npm - @viberaven/cli - Versions diffs - 1.0.5 → 1.1.0 - Mend

@viberaven/cli 1.0.5 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +27 -5
package/SECURITY.md +53 -53
package/assets/report/assets/provider-authjs.svg +5 -5
package/assets/report/assets/provider-aws.svg +5 -5
package/assets/report/assets/provider-logrocket.svg +4 -4
package/assets/report/station.js +2 -2
package/dist/cli.js +328 -125
package/dist/cli.js.map +4 -4
package/dist/report/assets/provider-authjs.svg +5 -5
package/dist/report/assets/provider-aws.svg +5 -5
package/dist/report/assets/provider-logrocket.svg +4 -4
package/dist/report/station.js +2 -2
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -1,5 +1,9 @@
 # @viberaven/cli
+[![npm version](https://img.shields.io/npm/v/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
+[![npm downloads](https://img.shields.io/npm/dw/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
+[![license](https://img.shields.io/npm/l/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
 VibeRaven is the Agent Context + Production Gate for AI-built apps. It gives Claude Code, Codex, Cursor, and other coding agents a production-readiness loop before Vercel/Supabase deployment.
 ## Humans
@@ -47,11 +51,29 @@ npx -y viberaven prompt --gap <id>
 npx -y viberaven audit --vercel-supabase
 ```
-Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
-## Production Copilot Loop
-VibeRaven runs a batch-disciplined loop until the production gate clears. Do not stop at "scan complete."
+Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+## VibeRaven Production Protocol
+VibeRaven 1.1.0 introduces the Production Protocol for AI-built apps.
+Run the canonical agent command:
+```bash
+npx -y viberaven --agent-mode
+```
+Then have the AI coding agent read:
+- `.viberaven/prp.json`
+- `.viberaven/mission-map.md`
+- `.viberaven/context-map.json`
+The agent should fix `nextActions` in order and must not claim production-ready while `decision.status` is `blocked`.
+## Production Copilot Loop
+VibeRaven runs a batch-disciplined loop until the production gate clears. Do not stop at "scan complete."
 1. **Scan** — Run `--agent-mode`. Read `.viberaven/agent-tasklist.md` and parse `VIBERAVEN_NEXT_ACTION` from stdout for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
 2. **Batch heals** — For each repo-code task where `requiresUserAction: false`, apply up to `batchSize` heals per batch (free=3, pro=10) via `viberaven_heal_apply { gap: "<gapId>", yes: true }` or `--heal --apply --gap <id> --yes`. When `scanNow: true`, verify before applying more heals.

package/SECURITY.md CHANGED Viewed

@@ -1,53 +1,53 @@
-# Security - `@viberaven/cli`
-## Managed Scan Boundary
-The npm CLI does not read `OPENAI_API_KEY` and does not accept a bring-your-own-key scan path. Scans use the VibeRaven managed API after device login, same as the signed-in VS Code extension.
-- API keys for model calls live on the server, not in the published npm package.
-- Local credentials store only a VibeRaven access token in `%APPDATA%\viberaven\credentials.json` or `~/.config/viberaven/`.
-- Never commit `credentials.json` or paste tokens into chat.
-## Safe Commands
-Human terminal:
-```bash
-npx -y viberaven
-```
-Agent or CI gate:
-```bash
-npx -y viberaven --agent-mode
-npx -y viberaven --verify
-npx -y viberaven --strict
-```
-VibeRaven is the Agent Context + Production Gate. Agents should read `.viberaven/agent-tasklist.md`, `.viberaven/gate-result.json`, and `.viberaven/context-map.json` before claiming an app is safe to deploy.
-## Written Artifacts
-After a scan, the CLI may create:
-| Path | Contents |
-|------|----------|
-| `.viberaven/last-scan.json` | Full scan payload |
-| `.viberaven/agent-tasklist.md` | Agent tasklist |
-| `.viberaven/gate-result.json` | Machine gate verdict |
-| `.viberaven/context-map.json` | Compact agent context |
-| `.viberaven/gaps/<gapId>.json` | Per-gap evidence |
-| `.viberaven/agent-summary.md` | Human/agent summary |
-| `.viberaven/launch-playbook.md` | Launch checklist |
-| `.viberaven/report.html` | Local HTML report |
-Repo scanners redact common key patterns in evidence strings; the CLI runs an extra redaction pass before writing files.
-## Provider Boundaries
-Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
-## Reporting Issues
-If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only.
+# Security - `@viberaven/cli`
+## Managed Scan Boundary
+The npm CLI does not read `OPENAI_API_KEY` and does not accept a bring-your-own-key scan path. Scans use the VibeRaven managed API after device login, same as the signed-in VS Code extension.
+- API keys for model calls live on the server, not in the published npm package.
+- Local credentials store only a VibeRaven access token in `%APPDATA%\viberaven\credentials.json` or `~/.config/viberaven/`.
+- Never commit `credentials.json` or paste tokens into chat.
+## Safe Commands
+Human terminal:
+```bash
+npx -y viberaven
+```
+Agent or CI gate:
+```bash
+npx -y viberaven --agent-mode
+npx -y viberaven --verify
+npx -y viberaven --strict
+```
+VibeRaven is the Agent Context + Production Gate. Agents should read `.viberaven/agent-tasklist.md`, `.viberaven/gate-result.json`, and `.viberaven/context-map.json` before claiming an app is safe to deploy.
+## Written Artifacts
+After a scan, the CLI may create:
+| Path | Contents |
+|------|----------|
+| `.viberaven/last-scan.json` | Full scan payload |
+| `.viberaven/agent-tasklist.md` | Agent tasklist |
+| `.viberaven/gate-result.json` | Machine gate verdict |
+| `.viberaven/context-map.json` | Compact agent context |
+| `.viberaven/gaps/<gapId>.json` | Per-gap evidence |
+| `.viberaven/agent-summary.md` | Human/agent summary |
+| `.viberaven/launch-playbook.md` | Launch checklist |
+| `.viberaven/report.html` | Local HTML report |
+Repo scanners redact common key patterns in evidence strings; the CLI runs an extra redaction pass before writing files.
+## Provider Boundaries
+Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+## Reporting Issues
+If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only.

package/assets/report/assets/provider-authjs.svg CHANGED Viewed

@@ -1,5 +1,5 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
-  <path fill="#412991" d="M32 5 11 16.8v13.7c0 12.2 8.9 23.3 21 27 12.1-3.7 21-14.8 21-27V16.8L32 5Z"/>
-  <path fill="#EB5424" d="M32 5v48.7c-3.1-1.1-6.1-2.7-8.7-4.7L32 5Z"/>
-  <path fill="#FBC22C" d="m32 5 8.7 44c-2.6 2-5.6 3.6-8.7 4.7V5Z"/>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
+  <path fill="#412991" d="M32 5 11 16.8v13.7c0 12.2 8.9 23.3 21 27 12.1-3.7 21-14.8 21-27V16.8L32 5Z"/>
+  <path fill="#EB5424" d="M32 5v48.7c-3.1-1.1-6.1-2.7-8.7-4.7L32 5Z"/>
+  <path fill="#FBC22C" d="m32 5 8.7 44c-2.6 2-5.6 3.6-8.7 4.7V5Z"/>
+</svg>

package/assets/report/assets/provider-aws.svg CHANGED Viewed

@@ -1,5 +1,5 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 64" aria-hidden="true">
-  <text x="48" y="31" text-anchor="middle" font-family="Arial, Helvetica, sans-serif" font-size="21" font-weight="800" letter-spacing="-1.4" fill="#111827">AWS</text>
-  <path fill="#FF9900" d="M23.6 42.4c13.9 7.5 31.5 7.5 45.1-.1 1.1-.6 2.2.8 1.3 1.7-12.3 12.5-34.3 12.6-47.2.8-.9-.8-.3-2.9.8-2.4Z"/>
-  <path fill="#FF9900" d="M66.8 39.8c2.4-.3 7.8-.8 8.8 1 .9 1.6-1 5.8-2.5 8.2-.5.8-1.7.4-1.5-.6.5-2.1 1.3-4.8.5-5.8-.8-1-3.8-.8-5.4-.6-1 .1-1.2-2-.1-2.2h.2Z"/>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 64" aria-hidden="true">
+  <text x="48" y="31" text-anchor="middle" font-family="Arial, Helvetica, sans-serif" font-size="21" font-weight="800" letter-spacing="-1.4" fill="#111827">AWS</text>
+  <path fill="#FF9900" d="M23.6 42.4c13.9 7.5 31.5 7.5 45.1-.1 1.1-.6 2.2.8 1.3 1.7-12.3 12.5-34.3 12.6-47.2.8-.9-.8-.3-2.9.8-2.4Z"/>
+  <path fill="#FF9900" d="M66.8 39.8c2.4-.3 7.8-.8 8.8 1 .9 1.6-1 5.8-2.5 8.2-.5.8-1.7.4-1.5-.6.5-2.1 1.3-4.8.5-5.8-.8-1-3.8-.8-5.4-.6-1 .1-1.2-2-.1-2.2h.2Z"/>
+</svg>

package/assets/report/assets/provider-logrocket.svg CHANGED Viewed

@@ -1,4 +1,4 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
-  <path fill="#764ABC" fill-rule="evenodd" clip-rule="evenodd" d="M26.8 12.9A20.8 20.8 0 0 1 32.3 7a20.5 20.5 0 0 1 5.5 5.8 29.3 29.3 0 0 1 5.1 17.1c1.1.9 2.3 1.8 3.4 2.7a6.2 6.2 0 0 1 2 5.7c-.5 2.6-1.1 5.2-1.6 7.8a2.2 2.2 0 0 1-3.3 1.1c-1.8-1.5-3.6-3-5.4-4.5a8.4 8.4 0 0 1-5.2 2.3 8.5 8.5 0 0 1-6.1-2.2c-1.3 1-2.5 2.1-3.8 3.2-.6.6-1.2 1-1.9 1.4a2.2 2.2 0 0 1-2.9-1.4c-.6-2.5-1.2-5.1-1.8-7.6a6.3 6.3 0 0 1 2.1-6c1-.8 2-1.6 3-2.3.3-.2.1-.5.2-.7a29.3 29.3 0 0 1 5.2-16.5Zm2.2 8.2a4.3 4.3 0 0 0 .4 5.8 4.8 4.8 0 0 0 6.5.1 4.3 4.3 0 0 0 1.1-4.8 4.4 4.4 0 0 0-3.9-2.9 4.5 4.5 0 0 0-4.1 1.8Zm3.3 4.9a2.1 2.1 0 1 0 0-4.2 2.1 2.1 0 0 0 0 4.2Z"/>
-  <path fill="#764ABC" d="M26.4 48.1a1.1 1.1 0 0 1 1.6-.9 10.4 10.4 0 0 0 9 0 1.1 1.1 0 0 1 1.6.8v4.8a1.1 1.1 0 0 1-1.7.8c-.5-.4-.9-.9-1.4-1.3-.7 1.4-1.4 2.8-2.1 4.1a1.1 1.1 0 0 1-1.8 0c-.8-1.4-1.4-2.8-2.2-4.1-.4.4-.9.9-1.3 1.3a1.1 1.1 0 0 1-1.7-.8v-4.7Z"/>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
+  <path fill="#764ABC" fill-rule="evenodd" clip-rule="evenodd" d="M26.8 12.9A20.8 20.8 0 0 1 32.3 7a20.5 20.5 0 0 1 5.5 5.8 29.3 29.3 0 0 1 5.1 17.1c1.1.9 2.3 1.8 3.4 2.7a6.2 6.2 0 0 1 2 5.7c-.5 2.6-1.1 5.2-1.6 7.8a2.2 2.2 0 0 1-3.3 1.1c-1.8-1.5-3.6-3-5.4-4.5a8.4 8.4 0 0 1-5.2 2.3 8.5 8.5 0 0 1-6.1-2.2c-1.3 1-2.5 2.1-3.8 3.2-.6.6-1.2 1-1.9 1.4a2.2 2.2 0 0 1-2.9-1.4c-.6-2.5-1.2-5.1-1.8-7.6a6.3 6.3 0 0 1 2.1-6c1-.8 2-1.6 3-2.3.3-.2.1-.5.2-.7a29.3 29.3 0 0 1 5.2-16.5Zm2.2 8.2a4.3 4.3 0 0 0 .4 5.8 4.8 4.8 0 0 0 6.5.1 4.3 4.3 0 0 0 1.1-4.8 4.4 4.4 0 0 0-3.9-2.9 4.5 4.5 0 0 0-4.1 1.8Zm3.3 4.9a2.1 2.1 0 1 0 0-4.2 2.1 2.1 0 0 0 0 4.2Z"/>
+  <path fill="#764ABC" d="M26.4 48.1a1.1 1.1 0 0 1 1.6-.9 10.4 10.4 0 0 0 9 0 1.1 1.1 0 0 1 1.6.8v4.8a1.1 1.1 0 0 1-1.7.8c-.5-.4-.9-.9-1.4-1.3-.7 1.4-1.4 2.8-2.1 4.1a1.1 1.1 0 0 1-1.8 0c-.8-1.4-1.4-2.8-2.2-4.1-.4.4-.9.9-1.3 1.3a1.1 1.1 0 0 1-1.7-.8v-4.7Z"/>
+</svg>

package/assets/report/station.js CHANGED Viewed

@@ -7274,9 +7274,9 @@ function buildAgentPromptText(payload, nextMove, missing, files) {
 function buildChecklistText(payload, nextMove, missing, files) {
   const lines = [
-    '# VibeRaven production checklist',
+    '# VibeRaven production checklist',
     '',
-    'Generated from the latest VibeRaven run.',
+    'Generated from the latest VibeRaven run.',
     '',
     '## Next move',
     '',