## Package Exports

- `@vibecheck-ai/cli`
- `@vibecheck-ai/cli/runner`
# VibeCheck CLI

The trust layer for AI-generated code.

Catches phantom dependencies, ghost API routes, fake SDK methods, credential leaks, and silent failures — before they ship.

## Why VibeCheck?
Every AI coding tool — Cursor, Copilot, Claude, Windsurf, ChatGPT — produces code that compiles, passes lint, and looks correct. Then it breaks in production.

- `fetch('/api/payments/confirm')` → Endpoint never implemented. 404 in prod.
- `catch (err) { }` → Error silently swallowed. Data lost.
- `{ revenue: 99999 }` → Hardcoded mock. Dashboard lies to users.
- `STRIPE_SECRET_KEY` in client bundle → Credential leaked to every browser.

Your linter says it's fine. TypeScript says it's fine. PR review says it's fine.

VibeCheck catches what they miss. 14 detection engines. One command. Zero config.
## Quick Start

```bash
# Scan your project (no install required)
npx @vibecheck-ai/cli scan .

# Or install globally
npm install -g @vibecheck-ai/cli
vibecheck scan .

# Shorthand alias
vc scan .
```

That's it. No config files. No API keys. No setup wizard.
## API compatibility

When you sign in and use server-backed daily scan limits, the CLI must be a current release (24.x or newer as of this major). The API rejects legacy clients without up-to-date scan metering headers. If you see `SCAN_CLIENT_UPGRADE_REQUIRED`, run `npm i -g @vibecheck-ai/cli@latest` (or use `npx @vibecheck-ai/cli@latest`).
## 14 Detection Engines

Every engine is purpose-built for a specific failure mode that traditional tools miss. These map to the engines registered by the CLI FileRunner (workspace engines + baseline registry).

| # | Engine | What it catches |
|---|---|---|
| 1 | Undefined env vars | process.env references not backed by your env / truthpack |
| 2 | Ghost routes | fetch and client calls to API paths with no handler |
| 3 | Phantom dependencies | Imports of packages not declared or not resolvable |
| 4 | API hallucinations | SDK or API usage that does not exist for your stack |
| 5 | Hardcoded secrets | Keys, tokens, and passwords committed to source |
| 6 | Security vulnerabilities | Injection, XSS, SSRF, weak crypto, and related OWASP-style issues |
| 7 | Fake features | Placeholder flags, empty handlers, mock data in prod paths |
| 8 | Version mismatches | APIs used in ways incompatible with installed package versions |
| 9 | Logic gaps | Contradictory or impossible control flow |
| 10 | Error-handling gaps | Swallowed errors, risky try/catch shape, unchecked async results |
| 11 | Incomplete implementation | Stubs, empty bodies, and unfinished paths |
| 12 | Type contracts | Types asserted vs actual JSON/API shape mismatches |
| 13 | Security patterns | Unprotected routes, CSRF, JWT misuse, redirects, CSP gaps |
| 14 | Performance anti-patterns | N+1 queries, sync I/O in async paths, fetch-in-render, and similar |
## Commands

### vibecheck scan

Scan a file or directory for all findings.

```bash
vibecheck scan .
vibecheck scan src/
vibecheck scan src/api.ts
```

| Flag | Default | Description |
|---|---|---|
| `--json` | — | Output findings as JSON |
| `--no-color` | — | Disable ANSI color output |
| `--threshold <n>` | 75 | Minimum confidence to include a finding (0–100) |
#### Example output

```text
VibeCheck Scan
3 files · 5 findings · 412ms
──────────────────────────────────────────────────────
src/lib/payments.ts
──────────────────────────────────────────────────────
  ✗ CRIT  CRED001  line 12  Stripe live secret key hardcoded
          Move to process.env.STRIPE_SECRET_KEY
  ✗ HIGH  SEC001   line 34  SQL injection: template literal in query
          Use parameterized queries

src/api/routes.ts
──────────────────────────────────────────────────────
  ✗ CRIT  GRT001   line 8   Ghost route: /api/payments/confirm has no handler
          Closest match: /api/payment/confirm (did you mean this?)
──────────────────────────────────────────────────────
5 findings · 2 critical · 2 high · 1 medium
```

#### JSON output (`--json`)
```json
{
  "findings": [
    {
      "id": "...",
      "engine": "credentials",
      "severity": "critical",
      "ruleId": "CRED001",
      "file": "src/lib/payments.ts",
      "line": 12,
      "message": "Stripe live secret key hardcoded",
      "evidence": "const key = 'sk_live_abc123...'",
      "suggestion": "Move to process.env.STRIPE_SECRET_KEY",
      "confidence": 0.99
    }
  ],
  "meta": {
    "filesScanned": 3,
    "totalFindings": 5,
    "durationMs": 412
  }
}
```

### vibecheck score

Compute a 0–100 trust score with letter grade and ship/no-ship verdict.

```bash
vibecheck score .
vibecheck score src/ --json
```

| Flag | Default | Description |
|---|---|---|
| `--json` | — | Output score as JSON |
| `--no-color` | — | Disable color |
#### Example output

```text
VibeCheck Trust Score
3 files · 5 findings · 412ms

[██████████████████░░░░░░░░░░░░] 72/100 (C)

Verdict   REVIEW
          Mixed reliability. Manual review recommended before shipping.
Findings  2 critical · 2 high · 1 other
────────────────────────────────────────────────────────
Dimensions
  API Integrity      [████████████████░░░░] 80
  Dependency Safety  [██████████████░░░░░░] 70
  Env Coverage       [████████████████████] 100
  Contract Health    [████████████░░░░░░░░] 60
────────────────────────────────────────────────────────
Score Reducers (3 total)
  -15  1 critical Hardcoded Secrets finding — blocks shipping (CRED001)
   -8  1 high Security Vulnerabilities finding (SEC001)
   -5  1 high Ghost Routes finding (GRT001)
────────────────────────────────────────────────────────
▲ Run vibecheck scan to review flagged issues before shipping.
```

### vibecheck guard
CI gatekeeper. Scan and exit with code 1 if the trust score is below threshold or critical findings exist.

```bash
vibecheck guard .
vibecheck guard . --threshold 80
vibecheck guard . --fail-on critical
vibecheck guard . --fail-on none   # Never fail, just report
```

| Flag | Default | Description |
|---|---|---|
| `--threshold <n>` | 70 | Minimum score to pass |
| `--fail-on <level>` | critical | Fail on: critical, high, any, none |
| `--json` | — | Output report as JSON |

| Exit Code | Meaning |
|---|---|
| 0 | Passed — score above threshold, no blocking findings |
| 1 | Failed — score below threshold or critical finding found |
| 2 | Error — invalid arguments or scan error |
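When the built-in `--fail-on` levels are not granular enough (for example, you want performance findings reported but never blocking), the JSON from `vibecheck scan --json` can feed your own gate. The script below is an added example, not part of `@vibecheck-ai/cli`: it applies the same 0 / 1 / 2 exit-code convention as `vibecheck guard`, rescales the 0.0–1.0 `confidence` field to the 0–100 `--threshold` scale, and takes an extra `nonBlockingEngines` allowlist that is this script's own invention. The sample findings and the rule ids ending in `-EXAMPLE` are constructed.

```javascript
// Added example (not part of @vibecheck-ai/cli): a custom merge gate over the
// JSON that `vibecheck scan --json` prints, using the same 0 / 1 / 2 exit-code
// convention documented for `vibecheck guard`.
// Assumptions: input matches the Finding schema in this README; the policy
// knobs (failOn, threshold, nonBlockingEngines) belong to this script only.

const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1 };
// Same vocabulary as --fail-on: the lowest severity that blocks the merge.
const FAIL_ON_RANK = { critical: 4, high: 3, any: 1, none: Infinity };

function evaluateGate(scan, policy = {}) {
  const { failOn = 'critical', threshold = 75, nonBlockingEngines = [] } = policy;

  // Exit 2: the input is not a scan report, or the policy itself is malformed.
  if (!scan || !Array.isArray(scan.findings)) {
    return { exitCode: 2, reason: 'invalid input: missing findings array', blocking: [] };
  }
  const minRank = FAIL_ON_RANK[failOn];
  if (minRank === undefined || !(threshold >= 0 && threshold <= 100)) {
    return { exitCode: 2, reason: `invalid policy: failOn=${failOn} threshold=${threshold}`, blocking: [] };
  }

  // The JSON carries confidence as 0.0–1.0 while --threshold is 0–100: rescale.
  const confident = scan.findings.filter((f) => Math.round(f.confidence * 100) >= threshold);
  const skip = new Set(nonBlockingEngines);
  const blocking = confident.filter(
    (f) => !skip.has(f.engine) && (SEVERITY_RANK[f.severity] || 0) >= minRank,
  );

  return {
    exitCode: blocking.length ? 1 : 0,
    reason: blocking.length
      ? `${blocking.length} blocking finding(s) at or above '${failOn}'`
      : `no blocking findings (${confident.length} of ${scan.findings.length} above threshold ${threshold})`,
    blocking,
  };
}

// Constructed sample in the shape of the JSON output shown above.
const SAMPLE_SCAN = {
  findings: [
    { id: 'a', engine: 'credentials', severity: 'critical', ruleId: 'CRED001',
      file: 'src/lib/payments.ts', line: 12, message: 'Stripe live secret key hardcoded', confidence: 0.99 },
    { id: 'b', engine: 'security', severity: 'high', ruleId: 'SEC001',
      file: 'src/lib/payments.ts', line: 34, message: 'SQL injection: template literal in query', confidence: 0.9 },
    { id: 'c', engine: 'performance', severity: 'high', ruleId: 'PERF-EXAMPLE',
      file: 'src/pages/index.tsx', line: 40, message: 'fetch-in-render (constructed sample)', confidence: 0.8 },
    { id: 'd', engine: 'logic', severity: 'medium', ruleId: 'LOGIC-EXAMPLE',
      file: 'src/lib/util.ts', line: 3, message: 'unreachable branch (constructed sample)', confidence: 0.5 },
  ],
  meta: { filesScanned: 3, totalFindings: 4, durationMs: 412 },
};

// Usage: vibecheck scan . --json | node gate.js --stdin
if (process.argv.includes('--stdin')) {
  const fs = require('fs');
  const result = evaluateGate(JSON.parse(fs.readFileSync(0, 'utf8')), {
    failOn: 'high', threshold: 75, nonBlockingEngines: ['performance'],
  });
  for (const f of result.blocking) {
    console.error(`${f.severity.toUpperCase()} ${f.ruleId} ${f.file}:${f.line} ${f.message}`);
  }
  console.error(result.reason);
  process.exit(result.exitCode);
}
```

With the sample above and the policy in the `--stdin` branch, the critical credentials finding and the high security finding block (exit 1), the high performance finding is reported but ignored, and the medium logic finding is dropped by the threshold before the severity check is applied.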
### vibecheck roast

Scan and deliver a brutal, opinionated summary of how AI-generated the code looks.

```bash
vibecheck roast .
vibecheck roast src/
```

#### Example output

```text
VibeCheck Roast
──────────────────────────────────────────────────────────
Let me be direct: this codebase has AI fingerprints all over it.

The Worst Offender
  src/lib/payments.ts — 3 findings, trust score 42

Stats
┌─────────────────────────────────┐
│ Trust Score       42/100   F    │
│ Hallucinations         3        │
│ Phantom Deps           1        │
│ Hardcoded Creds        1        │
│ Security Issues        2        │
└─────────────────────────────────┘

Hallucination density: 1 issue per 47 lines. That's a lot.
──────────────────────────────────────────────────────────
Run vibecheck scan for the full breakdown.
```

### vibecheck context
Intent-aware codebase intelligence. Query your code by natural language, evolve from provenance, and get proactive context hints.

```bash
vibecheck context --evolve
vibecheck context --intent "authentication"
vibecheck context --intent "where do we handle auth" --semantic
vibecheck context --proactive --file packages/api/src/routes/auth.ts
```

| Flag | Description |
|---|---|
| `--evolve` | Learn from provenance (`edits.jsonl`); write co-edits, sequences, outcome scores to `learned.json` |
| `--intent <query>` | Query codebase by natural language → files, symbols |
| `--semantic` | Use embeddings for intent query (slower, finds conceptually related code) |
| `--proactive` | Proactive context for focused file |
| `--file <path>` | Focused file path (required with `--proactive`) |
| `--json` | Machine-readable output |
## CI/CD Integration

### GitHub Actions

```yaml
# .github/workflows/vibecheck.yml
name: VibeCheck
on: [pull_request]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx @vibecheck-ai/cli guard . --threshold 70
```

### Pre-commit Hook

```bash
# .husky/pre-commit
vibecheck guard . --fail-on critical
```

### package.json Scripts

```json
{
  "scripts": {
    "vibecheck": "vibecheck scan .",
    "vibecheck:guard": "vibecheck guard . --threshold 70",
    "vibecheck:score": "vibecheck score ."
  }
}
```

## Output Formats
All commands support `--json` for machine-readable output. The JSON schema is stable across patch versions.

### Finding schema

```ts
interface Finding {
  id: string;
  engine: string;
  severity: 'critical' | 'high' | 'medium' | 'low';
  ruleId: string;
  category: string;
  file: string;
  line: number;
  column: number;
  message: string;
  evidence: string;      // the offending code snippet
  suggestion?: string;   // how to fix it
  confidence: number;    // 0.0–1.0
  autoFixable: boolean;
}
```

### SARIF export
The underlying FileRunner supports SARIF 2.1.0 for GitHub Code Scanning integration. Use `--json` and pipe to a SARIF converter, or use the GitHub Action, which handles this automatically.
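The README does not name a converter, so the one below is an added example and not the project's own code nor the GitHub Action's implementation. It assumes the Finding schema above as input (treating `column` as optional), maps VibeCheck severities to SARIF levels and to the numeric `security-severity` rule property that GitHub Code Scanning reads (the level and score choices are ours), and deliberately omits the `evidence` snippet for findings from the `credentials` engine: copying that snippet into the SARIF log would reproduce the hardcoded secret in every code-scanning alert, comment and notification. The sample scan is constructed.

```javascript
// Added example (not part of @vibecheck-ai/cli): convert `vibecheck scan --json`
// output into a SARIF 2.1.0 log for GitHub Code Scanning.
// Assumptions: the input follows the Finding schema shown in this README
// ({ findings: [...], meta: {...} }); `column` may be absent or 0.

// Constructed sample, shaped like the JSON output shown above.
const SAMPLE_SCAN = {
  findings: [
    { id: 'f-1', engine: 'credentials', severity: 'critical', ruleId: 'CRED001',
      category: 'secrets', file: 'src/lib/payments.ts', line: 12, column: 13,
      message: 'Stripe live secret key hardcoded',
      evidence: "const key = 'sk_live_EXAMPLE_PLACEHOLDER'",
      suggestion: 'Move to process.env.STRIPE_SECRET_KEY',
      confidence: 0.99, autoFixable: false },
    { id: 'f-2', engine: 'security', severity: 'high', ruleId: 'SEC001',
      category: 'injection', file: 'src/lib/payments.ts', line: 34, column: 0,
      message: 'SQL injection: template literal in query',
      evidence: 'db.query(`SELECT * FROM orders WHERE id = ${id}`)',
      suggestion: 'Use parameterized queries',
      confidence: 0.9, autoFixable: false },
    { id: 'f-3', engine: 'ghost-routes', severity: 'medium', ruleId: 'GRT001',
      category: 'api', file: 'src/api/routes.ts', line: 8, column: 3,
      message: 'Ghost route: /api/payments/confirm has no handler',
      evidence: "fetch('/api/payments/confirm')",
      confidence: 0.8, autoFixable: false },
  ],
  meta: { filesScanned: 3, totalFindings: 3, durationMs: 412 },
};

// VibeCheck severity -> SARIF level, plus the numeric score GitHub reads from
// the rule's "security-severity" property (these mappings are our choice).
const SEVERITY = {
  critical: { level: 'error', score: '9.0' },
  high:     { level: 'error', score: '7.0' },
  medium:   { level: 'warning', score: '5.0' },
  low:      { level: 'note', score: '2.0' },
};

// Engines whose evidence is itself sensitive: never copy the snippet into the
// SARIF log, or the secret ends up in every code-scanning alert.
const REDACT_EVIDENCE_FOR = new Set(['credentials']);

function toSarif(scan, toolVersion = 'unknown') {
  const rules = [];
  const ruleIndex = new Map();

  const results = scan.findings.map((f) => {
    const sev = SEVERITY[f.severity] || SEVERITY.low;
    if (!ruleIndex.has(f.ruleId)) {
      // One rule object per ruleId; results refer to it by index.
      ruleIndex.set(f.ruleId, rules.length);
      rules.push({
        id: f.ruleId,
        shortDescription: { text: f.message },
        defaultConfiguration: { level: sev.level },
        properties: { engine: f.engine, 'security-severity': sev.score },
      });
    }

    const region = { startLine: f.line };
    // SARIF columns are 1-based; skip the field when the scanner gives 0/none.
    if (Number.isInteger(f.column) && f.column > 0) region.startColumn = f.column;
    if (f.evidence && !REDACT_EVIDENCE_FOR.has(f.engine)) region.snippet = { text: f.evidence };

    const text = f.suggestion ? `${f.message}. Suggested fix: ${f.suggestion}` : f.message;
    return {
      ruleId: f.ruleId,
      ruleIndex: ruleIndex.get(f.ruleId),
      level: sev.level,
      message: { text },
      locations: [{
        physicalLocation: {
          artifactLocation: { uri: f.file, uriBaseId: '%SRCROOT%' },
          region,
        },
      }],
      // Stable key so GitHub can match the same alert across runs.
      partialFingerprints: { vibecheckFindingId: f.id },
      properties: { engine: f.engine, confidence: f.confidence },
    };
  });

  return {
    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
    version: '2.1.0',
    runs: [{ tool: { driver: { name: 'VibeCheck', version: toolVersion, rules } }, results }],
  };
}

// Usage: vibecheck scan . --json | node vibecheck-to-sarif.js --stdin > vibecheck.sarif
if (process.argv.includes('--stdin')) {
  const fs = require('fs');
  const scan = JSON.parse(fs.readFileSync(0, 'utf8'));
  process.stdout.write(JSON.stringify(toSarif(scan), null, 2));
}
```

The resulting `vibecheck.sarif` can be uploaded from a workflow with `github/codeql-action/upload-sarif`. Note that `partialFingerprints` uses the finding `id` as given by the scanner; if those ids are not stable between runs, derive the fingerprint from file, rule and evidence instead.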
## Configuration

### Ignore Patterns

Create `.vibecheckignore` at your project root:

```gitignore
# Ignore generated files
src/generated/**

# Ignore specific file
src/legacy/old-api.ts

# Wildcards
**/*.test.ts
```

### Environment Variables

| Variable | Description |
|---|---|
| `NO_COLOR` | Disable color output (same as `--no-color`) |
| `VIBECHECK_THRESHOLD` | Default confidence threshold |
| `VIBECHECK_WORKSPACE` | Override workspace root detection |

### Shell Completion

```bash
# Bash
eval "$(vibecheck completion bash)"

# Zsh
eval "$(vibecheck completion zsh)"
```

## Available on 4 Surfaces
| Surface | Install | Use case |
|---|---|---|
| CLI (you are here) | `npm i -g @vibecheck-ai/cli` | CI/CD pipelines, terminal workflows, scripting |
| VS Code Extension | Marketplace | Interactive scanning, sidebar dashboard, inline fixes |
| MCP Server | `npx @vibecheck-ai/mcp` | AI agent integration (Cursor, Claude, etc.) |
| GitHub Action | `vibecheck-ai/action@v2` | Pull request verification, deployment gating |
## Language Support

TypeScript · JavaScript · React · Vue · Svelte · Next.js · Python · Go · Rust

## Privacy & Security

- All scanning runs locally on your machine
- Zero code is transmitted — ever
- Works fully offline and in air-gapped environments
- Open source — read every line

Build with AI. Ship with proof.

Website · Documentation · Discord · GitHub

MIT License · Copyright 2024–2026 VibeCheck AI