npm - @holdpoint/cli - Versions diffs - 0.1.0-alpha.2 → 0.1.0-alpha.21 - Mend

@holdpoint/cli 0.1.0-alpha.2 → 0.1.0-alpha.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/dist/chunk-D7ZF5JJH.js +521 -0
package/dist/chunk-D7ZF5JJH.js.map +1 -0
package/dist/data/verified-mcp-registry.json +14 -0
package/dist/index.js +1588 -603
package/dist/index.js.map +1 -1
package/dist/init-Y7NZBMU6.js +8 -0
package/dist/init-Y7NZBMU6.js.map +1 -0
package/dist/lib/scan.d.ts +20 -0
package/dist/lib/scan.js +200 -0
package/dist/lib/scan.js.map +1 -0
package/dist/prompt-EQ5IFADN.js +23 -0
package/dist/prompt-EQ5IFADN.js.map +1 -0
package/dist/templates/HOLDPOINT_PREREQUISITES.md +10 -0
package/dist/templates/HOLDPOINT_REFERENCE.md +372 -0
package/dist/templates/MASTER_PROMPT.md +25 -295
package/dist/templates/default.yaml +274 -0
package/package.json +16 -14
package/dist/builder-ui/assets/index-BxfWKnb5.js +0 -437
package/dist/builder-ui/assets/index-BxfWKnb5.js.map +0 -1
package/dist/builder-ui/assets/index-DkLHZ-in.css +0 -1
package/dist/builder-ui/favicon.svg +0 -10
package/dist/builder-ui/index.html +0 -14
package/dist/templates/_base.yaml +0 -52
package/dist/templates/fullstack.yaml +0 -93
package/dist/templates/go.yaml +0 -60
package/dist/templates/nextjs.yaml +0 -76
package/dist/templates/python.yaml +0 -60
package/dist/templates/typescript.yaml +0 -55

package/dist/lib/scan.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+interface ScanResult {
+    mcp: {
+        server: string;
+        verified: boolean;
+    }[];
+    deps: {
+        name: string;
+        severity: string;
+        title: string;
+    }[];
+}
+declare function extractPackageName(value: string): string | undefined;
+declare function parseAuditJson(raw: string): ScanResult["deps"];
+declare function runScan(root: string): Promise<ScanResult>;
+declare const __scanInternalsForTests: {
+    parseAuditJson: typeof parseAuditJson;
+    extractPackageName: typeof extractPackageName;
+};
+export { type ScanResult, __scanInternalsForTests, runScan };

package/dist/lib/scan.js ADDED Viewed

@@ -0,0 +1,200 @@
+#!/usr/bin/env node
+// src/lib/scan.ts
+import { execFile } from "child_process";
+import { existsSync, readFileSync } from "fs";
+import { dirname, join, resolve } from "path";
+import { fileURLToPath } from "url";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+var HIGH_SEVERITIES = /* @__PURE__ */ new Set(["high", "critical"]);
+var AUDIT_MAX_FINDINGS = 5;
+var AUDIT_TIMEOUT_MS = 8e3;
+function readJson(path) {
+  try {
+    return JSON.parse(readFileSync(path, "utf8"));
+  } catch {
+    return void 0;
+  }
+}
+function registryPath() {
+  const here = dirname(fileURLToPath(import.meta.url));
+  return join(here, "../data/verified-mcp-registry.json");
+}
+function loadRegistry() {
+  const parsed = readJson(registryPath());
+  const entries = Array.isArray(parsed) ? parsed : [];
+  return new Set(entries.filter((entry) => typeof entry === "string"));
+}
+function asStringArray(value) {
+  return Array.isArray(value) ? value.filter((entry) => typeof entry === "string") : [];
+}
+function mcpServersFromConfig(config) {
+  if (!config || typeof config !== "object") return [];
+  const obj = config;
+  const servers = obj.mcpServers ?? obj.servers;
+  if (!servers || typeof servers !== "object" || Array.isArray(servers)) return [];
+  return Object.entries(servers).map(([key, raw]) => {
+    const server = raw && typeof raw === "object" && !Array.isArray(raw) ? raw : {};
+    const record = server;
+    return {
+      key,
+      ...typeof record.name === "string" ? { name: record.name } : {},
+      ...typeof record.command === "string" ? { command: record.command } : {},
+      args: asStringArray(record.args)
+    };
+  });
+}
+function extractPackageName(value) {
+  const normalized = value.replace(/\\/g, "/");
+  const nodeModules = normalized.lastIndexOf("node_modules/");
+  if (nodeModules >= 0) {
+    const after = normalized.slice(nodeModules + "node_modules/".length);
+    const parts = after.split("/").filter(Boolean);
+    if (parts[0]?.startsWith("@") && parts[1]) return `${parts[0]}/${parts[1]}`;
+    return parts[0];
+  }
+  if (normalized.startsWith("@")) {
+    const [scope, name] = normalized.split("/");
+    return scope && name ? `${scope}/${name}` : void 0;
+  }
+  if (!normalized.includes("/") && /^[a-z0-9@._-]+$/i.test(normalized)) return normalized;
+  return void 0;
+}
+function serverCandidates(entry) {
+  const values = [entry.name, entry.command, ...entry.args].filter((value) => typeof value === "string" && value.trim().length > 0).map((value) => value.trim());
+  const packages = values.map(extractPackageName).filter((value) => Boolean(value));
+  return [...values, ...packages];
+}
+function readMcp(root, registry) {
+  const files = [join(root, ".mcp.json"), join(root, ".claude/mcp.json")];
+  const results = [];
+  for (const file of files) {
+    if (!existsSync(file)) continue;
+    for (const entry of mcpServersFromConfig(readJson(file))) {
+      const verified = serverCandidates(entry).some((candidate) => registry.has(candidate));
+      results.push({ server: entry.name ?? entry.key, verified });
+    }
+  }
+  return results;
+}
+function detectPackageManager(root) {
+  if (existsSync(join(root, "pnpm-lock.yaml"))) return "pnpm";
+  if (existsSync(join(root, "yarn.lock"))) return "yarn";
+  if (existsSync(join(root, "package-lock.json")) || existsSync(join(root, "npm-shrinkwrap.json"))) {
+    return "npm";
+  }
+  return void 0;
+}
+function firstTitle(value) {
+  if (typeof value === "string") return value;
+  if (Array.isArray(value)) {
+    for (const entry of value) {
+      const title = firstTitle(entry);
+      if (title) return title;
+    }
+  }
+  if (value && typeof value === "object") {
+    const record = value;
+    return typeof record.title === "string" ? record.title : void 0;
+  }
+  return void 0;
+}
+function addFinding(findings, seen, name, severity, title) {
+  if (!name || typeof severity !== "string") return;
+  const normalizedSeverity = severity.toLowerCase();
+  if (!HIGH_SEVERITIES.has(normalizedSeverity)) return;
+  const normalizedTitle = firstTitle(title) ?? "Security advisory";
+  const key = `${name}\0${normalizedSeverity}\0${normalizedTitle}`;
+  if (seen.has(key)) return;
+  seen.add(key);
+  findings.push({ name, severity: normalizedSeverity, title: normalizedTitle });
+}
+function parseAuditJson(raw) {
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  const parseOne = (value) => {
+    if (!value || typeof value !== "object") return;
+    const data = value;
+    if (data.vulnerabilities && typeof data.vulnerabilities === "object") {
+      for (const [name, vuln] of Object.entries(data.vulnerabilities)) {
+        if (!vuln || typeof vuln !== "object") continue;
+        const v = vuln;
+        addFinding(findings, seen, name, v.severity, v.via ?? v.title);
+      }
+    }
+    if (data.advisories && typeof data.advisories === "object") {
+      for (const advisory of Object.values(data.advisories)) {
+        if (!advisory || typeof advisory !== "object") continue;
+        const a = advisory;
+        addFinding(
+          findings,
+          seen,
+          typeof a.module_name === "string" ? a.module_name : void 0,
+          a.severity,
+          a.title
+        );
+      }
+    }
+    if (data.type === "auditAdvisory" && data.data && typeof data.data === "object") {
+      const advisory = data.data.advisory;
+      if (advisory && typeof advisory === "object") {
+        const a = advisory;
+        addFinding(
+          findings,
+          seen,
+          typeof a.module_name === "string" ? a.module_name : void 0,
+          a.severity,
+          a.title
+        );
+      }
+    }
+  };
+  try {
+    parseOne(JSON.parse(raw));
+  } catch {
+    for (const line of raw.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      try {
+        parseOne(JSON.parse(trimmed));
+      } catch {
+      }
+    }
+  }
+  return findings.slice(0, AUDIT_MAX_FINDINGS);
+}
+async function runAudit(root) {
+  const pm = detectPackageManager(root);
+  if (!pm) return [];
+  try {
+    const { stdout } = await execFileAsync(pm, ["audit", "--json"], {
+      cwd: root,
+      encoding: "utf8",
+      maxBuffer: 1024 * 1024 * 10,
+      timeout: AUDIT_TIMEOUT_MS
+    });
+    return parseAuditJson(String(stdout || ""));
+  } catch (error) {
+    const stdout = error.stdout;
+    if (typeof stdout !== "string" || !stdout.trim()) return [];
+    return parseAuditJson(stdout);
+  }
+}
+async function runScan(root) {
+  const resolvedRoot = resolve(root);
+  const registry = loadRegistry();
+  return {
+    mcp: readMcp(resolvedRoot, registry),
+    deps: await runAudit(resolvedRoot)
+  };
+}
+var __scanInternalsForTests = {
+  parseAuditJson,
+  extractPackageName
+};
+export {
+  __scanInternalsForTests,
+  runScan
+};
+//# sourceMappingURL=scan.js.map

package/dist/lib/scan.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/lib/scan.ts"],"sourcesContent":["import { execFile } from \"node:child_process\";\nimport { existsSync, readFileSync } from \"node:fs\";\nimport { dirname, join, resolve } from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport { promisify } from \"node:util\";\n\nconst execFileAsync = promisify(execFile);\nconst HIGH_SEVERITIES = new Set([\"high\", \"critical\"]);\nconst AUDIT_MAX_FINDINGS = 5;\nconst AUDIT_TIMEOUT_MS = 8_000;\n\nexport interface ScanResult {\n mcp: { server: string; verified: boolean }[];\n deps: { name: string; severity: string; title: string }[];\n}\n\ntype PackageManager = \"pnpm\" | \"yarn\" | \"npm\";\n\ntype McpEntry = {\n key: string;\n name?: string;\n command?: string;\n args: string[];\n};\n\nfunction readJson(path: string): unknown {\n try {\n return JSON.parse(readFileSync(path, \"utf8\"));\n } catch {\n return undefined;\n }\n}\n\nfunction registryPath(): string {\n const here = dirname(fileURLToPath(import.meta.url));\n return join(here, \"../data/verified-mcp-registry.json\");\n}\n\nfunction loadRegistry(): Set<string> {\n const parsed = readJson(registryPath());\n const entries = Array.isArray(parsed) ? parsed : [];\n return new Set(entries.filter((entry): entry is string => typeof entry === \"string\"));\n}\n\nfunction asStringArray(value: unknown): string[] {\n return Array.isArray(value)\n ? value.filter((entry): entry is string => typeof entry === \"string\")\n : [];\n}\n\nfunction mcpServersFromConfig(config: unknown): McpEntry[] {\n if (!config || typeof config !== \"object\") return [];\n const obj = config as Record<string, unknown>;\n const servers = obj.mcpServers ?? obj.servers;\n if (!servers || typeof servers !== \"object\" || Array.isArray(servers)) return [];\n\n return Object.entries(servers as Record<string, unknown>).map(([key, raw]) => {\n const server = raw && typeof raw === \"object\" && !Array.isArray(raw) ? raw : {};\n const record = server as Record<string, unknown>;\n return {\n key,\n ...(typeof record.name === \"string\" ? { name: record.name } : {}),\n ...(typeof record.command === \"string\" ? { command: record.command } : {}),\n args: asStringArray(record.args),\n };\n });\n}\n\nfunction extractPackageName(value: string): string | undefined {\n const normalized = value.replace(/\\\\/g, \"/\");\n const nodeModules = normalized.lastIndexOf(\"node_modules/\");\n if (nodeModules >= 0) {\n const after = normalized.slice(nodeModules + \"node_modules/\".length);\n const parts = after.split(\"/\").filter(Boolean);\n if (parts[0]?.startsWith(\"@\") && parts[1]) return `${parts[0]}/${parts[1]}`;\n return parts[0];\n }\n if (normalized.startsWith(\"@\")) {\n const [scope, name] = normalized.split(\"/\");\n return scope && name ? `${scope}/${name}` : undefined;\n }\n if (!normalized.includes(\"/\") && /^[a-z0-9@._-]+$/i.test(normalized)) return normalized;\n return undefined;\n}\n\nfunction serverCandidates(entry: McpEntry): string[] {\n const values = [entry.name, entry.command, ...entry.args]\n .filter((value): value is string => typeof value === \"string\" && value.trim().length > 0)\n .map((value) => value.trim());\n const packages = values\n .map(extractPackageName)\n .filter((value): value is string => Boolean(value));\n return [...values, ...packages];\n}\n\nfunction readMcp(root: string, registry: Set<string>): ScanResult[\"mcp\"] {\n const files = [join(root, \".mcp.json\"), join(root, \".claude/mcp.json\")];\n const results: ScanResult[\"mcp\"] = [];\n for (const file of files) {\n if (!existsSync(file)) continue;\n for (const entry of mcpServersFromConfig(readJson(file))) {\n const verified = serverCandidates(entry).some((candidate) => registry.has(candidate));\n results.push({ server: entry.name ?? entry.key, verified });\n }\n }\n return results;\n}\n\nfunction detectPackageManager(root: string): PackageManager | undefined {\n if (existsSync(join(root, \"pnpm-lock.yaml\"))) return \"pnpm\";\n if (existsSync(join(root, \"yarn.lock\"))) return \"yarn\";\n if (\n existsSync(join(root, \"package-lock.json\")) ||\n existsSync(join(root, \"npm-shrinkwrap.json\"))\n ) {\n return \"npm\";\n }\n return undefined;\n}\n\nfunction firstTitle(value: unknown): string | undefined {\n if (typeof value === \"string\") return value;\n if (Array.isArray(value)) {\n for (const entry of value) {\n const title = firstTitle(entry);\n if (title) return title;\n }\n }\n if (value && typeof value === \"object\") {\n const record = value as Record<string, unknown>;\n return typeof record.title === \"string\" ? record.title : undefined;\n }\n return undefined;\n}\n\nfunction addFinding(\n findings: ScanResult[\"deps\"],\n seen: Set<string>,\n name: string | undefined,\n severity: unknown,\n title: unknown,\n): void {\n if (!name || typeof severity !== \"string\") return;\n const normalizedSeverity = severity.toLowerCase();\n if (!HIGH_SEVERITIES.has(normalizedSeverity)) return;\n const normalizedTitle = firstTitle(title) ?? \"Security advisory\";\n const key = `${name}\\0${normalizedSeverity}\\0${normalizedTitle}`;\n if (seen.has(key)) return;\n seen.add(key);\n findings.push({ name, severity: normalizedSeverity, title: normalizedTitle });\n}\n\nfunction parseAuditJson(raw: string): ScanResult[\"deps\"] {\n const findings: ScanResult[\"deps\"] = [];\n const seen = new Set<string>();\n const parseOne = (value: unknown) => {\n if (!value || typeof value !== \"object\") return;\n const data = value as Record<string, unknown>;\n\n if (data.vulnerabilities && typeof data.vulnerabilities === \"object\") {\n for (const [name, vuln] of Object.entries(data.vulnerabilities as Record<string, unknown>)) {\n if (!vuln || typeof vuln !== \"object\") continue;\n const v = vuln as Record<string, unknown>;\n addFinding(findings, seen, name, v.severity, v.via ?? v.title);\n }\n }\n\n if (data.advisories && typeof data.advisories === \"object\") {\n for (const advisory of Object.values(data.advisories as Record<string, unknown>)) {\n if (!advisory || typeof advisory !== \"object\") continue;\n const a = advisory as Record<string, unknown>;\n addFinding(\n findings,\n seen,\n typeof a.module_name === \"string\" ? a.module_name : undefined,\n a.severity,\n a.title,\n );\n }\n }\n\n if (data.type === \"auditAdvisory\" && data.data && typeof data.data === \"object\") {\n const advisory = (data.data as Record<string, unknown>).advisory;\n if (advisory && typeof advisory === \"object\") {\n const a = advisory as Record<string, unknown>;\n addFinding(\n findings,\n seen,\n typeof a.module_name === \"string\" ? a.module_name : undefined,\n a.severity,\n a.title,\n );\n }\n }\n };\n\n try {\n parseOne(JSON.parse(raw));\n } catch {\n for (const line of raw.split(/\\r?\\n/)) {\n const trimmed = line.trim();\n if (!trimmed) continue;\n try {\n parseOne(JSON.parse(trimmed));\n } catch {\n // Ignore non-JSON audit chatter.\n }\n }\n }\n return findings.slice(0, AUDIT_MAX_FINDINGS);\n}\n\nasync function runAudit(root: string): Promise<ScanResult[\"deps\"]> {\n const pm = detectPackageManager(root);\n if (!pm) return [];\n try {\n const { stdout } = await execFileAsync(pm, [\"audit\", \"--json\"], {\n cwd: root,\n encoding: \"utf8\",\n maxBuffer: 1024 * 1024 * 10,\n timeout: AUDIT_TIMEOUT_MS,\n });\n return parseAuditJson(String(stdout || \"\"));\n } catch (error) {\n const stdout = (error as { stdout?: unknown }).stdout;\n if (typeof stdout !== \"string\" || !stdout.trim()) return [];\n return parseAuditJson(stdout);\n }\n}\n\n// Verified MCP registry is bundled statically; community PRs welcome.\nexport async function runScan(root: string): Promise<ScanResult> {\n const resolvedRoot = resolve(root);\n const registry = loadRegistry();\n return {\n mcp: readMcp(resolvedRoot, registry),\n deps: await runAudit(resolvedRoot),\n };\n}\n\nexport const __scanInternalsForTests = {\n parseAuditJson,\n extractPackageName,\n};\n"],"mappings":";;;AAAA,SAAS,gBAAgB;AACzB,SAAS,YAAY,oBAAoB;AACzC,SAAS,SAAS,MAAM,eAAe;AACvC,SAAS,qBAAqB;AAC9B,SAAS,iBAAiB;AAE1B,IAAM,gBAAgB,UAAU,QAAQ;AACxC,IAAM,kBAAkB,oBAAI,IAAI,CAAC,QAAQ,UAAU,CAAC;AACpD,IAAM,qBAAqB;AAC3B,IAAM,mBAAmB;AAgBzB,SAAS,SAAS,MAAuB;AACvC,MAAI;AACF,WAAO,KAAK,MAAM,aAAa,MAAM,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,eAAuB;AAC9B,QAAM,OAAO,QAAQ,cAAc,YAAY,GAAG,CAAC;AACnD,SAAO,KAAK,MAAM,oCAAoC;AACxD;AAEA,SAAS,eAA4B;AACnC,QAAM,SAAS,SAAS,aAAa,CAAC;AACtC,QAAM,UAAU,MAAM,QAAQ,MAAM,IAAI,SAAS,CAAC;AAClD,SAAO,IAAI,IAAI,QAAQ,OAAO,CAAC,UAA2B,OAAO,UAAU,QAAQ,CAAC;AACtF;AAEA,SAAS,cAAc,OAA0B;AAC/C,SAAO,MAAM,QAAQ,KAAK,IACtB,MAAM,OAAO,CAAC,UAA2B,OAAO,UAAU,QAAQ,IAClE,CAAC;AACP;AAEA,SAAS,qBAAqB,QAA6B;AACzD,MAAI,CAAC,UAAU,OAAO,WAAW,SAAU,QAAO,CAAC;AACnD,QAAM,MAAM;AACZ,QAAM,UAAU,IAAI,cAAc,IAAI;AACtC,MAAI,CAAC,WAAW,OAAO,YAAY,YAAY,MAAM,QAAQ,OAAO,EAAG,QAAO,CAAC;AAE/E,SAAO,OAAO,QAAQ,OAAkC,EAAE,IAAI,CAAC,CAAC,KAAK,GAAG,MAAM;AAC5E,UAAM,SAAS,OAAO,OAAO,QAAQ,YAAY,CAAC,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC;AAC9E,UAAM,SAAS;AACf,WAAO;AAAA,MACL;AAAA,MACA,GAAI,OAAO,OAAO,SAAS,WAAW,EAAE,MAAM,OAAO,KAAK,IAAI,CAAC;AAAA,MAC/D,GAAI,OAAO,OAAO,YAAY,WAAW,EAAE,SAAS,OAAO,QAAQ,IAAI,CAAC;AAAA,MACxE,MAAM,cAAc,OAAO,IAAI;AAAA,IACjC;AAAA,EACF,CAAC;AACH;AAEA,SAAS,mBAAmB,OAAmC;AAC7D,QAAM,aAAa,MAAM,QAAQ,OAAO,GAAG;AAC3C,QAAM,cAAc,WAAW,YAAY,eAAe;AAC1D,MAAI,eAAe,GAAG;AACpB,UAAM,QAAQ,WAAW,MAAM,cAAc,gBAAgB,MAAM;AACnE,UAAM,QAAQ,MAAM,MAAM,GAAG,EAAE,OAAO,OAAO;AAC7C,QAAI,MAAM,CAAC,GAAG,WAAW,GAAG,KAAK,MAAM,CAAC,EAAG,QAAO,GAAG,MAAM,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC;AACzE,WAAO,MAAM,CAAC;AAAA,EAChB;AACA,MAAI,WAAW,WAAW,GAAG,GAAG;AAC9B,UAAM,CAAC,OAAO,IAAI,IAAI,WAAW,MAAM,GAAG;AAC1C,WAAO,SAAS,OAAO,GAAG,KAAK,IAAI,IAAI,KAAK;AAAA,EAC9C;AACA,MAAI,CAAC,WAAW,SAAS,GAAG,KAAK,mBAAmB,KAAK,UAAU,EAAG,QAAO;AAC7E,SAAO;AACT;AAEA,SAAS,iBAAiB,OAA2B;AACnD,QAAM,SAAS,CAAC,MAAM,MAAM,MAAM,SAAS,GAAG,MAAM,IAAI,EACrD,OAAO,CAAC,UAA2B,OAAO,UAAU,YAAY,MAAM,KAAK,EAAE,SAAS,CAAC,EACvF,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC;AAC9B,QAAM,WAAW,OACd,IAAI,kBAAkB,EACtB,OAAO,CAAC,UAA2B,QAAQ,KAAK,CAAC;AACpD,SAAO,CAAC,GAAG,QAAQ,GAAG,QAAQ;AAChC;AAEA,SAAS,QAAQ,MAAc,UAA0C;AACvE,QAAM,QAAQ,CAAC,KAAK,MAAM,WAAW,GAAG,KAAK,MAAM,kBAAkB,CAAC;AACtE,QAAM,UAA6B,CAAC;AACpC,aAAW,QAAQ,OAAO;AACxB,QAAI,CAAC,WAAW,IAAI,EAAG;AACvB,eAAW,SAAS,qBAAqB,SAAS,IAAI,CAAC,GAAG;AACxD,YAAM,WAAW,iBAAiB,KAAK,EAAE,KAAK,CAAC,cAAc,SAAS,IAAI,SAAS,CAAC;AACpF,cAAQ,KAAK,EAAE,QAAQ,MAAM,QAAQ,MAAM,KAAK,SAAS,CAAC;AAAA,IAC5D;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,qBAAqB,MAA0C;AACtE,MAAI,WAAW,KAAK,MAAM,gBAAgB,CAAC,EAAG,QAAO;AACrD,MAAI,WAAW,KAAK,MAAM,WAAW,CAAC,EAAG,QAAO;AAChD,MACE,WAAW,KAAK,MAAM,mBAAmB,CAAC,KAC1C,WAAW,KAAK,MAAM,qBAAqB,CAAC,GAC5C;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,WAAW,OAAoC;AACtD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,eAAW,SAAS,OAAO;AACzB,YAAM,QAAQ,WAAW,KAAK;AAC9B,UAAI,MAAO,QAAO;AAAA,IACpB;AAAA,EACF;AACA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,SAAS;AACf,WAAO,OAAO,OAAO,UAAU,WAAW,OAAO,QAAQ;AAAA,EAC3D;AACA,SAAO;AACT;AAEA,SAAS,WACP,UACA,MACA,MACA,UACA,OACM;AACN,MAAI,CAAC,QAAQ,OAAO,aAAa,SAAU;AAC3C,QAAM,qBAAqB,SAAS,YAAY;AAChD,MAAI,CAAC,gBAAgB,IAAI,kBAAkB,EAAG;AAC9C,QAAM,kBAAkB,WAAW,KAAK,KAAK;AAC7C,QAAM,MAAM,GAAG,IAAI,KAAK,kBAAkB,KAAK,eAAe;AAC9D,MAAI,KAAK,IAAI,GAAG,EAAG;AACnB,OAAK,IAAI,GAAG;AACZ,WAAS,KAAK,EAAE,MAAM,UAAU,oBAAoB,OAAO,gBAAgB,CAAC;AAC9E;AAEA,SAAS,eAAe,KAAiC;AACvD,QAAM,WAA+B,CAAC;AACtC,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,WAAW,CAAC,UAAmB;AACnC,QAAI,CAAC,SAAS,OAAO,UAAU,SAAU;AACzC,UAAM,OAAO;AAEb,QAAI,KAAK,mBAAmB,OAAO,KAAK,oBAAoB,UAAU;AACpE,iBAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQ,KAAK,eAA0C,GAAG;AAC1F,YAAI,CAAC,QAAQ,OAAO,SAAS,SAAU;AACvC,cAAM,IAAI;AACV,mBAAW,UAAU,MAAM,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK;AAAA,MAC/D;AAAA,IACF;AAEA,QAAI,KAAK,cAAc,OAAO,KAAK,eAAe,UAAU;AAC1D,iBAAW,YAAY,OAAO,OAAO,KAAK,UAAqC,GAAG;AAChF,YAAI,CAAC,YAAY,OAAO,aAAa,SAAU;AAC/C,cAAM,IAAI;AACV;AAAA,UACE;AAAA,UACA;AAAA,UACA,OAAO,EAAE,gBAAgB,WAAW,EAAE,cAAc;AAAA,UACpD,EAAE;AAAA,UACF,EAAE;AAAA,QACJ;AAAA,MACF;AAAA,IACF;AAEA,QAAI,KAAK,SAAS,mBAAmB,KAAK,QAAQ,OAAO,KAAK,SAAS,UAAU;AAC/E,YAAM,WAAY,KAAK,KAAiC;AACxD,UAAI,YAAY,OAAO,aAAa,UAAU;AAC5C,cAAM,IAAI;AACV;AAAA,UACE;AAAA,UACA;AAAA,UACA,OAAO,EAAE,gBAAgB,WAAW,EAAE,cAAc;AAAA,UACpD,EAAE;AAAA,UACF,EAAE;AAAA,QACJ;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,MAAI;AACF,aAAS,KAAK,MAAM,GAAG,CAAC;AAAA,EAC1B,QAAQ;AACN,eAAW,QAAQ,IAAI,MAAM,OAAO,GAAG;AACrC,YAAM,UAAU,KAAK,KAAK;AAC1B,UAAI,CAAC,QAAS;AACd,UAAI;AACF,iBAAS,KAAK,MAAM,OAAO,CAAC;AAAA,MAC9B,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AACA,SAAO,SAAS,MAAM,GAAG,kBAAkB;AAC7C;AAEA,eAAe,SAAS,MAA2C;AACjE,QAAM,KAAK,qBAAqB,IAAI;AACpC,MAAI,CAAC,GAAI,QAAO,CAAC;AACjB,MAAI;AACF,UAAM,EAAE,OAAO,IAAI,MAAM,cAAc,IAAI,CAAC,SAAS,QAAQ,GAAG;AAAA,MAC9D,KAAK;AAAA,MACL,UAAU;AAAA,MACV,WAAW,OAAO,OAAO;AAAA,MACzB,SAAS;AAAA,IACX,CAAC;AACD,WAAO,eAAe,OAAO,UAAU,EAAE,CAAC;AAAA,EAC5C,SAAS,OAAO;AACd,UAAM,SAAU,MAA+B;AAC/C,QAAI,OAAO,WAAW,YAAY,CAAC,OAAO,KAAK,EAAG,QAAO,CAAC;AAC1D,WAAO,eAAe,MAAM;AAAA,EAC9B;AACF;AAGA,eAAsB,QAAQ,MAAmC;AAC/D,QAAM,eAAe,QAAQ,IAAI;AACjC,QAAM,WAAW,aAAa;AAC9B,SAAO;AAAA,IACL,KAAK,QAAQ,cAAc,QAAQ;AAAA,IACnC,MAAM,MAAM,SAAS,YAAY;AAAA,EACnC;AACF;AAEO,IAAM,0BAA0B;AAAA,EACrC;AAAA,EACA;AACF;","names":[]}

package/dist/prompt-EQ5IFADN.js ADDED Viewed

@@ -0,0 +1,23 @@
+#!/usr/bin/env node
+// src/lib/prompt.ts
+import readline from "readline/promises";
+import { stdin, stdout } from "process";
+async function promptYesNo(question, defaultYes = true) {
+  if (!stdout.isTTY || !stdin.isTTY) {
+    return defaultYes;
+  }
+  const rl = readline.createInterface({ input: stdin, output: stdout });
+  try {
+    const suffix = defaultYes ? " [Y/n] " : " [y/N] ";
+    const answer = (await rl.question(question + suffix)).trim().toLowerCase();
+    if (answer === "") return defaultYes;
+    return answer === "y" || answer === "yes";
+  } finally {
+    rl.close();
+  }
+}
+export {
+  promptYesNo
+};
+//# sourceMappingURL=prompt-EQ5IFADN.js.map

package/dist/prompt-EQ5IFADN.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/lib/prompt.ts"],"sourcesContent":["import readline from \"node:readline/promises\";\nimport { stdin, stdout } from \"node:process\";\n\n/**\n * Ask a yes/no question on the terminal and resolve to true/false.\n *\n * Defaults to true on empty input (`Y/n` style). Returns `defaultYes` and\n * skips the prompt entirely when stdout isn't a TTY (CI, piped invocation,\n * agent hook) so we never block on input nobody can provide. Callers that\n * need different non-TTY behaviour should check `stdout.isTTY` first.\n */\nexport async function promptYesNo(question: string, defaultYes = true): Promise<boolean> {\n if (!stdout.isTTY || !stdin.isTTY) {\n return defaultYes;\n }\n const rl = readline.createInterface({ input: stdin, output: stdout });\n try {\n const suffix = defaultYes ? \" [Y/n] \" : \" [y/N] \";\n const answer = (await rl.question(question + suffix)).trim().toLowerCase();\n if (answer === \"\") return defaultYes;\n return answer === \"y\" || answer === \"yes\";\n } finally {\n rl.close();\n }\n}\n"],"mappings":";;;AAAA,OAAO,cAAc;AACrB,SAAS,OAAO,cAAc;AAU9B,eAAsB,YAAY,UAAkB,aAAa,MAAwB;AACvF,MAAI,CAAC,OAAO,SAAS,CAAC,MAAM,OAAO;AACjC,WAAO;AAAA,EACT;AACA,QAAM,KAAK,SAAS,gBAAgB,EAAE,OAAO,OAAO,QAAQ,OAAO,CAAC;AACpE,MAAI;AACF,UAAM,SAAS,aAAa,YAAY;AACxC,UAAM,UAAU,MAAM,GAAG,SAAS,WAAW,MAAM,GAAG,KAAK,EAAE,YAAY;AACzE,QAAI,WAAW,GAAI,QAAO;AAC1B,WAAO,WAAW,OAAO,WAAW;AAAA,EACtC,UAAE;AACA,OAAG,MAAM;AAAA,EACX;AACF;","names":[]}

package/dist/templates/HOLDPOINT_PREREQUISITES.md ADDED Viewed

@@ -0,0 +1,10 @@
+# Holdpoint prerequisites
+Holdpoint installed repo-local adapters for one or more AI coding agents. Before relying on them locally, review these setup notes:
+- **GitHub Copilot CLI** — Holdpoint's `.github/extensions/holdpoint/extension.mjs` uses the Copilot CLI **EXTENSIONS** feature. Today that feature is gated behind experimental mode. In Copilot CLI, run `/experimental on` so **EXTENSIONS** appears in the enabled feature set before using Holdpoint locally.
+- **Cursor** — project-level hooks run in trusted workspaces. After opening the repo in Cursor, confirm the workspace is trusted and review Settings → Hooks if hooks do not fire.
+- **OpenAI Codex** — project-level hooks require trust approval. Run `codex trust` in the Codex TUI or review the hook with `/hooks`.
+- **General** — Holdpoint expects Node.js 18+ and a git repository so `holdpoint init`, `holdpoint update`, and `holdpoint check` can run normally.
+Docs: https://holdpoint.dev/docs

package/dist/templates/HOLDPOINT_REFERENCE.md ADDED Viewed

@@ -0,0 +1,372 @@
+# Holdpoint — Eval Checkpoints
+This project uses [Holdpoint](https://github.com/holdpoint-dev/holdpoint) to enforce
+eval checkpoints. Before marking any task done, all checks must pass.
+---
+## The Rule
+Before marking **any** task complete:
+1. Run `holdpoint check` — all tasks must exit 0.
+2. `holdpoint check` also prints every **prompt** check whose `when` matches the
+   files you changed. Read and act on each listed instruction before finishing.
+---
+## The Suggest Loop
+`checks.yaml` is not static — it grows alongside the project automatically.
+**`holdpoint-suggest` is a deterministic check** in `checks.yaml` that fires whenever you change a structural file (`package.json`, `pyproject.toml`, `go.mod`, `Dockerfile`, `tsconfig.json`, `vitest.config.*`, etc.). When it fires, `holdpoint suggest` runs and **exits 1 if `checks.yaml` is out of sync** — blocking task completion until you apply the proposals.
+When blocked by `holdpoint-suggest`, run:
+```
+holdpoint suggest --apply  # scan, apply proposals, regenerate engine files
+```
+Then commit:
+```
+git add checks.yaml .github/holdpoint/generated/
+git commit -m "chore: suggest holdpoint checks"
+```
+`holdpoint suggest --apply` is idempotent — safe to re-run at any time. It only adds checks for tools/patterns detected in the project and wraps stale checks (whose `when:` pattern no longer matches any file) with `conditionId: file_exists` so they auto-skip instead of failing.
+**What triggers evolution:**
+- New dependency in `package.json` / `pyproject.toml` / `go.mod` / `Cargo.toml`
+- New `Dockerfile`, `docker-compose.yml`, `*.tf`, `openapi.yaml`
+- New test runner config (`vitest.config.*`, `jest.config.*`, `playwright.config.*`)
+- New CI workflow in `.github/workflows/`
+- New TypeScript setup (`tsconfig.json`)
+**What does NOT trigger it:** `.ts` / `.py` / `.go` source files, docs, styles, tests — minor work proceeds without interruption.
+---
+## Git workflow best practices
+Prefer the least-disruptive git workflow that still satisfies the task:
+- Use a branch + PR when the user requests it, when work targets protected
+  `main`, or when remote CI/review is part of the task.
+- For small local fixes, commit directly on the current branch and do not open a
+  PR unless the user asks.
+- If already on a feature branch, keep committing there instead of creating
+  another branch.
+- After committing, decide whether to push: push when a PR, remote review, CI
+  run, or handoff needs it; otherwise leave the commit local and report the
+  branch/commit.
+---
+## checks.yaml — Full Reference
+`checks.yaml` at the project root is the single source of truth. Edit it to add,
+remove, or change checkpoints.
+After every edit, regenerate the engine files and commit everything together:
+```
+holdpoint update
+git add checks.yaml .github/holdpoint/generated/ .github/hooks/
+git commit -m "chore: update holdpoint checks"
+```
+### Top-level structure
+```yaml
+version: 1
+context:
+  guides: # project notes shown when `holdpoint check` runs
+    setup: >
+      Use pnpm, not npm. Node 20+ required.
+session_context_files:
+  - MASTER_PROMPT.md # injected into Copilot/Codex sessions when supported
+conditions: # gate checks on file/env state
+  - id: dist-built
+    operator: file_exists
+    path: dist/index.js
+checks: # list of all checks — each has on/when + cmd (task) or prompt
+  - ...
+```
+---
+### Deterministic check
+```yaml
+- id: lint # unique slug, kebab-case
+  label: "ESLint — all packages" # human-readable label shown in output
+  # on: before_done       # lifecycle hook (default; only value today)
+  # when: frontend        # file filter — omit to run on every task
+  cmd: "pnpm turbo lint" # shell command; must exit 0 to pass
+  conditionId: dist-built # optional: skip if condition is not met
+```
+### Prompt check
+```yaml
+- id: migration-review
+  label: "Review DB migration"
+  when: "^prisma/migrations/" # only fires when migration files change
+  prompt: >
+    Open the new migration file. Confirm it is backward-compatible
+    and does not drop or truncate data without a fallback.
+```
+---
+### `on` — lifecycle hooks
+`on` specifies _when in the agent lifecycle_ a check fires. Omit it to use the default.
+| Value         | Fires                              |
+| ------------- | ---------------------------------- |
+| `before_done` | Before the agent marks a task done |
+---
+### `when` — file filters
+`when` is an optional file filter. If omitted the check runs on every task.
+| Value       | Fires when changed files match                                                                     |
+| ----------- | -------------------------------------------------------------------------------------------------- |
+| _(absent)_  | Every task — no file filter applied                                                                |
+| `frontend`  | `**/*.tsx`, `**/*.jsx`, `**/*.css`, `**/*.scss`, `**/tailwind.config.*`, `apps/**`                 |
+| `backend`   | `**/api/**`, `**/server/**`, `**/routes/**`, `**/controllers/**`, `packages/*/src/**`              |
+| `socket`    | `**/socket/**`, `**/ws/**`, `**/websocket/**`                                                      |
+| `visual`    | `**/*.stories.{ts,tsx}`, `**/__screenshots__/**`, `**/*.snap`                                      |
+| `python`    | `**/*.py`, `**/*.pyi`, `**/requirements*.txt`, `**/pyproject.toml`, `**/setup.py`, `**/pytest.ini` |
+| `go`        | `**/*.go`, `**/go.mod`, `**/go.sum`                                                                |
+| `rust`      | `**/*.rs`, `**/Cargo.toml`, `**/Cargo.lock`                                                        |
+| `java`      | `**/*.java`, `**/*.kt`, `**/*.gradle`, `**/*.gradle.kts`, `**/pom.xml`                             |
+| `ruby`      | `**/*.rb`, `**/Gemfile`, `**/Gemfile.lock`, `**/Rakefile`                                          |
+| `database`  | `**/*.sql`, `**/migrations/**`, `**/db/**`, `**/database/**`, `**/prisma/**`, `**/*.prisma`        |
+| `prisma`    | `**/prisma/**`, `**/*.prisma` — focused subset of `database` for Prisma-specific checks            |
+| `testing`   | `**/*.test.*`, `**/*.spec.*`, `**/__tests__/**`, `**/test/**`, `**/tests/**`, `**/spec/**`         |
+| `infra`     | `**/Dockerfile*`, `**/docker-compose.*`, `**/*.tf`, `**/*.tfvars`, `**/k8s/**`, `**/kubernetes/**` |
+| `ci`        | `**/.github/workflows/**`, `**/.circleci/**`, `**/Jenkinsfile`, `**/.gitlab-ci.yml`                |
+| `docs`      | `**/*.mdx`, `**/*.rst`, `**/docs/**`, `**/documentation/**`                                        |
+| `"^src/.*"` | Any JavaScript regex tested against each changed file path                                         |
+Regex example — fires only when files under `src/api/` change:
+```yaml
+when: "^src/api/" # new RegExp(when).test(filePath)
+```
+> **Note:** Named scopes use glob matching; plain strings are treated as JavaScript regexes.
+---
+### Conditions
+Conditions let you skip a check when a prerequisite is not yet met (e.g. a build
+artefact doesn't exist yet).
+| Operator          | What it checks                                    |
+| ----------------- | ------------------------------------------------- |
+| `file_exists`     | A file or directory exists at `path`              |
+| `file_contains`   | The file at `path` contains the substring `value` |
+| `env_var_set`     | The environment variable named `value` is set     |
+| `shell_returns_0` | The shell command in `cmd` exits with code 0      |
+```yaml
+conditions:
+  - id: packages-built
+    operator: file_exists
+    path: packages/yaml-core/dist/index.js
+checks:
+  - id: validate-templates
+    label: "Templates parse against schema"
+    conditionId: packages-built # skipped (◌) when dist is absent
+    cmd: "node dist/validate.js templates/"
+```
+---
+### Context guides
+`context.guides` is a freeform key → multiline-string map. Guides are printed
+at the start of `holdpoint check` output as project-level reminders to whoever
+(or whatever) is running the checks.
+```yaml
+context:
+  guides:
+    setup: >
+      This project requires Node 20 and pnpm 9+.
+      Run `pnpm install` from the repo root before any other command.
+    architecture: >
+      API routes live in src/api/. Models live in src/models/.
+      Client code must never import from server modules.
+```
+---
+## Adding a New Check
+1. Open `checks.yaml`.
+2. Add your entry under `checks:`.
+3. Run `holdpoint update`.
+4. Commit `checks.yaml` and the generated files.
+**Add a task check (runs a shell command automatically):**
+```yaml
+checks:
+  - id: vitest
+    label: "Vitest — unit tests"
+    cmd: "pnpm vitest run"
+```
+**Add a scoped task (fires only on matching file changes):**
+```yaml
+checks:
+  - id: openapi-sync
+    label: "OpenAPI types are up to date"
+    when: "^src/api/"
+    cmd: "pnpm generate:types && git diff --exit-code src/generated/"
+```
+**Add an agent prompt checkpoint:**
+```yaml
+checks:
+  - id: jsdoc
+    label: "JSDoc on changed public functions"
+    prompt: >
+      For every public function or export you modified, ensure there is an
+      accurate JSDoc comment: description, @param, and @returns.
+```
+**Enforce changelog and git commit on every task (recommended):**
+```yaml
+checks:
+  - id: changelog-update
+    label: "Add a CHANGELOG.md entry for this session"
+    prompt: >
+      Before committing, add an entry to CHANGELOG.md describing what was done.
+      Use Keep a Changelog format — add under ## [Unreleased] (create the file
+      and that section if absent). Group entries as Added, Changed, Fixed, or Removed.
+      Be concise but specific. The entry text will serve as the commit message.
+  - id: readme-sync
+    label: "Update README.md if user-facing changes were made"
+    prompt: >
+      If you added, changed, or removed user-facing functionality — CLI commands,
+      configuration options, public APIs, or significant new features — update
+      README.md to reflect those changes.
+  - id: git-workflow
+    label: "Use the right git workflow"
+    prompt: >
+      Choose the least-disruptive git workflow: use branch + PR for requested
+      feature branches or protected-main work; for small local fixes, commit on
+      the current branch without opening a PR unless asked; if already on a
+      feature branch, keep committing there instead of creating another branch.
+      Push only when a PR, remote review, CI run, or handoff needs it; otherwise
+      leave the commit local and report the branch/commit.
+  - id: git-commit
+    label: "Commit all changes before finishing"
+    cmd: 'git rev-parse --is-inside-work-tree >/dev/null 2>&1 || exit 0; [ -z "$(git status --porcelain)" ] && exit 0; git status --short; exit 1'
+```
+When the `git-commit` check fails (uncommitted changes remain), the agent will also see
+the `changelog-update` and `readme-sync` prompt reminders inline — ensuring it updates
+the changelog, syncs docs, _then_ commits before it can mark the task done.
+---
+## `session_context_files`
+`session_context_files` is an optional list of project files that Holdpoint injects
+as context at the start of every Copilot session. Use it for files the agent should
+always read before starting work.
+```yaml
+session_context_files:
+  - MASTER_PROMPT.md
+  - AGENT_CONTEXT.md
+```
+Files are resolved relative to the repo root and must stay inside it (traversal
+paths like `../../etc/passwd` are rejected). If a file doesn't exist it is silently
+skipped.
+---
+## `inject_datetime`
+Holdpoint can inject the current date and time into every prompt the agent receives.
+This fixes a common failure mode where models anchor their sense of "now" to their
+training cutoff and make stale assumptions (e.g. treating months-old information as
+current, or not knowing what year it is).
+The feature is **on by default** — no configuration needed. To opt out:
+```yaml
+inject_datetime: false
+```
+When enabled, each prompt submission includes:
+```
+Current date and time: 2026-05-29T14:23:45.123Z (UTC)
+Provided by Holdpoint — use this to avoid knowledge-cutoff confusion.
+```
+**Agent support:**
+| Agent   | Hook                    | Notes                                                            |
+| ------- | ----------------------- | ---------------------------------------------------------------- |
+| Claude  | `UserPromptSubmit`      | Fires on every prompt via `additionalContext`                    |
+| Cursor  | `beforeSubmitPrompt`    | Fires on every prompt via `additional_context`                   |
+| Codex   | `UserPromptSubmit`      | Fires on every prompt via `hookSpecificOutput.additionalContext` |
+| Copilot | `onUserPromptSubmitted` | Fires on every prompt via `additionalContext`                    |
+---
+## Commands
+| Command                       | What it does                                            |
+| ----------------------------- | ------------------------------------------------------- |
+| `holdpoint check`             | Run checks against all files changed vs HEAD            |
+| `holdpoint check --staged`    | Run checks against staged files only                    |
+| `holdpoint suggest`           | Scan project and show proposed additions to checks.yaml |
+| `holdpoint suggest --apply`   | Apply proposals and regenerate engine files             |
+| `holdpoint require-changeset` | Require `.changeset/*.md` for package changes           |
+| `holdpoint update`            | Regenerate engine files from the current `checks.yaml`  |
+| `holdpoint validate`          | Validate `checks.yaml` schema (no commands run)         |
+| `holdpoint builder`           | Open the daemon-served visual builder UI                |
+---
+## Generated files (do not edit directly)
+| File                                                | Agent   |
+| --------------------------------------------------- | ------- |
+| `.github/holdpoint/generated/checks.immutable.json` | all     |
+| `.github/hooks/holdpoint.json`                      | Copilot |
+| `.github/hooks/holdpoint-check.mjs`                 | Copilot |
+| `.claude/settings.json`                             | Claude  |
+| `.cursor/hooks.json`                                | Cursor  |
+| `.cursor/holdpoint-hook.mjs`                        | Cursor  |
+| `.cursorrules` (Holdpoint section)                  | Cursor  |
+All generated files are overwritten by `holdpoint update`. Edit `checks.yaml`,
+then run `update` — never edit the generated files directly.