Free & open source

Vibecodiq CLI

Scan. Guard. Ship with confidence.

32 automated safety checks on auth, billing, admin, and architecture. Trust Score + AI Chaos Index computed locally. CI enforcement on every PR. Your code never leaves your machine.

npx @vibecodiq/cli scan

Requires Node.js 18+. Zero config. No login.

Scan

Detect safety gaps and structural risk. Results in seconds.

npx @vibecodiq/cli scan

Safety scan — checks auth, billing, admin, and foundation. Returns Trust Score (0-100, Grade A-F) with per-module breakdown.

npx @vibecodiq/cli scan --architecture

Architecture scan — checks code structure, domain boundaries, file sizes, CI/CD, tests. Returns AI Chaos Index (0-100) with RC01-RC05 breakdown and Risk Band.

npx @vibecodiq/cli scan --all

Full scan — both safety and architecture. Returns Trust Score + AI Chaos Index in one run.

npx @vibecodiq/cli scan --verbose

Detailed output — shows every check with evidence, file paths, and line numbers. Add to any scan mode.

npx @vibecodiq/cli scan --json

Machine-readable JSON output for CI pipelines. Add to any scan mode.

Guard

Enforce safety rules on every PR. Prevent regressions in CI.

npx @vibecodiq/cli guard init

Installs safety rules into your repo. Creates .asa/rules/ and a GitHub Actions workflow that checks every PR.

npx @vibecodiq/cli guard init --all

Full mode — safety rules + architecture rules. Use for new projects or rebuilds on ASA architecture.

npx @vibecodiq/cli guard check

Run checks locally or in CI. Returns exit code 1 on failures — blocks PR merge when safety issues are found.

What it checks

Auth Safety

8 checks

service_role key exposure, RLS policies, getUser() vs getSession(), NEXT_PUBLIC_ secrets

Billing Safety

8 checks

Stripe key exposure, webhook verification, server-side checkout, PCI compliance

Admin Safety

4 checks

Server-side auth on admin routes, debug route exposure, hardcoded credentials

Architecture

8 checks

Domain isolation, cross-domain imports, file size limits, CI/CD pipeline, tests

Foundation

4 checks

.env.example exists, no committed secrets, TypeScript strict mode, error boundary

32 checks total. Based on the ASA Standard. Each check links to a detailed explanation.

Output

Default: Compact summary — score, verdict, module breakdown, report link.

--verbose: Full detail — every check with evidence and file paths.

--json: Machine-readable JSON for CI integration.

Share link: Every scan generates a shareable report URL on vibecodiq.com. Details (file paths, fix prompts) are only visible to the report owner.

How it works

1. Scan runs locally — CLI analyzes your source files using pattern matching (regex/AST). No code is uploaded.

2. Findings sent to API — only metadata (check IDs, pass/fail, relative file paths, line numbers). No source code, no secrets.

3. API returns intelligence — Trust Score, AI Chaos Index, fix prompts, shareable report link.

4. Report available online — view findings, fix prompts, and threat explanations at the shareable URL.

If the API is unavailable, the CLI still works: you get local results without the score or report link.
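
The local pattern matching and metadata-only findings from steps 1 and 2, sketched as an added example (this is not Vibecodiq's code). The check IDs, rule patterns, result shape and sample files are hypothetical and constructed for illustration.

```javascript
// Added illustration only: not Vibecodiq's code. Check IDs, rule patterns and
// the result shape are hypothetical; the sample files below are constructed.
const RULES = [
  { id: "EX-AUTH-01", // NEXT_PUBLIC_ variables are bundled into client-side JavaScript
    pattern: /\bNEXT_PUBLIC_[A-Z0-9_]*(SECRET|SERVICE_ROLE|PRIVATE_KEY)[A-Z0-9_]*/,
    appliesTo: () => true },
  { id: "EX-AUTH-02", // getSession() in server code reads cookie data without re-verifying it
    pattern: /\.auth\.getSession\s*\(/,
    // Assumption: treat API routes and middleware as the server-side paths to check.
    appliesTo: (path) => /^(app\/api\/|middleware\.)/.test(path) },
];

// files: { relativePath: sourceText }. Returns one metadata record per rule.
function scanFiles(files) {
  return RULES.map((rule) => {
    const locations = [];
    for (const [path, text] of Object.entries(files)) {
      if (!rule.appliesTo(path)) continue;
      text.split(/\r?\n/).forEach((lineText, i) => {
        // Drop // line comments (but not the "//" inside "https://") to cut false positives.
        const code = lineText.replace(/(^|\s)\/\/.*$/, "");
        if (rule.pattern.test(code)) locations.push({ file: path, line: i + 1 });
      });
    }
    // Only the ID, status and locations are recorded, never the matched source text.
    return { checkId: rule.id, status: locations.length ? "fail" : "pass", locations };
  });
}

// Constructed sample project (relative paths mapped to file contents).
const SAMPLE_FILES = {
  ".env.local":
    "NEXT_PUBLIC_SUPABASE_URL=https://example.invalid\n" +
    "NEXT_PUBLIC_SERVICE_ROLE_KEY=constructed-value-123\n",
  "app/api/orders/route.ts":
    "// supabase.auth.getSession() was replaced below\n" +
    "const { data } = await supabase.auth.getUser();\n",
  "middleware.ts": "const { data } = await supabase.auth.getSession();\n",
};

console.log(JSON.stringify(scanFiles(SAMPLE_FILES), null, 2));
```

Line-based regex checks like these miss multi-line constructs and aliased calls, which is the kind of false negative the limitations note at the end of this page refers to.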

Available on npm

@vibecodiq/cli

Free to use. Based on the ASA Standard.

Static source-code analysis. Not a full security audit. May include false positives/negatives.