@viberaven/cli 0.1.0-beta.0 → 0.1.0-beta.2

package/AGENTS.md

@@ -1,37 +1,114 @@
 # VibeRaven CLI — agent instructions
 
+
+
 Use this when the user asks whether their app is **production-ready**, **launch-ready**, what they are **missing before ship**, or how to improve **auth / database / payments / deployment** on an AI-built project.
 
-## Run (user does not need to type this — you run it)
+
+
+## Humans (interactive menu)
+
+
+
+```bash
+
+npx -y @viberaven/cli@beta
+
+# or: viberaven tui
+
+```
+
+
+
+No subcommand needed — opens an interactive menu for scan, gaps, prompts, and sign-in.
+
+
+
+## Run (agents — you run this, not the user)
+
+
 
 ```bash
-npx -y @viberaven/cli@beta scan --open
+
+npx -y @viberaven/cli@beta scan
+
 ```
 
+
+
 If not signed in:
 
+
+
 ```bash
+
 npx -y @viberaven/cli@beta login
+
 ```
 
-Then scan again.
 
-## Read
+
+Then scan again. Agents should use `scan` without `--open`; open the report only when the user wants the browser map.
+
+If scan output says `LOGIN_REQUIRED`, stop and ask the user to complete:
+
+```bash
+npx -y @viberaven/cli@beta login
+```
+
+Then rerun:
+
+```bash
+npx -y @viberaven/cli@beta scan
+```
+
+Stable agent-readable labels:
+
+- `READY` — scan finished; read `.viberaven/agent-summary.md` before changing code.
+- `LOGIN_REQUIRED` — stop and ask the user to complete login.
+- `UPGRADE_REQUIRED` — stop; the user must upgrade or wait for quota reset.
+- `MANUAL_ACTION_REQUIRED` — provider dashboard, billing, DNS, webhook, MCP, or live verification needs user/provider action.
+- `ERROR` — report the error and retry only when the cause is clear.
+
+
+
+## Read
+
+
 
 1. `.viberaven/agent-summary.md` — short briefing and top gaps
+
 2. `.viberaven/last-scan.json` — full mission map, providers, checks
-3. `.viberaven/report.html` — visual map for the user (opened with `--open`)
+
+3. `.viberaven/report.html` — visual map for the user (human menu or `--open`)
+
+
 
 ## Fix loop
 
+
+
 1. `npx -y @viberaven/cli@beta prompt` — stdout = copy-ready prompt for the top gap  
+
    Or: `viberaven prompt --gap <id>` / `--area database` / `--provider supabase`
+
 2. Implement the change in the repo.
+
 3. `npx -y @viberaven/cli@beta scan` — verify production core % and gap count improved.
+
 4. Tell the user to review `.viberaven/report.html` for the provider map.
 
+
+
 ## Rules
 
+
+
 - Do not skip the scan — VibeRaven uses repo evidence plus managed analysis, not generic checklists.
+
 - Prefer fixing **critical** gaps first unless the user names an area.
+
 - Do not claim external dashboard setup is done unless checks pass or the user confirmed manually.
+
+- Do not claim human-provider actions as repo-code fixes. Human-provider actions include dashboard setup, billing/product configuration, DNS, webhooks, provider credentials, quota upgrades, and read-only MCP/provider-live verification.
+

package/README.md

@@ -9,32 +9,43 @@ npx -y @viberaven/cli@beta login
 npx -y @viberaven/cli@beta scan --open
 ```
 
-Uses the **same VibeRaven account and scan quota** as the VS Code extension.
+Sign in once, then scan with `--open` to view `.viberaven/report.html` in the browser (same editorial Mission Map skin as the extension). Or run **`viberaven`** with no args for the interactive terminal menu.
 
-Opens `.viberaven/report.html` with an interactive provider map and copy-ready agent prompts.
+Uses the **same VibeRaven account and scan quota** as the VS Code extension. **Does not use your `OPENAI_API_KEY`** — scans go through the managed API after login. See [SECURITY.md](./SECURITY.md).
 
 ## For coding agents
 
-See [AGENTS.md](./AGENTS.md). Typical loop:
+Use VibeRaven when the user asks whether an AI-built app is launch-ready, production-ready, or missing auth/database/payments/deployment/security work.
 
 ```bash
-npx -y @viberaven/cli@beta scan --open
-# read .viberaven/agent-summary.md
-npx -y @viberaven/cli@beta prompt
-# implement, then scan again
+npx -y @viberaven/cli@beta scan
+```
+
+If output includes `LOGIN_REQUIRED`, ask the user to run:
+
+```bash
+npx -y @viberaven/cli@beta login
 ```
 
+After the browser/device login completes, run scan again. Then read `.viberaven/agent-summary.md`, run `viberaven prompt` or `viberaven prompt --gap <id>`, implement the repo-code fix, and run `npx -y @viberaven/cli@beta scan` again.
+
+Do not claim dashboard, billing, DNS, webhook, MCP, or provider-live actions as repo-code fixes. Tell the user when `.viberaven/report.html` has manual provider actions to review.
+
+See [AGENTS.md](./AGENTS.md). Paste [templates/AGENTS.snippet.md](./templates/AGENTS.snippet.md) into your repo's `AGENTS.md`.
+
 ## Artifacts
 
 | File | Purpose |
 |------|---------|
 | `.viberaven/last-scan.json` | Full scan payload |
 | `.viberaven/agent-summary.md` | Short briefing for agents |
-| `.viberaven/report.html` | Visual mission map (Phase A) |
-
-## Switch providers (matches the extension map)
+| `.viberaven/report.html` | Visual mission map + `report/station.css` (extension editorial UI) |
 
-The report shows a provider switch per production area (database, auth, payments, deployment, monitoring, security). Picking one copies a command:
+## Switch providers (matches the extension map)
+
+The report shows provider paths per production area. Clicking a provider in `.viberaven/report.html` updates the static map view for review; it does not silently persist or claim that provider is connected.
+
+To persist a provider choice for the next scan, use:
 
 ```bash
 viberaven stack set database neon && viberaven scan --open
@@ -48,7 +59,9 @@ viberaven stack list
 viberaven stack clear            # remove all overrides
 ```
 
-The next `scan` re-maps that area using your chosen provider.
+The next `scan` re-maps that area using your chosen provider.
+
+Agent-readable scan labels are stable: `READY`, `LOGIN_REQUIRED`, `UPGRADE_REQUIRED`, `MANUAL_ACTION_REQUIRED`, and `ERROR`.
 
 ## Development
 

package/SECURITY.md

@@ -0,0 +1,36 @@
+# Security — `@viberaven/cli`
+
+## Your OpenAI key stays on your machine (extension only)
+
+The **npm CLI does not read `OPENAI_API_KEY`** and does not accept a bring-your-own-key scan path. Scans use the **VibeRaven managed API** after device login (`viberaven login`), same as the signed-in VS Code extension.
+
+- API keys for model calls live on the **server**, not in the published npm package.
+- Local credentials store only a **VibeRaven access token** in `%APPDATA%\viberaven\credentials.json` (or `~/.config/viberaven/`).
+- Never commit `credentials.json` or paste tokens into chat.
+
+## What gets written to your repo
+
+After `viberaven scan`, the CLI may create:
+
+| Path | Contents |
+|------|----------|
+| `.viberaven/last-scan.json` | Mission map + gaps (secrets redacted before write) |
+| `.viberaven/agent-summary.md` | Agent briefing |
+| `.viberaven/report.html` | Local HTML report + `report/station.css` |
+
+Repo scanners already redact common key patterns in evidence strings; the CLI runs an extra redaction pass before writing files.
+
+## Safe `npx` usage
+
+```bash
+npx -y @viberaven/cli@beta login
+npx -y @viberaven/cli@beta scan
+```
+
+- Use official package name `@viberaven/cli` from npm.
+- Do not set `OPENAI_API_KEY` for CLI scans — it is ignored by design.
+- Add `.viberaven/` to `.gitignore` if you do not want scan output in git (optional; files should not contain raw keys after redaction).
+
+## Reporting issues
+
+If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only (not the secret).

package/assets/report/assets/provider-authjs.svg

@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
+  <path fill="#412991" d="M32 5 11 16.8v13.7c0 12.2 8.9 23.3 21 27 12.1-3.7 21-14.8 21-27V16.8L32 5Z"/>
+  <path fill="#EB5424" d="M32 5v48.7c-3.1-1.1-6.1-2.7-8.7-4.7L32 5Z"/>
+  <path fill="#FBC22C" d="m32 5 8.7 44c-2.6 2-5.6 3.6-8.7 4.7V5Z"/>
+</svg>

package/assets/report/assets/provider-aws.svg

@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 64" aria-hidden="true">
+  <text x="48" y="31" text-anchor="middle" font-family="Arial, Helvetica, sans-serif" font-size="21" font-weight="800" letter-spacing="-1.4" fill="#111827">AWS</text>
+  <path fill="#FF9900" d="M23.6 42.4c13.9 7.5 31.5 7.5 45.1-.1 1.1-.6 2.2.8 1.3 1.7-12.3 12.5-34.3 12.6-47.2.8-.9-.8-.3-2.9.8-2.4Z"/>
+  <path fill="#FF9900" d="M66.8 39.8c2.4-.3 7.8-.8 8.8 1 .9 1.6-1 5.8-2.5 8.2-.5.8-1.7.4-1.5-.6.5-2.1 1.3-4.8.5-5.8-.8-1-3.8-.8-5.4-.6-1 .1-1.2-2-.1-2.2h.2Z"/>
+</svg>

package/assets/report/assets/provider-logrocket.svg

@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
+  <path fill="#764ABC" fill-rule="evenodd" clip-rule="evenodd" d="M26.8 12.9A20.8 20.8 0 0 1 32.3 7a20.5 20.5 0 0 1 5.5 5.8 29.3 29.3 0 0 1 5.1 17.1c1.1.9 2.3 1.8 3.4 2.7a6.2 6.2 0 0 1 2 5.7c-.5 2.6-1.1 5.2-1.6 7.8a2.2 2.2 0 0 1-3.3 1.1c-1.8-1.5-3.6-3-5.4-4.5a8.4 8.4 0 0 1-5.2 2.3 8.5 8.5 0 0 1-6.1-2.2c-1.3 1-2.5 2.1-3.8 3.2-.6.6-1.2 1-1.9 1.4a2.2 2.2 0 0 1-2.9-1.4c-.6-2.5-1.2-5.1-1.8-7.6a6.3 6.3 0 0 1 2.1-6c1-.8 2-1.6 3-2.3.3-.2.1-.5.2-.7a29.3 29.3 0 0 1 5.2-16.5Zm2.2 8.2a4.3 4.3 0 0 0 .4 5.8 4.8 4.8 0 0 0 6.5.1 4.3 4.3 0 0 0 1.1-4.8 4.4 4.4 0 0 0-3.9-2.9 4.5 4.5 0 0 0-4.1 1.8Zm3.3 4.9a2.1 2.1 0 1 0 0-4.2 2.1 2.1 0 0 0 0 4.2Z"/>
+  <path fill="#764ABC" d="M26.4 48.1a1.1 1.1 0 0 1 1.6-.9 10.4 10.4 0 0 0 9 0 1.1 1.1 0 0 1 1.6.8v4.8a1.1 1.1 0 0 1-1.7.8c-.5-.4-.9-.9-1.4-1.3-.7 1.4-1.4 2.8-2.1 4.1a1.1 1.1 0 0 1-1.8 0c-.8-1.4-1.4-2.8-2.2-4.1-.4.4-.9.9-1.3 1.3a1.1 1.1 0 0 1-1.7-.8v-4.7Z"/>
+</svg>