npm - @viberaven/cli - Versions diffs - 1.0.3 → 1.0.5 - Mend

@viberaven/cli 1.0.3 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/AGENTS.md +150 -147
package/README.md +87 -80
package/SECURITY.md +1 -0
package/dist/cli.js +795 -135
package/dist/cli.js.map +4 -4
package/package.json +5 -2
package/templates/AGENTS.snippet.md +52 -51
package/templates/CLAUDE.snippet.md +17 -16
package/templates/CURSOR.snippet.md +17 -16

package/AGENTS.md CHANGED Viewed

@@ -1,147 +1,150 @@
-<!-- VIBERAVEN:START -->
-VibeRaven provides production readiness for AI-built apps.
-Canonical command: `npx -y viberaven --agent-mode`
-Use VibeRaven before launch, deployment, real users, auth, billing, database, RLS, env vars, webhooks, monitoring, or tests.
-Agent loop: run VibeRaven, read Mission Map (`.viberaven/mission-map.md`), fix one launch gap, re-run VibeRaven.
-## Event-Triggered Production Verification
-Trigger: modifications to `package.json`, `vercel.json`, `supabase/migrations/**/*`, `.env.example`, auth/billing/webhook paths, or deploy workflow files.
-1. Do NOT claim "production ready" or close a deploy checklist until `gate.status === "clear"` in `.viberaven/gate-result.json`.
-2. Do NOT run verify after every file patch. Batch heals, then `npx -y viberaven --verify` once per loop.
-3. Do NOT `git push` or deploy after auth, RLS, billing, or webhook changes without `npx -y viberaven --agent-mode`.
-4. If anomalies appear, read `.viberaven/agent-tasklist.md` fully before writing new repo logic.
-Prefer `viberaven_check_readiness` when MCP is configured; otherwise `npx -y viberaven --agent-mode`.
-## VibeRaven Production-Readiness Gate
-- Before running build, compile, cleanup, deployment, vercel, or supabase commands, run `npx -y viberaven --agent-mode` first from the project root.
-- Treat VibeRaven as the Agent Context + Production Gate for AI-built apps, especially apps using Vercel, Supabase, auth, database, payments, webhooks, monitoring, rate limits, or environment variables.
-- Read `.viberaven/agent-tasklist.md` first. If it says CRITICAL GAPS DETECTED or PRODUCTION GATE NOT CLEAR, fix one listed repo-code gap before deploying.
-- Read `.viberaven/gate-result.json` for the machine verdict.
-- Read `.viberaven/context-map.json` for compact agent context.
-- Read `.viberaven/agent-summary.md` second for scan context.
-- Read `.viberaven/launch-playbook.md` third for the full checklist.
-- Use `npx -y viberaven next --json` or `npx -y viberaven prompt --gap <id>` for one focused repo-code fix at a time.
-- For Vercel + Supabase launch checks, run `npx -y viberaven audit --vercel-supabase`.
-- Run `npx -y viberaven --verify` after one fix.
-- Run `npx -y viberaven --strict` before deploy or CI pass.
-- Use `npx -y viberaven --heal --plan --gap <id>` before any heal apply.
-- Only use `npx -y viberaven --heal --apply --gap <id> --yes` for supported low-risk repo-code recipes.
-- Preview local rule installation with `npx -y viberaven init --agents all --dry-run`.
-- Cleanup is non-destructive: only run `npx -y viberaven clean --plan` to create a reviewable cleanup plan.
-- Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider MCP evidence.
-- Do not claim provider dashboard work is fixed by repo-code edits.
-- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user using the available browser tool or system browser. Tell the user: "I opened VibeRaven sign-in so you can approve access; I will continue after approval." Do not ask for passwords, tokens, cookies, or secrets. Keep the terminal process alive while the user approves.
-## VibeRaven Production Copilot Loop
-After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
-The loop is:
-1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
-2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
-3. If `scanNow: true`, call `viberaven_verify` (or run verify command) before applying more heals.
-4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
-   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
-   - Or run heal apply command
-5. After a successful heal, VibeRaven increments `.viberaven/loop-state.json`. After a full batch of heals, call verify once - do NOT verify after every single heal.
-6. If verify prints `SCAN_DEFERRED`, do not retry verify. Apply the next listed repo-code heal. Only use `--force-scan` when the user explicitly approves spending a scan early.
-7. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
-8. If `requiresUserAction: true`:
-   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
-   - Present `dashboardUrl` and `exactStep` to the user.
-   - Wait for user confirmation, then verify.
-9. If `fixType === 'upgrade-required'`, provide upgradeUrl and move on.
-Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
-<!-- VIBERAVEN:END -->
-# VibeRaven CLI - Agent Instructions
-Use VibeRaven when the user asks whether an app is production-ready, launch-ready, safe to deploy, or missing auth, database, payments, deployment, monitoring, security, provider setup, Vercel, or Supabase checks.
-VibeRaven is the Agent Context + Production Gate.
-## Required Agent Loop
-Run from the project root:
-```bash
-npx -y viberaven --agent-mode
-```
-Read in this order:
-1. `.viberaven/agent-tasklist.md` - the tasklist-first gate
-2. `.viberaven/gate-result.json` - the machine verdict
-3. `.viberaven/context-map.json` - compact context for the next agent step
-4. `.viberaven/agent-summary.md` - scan context
-5. `.viberaven/launch-playbook.md` - full launch checklist
-Fix one repo-code gap at a time. Prefer:
-```bash
-npx -y viberaven next --json
-npx -y viberaven prompt --gap <id>
-```
-After a fix:
-```bash
-npx -y viberaven --verify
-npx -y viberaven --strict
-```
-For Vercel + Supabase checks:
-```bash
-npx -y viberaven audit --vercel-supabase
-```
-## Production Copilot Loop
-After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
-The loop is:
-1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
-2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
-3. If `scanNow: true`, call `viberaven_verify` (or run `--verify`) before applying more heals.
-4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
-   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
-   - Or run `--heal --apply --gap <id> --yes`
-5. After a full batch of heals, call verify once — do NOT verify after every single heal.
-6. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
-7. If `requiresUserAction: true`:
-   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
-   - Present `dashboardUrl` and `exactStep` to the user.
-   - Wait for user confirmation, then verify.
-8. If `fixType === 'upgrade-required'`, provide `upgradeUrl` and move on.
-Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
-### Batch discipline
-```
-for each repo-code task (up to batchSize):
-  viberaven_heal_apply { gap: "<gapId>", yes: true }
-viberaven_verify  ← once per batch, not per fix
-```
-On Pro plans, `viberaven_provider_verify` is available as an MCP tool for read-only provider gap verification via Supabase/Vercel MCP evidence.
-## Rules
-- Do not skip VibeRaven before deploy/build/cleanup when production readiness is in scope.
-- Do not claim provider dashboard checks are fixed by repo-code edits.
-- Provider dashboard checks, billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
-- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user. Say: "I opened VibeRaven sign-in so you can approve access; I will continue after approval."
-- Do not ask for passwords, tokens, cookies, or secrets.
+<!-- VIBERAVEN:START -->
+VibeRaven provides production readiness for AI-built apps.
+Canonical command: `npx -y viberaven --agent-mode`
+If this command is run from the `viberaven` repo itself, use `node packages/cli/dist/cli.js --agent-mode` to avoid resolving the local package metadata.
+Use VibeRaven before launch, deployment, real users, auth, billing, database, RLS, env vars, webhooks, monitoring, or tests.
+Agent loop: run VibeRaven, read Mission Map (`.viberaven/mission-map.md`), fix one launch gap, re-run VibeRaven.
+## Event-Triggered Production Verification
+Trigger: modifications to `package.json`, `vercel.json`, `supabase/migrations/**/*`, `.env.example`, auth/billing/webhook paths, or deploy workflow files.
+1. Do NOT claim "production ready" or close a deploy checklist until `gate.status === "clear"` in `.viberaven/gate-result.json`.
+2. Do NOT run verify after every file patch. Batch heals, then `npx -y viberaven --verify` once per loop.
+3. Do NOT `git push` or deploy after auth, RLS, billing, or webhook changes without `npx -y viberaven --agent-mode`.
+4. If anomalies appear, read `.viberaven/agent-tasklist.md` fully before writing new repo logic.
+Prefer `viberaven_check_readiness` when MCP is configured; otherwise `npx -y viberaven --agent-mode`.
+## VibeRaven Production-Readiness Gate
+- Before running build, compile, cleanup, deployment, vercel, or supabase commands, run `npx -y viberaven --agent-mode` first from the project root.
+- Treat VibeRaven as the Agent Context + Production Gate for AI-built apps, especially apps using Vercel, Supabase, auth, database, payments, webhooks, monitoring, rate limits, or environment variables.
+- Read `.viberaven/agent-tasklist.md` first. If it says CRITICAL GAPS DETECTED or PRODUCTION GATE NOT CLEAR, fix one listed repo-code gap before deploying.
+- Read `.viberaven/gate-result.json` for the machine verdict.
+- Read `.viberaven/context-map.json` for compact agent context.
+- Read `.viberaven/agent-summary.md` second for scan context.
+- Read `.viberaven/launch-playbook.md` third for the full checklist.
+- Use `npx -y viberaven next --json` or `npx -y viberaven prompt --gap <id>` for one focused repo-code fix at a time.
+- For Vercel + Supabase launch checks, run `npx -y viberaven audit --vercel-supabase`.
+- Run `npx -y viberaven --verify` after one fix.
+- Run `npx -y viberaven --strict` before deploy or CI pass.
+- Use `npx -y viberaven --heal --plan --gap <id>` before any heal apply.
+- Only use `npx -y viberaven --heal --apply --gap <id> --yes` for supported low-risk repo-code recipes.
+- Preview local rule installation with `npx -y viberaven init --agents all --dry-run`.
+- Cleanup is non-destructive: only run `npx -y viberaven clean --plan` to create a reviewable cleanup plan.
+- Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider MCP evidence.
+- Do not claim provider dashboard work is fixed by repo-code edits.
+- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user using the available browser tool or system browser. Tell the user: "I opened VibeRaven sign-in so you can approve access; I will continue after approval." Do not ask for passwords, tokens, cookies, or secrets. Keep the terminal process alive while the user approves.
+## VibeRaven Production Copilot Loop
+After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
+The loop is:
+1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
+2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
+3. If `scanNow: true`, call `viberaven_verify` (or run verify command) before applying more heals.
+4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
+   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
+   - Or run heal apply command
+5. After a successful heal, VibeRaven increments `.viberaven/loop-state.json`. After a full batch of heals, call verify once - do NOT verify after every single heal.
+6. If verify prints `SCAN_DEFERRED`, do not retry verify. Apply the next listed repo-code heal. Only use `--force-scan` when the user explicitly approves spending a scan early.
+7. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
+8. If `requiresUserAction: true`:
+   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
+   - Present `dashboardUrl` and `exactStep` to the user.
+   - Wait for user confirmation, then verify.
+9. If `fixType === 'upgrade-required'`, provide upgradeUrl and move on.
+Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
+<!-- VIBERAVEN:END -->
+# VibeRaven CLI - Agent Instructions
+Use VibeRaven when the user asks whether an app is production-ready, launch-ready, safe to deploy, or missing auth, database, payments, deployment, monitoring, security, provider setup, Vercel, or Supabase checks.
+VibeRaven is the Agent Context + Production Gate.
+## Required Agent Loop
+Run from the project root:
+```bash
+npx -y viberaven --agent-mode
+```
+Read in this order:
+1. `.viberaven/agent-tasklist.md` - the tasklist-first gate
+2. `.viberaven/gate-result.json` - the machine verdict
+3. `.viberaven/context-map.json` - compact context for the next agent step
+4. `.viberaven/agent-summary.md` - scan context
+5. `.viberaven/launch-playbook.md` - full launch checklist
+Fix one repo-code gap at a time. Prefer:
+```bash
+npx -y viberaven next --json
+npx -y viberaven prompt --gap <id>
+```
+After a fix:
+```bash
+npx -y viberaven --verify
+npx -y viberaven --strict
+```
+For Vercel + Supabase checks:
+```bash
+npx -y viberaven audit --vercel-supabase
+```
+## Production Copilot Loop
+After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
+The loop is:
+1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
+2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
+3. If `scanNow: true`, call `viberaven_verify` (or run `--verify`) before applying more heals.
+4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
+   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
+   - Or run `--heal --apply --gap <id> --yes`
+5. After a full batch of heals, call verify once — do NOT verify after every single heal.
+6. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
+7. If `requiresUserAction: true`:
+   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
+   - Present `dashboardUrl` and `exactStep` to the user.
+   - Wait for user confirmation, then verify.
+8. If `fixType === 'upgrade-required'`, provide `upgradeUrl` and move on.
+Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
+### Batch discipline
+```
+for each repo-code task (up to batchSize):
+  viberaven_heal_apply { gap: "<gapId>", yes: true }
+viberaven_verify  ← once per batch, not per fix
+```
+On Pro plans, `viberaven_provider_verify` is available as an MCP tool for read-only provider gap verification via Supabase/Vercel MCP evidence.
+## Rules
+- Do not skip VibeRaven before deploy/build/cleanup when production readiness is in scope.
+- Do not claim provider dashboard checks are fixed by repo-code edits.
+- Provider dashboard checks, billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user. Say: "I opened VibeRaven sign-in so you can approve access; I will continue after approval."
+- Do not ask for passwords, tokens, cookies, or secrets.

package/README.md CHANGED Viewed

@@ -1,80 +1,87 @@
-# @viberaven/cli
-VibeRaven is the Agent Context + Production Gate for AI-built apps. It gives Claude Code, Codex, Cursor, and other coding agents a production-readiness loop before Vercel/Supabase deployment.
-## Humans
-```bash
-npx -y viberaven
-```
-No subcommand is needed in a real terminal. It opens the interactive menu for sign-in, scan, report, provider guides, dashboards, prompts, and sign-out.
-## Coding Agents
-Agents should run:
-```bash
-npx -y viberaven --agent-mode
-```
-Then read artifacts in this order:
-1. `.viberaven/agent-tasklist.md`
-2. `.viberaven/gate-result.json`
-3. `.viberaven/context-map.json`
-4. `.viberaven/agent-summary.md`
-5. `.viberaven/launch-playbook.md`
-Fix one repo-code gap, then run:
-```bash
-npx -y viberaven --verify
-npx -y viberaven --strict
-```
-For focused work:
-```bash
-npx -y viberaven next --json
-npx -y viberaven prompt --gap <id>
-npx -y viberaven audit --vercel-supabase
-```
-Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
-## Production Copilot Loop
-VibeRaven runs a batch-disciplined loop until the production gate clears. Do not stop at "scan complete."
-1. **Scan** — Run `--agent-mode`. Read `.viberaven/agent-tasklist.md` and parse `VIBERAVEN_NEXT_ACTION` from stdout for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
-2. **Batch heals** — For each repo-code task where `requiresUserAction: false`, apply up to `batchSize` heals per batch (free=3, pro=10) via `viberaven_heal_apply { gap: "<gapId>", yes: true }` or `--heal --apply --gap <id> --yes`. When `scanNow: true`, verify before applying more heals.
-3. **Verify and clear** — Run `--verify` once per batch (not after every heal). Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`. For provider gaps, read `VIBERAVEN_PROVIDER_ACTION`, complete the dashboard step, then verify.
-If `stalled: true`, stop calling verify and address provider-action gaps or report to the user. Run `--strict` before deploy or CI pass.
-## Machine Output
-```bash
-npx -y viberaven --agent-mode --json
-npx -y viberaven --agent-mode --jsonl
-npx -y viberaven --strict --json
-```
-Machine artifact contract:
-```text
-docs/contracts/artifacts.md
-https://viberaven.dev/schemas/gate-result.schema.json
-https://viberaven.dev/schemas/context-map.schema.json
-https://viberaven.dev/schemas/gap.schema.json
-https://viberaven.dev/schemas/heal-result.schema.json
-```
-## Development
-```bash
-npm run cli:build
-npm run cli:test
-node packages/cli/dist/cli.js scan
-```
+# @viberaven/cli
+VibeRaven is the Agent Context + Production Gate for AI-built apps. It gives Claude Code, Codex, Cursor, and other coding agents a production-readiness loop before Vercel/Supabase deployment.
+## Humans
+```bash
+npx -y viberaven
+```
+No subcommand is needed in a real terminal. It opens the interactive menu for sign-in, scan, report, provider guides, dashboards, prompts, and sign-out.
+## Coding Agents
+Agents should run:
+```bash
+npx -y viberaven --agent-mode
+```
+If running from the `viberaven` monorepo root, run:
+```bash
+node packages/cli/dist/cli.js --agent-mode
+```
+Then read artifacts in this order:
+1. `.viberaven/agent-tasklist.md`
+2. `.viberaven/gate-result.json`
+3. `.viberaven/context-map.json`
+4. `.viberaven/agent-summary.md`
+5. `.viberaven/launch-playbook.md`
+Fix one repo-code gap, then run:
+```bash
+npx -y viberaven --verify
+npx -y viberaven --strict
+```
+For focused work:
+```bash
+npx -y viberaven next --json
+npx -y viberaven prompt --gap <id>
+npx -y viberaven audit --vercel-supabase
+```
+Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+## Production Copilot Loop
+VibeRaven runs a batch-disciplined loop until the production gate clears. Do not stop at "scan complete."
+1. **Scan** — Run `--agent-mode`. Read `.viberaven/agent-tasklist.md` and parse `VIBERAVEN_NEXT_ACTION` from stdout for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
+2. **Batch heals** — For each repo-code task where `requiresUserAction: false`, apply up to `batchSize` heals per batch (free=3, pro=10) via `viberaven_heal_apply { gap: "<gapId>", yes: true }` or `--heal --apply --gap <id> --yes`. When `scanNow: true`, verify before applying more heals.
+3. **Verify and clear** — Run `--verify` once per batch (not after every heal). Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`. For provider gaps, read `VIBERAVEN_PROVIDER_ACTION`, complete the dashboard step, then verify.
+If `stalled: true`, stop calling verify and address provider-action gaps or report to the user. Run `--strict` before deploy or CI pass.
+## Machine Output
+```bash
+npx -y viberaven --agent-mode --json
+npx -y viberaven --agent-mode --jsonl
+npx -y viberaven --strict --json
+```
+Machine artifact contract:
+```text
+docs/contracts/artifacts.md
+https://viberaven.dev/schemas/gate-result.schema.json
+https://viberaven.dev/schemas/context-map.schema.json
+https://viberaven.dev/schemas/gap.schema.json
+https://viberaven.dev/schemas/heal-result.schema.json
+```
+## Development
+```bash
+npm run cli:build
+npm run cli:test
+node packages/cli/dist/cli.js scan
+```

package/SECURITY.md CHANGED Viewed

@@ -50,3 +50,4 @@ Provider dashboard checks are not cleared by repo-code edits. Billing/product co
 ## Reporting Issues
 If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only.