npm - @viberaven/cli - Versions diffs - 0.1.0-beta.7 → 1.0.1 - Mend

@viberaven/cli 0.1.0-beta.7 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/AGENTS.md +78 -88
package/README.md +69 -82
package/SECURITY.md +52 -36
package/assets/report/station.js +8319 -0
package/dist/cli.js +4535 -4569
package/dist/cli.js.map +4 -4
package/dist/report/station.js +8319 -0
package/package.json +16 -7
package/templates/AGENTS.snippet.md +43 -39
package/templates/CLAUDE.snippet.md +16 -0
package/templates/CURSOR.snippet.md +16 -0

package/AGENTS.md CHANGED Viewed

@@ -1,92 +1,82 @@
-# VibeRaven CLI — agent instructions
-Use this when the user asks whether their app is **production-ready**, **launch-ready**, what they are **missing before ship**, or how to improve **auth / database / payments / deployment** on an AI-built project.
-## Humans (interactive menu)
-```bash
-npx -y @viberaven/cli@beta
-# or: viberaven tui
-```
-No subcommand needed — opens an interactive menu for scan, gaps, prompts, and sign-in.
-## Run (agents — you run this, not the user)
-```bash
-npx -y @viberaven/cli@beta scan
-```
-If not signed in, `scan` starts VibeRaven sign-in, opens the browser approval page when possible, waits for the user to approve the editor/agent connection, then continues the scan.
-If the local agent environment cannot open a browser, show the printed `Open:` URL to the user. After approval, rerun `npx -y @viberaven/cli@beta scan`.
-Manual fallback if the scan flow cannot start login:
+# VibeRaven CLI - Agent Instructions
+Use VibeRaven when the user asks whether an app is production-ready, launch-ready, safe to deploy, or missing auth, database, payments, deployment, monitoring, security, provider setup, Vercel, or Supabase checks.
+VibeRaven is the Agent Context + Production Gate.
+## Required Agent Loop
+Run from the project root:
+```bash
+npx -y @viberaven/cli --agent-mode
+```
+Read in this order:
+1. `.viberaven/agent-tasklist.md` - the tasklist-first gate
+2. `.viberaven/gate-result.json` - the machine verdict
+3. `.viberaven/context-map.json` - compact context for the next agent step
+4. `.viberaven/agent-summary.md` - scan context
+5. `.viberaven/launch-playbook.md` - full launch checklist
+Fix one repo-code gap at a time. Prefer:
+```bash
+npx -y @viberaven/cli next --json
+npx -y @viberaven/cli prompt --gap <id>
+```
+After a fix:
+```bash
+npx -y @viberaven/cli --verify
+npx -y @viberaven/cli --strict
+```
+For Vercel + Supabase checks:
 ```bash
-npx -y @viberaven/cli@beta login
+npx -y @viberaven/cli audit --vercel-supabase
 ```
-Agents should use `scan` without `--open`; open the report only when the user wants the browser map.
-## Read
-1. `.viberaven/agent-summary.md` — short briefing and top gaps
-2. `.viberaven/last-scan.json` — full mission map, providers, checks
-3. `.viberaven/report.html` — visual map for the user (human menu or `--open`)
-## Fix loop
-1. `npx -y @viberaven/cli@beta prompt` — stdout = copy-ready prompt for the top gap
-   Or: `viberaven prompt --gap <id>` / `--area database` / `--provider supabase`
-2. Implement the change in the repo.
-3. `npx -y @viberaven/cli@beta scan` — verify production core % and gap count improved.
-4. Tell the user to review `.viberaven/report.html` for the provider map.
-## Rules
-- Do not skip the scan — VibeRaven uses repo evidence plus managed analysis, not generic checklists.
-- Prefer fixing **critical** gaps first unless the user names an area.
-- Do not claim external dashboard setup is done unless checks pass or the user confirmed manually.
-- Do not claim human-provider actions as repo-code fixes. Human-provider actions include dashboard setup, billing/product configuration, DNS, webhooks, provider credentials, quota upgrades, and read-only MCP/provider-live verification.
+## Production Copilot Loop
+After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
+The loop is:
+1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
+2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
+3. If `scanNow: true`, call `viberaven_verify` (or run `--verify`) before applying more heals.
+4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
+   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
+   - Or run `--heal --apply --gap <id> --yes`
+5. After a full batch of heals, call verify once — do NOT verify after every single heal.
+6. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
+7. If `requiresUserAction: true`:
+   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
+   - Present `dashboardUrl` and `exactStep` to the user.
+   - Wait for user confirmation, then verify.
+8. If `fixType === 'upgrade-required'`, provide `upgradeUrl` and move on.
+Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
+### Batch discipline
+```
+for each repo-code task (up to batchSize):
+  viberaven_heal_apply { gap: "<gapId>", yes: true }
+viberaven_verify  ← once per batch, not per fix
+```
+On Pro plans, `viberaven_provider_verify` is available as an MCP tool for read-only provider gap verification via Supabase/Vercel MCP evidence.
+## Rules
+- Do not skip VibeRaven before deploy/build/cleanup when production readiness is in scope.
+- Do not claim provider dashboard checks are fixed by repo-code edits.
+- Provider dashboard checks, billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user. Say: "I opened VibeRaven sign-in so you can approve access; I will continue after approval."
+- Do not ask for passwords, tokens, cookies, or secrets.

package/README.md CHANGED Viewed

@@ -1,93 +1,80 @@
-# @viberaven/cli
-Launch readiness for Claude Code, Codex, and other coding agents — same mission map and provider intelligence as VibeRaven Station.
-## For humans
-```bash
-npx -y @viberaven/cli@beta login
-npx -y @viberaven/cli@beta scan --open
-```
-Sign in once, then scan with `--open` to view `.viberaven/report.html` in the browser (same editorial Mission Map skin as the extension). Or run **`viberaven`** with no args for the interactive terminal menu.
-Uses the **same VibeRaven account and scan quota** as the VS Code extension. **Does not use your `OPENAI_API_KEY`** — scans go through the managed API after login. See [SECURITY.md](./SECURITY.md).
-## For coding agents
-Use VibeRaven when the user asks whether an AI-built app is launch-ready, production-ready, or missing auth/database/payments/deployment/security work.
-```bash
-npx -y @viberaven/cli@beta scan
+# @viberaven/cli
+VibeRaven is the Agent Context + Production Gate for AI-built apps. It gives Claude Code, Codex, Cursor, and other coding agents a production-readiness loop before Vercel/Supabase deployment.
+## Humans
+```bash
+npx -y @viberaven/cli
 ```
-If login is missing, `scan` starts VibeRaven sign-in, opens the browser approval page when possible, waits for the user to approve the connection, then continues the scan.
+No subcommand is needed in a real terminal. It opens the interactive menu for sign-in, scan, report, provider guides, dashboards, prompts, and sign-out.
+## Coding Agents
+Agents should run:
+```bash
+npx -y @viberaven/cli --agent-mode
+```
+Then read artifacts in this order:
+1. `.viberaven/agent-tasklist.md`
+2. `.viberaven/gate-result.json`
+3. `.viberaven/context-map.json`
+4. `.viberaven/agent-summary.md`
+5. `.viberaven/launch-playbook.md`
+Fix one repo-code gap, then run:
+```bash
+npx -y @viberaven/cli --verify
+npx -y @viberaven/cli --strict
+```
-If the local agent environment cannot open a browser, show the printed `Open:` URL to the user. After they approve it, rerun:
+For focused work:
 ```bash
-npx -y @viberaven/cli@beta scan
+npx -y @viberaven/cli next --json
+npx -y @viberaven/cli prompt --gap <id>
+npx -y @viberaven/cli audit --vercel-supabase
 ```
-Manual fallback:
+Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+## Production Copilot Loop
+VibeRaven runs a batch-disciplined loop until the production gate clears. Do not stop at "scan complete."
+1. **Scan** — Run `--agent-mode`. Read `.viberaven/agent-tasklist.md` and parse `VIBERAVEN_NEXT_ACTION` from stdout for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
+2. **Batch heals** — For each repo-code task where `requiresUserAction: false`, apply up to `batchSize` heals per batch (free=3, pro=10) via `viberaven_heal_apply { gap: "<gapId>", yes: true }` or `--heal --apply --gap <id> --yes`. When `scanNow: true`, verify before applying more heals.
+3. **Verify and clear** — Run `--verify` once per batch (not after every heal). Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`. For provider gaps, read `VIBERAVEN_PROVIDER_ACTION`, complete the dashboard step, then verify.
+If `stalled: true`, stop calling verify and address provider-action gaps or report to the user. Run `--strict` before deploy or CI pass.
+## Machine Output
 ```bash
-npx -y @viberaven/cli@beta login
+npx -y @viberaven/cli --agent-mode --json
+npx -y @viberaven/cli --agent-mode --jsonl
+npx -y @viberaven/cli --strict --json
 ```
-Read `.viberaven/agent-summary.md` and `.viberaven/launch-playbook.md`. Loop:
-1. `viberaven next --json`
-2. Repo fix → `viberaven prompt --gap <id>` → implement → `viberaven report` (free) or `scan`
-3. Provider → `viberaven guide <provider>` and `viberaven open <provider>`
-4. Repeat until done; check `viberaven status --json` before each new scan
-Do not claim dashboard, billing, DNS, webhook, MCP, or provider-live actions as repo-code fixes. Tell the user when `.viberaven/report.html` has manual provider actions to review.
-See [AGENTS.md](./AGENTS.md). Paste [templates/AGENTS.snippet.md](./templates/AGENTS.snippet.md) into your repo's `AGENTS.md`.
-## Artifacts
-| File | Purpose |
-|------|---------|
-| `.viberaven/last-scan.json` | Full scan payload |
-| `.viberaven/agent-summary.md` | Short briefing + next action for agents |
-| `.viberaven/launch-playbook.md` | Ordered launch checklist |
-| `.viberaven/report.html` | Visual mission map + `report/station.css` (extension editorial UI) |
-## Switch providers (matches the extension map)
-The report shows a provider switch per production area (database, auth, payments, deployment, monitoring, security). Picking one copies a command:
-```bash
-viberaven stack set database neon && viberaven scan --open
-```
-You can also set it directly:
-```bash
-viberaven stack set auth clerk   # persists to .viberaven/stack.json
-viberaven stack list
-viberaven stack clear            # remove all overrides
-```
-The next `scan` re-maps that area using your chosen provider.
-## Development
-From repo root:
-```bash
-npm run cli:build
-npm run cli:test
-node packages/cli/dist/cli.js scan
-```
-Inside `packages/cli`:
-```bash
-npm run typecheck     # tsc against the shared station engine
-npm run demo-report   # render a sample report.html and open it
-```
-The report reuses the Station Mission Map visual language (`src/report/reportStyles.ts`) for parity with the extension.
+Machine artifact contract:
+```text
+docs/contracts/artifacts.md
+https://viberaven.dev/schemas/gate-result.schema.json
+https://viberaven.dev/schemas/context-map.schema.json
+https://viberaven.dev/schemas/gap.schema.json
+https://viberaven.dev/schemas/heal-result.schema.json
+```
+## Development
+```bash
+npm run cli:build
+npm run cli:test
+node packages/cli/dist/cli.js scan
+```

package/SECURITY.md CHANGED Viewed

@@ -1,36 +1,52 @@
-# Security — `@viberaven/cli`
-## Your OpenAI key stays on your machine (extension only)
-The **npm CLI does not read `OPENAI_API_KEY`** and does not accept a bring-your-own-key scan path. Scans use the **VibeRaven managed API** after device login (`viberaven login`), same as the signed-in VS Code extension.
-- API keys for model calls live on the **server**, not in the published npm package.
-- Local credentials store only a **VibeRaven access token** in `%APPDATA%\viberaven\credentials.json` (or `~/.config/viberaven/`).
-- Never commit `credentials.json` or paste tokens into chat.
-## What gets written to your repo
-After `viberaven scan`, the CLI may create:
-| Path | Contents |
-|------|----------|
-| `.viberaven/last-scan.json` | Mission map + gaps (secrets redacted before write) |
-| `.viberaven/agent-summary.md` | Agent briefing |
-| `.viberaven/report.html` | Local HTML report + `report/station.css` |
-Repo scanners already redact common key patterns in evidence strings; the CLI runs an extra redaction pass before writing files.
-## Safe `npx` usage
-```bash
-npx -y @viberaven/cli@beta login
-npx -y @viberaven/cli@beta scan
-```
-- Use official package name `@viberaven/cli` from npm.
-- Do not set `OPENAI_API_KEY` for CLI scans — it is ignored by design.
-- Add `.viberaven/` to `.gitignore` if you do not want scan output in git (optional; files should not contain raw keys after redaction).
-## Reporting issues
-If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only (not the secret).
+# Security - `@viberaven/cli`
+## Managed Scan Boundary
+The npm CLI does not read `OPENAI_API_KEY` and does not accept a bring-your-own-key scan path. Scans use the VibeRaven managed API after device login, same as the signed-in VS Code extension.
+- API keys for model calls live on the server, not in the published npm package.
+- Local credentials store only a VibeRaven access token in `%APPDATA%\viberaven\credentials.json` or `~/.config/viberaven/`.
+- Never commit `credentials.json` or paste tokens into chat.
+## Safe Commands
+Human terminal:
+```bash
+npx -y @viberaven/cli
+```
+Agent or CI gate:
+```bash
+npx -y @viberaven/cli --agent-mode
+npx -y @viberaven/cli --verify
+npx -y @viberaven/cli --strict
+```
+VibeRaven is the Agent Context + Production Gate. Agents should read `.viberaven/agent-tasklist.md`, `.viberaven/gate-result.json`, and `.viberaven/context-map.json` before claiming an app is safe to deploy.
+## Written Artifacts
+After a scan, the CLI may create:
+| Path | Contents |
+|------|----------|
+| `.viberaven/last-scan.json` | Full scan payload |
+| `.viberaven/agent-tasklist.md` | Agent tasklist |
+| `.viberaven/gate-result.json` | Machine gate verdict |
+| `.viberaven/context-map.json` | Compact agent context |
+| `.viberaven/gaps/<gapId>.json` | Per-gap evidence |
+| `.viberaven/agent-summary.md` | Human/agent summary |
+| `.viberaven/launch-playbook.md` | Launch checklist |
+| `.viberaven/report.html` | Local HTML report |
+Repo scanners redact common key patterns in evidence strings; the CLI runs an extra redaction pass before writing files.
+## Provider Boundaries
+Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+## Reporting Issues
+If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only.