CLI Command Reference
The vibereview CLI exposes seven commands. Run any of them with npx -y @securityreviewai/vibereview@latest <command> or, if installed globally, as
vibereview <command>.
| Command | Purpose |
|---|---|
init | Configure the MCP server and install rules/skills/hooks for IDE/CLI tools. |
status | Show current configuration and installed targets. |
switch-project | Re-pick the linked project (rules only). |
sync | Upload structured scan JSON to VibeReview. |
flush | Backstop sync, designed for IDE SessionStart hooks. |
guardrails | List the active guardrails for the configured project. |
project | Show the resolved project and tenant. |
init
Configures the MCP server and installs rules/skills/hooks. This is the primary command — see Installation.
| Flag | Description |
|---|---|
-t, --target <name...> | Target IDE/CLI (one or more supported target names). |
-a, --all | Install for all supported targets. |
--mcp-url <url> | MCP server URL (default http://localhost:3000). |
--api-url <url> | API URL (default http://localhost:8000). |
--api-key <token> | API token credential. |
--project-slug <slug> | Preselect project by slug or ID. |
--switch-project | Re-pick project; updates rules only. |
--skip-mcp | Skip MCP server configuration. |
--skip-rules | Skip workspace rules/skills/hooks. |
--no-hooks | Skip IDE hooks (policy lockdown). |
--approval-mode <mode> | Local human-in-the-loop mode: auto | critical | always. |
-y, --yes | Non-interactive run using defaults. |
# Interactive
npx -y @securityreviewai/vibereview@latest init
# Scripted, all IDEs, critical approval
npx -y @securityreviewai/vibereview@latest init --all --approval-mode critical --yes
The --approval-mode values mirror the tenant MCP approval mode:
auto— apply guardrails silently.critical— ask before auth / authz / crypto / secrets changes.always— ask before every guardrail change.
status
Displays the current configuration and which IDE/CLI targets are installed.
npx -y @securityreviewai/vibereview@latest status
switch-project
Re-pick the project the workspace is linked to; updates rules/skills/hooks only (does not touch MCP config).
| Flag | Description |
|---|---|
--project-slug <slug> | Project to switch to. |
-y, --yes | Non-interactive. |
npx -y @securityreviewai/vibereview@latest switch-project --project-slug viberev-benchmark
sync
Uploads structured scan JSON to VibeReview. With no --file, it drains the
local queue — every artifact in .vibereview/scans/.
| Flag | Description |
|---|---|
--file <path> | Upload a single artifact. |
--force | Re-upload even if the content hash matches a prior upload. |
# Upload one event (normal IDE workflow)
npx -y @securityreviewai/vibereview@latest sync --file .vibereview/scans/<event>.json
# Drain everything pending (manual recovery / backstop)
npx -y @securityreviewai/vibereview@latest sync
flush
A backstop sync intended to run from IDE SessionStart hooks.
| Flag | Description |
|---|---|
--background | Detach and exit immediately. |
--force | Re-upload all artifacts. |
npx -y @securityreviewai/vibereview@latest flush --background
guardrails
Lists the active guardrails for the configured project.
npx -y @securityreviewai/vibereview@latest guardrails
project
Shows the resolved project and tenant information for the current workspace.
npx -y @securityreviewai/vibereview@latest project
The published package is v0.2.5. The CLI's internal --version string may
report 0.2.0 due to a minor version-string lag; treat the npm package version as
authoritative.