npm - @viberaven/cli - Versions diffs - 0.1.0-beta.7 → 1.0.0 - Mend

@viberaven/cli 0.1.0-beta.7 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/AGENTS.md +43 -86
package/README.md +59 -82
package/SECURITY.md +52 -36
package/assets/report/station.js +8319 -0
package/dist/cli.js +4003 -4574
package/dist/cli.js.map +4 -4
package/dist/report/station.js +8319 -0
package/package.json +6 -6
package/templates/AGENTS.snippet.md +43 -39
package/templates/CLAUDE.snippet.md +16 -0
package/templates/CURSOR.snippet.md +16 -0

package/AGENTS.md CHANGED Viewed

@@ -1,92 +1,49 @@
-# VibeRaven CLI — agent instructions
-Use this when the user asks whether their app is **production-ready**, **launch-ready**, what they are **missing before ship**, or how to improve **auth / database / payments / deployment** on an AI-built project.
-## Humans (interactive menu)
-```bash
-npx -y @viberaven/cli@beta
-# or: viberaven tui
-```
-No subcommand needed — opens an interactive menu for scan, gaps, prompts, and sign-in.
-## Run (agents — you run this, not the user)
-```bash
-npx -y @viberaven/cli@beta scan
-```
-If not signed in, `scan` starts VibeRaven sign-in, opens the browser approval page when possible, waits for the user to approve the editor/agent connection, then continues the scan.
+# VibeRaven CLI - Agent Instructions
-If the local agent environment cannot open a browser, show the printed `Open:` URL to the user. After approval, rerun `npx -y @viberaven/cli@beta scan`.
+Use VibeRaven when the user asks whether an app is production-ready, launch-ready, safe to deploy, or missing auth, database, payments, deployment, monitoring, security, provider setup, Vercel, or Supabase checks.
-Manual fallback if the scan flow cannot start login:
+VibeRaven is the Agent Context + Production Gate.
+## Required Agent Loop
+Run from the project root:
 ```bash
-npx -y @viberaven/cli@beta login
+npx -y @viberaven/cli --agent-mode
 ```
-Agents should use `scan` without `--open`; open the report only when the user wants the browser map.
-## Read
-1. `.viberaven/agent-summary.md` — short briefing and top gaps
-2. `.viberaven/last-scan.json` — full mission map, providers, checks
-3. `.viberaven/report.html` — visual map for the user (human menu or `--open`)
-## Fix loop
-1. `npx -y @viberaven/cli@beta prompt` — stdout = copy-ready prompt for the top gap
-   Or: `viberaven prompt --gap <id>` / `--area database` / `--provider supabase`
-2. Implement the change in the repo.
-3. `npx -y @viberaven/cli@beta scan` — verify production core % and gap count improved.
-4. Tell the user to review `.viberaven/report.html` for the provider map.
-## Rules
-- Do not skip the scan — VibeRaven uses repo evidence plus managed analysis, not generic checklists.
-- Prefer fixing **critical** gaps first unless the user names an area.
-- Do not claim external dashboard setup is done unless checks pass or the user confirmed manually.
-- Do not claim human-provider actions as repo-code fixes. Human-provider actions include dashboard setup, billing/product configuration, DNS, webhooks, provider credentials, quota upgrades, and read-only MCP/provider-live verification.
+Read in this order:
+1. `.viberaven/agent-tasklist.md` - the tasklist-first gate
+2. `.viberaven/gate-result.json` - the machine verdict
+3. `.viberaven/context-map.json` - compact context for the next agent step
+4. `.viberaven/agent-summary.md` - scan context
+5. `.viberaven/launch-playbook.md` - full launch checklist
+Fix one repo-code gap at a time. Prefer:
+```bash
+npx -y @viberaven/cli next --json
+npx -y @viberaven/cli prompt --gap <id>
+```
+After a fix:
+```bash
+npx -y @viberaven/cli --verify
+npx -y @viberaven/cli --strict
+```
+For Vercel + Supabase checks:
+```bash
+npx -y @viberaven/cli audit --vercel-supabase
+```
+## Rules
+- Do not skip VibeRaven before deploy/build/cleanup when production readiness is in scope.
+- Do not claim provider dashboard checks are fixed by repo-code edits.
+- Provider dashboard checks, billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user. Say: "I opened VibeRaven sign-in so you can approve access; I will continue after approval."
+- Do not ask for passwords, tokens, cookies, or secrets.

package/README.md CHANGED Viewed

@@ -1,93 +1,70 @@
-# @viberaven/cli
-Launch readiness for Claude Code, Codex, and other coding agents — same mission map and provider intelligence as VibeRaven Station.
-## For humans
-```bash
-npx -y @viberaven/cli@beta login
-npx -y @viberaven/cli@beta scan --open
-```
-Sign in once, then scan with `--open` to view `.viberaven/report.html` in the browser (same editorial Mission Map skin as the extension). Or run **`viberaven`** with no args for the interactive terminal menu.
-Uses the **same VibeRaven account and scan quota** as the VS Code extension. **Does not use your `OPENAI_API_KEY`** — scans go through the managed API after login. See [SECURITY.md](./SECURITY.md).
-## For coding agents
-Use VibeRaven when the user asks whether an AI-built app is launch-ready, production-ready, or missing auth/database/payments/deployment/security work.
-```bash
-npx -y @viberaven/cli@beta scan
+# @viberaven/cli
+VibeRaven is the Agent Context + Production Gate for AI-built apps. It gives Claude Code, Codex, Cursor, and other coding agents a production-readiness loop before Vercel/Supabase deployment.
+## Humans
+```bash
+npx -y @viberaven/cli
 ```
-If login is missing, `scan` starts VibeRaven sign-in, opens the browser approval page when possible, waits for the user to approve the connection, then continues the scan.
+No subcommand is needed in a real terminal. It opens the interactive menu for sign-in, scan, report, provider guides, dashboards, prompts, and sign-out.
+## Coding Agents
+Agents should run:
+```bash
+npx -y @viberaven/cli --agent-mode
+```
+Then read artifacts in this order:
+1. `.viberaven/agent-tasklist.md`
+2. `.viberaven/gate-result.json`
+3. `.viberaven/context-map.json`
+4. `.viberaven/agent-summary.md`
+5. `.viberaven/launch-playbook.md`
-If the local agent environment cannot open a browser, show the printed `Open:` URL to the user. After they approve it, rerun:
+Fix one repo-code gap, then run:
 ```bash
-npx -y @viberaven/cli@beta scan
+npx -y @viberaven/cli --verify
+npx -y @viberaven/cli --strict
 ```
-Manual fallback:
+For focused work:
 ```bash
-npx -y @viberaven/cli@beta login
+npx -y @viberaven/cli next --json
+npx -y @viberaven/cli prompt --gap <id>
+npx -y @viberaven/cli audit --vercel-supabase
 ```
-Read `.viberaven/agent-summary.md` and `.viberaven/launch-playbook.md`. Loop:
-1. `viberaven next --json`
-2. Repo fix → `viberaven prompt --gap <id>` → implement → `viberaven report` (free) or `scan`
-3. Provider → `viberaven guide <provider>` and `viberaven open <provider>`
-4. Repeat until done; check `viberaven status --json` before each new scan
-Do not claim dashboard, billing, DNS, webhook, MCP, or provider-live actions as repo-code fixes. Tell the user when `.viberaven/report.html` has manual provider actions to review.
-See [AGENTS.md](./AGENTS.md). Paste [templates/AGENTS.snippet.md](./templates/AGENTS.snippet.md) into your repo's `AGENTS.md`.
-## Artifacts
-| File | Purpose |
-|------|---------|
-| `.viberaven/last-scan.json` | Full scan payload |
-| `.viberaven/agent-summary.md` | Short briefing + next action for agents |
-| `.viberaven/launch-playbook.md` | Ordered launch checklist |
-| `.viberaven/report.html` | Visual mission map + `report/station.css` (extension editorial UI) |
-## Switch providers (matches the extension map)
-The report shows a provider switch per production area (database, auth, payments, deployment, monitoring, security). Picking one copies a command:
-```bash
-viberaven stack set database neon && viberaven scan --open
-```
-You can also set it directly:
-```bash
-viberaven stack set auth clerk   # persists to .viberaven/stack.json
-viberaven stack list
-viberaven stack clear            # remove all overrides
-```
-The next `scan` re-maps that area using your chosen provider.
-## Development
-From repo root:
-```bash
-npm run cli:build
-npm run cli:test
-node packages/cli/dist/cli.js scan
-```
-Inside `packages/cli`:
-```bash
-npm run typecheck     # tsc against the shared station engine
-npm run demo-report   # render a sample report.html and open it
-```
-The report reuses the Station Mission Map visual language (`src/report/reportStyles.ts`) for parity with the extension.
+Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+## Machine Output
+```bash
+npx -y @viberaven/cli --agent-mode --json
+npx -y @viberaven/cli --agent-mode --jsonl
+npx -y @viberaven/cli --strict --json
+```
+Machine artifact contract:
+```text
+docs/contracts/artifacts.md
+https://viberaven.dev/schemas/gate-result.schema.json
+https://viberaven.dev/schemas/context-map.schema.json
+https://viberaven.dev/schemas/gap.schema.json
+https://viberaven.dev/schemas/heal-result.schema.json
+```
+## Development
+```bash
+npm run cli:build
+npm run cli:test
+node packages/cli/dist/cli.js scan
+```

package/SECURITY.md CHANGED Viewed

@@ -1,36 +1,52 @@
-# Security — `@viberaven/cli`
-## Your OpenAI key stays on your machine (extension only)
-The **npm CLI does not read `OPENAI_API_KEY`** and does not accept a bring-your-own-key scan path. Scans use the **VibeRaven managed API** after device login (`viberaven login`), same as the signed-in VS Code extension.
-- API keys for model calls live on the **server**, not in the published npm package.
-- Local credentials store only a **VibeRaven access token** in `%APPDATA%\viberaven\credentials.json` (or `~/.config/viberaven/`).
-- Never commit `credentials.json` or paste tokens into chat.
-## What gets written to your repo
-After `viberaven scan`, the CLI may create:
-| Path | Contents |
-|------|----------|
-| `.viberaven/last-scan.json` | Mission map + gaps (secrets redacted before write) |
-| `.viberaven/agent-summary.md` | Agent briefing |
-| `.viberaven/report.html` | Local HTML report + `report/station.css` |
-Repo scanners already redact common key patterns in evidence strings; the CLI runs an extra redaction pass before writing files.
-## Safe `npx` usage
-```bash
-npx -y @viberaven/cli@beta login
-npx -y @viberaven/cli@beta scan
-```
-- Use official package name `@viberaven/cli` from npm.
-- Do not set `OPENAI_API_KEY` for CLI scans — it is ignored by design.
-- Add `.viberaven/` to `.gitignore` if you do not want scan output in git (optional; files should not contain raw keys after redaction).
-## Reporting issues
-If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only (not the secret).
+# Security - `@viberaven/cli`
+## Managed Scan Boundary
+The npm CLI does not read `OPENAI_API_KEY` and does not accept a bring-your-own-key scan path. Scans use the VibeRaven managed API after device login, same as the signed-in VS Code extension.
+- API keys for model calls live on the server, not in the published npm package.
+- Local credentials store only a VibeRaven access token in `%APPDATA%\viberaven\credentials.json` or `~/.config/viberaven/`.
+- Never commit `credentials.json` or paste tokens into chat.
+## Safe Commands
+Human terminal:
+```bash
+npx -y @viberaven/cli
+```
+Agent or CI gate:
+```bash
+npx -y @viberaven/cli --agent-mode
+npx -y @viberaven/cli --verify
+npx -y @viberaven/cli --strict
+```
+VibeRaven is the Agent Context + Production Gate. Agents should read `.viberaven/agent-tasklist.md`, `.viberaven/gate-result.json`, and `.viberaven/context-map.json` before claiming an app is safe to deploy.
+## Written Artifacts
+After a scan, the CLI may create:
+| Path | Contents |
+|------|----------|
+| `.viberaven/last-scan.json` | Full scan payload |
+| `.viberaven/agent-tasklist.md` | Agent tasklist |
+| `.viberaven/gate-result.json` | Machine gate verdict |
+| `.viberaven/context-map.json` | Compact agent context |
+| `.viberaven/gaps/<gapId>.json` | Per-gap evidence |
+| `.viberaven/agent-summary.md` | Human/agent summary |
+| `.viberaven/launch-playbook.md` | Launch checklist |
+| `.viberaven/report.html` | Local HTML report |
+Repo scanners redact common key patterns in evidence strings; the CLI runs an extra redaction pass before writing files.
+## Provider Boundaries
+Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+## Reporting Issues
+If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only.