@vibedrift/cli

v0.7.0

Published

a month ago

Detect drift in AI-generated codebases — high-confidence measurement of architectural, semantic, and security inconsistency

0High
0Medium
0Low

skhan75

vibe-coding code-quality static-analysis ai-generated-code drift-detection debt-score ai-codebase code-audit

VibeDrift

Detect drift in AI-generated codebases.

Your AI coding agent doesn't remember what it built yesterday. VibeDrift scans your project for the contradictions, hidden duplicates, and security gaps that creep in when AI writes code across multiple sessions — and gives you a single score with concrete file-level evidence.

Quick Start

npx @vibedrift/cli

That's it. No install, no signup, no config. Produces an interactive HTML report and opens it in your browser.

Supported Languages

JavaScript · TypeScript · Python · Go · Rust

What It Finds

Architectural inconsistencies — half your handlers use a repository, the other half hit raw SQL
Hidden duplicates — two functions doing the same thing under different names
Security gaps — hardcoded secrets, injection risks, unsanitized input reaching sensitive calls
Dead code — orphan files never imported, exports never used, unreachable paths
Complexity hotspots — functions so deeply nested they've become unmaintainable
Convention drift — naming, imports, error handling, logging — any pattern that's inconsistent across the codebase
Implementation gaps — functions that return placeholder strings like "unvalidated" or "not implemented", raise NotImplementedError, panic("not implemented"), unimplemented!(). Catches half-finished code that slipped into production

VibeDrift learns the dominant patterns in your code and flags the deviators. A file isn't wrong because it uses raw SQL — it's drifting because 8 of its 10 siblings use a repository and 2 don't.

Example Output

╭─────────────────────╮
│  VibeDrift v0.6.0  │
╰─────────────────────╯

Scanning: /path/to/my-project
Files: 9 (TS: 9) | Lines: 262 | Time: 0.0s

  📘 Declared conventions (from CLAUDE.md)
     repository pattern · named exports · async/await

  📈 Since last scan (2h ago)
     ✓ Resolved: 3 drift findings
     ✗ New: 1 drift finding
     ▲ Vibe Drift Score: +2.3

── Vibe Drift Score ────────────────────────────────
  Architectural Consistency    12/20  ████████████░░░░░░░░
  Redundancy                    8/20  ████████░░░░░░░░░░░░
  Dependency Health              N/A
  Security Posture             18/20  ██████████████████░░
  Intent Clarity               16/20  ████████████████░░░░
  ──────────────────────────────────
  Vibe Drift Score:            54/80
  Hygiene Score:               82/100

  Vibe Drift Score — how consistent your code is with its own dominant patterns.
  Hygiene Score — generic quality checks (complexity, dead code, TODOs, …). Independent of drift.

── Fix Plan ──────────────────────────────────────
  1. Pattern drift: src/handlers/order.ts uses raw SQL while 7/8 files use repository
     src/handlers/order.ts:15  +0.8pts consistency
  2. 3 pair(s) of near-duplicate functions detected
     src/handlers/payment.ts:9  +0.6pts consistency

The default run produces the interactive HTML report and serves it locally so you can click through every finding with line-level evidence.

Scoring (v0.6.0 — drift-only composite)

VibeDrift reports two independent scores:

Vibe Drift Score — how consistent your code is with its own dominant patterns. Max 80 (4 applicable categories × 20 points). Grades: A ≥ 90% · B ≥ 75% · C ≥ 50% · D ≥ 25% · F < 25%.

Hygiene Score — generic code-quality findings (complexity, dead code, TODOs, outdated dependencies, empty catches, generic OWASP regex, language idioms). Max 100. Does not affect the Vibe Drift Score.

The split is deliberate: VibeDrift measures drift (pattern deviation) separately from quality (generic lint-style issues). That keeps the headline number honest about what the tool actually detects.

| Category | What counts (Drift) | What counts (Hygiene) | |---|---|---| | Architectural Consistency | Naming entropy, import style, cross-file architectural drift, commit archaeology | Empty catches, unhandled async, language idioms | | Redundancy | Semantic-fingerprint & opseq duplicates, ML duplicates | Static text duplicates, dead code, TODO density | | Dependency Health | (no drift signals here — drops out of composite) | Phantom/missing deps, undocumented env vars | | Security Posture | Cross-file auth/validation drift, taint flows | Hardcoded secrets, generic OWASP regex | | Intent Clarity | ML intent-mismatch (function name vs body) | Complexity, unclear naming, commented-out code |

Upgrading from <0.6.0? Prior versions reported a single 0–100 composite that mixed drift and hygiene. CI jobs using --fail-on-score should recalibrate: a repo that scored 80/100 on the old composite may score ~65/80 on drift alone.

Deep Scans (AI-powered)

Every account gets 3 free deep scans per month — no card required. Deep scans add what local static analysis can't do:

Semantic duplicates via UniXcoder embeddings + cosine similarity
Intent mismatches — functions whose name doesn't match their behavior
Anomaly detection via DBSCAN clustering on handler embeddings
Surgical LLM validation — Claude reviews medium-confidence ML findings

vibedrift login          # one-time browser sign-in
vibedrift . --deep       # uses one of your 3 monthly deep scans

CI Integration — GitHub Action

The fastest way to catch drift before merge. Posts a PR comment with score delta + new drifts introduced, and optionally fails the check.

# .github/workflows/vibedrift.yml
name: VibeDrift
on: [pull_request]

permissions:
  pull-requests: write

jobs:
  drift-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: skhan75/vibedrift-actions@v1
        with:
          token: ${{ secrets.VIBEDRIFT_TOKEN }}
          fail-on-score: 70
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Setup: Sign up at vibedrift.ai → Dashboard → Settings → copy your API token → add as VIBEDRIFT_TOKEN in your repo's GitHub Secrets.

Deep scan on release branches:

      - uses: skhan75/vibedrift-actions@v1
        with:
          token: ${{ secrets.VIBEDRIFT_TOKEN }}
          deep: ${{ github.base_ref == 'main' }}

See the full Action README for all inputs, outputs, and examples.

Dashboard

vibedrift.ai/dashboard — score trends, scan history, per-project sparklines, embedded reports, sharable links.

Pricing

| Tier | Price | Deep scans | |---|---|---| | Free | $0 | 3 / month | | Pro | $15/mo | 50 / month ($1/scan overage) | | Scale | $30/mo | 100 / month ($1/scan overage) | | Enterprise | Custom | Per-seat team billing, SSO/SAML, custom quotas, SLA |

Unlimited local scans on every tier. Full pricing at vibedrift.ai/#pricing.

Privacy & Telemetry

Not logged in → zero network calls. Nothing leaves your machine. No telemetry, no beacon, no tracking.
Logged in → lightweight anonymous scan beacon. Sends language, file_count, scan_time_ms, cli_version on each scan (no code, no file paths, no PII). Helps us improve the tool. Opt out anytime: vibedrift telemetry disable.
Update check (v0.6.1+) — once every 24 hours, scans query the public npm registry to see whether a newer @vibedrift/cli is available. Cached locally. Fails silently on network errors. Respects --local-only and vibedrift telemetry disable — both skip the check entirely. VibeDrift is early-stage; staying on the latest version keeps your drift detection sharp.
--local-only — skip ALL network calls even when logged in. No scan log, no beacon, no update check, no deep analysis, no fix-prompt synthesis. Use this in air-gapped environments, on sensitive codebases, or when you want a pure offline scan.
--deep sends function snippets (not full files) to the VibeDrift API, processed in memory and not stored. No BYOK required.
Auth state lives at ~/.vibedrift/config.json (mode 0600); revocable from vibedrift logout or the dashboard.
Scan history lives at ~/.vibedrift/scans/ — never inside your project tree.

Usage Reference

vibedrift [command] [path] [options]

Commands:
  scan [path]          Scan a project for vibe drift (default)
  watch [path]         Re-scan on file changes and refresh .vibedrift/ (requires `vibedrift login`, local, no network)
  login / logout       Account auth
  status               Show current account, plan, and token
  usage                Show this billing period's scan usage
  upgrade / billing    Pricing page / Stripe portal
  doctor               Diagnose CLI installation, auth, and API
  update               Update the CLI to the latest version
  feedback [message]   Send feedback, bug reports, or feature requests
  telemetry <action>   Enable or disable anonymous scan telemetry

Scan options:
  --format <type>       html (default), terminal, json, csv, docx
  --output <path>       Write report to a file
  --json                Shorthand for --format json
  --fail-on-score <n>   Exit with code 1 if Vibe Drift Score is below threshold
  --no-codedna          Skip Code DNA semantic analysis
  --no-cache            Disable the per-analyzer findings cache
  --deep                Enable AI-powered deep analysis (requires login)
  --local-only          Skip ALL network calls (offline / air-gapped mode)
  --write-context       Write .vibedrift/ context files (requires `vibedrift login`; safe to commit)
  --compare / --no-compare   Enable / disable the scan-over-scan diff banner (on by default when history exists)
  --since <scanId>      Diff against a specific saved scan rather than the most recent
  --project-name <name> Override the auto-detected project name
  --private             Anonymize project name (uses privXXXXXXXXXXXX)
  --include <pattern>   Only scan files matching this glob (repeatable)
  --exclude <pattern>   Exclude files matching this glob (repeatable)
  --verbose             Show timing breakdown and analyzer details

Watch options:
  --interval <seconds>  Debounce between rescans (default 10, min 2, max 600)
  --include, --exclude  Same semantics as scan
  --verbose             Print each file-change event

  Note: watch mode requires a signed-in account (free). It emits full
  finding details and refreshes the .vibedrift/ context files on every
  change — the equivalent gate as the one-shot scan. Run
  `vibedrift login` once, then `vibedrift watch`.

Intent-hint files

VibeDrift reads team-declared conventions from these files in the scan root and uses them to seed the dominance vote (a declared pattern outweighs close raw votes, and deviations become high-confidence findings):

CLAUDE.md
AGENTS.md / AGENT.md
.cursorrules
.claude/instructions.md

Supported categories: architectural, naming, async, export, import, return-shape, logging, state-management, test-structure.

Environment

| Variable | Purpose | |---|---| | VIBEDRIFT_TOKEN | Bearer token for CI / non-interactive use | | VIBEDRIFT_API_URL | Override API base URL (staging / self-hosted) | | VIBEDRIFT_NO_BROWSER | Set to 1 to never auto-open the browser | | VIBEDRIFT_DISABLE_CACHE | Set to 1 to disable the findings cache |

Output Formats

html (default) — interactive report with charts and foldable findings
terminal — color-coded terminal output
json — full scan result for CI pipelines
csv — multi-section tabular export
docx — Word document with AI summary and formatted findings

License

VibeDrift is proprietary software. Free to install and run for personal and internal commercial use. No modification, redistribution, or reverse engineering. See LICENSE for full terms. For commercial licensing or enterprise terms: [email protected].