@viberaven/cli 1.1.8 → 1.1.9

package/AGENTS.md

@@ -1,157 +1,62 @@
-<!-- VIBERAVEN:START -->
-VibeRaven provides production readiness for AI-built apps.
-
-Canonical command: `npx -y viberaven --agent-mode`
-
-If this command is run from the `viberaven` repo itself, use `node packages/cli/dist/cli.js --agent-mode` to avoid resolving the local package metadata.
-
-Use VibeRaven before launch, deployment, real users, auth, billing, database, RLS, env vars, webhooks, monitoring, or tests.
-
-Agent loop: run VibeRaven, read Mission Map (`.viberaven/mission-map.md`), fix one launch gap, re-run VibeRaven.
-
-## Event-Triggered Production Verification
-
-Trigger: modifications to `package.json`, `vercel.json`, `supabase/migrations/**/*`, `.env.example`, auth/billing/webhook paths, or deploy workflow files.
-
-1. Do NOT claim "production ready" or close a deploy checklist until `gate.status === "clear"` in `.viberaven/gate-result.json`.
-2. Do NOT run verify after every file patch. Batch heals, then `npx -y viberaven --verify` once per loop.
-3. Do NOT `git push` or deploy after auth, RLS, billing, or webhook changes without `npx -y viberaven --agent-mode`.
-4. If anomalies appear, read `.viberaven/agent-tasklist.md` fully before writing new repo logic.
-
-Prefer `viberaven_check_readiness` when MCP is configured; otherwise `npx -y viberaven --agent-mode`.
-
-## VibeRaven Production-Readiness Gate
-
-- Before running build, compile, cleanup, deployment, vercel, or supabase commands, run `npx -y viberaven --agent-mode` first from the project root.
-- Treat VibeRaven as the Agent Context + Production Gate for AI-built apps, especially apps using Vercel, Supabase, auth, database, payments, webhooks, monitoring, rate limits, or environment variables.
-- Read `.viberaven/agent-tasklist.md` first. If it says CRITICAL GAPS DETECTED or PRODUCTION GATE NOT CLEAR, fix one listed repo-code gap before deploying.
-- Read `.viberaven/gate-result.json` for the machine verdict.
-- Read `.viberaven/context-map.json` for compact agent context.
-- Read `.viberaven/agent-summary.md` second for scan context.
-- Read `.viberaven/launch-playbook.md` third for the full checklist.
-- Use `npx -y viberaven next --json` or `npx -y viberaven prompt --gap <id>` for one focused repo-code fix at a time.
-- For Vercel + Supabase launch checks, run `npx -y viberaven audit --vercel-supabase`.
-- Run `npx -y viberaven --verify` after one fix.
-- Run `npx -y viberaven --strict` before deploy or CI pass.
-- Use `npx -y viberaven --heal --plan --gap <id>` before any heal apply.
-- Only use `npx -y viberaven --heal --apply --gap <id> --yes` for supported low-risk repo-code recipes.
-- Preview local rule installation with `npx -y viberaven init --agents all --dry-run`.
-- Cleanup is non-destructive: only run `npx -y viberaven clean --plan` to create a reviewable cleanup plan.
-- Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider MCP evidence.
-- Do not claim provider dashboard work is fixed by repo-code edits.
-- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user using the available browser tool or system browser. Tell the user: "I opened VibeRaven sign-in so you can approve access; I will continue after approval." Do not ask for passwords, tokens, cookies, or secrets. Keep the terminal process alive while the user approves.
-
-## VibeRaven Production Copilot Loop
-
-After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
-
-The loop is:
-
-1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
-2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
-3. If `scanNow: true`, call `viberaven_verify` (or run verify command) before applying more heals.
-4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
-   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
-   - Or run heal apply command
-5. After a successful heal, VibeRaven increments `.viberaven/loop-state.json`. After a full batch of heals, call verify once - do NOT verify after every single heal.
-6. If verify prints `SCAN_DEFERRED`, do not retry verify. Apply the next listed repo-code heal. Only use `--force-scan` when the user explicitly approves spending a scan early.
-7. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
-8. If `requiresUserAction: true`:
-   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
-   - Present `dashboardUrl` and `exactStep` to the user.
-   - Wait for user confirmation, then verify.
-9. If `fixType === 'upgrade-required'`, provide upgradeUrl and move on.
-
-Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
-<!-- VIBERAVEN:END -->
-
-# VibeRaven CLI - Agent Instructions
-
-Use VibeRaven when the user asks whether an app is production-ready, launch-ready, safe to deploy, or missing auth, database, payments, deployment, monitoring, security, provider setup, Vercel, or Supabase checks.
-
-VibeRaven is the Agent Context + Production Gate.
-
-## Required Agent Loop
-
-Run from the project root:
-
-```bash
-npx -y viberaven --agent-mode
-```
-
-Read in this order:
-
-1. `.viberaven/agent-tasklist.md` - the tasklist-first gate
-2. `.viberaven/gate-result.json` - the machine verdict
-3. `.viberaven/context-map.json` - compact context for the next agent step
-4. `.viberaven/agent-summary.md` - scan context
-5. `.viberaven/launch-playbook.md` - full launch checklist
-
-Fix one repo-code gap at a time. Prefer:
-
-```bash
-npx -y viberaven next --json
-npx -y viberaven prompt --gap <id>
-```
-
-After a fix:
-
-```bash
-npx -y viberaven --verify
-npx -y viberaven --strict
-```
-
-For Vercel + Supabase checks:
-
-```bash
-npx -y viberaven audit --vercel-supabase
-```
-
-## Production Copilot Loop
-
-After every scan, read `.viberaven/agent-tasklist.md` for the prioritized task list.
-
-The loop is:
-
-1. Read `VIBERAVEN_NEXT_ACTION` from scan output for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
-2. If `stalled: true`, stop calling verify — address provider-action gaps or report to the user.
-3. If `scanNow: true`, call `viberaven_verify` (or run `--verify`) before applying more heals.
-4. For each repo-code task where `requiresUserAction: false` (up to `batchSize` per batch):
-   - Call MCP: `viberaven_heal_apply { gap: "<gapId>", yes: true }`
-   - Or run `--heal --apply --gap <id> --yes`
-5. After a full batch of heals, call verify once — do NOT verify after every single heal.
-6. Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`.
-7. If `requiresUserAction: true`:
-   - Read `VIBERAVEN_PROVIDER_ACTION` from terminal output.
-   - Present `dashboardUrl` and `exactStep` to the user.
-   - Wait for user confirmation, then verify.
-8. If `fixType === 'upgrade-required'`, provide `upgradeUrl` and move on.
-
-Do not stop at "scan complete." The loop is not done until `gate.status === 'clear'`.
-
-### Batch discipline
-
-```
-for each repo-code task (up to batchSize):
-  viberaven_heal_apply { gap: "<gapId>", yes: true }
-
-viberaven_verify  ← once per batch, not per fix
-```
-
-On Pro plans, `viberaven_provider_verify` is available as an MCP tool for read-only provider gap verification via Supabase/Vercel MCP evidence.
-
-## Rules
-
-- Do not skip VibeRaven before deploy/build/cleanup when production readiness is in scope.
-- Do not claim provider dashboard checks are fixed by repo-code edits.
-- Provider dashboard checks, billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
-- If VibeRaven prints `LOGIN_URL_READY`, open that URL for the user. Say: "I opened VibeRaven sign-in so you can approve access; I will continue after approval."
-- Do not ask for passwords, tokens, cookies, or secrets.
-
-## Current machine-readable docs
-
-- Skill: https://viberaven.dev/SKILL.md
-- Agent rules: https://viberaven.dev/AGENTS.md
-- CLI docs: https://viberaven.dev/cli.md
-- MCP config: https://viberaven.dev/mcp.md
-
+# VibeRaven CLI - Local-First Agent Instructions
+
+This npm package provides the Phase 1 local-first VibeRaven CLI and localhost launch console.
+
+Canonical command:
+
+```bash
+npx -y viberaven --agent-mode
+```
+
+When working inside this repository after building the CLI, use the local binary to avoid package-manager resolution:
+
+```bash
+node packages/cli/dist/cli.js --agent-mode
+```
+
+VibeRaven is the Agent Context + Production Gate for local repo-evidence checks. Use it when the user asks whether an app is launch-ready, safe to deploy, or missing auth, database, payments, deployment, monitoring, security, Vercel, or Supabase evidence.
+
+## Local Agent Loop
+
+Run from the project root:
+
+```bash
+npx -y viberaven --agent-mode
+```
+
+Read in this order:
+
+1. `.viberaven/agent-tasklist.md` - tasklist-first local gate
+2. `.viberaven/gate-result.json` - machine verdict
+3. `.viberaven/context-map.json` - compact context for the next agent step
+4. `.viberaven/agent-summary.md` - scan context
+5. `.viberaven/launch-playbook.md` - local launch checklist
+
+Fix one repo-code gap at a time. Prefer:
+
+```bash
+npx -y viberaven --agent-mode
+```
+
+After a fix:
+
+```bash
+npx -y viberaven --verify
+```
+
+For an explicit local scan:
+
+```bash
+npx -y viberaven scan .
+```
+
+## Local Package Boundary
+
+- This package runs deterministic local repo-evidence checks and serves a localhost UI.
+- Supported commands are `viberaven`, `viberaven ui`, `viberaven scan`, `viberaven --agent-mode`, and `viberaven --verify`.
+- A normal git push does not require a VibeRaven scan.
+- Do not claim provider account setup, billing, DNS, credentials, quotas, or live external verification is complete from repo edits alone.
+- Do not ask users for passwords, tokens, cookies, or secrets.
+- Do not treat a local dev server start as proof of production readiness; use `.viberaven/gate-result.json`.
+
+The local loop is complete only when the requested repo-code work is fixed and `.viberaven/gate-result.json` reports the expected gate state for that local evidence scan.

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2026 VibeRaven
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2026 VibeRaven
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,128 +1,94 @@
-# @viberaven/cli
-
-[![npm version](https://img.shields.io/npm/v/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
-[![npm downloads](https://img.shields.io/npm/dw/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
-[![license](https://img.shields.io/npm/l/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
-
-VibeRaven is the Agent Context + Production Gate for AI-built apps. It gives Claude Code, Codex, Cursor, and other coding agents a production-readiness loop before Vercel/Supabase deployment.
-
-## Humans
-
-```bash
-npx -y viberaven
-```
-
-No subcommand is needed in a real terminal. It opens the interactive menu for sign-in, scan, report, provider guides, dashboards, prompts, and sign-out.
-
-## Coding Agents
-
-Agents should run:
-
-```bash
-npx -y viberaven --agent-mode
-```
-
-If running from the `viberaven` monorepo root, run:
-
-```bash
-node packages/cli/dist/cli.js --agent-mode
-```
-
-Then read artifacts in this order:
-
-1. `.viberaven/agent-tasklist.md`
-2. `.viberaven/gate-result.json`
-3. `.viberaven/context-map.json`
-4. `.viberaven/agent-summary.md`
-5. `.viberaven/launch-playbook.md`
-
-Fix one repo-code gap, then run:
-
-```bash
-npx -y viberaven --verify
-npx -y viberaven --strict
-```
-
-For focused work:
-
-```bash
-npx -y viberaven next --json
-npx -y viberaven prompt --gap <id>
-npx -y viberaven audit --vercel-supabase
-```
-
-## Chat-native production actions
-
-Agent mode writes a compact action surface for Codex, Claude Code, Cursor, and other agents:
-
-```bash
-npx -y viberaven --agent-mode
-npx -y viberaven actions
-npx -y viberaven verify --action VR-A1
-```
-
-VibeRaven writes `.viberaven/actions.json` as the V1 source of truth and renderer contract for the current action surface. The manifest is generated by `--agent-mode`; `.viberaven/action-registry.json` preserves stable action handles across runs.
-
-Chat output is intentionally limited to focused actions, provider targets, copy payloads, verification commands, repo-relative file targets, and resume prompts. It does not print secrets, raw env values, or generic dashboard link dumps.
-
-Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider evidence.
-
-Preview the action surface without login, scan, or API spend:
-
-```bash
-npx -y viberaven preview --agent-mode
-```
-
-The preview uses sample renderer data to show the intended chat-native shape. It is not a production verdict for the current repository.
-
-## Agent infrastructure direction
-
-VibeRaven's action model is designed for normal Codex, Claude Code, Cursor, and MCP workflows today, and for richer agent hosts later.
-
-Managed-agent systems need durable sessions, observable event history, credential boundaries, bounded execution, and resumable action state. VibeRaven keeps those concerns in the manifest contract:
-
-- `.viberaven/actions.json` is the current action surface.
-- `.viberaven/action-registry.json` preserves stable IDs and lifecycle history.
-- Future session events can add an append-only timeline without changing the current action model.
-- Provider credentials and raw env values must stay out of chat output, manifests, MCP resources, and UI renderers.
-- Future local/hosted consoles should execute only narrow VibeRaven commands, not arbitrary shell text.
-
-## Production Copilot Loop
-
-VibeRaven runs a batch-disciplined loop until the production gate clears. Do not stop at "scan complete."
-
-1. **Scan** — Run `--agent-mode`. Read `.viberaven/agent-tasklist.md` and parse `VIBERAVEN_NEXT_ACTION` from stdout for `batchSize`, `batchApplied`, `scanNow`, and `stalled`.
-2. **Batch heals** — For each repo-code task where `requiresUserAction: false`, apply up to `batchSize` heals per batch (free=3, pro=10) via `viberaven_heal_apply { gap: "<gapId>", yes: true }` or `--heal --apply --gap <id> --yes`. When `scanNow: true`, verify before applying more heals.
-3. **Verify and clear** — Run `--verify` once per batch (not after every heal). Repeat until `gate.status === 'clear'` in `.viberaven/gate-result.json`. For provider gaps, read `VIBERAVEN_PROVIDER_ACTION`, complete the dashboard step, then verify.
-
-If `stalled: true`, stop calling verify and address provider-action gaps or report to the user. Run `--strict` before deploy or CI pass.
-
-## Machine Output
-
-```bash
-npx -y viberaven --agent-mode --json
-npx -y viberaven --agent-mode --jsonl
-npx -y viberaven --strict --json
-```
-
-Machine artifact contract:
-
-```text
-docs/contracts/artifacts.md
-https://viberaven.dev/schemas/gate-result.schema.json
-https://viberaven.dev/schemas/context-map.schema.json
-https://viberaven.dev/schemas/gap.schema.json
-https://viberaven.dev/schemas/heal-result.schema.json
-```
-
-## Development
-
-```bash
-npm run cli:build
-npm run cli:test
-node packages/cli/dist/cli.js scan
-```
-
-## License
-
-The public npm CLI package is MIT licensed. Private monorepo code and extension packaging may have separate product terms.
+# @viberaven/cli
+
+[![npm version](https://img.shields.io/npm/v/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
+[![npm downloads](https://img.shields.io/npm/dw/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
+[![license](https://img.shields.io/npm/l/@viberaven/cli)](https://www.npmjs.com/package/@viberaven/cli)
+
+VibeRaven is the Agent Context + Production Gate for local repo-evidence checks. This npm package is the Phase 1 local-first CLI and localhost launch console.
+
+## Humans
+
+```bash
+npx -y viberaven
+```
+
+No subcommand is needed in a real terminal. It starts the local launch console and prints a localhost URL such as `http://127.0.0.1:4177`.
+
+You can also start the UI explicitly:
+
+```bash
+npx -y viberaven ui
+npx -y viberaven ui . --port 4177
+```
+
+## Coding Agents
+
+Agents should run:
+
+```bash
+npx -y viberaven --agent-mode
+```
+
+If running from the `viberaven` monorepo root after building the CLI, run:
+
+```bash
+node packages/cli/dist/cli.js --agent-mode
+```
+
+Then read artifacts in this order:
+
+1. `.viberaven/agent-tasklist.md`
+2. `.viberaven/gate-result.json`
+3. `.viberaven/context-map.json`
+4. `.viberaven/agent-summary.md`
+5. `.viberaven/launch-playbook.md`
+
+After a repo-code fix, run:
+
+```bash
+npx -y viberaven --verify
+```
+
+For an explicit scan:
+
+```bash
+npx -y viberaven scan .
+```
+
+## Local Package Boundary
+
+- This package supports `viberaven`, `viberaven ui`, `viberaven scan`, `viberaven --agent-mode`, and `viberaven --verify`.
+- It writes local `.viberaven` artifacts from repository evidence.
+- A normal git push does not require a VibeRaven scan.
+- Do not claim provider account setup, billing, DNS, credentials, quotas, or live external verification is complete from repo edits alone.
+- Do not ask users for passwords, tokens, cookies, or secrets.
+
+## Machine Artifacts
+
+The local scan writes:
+
+```text
+.viberaven/agent-tasklist.md
+.viberaven/gate-result.json
+.viberaven/context-map.json
+.viberaven/agent-summary.md
+.viberaven/launch-playbook.md
+```
+
+Schema and artifact contract docs:
+
+```text
+docs/contracts/artifacts.md
+https://viberaven.dev/schemas/gate-result.schema.json
+https://viberaven.dev/schemas/context-map.schema.json
+https://viberaven.dev/schemas/gap.schema.json
+https://viberaven.dev/schemas/heal-result.schema.json
+```
+
+## Development
+
+```bash
+npm run cli:build
+npm run cli:test
+node packages/cli/dist/cli.js scan .
+```