vigthoria-cli 1.9.5 → 1.9.8

package/README.md

@@ -99,7 +99,7 @@ If you see `ENOTFOUND registry.npmjs.org`, try these solutions:
 4. **Direct tarball download:**
    ```bash
    # Download directly
-   npm install -g https://coder.vigthoria.io/releases/vigthoria-cli-1.9.3.tgz
+   npm install -g https://coder.vigthoria.io/releases/vigthoria-cli-1.9.8.tgz
    ```
 
 5. **Use Git clone method (no npm registry needed):**

package/dist/commands/auth.js

@@ -20,6 +20,7 @@ const fs_1 = require("fs");
 const os_1 = require("os");
 const path_1 = __importDefault(require("path"));
 const readline_1 = __importDefault(require("readline"));
+const config_js_1 = require("../utils/config.js");
 const DEFAULT_API_URL = 'https://coder.vigthoria.io';
 const CONFIG_DIR = path_1.default.join((0, os_1.homedir)(), '.vigthoria');
 const CONFIG_FILE = path_1.default.join(CONFIG_DIR, 'config.json');
@@ -65,6 +66,36 @@ function ensureConfigDir() {
         // Best-effort on non-POSIX filesystems.
     }
 }
+function syncSharedConfig(config) {
+    try {
+        const shared = new config_js_1.Config();
+        shared.set('apiUrl', trimTrailingSlash(config.apiUrl || getApiUrl()));
+        if (config.token) {
+            shared.set('authToken', config.token);
+        }
+        if (config.user?.id) {
+            shared.set('userId', String(config.user.id));
+        }
+        if (config.user?.email) {
+            shared.set('email', String(config.user.email));
+        }
+    }
+    catch {
+        // Keep legacy auth flow working even if shared config write fails.
+    }
+}
+function clearSharedConfigAuth() {
+    try {
+        const shared = new config_js_1.Config();
+        shared.set('authToken', null);
+        shared.set('refreshToken', null);
+        shared.set('userId', null);
+        shared.set('email', null);
+    }
+    catch {
+        // Ignore shared config clear failures during logout.
+    }
+}
 function humanMessage(error) {
     const raw = error instanceof Error ? error.message : String(error);
     if (/^\s*</.test(raw) || /<!doctype html/i.test(raw)) {
@@ -128,24 +159,44 @@ function saveAuthConfig(config) {
     catch {
         // Best-effort on non-POSIX filesystems.
     }
+    syncSharedConfig(config);
 }
 function clearAuthConfig() {
     if ((0, fs_1.existsSync)(CONFIG_FILE)) {
         (0, fs_1.rmSync)(CONFIG_FILE, { force: true });
     }
+    clearSharedConfigAuth();
 }
 function getAuthToken() {
     return process.env.VIGTHORIA_TOKEN || loadAuthConfig().token;
 }
 async function requestJson(url, init) {
-    const response = await fetch(url, {
-        ...init,
-        headers: {
-            accept: 'application/json',
-            'content-type': 'application/json',
-            ...(init.headers || {}),
-        },
-    });
+    const timeoutMsRaw = Number(process.env.VIGTHORIA_AUTH_TIMEOUT_MS || 8000);
+    const timeoutMs = Number.isFinite(timeoutMsRaw) && timeoutMsRaw > 0 ? timeoutMsRaw : 8000;
+    const controller = new AbortController();
+    const timeoutHandle = setTimeout(() => controller.abort(), timeoutMs);
+    let response;
+    try {
+        response = await fetch(url, {
+            ...init,
+            signal: controller.signal,
+            headers: {
+                accept: 'application/json',
+                'content-type': 'application/json',
+                ...(init.headers || {}),
+            },
+        });
+    }
+    catch (error) {
+        const name = error?.name;
+        if (name === 'AbortError') {
+            throw new Error(`Authentication request timed out after ${timeoutMs}ms`);
+        }
+        throw error;
+    }
+    finally {
+        clearTimeout(timeoutHandle);
+    }
     const text = await response.text();
     let body = {};
     if (text.trim()) {
@@ -425,10 +476,38 @@ async function statusAction() {
         catch {
             // Keep local status available even if remote whoami endpoint is down.
         }
+        const sharedConfig = new config_js_1.Config();
+        let overallStatus = 'Unknown';
+        let coderStatus = 'Unknown';
+        let modelsStatus = 'Unknown';
+        try {
+            const [coderResponse, modelsResponse] = await Promise.all([
+                fetch(`${trimTrailingSlash(config.apiUrl)}/api/health`),
+                fetch('https://api.vigthoria.io/health'),
+            ]);
+            const coderJson = await coderResponse.json().catch(() => ({}));
+            const modelsJson = await modelsResponse.json().catch(() => ({}));
+            const coderOk = coderResponse.ok && (coderJson.status === 'ok' || coderJson.healthy === true);
+            const modelsOk = modelsResponse.ok && (modelsJson.status === 'ok' || modelsJson.status === 'healthy' || modelsJson.healthy === true);
+            coderStatus = coderOk ? 'Online' : 'Offline';
+            modelsStatus = modelsOk ? 'Online' : 'Offline';
+            overallStatus = coderOk && modelsOk ? 'Healthy' : 'Degraded';
+        }
+        catch {
+            // Status should still render even if health probes fail.
+        }
+        const plan = String(sharedConfig.get('subscription')?.plan || '').trim();
+        console.log(chalk_1.default.white('Account Status'));
         console.log(chalk_1.default.green('Logged in.'));
         if (user?.email) {
             console.log(`Account: ${user.email}`);
         }
+        if (plan) {
+            console.log(`Plan: ${plan.toUpperCase()}`);
+        }
+        console.log(`Overall: ${overallStatus}`);
+        console.log(`Coder API: ${coderStatus}`);
+        console.log(`Models API: ${modelsStatus}`);
         console.log(`API: ${config.apiUrl}`);
         process.exitCode = 0;
     }

package/dist/commands/bridge.js

@@ -19,14 +19,9 @@ class BridgeCommand {
         console.log();
         console.log(chalk_1.default.white('DevTools Bridge:'));
         console.log(chalk_1.default.gray('  Status: ') + (bridge.ok ? chalk_1.default.green('Reachable') : chalk_1.default.yellow('Not running')));
-        // Only show error details for unexpected failures — suppress
-        // "Connection timed out" / "ECONNREFUSED" for the normal
-        // not-running case to keep the UX clean.
-        if (bridge.error && bridge.ok === false) {
-            const isExpectedDown = /timed? out|ECONNREFUSED|connect ECONNREFUSED|Connection refused/i.test(bridge.error);
-            if (!isExpectedDown) {
-                console.log(chalk_1.default.gray('  Detail: ') + chalk_1.default.yellow(bridge.error));
-            }
+        if (!bridge.ok) {
+            const detail = String(bridge.error || 'Connection refused').trim() || 'Connection refused';
+            console.log(chalk_1.default.gray('  Error: ') + chalk_1.default.yellow(detail));
         }
         console.log(chalk_1.default.gray('  Browser tasks: ') + (bridge.ok
             ? chalk_1.default.green('Local browser observability is available for debugging flows.')

package/dist/commands/chat.js

@@ -66,9 +66,12 @@ const DEFAULT_V3_AGENT_IDLE_TIMEOUT_MS = (() => {
     return Number.isFinite(parsed) && parsed >= 0 ? parsed : 0;
 })();
 const DEFAULT_V3_AGENT_SOFT_TIMEOUT_MS = (() => {
-    const rawValue = process.env.VIGTHORIA_AGENT_SOFT_TIMEOUT_MS || process.env.V3_AGENT_SOFT_TIMEOUT_MS || '300000';
+    const rawValue = process.env.VIGTHORIA_AGENT_SOFT_TIMEOUT_MS || process.env.V3_AGENT_SOFT_TIMEOUT_MS;
+    if (!rawValue) {
+        return 0;
+    }
     const parsed = Number.parseInt(rawValue, 10);
-    return Number.isFinite(parsed) && parsed > 0 ? parsed : 300000;
+    return Number.isFinite(parsed) && parsed >= 0 ? parsed : 0;
 })();
 class ChatCommand {
     config;
@@ -192,7 +195,9 @@ class ChatCommand {
                 if (attempt >= retries || (!this.isNetworkError(error) && !this.isTimeoutError(error))) {
                     this.handleApiError(error, context);
                 }
-                this.logger.warn(`${context} failed due to ${this.isTimeoutError(error) ? 'timeout' : 'network error'}; retrying (${attempt + 1}/${retries})...`);
+                if (!this.jsonOutput) {
+                    this.logger.warn(`${context} failed due to ${this.isTimeoutError(error) ? 'timeout' : 'network error'}; retrying (${attempt + 1}/${retries})...`);
+                }
                 await new Promise((resolve) => setTimeout(resolve, 500 * (attempt + 1)));
             }
         }
@@ -221,7 +226,9 @@ class ChatCommand {
                 reason: 'governance-blocked-model',
             };
             this.currentModel = effectiveModel;
-            this.logger.warn(`Model ${requestedModel} is not permitted for no-agent chat; using ${effectiveModel}`);
+            if (!this.jsonOutput) {
+                this.logger.warn(`Model ${requestedModel} is not permitted for no-agent chat; using ${effectiveModel}`);
+            }
             return;
         }
         this.modelGovernanceFallback = null;
@@ -248,7 +255,7 @@ class ChatCommand {
     }
     operatorAccessMessage() {
         const currentPlan = this.config.get('subscription').plan || 'free';
-        return `Operator mode requires Enterprise or admin access. Current plan: ${currentPlan}.`;
+        return `Operator mode requires Pro, Ultra, Enterprise, or admin access. Current plan: ${currentPlan}.`;
     }
     getDefaultChatModel() {
         const preferredModel = String(this.config.get('preferences').defaultModel || '').trim().toLowerCase();
@@ -877,11 +884,16 @@ class ChatCommand {
             return;
         }
         if (options.prompt) {
-            // Wrap in a timeout to guarantee bridge cleanup even if the agent
-            // loop hangs (e.g. model takes forever on a turn).
-            const BRIDGE_TIMEOUT_MS = 180_000; // 3 minutes max for a single prompt
+            const bridgePromptTimeoutMs = (() => {
+                const rawValue = process.env.VIGTHORIA_BRIDGE_PROMPT_TIMEOUT_MS || process.env.V3_BRIDGE_PROMPT_TIMEOUT_MS;
+                if (!rawValue) {
+                    return 0;
+                }
+                const parsed = Number.parseInt(rawValue, 10);
+                return Number.isFinite(parsed) && parsed >= 0 ? parsed : 0;
+            })();
             let timedOut = false;
-            const timeoutId = options.bridge
+            const timeoutId = options.bridge && bridgePromptTimeoutMs > 0
                 ? setTimeout(() => {
                     timedOut = true;
                     const b = (0, bridge_client_js_1.getBridgeClient)();
@@ -890,10 +902,10 @@ class ChatCommand {
                         b.destroy();
                     }
                     if (!this.jsonOutput) {
-                        this.logger.error('Bridge prompt timed out after 3 minutes.');
+                        this.logger.error('Bridge prompt timed out after ' + Math.round(bridgePromptTimeoutMs / 1000) + ' seconds.');
                     }
                     process.exitCode = 1;
-                }, BRIDGE_TIMEOUT_MS)
+                }, bridgePromptTimeoutMs)
                 : null;
             await this.handleDirectPrompt(options.prompt);
             if (timeoutId)
@@ -1093,7 +1105,7 @@ class ChatCommand {
     async handleDirectPrompt(prompt) {
         // Suppress all setup banners in direct-prompt mode so only the final
         // answer reaches stdout.  Interactive (REPL) mode still shows them.
-        if (!this.jsonOutput && !this.directPromptMode) {
+        if (!this.jsonOutput) {
             console.log(chalk_1.default.cyan('Running single prompt in direct mode.'));
             console.log(chalk_1.default.gray(`Model: ${this.currentModel}`));
             console.log(chalk_1.default.gray(`Project: ${this.currentProjectPath}`));
@@ -1745,12 +1757,12 @@ class ChatCommand {
             tool: 'read_file',
             args: { path: targetFile },
         };
-        if (!this.jsonOutput && !this.directPromptMode) {
+        if (!this.jsonOutput) {
             console.log(chalk_1.default.cyan(`⚙ Executing: ${readCall.tool}`));
         }
         const readResult = await this.tools.execute(readCall);
         const readSummary = this.formatToolResult(readCall, readResult);
-        if (!this.jsonOutput && !this.directPromptMode) {
+        if (!this.jsonOutput) {
             console.log(readResult.success ? chalk_1.default.gray(readSummary) : chalk_1.default.red(readSummary));
         }
         this.messages.push({ role: 'system', content: readSummary });
@@ -1793,12 +1805,12 @@ class ChatCommand {
                 content: rewrittenContent,
             },
         };
-        if (!this.jsonOutput && !this.directPromptMode) {
+        if (!this.jsonOutput) {
             console.log(chalk_1.default.cyan(`⚙ Executing: ${writeCall.tool}`));
         }
         const writeResult = await this.tools.execute(writeCall);
         const writeSummary = this.formatToolResult(writeCall, writeResult);
-        if (!this.jsonOutput && !this.directPromptMode) {
+        if (!this.jsonOutput) {
             console.log(writeResult.success ? chalk_1.default.gray(writeSummary) : chalk_1.default.red(writeSummary));
         }
         this.messages.push({ role: 'system', content: writeSummary });
@@ -1972,7 +1984,7 @@ class ChatCommand {
             }
             else if (this.v3StreamingStarted) {
                 // Content was already streamed to stdout in real-time; skip duplicate print.
-                if (!this.directPromptMode) {
+                if (!this.jsonOutput) {
                     console.log(chalk_1.default.gray(`Agent routing: ${routingPolicy.cloudSelected ? 'Vigthoria Cloud' : 'V3 Agent'}`));
                 }
             }
@@ -1988,7 +2000,7 @@ class ChatCommand {
                 }
                 console.log('V3 agent workflow completed.');
             }
-            if (!this.jsonOutput && !this.directPromptMode && previewGate?.required) {
+            if (!this.jsonOutput && previewGate?.required) {
                 if (previewGate.passed) {
                     console.log(chalk_1.default.gray(`Template Service preview gate: passed via ${previewGate.backendUrl || 'unknown backend'}`));
                 }
@@ -2897,7 +2909,7 @@ class ChatCommand {
         }
         // In direct-prompt mode (--prompt), suppress verbose tool output so
         // only the final answer prints.  In interactive mode, show full detail.
-        const verbose = !this.jsonOutput && !this.directPromptMode;
+        const verbose = !this.jsonOutput;
         for (const call of toolCalls) {
             if (verbose) {
                 console.log(chalk_1.default.cyan(`⚙ Executing: ${call.tool}`));

package/dist/commands/legion.js

@@ -76,6 +76,7 @@ const HYPERLOOP_URLS = (0, api_js_1.isServerRuntime)()
 const CORTEX_WARN_BUDGET_USD = 3.5;
 const CORTEX_HARD_BUDGET_USD = 5.0;
 const CORTEX_MAX_ROUNDS = 2;
+const CORTEX_PLATFORM_FEE_PCT = 10;
 const execAsync = (0, node_util_1.promisify)(node_child_process_1.exec);
 class LegionCommand {
     config;
@@ -209,13 +210,13 @@ class LegionCommand {
         if (billingQuote.retryAdjustedUsd > CORTEX_WARN_BUDGET_USD) {
             console.log(chalk_1.default.yellow(`Estimated spend exceeds warning threshold ($${CORTEX_WARN_BUDGET_USD.toFixed(2)}).`));
         }
-        if (billingQuote.retryAdjustedUsd > CORTEX_HARD_BUDGET_USD && !options.forceBudget) {
-            console.log(chalk_1.default.red(`Estimated spend exceeds hard budget ceiling ($${CORTEX_HARD_BUDGET_USD.toFixed(2)}).`));
+        let billingGate = await this.evaluateBillingGate(billingQuote);
+        this.printCortexQuote(workspace, scan, quote, billingQuote, billingGate);
+        if (billingQuote.retryAdjustedUsd > CORTEX_HARD_BUDGET_USD && !options.forceBudget && !billingGate.masterAdminFree) {
+            console.log(chalk_1.default.red(`Estimated spend exceeds hard budget ceiling (${CORTEX_HARD_BUDGET_USD.toFixed(2)}).`));
             console.log(chalk_1.default.yellow('Re-run with --force-budget to continue.'));
             return;
         }
-        let billingGate = await this.evaluateBillingGate(billingQuote);
-        this.printCortexQuote(workspace, scan, quote, billingQuote, billingGate);
         if (options.planOnly) {
             console.log(chalk_1.default.green('Cortex estimator complete (plan-only).'));
             return;
@@ -326,6 +327,7 @@ class LegionCommand {
             tier: previousQuote.tier,
             vigcoinRateUsd: previousQuote.vigcoinRateUsd,
             vigcoinRequired: retryAdjustedUsd / previousQuote.vigcoinRateUsd,
+            platformFeePct: previousQuote.platformFeePct,
         };
     }
     async confirmAdditionalLoopCharge(nextQuote, nextRound, execution) {
@@ -640,7 +642,9 @@ class LegionCommand {
         const baseUsd = quote.reduce((sum, r) => sum + r.estCostUsd, 0);
         const marginPctRaw = Number.parseFloat(String(process.env.VIGTHORIA_CORTEX_MARGIN_PCT || process.env.VIGTHORIA_GODMODE_MARGIN_PCT || '10'));
         const marginPct = Number.isFinite(marginPctRaw) ? Math.max(0, marginPctRaw) : 10;
-        const finalUsd = baseUsd * (1 + (marginPct / 100));
+        const platformFeePct = CORTEX_PLATFORM_FEE_PCT;
+        const platformFeeMultiplier = 1 + (platformFeePct / 100);
+        const finalUsd = baseUsd * (1 + (marginPct / 100)) * platformFeeMultiplier;
         // Retry-adjusted estimate: all 7 critical roles can trigger the quality-gate
         // retry in state_manager.py (adds +2 iterations per degraded role).
         // Probability of retry per critical role ≈ 45% (from production telemetry).
@@ -651,13 +655,13 @@ class LegionCommand {
         const retryExtra = quote
             .filter((r) => CRITICAL_ROLES.has(r.role))
             .reduce((sum, r) => sum + r.estCostUsd * RETRY_PROB * RETRY_ITER_RATIO, 0);
-        const retryAdjustedUsd = (baseUsd + retryExtra) * (1 + (marginPct / 100));
+        const retryAdjustedUsd = (baseUsd + retryExtra) * (1 + (marginPct / 100)) * platformFeeMultiplier;
         // Range bounds.
         const rangeMinUsd = finalUsd; // single pass, no retries
         const maxRetryExtra = quote
             .filter((r) => CRITICAL_ROLES.has(r.role))
             .reduce((sum, r) => sum + r.estCostUsd * RETRY_ITER_RATIO, 0);
-        const rangeMaxUsd = (baseUsd + maxRetryExtra) * (1 + (marginPct / 100));
+        const rangeMaxUsd = (baseUsd + maxRetryExtra) * (1 + (marginPct / 100)) * platformFeeMultiplier;
         const vigcoinRateRaw = Number.parseFloat(String(process.env.VIGTHORIA_VIGCOIN_USD_RATE || '1'));
         const vigcoinRateUsd = Number.isFinite(vigcoinRateRaw) && vigcoinRateRaw > 0 ? vigcoinRateRaw : 1;
         const vigcoinRequired = retryAdjustedUsd / vigcoinRateUsd;
@@ -671,6 +675,7 @@ class LegionCommand {
             tier,
             vigcoinRateUsd,
             vigcoinRequired,
+            platformFeePct,
         };
     }
     async evaluateBillingGate(billingQuote) {
@@ -1069,6 +1074,7 @@ class LegionCommand {
             return;
         }
         console.log(chalk_1.default.gray(`    Estimated total (USD): $${billingQuote.retryAdjustedUsd.toFixed(4)}`) + chalk_1.default.gray(' (retry-adjusted expected)'));
+        console.log(chalk_1.default.gray(`    Platform fee: +${billingQuote.platformFeePct.toFixed(0)}% (already included in all estimates)`));
         console.log(chalk_1.default.gray(`    VigCoin rate: 1 VIG = $${billingQuote.vigcoinRateUsd.toFixed(4)}`));
         console.log(chalk_1.default.gray(`    VigCoin required: ${billingQuote.vigcoinRequired.toFixed(3)}`));
         if (gate.wallet.vigcoinBalance !== null) {
@@ -1104,7 +1110,9 @@ class LegionCommand {
         console.log();
         console.log(chalk_1.default.white('  Role assignment and estimated cost:'));
         for (const row of quote) {
-            console.log(chalk_1.default.gray(`    ${logger_js_1.CH.bullet} ${row.role.padEnd(11)} ${row.model}  $${row.estCostUsd.toFixed(4)}`));
+            const publicModelLabel = row.requestedModel || row.model.replace(/^openrouter:/i, '').split('/').pop() || 'managed-model';
+            const roleEstWithFee = row.estCostUsd * (1 + (billingQuote.platformFeePct / 100));
+            console.log(chalk_1.default.gray(`    ${logger_js_1.CH.bullet} ${row.role.padEnd(11)} ${publicModelLabel}  $${roleEstWithFee.toFixed(4)}`));
         }
         console.log();
         console.log(chalk_1.default.yellow(`  Cost range (single-pass best case):  $${billingQuote.rangeMinUsd.toFixed(4)}`));
@@ -1113,6 +1121,7 @@ class LegionCommand {
         console.log(chalk_1.default.gray('  Retry model: 45% chance per critical role triggers quality-gate (+40% iterations per retry).'));
         console.log(chalk_1.default.gray('  A mid-run checkpoint will appear when 70% of the expected estimate is consumed.'));
         console.log(chalk_1.default.gray('  Flow: Estimate -> Isolation -> Parallel Attack -> Synthesis'));
+        console.log(chalk_1.default.gray(`  All displayed costs include platform fee (+${billingQuote.platformFeePct.toFixed(0)}%).`));
         console.log();
         this.printBillingGateSummary(billingQuote, gate);
         console.log();
@@ -1224,7 +1233,7 @@ class LegionCommand {
             : 10;
         const baseEstimateUsd = (cortexExecution?.quote || []).reduce((s, q) => s + q.estCostUsd, 0);
         const budgetCheckpointThreshold = cortexExecution
-            ? baseEstimateUsd * (1 + marginPctMidrun / 100) * 0.70
+            ? baseEstimateUsd * (1 + marginPctMidrun / 100) * (1 + CORTEX_PLATFORM_FEE_PCT / 100) * 0.70
             : Infinity;
         let accumulatedEstUsd = 0;
         let budgetCheckpointFired = false;
@@ -1274,7 +1283,7 @@ class LegionCommand {
                             }
                             // Track spend and trigger mid-run budget checkpoint.
                             const stepRole = String(evt.step_id || '');
-                            accumulatedEstUsd += roleQuoteIndex.get(stepRole) || 0;
+                            accumulatedEstUsd += (roleQuoteIndex.get(stepRole) || 0) * (1 + CORTEX_PLATFORM_FEE_PCT / 100);
                             completedRoleSummaries.push({ role: stepRole, status: String(evt.status || ''), summary: stepSummaryRaw.slice(0, 200) });
                             if (!budgetCheckpointFired
                                 && cortexExecution
@@ -1288,7 +1297,7 @@ class LegionCommand {
                                     .map((q) => q.role);
                                 const remainingEstUsd = (cortexExecution.quote || [])
                                     .filter((q) => remainingRoles.includes(q.role))
-                                    .reduce((s, q) => s + q.estCostUsd, 0);
+                                    .reduce((s, q) => s + (q.estCostUsd * (1 + CORTEX_PLATFORM_FEE_PCT / 100)), 0);
                                 console.log();
                                 console.log(chalk_1.default.bold.yellow('  ━━━ Mid-Run Budget Checkpoint ━━━'));
                                 console.log(chalk_1.default.gray(`  Consumed so far (estimated):  $${accumulatedEstUsd.toFixed(4)}`));

package/dist/commands/security.d.ts

@@ -0,0 +1,20 @@
+import { Config } from '../utils/config.js';
+import { Logger } from '../utils/logger.js';
+interface SecurityOptions {
+    dir?: string;
+    json?: boolean;
+    issueId?: string;
+    apply?: boolean;
+}
+export declare class SecurityCommand {
+    private config;
+    private logger;
+    constructor(config: Config, logger: Logger);
+    private getMcpBaseUrl;
+    private resolveDir;
+    private execute;
+    scan(options: SecurityOptions): Promise<void>;
+    score(options: SecurityOptions): Promise<void>;
+    fix(options: SecurityOptions): Promise<void>;
+}
+export {};

package/dist/commands/security.js

@@ -0,0 +1,98 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityCommand = void 0;
+const axios_1 = __importDefault(require("axios"));
+const path_1 = __importDefault(require("path"));
+class SecurityCommand {
+    config;
+    logger;
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+    }
+    getMcpBaseUrl() {
+        const fromEnv = process.env.VIGTHORIA_MCP_URL || process.env.MCP_SERVER_URL;
+        if (fromEnv && fromEnv.trim()) {
+            return fromEnv.replace(/\/$/, '');
+        }
+        return 'http://127.0.0.1:4008';
+    }
+    resolveDir(dir) {
+        return path_1.default.resolve(dir || process.cwd());
+    }
+    async execute(tool, parameters) {
+        const baseUrl = this.getMcpBaseUrl();
+        const response = await axios_1.default.post(`${baseUrl}/mcp/execute`, {
+            tool,
+            parameters,
+            context: {
+                source: 'vigthoria-cli',
+                client: 'vsec'
+            }
+        }, {
+            timeout: 120000,
+            validateStatus: (status) => status >= 200 && status < 500,
+        });
+        if (!response.data?.success) {
+            const errorText = response.data?.error || `Tool ${tool} failed`;
+            throw new Error(errorText);
+        }
+        const result = response.data?.result || {};
+        return result.result || result;
+    }
+    async scan(options) {
+        const dir = this.resolveDir(options.dir);
+        const result = await this.execute('security_scan', { dir });
+        if (options.json) {
+            console.log(JSON.stringify(result, null, 2));
+            return;
+        }
+        this.logger.info(`Security scan complete for: ${dir}`);
+        this.logger.info(`Score: ${result.score}/100 (${result.grade})`);
+        this.logger.info(`Files scanned: ${result.scannedFiles}`);
+        this.logger.info(`Issues found: ${result.issueCount}`);
+        const issues = Array.isArray(result.issues) ? result.issues : [];
+        for (const issue of issues.slice(0, 20)) {
+            console.log(`- [${issue.severity}] ${issue.id} ${issue.file}:${issue.line} ${issue.message}`);
+        }
+        if (issues.length > 20) {
+            console.log(`... ${issues.length - 20} more issues`);
+        }
+    }
+    async score(options) {
+        const dir = this.resolveDir(options.dir);
+        const result = await this.execute('security_score', { dir });
+        if (options.json) {
+            console.log(JSON.stringify(result, null, 2));
+            return;
+        }
+        this.logger.info(`Security score for ${dir}`);
+        this.logger.info(`${result.score}/100 (${result.grade})`);
+        this.logger.info(result.summary || '');
+    }
+    async fix(options) {
+        const dir = this.resolveDir(options.dir);
+        const result = await this.execute('security_fix', {
+            dir,
+            issue_id: options.issueId,
+            confirm: Boolean(options.apply),
+        });
+        if (options.json) {
+            console.log(JSON.stringify(result, null, 2));
+            return;
+        }
+        this.logger.info(`Security fix plan for ${dir}`);
+        this.logger.info(result.message || 'Fix plan generated');
+        const actions = Array.isArray(result.plannedActions) ? result.plannedActions : [];
+        for (const action of actions.slice(0, 25)) {
+            console.log(`- ${action.issue_id} ${action.file}: ${action.action}`);
+        }
+        if (actions.length > 25) {
+            console.log(`... ${actions.length - 25} more actions`);
+        }
+    }
+}
+exports.SecurityCommand = SecurityCommand;

package/dist/index.js

@@ -76,6 +76,7 @@ const history_js_1 = require("./commands/history.js");
 const replay_js_1 = require("./commands/replay.js");
 const fork_js_1 = require("./commands/fork.js");
 const cancel_js_1 = require("./commands/cancel.js");
+const security_js_1 = require("./commands/security.js");
 const config_js_2 = require("./utils/config.js");
 const logger_js_1 = require("./utils/logger.js");
 const chalk_1 = __importDefault(require("chalk"));
@@ -124,7 +125,7 @@ function getVersion() {
             console.error(chalk_1.default.gray(`Unable to read package version: ${message}`));
         }
     }
-    return '1.9.3';
+    return '0.0.0';
 }
 function validateReleaseMetadata() {
     try {
@@ -150,20 +151,15 @@ function validateReleaseMetadata() {
             'vigthoria edit',
             'vigthoria update',
             'vigthoria doctor',
-            'version 1.9.3',
-            'vigthoria-cli-1.9.3.tgz',
         ];
         return (pkg.name === 'vigthoria-cli' &&
-            pkg.version === '1.9.3' &&
+            typeof pkg.version === 'string' &&
             pkg.description === 'Vigthoria Coder CLI - AI-powered terminal coding assistant' &&
             pkg.main === 'dist/index.js' &&
             bins.vigthoria === 'dist/index.js' &&
             bins.vig === 'dist/index.js' &&
             bins['vigthoria-chat'] === 'dist/index.js' &&
-            requiredReadmePhrases.every((phrase) => readme.includes(phrase)) &&
-            /Version\s+1\.9\.3/i.test(readme) &&
-            !readme.includes('vigthoria-cli-1.9.2.tgz') &&
-            !/version\s+1\.9\.2/i.test(readme));
+            requiredReadmePhrases.every((phrase) => readme.includes(phrase)));
     }
     catch (error) {
         const message = error instanceof Error ? error.message : String(error);
@@ -173,12 +169,6 @@ function validateReleaseMetadata() {
         return false;
     }
 }
-const VERSION = getVersion();
-const VIGTHORIA_DEFAULT_MANIFEST_URL = process.env.VIGTHORIA_UPDATE_MANIFEST_URL || "https://coder.vigthoria.io/releases/manifest.json";
-/**
- * Compare semantic versions properly
- * Returns: -1 if v1 < v2, 0 if equal, 1 if v1 > v2
- */
 function compareVersions(v1, v2) {
     const parts1 = v1.split('.').map(Number);
     const parts2 = v2.split('.').map(Number);
@@ -192,6 +182,8 @@ function compareVersions(v1, v2) {
     }
     return 0;
 }
+const VERSION = getVersion();
+const VIGTHORIA_DEFAULT_MANIFEST_URL = process.env.VIGTHORIA_UPDATE_MANIFEST_URL || "https://coder.vigthoria.io/releases/manifest.json";
 function resolveManifestEntry(manifest, channel) {
     const normalized = String(channel || 'stable').trim() || 'stable';
     if (manifest.channels && manifest.channels[normalized]) {
@@ -476,7 +468,7 @@ async function main(args) {
     if (invokedBinaryName === 'vigthoria-chat') {
         const knownCommands = new Set([
             'chat', 'chat-resume', 'agent', 'edit', 'generate', 'explain', 'fix', 'review', 'cancel',
-            'hub', 'repo', 'deploy', 'operator', 'workflow', 'flow', 'login', 'logout', 'status', 'config', 'update',
+            'hub', 'repo', 'deploy', 'operator', 'workflow', 'flow', 'security', 'vsec', 'login', 'logout', 'status', 'config', 'update',
             '--help', '-h', '--version', '-V', 'help', 'version',
         ]);
         if (!firstArg || firstArg.startsWith('-') || !knownCommands.has(firstArg)) {
@@ -647,6 +639,40 @@ async function main(args) {
         const bridge = new bridge_js_1.BridgeCommand(config, logger);
         await bridge.status();
     });
+    // Security command group - Security DevOps scans and fix plans
+    const securityCommand = program
+        .command('security')
+        .alias('vsec')
+        .description('Run security scans, scores, and fix plans via Vigthoria MCP security tools');
+    securityCommand
+        .command('scan')
+        .description('Scan project for security issues')
+        .option('-d, --dir <path>', 'Directory to scan (default: current directory)')
+        .option('--json', 'Emit JSON output', false)
+        .action(async (options) => {
+        const security = new security_js_1.SecurityCommand(config, logger);
+        await security.scan({ dir: options.dir, json: options.json });
+    });
+    securityCommand
+        .command('score')
+        .description('Calculate project security score')
+        .option('-d, --dir <path>', 'Directory to score (default: current directory)')
+        .option('--json', 'Emit JSON output', false)
+        .action(async (options) => {
+        const security = new security_js_1.SecurityCommand(config, logger);
+        await security.score({ dir: options.dir, json: options.json });
+    });
+    securityCommand
+        .command('fix')
+        .description('Generate security fix plan')
+        .option('-d, --dir <path>', 'Directory to inspect (default: current directory)')
+        .option('-i, --issue-id <id>', 'Single issue id to target')
+        .option('--apply', 'Request auto-apply mode (safe mode still requires explicit patching)', false)
+        .option('--json', 'Emit JSON output', false)
+        .action(async (options) => {
+        const security = new security_js_1.SecurityCommand(config, logger);
+        await security.fix({ dir: options.dir, issueId: options.issueId, apply: options.apply, json: options.json });
+    });
     // Edit command - Edit files with AI
     program
         .command('edit <file>')