Free & open source

Vibecodiq CLI

Scan. Guard. Ship with confidence.

34 automated safety checks on auth, billing, admin, and architecture. Trust Score + AI Chaos Index computed locally. CI enforcement on every PR. Your source code never leaves your machine; only finding metadata is sent to the API (see How it works).

npx @vibecodiq/cli scan

Requires Node.js 18+. Zero config. No login.

Scan

Detect safety gaps and structural risk. Results in seconds.

npx @vibecodiq/cli scan

Safety scan — checks auth, billing, admin, and foundation. Returns Trust Score (0-100, Grade A-F) with per-module breakdown.

npx @vibecodiq/cli scan --architecture

Architecture scan — checks code structure, domain boundaries, file sizes, CI/CD, tests. Returns AI Chaos Index (0-100) with RC01-RC05 breakdown and Risk Band.

Guard

Enforce safety rules on every PR. Prevent regressions in CI.

npx @vibecodiq/cli guard init

Safety mode — installs CI workflow and baseline snapshot. For existing apps where you want to prevent safety regressions without changing code structure.

npx @vibecodiq/cli guard init --all

Full mode — safety + architecture rules. Creates:

  • .asa/rules/architecture.md — architecture rules for AI (Lovable, Bolt, v0)
  • .cursorrules — same rules for IDE (Cursor, Windsurf, Claude Code)
  • .github/workflows/asa-guard.yml — CI workflow that checks every PR
  • .asa/baseline.json — snapshot of existing issues (won't block commits)

npx @vibecodiq/cli guard check

Run checks locally or in CI. Returns exit code 1 on failures — blocks PR merge when safety issues are found.

Create Slice

Scaffold new features with the correct domain structure. Each slice gets 4 template files — Component, Hook, server actions, and types.

npx @vibecodiq/cli create-slice auth/login
npx @vibecodiq/cli create-slice billing/subscribe
npx @vibecodiq/cli create-slice admin/user-list

Creates in src/domains/<domain>/<slice>/:

<SliceName>Form.tsx — React component

use<SliceName>.ts — React hook

actions.ts — server actions

types.ts — TypeScript types

Not every slice needs all 4 files. Create only what you need.

Waivers & Baseline

Handle false positives and existing debt without disabling checks.

Waivers

When guard blocks a commit on a finding that is a false positive or an accepted risk, create a waiver for that specific finding. The check stays active for all other findings.

npx @vibecodiq/cli waiver create AUTH-06 1c78c0cc "Custom auth via Edge Functions"

Creates a waiver for a specific finding. The finding will no longer block guard check. Stored in .asa/waivers.yml — commit it to your repo.

Three waiver types:

false_positive_claim — the finding is incorrect for your setup

accepted_risk — known risk, explicitly accepted by your team

temporary_exception — time-limited exception (max 90 days)

Waivers are per-finding (fingerprint), not per-check. A waived finding does not suppress other findings from the same check.

Baseline

When you enable guard on an existing project, guard init takes a snapshot of all current findings. These baselined findings are tracked but won't block commits — only new findings will.

npx @vibecodiq/cli guard init

Creates .asa/baseline.json with fingerprints of all existing findings. New findings after this point will block guard. Existing debt stays visible in reports but doesn't break your workflow.
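
The gating rules from the Waivers and Baseline sections, as an added JavaScript example (not Vibecodiq's own code): findings are matched by fingerprint, so a waiver on one AUTH-06 finding leaves a second AUTH-06 finding blocking, and baselined findings are reported without failing the check. The object shapes, the createdAt/expiresAt fields, enforcing the 90-day cap at evaluation time, the EXAMPLE-01 check ID and every fingerprint except 1c78c0cc are assumptions; the real .asa/waivers.yml and .asa/baseline.json formats are not shown on this page.

```javascript
// Added illustration; data shapes are assumptions, not the CLI's file formats.
const DAY_MS = 24 * 60 * 60 * 1000;
const MAX_TEMPORARY_DAYS = 90; // the page's stated cap for temporary_exception
const WAIVER_TYPES = new Set(['false_positive_claim', 'accepted_risk', 'temporary_exception']);

// A waiver applies only if its type is known and, for temporary exceptions,
// it has an expiry within 90 days of creation that has not yet passed.
function waiverIsActive(waiver, now) {
  if (!WAIVER_TYPES.has(waiver.type)) return false;
  if (waiver.type !== 'temporary_exception') return true;
  const created = Date.parse(waiver.createdAt);
  const expires = Date.parse(waiver.expiresAt);
  if (Number.isNaN(created) || Number.isNaN(expires)) return false;
  if (expires - created > MAX_TEMPORARY_DAYS * DAY_MS) return false;
  return now.getTime() < expires;
}

// Classify each finding by its fingerprint, never by check ID alone.
function evaluateGuard(findings, baselineFingerprints, waivers, now = new Date()) {
  const baselined = new Set(baselineFingerprints);
  const active = new Set();
  for (const w of waivers) {
    if (waiverIsActive(w, now)) active.add(`${w.checkId}:${w.fingerprint}`);
  }
  const result = { blocking: [], waived: [], baselined: [] };
  for (const f of findings) {
    if (active.has(`${f.checkId}:${f.fingerprint}`)) result.waived.push(f);
    else if (baselined.has(f.fingerprint)) result.baselined.push(f);
    else result.blocking.push(f);
  }
  result.exitCode = result.blocking.length > 0 ? 1 : 0; // 1 fails the CI job
  return result;
}

// Constructed sample data (only AUTH-06 / 1c78c0cc come from the page).
const sampleFindings = [
  { checkId: 'AUTH-06', fingerprint: '1c78c0cc', file: 'src/domains/auth/login/actions.ts' },
  { checkId: 'AUTH-06', fingerprint: 'aaaa0001', file: 'src/domains/admin/user-list/actions.ts' },
  { checkId: 'EXAMPLE-01', fingerprint: 'bbbb0002', file: 'src/domains/billing/subscribe/actions.ts' },
];
const sampleBaseline = ['bbbb0002'];
const sampleWaivers = [
  { checkId: 'AUTH-06', fingerprint: '1c78c0cc', type: 'false_positive_claim',
    reason: 'Custom auth via Edge Functions' },
];

const outcome = evaluateGuard(sampleFindings, sampleBaseline, sampleWaivers);
console.log(outcome.exitCode, outcome.blocking.map((f) => f.fingerprint));
```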

Output

Summary: Score, verdict, module breakdown, and shareable report link.

Report link: Every scan generates a shareable report URL on vibecodiq.com. Details (file paths, fix prompts) are only visible to the report owner.

How it works

1. Scan runs locally — CLI analyzes your source files using pattern matching (regex/AST). No code is uploaded.

2. Findings sent to API — only metadata (check IDs, pass/fail, relative file paths, line numbers). No source code, no secrets.

3. API returns intelligence — Trust Score, AI Chaos Index, fix prompts, shareable report link.

4. Report available online — view findings, fix prompts, and threat explanations at the shareable URL.

If the API is unavailable, the CLI still works — you get local results without the score or report link.

Available on npm

@vibecodiq/cli

Free to use. Based on the ASA Standard.

Static source-code analysis. Not a full security audit. May include false positives/negatives.