vibehacker 4.1.0 → 4.2.0

package/README.md

@@ -1,77 +1,415 @@
-# Vibe Hacker
+<p align="center">
+  <img src="https://vibsecurity.com/logo.png" alt="Vibe Hacker" width="80" />
+</p>
 
-> Terminal AI assistant for cybersecurity professionals. Free models, autonomous agent, multi-provider rotation. No credit card required.
+<h1 align="center">Vibe Hacker</h1>
 
-[![npm version](https://img.shields.io/npm/v/vibehacker.svg)](https://www.npmjs.com/package/vibehacker)
-[![license](https://img.shields.io/npm/l/vibehacker.svg)](https://github.com/agentichacker/vibehacker/blob/main/LICENSE)
-[![node](https://img.shields.io/node/v/vibehacker.svg)](https://nodejs.org)
+<p align="center">
+  <strong>Terminal AI Cybersecurity Assistant</strong><br/>
+  Autonomous agent with 10 tools, 13 providers, multi-model rotation — 100% free to start.
+</p>
+
+<p align="center">
+  <a href="https://www.npmjs.com/package/vibehacker"><img src="https://img.shields.io/npm/v/vibehacker?color=00ff88&label=npm" alt="npm version" /></a>
+  <a href="https://www.npmjs.com/package/vibehacker"><img src="https://img.shields.io/npm/dm/vibehacker?color=00ff88" alt="npm downloads" /></a>
+  <a href="https://github.com/agentichacker/vibehacker/blob/main/LICENSE"><img src="https://img.shields.io/github/license/agentichacker/vibehacker?color=00ff88" alt="license" /></a>
+  <a href="https://nodejs.org"><img src="https://img.shields.io/badge/node-%3E%3D16-00ff88" alt="node version" /></a>
+</p>
+
+<p align="center">
+  <a href="https://vibsecurity.com">Website</a> &middot;
+  <a href="#install">Install</a> &middot;
+  <a href="#providers">Providers</a> &middot;
+  <a href="https://github.com/agentichacker/vibehacker/issues">Issues</a> &middot;
+  <a href="CONTRIBUTING.md">Contributing</a>
+</p>
+
+---
+
+## What is Vibe Hacker?
+
+Vibe Hacker is an AI-powered cybersecurity assistant that runs entirely in your terminal. It can read, write, and edit files, run shell commands, search codebases, and reason about security — all autonomously.
+
+Think of it as **Claude Code for cybersecurity** — but free, open-source, and works with 13 AI providers out of the box.
+
+```
++-----------------------------------------------------------------+
+|  Vibe Hacker v4.1.0              Hunt Mode       Vibe Model     |
++-----------------------------------------------------------------+
+|                                                                  |
+|  You: Find all SQL injection vulnerabilities in this project     |
+|                                                                  |
+|  > Searching for SQL patterns...                                 |
+|  | grep: "query|execute|raw.*sql" in **/*.js                     |
+|  | read_file: src/db/users.js (lines 45-80)                      |
+|  | edit_file: src/db/users.js (parameterized query)               |
+|  | Done - fixed 3 SQL injection vulnerabilities                  |
+|                                                                  |
+|  Found 3 SQL injection vulnerabilities in src/db/:               |
+|  - users.js:52  string concatenation in WHERE clause             |
+|  - users.js:67  unsanitized ORDER BY                             |
+|  - posts.js:23  raw query with user input                        |
+|  All 3 have been patched with parameterized queries.             |
+|                                                                  |
++-----------------------------------------------------------------+
+| >                                                                |
++-----------------------------------------------------------------+
+```
+
+### Key Features
+
+- **Autonomous Agent** — Reads, writes, edits files and runs commands to complete tasks end-to-end
+- **10 Built-in Tools** — read, edit, write, execute, grep, glob, list, search, mkdir, delete
+- **13 AI Providers** — Groq, Gemini, Cerebras, Mistral, OpenRouter, xAI, Anthropic, OpenAI, and more
+- **Smart Rotation** — Auto-switches providers on rate limits with circuit breaker protection
+- **Surgical Edit** — Exact string replacement with mtime conflict detection and undo support
+- **Parallel Grep** — 8-concurrent file reads with binary extension filtering
+- **Context Management** — 3-phase trimming keeps conversations within token limits
+- **Project Memory** — Reads `VIBEHACKER.md` for project-specific instructions
+- **100% Free** — Works with free-tier API keys, no credit card needed
+
+---
 
 ## Install
 
+### One-liner (Linux / macOS / WSL)
+
+```bash
+curl -fsSL https://vibsecurity.com/install.sh | bash
+```
+
+### npm
+
 ```bash
 npm install -g vibehacker
+```
+
+### Run
+
+```bash
 vibehacker
 ```
 
-Or zero-install:
+### Uninstall
+
 ```bash
-npx vibehacker
+npm uninstall -g vibehacker
+# or
+curl -fsSL https://vibsecurity.com/install.sh | bash -s -- --uninstall
 ```
 
-## Get Started
+### Requirements
 
-1. Get a free API key at [vibsecurity.com](https://vibsecurity.com)
-2. Paste your key when prompted
-3. Start hacking
+- Node.js 16+ (recommend 22 LTS)
+- A terminal with ANSI color support
 
-## Features
+---
 
-- **Chat Mode** — Security Q&A, threat intel, vulnerability research
-- **Hunt Mode** — Autonomous agent with file system + shell access for pentesting, code review, exploit development
-- **Multi-Provider** — Add keys for Groq, Gemini, Cerebras, Mistral, OpenAI, Anthropic, DeepSeek, xAI
-- **Silent Auto-Rotation** — Rate limit on one model? Automatically switches to another. Zero downtime
-- **Cross-Platform** — Windows, macOS, Linux, WSL
+## Quick Start
 
-## Commands
+```bash
+# 1. Install
+npm install -g vibehacker
 
-| Command | Description |
-|---------|-------------|
-| `/mode` | Switch between Chat and Hunt |
-| `/addkey` | Add a provider API key |
-| `/providers` | List configured providers |
-| `/clear` | Clear chat and context |
-| `/update` | Self-update to latest version |
-| `/pro` | Upgrade to Pro (unlimited requests) |
-| `/account` | View usage and tier info |
+# 2. Launch
+vibehacker
+
+# 3. (Optional) Add a free API key for more requests
+#    Inside the app, type:
+/addkey gsk_your_groq_key_here
+```
+
+On first launch you get **50 free requests/day** with zero setup. Add your own free API keys for unlimited usage.
+
+---
+
+## Modes
+
+| Mode | Description | Tools |
+|------|-------------|-------|
+| **Chat** | Expert Q&A — security, engineering, threat intel | None (conversation only) |
+| **Hunt** | Autonomous agent — reads, writes, edits files, runs commands | All 10 tools |
+
+Switch modes with **Tab** or `/mode`.
+
+---
+
+## Tools
+
+Hunt mode gives the AI access to 10 tools for autonomous task completion:
+
+| Tool | Description | Needs Approval |
+|------|-------------|:--------------:|
+| `read_file` | Read file contents with line numbers, offset/limit | No |
+| `edit_file` | Surgical string replacement with diff output and undo | Yes |
+| `write_file` | Create or overwrite files | Yes |
+| `execute_command` | Run shell commands (2 min timeout) | Yes |
+| `grep` | Regex search across files (parallel, 8 concurrent) | No |
+| `glob` | Find files by glob pattern | No |
+| `list_files` | List directory contents | No |
+| `search_files` | Regex search with context lines | No |
+| `create_directory` | Create directories recursively | No |
+| `delete_file` | Delete a file | Yes |
+
+### Tool Approval
+
+Tools that modify your system ask for confirmation before running:
+
+| Option | Key | What it does |
+|--------|-----|-------------|
+| Yes | `1` or `y` | Execute this one time |
+| Always allow | `2` | Auto-approve similar operations going forward |
+| No | `3` or `n` | Reject |
+
+---
 
 ## Keyboard Shortcuts
 
 | Key | Action |
 |-----|--------|
-| `Tab` | Cycle mode |
+| `Tab` | Cycle mode (Chat / Hunt) |
+| `Ctrl+P` | Command palette |
+| `Ctrl+L` | Clear output |
+| `Ctrl+X` | Cancel running request |
 | `Ctrl+R` | Retry last message |
-| `Ctrl+C` | Cancel / exit |
-| `/` | Open command menu |
+| `Up / Down` | Input history |
+| `PageUp / PageDown` | Scroll output |
+| `Escape` | Clear input |
+| `Ctrl+C` | Exit |
+
+---
 
-## Pricing
+## Slash Commands
 
-| | Free | Pro |
-|---|---|---|
-| Requests/day | 50 | Unlimited |
-| Models | Free tier | All + frontier |
-| Support | Community | Email |
-| Price | $0 | $19/mo |
+| Command | Description |
+|---------|-------------|
+| `/clear` | Clear chat history and context |
+| `/undo` | Undo the last file edit |
+| `/modified` | List all files changed this session |
+| `/mode` | Switch mode (Chat / Hunt) |
+| `/retry` | Retry the last message |
+| `/cd <path>` | Change working directory |
+| `/cwd` | Show current directory |
+| `/addkey <key>` | Add an AI provider key |
+| `/providers` | List configured providers |
+| `/model` | Switch model |
+| `/tokens <n>` | Set max output tokens |
+| `/approve` | Manage auto-approved tools |
+| `/refresh` | Refresh model list |
+| `/update` | Check for updates |
+| `/pro` | Upgrade to Pro |
+| `/help` | Show help |
+| `/exit` | Exit |
+
+---
+
+## Providers
+
+Vibe Hacker supports **13 AI providers**. Free-tier providers require no credit card.
+
+### Free Providers
+
+| Provider | Free Limit | Top Models | Get a Key |
+|----------|-----------|------------|-----------|
+| **Built-in** | 50 req/day | Llama 3.3 70B, Qwen3 235B, DeepSeek R1 | No key needed |
+| **Groq** | 14,400 req/day | Llama 3.3 70B, Llama 4 Scout, Kimi K2 | [console.groq.com](https://console.groq.com) |
+| **Cerebras** | 1M tokens/day | Qwen3 235B, Llama 3.1 8B | [inference.cerebras.ai](https://inference.cerebras.ai) |
+| **Gemini** | 1,000 req/day | Gemini 2.5 Flash, 2.5 Pro (1M context!) | [aistudio.google.com](https://aistudio.google.com) |
+| **Mistral** | ~1B tok/month | Codestral, Mistral Large | [console.mistral.ai](https://console.mistral.ai) |
+| **xAI** | $25/mo credits | Grok 3, Grok 3 Mini | [console.x.ai](https://console.x.ai) |
+| **Together** | $1 free credit | Llama 3.3 70B, DeepSeek R1 | [api.together.xyz](https://api.together.xyz) |
+| **OpenRouter** | 50 req/day | 7 free models | [openrouter.ai](https://openrouter.ai) |
+
+### Paid Providers
+
+| Provider | Models | Get a Key |
+|----------|--------|-----------|
+| **Anthropic** | Claude Opus 4.5, Sonnet 4.5, Haiku 3.5 | [console.anthropic.com](https://console.anthropic.com) |
+| **OpenAI** | GPT-4.1, GPT-4o, o4-mini | [platform.openai.com](https://platform.openai.com) |
+| **DeepSeek** | DeepSeek V3, DeepSeek R1 | [platform.deepseek.com](https://platform.deepseek.com) |
+
+### Adding a Provider
+
+Inside Vibe Hacker, type:
+
+```
+/addkey gsk_xxxxxxxxxxxx          # Groq
+/addkey csk-xxxxxxxxxxxx          # Cerebras
+/addkey AIzaxxxxxxxxxxxx          # Gemini
+/addkey mistral:xxxxxxxxxxxx      # Mistral
+/addkey xai-xxxxxxxxxxxx          # xAI
+/addkey sk-ant-xxxxxxxxxxxx       # Anthropic
+/addkey sk-xxxxxxxxxxxx           # OpenAI
+```
+
+Keys are auto-detected by their prefix and stored locally in `~/.vibehacker/config.json`.
+
+### Smart Rotation
+
+When a provider hits a rate limit:
+
+1. Tries another model on the same provider
+2. Switches to the next healthy provider if all models fail
+3. Circuit breaker opens after 3 consecutive failures (30s cooldown)
+4. Providers with open circuit breakers are skipped automatically
+
+This happens silently — you never see rate limit errors.
+
+---
+
+## Project Memory
+
+Create a `VIBEHACKER.md` file in your project root to give the agent project-specific context:
+
+```markdown
+# Project Context
+
+This is a Node.js REST API using Express and PostgreSQL.
+
+## Conventions
+- Use TypeScript strict mode
+- All SQL queries must use parameterized statements
+- Error responses follow RFC 7807
 
 ## Security
+- All endpoints require JWT auth
+- Rate limit: 100 req/min per IP
+- Input validation with Joi on all POST/PUT
+```
+
+Also supports `.vibehacker/context.md` and `.vibehacker/instructions.md`.
+
+---
+
+## Use Cases
+
+### Security Auditing
+```
+Find all OWASP Top 10 vulnerabilities in this project
+Check dependencies for known CVEs
+Find hardcoded secrets in this repo
+```
+
+### Penetration Testing
+```
+Generate a recon checklist for example.com
+Review this firewall config for misconfigurations
+Analyze this pcap for suspicious traffic
+```
+
+### Code Security
+```
+Fix all SQL injection vulnerabilities in src/
+Add input validation to every API endpoint
+Review the auth flow for security issues
+```
+
+### DevSecOps
+```
+Write a GitHub Actions workflow for SAST scanning
+Create a secure Dockerfile for this app
+Set up CSP headers for this Express server
+```
+
+### Learning
+```
+Explain how buffer overflow attacks work
+What is the difference between symmetric and asymmetric encryption?
+Walk me through the TLS 1.3 handshake
+```
+
+---
+
+## Architecture
+
+```
+vibehacker/
+├── index.js              Entry point
+├── install.sh            One-line installer
+└── src/
+    ├── app.js            TUI (blessed), streaming, XML filter, render loop
+    ├── agent.js          Agent loop, system prompt, context management
+    ├── api.js            HTTP streaming, provider health, circuit breaker
+    ├── tools.js          10 tools, file state tracking, parallel grep
+    ├── providers.js      13 provider definitions, rotation logic
+    ├── approve.js        Tool approval dialog
+    └── config.js         Configuration loading and migration
+```
+
+### Technical Highlights
+
+| Feature | Detail |
+|---------|--------|
+| Streaming | Real-time SSE with unified parser (OpenAI + Anthropic formats) |
+| Tool Calling | XML tags in model output — works with any model, no function-calling API needed |
+| Circuit Breaker | Provider health tracking, auto-failover after 3 failures, 30s cooldown |
+| Context Trimming | 3-phase: strip thinking blocks, compress old tool results, drop middle messages |
+| Parallel I/O | Grep runs 8 concurrent file reads with binary extension pre-filtering |
+| Streaming Filter | Array-based XmlStreamFilter with 8KB buffer compaction |
+| Rendering | Adaptive — 30fps during streaming, 60fps idle |
+| Edit Journal | Last 50 edits tracked for `/undo` support |
+| Prompt Cache | System prompt and project memory rebuilt only when cwd/mode changes |
+
+---
+
+## Configuration
+
+Stored in `~/.vibehacker/config.json`:
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `apiKey` | — | Primary API key |
+| `baseURL` | OpenRouter | Primary API endpoint |
+| `maxTokens` | 8192 | Max output tokens per response |
+| `temperature` | 0.6 | Generation temperature (0-1) |
+| `maxToolIterations` | 30 | Max tool calls per task |
+
+---
+
+## FAQ
+
+**Is it really free?**
+Yes. You get 50 requests/day with no setup. Add free keys from Groq, Cerebras, or Gemini for thousands more daily requests.
 
-This is a dual-use security tool. Only use on systems you own or have written authorization to test. By using this tool you acknowledge that you are solely responsible for your actions.
+**Does it send my code to the cloud?**
+Code is sent to your chosen AI provider for processing. Nothing is stored on Vibe Hacker servers. For full privacy, use a self-hosted model.
 
-## Links
+**Which models work best for Hunt mode?**
+Llama 3.3 70B (Groq) and Qwen3 235B (Cerebras) handle tool calling best. Gemini 2.5 Flash offers 1M context for large codebases.
 
-- Website: [vibsecurity.com](https://vibsecurity.com)
-- Issues: [github.com/agentichacker/vibehacker/issues](https://github.com/agentichacker/vibehacker/issues)
-- Pricing: [vibsecurity.com/pricing](https://vibsecurity.com/pricing)
+**Can I use OpenAI or Anthropic?**
+Yes. `/addkey sk-your-key` for OpenAI, `/addkey sk-ant-your-key` for Anthropic.
+
+**Windows support?**
+Works via WSL or Git Bash. Native Windows terminal is experimental.
+
+**Node.js version?**
+16 or higher. Recommend 22 LTS.
+
+---
+
+## Pro
+
+**Vibe Hacker Pro** includes unlimited requests, priority model access, faster responses, and priority support.
+
+Visit [vibsecurity.com](https://vibsecurity.com) or type `/pro` in the app.
+
+---
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md).
+
+## Security
+
+Report vulnerabilities per [SECURITY.md](SECURITY.md).
 
 ## License
 
-MIT — see [LICENSE](LICENSE)
+[MIT](LICENSE)
+
+---
+
+<p align="center">
+  Built by <a href="https://vibsecurity.com">Vibe Security</a>
+</p>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibehacker",
-  "version": "4.1.0",
+  "version": "4.2.0",
   "description": "Vibe Hacker — Terminal AI cybersecurity assistant. Free models, autonomous agent, multi-provider rotation.",
   "main": "index.js",
   "bin": {

package/src/app.js

@@ -303,7 +303,6 @@ class HackerCLIApp {
         this.providers.add(key);
         this.providers.clearLimits();
         this._updateModeBar();
-        this._pendingModelPick = true; // show model picker after welcome
         this._freshSetup = true; // skip silent key check — model fetch validates key
       }
     }
@@ -336,17 +335,11 @@ class HackerCLIApp {
     this._log('');
     this.screen.render();
 
-    // After first-run setup, refresh models and show picker
-    if (this._pendingModelPick) {
-      this._pendingModelPick = false;
-      this._refreshModelsAndPick();
-    } else {
-      // Always refresh models on startup so stale models don't cause 404s
-      const cfg2 = require('./config');
-      if (cfg2.hasKey()) {
-        this._silentModelRefresh();
-        this._checkTier();
-      }
+    // Always silently refresh models on startup — no picker, no prompts
+    const cfg2 = require('./config');
+    if (cfg2.hasKey()) {
+      this._silentModelRefresh();
+      this._checkTier();
     }
 
     // Background update check — delayed 3s so it doesn't slow the first render
@@ -394,8 +387,15 @@ class HackerCLIApp {
       this._updateModeBar();
     });
 
-    sc.key(['pageup'],   () => { this.chat.scroll(-Math.floor(this.chat.height / 2)); sc.render(); });
-    sc.key(['pagedown'], () => { this.chat.scroll( Math.floor(this.chat.height / 2)); sc.render(); });
+    // Smooth scrolling — scroll by a few lines, not half-page jumps
+    const SCROLL_LINES = 3;
+    const PAGE_LINES   = () => Math.max(3, Math.floor(this.chat.height / 2));
+    sc.key(['pageup'],   () => { this.chat.scroll(-PAGE_LINES()); sc.render(); });
+    sc.key(['pagedown'], () => { this.chat.scroll( PAGE_LINES()); sc.render(); });
+
+    // Mouse wheel scrolling — smooth 3-line increments
+    this.chat.on('wheelup',   () => { this.chat.scroll(-SCROLL_LINES); this.screen.render(); });
+    this.chat.on('wheeldown', () => { this.chat.scroll( SCROLL_LINES); this.screen.render(); });
 
     // ── Manual keyboard input (bypasses inputOnFocus raw capture) ──
     sc.on('keypress', (ch, key) => {
@@ -603,14 +603,15 @@ class HackerCLIApp {
     const modelName = model ? 'Vibe Model' : '—';
     const mode = MODES[this.modeIndex];
 
-    // Tier badge with remaining
+    // Tier badge with remaining requests
     let tierBadge = '';
     if (this._tier === 'pro') {
       tierBadge = '{#ffaa00-fg}{bold}PRO{/bold}{/#ffaa00-fg}';
-    } else if (this._tier === 'free' && this._remaining !== null) {
-      const r = this._remaining;
-      const color = r > 50 ? '#00cc44' : r > 15 ? '#ffaa00' : '#ff4444';
-      tierBadge = `{#00aa44-fg}FREE{/#00aa44-fg} {${color}-fg}${r}{/${color}-fg}`;
+    } else {
+      const limit = this._dailyLimit || 50;
+      const r = this._remaining !== null && this._remaining !== undefined ? this._remaining : limit;
+      const color = r > 25 ? '#00cc44' : r > 10 ? '#ffaa00' : r > 0 ? '#ff6600' : '#ff4444';
+      tierBadge = `{${color}-fg}${r}/${limit}{/${color}-fg}`;
     }
 
     return (
@@ -1189,38 +1190,12 @@ class HackerCLIApp {
       }
 
       case 'login': case 'auth': {
-        // Open vibsecurity.com/login in browser, prompt user to paste their API key
-        const { openLoginPage, LOGIN_URL } = require('./auth');
+        // Redirect to /addkey — no separate login flow
         this._log('');
-        this._log('{#00aa44-fg}  Opening browser…{/#00aa44-fg}');
-        this._log(`  {#444444-fg}If it doesn't open: ${esc(LOGIN_URL)}{/#444444-fg}`);
+        this._log('{#444444-fg}  Use {#00ff88-fg}/addkey <paste-key>{/#00ff88-fg} to add a provider key.{/#444444-fg}');
+        this._log('{#444444-fg}  Get a free key: {cyan-fg}vibsecurity.com{/cyan-fg}{/#444444-fg}');
         this._log('');
         this.screen.render();
-        openLoginPage().catch(() => {});
-        this._promptInput('Paste your API key (vh_… / sk-or-v1-… / gsk_…):', (k) => {
-          k = (k || '').trim();
-          if (!k) {
-            this._log('{red-fg}  ✗ No key entered.{/red-fg}');
-            this.screen.render();
-            return;
-          }
-          try {
-            const type = this.providers.add(k);
-            this.providers.clearLimits();
-            this._dailyLimitHit = false;
-            this._updateModeBar();
-            const pname = (PROVIDERS[type] || {}).name || type;
-            this._log('');
-            this._log(`{green-fg}{bold}  ✓ ${esc(pname)} key saved.{/bold}{/green-fg}`);
-            this._log('');
-            this.screen.render();
-            this._checkTier();
-            this._refreshModelsAndPick();
-          } catch (err) {
-            this._log(`{red-fg}  ✗ ${esc(err.message || 'Invalid key')}{/red-fg}`);
-            this.screen.render();
-          }
-        });
         break;
       }
 
@@ -1322,8 +1297,8 @@ class HackerCLIApp {
           return;
         }
         doAdd(newKey);
-        // After adding key, refresh models from API then let user pick
-        this._refreshModelsAndPick();
+        // Silently refresh models — auto-rotation handles the rest
+        this._silentModelRefresh();
         return;
       }
 
@@ -1476,7 +1451,7 @@ class HackerCLIApp {
 
           // Usage
           if (this._remaining !== null && this._remaining !== undefined) {
-            const limit = this._dailyLimit || 100;
+            const limit = this._dailyLimit || 50;
             const used = limit - this._remaining;
             const pct = Math.round((used / limit) * 100);
             const barW = 20;
@@ -1893,7 +1868,7 @@ class HackerCLIApp {
     this._log('{#005500-fg}  ┌──────────────────────────────────────────────────────┐{/#005500-fg}');
     this._log(`{#005500-fg}  │{/#005500-fg}  {yellow-fg}{bold}⚠ Daily limit reached{/bold}{/yellow-fg}                                  {#005500-fg}│{/#005500-fg}`);
     this._log('{#005500-fg}  │{/#005500-fg}                                                        {#005500-fg}│{/#005500-fg}');
-    this._log("{#005500-fg}  │{/#005500-fg}  {#888888-fg}You've used all 100 free requests for today.{/#888888-fg}     {#005500-fg}│{/#005500-fg}");
+    this._log("{#005500-fg}  │{/#005500-fg}  {#888888-fg}You've used all 50 free requests for today.{/#888888-fg}      {#005500-fg}│{/#005500-fg}");
     this._log('{#005500-fg}  │{/#005500-fg}  {#888888-fg}Resets in 24 hours or upgrade for unlimited.{/#888888-fg}     {#005500-fg}│{/#005500-fg}');
     this._log('{#005500-fg}  │{/#005500-fg}                                                        {#005500-fg}│{/#005500-fg}');
     this._log('{#005500-fg}  │{/#005500-fg}  {#00ff88-fg}{bold}Go Pro → vibsecurity.com{/bold}{/#00ff88-fg}                         {#005500-fg}│{/#005500-fg}');
@@ -2014,7 +1989,7 @@ class HackerCLIApp {
         this._refreshHeader();
         this._log('');
         this._log('{red-fg}{bold}  ⚠ Daily request limit reached{/bold}{/red-fg}');
-        this._log(`{#888888-fg}  Free tier: ${this._dailyLimit || 100} requests/day{/#888888-fg}`);
+        this._log(`{#888888-fg}  Free tier: ${this._dailyLimit || 50} requests/day{/#888888-fg}`);
         this._log('');
         this._log('{#00ff88-fg}  Go Pro for unlimited requests:{/#00ff88-fg}');
         this._log('  {cyan-fg}{bold}https://vibsecurity.com{/bold}{/cyan-fg}');
@@ -2154,29 +2129,7 @@ class HackerCLIApp {
     });
   }
 
-  // ── Refresh models then show picker ────────────────────────────────────────
-
-  async _refreshModelsAndPick() {
-    this._log('{#444444-fg}[fetching available free models…]{/#444444-fg}');
-    this.screen.render();
-    try {
-      const cfg = require('./config');
-      const count = await this.models.refresh(cfg.apiKey, cfg.baseURL);
-      if (count > 0) {
-        this._log(`{green-fg}[found ${count} free models — choose your default:]{/green-fg}`);
-        this._updateModeBar();
-      } else {
-        this._log('{#444444-fg}[using built-in model list]{/#444444-fg}');
-      }
-    } catch (err) {
-      this._log(`{yellow-fg}[could not fetch models: ${esc(err.message)} — using defaults]{/yellow-fg}`);
-    }
-    this.screen.render();
-
-    // Small delay so user sees the log, then open picker
-    await new Promise(r => setTimeout(r, 300));
-    await this._showModelPicker();
-  }
+  // (_refreshModelsAndPick removed — models refresh silently, auto-rotation handles switching)
 
   // ── Exit ──────────────────────────────────────────────────────────────────