@cleartrip/frontguard 0.1.9 → 0.2.1

package/dist/cli.js

@@ -4,12 +4,12 @@ import g, { stdin, stdout, cwd } from 'process';
 import f from 'readline';
 import * as tty from 'tty';
 import { WriteStream } from 'tty';
-import path4, { sep, normalize, delimiter, resolve, dirname } from 'path';
+import path5, { sep, normalize, delimiter, resolve, dirname } from 'path';
 import fs from 'fs/promises';
+import { fileURLToPath, pathToFileURL } from 'url';
+import { execFileSync, spawn } from 'child_process';
 import { createRequire } from 'module';
-import fs4 from 'fs';
-import { pathToFileURL } from 'url';
-import { spawn } from 'child_process';
+import fs2 from 'fs';
 import { pipeline } from 'stream/promises';
 import { PassThrough } from 'stream';
 import fg from 'fast-glob';
@@ -2398,50 +2398,9 @@ async function runMain(cmd, opts = {}) {
     process.exit(1);
   }
 }
-var WORKFLOW = `name: FrontGuard
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-
-permissions:
-  contents: read
-  pull-requests: write
-
-concurrency:
-  group: frontguard-\${{ github.workflow }}-\${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  review-brief:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-
-      - name: Install dependencies
-        run: |
-          if [ -f pnpm-lock.yaml ]; then
-            corepack enable
-            pnpm install --frozen-lockfile || pnpm install
-          elif [ -f yarn.lock ]; then
-            yarn install --frozen-lockfile || yarn install
-          elif [ -f package-lock.json ]; then
-            npm ci || npm install
-          else
-            npm install
-          fi
-
-      - name: FrontGuard (Phase 1 \u2014 warn-only)
-        run: npx @cleartrip/frontguard run --ci
-        env:
-          GITHUB_TOKEN: \${{ secrets.GITHUB_TOKEN }}
-`;
+function packageRoot() {
+  return path5.resolve(path5.dirname(fileURLToPath(import.meta.url)), "..");
+}
 var CONFIG = `import { defineConfig } from '@cleartrip/frontguard'
 
 export default defineConfig({
@@ -2458,7 +2417,14 @@ export default defineConfig({
   // },
 
   // checks: {
-  //   bundle: { baselineRef: 'main', maxDeltaBytes: 50_000 }, // ref for git baseline file
+  //   bundle: { baselineRef: 'main', maxDeltaBytes: 50_000 },
+  //   coreWebVitals: { scanGlobs: ['src/**/*.{tsx,jsx}'] },
+  //   prSize: {
+  //     tiers: [
+  //       { minLines: 1000, severity: 'warn', message: 'Very large PR (\${lines} lines; \u2265 \${min})' },
+  //       { minLines: 500, severity: 'info', message: 'Consider splitting (\${lines} lines)' },
+  //     ],
+  //   },
   //   cycles: { enabled: true },
   //   deadCode: { enabled: true, gate: 'info' },
   //   // LLM: cloud keys in CI, or local Ollama (no API key) on dev/self-hosted runners:
@@ -2496,27 +2462,35 @@ If **Yes**, list tools and what they touched (helps reviewers run a stricter fir
 ## AI assistance (optional detail)
 - [ ] I have reviewed every AI-suggested line for security, auth, and product correctness
 `;
-async function ensureDir(dir) {
-  await fs.mkdir(dir, { recursive: true });
-}
 async function initFrontGuard(cwd) {
-  const gh = path4.join(cwd, ".github", "workflows");
-  await ensureDir(gh);
-  const wfPath = path4.join(gh, "frontguard.yml");
-  await fs.writeFile(wfPath, WORKFLOW, "utf8");
-  const cfgPath = path4.join(cwd, "frontguard.config.js");
+  const root = packageRoot();
+  const tplPath = path5.join(root, "templates", "bitbucket-pipelines.yml");
+  const outPipeline = path5.join(cwd, "bitbucket-pipelines.frontguard.example.yml");
+  try {
+    await fs.access(outPipeline);
+  } catch {
+    try {
+      const yml = await fs.readFile(tplPath, "utf8");
+      await fs.writeFile(outPipeline, yml, "utf8");
+    } catch {
+      await fs.writeFile(
+        outPipeline,
+        "# Copy bitbucket-pipelines.yml from @cleartrip/frontguard/templates in node_modules\n",
+        "utf8"
+      );
+    }
+  }
+  const cfgPath = path5.join(cwd, "frontguard.config.js");
   try {
     await fs.access(cfgPath);
   } catch {
     await fs.writeFile(cfgPath, CONFIG, "utf8");
   }
-  const tplRoot = path4.join(cwd, ".github");
-  await ensureDir(tplRoot);
-  const tplPath = path4.join(tplRoot, "pull_request_template.md");
+  const tplPr = path5.join(cwd, "pull_request_template.md");
   try {
-    await fs.access(tplPath);
+    await fs.access(tplPr);
   } catch {
-    await fs.writeFile(tplPath, PR_TEMPLATE, "utf8");
+    await fs.writeFile(tplPr, PR_TEMPLATE, "utf8");
   }
 }
 
@@ -2654,110 +2628,86 @@ function parseAiDisclosure(body) {
   return { assisted, explicitNo, ambiguous };
 }
 
-// src/ci/github.ts
-async function readGithubEvent() {
-  const p2 = process.env.GITHUB_EVENT_PATH;
-  if (!p2) return null;
-  try {
-    const raw = await fs.readFile(p2, "utf8");
-    const payload = JSON.parse(raw);
-    const pr = payload.pull_request;
-    if (!pr) return null;
-    const files = (pr.files ?? []).map((f4) => f4.filename ?? "").filter(Boolean);
-    const body = pr.body ?? "";
-    const ai = parseAiDisclosure(body);
-    return {
-      number: pr.number ?? 0,
-      title: pr.title ?? "",
-      body,
-      baseRef: pr.base?.ref ?? "main",
-      headRef: pr.head?.ref ?? "",
-      additions: pr.additions ?? 0,
-      deletions: pr.deletions ?? 0,
-      changedFiles: pr.changed_files ?? files.length,
-      files,
-      aiAssisted: ai.assisted,
-      aiExplicitNo: ai.explicitNo,
-      aiDisclosureAmbiguous: ai.ambiguous
-    };
-  } catch {
-    return null;
-  }
-}
-
-// src/lib/http-fetch.ts
-function getFetch() {
-  const f4 = globalThis.fetch;
-  if (typeof f4 !== "function") {
-    throw new Error(
-      "FrontGuard needs Node.js 18+ (global fetch). Use NODE_VERSION / image >= 18 in CI."
-    );
-  }
-  return f4;
-}
-
-// src/ci/pr-comment.ts
-var MARKER = "<!-- frontguard:brief -->";
-async function resolvePrNumber() {
-  const raw = process.env.FRONTGUARD_PR_NUMBER ?? process.env.PR_NUMBER;
-  const n3 = Number(raw);
-  if (Number.isFinite(n3) && n3 > 0) return n3;
-  const path17 = process.env.GITHUB_EVENT_PATH;
-  if (!path17) return null;
-  try {
-    const payload = JSON.parse(await fs.readFile(path17, "utf8"));
-    const num = payload.pull_request?.number;
-    return typeof num === "number" && num > 0 ? num : null;
-  } catch {
-    return null;
+// src/ci/pr-context.ts
+function gitTrimmed(cwd, args) {
+  return execFileSync("git", ["-C", cwd, ...args], {
+    encoding: "utf8",
+    maxBuffer: 20 * 1024 * 1024
+  }).trimEnd();
+}
+function resolveCompareRef(cwd, destBranch) {
+  const safe = destBranch.trim();
+  if (!safe || safe.startsWith("-") || safe.includes("..")) return null;
+  const candidates = [safe, `origin/${safe}`];
+  for (const c4 of candidates) {
+    try {
+      gitTrimmed(cwd, ["rev-parse", "--verify", `${c4}^{commit}`]);
+      return c4;
+    } catch {
+    }
   }
+  return null;
 }
-async function upsertBriefComment(body) {
-  const token = process.env.GITHUB_TOKEN;
-  const repo = process.env.GITHUB_REPOSITORY;
-  if (!token || !repo) {
-    return;
-  }
-  const [owner, name] = repo.split("/");
-  if (!owner || !name) return;
-  const prNumber = await resolvePrNumber();
-  if (!prNumber) {
-    return;
+function parseNumstat(output) {
+  let additions = 0;
+  let deletions = 0;
+  const files = [];
+  for (const line of output.split("\n")) {
+    const t3 = line.trim();
+    if (!t3) continue;
+    const tab = t3.indexOf("	");
+    if (tab < 0) continue;
+    const tab2 = t3.indexOf("	", tab + 1);
+    if (tab2 < 0) continue;
+    const aStr = t3.slice(0, tab);
+    const dStr = t3.slice(tab + 1, tab2);
+    const path18 = t3.slice(tab2 + 1);
+    const a3 = aStr === "-" ? 0 : Number(aStr);
+    const d3 = dStr === "-" ? 0 : Number(dStr);
+    if (!Number.isFinite(a3) || !Number.isFinite(d3)) continue;
+    additions += a3;
+    deletions += d3;
+    if (path18) files.push(path18);
+  }
+  return { additions, deletions, files };
+}
+function buildBitbucketPrContext(cwd) {
+  const prId = process.env.BITBUCKET_PR_ID?.trim();
+  if (!prId) return null;
+  const dest = process.env.BITBUCKET_PR_DESTINATION_BRANCH?.trim() || "main";
+  const body = process.env.FRONTGUARD_PR_BODY?.trim() ?? "";
+  const headRef = process.env.BITBUCKET_PR_SOURCE_BRANCH?.trim() ?? "";
+  const title = process.env.BITBUCKET_PR_TITLE?.trim() ?? "";
+  let additions = 0;
+  let deletions = 0;
+  let files = [];
+  const destRef = resolveCompareRef(cwd, dest);
+  if (destRef) {
+    try {
+      const raw = gitTrimmed(cwd, ["diff", `${destRef}...HEAD`, "--numstat"]);
+      const stat = parseNumstat(raw);
+      additions = stat.additions;
+      deletions = stat.deletions;
+      files = stat.files;
+    } catch {
+    }
   }
-  const apiBase = process.env.GITHUB_API_URL ?? "https://api.github.com";
-  const headers = {
-    authorization: `Bearer ${token}`,
-    accept: "application/vnd.github+json",
-    "x-github-api-version": "2022-11-28",
-    "content-type": "application/json"
+  const ai = parseAiDisclosure(body);
+  return {
+    number: Number.parseInt(prId, 10) || 0,
+    title,
+    body,
+    baseRef: dest,
+    headRef,
+    additions,
+    deletions,
+    changedFiles: files.length,
+    files,
+    ...ai
   };
-  const prefixed = `${MARKER}
-${body}`;
-  const listUrl = `${apiBase}/repos/${owner}/${name}/issues/${prNumber}/comments?per_page=100`;
-  const fetch = getFetch();
-  const listRes = await fetch(listUrl, { headers });
-  if (!listRes.ok) {
-    return;
-  }
-  const comments = await listRes.json();
-  const existing = comments.find(
-    (c4) => typeof c4.body === "string" && c4.body.includes(MARKER)
-  );
-  if (existing) {
-    const patchUrl = `${apiBase}/repos/${owner}/${name}/issues/comments/${existing.id}`;
-    await fetch(patchUrl, {
-      method: "PATCH",
-      headers,
-      body: JSON.stringify({ body: prefixed })
-    });
-    return;
-  }
-  const postUrl = `${apiBase}/repos/${owner}/${name}/issues/${prNumber}/comments`;
-  await fetch(postUrl, {
-    method: "POST",
-    headers,
-    body: JSON.stringify({ body: prefixed })
-  });
+}
+function readPrContext(cwd) {
+  return buildBitbucketPrContext(cwd);
 }
 
 // node_modules/defu/dist/defu.mjs
@@ -2874,7 +2824,7 @@ var defaultConfig = {
       maxDeltaBytes: null,
       maxTotalBytes: null
     },
-    cwv: {
+    coreWebVitals: {
       enabled: true,
       gate: "warn",
       scanGlobs: ["app/**/*.{tsx,jsx}", "pages/**/*.{tsx,jsx}", "src/**/*.{tsx,jsx}"],
@@ -2895,6 +2845,16 @@ var defaultConfig = {
   }
 };
 
+// src/config/migrate.ts
+function migrateLegacyConfigKeys(config) {
+  const ch = config.checks;
+  if (!ch) return;
+  if ("cwv" in ch && !("coreWebVitals" in ch)) {
+    ch.coreWebVitals = ch.cwv;
+    delete ch.cwv;
+  }
+}
+
 // src/config/load.ts
 var CONFIG_NAMES = [
   "frontguard.config.js",
@@ -2917,7 +2877,7 @@ function stripExtends(c4) {
 }
 async function loadExtendsLayer(cwd, spec) {
   if (!spec) return {};
-  const req = createRequire(path4.join(cwd, "package.json"));
+  const req = createRequire(path5.join(cwd, "package.json"));
   const specs = Array.isArray(spec) ? spec : [spec];
   let merged = {};
   for (const s3 of specs) {
@@ -2936,8 +2896,8 @@ async function loadExtendsLayer(cwd, spec) {
 async function loadConfig(cwd) {
   let userFile = null;
   for (const name of CONFIG_NAMES) {
-    const full = path4.join(cwd, name);
-    if (!fs4.existsSync(full)) continue;
+    const full = path5.join(cwd, name);
+    if (!fs2.existsSync(full)) continue;
     try {
       const mod = await importConfig(full);
       userFile = normalizeExport(mod);
@@ -2948,6 +2908,8 @@ async function loadConfig(cwd) {
   }
   const extendsSpec = userFile?.extends;
   const orgLayer = await loadExtendsLayer(cwd, extendsSpec);
+  migrateLegacyConfigKeys(orgLayer);
+  if (userFile) migrateLegacyConfigKeys(userFile);
   const user = userFile ? stripExtends(userFile) : {};
   const base = structuredClone(defaultConfig);
   const withOrg = defu2(orgLayer, base);
@@ -2966,7 +2928,7 @@ function hasDep(deps, name) {
 async function detectStack(cwd) {
   let pkg = {};
   try {
-    const raw = await fs.readFile(path4.join(cwd, "package.json"), "utf8");
+    const raw = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
     pkg = JSON.parse(raw);
   } catch {
     return {
@@ -2986,7 +2948,7 @@ async function detectStack(cwd) {
   const isMonorepo = Boolean(pkg.workspaces);
   let tsStrict = null;
   try {
-    const tsconfigPath = path4.join(cwd, "tsconfig.json");
+    const tsconfigPath = path5.join(cwd, "tsconfig.json");
     const tsRaw = await fs.readFile(tsconfigPath, "utf8");
     const ts = JSON.parse(tsRaw);
     if (typeof ts.compilerOptions?.strict === "boolean") {
@@ -2996,15 +2958,15 @@ async function detectStack(cwd) {
   }
   let pm = "unknown";
   try {
-    await fs.access(path4.join(cwd, "pnpm-lock.yaml"));
+    await fs.access(path5.join(cwd, "pnpm-lock.yaml"));
     pm = "pnpm";
   } catch {
     try {
-      await fs.access(path4.join(cwd, "yarn.lock"));
+      await fs.access(path5.join(cwd, "yarn.lock"));
       pm = "yarn";
     } catch {
       try {
-        await fs.access(path4.join(cwd, "package-lock.json"));
+        await fs.access(path5.join(cwd, "package-lock.json"));
         pm = "npm";
       } catch {
         pm = "npm";
@@ -3034,6 +2996,65 @@ function formatStackOneLiner(s3) {
   bits.push(`pkg: ${s3.packageManager}`);
   return bits.join(" \xB7 ") || "unknown";
 }
+function normalizePrPath(p2) {
+  return p2.replace(/\\/g, "/").replace(/^\.\//, "");
+}
+function hasPrFileList(pr) {
+  return Boolean(pr?.files?.length);
+}
+function prPathSet(pr) {
+  if (!hasPrFileList(pr)) return null;
+  return new Set(pr.files.map(normalizePrPath));
+}
+function isPathInPrScope(relOrAbs, cwd, prSet) {
+  const raw = relOrAbs.replace(/^file:\/\//, "");
+  let rel = normalizePrPath(raw);
+  if (path5.isAbsolute(raw)) {
+    rel = normalizePrPath(path5.relative(cwd, raw));
+  }
+  if (prSet.has(rel)) return true;
+  const trimmed = rel.replace(/^\.\//, "");
+  if (prSet.has(trimmed)) return true;
+  return false;
+}
+var ESLINT_EXT = /\.(js|cjs|mjs|jsx|ts|tsx)$/i;
+var PRETTIER_EXT = /\.(js|cjs|mjs|jsx|ts|tsx|json|md|css|scss|sass|less|yml|yaml|vue|svelte)$/i;
+var CYCLES_EXT = /\.(tsx?|jsx?|mjs|cjs|js)$/i;
+function filterPrFilesForEslint(pr) {
+  if (!hasPrFileList(pr)) return null;
+  return pr.files.map(normalizePrPath).filter((f4) => ESLINT_EXT.test(f4));
+}
+function filterPrFilesForPrettier(pr) {
+  if (!hasPrFileList(pr)) return null;
+  return pr.files.map(normalizePrPath).filter((f4) => PRETTIER_EXT.test(f4));
+}
+function filterPrFilesForMadge(pr) {
+  if (!hasPrFileList(pr)) return null;
+  return pr.files.map(normalizePrPath).filter((f4) => CYCLES_EXT.test(f4));
+}
+async function existingRepoPaths(cwd, rels) {
+  const out = [];
+  for (const rel of rels) {
+    try {
+      await fs.access(path5.join(cwd, rel));
+      out.push(rel);
+    } catch {
+    }
+  }
+  return out;
+}
+function filterTscOutputToPrFiles(output, cwd, prSet) {
+  const lines = output.split("\n");
+  const kept = [];
+  for (const line of lines) {
+    const m3 = /^(.+?)\(\d+,\d+\):\s/.exec(line);
+    if (m3?.[1]) {
+      if (isPathInPrScope(m3[1], cwd, prSet)) kept.push(line);
+      continue;
+    }
+  }
+  return kept.join("\n").trim();
+}
 function stripFileUrl(p2) {
   let s3 = p2.trim();
   if (!/^file:/i.test(s3)) return s3;
@@ -3045,30 +3066,30 @@ function stripFileUrl(p2) {
   return s3;
 }
 function isUnderDir(parent, child) {
-  const rel = path4.relative(parent, child);
-  return rel === "" || !rel.startsWith("..") && !path4.isAbsolute(rel);
+  const rel = path5.relative(parent, child);
+  return rel === "" || !rel.startsWith("..") && !path5.isAbsolute(rel);
 }
 function toRepoRelativePath(cwd, filePath) {
   if (!filePath?.trim()) return void 0;
   const raw = stripFileUrl(filePath);
-  const resolvedCwd = path4.resolve(cwd);
-  const absFile = path4.isAbsolute(raw) ? path4.resolve(raw) : path4.resolve(resolvedCwd, raw);
+  const resolvedCwd = path5.resolve(cwd);
+  const absFile = path5.isAbsolute(raw) ? path5.resolve(raw) : path5.resolve(resolvedCwd, raw);
   if (!isUnderDir(resolvedCwd, absFile)) {
     return raw.split(/[/\\]/g).join("/");
   }
-  let rel = path4.relative(resolvedCwd, absFile);
+  let rel = path5.relative(resolvedCwd, absFile);
   if (!rel || rel === ".") {
-    return path4.basename(absFile);
+    return path5.basename(absFile);
   }
-  return rel.split(path4.sep).join("/");
+  return rel.split(path5.sep).join("/");
 }
 function stripRepoAbsolutePaths(cwd, text) {
   if (!text || !cwd.trim()) return text;
-  const resolvedCwd = path4.resolve(cwd);
+  const resolvedCwd = path5.resolve(cwd);
   const asPosix = (s3) => s3.replace(/\\/g, "/");
   const cwdPosix = asPosix(resolvedCwd);
   let out = asPosix(text);
-  const prefixes = [.../* @__PURE__ */ new Set([cwdPosix + "/", resolvedCwd + path4.sep])].filter(
+  const prefixes = [.../* @__PURE__ */ new Set([cwdPosix + "/", resolvedCwd + path5.sep])].filter(
     (p2) => p2.length > 1
   );
   for (const prefix of prefixes) {
@@ -3694,7 +3715,7 @@ async function pathExists(file) {
   }
 }
 async function resolveBin(cwd, name) {
-  const local = path4.join(cwd, "node_modules", ".bin", name);
+  const local = path5.join(cwd, "node_modules", ".bin", name);
   if (await pathExists(local)) return local;
   const win = local + ".cmd";
   if (await pathExists(win)) return win;
@@ -3750,7 +3771,7 @@ async function runNpx(cwd, args) {
 // src/checks/eslint.ts
 async function hasEslintDependency(cwd) {
   try {
-    const raw = await fs.readFile(path4.join(cwd, "package.json"), "utf8");
+    const raw = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
     const p2 = JSON.parse(raw);
     return Boolean(p2.devDependencies?.eslint || p2.dependencies?.eslint);
   } catch {
@@ -3762,6 +3783,7 @@ async function hasEslintConfig(cwd) {
     "eslint.config.js",
     "eslint.config.mjs",
     "eslint.config.cjs",
+    "eslint.config.json",
     ".eslintrc",
     ".eslintrc.json",
     ".eslintrc.cjs",
@@ -3769,14 +3791,47 @@ async function hasEslintConfig(cwd) {
     ".eslintrc.yml"
   ];
   for (const c4 of candidates) {
-    if (await pathExists(path4.join(cwd, c4))) return true;
+    if (await pathExists(path5.join(cwd, c4))) return true;
   }
   return false;
 }
 function meaningfulStderr(stderr) {
   return stderr.split("\n").filter((l3) => l3.trim() && !/^npm warn\b/i.test(l3)).join("\n").trim();
 }
-async function runEslint(cwd, config, _stack) {
+var ESLINT_BATCH = 80;
+async function runEslintOnPaths(cwd, relPaths) {
+  let worstExit = 0;
+  const merged = [];
+  let stderrAcc = "";
+  for (let i3 = 0; i3 < relPaths.length; i3 += ESLINT_BATCH) {
+    const batch = relPaths.slice(i3, i3 + ESLINT_BATCH);
+    const args = [
+      ...batch,
+      "--max-warnings",
+      "0",
+      "--no-error-on-unmatched-pattern",
+      "-f",
+      "json"
+    ];
+    const { exitCode, stdout: stdout2, stderr } = await runNpmBinary(cwd, "eslint", args);
+    worstExit = Math.max(worstExit, exitCode ?? 0);
+    stderrAcc += stderr;
+    const t3 = stdout2.trim();
+    if (t3) {
+      try {
+        const rows = JSON.parse(t3);
+        if (Array.isArray(rows)) merged.push(...rows);
+      } catch {
+      }
+    }
+  }
+  return {
+    exitCode: worstExit,
+    stdout: JSON.stringify(merged),
+    stderr: stderrAcc
+  };
+}
+async function runEslint(cwd, config, _stack, pr) {
   const t0 = performance.now();
   if (!config.checks.eslint.enabled) {
     return {
@@ -3797,15 +3852,39 @@ async function runEslint(cwd, config, _stack) {
     };
   }
   const glob = config.checks.eslint.glob ?? "**/*.{js,cjs,mjs,jsx,ts,tsx}";
-  const args = [
-    glob,
-    "--max-warnings",
-    "0",
-    "--no-error-on-unmatched-pattern",
-    "-f",
-    "json"
-  ];
-  const { exitCode, stdout: stdout2, stderr } = await runNpmBinary(cwd, "eslint", args);
+  const prPaths = filterPrFilesForEslint(pr);
+  let exitCode;
+  let stdout2;
+  let stderr;
+  if (prPaths !== null) {
+    if (prPaths.length === 0) {
+      return {
+        checkId: "eslint",
+        findings: [],
+        durationMs: Math.round(performance.now() - t0),
+        skipped: "no lintable files in PR diff"
+      };
+    }
+    const existing = await existingRepoPaths(cwd, prPaths);
+    if (existing.length === 0) {
+      return {
+        checkId: "eslint",
+        findings: [],
+        durationMs: Math.round(performance.now() - t0),
+        skipped: hasPrFileList(pr) ? "no lintable files in PR diff (added/modified only)" : "no files"
+      };
+    }
+    ({ exitCode, stdout: stdout2, stderr } = await runEslintOnPaths(cwd, existing));
+  } else {
+    ({ exitCode, stdout: stdout2, stderr } = await runNpmBinary(cwd, "eslint", [
+      glob,
+      "--max-warnings",
+      "0",
+      "--no-error-on-unmatched-pattern",
+      "-f",
+      "json"
+    ]));
+  }
   const errText = meaningfulStderr(stderr);
   const findings = [];
   if (exitCode === 0) {
@@ -3871,7 +3950,25 @@ function truncate(s3, max) {
 }
 
 // src/checks/prettier.ts
-async function runPrettier(cwd, config) {
+var PRETTIER_BATCH = 100;
+async function runPrettierOnPaths(cwd, relPaths) {
+  let worstExit = 0;
+  let stdoutAcc = "";
+  let stderrAcc = "";
+  for (let i3 = 0; i3 < relPaths.length; i3 += PRETTIER_BATCH) {
+    const batch = relPaths.slice(i3, i3 + PRETTIER_BATCH);
+    const r4 = await runNpmBinary(cwd, "prettier", [
+      "--check",
+      "--ignore-unknown",
+      ...batch
+    ]);
+    worstExit = Math.max(worstExit, r4.exitCode ?? 0);
+    stdoutAcc += r4.stdout;
+    stderrAcc += r4.stderr;
+  }
+  return { exitCode: worstExit, stdout: stdoutAcc, stderr: stderrAcc };
+}
+async function runPrettier(cwd, config, pr) {
   const t0 = performance.now();
   if (!config.checks.prettier.enabled) {
     return {
@@ -3882,11 +3979,36 @@ async function runPrettier(cwd, config) {
     };
   }
   const glob = config.checks.prettier.glob ?? "**/*.{js,cjs,mjs,jsx,ts,tsx,json,md,css,scss,yml,yaml}";
-  const { exitCode, stdout: stdout2, stderr } = await runNpmBinary(cwd, "prettier", [
-    "--check",
-    glob,
-    "--ignore-unknown"
-  ]);
+  let exitCode;
+  let stdout2;
+  let stderr;
+  const prPaths = filterPrFilesForPrettier(pr);
+  if (prPaths !== null) {
+    if (prPaths.length === 0) {
+      return {
+        checkId: "prettier",
+        findings: [],
+        durationMs: Math.round(performance.now() - t0),
+        skipped: "no formattable files in PR diff"
+      };
+    }
+    const existing = await existingRepoPaths(cwd, prPaths);
+    if (existing.length === 0) {
+      return {
+        checkId: "prettier",
+        findings: [],
+        durationMs: Math.round(performance.now() - t0),
+        skipped: hasPrFileList(pr) ? "no formattable files in PR diff" : "no files"
+      };
+    }
+    ({ exitCode, stdout: stdout2, stderr } = await runPrettierOnPaths(cwd, existing));
+  } else {
+    ({ exitCode, stdout: stdout2, stderr } = await runNpmBinary(cwd, "prettier", [
+      "--check",
+      glob,
+      "--ignore-unknown"
+    ]));
+  }
   const findings = [];
   if (exitCode === 127 || /command not found|not recognized|ENOENT/i.test(stderr)) {
     return {
@@ -3915,7 +4037,7 @@ function truncate2(s3, max) {
   if (s3.length <= max) return s3;
   return s3.slice(0, max) + "\u2026";
 }
-async function runTypeScript(cwd, config, stack) {
+async function runTypeScript(cwd, config, stack, pr) {
   const t0 = performance.now();
   if (!config.checks.typescript.enabled) {
     return {
@@ -3925,7 +4047,7 @@ async function runTypeScript(cwd, config, stack) {
       skipped: "disabled in config"
     };
   }
-  const hasTs = stack.hasTypeScript || await pathExists(path4.join(cwd, "tsconfig.json"));
+  const hasTs = stack.hasTypeScript || await pathExists(path5.join(cwd, "tsconfig.json"));
   if (!hasTs) {
     return {
       checkId: "typescript",
@@ -3934,7 +4056,14 @@ async function runTypeScript(cwd, config, stack) {
       skipped: "no TypeScript project detected"
     };
   }
-  const args = ["--noEmit", ...config.checks.typescript.tscArgs ?? []];
+  const extra = config.checks.typescript.tscArgs ?? [];
+  const hasProject = extra.some((a3) => a3 === "-p" || a3 === "--project");
+  const tsconfigPath = path5.join(cwd, "tsconfig.json");
+  const args = [
+    "--noEmit",
+    ...hasProject || !await pathExists(tsconfigPath) ? [] : ["-p", "tsconfig.json"],
+    ...extra
+  ];
   const { exitCode, stdout: stdout2, stderr } = await runNpmBinary(cwd, "tsc", args);
   const findings = [];
   if (exitCode === 127 || /command not found|not recognized|ENOENT/i.test(stderr)) {
@@ -3947,12 +4076,16 @@ async function runTypeScript(cwd, config, stack) {
   }
   if (exitCode !== 0) {
     const out = [stdout2, stderr].filter(Boolean).join("\n").trim();
-    findings.push({
-      id: "tsc",
-      severity: "warn",
-      message: "TypeScript compiler reported diagnostics",
-      detail: out ? truncate3(out, 8e3) : `exit ${exitCode}`
-    });
+    const prS = prPathSet(pr);
+    const scoped = prS && out ? filterTscOutputToPrFiles(out, cwd, prS) : out;
+    if (scoped) {
+      findings.push({
+        id: "tsc",
+        severity: "warn",
+        message: prS ? "TypeScript: issues in PR-changed files (full project was typechecked)" : "TypeScript compiler reported diagnostics",
+        detail: scoped ? truncate3(scoped, 8e3) : `exit ${exitCode}`
+      });
+    }
   }
   return {
     checkId: "typescript",
@@ -4038,7 +4171,7 @@ async function runSecrets(cwd, config, pr) {
       });
       break;
     }
-    const full = path4.join(cwd, rel);
+    const full = path5.join(cwd, rel);
     let content;
     try {
       content = await fs.readFile(full, "utf8");
@@ -4064,7 +4197,7 @@ async function runSecrets(cwd, config, pr) {
   };
 }
 function isProbablyTextFile(rel) {
-  const ext = path4.extname(rel).toLowerCase();
+  const ext = path5.extname(rel).toLowerCase();
   return TEXT_EXT.has(ext);
 }
 
@@ -4084,7 +4217,7 @@ function runPrHygiene(config, pr) {
       checkId: "pr-hygiene",
       findings: [],
       durationMs: Math.round(performance.now() - t0),
-      skipped: "not running in GitHub pull_request context"
+      skipped: "no PR context (run in a Bitbucket PR pipeline with BITBUCKET_PR_ID, or set FRONTGUARD_PR_BODY for description checks)"
     };
   }
   const findings = [];
@@ -4163,6 +4296,25 @@ function sectionMentioned(body, hint) {
 }
 
 // src/checks/pr-size.ts
+function expandMessage(template, lines, min) {
+  return template.replaceAll("${lines}", String(lines)).replaceAll("${min}", String(min));
+}
+function defaultTiers(cfg) {
+  return [
+    {
+      minLines: cfg.softBlockLines,
+      severity: "warn",
+      id: "pr-size-large",
+      message: "PR is very large (${lines} lines changed; threshold ${min}). Consider splitting for review."
+    },
+    {
+      minLines: cfg.warnLines,
+      severity: "info",
+      id: "pr-size-medium",
+      message: "PR size is elevated (${lines} lines changed; threshold ${min})."
+    }
+  ];
+}
 function runPrSize(config, pr) {
   const t0 = performance.now();
   if (!config.checks.prSize.enabled) {
@@ -4178,24 +4330,29 @@ function runPrSize(config, pr) {
       checkId: "pr-size",
       findings: [],
       durationMs: Math.round(performance.now() - t0),
-      skipped: "not running in GitHub pull_request context"
+      skipped: "no PR context (run in a Bitbucket pull-request pipeline so BITBUCKET_PR_* and git diff are available)"
     };
   }
-  const findings = [];
   const lines = pr.additions + pr.deletions;
-  const { warnLines, softBlockLines } = config.checks.prSize;
-  if (lines >= softBlockLines) {
-    findings.push({
-      id: "pr-size-large",
-      severity: "warn",
-      message: `PR is very large (${lines} lines changed; \u2265 ${softBlockLines})`,
-      detail: "Consider splitting to improve review quality."
-    });
-  } else if (lines >= warnLines) {
+  const cfg = config.checks.prSize;
+  const rawTiers = cfg.tiers?.length ? cfg.tiers : defaultTiers(cfg);
+  const sorted = [...rawTiers].sort((a3, b3) => b3.minLines - a3.minLines);
+  const findings = [];
+  let i3 = 0;
+  for (const tier of sorted) {
+    if (lines < tier.minLines) continue;
+    const id = tier.id ?? `pr-size-tier-${i3}`;
+    i3 += 1;
+    const message = tier.message ? expandMessage(tier.message, lines, tier.minLines) : expandMessage(
+      "PR has ${lines} lines changed (\u2265 ${min}).",
+      lines,
+      tier.minLines
+    );
     findings.push({
-      id: "pr-size-medium",
-      severity: "info",
-      message: `PR size is elevated (${lines} lines changed; \u2265 ${warnLines})`
+      id,
+      severity: tier.severity,
+      message,
+      detail: "Total = additions + deletions from the PR diff."
     });
   }
   return {
@@ -4248,13 +4405,18 @@ async function gitDiffForReview(cwd, baseRef, maxChars) {
   }
 }
 async function resolveDiffBaseRef(cwd, fallback) {
-  const gh = process.env.GITHUB_BASE_REF;
-  if (gh) {
-    const origin = `origin/${gh}`;
+  const bb = process.env.BITBUCKET_PR_DESTINATION_BRANCH?.trim();
+  if (bb) {
+    const origin = `origin/${bb}`;
     try {
       await W2("git", ["rev-parse", "--verify", origin], { nodeOptions: { cwd } });
       return origin;
     } catch {
+      try {
+        await W2("git", ["rev-parse", "--verify", bb], { nodeOptions: { cwd } });
+        return bb;
+      } catch {
+      }
     }
   }
   try {
@@ -4352,7 +4514,7 @@ async function runTsAnyDelta(cwd, config, stack) {
 function gateSeverity2(g4) {
   return g4 === "block" ? "block" : g4 === "info" ? "info" : "warn";
 }
-async function runCycles(cwd, config, stack) {
+async function runCycles(cwd, config, stack, pr) {
   const t0 = performance.now();
   const cfg = config.checks.cycles;
   if (!cfg.enabled || !stack.hasTypeScript) {
@@ -4365,12 +4527,12 @@ async function runCycles(cwd, config, stack) {
   }
   let entry = cfg.entries[0] ?? "src";
   for (const e3 of cfg.entries) {
-    if (await pathExists(path4.join(cwd, e3))) {
+    if (await pathExists(path5.join(cwd, e3))) {
       entry = e3;
       break;
     }
   }
-  if (!await pathExists(path4.join(cwd, entry))) {
+  if (!await pathExists(path5.join(cwd, entry))) {
     return {
       checkId: "cycles",
       findings: [],
@@ -4378,10 +4540,13 @@ async function runCycles(cwd, config, stack) {
       skipped: `entry path not found (${entry})`
     };
   }
+  const prMadge = filterPrFilesForMadge(pr);
+  const prExisting = prMadge?.length ? await existingRepoPaths(cwd, prMadge) : [];
+  const roots = prExisting.length > 0 ? prExisting : [entry];
   const args = [
     "-y",
     "madge@6",
-    entry,
+    ...roots,
     "--extensions",
     "ts,tsx,js,jsx",
     "--circular",
@@ -4403,7 +4568,7 @@ async function runCycles(cwd, config, stack) {
     findings.push({
       id: "import-cycle",
       severity: gateSeverity2(cfg.gate),
-      message: "Circular dependencies detected (madge)",
+      message: prExisting.length > 0 ? "Circular dependencies detected (madge, scoped to PR files)" : "Circular dependencies detected (madge)",
       detail: truncate4(out || `exit ${exitCode}`, 12e3)
     });
   } else if (exitCode !== 0) {
@@ -4494,7 +4659,7 @@ async function sumGlobBytes(cwd, patterns) {
     });
     for (const rel of files) {
       try {
-        const st = await fs.stat(path4.join(cwd, rel));
+        const st = await fs.stat(path5.join(cwd, rel));
         total += st.size;
       } catch {
       }
@@ -4503,7 +4668,7 @@ async function sumGlobBytes(cwd, patterns) {
   return total;
 }
 async function readBaseline(cwd, relPath, baseRef) {
-  const disk = path4.join(cwd, relPath);
+  const disk = path5.join(cwd, relPath);
   try {
     const raw = await fs.readFile(disk, "utf8");
     return JSON.parse(raw);
@@ -4533,6 +4698,39 @@ async function gitOkQuick(cwd) {
 function tokenizeCommand(cmd) {
   return cmd.trim().split(/\s+/).map((t3) => t3.trim()).filter(Boolean);
 }
+function npmScriptFromBuildCommand(cmd) {
+  const t3 = cmd.trim();
+  if (/^yarn\s+build\b/i.test(t3)) return "build";
+  const np = /^(?:npm|pnpm)\s+run\s+(\S+)/i.exec(t3);
+  if (np?.[1]) return np[1];
+  const yr = /^yarn\s+run\s+(\S+)/i.exec(t3);
+  if (yr?.[1]) return yr[1];
+  return null;
+}
+async function bundleBuildPrecheck(cwd, buildCommand) {
+  const script = npmScriptFromBuildCommand(buildCommand);
+  if (!script) return { run: true };
+  let scripts;
+  try {
+    const raw = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
+    const pkg = JSON.parse(raw);
+    scripts = pkg.scripts;
+  } catch {
+    return {
+      run: false,
+      message: "Skipped bundle build \u2014 no readable package.json",
+      detail: "Set checks.bundle.buildCommand to your real build (e.g. `vite build`), set checks.bundle.runBuild to false, or add a package.json with the matching script."
+    };
+  }
+  if (!scripts?.[script]) {
+    return {
+      run: false,
+      message: `Skipped bundle build \u2014 no scripts.${script} in package.json`,
+      detail: "The bundle check runs a production build, then sums file sizes under checks.bundle.measureGlobs (dist/, build/static/, .next/static/, etc.). Libraries and non-web repos often have no `build` script \u2014 set checks.bundle.runBuild to false and optionally tune measureGlobs, or set checks.bundle.buildCommand to whatever produces your artifacts (e.g. `pnpm run compile`, `npx vite build`)."
+    };
+  }
+  return { run: true };
+}
 async function runBundle(cwd, config, stack) {
   const t0 = performance.now();
   const cfg = config.checks.bundle;
@@ -4552,6 +4750,7 @@ async function runBundle(cwd, config, stack) {
       skipped: "skipped for React Native (configure web artifacts if needed)"
     };
   }
+  const preFindings = [];
   if (cfg.runBuild) {
     const parts = tokenizeCommand(cfg.buildCommand);
     if (parts.length === 0) {
@@ -4567,21 +4766,31 @@ async function runBundle(cwd, config, stack) {
         durationMs: Math.round(performance.now() - t0)
       };
     }
-    const [bin, ...args] = parts;
-    const res = await W2(bin, args, { nodeOptions: { cwd } });
-    if ((res.exitCode ?? 0) !== 0) {
-      return {
-        checkId: "bundle",
-        findings: [
-          {
-            id: "bundle-build",
-            severity: gateSeverity4(cfg.gate),
-            message: "Build command failed \u2014 cannot measure bundle",
-            detail: [res.stdout, res.stderr].filter(Boolean).join("\n").slice(0, 8e3)
-          }
-        ],
-        durationMs: Math.round(performance.now() - t0)
-      };
+    const pre = await bundleBuildPrecheck(cwd, cfg.buildCommand);
+    if (!pre.run) {
+      preFindings.push({
+        id: "bundle-build-skipped",
+        severity: "info",
+        message: pre.message,
+        detail: pre.detail
+      });
+    } else {
+      const [bin, ...args] = parts;
+      const res = await W2(bin, args, { nodeOptions: { cwd } });
+      if ((res.exitCode ?? 0) !== 0) {
+        return {
+          checkId: "bundle",
+          findings: [
+            {
+              id: "bundle-build",
+              severity: gateSeverity4(cfg.gate),
+              message: "Build command failed \u2014 cannot measure bundle",
+              detail: [res.stdout, res.stderr].filter(Boolean).join("\n").slice(0, 8e3)
+            }
+          ],
+          durationMs: Math.round(performance.now() - t0)
+        };
+      }
     }
   }
   const total = await sumGlobBytes(cwd, cfg.measureGlobs);
@@ -4589,6 +4798,7 @@ async function runBundle(cwd, config, stack) {
     return {
       checkId: "bundle",
       findings: [
+        ...preFindings,
         {
           id: "bundle-empty",
           severity: "info",
@@ -4600,7 +4810,7 @@ async function runBundle(cwd, config, stack) {
   }
   const baseRef = await gitOkQuick(cwd) ? await resolveDiffBaseRef(cwd, cfg.baselineRef) : null;
   const baseline = await readBaseline(cwd, cfg.baselinePath, baseRef);
-  const findings = [];
+  const findings = [...preFindings];
   const infoLines = [
     `Measured ${total} bytes (${(total / 1024 / 1024).toFixed(2)} MiB)`,
     baseline ? `Baseline from \`${cfg.baselinePath}\`: ${baseline.totalBytes} bytes` : `No baseline at \`${cfg.baselinePath}\` (commit a baseline JSON to compare)`
@@ -4649,12 +4859,12 @@ async function runBundle(cwd, config, stack) {
 function gateSeverity5(g4) {
   return g4 === "block" ? "block" : g4 === "info" ? "info" : "warn";
 }
-async function runCwv(cwd, config, stack, pr) {
+async function runCoreWebVitals(cwd, config, stack, pr) {
   const t0 = performance.now();
-  const cfg = config.checks.cwv;
+  const cfg = config.checks.coreWebVitals;
   if (!cfg.enabled) {
     return {
-      checkId: "cwv",
+      checkId: "core-web-vitals",
       findings: [],
       durationMs: 0,
       skipped: "disabled in config"
@@ -4662,7 +4872,7 @@ async function runCwv(cwd, config, stack, pr) {
   }
   if (stack.hasReactNative && !stack.hasNext) {
     return {
-      checkId: "cwv",
+      checkId: "core-web-vitals",
       findings: [],
       durationMs: Math.round(performance.now() - t0),
       skipped: "skipped for React Native"
@@ -4678,7 +4888,7 @@ async function runCwv(cwd, config, stack, pr) {
   const findings = [];
   const sev2 = gateSeverity5(cfg.gate);
   for (const rel of toScan.slice(0, 400)) {
-    const full = path4.join(cwd, rel);
+    const full = path5.join(cwd, rel);
     let text;
     try {
       text = await fs.readFile(full, "utf8");
@@ -4688,23 +4898,23 @@ async function runCwv(cwd, config, stack, pr) {
     if (text.length > cfg.maxFileBytes) continue;
     if (stack.hasNext && /<img\b/i.test(text) && !/from\s+['"]next\/image['"]/.test(text)) {
       findings.push({
-        id: "cwv-img-tag",
+        id: "core-web-vitals-img-tag",
         severity: sev2,
-        message: "Raw `<img>` detected \u2014 prefer `next/image` for LCP-friendly delivery",
+        message: "Raw `<img>` \u2014 prefer `next/image` for LCP-friendly delivery",
         file: rel
       });
     }
     if (/dangerouslySetInnerHTML/i.test(text)) {
       findings.push({
-        id: "cwv-dsh",
+        id: "core-web-vitals-dsh",
         severity: "warn",
-        message: "`dangerouslySetInnerHTML` can impact main-thread work \u2014 validate necessity",
+        message: "`dangerouslySetInnerHTML` can add main-thread work \u2014 validate necessity",
         file: rel
       });
     }
   }
   return {
-    checkId: "cwv",
+    checkId: "core-web-vitals",
     findings: dedupeFindings(findings).slice(0, 40),
     durationMs: Math.round(performance.now() - t0)
   };
@@ -4763,7 +4973,7 @@ async function runCustomRules(cwd, config, restrictToFiles) {
       });
       break;
     }
-    const full = path4.join(cwd, rel);
+    const full = path5.join(cwd, rel);
     let content;
     try {
       content = await fs.readFile(full, "utf8");
@@ -4879,7 +5089,7 @@ async function runAiAssistedStrict(cwd, config, pr) {
       checkId: "ai-assisted-strict",
       findings: [],
       durationMs: Math.round(performance.now() - t0),
-      skipped: "not a pull request context"
+      skipped: "no PR context (Bitbucket PR pipeline + BITBUCKET_PR_ID required)"
     };
   }
   if (!pr.aiAssisted) {
@@ -4894,7 +5104,7 @@ async function runAiAssistedStrict(cwd, config, pr) {
   const gate = cfg.gate;
   const findings = [];
   for (const rel of files) {
-    const full = path4.join(cwd, rel);
+    const full = path5.join(cwd, rel);
     let content;
     try {
       content = await fs.readFile(full, "utf8");
@@ -4959,25 +5169,6 @@ function escapeHtml(s3) {
 }
 
 // src/report/html-report.ts
-function shieldUrl(label, message, color) {
-  const q2 = new URLSearchParams({ label, message, color, style: "for-the-badge" });
-  return `https://img.shields.io/static/v1?${q2}`;
-}
-function riskColor(risk) {
-  if (risk === "LOW") return "brightgreen";
-  if (risk === "MEDIUM") return "orange";
-  return "red";
-}
-function modeColor(mode) {
-  return mode === "enforce" ? "critical" : "blue";
-}
-function countColor(kind, n3) {
-  if (kind === "block") return n3 === 0 ? "brightgreen" : "critical";
-  if (kind === "info") return n3 === 0 ? "inactive" : "informational";
-  if (n3 === 0) return "brightgreen";
-  if (n3 <= 10) return "yellow";
-  return "orange";
-}
 function parseLineHint(detail) {
   if (!detail) return 0;
   const m3 = /^line\s+(\d+)/i.exec(detail.trim());
@@ -5009,13 +5200,20 @@ function formatDuration(ms) {
   const r4 = s3 % 60;
   return r4 ? `${m3}m ${r4}s` : `${m3}m`;
 }
+function statusDot(r4) {
+  if (r4.skipped) return '<span class="dot dot-skip" title="Skipped"></span>';
+  if (r4.findings.length === 0) return '<span class="dot dot-ok" title="Clean"></span>';
+  if (r4.findings.some((x3) => x3.severity === "block"))
+    return '<span class="dot dot-block" title="Blocking"></span>';
+  return '<span class="dot dot-warn" title="Issues"></span>';
+}
 function renderFindingCard(cwd, r4, f4) {
   const d3 = normalizeFinding(cwd, f4);
   const sevClass = f4.severity === "block" ? "sev-block" : f4.severity === "warn" ? "sev-warn" : "sev-info";
-  const fixBlock = f4.suggestedFix ? `<div class="suggested-fix"><h5>Suggested fix <span class="tag">LLM</span></h5><div class="fix-md">${escapeHtml(f4.suggestedFix.summary)}</div>${f4.suggestedFix.code ? `<pre class="code"><code>${escapeHtml(f4.suggestedFix.code)}</code></pre>` : ""}<p class="disclaimer">Suggestions are non-binding; review and test before applying.</p></div>` : "";
+  const fixBlock = f4.suggestedFix ? `<div class="suggested-fix"><div class="fix-label">Suggested fix <span class="pill pill-llm">LLM</span></div><div class="fix-md">${escapeHtml(f4.suggestedFix.summary)}</div>${f4.suggestedFix.code ? `<pre class="code"><code>${escapeHtml(f4.suggestedFix.code)}</code></pre>` : ""}<p class="disclaimer">Suggestions are non-binding; review before applying.</p></div>` : "";
   const hintRow = d3.detail && !d3.detail.includes("\n") && d3.detail.length <= 220 && !d3.detail.includes("|") ? `<tr><th>Hint</th><td>${escapeHtml(d3.detail)}</td></tr>` : "";
   const detailFence = d3.detail && (d3.detail.includes("\n") || d3.detail.length > 220 || d3.detail.includes("|")) ? `<pre class="code"><code>${escapeHtml(d3.detail)}</code></pre>` : "";
-  return `<article class="card ${sevClass}"><h4>${escapeHtml(d3.file ?? "\u2014")} <span class="muted">\xB7</span> ${escapeHtml(d3.message)}</h4><table class="meta"><tr><th>Check</th><td><code>${escapeHtml(r4.checkId)}</code></td></tr><tr><th>Rule</th><td><code>${escapeHtml(f4.id)}</code></td></tr>${d3.file ? `<tr><th>File</th><td><code>${escapeHtml(d3.file)}</code></td></tr>` : ""}${hintRow}</table>${detailFence}${fixBlock}</article>`;
+  return `<article class="card ${sevClass}"><div class="card-title">${escapeHtml(d3.file ?? "\u2014")}</div><p class="card-msg">${escapeHtml(d3.message)}</p><table class="meta"><tr><th>Check</th><td><code>${escapeHtml(r4.checkId)}</code></td></tr><tr><th>Rule</th><td><code>${escapeHtml(f4.id)}</code></td></tr>${d3.file ? `<tr><th>File</th><td><code>${escapeHtml(d3.file)}</code></td></tr>` : ""}${hintRow}</table>${detailFence}${fixBlock}</article>`;
 }
 function buildHtmlReport(p2) {
   const {
@@ -5031,21 +5229,11 @@ function buildHtmlReport(p2) {
     lines,
     llmAppendix
   } = p2;
-  const modeLabel = mode === "enforce" ? "enforce" : "warn only";
-  const badges = [
-    ["risk", riskScore, riskColor(riskScore)],
-    ["mode", modeLabel, modeColor(mode)],
-    ["blocking", String(blocks), countColor("block", blocks)],
-    ["warnings", String(warns), countColor("warn", warns)],
-    ["info", String(infos), countColor("info", infos)]
-  ];
-  const badgeImgs = badges.map(([l3, m3, c4]) => {
-    const alt = `${l3}: ${m3}`;
-    return `<img class="badge" src="${escapeHtml(shieldUrl(l3, m3, c4))}" alt="${escapeHtml(alt)}" loading="lazy" />`;
-  }).join(" ");
+  const modeLabel = mode === "enforce" ? "Enforce" : "Warn only";
+  const riskClass = riskScore === "LOW" ? "risk-low" : riskScore === "MEDIUM" ? "risk-med" : "risk-high";
   const checkRows = results.map((r4) => {
-    const status = r4.skipped ? `Skipped \u2014 ${escapeHtml(r4.skipped)}` : r4.findings.length === 0 ? "Clean" : `${r4.findings.length} finding(s)`;
-    return `<tr><td>${r4.skipped ? "\u23ED\uFE0F" : r4.findings.length === 0 ? "\u{1F7E2}" : r4.findings.some((x3) => x3.severity === "block") ? "\u{1F534}" : "\u{1F7E1}"}</td><td><strong>${escapeHtml(r4.checkId)}</strong></td><td>${status}</td><td>${r4.skipped ? "\u2014" : r4.findings.length}</td><td>${formatDuration(r4.durationMs)}</td></tr>`;
+    const status = r4.skipped ? `Skipped \u2014 ${escapeHtml(r4.skipped)}` : r4.findings.length === 0 ? "Pass" : `${r4.findings.length} issue(s)`;
+    return `<tr><td class="td-icon">${statusDot(r4)}</td><td><strong class="check-name">${escapeHtml(r4.checkId)}</strong></td><td class="td-status">${status}</td><td class="td-num">${r4.skipped ? "\u2014" : r4.findings.length}</td><td class="td-time">${formatDuration(r4.durationMs)}</td></tr>`;
   }).join("\n");
   const blockItems = sortFindings(
     cwd,
@@ -5072,138 +5260,286 @@ function buildHtmlReport(p2) {
     byCheck.set(item.r.checkId, list);
   }
   const checkOrder = [...byCheck.keys()].sort((a3, b3) => a3.localeCompare(b3));
-  const blockingHtml = blockItems.length === 0 ? '<p class="ok">No blocking findings.</p>' : blockItems.map(({ r: r4, f: f4 }) => renderFindingCard(cwd, r4, f4)).join("\n");
+  const blockingHtml = blockItems.length === 0 ? '<p class="empty-state">No blocking findings.</p>' : blockItems.map(({ r: r4, f: f4 }) => renderFindingCard(cwd, r4, f4)).join("\n");
   let warningsHtml = "";
   if (warnItems.length === 0) {
-    warningsHtml = '<p class="ok">No warnings.</p>';
+    warningsHtml = '<p class="empty-state">No warnings.</p>';
   } else {
     for (const cid of checkOrder) {
       const group = sortFindings(cwd, byCheck.get(cid));
-      warningsHtml += `<h3 class="grp">${escapeHtml(cid)} <span class="count">(${group.length})</span></h3>`;
-      warningsHtml += group.map(({ r: r4, f: f4 }) => renderFindingCard(cwd, r4, f4)).join("\n");
+      const cards = group.map(({ r: r4, f: f4 }) => renderFindingCard(cwd, r4, f4)).join("\n");
+      warningsHtml += `<details class="panel nested"><summary><span class="summary-title">${escapeHtml(cid)}</span><span class="summary-count">${group.length}</span></summary><div class="panel-body">${cards}</div></details>`;
     }
   }
-  const infoHtml = infoItems.length === 0 ? '<p class="muted">No info notes.</p>' : infoItems.map(({ r: r4, f: f4 }) => renderFindingCard(cwd, r4, f4)).join("\n");
-  const prBlock = pr && lines != null ? `<tr><th>PR size</th><td>${lines} LOC (+${pr.additions} / \u2212${pr.deletions}) \xB7 ${pr.changedFiles} files</td></tr>` : "";
-  const appendix = llmAppendix?.trim() ? `<section class="appendix"><h2>AI / manual appendix</h2><pre class="md-raw">${escapeHtml(llmAppendix.trim())}</pre></section>` : "";
+  const infoHtml = infoItems.length === 0 ? '<p class="empty-state muted">No info notes.</p>' : infoItems.map(({ r: r4, f: f4 }) => renderFindingCard(cwd, r4, f4)).join("\n");
+  const prBlock = pr && lines != null ? `<tr><th>Pull request</th><td>${lines} lines changed (+${pr.additions} / \u2212${pr.deletions}) \xB7 ${pr.changedFiles} files</td></tr>` : "";
+  const appendix = llmAppendix?.trim() ? `<section class="section"><h2 class="h2">Appendix</h2><pre class="md-raw">${escapeHtml(llmAppendix.trim())}</pre></section>` : "";
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>FrontGuard report</title>
+  <title>FrontGuard \u2014 Report</title>
   <style>
     :root {
-      --bg: #0f1419;
-      --panel: #1a2332;
-      --text: #e7ecf3;
-      --muted: #8b9aab;
-      --border: #2d3d52;
-      --block: #f87171;
-      --warn: #fbbf24;
-      --info: #38bdf8;
-      --accent: #a78bfa;
-      --ok: #4ade80;
+      --bg: #f8fafc;
+      --surface: #ffffff;
+      --text: #0f172a;
+      --muted: #64748b;
+      --border: #e2e8f0;
+      --accent: #4f46e5;
+      --accent-soft: #eef2ff;
+      --block: #dc2626;
+      --warn: #d97706;
+      --info: #0284c7;
+      --ok: #16a34a;
+      --radius: 10px;
+      --shadow: 0 1px 3px rgba(15, 23, 42, 0.06);
     }
     * { box-sizing: border-box; }
     body {
-      margin: 0; font-family: ui-sans-serif, system-ui, sans-serif;
-      background: var(--bg); color: var(--text); line-height: 1.5;
-      padding: 1.5rem clamp(1rem, 4vw, 2.5rem) 3rem;
-      max-width: 58rem; margin-left: auto; margin-right: auto;
-    }
-    h1 { font-size: 1.5rem; margin: 0 0 1rem; letter-spacing: -0.02em; }
-    h2 { font-size: 1.15rem; margin: 2rem 0 0.75rem; color: var(--accent); border-bottom: 1px solid var(--border); padding-bottom: 0.35rem; }
-    h3.grp { margin: 1.5rem 0 0.5rem; font-size: 1rem; color: var(--warn); }
-    h3.grp .count { color: var(--muted); font-weight: normal; }
-    h4 { font-size: 0.95rem; margin: 0 0 0.5rem; font-weight: 600; }
-    h5 { font-size: 0.8rem; margin: 0 0 0.35rem; text-transform: uppercase; letter-spacing: 0.04em; color: var(--accent); }
-    .badges { margin-bottom: 1.25rem; display: flex; flex-wrap: wrap; gap: 0.35rem; align-items: center; }
-    .badge { height: 28px; width: auto; max-width: 100%; image-rendering: crisp-edges; }
-    details { background: var(--panel); border: 1px solid var(--border); border-radius: 8px; margin-bottom: 0.75rem; }
-    summary {
-      cursor: pointer; padding: 0.65rem 1rem; font-weight: 600;
-      list-style: none; display: flex; align-items: center; gap: 0.5rem;
-    }
-    summary::-webkit-details-marker { display: none; }
-    details[open] > summary { border-bottom: 1px solid var(--border); }
-    .details-body { padding: 0.75rem 1rem 1rem; }
-    table.results { width: 100%; border-collapse: collapse; font-size: 0.875rem; margin: 0.5rem 0 1rem; }
-    table.results th, table.results td { border: 1px solid var(--border); padding: 0.45rem 0.6rem; text-align: left; }
-    table.results th { background: #243044; color: var(--muted); font-weight: 600; }
-    .snapshot { width: 100%; border-collapse: collapse; font-size: 0.9rem; margin: 0.5rem 0; }
-    .snapshot th, .snapshot td { border: 1px solid var(--border); padding: 0.5rem 0.65rem; vertical-align: top; }
-    .snapshot th { width: 10rem; background: #243044; color: var(--muted); text-align: left; }
+      margin: 0;
+      font-family: ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, sans-serif;
+      background: var(--bg);
+      color: var(--text);
+      line-height: 1.55;
+      font-size: 15px;
+      padding: 2rem clamp(1rem, 4vw, 3rem) 4rem;
+      max-width: 920px;
+      margin-left: auto;
+      margin-right: auto;
+    }
+    .hero {
+      margin-bottom: 2rem;
+    }
+    .brand {
+      font-size: 0.75rem;
+      font-weight: 600;
+      letter-spacing: 0.12em;
+      text-transform: uppercase;
+      color: var(--muted);
+      margin-bottom: 0.35rem;
+    }
+    h1 {
+      font-size: 1.75rem;
+      font-weight: 700;
+      letter-spacing: -0.03em;
+      margin: 0 0 1rem;
+      color: var(--text);
+    }
+    .metrics {
+      display: flex;
+      flex-wrap: wrap;
+      gap: 0.65rem;
+      margin-bottom: 0.5rem;
+    }
+    .metric {
+      background: var(--surface);
+      border: 1px solid var(--border);
+      border-radius: var(--radius);
+      padding: 0.5rem 0.9rem;
+      box-shadow: var(--shadow);
+      display: flex;
+      align-items: center;
+      gap: 0.5rem;
+    }
+    .metric-label { font-size: 0.72rem; color: var(--muted); text-transform: uppercase; letter-spacing: 0.04em; }
+    .metric-value { font-weight: 600; font-size: 0.95rem; }
+    .risk-low { color: var(--ok); }
+    .risk-med { color: var(--warn); }
+    .risk-high { color: var(--block); }
+    .section { margin-top: 2.25rem; }
+    .h2 {
+      font-size: 1rem;
+      font-weight: 600;
+      margin: 0 0 0.85rem;
+      color: var(--text);
+      letter-spacing: -0.02em;
+    }
+    .snapshot {
+      width: 100%;
+      border-collapse: collapse;
+      font-size: 0.9rem;
+      background: var(--surface);
+      border-radius: var(--radius);
+      overflow: hidden;
+      border: 1px solid var(--border);
+      box-shadow: var(--shadow);
+    }
+    .snapshot th, .snapshot td {
+      padding: 0.65rem 1rem;
+      text-align: left;
+      border-bottom: 1px solid var(--border);
+    }
+    .snapshot tr:last-child th, .snapshot tr:last-child td { border-bottom: none; }
+    .snapshot th {
+      width: 9rem;
+      color: var(--muted);
+      font-weight: 500;
+      background: #f1f5f9;
+    }
+    table.results {
+      width: 100%;
+      border-collapse: collapse;
+      font-size: 0.875rem;
+      background: var(--surface);
+      border-radius: var(--radius);
+      overflow: hidden;
+      border: 1px solid var(--border);
+      box-shadow: var(--shadow);
+    }
+    table.results th, table.results td {
+      padding: 0.55rem 0.85rem;
+      text-align: left;
+      border-bottom: 1px solid var(--border);
+    }
+    table.results tr:last-child td { border-bottom: none; }
+    table.results thead th {
+      background: #f1f5f9;
+      color: var(--muted);
+      font-weight: 600;
+      font-size: 0.72rem;
+      text-transform: uppercase;
+      letter-spacing: 0.04em;
+    }
+    .td-icon { width: 2rem; vertical-align: middle; }
+    .td-num, .td-time { color: var(--muted); font-variant-numeric: tabular-nums; }
+    .check-name { font-weight: 600; }
+    .dot {
+      display: inline-block;
+      width: 8px;
+      height: 8px;
+      border-radius: 50%;
+    }
+    .dot-ok { background: var(--ok); }
+    .dot-warn { background: var(--warn); }
+    .dot-block { background: var(--block); }
+    .dot-skip { background: #cbd5e1; }
+    .panel {
+      background: var(--surface);
+      border: 1px solid var(--border);
+      border-radius: var(--radius);
+      margin-bottom: 0.65rem;
+      box-shadow: var(--shadow);
+    }
+    .panel summary {
+      cursor: pointer;
+      padding: 0.85rem 1rem;
+      list-style: none;
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      font-weight: 600;
+      font-size: 0.9rem;
+    }
+    .panel summary::-webkit-details-marker { display: none; }
+    .panel[open] summary { border-bottom: 1px solid var(--border); }
+    .panel-body { padding: 0.75rem 1rem 1rem; }
+    .nested summary { font-weight: 500; color: var(--warn); }
+    .summary-count {
+      font-size: 0.8rem;
+      font-weight: 500;
+      color: var(--muted);
+      background: #f1f5f9;
+      padding: 0.15rem 0.5rem;
+      border-radius: 999px;
+    }
     .card {
-      border: 1px solid var(--border); border-radius: 8px; padding: 0.85rem 1rem;
-      margin-bottom: 0.65rem; background: #131c28;
-    }
-    .card.sev-block { border-left: 4px solid var(--block); }
-    .card.sev-warn { border-left: 4px solid var(--warn); }
-    .card.sev-info { border-left: 4px solid var(--info); }
-    table.meta { width: 100%; font-size: 0.8rem; border-collapse: collapse; margin: 0.5rem 0; }
-    table.meta th { text-align: left; color: var(--muted); width: 5.5rem; padding: 0.2rem 0.5rem 0.2rem 0; vertical-align: top; }
+      border: 1px solid var(--border);
+      border-radius: 8px;
+      padding: 1rem;
+      margin-bottom: 0.65rem;
+      background: #fafafa;
+    }
+    .card:last-child { margin-bottom: 0; }
+    .card.sev-block { border-left: 3px solid var(--block); }
+    .card.sev-warn { border-left: 3px solid var(--warn); }
+    .card.sev-info { border-left: 3px solid var(--info); }
+    .card-title { font-size: 0.8rem; font-weight: 600; color: var(--muted); margin-bottom: 0.35rem; }
+    .card-msg { margin: 0 0 0.65rem; font-size: 0.9rem; }
+    table.meta { width: 100%; font-size: 0.78rem; border-collapse: collapse; margin: 0.35rem 0 0; }
+    table.meta th { text-align: left; color: var(--muted); width: 4.5rem; padding: 0.2rem 0.5rem 0.2rem 0; vertical-align: top; }
     table.meta td { padding: 0.2rem 0; }
+    table.meta code { font-size: 0.85em; background: #f1f5f9; padding: 0.1rem 0.35rem; border-radius: 4px; }
     .muted { color: var(--muted); }
-    .ok { color: var(--ok); }
+    .empty-state { margin: 0; font-size: 0.9rem; color: var(--muted); }
     pre.code {
-      margin: 0.5rem 0 0; padding: 0.65rem 0.75rem; background: #0a0e14; border-radius: 6px;
-      overflow: auto; font-size: 0.78rem; border: 1px solid var(--border);
-    }
-    pre.code code { font-family: ui-monospace, monospace; white-space: pre; }
-    .suggested-fix {
-      margin-top: 0.75rem; padding-top: 0.75rem; border-top: 1px dashed var(--border);
-    }
+      margin: 0.5rem 0 0;
+      padding: 0.75rem;
+      background: #f1f5f9;
+      border-radius: 6px;
+      overflow: auto;
+      font-size: 0.78rem;
+      border: 1px solid var(--border);
+    }
+    pre.code code { font-family: ui-monospace, SFMono-Regular, Menlo, monospace; white-space: pre; }
+    .suggested-fix { margin-top: 0.75rem; padding-top: 0.75rem; border-top: 1px dashed var(--border); }
+    .fix-label { font-size: 0.7rem; font-weight: 600; text-transform: uppercase; letter-spacing: 0.05em; color: var(--accent); margin-bottom: 0.35rem; }
+    .pill-llm { background: var(--accent-soft); color: var(--accent); padding: 0.1rem 0.4rem; border-radius: 4px; font-size: 0.65rem; }
     .fix-md { font-size: 0.85rem; white-space: pre-wrap; margin: 0.25rem 0 0.5rem; }
-    .tag {
-      font-size: 0.65rem; background: var(--accent); color: var(--bg);
-      padding: 0.1rem 0.35rem; border-radius: 4px; vertical-align: middle;
-    }
     .disclaimer { font-size: 0.72rem; color: var(--muted); margin: 0.5rem 0 0; }
-    .appendix pre.md-raw {
-      white-space: pre-wrap; font-size: 0.85rem; background: var(--panel);
-      padding: 1rem; border-radius: 8px; border: 1px solid var(--border);
-    }
-    footer { margin-top: 2.5rem; padding-top: 1rem; border-top: 1px solid var(--border); font-size: 0.8rem; color: var(--muted); }
+    pre.md-raw {
+      white-space: pre-wrap;
+      font-size: 0.85rem;
+      background: var(--surface);
+      padding: 1rem;
+      border-radius: var(--radius);
+      border: 1px solid var(--border);
+      margin: 0;
+    }
+    footer {
+      margin-top: 3rem;
+      padding-top: 1.25rem;
+      border-top: 1px solid var(--border);
+      font-size: 0.8rem;
+      color: var(--muted);
+    }
+    footer a { color: var(--accent); text-decoration: none; }
+    footer a:hover { text-decoration: underline; }
   </style>
 </head>
 <body>
-  <h1>FrontGuard review</h1>
-  <div class="badges">${badgeImgs}</div>
-
-  <h2>Snapshot</h2>
-  <table class="snapshot">
-    <tr><th>Risk</th><td><strong>${riskScore}</strong> (heuristic)</td></tr>
-    <tr><th>Mode</th><td>${escapeHtml(modeLabel)}</td></tr>
-    <tr><th>Stack</th><td>${escapeHtml(formatStackOneLiner(stack))}</td></tr>
-    ${prBlock}
-  </table>
+  <header class="hero">
+    <div class="brand">FrontGuard</div>
+    <h1>Code review report</h1>
+    <div class="metrics">
+      <div class="metric"><span class="metric-label">Risk</span><span class="metric-value ${riskClass}">${riskScore}</span></div>
+      <div class="metric"><span class="metric-label">Mode</span><span class="metric-value">${escapeHtml(modeLabel)}</span></div>
+      <div class="metric"><span class="metric-label">Blocking</span><span class="metric-value">${blocks}</span></div>
+      <div class="metric"><span class="metric-label">Warnings</span><span class="metric-value">${warns}</span></div>
+      <div class="metric"><span class="metric-label">Info</span><span class="metric-value">${infos}</span></div>
+    </div>
+  </header>
 
-  <h2>Check results</h2>
-  <table class="results">
-    <thead><tr><th></th><th>Check</th><th>Status</th><th>#</th><th>Time</th></tr></thead>
-    <tbody>${checkRows}</tbody>
-  </table>
+  <section class="section">
+    <h2 class="h2">Overview</h2>
+    <table class="snapshot">
+      <tr><th>Risk score</th><td><strong>${riskScore}</strong> <span class="muted">\u2014 heuristic</span></td></tr>
+      <tr><th>Mode</th><td>${escapeHtml(modeLabel)}</td></tr>
+      <tr><th>Stack</th><td>${escapeHtml(formatStackOneLiner(stack))}</td></tr>
+      ${prBlock}
+    </table>
+  </section>
 
-  <details>
-    <summary>Blocking (${blocks})</summary>
-    <div class="details-body">${blockingHtml}</div>
-  </details>
+  <section class="section">
+    <h2 class="h2">Checks</h2>
+    <table class="results">
+      <thead><tr><th></th><th>Check</th><th>Status</th><th>#</th><th>Time</th></tr></thead>
+      <tbody>${checkRows}</tbody>
+    </table>
+  </section>
 
-  <details>
-    <summary>Warnings (${warns})</summary>
-    <div class="details-body">${warningsHtml}</div>
-  </details>
-
-  <details>
-    <summary>Info (${infos})</summary>
-    <div class="details-body">${infoHtml}</div>
-  </details>
+  <section class="section">
+    <h2 class="h2">Findings</h2>
+    <details class="panel"><summary>Blocking <span class="summary-count">${blocks}</span></summary><div class="panel-body">${blockingHtml}</div></details>
+    <details class="panel"><summary>Warnings <span class="summary-count">${warns}</span></summary><div class="panel-body">${warningsHtml}</div></details>
+    <details class="panel"><summary>Info <span class="summary-count">${infos}</span></summary><div class="panel-body">${infoHtml}</div></details>
+  </section>
 
   ${appendix}
 
   <footer>
-    <p>Self-contained HTML report \u2014 open locally or from CI artifacts. Badges load from <a href="https://shields.io" style="color: var(--info);">shields.io</a>.</p>
+    <p>Static report \u2014 open in any browser. Generated by <strong>FrontGuard</strong>.</p>
   </footer>
 </body>
 </html>`;
@@ -5605,6 +5941,17 @@ function formatConsole(p2) {
   return lines.join("\n");
 }
 
+// src/lib/http-fetch.ts
+function getFetch() {
+  const f4 = globalThis.fetch;
+  if (typeof f4 !== "function") {
+    throw new Error(
+      "FrontGuard needs Node.js 18+ (global fetch). Use NODE_VERSION / image >= 18 in CI."
+    );
+  }
+  return f4;
+}
+
 // src/llm/ollama.ts
 async function callOllamaChat(opts) {
   const fetch = getFetch();
@@ -5638,10 +5985,10 @@ async function callOllamaChat(opts) {
 
 // src/llm/finding-fixes.ts
 async function safeReadRepoFile(cwd, rel, maxChars) {
-  const root = path4.resolve(cwd);
-  const abs = path4.resolve(root, rel);
-  const relToRoot = path4.relative(root, abs);
-  if (relToRoot.startsWith("..") || path4.isAbsolute(relToRoot)) return null;
+  const root = path5.resolve(cwd);
+  const abs = path5.resolve(root, rel);
+  const relToRoot = path5.relative(root, abs);
+  if (relToRoot.startsWith("..") || path5.isAbsolute(relToRoot)) return null;
   try {
     let t3 = await fs.readFile(abs, "utf8");
     if (t3.length > maxChars) {
@@ -5670,7 +6017,7 @@ async function enrichFindingsWithOllamaFixes(opts) {
   }
   let pkgSnippet = "";
   try {
-    const pj = await fs.readFile(path4.join(cwd, "package.json"), "utf8");
+    const pj = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
     pkgSnippet = pj.slice(0, 4e3);
   } catch {
     pkgSnippet = "";
@@ -5754,7 +6101,7 @@ async function loadManualAppendix(opts) {
   const envFile = process.env.FRONTGUARD_MANUAL_APPENDIX_FILE?.trim();
   const resolvedPath = filePath?.trim() || envFile;
   if (resolvedPath) {
-    const abs = path4.isAbsolute(resolvedPath) ? resolvedPath : path4.join(cwd, resolvedPath);
+    const abs = path5.isAbsolute(resolvedPath) ? resolvedPath : path5.join(cwd, resolvedPath);
     try {
       let text = await fs.readFile(abs, "utf8");
       if (text.length > MAX_CHARS) {
@@ -5942,28 +6289,28 @@ async function runFrontGuard(opts) {
   const config = await loadConfig(opts.cwd);
   const mode = opts.enforce ? "enforce" : config.mode;
   const stack = await detectStack(opts.cwd);
-  const pr = await readGithubEvent();
+  const pr = readPrContext(opts.cwd);
   const restrictFiles = pr?.files?.length ? pr.files : null;
   const [
     eslint,
     prettier,
     typescript,
     secrets,
-    tsAnyDelta,
     cycles,
     deadCode,
-    cwv,
+    coreWebVitals,
+    tsAnyDelta,
     customRules,
     aiStrict
   ] = await Promise.all([
-    runEslint(opts.cwd, config),
-    runPrettier(opts.cwd, config),
-    runTypeScript(opts.cwd, config, stack),
+    runEslint(opts.cwd, config, stack, pr),
+    runPrettier(opts.cwd, config, pr),
+    runTypeScript(opts.cwd, config, stack, pr),
     runSecrets(opts.cwd, config, pr),
-    runTsAnyDelta(opts.cwd, config, stack),
-    runCycles(opts.cwd, config, stack),
+    runCycles(opts.cwd, config, stack, pr),
     runDeadCode(opts.cwd, config, stack, pr),
-    runCwv(opts.cwd, config, stack, pr),
+    runCoreWebVitals(opts.cwd, config, stack, pr),
+    runTsAnyDelta(opts.cwd, config, stack),
     runCustomRules(opts.cwd, config, restrictFiles),
     runAiAssistedStrict(opts.cwd, config, pr)
   ]);
@@ -5975,15 +6322,15 @@ async function runFrontGuard(opts) {
     prettier,
     typescript,
     secrets,
-    tsAnyDelta,
     cycles,
     deadCode,
     bundle,
-    cwv,
-    customRules,
+    coreWebVitals,
     aiStrict,
     prHygiene,
-    prSize
+    prSize,
+    tsAnyDelta,
+    customRules
   ];
   applyAiAssistedEscalation(results, pr, config);
   results = await enrichFindingsWithOllamaFixes({
@@ -6014,7 +6361,7 @@ async function runFrontGuard(opts) {
   }
   if (opts.prCommentOut) {
     const snippet = formatBitbucketPrSnippet(report);
-    const abs = path4.isAbsolute(opts.prCommentOut) ? opts.prCommentOut : path4.join(opts.cwd, opts.prCommentOut);
+    const abs = path5.isAbsolute(opts.prCommentOut) ? opts.prCommentOut : path5.join(opts.cwd, opts.prCommentOut);
     await fs.writeFile(abs, snippet, "utf8");
     g.stderr.write(
       `
@@ -6031,9 +6378,6 @@ FrontGuard: wrote Bitbucket PR comment text to ${abs} (${snippet.length} bytes).
     g.stdout.write(report.consoleText + "\n\n");
     g.stdout.write(report.markdown + "\n");
   }
-  if (opts.ci && g.env.GITHUB_TOKEN) {
-    await upsertBriefComment(report.markdown);
-  }
   const hasBlock = results.some((r4) => r4.findings.some((f4) => f4.severity === "block"));
   g.exitCode = mode === "enforce" && hasBlock ? 1 : 0;
 }
@@ -6042,13 +6386,13 @@ FrontGuard: wrote Bitbucket PR comment text to ${abs} (${snippet.length} bytes).
 var init2 = defineCommand({
   meta: {
     name: "init",
-    description: "Add workflow, PR template, and frontguard.config.js"
+    description: "Add Bitbucket pipeline example, pull_request_template.md, and frontguard.config.js"
   },
   run: async () => {
     const cwd = g.cwd();
     await initFrontGuard(cwd);
     g.stdout.write(
-      "FrontGuard initialized.\n\nNext: add the package as a devDependency so CI matches local runs:\n  npm install -D @cleartrip/frontguard\n  yarn add -D @cleartrip/frontguard\n"
+      "FrontGuard initialized for Bitbucket.\n\n  \u2022 bitbucket-pipelines.frontguard.example.yml \u2014 merge into your pipeline\n  \u2022 pull_request_template.md \u2014 PR description template (Bitbucket Cloud)\n  \u2022 frontguard.config.js (if missing)\n\nAdd the package as a devDependency so CI matches local runs:\n  npm install -D @cleartrip/frontguard\n  yarn add -D @cleartrip/frontguard\n"
     );
   }
 });
@@ -6058,11 +6402,6 @@ var run = defineCommand({
     description: "Run checks and print the review brief"
   },
   args: {
-    ci: {
-      type: "boolean",
-      description: "Upsert PR comment when GITHUB_TOKEN is available",
-      default: false
-    },
     markdown: {
       type: "boolean",
       description: "Print markdown only",
@@ -6089,7 +6428,6 @@ var run = defineCommand({
   run: async ({ args }) => {
     await runFrontGuard({
       cwd: g.cwd(),
-      ci: Boolean(args.ci),
       markdown: Boolean(args.markdown),
       enforce: Boolean(args.enforce),
       append: typeof args.append === "string" ? args.append : null,