npm - @cleartrip/frontguard - Versions diffs - 0.2.9 → 0.3.1 - Mend

@cleartrip/frontguard 0.2.9 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +268 -0
package/dist/cli.js +749 -639
package/dist/cli.js.map +1 -1
package/dist/index.d.ts +28 -8
package/dist/index.js +3 -1
package/dist/index.js.map +1 -1
package/package.json +3 -6
package/templates/bitbucket-pipelines.yml +16 -44
package/templates/checks-snapshot-bitbucket-snippet.yml +0 -1
package/templates/freekit-ci-setup.md +0 -33

package/dist/cli.js CHANGED Viewed

@@ -4,17 +4,16 @@ import g, { stdin, stdout, cwd } from 'process';
 import f from 'readline';
 import * as tty from 'tty';
 import { WriteStream } from 'tty';
-import path5, { sep, normalize, delimiter, resolve, dirname } from 'path';
-import fs, { writeFile, readFile } from 'fs/promises';
-import { fileURLToPath, pathToFileURL } from 'url';
-import fs2, { existsSync, statSync, readFileSync } from 'fs';
+import path6, { sep, normalize, delimiter, resolve, dirname } from 'path';
+import fs from 'fs/promises';
 import { execFileSync, spawn } from 'child_process';
 import { createRequire } from 'module';
+import fs2 from 'fs';
+import { pathToFileURL } from 'url';
+import fg from 'fast-glob';
 import { pipeline } from 'stream/promises';
 import { PassThrough } from 'stream';
-import fg from 'fast-glob';
 import * as ts from 'typescript';
-import { Resvg } from '@resvg/resvg-js';
 var __create = Object.create;
 var __defProp = Object.defineProperty;
@@ -2400,50 +2399,177 @@ async function runMain(cmd, opts = {}) {
     process.exit(1);
   }
 }
-function packageRoot() {
-  return path5.resolve(path5.dirname(fileURLToPath(import.meta.url)), "..");
-}
-var CONFIG = `import { defineConfig } from '@cleartrip/frontguard'
+var CONFIG_TEMPLATE = `import { defineConfig } from '@cleartrip/frontguard'
 export default defineConfig({
-  mode: 'warn', // or FrontGuard run with \`--enforce\`
+  // \u2500\u2500\u2500 Mode \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // 'warn'    \u2014 findings are advisory; CI always passes (default).
+  // 'enforce' \u2014 CI exits non-zero when any finding has severity 'block'.
+  //             Same as running \`frontguard run --enforce\`.
+  mode: 'warn',
+  // \u2500\u2500\u2500 Shared org config \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // Inherit from an installed npm package; fields are deep-merged.
   // extends: '@your-org/frontguard-config/base',
-  // Example custom rules (return true when violated):
+  // \u2500\u2500\u2500 Custom rules \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  // Inline pattern checks \u2014 \`check(file)\` returns true when violated.
   // rules: {
   //   'no-inline-style': {
   //     severity: 'warn',
-  //     message: 'Avoid inline style objects',
-  //     check: (file) => file.content.includes('style={{'),
+  //     message: 'Avoid inline style objects in JSX',
+  //     check: (file) => /\\.tsx$/.test(file.path) && file.content.includes('style={{'),
   //   },
-  // },
-  // checks: {
-  //   bundle: { baselineRef: 'main', maxDeltaBytes: 50_000 },
-  //   coreWebVitals: { scanGlobs: ['src/**/*.{tsx,jsx}'] },
-  //   prSize: {
-  //     tiers: [
-  //       { minLines: 1000, severity: 'warn', message: 'Very large PR (\${lines} lines; \u2265 \${min})' },
-  //       { minLines: 500, severity: 'info', message: 'Consider splitting (\${lines} lines)' },
-  //     ],
+  //   'no-console-log': {
+  //     severity: 'info',
+  //     message: 'Remove console.log before merging',
+  //     check: (file) => /\\.(ts|tsx|js|jsx)$/.test(file.path) && /console\\.log\\(/.test(file.content),
   //   },
-  //   // AI strict: only // @frontguard-ai:start \u2026 :end (or // written by AI: start \u2026 :end) in PR files
-  //   // aiAssistedReview: { strictScanMode: 'decorator' },
-  //   cycles: { enabled: true },
-  //   deadCode: { enabled: true, gate: 'info' },
-  //   // LLM: cloud keys in CI, or local Ollama (no API key) on dev/self-hosted runners:
-  //   //   ollama serve && ollama pull llama3.2
-  //   // Paste workflow (no key): frontguard run --append ./.frontguard/review-notes.md
-  //   llm: {
-  //     enabled: true,
-  //     provider: 'ollama',
-  //     model: 'llama3.2',
-  //     ollamaUrl: 'http://127.0.0.1:11434',
-  //     perFindingFixes: true,
-  //     maxFixSuggestions: 8,
-  //   },
-  //   // llm: { enabled: true, provider: 'openai', apiKeyEnv: 'OPENAI_API_KEY' },
   // },
+  checks: {
+    // \u2500\u2500\u2500 ESLint \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Runs ESLint using your project config on PR-scoped files.
+    // eslint: {
+    //   enabled: true,
+    //   glob: '**/*.{js,cjs,mjs,jsx,ts,tsx}',   // files to lint
+    // },
+    // \u2500\u2500\u2500 Prettier \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Checks that files match Prettier formatting.
+    // prettier: {
+    //   enabled: true,
+    //   glob: '**/*.{js,cjs,mjs,jsx,ts,tsx,json,md,css,scss,yml,yaml}',
+    // },
+    // \u2500\u2500\u2500 TypeScript \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Runs \`tsc --noEmit\` to surface type errors before merge.
+    // typescript: {
+    //   enabled: true,
+    //   tscArgs: ['--noEmit'],                   // extra tsc flags
+    // },
+    // \u2500\u2500\u2500 Secrets \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Scans changed files for patterns that look like leaked secrets.
+    // secrets: { enabled: true },
+    // \u2500\u2500\u2500 PR Hygiene \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Validates PR metadata: description length, sections, AI disclosure.
+    // prHygiene: {
+    //   enabled: true,
+    //   minBodyLength: 80,
+    //   requireSections: false,
+    //   sectionHints: ['what', 'why', 'test', 'screenshot'],
+    //   requireAiDisclosureSection: true,
+    //   gateWhenAiDisclosureAmbiguous: 'warn',   // 'info' | 'warn' | 'block'
+    // },
+    // \u2500\u2500\u2500 PR Size \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Flags oversized PRs based on total changed lines.
+    // prSize: {
+    //   enabled: true,
+    //   warnLines: 400,
+    //   softBlockLines: 800,
+    //   // Custom tiers (overrides warnLines/softBlockLines when set):
+    //   // tiers: [
+    //   //   { minLines: 1000, severity: 'block', message: 'PR too large (\${lines} lines)' },
+    //   //   { minLines: 500,  severity: 'warn',  message: 'Consider splitting (\${lines} lines)' },
+    //   // ],
+    // },
+    // \u2500\u2500\u2500 TS any delta \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Counts new \`any\` usage introduced in the diff vs merge-base.
+    // tsAnyDelta: {
+    //   enabled: true,
+    //   gate: 'warn',                            // 'info' | 'warn' | 'block'
+    //   baseRef: 'main',                         // fallback when BITBUCKET_PR_DESTINATION_BRANCH unset
+    //   maxAdded: 0,                             // 0 = report only; >0 = trigger gate when exceeded
+    // },
+    // \u2500\u2500\u2500 Circular dependencies \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Runs \`madge\` to find import cycles in your source.
+    // cycles: {
+    //   enabled: true,
+    //   gate: 'warn',
+    //   entries: ['src'],                        // entry directories for madge
+    //   extraArgs: [],
+    // },
+    // \u2500\u2500\u2500 Dead code \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Runs \`ts-prune\` to find unused exports in the TypeScript project.
+    // deadCode: {
+    //   enabled: true,
+    //   gate: 'info',
+    //   extraArgs: [],
+    //   maxReportLines: 80,
+    // },
+    // \u2500\u2500\u2500 Bundle size \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Measures bundle after build and compares to a baseline.
+    //
+    // bundleSizeStrategy options:
+    //   'auto'   \u2014 auto-detect from package.json (Next\u2192next, Vite\u2192vite, CRA\u2192cra, else glob)
+    //   'next'   \u2014 parse "First Load JS shared by all" from \`next build\` stdout
+    //   'vite'   \u2014 sum dist/assets/*.js after \`vite build\`
+    //   'cra'    \u2014 parse gzipped JS total from \`react-scripts build\` stdout
+    //   'glob'   \u2014 sum raw bytes under measureGlobs (generic fallback)
+    //   'custom' \u2014 run bundleSizeCommand, read a single number (bytes) from stdout
+    //
+    // bundle: {
+    //   enabled: true,
+    //   gate: 'warn',
+    //   runBuild: true,                          // false = skip build, measure existing files
+    //   buildCommand: 'npm run build',           // your production build command
+    //   bundleSizeStrategy: 'auto',
+    //   bundleSizeCommand: null,                 // only for strategy 'custom', e.g. 'node scripts/bundle-size.js'
+    //   measureGlobs: ['dist/**/*', 'build/static/**/*', '.next/static/**/*'],
+    //   baselinePath: '.frontguard/bundle-baseline.json',
+    //   baselineRef: 'main',
+    //   maxDeltaBytes: 50_000,                   // max allowed growth vs baseline; null = no limit
+    //   maxTotalBytes: null,                     // absolute cap; null = no limit
+    // },
+    // \u2500\u2500\u2500 Core Web Vitals \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Static hints for LCP-friendly images, main-thread hygiene, etc.
+    // coreWebVitals: {
+    //   enabled: true,
+    //   gate: 'warn',
+    //   scanGlobs: ['app/**/*.{tsx,jsx}', 'pages/**/*.{tsx,jsx}', 'src/**/*.{tsx,jsx}'],
+    //   maxFileBytes: 400_000,
+    // },
+    // \u2500\u2500\u2500 AI-assisted review (UNDER DEVELOPMENT \u2014 off by default) \u2500
+    // Static heuristics on @frontguard-ai regions or AI-disclosed PRs. Not used in CI until you enable.
+    // aiAssistedReview: {
+    //   enabled: true,
+    //   gate: 'warn',
+    //   // 'decorator'     \u2014 only scan @frontguard-ai:start \u2026 :end regions
+    //   // 'pr-disclosure' \u2014 only when PR body discloses AI use
+    //   // 'both'          \u2014 scan decorators when present; otherwise PR disclosure triggers full scan
+    //   strictScanMode: 'both',
+    //   escalate: {
+    //     secretFindingsToBlock: true,            // promote secret findings to 'block' in AI PRs
+    //     tsAnyDeltaToBlock: true,                // promote any-delta findings to 'block' in AI PRs
+    //   },
+    // },
+    // \u2500\u2500\u2500 LLM review (UNDER DEVELOPMENT \u2014 off by default) \u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // When enabled: loads .cursor/rules, AGENTS.md for prompt context. Cloud keys or Ollama.
+    //   ollama: ollama serve && ollama pull llama3.2
+    //   paste:  frontguard run --append ./.frontguard/review-notes.md
+    // llm: {
+    //   enabled: true,
+    //   provider: 'ollama',                      // 'openai' | 'anthropic' | 'ollama'
+    //   model: 'llama3.2',
+    //   ollamaUrl: 'http://127.0.0.1:11434',
+    //   apiKeyEnv: 'OPENAI_API_KEY',             // env var name for OpenAI/Anthropic
+    //   maxDiffChars: 48_000,
+    //   timeoutMs: 60_000,
+    //   perFindingFixes: false,                  // ask model for per-finding fix hints (slow)
+    //   maxFixSuggestions: 12,
+    //   maxFileContextChars: 24_000,
+    // },
+  },
 })
 `;
 var PR_TEMPLATE = `## Summary
@@ -2466,183 +2592,285 @@ If **Yes**, list tools and what they touched (helps reviewers run a stricter fir
 ## AI assistance (optional detail)
 - [ ] I have reviewed every AI-suggested line for security, auth, and product correctness
 `;
-async function initFrontGuard(cwd) {
-  const root = packageRoot();
-  const tplPath = path5.join(root, "templates", "bitbucket-pipelines.yml");
-  const outPipeline = path5.join(cwd, "bitbucket-pipelines.frontguard.example.yml");
-  try {
-    await fs.access(outPipeline);
-  } catch {
-    try {
-      const yml = await fs.readFile(tplPath, "utf8");
-      await fs.writeFile(outPipeline, yml, "utf8");
-    } catch {
-      await fs.writeFile(
-        outPipeline,
-        "# Copy bitbucket-pipelines.yml from @cleartrip/frontguard/templates in node_modules\n",
-        "utf8"
-      );
-    }
+var FRONTGUARD_STEP_YAML = `      - step:
+          name: FrontGuard \u2014 report + PR comment
+          caches:
+            - node
+          artifacts:
+            - frontguard-report.html
+            - frontguard-report.md
+            - frontguard-pr-comment.partial.md
+          script:
+            - corepack enable
+            - yarn install --immutable || yarn install
+            - |
+              yarn frontguard run --markdown \\
+                --htmlOut frontguard-report.html \\
+                --prCommentOut frontguard-pr-comment.partial.md \\
+                > frontguard-report.md
+            - test -n "\${BITBUCKET_ACCESS_TOKEN:-}" || { echo "Missing secured var BITBUCKET_ACCESS_TOKEN"; exit 1; }
+            - |
+              python3 << 'PY'
+              import json
+              import os
+              from urllib.error import HTTPError
+              from urllib.request import Request, urlopen
+              PLACEHOLDER = "__FRONTGUARD_REPORT_URL__"
+              base = os.environ.get("FREEKIT_BASE_URL", "https://freekit.dev").rstrip("/")
+              with open("frontguard-report.html", encoding="utf-8") as f:
+                  html = f.read()
+              req = Request(
+                  f"{base}/api/v1/sites",
+                  data=json.dumps({"html": html}).encode("utf-8"),
+                  headers={"Content-Type": "application/json"},
+                  method="POST",
+              )
+              try:
+                  with urlopen(req, timeout=180) as resp:
+                      parsed = json.load(resp)
+              except HTTPError as e:
+                  raise SystemExit(
+                      f"FreeKit HTTP {e.code}: {(e.read() or b'').decode()[:4000]}"
+                  )
+              if parsed.get("status") != "success":
+                  raise SystemExit(f"FreeKit error: {json.dumps(parsed)[:4000]}")
+              data = parsed.get("data") or {}
+              report_url = (data.get("url") or "").strip()
+              if not report_url:
+                  raise SystemExit(f"FreeKit: missing data.url in {json.dumps(parsed)[:2000]}")
+              with open("frontguard-pr-comment.partial.md", encoding="utf-8") as f:
+                  body = f.read()
+              if PLACEHOLDER not in body:
+                  raise SystemExit(
+                      f"Expected {PLACEHOLDER!r} in frontguard-pr-comment.partial.md \u2014 regenerate with current FrontGuard."
+                  )
+              body = body.replace(PLACEHOLDER, report_url, 1)
+              with open("frontguard-pr-comment.md", "w", encoding="utf-8") as out:
+                  out.write(body)
+              with open("frontguard-payload.json", "w", encoding="utf-8") as out:
+                  json.dump({"content": {"raw": body}}, out, ensure_ascii=False)
+              PY
+            - |
+              curl --silent --show-error --fail --request POST \\
+                --url "https://api.bitbucket.org/2.0/repositories/\${BITBUCKET_REPO_FULL_NAME}/pullrequests/\${BITBUCKET_PR_ID}/comments" \\
+                --header 'Accept: application/json' \\
+                --header 'Content-Type: application/json' \\
+                --header "Authorization: Bearer \${BITBUCKET_ACCESS_TOKEN}" \\
+                --data @frontguard-payload.json`;
+var FRONTGUARD_MARKER = "FrontGuard";
+function hasFrontGuardStep(content) {
+  return content.includes(FRONTGUARD_MARKER);
+}
+function mergePipelineStep(existing) {
+  if (hasFrontGuardStep(existing)) {
+    return existing;
+  }
+  const lines = existing.split("\n");
+  const prSectionIdx = findPullRequestsSection(lines);
+  if (prSectionIdx !== null) {
+    return injectStepIntoPrSection(lines, prSectionIdx);
+  }
+  return appendPrSection(lines);
+}
+function findPullRequestsSection(lines) {
+  for (let i3 = 0; i3 < lines.length; i3++) {
+    if (/^\s{2,}pull-requests:\s*$/.test(lines[i3])) return i3;
   }
-  const cfgPath = path5.join(cwd, "frontguard.config.js");
-  try {
-    await fs.access(cfgPath);
-  } catch {
-    await fs.writeFile(cfgPath, CONFIG, "utf8");
+  return null;
+}
+function findBranchPattern(lines, afterLine) {
+  for (let i3 = afterLine + 1; i3 < lines.length; i3++) {
+    const line = lines[i3];
+    if (line.trim() === "" || line.trim().startsWith("#")) continue;
+    if (/^\s{4,}'[^']+':/.test(line) || /^\s{4,}"[^"]+":/.test(line)) return i3;
+    break;
   }
-  const tplPr = path5.join(cwd, "pull_request_template.md");
-  try {
-    await fs.access(tplPr);
-  } catch {
-    await fs.writeFile(tplPr, PR_TEMPLATE, "utf8");
+  return null;
+}
+function findLastStepEnd(lines, afterBranch) {
+  let lastContentLine = afterBranch;
+  const branchIndent = (lines[afterBranch].match(/^(\s*)/)?.[1] ?? "").length;
+  for (let i3 = afterBranch + 1; i3 < lines.length; i3++) {
+    const line = lines[i3];
+    if (line.trim() === "" || line.trim().startsWith("#")) continue;
+    const indent = (line.match(/^(\s*)/)?.[1] ?? "").length;
+    if (indent <= branchIndent) break;
+    lastContentLine = i3;
+  }
+  return lastContentLine;
+}
+function injectStepIntoPrSection(lines, prIdx) {
+  const branchIdx = findBranchPattern(lines, prIdx);
+  if (branchIdx !== null) {
+    const insertAfter = findLastStepEnd(lines, branchIdx);
+    const before = lines.slice(0, insertAfter + 1);
+    const after = lines.slice(insertAfter + 1);
+    return [...before, FRONTGUARD_STEP_YAML, ...after].join("\n");
+  }
+  const result = [...lines];
+  result.splice(prIdx + 1, 0, "    '**':", FRONTGUARD_STEP_YAML);
+  return result.join("\n");
+}
+function appendPrSection(lines) {
+  const pipelinesIdx = lines.findIndex((l3) => /^pipelines:\s*$/.test(l3));
+  if (pipelinesIdx === -1) {
+    return [
+      ...lines,
+      "",
+      "pipelines:",
+      "  pull-requests:",
+      "    '**':",
+      FRONTGUARD_STEP_YAML
+    ].join("\n");
+  }
+  let insertAt = pipelinesIdx + 1;
+  for (let i3 = pipelinesIdx + 1; i3 < lines.length; i3++) {
+    if (lines[i3].trim() === "" || lines[i3].trim().startsWith("#")) {
+      insertAt = i3 + 1;
+      continue;
+    }
+    const indent = (lines[i3].match(/^(\s*)/)?.[1] ?? "").length;
+    if (indent >= 2) {
+      insertAt = i3 + 1;
+    } else {
+      break;
+    }
   }
+  const lastSectionEnd = findEndOfLastSection(lines, pipelinesIdx);
+  const actualInsert = Math.max(insertAt, lastSectionEnd + 1);
+  const before = lines.slice(0, actualInsert);
+  const after = lines.slice(actualInsert);
+  return [
+    ...before,
+    "  pull-requests:",
+    "    '**':",
+    FRONTGUARD_STEP_YAML,
+    ...after
+  ].join("\n");
 }
-var BITBUCKET_CHECKS_IMAGE_MARKDOWN_ALT = "FrontGuard checks summary";
-var MAX_BITBUCKET_INLINE_IMAGE_MARKDOWN_LINE_LENGTH = 3e5;
-var MAX_PNG_BYTES_BITBUCKET_INLINE = 21e4;
-var MARKDOWN_LINE_PREFIX = `![${BITBUCKET_CHECKS_IMAGE_MARKDOWN_ALT}](data:image/png;base64,`;
-function isPngBuffer(buf) {
-  return buf.length >= 8 && buf[0] === 137 && buf[1] === 80 && buf[2] === 78 && buf[3] === 71 && buf[4] === 13 && buf[5] === 10 && buf[6] === 26 && buf[7] === 10;
+function findEndOfLastSection(lines, pipelinesIdx) {
+  let last = pipelinesIdx;
+  for (let i3 = pipelinesIdx + 1; i3 < lines.length; i3++) {
+    const line = lines[i3];
+    if (line.trim() === "") continue;
+    const indent = (line.match(/^(\s*)/)?.[1] ?? "").length;
+    if (indent === 0 && !line.trim().startsWith("#")) break;
+    last = i3;
+  }
+  return last;
 }
-function pngBufferToBitbucketImageMarkdownLine(png) {
-  if (!isPngBuffer(png)) {
-    throw new TypeError("Buffer is not a PNG (missing IHDR signature)");
+async function initFrontGuard(cwd) {
+  const actions = [];
+  const cfgPath = path6.join(cwd, "frontguard.config.js");
+  if (!await fileExists(cfgPath)) {
+    await fs.writeFile(cfgPath, CONFIG_TEMPLATE, "utf8");
+    actions.push("created frontguard.config.js");
+  } else {
+    actions.push("frontguard.config.js already exists (skipped)");
   }
-  if (png.length > MAX_PNG_BYTES_BITBUCKET_INLINE) {
-    throw new RangeError(
-      `PNG too large for Bitbucket inline markdown (${png.length} bytes; max ${MAX_PNG_BYTES_BITBUCKET_INLINE}). Host the image and use an HTTPS URL instead.`
-    );
+  const prTplPath = path6.join(cwd, "pull_request_template.md");
+  if (!await fileExists(prTplPath)) {
+    await fs.writeFile(prTplPath, PR_TEMPLATE, "utf8");
+    actions.push("created pull_request_template.md");
+  } else {
+    actions.push("pull_request_template.md already exists (skipped)");
   }
-  const b64 = png.toString("base64");
-  const line = `${MARKDOWN_LINE_PREFIX}${b64})`;
-  if (line.length > MAX_BITBUCKET_INLINE_IMAGE_MARKDOWN_LINE_LENGTH) {
-    throw new RangeError(
-      `Inline markdown line too long (${line.length} chars; max ${MAX_BITBUCKET_INLINE_IMAGE_MARKDOWN_LINE_LENGTH})`
+  const pipelinePath = path6.join(cwd, "bitbucket-pipelines.yml");
+  if (await fileExists(pipelinePath)) {
+    const existing = await fs.readFile(pipelinePath, "utf8");
+    if (hasFrontGuardStep(existing)) {
+      actions.push("bitbucket-pipelines.yml already has FrontGuard step (skipped)");
+    } else {
+      const merged = mergePipelineStep(existing);
+      await fs.writeFile(pipelinePath, merged, "utf8");
+      actions.push("merged FrontGuard step into bitbucket-pipelines.yml pull-requests");
+    }
+  } else {
+    await fs.writeFile(
+      pipelinePath,
+      [
+        "image: node:20",
+        "",
+        "clone:",
+        "  depth: 50",
+        "",
+        "pipelines:",
+        "  pull-requests:",
+        "    '**':",
+        FRONTGUARD_STEP_YAML,
+        ""
+      ].join("\n"),
+      "utf8"
     );
+    actions.push("created bitbucket-pipelines.yml with FrontGuard step");
   }
-  return line;
+  return actions;
 }
-function tryPngFileToBitbucketImageMarkdownLine(filePath) {
+async function fileExists(p2) {
   try {
-    if (!existsSync(filePath)) return null;
-    const st = statSync(filePath);
-    if (!st.isFile() || st.size > MAX_PNG_BYTES_BITBUCKET_INLINE) return null;
-    const buf = readFileSync(filePath);
-    return pngBufferToBitbucketImageMarkdownLine(buf);
+    await fs.access(p2);
+    return true;
   } catch {
-    return null;
+    return false;
   }
 }
 // src/ci/bitbucket-pr-snippet.ts
-function checksImageMarkdown() {
-  const embedPath = process.env.FRONTGUARD_EMBED_CHECKS_PNG_PATH?.trim();
-  if (embedPath) {
-    return tryPngFileToBitbucketImageMarkdownLine(embedPath);
-  }
-  const u4 = process.env.FRONTGUARD_CHECKS_IMAGE_URL?.trim();
-  if (!u4) return null;
-  return `![${BITBUCKET_CHECKS_IMAGE_MARKDOWN_ALT}](${u4})`;
-}
-function bitbucketPipelineResultsUrl() {
-  const full = process.env.BITBUCKET_REPO_FULL_NAME?.trim();
-  const bn = process.env.BITBUCKET_BUILD_NUMBER?.trim();
-  if (full && bn) {
-    return `https://bitbucket.org/${full}/pipelines/results/${bn}`;
-  }
-  const ws = process.env.BITBUCKET_WORKSPACE?.trim();
-  const slug = process.env.BITBUCKET_REPO_SLUG?.trim();
-  if (ws && slug && bn) {
-    return `https://bitbucket.org/${ws}/${slug}/pipelines/results/${bn}`;
+var FRONTGUARD_REPORT_URL_PLACEHOLDER = "__FRONTGUARD_REPORT_URL__";
+var DETAILED_REPORT_LINE = "For detailed check analysis, please open the full interactive report:";
+function mdTableCell(s3) {
+  return s3.replace(/\|/g, "\\|").replace(/\r?\n/g, " ").trim();
+}
+function statusForPrTable(r4) {
+  if (r4.skipped) {
+    const t3 = r4.skipped.replace(/\s+/g, " ").trim();
+    const short = t3.length > 120 ? `${t3.slice(0, 117)}\u2026` : t3;
+    return `Skipped \u2014 ${short}`;
   }
-  return null;
+  const n3 = r4.findings.length;
+  const blocks = r4.findings.filter((f4) => f4.severity === "block").length;
+  if (blocks > 0) return `${n3} issue(s), ${blocks} blocking`;
+  return `${n3} issue(s)`;
 }
-function bitbucketDownloadsPageUrl() {
-  const full = process.env.BITBUCKET_REPO_FULL_NAME?.trim();
-  if (full) return `https://bitbucket.org/${full}/downloads/`;
-  const ws = process.env.BITBUCKET_WORKSPACE?.trim();
-  const slug = process.env.BITBUCKET_REPO_SLUG?.trim();
-  if (ws && slug) return `https://bitbucket.org/${ws}/${slug}/downloads/`;
-  return null;
+function checkNeedsRow(r4) {
+  return Boolean(r4.skipped) || r4.findings.length > 0;
 }
-var DETAILED_REPORT_LINE = "For detailed check analysis, please open the full interactive report:";
 function formatBitbucketPrSnippet(report) {
   const publicReport = process.env.FRONTGUARD_PUBLIC_REPORT_URL?.trim();
   const linkOnly = process.env.FRONTGUARD_BITBUCKET_COMMENT_LINK_ONLY === "1";
-  const imgMd = checksImageMarkdown();
   if (linkOnly && publicReport) {
-    const parts = [];
-    if (imgMd) {
-      parts.push(imgMd, "");
-      parts.push(DETAILED_REPORT_LINE);
-    }
-    parts.push(publicReport.endsWith("\n") ? publicReport.slice(0, -1) : publicReport);
-    return `${parts.join("\n")}
+    const u4 = publicReport.endsWith("\n") ? publicReport.slice(0, -1) : publicReport;
+    return `${u4}
 `;
   }
-  const downloadsName = process.env.FRONTGUARD_REPORT_DOWNLOAD_NAME?.trim();
-  const downloadsPage = bitbucketDownloadsPageUrl();
-  const pipeline = bitbucketPipelineResultsUrl();
+  const reportUrl = publicReport || FRONTGUARD_REPORT_URL_PLACEHOLDER;
   const { riskScore, results } = report;
-  const blocks = results.reduce(
-    (n3, r4) => n3 + r4.findings.filter((f4) => f4.severity === "block").length,
-    0
-  );
-  const warns = results.reduce(
-    (n3, r4) => n3 + r4.findings.filter((f4) => f4.severity === "warn").length,
-    0
-  );
-  const out = [];
-  if (imgMd) {
-    out.push(imgMd);
-    out.push("");
-  }
-  out.push(
-    "FrontGuard report (short summary)",
-    "",
-    `Risk: ${riskScore}  |  Blocking: ${blocks}  |  Warnings: ${warns}`,
-    ""
-  );
-  if (publicReport) {
-    if (imgMd) {
-      out.push(DETAILED_REPORT_LINE);
-    } else {
-      out.push("Full interactive report (open in browser):");
-    }
-    out.push(publicReport);
-    out.push("");
-  } else if (downloadsName && downloadsPage) {
-    out.push("HTML report is in Repository \u2192 Downloads. Open this page while logged in:");
-    out.push(downloadsPage);
-    out.push(`File name: ${downloadsName}`);
-    out.push("Download the file, then open it in a browser.");
-    out.push("");
-  } else if (pipeline) {
-    out.push(
-      "There is no direct \u201CHTML URL\u201D for pipeline artifacts in Bitbucket. Use this pipeline run (log in), then Artifacts \u2192 frontguard-report.html:"
-    );
-    out.push(pipeline);
-    out.push("");
-    out.push(
-      "Steps: open the link \u2192 scroll to Artifacts \u2192 download frontguard-report.html \u2192 open the file on your machine."
-    );
-    out.push("");
+  const lines = [];
+  lines.push(`#### RISK score: ${riskScore}`);
+  lines.push("");
+  const failing = results.filter(checkNeedsRow);
+  if (failing.length > 0) {
+    lines.push("| Check name | Status |");
+    lines.push("| --- | --- |");
+    for (const r4 of failing) {
+      lines.push(`| ${mdTableCell(r4.checkId)} | ${mdTableCell(statusForPrTable(r4))} |`);
+    }
   } else {
-    out.push(
-      "Add a link: run FrontGuard inside Bitbucket Pipelines, or set FRONTGUARD_PUBLIC_REPORT_URL after uploading the HTML somewhere HTTPS."
-    );
-    out.push("");
-  }
-  out.push("Checks:");
-  for (const r4 of results) {
-    const status = r4.skipped ? `skipped (${r4.skipped.slice(0, 100)}${r4.skipped.length > 100 ? "\u2026" : ""})` : r4.findings.length === 0 ? "clean" : `${r4.findings.length} finding(s)`;
-    out.push(`- ${r4.checkId}: ${status}`);
+    lines.push("_All checks passed for this run._");
   }
-  out.push("");
-  out.push(
-    "Do not paste the long frontguard-report.md into PR comments. Full text output is in that file / pipeline artifacts only."
-  );
-  return out.join("\n");
+  lines.push("");
+  lines.push(DETAILED_REPORT_LINE);
+  lines.push("");
+  lines.push(reportUrl.endsWith("\n") ? reportUrl.slice(0, -1) : reportUrl);
+  lines.push("");
+  return lines.join("\n");
 }
 // src/ci/parse-ai-disclosure.ts
@@ -2727,13 +2955,13 @@ function parseNumstat(output) {
     if (tab2 < 0) continue;
     const aStr = t3.slice(0, tab);
     const dStr = t3.slice(tab + 1, tab2);
-    const path18 = t3.slice(tab2 + 1);
+    const path20 = t3.slice(tab2 + 1);
     const a3 = aStr === "-" ? 0 : Number(aStr);
     const d3 = dStr === "-" ? 0 : Number(dStr);
     if (!Number.isFinite(a3) || !Number.isFinite(d3)) continue;
     additions += a3;
     deletions += d3;
-    if (path18) files.push(path18);
+    if (path20) files.push(path20);
   }
   return { additions, deletions, files };
 }
@@ -2853,7 +3081,7 @@ var defaultConfig = {
       gateWhenAiDisclosureAmbiguous: "warn"
     },
     aiAssistedReview: {
-      enabled: true,
+      enabled: false,
       gate: "warn",
       strictScanMode: "both",
       escalate: {
@@ -2885,6 +3113,8 @@ var defaultConfig = {
       gate: "warn",
       runBuild: true,
       buildCommand: "npm run build",
+      bundleSizeStrategy: "auto",
+      bundleSizeCommand: null,
       measureGlobs: ["dist/**/*", "build/static/**/*", ".next/static/**/*"],
       baselinePath: ".frontguard/bundle-baseline.json",
       baselineRef: "main",
@@ -2944,7 +3174,7 @@ function stripExtends(c4) {
 }
 async function loadExtendsLayer(cwd, spec) {
   if (!spec) return {};
-  const req = createRequire(path5.join(cwd, "package.json"));
+  const req = createRequire(path6.join(cwd, "package.json"));
   const specs = Array.isArray(spec) ? spec : [spec];
   let merged = {};
   for (const s3 of specs) {
@@ -2963,7 +3193,7 @@ async function loadExtendsLayer(cwd, spec) {
 async function loadConfig(cwd) {
   let userFile = null;
   for (const name of CONFIG_NAMES) {
-    const full = path5.join(cwd, name);
+    const full = path6.join(cwd, name);
     if (!fs2.existsSync(full)) continue;
     try {
       const mod = await importConfig(full);
@@ -2995,7 +3225,7 @@ function hasDep(deps, name) {
 async function detectStack(cwd) {
   let pkg = {};
   try {
-    const raw = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
+    const raw = await fs.readFile(path6.join(cwd, "package.json"), "utf8");
     pkg = JSON.parse(raw);
   } catch {
     return {
@@ -3007,6 +3237,8 @@ async function detectStack(cwd) {
       hasJest: false,
       hasVitest: false,
       hasPlaywright: false,
+      hasVite: false,
+      hasCRA: false,
       packageManager: "unknown",
       tsStrict: null
     };
@@ -3015,7 +3247,7 @@ async function detectStack(cwd) {
   const isMonorepo = Boolean(pkg.workspaces);
   let tsStrict = null;
   try {
-    const tsconfigPath = path5.join(cwd, "tsconfig.json");
+    const tsconfigPath = path6.join(cwd, "tsconfig.json");
     const tsRaw = await fs.readFile(tsconfigPath, "utf8");
     const ts2 = JSON.parse(tsRaw);
     if (typeof ts2.compilerOptions?.strict === "boolean") {
@@ -3025,15 +3257,15 @@ async function detectStack(cwd) {
   }
   let pm = "unknown";
   try {
-    await fs.access(path5.join(cwd, "pnpm-lock.yaml"));
+    await fs.access(path6.join(cwd, "pnpm-lock.yaml"));
     pm = "pnpm";
   } catch {
     try {
-      await fs.access(path5.join(cwd, "yarn.lock"));
+      await fs.access(path6.join(cwd, "yarn.lock"));
       pm = "yarn";
     } catch {
       try {
-        await fs.access(path5.join(cwd, "package-lock.json"));
+        await fs.access(path6.join(cwd, "package-lock.json"));
         pm = "npm";
       } catch {
         pm = "npm";
@@ -3049,6 +3281,8 @@ async function detectStack(cwd) {
     hasJest: hasDep(deps, "jest"),
     hasVitest: hasDep(deps, "vitest"),
     hasPlaywright: hasDep(deps, "@playwright/test"),
+    hasVite: hasDep(deps, "vite"),
+    hasCRA: hasDep(deps, "react-scripts"),
     packageManager: pm,
     tsStrict
   };
@@ -3058,11 +3292,62 @@ function formatStackOneLiner(s3) {
   if (s3.hasNext) bits.push("Next.js");
   if (s3.hasReactNative) bits.push("React Native");
   else if (s3.hasReact) bits.push("React");
+  if (s3.hasVite) bits.push("Vite");
+  if (s3.hasCRA) bits.push("CRA");
   if (s3.hasTypeScript) bits.push("TypeScript");
   if (s3.tsStrict === true) bits.push("strict TS");
   bits.push(`pkg: ${s3.packageManager}`);
   return bits.join(" \xB7 ") || "unknown";
 }
+var MAX_TOTAL_CHARS = 32e3;
+var MAX_PER_FILE_CHARS = 8e3;
+async function loadCursorRules(cwd) {
+  const empty = { text: "", fileCount: 0, files: [] };
+  const parts = [];
+  let totalChars = 0;
+  const ruleFiles = await fg(
+    [".cursor/rules/**/*.{md,mdc}", ".cursorrules", "AGENTS.md"],
+    {
+      cwd,
+      onlyFiles: true,
+      dot: true,
+      ignore: ["**/node_modules/**"]
+    }
+  );
+  if (ruleFiles.length === 0) return empty;
+  ruleFiles.sort();
+  for (const rel of ruleFiles) {
+    if (totalChars >= MAX_TOTAL_CHARS) break;
+    try {
+      let content = await fs.readFile(path6.join(cwd, rel), "utf8");
+      content = stripFrontmatter(content).trim();
+      if (!content) continue;
+      const budget = Math.min(MAX_PER_FILE_CHARS, MAX_TOTAL_CHARS - totalChars);
+      if (content.length > budget) {
+        content = content.slice(0, budget) + "\n[\u2026 truncated]";
+      }
+      parts.push({ rel, content });
+      totalChars += content.length;
+    } catch {
+      continue;
+    }
+  }
+  if (parts.length === 0) return empty;
+  const text = parts.map((p2) => `### Rule: ${p2.rel}
+${p2.content}`).join("\n\n---\n\n");
+  return {
+    text,
+    fileCount: parts.length,
+    files: parts.map((p2) => p2.rel)
+  };
+}
+function stripFrontmatter(content) {
+  if (!content.startsWith("---")) return content;
+  const endIdx = content.indexOf("---", 3);
+  if (endIdx === -1) return content;
+  return content.slice(endIdx + 3).trim();
+}
 function normalizePrPath(p2) {
   return p2.replace(/\\/g, "/").replace(/^\.\//, "");
 }
@@ -3076,8 +3361,8 @@ function prPathSet(pr) {
 function isPathInPrScope(relOrAbs, cwd, prSet) {
   const raw = relOrAbs.replace(/^file:\/\//, "");
   let rel = normalizePrPath(raw);
-  if (path5.isAbsolute(raw)) {
-    rel = normalizePrPath(path5.relative(cwd, raw));
+  if (path6.isAbsolute(raw)) {
+    rel = normalizePrPath(path6.relative(cwd, raw));
   }
   if (prSet.has(rel)) return true;
   const trimmed = rel.replace(/^\.\//, "");
@@ -3103,7 +3388,7 @@ async function existingRepoPaths(cwd, rels) {
   const out = [];
   for (const rel of rels) {
     try {
-      await fs.access(path5.join(cwd, rel));
+      await fs.access(path6.join(cwd, rel));
       out.push(rel);
     } catch {
     }
@@ -3133,30 +3418,30 @@ function stripFileUrl(p2) {
   return s3;
 }
 function isUnderDir(parent, child) {
-  const rel = path5.relative(parent, child);
-  return rel === "" || !rel.startsWith("..") && !path5.isAbsolute(rel);
+  const rel = path6.relative(parent, child);
+  return rel === "" || !rel.startsWith("..") && !path6.isAbsolute(rel);
 }
 function toRepoRelativePath(cwd, filePath) {
   if (!filePath?.trim()) return void 0;
   const raw = stripFileUrl(filePath);
-  const resolvedCwd = path5.resolve(cwd);
-  const absFile = path5.isAbsolute(raw) ? path5.resolve(raw) : path5.resolve(resolvedCwd, raw);
+  const resolvedCwd = path6.resolve(cwd);
+  const absFile = path6.isAbsolute(raw) ? path6.resolve(raw) : path6.resolve(resolvedCwd, raw);
   if (!isUnderDir(resolvedCwd, absFile)) {
     return raw.split(/[/\\]/g).join("/");
   }
-  let rel = path5.relative(resolvedCwd, absFile);
+  let rel = path6.relative(resolvedCwd, absFile);
   if (!rel || rel === ".") {
-    return path5.basename(absFile);
+    return path6.basename(absFile);
   }
-  return rel.split(path5.sep).join("/");
+  return rel.split(path6.sep).join("/");
 }
 function stripRepoAbsolutePaths(cwd, text) {
   if (!text || !cwd.trim()) return text;
-  const resolvedCwd = path5.resolve(cwd);
+  const resolvedCwd = path6.resolve(cwd);
   const asPosix = (s3) => s3.replace(/\\/g, "/");
   const cwdPosix = asPosix(resolvedCwd);
   let out = asPosix(text);
-  const prefixes = [.../* @__PURE__ */ new Set([cwdPosix + "/", resolvedCwd + path5.sep])].filter(
+  const prefixes = [.../* @__PURE__ */ new Set([cwdPosix + "/", resolvedCwd + path6.sep])].filter(
     (p2) => p2.length > 1
   );
   for (const prefix of prefixes) {
@@ -3782,7 +4067,7 @@ async function pathExists(file) {
   }
 }
 async function resolveBin(cwd, name) {
-  const local = path5.join(cwd, "node_modules", ".bin", name);
+  const local = path6.join(cwd, "node_modules", ".bin", name);
   if (await pathExists(local)) return local;
   const win = local + ".cmd";
   if (await pathExists(win)) return win;
@@ -3838,7 +4123,7 @@ async function runNpx(cwd, args) {
 // src/checks/eslint.ts
 async function hasEslintDependency(cwd) {
   try {
-    const raw = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
+    const raw = await fs.readFile(path6.join(cwd, "package.json"), "utf8");
     const p2 = JSON.parse(raw);
     return Boolean(p2.devDependencies?.eslint || p2.dependencies?.eslint);
   } catch {
@@ -3858,7 +4143,7 @@ async function hasEslintConfig(cwd) {
     ".eslintrc.yml"
   ];
   for (const c4 of candidates) {
-    if (await pathExists(path5.join(cwd, c4))) return true;
+    if (await pathExists(path6.join(cwd, c4))) return true;
   }
   return false;
 }
@@ -4114,7 +4399,7 @@ async function runTypeScript(cwd, config, stack, pr) {
       skipped: "disabled in config"
     };
   }
-  const hasTs = stack.hasTypeScript || await pathExists(path5.join(cwd, "tsconfig.json"));
+  const hasTs = stack.hasTypeScript || await pathExists(path6.join(cwd, "tsconfig.json"));
   if (!hasTs) {
     return {
       checkId: "typescript",
@@ -4125,7 +4410,7 @@ async function runTypeScript(cwd, config, stack, pr) {
   }
   const extra = config.checks.typescript.tscArgs ?? [];
   const hasProject = extra.some((a3) => a3 === "-p" || a3 === "--project");
-  const tsconfigPath = path5.join(cwd, "tsconfig.json");
+  const tsconfigPath = path6.join(cwd, "tsconfig.json");
   const args = [
     "--noEmit",
     ...hasProject || !await pathExists(tsconfigPath) ? [] : ["-p", "tsconfig.json"],
@@ -4238,7 +4523,7 @@ async function runSecrets(cwd, config, pr) {
       });
       break;
     }
-    const full = path5.join(cwd, rel);
+    const full = path6.join(cwd, rel);
     let content;
     try {
       content = await fs.readFile(full, "utf8");
@@ -4264,7 +4549,7 @@ async function runSecrets(cwd, config, pr) {
   };
 }
 function isProbablyTextFile(rel) {
-  const ext = path5.extname(rel).toLowerCase();
+  const ext = path6.extname(rel).toLowerCase();
   return TEXT_EXT.has(ext);
 }
@@ -4328,8 +4613,8 @@ function runPrHygiene(config, pr) {
   if (pr.aiAssisted) {
     findings.push({
       id: "pr-ai-flag",
-      severity: "warn",
-      message: "**AI-assisted PR:** FrontGuard is applying stricter static checks and may escalate secrets / `any` deltas. Verify business logic, auth, and data handling manually."
+      severity: "info",
+      message: config.checks.aiAssistedReview.enabled ? "**AI-assisted PR:** FrontGuard is applying stricter static checks and may escalate secrets / `any` deltas. Verify business logic, auth, and data handling manually." : "**AI-assisted PR:** Disclosure recorded. The optional **AI-assisted review** check is off by default (under development); enable `checks.aiAssistedReview.enabled` when you want decorator / static heuristics."
     });
   }
   if (pr.aiExplicitNo) {
@@ -4594,12 +4879,12 @@ async function runCycles(cwd, config, stack, pr) {
   }
   let entry = cfg.entries[0] ?? "src";
   for (const e3 of cfg.entries) {
-    if (await pathExists(path5.join(cwd, e3))) {
+    if (await pathExists(path6.join(cwd, e3))) {
       entry = e3;
       break;
     }
   }
-  if (!await pathExists(path5.join(cwd, entry))) {
+  if (!await pathExists(path6.join(cwd, entry))) {
     return {
       checkId: "cycles",
       findings: [],
@@ -4712,11 +4997,62 @@ async function runDeadCode(cwd, config, stack, pr) {
     durationMs: Math.round(performance.now() - t0)
   };
 }
-function gateSeverity4(g4) {
-  return g4 === "block" ? "block" : g4 === "info" ? "info" : "warn";
+function resolveStrategy(configured, stack) {
+  if (configured !== "auto") return configured;
+  if (stack.hasNext) return "next";
+  if (stack.hasCRA) return "cra";
+  if (stack.hasVite) return "vite";
+  return "glob";
+}
+function parseNextBuildOutput(stdout2) {
+  for (const line of stdout2.split("\n")) {
+    if (!line.includes("First Load JS shared by all")) continue;
+    const m3 = /([\d.]+)\s*(kB|MB|B)\s*$/.exec(line.trim());
+    if (!m3) continue;
+    const num = parseFloat(m3[1]);
+    const unit = m3[2];
+    let bytes;
+    if (unit === "kB") bytes = Math.round(num * 1024);
+    else if (unit === "MB") bytes = Math.round(num * 1024 * 1024);
+    else bytes = Math.round(num);
+    return { bytes, label: `First Load JS shared by all: ${m3[1]} ${unit}` };
+  }
+  return null;
+}
+function parseCraBuildOutput(stdout2) {
+  const lines = stdout2.split("\n");
+  let inSection = false;
+  let totalBytes = 0;
+  let count = 0;
+  for (const line of lines) {
+    if (line.includes("File sizes after gzip")) {
+      inSection = true;
+      continue;
+    }
+    if (!inSection) continue;
+    if (line.trim() === "") {
+      if (count > 0) break;
+      continue;
+    }
+    if (!line.includes(".js")) continue;
+    const m3 = /([\d.]+)\s*(KB|kB|MB|B)/i.exec(line);
+    if (!m3) continue;
+    const num = parseFloat(m3[1]);
+    const unit = m3[2].toLowerCase();
+    if (unit === "kb") totalBytes += Math.round(num * 1024);
+    else if (unit === "mb") totalBytes += Math.round(num * 1024 * 1024);
+    else totalBytes += Math.round(num);
+    count++;
+  }
+  if (count === 0) return null;
+  return {
+    bytes: totalBytes,
+    label: `CRA gzipped JS total from ${count} file(s): ${(totalBytes / 1024).toFixed(1)} kB`
+  };
 }
 async function sumGlobBytes(cwd, patterns) {
   let total = 0;
+  let fileCount = 0;
   for (const pattern of patterns) {
     const files = await fg(pattern, {
       cwd,
@@ -4726,16 +5062,43 @@ async function sumGlobBytes(cwd, patterns) {
     });
     for (const rel of files) {
       try {
-        const st = await fs.stat(path5.join(cwd, rel));
+        const st = await fs.stat(path6.join(cwd, rel));
         total += st.size;
+        fileCount++;
       } catch {
       }
     }
   }
-  return total;
+  return {
+    bytes: total,
+    label: `Glob sum: ${fileCount} file(s), ${(total / 1024).toFixed(1)} kB`
+  };
+}
+async function measureViteBundle(cwd, measureGlobs) {
+  const jsGlobs = measureGlobs.length > 0 ? measureGlobs : ["dist/assets/**/*.js"];
+  return sumGlobBytes(cwd, jsGlobs);
+}
+async function runCustomSizeCommand(cwd, command) {
+  const parts = command.trim().split(/\s+/).filter(Boolean);
+  if (parts.length === 0) return null;
+  const [bin, ...args] = parts;
+  try {
+    const r4 = await W2(bin, args, { nodeOptions: { cwd } });
+    const out = (r4.stdout ?? "").trim();
+    const num = parseInt(out, 10);
+    if (!Number.isFinite(num) || num < 0) return null;
+    return { bytes: num, label: `Custom command reported: ${(num / 1024).toFixed(1)} kB` };
+  } catch {
+    return null;
+  }
+}
+// src/checks/bundle.ts
+function gateSeverity4(g4) {
+  return g4 === "block" ? "block" : g4 === "info" ? "info" : "warn";
 }
 async function readBaseline(cwd, relPath, baseRef) {
-  const disk = path5.join(cwd, relPath);
+  const disk = path6.join(cwd, relPath);
   try {
     const raw = await fs.readFile(disk, "utf8");
     return JSON.parse(raw);
@@ -4767,11 +5130,12 @@ function tokenizeCommand(cmd) {
 }
 function npmScriptFromBuildCommand(cmd) {
   const t3 = cmd.trim();
-  if (/^yarn\s+build\b/i.test(t3)) return "build";
   const np = /^(?:npm|pnpm)\s+run\s+(\S+)/i.exec(t3);
   if (np?.[1]) return np[1];
   const yr = /^yarn\s+run\s+(\S+)/i.exec(t3);
   if (yr?.[1]) return yr[1];
+  const yPlain = /^yarn\s+(?!run\b)(\S+)/i.exec(t3);
+  if (yPlain?.[1]) return yPlain[1];
   return null;
 }
 async function bundleBuildPrecheck(cwd, buildCommand) {
@@ -4779,7 +5143,7 @@ async function bundleBuildPrecheck(cwd, buildCommand) {
   if (!script) return { run: true };
   let scripts;
   try {
-    const raw = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
+    const raw = await fs.readFile(path6.join(cwd, "package.json"), "utf8");
     const pkg = JSON.parse(raw);
     scripts = pkg.scripts;
   } catch {
@@ -4793,7 +5157,7 @@ async function bundleBuildPrecheck(cwd, buildCommand) {
     return {
       run: false,
       message: `Skipped bundle build \u2014 no scripts.${script} in package.json`,
-      detail: "The bundle check runs a production build, then sums file sizes under checks.bundle.measureGlobs (dist/, build/static/, .next/static/, etc.). Libraries and non-web repos often have no `build` script \u2014 set checks.bundle.runBuild to false and optionally tune measureGlobs, or set checks.bundle.buildCommand to whatever produces your artifacts (e.g. `pnpm run compile`, `npx vite build`)."
+      detail: "The bundle check runs a production build, then measures the output. Libraries and non-web repos often have no `build` script \u2014 set checks.bundle.runBuild to false, or set checks.bundle.buildCommand to whatever produces your artifacts."
     };
   }
   return { run: true };
@@ -4817,7 +5181,9 @@ async function runBundle(cwd, config, stack) {
       skipped: "skipped for React Native (configure web artifacts if needed)"
     };
   }
+  const strategy = resolveStrategy(cfg.bundleSizeStrategy, stack);
   const preFindings = [];
+  let buildStdout = "";
   if (cfg.runBuild) {
     const parts = tokenizeCommand(cfg.buildCommand);
     if (parts.length === 0) {
@@ -4858,9 +5224,56 @@ async function runBundle(cwd, config, stack) {
           durationMs: Math.round(performance.now() - t0)
         };
       }
+      buildStdout = (res.stdout ?? "") + "\n" + (res.stderr ?? "");
+    }
+  }
+  let sizeResult = null;
+  switch (strategy) {
+    case "next": {
+      sizeResult = parseNextBuildOutput(buildStdout);
+      if (!sizeResult) {
+        sizeResult = (await sumGlobBytes(cwd, [".next/static/**/*.js"])).bytes > 0 ? await sumGlobBytes(cwd, [".next/static/**/*.js"]) : null;
+      }
+      break;
+    }
+    case "cra": {
+      sizeResult = parseCraBuildOutput(buildStdout);
+      if (!sizeResult) {
+        const g4 = await sumGlobBytes(cwd, ["build/static/js/**/*.js"]);
+        if (g4.bytes > 0) sizeResult = g4;
+      }
+      break;
+    }
+    case "vite": {
+      sizeResult = await measureViteBundle(cwd, cfg.measureGlobs);
+      break;
+    }
+    case "custom": {
+      if (!cfg.bundleSizeCommand) {
+        return {
+          checkId: "bundle",
+          findings: [
+            {
+              id: "bundle-custom-missing",
+              severity: "warn",
+              message: "bundleSizeStrategy is `custom` but `bundleSizeCommand` is not set"
+            }
+          ],
+          durationMs: Math.round(performance.now() - t0)
+        };
+      }
+      sizeResult = await runCustomSizeCommand(cwd, cfg.bundleSizeCommand);
+      break;
+    }
+    case "glob":
+    default: {
+      const g4 = await sumGlobBytes(cwd, cfg.measureGlobs);
+      if (g4.bytes > 0) sizeResult = g4;
+      break;
     }
   }
-  const total = await sumGlobBytes(cwd, cfg.measureGlobs);
+  const total = sizeResult?.bytes ?? 0;
+  const sizeLabel = sizeResult?.label ?? `(no bundle output detected for strategy "${strategy}")`;
   if (total === 0) {
     return {
       checkId: "bundle",
@@ -4869,7 +5282,9 @@ async function runBundle(cwd, config, stack) {
         {
           id: "bundle-empty",
           severity: "info",
-          message: "No bundle artifacts matched `measureGlobs` \u2014 configure paths or run a web build"
+          message: `No bundle size detected (strategy: ${strategy})`,
+          detail: `${sizeLabel}
+Ensure the build produces artifacts, or switch to a different bundleSizeStrategy.`
         }
       ],
       durationMs: Math.round(performance.now() - t0)
@@ -4879,7 +5294,9 @@ async function runBundle(cwd, config, stack) {
   const baseline = await readBaseline(cwd, cfg.baselinePath, baseRef);
   const findings = [...preFindings];
   const infoLines = [
-    `Measured ${total} bytes (${(total / 1024 / 1024).toFixed(2)} MiB)`,
+    `Strategy: ${strategy}`,
+    sizeLabel,
+    `Measured ${total} bytes (${(total / 1024).toFixed(1)} kB)`,
     baseline ? `Baseline from \`${cfg.baselinePath}\`: ${baseline.totalBytes} bytes` : `No baseline at \`${cfg.baselinePath}\` (commit a baseline JSON to compare)`
   ].join("\n");
   if (cfg.maxTotalBytes != null && total > cfg.maxTotalBytes) {
@@ -4955,7 +5372,7 @@ async function runCoreWebVitals(cwd, config, stack, pr) {
   const findings = [];
   const sev2 = gateSeverity5(cfg.gate);
   for (const rel of toScan.slice(0, 400)) {
-    const full = path5.join(cwd, rel);
+    const full = path6.join(cwd, rel);
     let text;
     try {
       text = await fs.readFile(full, "utf8");
@@ -5040,7 +5457,7 @@ async function runCustomRules(cwd, config, restrictToFiles) {
       });
       break;
     }
-    const full = path5.join(cwd, rel);
+    const full = path6.join(cwd, rel);
     let content;
     try {
       content = await fs.readFile(full, "utf8");
@@ -5485,7 +5902,7 @@ async function runAiAssistedStrict(cwd, config, pr) {
   const byRel = /* @__PURE__ */ new Map();
   let anyDecoratorInPr = false;
   for (const rel of files) {
-    const full = path5.join(cwd, rel);
+    const full = path6.join(cwd, rel);
     try {
       const content = await fs.readFile(full, "utf8");
       if (content.length > 5e5) continue;
@@ -5573,204 +5990,6 @@ function applyAiAssistedEscalation(results, pr, config) {
     }
   }
 }
-var W3 = 920;
-var PAD_X = 24;
-var TABLE_X = 20;
-var TABLE_W = 880;
-var HEADER_H = 34;
-var ROW_H = 34;
-var COL_CHECK = 52;
-var ICON_X = 268;
-var COL_STATUS = 400;
-var COL_NUM = 700;
-var COL_TIME = 820;
-var OVER_LABEL_W = 132;
-var OVER_ROW_H = 36;
-var clipSeq = 0;
-function nextClipId() {
-  clipSeq += 1;
-  return `fgc${clipSeq}_${Math.random().toString(36).slice(2, 8)}`;
-}
-function escapeXml(s3) {
-  return s3.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
-}
-function truncate5(s3, max) {
-  const t3 = s3.replace(/\s+/g, " ").trim();
-  if (t3.length <= max) return t3;
-  return `${t3.slice(0, max - 1)}\u2026`;
-}
-function formatDuration(ms) {
-  if (ms < 1e3) return `${ms} ms`;
-  const s3 = Math.round(ms / 1e3);
-  if (s3 < 60) return `${s3}s`;
-  const m3 = Math.floor(s3 / 60);
-  const r4 = s3 % 60;
-  return r4 ? `${m3}m ${r4}s` : `${m3}m`;
-}
-function statusText(r4) {
-  if (r4.skipped) return `Skipped \u2014 ${truncate5(r4.skipped, 42)}`;
-  if (r4.findings.length === 0) return "Pass";
-  return `${r4.findings.length} issue(s)`;
-}
-function dotFill(r4) {
-  if (r4.skipped) return "#cbd5e1";
-  if (r4.findings.length === 0) return "#16a34a";
-  if (r4.findings.some((x3) => x3.severity === "block")) return "#dc2626";
-  return "#d97706";
-}
-function riskFill(risk) {
-  if (risk === "LOW") return "#16a34a";
-  if (risk === "MEDIUM") return "#d97706";
-  return "#dc2626";
-}
-function resvgFontOptions() {
-  const base = { loadSystemFonts: true };
-  if (process.platform === "linux") {
-    return {
-      ...base,
-      fontDirs: [
-        "/usr/share/fonts/truetype/dejavu",
-        "/usr/share/fonts/truetype/liberation",
-        "/usr/share/fonts/opentype/noto",
-        "/usr/share/fonts"
-      ]
-    };
-  }
-  return base;
-}
-function buildChecksSnapshotSvg(p2) {
-  const { riskScore, mode, stack, pr, results, lines } = p2;
-  const modeLabel = mode === "enforce" ? "Enforce" : "Warn only";
-  const stackLine = truncate5(formatStackOneLiner(stack), 96);
-  const prLine = pr && lines != null ? truncate5(
-    `${lines} lines changed (+${pr.additions} / \u2212${pr.deletions}) \xB7 ${pr.changedFiles} files`,
-    96
-  ) : null;
-  const nOverview = 3 + (prLine ? 1 : 0);
-  const overviewH = nOverview * OVER_ROW_H;
-  const overviewY0 = 44;
-  const overviewClip = nextClipId();
-  const checksTitleY = overviewY0 + overviewH + 22;
-  const tableTop = checksTitleY + 22;
-  const bodyRows = results.length;
-  const cardH = HEADER_H + bodyRows * ROW_H;
-  const totalH = tableTop + cardH + 36;
-  const headerMid = tableTop + HEADER_H / 2 + 5;
-  const rowTextY = (i3) => tableTop + HEADER_H + i3 * ROW_H + ROW_H / 2 + 5;
-  const headerCells = [
-    { x: COL_CHECK, label: "CHECK", anchor: "start" },
-    { x: COL_STATUS, label: "STATUS", anchor: "start" },
-    { x: COL_NUM, label: "#", anchor: "end" },
-    { x: COL_TIME, label: "TIME", anchor: "end" }
-  ];
-  const overviewRows = [];
-  const ov = [
-    { label: "Risk score", kind: "risk" },
-    { label: "Mode", kind: "text", text: modeLabel },
-    { label: "Stack", kind: "text", text: stackLine }
-  ];
-  if (prLine) ov.push({ label: "Pull request", kind: "text", text: prLine });
-  for (let i3 = 0; i3 < nOverview; i3++) {
-    const row = ov[i3];
-    const y4 = overviewY0 + i3 * OVER_ROW_H;
-    const mid = y4 + OVER_ROW_H / 2 + 4;
-    overviewRows.push(
-      `<rect x="${TABLE_X}" y="${y4}" width="${OVER_LABEL_W}" height="${OVER_ROW_H}" fill="#f1f5f9" stroke="none"/>`,
-      `<line x1="${TABLE_X}" y1="${y4 + OVER_ROW_H}" x2="${TABLE_X + TABLE_W}" y2="${y4 + OVER_ROW_H}" stroke="#e2e8f0" stroke-width="1"/>`,
-      `<text x="${TABLE_X + 10}" y="${mid}" font-size="12" fill="#64748b" font-weight="500" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">${escapeXml(row.label)}</text>`
-    );
-    if (row.kind === "risk") {
-      const rs = riskScore;
-      overviewRows.push(
-        `<text x="${TABLE_X + OVER_LABEL_W + 10}" y="${mid}" font-size="13" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif"><tspan fill="${riskFill(riskScore)}" font-weight="600">${escapeXml(rs)}</tspan><tspan fill="#64748b"> \u2014 heuristic</tspan></text>`
-      );
-    } else {
-      overviewRows.push(
-        `<text x="${TABLE_X + OVER_LABEL_W + 10}" y="${mid}" font-size="13" fill="#0f172a" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">${escapeXml(row.text)}</text>`
-      );
-    }
-  }
-  const rowLines = [];
-  for (let i3 = 0; i3 < bodyRows; i3++) {
-    const y4 = tableTop + HEADER_H + i3 * ROW_H;
-    const fill = i3 % 2 === 1 ? "#f8fafc" : "#ffffff";
-    rowLines.push(
-      `<rect x="${TABLE_X}" y="${y4}" width="${TABLE_W}" height="${ROW_H}" fill="${fill}" stroke="none"/>`
-    );
-  }
-  const bodyCells = [];
-  for (let i3 = 0; i3 < bodyRows; i3++) {
-    const r4 = results[i3];
-    const cy = rowTextY(i3);
-    bodyCells.push(
-      `<circle cx="34" cy="${cy - 4}" r="4.5" fill="${dotFill(r4)}"/>`,
-      `<text x="${COL_CHECK}" y="${cy}" font-size="13" font-weight="600" fill="#0f172a" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">${escapeXml(truncate5(r4.checkId, 22))}</text>`,
-      `<circle cx="${ICON_X}" cy="${cy - 3}" r="8" fill="#f1f5f9" stroke="#e2e8f0" stroke-width="1"/>`,
-      `<text x="${ICON_X}" y="${cy}" font-size="9" font-weight="700" fill="#64748b" text-anchor="middle" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">i</text>`,
-      `<text x="${COL_STATUS}" y="${cy}" font-size="13" fill="#0f172a" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">${escapeXml(statusText(r4))}</text>`,
-      `<text x="${COL_NUM}" y="${cy}" font-size="13" fill="#64748b" font-family="Liberation Mono, DejaVu Sans Mono, monospace" text-anchor="end">${escapeXml(r4.skipped ? "\u2014" : String(r4.findings.length))}</text>`,
-      `<text x="${COL_TIME}" y="${cy}" font-size="13" fill="#64748b" font-family="Liberation Mono, DejaVu Sans Mono, monospace" text-anchor="end">${escapeXml(formatDuration(r4.durationMs))}</text>`
-    );
-  }
-  const gridLines = [];
-  for (let i3 = 0; i3 <= bodyRows; i3++) {
-    const y4 = tableTop + HEADER_H + i3 * ROW_H;
-    gridLines.push(
-      `<line x1="${TABLE_X}" y1="${y4}" x2="${TABLE_X + TABLE_W}" y2="${y4}" stroke="#e2e8f0" stroke-width="1"/>`
-    );
-  }
-  const checksClip = nextClipId();
-  return `<?xml version="1.0" encoding="UTF-8"?>
-<svg xmlns="http://www.w3.org/2000/svg" width="${W3}" height="${totalH}" viewBox="0 0 ${W3} ${totalH}">
-  <rect width="${W3}" height="${totalH}" fill="#f8fafc"/>
-  <text x="${PAD_X}" y="18" font-size="11" font-weight="600" fill="#64748b" letter-spacing="0.12em" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">FRONTGUARD</text>
-  <text x="${PAD_X}" y="36" font-size="16" font-weight="600" fill="#0f172a" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">Overview</text>
-  <defs>
-    <clipPath id="${overviewClip}">
-      <rect x="${TABLE_X}" y="${overviewY0}" width="${TABLE_W}" height="${overviewH}" rx="10" ry="10"/>
-    </clipPath>
-    <clipPath id="${checksClip}">
-      <rect x="${TABLE_X}" y="${tableTop}" width="${TABLE_W}" height="${cardH}" rx="10" ry="10"/>
-    </clipPath>
-  </defs>
-  <rect x="${TABLE_X}" y="${overviewY0}" width="${TABLE_W}" height="${overviewH}" rx="10" ry="10" fill="#ffffff" stroke="#e2e8f0" stroke-width="1"/>
-  <g clip-path="url(#${overviewClip})">
-    ${overviewRows.join("\n    ")}
-  </g>
-  <text x="${PAD_X}" y="${checksTitleY}" font-size="16" font-weight="600" fill="#0f172a" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif">Checks</text>
-  <rect x="${TABLE_X}" y="${tableTop}" width="${TABLE_W}" height="${cardH}" rx="10" ry="10" fill="#ffffff" stroke="#e2e8f0" stroke-width="1"/>
-  <g clip-path="url(#${checksClip})">
-    <rect x="${TABLE_X}" y="${tableTop}" width="${TABLE_W}" height="${HEADER_H}" fill="#f1f5f9"/>
-    ${headerCells.map(
-    (c4) => `<text x="${c4.x}" y="${headerMid}" font-size="11" font-weight="600" fill="#64748b" letter-spacing="0.04em" font-family="DejaVu Sans, Liberation Sans, system-ui, sans-serif" text-anchor="${c4.anchor}">${c4.label}</text>`
-  ).join("\n    ")}
-    ${rowLines.join("\n    ")}
-    ${gridLines.join("\n    ")}
-    ${bodyCells.join("\n    ")}
-  </g>
-</svg>`;
-}
-async function renderChecksSnapshotPng(pngPath, input) {
-  const svg = buildChecksSnapshotSvg(input);
-  const resvg = new Resvg(svg, {
-    background: "#f8fafc",
-    fitTo: { mode: "width", value: W3 },
-    font: resvgFontOptions()
-  });
-  const img = resvg.render();
-  const png = img.asPng();
-  await writeFile(pngPath, png);
-  const written = await readFile(pngPath);
-  if (!isPngBuffer(written) || written.length < 200) {
-    throw new Error(
-      "FrontGuard: checks PNG is missing or invalid after render. Install fonts on the runner (e.g. apt install fonts-dejavu-core fonts-liberation) and ensure @resvg/resvg-js native binary loads."
-    );
-  }
-  const { width, height } = img;
-  if (width < 16 || height < 16) {
-    throw new Error(`FrontGuard: checks PNG has invalid dimensions ${width}x${height}.`);
-  }
-}
 // src/report/builder.ts
 var import_picocolors = __toESM(require_picocolors());
@@ -5788,9 +6007,9 @@ var CHECK_DESCRIPTIONS = {
   secrets: "Scans changed files for patterns that look like leaked secrets (tokens, keys). Heuristic \u2014 review each hit.",
   cycles: "Runs madge for circular dependencies on TypeScript/JavaScript entry points. Import cycles can cause brittle builds and load order bugs.",
   "dead-code": "Runs ts-prune to find unused exports in the TypeScript project. Helps trim dead surface area.",
-  bundle: "Measures total size of configured build artifacts (glob) and compares to a checked-in baseline. Flags large regressions in shipped JS/CSS.",
+  bundle: "Measures bundle size using a stack-aware strategy (Next.js build output, Vite/CRA file sizes, or custom command) and compares to a checked-in baseline.",
   "core-web-vitals": "Static hints in JSX/TSX related to Core Web Vitals (e.g. LCP-friendly images, main-thread hygiene). Not a substitute for real field metrics.",
-  "ai-assisted-strict": "When the PR is AI-assisted or code is marked with @frontguard-ai decorators, scans those regions for risky patterns (eval, XSS sinks, etc.) and a few AST heuristics (e.g. discarded hot loops).",
+  "ai-assisted-strict": "Under development \u2014 off by default. When enabled: scans @frontguard-ai regions or AI-disclosed PR files for risky patterns (eval, XSS sinks, etc.) and AST heuristics.",
   "pr-hygiene": "Validates PR metadata when CI provides PR context: description length, checklist items, and similar hygiene rules from config.",
   "pr-size": "Compares PR diff size (lines/files) against configured budgets to discourage oversized changes.",
   "ts-any-delta": "Diffs the branch against a base ref and counts newly added uses of the TypeScript any type. Helps stop gradual loss of type safety.",
@@ -5824,7 +6043,7 @@ function sortFindings(cwd, items) {
     return a3.f.message.localeCompare(b3.f.message);
   });
 }
-function formatDuration2(ms) {
+function formatDuration(ms) {
   if (ms < 1e3) return `${ms} ms`;
   const s3 = Math.round(ms / 1e3);
   if (s3 < 60) return `${s3}s`;
@@ -5953,119 +6172,15 @@ var CHECKS_TABLE_STYLES = `
     .dot-block { background: var(--block); }
     .dot-skip { background: #cbd5e1; }
 `;
-var SNAPSHOT_OVERVIEW_STYLES = `
-    .snapshot {
-      width: 100%;
-      border-collapse: collapse;
-      font-size: 0.9rem;
-      background: var(--surface);
-      border-radius: var(--radius);
-      overflow: hidden;
-      border: 1px solid var(--border);
-      box-shadow: var(--shadow);
-      margin: 0 0 1.25rem;
-    }
-    .snapshot th, .snapshot td {
-      padding: 0.65rem 1rem;
-      text-align: left;
-      border-bottom: 1px solid var(--border);
-    }
-    .snapshot tr:last-child th, .snapshot tr:last-child td { border-bottom: none; }
-    .snapshot th {
-      width: 9rem;
-      color: var(--muted);
-      font-weight: 500;
-      background: #f1f5f9;
-    }
-    .muted { color: var(--muted); }
-`;
 function renderCheckTableRows(results) {
   return results.map((r4) => {
     const status = r4.skipped ? `Skipped \u2014 ${escapeHtml(r4.skipped)}` : r4.findings.length === 0 ? "Pass" : `${r4.findings.length} issue(s)`;
     const help = escapeHtml(getCheckDescription(r4.checkId));
     const ariaWhat = escapeHtml(`What does the ${r4.checkId} check do?`);
     const checkTitle = `<span class="check-title-cell"><strong class="check-name">${escapeHtml(r4.checkId)}</strong><span class="check-info-wrap"><button type="button" class="check-info" title="${help}" aria-label="${ariaWhat}">i</button><span class="check-tooltip" role="tooltip">${help}</span></span></span>`;
-    return `<tr><td class="td-icon">${statusDot(r4)}</td><td class="td-check">${checkTitle}</td><td class="td-status">${status}</td><td class="td-num">${r4.skipped ? "\u2014" : r4.findings.length}</td><td class="td-time">${formatDuration2(r4.durationMs)}</td></tr>`;
+    return `<tr><td class="td-icon">${statusDot(r4)}</td><td class="td-check">${checkTitle}</td><td class="td-status">${status}</td><td class="td-num">${r4.skipped ? "\u2014" : r4.findings.length}</td><td class="td-time">${formatDuration(r4.durationMs)}</td></tr>`;
   }).join("\n");
 }
-function buildChecksSnapshotHtml(p2) {
-  const { riskScore, mode, stack, pr, results, lines } = p2;
-  const modeLabel = mode === "enforce" ? "Enforce" : "Warn only";
-  const riskClass = riskScore === "LOW" ? "risk-low" : riskScore === "MEDIUM" ? "risk-med" : "risk-high";
-  const checkRows = renderCheckTableRows(results);
-  const prRow = pr && lines != null ? `<tr><th>Pull request</th><td>${lines} lines changed (+${pr.additions} / \u2212${pr.deletions}) \xB7 ${pr.changedFiles} files</td></tr>` : "";
-  return `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>FrontGuard \u2014 Snapshot</title>
-  <style>
-    :root {
-      --bg: #f8fafc;
-      --surface: #ffffff;
-      --text: #0f172a;
-      --muted: #64748b;
-      --border: #e2e8f0;
-      --accent: #4f46e5;
-      --accent-soft: #eef2ff;
-      --block: #dc2626;
-      --warn: #d97706;
-      --info: #0284c7;
-      --ok: #16a34a;
-      --radius: 10px;
-      --shadow: 0 1px 3px rgba(15, 23, 42, 0.06);
-    }
-    * { box-sizing: border-box; }
-    body {
-      margin: 0;
-      padding: 1.25rem 1.5rem 1.5rem;
-      font-family: ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, sans-serif;
-      background: var(--bg);
-      color: var(--text);
-      line-height: 1.55;
-      font-size: 15px;
-      max-width: 920px;
-    }
-    .brand {
-      font-size: 0.75rem;
-      font-weight: 600;
-      letter-spacing: 0.12em;
-      text-transform: uppercase;
-      color: var(--muted);
-      margin-bottom: 0.35rem;
-    }
-    .h2 {
-      font-size: 1rem;
-      font-weight: 600;
-      margin: 0 0 0.85rem;
-      color: var(--text);
-      letter-spacing: -0.02em;
-    }
-    .risk-low { color: var(--ok); }
-    .risk-med { color: var(--warn); }
-    .risk-high { color: var(--block); }
-    ${SNAPSHOT_OVERVIEW_STYLES}
-    ${CHECKS_TABLE_STYLES}
-  </style>
-</head>
-<body>
-  <div class="brand">FrontGuard</div>
-  <h2 class="h2">Overview</h2>
-  <table class="snapshot">
-    <tr><th>Risk score</th><td><strong class="${riskClass}">${riskScore}</strong> <span class="muted">\u2014 heuristic</span></td></tr>
-    <tr><th>Mode</th><td>${escapeHtml(modeLabel)}</td></tr>
-    <tr><th>Stack</th><td>${escapeHtml(formatStackOneLiner(stack))}</td></tr>
-    ${prRow}
-  </table>
-  <h2 class="h2">Checks</h2>
-  <table class="results">
-    <thead><tr><th></th><th>Check</th><th>Status</th><th>#</th><th>Time</th></tr></thead>
-    <tbody>${checkRows}</tbody>
-  </table>
-</body>
-</html>`;
-}
 function renderFindingCard(cwd, r4, f4) {
   const d3 = normalizeFinding(cwd, f4);
   const sevClass = f4.severity === "block" ? "sev-block" : f4.severity === "warn" ? "sev-warn" : "sev-info";
@@ -6369,6 +6484,7 @@ function buildHtmlReport(p2) {
 function buildReport(stack, pr, results, options) {
   const mode = options?.mode ?? "warn";
   const cwd = options?.cwd ?? process.cwd();
+  const showAiAssistedBanner = options?.showAiAssistedBanner ?? false;
   const allFindings = results.flatMap(
     (r4) => r4.findings.map((f4) => ({ ...f4, checkId: r4.checkId }))
   );
@@ -6388,7 +6504,8 @@ function buildReport(stack, pr, results, options) {
     infos,
     blocks,
     lines,
-    llmAppendix: options?.llmAppendix ?? null
+    llmAppendix: options?.llmAppendix ?? null,
+    showAiAssistedBanner
   });
   const consoleText = formatConsole({
     riskScore,
@@ -6413,21 +6530,6 @@ function buildReport(stack, pr, results, options) {
     lines,
     llmAppendix: options?.llmAppendix ?? null
   }) : null;
-  const llmAppendix = options?.llmAppendix ?? null;
-  const checksSnapshotInput = options?.emitChecksSnapshot === true ? {
-    cwd,
-    riskScore,
-    mode,
-    stack,
-    pr,
-    results,
-    warns,
-    infos,
-    blocks,
-    lines,
-    llmAppendix
-  } : null;
-  const checksSnapshotHtml = checksSnapshotInput != null ? buildChecksSnapshotHtml(checksSnapshotInput) : null;
   return {
     riskScore,
     stack,
@@ -6435,9 +6537,7 @@ function buildReport(stack, pr, results, options) {
     results,
     markdown,
     consoleText,
-    html,
-    checksSnapshotHtml,
-    checksSnapshotInput
+    html
   };
 }
 function scoreRisk(blocks, warns, lines, files) {
@@ -6486,7 +6586,7 @@ function countShieldColor(kind, n3) {
   if (n3 <= 10) return "yellow";
   return "orange";
 }
-function formatDuration3(ms) {
+function formatDuration2(ms) {
   if (ms < 1e3) return `${ms} ms`;
   const s3 = Math.round(ms / 1e3);
   if (s3 < 60) return `${s3}s`;
@@ -6561,7 +6661,8 @@ function formatMarkdown(p2) {
     infos,
     blocks,
     lines,
-    llmAppendix
+    llmAppendix,
+    showAiAssistedBanner
   } = p2;
   const sb = [];
   const sortWithCwd = (items) => [...items].sort((a3, b3) => {
@@ -6602,7 +6703,7 @@ function formatMarkdown(p2) {
     );
   }
   sb.push("");
-  if (pr?.aiAssisted) {
+  if (showAiAssistedBanner && pr?.aiAssisted) {
     sb.push(
       "> **\u{1F916} AI-assisted PR** \u2014 Stricter static checks run on changed files (security / footguns; secrets & `any` deltas may escalate). This does not replace human review for behavior or product rules."
     );
@@ -6641,7 +6742,7 @@ function formatMarkdown(p2) {
     }
     const nFind = r4.skipped ? "\u2014" : String(r4.findings.length);
     sb.push(
-      `| ${he2} | **${r4.checkId}** | ${status} | **${nFind}** | ${formatDuration3(r4.durationMs)} |`
+      `| ${he2} | **${r4.checkId}** | ${status} | **${nFind}** | ${formatDuration2(r4.durationMs)} |`
     );
   }
   sb.push("");
@@ -6830,10 +6931,10 @@ async function callOllamaChat(opts) {
 // src/llm/finding-fixes.ts
 async function safeReadRepoFile(cwd, rel, maxChars) {
-  const root = path5.resolve(cwd);
-  const abs = path5.resolve(root, rel);
-  const relToRoot = path5.relative(root, abs);
-  if (relToRoot.startsWith("..") || path5.isAbsolute(relToRoot)) return null;
+  const root = path6.resolve(cwd);
+  const abs = path6.resolve(root, rel);
+  const relToRoot = path6.relative(root, abs);
+  if (relToRoot.startsWith("..") || path6.isAbsolute(relToRoot)) return null;
   try {
     let t3 = await fs.readFile(abs, "utf8");
     if (t3.length > maxChars) {
@@ -6855,14 +6956,14 @@ function parseFixResponse(raw) {
   return { summary: summary || raw.trim(), code };
 }
 async function enrichFindingsWithOllamaFixes(opts) {
-  const { cwd, config, stack, results } = opts;
+  const { cwd, config, stack, results, cursorRules } = opts;
   const cfg = config.checks.llm;
   if (!cfg.enabled || cfg.provider !== "ollama" || !cfg.perFindingFixes) {
     return results;
   }
   let pkgSnippet = "";
   try {
-    const pj = await fs.readFile(path5.join(cwd, "package.json"), "utf8");
+    const pj = await fs.readFile(path6.join(cwd, "package.json"), "utf8");
     pkgSnippet = pj.slice(0, 4e3);
   } catch {
     pkgSnippet = "";
@@ -6885,7 +6986,7 @@ async function enrichFindingsWithOllamaFixes(opts) {
         f4.file,
         cfg.maxFileContextChars
       );
-      const prompt2 = [
+      const promptParts = [
         "You are a senior frontend engineer. A static checker flagged an issue in a pull request.",
         "Use ONLY the repo context below (stack summary, package.json excerpt, file content).",
         "If context is insufficient, say what is missing instead of guessing.",
@@ -6894,7 +6995,16 @@ async function enrichFindingsWithOllamaFixes(opts) {
         "### Why",
         "(1\u20133 short sentences: root cause and product/engineering risk.)",
         "### Fix",
-        "(Minimal, concrete change. Put code in a single fenced block with a language tag, e.g. ```ts)",
+        "(Minimal, concrete change. Put code in a single fenced block with a language tag, e.g. ```ts)"
+      ];
+      if (cursorRules?.text) {
+        promptParts.push(
+          "",
+          "The repo has coding rules/conventions. Ensure the fix follows them:",
+          cursorRules.text.slice(0, 8e3)
+        );
+      }
+      promptParts.push(
         "",
         `Repo stack: ${stackLabel}`,
         "",
@@ -6912,7 +7022,8 @@ async function enrichFindingsWithOllamaFixes(opts) {
         f4.file ? `file (repo-relative): ${f4.file}` : "",
         "",
         fileContent ? "File content:\n```\n" + fileContent + "\n```" : "_No file content could be read (binary or path issue)._"
-      ].filter(Boolean).join("\n");
+      );
+      const prompt2 = promptParts.filter(Boolean).join("\n");
       try {
         const raw = await callOllamaChat({
           baseUrl: cfg.ollamaUrl,
@@ -6946,7 +7057,7 @@ async function loadManualAppendix(opts) {
   const envFile = process.env.FRONTGUARD_MANUAL_APPENDIX_FILE?.trim();
   const resolvedPath = filePath?.trim() || envFile;
   if (resolvedPath) {
-    const abs = path5.isAbsolute(resolvedPath) ? resolvedPath : path5.join(cwd, resolvedPath);
+    const abs = path6.isAbsolute(resolvedPath) ? resolvedPath : path6.join(cwd, resolvedPath);
     try {
       let text = await fs.readFile(abs, "utf8");
       if (text.length > MAX_CHARS) {
@@ -6982,7 +7093,7 @@ function safeGetEnv(name) {
   return v3 && v3.trim() ? v3 : void 0;
 }
 async function runLlmReview(opts) {
-  const { cwd, config, pr, results } = opts;
+  const { cwd, config, pr, results, cursorRules } = opts;
   const cfg = config.checks.llm;
   if (!cfg.enabled) return null;
   if (cfg.provider !== "ollama") {
@@ -7012,21 +7123,42 @@ async function runLlmReview(opts) {
     return "_LLM review skipped: empty diff vs base_";
   }
   const summaryLines = results.flatMap((r4) => r4.findings.map((f4) => `- [${f4.severity}] ${r4.checkId}: ${f4.message}`)).slice(0, 40).join("\n");
-  const prompt2 = [
-    "You are a senior frontend reviewer. Respond in Markdown with short sections:",
+  const rulesBlock = cursorRules?.text ? [
+    "",
+    "The repository has the following coding rules and conventions that MUST be enforced during review.",
+    "Flag any violations of these rules as specific findings:",
+    "",
+    cursorRules.text,
+    ""
+  ].join("\n") : "";
+  const sections = [
     "### Summary",
     "### Risk hotspots (files / themes)",
-    "### Logic / correctness smells",
-    "### Tests & regressions",
+    "### Logic / correctness smells"
+  ];
+  if (cursorRules?.text) sections.push("### Coding standards violations");
+  sections.push("### Tests & regressions");
+  const promptParts = [
+    "You are a senior frontend reviewer. Respond in Markdown with short sections:",
+    ...sections,
     "",
     "Constraints:",
     "- Be specific to this diff; avoid generic advice.",
-    "- If uncertain, say what you need to verify manually.",
+    "- If uncertain, say what you need to verify manually."
+  ];
+  if (cursorRules?.text) {
+    promptParts.push(
+      `- The repo has ${cursorRules.fileCount} coding rule file(s). Check the diff against ALL rules below and report violations.`
+    );
+  }
+  promptParts.push(
     "",
     pr ? `PR title: ${pr.title}
 PR body excerpt:
-${pr.body.slice(0, 2e3)}` : "No PR context from the event payload (local run).",
-    "",
+${pr.body.slice(0, 2e3)}` : "No PR context from the event payload (local run)."
+  );
+  if (rulesBlock) promptParts.push(rulesBlock);
+  promptParts.push(
     "Existing automated findings (may be incomplete):",
     summaryLines || "(none)",
     "",
@@ -7034,7 +7166,8 @@ ${pr.body.slice(0, 2e3)}` : "No PR context from the event payload (local run).",
     "```diff",
     diff,
     "```"
-  ].join("\n");
+  );
+  const prompt2 = promptParts.join("\n");
   if (cfg.provider === "ollama") {
     try {
       const text = await callOllamaChat({
@@ -7133,7 +7266,17 @@ async function callAnthropic(model, apiKey, prompt2, signal) {
 async function runFrontGuard(opts) {
   const config = await loadConfig(opts.cwd);
   const mode = opts.enforce ? "enforce" : config.mode;
-  const stack = await detectStack(opts.cwd);
+  const llmOn = config.checks.llm.enabled;
+  const [stack, cursorRules] = await Promise.all([
+    detectStack(opts.cwd),
+    llmOn ? loadCursorRules(opts.cwd) : Promise.resolve({ text: "", fileCount: 0, files: [] })
+  ]);
+  if (llmOn && cursorRules.fileCount > 0) {
+    g.stderr.write(
+      `FrontGuard: loaded ${cursorRules.fileCount} cursor rule file(s): ${cursorRules.files.join(", ")}
+`
+    );
+  }
   const pr = readPrContext(opts.cwd);
   const restrictFiles = pr?.files?.length ? pr.files : null;
   const [
@@ -7182,7 +7325,8 @@ async function runFrontGuard(opts) {
     cwd: opts.cwd,
     config,
     stack,
-    results
+    results,
+    cursorRules
   });
   const manualAppendix = await loadManualAppendix({
     cwd: opts.cwd,
@@ -7192,7 +7336,8 @@ async function runFrontGuard(opts) {
     cwd: opts.cwd,
     config,
     pr,
-    results
+    results,
+    cursorRules
   });
   const llmAppendix = [manualAppendix, automatedAppendix].filter(Boolean).join("\n\n") || null;
   const report = buildReport(stack, pr, results, {
@@ -7200,49 +7345,20 @@ async function runFrontGuard(opts) {
     llmAppendix,
     cwd: opts.cwd,
     emitHtml: Boolean(opts.htmlOut),
-    emitChecksSnapshot: Boolean(opts.checksSnapshotOut || opts.checksPngOut)
+    showAiAssistedBanner: config.checks.aiAssistedReview.enabled
   });
   if (opts.htmlOut && report.html) {
     await fs.writeFile(opts.htmlOut, report.html, "utf8");
   }
-  let embedPngPath = null;
-  if ((opts.checksSnapshotOut || opts.checksPngOut) && report.checksSnapshotHtml && report.checksSnapshotInput) {
-    if (opts.checksSnapshotOut) {
-      const snapPath = path5.isAbsolute(opts.checksSnapshotOut) ? opts.checksSnapshotOut : path5.join(opts.cwd, opts.checksSnapshotOut);
-      await fs.writeFile(snapPath, report.checksSnapshotHtml, "utf8");
-      g.stderr.write(`
-FrontGuard: wrote checks snapshot HTML to ${snapPath}
-`);
-    }
-    if (opts.checksPngOut) {
-      const pngAbs = path5.isAbsolute(opts.checksPngOut) ? opts.checksPngOut : path5.join(opts.cwd, opts.checksPngOut);
-      await renderChecksSnapshotPng(pngAbs, report.checksSnapshotInput);
-      embedPngPath = pngAbs;
-      g.stderr.write(`FrontGuard: wrote checks PNG to ${pngAbs}.
-`);
-    } else if (opts.checksSnapshotOut) {
-      g.stderr.write(
-        `  Tip: add --checksPngOut checks.png to render the checks table to a PNG (no browser).
-`
-      );
-    }
-  }
   if (opts.prCommentOut) {
-    if (embedPngPath) {
-      g.env.FRONTGUARD_EMBED_CHECKS_PNG_PATH = embedPngPath;
-    }
     const snippet = formatBitbucketPrSnippet(report);
-    delete g.env.FRONTGUARD_EMBED_CHECKS_PNG_PATH;
-    const abs = path5.isAbsolute(opts.prCommentOut) ? opts.prCommentOut : path5.join(opts.cwd, opts.prCommentOut);
+    const abs = path6.isAbsolute(opts.prCommentOut) ? opts.prCommentOut : path6.join(opts.cwd, opts.prCommentOut);
     await fs.writeFile(abs, snippet, "utf8");
     g.stderr.write(
       `
-FrontGuard: wrote Bitbucket PR comment text to ${abs} (${snippet.length} bytes).
-  Use ONLY this file in your POST \u2026/pullrequests/{id}/comments payload (content.raw).
+FrontGuard: wrote Bitbucket PR comment Markdown to ${abs} (${snippet.length} bytes).
+  POST \u2026/pullrequests/{id}/comments with content.raw from this file (after replacing __FRONTGUARD_REPORT_URL__ if used).
   Do not post frontguard-report.md or captured stdout \u2014 that is the long markdown log.
-  With --checksPngOut, the PNG is inlined (small files only) or set FRONTGUARD_CHECKS_IMAGE_URL.
 `
     );
@@ -7261,25 +7377,29 @@ FrontGuard: wrote Bitbucket PR comment text to ${abs} (${snippet.length} bytes).
 var init2 = defineCommand({
   meta: {
     name: "init",
-    description: "Add Bitbucket pipeline example, pull_request_template.md, and frontguard.config.js"
+    description: "Set up FrontGuard: create config, PR template, and merge pipeline step into bitbucket-pipelines.yml"
   },
   run: async () => {
-    const cwd = g.cwd();
-    await initFrontGuard(cwd);
+    const actions = await initFrontGuard(g.cwd());
+    g.stdout.write("\nFrontGuard init complete:\n");
+    for (const a3 of actions) {
+      g.stdout.write(`  \u2022 ${a3}
+`);
+    }
     g.stdout.write(
-      "FrontGuard initialized for Bitbucket.\n\n  \u2022 bitbucket-pipelines.frontguard.example.yml \u2014 merge into your pipeline\n  \u2022 pull_request_template.md \u2014 PR description template (Bitbucket Cloud)\n  \u2022 frontguard.config.js (if missing)\n\nAdd the package as a devDependency so CI matches local runs:\n  npm install -D @cleartrip/frontguard\n  yarn add -D @cleartrip/frontguard\n"
+      "\nNext steps:\n  1. Review frontguard.config.js \u2014 uncomment and tune the checks you need\n  2. Review bitbucket-pipelines.yml \u2014 check the merged FrontGuard step\n  3. Set BITBUCKET_ACCESS_TOKEN as a secured variable in your repo\n  4. Install the package: yarn add -D @cleartrip/frontguard\n\n"
     );
   }
 });
 var run = defineCommand({
   meta: {
     name: "run",
-    description: "Run checks and print the review brief"
+    description: "Run all checks and print the review brief"
   },
   args: {
     markdown: {
       type: "boolean",
-      description: "Print markdown only",
+      description: "Print markdown only (no console box)",
       default: false
     },
     enforce: {
@@ -7289,23 +7409,15 @@ var run = defineCommand({
     },
     append: {
       type: "string",
-      description: "Append markdown from a file (paste from IDE/ChatGPT/Claude; no CI API key needed)"
+      description: "Append markdown from a file (e.g. IDE/ChatGPT paste)"
     },
     htmlOut: {
       type: "string",
-      description: "Write interactive HTML report (use with CI artifacts; PR comment links to download)"
-    },
-    checksSnapshotOut: {
-      type: "string",
-      description: "Write HTML with only the Checks table (for screenshots / PR comments)"
-    },
-    checksPngOut: {
-      type: "string",
-      description: "Write PNG of the checks table (SVG raster; @resvg/resvg-js, no browser). Pair with --checksSnapshotOut or use alone"
+      description: "Write interactive HTML report to this path"
     },
     prCommentOut: {
       type: "string",
-      description: "Write short Markdown for Bitbucket PR comment (summary + pipeline link for HTML artifact)"
+      description: "Write Bitbucket PR comment Markdown to this path"
     }
   },
   run: async ({ args }) => {
@@ -7315,8 +7427,6 @@ var run = defineCommand({
       enforce: Boolean(args.enforce),
       append: typeof args.append === "string" ? args.append : null,
       htmlOut: typeof args.htmlOut === "string" ? args.htmlOut : null,
-      checksSnapshotOut: typeof args.checksSnapshotOut === "string" ? args.checksSnapshotOut : null,
-      checksPngOut: typeof args.checksPngOut === "string" ? args.checksPngOut : null,
       prCommentOut: typeof args.prCommentOut === "string" ? args.prCommentOut : null
     });
   }