What's new in VibeDrift.

Drift composite is now /100 instead of /80. The internal math is unchanged (4 applicable categories × 20 = 80 raw); the engine normalizes at the boundary so the headline matches user expectations from SonarQube, Lighthouse, etc. Hygiene was already /100. Grades come from the percentage so they're identical to prior versions.

Deep scans on monorepos like shadcn-ui (3,500+ files) used to silently fail to upload because the result blob exceeded the API's body-size cap. The CLI now compacts the payload progressively before uploading — stripping heavy bookkeeping fields in priority order until it fits — and surfaces any remaining failure with a visible warning instead of swallowing it.

Previously you had to run with `--verbose` to see if your scan made it to the dashboard. Now any upload failure shows a clear `⚠ Couldn't upload to dashboard` line at the end of the scan, with the reason and payload size. Successful uploads with trimming print a `ⓘ Result trimmed for upload: 39MB → 8MB` note so you know what happened.

A semantic-duplicate group spanning 60+ files (common in registry-style codebases with theme variants) used to produce a single 30–40 KB finding with the entire member list inline. The finding now caps the displayed names and locations and surfaces the total count separately, keeping the report scannable while preserving every piece of scoring signal.

VibeDrift now flags functions whose bodies are placeholder returns: `return "unvalidated"`, `return "not implemented"`, `raise NotImplementedError`, `panic("not implemented")`, `unimplemented!()`. Works across JavaScript, TypeScript, Python, Go, and Rust. Catches half-finished code that ships to production.

A TODO within five lines of a placeholder return or NotImplementedError is now a warning, not a buried info line. One TODO sitting next to a stub is orders of magnitude more actionable than ten scattered TODOs in a messy module.

VibeDrift now runs on every PR to the VibeDrift API repo itself. If a stub ever slips into review again, the drift detector will point at it before merge. Same GitHub Action any team can add in two minutes.

Run `vibedrift . --write-context` and VibeDrift writes a .vibedrift/ folder with context.md, fix-plan.md, fix-prompts.md, and patterns.json. Commit it alongside your CLAUDE.md. Your AI coding agent reads it on every new turn and knows which pattern to match — no more cold starts, no more drift across sessions.

`vibedrift watch` runs alongside your Cursor or Claude Code session and refreshes the context files on every file save. Zero network calls. The next AI turn always sees up-to-date peer patterns — even mid-refactor.

--write-context and watch mode both now require a free vibedrift login. The .vibedrift/ files carry the full finding surface — same gate as the one-shot HTML report. Sign up once (no card, 30 seconds), and both work everywhere.

When a newer @vibedrift/cli is available, the scan output now shows a dim one-liner at the end pointing at `vibedrift update`. Cached for 24 hours so it never slows a scan. Respects --local-only and telemetry opt-out.

vibedrift watch now checks for a local auth token before starting. This closes a gate that let an unsigned user get continuous full-finding output, which the one-shot scan gates behind a free account.

The headline score now measures cross-file pattern consistency — the thing VibeDrift was built to detect — and nothing else. Generic hygiene signals still render in a clearly labeled separate pane and get their own score, so nothing is hidden. If you gate CI on --fail-on-score, recalibrate after upgrading: the drift composite's max shifted from 100 to 80.

New vibedrift watch subcommand rescans on every file change and refreshes .vibedrift/context.md, fix-plan.md, and patterns.json. Point it at your project while your AI agent is working — every new turn, the agent sees up-to-date peer patterns and fix prompts. Local only, zero network calls, debounced so a burst of edits triggers one scan.

Every scan now compares to the previous one: ✓ Resolved, ✗ New, and score delta — right in the header. Finding identity survives small line shifts so moving code doesn't produce phantom 'new' findings. Use --since <scanId> to compare against any earlier saved scan.

New drift signal that reads your git history. Flags files written in a single burst by a single author when the rest of the directory was cultivated across time and contributors. It's a shape-of-authorship signal no linter has access to — useful for catching AI-generated files that shipped without human review.

When you run a free local scan, the upsell for deep scan used to be generic marketing copy. Now it names the exact near-duplicate function pairs, opaque function names, and mixed-pattern files that deep scan would confirm. You see what you're missing, not a banner.

When your repo root has a CLAUDE.md, AGENTS.md, or .cursorrules that declares 'use the repository pattern,' 'named exports only,' 'structured logging with winston,' or similar, VibeDrift now uses those declarations to bias the dominance vote across nine drift detectors. If your docs say one thing and your code does another, the divergence is flagged with a citation back to the source line.

Every PR gets an auto-updating comment showing the score delta vs main, new drifts introduced, and a consequence line for each. Updates on each push — no comment spam.

Set fail-on-score to block merges when the drift score drops below your threshold. Keeps the codebase consistent without manual review overhead.

Add a 10-line workflow file + your VIBEDRIFT_TOKEN secret. Free scans are unlimited in CI — deep scans use your monthly budget.

The premium feature — AI-authored prose describing how peer files implement the dominant pattern — was silently broken since launch. Now works on every logged-in scan. The 'How the peers do this' section appears in Copy AI Prompt blocks for findings with reference files.

Every finding in the Fix Plan shows a one-line consequence: what happens if you don't fix it. Security flaws, architectural drift, duplicates, missing deps — each has a concrete 'why this matters' annotation.

Security findings surface first, architectural contradictions second, semantic duplicates third. The Fix Plan shows the highest-stakes cross-file drift, not linter-grade complexity warnings.

When logged in, VibeDrift sends a lightweight anonymous ping per scan (language, file count, scan time, CLI version). No code, no file paths. Opt out anytime with `vibedrift telemetry disable`. Not-logged-in scans still make zero network calls.

Skip ALL network calls even when logged in — no scan log, no beacon, no deep analysis. Use this in air-gapped environments, on sensitive codebases, or when you want a pure offline scan.

New subcommand to manage telemetry preferences. Persisted in config. First-run notice shown once on first scan explaining what's collected and how to opt out.

Every file's vote is now multiplied by a recency factor — newer code outvotes older code with a 90-day half-life. Three fresh handlers adopting the repository pattern can now correctly outweigh ten old raw-SQL handlers the team is migrating away from.

When recent files lean toward a new pattern while legacy files hold the old one, VibeDrift now recognizes the migration and reclassifies old files as legacy (not drift). Old code you're planning to migrate is no longer treated as urgent drift.

Each deviating file is now aligned, legacy, or drift — with different copy-paste fix prompts for each. Legacy files get 'consider migrating' framing; true drift gets 'fix now.'

VibeDrift parses CLAUDE.md, AGENTS.md, .cursorrules, and AGENT.md in your repo root. When your declared convention disagrees with your actual code, that divergence is surfaced prominently in findings with a direct citation to the source file and line.

The secret-detection scanner no longer flags deliberate test strings (e.g. hardcoded 'AKIA...' in security.test.ts) as real credential leaks. Test paths and *.test.* / *.spec.* files are now excluded from secret scanning, eliminating a common source of false-positive findings.

Scale is $30/mo for 100 deep scans — a honest single-user power tier. Real multi-seat team billing is reserved for Enterprise where we can actually build it right (SSO, per-seat invoicing, admin dashboard).

Re-calibrated the scoring formula so one noisy category can't single-handedly tank your overall score. Projects with 100+ files now receive proportionally fair weighting instead of being over-penalized.

New hero section at the top of every report: score + grade, 5-category mini-cards, and quick links to the Fix Plan and detailed report. What used to take 10 minutes to read now takes 30 seconds to scan.

Every finding has a button that copies a drift-first Markdown block ready to paste into any AI coding assistant. The prompt names the peer baseline, lists reference files, and asks for a re-alignment refactor.

A top-of-report checklist of the 3–5 highest-impact drifts, with projected score gain if all are fixed. Includes a 'Copy full fix plan as AI context' bundler for one-shot multi-finding refactors.

Per-type visualizations — pattern-consensus bars for architectural drift, route-matrix grids for security, similarity bars for duplicates. Each card communicates its finding in under two seconds.

New --write-context flag emits a living context file (plus fix-plan.md, fix-prompts.md, patterns.json) into your repo that AI agents can read alongside CLAUDE.md. Safe to commit.

The full 2000-line lab report is preserved, but now lives behind a clear CTA rather than scrolling below the summary. Keeps the default view fast without hiding anything.

Architectural consistency, naming conventions, security posture, semantic duplication, phantom scaffolding, import/export style, async patterns, return shapes, logging, comments, state management, and test structure.

Semantic fingerprinting via MinHash + LSH, operation-sequence hashing, and taint-flow analysis. Catches near-duplicate functions that look completely different but behave identically.

On --deep scans, Claude Haiku synthesizes 'How the peers do this' prose from actual peer-file snippets. The AI prompt embeds real code from the files that follow the dominant pattern — grounded context instead of guesses.