vibe-audit-scan 1.2.9

package/README.md

@@ -0,0 +1,87 @@
+# Vibe Audit CLI
+
+Vibe Audit is a production-grade security scanner for modern codebases. It analyzes your application for vulnerabilities, architectural flaws, and business logic risks, then delivers AI-powered remediation guides so your team can ship with confidence.
+
+Vibe Audit is not a linter. It does not flag formatting issues, naming conventions, or stylistic preferences. It exists for one reason: to catch the security flaws, architectural blind spots, and business logic oversights that silently break applications in production.
+
+Where traditional static analysis tools stop at syntax, Vibe Audit goes deeper. It scans your codebase for the vulnerabilities that attackers actually exploit: authentication bypasses, broken access control, payment logic gaps, missing rate limits, unsafe data deletion, N+1 query bottlenecks, and leaked secrets. Every finding is graded by production impact (Critical, High, or Warning) and paired with specific, actionable remediation steps so your team knows exactly what to fix and how.
+
+## How It Works
+The Vibe Audit CLI scans your codebase using the built-in Core scanning engine, then sends the results to the Vibe Audit platform where an AI-powered analysis pipeline produces context-aware, developer-ready remediation guides for every finding.
+
+## Scanner Installation
+The CLI automatically downloads and manages the platform-specific core scan engine binary on first run. Binaries are stored locally within the user home directory (~/.vibe-audit-scan/bin/), ensuring zero-config initial setup.
+
+## Getting Started
+To use the Vibe Audit CLI, you must first create an account on the platform:
+1. Visit http://www.vibeauditscan.com to sign up for an account.
+2. Run the login command to authenticate the CLI with your credentials.
+
+## Prerequisites
+- Node.js 22+
+
+## Installation
+Once published to npm, you can install the utility globally:
+```bash
+npm install -g vibe-audit-scan
+```
+
+For local development setup:
+```bash
+# Navigate to the CLI package directory
+cd packages/cli
+
+# Link local CLI binary for testing
+npm link
+```
+
+## Usage
+
+### Run codebase scans
+Before running a scan, ensure you are authenticated.
+```bash
+# Scan current directory
+vibe scan
+
+# Scan specific directory
+vibe scan /path/to/your/project
+
+# Save results to a local file
+vibe scan /path/to/your/project -o results.json
+```
+
+### Authenticate with Vibe Cloud
+```bash
+# Log in via your web browser
+vibe login
+
+# Check active session profile
+vibe whoami
+
+# Log out and revoke active tokens
+vibe logout
+```
+
+## What Vibe Audit Looks For
+- Authentication and authorization bypasses
+- Insecure Direct Object References (IDOR) and Broken Object-Level Authorization (BOLA)
+- Payment, billing, and subscription logic flaws
+- Missing or weak rate limiting on critical endpoints
+- Leaked credentials, secrets, and API keys
+- Unsafe data deletion and missing cascade protections
+- N+1 query patterns and database performance risks
+- SQL injection, XSS, SSRF, and path traversal
+- Race conditions, unhandled edge cases, and memory leaks
+
+## What Vibe Audit Does Not Look For
+- Code formatting and style preferences
+- Naming conventions or variable casing
+- Unused imports or dead code
+- Indentation, whitespace, or line length
+- Any issue that would be caught by ESLint, Prettier, or similar linting tools
+
+## Features
+- Zero Configuration: The installer automatically bootstraps its own scanning binaries.
+- Production-First Analysis: Ignores noise. Surfaces only the flaws that threaten your application in production.
+- Severity Grading: Every finding is classified as Critical, High, or Warning with clear remediation paths.
+- AI-Powered Remediation: Automatically triggers the Vibe AI worker for detailed, developer-ready fix guides.

package/bin/vibe-audit.js

@@ -0,0 +1,109 @@
+#! /usr/bin/env node
+import { program } from 'commander';
+import chalk from 'chalk';
+import boxen from 'boxen';
+import { scan } from '../src/commands/scan.js';
+import { login, logout, whoami } from '../src/commands/auth.js';
+import { printWelcome, printHelpCheatsheet } from '../src/utils/welcome.js';
+
+program
+  .name('vibe')
+  .version('1.2.6', '-V, --version', 'output the version number')
+  .description('Vibe Audit CLI - Scan your codebase for vulnerabilities')
+  .configureOutput({
+    writeOut: (str) => {
+      // Check if this is the version output
+      if (str.trim().match(/^\d+\.\d+\.\d+$/)) {
+        console.log(chalk.cyan.bold('vibe-audit-scan v' + str.trim()));
+      } else {
+        console.log(boxen(str, {
+          padding: 1,
+          margin: 1,
+          borderStyle: 'round',
+          borderColor: 'cyan'
+        }));
+      }
+    },
+    writeErr: (str) => {
+      let msg = str.trim();
+      if (msg.includes('unknown command') || msg.includes('invalid command')) {
+        msg = `❌ Command does not exist.\n\nPlease run "${chalk.cyan('vibe cheatsheet')}" to see the list of available commands.`;
+      }
+      console.log(boxen(msg, {
+        padding: 1,
+        margin: 1,
+        borderStyle: 'round',
+        borderColor: 'red'
+      }));
+    },
+    outputError: (str, write) => write(chalk.red(str))
+  });
+
+program
+  .command('cheatsheet')
+  .description('List shortcuts and status')
+  .action(() => {
+    printHelpCheatsheet();
+  });
+
+program
+  .command('login')
+  .description('Authenticate your CLI with the Vibe Cloud backend')
+  .option('--api-url <url>', 'API endpoint to use for authentication')
+  .option('--web-url <url>', 'URL of the Vibe Audit web app to open for OAuth')
+  .action(async (options) => {
+    try {
+      await login(options);
+    } catch (error) {
+      console.error('Error:', error.message);
+      process.exit(1);
+    }
+  });
+
+program
+  .command('logout')
+  .description('Revokes your session and clears local tokens')
+  .action(async () => {
+    try {
+      await logout();
+    } catch (error) {
+      console.error('Error:', error.message);
+      process.exit(1);
+    }
+  });
+
+program
+  .command('whoami')
+  .description('Displays the currently logged-in user profile')
+  .option('--api-url <url>', 'API endpoint to use to verify profile')
+  .action(async (options) => {
+    try {
+      await whoami(options);
+    } catch (error) {
+      console.error('Error:', error.message);
+      process.exit(1);
+    }
+  });
+
+program
+  .command('scan')
+  .description('Scan a directory for vulnerabilities')
+  .argument('[directory]', 'Directory to scan', '.')
+  .option('-o, --output <file>', 'Output JSON file')
+  .option('--api-url <url>', 'API endpoint to send scan data to')
+  .action(async (directory, options) => {
+    try {
+      await scan(directory, options);
+    } catch (error) {
+      console.error('Error:', error.message);
+      process.exit(1);
+    }
+  });
+
+// Handle vibe without command - show welcome screen
+if (process.argv.length <= 2) {
+  printWelcome();
+  process.exit(0);
+}
+
+program.parse();

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "vibe-audit-scan",
+  "version": "1.2.9",
+  "type": "module",
+  "license": "UNLICENSED",
+  "author": "Vibe Audit",
+  "copyright": "Copyright (c) 2026 Vibe Audit. All Rights Reserved.",
+  "bin": {
+    "vibe": "./bin/vibe-audit.js",
+    "vibe-audit-scan": "./bin/vibe-audit.js"
+  },
+  "scripts": {
+    "postinstall": "node -e \"console.log('\\n\\n🎉 Vibe Audit CLI installed successfully!\\n\\n🚀 Run \\\"vibe scan\\\" inside your project folder to start scanning.\\n\\n')\""
+  },
+  "dependencies": {
+    "adm-zip": "^0.5.17",
+    "axios": "^1.17.0",
+    "boxen": "^8.0.1",
+    "chalk": "^5.6.2",
+    "commander": "^13.1.0",
+    "fs-extra": "^11.3.5",
+    "tar": "^7.5.16"
+  }
+}

package/src/commands/auth.js

@@ -0,0 +1,226 @@
+import http from 'http';
+import { exec } from 'child_process';
+import axios from 'axios';
+import chalk from 'chalk';
+import boxen from 'boxen';
+import { setToken, clearToken, getToken, getApiUrl, getWebUrl } from '../utils/config.js';
+
+function getFreePort(startPort) {
+  return new Promise((resolve, reject) => {
+    const server = http.createServer();
+    server.on('error', (err) => {
+      if (err.code === 'EADDRINUSE') {
+        resolve(getFreePort(startPort + 1));
+      } else {
+        reject(err);
+      }
+    });
+    server.listen(startPort, () => {
+      const { port } = server.address();
+      server.close(() => resolve(port));
+    });
+  });
+}
+
+export async function login(options) {
+  try {
+    const webUrl = getWebUrl(options.webUrl);
+    const port = await getFreePort(9999);
+    const authUrl = `${webUrl}/cli-login?port=${port}`;
+
+    console.log(chalk.cyan(`\n🔑 Initializing browser-based login...`));
+    console.log(chalk.gray(`Opening your default browser to: ${authUrl}\n`));
+
+    // Open default browser depending on platform
+    const openCmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
+    exec(`${openCmd} "${authUrl}"`, (err) => {
+      if (err) {
+        console.log(chalk.yellow(`Could not open browser automatically. Please open this link manually:\n  ${chalk.underline(authUrl)}`));
+      }
+    });
+
+    return new Promise((resolve) => {
+      const server = http.createServer((req, res) => {
+        const parsedUrl = new URL(req.url, `http://${req.headers.host}`);
+
+        if (parsedUrl.pathname === '/callback') {
+          const token = parsedUrl.searchParams.get('token');
+          const email = parsedUrl.searchParams.get('email');
+
+          if (token) {
+            const escapedEmail = (email || '')
+              .replace(/&/g, '&')
+              .replace(/</g, '&lt;')
+              .replace(/>/g, '&gt;')
+              .replace(/"/g, '&quot;')
+              .replace(/'/g, '&#039;');
+
+            setToken(token, escapedEmail);
+
+            res.writeHead(200, { 'Content-Type': 'text/html' });
+            res.end(`
+              <!DOCTYPE html>
+              <html>
+                <head>
+                  <title>Success | Vibe Audit CLI</title>
+                  <style>
+                    body {
+                      background-color: #09090b;
+                      color: #fafafa;
+                      font-family: ui-sans-serif, system-ui, sans-serif;
+                      display: flex;
+                      flex-direction: column;
+                      align-items: center;
+                      justify-content: center;
+                      height: 100vh;
+                      margin: 0;
+                      text-align: center;
+                      overflow: hidden;
+                    }
+                    .logo-container {
+                      display: flex;
+                      flex-direction: column;
+                      align-items: center;
+                      gap: 0.75rem;
+                      margin-bottom: 1.5rem;
+                    }
+                    .logo {
+                      width: 5rem;
+                      height: 5rem;
+                      color: #22d3ee;
+                      filter: drop-shadow(0 0 20px rgba(34, 211, 238, 0.35));
+                    }
+                    .brand {
+                      font-size: 2rem;
+                      font-weight: 950;
+                      letter-spacing: -0.075em;
+                      color: #ffffff;
+                      margin-top: 0.25rem;
+                    }
+                    .brand-sub {
+                      color: #71717a;
+                    }
+                    h1 {
+                      color: #22d3ee;
+                      margin: 1rem 0 0.5rem 0;
+                      font-size: 2.25rem;
+                      font-weight: 900;
+                      letter-spacing: -0.03em;
+                    }
+                    p {
+                      color: #71717a;
+                      font-size: 0.95rem;
+                      line-height: 1.6;
+                      max-width: 26rem;
+                      margin: 0;
+                    }
+                  </style>
+                </head>
+                <body>
+                  <div class="logo-container">
+                    <svg class="logo" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+                      <path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z"/>
+                      <path d="M12 8v4"/>
+                      <path d="M12 16h.01"/>
+                    </svg>
+                    <div class="brand">VIBE<span class="brand-sub">AUDIT</span></div>
+                  </div>
+                  <h1>Authorization Successful</h1>
+                  <p>You have successfully logged in to Vibe Audit CLI.<br>You can close this tab and return to the terminal.</p>
+                </body>
+              </html>
+            `);
+
+            console.log(boxen(`
+${chalk.green.bold('🎉 Authentication Successful!')}
+Logged in as: ${chalk.white(escapedEmail || 'User')}
+`, {
+              padding: 1,
+              borderStyle: 'round',
+              borderColor: 'green'
+            }));
+
+            // Close server and complete promise
+            res.socket.destroy();
+            server.close(() => {
+              resolve(true);
+            });
+          } else {
+            res.writeHead(400, { 'Content-Type': 'text/html' });
+            res.end(`
+              <!DOCTYPE html>
+              <html>
+                <body>
+                  <h1 style="color: red;">Authorization Failed</h1>
+                  <p>No authorization token received. Please try again.</p>
+                </body>
+              </html>
+            `);
+            console.log(chalk.red('\n❌ Authorization failed: No token received.'));
+            res.socket.destroy();
+            server.close(() => {
+              resolve(false);
+            });
+          }
+        } else {
+          res.writeHead(404);
+          res.end();
+        }
+      });
+
+      server.listen(port);
+    });
+  } catch (error) {
+    console.log(chalk.red(`\n❌ Login failed: ${error.message}`));
+  }
+}
+
+export async function logout() {
+  clearToken();
+  console.log(chalk.green('👋 Successfully logged out of Vibe Audit. Local tokens cleared.'));
+}
+
+export async function whoami(options) {
+  const token = getToken();
+  if (!token) {
+    console.log(chalk.yellow('You are not logged in. Run ') + chalk.white.bold('vibe login') + chalk.yellow(' to authenticate.'));
+    return;
+  }
+
+  const apiUrl = getApiUrl(options.apiUrl);
+
+  try {
+    const response = await axios.get(`${apiUrl}/api/auth/profile`, {
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    });
+
+    if (response.data?.success && response.data?.profile) {
+      const profile = response.data.profile;
+      const profileInfo = `
+${chalk.cyan.bold('Vibe User Profile')}
+${chalk.gray('-'.repeat(30))}
+Name:  ${chalk.white(profile.name)}
+Email: ${chalk.white(profile.email)}
+Role:  ${chalk.cyan(profile.role.toUpperCase())}
+`;
+      console.log(boxen(profileInfo, {
+        padding: 1,
+        borderStyle: 'round',
+        borderColor: 'cyan'
+      }));
+    } else {
+      console.log(chalk.red('Failed to retrieve user profile details.'));
+    }
+  } catch (error) {
+    // If token has expired or is invalid
+    if (error.response?.status === 401) {
+      console.log(chalk.red('❌ Your session has expired or is invalid. Please run vibe login to sign in again.'));
+      // Auto clear bad token
+      clearToken();
+    } else {
+      console.log(chalk.red(`❌ Failed to retrieve profile: ${error.message}`));
+    }
+  }
+}

package/src/commands/scan.js

@@ -0,0 +1,406 @@
+import { execFile, exec } from 'child_process';
+import util from 'util';
+import fs from 'fs/promises';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import axios from 'axios';
+import chalk from 'chalk';
+import readline from 'readline';
+import { ensureTrivyInstalled } from '../utils/trivyInstaller.js';
+import { getToken, getApiUrl, getWebUrl, getDeviceId } from '../utils/config.js';
+
+const execFilePromise = util.promisify(execFile);
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+export async function scan(directory, options) {
+  console.log(`🔍 Scanning directory: ${directory} for HIGH/CRITICAL vulnerabilities...`);
+
+  // Ensure Trivy is installed
+  const trivyPath = await ensureTrivyInstalled();
+
+  // Run Trivy scan (only HIGH and CRITICAL)
+  const scanData = await runTrivyScan(directory, trivyPath);
+  
+  // Normalize secrets and misconfigurations into the Vulnerabilities array
+  const normalizedData = normalizeTrivyData(scanData);
+  
+  // Filter to only HIGH and CRITICAL
+  const filteredData = filterHighCritical(normalizedData);
+
+  // Collect code files for SAST deep logic scanning
+  const codeFiles = await collectCodeFiles(directory);
+  if (codeFiles.length > 0) {
+    console.log(`📂 Collected ${codeFiles.length} source code files for deep logic SAST analysis.`);
+  }
+
+  if ((!filteredData || filteredData.Results?.length === 0) && codeFiles.length === 0) {
+    console.log('✅ No vulnerabilities or source files found to scan!');
+    return filteredData;
+  }
+
+  // Count vulnerabilities
+  let vulnCount = 0;
+  filteredData.Results?.forEach(r => {
+    vulnCount += r.Vulnerabilities?.length || 0;
+  });
+  console.log(`⚠️ Found ${vulnCount} HIGH/CRITICAL vulnerabilities!`);
+
+  // Save to file if output option is provided
+  if (options.output) {
+    const outputPath = path.resolve(options.output);
+    await fs.writeFile(outputPath, JSON.stringify(filteredData, null, 2));
+    console.log(`📄 Scan results saved to: ${outputPath}`);
+  }
+
+  // Send to API if token is present or apiUrl is explicitly provided
+  const token = getToken();
+  const rawApiUrl = getApiUrl(options.apiUrl);
+
+  if (token || options.apiUrl) {
+    const gatewayUrl = rawApiUrl.endsWith('/') 
+      ? `${rawApiUrl}api/audit/gateway` 
+      : `${rawApiUrl}/api/audit/gateway`;
+
+    console.log(`📡 Sending scan data to Vibe Gateway at ${gatewayUrl}...`);
+    try {
+      const result = await sendToAPI(gatewayUrl, filteredData, directory, token, codeFiles);
+      console.log('✅ Scan data sent successfully!');
+      if (result && result.jobId) {
+        await pollJobStatus(rawApiUrl, result.jobId, token);
+      }
+    } catch (err) {
+      console.error(chalk.red(`❌ Failed to send scan data: ${err.message}`));
+    }
+  } else {
+    console.log(chalk.yellow('\n💡 Tip: Run ') + chalk.white.bold('vibe login') + chalk.yellow(' to automatically sync reports to your Vibe Audit web dashboard.'));
+  }
+
+  return filteredData;
+}
+
+async function runTrivyScan(directory, trivyPath) {
+  try {
+    // Run Trivy with vuln, secret, and misconfig scanners, bypassing slow DB/policy updates and ignoring heavy directories
+    const { stdout } = await execFilePromise(
+      trivyPath,
+      [
+        'fs',
+        '--format', 'json',
+        '--severity', 'HIGH,CRITICAL',
+        '--scanners', 'vuln,secret,misconfig',
+        '--skip-db-update',
+        '--skip-policy-update',
+        '--skip-dirs', 'node_modules,dist,build,.git,.next,.npm-cache,coverage,tmp,temp,venv,.venv',
+        directory
+      ],
+      { maxBuffer: 10 * 1024 * 1024 } // 10MB buffer for large outputs
+    );
+    
+    return JSON.parse(stdout);
+  } catch (error) {
+    // Code 1 means vulnerabilities found, which is expected, so still parse output
+    if (error.code === 1 && error.stdout) {
+      return JSON.parse(error.stdout);
+    }
+    throw new Error(`Core scan engine execution failed: ${error.message}`);
+  }
+}
+
+async function collectCodeFiles(directory) {
+  const allowedExtensions = new Set(['.js', '.ts', '.tsx', '.jsx', '.py', '.go', '.rb', '.cs', '.java', '.php', '.cpp', '.c', '.swift']);
+  const ignoredNames = new Set([
+    'node_modules', 'dist', '.git', '.next', 'build', 'bin', 'obj',
+    '.npm-cache', '.svelte-kit', '.vscode', '.idea', 'vendor', 'tmp',
+    'temp', 'coverage', 'out', 'target', 'venv', '.venv', 'env', '.env'
+  ]);
+
+  const priorityDirs = ['controllers', 'routes', 'api', 'middleware', 'auth', 'models', 'src/controllers', 'src/routes', 'src/api', 'src/middleware', 'src/auth', 'src/models'];
+
+  const collected = [];
+  const collectedPaths = new Set();
+  let totalSize = 0;
+  const MAX_FILES = 15;
+  const MAX_SIZE = 150 * 1024; // 150KB limit
+
+  // Recursively find matching files
+  async function walk(currentDir) {
+    if (collected.length >= MAX_FILES || totalSize >= MAX_SIZE) return;
+
+    let entries = [];
+    try {
+      entries = await fs.readdir(currentDir, { withFileTypes: true });
+    } catch (e) {
+      return;
+    }
+
+    // Process subdirectories first if they match priority directories
+    const directories = [];
+    const files = [];
+
+    for (const entry of entries) {
+      if (entry.name.startsWith('.')) {
+        if (entry.name !== '.env') {
+          continue;
+        }
+      }
+      if (ignoredNames.has(entry.name.toLowerCase())) continue;
+
+      const fullPath = path.join(currentDir, entry.name);
+      if (entry.isDirectory()) {
+        directories.push(fullPath);
+      } else if (entry.isFile()) {
+        files.push({ name: entry.name, fullPath });
+      }
+    }
+
+    // Sort directories so priority ones are walked first
+    directories.sort((a, b) => {
+      const aBase = path.basename(a).toLowerCase();
+      const bBase = path.basename(b).toLowerCase();
+      const aPriority = priorityDirs.includes(aBase) || priorityDirs.some(p => a.includes(p));
+      const bPriority = priorityDirs.includes(bBase) || priorityDirs.some(p => b.includes(p));
+      if (aPriority && !bPriority) return -1;
+      if (!aPriority && bPriority) return 1;
+      return 0;
+    });
+
+    // Walk directories
+    for (const dir of directories) {
+      await walk(dir);
+      if (collected.length >= MAX_FILES || totalSize >= MAX_SIZE) return;
+    }
+
+    // Process files in this directory
+    for (const file of files) {
+      const ext = path.extname(file.name).toLowerCase();
+      if (!allowedExtensions.has(ext)) continue;
+
+      const relativePath = path.relative(directory, file.fullPath);
+      if (collectedPaths.has(relativePath)) continue;
+
+      try {
+        const stats = await fs.stat(file.fullPath);
+        // Skip files that are individually too large to allow variety
+        if (stats.size > 50 * 1024) continue;
+
+        if (totalSize + stats.size > MAX_SIZE) continue;
+
+        const content = await fs.readFile(file.fullPath, 'utf8');
+        collected.push({
+          filepath: relativePath,
+          content: content
+        });
+        collectedPaths.add(relativePath);
+        totalSize += stats.size;
+
+        if (collected.length >= MAX_FILES) break;
+      } catch (err) {
+        // Skip files we can't read
+      }
+    }
+  }
+
+  await walk(directory);
+  return collected;
+}
+
+function normalizeTrivyData(scanData) {
+  if (!scanData.Results) return scanData;
+
+  const Results = scanData.Results.map(result => {
+    const vulnerabilities = [...(result.Vulnerabilities || [])];
+
+    // Map Secrets
+    if (result.Secrets && result.Secrets.length > 0) {
+      result.Secrets.forEach(sec => {
+        vulnerabilities.push({
+          VulnerabilityID: sec.RuleID || 'SecretLeak',
+          PkgName: sec.Category || 'secret',
+          InstalledVersion: 'Leaked secret detected',
+          FixedVersion: 'Remove the hardcoded credentials and load them from environment variables instead.',
+          Title: sec.Title || 'Hardcoded Secret Detected',
+          Description: `Secret leak detected: ${sec.Title || 'credential'}. Code match at line ${sec.StartLine}: "${(sec.Match || '').trim()}"`,
+          Severity: sec.Severity || 'HIGH',
+          PrimaryURL: 'https://aquasecurity.github.io/trivy/latest/docs/scanner/secret/'
+        });
+      });
+    }
+
+    // Map Misconfigurations
+    if (result.Misconfigurations && result.Misconfigurations.length > 0) {
+      result.Misconfigurations.forEach(mis => {
+        vulnerabilities.push({
+          VulnerabilityID: mis.ID || 'Misconfiguration',
+          PkgName: mis.Type || 'config',
+          InstalledVersion: 'Misconfiguration detected',
+          FixedVersion: mis.Resolution || 'Update the configuration to comply with security guidelines.',
+          Title: mis.Title || 'Security Misconfiguration',
+          Description: `${mis.Message || 'Config violation'}\n\nResolution: ${mis.Resolution || ''}`,
+          Severity: mis.Severity || 'HIGH',
+          PrimaryURL: mis.PrimaryURL || 'https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfig/'
+        });
+      });
+    }
+
+    return {
+      ...result,
+      Vulnerabilities: vulnerabilities
+    };
+  });
+
+  return {
+    ...scanData,
+    Results
+  };
+}
+
+function filterHighCritical(scanData) {
+  if (!scanData.Results) return scanData;
+  
+  return {
+    ...scanData,
+    Results: scanData.Results.map(result => {
+      if (!result.Vulnerabilities) return result;
+      
+      // Filter only HIGH and CRITICAL
+      const filteredVulns = result.Vulnerabilities.filter(
+        vuln => vuln.Severity === 'HIGH' || vuln.Severity === 'CRITICAL'
+      );
+      
+      return {
+        ...result,
+        Vulnerabilities: filteredVulns
+      };
+    }).filter(result => result.Vulnerabilities?.length > 0)
+  };
+}
+
+async function sendToAPI(apiUrl, scanData, directory, token, codeFiles) {
+  try {
+    const headers = {
+      'Content-Type': 'application/json',
+      'X-Device-ID': getDeviceId()
+    };
+    if (token) {
+      headers['Authorization'] = `Bearer ${token}`;
+    }
+
+    const response = await axios.post(apiUrl, {
+      vulnerabilities: scanData.Results || [],
+      targetName: path.basename(path.resolve(directory || '.')),
+      codeFiles: codeFiles || []
+    }, {
+      headers
+    });
+    return response.data;
+  } catch (error) {
+    throw new Error(error.response?.data?.message || error.message);
+  }
+}
+
+async function pollJobStatus(rawApiUrl, jobId, token) {
+  const jobUrl = rawApiUrl.endsWith('/')
+    ? `${rawApiUrl}api/audit/jobs/${jobId}`
+    : `${rawApiUrl}/api/audit/jobs/${jobId}`;
+
+  const headers = {};
+  if (token) {
+    headers['Authorization'] = `Bearer ${token}`;
+  }
+
+  const stages = [
+    'Initializing audit task...',
+    'Compiling scan chunks...',
+    'Analyzing code architecture...',
+    'Running deep SAST logic checks...',
+    'Detecting access control flaws...',
+    'Verifying inputs & parameters...',
+    'Applying Vibe AI contextual analysis...',
+    'Calculating delta changes...',
+    'Finalizing security reports...'
+  ];
+  let stageIdx = 0;
+
+  console.log(chalk.cyan('\n⏳ Monitoring security pipeline in real-time...'));
+
+  let completed = 0;
+  let total = 0;
+  let progress = 0;
+  let stage = 'Initializing audit task...';
+  let spinnerIdx = 0;
+  const spinnerFrames = ['/', '-', '\\', '|'];
+
+  // Start smooth terminal spinner render loop
+  const spinnerId = setInterval(() => {
+    const frame = spinnerFrames[spinnerIdx % spinnerFrames.length];
+    spinnerIdx++;
+    process.stdout.write(
+      `\r${chalk.cyan(frame)} [${completed}/${total} Chunks - ${progress}%] ${chalk.gray(stage)}   `
+    );
+  }, 120);
+
+  return new Promise((resolve) => {
+    let intervalId = setInterval(async () => {
+      try {
+        const response = await axios.get(jobUrl, { headers });
+        const { job } = response.data;
+
+        if (job) {
+          const { status, total_chunks, completed_chunks } = job;
+          
+          if (status === 'completed') {
+            clearInterval(intervalId);
+            clearInterval(spinnerId);
+            process.stdout.write(`\r${chalk.green('»')} [${completed_chunks}/${total_chunks} Chunks - 100%] Scan complete!             \n`);
+            console.log(chalk.green.bold(`\n🎉 Scan complete! Check web dashboard for the results.`));
+            await promptForDashboard();
+            resolve();
+          } else if (status === 'failed') {
+            clearInterval(intervalId);
+            clearInterval(spinnerId);
+            process.stdout.write(`\r${chalk.red('»')} [${completed_chunks}/${total_chunks} Chunks] Pipeline failed.             \n`);
+            console.log(chalk.red.bold(`\n❌ Audit pipeline failed: Worker reports job failed.`));
+            resolve();
+          } else {
+            // Update state for spinner loop to render
+            completed = completed_chunks;
+            total = total_chunks;
+            progress = total_chunks > 0 ? Math.round((completed_chunks / total_chunks) * 100) : 0;
+            stage = stages[stageIdx % stages.length];
+            stageIdx++;
+          }
+        }
+      } catch (err) {
+        stage = 'Connection blip... retrying status check...';
+      }
+    }, 2000);
+  });
+}
+
+async function promptForDashboard() {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+
+  const webUrl = getWebUrl();
+
+  return new Promise((resolve) => {
+    rl.question(chalk.cyan('\n❓ Go to my dashboard? (yes/no): '), (answer) => {
+      rl.close();
+      const sanitized = answer.trim().toLowerCase();
+      if (sanitized === 'yes' || sanitized === 'y') {
+        const dashboardUrl = `${webUrl}/dashboard/history`;
+        console.log(chalk.gray(`Opening your default browser to: ${dashboardUrl}`));
+        const openCmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
+        exec(`${openCmd} "${dashboardUrl}"`, (err) => {
+          if (err) {
+            console.log(chalk.yellow(`Could not open browser automatically. Please open this link manually:\n  ${chalk.underline(dashboardUrl)}`));
+          }
+        });
+      }
+      resolve();
+    });
+  });
+}
+

package/src/utils/config.js

@@ -0,0 +1,87 @@
+import os from 'os';
+import path from 'path';
+import fs from 'fs-extra';
+import crypto from 'crypto';
+
+const CONFIG_DIR = path.join(os.homedir(), '.vibe');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+
+export function readConfig() {
+  try {
+    if (fs.existsSync(CONFIG_FILE)) {
+      return fs.readJsonSync(CONFIG_FILE);
+    }
+  } catch (error) {
+    // Ignore reading error, return empty object
+  }
+  return {};
+}
+
+export function writeConfig(data) {
+  try {
+    fs.ensureDirSync(CONFIG_DIR);
+    fs.writeJsonSync(CONFIG_FILE, data, { spaces: 2 });
+    return true;
+  } catch (error) {
+    console.error('Failed to write CLI config:', error.message);
+    return false;
+  }
+}
+
+export function getToken() {
+  const config = readConfig();
+  return config.token || null;
+}
+
+export function setToken(token, email) {
+  const config = readConfig();
+  config.token = token;
+  config.email = email;
+  return writeConfig(config);
+}
+
+export function clearToken() {
+  const config = readConfig();
+  delete config.token;
+  delete config.email;
+  return writeConfig(config);
+}
+
+export function getApiUrl(optionUrl) {
+  if (optionUrl) return optionUrl;
+  const config = readConfig();
+  return config.apiUrl || 'https://vibe-audit-theta.vercel.app';
+}
+
+export function getWebUrl(optionUrl) {
+  if (optionUrl) return optionUrl;
+  const config = readConfig();
+  return config.webUrl || 'https://vibeaduditai.vercel.app';
+}
+
+export function getDeviceId() {
+  const config = readConfig();
+  if (config.deviceId) {
+    return config.deviceId;
+  }
+  
+  // Build a stable machine-specific fingerprint
+  let fingerprint = 'fallback-device-vibe';
+  try {
+    fingerprint = [
+      os.hostname(),
+      os.userInfo().username,
+      os.platform(),
+      os.arch(),
+      os.release()
+    ].join('-');
+  } catch (err) {
+    // Fallback to random UUID if os details are not accessible
+    fingerprint = crypto.randomUUID();
+  }
+  
+  const deviceId = crypto.createHash('sha256').update(fingerprint).digest('hex');
+  config.deviceId = deviceId;
+  writeConfig(config);
+  return deviceId;
+}

package/src/utils/trivyInstaller.js

@@ -0,0 +1,130 @@
+import axios from 'axios';
+import { extract } from 'tar';
+import fs from 'fs-extra';
+import path from 'path';
+import os from 'os';
+import AdmZip from 'adm-zip';
+
+const VIBE_AUDIT_HOME = path.join(os.homedir(), '.vibe-audit-scan');
+const BIN_DIR = path.join(VIBE_AUDIT_HOME, 'bin');
+const TRIVY_BINARY_PATH = path.join(BIN_DIR, os.platform() === 'win32' ? 'trivy.exe' : 'trivy');
+
+export async function ensureTrivyInstalled() {
+  // First check if Trivy is already in PATH
+  if (await isSystemTrivyAvailable()) {
+    return 'trivy';
+  }
+
+  // Then check if we have a local installation
+  if (await isLocalTrivyAvailable()) {
+    return TRIVY_BINARY_PATH;
+  }
+
+  // If neither, install it locally
+  console.log('⬇️ Core scan engine not found, downloading components...');
+  await installLocalTrivy();
+  return TRIVY_BINARY_PATH;
+}
+
+async function isSystemTrivyAvailable() {
+  try {
+    const { exec } = await import('child_process');
+    const { promisify } = await import('util');
+    const execPromise = promisify(exec);
+    await execPromise('trivy --version');
+    return true;
+  } catch (error) {
+    return false;
+  }
+}
+
+async function isLocalTrivyAvailable() {
+  try {
+    return await fs.pathExists(TRIVY_BINARY_PATH);
+  } catch (error) {
+    return false;
+  }
+}
+
+async function installLocalTrivy() {
+  // Create directories
+  await fs.ensureDir(VIBE_AUDIT_HOME);
+  await fs.ensureDir(BIN_DIR);
+
+  // Get OS and arch
+  const platform = os.platform();
+  const arch = os.arch();
+
+  // Map to Trivy's naming convention
+  const osMap = {
+    'darwin': 'macOS',
+    'linux': 'Linux',
+    'win32': 'Windows'
+  };
+  const archMap = {
+    'x64': '64bit',
+    'arm64': 'ARM64'
+  };
+
+  const trivyOs = osMap[platform];
+  const trivyArch = archMap[arch];
+
+  if (!trivyOs || !trivyArch) {
+    throw new Error(`Unsupported platform/arch: ${platform}/${arch}`);
+  }
+
+  // Get latest release from GitHub
+  console.log('🔍 Fetching scan engine updates...');
+  const releaseRes = await axios.get('https://api.github.com/repos/aquasecurity/trivy/releases/latest');
+  const latestVersion = releaseRes.data.tag_name.replace('v', '');
+
+  // Construct download URL
+  const ext = platform === 'win32' ? 'zip' : 'tar.gz';
+  const assetName = `trivy_${latestVersion}_${trivyOs}-${trivyArch}.${ext}`;
+  const asset = releaseRes.data.assets.find(a => a.name === assetName);
+
+  if (!asset) {
+    throw new Error(`Could not find Trivy asset: ${assetName}`);
+  }
+
+  // Download the asset
+  console.log(`📥 Downloading scanner updates v${latestVersion}...`);
+  const downloadRes = await axios.get(asset.browser_download_url, {
+    responseType: 'arraybuffer'
+  });
+
+  // Create temp file
+  const tempPath = path.join(os.tmpdir(), `trivy_${latestVersion}.${ext}`);
+  await fs.writeFile(tempPath, downloadRes.data);
+
+  // Extract the binary
+  console.log('📦 Extracting scanner components...');
+  if (platform === 'win32') {
+    // Extract zip for Windows
+    const zip = new AdmZip(tempPath);
+    const zipEntries = zip.getEntries();
+    for (const entry of zipEntries) {
+      if (entry.name.endsWith('trivy.exe')) {
+        zip.extractEntryTo(entry, BIN_DIR, false, true);
+        break;
+      }
+    }
+  } else {
+    // Extract tar.gz for macOS/Linux
+    await extract({
+      file: tempPath,
+      cwd: BIN_DIR,
+      filter: (path) => path === 'trivy'
+    });
+  }
+
+  // Make executable (only for non-Windows)
+  if (os.platform() !== 'win32') {
+    await fs.chmod(TRIVY_BINARY_PATH, '755');
+  }
+
+  // Clean up temp file
+  await fs.remove(tempPath);
+
+  console.log('✅ Core scan engine initialized successfully!');
+}

package/src/utils/welcome.js

@@ -0,0 +1,71 @@
+import chalk from 'chalk';
+import boxen from 'boxen';
+
+const asciiArt = [
+  '█████   █████ █████ ███████████  ██████████      █████████   █████  █████ ██████████   █████ ███████████ ',
+  '░░███   ░░███ ░░███ ░░███░░░░░███░░███░░░░░█     ███░░░░░███ ░░███  ░░███ ░░███░░░░███ ░░███ ░█░░░███░░░█ ',
+  ' ░███    ░███  ░███  ░███    ░███ ░███  █ ░     ░███    ░███  ░███   ░███  ░███   ░░███ ░███ ░   ░███  ░ ',
+  ' ░███    ░███  ░███  ░██████████  ░██████       ░███████████  ░███   ░███  ░███    ░███ ░███     ░███    ',
+  ' ░░███   ███   ░███  ░███░░░░░███ ░███░░█       ░███░░░░░███  ░███   ░███  ░███    ░███ ░███     ░███    ',
+  '  ░░░█████░    ░███  ░███    ░███ ░███ ░   █    ░███    ░███  ░███   ░███  ░███    ███  ░███     ░███    ',
+  '    ░░███      █████ ███████████  ██████████    █████   █████ ░░████████   ██████████   █████    █████   ',
+  '     ░░░      ░░░░░ ░░░░░░░░░░░  ░░░░░░░░░░    ░░░░░   ░░░░░   ░░░░░░░░   ░░░░░░░░░░   ░░░░░    ░░░░░    '
+];
+
+export function printWelcome() {
+  // Print ASCII art first
+  console.log('');
+  asciiArt.forEach(line => {
+    console.log(chalk.cyan(line));
+  });
+  console.log('');
+
+  const welcomeContent = `
+${chalk.cyan.bold('Vibe Audit')}${chalk.gray(' v1.2.6 | Terminal-First Security')}
+${chalk.gray('-'.repeat(50))}
+
+${chalk.white.bold('🚀 Ready to secure your code?')}
+
+${chalk.cyan.bold('Quick Start:')}
+  ${chalk.gray('$')} ${chalk.white('vibe scan .')}${chalk.gray('        # Scan current directory')}
+  ${chalk.gray('$')} ${chalk.white('vibe login')}${chalk.gray('         # Authenticate your account')}
+
+${chalk.cyan.bold('Need help?')}
+  ${chalk.gray('$')} ${chalk.white('vibe --help')}${chalk.gray('        # View all available commands')}
+  ${chalk.gray('$')} ${chalk.white('vibe cheatsheet')}${chalk.gray('  # List shortcuts and status')}
+`;
+
+  console.log(boxen(welcomeContent, {
+    padding: 1,
+    margin: 1,
+    borderStyle: 'round',
+    borderColor: 'cyan',
+    titleAlignment: 'left'
+  }));
+}
+
+export function printHelpCheatsheet() {
+  const cheatsheet = `
+${chalk.cyan.bold('Vibe Audit Command Cheatsheet')}
+
+${chalk.white.bold('Auth Commands:')}
+  ${chalk.white('vibe login')}${chalk.gray('       - Authenticate your CLI with the Vibe Cloud backend')}
+  ${chalk.white('vibe whoami')}${chalk.gray('     - Displays the currently logged-in user profile')}
+  ${chalk.white('vibe logout')}${chalk.gray('     - Revokes your session and clears local tokens')}
+
+${chalk.white.bold('Scan Commands:')}
+  ${chalk.white('vibe scan <dir>')}${chalk.gray('  - Scans a directory and sends results to the AI engine')}
+  ${chalk.white('vibe status <id>')}${chalk.gray(' - Checks the real-time processing status of an audit')}
+
+${chalk.white.bold('System Commands:')}
+  ${chalk.white('vibe cheatsheet')}${chalk.gray('  - Lists all commands and current system status')}
+  ${chalk.white('vibe install-deps')}${chalk.gray(' - Auto-installs/verifies Trivy binary dependencies')}
+  `;
+  
+  console.log(boxen(cheatsheet, {
+    padding: 1,
+    margin: 1,
+    borderStyle: 'round',
+    borderColor: 'cyan'
+  }));
+}