@ijfw/install 1.1.0

package/dist/ijfw.js

@@ -0,0 +1,1316 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name12 in all)
+    __defProp(target, name12, { get: all[name12], enumerable: true });
+};
+
+// src/preflight/runner.js
+function statusColor(status) {
+  if (status === "PASS") return c.green;
+  if (status === "FAIL") return c.red;
+  if (status === "WARN") return c.yellow;
+  if (status === "SKIP") return c.cyan;
+  return "";
+}
+function pad(s, n) {
+  return s.padEnd(n, " ");
+}
+function printGateResult(result, index, total) {
+  const col = statusColor(result.status);
+  const badge = `${col}[${result.status}]${c.reset}`;
+  const ms = `${c.dim}${result.durationMs}ms${c.reset}`;
+  const num = `${c.dim}${String(index).padStart(2, " ")}/${total}${c.reset}`;
+  console.log(`  ${num} ${badge} ${pad(result.name, 20)} ${result.message}  ${ms}`);
+  if (result.details.length > 0) {
+    for (const line of result.details) {
+      console.log(`       ${c.dim}${line}${c.reset}`);
+    }
+  }
+}
+async function runPreflight(gates, ctx) {
+  const t0 = Date.now();
+  const results = [];
+  if (!ctx.json) {
+    console.log(`
+${c.bold}IJFW Preflight${c.reset}  -- ${gates.length} gates
+`);
+  }
+  const parallelGates = gates.filter((g) => g.parallel !== false);
+  const serialGates = gates.filter((g) => g.parallel === false);
+  if (parallelGates.length > 0) {
+    if (!ctx.json) console.log(`${c.dim}  Running ${parallelGates.length} gate(s) in parallel...${c.reset}`);
+    const parallelResults = await Promise.all(parallelGates.map((g) => g.run(ctx)));
+    for (let i = 0; i < parallelResults.length; i++) {
+      results.push(parallelResults[i]);
+      if (!ctx.json) printGateResult(parallelResults[i], results.length, gates.length);
+    }
+  }
+  for (const gate of serialGates) {
+    const result = await gate.run(ctx);
+    results.push(result);
+    if (!ctx.json) printGateResult(result, results.length, gates.length);
+    if (ctx.failFast && result.status === "FAIL" && gate.severity === "blocking") {
+      if (!ctx.json) {
+        console.log(`
+  ${c.yellow}Paused at gate: ${gate.name} -- resolve this one first, then rerun.${c.reset}
+`);
+      }
+      break;
+    }
+  }
+  const totalMs = Date.now() - t0;
+  const blockingFailures = results.filter((r) => {
+    const gate = gates.find((g) => g.name === r.name);
+    return r.status === "FAIL" && gate && gate.severity === "blocking";
+  });
+  const outcome = blockingFailures.length > 0 ? "fail" : "pass";
+  const report = {
+    version: "1.1.0",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    gates: results,
+    outcome,
+    totalMs
+  };
+  if (ctx.json) {
+    console.log(JSON.stringify(report, null, 2));
+    return report;
+  }
+  const passCount = results.filter((r) => r.status === "PASS").length;
+  const warnCount = results.filter((r) => r.status === "WARN").length;
+  const skipCount = results.filter((r) => r.status === "SKIP").length;
+  const failCount = results.filter((r) => r.status === "FAIL").length;
+  const warmSLO = 9e4;
+  const coldSLO = 24e4;
+  const timeNote = totalMs <= warmSLO ? `${c.green}within warm-cache SLO (<=90s)${c.reset}` : totalMs <= coldSLO ? `${c.yellow}within cold-cache limit (<=240s)${c.reset}` : `${c.red}exceeded cold-cache limit (${Math.round(totalMs / 1e3)}s > 240s)${c.reset}`;
+  console.log("");
+  console.log(`  ${c.bold}Summary${c.reset}`);
+  console.log(`  ${c.green}PASS ${passCount}${c.reset}  ${c.yellow}WARN ${warnCount}${c.reset}  ${c.cyan}SKIP ${skipCount}${c.reset}  ${c.red}FAIL ${failCount}${c.reset}`);
+  console.log(`  Time: ${Math.round(totalMs / 1e3)}s  ${timeNote}`);
+  console.log("");
+  if (outcome === "pass") {
+    console.log(`  ${c.bold}${c.green}All blocking gates passed.${c.reset}`);
+    if (warnCount > 0) {
+      console.log(`  ${c.yellow}${warnCount} advisory note(s) worth reviewing.${c.reset}`);
+    }
+  } else {
+    console.log(`  ${c.bold}${c.red}${blockingFailures.length} item(s) need attention before shipping.${c.reset}`);
+    for (const r of blockingFailures) {
+      console.log(`  ${c.red}  HIGH  ${r.name}: ${r.message}${c.reset}`);
+    }
+    console.log(`  ${c.yellow}Fix the findings above, then re-run \`ijfw preflight\`.${c.reset}`);
+  }
+  console.log("");
+  return report;
+}
+var isTTY, c;
+var init_runner = __esm({
+  "src/preflight/runner.js"() {
+    isTTY = process.stdout.isTTY;
+    c = {
+      green: isTTY ? "\x1B[32m" : "",
+      yellow: isTTY ? "\x1B[33m" : "",
+      red: isTTY ? "\x1B[31m" : "",
+      cyan: isTTY ? "\x1B[36m" : "",
+      bold: isTTY ? "\x1B[1m" : "",
+      reset: isTTY ? "\x1B[0m" : "",
+      dim: isTTY ? "\x1B[2m" : ""
+    };
+  }
+});
+
+// src/preflight/gates/shellcheck.js
+var shellcheck_exports = {};
+__export(shellcheck_exports, {
+  name: () => name,
+  parallel: () => parallel,
+  run: () => run,
+  severity: () => severity
+});
+import { spawnSync } from "node:child_process";
+import { readdirSync, statSync } from "node:fs";
+import { join } from "node:path";
+function findShFiles(dir, acc = []) {
+  let entries;
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return acc;
+  }
+  for (const e of entries) {
+    if (e === "node_modules" || e === ".git") continue;
+    const full = join(dir, e);
+    let st;
+    try {
+      st = statSync(full);
+    } catch {
+      continue;
+    }
+    if (st.isDirectory()) findShFiles(full, acc);
+    else if (e.endsWith(".sh")) acc.push(full);
+  }
+  return acc;
+}
+async function run(ctx) {
+  const t0 = Date.now();
+  const which = spawnSync("shellcheck", ["--version"], { encoding: "utf8" });
+  if (which.status === null || which.error) {
+    return {
+      name: "shellcheck",
+      status: "SKIP",
+      message: "shellcheck not installed -- brew install shellcheck / apt install shellcheck",
+      details: ["Gate skipped: install shellcheck to enable shell linting."],
+      durationMs: Date.now() - t0
+    };
+  }
+  const files = findShFiles(ctx.repoRoot);
+  if (files.length === 0) {
+    return {
+      name: "shellcheck",
+      status: "PASS",
+      message: "No shell scripts found",
+      details: [],
+      durationMs: Date.now() - t0
+    };
+  }
+  const res = spawnSync("shellcheck", ["--enable=all", "--disable=SC2312", ...files], {
+    encoding: "utf8",
+    cwd: ctx.repoRoot
+  });
+  const durationMs = Date.now() - t0;
+  if (res.status === 0) {
+    return {
+      name: "shellcheck",
+      status: "PASS",
+      message: `${files.length} shell script(s) clean`,
+      details: [],
+      durationMs
+    };
+  }
+  const lines = (res.stdout || "").split("\n").filter(Boolean);
+  return {
+    name: "shellcheck",
+    status: "FAIL",
+    message: `shellcheck found issues in ${files.length} script(s)`,
+    details: lines.slice(0, 20),
+    durationMs
+  };
+}
+var name, severity, parallel;
+var init_shellcheck = __esm({
+  "src/preflight/gates/shellcheck.js"() {
+    name = "shellcheck";
+    severity = "blocking";
+    parallel = true;
+  }
+});
+
+// src/preflight/gates/oxlint.js
+var oxlint_exports = {};
+__export(oxlint_exports, {
+  name: () => name2,
+  parallel: () => parallel2,
+  run: () => run2,
+  severity: () => severity2
+});
+import { spawnSync as spawnSync2 } from "node:child_process";
+async function run2(ctx) {
+  const t0 = Date.now();
+  const ver = ctx.versions["oxlint"] || "latest";
+  const res = spawnSync2(
+    "npx",
+    ["--yes", `oxlint@${ver}`, "--deny-warnings", "installer/src", "mcp-server/src"],
+    { encoding: "utf8", cwd: ctx.repoRoot, timeout: 6e4 }
+  );
+  const durationMs = Date.now() - t0;
+  const output = (res.stdout || "") + (res.stderr || "");
+  const lines = output.split("\n").filter(Boolean);
+  if (res.status === 0) {
+    return {
+      name: "oxlint",
+      status: "PASS",
+      message: "oxlint: no issues",
+      details: [],
+      durationMs
+    };
+  }
+  return {
+    name: "oxlint",
+    status: "FAIL",
+    message: "oxlint found lint issues",
+    details: lines.slice(0, 30),
+    durationMs
+  };
+}
+var name2, severity2, parallel2;
+var init_oxlint = __esm({
+  "src/preflight/gates/oxlint.js"() {
+    name2 = "oxlint";
+    severity2 = "blocking";
+    parallel2 = true;
+  }
+});
+
+// src/preflight/gates/eslint-security.js
+var eslint_security_exports = {};
+__export(eslint_security_exports, {
+  name: () => name3,
+  parallel: () => parallel3,
+  run: () => run3,
+  severity: () => severity3
+});
+import { spawnSync as spawnSync3 } from "node:child_process";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { join as join2 } from "node:path";
+import { tmpdir } from "node:os";
+async function run3(ctx) {
+  const t0 = Date.now();
+  const eslintVer = ctx.versions["eslint"] || "latest";
+  const pluginVer = ctx.versions["eslint-plugin-security"] || "latest";
+  const tmpDir = mkdtempSync(join2(tmpdir(), "ijfw-eslint-security-"));
+  try {
+    writeFileSync(join2(tmpDir, "package.json"), JSON.stringify({ name: "eslint-security-runner", version: "1.0.0", type: "module" }));
+    const install = spawnSync3(
+      "npm",
+      ["install", "--no-save", "--silent", `eslint@${eslintVer}`, `eslint-plugin-security@${pluginVer}`],
+      { encoding: "utf8", cwd: tmpDir, timeout: 9e4 }
+    );
+    if (install.status !== 0) {
+      return {
+        name: "eslint-security",
+        status: "WARN",
+        message: "eslint-security: could not install plugin (npm install failed)",
+        details: ((install.stdout || "") + (install.stderr || "")).split("\n").filter(Boolean).slice(0, 5),
+        durationMs: Date.now() - t0
+      };
+    }
+    const configContent = `
+import security from '${join2(tmpDir, "node_modules", "eslint-plugin-security", "index.js").replace(/\\/g, "/")}';
+export default [
+  {
+    files: ['installer/src/**/*.js', 'mcp-server/src/**/*.js'],
+    plugins: { security },
+    rules: ${JSON.stringify(RULES)},
+  }
+];
+`;
+    const configPath = join2(ctx.repoRoot, ".eslint-security-temp.mjs");
+    writeFileSync(configPath, configContent, "utf8");
+    const eslintBin = join2(tmpDir, "node_modules", ".bin", "eslint");
+    const res = spawnSync3(
+      eslintBin,
+      ["--config", configPath, "installer/src/**/*.js", "mcp-server/src/**/*.js"],
+      { encoding: "utf8", cwd: ctx.repoRoot, timeout: 6e4 }
+    );
+    const durationMs = Date.now() - t0;
+    const output = (res.stdout || "") + (res.stderr || "");
+    const lines = output.split("\n").filter(Boolean);
+    if (res.status === 0) {
+      return {
+        name: "eslint-security",
+        status: "PASS",
+        message: "eslint-security: no security issues",
+        details: [],
+        durationMs
+      };
+    }
+    if (res.status === 1) {
+      return {
+        name: "eslint-security",
+        status: "WARN",
+        message: "eslint-security: advisory warnings (review above)",
+        details: lines.slice(0, 30),
+        durationMs
+      };
+    }
+    return {
+      name: "eslint-security",
+      status: "FAIL",
+      message: "eslint-security: security errors found (exit code 2)",
+      details: lines.slice(0, 30),
+      durationMs
+    };
+  } finally {
+    try {
+      rmSync(tmpDir, { recursive: true, force: true });
+    } catch {
+    }
+    try {
+      rmSync(join2(ctx.repoRoot, ".eslint-security-temp.mjs"), { force: true });
+    } catch {
+    }
+  }
+}
+var RULES, name3, severity3, parallel3;
+var init_eslint_security = __esm({
+  "src/preflight/gates/eslint-security.js"() {
+    RULES = {
+      "security/detect-eval-with-expression": "error",
+      "security/detect-non-literal-fs-filename": "warn",
+      "security/detect-non-literal-regexp": "warn",
+      "security/detect-non-literal-require": "warn",
+      "security/detect-object-injection": "warn",
+      "security/detect-possible-timing-attacks": "warn",
+      "security/detect-pseudoRandomBytes": "error",
+      "security/detect-unsafe-regex": "error"
+    };
+    name3 = "eslint-security";
+    severity3 = "blocking";
+    parallel3 = true;
+  }
+});
+
+// src/preflight/gates/psscriptanalyzer.js
+var psscriptanalyzer_exports = {};
+__export(psscriptanalyzer_exports, {
+  name: () => name4,
+  parallel: () => parallel4,
+  run: () => run4,
+  severity: () => severity4
+});
+import { spawnSync as spawnSync4 } from "node:child_process";
+import { readdirSync as readdirSync2, statSync as statSync2 } from "node:fs";
+import { join as join3 } from "node:path";
+import { platform } from "node:os";
+function findPs1Files(dir, acc = []) {
+  let entries;
+  try {
+    entries = readdirSync2(dir);
+  } catch {
+    return acc;
+  }
+  for (const e of entries) {
+    if (e === "node_modules" || e === ".git") continue;
+    const full = join3(dir, e);
+    let st;
+    try {
+      st = statSync2(full);
+    } catch {
+      continue;
+    }
+    if (st.isDirectory()) findPs1Files(full, acc);
+    else if (e.endsWith(".ps1")) acc.push(full);
+  }
+  return acc;
+}
+async function run4(ctx) {
+  const t0 = Date.now();
+  const files = findPs1Files(ctx.repoRoot);
+  if (files.length === 0) {
+    return {
+      name: "psscriptanalyzer",
+      status: "PASS",
+      message: "No PowerShell scripts found",
+      details: [],
+      durationMs: Date.now() - t0
+    };
+  }
+  const which = spawnSync4("pwsh", ["--version"], { encoding: "utf8" });
+  if (which.status === null || which.error) {
+    const isWin2 = platform() === "win32";
+    return {
+      name: "psscriptanalyzer",
+      status: isWin2 ? "FAIL" : "WARN",
+      message: isWin2 ? `pwsh not found -- ${files.length} .ps1 file(s) unchecked (install PowerShell)` : `pwsh not installed -- PSScriptAnalyzer skipped on non-Windows (runs in CI on windows-latest)`,
+      details: [`Files that would be checked: ${files.join(", ")}`],
+      durationMs: Date.now() - t0
+    };
+  }
+  const script = `
+$files = @(${files.map((f) => `'${f.replace(/'/g, "''")}'`).join(",")})
+$found = $false
+foreach ($f in $files) {
+  $results = Invoke-ScriptAnalyzer -Path $f -Severity Warning -ErrorAction SilentlyContinue
+  if ($results) {
+    $found = $true
+    foreach ($r in $results) {
+      Write-Output "$($r.ScriptName):$($r.Line): [$($r.Severity)] $($r.RuleName) -- $($r.Message)"
+    }
+  }
+}
+if ($found) { exit 1 } else { exit 0 }
+`;
+  const res = spawnSync4("pwsh", ["-NoProfile", "-NonInteractive", "-Command", script], {
+    encoding: "utf8",
+    cwd: ctx.repoRoot,
+    timeout: 3e4
+  });
+  const durationMs = Date.now() - t0;
+  if (res.status === 0) {
+    return {
+      name: "psscriptanalyzer",
+      status: "PASS",
+      message: `${files.length} PowerShell script(s) clean`,
+      details: [],
+      durationMs
+    };
+  }
+  const lines = ((res.stdout || "") + (res.stderr || "")).split("\n").filter(Boolean);
+  const isWin = platform() === "win32";
+  return {
+    name: "psscriptanalyzer",
+    status: isWin ? "FAIL" : "WARN",
+    message: `PSScriptAnalyzer found issues in ${files.length} script(s)`,
+    details: lines.slice(0, 20),
+    durationMs
+  };
+}
+var name4, severity4, parallel4;
+var init_psscriptanalyzer = __esm({
+  "src/preflight/gates/psscriptanalyzer.js"() {
+    name4 = "psscriptanalyzer";
+    severity4 = "blocking";
+    parallel4 = true;
+  }
+});
+
+// src/preflight/gates/publint.js
+var publint_exports = {};
+__export(publint_exports, {
+  name: () => name5,
+  parallel: () => parallel5,
+  run: () => run5,
+  severity: () => severity5
+});
+import { spawnSync as spawnSync5 } from "node:child_process";
+async function run5(ctx) {
+  const t0 = Date.now();
+  const ver = ctx.versions["publint"] || "latest";
+  const res = spawnSync5(
+    "npx",
+    ["--yes", `publint@${ver}`, "--strict"],
+    { encoding: "utf8", cwd: ctx.repoRoot + "/installer", timeout: 3e4 }
+  );
+  const durationMs = Date.now() - t0;
+  const output = (res.stdout || "") + (res.stderr || "");
+  const lines = output.split("\n").filter(Boolean);
+  if (res.status === 0) {
+    return {
+      name: "publint",
+      status: "PASS",
+      message: "publint: package.json integrity verified",
+      details: [],
+      durationMs
+    };
+  }
+  return {
+    name: "publint",
+    status: "FAIL",
+    message: "publint: package.json issues found",
+    details: lines.slice(0, 20),
+    durationMs
+  };
+}
+var name5, severity5, parallel5;
+var init_publint = __esm({
+  "src/preflight/gates/publint.js"() {
+    name5 = "publint";
+    severity5 = "blocking";
+    parallel5 = true;
+  }
+});
+
+// src/preflight/gates/gitleaks.js
+var gitleaks_exports = {};
+__export(gitleaks_exports, {
+  name: () => name6,
+  parallel: () => parallel6,
+  run: () => run6,
+  severity: () => severity6
+});
+import { spawnSync as spawnSync6 } from "node:child_process";
+async function run6(ctx) {
+  const t0 = Date.now();
+  const which = spawnSync6("gitleaks", ["version"], { encoding: "utf8" });
+  if (which.status === null || which.error) {
+    return {
+      name: "gitleaks",
+      status: "WARN",
+      message: "gitleaks not installed -- brew install gitleaks / https://github.com/gitleaks/gitleaks",
+      details: ["Secret scan skipped. Install gitleaks to enable this gate."],
+      durationMs: Date.now() - t0
+    };
+  }
+  const res = spawnSync6(
+    "gitleaks",
+    ["detect", "--no-git", "--source", ctx.repoRoot, "--gitleaks-ignore-path", ".gitleaksignore", "-v", "--exit-code", "1"],
+    { encoding: "utf8", cwd: ctx.repoRoot, timeout: 3e4 }
+  );
+  const durationMs = Date.now() - t0;
+  if (res.status === 0) {
+    return {
+      name: "gitleaks",
+      status: "PASS",
+      message: "gitleaks: no secrets detected",
+      details: [],
+      durationMs
+    };
+  }
+  const lines = ((res.stdout || "") + (res.stderr || "")).split("\n").filter(Boolean);
+  return {
+    name: "gitleaks",
+    status: "FAIL",
+    message: "gitleaks: potential secrets detected",
+    details: lines.slice(0, 30),
+    durationMs
+  };
+}
+var name6, severity6, parallel6;
+var init_gitleaks = __esm({
+  "src/preflight/gates/gitleaks.js"() {
+    name6 = "gitleaks";
+    severity6 = "blocking";
+    parallel6 = true;
+  }
+});
+
+// src/preflight/gates/audit-ci.js
+var audit_ci_exports = {};
+__export(audit_ci_exports, {
+  name: () => name7,
+  parallel: () => parallel7,
+  run: () => run7,
+  severity: () => severity7
+});
+import { spawnSync as spawnSync7 } from "node:child_process";
+import { join as join4 } from "node:path";
+async function run7(ctx) {
+  const t0 = Date.now();
+  const ver = ctx.versions["audit-ci"] || "latest";
+  const configPath = join4(ctx.repoRoot, ".audit-ci.jsonc");
+  const res = spawnSync7(
+    "npx",
+    ["--yes", `audit-ci@${ver}`, "--config", configPath],
+    {
+      encoding: "utf8",
+      cwd: join4(ctx.repoRoot, "installer"),
+      timeout: 6e4
+    }
+  );
+  const durationMs = Date.now() - t0;
+  const output = (res.stdout || "") + (res.stderr || "");
+  const lines = output.split("\n").filter(Boolean);
+  if (res.status === 0) {
+    return {
+      name: "audit-ci",
+      status: "PASS",
+      message: "audit-ci: no high/critical vulnerabilities",
+      details: [],
+      durationMs
+    };
+  }
+  return {
+    name: "audit-ci",
+    status: "FAIL",
+    message: "audit-ci: high or critical vulnerabilities found",
+    details: lines.slice(0, 20),
+    durationMs
+  };
+}
+var name7, severity7, parallel7;
+var init_audit_ci = __esm({
+  "src/preflight/gates/audit-ci.js"() {
+    name7 = "audit-ci";
+    severity7 = "blocking";
+    parallel7 = true;
+  }
+});
+
+// src/preflight/gates/knip.js
+var knip_exports = {};
+__export(knip_exports, {
+  name: () => name8,
+  parallel: () => parallel8,
+  run: () => run8,
+  severity: () => severity8
+});
+import { spawnSync as spawnSync8 } from "node:child_process";
+async function run8(ctx) {
+  const t0 = Date.now();
+  const ver = ctx.versions["knip"] || "latest";
+  const res = spawnSync8(
+    "npx",
+    ["--yes", `knip@${ver}`, "--production"],
+    { encoding: "utf8", cwd: ctx.repoRoot, timeout: 6e4 }
+  );
+  const durationMs = Date.now() - t0;
+  const output = (res.stdout || "") + (res.stderr || "");
+  const lines = output.split("\n").filter(Boolean);
+  if (res.status === 0) {
+    return {
+      name: "knip",
+      status: "PASS",
+      message: "knip: no unused exports or dead code",
+      details: [],
+      durationMs
+    };
+  }
+  return {
+    name: "knip",
+    status: "WARN",
+    message: "knip: unused code detected (advisory)",
+    details: lines.slice(0, 20),
+    durationMs
+  };
+}
+var name8, severity8, parallel8;
+var init_knip = __esm({
+  "src/preflight/gates/knip.js"() {
+    name8 = "knip";
+    severity8 = "warn";
+    parallel8 = true;
+  }
+});
+
+// src/preflight/gates/license-check.js
+var license_check_exports = {};
+__export(license_check_exports, {
+  name: () => name9,
+  parallel: () => parallel9,
+  run: () => run9,
+  severity: () => severity9
+});
+import { spawnSync as spawnSync9 } from "node:child_process";
+import { join as join5 } from "node:path";
+async function run9(ctx) {
+  const t0 = Date.now();
+  const ver = ctx.versions["license-checker"] || "latest";
+  const res = spawnSync9(
+    "npx",
+    ["--yes", `license-checker@${ver}`, "--onlyAllow", ALLOWED, "--production"],
+    {
+      encoding: "utf8",
+      cwd: join5(ctx.repoRoot, "installer"),
+      timeout: 3e4
+    }
+  );
+  const durationMs = Date.now() - t0;
+  const output = (res.stdout || "") + (res.stderr || "");
+  const lines = output.split("\n").filter(Boolean);
+  if (res.status === 0) {
+    return {
+      name: "license-check",
+      status: "PASS",
+      message: "license-check: all production deps use approved licenses",
+      details: [],
+      durationMs
+    };
+  }
+  return {
+    name: "license-check",
+    status: "WARN",
+    message: "license-check: unexpected license(s) in production deps (advisory)",
+    details: lines.slice(0, 20),
+    durationMs
+  };
+}
+var ALLOWED, name9, severity9, parallel9;
+var init_license_check = __esm({
+  "src/preflight/gates/license-check.js"() {
+    ALLOWED = "MIT;ISC;BSD-2-Clause;BSD-3-Clause;Apache-2.0;CC0-1.0;Unlicense;0BSD;Python-2.0;BlueOak-1.0.0";
+    name9 = "license-check";
+    severity9 = "warn";
+    parallel9 = true;
+  }
+});
+
+// src/preflight/gates/pack-smoke.js
+var pack_smoke_exports = {};
+__export(pack_smoke_exports, {
+  name: () => name10,
+  parallel: () => parallel10,
+  run: () => run10,
+  severity: () => severity10
+});
+import { spawnSync as spawnSync10 } from "node:child_process";
+import { mkdtempSync as mkdtempSync2, rmSync as rmSync2, mkdirSync, writeFileSync as writeFileSync2, readdirSync as readdirSync3 } from "node:fs";
+import { join as join6, resolve } from "node:path";
+import { tmpdir as tmpdir2 } from "node:os";
+async function run10(ctx) {
+  const t0 = Date.now();
+  const installerDir = join6(ctx.repoRoot, "installer");
+  const build = spawnSync10("npm", ["run", "build"], {
+    encoding: "utf8",
+    cwd: installerDir,
+    timeout: 6e4
+  });
+  if (build.status !== 0) {
+    return {
+      name: "pack-smoke",
+      status: "FAIL",
+      message: "pack-smoke: build failed before pack",
+      details: ((build.stdout || "") + (build.stderr || "")).split("\n").filter(Boolean).slice(0, 10),
+      durationMs: Date.now() - t0
+    };
+  }
+  const pack = spawnSync10("npm", ["pack", "--silent"], {
+    encoding: "utf8",
+    cwd: installerDir,
+    timeout: 3e4
+  });
+  if (pack.status !== 0) {
+    return {
+      name: "pack-smoke",
+      status: "FAIL",
+      message: "pack-smoke: npm pack failed",
+      details: ((pack.stdout || "") + (pack.stderr || "")).split("\n").filter(Boolean),
+      durationMs: Date.now() - t0
+    };
+  }
+  const tarball = pack.stdout.trim();
+  if (!tarball) {
+    return {
+      name: "pack-smoke",
+      status: "FAIL",
+      message: "pack-smoke: npm pack produced no output",
+      details: [],
+      durationMs: Date.now() - t0
+    };
+  }
+  const tarballPath = resolve(installerDir, tarball);
+  const tmpRoot = mkdtempSync2(join6(tmpdir2(), "ijfw-pack-smoke-"));
+  const fakeHome = join6(tmpRoot, "home");
+  const installDir = join6(tmpRoot, "install");
+  mkdirSync(fakeHome, { recursive: true });
+  mkdirSync(installDir, { recursive: true });
+  try {
+    writeFileSync2(join6(installDir, "package.json"), JSON.stringify({ name: "smoke-test", version: "1.0.0", type: "module" }));
+    const install = spawnSync10("npm", ["install", "--no-save", tarballPath], {
+      encoding: "utf8",
+      cwd: installDir,
+      timeout: 6e4,
+      env: { ...process.env, HOME: fakeHome, npm_config_prefix: fakeHome }
+    });
+    if (install.status !== 0) {
+      return {
+        name: "pack-smoke",
+        status: "FAIL",
+        message: "pack-smoke: tarball install failed",
+        details: ((install.stdout || "") + (install.stderr || "")).split("\n").filter(Boolean).slice(0, 15),
+        durationMs: Date.now() - t0
+      };
+    }
+    const binCandidates = [
+      join6(installDir, "node_modules", ".bin", "ijfw"),
+      join6(installDir, "node_modules", ".bin", "ijfw-install")
+    ];
+    let binPath = null;
+    for (const c2 of binCandidates) {
+      try {
+        const r = spawnSync10("ls", [c2], { encoding: "utf8" });
+        if (r.status === 0) {
+          binPath = c2;
+          break;
+        }
+      } catch {
+      }
+    }
+    if (!binPath) {
+      const binDir = join6(installDir, "node_modules", ".bin");
+      let entries = [];
+      try {
+        entries = readdirSync3(binDir);
+      } catch {
+      }
+      const found = entries.find((e) => e.startsWith("ijfw"));
+      if (found) binPath = join6(binDir, found);
+    }
+    if (!binPath) {
+      return {
+        name: "pack-smoke",
+        status: "FAIL",
+        message: "pack-smoke: no ijfw* binary found in installed tarball",
+        details: [],
+        durationMs: Date.now() - t0
+      };
+    }
+    const helpRun = spawnSync10("node", [binPath, "--help"], {
+      encoding: "utf8",
+      cwd: installDir,
+      timeout: 15e3,
+      env: { ...process.env, HOME: fakeHome }
+    });
+    const durationMs = Date.now() - t0;
+    if (helpRun.status === 0) {
+      return {
+        name: "pack-smoke",
+        status: "PASS",
+        message: `pack-smoke: tarball installs and binary responds to --help`,
+        details: [],
+        durationMs
+      };
+    }
+    return {
+      name: "pack-smoke",
+      status: "FAIL",
+      message: "pack-smoke: binary --help exited non-zero",
+      details: ((helpRun.stdout || "") + (helpRun.stderr || "")).split("\n").filter(Boolean).slice(0, 15),
+      durationMs
+    };
+  } finally {
+    try {
+      rmSync2(tmpRoot, { recursive: true, force: true });
+    } catch {
+    }
+    try {
+      rmSync2(tarballPath, { force: true });
+    } catch {
+    }
+  }
+}
+var name10, severity10, parallel10;
+var init_pack_smoke = __esm({
+  "src/preflight/gates/pack-smoke.js"() {
+    name10 = "pack-smoke";
+    severity10 = "blocking";
+    parallel10 = false;
+  }
+});
+
+// src/preflight/gates/upgrade-smoke.js
+var upgrade_smoke_exports = {};
+__export(upgrade_smoke_exports, {
+  name: () => name11,
+  parallel: () => parallel11,
+  run: () => run11,
+  severity: () => severity11
+});
+import { spawnSync as spawnSync11 } from "node:child_process";
+import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3, readFileSync, existsSync } from "node:fs";
+import { join as join7, resolve as resolve2 } from "node:path";
+import { tmpdir as tmpdir3 } from "node:os";
+async function run11(ctx) {
+  const t0 = Date.now();
+  const installerDir = join7(ctx.repoRoot, "installer");
+  const build = spawnSync11("npm", ["run", "build"], {
+    encoding: "utf8",
+    cwd: installerDir,
+    timeout: 6e4
+  });
+  if (build.status !== 0) {
+    return {
+      name: "upgrade-smoke",
+      status: "FAIL",
+      message: "upgrade-smoke: build failed",
+      details: ((build.stdout || "") + (build.stderr || "")).split("\n").filter(Boolean).slice(0, 10),
+      durationMs: Date.now() - t0
+    };
+  }
+  const pack = spawnSync11("npm", ["pack", "--silent"], {
+    encoding: "utf8",
+    cwd: installerDir,
+    timeout: 3e4
+  });
+  if (pack.status !== 0) {
+    return {
+      name: "upgrade-smoke",
+      status: "FAIL",
+      message: "upgrade-smoke: npm pack failed",
+      details: ((pack.stdout || "") + (pack.stderr || "")).split("\n").filter(Boolean),
+      durationMs: Date.now() - t0
+    };
+  }
+  const tarball = pack.stdout.trim();
+  const tarballPath = resolve2(installerDir, tarball);
+  const tmpRoot = mkdtempSync3(join7(tmpdir3(), "ijfw-upgrade-smoke-"));
+  const fakeHome = join7(tmpRoot, "home");
+  const installDir = join7(tmpRoot, "install");
+  mkdirSync2(fakeHome, { recursive: true });
+  mkdirSync2(installDir, { recursive: true });
+  const claudeDir = join7(fakeHome, ".claude");
+  mkdirSync2(claudeDir, { recursive: true });
+  try {
+    writeFileSync3(join7(installDir, "package.json"), JSON.stringify({ name: "upgrade-smoke", version: "1.0.0", type: "module" }));
+    const install = spawnSync11("npm", ["install", "--no-save", tarballPath], {
+      encoding: "utf8",
+      cwd: installDir,
+      timeout: 6e4,
+      env: { ...process.env, HOME: fakeHome, npm_config_prefix: fakeHome }
+    });
+    if (install.status !== 0) {
+      return {
+        name: "upgrade-smoke",
+        status: "FAIL",
+        message: "upgrade-smoke: tarball install failed",
+        details: ((install.stdout || "") + (install.stderr || "")).split("\n").filter(Boolean).slice(0, 15),
+        durationMs: Date.now() - t0
+      };
+    }
+    const binCandidates = [
+      join7(installDir, "node_modules", ".bin", "ijfw-install"),
+      join7(installDir, "node_modules", ".bin", "ijfw")
+    ];
+    let installerBin = null;
+    for (const c2 of binCandidates) {
+      const check = spawnSync11("ls", [c2], { encoding: "utf8" });
+      if (check.status === 0) {
+        installerBin = c2;
+        break;
+      }
+    }
+    if (!installerBin) {
+      return {
+        name: "upgrade-smoke",
+        status: "FAIL",
+        message: "upgrade-smoke: no installer binary found",
+        details: [],
+        durationMs: Date.now() - t0
+      };
+    }
+    const settingsPath = join7(claudeDir, "settings.json");
+    if (existsSync(settingsPath)) {
+      let settings;
+      try {
+        settings = JSON.parse(readFileSync(settingsPath, "utf8"));
+      } catch (e) {
+        return {
+          name: "upgrade-smoke",
+          status: "FAIL",
+          message: "upgrade-smoke: settings.json is not valid JSON",
+          details: [e.message],
+          durationMs: Date.now() - t0
+        };
+      }
+      const hasWrongKey = JSON.stringify(settings).includes("ijfw-core");
+      if (hasWrongKey) {
+        return {
+          name: "upgrade-smoke",
+          status: "FAIL",
+          message: 'upgrade-smoke: settings.json still uses deprecated "ijfw-core" key',
+          details: [`Found "ijfw-core" in: ${settingsPath}`],
+          durationMs: Date.now() - t0
+        };
+      }
+    }
+    const marketplaceSrc = join7(installerDir, "src", "marketplace.js");
+    if (existsSync(marketplaceSrc)) {
+      const src = readFileSync(marketplaceSrc, "utf8");
+      const registersCorrectKey = src.includes("'ijfw@ijfw'") || src.includes('"ijfw@ijfw"');
+      const registersWrongKey = /enabledPlugins\[['"]ijfw-core@ijfw['"]\]\s*=\s*true/.test(src);
+      if (!registersCorrectKey) {
+        return {
+          name: "upgrade-smoke",
+          status: "FAIL",
+          message: 'upgrade-smoke: marketplace.js does not register "ijfw@ijfw" plugin key',
+          details: ['Fix: add enabledPlugins["ijfw@ijfw"] = true in marketplace.js'],
+          durationMs: Date.now() - t0
+        };
+      }
+      if (registersWrongKey) {
+        return {
+          name: "upgrade-smoke",
+          status: "FAIL",
+          message: 'upgrade-smoke: marketplace.js still registers deprecated "ijfw-core@ijfw" key as active',
+          details: ['Fix: change active registration to "ijfw@ijfw" in marketplace.js'],
+          durationMs: Date.now() - t0
+        };
+      }
+    }
+    const durationMs = Date.now() - t0;
+    return {
+      name: "upgrade-smoke",
+      status: "PASS",
+      message: "upgrade-smoke: plugin key and settings wiring verified",
+      details: [],
+      durationMs
+    };
+  } finally {
+    try {
+      rmSync3(tmpRoot, { recursive: true, force: true });
+    } catch {
+    }
+    try {
+      rmSync3(tarballPath, { force: true });
+    } catch {
+    }
+  }
+}
+var name11, severity11, parallel11;
+var init_upgrade_smoke = __esm({
+  "src/preflight/gates/upgrade-smoke.js"() {
+    name11 = "upgrade-smoke";
+    severity11 = "blocking";
+    parallel11 = false;
+  }
+});
+
+// src/preflight.js
+var preflight_exports = {};
+__export(preflight_exports, {
+  runPreflightCommand: () => runPreflightCommand
+});
+import { readFileSync as readFileSync2, existsSync as existsSync2 } from "node:fs";
+import { join as join8, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+function printHelp() {
+  console.log(`
+ijfw preflight -- 11-gate quality pipeline
+
+USAGE
+  ijfw preflight [options]
+
+OPTIONS
+  --json        Emit machine-readable JSON (for CI consumption)
+  --fail-fast   Stop after the first blocking gate failure
+  --help, -h    Show this help
+
+GATES (in execution order)
+  1.  shellcheck        Shell lint (POSIX, unbound vars)       [blocking]
+  2.  oxlint            JS/TS fast lint                        [blocking]
+  3.  eslint-security   Security-focused ESLint rules          [blocking]
+  4.  psscriptanalyzer  PowerShell lint (CI: windows-latest)   [blocking]
+  5.  publint           package.json bin/exports integrity     [blocking]
+  6.  gitleaks          Secret scan                            [blocking]
+  7.  audit-ci          npm audit, fails on high+              [blocking]
+  8.  knip              Dead code detection                    [advisory]
+  9.  license-check     Production dep license check           [advisory]
+  10. pack-smoke        npm pack -> install -> binary --help   [blocking]
+  11. upgrade-smoke     Plugin-key wiring verification         [blocking]
+
+EXIT CODES
+  0  All blocking gates passed (advisory warnings may exist)
+  1  One or more blocking gates failed
+
+SLO
+  Warm cache: <=90s  Cold cache: <=240s (both printed at end)
+`);
+}
+function loadVersions(repoRoot2) {
+  const candidates = [
+    join8(repoRoot2, "preflight-versions.json"),
+    join8(repoRoot2, ".ijfw", "preflight-versions.json")
+  ];
+  for (const f of candidates) {
+    if (existsSync2(f)) {
+      try {
+        return JSON.parse(readFileSync2(f, "utf8"));
+      } catch {
+      }
+    }
+  }
+  return {};
+}
+function parseArgs(argv) {
+  const out = { json: false, failFast: false, help: false };
+  for (const a of argv.slice(2)) {
+    if (a === "--json") out.json = true;
+    else if (a === "--fail-fast") out.failFast = true;
+    else if (a === "--help" || a === "-h") out.help = true;
+  }
+  return out;
+}
+async function runPreflightCommand(argv, repoRoot2) {
+  const args = parseArgs(argv);
+  if (args.help) {
+    printHelp();
+    process.exit(0);
+  }
+  const versions = loadVersions(repoRoot2);
+  const ctx = {
+    repoRoot: repoRoot2,
+    versions,
+    json: args.json,
+    failFast: args.failFast
+  };
+  const shellcheck = await Promise.resolve().then(() => (init_shellcheck(), shellcheck_exports));
+  const oxlint = await Promise.resolve().then(() => (init_oxlint(), oxlint_exports));
+  const eslintSecurity = await Promise.resolve().then(() => (init_eslint_security(), eslint_security_exports));
+  const psscriptanalyzer = await Promise.resolve().then(() => (init_psscriptanalyzer(), psscriptanalyzer_exports));
+  const publint = await Promise.resolve().then(() => (init_publint(), publint_exports));
+  const gitleaks = await Promise.resolve().then(() => (init_gitleaks(), gitleaks_exports));
+  const auditCi = await Promise.resolve().then(() => (init_audit_ci(), audit_ci_exports));
+  const knip = await Promise.resolve().then(() => (init_knip(), knip_exports));
+  const licenseCheck = await Promise.resolve().then(() => (init_license_check(), license_check_exports));
+  const packSmoke = await Promise.resolve().then(() => (init_pack_smoke(), pack_smoke_exports));
+  const upgradeSmoke = await Promise.resolve().then(() => (init_upgrade_smoke(), upgrade_smoke_exports));
+  const gates = [
+    shellcheck,
+    oxlint,
+    eslintSecurity,
+    psscriptanalyzer,
+    publint,
+    gitleaks,
+    auditCi,
+    knip,
+    licenseCheck,
+    packSmoke,
+    upgradeSmoke
+  ];
+  const report = await runPreflight(gates, ctx);
+  process.exit(report.outcome === "pass" ? 0 : 1);
+}
+var __dirname;
+var init_preflight = __esm({
+  "src/preflight.js"() {
+    init_runner();
+    __dirname = dirname(fileURLToPath(import.meta.url));
+  }
+});
+
+// src/ijfw.js
+import { dirname as dirname2, join as join9, resolve as resolve3, basename } from "node:path";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
+import { existsSync as existsSync3, mkdirSync as mkdirSync3, copyFileSync, readdirSync as readdirSync4, rmSync as rmSync4 } from "node:fs";
+import { homedir } from "node:os";
+import { spawnSync as spawnSync12 } from "node:child_process";
+var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
+function repoRoot() {
+  let dir = __dirname2;
+  for (let i = 0; i < 6; i++) {
+    if (existsSync3(join9(dir, "package.json")) && existsSync3(join9(dir, ".git"))) return dir;
+    dir = resolve3(dir, "..");
+  }
+  return process.cwd();
+}
+function printHelp2() {
+  console.log(`
+ijfw -- the AI efficiency layer
+
+USAGE
+  ijfw <command> [options]
+
+COMMANDS
+  install     Install IJFW into your AI coding agents
+  uninstall   Remove IJFW from your AI coding agents
+  preflight   Run 11-gate quality pipeline before publishing
+  dashboard   Start / stop / check the local observability dashboard
+  design      Manage the visual design companion
+  doctor      Diagnose IJFW installation health
+
+  --help, -h  Show this help
+  --version   Show version
+`);
+}
+function doctorCheck(cmd, args) {
+  const r = spawnSync12(cmd, args, { encoding: "utf8" });
+  return r.status === 0 ? r.stdout.split("\n")[0].trim() : "not found";
+}
+async function main() {
+  const argv = process.argv;
+  const sub = argv[2];
+  if (!sub || sub === "--help" || sub === "-h") {
+    printHelp2();
+    process.exit(0);
+  }
+  if (sub === "--version" || sub === "-v") {
+    try {
+      const { readFileSync: readFileSync3 } = await import("node:fs");
+      const pkgPath = join9(__dirname2, "..", "package.json");
+      const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
+      console.log(pkg.version || "unknown");
+    } catch {
+      console.log("unknown");
+    }
+    process.exit(0);
+  }
+  switch (sub) {
+    case "install": {
+      const installBin = resolve3(__dirname2, "..", "dist", "install.js");
+      const r = spawnSync12("node", [installBin, ...argv.slice(3)], { stdio: "inherit" });
+      process.exit(r.status ?? 1);
+      break;
+    }
+    case "uninstall": {
+      const uninstallBin = resolve3(__dirname2, "..", "dist", "uninstall.js");
+      const r = spawnSync12("node", [uninstallBin, ...argv.slice(3)], { stdio: "inherit" });
+      process.exit(r.status ?? 1);
+      break;
+    }
+    case "preflight": {
+      const { runPreflightCommand: runPreflightCommand2 } = await Promise.resolve().then(() => (init_preflight(), preflight_exports));
+      await runPreflightCommand2([argv[0], argv[1], ...argv.slice(3)], repoRoot());
+      break;
+    }
+    case "dashboard": {
+      const dashSub = argv[3];
+      const root = repoRoot();
+      if (dashSub === "start" || dashSub === "stop" || dashSub === "status") {
+        const dashBin = join9(root, "mcp-server", "bin", "ijfw-dashboard");
+        if (existsSync3(dashBin)) {
+          const r = spawnSync12("node", [dashBin, dashSub, ...argv.slice(4)], { stdio: "inherit" });
+          process.exit(r.status ?? 0);
+        } else {
+          const serverJs = join9(root, "mcp-server", "src", "dashboard-server.js");
+          if (dashSub === "start" && existsSync3(serverJs)) {
+            const { spawn } = await import("node:child_process");
+            const child = spawn(process.execPath, [serverJs, "--daemon"], {
+              detached: true,
+              stdio: "ignore"
+            });
+            child.unref();
+            console.log("Dashboard starting... (check: ijfw dashboard status)");
+            process.exit(0);
+          }
+          console.log("[ijfw] Dashboard bin not found. Run from the IJFW repo root.");
+          process.exit(1);
+        }
+      } else if (dashSub === "render" || !dashSub) {
+        const binJs = join9(root, "scripts", "dashboard", "bin.js");
+        if (existsSync3(binJs)) {
+          const r = spawnSync12("node", [binJs, ...argv.slice(dashSub ? 4 : 3)], { stdio: "inherit" });
+          process.exit(r.status ?? 0);
+        } else {
+          console.log("[ijfw] Run `ijfw dashboard start` to launch the web dashboard.");
+          process.exit(1);
+        }
+      } else {
+        console.log("Usage: ijfw dashboard <start|stop|status|render>");
+        process.exit(1);
+      }
+      break;
+    }
+    case "design": {
+      const designSub = argv[3];
+      const contentDir = join9(homedir(), ".ijfw", "design-companion", "content");
+      mkdirSync3(contentDir, { recursive: true });
+      if (designSub === "push") {
+        const filePath = argv[4];
+        if (!filePath) {
+          console.error("Usage: ijfw design push <file.html>");
+          process.exit(1);
+        }
+        const abs = resolve3(filePath);
+        if (!existsSync3(abs)) {
+          console.error(`File not found: ${abs}`);
+          process.exit(1);
+        }
+        const dest = join9(contentDir, basename(abs));
+        copyFileSync(abs, dest);
+        console.log(`Design pushed: ${dest}`);
+      } else if (designSub === "clear") {
+        const files = readdirSync4(contentDir);
+        for (const f of files) rmSync4(join9(contentDir, f), { force: true });
+        console.log("Design companion content cleared.");
+      } else {
+        console.log("ijfw design -- Manage the visual design companion. Push HTML mockups for live preview.");
+        console.log("");
+        console.log("Usage: ijfw design push <file.html> | ijfw design clear");
+        process.exit(1);
+      }
+      break;
+    }
+    case "doctor": {
+      console.log("\nijfw doctor\n");
+      console.log("  node:       " + doctorCheck("node", ["--version"]));
+      console.log("  git:        " + doctorCheck("git", ["--version"]));
+      console.log("  shellcheck: " + doctorCheck("shellcheck", ["--version"]));
+      console.log("  gitleaks:   " + doctorCheck("gitleaks", ["version"]));
+      console.log("");
+      process.exit(0);
+      break;
+    }
+    default: {
+      console.error(`Unknown subcommand: ${sub}`);
+      printHelp2();
+      process.exit(1);
+    }
+  }
+}
+main().catch((e) => {
+  console.error(e.message || e);
+  process.exit(1);
+});