@vibedrift/cli 0.1.4 → 0.3.0

package/dist/index.js

@@ -230,12 +230,12 @@ function normalizeBody(body, language) {
   }
   const sortedVars = [...varNames.entries()].sort((a, b) => b[0].length - a[0].length);
   for (const [name, placeholder] of sortedVars) {
-    normalized = normalized.replace(new RegExp(`\\b${escapeRegex2(name)}\\b`, "g"), placeholder);
+    normalized = normalized.replace(new RegExp(`\\b${escapeRegex3(name)}\\b`, "g"), placeholder);
   }
   normalized = normalized.replace(/\s+/g, " ").trim();
   return normalized;
 }
-function escapeRegex2(s) {
+function escapeRegex3(s) {
   return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function fnv1aHash(str) {
@@ -1012,13 +1012,13 @@ var init_sampler = __esm({
 });
 
 // src/ml-client/client.ts
-async function callMlApi(request, apiKey, apiUrl) {
+async function callMlApi(request, token, apiUrl) {
   const url = `${apiUrl ?? DEFAULT_API_URL}/v1/analyze`;
   const headers = {
     "Content-Type": "application/json"
   };
-  if (apiKey) {
-    headers["X-API-Key"] = apiKey;
+  if (token) {
+    headers["Authorization"] = `Bearer ${token}`;
   }
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), TIMEOUT_MS);
@@ -1031,7 +1031,7 @@ async function callMlApi(request, apiKey, apiUrl) {
     });
     if (!response.ok) {
       const errorBody = await response.text().catch(() => "");
-      throw new Error(`ML API error ${response.status}: ${errorBody.slice(0, 200)}`);
+      throw new Error(`Deep-analysis API error ${response.status}: ${errorBody.slice(0, 200)}`);
     }
     return await response.json();
   } finally {
@@ -1199,6 +1199,95 @@ var init_confidence = __esm({
   }
 });
 
+// src/ml-client/project-name.ts
+var project_name_exports = {};
+__export(project_name_exports, {
+  detectProjectIdentity: () => detectProjectIdentity
+});
+import { basename, join as join6 } from "path";
+import { readFile as readFile5 } from "fs/promises";
+import { createHash as createHash2 } from "crypto";
+async function detectProjectIdentity(rootDir, override) {
+  const hash = createHash2("sha256").update(rootDir).digest("hex");
+  if (override && override.trim()) {
+    return { name: override.trim(), hash };
+  }
+  const fromPackageJson = await readJsonField(
+    join6(rootDir, "package.json"),
+    "name"
+  );
+  if (fromPackageJson) return { name: fromPackageJson, hash };
+  const fromCargo = await readTomlFieldInSection(
+    join6(rootDir, "Cargo.toml"),
+    "package",
+    "name"
+  );
+  if (fromCargo) return { name: fromCargo, hash };
+  const fromGoMod = await readGoModule(join6(rootDir, "go.mod"));
+  if (fromGoMod) return { name: fromGoMod, hash };
+  const fromPyProject = await readTomlFieldInSection(
+    join6(rootDir, "pyproject.toml"),
+    "project",
+    "name"
+  ) ?? await readTomlFieldInSection(
+    join6(rootDir, "pyproject.toml"),
+    "tool.poetry",
+    "name"
+  );
+  if (fromPyProject) return { name: fromPyProject, hash };
+  return { name: basename(rootDir) || "untitled", hash };
+}
+async function readJsonField(path2, field) {
+  try {
+    const raw = await readFile5(path2, "utf-8");
+    const parsed = JSON.parse(raw);
+    const value = parsed[field];
+    if (typeof value === "string" && value.trim()) return value.trim();
+  } catch {
+  }
+  return null;
+}
+async function readTomlFieldInSection(path2, section, key) {
+  try {
+    const raw = await readFile5(path2, "utf-8");
+    const lines = raw.split("\n");
+    let inSection = false;
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith("[") && trimmed.endsWith("]")) {
+        inSection = trimmed === `[${section}]`;
+        continue;
+      }
+      if (!inSection) continue;
+      const match = trimmed.match(/^([\w-]+)\s*=\s*"([^"]+)"/);
+      if (match && match[1] === key && match[2]) {
+        return match[2];
+      }
+    }
+  } catch {
+  }
+  return null;
+}
+async function readGoModule(path2) {
+  try {
+    const raw = await readFile5(path2, "utf-8");
+    const match = raw.match(/^\s*module\s+(\S+)/m);
+    if (match && match[1]) {
+      const segs = match[1].split("/");
+      const last = segs[segs.length - 1];
+      if (last) return last;
+    }
+  } catch {
+  }
+  return null;
+}
+var init_project_name = __esm({
+  "src/ml-client/project-name.ts"() {
+    "use strict";
+    init_esm_shims();
+  }
+});
+
 // src/ml-client/index.ts
 var ml_client_exports = {};
 __export(ml_client_exports, {
@@ -1266,23 +1355,39 @@ async function runMlAnalysis(ctx, codeDnaResult, findings, options) {
   const deviations = buildDeviationPayloads(codeDnaResult, options.driftFindings ?? []);
   const payloadSize = JSON.stringify(sampled).length + JSON.stringify(deviations).length;
   if (options.verbose) {
-    console.error(`[ml] Sending ${sampled.length} functions + ${deviations.length} deviations (${Math.round(payloadSize / 1024)}KB) to ML API...`);
-    console.error(`[ml] No full files transmitted \u2014 only function snippets and structural metadata.`);
+    console.error(`[deep] Sending ${sampled.length} functions + ${deviations.length} deviations (${Math.round(payloadSize / 1024)}KB) to VibeDrift API...`);
+    console.error(`[deep] No full files transmitted \u2014 only function snippets and structural metadata.`);
   }
+  const { detectProjectIdentity: detectProjectIdentity2 } = await Promise.resolve().then(() => (init_project_name(), project_name_exports));
+  const projectIdentity = await detectProjectIdentity2(
+    ctx.rootDir,
+    options.projectName
+  );
   const request = {
     language: ctx.dominantLanguage ?? "unknown",
     file_count: ctx.files.length,
+    project_hash: projectIdentity.hash,
+    project_name: projectIdentity.name,
+    score_hint: options.scoreHint,
+    grade_hint: options.gradeHint,
+    // Tell the server NOT to persist a row from the analyze call —
+    // the CLI logs the full scan summary via /v1/scans/log AFTER the
+    // pipeline finishes, which has accurate metadata.
+    defer_persist: true,
     functions: sampled,
     deviations,
     llm_validations: []
   };
-  const response = await callMlApi(request, options.mlKey, options.mlUrl);
+  const response = await callMlApi(request, options.token, options.apiUrl);
   if (options.verbose) {
     console.error(
-      `[ml] API returned: ${response.duplicates.length} duplicates, ${response.intent_mismatches.length} intent mismatches, ${response.anomalies.length} anomalies, ${response.deviations?.length ?? 0} deviation verdicts \u2014 ${response.processing_time_ms}ms`
+      `[deep] API returned: ${response.duplicates.length} duplicates, ${response.intent_mismatches.length} intent mismatches, ${response.anomalies.length} anomalies, ${response.deviations?.length ?? 0} deviation verdicts \u2014 ${response.processing_time_ms}ms`
     );
   }
   const filtered = filterByConfidence(response);
+  if (response.scan_id) {
+    filtered.scanId = response.scan_id;
+  }
   if (response.deviations?.length > 0 && codeDnaResult?.deviationJustifications) {
     for (const mlDev of response.deviations) {
       const local = codeDnaResult.deviationJustifications.find(
@@ -1372,7 +1477,7 @@ var summarize_exports = {};
 __export(summarize_exports, {
   fetchAiSummary: () => fetchAiSummary
 });
-async function fetchAiSummary(result, apiUrl, mlKey) {
+async function fetchAiSummary(result, apiUrl, token) {
   const dna = result.codeDnaResult;
   const mlFindings = result.findings.filter((f) => f.tags?.includes("ml"));
   const body = {
@@ -1409,7 +1514,7 @@ async function fetchAiSummary(result, apiUrl, mlKey) {
     }).slice(0, 5).map((d) => d.recommendation)
   };
   const headers = { "Content-Type": "application/json" };
-  if (mlKey) headers["X-API-Key"] = mlKey;
+  if (token) headers["Authorization"] = `Bearer ${token}`;
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), TIMEOUT_MS2);
   try {
@@ -1445,6 +1550,160 @@ var init_summarize = __esm({
   }
 });
 
+// src/ml-client/log-scan.ts
+var log_scan_exports = {};
+__export(log_scan_exports, {
+  logScan: () => logScan
+});
+async function logScan(opts) {
+  const { payload, token, apiUrl, verbose } = opts;
+  const base = apiUrl ?? DEFAULT_API_URL2;
+  const trimmed = { ...payload };
+  if (trimmed.report_html) {
+    const size = Buffer.byteLength(trimmed.report_html, "utf-8");
+    if (size > MAX_HTML_BYTES) {
+      if (verbose) {
+        console.error(
+          `[scan-log] HTML too large (${Math.round(size / 1024)}KB), dropping the blob`
+        );
+      }
+      delete trimmed.report_html;
+    }
+  }
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), TIMEOUT_MS3);
+  try {
+    const res = await fetch(`${base}/v1/scans/log`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(trimmed),
+      signal: controller.signal
+    });
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      if (verbose) {
+        console.error(`[scan-log] HTTP ${res.status}: ${text.slice(0, 200)}`);
+      }
+      return { ok: false, error: `HTTP ${res.status}` };
+    }
+    const data = await res.json().catch(() => ({}));
+    if (verbose) {
+      console.error(
+        `[scan-log] Logged scan ${data.scan_id?.slice(0, 8) ?? "?"} (project ${data.project_id?.slice(0, 8) ?? "?"}, ${data.bytes_stored ?? 0} HTML bytes)`
+      );
+    }
+    return {
+      ok: true,
+      scanId: data.scan_id,
+      projectId: data.project_id,
+      bytesStored: data.bytes_stored
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (verbose) console.error(`[scan-log] Failed: ${msg}`);
+    return { ok: false, error: msg };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+var DEFAULT_API_URL2, TIMEOUT_MS3, MAX_HTML_BYTES;
+var init_log_scan = __esm({
+  "src/ml-client/log-scan.ts"() {
+    "use strict";
+    init_esm_shims();
+    DEFAULT_API_URL2 = "https://vibedrift-api.fly.dev";
+    TIMEOUT_MS3 = 2e4;
+    MAX_HTML_BYTES = 15e5;
+  }
+});
+
+// src/ml-client/sanitize-result.ts
+var sanitize_result_exports = {};
+__export(sanitize_result_exports, {
+  sanitizeResultForUpload: () => sanitizeResultForUpload
+});
+function sanitizeResultForUpload(result) {
+  const ctx = result.context;
+  const rootDir = ctx?.rootDir ?? "";
+  const stripPath = (p) => {
+    if (!p) return null;
+    if (rootDir && p.startsWith(rootDir)) {
+      const rel = p.slice(rootDir.length).replace(/^\/+/, "");
+      return rel || ".";
+    }
+    return p;
+  };
+  const sanitizeNode = (node) => {
+    if (typeof node === "string") return stripPath(node) ?? node;
+    if (Array.isArray(node)) return node.map(sanitizeNode);
+    if (node && typeof node === "object") {
+      const out = {};
+      for (const [k, v] of Object.entries(node)) {
+        if (k === "rootDir") continue;
+        if (k === "files" && Array.isArray(v)) {
+          out[k] = v.map((f) => ({
+            relativePath: stripPath(f.relativePath) ?? f.relativePath,
+            lineCount: f.lineCount,
+            language: f.language
+          }));
+          continue;
+        }
+        if (k === "ast" || k === "treeSitterNode") continue;
+        out[k] = sanitizeNode(v);
+      }
+      return out;
+    }
+    if (node instanceof Map) {
+      const obj = {};
+      for (const [k, v] of node.entries()) {
+        const safeKey = typeof k === "string" ? stripPath(k) ?? k : String(k);
+        obj[safeKey] = sanitizeNode(v);
+      }
+      return obj;
+    }
+    if (node instanceof Set) {
+      return [...node].map(sanitizeNode);
+    }
+    return node;
+  };
+  const envelope = {
+    schema: "vibedrift-scan-result/v1",
+    project: {
+      // populated by the caller, since the CLI knows project_name + hash
+    },
+    language: {
+      dominant: ctx?.dominantLanguage ?? null,
+      breakdown: sanitizeNode(ctx?.languageBreakdown),
+      totalLines: ctx?.totalLines ?? 0
+    },
+    fileCount: (ctx?.files ?? []).length,
+    files: sanitizeNode(ctx?.files),
+    score: {
+      composite: result.compositeScore,
+      max: result.maxCompositeScore,
+      categories: sanitizeNode(result.scores)
+    },
+    findings: sanitizeNode(result.findings),
+    driftFindings: sanitizeNode(result.driftFindings),
+    driftScores: sanitizeNode(result.driftScores),
+    codeDnaResult: sanitizeNode(result.codeDnaResult),
+    perFileScores: sanitizeNode(result.perFileScores),
+    teaseMessages: result.teaseMessages,
+    aiSummary: result.aiSummary ?? null,
+    scanTimeMs: result.scanTimeMs
+  };
+  return envelope;
+}
+var init_sanitize_result = __esm({
+  "src/ml-client/sanitize-result.ts"() {
+    "use strict";
+    init_esm_shims();
+  }
+});
+
 // src/output/csv.ts
 var csv_exports = {};
 __export(csv_exports, {
@@ -1969,8 +2228,8 @@ import { Command, Option } from "commander";
 // src/cli/commands/scan.ts
 init_esm_shims();
 import { resolve } from "path";
-import { writeFile as writeFile2 } from "fs/promises";
-import { stat as stat2 } from "fs/promises";
+import { writeFile as writeFile3 } from "fs/promises";
+import { stat as stat3 } from "fs/promises";
 import chalk2 from "chalk";
 import ora from "ora";
 
@@ -2086,8 +2345,8 @@ async function discoverFiles(rootDir) {
         const language = detectLanguage(entry.name);
         if (!language) continue;
         try {
-          const info = await stat(fullPath);
-          if (info.size > MAX_FILE_SIZE) continue;
+          const info2 = await stat(fullPath);
+          if (info2.size > MAX_FILE_SIZE) continue;
           const content = await readFile2(fullPath, "utf-8");
           const lineCount = content.split("\n").length;
           files.push({ path: fullPath, relativePath: relPath, language, content, lineCount });
@@ -4917,10 +5176,10 @@ function extractSymbols(file) {
 function analyzeFileNaming(files) {
   const fileNameConventions = /* @__PURE__ */ new Map();
   for (const file of files) {
-    const basename = file.path.split("/").pop()?.replace(/\.[^.]+$/, "") ?? "";
-    if (basename.length <= 1) continue;
-    if (/(?:test|spec|config|setup|__)/i.test(basename)) continue;
-    const conv = classifyName(basename);
+    const basename2 = file.path.split("/").pop()?.replace(/\.[^.]+$/, "") ?? "";
+    if (basename2.length <= 1) continue;
+    if (/(?:test|spec|config|setup|__)/i.test(basename2)) continue;
+    const conv = classifyName(basename2);
     if (!conv) continue;
     if (!fileNameConventions.has(conv)) fileNameConventions.set(conv, []);
     fileNameConventions.get(conv).push(file.path);
@@ -5962,33 +6221,36 @@ function computePerFileScores(findings, ctx) {
 
 // src/output/tease.ts
 init_esm_shims();
-function generateTeaseMessages(ctx, findings, premiumUsed) {
-  if (premiumUsed) return [];
+function generateTeaseMessages(ctx, findings, deepUsed) {
+  if (deepUsed) return [];
   const messages = [];
   const securityFindings = findings.filter((f) => f.analyzerId === "security");
   if (securityFindings.length > 0) {
     const errorCount = securityFindings.filter((f) => f.severity === "error").length;
     messages.push(
-      `${securityFindings.length} security issues found${errorCount > 0 ? ` (${errorCount} critical)` : ""} \u2014 run --ml for premium ML-powered context analysis`
+      `${securityFindings.length} security issues found${errorCount > 0 ? ` (${errorCount} critical)` : ""} \u2014 run \`vibedrift --deep\` for AI-powered context analysis`
     );
   }
   const complexityFindings = findings.filter((f) => f.analyzerId === "complexity");
   if (complexityFindings.length > 0) {
     messages.push(
-      `${complexityFindings.length} complexity concerns detected \u2014 run --ml for premium architectural recommendations`
+      `${complexityFindings.length} complexity concerns detected \u2014 run \`vibedrift --deep\` for AI-powered architectural recommendations`
     );
   }
   const deadCodeFindings = findings.filter((f) => f.analyzerId === "dead-code");
   if (deadCodeFindings.length > 0) {
     messages.push(
-      `Potential dead code detected \u2014 run --ml for premium semantic analysis`
+      `Potential dead code detected \u2014 run \`vibedrift --deep\` for AI-powered semantic analysis`
     );
   }
   if (ctx.files.length > 10 && messages.length === 0) {
     messages.push(
-      `Run --ml for premium architectural pattern detection and intent analysis`
+      `Run \`vibedrift --deep\` for AI-powered architectural pattern detection and intent analysis`
     );
   }
+  if (messages.length > 0) {
+    messages.push(`Sign in first with \`vibedrift login\` \u2014 it's free.`);
+  }
   return messages;
 }
 
@@ -6870,9 +7132,9 @@ function buildMlInsights(result) {
     </details>`;
   }).join("");
   return `<section class="section">
-  <div class="label">ML ANALYSIS <span style="font-size:11px;font-weight:400;letter-spacing:0;text-transform:none;color:var(--info-blue);margin-left:8px">Layer 2 &middot; UniXcoder Embeddings &middot; ${mlFindings.length} findings</span></div>
+  <div class="label">AI ANALYSIS <span style="font-size:11px;font-weight:400;letter-spacing:0;text-transform:none;color:var(--info-blue);margin-left:8px">Deep Layer &middot; Code Embeddings &middot; ${mlFindings.length} findings</span></div>
   <p style="font-size:13px;color:var(--text-secondary);margin-bottom:16px;line-height:1.6">
-    These findings were detected by the ML inference API using code embeddings. Only function snippets (not full files) were sent for analysis &mdash; snippets are processed in memory and not stored.
+    These findings were detected by VibeDrift&rsquo;s AI inference API. Only function snippets (not full files) were sent for analysis &mdash; snippets are processed in memory and not stored.
     Functions were embedded as 768-dimensional vectors and compared for semantic similarity, name-body alignment, and clustering anomalies.
   </p>
   ${sections}
@@ -6982,11 +7244,11 @@ function buildCodeDnaSummary(result) {
 </section>`;
 }
 function buildFooter(result) {
-  const hasMl = result.findings.some((f) => f.tags?.includes("ml")) || !!result.aiSummary;
-  const premiumUpsell = !hasMl ? `<div style="margin-top:16px;padding:14px 18px;background:var(--bg-surface);border-radius:0;border-left:3px solid var(--border);text-align:left;font-size:13px;color:var(--text-secondary);max-width:520px;margin-left:auto;margin-right:auto">
-    Want premium ML-powered analysis? Get a VibeDrift API key at <a href="https://vibedrift.ai" style="color:var(--text-primary);text-decoration:underline">vibedrift.ai</a><br>
-    <code class="mono" style="color:var(--text-primary);background:var(--bg-code);padding:2px 6px;border-radius:0;margin-top:4px;display:inline-block">vibedrift . --ml --ml-key vd_...</code>
-    <span data-copy="vibedrift . --ml --ml-key vd_..." style="cursor:pointer;margin-left:6px;font-size:11px;color:var(--text-tertiary)">[copy]</span>
+  const hasDeep = result.findings.some((f) => f.tags?.includes("ml")) || !!result.aiSummary;
+  const premiumUpsell = !hasDeep ? `<div style="margin-top:16px;padding:14px 18px;background:var(--bg-surface);border-radius:0;border-left:3px solid var(--border);text-align:left;font-size:13px;color:var(--text-secondary);max-width:520px;margin-left:auto;margin-right:auto">
+    Want AI-powered deep analysis? Sign in once with <code class="mono" style="color:var(--text-primary);background:var(--bg-code);padding:2px 6px;border-radius:0">vibedrift login</code> then run:<br>
+    <code class="mono" style="color:var(--text-primary);background:var(--bg-code);padding:2px 6px;border-radius:0;margin-top:4px;display:inline-block">vibedrift . --deep</code>
+    <span data-copy="vibedrift . --deep" style="cursor:pointer;margin-left:6px;font-size:11px;color:var(--text-tertiary)">[copy]</span>
   </div>` : "";
   return `<footer style="border-top:1px solid var(--border);padding-top:28px;margin-top:48px;text-align:center;color:var(--text-tertiary);font-size:13px">
   <div style="display:flex;gap:8px;justify-content:center;margin-bottom:20px;flex-wrap:wrap">
@@ -6996,7 +7258,7 @@ function buildFooter(result) {
   </div>
   <p>Generated by <span style="color:var(--text-primary);font-weight:600">VibeDrift v${getVersion()}</span></p>
   <p style="margin:4px 0">${result.context.files.length} files &middot; ${result.context.totalLines.toLocaleString()} lines &middot; ${(result.scanTimeMs / 1e3).toFixed(1)}s</p>
-  <p style="margin:4px 0;font-size:12px">${hasMl ? "Function snippets were sent to VibeDrift&rsquo;s ML API for analysis. No full files transmitted. Snippets processed in memory and not stored." : "No data sent externally."}</p>
+  <p style="margin:4px 0;font-size:12px">${hasDeep ? "Function snippets were sent to VibeDrift&rsquo;s AI API for analysis. No full files transmitted. Snippets processed in memory and not stored." : "No data sent externally."}</p>
   <p style="margin-top:10px">Fix the top issues and re-scan: <code class="mono" style="background:var(--bg-code);padding:2px 6px;border-radius:0;color:var(--text-primary)">vibedrift .</code> <span data-copy="vibedrift ." style="cursor:pointer;font-size:11px;color:var(--text-tertiary)">[copy]</span></p>
   ${premiumUpsell}
   <div style="margin-top:16px;padding:12px 18px;background:var(--bg-surface);border-radius:0;display:inline-block;text-align:left">
@@ -7404,16 +7666,25 @@ function esc2(s) { return String(s || '').replace(/&/g,'&amp;').replace(/</g,'&l
 // src/core/history.ts
 init_esm_shims();
 import { readdir as readdir2, readFile as readFile3, writeFile, mkdir } from "fs/promises";
+import { homedir } from "os";
+import { createHash } from "crypto";
 import { join as join4 } from "path";
-var HISTORY_DIR = ".vibedrift";
+var ROOT_DIR = join4(homedir(), ".vibedrift", "scans");
+function projectHash(rootDir) {
+  return createHash("sha256").update(rootDir).digest("hex").slice(0, 16);
+}
+function projectDir(rootDir) {
+  return join4(ROOT_DIR, projectHash(rootDir));
+}
 async function saveScanResult(rootDir, scores, compositeScore) {
-  const dir = join4(rootDir, HISTORY_DIR);
+  const dir = projectDir(rootDir);
   try {
-    await mkdir(dir, { recursive: true });
+    await mkdir(dir, { recursive: true, mode: 448 });
   } catch {
   }
   const data = {
     timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    rootDir,
     scores,
     compositeScore
   };
@@ -7421,7 +7692,7 @@ async function saveScanResult(rootDir, scores, compositeScore) {
   await writeFile(join4(dir, filename), JSON.stringify(data, null, 2));
 }
 async function loadPreviousScores(rootDir) {
-  const dir = join4(rootDir, HISTORY_DIR);
+  const dir = projectDir(rootDir);
   try {
     const files = await readdir2(dir);
     const scanFiles = files.filter((f) => f.startsWith("scan-") && f.endsWith(".json")).sort().reverse();
@@ -7434,12 +7705,196 @@ async function loadPreviousScores(rootDir) {
   }
 }
 
+// src/core/file-filter.ts
+init_esm_shims();
+function applyIncludeExclude(files, includes, excludes) {
+  const includeRegexes = includes.map(globToRegex);
+  const excludeRegexes = excludes.map(globToRegex);
+  const useInclude = includeRegexes.length > 0;
+  return files.filter((file) => {
+    const path2 = file.relativePath;
+    if (useInclude && !includeRegexes.some((re) => re.test(path2))) {
+      return false;
+    }
+    if (excludeRegexes.some((re) => re.test(path2))) {
+      return false;
+    }
+    return true;
+  });
+}
+function globToRegex(glob) {
+  let pattern = glob.replace(/^\.\//, "");
+  if (pattern.endsWith("/")) {
+    pattern = pattern + "**";
+  }
+  let result = "";
+  let i = 0;
+  let inClass = false;
+  while (i < pattern.length) {
+    const ch = pattern[i];
+    if (inClass) {
+      if (ch === "]") {
+        inClass = false;
+        result += "]";
+      } else {
+        result += escapeInClass(ch);
+      }
+      i++;
+      continue;
+    }
+    switch (ch) {
+      case "*": {
+        if (pattern[i + 1] === "*") {
+          if (pattern[i + 2] === "/") {
+            result += "(?:.*/)?";
+            i += 3;
+          } else {
+            result += ".*";
+            i += 2;
+          }
+        } else {
+          result += "[^/]*";
+          i++;
+        }
+        break;
+      }
+      case "?": {
+        result += "[^/]";
+        i++;
+        break;
+      }
+      case "[": {
+        inClass = true;
+        result += "[";
+        i++;
+        break;
+      }
+      case "{": {
+        const close = pattern.indexOf("}", i);
+        if (close === -1) {
+          result += "\\{";
+          i++;
+          break;
+        }
+        const inner = pattern.slice(i + 1, close);
+        const parts = inner.split(",").map((p) => p.trim()).filter(Boolean);
+        if (parts.length > 0) {
+          result += "(?:" + parts.map(escapeRegex2).join("|") + ")";
+        } else {
+          result += "\\{\\}";
+        }
+        i = close + 1;
+        break;
+      }
+      default: {
+        result += escapeRegex2(ch);
+        i++;
+        break;
+      }
+    }
+  }
+  return new RegExp("^" + result + "$");
+}
+function escapeRegex2(ch) {
+  if (/[.+^${}()|\\]/.test(ch)) return "\\" + ch;
+  return ch;
+}
+function escapeInClass(ch) {
+  if (ch === "\\") return "\\\\";
+  return ch;
+}
+
+// src/auth/resolver.ts
+init_esm_shims();
+
+// src/auth/config.ts
+init_esm_shims();
+import { homedir as homedir2 } from "os";
+import { join as join5 } from "path";
+import { readFile as readFile4, writeFile as writeFile2, mkdir as mkdir2, chmod, unlink, stat as stat2 } from "fs/promises";
+var DEFAULT_DIR = join5(homedir2(), ".vibedrift");
+var DEFAULT_FILE = join5(DEFAULT_DIR, "config.json");
+function getConfigDir() {
+  return DEFAULT_DIR;
+}
+function getConfigPath() {
+  return DEFAULT_FILE;
+}
+async function ensureConfigDir() {
+  await mkdir2(DEFAULT_DIR, { recursive: true, mode: 448 });
+}
+async function readConfig() {
+  try {
+    const raw = await readFile4(DEFAULT_FILE, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== "object" || parsed === null) return {};
+    return parsed;
+  } catch (err) {
+    if (err?.code === "ENOENT") return {};
+    process.stderr.write(`vibedrift: warning \u2014 config at ${DEFAULT_FILE} is unreadable (${err?.message ?? err}). Treating as empty.
+`);
+    return {};
+  }
+}
+async function writeConfig(config) {
+  await ensureConfigDir();
+  const json = JSON.stringify(config, null, 2);
+  await writeFile2(DEFAULT_FILE, json, { mode: 384 });
+  try {
+    await chmod(DEFAULT_FILE, 384);
+  } catch {
+  }
+}
+async function clearConfig() {
+  try {
+    await unlink(DEFAULT_FILE);
+  } catch (err) {
+    if (err?.code !== "ENOENT") throw err;
+  }
+}
+async function patchConfig(patch) {
+  const current = await readConfig();
+  const next = { ...current, ...patch };
+  await writeConfig(next);
+  return next;
+}
+
+// src/auth/resolver.ts
+async function resolveToken(input = {}) {
+  if (input.explicitToken && input.explicitToken.trim().length > 0) {
+    return { token: input.explicitToken.trim(), source: "flag" };
+  }
+  const fromEnv = process.env.VIBEDRIFT_TOKEN;
+  if (fromEnv && fromEnv.trim().length > 0) {
+    return { token: fromEnv.trim(), source: "env" };
+  }
+  const config = await readConfig();
+  if (config.token && config.token.trim().length > 0) {
+    return { token: config.token.trim(), source: "config" };
+  }
+  return null;
+}
+async function resolveApiUrl(explicitUrl) {
+  if (explicitUrl && explicitUrl.trim().length > 0) return explicitUrl.trim();
+  if (process.env.VIBEDRIFT_API_URL && process.env.VIBEDRIFT_API_URL.trim().length > 0) {
+    return process.env.VIBEDRIFT_API_URL.trim();
+  }
+  const config = await readConfig();
+  if (config.apiUrl && config.apiUrl.trim().length > 0) return config.apiUrl.trim();
+  return "https://vibedrift-api.fly.dev";
+}
+function previewToken(token) {
+  if (!token) return "(none)";
+  if (token.length <= 12) return token.slice(0, 4) + "\u2026";
+  return token.slice(0, 12) + "\u2026";
+}
+
 // src/cli/commands/scan.ts
 async function runScan(targetPath, options) {
   const rootDir = resolve(targetPath);
   try {
-    const info = await stat2(rootDir);
-    if (!info.isDirectory()) {
+    const info2 = await stat3(rootDir);
+    if (!info2.isDirectory()) {
       console.error(`Error: ${rootDir} is not a directory`);
       process.exit(1);
     }
@@ -7447,12 +7902,48 @@ async function runScan(targetPath, options) {
     console.error(`Error: ${rootDir} does not exist`);
     process.exit(1);
   }
+  let bearerToken = null;
+  let apiUrl = options.apiUrl;
+  if (options.deep) {
+    const resolved = await resolveToken();
+    if (!resolved) {
+      console.error("");
+      console.error(chalk2.red("  \u2717 Deep scans require a VibeDrift account."));
+      console.error("");
+      console.error("    Run " + chalk2.bold("vibedrift login") + " to sign in.");
+      console.error("    Or set " + chalk2.bold("VIBEDRIFT_TOKEN") + " in your environment for CI.");
+      console.error("");
+      process.exit(1);
+    }
+    bearerToken = resolved.token;
+    apiUrl = await resolveApiUrl(options.apiUrl);
+  } else {
+    try {
+      const resolved = await resolveToken();
+      if (resolved) {
+        bearerToken = resolved.token;
+        apiUrl = await resolveApiUrl(options.apiUrl);
+      }
+    } catch {
+    }
+  }
   const startTime = Date.now();
   const timings = {};
   const isTerminal = options.format === "terminal" && !options.json;
   const spinner = isTerminal ? ora("Discovering files...").start() : null;
   const t0 = Date.now();
   const { ctx, warnings } = await buildAnalysisContext(rootDir);
+  const includes = options.include ?? [];
+  const excludes = options.exclude ?? [];
+  if (includes.length > 0 || excludes.length > 0) {
+    const before = ctx.files.length;
+    const filtered = applyIncludeExclude(ctx.files, includes, excludes);
+    ctx.files = filtered;
+    ctx.totalLines = filtered.reduce((sum, f) => sum + f.lineCount, 0);
+    if (options.verbose) {
+      console.error(chalk2.dim(`[filter] ${before} \u2192 ${filtered.length} files after include/exclude`));
+    }
+  }
   timings.discovery = Date.now() - t0;
   if (isTerminal) {
     if (warnings.truncated) {
@@ -7503,26 +7994,28 @@ Warning: File limit reached (${warnings.truncatedAt}). Only partial coverage \u2
     }
   }
   let mlMediumConfidence = [];
-  if (options.ml) {
+  if (options.deep && bearerToken) {
     const t5 = Date.now();
-    if (spinner) spinner.text = "Connecting to ML service (may take ~30s on cold start)...";
+    if (spinner) spinner.text = "Running AI deep analysis (may take ~30s on cold start)...";
     try {
       const { runMlAnalysis: runMlAnalysis2 } = await Promise.resolve().then(() => (init_ml_client(), ml_client_exports));
       const mlResult = await runMlAnalysis2(ctx, codeDnaResult, allFindings, {
-        mlKey: options.mlKey,
-        mlUrl: options.mlUrl,
+        token: bearerToken,
+        apiUrl,
         verbose: options.verbose,
-        driftFindings: driftResult.driftFindings
+        driftFindings: driftResult.driftFindings,
+        projectName: options.projectName
       });
       allFindings.push(...mlResult.highConfidence);
       mlMediumConfidence = mlResult.mediumConfidence;
       if (options.verbose) {
-        console.error(`[ml] ${mlResult.highConfidence.length} high-confidence findings shipped, ${mlResult.mediumConfidence.length} sent to LLM, ${mlResult.droppedCount} dropped`);
+        console.error(`[deep] ${mlResult.highConfidence.length} high-confidence findings shipped, ${mlResult.mediumConfidence.length} sent to LLM, ${mlResult.droppedCount} dropped`);
       }
     } catch (err) {
-      console.error(`[ml] ML analysis failed: ${err.message}`);
+      console.error(chalk2.red(`[deep] AI analysis failed: ${err.message}`));
+      console.error(chalk2.dim("       The local scan will continue. Run `vibedrift doctor` if this persists."));
     }
-    timings.ml = Date.now() - t5;
+    timings.deep = Date.now() - t5;
   }
   const { deduplicateFindingsAcrossLayers: deduplicateFindingsAcrossLayers2 } = await Promise.resolve().then(() => (init_dedup(), dedup_exports));
   const dedupedCount = allFindings.length;
@@ -7541,13 +8034,13 @@ Warning: File limit reached (${warnings.truncatedAt}). Only partial coverage \u2
     previousScores ?? void 0
   );
   const deepInsights = [];
-  const teaseMessages = generateTeaseMessages(ctx, allFindings, false);
+  const teaseMessages = generateTeaseMessages(ctx, allFindings, options.deep === true);
   const scanTimeMs = Date.now() - startTime;
   if (spinner) spinner.stop();
   const layer1Ms = (timings.discovery ?? 0) + (timings.parsing ?? 0) + (timings.analyzers ?? 0) + (timings.drift ?? 0);
   const parts = [`Layer 1: ${(layer1Ms / 1e3).toFixed(1)}s`];
   if (timings.codedna) parts.push(`Code DNA: ${(timings.codedna / 1e3).toFixed(1)}s`);
-  if (timings.ml) parts.push(`ML API: ${(timings.ml / 1e3).toFixed(1)}s`);
+  if (timings.deep) parts.push(`AI: ${(timings.deep / 1e3).toFixed(1)}s`);
   parts.push(`Total: ${(scanTimeMs / 1e3).toFixed(1)}s`);
   console.error(chalk2.dim(`  ${parts.join(" \xB7 ")}`));
   const result = {
@@ -7564,13 +8057,13 @@ Warning: File limit reached (${warnings.truncatedAt}). Only partial coverage \u2
     perFileScores,
     codeDnaResult
   };
-  if (options.ml) {
+  if (options.deep && bearerToken) {
     if (spinner) spinner.text = "Generating AI summary...";
     try {
       const { fetchAiSummary: fetchAiSummary2 } = await Promise.resolve().then(() => (init_summarize(), summarize_exports));
-      const apiUrl = options.mlUrl ?? "https://vibedrift-api.fly.dev";
-      if (options.verbose) console.error(`[summary] Calling ${apiUrl}/v1/summarize...`);
-      const summary = await fetchAiSummary2(result, apiUrl, options.mlKey);
+      const targetUrl = apiUrl ?? "https://vibedrift-api.fly.dev";
+      if (options.verbose) console.error(`[summary] Calling ${targetUrl}/v1/summarize...`);
+      const summary = await fetchAiSummary2(result, targetUrl, bearerToken);
       if (summary) {
         result.aiSummary = summary;
         if (options.verbose) console.error(`[summary] AI summary generated (${summary.highlights.length} highlights)`);
@@ -7582,11 +8075,67 @@ Warning: File limit reached (${warnings.truncatedAt}). Only partial coverage \u2
     }
   }
   await saveScanResult(rootDir, scores, compositeScore);
+  if (bearerToken) {
+    try {
+      const { logScan: logScan2 } = await Promise.resolve().then(() => (init_log_scan(), log_scan_exports));
+      const { detectProjectIdentity: detectProjectIdentity2 } = await Promise.resolve().then(() => (init_project_name(), project_name_exports));
+      const { sanitizeResultForUpload: sanitizeResultForUpload2 } = await Promise.resolve().then(() => (init_sanitize_result(), sanitize_result_exports));
+      const projectIdentity = await detectProjectIdentity2(
+        rootDir,
+        options.projectName
+      );
+      const mlDuplicates = allFindings.filter((f) => f.analyzerId === "ml-duplicate").length;
+      const mlIntent = allFindings.filter((f) => f.analyzerId === "ml-intent").length;
+      const mlAnomaly = allFindings.filter((f) => f.analyzerId === "ml-anomaly").length;
+      let html;
+      try {
+        html = renderHtmlReport(result);
+      } catch {
+        html = void 0;
+      }
+      const pct = maxCompositeScore > 0 ? compositeScore / maxCompositeScore * 100 : 0;
+      const grade = pct >= 90 ? "A" : pct >= 75 ? "B" : pct >= 50 ? "C" : pct >= 25 ? "D" : "F";
+      const sanitizedResult = sanitizeResultForUpload2(result);
+      sanitizedResult.project = {
+        name: projectIdentity.name,
+        hash: projectIdentity.hash
+      };
+      sanitizedResult.grade = grade;
+      sanitizedResult.scanType = options.deep ? "deep" : "free";
+      sanitizedResult.scannedAt = (/* @__PURE__ */ new Date()).toISOString();
+      await logScan2({
+        token: bearerToken,
+        apiUrl,
+        verbose: options.verbose,
+        payload: {
+          project_hash: projectIdentity.hash,
+          project_name: projectIdentity.name,
+          language: ctx.dominantLanguage ?? "unknown",
+          file_count: ctx.files.length,
+          function_count: codeDnaResult?.functions?.length ?? 0,
+          finding_count: allFindings.length,
+          score: compositeScore,
+          grade,
+          duplicates_found: mlDuplicates,
+          intent_mismatches: mlIntent,
+          anomalies_found: mlAnomaly,
+          is_deep: !!options.deep,
+          processing_time_ms: scanTimeMs,
+          report_html: html,
+          result_json: sanitizedResult
+        }
+      });
+    } catch (err) {
+      if (options.verbose) {
+        console.error(chalk2.dim(`[scan-log] Failed: ${err.message}`));
+      }
+    }
+  }
   const format = options.format ?? (options.json ? "json" : "html");
   if (format === "html") {
     const html = renderHtmlReport(result);
     const outputPath = options.output ?? "vibedrift-report.html";
-    await writeFile2(outputPath, html);
+    await writeFile3(outputPath, html);
     const { createServer } = await import("http");
     const server = createServer((req, res) => {
       res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
@@ -7612,18 +8161,18 @@ Warning: File limit reached (${warnings.truncatedAt}). Only partial coverage \u2
     const { renderCsvReport: renderCsvReport2 } = await Promise.resolve().then(() => (init_csv(), csv_exports));
     const csv = renderCsvReport2(result);
     const outputPath = options.output ?? "vibedrift-report.csv";
-    await writeFile2(outputPath, csv);
+    await writeFile3(outputPath, csv);
     console.log(`CSV report written to ${outputPath}`);
   } else if (format === "docx") {
     const { renderDocxReport: renderDocxReport2 } = await Promise.resolve().then(() => (init_docx(), docx_exports));
     const docx = renderDocxReport2(result);
     const outputPath = options.output ?? "vibedrift-report.docx";
-    await writeFile2(outputPath, docx);
+    await writeFile3(outputPath, docx);
     console.log(`DOCX report written to ${outputPath}`);
   } else if (format === "json") {
     const json = renderJsonOutput(result);
     if (options.output) {
-      await writeFile2(options.output, json);
+      await writeFile3(options.output, json);
       console.log(`JSON report written to ${options.output}`);
     } else {
       console.log(json);
@@ -7728,6 +8277,614 @@ Update failed: ${message}`));
   });
 }
 
+// src/cli/commands/login.ts
+init_esm_shims();
+import chalk4 from "chalk";
+
+// src/auth/api.ts
+init_esm_shims();
+var REQUEST_TIMEOUT_MS = 3e4;
+var VibeDriftApiError = class extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+    this.name = "VibeDriftApiError";
+  }
+  status;
+};
+async function jsonFetch(url, init = {}) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+  try {
+    const res = await fetch(url, {
+      ...init,
+      signal: controller.signal,
+      headers: {
+        Accept: "application/json",
+        ...init.body ? { "Content-Type": "application/json" } : {},
+        ...init.headers ?? {}
+      }
+    });
+    if (!res.ok) {
+      let detail = "";
+      try {
+        const body = await res.json();
+        detail = body.detail ?? body.message ?? "";
+      } catch {
+        try {
+          detail = await res.text();
+        } catch {
+        }
+      }
+      throw new VibeDriftApiError(res.status, detail || `HTTP ${res.status}`);
+    }
+    return await res.json();
+  } catch (err) {
+    if (err?.name === "AbortError") {
+      throw new VibeDriftApiError(0, `Request timed out after ${REQUEST_TIMEOUT_MS / 1e3}s`);
+    }
+    if (err instanceof VibeDriftApiError) throw err;
+    throw new VibeDriftApiError(0, err?.message ?? String(err));
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function startDeviceAuth(opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  return jsonFetch(`${base}/auth/device`, {
+    method: "POST",
+    body: JSON.stringify({ client_id: "vibedrift-cli" })
+  });
+}
+async function pollDeviceAuth(deviceCode, opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  return jsonFetch(`${base}/auth/poll`, {
+    method: "POST",
+    body: JSON.stringify({ device_code: deviceCode })
+  });
+}
+async function validateToken(token, opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  return jsonFetch(`${base}/auth/validate`, {
+    method: "GET",
+    headers: { Authorization: `Bearer ${token}` }
+  });
+}
+async function revokeToken(token, opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  await jsonFetch(`${base}/auth/revoke`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${token}` }
+  });
+}
+async function fetchUsage(token, opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  return jsonFetch(`${base}/account/usage`, {
+    method: "GET",
+    headers: { Authorization: `Bearer ${token}` }
+  });
+}
+async function createPortalSession(token, opts) {
+  const base = await resolveApiUrl(opts?.apiUrl);
+  return jsonFetch(`${base}/account/portal`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${token}` }
+  });
+}
+
+// src/auth/browser.ts
+init_esm_shims();
+import { spawn as spawn2 } from "child_process";
+function openInBrowser(url) {
+  if (!isInteractive()) return false;
+  const env = process.env.BROWSER;
+  if (env && env.length > 0 && env !== "none") {
+    return spawnDetached(env, [url]);
+  }
+  switch (process.platform) {
+    case "darwin":
+      return spawnDetached("open", [url]);
+    case "win32":
+      return spawnDetached("cmd", ["/c", "start", "", url]);
+    default:
+      return spawnDetached("xdg-open", [url]);
+  }
+}
+function isInteractive() {
+  if (process.env.CI === "true" || process.env.CI === "1") return false;
+  if (process.env.VIBEDRIFT_NO_BROWSER === "1") return false;
+  return process.stdout.isTTY ?? false;
+}
+function spawnDetached(cmd, args) {
+  try {
+    const child = spawn2(cmd, args, {
+      detached: true,
+      stdio: "ignore",
+      shell: false
+    });
+    child.on("error", () => {
+    });
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/cli/commands/login.ts
+async function runLogin(options = {}) {
+  const existing = await readConfig();
+  if (existing.token) {
+    console.log(
+      chalk4.yellow(
+        `
+  You're already logged in as ${chalk4.bold(existing.email ?? "unknown")} (${existing.plan ?? "free"}).`
+      )
+    );
+    console.log(chalk4.dim(`  Token: ${previewToken(existing.token)}`));
+    console.log(chalk4.dim("  Continuing will replace this token.\n"));
+  }
+  let device;
+  try {
+    device = await startDeviceAuth({ apiUrl: options.apiUrl });
+  } catch (err) {
+    fail("Could not start the login flow", err);
+    return;
+  }
+  console.log("");
+  console.log(chalk4.bold("  First, copy your one-time code:"));
+  console.log("");
+  console.log(`    ${chalk4.bgYellow.black.bold(`  ${device.user_code}  `)}`);
+  console.log("");
+  console.log(chalk4.dim(`  This code expires in ${formatDuration(device.expires_in)}.`));
+  console.log("");
+  const opened = !options.noBrowser && openInBrowser(device.verification_uri_complete);
+  if (opened) {
+    console.log(chalk4.bold("  Opened your browser to:"));
+  } else {
+    console.log(chalk4.bold("  Open this URL in your browser:"));
+  }
+  console.log(`    ${chalk4.cyan(device.verification_uri_complete)}`);
+  console.log("");
+  console.log(chalk4.dim("  Waiting for you to authorize the CLI..."));
+  console.log("");
+  let interval = Math.max(1, device.interval);
+  const deadline = Date.now() + device.expires_in * 1e3;
+  while (Date.now() < deadline) {
+    await sleep(interval * 1e3);
+    let result;
+    try {
+      result = await pollDeviceAuth(device.device_code, { apiUrl: options.apiUrl });
+    } catch (err) {
+      if (err instanceof VibeDriftApiError && err.status === 429) {
+        interval = Math.min(interval * 2, 30);
+        continue;
+      }
+      fail("Polling for authorization failed", err);
+      return;
+    }
+    if (result.status === "pending") continue;
+    if (result.status === "authorized") {
+      await patchConfig({
+        token: result.access_token,
+        email: result.email,
+        plan: result.plan,
+        expiresAt: result.expires_at,
+        loggedInAt: (/* @__PURE__ */ new Date()).toISOString(),
+        apiUrl: options.apiUrl
+      });
+      console.log(chalk4.green("  \u2713 Logged in successfully."));
+      console.log("");
+      console.log(`  Account: ${chalk4.bold(result.email)}`);
+      console.log(`  Plan:    ${chalk4.bold(result.plan)}`);
+      console.log("");
+      if (result.plan === "free") {
+        console.log(chalk4.dim("  Run `vibedrift upgrade` to enable deep AI scans."));
+        console.log("");
+      } else {
+        console.log(chalk4.dim("  Run `vibedrift . --deep` to use AI-powered analysis."));
+        console.log("");
+      }
+      return;
+    }
+    if (result.status === "denied") {
+      console.error(chalk4.red("\n  \u2717 Authorization was denied in the browser."));
+      console.error(chalk4.dim("    Run `vibedrift login` again to retry.\n"));
+      process.exit(1);
+    }
+    if (result.status === "expired") {
+      console.error(chalk4.red("\n  \u2717 The login code expired before you authorized it."));
+      console.error(chalk4.dim("    Run `vibedrift login` again to retry.\n"));
+      process.exit(1);
+    }
+  }
+  console.error(chalk4.red("\n  \u2717 Login timed out before authorization completed."));
+  console.error(chalk4.dim("    Run `vibedrift login` again to retry.\n"));
+  process.exit(1);
+}
+function fail(intro, err) {
+  const msg = err instanceof VibeDriftApiError ? `${err.status ? `HTTP ${err.status}: ` : ""}${err.message}` : err instanceof Error ? err.message : String(err);
+  console.error(chalk4.red(`
+  \u2717 ${intro}: ${msg}
+`));
+  process.exit(1);
+}
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+function formatDuration(seconds) {
+  if (seconds < 60) return `${seconds}s`;
+  const m = Math.round(seconds / 60);
+  return `${m} minute${m === 1 ? "" : "s"}`;
+}
+
+// src/cli/commands/logout.ts
+init_esm_shims();
+import chalk5 from "chalk";
+async function runLogout() {
+  const config = await readConfig();
+  if (!config.token) {
+    console.log(chalk5.dim("  Not logged in. Nothing to do."));
+    return;
+  }
+  try {
+    await revokeToken(config.token, { apiUrl: config.apiUrl });
+  } catch (err) {
+    if (err instanceof VibeDriftApiError && (err.status === 401 || err.status === 404)) {
+    } else {
+      console.warn(
+        chalk5.yellow(
+          `  \u26A0 Could not revoke token on the server: ${err instanceof Error ? err.message : String(err)}`
+        )
+      );
+      console.warn(chalk5.dim("    Local token will still be removed."));
+    }
+  }
+  await clearConfig();
+  console.log(chalk5.green("  \u2713 Logged out."));
+}
+
+// src/cli/commands/status.ts
+init_esm_shims();
+import chalk6 from "chalk";
+init_version();
+async function runStatus() {
+  const version = getVersion();
+  const config = await readConfig();
+  const resolved = await resolveToken();
+  console.log("");
+  console.log(chalk6.bold(`  VibeDrift CLI v${version}`));
+  console.log("");
+  if (!resolved) {
+    console.log(`  Status:  ${chalk6.dim("not logged in")}`);
+    console.log(`  Config:  ${chalk6.dim(getConfigPath())}`);
+    console.log("");
+    console.log(chalk6.dim("  Run `vibedrift login` to authenticate."));
+    console.log("");
+    return;
+  }
+  console.log(`  Status:  ${chalk6.green("authenticated")}`);
+  console.log(`  Source:  ${chalk6.dim(describeSource(resolved.source))}`);
+  console.log(`  Token:   ${chalk6.dim(previewToken(resolved.token))}`);
+  if (resolved.source === "config") {
+    if (config.email) console.log(`  Account: ${chalk6.bold(config.email)}`);
+    if (config.plan) console.log(`  Plan:    ${chalk6.bold(config.plan)}`);
+    if (config.expiresAt) console.log(`  Expires: ${chalk6.dim(config.expiresAt)}`);
+    console.log(`  Config:  ${chalk6.dim(getConfigPath())}`);
+  }
+  console.log("");
+  process.stdout.write(chalk6.dim("  Validating token with server... "));
+  try {
+    const result = await validateToken(resolved.token, { apiUrl: config.apiUrl });
+    if (result.valid) {
+      console.log(chalk6.green("ok"));
+      if (result.email && result.email !== config.email) {
+        console.log(chalk6.dim(`  Server account: ${result.email} (config out of sync \u2014 run \`vibedrift login\` to refresh)`));
+      }
+      if (result.plan && result.plan !== config.plan) {
+        console.log(chalk6.dim(`  Server plan: ${result.plan} (config out of sync \u2014 run \`vibedrift login\` to refresh)`));
+      }
+    } else {
+      console.log(chalk6.red("invalid"));
+      console.log(chalk6.dim("  Run `vibedrift login` to re-authenticate."));
+    }
+  } catch (err) {
+    console.log(chalk6.yellow("offline"));
+    if (err instanceof VibeDriftApiError) {
+      console.log(chalk6.dim(`  ${err.message}`));
+    }
+  }
+  console.log("");
+}
+function describeSource(source) {
+  switch (source) {
+    case "flag":
+      return "command-line flag";
+    case "env":
+      return "VIBEDRIFT_TOKEN environment variable";
+    case "config":
+      return "~/.vibedrift/config.json";
+  }
+}
+
+// src/cli/commands/usage.ts
+init_esm_shims();
+import chalk7 from "chalk";
+async function runUsage() {
+  const resolved = await resolveToken();
+  if (!resolved) {
+    console.error(chalk7.red("\n  \u2717 Not logged in. Run `vibedrift login` first.\n"));
+    process.exit(1);
+  }
+  const config = await readConfig();
+  let data;
+  try {
+    data = await fetchUsage(resolved.token, { apiUrl: config.apiUrl });
+  } catch (err) {
+    if (err instanceof VibeDriftApiError && err.status === 401) {
+      console.error(chalk7.red("\n  \u2717 Your token is invalid or expired. Run `vibedrift login` to re-authenticate.\n"));
+      process.exit(1);
+    }
+    console.error(chalk7.red(`
+  \u2717 Could not fetch usage: ${err instanceof Error ? err.message : String(err)}
+`));
+    process.exit(1);
+  }
+  console.log("");
+  console.log(chalk7.bold("  Account"));
+  console.log(`    Email:   ${chalk7.bold(data.user.email)}`);
+  console.log(`    Plan:    ${chalk7.bold(data.user.plan)}`);
+  console.log("");
+  console.log(chalk7.bold("  Current period"));
+  console.log(`    From:    ${chalk7.dim(formatDate(data.current_period.start))}`);
+  console.log(`    To:      ${chalk7.dim(formatDate(data.current_period.end))}`);
+  console.log(`    Scans:   ${chalk7.bold(data.current_period.scans.toString())}`);
+  console.log(`    Deep:    ${chalk7.bold(data.current_period.deep_scans.toString())}`);
+  console.log("");
+  console.log(chalk7.bold("  Limits"));
+  const deepLimit = data.limits.deep_scans_per_month;
+  console.log(`    Deep:    ${deepLimit === null ? chalk7.green("unlimited") : `${deepLimit}/month`}`);
+  console.log(`    Rate:    ${data.limits.rate_limit_per_min} requests/minute`);
+  console.log("");
+  if (data.recent_scans.length > 0) {
+    console.log(chalk7.bold(`  Recent scans (${data.recent_scans.length})`));
+    for (const scan of data.recent_scans.slice(0, 10)) {
+      const flag = scan.is_deep ? chalk7.cyan("deep") : chalk7.dim("std ");
+      const score = scan.score === null ? chalk7.dim("\u2014") : chalk7.bold(String(Math.round(scan.score))).padEnd(3);
+      console.log(`    ${flag}  ${score}  ${chalk7.dim(formatDateTime(scan.created_at))}  ${chalk7.dim(scan.project_hash.slice(0, 12))}`);
+    }
+    console.log("");
+  }
+}
+function formatDate(iso) {
+  try {
+    return new Date(iso).toISOString().slice(0, 10);
+  } catch {
+    return iso;
+  }
+}
+function formatDateTime(iso) {
+  try {
+    const d = new Date(iso);
+    return d.toISOString().slice(0, 16).replace("T", " ");
+  } catch {
+    return iso;
+  }
+}
+
+// src/cli/commands/upgrade.ts
+init_esm_shims();
+import chalk8 from "chalk";
+var PRICING_URL = "https://vibedrift.ai/pricing";
+async function runUpgrade() {
+  console.log("");
+  console.log(chalk8.bold("  Upgrade your VibeDrift plan"));
+  console.log("");
+  console.log(`    ${chalk8.cyan(PRICING_URL)}`);
+  console.log("");
+  const opened = openInBrowser(PRICING_URL);
+  if (opened) {
+    console.log(chalk8.dim("  Opened in your browser."));
+  } else {
+    console.log(chalk8.dim("  Open the link above in your browser."));
+  }
+  console.log("");
+  console.log(chalk8.dim("  After upgrading, run `vibedrift login` to refresh your plan locally."));
+  console.log("");
+}
+
+// src/cli/commands/billing.ts
+init_esm_shims();
+import chalk9 from "chalk";
+async function runBilling() {
+  const resolved = await resolveToken();
+  if (!resolved) {
+    console.error(chalk9.red("\n  \u2717 Not logged in. Run `vibedrift login` first.\n"));
+    process.exit(1);
+  }
+  const config = await readConfig();
+  let portal;
+  try {
+    portal = await createPortalSession(resolved.token, { apiUrl: config.apiUrl });
+  } catch (err) {
+    if (err instanceof VibeDriftApiError) {
+      if (err.status === 401) {
+        console.error(chalk9.red("\n  \u2717 Your token is invalid or expired. Run `vibedrift login`.\n"));
+        process.exit(1);
+      }
+      if (err.status === 402 || err.status === 404) {
+        console.error(chalk9.yellow("\n  \u26A0 No billing account found for this user."));
+        console.error(chalk9.dim("    Run `vibedrift upgrade` to start a paid plan first.\n"));
+        process.exit(1);
+      }
+    }
+    console.error(chalk9.red(`
+  \u2717 Could not open billing portal: ${err instanceof Error ? err.message : String(err)}
+`));
+    process.exit(1);
+  }
+  console.log("");
+  console.log(chalk9.bold("  Stripe Customer Portal"));
+  console.log("");
+  console.log(`    ${chalk9.cyan(portal.url)}`);
+  console.log("");
+  const opened = openInBrowser(portal.url);
+  if (opened) {
+    console.log(chalk9.dim("  Opened in your browser. The link is single-use and expires shortly."));
+  } else {
+    console.log(chalk9.dim("  Open the link above in your browser. It's single-use and expires shortly."));
+  }
+  console.log("");
+}
+
+// src/cli/commands/doctor.ts
+init_esm_shims();
+import chalk10 from "chalk";
+import { homedir as homedir3, platform, arch } from "os";
+import { join as join7 } from "path";
+import { stat as stat4, access, constants } from "fs/promises";
+init_version();
+async function runDoctor() {
+  let failures = 0;
+  console.log("");
+  console.log(chalk10.bold("  VibeDrift Doctor"));
+  console.log("");
+  console.log(chalk10.bold("  Environment"));
+  ok("CLI version", getVersion());
+  ok("Node", process.version);
+  ok("Platform", `${platform()} ${arch()}`);
+  ok("HOME", homedir3());
+  console.log("");
+  console.log(chalk10.bold("  Config"));
+  const configDir = getConfigDir();
+  const configPath = getConfigPath();
+  let configDirOk = false;
+  try {
+    const info2 = await stat4(configDir);
+    if (info2.isDirectory()) {
+      configDirOk = true;
+      const mode = (info2.mode & 511).toString(8);
+      ok("Config dir", `${configDir} (mode ${mode})`);
+    } else {
+      bad(`Config dir exists but is not a directory: ${configDir}`);
+      failures++;
+    }
+  } catch {
+    info("Config dir", `${configDir} (will be created on first login)`);
+    configDirOk = true;
+  }
+  if (configDirOk) {
+    try {
+      await access(configPath, constants.R_OK);
+      const info2 = await stat4(configPath);
+      const mode = (info2.mode & 511).toString(8);
+      if ((info2.mode & 63) !== 0) {
+        warn("Config file", `${configPath} (mode ${mode}, world/group readable \u2014 should be 600)`);
+      } else {
+        ok("Config file", `${configPath} (mode ${mode})`);
+      }
+    } catch {
+      info("Config file", "absent (not logged in)");
+    }
+  }
+  const historyDir = join7(homedir3(), ".vibedrift", "scans");
+  try {
+    const info2 = await stat4(historyDir);
+    if (info2.isDirectory()) ok("Scan history", historyDir);
+    else warn("Scan history", `${historyDir} exists but is not a directory`);
+  } catch {
+    info("Scan history", "empty (no scans run yet)");
+  }
+  console.log("");
+  console.log(chalk10.bold("  Authentication"));
+  const config = await readConfig();
+  const resolved = await resolveToken();
+  if (!resolved) {
+    info("Login state", "not logged in");
+  } else {
+    ok("Token source", describeSource2(resolved.source));
+    ok("Token preview", previewToken(resolved.token));
+    if (resolved.source === "config") {
+      if (config.email) ok("Email", config.email);
+      if (config.plan) ok("Plan", config.plan);
+      if (config.expiresAt) {
+        const expires = new Date(config.expiresAt).getTime();
+        const now = Date.now();
+        if (expires < now) {
+          bad(`Token expired ${Math.floor((now - expires) / 864e5)} days ago`);
+          failures++;
+        } else {
+          ok("Token expires", `${config.expiresAt} (${Math.ceil((expires - now) / 864e5)} days)`);
+        }
+      }
+    }
+  }
+  console.log("");
+  console.log(chalk10.bold("  API"));
+  const apiUrl = await resolveApiUrl();
+  ok("API URL", apiUrl);
+  if (resolved) {
+    process.stdout.write(`    ${chalk10.dim("\u2192 Validating token... ")}`);
+    try {
+      const result = await validateToken(resolved.token, { apiUrl });
+      if (result.valid) {
+        console.log(chalk10.green("ok"));
+      } else {
+        console.log(chalk10.red("invalid token"));
+        failures++;
+      }
+    } catch (err) {
+      console.log(chalk10.red("unreachable"));
+      console.log(`    ${chalk10.dim("  ")}${err instanceof VibeDriftApiError ? err.message : String(err)}`);
+      failures++;
+    }
+  } else {
+    process.stdout.write(`    ${chalk10.dim("\u2192 Pinging API... ")}`);
+    try {
+      const res = await fetch(`${apiUrl}/health`, { signal: AbortSignal.timeout(1e4) });
+      if (res.ok) console.log(chalk10.green("ok"));
+      else {
+        console.log(chalk10.yellow(`HTTP ${res.status}`));
+        failures++;
+      }
+    } catch (err) {
+      console.log(chalk10.red("unreachable"));
+      console.log(`    ${chalk10.dim("  ")}${err instanceof Error ? err.message : String(err)}`);
+      failures++;
+    }
+  }
+  console.log("");
+  if (failures === 0) {
+    console.log(chalk10.green("  \u2713 All checks passed."));
+  } else {
+    console.log(chalk10.red(`  \u2717 ${failures} check${failures === 1 ? "" : "s"} failed.`));
+  }
+  console.log("");
+  process.exit(failures === 0 ? 0 : 1);
+}
+function ok(label, value) {
+  console.log(`    ${chalk10.green("\u2713")} ${label.padEnd(14)} ${chalk10.dim(value)}`);
+}
+function warn(label, value) {
+  console.log(`    ${chalk10.yellow("\u26A0")} ${label.padEnd(14)} ${chalk10.dim(value)}`);
+}
+function bad(value) {
+  console.log(`    ${chalk10.red("\u2717")} ${chalk10.red(value)}`);
+}
+function info(label, value) {
+  console.log(`    ${chalk10.dim("\xB7")} ${label.padEnd(14)} ${chalk10.dim(value)}`);
+}
+function describeSource2(source) {
+  switch (source) {
+    case "flag":
+      return "command-line flag";
+    case "env":
+      return "VIBEDRIFT_TOKEN environment variable";
+    case "config":
+      return "~/.vibedrift/config.json";
+  }
+}
+
 // src/cli/index.ts
 init_version();
 var VERSION = getVersion();
@@ -7741,10 +8898,14 @@ function parseScoreThreshold(value) {
   }
   return n;
 }
+function collect(value, previous) {
+  return previous.concat([value]);
+}
 var program = new Command();
 program.name("vibedrift").description(
   "Detect drift, contradictions, and security gaps in AI-generated codebases."
-).version(VERSION, "-V, --version", "show the installed version").helpOption("-h, --help", "show this help").argument("[path]", "path to project directory", ".").option(
+).version(VERSION, "-V, --version", "show the installed version").helpOption("-h, --help", "show this help");
+program.command("scan", { isDefault: true }).description("Scan a project for vibe drift (default command)").argument("[path]", "path to project directory", ".").option(
   "--format <type>",
   "output format: html, terminal, json, csv, docx",
   "html"
@@ -7752,8 +8913,27 @@ program.name("vibedrift").description(
   "--fail-on-score <n>",
   "exit with code 1 if composite score is below this threshold",
   parseScoreThreshold
-).option("--no-codedna", "skip Code DNA semantic analysis").option("--ml", "enable premium ML-powered analysis (requires VibeDrift key)").option("--ml-key <key>", "VibeDrift API key for premium features").option("--update", "update VibeDrift CLI to the latest version").option("--verbose", "show timing breakdown and analyzer details").addOption(
-  new Option("--ml-url <url>", "VibeDrift API endpoint").default("https://vibedrift-api.fly.dev").hideHelp()
+).option("--no-codedna", "skip Code DNA semantic analysis").option(
+  "--deep",
+  "enable AI-powered deep analysis (requires `vibedrift login`)"
+).option(
+  "--project-name <name>",
+  "override the auto-detected project name shown in the dashboard"
+).option(
+  "--include <pattern>",
+  "only scan files matching this glob (repeatable)",
+  collect,
+  []
+).option(
+  "--exclude <pattern>",
+  "exclude files matching this glob (repeatable)",
+  collect,
+  []
+).option(
+  "--update",
+  "update the VibeDrift CLI to the latest version (alias for `vibedrift update`)"
+).option("--verbose", "show timing breakdown and analyzer details").addOption(
+  new Option("--api-url <url>", "override the VibeDrift API base URL").hideHelp()
 ).action(async (path2, options) => {
   if (options.update) {
     await runUpdate(VERSION);
@@ -7765,12 +8945,43 @@ program.name("vibedrift").description(
     output: options.output,
     failOnScore: options.failOnScore,
     codedna: options.codedna,
-    ml: options.ml,
-    mlKey: options.mlKey,
-    mlUrl: options.mlUrl,
-    verbose: options.verbose
+    deep: options.deep,
+    apiUrl: options.apiUrl,
+    include: options.include,
+    exclude: options.exclude,
+    verbose: options.verbose,
+    projectName: options.projectName
+  });
+});
+program.command("login").description("Log in to your VibeDrift account").option("--no-browser", "don't open the browser automatically").addOption(
+  new Option("--api-url <url>", "override the API base URL").hideHelp()
+).action(async (options) => {
+  await runLogin({
+    apiUrl: options.apiUrl,
+    noBrowser: options.browser === false
   });
 });
+program.command("logout").description("Log out and revoke the current token").action(async () => {
+  await runLogout();
+});
+program.command("status").description("Show the current account, plan, and token").action(async () => {
+  await runStatus();
+});
+program.command("usage").description("Show your current billing period's scan usage").action(async () => {
+  await runUsage();
+});
+program.command("upgrade").description("Open the VibeDrift pricing page").action(async () => {
+  await runUpgrade();
+});
+program.command("billing").description("Open the Stripe Customer Portal to manage your subscription").action(async () => {
+  await runBilling();
+});
+program.command("doctor").description("Diagnose CLI installation, auth, and API connectivity").action(async () => {
+  await runDoctor();
+});
+program.command("update").description("Update the VibeDrift CLI to the latest version").action(async () => {
+  await runUpdate(VERSION);
+});
 program.addHelpText(
   "after",
   `
@@ -7780,8 +8991,20 @@ Examples:
   $ vibedrift --format terminal        print results to the terminal
   $ vibedrift --json > report.json     pipe JSON output to a file
   $ vibedrift --fail-on-score 70       fail CI if score drops below 70
-  $ vibedrift --ml --ml-key vd_...     run premium ML-powered analysis
-  $ vibedrift --update                 update to the latest version
+  $ vibedrift --include "src/**"       only scan files under src/
+  $ vibedrift --exclude "**/*.spec.*"  skip test files
+  $ vibedrift --deep                   run premium AI-powered deep analysis
+  $ vibedrift login                    sign in to enable --deep
+  $ vibedrift status                   check current auth state
+  $ vibedrift usage                    view this month's scan usage
+  $ vibedrift upgrade                  open the pricing page
+  $ vibedrift billing                  manage your Stripe subscription
+  $ vibedrift update                   update to the latest CLI version
+
+Environment:
+  VIBEDRIFT_TOKEN     bearer token (overrides ~/.vibedrift/config.json)
+  VIBEDRIFT_API_URL   override the API base URL
+  VIBEDRIFT_NO_BROWSER if "1", never auto-open the browser
 
 Learn more: https://vibedrift.ai`
 );