@cleartrip/frontguard 0.1.0

package/dist/cli.js

@@ -0,0 +1,2220 @@
+#!/usr/bin/env node
+import process2 from 'process';
+import { defineCommand, runMain } from 'citty';
+import fs from 'fs/promises';
+import path from 'path';
+import { createRequire } from 'module';
+import fs4 from 'fs';
+import { pathToFileURL } from 'url';
+import defu from 'defu';
+import { exec } from 'tinyexec';
+import fg from 'fast-glob';
+import pc from 'picocolors';
+
+var WORKFLOW = `name: FrontGuard
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: frontguard-\${{ github.workflow }}-\${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  review-brief:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install dependencies
+        run: |
+          if [ -f pnpm-lock.yaml ]; then
+            corepack enable
+            pnpm install --frozen-lockfile || pnpm install
+          elif [ -f yarn.lock ]; then
+            yarn install --frozen-lockfile || yarn install
+          elif [ -f package-lock.json ]; then
+            npm ci || npm install
+          else
+            npm install
+          fi
+
+      - name: FrontGuard (Phase 1 \u2014 warn-only)
+        run: npx @cleartrip/frontguard run --ci
+        env:
+          GITHUB_TOKEN: \${{ secrets.GITHUB_TOKEN }}
+`;
+var CONFIG = `import { defineConfig } from '@cleartrip/frontguard'
+
+export default defineConfig({
+  mode: 'warn', // or FrontGuard run with \`--enforce\`
+  // extends: '@your-org/frontguard-config/base',
+
+  // Example custom rules (return true when violated):
+  // rules: {
+  //   'no-inline-style': {
+  //     severity: 'warn',
+  //     message: 'Avoid inline style objects',
+  //     check: (file) => file.content.includes('style={{'),
+  //   },
+  // },
+
+  // checks: {
+  //   bundle: { enabled: true, maxDeltaBytes: 50_000, maxTotalBytes: null },
+  //   cycles: { enabled: true },
+  //   deadCode: { enabled: true, gate: 'info' },
+  //   // LLM in CI needs a key in the *runner* (GitHub secret). IDE keys (Cursor Enterprise)
+  //   // are not available in Actions \u2014 use paste workflow instead:
+  //   //   frontguard run --append ./.frontguard/review-notes.md
+  //   // or FRONTGUARD_MANUAL_APPENDIX_FILE / FRONTGUARD_MANUAL_APPENDIX
+  //   llm: {
+  //     enabled: true,
+  //     provider: 'openai',
+  //     apiKeyEnv: 'OPENAI_API_KEY',
+  //   },
+  // },
+})
+`;
+var PR_TEMPLATE = `## Summary
+
+## Why
+
+## How to test
+
+## AI disclosure
+<!-- FrontGuard reads this section. Mark exactly one of Yes / No. -->
+
+- [ ] **Yes** \u2014 AI tools (Cursor, Copilot, ChatGPT, Claude, etc.) helped write or materially refactor code in this PR
+- [ ] **No** \u2014 I did not use AI-generated code for the changes in this PR
+
+If **Yes**, list tools and what they touched (helps reviewers run a stricter first pass):
+
+- Tools: 
+- Areas/files or prompts (short): 
+
+## AI assistance (optional detail)
+- [ ] I have reviewed every AI-suggested line for security, auth, and product correctness
+`;
+async function ensureDir(dir) {
+  await fs.mkdir(dir, { recursive: true });
+}
+async function initFrontGuard(cwd) {
+  const gh = path.join(cwd, ".github", "workflows");
+  await ensureDir(gh);
+  const wfPath = path.join(gh, "frontguard.yml");
+  await fs.writeFile(wfPath, WORKFLOW, "utf8");
+  const cfgPath = path.join(cwd, "frontguard.config.js");
+  try {
+    await fs.access(cfgPath);
+  } catch {
+    await fs.writeFile(cfgPath, CONFIG, "utf8");
+  }
+  const tplRoot = path.join(cwd, ".github");
+  await ensureDir(tplRoot);
+  const tplPath = path.join(tplRoot, "pull_request_template.md");
+  try {
+    await fs.access(tplPath);
+  } catch {
+    await fs.writeFile(tplPath, PR_TEMPLATE, "utf8");
+  }
+}
+
+// src/ci/parse-ai-disclosure.ts
+function extractAiSection(body) {
+  const lines = body.split(/\r?\n/);
+  const idx = lines.findIndex((l) => /^#{1,6}\s+.*\bAI\b/i.test(l.trim()));
+  if (idx < 0) return null;
+  const out = [];
+  for (let j = idx + 1; j < lines.length; j++) {
+    const line = lines[j] ?? "";
+    if (/^##\s+/.test(line)) break;
+    out.push(line);
+  }
+  const text = out.join("\n").trim();
+  return text.length ? text : null;
+}
+function isCheckedItem(line) {
+  return /^\s*-\s*\[[xX]\]/.test(line);
+}
+function parseAiDisclosure(body) {
+  let assisted = false;
+  let explicitNo = false;
+  let ambiguous = false;
+  const section = extractAiSection(body);
+  if (section) {
+    let anyChecked = false;
+    for (const raw of section.split(/\r?\n/)) {
+      const line = raw.trimEnd();
+      if (!isCheckedItem(line)) continue;
+      anyChecked = true;
+      const lower = line.toLowerCase();
+      const saysNo = /\*\*no\*\*/i.test(line) || /\bwithout ai\b/i.test(lower) || /\bdid not use ai\b/i.test(lower) || /\bno\s+ai\b/i.test(lower);
+      const saysYes = /\*\*yes\*\*/i.test(line) || /\byes\s*[—–-]\s*ai\b/i.test(lower) || /\bwere used\b/i.test(lower) || /ai tools.*used/i.test(lower) || /\b(copilot|cursor|chatgpt|claude)\b/i.test(lower);
+      if (saysNo && !saysYes) explicitNo = true;
+      else if (saysYes) assisted = true;
+      else if (/\bai\b/i.test(line) && !saysNo) assisted = true;
+    }
+    if (anyChecked && !assisted && !explicitNo) ambiguous = true;
+  }
+  if (!section && /ai tools were used/i.test(body)) {
+    const checked = /\[[xX]\]\s*AI tools were used/i.test(body);
+    if (checked) assisted = true;
+  }
+  if (explicitNo && assisted) {
+    ambiguous = true;
+    assisted = false;
+    explicitNo = false;
+  }
+  return { assisted, explicitNo, ambiguous };
+}
+
+// src/ci/github.ts
+async function readGithubEvent() {
+  const p = process.env.GITHUB_EVENT_PATH;
+  if (!p) return null;
+  try {
+    const raw = await fs.readFile(p, "utf8");
+    const payload = JSON.parse(raw);
+    const pr = payload.pull_request;
+    if (!pr) return null;
+    const files = (pr.files ?? []).map((f) => f.filename ?? "").filter(Boolean);
+    const body = pr.body ?? "";
+    const ai = parseAiDisclosure(body);
+    return {
+      number: pr.number ?? 0,
+      title: pr.title ?? "",
+      body,
+      baseRef: pr.base?.ref ?? "main",
+      headRef: pr.head?.ref ?? "",
+      additions: pr.additions ?? 0,
+      deletions: pr.deletions ?? 0,
+      changedFiles: pr.changed_files ?? files.length,
+      files,
+      aiAssisted: ai.assisted,
+      aiExplicitNo: ai.explicitNo,
+      aiDisclosureAmbiguous: ai.ambiguous
+    };
+  } catch {
+    return null;
+  }
+}
+var MARKER = "<!-- frontguard:brief -->";
+async function resolvePrNumber() {
+  const raw = process.env.FRONTGUARD_PR_NUMBER ?? process.env.PR_NUMBER;
+  const n = Number(raw);
+  if (Number.isFinite(n) && n > 0) return n;
+  const path14 = process.env.GITHUB_EVENT_PATH;
+  if (!path14) return null;
+  try {
+    const payload = JSON.parse(await fs.readFile(path14, "utf8"));
+    const num = payload.pull_request?.number;
+    return typeof num === "number" && num > 0 ? num : null;
+  } catch {
+    return null;
+  }
+}
+async function upsertBriefComment(body) {
+  const token = process.env.GITHUB_TOKEN;
+  const repo = process.env.GITHUB_REPOSITORY;
+  if (!token || !repo) {
+    return;
+  }
+  const [owner, name] = repo.split("/");
+  if (!owner || !name) return;
+  const prNumber = await resolvePrNumber();
+  if (!prNumber) {
+    return;
+  }
+  const apiBase = process.env.GITHUB_API_URL ?? "https://api.github.com";
+  const headers = {
+    authorization: `Bearer ${token}`,
+    accept: "application/vnd.github+json",
+    "x-github-api-version": "2022-11-28",
+    "content-type": "application/json"
+  };
+  const prefixed = `${MARKER}
+${body}`;
+  const listUrl = `${apiBase}/repos/${owner}/${name}/issues/${prNumber}/comments?per_page=100`;
+  const listRes = await fetch(listUrl, { headers });
+  if (!listRes.ok) {
+    return;
+  }
+  const comments = await listRes.json();
+  const existing = comments.find(
+    (c) => typeof c.body === "string" && c.body.includes(MARKER)
+  );
+  if (existing) {
+    const patchUrl = `${apiBase}/repos/${owner}/${name}/issues/comments/${existing.id}`;
+    await fetch(patchUrl, {
+      method: "PATCH",
+      headers,
+      body: JSON.stringify({ body: prefixed })
+    });
+    return;
+  }
+  const postUrl = `${apiBase}/repos/${owner}/${name}/issues/${prNumber}/comments`;
+  await fetch(postUrl, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({ body: prefixed })
+  });
+}
+
+// src/config/defaults.ts
+var defaultConfig = {
+  mode: "warn",
+  rules: {},
+  checks: {
+    eslint: { enabled: true, glob: "**/*.{js,cjs,mjs,jsx,ts,tsx}" },
+    prettier: {
+      enabled: true,
+      glob: "**/*.{js,cjs,mjs,jsx,ts,tsx,json,md,css,scss,yml,yaml}"
+    },
+    typescript: { enabled: true },
+    secrets: { enabled: true },
+    prHygiene: {
+      enabled: true,
+      minBodyLength: 80,
+      requireSections: false,
+      sectionHints: ["what", "why", "test", "how to test", "screenshot"],
+      requireAiDisclosureSection: true,
+      gateWhenAiDisclosureAmbiguous: "warn"
+    },
+    aiAssistedReview: {
+      enabled: true,
+      gate: "warn",
+      escalate: {
+        secretFindingsToBlock: true,
+        tsAnyDeltaToBlock: true
+      }
+    },
+    prSize: { warnLines: 400, softBlockLines: 800 },
+    tsAnyDelta: {
+      enabled: true,
+      gate: "warn",
+      baseRef: "main",
+      maxAdded: 0
+    },
+    cycles: {
+      enabled: false,
+      gate: "warn",
+      entries: ["src"],
+      extraArgs: []
+    },
+    deadCode: {
+      enabled: false,
+      gate: "info",
+      extraArgs: [],
+      maxReportLines: 80
+    },
+    bundle: {
+      enabled: false,
+      gate: "warn",
+      runBuild: true,
+      buildCommand: "npm run build",
+      measureGlobs: ["dist/**/*", "build/static/**/*", ".next/static/**/*"],
+      baselinePath: ".frontguard/bundle-baseline.json",
+      maxDeltaBytes: null,
+      maxTotalBytes: null
+    },
+    cwv: {
+      enabled: true,
+      gate: "warn",
+      scanGlobs: ["app/**/*.{tsx,jsx}", "pages/**/*.{tsx,jsx}", "src/**/*.{tsx,jsx}"],
+      maxFileBytes: 4e5
+    },
+    llm: {
+      enabled: false,
+      provider: "openai",
+      model: "gpt-4o-mini",
+      apiKeyEnv: "OPENAI_API_KEY",
+      maxDiffChars: 48e3,
+      timeoutMs: 6e4
+    }
+  }
+};
+
+// src/config/load.ts
+var CONFIG_NAMES = [
+  "frontguard.config.js",
+  "frontguard.config.mjs",
+  "frontguard.config.cjs"
+];
+async function importConfig(absolutePath) {
+  const url = pathToFileURL(absolutePath).href;
+  return import(url);
+}
+function normalizeExport(mod) {
+  if (mod && typeof mod === "object" && "default" in mod && mod.default) {
+    return mod.default;
+  }
+  return mod;
+}
+function stripExtends(c) {
+  const { extends: _e, ...rest } = c;
+  return rest;
+}
+async function loadExtendsLayer(cwd, spec) {
+  if (!spec) return {};
+  const req = createRequire(path.join(cwd, "package.json"));
+  const specs = Array.isArray(spec) ? spec : [spec];
+  let merged = {};
+  for (const s of specs) {
+    try {
+      const resolved = req.resolve(s);
+      const mod = await import(pathToFileURL(resolved).href);
+      const layer = normalizeExport(
+        mod
+      );
+      merged = defu(stripExtends(layer), merged);
+    } catch {
+    }
+  }
+  return merged;
+}
+async function loadConfig(cwd) {
+  let userFile = null;
+  for (const name of CONFIG_NAMES) {
+    const full = path.join(cwd, name);
+    if (!fs4.existsSync(full)) continue;
+    try {
+      const mod = await importConfig(full);
+      userFile = normalizeExport(mod);
+      break;
+    } catch {
+      continue;
+    }
+  }
+  const extendsSpec = userFile?.extends;
+  const orgLayer = await loadExtendsLayer(cwd, extendsSpec);
+  const user = userFile ? stripExtends(userFile) : {};
+  const base = structuredClone(defaultConfig);
+  const withOrg = defu(orgLayer, base);
+  return defu(user, withOrg);
+}
+function allDeps(pkg) {
+  return {
+    ...pkg.peerDependencies,
+    ...pkg.devDependencies,
+    ...pkg.dependencies
+  };
+}
+function hasDep(deps, name) {
+  return Object.prototype.hasOwnProperty.call(deps, name);
+}
+async function detectStack(cwd) {
+  let pkg = {};
+  try {
+    const raw = await fs.readFile(path.join(cwd, "package.json"), "utf8");
+    pkg = JSON.parse(raw);
+  } catch {
+    return {
+      isMonorepo: false,
+      hasTypeScript: false,
+      hasReact: false,
+      hasNext: false,
+      hasReactNative: false,
+      hasJest: false,
+      hasVitest: false,
+      hasPlaywright: false,
+      packageManager: "unknown",
+      tsStrict: null
+    };
+  }
+  const deps = allDeps(pkg);
+  const isMonorepo = Boolean(pkg.workspaces);
+  let tsStrict = null;
+  try {
+    const tsconfigPath = path.join(cwd, "tsconfig.json");
+    const tsRaw = await fs.readFile(tsconfigPath, "utf8");
+    const ts = JSON.parse(tsRaw);
+    if (typeof ts.compilerOptions?.strict === "boolean") {
+      tsStrict = ts.compilerOptions.strict;
+    }
+  } catch {
+  }
+  let pm = "unknown";
+  try {
+    await fs.access(path.join(cwd, "pnpm-lock.yaml"));
+    pm = "pnpm";
+  } catch {
+    try {
+      await fs.access(path.join(cwd, "yarn.lock"));
+      pm = "yarn";
+    } catch {
+      try {
+        await fs.access(path.join(cwd, "package-lock.json"));
+        pm = "npm";
+      } catch {
+        pm = "npm";
+      }
+    }
+  }
+  return {
+    isMonorepo,
+    hasTypeScript: hasDep(deps, "typescript") || Boolean(tsStrict !== null),
+    hasReact: hasDep(deps, "react"),
+    hasNext: hasDep(deps, "next"),
+    hasReactNative: hasDep(deps, "react-native"),
+    hasJest: hasDep(deps, "jest"),
+    hasVitest: hasDep(deps, "vitest"),
+    hasPlaywright: hasDep(deps, "@playwright/test"),
+    packageManager: pm,
+    tsStrict
+  };
+}
+async function pathExists(file) {
+  try {
+    await fs.access(file);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function resolveBin(cwd, name) {
+  const local = path.join(cwd, "node_modules", ".bin", name);
+  if (await pathExists(local)) return local;
+  const win = local + ".cmd";
+  if (await pathExists(win)) return win;
+  return null;
+}
+async function runNpmBinary(cwd, name, args) {
+  try {
+    const bin = await resolveBin(cwd, name);
+    if (bin) {
+      const r2 = await exec(bin, args, { nodeOptions: { cwd } });
+      return {
+        exitCode: r2.exitCode ?? 0,
+        stdout: r2.stdout ?? "",
+        stderr: r2.stderr ?? ""
+      };
+    }
+    let r = await exec("npx", ["--no-install", name, ...args], { nodeOptions: { cwd } });
+    if ((r.exitCode ?? 0) !== 0) {
+      r = await exec("npx", [name, ...args], { nodeOptions: { cwd } });
+    }
+    return {
+      exitCode: r.exitCode ?? 0,
+      stdout: r.stdout ?? "",
+      stderr: r.stderr ?? ""
+    };
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    return {
+      exitCode: 127,
+      stdout: "",
+      stderr: msg
+    };
+  }
+}
+async function runNpx(cwd, args) {
+  try {
+    const r = await exec("npx", args, { nodeOptions: { cwd } });
+    return {
+      exitCode: r.exitCode ?? 0,
+      stdout: r.stdout ?? "",
+      stderr: r.stderr ?? ""
+    };
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    return {
+      exitCode: 127,
+      stdout: "",
+      stderr: msg
+    };
+  }
+}
+
+// src/checks/eslint.ts
+async function hasEslintDependency(cwd) {
+  try {
+    const raw = await fs.readFile(path.join(cwd, "package.json"), "utf8");
+    const p = JSON.parse(raw);
+    return Boolean(p.devDependencies?.eslint || p.dependencies?.eslint);
+  } catch {
+    return false;
+  }
+}
+async function hasEslintConfig(cwd) {
+  const candidates = [
+    "eslint.config.js",
+    "eslint.config.mjs",
+    "eslint.config.cjs",
+    ".eslintrc",
+    ".eslintrc.json",
+    ".eslintrc.cjs",
+    ".eslintrc.yaml",
+    ".eslintrc.yml"
+  ];
+  for (const c of candidates) {
+    if (await pathExists(path.join(cwd, c))) return true;
+  }
+  return false;
+}
+function meaningfulStderr(stderr) {
+  return stderr.split("\n").filter((l) => l.trim() && !/^npm warn\b/i.test(l)).join("\n").trim();
+}
+async function runEslint(cwd, config, _stack) {
+  const t0 = performance.now();
+  if (!config.checks.eslint.enabled) {
+    return {
+      checkId: "eslint",
+      findings: [],
+      durationMs: 0,
+      skipped: "disabled in config"
+    };
+  }
+  const configured = await hasEslintConfig(cwd);
+  const dep = await hasEslintDependency(cwd);
+  if (!configured && !dep) {
+    return {
+      checkId: "eslint",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "ESLint not installed or configured"
+    };
+  }
+  const glob = config.checks.eslint.glob ?? "**/*.{js,cjs,mjs,jsx,ts,tsx}";
+  const args = [
+    glob,
+    "--max-warnings",
+    "0",
+    "--no-error-on-unmatched-pattern",
+    "-f",
+    "json"
+  ];
+  const { exitCode, stdout, stderr } = await runNpmBinary(cwd, "eslint", args);
+  const errText = meaningfulStderr(stderr);
+  const findings = [];
+  if (exitCode === 0) {
+    if (errText) {
+      findings.push({
+        id: "eslint-stderr",
+        severity: "warn",
+        message: "ESLint wrote to stderr",
+        detail: truncate(errText, 4e3)
+      });
+    }
+    return {
+      checkId: "eslint",
+      findings,
+      durationMs: Math.round(performance.now() - t0)
+    };
+  }
+  try {
+    const rows = JSON.parse(stdout);
+    let n = 0;
+    for (const row of rows) {
+      for (const m of row.messages) {
+        if (n++ >= 40) break;
+        findings.push({
+          id: `eslint-${m.ruleId ?? "unknown"}`,
+          severity: "warn",
+          message: m.message,
+          file: row.filePath,
+          detail: m.line ? `line ${m.line}` : void 0
+        });
+      }
+    }
+    if (n === 0) {
+      findings.push({
+        id: "eslint-failed",
+        severity: "warn",
+        message: "ESLint exited with a non-zero status",
+        detail: truncate(
+          [stdout, errText].filter(Boolean).join("\n") || `exit ${exitCode}`,
+          4e3
+        )
+      });
+    }
+  } catch {
+    findings.push({
+      id: "eslint-failed",
+      severity: "warn",
+      message: "ESLint exited with errors",
+      detail: truncate(
+        [stdout, errText].filter(Boolean).join("\n") || `exit ${exitCode}`,
+        4e3
+      )
+    });
+  }
+  return {
+    checkId: "eslint",
+    findings,
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function truncate(s, max) {
+  if (s.length <= max) return s;
+  return s.slice(0, max) + "\u2026";
+}
+
+// src/checks/prettier.ts
+async function runPrettier(cwd, config) {
+  const t0 = performance.now();
+  if (!config.checks.prettier.enabled) {
+    return {
+      checkId: "prettier",
+      findings: [],
+      durationMs: 0,
+      skipped: "disabled in config"
+    };
+  }
+  const glob = config.checks.prettier.glob ?? "**/*.{js,cjs,mjs,jsx,ts,tsx,json,md,css,scss,yml,yaml}";
+  const { exitCode, stdout, stderr } = await runNpmBinary(cwd, "prettier", [
+    "--check",
+    glob,
+    "--ignore-unknown"
+  ]);
+  const findings = [];
+  if (exitCode === 127 || /command not found|not recognized|ENOENT/i.test(stderr)) {
+    return {
+      checkId: "prettier",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "prettier binary not found (install prettier or use npx)"
+    };
+  }
+  if (exitCode !== 0) {
+    const blob = [stdout, stderr].filter(Boolean).join("\n").trim();
+    findings.push({
+      id: "prettier-check",
+      severity: "warn",
+      message: "Prettier reported formatting differences",
+      detail: blob ? truncate2(blob, 6e3) : `exit ${exitCode}`
+    });
+  }
+  return {
+    checkId: "prettier",
+    findings,
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function truncate2(s, max) {
+  if (s.length <= max) return s;
+  return s.slice(0, max) + "\u2026";
+}
+async function runTypeScript(cwd, config, stack) {
+  const t0 = performance.now();
+  if (!config.checks.typescript.enabled) {
+    return {
+      checkId: "typescript",
+      findings: [],
+      durationMs: 0,
+      skipped: "disabled in config"
+    };
+  }
+  const hasTs = stack.hasTypeScript || await pathExists(path.join(cwd, "tsconfig.json"));
+  if (!hasTs) {
+    return {
+      checkId: "typescript",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "no TypeScript project detected"
+    };
+  }
+  const args = ["--noEmit", ...config.checks.typescript.tscArgs ?? []];
+  const { exitCode, stdout, stderr } = await runNpmBinary(cwd, "tsc", args);
+  const findings = [];
+  if (exitCode === 127 || /command not found|not recognized|ENOENT/i.test(stderr)) {
+    return {
+      checkId: "typescript",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "typescript compiler not found"
+    };
+  }
+  if (exitCode !== 0) {
+    const out = [stdout, stderr].filter(Boolean).join("\n").trim();
+    findings.push({
+      id: "tsc",
+      severity: "warn",
+      message: "TypeScript compiler reported diagnostics",
+      detail: out ? truncate3(out, 8e3) : `exit ${exitCode}`
+    });
+  }
+  return {
+    checkId: "typescript",
+    findings,
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function truncate3(s, max) {
+  if (s.length <= max) return s;
+  return s.slice(0, max) + "\u2026";
+}
+var PATTERNS = [
+  {
+    id: "aws-access-key",
+    re: /AKIA[0-9A-Z]{16}/,
+    message: "Possible AWS access key id"
+  },
+  {
+    id: "github-pat",
+    re: /\bghp_[a-zA-Z0-9]{20,}\b/,
+    message: "Possible GitHub personal access token"
+  },
+  {
+    id: "openai-sk",
+    re: /\bsk-[a-zA-Z0-9]{20,}\b/,
+    message: "Possible OpenAI-style API secret"
+  },
+  {
+    id: "private-key-block",
+    re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
+    message: "Private key material in source"
+  }
+];
+var TEXT_EXT = /* @__PURE__ */ new Set([
+  ".ts",
+  ".tsx",
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".cjs",
+  ".json",
+  ".md",
+  ".yml",
+  ".yaml",
+  ".env",
+  ".txt"
+]);
+async function runSecrets(cwd, config, pr) {
+  const t0 = performance.now();
+  if (!config.checks.secrets.enabled) {
+    return {
+      checkId: "secrets",
+      findings: [],
+      durationMs: 0,
+      skipped: "disabled in config"
+    };
+  }
+  const findings = [];
+  let globs;
+  if (pr?.files.length) {
+    globs = pr.files.filter((f) => isProbablyTextFile(f));
+  } else {
+    globs = await fg(
+      [
+        "**/*.{ts,tsx,js,jsx,mjs,cjs,json,md,yml,yaml,env}",
+        "!**/node_modules/**",
+        "!**/dist/**",
+        "!**/.next/**",
+        "!**/build/**",
+        "!**/coverage/**"
+      ],
+      { cwd, onlyFiles: true, dot: false }
+    );
+  }
+  const maxFiles = 200;
+  let scanned = 0;
+  for (const rel of globs) {
+    if (scanned++ > maxFiles) {
+      findings.push({
+        id: "secrets-cap",
+        severity: "info",
+        message: `Secret scan capped after ${maxFiles} files (run on PR for narrower scope)`
+      });
+      break;
+    }
+    const full = path.join(cwd, rel);
+    let content;
+    try {
+      content = await fs.readFile(full, "utf8");
+    } catch {
+      continue;
+    }
+    if (content.length > 5e5) continue;
+    for (const { id, re, message } of PATTERNS) {
+      if (re.test(content)) {
+        findings.push({
+          id,
+          severity: "warn",
+          message,
+          file: rel
+        });
+      }
+    }
+  }
+  return {
+    checkId: "secrets",
+    findings,
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function isProbablyTextFile(rel) {
+  const ext = path.extname(rel).toLowerCase();
+  return TEXT_EXT.has(ext);
+}
+
+// src/checks/pr-hygiene.ts
+function runPrHygiene(config, pr) {
+  const t0 = performance.now();
+  if (!config.checks.prHygiene.enabled) {
+    return {
+      checkId: "pr-hygiene",
+      findings: [],
+      durationMs: 0,
+      skipped: "disabled in config"
+    };
+  }
+  if (!pr) {
+    return {
+      checkId: "pr-hygiene",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "not running in GitHub pull_request context"
+    };
+  }
+  const findings = [];
+  const body = (pr.body ?? "").trim();
+  const min = config.checks.prHygiene.minBodyLength;
+  if (body.length < min) {
+    findings.push({
+      id: "pr-body-short",
+      severity: "warn",
+      message: `PR description is shorter than ${min} characters`,
+      detail: `Current length: ${body.length}`
+    });
+  }
+  const lower = body.toLowerCase();
+  const hints = config.checks.prHygiene.sectionHints;
+  const missing = hints.filter((h) => !sectionMentioned(lower, h));
+  if (missing.length > 0) {
+    findings.push({
+      id: "pr-sections",
+      severity: config.checks.prHygiene.requireSections ? "warn" : "info",
+      message: `PR description may be missing suggested sections: ${missing.join(", ")}`
+    });
+  }
+  if (config.checks.prHygiene.requireAiDisclosureSection) {
+    const hasAiHeader = /^#{1,6}\s+.*\bAI\b/im.test(body);
+    if (!hasAiHeader) {
+      findings.push({
+        id: "pr-ai-section-missing",
+        severity: "warn",
+        message: "PR is missing an **AI disclosure** section (e.g. `## AI disclosure`). Mark whether this PR used AI tools."
+      });
+    }
+  }
+  if (pr.aiDisclosureAmbiguous) {
+    findings.push({
+      id: "pr-ai-disclosure-ambiguous",
+      severity: config.checks.prHygiene.gateWhenAiDisclosureAmbiguous,
+      message: "AI disclosure checkboxes look ambiguous \u2014 please mark **Yes** or **No** clearly in the AI section."
+    });
+  }
+  if (pr.aiAssisted) {
+    findings.push({
+      id: "pr-ai-flag",
+      severity: "warn",
+      message: "**AI-assisted PR:** FrontGuard is applying stricter static checks and may escalate secrets / `any` deltas. Verify business logic, auth, and data handling manually."
+    });
+  }
+  if (pr.aiExplicitNo) {
+    findings.push({
+      id: "pr-ai-explicit-no",
+      severity: "info",
+      message: "Author indicated **no AI** for code generation \u2014 standard review profile."
+    });
+  }
+  return {
+    checkId: "pr-hygiene",
+    findings,
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function sectionMentioned(body, hint) {
+  const h = hint.toLowerCase();
+  if (h === "what") {
+    return /\bwhat\b/.test(body) || /##\s*summary/.test(body) || /##\s*context/.test(body);
+  }
+  if (h === "why") {
+    return /\bwhy\b/.test(body) || /motivation/.test(body) || /##\s*rationale/.test(body);
+  }
+  if (h === "test" || h === "how to test") {
+    return /how to test/.test(body) || /\btesting\b/.test(body) || /##\s*test/.test(body) || /qa\s*steps/.test(body);
+  }
+  if (h === "screenshot") {
+    return /screenshot|screen recording|loom|recording/i.test(body);
+  }
+  return body.includes(h);
+}
+
+// src/checks/pr-size.ts
+function runPrSize(config, pr) {
+  const t0 = performance.now();
+  if (!pr) {
+    return {
+      checkId: "pr-size",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "not running in GitHub pull_request context"
+    };
+  }
+  const findings = [];
+  const lines = pr.additions + pr.deletions;
+  const { warnLines, softBlockLines } = config.checks.prSize;
+  if (lines >= softBlockLines) {
+    findings.push({
+      id: "pr-size-large",
+      severity: "warn",
+      message: `PR is very large (${lines} lines changed; \u2265 ${softBlockLines})`,
+      detail: "Consider splitting to improve review quality."
+    });
+  } else if (lines >= warnLines) {
+    findings.push({
+      id: "pr-size-medium",
+      severity: "info",
+      message: `PR size is elevated (${lines} lines changed; \u2265 ${warnLines})`
+    });
+  }
+  return {
+    checkId: "pr-size",
+    findings,
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+async function gitOk(cwd) {
+  try {
+    const r = await exec("git", ["rev-parse", "--is-inside-work-tree"], {
+      nodeOptions: { cwd }
+    });
+    return (r.stdout ?? "").trim() === "true";
+  } catch {
+    return false;
+  }
+}
+async function gitDiffPatch(cwd, baseRef, pathspecs) {
+  if (pathspecs.length === 0) return null;
+  try {
+    const r = await exec(
+      "git",
+      ["diff", `${baseRef}...HEAD`, "--unified=1", "--no-color", "--", ...pathspecs],
+      { nodeOptions: { cwd } }
+    );
+    return r.stdout ?? "";
+  } catch {
+    return null;
+  }
+}
+async function gitDiffForReview(cwd, baseRef, maxChars) {
+  try {
+    const r = await exec(
+      "git",
+      ["diff", `${baseRef}...HEAD`, "--unified=2", "--no-color"],
+      {
+        nodeOptions: { cwd }
+      }
+    );
+    let s = r.stdout ?? "";
+    if (s.length > maxChars) {
+      s = s.slice(0, maxChars) + "\n\u2026(truncated)\n";
+    }
+    return s;
+  } catch {
+    return "";
+  }
+}
+async function resolveDiffBaseRef(cwd, fallback) {
+  const gh = process.env.GITHUB_BASE_REF;
+  if (gh) {
+    const origin = `origin/${gh}`;
+    try {
+      await exec("git", ["rev-parse", "--verify", origin], { nodeOptions: { cwd } });
+      return origin;
+    } catch {
+    }
+  }
+  try {
+    const cand = fallback.includes("/") ? fallback : `origin/${fallback}`;
+    await exec("git", ["rev-parse", "--verify", cand], { nodeOptions: { cwd } });
+    return cand;
+  } catch {
+    try {
+      await exec("git", ["rev-parse", "--verify", fallback], { nodeOptions: { cwd } });
+      return fallback;
+    } catch {
+      return fallback;
+    }
+  }
+}
+
+// src/checks/ts-any-delta.ts
+function gateSeverity(g) {
+  return g === "block" ? "block" : g === "info" ? "info" : "warn";
+}
+function countAddedAnyInPatch(patch) {
+  let n = 0;
+  for (const raw of patch.split("\n")) {
+    if (!raw.startsWith("+") || raw.startsWith("+++")) continue;
+    const line = raw.slice(1);
+    if (/^\s*\/(\/|\*)/.test(line)) continue;
+    const patterns = [
+      /:\s*any\b/g,
+      /\bas\s+any\b/g,
+      /<\s*any\s*>/g,
+      /\bReadonlyArray\s*<\s*any\s*>/g,
+      /\bArray\s*<\s*any\s*>/g,
+      /\bRecord\s*<\s*[^,]+,\s*any\s*>/g
+    ];
+    for (const p of patterns) {
+      const m = line.match(p);
+      if (m) n += m.length;
+    }
+  }
+  return n;
+}
+async function runTsAnyDelta(cwd, config, stack) {
+  const t0 = performance.now();
+  const cfg = config.checks.tsAnyDelta;
+  if (!cfg.enabled || !stack.hasTypeScript) {
+    return {
+      checkId: "ts-any-delta",
+      findings: [],
+      durationMs: 0,
+      skipped: !cfg.enabled ? "disabled in config" : "no TypeScript"
+    };
+  }
+  if (!await gitOk(cwd)) {
+    return {
+      checkId: "ts-any-delta",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "not a git repository"
+    };
+  }
+  const base = await resolveDiffBaseRef(cwd, cfg.baseRef);
+  const patch = await gitDiffPatch(cwd, base, ["*.ts", "*.tsx", "*.mts", "*.cts"]) ?? "";
+  if (!patch.trim()) {
+    return {
+      checkId: "ts-any-delta",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "no diff vs base (fetch depth or base ref?)"
+    };
+  }
+  const added = countAddedAnyInPatch(patch);
+  const findings = [];
+  if (added === 0) {
+    return {
+      checkId: "ts-any-delta",
+      findings,
+      durationMs: Math.round(performance.now() - t0)
+    };
+  }
+  const overBudget = cfg.maxAdded > 0 && added > cfg.maxAdded;
+  const shouldGate = cfg.maxAdded === 0 ? added > 0 : overBudget;
+  const severity = shouldGate ? gateSeverity(cfg.gate) : "info";
+  findings.push({
+    id: "ts-any-added",
+    severity,
+    message: shouldGate ? cfg.maxAdded > 0 ? `Added ~${added} new \`any\` usages (budget ${cfg.maxAdded})` : `Added ~${added} new \`any\` usages in the PR diff` : `Added ~${added} new \`any\` usages (within budget ${cfg.maxAdded})`,
+    detail: `merge-base: ${base}`
+  });
+  return {
+    checkId: "ts-any-delta",
+    findings,
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function gateSeverity2(g) {
+  return g === "block" ? "block" : g === "info" ? "info" : "warn";
+}
+async function runCycles(cwd, config, stack) {
+  const t0 = performance.now();
+  const cfg = config.checks.cycles;
+  if (!cfg.enabled || !stack.hasTypeScript) {
+    return {
+      checkId: "cycles",
+      findings: [],
+      durationMs: 0,
+      skipped: !cfg.enabled ? "disabled in config" : "no TypeScript"
+    };
+  }
+  let entry = cfg.entries[0] ?? "src";
+  for (const e of cfg.entries) {
+    if (await pathExists(path.join(cwd, e))) {
+      entry = e;
+      break;
+    }
+  }
+  if (!await pathExists(path.join(cwd, entry))) {
+    return {
+      checkId: "cycles",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: `entry path not found (${entry})`
+    };
+  }
+  const args = [
+    "-y",
+    "madge@6",
+    entry,
+    "--extensions",
+    "ts,tsx,js,jsx",
+    "--circular",
+    ...cfg.extraArgs
+  ];
+  const { exitCode, stdout, stderr } = await runNpx(cwd, args);
+  const out = [stdout, stderr].filter(Boolean).join("\n").trim();
+  if (exitCode === 127 || /command not found|not recognized|ENOENT/i.test(stderr)) {
+    return {
+      checkId: "cycles",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "npx/madge not available"
+    };
+  }
+  const findings = [];
+  const cyclic = exitCode !== 0 && /circular|Circular|\(circular\)/i.test(out);
+  if (cyclic) {
+    findings.push({
+      id: "import-cycle",
+      severity: gateSeverity2(cfg.gate),
+      message: "Circular dependencies detected (madge)",
+      detail: truncate4(out || `exit ${exitCode}`, 12e3)
+    });
+  } else if (exitCode !== 0) {
+    findings.push({
+      id: "madge-error",
+      severity: "info",
+      message: "madge exited non-zero \u2014 verify entry/extensions or install deps locally",
+      detail: truncate4(out || `exit ${exitCode}`, 8e3)
+    });
+  }
+  return {
+    checkId: "cycles",
+    findings,
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function truncate4(s, max) {
+  if (s.length <= max) return s;
+  return s.slice(0, max) + "\u2026";
+}
+
+// src/checks/dead-code.ts
+function gateSeverity3(g) {
+  return g === "block" ? "block" : g === "info" ? "info" : "warn";
+}
+async function runDeadCode(cwd, config, stack, pr) {
+  const t0 = performance.now();
+  const cfg = config.checks.deadCode;
+  if (!cfg.enabled || !stack.hasTypeScript) {
+    return {
+      checkId: "dead-code",
+      findings: [],
+      durationMs: 0,
+      skipped: !cfg.enabled ? "disabled in config" : "no TypeScript"
+    };
+  }
+  const args = ["-y", "ts-prune", ...cfg.extraArgs];
+  const { exitCode, stdout, stderr } = await runNpx(cwd, args);
+  if (exitCode === 127 || /command not found|not recognized|ENOENT/i.test(stderr)) {
+    return {
+      checkId: "dead-code",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "npx/ts-prune not available"
+    };
+  }
+  const raw = (stdout || "").trim();
+  const lines = raw.split("\n").map((l) => l.trim()).filter((l) => l && /^[\w./\\~-]+[^\s]*\s*-\s*.+/.test(l));
+  if (lines.length === 0) {
+    return {
+      checkId: "dead-code",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0)
+    };
+  }
+  const prFiles = pr?.files?.length ? new Set(pr.files.map((f) => f.replace(/\\/g, "/"))) : null;
+  const relevant = prFiles ? lines.filter((l) => {
+    const file = l.split(/\s*-\s*/)[0]?.trim();
+    if (!file) return false;
+    return [...prFiles].some((p) => p === file || p.endsWith(file));
+  }) : lines;
+  const report = (relevant.length ? relevant : lines).slice(0, cfg.maxReportLines).join("\n");
+  const findings = [
+    {
+      id: "ts-prune",
+      severity: gateSeverity3(cfg.gate),
+      message: prFiles ? `Potentially unused exports (${relevant.length} on touched files; ${lines.length} total)` : `Potentially unused exports reported by ts-prune (${lines.length})`,
+      detail: report
+    }
+  ];
+  return {
+    checkId: "dead-code",
+    findings,
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function gateSeverity4(g) {
+  return g === "block" ? "block" : g === "info" ? "info" : "warn";
+}
+async function sumGlobBytes(cwd, patterns) {
+  let total = 0;
+  for (const pattern of patterns) {
+    const files = await fg(pattern, {
+      cwd,
+      onlyFiles: true,
+      dot: false,
+      ignore: ["**/node_modules/**"]
+    });
+    for (const rel of files) {
+      try {
+        const st = await fs.stat(path.join(cwd, rel));
+        total += st.size;
+      } catch {
+      }
+    }
+  }
+  return total;
+}
+async function readBaseline(cwd, relPath, baseRef) {
+  const disk = path.join(cwd, relPath);
+  try {
+    const raw = await fs.readFile(disk, "utf8");
+    return JSON.parse(raw);
+  } catch {
+  }
+  if (!baseRef) return null;
+  try {
+    const r = await exec("git", ["show", `${baseRef}:${relPath}`], {
+      nodeOptions: { cwd }
+    });
+    if ((r.exitCode ?? 0) !== 0) return null;
+    return JSON.parse((r.stdout ?? "").trim());
+  } catch {
+    return null;
+  }
+}
+async function gitOkQuick(cwd) {
+  try {
+    const r = await exec("git", ["rev-parse", "--is-inside-work-tree"], {
+      nodeOptions: { cwd }
+    });
+    return (r.stdout ?? "").trim() === "true";
+  } catch {
+    return false;
+  }
+}
+function tokenizeCommand(cmd) {
+  return cmd.trim().split(/\s+/).map((t) => t.trim()).filter(Boolean);
+}
+async function runBundle(cwd, config, stack) {
+  const t0 = performance.now();
+  const cfg = config.checks.bundle;
+  if (!cfg.enabled) {
+    return {
+      checkId: "bundle",
+      findings: [],
+      durationMs: 0,
+      skipped: "disabled in config"
+    };
+  }
+  if (stack.hasReactNative && !stack.hasNext) {
+    return {
+      checkId: "bundle",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "skipped for React Native (configure web artifacts if needed)"
+    };
+  }
+  if (cfg.runBuild) {
+    const parts = tokenizeCommand(cfg.buildCommand);
+    if (parts.length === 0) {
+      return {
+        checkId: "bundle",
+        findings: [
+          {
+            id: "bundle-cmd",
+            severity: "warn",
+            message: "`checks.bundle.buildCommand` is empty"
+          }
+        ],
+        durationMs: Math.round(performance.now() - t0)
+      };
+    }
+    const [bin, ...args] = parts;
+    const res = await exec(bin, args, { nodeOptions: { cwd } });
+    if ((res.exitCode ?? 0) !== 0) {
+      return {
+        checkId: "bundle",
+        findings: [
+          {
+            id: "bundle-build",
+            severity: gateSeverity4(cfg.gate),
+            message: "Build command failed \u2014 cannot measure bundle",
+            detail: [res.stdout, res.stderr].filter(Boolean).join("\n").slice(0, 8e3)
+          }
+        ],
+        durationMs: Math.round(performance.now() - t0)
+      };
+    }
+  }
+  const total = await sumGlobBytes(cwd, cfg.measureGlobs);
+  if (total === 0) {
+    return {
+      checkId: "bundle",
+      findings: [
+        {
+          id: "bundle-empty",
+          severity: "info",
+          message: "No bundle artifacts matched `measureGlobs` \u2014 configure paths or run a web build"
+        }
+      ],
+      durationMs: Math.round(performance.now() - t0)
+    };
+  }
+  const baseRef = await gitOkQuick(cwd) ? await resolveDiffBaseRef(cwd, config.checks.tsAnyDelta.baseRef) : null;
+  const baseline = await readBaseline(cwd, cfg.baselinePath, baseRef);
+  const findings = [];
+  const infoLines = [
+    `Measured ${total} bytes (${(total / 1024 / 1024).toFixed(2)} MiB)`,
+    baseline ? `Baseline from \`${cfg.baselinePath}\`: ${baseline.totalBytes} bytes` : `No baseline at \`${cfg.baselinePath}\` (commit a baseline JSON to compare)`
+  ].join("\n");
+  if (cfg.maxTotalBytes != null && total > cfg.maxTotalBytes) {
+    findings.push({
+      id: "bundle-max-total",
+      severity: gateSeverity4(cfg.gate),
+      message: `Bundle size ${total} bytes exceeds maxTotalBytes (${cfg.maxTotalBytes})`,
+      detail: infoLines
+    });
+  }
+  if (baseline && cfg.maxDeltaBytes != null) {
+    const delta = total - baseline.totalBytes;
+    if (delta > cfg.maxDeltaBytes) {
+      findings.push({
+        id: "bundle-delta",
+        severity: gateSeverity4(cfg.gate),
+        message: `Bundle grew by ${delta} bytes vs baseline (limit ${cfg.maxDeltaBytes})`,
+        detail: infoLines
+      });
+    }
+  }
+  if (findings.length === 0 && !baseline && (cfg.maxDeltaBytes != null || cfg.maxTotalBytes != null)) {
+    findings.push({
+      id: "bundle-baseline-missing",
+      severity: "info",
+      message: "Baseline file missing \u2014 delta/total gates need a committed `.frontguard/bundle-baseline.json`",
+      detail: infoLines
+    });
+  }
+  if (findings.length === 0) {
+    findings.push({
+      id: "bundle-ok",
+      severity: "info",
+      message: "Bundle measurement complete",
+      detail: infoLines
+    });
+  }
+  return {
+    checkId: "bundle",
+    findings,
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function gateSeverity5(g) {
+  return g === "block" ? "block" : g === "info" ? "info" : "warn";
+}
+async function runCwv(cwd, config, stack, pr) {
+  const t0 = performance.now();
+  const cfg = config.checks.cwv;
+  if (!cfg.enabled) {
+    return {
+      checkId: "cwv",
+      findings: [],
+      durationMs: 0,
+      skipped: "disabled in config"
+    };
+  }
+  if (stack.hasReactNative && !stack.hasNext) {
+    return {
+      checkId: "cwv",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "skipped for React Native"
+    };
+  }
+  const prSet = pr?.files?.length ? new Set(pr.files.map((f) => f.replace(/\\/g, "/"))) : null;
+  const files = await fg(cfg.scanGlobs, {
+    cwd,
+    onlyFiles: true,
+    ignore: ["**/node_modules/**", "**/*.test.*", "**/*.spec.*"]
+  });
+  const toScan = prSet ? files.filter((f) => [...prSet].some((p) => p === f || p.endsWith(f))) : files;
+  const findings = [];
+  const sev2 = gateSeverity5(cfg.gate);
+  for (const rel of toScan.slice(0, 400)) {
+    const full = path.join(cwd, rel);
+    let text;
+    try {
+      text = await fs.readFile(full, "utf8");
+    } catch {
+      continue;
+    }
+    if (text.length > cfg.maxFileBytes) continue;
+    if (stack.hasNext && /<img\b/i.test(text) && !/from\s+['"]next\/image['"]/.test(text)) {
+      findings.push({
+        id: "cwv-img-tag",
+        severity: sev2,
+        message: "Raw `<img>` detected \u2014 prefer `next/image` for LCP-friendly delivery",
+        file: rel
+      });
+    }
+    if (/dangerouslySetInnerHTML/i.test(text)) {
+      findings.push({
+        id: "cwv-dsh",
+        severity: "warn",
+        message: "`dangerouslySetInnerHTML` can impact main-thread work \u2014 validate necessity",
+        file: rel
+      });
+    }
+  }
+  return {
+    checkId: "cwv",
+    findings: dedupeFindings(findings).slice(0, 40),
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function dedupeFindings(f) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const x of f) {
+    const k = `${x.id}:${x.file ?? ""}`;
+    if (seen.has(k)) continue;
+    seen.add(k);
+    out.push(x);
+  }
+  return out;
+}
+var DEFAULT_GLOB = "**/*.{ts,tsx,js,jsx,mjs,cjs}";
+async function runCustomRules(cwd, config, restrictToFiles) {
+  const t0 = performance.now();
+  const rules = config.rules;
+  if (!rules || Object.keys(rules).length === 0) {
+    return {
+      checkId: "custom-rules",
+      findings: [],
+      durationMs: 0,
+      skipped: "no rules configured"
+    };
+  }
+  const active = Object.entries(rules).filter(([, v]) => v !== "off");
+  if (active.length === 0) {
+    return {
+      checkId: "custom-rules",
+      findings: [],
+      durationMs: 0,
+      skipped: "all rules off"
+    };
+  }
+  let files;
+  if (restrictToFiles?.length) {
+    files = restrictToFiles.filter((f) => /\.(tsx?|jsx?|mjs|cjs)$/i.test(f));
+  } else {
+    files = await fg(DEFAULT_GLOB, {
+      cwd,
+      ignore: ["**/node_modules/**", "**/dist/**", "**/.next/**", "**/build/**"],
+      onlyFiles: true
+    });
+  }
+  const findings = [];
+  const maxFiles = 300;
+  let n = 0;
+  for (const rel of files) {
+    if (n++ > maxFiles) {
+      findings.push({
+        id: "custom-rules-cap",
+        severity: "info",
+        message: `Custom rules scan capped after ${maxFiles} files`
+      });
+      break;
+    }
+    const full = path.join(cwd, rel);
+    let content;
+    try {
+      content = await fs.readFile(full, "utf8");
+    } catch {
+      continue;
+    }
+    if (content.length > 6e5) continue;
+    const ctx = { path: rel, content };
+    for (const [id, def] of active) {
+      if (typeof def.check !== "function") continue;
+      try {
+        if (def.check(ctx)) {
+          findings.push({
+            id: `rule:${id}`,
+            severity: def.severity,
+            message: def.message,
+            file: rel
+          });
+        }
+      } catch (e) {
+        findings.push({
+          id: `rule-error:${id}`,
+          severity: "warn",
+          message: `Rule \`${id}\` threw`,
+          detail: e instanceof Error ? e.message : String(e),
+          file: rel
+        });
+      }
+    }
+  }
+  return {
+    checkId: "custom-rules",
+    findings,
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function sev(gate) {
+  return gate === "block" ? "block" : gate === "info" ? "info" : "warn";
+}
+var CODE_EXT = /\.(tsx?|jsx?|mjs|cjs)$/i;
+var PATTERNS2 = [
+  {
+    id: "ai-eval",
+    re: /\beval\s*\(/,
+    message: "`eval()` \u2014 high risk; AI output often slips this in. Replace with safe parsing.",
+    forceBlock: true
+  },
+  {
+    id: "ai-new-function",
+    re: /\bnew\s+Function\s*\(/,
+    message: "`new Function()` is eval-like \u2014 verify necessity and input trust.",
+    forceBlock: true
+  },
+  {
+    id: "ai-dsh",
+    re: /dangerouslySetInnerHTML\s*=/,
+    message: "`dangerouslySetInnerHTML` \u2014 XSS risk. Ensure trusted/sanitized HTML only."
+  },
+  {
+    id: "ai-inner-html-assign",
+    re: /\.innerHTML\s*=/,
+    message: "DOM `innerHTML` assignment \u2014 XSS risk; prefer textContent or sanitization."
+  },
+  {
+    id: "ai-document-write",
+    re: /\bdocument\.write\s*\(/,
+    message: "`document.write` \u2014 brittle and unsafe in modern apps."
+  },
+  {
+    id: "ai-ts-ignore",
+    re: /@ts-ignore\b/,
+    message: "`@ts-ignore` hides errors (AI often uses instead of fixing). Prefer `@ts-expect-error` with reason."
+  },
+  {
+    id: "ai-empty-catch",
+    re: /catch\s*(?:\([^)]*\))?\s*\{\s*\}/,
+    message: "Empty `catch` \u2014 errors swallowed; at least log or rethrow intentionally."
+  },
+  {
+    id: "ai-http-url",
+    re: /(['"])http:\/\//,
+    message: "Plain `http://` URL \u2014 mixed content / MITM risk in browser code."
+  },
+  {
+    id: "ai-token-storage",
+    re: /(?:localStorage|sessionStorage)\.(?:setItem|getItem)\s*\(\s*['"][^'"]*token[^'"]*['"]/i,
+    message: "Token in web storage \u2014 confirm threat model (XSS exfiltration)."
+  },
+  {
+    id: "ai-child-process",
+    re: /(?:from\s+['"]child_process['"]|require\s*\(\s*['"]child_process['"]\s*\))/,
+    message: "`child_process` in app code \u2014 unusual for browser bundles; confirm this is server-only tooling."
+  },
+  {
+    id: "ai-sql-template",
+    re: /(?:query|execute|raw)\s*\(\s*[`'"][^`'"]*\$\{/i,
+    message: "Possible dynamic SQL/string \u2014 ensure parameterization, not string concat."
+  }
+];
+async function runAiAssistedStrict(cwd, config, pr) {
+  const t0 = performance.now();
+  const cfg = config.checks.aiAssistedReview;
+  if (!cfg.enabled) {
+    return {
+      checkId: "ai-assisted-strict",
+      findings: [],
+      durationMs: 0,
+      skipped: "disabled in config"
+    };
+  }
+  if (!pr) {
+    return {
+      checkId: "ai-assisted-strict",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "not a pull request context"
+    };
+  }
+  if (!pr.aiAssisted) {
+    return {
+      checkId: "ai-assisted-strict",
+      findings: [],
+      durationMs: Math.round(performance.now() - t0),
+      skipped: "PR does not indicate AI-assisted code"
+    };
+  }
+  const files = (pr.files ?? []).filter((f) => CODE_EXT.test(f)).slice(0, 150);
+  const gate = cfg.gate;
+  const findings = [];
+  for (const rel of files) {
+    const full = path.join(cwd, rel);
+    let content;
+    try {
+      content = await fs.readFile(full, "utf8");
+    } catch {
+      continue;
+    }
+    if (content.length > 5e5) continue;
+    for (const { id, re, message, forceBlock } of PATTERNS2) {
+      if (!re.test(content)) continue;
+      findings.push({
+        id,
+        severity: forceBlock ? "block" : sev(gate),
+        message: `[AI-assisted strict] ${message}`,
+        file: rel
+      });
+    }
+  }
+  return {
+    checkId: "ai-assisted-strict",
+    findings: dedupe(findings),
+    durationMs: Math.round(performance.now() - t0)
+  };
+}
+function dedupe(f) {
+  const s = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const x of f) {
+    const k = `${x.id}:${x.file ?? ""}`;
+    if (s.has(k)) continue;
+    s.add(k);
+    out.push(x);
+  }
+  return out;
+}
+
+// src/runner/ai-escalation.ts
+function applyAiAssistedEscalation(results, pr, config) {
+  const cfg = config.checks.aiAssistedReview;
+  if (!pr?.aiAssisted || !cfg.enabled) return;
+  const { escalate } = cfg;
+  for (const r of results) {
+    if (r.skipped) continue;
+    if (escalate.secretFindingsToBlock && r.checkId === "secrets") {
+      for (const f of r.findings) {
+        if (f.severity === "warn" || f.severity === "info") f.severity = "block";
+      }
+    }
+    if (escalate.tsAnyDeltaToBlock && r.checkId === "ts-any-delta") {
+      for (const f of r.findings) {
+        if (f.severity === "warn" || f.severity === "info") f.severity = "block";
+      }
+    }
+  }
+}
+function buildReport(stack, pr, results, options) {
+  const mode = options?.mode ?? "warn";
+  const allFindings = results.flatMap(
+    (r) => r.findings.map((f) => ({ ...f, checkId: r.checkId }))
+  );
+  const warns = allFindings.filter((f) => f.severity === "warn").length;
+  const infos = allFindings.filter((f) => f.severity === "info").length;
+  const blocks = allFindings.filter((f) => f.severity === "block").length;
+  const lines = pr != null ? pr.additions + pr.deletions : null;
+  const riskScore = scoreRisk(blocks, warns, lines, pr?.changedFiles ?? 0);
+  const markdown = formatMarkdown({
+    riskScore,
+    mode,
+    stack,
+    pr,
+    results,
+    warns,
+    infos,
+    blocks,
+    lines,
+    llmAppendix: options?.llmAppendix ?? null
+  });
+  const consoleText = formatConsole({
+    riskScore,
+    mode,
+    stack,
+    pr,
+    results,
+    warns,
+    infos,
+    blocks
+  });
+  return { riskScore, stack, pr, results, markdown, consoleText };
+}
+function formatStackOneLiner(s) {
+  const bits = [];
+  if (s.hasNext) bits.push("Next.js");
+  if (s.hasReactNative) bits.push("React Native");
+  else if (s.hasReact) bits.push("React");
+  if (s.hasTypeScript) bits.push("TypeScript");
+  if (s.tsStrict === true) bits.push("strict TS");
+  bits.push(`pkg: ${s.packageManager}`);
+  return bits.join(" \xB7 ") || "unknown";
+}
+function scoreRisk(blocks, warns, lines, files) {
+  let score = 0;
+  if (blocks > 0) score += 3;
+  if (warns >= 8) score += 2;
+  else if (warns >= 3) score += 1;
+  if (lines != null) {
+    if (lines >= 800) score += 2;
+    else if (lines >= 400) score += 1;
+  }
+  if (files >= 25) score += 1;
+  if (score >= 5) return "HIGH";
+  if (score >= 2) return "MEDIUM";
+  return "LOW";
+}
+function formatMarkdown(p) {
+  const {
+    riskScore,
+    mode,
+    stack,
+    pr,
+    results,
+    warns,
+    infos,
+    blocks,
+    lines,
+    llmAppendix
+  } = p;
+  const sb = [];
+  sb.push("## FrontGuard review brief");
+  sb.push("");
+  sb.push(
+    `**Risk:** ${riskScore} \xB7 **Mode:** ${mode === "enforce" ? "enforce (CI may fail on `block`)" : "warn-only"}`
+  );
+  if (pr?.aiAssisted) {
+    sb.push("");
+    sb.push(
+      "**AI-assisted PR:** Stricter static pass is active (security / footgun patterns on changed files; secrets & `any` deltas may be escalated). **Human review** still required for correctness and product rules."
+    );
+  }
+  sb.push("");
+  sb.push(`**Stack:** ${formatStackOneLiner(stack)}`);
+  if (pr && lines != null) {
+    sb.push(
+      `**Size:** ${lines} lines (+${pr.additions} / -${pr.deletions}) across ${pr.changedFiles} files`
+    );
+  }
+  sb.push("");
+  sb.push(
+    blocks > 0 ? `**Blocking (\`block\`) findings:** ${blocks}` : "**Blocking (`block`) findings:** 0"
+  );
+  sb.push(`**Warnings:** ${warns} \xB7 **Info:** ${infos}`);
+  sb.push("");
+  sb.push("### Check summary");
+  for (const r of results) {
+    const status = r.skipped ? `\u23ED\uFE0F skipped (${r.skipped})` : r.findings.length === 0 ? "\u2705 clean" : `\u26A0\uFE0F ${r.findings.length} finding(s)`;
+    sb.push(`- **${r.checkId}** \u2014 ${status} (${r.durationMs}ms)`);
+  }
+  sb.push("");
+  const blockFindings = results.flatMap(
+    (r) => r.findings.filter((f) => f.severity === "block").map((f) => ({ r, f }))
+  );
+  if (blockFindings.length) {
+    sb.push("### Blocking");
+    for (const { f } of blockFindings.slice(0, 40)) {
+      const loc = f.file ? ` \`${f.file}\`` : "";
+      sb.push(`- ${f.message}${loc}`);
+      if (f.detail) {
+        sb.push(
+          `  - <details><summary>detail</summary>
+
+\`\`\`text
+${f.detail}
+\`\`\`
+
+</details>`
+        );
+      }
+    }
+    sb.push("");
+  }
+  const warnFindings = results.flatMap(
+    (r) => r.findings.filter((f) => f.severity === "warn").map((f) => ({ r, f }))
+  );
+  if (warnFindings.length) {
+    sb.push("### Warnings");
+    for (const { f } of warnFindings.slice(0, 30)) {
+      const loc = f.file ? ` \`${f.file}\`` : "";
+      sb.push(`- ${f.message}${loc}`);
+      if (f.detail) {
+        sb.push(
+          `  - <details><summary>detail</summary>
+
+\`\`\`text
+${f.detail}
+\`\`\`
+
+</details>`
+        );
+      }
+    }
+    if (warnFindings.length > 30) {
+      sb.push(`- _\u2026and ${warnFindings.length - 30} more_`);
+    }
+    sb.push("");
+  }
+  const infoFindings = results.flatMap(
+    (r) => r.findings.filter((f) => f.severity === "info").map((f) => ({ r, f }))
+  );
+  if (infoFindings.length) {
+    sb.push("### Notes");
+    for (const { f } of infoFindings.slice(0, 20)) {
+      sb.push(`- ${f.message}`);
+    }
+    sb.push("");
+  }
+  if (llmAppendix?.trim()) {
+    sb.push(llmAppendix.trim());
+    sb.push("");
+  }
+  sb.push("---");
+  sb.push("_Generated by FrontGuard \u2014 configure with `frontguard.config.js`_");
+  return sb.join("\n");
+}
+function formatConsole(p) {
+  const { riskScore, mode, stack, pr, results, warns, infos, blocks } = p;
+  const lines = [];
+  lines.push(pc.bold("\u250C\u2500 FrontGuard review brief \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
+  lines.push(`\u2502 ${pc.dim("Risk:")} ${riskScore.padEnd(43)} \u2502`);
+  lines.push(`\u2502 ${pc.dim("Mode:")} ${mode.padEnd(42)} \u2502`);
+  lines.push(
+    `\u2502 ${pc.dim("Stack:")} ${(stack.hasNext ? "Next.js " : "") + (stack.hasReactNative ? "RN " : "") + (stack.hasReact ? "React " : "") + (stack.hasTypeScript ? "TS" : "JS")}`.padEnd(56).slice(0, 56) + " \u2502"
+  );
+  if (pr) {
+    const sz = `${pr.additions + pr.deletions} lines (+${pr.additions}/-${pr.deletions}) \xB7 ${pr.changedFiles} files`;
+    lines.push(`\u2502 ${pc.dim("PR:")} ${sz.slice(0, 49).padEnd(49)} \u2502`);
+  }
+  lines.push("\u2502 " + "".padEnd(53) + " \u2502");
+  const statusLine = blocks > 0 ? pc.red(`\u2716 ${blocks} blocking`) : warns === 0 && infos === 0 ? pc.green("\u2713 No findings") : pc.yellow(`\u26A0 ${warns} warnings \xB7 ${infos} info`);
+  lines.push(`\u2502 ${statusLine}`.padEnd(64).slice(0, 64) + " \u2502");
+  for (const r of results) {
+    const label = r.skipped ? pc.dim(` ${r.checkId}: skipped`) : ` ${r.checkId}: ${r.findings.length} issues`;
+    lines.push(`\u2502${label.slice(0, 54).padEnd(54)}\u2502`);
+  }
+  lines.push(pc.bold("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
+  return lines.join("\n");
+}
+
+// src/llm/review.ts
+function safeGetEnv(name) {
+  const v = process.env[name];
+  return v && v.trim() ? v : void 0;
+}
+async function runLlmReview(opts) {
+  const { cwd, config, pr, results } = opts;
+  const cfg = config.checks.llm;
+  if (!cfg.enabled) return null;
+  const apiKey = safeGetEnv(cfg.apiKeyEnv);
+  if (!apiKey) {
+    if (process.env.FRONTGUARD_LLM_SHOW_NO_KEY_HINT !== "1") {
+      return null;
+    }
+    return [
+      "### AI review (automated CI)",
+      "",
+      "_No API key in this environment._ IDE credentials do not reach GitHub Actions.",
+      "",
+      "**Options:**",
+      "1. **Manual** \u2014 Paste notes from Cursor/ChatGPT/Claude into a file, then `frontguard run --append ./notes.md` (or `FRONTGUARD_MANUAL_APPENDIX_FILE`).",
+      `2. **Org CI** \u2014 Map an approved inference key to \`${cfg.apiKeyEnv}\` via your secret store.`,
+      "3. **Docs in PR** \u2014 Rely on the PR template \u201CAI assistance\u201D section for reviewer context."
+    ].join("\n");
+  }
+  if (!await gitOk(cwd)) {
+    return "_LLM review skipped: not a git repository_";
+  }
+  const base = await resolveDiffBaseRef(cwd, config.checks.tsAnyDelta.baseRef);
+  const diff = await gitDiffForReview(cwd, base, cfg.maxDiffChars);
+  if (!diff.trim()) {
+    return "_LLM review skipped: empty diff vs base_";
+  }
+  const summaryLines = results.flatMap((r) => r.findings.map((f) => `- [${f.severity}] ${r.checkId}: ${f.message}`)).slice(0, 40).join("\n");
+  const prompt = [
+    "You are a senior frontend reviewer. Respond in Markdown with short sections:",
+    "### Summary",
+    "### Risk hotspots (files / themes)",
+    "### Logic / correctness smells",
+    "### Tests & regressions",
+    "",
+    "Constraints:",
+    "- Be specific to this diff; avoid generic advice.",
+    "- If uncertain, say what you need to verify manually.",
+    "",
+    pr ? `PR title: ${pr.title}
+PR body excerpt:
+${pr.body.slice(0, 2e3)}` : "No GitHub PR context (local run).",
+    "",
+    "Existing automated findings (may be incomplete):",
+    summaryLines || "(none)",
+    "",
+    "Git diff (may be truncated):",
+    "```diff",
+    diff,
+    "```"
+  ].join("\n");
+  const controller = new AbortController();
+  const t = setTimeout(() => controller.abort(), cfg.timeoutMs);
+  try {
+    if (cfg.provider === "anthropic") {
+      const text2 = await callAnthropic(cfg.model, apiKey, prompt, controller.signal);
+      return `### AI review (non-binding)
+
+${text2}`;
+    }
+    const text = await callOpenAI(cfg.model, apiKey, prompt, controller.signal);
+    return `### AI review (non-binding)
+
+${text}`;
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    return `_LLM request failed: ${msg}_`;
+  } finally {
+    clearTimeout(t);
+  }
+}
+async function callOpenAI(model, apiKey, prompt, signal) {
+  const res = await fetch("https://api.openai.com/v1/chat/completions", {
+    method: "POST",
+    signal,
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${apiKey}`
+    },
+    body: JSON.stringify({
+      model,
+      temperature: 0.2,
+      messages: [
+        {
+          role: "system",
+          content: "You audit frontend pull requests. Output concise Markdown. No preamble about being an AI."
+        },
+        { role: "user", content: prompt }
+      ]
+    })
+  });
+  if (!res.ok) {
+    const t = await res.text();
+    throw new Error(`OpenAI HTTP ${res.status}: ${t.slice(0, 500)}`);
+  }
+  const data = await res.json();
+  const text = data.choices?.[0]?.message?.content?.trim();
+  if (!text) throw new Error("OpenAI returned empty content");
+  return text;
+}
+async function callAnthropic(model, apiKey, prompt, signal) {
+  const res = await fetch("https://api.anthropic.com/v1/messages", {
+    method: "POST",
+    signal,
+    headers: {
+      "Content-Type": "application/json",
+      "x-api-key": apiKey,
+      "anthropic-version": "2023-06-01"
+    },
+    body: JSON.stringify({
+      model,
+      max_tokens: 4096,
+      temperature: 0.2,
+      messages: [{ role: "user", content: prompt }]
+    })
+  });
+  if (!res.ok) {
+    const t = await res.text();
+    throw new Error(`Anthropic HTTP ${res.status}: ${t.slice(0, 500)}`);
+  }
+  const data = await res.json();
+  const text = data.content?.map((b) => b.type === "text" ? b.text : "").join("").trim();
+  if (!text) throw new Error("Anthropic returned empty content");
+  return text;
+}
+var MAX_CHARS = 2e5;
+async function loadManualAppendix(opts) {
+  const { cwd, filePath } = opts;
+  const envFile = process.env.FRONTGUARD_MANUAL_APPENDIX_FILE?.trim();
+  const resolvedPath = filePath?.trim() || envFile;
+  if (resolvedPath) {
+    const abs = path.isAbsolute(resolvedPath) ? resolvedPath : path.join(cwd, resolvedPath);
+    try {
+      let text = await fs.readFile(abs, "utf8");
+      if (text.length > MAX_CHARS) {
+        text = text.slice(0, MAX_CHARS) + "\n\n_(truncated)_\n";
+      }
+      const t = text.trim();
+      if (t) {
+        return `### Contributed review notes
+
+_Pasted or file-based (no CI API key)._ 
+
+${t}`;
+      }
+    } catch {
+    }
+  }
+  const inline = process.env.FRONTGUARD_MANUAL_APPENDIX?.trim();
+  if (inline) {
+    let text = inline;
+    if (text.length > MAX_CHARS) {
+      text = text.slice(0, MAX_CHARS) + "\n\n_(truncated)_\n";
+    }
+    return `### Contributed review notes
+
+${text.trim()}`;
+  }
+  return null;
+}
+
+// src/commands/run.ts
+async function runFrontGuard(opts) {
+  const config = await loadConfig(opts.cwd);
+  const mode = opts.enforce ? "enforce" : config.mode;
+  const stack = await detectStack(opts.cwd);
+  const pr = await readGithubEvent();
+  const restrictFiles = pr?.files?.length ? pr.files : null;
+  const [
+    eslint,
+    prettier,
+    typescript,
+    secrets,
+    tsAnyDelta,
+    cycles,
+    deadCode,
+    cwv,
+    customRules,
+    aiStrict
+  ] = await Promise.all([
+    runEslint(opts.cwd, config),
+    runPrettier(opts.cwd, config),
+    runTypeScript(opts.cwd, config, stack),
+    runSecrets(opts.cwd, config, pr),
+    runTsAnyDelta(opts.cwd, config, stack),
+    runCycles(opts.cwd, config, stack),
+    runDeadCode(opts.cwd, config, stack, pr),
+    runCwv(opts.cwd, config, stack, pr),
+    runCustomRules(opts.cwd, config, restrictFiles),
+    runAiAssistedStrict(opts.cwd, config, pr)
+  ]);
+  const bundle = await runBundle(opts.cwd, config, stack);
+  const prHygiene = runPrHygiene(config, pr);
+  const prSize = runPrSize(config, pr);
+  const results = [
+    eslint,
+    prettier,
+    typescript,
+    secrets,
+    tsAnyDelta,
+    cycles,
+    deadCode,
+    bundle,
+    cwv,
+    customRules,
+    aiStrict,
+    prHygiene,
+    prSize
+  ];
+  applyAiAssistedEscalation(results, pr, config);
+  const manualAppendix = await loadManualAppendix({
+    cwd: opts.cwd,
+    filePath: opts.append ?? null
+  });
+  const automatedAppendix = await runLlmReview({
+    cwd: opts.cwd,
+    config,
+    pr,
+    results
+  });
+  const llmAppendix = [manualAppendix, automatedAppendix].filter(Boolean).join("\n\n") || null;
+  const report = buildReport(stack, pr, results, { mode, llmAppendix });
+  if (opts.markdown) {
+    process2.stdout.write(report.markdown + "\n");
+  } else {
+    process2.stdout.write(report.consoleText + "\n\n");
+    process2.stdout.write(report.markdown + "\n");
+  }
+  if (opts.ci && process2.env.GITHUB_TOKEN) {
+    await upsertBriefComment(report.markdown);
+  }
+  const hasBlock = results.some((r) => r.findings.some((f) => f.severity === "block"));
+  process2.exitCode = mode === "enforce" && hasBlock ? 1 : 0;
+}
+
+// src/cli.ts
+var init = defineCommand({
+  meta: {
+    name: "init",
+    description: "Add workflow, PR template, and frontguard.config.js"
+  },
+  run: async () => {
+    const cwd = process2.cwd();
+    await initFrontGuard(cwd);
+    process2.stdout.write(
+      "FrontGuard initialized.\n\nNext: add the package as a devDependency so CI matches local runs:\n  npm install -D @cleartrip/frontguard\n  yarn add -D @cleartrip/frontguard\n"
+    );
+  }
+});
+var run = defineCommand({
+  meta: {
+    name: "run",
+    description: "Run checks and print the review brief"
+  },
+  args: {
+    ci: {
+      type: "boolean",
+      description: "Upsert PR comment when GITHUB_TOKEN is available",
+      default: false
+    },
+    markdown: {
+      type: "boolean",
+      description: "Print markdown only",
+      default: false
+    },
+    enforce: {
+      type: "boolean",
+      description: "Exit non-zero if any finding has severity block",
+      default: false
+    },
+    append: {
+      type: "string",
+      description: "Append markdown from a file (paste from IDE/ChatGPT/Claude; no CI API key needed)"
+    }
+  },
+  run: async ({ args }) => {
+    await runFrontGuard({
+      cwd: process2.cwd(),
+      ci: Boolean(args.ci),
+      markdown: Boolean(args.markdown),
+      enforce: Boolean(args.enforce),
+      append: typeof args.append === "string" ? args.append : null
+    });
+  }
+});
+var main = defineCommand({
+  meta: { name: "frontguard", description: "FrontGuard \u2014 frontend PR guardrails" },
+  subCommands: { init, run }
+});
+runMain(main);
+//# sourceMappingURL=cli.js.map
+//# sourceMappingURL=cli.js.map