@vibgrate/cli 2026.618.2 → 2026.623.1

package/DOCS.md

@@ -185,9 +185,28 @@ vibgrate scan [path] [--format text|json|sarif|md] [--out <file>] [--fail-on war
 | `--package-manifest <file>` | — | JSON or ZIP package-version manifest used for offline/latest lookups (latest bundle: `https://github.com/vibgrate/manifests/latest-packages.zip`) |
 | `--no-local-artifacts` | — | Do not write `.vibgrate/*.json` scan artifacts to disk |
 | `--max-privacy` | — | Hardened privacy mode with minimal scanners and no local artifacts |
+| `--emit-facts` | — | Emit the schema-validated HCS fact payload (an in-toto attestation predicate) to stdout instead of a scan report. Runs offline and writes nothing to the scanned tree |
 
 By default, the scan writes `.vibgrate/scan_result.json`. Use `--no-local-artifacts` or `--max-privacy` to suppress local JSON artifact files.
 
+#### Emitting a fact payload for attestation (`--emit-facts`)
+
+`--emit-facts` turns a scan into machine-readable evidence: it runs offline,
+writes only a single JSON document to stdout (no source code — drift facts and
+counts), and is deterministic for a given commit so re-runs are byte-stable. The
+document is the predicate body for the `https://vibgrate.com/attestations/hcs/v0.5`
+in-toto attestation, ready to bind to a published artifact:
+
+```bash
+vibgrate scan . --emit-facts > vibgrate-facts.json
+cosign attest --yes \
+  --type https://vibgrate.com/attestations/hcs/v0.5 \
+  --predicate vibgrate-facts.json "$IMAGE_REF"
+```
+
+See [`docs/SIGNING-AND-PROVENANCE.md`](../../docs/SIGNING-AND-PROVENANCE.md) for the
+full signing & provenance pipeline.
+
 For offline drift scoring, pass `--package-manifest <file>` with a downloaded manifest bundle such as `https://github.com/vibgrate/manifests/latest-packages.zip`.
 
 #### Excluding paths from a scan
@@ -274,18 +293,50 @@ vibgrate report [--in <file>] [--format md|text|json]
 
 Export SBOMs from an existing scan artifact or compare two artifacts.
 
+The `sbom` command family covers supply-chain evidence — SBOM export/delta and
+OpenVEX generation.
+
 ```bash
 vibgrate sbom export [--in <file>] [--format cyclonedx|spdx] [--out <file>]
 vibgrate sbom delta --from <file> --to <file> [--out <file>]
+vibgrate sbom vex [--from <file>] [--statement <json>...] [--product <ref>] [--out <file>]
 ```
 
 | Command | Description |
 |---------|-------------|
 | `vibgrate sbom export` | Emit CycloneDX or SPDX JSON from a scan artifact |
 | `vibgrate sbom delta` | Compare dependencies between two artifacts (added/removed/changed + drift delta) |
+| `vibgrate sbom vex` | Emit a spec-compliant OpenVEX document (exploitability statements) |
 
 Use this to treat SBOMs as operational intelligence instead of static compliance output.
 
+#### vibgrate sbom vex
+
+Generate a spec-compliant **OpenVEX** document (exploitability statements) for
+attestation, consistent with the rest of the `sbom` family. The generator is
+input-agnostic — it assembles a complete document from statements you supply, so
+it works regardless of which scanner flagged the components. A zero-statement
+document is valid and honest: it asserts no known affected components.
+
+| Flag | Description |
+|------|-------------|
+| `--from <file>` | Read statements from a JSON file (an array, or an object with a `statements` array) |
+| `--statement <json>` | Add a statement as inline JSON. Repeatable |
+| `--product <ref>` | Default product applied to statements without their own (e.g. an image digest) |
+| `--author <name>` | Document author (default `Vibgrate`) |
+| `--timestamp <iso>` / `--id <uri>` | Pin for reproducible output |
+| `--out <file>` | Write to a file (default: stdout) |
+
+```bash
+# Attest exploitability alongside the image
+vibgrate sbom vex --product "$IMAGE_REF" \
+  --statement '{"vulnerability":"CVE-2024-1","status":"not_affected","justification":"vulnerable_code_not_present"}' \
+  > openvex.json
+cosign attest --yes --type openvex --predicate openvex.json "$IMAGE_REF"
+```
+
+See [`docs/SIGNING-AND-PROVENANCE.md`](../../docs/SIGNING-AND-PROVENANCE.md).
+
 ---
 
 ### vibgrate push
@@ -373,15 +424,15 @@ This makes drift a formal quality gate (fitness function), not just reporting.
 
 The Upgrade Drift Score is a deterministic, versioned metric (0–100) that represents how far behind your codebase is relative to the current stable ecosystem baseline.
 
-**Higher score = healthier upgrade posture.**
+**Lower score = healthier upgrade posture.** 0 means no drift (fully current); 100 means maximum drift. Higher is worse.
 
 ### Risk Levels
 
 | Score  | Risk Level                           |
 | ------ | ------------------------------------ |
-| 70–100 | **Low** — You're in good shape       |
-| 40–69  | **Moderate** — Some attention needed |
-| 0–39   | **High** — Significant upgrade debt  |
+| 0–30   | **Low** — You're in good shape       |
+| 31–60  | **Moderate** — Some attention needed |
+| 61–100 | **High** — Significant upgrade debt  |
 
 ### Score Components
 

package/README.md

@@ -363,6 +363,8 @@ The CLI writes per-project score files to `.vibgrate/` inside each detected proj
 | `vibgrate report` | Generate a report from a scan artifact |
 | `vibgrate sbom export` | Export scan artifact as CycloneDX or SPDX SBOM |
 | `vibgrate sbom delta` | Compare two artifacts and report SBOM drift delta |
+| `vibgrate sbom vex` | Generate an OpenVEX document (exploitability statements) for attestation |
+| `vibgrate scan --emit-facts` | Emit the HCS fact payload (in-toto predicate) for artifact attestation |
 | `vibgrate init [path]` | Initialise config and `.vibgrate/` directory |
 | `vibgrate push` | Upload scan results to dashboard |
 | `vibgrate dsn create` | Generate a DSN token |

package/dist/baseline-2B6YIW6Z.js

@@ -0,0 +1 @@
+export{h as baselineCommand,g as runBaseline}from'./chunk-BHWXSLTQ.js';import'./chunk-I65B3ZRL.js';import'./chunk-MKDRULJ6.js';import'./chunk-XTHPCEME.js';import'./chunk-EK7ODJWE.js';

package/dist/chunk-BHWXSLTQ.js

@@ -0,0 +1,2 @@
+import {ua}from'./chunk-I65B3ZRL.js';import*as s from'path';import {Command}from'commander';import r from'chalk';import {execFile}from'child_process';import*as i from'fs/promises';import'os';import {promisify}from'util';var o=class{available;queue=[];constructor(t){this.available=t;}async run(t){await this.acquire();try{return await t()}finally{this.release();}}acquire(){return this.available>0?(this.available--,Promise.resolve()):new Promise(t=>this.queue.push(t))}release(){let t=this.queue.shift();t?t():this.available++;}};promisify(execFile);function v(e){return e.charCodeAt(0)===65279?e.slice(1):e}async function j(e){let t=await i.readFile(e,"utf8");return JSON.parse(v(t))}async function D(e){try{return await i.access(e),!0}catch{return  false}}async function m(e){await i.mkdir(e,{recursive:true});}async function h(e,t){await m(s.dirname(e)),await i.writeFile(e,JSON.stringify(t,null,2)+`
+`,"utf8");}async function E(e,t){await m(s.dirname(e)),await i.writeFile(e,t,"utf8");}var n;async function f(){if(n!==void 0)return n??void 0;try{n=(await import('./dist-AP3RH35M.js')).advancedScanHook??null;}catch{n=null;}return n??void 0}async function b(e){console.log(r.dim("Creating baseline..."));let t=await f(),c=await ua(e,{format:"text",concurrency:8},t),p=s.join(e,".vibgrate","baseline.json");await h(p,c),console.log(r.green("\u2714")+` Baseline saved to ${r.bold(".vibgrate/baseline.json")}`),console.log(r.dim(`  Baseline score: ${c.drift.score}/100`));}var N=new Command("baseline").description("Create a drift baseline snapshot").argument("[path]","Path to baseline",".").action(async e=>{let t=s.resolve(e);await b(t);});export{o as a,j as b,D as c,m as d,E as e,f,b as g,N as h};

package/dist/chunk-EK7ODJWE.js

@@ -0,0 +1 @@
+var g=Object.create;var f=Object.defineProperty;var h=Object.getOwnPropertyDescriptor;var i=Object.getOwnPropertyNames;var j=Object.getPrototypeOf,k=Object.prototype.hasOwnProperty;var m=(b,a)=>()=>(a||b((a={exports:{}}).exports,a),a.exports);var l=(b,a,c,e)=>{if(a&&typeof a=="object"||typeof a=="function")for(let d of i(a))!k.call(b,d)&&d!==c&&f(b,d,{get:()=>a[d],enumerable:!(e=h(a,d))||e.enumerable});return b};var n=(b,a,c)=>(c=b!=null?g(j(b)):{},l(a||!b||!b.__esModule?f(c,"default",{value:b,enumerable:true}):c,b));export{m as a,n as b};