@hatem427/code-guard-ci 3.5.4 → 3.5.6

package/scripts/cli.ts

@@ -73,9 +73,10 @@ function showHelp(): void {
   code-guard <command> [options]
 
 ${c.bold('Commands:')}
-  ${c.green('init')}              Full automatic setup (zero prompts)
-  ${c.green('check')}             Run pre-commit checks manually
-  ${c.green('report')}            Generate a rich report with fix examples (opens in editor)
+  ${c.green('init')}                    Full automatic setup (zero prompts)
+  ${c.green('check')}                   Run pre-commit checks manually
+  ${c.green('check-vuln')}   Run security scans (npm audit, RetireJS)
+  ${c.green('report')}                  Generate a rich report with fix examples (opens in editor)
   ${c.green('doc')}               Generate feature documentation
   ${c.green('checklist')}         Generate PR checklist
   ${c.green('validate')}          Validate structure & naming conventions
@@ -93,7 +94,6 @@ ${c.bold('Init Options:')}
 
 ${c.bold('Uninstall Options:')}
   --yes, -y          Skip confirmation prompt
-  --no-backup        Don't create backup of AI configs
 
 ${c.bold('Examples:')}
   ${c.dim('# Full automatic setup')}
@@ -111,11 +111,11 @@ ${c.bold('Examples:')}
   ${c.dim('# Generate docs')}
   code-guard doc --name="user-card" --type=ui
 
-  ${c.dim('# Clean uninstall with backup')}
+  ${c.dim('# Clean uninstall')}
   code-guard uninstall
 
   ${c.dim('# Force uninstall without prompts')}
-  code-guard uninstall --yes --no-backup
+  code-guard uninstall --yes
 `);
 }
 
@@ -143,6 +143,16 @@ function initProject(): void {
   const skipAI = hasFlag('skip-ai');
   const skipHooks = hasFlag('skip-hooks');
 
+  // ── Initialize manifest for tracking ────────────────────────────────────
+  const {
+    createManifest, saveManifest, loadManifest,
+    recordCreatedFile, recordModifiedFile, recordBackup,
+    recordAddedScript, recordModifiedScript,
+  } = requireUtil('manifest');
+
+  // Load existing manifest or create new one
+  const manifest = loadManifest(cwd) || createManifest();
+
   // ── Step 1: Detect Framework ────────────────────────────────────────────
   console.log(c.bold('📡 Step 1: Detecting project...'));
 
@@ -186,9 +196,25 @@ function initProject(): void {
   // ── Step 3: Generate ESLint Config ───────────────────────────────────────
   console.log(c.bold('⚡ Step 3: Configuring ESLint...'));
   try {
+    const eslintFile = 'eslint.config.mjs';
+    const eslintPath = path.join(cwd, eslintFile);
+    const eslintExisted = fs.existsSync(eslintPath);
+
     const { generateEslintConfig } = requireGenerator('eslint-generator');
     generateEslintConfig(project);
-    console.log(`  ${c.green('✓')} Created .eslintrc.json`);
+
+    // Track: eslint-generator already creates .backup files for existing configs
+    if (eslintExisted) {
+      recordModifiedFile(manifest, eslintFile, 'eslint');
+      // The generator already backed up the old file — record it
+      if (fs.existsSync(eslintPath + '.backup')) {
+        recordBackup(manifest, eslintFile, eslintFile + '.backup');
+      }
+    } else {
+      recordCreatedFile(manifest, eslintFile);
+    }
+
+    console.log(`  ${c.green('✓')} Created eslint.config.mjs`);
     console.log(`  ${c.green('✓')} Created .eslintignore\n`);
   } catch (error: any) {
     console.warn(c.yellow(`  ⚠️  ESLint config generation failed: ${error.message}\n`));
@@ -197,8 +223,33 @@ function initProject(): void {
   // ── Step 4: Generate Prettier Config ──────────────────────────────────────
   console.log(c.bold('🎨 Step 4: Configuring Prettier...'));
   try {
+    const prettierFile = '.prettierrc.json';
+    const prettierPath = path.join(cwd, prettierFile);
+    const prettierExisted = fs.existsSync(prettierPath);
+    const ignoreFile = '.prettierignore';
+    const ignorePath = path.join(cwd, ignoreFile);
+    const ignoreExisted = fs.existsSync(ignorePath);
+
     const { generatePrettierConfig } = requireGenerator('prettier-generator');
     generatePrettierConfig(project);
+
+    // Track: prettier-generator already creates .backup files for existing configs
+    if (prettierExisted) {
+      recordModifiedFile(manifest, prettierFile, 'prettier');
+      // Check for any backed-up prettier files
+      const prettierFiles = ['.prettierrc', '.prettierrc.js', '.prettierrc.cjs', '.prettierrc.json', '.prettierrc.yml', '.prettierrc.yaml', '.prettierrc.toml', 'prettier.config.js'];
+      for (const pf of prettierFiles) {
+        if (fs.existsSync(path.join(cwd, pf + '.backup'))) {
+          recordBackup(manifest, pf, pf + '.backup');
+        }
+      }
+    } else {
+      recordCreatedFile(manifest, prettierFile);
+    }
+    if (!ignoreExisted && fs.existsSync(ignorePath)) {
+      recordCreatedFile(manifest, ignoreFile);
+    }
+
     console.log(`  ${c.green('✓')} Created .prettierrc.json`);
     console.log(`  ${c.green('✓')} Created .prettierignore\n`);
   } catch (error: any) {
@@ -209,8 +260,19 @@ function initProject(): void {
   if (project.usesTypeScript) {
     console.log(c.bold('📘 Step 5: Configuring TypeScript...'));
     try {
+      const tsFile = project.existingTooling.hasTypescript ? 'tsconfig.strict.json' : 'tsconfig.json';
+      const tsPath = path.join(cwd, tsFile);
+      const tsExisted = fs.existsSync(tsPath);
+
       const { generateTypescriptConfig } = requireGenerator('typescript-generator');
       generateTypescriptConfig(project);
+
+      if (tsExisted) {
+        recordModifiedFile(manifest, tsFile, 'typescript');
+      } else {
+        recordCreatedFile(manifest, tsFile);
+      }
+
       if (project.existingTooling.hasTypescript) {
         console.log(`  ${c.green('✓')} Created tsconfig.strict.json (extends existing tsconfig)`);
       } else {
@@ -227,18 +289,34 @@ function initProject(): void {
   // ── Step 6: Generate lint-staged Config ───────────────────────────────────
   console.log(c.bold('📋 Step 6: Configuring lint-staged...'));
   try {
+    const lsFile = '.lintstagedrc.json';
+    const lsPath = path.join(cwd, lsFile);
+    const lsExisted = fs.existsSync(lsPath);
+
     const { generateLintStagedConfig } = requireGenerator('lint-staged-generator');
     generateLintStagedConfig(project);
+
+    if (!lsExisted && fs.existsSync(lsPath)) {
+      recordCreatedFile(manifest, lsFile);
+    }
     console.log(`  ${c.green('✓')} Created .lintstagedrc.json\n`);
   } catch (error: any) {
     console.warn(c.yellow(`  ⚠️  lint-staged config generation failed: ${error.message}\n`));
   }
 
   // ── Step 7: Generate .editorconfig ────────────────────────────────────────
-  console.log(c.bold('📐 Step 8: Creating .editorconfig...'));
+  console.log(c.bold('📐 Step 7: Creating .editorconfig...'));
   try {
+    const ecFile = '.editorconfig';
+    const ecPath = path.join(cwd, ecFile);
+    const ecExisted = fs.existsSync(ecPath);
+
     const { generateEditorConfig } = requireGenerator('editorconfig-generator');
     generateEditorConfig(project);
+
+    if (!ecExisted && fs.existsSync(ecPath)) {
+      recordCreatedFile(manifest, ecFile);
+    }
     console.log(`  ${c.green('✓')} Created .editorconfig\n`);
   } catch (error: any) {
     console.warn(c.yellow(`  ⚠️  EditorConfig generation failed: ${error.message}\n`));
@@ -247,11 +325,24 @@ function initProject(): void {
   // ── Step 8: Generate VS Code Settings ─────────────────────────────────────
   console.log(c.bold('💻 Step 8: Creating VS Code workspace settings...'));
   try {
+    const vscodeFiles = ['.vscode/settings.json', '.vscode/extensions.json', '.vscode/tasks.json', '.vscode/launch.json'];
+    const vscodeExisted: Record<string, boolean> = {};
+    for (const vf of vscodeFiles) {
+      vscodeExisted[vf] = fs.existsSync(path.join(cwd, vf));
+    }
+
     const { generateVSCodeSettings, generateVSCodeExtensions, generateVSCodeTasks, generateVSCodeLaunch } = requireGenerator('vscode-generator');
     generateVSCodeSettings(project);
     generateVSCodeExtensions(project);
     generateVSCodeTasks(project);
     generateVSCodeLaunch(project);
+
+    for (const vf of vscodeFiles) {
+      if (!vscodeExisted[vf] && fs.existsSync(path.join(cwd, vf))) {
+        recordCreatedFile(manifest, vf);
+      }
+    }
+
     console.log(`  ${c.green('✓')} Created .vscode/settings.json`);
     console.log(`  ${c.green('✓')} Created .vscode/extensions.json`);
     console.log(`  ${c.green('✓')} Created .vscode/tasks.json`);
@@ -263,7 +354,14 @@ function initProject(): void {
   // ── Step 9: Setup Git Hooks ───────────────────────────────────────────────
   if (!skipHooks) {
     console.log(c.bold('🐶 Step 9: Setting up Git hooks...'));
+    const hookFile = '.husky/pre-commit';
+    const hookExisted = fs.existsSync(path.join(cwd, hookFile));
     setupGitHooks(cwd);
+    if (hookExisted) {
+      recordModifiedFile(manifest, hookFile, 'husky');
+    } else if (fs.existsSync(path.join(cwd, hookFile))) {
+      recordCreatedFile(manifest, hookFile);
+    }
     console.log('');
   } else {
     console.log(c.dim('🐶 Step 9: Skipping git hooks (--skip-hooks)\n'));
@@ -275,17 +373,32 @@ function initProject(): void {
     try {
       const { loadCompanyRules } = requireUtil('custom-rules-loader');
       const companyRules = loadCompanyRules(cwd);
-      const { generateAIConfigs } = requireGenerator('ai-config-generator');
-      generateAIConfigs(project, companyRules.aiGuidelines);
 
+      // Snapshot which AI files exist before generation
       const { defaultRegistry } = requireUtil('ai-config-registry');
       const templates = defaultRegistry.getAll();
+      const aiExisted: Record<string, boolean> = {};
+      for (const t of templates) {
+        const targetDir = t.directory ? path.join(cwd, t.directory) : cwd;
+        const targetPath = path.join(targetDir, t.fileName);
+        const relPath = t.directory ? `${t.directory}/${t.fileName}` : t.fileName;
+        aiExisted[relPath] = fs.existsSync(targetPath);
+      }
+
+      const { generateAIConfigs } = requireGenerator('ai-config-generator');
+      generateAIConfigs(project, companyRules.aiGuidelines);
+
       for (const t of templates) {
         const targetDir = t.directory ? path.join(cwd, t.directory) : cwd;
         const targetPath = path.join(targetDir, t.fileName);
+        const relPath = t.directory ? `${t.directory}/${t.fileName}` : t.fileName;
         if (fs.existsSync(targetPath)) {
-          const displayPath = t.directory ? `${t.directory}/${t.fileName}` : t.fileName;
-          console.log(`  ${c.green('✓')} ${t.name}: ${displayPath}`);
+          if (aiExisted[relPath]) {
+            recordModifiedFile(manifest, relPath, t.marker);
+          } else {
+            recordCreatedFile(manifest, relPath);
+          }
+          console.log(`  ${c.green('✓')} ${t.name}: ${relPath}`);
         }
       }
       console.log('');
@@ -299,6 +412,12 @@ function initProject(): void {
   // ── Step 11: Custom Rules Template ─────────────────────────────────────────
   console.log(c.bold('🏢 Step 11: Creating custom rules templates...'));
   try {
+    const cgFiles = ['.code-guardian/custom-rules.json', '.code-guardian/structure-rules.json', '.code-guardian/naming-rules.json'];
+    const cgExisted: Record<string, boolean> = {};
+    for (const cf of cgFiles) {
+      cgExisted[cf] = fs.existsSync(path.join(cwd, cf));
+    }
+
     const { generateCustomRulesTemplate } = requireUtil('custom-rules-loader');
     generateCustomRulesTemplate(cwd);
     console.log(`  ${c.green('✓')} Created .code-guardian/custom-rules.json`);
@@ -310,20 +429,30 @@ function initProject(): void {
     const { generateNamingRulesTemplate } = requireUtil('naming-validator');
     generateNamingRulesTemplate(cwd);
     console.log(`  ${c.green('✓')} Created .code-guardian/naming-rules.json\n`);
+
+    for (const cf of cgFiles) {
+      if (!cgExisted[cf] && fs.existsSync(path.join(cwd, cf))) {
+        recordCreatedFile(manifest, cf);
+      }
+    }
   } catch (error: any) {
     console.warn(c.yellow(`  ⚠️  Custom rules template generation failed: ${error.message}\n`));
   }
 
   // ── Step 12: Update package.json ───────────────────────────────────────────
   console.log(c.bold('📦 Step 12: Updating package.json...'));
-  updatePackageJson(cwd, project);
+  updatePackageJson(cwd, project, manifest);
   console.log('');
 
   // ── Step 13: Copy Code Guardian configs and templates ──────────────────────
   console.log(c.bold('📁 Step 13: Copying Code Guardian rules and templates...'));
-  copyCodeGuardianFiles(cwd);
+  copyCodeGuardianFiles(cwd, manifest, project.type);
   console.log('');
 
+  // ── Save manifest ─────────────────────────────────────────────────────────
+  saveManifest(cwd, manifest);
+  console.log(`  ${c.green('✓')} Saved manifest to .code-guardian/manifest.json\n`);
+
   // ── Done! ─────────────────────────────────────────────────────────────────
   console.log(c.bold(c.green('═══════════════════════════════════════════════════════════')));
   console.log(c.bold(c.green('  ✅ Code Guardian initialized successfully!')));
@@ -358,44 +487,53 @@ function initProject(): void {
 
 function setupGitHooks(cwd: string): void {
   try {
-    // Initialize Husky
+    const huskyDir = path.join(cwd, '.husky');
+    const preCommitPath = path.join(huskyDir, 'pre-commit');
+
+    // Save existing pre-commit content BEFORE husky init (which overwrites it)
+    let existingPreCommit: string | null = null;
+    if (fs.existsSync(preCommitPath)) {
+      existingPreCommit = fs.readFileSync(preCommitPath, 'utf-8');
+    }
+
+    // Initialize Husky (creates .husky/ dir and default pre-commit)
     try {
       execSync('npx husky init', { stdio: 'pipe', cwd });
     } catch {
       // Fallback: manual setup
-      const huskyDir = path.join(cwd, '.husky');
       if (!fs.existsSync(huskyDir)) {
         fs.mkdirSync(huskyDir, { recursive: true });
       }
     }
 
-    const huskyDir = path.join(cwd, '.husky');
     if (!fs.existsSync(huskyDir)) {
       fs.mkdirSync(huskyDir, { recursive: true });
     }
 
-    // Create or append pre-commit hook (lint-staged + Code Guardian)
-    const preCommitContent = `
-# npm test
+    // Restore the original pre-commit content if husky init overwrote it
+    if (existingPreCommit !== null) {
+      fs.writeFileSync(preCommitPath, existingPreCommit);
+    }
 
+    // Create or append pre-commit hook (lint-staged + Code Guardian rule checks)
+    const preCommitContent = `
 # --- code-guardian-hook-start ---
 echo "🛡️  Code Guardian — Pre-commit checks..."
 
-# Skip lint-staged and all checks when BYPASS_RULES is set
+# Skip all checks when BYPASS_RULES is set
 if [ "$BYPASS_RULES" = "true" ] || [ "$BYPASS_RULES" = "1" ]; then
-  echo "⚡ BYPASS_RULES detected — skipping lint-staged and Code Guardian."
+  echo "⚡ BYPASS_RULES detected — skipping checks."
   exit 0
 fi
 
 # Run lint-staged (ESLint + Prettier auto-fix)
 npx lint-staged
 
-# Run Code Guardian custom rules
+# Run Code Guardian rules
 npm run precommit-check
 # --- code-guardian-hook-end ---
 `;
 
-    const preCommitPath = path.join(huskyDir, 'pre-commit');
     if (fs.existsSync(preCommitPath)) {
       const existing = fs.readFileSync(preCommitPath, 'utf-8');
       if (!existing.includes('code-guardian-hook-start')) {
@@ -409,7 +547,7 @@ npm run precommit-check
       // Create new hook file
       const preCommitHook = `#!/usr/bin/env sh\n${preCommitContent}`;
       fs.writeFileSync(preCommitPath, preCommitHook);
-      console.log(`  ${c.green('✓')} Created .husky/pre-commit (lint-staged + Code Guardian)`);
+      console.log(`  ${c.green('✓')} Created .husky/pre-commit (lint-staged only)`);
     }
     try { fs.chmodSync(preCommitPath, '755'); } catch {}
 
@@ -470,33 +608,50 @@ function buildInstallCommand(packageManager: string, deps: string[]): string {
 
 // ── Update package.json ─────────────────────────────────────────────────────
 
-function updatePackageJson(cwd: string, project: any): void {
+function updatePackageJson(cwd: string, project: any, manifest?: any): void {
   const packageJsonPath = path.join(cwd, 'package.json');
   const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
   const packageName = '@hatem427/code-guard-ci';
 
   packageJson.scripts = packageJson.scripts || {};
 
+  // Helper to track script changes in manifest
+  const setScript = (name: string, value: string) => {
+    if (manifest) {
+      if (packageJson.scripts[name] && packageJson.scripts[name] !== value) {
+        // Script existed with different value — record original
+        const { recordModifiedScript } = requireUtil('manifest');
+        recordModifiedScript(manifest, name, packageJson.scripts[name]);
+      } else if (!packageJson.scripts[name]) {
+        // New script
+        const { recordAddedScript } = requireUtil('manifest');
+        recordAddedScript(manifest, name);
+      }
+    }
+    packageJson.scripts[name] = value;
+  };
+
   // Core Code Guardian scripts
-  packageJson.scripts['precommit-check'] = 'code-guard check';
-  packageJson.scripts['generate-doc'] = 'code-guard doc';
-  packageJson.scripts['generate-pr-checklist'] = 'code-guard checklist';
-  packageJson.scripts['validate'] = 'code-guard validate';
-  packageJson.scripts['prepare'] = 'husky';
+  setScript('precommit-check', 'code-guard check');
+  setScript('check-vuln', 'code-guard check-vuln');
+  setScript('generate-doc', 'code-guard doc');
+  setScript('generate-pr-checklist', 'code-guard checklist');
+  setScript('validate', 'code-guard validate');
+  setScript('prepare', 'husky');
 
   // Lint and format scripts
   const extensions = project.usesTypeScript ? '.ts,.tsx,.js,.jsx' : '.js,.jsx';
-  packageJson.scripts['lint'] = `eslint . --ext ${extensions}`;
-  packageJson.scripts['lint:fix'] = `eslint . --ext ${extensions} --fix`;
-  packageJson.scripts['format'] = 'prettier --write .';
-  packageJson.scripts['format:check'] = 'prettier --check .';
+  setScript('lint', `eslint . --ext ${extensions}`);
+  setScript('lint:fix', `eslint . --ext ${extensions} --fix`);
+  setScript('format', 'prettier --write .');
+  setScript('format:check', 'prettier --check .');
 
   // Security scripts
-  packageJson.scripts['set-bypass-password'] = `node node_modules/${packageName}/dist/scripts/set-bypass-password.js`;
-  packageJson.scripts['set-admin-password'] = `node node_modules/${packageName}/dist/scripts/set-admin-password.js`;
-  packageJson.scripts['delete-bypass-logs'] = `node node_modules/${packageName}/dist/scripts/delete-bypass-logs.js`;
-  packageJson.scripts['view-bypass-log'] = `node node_modules/${packageName}/dist/scripts/view-bypass-log.js`;
-  packageJson.scripts['auto-fix'] = `node node_modules/${packageName}/dist/scripts/auto-fix.js`;
+  setScript('set-bypass-password', `node node_modules/${packageName}/dist/scripts/set-bypass-password.js`);
+  setScript('set-admin-password', `node node_modules/${packageName}/dist/scripts/set-admin-password.js`);
+  setScript('delete-bypass-logs', `node node_modules/${packageName}/dist/scripts/delete-bypass-logs.js`);
+  setScript('view-bypass-log', `node node_modules/${packageName}/dist/scripts/view-bypass-log.js`);
+  setScript('auto-fix', `node node_modules/${packageName}/dist/scripts/auto-fix.js`);
 
   fs.writeFileSync(packageJsonPath, JSON.stringify(packageJson, null, 2) + '\n');
   console.log(`  ${c.green('✓')} Added npm scripts (lint, format, validate, precommit-check, etc.)`);
@@ -504,18 +659,35 @@ function updatePackageJson(cwd: string, project: any): void {
 
 // ── Copy Code Guardian files ────────────────────────────────────────────────
 
-function copyCodeGuardianFiles(cwd: string): void {
+function copyCodeGuardianFiles(cwd: string, manifest?: any, projectType?: string): void {
   // Determine source directories (handles both dev and built package layouts)
   const distDir = path.join(__dirname, '..');
   const pkgRootDir = path.join(__dirname, '..', '..');
 
-  // Copy config files
+  // Copy config files — only guidelines (always) + detected framework config
   const configDir = path.join(cwd, 'config');
   if (!fs.existsSync(configDir)) {
     fs.mkdirSync(configDir, { recursive: true });
   }
 
-  const configFiles = ['guidelines.config.ts', 'angular.config.ts', 'react.config.ts', 'nextjs.config.ts'];
+  // Map project type to its config file
+  const frameworkConfigMap: Record<string, string> = {
+    angular: 'angular.config.ts',
+    react: 'react.config.ts',
+    nextjs: 'nextjs.config.ts',
+    node: 'node.config.ts',
+  };
+
+  // Always include guidelines + detected framework config (+ react for nextjs since it inherits)
+  const configFiles = ['guidelines.config.ts'];
+  if (projectType && frameworkConfigMap[projectType]) {
+    configFiles.push(frameworkConfigMap[projectType]);
+  }
+  // Next.js inherits React rules, so include react config too
+  if (projectType === 'nextjs' && !configFiles.includes('react.config.ts')) {
+    configFiles.push('react.config.ts');
+  }
+
   const sourceConfigDirs = [path.join(distDir, 'config'), path.join(pkgRootDir, 'config')];
 
   for (const file of configFiles) {
@@ -530,6 +702,10 @@ function copyCodeGuardianFiles(cwd: string): void {
     const dest = path.join(configDir, file);
     if (src && !fs.existsSync(dest)) {
       fs.copyFileSync(src, dest);
+      if (manifest) {
+        const { recordCreatedFile } = requireUtil('manifest');
+        recordCreatedFile(manifest, `config/${file}`);
+      }
       console.log(`  ${c.green('✓')} ${file}`);
     }
   }
@@ -555,6 +731,10 @@ function copyCodeGuardianFiles(cwd: string): void {
     const dest = path.join(templatesDir, file);
     if (src && !fs.existsSync(dest)) {
       fs.copyFileSync(src, dest);
+      if (manifest) {
+        const { recordCreatedFile } = requireUtil('manifest');
+        recordCreatedFile(manifest, `templates/${file}`);
+      }
       console.log(`  ${c.green('✓')} ${file}`);
     }
   }
@@ -564,6 +744,10 @@ function copyCodeGuardianFiles(cwd: string): void {
   if (!fs.existsSync(docsDir)) {
     fs.mkdirSync(docsDir, { recursive: true });
     fs.writeFileSync(path.join(docsDir, '.gitkeep'), '');
+    if (manifest) {
+      const { recordCreatedFile } = requireUtil('manifest');
+      recordCreatedFile(manifest, 'docs/features/.gitkeep');
+    }
     console.log(`  ${c.green('✓')} Created docs/features/`);
   }
 }
@@ -931,11 +1115,22 @@ async function uninstallCodeGuard(): Promise<void> {
   showBanner();
   console.log(c.bold('🗑️  Code Guardian Uninstall\n'));
 
-  const filesToRemove = [
+  const cwd = process.cwd();
+
+  // ── Load manifest for smart uninstall ────────────────────────────────
+  const { loadManifest, removeMarkedContent } = requireUtil('manifest');
+  const manifest = loadManifest(cwd);
+
+  // Hardcoded fallbacks for files that Code Guardian always creates
+  const fallbackFilesToRemove = [
     '.husky/_/husky.sh',
+    'eslint.config.mjs',
     'eslint.config.js',
+    '.prettierrc.json',
+    '.prettierignore',
     'prettier.config.js',
     '.editorconfig',
+    '.lintstagedrc.json',
     'lint-staged.config.js',
     'tsconfig.strict.json',
   ];
@@ -944,11 +1139,11 @@ async function uninstallCodeGuard(): Promise<void> {
     'config',
     'templates',
     'docs',
-    '.code-guardian',
   ];
 
   const scriptsToRemove = [
     'precommit-check',
+    'check-vuln',
     'auto-fix',
     'generate-doc',
     'generate-pr-checklist',
@@ -956,12 +1151,17 @@ async function uninstallCodeGuard(): Promise<void> {
     'set-admin-password',
     'view-bypass-log',
     'delete-bypass-logs',
+    'lint',
+    'lint:fix',
+    'format',
+    'format:check',
+    'validate',
+    'prepare',
   ];
 
   // ── Detect AI config files via registry ──────────────────────────────
   const { defaultRegistry } = requireUtil('ai-config-registry');
   const aiTemplates = defaultRegistry.getAll();
-  const cwd = process.cwd();
 
   // Classify each AI config: full-delete vs strip-only
   interface AIConfigAction {
@@ -969,7 +1169,7 @@ async function uninstallCodeGuard(): Promise<void> {
     filePath: string;
     relativePath: string;
     marker: string;
-    action: 'delete' | 'strip'; // delete = whole file is ours, strip = remove only our section
+    action: 'delete' | 'strip';
   }
   const aiActions: AIConfigAction[] = [];
 
@@ -981,48 +1181,111 @@ async function uninstallCodeGuard(): Promise<void> {
     if (!fs.existsSync(filePath)) continue;
 
     const content = fs.readFileSync(filePath, 'utf-8');
-    if (!content.includes(t.marker)) continue; // not ours
-
-    // Determine if the file was created by us or if we appended
-    // If appended, there will be a --- separator before our marker with user content above
-    const markerIdx = content.indexOf(t.marker);
-    const beforeMarker = content.substring(0, markerIdx).trimEnd();
-
-    // Check if there's substantial user content before our section
-    // When we append we add "\n\n---\n\n" before our content
-    // When we create, the marker is at or near the top (possibly after frontmatter)
-    const stripped = beforeMarker.replace(/^---[\s\S]*?---/, '').trim(); // strip MDC frontmatter
-    const hasUserContent = stripped.length > 0 && !stripped.endsWith('---');
+    if (!content.includes(t.marker)) continue;
 
-    // A more robust check: if content before marker (minus separator) has real text
-    const withoutTrailingSep = beforeMarker.replace(/\n*---\s*$/, '').trim();
-    const realUserContent = withoutTrailingSep.replace(/^---[\s\S]*?---/, '').trim(); // strip frontmatter
-
-    if (realUserContent.length > 0) {
-      aiActions.push({ name: t.name, filePath, relativePath, marker: t.marker, action: 'strip' });
+    // Use manifest to determine action if available
+    if (manifest && manifest.files[relativePath]) {
+      const record = manifest.files[relativePath];
+      if (record.action === 'created') {
+        aiActions.push({ name: t.name, filePath, relativePath, marker: t.marker, action: 'delete' });
+      } else {
+        aiActions.push({ name: t.name, filePath, relativePath, marker: t.marker, action: 'strip' });
+      }
     } else {
-      aiActions.push({ name: t.name, filePath, relativePath, marker: t.marker, action: 'delete' });
+      // Fallback: detect by checking for user content before marker
+      const markerIdx = content.indexOf(t.marker);
+      const beforeMarker = content.substring(0, markerIdx).trimEnd();
+      const withoutTrailingSep = beforeMarker.replace(/\n*---\s*$/, '').trim();
+      const realUserContent = withoutTrailingSep.replace(/^---[\s\S]*?---/, '').trim();
+
+      if (realUserContent.length > 0) {
+        aiActions.push({ name: t.name, filePath, relativePath, marker: t.marker, action: 'strip' });
+      } else {
+        aiActions.push({ name: t.name, filePath, relativePath, marker: t.marker, action: 'delete' });
+      }
     }
   }
 
+  // Determine which files to remove (use manifest if available, fallback to hardcoded)
+  let filesToProcess: string[];
+  if (manifest) {
+    // Use manifest — it knows exactly what we created vs modified
+    filesToProcess = Object.keys(manifest.files).filter(f => {
+      // Skip AI files — handled separately
+      return !aiActions.some(a => a.relativePath === f);
+    });
+  } else {
+    filesToProcess = fallbackFilesToRemove;
+  }
+
   // Check what exists
-  const existingFiles = filesToRemove.filter(f => fs.existsSync(path.join(cwd, f)));
+  const existingFiles = filesToProcess.filter(f => fs.existsSync(path.join(cwd, f)));
   const existingDirs = dirsToRemove.filter(d => fs.existsSync(path.join(cwd, d)));
 
-  if (existingFiles.length === 0 && existingDirs.length === 0 && aiActions.length === 0) {
+  // Also check for backup files that need restoring
+  const backupsToRestore: Array<{ original: string; backup: string }> = [];
+  if (manifest && manifest.backups) {
+    for (const [original, backup] of Object.entries(manifest.backups) as [string, string][]) {
+      if (fs.existsSync(path.join(cwd, backup))) {
+        backupsToRestore.push({ original, backup });
+      }
+    }
+  }
+  // Also find any .backup files from generators (eslint, prettier create them)
+  for (const file of existingFiles) {
+    const backupPath = path.join(cwd, file + '.backup');
+    if (fs.existsSync(backupPath) && !backupsToRestore.some(b => b.backup === file + '.backup')) {
+      backupsToRestore.push({ original: file, backup: file + '.backup' });
+    }
+  }
+  // Check common backup locations from generators
+  const commonBackups = [
+    '.eslintrc.backup', '.eslintrc.js.backup', '.eslintrc.cjs.backup', '.eslintrc.json.backup',
+    'eslint.config.js.backup', 'eslint.config.mjs.backup', 'eslint.config.cjs.backup',
+    '.prettierrc.backup', '.prettierrc.js.backup', '.prettierrc.cjs.backup', '.prettierrc.json.backup',
+    '.prettierrc.yml.backup', '.prettierrc.yaml.backup', '.prettierrc.toml.backup', 'prettier.config.js.backup',
+    '.eslintignore.backup',
+  ];
+  for (const backup of commonBackups) {
+    if (fs.existsSync(path.join(cwd, backup))) {
+      const original = backup.replace(/\.backup$/, '');
+      if (!backupsToRestore.some(b => b.backup === backup)) {
+        backupsToRestore.push({ original, backup });
+      }
+    }
+  }
+
+  if (existingFiles.length === 0 && existingDirs.length === 0 && aiActions.length === 0 && backupsToRestore.length === 0) {
     console.log(c.yellow('⚠️  No Code Guardian files found to remove.\n'));
     return;
   }
 
-  // Show what will be removed
+  // Show what will be done
   console.log(c.bold('The following will be removed:\n'));
-  
-  if (existingFiles.length > 0) {
-    console.log(c.bold('Files:'));
-    existingFiles.forEach(f => console.log(`  ${c.red('✗')} ${f}`));
+
+  // Separate created vs modified files
+  const createdFiles: string[] = [];
+  const modifiedFiles: string[] = [];
+  for (const f of existingFiles) {
+    if (manifest && manifest.files[f] && manifest.files[f].action === 'modified') {
+      modifiedFiles.push(f);
+    } else {
+      createdFiles.push(f);
+    }
+  }
+
+  if (createdFiles.length > 0) {
+    console.log(c.bold('Files (created by Code Guardian — will be deleted):'));
+    createdFiles.forEach(f => console.log(`  ${c.red('✗')} ${f}`));
     console.log('');
   }
-  
+
+  if (modifiedFiles.length > 0) {
+    console.log(c.bold('Files (modified — Code Guardian content will be stripped):'));
+    modifiedFiles.forEach(f => console.log(`  ${c.yellow('⚠')}  ${f} ${c.dim('(your content preserved)')}`));
+    console.log('');
+  }
+
   if (existingDirs.length > 0) {
     console.log(c.bold('Directories:'));
     existingDirs.forEach(d => console.log(`  ${c.red('✗')} ${d}/`));
@@ -1044,6 +1307,12 @@ async function uninstallCodeGuard(): Promise<void> {
     console.log('');
   }
 
+  if (backupsToRestore.length > 0) {
+    console.log(c.bold('Backups to restore (original configs):'));
+    backupsToRestore.forEach(b => console.log(`  ${c.blue('↩')}  ${b.backup} → ${b.original}`));
+    console.log('');
+  }
+
   if (!hasFlag('yes') && !hasFlag('y')) {
     const readline = require('readline');
     const rl = readline.createInterface({
@@ -1067,48 +1336,71 @@ async function uninstallCodeGuard(): Promise<void> {
   let removedCount = 0;
   console.log('');
 
-  // Backup AI config files before modifying
-  const backupDir = path.join(cwd, '.code-guardian-backup-' + Date.now());
-  let hasBackup = false;
+  // ── Phase 1: Handle created files (delete) ──────────────────────────
+  if (createdFiles.length > 0) {
+    console.log(c.bold('Removing created files...\n'));
+    for (const file of createdFiles) {
+      const fullPath = path.join(cwd, file);
+      if (fs.existsSync(fullPath)) {
+        try {
+          fs.unlinkSync(fullPath);
+          console.log(`  ${c.green('✓')} Removed ${file}`);
+          removedCount++;
+        } catch (error: any) {
+          console.log(`  ${c.red('✗')} Failed to remove ${file}: ${error.message}`);
+        }
+      }
+    }
+    console.log('');
+  }
 
-  if (aiActions.length > 0 && !hasFlag('no-backup')) {
-    console.log(c.bold('Creating backup...\n'));
-    fs.mkdirSync(backupDir, { recursive: true });
-    
-    for (const action of aiActions) {
-      if (fs.existsSync(action.filePath)) {
+  // ── Phase 2: Handle modified files (strip marked content) ───────────
+  if (modifiedFiles.length > 0) {
+    console.log(c.bold('Stripping Code Guardian content from modified files...\n'));
+    for (const file of modifiedFiles) {
+      const fullPath = path.join(cwd, file);
+      if (fs.existsSync(fullPath)) {
         try {
-          const destPath = path.join(backupDir, action.relativePath);
-          const destDir = path.dirname(destPath);
-          if (!fs.existsSync(destDir)) fs.mkdirSync(destDir, { recursive: true });
-          fs.cpSync(action.filePath, destPath);
-          console.log(`  ${c.blue('📦')} Backed up ${action.relativePath}`);
-          hasBackup = true;
+          const record = manifest?.files[file];
+          const stripped = removeMarkedContent(fullPath, record?.marker);
+          if (stripped) {
+            console.log(`  ${c.green('✓')} Stripped Code Guardian content from ${file}`);
+          } else {
+            console.log(`  ${c.dim('○')} No marked content found in ${file}`);
+          }
+          removedCount++;
         } catch (error: any) {
-          console.log(`  ${c.yellow('⚠')}  Failed to backup ${action.relativePath}: ${error.message}`);
+          console.log(`  ${c.red('✗')} Failed to clean ${file}: ${error.message}`);
         }
       }
     }
     console.log('');
   }
 
-  // Remove config files created entirely by Code Guardian
-  console.log(c.bold('Removing files...\n'));
-  for (const file of filesToRemove) {
-    const fullPath = path.join(cwd, file);
-    if (fs.existsSync(fullPath)) {
+  // ── Phase 3: Restore backup files ───────────────────────────────────
+  if (backupsToRestore.length > 0) {
+    console.log(c.bold('Restoring original config files...\n'));
+    for (const { original, backup } of backupsToRestore) {
+      const backupFullPath = path.join(cwd, backup);
+      const originalFullPath = path.join(cwd, original);
       try {
-        fs.unlinkSync(fullPath);
-        console.log(`  ${c.green('✓')} Removed ${file}`);
+        // Remove the Code Guardian version first (if it exists)
+        if (fs.existsSync(originalFullPath)) {
+          fs.unlinkSync(originalFullPath);
+        }
+        // Restore the backup as the original
+        fs.renameSync(backupFullPath, originalFullPath);
+        console.log(`  ${c.green('✓')} Restored ${original} from ${backup}`);
         removedCount++;
       } catch (error: any) {
-        console.log(`  ${c.red('✗')} Failed to remove ${file}: ${error.message}`);
+        console.log(`  ${c.red('✗')} Failed to restore ${original}: ${error.message}`);
       }
     }
+    console.log('');
   }
 
-  // Remove directories
-  console.log(c.bold('\nRemoving directories...\n'));
+  // ── Phase 4: Remove directories ─────────────────────────────────────
+  console.log(c.bold('Removing directories...\n'));
   for (const dir of dirsToRemove) {
     const fullPath = path.join(cwd, dir);
     if (fs.existsSync(fullPath)) {
@@ -1122,12 +1414,11 @@ async function uninstallCodeGuard(): Promise<void> {
     }
   }
 
-  // Handle AI config files intelligently
+  // ── Phase 5: Handle AI config files intelligently ───────────────────
   console.log(c.bold('\nCleaning AI config files...\n'));
   for (const action of aiActions) {
     try {
       if (action.action === 'delete') {
-        // Entire file was created by Code Guardian → delete it
         fs.unlinkSync(action.filePath);
         console.log(`  ${c.green('✓')} Removed ${action.relativePath}`);
         removedCount++;
@@ -1139,7 +1430,6 @@ async function uninstallCodeGuard(): Promise<void> {
             const remaining = fs.readdirSync(parentDir);
             if (remaining.length === 0) {
               fs.rmdirSync(parentDir);
-              // Check grandparent too (e.g., .windsurf/rules → .windsurf)
               const grandparent = path.dirname(parentDir);
               if (grandparent !== cwd && fs.existsSync(grandparent)) {
                 const gpRemaining = fs.readdirSync(grandparent);
@@ -1154,18 +1444,13 @@ async function uninstallCodeGuard(): Promise<void> {
         const markerIdx = content.indexOf(action.marker);
         if (markerIdx === -1) continue;
 
-        // Find the separator (--- on its own line) before the marker
-        // When we append, we add "\n\n---\n\n" before our content
         let cutStart = markerIdx;
         const beforeMarker = content.substring(0, markerIdx);
-        
-        // Look for the --- separator we added
         const sepMatch = beforeMarker.match(/\n*\s*---\s*\n*$/);
         if (sepMatch && sepMatch.index !== undefined) {
           cutStart = sepMatch.index;
         }
 
-        // Remove from cutStart to end of file (our content is always appended at the end)
         const cleaned = content.substring(0, cutStart).trimEnd() + '\n';
         fs.writeFileSync(action.filePath, cleaned);
         console.log(`  ${c.green('✓')} Stripped Code Guardian rules from ${action.relativePath} ${c.dim('(your content preserved)')}`);
@@ -1176,7 +1461,7 @@ async function uninstallCodeGuard(): Promise<void> {
     }
   }
 
-  // Clean up .husky hooks smartly
+  // ── Phase 6: Clean up .husky hooks smartly ──────────────────────────
   console.log(c.bold('\nCleaning git hooks...\n'));
   const huskyDir = path.join(cwd, '.husky');
   const huskyHookFiles = ['pre-commit'];
@@ -1198,7 +1483,6 @@ async function uninstallCodeGuard(): Promise<void> {
     const beforeHook = content.substring(0, startIdx).trimEnd();
     const afterHook = content.substring(endIdx + HOOK_END.length).trimEnd();
 
-    // Check if there's real user content outside of our markers
     const remaining = (beforeHook.replace(/^#!\/usr\/bin\/env\s+sh\s*/, '').trim() + afterHook.trim()).trim();
 
     if (remaining.length === 0) {
@@ -1229,23 +1513,47 @@ async function uninstallCodeGuard(): Promise<void> {
     } catch {}
   }
 
-  // Remove scripts from package.json
+  // ── Phase 7: Clean package.json scripts ─────────────────────────────
   console.log(c.bold('\nCleaning package.json scripts...\n'));
-  const packageJsonPath = path.join(cwd, 'package.json');  if (fs.existsSync(packageJsonPath)) {
+  const packageJsonPath = path.join(cwd, 'package.json');
+  if (fs.existsSync(packageJsonPath)) {
     try {
       const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
-      let scriptRemoved = false;
+      let scriptChanged = false;
+
+      if (manifest && manifest.packageJsonScripts) {
+        // Restore modified scripts to original values
+        for (const [scriptName, originalValue] of Object.entries(manifest.packageJsonScripts.modified)) {
+          if (packageJson.scripts && packageJson.scripts[scriptName]) {
+            packageJson.scripts[scriptName] = originalValue;
+            console.log(`  ${c.green('✓')} Restored script: ${scriptName} ${c.dim('(original value)')}`);
+            scriptChanged = true;
+            removedCount++;
+          }
+        }
 
-      for (const script of scriptsToRemove) {
-        if (packageJson.scripts && packageJson.scripts[script]) {
-          delete packageJson.scripts[script];
-          console.log(`  ${c.green('✓')} Removed script: ${script}`);
-          scriptRemoved = true;
-          removedCount++;
+        // Remove scripts that were added by Code Guardian
+        for (const scriptName of manifest.packageJsonScripts.added) {
+          if (packageJson.scripts && packageJson.scripts[scriptName]) {
+            delete packageJson.scripts[scriptName];
+            console.log(`  ${c.green('✓')} Removed script: ${scriptName}`);
+            scriptChanged = true;
+            removedCount++;
+          }
+        }
+      } else {
+        // Fallback: remove known Code Guardian scripts
+        for (const script of scriptsToRemove) {
+          if (packageJson.scripts && packageJson.scripts[script]) {
+            delete packageJson.scripts[script];
+            console.log(`  ${c.green('✓')} Removed script: ${script}`);
+            scriptChanged = true;
+            removedCount++;
+          }
         }
       }
 
-      if (scriptRemoved) {
+      if (scriptChanged) {
         fs.writeFileSync(packageJsonPath, JSON.stringify(packageJson, null, 2) + '\n');
         console.log(`  ${c.green('✓')} Updated package.json`);
       } else {
@@ -1256,19 +1564,69 @@ async function uninstallCodeGuard(): Promise<void> {
     }
   }
 
+  // ── Phase 8: Remove .code-guardian directory (including manifest) ────
+  const codeGuardianDir = path.join(cwd, '.code-guardian');
+  if (fs.existsSync(codeGuardianDir)) {
+    try {
+      fs.rmSync(codeGuardianDir, { recursive: true, force: true });
+      console.log(`\n  ${c.green('✓')} Removed .code-guardian/`);
+      removedCount++;
+    } catch (error: any) {
+      console.log(`  ${c.red('✗')} Failed to remove .code-guardian/: ${error.message}`);
+    }
+  }
+
   console.log('');
   console.log(c.green(`✅ Cleanup complete! Removed ${removedCount} item(s).`));
-  
-  if (hasBackup) {
-    console.log(c.blue(`📦 Backup saved to: ${path.basename(backupDir)}/`));
-  }
-  
   console.log('');
   console.log(c.dim('To completely remove the package, run:'));
   console.log(c.dim('  npm uninstall @hatem427/code-guard-ci'));
   console.log('');
 }
 
+// ── Vulnerability Check ────────────────────────────────────────────────────
+
+function runVulnerabilityCheck(): void {
+  showBanner();
+  console.log(c.bold('🔍 Code Guardian — Vulnerability Scan\n'));
+
+  const cwd = process.cwd();
+  let hasIssues = false;
+
+  // ── npm audit ──────────────────────────────────────────────────────────────
+  console.log(c.bold('📦 Running npm audit...'));
+  try {
+    execSync('npm audit --audit-level=moderate', { stdio: 'inherit', cwd });
+    console.log(`  ${c.green('✓')} No moderate/high vulnerabilities found\n`);
+  } catch {
+    console.log(`  ${c.yellow('⚠')}  npm audit found vulnerabilities. Run: npm audit fix\n`);
+    hasIssues = true;
+  }
+
+  // ── RetireJS ───────────────────────────────────────────────────────────────
+  console.log(c.bold('🔒 Checking for retired/vulnerable JS libraries (RetireJS)...'));
+  const retireResult = spawnSync('npx', ['retire', '--path', '.', '--outputformat', 'text'], {
+    encoding: 'utf-8',
+    cwd,
+  });
+  if (retireResult.error) {
+    console.log(c.dim('  ○ RetireJS not available — skipping (install with: npm i -g retire)\n'));
+  } else if (retireResult.status !== 0) {
+    console.log(c.yellow(`  ⚠  RetireJS found issues:\n${retireResult.stdout || retireResult.stderr}\n`));
+    hasIssues = true;
+  } else {
+    console.log(`  ${c.green('✓')} No retired libraries found\n`);
+  }
+
+  // ── Summary ────────────────────────────────────────────────────────────────
+  if (hasIssues) {
+    console.log(c.yellow('⚠️  Vulnerabilities found. Review and fix before deployment.'));
+    process.exit(1);
+  } else {
+    console.log(c.green('✅ No vulnerabilities found!'));
+  }
+}
+
 // ── Main ────────────────────────────────────────────────────────────────────
 
 (async () => {
@@ -1281,6 +1639,10 @@ async function uninstallCodeGuard(): Promise<void> {
       runCheck();
       break;
 
+    case 'check-vuln':
+      runVulnerabilityCheck();
+      break;
+
     case 'report':
       runReport();
       break;