@fairfox/polly 0.40.0 → 0.47.0

package/dist/tools/quality/src/index.js

@@ -1053,12 +1053,1646 @@ async function checkGitignoreCoversAllowlist(options) {
     }
   };
 }
+// tools/quality/src/attest.ts
+import { createHash as createHash2 } from "node:crypto";
+import { mkdir as mkdir2, readFile as readFile3, writeFile as writeFile2 } from "node:fs/promises";
+import { join as join5 } from "node:path";
+
+// tools/quality/src/cache.ts
+import { createHash } from "node:crypto";
+import { mkdir, readFile as readFile2, rename, writeFile } from "node:fs/promises";
+import { dirname, isAbsolute, join as join4, resolve } from "node:path";
+var ABSENT_MARKER = "<absent>";
+async function hashFile(path) {
+  try {
+    const buf = await readFile2(path);
+    const h = createHash("sha256");
+    h.update(buf);
+    return h.digest("hex");
+  } catch {
+    return ABSENT_MARKER;
+  }
+}
+async function computeInputsHash(inputs, rootDir) {
+  const filePairs = [];
+  for (const f of inputs.files) {
+    const abs = isAbsolute(f) ? f : resolve(rootDir, f);
+    const hash = await hashFile(abs);
+    const rel = abs.startsWith(`${rootDir}/`) ? abs.slice(rootDir.length + 1) : abs;
+    filePairs.push({ path: rel, hash });
+  }
+  filePairs.sort((a, b) => a.path.localeCompare(b.path));
+  const extras = inputs.extras ?? {};
+  const extrasPairs = Object.keys(extras).sort().map((k) => ({ key: k, value: extras[k] ?? "" }));
+  const payload = JSON.stringify({ files: filePairs, extras: extrasPairs });
+  return createHash("sha256").update(payload).digest("hex");
+}
+function cachePath(rootDir, checkId) {
+  const safe = checkId.replace(/:/g, "__");
+  return join4(rootDir, ".cache", "polly-quality", `${safe}.json`);
+}
+async function getCachedOutcome(rootDir, checkId, hash) {
+  const path = cachePath(rootDir, checkId);
+  let raw;
+  try {
+    raw = await readFile2(path, "utf8");
+  } catch {
+    return null;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return null;
+  }
+  if (parsed.hash !== hash)
+    return null;
+  if (typeof parsed.outcome?.ok !== "boolean" || !Array.isArray(parsed.outcome?.messages)) {
+    return null;
+  }
+  return parsed.outcome;
+}
+async function setCachedOutcome(rootDir, checkId, hash, outcome) {
+  const path = cachePath(rootDir, checkId);
+  await mkdir(dirname(path), { recursive: true });
+  const entry = { hash, outcome, writtenAt: new Date().toISOString() };
+  const tmp = `${path}.tmp-${process.pid}-${Date.now()}`;
+  await writeFile(tmp, JSON.stringify(entry, null, 2));
+  await rename(tmp, path);
+}
+
+// tools/quality/src/host.ts
+function registerPlugins(plugins) {
+  const registry = new Map;
+  const pluginNames = new Set;
+  for (const plugin of plugins) {
+    if (pluginNames.has(plugin.name)) {
+      throw new Error(`Quality plugin name collision: "${plugin.name}" registered twice`);
+    }
+    pluginNames.add(plugin.name);
+    for (const check of plugin.checks) {
+      if (!check.id.startsWith(`${plugin.name}:`)) {
+        throw new Error(`Check "${check.id}" is registered under plugin "${plugin.name}" but its id does not begin with "${plugin.name}:"`);
+      }
+      if (registry.has(check.id)) {
+        const prior = registry.get(check.id)?.plugin.name ?? "<unknown>";
+        throw new Error(`Check id collision: "${check.id}" registered by plugins "${prior}" and "${plugin.name}"`);
+      }
+      registry.set(check.id, { check, plugin });
+    }
+  }
+  return registry;
+}
+function validateRunConfig(registry, runConfig) {
+  const errors = [];
+  const checks = runConfig.checks ?? {};
+  for (const [id, cfg] of Object.entries(checks)) {
+    const entry = registry.get(id);
+    if (!entry) {
+      errors.push(`Configuration references unknown check id "${id}"`);
+      continue;
+    }
+    if (!entry.check.validate)
+      continue;
+    const result = entry.check.validate(cfg);
+    if (result === null)
+      continue;
+    for (const msg of result) {
+      errors.push(`[${id}] ${msg}`);
+    }
+  }
+  return errors;
+}
+async function resolveCacheHash(check, config, opts) {
+  if (opts.noCache || !check.filesRead)
+    return null;
+  try {
+    const files = await check.filesRead(config, opts.rootDir);
+    const extras = check.cacheKeyExtras?.(config);
+    return computeInputsHash({ files, ...extras ? { extras } : {} }, opts.rootDir);
+  } catch {
+    return null;
+  }
+}
+async function executeBody(check, config, opts) {
+  try {
+    return await check.run({
+      rootDir: opts.rootDir,
+      config,
+      ...opts.signal ? { signal: opts.signal } : {}
+    });
+  } catch (err) {
+    return { error: err instanceof Error ? err.message : String(err) };
+  }
+}
+async function runOne(entry, config, opts) {
+  const { check } = entry;
+  const start = Date.now();
+  const cacheHash = await resolveCacheHash(check, config, opts);
+  if (cacheHash) {
+    const cached = await getCachedOutcome(opts.rootDir, check.id, cacheHash);
+    if (cached) {
+      return {
+        id: check.id,
+        ok: cached.ok,
+        durationMs: Date.now() - start,
+        cached: true,
+        messages: cached.messages
+      };
+    }
+  }
+  const result = await executeBody(check, config, opts);
+  if ("error" in result) {
+    return {
+      id: check.id,
+      ok: false,
+      durationMs: Date.now() - start,
+      cached: false,
+      messages: [],
+      error: result.error
+    };
+  }
+  if (cacheHash && result.ok) {
+    try {
+      await setCachedOutcome(opts.rootDir, check.id, cacheHash, result);
+    } catch {}
+  }
+  return {
+    id: check.id,
+    ok: result.ok,
+    durationMs: Date.now() - start,
+    cached: false,
+    messages: result.messages
+  };
+}
+async function runWithConcurrency(items, limit, worker) {
+  if (items.length === 0)
+    return [];
+  const results = new Array(items.length);
+  let cursor = 0;
+  const workers = Array.from({ length: Math.max(1, Math.min(limit, items.length)) }, async () => {
+    while (true) {
+      const i = cursor++;
+      if (i >= items.length)
+        return;
+      const item = items[i];
+      if (item === undefined)
+        return;
+      results[i] = await worker(item);
+    }
+  });
+  await Promise.all(workers);
+  return results;
+}
+async function runChecks(registry, runConfig, ids, opts) {
+  const start = Date.now();
+  const targets = [];
+  if (ids === undefined) {
+    targets.push(...registry.values());
+  } else {
+    for (const id of ids) {
+      const entry = registry.get(id);
+      if (!entry) {
+        throw new Error(`Unknown check id: "${id}"`);
+      }
+      targets.push(entry);
+    }
+  }
+  const checks = runConfig.checks ?? {};
+  const limit = opts.concurrency ?? targets.length;
+  const results = await runWithConcurrency(targets, limit, (entry) => runOne(entry, checks[entry.check.id], opts));
+  return {
+    ok: results.every((r) => r.ok),
+    results,
+    totalDurationMs: Date.now() - start
+  };
+}
+function listChecks(registry) {
+  return Array.from(registry.values()).map(({ check, plugin }) => ({
+    id: check.id,
+    description: check.description,
+    plugin: plugin.name
+  })).sort((a, b) => a.id.localeCompare(b.id));
+}
+
+// tools/quality/src/attest.ts
+async function spawnText(args, cwd) {
+  const proc = Bun.spawn(args, { cwd, stdout: "pipe", stderr: "pipe" });
+  const [stdout, stderr] = await Promise.all([
+    new Response(proc.stdout).text(),
+    new Response(proc.stderr).text()
+  ]);
+  await proc.exited;
+  return { ok: proc.exitCode === 0, out: `${stdout}${stderr}` };
+}
+async function workingTreeIsClean(rootDir) {
+  const r = await spawnText(["git", "status", "--porcelain"], rootDir);
+  if (!r.ok)
+    return false;
+  return r.out.trim().length === 0;
+}
+async function currentCommit(rootDir) {
+  const r = await spawnText(["git", "rev-parse", "HEAD"], rootDir);
+  if (!r.ok)
+    return null;
+  const sha = r.out.trim();
+  if (!/^[0-9a-f]{40}$/.test(sha))
+    return null;
+  return sha;
+}
+async function ghUser(rootDir) {
+  const r = await spawnText(["gh", "api", "user", "--jq", ".login"], rootDir);
+  if (!r.ok)
+    return null;
+  const login = r.out.trim();
+  return login.length > 0 ? login : null;
+}
+async function ghRepoSlug(rootDir) {
+  const r = await spawnText(["gh", "repo", "view", "--json", "nameWithOwner", "--jq", ".nameWithOwner"], rootDir);
+  if (!r.ok)
+    return null;
+  const slug = r.out.trim();
+  if (!slug.includes("/"))
+    return null;
+  return slug;
+}
+function summariseRunReport(report) {
+  const passed = report.results.filter((r) => r.ok).length;
+  const total = report.results.length;
+  return `${passed}/${total} checks passed`;
+}
+function digestRun(sha, results) {
+  const stable = results.slice().sort((a, b) => a.id.localeCompare(b.id)).map((r) => ({ id: r.id, ok: r.ok, messages: r.messages }));
+  const payload = JSON.stringify({ sha, results: stable });
+  return createHash2("sha256").update(payload).digest("hex");
+}
+function attestCachePath(rootDir, sha) {
+  return join5(rootDir, ".cache", "polly-quality", "attest", `${sha}.json`);
+}
+async function readPriorAttestation(rootDir, sha) {
+  try {
+    const raw = await readFile3(attestCachePath(rootDir, sha), "utf8");
+    const parsed = JSON.parse(raw);
+    return parsed.digest ?? null;
+  } catch {
+    return null;
+  }
+}
+async function writeAttestation(rootDir, sha, context, digest) {
+  const path = attestCachePath(rootDir, sha);
+  await mkdir2(join5(path, ".."), { recursive: true });
+  const entry = {
+    sha,
+    context,
+    digest,
+    attestedAt: new Date().toISOString()
+  };
+  await writeFile2(path, JSON.stringify(entry, null, 2));
+}
+async function postCommitStatus(rootDir, slug, sha, context, description) {
+  const r = await spawnText([
+    "gh",
+    "api",
+    "-X",
+    "POST",
+    `repos/${slug}/statuses/${sha}`,
+    "-f",
+    "state=success",
+    "-f",
+    `context=${context}`,
+    "-f",
+    `description=${description}`
+  ], rootDir);
+  return { ok: r.ok, output: r.out };
+}
+async function preflightOk(rootDir) {
+  if (!await workingTreeIsClean(rootDir)) {
+    return { ok: false, reason: "Working tree is dirty; commit or stash before attesting." };
+  }
+  const sha = await currentCommit(rootDir);
+  if (!sha)
+    return { ok: false, reason: "Could not resolve current commit (is this a git repo?)" };
+  return { ok: true, sha };
+}
+async function resolveContext(rootDir, deploy, contextPrefix) {
+  const user = await ghUser(rootDir);
+  if (!user)
+    return { ok: false, reason: "gh CLI is not authenticated; run `gh auth login`." };
+  const action = deploy ? "deploy-attested" : "attested";
+  return { ok: true, user, context: `${contextPrefix}/${action}/${user}` };
+}
+async function runAttest(opts) {
+  const contextPrefix = opts.contextPrefix ?? "polly";
+  const pre = await preflightOk(opts.rootDir);
+  if (!pre.ok || !pre.sha) {
+    return {
+      ok: false,
+      context: "",
+      sha: "",
+      digest: "",
+      messages: [],
+      error: pre.reason
+    };
+  }
+  const sha = pre.sha;
+  const ctx = await resolveContext(opts.rootDir, opts.deploy === true, contextPrefix);
+  if (!ctx.ok || !ctx.context) {
+    return { ok: false, context: "", sha, digest: "", messages: [], error: ctx.reason };
+  }
+  const slug = await ghRepoSlug(opts.rootDir);
+  if (!slug) {
+    return {
+      ok: false,
+      context: ctx.context,
+      sha,
+      digest: "",
+      messages: [],
+      error: "Could not resolve GitHub repo slug; is `gh` configured for this repo?"
+    };
+  }
+  const report = await runChecks(opts.registry, opts.runConfig, undefined, {
+    rootDir: opts.rootDir
+  });
+  if (!report.ok) {
+    return {
+      ok: false,
+      context: ctx.context,
+      sha,
+      digest: "",
+      messages: [
+        `attest aborted: ${summariseRunReport(report)}`,
+        ...report.results.filter((r) => !r.ok).map((r) => `  ✗ ${r.id}`)
+      ],
+      error: "one or more checks failed",
+      report
+    };
+  }
+  const digest = digestRun(sha, report.results);
+  const prior = await readPriorAttestation(opts.rootDir, sha);
+  const description = `${summariseRunReport(report)} · ${digest.slice(0, 12)}`;
+  const post = await postCommitStatus(opts.rootDir, slug, sha, ctx.context, description);
+  if (!post.ok) {
+    return {
+      ok: false,
+      context: ctx.context,
+      sha,
+      digest,
+      messages: [post.output.trim()],
+      error: "GitHub status post failed",
+      report
+    };
+  }
+  await writeAttestation(opts.rootDir, sha, ctx.context, digest);
+  const replayNote = prior === digest ? "replay (cached digest)" : "fresh attestation";
+  return {
+    ok: true,
+    context: ctx.context,
+    sha,
+    digest,
+    messages: [`${ctx.context} → ${sha.slice(0, 12)} (${replayNote})`, `  ${description}`],
+    report
+  };
+}
+// tools/quality/src/config.ts
+import { join as join10 } from "node:path";
+
+// tools/quality/src/plugins/core.ts
+import { join as join9 } from "node:path";
+import { Glob as Glob5 } from "bun";
+
+// tools/quality/src/plugins/core-checks.ts
+import { readdir as readdir3 } from "node:fs/promises";
+import { join as join6, relative as relative3 } from "node:path";
+async function semgrepInstalled() {
+  const which = Bun.spawn(["which", "semgrep"], { stdout: "ignore", stderr: "ignore" });
+  await which.exited;
+  return which.exitCode === 0;
+}
+var security = {
+  id: "polly:security",
+  description: "Run `semgrep scan` against the working tree (SAST)",
+  cacheKeyExtras: (cfg) => {
+    const c = cfg ?? {};
+    return {
+      config: c.config ?? "auto",
+      severities: (c.severities ?? ["ERROR", "WARNING"]).slice().sort().join(","),
+      exclude: (c.exclude ?? []).slice().sort().join(",")
+    };
+  },
+  run: async ({ rootDir, config }) => {
+    if (!await semgrepInstalled()) {
+      return {
+        ok: false,
+        messages: [
+          "semgrep is not on PATH. Install with `brew install semgrep` (macOS) or `pip install semgrep`."
+        ]
+      };
+    }
+    const cfg = config ?? {};
+    const args = ["semgrep", "scan", "--config", cfg.config ?? "auto", "--quiet", "--error"];
+    for (const sev of cfg.severities ?? ["ERROR", "WARNING"]) {
+      args.push("--severity", sev);
+    }
+    for (const exc of cfg.exclude ?? ["Dockerfile*", "docker-compose*"]) {
+      args.push(`--exclude=${exc}`);
+    }
+    const proc = Bun.spawn(args, { cwd: rootDir, stdout: "pipe", stderr: "pipe" });
+    const [stdout, stderr] = await Promise.all([
+      new Response(proc.stdout).text(),
+      new Response(proc.stderr).text()
+    ]);
+    await proc.exited;
+    const output = `${stdout}${stderr}`.trim();
+    return {
+      ok: proc.exitCode === 0,
+      messages: proc.exitCode === 0 ? [] : [output || `semgrep exited ${proc.exitCode}`]
+    };
+  }
+};
+var DEFAULT_BOUNDARIES = {
+  bans: { src: ["tools/", "cli/", "scripts/"], tools: ["cli/", "scripts/"] },
+  zones: ["src", "tools", "cli", "scripts"],
+  skipDirs: ["node_modules", ".git", "dist", ".bun", ".cache"]
+};
+var IMPORT_REGEX = /(?:import|export)\s+.*?from\s+['"]([^'"]+)['"]|require\(\s*['"]([^'"]+)['"]\s*\)/g;
+function isTestFile(rel) {
+  return rel.includes("__tests__") || rel.includes(".test.") || rel.includes(".spec.") || rel.startsWith("tests/");
+}
+function resolveTargetZone(specifier, fromFile, rootDir) {
+  if (!specifier.startsWith(".") && !specifier.startsWith("/"))
+    return null;
+  const fromDir = relative3(rootDir, fromFile).split("/").slice(0, -1).join("/");
+  const segments = `${fromDir}/${specifier}`.split("/");
+  const resolved = [];
+  for (const seg of segments) {
+    if (seg === "" || seg === ".")
+      continue;
+    if (seg === "..") {
+      resolved.pop();
+      continue;
+    }
+    resolved.push(seg);
+  }
+  return resolved.join("/");
+}
+async function collectScannableFiles(dir, skipDirs, out) {
+  let entries;
+  try {
+    entries = await readdir3(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    const fullPath = join6(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (!skipDirs.has(entry.name))
+        await collectScannableFiles(fullPath, skipDirs, out);
+    } else if (entry.isFile() && (entry.name.endsWith(".ts") || entry.name.endsWith(".tsx"))) {
+      out.push(fullPath);
+    }
+  }
+}
+function violationsForBoundarySpecifier(specifier, ctx) {
+  const target = resolveTargetZone(specifier, ctx.filePath, ctx.rootDir);
+  if (!target)
+    return [];
+  const out = [];
+  for (const banned of ctx.bans) {
+    if (target.startsWith(banned)) {
+      out.push({
+        file: ctx.rel,
+        line: ctx.line,
+        rule: `"${ctx.zone}/" cannot import from "${banned}" (resolved: ${target})`
+      });
+    }
+  }
+  return out;
+}
+function scanLineForBoundary(line, ctx) {
+  const trimmed = line.trim();
+  if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*"))
+    return [];
+  const out = [];
+  IMPORT_REGEX.lastIndex = 0;
+  let match = IMPORT_REGEX.exec(line);
+  while (match !== null) {
+    const specifier = match[1] || match[2];
+    if (specifier) {
+      out.push(...violationsForBoundarySpecifier(specifier, { ...ctx, line: ctx.lineNumber }));
+    }
+    match = IMPORT_REGEX.exec(line);
+  }
+  return out;
+}
+function scanFileForBoundaryViolations(filePath, content, rootDir, zone, bans) {
+  const rel = relative3(rootDir, filePath);
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    out.push(...scanLineForBoundary(lines[i] ?? "", {
+      filePath,
+      rootDir,
+      zone,
+      bans,
+      rel,
+      lineNumber: i + 1
+    }));
+  }
+  return out;
+}
+var boundaries = {
+  id: "polly:boundaries",
+  description: "Enforce directional import bans between top-level zones (src/tools/cli/scripts)",
+  filesRead: async (cfg, root) => {
+    const c = { ...DEFAULT_BOUNDARIES, ...cfg ?? {} };
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_BOUNDARIES.skipDirs ?? []);
+    const out = [];
+    for (const zone of c.zones ?? DEFAULT_BOUNDARIES.zones ?? []) {
+      await collectScannableFiles(join6(root, zone), skipDirs, out);
+    }
+    return out.filter((p) => !isTestFile(relative3(root, p)));
+  },
+  run: async ({ rootDir, config }) => {
+    const c = { ...DEFAULT_BOUNDARIES, ...config ?? {} };
+    const bans = c.bans ?? {};
+    const zones = c.zones ?? [];
+    const skipDirs = new Set(c.skipDirs ?? []);
+    const all = [];
+    for (const zone of zones) {
+      const files = [];
+      await collectScannableFiles(join6(rootDir, zone), skipDirs, files);
+      const fromBans = bans[zone] ?? [];
+      if (fromBans.length === 0)
+        continue;
+      for (const filePath of files) {
+        if (isTestFile(relative3(rootDir, filePath)))
+          continue;
+        const content = await Bun.file(filePath).text();
+        all.push(...scanFileForBoundaryViolations(filePath, content, rootDir, zone, fromBans));
+      }
+    }
+    return {
+      ok: all.length === 0,
+      messages: all.map((v) => `${v.file}:${v.line}: ${v.rule}`)
+    };
+  }
+};
+var DEFAULT_SERVER_IMPORTS = {
+  browserPaths: [
+    "src/popup",
+    "src/content",
+    "src/devtools",
+    "src/options",
+    "src/offscreen",
+    "src/page",
+    "src/ui",
+    "src/polly-ui",
+    "tools/test/src/browser"
+  ],
+  bannedSpecifiers: [
+    "bun:sqlite",
+    "bun:ffi",
+    "bun:jsc",
+    "node:fs",
+    "node:fs/promises",
+    "node:path",
+    "node:child_process",
+    "node:net",
+    "node:os",
+    "node:http",
+    "node:https",
+    "node:stream",
+    "node:worker_threads",
+    "node:cluster",
+    "node:tls",
+    "node:dns",
+    "better-sqlite3",
+    "sqlite3",
+    "ws"
+  ],
+  skipDirs: ["node_modules", "dist", ".cache"]
+};
+function buildBannedRegex(specs) {
+  const escaped = specs.map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join("|");
+  return new RegExp(`(?:import|export)\\s+.*?from\\s+['"](?:${escaped})(?:/[^'"]*)?['"]|require\\(\\s*['"](?:${escaped})(?:/[^'"]*)?['"]\\s*\\)`);
+}
+function isExcludedFromServerCheck(rel, allow) {
+  if (allow.has(rel))
+    return true;
+  return rel.includes("__tests__") || rel.includes(".test.") || rel.includes(".spec.");
+}
+function scanFileForServerImports(rel, content, bannedRegex) {
+  const violations = [];
+  const lines = content.split(`
+`);
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i] ?? "";
+    const trimmed = line.trim();
+    if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*"))
+      continue;
+    if (bannedRegex.test(line)) {
+      violations.push(`${rel}:${i + 1}: ${trimmed}`);
+    }
+  }
+  return violations;
+}
+var serverImports = {
+  id: "polly:server-imports",
+  description: "Ban node:* / bun:* imports inside browser-targeting packages",
+  filesRead: async (cfg, root) => {
+    const c = cfg ?? {};
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_SERVER_IMPORTS.skipDirs);
+    const allow = new Set(c.allowFiles ?? []);
+    const out = [];
+    for (const p of c.browserPaths ?? DEFAULT_SERVER_IMPORTS.browserPaths) {
+      await collectScannableFiles(join6(root, p), skipDirs, out);
+    }
+    return out.filter((p) => !isExcludedFromServerCheck(relative3(root, p), allow));
+  },
+  run: async ({ rootDir, config }) => {
+    const c = config ?? {};
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_SERVER_IMPORTS.skipDirs);
+    const bannedRegex = buildBannedRegex(c.bannedSpecifiers ?? DEFAULT_SERVER_IMPORTS.bannedSpecifiers);
+    const allow = new Set(c.allowFiles ?? []);
+    const violations = [];
+    for (const p of c.browserPaths ?? DEFAULT_SERVER_IMPORTS.browserPaths) {
+      const files = [];
+      await collectScannableFiles(join6(rootDir, p), skipDirs, files);
+      for (const filePath of files) {
+        const rel = relative3(rootDir, filePath);
+        if (isExcludedFromServerCheck(rel, allow))
+          continue;
+        const content = await Bun.file(filePath).text();
+        violations.push(...scanFileForServerImports(rel, content, bannedRegex));
+      }
+    }
+    return { ok: violations.length === 0, messages: violations };
+  }
+};
+var additionalCoreChecks = [
+  security,
+  boundaries,
+  serverImports
+];
+
+// tools/quality/src/plugins/extra-checks.ts
+import { readdir as readdir4 } from "node:fs/promises";
+import { join as join7, relative as relative4 } from "node:path";
+import { Glob as Glob3 } from "bun";
+var SKIP_DIRS_DEFAULT = ["node_modules", ".git", "dist", ".bun", ".cache"];
+function isCommentLine2(trimmed) {
+  return trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*");
+}
+function isTestFile2(rel) {
+  return rel.includes("__tests__") || rel.includes(".test.") || rel.includes(".spec.") || rel.startsWith("tests/");
+}
+async function walkScannableFiles(dir, skipDirs, out) {
+  let entries;
+  try {
+    entries = await readdir4(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    const fullPath = join7(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (!skipDirs.has(entry.name))
+        await walkScannableFiles(fullPath, skipDirs, out);
+    } else if (entry.isFile() && (entry.name.endsWith(".ts") || entry.name.endsWith(".tsx"))) {
+      out.push(fullPath);
+    }
+  }
+}
+var DEFAULT_FORBIDDEN = {
+  banned: {
+    "Alternative test runners (we use bun:test)": [
+      "vitest",
+      "jest",
+      "@jest/globals",
+      "mocha",
+      "ava",
+      "tape",
+      "tap",
+      "uvu"
+    ],
+    "Alternative linters/formatters (we use biome)": [
+      "eslint",
+      "@eslint",
+      "prettier",
+      "@prettier",
+      "tslint"
+    ],
+    "Deprecated HTTP libraries (use fetch)": [
+      "request",
+      "request-promise",
+      "request-promise-native"
+    ],
+    "Date-handling libraries (use Date or built-ins)": ["moment", "moment-timezone"]
+  },
+  zones: ["src", "tools", "cli", "scripts"],
+  skipDirs: SKIP_DIRS_DEFAULT
+};
+var IMPORT_REGEX2 = /(?:import|export)\s+.*?from\s+['"]([^'"]+)['"]|require\(\s*['"]([^'"]+)['"]\s*\)/g;
+function lookupBanned(specifier, banned) {
+  for (const [category, prefixes] of Object.entries(banned)) {
+    for (const p of prefixes) {
+      if (specifier === p || specifier.startsWith(`${p}/`))
+        return { category };
+    }
+  }
+  return null;
+}
+function scanLineForBanned(line, banned, rel, lineNumber) {
+  const trimmed = line.trim();
+  if (isCommentLine2(trimmed))
+    return [];
+  const out = [];
+  IMPORT_REGEX2.lastIndex = 0;
+  let match = IMPORT_REGEX2.exec(line);
+  while (match !== null) {
+    const specifier = match[1] || match[2];
+    const hit = specifier ? lookupBanned(specifier, banned) : null;
+    if (hit) {
+      out.push({ file: rel, line: lineNumber, content: trimmed, category: hit.category });
+    }
+    match = IMPORT_REGEX2.exec(line);
+  }
+  return out;
+}
+async function scanFileForForbidden(filePath, rel, banned) {
+  const content = await Bun.file(filePath).text();
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    for (const v of scanLineForBanned(lines[i] ?? "", banned, rel, i + 1)) {
+      out.push(`[${v.category}] ${v.file}:${v.line}: ${v.content}`);
+    }
+  }
+  return out;
+}
+var forbiddenDeps = {
+  id: "polly:forbidden-deps",
+  description: "Ban imports from a configured list of packages (alternative tools, deprecated libs)",
+  filesRead: async (cfg, root) => {
+    const c = cfg ?? {};
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_FORBIDDEN.skipDirs);
+    const out = [];
+    for (const z of c.zones ?? DEFAULT_FORBIDDEN.zones) {
+      await walkScannableFiles(join7(root, z), skipDirs, out);
+    }
+    return out.filter((p) => !isTestFile2(relative4(root, p)));
+  },
+  run: async ({ rootDir, config }) => {
+    const c = config ?? {};
+    const banned = c.banned ?? DEFAULT_FORBIDDEN.banned;
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_FORBIDDEN.skipDirs);
+    const violations = [];
+    for (const z of c.zones ?? DEFAULT_FORBIDDEN.zones) {
+      const files = [];
+      await walkScannableFiles(join7(rootDir, z), skipDirs, files);
+      for (const filePath of files) {
+        const rel = relative4(rootDir, filePath);
+        if (isTestFile2(rel))
+          continue;
+        violations.push(...await scanFileForForbidden(filePath, rel, banned));
+      }
+    }
+    return { ok: violations.length === 0, messages: violations };
+  }
+};
+var DEFAULT_NO_STATE_HOOKS = {
+  banned: ["useState", "useReducer", "useSignal"],
+  allowedFiles: [],
+  zones: ["src", "tools", "cli", "scripts"],
+  skipDirs: SKIP_DIRS_DEFAULT
+};
+function escapeForAlternation(name) {
+  return name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function buildHookRegex(banned) {
+  const alts = banned.map(escapeForAlternation).join("|");
+  return new RegExp(`\\b(${alts})\\b`);
+}
+function isAllowedByGlob(rel, allowedFiles) {
+  for (const pattern of allowedFiles) {
+    if (new Glob3(pattern).match(rel))
+      return true;
+  }
+  return false;
+}
+var noStateHooks = {
+  id: "polly:no-state-hooks",
+  description: "Ban useState/useReducer/useSignal — polly is signals-first",
+  filesRead: async (cfg, root) => {
+    const c = cfg ?? {};
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_NO_STATE_HOOKS.skipDirs);
+    const allowed = c.allowedFiles ?? DEFAULT_NO_STATE_HOOKS.allowedFiles;
+    const out = [];
+    for (const z of c.zones ?? DEFAULT_NO_STATE_HOOKS.zones) {
+      await walkScannableFiles(join7(root, z), skipDirs, out);
+    }
+    return out.filter((p) => {
+      const rel = relative4(root, p);
+      return !isTestFile2(rel) && !isAllowedByGlob(rel, allowed);
+    });
+  },
+  run: async ({ rootDir, config }) => {
+    const c = config ?? {};
+    const banned = c.banned ?? DEFAULT_NO_STATE_HOOKS.banned;
+    if (banned.length === 0)
+      return { ok: true, messages: [] };
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_NO_STATE_HOOKS.skipDirs);
+    const allowed = c.allowedFiles ?? DEFAULT_NO_STATE_HOOKS.allowedFiles;
+    const regex = buildHookRegex(banned);
+    const violations = [];
+    for (const z of c.zones ?? DEFAULT_NO_STATE_HOOKS.zones) {
+      const files = [];
+      await walkScannableFiles(join7(rootDir, z), skipDirs, files);
+      for (const filePath of files) {
+        const rel = relative4(rootDir, filePath);
+        if (isTestFile2(rel) || isAllowedByGlob(rel, allowed))
+          continue;
+        violations.push(...await scanFileForHookCalls(filePath, rel, regex));
+      }
+    }
+    return { ok: violations.length === 0, messages: violations };
+  }
+};
+async function scanFileForHookCalls(filePath, rel, regex) {
+  const content = await Bun.file(filePath).text();
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i] ?? "";
+    if (isCommentLine2(line.trim()))
+      continue;
+    if (regex.test(line))
+      out.push(`${rel}:${i + 1}: ${line.trim()}`);
+  }
+  return out;
+}
+var STRAIGHT_PATTERN = /["']/;
+var TYPOGRAPHIC_PATTERN = /[‘’“”]/;
+var DEFAULT_TYPOGRAPHIC = {
+  typographicZone: [],
+  straightZone: [],
+  zones: ["src", "tools", "cli", "scripts"],
+  skipDirs: SKIP_DIRS_DEFAULT
+};
+function fileMatchesAnyGlob(rel, globs) {
+  for (const g of globs) {
+    if (new Glob3(g).match(rel))
+      return true;
+  }
+  return false;
+}
+var typographicQuotes = {
+  id: "polly:typographic-quotes",
+  description: "Enforce typographic quotes inside configured zones, straight quotes outside (opt-in)",
+  filesRead: async (cfg, root) => {
+    const c = cfg ?? {};
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_TYPOGRAPHIC.skipDirs);
+    const out = [];
+    for (const z of c.zones ?? DEFAULT_TYPOGRAPHIC.zones) {
+      await walkScannableFiles(join7(root, z), skipDirs, out);
+    }
+    return out;
+  },
+  run: async ({ rootDir, config }) => {
+    const c = config ?? {};
+    const tz = c.typographicZone ?? DEFAULT_TYPOGRAPHIC.typographicZone;
+    const sz = c.straightZone ?? DEFAULT_TYPOGRAPHIC.straightZone;
+    if (tz.length === 0 && sz.length === 0)
+      return { ok: true, messages: [] };
+    return runTypographicScan(rootDir, c, tz, sz);
+  }
+};
+async function scanFileForQuoteViolations(filePath, rel, inTypographicZone, inStraightZone) {
+  const content = await Bun.file(filePath).text();
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i] ?? "";
+    if (inTypographicZone && STRAIGHT_PATTERN.test(line)) {
+      out.push(`${rel}:${i + 1}: straight quote in typographic zone — ${line.trim()}`);
+    }
+    if (inStraightZone && TYPOGRAPHIC_PATTERN.test(line)) {
+      out.push(`${rel}:${i + 1}: typographic quote in straight zone — ${line.trim()}`);
+    }
+  }
+  return out;
+}
+async function runTypographicScan(rootDir, c, tz, sz) {
+  const skipDirs = new Set(c.skipDirs ?? DEFAULT_TYPOGRAPHIC.skipDirs);
+  const violations = [];
+  for (const z of c.zones ?? DEFAULT_TYPOGRAPHIC.zones) {
+    const files = [];
+    await walkScannableFiles(join7(rootDir, z), skipDirs, files);
+    for (const filePath of files) {
+      const rel = relative4(rootDir, filePath);
+      const inT = fileMatchesAnyGlob(rel, tz);
+      const inS = fileMatchesAnyGlob(rel, sz);
+      if (!inT && !inS)
+        continue;
+      violations.push(...await scanFileForQuoteViolations(filePath, rel, inT, inS));
+    }
+  }
+  return { ok: violations.length === 0, messages: violations };
+}
+var extraCoreChecks = [
+  forbiddenDeps,
+  noStateHooks,
+  typographicQuotes
+];
+
+// tools/quality/src/plugins/import-checks.ts
+import { readdir as readdir5 } from "node:fs/promises";
+import { join as join8, relative as relative5 } from "node:path";
+import { Glob as Glob4 } from "bun";
+var SKIP_DIRS_DEFAULT2 = ["node_modules", ".git", "dist", ".bun", ".cache"];
+function isCommentLine3(trimmed) {
+  return trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*");
+}
+function isTestFile3(rel) {
+  return rel.includes("__tests__") || rel.includes(".test.") || rel.includes(".spec.") || rel.startsWith("tests/");
+}
+async function walkScannableFiles2(dir, skipDirs, out) {
+  let entries;
+  try {
+    entries = await readdir5(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    const fullPath = join8(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (!skipDirs.has(entry.name))
+        await walkScannableFiles2(fullPath, skipDirs, out);
+    } else if (entry.isFile() && (entry.name.endsWith(".ts") || entry.name.endsWith(".tsx"))) {
+      out.push(fullPath);
+    }
+  }
+}
+function isAllowedByGlob2(rel, globs) {
+  for (const g of globs) {
+    if (new Glob4(g).match(rel))
+      return true;
+  }
+  return false;
+}
+var IMPORT_REGEX3 = /(?:import|export)\s+.*?from\s+['"]([^'"]+)['"]|require\(\s*['"]([^'"]+)['"]\s*\)/g;
+function specifiersInLine(line) {
+  const out = [];
+  IMPORT_REGEX3.lastIndex = 0;
+  let match = IMPORT_REGEX3.exec(line);
+  while (match !== null) {
+    const s = match[1] || match[2];
+    if (s)
+      out.push(s);
+    match = IMPORT_REGEX3.exec(line);
+  }
+  return out;
+}
+var DEFAULT_RELATIVE = {
+  maxDepth: 1,
+  allowedFiles: [],
+  zones: ["src", "tools", "cli", "scripts"],
+  skipDirs: SKIP_DIRS_DEFAULT2
+};
+function relativeDepth(specifier) {
+  if (!specifier.startsWith(".."))
+    return 0;
+  let depth = 0;
+  for (const segment of specifier.split("/")) {
+    if (segment === "..")
+      depth++;
+    else
+      break;
+  }
+  return depth;
+}
+async function scanFileForRelativeViolations(filePath, rel, maxDepth) {
+  const content = await Bun.file(filePath).text();
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i] ?? "";
+    if (isCommentLine3(line.trim()))
+      continue;
+    for (const specifier of specifiersInLine(line)) {
+      if (relativeDepth(specifier) > maxDepth) {
+        out.push(`${rel}:${i + 1}: import "${specifier}" exceeds maxDepth ${maxDepth}`);
+      }
+    }
+  }
+  return out;
+}
+var relativeImports = {
+  id: "polly:relative-imports",
+  description: "Ban `../` imports deeper than a configured threshold",
+  filesRead: async (cfg, root) => {
+    const c = cfg ?? {};
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_RELATIVE.skipDirs);
+    const allowed = c.allowedFiles ?? DEFAULT_RELATIVE.allowedFiles;
+    const out = [];
+    for (const z of c.zones ?? DEFAULT_RELATIVE.zones) {
+      await walkScannableFiles2(join8(root, z), skipDirs, out);
+    }
+    return out.filter((p) => {
+      const rel = relative5(root, p);
+      return !isTestFile3(rel) && !isAllowedByGlob2(rel, allowed);
+    });
+  },
+  run: async ({ rootDir, config }) => {
+    const c = config ?? {};
+    const maxDepth = c.maxDepth ?? DEFAULT_RELATIVE.maxDepth;
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_RELATIVE.skipDirs);
+    const allowed = c.allowedFiles ?? DEFAULT_RELATIVE.allowedFiles;
+    const violations = [];
+    for (const z of c.zones ?? DEFAULT_RELATIVE.zones) {
+      const files = [];
+      await walkScannableFiles2(join8(rootDir, z), skipDirs, files);
+      for (const filePath of files) {
+        const rel = relative5(rootDir, filePath);
+        if (isTestFile3(rel) || isAllowedByGlob2(rel, allowed))
+          continue;
+        violations.push(...await scanFileForRelativeViolations(filePath, rel, maxDepth));
+      }
+    }
+    return { ok: violations.length === 0, messages: violations };
+  }
+};
+var DEFAULT_TSCONFIG_PATHS = {
+  files: ["tsconfig.json", "tsconfig.base.json"],
+  allowedAliases: []
+};
+async function findTsconfigs(rootDir, names) {
+  const out = [];
+  const skipDirs = new Set(SKIP_DIRS_DEFAULT2);
+  async function walk(dir) {
+    let entries;
+    try {
+      entries = await readdir5(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const fullPath = join8(dir, entry.name);
+      if (entry.isDirectory()) {
+        if (!skipDirs.has(entry.name))
+          await walk(fullPath);
+      } else if (entry.isFile() && names.includes(entry.name)) {
+        out.push(fullPath);
+      }
+    }
+  }
+  await walk(rootDir);
+  return out;
+}
+var tsconfigPaths = {
+  id: "polly:tsconfig-paths",
+  description: "Flag `compilerOptions.paths` entries (use package.json subpath imports instead)",
+  filesRead: async (cfg, root) => findTsconfigs(root, cfg?.files ?? DEFAULT_TSCONFIG_PATHS.files),
+  run: async ({ rootDir, config }) => {
+    const c = config ?? {};
+    const files = c.files ?? DEFAULT_TSCONFIG_PATHS.files;
+    const allowed = new Set(c.allowedAliases ?? DEFAULT_TSCONFIG_PATHS.allowedAliases);
+    const violations = [];
+    for (const tsconfigPath of await findTsconfigs(rootDir, files)) {
+      const raw = await Bun.file(tsconfigPath).text();
+      const stripped = raw.replace(/\/\/[^\n]*\n/g, `
+`).replace(/\/\*[\s\S]*?\*\//g, "");
+      let parsed;
+      try {
+        parsed = JSON.parse(stripped);
+      } catch {
+        violations.push(`${relative5(rootDir, tsconfigPath)}: failed to parse as JSON`);
+        continue;
+      }
+      const paths = parsed.compilerOptions?.paths ?? {};
+      for (const alias of Object.keys(paths)) {
+        if (allowed.has(alias))
+          continue;
+        violations.push(`${relative5(rootDir, tsconfigPath)}: paths["${alias}"] is set`);
+      }
+    }
+    return { ok: violations.length === 0, messages: violations };
+  }
+};
+var DEFAULT_NO_RAW_HTTP = {
+  banned: ["fetch", "XMLHttpRequest", "axios"],
+  allowedFiles: [],
+  zones: ["src"],
+  skipDirs: SKIP_DIRS_DEFAULT2
+};
+function buildBannedCallRegex(banned) {
+  const alts = banned.map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join("|");
+  return new RegExp(`\\b(${alts})\\s*[\\(.]`);
+}
+async function scanFileForRawHttp(filePath, rel, canonicalClient, bannedRegex) {
+  const content = await Bun.file(filePath).text();
+  const lines = content.split(`
+`);
+  const out = [];
+  const isCanonicalImpl = lines.some((l) => l.includes(`from "${canonicalClient}"`) || l.includes(`from '${canonicalClient}'`));
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i] ?? "";
+    const trimmed = line.trim();
+    if (isCommentLine3(trimmed))
+      continue;
+    if (bannedRegex.test(line) && !isCanonicalImpl) {
+      out.push(`${rel}:${i + 1}: ${trimmed}`);
+    }
+  }
+  return out;
+}
+var noRawHttp = {
+  id: "polly:no-raw-http",
+  description: "Force HTTP calls through a configured canonical client (opt-in)",
+  filesRead: async (cfg, root) => {
+    if (!cfg?.canonicalClient)
+      return [];
+    const skipDirs = new Set(cfg.skipDirs ?? DEFAULT_NO_RAW_HTTP.skipDirs);
+    const allowed = cfg.allowedFiles ?? DEFAULT_NO_RAW_HTTP.allowedFiles;
+    const out = [];
+    for (const z of cfg.zones ?? DEFAULT_NO_RAW_HTTP.zones) {
+      await walkScannableFiles2(join8(root, z), skipDirs, out);
+    }
+    return out.filter((p) => {
+      const rel = relative5(root, p);
+      return !isTestFile3(rel) && !isAllowedByGlob2(rel, allowed);
+    });
+  },
+  run: async ({ rootDir, config }) => {
+    const c = config ?? {};
+    if (!c.canonicalClient) {
+      return { ok: true, messages: [] };
+    }
+    const banned = c.banned ?? DEFAULT_NO_RAW_HTTP.banned;
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_NO_RAW_HTTP.skipDirs);
+    const allowed = c.allowedFiles ?? DEFAULT_NO_RAW_HTTP.allowedFiles;
+    const bannedRegex = buildBannedCallRegex(banned);
+    const violations = [];
+    for (const z of c.zones ?? DEFAULT_NO_RAW_HTTP.zones) {
+      const files = [];
+      await walkScannableFiles2(join8(rootDir, z), skipDirs, files);
+      for (const filePath of files) {
+        const rel = relative5(rootDir, filePath);
+        if (isTestFile3(rel) || isAllowedByGlob2(rel, allowed))
+          continue;
+        violations.push(...await scanFileForRawHttp(filePath, rel, c.canonicalClient, bannedRegex));
+      }
+    }
+    return { ok: violations.length === 0, messages: violations };
+  }
+};
+async function runTscFor(packagePath, rootDir) {
+  const proc = Bun.spawn(["bunx", "tsc", "--noEmit", "-p", packagePath], {
+    cwd: rootDir,
+    stdout: "pipe",
+    stderr: "pipe"
+  });
+  const [stdout, stderr] = await Promise.all([
+    new Response(proc.stdout).text(),
+    new Response(proc.stderr).text()
+  ]);
+  await proc.exited;
+  return { ok: proc.exitCode === 0, output: `${stdout}${stderr}` };
+}
+async function findWorkspaces(rootDir, patterns) {
+  const out = [];
+  for (const pattern of patterns) {
+    const glob = new Glob4(`${pattern}/tsconfig.json`);
+    for await (const file of glob.scan({ cwd: rootDir, absolute: true })) {
+      out.push(file.replace(/\/tsconfig\.json$/, ""));
+    }
+  }
+  return [...new Set(out)];
+}
+var types = {
+  id: "polly:types",
+  description: "Run `tsc --noEmit` against each workspace package in parallel",
+  filesRead: async () => {
+    return [];
+  },
+  run: async ({ rootDir, config }) => {
+    const patterns = (config ?? {}).workspaces ?? ["packages/*", "."];
+    const packages = await findWorkspaces(rootDir, patterns);
+    if (packages.length === 0)
+      return { ok: true, messages: ["no workspace packages found"] };
+    const results = await Promise.all(packages.map((p) => runTscFor(p, rootDir)));
+    return aggregateTypesResults(packages, results, rootDir);
+  }
+};
+function appendTscFailure(messages, relPkg, output) {
+  messages.push(`${relPkg}: tsc --noEmit failed`);
+  const trimmed = output.trim();
+  if (!trimmed)
+    return;
+  for (const ln of trimmed.split(`
+`).slice(0, 30))
+    messages.push(`  ${ln}`);
+}
+function aggregateTypesResults(packages, results, rootDir) {
+  const messages = [];
+  let ok = true;
+  for (let i = 0;i < packages.length; i++) {
+    const pkg = packages[i];
+    const r = results[i];
+    if (!pkg || !r || r.ok)
+      continue;
+    ok = false;
+    appendTscFailure(messages, relative5(rootDir, pkg) || ".", r.output);
+  }
+  return { ok, messages };
+}
+var importCoreChecks = [
+  relativeImports,
+  tsconfigPaths,
+  noRawHttp,
+  types
+];
+
+// tools/quality/src/plugins/core.ts
+var DEFAULT_EXCLUDES = ["node_modules", "dist", ".git", ".bun", "dist-test", "build", "coverage"];
+async function scanFiles(rootDir, cfg) {
+  const excludeDirs = new Set(cfg.exclude ?? DEFAULT_EXCLUDES);
+  const excludePackages = new Set(cfg.excludePackages ?? []);
+  const excludeFiles = new Set(cfg.excludeFiles ?? []);
+  const pattern = cfg.filePatterns ?? "**/*.{ts,tsx}";
+  const glob = new Glob5(pattern);
+  const out = [];
+  for await (const file of glob.scan({ cwd: rootDir, absolute: true })) {
+    const rel = file.replace(`${rootDir}/`, "");
+    const segments = rel.split("/");
+    if (segments.some((s) => excludeDirs.has(s)))
+      continue;
+    if (excludePackages.size > 0 && segments.some((s) => excludePackages.has(s)))
+      continue;
+    const basename = segments[segments.length - 1] ?? "";
+    if (excludeFiles.has(basename) || excludeFiles.has(rel))
+      continue;
+    out.push(file);
+  }
+  return out;
+}
+function resolveScanConfig(config) {
+  return config ?? {};
+}
+var noAsCasting = {
+  id: "polly:no-as-casting",
+  description: "Ban TypeScript `as` type assertions outside the allowed forms",
+  filesRead: (cfg, root) => scanFiles(root, resolveScanConfig(cfg)),
+  run: async ({ rootDir, config }) => {
+    const cfg = resolveScanConfig(config);
+    const result = await checkNoAsCasting({
+      rootDir,
+      exclude: cfg.exclude ?? DEFAULT_EXCLUDES,
+      ...cfg.excludePackages ? { excludePackages: cfg.excludePackages } : {},
+      ...cfg.excludeFiles ? { excludeFiles: cfg.excludeFiles } : {},
+      ...cfg.filePatterns ? { filePatterns: cfg.filePatterns } : {}
+    });
+    return {
+      ok: result.violations.length === 0,
+      messages: result.violations.map((v) => `${v.file}:${v.line}: ${v.content}${v.advice ? ` — ${v.advice}` : ""}`)
+    };
+  }
+};
+var noRequire = {
+  id: "polly:no-require",
+  description: "Ban CommonJS `require(...)` calls in TypeScript source",
+  filesRead: (cfg, root) => scanFiles(root, resolveScanConfig(cfg)),
+  run: async ({ rootDir, config }) => {
+    const cfg = resolveScanConfig(config);
+    const result = await checkNoRequire({
+      rootDir,
+      exclude: cfg.exclude ?? DEFAULT_EXCLUDES,
+      ...cfg.filePatterns ? { filePatterns: cfg.filePatterns } : {}
+    });
+    return {
+      ok: result.violations.length === 0,
+      messages: result.violations.map((v) => `${v.file}:${v.line}: ${v.content}`)
+    };
+  }
+};
+var secrets = {
+  id: "polly:secrets",
+  description: "Run `gitleaks detect` against the working tree",
+  filesRead: async (cfg, root) => {
+    const c = cfg ?? {};
+    if (!c.configPath)
+      return [];
+    return [join9(root, c.configPath)];
+  },
+  cacheKeyExtras: (cfg) => ({
+    noGit: (cfg ?? {}).noGit === false ? "false" : "true"
+  }),
+  run: async ({ rootDir, config }) => {
+    const cfg = config ?? {};
+    const result = await checkSecrets({
+      root: rootDir,
+      ...cfg.configPath ? { configPath: cfg.configPath } : {},
+      ...typeof cfg.noGit === "boolean" ? { noGit: cfg.noGit } : {}
+    });
+    if (!result.binaryFound) {
+      return {
+        ok: false,
+        messages: [
+          "gitleaks is not on PATH. Install with `brew install gitleaks` (macOS) or from https://github.com/gitleaks/gitleaks/releases."
+        ]
+      };
+    }
+    return {
+      ok: result.exitCode === 0,
+      messages: result.exitCode === 0 ? [] : [result.output.trim() || `gitleaks exited ${result.exitCode}`]
+    };
+  }
+};
+var gitignoreCrossCheck = {
+  id: "polly:gitignore-cross-check",
+  description: "Verify every gitleaks allowlist entry marked as gitignored is actually covered by .gitignore",
+  filesRead: (cfg, root) => {
+    const c = cfg ?? {};
+    return [
+      join9(root, c.tomlPath ?? ".gitleaks.toml"),
+      join9(root, c.gitignorePath ?? ".gitignore")
+    ];
+  },
+  run: async ({ rootDir, config }) => {
+    const cfg = config ?? {};
+    const result = await checkGitignoreCoversAllowlist({
+      root: rootDir,
+      ...cfg.tomlPath ? { tomlPath: cfg.tomlPath } : {},
+      ...cfg.gitignorePath ? { gitignorePath: cfg.gitignorePath } : {},
+      ...cfg.sectionStartMarkers ? { sectionStartMarkers: cfg.sectionStartMarkers } : {},
+      ...cfg.sectionEndMarkers ? { sectionEndMarkers: cfg.sectionEndMarkers } : {}
+    });
+    return {
+      ok: result.missing.length === 0,
+      messages: result.missing.length === 0 ? [] : [
+        "Paths allowed by .gitleaks.toml are NOT covered by .gitignore:",
+        ...result.missing.map((f) => `  ${f}`)
+      ]
+    };
+  }
+};
+var POLLY_CORE_VERSION = "0.45.0";
+var pollyCorePlugin = {
+  name: "polly",
+  version: POLLY_CORE_VERSION,
+  checks: [
+    noAsCasting,
+    noRequire,
+    secrets,
+    gitignoreCrossCheck,
+    ...additionalCoreChecks,
+    ...extraCoreChecks,
+    ...importCoreChecks
+  ]
+};
+
+// tools/quality/src/config.ts
+var DEFAULT_PATHS = ["polly.config.ts", "polly.config.js", "polly.config.mjs"];
+async function loadQualityConfig(rootDir, explicitPath) {
+  const candidates = explicitPath ? [explicitPath] : DEFAULT_PATHS.map((p) => join10(rootDir, p));
+  for (const path of candidates) {
+    if (!await Bun.file(path).exists())
+      continue;
+    const mod = await import(path);
+    const config = mod.default?.quality;
+    if (!config)
+      continue;
+    if (!Array.isArray(config.plugins) || config.plugins.length === 0) {
+      throw new Error(`${path}: \`quality.plugins\` must be a non-empty array`);
+    }
+    return config;
+  }
+  return { plugins: [pollyCorePlugin] };
+}
+// tools/quality/src/plugins/polly-ui.ts
+import { readdir as readdir6 } from "node:fs/promises";
+import { join as join11, relative as relative6 } from "node:path";
+import { Glob as Glob6 } from "bun";
+var SKIP_DIRS_DEFAULT3 = ["node_modules", ".git", "dist", ".bun", ".cache"];
+function isCommentLine4(trimmed) {
+  return trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*");
+}
+function isAllowedByGlob3(rel, globs) {
+  for (const g of globs) {
+    if (new Glob6(g).match(rel))
+      return true;
+  }
+  return false;
+}
+async function walkScannableFiles3(dir, skipDirs, exts, out) {
+  let entries;
+  try {
+    entries = await readdir6(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    const fullPath = join11(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (!skipDirs.has(entry.name))
+        await walkScannableFiles3(fullPath, skipDirs, exts, out);
+    } else if (entry.isFile() && exts.some((e) => entry.name.endsWith(e))) {
+      out.push(fullPath);
+    }
+  }
+}
+var cssLayout = {
+  id: "polly-ui:css-layout",
+  description: "Enforce that layout values come from the <Layout> primitive, not ad-hoc CSS",
+  run: async ({ rootDir, config }) => {
+    const r = await checkCssLayout({
+      rootDir,
+      ...config?.skipDirs ? { skipDirs: config.skipDirs } : {}
+    });
+    return {
+      ok: r.violations.length === 0,
+      messages: r.violations.map((v) => `${v.file}:${v.line}: ${v.rule}`)
+    };
+  }
+};
+var cssQuality = {
+  id: "polly-ui:css-quality",
+  description: "Enforce that styled values come from semantic tokens, not literals",
+  run: async ({ rootDir, config }) => {
+    const r = await checkCssQuality({
+      rootDir,
+      ...config?.skipDirs ? { skipDirs: config.skipDirs } : {}
+    });
+    return {
+      ok: r.violations.length === 0,
+      messages: r.violations.map((v) => `${v.file}:${v.line}: ${v.rule}`)
+    };
+  }
+};
+var cssVars = {
+  id: "polly-ui:css-vars",
+  description: "Flag `var(--name)` references that resolve to no `--name:` definition",
+  run: async ({ rootDir, config }) => {
+    const r = await checkCssVars({
+      rootDir,
+      ...config?.skipDirs ? { skipDirs: config.skipDirs } : {}
+    });
+    return {
+      ok: r.violations.length === 0,
+      messages: r.violations.map((v) => `${v.file}:${v.line}: ${v.rule}`)
+    };
+  }
+};
+var cssUnused = {
+  id: "polly-ui:css-unused",
+  description: "Surface CSS-module selectors that are never referenced from JS/TSX (advisory)",
+  run: async ({ rootDir, config }) => {
+    const r = await checkCssUnused({
+      rootDir,
+      ...config?.skipDirs ? { skipDirs: config.skipDirs } : {}
+    });
+    return {
+      ok: true,
+      messages: r.violations.map((v) => `${v.file}:${v.line}: ${v.rule}`)
+    };
+  }
+};
+var sharedComponents = {
+  id: "polly-ui:shared-components",
+  description: "Ban native interactive HTML elements; require the polly-ui primitive (<Button>, <Modal>, etc.)",
+  run: async ({ rootDir, config }) => {
+    const c = config ?? {};
+    const r = await checkSharedComponents({
+      root: rootDir,
+      ...c.scanRoot ? { scanRoot: c.scanRoot } : {},
+      ...c.skipDirs ? { skipDirs: new Set(c.skipDirs) } : {},
+      ...c.exemptPackages ? { exemptPackages: new Set(c.exemptPackages) } : {}
+    });
+    return {
+      ok: r.violations.length === 0,
+      messages: r.violations.map((v) => `${v.file}:${v.line}: ${v.element} → ${v.replacement} — ${v.content}`)
+    };
+  }
+};
+var DEFAULT_NO_INLINE_HANDLERS = {
+  banned: [
+    "onClick",
+    "onSubmit",
+    "onChange",
+    "onInput",
+    "onFocus",
+    "onBlur",
+    "onKeyDown",
+    "onKeyUp",
+    "onMouseDown",
+    "onMouseUp",
+    "onMouseEnter",
+    "onMouseLeave"
+  ],
+  allowedFiles: [],
+  zones: ["src"],
+  skipDirs: SKIP_DIRS_DEFAULT3
+};
+function escapeRegex(name) {
+  return name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function buildHandlerRegex(banned) {
+  const alts = banned.map(escapeRegex).join("|");
+  return new RegExp(`\\b(${alts})\\s*=\\s*\\{`);
+}
+function isTestFile4(rel) {
+  return rel.includes("__tests__") || rel.includes(".test.") || rel.includes(".spec.") || rel.startsWith("tests/");
+}
+async function scanFileForInlineHandlers(filePath, rel, regex) {
+  const content = await Bun.file(filePath).text();
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i] ?? "";
+    if (isCommentLine4(line.trim()))
+      continue;
+    if (regex.test(line)) {
+      out.push(`${rel}:${i + 1}: ${line.trim()}`);
+    }
+  }
+  return out;
+}
+var noInlineHandlers = {
+  id: "polly-ui:no-inline-handlers",
+  description: "Ban inline JSX event handlers (use data-action delegation instead — see polly-ui actions runtime)",
+  filesRead: async (cfg, root) => {
+    const c = cfg ?? {};
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_NO_INLINE_HANDLERS.skipDirs);
+    const allowed = c.allowedFiles ?? DEFAULT_NO_INLINE_HANDLERS.allowedFiles;
+    const out = [];
+    for (const z of c.zones ?? DEFAULT_NO_INLINE_HANDLERS.zones) {
+      await walkScannableFiles3(join11(root, z), skipDirs, [".tsx"], out);
+    }
+    return out.filter((p) => {
+      const rel = relative6(root, p);
+      return !isTestFile4(rel) && !isAllowedByGlob3(rel, allowed);
+    });
+  },
+  run: async ({ rootDir, config }) => {
+    const c = config ?? {};
+    const banned = c.banned ?? DEFAULT_NO_INLINE_HANDLERS.banned;
+    if (banned.length === 0)
+      return { ok: true, messages: [] };
+    const skipDirs = new Set(c.skipDirs ?? DEFAULT_NO_INLINE_HANDLERS.skipDirs);
+    const allowed = c.allowedFiles ?? DEFAULT_NO_INLINE_HANDLERS.allowedFiles;
+    const regex = buildHandlerRegex(banned);
+    const violations = [];
+    for (const z of c.zones ?? DEFAULT_NO_INLINE_HANDLERS.zones) {
+      const files = [];
+      await walkScannableFiles3(join11(rootDir, z), skipDirs, [".tsx"], files);
+      for (const filePath of files) {
+        const rel = relative6(rootDir, filePath);
+        if (isTestFile4(rel) || isAllowedByGlob3(rel, allowed))
+          continue;
+        violations.push(...await scanFileForInlineHandlers(filePath, rel, regex));
+      }
+    }
+    return { ok: violations.length === 0, messages: violations };
+  }
+};
+var POLLY_UI_PLUGIN_VERSION = "0.46.0";
+var pollyUiPlugin = {
+  name: "polly-ui",
+  version: POLLY_UI_PLUGIN_VERSION,
+  checks: [
+    cssLayout,
+    cssQuality,
+    cssVars,
+    cssUnused,
+    sharedComponents,
+    noInlineHandlers
+  ]
+};
 export {
+  validateRunConfig,
+  summariseRunReport,
   suggestFix,
+  setCachedOutcome,
+  runChecks,
+  runAttest,
   resetLogger,
+  registerPlugins,
+  pollyUiPlugin,
+  pollyCorePlugin,
   logger,
+  loadQualityConfig,
+  listChecks,
   isLineRequireClean,
   isLineClean,
+  getCachedOutcome,
+  digestRun,
+  computeInputsHash,
   checkSharedComponents,
   checkSecrets,
   checkNoRequire,
@@ -1068,7 +2702,9 @@ export {
   checkCssUnused,
   checkCssQuality,
   checkCssLayout,
+  POLLY_UI_PLUGIN_VERSION,
+  POLLY_CORE_VERSION,
   DEFAULT_SHARED_COMPONENT_RULES
 };
 
-//# debugId=DF1AD1BD498F9B7264756E2164756E21
+//# debugId=D75CC99DF86A22C764756E2164756E21