@codluv/versionguard 0.9.0 → 1.0.0

package/dist/chunks/{src-BPMDUQfR.js → src-Bofo3tVH.js}

@@ -1101,9 +1101,16 @@ function areHooksInstalled(cwd = process.cwd()) {
 * @param hookName - Name of the Git hook to generate.
 * @returns The VG block with start/end markers.
 */
+/** Mode description per hook for generated comments. */
+var HOOK_MODE_COMMENTS = {
+	"pre-commit": "# Mode: lightweight (version + sync only — fast)",
+	"pre-push": "# Mode: full (version, sync, changelog, scan, guard, publish)",
+	"post-tag": "# Mode: full with post-tag actions"
+};
 function generateHookBlock(hookName) {
 	return `${VG_BLOCK_START}
 # VersionGuard ${hookName} hook
+${HOOK_MODE_COMMENTS[hookName] ?? "# Mode: full"}
 # --no-install prevents accidentally downloading an unscoped package
 # if @codluv/versionguard is not installed locally
 npx --no-install versionguard validate --hook=${hookName}
@@ -1160,6 +1167,212 @@ function removeVgBlock(content) {
 	return content.slice(0, startIdx).replace(/\n\n$/, "\n") + content.slice(endIdx + 22).replace(/^\n\n/, "\n");
 }
 //#endregion
+//#region src/guard.ts
+var HOOK_NAMES = [
+	"pre-commit",
+	"pre-push",
+	"post-tag"
+];
+/**
+* Checks whether git hooks have been redirected away from the repository.
+*
+* @remarks
+* When `core.hooksPath` is set to a non-default location, git hooks installed
+* in `.git/hooks/` are silently ignored. This is a common bypass vector.
+*
+* @param cwd - Repository directory to inspect.
+* @returns A guard warning when a hooksPath override is detected.
+*
+* @example
+* ```ts
+* import { checkHooksPathOverride } from './guard';
+*
+* const warning = checkHooksPathOverride(process.cwd());
+* if (warning) console.warn(warning.message);
+* ```
+*
+* @public
+* @since 0.2.0
+*/
+function checkHooksPathOverride(cwd) {
+	try {
+		const hooksPath = execSync("git config core.hooksPath", {
+			cwd,
+			encoding: "utf-8"
+		}).trim();
+		if (hooksPath) {
+			const resolved = path.resolve(cwd, hooksPath);
+			const huskyDir = path.resolve(cwd, ".husky");
+			if (resolved === huskyDir || resolved.startsWith(`${huskyDir}${path.sep}`)) return {
+				code: "HOOKS_PATH_HUSKY",
+				severity: "warning",
+				message: `Husky detected — core.hooksPath is set to "${hooksPath}". Hooks in .git/hooks/ are bypassed. Add versionguard validate to your .husky/pre-commit manually or use a tool like forge-ts that manages .husky/ hooks cooperatively.`
+			};
+			return {
+				code: "HOOKS_PATH_OVERRIDE",
+				severity: "error",
+				message: `git core.hooksPath is set to "${hooksPath}" — hooks in .git/hooks/ are bypassed`,
+				fix: "git config --unset core.hooksPath"
+			};
+		}
+	} catch {}
+	return null;
+}
+/**
+* Checks whether the HUSKY environment variable is disabling hooks.
+*
+* @remarks
+* Setting `HUSKY=0` is a documented way to disable Husky hooks. Since
+* VersionGuard hooks may run alongside or through Husky, this bypass
+* can silently disable enforcement.
+*
+* @returns A guard warning when the HUSKY bypass is detected.
+*
+* @example
+* ```ts
+* import { checkHuskyBypass } from './guard';
+*
+* const warning = checkHuskyBypass();
+* if (warning) console.warn(warning.message);
+* ```
+*
+* @public
+* @since 0.2.0
+*/
+function checkHuskyBypass() {
+	if (process.env.HUSKY === "0") return {
+		code: "HUSKY_BYPASS",
+		severity: "error",
+		message: "HUSKY=0 is set — git hooks are disabled via environment variable",
+		fix: "unset HUSKY"
+	};
+	return null;
+}
+/**
+* Verifies that installed hook scripts match the expected content.
+*
+* @remarks
+* This compares each hook file against what `generateHookScript` would produce.
+* Tampered hooks that still contain "versionguard" pass `areHooksInstalled` but
+* may have had critical lines removed or modified.
+*
+* @param config - VersionGuard configuration that defines which hooks should exist.
+* @param cwd - Repository directory to inspect.
+* @returns Guard warnings for each hook that has been tampered with.
+*
+* @example
+* ```ts
+* import { checkHookIntegrity } from './guard';
+*
+* const warnings = checkHookIntegrity(config, process.cwd());
+* for (const w of warnings) console.warn(w.code, w.message);
+* ```
+*
+* @public
+* @since 0.2.0
+*/
+function checkHookIntegrity(config, cwd) {
+	const warnings = [];
+	const gitDir = findGitDir(cwd);
+	if (!gitDir) return warnings;
+	const hooksDir = path.join(gitDir, "hooks");
+	for (const hookName of HOOK_NAMES) {
+		if (!config.git.hooks[hookName]) continue;
+		const hookPath = path.join(hooksDir, hookName);
+		if (!fs.existsSync(hookPath)) {
+			warnings.push({
+				code: "HOOK_MISSING",
+				severity: "error",
+				message: `Required hook "${hookName}" is not installed`,
+				fix: "npx versionguard hooks install"
+			});
+			continue;
+		}
+		const actual = fs.readFileSync(hookPath, "utf-8");
+		if (actual !== generateHookScript(hookName)) if (!actual.includes("versionguard")) warnings.push({
+			code: "HOOK_REPLACED",
+			severity: "error",
+			message: `Hook "${hookName}" has been replaced — versionguard invocation is missing`,
+			fix: "npx versionguard hooks install"
+		});
+		else warnings.push({
+			code: "HOOK_TAMPERED",
+			severity: "warning",
+			message: `Hook "${hookName}" has been modified from the expected template`,
+			fix: "npx versionguard hooks install"
+		});
+	}
+	return warnings;
+}
+/**
+* Checks whether hooks are configured as required but not enforced.
+*
+* @remarks
+* When hooks are enabled in the config but `enforceHooks` is false, validation
+* will not fail for missing hooks. In strict mode this is a policy gap.
+*
+* @param config - VersionGuard configuration to inspect.
+* @returns A guard warning when hooks are enabled but not enforced.
+*
+* @example
+* ```ts
+* import { checkEnforceHooksPolicy } from './guard';
+*
+* const warning = checkEnforceHooksPolicy(config);
+* if (warning) console.warn(warning.message);
+* ```
+*
+* @public
+* @since 0.2.0
+*/
+function checkEnforceHooksPolicy(config) {
+	if (HOOK_NAMES.some((name) => config.git.hooks[name]) && !config.git.enforceHooks) return {
+		code: "HOOKS_NOT_ENFORCED",
+		severity: "warning",
+		message: "Hooks are enabled but enforceHooks is false — missing hooks will not fail validation",
+		fix: "Set git.enforceHooks: true in .versionguard.yml"
+	};
+	return null;
+}
+/**
+* Runs all guard checks and returns a consolidated report.
+*
+* @remarks
+* This is the primary entry point for strict mode. It runs every detection
+* check and returns a report indicating whether the repository is safe from
+* known bypass patterns.
+*
+* @param config - VersionGuard configuration.
+* @param cwd - Repository directory to inspect.
+* @returns A guard report with all findings.
+*
+* @example
+* ```ts
+* import { runGuardChecks } from './guard';
+*
+* const report = runGuardChecks(config, process.cwd());
+* if (!report.safe) console.error('Guard check failed:', report.warnings);
+* ```
+*
+* @public
+* @since 0.2.0
+*/
+function runGuardChecks(config, cwd) {
+	const warnings = [];
+	const hooksPathWarning = checkHooksPathOverride(cwd);
+	if (hooksPathWarning) warnings.push(hooksPathWarning);
+	const huskyWarning = checkHuskyBypass();
+	if (huskyWarning) warnings.push(huskyWarning);
+	const integrityWarnings = checkHookIntegrity(config, cwd);
+	warnings.push(...integrityWarnings);
+	const enforceWarning = checkEnforceHooksPolicy(config);
+	if (enforceWarning) warnings.push(enforceWarning);
+	return {
+		safe: !warnings.some((w) => w.severity === "error"),
+		warnings
+	};
+}
+//#endregion
 //#region src/sources/git-tag.ts
 /**
 * Git tag-based version source for Go, Swift, and similar ecosystems.
@@ -2119,23 +2332,261 @@ function setPackageVersion(version, cwd = process.cwd(), manifest) {
 * for the configured manifest type. Use this when you need direct access
 * to the provider's `exists`, `getVersion`, and `setVersion` methods.
 *
-* @param manifest - Manifest configuration.
+* @param manifest - Manifest configuration.
+* @param cwd - Project directory.
+* @returns The resolved provider instance.
+*
+* @example
+* ```ts
+* import { getVersionSource } from 'versionguard';
+*
+* const source = getVersionSource({ source: 'package.json' }, process.cwd());
+* const version = source.getVersion(process.cwd());
+* ```
+*
+* @public
+* @since 0.3.0
+*/
+function getVersionSource(manifest, cwd = process.cwd()) {
+	return resolveVersionSource(manifest, cwd);
+}
+//#endregion
+//#region src/publish.ts
+/**
+* Registry publish status verification.
+*
+* Checks whether a package version has been published to its ecosystem registry.
+* Supports npm (via execFileSync), crates.io, PyPI, Packagist, pub.dev, and Maven Central (via fetch).
+*
+* @packageDocumentation
+*/
+/**
+* Maps manifest source types to their registry check implementations.
+*
+* @remarks
+* Each entry provides the registry name and a check function that returns
+* whether the given version is published. The check function receives the
+* package name, version, and publish config.
+*
+* @public
+* @since 1.0.0
+*/
+var REGISTRY_TABLE = {
+	"package.json": {
+		registry: "npm",
+		check: checkNpmPublished
+	},
+	"Cargo.toml": {
+		registry: "crates.io",
+		check: checkHttpRegistry("crates.io", (name, version) => `https://crates.io/api/v1/crates/${encodeURIComponent(name)}/${encodeURIComponent(version)}`)
+	},
+	"pyproject.toml": {
+		registry: "pypi",
+		check: checkHttpRegistry("pypi", (name, version) => `https://pypi.org/pypi/${encodeURIComponent(name)}/${encodeURIComponent(version)}/json`)
+	},
+	"composer.json": {
+		registry: "packagist",
+		check: checkHttpRegistry("packagist", (name) => `https://repo.packagist.org/p2/${encodeURIComponent(name)}.json`, (body, version) => {
+			try {
+				const packages = JSON.parse(body).packages;
+				if (!packages) return false;
+				return Object.values(packages).flat().some((v) => v.version === version);
+			} catch {
+				return false;
+			}
+		})
+	},
+	"pubspec.yaml": {
+		registry: "pub.dev",
+		check: checkHttpRegistry("pub.dev", (name, version) => `https://pub.dev/api/packages/${encodeURIComponent(name)}/versions/${encodeURIComponent(version)}`)
+	},
+	"pom.xml": {
+		registry: "maven-central",
+		check: checkHttpRegistry("maven-central", (name, version) => `https://search.maven.org/solrsearch/select?q=a:"${encodeURIComponent(name)}"+AND+v:"${encodeURIComponent(version)}"&rows=1&wt=json`, (body) => {
+			try {
+				return (JSON.parse(body).response?.numFound ?? 0) > 0;
+			} catch {
+				return false;
+			}
+		})
+	}
+};
+/** Source types that have no registry to check. */
+var SKIP_SOURCES = new Set([
+	"VERSION",
+	"git-tag",
+	"auto",
+	"custom"
+]);
+/**
+* Checks whether a package version has been published to its ecosystem registry.
+*
+* @remarks
+* Uses the REGISTRY_TABLE to dispatch to the correct check implementation
+* based on the detected manifest source type. Fail-open on network errors:
+* returns `published: false` with an error message when the check cannot complete.
+*
+* @param manifestSource - The detected manifest source type.
+* @param packageName - Package name as read from the manifest.
+* @param version - Version string to check.
+* @param config - Publish configuration with timeout and optional registry URL.
+* @returns The publish check result.
+*
+* @example
+* ```ts
+* import { checkPublishStatus } from './publish';
+*
+* const result = await checkPublishStatus('package.json', '@codluv/vg', '1.0.0', { enabled: true, timeout: 5000 });
+* ```
+*
+* @public
+* @since 1.0.0
+*/
+async function checkPublishStatus(manifestSource, packageName, version, config) {
+	if (SKIP_SOURCES.has(manifestSource)) return {
+		published: false,
+		registry: "none",
+		packageName
+	};
+	if (config.registryUrl && !/^https?:\/\//i.test(config.registryUrl)) return {
+		published: false,
+		registry: "unknown",
+		packageName,
+		error: `Invalid registry URL scheme — only http:// and https:// are allowed: ${config.registryUrl}`
+	};
+	const entry = REGISTRY_TABLE[manifestSource];
+	if (!entry) return {
+		published: false,
+		registry: "unknown",
+		packageName
+	};
+	try {
+		return await entry.check(packageName, version, config);
+	} catch (err) {
+		return {
+			published: false,
+			registry: entry.registry,
+			packageName,
+			error: `Publish check failed: ${err.message}`
+		};
+	}
+}
+/**
+* Checks npm registry using execFileSync (shell-injection safe, inherits .npmrc auth).
+*/
+function checkNpmPublished(packageName, version, config) {
+	try {
+		const args = [
+			"view",
+			`${packageName}@${version}`,
+			"version"
+		];
+		if (config.registryUrl) args.push(`--registry=${config.registryUrl}`);
+		return {
+			published: execFileSync("npm", args, {
+				encoding: "utf-8",
+				timeout: config.timeout,
+				stdio: [
+					"pipe",
+					"pipe",
+					"pipe"
+				]
+			}).trim() === version,
+			registry: "npm",
+			packageName
+		};
+	} catch (err) {
+		const message = err.message || "";
+		if (message.includes("E404") || message.includes("is not in this registry")) return {
+			published: false,
+			registry: "npm",
+			packageName
+		};
+		return {
+			published: false,
+			registry: "npm",
+			packageName,
+			error: `npm check failed: ${message.split("\n")[0].slice(0, 100)}`
+		};
+	}
+}
+/**
+* Creates an HTTP registry check function using fetch with AbortController timeout.
+*/
+function checkHttpRegistry(registry, urlBuilder, bodyChecker) {
+	return async (packageName, version, config) => {
+		const url = config.registryUrl ? `${config.registryUrl.replace(/\/$/, "")}/${packageName}/${version}` : urlBuilder(packageName, version);
+		const controller = new AbortController();
+		const timeout = setTimeout(() => controller.abort(), config.timeout);
+		try {
+			const response = await fetch(url, {
+				signal: controller.signal,
+				headers: { Accept: "application/json" }
+			});
+			if (response.status === 404) return {
+				published: false,
+				registry,
+				packageName
+			};
+			if (!response.ok) return {
+				published: false,
+				registry,
+				packageName,
+				error: `Registry returned HTTP ${response.status}`
+			};
+			if (bodyChecker) return {
+				published: bodyChecker(await response.text(), version),
+				registry,
+				packageName
+			};
+			return {
+				published: true,
+				registry,
+				packageName
+			};
+		} catch (err) {
+			const message = err.message || "";
+			if (message.includes("abort")) return {
+				published: false,
+				registry,
+				packageName,
+				error: `Registry check timed out after ${config.timeout}ms`
+			};
+			return {
+				published: false,
+				registry,
+				packageName,
+				error: `Registry check failed: ${message.slice(0, 200)}`
+			};
+		} finally {
+			clearTimeout(timeout);
+		}
+	};
+}
+/**
+* Reads the package name from a manifest file for registry lookups.
+*
+* @param manifestSource - Detected manifest type.
 * @param cwd - Project directory.
-* @returns The resolved provider instance.
-*
-* @example
-* ```ts
-* import { getVersionSource } from 'versionguard';
-*
-* const source = getVersionSource({ source: 'package.json' }, process.cwd());
-* const version = source.getVersion(process.cwd());
-* ```
+* @returns The package name, or null if it cannot be determined.
 *
 * @public
-* @since 0.3.0
+* @since 1.0.0
 */
-function getVersionSource(manifest, cwd = process.cwd()) {
-	return resolveVersionSource(manifest, cwd);
+function readPackageName(manifestSource, cwd) {
+	try {
+		switch (manifestSource) {
+			case "package.json": return JSON.parse(fs.readFileSync(path.join(cwd, "package.json"), "utf-8")).name || null;
+			case "Cargo.toml": return fs.readFileSync(path.join(cwd, "Cargo.toml"), "utf-8").match(/^\s*name\s*=\s*"([^"]+)"/m)?.[1] || null;
+			case "pyproject.toml": return fs.readFileSync(path.join(cwd, "pyproject.toml"), "utf-8").match(/^\s*name\s*=\s*"([^"]+)"/m)?.[1] || null;
+			case "composer.json": return JSON.parse(fs.readFileSync(path.join(cwd, "composer.json"), "utf-8")).name || null;
+			case "pubspec.yaml": return fs.readFileSync(path.join(cwd, "pubspec.yaml"), "utf-8").match(/^name:\s*(.+)$/m)?.[1]?.trim() || null;
+			case "pom.xml": return fs.readFileSync(path.join(cwd, "pom.xml"), "utf-8").match(/<artifactId>([^<]+)<\/artifactId>/)?.[1] || null;
+			default: return null;
+		}
+	} catch {
+		return null;
+	}
 }
 //#endregion
 //#region src/semver.ts
@@ -3029,7 +3480,7 @@ var DEFAULT_CONFIG = {
 	},
 	github: { dependabot: true },
 	scan: {
-		enabled: false,
+		enabled: true,
 		patterns: [
 			"(?:version\\s*[:=]\\s*[\"'])([\\d]+\\.[\\d]+\\.[\\d]+(?:-[\\w.]+)?)[\"']",
 			"(?:FROM\\s+\\S+:)(\\d+\\.\\d+\\.\\d+(?:-[\\w.]+)?)",
@@ -3045,6 +3496,11 @@ var DEFAULT_CONFIG = {
 		},
 		enforceHooks: true
 	},
+	guard: { enabled: true },
+	publish: {
+		enabled: true,
+		timeout: 5e3
+	},
 	ignore: [
 		"node_modules/**",
 		"dist/**",
@@ -3204,6 +3660,16 @@ changelog:
 github:
   dependabot: true
 
+scan:
+  enabled: true
+
+guard:
+  enabled: true
+
+publish:
+  enabled: true
+  timeout: 5000
+
 git:
   hooks:
     pre-commit: true
@@ -3816,212 +4282,6 @@ function suggestNextVersion(currentVersion, config, changeType) {
 	return suggestions;
 }
 //#endregion
-//#region src/guard.ts
-var HOOK_NAMES = [
-	"pre-commit",
-	"pre-push",
-	"post-tag"
-];
-/**
-* Checks whether git hooks have been redirected away from the repository.
-*
-* @remarks
-* When `core.hooksPath` is set to a non-default location, git hooks installed
-* in `.git/hooks/` are silently ignored. This is a common bypass vector.
-*
-* @param cwd - Repository directory to inspect.
-* @returns A guard warning when a hooksPath override is detected.
-*
-* @example
-* ```ts
-* import { checkHooksPathOverride } from './guard';
-*
-* const warning = checkHooksPathOverride(process.cwd());
-* if (warning) console.warn(warning.message);
-* ```
-*
-* @public
-* @since 0.2.0
-*/
-function checkHooksPathOverride(cwd) {
-	try {
-		const hooksPath = execSync("git config core.hooksPath", {
-			cwd,
-			encoding: "utf-8"
-		}).trim();
-		if (hooksPath) {
-			const resolved = path.resolve(cwd, hooksPath);
-			const huskyDir = path.resolve(cwd, ".husky");
-			if (resolved === huskyDir || resolved.startsWith(`${huskyDir}${path.sep}`)) return {
-				code: "HOOKS_PATH_HUSKY",
-				severity: "warning",
-				message: `Husky detected — core.hooksPath is set to "${hooksPath}". Hooks in .git/hooks/ are bypassed. Add versionguard validate to your .husky/pre-commit manually or use a tool like forge-ts that manages .husky/ hooks cooperatively.`
-			};
-			return {
-				code: "HOOKS_PATH_OVERRIDE",
-				severity: "error",
-				message: `git core.hooksPath is set to "${hooksPath}" — hooks in .git/hooks/ are bypassed`,
-				fix: "git config --unset core.hooksPath"
-			};
-		}
-	} catch {}
-	return null;
-}
-/**
-* Checks whether the HUSKY environment variable is disabling hooks.
-*
-* @remarks
-* Setting `HUSKY=0` is a documented way to disable Husky hooks. Since
-* VersionGuard hooks may run alongside or through Husky, this bypass
-* can silently disable enforcement.
-*
-* @returns A guard warning when the HUSKY bypass is detected.
-*
-* @example
-* ```ts
-* import { checkHuskyBypass } from './guard';
-*
-* const warning = checkHuskyBypass();
-* if (warning) console.warn(warning.message);
-* ```
-*
-* @public
-* @since 0.2.0
-*/
-function checkHuskyBypass() {
-	if (process.env.HUSKY === "0") return {
-		code: "HUSKY_BYPASS",
-		severity: "error",
-		message: "HUSKY=0 is set — git hooks are disabled via environment variable",
-		fix: "unset HUSKY"
-	};
-	return null;
-}
-/**
-* Verifies that installed hook scripts match the expected content.
-*
-* @remarks
-* This compares each hook file against what `generateHookScript` would produce.
-* Tampered hooks that still contain "versionguard" pass `areHooksInstalled` but
-* may have had critical lines removed or modified.
-*
-* @param config - VersionGuard configuration that defines which hooks should exist.
-* @param cwd - Repository directory to inspect.
-* @returns Guard warnings for each hook that has been tampered with.
-*
-* @example
-* ```ts
-* import { checkHookIntegrity } from './guard';
-*
-* const warnings = checkHookIntegrity(config, process.cwd());
-* for (const w of warnings) console.warn(w.code, w.message);
-* ```
-*
-* @public
-* @since 0.2.0
-*/
-function checkHookIntegrity(config, cwd) {
-	const warnings = [];
-	const gitDir = findGitDir(cwd);
-	if (!gitDir) return warnings;
-	const hooksDir = path.join(gitDir, "hooks");
-	for (const hookName of HOOK_NAMES) {
-		if (!config.git.hooks[hookName]) continue;
-		const hookPath = path.join(hooksDir, hookName);
-		if (!fs.existsSync(hookPath)) {
-			warnings.push({
-				code: "HOOK_MISSING",
-				severity: "error",
-				message: `Required hook "${hookName}" is not installed`,
-				fix: "npx versionguard hooks install"
-			});
-			continue;
-		}
-		const actual = fs.readFileSync(hookPath, "utf-8");
-		if (actual !== generateHookScript(hookName)) if (!actual.includes("versionguard")) warnings.push({
-			code: "HOOK_REPLACED",
-			severity: "error",
-			message: `Hook "${hookName}" has been replaced — versionguard invocation is missing`,
-			fix: "npx versionguard hooks install"
-		});
-		else warnings.push({
-			code: "HOOK_TAMPERED",
-			severity: "warning",
-			message: `Hook "${hookName}" has been modified from the expected template`,
-			fix: "npx versionguard hooks install"
-		});
-	}
-	return warnings;
-}
-/**
-* Checks whether hooks are configured as required but not enforced.
-*
-* @remarks
-* When hooks are enabled in the config but `enforceHooks` is false, validation
-* will not fail for missing hooks. In strict mode this is a policy gap.
-*
-* @param config - VersionGuard configuration to inspect.
-* @returns A guard warning when hooks are enabled but not enforced.
-*
-* @example
-* ```ts
-* import { checkEnforceHooksPolicy } from './guard';
-*
-* const warning = checkEnforceHooksPolicy(config);
-* if (warning) console.warn(warning.message);
-* ```
-*
-* @public
-* @since 0.2.0
-*/
-function checkEnforceHooksPolicy(config) {
-	if (HOOK_NAMES.some((name) => config.git.hooks[name]) && !config.git.enforceHooks) return {
-		code: "HOOKS_NOT_ENFORCED",
-		severity: "warning",
-		message: "Hooks are enabled but enforceHooks is false — missing hooks will not fail validation",
-		fix: "Set git.enforceHooks: true in .versionguard.yml"
-	};
-	return null;
-}
-/**
-* Runs all guard checks and returns a consolidated report.
-*
-* @remarks
-* This is the primary entry point for strict mode. It runs every detection
-* check and returns a report indicating whether the repository is safe from
-* known bypass patterns.
-*
-* @param config - VersionGuard configuration.
-* @param cwd - Repository directory to inspect.
-* @returns A guard report with all findings.
-*
-* @example
-* ```ts
-* import { runGuardChecks } from './guard';
-*
-* const report = runGuardChecks(config, process.cwd());
-* if (!report.safe) console.error('Guard check failed:', report.warnings);
-* ```
-*
-* @public
-* @since 0.2.0
-*/
-function runGuardChecks(config, cwd) {
-	const warnings = [];
-	const hooksPathWarning = checkHooksPathOverride(cwd);
-	if (hooksPathWarning) warnings.push(hooksPathWarning);
-	const huskyWarning = checkHuskyBypass();
-	if (huskyWarning) warnings.push(huskyWarning);
-	const integrityWarnings = checkHookIntegrity(config, cwd);
-	warnings.push(...integrityWarnings);
-	const enforceWarning = checkEnforceHooksPolicy(config);
-	if (enforceWarning) warnings.push(enforceWarning);
-	return {
-		safe: !warnings.some((w) => w.severity === "error"),
-		warnings
-	};
-}
-//#endregion
 //#region src/project-root.ts
 /**
 * Project root detection and boundary validation.
@@ -4556,20 +4816,22 @@ function validateVersion(version, config) {
 * @public
 * @since 0.1.0
 * @remarks
-* This reads the package version from `package.json`, validates the version
-* format, checks synchronized files, and optionally validates the changelog.
+* Runs version, sync, changelog, scan, guard, and publish checks based on
+* the validation mode. Full mode (default) runs all checks. Lightweight
+* mode (for pre-commit hooks) runs only version + sync.
 *
 * @param config - VersionGuard configuration to apply.
 * @param cwd - Project directory to inspect.
+* @param mode - Validation mode: 'full' (default) or 'lightweight'.
 * @returns A full validation report for the project rooted at `cwd`.
 * @example
 * ```ts
 * import { getDefaultConfig, validate } from 'versionguard';
 *
-* const result = validate(getDefaultConfig(), process.cwd());
+* const result = await validate(getDefaultConfig(), process.cwd());
 * ```
 */
-function validate(config, cwd = process.cwd()) {
+async function validate(config, cwd = process.cwd(), mode = "full") {
 	const errors = [];
 	let version;
 	try {
@@ -4581,6 +4843,9 @@ function validate(config, cwd = process.cwd()) {
 			versionValid: false,
 			syncValid: false,
 			changelogValid: false,
+			scanValid: true,
+			guardValid: true,
+			publishValid: true,
 			errors: [err.message]
 		};
 	}
@@ -4588,10 +4853,17 @@ function validate(config, cwd = process.cwd()) {
 	if (!versionResult.valid) errors.push(...versionResult.errors.map((error) => error.message));
 	const hardcoded = checkHardcodedVersions(version, config.sync, config.ignore, cwd);
 	if (hardcoded.length > 0) for (const mismatch of hardcoded) errors.push(`Version mismatch in ${mismatch.file}:${mismatch.line} - found "${mismatch.found}" but expected "${version}"`);
-	if (config.scan?.enabled) {
-		const scanFindings = scanRepoForVersions(version, config.scan, config.ignore, cwd);
-		for (const finding of scanFindings) errors.push(`Stale version in ${finding.file}:${finding.line} - found "${finding.found}" but expected "${version}"`);
-	}
+	if (mode === "lightweight") return {
+		valid: errors.length === 0,
+		version,
+		versionValid: versionResult.valid,
+		syncValid: hardcoded.length === 0,
+		changelogValid: true,
+		scanValid: true,
+		guardValid: true,
+		publishValid: true,
+		errors
+	};
 	let changelogValid = true;
 	if (config.changelog.enabled) {
 		const changelogResult = validateChangelog(path.join(cwd, config.changelog.file), version, config.changelog.strict, config.changelog.requireEntry, {
@@ -4603,12 +4875,46 @@ function validate(config, cwd = process.cwd()) {
 			errors.push(...changelogResult.errors);
 		}
 	}
+	let scanValid = true;
+	if (config.scan?.enabled) {
+		const scanFindings = scanRepoForVersions(version, config.scan, config.ignore, cwd);
+		if (scanFindings.length > 0) {
+			scanValid = false;
+			for (const finding of scanFindings) errors.push(`Stale version in ${finding.file}:${finding.line} - found "${finding.found}" but expected "${version}"`);
+		}
+	}
+	let guardValid = true;
+	let guardReport;
+	if (config.guard?.enabled) {
+		guardReport = runGuardChecks(config, cwd);
+		if (!guardReport.safe) {
+			guardValid = false;
+			for (const warning of guardReport.warnings) if (warning.severity === "error") errors.push(`[${warning.code}] ${warning.message}`);
+		}
+	}
+	const publishValid = true;
+	let publishCheck;
+	if (config.publish?.enabled) {
+		const manifestSource = config.manifest.source !== "auto" ? config.manifest.source : detectManifests(cwd)[0] ?? null;
+		if (manifestSource) {
+			const packageName = readPackageName(manifestSource, cwd);
+			if (packageName) {
+				publishCheck = await checkPublishStatus(manifestSource, packageName, version, config.publish);
+				if (publishCheck.error) errors.push(`Publish check warning: ${publishCheck.error}`);
+			}
+		}
+	}
 	return {
 		valid: errors.length === 0,
 		version,
 		versionValid: versionResult.valid,
 		syncValid: hardcoded.length === 0,
 		changelogValid,
+		scanValid,
+		guardValid,
+		publishValid,
+		publishCheck,
+		guardReport,
 		errors
 	};
 }
@@ -4631,8 +4937,8 @@ function validate(config, cwd = process.cwd()) {
 * const report = doctor(getDefaultConfig(), process.cwd());
 * ```
 */
-function doctor(config, cwd = process.cwd()) {
-	const validation = validate(config, cwd);
+async function doctor(config, cwd = process.cwd()) {
+	const validation = await validate(config, cwd);
 	const gitRepository = findGitDir(cwd) !== null;
 	const hooksInstalled = gitRepository ? areHooksInstalled(cwd) : false;
 	const worktreeClean = gitRepository ? isWorktreeClean(cwd) : true;
@@ -4646,6 +4952,9 @@ function doctor(config, cwd = process.cwd()) {
 		versionValid: validation.versionValid,
 		syncValid: validation.syncValid,
 		changelogValid: validation.changelogValid,
+		scanValid: validation.scanValid,
+		guardValid: validation.guardValid,
+		publishValid: validation.publishValid,
 		gitRepository,
 		hooksInstalled,
 		worktreeClean,
@@ -4736,6 +5045,6 @@ function isWorktreeClean(cwd) {
 	}
 }
 //#endregion
-export { generateDependabotConfig as $, createCkmEngine as A, detectManifests as B, suggestNextVersion as C, getVersionFeedback as D, getTagFeedback as E, syncVersion as F, RegexVersionSource as G, YamlVersionSource as H, semver_exports as I, areHooksInstalled as J, JsonVersionSource as K, getPackageVersion as L, getSemVerConfig as M, checkHardcodedVersions as N, getConfig as O, scanRepoForVersions as P, dependabotConfigExists as Q, getVersionSource as R, fixSyncIssues as S, getSyncFeedback as T, VersionFileSource as U, resolveVersionSource as V, TomlVersionSource as W, uninstallHooks as X, installHooks as Y, MANIFEST_TO_ECOSYSTEM as Z, checkHuskyBypass as _, validateVersion as a, isValidCalVerFormat as at, fixChangelog as b, getLatestTag as c, validateTagForPush as d, writeDependabotConfig as et, findProjectRoot as f, checkHooksPathOverride as g, checkHookIntegrity as h, validate as i, calver_exports as it, getCalVerConfig as j, initConfig as k, handlePostTag as l, checkEnforceHooksPolicy as m, doctor as n, isChangesetMangled as nt, createTag as o, formatNotProjectError as p, GitTagSource as q, sync as r, validateChangelog as rt, getAllTags as s, canBump as t, fixChangesetMangling as tt, suggestTagMessage as u, runGuardChecks as v, getChangelogFeedback as w, fixPackageVersion as x, fixAll as y, setPackageVersion as z };
+export { uninstallHooks as $, syncVersion as A, YamlVersionSource as B, getConfig as C, getSemVerConfig as D, getCalVerConfig as E, getPackageVersion as F, GitTagSource as G, TomlVersionSource as H, getVersionSource as I, checkHooksPathOverride as J, checkEnforceHooksPolicy as K, setPackageVersion as L, REGISTRY_TABLE as M, checkPublishStatus as N, checkHardcodedVersions as O, readPackageName as P, installHooks as Q, detectManifests as R, getVersionFeedback as S, createCkmEngine as T, RegexVersionSource as U, VersionFileSource as V, JsonVersionSource as W, runGuardChecks as X, checkHuskyBypass as Y, areHooksInstalled as Z, fixSyncIssues as _, validateVersion as a, isChangesetMangled as at, getSyncFeedback as b, getLatestTag as c, isValidCalVerFormat as ct, validateTagForPush as d, MANIFEST_TO_ECOSYSTEM as et, findProjectRoot as f, fixPackageVersion as g, fixChangelog as h, validate as i, fixChangesetMangling as it, semver_exports as j, scanRepoForVersions as k, handlePostTag as l, fixAll as m, doctor as n, generateDependabotConfig as nt, createTag as o, validateChangelog as ot, formatNotProjectError as p, checkHookIntegrity as q, sync as r, writeDependabotConfig as rt, getAllTags as s, calver_exports as st, canBump as t, dependabotConfigExists as tt, suggestTagMessage as u, suggestNextVersion as v, initConfig as w, getTagFeedback as x, getChangelogFeedback as y, resolveVersionSource as z };
 
-//# sourceMappingURL=src-BPMDUQfR.js.map
+//# sourceMappingURL=src-Bofo3tVH.js.map