@cleartrip/frontguard 0.2.9 → 0.3.0

package/dist/cli.js

@@ -4,17 +4,16 @@ import g, { stdin, stdout, cwd } from 'process';
 import f from 'readline';
 import * as tty from 'tty';
 import { WriteStream } from 'tty';
-import path5, { sep, normalize, delimiter, resolve, dirname } from 'path';
-import fs, { writeFile, readFile } from 'fs/promises';
-import { fileURLToPath, pathToFileURL } from 'url';
-import fs2, { existsSync, statSync, readFileSync } from 'fs';
+import path6, { sep, normalize, delimiter, resolve, dirname } from 'path';
+import fs from 'fs/promises';
 import { execFileSync, spawn } from 'child_process';
 import { createRequire } from 'module';
+import fs2 from 'fs';
+import { pathToFileURL } from 'url';
+import fg from 'fast-glob';
 import { pipeline } from 'stream/promises';
 import { PassThrough } from 'stream';
-import fg from 'fast-glob';
 import * as ts from 'typescript';
-import { Resvg } from '@resvg/resvg-js';
 
 var __create = Object.create;
 var __defProp = Object.defineProperty;
@@ -2400,50 +2399,177 @@ async function runMain(cmd, opts = {}) {
     process.exit(1);
   }
 }
-function packageRoot() {
-  return path5.resolve(path5.dirname(fileURLToPath(import.meta.url)), "..");
-}
-var CONFIG = `import { defineConfig } from '@cleartrip/frontguard'
+var CONFIG_TEMPLATE = `import { defineConfig } from '@cleartrip/frontguard'
 
 export default defineConfig({
-  mode: 'warn', // or FrontGuard run with \`--enforce\`
+  // \u2500\u2500\u2500 Mode \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // 'warn'    \u2014 findings are advisory; CI always passes (default).
+  // 'enforce' \u2014 CI exits non-zero when any finding has severity 'block'.
+  //             Same as running \`frontguard run --enforce\`.
+  mode: 'warn',
+
+  // \u2500\u2500\u2500 Shared org config \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // Inherit from an installed npm package; fields are deep-merged.
   // extends: '@your-org/frontguard-config/base',
 
-  // Example custom rules (return true when violated):
+  // \u2500\u2500\u2500 Custom rules \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // Inline pattern checks \u2014 \`check(file)\` returns true when violated.
   // rules: {
   //   'no-inline-style': {
   //     severity: 'warn',
-  //     message: 'Avoid inline style objects',
-  //     check: (file) => file.content.includes('style={{'),
+  //     message: 'Avoid inline style objects in JSX',
+  //     check: (file) => /\\.tsx$/.test(file.path) && file.content.includes('style={{'),
   //   },
-  // },
-
-  // checks: {
-  //   bundle: { baselineRef: 'main', maxDeltaBytes: 50_000 },
-  //   coreWebVitals: { scanGlobs: ['src/**/*.{tsx,jsx}'] },
-  //   prSize: {
-  //     tiers: [
-  //       { minLines: 1000, severity: 'warn', message: 'Very large PR (\${lines} lines; \u2265 \${min})' },
-  //       { minLines: 500, severity: 'info', message: 'Consider splitting (\${lines} lines)' },
-  //     ],
+  //   'no-console-log': {
+  //     severity: 'info',
+  //     message: 'Remove console.log before merging',
+  //     check: (file) => /\\.(ts|tsx|js|jsx)$/.test(file.path) && /console\\.log\\(/.test(file.content),
   //   },
-  //   // AI strict: only // @frontguard-ai:start \u2026 :end (or // written by AI: start \u2026 :end) in PR files
-  //   // aiAssistedReview: { strictScanMode: 'decorator' },
-  //   cycles: { enabled: true },
-  //   deadCode: { enabled: true, gate: 'info' },
-  //   // LLM: cloud keys in CI, or local Ollama (no API key) on dev/self-hosted runners:
-  //   //   ollama serve && ollama pull llama3.2
-  //   // Paste workflow (no key): frontguard run --append ./.frontguard/review-notes.md
-  //   llm: {
-  //     enabled: true,
-  //     provider: 'ollama',
-  //     model: 'llama3.2',
-  //     ollamaUrl: 'http://127.0.0.1:11434',
-  //     perFindingFixes: true,
-  //     maxFixSuggestions: 8,
-  //   },
-  //   // llm: { enabled: true, provider: 'openai', apiKeyEnv: 'OPENAI_API_KEY' },
   // },
+
+  checks: {
+    // \u2500\u2500\u2500 ESLint \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Runs ESLint using your project config on PR-scoped files.
+    // eslint: {
+    //   enabled: true,
+    //   glob: '**/*.{js,cjs,mjs,jsx,ts,tsx}',   // files to lint
+    // },
+
+    // \u2500\u2500\u2500 Prettier \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Checks that files match Prettier formatting.
+    // prettier: {
+    //   enabled: true,
+    //   glob: '**/*.{js,cjs,mjs,jsx,ts,tsx,json,md,css,scss,yml,yaml}',
+    // },
+
+    // \u2500\u2500\u2500 TypeScript \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Runs \`tsc --noEmit\` to surface type errors before merge.
+    // typescript: {
+    //   enabled: true,
+    //   tscArgs: ['--noEmit'],                   // extra tsc flags
+    // },
+
+    // \u2500\u2500\u2500 Secrets \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Scans changed files for patterns that look like leaked secrets.
+    // secrets: { enabled: true },
+
+    // \u2500\u2500\u2500 PR Hygiene \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Validates PR metadata: description length, sections, AI disclosure.
+    // prHygiene: {
+    //   enabled: true,
+    //   minBodyLength: 80,
+    //   requireSections: false,
+    //   sectionHints: ['what', 'why', 'test', 'screenshot'],
+    //   requireAiDisclosureSection: true,
+    //   gateWhenAiDisclosureAmbiguous: 'warn',   // 'info' | 'warn' | 'block'
+    // },
+
+    // \u2500\u2500\u2500 PR Size \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Flags oversized PRs based on total changed lines.
+    // prSize: {
+    //   enabled: true,
+    //   warnLines: 400,
+    //   softBlockLines: 800,
+    //   // Custom tiers (overrides warnLines/softBlockLines when set):
+    //   // tiers: [
+    //   //   { minLines: 1000, severity: 'block', message: 'PR too large (\${lines} lines)' },
+    //   //   { minLines: 500,  severity: 'warn',  message: 'Consider splitting (\${lines} lines)' },
+    //   // ],
+    // },
+
+    // \u2500\u2500\u2500 TS any delta \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Counts new \`any\` usage introduced in the diff vs merge-base.
+    // tsAnyDelta: {
+    //   enabled: true,
+    //   gate: 'warn',                            // 'info' | 'warn' | 'block'
+    //   baseRef: 'main',                         // fallback when BITBUCKET_PR_DESTINATION_BRANCH unset
+    //   maxAdded: 0,                             // 0 = report only; >0 = trigger gate when exceeded
+    // },
+
+    // \u2500\u2500\u2500 Circular dependencies \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Runs \`madge\` to find import cycles in your source.
+    // cycles: {
+    //   enabled: true,
+    //   gate: 'warn',
+    //   entries: ['src'],                        // entry directories for madge
+    //   extraArgs: [],
+    // },
+
+    // \u2500\u2500\u2500 Dead code \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Runs \`ts-prune\` to find unused exports in the TypeScript project.
+    // deadCode: {
+    //   enabled: true,
+    //   gate: 'info',
+    //   extraArgs: [],
+    //   maxReportLines: 80,
+    // },
+
+    // \u2500\u2500\u2500 Bundle size \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Measures bundle after build and compares to a baseline.
+    //
+    // bundleSizeStrategy options:
+    //   'auto'   \u2014 auto-detect from package.json (Next\u2192next, Vite\u2192vite, CRA\u2192cra, else glob)
+    //   'next'   \u2014 parse "First Load JS shared by all" from \`next build\` stdout
+    //   'vite'   \u2014 sum dist/assets/*.js after \`vite build\`
+    //   'cra'    \u2014 parse gzipped JS total from \`react-scripts build\` stdout
+    //   'glob'   \u2014 sum raw bytes under measureGlobs (generic fallback)
+    //   'custom' \u2014 run bundleSizeCommand, read a single number (bytes) from stdout
+    //
+    // bundle: {
+    //   enabled: true,
+    //   gate: 'warn',
+    //   runBuild: true,                          // false = skip build, measure existing files
+    //   buildCommand: 'npm run build',           // your production build command
+    //   bundleSizeStrategy: 'auto',
+    //   bundleSizeCommand: null,                 // only for strategy 'custom', e.g. 'node scripts/bundle-size.js'
+    //   measureGlobs: ['dist/**/*', 'build/static/**/*', '.next/static/**/*'],
+    //   baselinePath: '.frontguard/bundle-baseline.json',
+    //   baselineRef: 'main',
+    //   maxDeltaBytes: 50_000,                   // max allowed growth vs baseline; null = no limit
+    //   maxTotalBytes: null,                     // absolute cap; null = no limit
+    // },
+
+    // \u2500\u2500\u2500 Core Web Vitals \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Static hints for LCP-friendly images, main-thread hygiene, etc.
+    // coreWebVitals: {
+    //   enabled: true,
+    //   gate: 'warn',
+    //   scanGlobs: ['app/**/*.{tsx,jsx}', 'pages/**/*.{tsx,jsx}', 'src/**/*.{tsx,jsx}'],
+    //   maxFileBytes: 400_000,
+    // },
+
+    // \u2500\u2500\u2500 AI-assisted review (UNDER DEVELOPMENT \u2014 off by default) \u2500
+    // Static heuristics on @frontguard-ai regions or AI-disclosed PRs. Not used in CI until you enable.
+    // aiAssistedReview: {
+    //   enabled: true,
+    //   gate: 'warn',
+    //   // 'decorator'     \u2014 only scan @frontguard-ai:start \u2026 :end regions
+    //   // 'pr-disclosure' \u2014 only when PR body discloses AI use
+    //   // 'both'          \u2014 scan decorators when present; otherwise PR disclosure triggers full scan
+    //   strictScanMode: 'both',
+    //   escalate: {
+    //     secretFindingsToBlock: true,            // promote secret findings to 'block' in AI PRs
+    //     tsAnyDeltaToBlock: true,                // promote any-delta findings to 'block' in AI PRs
+    //   },
+    // },
+
+    // \u2500\u2500\u2500 LLM review (UNDER DEVELOPMENT \u2014 off by default) \u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // When enabled: loads .cursor/rules, AGENTS.md for prompt context. Cloud keys or Ollama.
+    //   ollama: ollama serve && ollama pull llama3.2
+    //   paste:  frontguard run --append ./.frontguard/review-notes.md
+    // llm: {
+    //   enabled: true,
+    //   provider: 'ollama',                      // 'openai' | 'anthropic' | 'ollama'
+    //   model: 'llama3.2',
+    //   ollamaUrl: 'http://127.0.0.1:11434',
+    //   apiKeyEnv: 'OPENAI_API_KEY',             // env var name for OpenAI/Anthropic
+    //   maxDiffChars: 48_000,
+    //   timeoutMs: 60_000,
+    //   perFindingFixes: false,                  // ask model for per-finding fix hints (slow)
+    //   maxFixSuggestions: 12,
+    //   maxFileContextChars: 24_000,
+    // },
+  },
 })
 `;
 var PR_TEMPLATE = `## Summary
@@ -2466,183 +2592,285 @@ If **Yes**, list tools and what they touched (helps reviewers run a stricter fir
 ## AI assistance (optional detail)
 - [ ] I have reviewed every AI-suggested line for security, auth, and product correctness
 `;
-async function initFrontGuard(cwd) {
-  const root = packageRoot();
-  const tplPath = path5.join(root, "templates", "bitbucket-pipelines.yml");
-  const outPipeline = path5.join(cwd, "bitbucket-pipelines.frontguard.example.yml");
-  try {
-    await fs.access(outPipeline);
-  } catch {
-    try {
-      const yml = await fs.readFile(tplPath, "utf8");
-      await fs.writeFile(outPipeline, yml, "utf8");
-    } catch {
-      await fs.writeFile(
-        outPipeline,
-        "# Copy bitbucket-pipelines.yml from @cleartrip/frontguard/templates in node_modules\n",
-        "utf8"
-      );
-    }
+var FRONTGUARD_STEP_YAML = `      - step:
+          name: FrontGuard \u2014 report + PR comment
+          caches:
+            - node
+          artifacts:
+            - frontguard-report.html
+            - frontguard-report.md
+            - frontguard-pr-comment.partial.md
+          script:
+            - corepack enable
+            - yarn install --immutable || yarn install
+            - |
+              yarn frontguard run --markdown \\
+                --htmlOut frontguard-report.html \\
+                --prCommentOut frontguard-pr-comment.partial.md \\
+                > frontguard-report.md
+            - test -n "\${BITBUCKET_ACCESS_TOKEN:-}" || { echo "Missing secured var BITBUCKET_ACCESS_TOKEN"; exit 1; }
+            - |
+              python3 << 'PY'
+              import json
+              import os
+              from urllib.error import HTTPError
+              from urllib.request import Request, urlopen
+
+              PLACEHOLDER = "__FRONTGUARD_REPORT_URL__"
+
+              base = os.environ.get("FREEKIT_BASE_URL", "https://freekit.dev").rstrip("/")
+              with open("frontguard-report.html", encoding="utf-8") as f:
+                  html = f.read()
+
+              req = Request(
+                  f"{base}/api/v1/sites",
+                  data=json.dumps({"html": html}).encode("utf-8"),
+                  headers={"Content-Type": "application/json"},
+                  method="POST",
+              )
+              try:
+                  with urlopen(req, timeout=180) as resp:
+                      parsed = json.load(resp)
+              except HTTPError as e:
+                  raise SystemExit(
+                      f"FreeKit HTTP {e.code}: {(e.read() or b'').decode()[:4000]}"
+                  )
+
+              if parsed.get("status") != "success":
+                  raise SystemExit(f"FreeKit error: {json.dumps(parsed)[:4000]}")
+
+              data = parsed.get("data") or {}
+              report_url = (data.get("url") or "").strip()
+              if not report_url:
+                  raise SystemExit(f"FreeKit: missing data.url in {json.dumps(parsed)[:2000]}")
+
+              with open("frontguard-pr-comment.partial.md", encoding="utf-8") as f:
+                  body = f.read()
+              if PLACEHOLDER not in body:
+                  raise SystemExit(
+                      f"Expected {PLACEHOLDER!r} in frontguard-pr-comment.partial.md \u2014 regenerate with current FrontGuard."
+                  )
+              body = body.replace(PLACEHOLDER, report_url, 1)
+
+              with open("frontguard-pr-comment.md", "w", encoding="utf-8") as out:
+                  out.write(body)
+              with open("frontguard-payload.json", "w", encoding="utf-8") as out:
+                  json.dump({"content": {"raw": body}}, out, ensure_ascii=False)
+              PY
+            - |
+              curl --silent --show-error --fail --request POST \\
+                --url "https://api.bitbucket.org/2.0/repositories/\${BITBUCKET_REPO_FULL_NAME}/pullrequests/\${BITBUCKET_PR_ID}/comments" \\
+                --header 'Accept: application/json' \\
+                --header 'Content-Type: application/json' \\
+                --header "Authorization: Bearer \${BITBUCKET_ACCESS_TOKEN}" \\
+                --data @frontguard-payload.json`;
+var FRONTGUARD_MARKER = "FrontGuard";
+function hasFrontGuardStep(content) {
+  return content.includes(FRONTGUARD_MARKER);
+}
+function mergePipelineStep(existing) {
+  if (hasFrontGuardStep(existing)) {
+    return existing;
+  }
+  const lines = existing.split("\n");
+  const prSectionIdx = findPullRequestsSection(lines);
+  if (prSectionIdx !== null) {
+    return injectStepIntoPrSection(lines, prSectionIdx);
+  }
+  return appendPrSection(lines);
+}
+function findPullRequestsSection(lines) {
+  for (let i3 = 0; i3 < lines.length; i3++) {
+    if (/^\s{2,}pull-requests:\s*$/.test(lines[i3])) return i3;
   }
-  const cfgPath = path5.join(cwd, "frontguard.config.js");
-  try {
-    await fs.access(cfgPath);
-  } catch {
-    await fs.writeFile(cfgPath, CONFIG, "utf8");
+  return null;
+}
+function findBranchPattern(lines, afterLine) {
+  for (let i3 = afterLine + 1; i3 < lines.length; i3++) {
+    const line = lines[i3];
+    if (line.trim() === "" || line.trim().startsWith("#")) continue;
+    if (/^\s{4,}'[^']+':/.test(line) || /^\s{4,}"[^"]+":/.test(line)) return i3;
+    break;
   }
-  const tplPr = path5.join(cwd, "pull_request_template.md");
-  try {
-    await fs.access(tplPr);
-  } catch {
-    await fs.writeFile(tplPr, PR_TEMPLATE, "utf8");
+  return null;
+}
+function findLastStepEnd(lines, afterBranch) {
+  let lastContentLine = afterBranch;
+  const branchIndent = (lines[afterBranch].match(/^(\s*)/)?.[1] ?? "").length;
+  for (let i3 = afterBranch + 1; i3 < lines.length; i3++) {
+    const line = lines[i3];
+    if (line.trim() === "" || line.trim().startsWith("#")) continue;
+    const indent = (line.match(/^(\s*)/)?.[1] ?? "").length;
+    if (indent <= branchIndent) break;
+    lastContentLine = i3;
+  }
+  return lastContentLine;
+}
+function injectStepIntoPrSection(lines, prIdx) {
+  const branchIdx = findBranchPattern(lines, prIdx);
+  if (branchIdx !== null) {
+    const insertAfter = findLastStepEnd(lines, branchIdx);
+    const before = lines.slice(0, insertAfter + 1);
+    const after = lines.slice(insertAfter + 1);
+    return [...before, FRONTGUARD_STEP_YAML, ...after].join("\n");
+  }
+  const result = [...lines];
+  result.splice(prIdx + 1, 0, "    '**':", FRONTGUARD_STEP_YAML);
+  return result.join("\n");
+}
+function appendPrSection(lines) {
+  const pipelinesIdx = lines.findIndex((l3) => /^pipelines:\s*$/.test(l3));
+  if (pipelinesIdx === -1) {
+    return [
+      ...lines,
+      "",
+      "pipelines:",
+      "  pull-requests:",
+      "    '**':",
+      FRONTGUARD_STEP_YAML
+    ].join("\n");
+  }
+  let insertAt = pipelinesIdx + 1;
+  for (let i3 = pipelinesIdx + 1; i3 < lines.length; i3++) {
+    if (lines[i3].trim() === "" || lines[i3].trim().startsWith("#")) {
+      insertAt = i3 + 1;
+      continue;
+    }
+    const indent = (lines[i3].match(/^(\s*)/)?.[1] ?? "").length;
+    if (indent >= 2) {
+      insertAt = i3 + 1;
+    } else {
+      break;
+    }
   }
+  const lastSectionEnd = findEndOfLastSection(lines, pipelinesIdx);
+  const actualInsert = Math.max(insertAt, lastSectionEnd + 1);
+  const before = lines.slice(0, actualInsert);
+  const after = lines.slice(actualInsert);
+  return [
+    ...before,
+    "  pull-requests:",
+    "    '**':",
+    FRONTGUARD_STEP_YAML,
+    ...after
+  ].join("\n");
 }
-var BITBUCKET_CHECKS_IMAGE_MARKDOWN_ALT = "FrontGuard checks summary";
-var MAX_BITBUCKET_INLINE_IMAGE_MARKDOWN_LINE_LENGTH = 3e5;
-var MAX_PNG_BYTES_BITBUCKET_INLINE = 21e4;
-var MARKDOWN_LINE_PREFIX = `![${BITBUCKET_CHECKS_IMAGE_MARKDOWN_ALT}](data:image/png;base64,`;
-function isPngBuffer(buf) {
-  return buf.length >= 8 && buf[0] === 137 && buf[1] === 80 && buf[2] === 78 && buf[3] === 71 && buf[4] === 13 && buf[5] === 10 && buf[6] === 26 && buf[7] === 10;
+function findEndOfLastSection(lines, pipelinesIdx) {
+  let last = pipelinesIdx;
+  for (let i3 = pipelinesIdx + 1; i3 < lines.length; i3++) {
+    const line = lines[i3];
+    if (line.trim() === "") continue;
+    const indent = (line.match(/^(\s*)/)?.[1] ?? "").length;
+    if (indent === 0 && !line.trim().startsWith("#")) break;
+    last = i3;
+  }
+  return last;
 }
-function pngBufferToBitbucketImageMarkdownLine(png) {
-  if (!isPngBuffer(png)) {
-    throw new TypeError("Buffer is not a PNG (missing IHDR signature)");
+async function initFrontGuard(cwd) {
+  const actions = [];
+  const cfgPath = path6.join(cwd, "frontguard.config.js");
+  if (!await fileExists(cfgPath)) {
+    await fs.writeFile(cfgPath, CONFIG_TEMPLATE, "utf8");
+    actions.push("created frontguard.config.js");
+  } else {
+    actions.push("frontguard.config.js already exists (skipped)");
   }
-  if (png.length > MAX_PNG_BYTES_BITBUCKET_INLINE) {
-    throw new RangeError(
-      `PNG too large for Bitbucket inline markdown (${png.length} bytes; max ${MAX_PNG_BYTES_BITBUCKET_INLINE}). Host the image and use an HTTPS URL instead.`
-    );
+  const prTplPath = path6.join(cwd, "pull_request_template.md");
+  if (!await fileExists(prTplPath)) {
+    await fs.writeFile(prTplPath, PR_TEMPLATE, "utf8");
+    actions.push("created pull_request_template.md");
+  } else {
+    actions.push("pull_request_template.md already exists (skipped)");
   }
-  const b64 = png.toString("base64");
-  const line = `${MARKDOWN_LINE_PREFIX}${b64})`;
-  if (line.length > MAX_BITBUCKET_INLINE_IMAGE_MARKDOWN_LINE_LENGTH) {
-    throw new RangeError(
-      `Inline markdown line too long (${line.length} chars; max ${MAX_BITBUCKET_INLINE_IMAGE_MARKDOWN_LINE_LENGTH})`
+  const pipelinePath = path6.join(cwd, "bitbucket-pipelines.yml");
+  if (await fileExists(pipelinePath)) {
+    const existing = await fs.readFile(pipelinePath, "utf8");
+    if (hasFrontGuardStep(existing)) {
+      actions.push("bitbucket-pipelines.yml already has FrontGuard step (skipped)");
+    } else {
+      const merged = mergePipelineStep(existing);
+      await fs.writeFile(pipelinePath, merged, "utf8");
+      actions.push("merged FrontGuard step into bitbucket-pipelines.yml pull-requests");
+    }
+  } else {
+    await fs.writeFile(
+      pipelinePath,
+      [
+        "image: node:20",
+        "",
+        "clone:",
+        "  depth: 50",
+        "",
+        "pipelines:",
+        "  pull-requests:",
+        "    '**':",
+        FRONTGUARD_STEP_YAML,
+        ""
+      ].join("\n"),
+      "utf8"
     );
+    actions.push("created bitbucket-pipelines.yml with FrontGuard step");
   }
-  return line;
+  return actions;
 }
-function tryPngFileToBitbucketImageMarkdownLine(filePath) {
+async function fileExists(p2) {
   try {
-    if (!existsSync(filePath)) return null;
-    const st = statSync(filePath);
-    if (!st.isFile() || st.size > MAX_PNG_BYTES_BITBUCKET_INLINE) return null;
-    const buf = readFileSync(filePath);
-    return pngBufferToBitbucketImageMarkdownLine(buf);
+    await fs.access(p2);
+    return true;
   } catch {
-    return null;
+    return false;
   }
 }
 
 // src/ci/bitbucket-pr-snippet.ts
-function checksImageMarkdown() {
-  const embedPath = process.env.FRONTGUARD_EMBED_CHECKS_PNG_PATH?.trim();
-  if (embedPath) {
-    return tryPngFileToBitbucketImageMarkdownLine(embedPath);
-  }
-  const u4 = process.env.FRONTGUARD_CHECKS_IMAGE_URL?.trim();
-  if (!u4) return null;
-  return `![${BITBUCKET_CHECKS_IMAGE_MARKDOWN_ALT}](${u4})`;
-}
-function bitbucketPipelineResultsUrl() {
-  const full = process.env.BITBUCKET_REPO_FULL_NAME?.trim();
-  const bn = process.env.BITBUCKET_BUILD_NUMBER?.trim();
-  if (full && bn) {
-    return `https://bitbucket.org/${full}/pipelines/results/${bn}`;
-  }
-  const ws = process.env.BITBUCKET_WORKSPACE?.trim();
-  const slug = process.env.BITBUCKET_REPO_SLUG?.trim();
-  if (ws && slug && bn) {
-    return `https://bitbucket.org/${ws}/${slug}/pipelines/results/${bn}`;
+var FRONTGUARD_REPORT_URL_PLACEHOLDER = "__FRONTGUARD_REPORT_URL__";
+var DETAILED_REPORT_LINE = "For detailed check analysis, please open the full interactive report:";
+function mdTableCell(s3) {
+  return s3.replace(/\|/g, "\\|").replace(/\r?\n/g, " ").trim();
+}
+function statusForPrTable(r4) {
+  if (r4.skipped) {
+    const t3 = r4.skipped.replace(/\s+/g, " ").trim();
+    const short = t3.length > 120 ? `${t3.slice(0, 117)}\u2026` : t3;
+    return `Skipped \u2014 ${short}`;
   }
-  return null;
+  const n3 = r4.findings.length;
+  const blocks = r4.findings.filter((f4) => f4.severity === "block").length;
+  if (blocks > 0) return `${n3} issue(s), ${blocks} blocking`;
+  return `${n3} issue(s)`;
 }
-function bitbucketDownloadsPageUrl() {
-  const full = process.env.BITBUCKET_REPO_FULL_NAME?.trim();
-  if (full) return `https://bitbucket.org/${full}/downloads/`;
-  const ws = process.env.BITBUCKET_WORKSPACE?.trim();
-  const slug = process.env.BITBUCKET_REPO_SLUG?.trim();
-  if (ws && slug) return `https://bitbucket.org/${ws}/${slug}/downloads/`;
-  return null;
+function checkNeedsRow(r4) {
+  return Boolean(r4.skipped) || r4.findings.length > 0;
 }
-var DETAILED_REPORT_LINE = "For detailed check analysis, please open the full interactive report:";
 function formatBitbucketPrSnippet(report) {
   const publicReport = process.env.FRONTGUARD_PUBLIC_REPORT_URL?.trim();
   const linkOnly = process.env.FRONTGUARD_BITBUCKET_COMMENT_LINK_ONLY === "1";
-  const imgMd = checksImageMarkdown();
   if (linkOnly && publicReport) {
-    const parts = [];
-    if (imgMd) {
-      parts.push(imgMd, "");
-      parts.push(DETAILED_REPORT_LINE);
-    }
-    parts.push(publicReport.endsWith("\n") ? publicReport.slice(0, -1) : publicReport);
-    return `${parts.join("\n")}
+    const u4 = publicReport.endsWith("\n") ? publicReport.slice(0, -1) : publicReport;
+    return `${u4}
 `;
   }
-  const downloadsName = process.env.FRONTGUARD_REPORT_DOWNLOAD_NAME?.trim();
-  const downloadsPage = bitbucketDownloadsPageUrl();
-  const pipeline = bitbucketPipelineResultsUrl();
+  const reportUrl = publicReport || FRONTGUARD_REPORT_URL_PLACEHOLDER;
   const { riskScore, results } = report;
-  const blocks = results.reduce(
-    (n3, r4) => n3 + r4.findings.filter((f4) => f4.severity === "block").length,
-    0
-  );
-  const warns = results.reduce(
-    (n3, r4) => n3 + r4.findings.filter((f4) => f4.severity === "warn").length,
-    0
-  );
-  const out = [];
-  if (imgMd) {
-    out.push(imgMd);
-    out.push("");
-  }
-  out.push(
-    "FrontGuard report (short summary)",
-    "",
-    `Risk: ${riskScore}  |  Blocking: ${blocks}  |  Warnings: ${warns}`,
-    ""
-  );
-  if (publicReport) {
-    if (imgMd) {
-      out.push(DETAILED_REPORT_LINE);
-    } else {
-      out.push("Full interactive report (open in browser):");
-    }
-    out.push(publicReport);
-    out.push("");
-  } else if (downloadsName && downloadsPage) {
-    out.push("HTML report is in Repository \u2192 Downloads. Open this page while logged in:");
-    out.push(downloadsPage);
-    out.push(`File name: ${downloadsName}`);
-    out.push("Download the file, then open it in a browser.");
-    out.push("");
-  } else if (pipeline) {
-    out.push(
-      "There is no direct \u201CHTML URL\u201D for pipeline artifacts in Bitbucket. Use this pipeline run (log in), then Artifacts \u2192 frontguard-report.html:"
-    );
-    out.push(pipeline);
-    out.push("");
-    out.push(
-      "Steps: open the link \u2192 scroll to Artifacts \u2192 download frontguard-report.html \u2192 open the file on your machine."
-    );
-    out.push("");
+  const lines = [];
+  lines.push(`#### RISK score: ${riskScore}`);
+  lines.push("");
+  const failing = results.filter(checkNeedsRow);
+  if (failing.length > 0) {
+    lines.push("| Check name | Status |");
+    lines.push("| --- | --- |");
+    for (const r4 of failing) {
+      lines.push(`| ${mdTableCell(r4.checkId)} | ${mdTableCell(statusForPrTable(r4))} |`);
+    }
   } else {
-    out.push(
-      "Add a link: run FrontGuard inside Bitbucket Pipelines, or set FRONTGUARD_PUBLIC_REPORT_URL after uploading the HTML somewhere HTTPS."
-    );
-    out.push("");
-  }
-  out.push("Checks:");
-  for (const r4 of results) {
-    const status = r4.skipped ? `skipped (${r4.skipped.slice(0, 100)}${r4.skipped.length > 100 ? "\u2026" : ""})` : r4.findings.length === 0 ? "clean" : `${r4.findings.length} finding(s)`;
-    out.push(`- ${r4.checkId}: ${status}`);
+    lines.push("_All checks passed for this run._");
   }
-  out.push("");
-  out.push(
-    "Do not paste the long frontguard-report.md into PR comments. Full text output is in that file / pipeline artifacts only."
-  );
-  return out.join("\n");
+  lines.push("");
+  lines.push(DETAILED_REPORT_LINE);
+  lines.push("");
+  lines.push(reportUrl.endsWith("\n") ? reportUrl.slice(0, -1) : reportUrl);
+  lines.push("");
+  return lines.join("\n");
 }
 
 // src/ci/parse-ai-disclosure.ts
@@ -2727,13 +2955,13 @@ function parseNumstat(output) {
     if (tab2 < 0) continue;
     const aStr = t3.slice(0, tab);
     const dStr = t3.slice(tab + 1, tab2);
-    const path18 = t3.slice(tab2 + 1);
+    const path20 = t3.slice(tab2 + 1);
     const a3 = aStr === "-" ? 0 : Number(aStr);
     const d3 = dStr === "-" ? 0 : Number(dStr);
     if (!Number.isFinite(a3) || !Number.isFinite(d3)) continue;
     additions += a3;
     deletions += d3;
-    if (path18) files.push(path18);
+    if (path20) files.push(path20);
   }
   return { additions, deletions, files };
 }
@@ -2853,7 +3081,7 @@ var defaultConfig = {
       gateWhenAiDisclosureAmbiguous: "warn"
     },
     aiAssistedReview: {
-      enabled: true,
+      enabled: false,
       gate: "warn",
       strictScanMode: "both",
       escalate: {
@@ -2885,6 +3113,8 @@ var defaultConfig = {
       gate: "warn",
       runBuild: true,
       buildCommand: "npm run build",
+      bundleSizeStrategy: "auto",
+      bundleSizeCommand: null,
       measureGlobs: ["dist/**/*", "build/static/**/*", ".next/static/**/*"],
       baselinePath: ".frontguard/bundle-baseline.json",
       baselineRef: "main",
@@ -2944,7 +3174,7 @@ function stripExtends(c4) {
 }
 async function loadExtendsLayer(cwd, spec) {
   if (!spec) return {};
-  const req = createRequire(path5.join(cwd, "package.json"));
+  const req = createRequire(path6.join(cwd, "package.json"));
   const specs = Array.isArray(spec) ? spec : [spec];
   let merged = {};
   for (const s3 of specs) {
@@ -2963,7 +3193,7 @@ async function loadExtendsLayer(cwd, spec) {
 async function loadConfig(cwd) {
   let userFile = null;
   for (const name of CONFIG_NAMES) {
-    const full = path5.join(cwd, name);
+    const full = path6.join(cwd, name);
     if (!fs2.existsSync(full)) continue;
     try {
       const mod = await importConfig(full);
@@ -2995,7 +3225,7 @@ function hasDep(deps, name) {
 async function detectStack(cwd) {
   let pkg = {};
   try {
-    const raw = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
+    const raw = await fs.readFile(path6.join(cwd, "package.json"), "utf8");
     pkg = JSON.parse(raw);
   } catch {
     return {
@@ -3007,6 +3237,8 @@ async function detectStack(cwd) {
       hasJest: false,
       hasVitest: false,
       hasPlaywright: false,
+      hasVite: false,
+      hasCRA: false,
       packageManager: "unknown",
       tsStrict: null
     };
@@ -3015,7 +3247,7 @@ async function detectStack(cwd) {
   const isMonorepo = Boolean(pkg.workspaces);
   let tsStrict = null;
   try {
-    const tsconfigPath = path5.join(cwd, "tsconfig.json");
+    const tsconfigPath = path6.join(cwd, "tsconfig.json");
     const tsRaw = await fs.readFile(tsconfigPath, "utf8");
     const ts2 = JSON.parse(tsRaw);
     if (typeof ts2.compilerOptions?.strict === "boolean") {
@@ -3025,15 +3257,15 @@ async function detectStack(cwd) {
   }
   let pm = "unknown";
   try {
-    await fs.access(path5.join(cwd, "pnpm-lock.yaml"));
+    await fs.access(path6.join(cwd, "pnpm-lock.yaml"));
     pm = "pnpm";
   } catch {
     try {
-      await fs.access(path5.join(cwd, "yarn.lock"));
+      await fs.access(path6.join(cwd, "yarn.lock"));
       pm = "yarn";
     } catch {
       try {
-        await fs.access(path5.join(cwd, "package-lock.json"));
+        await fs.access(path6.join(cwd, "package-lock.json"));
         pm = "npm";
       } catch {
         pm = "npm";
@@ -3049,6 +3281,8 @@ async function detectStack(cwd) {
     hasJest: hasDep(deps, "jest"),
     hasVitest: hasDep(deps, "vitest"),
     hasPlaywright: hasDep(deps, "@playwright/test"),
+    hasVite: hasDep(deps, "vite"),
+    hasCRA: hasDep(deps, "react-scripts"),
     packageManager: pm,
     tsStrict
   };
@@ -3058,11 +3292,62 @@ function formatStackOneLiner(s3) {
   if (s3.hasNext) bits.push("Next.js");
   if (s3.hasReactNative) bits.push("React Native");
   else if (s3.hasReact) bits.push("React");
+  if (s3.hasVite) bits.push("Vite");
+  if (s3.hasCRA) bits.push("CRA");
   if (s3.hasTypeScript) bits.push("TypeScript");
   if (s3.tsStrict === true) bits.push("strict TS");
   bits.push(`pkg: ${s3.packageManager}`);
   return bits.join(" \xB7 ") || "unknown";
 }
+var MAX_TOTAL_CHARS = 32e3;
+var MAX_PER_FILE_CHARS = 8e3;
+async function loadCursorRules(cwd) {
+  const empty = { text: "", fileCount: 0, files: [] };
+  const parts = [];
+  let totalChars = 0;
+  const ruleFiles = await fg(
+    [".cursor/rules/**/*.{md,mdc}", ".cursorrules", "AGENTS.md"],
+    {
+      cwd,
+      onlyFiles: true,
+      dot: true,
+      ignore: ["**/node_modules/**"]
+    }
+  );
+  if (ruleFiles.length === 0) return empty;
+  ruleFiles.sort();
+  for (const rel of ruleFiles) {
+    if (totalChars >= MAX_TOTAL_CHARS) break;
+    try {
+      let content = await fs.readFile(path6.join(cwd, rel), "utf8");
+      content = stripFrontmatter(content).trim();
+      if (!content) continue;
+      const budget = Math.min(MAX_PER_FILE_CHARS, MAX_TOTAL_CHARS - totalChars);
+      if (content.length > budget) {
+        content = content.slice(0, budget) + "\n[\u2026 truncated]";
+      }
+      parts.push({ rel, content });
+      totalChars += content.length;
+    } catch {
+      continue;
+    }
+  }
+  if (parts.length === 0) return empty;
+  const text = parts.map((p2) => `### Rule: ${p2.rel}
+
+${p2.content}`).join("\n\n---\n\n");
+  return {
+    text,
+    fileCount: parts.length,
+    files: parts.map((p2) => p2.rel)
+  };
+}
+function stripFrontmatter(content) {
+  if (!content.startsWith("---")) return content;
+  const endIdx = content.indexOf("---", 3);
+  if (endIdx === -1) return content;
+  return content.slice(endIdx + 3).trim();
+}
 function normalizePrPath(p2) {
   return p2.replace(/\\/g, "/").replace(/^\.\//, "");
 }
@@ -3076,8 +3361,8 @@ function prPathSet(pr) {
 function isPathInPrScope(relOrAbs, cwd, prSet) {
   const raw = relOrAbs.replace(/^file:\/\//, "");
   let rel = normalizePrPath(raw);
-  if (path5.isAbsolute(raw)) {
-    rel = normalizePrPath(path5.relative(cwd, raw));
+  if (path6.isAbsolute(raw)) {
+    rel = normalizePrPath(path6.relative(cwd, raw));
   }
   if (prSet.has(rel)) return true;
   const trimmed = rel.replace(/^\.\//, "");
@@ -3103,7 +3388,7 @@ async function existingRepoPaths(cwd, rels) {
   const out = [];
   for (const rel of rels) {
     try {
-      await fs.access(path5.join(cwd, rel));
+      await fs.access(path6.join(cwd, rel));
       out.push(rel);
     } catch {
     }
@@ -3133,30 +3418,30 @@ function stripFileUrl(p2) {
   return s3;
 }
 function isUnderDir(parent, child) {
-  const rel = path5.relative(parent, child);
-  return rel === "" || !rel.startsWith("..") && !path5.isAbsolute(rel);
+  const rel = path6.relative(parent, child);
+  return rel === "" || !rel.startsWith("..") && !path6.isAbsolute(rel);
 }
 function toRepoRelativePath(cwd, filePath) {
   if (!filePath?.trim()) return void 0;
   const raw = stripFileUrl(filePath);
-  const resolvedCwd = path5.resolve(cwd);
-  const absFile = path5.isAbsolute(raw) ? path5.resolve(raw) : path5.resolve(resolvedCwd, raw);
+  const resolvedCwd = path6.resolve(cwd);
+  const absFile = path6.isAbsolute(raw) ? path6.resolve(raw) : path6.resolve(resolvedCwd, raw);
   if (!isUnderDir(resolvedCwd, absFile)) {
     return raw.split(/[/\\]/g).join("/");
   }
-  let rel = path5.relative(resolvedCwd, absFile);
+  let rel = path6.relative(resolvedCwd, absFile);
   if (!rel || rel === ".") {
-    return path5.basename(absFile);
+    return path6.basename(absFile);
   }
-  return rel.split(path5.sep).join("/");
+  return rel.split(path6.sep).join("/");
 }
 function stripRepoAbsolutePaths(cwd, text) {
   if (!text || !cwd.trim()) return text;
-  const resolvedCwd = path5.resolve(cwd);
+  const resolvedCwd = path6.resolve(cwd);
   const asPosix = (s3) => s3.replace(/\\/g, "/");
   const cwdPosix = asPosix(resolvedCwd);
   let out = asPosix(text);
-  const prefixes = [.../* @__PURE__ */ new Set([cwdPosix + "/", resolvedCwd + path5.sep])].filter(
+  const prefixes = [.../* @__PURE__ */ new Set([cwdPosix + "/", resolvedCwd + path6.sep])].filter(
     (p2) => p2.length > 1
   );
   for (const prefix of prefixes) {
@@ -3782,7 +4067,7 @@ async function pathExists(file) {
   }
 }
 async function resolveBin(cwd, name) {
-  const local = path5.join(cwd, "node_modules", ".bin", name);
+  const local = path6.join(cwd, "node_modules", ".bin", name);
   if (await pathExists(local)) return local;
   const win = local + ".cmd";
   if (await pathExists(win)) return win;
@@ -3838,7 +4123,7 @@ async function runNpx(cwd, args) {
 // src/checks/eslint.ts
 async function hasEslintDependency(cwd) {
   try {
-    const raw = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
+    const raw = await fs.readFile(path6.join(cwd, "package.json"), "utf8");
     const p2 = JSON.parse(raw);
     return Boolean(p2.devDependencies?.eslint || p2.dependencies?.eslint);
   } catch {
@@ -3858,7 +4143,7 @@ async function hasEslintConfig(cwd) {
     ".eslintrc.yml"
   ];
   for (const c4 of candidates) {
-    if (await pathExists(path5.join(cwd, c4))) return true;
+    if (await pathExists(path6.join(cwd, c4))) return true;
   }
   return false;
 }
@@ -4114,7 +4399,7 @@ async function runTypeScript(cwd, config, stack, pr) {
       skipped: "disabled in config"
     };
   }
-  const hasTs = stack.hasTypeScript || await pathExists(path5.join(cwd, "tsconfig.json"));
+  const hasTs = stack.hasTypeScript || await pathExists(path6.join(cwd, "tsconfig.json"));
   if (!hasTs) {
     return {
       checkId: "typescript",
@@ -4125,7 +4410,7 @@ async function runTypeScript(cwd, config, stack, pr) {
   }
   const extra = config.checks.typescript.tscArgs ?? [];
   const hasProject = extra.some((a3) => a3 === "-p" || a3 === "--project");
-  const tsconfigPath = path5.join(cwd, "tsconfig.json");
+  const tsconfigPath = path6.join(cwd, "tsconfig.json");
   const args = [
     "--noEmit",
     ...hasProject || !await pathExists(tsconfigPath) ? [] : ["-p", "tsconfig.json"],
@@ -4238,7 +4523,7 @@ async function runSecrets(cwd, config, pr) {
       });
       break;
     }
-    const full = path5.join(cwd, rel);
+    const full = path6.join(cwd, rel);
     let content;
     try {
       content = await fs.readFile(full, "utf8");
@@ -4264,7 +4549,7 @@ async function runSecrets(cwd, config, pr) {
   };
 }
 function isProbablyTextFile(rel) {
-  const ext = path5.extname(rel).toLowerCase();
+  const ext = path6.extname(rel).toLowerCase();
   return TEXT_EXT.has(ext);
 }
 
@@ -4328,8 +4613,8 @@ function runPrHygiene(config, pr) {
   if (pr.aiAssisted) {
     findings.push({
       id: "pr-ai-flag",
-      severity: "warn",
-      message: "**AI-assisted PR:** FrontGuard is applying stricter static checks and may escalate secrets / `any` deltas. Verify business logic, auth, and data handling manually."
+      severity: "info",
+      message: config.checks.aiAssistedReview.enabled ? "**AI-assisted PR:** FrontGuard is applying stricter static checks and may escalate secrets / `any` deltas. Verify business logic, auth, and data handling manually." : "**AI-assisted PR:** Disclosure recorded. The optional **AI-assisted review** check is off by default (under development); enable `checks.aiAssistedReview.enabled` when you want decorator / static heuristics."
     });
   }
   if (pr.aiExplicitNo) {
@@ -4594,12 +4879,12 @@ async function runCycles(cwd, config, stack, pr) {
   }
   let entry = cfg.entries[0] ?? "src";
   for (const e3 of cfg.entries) {
-    if (await pathExists(path5.join(cwd, e3))) {
+    if (await pathExists(path6.join(cwd, e3))) {
       entry = e3;
       break;
     }
   }
-  if (!await pathExists(path5.join(cwd, entry))) {
+  if (!await pathExists(path6.join(cwd, entry))) {
     return {
       checkId: "cycles",
       findings: [],
@@ -4712,11 +4997,62 @@ async function runDeadCode(cwd, config, stack, pr) {
     durationMs: Math.round(performance.now() - t0)
   };
 }
-function gateSeverity4(g4) {
-  return g4 === "block" ? "block" : g4 === "info" ? "info" : "warn";
+function resolveStrategy(configured, stack) {
+  if (configured !== "auto") return configured;
+  if (stack.hasNext) return "next";
+  if (stack.hasCRA) return "cra";
+  if (stack.hasVite) return "vite";
+  return "glob";
+}
+function parseNextBuildOutput(stdout2) {
+  for (const line of stdout2.split("\n")) {
+    if (!line.includes("First Load JS shared by all")) continue;
+    const m3 = /([\d.]+)\s*(kB|MB|B)\s*$/.exec(line.trim());
+    if (!m3) continue;
+    const num = parseFloat(m3[1]);
+    const unit = m3[2];
+    let bytes;
+    if (unit === "kB") bytes = Math.round(num * 1024);
+    else if (unit === "MB") bytes = Math.round(num * 1024 * 1024);
+    else bytes = Math.round(num);
+    return { bytes, label: `First Load JS shared by all: ${m3[1]} ${unit}` };
+  }
+  return null;
+}
+function parseCraBuildOutput(stdout2) {
+  const lines = stdout2.split("\n");
+  let inSection = false;
+  let totalBytes = 0;
+  let count = 0;
+  for (const line of lines) {
+    if (line.includes("File sizes after gzip")) {
+      inSection = true;
+      continue;
+    }
+    if (!inSection) continue;
+    if (line.trim() === "") {
+      if (count > 0) break;
+      continue;
+    }
+    if (!line.includes(".js")) continue;
+    const m3 = /([\d.]+)\s*(KB|kB|MB|B)/i.exec(line);
+    if (!m3) continue;
+    const num = parseFloat(m3[1]);
+    const unit = m3[2].toLowerCase();
+    if (unit === "kb") totalBytes += Math.round(num * 1024);
+    else if (unit === "mb") totalBytes += Math.round(num * 1024 * 1024);
+    else totalBytes += Math.round(num);
+    count++;
+  }
+  if (count === 0) return null;
+  return {
+    bytes: totalBytes,
+    label: `CRA gzipped JS total from ${count} file(s): ${(totalBytes / 1024).toFixed(1)} kB`
+  };
 }
 async function sumGlobBytes(cwd, patterns) {
   let total = 0;
+  let fileCount = 0;
   for (const pattern of patterns) {
     const files = await fg(pattern, {
       cwd,
@@ -4726,16 +5062,43 @@ async function sumGlobBytes(cwd, patterns) {
     });
     for (const rel of files) {
       try {
-        const st = await fs.stat(path5.join(cwd, rel));
+        const st = await fs.stat(path6.join(cwd, rel));
         total += st.size;
+        fileCount++;
       } catch {
       }
     }
   }
-  return total;
+  return {
+    bytes: total,
+    label: `Glob sum: ${fileCount} file(s), ${(total / 1024).toFixed(1)} kB`
+  };
+}
+async function measureViteBundle(cwd, measureGlobs) {
+  const jsGlobs = measureGlobs.length > 0 ? measureGlobs : ["dist/assets/**/*.js"];
+  return sumGlobBytes(cwd, jsGlobs);
+}
+async function runCustomSizeCommand(cwd, command) {
+  const parts = command.trim().split(/\s+/).filter(Boolean);
+  if (parts.length === 0) return null;
+  const [bin, ...args] = parts;
+  try {
+    const r4 = await W2(bin, args, { nodeOptions: { cwd } });
+    const out = (r4.stdout ?? "").trim();
+    const num = parseInt(out, 10);
+    if (!Number.isFinite(num) || num < 0) return null;
+    return { bytes: num, label: `Custom command reported: ${(num / 1024).toFixed(1)} kB` };
+  } catch {
+    return null;
+  }
+}
+
+// src/checks/bundle.ts
+function gateSeverity4(g4) {
+  return g4 === "block" ? "block" : g4 === "info" ? "info" : "warn";
 }
 async function readBaseline(cwd, relPath, baseRef) {
-  const disk = path5.join(cwd, relPath);
+  const disk = path6.join(cwd, relPath);
   try {
     const raw = await fs.readFile(disk, "utf8");
     return JSON.parse(raw);
@@ -4779,7 +5142,7 @@ async function bundleBuildPrecheck(cwd, buildCommand) {
   if (!script) return { run: true };
   let scripts;
   try {
-    const raw = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
+    const raw = await fs.readFile(path6.join(cwd, "package.json"), "utf8");
     const pkg = JSON.parse(raw);
     scripts = pkg.scripts;
   } catch {
@@ -4793,7 +5156,7 @@ async function bundleBuildPrecheck(cwd, buildCommand) {
     return {
       run: false,
       message: `Skipped bundle build \u2014 no scripts.${script} in package.json`,
-      detail: "The bundle check runs a production build, then sums file sizes under checks.bundle.measureGlobs (dist/, build/static/, .next/static/, etc.). Libraries and non-web repos often have no `build` script \u2014 set checks.bundle.runBuild to false and optionally tune measureGlobs, or set checks.bundle.buildCommand to whatever produces your artifacts (e.g. `pnpm run compile`, `npx vite build`)."
+      detail: "The bundle check runs a production build, then measures the output. Libraries and non-web repos often have no `build` script \u2014 set checks.bundle.runBuild to false, or set checks.bundle.buildCommand to whatever produces your artifacts."
     };
   }
   return { run: true };
@@ -4817,7 +5180,9 @@ async function runBundle(cwd, config, stack) {
       skipped: "skipped for React Native (configure web artifacts if needed)"
     };
   }
+  const strategy = resolveStrategy(cfg.bundleSizeStrategy, stack);
   const preFindings = [];
+  let buildStdout = "";
   if (cfg.runBuild) {
     const parts = tokenizeCommand(cfg.buildCommand);
     if (parts.length === 0) {
@@ -4858,9 +5223,56 @@ async function runBundle(cwd, config, stack) {
           durationMs: Math.round(performance.now() - t0)
         };
       }
+      buildStdout = (res.stdout ?? "") + "\n" + (res.stderr ?? "");
+    }
+  }
+  let sizeResult = null;
+  switch (strategy) {
+    case "next": {
+      sizeResult = parseNextBuildOutput(buildStdout);
+      if (!sizeResult) {
+        sizeResult = (await sumGlobBytes(cwd, [".next/static/**/*.js"])).bytes > 0 ? await sumGlobBytes(cwd, [".next/static/**/*.js"]) : null;
+      }
+      break;
+    }
+    case "cra": {
+      sizeResult = parseCraBuildOutput(buildStdout);
+      if (!sizeResult) {
+        const g4 = await sumGlobBytes(cwd, ["build/static/js/**/*.js"]);
+        if (g4.bytes > 0) sizeResult = g4;
+      }
+      break;
+    }
+    case "vite": {
+      sizeResult = await measureViteBundle(cwd, cfg.measureGlobs);
+      break;
+    }
+    case "custom": {
+      if (!cfg.bundleSizeCommand) {
+        return {
+          checkId: "bundle",
+          findings: [
+            {
+              id: "bundle-custom-missing",
+              severity: "warn",
+              message: "bundleSizeStrategy is `custom` but `bundleSizeCommand` is not set"
+            }
+          ],
+          durationMs: Math.round(performance.now() - t0)
+        };
+      }
+      sizeResult = await runCustomSizeCommand(cwd, cfg.bundleSizeCommand);
+      break;
+    }
+    case "glob":
+    default: {
+      const g4 = await sumGlobBytes(cwd, cfg.measureGlobs);
+      if (g4.bytes > 0) sizeResult = g4;
+      break;
     }
   }
-  const total = await sumGlobBytes(cwd, cfg.measureGlobs);
+  const total = sizeResult?.bytes ?? 0;
+  const sizeLabel = sizeResult?.label ?? `(no bundle output detected for strategy "${strategy}")`;
   if (total === 0) {
     return {
       checkId: "bundle",
@@ -4869,7 +5281,9 @@ async function runBundle(cwd, config, stack) {
         {
           id: "bundle-empty",
           severity: "info",
-          message: "No bundle artifacts matched `measureGlobs` \u2014 configure paths or run a web build"
+          message: `No bundle size detected (strategy: ${strategy})`,
+          detail: `${sizeLabel}
+Ensure the build produces artifacts, or switch to a different bundleSizeStrategy.`
         }
       ],
       durationMs: Math.round(performance.now() - t0)
@@ -4879,7 +5293,9 @@ async function runBundle(cwd, config, stack) {
   const baseline = await readBaseline(cwd, cfg.baselinePath, baseRef);
   const findings = [...preFindings];
   const infoLines = [
-    `Measured ${total} bytes (${(total / 1024 / 1024).toFixed(2)} MiB)`,
+    `Strategy: ${strategy}`,
+    sizeLabel,
+    `Measured ${total} bytes (${(total / 1024).toFixed(1)} kB)`,
     baseline ? `Baseline from \`${cfg.baselinePath}\`: ${baseline.totalBytes} bytes` : `No baseline at \`${cfg.baselinePath}\` (commit a baseline JSON to compare)`
   ].join("\n");
   if (cfg.maxTotalBytes != null && total > cfg.maxTotalBytes) {
@@ -4955,7 +5371,7 @@ async function runCoreWebVitals(cwd, config, stack, pr) {
   const findings = [];
   const sev2 = gateSeverity5(cfg.gate);
   for (const rel of toScan.slice(0, 400)) {
-    const full = path5.join(cwd, rel);
+    const full = path6.join(cwd, rel);
     let text;
     try {
       text = await fs.readFile(full, "utf8");
@@ -5040,7 +5456,7 @@ async function runCustomRules(cwd, config, restrictToFiles) {
       });
       break;
     }
-    const full = path5.join(cwd, rel);
+    const full = path6.join(cwd, rel);
     let content;
     try {
       content = await fs.readFile(full, "utf8");
@@ -5485,7 +5901,7 @@ async function runAiAssistedStrict(cwd, config, pr) {
   const byRel = /* @__PURE__ */ new Map();
   let anyDecoratorInPr = false;
   for (const rel of files) {
-    const full = path5.join(cwd, rel);
+    const full = path6.join(cwd, rel);
     try {
       const content = await fs.readFile(full, "utf8");
       if (content.length > 5e5) continue;
@@ -5573,204 +5989,6 @@ function applyAiAssistedEscalation(results, pr, config) {
     }
   }
 }
-var W3 = 920;
-var PAD_X = 24;
-var TABLE_X = 20;
-var TABLE_W = 880;
-var HEADER_H = 34;
-var ROW_H = 34;
-var COL_CHECK = 52;
-var ICON_X = 268;
-var COL_STATUS = 400;
-var COL_NUM = 700;
-var COL_TIME = 820;
-var OVER_LABEL_W = 132;
-var OVER_ROW_H = 36;
-var clipSeq = 0;
-function nextClipId() {
-  clipSeq += 1;
-  return `fgc${clipSeq}_${Math.random().toString(36).slice(2, 8)}`;
-}
-function escapeXml(s3) {
-  return s3.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
-}
-function truncate5(s3, max) {
-  const t3 = s3.replace(/\s+/g, " ").trim();
-  if (t3.length <= max) return t3;
-  return `${t3.slice(0, max - 1)}\u2026`;
-}
-function formatDuration(ms) {
-  if (ms < 1e3) return `${ms} ms`;
-  const s3 = Math.round(ms / 1e3);
-  if (s3 < 60) return `${s3}s`;
-  const m3 = Math.floor(s3 / 60);
-  const r4 = s3 % 60;
-  return r4 ? `${m3}m ${r4}s` : `${m3}m`;
-}
-function statusText(r4) {
-  if (r4.skipped) return `Skipped \u2014 ${truncate5(r4.skipped, 42)}`;
-  if (r4.findings.length === 0) return "Pass";
-  return `${r4.findings.length} issue(s)`;
-}
-function dotFill(r4) {
-  if (r4.skipped) return "#cbd5e1";
-  if (r4.findings.length === 0) return "#16a34a";
-  if (r4.findings.some((x3) => x3.severity === "block")) return "#dc2626";
-  return "#d97706";
-}
-function riskFill(risk) {
-  if (risk === "LOW") return "#16a34a";
-  if (risk === "MEDIUM") return "#d97706";
-  return "#dc2626";
-}
-function resvgFontOptions() {
-  const base = { loadSystemFonts: true };
-  if (process.platform === "linux") {
-    return {
-      ...base,
-      fontDirs: [
-        "/usr/share/fonts/truetype/dejavu",
-        "/usr/share/fonts/truetype/liberation",
-        "/usr/share/fonts/opentype/noto",
-        "/usr/share/fonts"
-      ]
-    };
-  }
-  return base;
-}
-function buildChecksSnapshotSvg(p2) {
-  const { riskScore, mode, stack, pr, results, lines } = p2;
-  const modeLabel = mode === "enforce" ? "Enforce" : "Warn only";
-  const stackLine = truncate5(formatStackOneLiner(stack), 96);
-  const prLine = pr && lines != null ? truncate5(
-    `${lines} lines changed (+${pr.additions} / \u2212${pr.deletions}) \xB7 ${pr.changedFiles} files`,
-    96
-  ) : null;
-  const nOverview = 3 + (prLine ? 1 : 0);
-  const overviewH = nOverview * OVER_ROW_H;
-  const overviewY0 = 44;
-  const overviewClip = nextClipId();
-  const checksTitleY = overviewY0 + overviewH + 22;
-  const tableTop = checksTitleY + 22;
-  const bodyRows = results.length;
-  const cardH = HEADER_H + bodyRows * ROW_H;
-  const totalH = tableTop + cardH + 36;
-  const headerMid = tableTop + HEADER_H / 2 + 5;
-  const rowTextY = (i3) => tableTop + HEADER_H + i3 * ROW_H + ROW_H / 2 + 5;
-  const headerCells = [
-    { x: COL_CHECK, label: "CHECK", anchor: "start" },
-    { x: COL_STATUS, label: "STATUS", anchor: "start" },
-    { x: COL_NUM, label: "#", anchor: "end" },
-    { x: COL_TIME, label: "TIME", anchor: "end" }
-  ];
-  const overviewRows = [];
-  const ov = [
-    { label: "Risk score", kind: "risk" },
-    { label: "Mode", kind: "text", text: modeLabel },
-    { label: "Stack", kind: "text", text: stackLine }
-  ];
-  if (prLine) ov.push({ label: "Pull request", kind: "text", text: prLine });
-  for (let i3 = 0; i3 < nOverview; i3++) {
-    const row = ov[i3];
-    const y4 = overviewY0 + i3 * OVER_ROW_H;
-    const mid = y4 + OVER_ROW_H / 2 + 4;
-    overviewRows.push(
-      `<rect x="${TABLE_X}" y="${y4}" width="${OVER_LABEL_W}" height="${OVER_ROW_H}" fill="#f1f5f9" stroke="none"/>`,
-      `<line x1="${TABLE_X}" y1="${y4 + OVER_ROW_H}" x2="${TABLE_X + TABLE_W}" y2="${y4 + OVER_ROW_H}" stroke="#e2e8f0" stroke-width="1"/>`,
-      `<text x="${TABLE_X + 10}" y="${mid}" font-size="12" fill="#64748b" font-weight="500" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">${escapeXml(row.label)}</text>`
-    );
-    if (row.kind === "risk") {
-      const rs = riskScore;
-      overviewRows.push(
-        `<text x="${TABLE_X + OVER_LABEL_W + 10}" y="${mid}" font-size="13" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif"><tspan fill="${riskFill(riskScore)}" font-weight="600">${escapeXml(rs)}</tspan><tspan fill="#64748b"> \u2014 heuristic</tspan></text>`
-      );
-    } else {
-      overviewRows.push(
-        `<text x="${TABLE_X + OVER_LABEL_W + 10}" y="${mid}" font-size="13" fill="#0f172a" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">${escapeXml(row.text)}</text>`
-      );
-    }
-  }
-  const rowLines = [];
-  for (let i3 = 0; i3 < bodyRows; i3++) {
-    const y4 = tableTop + HEADER_H + i3 * ROW_H;
-    const fill = i3 % 2 === 1 ? "#f8fafc" : "#ffffff";
-    rowLines.push(
-      `<rect x="${TABLE_X}" y="${y4}" width="${TABLE_W}" height="${ROW_H}" fill="${fill}" stroke="none"/>`
-    );
-  }
-  const bodyCells = [];
-  for (let i3 = 0; i3 < bodyRows; i3++) {
-    const r4 = results[i3];
-    const cy = rowTextY(i3);
-    bodyCells.push(
-      `<circle cx="34" cy="${cy - 4}" r="4.5" fill="${dotFill(r4)}"/>`,
-      `<text x="${COL_CHECK}" y="${cy}" font-size="13" font-weight="600" fill="#0f172a" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">${escapeXml(truncate5(r4.checkId, 22))}</text>`,
-      `<circle cx="${ICON_X}" cy="${cy - 3}" r="8" fill="#f1f5f9" stroke="#e2e8f0" stroke-width="1"/>`,
-      `<text x="${ICON_X}" y="${cy}" font-size="9" font-weight="700" fill="#64748b" text-anchor="middle" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">i</text>`,
-      `<text x="${COL_STATUS}" y="${cy}" font-size="13" fill="#0f172a" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">${escapeXml(statusText(r4))}</text>`,
-      `<text x="${COL_NUM}" y="${cy}" font-size="13" fill="#64748b" font-family="Liberation Mono, DejaVu Sans Mono, monospace" text-anchor="end">${escapeXml(r4.skipped ? "\u2014" : String(r4.findings.length))}</text>`,
-      `<text x="${COL_TIME}" y="${cy}" font-size="13" fill="#64748b" font-family="Liberation Mono, DejaVu Sans Mono, monospace" text-anchor="end">${escapeXml(formatDuration(r4.durationMs))}</text>`
-    );
-  }
-  const gridLines = [];
-  for (let i3 = 0; i3 <= bodyRows; i3++) {
-    const y4 = tableTop + HEADER_H + i3 * ROW_H;
-    gridLines.push(
-      `<line x1="${TABLE_X}" y1="${y4}" x2="${TABLE_X + TABLE_W}" y2="${y4}" stroke="#e2e8f0" stroke-width="1"/>`
-    );
-  }
-  const checksClip = nextClipId();
-  return `<?xml version="1.0" encoding="UTF-8"?>
-<svg xmlns="http://www.w3.org/2000/svg" width="${W3}" height="${totalH}" viewBox="0 0 ${W3} ${totalH}">
-  <rect width="${W3}" height="${totalH}" fill="#f8fafc"/>
-  <text x="${PAD_X}" y="18" font-size="11" font-weight="600" fill="#64748b" letter-spacing="0.12em" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">FRONTGUARD</text>
-  <text x="${PAD_X}" y="36" font-size="16" font-weight="600" fill="#0f172a" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">Overview</text>
-  <defs>
-    <clipPath id="${overviewClip}">
-      <rect x="${TABLE_X}" y="${overviewY0}" width="${TABLE_W}" height="${overviewH}" rx="10" ry="10"/>
-    </clipPath>
-    <clipPath id="${checksClip}">
-      <rect x="${TABLE_X}" y="${tableTop}" width="${TABLE_W}" height="${cardH}" rx="10" ry="10"/>
-    </clipPath>
-  </defs>
-  <rect x="${TABLE_X}" y="${overviewY0}" width="${TABLE_W}" height="${overviewH}" rx="10" ry="10" fill="#ffffff" stroke="#e2e8f0" stroke-width="1"/>
-  <g clip-path="url(#${overviewClip})">
-    ${overviewRows.join("\n    ")}
-  </g>
-  <text x="${PAD_X}" y="${checksTitleY}" font-size="16" font-weight="600" fill="#0f172a" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">Checks</text>
-  <rect x="${TABLE_X}" y="${tableTop}" width="${TABLE_W}" height="${cardH}" rx="10" ry="10" fill="#ffffff" stroke="#e2e8f0" stroke-width="1"/>
-  <g clip-path="url(#${checksClip})">
-    <rect x="${TABLE_X}" y="${tableTop}" width="${TABLE_W}" height="${HEADER_H}" fill="#f1f5f9"/>
-    ${headerCells.map(
-    (c4) => `<text x="${c4.x}" y="${headerMid}" font-size="11" font-weight="600" fill="#64748b" letter-spacing="0.04em" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif" text-anchor="${c4.anchor}">${c4.label}</text>`
-  ).join("\n    ")}
-    ${rowLines.join("\n    ")}
-    ${gridLines.join("\n    ")}
-    ${bodyCells.join("\n    ")}
-  </g>
-</svg>`;
-}
-async function renderChecksSnapshotPng(pngPath, input) {
-  const svg = buildChecksSnapshotSvg(input);
-  const resvg = new Resvg(svg, {
-    background: "#f8fafc",
-    fitTo: { mode: "width", value: W3 },
-    font: resvgFontOptions()
-  });
-  const img = resvg.render();
-  const png = img.asPng();
-  await writeFile(pngPath, png);
-  const written = await readFile(pngPath);
-  if (!isPngBuffer(written) || written.length < 200) {
-    throw new Error(
-      "FrontGuard: checks PNG is missing or invalid after render. Install fonts on the runner (e.g. apt install fonts-dejavu-core fonts-liberation) and ensure @resvg/resvg-js native binary loads."
-    );
-  }
-  const { width, height } = img;
-  if (width < 16 || height < 16) {
-    throw new Error(`FrontGuard: checks PNG has invalid dimensions ${width}x${height}.`);
-  }
-}
 
 // src/report/builder.ts
 var import_picocolors = __toESM(require_picocolors());
@@ -5788,9 +6006,9 @@ var CHECK_DESCRIPTIONS = {
   secrets: "Scans changed files for patterns that look like leaked secrets (tokens, keys). Heuristic \u2014 review each hit.",
   cycles: "Runs madge for circular dependencies on TypeScript/JavaScript entry points. Import cycles can cause brittle builds and load order bugs.",
   "dead-code": "Runs ts-prune to find unused exports in the TypeScript project. Helps trim dead surface area.",
-  bundle: "Measures total size of configured build artifacts (glob) and compares to a checked-in baseline. Flags large regressions in shipped JS/CSS.",
+  bundle: "Measures bundle size using a stack-aware strategy (Next.js build output, Vite/CRA file sizes, or custom command) and compares to a checked-in baseline.",
   "core-web-vitals": "Static hints in JSX/TSX related to Core Web Vitals (e.g. LCP-friendly images, main-thread hygiene). Not a substitute for real field metrics.",
-  "ai-assisted-strict": "When the PR is AI-assisted or code is marked with @frontguard-ai decorators, scans those regions for risky patterns (eval, XSS sinks, etc.) and a few AST heuristics (e.g. discarded hot loops).",
+  "ai-assisted-strict": "Under development \u2014 off by default. When enabled: scans @frontguard-ai regions or AI-disclosed PR files for risky patterns (eval, XSS sinks, etc.) and AST heuristics.",
   "pr-hygiene": "Validates PR metadata when CI provides PR context: description length, checklist items, and similar hygiene rules from config.",
   "pr-size": "Compares PR diff size (lines/files) against configured budgets to discourage oversized changes.",
   "ts-any-delta": "Diffs the branch against a base ref and counts newly added uses of the TypeScript any type. Helps stop gradual loss of type safety.",
@@ -5824,7 +6042,7 @@ function sortFindings(cwd, items) {
     return a3.f.message.localeCompare(b3.f.message);
   });
 }
-function formatDuration2(ms) {
+function formatDuration(ms) {
   if (ms < 1e3) return `${ms} ms`;
   const s3 = Math.round(ms / 1e3);
   if (s3 < 60) return `${s3}s`;
@@ -5953,119 +6171,15 @@ var CHECKS_TABLE_STYLES = `
     .dot-block { background: var(--block); }
     .dot-skip { background: #cbd5e1; }
 `;
-var SNAPSHOT_OVERVIEW_STYLES = `
-    .snapshot {
-      width: 100%;
-      border-collapse: collapse;
-      font-size: 0.9rem;
-      background: var(--surface);
-      border-radius: var(--radius);
-      overflow: hidden;
-      border: 1px solid var(--border);
-      box-shadow: var(--shadow);
-      margin: 0 0 1.25rem;
-    }
-    .snapshot th, .snapshot td {
-      padding: 0.65rem 1rem;
-      text-align: left;
-      border-bottom: 1px solid var(--border);
-    }
-    .snapshot tr:last-child th, .snapshot tr:last-child td { border-bottom: none; }
-    .snapshot th {
-      width: 9rem;
-      color: var(--muted);
-      font-weight: 500;
-      background: #f1f5f9;
-    }
-    .muted { color: var(--muted); }
-`;
 function renderCheckTableRows(results) {
   return results.map((r4) => {
     const status = r4.skipped ? `Skipped \u2014 ${escapeHtml(r4.skipped)}` : r4.findings.length === 0 ? "Pass" : `${r4.findings.length} issue(s)`;
     const help = escapeHtml(getCheckDescription(r4.checkId));
     const ariaWhat = escapeHtml(`What does the ${r4.checkId} check do?`);
     const checkTitle = `<span class="check-title-cell"><strong class="check-name">${escapeHtml(r4.checkId)}</strong><span class="check-info-wrap"><button type="button" class="check-info" title="${help}" aria-label="${ariaWhat}">i</button><span class="check-tooltip" role="tooltip">${help}</span></span></span>`;
-    return `<tr><td class="td-icon">${statusDot(r4)}</td><td class="td-check">${checkTitle}</td><td class="td-status">${status}</td><td class="td-num">${r4.skipped ? "\u2014" : r4.findings.length}</td><td class="td-time">${formatDuration2(r4.durationMs)}</td></tr>`;
+    return `<tr><td class="td-icon">${statusDot(r4)}</td><td class="td-check">${checkTitle}</td><td class="td-status">${status}</td><td class="td-num">${r4.skipped ? "\u2014" : r4.findings.length}</td><td class="td-time">${formatDuration(r4.durationMs)}</td></tr>`;
   }).join("\n");
 }
-function buildChecksSnapshotHtml(p2) {
-  const { riskScore, mode, stack, pr, results, lines } = p2;
-  const modeLabel = mode === "enforce" ? "Enforce" : "Warn only";
-  const riskClass = riskScore === "LOW" ? "risk-low" : riskScore === "MEDIUM" ? "risk-med" : "risk-high";
-  const checkRows = renderCheckTableRows(results);
-  const prRow = pr && lines != null ? `<tr><th>Pull request</th><td>${lines} lines changed (+${pr.additions} / \u2212${pr.deletions}) \xB7 ${pr.changedFiles} files</td></tr>` : "";
-  return `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>FrontGuard \u2014 Snapshot</title>
-  <style>
-    :root {
-      --bg: #f8fafc;
-      --surface: #ffffff;
-      --text: #0f172a;
-      --muted: #64748b;
-      --border: #e2e8f0;
-      --accent: #4f46e5;
-      --accent-soft: #eef2ff;
-      --block: #dc2626;
-      --warn: #d97706;
-      --info: #0284c7;
-      --ok: #16a34a;
-      --radius: 10px;
-      --shadow: 0 1px 3px rgba(15, 23, 42, 0.06);
-    }
-    * { box-sizing: border-box; }
-    body {
-      margin: 0;
-      padding: 1.25rem 1.5rem 1.5rem;
-      font-family: ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, sans-serif;
-      background: var(--bg);
-      color: var(--text);
-      line-height: 1.55;
-      font-size: 15px;
-      max-width: 920px;
-    }
-    .brand {
-      font-size: 0.75rem;
-      font-weight: 600;
-      letter-spacing: 0.12em;
-      text-transform: uppercase;
-      color: var(--muted);
-      margin-bottom: 0.35rem;
-    }
-    .h2 {
-      font-size: 1rem;
-      font-weight: 600;
-      margin: 0 0 0.85rem;
-      color: var(--text);
-      letter-spacing: -0.02em;
-    }
-    .risk-low { color: var(--ok); }
-    .risk-med { color: var(--warn); }
-    .risk-high { color: var(--block); }
-    ${SNAPSHOT_OVERVIEW_STYLES}
-    ${CHECKS_TABLE_STYLES}
-  </style>
-</head>
-<body>
-  <div class="brand">FrontGuard</div>
-  <h2 class="h2">Overview</h2>
-  <table class="snapshot">
-    <tr><th>Risk score</th><td><strong class="${riskClass}">${riskScore}</strong> <span class="muted">\u2014 heuristic</span></td></tr>
-    <tr><th>Mode</th><td>${escapeHtml(modeLabel)}</td></tr>
-    <tr><th>Stack</th><td>${escapeHtml(formatStackOneLiner(stack))}</td></tr>
-    ${prRow}
-  </table>
-  <h2 class="h2">Checks</h2>
-  <table class="results">
-    <thead><tr><th></th><th>Check</th><th>Status</th><th>#</th><th>Time</th></tr></thead>
-    <tbody>${checkRows}</tbody>
-  </table>
-</body>
-</html>`;
-}
 function renderFindingCard(cwd, r4, f4) {
   const d3 = normalizeFinding(cwd, f4);
   const sevClass = f4.severity === "block" ? "sev-block" : f4.severity === "warn" ? "sev-warn" : "sev-info";
@@ -6369,6 +6483,7 @@ function buildHtmlReport(p2) {
 function buildReport(stack, pr, results, options) {
   const mode = options?.mode ?? "warn";
   const cwd = options?.cwd ?? process.cwd();
+  const showAiAssistedBanner = options?.showAiAssistedBanner ?? false;
   const allFindings = results.flatMap(
     (r4) => r4.findings.map((f4) => ({ ...f4, checkId: r4.checkId }))
   );
@@ -6388,7 +6503,8 @@ function buildReport(stack, pr, results, options) {
     infos,
     blocks,
     lines,
-    llmAppendix: options?.llmAppendix ?? null
+    llmAppendix: options?.llmAppendix ?? null,
+    showAiAssistedBanner
   });
   const consoleText = formatConsole({
     riskScore,
@@ -6413,21 +6529,6 @@ function buildReport(stack, pr, results, options) {
     lines,
     llmAppendix: options?.llmAppendix ?? null
   }) : null;
-  const llmAppendix = options?.llmAppendix ?? null;
-  const checksSnapshotInput = options?.emitChecksSnapshot === true ? {
-    cwd,
-    riskScore,
-    mode,
-    stack,
-    pr,
-    results,
-    warns,
-    infos,
-    blocks,
-    lines,
-    llmAppendix
-  } : null;
-  const checksSnapshotHtml = checksSnapshotInput != null ? buildChecksSnapshotHtml(checksSnapshotInput) : null;
   return {
     riskScore,
     stack,
@@ -6435,9 +6536,7 @@ function buildReport(stack, pr, results, options) {
     results,
     markdown,
     consoleText,
-    html,
-    checksSnapshotHtml,
-    checksSnapshotInput
+    html
   };
 }
 function scoreRisk(blocks, warns, lines, files) {
@@ -6486,7 +6585,7 @@ function countShieldColor(kind, n3) {
   if (n3 <= 10) return "yellow";
   return "orange";
 }
-function formatDuration3(ms) {
+function formatDuration2(ms) {
   if (ms < 1e3) return `${ms} ms`;
   const s3 = Math.round(ms / 1e3);
   if (s3 < 60) return `${s3}s`;
@@ -6561,7 +6660,8 @@ function formatMarkdown(p2) {
     infos,
     blocks,
     lines,
-    llmAppendix
+    llmAppendix,
+    showAiAssistedBanner
   } = p2;
   const sb = [];
   const sortWithCwd = (items) => [...items].sort((a3, b3) => {
@@ -6602,7 +6702,7 @@ function formatMarkdown(p2) {
     );
   }
   sb.push("");
-  if (pr?.aiAssisted) {
+  if (showAiAssistedBanner && pr?.aiAssisted) {
     sb.push(
       "> **\u{1F916} AI-assisted PR** \u2014 Stricter static checks run on changed files (security / footguns; secrets & `any` deltas may escalate). This does not replace human review for behavior or product rules."
     );
@@ -6641,7 +6741,7 @@ function formatMarkdown(p2) {
     }
     const nFind = r4.skipped ? "\u2014" : String(r4.findings.length);
     sb.push(
-      `| ${he2} | **${r4.checkId}** | ${status} | **${nFind}** | ${formatDuration3(r4.durationMs)} |`
+      `| ${he2} | **${r4.checkId}** | ${status} | **${nFind}** | ${formatDuration2(r4.durationMs)} |`
     );
   }
   sb.push("");
@@ -6830,10 +6930,10 @@ async function callOllamaChat(opts) {
 
 // src/llm/finding-fixes.ts
 async function safeReadRepoFile(cwd, rel, maxChars) {
-  const root = path5.resolve(cwd);
-  const abs = path5.resolve(root, rel);
-  const relToRoot = path5.relative(root, abs);
-  if (relToRoot.startsWith("..") || path5.isAbsolute(relToRoot)) return null;
+  const root = path6.resolve(cwd);
+  const abs = path6.resolve(root, rel);
+  const relToRoot = path6.relative(root, abs);
+  if (relToRoot.startsWith("..") || path6.isAbsolute(relToRoot)) return null;
   try {
     let t3 = await fs.readFile(abs, "utf8");
     if (t3.length > maxChars) {
@@ -6855,14 +6955,14 @@ function parseFixResponse(raw) {
   return { summary: summary || raw.trim(), code };
 }
 async function enrichFindingsWithOllamaFixes(opts) {
-  const { cwd, config, stack, results } = opts;
+  const { cwd, config, stack, results, cursorRules } = opts;
   const cfg = config.checks.llm;
   if (!cfg.enabled || cfg.provider !== "ollama" || !cfg.perFindingFixes) {
     return results;
   }
   let pkgSnippet = "";
   try {
-    const pj = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
+    const pj = await fs.readFile(path6.join(cwd, "package.json"), "utf8");
     pkgSnippet = pj.slice(0, 4e3);
   } catch {
     pkgSnippet = "";
@@ -6885,7 +6985,7 @@ async function enrichFindingsWithOllamaFixes(opts) {
         f4.file,
         cfg.maxFileContextChars
       );
-      const prompt2 = [
+      const promptParts = [
         "You are a senior frontend engineer. A static checker flagged an issue in a pull request.",
         "Use ONLY the repo context below (stack summary, package.json excerpt, file content).",
         "If context is insufficient, say what is missing instead of guessing.",
@@ -6894,7 +6994,16 @@ async function enrichFindingsWithOllamaFixes(opts) {
         "### Why",
         "(1\u20133 short sentences: root cause and product/engineering risk.)",
         "### Fix",
-        "(Minimal, concrete change. Put code in a single fenced block with a language tag, e.g. ```ts)",
+        "(Minimal, concrete change. Put code in a single fenced block with a language tag, e.g. ```ts)"
+      ];
+      if (cursorRules?.text) {
+        promptParts.push(
+          "",
+          "The repo has coding rules/conventions. Ensure the fix follows them:",
+          cursorRules.text.slice(0, 8e3)
+        );
+      }
+      promptParts.push(
         "",
         `Repo stack: ${stackLabel}`,
         "",
@@ -6912,7 +7021,8 @@ async function enrichFindingsWithOllamaFixes(opts) {
         f4.file ? `file (repo-relative): ${f4.file}` : "",
         "",
         fileContent ? "File content:\n```\n" + fileContent + "\n```" : "_No file content could be read (binary or path issue)._"
-      ].filter(Boolean).join("\n");
+      );
+      const prompt2 = promptParts.filter(Boolean).join("\n");
       try {
         const raw = await callOllamaChat({
           baseUrl: cfg.ollamaUrl,
@@ -6946,7 +7056,7 @@ async function loadManualAppendix(opts) {
   const envFile = process.env.FRONTGUARD_MANUAL_APPENDIX_FILE?.trim();
   const resolvedPath = filePath?.trim() || envFile;
   if (resolvedPath) {
-    const abs = path5.isAbsolute(resolvedPath) ? resolvedPath : path5.join(cwd, resolvedPath);
+    const abs = path6.isAbsolute(resolvedPath) ? resolvedPath : path6.join(cwd, resolvedPath);
     try {
       let text = await fs.readFile(abs, "utf8");
       if (text.length > MAX_CHARS) {
@@ -6982,7 +7092,7 @@ function safeGetEnv(name) {
   return v3 && v3.trim() ? v3 : void 0;
 }
 async function runLlmReview(opts) {
-  const { cwd, config, pr, results } = opts;
+  const { cwd, config, pr, results, cursorRules } = opts;
   const cfg = config.checks.llm;
   if (!cfg.enabled) return null;
   if (cfg.provider !== "ollama") {
@@ -7012,21 +7122,42 @@ async function runLlmReview(opts) {
     return "_LLM review skipped: empty diff vs base_";
   }
   const summaryLines = results.flatMap((r4) => r4.findings.map((f4) => `- [${f4.severity}] ${r4.checkId}: ${f4.message}`)).slice(0, 40).join("\n");
-  const prompt2 = [
-    "You are a senior frontend reviewer. Respond in Markdown with short sections:",
+  const rulesBlock = cursorRules?.text ? [
+    "",
+    "The repository has the following coding rules and conventions that MUST be enforced during review.",
+    "Flag any violations of these rules as specific findings:",
+    "",
+    cursorRules.text,
+    ""
+  ].join("\n") : "";
+  const sections = [
     "### Summary",
     "### Risk hotspots (files / themes)",
-    "### Logic / correctness smells",
-    "### Tests & regressions",
+    "### Logic / correctness smells"
+  ];
+  if (cursorRules?.text) sections.push("### Coding standards violations");
+  sections.push("### Tests & regressions");
+  const promptParts = [
+    "You are a senior frontend reviewer. Respond in Markdown with short sections:",
+    ...sections,
     "",
     "Constraints:",
     "- Be specific to this diff; avoid generic advice.",
-    "- If uncertain, say what you need to verify manually.",
+    "- If uncertain, say what you need to verify manually."
+  ];
+  if (cursorRules?.text) {
+    promptParts.push(
+      `- The repo has ${cursorRules.fileCount} coding rule file(s). Check the diff against ALL rules below and report violations.`
+    );
+  }
+  promptParts.push(
     "",
     pr ? `PR title: ${pr.title}
 PR body excerpt:
-${pr.body.slice(0, 2e3)}` : "No PR context from the event payload (local run).",
-    "",
+${pr.body.slice(0, 2e3)}` : "No PR context from the event payload (local run)."
+  );
+  if (rulesBlock) promptParts.push(rulesBlock);
+  promptParts.push(
     "Existing automated findings (may be incomplete):",
     summaryLines || "(none)",
     "",
@@ -7034,7 +7165,8 @@ ${pr.body.slice(0, 2e3)}` : "No PR context from the event payload (local run).",
     "```diff",
     diff,
     "```"
-  ].join("\n");
+  );
+  const prompt2 = promptParts.join("\n");
   if (cfg.provider === "ollama") {
     try {
       const text = await callOllamaChat({
@@ -7133,7 +7265,17 @@ async function callAnthropic(model, apiKey, prompt2, signal) {
 async function runFrontGuard(opts) {
   const config = await loadConfig(opts.cwd);
   const mode = opts.enforce ? "enforce" : config.mode;
-  const stack = await detectStack(opts.cwd);
+  const llmOn = config.checks.llm.enabled;
+  const [stack, cursorRules] = await Promise.all([
+    detectStack(opts.cwd),
+    llmOn ? loadCursorRules(opts.cwd) : Promise.resolve({ text: "", fileCount: 0, files: [] })
+  ]);
+  if (llmOn && cursorRules.fileCount > 0) {
+    g.stderr.write(
+      `FrontGuard: loaded ${cursorRules.fileCount} cursor rule file(s): ${cursorRules.files.join(", ")}
+`
+    );
+  }
   const pr = readPrContext(opts.cwd);
   const restrictFiles = pr?.files?.length ? pr.files : null;
   const [
@@ -7182,7 +7324,8 @@ async function runFrontGuard(opts) {
     cwd: opts.cwd,
     config,
     stack,
-    results
+    results,
+    cursorRules
   });
   const manualAppendix = await loadManualAppendix({
     cwd: opts.cwd,
@@ -7192,7 +7335,8 @@ async function runFrontGuard(opts) {
     cwd: opts.cwd,
     config,
     pr,
-    results
+    results,
+    cursorRules
   });
   const llmAppendix = [manualAppendix, automatedAppendix].filter(Boolean).join("\n\n") || null;
   const report = buildReport(stack, pr, results, {
@@ -7200,49 +7344,20 @@ async function runFrontGuard(opts) {
     llmAppendix,
     cwd: opts.cwd,
     emitHtml: Boolean(opts.htmlOut),
-    emitChecksSnapshot: Boolean(opts.checksSnapshotOut || opts.checksPngOut)
+    showAiAssistedBanner: config.checks.aiAssistedReview.enabled
   });
   if (opts.htmlOut && report.html) {
     await fs.writeFile(opts.htmlOut, report.html, "utf8");
   }
-  let embedPngPath = null;
-  if ((opts.checksSnapshotOut || opts.checksPngOut) && report.checksSnapshotHtml && report.checksSnapshotInput) {
-    if (opts.checksSnapshotOut) {
-      const snapPath = path5.isAbsolute(opts.checksSnapshotOut) ? opts.checksSnapshotOut : path5.join(opts.cwd, opts.checksSnapshotOut);
-      await fs.writeFile(snapPath, report.checksSnapshotHtml, "utf8");
-      g.stderr.write(`
-FrontGuard: wrote checks snapshot HTML to ${snapPath}
-`);
-    }
-    if (opts.checksPngOut) {
-      const pngAbs = path5.isAbsolute(opts.checksPngOut) ? opts.checksPngOut : path5.join(opts.cwd, opts.checksPngOut);
-      await renderChecksSnapshotPng(pngAbs, report.checksSnapshotInput);
-      embedPngPath = pngAbs;
-      g.stderr.write(`FrontGuard: wrote checks PNG to ${pngAbs}.
-
-`);
-    } else if (opts.checksSnapshotOut) {
-      g.stderr.write(
-        `  Tip: add --checksPngOut checks.png to render the checks table to a PNG (no browser).
-
-`
-      );
-    }
-  }
   if (opts.prCommentOut) {
-    if (embedPngPath) {
-      g.env.FRONTGUARD_EMBED_CHECKS_PNG_PATH = embedPngPath;
-    }
     const snippet = formatBitbucketPrSnippet(report);
-    delete g.env.FRONTGUARD_EMBED_CHECKS_PNG_PATH;
-    const abs = path5.isAbsolute(opts.prCommentOut) ? opts.prCommentOut : path5.join(opts.cwd, opts.prCommentOut);
+    const abs = path6.isAbsolute(opts.prCommentOut) ? opts.prCommentOut : path6.join(opts.cwd, opts.prCommentOut);
     await fs.writeFile(abs, snippet, "utf8");
     g.stderr.write(
       `
-FrontGuard: wrote Bitbucket PR comment text to ${abs} (${snippet.length} bytes).
-  Use ONLY this file in your POST \u2026/pullrequests/{id}/comments payload (content.raw).
+FrontGuard: wrote Bitbucket PR comment Markdown to ${abs} (${snippet.length} bytes).
+  POST \u2026/pullrequests/{id}/comments with content.raw from this file (after replacing __FRONTGUARD_REPORT_URL__ if used).
   Do not post frontguard-report.md or captured stdout \u2014 that is the long markdown log.
-  With --checksPngOut, the PNG is inlined (small files only) or set FRONTGUARD_CHECKS_IMAGE_URL.
 
 `
     );
@@ -7261,25 +7376,29 @@ FrontGuard: wrote Bitbucket PR comment text to ${abs} (${snippet.length} bytes).
 var init2 = defineCommand({
   meta: {
     name: "init",
-    description: "Add Bitbucket pipeline example, pull_request_template.md, and frontguard.config.js"
+    description: "Set up FrontGuard: create config, PR template, and merge pipeline step into bitbucket-pipelines.yml"
   },
   run: async () => {
-    const cwd = g.cwd();
-    await initFrontGuard(cwd);
+    const actions = await initFrontGuard(g.cwd());
+    g.stdout.write("\nFrontGuard init complete:\n");
+    for (const a3 of actions) {
+      g.stdout.write(`  \u2022 ${a3}
+`);
+    }
     g.stdout.write(
-      "FrontGuard initialized for Bitbucket.\n\n  \u2022 bitbucket-pipelines.frontguard.example.yml \u2014 merge into your pipeline\n  \u2022 pull_request_template.md \u2014 PR description template (Bitbucket Cloud)\n  \u2022 frontguard.config.js (if missing)\n\nAdd the package as a devDependency so CI matches local runs:\n  npm install -D @cleartrip/frontguard\n  yarn add -D @cleartrip/frontguard\n"
+      "\nNext steps:\n  1. Review frontguard.config.js \u2014 uncomment and tune the checks you need\n  2. Review bitbucket-pipelines.yml \u2014 check the merged FrontGuard step\n  3. Set BITBUCKET_ACCESS_TOKEN as a secured variable in your repo\n  4. Install the package: yarn add -D @cleartrip/frontguard\n\n"
     );
   }
 });
 var run = defineCommand({
   meta: {
     name: "run",
-    description: "Run checks and print the review brief"
+    description: "Run all checks and print the review brief"
   },
   args: {
     markdown: {
       type: "boolean",
-      description: "Print markdown only",
+      description: "Print markdown only (no console box)",
       default: false
     },
     enforce: {
@@ -7289,23 +7408,15 @@ var run = defineCommand({
     },
     append: {
       type: "string",
-      description: "Append markdown from a file (paste from IDE/ChatGPT/Claude; no CI API key needed)"
+      description: "Append markdown from a file (e.g. IDE/ChatGPT paste)"
     },
     htmlOut: {
       type: "string",
-      description: "Write interactive HTML report (use with CI artifacts; PR comment links to download)"
-    },
-    checksSnapshotOut: {
-      type: "string",
-      description: "Write HTML with only the Checks table (for screenshots / PR comments)"
-    },
-    checksPngOut: {
-      type: "string",
-      description: "Write PNG of the checks table (SVG raster; @resvg/resvg-js, no browser). Pair with --checksSnapshotOut or use alone"
+      description: "Write interactive HTML report to this path"
     },
     prCommentOut: {
       type: "string",
-      description: "Write short Markdown for Bitbucket PR comment (summary + pipeline link for HTML artifact)"
+      description: "Write Bitbucket PR comment Markdown to this path"
     }
   },
   run: async ({ args }) => {
@@ -7315,8 +7426,6 @@ var run = defineCommand({
       enforce: Boolean(args.enforce),
       append: typeof args.append === "string" ? args.append : null,
       htmlOut: typeof args.htmlOut === "string" ? args.htmlOut : null,
-      checksSnapshotOut: typeof args.checksSnapshotOut === "string" ? args.checksSnapshotOut : null,
-      checksPngOut: typeof args.checksPngOut === "string" ? args.checksPngOut : null,
       prCommentOut: typeof args.prCommentOut === "string" ? args.prCommentOut : null
     });
   }