@vibgrate/cli 0.1.1 → 0.1.3

package/README.md

@@ -0,0 +1,244 @@
+<p align="center">
+  <strong>@vibgrate/cli</strong>
+  <br />
+  Continuous Upgrade Drift Intelligence for Node & .NET
+</p>
+
+<p align="center">
+  <a href="https://www.npmjs.com/package/@vibgrate/cli"><img src="https://img.shields.io/npm/v/@vibgrate/cli?color=blue&label=npm" alt="npm version" /></a>
+  <a href="https://www.npmjs.com/package/@vibgrate/cli"><img src="https://img.shields.io/npm/dm/@vibgrate/cli?color=green" alt="npm downloads" /></a>
+  <a href="https://vibgrate.com"><img src="https://img.shields.io/badge/website-vibgrate.com-blue" alt="website" /></a>
+  <img src="https://img.shields.io/node/v/@vibgrate/cli" alt="node version" />
+</p>
+
+---
+
+Modern codebases don't break all at once — they decay silently. Node runtimes fall behind LTS. .NET frameworks approach end-of-life. Core dependencies lag multiple major versions. Upgrade cost compounds until it becomes a project in itself.
+
+**Vibgrate turns that invisible decay into a measurable signal.** One CLI command gives you an Upgrade Drift Score (0–100), actionable findings, and a clear picture of where your upgrade debt lives.
+
+---
+
+## Quick Start
+
+Run instantly with npx — no install required:
+
+```bash
+npx @vibgrate/cli scan .
+```
+
+Or install as a dev dependency:
+
+```bash
+npm install -D @vibgrate/cli
+```
+
+Then scan your project:
+
+```bash
+npx vibgrate scan .
+```
+
+> **Why `npx`?** Installing with `-D` places the binary in `node_modules/.bin/`, which isn't on your system PATH. Use `npx` to run it, or add a script to your `package.json`:
+>
+> ```json
+> "scripts": {
+>   "drift": "vibgrate scan ."
+> }
+> ```
+>
+> Then run `npm run drift`. Alternatively, install globally with `npm install -g @vibgrate/cli` to use `vibgrate` directly.
+
+That's it. You'll see a full drift report in seconds.
+
+---
+
+## What You Get
+
+```
+╔══════════════════════════════════════════╗
+║        Vibgrate Drift Report             ║
+╚══════════════════════════════════════════╝
+
+  Drift Score:  72/100
+  Risk Level:   Low
+  Projects:     3
+
+  Score Breakdown
+    Runtime:      ████████████████████ 100
+    Frameworks:   ████████████████░░░░  78
+    Dependencies: ██████████████░░░░░░  64
+    EOL Risk:     ████████████████████ 100
+
+  ── my-api (node) src/api
+     Runtime: 20.11.0 (current)
+     Frameworks:
+       NestJS: 10.3.0 → 11.0.0 (1 behind)
+     Dependencies:
+       42 current  8 1-behind  3 2+ behind
+
+  Findings
+    ⚠ Framework "NestJS" is 1 major version(s) behind
+    ⚠ 12% of dependencies are 2+ major versions behind
+```
+
+---
+
+## Key Features
+
+### Upgrade Drift Score
+
+A single 0–100 number that tells you how upgrade-ready your codebase is. Computed from runtime lag, framework versions, dependency age distribution, and EOL proximity. Deterministic and comparable across repos.
+
+### Multi-Platform Scanning
+
+Works across **Node.js/TypeScript** and **.NET** projects in the same scan. Detects `package.json`, `.sln`, and `.csproj` files recursively.
+
+### CI-Native
+
+Designed to live in your build pipeline. Returns meaningful exit codes, produces SARIF output for GitHub Code Scanning and Azure DevOps, and requires zero configuration to get started.
+
+### Ten Extended Scanners
+
+Beyond the core drift score, Vibgrate runs a suite of extended scanners — all optional, all privacy-safe:
+
+| Scanner | What It Finds |
+|---------|---------------|
+| **Platform Matrix** | Native modules, OS assumptions, Docker base images, architecture risks |
+| **Dependency Risk** | Deprecated packages, native module flags, platform-specific dependencies |
+| **Dependency Graph** | Duplicated packages, phantom dependencies, lockfile analysis |
+| **Tooling Inventory** | Full tech stack map — frameworks, bundlers, ORMs, testing tools |
+| **Build & Deploy** | CI systems, Docker, IaC, release tooling, monorepo tools |
+| **TypeScript Modernity** | Strict mode, module system, ESM readiness |
+| **Breaking Change Exposure** | Packages known to cause upgrade pain, legacy polyfills |
+| **File Hotspots** | Codebase shape — file counts, sizes, depth, shared packages |
+| **Security Posture** | Lockfile hygiene, `.gitignore` coverage, audit severity counts |
+| **Service Dependencies** | External SDK detection — payment, auth, cloud, databases, messaging |
+
+### Baseline & Delta Tracking
+
+Take a baseline snapshot, then measure drift over time:
+
+```bash
+npx vibgrate baseline .
+npx vibgrate scan . --baseline .vibgrate/baseline.json
+```
+
+### Multiple Output Formats
+
+| Format | Use Case |
+|--------|----------|
+| `text` | Terminal output, local development |
+| `json` | Programmatic consumption, artifact storage |
+| `sarif` | GitHub Code Scanning, Azure DevOps integration |
+| `md` | PR comments, documentation, wikis |
+
+### Dashboard Upload (Optional)
+
+Push scan results to the [Vibgrate Dashboard](https://vibgrate.com) for trend analysis, cross-repo comparison, and team-wide visibility. Upload is always opt-in — the CLI provides full value offline.
+
+```bash
+VIBGRATE_DSN="..." vibgrate push
+```
+
+---
+
+## CI Integration
+
+### GitHub Actions
+
+```yaml
+- name: Vibgrate Scan
+  run: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
+
+- name: Upload SARIF
+  uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: vibgrate.sarif
+```
+
+### Azure DevOps
+
+```yaml
+- script: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
+  displayName: Vibgrate Scan
+```
+
+Works in any CI environment. No login required. No configuration needed.
+
+---
+
+## Configuration
+
+Optionally create a `vibgrate.config.ts` to customise thresholds and scanner toggles:
+
+```bash
+vibgrate init
+```
+
+```typescript
+import type { VibgrateConfig } from '@vibgrate/cli';
+
+const config: VibgrateConfig = {
+  exclude: ['legacy/**'],
+  thresholds: {
+    failOnError: {
+      eolDays: 180,
+      frameworkMajorLag: 3,
+      dependencyTwoPlusPercent: 50,
+    },
+  },
+};
+
+export default config;
+```
+
+---
+
+## Privacy First
+
+Vibgrate is designed to be safe to run on any codebase:
+
+- **No source code is read** — only `package.json`, `tsconfig.json`, lockfiles, and project manifests
+- **No secrets are scanned** — ever
+- **No git history, authors, or commit messages** — only HEAD SHA and branch name for traceability
+- **No data leaves your machine** unless you explicitly run `vibgrate push`
+- **No login required** — works fully offline
+
+---
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `vibgrate scan [path]` | Scan for upgrade drift |
+| `vibgrate baseline [path]` | Create a drift baseline |
+| `vibgrate report` | Generate a report from a scan artifact |
+| `vibgrate init [path]` | Initialise config and `.vibgrate/` directory |
+| `vibgrate push` | Upload scan results to dashboard |
+| `vibgrate dsn create` | Generate a DSN token |
+| `vibgrate update` | Check for and install updates |
+
+---
+
+## Requirements
+
+- **Node.js** >= 20.0.0
+- Works on macOS, Linux, and Windows
+
+---
+
+## Full Documentation
+
+See [DOCS.md](https://github.com/crowers/vibgrate-cli/blob/main/packages/vibgrate-cli/DOCS.md) for the complete reference — all commands, all flags, configuration options, extended scanner details, CI examples, and more.
+
+---
+
+## Links
+
+- [Website](https://vibgrate.com)
+- [Documentation](https://github.com/crowers/vibgrate-cli/blob/main/packages/vibgrate-cli/DOCS.md)
+
+---
+
+Copyright © 2026 Vibgrate. All rights reserved. See [LICENSE](./LICENSE) for terms.

package/dist/{baseline-AENFLFQT.js → baseline-D5UDXOEJ.js}

@@ -1,8 +1,8 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-OHAVLM6P.js";
-import "./chunk-DLRBJYO6.js";
+} from "./chunk-3X3ZMVHI.js";
+import "./chunk-VXEZ7APL.js";
 export {
   baselineCommand,
   runBaseline

package/dist/{chunk-OHAVLM6P.js → chunk-3X3ZMVHI.js}

@@ -1,7 +1,7 @@
 import {
   runScan,
   writeJsonFile
-} from "./chunk-DLRBJYO6.js";
+} from "./chunk-VXEZ7APL.js";
 
 // src/commands/baseline.ts
 import * as path from "path";