@gpc-cli/core 0.9.32 → 0.9.33

package/dist/index.js

@@ -644,6 +644,29 @@ function formatSize(bytes) {
 }
 
 // src/commands/releases.ts
+async function withRetryOnConflict(client, packageName, operation) {
+  const edit = await client.edits.insert(packageName);
+  try {
+    return await operation(edit);
+  } catch (error) {
+    const isConflict = error instanceof PlayApiError && error.statusCode === 409;
+    if (!isConflict) {
+      await client.edits.delete(packageName, edit.id).catch(() => {
+      });
+      throw error;
+    }
+    await client.edits.delete(packageName, edit.id).catch(() => {
+    });
+    const freshEdit = await client.edits.insert(packageName);
+    try {
+      return await operation(freshEdit);
+    } catch (retryError) {
+      await client.edits.delete(packageName, freshEdit.id).catch(() => {
+      });
+      throw retryError;
+    }
+  }
+}
 function warnIfEditExpiring(edit) {
   if (!edit.expiryTimeSeconds) return;
   const expiryMs = Number(edit.expiryTimeSeconds) * 1e3;
@@ -770,8 +793,15 @@ async function getReleasesStatus(client, packageName, trackFilter) {
   }
 }
 async function promoteRelease(client, packageName, fromTrack, toTrack, options) {
-  const edit = await client.edits.insert(packageName);
-  try {
+  if (options?.userFraction && (options.userFraction <= 0 || options.userFraction > 1)) {
+    throw new GpcError(
+      "Rollout percentage must be between 0 and 1 (e.g., 0.1 for 10%)",
+      "RELEASE_INVALID_FRACTION",
+      2,
+      "Use a decimal value like 0.1 for 10%, 0.5 for 50%, or 1.0 for 100%."
+    );
+  }
+  return withRetryOnConflict(client, packageName, async (edit) => {
     const sourceTrack = await client.tracks.get(packageName, edit.id, fromTrack);
     const currentRelease = sourceTrack.releases?.find(
       (r) => r.status === "completed" || r.status === "inProgress"
@@ -784,14 +814,6 @@ async function promoteRelease(client, packageName, fromTrack, toTrack, options)
         `Ensure there is a completed or in-progress release on the "${fromTrack}" track before promoting.`
       );
     }
-    if (options?.userFraction && (options.userFraction <= 0 || options.userFraction > 1)) {
-      throw new GpcError(
-        "Rollout percentage must be between 0 and 1 (e.g., 0.1 for 10%)",
-        "RELEASE_INVALID_FRACTION",
-        2,
-        "Use a decimal value like 0.1 for 10%, 0.5 for 50%, or 1.0 for 100%."
-      );
-    }
     const release = {
       versionCodes: currentRelease.versionCodes,
       status: options?.userFraction ? "inProgress" : "completed",
@@ -807,11 +829,7 @@ async function promoteRelease(client, packageName, fromTrack, toTrack, options)
       versionCodes: release.versionCodes,
       userFraction: release.userFraction
     };
-  } catch (error) {
-    await client.edits.delete(packageName, edit.id).catch(() => {
-    });
-    throw error;
-  }
+  });
 }
 async function updateRollout(client, packageName, track, action, userFraction) {
   const edit = await client.edits.insert(packageName);
@@ -951,6 +969,25 @@ async function updateTrackConfig(client, packageName, trackName, config) {
     throw error;
   }
 }
+async function fetchReleaseNotes(client, packageName, track) {
+  const edit = await client.edits.insert(packageName);
+  try {
+    const trackData = await client.tracks.get(packageName, edit.id, track);
+    const release = trackData.releases?.find((r) => r.status === "completed" || r.status === "inProgress") ?? trackData.releases?.[0];
+    if (!release) {
+      throw new GpcError(
+        `No release found on track "${track}" to copy notes from`,
+        "RELEASE_NOT_FOUND",
+        1,
+        `Ensure there is a release on the "${track}" track.`
+      );
+    }
+    return release.releaseNotes ?? [];
+  } finally {
+    await client.edits.delete(packageName, edit.id).catch(() => {
+    });
+  }
+}
 async function diffReleases(client, packageName, fromTrack, toTrack) {
   const edit = await client.edits.insert(packageName);
   try {
@@ -1177,9 +1214,9 @@ async function readListingsFromDir(dir) {
   const listings = [];
   if (!await exists(dir)) return listings;
   const entries = await readdir(dir);
-  const SAFE_LANG = /^[a-zA-Z]{2,3}(-[a-zA-Z0-9]{2,8})*$/;
+  const SAFE_LANG2 = /^[a-zA-Z]{2,3}(-[a-zA-Z0-9]{2,8})*$/;
   for (const lang of entries) {
-    if (!SAFE_LANG.test(lang)) continue;
+    if (!SAFE_LANG2.test(lang)) continue;
     const langDir = join(dir, lang);
     const langStat = await stat4(langDir);
     if (!langStat.isDirectory()) continue;
@@ -1588,8 +1625,8 @@ var ALL_IMAGE_TYPES = [
   "tvBanner"
 ];
 async function exportImages(client, packageName, dir, options) {
-  const { mkdir: mkdir7, writeFile: writeFile9 } = await import("fs/promises");
-  const { join: join9 } = await import("path");
+  const { mkdir: mkdir8, writeFile: writeFile10 } = await import("fs/promises");
+  const { join: join12 } = await import("path");
   const edit = await client.edits.insert(packageName);
   try {
     let languages;
@@ -1620,12 +1657,12 @@ async function exportImages(client, packageName, dir, options) {
       const batch = tasks.slice(i, i + concurrency);
       const results = await Promise.all(
         batch.map(async (task) => {
-          const dirPath = join9(dir, task.language, task.imageType);
-          await mkdir7(dirPath, { recursive: true });
+          const dirPath = join12(dir, task.language, task.imageType);
+          await mkdir8(dirPath, { recursive: true });
           const response = await fetch(task.url);
           const buffer = Buffer.from(await response.arrayBuffer());
-          const filePath = join9(dirPath, `${task.index}.png`);
-          await writeFile9(filePath, buffer);
+          const filePath = join12(dirPath, `${task.index}.png`);
+          await writeFile10(filePath, buffer);
           return buffer.length;
         })
       );
@@ -4301,6 +4338,1599 @@ function safePathWithin(userPath, baseDir) {
   return resolved;
 }
 
+// src/commands/init.ts
+import { mkdir as mkdir5, writeFile as writeFile6, stat as stat7 } from "fs/promises";
+import { join as join7 } from "path";
+async function exists2(path) {
+  try {
+    await stat7(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function safeWrite(filePath, content, created, skipped, skipExisting) {
+  if (await exists2(filePath)) {
+    if (skipExisting) {
+      skipped.push(filePath);
+      return;
+    }
+  }
+  const dir = filePath.substring(0, filePath.lastIndexOf("/"));
+  await mkdir5(dir, { recursive: true });
+  await writeFile6(filePath, content, "utf-8");
+  created.push(filePath);
+}
+async function initProject(options) {
+  const { dir, app, ci } = options;
+  const skipExisting = options.skipExisting !== false;
+  const created = [];
+  const skipped = [];
+  const pkg = app || "com.example.app";
+  const gpcrc = JSON.stringify(
+    {
+      app: pkg,
+      output: "table"
+    },
+    null,
+    2
+  );
+  await safeWrite(join7(dir, ".gpcrc.json"), gpcrc + "\n", created, skipped, skipExisting);
+  const preflightrc = JSON.stringify(
+    {
+      failOn: "error",
+      targetSdkMinimum: 35,
+      maxDownloadSizeMb: 150,
+      allowedPermissions: [],
+      disabledRules: [],
+      severityOverrides: {}
+    },
+    null,
+    2
+  );
+  await safeWrite(
+    join7(dir, ".preflightrc.json"),
+    preflightrc + "\n",
+    created,
+    skipped,
+    skipExisting
+  );
+  const metaDir = join7(dir, "metadata", "android", "en-US");
+  await safeWrite(join7(metaDir, "title.txt"), "", created, skipped, skipExisting);
+  await safeWrite(join7(metaDir, "short_description.txt"), "", created, skipped, skipExisting);
+  await safeWrite(join7(metaDir, "full_description.txt"), "", created, skipped, skipExisting);
+  await safeWrite(join7(metaDir, "video.txt"), "", created, skipped, skipExisting);
+  const ssDir = join7(metaDir, "images", "phoneScreenshots");
+  await mkdir5(ssDir, { recursive: true });
+  await safeWrite(join7(ssDir, ".gitkeep"), "", created, skipped, skipExisting);
+  if (ci === "github") {
+    const workflow = githubActionsTemplate(pkg);
+    const workflowDir = join7(dir, ".github", "workflows");
+    await safeWrite(join7(workflowDir, "gpc-release.yml"), workflow, created, skipped, skipExisting);
+  } else if (ci === "gitlab") {
+    const pipeline = gitlabCiTemplate(pkg);
+    await safeWrite(join7(dir, ".gitlab-ci-gpc.yml"), pipeline, created, skipped, skipExisting);
+  }
+  return { created, skipped };
+}
+function githubActionsTemplate(pkg) {
+  return `name: GPC Release
+on:
+  push:
+    tags: ['v*']
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    env:
+      GPC_SERVICE_ACCOUNT: \${{ secrets.GPC_SERVICE_ACCOUNT }}
+      GPC_APP: ${pkg}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Build
+        run: ./gradlew bundleRelease
+
+      - name: Install GPC
+        run: npm install -g @gpc-cli/cli
+
+      - name: Preflight compliance check
+        run: gpc preflight app/build/outputs/bundle/release/app-release.aab --fail-on error
+
+      - name: Upload to internal track
+        run: |
+          gpc releases upload app/build/outputs/bundle/release/app-release.aab \\
+            --track internal \\
+            --json
+`;
+}
+function gitlabCiTemplate(pkg) {
+  return `# GPC Release Pipeline
+# Add GPC_SERVICE_ACCOUNT as a CI/CD variable (masked, protected)
+
+stages:
+  - build
+  - preflight
+  - release
+
+variables:
+  GPC_APP: ${pkg}
+
+build:
+  stage: build
+  image: gradle:jdk17
+  script:
+    - ./gradlew bundleRelease
+  artifacts:
+    paths:
+      - app/build/outputs/bundle/release/app-release.aab
+
+preflight:
+  stage: preflight
+  image: node:20
+  script:
+    - npm install -g @gpc-cli/cli
+    - gpc preflight app/build/outputs/bundle/release/app-release.aab --fail-on error --json
+
+release:
+  stage: release
+  image: node:20
+  script:
+    - npm install -g @gpc-cli/cli
+    - gpc releases upload app/build/outputs/bundle/release/app-release.aab --track internal
+  only:
+    - tags
+`;
+}
+
+// src/preflight/types.ts
+var SEVERITY_ORDER = {
+  info: 0,
+  warning: 1,
+  error: 2,
+  critical: 3
+};
+var DEFAULT_PREFLIGHT_CONFIG = {
+  failOn: "error",
+  targetSdkMinimum: 35,
+  maxDownloadSizeMb: 150,
+  allowedPermissions: [],
+  disabledRules: [],
+  severityOverrides: {}
+};
+
+// src/preflight/config.ts
+import { readFile as readFile9 } from "fs/promises";
+var VALID_SEVERITIES = /* @__PURE__ */ new Set(["critical", "error", "warning", "info"]);
+async function loadPreflightConfig(configPath) {
+  const path = configPath || ".preflightrc.json";
+  let raw;
+  try {
+    raw = await readFile9(path, "utf-8");
+  } catch {
+    return { ...DEFAULT_PREFLIGHT_CONFIG };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error(`Invalid JSON in ${path}. Check the file for syntax errors.`);
+  }
+  const config = { ...DEFAULT_PREFLIGHT_CONFIG };
+  if (typeof parsed["failOn"] === "string" && VALID_SEVERITIES.has(parsed["failOn"])) {
+    config.failOn = parsed["failOn"];
+  }
+  if (typeof parsed["targetSdkMinimum"] === "number" && parsed["targetSdkMinimum"] > 0) {
+    config.targetSdkMinimum = parsed["targetSdkMinimum"];
+  }
+  if (typeof parsed["maxDownloadSizeMb"] === "number" && parsed["maxDownloadSizeMb"] > 0) {
+    config.maxDownloadSizeMb = parsed["maxDownloadSizeMb"];
+  }
+  if (Array.isArray(parsed["allowedPermissions"])) {
+    config.allowedPermissions = parsed["allowedPermissions"].filter(
+      (v) => typeof v === "string"
+    );
+  }
+  if (Array.isArray(parsed["disabledRules"])) {
+    config.disabledRules = parsed["disabledRules"].filter(
+      (v) => typeof v === "string"
+    );
+  }
+  if (typeof parsed["severityOverrides"] === "object" && parsed["severityOverrides"] !== null) {
+    const overrides = {};
+    for (const [key, val] of Object.entries(
+      parsed["severityOverrides"]
+    )) {
+      if (typeof val === "string" && VALID_SEVERITIES.has(val)) {
+        overrides[key] = val;
+      }
+    }
+    config.severityOverrides = overrides;
+  }
+  return config;
+}
+
+// src/preflight/aab-reader.ts
+import { open as yauzlOpen } from "yauzl";
+
+// src/preflight/manifest-parser.ts
+import * as protobuf from "protobufjs";
+var RESOURCE_IDS = {
+  16842752: "theme",
+  16842753: "label",
+  16842754: "icon",
+  16842755: "name",
+  16842767: "versionCode",
+  16842768: "versionName",
+  16843276: "minSdkVersion",
+  16843376: "targetSdkVersion",
+  16842782: "debuggable",
+  16842786: "permission",
+  16842795: "exported",
+  16843378: "testOnly",
+  16843760: "usesCleartextTraffic",
+  16844010: "extractNativeLibs",
+  16843985: "foregroundServiceType",
+  16843402: "required",
+  16843393: "allowBackup"
+};
+function buildXmlSchema() {
+  const root = new protobuf.Root();
+  const ns = root.define("aapt.pb");
+  const Source = new protobuf.Type("Source").add(new protobuf.Field("pathIdx", 1, "uint32")).add(new protobuf.Field("position", 2, "Position"));
+  const Position = new protobuf.Type("Position").add(new protobuf.Field("lineNumber", 1, "uint32")).add(new protobuf.Field("columnNumber", 2, "uint32"));
+  const Primitive = new protobuf.Type("Primitive").add(
+    new protobuf.OneOf("oneofValue").add(new protobuf.Field("intDecimalValue", 6, "int32")).add(new protobuf.Field("intHexadecimalValue", 7, "uint32")).add(new protobuf.Field("booleanValue", 8, "bool")).add(new protobuf.Field("floatValue", 11, "float"))
+  );
+  const Reference = new protobuf.Type("Reference").add(new protobuf.Field("id", 1, "uint32")).add(new protobuf.Field("name", 2, "string"));
+  const Item = new protobuf.Type("Item").add(
+    new protobuf.OneOf("value").add(new protobuf.Field("ref", 1, "Reference")).add(new protobuf.Field("str", 2, "String")).add(new protobuf.Field("prim", 4, "Primitive"))
+  );
+  const StringMsg = new protobuf.Type("String").add(new protobuf.Field("value", 1, "string"));
+  const XmlAttribute = new protobuf.Type("XmlAttribute").add(new protobuf.Field("namespaceUri", 1, "string")).add(new protobuf.Field("name", 2, "string")).add(new protobuf.Field("value", 3, "string")).add(new protobuf.Field("source", 4, "Source")).add(new protobuf.Field("resourceId", 5, "uint32")).add(new protobuf.Field("compiledItem", 6, "Item"));
+  const XmlNamespace = new protobuf.Type("XmlNamespace").add(new protobuf.Field("prefix", 1, "string")).add(new protobuf.Field("uri", 2, "string")).add(new protobuf.Field("source", 3, "Source"));
+  const XmlElement = new protobuf.Type("XmlElement").add(new protobuf.Field("namespaceDeclaration", 1, "XmlNamespace", "repeated")).add(new protobuf.Field("namespaceUri", 2, "string")).add(new protobuf.Field("name", 3, "string")).add(new protobuf.Field("attribute", 4, "XmlAttribute", "repeated")).add(new protobuf.Field("child", 5, "XmlNode", "repeated"));
+  const XmlNode = new protobuf.Type("XmlNode").add(
+    new protobuf.OneOf("node").add(new protobuf.Field("element", 1, "XmlElement")).add(new protobuf.Field("text", 2, "string"))
+  ).add(new protobuf.Field("source", 3, "Source"));
+  ns.add(Position);
+  ns.add(Source);
+  ns.add(Primitive);
+  ns.add(Reference);
+  ns.add(StringMsg);
+  ns.add(Item);
+  ns.add(XmlAttribute);
+  ns.add(XmlNamespace);
+  ns.add(XmlElement);
+  ns.add(XmlNode);
+  return root;
+}
+var cachedSchema;
+function getSchema() {
+  if (!cachedSchema) cachedSchema = buildXmlSchema();
+  return cachedSchema;
+}
+function decodeManifest(buf) {
+  const root = getSchema();
+  const XmlNode = root.lookupType("aapt.pb.XmlNode");
+  const decoded = XmlNode.decode(buf);
+  if (!decoded.element || decoded.element.name !== "manifest") {
+    throw new Error("Invalid AAB manifest: root element is not <manifest>");
+  }
+  return extractManifestData(decoded.element);
+}
+function getAttrValue(attrs, resId) {
+  const attr = attrs.find((a) => a.resourceId === resId);
+  if (!attr) return void 0;
+  const ci = attr.compiledItem;
+  if (ci?.str?.value !== void 0) return ci.str.value;
+  if (ci?.ref?.name !== void 0) return ci.ref.name;
+  return attr.value || void 0;
+}
+function getAttrByName(attrs, name) {
+  const attr = attrs.find((a) => a.name === name || RESOURCE_IDS[a.resourceId] === name);
+  if (!attr) return void 0;
+  const ci = attr.compiledItem;
+  if (ci?.str?.value !== void 0) return ci.str.value;
+  if (ci?.ref?.name !== void 0) return ci.ref.name;
+  return attr.value || void 0;
+}
+function getBoolAttr(attrs, resId, defaultVal) {
+  const val = getAttrValue(attrs, resId);
+  if (val === void 0) return defaultVal;
+  return val === "true" || val === "1";
+}
+function getIntAttr(attrs, resId, defaultVal) {
+  const val = getAttrValue(attrs, resId);
+  if (val === void 0) return defaultVal;
+  const n = parseInt(val, 10);
+  return isNaN(n) ? defaultVal : n;
+}
+function getChildren(elem, tagName) {
+  return (elem.child || []).filter((c) => c.element?.name === tagName).map((c) => c.element);
+}
+function extractManifestData(manifest) {
+  const attrs = manifest.attribute || [];
+  const packageName = getAttrByName(attrs, "package") || "";
+  const versionCode = getIntAttr(attrs, 16842767, 0);
+  const versionName = getAttrValue(attrs, 16842768) || "";
+  const usesSdkElements = getChildren(manifest, "uses-sdk");
+  const usesSdk = usesSdkElements[0];
+  const minSdk = usesSdk ? getIntAttr(usesSdk.attribute || [], 16843276, 1) : 1;
+  const targetSdk = usesSdk ? getIntAttr(usesSdk.attribute || [], 16843376, minSdk) : minSdk;
+  const permissions = getChildren(manifest, "uses-permission").map((el) => getAttrValue(el.attribute || [], 16842755)).filter((p) => p !== void 0);
+  const features = getChildren(manifest, "uses-feature").map((el) => ({
+    name: getAttrValue(el.attribute || [], 16842755) || "",
+    required: getBoolAttr(el.attribute || [], 16843402, true)
+  }));
+  const appElements = getChildren(manifest, "application");
+  const app = appElements[0];
+  const debuggable = app ? getBoolAttr(app.attribute || [], 16842782, false) : false;
+  const testOnly = getBoolAttr(attrs, 16843378, false);
+  const usesCleartextTraffic = app ? getBoolAttr(app.attribute || [], 16843760, true) : true;
+  const extractNativeLibs = app ? getBoolAttr(app.attribute || [], 16844010, true) : true;
+  const activities = app ? extractComponents(app, "activity") : [];
+  const services = app ? extractComponents(app, "service") : [];
+  const receivers = app ? extractComponents(app, "receiver") : [];
+  const providers = app ? extractComponents(app, "provider") : [];
+  return {
+    packageName,
+    versionCode,
+    versionName,
+    minSdk,
+    targetSdk,
+    debuggable,
+    testOnly,
+    usesCleartextTraffic,
+    extractNativeLibs,
+    permissions,
+    features,
+    activities,
+    services,
+    receivers,
+    providers
+  };
+}
+function extractComponents(appElement, tagName) {
+  return getChildren(appElement, tagName).map((el) => {
+    const compAttrs = el.attribute || [];
+    const exportedVal = getAttrValue(compAttrs, 16842795);
+    const hasIntentFilter = getChildren(el, "intent-filter").length > 0;
+    return {
+      name: getAttrValue(compAttrs, 16842755) || "",
+      exported: exportedVal === void 0 ? void 0 : exportedVal === "true" || exportedVal === "1",
+      foregroundServiceType: tagName === "service" ? getAttrValue(compAttrs, 16843985) : void 0,
+      hasIntentFilter
+    };
+  });
+}
+
+// src/preflight/aab-reader.ts
+var MANIFEST_PATH = "base/manifest/AndroidManifest.xml";
+async function readAab(aabPath) {
+  const { zipfile, entries, manifestBuf } = await openAndScan(aabPath);
+  zipfile.close();
+  if (!manifestBuf) {
+    throw new Error(
+      `AAB is missing ${MANIFEST_PATH}. This does not appear to be a valid Android App Bundle.`
+    );
+  }
+  const manifest = decodeManifest(manifestBuf);
+  return { manifest, entries };
+}
+function openAndScan(aabPath) {
+  return new Promise((resolve2, reject) => {
+    yauzlOpen(aabPath, { lazyEntries: true, autoClose: false }, (err, zipfile) => {
+      if (err || !zipfile) {
+        reject(err ?? new Error("Failed to open AAB file"));
+        return;
+      }
+      const entries = [];
+      let manifestBuf = null;
+      let rejected = false;
+      function fail(error) {
+        if (!rejected) {
+          rejected = true;
+          zipfile.close();
+          reject(error);
+        }
+      }
+      zipfile.on("error", fail);
+      zipfile.on("entry", (entry) => {
+        if (rejected) return;
+        const path = entry.fileName;
+        if (!path.endsWith("/")) {
+          entries.push({
+            path,
+            compressedSize: entry.compressedSize,
+            uncompressedSize: entry.uncompressedSize
+          });
+        }
+        if (path === MANIFEST_PATH) {
+          zipfile.openReadStream(entry, (streamErr, stream) => {
+            if (streamErr || !stream) {
+              fail(streamErr ?? new Error("Failed to read manifest entry"));
+              return;
+            }
+            const chunks = [];
+            stream.on("data", (chunk) => chunks.push(chunk));
+            stream.on("error", (e) => fail(e));
+            stream.on("end", () => {
+              manifestBuf = Buffer.concat(chunks);
+              zipfile.readEntry();
+            });
+          });
+        } else {
+          zipfile.readEntry();
+        }
+      });
+      zipfile.on("end", () => {
+        if (!rejected) {
+          resolve2({ zipfile, entries, manifestBuf });
+        }
+      });
+      zipfile.readEntry();
+    });
+  });
+}
+
+// src/preflight/scanners/manifest-scanner.ts
+var manifestScanner = {
+  name: "manifest",
+  description: "Checks AndroidManifest.xml for target SDK, debug flags, and component declarations",
+  requires: ["manifest"],
+  async scan(ctx) {
+    const manifest = ctx.manifest;
+    const findings = [];
+    const minTargetSdk = ctx.config.targetSdkMinimum;
+    if (manifest.targetSdk < minTargetSdk) {
+      findings.push({
+        scanner: "manifest",
+        ruleId: "targetSdk-below-minimum",
+        severity: "critical",
+        title: `targetSdkVersion ${manifest.targetSdk} is below the required ${minTargetSdk}`,
+        message: `Google Play requires targetSdkVersion >= ${minTargetSdk} for new apps and updates. Your app targets API ${manifest.targetSdk}.`,
+        suggestion: `Update targetSdkVersion to ${minTargetSdk} or higher in your build.gradle file.`,
+        policyUrl: "https://developer.android.com/google/play/requirements/target-sdk"
+      });
+    }
+    if (manifest.debuggable) {
+      findings.push({
+        scanner: "manifest",
+        ruleId: "debuggable-true",
+        severity: "critical",
+        title: "App is marked as debuggable",
+        message: 'android:debuggable="true" is set in the manifest. Google Play rejects debuggable release builds.',
+        suggestion: "Remove android:debuggable from your manifest or set it to false. Release builds should never be debuggable."
+      });
+    }
+    if (manifest.testOnly) {
+      findings.push({
+        scanner: "manifest",
+        ruleId: "testOnly-true",
+        severity: "critical",
+        title: "App is marked as testOnly",
+        message: 'android:testOnly="true" is set in the manifest. Google Play rejects testOnly builds.',
+        suggestion: "Remove android:testOnly from your manifest. This flag is only for development builds."
+      });
+    }
+    if (manifest.versionCode <= 0) {
+      findings.push({
+        scanner: "manifest",
+        ruleId: "versionCode-invalid",
+        severity: "error",
+        title: "Invalid versionCode",
+        message: `versionCode is ${manifest.versionCode}. It must be a positive integer.`,
+        suggestion: "Set a valid versionCode in your build.gradle file."
+      });
+    }
+    if (manifest.usesCleartextTraffic && manifest.targetSdk >= 28) {
+      findings.push({
+        scanner: "manifest",
+        ruleId: "cleartext-traffic",
+        severity: "warning",
+        title: "Cleartext HTTP traffic is allowed",
+        message: 'android:usesCleartextTraffic="true" allows unencrypted HTTP connections. This is a security risk.',
+        suggestion: 'Set android:usesCleartextTraffic="false" and use HTTPS. If specific domains need HTTP, use a network security config.',
+        policyUrl: "https://developer.android.com/privacy-and-security/security-config"
+      });
+    }
+    if (manifest.targetSdk >= 31) {
+      const allComponents = [
+        ...manifest.activities,
+        ...manifest.services,
+        ...manifest.receivers,
+        ...manifest.providers
+      ];
+      for (const comp of allComponents) {
+        if (comp.hasIntentFilter && comp.exported === void 0) {
+          findings.push({
+            scanner: "manifest",
+            ruleId: "missing-exported",
+            severity: "error",
+            title: `Missing android:exported on ${comp.name}`,
+            message: `Component "${comp.name}" has an intent-filter but no android:exported attribute. This is required for apps targeting API 31+.`,
+            suggestion: `Add android:exported="true" or android:exported="false" to the <activity>, <service>, <receiver>, or <provider> declaration for "${comp.name}".`,
+            policyUrl: "https://developer.android.com/about/versions/12/behavior-changes-12#exported"
+          });
+        }
+      }
+    }
+    if (manifest.targetSdk >= 34) {
+      const hasFgsPerm = manifest.permissions.includes("android.permission.FOREGROUND_SERVICE");
+      if (hasFgsPerm) {
+        for (const service of manifest.services) {
+          if (!service.foregroundServiceType) {
+            findings.push({
+              scanner: "manifest",
+              ruleId: "foreground-service-type-missing",
+              severity: "error",
+              title: `Missing foregroundServiceType on ${service.name}`,
+              message: `Service "${service.name}" does not declare android:foregroundServiceType. This is required for apps targeting API 34+.`,
+              suggestion: `Add android:foregroundServiceType to the <service> declaration. Valid types: camera, connectedDevice, dataSync, health, location, mediaPlayback, mediaProcessing, mediaProjection, microphone, phoneCall, remoteMessaging, shortService, specialUse, systemExempted.`,
+              policyUrl: "https://developer.android.com/about/versions/14/changes/fgs-types-required"
+            });
+          }
+        }
+      }
+    }
+    if (manifest.minSdk < 21) {
+      findings.push({
+        scanner: "manifest",
+        ruleId: "minSdk-below-21",
+        severity: "info",
+        title: `minSdkVersion ${manifest.minSdk} is very low`,
+        message: `minSdkVersion ${manifest.minSdk} means your app supports very old devices (pre-Lollipop). This limits split APK support and modern features.`,
+        suggestion: "Consider raising minSdkVersion to 21 or higher to take advantage of modern Android features and better app size optimization."
+      });
+    }
+    return findings;
+  }
+};
+
+// src/preflight/scanners/permissions-scanner.ts
+var RESTRICTED_PERMISSIONS = [
+  // SMS permissions — only for default SMS handler
+  {
+    permission: "android.permission.READ_SMS",
+    severity: "critical",
+    title: "READ_SMS requires declaration form",
+    message: "READ_SMS is restricted to default SMS/phone/assistant handler apps. Google Play requires a Permissions Declaration Form and may reject apps using this permission without approval.",
+    suggestion: "Remove READ_SMS unless your app is a default SMS handler. Use the SMS Retriever API or one-tap SMS consent for OTP verification.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/10208820"
+  },
+  {
+    permission: "android.permission.SEND_SMS",
+    severity: "critical",
+    title: "SEND_SMS requires declaration form",
+    message: "SEND_SMS is restricted to default SMS handler apps.",
+    suggestion: "Remove SEND_SMS unless your app is a default SMS handler.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/10208820"
+  },
+  {
+    permission: "android.permission.RECEIVE_SMS",
+    severity: "critical",
+    title: "RECEIVE_SMS requires declaration form",
+    message: "RECEIVE_SMS is restricted to default SMS handler apps.",
+    suggestion: "Remove RECEIVE_SMS. Use the SMS Retriever API for OTP verification instead.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/10208820"
+  },
+  {
+    permission: "android.permission.RECEIVE_MMS",
+    severity: "critical",
+    title: "RECEIVE_MMS requires declaration form",
+    message: "RECEIVE_MMS is restricted to default SMS handler apps.",
+    suggestion: "Remove RECEIVE_MMS unless your app is a default SMS handler.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/10208820"
+  },
+  {
+    permission: "android.permission.RECEIVE_WAP_PUSH",
+    severity: "critical",
+    title: "RECEIVE_WAP_PUSH requires declaration form",
+    message: "RECEIVE_WAP_PUSH is restricted to default SMS handler apps.",
+    suggestion: "Remove RECEIVE_WAP_PUSH unless your app is a default SMS handler.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/10208820"
+  },
+  // Call log permissions
+  {
+    permission: "android.permission.READ_CALL_LOG",
+    severity: "critical",
+    title: "READ_CALL_LOG requires declaration form",
+    message: "READ_CALL_LOG is restricted to default phone/assistant handler apps.",
+    suggestion: "Remove READ_CALL_LOG unless your app is a default phone or assistant handler.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/10208820"
+  },
+  {
+    permission: "android.permission.WRITE_CALL_LOG",
+    severity: "critical",
+    title: "WRITE_CALL_LOG requires declaration form",
+    message: "WRITE_CALL_LOG is restricted to default phone handler apps.",
+    suggestion: "Remove WRITE_CALL_LOG unless your app is a default phone handler.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/10208820"
+  },
+  {
+    permission: "android.permission.PROCESS_OUTGOING_CALLS",
+    severity: "critical",
+    title: "PROCESS_OUTGOING_CALLS requires declaration form",
+    message: "PROCESS_OUTGOING_CALLS is restricted to default phone handler apps.",
+    suggestion: "Remove PROCESS_OUTGOING_CALLS unless your app is a default phone handler.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/10208820"
+  },
+  // Broad visibility
+  {
+    permission: "android.permission.QUERY_ALL_PACKAGES",
+    severity: "error",
+    title: "QUERY_ALL_PACKAGES requires justification",
+    message: "QUERY_ALL_PACKAGES grants broad package visibility. Google Play requires justification and may reject apps using this without approval.",
+    suggestion: "Replace with targeted <queries> elements in your manifest to declare specific packages you need to interact with.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/10158779"
+  },
+  // All files access
+  {
+    permission: "android.permission.MANAGE_EXTERNAL_STORAGE",
+    severity: "error",
+    title: "MANAGE_EXTERNAL_STORAGE (All Files Access) requires declaration form",
+    message: "All Files Access is restricted to file managers, backup apps, antivirus, and document management apps.",
+    suggestion: "Use scoped storage APIs or the Storage Access Framework (SAF) instead. Only use MANAGE_EXTERNAL_STORAGE if your app's core functionality requires broad file access.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/10467955"
+  },
+  // Background location
+  {
+    permission: "android.permission.ACCESS_BACKGROUND_LOCATION",
+    severity: "error",
+    title: "ACCESS_BACKGROUND_LOCATION requires declaration and review",
+    message: "Background location access requires a Permissions Declaration Form, privacy policy, and video demonstration. Extended review times apply.",
+    suggestion: "Use foreground location with a foreground service instead. Only use background location if it is essential to your app's core functionality.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/9799150"
+  },
+  // Photo/video permissions (May 2025 enforcement)
+  {
+    permission: "android.permission.READ_MEDIA_IMAGES",
+    severity: "error",
+    title: "READ_MEDIA_IMAGES requires declaration or photo picker",
+    message: "Photo/Video Permissions policy requires either an approved declaration form or use of the Android photo picker for one-time image access.",
+    suggestion: "Use the Android photo picker (ACTION_PICK_IMAGES) for profile pictures and one-time use. Only declare READ_MEDIA_IMAGES if your app's core functionality requires broad gallery access.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/14115180"
+  },
+  {
+    permission: "android.permission.READ_MEDIA_VIDEO",
+    severity: "error",
+    title: "READ_MEDIA_VIDEO requires declaration or photo picker",
+    message: "Photo/Video Permissions policy requires either an approved declaration form or use of the Android photo picker for one-time video access.",
+    suggestion: "Use the Android photo picker for one-time video selection. Only declare READ_MEDIA_VIDEO if your app's core functionality requires broad video access.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/14115180"
+  },
+  // Install packages
+  {
+    permission: "android.permission.REQUEST_INSTALL_PACKAGES",
+    severity: "error",
+    title: "REQUEST_INSTALL_PACKAGES requires justification",
+    message: "REQUEST_INSTALL_PACKAGES is restricted to apps whose core purpose is installing other packages.",
+    suggestion: "Remove REQUEST_INSTALL_PACKAGES unless your app is an app store, package manager, or OTA updater.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/12085295"
+  },
+  // Exact alarm
+  {
+    permission: "android.permission.USE_EXACT_ALARM",
+    severity: "warning",
+    title: "USE_EXACT_ALARM is restricted",
+    message: "USE_EXACT_ALARM is only for alarm, timer, and calendar apps. Google Play may reject apps using this without justification.",
+    suggestion: "Use SCHEDULE_EXACT_ALARM instead if possible, or remove exact alarm usage if your app does not need precise timing.",
+    policyUrl: "https://developer.android.com/about/versions/14/changes/schedule-exact-alarms"
+  },
+  // Full-screen intent
+  {
+    permission: "android.permission.USE_FULL_SCREEN_INTENT",
+    severity: "warning",
+    title: "USE_FULL_SCREEN_INTENT requires declaration",
+    message: "Full-screen intents are restricted to alarm and calling apps on Android 14+. A declaration form is required.",
+    suggestion: "Remove USE_FULL_SCREEN_INTENT unless your app is an alarm clock or calling app.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/13392821"
+  },
+  // Accessibility service
+  {
+    permission: "android.permission.BIND_ACCESSIBILITY_SERVICE",
+    severity: "error",
+    title: "BIND_ACCESSIBILITY_SERVICE requires declaration and justification",
+    message: "Accessibility services must support users with disabilities. A declaration form and detailed justification are required.",
+    suggestion: "Only use BIND_ACCESSIBILITY_SERVICE if your app genuinely assists users with disabilities. Misuse leads to rejection.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/10964491"
+  },
+  // VPN
+  {
+    permission: "android.permission.BIND_VPN_SERVICE",
+    severity: "error",
+    title: "BIND_VPN_SERVICE is restricted to VPN apps",
+    message: "BIND_VPN_SERVICE is only for apps whose core functionality is providing VPN services.",
+    suggestion: "Remove BIND_VPN_SERVICE unless your app is a VPN provider.",
+    policyUrl: "https://support.google.com/googleplay/android-developer/answer/9888170"
+  }
+];
+var RESTRICTED_MAP = new Map(RESTRICTED_PERMISSIONS.map((r) => [r.permission, r]));
+var permissionsScanner = {
+  name: "permissions",
+  description: "Audits declared permissions against Google Play restricted permissions policies",
+  requires: ["manifest"],
+  async scan(ctx) {
+    const manifest = ctx.manifest;
+    const findings = [];
+    const allowed = new Set(ctx.config.allowedPermissions);
+    for (const perm of manifest.permissions) {
+      if (allowed.has(perm)) continue;
+      const restriction = RESTRICTED_MAP.get(perm);
+      if (restriction) {
+        findings.push({
+          scanner: "permissions",
+          ruleId: `restricted-${perm.split(".").pop()?.toLowerCase() || perm}`,
+          severity: restriction.severity,
+          title: restriction.title,
+          message: restriction.message,
+          suggestion: restriction.suggestion,
+          policyUrl: restriction.policyUrl
+        });
+      }
+    }
+    const dataPermissions = [
+      { perm: "android.permission.ACCESS_FINE_LOCATION", data: "precise location" },
+      { perm: "android.permission.ACCESS_COARSE_LOCATION", data: "approximate location" },
+      { perm: "android.permission.READ_CONTACTS", data: "contacts" },
+      { perm: "android.permission.CAMERA", data: "photos/videos via camera" },
+      { perm: "android.permission.RECORD_AUDIO", data: "audio recordings" },
+      { perm: "android.permission.READ_CALENDAR", data: "calendar events" },
+      { perm: "android.permission.BODY_SENSORS", data: "health/fitness data" },
+      { perm: "android.permission.ACTIVITY_RECOGNITION", data: "physical activity" }
+    ];
+    const collectedData = [];
+    for (const { perm, data } of dataPermissions) {
+      if (manifest.permissions.includes(perm)) {
+        collectedData.push(data);
+      }
+    }
+    if (collectedData.length > 0) {
+      findings.push({
+        scanner: "permissions",
+        ruleId: "data-safety-reminder",
+        severity: "info",
+        title: "Data Safety declaration reminder",
+        message: `Your app declares permissions that imply collecting: ${collectedData.join(", ")}. Ensure your Data Safety form in Play Console accurately reflects this data collection.`,
+        suggestion: "Review your Data Safety declaration at Play Console > Policy > App content > Data safety.",
+        policyUrl: "https://support.google.com/googleplay/android-developer/answer/10787469"
+      });
+    }
+    return findings;
+  }
+};
+
+// src/preflight/scanners/native-libs-scanner.ts
+var KNOWN_ABIS = ["arm64-v8a", "armeabi-v7a", "x86", "x86_64"];
+var LIB_PATH_RE = /^(?:[^/]+\/)?lib\/([^/]+)\/[^/]+\.so$/;
+var nativeLibsScanner = {
+  name: "native-libs",
+  description: "Checks native library architectures for 64-bit compliance",
+  requires: ["zipEntries"],
+  async scan(ctx) {
+    const entries = ctx.zipEntries;
+    const findings = [];
+    const abisFound = /* @__PURE__ */ new Set();
+    let totalNativeSize = 0;
+    for (const entry of entries) {
+      const match = LIB_PATH_RE.exec(entry.path);
+      if (match) {
+        abisFound.add(match[1]);
+        totalNativeSize += entry.uncompressedSize;
+      }
+    }
+    if (abisFound.size === 0) {
+      return findings;
+    }
+    const has32Arm = abisFound.has("armeabi-v7a");
+    const has64Arm = abisFound.has("arm64-v8a");
+    const has32x86 = abisFound.has("x86");
+    const has64x86 = abisFound.has("x86_64");
+    if (has32Arm && !has64Arm) {
+      findings.push({
+        scanner: "native-libs",
+        ruleId: "missing-arm64",
+        severity: "critical",
+        title: "Missing arm64-v8a native libraries",
+        message: "App includes armeabi-v7a (32-bit ARM) native libraries but is missing arm64-v8a (64-bit ARM). Google Play requires 64-bit support for all apps with native code.",
+        suggestion: "Build your native libraries for arm64-v8a. In build.gradle: ndk { abiFilters 'armeabi-v7a', 'arm64-v8a' }",
+        policyUrl: "https://developer.android.com/google/play/requirements/64-bit"
+      });
+    }
+    if (has32x86 && !has64x86) {
+      findings.push({
+        scanner: "native-libs",
+        ruleId: "missing-x86_64",
+        severity: "warning",
+        title: "Missing x86_64 native libraries",
+        message: "App includes x86 (32-bit) native libraries but is missing x86_64 (64-bit). While ARM is required, x86_64 is recommended for emulator and Chromebook support.",
+        suggestion: "Add x86_64 to your ABI filters if you support x86: ndk { abiFilters 'x86', 'x86_64' }",
+        policyUrl: "https://developer.android.com/google/play/requirements/64-bit"
+      });
+    }
+    const detectedAbis = KNOWN_ABIS.filter((abi) => abisFound.has(abi));
+    const unknownAbis = [...abisFound].filter(
+      (abi) => !KNOWN_ABIS.includes(abi)
+    );
+    const abiList = [...detectedAbis, ...unknownAbis].join(", ");
+    const sizeMb = (totalNativeSize / (1024 * 1024)).toFixed(1);
+    findings.push({
+      scanner: "native-libs",
+      ruleId: "native-libs-summary",
+      severity: "info",
+      title: `Native libraries: ${abiList}`,
+      message: `Found native libraries for ${abisFound.size} architecture(s): ${abiList}. Total uncompressed size: ${sizeMb} MB.`
+    });
+    if (totalNativeSize > 150 * 1024 * 1024) {
+      findings.push({
+        scanner: "native-libs",
+        ruleId: "native-libs-large",
+        severity: "warning",
+        title: "Large native libraries",
+        message: `Native libraries total ${sizeMb} MB (uncompressed). This significantly increases download size.`,
+        suggestion: "Consider using Android App Bundles to deliver only the required ABI per device. Review if all native libraries are necessary."
+      });
+    }
+    return findings;
+  }
+};
+
+// src/preflight/scanners/metadata-scanner.ts
+import { readdir as readdir5, stat as stat8, readFile as readFile10 } from "fs/promises";
+import { join as join8 } from "path";
+var SAFE_LANG = /^[a-zA-Z]{2,3}(-[a-zA-Z0-9]{2,8})*$/;
+var FILE_MAP2 = {
+  "title.txt": "title",
+  "short_description.txt": "shortDescription",
+  "full_description.txt": "fullDescription",
+  "video.txt": "video"
+};
+var SCREENSHOT_DIRS = [
+  "phoneScreenshots",
+  "sevenInchScreenshots",
+  "tenInchScreenshots",
+  "tvScreenshots",
+  "wearScreenshots"
+];
+var MIN_PHONE_SCREENSHOTS = 2;
+var RECOMMENDED_PHONE_SCREENSHOTS = 4;
+var metadataScanner = {
+  name: "metadata",
+  description: "Checks store listing metadata for character limits, required fields, and screenshots",
+  requires: ["metadataDir"],
+  async scan(ctx) {
+    const dir = ctx.metadataDir;
+    const findings = [];
+    let entries;
+    try {
+      entries = await readdir5(dir);
+    } catch {
+      findings.push({
+        scanner: "metadata",
+        ruleId: "metadata-dir-not-found",
+        severity: "error",
+        title: "Metadata directory not found",
+        message: `Cannot read metadata directory: ${dir}`,
+        suggestion: "Check the path to your metadata directory. Expected Fastlane format: <dir>/<lang>/title.txt, short_description.txt, etc."
+      });
+      return findings;
+    }
+    const locales = entries.filter((e) => SAFE_LANG.test(e));
+    if (locales.length === 0) {
+      findings.push({
+        scanner: "metadata",
+        ruleId: "no-locales-found",
+        severity: "error",
+        title: "No locale directories found",
+        message: `No valid locale directories found in ${dir}. Expected subdirectories like en-US/, fr-FR/, etc.`,
+        suggestion: "Create locale directories with listing files: <dir>/en-US/title.txt"
+      });
+      return findings;
+    }
+    for (const lang of locales) {
+      const langDir = join8(dir, lang);
+      const langStat = await stat8(langDir).catch(() => null);
+      if (!langStat?.isDirectory()) continue;
+      const fields = {};
+      for (const [fileName, field] of Object.entries(FILE_MAP2)) {
+        const filePath = join8(langDir, fileName);
+        try {
+          const content = await readFile10(filePath, "utf-8");
+          fields[field] = content.trimEnd();
+        } catch {
+        }
+      }
+      const lintResult = lintListing(lang, fields, DEFAULT_LIMITS);
+      for (const field of lintResult.fields) {
+        if (field.status === "over") {
+          findings.push({
+            scanner: "metadata",
+            ruleId: `listing-${field.field}-over-limit`,
+            severity: "error",
+            title: `${lang}: ${field.field} exceeds ${field.limit} character limit`,
+            message: `${field.field} is ${field.chars} characters (limit: ${field.limit}). Google Play will reject this listing.`,
+            suggestion: `Shorten ${field.field} to ${field.limit} characters or fewer.`
+          });
+        } else if (field.status === "warn") {
+          findings.push({
+            scanner: "metadata",
+            ruleId: `listing-${field.field}-near-limit`,
+            severity: "info",
+            title: `${lang}: ${field.field} is ${field.pct}% of limit`,
+            message: `${field.field} is ${field.chars}/${field.limit} characters (${field.pct}%).`
+          });
+        }
+      }
+      if (!fields["title"]?.trim()) {
+        findings.push({
+          scanner: "metadata",
+          ruleId: "listing-missing-title",
+          severity: "error",
+          title: `${lang}: Missing title`,
+          message: `No title.txt found or file is empty for locale ${lang}.`,
+          suggestion: "Create a title.txt file with your app name (max 30 characters)."
+        });
+      }
+      let totalScreenshots = 0;
+      let phoneScreenshots = 0;
+      for (const ssDir of SCREENSHOT_DIRS) {
+        const ssPath = join8(langDir, "images", ssDir);
+        try {
+          const ssEntries = await readdir5(ssPath);
+          const imageFiles = ssEntries.filter((f) => /\.(png|jpe?g|webp)$/i.test(f));
+          totalScreenshots += imageFiles.length;
+          if (ssDir === "phoneScreenshots") {
+            phoneScreenshots = imageFiles.length;
+          }
+        } catch {
+        }
+      }
+      if (phoneScreenshots < MIN_PHONE_SCREENSHOTS && totalScreenshots === 0) {
+        findings.push({
+          scanner: "metadata",
+          ruleId: "listing-no-screenshots",
+          severity: "warning",
+          title: `${lang}: No screenshots found`,
+          message: `No screenshot images found for locale ${lang}. Google Play requires at least 2 phone screenshots.`,
+          suggestion: `Add PNG or JPEG screenshots to ${lang}/images/phoneScreenshots/`,
+          policyUrl: "https://support.google.com/googleplay/android-developer/answer/9866151"
+        });
+      } else if (phoneScreenshots < RECOMMENDED_PHONE_SCREENSHOTS && phoneScreenshots > 0) {
+        findings.push({
+          scanner: "metadata",
+          ruleId: "listing-few-screenshots",
+          severity: "info",
+          title: `${lang}: Only ${phoneScreenshots} phone screenshot(s)`,
+          message: `Found ${phoneScreenshots} phone screenshot(s). Google recommends at least ${RECOMMENDED_PHONE_SCREENSHOTS} for better store presence.`
+        });
+      }
+    }
+    const defaultLang = locales.includes("en-US") ? "en-US" : locales[0];
+    const privacyPath = join8(dir, defaultLang, "privacy_policy_url.txt");
+    try {
+      const url = await readFile10(privacyPath, "utf-8");
+      if (!url.trim()) throw new Error("empty");
+    } catch {
+      findings.push({
+        scanner: "metadata",
+        ruleId: "listing-no-privacy-policy",
+        severity: "warning",
+        title: "No privacy policy URL",
+        message: "No privacy_policy_url.txt found in metadata. A privacy policy is required for most apps on Google Play.",
+        suggestion: `Create ${defaultLang}/privacy_policy_url.txt with a link to your privacy policy.`,
+        policyUrl: "https://support.google.com/googleplay/android-developer/answer/9859455"
+      });
+    }
+    findings.push({
+      scanner: "metadata",
+      ruleId: "metadata-summary",
+      severity: "info",
+      title: `${locales.length} locale(s) found`,
+      message: `Scanned metadata for: ${locales.join(", ")}`
+    });
+    return findings;
+  }
+};
+
+// src/preflight/scanners/secrets-scanner.ts
+import { readFile as readFile11 } from "fs/promises";
+
+// src/preflight/scan-files.ts
+import { readdir as readdir6, stat as stat9 } from "fs/promises";
+import { join as join9, extname as extname4 } from "path";
+var DEFAULT_SKIP_DIRS = /* @__PURE__ */ new Set([
+  ".git",
+  "node_modules",
+  "build",
+  "dist",
+  ".gradle",
+  "__pycache__",
+  ".idea",
+  ".vscode",
+  "vendor"
+]);
+async function collectSourceFiles(dir, extensions, skipDirs = DEFAULT_SKIP_DIRS, maxDepth = 10) {
+  if (maxDepth <= 0) return [];
+  const files = [];
+  let entries;
+  try {
+    entries = await readdir6(dir);
+  } catch {
+    return files;
+  }
+  for (const entry of entries) {
+    if (skipDirs.has(entry)) continue;
+    const fullPath = join9(dir, entry);
+    const s = await stat9(fullPath).catch(() => null);
+    if (!s) continue;
+    if (s.isDirectory()) {
+      const sub = await collectSourceFiles(fullPath, extensions, skipDirs, maxDepth - 1);
+      files.push(...sub);
+    } else if (s.isFile()) {
+      const ext = extname4(entry).toLowerCase();
+      if (extensions.has(ext) || entry.endsWith(".gradle.kts")) {
+        files.push(fullPath);
+      }
+    }
+  }
+  return files;
+}
+
+// src/preflight/scanners/secrets-scanner.ts
+var SECRET_PATTERNS = [
+  {
+    ruleId: "secret-aws-key",
+    name: "AWS Access Key",
+    pattern: /AKIA[0-9A-Z]{16}/,
+    severity: "critical",
+    suggestion: "Use environment variables or AWS Secrets Manager. Never hardcode AWS credentials."
+  },
+  {
+    ruleId: "secret-google-api-key",
+    name: "Google API Key",
+    pattern: /AIza[0-9A-Za-z\-_]{35}/,
+    severity: "critical",
+    suggestion: "Move Google API keys to local.properties or environment variables. Restrict keys in Google Cloud Console."
+  },
+  {
+    ruleId: "secret-stripe-key",
+    name: "Stripe Secret Key",
+    pattern: /sk_live_[0-9a-zA-Z]{24,}/,
+    severity: "critical",
+    suggestion: "Never ship Stripe secret keys in client code. Use your backend server for Stripe API calls."
+  },
+  {
+    ruleId: "secret-stripe-restricted",
+    name: "Stripe Restricted Key",
+    pattern: /rk_live_[0-9a-zA-Z]{24,}/,
+    severity: "critical",
+    suggestion: "Stripe restricted keys should not be in client code. Use server-side integration."
+  },
+  {
+    ruleId: "secret-private-key",
+    name: "Private Key",
+    pattern: /-----BEGIN\s+(RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
+    severity: "critical",
+    suggestion: "Remove private keys from source code. Store them in a secure key management system."
+  },
+  {
+    ruleId: "secret-firebase-key",
+    name: "Firebase API Key in code",
+    pattern: /["']AIza[0-9A-Za-z\-_]{35}["']/,
+    severity: "warning",
+    suggestion: "Firebase API keys in client code are normal for google-services.json, but verify they are restricted in Google Cloud Console."
+  },
+  {
+    ruleId: "secret-generic-token",
+    name: "Generic API Token",
+    pattern: /(?:api[_-]?key|api[_-]?secret|auth[_-]?token|access[_-]?token)\s*[:=]\s*["'][a-zA-Z0-9\-_]{20,}["']/i,
+    severity: "warning",
+    suggestion: "Avoid hardcoding tokens. Use BuildConfig fields, environment variables, or a secrets manager."
+  }
+];
+var SCAN_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".ts",
+  ".js",
+  ".tsx",
+  ".jsx",
+  ".kt",
+  ".java",
+  ".xml",
+  ".json",
+  ".properties",
+  ".yaml",
+  ".yml",
+  ".gradle"
+]);
+var secretsScanner = {
+  name: "secrets",
+  description: "Scans source code for hardcoded credentials and API keys",
+  requires: ["sourceDir"],
+  async scan(ctx) {
+    const dir = ctx.sourceDir;
+    const findings = [];
+    const files = await collectSourceFiles(dir, SCAN_EXTENSIONS);
+    for (const filePath of files) {
+      let content;
+      try {
+        content = await readFile11(filePath, "utf-8");
+      } catch {
+        continue;
+      }
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const pattern of SECRET_PATTERNS) {
+          if (pattern.pattern.test(line)) {
+            const relativePath = filePath.startsWith(dir) ? filePath.slice(dir.length + 1) : filePath;
+            findings.push({
+              scanner: "secrets",
+              ruleId: pattern.ruleId,
+              severity: pattern.severity,
+              title: `${pattern.name} found in ${relativePath}:${i + 1}`,
+              message: `Potential ${pattern.name} detected at ${relativePath} line ${i + 1}.`,
+              suggestion: pattern.suggestion
+            });
+            break;
+          }
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/preflight/scanners/billing-scanner.ts
+import { readFile as readFile12 } from "fs/promises";
+var BILLING_PATTERNS = [
+  {
+    ruleId: "billing-stripe-sdk",
+    name: "Stripe SDK",
+    pattern: /(?:com\.stripe|@stripe\/|stripe-android|StripeSdk)/,
+    message: "Stripe SDK detected. Google Play requires Play Billing for in-app purchases of digital goods.",
+    suggestion: "If selling digital goods, use Google Play Billing Library. Stripe is only allowed for physical goods, services, or out-of-app purchases."
+  },
+  {
+    ruleId: "billing-braintree-sdk",
+    name: "Braintree SDK",
+    pattern: /(?:com\.braintreepayments|braintree-android)/,
+    message: "Braintree SDK detected. Google Play requires Play Billing for digital in-app purchases.",
+    suggestion: "Use Google Play Billing Library for digital goods. Braintree is only allowed for physical goods and services."
+  },
+  {
+    ruleId: "billing-paypal-sdk",
+    name: "PayPal SDK",
+    pattern: /(?:com\.paypal|paypal-android)/,
+    message: "PayPal SDK detected. Google Play requires Play Billing for digital in-app purchases.",
+    suggestion: "Use Google Play Billing Library for digital goods. PayPal is allowed for physical goods only."
+  },
+  {
+    ruleId: "billing-razorpay-sdk",
+    name: "Razorpay SDK",
+    pattern: /(?:com\.razorpay)/,
+    message: "Razorpay SDK detected. If used for digital goods, this may violate Google Play billing policy.",
+    suggestion: "Ensure Razorpay is only used for physical goods/services. Digital goods require Play Billing."
+  },
+  {
+    ruleId: "billing-checkout-sdk",
+    name: "Alternative checkout SDK",
+    pattern: /(?:com\.adyen|com\.checkout|com\.square\.sdk)/,
+    message: "Alternative payment SDK detected. Google Play requires Play Billing for digital goods.",
+    suggestion: "Verify this payment SDK is only used for physical goods or services, not digital content."
+  }
+];
+var SCAN_EXTENSIONS2 = /* @__PURE__ */ new Set([
+  ".kt",
+  ".java",
+  ".xml",
+  ".gradle",
+  ".ts",
+  ".js",
+  ".tsx",
+  ".jsx",
+  ".json"
+]);
+var billingScanner = {
+  name: "billing",
+  description: "Detects non-Play billing SDKs that may violate Google Play billing policy",
+  requires: ["sourceDir"],
+  async scan(ctx) {
+    const dir = ctx.sourceDir;
+    const findings = [];
+    const detectedSdks = /* @__PURE__ */ new Set();
+    const files = await collectSourceFiles(dir, SCAN_EXTENSIONS2);
+    for (const filePath of files) {
+      let content;
+      try {
+        content = await readFile12(filePath, "utf-8");
+      } catch {
+        continue;
+      }
+      for (const bp of BILLING_PATTERNS) {
+        if (detectedSdks.has(bp.ruleId)) continue;
+        if (bp.pattern.test(content)) {
+          const relativePath = filePath.startsWith(dir) ? filePath.slice(dir.length + 1) : filePath;
+          detectedSdks.add(bp.ruleId);
+          findings.push({
+            scanner: "billing",
+            ruleId: bp.ruleId,
+            severity: "warning",
+            title: `${bp.name} detected`,
+            message: `${bp.message} Found in ${relativePath}.`,
+            suggestion: bp.suggestion,
+            policyUrl: "https://support.google.com/googleplay/android-developer/answer/10281818"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/preflight/scanners/privacy-scanner.ts
+import { readFile as readFile13 } from "fs/promises";
+var TRACKING_SDKS = [
+  {
+    name: "Facebook SDK",
+    pattern: /(?:com\.facebook\.sdk|com\.facebook\.android|FacebookSdk\.sdkInitialize)/i
+  },
+  { name: "Adjust SDK", pattern: /(?:com\.adjust\.sdk|AdjustConfig|AdjustEvent)/i },
+  {
+    name: "AppsFlyer SDK",
+    pattern: /(?:com\.appsflyer|AppsFlyerLib|AppsFlyerConversionListener)/i
+  },
+  { name: "Amplitude SDK", pattern: /(?:com\.amplitude|AmplitudeClient|@amplitude\/analytics)/i },
+  { name: "Mixpanel SDK", pattern: /(?:com\.mixpanel|MixpanelAPI|@mixpanel)/i },
+  { name: "Branch SDK", pattern: /(?:io\.branch\.referral|Branch\.getInstance)/i },
+  { name: "CleverTap SDK", pattern: /(?:com\.clevertap|CleverTapAPI)/i },
+  { name: "Singular SDK", pattern: /(?:com\.singular\.sdk|SingularConfig)/i }
+];
+var SCAN_EXTENSIONS3 = /* @__PURE__ */ new Set([
+  ".kt",
+  ".java",
+  ".xml",
+  ".gradle",
+  ".ts",
+  ".js",
+  ".tsx",
+  ".jsx",
+  ".json"
+]);
+var privacyScanner = {
+  name: "privacy",
+  description: "Detects tracking SDKs and data collection patterns for Data Safety compliance",
+  requires: ["sourceDir"],
+  async scan(ctx) {
+    const dir = ctx.sourceDir;
+    const findings = [];
+    const detectedSdks = /* @__PURE__ */ new Set();
+    const files = await collectSourceFiles(dir, SCAN_EXTENSIONS3);
+    for (const filePath of files) {
+      let content;
+      try {
+        content = await readFile13(filePath, "utf-8");
+      } catch {
+        continue;
+      }
+      for (const sdk of TRACKING_SDKS) {
+        if (detectedSdks.has(sdk.name)) continue;
+        if (sdk.pattern.test(content)) {
+          detectedSdks.add(sdk.name);
+          const relativePath = filePath.startsWith(dir) ? filePath.slice(dir.length + 1) : filePath;
+          findings.push({
+            scanner: "privacy",
+            ruleId: `tracking-${sdk.name.toLowerCase().replace(/\s+/g, "-")}`,
+            severity: "warning",
+            title: `${sdk.name} detected`,
+            message: `${sdk.name} found in ${relativePath}. This SDK typically collects analytics or attribution data that must be declared in your Data Safety form.`,
+            suggestion: "Ensure your Data Safety declaration accurately lists all data types collected by this SDK.",
+            policyUrl: "https://support.google.com/googleplay/android-developer/answer/10787469"
+          });
+        }
+      }
+      if (content.includes("AD_ID") || content.includes("ADVERTISING_ID") || content.includes("AdvertisingIdClient")) {
+        if (!detectedSdks.has("_ad_id")) {
+          detectedSdks.add("_ad_id");
+          findings.push({
+            scanner: "privacy",
+            ruleId: "advertising-id-usage",
+            severity: "warning",
+            title: "Advertising ID usage detected",
+            message: "Your app appears to access the Advertising ID. This must be declared in your Data Safety form under 'Device or other IDs'.",
+            suggestion: "Declare Advertising ID collection in Play Console > Data safety. If your app targets children, Advertising ID usage is restricted.",
+            policyUrl: "https://support.google.com/googleplay/android-developer/answer/11043825"
+          });
+        }
+      }
+    }
+    if (ctx.manifest) {
+      const dataPermissions = [
+        { perm: "android.permission.ACCESS_FINE_LOCATION", dataType: "precise location" },
+        { perm: "android.permission.ACCESS_COARSE_LOCATION", dataType: "approximate location" },
+        { perm: "android.permission.READ_CONTACTS", dataType: "contacts" },
+        { perm: "android.permission.CAMERA", dataType: "photos/videos" },
+        { perm: "android.permission.RECORD_AUDIO", dataType: "audio" },
+        { perm: "android.permission.READ_CALENDAR", dataType: "calendar" },
+        { perm: "android.permission.BODY_SENSORS", dataType: "health/fitness data" },
+        { perm: "android.permission.READ_PHONE_STATE", dataType: "phone state/device ID" }
+      ];
+      const collectedTypes = [];
+      for (const { perm, dataType } of dataPermissions) {
+        if (ctx.manifest.permissions.includes(perm)) {
+          collectedTypes.push(dataType);
+        }
+      }
+      if (collectedTypes.length > 0 && detectedSdks.size > 0) {
+        findings.push({
+          scanner: "privacy",
+          ruleId: "data-collection-cross-reference",
+          severity: "info",
+          title: "Data collection cross-reference",
+          message: `Your app requests permissions for: ${collectedTypes.join(", ")}. Combined with ${detectedSdks.size} tracking SDK(s), ensure your Data Safety form declares all collected data types.`,
+          suggestion: "Review your Data Safety form at Play Console > Policy > App content > Data safety.",
+          policyUrl: "https://support.google.com/googleplay/android-developer/answer/10787469"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/preflight/scanners/policy-scanner.ts
+var policyScanner = {
+  name: "policy",
+  description: "Heuristic checks for Google Play policy compliance (families, financial, health, gambling)",
+  requires: ["manifest"],
+  async scan(ctx) {
+    const manifest = ctx.manifest;
+    const findings = [];
+    const perms = new Set(manifest.permissions);
+    if (manifest.targetSdk >= 28) {
+      const childrenIndicators = [
+        perms.has("android.permission.READ_CONTACTS"),
+        perms.has("android.permission.ACCESS_FINE_LOCATION"),
+        perms.has("android.permission.RECORD_AUDIO")
+      ];
+      const hasChildFeatures = manifest.features.some(
+        (f) => f.name.includes("kids") || f.name.includes("children") || f.name.includes("education")
+      );
+      if (hasChildFeatures && childrenIndicators.some(Boolean)) {
+        findings.push({
+          scanner: "policy",
+          ruleId: "policy-families-data-collection",
+          severity: "warning",
+          title: "Potential Families Policy concern",
+          message: "App appears to target children (based on features) but requests sensitive permissions (location, contacts, or audio). Apps in the Families program have strict data collection limits.",
+          suggestion: "Review the Families Policy requirements. Apps for children must minimize data collection and cannot use advertising ID.",
+          policyUrl: "https://support.google.com/googleplay/android-developer/answer/9893335"
+        });
+      }
+    }
+    const financialPerms = [
+      perms.has("android.permission.READ_SMS"),
+      perms.has("android.permission.RECEIVE_SMS"),
+      perms.has("android.permission.BIND_AUTOFILL_SERVICE")
+    ];
+    if (financialPerms.filter(Boolean).length >= 2) {
+      findings.push({
+        scanner: "policy",
+        ruleId: "policy-financial-app",
+        severity: "warning",
+        title: "Potential financial app detected",
+        message: "App requests SMS + autofill permissions, common in financial apps. Financial apps must comply with additional disclosure and security requirements.",
+        suggestion: "Ensure your app meets Google Play's financial services policy. Declare appropriate app category in Play Console.",
+        policyUrl: "https://support.google.com/googleplay/android-developer/answer/9876821"
+      });
+    }
+    if (perms.has("android.permission.BODY_SENSORS") || perms.has("android.permission.ACTIVITY_RECOGNITION")) {
+      findings.push({
+        scanner: "policy",
+        ruleId: "policy-health-app",
+        severity: "info",
+        title: "Health/fitness app detected",
+        message: "App requests body sensor or activity recognition permissions. Health apps must comply with health data policies.",
+        suggestion: "Review Google Play's health app policy. Ensure accurate health claims and proper data handling disclosures.",
+        policyUrl: "https://support.google.com/googleplay/android-developer/answer/10787469"
+      });
+    }
+    const ugcIndicators = [
+      perms.has("android.permission.CAMERA"),
+      perms.has("android.permission.RECORD_AUDIO"),
+      perms.has("android.permission.READ_MEDIA_IMAGES")
+    ];
+    if (ugcIndicators.filter(Boolean).length >= 2) {
+      findings.push({
+        scanner: "policy",
+        ruleId: "policy-ugc-content",
+        severity: "info",
+        title: "User-generated content indicators",
+        message: "App requests camera + audio/media permissions, suggesting user-generated content. Apps with UGC must have content moderation.",
+        suggestion: "Implement content moderation, reporting mechanisms, and content policies if your app allows user-generated content.",
+        policyUrl: "https://support.google.com/googleplay/android-developer/answer/9876937"
+      });
+    }
+    if (perms.has("android.permission.SYSTEM_ALERT_WINDOW")) {
+      findings.push({
+        scanner: "policy",
+        ruleId: "policy-overlay",
+        severity: "warning",
+        title: "SYSTEM_ALERT_WINDOW (overlay) permission",
+        message: "App requests overlay permission. This is restricted and must be justified. Misuse can lead to rejection.",
+        suggestion: "Only use SYSTEM_ALERT_WINDOW if overlay display is core to your app's functionality."
+      });
+    }
+    return findings;
+  }
+};
+
+// src/preflight/scanners/size-scanner.ts
+var sizeScanner = {
+  name: "size",
+  description: "Analyzes app bundle size and warns on large downloads",
+  requires: ["zipEntries"],
+  async scan(ctx) {
+    const entries = ctx.zipEntries;
+    const findings = [];
+    const maxMb = ctx.config.maxDownloadSizeMb;
+    const totalCompressed = entries.reduce((sum, e) => sum + e.compressedSize, 0);
+    const totalUncompressed = entries.reduce((sum, e) => sum + e.uncompressedSize, 0);
+    const compressedMb = totalCompressed / (1024 * 1024);
+    const uncompressedMb = totalUncompressed / (1024 * 1024);
+    if (compressedMb > maxMb) {
+      findings.push({
+        scanner: "size",
+        ruleId: "size-over-limit",
+        severity: "warning",
+        title: `Download size exceeds ${maxMb} MB`,
+        message: `Compressed size is ${compressedMb.toFixed(1)} MB. Downloads over ${maxMb} MB show a mobile data warning to users, which reduces install rates.`,
+        suggestion: "Use Android App Bundles for split APKs, remove unused resources, enable R8/ProGuard, and compress assets.",
+        policyUrl: "https://developer.android.com/topic/performance/reduce-apk-size"
+      });
+    }
+    const categories = /* @__PURE__ */ new Map();
+    for (const entry of entries) {
+      const cat = detectCategory(entry.path);
+      const existing = categories.get(cat) ?? { compressed: 0, uncompressed: 0, count: 0 };
+      existing.compressed += entry.compressedSize;
+      existing.uncompressed += entry.uncompressedSize;
+      existing.count += 1;
+      categories.set(cat, existing);
+    }
+    const nativeLibs = categories.get("native-libs");
+    if (nativeLibs && nativeLibs.compressed > 50 * 1024 * 1024) {
+      findings.push({
+        scanner: "size",
+        ruleId: "size-large-native",
+        severity: "warning",
+        title: "Large native libraries",
+        message: `Native libraries are ${(nativeLibs.compressed / (1024 * 1024)).toFixed(1)} MB (compressed). This is the largest contributor to download size.`,
+        suggestion: "Review which native libraries are bundled. Consider using dynamic feature modules for optional native code."
+      });
+    }
+    const assets = categories.get("assets");
+    if (assets && assets.compressed > 30 * 1024 * 1024) {
+      findings.push({
+        scanner: "size",
+        ruleId: "size-large-assets",
+        severity: "info",
+        title: "Large assets directory",
+        message: `Assets are ${(assets.compressed / (1024 * 1024)).toFixed(1)} MB (compressed). Consider using Play Asset Delivery for large assets.`,
+        suggestion: "Move large assets to Play Asset Delivery (install-time, fast-follow, or on-demand packs).",
+        policyUrl: "https://developer.android.com/guide/playcore/asset-delivery"
+      });
+    }
+    const breakdown = [...categories.entries()].sort((a, b) => b[1].compressed - a[1].compressed).map(([cat, data]) => `${cat}: ${(data.compressed / (1024 * 1024)).toFixed(1)} MB`).join(", ");
+    findings.push({
+      scanner: "size",
+      ruleId: "size-summary",
+      severity: "info",
+      title: `Total size: ${compressedMb.toFixed(1)} MB compressed, ${uncompressedMb.toFixed(1)} MB uncompressed`,
+      message: `${entries.length} files. Breakdown: ${breakdown}`
+    });
+    return findings;
+  }
+};
+function detectCategory(path) {
+  const lower = path.toLowerCase();
+  if (lower.endsWith(".dex") || /\/dex\//.test(lower)) return "dex";
+  if (/\/lib\/[^/]+\/[^/]+\.so$/.test(lower)) return "native-libs";
+  if (/\/res\//.test(lower) || lower.endsWith("/resources.pb") || lower.endsWith("/resources.arsc"))
+    return "resources";
+  if (/\/assets\//.test(lower)) return "assets";
+  if (lower.includes("androidmanifest.xml") || /\/manifest\//.test(lower)) return "manifest";
+  if (lower.startsWith("meta-inf/")) return "signing";
+  return "other";
+}
+
+// src/preflight/orchestrator.ts
+var ALL_SCANNERS = [
+  manifestScanner,
+  permissionsScanner,
+  nativeLibsScanner,
+  metadataScanner,
+  secretsScanner,
+  billingScanner,
+  privacyScanner,
+  policyScanner,
+  sizeScanner
+];
+function getAllScannerNames() {
+  return ALL_SCANNERS.map((s) => s.name);
+}
+async function runPreflight(options) {
+  const start = Date.now();
+  const fileConfig = await loadPreflightConfig(options.configPath);
+  const config = {
+    ...fileConfig,
+    failOn: options.failOn ?? fileConfig.failOn ?? DEFAULT_PREFLIGHT_CONFIG.failOn
+  };
+  const ctx = { config };
+  if (options.aabPath) {
+    ctx.aabPath = options.aabPath;
+    const aab = await readAab(options.aabPath);
+    ctx.manifest = aab.manifest;
+    ctx.zipEntries = aab.entries;
+  }
+  if (options.metadataDir) ctx.metadataDir = options.metadataDir;
+  if (options.sourceDir) ctx.sourceDir = options.sourceDir;
+  const requestedNames = options.scanners ? new Set(options.scanners.map((s) => s.toLowerCase())) : null;
+  const applicableScanners = ALL_SCANNERS.filter((scanner) => {
+    if (requestedNames && !requestedNames.has(scanner.name)) return false;
+    for (const req of scanner.requires) {
+      if (req === "manifest" && !ctx.manifest) return false;
+      if (req === "zipEntries" && !ctx.zipEntries) return false;
+      if (req === "metadataDir" && !ctx.metadataDir) return false;
+      if (req === "sourceDir" && !ctx.sourceDir) return false;
+    }
+    return true;
+  });
+  const settled = await Promise.allSettled(applicableScanners.map((scanner) => scanner.scan(ctx)));
+  let findings = [];
+  for (let i = 0; i < settled.length; i++) {
+    const result = settled[i];
+    if (result.status === "fulfilled") {
+      findings.push(...result.value);
+    } else {
+      const scanner = applicableScanners[i];
+      findings.push({
+        scanner: scanner.name,
+        ruleId: "scanner-error",
+        severity: "error",
+        title: `Scanner "${scanner.name}" failed`,
+        message: result.reason instanceof Error ? result.reason.message : String(result.reason),
+        suggestion: "This scanner encountered an unexpected error. Other scanners still ran."
+      });
+    }
+  }
+  if (config.disabledRules.length > 0) {
+    const disabled = new Set(config.disabledRules);
+    findings = findings.filter((f) => !disabled.has(f.ruleId));
+  }
+  if (Object.keys(config.severityOverrides).length > 0) {
+    findings = findings.map((f) => {
+      const override = config.severityOverrides[f.ruleId];
+      return override ? { ...f, severity: override } : f;
+    });
+  }
+  findings.sort((a, b) => SEVERITY_ORDER[b.severity] - SEVERITY_ORDER[a.severity]);
+  const summary = { critical: 0, error: 0, warning: 0, info: 0 };
+  for (const f of findings) summary[f.severity]++;
+  const failThreshold = SEVERITY_ORDER[config.failOn];
+  const passed = !findings.some((f) => SEVERITY_ORDER[f.severity] >= failThreshold);
+  return {
+    scanners: applicableScanners.map((s) => s.name),
+    findings,
+    summary,
+    passed,
+    durationMs: Date.now() - start
+  };
+}
+
 // src/utils/sort.ts
 function getNestedValue(obj, path) {
   const parts = path.split(".");
@@ -4342,16 +5972,16 @@ function sortResults(items, sortSpec) {
 }
 
 // src/commands/plugin-scaffold.ts
-import { mkdir as mkdir5, writeFile as writeFile6 } from "fs/promises";
-import { join as join7 } from "path";
+import { mkdir as mkdir6, writeFile as writeFile7 } from "fs/promises";
+import { join as join10 } from "path";
 async function scaffoldPlugin(options) {
   const { name, dir, description = `GPC plugin: ${name}` } = options;
   const pluginName = name.startsWith("gpc-plugin-") ? name : `gpc-plugin-${name}`;
   const shortName = pluginName.replace(/^gpc-plugin-/, "");
-  const srcDir = join7(dir, "src");
-  const testDir = join7(dir, "tests");
-  await mkdir5(srcDir, { recursive: true });
-  await mkdir5(testDir, { recursive: true });
+  const srcDir = join10(dir, "src");
+  const testDir = join10(dir, "tests");
+  await mkdir6(srcDir, { recursive: true });
+  await mkdir6(testDir, { recursive: true });
   const files = [];
   const pkg = {
     name: pluginName,
@@ -4385,7 +6015,7 @@ async function scaffoldPlugin(options) {
       vitest: "^3.0.0"
     }
   };
-  await writeFile6(join7(dir, "package.json"), JSON.stringify(pkg, null, 2) + "\n");
+  await writeFile7(join10(dir, "package.json"), JSON.stringify(pkg, null, 2) + "\n");
   files.push("package.json");
   const tsconfig = {
     compilerOptions: {
@@ -4401,7 +6031,7 @@ async function scaffoldPlugin(options) {
     },
     include: ["src"]
   };
-  await writeFile6(join7(dir, "tsconfig.json"), JSON.stringify(tsconfig, null, 2) + "\n");
+  await writeFile7(join10(dir, "tsconfig.json"), JSON.stringify(tsconfig, null, 2) + "\n");
   files.push("tsconfig.json");
   const srcContent = `import { definePlugin } from "@gpc-cli/plugin-sdk";
 import type { CommandEvent, CommandResult } from "@gpc-cli/plugin-sdk";
@@ -4434,7 +6064,7 @@ export const plugin = definePlugin({
   },
 });
 `;
-  await writeFile6(join7(srcDir, "index.ts"), srcContent);
+  await writeFile7(join10(srcDir, "index.ts"), srcContent);
   files.push("src/index.ts");
   const testContent = `import { describe, it, expect, vi } from "vitest";
 import { plugin } from "../src/index";
@@ -4459,7 +6089,7 @@ describe("${pluginName}", () => {
   });
 });
 `;
-  await writeFile6(join7(testDir, "plugin.test.ts"), testContent);
+  await writeFile7(join10(testDir, "plugin.test.ts"), testContent);
   files.push("tests/plugin.test.ts");
   return { dir, files };
 }
@@ -4570,7 +6200,7 @@ async function sendWebhook(config, payload, target) {
 }
 
 // src/commands/internal-sharing.ts
-import { extname as extname4 } from "path";
+import { extname as extname5 } from "path";
 async function uploadInternalSharing(client, packageName, filePath, fileType) {
   const resolvedType = fileType ?? detectFileType(filePath);
   const validation = await validateUploadFile(filePath);
@@ -4597,7 +6227,7 @@ ${validation.errors.join("\n")}`,
   };
 }
 function detectFileType(filePath) {
-  const ext = extname4(filePath).toLowerCase();
+  const ext = extname5(filePath).toLowerCase();
   if (ext === ".aab") return "bundle";
   if (ext === ".apk") return "apk";
   throw new GpcError(
@@ -4609,7 +6239,7 @@ function detectFileType(filePath) {
 }
 
 // src/commands/generated-apks.ts
-import { writeFile as writeFile7 } from "fs/promises";
+import { writeFile as writeFile8 } from "fs/promises";
 async function listGeneratedApks(client, packageName, versionCode) {
   if (!Number.isInteger(versionCode) || versionCode <= 0) {
     throw new GpcError(
@@ -4640,7 +6270,7 @@ async function downloadGeneratedApk(client, packageName, versionCode, apkId, out
   }
   const buffer = await client.generatedApks.download(packageName, versionCode, apkId);
   const bytes = new Uint8Array(buffer);
-  await writeFile7(outputPath, bytes);
+  await writeFile8(outputPath, bytes);
   return { path: outputPath, sizeBytes: bytes.byteLength };
 }
 
@@ -4707,11 +6337,11 @@ async function deactivatePurchaseOption(client, packageName, purchaseOptionId) {
 }
 
 // src/commands/bundle-analysis.ts
-import { readFile as readFile9, stat as stat7 } from "fs/promises";
+import { readFile as readFile14, stat as stat10 } from "fs/promises";
 var EOCD_SIGNATURE = 101010256;
 var CD_SIGNATURE = 33639248;
 var MODULE_SUBDIRS = /* @__PURE__ */ new Set(["dex", "manifest", "res", "assets", "lib", "resources.pb", "root"]);
-function detectCategory(path) {
+function detectCategory2(path) {
   const lower = path.toLowerCase();
   if (lower.endsWith(".dex") || /\/dex\/[^/]+\.dex$/.test(lower)) return "dex";
   if (lower === "resources.arsc" || lower.endsWith("/resources.arsc") || lower.endsWith("/resources.pb") || /^(([^/]+\/)?res\/)/.test(lower))
@@ -4783,18 +6413,18 @@ function detectFileType2(filePath) {
   return "apk";
 }
 async function analyzeBundle(filePath) {
-  const fileInfo = await stat7(filePath).catch(() => null);
+  const fileInfo = await stat10(filePath).catch(() => null);
   if (!fileInfo || !fileInfo.isFile()) {
     throw new Error(`File not found: ${filePath}`);
   }
-  const buf = await readFile9(filePath);
+  const buf = await readFile14(filePath);
   const cdEntries = parseCentralDirectory(buf);
   const fileType = detectFileType2(filePath);
   const isAab = fileType === "aab";
   const entries = cdEntries.map((e) => ({
     path: e.filename,
     module: detectModule(e.filename, isAab),
-    category: detectCategory(e.filename),
+    category: detectCategory2(e.filename),
     compressedSize: e.compressedSize,
     uncompressedSize: e.uncompressedSize
   }));
@@ -4873,7 +6503,7 @@ function topFiles(analysis, n = 20) {
 async function checkBundleSize(analysis, configPath = ".bundlesize.json") {
   let config;
   try {
-    const raw = await readFile9(configPath, "utf-8");
+    const raw = await readFile14(configPath, "utf-8");
     config = JSON.parse(raw);
   } catch {
     return { passed: true, violations: [] };
@@ -4902,17 +6532,17 @@ async function checkBundleSize(analysis, configPath = ".bundlesize.json") {
 }
 
 // src/commands/status.ts
-import { mkdir as mkdir6, readFile as readFile10, writeFile as writeFile8 } from "fs/promises";
+import { mkdir as mkdir7, readFile as readFile15, writeFile as writeFile9 } from "fs/promises";
 import { execFile as execFile2 } from "child_process";
-import { join as join8 } from "path";
+import { join as join11 } from "path";
 import { getCacheDir as getCacheDir2 } from "@gpc-cli/config";
 var DEFAULT_TTL_SECONDS = 3600;
 function cacheFilePath(packageName) {
-  return join8(getCacheDir2(), `status-${packageName}.json`);
+  return join11(getCacheDir2(), `status-${packageName}.json`);
 }
 async function loadStatusCache(packageName, ttlSeconds = DEFAULT_TTL_SECONDS) {
   try {
-    const raw = await readFile10(cacheFilePath(packageName), "utf-8");
+    const raw = await readFile15(cacheFilePath(packageName), "utf-8");
     const entry = JSON.parse(raw);
     const age = (Date.now() - new Date(entry.fetchedAt).getTime()) / 1e3;
     if (age > (entry.ttl ?? ttlSeconds)) return null;
@@ -4929,9 +6559,9 @@ async function loadStatusCache(packageName, ttlSeconds = DEFAULT_TTL_SECONDS) {
 async function saveStatusCache(packageName, data, ttlSeconds = DEFAULT_TTL_SECONDS) {
   try {
     const dir = getCacheDir2();
-    await mkdir6(dir, { recursive: true });
+    await mkdir7(dir, { recursive: true });
     const entry = { fetchedAt: data.fetchedAt, ttl: ttlSeconds, data };
-    await writeFile8(cacheFilePath(packageName), JSON.stringify(entry, null, 2), {
+    await writeFile9(cacheFilePath(packageName), JSON.stringify(entry, null, 2), {
       encoding: "utf-8",
       mode: 384
     });
@@ -5035,6 +6665,7 @@ function computeReviewSentiment(reviews, windowDays) {
 }
 async function getAppStatus(client, reporting, packageName, options = {}) {
   const days = options.days ?? 7;
+  const reviewDays = options.reviewDays ?? 30;
   const sections = new Set(options.sections ?? ["releases", "vitals", "reviews"]);
   const thresholds = {
     crashRate: options.vitalThresholds?.crashRate ?? DEFAULT_THRESHOLDS.crashRate,
@@ -5069,7 +6700,7 @@ async function getAppStatus(client, reporting, packageName, options = {}) {
   const slowStart = slowStartResult.status === "fulfilled" ? slowStartResult.value : SKIPPED_VITAL;
   const slowRender = slowRenderResult.status === "fulfilled" ? slowRenderResult.value : SKIPPED_VITAL;
   const rawReviews = reviewsResult.status === "fulfilled" ? reviewsResult.value : [];
-  const reviews = computeReviewSentiment(rawReviews, 30);
+  const reviews = computeReviewSentiment(rawReviews, reviewDays);
   return {
     packageName,
     fetchedAt: (/* @__PURE__ */ new Date()).toISOString(),
@@ -5292,6 +6923,7 @@ async function runWatchLoop(opts) {
   process.on("SIGTERM", cleanup);
   while (running) {
     process.stdout.write("\x1B[2J\x1B[H");
+    const fetchedAt = Date.now();
     try {
       const status = await opts.fetch();
       await opts.save(status);
@@ -5299,28 +6931,31 @@ async function runWatchLoop(opts) {
     } catch (err) {
       console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
     }
-    console.log(`
-[gpc status] Refreshing in ${opts.intervalSeconds}s\u2026 (Ctrl+C to stop)`);
     for (let i = 0; i < opts.intervalSeconds && running; i++) {
+      const elapsed = Math.round((Date.now() - fetchedAt) / 1e3);
+      const remaining = opts.intervalSeconds - i;
+      process.stdout.write(
+        `\r[gpc status] Fetched ${elapsed}s ago \xB7 refreshing in ${remaining}s (Ctrl+C to stop)\x1B[K`
+      );
       await new Promise((r) => setTimeout(r, 1e3));
     }
   }
 }
 function breachStateFilePath(packageName) {
-  return join8(getCacheDir2(), `breach-state-${packageName}.json`);
+  return join11(getCacheDir2(), `breach-state-${packageName}.json`);
 }
 async function trackBreachState(packageName, isBreaching) {
   const filePath = breachStateFilePath(packageName);
   let prevBreaching = false;
   try {
-    const raw = await readFile10(filePath, "utf-8");
+    const raw = await readFile15(filePath, "utf-8");
     prevBreaching = JSON.parse(raw).breaching;
   } catch {
   }
   if (prevBreaching !== isBreaching) {
     try {
-      await mkdir6(getCacheDir2(), { recursive: true });
-      await writeFile8(
+      await mkdir7(getCacheDir2(), { recursive: true });
+      await writeFile9(
         filePath,
         JSON.stringify({ breaching: isBreaching, since: (/* @__PURE__ */ new Date()).toISOString() }, null, 2),
         { encoding: "utf-8", mode: 384 }
@@ -5361,6 +6996,7 @@ export {
   ApiError,
   ConfigError,
   DEFAULT_LIMITS,
+  DEFAULT_PREFLIGHT_CONFIG,
   GOOGLE_PLAY_LANGUAGES,
   GpcError,
   NetworkError,
@@ -5368,6 +7004,7 @@ export {
   PluginManager,
   SENSITIVE_ARG_KEYS,
   SENSITIVE_KEYS,
+  SEVERITY_ORDER,
   abortTrain,
   acknowledgeProductPurchase,
   activateBasePlan,
@@ -5433,6 +7070,7 @@ export {
   exportDataSafety,
   exportImages,
   exportReviews,
+  fetchReleaseNotes,
   formatCustomPayload,
   formatDiscordPayload,
   formatJunit,
@@ -5444,6 +7082,7 @@ export {
   formatWordDiff,
   generateMigrationPlan,
   generateNotesFromGit,
+  getAllScannerNames,
   getAppInfo,
   getAppStatus,
   getCountryAvailability,
@@ -5477,6 +7116,7 @@ export {
   importDataSafety,
   importTestersFromCsv,
   initAudit,
+  initProject,
   inviteUser,
   isFinancialReportType,
   isStatsReportType,
@@ -5508,6 +7148,7 @@ export {
   listTracks,
   listUsers,
   listVoidedPurchases,
+  loadPreflightConfig,
   loadStatusCache,
   maybePaginate,
   migratePrices,
@@ -5531,6 +7172,7 @@ export {
   removeUser,
   replyToReview,
   revokeSubscriptionPurchase,
+  runPreflight,
   runWatchLoop,
   safePath,
   safePathWithin,