npm - @ijfw/install - Versions diffs - 1.3.1 → 1.4.0 - Mend

@ijfw/install 1.3.1 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/ijfw.js CHANGED Viewed

@@ -267,6 +267,17 @@ import { spawnSync as spawnSync3 } from "node:child_process";
 import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { join as join2 } from "node:path";
 import { tmpdir } from "node:os";
+function formatMessages(results, severity12) {
+  const out = [];
+  for (const file of results) {
+    for (const msg of file.messages || []) {
+      if (severity12 === "error" && msg.severity !== 2) continue;
+      if (severity12 === "warning" && msg.severity !== 1) continue;
+      out.push(`${file.filePath}:${msg.line}:${msg.column} ${msg.severity === 2 ? "error" : "warning"} ${msg.ruleId} -- ${msg.message}`);
+    }
+  }
+  return out;
+}
 async function run3(ctx) {
   const t0 = Date.now();
   const eslintVer = ctx.versions["eslint"] || "latest";
@@ -292,6 +303,7 @@ async function run3(ctx) {
 import security from '${join2(tmpDir, "node_modules", "eslint-plugin-security", "index.js").replace(/\\/g, "/")}';
 export default [
   {
+    linterOptions: { reportUnusedDisableDirectives: 'off' },
     files: ['installer/src/**/*.js', 'mcp-server/src/**/*.js'],
     plugins: { security },
     rules: ${JSON.stringify(RULES)},
@@ -303,13 +315,20 @@ export default [
     const eslintBin = join2(tmpDir, "node_modules", ".bin", "eslint");
     const res = spawnSync3(
       eslintBin,
-      ["--config", configPath, "installer/src/**/*.js", "mcp-server/src/**/*.js"],
+      ["--no-config-lookup", "--config", configPath, "--format", "json", "installer/src/**/*.js", "mcp-server/src/**/*.js"],
       { encoding: "utf8", cwd: ctx.repoRoot, timeout: 6e4 }
     );
     const durationMs = Date.now() - t0;
     const output = (res.stdout || "") + (res.stderr || "");
-    const lines = output.split("\n").filter(Boolean);
-    if (res.status === 0) {
+    let results = [];
+    try {
+      results = JSON.parse(res.stdout || "[]");
+    } catch {
+      results = [];
+    }
+    const errorCount = results.reduce((sum, file) => sum + (file.errorCount || 0), 0);
+    const warningCount = results.reduce((sum, file) => sum + (file.warningCount || 0), 0);
+    if (res.status === 0 && errorCount === 0 && warningCount === 0) {
       return {
         name: "eslint-security",
         status: "PASS",
@@ -318,20 +337,20 @@ export default [
         durationMs
       };
     }
-    if (res.status === 1) {
+    if (errorCount > 0 || res.status === 2) {
       return {
         name: "eslint-security",
-        status: "WARN",
-        message: "eslint-security: advisory warnings (review above)",
-        details: lines.slice(0, 30),
+        status: "FAIL",
+        message: `eslint-security: ${errorCount || "unknown"} security error(s) found`,
+        details: (formatMessages(results, "error").length ? formatMessages(results, "error") : output.split("\n").filter(Boolean)).slice(0, 30),
         durationMs
       };
     }
     return {
       name: "eslint-security",
-      status: "FAIL",
-      message: "eslint-security: security errors found (exit code 2)",
-      details: lines.slice(0, 30),
+      status: "WARN",
+      message: `eslint-security: ${warningCount} advisory warning(s)`,
+      details: (formatMessages(results, "warning").length ? formatMessages(results, "warning") : output.split("\n").filter(Boolean)).slice(0, 30),
       durationMs
     };
   } finally {
@@ -350,11 +369,7 @@ var init_eslint_security = __esm({
   "src/preflight/gates/eslint-security.js"() {
     RULES = {
       "security/detect-eval-with-expression": "error",
-      "security/detect-non-literal-fs-filename": "warn",
-      "security/detect-non-literal-regexp": "warn",
       "security/detect-non-literal-require": "warn",
-      "security/detect-object-injection": "warn",
-      "security/detect-possible-timing-attacks": "warn",
       "security/detect-pseudoRandomBytes": "error",
       "security/detect-unsafe-regex": "error"
     };
@@ -367,15 +382,15 @@ var init_eslint_security = __esm({
 // src/preflight/gates/psscriptanalyzer.js
 var psscriptanalyzer_exports = {};
 __export(psscriptanalyzer_exports, {
+  fallbackAnalyzePowerShellText: () => fallbackAnalyzePowerShellText,
   name: () => name4,
   parallel: () => parallel4,
   run: () => run4,
   severity: () => severity4
 });
 import { spawnSync as spawnSync4 } from "node:child_process";
-import { readdirSync as readdirSync2, statSync as statSync2 } from "node:fs";
+import { readFileSync, readdirSync as readdirSync2, statSync as statSync2 } from "node:fs";
 import { join as join3 } from "node:path";
-import { platform } from "node:os";
 function findPs1Files(dir, acc = []) {
   let entries;
   try {
@@ -397,6 +412,109 @@ function findPs1Files(dir, acc = []) {
   }
   return acc;
 }
+function stripPowerShellComments(source) {
+  let out = "";
+  let i = 0;
+  let inSingle = false;
+  let inDouble = false;
+  let inBlockComment = false;
+  while (i < source.length) {
+    const ch = source[i];
+    const next = source[i + 1];
+    if (inBlockComment) {
+      if (ch === "#" && next === ">") {
+        inBlockComment = false;
+        i += 2;
+      } else {
+        if (ch === "\n") out += "\n";
+        i += 1;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "<" && next === "#") {
+      inBlockComment = true;
+      i += 2;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "#") {
+      while (i < source.length && source[i] !== "\n") i += 1;
+      out += "\n";
+      continue;
+    }
+    out += ch;
+    if (!inDouble && ch === "'") inSingle = !inSingle;
+    else if (!inSingle && ch === '"' && source[i - 1] !== "`") inDouble = !inDouble;
+    i += 1;
+  }
+  return out;
+}
+function bracketIssues(source, file) {
+  const pairs = { "(": ")", "[": "]", "{": "}" };
+  const closers = new Set(Object.values(pairs));
+  const stack = [];
+  let inSingle = false;
+  let inDouble = false;
+  for (let i = 0; i < source.length; i++) {
+    const ch = source[i];
+    if (!inDouble && ch === "'") {
+      inSingle = !inSingle;
+      continue;
+    }
+    if (!inSingle && ch === '"' && source[i - 1] !== "`") {
+      inDouble = !inDouble;
+      continue;
+    }
+    if (inSingle || inDouble) continue;
+    if (pairs[ch]) stack.push({ ch, index: i });
+    else if (closers.has(ch)) {
+      const open = stack.pop();
+      if (!open || pairs[open.ch] !== ch) return [`${file}: unbalanced bracket near offset ${i}`];
+    }
+  }
+  if (inSingle || inDouble) return [`${file}: unterminated string literal`];
+  if (stack.length > 0) return [`${file}: unclosed bracket near offset ${stack[stack.length - 1].index}`];
+  return [];
+}
+function fallbackAnalyzePowerShellText(source, file = "<inline>") {
+  const stripped = stripPowerShellComments(source);
+  const issues = bracketIssues(stripped, file);
+  const banned = [
+    [/\bInvoke-Expression\b|\biex\b/i, "Invoke-Expression/iex dynamic execution"],
+    [/\bSet-ExecutionPolicy\b[\s\S]{0,80}\bBypass\b/i, "Set-ExecutionPolicy Bypass"],
+    [/\bStart-Process\b[\s\S]{0,160}\b-Verb\s+RunAs\b/i, "Start-Process -Verb RunAs elevation"],
+    [/\bNew-Object\s+Net\.WebClient\b|\bDownloadString\s*\(/i, "legacy WebClient/DownloadString network execution"]
+  ];
+  for (const [re2, label] of banned) {
+    if (re2.test(stripped)) issues.push(`${file}: banned PowerShell pattern: ${label}`);
+  }
+  return issues;
+}
+function runFallback(files, t0, reason) {
+  const issues = [];
+  for (const file of files) {
+    try {
+      issues.push(...fallbackAnalyzePowerShellText(readFileSync(file, "utf8"), file));
+    } catch (e) {
+      issues.push(`${file}: could not read script (${e.message || e})`);
+    }
+  }
+  if (issues.length > 0) {
+    return {
+      name: "psscriptanalyzer",
+      status: "FAIL",
+      message: `PowerShell fallback found issues in ${files.length} script(s)`,
+      details: [reason, ...issues].slice(0, 20),
+      durationMs: Date.now() - t0
+    };
+  }
+  return {
+    name: "psscriptanalyzer",
+    status: "PASS",
+    message: `${files.length} PowerShell script(s) clean (static fallback; ${reason})`,
+    details: [],
+    durationMs: Date.now() - t0
+  };
+}
 async function run4(ctx) {
   const t0 = Date.now();
   const files = findPs1Files(ctx.repoRoot);
@@ -411,14 +529,15 @@ async function run4(ctx) {
   }
   const which = spawnSync4("pwsh", ["--version"], { encoding: "utf8" });
   if (which.status === null || which.error) {
-    const isWin2 = platform() === "win32";
-    return {
-      name: "psscriptanalyzer",
-      status: isWin2 ? "FAIL" : "WARN",
-      message: isWin2 ? `pwsh not found -- ${files.length} .ps1 file(s) unchecked (install PowerShell)` : `pwsh not installed -- PSScriptAnalyzer skipped on non-Windows (runs in CI on windows-latest)`,
-      details: [`Files that would be checked: ${files.join(", ")}`],
-      durationMs: Date.now() - t0
-    };
+    return runFallback(files, t0, "pwsh unavailable");
+  }
+  const moduleCheck = spawnSync4(
+    "pwsh",
+    ["-NoProfile", "-NonInteractive", "-Command", "if (Get-Module -ListAvailable -Name PSScriptAnalyzer) { exit 0 } else { exit 3 }"],
+    { encoding: "utf8", cwd: ctx.repoRoot, timeout: 1e4 }
+  );
+  if (moduleCheck.status !== 0) {
+    return runFallback(files, t0, "PSScriptAnalyzer module unavailable");
   }
   const script = `
 $files = @(${files.map((f) => `'${f.replace(/'/g, "''")}'`).join(",")})
@@ -450,10 +569,9 @@ if ($found) { exit 1 } else { exit 0 }
     };
   }
   const lines = ((res.stdout || "") + (res.stderr || "")).split("\n").filter(Boolean);
-  const isWin = platform() === "win32";
   return {
     name: "psscriptanalyzer",
-    status: isWin ? "FAIL" : "WARN",
+    status: "FAIL",
     message: `PSScriptAnalyzer found issues in ${files.length} script(s)`,
     details: lines.slice(0, 20),
     durationMs
@@ -568,6 +686,996 @@ var init_gitleaks = __esm({
   }
 });
+// ../mcp-server/src/gate-result-schema.js
+function makeGateId(gate) {
+  if (typeof gate !== "string" || !GATE_NAME_PATTERN.test(gate)) {
+    throw new TypeError(
+      `makeGateId: invalid gate name "${gate}" \u2014 must match ${GATE_NAME_PATTERN}`
+    );
+  }
+  const safe = gate.replace(/:/g, "-");
+  const ts = Date.now();
+  const rand4 = Math.floor(Math.random() * 65536).toString(16).padStart(4, "0");
+  return `${safe}-${ts}-${rand4}`;
+}
+function isString(v2) {
+  return typeof v2 === "string";
+}
+function isNonNullObject(v2) {
+  return v2 !== null && typeof v2 === "object" && !Array.isArray(v2);
+}
+function validateGateResult(obj) {
+  const errors = [];
+  if (!isNonNullObject(obj)) {
+    return { valid: false, errors: ["root: must be an object"] };
+  }
+  if (obj.schema_version !== SCHEMA_VERSION) {
+    errors.push(
+      `schema_version: must equal "${SCHEMA_VERSION}", got ${JSON.stringify(obj.schema_version)}`
+    );
+  }
+  if (!isString(obj.gate)) {
+    errors.push("gate: must be a string");
+  } else if (!GATE_NAME_PATTERN.test(obj.gate)) {
+    errors.push(
+      `gate: "${obj.gate}" does not match ${GATE_NAME_PATTERN}`
+    );
+  }
+  if (!VALID_STATUSES.includes(obj.status)) {
+    errors.push(
+      `status: must be one of ${VALID_STATUSES.join("|")}, got ${JSON.stringify(obj.status)}`
+    );
+  }
+  if (!VALID_PROJECT_TYPES.includes(obj.project_type)) {
+    errors.push(
+      `project_type: must be one of ${VALID_PROJECT_TYPES.join("|")}, got ${JSON.stringify(obj.project_type)}`
+    );
+  }
+  if (!Array.isArray(obj.lenses)) {
+    errors.push("lenses: must be an array (empty for single-model gates)");
+  } else {
+    obj.lenses.forEach((lens, i) => {
+      if (!isNonNullObject(lens)) {
+        errors.push(`lenses[${i}]: must be an object`);
+        return;
+      }
+      if (!isString(lens.model)) errors.push(`lenses[${i}].model: must be a string`);
+      if (!VALID_STATUSES.includes(lens.verdict)) {
+        errors.push(
+          `lenses[${i}].verdict: must be one of ${VALID_STATUSES.join("|")}`
+        );
+      }
+      if (typeof lens.confidence !== "number" || lens.confidence < 0 || lens.confidence > 1) {
+        errors.push(`lenses[${i}].confidence: must be number in [0,1]`);
+      }
+      if (!isString(lens.summary)) errors.push(`lenses[${i}].summary: must be a string`);
+    });
+  }
+  if (!Array.isArray(obj.affected_artifacts)) {
+    errors.push("affected_artifacts: must be an array");
+  } else {
+    obj.affected_artifacts.forEach((a, i) => {
+      if (!isNonNullObject(a)) {
+        errors.push(`affected_artifacts[${i}]: must be an object`);
+        return;
+      }
+      if (!VALID_ARTIFACT_TYPES.includes(a.type)) {
+        errors.push(
+          `affected_artifacts[${i}].type: must be one of ${VALID_ARTIFACT_TYPES.join("|")}`
+        );
+      }
+      if (!isString(a.ref)) errors.push(`affected_artifacts[${i}].ref: must be a string`);
+      if (!isString(a.role)) errors.push(`affected_artifacts[${i}].role: must be a string`);
+    });
+  }
+  if (!isNonNullObject(obj.accounting)) {
+    errors.push("accounting: must be an object");
+  } else {
+    const a = obj.accounting;
+    if (typeof a.duration_ms !== "number" || a.duration_ms < 0) {
+      errors.push("accounting.duration_ms: must be a non-negative number");
+    }
+    if (typeof a.lenses_invoked !== "number" || a.lenses_invoked < 0 || !Number.isInteger(a.lenses_invoked)) {
+      errors.push("accounting.lenses_invoked: must be a non-negative integer");
+    }
+    if (a.cost_usd !== null && (typeof a.cost_usd !== "number" || a.cost_usd < 0)) {
+      errors.push("accounting.cost_usd: must be null or non-negative number");
+    }
+  }
+  if (!Array.isArray(obj.remediation)) {
+    errors.push("remediation: must be an array (may be empty)");
+  } else {
+    obj.remediation.forEach((r, i) => {
+      if (!isNonNullObject(r)) {
+        errors.push(`remediation[${i}]: must be an object`);
+        return;
+      }
+      if (!isString(r.action)) errors.push(`remediation[${i}].action: must be a string`);
+      if (!isString(r.target)) errors.push(`remediation[${i}].target: must be a string`);
+      if (!isString(r.agent_recommended)) {
+        errors.push(`remediation[${i}].agent_recommended: must be a string`);
+      }
+      if (typeof r.confidence !== "number" || r.confidence < 0 || r.confidence > 1) {
+        errors.push(`remediation[${i}].confidence: must be number in [0,1]`);
+      }
+    });
+  }
+  if (obj.receipts_ref !== null && !isString(obj.receipts_ref)) {
+    errors.push("receipts_ref: must be a string or null");
+  }
+  if (obj.supersedes !== null && !isString(obj.supersedes)) {
+    errors.push("supersedes: must be a string or null");
+  }
+  if (!isString(obj.gate_id) || obj.gate_id.length === 0) {
+    errors.push("gate_id: must be a non-empty string");
+  } else if (isString(obj.gate)) {
+    const safeGate = obj.gate.replace(/:/g, "-");
+    if (!obj.gate_id.startsWith(safeGate + "-")) {
+      errors.push(
+        `gate_id: expected to start with "${safeGate}-" (colon-collapsed gate name)`
+      );
+    }
+  }
+  if (!isString(obj.emitted_at) || !ISO8601_PATTERN.test(obj.emitted_at)) {
+    errors.push("emitted_at: must be ISO-8601 string");
+  }
+  return { valid: errors.length === 0, errors };
+}
+function formatGateResult(obj) {
+  const json = JSON.stringify(obj, null, 2);
+  return "```gate-result\n" + json + "\n```";
+}
+var SCHEMA_VERSION, GATE_NAME_PATTERN, VALID_STATUSES, VALID_PROJECT_TYPES, VALID_ARTIFACT_TYPES, ISO8601_PATTERN;
+var init_gate_result_schema = __esm({
+  "../mcp-server/src/gate-result-schema.js"() {
+    SCHEMA_VERSION = "1.0";
+    GATE_NAME_PATTERN = /^[a-z][a-z0-9-]*(:[a-z][a-z0-9-]*)?$/;
+    VALID_STATUSES = Object.freeze([
+      "PASS",
+      "CONDITIONAL",
+      "WARN",
+      "FLAG",
+      "FAIL"
+    ]);
+    VALID_PROJECT_TYPES = Object.freeze([
+      "software",
+      "book",
+      "content",
+      "business",
+      "design",
+      "mixed",
+      "unknown"
+    ]);
+    VALID_ARTIFACT_TYPES = Object.freeze([
+      "file",
+      "chapter",
+      "section",
+      "asset",
+      "persona",
+      "decision",
+      "component"
+    ]);
+    ISO8601_PATTERN = // eslint-disable-next-line security/detect-unsafe-regex -- fixed-length anchored ISO 8601 shape; optional fractional + tz are non-overlapping
+    /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})$/;
+  }
+});
+// ../mcp-server/src/scan-resume.js
+import { existsSync, mkdirSync, readFileSync as readFileSync2, writeFileSync as writeFileSync2, renameSync, unlinkSync, copyFileSync } from "fs";
+import { join as join4 } from "path";
+function statePath(projectRoot) {
+  return join4(String(projectRoot), ".ijfw", STATE_FILE);
+}
+function loadScanState(projectRoot) {
+  const path = statePath(projectRoot);
+  if (!existsSync(path)) return null;
+  try {
+    const raw = readFileSync2(path, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === "object") return parsed;
+  } catch {
+  }
+  return null;
+}
+function writeScanState(projectRoot, state) {
+  const dir = join4(String(projectRoot), ".ijfw");
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  const finalPath = statePath(projectRoot);
+  const tmpPath = `${finalPath}.tmp.${process.pid}.${Date.now()}`;
+  const safe = {
+    scan_id: String(state.scan_id || ""),
+    started_at: String(state.started_at || (/* @__PURE__ */ new Date()).toISOString()),
+    last_path_walked: String(state.last_path_walked || ""),
+    files_scanned: Number.isFinite(state.files_scanned) ? state.files_scanned : 0,
+    total_estimate: Number.isFinite(state.total_estimate) ? state.total_estimate : 0,
+    attempts: Number.isFinite(state.attempts) ? state.attempts : 1,
+    incomplete: state.incomplete !== false,
+    session_id: state.session_id || null
+  };
+  if (state.partial && typeof state.partial === "object") {
+    safe.partial = state.partial;
+  }
+  writeFileSync2(tmpPath, JSON.stringify(safe, null, 2) + "\n", "utf8");
+  try {
+    renameSync(tmpPath, finalPath);
+  } catch (err) {
+    if (!err || err.code !== "EXDEV") throw err;
+    try {
+      copyFileSync(tmpPath, finalPath);
+    } finally {
+      try {
+        unlinkSync(tmpPath);
+      } catch {
+      }
+    }
+  }
+  return finalPath;
+}
+function lockPath(projectRoot) {
+  return join4(String(projectRoot), ".ijfw", LOCK_FILE);
+}
+function isPidAlive(pid) {
+  if (!Number.isFinite(pid) || pid <= 0) return false;
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    if (err && err.code === "EPERM") return true;
+    return false;
+  }
+}
+function reclaimIfStale(lp) {
+  if (!existsSync(lp)) return;
+  let raw;
+  try {
+    raw = readFileSync2(lp, "utf8");
+  } catch {
+    return;
+  }
+  const lines = String(raw).split(/\r?\n/);
+  const pid = Number(lines[0]);
+  const ts = Number(lines[1]);
+  const ageOk = Number.isFinite(ts) && Date.now() - ts <= LOCK_STALE_MS;
+  if (isPidAlive(pid) && ageOk) return;
+  try {
+    unlinkSync(lp);
+  } catch {
+  }
+}
+function acquireScanLock(projectRoot) {
+  const dir = join4(String(projectRoot), ".ijfw");
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  const lp = lockPath(projectRoot);
+  reclaimIfStale(lp);
+  const payload = String(process.pid) + "\n" + String(Date.now()) + "\n";
+  try {
+    writeFileSync2(lp, payload, { encoding: "utf8", flag: "wx" });
+  } catch (err) {
+    if (err && err.code === "EEXIST") return null;
+    throw err;
+  }
+  let released = false;
+  return {
+    released: () => {
+      if (released) return;
+      released = true;
+      try {
+        unlinkSync(lp);
+      } catch {
+      }
+    }
+  };
+}
+function shouldResume(state) {
+  if (!state || typeof state !== "object") return false;
+  if (state.incomplete !== true) return false;
+  if (!state.started_at || typeof state.started_at !== "string") return false;
+  const startedMs = Date.parse(state.started_at);
+  if (!Number.isFinite(startedMs)) return false;
+  const ageMs = Date.now() - startedMs;
+  if (ageMs > STALENESS_MS) return false;
+  const attempts = Number.isFinite(state.attempts) ? state.attempts : 0;
+  if (attempts >= ATTEMPT_CAP) return false;
+  return true;
+}
+function clearScanState(projectRoot) {
+  const path = statePath(projectRoot);
+  if (existsSync(path)) {
+    try {
+      unlinkSync(path);
+    } catch {
+    }
+  }
+}
+var STATE_FILE, LOCK_FILE, STALENESS_MS, ATTEMPT_CAP, LOCK_STALE_MS;
+var init_scan_resume = __esm({
+  "../mcp-server/src/scan-resume.js"() {
+    STATE_FILE = "scan-state.json";
+    LOCK_FILE = "scan-state.json.lock";
+    STALENESS_MS = 24 * 60 * 60 * 1e3;
+    ATTEMPT_CAP = 3;
+    LOCK_STALE_MS = 60 * 1e3;
+  }
+});
+// ../mcp-server/src/project-type-detector.js
+import {
+  readFileSync as readFileSync3,
+  writeFileSync as writeFileSync3,
+  existsSync as existsSync2,
+  readdirSync as readdirSync3,
+  statSync as statSync3,
+  renameSync as renameSync2,
+  mkdirSync as mkdirSync2,
+  unlinkSync as unlinkSync2,
+  realpathSync,
+  copyFileSync as copyFileSync2
+} from "fs";
+import { join as join5, extname, isAbsolute, resolve as pathResolve, dirname } from "path";
+import { fileURLToPath } from "url";
+import { createHash } from "crypto";
+function detect(projectRoot, options = {}) {
+  const root = String(projectRoot || process.cwd());
+  const c9Available = options.c9Available === false ? false : options.c9Available === true ? true : isC9AvailableSync();
+  const maxFiles = Number.isFinite(options.maxFiles) && options.maxFiles > 0 ? options.maxFiles : MAX_FILES;
+  const signals = [];
+  const fallbackReason = c9Available ? null : "c9_unavailable";
+  if (options.explicitType && DOMAINS.includes(String(options.explicitType))) {
+    signals.push({ kind: "user_declaration", weight: 1, value: options.explicitType });
+    return finalize({
+      primary: options.explicitType,
+      secondary: [],
+      score: 1,
+      signals,
+      scanIncomplete: false,
+      fallbackReason,
+      treeHash: "",
+      branchHash: branchHash(root)
+    });
+  }
+  const fmAgents = readFrontmatterType(join5(root, "AGENTS.md"));
+  if (fmAgents && DOMAINS.includes(fmAgents)) {
+    signals.push({ kind: "agents_md_frontmatter", weight: 0.9, value: fmAgents });
+  }
+  const fmBrief = readFrontmatterType(join5(root, ".ijfw", "memory", "brief.md"));
+  if (fmBrief && DOMAINS.includes(fmBrief)) {
+    signals.push({ kind: "brief_md_frontmatter", weight: 0.8, value: fmBrief });
+  }
+  const timeBudgetMs = resolveTimeBudgetMs(options);
+  const walk = walkProject(root, { maxFiles, maxDepth: MAX_DEPTH, options, timeBudgetMs });
+  const treeHash = fileTreeHash(walk.fingerprint);
+  if (walk.manifestsFound.length > 0) {
+    signals.push({
+      kind: "manifest",
+      weight: 0.9,
+      manifests: walk.manifestsFound.slice(0, 6)
+    });
+  }
+  for (const d of walk.dirHits.book) signals.push({ kind: "dir_book", weight: 0.4, name: d });
+  for (const d of walk.dirHits.content) signals.push({ kind: "dir_content", weight: 0.4, name: d });
+  for (const d of walk.dirHits.business) signals.push({ kind: "dir_business", weight: 0.4, name: d });
+  for (const d of walk.dirHits.design) signals.push({ kind: "dir_design", weight: 0.4, name: d });
+  const totals = walk.extTotals;
+  const totalClassified = Object.values(totals).reduce((a, b2) => a + b2, 0);
+  if (totalClassified > 0) {
+    for (const [domain, count] of Object.entries(totals)) {
+      const ratio = count / totalClassified;
+      if (ratio >= 0.05) {
+        signals.push({
+          kind: "file_extension_ratio",
+          weight: 0.7,
+          domain,
+          ratio: Number(ratio.toFixed(3)),
+          count
+        });
+      }
+    }
+  }
+  for (const hit of walk.patternHits) {
+    signals.push({ kind: "filename_pattern", weight: hit.weight, domain: hit.domain, name: hit.name });
+  }
+  const scoreboard = scoreSignals(signals);
+  const ranked = rankDomains(scoreboard);
+  let primary;
+  let secondary = [];
+  let confidence;
+  if (ranked.length === 0) {
+    primary = "unknown";
+    confidence = 0;
+  } else {
+    primary = ranked[0].domain;
+    confidence = ranked[0].score;
+    secondary = ranked.slice(1).filter((r) => r.score >= 0.4 && r.domain !== primary).map((r) => r.domain);
+    if (ranked.length >= 2 && ranked[0].score >= 0.55 && ranked[1].score >= 0.5 && ranked[1].score / ranked[0].score >= 0.75) {
+      const topTwo = [ranked[0].domain, ranked[1].domain];
+      secondary = topTwo;
+      primary = "mixed";
+      confidence = Math.min(0.85, (ranked[0].score + ranked[1].score) / 2);
+    }
+  }
+  const highTrust = signals.some(
+    (s) => s.kind === "user_declaration" || s.kind === "agents_md_frontmatter" || s.kind === "brief_md_frontmatter"
+  );
+  if (!c9Available && !highTrust && confidence > 0.7) confidence = 0.7;
+  const scanIncomplete = walk.incomplete;
+  if (scanIncomplete) {
+    const lock = acquireScanLock(root);
+    if (lock) {
+      try {
+        const prior = loadScanState(root) || {};
+        writeScanState(root, {
+          scan_id: prior.scan_id || newScanId(),
+          started_at: prior.started_at || (/* @__PURE__ */ new Date()).toISOString(),
+          last_path_walked: walk.lastPathWalked,
+          files_scanned: walk.filesScanned,
+          total_estimate: walk.totalEstimate,
+          attempts: (prior.attempts || 0) + 1,
+          incomplete: true,
+          session_id: options.sessionId || null,
+          partial: snapshotPartial(walk)
+        });
+      } catch {
+      } finally {
+        lock.released();
+      }
+    }
+  } else {
+    try {
+      clearScanState(root);
+    } catch {
+    }
+  }
+  return finalize({
+    primary,
+    secondary,
+    score: confidence,
+    signals,
+    scanIncomplete,
+    fallbackReason,
+    treeHash,
+    branchHash: branchHash(root)
+  });
+}
+function finalize({ primary, secondary, score, signals, scanIncomplete, fallbackReason, treeHash, branchHash: bh }) {
+  const confidence = Number(Math.max(0, Math.min(1, score)).toFixed(3));
+  const out = {
+    type: primary,
+    // single-label alias for hoist
+    primary_type: primary,
+    secondary_types: Array.isArray(secondary) ? secondary : [],
+    confidence,
+    scan_incomplete: !!scanIncomplete,
+    detected_at: (/* @__PURE__ */ new Date()).toISOString(),
+    signals,
+    fallback_reason: fallbackReason,
+    file_tree_hash: treeHash || "",
+    branch_hash: bh || ""
+  };
+  return out;
+}
+function readFrontmatterType(path) {
+  if (!existsSync2(path)) return null;
+  let src;
+  try {
+    src = readFileSync3(path, "utf8");
+  } catch {
+    return null;
+  }
+  if (!src.startsWith("---\n")) return null;
+  const after = src.slice(4);
+  const closeIdx = after.search(/\n---\s*(?:\r?\n|$)/);
+  if (closeIdx < 0) return null;
+  const fm = after.slice(0, closeIdx);
+  for (const ln of fm.split(/\r?\n/)) {
+    const m2 = ln.match(/^type\s*:\s*(\S+)\s*$/);
+    if (m2) {
+      const v2 = m2[1].replace(/^["']|["']$/g, "");
+      return v2;
+    }
+  }
+  return null;
+}
+function walkProject(root, { maxFiles, maxDepth, options, timeBudgetMs }) {
+  const out = {
+    filesScanned: 0,
+    totalEstimate: 0,
+    incomplete: false,
+    lastPathWalked: "",
+    fingerprint: [],
+    manifestsFound: [],
+    dirHits: { book: [], content: [], business: [], design: [] },
+    extTotals: {},
+    patternHits: []
+  };
+  let resumeFrom = null;
+  let priorState = null;
+  if (options.resume !== false) {
+    const state = loadScanState(root);
+    if (state && shouldResume(state)) {
+      resumeFrom = state.last_path_walked || null;
+      priorState = state;
+    }
+  }
+  if (priorState && priorState.partial && typeof priorState.partial === "object") {
+    const p = priorState.partial;
+    out.filesScanned = Number.isFinite(p.files_scanned) ? p.files_scanned : 0;
+    out.totalEstimate = Number.isFinite(p.total_estimate) ? p.total_estimate : out.filesScanned;
+    if (Array.isArray(p.fingerprint)) out.fingerprint = p.fingerprint.slice(0, 4096);
+    if (Array.isArray(p.manifestsFound)) out.manifestsFound = p.manifestsFound.slice();
+    if (p.dirHits && typeof p.dirHits === "object") {
+      for (const k2 of ["book", "content", "business", "design"]) {
+        if (Array.isArray(p.dirHits[k2])) out.dirHits[k2] = p.dirHits[k2].slice();
+      }
+    }
+    if (p.extTotals && typeof p.extTotals === "object") out.extTotals = { ...p.extTotals };
+    if (Array.isArray(p.patternHits)) out.patternHits = p.patternHits.slice();
+  }
+  let resumed = !resumeFrom;
+  const visitedDirs = /* @__PURE__ */ new Set();
+  try {
+    visitedDirs.add(realpathSync.native(root));
+  } catch {
+  }
+  const startedAt = Date.now();
+  const budget = Number.isFinite(timeBudgetMs) && timeBudgetMs > 0 ? timeBudgetMs : DEFAULT_TIME_BUDGET_MS;
+  let entriesSinceTimeCheck = 0;
+  const stack = [{ path: root, depth: 0 }];
+  while (stack.length > 0) {
+    const { path, depth } = stack.pop();
+    if (depth > maxDepth) continue;
+    let entries;
+    try {
+      entries = readdirSync3(path, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    entries.sort((a, b2) => a.name < b2.name ? -1 : a.name > b2.name ? 1 : 0);
+    for (const entry of entries) {
+      const childPath = join5(path, entry.name);
+      if (!resumed) {
+        if (childPath === resumeFrom) resumed = true;
+        continue;
+      }
+      out.lastPathWalked = childPath;
+      entriesSinceTimeCheck += 1;
+      if (entriesSinceTimeCheck >= TIME_BUDGET_CHECK_EVERY) {
+        entriesSinceTimeCheck = 0;
+        if (Date.now() - startedAt > budget) {
+          out.incomplete = true;
+          return out;
+        }
+      }
+      if (entry.isDirectory()) {
+        if (SKIP_DIRS.has(entry.name)) continue;
+        try {
+          const real = realpathSync.native(childPath);
+          if (visitedDirs.has(real)) continue;
+          visitedDirs.add(real);
+        } catch {
+        }
+        recordDirHit(out, entry.name, depth);
+        stack.push({ path: childPath, depth: depth + 1 });
+        continue;
+      }
+      if (!entry.isFile()) continue;
+      out.filesScanned += 1;
+      out.totalEstimate = Math.max(out.totalEstimate, out.filesScanned);
+      if (out.fingerprint.length < 4096) {
+        out.fingerprint.push(childPath.slice(root.length + 1));
+      }
+      if (depth <= 2 && SOFTWARE_MANIFESTS.includes(entry.name)) {
+        out.manifestsFound.push(entry.name);
+      }
+      for (const p of FILENAME_PATTERNS) {
+        if (p.re.test(entry.name)) {
+          out.patternHits.push({ name: entry.name, domain: p.domain, weight: p.weight });
+          break;
+        }
+      }
+      const ext = extname(entry.name).toLowerCase();
+      const dom = EXT_DOMAIN[ext];
+      if (dom) {
+        out.extTotals[dom] = (out.extTotals[dom] || 0) + 1;
+      }
+      if (out.filesScanned % CHECKPOINT_EVERY === 0) {
+        try {
+          writeScanState(root, {
+            scan_id: newScanId(),
+            started_at: (/* @__PURE__ */ new Date()).toISOString(),
+            last_path_walked: childPath,
+            files_scanned: out.filesScanned,
+            total_estimate: out.totalEstimate,
+            attempts: 1,
+            incomplete: true,
+            partial: snapshotPartial(out)
+          });
+        } catch {
+        }
+      }
+      if (out.filesScanned >= maxFiles) {
+        out.incomplete = true;
+        return out;
+      }
+    }
+  }
+  return out;
+}
+function snapshotPartial(out) {
+  return {
+    files_scanned: out.filesScanned,
+    total_estimate: out.totalEstimate,
+    fingerprint: out.fingerprint.slice(0, 4096),
+    manifestsFound: out.manifestsFound.slice(0, 32),
+    dirHits: {
+      book: out.dirHits.book.slice(0, 32),
+      content: out.dirHits.content.slice(0, 32),
+      business: out.dirHits.business.slice(0, 32),
+      design: out.dirHits.design.slice(0, 32)
+    },
+    extTotals: { ...out.extTotals },
+    patternHits: out.patternHits.slice(0, 64)
+  };
+}
+function resolveTimeBudgetMs(options) {
+  if (Number.isFinite(options.timeBudgetMs) && options.timeBudgetMs > 0) {
+    return options.timeBudgetMs;
+  }
+  const env = process.env.IJFW_DETECT_TIME_BUDGET_MS;
+  if (env) {
+    const n = Number(env);
+    if (Number.isFinite(n) && n > 0) return n;
+  }
+  return DEFAULT_TIME_BUDGET_MS;
+}
+function recordDirHit(out, name12, depth) {
+  if (depth > 2) return;
+  const lower = name12.toLowerCase();
+  if (BOOK_DIRS.includes(lower)) out.dirHits.book.push(lower);
+  if (CONTENT_DIRS.includes(lower)) out.dirHits.content.push(lower);
+  if (BUSINESS_DIRS.includes(lower)) out.dirHits.business.push(lower);
+  if (DESIGN_DIRS.includes(lower)) out.dirHits.design.push(lower);
+}
+function scoreSignals(signals) {
+  const board = {
+    software: 0,
+    book: 0,
+    content: 0,
+    business: 0,
+    design: 0,
+    mixed: 0,
+    unknown: 0
+  };
+  const patternBudget = { software: 0.8, book: 0.8, content: 0.8, business: 0.8, design: 0.8, mixed: 0.8, unknown: 0.8 };
+  const dirBudget = { software: 0.6, book: 0.6, content: 0.6, business: 0.6, design: 0.6, mixed: 0.6, unknown: 0.6 };
+  for (const s of signals) {
+    if (s.kind === "user_declaration" && s.value) board[s.value] += 1;
+    else if (s.kind === "agents_md_frontmatter" && s.value) board[s.value] += 0.9;
+    else if (s.kind === "brief_md_frontmatter" && s.value) board[s.value] += 0.8;
+    else if (s.kind === "manifest") board.software += 0.9;
+    else if (s.kind === "dir_book") {
+      const add = Math.min(0.4, dirBudget.book);
+      board.book += add;
+      dirBudget.book -= add;
+    } else if (s.kind === "dir_content") {
+      const add = Math.min(0.4, dirBudget.content);
+      board.content += add;
+      dirBudget.content -= add;
+    } else if (s.kind === "dir_business") {
+      const add = Math.min(0.4, dirBudget.business);
+      board.business += add;
+      dirBudget.business -= add;
+    } else if (s.kind === "dir_design") {
+      const add = Math.min(0.4, dirBudget.design);
+      board.design += add;
+      dirBudget.design -= add;
+    } else if (s.kind === "file_extension_ratio") {
+      const m2 = s.ratio || 0;
+      board[s.domain] = (board[s.domain] || 0) + 0.7 * m2;
+    } else if (s.kind === "filename_pattern") {
+      const add = Math.min(s.weight, patternBudget[s.domain] || 0);
+      if (add > 0) {
+        board[s.domain] = (board[s.domain] || 0) + add;
+        patternBudget[s.domain] -= add;
+      }
+    }
+  }
+  return board;
+}
+function rankDomains(board) {
+  const arr = Object.entries(board).filter(([d]) => d !== "mixed" && d !== "unknown").map(([domain, raw]) => ({ domain, raw }));
+  if (arr.length === 0) return [];
+  const maxRaw = arr.reduce((m2, e) => Math.max(m2, e.raw), 0);
+  if (maxRaw <= 0) return [];
+  for (const e of arr) {
+    e.score = anchor(e.raw, maxRaw);
+  }
+  arr.sort((a, b2) => b2.score - a.score);
+  return arr;
+}
+function anchor(raw, maxRaw) {
+  if (raw <= 0) return 0;
+  const top = Math.min(0.95, 0.4 + 0.55 * Math.tanh(raw));
+  return Number((top * (raw / maxRaw)).toFixed(3));
+}
+function fileTreeHash(paths) {
+  if (!paths || paths.length === 0) return "";
+  const h = createHash("sha256");
+  for (const p of paths) h.update(p + "\n");
+  return h.digest("hex").slice(0, 16);
+}
+function branchHash(root) {
+  try {
+    const dotGit = join5(root, ".git");
+    if (!existsSync2(dotGit)) return "";
+    let headPath = null;
+    let st;
+    try {
+      st = statSync3(dotGit);
+    } catch {
+      return "";
+    }
+    if (st.isDirectory()) {
+      headPath = join5(dotGit, "HEAD");
+    } else if (st.isFile()) {
+      const ptr = readFileSync3(dotGit, "utf8");
+      const m3 = ptr.match(/^gitdir:\s*(.+?)\s*$/m);
+      if (!m3) return "";
+      const target = m3[1];
+      const gitDir = isAbsolute(target) ? target : pathResolve(root, target);
+      headPath = join5(gitDir, "HEAD");
+    } else {
+      return "";
+    }
+    if (!headPath || !existsSync2(headPath)) return "";
+    const head = readFileSync3(headPath, "utf8").trim();
+    const m2 = head.match(/^ref:\s*(.+)$/);
+    const branch = m2 ? m2[1] : head;
+    return createHash("sha256").update(branch).digest("hex").slice(0, 16);
+  } catch {
+  }
+  return "";
+}
+function isC9AvailableSync() {
+  if (_c9AvailableCache !== null) return _c9AvailableCache;
+  try {
+    const here = fileURLToPath(import.meta.url);
+    const fts5Path = join5(dirname(here), "compute", "fts5.js");
+    _c9AvailableCache = existsSync2(fts5Path);
+  } catch {
+    _c9AvailableCache = false;
+  }
+  return _c9AvailableCache;
+}
+function newScanId() {
+  return createHash("sha256").update(String(process.pid) + ":" + String(Date.now()) + ":" + Math.random()).digest("hex").slice(0, 12);
+}
+var DOMAINS, MAX_FILES, MAX_DEPTH, CHECKPOINT_EVERY, DEFAULT_TIME_BUDGET_MS, TIME_BUDGET_CHECK_EVERY, SKIP_DIRS, EXT_DOMAIN, SOFTWARE_MANIFESTS, BOOK_DIRS, CONTENT_DIRS, BUSINESS_DIRS, DESIGN_DIRS, FILENAME_PATTERNS, _c9AvailableCache;
+var init_project_type_detector = __esm({
+  "../mcp-server/src/project-type-detector.js"() {
+    init_scan_resume();
+    DOMAINS = ["software", "book", "content", "business", "design", "mixed", "unknown"];
+    MAX_FILES = 2e5;
+    MAX_DEPTH = 12;
+    CHECKPOINT_EVERY = 500;
+    DEFAULT_TIME_BUDGET_MS = 5e3;
+    TIME_BUDGET_CHECK_EVERY = 1e3;
+    SKIP_DIRS = /* @__PURE__ */ new Set([
+      ".git",
+      ".hg",
+      ".svn",
+      ".ijfw",
+      ".planning",
+      ".cache",
+      "node_modules",
+      "dist",
+      "build",
+      "out",
+      "target",
+      ".next",
+      "__pycache__",
+      ".venv",
+      "venv",
+      "env",
+      ".pytest_cache",
+      ".mypy_cache",
+      ".tox",
+      ".gradle",
+      ".idea",
+      ".vscode",
+      "vendor",
+      "bower_components"
+    ]);
+    EXT_DOMAIN = {
+      // software (heavy)
+      ".js": "software",
+      ".jsx": "software",
+      ".ts": "software",
+      ".tsx": "software",
+      ".mjs": "software",
+      ".cjs": "software",
+      ".py": "software",
+      ".rs": "software",
+      ".go": "software",
+      ".java": "software",
+      ".kt": "software",
+      ".scala": "software",
+      ".rb": "software",
+      ".php": "software",
+      ".c": "software",
+      ".cc": "software",
+      ".cpp": "software",
+      ".h": "software",
+      ".hpp": "software",
+      ".hh": "software",
+      ".swift": "software",
+      ".m": "software",
+      ".mm": "software",
+      ".cs": "software",
+      ".fs": "software",
+      ".lua": "software",
+      ".dart": "software",
+      ".zig": "software",
+      // book / long-form prose
+      ".tex": "book",
+      ".bib": "book",
+      ".latex": "book",
+      ".epub": "book",
+      ".mobi": "book",
+      // content / blog / docs / marketing
+      ".mdx": "content",
+      ".markdown": "content",
+      ".rst": "content",
+      // design / assets
+      ".fig": "design",
+      ".sketch": "design",
+      ".xd": "design",
+      ".ai": "design",
+      ".psd": "design",
+      ".indd": "design",
+      ".svg": "design",
+      ".afdesign": "design",
+      ".afphoto": "design",
+      // business / ops
+      ".xlsx": "business",
+      ".xls": "business",
+      ".csv": "business",
+      ".numbers": "business",
+      ".ods": "business",
+      ".pptx": "business",
+      ".ppt": "business",
+      ".key": "business",
+      ".docx": "business",
+      ".doc": "business"
+    };
+    SOFTWARE_MANIFESTS = [
+      "package.json",
+      "Cargo.toml",
+      "pyproject.toml",
+      "setup.py",
+      "Gemfile",
+      "go.mod",
+      "pom.xml",
+      "build.gradle",
+      "build.gradle.kts",
+      "composer.json",
+      "Package.swift",
+      "mix.exs",
+      "rebar.config",
+      "pubspec.yaml",
+      "CMakeLists.txt",
+      "Makefile"
+    ];
+    BOOK_DIRS = ["manuscripts", "manuscript", "drafts", "draft", "chapters", "book"];
+    CONTENT_DIRS = ["content", "posts", "articles", "blog", "newsletter", "social"];
+    BUSINESS_DIRS = ["strategy", "financials", "finance", "ops", "runbooks", "sop", "sops", "ops-runbooks"];
+    DESIGN_DIRS = ["designs", "design", "assets", "mockups", "wireframes", "figma"];
+    FILENAME_PATTERNS = [
+      { re: /^chapter[-_]?\d+/i, domain: "book", weight: 0.4 },
+      { re: /^ch\d+/i, domain: "book", weight: 0.3 },
+      { re: /^brand[-_]voice/i, domain: "content", weight: 0.4 },
+      { re: /^seo[-_]/i, domain: "content", weight: 0.2 },
+      { re: /^post[-_]/i, domain: "content", weight: 0.2 },
+      { re: /^figma[-_]export/i, domain: "design", weight: 0.4 },
+      { re: /^wireframe/i, domain: "design", weight: 0.3 }
+    ];
+    _c9AvailableCache = null;
+  }
+});
+// ../mcp-server/src/gate-result.js
+import { mkdir, writeFile } from "node:fs/promises";
+import { basename, dirname as dirname2, join as join6 } from "node:path";
+async function emitGateResult(gateOpts, context = {}) {
+  if (gateOpts === null || typeof gateOpts !== "object") {
+    throw new TypeError("emitGateResult: gateOpts must be an object");
+  }
+  const projectType = typeof context.project_type === "string" && context.project_type.length > 0 ? context.project_type : await resolveProjectType(context.projectRoot);
+  const result = {
+    schema_version: SCHEMA_VERSION,
+    gate_id: makeGateId(gateOpts.gate),
+    gate: gateOpts.gate,
+    status: gateOpts.status,
+    project_type: projectType,
+    lenses: Array.isArray(gateOpts.lenses) ? gateOpts.lenses : [],
+    affected_artifacts: Array.isArray(gateOpts.affected_artifacts) ? gateOpts.affected_artifacts : [],
+    accounting: gateOpts.accounting,
+    remediation: Array.isArray(gateOpts.remediation) ? gateOpts.remediation : [],
+    receipts_ref: gateOpts.receipts_ref === void 0 ? null : gateOpts.receipts_ref,
+    supersedes: gateOpts.supersedes === void 0 ? null : gateOpts.supersedes,
+    emitted_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const { valid, errors } = validateGateResult(result);
+  if (!valid) {
+    throw new Error(
+      `emitGateResult: invalid gate-result \u2014 ${errors.join("; ")}`
+    );
+  }
+  makeReceipt(result, {
+    projectRoot: typeof context.projectRoot === "string" && context.projectRoot.length > 0 ? context.projectRoot : process.cwd()
+  }).catch(() => {
+  });
+  return formatGateResult(result);
+}
+async function makeReceipt(gateResult, opts = {}) {
+  try {
+    if (!gateResult || typeof gateResult !== "object") return;
+    const gateId = typeof gateResult.gate_id === "string" ? gateResult.gate_id : null;
+    if (!gateId) return;
+    if (!RECEIPT_GATE_ID_PATTERN.test(gateId)) {
+      try {
+        process.stderr.write(
+          `ijfw: makeReceipt rejected unsafe gate_id "${gateId}"
+`
+        );
+      } catch {
+      }
+      return;
+    }
+    const safeId = basename(gateId);
+    const root = typeof opts.projectRoot === "string" && opts.projectRoot.length > 0 ? opts.projectRoot : process.cwd();
+    const receiptPath = join6(
+      root,
+      ".ijfw",
+      "memory",
+      "gate-receipts",
+      `${safeId}.json`
+    );
+    await mkdir(dirname2(receiptPath), { recursive: true });
+    const body = JSON.stringify(gateResult, null, 2) + "\n";
+    await writeFile(receiptPath, body, "utf8");
+  } catch (err) {
+    const msg = err && err.message ? err.message : String(err);
+    try {
+      process.stderr.write(`ijfw: gate-result receipt write failed: ${msg}
+`);
+    } catch {
+    }
+  }
+}
+async function resolveProjectType(projectRoot) {
+  try {
+    const root = typeof projectRoot === "string" && projectRoot.length > 0 ? projectRoot : process.cwd();
+    const detected = detect(root);
+    if (detected && typeof detected.primary_type === "string" && detected.primary_type.length > 0) {
+      return detected.primary_type;
+    }
+    if (detected && typeof detected.type === "string" && detected.type.length > 0) {
+      return detected.type;
+    }
+    return "unknown";
+  } catch {
+    return "unknown";
+  }
+}
+var RECEIPT_GATE_ID_PATTERN;
+var init_gate_result = __esm({
+  "../mcp-server/src/gate-result.js"() {
+    init_gate_result_schema();
+    init_project_type_detector();
+    RECEIPT_GATE_ID_PATTERN = /^[a-z][a-z0-9-]+$/;
+  }
+});
 // src/preflight/gates/audit-ci.js
 var audit_ci_exports = {};
 __export(audit_ci_exports, {
@@ -577,51 +1685,105 @@ __export(audit_ci_exports, {
   severity: () => severity7
 });
 import { spawnSync as spawnSync7 } from "node:child_process";
-import { join as join4 } from "node:path";
+import { join as join7 } from "node:path";
+function parseAuditReport(output) {
+  const start = output.indexOf("{");
+  if (start === -1) return null;
+  try {
+    return JSON.parse(output.slice(start));
+  } catch {
+    return null;
+  }
+}
+function highCriticalCount(report) {
+  const vulns = report?.metadata?.vulnerabilities || {};
+  return Number(vulns.high || 0) + Number(vulns.critical || 0);
+}
+function vulnerableNames(report) {
+  const out = [];
+  for (const [name12, vuln] of Object.entries(report?.vulnerabilities || {})) {
+    const severity12 = String(vuln?.severity || "").toLowerCase();
+    if (severity12 === "high" || severity12 === "critical") out.push(`${name12}: ${severity12}`);
+  }
+  return out;
+}
 async function run7(ctx) {
   const t0 = Date.now();
-  const ver = ctx.versions["audit-ci"] || "latest";
-  const configPath = join4(ctx.repoRoot, ".audit-ci.jsonc");
   const packageDirs = ["installer", "mcp-server"];
   const runs = packageDirs.map((dir) => {
     const res = spawnSync7(
-      "npx",
-      ["--yes", `audit-ci@${ver}`, "--config", configPath],
+      "npm",
+      ["audit", "--audit-level=high", "--json"],
       {
         encoding: "utf8",
-        cwd: join4(ctx.repoRoot, dir),
+        cwd: join7(ctx.repoRoot, dir),
         timeout: 6e4
       }
     );
-    return { dir, status: res.status, output: (res.stdout || "") + (res.stderr || "") };
+    const output = (res.stdout || "") + (res.stderr || "");
+    const report = parseAuditReport(output);
+    const highCritical = highCriticalCount(report);
+    return { dir, status: res.status, output, report, highCritical };
   });
   const durationMs = Date.now() - t0;
-  const failed = runs.filter((r) => r.status !== 0);
-  if (failed.length === 0) {
-    return {
-      name: "audit-ci",
-      status: "PASS",
-      message: "audit-ci: no high/critical vulnerabilities in installer or mcp-server",
-      details: runs.map((r) => `${r.dir}: pass`),
-      durationMs
-    };
+  const failed = runs.filter((r) => !r.report || r.highCritical > 0);
+  const status = failed.length === 0 ? "PASS" : "FAIL";
+  const message = status === "PASS" ? "audit-ci: no high/critical vulnerabilities in installer or mcp-server" : "audit-ci: high or critical vulnerabilities found";
+  let details;
+  if (status === "PASS") {
+    details = runs.map((r) => `${r.dir}: pass`);
+  } else {
+    const lines = [];
+    for (const r of failed) {
+      if (!r.report) {
+        lines.push(`${r.dir}: audit report unavailable`);
+        lines.push(...r.output.split("\n").filter(Boolean).slice(0, 10));
+        continue;
+      }
+      lines.push(`${r.dir}: ${r.highCritical} high/critical advisory item(s)`);
+      lines.push(...vulnerableNames(r.report).slice(0, 10));
+    }
+    details = lines.slice(0, 20);
   }
-  const lines = [];
-  for (const r of failed) {
-    lines.push(`${r.dir}: audit failed`);
-    lines.push(...r.output.split("\n").filter(Boolean).slice(0, 10));
+  try {
+    const block = await emitGateResult(
+      {
+        gate: "preflight:audit-ci",
+        status,
+        lenses: [],
+        affected_artifacts: [],
+        accounting: {
+          duration_ms: durationMs,
+          lenses_invoked: 0,
+          cost_usd: null
+        },
+        remediation: []
+      },
+      ctx && ctx.repoRoot ? { projectRoot: ctx.repoRoot } : {}
+    );
+    if (typeof block === "string" && block.length > 0) {
+      details = [...details, block];
+    }
+  } catch (err) {
+    const msg = err && err.message ? err.message : String(err);
+    try {
+      process.stderr.write(`ijfw: preflight:audit-ci gate-result emit failed: ${msg}
+`);
+    } catch {
+    }
   }
   return {
     name: "audit-ci",
-    status: "FAIL",
-    message: "audit-ci: high or critical vulnerabilities found",
-    details: lines.slice(0, 20),
+    status,
+    message,
+    details,
     durationMs
   };
 }
 var name7, severity7, parallel7;
 var init_audit_ci = __esm({
   "src/preflight/gates/audit-ci.js"() {
+    init_gate_result();
     name7 = "audit-ci";
     severity7 = "blocking";
     parallel7 = true;
@@ -683,7 +1845,7 @@ __export(license_check_exports, {
   severity: () => severity9
 });
 import { spawnSync as spawnSync9 } from "node:child_process";
-import { join as join5 } from "node:path";
+import { join as join8 } from "node:path";
 async function run9(ctx) {
   const t0 = Date.now();
   const ver = ctx.versions["license-checker"] || "latest";
@@ -692,7 +1854,7 @@ async function run9(ctx) {
     ["--yes", `license-checker@${ver}`, "--onlyAllow", ALLOWED, "--production"],
     {
       encoding: "utf8",
-      cwd: join5(ctx.repoRoot, "installer"),
+      cwd: join8(ctx.repoRoot, "installer"),
       timeout: 3e4
     }
   );
@@ -735,12 +1897,12 @@ __export(pack_smoke_exports, {
   severity: () => severity10
 });
 import { spawnSync as spawnSync10 } from "node:child_process";
-import { mkdtempSync as mkdtempSync2, rmSync as rmSync2, mkdirSync, writeFileSync as writeFileSync2, readdirSync as readdirSync3, existsSync } from "node:fs";
-import { join as join6, resolve } from "node:path";
+import { mkdtempSync as mkdtempSync2, rmSync as rmSync2, mkdirSync as mkdirSync3, writeFileSync as writeFileSync4, readdirSync as readdirSync4, existsSync as existsSync3 } from "node:fs";
+import { join as join9, resolve } from "node:path";
 import { tmpdir as tmpdir2 } from "node:os";
 async function run10(ctx) {
   const t0 = Date.now();
-  const installerDir = join6(ctx.repoRoot, "installer");
+  const installerDir = join9(ctx.repoRoot, "installer");
   const build = spawnSync10("npm", ["run", "build"], {
     encoding: "utf8",
     cwd: installerDir,
@@ -782,13 +1944,13 @@ async function run10(ctx) {
     };
   }
   const tarballPath = resolve(installerDir, tarball);
-  const tmpRoot = mkdtempSync2(join6(tmpdir2(), "ijfw-pack-smoke-"));
-  const fakeHome = join6(tmpRoot, "home");
-  const installDir = join6(tmpRoot, "install");
-  mkdirSync(fakeHome, { recursive: true });
-  mkdirSync(installDir, { recursive: true });
+  const tmpRoot = mkdtempSync2(join9(tmpdir2(), "ijfw-pack-smoke-"));
+  const fakeHome = join9(tmpRoot, "home");
+  const installDir = join9(tmpRoot, "install");
+  mkdirSync3(fakeHome, { recursive: true });
+  mkdirSync3(installDir, { recursive: true });
   try {
-    writeFileSync2(join6(installDir, "package.json"), JSON.stringify({ name: "smoke-test", version: "1.0.0", type: "module" }));
+    writeFileSync4(join9(installDir, "package.json"), JSON.stringify({ name: "smoke-test", version: "1.0.0", type: "module" }));
     const install = spawnSync10("npm", ["install", "--no-save", tarballPath], {
       encoding: "utf8",
       cwd: installDir,
@@ -806,25 +1968,25 @@ async function run10(ctx) {
       };
     }
     const binCandidates = [
-      join6(installDir, "node_modules", ".bin", "ijfw"),
-      join6(installDir, "node_modules", ".bin", "ijfw-install")
+      join9(installDir, "node_modules", ".bin", "ijfw"),
+      join9(installDir, "node_modules", ".bin", "ijfw-install")
     ];
     let binPath = null;
     for (const c2 of binCandidates) {
-      if (existsSync(c2)) {
+      if (existsSync3(c2)) {
         binPath = c2;
         break;
       }
     }
     if (!binPath) {
-      const binDir = join6(installDir, "node_modules", ".bin");
+      const binDir = join9(installDir, "node_modules", ".bin");
       let entries = [];
       try {
-        entries = readdirSync3(binDir);
+        entries = readdirSync4(binDir);
       } catch {
       }
       const found = entries.find((e) => e.startsWith("ijfw"));
-      if (found) binPath = join6(binDir, found);
+      if (found) binPath = join9(binDir, found);
     }
     if (!binPath) {
       return {
@@ -887,12 +2049,12 @@ __export(upgrade_smoke_exports, {
   severity: () => severity11
 });
 import { spawnSync as spawnSync11 } from "node:child_process";
-import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3, readFileSync, existsSync as existsSync2 } from "node:fs";
-import { join as join7, resolve as resolve2 } from "node:path";
+import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, mkdirSync as mkdirSync4, writeFileSync as writeFileSync5, readFileSync as readFileSync4, existsSync as existsSync4 } from "node:fs";
+import { join as join10, resolve as resolve2 } from "node:path";
 import { tmpdir as tmpdir3 } from "node:os";
 async function run11(ctx) {
   const t0 = Date.now();
-  const installerDir = join7(ctx.repoRoot, "installer");
+  const installerDir = join10(ctx.repoRoot, "installer");
   const build = spawnSync11("npm", ["run", "build"], {
     encoding: "utf8",
     cwd: installerDir,
@@ -925,15 +2087,15 @@ async function run11(ctx) {
   }
   const tarball = pack.stdout.trim();
   const tarballPath = resolve2(installerDir, tarball);
-  const tmpRoot = mkdtempSync3(join7(tmpdir3(), "ijfw-upgrade-smoke-"));
-  const fakeHome = join7(tmpRoot, "home");
-  const installDir = join7(tmpRoot, "install");
-  mkdirSync2(fakeHome, { recursive: true });
-  mkdirSync2(installDir, { recursive: true });
-  const claudeDir = join7(fakeHome, ".claude");
-  mkdirSync2(claudeDir, { recursive: true });
+  const tmpRoot = mkdtempSync3(join10(tmpdir3(), "ijfw-upgrade-smoke-"));
+  const fakeHome = join10(tmpRoot, "home");
+  const installDir = join10(tmpRoot, "install");
+  mkdirSync4(fakeHome, { recursive: true });
+  mkdirSync4(installDir, { recursive: true });
+  const claudeDir = join10(fakeHome, ".claude");
+  mkdirSync4(claudeDir, { recursive: true });
   try {
-    writeFileSync3(join7(installDir, "package.json"), JSON.stringify({ name: "upgrade-smoke", version: "1.0.0", type: "module" }));
+    writeFileSync5(join10(installDir, "package.json"), JSON.stringify({ name: "upgrade-smoke", version: "1.0.0", type: "module" }));
     const install = spawnSync11("npm", ["install", "--no-save", tarballPath], {
       encoding: "utf8",
       cwd: installDir,
@@ -951,12 +2113,12 @@ async function run11(ctx) {
       };
     }
     const binCandidates = [
-      join7(installDir, "node_modules", ".bin", "ijfw-install"),
-      join7(installDir, "node_modules", ".bin", "ijfw")
+      join10(installDir, "node_modules", ".bin", "ijfw-install"),
+      join10(installDir, "node_modules", ".bin", "ijfw")
     ];
     let installerBin = null;
     for (const c2 of binCandidates) {
-      if (existsSync2(c2)) {
+      if (existsSync4(c2)) {
         installerBin = c2;
         break;
       }
@@ -970,11 +2132,11 @@ async function run11(ctx) {
         durationMs: Date.now() - t0
       };
     }
-    const settingsPath = join7(claudeDir, "settings.json");
-    if (existsSync2(settingsPath)) {
+    const settingsPath = join10(claudeDir, "settings.json");
+    if (existsSync4(settingsPath)) {
       let settings;
       try {
-        settings = JSON.parse(readFileSync(settingsPath, "utf8"));
+        settings = JSON.parse(readFileSync4(settingsPath, "utf8"));
       } catch (e) {
         return {
           name: "upgrade-smoke",
@@ -995,9 +2157,9 @@ async function run11(ctx) {
         };
       }
     }
-    const marketplaceSrc = join7(installerDir, "src", "marketplace.js");
-    if (existsSync2(marketplaceSrc)) {
-      const src = readFileSync(marketplaceSrc, "utf8");
+    const marketplaceSrc = join10(installerDir, "src", "marketplace.js");
+    if (existsSync4(marketplaceSrc)) {
+      const src = readFileSync4(marketplaceSrc, "utf8");
       const registersCorrectKey = src.includes("'ijfw@ijfw'") || src.includes('"ijfw@ijfw"');
       const registersWrongKey = /enabledPlugins\[['"]ijfw-core@ijfw['"]\]\s*=\s*true/.test(src);
       if (!registersCorrectKey) {
@@ -1052,9 +2214,9 @@ var preflight_exports = {};
 __export(preflight_exports, {
   runPreflightCommand: () => runPreflightCommand
 });
-import { readFileSync as readFileSync2, existsSync as existsSync3 } from "node:fs";
-import { join as join8, dirname, resolve as resolve3 } from "node:path";
-import { fileURLToPath } from "node:url";
+import { readFileSync as readFileSync5, existsSync as existsSync5 } from "node:fs";
+import { join as join11, dirname as dirname3, resolve as resolve3 } from "node:path";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
 function printHelp() {
   console.log(`
 ijfw preflight -- 11-gate quality pipeline
@@ -1090,13 +2252,13 @@ SLO
 }
 function loadVersions(repoRoot2) {
   const candidates = [
-    join8(repoRoot2, "preflight-versions.json"),
-    join8(repoRoot2, ".ijfw", "preflight-versions.json")
+    join11(repoRoot2, "preflight-versions.json"),
+    join11(repoRoot2, ".ijfw", "preflight-versions.json")
   ];
   for (const f of candidates) {
-    if (existsSync3(f)) {
+    if (existsSync5(f)) {
       try {
-        return JSON.parse(readFileSync2(f, "utf8"));
+        return JSON.parse(readFileSync5(f, "utf8"));
       } catch {
       }
     }
@@ -1155,7 +2317,7 @@ async function runPreflightCommand(argv, repoRoot2) {
 function defaultRepoRoot() {
   let dir = __dirname;
   for (let i = 0; i < 8; i++) {
-    if (existsSync3(join8(dir, "package.json")) && existsSync3(join8(dir, "mcp-server"))) return dir;
+    if (existsSync5(join11(dir, "package.json")) && existsSync5(join11(dir, "mcp-server"))) return dir;
     const next = resolve3(dir, "..");
     if (next === dir) break;
     dir = next;
@@ -1166,8 +2328,8 @@ var __dirname;
 var init_preflight = __esm({
   async "src/preflight.js"() {
     init_runner();
-    __dirname = dirname(fileURLToPath(import.meta.url));
-    if (process.argv[1] && resolve3(process.argv[1]) === fileURLToPath(import.meta.url)) {
+    __dirname = dirname3(fileURLToPath2(import.meta.url));
+    if (process.argv[1] && resolve3(process.argv[1]) === fileURLToPath2(import.meta.url)) {
       await runPreflightCommand(process.argv, defaultRepoRoot());
     }
   }
@@ -2433,20 +3595,78 @@ Please report this to https://github.com/markedjs/marked.`, e) {
 });
 // src/ijfw.js
-import { dirname as dirname2, join as join9, resolve as resolve4, basename } from "node:path";
-import { fileURLToPath as fileURLToPath2 } from "node:url";
-import { existsSync as existsSync4, mkdirSync as mkdirSync3, copyFileSync, readdirSync as readdirSync4, rmSync as rmSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync4 } from "node:fs";
-import { homedir, platform as platform2 } from "node:os";
+import { dirname as dirname4, join as join12, resolve as resolve4, basename as basename2 } from "node:path";
+import { fileURLToPath as fileURLToPath3 } from "node:url";
+import { existsSync as existsSync6, mkdirSync as mkdirSync5, copyFileSync as copyFileSync3, readdirSync as readdirSync5, rmSync as rmSync4, readFileSync as readFileSync6, writeFileSync as writeFileSync6 } from "node:fs";
+import { homedir, platform } from "node:os";
 import { spawnSync as spawnSync12 } from "node:child_process";
-var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
+var __dirname2 = dirname4(fileURLToPath3(import.meta.url));
 function repoRoot() {
   let dir = __dirname2;
   for (let i = 0; i < 6; i++) {
-    if (existsSync4(join9(dir, "package.json")) && existsSync4(join9(dir, ".git"))) return dir;
+    if (existsSync6(join12(dir, "package.json")) && existsSync6(join12(dir, ".git"))) return dir;
     dir = resolve4(dir, "..");
   }
   return process.cwd();
 }
+function findInternalAsset(...rel) {
+  const root = repoRoot();
+  const ijfwHome = join12(homedir(), ".ijfw");
+  const candidates = [join12(root, ...rel), join12(ijfwHome, ...rel)];
+  return candidates.find((p) => existsSync6(p)) || null;
+}
+function readDashboardPort() {
+  const portFile = join12(homedir(), ".ijfw", "dashboard.port");
+  try {
+    const port = Number.parseInt(readFileSync6(portFile, "utf8").trim(), 10);
+    return Number.isFinite(port) ? port : 37891;
+  } catch {
+    return 37891;
+  }
+}
+function openBrowser(url) {
+  if (process.env.CI || process.env.NO_OPEN) return;
+  const r = platform() === "darwin" ? spawnSync12("open", [url], { stdio: "ignore" }) : platform() === "win32" ? spawnSync12("cmd", ["/c", "start", "", url], { stdio: "ignore", shell: false }) : spawnSync12("xdg-open", [url], { stdio: "ignore" });
+  return r.status ?? 0;
+}
+var ORCHESTRATOR_COMMANDS = /* @__PURE__ */ new Set([
+  "update",
+  "statusline",
+  "config",
+  "insight",
+  "blackboard",
+  "team",
+  "swarm",
+  "codex",
+  "recover",
+  "memory",
+  "cross",
+  "status",
+  "demo",
+  "import",
+  "receipt",
+  "--purge-receipts",
+  "workflow",
+  "handoff",
+  "compress",
+  "consolidate",
+  "cross-audit",
+  "cross-critique",
+  "cross-research",
+  "ijfw-audit",
+  "ijfw-execute",
+  "ijfw-help",
+  "ijfw-plan",
+  "ijfw-ship",
+  "ijfw-verify",
+  "memory-audit",
+  "memory-consent",
+  "memory-why",
+  "metrics",
+  "mode",
+  "override",
+  "extension"
+]);
 function printHelp2() {
   console.log(`
 ijfw -- the AI efficiency layer
@@ -2460,7 +3680,13 @@ COMMANDS
   help        Open the full IJFW guide (terminal, or --browser for rendered)
   preflight   Run 11-gate quality pipeline before publishing
   dashboard   Start / stop / check the local observability dashboard
-  design      Manage the visual design companion
+  design      Manage live previews and durable design intelligence
+  blackboard  Coordinate project-local swarm state and artifact claims
+  codex       Check and sync Codex-native IJFW surfaces
+  team        Assemble project agents, charter, and workflow manifest
+  swarm       Plan, prepare, and track artifact-aware parallel work
+  recover     Show latest checkpoint and next recovery step
+  cross       Run Trident audit/research/critique, e.g. ijfw cross audit README.md
   doctor      Diagnose IJFW installation health
   --help, -h  Show this help
@@ -2475,10 +3701,10 @@ function doctorCheck(cmd, args) {
 }
 function findCli() {
   const candidates = [
-    join9(repoRoot(), "mcp-server", "src", "cross-orchestrator-cli.js"),
-    join9(homedir(), ".ijfw", "mcp-server", "src", "cross-orchestrator-cli.js")
+    join12(repoRoot(), "mcp-server", "src", "cross-orchestrator-cli.js"),
+    join12(homedir(), ".ijfw", "mcp-server", "src", "cross-orchestrator-cli.js")
   ];
-  return candidates.find((p) => existsSync4(p)) || null;
+  return candidates.find((p) => existsSync6(p)) || null;
 }
 function delegateToCli(argTail) {
   const cli = findCli();
@@ -2497,8 +3723,8 @@ async function main() {
     const verbose = argv.slice(3).includes("--verbose");
     if (delegateToCli(argv.slice(2))) return;
     try {
-      const pkgPath = join9(__dirname2, "..", "package.json");
-      const pkg = JSON.parse(readFileSync3(pkgPath, "utf8"));
+      const pkgPath = join12(__dirname2, "..", "package.json");
+      const pkg = JSON.parse(readFileSync6(pkgPath, "utf8"));
       console.log(`@ijfw/install@${pkg.version || "unknown"}`);
       if (verbose) {
         console.log("  (full --verbose details require a completed install: run ijfw install)");
@@ -2508,11 +3734,14 @@ async function main() {
     }
     process.exit(0);
   }
-  if (sub === "update" || sub === "statusline" || sub === "config" || sub === "insight") {
+  if (ORCHESTRATOR_COMMANDS.has(sub)) {
     if (delegateToCli(argv.slice(2))) return;
     console.error(`'ijfw ${sub}' requires a completed IJFW install. Run: ijfw install`);
     process.exit(1);
   }
+  if (sub === "doctor" && findCli()) {
+    if (delegateToCli(argv.slice(2))) return;
+  }
   switch (sub) {
     case "install": {
       const installBin = resolve4(__dirname2, "..", "dist", "install.js");
@@ -2533,19 +3762,13 @@ async function main() {
     }
     case "dashboard": {
       const dashSub = argv[3];
-      const root = repoRoot();
-      const ijfwHome = join9(homedir(), ".ijfw");
-      const findInTree = (...rel) => {
-        const candidates = [join9(root, ...rel), join9(ijfwHome, ...rel)];
-        return candidates.find((p) => existsSync4(p)) || null;
-      };
       if (dashSub === "start" || dashSub === "stop" || dashSub === "status") {
-        const dashBin = findInTree("mcp-server", "bin", "ijfw-dashboard");
+        const dashBin = findInternalAsset("mcp-server", "bin", "ijfw-dashboard");
         if (dashBin) {
           const r = spawnSync12("node", [dashBin, dashSub, ...argv.slice(4)], { stdio: "inherit" });
           process.exit(r.status ?? 0);
         } else {
-          const serverJs = findInTree("mcp-server", "src", "dashboard-server.js");
+          const serverJs = findInternalAsset("mcp-server", "src", "dashboard-server.js");
           if (dashSub === "start" && serverJs) {
             const { spawn } = await import("node:child_process");
             const child = spawn(process.execPath, [serverJs, "start", "--daemon"], {
@@ -2560,7 +3783,7 @@ async function main() {
           process.exit(1);
         }
       } else if (dashSub === "render" || !dashSub) {
-        const binJs = findInTree("scripts", "dashboard", "bin.js");
+        const binJs = findInternalAsset("scripts", "dashboard", "bin.js");
         if (binJs) {
           const r = spawnSync12("node", [binJs, ...argv.slice(dashSub ? 4 : 3)], { stdio: "inherit" });
           process.exit(r.status ?? 0);
@@ -2576,30 +3799,72 @@ async function main() {
     }
     case "design": {
       const designSub = argv[3];
-      const contentDir = join9(homedir(), ".ijfw", "design-companion", "content");
-      mkdirSync3(contentDir, { recursive: true });
-      if (designSub === "push") {
-        const filePath = argv[4];
-        if (!filePath) {
-          console.error("Usage: ijfw design push <file.html>");
+      const durableDesign = ["init", "plan", "audit", "critique", "polish", "normalize", "bolder", "quieter", "handoff"];
+      if (durableDesign.includes(designSub)) {
+        if (delegateToCli(argv.slice(2))) return;
+        console.error(`'ijfw design ${designSub}' requires a completed IJFW install. Run: ijfw install`);
+        process.exit(1);
+      }
+      const contentDir = join12(homedir(), ".ijfw", "design-companion", "content");
+      mkdirSync5(contentDir, { recursive: true });
+      if (designSub === "start" || designSub === "open") {
+        const dashBin = findInternalAsset("mcp-server", "bin", "ijfw-dashboard");
+        if (!dashBin) {
+          console.error("[ijfw] Design companion server not found. Run `ijfw-install` to deploy ~/.ijfw/, or run from the IJFW repo root.");
           process.exit(1);
         }
-        const abs = resolve4(filePath);
-        if (!existsSync4(abs)) {
-          console.error(`File not found: ${abs}`);
+        const noOpen = argv.slice(4).includes("--no-open");
+        const r = spawnSync12("node", [dashBin, "start", "--no-open"], { stdio: designSub === "start" ? "inherit" : "ignore" });
+        if ((r.status ?? 1) !== 0) process.exit(r.status ?? 1);
+        const url = `http://localhost:${readDashboardPort()}/design`;
+        if (!noOpen) openBrowser(url);
+        console.log(`Design companion running at ${url}`);
+      } else if (designSub === "status") {
+        const dashBin = findInternalAsset("mcp-server", "bin", "ijfw-dashboard");
+        if (!dashBin) {
+          console.error("[ijfw] Design companion server not found. Run `ijfw-install` to deploy ~/.ijfw/, or run from the IJFW repo root.");
           process.exit(1);
         }
-        const dest = join9(contentDir, basename(abs));
-        copyFileSync(abs, dest);
-        console.log(`Design pushed: ${dest}`);
+        const r = spawnSync12("node", [dashBin, "status"], { stdio: "inherit" });
+        if ((r.status ?? 1) === 0) console.log(`Design companion URL: http://localhost:${readDashboardPort()}/design`);
+        process.exit(r.status ?? 0);
+      } else if (designSub === "stop") {
+        const dashBin = findInternalAsset("mcp-server", "bin", "ijfw-dashboard");
+        if (!dashBin) {
+          console.error("[ijfw] Design companion server not found. Run `ijfw-install` to deploy ~/.ijfw/, or run from the IJFW repo root.");
+          process.exit(1);
+        }
+        const r = spawnSync12("node", [dashBin, "stop"], { stdio: "inherit" });
+        process.exit(r.status ?? 0);
+      } else if (designSub === "push") {
+        const filePaths = argv.slice(4);
+        if (filePaths.length === 0) {
+          console.error("Usage: ijfw design push <file.html> [more.html ...]");
+          process.exit(1);
+        }
+        for (const filePath of filePaths) {
+          const abs = resolve4(filePath);
+          if (!abs.toLowerCase().endsWith(".html")) {
+            console.error("Design companion accepts standalone .html files.");
+            process.exit(1);
+          }
+          if (!existsSync6(abs)) {
+            console.error(`File not found: ${abs}`);
+            process.exit(1);
+          }
+          const dest = join12(contentDir, basename2(abs));
+          copyFileSync3(abs, dest);
+          console.log(`Design pushed: ${dest}`);
+        }
+        console.log(`Preview: http://localhost:${readDashboardPort()}/design`);
       } else if (designSub === "clear") {
-        const files = readdirSync4(contentDir);
-        for (const f of files) rmSync4(join9(contentDir, f), { force: true });
+        const files = readdirSync5(contentDir);
+        for (const f of files) rmSync4(join12(contentDir, f), { force: true });
         console.log("Design companion content cleared.");
       } else {
-        console.log("ijfw design -- Manage the visual design companion. Push HTML mockups for live preview.");
+        console.log("ijfw design -- Manage live preview and durable design intelligence.");
         console.log("");
-        console.log("Usage: ijfw design push <file.html> | ijfw design clear");
+        console.log("Usage: ijfw design start [--no-open] | open | status | stop | push <file.html> [more.html ...] | clear | init|plan|audit|critique|polish|normalize|bolder|quieter|handoff");
         process.exit(1);
       }
       break;
@@ -2607,26 +3872,26 @@ async function main() {
     case "help": {
       const wantsBrowser = argv.slice(3).includes("--browser");
       const candidates = [
-        join9(repoRoot(), "docs", "GUIDE.md"),
+        join12(repoRoot(), "docs", "GUIDE.md"),
         resolve4(__dirname2, "..", "docs", "GUIDE.md"),
-        join9(homedir(), ".ijfw", "docs", "GUIDE.md")
+        join12(homedir(), ".ijfw", "docs", "GUIDE.md")
       ];
-      const guidePath = candidates.find((p) => existsSync4(p));
+      const guidePath = candidates.find((p) => existsSync6(p));
       if (!guidePath) {
         console.error("[ijfw] Guide not found. Run `ijfw install` to fetch the full guide, or visit https://gitlab.com/therealseandonahoe/ijfw/-/blob/main/docs/GUIDE.md");
         process.exit(1);
       }
       if (wantsBrowser) {
         const { marked } = await Promise.resolve().then(() => (init_marked_esm(), marked_esm_exports));
-        const assetsSrc = join9(dirname2(guidePath), "guide", "assets");
-        const outDir = join9(homedir(), ".ijfw", "guide");
-        mkdirSync3(join9(outDir, "assets"), { recursive: true });
-        if (existsSync4(assetsSrc)) {
-          for (const f of readdirSync4(assetsSrc)) {
-            copyFileSync(join9(assetsSrc, f), join9(outDir, "assets", f));
+        const assetsSrc = join12(dirname4(guidePath), "guide", "assets");
+        const outDir = join12(homedir(), ".ijfw", "guide");
+        mkdirSync5(join12(outDir, "assets"), { recursive: true });
+        if (existsSync6(assetsSrc)) {
+          for (const f of readdirSync5(assetsSrc)) {
+            copyFileSync3(join12(assetsSrc, f), join12(outDir, "assets", f));
           }
         }
-        const md = readFileSync3(guidePath, "utf8").replace(/\(guide\/assets\//g, "(assets/");
+        const md = readFileSync6(guidePath, "utf8").replace(/\(guide\/assets\//g, "(assets/");
         const rendered = marked.parse(md, { gfm: true, breaks: false });
         const html = `<!doctype html>
 <html lang="en"><head>
@@ -2643,9 +3908,9 @@ async function main() {
   table{display:table;width:100%}
 </style>
 </head><body><div class="wrap markdown-body">${rendered}</div></body></html>`;
-        const outHtml = join9(outDir, "index.html");
-        writeFileSync4(outHtml, html);
-        const opener = platform2() === "darwin" ? "open" : platform2() === "win32" ? "start" : "xdg-open";
+        const outHtml = join12(outDir, "index.html");
+        writeFileSync6(outHtml, html);
+        const opener = platform() === "darwin" ? "open" : platform() === "win32" ? "start" : "xdg-open";
         spawnSync12(opener, [outHtml], { stdio: "ignore", detached: true });
         console.log(`[ijfw] Guide opened in your browser.`);
         console.log(`       Local copy: ${outHtml}`);
@@ -2655,10 +3920,10 @@ async function main() {
       if (hasLess) {
         const lessRes = spawnSync12("less", ["-R", guidePath], { stdio: "inherit" });
         if (lessRes.status !== 0 && lessRes.status !== null) {
-          process.stdout.write(readFileSync3(guidePath, "utf8"));
+          process.stdout.write(readFileSync6(guidePath, "utf8"));
         }
       } else {
-        process.stdout.write(readFileSync3(guidePath, "utf8"));
+        process.stdout.write(readFileSync6(guidePath, "utf8"));
       }
       process.exit(0);
       break;