@cybedefend/vibedefend 1.1.1

package/dist/custom-regions.js

@@ -0,0 +1,112 @@
+/**
+ * Loader for the optional `vibedefend.regions.json` file.
+ *
+ * The public CLI ships only the Production EU / US regions. Teams who
+ * need to install against non-production clusters (staging, localhost,
+ * a contributor's docker-compose stack) maintain a local JSON file with
+ * those endpoints — the file is gitignored on every machine where it
+ * lives, so internal URLs never leak to the public repo.
+ *
+ * Lookup order (first match wins):
+ *   1. `$CYBEDEFEND_REGIONS_FILE` — absolute or relative path
+ *   2. `./vibedefend.regions.json` — current working directory
+ *   3. `~/.cybedefend/regions.json` — user-wide
+ *
+ * The file is a JSON array of `RegionConfig` objects. Each entry needs
+ * the six string fields `id`, `label`, `description`, `mcpUrl`,
+ * `apiBase`, `mcpName`. `dev` is optional (defaults to `false`).
+ *
+ * The loader never throws — bad JSON or malformed entries log a warning
+ * and degrade to "no custom regions" so a broken file can't break the
+ * install picker.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { home, log } from './utils.js';
+const REQUIRED_STRING_FIELDS = [
+    'id',
+    'label',
+    'description',
+    'mcpUrl',
+    'apiBase',
+    'mcpName',
+];
+/**
+ * Resolve the candidate paths in lookup order. Filters out empty/undefined
+ * env-var values so we don't accidentally try to read `process.cwd()` etc.
+ */
+function candidatePaths() {
+    const envOverride = process.env.CYBEDEFEND_REGIONS_FILE;
+    const candidates = [
+        envOverride && envOverride.length > 0 ? envOverride : null,
+        join(process.cwd(), 'vibedefend.regions.json'),
+        home('.cybedefend', 'regions.json'),
+    ];
+    return candidates.filter((p) => typeof p === 'string');
+}
+/**
+ * Read + parse + validate a single regions file. Returns the valid
+ * entries; logs and skips any malformed ones. Returns `[]` (with a
+ * warning) when the whole file can't be read or parsed.
+ */
+function parseRegionsFile(path) {
+    let raw;
+    try {
+        raw = readFileSync(path, 'utf8');
+    }
+    catch (e) {
+        log.warn(`Could not read custom regions file ${path}: ${e.message}`);
+        return [];
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (e) {
+        log.warn(`Custom regions file ${path} is not valid JSON: ${e.message}`);
+        return [];
+    }
+    if (!Array.isArray(parsed)) {
+        log.warn(`Custom regions file ${path} must contain a JSON array of region objects.`);
+        return [];
+    }
+    const valid = [];
+    parsed.forEach((entry, i) => {
+        if (typeof entry !== 'object' || entry === null) {
+            log.warn(`Custom regions file ${path}: entry #${i} is not an object — skipped.`);
+            return;
+        }
+        const obj = entry;
+        const missing = REQUIRED_STRING_FIELDS.filter((f) => typeof obj[f] !== 'string' || obj[f].length === 0);
+        if (missing.length > 0) {
+            log.warn(`Custom regions file ${path}: entry #${i} missing or empty required field(s) [${missing.join(', ')}] — skipped.`);
+            return;
+        }
+        valid.push({
+            id: obj.id,
+            label: obj.label,
+            description: obj.description,
+            mcpUrl: obj.mcpUrl,
+            apiBase: obj.apiBase,
+            mcpName: obj.mcpName,
+            dev: typeof obj.dev === 'boolean' ? obj.dev : false,
+        });
+    });
+    if (valid.length > 0) {
+        log.hint(`Loaded ${valid.length} custom region(s) from ${path}`);
+    }
+    return valid;
+}
+/**
+ * Public entry point. Returns the parsed array from the FIRST file
+ * found, or `[]` if none of the candidate paths exist.
+ */
+export function loadCustomRegions() {
+    for (const path of candidatePaths()) {
+        if (!existsSync(path))
+            continue;
+        return parseRegionsFile(path);
+    }
+    return [];
+}
+//# sourceMappingURL=custom-regions.js.map

package/dist/custom-regions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"custom-regions.js","sourceRoot":"","sources":["../src/custom-regions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,YAAY,CAAC;AAEvC,MAAM,sBAAsB,GAAsC;IAChE,IAAI;IACJ,OAAO;IACP,aAAa;IACb,QAAQ;IACR,SAAS;IACT,SAAS;CACV,CAAC;AAEF;;;GAGG;AACH,SAAS,cAAc;IACrB,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;IACxD,MAAM,UAAU,GAAG;QACjB,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI;QAC1D,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,yBAAyB,CAAC;QAC9C,IAAI,CAAC,aAAa,EAAE,cAAc,CAAC;KACpC,CAAC;IACF,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AACtE,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,IAAY;IACpC,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,GAAG,CAAC,IAAI,CACN,sCAAsC,IAAI,KAAM,CAAW,CAAC,OAAO,EAAE,CACtE,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,GAAG,CAAC,IAAI,CACN,uBAAuB,IAAI,uBAAwB,CAAW,CAAC,OAAO,EAAE,CACzE,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,GAAG,CAAC,IAAI,CACN,uBAAuB,IAAI,+CAA+C,CAC3E,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,KAAK,GAAmB,EAAE,CAAC;IACjC,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QAC1B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YAChD,GAAG,CAAC,IAAI,CACN,uBAAuB,IAAI,YAAY,CAAC,8BAA8B,CACvE,CAAC;YACF,OAAO;QACT,CAAC;QACD,MAAM,GAAG,GAAG,KAAgC,CAAC;QAC7C,MAAM,OAAO,GAAG,sBAAsB,CAAC,MAAM,CAC3C,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAK,GAAG,CAAC,CAAC,CAAY,CAAC,MAAM,KAAK,CAAC,CACrE,CAAC;QACF,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,GAAG,CAAC,IAAI,CACN,uBAAuB,IAAI,YAAY,CAAC,wCAAwC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CACjH,CAAC;YACF,OAAO;QACT,CAAC;QACD,KAAK,CAAC,IAAI,CAAC;YACT,EAAE,EAAE,GAAG,CAAC,EAAY;YACpB,KAAK,EAAE,GAAG,CAAC,KAAe;YAC1B,WAAW,EAAE,GAAG,CAAC,WAAqB;YACtC,MAAM,EAAE,GAAG,CAAC,MAAgB;YAC5B,OAAO,EAAE,GAAG,CAAC,OAAiB;YAC9B,OAAO,EAAE,GAAG,CAAC,OAAiB;YAC9B,GAAG,EAAE,OAAO,GAAG,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK;SACpD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,GAAG,CAAC,IAAI,CAAC,UAAU,KAAK,CAAC,MAAM,0BAA0B,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,EAAE,CAAC;QACpC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,SAAS;QAChC,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/diagnostics.js

@@ -0,0 +1,122 @@
+/**
+ * Side-effect-free collector of the local VibeDefend install state.
+ * Consumed by `vibedefend status` (renders it) and `vibedefend doctor`
+ * (repairs from it). Never throws — every read degrades to an "absent"
+ * value on failure.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { ALL_ADAPTERS } from './clients/registry.js';
+import { pkg } from './version.js';
+import { pingGateway } from './hooks/runtime/api.js';
+import { resolveProjectId, resolveToken } from './hooks/runtime/resolve.js';
+/** `~/.cybedefend`, overridable via CYBEDEFEND_HOME for tests. */
+function cybeHome() {
+    return join(process.env.CYBEDEFEND_HOME ?? homedir(), '.cybedefend');
+}
+function readJsonSafe(path) {
+    try {
+        if (!existsSync(path))
+            return null;
+        return JSON.parse(readFileSync(path, 'utf8'));
+    }
+    catch {
+        return null;
+    }
+}
+/** Read a trimmed text file, or `null` if absent / empty / unreadable. */
+function readTextSafe(path) {
+    try {
+        if (!existsSync(path))
+            return null;
+        return readFileSync(path, 'utf8').trim() || null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function gatherInstallState(opts = {}) {
+    const dir = cybeHome();
+    const runtimeConfig = readJsonSafe(join(dir, 'runtime-config.json'));
+    const region = runtimeConfig?.region ?? null;
+    const versionStamped = readTextSafe(join(dir, 'version'));
+    const clients = ALL_ADAPTERS.map((a) => {
+        const detected = (() => {
+            try {
+                return a.detect().installed;
+            }
+            catch {
+                return false;
+            }
+        })();
+        const ins = region
+            ? (() => {
+                try {
+                    return a.inspect(region);
+                }
+                catch {
+                    return { hooksWired: false, mcpRegistered: false };
+                }
+            })()
+            : { hooksWired: false, mcpRegistered: false };
+        return {
+            id: a.id,
+            label: a.label,
+            detected,
+            hooksWired: ins.hooksWired,
+            mcpRegistered: ins.mcpRegistered,
+        };
+    });
+    // `resolveProjectId` never throws — it swallows malformed config JSON and
+    // returns `{ projectId: null }`. Wrapped defensively all the same.
+    let projectId = null;
+    try {
+        projectId = resolveProjectId().projectId;
+    }
+    catch {
+        projectId = null;
+    }
+    let live = null;
+    if (opts.live) {
+        let token = null;
+        try {
+            token = region ? resolveToken(region.mcpName) : null;
+        }
+        catch {
+            token = null;
+        }
+        if (!region) {
+            live = { status: 'skipped', reason: 'not installed' };
+        }
+        else if (!projectId) {
+            live = { status: 'skipped', reason: 'no projectId (.cybedefend/config.json)' };
+        }
+        else if (!token) {
+            live = { status: 'skipped', reason: 'no MCP token' };
+        }
+        else {
+            try {
+                live = await pingGateway({
+                    apiBase: region.apiBase,
+                    projectId,
+                    token,
+                });
+            }
+            catch {
+                live = { status: 'error', detail: 'live check threw' };
+            }
+        }
+    }
+    return {
+        installed: runtimeConfig !== null,
+        region,
+        runnerPresent: existsSync(join(dir, 'hook-runner.js')),
+        versionStamped,
+        versionCurrent: pkg.version,
+        clients,
+        projectId,
+        live,
+    };
+}
+//# sourceMappingURL=diagnostics.js.map

package/dist/diagnostics.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diagnostics.js","sourceRoot":"","sources":["../src/diagnostics.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAGrD,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AACnC,OAAO,EAAE,WAAW,EAAkB,MAAM,wBAAwB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAqB5E,kEAAkE;AAClE,SAAS,QAAQ;IACf,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,OAAO,EAAE,EAAE,aAAa,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAA4B,CAAC;IAC3E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,0EAA0E;AAC1E,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,OAAO,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAA2B,EAAE;IAE7B,MAAM,GAAG,GAAG,QAAQ,EAAE,CAAC;IACvB,MAAM,aAAa,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,qBAAqB,CAAC,CAAC,CAAC;IACrE,MAAM,MAAM,GAAI,aAAa,EAAE,MAAmC,IAAI,IAAI,CAAC;IAE3E,MAAM,cAAc,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC;IAE1D,MAAM,OAAO,GAAmB,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACrD,MAAM,QAAQ,GAAG,CAAC,GAAG,EAAE;YACrB,IAAI,CAAC;gBACH,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC;YAC9B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC,CAAC,EAAE,CAAC;QACL,MAAM,GAAG,GAAG,MAAM;YAChB,CAAC,CAAC,CAAC,GAAG,EAAE;gBACJ,IAAI,CAAC;oBACH,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBAC3B,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBACrD,CAAC;YACH,CAAC,CAAC,EAAE;YACN,CAAC,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QAChD,OAAO;YACL,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,QAAQ;YACR,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,aAAa,EAAE,GAAG,CAAC,aAAa;SACjC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,0EAA0E;IAC1E,mEAAmE;IACnE,IAAI,SAAS,GAAkB,IAAI,CAAC;IACpC,IAAI,CAAC;QACH,SAAS,GAAG,gBAAgB,EAAE,CAAC,SAAS,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,IAAI,CAAC;IACnB,CAAC;IAED,IAAI,IAAI,GAAqB,IAAI,CAAC;IAClC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,IAAI,KAAK,GAAkB,IAAI,CAAC;QAChC,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,KAAK,GAAG,IAAI,CAAC;QACf,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QACxD,CAAC;aAAM,IAAI,CAAC,SAAS,EAAE,CAAC;YACtB,IAAI,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,wCAAwC,EAAE,CAAC;QACjF,CAAC;aAAM,IAAI,CAAC,KAAK,EAAE,CAAC;YAClB,IAAI,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;QACvD,CAAC;aAAM,CAAC;YACN,IAAI,CAAC;gBACH,IAAI,GAAG,MAAM,WAAW,CAAC;oBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,SAAS;oBACT,KAAK;iBACN,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;YACzD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,aAAa,KAAK,IAAI;QACjC,MAAM;QACN,aAAa,EAAE,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;QACtD,cAAc;QACd,cAAc,EAAE,GAAG,CAAC,OAAO;QAC3B,OAAO;QACP,SAAS;QACT,IAAI;KACL,CAAC;AACJ,CAAC"}

package/dist/doctor.js

@@ -0,0 +1,125 @@
+/**
+ * `vibedefend doctor` — diagnose the install and repair what is fixable.
+ *
+ * Two halves:
+ *  - `deriveRepairs(state)` — PURE. Maps an `InstallState` to a list of
+ *    `Repair`s. A repair with a `fix` function is auto-fixable; one
+ *    without is something only the user can resolve (e.g. "not installed").
+ *    No I/O, never throws — fully unit-testable.
+ *  - `runDoctor(opts)` — the command entry point. Gathers live state,
+ *    derives repairs, prints them, confirms, and applies the fixes.
+ */
+import kleur from 'kleur';
+import { adapterFor } from './clients/registry.js';
+import { gatherInstallState } from './diagnostics.js';
+import { installHookRuntime } from './hooks/install.js';
+import { loadRuntimeConfig } from './hooks/runtime/config.js';
+import { HOOK_DEFAULTS } from './config.js';
+import { log } from './utils.js';
+import { pkg } from './version.js';
+/**
+ * The hook tunables persisted in `runtime-config.json` and the install-time
+ * `HookConfig` share the exact same shape, so a loaded `RuntimeConfig.hooks`
+ * is a valid `HookConfig`. Fall back to `HOOK_DEFAULTS` when the config file
+ * is absent or corrupt.
+ */
+function resolveHookConfig() {
+    const cfg = loadRuntimeConfig();
+    return cfg?.hooks ?? { ...HOOK_DEFAULTS };
+}
+/** Pure: derive the repair list from a gathered state. */
+export function deriveRepairs(state) {
+    const repairs = [];
+    if (!state.installed || !state.region) {
+        repairs.push({
+            id: 'not-installed',
+            description: 'VibeDefend is not installed — run `vibedefend install`.',
+        });
+        return repairs;
+    }
+    const region = state.region;
+    if (!state.runnerPresent) {
+        repairs.push({
+            id: 'runner-missing',
+            description: 'Hook runner ~/.cybedefend/hook-runner.js is missing — re-render it.',
+            fix: () => {
+                installHookRuntime({
+                    region,
+                    hooks: resolveHookConfig(),
+                    installedVersion: pkg.version,
+                });
+            },
+        });
+    }
+    for (const c of state.clients) {
+        if (c.detected && !c.hooksWired) {
+            repairs.push({
+                id: `hooks-${c.id}`,
+                description: `${c.label} is installed but our hooks are not wired — re-wire them.`,
+                fix: () => {
+                    const hooks = resolveHookConfig();
+                    adapterFor(c.id).writeSettings({
+                        hookDir: '',
+                        enableSessionReview: hooks.enableSessionReview,
+                        region,
+                        hooks,
+                    });
+                },
+            });
+        }
+        if (c.detected && !c.mcpRegistered) {
+            repairs.push({
+                id: `mcp-${c.id}`,
+                description: `${c.label} is installed but the MCP server is not registered — register it.`,
+                fix: () => {
+                    const adapter = adapterFor(c.id);
+                    adapter.registerMcp?.({ region });
+                    adapter.postRegister?.({ region });
+                },
+            });
+        }
+    }
+    return repairs;
+}
+export async function runDoctor(opts = {}) {
+    const state = await gatherInstallState({ live: true });
+    const repairs = deriveRepairs(state);
+    if (repairs.length === 0) {
+        log.ok('VibeDefend looks healthy — nothing to repair.');
+        return;
+    }
+    console.log(kleur.bold(`Found ${repairs.length} issue(s):`));
+    for (const r of repairs) {
+        const tag = r.fix ? kleur.yellow('fixable') : kleur.red('manual');
+        console.log(`  [${tag}] ${r.description}`);
+    }
+    const fixable = repairs.filter((r) => r.fix);
+    if (opts.check || fixable.length === 0) {
+        if (repairs.some((r) => !r.fix))
+            process.exitCode = 1;
+        return;
+    }
+    if (!opts.yes) {
+        const { confirm } = await import('@inquirer/prompts');
+        const go = await confirm({
+            message: `Apply ${fixable.length} fix(es)?`,
+            default: true,
+        });
+        if (!go)
+            return;
+    }
+    for (const r of fixable) {
+        try {
+            log.step(r.description);
+            await r.fix();
+            log.ok('Fixed.');
+        }
+        catch (err) {
+            log.err(`Could not fix "${r.id}": ${err instanceof Error ? err.message : String(err)}`);
+            process.exitCode = 1;
+        }
+    }
+    if (repairs.some((r) => !r.fix))
+        process.exitCode = 1;
+}
+//# sourceMappingURL=doctor.js.map

package/dist/doctor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../src/doctor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAqB,MAAM,kBAAkB,CAAC;AACzE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,OAAO,EAAE,GAAG,EAAE,MAAM,YAAY,CAAC;AACjC,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AASnC;;;;;GAKG;AACH,SAAS,iBAAiB;IACxB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,OAAO,GAAG,EAAE,KAAK,IAAI,EAAE,GAAG,aAAa,EAAE,CAAC;AAC5C,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,aAAa,CAAC,KAAmB;IAC/C,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;QACtC,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,eAAe;YACnB,WAAW,EAAE,yDAAyD;SACvE,CAAC,CAAC;QACH,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;IAE5B,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;QACzB,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,gBAAgB;YACpB,WAAW,EACT,qEAAqE;YACvE,GAAG,EAAE,GAAG,EAAE;gBACR,kBAAkB,CAAC;oBACjB,MAAM;oBACN,KAAK,EAAE,iBAAiB,EAAE;oBAC1B,gBAAgB,EAAE,GAAG,CAAC,OAAO;iBAC9B,CAAC,CAAC;YACL,CAAC;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAC9B,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,EAAE,EAAE,SAAS,CAAC,CAAC,EAAE,EAAE;gBACnB,WAAW,EAAE,GAAG,CAAC,CAAC,KAAK,2DAA2D;gBAClF,GAAG,EAAE,GAAG,EAAE;oBACR,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;oBAClC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,aAAa,CAAC;wBAC7B,OAAO,EAAE,EAAE;wBACX,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;wBAC9C,MAAM;wBACN,KAAK;qBACN,CAAC,CAAC;gBACL,CAAC;aACF,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CAAC;gBACX,EAAE,EAAE,OAAO,CAAC,CAAC,EAAE,EAAE;gBACjB,WAAW,EAAE,GAAG,CAAC,CAAC,KAAK,mEAAmE;gBAC1F,GAAG,EAAE,GAAG,EAAE;oBACR,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBACjC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;oBAClC,OAAO,CAAC,YAAY,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;gBACrC,CAAC;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,OAA2C,EAAE;IAE7C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,MAAM,OAAO,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IAErC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,GAAG,CAAC,EAAE,CAAC,+CAA+C,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,OAAO,CAAC,MAAM,YAAY,CAAC,CAAC,CAAC;IAC7D,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,MAAM,GAAG,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAAE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACtD,OAAO;IACT,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC;YACvB,OAAO,EAAE,SAAS,OAAO,CAAC,MAAM,WAAW;YAC3C,OAAO,EAAE,IAAI;SACd,CAAC,CAAC;QACH,IAAI,CAAC,EAAE;YAAE,OAAO;IAClB,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;YACxB,MAAM,CAAC,CAAC,GAAI,EAAE,CAAC;YACf,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC;QACnB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,GAAG,CACL,kBAAkB,CAAC,CAAC,EAAE,MACpB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CACjD,EAAE,CACH,CAAC;YACF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAAE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACxD,CAAC"}

package/dist/guards-evaluator/bucketing.js

@@ -0,0 +1,83 @@
+/**
+ * Rule bucketing — group rules by the type of target they can match.
+ *
+ * Bucketing reduces the set of rules evaluated per request from N to a
+ * small constant, avoiding O(N) per-rule matcher dispatch at hot-path time.
+ */
+/**
+ * Determine which bucket a target belongs to.
+ */
+export function targetTypeBucket(target) {
+    switch (target.type) {
+        case 'file': return 'file';
+        case 'command': return 'command';
+        case 'env': return 'env';
+        case 'http': return 'http';
+        case 'git': return 'git';
+        default: {
+            // Throw a typed error the MCP tool can convert into a fail-closed deny.
+            const t = target.type ?? '(missing)';
+            throw new TypeError(`Invalid target.type: ${t}. Expected one of file|command|env|http|git.`);
+        }
+    }
+}
+/**
+ * Determine which buckets a rule belongs to, based on which matcher fields
+ * are populated.
+ *
+ * A single rule may live in multiple buckets when it mixes matcher types
+ * (rare, but valid for rules like process.proc_environ which has both
+ * filePathGlobs and command_regex).
+ */
+export function ruleBuckets(rule) {
+    const buckets = [];
+    const hasFile = (rule.filePathGlobs && rule.filePathGlobs.length > 0) ||
+        (rule.filePathExcludes && rule.filePathExcludes.length > 0);
+    const hasCommand = !!rule.commandRegex ||
+        (rule.commandArgGlobs && rule.commandArgGlobs.length > 0);
+    const hasEnv = rule.envNameGlobs && rule.envNameGlobs.length > 0;
+    const hasHttp = (rule.httpHostGlobs && rule.httpHostGlobs.length > 0) ||
+        (rule.httpMethod && rule.httpMethod.length > 0) ||
+        (rule.httpPathGlobs && rule.httpPathGlobs.length > 0);
+    const hasGit = (rule.gitRemoteGlobs && rule.gitRemoteGlobs.length > 0) ||
+        (rule.gitBranchGlobs && rule.gitBranchGlobs.length > 0) ||
+        (rule.gitSubcommand && rule.gitSubcommand.length > 0);
+    if (hasFile)
+        buckets.push('file');
+    if (hasCommand)
+        buckets.push('command');
+    if (hasEnv)
+        buckets.push('env');
+    if (hasHttp)
+        buckets.push('http');
+    if (hasGit)
+        buckets.push('git');
+    return buckets;
+}
+/**
+ * Partition a flat rule list into per-bucket maps for O(1) lookup per request.
+ *
+ * Rules with no recognised matcher fields are excluded from all buckets and
+ * a console.warn is emitted — they would never fire.
+ */
+export function bucketRules(rules) {
+    const result = {
+        file: [],
+        command: [],
+        env: [],
+        http: [],
+        git: [],
+    };
+    for (const rule of rules) {
+        const buckets = ruleBuckets(rule);
+        if (buckets.length === 0) {
+            console.warn(`[guards-evaluator] Rule "${rule.id}" has no matcher fields — it will never fire.`);
+            continue;
+        }
+        for (const bucket of buckets) {
+            result[bucket].push(rule);
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=bucketing.js.map

package/dist/guards-evaluator/bucketing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bucketing.js","sourceRoot":"","sources":["../../src/guards-evaluator/bucketing.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,KAAK,MAAM,CAAC,CAAI,OAAO,MAAM,CAAC;QAC9B,KAAK,SAAS,CAAC,CAAC,OAAO,SAAS,CAAC;QACjC,KAAK,KAAK,CAAC,CAAK,OAAO,KAAK,CAAC;QAC7B,KAAK,MAAM,CAAC,CAAI,OAAO,MAAM,CAAC;QAC9B,KAAK,KAAK,CAAC,CAAK,OAAO,KAAK,CAAC;QAC7B,OAAO,CAAC,CAAC,CAAC;YACR,wEAAwE;YACxE,MAAM,CAAC,GAAI,MAA4B,CAAC,IAAI,IAAI,WAAW,CAAC;YAC5D,MAAM,IAAI,SAAS,CACjB,wBAAwB,CAAC,8CAA8C,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,IAAU;IACpC,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,MAAM,OAAO,GACX,CAAC,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;QACrD,CAAC,IAAI,CAAC,gBAAgB,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE9D,MAAM,UAAU,GACd,CAAC,CAAC,IAAI,CAAC,YAAY;QACnB,CAAC,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE5D,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;IAEjE,MAAM,OAAO,GACX,CAAC,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;QACrD,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;QAC/C,CAAC,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAExD,MAAM,MAAM,GACV,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;QACvD,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;QACvD,CAAC,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAExD,IAAI,OAAO;QAAK,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACrC,IAAI,UAAU;QAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,MAAM;QAAM,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,IAAI,OAAO;QAAK,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACrC,IAAI,MAAM;QAAM,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEpC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,MAAM,MAAM,GAA2B;QACrC,IAAI,EAAK,EAAE;QACX,OAAO,EAAE,EAAE;QACX,GAAG,EAAM,EAAE;QACX,IAAI,EAAK,EAAE;QACX,GAAG,EAAM,EAAE;KACZ,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CACV,4BAA4B,IAAI,CAAC,EAAE,+CAA+C,CACnF,CAAC;YACF,SAAS;QACX,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}