feat: Implement VibeSafe MVP

Author: slowcoder360

.github/workflows/ci.yml

@@ -0,0 +1,31 @@
+name: CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build_and_scan:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20' # Use a current LTS version
+        cache: 'npm'
+
+    - name: Install dependencies
+      run: npm ci
+
+    - name: Build project
+      run: npm run build
+
+    - name: Run VibeSafe Scan (High Only)
+      # This uses the globally linked bin command setup in package.json
+      # Or run directly: node dist/index.js scan --high-only
+      run: npx vibesafe scan --high-only 

.gitignore

@@ -0,0 +1,42 @@
+# Node.js
+node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+package-lock.json
+yarn.lock
+*.env
+dist/
+build/
+
+# Python
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+*.so
+.Python
+env/
+venv/
+ENV/
+venv.bak/
+ENV.bak/
+*.egg-info/
+*.egg
+build/
+dist/
+*.spec
+
+# OS specific
+.DS_Store
+Thumbs.db
+
+# IDE specific
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Test Reports
+test-*.md
+test-*.json 

LICENSE

@@ -0,0 +1,17 @@
+Copyright (c) 2025 Secret Society LLC - All Rights Reserved
+
+NOTICE: This software, VibeSafe (the "Software"), is provided free of charge for execution and use. The source code is made available for transparency and inspection purposes only.
+
+PERMISSION IS NOT GRANTED to modify, copy, merge, publish, distribute, sublicense, and/or sell copies of the Software, or any substantial portions of it.
+
+PERMISSION IS NOT GRANTED to create derivative works based on the Software or its source code.
+
+PERMISSION IS NOT GRANTED to redistribute the Software or its source code.
+
+Reverse engineering, decompiling, or disassembling the Software is prohibited.
+
+The Software is provided "AS IS", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the Software or the use or other dealings in the Software.
+
+By using or accessing the Software or its source code, you agree to these terms. If you do not agree to these terms, do not use or access the Software or its source code.
+
+For any licensing inquiries beyond the scope of this license, please contact [email protected]. 

README.md

@@ -0,0 +1,90 @@
+# VibeSafe ✨🛡️
+
+A CLI tool to scan your codebase for security vibes.
+
+VibeSafe helps developers quickly check their projects for common security issues like exposed secrets, outdated dependencies with known vulnerabilities (CVEs), and generates helpful reports.
+
+## Features (MVP)
+
+*   **Secret Scanning:** Detects potential secrets (API keys, credentials) using regex patterns and entropy analysis.
+*   **Dependency Scanning:** Parses package manifests (currently `package.json`) and checks dependencies against the OSV.dev vulnerability database.
+*   **Multiple Output Formats:** Provides results via console output (with colors!), JSON (`--output`), or a Markdown report (`--report`).
+*   **AI-Powered Suggestions (Optional):** Generates fix suggestions in the Markdown report using OpenAI (requires API key).
+*   **Filtering:** Focus on high-impact issues using `--high-only`.
+*   **Customizable Ignores:** Use a `.vibesafeignore` file (similar syntax to `.gitignore`) to exclude specific files or directories from the scan.
+
+## Installation
+
+```bash
+# Assuming publication to npm eventually
+npm install -g vibesafe 
+```
+
+*(Note: Currently, for local development, use `npm link` after building)*
+
+## Usage
+
+**Basic Scan (Current Directory):**
+
+```bash
+vibesafe scan
+```
+
+**Scan a Specific Directory:**
+
+```bash
+vibesafe scan ./path/to/your/project
+```
+
+**Output to JSON:**
+
+```bash
+vibesafe scan -o scan-results.json
+```
+
+**Generate Markdown Report:**
+
+```bash
+vibesafe scan -r scan-report.md
+```
+
+**Generate AI Report (Requires API Key):**
+
+To generate fix suggestions in the Markdown report, you need an OpenAI API key.
+
+1.  Create a `.env` file in the root of the directory where you run `vibesafe` (or in the project root if running locally during development).
+2.  Add your key to the `.env` file:
+    ```
+    OPENAI_API_KEY=sk-YourActualOpenAIKeyHere
+    ```
+3.  Run the scan with the report flag:
+    ```bash
+    vibesafe scan -r ai-report.md
+    ```
+
+**Show Only High/Critical Issues:**
+
+```bash
+vibesafe scan --high-only
+```
+
+## Ignoring Files (.vibesafeignore)
+
+Create a `.vibesafeignore` file in the root of the directory being scanned. Add file paths or glob patterns (one per line) to exclude them from the scan. The syntax is the same as `.gitignore`.
+
+**Example `.vibesafeignore`:**
+
+```
+# Ignore all test data
+test-data/
+
+# Ignore a specific configuration file
+config/legacy-secrets.conf
+
+# Allow scanning a specific .env file if needed (overrides default info behavior)
+# !.env.production 
+```
+
+## License
+
+This project uses a custom proprietary license. Please see the [LICENSE](LICENSE) file for details. TL;DR: Free to use, source visible, but no modification, copying, or redistribution allowed. 

instructions.md

@@ -0,0 +1,142 @@
+# VibeSafe MVP Development Plan
+
+## 1. Overview
+
+**Problem:** Developers ship code quickly but often miss basic security checks (secrets, stale deps, known CVEs).  
+**Solution:** A zero‑config CLI that scans a repo for secrets, outdated packages, and CVEs, then generates an AI‑powered risk report.  
+**MVP Goal:** Enable any developer to run `vibesafe scan` and get a readable security summary—including file paths and line numbers—in under 60 s.
+
+## 2. Personas & Use Cases
+
+| Persona            | Scenario                                                            | Outcome                                   |
+| ------------------ | ------------------------------------------------------------------- | ----------------------------------------- |
+| Solo "vibe" coder  | Quickly wants to check a side‑project for exposed keys before release | Markdown/JSON report with file, location, and severity‑scored findings |
+| CI/CD integrator   | Needs build to fail if any HIGH vulnerabilities are present        | CI job exits non-zero on HIGH issues      |
+| Security advocate  | Reviews multiple repos for baseline security hygiene               | Exports JSON for bulk analysis            |
+
+## 3. Scope & Non‑Goals
+
+**In‑Scope (MVP):**  
+- Secrets & plaintext key detection with file & line  
+- Dependency parsing + CVE lookup  
+- AI‑driven markdown risk report with fix suggestions  
+- CLI UX: colorized terminal + `--output` flags  
+
+**Out‑of‑Scope (v0.1+):**  
+- Automatic patching (`--fix`)  
+- Remote‑repo scanning  
+- Real‑time IDE plugins  
+- Telemetry collection (opt‑in only)
+- TODO: Proactively check `.gitignore` for `.env` exclusion patterns
+
+## 4. Success Metrics
+
+1. **Performance:** Full scan < 60 s on a 100 MB repo  
+2. **Coverage:** Detects ≥ 5 unique issues in standard test repos  
+3. **Adoption:** ≥ 10 installs in first week (npm/pip downloads)  
+4. **Reliability:** CI exit code behavior consistent (HIGH → non-zero)
+
+## 5. Phases & Atomic Tasks
+
+### Phase 1: Setup & CI Integration
+1. **Repo scaffold**  
+   - [x] `mkdir vibesafe && cd vibesafe`  
+   - [x] Initialize Git + add `.gitignore`, `LICENSE`, `README.md`  
+   - [x] Choose language: TypeScript (commander.js) ~~_or_ Python (argparse)~~  
+   - [x] Add basic `vibesafe scan` command stub  
+2. **CI hook**  
+   - [x] Write a GitHub Actions workflow that runs `vibesafe scan --high-only`  
+   - [x] Ensure exit code propagates  
+
+### Phase 2: Secrets Scanner
+1. **Regex & entropy engine**  
+   - [x] Define regex patterns for `.env`, AWS, JWT, SSH keys
+   - [x] Integrate an entropy checker (e.g., Shannon entropy > threshold)
+2. **File traversal**  
+   - [x] Walk directory tree, skip default excludes (`node_modules`, `dist`)
+   - [x] Honor `.vibesafeignore` entries
+3. **Scoring & output**  
+   - [x] Assign Low/Med/High severity based on pattern + entropy
+   - [x] Emit JSON record per finding including `file`, `line`, `pattern`, and `severity`  
+
+### Phase 3: Dependency & CVE Scanner
+1. **Detect package manager**  
+   - [x] Inspect files: `package.json`, `yarn.lock`, `requirements.txt`  
+2. **Parse deps**  
+   - [x] Extract name + version pairs  
+3. **CVE lookup**  
+   - [x] Call OSV.dev or NVD API with each dep  
+   - [x] Capture CVE IDs, severity, published date  
+4. **Threshold filtering**  
+   - [x] Mark HIGH if any dep ≥ 7.0 severity  
+
+### Phase 4: AI Risk Report
+1. **Markdown skeleton**  
+   - [x] Build template:
+     ```md
+     # VibeSafe Report
+
+     ## Summary
+     - Total Issues: 5 (2 High, 2 Medium, 1 Low)
+
+     ## Details
+     | File               | Location   | Issue            | Severity | CVE/Pattern   |
+     | ------------------ | ---------- | ---------------- | -------- | ------------- |
+     | `.env`             | line 10    | AWS Key exposed  | High     | —             |
+     | `config/app.js`    | line 45    | JWT secret       | Medium   | —             |
+     | `package.json`     | line 23    | lodash 4.17      | Medium   | CVE-2024-123  |
+     | `requirements.txt` | line 12    | Django 2.2       | High     | CVE-2023-456  |
+     | `src/utils.ts`     | line 80    | Hardcoded token  | Low      | —             |
+
+     ## Fix Suggestions
+     1. Remove AWS keys from code; use environment variables and a secrets vault.  
+     2. Rotate JWT secret and move to env vars.  
+     3. Upgrade `lodash` to ≥ 4.17.21.  
+     4. Update Django to ≥ 3.2.  
+     5. Replace hardcoded tokens with secure storage.
+     ```
+2. **LLM integration**  
+   - [x] Send JSON findings + skeleton to GPT‑4o-mini  
+   - [x] Parse human‑readable summary & per‑issue suggestions  
+   - [x] Merge into final MD  
+
+### Phase 5: CLI UX & Packaging
+1. **Terminal polish**  
+   - [ ] Colorize severities (e.g., red for High)  
+   - [ ] Add progress spinner during scans  
+2. **Flags & outputs**  
+   - [ ] `--output <file.md|.json>`  
+   - [ ] `--high-only` filter  
+3. **Distribution**  
+   - [ ] Set up npm `bin` or Python `entry_point`  
+   - [ ] Test on macOS, Win, Linux  
+
+## 6. Timeline & Ownership
+
+| Week   | Focus                          | Owner        |
+| ------ | ------------------------------ | ------------ |
+| Week 1 | Phase 1 scaffold + CI          | @you         |
+| Week 2 | Phase 2 secrets scanner        | @security    |
+| Week 3 | Phase 3 dep & CVE scanner      | @sec‑lead    |
+| Week 4 | Phase 4 AI report & polish     | @AI‑engineer |
+| Week 5 | Phase 5 packaging & QA         | @release     |
+
+## 7. Risks & Mitigations
+
+- **API rate limits (OSV/NVD):** cache results locally; implement exponential back‑off  
+- **False positives (secrets):** tune regex & entropy thresholds; allow exclusions  
+- **LLM costs:** only call on `--report` mode; support a dry‑run without AI  
+
+## 8. In Cursor
+
+- **Check progress:**  
+  > “What is the current status of Phase 2: Secrets Scanner?”  
+- **Mark tasks done:**  
+  > “Mark Phase 3.3 (CVE lookup) as complete.”  
+
+---
+
+**Next Steps:**  
+1. Review personas & success metrics.  
+2. Assign owners & adjust timeline as needed.  
+3. Kick off Week 1!  

package.json

@@ -0,0 +1,36 @@
+{
+  "name": "vibesafe",
+  "version": "0.0.1",
+  "description": "A CLI tool to scan your codebase for security vibes.",
+  "main": "dist/index.js",
+  "bin": {
+    "vibesafe": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/index.js",
+    "dev": "ts-node src/index.ts",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "cli"
+  ],
+  "author": "",
+  "license": "SEE LICENSE IN LICENSE",
+  "devDependencies": {
+    "@types/node": "^22.14.1",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.8.3"
+  },
+  "dependencies": {
+    "axios": "^1.8.4",
+    "chalk": "^4.1.2",
+    "commander": "^13.1.0",
+    "dotenv": "^16.5.0",
+    "ignore": "^7.0.3",
+    "openai": "^4.95.0",
+    "ora": "^5.4.1"
+  }
+}