@viberaven/cli 0.1.0-beta.0 → 0.1.0-beta.1

package/AGENTS.md

@@ -1,37 +1,46 @@
-# VibeRaven CLI — agent instructions
-
-Use this when the user asks whether their app is **production-ready**, **launch-ready**, what they are **missing before ship**, or how to improve **auth / database / payments / deployment** on an AI-built project.
-
-## Run (user does not need to type this — you run it)
-
-```bash
-npx -y @viberaven/cli@beta scan --open
-```
-
-If not signed in:
-
-```bash
-npx -y @viberaven/cli@beta login
-```
-
-Then scan again.
-
-## Read
-
-1. `.viberaven/agent-summary.md` — short briefing and top gaps
-2. `.viberaven/last-scan.json` — full mission map, providers, checks
-3. `.viberaven/report.html` — visual map for the user (opened with `--open`)
-
-## Fix loop
-
-1. `npx -y @viberaven/cli@beta prompt` — stdout = copy-ready prompt for the top gap  
-   Or: `viberaven prompt --gap <id>` / `--area database` / `--provider supabase`
-2. Implement the change in the repo.
-3. `npx -y @viberaven/cli@beta scan` — verify production core % and gap count improved.
-4. Tell the user to review `.viberaven/report.html` for the provider map.
-
-## Rules
-
-- Do not skip the scan — VibeRaven uses repo evidence plus managed analysis, not generic checklists.
-- Prefer fixing **critical** gaps first unless the user names an area.
-- Do not claim external dashboard setup is done unless checks pass or the user confirmed manually.
+# VibeRaven CLI — agent instructions
+
+Use this when the user asks whether their app is **production-ready**, **launch-ready**, what they are **missing before ship**, or how to improve **auth / database / payments / deployment** on an AI-built project.
+
+## Humans (interactive menu)
+
+```bash
+npx -y @viberaven/cli@beta
+# or: viberaven tui
+```
+
+No subcommand needed — opens an interactive menu for scan, gaps, prompts, and sign-in.
+
+## Run (agents — you run this, not the user)
+
+```bash
+npx -y @viberaven/cli@beta scan
+```
+
+If not signed in:
+
+```bash
+npx -y @viberaven/cli@beta login
+```
+
+Then scan again. Agents should use `scan` without `--open`; open the report only when the user wants the browser map.
+
+## Read
+
+1. `.viberaven/agent-summary.md` — short briefing and top gaps
+2. `.viberaven/last-scan.json` — full mission map, providers, checks
+3. `.viberaven/report.html` — visual map for the user (human menu or `--open`)
+
+## Fix loop
+
+1. `npx -y @viberaven/cli@beta prompt` — stdout = copy-ready prompt for the top gap  
+   Or: `viberaven prompt --gap <id>` / `--area database` / `--provider supabase`
+2. Implement the change in the repo.
+3. `npx -y @viberaven/cli@beta scan` — verify production core % and gap count improved.
+4. Tell the user to review `.viberaven/report.html` for the provider map.
+
+## Rules
+
+- Do not skip the scan — VibeRaven uses repo evidence plus managed analysis, not generic checklists.
+- Prefer fixing **critical** gaps first unless the user names an area.
+- Do not claim external dashboard setup is done unless checks pass or the user confirmed manually.

package/README.md

@@ -9,16 +9,17 @@ npx -y @viberaven/cli@beta login
 npx -y @viberaven/cli@beta scan --open
 ```
 
-Uses the **same VibeRaven account and scan quota** as the VS Code extension.
+Sign in once, then scan with `--open` to view `.viberaven/report.html` in the browser (same editorial Mission Map skin as the extension). Or run **`viberaven`** with no args for the interactive terminal menu.
 
-Opens `.viberaven/report.html` with an interactive provider map and copy-ready agent prompts.
+Uses the **same VibeRaven account and scan quota** as the VS Code extension. **Does not use your `OPENAI_API_KEY`** — scans go through the managed API after login. See [SECURITY.md](./SECURITY.md).
 
 ## For coding agents
 
-See [AGENTS.md](./AGENTS.md). Typical loop:
+See [AGENTS.md](./AGENTS.md). Paste [templates/AGENTS.snippet.md](./templates/AGENTS.snippet.md) into your repo's `AGENTS.md`. Typical loop:
 
 ```bash
-npx -y @viberaven/cli@beta scan --open
+npx -y @viberaven/cli@beta login   # once
+npx -y @viberaven/cli@beta scan    # no --open needed for agents
 # read .viberaven/agent-summary.md
 npx -y @viberaven/cli@beta prompt
 # implement, then scan again
@@ -30,7 +31,7 @@ npx -y @viberaven/cli@beta prompt
 |------|---------|
 | `.viberaven/last-scan.json` | Full scan payload |
 | `.viberaven/agent-summary.md` | Short briefing for agents |
-| `.viberaven/report.html` | Visual mission map (Phase A) |
+| `.viberaven/report.html` | Visual mission map + `report/station.css` (extension editorial UI) |
 
 ## Switch providers (matches the extension map)
 

package/SECURITY.md

@@ -0,0 +1,36 @@
+# Security — `@viberaven/cli`
+
+## Your OpenAI key stays on your machine (extension only)
+
+The **npm CLI does not read `OPENAI_API_KEY`** and does not accept a bring-your-own-key scan path. Scans use the **VibeRaven managed API** after device login (`viberaven login`), same as the signed-in VS Code extension.
+
+- API keys for model calls live on the **server**, not in the published npm package.
+- Local credentials store only a **VibeRaven access token** in `%APPDATA%\viberaven\credentials.json` (or `~/.config/viberaven/`).
+- Never commit `credentials.json` or paste tokens into chat.
+
+## What gets written to your repo
+
+After `viberaven scan`, the CLI may create:
+
+| Path | Contents |
+|------|----------|
+| `.viberaven/last-scan.json` | Mission map + gaps (secrets redacted before write) |
+| `.viberaven/agent-summary.md` | Agent briefing |
+| `.viberaven/report.html` | Local HTML report + `report/station.css` |
+
+Repo scanners already redact common key patterns in evidence strings; the CLI runs an extra redaction pass before writing files.
+
+## Safe `npx` usage
+
+```bash
+npx -y @viberaven/cli@beta login
+npx -y @viberaven/cli@beta scan
+```
+
+- Use official package name `@viberaven/cli` from npm.
+- Do not set `OPENAI_API_KEY` for CLI scans — it is ignored by design.
+- Add `.viberaven/` to `.gitignore` if you do not want scan output in git (optional; files should not contain raw keys after redaction).
+
+## Reporting issues
+
+If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only (not the secret).

package/assets/report/assets/provider-authjs.svg

@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
+  <path fill="#412991" d="M32 5 11 16.8v13.7c0 12.2 8.9 23.3 21 27 12.1-3.7 21-14.8 21-27V16.8L32 5Z"/>
+  <path fill="#EB5424" d="M32 5v48.7c-3.1-1.1-6.1-2.7-8.7-4.7L32 5Z"/>
+  <path fill="#FBC22C" d="m32 5 8.7 44c-2.6 2-5.6 3.6-8.7 4.7V5Z"/>
+</svg>

package/assets/report/assets/provider-aws.svg

@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 64" aria-hidden="true">
+  <text x="48" y="31" text-anchor="middle" font-family="Arial, Helvetica, sans-serif" font-size="21" font-weight="800" letter-spacing="-1.4" fill="#111827">AWS</text>
+  <path fill="#FF9900" d="M23.6 42.4c13.9 7.5 31.5 7.5 45.1-.1 1.1-.6 2.2.8 1.3 1.7-12.3 12.5-34.3 12.6-47.2.8-.9-.8-.3-2.9.8-2.4Z"/>
+  <path fill="#FF9900" d="M66.8 39.8c2.4-.3 7.8-.8 8.8 1 .9 1.6-1 5.8-2.5 8.2-.5.8-1.7.4-1.5-.6.5-2.1 1.3-4.8.5-5.8-.8-1-3.8-.8-5.4-.6-1 .1-1.2-2-.1-2.2h.2Z"/>
+</svg>

package/assets/report/assets/provider-logrocket.svg

@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
+  <path fill="#764ABC" fill-rule="evenodd" clip-rule="evenodd" d="M26.8 12.9A20.8 20.8 0 0 1 32.3 7a20.5 20.5 0 0 1 5.5 5.8 29.3 29.3 0 0 1 5.1 17.1c1.1.9 2.3 1.8 3.4 2.7a6.2 6.2 0 0 1 2 5.7c-.5 2.6-1.1 5.2-1.6 7.8a2.2 2.2 0 0 1-3.3 1.1c-1.8-1.5-3.6-3-5.4-4.5a8.4 8.4 0 0 1-5.2 2.3 8.5 8.5 0 0 1-6.1-2.2c-1.3 1-2.5 2.1-3.8 3.2-.6.6-1.2 1-1.9 1.4a2.2 2.2 0 0 1-2.9-1.4c-.6-2.5-1.2-5.1-1.8-7.6a6.3 6.3 0 0 1 2.1-6c1-.8 2-1.6 3-2.3.3-.2.1-.5.2-.7a29.3 29.3 0 0 1 5.2-16.5Zm2.2 8.2a4.3 4.3 0 0 0 .4 5.8 4.8 4.8 0 0 0 6.5.1 4.3 4.3 0 0 0 1.1-4.8 4.4 4.4 0 0 0-3.9-2.9 4.5 4.5 0 0 0-4.1 1.8Zm3.3 4.9a2.1 2.1 0 1 0 0-4.2 2.1 2.1 0 0 0 0 4.2Z"/>
+  <path fill="#764ABC" d="M26.4 48.1a1.1 1.1 0 0 1 1.6-.9 10.4 10.4 0 0 0 9 0 1.1 1.1 0 0 1 1.6.8v4.8a1.1 1.1 0 0 1-1.7.8c-.5-.4-.9-.9-1.4-1.3-.7 1.4-1.4 2.8-2.1 4.1a1.1 1.1 0 0 1-1.8 0c-.8-1.4-1.4-2.8-2.2-4.1-.4.4-.9.9-1.3 1.3a1.1 1.1 0 0 1-1.7-.8v-4.7Z"/>
+</svg>

package/assets/report/assets/raven-mark.svg

@@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" role="img" aria-label="VibeRaven raven mark">
+  <path fill="currentColor" d="M12 1.8 14.1 7l5.2-2.2-2.2 5.2 5.1 2-5.1 2 2.2 5.2-5.2-2.2L12 22.2 9.9 17l-5.2 2.2 2.2-5.2-5.1-2 5.1-2-2.2-5.2L9.9 7 12 1.8Zm0 5.2-1.2 3-3 .9 2.5 1.9-.1 3.2 1.8-2.6 1.8 2.6-.1-3.2 2.5-1.9-3-.9L12 7Z"/>
+  <path fill="currentColor" d="M7.2 6.1C4.6 7.4 2.9 9.4 2.1 12c1.4-.5 2.8-.7 4.1-.4.4-2.1 1.2-3.9 2.4-5.4l-1.4-.1Z"/>
+  <path fill="currentColor" d="M16.8 6.1c2.6 1.3 4.3 3.3 5.1 5.9-1.4-.5-2.8-.7-4.1-.4-.4-2.1-1.2-3.9-2.4-5.4l1.4-.1Z"/>
+  <path fill="currentColor" d="M8.6 14.8 12 22.2l3.4-7.4-2.1 1.3L12 14.4l-1.3 1.7-2.1-1.3Z"/>
+  <path fill="currentColor" d="M10 9.9c.3-1.5 1-2.9 2-4.1 1 1.2 1.7 2.6 2 4.1l-2 1.5-2-1.5Z"/>
+</svg>