@vibgrate/cli 1.0.1 → 1.0.2

package/README.md

@@ -24,7 +24,7 @@ Modern codebases don't break all at once — they decay silently. Node runtimes
 Run instantly with npx — no install required:
 
 ```bash
-npx @vibgrate/cli scan .
+npx @vibgrate/cli scan
 ```
 
 Or install as a dev dependency:
@@ -36,14 +36,14 @@ npm install -D @vibgrate/cli
 Then scan your project:
 
 ```bash
-npx vibgrate scan .
+npx vibgrate scan
 ```
 
 > **Why `npx`?** Installing with `-D` places the binary in `node_modules/.bin/`, which isn't on your system PATH. Use `npx` to run it, or add a script to your `package.json`:
 >
 > ```json
 > "scripts": {
->   "drift": "vibgrate scan ."
+>   "drift": "vibgrate scan"
 > }
 > ```
 >
@@ -130,11 +130,17 @@ That's it. You'll see a full drift report in seconds.
   1. Upgrade NestJS 10.3.0 → 11.0.0 in my-api
      1 major version behind. Major framework drift increases
      breaking change risk and blocks access to security fixes.
+     ./src/api
+       NestJS: 10.3.0 → 11.0.0 (1 behind)
      Impact: +5–15 points (framework score)
 
   2. Reduce dependency rot in my-api (42% severely outdated)
      3 of 53 dependencies are 2+ majors behind. Run `npm outdated`
      and prioritise packages with known CVEs.
+     ./src/api
+       express: 3.4.0 → 5.0.0 (2 majors behind)
+       lodash: 3.10.1 → 4.17.21 (1 major behind)
+       ... and 1 more
      Impact: +5–10 points (dependency score)
 
   Scanned at 2026-02-16T00:00:00.000Z · 1.2s · 48 files scanned
@@ -179,7 +185,7 @@ Take a baseline snapshot, then measure drift over time:
 
 ```bash
 npx vibgrate baseline .
-npx vibgrate scan . --baseline .vibgrate/baseline.json
+npx vibgrate scan --baseline .vibgrate/baseline.json
 ```
 
 ### Multiple Output Formats
@@ -195,10 +201,26 @@ npx vibgrate scan . --baseline .vibgrate/baseline.json
 
 Push scan results to the [Vibgrate Dashboard](https://vibgrate.com) for trend analysis, cross-repo comparison, and team-wide visibility. Upload is always opt-in — the CLI provides full value offline.
 
+The easiest way is to combine scan and push in a single command:
+
+```bash
+VIBGRATE_DSN="..." npx @vibgrate/cli scan --push
+```
+
+Or pass the DSN directly:
+
+```bash
+npx @vibgrate/cli scan --push --dsn "vibgrate+https://<key_id>:<secret>@us.ingest.vibgrate.com/<workspace_id>"
+```
+
+You can also push a previously generated artifact separately:
+
 ```bash
 VIBGRATE_DSN="..." vibgrate push
 ```
 
+> **Get your DSN:** Sign up at [vibgrate.com](https://vibgrate.com) and your workspace will be created automatically with a ready-to-paste code snippet containing your DSN.
+
 ---
 
 ## CI Integration
@@ -207,18 +229,23 @@ VIBGRATE_DSN="..." vibgrate push
 
 ```yaml
 - name: Vibgrate Scan
-  run: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
+  env:
+    VIBGRATE_DSN: ${{ secrets.VIBGRATE_DSN }}
+  run: npx @vibgrate/cli scan --push --format sarif --out vibgrate.sarif --fail-on error
 
 - name: Upload SARIF
+  if: always()
   uses: github/codeql-action/upload-sarif@v3
   with:
     sarif_file: vibgrate.sarif
 ```
 
+> **Setup:** Add your DSN as a repository secret named `VIBGRATE_DSN` under **Settings → Secrets and variables → Actions**. Get your DSN from [vibgrate.com](https://vibgrate.com) — it's generated automatically when you create a workspace.
+
 ### Azure DevOps
 
 ```yaml
-- script: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
+- script: npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error
   displayName: Vibgrate Scan
 ```
 
@@ -260,9 +287,20 @@ Vibgrate is designed to be safe to run on any codebase:
 - **No source code is read** — only `package.json`, `tsconfig.json`, lockfiles, and project manifests
 - **No secrets are scanned** — ever
 - **No git history, authors, or commit messages** — only HEAD SHA and branch name for traceability
-- **No data leaves your machine** unless you explicitly run `vibgrate push`
+- **No data leaves your machine** unless you explicitly run `vibgrate push` or `vibgrate scan --push`
 - **No login required** — works fully offline
 
+### `.gitignore`
+
+The `.vibgrate/` directory contains ephemeral scan results and should not be committed to version control. Add it to your `.gitignore`:
+
+```gitignore
+# Vibgrate scan results (do not commit)
+.vibgrate/
+```
+
+The CLI writes per-project score files to `.vibgrate/` inside each detected project directory. These are regenerated on every scan and should not be copied between environments.
+
 ---
 
 ## Commands
@@ -270,6 +308,7 @@ Vibgrate is designed to be safe to run on any codebase:
 | Command | Description |
 |---------|-------------|
 | `vibgrate scan [path]` | Scan for upgrade drift |
+| `vibgrate scan --push` | Scan and auto-push to dashboard |
 | `vibgrate baseline [path]` | Create a drift baseline |
 | `vibgrate report` | Generate a report from a scan artifact |
 | `vibgrate init [path]` | Initialise config and `.vibgrate/` directory |

package/dist/{baseline-35XRSRAD.js → baseline-5SAUNH2V.js}

@@ -1,8 +1,8 @@
 import {
   baselineCommand,
   runBaseline
-} from "./chunk-NTRKEIKP.js";
-import "./chunk-VMNBKARQ.js";
+} from "./chunk-GG5AUF7X.js";
+import "./chunk-XZ4NRZMT.js";
 export {
   baselineCommand,
   runBaseline

package/dist/{chunk-NTRKEIKP.js → chunk-GG5AUF7X.js}

@@ -1,7 +1,7 @@
 import {
   runScan,
   writeJsonFile
-} from "./chunk-VMNBKARQ.js";
+} from "./chunk-XZ4NRZMT.js";
 
 // src/commands/baseline.ts
 import * as path from "path";