@appsforgood/next-supabase-kit 0.1.0

package/dist/index.js

@@ -0,0 +1,3521 @@
+#!/usr/bin/env node
+
+// src/cli/index.ts
+import { Command } from "commander";
+
+// src/install/add-skill.ts
+import { existsSync as existsSync3 } from "fs";
+import { join as join3 } from "path";
+
+// src/utils/fs.ts
+import { createHash } from "crypto";
+import {
+  cpSync,
+  existsSync,
+  lstatSync,
+  mkdirSync,
+  readFileSync,
+  readdirSync,
+  writeFileSync
+} from "fs";
+import { basename, dirname, isAbsolute, join, relative, resolve } from "path";
+function ensureDir(path) {
+  mkdirSync(path, { recursive: true });
+}
+function readTextIfExists(path) {
+  if (!existsSync(path)) return null;
+  return readFileSync(path, "utf8");
+}
+function writeText(path, content) {
+  ensureDir(dirname(path));
+  writeFileSync(path, content);
+}
+function sha256(content) {
+  return createHash("sha256").update(content).digest("hex");
+}
+function resolveInside(root, requestedPath) {
+  const resolvedRoot = resolve(root);
+  const resolvedPath = resolve(resolvedRoot, requestedPath);
+  const rel = relative(resolvedRoot, resolvedPath);
+  if (rel === ".." || rel.startsWith("..") || isAbsolute(rel)) {
+    throw new Error(`Unsafe path outside root: ${requestedPath}`);
+  }
+  return resolvedPath;
+}
+function listFilesRecursive(root) {
+  if (!existsSync(root)) return [];
+  const out = [];
+  const visit = (dir) => {
+    for (const entry of readdirSync(dir)) {
+      const fullPath = join(dir, entry);
+      let stats;
+      try {
+        stats = lstatSync(fullPath);
+      } catch {
+        continue;
+      }
+      if (stats.isSymbolicLink()) continue;
+      if (stats.isDirectory()) {
+        if (entry === "node_modules" || entry === ".git") continue;
+        visit(fullPath);
+      } else {
+        out.push(relative(root, fullPath));
+      }
+    }
+  };
+  visit(root);
+  return out.sort();
+}
+function copyTextWithConflict(sourcePath, targetRoot, targetRelativePath, options = {}) {
+  const targetPath = resolveInside(targetRoot, targetRelativePath);
+  const sourceContent = readFileSync(sourcePath, "utf8");
+  const existingContent = readTextIfExists(targetPath);
+  if (existingContent === null) {
+    writeText(targetPath, sourceContent);
+    return { action: "created", target: targetRelativePath };
+  }
+  if (sha256(existingContent) === sha256(sourceContent)) {
+    return { action: "unchanged", target: targetRelativePath };
+  }
+  if (options.force) {
+    writeText(targetPath, sourceContent);
+    return { action: "overwritten", target: targetRelativePath };
+  }
+  const conflictRoot = options.conflictRoot ?? join(targetRoot, ".agent-kit", "conflicts");
+  const safeName = `${Date.now()}-${targetRelativePath.replace(/[^a-zA-Z0-9_.-]/g, "_")}`;
+  const conflictPath = join(conflictRoot, safeName);
+  writeText(conflictPath, sourceContent);
+  return {
+    action: "conflict",
+    target: targetRelativePath,
+    conflictPath: relative(targetRoot, conflictPath)
+  };
+}
+function copyDirectory(sourceRoot, targetRoot) {
+  ensureDir(dirname(targetRoot));
+  cpSync(sourceRoot, targetRoot, {
+    recursive: true,
+    force: true,
+    filter: (source) => !basename(source).startsWith(".DS_Store")
+  });
+}
+
+// src/utils/package-root.ts
+import { existsSync as existsSync2 } from "fs";
+import { dirname as dirname2, join as join2, resolve as resolve2 } from "path";
+import { fileURLToPath } from "url";
+function findPackageRoot(start = dirname2(fileURLToPath(import.meta.url))) {
+  let current = resolve2(start);
+  for (let i = 0; i < 8; i += 1) {
+    if (existsSync2(join2(current, "package.json"))) {
+      return current;
+    }
+    const parent = dirname2(current);
+    if (parent === current) break;
+    current = parent;
+  }
+  throw new Error("Unable to locate package root from runtime path.");
+}
+
+// src/install/add-skill.ts
+function listSkills() {
+  const packageRoot = findPackageRoot();
+  return listFilesRecursive(join3(packageRoot, "skills")).filter((file) => file.endsWith(".md"));
+}
+function addSkill(cwd, skillName, options = {}) {
+  const packageRoot = findPackageRoot();
+  const normalized = skillName.endsWith(".md") ? skillName : `${skillName}.md`;
+  if (!/^[a-z0-9-]+\.md$/.test(normalized)) {
+    throw new Error("Skill names may contain only lowercase letters, numbers, and hyphens.");
+  }
+  const sourcePath = join3(packageRoot, "skills", normalized);
+  if (!existsSync3(sourcePath)) {
+    const available = listSkills().join(", ");
+    throw new Error(`Unknown skill "${skillName}". Available skills: ${available}`);
+  }
+  const result = copyTextWithConflict(sourcePath, cwd, join3(".agent-kit", "skills", normalized), {
+    force: Boolean(options.force),
+    conflictRoot: join3(cwd, ".agent-kit", "conflicts")
+  });
+  return `${result.action}: ${result.target}`;
+}
+
+// src/install/audit.ts
+import { existsSync as existsSync6, readFileSync as readFileSync4, statSync } from "fs";
+import { join as join6 } from "path";
+
+// src/config/contracts.ts
+import { z } from "zod";
+var stringList = z.array(z.string());
+var AgentRosterContract = z.object({
+  schemaVersion: z.literal(1),
+  id: z.string().min(1),
+  stack: z.string().min(1),
+  required: z.boolean(),
+  defaultWorkflow: z.string().min(1),
+  principle: z.string().optional(),
+  agents: z.array(
+    z.object({
+      id: z.string().min(1),
+      name: z.string().optional(),
+      file: z.string().optional(),
+      defaultFor: stringList.optional(),
+      skills: z.array(z.string()).min(1),
+      handsOffTo: stringList.optional()
+    }).strict()
+  ).min(1),
+  workflows: z.array(
+    z.object({
+      id: z.string().min(1),
+      triggers: stringList.optional(),
+      sequence: z.array(z.string()).min(1),
+      council: stringList,
+      requiredOutputs: stringList
+    }).strict()
+  ).min(1),
+  handoffRules: z.array(z.string()).min(1)
+}).strict();
+var CouncilSessionContract = z.object({
+  schemaVersion: z.literal(1),
+  sessionId: z.string().min(1),
+  createdAt: z.string().datetime(),
+  workflowId: z.string().min(1),
+  status: z.enum(["planned", "in-progress", "blocked", "complete"]),
+  request: z.string().min(1),
+  affectedLayers: stringList.optional(),
+  handoffs: z.array(
+    z.object({
+      agentId: z.string().min(1),
+      decision: z.string().min(1),
+      risk: z.string().min(1),
+      nextHandoff: z.string().min(1),
+      evidence: stringList.optional()
+    }).strict()
+  ).min(1),
+  requiredOutputs: z.array(
+    z.object({
+      name: z.string().min(1),
+      status: z.enum(["missing", "partial", "complete", "not-applicable"]),
+      evidence: z.string().optional()
+    }).strict()
+  ),
+  verification: z.array(
+    z.object({
+      command: z.string().min(1),
+      result: z.enum(["pass", "fail", "skipped"]),
+      notes: z.string().optional()
+    }).strict()
+  )
+}).strict();
+var AuditReportContract = z.object({
+  summary: z.object({
+    pass: z.number().int().min(0),
+    warn: z.number().int().min(0),
+    fail: z.number().int().min(0)
+  }).strict(),
+  readiness: z.object({
+    level: z.enum(["needs-setup", "baseline-setup", "needs-improvement", "best-practice-candidate"]),
+    summary: z.string().min(1),
+    nextActions: z.array(z.string())
+  }).strict(),
+  findings: z.array(
+    z.object({
+      level: z.enum(["pass", "warn", "fail"]),
+      area: z.string().min(1),
+      message: z.string().min(1),
+      remediation: z.string().min(1).optional()
+    }).strict()
+  )
+}).strict();
+var ModelRoutingContract = z.object({
+  schemaVersion: z.literal(1),
+  id: z.string().min(1),
+  stack: z.string().min(1),
+  reviewedAt: z.string().min(1),
+  reviewCadence: z.string().min(1),
+  principle: z.string().min(1),
+  profiles: z.array(
+    z.object({
+      id: z.string().min(1),
+      label: z.string().min(1),
+      intent: z.string().min(1),
+      reasoningEffort: z.enum(["low", "medium", "high", "varies"]),
+      contextWindow: z.enum(["small", "medium", "large", "very-large", "varies"]),
+      latency: z.enum(["low", "medium", "high", "varies"]),
+      cost: z.enum(["low", "medium", "high", "varies"]),
+      preferredFor: z.array(z.string()).min(1)
+    }).strict()
+  ).min(1),
+  agentRoutes: z.array(
+    z.object({
+      agentId: z.string().min(1),
+      profileId: z.string().min(1),
+      defaultEffort: z.enum(["low", "medium", "high"]),
+      escalationProfileId: z.string().optional(),
+      notes: z.string().optional()
+    }).strict()
+  ).min(1),
+  toolSurfaces: z.array(
+    z.object({
+      tool: z.string().min(1),
+      instructionSurface: z.string().min(1),
+      modelSelection: z.string().min(1),
+      enforcement: z.enum(["enforced", "partial", "advisory", "manual"]),
+      adapter: z.string().min(1)
+    }).strict()
+  ).min(1),
+  updatePolicy: z.array(z.string()).min(1)
+}).strict();
+var projectEvidenceItem = z.object({
+  source: z.string().min(1),
+  note: z.string().min(1)
+}).strict();
+var ProjectContextContract = z.object({
+  schemaVersion: z.literal(1),
+  projectName: z.string(),
+  productSummary: z.string(),
+  productCategory: z.string(),
+  primaryAudience: z.string(),
+  primaryWorkflows: z.array(z.string()),
+  businessCriticalBehavior: z.array(z.string()),
+  architecture: z.object({
+    packageManager: z.string().optional(),
+    scripts: z.array(z.string()),
+    frameworks: z.array(z.string()),
+    uiLibraries: z.array(z.string()),
+    hasSupabase: z.boolean(),
+    supabaseSignals: z.array(z.string()),
+    testTools: z.array(z.string()),
+    envExampleKeys: z.array(z.string()),
+    deployment: z.array(z.string())
+  }).strict(),
+  dataSensitivity: z.array(z.string()),
+  authModel: z.string(),
+  tenantModel: z.string(),
+  integrations: z.array(z.string()),
+  uiDirection: z.object({
+    preferred: z.string(),
+    avoid: z.string()
+  }).strict(),
+  messaging: z.object({
+    valueProposition: z.string(),
+    proof: z.array(z.string()),
+    objections: z.array(z.string())
+  }).strict(),
+  qualityTarget: z.enum(["baseline-setup", "needs-improvement", "best-practice-candidate"]),
+  knownConstraints: z.array(z.string()),
+  openQuestions: z.array(z.string()),
+  evidence: z.array(projectEvidenceItem),
+  lastReviewedAt: z.string().datetime(),
+  owners: z.array(z.string())
+}).strict();
+var CorrectionRuleContract = z.object({
+  id: z.string().min(1),
+  scope: z.enum(["session", "project", "agent", "upstream-proposal"]),
+  status: z.enum(["active", "retired", "proposed"]),
+  text: z.string().min(1),
+  appliesToAgents: z.array(z.string()).optional(),
+  agentId: z.string().min(1).optional(),
+  sourceSessionId: z.string().min(1).optional(),
+  createdAt: z.string().datetime(),
+  reviewedAt: z.string().datetime().nullable().optional(),
+  retiredAt: z.string().datetime().optional(),
+  reason: z.string().optional()
+}).strict().superRefine((rule, context2) => {
+  if (rule.scope === "agent" && !rule.agentId && (!rule.appliesToAgents || rule.appliesToAgents.length === 0)) {
+    context2.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "agent-scoped corrections require agentId or appliesToAgents",
+      path: ["agentId"]
+    });
+  }
+});
+var CorrectionRulesContract = z.object({
+  schemaVersion: z.literal(1),
+  rules: z.array(CorrectionRuleContract)
+}).strict();
+var StudioSessionContract = z.object({
+  schemaVersion: z.literal(1),
+  sessionId: z.string().min(1),
+  title: z.string().min(1),
+  createdAt: z.string().datetime(),
+  updatedAt: z.string().datetime(),
+  status: z.enum(["planned", "in-progress", "blocked", "complete"]),
+  workflowId: z.string().min(1),
+  request: z.string().min(1),
+  affectedLayers: z.array(z.string()),
+  activeAgentId: z.string().optional(),
+  nextAgentId: z.string().optional(),
+  qualityTarget: z.enum(["baseline-setup", "needs-improvement", "best-practice-candidate"]),
+  requiredOutputs: z.array(
+    z.object({
+      name: z.string().min(1),
+      status: z.enum(["missing", "partial", "complete", "not-applicable"]),
+      evidence: z.string().optional()
+    }).strict()
+  ),
+  renderedAt: z.string().datetime().optional()
+}).strict();
+var SessionEventContract = z.object({
+  type: z.enum([
+    "session_started",
+    "project_context_loaded",
+    "agent_message",
+    "agent_decision",
+    "handoff",
+    "human_correction",
+    "correction_promoted",
+    "artifact_recorded",
+    "command_recorded",
+    "verification_recorded",
+    "open_question",
+    "required_output_updated",
+    "session_status_changed",
+    "session_rendered"
+  ]),
+  createdAt: z.string().datetime(),
+  agentId: z.string().min(1).optional(),
+  fromAgentId: z.string().min(1).optional(),
+  toAgentId: z.string().min(1).optional(),
+  text: z.string().optional(),
+  decision: z.string().optional(),
+  risk: z.string().optional(),
+  evidence: z.array(z.string()).optional(),
+  scope: z.enum(["session", "project", "agent", "upstream-proposal"]).optional(),
+  correctionId: z.string().min(1).optional(),
+  artifactPath: z.string().min(1).optional(),
+  command: z.string().min(1).optional(),
+  result: z.enum(["pass", "fail", "skipped"]).optional(),
+  outputName: z.string().min(1).optional(),
+  outputStatus: z.enum(["missing", "partial", "complete", "not-applicable"]).optional(),
+  status: z.enum(["planned", "in-progress", "blocked", "complete"]).optional(),
+  notes: z.string().optional()
+}).strict().superRefine((event, context2) => {
+  if (event.type === "handoff") {
+    for (const field of ["fromAgentId", "toAgentId", "decision", "risk"]) {
+      if (!event[field]) {
+        context2.addIssue({ code: z.ZodIssueCode.custom, message: `${field} is required for handoff events`, path: [field] });
+      }
+    }
+  }
+  if (event.type === "human_correction" && (!event.text || !event.scope)) {
+    context2.addIssue({ code: z.ZodIssueCode.custom, message: "human corrections require text and scope", path: ["text"] });
+  }
+  if (event.type === "verification_recorded" && (!event.command || !event.result)) {
+    context2.addIssue({ code: z.ZodIssueCode.custom, message: "verification events require command and result", path: ["command"] });
+  }
+  if (event.type === "artifact_recorded" && !event.artifactPath) {
+    context2.addIssue({ code: z.ZodIssueCode.custom, message: "artifact events require artifactPath", path: ["artifactPath"] });
+  }
+  if (event.type === "required_output_updated" && (!event.outputName || !event.outputStatus)) {
+    context2.addIssue({ code: z.ZodIssueCode.custom, message: "required output events require outputName and outputStatus", path: ["outputName"] });
+  }
+});
+function formatContractIssues(error) {
+  return error.issues.map((issue) => {
+    const path = issue.path.length > 0 ? issue.path.join(".") : "<root>";
+    return `${path}: ${issue.message}`;
+  });
+}
+
+// src/config/defaults.ts
+var PACKAGE_NAME = "@agent-skills/next-supabase-kit";
+var PACKAGE_VERSION = "0.1.0";
+var DEFAULT_CONFIG = {
+  stack: "next-supabase",
+  projectType: "saas",
+  docsMode: "advisory",
+  agentCouncil: {
+    required: true,
+    rosterPath: ".agent-kit/agent-roster.json",
+    defaultWorkflow: "planning",
+    coreChangeWorkflow: "core-change"
+  },
+  modelRouting: {
+    required: true,
+    routingPath: ".agent-kit/model-routing.json",
+    reviewCadence: "quarterly-or-when-model-docs-change"
+  },
+  designProviders: ["stitch", "claude", "figma", "human"],
+  research: {
+    maxRepos: 100,
+    githubTokenEnv: "GITHUB_TOKEN",
+    workdir: "research/workdir"
+  }
+};
+var ROOT_DOCS = [
+  "AGENTS.md",
+  "AGENT_ROSTER.md",
+  "ASSISTANT_ADAPTERS.md",
+  "COUNCIL.md",
+  "SKILLS.md",
+  "SPEC.md",
+  "DECISIONS.md",
+  "DOCS.md",
+  "DESIGN.md",
+  "MESSAGING.md",
+  "MODEL_ROUTING.md",
+  "QUALITY_GATES.md",
+  "STYLE_GUIDE.md",
+  "SECURITY.md",
+  "TESTING.md",
+  "DEPLOYMENT.md",
+  "UPGRADE.md"
+];
+var LIBRARY_FOLDERS = [
+  "agents",
+  "skills",
+  "prompts",
+  "checklists",
+  "design-adapters",
+  "assistant-adapters",
+  "design-briefs",
+  "profiles",
+  "rosters",
+  "schemas"
+];
+var DEFAULT_AGENT_ROSTER_SOURCE = "rosters/next-supabase-default-council.json";
+var DEFAULT_AGENT_ROSTER_TARGET = ".agent-kit/agent-roster.json";
+var DEFAULT_MODEL_ROUTING_SOURCE = "model-routing/default-model-routing.json";
+var DEFAULT_MODEL_ROUTING_TARGET = ".agent-kit/model-routing.json";
+var CURSOR_ADAPTER_FILES = [
+  {
+    source: "assistant-adapters/cursor-agent-kit.mdc",
+    target: ".cursor/rules/cursor-agent-kit.mdc"
+  },
+  {
+    source: "assistant-adapters/model-selection/cursor-model-selection.mdc",
+    target: ".cursor/rules/cursor-model-selection.mdc"
+  }
+];
+
+// src/studio/shared.ts
+import { appendFileSync, existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
+import { basename as basename2, dirname as dirname3, join as join4 } from "path";
+var AGENT_KIT_DIR = ".agent-kit";
+var CONTEXT_JSON = ".agent-kit/project-context.json";
+var CONTEXT_MD = ".agent-kit/project-context.md";
+var CORRECTIONS_DIR = ".agent-kit/corrections";
+var PROJECT_RULES_JSON = ".agent-kit/corrections/project-rules.json";
+var AGENT_RULES_JSON = ".agent-kit/corrections/agent-rules.json";
+var UPSTREAM_PROPOSALS_JSON = ".agent-kit/corrections/upstream-proposals.json";
+var COUNCIL_SESSIONS_DIR = ".agent-kit/council-sessions";
+var ACTIVE_SESSION_FILE = ".agent-kit/council-sessions/active";
+var STUDIO_EXPORT_HTML = ".agent-kit/studio/index.html";
+var SECRET_PATTERNS = [
+  /gh[pousr]_[A-Za-z0-9_]{12,}/g,
+  /github_pat_[A-Za-z0-9_]{20,}/g,
+  /sk_(?:live|test)_[A-Za-z0-9_]{8,}/g,
+  /sbp_[A-Za-z0-9_]{12,}/g,
+  /(?:SUPABASE_SERVICE_ROLE_KEY|DATABASE_URL|OPENAI_API_KEY|ANTHROPIC_API_KEY|GITHUB_TOKEN)=["']?[^"'\s]+/gi,
+  /postgres(?:ql)?:\/\/[^\s)]+/gi
+];
+function nowIso() {
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+function redactSensitive(text) {
+  return SECRET_PATTERNS.reduce((current, pattern) => current.replace(pattern, "[REDACTED]"), text);
+}
+function containsLikelySecret(text) {
+  return SECRET_PATTERNS.some((pattern) => {
+    pattern.lastIndex = 0;
+    return pattern.test(text);
+  });
+}
+function safeSlug(input) {
+  const lowered = input.trim().toLowerCase();
+  if (!lowered) throw new Error("A non-empty title or id is required.");
+  if (lowered.includes("/") || lowered.includes("\\") || lowered.includes("..")) {
+    throw new Error(`Unsafe session or correction id: ${input}`);
+  }
+  const slug = lowered.replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 80);
+  if (!slug) throw new Error(`Could not derive a safe id from: ${input}`);
+  return slug;
+}
+function ensureStudioDirs(cwd) {
+  ensureDir(join4(cwd, AGENT_KIT_DIR));
+  ensureDir(join4(cwd, CORRECTIONS_DIR));
+  ensureDir(join4(cwd, COUNCIL_SESSIONS_DIR));
+}
+function readJsonFile(cwd, relativePath) {
+  const path = resolveInside(cwd, relativePath);
+  if (!existsSync4(path)) return null;
+  return JSON.parse(readFileSync2(path, "utf8"));
+}
+function writeJsonFile(cwd, relativePath, value) {
+  writeText(resolveInside(cwd, relativePath), `${JSON.stringify(value, null, 2)}
+`);
+}
+function appendJsonLine(cwd, relativePath, value) {
+  const path = resolveInside(cwd, relativePath);
+  ensureDir(dirname3(path));
+  appendFileSync(path, `${JSON.stringify(value)}
+`);
+}
+function readJsonLines(cwd, relativePath) {
+  const text = readTextIfExists(resolveInside(cwd, relativePath));
+  if (!text) return [];
+  return text.split(/\r?\n/).filter((line) => line.trim().length > 0).map((line) => JSON.parse(line));
+}
+function writeTextFile(cwd, relativePath, content) {
+  writeText(resolveInside(cwd, relativePath), content);
+}
+function readTextFile(cwd, relativePath) {
+  return readTextIfExists(resolveInside(cwd, relativePath));
+}
+function validateRelativeArtifactPath(cwd, requestedPath) {
+  const resolved = resolveInside(cwd, requestedPath);
+  if (basename2(resolved).startsWith(".")) {
+    throw new Error(`Hidden files cannot be recorded as artifacts: ${requestedPath}`);
+  }
+  return requestedPath.replace(/\\/g, "/");
+}
+function escapeMarkdownText(value) {
+  return redactSensitive(value ?? "").replace(/\\/g, "\\\\").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/[`![\]()|]/g, "\\$&").replace(/\r?\n/g, "<br>");
+}
+function escapeMarkdownTableCell(value) {
+  return escapeMarkdownText(value).replace(/\|/g, "\\|");
+}
+function listMarkdown(items) {
+  if (items.length === 0) return "- None recorded.\n";
+  return items.map((item) => `- ${escapeMarkdownText(item)}`).join("\n") + "\n";
+}
+function unique(values) {
+  return [...new Set(values.filter(Boolean))].sort();
+}
+
+// src/install/install.ts
+import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
+import { join as join5 } from "path";
+function initProject(options) {
+  const cwd = options.cwd;
+  const stack = options.stack ?? DEFAULT_CONFIG.stack;
+  const packageRoot = findPackageRoot();
+  const templateRoot = join5(packageRoot, "templates", stack);
+  if (!existsSync5(templateRoot)) {
+    throw new Error(`Unsupported stack profile: ${stack}`);
+  }
+  ensureDir(join5(cwd, ".agent-kit"));
+  ensureDir(join5(cwd, ".agent-kit", "conflicts"));
+  const result = {
+    copied: [],
+    unchanged: [],
+    conflicts: [],
+    overwritten: [],
+    manifestPath: ".agent-kit/manifest.json"
+  };
+  const templateHashes = {};
+  for (const doc of ROOT_DOCS) {
+    const templatePath = join5(templateRoot, doc);
+    templateHashes[doc] = sha256(readFileSync3(templatePath, "utf8"));
+    const copyResult = copyTextWithConflict(templatePath, cwd, doc, {
+      force: Boolean(options.force),
+      conflictRoot: join5(cwd, ".agent-kit", "conflicts")
+    });
+    if (copyResult.action === "created") result.copied.push(copyResult.target);
+    if (copyResult.action === "unchanged") result.unchanged.push(copyResult.target);
+    if (copyResult.action === "overwritten") result.overwritten.push(copyResult.target);
+    if (copyResult.action === "conflict") {
+      result.conflicts.push(`${copyResult.target} -> ${copyResult.conflictPath}`);
+    }
+  }
+  for (const folder of LIBRARY_FOLDERS) {
+    copyDirectory(join5(packageRoot, folder), join5(cwd, ".agent-kit", folder));
+  }
+  for (const adapter of CURSOR_ADAPTER_FILES) {
+    const adapterCopy = copyTextWithConflict(join5(packageRoot, adapter.source), cwd, adapter.target, {
+      force: Boolean(options.force),
+      conflictRoot: join5(cwd, ".agent-kit", "conflicts")
+    });
+    if (adapterCopy.action === "created") result.copied.push(adapterCopy.target);
+    if (adapterCopy.action === "unchanged") result.unchanged.push(adapterCopy.target);
+    if (adapterCopy.action === "overwritten") result.overwritten.push(adapterCopy.target);
+    if (adapterCopy.action === "conflict") {
+      result.conflicts.push(`${adapterCopy.target} -> ${adapterCopy.conflictPath}`);
+    }
+  }
+  const rosterCopy = copyTextWithConflict(join5(packageRoot, DEFAULT_AGENT_ROSTER_SOURCE), cwd, DEFAULT_AGENT_ROSTER_TARGET, {
+    force: Boolean(options.force),
+    conflictRoot: join5(cwd, ".agent-kit", "conflicts")
+  });
+  if (rosterCopy.action === "created") result.copied.push(rosterCopy.target);
+  if (rosterCopy.action === "unchanged") result.unchanged.push(rosterCopy.target);
+  if (rosterCopy.action === "overwritten") result.overwritten.push(rosterCopy.target);
+  if (rosterCopy.action === "conflict") result.conflicts.push(`${rosterCopy.target} -> ${rosterCopy.conflictPath}`);
+  const modelRoutingCopy = copyTextWithConflict(join5(packageRoot, DEFAULT_MODEL_ROUTING_SOURCE), cwd, DEFAULT_MODEL_ROUTING_TARGET, {
+    force: Boolean(options.force),
+    conflictRoot: join5(cwd, ".agent-kit", "conflicts")
+  });
+  if (modelRoutingCopy.action === "created") result.copied.push(modelRoutingCopy.target);
+  if (modelRoutingCopy.action === "unchanged") result.unchanged.push(modelRoutingCopy.target);
+  if (modelRoutingCopy.action === "overwritten") result.overwritten.push(modelRoutingCopy.target);
+  if (modelRoutingCopy.action === "conflict") result.conflicts.push(`${modelRoutingCopy.target} -> ${modelRoutingCopy.conflictPath}`);
+  const manifest = {
+    packageName: PACKAGE_NAME,
+    packageVersion: PACKAGE_VERSION,
+    stack,
+    installedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    docs: [...ROOT_DOCS],
+    libraryFolders: [...LIBRARY_FOLDERS],
+    agentRoster: DEFAULT_AGENT_ROSTER_TARGET,
+    modelRouting: DEFAULT_MODEL_ROUTING_TARGET,
+    templateHashes
+  };
+  writeText(join5(cwd, ".agent-kit", "manifest.json"), `${JSON.stringify(manifest, null, 2)}
+`);
+  writeText(join5(cwd, ".agent-kit", "config.json"), `${JSON.stringify(DEFAULT_CONFIG, null, 2)}
+`);
+  const overridesPath = join5(cwd, ".agent-kit", "overrides.json");
+  if (!existsSync5(overridesPath)) writeText(overridesPath, `${JSON.stringify({ templates: {} }, null, 2)}
+`);
+  return result;
+}
+function readManifest(cwd) {
+  const manifestPath = join5(cwd, ".agent-kit", "manifest.json");
+  if (!existsSync5(manifestPath)) return null;
+  return JSON.parse(readFileSync3(manifestPath, "utf8"));
+}
+
+// src/install/audit.ts
+var REQUIRED_AGENT_IDS = [
+  "planner",
+  "lead-architect",
+  "nextjs-engineer",
+  "supabase-postgres-engineer",
+  "security-reviewer",
+  "frontend-design-lead",
+  "marketing-copy-lead",
+  "qa-engineer",
+  "docs-maintainer",
+  "deployment-observability-engineer"
+];
+var REQUIRED_SKILL_IDS = [
+  "planning-council",
+  "best-practice-maturity-review",
+  "upgrade-maintenance",
+  "nextjs-app-router",
+  "supabase-auth-rls",
+  "postgres-migrations",
+  "owasp-security-review",
+  "agent-handoff-tracing",
+  "content-first-design",
+  "reference-led-design-critique",
+  "frontend-distinctiveness-benchmark",
+  "frontend-product-quality-rubric",
+  "frontend-design-system",
+  "visual-regression-qa",
+  "positioning-messaging",
+  "conversion-copywriting",
+  "landing-page-copy",
+  "product-voice-tone",
+  "onboarding-empty-state-copy",
+  "accessibility-wcag",
+  "testing-qa",
+  "docs-maintainer",
+  "deployment-observability"
+];
+var REQUIRED_SCHEMA_FILES = [
+  "agent-roster.schema.json",
+  "council-session.schema.json",
+  "audit-report.schema.json",
+  "model-routing.schema.json",
+  "project-context.schema.json",
+  "correction-rules.schema.json",
+  "session-event.schema.json",
+  "studio-session.schema.json"
+];
+var COUNCIL_SESSION_DIR = ".agent-kit/council-sessions";
+var READINESS_ORDER = ["needs-setup", "baseline-setup", "needs-improvement", "best-practice-candidate"];
+function isAuditReadinessLevel(value) {
+  return READINESS_ORDER.includes(value);
+}
+function meetsMinimumReadiness(actual, minimum) {
+  return READINESS_ORDER.indexOf(actual) >= READINESS_ORDER.indexOf(minimum);
+}
+function includesAny(text, values) {
+  const lower = text.toLowerCase();
+  return values.some((value) => lower.includes(value.toLowerCase()));
+}
+function includesAll(text, values) {
+  const lower = text.toLowerCase();
+  return values.every((value) => lower.includes(value.toLowerCase()));
+}
+function readDoc(cwd, file) {
+  const path = join6(cwd, file);
+  return existsSync6(path) ? readFileSync4(path, "utf8") : "";
+}
+function readOverrides(cwd) {
+  const path = join6(cwd, ".agent-kit", "overrides.json");
+  if (!existsSync6(path)) return {};
+  try {
+    const parsed = JSON.parse(readFileSync4(path, "utf8"));
+    const templates = parsed.templates ?? {};
+    return Object.fromEntries(
+      Object.entries(templates).map(([file, override]) => [
+        file,
+        typeof override === "string" ? { reason: override } : override && typeof override === "object" ? override : { reason: String(override) }
+      ])
+    );
+  } catch {
+    return {};
+  }
+}
+function readTemplate(stack, file) {
+  const path = join6(findPackageRoot(), "templates", stack, file);
+  return existsSync6(path) ? readFileSync4(path, "utf8") : null;
+}
+function asStringArray(value) {
+  if (!Array.isArray(value)) return [];
+  return value.filter((item) => typeof item === "string");
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function addAgentRosterFindings(cwd, findings) {
+  const rosterPath = join6(cwd, DEFAULT_AGENT_ROSTER_TARGET);
+  if (!existsSync6(rosterPath)) {
+    findings.push({
+      level: "fail",
+      area: "agents",
+      message: `${DEFAULT_AGENT_ROSTER_TARGET} is missing.`,
+      remediation: "Run agent-kit update to install the default council roster and agent-to-skill routing."
+    });
+    return;
+  }
+  let roster;
+  try {
+    const parsed = JSON.parse(readFileSync4(rosterPath, "utf8"));
+    if (!isRecord(parsed)) throw new Error("Roster must be a JSON object.");
+    const contractResult = AgentRosterContract.safeParse(parsed);
+    if (!contractResult.success) {
+      findings.push({
+        level: "fail",
+        area: "agents",
+        message: `${DEFAULT_AGENT_ROSTER_TARGET} does not match the schema-backed roster contract.`,
+        remediation: `Fix roster shape before relying on council routing. First issue: ${formatContractIssues(contractResult.error)[0]}`
+      });
+      return;
+    }
+    roster = contractResult.data;
+    findings.push({
+      level: "pass",
+      area: "agents",
+      message: "Agent roster matches the schema-backed runtime contract."
+    });
+  } catch {
+    findings.push({
+      level: "fail",
+      area: "agents",
+      message: `${DEFAULT_AGENT_ROSTER_TARGET} is not valid roster JSON.`,
+      remediation: "Replace it with .agent-kit/rosters/next-supabase-default-council.json or rerun agent-kit update."
+    });
+    return;
+  }
+  if (roster.schemaVersion !== 1 || roster.required !== true || roster.defaultWorkflow !== "planning") {
+    findings.push({
+      level: "warn",
+      area: "agents",
+      message: "Agent roster metadata does not match the expected default council contract.",
+      remediation: "Keep schemaVersion 1, required true, and defaultWorkflow planning unless a documented override exists."
+    });
+  }
+  const agents = Array.isArray(roster.agents) ? roster.agents.filter(isRecord) : [];
+  const agentIds = new Set(agents.map((agent) => typeof agent.id === "string" ? agent.id : "").filter(Boolean));
+  const missingAgents = REQUIRED_AGENT_IDS.filter((agentId) => !agentIds.has(agentId));
+  if (missingAgents.length > 0) {
+    findings.push({
+      level: "fail",
+      area: "agents",
+      message: `Agent roster is missing required default agents: ${missingAgents.join(", ")}.`,
+      remediation: "Restore the default council roster so Planner, Architect, implementation, security, QA, docs, and deployment handoffs are always available."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "agents",
+      message: "Agent roster contains the required default council agents."
+    });
+  }
+  const skillIds = new Set(agents.flatMap((agent) => asStringArray(agent.skills)));
+  const missingSkills = REQUIRED_SKILL_IDS.filter((skillId) => !skillIds.has(skillId));
+  if (missingSkills.length > 0) {
+    findings.push({
+      level: "fail",
+      area: "agents",
+      message: `Agent roster is missing required skill routing: ${missingSkills.join(", ")}.`,
+      remediation: "Map each default agent to its associated skills so handoffs can invoke the right review path automatically."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "agents",
+      message: "Agent roster maps default agents to required skills."
+    });
+  }
+  const planner = agents.find((agent) => agent.id === "planner");
+  if (!planner || !asStringArray(planner.defaultFor).includes("planning")) {
+    findings.push({
+      level: "fail",
+      area: "agents",
+      message: "Planner is not marked as the default agent for planning.",
+      remediation: "Set planner.defaultFor to include planning so planning requests do not bypass the planning role."
+    });
+  }
+  const workflows = Array.isArray(roster.workflows) ? roster.workflows.filter(isRecord) : [];
+  const planningWorkflow = workflows.find((workflow) => workflow.id === "planning");
+  const coreChangeWorkflow = workflows.find((workflow) => workflow.id === "core-change");
+  const frontendWorkflow = workflows.find((workflow) => workflow.id === "frontend-change");
+  const marketingCopyWorkflow = workflows.find((workflow) => workflow.id === "marketing-copy");
+  if (!planningWorkflow || asStringArray(planningWorkflow.sequence)[0] !== "planner") {
+    findings.push({
+      level: "fail",
+      area: "agents",
+      message: "Planning workflow does not start with Planner.",
+      remediation: "Define a planning workflow whose first sequence item is planner."
+    });
+  }
+  const coreSequence = asStringArray(coreChangeWorkflow?.sequence);
+  const coreCouncil = asStringArray(coreChangeWorkflow?.council);
+  if (!coreChangeWorkflow || !coreSequence.includes("lead-architect") || !coreCouncil.includes("lead-architect")) {
+    findings.push({
+      level: "fail",
+      area: "agents",
+      message: "Core-change workflow does not require Lead Architect council review.",
+      remediation: "Define core-change with Lead Architect in both sequence and council."
+    });
+  } else if (!coreCouncil.includes("security-reviewer") || !coreCouncil.includes("qa-engineer")) {
+    findings.push({
+      level: "warn",
+      area: "agents",
+      message: "Core-change council is missing security or QA participation.",
+      remediation: "Include Security Reviewer and QA Engineer in core-change council membership."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "agents",
+      message: "Core-change workflow requires architect-led council handoff."
+    });
+  }
+  const frontendSequence = asStringArray(frontendWorkflow?.sequence);
+  const frontendOutputs = asStringArray(frontendWorkflow?.requiredOutputs).join(" ").toLowerCase();
+  if (!frontendWorkflow || !frontendSequence.includes("frontend-design-lead")) {
+    findings.push({
+      level: "fail",
+      area: "agents",
+      message: "Frontend-change workflow does not require Frontend Design Lead review.",
+      remediation: "Define frontend-change with Frontend Design Lead in the sequence before implementation is accepted."
+    });
+  } else if (!frontendOutputs.includes("brand") || !frontendOutputs.includes("creative") || !frontendOutputs.includes("reference") || !frontendOutputs.includes("distinctiveness") || !frontendOutputs.includes("critique") || !frontendOutputs.includes("scorecard") || !frontendOutputs.includes("visual")) {
+    findings.push({
+      level: "warn",
+      area: "agents",
+      message: "Frontend-change workflow is missing brand/content intake, creative-direction, reference-led critique, or visual QA outputs.",
+      remediation: "Require brand/content intake, creative-direction rationale, reference-set evidence, distinctiveness benchmark, design critique verdict, frontend product-quality scorecard, visual QA evidence, state coverage, accessibility checks, and screenshot evidence."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "agents",
+      message: "Frontend-change workflow requires content-first design, reference-led critique, distinctiveness benchmarking, product-quality scoring, and creative-direction evidence."
+    });
+  }
+  const marketingCopyLead = agents.find((agent) => agent.id === "marketing-copy-lead");
+  const marketingDefaultFor = asStringArray(marketingCopyLead?.defaultFor);
+  const marketingSkills = asStringArray(marketingCopyLead?.skills);
+  if (!marketingCopyLead || !marketingDefaultFor.includes("copywriting") || !marketingDefaultFor.includes("value-proposition") || !marketingSkills.includes("positioning-messaging") || !marketingSkills.includes("conversion-copywriting")) {
+    findings.push({
+      level: "fail",
+      area: "agents",
+      message: "Marketing Copy Lead is missing question-led positioning or conversion-copy skill routing.",
+      remediation: "Restore Marketing Copy Lead with copywriting, positioning, value-proposition, conversion, voice/tone, landing-page, onboarding, and empty-state routing."
+    });
+  }
+  const marketingSequence = asStringArray(marketingCopyWorkflow?.sequence);
+  const marketingOutputs = asStringArray(marketingCopyWorkflow?.requiredOutputs).join(" ").toLowerCase();
+  if (!marketingCopyWorkflow || !marketingSequence.includes("marketing-copy-lead")) {
+    findings.push({
+      level: "fail",
+      area: "agents",
+      message: "Marketing-copy workflow does not require Marketing Copy Lead review.",
+      remediation: "Define marketing-copy with Marketing Copy Lead in the sequence before public-facing copy is accepted."
+    });
+  } else if (!marketingOutputs.includes("questions") || !marketingOutputs.includes("audience") || !marketingOutputs.includes("value proposition") || !marketingOutputs.includes("proof") || !marketingOutputs.includes("objections") || !marketingOutputs.includes("voice") || !marketingOutputs.includes("conversion")) {
+    findings.push({
+      level: "warn",
+      area: "agents",
+      message: "Marketing-copy workflow is missing discovery questions, audience, value proposition, proof, objections, voice, or conversion outputs.",
+      remediation: "Require discovery questions, audience and segment assumptions, problem/pain/outcome, value proposition, differentiators, proof, objections, voice/tone, conversion goal, and design handoff notes."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "agents",
+      message: "Marketing-copy workflow requires question-led positioning, value proposition, proof, objections, voice, and conversion evidence."
+    });
+  }
+  const handoffRules = asStringArray(roster.handoffRules).join(" ").toLowerCase();
+  if (!includesAll(handoffRules, ["decision", "risk", "handoff", "evidence"])) {
+    findings.push({
+      level: "warn",
+      area: "agents",
+      message: "Agent roster handoff rules do not require decision, risk, handoff, and evidence capture.",
+      remediation: "Add handoff rules that require each meaningful council step to record decision, risk, next handoff, and evidence."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "agents",
+      message: "Agent roster requires auditable handoff evidence."
+    });
+  }
+}
+function addCouncilSessionRecordFindings(cwd, findings) {
+  const sessionsRoot = join6(cwd, COUNCIL_SESSION_DIR);
+  if (!existsSync6(sessionsRoot)) return;
+  const sessionFiles = listFilesRecursive(sessionsRoot).filter((file) => file.endsWith(".json") && !/[\\/]/.test(file));
+  if (sessionFiles.length === 0) return;
+  let invalidCount = 0;
+  for (const sessionFile of sessionFiles) {
+    const displayPath = `${COUNCIL_SESSION_DIR}/${sessionFile}`;
+    try {
+      const parsed = JSON.parse(readFileSync4(join6(sessionsRoot, sessionFile), "utf8"));
+      const contractResult = CouncilSessionContract.safeParse(parsed);
+      if (!contractResult.success) {
+        invalidCount += 1;
+        findings.push({
+          level: "fail",
+          area: "agents",
+          message: `${displayPath} does not match the council-session contract.`,
+          remediation: `Fix the structured council record. First issue: ${formatContractIssues(contractResult.error)[0]}`
+        });
+      }
+    } catch {
+      invalidCount += 1;
+      findings.push({
+        level: "fail",
+        area: "agents",
+        message: `${displayPath} is not valid council-session JSON.`,
+        remediation: "Replace it with a valid JSON record matching .agent-kit/schemas/council-session.schema.json."
+      });
+    }
+  }
+  if (invalidCount === 0) {
+    findings.push({
+      level: "pass",
+      area: "agents",
+      message: `Structured council-session records match the runtime contract (${sessionFiles.length} checked).`
+    });
+  }
+}
+function addSchemaFindings(cwd, findings) {
+  for (const schemaFile of REQUIRED_SCHEMA_FILES) {
+    const schemaPath = join6(cwd, ".agent-kit", "schemas", schemaFile);
+    if (!existsSync6(schemaPath)) {
+      findings.push({
+        level: "warn",
+        area: "agents",
+        message: `.agent-kit/schemas/${schemaFile} is missing.`,
+        remediation: "Run agent-kit update to install the schema-backed council and roster contracts."
+      });
+      continue;
+    }
+    try {
+      const parsed = JSON.parse(readFileSync4(schemaPath, "utf8"));
+      if (!isRecord(parsed) || typeof parsed.$schema !== "string" || !isRecord(parsed.properties)) {
+        throw new Error("Schema file is missing JSON Schema metadata.");
+      }
+      findings.push({
+        level: "pass",
+        area: "agents",
+        message: `.agent-kit/schemas/${schemaFile} is present and parseable.`
+      });
+    } catch {
+      findings.push({
+        level: "fail",
+        area: "agents",
+        message: `.agent-kit/schemas/${schemaFile} is not valid JSON Schema.`,
+        remediation: "Restore the schema from the package or rerun agent-kit update."
+      });
+    }
+  }
+}
+function addAgentStudioFindings(cwd, findings) {
+  const contextPath = join6(cwd, CONTEXT_JSON);
+  if (!existsSync6(contextPath)) {
+    findings.push({
+      level: "warn",
+      area: "studio",
+      message: `${CONTEXT_JSON} is missing.`,
+      remediation: "Run agent-kit onboard or agent-kit init --guided so agents can start with project-specific context."
+    });
+  } else {
+    try {
+      const parsed = JSON.parse(readFileSync4(contextPath, "utf8"));
+      const result = ProjectContextContract.safeParse(parsed);
+      if (!result.success) {
+        findings.push({
+          level: "fail",
+          area: "studio",
+          message: `${CONTEXT_JSON} does not match the project-context contract.`,
+          remediation: `Fix project context before relying on guided agent behavior. First issue: ${formatContractIssues(result.error)[0]}`
+        });
+      } else {
+        const missingHighValue = [
+          ["product summary", result.data.productSummary],
+          ["primary audience", result.data.primaryAudience],
+          ["auth model", result.data.authModel],
+          ["tenant model", result.data.tenantModel]
+        ].filter(([, value]) => typeof value === "string" && !value.trim());
+        if (missingHighValue.length > 0 || result.data.primaryWorkflows.length === 0) {
+          findings.push({
+            level: "warn",
+            area: "studio",
+            message: `${CONTEXT_JSON} is valid but still missing high-value project context.`,
+            remediation: "Answer product summary, audience, workflows, auth/tenant model, UI direction, value proposition, and quality target before claiming context-aware setup."
+          });
+        } else {
+          findings.push({
+            level: "pass",
+            area: "studio",
+            message: "Project context is valid and contains high-value onboarding context."
+          });
+        }
+      }
+    } catch {
+      findings.push({
+        level: "fail",
+        area: "studio",
+        message: `${CONTEXT_JSON} is not valid JSON.`,
+        remediation: "Regenerate project context with agent-kit context init or fix the JSON syntax."
+      });
+    }
+  }
+  const contextMdPath = join6(cwd, CONTEXT_MD);
+  if (existsSync6(contextPath) && !existsSync6(contextMdPath)) {
+    findings.push({
+      level: "warn",
+      area: "studio",
+      message: `${CONTEXT_MD} is missing while project context JSON exists.`,
+      remediation: "Run agent-kit context render so humans can review the context agents will load."
+    });
+  }
+  for (const relativePath of [PROJECT_RULES_JSON, AGENT_RULES_JSON]) {
+    const path = join6(cwd, relativePath);
+    if (!existsSync6(path)) continue;
+    try {
+      const parsed = JSON.parse(readFileSync4(path, "utf8"));
+      const result = CorrectionRulesContract.safeParse(parsed);
+      if (!result.success) {
+        findings.push({
+          level: "fail",
+          area: "studio",
+          message: `${relativePath} does not match the correction-rules contract.`,
+          remediation: `Fix correction rules before relying on persistent human feedback. First issue: ${formatContractIssues(result.error)[0]}`
+        });
+      } else if (result.data.rules.some((rule) => rule.status === "active")) {
+        findings.push({
+          level: "pass",
+          area: "studio",
+          message: `${relativePath} contains valid active correction rules.`
+        });
+      }
+    } catch {
+      findings.push({
+        level: "fail",
+        area: "studio",
+        message: `${relativePath} is not valid JSON.`,
+        remediation: "Fix the JSON syntax or regenerate correction files with agent-kit correction commands."
+      });
+    }
+  }
+  const studioExportPath = join6(cwd, STUDIO_EXPORT_HTML);
+  if (existsSync6(studioExportPath)) {
+    const exportHtml = readFileSync4(studioExportPath, "utf8");
+    if (containsLikelySecret(exportHtml)) {
+      findings.push({
+        level: "fail",
+        area: "studio",
+        message: `${STUDIO_EXPORT_HTML} appears to contain a secret-like value.`,
+        remediation: "Regenerate the static studio export after redacting sensitive context, session, correction, and artifact data."
+      });
+    } else if (!exportHtml.includes("agent-studio-data") || !exportHtml.includes("Agent Studio")) {
+      findings.push({
+        level: "warn",
+        area: "studio",
+        message: `${STUDIO_EXPORT_HTML} does not look like a complete Agent Studio export.`,
+        remediation: "Regenerate it with agent-kit studio export."
+      });
+    } else {
+      findings.push({
+        level: "pass",
+        area: "studio",
+        message: `${STUDIO_EXPORT_HTML} is present and does not contain known secret patterns.`
+      });
+    }
+  }
+  const sessionsRoot = join6(cwd, COUNCIL_SESSION_DIR);
+  if (!existsSync6(sessionsRoot)) return;
+  const files = listFilesRecursive(sessionsRoot);
+  const studioSessionFiles = files.filter((file) => /[\\/]session\.json$/.test(file));
+  for (const sessionFile of studioSessionFiles) {
+    const normalizedSessionFile = sessionFile.replace(/\\/g, "/");
+    const sessionRelative = `${COUNCIL_SESSION_DIR}/${normalizedSessionFile}`;
+    const sessionDir2 = sessionFile.replace(/[\\/]session\.json$/, "");
+    const normalizedSessionDir = sessionDir2.replace(/\\/g, "/");
+    const eventsRelative = `${COUNCIL_SESSION_DIR}/${normalizedSessionDir}/events.jsonl`;
+    const indexRelative = `${COUNCIL_SESSION_DIR}/${normalizedSessionDir}/index.md`;
+    const transcriptRelative = `${COUNCIL_SESSION_DIR}/${normalizedSessionDir}/transcript.md`;
+    const sessionDirPath = join6(sessionsRoot, sessionDir2);
+    let sessionResult = null;
+    try {
+      sessionResult = StudioSessionContract.safeParse(JSON.parse(readFileSync4(join6(sessionDirPath, "session.json"), "utf8")));
+      if (!sessionResult.success) {
+        findings.push({
+          level: "fail",
+          area: "studio",
+          message: `${sessionRelative} does not match the studio-session contract.`,
+          remediation: `Fix session metadata. First issue: ${formatContractIssues(sessionResult.error)[0]}`
+        });
+        continue;
+      }
+    } catch {
+      findings.push({
+        level: "fail",
+        area: "studio",
+        message: `${sessionRelative} is not valid JSON.`,
+        remediation: "Fix session metadata JSON before relying on rendered session evidence."
+      });
+      continue;
+    }
+    const eventsPath2 = join6(sessionDirPath, "events.jsonl");
+    if (!existsSync6(eventsPath2)) {
+      findings.push({
+        level: "fail",
+        area: "studio",
+        message: `${eventsRelative} is missing.`,
+        remediation: "Record session events or remove the incomplete studio session folder."
+      });
+      continue;
+    }
+    const eventText = readFileSync4(eventsPath2, "utf8");
+    if (containsLikelySecret(eventText)) {
+      findings.push({
+        level: "fail",
+        area: "studio",
+        message: `${eventsRelative} appears to contain a secret-like value.`,
+        remediation: "Redact tokens, database URLs, env values, and private customer data from session logs."
+      });
+    }
+    const eventLines = eventText.split(/\r?\n/).filter((line) => line.trim().length > 0);
+    let validEvents = 0;
+    let verificationCount = 0;
+    for (const [index, line] of eventLines.entries()) {
+      try {
+        const result = SessionEventContract.safeParse(JSON.parse(line));
+        if (!result.success) {
+          findings.push({
+            level: "fail",
+            area: "studio",
+            message: `${eventsRelative} line ${index + 1} does not match the session-event contract.`,
+            remediation: `Fix the event row. First issue: ${formatContractIssues(result.error)[0]}`
+          });
+        } else {
+          validEvents += 1;
+          if (result.data.type === "verification_recorded") verificationCount += 1;
+        }
+      } catch {
+        findings.push({
+          level: "fail",
+          area: "studio",
+          message: `${eventsRelative} line ${index + 1} is not valid JSON.`,
+          remediation: "Fix malformed JSONL before rendering or auditing session history."
+        });
+      }
+    }
+    if (!existsSync6(join6(sessionDirPath, "index.md")) || !existsSync6(join6(sessionDirPath, "transcript.md"))) {
+      findings.push({
+        level: "warn",
+        area: "studio",
+        message: `${sessionDir2} has unrendered session Markdown.`,
+        remediation: "Run agent-kit session render so humans can inspect the current agent transcript and handoffs."
+      });
+    } else {
+      const indexText = readFileSync4(join6(sessionDirPath, "index.md"), "utf8");
+      const transcriptText = readFileSync4(join6(sessionDirPath, "transcript.md"), "utf8");
+      if (containsLikelySecret(indexText) || containsLikelySecret(transcriptText)) {
+        findings.push({
+          level: "fail",
+          area: "studio",
+          message: `${sessionDir2} rendered Markdown appears to contain a secret-like value.`,
+          remediation: "Regenerate Markdown after redacting sensitive values from the event log."
+        });
+      }
+      if (statSync(eventsPath2).mtimeMs > statSync(join6(sessionDirPath, "index.md")).mtimeMs) {
+        findings.push({
+          level: "warn",
+          area: "studio",
+          message: `${sessionDir2} has events newer than rendered Markdown.`,
+          remediation: "Run agent-kit session render after recording new events."
+        });
+      }
+    }
+    const session2 = sessionResult.data;
+    if (session2.status === "complete") {
+      const missingOutputs = session2.requiredOutputs.filter((output) => output.status === "missing" || output.status === "partial");
+      if (missingOutputs.length > 0 || verificationCount === 0) {
+        findings.push({
+          level: "fail",
+          area: "studio",
+          message: `${sessionRelative} is complete but lacks required outputs or verification evidence.`,
+          remediation: "Do not mark sessions complete until required outputs are complete or not-applicable and verification evidence is recorded."
+        });
+      }
+    }
+    if (validEvents > 0) {
+      findings.push({
+        level: "pass",
+        area: "studio",
+        message: `${sessionDir2} has ${validEvents} valid Agent Studio events.`
+      });
+    }
+  }
+}
+function addCouncilDocFindings(cwd, findings) {
+  const councilDoc = readDoc(cwd, "COUNCIL.md");
+  if (!councilDoc) return;
+  if (!includesAll(councilDoc, ["council session", "handoff", "decision", "risk", "evidence"])) {
+    findings.push({
+      level: "warn",
+      area: "agents",
+      message: "COUNCIL.md does not define a complete council-session handoff record.",
+      remediation: "Require workflow, decision, risk, next handoff, evidence, required outputs, and verification status in council sessions."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "agents",
+      message: "COUNCIL.md defines council-session handoff evidence."
+    });
+  }
+}
+function addAssistantAdapterFindings(cwd, findings) {
+  const adaptersDoc = readDoc(cwd, "ASSISTANT_ADAPTERS.md");
+  const adapterRoot = join6(cwd, ".agent-kit", "assistant-adapters");
+  if (!existsSync6(adapterRoot)) {
+    findings.push({
+      level: "warn",
+      area: "agents",
+      message: ".agent-kit/assistant-adapters is missing.",
+      remediation: "Run agent-kit update so tool-specific adapter templates are available for Codex, Copilot, Cursor, and Claude Code."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "agents",
+      message: ".agent-kit/assistant-adapters is installed."
+    });
+  }
+  if (!adaptersDoc) return;
+  if (!includesAll(adaptersDoc, ["AGENTS.md", "agent-roster.json", "copilot-instructions", ".cursor/rules", ".claude/agents", "source of truth"])) {
+    findings.push({
+      level: "warn",
+      area: "agents",
+      message: "ASSISTANT_ADAPTERS.md does not map the council roster to supported tool instruction surfaces.",
+      remediation: "Document Codex/AGENTS.md, GitHub Copilot, Cursor rules, Claude Code subagents, and the source-of-truth rule for avoiding divergent agent instructions."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "agents",
+      message: "ASSISTANT_ADAPTERS.md maps the council roster to tool-specific instruction surfaces."
+    });
+  }
+  if (!includesAll(adaptersDoc, ["model selection", "enforcement", "MODEL_ROUTING.md", "model-routing.json"])) {
+    findings.push({
+      level: "warn",
+      area: "models",
+      message: "ASSISTANT_ADAPTERS.md does not record model-selection and enforcement status for active tools.",
+      remediation: "Document which IDEs can enforce, partially apply, advise, or require manual model selection from MODEL_ROUTING.md."
+    });
+  }
+  if (/\bTBD\b/i.test(adaptersDoc)) {
+    findings.push({
+      level: "warn",
+      area: "models",
+      message: "ASSISTANT_ADAPTERS.md still has unverified tool-surface rows.",
+      remediation: "Replace TBD adapter rows with date, owner, evidence, model-selection status, and known limitations for each active IDE."
+    });
+  }
+}
+function addModelRoutingFindings(cwd, findings) {
+  const modelRoutingDoc = readDoc(cwd, "MODEL_ROUTING.md");
+  if (!modelRoutingDoc) {
+    findings.push({
+      level: "warn",
+      area: "models",
+      message: "MODEL_ROUTING.md is missing.",
+      remediation: "Run agent-kit update to install the model-routing guidance and document the active IDE model-selection setup."
+    });
+  } else if (!includesAll(modelRoutingDoc, ["model routing", "agent", "profile", "codex", "claude code", "cursor", "github copilot", "enforcement"])) {
+    findings.push({
+      level: "warn",
+      area: "models",
+      message: "MODEL_ROUTING.md does not explain agent profiles and IDE enforcement limits.",
+      remediation: "Restore model-routing guidance that maps agents to profiles and records Codex, Claude Code, Cursor, and GitHub Copilot setup status."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "models",
+      message: "MODEL_ROUTING.md documents agent model profiles and IDE enforcement limits."
+    });
+  }
+  const routingPath = join6(cwd, DEFAULT_MODEL_ROUTING_TARGET);
+  if (!existsSync6(routingPath)) {
+    findings.push({
+      level: "warn",
+      area: "models",
+      message: `${DEFAULT_MODEL_ROUTING_TARGET} is missing.`,
+      remediation: "Run agent-kit update to install the provider-neutral model-routing contract."
+    });
+    return;
+  }
+  let routing;
+  try {
+    routing = JSON.parse(readFileSync4(routingPath, "utf8"));
+  } catch {
+    findings.push({
+      level: "warn",
+      area: "models",
+      message: `${DEFAULT_MODEL_ROUTING_TARGET} is not valid JSON.`,
+      remediation: "Replace it with .agent-kit/model-routing/default-model-routing.json or rerun agent-kit update."
+    });
+    return;
+  }
+  const contractResult = ModelRoutingContract.safeParse(routing);
+  if (!contractResult.success) {
+    findings.push({
+      level: "warn",
+      area: "models",
+      message: `${DEFAULT_MODEL_ROUTING_TARGET} does not match the model-routing contract.`,
+      remediation: `Fix model-routing shape before relying on model recommendations. First issue: ${formatContractIssues(contractResult.error)[0]}`
+    });
+    return;
+  }
+  findings.push({
+    level: "pass",
+    area: "models",
+    message: "Model routing matches the schema-backed runtime contract."
+  });
+  const profileIds = new Set(contractResult.data.profiles.map((profile) => profile.id));
+  const missingAgents = REQUIRED_AGENT_IDS.filter((agentId) => !contractResult.data.agentRoutes.some((route) => route.agentId === agentId));
+  const danglingRoutes = contractResult.data.agentRoutes.filter(
+    (route) => !profileIds.has(route.profileId) || (route.escalationProfileId ? !profileIds.has(route.escalationProfileId) : false)
+  );
+  if (missingAgents.length > 0) {
+    findings.push({
+      level: "warn",
+      area: "models",
+      message: `Model routing is missing default agent routes: ${missingAgents.join(", ")}.`,
+      remediation: "Map every default council agent to a model profile so model selection does not collapse into one generic default."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "models",
+      message: "Model routing maps every default council agent to a profile."
+    });
+  }
+  if (danglingRoutes.length > 0) {
+    findings.push({
+      level: "warn",
+      area: "models",
+      message: "Model routing references profile ids that are not defined.",
+      remediation: "Ensure every profileId and escalationProfileId exists in model-routing profiles."
+    });
+  }
+}
+function addTemplateHashFindings(cwd, findings) {
+  const manifest = readManifest(cwd);
+  if (!manifest) return;
+  const overrides = readOverrides(cwd);
+  for (const doc of ROOT_DOCS) {
+    const targetPath = join6(cwd, doc);
+    if (!existsSync6(targetPath)) continue;
+    const currentTemplate = readTemplate(manifest.stack, doc);
+    if (!currentTemplate) continue;
+    const targetHash = sha256(readFileSync4(targetPath, "utf8"));
+    const currentTemplateHash = sha256(currentTemplate);
+    const installedTemplateHash = manifest.templateHashes?.[doc];
+    const override = overrides[doc];
+    if (!installedTemplateHash) {
+      findings.push({
+        level: "warn",
+        area: "templates",
+        message: `${doc} has no stored template hash in .agent-kit/manifest.json.`,
+        remediation: "Run agent-kit update to refresh manifest metadata and review any conflicts."
+      });
+      continue;
+    }
+    if (installedTemplateHash === currentTemplateHash && targetHash === currentTemplateHash) {
+      findings.push({
+        level: "pass",
+        area: "templates",
+        message: `${doc} matches the current bundled template.`
+      });
+      continue;
+    }
+    if (installedTemplateHash !== currentTemplateHash && targetHash === installedTemplateHash) {
+      findings.push({
+        level: "warn",
+        area: "templates",
+        message: `${doc} still matches an older installed template hash.`,
+        remediation: "Run agent-kit update and review the generated conflict file before adopting the new template."
+      });
+      continue;
+    }
+    if (targetHash === currentTemplateHash) {
+      findings.push({
+        level: "pass",
+        area: "templates",
+        message: `${doc} matches the current template even though manifest metadata is older.`
+      });
+      continue;
+    }
+    if (installedTemplateHash === currentTemplateHash) {
+      if (override) {
+        findings.push({
+          level: "pass",
+          area: "templates",
+          message: `${doc} has a documented local override.`,
+          remediation: override.reviewedAt ? `Last reviewed at ${override.reviewedAt}.` : "Add reviewedAt to the override after the next template review."
+        });
+        continue;
+      }
+      findings.push({
+        level: "warn",
+        area: "templates",
+        message: `${doc} is locally customized or was preserved from before agent-kit install.`,
+        remediation: "Compare the local file with .agent-kit/conflicts or agent-kit diff before adopting template changes."
+      });
+      continue;
+    }
+    if (override) {
+      findings.push({
+        level: "warn",
+        area: "templates",
+        message: `${doc} has a documented local override, but the bundled template changed since install.`,
+        remediation: "Review the override against the current conflict template and update reviewedAt when accepted."
+      });
+      continue;
+    }
+    findings.push({
+      level: "warn",
+      area: "templates",
+      message: `${doc} differs from both the installed template hash and current bundled template.`,
+      remediation: "Review local customizations with agent-kit diff before updating."
+    });
+  }
+}
+function readLikelyLandingFiles(cwd) {
+  const candidates = listFilesRecursive(cwd).filter((file) => {
+    const normalized = file.replace(/\\/g, "/");
+    return /(^|\/)(app|pages|src\/app|src\/pages)\/(page|index)\.(tsx|jsx)$/.test(normalized) || /(^|\/)components\/.*(hero|landing|marketing).*\.(tsx|jsx)$/i.test(normalized);
+  });
+  return candidates.slice(0, 20).map((file) => readDoc(cwd, file)).join("\n");
+}
+function addFrontendFindings(cwd, findings) {
+  const styleGuide = readDoc(cwd, "STYLE_GUIDE.md");
+  const designDoc = readDoc(cwd, "DESIGN.md");
+  if (!includesAny(styleGuide, ["generic AI", "gradient", "design token"])) {
+    findings.push({
+      level: "warn",
+      area: "frontend",
+      message: "STYLE_GUIDE.md does not contain anti-generic-AI-site design guidance.",
+      remediation: "Add rules for task-first screens, design tokens, real states, and non-generic visual direction."
+    });
+  }
+  if (!includesAll(styleGuide, ["design token", "color", "typography", "spacing", "radius"])) {
+    findings.push({
+      level: "warn",
+      area: "frontend",
+      message: "STYLE_GUIDE.md is missing a complete design-token inventory.",
+      remediation: "Document semantic color, typography, spacing, radius, motion, and depth decisions."
+    });
+  }
+  if (!includesAll(styleGuide, ["loading", "empty", "error", "disabled", "success", "mobile"])) {
+    findings.push({
+      level: "warn",
+      area: "frontend",
+      message: "STYLE_GUIDE.md is missing required component state coverage.",
+      remediation: "Require loading, empty, error, disabled, success, focus, and mobile states for interactive UI."
+    });
+  }
+  if (!includesAll(styleGuide, ["landing page", "working app", "task-first"])) {
+    findings.push({
+      level: "warn",
+      area: "frontend",
+      message: "STYLE_GUIDE.md does not explicitly prevent generic landing-page defaults.",
+      remediation: "State when landing pages are inappropriate and require the first screen to show the real product task."
+    });
+  }
+  if (!includesAll(designDoc, ["brand", "content", "user needs", "creative direction", "design tokens"])) {
+    findings.push({
+      level: "warn",
+      area: "frontend",
+      message: "DESIGN.md is missing brand, content, user-need, creative-direction, or token guidance.",
+      remediation: "Use the DESIGN.md template to capture product category, audience, content inventory, brand traits, creative directions, and token decisions."
+    });
+  }
+  if (!includesAll(designDoc, ["reference set", "anti-reference", "distinctiveness", "critique"])) {
+    findings.push({
+      level: "warn",
+      area: "frontend",
+      message: "DESIGN.md is missing reference-set, anti-reference, distinctiveness, or critique-gate guidance.",
+      remediation: "Add category references, anti-references, source-safety notes, distinctiveness criteria, and a design critique verdict before accepting frontend work as best-practice ready."
+    });
+  }
+  if (!includesAll(designDoc, ["distinctiveness benchmark", "first-screen proof", "content fingerprint", "asset provenance", "state proof", "visual QA proof"])) {
+    findings.push({
+      level: "warn",
+      area: "frontend",
+      message: "DESIGN.md is missing frontend distinctiveness benchmark evidence.",
+      remediation: "Add first-screen proof, content fingerprint, reference benchmark, creative divergence, asset provenance, state proof, visual QA proof, generic-risk, and source-safety fields before accepting significant frontend work."
+    });
+  }
+  if (!includesAll(designDoc, ["product quality scorecard", "user/task fit", "content specificity", "source safety", "total score"])) {
+    findings.push({
+      level: "warn",
+      area: "frontend",
+      message: "DESIGN.md is missing a frontend product-quality scorecard.",
+      remediation: "Add scorecard fields for user/task fit, content specificity, visual identity, information architecture, component states, accessibility and interaction, source safety, total score, and acceptance verdict."
+    });
+  }
+  if (!includesAll(styleGuide, ["DESIGN.md", "content-first", "creative direction"])) {
+    findings.push({
+      level: "warn",
+      area: "frontend",
+      message: "STYLE_GUIDE.md does not require content-first creative direction before frontend implementation.",
+      remediation: "Reference DESIGN.md, brand/content intake, and creative-direction selection before visual implementation starts."
+    });
+  }
+  const landingText = readLikelyLandingFiles(cwd);
+  if (landingText && includesAny(landingText, ["bg-gradient", "from-purple", "to-blue", "ai-powered", "supercharge", "revolutionize", "10x"])) {
+    findings.push({
+      level: "warn",
+      area: "frontend",
+      message: "Likely landing or hero files contain generic AI-site visual or copy patterns.",
+      remediation: "Review the first screen for domain-specific hierarchy, restrained tokens, real workflows, and useful states."
+    });
+  }
+}
+function addQualityGateFindings(cwd, findings) {
+  const qualityGates = readDoc(cwd, "QUALITY_GATES.md");
+  if (!qualityGates) return;
+  if (!includesAll(qualityGates, ["baseline", "strong", "best-practice", "evidence"])) {
+    findings.push({
+      level: "warn",
+      area: "quality",
+      message: "QUALITY_GATES.md does not define baseline, strong, best-practice, and evidence expectations.",
+      remediation: "Restore the maturity model so project quality is evaluated by evidence, not only by file presence."
+    });
+  }
+  if (!includesAll(qualityGates, [
+    "council",
+    "architecture",
+    "security",
+    "supabase",
+    "messaging",
+    "frontend",
+    "accessibility",
+    "testing",
+    "release",
+    "repo health"
+  ])) {
+    findings.push({
+      level: "warn",
+      area: "quality",
+      message: "QUALITY_GATES.md is missing one or more best-practice coverage areas.",
+      remediation: "Cover council routing, architecture, security, Supabase/RLS, frontend, accessibility, testing, release, and repo-health evidence."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "quality",
+      message: "QUALITY_GATES.md defines a multi-area best-practice maturity model."
+    });
+  }
+}
+function addUpgradeFindings(cwd, findings) {
+  const upgradeDoc = readDoc(cwd, "UPGRADE.md");
+  if (!upgradeDoc) return;
+  if (!includesAll(upgradeDoc, ["agent-kit diff", "agent-kit update", "audit --min-readiness", "rollback", "release notes"])) {
+    findings.push({
+      level: "warn",
+      area: "upgrade",
+      message: "UPGRADE.md does not define the full agent-kit diff, update, audit, release-notes, and rollback flow.",
+      remediation: "Document branch creation, agent-kit diff, agent-kit update, conflict review, audit readiness threshold, release notes, and rollback evidence."
+    });
+  } else if (!includesAll(upgradeDoc, ["next.js", "codemod", "supabase", "migration", "generated"])) {
+    findings.push({
+      level: "warn",
+      area: "upgrade",
+      message: "UPGRADE.md does not cover framework codemods, Supabase migrations, or generated type review.",
+      remediation: "Include Next.js upgrade/codemod review and Supabase migration history, RLS impact, rollback, and generated type checks."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "upgrade",
+      message: "UPGRADE.md defines a reviewable upgrade, migration, audit, and rollback lifecycle."
+    });
+  }
+}
+var STARTER_EVIDENCE_PATTERNS = [
+  /\bTBD\b/i,
+  /replace with real/i,
+  /example_table/i,
+  /describe the product/i,
+  /document required/i,
+  /pass\/fail\/skipped/i
+];
+var EVIDENCE_DOCS = [
+  "COUNCIL.md",
+  "SPEC.md",
+  "DESIGN.md",
+  "MESSAGING.md",
+  "SECURITY.md",
+  "TESTING.md",
+  "DEPLOYMENT.md",
+  "ASSISTANT_ADAPTERS.md",
+  "MODEL_ROUTING.md",
+  "UPGRADE.md"
+];
+function addProjectEvidenceFindings(cwd, findings) {
+  const placeholderDocs = EVIDENCE_DOCS.filter((doc) => {
+    const text = readDoc(cwd, doc);
+    return text && STARTER_EVIDENCE_PATTERNS.some((pattern) => pattern.test(text));
+  });
+  if (placeholderDocs.length > 0) {
+    findings.push({
+      level: "warn",
+      area: "evidence",
+      message: `Project evidence docs still contain starter placeholders: ${placeholderDocs.join(", ")}.`,
+      remediation: "Replace TBD/example rows with real project evidence, or document why an item is not applicable before claiming strong or best-practice maturity."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "evidence",
+      message: "Project evidence docs do not contain starter placeholders."
+    });
+  }
+}
+function addMessagingFindings(cwd, findings) {
+  const messagingDoc = readDoc(cwd, "MESSAGING.md");
+  if (!messagingDoc) return;
+  if (!includesAll(messagingDoc, ["discovery questions", "audience", "pain", "outcome", "differentiator", "proof", "objections", "voice", "conversion"])) {
+    findings.push({
+      level: "warn",
+      area: "messaging",
+      message: "MESSAGING.md does not capture the required discovery questions and value-proposition inputs.",
+      remediation: "Document audience, pain, outcome, differentiator, proof, objections, voice, conversion goal, and unanswered discovery questions before accepting final copy."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "messaging",
+      message: "MESSAGING.md captures question-led positioning and value-proposition inputs."
+    });
+  }
+  if (!includesAll(messagingDoc, ["claim", "proof required", "current proof", "objection", "cta"])) {
+    findings.push({
+      level: "warn",
+      area: "messaging",
+      message: "MESSAGING.md does not connect claims, proof, objections, and CTA hierarchy.",
+      remediation: "Track claims against proof, objection handling, primary CTA, secondary CTA, and risky claims before release."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "messaging",
+      message: "MESSAGING.md connects claims, proof, objections, and CTA hierarchy."
+    });
+  }
+}
+function auditProject(cwd) {
+  const findings = [];
+  const manifest = readManifest(cwd);
+  if (!manifest) {
+    findings.push({
+      level: "fail",
+      area: "install",
+      message: "Project has no .agent-kit/manifest.json.",
+      remediation: "Run agent-kit init --stack next-supabase."
+    });
+  } else {
+    findings.push({
+      level: "pass",
+      area: "install",
+      message: `Agent kit installed at version ${manifest.packageVersion}.`
+    });
+  }
+  addTemplateHashFindings(cwd, findings);
+  addAgentRosterFindings(cwd, findings);
+  addSchemaFindings(cwd, findings);
+  addCouncilSessionRecordFindings(cwd, findings);
+  addAgentStudioFindings(cwd, findings);
+  for (const doc of ROOT_DOCS) {
+    if (existsSync6(join6(cwd, doc))) {
+      findings.push({ level: "pass", area: "docs", message: `${doc} exists.` });
+    } else {
+      findings.push({
+        level: doc === "MODEL_ROUTING.md" ? "warn" : "fail",
+        area: "docs",
+        message: `${doc} is missing.`,
+        remediation: `Run agent-kit init or restore ${doc} from the next-supabase template.`
+      });
+    }
+  }
+  addCouncilDocFindings(cwd, findings);
+  addAssistantAdapterFindings(cwd, findings);
+  addModelRoutingFindings(cwd, findings);
+  addMessagingFindings(cwd, findings);
+  addQualityGateFindings(cwd, findings);
+  addUpgradeFindings(cwd, findings);
+  addProjectEvidenceFindings(cwd, findings);
+  const security = readDoc(cwd, "SECURITY.md");
+  if (!includesAny(security, ["OWASP", "Top 10"])) {
+    findings.push({
+      level: "fail",
+      area: "security",
+      message: "SECURITY.md does not explicitly reference OWASP Top 10 review.",
+      remediation: "Add OWASP Top 10 coverage to the security checklist."
+    });
+  }
+  if (!includesAny(security, ["RLS", "row level security"])) {
+    findings.push({
+      level: "fail",
+      area: "security",
+      message: "SECURITY.md does not explicitly cover Supabase RLS.",
+      remediation: "Require authorization to be enforced in Postgres RLS, not only in the UI."
+    });
+  }
+  if (!includesAny(security, ["service-role", "service role"])) {
+    findings.push({
+      level: "warn",
+      area: "security",
+      message: "SECURITY.md does not mention service-role key isolation.",
+      remediation: "Document that service-role keys are server-only and never exposed to client bundles."
+    });
+  }
+  addFrontendFindings(cwd, findings);
+  const testing = readDoc(cwd, "TESTING.md");
+  if (!includesAny(testing, ["Playwright", "smoke"])) {
+    findings.push({
+      level: "warn",
+      area: "testing",
+      message: "TESTING.md does not require Playwright or smoke coverage.",
+      remediation: "Define critical-path Playwright smoke tests for auth and primary workflows."
+    });
+  }
+  if (!includesAny(testing, ["visual regression", "visual QA", "screenshot evidence", "toHaveScreenshot", "Storybook", "Chromatic", "Argos"])) {
+    findings.push({
+      level: "warn",
+      area: "testing",
+      message: "TESTING.md does not define visual QA or visual-regression evidence.",
+      remediation: "Document the visual QA tier: screenshot review, Playwright screenshots, Storybook visual tests, or a visual-regression service for important UI changes."
+    });
+  }
+  return findings;
+}
+function createReadiness(findings, summary) {
+  const nextActions = findings.filter((finding) => finding.level === "fail" || finding.level === "warn").map((finding) => finding.remediation ?? finding.message).filter((value, index, values) => values.indexOf(value) === index).slice(0, 5);
+  if (summary.fail > 0) {
+    return {
+      level: "needs-setup",
+      summary: "Required setup or contract checks are failing.",
+      nextActions
+    };
+  }
+  if (findings.some((finding) => finding.level === "warn" && finding.area === "evidence")) {
+    return {
+      level: "baseline-setup",
+      summary: "Agent kit setup is valid, but project-specific evidence still needs to replace starter placeholders.",
+      nextActions
+    };
+  }
+  if (summary.warn > 0) {
+    return {
+      level: "needs-improvement",
+      summary: "No blocking failures, but warnings remain before this can be treated as best-practice ready.",
+      nextActions
+    };
+  }
+  return {
+    level: "best-practice-candidate",
+    summary: "Static audit found no setup, evidence, security, frontend, testing, or council warnings.",
+    nextActions
+  };
+}
+function createAuditReport(cwd) {
+  const findings = auditProject(cwd);
+  const summary = { pass: 0, warn: 0, fail: 0 };
+  for (const finding of findings) summary[finding.level] += 1;
+  return { summary, readiness: createReadiness(findings, summary), findings };
+}
+
+// src/install/diff.ts
+import { existsSync as existsSync7, readFileSync as readFileSync5 } from "fs";
+import { join as join7 } from "path";
+function statusForTextFile(target, template) {
+  if (!existsSync7(target)) return "missing";
+  const targetHash = sha256(readFileSync5(target, "utf8"));
+  const templateHash = sha256(readFileSync5(template, "utf8"));
+  return targetHash === templateHash ? "unchanged" : "changed";
+}
+function diffProject(cwd, stack = "next-supabase") {
+  const packageRoot = findPackageRoot();
+  const templateRoot = join7(packageRoot, "templates", stack);
+  const libraryFolders = {
+    missing: [],
+    present: [],
+    willRefresh: [...LIBRARY_FOLDERS]
+  };
+  const result = {
+    missing: [],
+    unchanged: [],
+    changed: [],
+    agentRoster: "missing",
+    modelRouting: "missing",
+    libraryFolders,
+    preview: {
+      wouldCreate: [],
+      wouldWriteConflicts: [],
+      wouldRefreshLibraryFolders: [...LIBRARY_FOLDERS],
+      wouldCreateAgentRoster: false,
+      wouldWriteAgentRosterConflict: false,
+      wouldCreateModelRouting: false,
+      wouldWriteModelRoutingConflict: false
+    }
+  };
+  for (const doc of ROOT_DOCS) {
+    const target = join7(cwd, doc);
+    const template = join7(templateRoot, doc);
+    const status = statusForTextFile(target, template);
+    if (status === "missing") {
+      result.missing.push(doc);
+      result.preview.wouldCreate.push(doc);
+      continue;
+    }
+    if (status === "unchanged") result.unchanged.push(doc);
+    else {
+      result.changed.push(doc);
+      result.preview.wouldWriteConflicts.push(doc);
+    }
+  }
+  result.agentRoster = statusForTextFile(join7(cwd, DEFAULT_AGENT_ROSTER_TARGET), join7(packageRoot, DEFAULT_AGENT_ROSTER_SOURCE));
+  if (result.agentRoster === "missing") {
+    result.preview.wouldCreate.push(DEFAULT_AGENT_ROSTER_TARGET);
+    result.preview.wouldCreateAgentRoster = true;
+  }
+  if (result.agentRoster === "changed") {
+    result.preview.wouldWriteConflicts.push(DEFAULT_AGENT_ROSTER_TARGET);
+    result.preview.wouldWriteAgentRosterConflict = true;
+  }
+  result.modelRouting = statusForTextFile(join7(cwd, DEFAULT_MODEL_ROUTING_TARGET), join7(packageRoot, DEFAULT_MODEL_ROUTING_SOURCE));
+  if (result.modelRouting === "missing") {
+    result.preview.wouldCreate.push(DEFAULT_MODEL_ROUTING_TARGET);
+    result.preview.wouldCreateModelRouting = true;
+  }
+  if (result.modelRouting === "changed") {
+    result.preview.wouldWriteConflicts.push(DEFAULT_MODEL_ROUTING_TARGET);
+    result.preview.wouldWriteModelRoutingConflict = true;
+  }
+  for (const folder of LIBRARY_FOLDERS) {
+    const target = join7(cwd, ".agent-kit", folder);
+    if (existsSync7(target)) libraryFolders.present.push(folder);
+    else libraryFolders.missing.push(folder);
+  }
+  return result;
+}
+
+// src/research/discover.ts
+import { Octokit } from "@octokit/rest";
+import { readFileSync as readFileSync6 } from "fs";
+import { join as join8 } from "path";
+
+// src/research/config.ts
+import { z as z2 } from "zod";
+var researchCategorySchema = z2.object({
+  name: z2.string().min(1),
+  queries: z2.array(z2.string().min(1)).min(1),
+  targetCount: z2.number().int().positive()
+});
+var researchSeedRepoSchema = z2.object({
+  fullName: z2.string().regex(/^[^/\s]+\/[^/\s]+$/),
+  category: z2.string().min(1)
+});
+var researchConfigSchema = z2.object({
+  maxRepos: z2.number().int().positive().default(100),
+  minStars: z2.number().int().nonnegative().default(100),
+  activeSince: z2.string().default("2024-12-01"),
+  excludeRepos: z2.array(z2.string().regex(/^[^/\s]+\/[^/\s]+$/)).default([]),
+  categories: z2.array(researchCategorySchema).min(1),
+  seedRepos: z2.array(researchSeedRepoSchema).default([])
+});
+
+// src/research/discover.ts
+async function discoverRepos(options) {
+  const packageRoot = findPackageRoot();
+  const configPath = join8(packageRoot, "research", "scan-config.json");
+  const config = researchConfigSchema.parse(JSON.parse(readFileSync6(configPath, "utf8")));
+  const token = options.token ?? process.env.GITHUB_TOKEN;
+  if (!token) {
+    throw new Error("GITHUB_TOKEN is required for GitHub API research discovery.");
+  }
+  const octokit = new Octokit({ auth: token });
+  const deduped = /* @__PURE__ */ new Map();
+  const maxRepos = options.limit ?? config.maxRepos;
+  const excludedRepos = new Set(config.excludeRepos.map((repo) => repo.toLowerCase()));
+  for (const category of config.categories) {
+    let categoryCount = 0;
+    for (const query of category.queries) {
+      if (deduped.size >= maxRepos || categoryCount >= category.targetCount) break;
+      const response = await octokit.search.repos({
+        q: `${query} archived:false pushed:>=${config.activeSince} stars:>=${config.minStars}`,
+        sort: "stars",
+        order: "desc",
+        per_page: 100
+      });
+      for (const repo of response.data.items) {
+        if (deduped.size >= maxRepos || categoryCount >= category.targetCount) break;
+        if (deduped.has(repo.full_name)) continue;
+        if (excludedRepos.has(repo.full_name.toLowerCase())) continue;
+        deduped.set(repo.full_name, {
+          fullName: repo.full_name,
+          htmlUrl: repo.html_url,
+          description: repo.description ?? "",
+          stars: repo.stargazers_count,
+          pushedAt: repo.pushed_at ?? "",
+          language: repo.language,
+          topics: repo.topics ?? [],
+          category: category.name
+        });
+        categoryCount += 1;
+      }
+    }
+  }
+  for (const seed of config.seedRepos) {
+    if (deduped.size >= maxRepos) break;
+    if (deduped.has(seed.fullName)) continue;
+    if (excludedRepos.has(seed.fullName.toLowerCase())) continue;
+    const [owner, repo] = seed.fullName.split("/");
+    if (!owner || !repo) continue;
+    try {
+      const response = await octokit.repos.get({ owner, repo });
+      deduped.set(response.data.full_name, {
+        fullName: response.data.full_name,
+        htmlUrl: response.data.html_url,
+        description: response.data.description ?? "",
+        stars: response.data.stargazers_count,
+        pushedAt: response.data.pushed_at ?? "",
+        language: response.data.language,
+        topics: response.data.topics ?? [],
+        category: seed.category
+      });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.warn(`Skipping seed repo ${seed.fullName}: ${message}`);
+    }
+  }
+  const candidates = [...deduped.values()].slice(0, maxRepos);
+  const output = options.output ?? join8(options.cwd, "research", "repo-candidates.json");
+  writeText(output, `${JSON.stringify(candidates, null, 2)}
+`);
+  return candidates;
+}
+
+// src/research/scan.ts
+import { existsSync as existsSync10, mkdirSync as mkdirSync2, readFileSync as readFileSync8, rmSync } from "fs";
+import { join as join10 } from "path";
+import { simpleGit } from "simple-git";
+
+// src/research/analyze.ts
+import { existsSync as existsSync9, readFileSync as readFileSync7 } from "fs";
+import { join as join9 } from "path";
+function normalizeRelativePath(file) {
+  return file.replace(/\\/g, "/");
+}
+function hasFile(files, matcher) {
+  return files.some((file) => matcher.test(normalizeRelativePath(file)));
+}
+function fileText(root, file) {
+  const path = join9(root, file);
+  return existsSync9(path) ? readFileSync7(path, "utf8") : "";
+}
+function textIncludes(root, files, matcher, terms) {
+  const lowerTerms = terms.map((term) => term.toLowerCase());
+  return files.filter((file) => matcher.test(normalizeRelativePath(file))).some((file) => {
+    const text = fileText(root, file).toLowerCase();
+    return lowerTerms.some((term) => text.includes(term));
+  });
+}
+function bounded(value) {
+  return Math.max(0, Math.min(5, value));
+}
+function analyzeRepository(candidate, repoRoot) {
+  const files = listFilesRecursive(repoRoot);
+  const score = {
+    architecture: bounded(
+      Number(hasFile(files, /^app\//)) + Number(hasFile(files, /^components\//)) + Number(hasFile(files, /^lib\//)) + Number(hasFile(files, /^server\//)) + Number(hasFile(files, /^packages\//))
+    ),
+    supabaseAuthRls: bounded(
+      Number(hasFile(files, /^supabase\/migrations\//)) * 2 + Number(textIncludes(repoRoot, files, /\.(sql|md|ts|tsx)$/, ["row level security", "policy", "rls"])) + Number(textIncludes(repoRoot, files, /\.(ts|tsx)$/, ["createServerClient", "supabase-js"])) + Number(textIncludes(repoRoot, files, /\.(ts|tsx)$/, ["service_role", "service-role"]))
+    ),
+    security: bounded(
+      Number(hasFile(files, /(^|\/)SECURITY\.md$/)) + Number(textIncludes(repoRoot, files, /\.(md|yml|yaml|ts|tsx)$/, ["OWASP", "CodeQL", "rate limit"])) + Number(hasFile(files, /^\.github\/workflows\//)) + Number(textIncludes(repoRoot, files, /\.(ts|tsx)$/, ["zod", "safeParse"])) + Number(textIncludes(repoRoot, files, /\.(md|ts|tsx)$/, ["csrf", "ssrf", "idor"]))
+    ),
+    frontendDesign: bounded(
+      Number(hasFile(files, /^components\//)) + Number(textIncludes(repoRoot, files, /\.(css|ts|tsx|json)$/, ["tokens", "theme", "tailwind", "radix"])) + Number(textIncludes(repoRoot, files, /\.(tsx|md|mdx)$/, ["empty state", "loading", "error state"])) + Number(hasFile(files, /(^|\/)(DESIGN|STYLE_GUIDE)\.md$/)) + Number(textIncludes(repoRoot, files, /\.(md|mdx)$/, ["creative direction", "content inventory", "user needs"])) + Number(textIncludes(repoRoot, files, /\.(md|mdx)$/, ["reference set", "anti-reference", "design critique", "distinctiveness"])) + Number(textIncludes(repoRoot, files, /\.(md|mdx)$/, ["product quality scorecard", "user/task fit", "content specificity", "source safety"])) + Number(textIncludes(repoRoot, files, /\.(tsx|css)$/, ["aria-", "focus-visible"]))
+    ),
+    accessibility: bounded(
+      Number(textIncludes(repoRoot, files, /\.(tsx|md)$/, ["aria-", "keyboard", "focus-visible"])) + Number(textIncludes(repoRoot, files, /\.(tsx|md)$/, ["WCAG", "accessibility", "a11y"])) + Number(textIncludes(repoRoot, files, /\.(json|js|ts)$/, ["axe", "eslint-plugin-jsx-a11y"]))
+    ),
+    testing: bounded(
+      Number(hasFile(files, /(vitest|jest)\.config\.(js|ts|mjs)$/)) + Number(hasFile(files, /playwright\.config\.(js|ts|mjs)$/)) * 2 + Number(hasFile(files, /(^|\/)(tests|__tests__|e2e)\//)) + Number(hasFile(files, /^\.storybook\//)) + Number(textIncludes(repoRoot, files, /\.(ts|tsx|js|jsx|md|mdx|json|yml|yaml)$/, ["toHaveScreenshot", "visual regression", "chromatic", "argos", "loki", "test-storybook"])) + Number(textIncludes(repoRoot, files, /package\.json$/, ["test"]))
+    ),
+    documentation: bounded(
+      Number(hasFile(files, /(^|\/)README\.md$/)) + Number(hasFile(files, /(^|\/)CONTRIBUTING\.md$/)) + Number(hasFile(files, /(^|\/)CHANGELOG\.md$/)) + Number(hasFile(files, /(^|\/)(CODE_OF_CONDUCT|SUPPORT|GOVERNANCE)\.md$/)) + Number(hasFile(files, /^docs\//)) + Number(textIncludes(repoRoot, files, /\.(md|mdx)$/, ["architecture", "decision", "deployment"]))
+    ),
+    ciDeployment: bounded(
+      Number(hasFile(files, /^\.github\/workflows\//)) * 2 + Number(hasFile(files, /vercel\.json$/)) + Number(textIncludes(repoRoot, files, /\.(yml|yaml|json|md)$/, ["deployment", "preview", "production"]))
+    ),
+    repoHealth: bounded(
+      Number(hasFile(files, /^\.github\/ISSUE_TEMPLATE\//)) + Number(hasFile(files, /(^|\/)pull_request_template\.md$/i)) + Number(hasFile(files, /^\.github\/CODEOWNERS$/)) + Number(hasFile(files, /^\.github\/(dependabot|labels|labeler)\.ya?ml$/)) + Number(hasFile(files, /^\.github\/workflows\/.*(codeql|labeler).*\.ya?ml$/)) + Number(hasFile(files, /(^|\/)(CODE_OF_CONDUCT|SUPPORT|GOVERNANCE|REPOSITORY_SETTINGS)\.md$/)) + Number(textIncludes(repoRoot, files, /\.(md|yml|yaml)$/, ["branch protection", "private vulnerability reporting", "required status checks"]))
+    ),
+    supplyChain: bounded(
+      Number(hasFile(files, /^\.github\/workflows\/.*dependency.*review.*\.ya?ml$/)) + Number(hasFile(files, /^\.github\/workflows\/.*scorecard.*\.ya?ml$/)) + Number(textIncludes(repoRoot, files, /^\.github\/workflows\/.*\.ya?ml$/, ["id-token: write", "npm publish", "trusted publishing", "provenance"])) + Number(textIncludes(repoRoot, files, /^\.github\/workflows\/.*\.ya?ml$/, ["dependency-review-action", "scorecard-action", "npm audit"])) + Number(hasFile(files, /(^|\/)SUPPLY_CHAIN\.md$/)) + Number(textIncludes(repoRoot, files, /\.(md|yml|yaml|json)$/, ["provenance", "OIDC", "trusted publishing", "OpenSSF"]))
+    ),
+    agentReadiness: bounded(
+      Number(hasFile(files, /(^|\/)AGENTS\.md$/)) * 2 + Number(hasFile(files, /(^|\/)\.cursor\//)) + Number(hasFile(files, /(^|\/)CLAUDE\.md$/)) + Number(hasFile(files, /(^|\/)schemas\//)) + Number(textIncludes(repoRoot, files, /\.(md|mdx|json|ts|tsx)$/, ["agent", "prompt", "skill", "handoff", "trace", "guardrail", "agent-roster"]))
+    )
+  };
+  const selectedFiles = files.filter(
+    (file) => /(^|\/)(README|SECURITY|CONTRIBUTING|CHANGELOG|CODE_OF_CONDUCT|SUPPORT|GOVERNANCE|REPOSITORY_SETTINGS|SUPPLY_CHAIN|AGENTS|CLAUDE|DESIGN|STYLE_GUIDE|TESTING|DEPLOYMENT)\.md$/.test(file) || /(^|\/)COUNCIL\.md$/.test(file) || /^\.github\/workflows\//.test(file) || /^\.github\/ISSUE_TEMPLATE\//.test(file) || /^\.github\/CODEOWNERS$/.test(file) || /^\.github\/(dependabot|labels|labeler)\.ya?ml$/.test(file) || /(^|\/)pull_request_template\.md$/i.test(file) || /^\.storybook\//.test(file) || /^schemas\//.test(file) || /^supabase\/migrations\//.test(file) || /package\.json$/.test(file) || /playwright\.config\.(js|ts|mjs)$/.test(file) || /(chromatic|argos|loki)\.(config\.)?(json|js|ts|mjs|yml|yaml)$/.test(file)
+  ).slice(0, 30);
+  const strongPractices = [];
+  if (score.security >= 4) strongPractices.push("Security posture is explicit through docs, validation, CI, or review tooling.");
+  if (score.supabaseAuthRls >= 4) strongPractices.push("Supabase authorization appears to be handled close to the data boundary.");
+  if (score.testing >= 4) strongPractices.push("Test setup includes meaningful automated, browser-level, component-state, or visual-regression coverage.");
+  if (score.frontendDesign >= 4)
+    strongPractices.push("Frontend implementation shows reusable components, states, design-system, content-first direction, or reference-led critique signals.");
+  if (score.documentation >= 4) strongPractices.push("Documentation is strong enough for external contributors or agents to onboard.");
+  if (score.repoHealth >= 4) strongPractices.push("Repository health is supported by issue/PR templates, labels, dependency automation, code scanning, ownership, branch protection guidance, or support docs.");
+  if (score.supplyChain >= 4) strongPractices.push("Supply-chain posture includes provenance, dependency review, Scorecard, OIDC publishing, or release integrity signals.");
+  const weakPractices = [];
+  if (score.security < 3) weakPractices.push("Security expectations are implicit or incomplete.");
+  if (score.supabaseAuthRls < 3) weakPractices.push("Supabase RLS/Auth practices are not clearly discoverable.");
+  if (score.accessibility < 3) weakPractices.push("Accessibility signals are weak or absent.");
+  if (score.repoHealth < 3) weakPractices.push("Public repository health files, labels, branch protection guidance, contribution workflow, dependency automation, or code scanning are weak.");
+  if (score.supplyChain < 3) weakPractices.push("Supply-chain provenance, dependency review, Scorecard, or release-integrity signals are weak.");
+  if (score.agentReadiness < 3) weakPractices.push("Agent handoff, tracing, guardrail, schema, or AI-workflow instructions are not mature.");
+  const patternsToAdopt = [
+    "Prefer explicit docs and checklists over tribal conventions.",
+    "Promote authorization and validation rules into reusable review gates.",
+    "Separate frontend design quality from generic implementation review.",
+    "Treat brand, content, and creative-direction evidence as frontend quality inputs, not optional polish.",
+    "Use references and anti-references as critique inputs, not as source designs to copy.",
+    "Use repeatable frontend product-quality scoring for user task, content specificity, visual identity, IA, states, accessibility, and source safety.",
+    "Treat component-state screenshots and visual-regression evidence as acceptance artifacts for high-risk UI changes.",
+    "Promote agent handoff practices into schema-backed records and auditable evidence instead of prose-only instructions.",
+    "Treat public repository health files, issue/PR templates, labels, branch protection guidance, dependency automation, and code scanning as release-readiness assets.",
+    "Treat package provenance, dependency review, Scorecard, and release workflow controls as package trust requirements."
+  ];
+  const impactOnKit = [
+    "Use score deltas to decide which templates and skills need stronger language.",
+    "Add repeated high-confidence patterns to checklists, not one-off project quirks."
+  ];
+  return {
+    candidate,
+    score,
+    selectedFiles,
+    strongPractices,
+    weakPractices,
+    patternsToAdopt,
+    impactOnKit
+  };
+}
+
+// src/research/scan.ts
+function findingToMarkdown(finding) {
+  const total = Object.values(finding.score).reduce((sum, value) => sum + value, 0);
+  const maxScore = Object.keys(finding.score).length * 5;
+  return `# Repo Finding: ${finding.candidate.fullName}
+
+## Why It Was Selected
+- Category: ${finding.candidate.category}
+- Stars: ${finding.candidate.stars}
+- Last pushed: ${finding.candidate.pushedAt}
+- Language: ${finding.candidate.language ?? "unknown"}
+- URL: ${finding.candidate.htmlUrl}
+- Score: ${total}/${maxScore}
+
+## Score
+\`\`\`json
+${JSON.stringify(finding.score, null, 2)}
+\`\`\`
+
+## Strong Practices
+${finding.strongPractices.map((item) => `- ${item}`).join("\n") || "- None detected by static scan."}
+
+## Weaknesses / Not Worth Copying Blindly
+${finding.weakPractices.map((item) => `- ${item}`).join("\n") || "- None detected by static scan."}
+
+## Files Worth Studying
+${finding.selectedFiles.map((item) => `- \`${item}\``).join("\n") || "- No high-signal files detected."}
+
+## Patterns To Adopt
+${finding.patternsToAdopt.map((item) => `- ${item}`).join("\n")}
+
+## Impact On Agent Kit
+${finding.impactOnKit.map((item) => `- ${item}`).join("\n")}
+`;
+}
+async function scanRepos(options) {
+  const candidatesPath = options.candidatesPath ?? join10(options.cwd, "research", "repo-candidates.json");
+  if (!existsSync10(candidatesPath)) {
+    throw new Error(`Candidates file not found: ${candidatesPath}`);
+  }
+  const candidates = JSON.parse(readFileSync8(candidatesPath, "utf8"));
+  const workdir = options.workdir ?? join10(options.cwd, "research", "workdir");
+  mkdirSync2(workdir, { recursive: true });
+  mkdirSync2(join10(options.cwd, "research", "findings"), { recursive: true });
+  const findings = [];
+  const git = simpleGit();
+  for (const candidate of candidates) {
+    const repoSlug = candidate.fullName.replace("/", "__");
+    const repoPath = join10(workdir, repoSlug);
+    if (existsSync10(repoPath)) rmSync(repoPath, { recursive: true, force: true });
+    await git.raw(["clone", "--depth", "1", candidate.htmlUrl, repoPath]);
+    const finding = analyzeRepository(candidate, repoPath);
+    findings.push(finding);
+    writeText(join10(options.cwd, "research", "findings", `${repoSlug}.md`), findingToMarkdown(finding));
+    if (!options.keepClones) {
+      rmSync(repoPath, { recursive: true, force: true });
+    }
+  }
+  return findings;
+}
+
+// src/research/summarize.ts
+import { existsSync as existsSync11, readFileSync as readFileSync9, readdirSync as readdirSync2 } from "fs";
+import { join as join11 } from "path";
+var SUMMARY_TARGETS = {
+  "nextjs-patterns": {
+    title: "Next.js Patterns",
+    scoreKeys: ["architecture", "ciDeployment", "documentation"],
+    categories: ["official-nextjs", "production-saas"]
+  },
+  "supabase-rls-patterns": {
+    title: "Supabase RLS Patterns",
+    scoreKeys: ["supabaseAuthRls"],
+    categories: ["supabase-nextjs"]
+  },
+  "security-patterns": {
+    title: "Security Patterns",
+    scoreKeys: ["security"],
+    categories: ["security-quality", "supabase-nextjs", "production-saas"]
+  },
+  "frontend-design-patterns": {
+    title: "Frontend Design Patterns",
+    scoreKeys: ["frontendDesign", "accessibility"],
+    categories: ["design-systems", "production-saas"]
+  },
+  "testing-patterns": {
+    title: "Testing Patterns",
+    scoreKeys: ["testing"],
+    categories: ["testing-docs-agents", "official-nextjs", "production-saas"]
+  },
+  "docs-and-agent-patterns": {
+    title: "Docs And Agent Patterns",
+    scoreKeys: ["documentation", "agentReadiness"],
+    categories: ["testing-docs-agents", "official-nextjs"]
+  },
+  "repo-health-patterns": {
+    title: "Repo Health Patterns",
+    scoreKeys: ["repoHealth", "documentation", "ciDeployment", "security"],
+    categories: ["repo-health-maintainers", "testing-docs-agents", "security-quality", "production-saas"]
+  },
+  "supply-chain-patterns": {
+    title: "Supply Chain Patterns",
+    scoreKeys: ["supplyChain", "security", "ciDeployment", "repoHealth"],
+    categories: ["supply-chain-security", "repo-health-maintainers", "security-quality"]
+  }
+};
+var SCORE_KEYS = [
+  "architecture",
+  "supabaseAuthRls",
+  "security",
+  "frontendDesign",
+  "accessibility",
+  "testing",
+  "documentation",
+  "ciDeployment",
+  "repoHealth",
+  "supplyChain",
+  "agentReadiness"
+];
+function sectionBullets(text, start, end) {
+  const startIndex = text.indexOf(start);
+  if (startIndex === -1) return [];
+  const afterStart = text.slice(startIndex + start.length);
+  const endIndex = afterStart.indexOf(end);
+  const section = endIndex === -1 ? afterStart : afterStart.slice(0, endIndex);
+  return section.split("\n").map((line) => line.trim()).filter((line) => line.startsWith("- ") && !line.includes("None detected")).map((line) => line.slice(2));
+}
+function parseFinding(file, text) {
+  const fullName = text.match(/^# Repo Finding: (.+)$/m)?.[1];
+  const category = text.match(/^- Category: (.+)$/m)?.[1];
+  const stars = Number.parseInt(text.match(/^- Stars: (\d+)$/m)?.[1] ?? "0", 10);
+  const scoreJson = text.match(/## Score\n```json\n([\s\S]*?)\n```/)?.[1];
+  if (!fullName || !category || !scoreJson) return null;
+  const parsedScore = JSON.parse(scoreJson);
+  const score = Object.fromEntries(SCORE_KEYS.map((key) => [key, parsedScore[key] ?? 0]));
+  const totalScore = Object.values(score).reduce((sum, value) => sum + value, 0);
+  return {
+    file,
+    fullName,
+    category,
+    stars,
+    score,
+    totalScore,
+    strongPractices: sectionBullets(text, "## Strong Practices", "## Weaknesses / Not Worth Copying Blindly"),
+    weakPractices: sectionBullets(text, "## Weaknesses / Not Worth Copying Blindly", "## Files Worth Studying")
+  };
+}
+function countBy(values) {
+  const counts = /* @__PURE__ */ new Map();
+  for (const value of values) counts.set(value, (counts.get(value) ?? 0) + 1);
+  return [...counts.entries()].sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
+}
+function scoreFor(finding, scoreKeys) {
+  return scoreKeys.reduce((sum, key) => sum + finding.score[key], 0);
+}
+function averageScore(findings, scoreKeys) {
+  if (findings.length === 0) return "0.00";
+  const max = scoreKeys.length * 5;
+  const avg = findings.reduce((sum, finding) => sum + scoreFor(finding, scoreKeys) / max, 0) / findings.length;
+  return avg.toFixed(2);
+}
+function renderRepoList(findings, scoreKeys) {
+  const maxTotalScore = findings[0] ? Object.keys(findings[0].score).length * 5 : 0;
+  return findings.slice().sort((a, b) => scoreFor(b, scoreKeys) - scoreFor(a, scoreKeys) || b.totalScore - a.totalScore || b.stars - a.stars).slice(0, 12).map((finding) => `- ${finding.fullName} (${finding.category}) - focus score ${scoreFor(finding, scoreKeys)}, total ${finding.totalScore}/${maxTotalScore}`).join("\n");
+}
+function summarizeFindings(cwd) {
+  const findingsDir = join11(cwd, "research", "findings");
+  if (!existsSync11(findingsDir)) {
+    throw new Error("No research/findings directory exists. Run agent-kit research scan first.");
+  }
+  const findingFiles = readdirSync2(findingsDir).filter((file) => file.endsWith(".md"));
+  const findings = findingFiles.map((file) => parseFinding(file, readFileSync9(join11(findingsDir, file), "utf8"))).filter((finding) => finding !== null);
+  const categoryCounts = countBy(findings.map((finding) => finding.category));
+  const outputs = [];
+  const overview = `# Research Scan Overview
+
+Generated from ${findings.length} parsed repository findings.
+
+## Category Coverage
+${categoryCounts.map(([category, count]) => `- ${category}: ${count}`).join("\n")}
+
+## Highest Total Scores
+${findings.slice().sort((a, b) => b.totalScore - a.totalScore || b.stars - a.stars).slice(0, 20).map((finding) => `- ${finding.fullName} (${finding.category}) - ${finding.totalScore}/${Object.keys(finding.score).length * 5}`).join("\n")}
+
+## Most Repeated Strengths
+${countBy(findings.flatMap((finding) => finding.strongPractices)).slice(0, 12).map(([practice, count]) => `- ${practice} (${count})`).join("\n")}
+
+## Most Repeated Gaps
+${countBy(findings.flatMap((finding) => finding.weakPractices)).slice(0, 12).map(([practice, count]) => `- ${practice} (${count})`).join("\n")}
+`;
+  const overviewPath = join11(cwd, "research", "summaries", "scan-overview.md");
+  writeText(overviewPath, overview);
+  outputs.push(overviewPath);
+  for (const [target, config] of Object.entries(SUMMARY_TARGETS)) {
+    const categories = config.categories;
+    const scopedFindings = findings.filter((finding) => categories.includes(finding.category));
+    const path = join11(cwd, "research", "summaries", `${target}.md`);
+    const summary = `# ${config.title}
+
+Generated from ${scopedFindings.length} relevant repository findings.
+
+## Focus Areas
+${config.scoreKeys.map((key) => `- ${key}`).join("\n")}
+
+## Aggregate Evidence
+- Average normalized focus score: ${averageScore(scopedFindings, config.scoreKeys)}
+- Repositories considered: ${scopedFindings.length}
+
+## Strongest Repositories For This Topic
+${renderRepoList(scopedFindings, config.scoreKeys) || "- No matching findings."}
+
+## Repeated Strengths
+${countBy(scopedFindings.flatMap((finding) => finding.strongPractices)).slice(0, 8).map(([practice, count]) => `- ${practice} (${count})`).join("\n") || "- No repeated strengths detected."}
+
+## Repeated Gaps
+${countBy(scopedFindings.flatMap((finding) => finding.weakPractices)).slice(0, 8).map(([practice, count]) => `- ${practice} (${count})`).join("\n") || "- No repeated gaps detected."}
+
+## Source Findings
+${scopedFindings.slice().sort((a, b) => scoreFor(b, config.scoreKeys) - scoreFor(a, config.scoreKeys)).slice(0, 25).map((finding) => `- research/findings/${finding.file}`).join("\n")}
+`;
+    writeText(path, summary);
+    outputs.push(path);
+  }
+  return outputs;
+}
+function proposeUpdates(cwd) {
+  const output = `# Proposed Agent Kit Updates
+
+Review the generated research summaries, then convert repeated best practices into:
+
+- Root markdown templates in \`templates/next-supabase\`
+- Reusable skills in \`skills/\`
+- Agent role docs in \`agents/\`
+- Security and frontend checklists in \`checklists/\`
+
+Do not copy source code from scanned repositories. Adopt only generalized practices with clear rationale.
+`;
+  const path = join11(cwd, "research", "proposed-updates.md");
+  writeText(path, output);
+  return path;
+}
+
+// src/studio/corrections.ts
+function fileForScope(scope) {
+  if (scope === "agent") return AGENT_RULES_JSON;
+  if (scope === "upstream-proposal") return UPSTREAM_PROPOSALS_JSON;
+  return PROJECT_RULES_JSON;
+}
+function emptyCorrectionRules() {
+  return { schemaVersion: 1, rules: [] };
+}
+function readCorrectionRules(cwd, relativePath) {
+  const parsed = readJsonFile(cwd, relativePath) ?? emptyCorrectionRules();
+  const result = CorrectionRulesContract.safeParse(parsed);
+  if (!result.success) {
+    throw new Error(`Invalid ${relativePath}: ${formatContractIssues(result.error).join("; ")}`);
+  }
+  return result.data;
+}
+function ensureCorrectionFiles(cwd) {
+  ensureStudioDirs(cwd);
+  for (const path of [PROJECT_RULES_JSON, AGENT_RULES_JSON, UPSTREAM_PROPOSALS_JSON]) {
+    if (!readJsonFile(cwd, path)) writeJsonFile(cwd, path, emptyCorrectionRules());
+  }
+}
+function addCorrection(cwd, options) {
+  ensureCorrectionFiles(cwd);
+  const targetPath = fileForScope(options.scope);
+  const rules = readCorrectionRules(cwd, targetPath);
+  const id = options.id ?? safeSlug(options.text).slice(0, 48);
+  const rule = {
+    id,
+    scope: options.scope,
+    status: options.scope === "upstream-proposal" ? "proposed" : "active",
+    text: redactSensitive(options.text),
+    ...options.agentId ? { agentId: options.agentId, appliesToAgents: [options.agentId] } : {},
+    ...options.sourceSessionId ? { sourceSessionId: options.sourceSessionId } : {},
+    createdAt: nowIso(),
+    reviewedAt: null
+  };
+  const parsed = CorrectionRulesContract.parse({ ...rules, rules: [...rules.rules.filter((item) => item.id !== id), rule] });
+  writeJsonFile(cwd, targetPath, parsed);
+  return rule;
+}
+function listCorrections(cwd) {
+  ensureCorrectionFiles(cwd);
+  return {
+    project: readCorrectionRules(cwd, PROJECT_RULES_JSON).rules,
+    agent: readCorrectionRules(cwd, AGENT_RULES_JSON).rules,
+    upstream: readCorrectionRules(cwd, UPSTREAM_PROPOSALS_JSON).rules
+  };
+}
+function applyCorrection(cwd, id) {
+  ensureCorrectionFiles(cwd);
+  for (const path of [PROJECT_RULES_JSON, AGENT_RULES_JSON, UPSTREAM_PROPOSALS_JSON]) {
+    const rules = readCorrectionRules(cwd, path);
+    const index = rules.rules.findIndex((rule) => rule.id === id);
+    if (index === -1) continue;
+    const current = rules.rules[index];
+    if (!current) continue;
+    const { retiredAt: _retiredAt, reason: _reason, ...base } = current;
+    const updated = {
+      ...base,
+      status: "active",
+      reviewedAt: nowIso()
+    };
+    rules.rules[index] = updated;
+    writeJsonFile(cwd, path, CorrectionRulesContract.parse(rules));
+    return updated;
+  }
+  throw new Error(`Correction not found: ${id}`);
+}
+function retireCorrection(cwd, id, reason) {
+  ensureCorrectionFiles(cwd);
+  for (const path of [PROJECT_RULES_JSON, AGENT_RULES_JSON, UPSTREAM_PROPOSALS_JSON]) {
+    const rules = readCorrectionRules(cwd, path);
+    const index = rules.rules.findIndex((rule) => rule.id === id);
+    if (index === -1) continue;
+    const current = rules.rules[index];
+    if (!current) continue;
+    const updated = {
+      ...current,
+      status: "retired",
+      retiredAt: nowIso(),
+      reason
+    };
+    rules.rules[index] = updated;
+    writeJsonFile(cwd, path, CorrectionRulesContract.parse(rules));
+    return updated;
+  }
+  throw new Error(`Correction not found: ${id}`);
+}
+function proposeCorrectionUpstream(cwd, id) {
+  const all = listCorrections(cwd);
+  const found = [...all.project, ...all.agent].find((rule) => rule.id === id);
+  if (!found) throw new Error(`Correction not found: ${id}`);
+  return addCorrection(cwd, {
+    scope: "upstream-proposal",
+    text: found.text,
+    ...found.agentId ? { agentId: found.agentId } : {},
+    ...found.sourceSessionId ? { sourceSessionId: found.sourceSessionId } : {},
+    id: `${found.id}-upstream`
+  });
+}
+
+// src/studio/context.ts
+import { existsSync as existsSync12, readFileSync as readFileSync10 } from "fs";
+import { join as join12 } from "path";
+function readPackageJson(cwd) {
+  const path = join12(cwd, "package.json");
+  if (!existsSync12(path)) return null;
+  return JSON.parse(readFileSync10(path, "utf8"));
+}
+function detectPackageManager(cwd) {
+  if (existsSync12(join12(cwd, "pnpm-lock.yaml"))) return "pnpm";
+  if (existsSync12(join12(cwd, "yarn.lock"))) return "yarn";
+  if (existsSync12(join12(cwd, "package-lock.json"))) return "npm";
+  if (existsSync12(join12(cwd, "bun.lockb")) || existsSync12(join12(cwd, "bun.lock"))) return "bun";
+  return void 0;
+}
+function detectFromDependencies(packageJson, names) {
+  const deps = {
+    ...packageJson?.dependencies ?? {},
+    ...packageJson?.devDependencies ?? {}
+  };
+  return names.filter((name) => deps[name] !== void 0);
+}
+function readEnvExampleKeys(cwd) {
+  const envText = readTextIfExists(join12(cwd, ".env.example")) ?? "";
+  return unique(
+    envText.split(/\r?\n/).map((line) => line.trim()).filter((line) => line && !line.startsWith("#") && line.includes("=")).map((line) => line.split("=")[0]?.trim() ?? "").filter(Boolean)
+  );
+}
+function inferOpenQuestions(context2) {
+  const missing = [];
+  const questions = [
+    ["productSummary", "What does this product do in one concrete paragraph?"],
+    ["primaryAudience", "Who is the primary user or buyer?"],
+    ["authModel", "What authentication model should agents preserve?"],
+    ["tenantModel", "Is this single-user, team, tenant, marketplace, admin, or public content?"]
+  ];
+  missing.push(...questions.flatMap(([field, question]) => context2[field].trim() ? [] : [question]));
+  if (context2.primaryWorkflows.length === 0) missing.push("What are the top three user workflows?");
+  if (!context2.uiDirection.preferred.trim()) missing.push("What should the UI feel like, and what should it avoid?");
+  if (!context2.messaging.valueProposition.trim()) missing.push("What value proposition and proof should public copy use?");
+  return unique([...context2.openQuestions, ...missing]);
+}
+function scanProjectContext(cwd) {
+  const packageJson = readPackageJson(cwd);
+  const files = listFilesRecursive(cwd);
+  const dependencies = detectFromDependencies(packageJson, [
+    "next",
+    "react",
+    "@supabase/supabase-js",
+    "@supabase/ssr",
+    "tailwindcss",
+    "vitest",
+    "playwright",
+    "@playwright/test",
+    "jest",
+    "storybook"
+  ]);
+  const frameworks = dependencies.filter((name) => ["next", "react", "@supabase/supabase-js", "@supabase/ssr"].includes(name));
+  const uiLibraries = dependencies.filter((name) => ["tailwindcss", "storybook"].includes(name));
+  const testTools = dependencies.filter((name) => ["vitest", "playwright", "@playwright/test", "jest", "storybook"].includes(name));
+  const supabaseSignals = files.filter((file) => /(^|\/)(supabase|migrations|seed)\b/.test(file) || file.includes("supabase"));
+  const deployment = files.filter((file) => /(^|\/)(vercel\.json|netlify\.toml|Dockerfile|docker-compose\.yml|\.github\/workflows\/.*\.ya?ml)$/.test(file));
+  const existing = readJsonFile(cwd, CONTEXT_JSON);
+  const now = nowIso();
+  const context2 = {
+    schemaVersion: 1,
+    projectName: existing?.projectName || readPackageName(cwd) || "TBD",
+    productSummary: existing?.productSummary ?? "",
+    productCategory: existing?.productCategory ?? "TBD",
+    primaryAudience: existing?.primaryAudience ?? "",
+    primaryWorkflows: existing?.primaryWorkflows ?? [],
+    businessCriticalBehavior: existing?.businessCriticalBehavior ?? [],
+    architecture: {
+      packageManager: detectPackageManager(cwd) ?? existing?.architecture.packageManager,
+      scripts: unique(Object.keys(packageJson?.scripts ?? {})),
+      frameworks: unique([...existing?.architecture.frameworks ?? [], ...frameworks]),
+      uiLibraries: unique([...existing?.architecture.uiLibraries ?? [], ...uiLibraries]),
+      hasSupabase: Boolean(existing?.architecture.hasSupabase || supabaseSignals.length > 0 || frameworks.some((name) => name.includes("supabase"))),
+      supabaseSignals: unique([...existing?.architecture.supabaseSignals ?? [], ...supabaseSignals.slice(0, 20)]),
+      testTools: unique([...existing?.architecture.testTools ?? [], ...testTools]),
+      envExampleKeys: readEnvExampleKeys(cwd),
+      deployment: unique([...existing?.architecture.deployment ?? [], ...deployment.slice(0, 20)])
+    },
+    dataSensitivity: existing?.dataSensitivity ?? [],
+    authModel: existing?.authModel ?? "",
+    tenantModel: existing?.tenantModel ?? "",
+    integrations: existing?.integrations ?? [],
+    uiDirection: existing?.uiDirection ?? { preferred: "", avoid: "" },
+    messaging: existing?.messaging ?? { valueProposition: "", proof: [], objections: [] },
+    qualityTarget: existing?.qualityTarget ?? "baseline-setup",
+    knownConstraints: existing?.knownConstraints ?? [],
+    openQuestions: existing?.openQuestions ?? [],
+    evidence: uniqueEvidence([
+      ...existing?.evidence ?? [],
+      { source: "agent-kit context scan", note: `Scanned ${files.length} files for package, Supabase, test, env example, and deployment signals.` }
+    ]),
+    lastReviewedAt: now,
+    owners: existing?.owners ?? []
+  };
+  context2.openQuestions = inferOpenQuestions(context2);
+  return ProjectContextContract.parse(context2);
+}
+function readPackageName(cwd) {
+  const packageJson = readPackageJson(cwd);
+  return typeof packageJson?.name === "string" ? packageJson.name : null;
+}
+function uniqueEvidence(items) {
+  const seen = /* @__PURE__ */ new Set();
+  return items.filter((item) => {
+    const key = `${item.source}:${item.note}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+function writeProjectContext(cwd, context2) {
+  ensureStudioDirs(cwd);
+  const parsed = ProjectContextContract.parse(context2);
+  writeJsonFile(cwd, CONTEXT_JSON, parsed);
+  const markdown = renderProjectContextMarkdown(parsed);
+  writeTextFile(cwd, CONTEXT_MD, markdown);
+  return { contextPath: CONTEXT_JSON, markdownPath: CONTEXT_MD, openQuestions: parsed.openQuestions };
+}
+function initProjectContext(cwd) {
+  return writeProjectContext(cwd, scanProjectContext(cwd));
+}
+function validateProjectContext(cwd) {
+  const context2 = readJsonFile(cwd, CONTEXT_JSON);
+  const result = ProjectContextContract.safeParse(context2);
+  if (!result.success) {
+    throw new Error(`Invalid ${CONTEXT_JSON}: ${formatContractIssues(result.error).join("; ")}`);
+  }
+  return { contextPath: CONTEXT_JSON, markdownPath: CONTEXT_MD, openQuestions: result.data.openQuestions };
+}
+function renderProjectContext(cwd) {
+  const context2 = readJsonFile(cwd, CONTEXT_JSON);
+  const result = ProjectContextContract.safeParse(context2);
+  if (!result.success) {
+    throw new Error(`Invalid ${CONTEXT_JSON}: ${formatContractIssues(result.error).join("; ")}`);
+  }
+  writeTextFile(cwd, CONTEXT_MD, renderProjectContextMarkdown(result.data));
+  return { contextPath: CONTEXT_JSON, markdownPath: CONTEXT_MD, openQuestions: result.data.openQuestions };
+}
+function renderProjectContextMarkdown(context2) {
+  return `# Project Context
+
+Generated from \`${CONTEXT_JSON}\`.
+
+## Summary
+
+- Project: ${redactSensitive(context2.projectName || "TBD")}
+- Category: ${redactSensitive(context2.productCategory || "TBD")}
+- Audience: ${redactSensitive(context2.primaryAudience || "TBD")}
+- Quality target: ${context2.qualityTarget}
+- Last reviewed: ${context2.lastReviewedAt}
+
+${redactSensitive(context2.productSummary || "No product summary recorded.")}
+
+## Primary Workflows
+
+${listMarkdown(context2.primaryWorkflows)}
+
+## Architecture Signals
+
+- Package manager: ${context2.architecture.packageManager ?? "unknown"}
+- Frameworks: ${context2.architecture.frameworks.join(", ") || "none detected"}
+- UI libraries: ${context2.architecture.uiLibraries.join(", ") || "none detected"}
+- Test tools: ${context2.architecture.testTools.join(", ") || "none detected"}
+- Supabase detected: ${context2.architecture.hasSupabase ? "yes" : "no"}
+- Env example keys: ${context2.architecture.envExampleKeys.join(", ") || "none detected"}
+- Deployment files: ${context2.architecture.deployment.join(", ") || "none detected"}
+
+## Security And Data
+
+- Auth model: ${redactSensitive(context2.authModel || "TBD")}
+- Tenant model: ${redactSensitive(context2.tenantModel || "TBD")}
+
+Data sensitivity:
+
+${listMarkdown(context2.dataSensitivity)}
+
+## UI Direction
+
+- Preferred: ${redactSensitive(context2.uiDirection.preferred || "TBD")}
+- Avoid: ${redactSensitive(context2.uiDirection.avoid || "TBD")}
+
+## Messaging
+
+- Value proposition: ${redactSensitive(context2.messaging.valueProposition || "TBD")}
+
+Proof:
+
+${listMarkdown(context2.messaging.proof)}
+
+Objections:
+
+${listMarkdown(context2.messaging.objections)}
+
+## Open Questions
+
+${listMarkdown(context2.openQuestions)}
+
+## Evidence
+
+| Source | Note |
+| --- | --- |
+${context2.evidence.map((item) => `| ${redactSensitive(item.source)} | ${redactSensitive(item.note).replace(/\|/g, "\\|")} |`).join("\n")}
+`;
+}
+
+// src/studio/session.ts
+import { existsSync as existsSync13, readFileSync as readFileSync11, readdirSync as readdirSync3, statSync as statSync2 } from "fs";
+import { join as join13 } from "path";
+function sessionDir(sessionId) {
+  return `${COUNCIL_SESSIONS_DIR}/${safeSlug(sessionId)}`;
+}
+function sessionJsonPath(sessionId) {
+  return `${sessionDir(sessionId)}/session.json`;
+}
+function eventsPath(sessionId) {
+  return `${sessionDir(sessionId)}/events.jsonl`;
+}
+function indexPath(sessionId) {
+  return `${sessionDir(sessionId)}/index.md`;
+}
+function transcriptPath(sessionId) {
+  return `${sessionDir(sessionId)}/transcript.md`;
+}
+function readDefaultWorkflowOutputs(cwd, workflowId) {
+  const roster = readJsonFile(cwd, DEFAULT_AGENT_ROSTER_TARGET);
+  const workflow = roster?.workflows?.find((item) => item.id === workflowId);
+  return (workflow?.requiredOutputs ?? ["decision", "risk", "verification evidence"]).map((name) => ({
+    name,
+    status: "missing"
+  }));
+}
+function startSession(cwd, options) {
+  ensureStudioDirs(cwd);
+  const datePrefix = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+  const sessionId = safeSlug(`${datePrefix}-${options.title}`);
+  const now = nowIso();
+  const workflowId = options.workflowId ?? "planning";
+  const session2 = {
+    schemaVersion: 1,
+    sessionId,
+    title: options.title,
+    createdAt: now,
+    updatedAt: now,
+    status: "in-progress",
+    workflowId,
+    request: options.request ?? options.title,
+    affectedLayers: options.affectedLayers ?? [],
+    activeAgentId: "planner",
+    nextAgentId: void 0,
+    qualityTarget: options.qualityTarget ?? "baseline-setup",
+    requiredOutputs: readDefaultWorkflowOutputs(cwd, workflowId)
+  };
+  writeJsonFile(cwd, sessionJsonPath(sessionId), StudioSessionContract.parse(session2));
+  writeTextFile(cwd, ACTIVE_SESSION_FILE, `${sessionId}
+`);
+  appendSessionEvent(cwd, sessionId, {
+    type: "session_started",
+    createdAt: now,
+    agentId: "planner",
+    text: `Started ${workflowId} session: ${options.title}`
+  });
+  return { sessionId, sessionPath: sessionDir(sessionId) };
+}
+function listSessions(cwd) {
+  const root = join13(cwd, COUNCIL_SESSIONS_DIR);
+  if (!existsSync13(root)) return [];
+  return readdirSync3(root).filter((entry) => entry !== "active").map((entry) => join13(root, entry, "session.json")).filter((path) => existsSync13(path) && statSync2(path).isFile()).map((path) => StudioSessionContract.parse(JSON.parse(readFileSync11(path, "utf8")))).sort((a, b) => a.createdAt.localeCompare(b.createdAt));
+}
+function getActiveSessionId(cwd) {
+  const active = readTextFile(cwd, ACTIVE_SESSION_FILE)?.trim();
+  if (!active) throw new Error("No active Agent Studio session. Run agent-kit session start first.");
+  return safeSlug(active);
+}
+function readSession(cwd, sessionId = getActiveSessionId(cwd)) {
+  const parsed = readJsonFile(cwd, sessionJsonPath(sessionId));
+  const result = StudioSessionContract.safeParse(parsed);
+  if (!result.success) throw new Error(`Invalid ${sessionJsonPath(sessionId)}: ${formatContractIssues(result.error).join("; ")}`);
+  return result.data;
+}
+function readSessionEvents(cwd, sessionId = getActiveSessionId(cwd)) {
+  return readJsonLines(cwd, eventsPath(sessionId)).map((event, index) => {
+    const result = SessionEventContract.safeParse(event);
+    if (!result.success) {
+      throw new Error(`Invalid ${eventsPath(sessionId)} line ${index + 1}: ${formatContractIssues(result.error).join("; ")}`);
+    }
+    return result.data;
+  });
+}
+function writeSession(cwd, session2) {
+  writeJsonFile(cwd, sessionJsonPath(session2.sessionId), StudioSessionContract.parse(session2));
+}
+function appendSessionEvent(cwd, sessionId, event) {
+  const parsed = SessionEventContract.parse(redactEvent(event));
+  appendJsonLine(cwd, eventsPath(sessionId), parsed);
+  const session2 = readSession(cwd, sessionId);
+  const updated = {
+    ...session2,
+    updatedAt: parsed.createdAt
+  };
+  if (parsed.agentId) updated.activeAgentId = parsed.agentId;
+  if (parsed.type === "handoff" && parsed.toAgentId) {
+    updated.activeAgentId = parsed.toAgentId;
+    updated.nextAgentId = parsed.toAgentId;
+  }
+  if (parsed.type === "session_status_changed" && parsed.status) updated.status = parsed.status;
+  writeSession(cwd, updated);
+  return parsed;
+}
+function redactEvent(event) {
+  return {
+    ...event,
+    ...event.text ? { text: redactSensitive(event.text) } : {},
+    ...event.decision ? { decision: redactSensitive(event.decision) } : {},
+    ...event.risk ? { risk: redactSensitive(event.risk) } : {},
+    ...event.notes ? { notes: redactSensitive(event.notes) } : {},
+    ...event.command ? { command: redactSensitive(event.command) } : {},
+    ...event.outputName ? { outputName: redactSensitive(event.outputName) } : {},
+    ...event.evidence ? { evidence: event.evidence.map(redactSensitive) } : {}
+  };
+}
+function recordNote(cwd, agentId, text) {
+  return appendSessionEvent(cwd, getActiveSessionId(cwd), { type: "agent_message", createdAt: nowIso(), agentId, text });
+}
+function recordDecision(cwd, agentId, decision, risk) {
+  return appendSessionEvent(cwd, getActiveSessionId(cwd), {
+    type: "agent_decision",
+    createdAt: nowIso(),
+    agentId,
+    decision,
+    ...risk ? { risk } : {}
+  });
+}
+function recordHandoff(cwd, options) {
+  return appendSessionEvent(cwd, getActiveSessionId(cwd), {
+    type: "handoff",
+    createdAt: nowIso(),
+    fromAgentId: options.fromAgentId,
+    toAgentId: options.toAgentId,
+    decision: options.decision,
+    risk: options.risk,
+    evidence: options.evidence ?? []
+  });
+}
+function recordCorrection(cwd, options) {
+  const sessionId = getActiveSessionId(cwd);
+  const correction2 = options.scope === "session" ? void 0 : addCorrection(cwd, {
+    scope: options.scope,
+    text: options.text,
+    ...options.agentId ? { agentId: options.agentId } : {},
+    sourceSessionId: sessionId
+  });
+  return appendSessionEvent(cwd, sessionId, {
+    type: "human_correction",
+    createdAt: nowIso(),
+    ...options.agentId ? { agentId: options.agentId } : {},
+    scope: options.scope,
+    text: options.text,
+    ...correction2 ? { correctionId: correction2.id } : {}
+  });
+}
+function recordArtifact(cwd, file, note) {
+  const artifactPath = validateRelativeArtifactPath(cwd, file);
+  return appendSessionEvent(cwd, getActiveSessionId(cwd), {
+    type: "artifact_recorded",
+    createdAt: nowIso(),
+    artifactPath,
+    ...note ? { notes: note } : {}
+  });
+}
+function recordVerification(cwd, command, result, notes) {
+  return appendSessionEvent(cwd, getActiveSessionId(cwd), {
+    type: "verification_recorded",
+    createdAt: nowIso(),
+    command,
+    result,
+    ...notes ? { notes } : {}
+  });
+}
+function recordRequiredOutput(cwd, name, status, evidence) {
+  const trimmedName = name.trim();
+  if (!trimmedName) throw new Error("Required output name is required.");
+  const sessionId = getActiveSessionId(cwd);
+  const session2 = readSession(cwd, sessionId);
+  const now = nowIso();
+  const output = {
+    name: trimmedName,
+    status,
+    ...evidence ? { evidence: redactSensitive(evidence) } : {}
+  };
+  const outputIndex = session2.requiredOutputs.findIndex((item) => item.name === trimmedName);
+  const requiredOutputs = outputIndex === -1 ? [...session2.requiredOutputs, output] : session2.requiredOutputs.map((item, index) => index === outputIndex ? { ...item, ...output } : item);
+  writeSession(cwd, { ...session2, requiredOutputs, updatedAt: now });
+  return appendSessionEvent(cwd, sessionId, {
+    type: "required_output_updated",
+    createdAt: now,
+    outputName: trimmedName,
+    outputStatus: status,
+    ...evidence ? { evidence: [evidence] } : {}
+  });
+}
+function closeSession(cwd, status) {
+  const sessionId = getActiveSessionId(cwd);
+  appendSessionEvent(cwd, sessionId, {
+    type: "session_status_changed",
+    createdAt: nowIso(),
+    status,
+    text: `Session marked ${status}.`
+  });
+  return readSession(cwd, sessionId);
+}
+function renderActiveSession(cwd) {
+  return renderSession(cwd, getActiveSessionId(cwd));
+}
+function renderSession(cwd, sessionId) {
+  const session2 = readSession(cwd, sessionId);
+  const events = readSessionEvents(cwd, sessionId);
+  const renderedAt = nowIso();
+  const updated = { ...session2, renderedAt, updatedAt: renderedAt };
+  writeTextFile(cwd, indexPath(sessionId), renderSessionIndex(updated, events));
+  writeTextFile(cwd, transcriptPath(sessionId), renderSessionTranscript(updated, events));
+  writeSession(cwd, updated);
+  return { sessionId, sessionPath: sessionDir(sessionId) };
+}
+function renderSessionIndex(session2, events) {
+  const handoffs = events.filter((event) => event.type === "handoff");
+  const decisions = events.filter((event) => event.type === "agent_decision" || event.type === "handoff");
+  const corrections = events.filter((event) => event.type === "human_correction");
+  const artifacts = events.filter((event) => event.type === "artifact_recorded");
+  const verification = events.filter((event) => event.type === "verification_recorded");
+  return `# Council Session: ${escapeMarkdownText(session2.title)}
+
+Generated from \`${sessionDir(session2.sessionId)}/events.jsonl\` at ${session2.renderedAt ?? session2.updatedAt}.
+
+## Current State
+
+- Session: ${session2.sessionId}
+- Workflow: ${session2.workflowId}
+- Status: ${session2.status}
+- Active agent: ${session2.activeAgentId ?? "none"}
+- Next agent: ${session2.nextAgentId ?? "none"}
+- Quality target: ${session2.qualityTarget}
+- Request: ${escapeMarkdownText(session2.request)}
+
+## Handoff Graph
+
+\`\`\`mermaid
+${renderMermaidGraph(handoffs)}
+\`\`\`
+
+## Decisions
+
+| Agent | Decision | Risk | Evidence |
+| --- | --- | --- | --- |
+${decisions.map(renderDecisionRow).join("\n") || "| None | None recorded | None recorded | None |"}
+
+## Human Corrections
+
+| Scope | Agent | Correction | Durable Rule |
+| --- | --- | --- | --- |
+${corrections.map((event) => `| ${event.scope ?? "session"} | ${escapeMarkdownTableCell(event.agentId ?? "all")} | ${escapeMarkdownTableCell(event.text)} | ${event.correctionId ?? "session-only"} |`).join("\n") || "| None | None | None recorded | None |"}
+
+## Required Outputs
+
+| Output | Status | Evidence |
+| --- | --- | --- |
+${session2.requiredOutputs.map((output) => `| ${escapeMarkdownTableCell(output.name)} | ${output.status} | ${escapeMarkdownTableCell(output.evidence)} |`).join("\n")}
+
+## Artifacts
+
+${listMarkdown(artifacts.map((event) => `${event.artifactPath}${event.notes ? ` - ${event.notes}` : ""}`))}
+
+## Verification
+
+| Command | Result | Notes |
+| --- | --- | --- |
+${verification.map((event) => `| ${escapeMarkdownTableCell(event.command)} | ${event.result ?? "skipped"} | ${escapeMarkdownTableCell(event.notes)} |`).join("\n") || "| None recorded | skipped | Add verification before completion |"}
+
+## Next Actions
+
+${renderNextActions(session2, verification)}
+`;
+}
+function renderDecisionRow(event) {
+  if (event.type === "handoff") {
+    return `| ${escapeMarkdownTableCell(`${event.fromAgentId ?? "unknown"} -> ${event.toAgentId ?? "unknown"}`)} | ${escapeMarkdownTableCell(event.decision)} | ${escapeMarkdownTableCell(event.risk)} | ${escapeMarkdownTableCell(event.evidence?.join(", "))} |`;
+  }
+  return `| ${escapeMarkdownTableCell(event.agentId ?? "unknown")} | ${escapeMarkdownTableCell(event.decision)} | ${escapeMarkdownTableCell(event.risk)} | ${escapeMarkdownTableCell(event.evidence?.join(", "))} |`;
+}
+function renderMermaidGraph(handoffs) {
+  if (handoffs.length === 0) return 'flowchart LR\n  session["Session"]';
+  const lines = ["flowchart LR"];
+  for (const handoff of handoffs) {
+    const from = safeNodeId(handoff.fromAgentId ?? "unknown");
+    const to = safeNodeId(handoff.toAgentId ?? "unknown");
+    lines.push(`  ${from}["${safeMermaidLabel(handoff.fromAgentId ?? "unknown")}"] --> ${to}["${safeMermaidLabel(handoff.toAgentId ?? "unknown")}"]`);
+  }
+  return lines.join("\n");
+}
+function safeNodeId(value) {
+  const id = value.replace(/[^a-zA-Z0-9_]/g, "_");
+  return id || "unknown";
+}
+function safeMermaidLabel(value) {
+  const label = redactSensitive(value).replace(/[^a-zA-Z0-9 _./:-]/g, " ").replace(/\s+/g, " ").trim();
+  return label || "unknown";
+}
+function renderNextActions(session2, verification) {
+  const missingOutputs = session2.requiredOutputs.filter((output) => output.status === "missing" || output.status === "partial");
+  const actions = [
+    ...missingOutputs.map((output) => `Complete required output: ${output.name}.`),
+    ...verification.length === 0 ? ["Record verification evidence before closing the session."] : [],
+    ...session2.nextAgentId ? [`Continue with ${session2.nextAgentId}.`] : []
+  ];
+  return listMarkdown(actions);
+}
+function renderSessionTranscript(session2, events) {
+  const byAgent = /* @__PURE__ */ new Map();
+  for (const event of events) {
+    const key = event.agentId ?? event.fromAgentId ?? "session";
+    byAgent.set(key, [...byAgent.get(key) ?? [], event]);
+  }
+  const sections = [...byAgent.entries()].map(([agentId, agentEvents]) => {
+    const rows = agentEvents.map((event) => {
+      const detail = event.text ?? event.decision ?? event.command ?? event.artifactPath ?? (event.outputName ? `${event.outputName}: ${event.outputStatus ?? ""}` : void 0) ?? event.status ?? "";
+      return `- ${event.createdAt} \`${event.type}\`: ${escapeMarkdownText(detail)}`;
+    });
+    return `## ${escapeMarkdownText(agentId)}
+
+${rows.join("\n")}`;
+  }).join("\n\n");
+  return `# Transcript: ${escapeMarkdownText(session2.title)}
+
+Generated from \`${sessionDir(session2.sessionId)}/events.jsonl\`.
+
+${sections || "No events recorded."}
+`;
+}
+
+// src/studio/export.ts
+function exportStaticStudio(cwd) {
+  ensureStudioDirs(cwd);
+  const exportedAt = nowIso();
+  const context2 = readProjectContext(cwd);
+  const contextMarkdown = readTextFile(cwd, CONTEXT_MD);
+  const corrections = listCorrections(cwd);
+  const sessions = listSessions(cwd).map((session2) => {
+    const events = readSessionEvents(cwd, session2.sessionId);
+    return {
+      session: session2,
+      events,
+      indexPath: `${COUNCIL_SESSIONS_DIR}/${safeSlug(session2.sessionId)}/index.md`,
+      transcriptPath: `${COUNCIL_SESSIONS_DIR}/${safeSlug(session2.sessionId)}/transcript.md`,
+      agents: unique(events.flatMap((event) => [event.agentId, event.fromAgentId, event.toAgentId].filter(Boolean)))
+    };
+  });
+  const data = {
+    generatedAt: exportedAt,
+    context: context2,
+    contextMarkdown,
+    corrections,
+    activeSessionId: readTextFile(cwd, ACTIVE_SESSION_FILE)?.trim() ?? null,
+    sessions
+  };
+  const redactedData = redactDeep(data);
+  const html = renderStaticStudioHtml(redactedData);
+  if (containsLikelySecret(html)) {
+    throw new Error("Refusing to write static Agent Studio export because the rendered HTML contains a secret-like value.");
+  }
+  writeTextFile(cwd, STUDIO_EXPORT_HTML, html);
+  return { studioPath: STUDIO_EXPORT_HTML, sessionCount: sessions.length, exportedAt };
+}
+function readProjectContext(cwd) {
+  const raw = readJsonFile(cwd, CONTEXT_JSON);
+  if (!raw) return null;
+  return ProjectContextContract.parse(raw);
+}
+function redactDeep(value) {
+  if (typeof value === "string") return redactSensitive(value);
+  if (Array.isArray(value)) return value.map(redactDeep);
+  if (value && typeof value === "object") {
+    return Object.fromEntries(Object.entries(value).map(([key, item]) => [key, redactDeep(item)]));
+  }
+  return value;
+}
+function renderStaticStudioHtml(data) {
+  const sessionCount = data.sessions.length;
+  const correctionCount = data.corrections.project.length + data.corrections.agent.length;
+  return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline'; img-src data:; base-uri 'none'; form-action 'none'">
+  <title>Agent Studio</title>
+  <style>
+    :root { color-scheme: light; --ink: #1f2933; --muted: #52606d; --line: #d9e2ec; --panel: #ffffff; --bg: #f5f7fa; --accent: #0f766e; --accent-2: #7c3aed; --warn: #b45309; }
+    * { box-sizing: border-box; }
+    body { margin: 0; font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; color: var(--ink); background: var(--bg); line-height: 1.5; }
+    header { padding: 28px clamp(16px, 4vw, 48px) 20px; background: #0b1f24; color: #f8fafc; }
+    header h1 { margin: 0 0 8px; font-size: clamp(28px, 4vw, 44px); letter-spacing: 0; }
+    header p { margin: 0; color: #cbd5e1; max-width: 980px; }
+    main { display: grid; grid-template-columns: minmax(0, 1fr); gap: 18px; padding: 20px clamp(16px, 4vw, 48px) 48px; }
+    section, details { background: var(--panel); border: 1px solid var(--line); border-radius: 8px; }
+    section { padding: 18px; }
+    h2 { margin: 0 0 12px; font-size: 22px; letter-spacing: 0; }
+    h3 { margin: 18px 0 10px; font-size: 17px; letter-spacing: 0; }
+    .metrics { display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 10px; margin-top: 18px; }
+    .metric { border: 1px solid rgba(255,255,255,.22); border-radius: 8px; padding: 12px; background: rgba(255,255,255,.08); }
+    .metric strong { display: block; font-size: 24px; }
+    .metric span { color: #cbd5e1; font-size: 13px; }
+    .grid { display: grid; grid-template-columns: minmax(0, 340px) minmax(0, 1fr); gap: 18px; align-items: start; }
+    .stack { display: grid; gap: 12px; }
+    .muted { color: var(--muted); }
+    .path { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; font-size: 13px; color: var(--muted); overflow-wrap: anywhere; }
+    .pill { display: inline-flex; align-items: center; border-radius: 999px; padding: 2px 9px; border: 1px solid var(--line); background: #f8fafc; font-size: 12px; margin: 2px 4px 2px 0; }
+    .session-card { padding: 0; overflow: hidden; }
+    .session-head { padding: 16px 18px; border-bottom: 1px solid var(--line); display: flex; gap: 10px; flex-wrap: wrap; align-items: baseline; justify-content: space-between; }
+    .session-head h2 { margin: 0; }
+    .session-body { padding: 18px; display: grid; gap: 18px; }
+    .graph-wrap { overflow-x: auto; border: 1px solid var(--line); border-radius: 8px; background: #fbfdff; padding: 8px; }
+    svg.agent-graph { width: 100%; min-width: 520px; max-height: 240px; }
+    .event-list { margin: 0; padding-left: 20px; }
+    .event-list li { margin: 7px 0; }
+    details.agent-stream { padding: 0; }
+    details.agent-stream > summary { cursor: pointer; padding: 12px 14px; font-weight: 700; }
+    details.agent-stream[open] > summary { border-bottom: 1px solid var(--line); }
+    details.agent-stream .stream-body { padding: 12px 14px; }
+    table { width: 100%; border-collapse: collapse; font-size: 14px; }
+    th, td { text-align: left; border-bottom: 1px solid var(--line); padding: 8px; vertical-align: top; }
+    th { color: var(--muted); font-size: 12px; text-transform: uppercase; letter-spacing: .04em; }
+    code { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; font-size: 13px; background: #edf2f7; padding: 1px 4px; border-radius: 4px; }
+    @media (max-width: 860px) { .grid { grid-template-columns: 1fr; } header { padding-top: 22px; } }
+  </style>
+</head>
+<body>
+  <header>
+    <h1>Agent Studio</h1>
+    <p>Static local export generated from Agent Kit JSON and JSONL files. It embeds a redacted snapshot at export time and does not connect to a server, database, or model API.</p>
+    <div class="metrics">
+      <div class="metric"><strong>${sessionCount}</strong><span>sessions</span></div>
+      <div class="metric"><strong>${correctionCount}</strong><span>active correction files</span></div>
+      <div class="metric"><strong>${escapeHtml(data.generatedAt)}</strong><span>generated at</span></div>
+    </div>
+  </header>
+  <main>
+    <section>
+      <h2>Project Context</h2>
+      ${renderContextSummary(data)}
+    </section>
+    <div class="grid">
+      <aside class="stack">
+        <section>
+          <h2>Corrections</h2>
+          ${renderCorrections(data)}
+        </section>
+        <section>
+          <h2>Session Index</h2>
+          ${renderSessionIndexLinks(data.sessions)}
+        </section>
+      </aside>
+      <div class="stack">
+        ${data.sessions.map(renderSessionSection).join("\n")}
+      </div>
+    </div>
+  </main>
+  <script type="application/json" id="agent-studio-data">${safeJsonForHtml(data)}</script>
+</body>
+</html>
+`;
+}
+function renderContextSummary(data) {
+  const context2 = data.context;
+  if (!context2) return `<p class="muted">No project context found. Run <code>agent-kit onboard</code> or <code>agent-kit init --guided</code>.</p>`;
+  return `<div class="stack">
+    <p><strong>${escapeHtml(context2.projectName || "TBD")}</strong> ${escapeHtml(context2.productSummary || "No product summary recorded.")}</p>
+    <p class="muted">Audience: ${escapeHtml(context2.primaryAudience || "TBD")} | Quality target: ${escapeHtml(context2.qualityTarget || "baseline-setup")}</p>
+    <p>${renderPills([...context2.architecture?.frameworks ?? [], ...context2.architecture?.testTools ?? [], context2.architecture?.hasSupabase ? "supabase" : ""].filter(Boolean))}</p>
+    ${context2.openQuestions?.length ? `<h3>Open Questions</h3>${renderList(context2.openQuestions)}` : ""}
+    <p class="path">Source: ${CONTEXT_JSON}${data.contextMarkdown ? ` and ${CONTEXT_MD}` : ""}</p>
+  </div>`;
+}
+function renderCorrections(data) {
+  const rules = [...data.corrections.project, ...data.corrections.agent].filter((rule) => rule.status === "active");
+  if (rules.length === 0) return `<p class="muted">No active durable corrections recorded.</p>`;
+  return `<table>
+    <thead><tr><th>Scope</th><th>Agent</th><th>Correction</th></tr></thead>
+    <tbody>
+      ${rules.map((rule) => `<tr><td>${escapeHtml(rule.scope)}</td><td>${escapeHtml(rule.agentId ?? rule.appliesToAgents?.join(", ") ?? "all")}</td><td>${escapeHtml(rule.text)}</td></tr>`).join("\n")}
+    </tbody>
+  </table>`;
+}
+function renderSessionIndexLinks(sessions) {
+  if (sessions.length === 0) return `<p class="muted">No sessions recorded yet.</p>`;
+  return `<ol class="event-list">${sessions.map((item) => `<li><a href="#${htmlId(item.session.sessionId)}">${escapeHtml(item.session.title)}</a><br><span class="muted">${escapeHtml(item.session.status)} | ${escapeHtml(item.session.workflowId)}</span></li>`).join("")}</ol>`;
+}
+function renderSessionSection(item) {
+  const verification = item.events.filter((event) => event.type === "verification_recorded");
+  const corrections = item.events.filter((event) => event.type === "human_correction");
+  const artifacts = item.events.filter((event) => event.type === "artifact_recorded");
+  return `<section class="session-card" id="${htmlId(item.session.sessionId)}">
+    <div class="session-head">
+      <h2>${escapeHtml(item.session.title)}</h2>
+      <div>
+        <span class="pill">${escapeHtml(item.session.status)}</span>
+        <span class="pill">${escapeHtml(item.session.workflowId)}</span>
+        <span class="pill">${item.events.length} events</span>
+      </div>
+    </div>
+    <div class="session-body">
+      <p class="muted">Request: ${escapeHtml(item.session.request)}</p>
+      <p class="path">Markdown: ${escapeHtml(item.indexPath)} | ${escapeHtml(item.transcriptPath)}</p>
+      <div class="graph-wrap">${renderSvgGraph(item.events, item.agents)}</div>
+      <div>
+        <h3>Agent Streams</h3>
+        ${renderAgentStreams(item)}
+      </div>
+      <div class="grid">
+        <div>
+          <h3>Verification</h3>
+          ${verification.length ? renderEventList(verification) : `<p class="muted">No verification recorded.</p>`}
+        </div>
+        <div>
+          <h3>Corrections And Artifacts</h3>
+          ${corrections.length || artifacts.length ? renderEventList([...corrections, ...artifacts]) : `<p class="muted">No corrections or artifacts recorded.</p>`}
+        </div>
+      </div>
+    </div>
+  </section>`;
+}
+function renderAgentStreams(item) {
+  if (item.events.length === 0) return `<p class="muted">No events recorded.</p>`;
+  const byAgent = /* @__PURE__ */ new Map();
+  for (const event of item.events) {
+    const agent = event.agentId ?? event.fromAgentId ?? "session";
+    byAgent.set(agent, [...byAgent.get(agent) ?? [], event]);
+  }
+  return [...byAgent.entries()].map(([agent, events]) => `<details class="agent-stream"><summary>${escapeHtml(agent)} (${events.length})</summary><div class="stream-body">${renderEventList(events)}</div></details>`).join("\n");
+}
+function renderEventList(events) {
+  return `<ol class="event-list">${events.map((event) => `<li><time>${escapeHtml(event.createdAt)}</time> <code>${escapeHtml(event.type)}</code>: ${escapeHtml(eventDetail(event))}</li>`).join("\n")}</ol>`;
+}
+function eventDetail(event) {
+  if (event.type === "handoff") return `${event.fromAgentId ?? "unknown"} -> ${event.toAgentId ?? "unknown"}: ${event.decision ?? ""} Risk: ${event.risk ?? ""}`;
+  if (event.type === "required_output_updated") return `${event.outputName ?? "output"}: ${event.outputStatus ?? "unknown"}`;
+  return event.text ?? event.decision ?? event.command ?? event.artifactPath ?? event.status ?? "";
+}
+function renderSvgGraph(events, knownAgents) {
+  const handoffs = events.filter((event) => event.type === "handoff");
+  const agents = unique([...knownAgents, ...handoffs.flatMap((event) => [event.fromAgentId, event.toAgentId].filter(Boolean))]);
+  if (agents.length === 0) {
+    return `<svg class="agent-graph" viewBox="0 0 520 120" role="img" aria-label="No agent handoffs recorded"><text x="24" y="62" fill="#52606d">No handoffs recorded yet.</text></svg>`;
+  }
+  const width = Math.max(520, agents.length * 180);
+  const y = 78;
+  const positions = new Map(agents.map((agent, index) => [agent, { x: 74 + index * 170, y }]));
+  const edges = handoffs.map((event) => {
+    const from = positions.get(event.fromAgentId ?? "");
+    const to = positions.get(event.toAgentId ?? "");
+    if (!from || !to) return "";
+    return `<line x1="${from.x + 34}" y1="${from.y}" x2="${to.x - 34}" y2="${to.y}" stroke="#7c3aed" stroke-width="2" marker-end="url(#arrow)" />`;
+  }).join("\n");
+  const nodes = agents.map((agent) => {
+    const position = positions.get(agent);
+    if (!position) return "";
+    return `<g><circle cx="${position.x}" cy="${position.y}" r="34" fill="#ccfbf1" stroke="#0f766e" stroke-width="2" /><text x="${position.x}" y="${position.y + 56}" text-anchor="middle" fill="#1f2933" font-size="12">${escapeSvgText(agent)}</text></g>`;
+  }).join("\n");
+  return `<svg class="agent-graph" viewBox="0 0 ${width} 150" role="img" aria-label="Agent handoff graph">
+    <defs><marker id="arrow" markerWidth="10" markerHeight="10" refX="9" refY="3" orient="auto" markerUnits="strokeWidth"><path d="M0,0 L0,6 L9,3 z" fill="#7c3aed" /></marker></defs>
+    ${edges}
+    ${nodes}
+  </svg>`;
+}
+function renderPills(values) {
+  const cleaned = values.filter(Boolean);
+  return cleaned.length ? cleaned.map((value) => `<span class="pill">${escapeHtml(value)}</span>`).join("") : `<span class="muted">No stack signals recorded.</span>`;
+}
+function renderList(values) {
+  return `<ul>${values.map((value) => `<li>${escapeHtml(value)}</li>`).join("")}</ul>`;
+}
+function htmlId(value) {
+  return `session-${safeSlug(value)}`;
+}
+function escapeHtml(value) {
+  return String(value ?? "").replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function escapeSvgText(value) {
+  return escapeHtml(value).slice(0, 42);
+}
+function safeJsonForHtml(value) {
+  return JSON.stringify(value).replace(/&/g, "\\u0026").replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
+}
+
+// src/cli/index.ts
+var program = new Command();
+var requiredOutputStatuses = ["missing", "partial", "complete", "not-applicable"];
+function isRequiredOutputStatus(value) {
+  return requiredOutputStatuses.includes(value);
+}
+program.name("agent-kit").description("Next.js + Supabase agent, skill, docs, design, and research kit.").version("0.1.0");
+program.command("init").description("Install agent-kit docs and library files into a project.").option("--stack <stack>", "Stack profile to install.", "next-supabase").option("--force", "Overwrite existing docs instead of writing conflicts.").option("--guided", "Also create local project context files from a non-interactive scan.").action((options) => {
+  const result = initProject({
+    cwd: process.cwd(),
+    stack: options.stack,
+    force: Boolean(options.force)
+  });
+  if (options.guided) {
+    console.log(JSON.stringify({ install: result, context: initProjectContext(process.cwd()) }, null, 2));
+    return;
+  }
+  console.log(JSON.stringify(result, null, 2));
+});
+program.command("audit").description("Audit an existing project for agent-kit coverage gaps.").option("--json", "Print machine-readable JSON output.").option("--min-readiness <level>", `Exit non-zero unless readiness is at least this level: ${READINESS_ORDER.join(", ")}.`).action((options) => {
+  const report = createAuditReport(process.cwd());
+  let minimumReadiness;
+  if (options.minReadiness) {
+    if (!isAuditReadinessLevel(options.minReadiness)) {
+      console.error(`Invalid --min-readiness value "${options.minReadiness}". Expected one of: ${READINESS_ORDER.join(", ")}.`);
+      process.exitCode = 1;
+      return;
+    }
+    minimumReadiness = options.minReadiness;
+  }
+  if (options.json) {
+    console.log(JSON.stringify(report, null, 2));
+  } else {
+    console.log(`READINESS ${report.readiness.level}: ${report.readiness.summary}`);
+    console.log(`SUMMARY pass=${report.summary.pass} warn=${report.summary.warn} fail=${report.summary.fail}`);
+    if (report.readiness.nextActions.length > 0) {
+      console.log("NEXT ACTIONS");
+      for (const action of report.readiness.nextActions) console.log(`- ${action}`);
+    }
+    console.log("");
+    for (const finding of report.findings) {
+      const prefix = finding.level.toUpperCase().padEnd(4);
+      console.log(`${prefix} ${finding.area}: ${finding.message}`);
+      if (finding.remediation) console.log(`     remediation: ${finding.remediation}`);
+    }
+  }
+  if (report.summary.fail > 0) {
+    process.exitCode = 1;
+  }
+  if (minimumReadiness && !meetsMinimumReadiness(report.readiness.level, minimumReadiness)) {
+    console.error(`Audit readiness ${report.readiness.level} is below required minimum ${minimumReadiness}.`);
+    process.exitCode = 1;
+  }
+});
+program.command("diff").description("Compare project docs against bundled templates.").action(() => {
+  console.log(JSON.stringify(diffProject(process.cwd()), null, 2));
+});
+program.command("update").description("Update installed templates, preserving local conflicts by default.").option("--force", "Overwrite local docs.").action((options) => {
+  const result = initProject({ cwd: process.cwd(), force: Boolean(options.force) });
+  console.log(JSON.stringify(result, null, 2));
+});
+var addCommand = program.command("add").description("Add one agent-kit asset.");
+addCommand.command("skill <name>").description("Add a single skill into .agent-kit/skills.").option("--force", "Overwrite existing skill.").action((name, options) => {
+  console.log(addSkill(process.cwd(), name, { force: Boolean(options.force) }));
+});
+program.command("doctor").description("Validate local CLI runtime prerequisites.").action(() => {
+  console.log("agent-kit doctor");
+  console.log(`node: ${process.version}`);
+  console.log(`available skills: ${listSkills().length}`);
+  console.log("status: ok");
+});
+program.command("onboard").description("Create or refresh local project context files for installed agents.").option("--refresh", "Refresh inferred context from the current project state.").action(() => {
+  console.log(JSON.stringify(initProjectContext(process.cwd()), null, 2));
+});
+var context = program.command("context").description("Manage local project context for Agent Studio.");
+context.command("init").description("Create project context from a local scan.").action(() => {
+  console.log(JSON.stringify(initProjectContext(process.cwd()), null, 2));
+});
+context.command("scan").description("Print inferred project context without writing it.").action(() => {
+  console.log(JSON.stringify(scanProjectContext(process.cwd()), null, 2));
+});
+context.command("ask").description("Print unanswered high-value project context questions.").action(() => {
+  const result = initProjectContext(process.cwd());
+  for (const question of result.openQuestions) console.log(`- ${question}`);
+});
+context.command("render").description("Render .agent-kit/project-context.md from project-context.json.").action(() => {
+  console.log(JSON.stringify(renderProjectContext(process.cwd()), null, 2));
+});
+context.command("validate").description("Validate .agent-kit/project-context.json.").action(() => {
+  console.log(JSON.stringify(validateProjectContext(process.cwd()), null, 2));
+});
+context.command("show").description("Print rendered project context markdown.").action(() => {
+  console.log(readTextFile(process.cwd(), ".agent-kit/project-context.md") ?? "");
+});
+var session = program.command("session").description("Record and render local Agent Studio council sessions.");
+session.command("start <title...>").description("Start a local council session.").option("--workflow <workflow>", "Workflow id.", "planning").option("--request <request>", "Original user request.").action((titleParts, options) => {
+  const title = titleParts.join(" ");
+  console.log(
+    JSON.stringify(
+      startSession(process.cwd(), {
+        title,
+        workflowId: options.workflow,
+        ...options.request ? { request: options.request } : {}
+      }),
+      null,
+      2
+    )
+  );
+});
+session.command("list").description("List local council sessions.").action(() => {
+  console.log(JSON.stringify(listSessions(process.cwd()), null, 2));
+});
+session.command("active").description("Print the active council session id.").action(() => {
+  console.log(getActiveSessionId(process.cwd()));
+});
+session.command("note <text...>").description("Record a visible agent message.").requiredOption("--agent <agent>", "Agent id.").action((textParts, options) => {
+  console.log(JSON.stringify(recordNote(process.cwd(), options.agent, textParts.join(" ")), null, 2));
+});
+session.command("decision <text...>").description("Record an agent decision.").requiredOption("--agent <agent>", "Agent id.").option("--risk <risk>", "Risk associated with the decision.").action((textParts, options) => {
+  console.log(JSON.stringify(recordDecision(process.cwd(), options.agent, textParts.join(" "), options.risk), null, 2));
+});
+session.command("handoff").description("Record an agent handoff.").requiredOption("--from <agent>", "Source agent id.").requiredOption("--to <agent>", "Target agent id.").requiredOption("--decision <decision>", "Decision being handed off.").requiredOption("--risk <risk>", "Risk that remains.").option("--evidence <evidence...>", "Evidence paths or notes.").action((options) => {
+  console.log(
+    JSON.stringify(
+      recordHandoff(process.cwd(), {
+        fromAgentId: options.from,
+        toAgentId: options.to,
+        decision: options.decision,
+        risk: options.risk,
+        ...options.evidence ? { evidence: options.evidence } : {}
+      }),
+      null,
+      2
+    )
+  );
+});
+session.command("correct <text...>").description("Record a human correction and optionally promote it to durable rules.").option("--agent <agent>", "Agent id.").option("--scope <scope>", "Correction scope: session, project, agent, upstream-proposal.", "session").action((textParts, options) => {
+  console.log(
+    JSON.stringify(
+      recordCorrection(process.cwd(), {
+        ...options.agent ? { agentId: options.agent } : {},
+        scope: options.scope,
+        text: textParts.join(" ")
+      }),
+      null,
+      2
+    )
+  );
+});
+session.command("artifact").description("Record a changed or relevant artifact path.").requiredOption("--file <file>", "Artifact file path.").option("--note <note>", "Artifact note.").action((options) => {
+  console.log(JSON.stringify(recordArtifact(process.cwd(), options.file, options.note), null, 2));
+});
+session.command("verify").description("Record verification evidence.").requiredOption("--command <command>", "Command or review performed.").requiredOption("--result <result>", "pass, fail, or skipped.").option("--notes <notes>", "Verification notes.").action((options) => {
+  console.log(JSON.stringify(recordVerification(process.cwd(), options.command, options.result, options.notes), null, 2));
+});
+session.command("output <name...>").description("Mark a required session output status.").requiredOption("--status <status>", "missing, partial, complete, or not-applicable.").option("--evidence <evidence>", "Evidence path, command, or note.").action((nameParts, options) => {
+  if (!isRequiredOutputStatus(options.status)) {
+    console.error(`Invalid --status value "${options.status}". Expected one of: ${requiredOutputStatuses.join(", ")}.`);
+    process.exitCode = 1;
+    return;
+  }
+  console.log(JSON.stringify(recordRequiredOutput(process.cwd(), nameParts.join(" "), options.status, options.evidence), null, 2));
+});
+session.command("render").description("Render active session Markdown files.").action(() => {
+  console.log(JSON.stringify(renderActiveSession(process.cwd()), null, 2));
+});
+session.command("close").description("Close the active session.").option("--status <status>", "planned, in-progress, blocked, or complete.", "complete").action((options) => {
+  console.log(JSON.stringify(closeSession(process.cwd(), options.status), null, 2));
+});
+var correction = program.command("correction").description("Manage durable Agent Studio correction rules.");
+correction.command("list").description("List correction rules.").action(() => {
+  console.log(JSON.stringify(listCorrections(process.cwd()), null, 2));
+});
+correction.command("add <text...>").description("Add a durable correction rule.").option("--scope <scope>", "Correction scope: project, agent, or upstream-proposal.", "project").option("--agent <agent>", "Agent id for agent-scoped corrections.").action((textParts, options) => {
+  console.log(
+    JSON.stringify(
+      addCorrection(process.cwd(), {
+        scope: options.scope,
+        ...options.agent ? { agentId: options.agent } : {},
+        text: textParts.join(" ")
+      }),
+      null,
+      2
+    )
+  );
+});
+correction.command("apply [id]").description("Mark a correction rule active and reviewed.").option("--id <id>", "Correction id.").action((idArgument, options) => {
+  const id = idArgument ?? options.id;
+  if (!id) {
+    console.error("Missing correction id. Use agent-kit correction apply <id> or --id <id>.");
+    process.exitCode = 1;
+    return;
+  }
+  console.log(JSON.stringify(applyCorrection(process.cwd(), id), null, 2));
+});
+correction.command("retire <id>").description("Retire a correction rule.").requiredOption("--reason <reason>", "Reason for retirement.").action((id, options) => {
+  console.log(JSON.stringify(retireCorrection(process.cwd(), id, options.reason), null, 2));
+});
+correction.command("propose-upstream <id>").description("Create an upstream proposal from a project or agent correction.").action((id) => {
+  console.log(JSON.stringify(proposeCorrectionUpstream(process.cwd(), id), null, 2));
+});
+var studio = program.command("studio").description("Export local Agent Studio views.");
+studio.command("export").description("Generate a self-contained static Agent Studio HTML file.").action(() => {
+  console.log(JSON.stringify(exportStaticStudio(process.cwd()), null, 2));
+});
+var research = program.command("research").description("Research high-quality open-source repositories.");
+research.command("discover").description("Discover GitHub repo candidates using configured queries.").option("--limit <number>", "Maximum repositories to write.", (value) => Number.parseInt(value, 10)).action(async (options) => {
+  const repos = await discoverRepos({
+    cwd: process.cwd(),
+    ...options.limit === void 0 ? {} : { limit: options.limit }
+  });
+  console.log(`Wrote ${repos.length} candidates to research/repo-candidates.json`);
+});
+research.command("scan").description("Shallow clone candidate repos and write repo findings.").option("--keep-clones", "Keep cloned repositories in research/workdir.").action(async (options) => {
+  const findings = await scanRepos({ cwd: process.cwd(), keepClones: Boolean(options.keepClones) });
+  console.log(`Wrote ${findings.length} findings to research/findings`);
+});
+research.command("summarize").description("Generate category summaries from repo findings.").action(() => {
+  const outputs = summarizeFindings(process.cwd());
+  for (const output of outputs) console.log(output);
+});
+research.command("propose-updates").description("Create a research-to-template update brief.").action(() => {
+  console.log(proposeUpdates(process.cwd()));
+});
+program.parseAsync(process.argv).catch((error) => {
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exitCode = 1;
+});
+//# sourceMappingURL=index.js.map