50c 3.9.4 → 3.9.6

package/lib/pre-publish.js

@@ -1,812 +1,1361 @@
-/**
- * 50c Pre-Publish Verification Tool
- * 
- * Thorough 100-point checklist before publishing to:
- * - npm (packages)
- * - GitHub (releases)
- * - arXiv (papers)
- * - Medical journals
- * - Scientific publications
- * 
- * "Ask once, verify everything"
- */
-
-// Verification profiles for different publish targets
-const PROFILES = {
-  npm: {
-    name: 'NPM Package',
-    checks: [
-      // Package basics
-      { id: 'pkg_name', cat: 'metadata', desc: 'Package name valid and available', empirical: true },
-      { id: 'pkg_version', cat: 'metadata', desc: 'Version bumped from npm registry', empirical: true },
-      { id: 'pkg_desc', cat: 'metadata', desc: 'Description clear, no marketing fluff', empirical: false },
-      { id: 'pkg_keywords', cat: 'metadata', desc: 'Keywords relevant and searchable', empirical: false },
-      { id: 'pkg_license', cat: 'metadata', desc: 'LICENSE file exists and valid', empirical: true },
-      { id: 'pkg_repo', cat: 'metadata', desc: 'Repository URL valid and accessible', empirical: true },
-      { id: 'pkg_homepage', cat: 'metadata', desc: 'Homepage URL live and correct', empirical: true },
-      
-      // Code quality
-      { id: 'syntax_valid', cat: 'code', desc: 'All JS/TS files pass syntax check', empirical: true },
-      { id: 'no_console_log', cat: 'code', desc: 'No debug console.log statements', empirical: true },
-      { id: 'no_todo_fixme', cat: 'code', desc: 'No unresolved TODO/FIXME comments', empirical: true },
-      { id: 'no_hardcoded_secrets', cat: 'security', desc: 'No hardcoded API keys/passwords/tokens', empirical: true },
-      { id: 'no_localhost', cat: 'security', desc: 'No localhost/127.0.0.1 in production code', empirical: true },
-      { id: 'deps_secure', cat: 'security', desc: 'No known vulnerabilities in dependencies', empirical: true },
-      
-      // Documentation
-      { id: 'readme_exists', cat: 'docs', desc: 'README.md exists', empirical: true },
-      { id: 'readme_install', cat: 'docs', desc: 'Installation instructions present', empirical: true },
-      { id: 'readme_usage', cat: 'docs', desc: 'Usage examples present', empirical: true },
-      { id: 'readme_links_live', cat: 'docs', desc: 'All README links are live', empirical: true },
-      { id: 'changelog_updated', cat: 'docs', desc: 'CHANGELOG updated for this version', empirical: true },
-      
-      // Build/Test
-      { id: 'tests_pass', cat: 'test', desc: 'All tests pass', empirical: true },
-      { id: 'build_clean', cat: 'test', desc: 'Build completes without warnings', empirical: true },
-      { id: 'entry_point_valid', cat: 'test', desc: 'Main/bin entry points resolve', empirical: true },
-      
-      // Files
-      { id: 'files_included', cat: 'files', desc: 'Only intended files in package', empirical: true },
-      { id: 'no_env_files', cat: 'files', desc: 'No .env files included', empirical: true },
-      { id: 'no_test_files', cat: 'files', desc: 'Test files excluded from package', empirical: true },
-      { id: 'size_reasonable', cat: 'files', desc: 'Package size under 10MB', empirical: true },
-    ]
-  },
-  
-  github: {
-    name: 'GitHub Release',
-    checks: [
-      { id: 'tag_format', cat: 'release', desc: 'Tag follows semver (vX.Y.Z)', empirical: true },
-      { id: 'tag_unique', cat: 'release', desc: 'Tag does not exist yet', empirical: true },
-      { id: 'branch_clean', cat: 'release', desc: 'No uncommitted changes', empirical: true },
-      { id: 'branch_pushed', cat: 'release', desc: 'All commits pushed to remote', empirical: true },
-      { id: 'ci_passing', cat: 'release', desc: 'CI/CD pipeline green', empirical: true },
-      { id: 'release_notes', cat: 'docs', desc: 'Release notes written', empirical: false },
-      { id: 'breaking_changes', cat: 'docs', desc: 'Breaking changes documented', empirical: false },
-      { id: 'migration_guide', cat: 'docs', desc: 'Migration guide if needed', empirical: false },
-      { id: 'no_secrets_in_history', cat: 'security', desc: 'No secrets in git history', empirical: true },
-      { id: 'license_file', cat: 'legal', desc: 'LICENSE file present', empirical: true },
-    ]
-  },
-  
-  arxiv: {
-    name: 'arXiv Paper',
-    checks: [
-      // Compilation
-      { id: 'latex_compiles', cat: 'build', desc: 'LaTeX compiles without errors', empirical: true },
-      { id: 'no_overfull_hbox', cat: 'build', desc: 'No overfull hbox warnings', empirical: true },
-      { id: 'figures_render', cat: 'build', desc: 'All figures render correctly', empirical: true },
-      { id: 'refs_resolve', cat: 'build', desc: 'All references resolve', empirical: true },
-      { id: 'citations_complete', cat: 'build', desc: 'No [?] citation markers', empirical: true },
-      
-      // Content integrity
-      { id: 'abstract_standalone', cat: 'content', desc: 'Abstract is self-contained', empirical: false },
-      { id: 'claims_supported', cat: 'content', desc: 'All claims have citations or proofs', empirical: false },
-      { id: 'math_verified', cat: 'content', desc: 'Mathematical derivations verified', empirical: false },
-      { id: 'no_placeholder', cat: 'content', desc: 'No TODO/TBD/XXX placeholders', empirical: true },
-      { id: 'consistent_notation', cat: 'content', desc: 'Notation consistent throughout', empirical: false },
-      
-      // AI-POWERED VERIFICATION (50c tools)
-      { id: 'math_verified_bcalc', cat: 'ai-verify', desc: '[bCalc] Math expressions validated', empirical: true },
-      { id: 'proofs_verified_genius', cat: 'ai-verify', desc: '[genius+] Proofs checked for gaps', empirical: true },
-      { id: 'claims_validated_search', cat: 'ai-verify', desc: '[web_search] Novelty claims validated', empirical: true },
-      
-      // Reproducibility
-      { id: 'code_available', cat: 'repro', desc: 'Code repository linked', empirical: true },
-      { id: 'data_available', cat: 'repro', desc: 'Dataset accessible or described', empirical: false },
-      { id: 'hyperparams_listed', cat: 'repro', desc: 'All hyperparameters specified', empirical: false },
-      { id: 'compute_resources', cat: 'repro', desc: 'Compute requirements stated', empirical: false },
-      
-      // Ethics
-      { id: 'ethics_statement', cat: 'ethics', desc: 'Ethics statement if applicable', empirical: false },
-      { id: 'limitations_discussed', cat: 'ethics', desc: 'Limitations acknowledged', empirical: false },
-      { id: 'societal_impact', cat: 'ethics', desc: 'Broader impact discussed', empirical: false },
-      
-      // Formatting
-      { id: 'arxiv_format', cat: 'format', desc: 'Follows arXiv formatting guidelines', empirical: true },
-      { id: 'page_limit', cat: 'format', desc: 'Within page limit for category', empirical: true },
-      { id: 'anon_submission', cat: 'format', desc: 'Anonymized if required', empirical: true },
-    ]
-  },
-  
-  medical: {
-    name: 'Medical/Clinical Publication',
-    checks: [
-      // Regulatory
-      { id: 'irb_approval', cat: 'regulatory', desc: 'IRB/Ethics approval documented', empirical: true },
-      { id: 'trial_registration', cat: 'regulatory', desc: 'Trial registered (if applicable)', empirical: true },
-      { id: 'consort_checklist', cat: 'regulatory', desc: 'CONSORT/STROBE checklist completed', empirical: true },
-      { id: 'data_privacy', cat: 'regulatory', desc: 'Patient data de-identified', empirical: true },
-      
-      // Statistical rigor
-      { id: 'sample_size_justified', cat: 'stats', desc: 'Sample size calculation provided', empirical: false },
-      { id: 'stats_methods_appropriate', cat: 'stats', desc: 'Statistical methods appropriate', empirical: false },
-      { id: 'confidence_intervals', cat: 'stats', desc: 'Confidence intervals reported', empirical: true },
-      { id: 'effect_sizes', cat: 'stats', desc: 'Effect sizes reported', empirical: true },
-      { id: 'multiple_comparisons', cat: 'stats', desc: 'Multiple comparisons addressed', empirical: false },
-      
-      // Clinical validity
-      { id: 'endpoints_defined', cat: 'clinical', desc: 'Primary/secondary endpoints defined', empirical: true },
-      { id: 'adverse_events', cat: 'clinical', desc: 'Adverse events reported', empirical: true },
-      { id: 'limitations_stated', cat: 'clinical', desc: 'Study limitations stated', empirical: true },
-      { id: 'generalizability', cat: 'clinical', desc: 'Generalizability discussed', empirical: false },
-      
-      // Conflicts
-      { id: 'coi_disclosed', cat: 'disclosure', desc: 'Conflicts of interest disclosed', empirical: true },
-      { id: 'funding_disclosed', cat: 'disclosure', desc: 'Funding sources disclosed', empirical: true },
-      { id: 'author_contributions', cat: 'disclosure', desc: 'Author contributions listed', empirical: true },
-    ]
-  },
-  
-  science: {
-    name: 'Scientific Publication',
-    checks: [
-      // Methodology
-      { id: 'methods_reproducible', cat: 'methods', desc: 'Methods described in reproducible detail', empirical: false },
-      { id: 'controls_appropriate', cat: 'methods', desc: 'Control experiments appropriate', empirical: false },
-      { id: 'sample_size_adequate', cat: 'methods', desc: 'Sample size adequate for claims', empirical: false },
-      { id: 'blinding_described', cat: 'methods', desc: 'Blinding procedures described', empirical: false },
-      
-      // AI-POWERED VERIFICATION (50c tools)
-      { id: 'methodology_hints', cat: 'ai-verify', desc: '[hints+] Methodology weaknesses', empirical: true },
-      { id: 'claims_validated_search', cat: 'ai-verify', desc: '[web_search] Prior work check', empirical: true },
-      
-      // Data integrity
-      { id: 'raw_data_available', cat: 'data', desc: 'Raw data available/accessible', empirical: true },
-      { id: 'data_processing_documented', cat: 'data', desc: 'Data processing steps documented', empirical: false },
-      { id: 'outliers_handled', cat: 'data', desc: 'Outlier handling described', empirical: false },
-      { id: 'error_bars_explained', cat: 'data', desc: 'Error bars/uncertainty quantified', empirical: true },
-      
-      // Claims
-      { id: 'claims_match_evidence', cat: 'claims', desc: 'Claims proportional to evidence', empirical: false },
-      { id: 'alternative_explanations', cat: 'claims', desc: 'Alternative explanations addressed', empirical: false },
-      { id: 'no_overclaiming', cat: 'claims', desc: 'No overclaiming in abstract/title', empirical: false },
-      { id: 'novelty_justified', cat: 'claims', desc: 'Novelty claims justified vs prior work', empirical: false },
-      
-      // Figures
-      { id: 'figures_clear', cat: 'figures', desc: 'Figures clear at print resolution', empirical: true },
-      { id: 'axes_labeled', cat: 'figures', desc: 'All axes labeled with units', empirical: true },
-      { id: 'legends_complete', cat: 'figures', desc: 'Figure legends self-contained', empirical: false },
-      { id: 'color_accessible', cat: 'figures', desc: 'Color-blind accessible', empirical: true },
-    ]
-  },
-  
-  math: {
-    name: 'Mathematics Paper',
-    checks: [
-      // Proofs
-      { id: 'proofs_complete', cat: 'proofs', desc: 'All proofs complete (no gaps)', empirical: false },
-      { id: 'proofs_verified', cat: 'proofs', desc: 'Proofs independently verified', empirical: false },
-      { id: 'edge_cases_handled', cat: 'proofs', desc: 'Edge cases and degeneracies handled', empirical: false },
-      { id: 'assumptions_explicit', cat: 'proofs', desc: 'All assumptions explicitly stated', empirical: false },
-      
-      // AI-POWERED VERIFICATION (50c tools)
-      { id: 'math_verified_bcalc', cat: 'ai-verify', desc: '[bCalc] Mathematical verification', empirical: true },
-      { id: 'proofs_verified_genius', cat: 'ai-verify', desc: '[genius+] Proof gap detection', empirical: true },
-      { id: 'claims_validated_search', cat: 'ai-verify', desc: '[web_search] Novelty validation', empirical: true },
-      
-      // Definitions
-      { id: 'terms_defined', cat: 'defs', desc: 'All terms defined before use', empirical: true },
-      { id: 'notation_consistent', cat: 'defs', desc: 'Notation consistent with literature', empirical: false },
-      { id: 'numbering_correct', cat: 'defs', desc: 'Theorem/lemma numbering correct', empirical: true },
-      
-      // Examples
-      { id: 'examples_verify_claims', cat: 'examples', desc: 'Examples verify main theorems', empirical: false },
-      { id: 'counterexamples_checked', cat: 'examples', desc: 'Potential counterexamples addressed', empirical: false },
-      { id: 'computational_verified', cat: 'examples', desc: 'Computational results verified', empirical: true },
-      
-      // Literature
-      { id: 'prior_work_cited', cat: 'refs', desc: 'Prior work appropriately cited', empirical: false },
-      { id: 'no_overclaiming_novelty', cat: 'refs', desc: 'Novelty claims accurate', empirical: false },
-      { id: 'comparison_to_existing', cat: 'refs', desc: 'Results compared to existing bounds', empirical: false },
-    ]
-  }
-};
-
-// 50c API integration for AI-powered verification
-async function call50cTool(tool, params, timeout = 60000) {
-  const fs = require('fs');
-  const path = require('path');
-  
-  // Try to get API key from mcp.json
-  let apiKey = process.env.FIFTYC_API_KEY;
-  if (!apiKey) {
-    try {
-      const homeDir = process.env.USERPROFILE || process.env.HOME;
-      const mcpPath = path.join(homeDir, '.verdent', 'mcp.json');
-      if (fs.existsSync(mcpPath)) {
-        const mcp = JSON.parse(fs.readFileSync(mcpPath, 'utf8'));
-        const server = mcp.mcpServers?.['50c'] || mcp.mcpServers?.['50c-ai'];
-        apiKey = server?.env?.FIFTYC_API_KEY;
-      }
-    } catch (e) {}
-  }
-  
-  if (!apiKey) {
-    return { error: 'No 50c API key configured' };
-  }
-  
-  try {
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), timeout);
-    
-    const res = await fetch('https://api.50c.ai/mcp', {
-      method: 'POST',
-      headers: { 
-        'Content-Type': 'application/json',
-        'Authorization': `Bearer ${apiKey}`
-      },
-      body: JSON.stringify({
-        jsonrpc: '2.0',
-        method: 'tools/call',
-        params: { name: tool, arguments: params },
-        id: Date.now()
-      }),
-      signal: controller.signal
-    });
-    
-    clearTimeout(timeoutId);
-    const data = await res.json();
-    return data.result?.content?.[0]?.text || data.result || data;
-  } catch (e) {
-    return { error: e.message };
-  }
-}
-
-// Empirical check implementations
-const EMPIRICAL_CHECKS = {
-  // NPM checks
-  async pkg_version(ctx) {
-    const pkg = ctx.packageJson;
-    if (!pkg) return { pass: false, msg: 'No package.json found' };
-    
-    try {
-      const res = await fetch(`https://registry.npmjs.org/${pkg.name}/latest`);
-      if (res.status === 404) return { pass: true, msg: 'New package (not on npm yet)' };
-      const data = await res.json();
-      const npmVersion = data.version;
-      const localVersion = pkg.version;
-      
-      if (localVersion === npmVersion) {
-        return { pass: false, msg: `Version ${localVersion} already published. Bump required.` };
-      }
-      
-      // Check if local is higher
-      const [lMaj, lMin, lPatch] = localVersion.split('.').map(Number);
-      const [nMaj, nMin, nPatch] = npmVersion.split('.').map(Number);
-      
-      if (lMaj > nMaj || (lMaj === nMaj && lMin > nMin) || (lMaj === nMaj && lMin === nMin && lPatch > nPatch)) {
-        return { pass: true, msg: `${localVersion} > ${npmVersion} (npm)` };
-      }
-      
-      return { pass: false, msg: `Local ${localVersion} <= npm ${npmVersion}` };
-    } catch (e) {
-      return { pass: false, msg: `npm check failed: ${e.message}` };
-    }
-  },
-  
-  async pkg_homepage(ctx) {
-    const url = ctx.packageJson?.homepage;
-    if (!url) return { pass: false, msg: 'No homepage in package.json' };
-    
-    try {
-      const res = await fetch(url, { method: 'HEAD' });
-      return res.ok 
-        ? { pass: true, msg: `${url} is live` }
-        : { pass: false, msg: `${url} returned ${res.status}` };
-    } catch (e) {
-      return { pass: false, msg: `${url} unreachable: ${e.message}` };
-    }
-  },
-  
-  async pkg_repo(ctx) {
-    const repo = ctx.packageJson?.repository?.url || ctx.packageJson?.repository;
-    if (!repo) return { pass: null, msg: 'No repository URL (optional)' };
-    
-    // Convert git URL to HTTPS for checking
-    let checkUrl = String(repo).replace(/^git\+/, '').replace(/\.git$/, '');
-    if (checkUrl.startsWith('git://')) {
-      checkUrl = checkUrl.replace('git://', 'https://');
-    }
-    
-    try {
-      const res = await fetch(checkUrl, { method: 'HEAD' });
-      return res.ok
-        ? { pass: true, msg: `${checkUrl} accessible` }
-        : { pass: false, msg: `${checkUrl} returned ${res.status}` };
-    } catch (e) {
-      return { pass: false, msg: `${checkUrl} unreachable` };
-    }
-  },
-  
-  async syntax_valid(ctx) {
-    const { execSync } = require('child_process');
-    const jsFiles = ctx.files.filter(f => f.endsWith('.js') || f.endsWith('.mjs'));
-    const errors = [];
-    
-    for (const file of jsFiles.slice(0, 20)) { // Limit to 20 files
-      try {
-        execSync(`node -c "${file}"`, { stdio: 'pipe', cwd: ctx.cwd });
-      } catch (e) {
-        errors.push(file);
-      }
-    }
-    
-    return errors.length === 0
-      ? { pass: true, msg: `${jsFiles.length} JS files valid` }
-      : { pass: false, msg: `Syntax errors in: ${errors.join(', ')}` };
-  },
-  
-  async no_hardcoded_secrets(ctx) {
-    const { execSync } = require('child_process');
-    const patterns = [
-      'api[_-]?key\\s*[=:]\\s*["\'][a-zA-Z0-9]{20,}',
-      'password\\s*[=:]\\s*["\'][^"\']{8,}',
-      'secret\\s*[=:]\\s*["\'][a-zA-Z0-9]{20,}',
-      'token\\s*[=:]\\s*["\'][a-zA-Z0-9]{20,}',
-      'AWS[_-]?ACCESS[_-]?KEY',
-      'PRIVATE[_-]?KEY',
-    ];
-    
-    const findings = [];
-    for (const pattern of patterns) {
-      try {
-        const result = execSync(
-          `findstr /R /I /S "${pattern}" *.js *.ts *.json 2>nul`,
-          { cwd: ctx.cwd, encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }
-        );
-        if (result.trim()) {
-          findings.push(pattern.substring(0, 20) + '...');
-        }
-      } catch (e) {
-        // No matches is good
-      }
-    }
-    
-    return findings.length === 0
-      ? { pass: true, msg: 'No hardcoded secrets detected' }
-      : { pass: false, msg: `Potential secrets: ${findings.join(', ')}` };
-  },
-  
-  async readme_links_live(ctx) {
-    const fs = require('fs');
-    const readmePath = ctx.files.find(f => f.toLowerCase().endsWith('readme.md'));
-    if (!readmePath) return { pass: false, msg: 'No README.md' };
-    
-    const content = fs.readFileSync(readmePath, 'utf8');
-    const urlPattern = /https?:\/\/[^\s\)\"\']+/g;
-    const urls = [...new Set(content.match(urlPattern) || [])];
-    
-    const deadLinks = [];
-    for (const url of urls.slice(0, 10)) { // Check first 10
-      try {
-        const res = await fetch(url, { method: 'HEAD', timeout: 5000 });
-        if (!res.ok) deadLinks.push(url);
-      } catch (e) {
-        deadLinks.push(url);
-      }
-    }
-    
-    return deadLinks.length === 0
-      ? { pass: true, msg: `${urls.length} links verified` }
-      : { pass: false, msg: `Dead links: ${deadLinks.join(', ')}` };
-  },
-  
-  async no_localhost(ctx) {
-    const fs = require('fs');
-    const path = require('path');
-    const findings = [];
-    
-    for (const file of ctx.files.filter(f => /\.(js|ts|json)$/.test(f)).slice(0, 30)) {
-      // Skip this file itself (it contains localhost patterns for checking)
-      if (path.basename(file) === 'pre-publish.js') continue;
-      
-      try {
-        const content = fs.readFileSync(file, 'utf8');
-        if (/localhost|127\.0\.0\.1|0\.0\.0\.0/.test(content)) {
-          // Check it's not in a comment or config option
-          const lines = content.split('\n');
-          for (let i = 0; i < lines.length; i++) {
-            const line = lines[i];
-            if (/localhost|127\.0\.0\.1/.test(line) && !line.trim().startsWith('//') && !line.includes('||') && !line.includes('regex') && !line.includes('pattern')) {
-              findings.push(`${path.basename(file)}:${i+1}`);
-              break;
-            }
-          }
-        }
-      } catch (e) {}
-    }
-    
-    return findings.length === 0
-      ? { pass: true, msg: 'No localhost references' }
-      : { pass: false, msg: `localhost found: ${findings.slice(0,3).join(', ')}` };
-  },
-  
-  async size_reasonable(ctx) {
-    const { execSync } = require('child_process');
-    try {
-      const result = execSync('npm pack --dry-run 2>&1', { cwd: ctx.cwd, encoding: 'utf8' });
-      const sizeMatch = result.match(/total files.*?(\d+(?:\.\d+)?)\s*(kB|MB|B)/i);
-      if (sizeMatch) {
-        let sizeKB = parseFloat(sizeMatch[1]);
-        if (sizeMatch[2].toLowerCase() === 'mb') sizeKB *= 1024;
-        if (sizeMatch[2].toLowerCase() === 'b') sizeKB /= 1024;
-        
-        return sizeKB < 10240 // 10MB limit
-          ? { pass: true, msg: `Package size: ${sizeKB.toFixed(1)} KB` }
-          : { pass: false, msg: `Package too large: ${sizeKB.toFixed(1)} KB (limit 10MB)` };
-      }
-    } catch (e) {}
-    return { pass: null, msg: 'Could not determine package size' };
-  },
-  
-  // arXiv checks
-  async latex_compiles(ctx) {
-    const { execSync } = require('child_process');
-    const texFile = ctx.files.find(f => f.endsWith('.tex') && !f.includes('preamble'));
-    if (!texFile) return { pass: false, msg: 'No .tex file found' };
-    
-    try {
-      execSync(`pdflatex -interaction=nonstopmode "${texFile}"`, { cwd: ctx.cwd, stdio: 'pipe' });
-      return { pass: true, msg: 'LaTeX compiles' };
-    } catch (e) {
-      return { pass: false, msg: 'LaTeX compilation failed' };
-    }
-  },
-  
-  async no_placeholder(ctx) {
-    const fs = require('fs');
-    const findings = [];
-    const patterns = /\b(TODO|FIXME|XXX|TBD|PLACEHOLDER)\b/gi;
-    
-    for (const file of ctx.files.slice(0, 50)) {
-      try {
-        const content = fs.readFileSync(file, 'utf8');
-        const matches = content.match(patterns);
-        if (matches) {
-          findings.push(`${file}: ${matches.length} placeholders`);
-        }
-      } catch (e) {}
-    }
-    
-    return findings.length === 0
-      ? { pass: true, msg: 'No placeholders found' }
-      : { pass: false, msg: findings.slice(0, 3).join('; ') };
-  },
-  
-  // AI-powered math verification using bCalc
-  async math_verified_bcalc(ctx) {
-    const fs = require('fs');
-    const texFiles = ctx.files.filter(f => f.endsWith('.tex'));
-    if (texFiles.length === 0) return { pass: null, msg: 'No .tex files' };
-    
-    // Extract key mathematical claims/equations
-    const content = fs.readFileSync(texFiles[0], 'utf8');
-    const equations = content.match(/\$\$[^$]+\$\$/g) || [];
-    const claims = content.match(/\\begin\{theorem\}[\s\S]*?\\end\{theorem\}/g) || [];
-    
-    if (equations.length === 0 && claims.length === 0) {
-      return { pass: null, msg: 'No equations/theorems found to verify' };
-    }
-    
-    // Sample first theorem or key equation for bCalc verification
-    const sample = claims[0] || equations[0];
-    const cleanSample = sample.replace(/\\[a-z]+\{[^}]*\}/g, '').substring(0, 500);
-    
-    try {
-      const result = await call50cTool('bcalc', {
-        expression: cleanSample,
-        mode: 'verify'
-      }, 30000);
-      
-      if (result.error) {
-        return { pass: null, msg: `bCalc unavailable: ${result.error}` };
-      }
-      
-      // Check if bCalc found issues
-      const resultStr = typeof result === 'string' ? result : JSON.stringify(result);
-      const hasIssues = /error|invalid|incorrect|false/i.test(resultStr);
-      
-      return hasIssues
-        ? { pass: false, msg: `bCalc found issues: ${resultStr.substring(0, 100)}` }
-        : { pass: true, msg: 'bCalc verified mathematical expressions' };
-    } catch (e) {
-      return { pass: null, msg: `bCalc check failed: ${e.message}` };
-    }
-  },
-  
-  // AI-powered proof verification using genius_plus
-  async proofs_verified_genius(ctx) {
-    const fs = require('fs');
-    const texFiles = ctx.files.filter(f => f.endsWith('.tex'));
-    if (texFiles.length === 0) return { pass: null, msg: 'No .tex files' };
-    
-    const content = fs.readFileSync(texFiles[0], 'utf8');
-    
-    // Extract proofs
-    const proofs = content.match(/\\begin\{proof\}[\s\S]*?\\end\{proof\}/g) || [];
-    if (proofs.length === 0) {
-      return { pass: null, msg: 'No formal proofs found' };
-    }
-    
-    // Take abstract + first proof for genius+ analysis
-    const abstractMatch = content.match(/\\begin\{abstract\}([\s\S]*?)\\end\{abstract\}/);
-    const abstract = abstractMatch ? abstractMatch[1] : '';
-    const firstProof = proofs[0].substring(0, 1000);
-    
-    try {
-      const result = await call50cTool('genius_plus', {
-        problem: `Verify this mathematical proof for logical gaps, unstated assumptions, or errors:\n\nContext: ${abstract.substring(0, 300)}\n\nProof:\n${firstProof}`
-      }, 90000);
-      
-      if (result.error) {
-        return { pass: null, msg: `genius+ unavailable: ${result.error}` };
-      }
-      
-      const resultStr = typeof result === 'string' ? result : JSON.stringify(result);
-      
-      // Check for red flags
-      const redFlags = /gap|flaw|error|incorrect|missing|invalid|contradiction/i.test(resultStr);
-      
-      return redFlags
-        ? { pass: false, msg: `genius+ found issues: ${resultStr.substring(0, 150)}...` }
-        : { pass: true, msg: 'genius+ verified proof structure' };
-    } catch (e) {
-      return { pass: null, msg: `genius+ check failed: ${e.message}` };
-    }
-  },
-  
-  // AI-powered claim validation using web_search
-  async claims_validated_search(ctx) {
-    const fs = require('fs');
-    const texFiles = ctx.files.filter(f => f.endsWith('.tex'));
-    if (texFiles.length === 0) return { pass: null, msg: 'No .tex files' };
-    
-    const content = fs.readFileSync(texFiles[0], 'utf8');
-    
-    // Extract title and key claims
-    const titleMatch = content.match(/\\title\{([^}]+)\}/);
-    const title = titleMatch ? titleMatch[1] : '';
-    
-    // Find novelty claims
-    const noveltyPatterns = /first|novel|new|unprecedented|breakthrough|improve|better than/gi;
-    const hasNoveltyClaims = noveltyPatterns.test(content);
-    
-    if (!hasNoveltyClaims || !title) {
-      return { pass: null, msg: 'No novelty claims to validate' };
-    }
-    
-    try {
-      const result = await call50cTool('web_search', {
-        query: title.replace(/[\\{}]/g, ' ').trim(),
-        max_results: 5
-      }, 30000);
-      
-      if (result.error) {
-        return { pass: null, msg: `web_search unavailable: ${result.error}` };
-      }
-      
-      const resultStr = typeof result === 'string' ? result : JSON.stringify(result);
-      
-      // Check if similar work already exists
-      const duplicateSignals = /already|published|existing|prior art|known result/i.test(resultStr);
-      
-      return duplicateSignals
-        ? { pass: false, msg: `Potential prior work found - verify novelty: ${resultStr.substring(0, 100)}` }
-        : { pass: true, msg: 'No obvious conflicting prior work found' };
-    } catch (e) {
-      return { pass: null, msg: `Search check failed: ${e.message}` };
-    }
-  },
-  
-  // Science-specific: validate methodology with hints+
-  async methodology_hints(ctx) {
-    const fs = require('fs');
-    const files = ctx.files.filter(f => /\.(tex|md|txt)$/.test(f));
-    if (files.length === 0) return { pass: null, msg: 'No text files' };
-    
-    // Read first file
-    const content = fs.readFileSync(files[0], 'utf8').substring(0, 2000);
-    
-    // Look for methods section
-    const methodsMatch = content.match(/method|experiment|procedure|approach/i);
-    if (!methodsMatch) {
-      return { pass: null, msg: 'No methods section detected' };
-    }
-    
-    try {
-      const result = await call50cTool('hints_plus', {
-        query: `Evaluate scientific methodology for weaknesses: ${content.substring(0, 1000)}`
-      }, 30000);
-      
-      if (result.error) {
-        return { pass: null, msg: `hints+ unavailable: ${result.error}` };
-      }
-      
-      // hints_plus returns brutal hints - just report them
-      return { 
-        pass: null, 
-        msg: `hints+: ${typeof result === 'string' ? result.substring(0, 200) : JSON.stringify(result).substring(0, 200)}` 
-      };
-    } catch (e) {
-      return { pass: null, msg: `hints+ check failed: ${e.message}` };
-    }
-  },
-};
-
-/**
- * Main verification function
- */
-async function verify(profile, options = {}) {
-  const config = PROFILES[profile];
-  if (!config) {
-    return { error: `Unknown profile: ${profile}. Available: ${Object.keys(PROFILES).join(', ')}` };
-  }
-  
-  const fs = require('fs');
-  const path = require('path');
-  const cwd = options.cwd || process.cwd();
-  
-  // Build context
-  const ctx = {
-    cwd,
-    profile,
-    files: [],
-    packageJson: null,
-  };
-  
-  // Gather files
-  try {
-    const walk = (dir, depth = 0) => {
-      if (depth > 3) return; // Max depth
-      const items = fs.readdirSync(dir);
-      for (const item of items) {
-        if (item.startsWith('.') || item === 'node_modules') continue;
-        const full = path.join(dir, item);
-        const stat = fs.statSync(full);
-        if (stat.isDirectory()) {
-          walk(full, depth + 1);
-        } else {
-          ctx.files.push(full);
-        }
-      }
-    };
-    walk(cwd);
-  } catch (e) {}
-  
-  // Load package.json if exists
-  try {
-    const pkgPath = path.join(cwd, 'package.json');
-    if (fs.existsSync(pkgPath)) {
-      ctx.packageJson = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
-    }
-  } catch (e) {}
-  
-  // Run checks
-  const results = {
-    profile: config.name,
-    timestamp: new Date().toISOString(),
-    summary: { pass: 0, fail: 0, skip: 0, manual: 0 },
-    checks: [],
-    ready: false,
-  };
-  
-  for (const check of config.checks) {
-    const result = { ...check, status: null, msg: '' };
-    
-    if (check.empirical && EMPIRICAL_CHECKS[check.id]) {
-      try {
-        const r = await EMPIRICAL_CHECKS[check.id](ctx);
-        result.status = r.pass ? 'PASS' : (r.pass === false ? 'FAIL' : 'SKIP');
-        result.msg = r.msg;
-      } catch (e) {
-        result.status = 'SKIP';
-        result.msg = `Error: ${e.message}`;
-      }
-    } else if (check.empirical) {
-      result.status = 'SKIP';
-      result.msg = 'Check not implemented';
-    } else {
-      result.status = 'MANUAL';
-      result.msg = 'Requires manual review';
-    }
-    
-    results.checks.push(result);
-    
-    if (result.status === 'PASS') results.summary.pass++;
-    else if (result.status === 'FAIL') results.summary.fail++;
-    else if (result.status === 'SKIP') results.summary.skip++;
-    else results.summary.manual++;
-  }
-  
-  results.ready = results.summary.fail === 0;
-  results.score = Math.round((results.summary.pass / (results.summary.pass + results.summary.fail + results.summary.manual)) * 100);
-  
-  return results;
-}
-
-/**
- * Generate verification receipt as Markdown
- */
-function generateReceipt(results, options = {}) {
-  const lines = [
-    '# 50c Pre-Publish Verification Receipt',
-    '',
-    `**Generated:** ${results.timestamp}`,
-    `**Profile:** ${results.profile}`,
-    `**Directory:** ${options.cwd || 'N/A'}`,
-    `**Verdict:** ${results.ready ? '✅ READY TO PUBLISH' : '❌ NOT READY - FIX ISSUES'}`,
-    '',
-    '---',
-    '',
-    '## Summary',
-    '',
-    '| Metric | Count |',
-    '|--------|-------|',
-    `| Pass | ${results.summary.pass} |`,
-    `| Fail | ${results.summary.fail} |`,
-    `| Skip | ${results.summary.skip} |`,
-    `| Manual | ${results.summary.manual} |`,
-    `| **Score** | **${results.score}/100** |`,
-    '',
-    '---',
-    '',
-    '## Detailed Results',
-    '',
-  ];
-  
-  // Group by category
-  const byCategory = {};
-  for (const check of results.checks) {
-    if (!byCategory[check.cat]) byCategory[check.cat] = [];
-    byCategory[check.cat].push(check);
-  }
-  
-  for (const [cat, checks] of Object.entries(byCategory)) {
-    lines.push(`### ${cat.toUpperCase()}`);
-    lines.push('');
-    lines.push('| Status | Check | Message |');
-    lines.push('|--------|-------|---------|');
-    for (const c of checks) {
-      const icon = c.status === 'PASS' ? '✅' : c.status === 'FAIL' ? '❌' : c.status === 'SKIP' ? '⏭️' : '👁️';
-      lines.push(`| ${icon} ${c.status} | ${c.desc} | ${(c.msg || '').substring(0, 50)} |`);
-    }
-    lines.push('');
-  }
-  
-  // Cost estimate
-  const aiChecks = results.checks.filter(c => c.cat === 'ai-verify' && c.status !== 'SKIP');
-  if (aiChecks.length > 0) {
-    lines.push('---');
-    lines.push('');
-    lines.push('## AI Verification Cost');
-    lines.push('');
-    lines.push('| Tool | Est. Cost |');
-    lines.push('|------|-----------|');
-    for (const c of aiChecks) {
-      const cost = c.id.includes('bcalc') ? '$0.15' : 
-                   c.id.includes('genius') ? '$0.65' : 
-                   c.id.includes('hints') ? '$0.10' : 'FREE';
-      lines.push(`| ${c.id} | ${cost} |`);
-    }
-    lines.push('');
-  }
-  
-  lines.push('---');
-  lines.push('');
-  lines.push('*Generated by 50c Pre-Publish Verification Tool*');
-  lines.push('*AI verification does not replace peer review*');
-  
-  return lines.join('\n');
-}
-
-/**
- * Full verification with receipt generation
- */
-async function verifyWithReceipt(profile, options = {}) {
-  const results = await verify(profile, options);
-  const receipt = generateReceipt(results, options);
-  return { ...results, receipt };
-}
-
-module.exports = { verify, verifyWithReceipt, generateReceipt, PROFILES, EMPIRICAL_CHECKS, call50cTool };
+/**
+ * 50c Pre-Publish Verification Tool
+ *
+ * Thorough checklist before publishing to:
+ * - npm (packages) — with supply chain attack detection
+ * - GitHub (releases)
+ * - arXiv (papers)
+ * - Medical journals
+ * - Scientific publications
+ *
+ * "Ask once, verify everything"
+ * "Never let a Verdant happen again"
+ */
+
+const { isPrivateIP, isValidIPv4, extractPublicIPs } = require('./ip-utils');
+
+// Severity levels for supply chain checks
+const CHECK_SEVERITY = {
+  no_hardcoded_ips: 'CRITICAL',
+  no_binary_files: 'CRITICAL',
+  no_env_leaks: 'CRITICAL',
+  no_suspicious_urls: 'HIGH',
+  no_obfuscated_code: 'HIGH',
+  no_dangerous_scripts: 'HIGH',
+  npm_diff_check: 'HIGH',
+  no_hardcoded_secrets: 'HIGH',
+  no_network_calls: 'MEDIUM',
+  no_minified_without_source: 'MEDIUM',
+  no_dynamic_requires: 'MEDIUM',
+};
+
+const SEVERITY_WEIGHTS = {
+  CRITICAL: 100,
+  HIGH: 50,
+  MEDIUM: 20,
+};
+
+// Verification profiles for different publish targets
+const PROFILES = {
+  npm: {
+    name: 'NPM Package',
+    checks: [
+      // SUPPLY CHAIN SECURITY (checked FIRST — stop-ship on failure)
+      { id: 'no_hardcoded_ips', cat: 'supply-chain', desc: 'No hardcoded public IPs in source code', empirical: true },
+      { id: 'no_suspicious_urls', cat: 'supply-chain', desc: 'No hardcoded URLs to non-standard domains', empirical: true },
+      { id: 'no_obfuscated_code', cat: 'supply-chain', desc: 'No eval/Function/Buffer.from obfuscation patterns', empirical: true },
+      { id: 'no_network_calls', cat: 'supply-chain', desc: 'No raw network calls to non-registry endpoints', empirical: true },
+      { id: 'no_dangerous_scripts', cat: 'supply-chain', desc: 'No dangerous preinstall/postinstall scripts', empirical: true },
+      { id: 'no_binary_files', cat: 'supply-chain', desc: 'No executable binary files in package', empirical: true },
+      { id: 'no_minified_without_source', cat: 'supply-chain', desc: 'No minified JS without source maps', empirical: true },
+      { id: 'no_env_leaks', cat: 'supply-chain', desc: 'No .env/credentials/key files in package', empirical: true },
+      { id: 'npm_diff_check', cat: 'supply-chain', desc: 'Diff against last published version — no injected IPs/URLs/eval', empirical: true },
+      { id: 'no_dynamic_requires', cat: 'supply-chain', desc: 'No dynamic require()/import() with variables', empirical: true },
+
+      // Existing security
+      { id: 'no_hardcoded_secrets', cat: 'security', desc: 'No hardcoded API keys/passwords/tokens', empirical: true },
+      { id: 'no_localhost', cat: 'security', desc: 'No localhost/127.0.0.1 in production code', empirical: true },
+      { id: 'deps_secure', cat: 'security', desc: 'No known vulnerabilities in dependencies', empirical: true },
+
+      // Package basics
+      { id: 'pkg_name', cat: 'metadata', desc: 'Package name valid and available', empirical: true },
+      { id: 'pkg_version', cat: 'metadata', desc: 'Version bumped from npm registry', empirical: true },
+      { id: 'pkg_desc', cat: 'metadata', desc: 'Description clear, no marketing fluff', empirical: false },
+      { id: 'pkg_keywords', cat: 'metadata', desc: 'Keywords relevant and searchable', empirical: false },
+      { id: 'pkg_license', cat: 'metadata', desc: 'LICENSE file exists and valid', empirical: true },
+      { id: 'pkg_repo', cat: 'metadata', desc: 'Repository URL valid and accessible', empirical: true },
+      { id: 'pkg_homepage', cat: 'metadata', desc: 'Homepage URL live and correct', empirical: true },
+
+      // Code quality
+      { id: 'syntax_valid', cat: 'code', desc: 'All JS/TS files pass syntax check', empirical: true },
+      { id: 'no_console_log', cat: 'code', desc: 'No debug console.log statements', empirical: true },
+      { id: 'no_todo_fixme', cat: 'code', desc: 'No unresolved TODO/FIXME comments', empirical: true },
+
+      // Documentation
+      { id: 'readme_exists', cat: 'docs', desc: 'README.md exists', empirical: true },
+      { id: 'readme_install', cat: 'docs', desc: 'Installation instructions present', empirical: true },
+      { id: 'readme_usage', cat: 'docs', desc: 'Usage examples present', empirical: true },
+      { id: 'readme_links_live', cat: 'docs', desc: 'All README links are live', empirical: true },
+      { id: 'changelog_updated', cat: 'docs', desc: 'CHANGELOG updated for this version', empirical: true },
+
+      // Build/Test
+      { id: 'tests_pass', cat: 'test', desc: 'All tests pass', empirical: true },
+      { id: 'build_clean', cat: 'test', desc: 'Build completes without warnings', empirical: true },
+      { id: 'entry_point_valid', cat: 'test', desc: 'Main/bin entry points resolve', empirical: true },
+
+      // Files
+      { id: 'files_included', cat: 'files', desc: 'Only intended files in package', empirical: true },
+      { id: 'no_env_files', cat: 'files', desc: 'No .env files included', empirical: true },
+      { id: 'no_test_files', cat: 'files', desc: 'Test files excluded from package', empirical: true },
+      { id: 'size_reasonable', cat: 'files', desc: 'Package size under 10MB', empirical: true },
+    ]
+  },
+
+  github: {
+    name: 'GitHub Release',
+    checks: [
+      { id: 'tag_format', cat: 'release', desc: 'Tag follows semver (vX.Y.Z)', empirical: true },
+      { id: 'tag_unique', cat: 'release', desc: 'Tag does not exist yet', empirical: true },
+      { id: 'branch_clean', cat: 'release', desc: 'No uncommitted changes', empirical: true },
+      { id: 'branch_pushed', cat: 'release', desc: 'All commits pushed to remote', empirical: true },
+      { id: 'ci_passing', cat: 'release', desc: 'CI/CD pipeline green', empirical: true },
+      { id: 'release_notes', cat: 'docs', desc: 'Release notes written', empirical: false },
+      { id: 'breaking_changes', cat: 'docs', desc: 'Breaking changes documented', empirical: false },
+      { id: 'migration_guide', cat: 'docs', desc: 'Migration guide if needed', empirical: false },
+      { id: 'no_secrets_in_history', cat: 'security', desc: 'No secrets in git history', empirical: true },
+      { id: 'license_file', cat: 'legal', desc: 'LICENSE file present', empirical: true },
+    ]
+  },
+
+  arxiv: {
+    name: 'arXiv Paper',
+    checks: [
+      { id: 'latex_compiles', cat: 'build', desc: 'LaTeX compiles without errors', empirical: true },
+      { id: 'no_overfull_hbox', cat: 'build', desc: 'No overfull hbox warnings', empirical: true },
+      { id: 'figures_render', cat: 'build', desc: 'All figures render correctly', empirical: true },
+      { id: 'refs_resolve', cat: 'build', desc: 'All references resolve', empirical: true },
+      { id: 'citations_complete', cat: 'build', desc: 'No [?] citation markers', empirical: true },
+      { id: 'abstract_standalone', cat: 'content', desc: 'Abstract is self-contained', empirical: false },
+      { id: 'claims_supported', cat: 'content', desc: 'All claims supported by evidence', empirical: false },
+      { id: 'math_verified_bcalc', cat: 'ai-verify', desc: 'Mathematical expressions verified (bCalc)', empirical: true },
+      { id: 'proofs_verified_genius', cat: 'ai-verify', desc: 'Proofs verified for gaps (genius+)', empirical: true },
+      { id: 'claims_validated_search', cat: 'ai-verify', desc: 'Novelty claims validated (web search)', empirical: true },
+      { id: 'no_placeholder', cat: 'content', desc: 'No TODO/FIXME placeholders', empirical: true },
+      { id: 'notation_consistent', cat: 'content', desc: 'Notation consistent throughout', empirical: false },
+      { id: 'code_available', cat: 'reproducibility', desc: 'Code/data availability stated', empirical: false },
+      { id: 'hyperparams_listed', cat: 'reproducibility', desc: 'Hyperparameters documented', empirical: false },
+      { id: 'compute_resources', cat: 'reproducibility', desc: 'Compute resources stated', empirical: false },
+      { id: 'ethics_statement', cat: 'ethics', desc: 'Ethics statement included', empirical: false },
+      { id: 'limitations', cat: 'ethics', desc: 'Limitations discussed', empirical: false },
+      { id: 'societal_impact', cat: 'ethics', desc: 'Societal impact considered', empirical: false },
+      { id: 'arxiv_format', cat: 'format', desc: 'Follows arXiv guidelines', empirical: false },
+      { id: 'page_limits', cat: 'format', desc: 'Within page limits', empirical: false },
+    ]
+  },
+
+  medical: {
+    name: 'Medical Journal',
+    checks: [
+      { id: 'irb_approval', cat: 'regulatory', desc: 'IRB/ethics approval documented', empirical: false },
+      { id: 'trial_registration', cat: 'regulatory', desc: 'Clinical trial registered', empirical: false },
+      { id: 'consort_strobe', cat: 'regulatory', desc: 'CONSORT/STROBE checklist followed', empirical: false },
+      { id: 'patient_deidentified', cat: 'regulatory', desc: 'Patient data de-identified', empirical: false },
+      { id: 'sample_size', cat: 'statistics', desc: 'Sample size justified', empirical: false },
+      { id: 'appropriate_methods', cat: 'statistics', desc: 'Statistical methods appropriate', empirical: false },
+      { id: 'confidence_intervals', cat: 'statistics', desc: 'Confidence intervals reported', empirical: false },
+      { id: 'effect_sizes', cat: 'statistics', desc: 'Effect sizes reported', empirical: false },
+      { id: 'multiple_comparisons', cat: 'statistics', desc: 'Multiple comparisons corrected', empirical: false },
+      { id: 'endpoints_defined', cat: 'clinical', desc: 'Primary/secondary endpoints defined', empirical: false },
+      { id: 'adverse_events', cat: 'clinical', desc: 'Adverse events reported', empirical: false },
+      { id: 'clinical_limitations', cat: 'clinical', desc: 'Limitations discussed', empirical: false },
+      { id: 'generalizability', cat: 'clinical', desc: 'Generalizability discussed', empirical: false },
+      { id: 'coi_disclosure', cat: 'conflicts', desc: 'Conflicts of interest disclosed', empirical: false },
+      { id: 'funding_source', cat: 'conflicts', desc: 'Funding source declared', empirical: false },
+      { id: 'author_contributions', cat: 'conflicts', desc: 'Author contributions listed', empirical: false },
+    ]
+  },
+
+  science: {
+    name: 'Scientific Publication',
+    checks: [
+      { id: 'reproducibility', cat: 'methodology', desc: 'Methods reproducible', empirical: false },
+      { id: 'controls', cat: 'methodology', desc: 'Appropriate controls', empirical: false },
+      { id: 'sample_size_sci', cat: 'methodology', desc: 'Sample size adequate', empirical: false },
+      { id: 'blinding', cat: 'methodology', desc: 'Blinding where appropriate', empirical: false },
+      { id: 'methodology_hints', cat: 'ai-verify', desc: 'Methodology review (hints+)', empirical: true },
+      { id: 'claims_validated_search', cat: 'ai-verify', desc: 'Novelty validated (web search)', empirical: true },
+      { id: 'raw_data', cat: 'data', desc: 'Raw data available', empirical: false },
+      { id: 'processing_documented', cat: 'data', desc: 'Data processing documented', empirical: false },
+      { id: 'outlier_handling', cat: 'data', desc: 'Outlier handling described', empirical: false },
+      { id: 'error_bars', cat: 'data', desc: 'Error bars included', empirical: false },
+      { id: 'claims_match', cat: 'claims', desc: 'Claims match evidence', empirical: false },
+      { id: 'alternative_explanations', cat: 'claims', desc: 'Alternative explanations considered', empirical: false },
+      { id: 'no_overclaiming', cat: 'claims', desc: 'No overclaiming', empirical: false },
+      { id: 'novelty_justified', cat: 'claims', desc: 'Novelty justified', empirical: false },
+      { id: 'figure_clarity', cat: 'figures', desc: 'Figures clear', empirical: false },
+      { id: 'axis_labels', cat: 'figures', desc: 'Axis labels present', empirical: false },
+      { id: 'legends', cat: 'figures', desc: 'Legends included', empirical: false },
+      { id: 'color_blind', cat: 'figures', desc: 'Color-blind accessible', empirical: false },
+      { id: 'no_placeholder', cat: 'content', desc: 'No placeholders', empirical: true },
+      { id: 'prior_work', cat: 'literature', desc: 'Prior work cited', empirical: false },
+      { id: 'novelty_claims', cat: 'literature', desc: 'Novelty claims accurate', empirical: false },
+    ]
+  },
+
+  math: {
+    name: 'Mathematics Paper',
+    checks: [
+      { id: 'proofs_complete', cat: 'proofs', desc: 'All proofs complete', empirical: false },
+      { id: 'math_verified_bcalc', cat: 'ai-verify', desc: 'Math verified (bCalc)', empirical: true },
+      { id: 'proofs_verified_genius', cat: 'ai-verify', desc: 'Proofs verified (genius+)', empirical: true },
+      { id: 'claims_validated_search', cat: 'ai-verify', desc: 'Novelty validated (web search)', empirical: true },
+      { id: 'edge_cases', cat: 'proofs', desc: 'Edge cases handled', empirical: false },
+      { id: 'assumptions_explicit', cat: 'proofs', desc: 'Assumptions explicit', empirical: false },
+      { id: 'terms_defined', cat: 'definitions', desc: 'All terms defined', empirical: false },
+      { id: 'notation_consistent', cat: 'definitions', desc: 'Notation consistent', empirical: false },
+      { id: 'numbering_correct', cat: 'definitions', desc: 'Theorem numbering correct', empirical: false },
+      { id: 'examples_verify', cat: 'examples', desc: 'Examples verify theorems', empirical: false },
+      { id: 'counterexamples', cat: 'examples', desc: 'Counterexamples considered', empirical: false },
+      { id: 'computational_verify', cat: 'examples', desc: 'Computational verification', empirical: false },
+      { id: 'prior_work_cited', cat: 'literature', desc: 'Prior work cited', empirical: false },
+      { id: 'novelty_claims_math', cat: 'literature', desc: 'Novelty claims accurate', empirical: false },
+      { id: 'bounds_compared', cat: 'literature', desc: 'Bounds compared to existing', empirical: false },
+      { id: 'no_placeholder', cat: 'content', desc: 'No placeholders', empirical: true },
+    ]
+  },
+};
+
+/**
+ * Load .50c-security.json allowlist from project root
+ */
+function loadAllowlist(cwd) {
+  const fs = require('fs');
+  const path = require('path');
+  const defaultAllowlist = {
+    allowedIPs: [],
+    allowedDomains: ['registry.npmjs.org', 'npmjs.com', 'npmjs.org', 'github.com', 'api.github.com', 'raw.githubusercontent.com', 'googleapis.com', 'api.50c.ai', 'beacon.50c.ai', '50c.ai', 'w3.org', 'www.w3.org', 'nodejs.org', 'localhost', 'ip-api.com'],
+    allowedScripts: [],
+    ignorePaths: ['node_modules/', '.git/'],
+  };
+
+  try {
+    const configPath = path.join(cwd, '.50c-security.json');
+    if (fs.existsSync(configPath)) {
+      const userConfig = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+      return {
+        allowedIPs: [...defaultAllowlist.allowedIPs, ...(userConfig.allowedIPs || [])],
+        allowedDomains: [...defaultAllowlist.allowedDomains, ...(userConfig.allowedDomains || [])],
+        allowedScripts: [...defaultAllowlist.allowedScripts, ...(userConfig.allowedScripts || [])],
+        ignorePaths: [...defaultAllowlist.ignorePaths, ...(userConfig.ignorePaths || [])],
+      };
+    }
+  } catch (e) {}
+  return defaultAllowlist;
+}
+
+/**
+ * Call a remote 50c tool via API
+ */
+async function call50cTool(tool, params, timeout = 60000) {
+  const fs = require('fs');
+  const path = require('path');
+
+  // Find API key
+  let apiKey = process.env.FIFTYC_API_KEY;
+  if (!apiKey) {
+    try {
+      const configPaths = [
+        path.join(process.env.HOME || process.env.USERPROFILE || '', '.verdent', 'mcp.json'),
+        path.join(process.env.HOME || process.env.USERPROFILE || '', '.50c', 'config.json'),
+      ];
+      for (const p of configPaths) {
+        if (fs.existsSync(p)) {
+          const cfg = JSON.parse(fs.readFileSync(p, 'utf8'));
+          apiKey = cfg.mcpServers?.['50c']?.env?.FIFTYC_API_KEY || cfg.apiKey;
+          if (apiKey) break;
+        }
+      }
+    } catch (e) {}
+  }
+
+  if (!apiKey) {
+    return { error: 'No 50c API key configured' };
+  }
+
+  try {
+    const res = await fetch('https://api.50c.ai/mcp', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${apiKey}`,
+      },
+      body: JSON.stringify({
+        jsonrpc: '2.0',
+        id: Date.now(),
+        method: 'tools/call',
+        params: { name: tool, arguments: params },
+      }),
+      signal: AbortSignal.timeout(timeout),
+    });
+
+    const data = await res.json();
+    return data.result?.content?.[0]?.text || data.result || data;
+  } catch (e) {
+    return { error: e.message };
+  }
+}
+
+// ==========================================
+// EMPIRICAL CHECK IMPLEMENTATIONS
+// ==========================================
+const EMPIRICAL_CHECKS = {
+
+  // ====== SUPPLY CHAIN CHECKS (NEW) ======
+
+  /**
+   * #1 CRITICAL: Detect hardcoded public IPs — the exact Verdant attack vector
+   * Scans all .js/.ts/.json files for routable public IP addresses
+   */
+  async no_hardcoded_ips(ctx) {
+    const fs = require('fs');
+    const path = require('path');
+    const allowlist = ctx.allowlist || loadAllowlist(ctx.cwd);
+    const findings = [];
+
+    const sourceFiles = ctx.files.filter(f => /\.(js|ts|mjs|cjs|json)$/.test(f));
+
+    for (const file of sourceFiles.slice(0, 50)) {
+      const basename = path.basename(file);
+      // Skip self, lock files, and test fixtures
+      if (basename === 'pre-publish.js' || basename === 'ip-utils.js' ||
+          basename === 'backdoor-checker.js' || basename === 'package-lock.json' ||
+          file.includes('__test') || file.includes('.test.') || file.includes('.spec.')) continue;
+
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        const lines = content.split('\n');
+
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Skip comments
+          if (line.trim().startsWith('//') || line.trim().startsWith('*') || line.trim().startsWith('/*')) continue;
+
+          const publicIPs = extractPublicIPs(line);
+          for (const ip of publicIPs) {
+            if (!allowlist.allowedIPs.includes(ip)) {
+              findings.push(`${path.basename(file)}:${i + 1} → ${ip}`);
+            }
+          }
+        }
+      } catch (e) {}
+    }
+
+    return findings.length === 0
+      ? { pass: true, msg: 'No hardcoded public IPs found' }
+      : { pass: false, msg: `[CRITICAL] Public IPs found: ${findings.slice(0, 5).join('; ')}` };
+  },
+
+  /**
+   * #2 HIGH: Detect hardcoded URLs to non-standard domains
+   */
+  async no_suspicious_urls(ctx) {
+    const fs = require('fs');
+    const path = require('path');
+    const allowlist = ctx.allowlist || loadAllowlist(ctx.cwd);
+    const findings = [];
+
+    const urlPattern = /https?:\/\/([a-zA-Z0-9.-]+)/g;
+    const sourceFiles = ctx.files.filter(f => /\.(js|ts|mjs|cjs)$/.test(f));
+
+    for (const file of sourceFiles.slice(0, 50)) {
+      const basename = path.basename(file);
+      if (basename === 'pre-publish.js' || basename === 'backdoor-checker.js' ||
+          file.includes('__test') || file.includes('.test.') || file.includes('.spec.') ||
+          file.includes('README')) continue;
+
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        const lines = content.split('\n');
+
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//') || line.trim().startsWith('*')) continue;
+
+          let match;
+          urlPattern.lastIndex = 0;
+          while ((match = urlPattern.exec(line)) !== null) {
+            const domain = match[1].toLowerCase();
+            const isDomainAllowed = allowlist.allowedDomains.some(d =>
+              domain === d || domain.endsWith('.' + d)
+            );
+            if (!isDomainAllowed) {
+              // Check if it's an IP-based URL (already caught by no_hardcoded_ips)
+              if (!isValidIPv4(domain)) {
+                findings.push(`${path.basename(file)}:${i + 1} → ${domain}`);
+              }
+            }
+          }
+        }
+      } catch (e) {}
+    }
+
+    // Deduplicate by domain
+    const uniqueDomains = [...new Set(findings.map(f => f.split(' → ')[1]))];
+
+    return uniqueDomains.length === 0
+      ? { pass: true, msg: 'No suspicious URLs found' }
+      : { pass: false, msg: `Non-standard domains: ${uniqueDomains.slice(0, 5).join(', ')}` };
+  },
+
+  /**
+   * #3 HIGH: Detect obfuscated code patterns
+   */
+  async no_obfuscated_code(ctx) {
+    const fs = require('fs');
+    const path = require('path');
+    const findings = [];
+
+    const patterns = [
+      { re: /\beval\s*\(/, name: 'eval()' },
+      { re: /\bnew\s+Function\s*\(/, name: 'new Function()' },
+      { re: /Buffer\.from\s*\([^)]*,\s*['"]base64['"]/, name: 'Buffer.from(base64)' },
+      { re: /\batob\s*\(/, name: 'atob()' },
+      { re: /\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}/i, name: 'hex escape sequences' },
+      { re: /String\.fromCharCode\s*\(\s*\d+\s*(,\s*\d+\s*){5,}/, name: 'String.fromCharCode (many chars)' },
+      { re: /\['\\x[0-9a-f]+'\]/, name: 'hex property access' },
+    ];
+
+    const sourceFiles = ctx.files.filter(f => /\.(js|ts|mjs|cjs)$/.test(f));
+
+    for (const file of sourceFiles.slice(0, 50)) {
+      const basename = path.basename(file);
+      if (file.includes('__test') || file.includes('.test.') || file.includes('.spec.') || basename === 'pre-publish.js') continue;
+
+      // Higher threshold for minified files
+      const isMinified = basename.includes('.min.');
+      const hasSourceMap = ctx.files.some(f => f === file + '.map' || f === file.replace(/\.js$/, '.js.map'));
+      if (isMinified && hasSourceMap) continue; // minified with source map = OK
+
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        let score = 0;
+        const fileFindings = [];
+
+        for (const { re, name } of patterns) {
+          if (re.test(content)) {
+            score += 20;
+            fileFindings.push(name);
+          }
+        }
+
+        const threshold = isMinified ? 60 : 40;
+        if (score >= threshold) {
+          findings.push(`${basename}: ${fileFindings.join(', ')}`);
+        }
+      } catch (e) {}
+    }
+
+    return findings.length === 0
+      ? { pass: true, msg: 'No obfuscated code patterns detected' }
+      : { pass: false, msg: `Obfuscation detected: ${findings.slice(0, 3).join('; ')}` };
+  },
+
+  /**
+   * #4 MEDIUM: Detect raw network calls to non-registry endpoints
+   */
+  async no_network_calls(ctx) {
+    const fs = require('fs');
+    const path = require('path');
+    const allowlist = ctx.allowlist || loadAllowlist(ctx.cwd);
+    const findings = [];
+
+    // Patterns for direct network access
+    const netPatterns = [
+      /require\s*\(\s*['"]https?['"]\s*\)/,
+      /require\s*\(\s*['"]net['"]\s*\)/,
+      /require\s*\(\s*['"]dgram['"]\s*\)/,
+      /\.request\s*\(\s*['"]https?:\/\//,
+      /\.get\s*\(\s*['"]https?:\/\//,
+      /fetch\s*\(\s*['"]https?:\/\//,
+      /axios\s*[.(]/,
+      /\.createConnection\s*\(/,
+      /\.createServer\s*\(/,
+      /new\s+WebSocket\s*\(/,
+    ];
+
+    const sourceFiles = ctx.files.filter(f => /\.(js|ts|mjs|cjs)$/.test(f));
+
+    for (const file of sourceFiles.slice(0, 50)) {
+      const basename = path.basename(file);
+      if (basename === 'pre-publish.js' || basename === 'backdoor-checker.js' ||
+          basename === 'subagent.js' || basename === '50c.js' ||
+          basename === 'invent-ui.js' || basename === 'mcp-tv.js' ||
+          basename === 'team.js' || basename === 'tools-registry.js' ||
+          file.includes('__test') || file.includes('.test.')) continue;
+
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+
+        for (const pattern of netPatterns) {
+          if (pattern.test(content)) {
+            // Check if the URL targets an allowed domain
+            const urlMatch = content.match(/https?:\/\/([a-zA-Z0-9.-]+)/);
+            if (urlMatch) {
+              const domain = urlMatch[1].toLowerCase();
+              const isDomainAllowed = allowlist.allowedDomains.some(d =>
+                domain === d || domain.endsWith('.' + d)
+              );
+              if (isDomainAllowed) continue;
+            }
+            findings.push(`${basename}: network access pattern`);
+            break;
+          }
+        }
+      } catch (e) {}
+    }
+
+    return findings.length === 0
+      ? { pass: true, msg: 'No suspicious network calls' }
+      : { pass: false, msg: `Network calls found: ${findings.slice(0, 5).join('; ')}` };
+  },
+
+  /**
+   * #5 HIGH: Detect dangerous install scripts in package.json
+   */
+  async no_dangerous_scripts(ctx) {
+    const pkg = ctx.packageJson;
+    if (!pkg) return { pass: null, msg: 'No package.json' };
+
+    const allowlist = ctx.allowlist || loadAllowlist(ctx.cwd);
+    const dangerousHooks = ['preinstall', 'postinstall', 'preuninstall', 'postuninstall'];
+    const dangerousPatterns = [
+      /curl\s/i, /wget\s/i, /powershell/i, /cmd\s*\/c/i,
+      /\|\s*sh\b/i, /\|\s*bash\b/i, /exec\s*\(/i,
+      /rm\s+-rf/i, /del\s+\/f/i, /base64/i,
+      /eval/i, />\s*\/dev\/null/i,
+    ];
+
+    const findings = [];
+    const scripts = pkg.scripts || {};
+
+    for (const hook of dangerousHooks) {
+      const cmd = scripts[hook];
+      if (!cmd) continue;
+
+      // Check against allowlist
+      if (allowlist.allowedScripts.includes(`${hook}: ${cmd}`)) continue;
+
+      // Check for dangerous patterns
+      const isDangerous = dangerousPatterns.some(p => p.test(cmd));
+      if (isDangerous) {
+        findings.push(`${hook}: "${cmd.substring(0, 60)}"`);
+      } else if (cmd.includes('node ') || cmd.includes('npx ')) {
+        // node/npx scripts are usually OK but flag if they download
+        if (/http|fetch|request|download/i.test(cmd)) {
+          findings.push(`${hook}: "${cmd.substring(0, 60)}" (downloads)`)
+        }
+      }
+    }
+
+    return findings.length === 0
+      ? { pass: true, msg: 'No dangerous install scripts' }
+      : { pass: false, msg: `Dangerous scripts: ${findings.join('; ')}` };
+  },
+
+  /**
+   * #6 CRITICAL: Detect binary/executable files in package
+   */
+  async no_binary_files(ctx) {
+    const path = require('path');
+    const binaryExts = ['.exe', '.dll', '.so', '.dylib', '.bin', '.com', '.bat', '.cmd', '.ps1', '.vbs', '.scr', '.msi', '.dmg', '.app'];
+    const findings = [];
+
+    for (const file of ctx.files) {
+      const ext = path.extname(file).toLowerCase();
+      if (binaryExts.includes(ext)) {
+        findings.push(path.basename(file));
+      }
+    }
+
+    return findings.length === 0
+      ? { pass: true, msg: 'No binary/executable files' }
+      : { pass: false, msg: `[CRITICAL] Binaries found: ${findings.join(', ')}` };
+  },
+
+  /**
+   * #7 MEDIUM: Detect minified JS without source maps
+   */
+  async no_minified_without_source(ctx) {
+    const path = require('path');
+    const findings = [];
+
+    const minFiles = ctx.files.filter(f => f.includes('.min.js') || f.includes('.min.mjs'));
+
+    for (const file of minFiles) {
+      const mapFile = file + '.map';
+      const altMapFile = file.replace(/\.min\.(m?js)$/, '.$1.map');
+      const hasMap = ctx.files.includes(mapFile) || ctx.files.includes(altMapFile);
+      const hasSource = ctx.files.includes(file.replace('.min.', '.'));
+
+      if (!hasMap && !hasSource) {
+        findings.push(path.basename(file));
+      }
+    }
+
+    return findings.length === 0
+      ? { pass: true, msg: minFiles.length > 0 ? `${minFiles.length} minified files have sources` : 'No minified files' }
+      : { pass: false, msg: `Minified without source: ${findings.join(', ')}` };
+  },
+
+  /**
+   * #8 CRITICAL: Detect leaked credential/env files
+   */
+  async no_env_leaks(ctx) {
+    const path = require('path');
+    const dangerousFiles = [
+      '.env', '.env.local', '.env.production', '.env.staging', '.env.development',
+      'credentials.json', 'service-account.json', 'gcloud-key.json',
+      'id_rsa', 'id_ed25519', 'id_dsa', '.pem', '.key', '.pfx', '.p12',
+      '.htpasswd', '.netrc', '.npmrc', '.pypirc',
+    ];
+    const findings = [];
+
+    for (const file of ctx.files) {
+      const basename = path.basename(file).toLowerCase();
+      const ext = path.extname(file).toLowerCase();
+
+      if (dangerousFiles.includes(basename) || dangerousFiles.includes(ext)) {
+        findings.push(path.basename(file));
+      }
+    }
+
+    return findings.length === 0
+      ? { pass: true, msg: 'No credential/env file leaks' }
+      : { pass: false, msg: `[CRITICAL] Sensitive files: ${findings.join(', ')}` };
+  },
+
+  /**
+   * #9 HIGH: Diff against last published npm version — detect injected code
+   */
+  async npm_diff_check(ctx) {
+    const { execSync } = require('child_process');
+    const fs = require('fs');
+    const path = require('path');
+    const os = require('os');
+
+    const pkg = ctx.packageJson;
+    if (!pkg || !pkg.name) return { pass: null, msg: 'No package.json or name' };
+
+    try {
+      // Check if package exists on npm
+      const res = await fetch(`https://registry.npmjs.org/${pkg.name}/latest`);
+      if (res.status === 404) return { pass: true, msg: 'New package — no previous version to diff' };
+
+      const npmData = await res.json();
+      const tarballUrl = npmData.dist?.tarball;
+      if (!tarballUrl) return { pass: null, msg: 'Could not find tarball URL' };
+
+      // Download and extract to temp dir
+      const tmpDir = path.join(os.tmpdir(), `50c-diff-${Date.now()}`);
+      fs.mkdirSync(tmpDir, { recursive: true });
+
+      try {
+        // Download tarball
+        const tarball = path.join(tmpDir, 'pkg.tgz');
+        execSync(`node -e "const https=require('https');const fs=require('fs');const f=fs.createWriteStream('${tarball.replace(/\\/g, '\\\\')}');https.get('${tarballUrl}',(r)=>{r.pipe(f);f.on('finish',()=>{f.close();process.exit(0)})})"`,
+          { cwd: tmpDir, timeout: 30000, stdio: 'pipe' });
+
+        // Extract
+        execSync(`tar -xzf pkg.tgz 2>/dev/null || node -e "require('child_process').execSync('tar -xzf pkg.tgz',{cwd:'${tmpDir.replace(/\\/g, '\\\\')}'})"`,
+          { cwd: tmpDir, timeout: 15000, stdio: 'pipe' });
+
+        // Compare JS files — look for newly added IPs, URLs, eval, obfuscation
+        const pubDir = path.join(tmpDir, 'package');
+        if (!fs.existsSync(pubDir)) return { pass: null, msg: 'Could not extract published package' };
+
+        const suspiciousAdditions = [];
+        const localFiles = ctx.files.filter(f => /\.(js|ts|mjs|cjs)$/.test(f));
+
+        for (const localFile of localFiles.slice(0, 30)) {
+          const relativePath = path.relative(ctx.cwd, localFile);
+          const pubFile = path.join(pubDir, relativePath);
+
+          if (!fs.existsSync(pubFile)) continue; // New file, can't diff
+          if (path.basename(localFile) === 'pre-publish.js' || path.basename(localFile) === 'backdoor-checker.js') continue; // Skip security tool diffs
+
+          try {
+            const localContent = fs.readFileSync(localFile, 'utf8');
+            const pubContent = fs.readFileSync(pubFile, 'utf8');
+
+            if (localContent === pubContent) continue; // No changes
+
+            // Find added lines
+            const localLines = new Set(localContent.split('\n'));
+            const pubLines = new Set(pubContent.split('\n'));
+            const addedLines = [...localLines].filter(l => !pubLines.has(l));
+
+            // Scan added lines for suspicious patterns
+            for (const line of addedLines) {
+              // Skip regex definitions, pattern strings, and comments
+              const trimmed = line.trim();
+              if (trimmed.startsWith('//') || trimmed.startsWith('*') ||
+                  trimmed.startsWith('{ re:') || /^\s*\/.*\/[gimsuy]*,?\s*$/.test(trimmed) ||
+                  /pattern|regex|re:\s*\//.test(trimmed)) continue;
+
+              const ips = extractPublicIPs(line);
+              if (ips.length > 0) {
+                suspiciousAdditions.push(`${relativePath}: added IP ${ips[0]}`);
+              }
+              if (/\beval\s*\(/.test(line)) {
+                suspiciousAdditions.push(`${relativePath}: added eval()`);
+              }
+              if (/Buffer\.from\s*\([^)]*base64/.test(line)) {
+                suspiciousAdditions.push(`${relativePath}: added base64 decode`);
+              }
+            }
+          } catch (e) {}
+        }
+
+        // Cleanup
+        try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch (e) {}
+
+        return suspiciousAdditions.length === 0
+          ? { pass: true, msg: `Diffed against ${npmData.version} — no suspicious additions` }
+          : { pass: false, msg: `Suspicious additions vs ${npmData.version}: ${suspiciousAdditions.slice(0, 3).join('; ')}` };
+
+      } catch (innerErr) {
+        try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch (e) {}
+        return { pass: null, msg: `Diff failed: ${innerErr.message.substring(0, 60)}` };
+      }
+    } catch (e) {
+      return { pass: null, msg: `npm diff check failed: ${e.message.substring(0, 60)}` };
+    }
+  },
+
+  /**
+   * #10 MEDIUM: Detect dynamic require/import with variables
+   */
+  async no_dynamic_requires(ctx) {
+    const fs = require('fs');
+    const path = require('path');
+    const findings = [];
+
+    const patterns = [
+      { re: /require\s*\(\s*[^'")\s]/, name: 'dynamic require()' },  // require(variable)
+      { re: /import\s*\(\s*[^'")\s]/, name: 'dynamic import()' },    // import(variable)
+      { re: /require\s*\(\s*__dirname\s*\+/, name: 'require(__dirname + ...)' },
+      { re: /require\s*\(\s*process\./, name: 'require(process.*)' },
+    ];
+
+    const sourceFiles = ctx.files.filter(f => /\.(js|ts|mjs|cjs)$/.test(f));
+
+    for (const file of sourceFiles.slice(0, 50)) {
+      const basename = path.basename(file);
+      if (file.includes('__test') || file.includes('.test.') || file.includes('.spec.') || basename === 'pre-publish.js') continue;
+      // These files legitimately use dynamic requires
+      if (basename === 'pre-publish.js' || basename === '50c.js') continue;
+
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        const lines = content.split('\n');
+
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//') || line.trim().startsWith('*')) continue;
+
+          for (const { re, name } of patterns) {
+            if (re.test(line)) {
+              // Allow require('./relative-path') — only flag truly dynamic
+              const requireMatch = line.match(/require\s*\(\s*([^)]+)\)/);
+              if (requireMatch) {
+                const arg = requireMatch[1].trim();
+                // Static string literal = OK
+                if (/^['"]/.test(arg) && /['"]$/.test(arg)) continue;
+                // Template literal with only __dirname = OK
+                if (arg.startsWith('`') && arg.includes('__dirname') && !arg.includes('${')) continue;
+              }
+              findings.push(`${basename}:${i + 1} → ${name}`);
+              break;
+            }
+          }
+        }
+      } catch (e) {}
+    }
+
+    return findings.length === 0
+      ? { pass: true, msg: 'No dynamic requires/imports' }
+      : { pass: false, msg: `Dynamic requires: ${findings.slice(0, 3).join('; ')}` };
+  },
+
+  // ====== EXISTING CHECKS (FIXED) ======
+
+  async pkg_version(ctx) {
+    const pkg = ctx.packageJson;
+    if (!pkg) return { pass: false, msg: 'No package.json found' };
+
+    try {
+      const res = await fetch(`https://registry.npmjs.org/${pkg.name}/latest`);
+      if (res.status === 404) return { pass: true, msg: 'New package (not on npm yet)' };
+      const data = await res.json();
+      const npmVersion = data.version;
+      const localVersion = pkg.version;
+
+      if (localVersion === npmVersion) {
+        return { pass: false, msg: `Version ${localVersion} already published. Bump required.` };
+      }
+
+      const [lMaj, lMin, lPatch] = localVersion.split('.').map(Number);
+      const [nMaj, nMin, nPatch] = npmVersion.split('.').map(Number);
+
+      if (lMaj > nMaj || (lMaj === nMaj && lMin > nMin) || (lMaj === nMaj && lMin === nMin && lPatch > nPatch)) {
+        return { pass: true, msg: `${localVersion} > ${npmVersion} (npm)` };
+      }
+
+      return { pass: false, msg: `Local ${localVersion} <= npm ${npmVersion}` };
+    } catch (e) {
+      return { pass: false, msg: `npm check failed: ${e.message}` };
+    }
+  },
+
+  async pkg_homepage(ctx) {
+    const url = ctx.packageJson?.homepage;
+    if (!url) return { pass: false, msg: 'No homepage in package.json' };
+
+    try {
+      const res = await fetch(url, { method: 'HEAD' });
+      return res.ok
+        ? { pass: true, msg: `${url} is live` }
+        : { pass: false, msg: `${url} returned ${res.status}` };
+    } catch (e) {
+      return { pass: false, msg: `${url} unreachable: ${e.message}` };
+    }
+  },
+
+  async pkg_repo(ctx) {
+    const repo = ctx.packageJson?.repository?.url || ctx.packageJson?.repository;
+    if (!repo) return { pass: null, msg: 'No repository URL (optional)' };
+
+    let checkUrl = String(repo).replace(/^git\+/, '').replace(/\.git$/, '');
+    if (checkUrl.startsWith('git://')) {
+      checkUrl = checkUrl.replace('git://', 'https://');
+    }
+
+    try {
+      const res = await fetch(checkUrl, { method: 'HEAD' });
+      return res.ok
+        ? { pass: true, msg: `${checkUrl} accessible` }
+        : { pass: false, msg: `${checkUrl} returned ${res.status}` };
+    } catch (e) {
+      return { pass: false, msg: `${checkUrl} unreachable` };
+    }
+  },
+
+  async syntax_valid(ctx) {
+    const { execSync } = require('child_process');
+    const jsFiles = ctx.files.filter(f => f.endsWith('.js') || f.endsWith('.mjs'));
+    const errors = [];
+
+    for (const file of jsFiles.slice(0, 20)) {
+      try {
+        execSync(`node -c "${file}"`, { stdio: 'pipe', cwd: ctx.cwd });
+      } catch (e) {
+        errors.push(file);
+      }
+    }
+
+    return errors.length === 0
+      ? { pass: true, msg: `${jsFiles.length} JS files valid` }
+      : { pass: false, msg: `Syntax errors in: ${errors.join(', ')}` };
+  },
+
+  /**
+   * FIXED: Cross-platform — uses Node.js fs instead of Windows-only findstr
+   */
+  async no_hardcoded_secrets(ctx) {
+    const fs = require('fs');
+    const path = require('path');
+
+    const patterns = [
+      /api[_-]?key\s*[=:]\s*["'][a-zA-Z0-9]{20,}/i,
+      /password\s*[=:]\s*["'][^"']{8,}/i,
+      /secret\s*[=:]\s*["'][a-zA-Z0-9]{20,}/i,
+      /\btoken\s*[=:]\s*["'][a-zA-Z0-9]{20,}/i,
+      /AWS[_-]?ACCESS[_-]?KEY/,
+      /PRIVATE[_-]?KEY/,
+      /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY/,
+      /ghp_[a-zA-Z0-9]{36}/,  // GitHub personal access token
+      /sk-[a-zA-Z0-9]{20,}/,   // OpenAI/Stripe secret key
+    ];
+
+    const findings = [];
+    const sourceFiles = ctx.files.filter(f => /\.(js|ts|mjs|cjs|json)$/.test(f));
+
+    for (const file of sourceFiles.slice(0, 50)) {
+      const basename = path.basename(file);
+      if (basename === 'package-lock.json' || basename === 'pre-publish.js') continue;
+
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        const lines = content.split('\n');
+
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//') || line.trim().startsWith('*')) continue;
+
+          for (const pattern of patterns) {
+            if (pattern.test(line)) {
+              // Don't flag environment variable reads or pattern definitions
+              if (/process\.env|regex|pattern|example|test|mock/i.test(line)) continue;
+              findings.push(`${basename}:${i + 1}`);
+              break;
+            }
+          }
+        }
+      } catch (e) {}
+    }
+
+    return findings.length === 0
+      ? { pass: true, msg: 'No hardcoded secrets detected' }
+      : { pass: false, msg: `Potential secrets: ${findings.slice(0, 5).join(', ')}` };
+  },
+
+  async readme_links_live(ctx) {
+    const fs = require('fs');
+    const readmePath = ctx.files.find(f => f.toLowerCase().endsWith('readme.md'));
+    if (!readmePath) return { pass: false, msg: 'No README.md' };
+
+    const content = fs.readFileSync(readmePath, 'utf8');
+    const urlPattern = /https?:\/\/[^\s\)\"\']+/g;
+    const urls = [...new Set(content.match(urlPattern) || [])];
+
+    const deadLinks = [];
+    for (const url of urls.slice(0, 10)) {
+      try {
+        const res = await fetch(url, { method: 'HEAD', signal: AbortSignal.timeout(5000) });
+        if (!res.ok) deadLinks.push(url);
+      } catch (e) {
+        deadLinks.push(url);
+      }
+    }
+
+    return deadLinks.length === 0
+      ? { pass: true, msg: `${urls.length} links verified` }
+      : { pass: false, msg: `Dead links: ${deadLinks.join(', ')}` };
+  },
+
+  async no_localhost(ctx) {
+    const fs = require('fs');
+    const path = require('path');
+    const findings = [];
+
+    for (const file of ctx.files.filter(f => /\.(js|ts|json)$/.test(f)).slice(0, 30)) {
+      if (path.basename(file) === 'pre-publish.js') continue;
+      if (path.basename(file) === 'backdoor-checker.js') continue;
+
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        if (/localhost|127\.0\.0\.1|0\.0\.0\.0/.test(content)) {
+          const lines = content.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (/localhost|127\.0\.0\.1/.test(line) && !line.trim().startsWith('//') && !line.includes('||') && !line.includes('regex') && !line.includes('pattern')) {
+              findings.push(`${path.basename(file)}:${i+1}`);
+              break;
+            }
+          }
+        }
+      } catch (e) {}
+    }
+
+    return findings.length === 0
+      ? { pass: true, msg: 'No localhost references' }
+      : { pass: false, msg: `localhost found: ${findings.slice(0,3).join(', ')}` };
+  },
+
+  async size_reasonable(ctx) {
+    const { execSync } = require('child_process');
+    try {
+      const result = execSync('npm pack --dry-run 2>&1', { cwd: ctx.cwd, encoding: 'utf8' });
+      const sizeMatch = result.match(/total files.*?(\d+(?:\.\d+)?)\s*(kB|MB|B)/i);
+      if (sizeMatch) {
+        let sizeKB = parseFloat(sizeMatch[1]);
+        if (sizeMatch[2].toLowerCase() === 'mb') sizeKB *= 1024;
+        if (sizeMatch[2].toLowerCase() === 'b') sizeKB /= 1024;
+
+        return sizeKB < 10240
+          ? { pass: true, msg: `Package size: ${sizeKB.toFixed(1)} KB` }
+          : { pass: false, msg: `Package too large: ${sizeKB.toFixed(1)} KB (limit 10MB)` };
+      }
+    } catch (e) {}
+    return { pass: null, msg: 'Could not determine package size' };
+  },
+
+  // ====== ACADEMIC/AI CHECKS (unchanged) ======
+
+  async latex_compiles(ctx) {
+    const { execSync } = require('child_process');
+    const texFile = ctx.files.find(f => f.endsWith('.tex') && !f.includes('preamble'));
+    if (!texFile) return { pass: false, msg: 'No .tex file found' };
+
+    try {
+      execSync(`pdflatex -interaction=nonstopmode "${texFile}"`, { cwd: ctx.cwd, stdio: 'pipe' });
+      return { pass: true, msg: 'LaTeX compiles' };
+    } catch (e) {
+      return { pass: false, msg: 'LaTeX compilation failed' };
+    }
+  },
+
+  async no_placeholder(ctx) {
+    const fs = require('fs');
+    const findings = [];
+    const patterns = /\b(TODO|FIXME|XXX|TBD|PLACEHOLDER)\b/gi;
+
+    for (const file of ctx.files.slice(0, 50)) {
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        const matches = content.match(patterns);
+        if (matches) {
+          findings.push(`${file}: ${matches.length} placeholders`);
+        }
+      } catch (e) {}
+    }
+
+    return findings.length === 0
+      ? { pass: true, msg: 'No placeholders found' }
+      : { pass: false, msg: findings.slice(0, 3).join('; ') };
+  },
+
+  async math_verified_bcalc(ctx) {
+    const fs = require('fs');
+    const texFiles = ctx.files.filter(f => f.endsWith('.tex'));
+    if (texFiles.length === 0) return { pass: null, msg: 'No .tex files' };
+
+    const content = fs.readFileSync(texFiles[0], 'utf8');
+    const equations = content.match(/\$\$[^$]+\$\$/g) || [];
+    const claims = content.match(/\\begin\{theorem\}[\s\S]*?\\end\{theorem\}/g) || [];
+
+    if (equations.length === 0 && claims.length === 0) {
+      return { pass: null, msg: 'No equations/theorems found to verify' };
+    }
+
+    const sample = claims[0] || equations[0];
+    const cleanSample = sample.replace(/\\[a-z]+\{[^}]*\}/g, '').substring(0, 500);
+
+    try {
+      const result = await call50cTool('bcalc', { expression: cleanSample, mode: 'verify' }, 30000);
+
+      if (result.error) return { pass: null, msg: `bCalc unavailable: ${result.error}` };
+
+      const resultStr = typeof result === 'string' ? result : JSON.stringify(result);
+      const hasIssues = /error|invalid|incorrect|false/i.test(resultStr);
+
+      return hasIssues
+        ? { pass: false, msg: `bCalc found issues: ${resultStr.substring(0, 100)}` }
+        : { pass: true, msg: 'bCalc verified mathematical expressions' };
+    } catch (e) {
+      return { pass: null, msg: `bCalc check failed: ${e.message}` };
+    }
+  },
+
+  async proofs_verified_genius(ctx) {
+    const fs = require('fs');
+    const texFiles = ctx.files.filter(f => f.endsWith('.tex'));
+    if (texFiles.length === 0) return { pass: null, msg: 'No .tex files' };
+
+    const content = fs.readFileSync(texFiles[0], 'utf8');
+    const proofs = content.match(/\\begin\{proof\}[\s\S]*?\\end\{proof\}/g) || [];
+    if (proofs.length === 0) return { pass: null, msg: 'No formal proofs found' };
+
+    const abstractMatch = content.match(/\\begin\{abstract\}([\s\S]*?)\\end\{abstract\}/);
+    const abstract = abstractMatch ? abstractMatch[1] : '';
+    const firstProof = proofs[0].substring(0, 1000);
+
+    try {
+      const result = await call50cTool('genius_plus', {
+        problem: `Verify this mathematical proof for logical gaps, unstated assumptions, or errors:\n\nContext: ${abstract.substring(0, 300)}\n\nProof:\n${firstProof}`
+      }, 90000);
+
+      if (result.error) return { pass: null, msg: `genius+ unavailable: ${result.error}` };
+
+      const resultStr = typeof result === 'string' ? result : JSON.stringify(result);
+      const redFlags = /gap|flaw|error|incorrect|missing|invalid|contradiction/i.test(resultStr);
+
+      return redFlags
+        ? { pass: false, msg: `genius+ found issues: ${resultStr.substring(0, 150)}...` }
+        : { pass: true, msg: 'genius+ verified proof structure' };
+    } catch (e) {
+      return { pass: null, msg: `genius+ check failed: ${e.message}` };
+    }
+  },
+
+  async claims_validated_search(ctx) {
+    const fs = require('fs');
+    const texFiles = ctx.files.filter(f => f.endsWith('.tex'));
+    if (texFiles.length === 0) return { pass: null, msg: 'No .tex files' };
+
+    const content = fs.readFileSync(texFiles[0], 'utf8');
+    const titleMatch = content.match(/\\title\{([^}]+)\}/);
+    const title = titleMatch ? titleMatch[1] : '';
+
+    const noveltyPatterns = /first|novel|new|unprecedented|breakthrough|improve|better than/gi;
+    const hasNoveltyClaims = noveltyPatterns.test(content);
+
+    if (!hasNoveltyClaims || !title) return { pass: null, msg: 'No novelty claims to validate' };
+
+    try {
+      const result = await call50cTool('web_search', {
+        query: title.replace(/[\\{}]/g, ' ').trim(),
+        max_results: 5
+      }, 30000);
+
+      if (result.error) return { pass: null, msg: `web_search unavailable: ${result.error}` };
+
+      const resultStr = typeof result === 'string' ? result : JSON.stringify(result);
+      const duplicateSignals = /already|published|existing|prior art|known result/i.test(resultStr);
+
+      return duplicateSignals
+        ? { pass: false, msg: `Potential prior work found - verify novelty: ${resultStr.substring(0, 100)}` }
+        : { pass: true, msg: 'No obvious conflicting prior work found' };
+    } catch (e) {
+      return { pass: null, msg: `Search check failed: ${e.message}` };
+    }
+  },
+
+  async methodology_hints(ctx) {
+    const fs = require('fs');
+    const files = ctx.files.filter(f => /\.(tex|md|txt)$/.test(f));
+    if (files.length === 0) return { pass: null, msg: 'No text files' };
+
+    const content = fs.readFileSync(files[0], 'utf8').substring(0, 2000);
+    const methodsMatch = content.match(/method|experiment|procedure|approach/i);
+    if (!methodsMatch) return { pass: null, msg: 'No methods section detected' };
+
+    try {
+      const result = await call50cTool('hints_plus', {
+        query: `Evaluate scientific methodology for weaknesses: ${content.substring(0, 1000)}`
+      }, 30000);
+
+      if (result.error) return { pass: null, msg: `hints+ unavailable: ${result.error}` };
+
+      return {
+        pass: null,
+        msg: `hints+: ${typeof result === 'string' ? result.substring(0, 200) : JSON.stringify(result).substring(0, 200)}`
+      };
+    } catch (e) {
+      return { pass: null, msg: `hints+ check failed: ${e.message}` };
+    }
+  },
+};
+
+/**
+ * Main verification function
+ */
+async function verify(profile, options = {}) {
+  const config = PROFILES[profile];
+  if (!config) {
+    return { error: `Unknown profile: ${profile}. Available: ${Object.keys(PROFILES).join(', ')}` };
+  }
+
+  const fs = require('fs');
+  const path = require('path');
+  const cwd = options.cwd || process.cwd();
+
+  // Build context
+  const ctx = {
+    cwd,
+    profile,
+    files: [],
+    packageJson: null,
+    allowlist: loadAllowlist(cwd),
+  };
+
+  // Gather files
+  try {
+    const walk = (dir, depth = 0) => {
+      if (depth > 3) return;
+      const items = fs.readdirSync(dir);
+      for (const item of items) {
+        if (item.startsWith('.') || item === 'node_modules') continue;
+        const full = path.join(dir, item);
+        const stat = fs.statSync(full);
+        if (stat.isDirectory()) {
+          walk(full, depth + 1);
+        } else {
+          ctx.files.push(full);
+        }
+      }
+    };
+    walk(cwd);
+  } catch (e) {}
+
+  // Load package.json if exists
+  try {
+    const pkgPath = path.join(cwd, 'package.json');
+    if (fs.existsSync(pkgPath)) {
+      ctx.packageJson = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+    }
+  } catch (e) {}
+
+  // Run checks
+  const results = {
+    profile: config.name,
+    timestamp: new Date().toISOString(),
+    summary: { pass: 0, fail: 0, skip: 0, manual: 0, critical: 0, high: 0, medium: 0 },
+    checks: [],
+    ready: false,
+    blocked: false,
+  };
+
+  for (const check of config.checks) {
+    const result = { ...check, status: null, msg: '', severity: CHECK_SEVERITY[check.id] || null };
+
+    if (check.empirical && EMPIRICAL_CHECKS[check.id]) {
+      try {
+        const r = await EMPIRICAL_CHECKS[check.id](ctx);
+        result.status = r.pass ? 'PASS' : (r.pass === false ? 'FAIL' : 'SKIP');
+        result.msg = r.msg;
+      } catch (e) {
+        result.status = 'SKIP';
+        result.msg = `Error: ${e.message}`;
+      }
+    } else if (check.empirical) {
+      result.status = 'SKIP';
+      result.msg = 'Check not implemented';
+    } else {
+      result.status = 'MANUAL';
+      result.msg = 'Requires manual review';
+    }
+
+    results.checks.push(result);
+
+    if (result.status === 'PASS') results.summary.pass++;
+    else if (result.status === 'FAIL') {
+      results.summary.fail++;
+      // Track severity of failures
+      if (result.severity === 'CRITICAL') results.summary.critical++;
+      else if (result.severity === 'HIGH') results.summary.high++;
+      else if (result.severity === 'MEDIUM') results.summary.medium++;
+    }
+    else if (result.status === 'SKIP') results.summary.skip++;
+    else results.summary.manual++;
+  }
+
+  // Severity-weighted scoring
+  const totalCheckable = results.summary.pass + results.summary.fail + results.summary.manual;
+  const penaltyScore = (results.summary.critical * SEVERITY_WEIGHTS.CRITICAL) +
+                       (results.summary.high * SEVERITY_WEIGHTS.HIGH) +
+                       (results.summary.medium * SEVERITY_WEIGHTS.MEDIUM);
+
+  results.blocked = results.summary.critical > 0;
+  results.ready = results.summary.fail === 0;
+  results.score = Math.max(0, Math.round((results.summary.pass / Math.max(totalCheckable, 1)) * 100));
+  results.severityScore = penaltyScore;
+
+  // Verdict
+  if (results.blocked) {
+    results.verdict = 'BLOCKED — CRITICAL supply chain failure. DO NOT PUBLISH.';
+  } else if (results.summary.high > 0) {
+    results.verdict = 'NOT READY — HIGH severity issues must be resolved.';
+  } else if (results.summary.fail > 0) {
+    results.verdict = 'NOT READY — Fix failing checks before publishing.';
+  } else {
+    results.verdict = 'READY TO PUBLISH';
+  }
+
+  return results;
+}
+
+/**
+ * Generate verification receipt as Markdown
+ */
+function generateReceipt(results, options = {}) {
+  const lines = [
+    '# 50c Pre-Publish Verification Receipt',
+    '',
+    `**Generated:** ${results.timestamp}`,
+    `**Profile:** ${results.profile}`,
+    `**Directory:** ${options.cwd || 'N/A'}`,
+    '',
+  ];
+
+  // Verdict banner
+  if (results.blocked) {
+    lines.push('## BLOCKED — CRITICAL SUPPLY CHAIN FAILURE');
+    lines.push('');
+    lines.push('> This package has CRITICAL security issues that MUST be resolved before publishing.');
+    lines.push('> Publishing with these issues could compromise every user who installs this package.');
+  } else if (results.ready) {
+    lines.push('## READY TO PUBLISH');
+  } else {
+    lines.push('## NOT READY — FIX ISSUES');
+  }
+
+  lines.push('');
+  lines.push('---');
+  lines.push('');
+  lines.push('## Summary');
+  lines.push('');
+  lines.push('| Metric | Count |');
+  lines.push('|--------|-------|');
+  lines.push(`| Pass | ${results.summary.pass} |`);
+  lines.push(`| Fail | ${results.summary.fail} |`);
+  if (results.summary.critical > 0) lines.push(`| -- CRITICAL | ${results.summary.critical} |`);
+  if (results.summary.high > 0) lines.push(`| -- HIGH | ${results.summary.high} |`);
+  if (results.summary.medium > 0) lines.push(`| -- MEDIUM | ${results.summary.medium} |`);
+  lines.push(`| Skip | ${results.summary.skip} |`);
+  lines.push(`| Manual | ${results.summary.manual} |`);
+  lines.push(`| **Score** | **${results.score}/100** |`);
+  if (results.severityScore > 0) lines.push(`| **Severity Penalty** | **${results.severityScore}** |`);
+  lines.push('');
+  lines.push('---');
+  lines.push('');
+  lines.push('## Detailed Results');
+  lines.push('');
+
+  // Group by category — supply-chain FIRST
+  const byCategory = {};
+  const categoryOrder = ['supply-chain', 'security', 'metadata', 'code', 'docs', 'test', 'files', 'ai-verify', 'build', 'content', 'reproducibility', 'ethics', 'format', 'release', 'regulatory', 'statistics', 'clinical', 'conflicts', 'methodology', 'data', 'claims', 'figures', 'literature', 'proofs', 'definitions', 'examples', 'legal'];
+
+  for (const check of results.checks) {
+    if (!byCategory[check.cat]) byCategory[check.cat] = [];
+    byCategory[check.cat].push(check);
+  }
+
+  // Sort categories: supply-chain first, then security, then rest
+  const sortedCats = Object.keys(byCategory).sort((a, b) => {
+    const aIdx = categoryOrder.indexOf(a);
+    const bIdx = categoryOrder.indexOf(b);
+    return (aIdx === -1 ? 999 : aIdx) - (bIdx === -1 ? 999 : bIdx);
+  });
+
+  for (const cat of sortedCats) {
+    const checks = byCategory[cat];
+    const catLabel = cat === 'supply-chain' ? 'SUPPLY CHAIN SECURITY' : cat.toUpperCase();
+    lines.push(`### ${catLabel}`);
+    lines.push('');
+    lines.push('| Status | Severity | Check | Message |');
+    lines.push('|--------|----------|-------|---------|');
+    for (const c of checks) {
+      const icon = c.status === 'PASS' ? '✅' : c.status === 'FAIL' ? '❌' : c.status === 'SKIP' ? '⏭️' : '👁️';
+      const sev = c.severity || '-';
+      lines.push(`| ${icon} ${c.status} | ${sev} | ${c.desc} | ${(c.msg || '').substring(0, 60)} |`);
+    }
+    lines.push('');
+  }
+
+  // Cost estimate for AI checks
+  const aiChecks = results.checks.filter(c => c.cat === 'ai-verify' && c.status !== 'SKIP');
+  if (aiChecks.length > 0) {
+    lines.push('---');
+    lines.push('');
+    lines.push('## AI Verification Cost');
+    lines.push('');
+    lines.push('| Tool | Est. Cost |');
+    lines.push('|------|-----------|');
+    for (const c of aiChecks) {
+      const cost = c.id.includes('bcalc') ? '$0.15' :
+                   c.id.includes('genius') ? '$0.65' :
+                   c.id.includes('hints') ? '$0.10' : 'FREE';
+      lines.push(`| ${c.id} | ${cost} |`);
+    }
+    lines.push('');
+  }
+
+  lines.push('---');
+  lines.push('');
+  lines.push('*Generated by 50c Security Suite — "Never let a Verdant happen again"*');
+  lines.push('*Supply chain checks are FREE. AI verification costs noted above.*');
+
+  return lines.join('\n');
+}
+
+/**
+ * Full verification with receipt generation
+ */
+async function verifyWithReceipt(profile, options = {}) {
+  const results = await verify(profile, options);
+  const receipt = generateReceipt(results, options);
+  return { ...results, receipt };
+}
+
+module.exports = { verify, verifyWithReceipt, generateReceipt, PROFILES, EMPIRICAL_CHECKS, call50cTool, loadAllowlist };