npm - @viberaven/cli - Versions diffs - 1.0.4 → 1.0.6 - Mend

@viberaven/cli 1.0.4 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/AGENTS.md +150 -150
package/README.md +99 -67
package/SECURITY.md +53 -53
package/assets/report/assets/provider-authjs.svg +5 -5
package/assets/report/assets/provider-aws.svg +5 -5
package/assets/report/assets/provider-logrocket.svg +4 -4
package/assets/report/station.js +2 -2
package/dist/cli.js +632 -200
package/dist/cli.js.map +4 -4
package/dist/report/assets/provider-authjs.svg +5 -5
package/dist/report/assets/provider-aws.svg +5 -5
package/dist/report/assets/provider-logrocket.svg +4 -4
package/dist/report/station.js +2 -2
package/package.json +75 -75
package/templates/AGENTS.snippet.md +52 -52

package/AGENTS.md CHANGED Viewed

@@ -1,150 +1,150 @@
-<!-- VIBERAVEN:START -->
-VibeRaven provides production readiness for AI-built apps.
-Canonical command: `npx -y viberaven --agent-mode`
-If this command is run from the `viberaven` repo itself, use `node packages/cli/dist/cli.js --agent-mode` to avoid resolving the local package metadata.
-Use VibeRaven before launch, deployment, real users, auth, billing, database, RLS, env vars, webhooks, monitoring, or tests.
-Agent loop: run VibeRaven, read Mission Map (`.viberaven/mission-map.md`), fix one launch gap, re-run VibeRaven.
-## Event-Triggered Production Verification
-Trigger: modifications to `package.json`, `vercel.json`, `supabase/migrations/**/*`, `.env.example`, auth/billing/webhook paths, or deploy workflow files.
-1. Do NOT claim "production ready" or close a deploy checklist until `gate.status === "clear"` in `.viberaven/gate-result.json`.
-2. Do NOT run verify after every file patch. Batch heals, then `npx -y viberaven --verify` once per loop.
-3. Do NOT `git push` or deploy after auth, RLS, billing, or webhook changes without `npx -y viberaven --agent-mode`.
-4. If anomalies appear, read `.viberaven/agent-tasklist.md` fully before writing new repo logic.
-Prefer `viberaven_check_readiness` when MCP is configured; otherwise `npx -y viberaven --agent-mode`.
-## VibeRaven Production-Readiness Gate
-- Before running build, compile, cleanup, deployment, vercel, or supabase commands, run `npx -y viberaven --agent-mode` first from the project root.
-- Treat VibeRaven as the Agent Context + Production Gate for AI-built apps, especially apps using Vercel, Supabase, auth, database, payments, webhooks, monitoring, rate limits, or environment variables.
-- Read `.viberaven/agent-tasklist.md` first. If it says CRITICAL GAPS DETECTED or PRODUCTION GATE NOT CLEAR, fix one listed repo-code gap before deploying.
-- Read `.viberaven/gate-result.json` for the machine verdict.
-- Read `.viberaven/context-map.json` for compact agent context.
-- Read `.viberaven/agent-summary.md` second for scan context.
-- Read `.viberaven/launch-playbook.md` third for the full checklist.
-- Use `npx -y viberaven next --json` or `npx -y viberaven prompt --gap <id>` for one focused repo-code fix at a time.
-- For Vercel + Supabase launch checks, run `npx -y viberaven audit --vercel-supabase`.
-- Run `npx -y viberaven --verify` after one fix.
-- Run `npx -y viberaven --strict` before deploy or CI pass.
-- Use `npx -y viberaven --heal --plan --gap <id>` before any heal apply.
-- Only use `npx -y viberaven --heal --apply --gap <id> --yes` for supported low-risk repo-code recipes.
-- Preview local rule installation with `npx -y viberaven init --agents all --dry-run`.
-- Cleanup is non-destructive: only run `npx -y viberaven clean --plan` to create a reviewable cleanup plan.
-- Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider MCP evidence.
-- Do not claim provider dashboard work is fixed by repo-code edits.
-- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user using the available browser tool or system browser. Tell the user: "I opened VibeRaven sign-in so you can approve access; I will continue after approval." Do not ask for passwords, tokens, cookies, or secrets. Keep the terminal process alive while the user approves.
-## VibeRaven Production Copilot Loop
-After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
-The loop is:
-1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
-2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
-3. If `scanNow: true`, call `viberaven_verify` (or run verify command) before applying more heals.
-4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
-   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
-   - Or run heal apply command
-5. After a successful heal, VibeRaven increments `.viberaven/loop-state.json`. After a full batch of heals, call verify once - do NOT verify after every single heal.
-6. If verify prints `SCAN_DEFERRED`, do not retry verify. Apply the next listed repo-code heal. Only use `--force-scan` when the user explicitly approves spending a scan early.
-7. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
-8. If `requiresUserAction: true`:
-   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
-   - Present `dashboardUrl` and `exactStep` to the user.
-   - Wait for user confirmation, then verify.
-9. If `fixType === 'upgrade-required'`, provide upgradeUrl and move on.
-Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
-<!-- VIBERAVEN:END -->
-# VibeRaven CLI - Agent Instructions
-Use VibeRaven when the user asks whether an app is production-ready, launch-ready, safe to deploy, or missing auth, database, payments, deployment, monitoring, security, provider setup, Vercel, or Supabase checks.
-VibeRaven is the Agent Context + Production Gate.
-## Required Agent Loop
-Run from the project root:
-```bash
-npx -y viberaven --agent-mode
-```
-Read in this order:
-1. `.viberaven/agent-tasklist.md` - the tasklist-first gate
-2. `.viberaven/gate-result.json` - the machine verdict
-3. `.viberaven/context-map.json` - compact context for the next agent step
-4. `.viberaven/agent-summary.md` - scan context
-5. `.viberaven/launch-playbook.md` - full launch checklist
-Fix one repo-code gap at a time. Prefer:
-```bash
-npx -y viberaven next --json
-npx -y viberaven prompt --gap <id>
-```
-After a fix:
-```bash
-npx -y viberaven --verify
-npx -y viberaven --strict
-```
-For Vercel + Supabase checks:
-```bash
-npx -y viberaven audit --vercel-supabase
-```
-## Production Copilot Loop
-After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
-The loop is:
-1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
-2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
-3. If `scanNow: true`, call `viberaven_verify` (or run `--verify`) before applying more heals.
-4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
-   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
-   - Or run `--heal --apply --gap <id> --yes`
-5. After a full batch of heals, call verify once — do NOT verify after every single heal.
-6. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
-7. If `requiresUserAction: true`:
-   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
-   - Present `dashboardUrl` and `exactStep` to the user.
-   - Wait for user confirmation, then verify.
-8. If `fixType === 'upgrade-required'`, provide `upgradeUrl` and move on.
-Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
-### Batch discipline
-```
-for each repo-code task (up to batchSize):
-  viberaven_heal_apply { gap: "<gapId>", yes: true }
-viberaven_verify  ← once per batch, not per fix
-```
-On Pro plans, `viberaven_provider_verify` is available as an MCP tool for read-only provider gap verification via Supabase/Vercel MCP evidence.
-## Rules
-- Do not skip VibeRaven before deploy/build/cleanup when production readiness is in scope.
-- Do not claim provider dashboard checks are fixed by repo-code edits.
-- Provider dashboard checks, billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
-- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user. Say: "I opened VibeRaven sign-in so you can approve access; I will continue after approval."
-- Do not ask for passwords, tokens, cookies, or secrets.
+<!-- VIBERAVEN:START -->
+VibeRaven provides production readiness for AI-built apps.
+Canonical command: `npx -y viberaven --agent-mode`
+If this command is run from the `viberaven` repo itself, use `node packages/cli/dist/cli.js --agent-mode` to avoid resolving the local package metadata.
+Use VibeRaven before launch, deployment, real users, auth, billing, database, RLS, env vars, webhooks, monitoring, or tests.
+Agent loop: run VibeRaven, read Mission Map (`.viberaven/mission-map.md`), fix one launch gap, re-run VibeRaven.
+## Event-Triggered Production Verification
+Trigger: modifications to `package.json`, `vercel.json`, `supabase/migrations/**/*`, `.env.example`, auth/billing/webhook paths, or deploy workflow files.
+1. Do NOT claim "production ready" or close a deploy checklist until `gate.status === "clear"` in `.viberaven/gate-result.json`.
+2. Do NOT run verify after every file patch. Batch heals, then `npx -y viberaven --verify` once per loop.
+3. Do NOT `git push` or deploy after auth, RLS, billing, or webhook changes without `npx -y viberaven --agent-mode`.
+4. If anomalies appear, read `.viberaven/agent-tasklist.md` fully before writing new repo logic.
+Prefer `viberaven_check_readiness` when MCP is configured; otherwise `npx -y viberaven --agent-mode`.
+## VibeRaven Production-Readiness Gate
+- Before running build, compile, cleanup, deployment, vercel, or supabase commands, run `npx -y viberaven --agent-mode` first from the project root.
+- Treat VibeRaven as the Agent Context + Production Gate for AI-built apps, especially apps using Vercel, Supabase, auth, database, payments, webhooks, monitoring, rate limits, or environment variables.
+- Read `.viberaven/agent-tasklist.md` first. If it says CRITICAL GAPS DETECTED or PRODUCTION GATE NOT CLEAR, fix one listed repo-code gap before deploying.
+- Read `.viberaven/gate-result.json` for the machine verdict.
+- Read `.viberaven/context-map.json` for compact agent context.
+- Read `.viberaven/agent-summary.md` second for scan context.
+- Read `.viberaven/launch-playbook.md` third for the full checklist.
+- Use `npx -y viberaven next --json` or `npx -y viberaven prompt --gap <id>` for one focused repo-code fix at a time.
+- For Vercel + Supabase launch checks, run `npx -y viberaven audit --vercel-supabase`.
+- Run `npx -y viberaven --verify` after one fix.
+- Run `npx -y viberaven --strict` before deploy or CI pass.
+- Use `npx -y viberaven --heal --plan --gap <id>` before any heal apply.
+- Only use `npx -y viberaven --heal --apply --gap <id> --yes` for supported low-risk repo-code recipes.
+- Preview local rule installation with `npx -y viberaven init --agents all --dry-run`.
+- Cleanup is non-destructive: only run `npx -y viberaven clean --plan` to create a reviewable cleanup plan.
+- Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider MCP evidence.
+- Do not claim provider dashboard work is fixed by repo-code edits.
+- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user using the available browser tool or system browser. Tell the user: "I opened VibeRaven sign-in so you can approve access; I will continue after approval." Do not ask for passwords, tokens, cookies, or secrets. Keep the terminal process alive while the user approves.
+## VibeRaven Production Copilot Loop
+After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
+The loop is:
+1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
+2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
+3. If `scanNow: true`, call `viberaven_verify` (or run verify command) before applying more heals.
+4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
+   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
+   - Or run heal apply command
+5. After a successful heal, VibeRaven increments `.viberaven/loop-state.json`. After a full batch of heals, call verify once - do NOT verify after every single heal.
+6. If verify prints `SCAN_DEFERRED`, do not retry verify. Apply the next listed repo-code heal. Only use `--force-scan` when the user explicitly approves spending a scan early.
+7. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
+8. If `requiresUserAction: true`:
+   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
+   - Present `dashboardUrl` and `exactStep` to the user.
+   - Wait for user confirmation, then verify.
+9. If `fixType === 'upgrade-required'`, provide upgradeUrl and move on.
+Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
+<!-- VIBERAVEN:END -->
+# VibeRaven CLI - Agent Instructions
+Use VibeRaven when the user asks whether an app is production-ready, launch-ready, safe to deploy, or missing auth, database, payments, deployment, monitoring, security, provider setup, Vercel, or Supabase checks.
+VibeRaven is the Agent Context + Production Gate.
+## Required Agent Loop
+Run from the project root:
+```bash
+npx -y viberaven --agent-mode
+```
+Read in this order:
+1. `.viberaven/agent-tasklist.md` - the tasklist-first gate
+2. `.viberaven/gate-result.json` - the machine verdict
+3. `.viberaven/context-map.json` - compact context for the next agent step
+4. `.viberaven/agent-summary.md` - scan context
+5. `.viberaven/launch-playbook.md` - full launch checklist
+Fix one repo-code gap at a time. Prefer:
+```bash
+npx -y viberaven next --json
+npx -y viberaven prompt --gap <id>
+```
+After a fix:
+```bash
+npx -y viberaven --verify
+npx -y viberaven --strict
+```
+For Vercel + Supabase checks:
+```bash
+npx -y viberaven audit --vercel-supabase
+```
+## Production Copilot Loop
+After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
+The loop is:
+1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
+2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
+3. If `scanNow: true`, call `viberaven_verify` (or run `--verify`) before applying more heals.
+4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
+   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
+   - Or run `--heal --apply --gap <id> --yes`
+5. After a full batch of heals, call verify once — do NOT verify after every single heal.
+6. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
+7. If `requiresUserAction: true`:
+   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
+   - Present `dashboardUrl` and `exactStep` to the user.
+   - Wait for user confirmation, then verify.
+8. If `fixType === 'upgrade-required'`, provide `upgradeUrl` and move on.
+Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
+### Batch discipline
+```
+for each repo-code task (up to batchSize):
+  viberaven_heal_apply { gap: "<gapId>", yes: true }
+viberaven_verify  ← once per batch, not per fix
+```
+On Pro plans, `viberaven_provider_verify` is available as an MCP tool for read-only provider gap verification via Supabase/Vercel MCP evidence.
+## Rules
+- Do not skip VibeRaven before deploy/build/cleanup when production readiness is in scope.
+- Do not claim provider dashboard checks are fixed by repo-code edits.
+- Provider dashboard checks, billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user. Say: "I opened VibeRaven sign-in so you can approve access; I will continue after approval."
+- Do not ask for passwords, tokens, cookies, or secrets.

package/README.md CHANGED Viewed

@@ -1,29 +1,33 @@
-# @viberaven/cli
-VibeRaven is the Agent Context + Production Gate for AI-built apps. It gives Claude Code, Codex, Cursor, and other coding agents a production-readiness loop before Vercel/Supabase deployment.
-## Humans
-```bash
-npx -y viberaven
-```
-No subcommand is needed in a real terminal. It opens the interactive menu for sign-in, scan, report, provider guides, dashboards, prompts, and sign-out.
-## Coding Agents
-Agents should run:
-```bash
-npx -y viberaven --agent-mode
-```
-If running from the `viberaven` monorepo root, run:
-```bash
-node packages/cli/dist/cli.js --agent-mode
-```
+# @viberaven/cli
+[![npm version](https://img.shields.io/npm/v/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
+[![npm downloads](https://img.shields.io/npm/dw/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
+[![license](https://img.shields.io/npm/l/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
+VibeRaven is the Agent Context + Production Gate for AI-built apps. It gives Claude Code, Codex, Cursor, and other coding agents a production-readiness loop before Vercel/Supabase deployment.
+## Humans
+```bash
+npx -y viberaven
+```
+No subcommand is needed in a real terminal. It opens the interactive menu for sign-in, scan, report, provider guides, dashboards, prompts, and sign-out.
+## Coding Agents
+Agents should run:
+```bash
+npx -y viberaven --agent-mode
+```
+If running from the `viberaven` monorepo root, run:
+```bash
+node packages/cli/dist/cli.js --agent-mode
+```
 Then read artifacts in this order:
 1. `.viberaven/agent-tasklist.md`
@@ -31,57 +35,85 @@ Then read artifacts in this order:
 3. `.viberaven/context-map.json`
 4. `.viberaven/agent-summary.md`
 5. `.viberaven/launch-playbook.md`
-Fix one repo-code gap, then run:
-```bash
-npx -y viberaven --verify
-npx -y viberaven --strict
-```
-For focused work:
-```bash
-npx -y viberaven next --json
-npx -y viberaven prompt --gap <id>
-npx -y viberaven audit --vercel-supabase
-```
+6. `.viberaven/launch-plan.json`
+7. `.viberaven/launch-tasklist.md`
+8. `.viberaven/provider-actions.json`
+Fix one repo-code gap, then run:
+```bash
+npx -y viberaven --verify
+npx -y viberaven --strict
+```
+For focused work:
+```bash
+npx -y viberaven next --json
+npx -y viberaven prompt --gap <id>
+npx -y viberaven audit --vercel-supabase
+```
 Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
-## Production Copilot Loop
-VibeRaven runs a batch-disciplined loop until the production gate clears. Do not stop at "scan complete."
-1. **Scan** — Run `--agent-mode`. Read `.viberaven/agent-tasklist.md` and parse `VIBERAVEN_NEXT_ACTION` from stdout for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
-2. **Batch heals** — For each repo-code task where `requiresUserAction: false`, apply up to `batchSize` heals per batch (free=3, pro=10) via `viberaven_heal_apply { gap: "<gapId>", yes: true }` or `--heal --apply --gap <id> --yes`. When `scanNow: true`, verify before applying more heals.
-3. **Verify and clear** — Run `--verify` once per batch (not after every heal). Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`. For provider gaps, read `VIBERAVEN_PROVIDER_ACTION`, complete the dashboard step, then verify.
-If `stalled: true`, stop calling verify and address provider-action gaps or report to the user. Run `--strict` before deploy or CI pass.
+## Launch Autopilot
-## Machine Output
+The canonical agent command is still:
 ```bash
-npx -y viberaven --agent-mode --json
-npx -y viberaven --agent-mode --jsonl
-npx -y viberaven --strict --json
+npx -y viberaven --agent-mode
 ```
-Machine artifact contract:
+Agent mode now behaves like a launch autopilot for AI-built apps:
-```text
-docs/contracts/artifacts.md
-https://viberaven.dev/schemas/gate-result.schema.json
-https://viberaven.dev/schemas/context-map.schema.json
-https://viberaven.dev/schemas/gap.schema.json
-https://viberaven.dev/schemas/heal-result.schema.json
-```
+1. Detect the launch recipe, such as Next.js + Supabase + Vercel.
+2. Queue safe local launch-gap fixes first.
+3. Protect scan usage by batching local fixes before verify.
+4. Guide Vercel preview deploy before production promotion.
+5. Guide Supabase, Stripe, analytics, and monitoring setup through MCP/plugin/CLI/dashboard/manual fallback actions.
+6. Require approval before provider writes, database migrations, secret writes, preview deploys, and production deploys.
-## Development
+Optional permission mode:
 ```bash
-npm run cli:build
-npm run cli:test
-node packages/cli/dist/cli.js scan
+npx -y viberaven --agent-mode --launch-mode ask
 ```
+Modes: `manual`, `ask`, `safe`, `full`. The default is `ask`.
+## Production Copilot Loop
+VibeRaven runs a batch-disciplined loop until the production gate clears. Do not stop at "scan complete."
+1. **Scan** — Run `--agent-mode`. Read `.viberaven/agent-tasklist.md` and parse `VIBERAVEN_NEXT_ACTION` from stdout for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
+2. **Batch heals** — For each repo-code task where `requiresUserAction: false`, apply up to `batchSize` heals per batch (free=3, pro=10) via `viberaven_heal_apply { gap: "<gapId>", yes: true }` or `--heal --apply --gap <id> --yes`. When `scanNow: true`, verify before applying more heals.
+3. **Verify and clear** — Run `--verify` once per batch (not after every heal). Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`. For provider gaps, read `VIBERAVEN_PROVIDER_ACTION`, complete the dashboard step, then verify.
+If `stalled: true`, stop calling verify and address provider-action gaps or report to the user. Run `--strict` before deploy or CI pass.
+## Machine Output
+```bash
+npx -y viberaven --agent-mode --json
+npx -y viberaven --agent-mode --jsonl
+npx -y viberaven --strict --json
+```
+Machine artifact contract:
+```text
+docs/contracts/artifacts.md
+https://viberaven.dev/schemas/gate-result.schema.json
+https://viberaven.dev/schemas/context-map.schema.json
+https://viberaven.dev/schemas/gap.schema.json
+https://viberaven.dev/schemas/heal-result.schema.json
+```
+## Development
+```bash
+npm run cli:build
+npm run cli:test
+node packages/cli/dist/cli.js scan
+```

package/SECURITY.md CHANGED Viewed

@@ -1,53 +1,53 @@
-# Security - `@viberaven/cli`
-## Managed Scan Boundary
-The npm CLI does not read `OPENAI_API_KEY` and does not accept a bring-your-own-key scan path. Scans use the VibeRaven managed API after device login, same as the signed-in VS Code extension.
-- API keys for model calls live on the server, not in the published npm package.
-- Local credentials store only a VibeRaven access token in `%APPDATA%\viberaven\credentials.json` or `~/.config/viberaven/`.
-- Never commit `credentials.json` or paste tokens into chat.
-## Safe Commands
-Human terminal:
-```bash
-npx -y viberaven
-```
-Agent or CI gate:
-```bash
-npx -y viberaven --agent-mode
-npx -y viberaven --verify
-npx -y viberaven --strict
-```
-VibeRaven is the Agent Context + Production Gate. Agents should read `.viberaven/agent-tasklist.md`, `.viberaven/gate-result.json`, and `.viberaven/context-map.json` before claiming an app is safe to deploy.
-## Written Artifacts
-After a scan, the CLI may create:
-| Path | Contents |
-|------|----------|
-| `.viberaven/last-scan.json` | Full scan payload |
-| `.viberaven/agent-tasklist.md` | Agent tasklist |
-| `.viberaven/gate-result.json` | Machine gate verdict |
-| `.viberaven/context-map.json` | Compact agent context |
-| `.viberaven/gaps/<gapId>.json` | Per-gap evidence |
-| `.viberaven/agent-summary.md` | Human/agent summary |
-| `.viberaven/launch-playbook.md` | Launch checklist |
-| `.viberaven/report.html` | Local HTML report |
-Repo scanners redact common key patterns in evidence strings; the CLI runs an extra redaction pass before writing files.
-## Provider Boundaries
-Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
-## Reporting Issues
-If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only.
+# Security - `@viberaven/cli`
+## Managed Scan Boundary
+The npm CLI does not read `OPENAI_API_KEY` and does not accept a bring-your-own-key scan path. Scans use the VibeRaven managed API after device login, same as the signed-in VS Code extension.
+- API keys for model calls live on the server, not in the published npm package.
+- Local credentials store only a VibeRaven access token in `%APPDATA%\viberaven\credentials.json` or `~/.config/viberaven/`.
+- Never commit `credentials.json` or paste tokens into chat.
+## Safe Commands
+Human terminal:
+```bash
+npx -y viberaven
+```
+Agent or CI gate:
+```bash
+npx -y viberaven --agent-mode
+npx -y viberaven --verify
+npx -y viberaven --strict
+```
+VibeRaven is the Agent Context + Production Gate. Agents should read `.viberaven/agent-tasklist.md`, `.viberaven/gate-result.json`, and `.viberaven/context-map.json` before claiming an app is safe to deploy.
+## Written Artifacts
+After a scan, the CLI may create:
+| Path | Contents |
+|------|----------|
+| `.viberaven/last-scan.json` | Full scan payload |
+| `.viberaven/agent-tasklist.md` | Agent tasklist |
+| `.viberaven/gate-result.json` | Machine gate verdict |
+| `.viberaven/context-map.json` | Compact agent context |
+| `.viberaven/gaps/<gapId>.json` | Per-gap evidence |
+| `.viberaven/agent-summary.md` | Human/agent summary |
+| `.viberaven/launch-playbook.md` | Launch checklist |
+| `.viberaven/report.html` | Local HTML report |
+Repo scanners redact common key patterns in evidence strings; the CLI runs an extra redaction pass before writing files.
+## Provider Boundaries
+Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+## Reporting Issues
+If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only.

package/assets/report/assets/provider-authjs.svg CHANGED Viewed

@@ -1,5 +1,5 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
-  <path fill="#412991" d="M32 5 11 16.8v13.7c0 12.2 8.9 23.3 21 27 12.1-3.7 21-14.8 21-27V16.8L32 5Z"/>
-  <path fill="#EB5424" d="M32 5v48.7c-3.1-1.1-6.1-2.7-8.7-4.7L32 5Z"/>
-  <path fill="#FBC22C" d="m32 5 8.7 44c-2.6 2-5.6 3.6-8.7 4.7V5Z"/>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
+  <path fill="#412991" d="M32 5 11 16.8v13.7c0 12.2 8.9 23.3 21 27 12.1-3.7 21-14.8 21-27V16.8L32 5Z"/>
+  <path fill="#EB5424" d="M32 5v48.7c-3.1-1.1-6.1-2.7-8.7-4.7L32 5Z"/>
+  <path fill="#FBC22C" d="m32 5 8.7 44c-2.6 2-5.6 3.6-8.7 4.7V5Z"/>
+</svg>

package/assets/report/assets/provider-aws.svg CHANGED Viewed

@@ -1,5 +1,5 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 64" aria-hidden="true">
-  <text x="48" y="31" text-anchor="middle" font-family="Arial, Helvetica, sans-serif" font-size="21" font-weight="800" letter-spacing="-1.4" fill="#111827">AWS</text>
-  <path fill="#FF9900" d="M23.6 42.4c13.9 7.5 31.5 7.5 45.1-.1 1.1-.6 2.2.8 1.3 1.7-12.3 12.5-34.3 12.6-47.2.8-.9-.8-.3-2.9.8-2.4Z"/>
-  <path fill="#FF9900" d="M66.8 39.8c2.4-.3 7.8-.8 8.8 1 .9 1.6-1 5.8-2.5 8.2-.5.8-1.7.4-1.5-.6.5-2.1 1.3-4.8.5-5.8-.8-1-3.8-.8-5.4-.6-1 .1-1.2-2-.1-2.2h.2Z"/>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 64" aria-hidden="true">
+  <text x="48" y="31" text-anchor="middle" font-family="Arial, Helvetica, sans-serif" font-size="21" font-weight="800" letter-spacing="-1.4" fill="#111827">AWS</text>
+  <path fill="#FF9900" d="M23.6 42.4c13.9 7.5 31.5 7.5 45.1-.1 1.1-.6 2.2.8 1.3 1.7-12.3 12.5-34.3 12.6-47.2.8-.9-.8-.3-2.9.8-2.4Z"/>
+  <path fill="#FF9900" d="M66.8 39.8c2.4-.3 7.8-.8 8.8 1 .9 1.6-1 5.8-2.5 8.2-.5.8-1.7.4-1.5-.6.5-2.1 1.3-4.8.5-5.8-.8-1-3.8-.8-5.4-.6-1 .1-1.2-2-.1-2.2h.2Z"/>
+</svg>

package/assets/report/assets/provider-logrocket.svg CHANGED Viewed

@@ -1,4 +1,4 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
-  <path fill="#764ABC" fill-rule="evenodd" clip-rule="evenodd" d="M26.8 12.9A20.8 20.8 0 0 1 32.3 7a20.5 20.5 0 0 1 5.5 5.8 29.3 29.3 0 0 1 5.1 17.1c1.1.9 2.3 1.8 3.4 2.7a6.2 6.2 0 0 1 2 5.7c-.5 2.6-1.1 5.2-1.6 7.8a2.2 2.2 0 0 1-3.3 1.1c-1.8-1.5-3.6-3-5.4-4.5a8.4 8.4 0 0 1-5.2 2.3 8.5 8.5 0 0 1-6.1-2.2c-1.3 1-2.5 2.1-3.8 3.2-.6.6-1.2 1-1.9 1.4a2.2 2.2 0 0 1-2.9-1.4c-.6-2.5-1.2-5.1-1.8-7.6a6.3 6.3 0 0 1 2.1-6c1-.8 2-1.6 3-2.3.3-.2.1-.5.2-.7a29.3 29.3 0 0 1 5.2-16.5Zm2.2 8.2a4.3 4.3 0 0 0 .4 5.8 4.8 4.8 0 0 0 6.5.1 4.3 4.3 0 0 0 1.1-4.8 4.4 4.4 0 0 0-3.9-2.9 4.5 4.5 0 0 0-4.1 1.8Zm3.3 4.9a2.1 2.1 0 1 0 0-4.2 2.1 2.1 0 0 0 0 4.2Z"/>
-  <path fill="#764ABC" d="M26.4 48.1a1.1 1.1 0 0 1 1.6-.9 10.4 10.4 0 0 0 9 0 1.1 1.1 0 0 1 1.6.8v4.8a1.1 1.1 0 0 1-1.7.8c-.5-.4-.9-.9-1.4-1.3-.7 1.4-1.4 2.8-2.1 4.1a1.1 1.1 0 0 1-1.8 0c-.8-1.4-1.4-2.8-2.2-4.1-.4.4-.9.9-1.3 1.3a1.1 1.1 0 0 1-1.7-.8v-4.7Z"/>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
+  <path fill="#764ABC" fill-rule="evenodd" clip-rule="evenodd" d="M26.8 12.9A20.8 20.8 0 0 1 32.3 7a20.5 20.5 0 0 1 5.5 5.8 29.3 29.3 0 0 1 5.1 17.1c1.1.9 2.3 1.8 3.4 2.7a6.2 6.2 0 0 1 2 5.7c-.5 2.6-1.1 5.2-1.6 7.8a2.2 2.2 0 0 1-3.3 1.1c-1.8-1.5-3.6-3-5.4-4.5a8.4 8.4 0 0 1-5.2 2.3 8.5 8.5 0 0 1-6.1-2.2c-1.3 1-2.5 2.1-3.8 3.2-.6.6-1.2 1-1.9 1.4a2.2 2.2 0 0 1-2.9-1.4c-.6-2.5-1.2-5.1-1.8-7.6a6.3 6.3 0 0 1 2.1-6c1-.8 2-1.6 3-2.3.3-.2.1-.5.2-.7a29.3 29.3 0 0 1 5.2-16.5Zm2.2 8.2a4.3 4.3 0 0 0 .4 5.8 4.8 4.8 0 0 0 6.5.1 4.3 4.3 0 0 0 1.1-4.8 4.4 4.4 0 0 0-3.9-2.9 4.5 4.5 0 0 0-4.1 1.8Zm3.3 4.9a2.1 2.1 0 1 0 0-4.2 2.1 2.1 0 0 0 0 4.2Z"/>
+  <path fill="#764ABC" d="M26.4 48.1a1.1 1.1 0 0 1 1.6-.9 10.4 10.4 0 0 0 9 0 1.1 1.1 0 0 1 1.6.8v4.8a1.1 1.1 0 0 1-1.7.8c-.5-.4-.9-.9-1.4-1.3-.7 1.4-1.4 2.8-2.1 4.1a1.1 1.1 0 0 1-1.8 0c-.8-1.4-1.4-2.8-2.2-4.1-.4.4-.9.9-1.3 1.3a1.1 1.1 0 0 1-1.7-.8v-4.7Z"/>
+</svg>

package/assets/report/station.js CHANGED Viewed

@@ -7274,9 +7274,9 @@ function buildAgentPromptText(payload, nextMove, missing, files) {
 function buildChecklistText(payload, nextMove, missing, files) {
   const lines = [
-    '# VibeRaven production checklist',
+    '# VibeRaven production checklist',
     '',
-    'Generated from the latest VibeRaven run.',
+    'Generated from the latest VibeRaven run.',
     '',
     '## Next move',
     '',