@vibedrift/cli 0.4.0 → 0.4.2

package/README.md

@@ -21,27 +21,66 @@ vibedrift ./my-project
 
 That's it. No signup, no API key, no config file. The default run produces an interactive HTML report and serves it on a local port.
 
-To unlock AI-powered deep analysis (semantic duplicates, intent mismatches, anomaly detection):
+### Free deep scan
+
+Every account gets **1 free deep scan** on signup — no card required. Deep scans add Claude-powered AI analysis on top of the local scan (semantic duplicates, intent mismatches, anomaly detection):
 
 ```bash
-vibedrift login          # one-time browser sign-in, no password
-vibedrift . --deep       # run with cloud AI on top of the local scan
+vibedrift login          # one-time browser sign-in
+vibedrift . --deep       # uses your free credit (or Pro subscription)
 ```
 
 ---
 
 ## What It Catches
 
+### Layer 1 — Static Analysis (13 analyzers, runs locally)
 - **Architectural contradictions** — when half your handlers use a repository pattern and the other half hit raw SQL
-- **Hidden duplicates** — functions that do the same thing under different names in different files
-- **Security gaps** — routes missing auth, validation, or rate limiting
 - **Naming inconsistency** — `getUserData()`, `get_order_items()`, `FetchProductList()` in the same project
+- **Security patterns** — hardcoded secrets, SQL injection, command injection, weak crypto, unsafe functions
+- **Dependency health** — phantom deps, missing deps, undocumented env vars
+- **Code quality** — cyclomatic complexity, dead code, TODO density, long functions, unclear naming
+
+### Layer 1.5 — Cross-File Drift Detection (5 detectors)
+- **Architectural consistency** — data access patterns, error handling, DI, config approaches
+- **Convention oscillation** — naming conventions, file naming across the whole project
+- **Security consistency** — auth middleware, input validation, rate limiting across routes
+- **Semantic duplication** — functions that do the same thing under different names in different files
 - **Phantom scaffolding** — CRUD endpoints the AI generated but never wired up
 
+### Layer 1.7 — Code DNA Engine (5 modules, runs locally)
+- **Semantic fingerprinting** — normalizes function bodies and hashes them. Identical hashes = exact semantic duplicates at confidence 1.0
+- **Operation sequence analysis** — reduces functions to abstract operations (INPUT, QUERY, MUTATE, RETURN) and compares via LCS
+- **Pattern classification** — structural pattern detection with probability distributions per file
+- **Taint analysis** — tracks user input from sources (req.params) to dangerous sinks (db.query) within functions
+- **Deviation heuristics** — scores whether architectural deviations are justified or accidental
+
+### Layer 2 — AI Deep Analysis (requires `--deep`)
+- **ML duplicate detection** — UniXcoder embeddings + cosine similarity for near-duplicates
+- **Intent mismatch** — detects functions whose name doesn't match their behavior
+- **Anomaly detection** — DBSCAN outlier detection on handler embeddings
+- **Surgical LLM validation** — Claude validates medium-confidence ML findings
+
 VibeDrift learns the dominant patterns your codebase follows and flags files that deviate from them. A codebase isn't wrong because it uses raw SQL — it's *drifting* because 8 of its 10 handlers use a repository and 2 don't.
 
 ---
 
+## Scoring
+
+VibeDrift scores across 5 categories, each 0–20 points:
+
+| Category | What it measures |
+|----------|-----------------|
+| **Architectural Consistency** | Naming, imports, error handling, patterns, drift detection |
+| **Redundancy** | Duplicates, dead code, TODO density, Code DNA fingerprints |
+| **Dependency Health** | Phantom/missing deps, env var documentation |
+| **Security Posture** | Hardcoded secrets, injection risks, taint flows, security drift |
+| **Intent Clarity** | Complexity, unclear naming, commented-out code, documentation |
+
+**Composite score** = sum of applicable categories (0–100). Grade thresholds: A ≥ 90, B ≥ 75, C ≥ 50, D ≥ 25, F < 25.
+
+---
+
 ## Usage
 
 ```
@@ -57,6 +96,7 @@ Commands:
   billing              Open the Stripe Customer Portal
   doctor               Diagnose CLI installation, auth, and API
   update               Update the CLI to the latest version
+  feedback [message]   Send feedback, bug reports, or feature requests
 
 Scan options:
   --format <type>       Output format: html, terminal, json, csv, docx (default: html)
@@ -64,9 +104,11 @@ Scan options:
   --json                Shorthand for --format json
   --fail-on-score <n>   Exit with code 1 if composite score is below threshold
   --no-codedna          Skip Code DNA semantic analysis
-  --deep                Enable AI-powered deep analysis (requires `vibedrift login`)
+  --deep                Enable AI-powered deep analysis (requires login)
+  --project-name <name> Override the auto-detected project name
   --include <pattern>   Only scan files matching this glob (repeatable)
   --exclude <pattern>   Exclude files matching this glob (repeatable)
+  --feedback [message]  Send feedback (alias for `vibedrift feedback`)
   --update              Update the VibeDrift CLI to the latest version
   --verbose             Show timing breakdown and analyzer details
   -V, --version         Show installed version
@@ -76,6 +118,7 @@ Scan options:
 ### Examples
 
 ```bash
+# Scanning
 vibedrift                           # scan the current directory
 vibedrift ./my-project              # scan a specific project
 vibedrift --format terminal         # print results to the terminal
@@ -83,12 +126,20 @@ vibedrift --json > report.json      # pipe JSON output to a file
 vibedrift --fail-on-score 70        # fail CI if score drops below 70
 vibedrift --include "src/**"        # only scan files under src/
 vibedrift --exclude "**/*.spec.*"   # skip test files
-vibedrift --deep                    # run premium AI-powered deep analysis
-vibedrift login                     # sign in to enable --deep
-vibedrift status                    # check current auth state
+vibedrift --deep                    # run AI-powered deep analysis
+
+# Account
+vibedrift login                     # sign in (opens browser)
+vibedrift status                    # check auth + credit balance
 vibedrift usage                     # view this month's scan usage
-vibedrift billing                   # manage your Stripe subscription
+vibedrift billing                   # manage your subscription
 vibedrift update                    # update to the latest version
+
+# Feedback
+vibedrift feedback                  # interactive prompt
+vibedrift feedback "the report is great but needs dark mode"
+vibedrift --feedback "inline shortcut works too"
+echo "piped input" | vibedrift feedback
 ```
 
 ### Environment
@@ -103,27 +154,56 @@ vibedrift update                    # update to the latest version
 
 | Format | Description |
 |--------|-------------|
-| `html` (default) | Interactive report with charts, file rankings, and exports |
+| `html` (default) | Interactive report with charts, category breakdowns, drift findings, Code DNA results, and export options |
 | `terminal` | Color-coded terminal output with tables |
-| `json` | Full result serialization for CI pipelines |
-| `csv` | Tabular export of all findings |
-| `docx` | Word document with formatted sections |
+| `json` | Full ScanResult serialization for CI pipelines |
+| `csv` | Multi-section tabular export (metadata, scores, findings, drift, Code DNA, per-file) |
+| `docx` | Word document with formatted title page, AI summary, scores, and all findings |
 
 ### CI Integration
 
-```bash
-# Fail the build if score drops below 70
-npx @vibedrift/cli . --format json --fail-on-score 70
-
-# Same, with deep AI analysis (token from VIBEDRIFT_TOKEN secret)
-VIBEDRIFT_TOKEN=$VIBEDRIFT_TOKEN \
-  npx @vibedrift/cli . --deep --format json --fail-on-score 70
+```yaml
+# GitHub Actions
+name: VibeDrift
+on: [pull_request]
+jobs:
+  drift-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npx @vibedrift/cli . --deep --json --fail-on-score 70
+        env:
+          VIBEDRIFT_TOKEN: ${{ secrets.VIBEDRIFT_TOKEN }}
 ```
 
 Exit code 1 when the score drops below the threshold. JSON output includes every finding for downstream tooling.
 
 ---
 
+## Dashboard
+
+All scans (free and deep) are logged to your dashboard at [vibedrift.ai/dashboard](https://vibedrift.ai/dashboard) when you're logged in:
+
+- **Project overview** — score trends, sparklines, grade history
+- **Scan detail** — embedded HTML report, export (JSON/CSV/DOCX), share via public link
+- **Billing** — manage subscription, cancel/switch plans, view credits
+- **Settings** — API tokens, preferences, account management
+
+---
+
+## Pricing
+
+| Tier | Price | What you get |
+|------|-------|-------------|
+| **Free** | $0 | Unlimited local scans + 1 free deep scan on signup |
+| **Per scan** | $5/scan | One-time deep scan credit (Claude AI + ML embeddings) |
+| **Pro** | $29/month | Unlimited deep scans + GitHub Action + dashboard |
+| **Team** | $99/month | Everything in Pro + team features + API access |
+
+See [vibedrift.ai/#pricing](https://vibedrift.ai/#pricing) for details.
+
+---
+
 ## Supported Languages
 
 JavaScript · TypeScript · Python · Go · Rust
@@ -139,6 +219,18 @@ JavaScript · TypeScript · Python · Go · Rust
 
 ---
 
+## Feedback
+
+Found a bug? Have a feature request? Send it directly from the CLI:
+
+```bash
+vibedrift feedback "the naming analyzer flags Go acronyms incorrectly"
+```
+
+Feedback goes straight to the maintainer. If you're logged in, your account email is attached so we can follow up. Anonymous feedback works too.
+
+---
+
 ## License
 
 VibeDrift is proprietary software. Free to install and run for personal and internal commercial use; see [LICENSE](./LICENSE) for full terms.
@@ -155,5 +247,6 @@ For commercial licensing, partnerships, or enterprise terms: **sami.ahmadkhan12@
 
 ## Links
 
-- **Website:** https://vibedrift.ai
+- **Website:** [vibedrift.ai](https://vibedrift.ai)
+- **Dashboard:** [vibedrift.ai/dashboard](https://vibedrift.ai/dashboard)
 - **Issues / Support:** sami.ahmadkhan12@gmail.com

package/dist/index.js

@@ -1321,9 +1321,29 @@ function buildDeviationPayloads(codeDnaResult, driftFindings) {
       const hasComment = dj.signals?.some((s) => s.type === "explanatory_comment" && s.present) ?? false;
       const sqlComplexity = dj.signals?.find((s) => s.type === "complex_sql")?.present ? 3 : 0;
       const funcComplexity = dj.signals?.reduce((sum, s) => sum + (s.present ? Math.abs(s.weight) : 0), 0) ?? 0;
+      const patternToType = {
+        repository: "data_access",
+        raw_sql: "data_access",
+        orm: "data_access",
+        direct_db: "data_access",
+        http_client: "data_access",
+        wrap_with_context: "error_handling",
+        raw_propagation: "error_handling",
+        swallow: "error_handling",
+        http_error_response: "error_handling",
+        exception_throw: "error_handling",
+        result_type: "error_handling",
+        constructor_injection: "di",
+        global_import: "di",
+        service_locator: "di",
+        no_di: "di",
+        env_direct: "config",
+        config_struct_di: "config"
+      };
+      const inferredType = patternToType[dj.deviatingPattern] ?? patternToType[dj.dominantPattern] ?? "data_access";
       deviations.push({
         file: dj.relativePath,
-        deviation_type: "architectural",
+        deviation_type: inferredType,
         dominant_pattern: dj.dominantPattern,
         actual_pattern: dj.deviatingPattern,
         dominant_count: 0,
@@ -1344,7 +1364,7 @@ function buildDeviationPayloads(codeDnaResult, driftFindings) {
       seen.add(key);
       deviations.push({
         file: df.path,
-        deviation_type: d.subCategory ?? "architectural",
+        deviation_type: d.subCategory ?? "data_access",
         dominant_pattern: d.dominantPattern,
         actual_pattern: df.detectedPattern,
         dominant_count: d.dominantCount,
@@ -1473,9 +1493,11 @@ function deduplicateFindingsAcrossLayers(findings) {
   return [...nonDuplicate, ...dedupedDuplicates];
 }
 function makeFilePairKey(f) {
-  const files = f.locations.map((l) => l.file).filter(Boolean).sort();
+  const files = [...new Set(
+    f.locations.map((l) => l.file).filter(Boolean)
+  )].sort();
   if (files.length >= 2) {
-    return `dup::${files[0]}::${files[1]}`;
+    return `dup::${files.join("::")}`;
   }
   return `dup::${files[0] ?? "unknown"}::${f.analyzerId}`;
 }
@@ -6017,9 +6039,9 @@ function computeDriftScores(findings) {
   ) / 10;
   let grade;
   if (composite >= 90) grade = "A";
-  else if (composite >= 80) grade = "B";
-  else if (composite >= 65) grade = "C";
-  else if (composite >= 50) grade = "D";
+  else if (composite >= 75) grade = "B";
+  else if (composite >= 50) grade = "C";
+  else if (composite >= 25) grade = "D";
   else grade = "F";
   return {
     ...scores,