary = await fetchAiSummary2(result, targetUrl, bearerToken);
       if (summary) {
         result.aiSummary = summary;
         if (options.verbose) console.error(`[summary] AI summary generated (${summary.highlights.length} highlights)`);
@@ -7586,7 +7810,7 @@ Warning: File limit reached (${warnings.truncatedAt}). Only partial coverage \u2
   if (format === "html") {
     const html = renderHtmlReport(result);
     const outputPath = options.output ?? "vibedrift-report.html";
-    await writeFile2(outputPath, html);
+    await writeFile3(outputPath, html);
     const { createServer } = await import("http");
     const server = createServer((req, res) => {
       res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
@@ -7612,18 +7836,18 @@ Warning: File limit reached (${warnings.truncatedAt}). Only partial coverage \u2
     const { renderCsvReport: renderCsvReport2 } = await Promise.resolve().then(() => (init_csv(), csv_exports));
     const csv = renderCsvReport2(result);
     const outputPath = options.output ?? "vibedrift-report.csv";
-    await writeFile2(outputPath, csv);
+    await writeFile3(outputPath, csv);
     console.log(`CSV report written to ${outputPath}`);
   } else if (format === "docx") {
     const { renderDocxReport: renderDocxReport2 } = await Promise.resolve().then(() => (init_docx(), docx_exports));
     const docx = renderDocxReport2(result);
     const outputPath = options.output ?? "vibedrift-report.docx";
-    await writeFile2(outputPath, docx);
+    await writeFile3(outputPath, docx);
     console.log(`DOCX report written to ${outputPath}`);
   } else if (format === "json") {
     const json = renderJsonOutput(result);
     if (options.output) {
-      await writeFile2(options.output, json);
+      await writeFile3(options.output, json);
       console.log(`JSON report written to ${options.output}`);
     } else {
       console.log(json);
@@ -7728,6 +7952,614 @@ Update failed: ${message}`));
   });
 }
 
+// src/cli/commands/login.ts
+init_esm_shims();
+import chalk4 from "chalk";
+
+// src/auth/api.ts
+init_esm_shims();
+var REQUEST_TIMEOUT_MS = 3e4;
+var VibeDriftApiError = class extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+    this.name = "VibeDriftApiError";
+  }
+  status;
+};
+async function jsonFetch(url, init = {}) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+  try {
+    const res = await fetch(url, {
+      ...init,
+      signal: controller.signal,
+      headers: {
+        Accept: "application/json",
+        ...init.body ? { "Content-Type": "application/json" } : {},
+        ...init.headers ?? {}
+      }
+    });
+    if (!res.ok) {
+      let detail = "";
+      try {
+        const body = await res.json();
+        detail = body.detail ?? body.message ?? "";
+      } catch {
+        try {
+          detail = await res.text();
+        } catch {
+        }
+      }
+      throw new VibeDriftApiError(res.status, detail || `HTTP ${res.status}`);
+    }
+    return await res.json();
+  } catch (err) {
+    if (err?.name === "AbortError") {
+      throw new VibeDriftApiError(0, `Request timed out after ${REQUEST_TIMEOUT_MS / 1e3}s`);
+    }
+    if (err instanceof VibeDriftApiError) throw err;
+    throw new VibeDriftApiError(0, err?.message ?? String(err));
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function startDeviceAuth(opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  return jsonFetch(`${base}/auth/device`, {
+    method: "POST",
+    body: JSON.stringify({ client_id: "vibedrift-cli" })
+  });
+}
+async function pollDeviceAuth(deviceCode, opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  return jsonFetch(`${base}/auth/poll`, {
+    method: "POST",
+    body: JSON.stringify({ device_code: deviceCode })
+  });
+}
+async function validateToken(token, opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  return jsonFetch(`${base}/auth/validate`, {
+    method: "GET",
+    headers: { Authorization: `Bearer ${token}` }
+  });
+}
+async function revokeToken(token, opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  await jsonFetch(`${base}/auth/revoke`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${token}` }
+  });
+}
+async function fetchUsage(token, opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  return jsonFetch(`${base}/account/usage`, {
+    method: "GET",
+    headers: { Authorization: `Bearer ${token}` }
+  });
+}
+async function createPortalSession(token, opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  return jsonFetch(`${base}/account/portal`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${token}` }
+  });
+}
+
+// src/auth/browser.ts
+init_esm_shims();
+import { spawn as spawn2 } from "child_process";
+function openInBrowser(url) {
+  if (!isInteractive()) return false;
+  const env = process.env.BROWSER;
+  if (env && env.length > 0 && env !== "none") {
+    return spawnDetached(env, [url]);
+  }
+  switch (process.platform) {
+    case "darwin":
+      return spawnDetached("open", [url]);
+    case "win32":
+      return spawnDetached("cmd", ["/c", "start", "", url]);
+    default:
+      return spawnDetached("xdg-open", [url]);
+  }
+}
+function isInteractive() {
+  if (process.env.CI === "true" || process.env.CI === "1") return false;
+  if (process.env.VIBEDRIFT_NO_BROWSER === "1") return false;
+  return process.stdout.isTTY ?? false;
+}
+function spawnDetached(cmd, args) {
+  try {
+    const child = spawn2(cmd, args, {
+      detached: true,
+      stdio: "ignore",
+      shell: false
+    });
+    child.on("error", () => {
+    });
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/cli/commands/login.ts
+async function runLogin(options = {}) {
+  const existing = await readConfig();
+  if (existing.token) {
+    console.log(
+      chalk4.yellow(
+        `
+  You're already logged in as ${chalk4.bold(existing.email ?? "unknown")} (${existing.plan ?? "free"}).`
+      )
+    );
+    console.log(chalk4.dim(`  Token: ${previewToken(existing.token)}`));
+    console.log(chalk4.dim("  Continuing will replace this token.\n"));
+  }
+  let device;
+  try {
+    device = await startDeviceAuth({ apiUrl: options.apiUrl });
+  } catch (err) {
+    fail("Could not start the login flow", err);
+    return;
+  }
+  console.log("");
+  console.log(chalk4.bold("  First, copy your one-time code:"));
+  console.log("");
+  console.log(`    ${chalk4.bgYellow.black.bold(`  ${device.user_code}  `)}`);
+  console.log("");
+  console.log(chalk4.dim(`  This code expires in ${formatDuration(device.expires_in)}.`));
+  console.log("");
+  const opened = !options.noBrowser && openInBrowser(device.verification_uri_complete);
+  if (opened) {
+    console.log(chalk4.bold("  Opened your browser to:"));
+  } else {
+    console.log(chalk4.bold("  Open this URL in your browser:"));
+  }
+  console.log(`    ${chalk4.cyan(device.verification_uri_complete)}`);
+  console.log("");
+  console.log(chalk4.dim("  Waiting for you to authorize the CLI..."));
+  console.log("");
+  let interval = Math.max(1, device.interval);
+  const deadline = Date.now() + device.expires_in * 1e3;
+  while (Date.now() < deadline) {
+    await sleep(interval * 1e3);
+    let result;
+    try {
+      result = await pollDeviceAuth(device.device_code, { apiUrl: options.apiUrl });
+    } catch (err) {
+      if (err instanceof VibeDriftApiError && err.status === 429) {
+        interval = Math.min(interval * 2, 30);
+        continue;
+      }
+      fail("Polling for authorization failed", err);
+      return;
+    }
+    if (result.status === "pending") continue;
+    if (result.status === "authorized") {
+      await patchConfig({
+        token: result.access_token,
+        email: result.email,
+        plan: result.plan,
+        expiresAt: result.expires_at,
+        loggedInAt: (/* @__PURE__ */ new Date()).toISOString(),
+        apiUrl: options.apiUrl
+      });
+      console.log(chalk4.green("  \u2713 Logged in successfully."));
+      console.log("");
+      console.log(`  Account: ${chalk4.bold(result.email)}`);
+      console.log(`  Plan:    ${chalk4.bold(result.plan)}`);
+      console.log("");
+      if (result.plan === "free") {
+        console.log(chalk4.dim("  Run `vibedrift upgrade` to enable deep AI scans."));
+        console.log("");
+      } else {
+        console.log(chalk4.dim("  Run `vibedrift . --deep` to use AI-powered analysis."));
+        console.log("");
+      }
+      return;
+    }
+    if (result.status === "denied") {
+      console.error(chalk4.red("\n  \u2717 Authorization was denied in the browser."));
+      console.error(chalk4.dim("    Run `vibedrift login` again to retry.\n"));
+      process.exit(1);
+    }
+    if (result.status === "expired") {
+      console.error(chalk4.red("\n  \u2717 The login code expired before you authorized it."));
+      console.error(chalk4.dim("    Run `vibedrift login` again to retry.\n"));
+      process.exit(1);
+    }
+  }
+  console.error(chalk4.red("\n  \u2717 Login timed out before authorization completed."));
+  console.error(chalk4.dim("    Run `vibedrift login` again to retry.\n"));
+  process.exit(1);
+}
+function fail(intro, err) {
+  const msg = err instanceof VibeDriftApiError ? `${err.status ? `HTTP ${err.status}: ` : ""}${err.message}` : err instanceof Error ? err.message : String(err);
+  console.error(chalk4.red(`
+  \u2717 ${intro}: ${msg}
+`));
+  process.exit(1);
+}
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+function formatDuration(seconds) {
+  if (seconds < 60) return `${seconds}s`;
+  const m = Math.round(seconds / 60);
+  return `${m} minute${m === 1 ? "" : "s"}`;
+}
+
+// src/cli/commands/logout.ts
+init_esm_shims();
+import chalk5 from "chalk";
+async function runLogout() {
+  const config = await readConfig();
+  if (!config.token) {
+    console.log(chalk5.dim("  Not logged in. Nothing to do."));
+    return;
+  }
+  try {
+    await revokeToken(config.token, { apiUrl: config.apiUrl });
+  } catch (err) {
+    if (err instanceof VibeDriftApiError && (err.status === 401 || err.status === 404)) {
+    } else {
+      console.warn(
+        chalk5.yellow(
+          `  \u26A0 Could not revoke token on the server: ${err instanceof Error ? err.message : String(err)}`
+        )
+      );
+      console.warn(chalk5.dim("    Local token will still be removed."));
+    }
+  }
+  await clearConfig();
+  console.log(chalk5.green("  \u2713 Logged out."));
+}
+
+// src/cli/commands/status.ts
+init_esm_shims();
+import chalk6 from "chalk";
+init_version();
+async function runStatus() {
+  const version = getVersion();
+  const config = await readConfig();
+  const resolved = await resolveToken();
+  console.log("");
+  console.log(chalk6.bold(`  VibeDrift CLI v${version}`));
+  console.log("");
+  if (!resolved) {
+    console.log(`  Status:  ${chalk6.dim("not logged in")}`);
+    console.log(`  Config:  ${chalk6.dim(getConfigPath())}`);
+    console.log("");
+    console.log(chalk6.dim("  Run `vibedrift login` to authenticate."));
+    console.log("");
+    return;
+  }
+  console.log(`  Status:  ${chalk6.green("authenticated")}`);
+  console.log(`  Source:  ${chalk6.dim(describeSource(resolved.source))}`);
+  console.log(`  Token:   ${chalk6.dim(previewToken(resolved.token))}`);
+  if (resolved.source === "config") {
+    if (config.email) console.log(`  Account: ${chalk6.bold(config.email)}`);
+    if (config.plan) console.log(`  Plan:    ${chalk6.bold(config.plan)}`);
+    if (config.expiresAt) console.log(`  Expires: ${chalk6.dim(config.expiresAt)}`);
+    console.log(`  Config:  ${chalk6.dim(getConfigPath())}`);
+  }
+  console.log("");
+  process.stdout.write(chalk6.dim("  Validating token with server... "));
+  try {
+    const result = await validateToken(resolved.token, { apiUrl: config.apiUrl });
+    if (result.valid) {
+      console.log(chalk6.green("ok"));
+      if (result.email && result.email !== config.email) {
+        console.log(chalk6.dim(`  Server account: ${result.email} (config out of sync \u2014 run \`vibedrift login\` to refresh)`));
+      }
+      if (result.plan && result.plan !== config.plan) {
+        console.log(chalk6.dim(`  Server plan: ${result.plan} (config out of sync \u2014 run \`vibedrift login\` to refresh)`));
+      }
+    } else {
+      console.log(chalk6.red("invalid"));
+      console.log(chalk6.dim("  Run `vibedrift login` to re-authenticate."));
+    }
+  } catch (err) {
+    console.log(chalk6.yellow("offline"));
+    if (err instanceof VibeDriftApiError) {
+      console.log(chalk6.dim(`  ${err.message}`));
+    }
+  }
+  console.log("");
+}
+function describeSource(source) {
+  switch (source) {
+    case "flag":
+      return "command-line flag";
+    case "env":
+      return "VIBEDRIFT_TOKEN environment variable";
+    case "config":
+      return "~/.vibedrift/config.json";
+  }
+}
+
+// src/cli/commands/usage.ts
+init_esm_shims();
+import chalk7 from "chalk";
+async function runUsage() {
+  const resolved = await resolveToken();
+  if (!resolved) {
+    console.error(chalk7.red("\n  \u2717 Not logged in. Run `vibedrift login` first.\n"));
+    process.exit(1);
+  }
+  const config = await readConfig();
+  let data;
+  try {
+    data = await fetchUsage(resolved.token, { apiUrl: config.apiUrl });
+  } catch (err) {
+    if (err instanceof VibeDriftApiError && err.status === 401) {
+      console.error(chalk7.red("\n  \u2717 Your token is invalid or expired. Run `vibedrift login` to re-authenticate.\n"));
+      process.exit(1);
+    }
+    console.error(chalk7.red(`
+  \u2717 Could not fetch usage: ${err instanceof Error ? err.message : String(err)}
+`));
+    process.exit(1);
+  }
+  console.log("");
+  console.log(chalk7.bold("  Account"));
+  console.log(`    Email:   ${chalk7.bold(data.user.email)}`);
+  console.log(`    Plan:    ${chalk7.bold(data.user.plan)}`);
+  console.log("");
+  console.log(chalk7.bold("  Current period"));
+  console.log(`    From:    ${chalk7.dim(formatDate(data.current_period.start))}`);
+  console.log(`    To:      ${chalk7.dim(formatDate(data.current_period.end))}`);
+  console.log(`    Scans:   ${chalk7.bold(data.current_period.scans.toString())}`);
+  console.log(`    Deep:    ${chalk7.bold(data.current_period.deep_scans.toString())}`);
+  console.log("");
+  console.log(chalk7.bold("  Limits"));
+  const deepLimit = data.limits.deep_scans_per_month;
+  console.log(`    Deep:    ${deepLimit === null ? chalk7.green("unlimited") : `${deepLimit}/month`}`);
+  console.log(`    Rate:    ${data.limits.rate_limit_per_min} requests/minute`);
+  console.log("");
+  if (data.recent_scans.length > 0) {
+    console.log(chalk7.bold(`  Recent scans (${data.recent_scans.length})`));
+    for (const scan of data.recent_scans.slice(0, 10)) {
+      const flag = scan.is_deep ? chalk7.cyan("deep") : chalk7.dim("std ");
+      const score = scan.score === null ? chalk7.dim("\u2014") : chalk7.bold(String(Math.round(scan.score))).padEnd(3);
+      console.log(`    ${flag}  ${score}  ${chalk7.dim(formatDateTime(scan.created_at))}  ${chalk7.dim(scan.project_hash.slice(0, 12))}`);
+    }
+    console.log("");
+  }
+}
+function formatDate(iso) {
+  try {
+    return new Date(iso).toISOString().slice(0, 10);
+  } catch {
+    return iso;
+  }
+}
+function formatDateTime(iso) {
+  try {
+    const d = new Date(iso);
+    return d.toISOString().slice(0, 16).replace("T", " ");
+  } catch {
+    return iso;
+  }
+}
+
+// src/cli/commands/upgrade.ts
+init_esm_shims();
+import chalk8 from "chalk";
+var PRICING_URL = "https://vibedrift.ai/pricing";
+async function runUpgrade() {
+  console.log("");
+  console.log(chalk8.bold("  Upgrade your VibeDrift plan"));
+  console.log("");
+  console.log(`    ${chalk8.cyan(PRICING_URL)}`);
+  console.log("");
+  const opened = openInBrowser(PRICING_URL);
+  if (opened) {
+    console.log(chalk8.dim("  Opened in your browser."));
+  } else {
+    console.log(chalk8.dim("  Open the link above in your browser."));
+  }
+  console.log("");
+  console.log(chalk8.dim("  After upgrading, run `vibedrift login` to refresh your plan locally."));
+  console.log("");
+}
+
+// src/cli/commands/billing.ts
+init_esm_shims();
+import chalk9 from "chalk";
+async function runBilling() {
+  const resolved = await resolveToken();
+  if (!resolved) {
+    console.error(chalk9.red("\n  \u2717 Not logged in. Run `vibedrift login` first.\n"));
+    process.exit(1);
+  }
+  const config = await readConfig();
+  let portal;
+  try {
+    portal = await createPortalSession(resolved.token, { apiUrl: config.apiUrl });
+  } catch (err) {
+    if (err instanceof VibeDriftApiError) {
+      if (err.status === 401) {
+        console.error(chalk9.red("\n  \u2717 Your token is invalid or expired. Run `vibedrift login`.\n"));
+        process.exit(1);
+      }
+      if (err.status === 402 || err.status === 404) {
+        console.error(chalk9.yellow("\n  \u26A0 No billing account found for this user."));
+        console.error(chalk9.dim("    Run `vibedrift upgrade` to start a paid plan first.\n"));
+        process.exit(1);
+      }
+    }
+    console.error(chalk9.red(`
+  \u2717 Could not open billing portal: ${err instanceof Error ? err.message : String(err)}
+`));
+    process.exit(1);
+  }
+  console.log("");
+  console.log(chalk9.bold("  Stripe Customer Portal"));
+  console.log("");
+  console.log(`    ${chalk9.cyan(portal.url)}`);
+  console.log("");
+  const opened = openInBrowser(portal.url);
+  if (opened) {
+    console.log(chalk9.dim("  Opened in your browser. The link is single-use and expires shortly."));
+  } else {
+    console.log(chalk9.dim("  Open the link above in your browser. It's single-use and expires shortly."));
+  }
+  console.log("");
+}
+
+// src/cli/commands/doctor.ts
+init_esm_shims();
+import chalk10 from "chalk";
+import { homedir as homedir3, platform, arch } from "os";
+import { join as join6 } from "path";
+import { stat as stat4, access, constants } from "fs/promises";
+init_version();
+async function runDoctor() {
+  let failures = 0;
+  console.log("");
+  console.log(chalk10.bold("  VibeDrift Doctor"));
+  console.log("");
+  console.log(chalk10.bold("  Environment"));
+  ok("CLI version", getVersion());
+  ok("Node", process.version);
+  ok("Platform", `${platform()} ${arch()}`);
+  ok("HOME", homedir3());
+  console.log("");
+  console.log(chalk10.bold("  Config"));
+  const configDir = getConfigDir();
+  const configPath = getConfigPath();
+  let configDirOk = false;
+  try {
+    const info2 = await stat4(configDir);
+    if (info2.isDirectory()) {
+      configDirOk = true;
+      const mode = (info2.mode & 511).toString(8);
+      ok("Config dir", `${configDir} (mode ${mode})`);
+    } else {
+      bad(`Config dir exists but is not a directory: ${configDir}`);
+      failures++;
+    }
+  } catch {
+    info("Config dir", `${configDir} (will be created on first login)`);
+    configDirOk = true;
+  }
+  if (configDirOk) {
+    try {
+      await access(configPath, constants.R_OK);
+      const info2 = await stat4(configPath);
+      const mode = (info2.mode & 511).toString(8);
+      if ((info2.mode & 63) !== 0) {
+        warn("Config file", `${configPath} (mode ${mode}, world/group readable \u2014 should be 600)`);
+      } else {
+        ok("Config file", `${configPath} (mode ${mode})`);
+      }
+    } catch {
+      info("Config file", "absent (not logged in)");
+    }
+  }
+  const historyDir = join6(homedir3(), ".vibedrift", "scans");
+  try {
+    const info2 = await stat4(historyDir);
+    if (info2.isDirectory()) ok("Scan history", historyDir);
+    else warn("Scan history", `${historyDir} exists but is not a directory`);
+  } catch {
+    info("Scan history", "empty (no scans run yet)");
+  }
+  console.log("");
+  console.log(chalk10.bold("  Authentication"));
+  const config = await readConfig();
+  const resolved = await resolveToken();
+  if (!resolved) {
+    info("Login state", "not logged in");
+  } else {
+    ok("Token source", describeSource2(resolved.source));
+    ok("Token preview", previewToken(resolved.token));
+    if (resolved.source === "config") {
+      if (config.email) ok("Email", config.email);
+      if (config.plan) ok("Plan", config.plan);
+      if (config.expiresAt) {
+        const expires = new Date(config.expiresAt).getTime();
+        const now = Date.now();
+        if (expires < now) {
+          bad(`Token expired ${Math.floor((now - expires) / 864e5)} days ago`);
+          failures++;
+        } else {
+          ok("Token expires", `${config.expiresAt} (${Math.ceil((expires - now) / 864e5)} days)`);
+        }
+      }
+    }
+  }
+  console.log("");
+  console.log(chalk10.bold("  API"));
+  const apiUrl = await resolveApiUrl();
+  ok("API URL", apiUrl);
+  if (resolved) {
+    process.stdout.write(`    ${chalk10.dim("\u2192 Validating token... ")}`);
+    try {
+      const result = await validateToken(resolved.token, { apiUrl });
+      if (result.valid) {
+        console.log(chalk10.green("ok"));
+      } else {
+        console.log(chalk10.red("invalid token"));
+        failures++;
+      }
+    } catch (err) {
+      console.log(chalk10.red("unreachable"));
+      console.log(`    ${chalk10.dim("  ")}${err instanceof VibeDriftApiError ? err.message : String(err)}`);
+      failures++;
+    }
+  } else {
+    process.stdout.write(`    ${chalk10.dim("\u2192 Pinging API... ")}`);
+    try {
+      const res = await fetch(`${apiUrl}/health`, { signal: AbortSignal.timeout(1e4) });
+      if (res.ok) console.log(chalk10.green("ok"));
+      else {
+        console.log(chalk10.yellow(`HTTP ${res.status}`));
+        failures++;
+      }
+    } catch (err) {
+      console.log(chalk10.red("unreachable"));
+      console.log(`    ${chalk10.dim("  ")}${err instanceof Error ? err.message : String(err)}`);
+      failures++;
+    }
+  }
+  console.log("");
+  if (failures === 0) {
+    console.log(chalk10.green("  \u2713 All checks passed."));
+  } else {
+    console.log(chalk10.red(`  \u2717 ${failures} check${failures === 1 ? "" : "s"} failed.`));
+  }
+  console.log("");
+  process.exit(failures === 0 ? 0 : 1);
+}
+function ok(label, value) {
+  console.log(`    ${chalk10.green("\u2713")} ${label.padEnd(14)} ${chalk10.dim(value)}`);
+}
+function warn(label, value) {
+  console.log(`    ${chalk10.yellow("\u26A0")} ${label.padEnd(14)} ${chalk10.dim(value)}`);
+}
+function bad(value) {
+  console.log(`    ${chalk10.red("\u2717")} ${chalk10.red(value)}`);
+}
+function info(label, value) {
+  console.log(`    ${chalk10.dim("\xB7")} ${label.padEnd(14)} ${chalk10.dim(value)}`);
+}
+function describeSource2(source) {
+  switch (source) {
+    case "flag":
+      return "command-line flag";
+    case "env":
+      return "VIBEDRIFT_TOKEN environment variable";
+    case "config":
+      return "~/.vibedrift/config.json";
+  }
+}
+
 // src/cli/index.ts
 init_version();
 var VERSION = getVersion();
@@ -7741,10 +8573,14 @@ function parseScoreThreshold(value) {
   }
   return n;
 }
+function collect(value, previous) {
+  return previous.concat([value]);
+}
 var program = new Command();
 program.name("vibedrift").description(
   "Detect drift, contradictions, and security gaps in AI-generated codebases."
-).version(VERSION, "-V, --version", "show the installed version").helpOption("-h, --help", "show this help").argument("[path]", "path to project directory", ".").option(
+).version(VERSION, "-V, --version", "show the installed version").helpOption("-h, --help", "show this help");
+program.command("scan", { isDefault: true }).description("Scan a project for vibe drift (default command)").argument("[path]", "path to project directory", ".").option(
   "--format <type>",
   "output format: html, terminal, json, csv, docx",
   "html"
@@ -7752,8 +8588,24 @@ program.name("vibedrift").description(
   "--fail-on-score <n>",
   "exit with code 1 if composite score is below this threshold",
   parseScoreThreshold
-).option("--no-codedna", "skip Code DNA semantic analysis").option("--ml", "enable premium ML-powered analysis (requires VibeDrift key)").option("--ml-key <key>", "VibeDrift API key for premium features").option("--update", "update VibeDrift CLI to the latest version").option("--verbose", "show timing breakdown and analyzer details").addOption(
-  new Option("--ml-url <url>", "VibeDrift API endpoint").default("https://vibedrift-api.fly.dev").hideHelp()
+).option("--no-codedna", "skip Code DNA semantic analysis").option(
+  "--deep",
+  "enable AI-powered deep analysis (requires `vibedrift login`)"
+).option(
+  "--include <pattern>",
+  "only scan files matching this glob (repeatable)",
+  collect,
+  []
+).option(
+  "--exclude <pattern>",
+  "exclude files matching this glob (repeatable)",
+  collect,
+  []
+).option(
+  "--update",
+  "update the VibeDrift CLI to the latest version (alias for `vibedrift update`)"
+).option("--verbose", "show timing breakdown and analyzer details").addOption(
+  new Option("--api-url <url>", "override the VibeDrift API base URL").hideHelp()
 ).action(async (path2, options) => {
   if (options.update) {
     await runUpdate(VERSION);
@@ -7765,12 +8617,42 @@ program.name("vibedrift").description(
     output: options.output,
     failOnScore: options.failOnScore,
     codedna: options.codedna,
-    ml: options.ml,
-    mlKey: options.mlKey,
-    mlUrl: options.mlUrl,
+    deep: options.deep,
+    apiUrl: options.apiUrl,
+    include: options.include,
+    exclude: options.exclude,
     verbose: options.verbose
   });
 });
+program.command("login").description("Log in to your VibeDrift account").option("--no-browser", "don't open the browser automatically").addOption(
+  new Option("--api-url <url>", "override the API base URL").hideHelp()
+).action(async (options) => {
+  await runLogin({
+    apiUrl: options.apiUrl,
+    noBrowser: options.browser === false
+  });
+});
+program.command("logout").description("Log out and revoke the current token").action(async () => {
+  await runLogout();
+});
+program.command("status").description("Show the current account, plan, and token").action(async () => {
+  await runStatus();
+});
+program.command("usage").description("Show your current billing period's scan usage").action(async () => {
+  await runUsage();
+});
+program.command("upgrade").description("Open the VibeDrift pricing page").action(async () => {
+  await runUpgrade();
+});
+program.command("billing").description("Open the Stripe Customer Portal to manage your subscription").action(async () => {
+  await runBilling();
+});
+program.command("doctor").description("Diagnose CLI installation, auth, and API connectivity").action(async () => {
+  await runDoctor();
+});
+program.command("update").description("Update the VibeDrift CLI to the latest version").action(async () => {
+  await runUpdate(VERSION);
+});
 program.addHelpText(
   "after",
   `
@@ -7780,8 +8662,20 @@ Examples:
   $ vibedrift --format terminal        print results to the terminal
   $ vibedrift --json > report.json     pipe JSON output to a file
   $ vibedrift --fail-on-score 70       fail CI if score drops below 70
-  $ vibedrift --ml --ml-key vd_...     run premium ML-powered analysis
-  $ vibedrift --update                 update to the latest version
+  $ vibedrift --include "src/**"       only scan files under src/
+  $ vibedrift --exclude "**/*.spec.*"  skip test files
+  $ vibedrift --deep                   run premium AI-powered deep analysis
+  $ vibedrift login                    sign in to enable --deep
+  $ vibedrift status                   check current auth state
+  $ vibedrift usage                    view this month's scan usage
+  $ vibedrift upgrade                  open the pricing page
+  $ vibedrift billing                  manage your Stripe subscription
+  $ vibedrift update                   update to the latest CLI version
+
+Environment:
+  VIBEDRIFT_TOKEN     bearer token (overrides ~/.vibedrift/config.json)
+  VIBEDRIFT_API_URL   override the API base URL
+  VIBEDRIFT_NO_BROWSER if "1", never auto-open the browser
 
 Learn more: https://vibedrift.ai`
 );