@holdyourvoice/hyv 2.8.7 → 2.8.8

package/dist/index.js

@@ -974,7 +974,7 @@ var require_command = __commonJS({
     var EventEmitter = require("node:events").EventEmitter;
     var childProcess = require("node:child_process");
     var path23 = require("node:path");
-    var fs25 = require("node:fs");
+    var fs24 = require("node:fs");
     var process2 = require("node:process");
     var { Argument: Argument2, humanReadableArgName } = require_argument();
     var { CommanderError: CommanderError2 } = require_error();
@@ -1917,12 +1917,12 @@ Expecting one of '${allowedValues.join("', '")}'`);
         const sourceExt = [".js", ".ts", ".tsx", ".mjs", ".cjs"];
         function findFile(baseDir, baseName) {
           const localBin = path23.resolve(baseDir, baseName);
-          if (fs25.existsSync(localBin))
+          if (fs24.existsSync(localBin))
             return localBin;
           if (sourceExt.includes(path23.extname(baseName)))
             return void 0;
           const foundExt = sourceExt.find(
-            (ext) => fs25.existsSync(`${localBin}${ext}`)
+            (ext) => fs24.existsSync(`${localBin}${ext}`)
           );
           if (foundExt)
             return `${localBin}${foundExt}`;
@@ -1935,7 +1935,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
         if (this._scriptPath) {
           let resolvedScriptPath;
           try {
-            resolvedScriptPath = fs25.realpathSync(this._scriptPath);
+            resolvedScriptPath = fs24.realpathSync(this._scriptPath);
           } catch (err) {
             resolvedScriptPath = this._scriptPath;
           }
@@ -4612,14 +4612,97 @@ var require_source = __commonJS({
 });
 
 // src/lib/config.ts
+function validateApiBase(raw) {
+  const trimmed = raw.replace(/\/$/, "");
+  let parsed;
+  try {
+    parsed = new URL(trimmed);
+  } catch {
+    throw new Error(`Invalid HYV_API_URL: ${raw}`);
+  }
+  if (!ALLOWED_API_HOSTS.has(parsed.hostname)) {
+    throw new Error(`HYV_API_URL host not allowed: ${parsed.hostname}`);
+  }
+  if (parsed.hostname !== "localhost" && parsed.hostname !== "127.0.0.1" && parsed.protocol !== "https:") {
+    throw new Error("HYV_API_URL must use https://");
+  }
+  return trimmed;
+}
+function cliApiUrl(apiPath) {
+  const p = apiPath.startsWith("/") ? apiPath : `/${apiPath}`;
+  return `${API_BASE}${p}`;
+}
+function assertSafeOpenUrl(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error("Invalid URL");
+  }
+  if (parsed.protocol !== "https:") {
+    throw new Error("Only https:// URLs can be opened");
+  }
+  if (!ALLOWED_API_HOSTS.has(parsed.hostname)) {
+    throw new Error(`URL host not allowed: ${parsed.hostname}`);
+  }
+  return url;
+}
+function assertSafeProfileName(name) {
+  const normalized = String(name || "").trim();
+  if (!normalized)
+    throw new Error("Profile name is required");
+  if (/[/\\]|\.\.|\u0000/.test(normalized)) {
+    throw new Error("Invalid profile name: use letters, numbers, hyphens, and underscores only");
+  }
+  if (!PROFILE_NAME_RE.test(normalized)) {
+    throw new Error("Invalid profile name: use letters, numbers, hyphens, and underscores only");
+  }
+  return normalized;
+}
+function profilePathForName(name) {
+  const safe = assertSafeProfileName(name);
+  ensureHyvDir();
+  const profilePath = path.resolve(PROFILES_DIR, `${safe}.md`);
+  const profilesRoot = path.resolve(PROFILES_DIR) + path.sep;
+  if (!profilePath.startsWith(profilesRoot)) {
+    throw new Error("Invalid profile name");
+  }
+  return profilePath;
+}
 function ensureHyvDir() {
   const dirs = [HYV_DIR, PROFILES_DIR, CACHE_DIR, QUEUE_DIR];
   for (const dir of dirs) {
     if (!fs.existsSync(dir)) {
       fs.mkdirSync(dir, { recursive: true, mode: 448 });
+    } else {
+      try {
+        fs.chmodSync(dir, 448);
+      } catch {
+      }
     }
   }
 }
+function appendSecureLine(filePath, line, dir) {
+  if (dir) {
+    if (!fs.existsSync(dir))
+      fs.mkdirSync(dir, { recursive: true, mode: 448 });
+    else {
+      try {
+        fs.chmodSync(dir, 448);
+      } catch {
+      }
+    }
+  }
+  if (!fs.existsSync(filePath)) {
+    fs.writeFileSync(filePath, line, { mode: 384 });
+    return;
+  }
+  try {
+    fs.chmodSync(filePath, 384);
+  } catch {
+  }
+  fs.appendFileSync(filePath, line);
+}
 function isInitialized() {
   return fs.existsSync(AUTH_FILE);
 }
@@ -4673,18 +4756,19 @@ function listCachedProfiles() {
   }
 }
 function readCachedProfile(name) {
-  const profilePath = path.join(PROFILES_DIR, `${name}.md`);
+  const profilePath = profilePathForName(name);
   try {
     if (!fs.existsSync(profilePath))
       return null;
     return fs.readFileSync(profilePath, "utf-8");
-  } catch {
+  } catch (err) {
+    if (err.message?.includes("Invalid profile name"))
+      throw err;
     return null;
   }
 }
 function writeCachedProfile(name, content) {
-  ensureHyvDir();
-  const profilePath = path.join(PROFILES_DIR, `${name}.md`);
+  const profilePath = profilePathForName(name);
   fs.writeFileSync(profilePath, content, { mode: 384 });
 }
 function getQueuedSignals() {
@@ -4704,7 +4788,7 @@ function queueSignal(signal) {
   ensureHyvDir();
   const id = Date.now().toString(36) + Math.random().toString(36).slice(2, 8);
   const filePath = path.join(QUEUE_DIR, `${id}.json`);
-  fs.writeFileSync(filePath, JSON.stringify(signal, null, 2));
+  fs.writeFileSync(filePath, JSON.stringify(signal, null, 2), { mode: 384 });
 }
 function saveLastEditSession(session) {
   ensureHyvDir();
@@ -4720,7 +4804,7 @@ function readLastEditSession() {
     return null;
   }
 }
-var fs, path, os, HYV_DIR, AUTH_FILE, CONFIG_FILE, PROFILES_DIR, CACHE_DIR, QUEUE_DIR, LAST_SESSION_FILE, API_BASE;
+var fs, path, os, HYV_DIR, AUTH_FILE, CONFIG_FILE, PROFILES_DIR, CACHE_DIR, QUEUE_DIR, LAST_SESSION_FILE, ALLOWED_API_HOSTS, API_BASE, PROFILE_NAME_RE;
 var init_config = __esm({
   "src/lib/config.ts"() {
     "use strict";
@@ -4734,7 +4818,15 @@ var init_config = __esm({
     CACHE_DIR = path.join(HYV_DIR, "cache");
     QUEUE_DIR = path.join(HYV_DIR, "queue");
     LAST_SESSION_FILE = path.join(HYV_DIR, "last-session.json");
-    API_BASE = process.env.HYV_API_URL || "https://holdyourvoice.com";
+    ALLOWED_API_HOSTS = /* @__PURE__ */ new Set([
+      "holdyourvoice.com",
+      "www.holdyourvoice.com",
+      "staging.holdyourvoice.com",
+      "localhost",
+      "127.0.0.1"
+    ]);
+    API_BASE = validateApiBase(process.env.HYV_API_URL || "https://holdyourvoice.com");
+    PROFILE_NAME_RE = /^[a-z0-9][a-z0-9._-]{0,62}$/i;
   }
 });
 
@@ -4742,11 +4834,11 @@ var init_config = __esm({
 var require_is_docker = __commonJS({
   "node_modules/is-docker/index.js"(exports2, module2) {
     "use strict";
-    var fs25 = require("fs");
+    var fs24 = require("fs");
     var isDocker;
     function hasDockerEnv() {
       try {
-        fs25.statSync("/.dockerenv");
+        fs24.statSync("/.dockerenv");
         return true;
       } catch (_) {
         return false;
@@ -4754,7 +4846,7 @@ var require_is_docker = __commonJS({
     }
     function hasDockerCGroup() {
       try {
-        return fs25.readFileSync("/proc/self/cgroup", "utf8").includes("docker");
+        return fs24.readFileSync("/proc/self/cgroup", "utf8").includes("docker");
       } catch (_) {
         return false;
       }
@@ -4773,7 +4865,7 @@ var require_is_wsl = __commonJS({
   "node_modules/is-wsl/index.js"(exports2, module2) {
     "use strict";
     var os9 = require("os");
-    var fs25 = require("fs");
+    var fs24 = require("fs");
     var isDocker = require_is_docker();
     var isWsl = () => {
       if (process.platform !== "linux") {
@@ -4786,7 +4878,7 @@ var require_is_wsl = __commonJS({
         return true;
       }
       try {
-        return fs25.readFileSync("/proc/version", "utf8").toLowerCase().includes("microsoft") ? !isDocker() : false;
+        return fs24.readFileSync("/proc/version", "utf8").toLowerCase().includes("microsoft") ? !isDocker() : false;
       } catch (_) {
         return false;
       }
@@ -4827,7 +4919,7 @@ var require_open = __commonJS({
   "node_modules/open/index.js"(exports2, module2) {
     var path23 = require("path");
     var childProcess = require("child_process");
-    var { promises: fs25, constants: fsConstants } = require("fs");
+    var { promises: fs24, constants: fsConstants } = require("fs");
     var isWsl = require_is_wsl();
     var isDocker = require_is_docker();
     var defineLazyProperty = require_define_lazy_prop();
@@ -4835,7 +4927,7 @@ var require_open = __commonJS({
     var { platform, arch } = process;
     var hasContainerEnv = () => {
       try {
-        fs25.statSync("/run/.containerenv");
+        fs24.statSync("/run/.containerenv");
         return true;
       } catch {
         return false;
@@ -4858,14 +4950,14 @@ var require_open = __commonJS({
         const configFilePath = "/etc/wsl.conf";
         let isConfigFileExists = false;
         try {
-          await fs25.access(configFilePath, fsConstants.F_OK);
+          await fs24.access(configFilePath, fsConstants.F_OK);
           isConfigFileExists = true;
         } catch {
         }
         if (!isConfigFileExists) {
           return defaultMountPoint;
         }
-        const configContent = await fs25.readFile(configFilePath, { encoding: "utf8" });
+        const configContent = await fs24.readFile(configFilePath, { encoding: "utf8" });
         const configMountPoint = /(?<!#.*)root\s*=\s*(?<mountPoint>.*)/g.exec(configContent);
         if (!configMountPoint) {
           return defaultMountPoint;
@@ -4965,7 +5057,7 @@ var require_open = __commonJS({
           const isBundled = !__dirname || __dirname === "/";
           let exeLocalXdgOpen = false;
           try {
-            await fs25.access(localXdgOpenPath, fsConstants.X_OK);
+            await fs24.access(localXdgOpenPath, fsConstants.X_OK);
             exeLocalXdgOpen = true;
           } catch {
           }
@@ -4988,14 +5080,14 @@ var require_open = __commonJS({
       }
       const subprocess = childProcess.spawn(command, cliArguments, childProcessOptions);
       if (options.wait) {
-        return new Promise((resolve12, reject) => {
+        return new Promise((resolve14, reject) => {
           subprocess.once("error", reject);
           subprocess.once("close", (exitCode) => {
             if (!options.allowNonzeroExitCode && exitCode > 0) {
               reject(new Error(`Exited with code ${exitCode}`));
               return;
             }
-            resolve12(subprocess);
+            resolve14(subprocess);
           });
         });
       }
@@ -5077,6 +5169,81 @@ var require_open = __commonJS({
   }
 });
 
+// src/lib/version.ts
+function pkgRoot() {
+  const candidates = [
+    path2.resolve(__dirname, ".."),
+    // dist/ or src/lib/ → cli/
+    path2.resolve(__dirname, "..", "..")
+    // src/lib/ → cli/
+  ];
+  for (const root of candidates) {
+    if (fs2.existsSync(path2.join(root, "package.json")))
+      return root;
+  }
+  return path2.resolve(__dirname, "..");
+}
+function getCliVersion() {
+  try {
+    const pkg = JSON.parse(fs2.readFileSync(path2.join(PKG_ROOT, "package.json"), "utf-8"));
+    return pkg.version || "unknown";
+  } catch {
+    return "unknown";
+  }
+}
+function getRulesVersion() {
+  try {
+    if (fs2.existsSync(RULES_MANIFEST)) {
+      return JSON.parse(fs2.readFileSync(RULES_MANIFEST, "utf-8")).version || "unknown";
+    }
+  } catch {
+  }
+  return "unknown";
+}
+function getEngineLabel() {
+  return `hyv v${getCliVersion()} / rules v${getRulesVersion()}`;
+}
+function compareSemver(a, b) {
+  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
+  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
+  const len = Math.max(pa.length, pb.length);
+  for (let i = 0; i < len; i++) {
+    const da = pa[i] ?? 0;
+    const db = pb[i] ?? 0;
+    if (da > db)
+      return 1;
+    if (da < db)
+      return -1;
+  }
+  return 0;
+}
+function fetchLatestNpmVersion(timeoutMs = 8e3) {
+  return new Promise((resolve14) => {
+    (0, import_child_process.execFile)(
+      "npm",
+      ["view", "@holdyourvoice/hyv", "version"],
+      { timeout: timeoutMs, encoding: "utf-8" },
+      (err, stdout) => {
+        if (err || !stdout?.trim())
+          resolve14(null);
+        else
+          resolve14(stdout.trim());
+      }
+    );
+  });
+}
+var fs2, path2, import_child_process, PKG_ROOT, RULES_MANIFEST;
+var init_version = __esm({
+  "src/lib/version.ts"() {
+    "use strict";
+    fs2 = __toESM(require("fs"));
+    path2 = __toESM(require("path"));
+    import_child_process = require("child_process");
+    PKG_ROOT = pkgRoot();
+    RULES_MANIFEST = path2.join(PKG_ROOT, "assets", "detection-rules.json");
+  }
+});
+
 // src/lib/auth.ts
 var auth_exports = {};
 __export(auth_exports, {
@@ -5084,10 +5251,14 @@ __export(auth_exports, {
   authenticateWithLicense: () => authenticateWithLicense,
   authenticatedRequest: () => authenticatedRequest,
   checkSession: () => checkSession,
+  getValidToken: () => getValidToken,
   refreshToken: () => refreshToken
 });
+function escapeHtml(value) {
+  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
 function request(url, options = {}) {
-  return new Promise((resolve12, reject) => {
+  return new Promise((resolve14, reject) => {
     const urlObj = new URL(url);
     const isHttps = urlObj.protocol === "https:";
     const client = isHttps ? https : http;
@@ -5098,7 +5269,7 @@ function request(url, options = {}) {
       method: options.method || "GET",
       headers: {
         "Content-Type": "application/json",
-        "User-Agent": "hyv-cli/2.3.1",
+        "User-Agent": `hyv-cli/${getCliVersion()}`,
         ...options.headers
       },
       timeout: options.timeout || 3e4
@@ -5108,9 +5279,9 @@ function request(url, options = {}) {
       res.on("data", (chunk) => data += chunk);
       res.on("end", () => {
         try {
-          resolve12({ status: res.statusCode || 0, data: JSON.parse(data) });
+          resolve14({ status: res.statusCode || 0, data: JSON.parse(data) });
         } catch {
-          resolve12({ status: res.statusCode || 0, data });
+          resolve14({ status: res.statusCode || 0, data });
         }
       });
     });
@@ -5125,8 +5296,25 @@ function request(url, options = {}) {
     req.end();
   });
 }
+async function getValidToken() {
+  const auth = readAuth();
+  if (!auth?.token)
+    return null;
+  if (auth.expires_at) {
+    const expires = new Date(auth.expires_at);
+    const refreshBy = Date.now() + 5 * 60 * 1e3;
+    if (expires.getTime() <= refreshBy) {
+      const ok = await refreshToken(auth.token);
+      if (ok)
+        return getToken();
+      if (expires.getTime() < Date.now())
+        return null;
+    }
+  }
+  return auth.token;
+}
 async function authenticatedRequest(url, options = {}) {
-  const token = getToken();
+  const token = await getValidToken();
   if (!token) {
     throw new Error("Not authenticated. Run `hyv init` first.");
   }
@@ -5155,9 +5343,9 @@ async function authenticateWithLicense(licenseKey) {
 }
 async function authenticateWithBrowser() {
   const server = http.createServer();
-  const port = await new Promise((resolve12) => {
+  const port = await new Promise((resolve14) => {
     server.listen(0, "127.0.0.1", () => {
-      resolve12(server.address().port);
+      resolve14(server.address().port);
     });
   });
   const redirectUri = `http://127.0.0.1:${port}/callback`;
@@ -5169,10 +5357,14 @@ async function authenticateWithBrowser() {
     server.close();
     throw new Error("Failed to start authentication flow");
   }
-  const { auth_url } = response.data;
+  const { auth_url, state: expectedState } = response.data;
+  if (!expectedState) {
+    server.close();
+    throw new Error("Authentication server did not return OAuth state");
+  }
   console.log(import_chalk.default.cyan("\nOpening browser for authentication..."));
-  await (0, import_open.default)(auth_url);
-  const authData = await new Promise((resolve12, reject) => {
+  await (0, import_open.default)(assertSafeOpenUrl(auth_url));
+  const authData = await new Promise((resolve14, reject) => {
     const timeout = setTimeout(() => {
       server.close();
       reject(new Error("Authentication timeout. Please try again."));
@@ -5190,6 +5382,14 @@ async function authenticateWithBrowser() {
           reject(new Error("Invalid callback parameters"));
           return;
         }
+        if (state !== expectedState) {
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end("<h1>Authentication failed</h1><p>Invalid OAuth state.</p>");
+          clearTimeout(timeout);
+          server.close();
+          reject(new Error("OAuth state mismatch \u2014 possible CSRF attempt"));
+          return;
+        }
         try {
           const callbackResponse = await request(`${API_BASE}/cli/auth/callback`, {
             method: "POST",
@@ -5210,10 +5410,10 @@ async function authenticateWithBrowser() {
           `);
           clearTimeout(timeout);
           server.close();
-          resolve12(data);
+          resolve14(data);
         } catch (error) {
           res.writeHead(500, { "Content-Type": "text/html" });
-          res.end(`<h1>Authentication failed</h1><p>${error.message}</p>`);
+          res.end(`<h1>Authentication failed</h1><p>${escapeHtml(error.message)}</p>`);
           clearTimeout(timeout);
           server.close();
           reject(error);
@@ -5227,8 +5427,8 @@ async function authenticateWithBrowser() {
   writeAuth(authData);
   return authData;
 }
-async function refreshToken() {
-  const token = getToken();
+async function refreshToken(tokenOverride) {
+  const token = tokenOverride || readAuth()?.token;
   if (!token)
     return false;
   try {
@@ -5254,7 +5454,7 @@ async function refreshToken() {
   }
 }
 async function checkSession() {
-  const token = getToken();
+  const token = await getValidToken();
   if (!token)
     return { valid: false };
   try {
@@ -5280,6 +5480,7 @@ var init_auth = __esm({
     import_chalk = __toESM(require_source());
     import_open = __toESM(require_open());
     init_config();
+    init_version();
   }
 });
 
@@ -5413,25 +5614,23 @@ function recordEvent(event, meta) {
   if (!isTelemetryEnabled())
     return;
   try {
-    if (!fs2.existsSync(TELEMETRY_DIR))
-      fs2.mkdirSync(TELEMETRY_DIR, { recursive: true });
-    fs2.appendFileSync(TELEMETRY_FILE, JSON.stringify({
+    appendSecureLine(TELEMETRY_FILE, JSON.stringify({
       event,
       ts: (/* @__PURE__ */ new Date()).toISOString(),
       ...meta
-    }) + "\n");
+    }) + "\n", TELEMETRY_DIR);
   } catch {
   }
 }
-var fs2, path2, os2, TELEMETRY_DIR, TELEMETRY_FILE;
+var path3, os2, TELEMETRY_DIR, TELEMETRY_FILE;
 var init_telemetry = __esm({
   "src/lib/telemetry.ts"() {
     "use strict";
-    fs2 = __toESM(require("fs"));
-    path2 = __toESM(require("path"));
+    path3 = __toESM(require("path"));
     os2 = __toESM(require("os"));
-    TELEMETRY_DIR = path2.join(os2.homedir(), ".hyv", "telemetry");
-    TELEMETRY_FILE = path2.join(TELEMETRY_DIR, "events.jsonl");
+    init_config();
+    TELEMETRY_DIR = path3.join(os2.homedir(), ".hyv", "telemetry");
+    TELEMETRY_FILE = path3.join(TELEMETRY_DIR, "events.jsonl");
   }
 });
 
@@ -5443,7 +5642,7 @@ __export(api_exports, {
   requireSubscription: () => requireSubscription
 });
 async function request2(method, path23, body) {
-  const token = getToken();
+  const token = await getValidToken();
   if (!token)
     throw new Error("you're not signed in yet. run: hyv init");
   const url = `${API_BASE}${path23}`;
@@ -5485,6 +5684,7 @@ var init_api = __esm({
   "src/lib/api.ts"() {
     "use strict";
     init_config();
+    init_auth();
   }
 });
 
@@ -5679,7 +5879,7 @@ async function refreshInBackground(slug) {
   }
 }
 function getDiskCachePath(slug) {
-  return path3.join(DISK_CACHE_DIR, `${slug.replace(/[^a-z0-9-]/gi, "_")}.json`);
+  return path4.join(DISK_CACHE_DIR, `${slug.replace(/[^a-z0-9-]/gi, "_")}.json`);
 }
 function loadFromDiskCache(slug) {
   try {
@@ -5718,18 +5918,18 @@ function buildMinimalProfile(slug, body) {
     cadence: {}
   };
 }
-var fs3, path3, os3, CACHE_TTL, memoryCache, DISK_CACHE_DIR;
+var fs3, path4, os3, CACHE_TTL, memoryCache, DISK_CACHE_DIR;
 var init_profile = __esm({
   "src/lib/profile.ts"() {
     "use strict";
     init_api();
     init_config();
     fs3 = __toESM(require("fs"));
-    path3 = __toESM(require("path"));
+    path4 = __toESM(require("path"));
     os3 = __toESM(require("os"));
     CACHE_TTL = 5 * 60 * 1e3;
     memoryCache = /* @__PURE__ */ new Map();
-    DISK_CACHE_DIR = path3.join(os3.homedir(), ".hyv", "cache", "profiles");
+    DISK_CACHE_DIR = path4.join(os3.homedir(), ".hyv", "cache", "profiles");
   }
 });
 
@@ -5744,7 +5944,7 @@ __export(local_profile_exports, {
   loadProfileFromDiskCache: () => loadProfileFromDiskCache
 });
 function cachePathForSlug(slug) {
-  return path4.join(DISK_CACHE_DIR2, `${slug.replace(/[^a-z0-9-]/gi, "_")}.json`);
+  return path5.join(DISK_CACHE_DIR2, `${slug.replace(/[^a-z0-9-]/gi, "_")}.json`);
 }
 function loadProfileFromDiskCache(slug) {
   try {
@@ -5844,17 +6044,17 @@ function hasRichProfile(profile) {
     return false;
   return (profile.never_list?.length || 0) > 0 || (profile.learned_patterns?.length || 0) > 0 || (profile.drift_snapshot?.length || 0) > 0 || (profile.voice_rules?.length || 0) > 0;
 }
-var fs4, path4, os4, DISK_CACHE_DIR2;
+var fs4, path5, os4, DISK_CACHE_DIR2;
 var init_local_profile = __esm({
   "src/lib/local-profile.ts"() {
     "use strict";
     fs4 = __toESM(require("fs"));
-    path4 = __toESM(require("path"));
+    path5 = __toESM(require("path"));
     os4 = __toESM(require("os"));
     init_config();
     init_config();
     init_profile();
-    DISK_CACHE_DIR2 = path4.join(os4.homedir(), ".hyv", "cache", "profiles");
+    DISK_CACHE_DIR2 = path5.join(os4.homedir(), ".hyv", "cache", "profiles");
   }
 });
 
@@ -5946,19 +6146,19 @@ var init_profile_parse = __esm({
 function loadSupplementalPatterns() {
   const p = path8.join(CACHE_DIR, "supplemental-rules.json");
   try {
-    if (!fs8.existsSync(p))
+    if (!fs7.existsSync(p))
       return [];
-    const data = JSON.parse(fs8.readFileSync(p, "utf-8"));
+    const data = JSON.parse(fs7.readFileSync(p, "utf-8"));
     return Array.isArray(data.patterns) ? data.patterns : [];
   } catch {
     return [];
   }
 }
-var fs8, path8, BUNDLED_MANIFEST;
+var fs7, path8, BUNDLED_MANIFEST;
 var init_rules_loader = __esm({
   "src/lib/rules-loader.ts"() {
     "use strict";
-    fs8 = __toESM(require("fs"));
+    fs7 = __toESM(require("fs"));
     path8 = __toESM(require("path"));
     init_config();
     BUNDLED_MANIFEST = path8.resolve(__dirname, "..", "..", "assets", "detection-rules.json");
@@ -7046,26 +7246,26 @@ function runPipeline(text, profile, applyFixes = false) {
   };
 }
 function readText(source) {
-  const fs25 = require("fs");
+  const fs24 = require("fs");
   const path23 = require("path");
   if (source === "-") {
     if (process.stdin.isTTY) {
       console.error("No input provided. Pipe content or specify a file.");
       process.exit(1);
     }
-    return { text: fs25.readFileSync(0, "utf-8"), path: "stdin" };
+    return { text: fs24.readFileSync(0, "utf-8"), path: "stdin" };
   }
   const resolved = path23.resolve(source);
-  if (!fs25.existsSync(resolved)) {
+  if (!fs24.existsSync(resolved)) {
     console.error(`File not found: ${resolved}`);
     process.exit(1);
   }
-  const stat = fs25.statSync(resolved);
+  const stat = fs24.statSync(resolved);
   if (stat.isDirectory()) {
     console.error(`${resolved} is a directory, not a file.`);
     process.exit(1);
   }
-  return { text: fs25.readFileSync(resolved, "utf-8"), path: resolved };
+  return { text: fs24.readFileSync(resolved, "utf-8"), path: resolved };
 }
 var init_pipeline = __esm({
   "src/lib/pipeline.ts"() {
@@ -8073,7 +8273,7 @@ globstar while`, t, d, e, u, m), this.matchOne(t.slice(d), e.slice(u), s))
       g.minimatch.escape = vi.escape;
       g.minimatch.unescape = Ei.unescape;
     });
-    var fs25 = R((Wt) => {
+    var fs24 = R((Wt) => {
       "use strict";
       Object.defineProperty(Wt, "__esModule", { value: true });
       Wt.LRUCache = void 0;
@@ -9042,7 +9242,7 @@ globstar while`, t, d, e, u, m), this.matchOne(t.slice(d), e.slice(u), s))
       };
       Object.defineProperty(_, "__esModule", { value: true });
       _.PathScurry = _.Path = _.PathScurryDarwin = _.PathScurryPosix = _.PathScurryWin32 = _.PathScurryBase = _.PathPosix = _.PathWin32 = _.PathBase = _.ChildrenCache = _.ResolveCache = void 0;
-      var Qt = fs25(), Yt = require("node:path"), yr = require("node:url"), pt = require("fs"), Sr = br(require("node:fs")), vr = pt.realpathSync.native, Ht = require("node:fs/promises"), bs = Oe(), mt = { lstatSync: pt.lstatSync, readdir: pt.readdir, readdirSync: pt.readdirSync, readlinkSync: pt.readlinkSync, realpathSync: vr, promises: { lstat: Ht.lstat, readdir: Ht.readdir, readlink: Ht.readlink, realpath: Ht.realpath } }, _s = (n) => !n || n === mt || n === Sr ? mt : { ...mt, ...n, promises: { ...mt.promises, ...n.promises || {} } }, Os = /^\\\\\?\\([a-z]:)\\?$/i, Er = (n) => n.replace(/\//g, "\\").replace(Os, "$1\\"), _r = /[\\\/]/, N = 0, xs = 1, Ts = 2, G = 4, Cs = 6, Rs = 8, Q = 10, As = 12, j = 15, dt = ~j, xe = 16, ys = 32, gt = 64, W = 128, Vt = 256, Xt = 512, Ss = gt | W | Xt, Or = 1023, Te = (n) => n.isFile() ? Rs : n.isDirectory() ? G : n.isSymbolicLink() ? Q : n.isCharacterDevice() ? Ts : n.isBlockDevice() ? Cs : n.isSocket() ? As : n.isFIFO() ? xs : N, vs = new Qt.LRUCache({ max: 2 ** 12 }), wt = (n) => {
+      var Qt = fs24(), Yt = require("node:path"), yr = require("node:url"), pt = require("fs"), Sr = br(require("node:fs")), vr = pt.realpathSync.native, Ht = require("node:fs/promises"), bs = Oe(), mt = { lstatSync: pt.lstatSync, readdir: pt.readdir, readdirSync: pt.readdirSync, readlinkSync: pt.readlinkSync, realpathSync: vr, promises: { lstat: Ht.lstat, readdir: Ht.readdir, readlink: Ht.readlink, realpath: Ht.realpath } }, _s = (n) => !n || n === mt || n === Sr ? mt : { ...mt, ...n, promises: { ...mt.promises, ...n.promises || {} } }, Os = /^\\\\\?\\([a-z]:)\\?$/i, Er = (n) => n.replace(/\//g, "\\").replace(Os, "$1\\"), _r = /[\\\/]/, N = 0, xs = 1, Ts = 2, G = 4, Cs = 6, Rs = 8, Q = 10, As = 12, j = 15, dt = ~j, xe = 16, ys = 32, gt = 64, W = 128, Vt = 256, Xt = 512, Ss = gt | W | Xt, Or = 1023, Te = (n) => n.isFile() ? Rs : n.isDirectory() ? G : n.isSymbolicLink() ? Q : n.isCharacterDevice() ? Ts : n.isBlockDevice() ? Cs : n.isSocket() ? As : n.isFIFO() ? xs : N, vs = new Qt.LRUCache({ max: 2 ** 12 }), wt = (n) => {
         let t = vs.get(n);
         if (t)
           return t;
@@ -10733,79 +10933,11 @@ init_config();
 init_auth();
 init_access();
 init_local_profile();
-
-// src/lib/version.ts
-var fs5 = __toESM(require("fs"));
-var path5 = __toESM(require("path"));
-var import_child_process = require("child_process");
-function pkgRoot() {
-  const candidates = [
-    path5.resolve(__dirname, ".."),
-    // dist/ or src/lib/ → cli/
-    path5.resolve(__dirname, "..", "..")
-    // src/lib/ → cli/
-  ];
-  for (const root of candidates) {
-    if (fs5.existsSync(path5.join(root, "package.json")))
-      return root;
-  }
-  return path5.resolve(__dirname, "..");
-}
-var PKG_ROOT = pkgRoot();
-var RULES_MANIFEST = path5.join(PKG_ROOT, "assets", "detection-rules.json");
-function getCliVersion() {
-  try {
-    const pkg = JSON.parse(fs5.readFileSync(path5.join(PKG_ROOT, "package.json"), "utf-8"));
-    return pkg.version || "unknown";
-  } catch {
-    return "unknown";
-  }
-}
-function getRulesVersion() {
-  try {
-    if (fs5.existsSync(RULES_MANIFEST)) {
-      return JSON.parse(fs5.readFileSync(RULES_MANIFEST, "utf-8")).version || "unknown";
-    }
-  } catch {
-  }
-  return "unknown";
-}
-function getEngineLabel() {
-  return `hyv v${getCliVersion()} / rules v${getRulesVersion()}`;
-}
-function compareSemver(a, b) {
-  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
-  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
-  const len = Math.max(pa.length, pb.length);
-  for (let i = 0; i < len; i++) {
-    const da = pa[i] ?? 0;
-    const db = pb[i] ?? 0;
-    if (da > db)
-      return 1;
-    if (da < db)
-      return -1;
-  }
-  return 0;
-}
-function fetchLatestNpmVersion(timeoutMs = 8e3) {
-  return new Promise((resolve12) => {
-    (0, import_child_process.execFile)(
-      "npm",
-      ["view", "@holdyourvoice/hyv", "version"],
-      { timeout: timeoutMs, encoding: "utf-8" },
-      (err, stdout) => {
-        if (err || !stdout?.trim())
-          resolve12(null);
-        else
-          resolve12(stdout.trim());
-      }
-    );
-  });
-}
+init_version();
 
 // src/lib/queue-sync.ts
 var import_chalk6 = __toESM(require_source());
-var fs6 = __toESM(require("fs"));
+var fs5 = __toESM(require("fs"));
 var path6 = __toESM(require("path"));
 init_config();
 init_auth();
@@ -10815,34 +10947,34 @@ async function flushQueuedSignals() {
     return { sent: 0, failed: 0 };
   let sent = 0;
   let failed = 0;
-  if (!fs6.existsSync(QUEUE_DIR))
+  if (!fs5.existsSync(QUEUE_DIR))
     return { sent: 0, failed: 0 };
-  const files = fs6.readdirSync(QUEUE_DIR).filter((f) => f.endsWith(".json"));
+  const files = fs5.readdirSync(QUEUE_DIR).filter((f) => f.endsWith(".json"));
   for (const file of files) {
     const filePath = path6.join(QUEUE_DIR, file);
     try {
-      const signal = JSON.parse(fs6.readFileSync(filePath, "utf-8"));
+      const signal = JSON.parse(fs5.readFileSync(filePath, "utf-8"));
       let ok = false;
       if (signal.type === "reinforce") {
-        const res = await authenticatedRequest("https://holdyourvoice.com/cli/learning/reinforce", {
+        const res = await authenticatedRequest(cliApiUrl("/cli/learning/reinforce"), {
           method: "POST",
           body: {
             profile_id: signal.profile,
-            original_text: signal.report?.session?.original_path,
-            accepted_text: signal.report?.session?.accepted_path,
+            original_text: signal.original_text ?? signal.report?.original_text,
+            accepted_text: signal.accepted_text ?? signal.report?.accepted_text,
             signal_report: signal.report
           }
         });
         ok = res.status === 200;
       } else if (signal.type === "add_instruction") {
-        const res = await authenticatedRequest("https://holdyourvoice.com/cli/learning/add", {
+        const res = await authenticatedRequest(cliApiUrl("/cli/learning/add"), {
           method: "POST",
           body: { profile_id: signal.profile, instruction: signal.instruction }
         });
         ok = res.status === 200;
       }
       if (ok) {
-        fs6.unlinkSync(filePath);
+        fs5.unlinkSync(filePath);
         sent++;
       } else {
         failed++;
@@ -10971,7 +11103,7 @@ async function printEvolutionSummary(slug) {
     return;
   try {
     const res = await authenticatedRequest(
-      `https://holdyourvoice.com/cli/profiles/${encodeURIComponent(slug)}/evolution`,
+      cliApiUrl(`/cli/profiles/${encodeURIComponent(slug)}/evolution`),
       { method: "GET" }
     );
     if (res.status !== 200 || !res.data)
@@ -10999,7 +11131,7 @@ init_config();
 init_auth();
 init_access();
 init_profile();
-var fs7 = __toESM(require("fs"));
+var fs6 = __toESM(require("fs"));
 var path7 = __toESM(require("path"));
 function registerSyncCommand(program3) {
   program3.command("sync").description("Sync profiles and rules from server").option("--force", "Force re-download even if cache is fresh").action(async (options) => {
@@ -11007,7 +11139,7 @@ function registerSyncCommand(program3) {
       await requirePaidFeature("profiles");
       console.log(import_chalk8.default.cyan("Syncing profiles and rules..."));
       const response = await authenticatedRequest(
-        "https://holdyourvoice.com/cli/sync",
+        cliApiUrl("/cli/sync"),
         { method: "GET" }
       );
       if (response.status !== 200) {
@@ -11023,12 +11155,12 @@ function registerSyncCommand(program3) {
         profileCount++;
       }
       const rulesPath = path7.join(CACHE_DIR, "rules.md");
-      fs7.writeFileSync(rulesPath, data.rules, { mode: 384 });
+      fs6.writeFileSync(rulesPath, data.rules, { mode: 384 });
       const promptPath = path7.join(CACHE_DIR, "prompt-template.md");
-      fs7.writeFileSync(promptPath, data.prompt_template, { mode: 384 });
+      fs6.writeFileSync(promptPath, data.prompt_template, { mode: 384 });
       if (data.detection_rules) {
         const rulesJson = path7.join(CACHE_DIR, "detection-rules.json");
-        fs7.writeFileSync(rulesJson, JSON.stringify(data.detection_rules, null, 2), { mode: 384 });
+        fs6.writeFileSync(rulesJson, JSON.stringify(data.detection_rules, null, 2), { mode: 384 });
       }
       for (const profile of data.profiles) {
         try {
@@ -11044,7 +11176,7 @@ function registerSyncCommand(program3) {
         console.log(import_chalk8.default.yellow(`  ! ${queueResult.failed} queued signal(s) could not send`));
       }
       const metaPath = path7.join(CACHE_DIR, "sync-meta.json");
-      fs7.writeFileSync(metaPath, JSON.stringify({
+      fs6.writeFileSync(metaPath, JSON.stringify({
         synced_at: data.synced_at,
         profile_count: profileCount,
         plan: data.plan
@@ -11120,7 +11252,7 @@ async function showProfileHistory(slug) {
     return;
   }
   try {
-    const res = await authenticatedRequest2(`https://holdyourvoice.com/cli/profiles/${encodeURIComponent(slug)}/evolution`, { method: "GET" });
+    const res = await authenticatedRequest2(cliApiUrl(`/cli/profiles/${encodeURIComponent(slug)}/evolution`), { method: "GET" });
     if (res.status !== 200) {
       console.log(import_chalk8.default.red("Could not load profile history."));
       return;
@@ -11149,12 +11281,12 @@ Profile evolution: ${slug}
 
 // src/commands/rewrite.ts
 var import_chalk9 = __toESM(require_source());
-var fs10 = __toESM(require("fs"));
+var fs9 = __toESM(require("fs"));
 var path10 = __toESM(require("path"));
 init_pipeline();
 
 // src/lib/prompt.ts
-var fs9 = __toESM(require("fs"));
+var fs8 = __toESM(require("fs"));
 var path9 = __toESM(require("path"));
 init_config();
 init_signals();
@@ -11162,8 +11294,8 @@ init_profile_parse();
 function loadPromptTemplate() {
   const templatePath = path9.join(CACHE_DIR, "prompt-template.md");
   try {
-    if (fs9.existsSync(templatePath)) {
-      return fs9.readFileSync(templatePath, "utf-8");
+    if (fs8.existsSync(templatePath)) {
+      return fs8.readFileSync(templatePath, "utf-8");
     }
   } catch {
   }
@@ -11229,10 +11361,10 @@ function loadProfile(name) {
     }
   }
   try {
-    if (!fs9.existsSync(PROFILES_DIR)) {
+    if (!fs8.existsSync(PROFILES_DIR)) {
       return null;
     }
-    const profiles = fs9.readdirSync(PROFILES_DIR).filter((f) => f.endsWith(".md"));
+    const profiles = fs8.readdirSync(PROFILES_DIR).filter((f) => f.endsWith(".md"));
     if (profiles.length > 0) {
       const defaultProfile = profiles[0].replace(".md", "");
       const content = readCachedProfile(defaultProfile);
@@ -11364,7 +11496,7 @@ Draft: ${draftPath}`));
       }
       if (options.output) {
         const outputPath = path10.resolve(options.output);
-        fs10.writeFileSync(outputPath, promptResult.prompt);
+        fs9.writeFileSync(outputPath, promptResult.prompt);
         console.log(import_chalk9.default.green(`
 \u2713 Prompt written to ${outputPath}`));
       } else {
@@ -11384,7 +11516,7 @@ Draft: ${draftPath}`));
 
 // src/commands/learning.ts
 var import_chalk10 = __toESM(require_source());
-var fs11 = __toESM(require("fs"));
+var fs10 = __toESM(require("fs"));
 var path11 = __toESM(require("path"));
 
 // src/lib/patterns.ts
@@ -11889,16 +12021,16 @@ function registerLearningCommands(program3) {
         }
         origPath = path11.resolve(original);
         editPath = path11.resolve(edited);
-        if (!fs11.existsSync(origPath)) {
+        if (!fs10.existsSync(origPath)) {
           console.error(import_chalk10.default.red(`Original file not found: ${origPath}`));
           process.exit(1);
         }
-        if (!fs11.existsSync(editPath)) {
+        if (!fs10.existsSync(editPath)) {
           console.error(import_chalk10.default.red(`Edited file not found: ${editPath}`));
           process.exit(1);
         }
-        origText = fs11.readFileSync(origPath, "utf-8");
-        editText = fs11.readFileSync(editPath, "utf-8");
+        origText = fs10.readFileSync(origPath, "utf-8");
+        editText = fs10.readFileSync(editPath, "utf-8");
         saveLastEditSession({
           original_path: origPath,
           edited_path: editPath,
@@ -11914,6 +12046,8 @@ function registerLearningCommands(program3) {
         queueSignal({
           type: "reinforce",
           profile: options.profile,
+          original_text: origText,
+          accepted_text: editText,
           report,
           timestamp: (/* @__PURE__ */ new Date()).toISOString()
         });
@@ -11927,6 +12061,8 @@ ${err.message}`));
           queueSignal({
             type: "reinforce",
             profile: options.profile,
+            original_text: origText,
+            accepted_text: editText,
             report,
             timestamp: (/* @__PURE__ */ new Date()).toISOString()
           });
@@ -11939,6 +12075,8 @@ ${err.message}`));
           queueSignal({
             type: "reinforce",
             profile: options.profile,
+            original_text: origText,
+            accepted_text: editText,
             report,
             timestamp: (/* @__PURE__ */ new Date()).toISOString()
           });
@@ -11946,7 +12084,7 @@ ${err.message}`));
         }
         console.log(import_chalk10.default.cyan("\nSending to server..."));
         const response = await authenticatedRequest(
-          "https://holdyourvoice.com/cli/learning/reinforce",
+          cliApiUrl("/cli/learning/reinforce"),
           {
             method: "POST",
             body: {
@@ -11968,6 +12106,8 @@ ${err.message}`));
           queueSignal({
             type: "reinforce",
             profile: options.profile,
+            original_text: origText,
+            accepted_text: editText,
             report,
             timestamp: (/* @__PURE__ */ new Date()).toISOString()
           });
@@ -11994,7 +12134,7 @@ ${err.message}`));
       }
       console.log(import_chalk10.default.cyan("Adding instruction..."));
       const response = await authenticatedRequest(
-        "https://holdyourvoice.com/cli/learning/add",
+        cliApiUrl("/cli/learning/add"),
         {
           method: "POST",
           body: {
@@ -12057,7 +12197,7 @@ function printProfileImpact(impact, data) {
 
 // src/commands/onboarding.ts
 var import_chalk11 = __toESM(require_source());
-var fs12 = __toESM(require("fs"));
+var fs11 = __toESM(require("fs"));
 var path12 = __toESM(require("path"));
 init_config();
 init_auth();
@@ -12133,6 +12273,7 @@ function extractStats(samples) {
 function registerOnboardingCommands(program3) {
   program3.command("new").description("Create a new voice profile").argument("<name>", "Profile name").option("--from-samples <dir>", "Create from writing samples").option("--from-llm", "Generate extraction prompt for LLM").action(async (name, options) => {
     try {
+      assertSafeProfileName(name);
       const token = getToken();
       if (options.fromSamples) {
         await createFromSamples(name, options.fromSamples, token);
@@ -12147,6 +12288,7 @@ Error: ${error.message}`));
       process.exit(1);
     }
   });
+  registerImportCommand(program3);
 }
 async function flashcardOnboarding(name, token) {
   const { printWelcome: printWelcome2 } = await Promise.resolve().then(() => (init_welcome(), welcome_exports));
@@ -12170,7 +12312,7 @@ Industry: ${industry}
   if (token) {
     console.log(import_chalk11.default.cyan("\nGenerating profile on server..."));
     const response = await authenticatedRequest(
-      "https://holdyourvoice.com/cli/profiles/new",
+      cliApiUrl("/cli/profiles/new"),
       {
         method: "POST",
         body: {
@@ -12207,20 +12349,20 @@ Industry: ${industry}
 }
 async function createFromSamples(name, sampleDir, token) {
   const dirPath = path12.resolve(sampleDir);
-  if (!fs12.existsSync(dirPath)) {
+  if (!fs11.existsSync(dirPath)) {
     throw new Error(`Directory not found: ${dirPath}`);
   }
   console.log(import_chalk11.default.bold(`
 Creating voice profile: ${name}`));
   console.log(import_chalk11.default.dim(`Reading samples from: ${dirPath}
 `));
-  const files = fs12.readdirSync(dirPath).filter((f) => f.endsWith(".md") || f.endsWith(".txt")).map((f) => path12.join(dirPath, f));
+  const files = fs11.readdirSync(dirPath).filter((f) => f.endsWith(".md") || f.endsWith(".txt")).map((f) => path12.join(dirPath, f));
   if (files.length === 0) {
     throw new Error("No .md or .txt files found in directory");
   }
   const samples = [];
   for (const file of files) {
-    const text = fs12.readFileSync(file, "utf-8");
+    const text = fs11.readFileSync(file, "utf-8");
     if (text.trim().length > 0) {
       samples.push({ path: file, text });
       console.log(import_chalk11.default.dim(`  \u2022 ${path12.basename(file)} (${words(text).length} words)`));
@@ -12240,7 +12382,7 @@ Stats extracted:`));
   if (token) {
     console.log(import_chalk11.default.cyan("\nGenerating profile on server..."));
     const response = await authenticatedRequest(
-      "https://holdyourvoice.com/cli/profiles/new",
+      cliApiUrl("/cli/profiles/new"),
       {
         method: "POST",
         body: {
@@ -12290,8 +12432,28 @@ hyv import ${name} <file.md>
 Or paste the profile content and I'll save it.`;
   console.log(prompt);
 }
+function registerImportCommand(program3) {
+  program3.command("import").description("Import a voice profile from file").argument("<name>", "Profile name").argument("<file>", "Profile markdown file").action(async (name, file) => {
+    try {
+      assertSafeProfileName(name);
+      const filePath = path12.resolve(file);
+      if (!fs11.existsSync(filePath)) {
+        console.error(import_chalk11.default.red(`File not found: ${filePath}`));
+        process.exit(1);
+      }
+      const content = fs11.readFileSync(filePath, "utf-8");
+      ensureHyvDir();
+      writeCachedProfile(name, content);
+      console.log(import_chalk11.default.green(`
+\u2713 Profile imported: ${name}`));
+    } catch (error) {
+      console.error(import_chalk11.default.red(`Error: ${error.message}`));
+      process.exit(1);
+    }
+  });
+}
 function askQuestion(question) {
-  return new Promise((resolve12) => {
+  return new Promise((resolve14) => {
     const readline = require("readline");
     const rl = readline.createInterface({
       input: process.stdin,
@@ -12300,7 +12462,7 @@ function askQuestion(question) {
     rl.question(import_chalk11.default.cyan(`  ${question}
   > `), (answer) => {
       rl.close();
-      resolve12(answer.trim());
+      resolve14(answer.trim());
     });
   });
 }
@@ -12404,7 +12566,7 @@ Error: ${error.message}`));
 async function showPlan() {
   console.log(import_chalk12.default.bold("\nSubscription Plan\n"));
   const response = await authenticatedRequest(
-    "https://holdyourvoice.com/cli/heartbeat",
+    cliApiUrl("/cli/heartbeat"),
     { method: "GET" }
   );
   if (response.status !== 200) {
@@ -12448,7 +12610,7 @@ async function showPlan() {
 async function upgradePlan() {
   console.log(import_chalk12.default.cyan("\nOpening checkout...\n"));
   const response = await authenticatedRequest(
-    "https://holdyourvoice.com/cli/subscribe",
+    cliApiUrl("/cli/subscribe"),
     {
       method: "POST",
       body: { plan: "individual" }
@@ -12459,7 +12621,7 @@ async function upgradePlan() {
     const checkoutUrl = data.checkout_url;
     if (checkoutUrl) {
       console.log(import_chalk12.default.dim("Opening browser..."));
-      await (0, import_open2.default)(checkoutUrl);
+      await (0, import_open2.default)(assertSafeOpenUrl(checkoutUrl));
       console.log(import_chalk12.default.green("\n\u2713 Checkout opened in browser"));
       console.log(import_chalk12.default.dim("Complete the checkout to activate your plan."));
     } else {
@@ -12473,7 +12635,7 @@ async function upgradePlan() {
 async function openBillingPortal() {
   console.log(import_chalk12.default.cyan("\nOpening billing portal...\n"));
   const response = await authenticatedRequest(
-    "https://holdyourvoice.com/cli/subscribe/manage",
+    cliApiUrl("/cli/subscribe/manage"),
     { method: "POST" }
   );
   if (response.status === 200) {
@@ -12481,7 +12643,7 @@ async function openBillingPortal() {
     const portalUrl = data.portal_url;
     if (portalUrl) {
       console.log(import_chalk12.default.dim("Opening browser..."));
-      await (0, import_open2.default)(portalUrl);
+      await (0, import_open2.default)(assertSafeOpenUrl(portalUrl));
       console.log(import_chalk12.default.green("\n\u2713 Billing portal opened"));
     } else {
       console.log(import_chalk12.default.yellow("No portal URL received."));
@@ -12663,7 +12825,7 @@ async function runHybridAnalysis(text, profile, opts = {}) {
 
 // src/commands/history.ts
 var import_chalk14 = __toESM(require_source());
-var fs13 = __toESM(require("fs"));
+var fs12 = __toESM(require("fs"));
 var path13 = __toESM(require("path"));
 init_config();
 var HISTORY_DIR = path13.join(HYV_DIR, "history");
@@ -12671,17 +12833,15 @@ var HISTORY_FILE = path13.join(HISTORY_DIR, "scans.jsonl");
 function logScan(entry) {
   try {
     ensureHyvDir();
-    if (!fs13.existsSync(HISTORY_DIR))
-      fs13.mkdirSync(HISTORY_DIR, { recursive: true });
-    fs13.appendFileSync(HISTORY_FILE, JSON.stringify(entry) + "\n");
+    appendSecureLine(HISTORY_FILE, JSON.stringify(entry) + "\n", HISTORY_DIR);
   } catch {
   }
 }
 function readHistory() {
   try {
-    if (!fs13.existsSync(HISTORY_FILE))
+    if (!fs12.existsSync(HISTORY_FILE))
       return [];
-    const lines = fs13.readFileSync(HISTORY_FILE, "utf-8").trim().split("\n").filter(Boolean);
+    const lines = fs12.readFileSync(HISTORY_FILE, "utf-8").trim().split("\n").filter(Boolean);
     return lines.map((l) => JSON.parse(l));
   } catch {
     return [];
@@ -12713,8 +12873,8 @@ function registerHistoryCommand(program3) {
   program3.command("history").description("Show past scan scores and track improvement").option("--limit <n>", "Number of entries to show", "20").option("--file <path>", "Filter by file path").option("--since <date>", "Show entries since (e.g., 7d, 1m, 2024-01-01)").option("--chart", "Show ASCII sparkline chart").option("--clear", "Clear history").option("--format <type>", "Output format (text, json)", "text").action(async (options) => {
     try {
       if (options.clear) {
-        if (fs13.existsSync(HISTORY_FILE)) {
-          fs13.unlinkSync(HISTORY_FILE);
+        if (fs12.existsSync(HISTORY_FILE)) {
+          fs12.unlinkSync(HISTORY_FILE);
         }
         console.log(import_chalk14.default.green("\n\u2713 History cleared"));
         return;
@@ -12869,7 +13029,7 @@ hyv scan ${filePath}`));
         hasProfile: !!profile
       });
       if (options.failOnHit && signals.length > 0) {
-        process.exit(1);
+        process.exit(2);
       }
     } catch (error) {
       console.error(import_chalk15.default.red(`Error: ${error.message}`));
@@ -12880,15 +13040,33 @@ hyv scan ${filePath}`));
 
 // src/commands/doctor.ts
 var import_chalk16 = __toESM(require_source());
-var fs14 = __toESM(require("fs"));
+var fs13 = __toESM(require("fs"));
 var path14 = __toESM(require("path"));
 var os5 = __toESM(require("os"));
 init_config();
 init_auth();
 init_access();
 init_local_profile();
+init_version();
 var HOME = os5.homedir();
 var IS_WIN = process.platform === "win32";
+function claudeDesktopDir() {
+  if (IS_WIN)
+    return path14.join(HOME, "AppData", "Roaming", "Claude");
+  if (process.platform === "linux")
+    return path14.join(HOME, ".config", "Claude");
+  return path14.join(HOME, "Library", "Application Support", "Claude");
+}
+function readMcpHyv(configFile) {
+  try {
+    if (!fs13.existsSync(configFile))
+      return false;
+    const cfg = JSON.parse(fs13.readFileSync(configFile, "utf-8"));
+    return Boolean(cfg.mcpServers?.hyv);
+  } catch {
+    return false;
+  }
+}
 function registerDoctorCommand(program3) {
   program3.command("doctor").description("Diagnose CLI health: engine, cache, auth, agents").option("--fix-agents", "Re-run agent config copy (idempotent)").action(async (opts) => {
     console.log(import_chalk16.default.bold("\nhold your voice \u2014 doctor\n"));
@@ -12904,28 +13082,28 @@ function registerDoctorCommand(program3) {
     console.log(import_chalk16.default.dim("tip: run hyv welcome for free capabilities\n"));
     console.log(import_chalk16.default.dim("checking cli installation..."));
     const cliPath = process.argv[1];
-    if (cliPath && fs14.existsSync(cliPath)) {
+    if (cliPath && fs13.existsSync(cliPath)) {
       console.log(import_chalk16.default.green("  \u2713 cli installed"));
     } else {
       console.log(import_chalk16.default.red("  \u2717 cli not found"));
       issues++;
     }
     console.log(import_chalk16.default.dim("checking .hyv directory..."));
-    if (fs14.existsSync(HYV_DIR)) {
+    if (fs13.existsSync(HYV_DIR)) {
       console.log(import_chalk16.default.green("  \u2713 .hyv directory exists"));
     } else {
       console.log(import_chalk16.default.yellow("  ! .hyv directory missing \u2014 creating..."));
-      fs14.mkdirSync(HYV_DIR, { recursive: true });
+      fs13.mkdirSync(HYV_DIR, { recursive: true, mode: 448 });
       fixed++;
     }
     console.log(import_chalk16.default.dim("checking cache..."));
     const diskProfiles = listDiskCachedProfiles();
     const syncMeta = path14.join(CACHE_DIR, "sync-meta.json");
-    if (diskProfiles.length > 0 || fs14.existsSync(syncMeta)) {
+    if (diskProfiles.length > 0 || fs13.existsSync(syncMeta)) {
       console.log(import_chalk16.default.green(`  \u2713 profile cache (${diskProfiles.length} full profile(s))`));
-      if (fs14.existsSync(syncMeta)) {
+      if (fs13.existsSync(syncMeta)) {
         try {
-          const meta = JSON.parse(fs14.readFileSync(syncMeta, "utf-8"));
+          const meta = JSON.parse(fs13.readFileSync(syncMeta, "utf-8"));
           console.log(import_chalk16.default.dim(`    last sync: ${meta.synced_at || "unknown"}`));
         } catch {
         }
@@ -12958,8 +13136,8 @@ function registerDoctorCommand(program3) {
     }
     console.log(import_chalk16.default.dim("checking voice profile..."));
     const voiceMd = path14.join(HYV_DIR, "voice.md");
-    const hasVoiceMd = fs14.existsSync(voiceMd) && fs14.readFileSync(voiceMd, "utf-8").trim().length > 50;
-    const profileFiles = fs14.existsSync(PROFILES_DIR) ? fs14.readdirSync(PROFILES_DIR).filter((f) => f.endsWith(".md") && f !== "voice.md") : [];
+    const hasVoiceMd = fs13.existsSync(voiceMd) && fs13.readFileSync(voiceMd, "utf-8").trim().length > 50;
+    const profileFiles = fs13.existsSync(PROFILES_DIR) ? fs13.readdirSync(PROFILES_DIR).filter((f) => f.endsWith(".md") && f !== "voice.md") : [];
     if (hasVoiceMd || profileFiles.length > 0 || diskProfiles.length > 0) {
       if (hasVoiceMd)
         console.log(import_chalk16.default.green("  \u2713 voice.md exists"));
@@ -12972,15 +13150,17 @@ function registerDoctorCommand(program3) {
       console.log(import_chalk16.default.dim("    run: hyv new <name> or hyv init"));
     }
     console.log(import_chalk16.default.dim("checking agent configurations..."));
-    const cwd = process.cwd();
-    const agents = [
-      { name: "claude desktop", file: path14.join(IS_WIN ? path14.join(HOME, "AppData", "Roaming", "Claude") : path14.join(HOME, "Library", "Application Support", "Claude"), "claude_desktop_config.json") },
-      { name: "claude code", file: path14.join(HOME, ".claude", "commands", "hyv.md") },
-      { name: "cursor", file: path14.join(HOME, ".cursor", "rules", "hyv.md") },
-      { name: "codex (project)", file: path14.join(cwd, ".codex", "instructions.md") }
+    const agentChecks = [
+      { name: "claude desktop mcp", ok: readMcpHyv(path14.join(claudeDesktopDir(), "claude_desktop_config.json")) },
+      { name: "cursor mcp", ok: readMcpHyv(path14.join(HOME, ".cursor", "mcp.json")) },
+      { name: "cursor rule", ok: fs13.existsSync(path14.join(HOME, ".cursor", "rules", "hyv.mdc")) },
+      { name: "claude code command", ok: fs13.existsSync(path14.join(HOME, ".claude", "commands", "hyv.md")) },
+      { name: "claude code skill", ok: fs13.existsSync(path14.join(HOME, ".claude", "skills", "hold-your-voice", "SKILL.md")) },
+      { name: "codex agents", ok: fs13.existsSync(path14.join(HOME, ".codex", "AGENTS.md")) && fs13.readFileSync(path14.join(HOME, ".codex", "AGENTS.md"), "utf-8").includes("hyv") },
+      { name: "command code skill", ok: fs13.existsSync(path14.join(HOME, ".commandcode", "skills", "hyv", "SKILL.md")) }
     ];
-    for (const agent of agents) {
-      if (fs14.existsSync(agent.file)) {
+    for (const agent of agentChecks) {
+      if (agent.ok) {
         console.log(import_chalk16.default.green(`  \u2713 ${agent.name}`));
       } else {
         console.log(import_chalk16.default.dim(`  - ${agent.name} not configured`));
@@ -12988,35 +13168,29 @@ function registerDoctorCommand(program3) {
     }
     if (opts.fixAgents) {
       try {
-        const postinstall = path14.resolve(__dirname, "..", "..", "scripts", "postinstall.js");
-        if (fs14.existsSync(postinstall)) {
-          require(postinstall);
-          console.log(import_chalk16.default.green("  \u2713 re-ran postinstall agent setup"));
-          fixed++;
-        }
-      } catch {
-        console.log(import_chalk16.default.yellow("  ! could not re-run postinstall"));
+        const pkgDir = path14.resolve(__dirname, "..");
+        const { setupAgents } = require(path14.join(pkgDir, "scripts", "postinstall-lib.js"));
+        const result = setupAgents({ pkgDir, quiet: true });
+        console.log(import_chalk16.default.green(`  \u2713 re-ran agent setup (${result.configured.join(", ") || "no changes"})`));
+        if (result.warnings.length) {
+          console.log(import_chalk16.default.yellow(`    notes: ${result.warnings.join("; ")}`));
+        }
+        fixed++;
+      } catch (err) {
+        console.log(import_chalk16.default.yellow(`  ! could not re-run agent setup: ${err.message}`));
       }
     }
     console.log(import_chalk16.default.dim("checking mcp server..."));
-    const claudeConfigFile = path14.join(
-      IS_WIN ? path14.join(HOME, "AppData", "Roaming", "Claude") : path14.join(HOME, "Library", "Application Support", "Claude"),
-      "claude_desktop_config.json"
-    );
-    if (fs14.existsSync(claudeConfigFile)) {
-      try {
-        const cfg = JSON.parse(fs14.readFileSync(claudeConfigFile, "utf-8"));
-        if (cfg.mcpServers?.hyv) {
-          console.log(import_chalk16.default.green("  \u2713 mcp configured for claude desktop"));
-        } else {
-          console.log(import_chalk16.default.yellow("  ! mcp not configured \u2014 run: hyv init"));
-          issues++;
-        }
-      } catch {
-        console.log(import_chalk16.default.yellow("  ! could not read claude desktop config"));
-      }
+    const claudeMcp = readMcpHyv(path14.join(claudeDesktopDir(), "claude_desktop_config.json"));
+    const cursorMcp = readMcpHyv(path14.join(HOME, ".cursor", "mcp.json"));
+    if (claudeMcp || cursorMcp) {
+      if (claudeMcp)
+        console.log(import_chalk16.default.green("  \u2713 mcp configured for claude desktop"));
+      if (cursorMcp)
+        console.log(import_chalk16.default.green("  \u2713 mcp configured for cursor"));
     } else {
-      console.log(import_chalk16.default.dim("  - claude desktop not found"));
+      console.log(import_chalk16.default.yellow("  ! mcp not configured \u2014 run: hyv doctor --fix-agents or hyv mcp --setup"));
+      issues++;
     }
     console.log("");
     if (issues === 0 && fixed === 0) {
@@ -13065,7 +13239,7 @@ function registerRenameCommand(program3) {
         return;
       }
       const response = await authenticatedRequest(
-        "https://holdyourvoice.com/cli/profiles/rename",
+        cliApiUrl("/cli/profiles/rename"),
         {
           method: "POST",
           body: {
@@ -13095,7 +13269,7 @@ error: ${error.message}
 
 // src/commands/fix.ts
 var import_chalk18 = __toESM(require_source());
-var fs15 = __toESM(require("fs"));
+var fs14 = __toESM(require("fs"));
 var path15 = __toESM(require("path"));
 init_pipeline();
 init_local_profile();
@@ -13142,8 +13316,8 @@ hyv fix ${filePath}
       if (!options.dryRun) {
         if (options.inPlace && filePath !== "stdin") {
           const backupPath = filePath + ".bak";
-          fs15.copyFileSync(filePath, backupPath);
-          fs15.writeFileSync(filePath, result.fixed);
+          fs14.copyFileSync(filePath, backupPath);
+          fs14.writeFileSync(filePath, result.fixed);
           console.log(import_chalk18.default.dim(`  Written to ${filePath} (backup: ${path15.basename(backupPath)})`));
           saveLastEditSession({
             original_path: filePath,
@@ -13185,19 +13359,19 @@ function registerCheckCommand(program3) {
       const profile = await loadProfileForCommand(options.profile);
       let inputText = text;
       if (text === "-") {
-        const fs26 = require("fs");
+        const fs25 = require("fs");
         if (process.stdin.isTTY) {
           console.error(import_chalk19.default.red("No input provided. Pipe content or pass text as argument."));
           process.exit(1);
         }
-        inputText = fs26.readFileSync(0, "utf-8");
+        inputText = fs25.readFileSync(0, "utf-8");
       }
       if (!inputText.trim()) {
         console.error(import_chalk19.default.red("No text provided."));
         process.exit(1);
       }
-      const fs25 = require("fs");
-      if (text !== "-" && fs25.existsSync(text)) {
+      const fs24 = require("fs");
+      if (text !== "-" && fs24.existsSync(text)) {
         console.log(import_chalk19.default.yellow(`"${text}" looks like a file. Did you mean: hyv scan ${text}`));
         process.exit(1);
       }
@@ -13324,11 +13498,11 @@ function registerDiffCommand(program3) {
   ${result.changes.length} auto-fix${result.changes.length === 1 ? "" : "es"} available`));
       console.log(import_chalk21.default.dim(`  run: hyv fix ${file} -i  to apply`));
       if (options.apply && filePath !== "stdin") {
-        const fs25 = require("fs");
+        const fs24 = require("fs");
         const path23 = require("path");
         const backupPath = filePath + ".bak";
-        fs25.copyFileSync(filePath, backupPath);
-        fs25.writeFileSync(filePath, result.fixed);
+        fs24.copyFileSync(filePath, backupPath);
+        fs24.writeFileSync(filePath, result.fixed);
         console.log(import_chalk21.default.green(`  \u2713 Applied. Backup: ${path23.basename(backupPath)}`));
       }
     } catch (error) {
@@ -13504,12 +13678,12 @@ function registerRulesCommand(program3) {
 
 // src/commands/batch.ts
 var import_chalk23 = __toESM(require_source());
-var fs16 = __toESM(require("fs"));
+var fs15 = __toESM(require("fs"));
 var path16 = __toESM(require("path"));
 init_pipeline();
 init_local_profile();
 function registerBatchCommand(program3) {
-  program3.command("batch").description("Scan or fix multiple files matching a glob").argument("<pattern>", 'Glob pattern (e.g., "posts/**/*.md")').option("--fix", "Apply auto-fixes (default: scan only)").option("-i, --in-place", "Write fixes back to files").option("--threshold <n>", "Fail if any file score < threshold").option("--fail-on-hit", "Exit non-zero if any file has issues").option("--sort <field>", "Sort by: issues, score, name", "issues").option("--format <type>", "Output format (text, json, csv)", "text").option("--profile <name>", "Voice profile").option("--ignore <patterns>", "Comma-separated glob ignores").action(async (pattern, options) => {
+  program3.command("batch").description("Scan or fix multiple files matching a glob").argument("<pattern>", 'Glob pattern (e.g., "posts/**/*.md")').option("--fix", "Apply auto-fixes (default: scan only)").option("-i, --in-place", "Write fixes back to files").option("-y, --yes", "Confirm destructive in-place fixes without prompting").option("--threshold <n>", "Fail if any file score < threshold").option("--fail-on-hit", "Exit non-zero if any file has issues").option("--sort <field>", "Sort by: issues, score, name", "issues").option("--format <type>", "Output format (text, json, csv)", "text").option("--profile <name>", "Voice profile").option("--ignore <patterns>", "Comma-separated glob ignores").action(async (pattern, options) => {
     try {
       const profile = await loadProfileForCommand(options.profile);
       const glob = require_index_min();
@@ -13522,6 +13696,11 @@ function registerBatchCommand(program3) {
 No files matching: ${pattern}`));
         return;
       }
+      if (options.fix && options.inPlace && !options.yes) {
+        console.error(import_chalk23.default.red("\nRefusing to write fixes in-place without confirmation."));
+        console.error(import_chalk23.default.dim("  Re-run with --yes to create .bak backups and apply fixes.\n"));
+        process.exit(1);
+      }
       if (options.format === "text") {
         console.log(import_chalk23.default.dim(`
   scanning ${files.length} file${files.length === 1 ? "" : "s"}...
@@ -13530,9 +13709,9 @@ No files matching: ${pattern}`));
       const results = [];
       for (const file of files) {
         const absPath = path16.resolve(file);
-        if (!fs16.existsSync(absPath))
+        if (!fs15.existsSync(absPath))
           continue;
-        const text = fs16.readFileSync(absPath, "utf-8");
+        const text = fs15.readFileSync(absPath, "utf-8");
         const result = runPipeline(text, profile, options.fix || false);
         results.push({
           file,
@@ -13544,8 +13723,8 @@ No files matching: ${pattern}`));
         });
         if (options.fix && options.inPlace && result.changes.length > 0) {
           const backupPath = absPath + ".bak";
-          fs16.copyFileSync(absPath, backupPath);
-          fs16.writeFileSync(absPath, result.fixed);
+          fs15.copyFileSync(absPath, backupPath);
+          fs15.writeFileSync(absPath, result.fixed);
         }
       }
       if (options.sort === "score") {
@@ -13585,10 +13764,11 @@ No files matching: ${pattern}`));
         }
       }
       const threshold = options.threshold ? parseInt(options.threshold, 10) : 0;
-      const hasFailures = results.some(
-        (r) => options.failOnHit && r.issues > 0 || threshold > 0 && r.score < threshold
-      );
-      if (hasFailures)
+      const failOnHit = results.some((r) => options.failOnHit && r.issues > 0);
+      const belowThreshold = results.some((r) => threshold > 0 && r.score < threshold);
+      if (failOnHit)
+        process.exit(2);
+      if (belowThreshold)
         process.exit(1);
     } catch (error) {
       console.error(import_chalk23.default.red(`Error: ${error.message}`));
@@ -13599,19 +13779,24 @@ No files matching: ${pattern}`));
 
 // src/commands/watch.ts
 var import_chalk24 = __toESM(require_source());
-var fs17 = __toESM(require("fs"));
+var fs16 = __toESM(require("fs"));
 var path17 = __toESM(require("path"));
 init_pipeline();
 init_local_profile();
 function registerWatchCommand(program3) {
-  program3.command("watch").description("Watch a file and re-scan on every save").argument("<file>", "File to watch").option("--command <cmd>", "What to run on change: scan, score, fix", "scan").option("--debounce <ms>", "Delay after save before scanning", "300").option("--notify", "OS notification when issues found").option("--profile <name>", "Voice profile").action(async (file, options) => {
+  program3.command("watch").description("Watch a file and re-scan on every save").argument("<file>", "File to watch").option("--command <cmd>", "What to run on change: scan, score, fix", "scan").option("--debounce <ms>", "Delay after save before scanning", "300").option("--notify", "OS notification when issues found").option("-y, --yes", "Confirm destructive auto-fix writes without prompting").option("--profile <name>", "Voice profile").action(async (file, options) => {
     try {
       const profile = await loadProfileForCommand(options.profile);
       const absPath = path17.resolve(file);
-      if (!fs17.existsSync(absPath)) {
+      if (!fs16.existsSync(absPath)) {
         console.error(import_chalk24.default.red(`File not found: ${absPath}`));
         process.exit(1);
       }
+      if (options.command === "fix" && !options.yes) {
+        console.error(import_chalk24.default.red("\nRefusing to auto-fix on save without confirmation."));
+        console.error(import_chalk24.default.dim("  Re-run with --yes to create .bak backups before each fix.\n"));
+        process.exit(1);
+      }
       console.log(import_chalk24.default.dim(`
 watching ${absPath}`));
       console.log(import_chalk24.default.dim(`command: ${options.command}  debounce: ${options.debounce}ms`));
@@ -13621,7 +13806,7 @@ watching ${absPath}`));
       let scanCount = 0;
       let lastScore = 0;
       const runScan = () => {
-        const text = fs17.readFileSync(absPath, "utf-8");
+        const text = fs16.readFileSync(absPath, "utf-8");
         const result = runPipeline(text, profile, options.command === "fix");
         scanCount++;
         const now = (/* @__PURE__ */ new Date()).toLocaleTimeString("en-US", { hour12: false });
@@ -13640,7 +13825,9 @@ watching ${absPath}`));
             for (const change of result.changes) {
               console.log(import_chalk24.default.dim(`  Line ${change.line}: `) + import_chalk24.default.red(change.before) + import_chalk24.default.dim(" \u2192 ") + import_chalk24.default.green(change.after));
             }
-            fs17.writeFileSync(absPath, result.fixed);
+            const backupPath = absPath + ".bak";
+            fs16.copyFileSync(absPath, backupPath);
+            fs16.writeFileSync(absPath, result.fixed);
             console.log(import_chalk24.default.green(`  \u2713 ${result.changes.length} auto-fixes applied`));
           } else {
             console.log(import_chalk24.default.green("  \u2713 no auto-fixable issues"));
@@ -13662,7 +13849,7 @@ watching ${absPath}`));
         console.log("");
       };
       runScan();
-      fs17.watch(absPath, (eventType) => {
+      fs16.watch(absPath, (eventType) => {
         if (eventType !== "change")
           return;
         if (debounceTimer)
@@ -13685,7 +13872,7 @@ watching ${absPath}`));
 
 // src/commands/demo.ts
 var import_chalk25 = __toESM(require_source());
-var fs18 = __toESM(require("fs"));
+var fs17 = __toESM(require("fs"));
 var SAMPLES = {
   linkedin: {
     text: `In today's fast-paced digital landscape, it's important to note that leveraging the right tools is not just nice to have, but essential for success. Let's delve into the holistic approach that will transform your workflow.
@@ -13780,7 +13967,7 @@ function registerDemoCommand(program3) {
       }
       if (options.output) {
         const outputPath = require("path").resolve(options.output);
-        fs18.writeFileSync(outputPath, sample.text);
+        fs17.writeFileSync(outputPath, sample.text);
         console.log(import_chalk25.default.green(`
 \u2713 Sample written to ${outputPath}`));
         if (sample.patterns.length > 0) {
@@ -13846,35 +14033,35 @@ function registerOpenCommand(program3) {
 init_welcome();
 
 // src/lib/onboarding.ts
-var fs19 = __toESM(require("fs"));
+var fs18 = __toESM(require("fs"));
 var path18 = __toESM(require("path"));
 var os6 = __toESM(require("os"));
 var hyvDir = path18.join(os6.homedir(), ".hyv");
 var onboardingFile = path18.join(hyvDir, "onboarding-complete.json");
 function hasCompletedOnboarding() {
   try {
-    return fs19.existsSync(onboardingFile);
+    return fs18.existsSync(onboardingFile);
   } catch {
     return false;
   }
 }
 function markOnboardingComplete(version) {
-  if (!fs19.existsSync(hyvDir))
-    fs19.mkdirSync(hyvDir, { recursive: true });
-  fs19.writeFileSync(
+  if (!fs18.existsSync(hyvDir))
+    fs18.mkdirSync(hyvDir, { recursive: true });
+  fs18.writeFileSync(
     onboardingFile,
     JSON.stringify({ version, completed_at: (/* @__PURE__ */ new Date()).toISOString() }, null, 2)
   );
 }
 
 // src/commands/welcome.ts
-var fs20 = __toESM(require("fs"));
+var fs19 = __toESM(require("fs"));
 var path19 = __toESM(require("path"));
 function registerWelcomeCommand(program3) {
   const pkgVersion3 = (() => {
     try {
-      const pkgPath3 = path19.resolve(__dirname, "..", "..", "package.json");
-      return JSON.parse(fs20.readFileSync(pkgPath3, "utf-8")).version;
+      const pkgPath3 = path19.resolve(__dirname, "..", "package.json");
+      return JSON.parse(fs19.readFileSync(pkgPath3, "utf-8")).version;
     } catch {
       return "0.0.0";
     }
@@ -13991,6 +14178,7 @@ ${t.title}
 // src/commands/upgrade.ts
 var import_chalk28 = __toESM(require_source());
 var import_child_process2 = require("child_process");
+init_version();
 function registerUpgradeCommand(program3) {
   program3.command("upgrade").description("Upgrade to the latest @holdyourvoice/hyv").option("--check", "Only check if an update is available").action(async (opts) => {
     const current = getCliVersion();
@@ -14031,7 +14219,7 @@ Current: ${getEngineLabel()}
 }
 
 // src/mcp.ts
-var fs21 = __toESM(require("fs"));
+var fs20 = __toESM(require("fs"));
 var path20 = __toESM(require("path"));
 var os7 = __toESM(require("os"));
 init_classifier();
@@ -14046,16 +14234,42 @@ init_telemetry();
 init_access();
 var VOICE_MD = path20.join(os7.homedir(), ".hyv", "voice.md");
 var MAX_RESPONSE_CHARS = 12e4;
+var MAX_SCAN_FILE_BYTES = 2 * 1024 * 1024;
+function readScanFile(filePath) {
+  const cwdReal = fs20.realpathSync(process.cwd());
+  const resolved = fs20.realpathSync(path20.resolve(filePath));
+  if (!resolved.startsWith(cwdReal + path20.sep) && resolved !== cwdReal) {
+    throw new Error(`file must be in the current working directory (${cwdReal})`);
+  }
+  const stat = fs20.statSync(resolved);
+  if (stat.size > MAX_SCAN_FILE_BYTES) {
+    throw new Error(`file too large (max ${MAX_SCAN_FILE_BYTES} bytes)`);
+  }
+  return fs20.readFileSync(resolved, "utf-8");
+}
+function toolResultPayload(result) {
+  const isError = result.startsWith("Error:") || result.startsWith("Unknown tool:");
+  return {
+    content: [{ type: "text", text: truncateResponse(result) }],
+    ...isError ? { isError: true } : {}
+  };
+}
 var pkgPath = path20.resolve(__dirname, "..", "package.json");
 var pkgVersion = (() => {
   try {
-    return JSON.parse(fs21.readFileSync(pkgPath, "utf-8")).version;
+    return JSON.parse(fs20.readFileSync(pkgPath, "utf-8")).version;
   } catch {
     return "2.7.1";
   }
 })();
-async function resolveProfile(slug) {
-  return loadProfileForCommand(slug, { allowServerFetch: true });
+async function resolveProfile(slug, allowServerFetch = false) {
+  const profile = await loadProfileForCommand(slug, { allowServerFetch });
+  if (slug && !profile) {
+    const { requirePaidFeature: requirePaidFeature2 } = await Promise.resolve().then(() => (init_access(), access_exports));
+    await requirePaidFeature2("premiumPrompts");
+    return loadProfileForCommand(slug, { allowServerFetch: true });
+  }
+  return profile;
 }
 function jsonRpcOk(id, result) {
   return JSON.stringify({ jsonrpc: "2.0", id, result });
@@ -14116,14 +14330,11 @@ async function toolScan(args2) {
     let scanText2 = text;
     const profile = await resolveProfile(args2.profile);
     if (filePath) {
-      const resolved = path20.resolve(filePath);
-      const cwd = process.cwd();
-      if (!resolved.startsWith(cwd + path20.sep) && resolved !== cwd) {
-        return `Error: file must be in the current working directory (${cwd})`;
+      try {
+        scanText2 = readScanFile(filePath);
+      } catch (err) {
+        return `Error: ${err.message}`;
       }
-      if (!fs21.existsSync(resolved))
-        return `Error: file not found: ${filePath}`;
-      scanText2 = fs21.readFileSync(resolved, "utf-8");
     }
     const result = runPipeline(scanText2, profile, false);
     if (result.stats.totalSignals === 0) {
@@ -14135,13 +14346,19 @@ async function toolScan(args2) {
     const lines = [
       `Score: ${result.score}/100. Found ${result.stats.totalSignals} issues (${result.stats.red} red, ${result.stats.yellow} yellow):`
     ];
+    const shown = /* @__PURE__ */ new Set();
     if (profile && profileIssues.length > 0) {
       lines.push(`Profile-specific (${profileIssues.length}):`);
       for (const s of profileIssues.slice(0, 5)) {
+        const key = `${s.line}:${s.id}`;
+        shown.add(key);
         lines.push(`  line ${s.line}: [${s.severity}] ${s.id} \u2014 ${s.suggestion}`);
       }
     }
     for (const s of result.signalMap.signals.slice(0, 15)) {
+      const key = `${s.line}:${s.id}`;
+      if (shown.has(key))
+        continue;
       lines.push(`line ${s.line}: [${s.severity}] ${s.id} \u2014 ${s.suggestion}`);
     }
     return lines.join("\n");
@@ -14284,7 +14501,7 @@ async function toolAnalyze(args2) {
     return "Error: no text provided";
   try {
     const profile = await resolveProfile(args2.profile);
-    const preferServer = args2.prefer_server !== false;
+    const preferServer = args2.prefer_server === true;
     const result = await runHybridAnalysis(text, profile, {
       preferServer,
       profileSlug: args2.profile || profile?.slug
@@ -14407,7 +14624,7 @@ var TOOLS = [
       properties: {
         text: { type: "string", description: "Text to analyze" },
         profile: { type: "string", description: "Voice profile slug" },
-        prefer_server: { type: "boolean", description: "Use server hybrid engine when paid (default true)" }
+        prefer_server: { type: "boolean", description: "Use server hybrid engine when paid (default false)" }
       },
       required: ["text"]
     }
@@ -14599,9 +14816,12 @@ async function handleRequest(line) {
         mcpLog("error", `tool ${toolName}: ${err.message}`);
         recordEvent("mcp_tool_error", { tool: toolName, error: err.message });
       }
-      send(jsonRpcOk(id, { content: [{ type: "text", text: truncateResponse(result) }] }));
+      send(jsonRpcOk(id, toolResultPayload(result)));
       break;
     }
+    case "ping":
+      send(jsonRpcOk(id, {}));
+      break;
     default:
       if (id !== void 0) {
         send(jsonRpcError(id, -32601, `Method not found: ${method}`));
@@ -14611,7 +14831,7 @@ async function handleRequest(line) {
 }
 async function startMcpServer() {
   const access = await getAccessState().catch(() => null);
-  if (fs21.existsSync(VOICE_MD)) {
+  if (fs20.existsSync(VOICE_MD)) {
     mcpLog("info", `voice profile: ${VOICE_MD}`);
   } else {
     mcpLog("info", "free local engine ready \u2014 no voice profile yet");
@@ -14621,16 +14841,17 @@ async function startMcpServer() {
   }
   let buffer = "";
   process.stdin.setEncoding("utf-8");
+  let requestChain = Promise.resolve();
+  const enqueueRequest = (line) => {
+    requestChain = requestChain.then(() => handleRequest(line)).catch((err) => mcpLog("error", err.message));
+  };
   process.stdin.on("data", (chunk) => {
     buffer += chunk;
     const lines = buffer.split("\n");
     buffer = lines.pop() || "";
     for (const line of lines) {
-      if (line.trim()) {
-        handleRequest(line.trim()).catch((err) => {
-          mcpLog("error", err.message);
-        });
-      }
+      if (line.trim())
+        enqueueRequest(line.trim());
     }
   });
   process.stdin.on("end", () => process.exit(0));
@@ -14643,32 +14864,135 @@ async function startMcpServer() {
 
 // src/lib/mcp-setup.ts
 var import_chalk29 = __toESM(require_source());
-var fs22 = __toESM(require("fs"));
+var fs21 = __toESM(require("fs"));
 var path21 = __toESM(require("path"));
 var os8 = __toESM(require("os"));
+var import_child_process3 = require("child_process");
+init_version();
 var HOME2 = os8.homedir();
 var IS_WIN2 = process.platform === "win32";
+function claudeDesktopConfigPath() {
+  if (IS_WIN2)
+    return path21.join(HOME2, "AppData", "Roaming", "Claude", "claude_desktop_config.json");
+  if (process.platform === "linux")
+    return path21.join(HOME2, ".config", "Claude", "claude_desktop_config.json");
+  return path21.join(HOME2, "Library", "Application Support", "Claude", "claude_desktop_config.json");
+}
+function mcpSnippet() {
+  const entry = [
+    path21.resolve(process.argv[1] || ""),
+    path21.resolve(__dirname, "index.js"),
+    path21.resolve(__dirname, "..", "dist", "index.js")
+  ].find((p) => p && fs21.existsSync(p));
+  if (entry) {
+    return JSON.stringify({ command: process.execPath, args: [entry, "mcp"] }, null, 2);
+  }
+  return JSON.stringify({ command: "hyv", args: ["mcp"] }, null, 2);
+}
 function printMcpSetup() {
-  const claudeConfig = IS_WIN2 ? path21.join(HOME2, "AppData", "Roaming", "Claude", "claude_desktop_config.json") : path21.join(HOME2, "Library", "Application Support", "Claude", "claude_desktop_config.json");
   console.log(import_chalk29.default.bold("\nhold your voice \u2014 mcp setup\n"));
   console.log(import_chalk29.default.dim(`  ${getEngineLabel()}
 `));
   console.log(import_chalk29.default.bold("Claude Desktop"));
-  console.log(import_chalk29.default.dim("  Add to claude_desktop_config.json \u2192 mcpServers:"));
-  console.log(import_chalk29.default.cyan('  "hyv": { "command": "hyv", "args": ["mcp"] }'));
-  console.log(import_chalk29.default.dim(`  Config file: ${claudeConfig}
+  console.log(import_chalk29.default.dim("  Add to claude_desktop_config.json \u2192 mcpServers.hyv:"));
+  console.log(import_chalk29.default.cyan(`  ${mcpSnippet().split("\n").join("\n  ")}`));
+  console.log(import_chalk29.default.dim(`  Config: ${claudeDesktopConfigPath()}
 `));
   console.log(import_chalk29.default.bold("Cursor"));
-  console.log(import_chalk29.default.dim("  Rule file: ~/.cursor/rules/hyv.md"));
-  console.log(import_chalk29.default.dim("  Run: hyv doctor --fix-agents to copy latest instructions\n"));
+  console.log(import_chalk29.default.dim("  MCP: ~/.cursor/mcp.json \u2192 mcpServers.hyv (same JSON as above)"));
+  console.log(import_chalk29.default.dim("  Rule: ~/.cursor/rules/hyv.mdc (alwaysApply \u2014 auto via postinstall)\n"));
   console.log(import_chalk29.default.bold("Claude Code"));
-  console.log(import_chalk29.default.dim("  Command: ~/.claude/commands/hyv.md\n"));
-  console.log(import_chalk29.default.bold("Windsurf / Codex / ChatGPT"));
-  console.log(import_chalk29.default.dim("  hyv doctor --fix-agents copies agent files from the package\n"));
+  console.log(import_chalk29.default.dim("  Command: ~/.claude/commands/hyv.md"));
+  console.log(import_chalk29.default.dim("  Skill: ~/.claude/skills/hold-your-voice/SKILL.md\n"));
+  console.log(import_chalk29.default.bold("Windsurf"));
+  console.log(import_chalk29.default.dim("  Rule: ~/.windsurf/rules/hyv.md (trigger: always_on)\n"));
+  console.log(import_chalk29.default.bold("Codex"));
+  console.log(import_chalk29.default.dim("  Instructions: ~/.codex/AGENTS.md (merged on install)\n"));
+  console.log(import_chalk29.default.bold("Command Code"));
+  console.log(import_chalk29.default.dim("  Skill: ~/.commandcode/skills/hyv/SKILL.md\n"));
+  console.log(import_chalk29.default.bold("ChatGPT"));
+  console.log(import_chalk29.default.dim("  hyv mcp --setup-chatgpt\n"));
+  console.log(import_chalk29.default.bold("Auto-configure"));
+  console.log(import_chalk29.default.dim("  hyv doctor --fix-agents"));
+  console.log(import_chalk29.default.dim("  HYV_AUTO_CONFIGURE_AGENTS=0 npm i -g @holdyourvoice/hyv  (skip)\n"));
   console.log(import_chalk29.default.bold("Verify"));
   console.log(import_chalk29.default.dim("  hyv mcp --test"));
   console.log(import_chalk29.default.dim("  HYV_TELEMETRY=1 hyv mcp  (optional usage logging to ~/.hyv/telemetry/)\n"));
 }
+async function testMcpStdioSubprocess() {
+  const candidates = [
+    path21.resolve(process.argv[1] || ""),
+    path21.resolve(__dirname, "index.js"),
+    path21.resolve(__dirname, "..", "dist", "index.js")
+  ];
+  const entry = candidates.find((p) => p && fs21.existsSync(p));
+  if (!entry)
+    return { ok: false };
+  return new Promise((resolve14) => {
+    const child = (0, import_child_process3.spawn)(process.execPath, [entry, "mcp"], {
+      stdio: ["pipe", "pipe", "pipe"],
+      env: { ...process.env, HYV_POSTINSTALL_QUIET: "1" }
+    });
+    let buffer = "";
+    let settled = false;
+    const finish = (ok, toolCount) => {
+      if (settled)
+        return;
+      settled = true;
+      clearTimeout(timeout);
+      try {
+        child.kill();
+      } catch {
+      }
+      resolve14({ ok, toolCount });
+    };
+    const timeout = setTimeout(() => finish(false), 1e4);
+    const handleLine = (line) => {
+      const trimmed = line.trim();
+      if (!trimmed.startsWith("{"))
+        return;
+      try {
+        const msg = JSON.parse(trimmed);
+        if (msg.id === 2 && Array.isArray(msg.result?.tools) && msg.result.tools.length > 0) {
+          finish(true, msg.result.tools.length);
+        }
+      } catch {
+      }
+    };
+    child.stdout.on("data", (chunk) => {
+      buffer += chunk.toString();
+      const lines = buffer.split("\n");
+      buffer = lines.pop() || "";
+      for (const line of lines)
+        handleLine(line);
+    });
+    child.on("error", () => finish(false));
+    child.on("exit", () => {
+      if (!settled) {
+        handleLine(buffer);
+        finish(buffer.includes("hyv_scan"));
+      }
+    });
+    setTimeout(() => {
+      const send2 = (payload) => {
+        child.stdin.write(`${JSON.stringify(payload)}
+`);
+      };
+      send2({
+        jsonrpc: "2.0",
+        id: 1,
+        method: "initialize",
+        params: {
+          protocolVersion: "2024-11-05",
+          capabilities: {},
+          clientInfo: { name: "hyv-self-test", version: "1.0" }
+        }
+      });
+      send2({ jsonrpc: "2.0", method: "notifications/initialized" });
+      send2({ jsonrpc: "2.0", id: 2, method: "tools/list", params: {} });
+    }, 500);
+  });
+}
 async function runMcpSelfTest() {
   console.log(import_chalk29.default.bold("\nhold your voice \u2014 mcp self-test\n"));
   console.log(import_chalk29.default.dim(`  ${getEngineLabel()}
@@ -14683,7 +15007,7 @@ async function runMcpSelfTest() {
     console.log(import_chalk29.default.red(`  \u2717 expected 10+ tools, got ${tools.length}`));
     failed++;
   }
-  const required = ["hyv_welcome", "hyv_scan", "hyv_analyze", "hyv_clean", "hyv_validate"];
+  const required = ["hyv_welcome", "hyv_scan", "hyv_analyze", "hyv_clean", "hyv_validate", "hyv_list_free_tools"];
   for (const name of required) {
     if (tools.includes(name)) {
       console.log(import_chalk29.default.green(`  \u2713 tool: ${name}`));
@@ -14720,7 +15044,7 @@ async function runMcpSelfTest() {
     failed++;
   }
   const voiceMd = path21.join(HOME2, ".hyv", "voice.md");
-  if (fs22.existsSync(voiceMd)) {
+  if (fs21.existsSync(voiceMd)) {
     console.log(import_chalk29.default.green("  \u2713 voice profile found"));
     passed++;
   } else {
@@ -14733,6 +15057,22 @@ async function runMcpSelfTest() {
     console.log(import_chalk29.default.red("  \u2717 demo content missing"));
     failed++;
   }
+  try {
+    const stdio = await testMcpStdioSubprocess();
+    if (stdio.ok && (stdio.toolCount || 0) >= 10) {
+      console.log(import_chalk29.default.green(`  \u2713 stdio MCP subprocess responds (${stdio.toolCount} tools)`));
+      passed++;
+    } else if (stdio.ok) {
+      console.log(import_chalk29.default.yellow(`  ! stdio MCP subprocess ok but only ${stdio.toolCount || 0} tools`));
+      failed++;
+    } else {
+      console.log(import_chalk29.default.red("  \u2717 stdio MCP subprocess failed"));
+      failed++;
+    }
+  } catch (e) {
+    console.log(import_chalk29.default.red(`  \u2717 stdio MCP subprocess failed: ${e.message}`));
+    failed++;
+  }
   console.log("");
   if (failed === 0) {
     console.log(import_chalk29.default.green(`\u2713 all checks passed (${passed})`));
@@ -14744,7 +15084,7 @@ async function runMcpSelfTest() {
 }
 
 // src/commands/export.ts
-var fs23 = __toESM(require("fs"));
+var fs22 = __toESM(require("fs"));
 init_api();
 var FORMATS = {
   claude: {
@@ -14831,7 +15171,7 @@ async function exportCommand(format, opts) {
       const prompt = fmt.wrap(detail.profile, detail.body);
       if (opts.output) {
         const outFile = opts.output.replace("{name}", profile.slug || profile.name);
-        fs23.writeFileSync(outFile, prompt);
+        fs22.writeFileSync(outFile, prompt);
         results.push({ profile: profile.name, file: outFile });
       } else {
         results.push({ profile: profile.name, prompt });
@@ -14868,13 +15208,13 @@ async function exportCommand(format, opts) {
 // src/index.ts
 init_access();
 init_welcome();
-var fs24 = __toESM(require("fs"));
+var fs23 = __toESM(require("fs"));
 var path22 = __toESM(require("path"));
 var program2 = new Command();
 var pkgPath2 = path22.resolve(__dirname, "..", "package.json");
 var pkgVersion2 = (() => {
   try {
-    return JSON.parse(fs24.readFileSync(pkgPath2, "utf-8")).version;
+    return JSON.parse(fs23.readFileSync(pkgPath2, "utf-8")).version;
   } catch {
     return "2.7.1";
   }