@vibgrate/cli 0.1.4 → 1.0.2

package/README.md

@@ -24,7 +24,7 @@ Modern codebases don't break all at once — they decay silently. Node runtimes
 Run instantly with npx — no install required:
 
 ```bash
-npx @vibgrate/cli scan .
+npx @vibgrate/cli scan
 ```
 
 Or install as a dev dependency:
@@ -36,14 +36,14 @@ npm install -D @vibgrate/cli
 Then scan your project:
 
 ```bash
-npx vibgrate scan .
+npx vibgrate scan
 ```
 
 > **Why `npx`?** Installing with `-D` places the binary in `node_modules/.bin/`, which isn't on your system PATH. Use `npx` to run it, or add a script to your `package.json`:
 >
 > ```json
 > "scripts": {
->   "drift": "vibgrate scan ."
+>   "drift": "vibgrate scan"
 > }
 > ```
 >
@@ -56,13 +56,19 @@ That's it. You'll see a full drift report in seconds.
 ## What You Get
 
 ```
+    ╭───╮➜
+   ╭┤◉ ◉├╮  V I B G R A T E
+   ╰┤───├╯  Drift Intelligence Engine v1.x.x
+    ╰───╯
+
 ╔══════════════════════════════════════════╗
 ║        Vibgrate Drift Report             ║
 ╚══════════════════════════════════════════╝
 
   Drift Score:  72/100
-  Risk Level:   Low
+  Risk Level:   LOW
   Projects:     3
+  VCS:          git main a1b2c3d
 
   Score Breakdown
     Runtime:      ████████████████████ 100
@@ -77,9 +83,67 @@ That's it. You'll see a full drift report in seconds.
      Dependencies:
        42 current  8 1-behind  3 2+ behind
 
-  Findings
+  ── web-app (node) src/web
+     Runtime: 20.11.0 (current)
+     Frameworks:
+       React: 18.2.0 → 19.0.0 (1 behind)
+     Dependencies:
+       31 current  5 1-behind  2 2+ behind
+
+  Tech Stack
+    Frontend: React, Tailwind CSS
+    Bundlers: Vite
+    Testing: Vitest, Playwright
+    Lint & Format: ESLint, Prettier
+
+  Services & Integrations
+    Cloud: AWS SDK v3
+    Databases: PostgreSQL
+
+  TypeScript
+    v5.4.2 · strict ✔ · ESM · target: ES2022
+
+  Build & Deploy
+    CI: GitHub Actions
+    Docker: 2 Dockerfiles (node:20-alpine)
+    Package Managers: pnpm
+
+  Security Posture
+    Lockfile ✔ · .env ✔ · node_modules ✔
+
+  Dependency Graph
+    pnpm-lock.yaml: 312 unique, 487 installed
+    5 duplicated packages
+
+  Findings (2 warnings, 1 note)
     ⚠ Framework "NestJS" is 1 major version(s) behind
+      framework/outdated in src/api/package.json
     ⚠ 12% of dependencies are 2+ major versions behind
+      dependency/outdated in src/api/package.json
+    ℹ TypeScript target is ES2022
+      ts/target in tsconfig.json
+
+╔══════════════════════════════════════════╗
+║        Top Priority Actions              ║
+╚══════════════════════════════════════════╝
+
+  1. Upgrade NestJS 10.3.0 → 11.0.0 in my-api
+     1 major version behind. Major framework drift increases
+     breaking change risk and blocks access to security fixes.
+     ./src/api
+       NestJS: 10.3.0 → 11.0.0 (1 behind)
+     Impact: +5–15 points (framework score)
+
+  2. Reduce dependency rot in my-api (42% severely outdated)
+     3 of 53 dependencies are 2+ majors behind. Run `npm outdated`
+     and prioritise packages with known CVEs.
+     ./src/api
+       express: 3.4.0 → 5.0.0 (2 majors behind)
+       lodash: 3.10.1 → 4.17.21 (1 major behind)
+       ... and 1 more
+     Impact: +5–10 points (dependency score)
+
+  Scanned at 2026-02-16T00:00:00.000Z · 1.2s · 48 files scanned
 ```
 
 ---
@@ -121,7 +185,7 @@ Take a baseline snapshot, then measure drift over time:
 
 ```bash
 npx vibgrate baseline .
-npx vibgrate scan . --baseline .vibgrate/baseline.json
+npx vibgrate scan --baseline .vibgrate/baseline.json
 ```
 
 ### Multiple Output Formats
@@ -137,10 +201,26 @@ npx vibgrate scan . --baseline .vibgrate/baseline.json
 
 Push scan results to the [Vibgrate Dashboard](https://vibgrate.com) for trend analysis, cross-repo comparison, and team-wide visibility. Upload is always opt-in — the CLI provides full value offline.
 
+The easiest way is to combine scan and push in a single command:
+
+```bash
+VIBGRATE_DSN="..." npx @vibgrate/cli scan --push
+```
+
+Or pass the DSN directly:
+
+```bash
+npx @vibgrate/cli scan --push --dsn "vibgrate+https://<key_id>:<secret>@us.ingest.vibgrate.com/<workspace_id>"
+```
+
+You can also push a previously generated artifact separately:
+
 ```bash
 VIBGRATE_DSN="..." vibgrate push
 ```
 
+> **Get your DSN:** Sign up at [vibgrate.com](https://vibgrate.com) and your workspace will be created automatically with a ready-to-paste code snippet containing your DSN.
+
 ---
 
 ## CI Integration
@@ -149,18 +229,23 @@ VIBGRATE_DSN="..." vibgrate push
 
 ```yaml
 - name: Vibgrate Scan
-  run: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
+  env:
+    VIBGRATE_DSN: ${{ secrets.VIBGRATE_DSN }}
+  run: npx @vibgrate/cli scan --push --format sarif --out vibgrate.sarif --fail-on error
 
 - name: Upload SARIF
+  if: always()
   uses: github/codeql-action/upload-sarif@v3
   with:
     sarif_file: vibgrate.sarif
 ```
 
+> **Setup:** Add your DSN as a repository secret named `VIBGRATE_DSN` under **Settings → Secrets and variables → Actions**. Get your DSN from [vibgrate.com](https://vibgrate.com) — it's generated automatically when you create a workspace.
+
 ### Azure DevOps
 
 ```yaml
-- script: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
+- script: npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error
   displayName: Vibgrate Scan
 ```
 
@@ -202,9 +287,20 @@ Vibgrate is designed to be safe to run on any codebase:
 - **No source code is read** — only `package.json`, `tsconfig.json`, lockfiles, and project manifests
 - **No secrets are scanned** — ever
 - **No git history, authors, or commit messages** — only HEAD SHA and branch name for traceability
-- **No data leaves your machine** unless you explicitly run `vibgrate push`
+- **No data leaves your machine** unless you explicitly run `vibgrate push` or `vibgrate scan --push`
 - **No login required** — works fully offline
 
+### `.gitignore`
+
+The `.vibgrate/` directory contains ephemeral scan results and should not be committed to version control. Add it to your `.gitignore`:
+
+```gitignore
+# Vibgrate scan results (do not commit)
+.vibgrate/
+```
+
+The CLI writes per-project score files to `.vibgrate/` inside each detected project directory. These are regenerated on every scan and should not be copied between environments.
+
 ---
 
 ## Commands
@@ -212,6 +308,7 @@ Vibgrate is designed to be safe to run on any codebase:
 | Command | Description |
 |---------|-------------|
 | `vibgrate scan [path]` | Scan for upgrade drift |
+| `vibgrate scan --push` | Scan and auto-push to dashboard |
 | `vibgrate baseline [path]` | Create a drift baseline |
 | `vibgrate report` | Generate a report from a scan artifact |
 | `vibgrate init [path]` | Initialise config and `.vibgrate/` directory |

package/dist/{baseline-45AWVXG4.js → baseline-5SAUNH2V.js}

@@ -1,8 +1,8 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-BTIIFIOD.js";
-import "./chunk-WO6EZ6AF.js";
+} from "./chunk-GG5AUF7X.js";
+import "./chunk-XZ4NRZMT.js";
 export {
   baselineCommand,
   runBaseline

package/dist/{chunk-BTIIFIOD.js → chunk-GG5AUF7X.js}

@@ -1,7 +1,7 @@
 import {
   runScan,
   writeJsonFile
-} from "./chunk-WO6EZ6AF.js";
+} from "./chunk-XZ4NRZMT.js";
 
 // src/commands/baseline.ts
 import * as path from "path";

package/dist/{chunk-AMOJCCF5.js → chunk-VXZT34Y5.js}

@@ -8,7 +8,10 @@ function formatMarkdown(artifact) {
   lines.push(`| **Drift Score** | ${artifact.drift.score}/100 |`);
   lines.push(`| **Risk Level** | ${artifact.drift.riskLevel.toUpperCase()} |`);
   lines.push(`| **Projects** | ${artifact.projects.length} |`);
-  lines.push(`| **Scanned** | ${artifact.timestamp} |`);
+  const scannedMeta = [artifact.timestamp];
+  if (artifact.durationMs !== void 0) scannedMeta.push(`${(artifact.durationMs / 1e3).toFixed(1)}s`);
+  if (artifact.filesScanned !== void 0) scannedMeta.push(`${artifact.filesScanned} files`);
+  lines.push(`| **Scanned** | ${scannedMeta.join(" \xB7 ")} |`);
   if (artifact.vcs) {
     lines.push(`| **VCS** | ${artifact.vcs.type} |`);
     if (artifact.vcs.branch) lines.push(`| **Branch** | ${artifact.vcs.branch} |`);