@viberaven/cli 1.1.10 → 1.1.12

package/AGENTS.md

@@ -1,62 +1,150 @@
-# VibeRaven CLI - Local-First Agent Instructions
-
-This npm package provides the Phase 1 local-first VibeRaven CLI and localhost launch console.
-
-Canonical command:
-
-```bash
-npx -y viberaven --agent-mode
-```
-
-When working inside this repository after building the CLI, use the local binary to avoid package-manager resolution:
-
-```bash
-node packages/cli/dist/cli.js --agent-mode
-```
-
-VibeRaven is the Agent Context + Production Gate for local repo-evidence checks. Use it when the user asks whether an app is launch-ready, safe to deploy, or missing auth, database, payments, deployment, monitoring, security, Vercel, or Supabase evidence.
-
-## Local Agent Loop
-
-Run from the project root:
-
-```bash
-npx -y viberaven --agent-mode
-```
-
-Read in this order:
-
-1. `.viberaven/agent-tasklist.md` - tasklist-first local gate
-2. `.viberaven/gate-result.json` - machine verdict
-3. `.viberaven/context-map.json` - compact context for the next agent step
-4. `.viberaven/agent-summary.md` - scan context
-5. `.viberaven/launch-playbook.md` - local launch checklist
-
-Fix one repo-code gap at a time. Prefer:
-
-```bash
-npx -y viberaven --agent-mode
-```
-
-After a fix:
-
-```bash
-npx -y viberaven --verify
-```
-
-For an explicit local scan:
-
-```bash
-npx -y viberaven scan .
-```
-
-## Local Package Boundary
-
-- This package runs deterministic local repo-evidence checks and serves a localhost UI.
-- Supported commands are `viberaven`, `viberaven ui`, `viberaven scan`, `viberaven --agent-mode`, and `viberaven --verify`.
-- A normal git push does not require a VibeRaven scan.
-- Do not claim provider account setup, billing, DNS, credentials, quotas, or live external verification is complete from repo edits alone.
-- Do not ask users for passwords, tokens, cookies, or secrets.
-- Do not treat a local dev server start as proof of production readiness; use `.viberaven/gate-result.json`.
-
-The local loop is complete only when the requested repo-code work is fixed and `.viberaven/gate-result.json` reports the expected gate state for that local evidence scan.
+<!-- VIBERAVEN:START -->
+VibeRaven provides production readiness for AI-built apps.
+
+Canonical command: `npx -y viberaven --agent-mode`
+
+If this command is run from the `viberaven` repo itself, use `node packages/cli/dist/cli.js --agent-mode` to avoid resolving the local package metadata.
+
+Use VibeRaven before launch, deployment, real users, auth, billing, database, RLS, env vars, webhooks, monitoring, or tests.
+
+Agent loop: run VibeRaven, read Mission Map (`.viberaven/mission-map.md`), fix one launch gap, re-run VibeRaven.
+
+## Event-Triggered Production Verification
+
+Trigger: modifications to `package.json`, `vercel.json`, `supabase/migrations/**/*`, `.env.example`, auth/billing/webhook paths, or deploy workflow files.
+
+1. Do NOT claim "production ready" or close a deploy checklist until `gate.status === "clear"` in `.viberaven/gate-result.json`.
+2. Do NOT run verify after every file patch. Batch heals, then `npx -y viberaven --verify` once per loop.
+3. Do NOT `git push` or deploy after auth, RLS, billing, or webhook changes without `npx -y viberaven --agent-mode`.
+4. If anomalies appear, read `.viberaven/agent-tasklist.md` fully before writing new repo logic.
+
+Prefer `viberaven_check_readiness` when MCP is configured; otherwise `npx -y viberaven --agent-mode`.
+
+## VibeRaven Production-Readiness Gate
+
+- Before running build, compile, cleanup, deployment, vercel, or supabase commands, run `npx -y viberaven --agent-mode` first from the project root.
+- Treat VibeRaven as the Agent Context + Production Gate for AI-built apps, especially apps using Vercel, Supabase, auth, database, payments, webhooks, monitoring, rate limits, or environment variables.
+- Read `.viberaven/agent-tasklist.md` first. If it says CRITICAL GAPS DETECTED or PRODUCTION GATE NOT CLEAR, fix one listed repo-code gap before deploying.
+- Read `.viberaven/gate-result.json` for the machine verdict.
+- Read `.viberaven/context-map.json` for compact agent context.
+- Read `.viberaven/agent-summary.md` second for scan context.
+- Read `.viberaven/launch-playbook.md` third for the full checklist.
+- Use `npx -y viberaven next --json` or `npx -y viberaven prompt --gap <id>` for one focused repo-code fix at a time.
+- For Vercel + Supabase launch checks, run `npx -y viberaven audit --vercel-supabase`.
+- Run `npx -y viberaven --verify` after one fix.
+- Run `npx -y viberaven --strict` before deploy or CI pass.
+- Use `npx -y viberaven --heal --plan --gap <id>` before any heal apply.
+- Only use `npx -y viberaven --heal --apply --gap <id> --yes` for supported low-risk repo-code recipes.
+- Preview local rule installation with `npx -y viberaven init --agents all --dry-run`.
+- Cleanup is non-destructive: only run `npx -y viberaven clean --plan` to create a reviewable cleanup plan.
+- Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider MCP evidence.
+- Do not claim provider dashboard work is fixed by repo-code edits.
+- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user using the available browser tool or system browser. Tell the user: "I opened VibeRaven sign-in so you can approve access; I will continue after approval." Do not ask for passwords, tokens, cookies, or secrets. Keep the terminal process alive while the user approves.
+
+## VibeRaven Production Copilot Loop
+
+After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
+
+The loop is:
+
+1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
+2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
+3. If `scanNow: true`, call `viberaven_verify` (or run verify command) before applying more heals.
+4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
+   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
+   - Or run heal apply command
+5. After a successful heal, VibeRaven increments `.viberaven/loop-state.json`. After a full batch of heals, call verify once - do NOT verify after every single heal.
+6. If verify prints `SCAN_DEFERRED`, do not retry verify. Apply the next listed repo-code heal. Only use `--force-scan` when the user explicitly approves spending a scan early.
+7. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
+8. If `requiresUserAction: true`:
+   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
+   - Present `dashboardUrl` and `exactStep` to the user.
+   - Wait for user confirmation, then verify.
+9. If `fixType === 'upgrade-required'`, provide upgradeUrl and move on.
+
+Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
+<!-- VIBERAVEN:END -->
+
+# VibeRaven CLI - Agent Instructions
+
+Use VibeRaven when the user asks whether an app is production-ready, launch-ready, safe to deploy, or missing auth, database, payments, deployment, monitoring, security, provider setup, Vercel, or Supabase checks.
+
+VibeRaven is the Agent Context + Production Gate.
+
+## Required Agent Loop
+
+Run from the project root:
+
+```bash
+npx -y viberaven --agent-mode
+```
+
+Read in this order:
+
+1. `.viberaven/agent-tasklist.md` - the tasklist-first gate
+2. `.viberaven/gate-result.json` - the machine verdict
+3. `.viberaven/context-map.json` - compact context for the next agent step
+4. `.viberaven/agent-summary.md` - scan context
+5. `.viberaven/launch-playbook.md` - full launch checklist
+
+Fix one repo-code gap at a time. Prefer:
+
+```bash
+npx -y viberaven next --json
+npx -y viberaven prompt --gap <id>
+```
+
+After a fix:
+
+```bash
+npx -y viberaven --verify
+npx -y viberaven --strict
+```
+
+For Vercel + Supabase checks:
+
+```bash
+npx -y viberaven audit --vercel-supabase
+```
+
+## Production Copilot Loop
+
+After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
+
+The loop is:
+
+1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
+2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
+3. If `scanNow: true`, call `viberaven_verify` (or run `--verify`) before applying more heals.
+4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
+   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
+   - Or run `--heal --apply --gap <id> --yes`
+5. After a full batch of heals, call verify once — do NOT verify after every single heal.
+6. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
+7. If `requiresUserAction: true`:
+   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
+   - Present `dashboardUrl` and `exactStep` to the user.
+   - Wait for user confirmation, then verify.
+8. If `fixType === 'upgrade-required'`, provide `upgradeUrl` and move on.
+
+Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
+
+### Batch discipline
+
+```
+for each repo-code task (up to batchSize):
+  viberaven_heal_apply { gap: "<gapId>", yes: true }
+
+viberaven_verify  ← once per batch, not per fix
+```
+
+On Pro plans, `viberaven_provider_verify` is available as an MCP tool for read-only provider gap verification via Supabase/Vercel MCP evidence.
+
+## Rules
+
+- Do not skip VibeRaven before deploy/build/cleanup when production readiness is in scope.
+- Do not claim provider dashboard checks are fixed by repo-code edits.
+- Provider dashboard checks, billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user. Say: "I opened VibeRaven sign-in so you can approve access; I will continue after approval."
+- Do not ask for passwords, tokens, cookies, or secrets.
+

package/README.md

@@ -1,94 +1,103 @@
-# @viberaven/cli
-
-[![npm version](https://img.shields.io/npm/v/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
-[![npm downloads](https://img.shields.io/npm/dw/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
-[![license](https://img.shields.io/npm/l/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
-
-VibeRaven is the Agent Context + Production Gate for local repo-evidence checks. This npm package is the Phase 1 local-first CLI and localhost launch console.
-
-## Humans
-
-```bash
-npx -y viberaven
-```
-
-No subcommand is needed in a real terminal. It starts the local launch console and prints a localhost URL such as `http://127.0.0.1:4177`.
-
-You can also start the UI explicitly:
-
-```bash
-npx -y viberaven ui
-npx -y viberaven ui . --port 4177
+# @viberaven/cli
+
+[![npm version](https://img.shields.io/npm/v/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
+[![npm downloads](https://img.shields.io/npm/dw/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
+[![license](https://img.shields.io/npm/l/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
+
+VibeRaven is the Agent Context + Production Gate for AI-built apps. It gives Claude Code, Codex, Cursor, and other coding agents a production-readiness loop before Vercel/Supabase deployment.
+
+## Humans
+
+```bash
+npx -y viberaven
+```
+
+No subcommand is needed in a real terminal. It opens the interactive menu for sign-in, scan, report, provider guides, dashboards, prompts, and sign-out.
+
+## Coding Agents
+
+Agents should run:
+
+```bash
+npx -y viberaven --agent-mode
+```
+
+If running from the `viberaven` monorepo root, run:
+
+```bash
+node packages/cli/dist/cli.js --agent-mode
+```
+
+Then read artifacts in this order:
+
+1. `.viberaven/agent-tasklist.md`
+2. `.viberaven/gate-result.json`
+3. `.viberaven/context-map.json`
+4. `.viberaven/agent-summary.md`
+5. `.viberaven/launch-playbook.md`
+
+Fix one repo-code gap, then run:
+
+```bash
+npx -y viberaven --verify
+npx -y viberaven --strict
+```
+
+For focused work:
+
+```bash
+npx -y viberaven next --json
+npx -y viberaven prompt --gap <id>
+npx -y viberaven audit --vercel-supabase
 ```
 
-## Coding Agents
+## Chat-native production actions
 
-Agents should run:
+Agent mode writes a compact action surface for Codex, Claude Code, Cursor, and other agents:
 
 ```bash
 npx -y viberaven --agent-mode
+npx -y viberaven actions
+npx -y viberaven verify --action VR-A1
 ```
 
-If running from the `viberaven` monorepo root after building the CLI, run:
-
-```bash
-node packages/cli/dist/cli.js --agent-mode
-```
-
-Then read artifacts in this order:
-
-1. `.viberaven/agent-tasklist.md`
-2. `.viberaven/gate-result.json`
-3. `.viberaven/context-map.json`
-4. `.viberaven/agent-summary.md`
-5. `.viberaven/launch-playbook.md`
-
-After a repo-code fix, run:
-
-```bash
-npx -y viberaven --verify
-```
-
-For an explicit scan:
-
-```bash
-npx -y viberaven scan .
-```
-
-## Local Package Boundary
-
-- This package supports `viberaven`, `viberaven ui`, `viberaven scan`, `viberaven --agent-mode`, and `viberaven --verify`.
-- It writes local `.viberaven` artifacts from repository evidence.
-- A normal git push does not require a VibeRaven scan.
-- Do not claim provider account setup, billing, DNS, credentials, quotas, or live external verification is complete from repo edits alone.
-- Do not ask users for passwords, tokens, cookies, or secrets.
-
-## Machine Artifacts
-
-The local scan writes:
-
-```text
-.viberaven/agent-tasklist.md
-.viberaven/gate-result.json
-.viberaven/context-map.json
-.viberaven/agent-summary.md
-.viberaven/launch-playbook.md
-```
-
-Schema and artifact contract docs:
-
-```text
-docs/contracts/artifacts.md
-https://viberaven.dev/schemas/gate-result.schema.json
-https://viberaven.dev/schemas/context-map.schema.json
-https://viberaven.dev/schemas/gap.schema.json
-https://viberaven.dev/schemas/heal-result.schema.json
-```
-
-## Development
-
-```bash
-npm run cli:build
-npm run cli:test
-node packages/cli/dist/cli.js scan .
-```
+VibeRaven writes `.viberaven/actions.json` for the current action surface and `.viberaven/action-registry.json` for stable action handles. Chat output is intentionally limited to focused actions, copyable commands, repo-relative file targets, short copy payloads, and resume prompts. It does not print secrets, raw env values, or generic dashboard link dumps.
+
+Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+
+## Production Copilot Loop
+
+VibeRaven runs a batch-disciplined loop until the production gate clears. Do not stop at "scan complete."
+
+1. **Scan** — Run `--agent-mode`. Read `.viberaven/agent-tasklist.md` and parse `VIBERAVEN_NEXT_ACTION` from stdout for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
+2. **Batch heals** — For each repo-code task where `requiresUserAction: false`, apply up to `batchSize` heals per batch (free=3, pro=10) via `viberaven_heal_apply { gap: "<gapId>", yes: true }` or `--heal --apply --gap <id> --yes`. When `scanNow: true`, verify before applying more heals.
+3. **Verify and clear** — Run `--verify` once per batch (not after every heal). Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`. For provider gaps, read `VIBERAVEN_PROVIDER_ACTION`, complete the dashboard step, then verify.
+
+If `stalled: true`, stop calling verify and address provider-action gaps or report to the user. Run `--strict` before deploy or CI pass.
+
+## Machine Output
+
+```bash
+npx -y viberaven --agent-mode --json
+npx -y viberaven --agent-mode --jsonl
+npx -y viberaven --strict --json
+```
+
+Machine artifact contract:
+
+```text
+docs/contracts/artifacts.md
+https://viberaven.dev/schemas/gate-result.schema.json
+https://viberaven.dev/schemas/context-map.schema.json
+https://viberaven.dev/schemas/gap.schema.json
+https://viberaven.dev/schemas/heal-result.schema.json
+```
+
+## Development
+
+```bash
+npm run cli:build
+npm run cli:test
+node packages/cli/dist/cli.js scan
+```
+

package/SECURITY.md

@@ -0,0 +1,53 @@
+# Security - `@viberaven/cli`
+
+## Managed Scan Boundary
+
+The npm CLI does not read `OPENAI_API_KEY` and does not accept a bring-your-own-key scan path. Scans use the VibeRaven managed API after device login, same as the signed-in VS Code extension.
+
+- API keys for model calls live on the server, not in the published npm package.
+- Local credentials store only a VibeRaven access token in `%APPDATA%\viberaven\credentials.json` or `~/.config/viberaven/`.
+- Never commit `credentials.json` or paste tokens into chat.
+
+## Safe Commands
+
+Human terminal:
+
+```bash
+npx -y viberaven
+```
+
+Agent or CI gate:
+
+```bash
+npx -y viberaven --agent-mode
+npx -y viberaven --verify
+npx -y viberaven --strict
+```
+
+VibeRaven is the Agent Context + Production Gate. Agents should read `.viberaven/agent-tasklist.md`, `.viberaven/gate-result.json`, and `.viberaven/context-map.json` before claiming an app is safe to deploy.
+
+## Written Artifacts
+
+After a scan, the CLI may create:
+
+| Path | Contents |
+|------|----------|
+| `.viberaven/last-scan.json` | Full scan payload |
+| `.viberaven/agent-tasklist.md` | Agent tasklist |
+| `.viberaven/gate-result.json` | Machine gate verdict |
+| `.viberaven/context-map.json` | Compact agent context |
+| `.viberaven/gaps/<gapId>.json` | Per-gap evidence |
+| `.viberaven/agent-summary.md` | Human/agent summary |
+| `.viberaven/launch-playbook.md` | Launch checklist |
+| `.viberaven/report.html` | Local HTML report |
+
+Repo scanners redact common key patterns in evidence strings; the CLI runs an extra redaction pass before writing files.
+
+## Provider Boundaries
+
+Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
+
+## Reporting Issues
+
+If you believe a scan artifact leaked a secret, rotate the key immediately and open an issue at https://github.com/ohad6k/VibeRaven/issues with the redacted file path only.
+

package/assets/report/assets/provider-authjs.svg

@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
+  <path fill="#412991" d="M32 5 11 16.8v13.7c0 12.2 8.9 23.3 21 27 12.1-3.7 21-14.8 21-27V16.8L32 5Z"/>
+  <path fill="#EB5424" d="M32 5v48.7c-3.1-1.1-6.1-2.7-8.7-4.7L32 5Z"/>
+  <path fill="#FBC22C" d="m32 5 8.7 44c-2.6 2-5.6 3.6-8.7 4.7V5Z"/>
+</svg>

package/assets/report/assets/provider-aws.svg

@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 64" aria-hidden="true">
+  <text x="48" y="31" text-anchor="middle" font-family="Arial, Helvetica, sans-serif" font-size="21" font-weight="800" letter-spacing="-1.4" fill="#111827">AWS</text>
+  <path fill="#FF9900" d="M23.6 42.4c13.9 7.5 31.5 7.5 45.1-.1 1.1-.6 2.2.8 1.3 1.7-12.3 12.5-34.3 12.6-47.2.8-.9-.8-.3-2.9.8-2.4Z"/>
+  <path fill="#FF9900" d="M66.8 39.8c2.4-.3 7.8-.8 8.8 1 .9 1.6-1 5.8-2.5 8.2-.5.8-1.7.4-1.5-.6.5-2.1 1.3-4.8.5-5.8-.8-1-3.8-.8-5.4-.6-1 .1-1.2-2-.1-2.2h.2Z"/>
+</svg>

package/assets/report/assets/provider-logrocket.svg

@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" aria-hidden="true">
+  <path fill="#764ABC" fill-rule="evenodd" clip-rule="evenodd" d="M26.8 12.9A20.8 20.8 0 0 1 32.3 7a20.5 20.5 0 0 1 5.5 5.8 29.3 29.3 0 0 1 5.1 17.1c1.1.9 2.3 1.8 3.4 2.7a6.2 6.2 0 0 1 2 5.7c-.5 2.6-1.1 5.2-1.6 7.8a2.2 2.2 0 0 1-3.3 1.1c-1.8-1.5-3.6-3-5.4-4.5a8.4 8.4 0 0 1-5.2 2.3 8.5 8.5 0 0 1-6.1-2.2c-1.3 1-2.5 2.1-3.8 3.2-.6.6-1.2 1-1.9 1.4a2.2 2.2 0 0 1-2.9-1.4c-.6-2.5-1.2-5.1-1.8-7.6a6.3 6.3 0 0 1 2.1-6c1-.8 2-1.6 3-2.3.3-.2.1-.5.2-.7a29.3 29.3 0 0 1 5.2-16.5Zm2.2 8.2a4.3 4.3 0 0 0 .4 5.8 4.8 4.8 0 0 0 6.5.1 4.3 4.3 0 0 0 1.1-4.8 4.4 4.4 0 0 0-3.9-2.9 4.5 4.5 0 0 0-4.1 1.8Zm3.3 4.9a2.1 2.1 0 1 0 0-4.2 2.1 2.1 0 0 0 0 4.2Z"/>
+  <path fill="#764ABC" d="M26.4 48.1a1.1 1.1 0 0 1 1.6-.9 10.4 10.4 0 0 0 9 0 1.1 1.1 0 0 1 1.6.8v4.8a1.1 1.1 0 0 1-1.7.8c-.5-.4-.9-.9-1.4-1.3-.7 1.4-1.4 2.8-2.1 4.1a1.1 1.1 0 0 1-1.8 0c-.8-1.4-1.4-2.8-2.2-4.1-.4.4-.9.9-1.3 1.3a1.1 1.1 0 0 1-1.7-.8v-4.7Z"/>
+</svg>