npm - vibecheck-ai - Versions diffs - 2.0.1 → 5.0.0 - Mend

vibecheck-ai 2.0.1 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (456) hide show

package/bin/.generated +25 -0
package/bin/_deprecations.js +463 -0
package/bin/_router.js +46 -0
package/bin/cli-hygiene.js +241 -0
package/bin/dev/run-v2-torture.js +30 -0
package/bin/registry.js +656 -0
package/bin/runners/CLI_REFACTOR_SUMMARY.md +229 -0
package/bin/runners/ENHANCEMENT_GUIDE.md +121 -0
package/bin/runners/REPORT_AUDIT.md +64 -0
package/bin/runners/cli-utils.js +1070 -0
package/bin/runners/context/ai-task-decomposer.js +337 -0
package/bin/runners/context/analyzer.js +513 -0
package/bin/runners/context/api-contracts.js +427 -0
package/bin/runners/context/context-diff.js +342 -0
package/bin/runners/context/context-pruner.js +291 -0
package/bin/runners/context/dependency-graph.js +414 -0
package/bin/runners/context/generators/claude.js +107 -0
package/bin/runners/context/generators/codex.js +108 -0
package/bin/runners/context/generators/copilot.js +119 -0
package/bin/runners/context/generators/cursor-enhanced.js +2525 -0
package/bin/runners/context/generators/cursor.js +514 -0
package/bin/runners/context/generators/mcp.js +169 -0
package/bin/runners/context/generators/windsurf.js +180 -0
package/bin/runners/context/git-context.js +304 -0
package/bin/runners/context/index.js +1110 -0
package/bin/runners/context/insights.js +173 -0
package/bin/runners/context/mcp-server/generate-rules.js +337 -0
package/bin/runners/context/mcp-server/index.js +1176 -0
package/bin/runners/context/mcp-server/package.json +24 -0
package/bin/runners/context/memory.js +200 -0
package/bin/runners/context/monorepo.js +215 -0
package/bin/runners/context/multi-repo-federation.js +404 -0
package/bin/runners/context/patterns.js +253 -0
package/bin/runners/context/proof-context.js +1264 -0
package/bin/runners/context/security-scanner.js +541 -0
package/bin/runners/context/semantic-search.js +350 -0
package/bin/runners/context/shared.js +264 -0
package/bin/runners/context/team-conventions.js +336 -0
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -0
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/change-packet/builder.js +488 -0
package/bin/runners/lib/agent-firewall/change-packet/schema.json +228 -0
package/bin/runners/lib/agent-firewall/change-packet/store.js +200 -0
package/bin/runners/lib/agent-firewall/claims/claim-types.js +21 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +303 -0
package/bin/runners/lib/agent-firewall/claims/patterns.js +24 -0
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/enforcement/gateway.js +1059 -0
package/bin/runners/lib/agent-firewall/enforcement/index.js +98 -0
package/bin/runners/lib/agent-firewall/enforcement/mode.js +318 -0
package/bin/runners/lib/agent-firewall/enforcement/orchestrator.js +484 -0
package/bin/runners/lib/agent-firewall/enforcement/proof-artifact.js +418 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/change-event.schema.json +173 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/intent.schema.json +181 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/verdict.schema.json +222 -0
package/bin/runners/lib/agent-firewall/enforcement/verdict-v2.js +333 -0
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +88 -0
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +75 -0
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +127 -0
package/bin/runners/lib/agent-firewall/evidence/resolver.js +102 -0
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +213 -0
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +145 -0
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +19 -0
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +87 -0
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +184 -0
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +163 -0
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +107 -0
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +68 -0
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +66 -0
package/bin/runners/lib/agent-firewall/index.js +200 -0
package/bin/runners/lib/agent-firewall/integration/index.js +20 -0
package/bin/runners/lib/agent-firewall/integration/ship-gate.js +437 -0
package/bin/runners/lib/agent-firewall/intent/alignment-engine.js +634 -0
package/bin/runners/lib/agent-firewall/intent/auto-detect.js +426 -0
package/bin/runners/lib/agent-firewall/intent/index.js +102 -0
package/bin/runners/lib/agent-firewall/intent/schema.js +352 -0
package/bin/runners/lib/agent-firewall/intent/store.js +283 -0
package/bin/runners/lib/agent-firewall/interception/fs-interceptor.js +502 -0
package/bin/runners/lib/agent-firewall/interception/index.js +23 -0
package/bin/runners/lib/agent-firewall/interceptor/base.js +308 -0
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +34 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/default-policy.json +90 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +103 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +451 -0
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +79 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +227 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +191 -0
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +93 -0
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +57 -0
package/bin/runners/lib/agent-firewall/policy/schema.json +183 -0
package/bin/runners/lib/agent-firewall/policy/verdict.js +54 -0
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +322 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/session/collector.js +451 -0
package/bin/runners/lib/agent-firewall/session/index.js +26 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/agent-firewall/truthpack/index.js +67 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +137 -0
package/bin/runners/lib/agent-firewall/unblock/planner.js +337 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/ai-bridge.js +416 -0
package/bin/runners/lib/analysis-core.js +309 -0
package/bin/runners/lib/analyzers.js +2500 -0
package/bin/runners/lib/api-client.js +269 -0
package/bin/runners/lib/approve-output.js +235 -0
package/bin/runners/lib/artifact-envelope.js +540 -0
package/bin/runners/lib/assets/vibecheck-logo.png +0 -0
package/bin/runners/lib/audit-bridge.js +391 -0
package/bin/runners/lib/auth-shared.js +977 -0
package/bin/runners/lib/auth-truth.js +193 -0
package/bin/runners/lib/auth.js +215 -0
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/backup.js +62 -0
package/bin/runners/lib/billing.js +107 -0
package/bin/runners/lib/checkpoint.js +941 -0
package/bin/runners/lib/claims.js +118 -0
package/bin/runners/lib/classify-output.js +204 -0
package/bin/runners/lib/cleanup/engine.js +571 -0
package/bin/runners/lib/cleanup/index.js +53 -0
package/bin/runners/lib/cleanup/output.js +375 -0
package/bin/runners/lib/cleanup/rules.js +1060 -0
package/bin/runners/lib/cli-output.js +400 -0
package/bin/runners/lib/cli-ui.js +540 -0
package/bin/runners/lib/compliance-bridge-new.js +0 -0
package/bin/runners/lib/compliance-bridge.js +165 -0
package/bin/runners/lib/contracts/auth-contract.js +202 -0
package/bin/runners/lib/contracts/env-contract.js +181 -0
package/bin/runners/lib/contracts/external-contract.js +206 -0
package/bin/runners/lib/contracts/guard.js +168 -0
package/bin/runners/lib/contracts/index.js +89 -0
package/bin/runners/lib/contracts/plan-validator.js +311 -0
package/bin/runners/lib/contracts/route-contract.js +199 -0
package/bin/runners/lib/contracts.js +804 -0
package/bin/runners/lib/default-config.js +127 -0
package/bin/runners/lib/detect.js +89 -0
package/bin/runners/lib/detectors-v2.js +622 -0
package/bin/runners/lib/doctor/autofix.js +254 -0
package/bin/runners/lib/doctor/diagnosis-receipt.js +454 -0
package/bin/runners/lib/doctor/failure-signatures.js +526 -0
package/bin/runners/lib/doctor/fix-script.js +336 -0
package/bin/runners/lib/doctor/index.js +37 -0
package/bin/runners/lib/doctor/modules/build-tools.js +453 -0
package/bin/runners/lib/doctor/modules/dependencies.js +325 -0
package/bin/runners/lib/doctor/modules/index.js +105 -0
package/bin/runners/lib/doctor/modules/network.js +250 -0
package/bin/runners/lib/doctor/modules/os-quirks.js +706 -0
package/bin/runners/lib/doctor/modules/project.js +312 -0
package/bin/runners/lib/doctor/modules/repo-integrity.js +485 -0
package/bin/runners/lib/doctor/modules/runtime.js +224 -0
package/bin/runners/lib/doctor/modules/security.js +350 -0
package/bin/runners/lib/doctor/modules/system.js +213 -0
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -0
package/bin/runners/lib/doctor/reporter.js +262 -0
package/bin/runners/lib/doctor/safe-repair.js +384 -0
package/bin/runners/lib/doctor/service.js +262 -0
package/bin/runners/lib/doctor/types.js +113 -0
package/bin/runners/lib/doctor/ui.js +263 -0
package/bin/runners/lib/doctor-enhanced.js +233 -0
package/bin/runners/lib/doctor-output.js +226 -0
package/bin/runners/lib/doctor-v2.js +608 -0
package/bin/runners/lib/drift.js +425 -0
package/bin/runners/lib/enforcement.js +72 -0
package/bin/runners/lib/engine/ast-cache.js +210 -0
package/bin/runners/lib/engine/auth-extractor.js +211 -0
package/bin/runners/lib/engine/billing-extractor.js +112 -0
package/bin/runners/lib/engine/enforcement-extractor.js +100 -0
package/bin/runners/lib/engine/env-extractor.js +207 -0
package/bin/runners/lib/engine/express-extractor.js +208 -0
package/bin/runners/lib/engine/extractors.js +849 -0
package/bin/runners/lib/engine/index.js +207 -0
package/bin/runners/lib/engine/repo-index.js +514 -0
package/bin/runners/lib/engine/types.js +124 -0
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/attack-detector.js +1192 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/enterprise-detect.js +603 -0
package/bin/runners/lib/enterprise-init.js +942 -0
package/bin/runners/lib/entitlements-v2.js +265 -0
package/bin/runners/lib/entitlements.generated.js +0 -0
package/bin/runners/lib/entitlements.js +340 -0
package/bin/runners/lib/env-resolver.js +417 -0
package/bin/runners/lib/env-template.js +66 -0
package/bin/runners/lib/env.js +189 -0
package/bin/runners/lib/error-handler.js +368 -0
package/bin/runners/lib/error-messages.js +289 -0
package/bin/runners/lib/evidence-pack.js +684 -0
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/extractors/client-calls.js +990 -0
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -0
package/bin/runners/lib/extractors/fastify-routes.js +426 -0
package/bin/runners/lib/extractors/index.js +363 -0
package/bin/runners/lib/extractors/next-routes.js +524 -0
package/bin/runners/lib/extractors/proof-graph.js +431 -0
package/bin/runners/lib/extractors/route-matcher.js +451 -0
package/bin/runners/lib/extractors/truthpack-v2.js +377 -0
package/bin/runners/lib/extractors/ui-bindings.js +547 -0
package/bin/runners/lib/finding-id.js +69 -0
package/bin/runners/lib/finding-sorter.js +89 -0
package/bin/runners/lib/findings-schema.js +281 -0
package/bin/runners/lib/fingerprint.js +377 -0
package/bin/runners/lib/firewall-prompt.js +50 -0
package/bin/runners/lib/fix-output.js +228 -0
package/bin/runners/lib/global-flags.js +250 -0
package/bin/runners/lib/graph/graph-builder.js +265 -0
package/bin/runners/lib/graph/html-renderer.js +413 -0
package/bin/runners/lib/graph/index.js +32 -0
package/bin/runners/lib/graph/runtime-collector.js +215 -0
package/bin/runners/lib/graph/static-extractor.js +518 -0
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/html-proof-report.js +913 -0
package/bin/runners/lib/html-report.js +650 -0
package/bin/runners/lib/init-wizard.js +601 -0
package/bin/runners/lib/interactive-menu.js +1496 -0
package/bin/runners/lib/json-output.js +76 -0
package/bin/runners/lib/llm.js +75 -0
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/meter.js +61 -0
package/bin/runners/lib/missions/briefing.js +427 -0
package/bin/runners/lib/missions/checkpoint.js +753 -0
package/bin/runners/lib/missions/evidence.js +126 -0
package/bin/runners/lib/missions/hardening.js +851 -0
package/bin/runners/lib/missions/plan.js +648 -0
package/bin/runners/lib/missions/safety-gates.js +645 -0
package/bin/runners/lib/missions/schema.js +478 -0
package/bin/runners/lib/missions/templates.js +317 -0
package/bin/runners/lib/next-action.js +560 -0
package/bin/runners/lib/packs/bundle.js +675 -0
package/bin/runners/lib/packs/evidence-pack.js +671 -0
package/bin/runners/lib/packs/pack-factory.js +837 -0
package/bin/runners/lib/packs/permissions-pack.js +686 -0
package/bin/runners/lib/packs/proof-graph-pack.js +779 -0
package/bin/runners/lib/patch.js +40 -0
package/bin/runners/lib/permissions/auth-model.js +213 -0
package/bin/runners/lib/permissions/idor-prover.js +205 -0
package/bin/runners/lib/permissions/index.js +45 -0
package/bin/runners/lib/permissions/matrix-builder.js +198 -0
package/bin/runners/lib/pkgjson.js +28 -0
package/bin/runners/lib/policy.js +295 -0
package/bin/runners/lib/polish/accessibility.js +62 -0
package/bin/runners/lib/polish/analyzer.js +93 -0
package/bin/runners/lib/polish/backend.js +87 -0
package/bin/runners/lib/polish/configuration.js +83 -0
package/bin/runners/lib/polish/documentation.js +83 -0
package/bin/runners/lib/polish/frontend.js +817 -0
package/bin/runners/lib/polish/index.js +27 -0
package/bin/runners/lib/polish/infrastructure.js +80 -0
package/bin/runners/lib/polish/internationalization.js +85 -0
package/bin/runners/lib/polish/libraries.js +180 -0
package/bin/runners/lib/polish/observability.js +75 -0
package/bin/runners/lib/polish/performance.js +64 -0
package/bin/runners/lib/polish/privacy.js +110 -0
package/bin/runners/lib/polish/resilience.js +92 -0
package/bin/runners/lib/polish/security.js +78 -0
package/bin/runners/lib/polish/seo.js +71 -0
package/bin/runners/lib/polish/styles.js +62 -0
package/bin/runners/lib/polish/utils.js +104 -0
package/bin/runners/lib/preflight.js +142 -0
package/bin/runners/lib/prerequisites.js +149 -0
package/bin/runners/lib/prove-output.js +220 -0
package/bin/runners/lib/reality/correlation-detectors.js +359 -0
package/bin/runners/lib/reality/index.js +318 -0
package/bin/runners/lib/reality/request-hashing.js +416 -0
package/bin/runners/lib/reality/request-mapper.js +453 -0
package/bin/runners/lib/reality/safety-rails.js +463 -0
package/bin/runners/lib/reality/semantic-snapshot.js +408 -0
package/bin/runners/lib/reality/toast-detector.js +393 -0
package/bin/runners/lib/reality-findings.js +84 -0
package/bin/runners/lib/reality-output.js +231 -0
package/bin/runners/lib/receipts.js +179 -0
package/bin/runners/lib/redact.js +29 -0
package/bin/runners/lib/replay/capsule-manager.js +154 -0
package/bin/runners/lib/replay/index.js +263 -0
package/bin/runners/lib/replay/player.js +348 -0
package/bin/runners/lib/replay/recorder.js +331 -0
package/bin/runners/lib/report-engine.js +626 -0
package/bin/runners/lib/report-html.js +1233 -0
package/bin/runners/lib/report-output.js +366 -0
package/bin/runners/lib/report-templates.js +967 -0
package/bin/runners/lib/report.js +135 -0
package/bin/runners/lib/route-detection.js +1209 -0
package/bin/runners/lib/route-truth.js +1322 -0
package/bin/runners/lib/safelist/index.js +96 -0
package/bin/runners/lib/safelist/integration.js +334 -0
package/bin/runners/lib/safelist/matcher.js +696 -0
package/bin/runners/lib/safelist/schema.js +948 -0
package/bin/runners/lib/safelist/store.js +438 -0
package/bin/runners/lib/sandbox/index.js +59 -0
package/bin/runners/lib/sandbox/proof-chain.js +399 -0
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -0
package/bin/runners/lib/sandbox/worktree.js +174 -0
package/bin/runners/lib/scan-cache.js +330 -0
package/bin/runners/lib/scan-output-schema.js +344 -0
package/bin/runners/lib/scan-output.js +631 -0
package/bin/runners/lib/scan-runner.js +135 -0
package/bin/runners/lib/schema-validator.js +350 -0
package/bin/runners/lib/schemas/ajv-validator.js +464 -0
package/bin/runners/lib/schemas/contracts.schema.json +160 -0
package/bin/runners/lib/schemas/error-envelope.schema.json +105 -0
package/bin/runners/lib/schemas/finding-v3.schema.json +151 -0
package/bin/runners/lib/schemas/finding.schema.json +100 -0
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -0
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -0
package/bin/runners/lib/schemas/reality-report.schema.json +162 -0
package/bin/runners/lib/schemas/report-artifact.schema.json +120 -0
package/bin/runners/lib/schemas/run-request.schema.json +108 -0
package/bin/runners/lib/schemas/share-pack.schema.json +180 -0
package/bin/runners/lib/schemas/ship-manifest.schema.json +251 -0
package/bin/runners/lib/schemas/ship-report.schema.json +117 -0
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -0
package/bin/runners/lib/schemas/validator.js +465 -0
package/bin/runners/lib/schemas/verdict.schema.json +140 -0
package/bin/runners/lib/score-history.js +282 -0
package/bin/runners/lib/security-bridge.js +249 -0
package/bin/runners/lib/server-usage.js +513 -0
package/bin/runners/lib/share-pack.js +239 -0
package/bin/runners/lib/ship-gate.js +832 -0
package/bin/runners/lib/ship-manifest.js +1153 -0
package/bin/runners/lib/ship-output-enterprise.js +239 -0
package/bin/runners/lib/ship-output.js +1128 -0
package/bin/runners/lib/snippets.js +67 -0
package/bin/runners/lib/status-output.js +340 -0
package/bin/runners/lib/terminal-ui.js +356 -0
package/bin/runners/lib/truth.js +1691 -0
package/bin/runners/lib/ui.js +562 -0
package/bin/runners/lib/unified-cli-output.js +947 -0
package/bin/runners/lib/unified-output.js +197 -0
package/bin/runners/lib/upsell.js +410 -0
package/bin/runners/lib/usage.js +153 -0
package/bin/runners/lib/validate-patch.js +156 -0
package/bin/runners/lib/verdict-engine.js +628 -0
package/bin/runners/lib/verification.js +345 -0
package/bin/runners/lib/why-tree.js +650 -0
package/bin/runners/reality/engine.js +917 -0
package/bin/runners/reality/flows.js +122 -0
package/bin/runners/reality/report.js +378 -0
package/bin/runners/reality/session.js +193 -0
package/bin/runners/runAIAgent.js +229 -0
package/bin/runners/runAgent.d.ts +5 -0
package/bin/runners/runAgent.js +161 -0
package/bin/runners/runAllowlist.js +418 -0
package/bin/runners/runApprove.js +320 -0
package/bin/runners/runAudit.js +692 -0
package/bin/runners/runAuth.js +731 -0
package/bin/runners/runCI.js +353 -0
package/bin/runners/runCheckpoint.js +530 -0
package/bin/runners/runClassify.js +928 -0
package/bin/runners/runCleanup.js +343 -0
package/bin/runners/runContext.d.ts +4 -0
package/bin/runners/runContext.js +175 -0
package/bin/runners/runDoctor.js +877 -0
package/bin/runners/runEvidencePack.js +362 -0
package/bin/runners/runFirewall.d.ts +5 -0
package/bin/runners/runFirewall.js +134 -0
package/bin/runners/runFirewallHook.d.ts +5 -0
package/bin/runners/runFirewallHook.js +56 -0
package/bin/runners/runFix.js +1355 -0
package/bin/runners/runForge.js +451 -0
package/bin/runners/runGuard.js +262 -0
package/bin/runners/runInit.js +1927 -0
package/bin/runners/runIntent.js +906 -0
package/bin/runners/runKickoff.js +878 -0
package/bin/runners/runLabs.js +424 -0
package/bin/runners/runLaunch.js +2000 -0
package/bin/runners/runLink.js +785 -0
package/bin/runners/runMcp.js +1875 -0
package/bin/runners/runPacks.js +2089 -0
package/bin/runners/runPolish.d.ts +4 -0
package/bin/runners/runPolish.js +390 -0
package/bin/runners/runPromptFirewall.js +211 -0
package/bin/runners/runProve.js +1411 -0
package/bin/runners/runQuickstart.js +531 -0
package/bin/runners/runReality.js +2260 -0
package/bin/runners/runReport.js +726 -0
package/bin/runners/runRuntime.js +110 -0
package/bin/runners/runSafelist.js +1190 -0
package/bin/runners/runScan.js +688 -0
package/bin/runners/runShield.js +1282 -0
package/bin/runners/runShip.js +1660 -0
package/bin/runners/runTruth.d.ts +5 -0
package/bin/runners/runTruth.js +101 -0
package/bin/runners/runValidate.js +179 -0
package/bin/runners/runWatch.js +478 -0
package/bin/runners/utils.js +360 -0
package/bin/scan.js +617 -0
package/bin/vibecheck.js +1617 -0
package/dist/guardrail/index.d.ts +2405 -0
package/dist/guardrail/index.js +9747 -0
package/dist/guardrail/index.js.map +1 -0
package/dist/scanner/index.d.ts +282 -0
package/dist/scanner/index.js +3395 -0
package/dist/scanner/index.js.map +1 -0
package/package.json +123 -104
package/README.md +0 -491
package/dist/index.js +0 -99711
package/dist/index.js.map +0 -1

package/bin/runners/runAuth.js ADDED Viewed

@@ -0,0 +1,731 @@
+/**
+ * vibecheck auth commands - Login, Logout, Whoami, Check, Refresh
+ *
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * World-Class Authentication Experience
+ * ═══════════════════════════════════════════════════════════════════════════════
+ *
+ * Auth must be invisible when it works, explicit when it doesn't.
+ * - auth login: store API key securely
+ * - auth logout: remove credentials everywhere
+ * - auth me: show identity + plan + entitlements
+ * - auth --check: validate without prompting
+ * - auth --refresh: force entitlements refresh
+ */
+const readline = require("readline");
+const {
+  saveApiKey,
+  deleteApiKey,
+  getApiKey,
+  getEntitlements,
+} = require("./lib/auth");
+const {
+  redactApiKey,
+  redactOutput,
+  validateKeyFormat,
+  isValidKeyFormat,
+  sanitizeInput,
+  resolveApiKey,
+  formatSource,
+  clearAll,
+  checkAuth,
+  refreshEntitlements,
+  readCache,
+  hashApiKey,
+  getCacheAge,
+  auditLog,
+  trackFailedAttempt,
+  resetActivityTracker,
+  detectEnvironment,
+} = require("./lib/auth-shared");
+const { EXIT } = require("./lib/exit-codes");
+const { parseGlobalFlags, shouldSuppressOutput, isJsonMode } = require("./lib/global-flags");
+const { getTier, getLimits, FREE_FEATURES, PRO_FEATURES } = require("./lib/entitlements-v2");
+const { printActionableError } = require("./lib/error-messages");
+const {
+  ansi,
+  sym,
+  renderMinimalHeader,
+  renderSectionHeader,
+  renderSuccess,
+  renderError,
+  renderWarning,
+  renderKeyValue,
+  renderFooter,
+  Spinner,
+  getTierBadge,
+  TIER,
+} = require("./lib/unified-cli-output");
+async function prompt(question) {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// LOGIN
+// ═══════════════════════════════════════════════════════════════════════════════
+async function runLogin(args) {
+  const { flags } = parseGlobalFlags(args);
+  const quiet = shouldSuppressOutput(flags);
+  const json = isJsonMode(flags);
+  const env = detectEnvironment();
+  // Check for lockout
+  const lockout = trackFailedAttempt();
+  resetActivityTracker(); // Reset test attempt
+  if (lockout.locked) {
+    if (json) {
+      console.log(JSON.stringify({
+        success: false,
+        error: `Too many failed attempts. Try again in ${lockout.lockoutRemaining}s`,
+        code: "LOCKED_OUT",
+      }));
+    } else {
+      renderError(`Too many failed attempts. Try again in ${Math.ceil(lockout.lockoutRemaining / 60)} minutes.`);
+    }
+    return EXIT.AUTH_FAILED;
+  }
+  if (flags.help) {
+    console.log(`
+  ${ansi.bold}USAGE${ansi.reset}
+    ${ansi.cyan}vibecheck login${ansi.reset} [options]
+  ${ansi.dim}Aliases: auth, signin${ansi.reset}
+  Authenticate with your Vibecheck API key to unlock paid features
+  and sync with the dashboard.
+  ${ansi.bold}OPTIONS${ansi.reset}
+    ${ansi.cyan}--key <key>${ansi.reset}       Provide API key directly (non-interactive)
+    ${ansi.cyan}--json${ansi.reset}            Output result as JSON
+    ${ansi.cyan}--quiet, -q${ansi.reset}       Suppress non-essential output
+    ${ansi.cyan}--help, -h${ansi.reset}        Show this help
+  ${ansi.bold}EXAMPLES${ansi.reset}
+    ${ansi.dim}# Interactive login${ansi.reset}
+    vibecheck login
+    ${ansi.dim}# Non-interactive (CI/scripts)${ansi.reset}
+    vibecheck login --key YOUR_API_KEY
+    ${ansi.dim}# Using environment variable${ansi.reset}
+    VIBECHECK_API_KEY=xxx vibecheck whoami
+  ${ansi.bold}GET YOUR API KEY${ansi.reset}
+    https://vibecheckai.dev/settings/keys
+  ${ansi.dim}────────────────────────────────────────────────────────────────────${ansi.reset}
+  ${ansi.dim}Documentation: https://docs.vibecheckai.dev/authentication${ansi.reset}
+`);
+    return EXIT.SUCCESS;
+  }
+  try {
+    let key = null;
+    const keyIndex = args.indexOf("--key");
+    if (keyIndex !== -1 && args[keyIndex + 1]) {
+      key = args[keyIndex + 1];
+    }
+    if (!quiet && !json) {
+      renderMinimalHeader("login", "free");
+    }
+    const existing = getApiKey();
+    if (existing.key && !key) {
+      if (!quiet && !json) {
+        renderWarning(`Already logged in (source: ${formatSource(existing.source)})`);
+      }
+      if (process.env.CI || !process.stdin.isTTY) {
+        if (json) {
+          console.log(JSON.stringify({ success: true, message: "Already logged in", source: existing.source }));
+        }
+        return EXIT.SUCCESS;
+      }
+      const answer = await prompt(`  Overwrite existing credentials? (y/N) `);
+      if (answer.toLowerCase() !== "y") {
+        if (!quiet && !json) console.log(`  ${ansi.dim}Cancelled.${ansi.reset}\n`);
+        if (json) console.log(JSON.stringify({ success: false, message: "Cancelled by user" }));
+        return EXIT.SUCCESS;
+      }
+    }
+    if (!key) {
+      if (process.env.CI || !process.stdin.isTTY) {
+        const errorMsg = "No API key provided. Use --key flag or set VIBECHECK_API_KEY environment variable.";
+        if (json) {
+          console.log(JSON.stringify({ success: false, error: errorMsg }));
+        } else {
+          renderError(errorMsg);
+        }
+        return EXIT.USER_ERROR;
+      }
+      if (!quiet && !json) {
+        console.log(`  ${ansi.dim}Get your API key at: https://vibecheckai.dev/settings/keys${ansi.reset}\n`);
+      }
+      key = await prompt(`  ${sym.key} API Key: `);
+    }
+    if (!key) {
+      if (json) {
+        console.log(JSON.stringify({ success: false, error: "No API key provided" }));
+      } else {
+        renderError("No API key provided");
+      }
+      return EXIT.USER_ERROR;
+    }
+    // Sanitize input
+    key = sanitizeInput(key);
+    // Validate key format
+    const validation = validateKeyFormat(key);
+    if (!validation.valid) {
+      trackFailedAttempt();
+      auditLog("LOGIN_FAILED", key, "cli", { reason: validation.error });
+      if (json) {
+        console.log(JSON.stringify({ success: false, error: validation.error }));
+      } else {
+        printActionableError('INVALID_API_KEY', { command: 'login' });
+      }
+      return EXIT.AUTH_FAILED;
+    }
+    const spinner = !quiet && !json ? new Spinner("Verifying API key").start() : null;
+    let entitlements;
+    try {
+      entitlements = await getEntitlements(key);
+    } catch (apiError) {
+      spinner?.fail(`Failed to verify: ${apiError.message}`);
+      if (json) {
+        console.log(JSON.stringify({ success: false, error: apiError.message }));
+      }
+      return EXIT.NETWORK_ERROR;
+    }
+    if (!entitlements) {
+      trackFailedAttempt();
+      auditLog("LOGIN_FAILED", key, "cli", { reason: "API validation failed" });
+      spinner?.fail("Invalid API key or server unreachable");
+      if (json) {
+        console.log(JSON.stringify({ success: false, error: "Invalid API key" }));
+      }
+      return EXIT.AUTH_FAILED;
+    }
+    // Success - reset activity tracker and save
+    resetActivityTracker();
+    auditLog("LOGIN_SUCCESS", key, "cli", { tier: entitlements.tier || entitlements.plan });
+    saveApiKey(key);
+    const result = {
+      success: true,
+      user: entitlements?.user?.name || "User",
+      plan: entitlements?.plan || "free",
+      keyMasked: redactApiKey(key),
+    };
+    if (json) {
+      console.log(JSON.stringify(result));
+    } else if (!quiet) {
+      spinner?.succeed(`Logged in as ${ansi.bold}${result.user}${ansi.reset}`);
+      console.log(`  ${ansi.dim}Plan:${ansi.reset} ${getTierBadge(result.plan)}`);
+      console.log(`  ${ansi.dim}Key:${ansi.reset}  ${result.keyMasked}\n`);
+    }
+    return EXIT.SUCCESS;
+  } catch (error) {
+    if (json) {
+      console.log(JSON.stringify({ success: false, error: error.message }));
+    } else {
+      renderError(`Login failed: ${error.message}`);
+    }
+    return EXIT.INTERNAL_ERROR;
+  }
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// LOGOUT
+// ═══════════════════════════════════════════════════════════════════════════════
+async function runLogout(args) {
+  const { flags } = parseGlobalFlags(args);
+  const quiet = shouldSuppressOutput(flags);
+  const json = isJsonMode(flags);
+  if (flags.help) {
+    console.log(`
+  ${ansi.bold}USAGE${ansi.reset}
+    ${ansi.cyan}vibecheck logout${ansi.reset}
+  ${ansi.dim}Aliases: signout${ansi.reset}
+  Remove stored API credentials from ALL locations:
+    • ~/.vibecheck/auth.json
+    • ~/.vibecheck/entitlements-cache.json
+    • Legacy config files
+  ${ansi.bold}OPTIONS${ansi.reset}
+    ${ansi.cyan}--json${ansi.reset}            Output result as JSON
+    ${ansi.cyan}--quiet, -q${ansi.reset}       Suppress non-essential output
+    ${ansi.cyan}--help, -h${ansi.reset}        Show this help
+`);
+    return EXIT.SUCCESS;
+  }
+  try {
+    if (!quiet && !json) {
+      renderMinimalHeader("logout", "free");
+    }
+    // Clear ALL auth data
+    clearAll();
+    // Also use legacy delete for backward compat
+    deleteApiKey();
+    if (json) {
+      console.log(JSON.stringify({
+        success: true,
+        message: "Logged out",
+        cleared: [
+          "~/.vibecheck/auth.json",
+          "~/.vibecheck/entitlements-cache.json",
+          "Legacy config",
+        ],
+      }));
+    } else if (!quiet) {
+      renderSuccess("Credentials removed from:");
+      console.log(`    ${ansi.dim}•${ansi.reset} ~/.vibecheck/auth.json`);
+      console.log(`    ${ansi.dim}•${ansi.reset} Entitlements cache`);
+      console.log(`    ${ansi.dim}•${ansi.reset} Legacy config files`);
+      console.log();
+    }
+    return EXIT.SUCCESS;
+  } catch (error) {
+    if (json) {
+      console.log(JSON.stringify({ success: false, error: error.message }));
+    } else {
+      renderError(`Logout failed: ${error.message}`);
+    }
+    return EXIT.INTERNAL_ERROR;
+  }
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// WHOAMI / ME
+// ═══════════════════════════════════════════════════════════════════════════════
+async function runWhoami(args) {
+  const { flags } = parseGlobalFlags(args);
+  const quiet = shouldSuppressOutput(flags);
+  const json = isJsonMode(flags);
+  if (flags.help) {
+    console.log(`
+  ${ansi.bold}USAGE${ansi.reset}
+    ${ansi.cyan}vibecheck whoami${ansi.reset}
+  ${ansi.dim}Aliases: me, user${ansi.reset}
+  Display information about the currently authenticated user,
+  including plan, limits, and available scopes.
+  ${ansi.bold}OPTIONS${ansi.reset}
+    ${ansi.cyan}--json${ansi.reset}            Output result as JSON
+    ${ansi.cyan}--quiet, -q${ansi.reset}       Suppress non-essential output
+    ${ansi.cyan}--help, -h${ansi.reset}        Show this help
+  ${ansi.bold}EXAMPLES${ansi.reset}
+    ${ansi.dim}# Check current user${ansi.reset}
+    vibecheck whoami
+    ${ansi.dim}# Get JSON for scripts${ansi.reset}
+    vibecheck whoami --json
+`);
+    return EXIT.SUCCESS;
+  }
+  try {
+    if (!quiet && !json) {
+      renderMinimalHeader("whoami", "free");
+    }
+    const { key, source } = getApiKey();
+    if (!key) {
+      const result = json ? {
+        success: false,
+        error: {
+          code: "AUTH_REQUIRED",
+          message: "Not logged in",
+        },
+      } : { authenticated: false, message: "Not logged in" };
+      if (json) {
+        console.log(JSON.stringify(result, null, 2));
+      } else {
+        renderWarning("Not logged in");
+        console.log(`  ${ansi.dim}Run "vibecheck login" or set VIBECHECK_API_KEY.${ansi.reset}\n`);
+      }
+      return EXIT.AUTH_REQUIRED;
+    }
+    const spinner = !quiet && !json ? new Spinner("Fetching user info").start() : null;
+    let entitlements;
+    try {
+      entitlements = await getEntitlements(key);
+    } catch (apiError) {
+      spinner?.fail(`Failed to fetch: ${apiError.message}`);
+      if (json) {
+        console.log(JSON.stringify({
+          success: false,
+          error: {
+            code: "NETWORK_ERROR",
+            message: apiError.message,
+          },
+        }, null, 2));
+      }
+      return EXIT.NETWORK_ERROR;
+    }
+    if (!entitlements) {
+      spinner?.fail("Invalid API key or server unreachable");
+      if (json) {
+        console.log(JSON.stringify({
+          success: false,
+          error: {
+            code: "AUTH_FAILED",
+            message: "Invalid API key",
+          },
+        }, null, 2));
+      } else {
+        console.log(`  ${ansi.dim}Run "vibecheck login" to re-authenticate.${ansi.reset}\n`);
+      }
+      return EXIT.AUTH_FAILED;
+    }
+    spinner?.stop(null, null, null);
+    // Determine tier
+    const plan = entitlements.plan || entitlements.tier || "free";
+    const tier = plan === "free" ? "free" : "pro";
+    const features = tier === "pro" ? PRO_FEATURES : FREE_FEATURES;
+    const tierLimits = getLimits(tier);
+    // Build result
+    const result = {
+      success: true,
+      data: {
+        user: {
+          id: entitlements.user?.id || entitlements.userId,
+          email: entitlements.user?.email || entitlements.email,
+          name: entitlements.user?.name,
+        },
+        tier: tier,
+        source: source,
+        keyMasked: redactApiKey(key),
+        features: features,
+        limits: {
+          scansPerMonth: entitlements.limits?.scansPerMonth ?? tierLimits.maxScansPerMonth,
+          filesPerScan: entitlements.limits?.filesPerScan ?? tierLimits.maxFilesPerScan,
+          reportFormats: tierLimits.reportFormats,
+        },
+        usage: {
+          scansThisMonth: entitlements.usage?.scansThisMonth || 0,
+          filesScanned: entitlements.usage?.filesScanned || 0,
+        },
+      },
+      timestamp: new Date().toISOString(),
+    };
+    if (json) {
+      console.log(JSON.stringify(result, null, 2));
+    } else if (!quiet) {
+      renderSectionHeader("Account", sym.key);
+      renderKeyValue([
+        { label: "User", value: `${ansi.bold}${result.data.user.name || 'Unknown'}${ansi.reset} ${ansi.dim}(${result.data.user.email || 'N/A'})${ansi.reset}` },
+        { label: "Tier", value: getTierBadge(tier) },
+        { label: "Source", value: formatSource(source) },
+        { label: "Key", value: result.data.keyMasked },
+        { label: "Scans", value: `${result.data.usage.scansThisMonth}/${result.data.limits.scansPerMonth === -1 ? '∞' : result.data.limits.scansPerMonth} this month` },
+      ]);
+      const scopes = entitlements.scopes || [];
+      if (scopes.length > 0) {
+        console.log();
+        console.log(`  ${ansi.dim}Scopes:${ansi.reset}`);
+        scopes.forEach(s => console.log(`    ${ansi.gray}${sym.bullet}${ansi.reset} ${s}`));
+      }
+      // Upsell for free tier
+      if (tier === "free") {
+        renderFooter({
+          nextSteps: [
+            { cmd: "vibecheck scan", desc: "analyze your codebase" },
+          ],
+          showUpsell: true,
+        });
+      } else {
+        console.log();
+      }
+    }
+    return EXIT.SUCCESS;
+  } catch (error) {
+    if (json) {
+      console.log(JSON.stringify({
+        success: false,
+        error: {
+          code: error.code || "INTERNAL_ERROR",
+          message: error.message,
+        },
+      }, null, 2));
+    } else {
+      renderError(`Whoami failed: ${error.message}`);
+    }
+    return EXIT.INTERNAL_ERROR;
+  }
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// CHECK (--check flag)
+// ═══════════════════════════════════════════════════════════════════════════════
+async function runCheck(args) {
+  const { flags } = parseGlobalFlags(args);
+  const json = isJsonMode(flags);
+  try {
+    const result = await checkAuth();
+    if (json) {
+      console.log(JSON.stringify({
+        success: result.authenticated,
+        data: {
+          authenticated: result.authenticated,
+          tier: result.tier,
+          source: result.source,
+          keyMasked: result.keyMasked,
+          networkOk: result.networkOk,
+          cacheValid: result.cacheValid,
+          cacheAge: result.cacheAge,
+          user: result.user,
+        },
+        error: result.error,
+        timestamp: new Date().toISOString(),
+      }, null, 2));
+    } else {
+      if (result.authenticated) {
+        console.log(`  ${sym.success} API key valid (${result.keyMasked})`);
+        console.log(`  ${sym.success} Tier: ${result.tier.toUpperCase()}`);
+        console.log(`  ${result.networkOk ? sym.success : sym.warning} Network: ${result.networkOk ? 'API reachable' : 'Offline (using cache)'}`);
+        if (result.cacheAge !== undefined) {
+          const mins = Math.floor(result.cacheAge / 60);
+          console.log(`  ${ansi.dim}Cache: ${result.cacheValid ? 'valid' : 'stale'} (${mins}m old)${ansi.reset}`);
+        }
+        console.log();
+      } else {
+        console.log(`  ${sym.error} Not authenticated`);
+        if (result.error) {
+          console.log(`  ${ansi.dim}${result.error.recovery}${ansi.reset}`);
+        }
+        console.log();
+      }
+    }
+    return result.authenticated ? EXIT.SUCCESS : EXIT.AUTH_REQUIRED;
+  } catch (error) {
+    if (json) {
+      console.log(JSON.stringify({ success: false, error: error.message }));
+    } else {
+      renderError(`Check failed: ${error.message}`);
+    }
+    return EXIT.INTERNAL_ERROR;
+  }
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// REFRESH (--refresh flag)
+// ═══════════════════════════════════════════════════════════════════════════════
+async function runRefresh(args) {
+  const { flags } = parseGlobalFlags(args);
+  const quiet = shouldSuppressOutput(flags);
+  const json = isJsonMode(flags);
+  try {
+    const resolved = resolveApiKey();
+    if (!resolved.key) {
+      if (json) {
+        console.log(JSON.stringify({ success: false, error: "Not logged in" }));
+      } else {
+        renderError("Not logged in");
+        console.log(`  ${ansi.dim}Run "vibecheck login" first.${ansi.reset}\n`);
+      }
+      return EXIT.AUTH_REQUIRED;
+    }
+    const spinner = !quiet && !json ? new Spinner("Refreshing entitlements").start() : null;
+    const entitlements = await refreshEntitlements();
+    if (entitlements) {
+      const tier = entitlements.plan === "free" ? "free" : "pro";
+      if (json) {
+        console.log(JSON.stringify({
+          success: true,
+          data: {
+            tier,
+            user: entitlements.user,
+            refreshedAt: new Date().toISOString(),
+          },
+        }, null, 2));
+      } else if (!quiet) {
+        spinner?.succeed("Entitlements refreshed");
+        console.log(`  ${ansi.dim}Tier:${ansi.reset} ${getTierBadge(tier)}`);
+        console.log(`  ${ansi.dim}Cache updated (expires in 10m)${ansi.reset}\n`);
+      }
+      return EXIT.SUCCESS;
+    } else {
+      spinner?.fail("Failed to refresh entitlements");
+      if (json) {
+        console.log(JSON.stringify({ success: false, error: "Could not reach API" }));
+      }
+      return EXIT.NETWORK_ERROR;
+    }
+  } catch (error) {
+    if (json) {
+      console.log(JSON.stringify({ success: false, error: error.message }));
+    } else {
+      renderError(`Refresh failed: ${error.message}`);
+    }
+    return EXIT.INTERNAL_ERROR;
+  }
+}
+// ═══════════════════════════════════════════════════════════════════════════════
+// MAIN ROUTER
+// ═══════════════════════════════════════════════════════════════════════════════
+/**
+ * Unified auth command handler
+ * Handles: login, logout, whoami, --check, --refresh
+ */
+async function runAuth(args = []) {
+  const { flags, cleanArgs } = parseGlobalFlags(args);
+  // Handle --check flag at top level
+  if (args.includes("--check")) {
+    return runCheck(args);
+  }
+  // Handle --refresh flag at top level
+  if (args.includes("--refresh")) {
+    return runRefresh(args);
+  }
+  // Get subcommand
+  const subcommand = cleanArgs[0];
+  const subArgs = cleanArgs.slice(1);
+  // Handle help at top level
+  if (flags.help && !subcommand) {
+    console.log(`
+  ${ansi.bold}USAGE${ansi.reset}
+    ${ansi.cyan}vibecheck auth${ansi.reset} <subcommand> [options]
+  ${ansi.dim}Authentication management${ansi.reset}
+  ${ansi.bold}SUBCOMMANDS${ansi.reset}
+    ${ansi.cyan}login${ansi.reset}              Authenticate with API key
+    ${ansi.cyan}logout${ansi.reset}             Remove stored credentials
+    ${ansi.cyan}whoami${ansi.reset}             Show current user and plan (alias: me)
+  ${ansi.bold}FLAGS${ansi.reset}
+    ${ansi.cyan}--check${ansi.reset}            Validate auth without prompting (CI/scripts)
+    ${ansi.cyan}--refresh${ansi.reset}          Force refresh entitlements from API
+  ${ansi.bold}EXAMPLES${ansi.reset}
+    ${ansi.dim}# Interactive login${ansi.reset}
+    vibecheck auth login
+    ${ansi.dim}# Login with key${ansi.reset}
+    vibecheck auth login --key YOUR_API_KEY
+    ${ansi.dim}# Show current user${ansi.reset}
+    vibecheck auth whoami
+    ${ansi.dim}# Validate auth (for CI)${ansi.reset}
+    vibecheck auth --check
+    ${ansi.dim}# Force refresh${ansi.reset}
+    vibecheck auth --refresh
+    ${ansi.dim}# Logout${ansi.reset}
+    vibecheck auth logout
+  ${ansi.dim}────────────────────────────────────────────────────────────────────${ansi.reset}
+  ${ansi.dim}Get your API key: https://vibecheckai.dev/settings/keys${ansi.reset}
+`);
+    return EXIT.SUCCESS;
+  }
+  // Route to subcommand
+  switch (subcommand) {
+    case "login":
+      return runLogin(subArgs);
+    case "logout":
+      return runLogout(subArgs);
+    case "whoami":
+    case "me":
+      return runWhoami(subArgs);
+    case "check":
+      return runCheck(subArgs);
+    case "refresh":
+      return runRefresh(subArgs);
+    default:
+      // Default to whoami if no subcommand
+      if (!subcommand) {
+        return runWhoami(args);
+      }
+      // If it's a flag, might be intended for login
+      if (subcommand.startsWith("--")) {
+        return runLogin(cleanArgs);
+      }
+      renderError(`Unknown subcommand: ${subcommand}`);
+      console.log(`\nRun ${ansi.cyan}vibecheck auth --help${ansi.reset} for usage.\n`);
+      return EXIT.USER_ERROR;
+  }
+}
+module.exports = {
+  runLogin,
+  runLogout,
+  runWhoami,
+  runCheck,
+  runRefresh,
+  runAuth,
+};