@jsonstudio/rcc 0.89.1348 → 0.89.1488

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jsonstudio/rcc",
-  "version": "0.89.1348",
+  "version": "0.89.1488",
   "description": "Multi-provider OpenAI proxy server with anthropic/responses/chat support (release)",
   "type": "module",
   "main": "dist/index.js",
@@ -39,7 +39,12 @@
     "dev": "tsx watch src/index.ts",
     "jest:run": "node --experimental-vm-modules ./node_modules/jest/bin/jest.js",
     "test": "npm run test:routing-instructions && npm run mock:regressions",
-    "test:routing-instructions": "npm run jest:run -- --runTestsByPath tests/server/runtime/request-executor.single-attempt.spec.ts tests/server/runtime/executor-provider.retryable.spec.ts tests/providers/core/runtime/gemini-cli-http-provider.unit.test.ts tests/providers/core/runtime/antigravity-quota-client.unit.test.ts tests/manager/quota/provider-quota-center.spec.ts tests/manager/quota/provider-quota-store.spec.ts tests/manager/quota/quota-manager-refresh.spec.ts tests/manager/quota/provider-quota-daemon-module.spec.ts tests/manager/quota/provider-key-normalization.spec.ts tests/server/http-server/daemon-admin.e2e.spec.ts tests/server/http-server/quota-view-injection.spec.ts tests/server/http-server/quota-refresh-triggers.e2e.spec.ts tests/server/http-server/hub-policy-injection.spec.ts tests/server/http-server/session-header-injection.spec.ts tests/server/http-server/session-dir.spec.ts tests/server/handlers/sse-timeout.spec.ts tests/utils/is-direct-execution.test.ts tests/utils/windows-netstat.test.ts tests/servertool/virtual-router-context-fallback.spec.ts tests/servertool/virtual-router-longcontext-fallback.spec.ts tests/servertool/virtual-router-series-cooldown.spec.ts tests/servertool/recursive-detection-guard.spec.ts tests/servertool/routing-instructions.spec.ts tests/servertool/stop-message-auto.spec.ts tests/servertool/stopmessage-session-scope.spec.ts tests/servertool/stopmessage-anthropic-stop-sequence.spec.ts tests/servertool/servertool-progress-logging.spec.ts tests/unified-hub/hub-v1-single-path-imports.spec.ts",
+    "test:ci:jest": "node scripts/tests/ci-jest.mjs",
+    "test:ci:jest:coverage": "node scripts/tests/ci-jest.mjs --coverage",
+    "test:ci": "npm run test:ci:jest && npm run mock:regressions",
+    "test:ci:coverage": "npm run test:ci:jest:coverage",
+    "verify:repo-sanity": "node scripts/ci/repo-sanity.mjs",
+    "test:routing-instructions": "npm run jest:run -- --runTestsByPath tests/server/runtime/request-executor.single-attempt.spec.ts tests/server/runtime/executor-provider.retryable.spec.ts tests/providers/auth/tokenfile-auth.iflow.spec.ts tests/providers/core/runtime/gemini-cli-http-provider.unit.test.ts tests/providers/core/runtime/antigravity-quota-client.unit.test.ts tests/manager/quota/provider-quota-center.spec.ts tests/manager/quota/provider-quota-store.spec.ts tests/manager/quota/quota-manager-refresh.spec.ts tests/manager/quota/provider-quota-daemon-module.spec.ts tests/manager/quota/provider-key-normalization.spec.ts tests/server/http-server/daemon-admin.e2e.spec.ts tests/server/http-server/quota-view-injection.spec.ts tests/server/http-server/quota-refresh-triggers.e2e.spec.ts tests/server/http-server/hub-policy-injection.spec.ts tests/server/http-server/session-header-injection.spec.ts tests/server/http-server/session-dir.spec.ts tests/server/handlers/sse-timeout.spec.ts tests/utils/is-direct-execution.test.ts tests/utils/windows-netstat.test.ts tests/servertool/virtual-router-context-fallback.spec.ts tests/servertool/virtual-router-longcontext-fallback.spec.ts tests/servertool/virtual-router-series-cooldown.spec.ts tests/servertool/recursive-detection-guard.spec.ts tests/servertool/routing-instructions.spec.ts tests/servertool/stop-message-auto.spec.ts tests/servertool/stopmessage-session-scope.spec.ts tests/servertool/stopmessage-anthropic-stop-sequence.spec.ts tests/servertool/servertool-progress-logging.spec.ts tests/servertool/servertool-clock.spec.ts tests/sharedmodule/gemini-mapper-functioncall-args.spec.ts tests/sharedmodule/mcp-tool-descriptions.spec.ts tests/unified-hub/hub-v1-single-path-imports.spec.ts",
     "test:cli": "npm run jest:run -- --runTestsByPath tests/cli/clean-command.spec.ts tests/cli/code-command.spec.ts tests/cli/config-command.spec.ts tests/cli/env-command.spec.ts tests/cli/env-output.spec.ts tests/cli/examples-command.spec.ts tests/cli/port-command.spec.ts tests/cli/port-utils.spec.ts tests/cli/restart-command.spec.ts tests/cli/smoke.spec.ts tests/cli/start-command.spec.ts tests/cli/status-command.spec.ts tests/cli/stop-command.spec.ts",
     "test:watch": "npm run jest:run -- --watch",
     "test:coverage": "npm run jest:run -- --coverage",
@@ -51,11 +56,11 @@
     "test:lmstudio-dryrun": "node tests/lmstudio-tools-bidir-dry-run.mjs",
     "test:unified-hub-shadow": "node scripts/tests/unified-hub-shadow-regression.mjs",
     "test:unified-hub-responses-enforce": "node scripts/tests/unified-hub-responses-enforce-safe.mjs",
-    "lint": "eslint --no-eslintrc -c .eslintrc.json src --ext .ts --no-cache",
-    "lint:fix": "eslint --no-eslintrc -c .eslintrc.json src --ext .ts --fix --no-cache",
-    "lint:strict": "eslint --no-eslintrc -c .eslintrc.json src --ext .ts --max-warnings 0 --no-cache",
+    "lint": "ESLINT_USE_FLAT_CONFIG=1 eslint \"src/**/*.ts\" --no-cache",
+    "lint:fix": "ESLINT_USE_FLAT_CONFIG=1 eslint \"src/**/*.ts\" --fix --no-cache",
+    "lint:strict": "ESLINT_USE_FLAT_CONFIG=1 eslint \"src/**/*.ts\" --max-warnings 0 --no-cache",
     "clean": "rm -rf dist coverage",
-    "prebuild": "echo skip-lint",
+    "prebuild": "npm run verify:repo-sanity && echo skip-lint",
     "prepare": "",
     "postinstall": "chmod +x dist/cli.js || true",
     "verify:apply-patch": "node scripts/verify-apply-patch.mjs",
@@ -65,6 +70,7 @@
     "verify:e2e-gemini-followup-sample": "node scripts/verify-e2e-gemini-followup-sample.mjs",
     "install:global": "./scripts/install-global.sh",
     "install:release": "./scripts/install-release.sh",
+    "release:rcc": "npm run pack:rcc",
     "audit:tool-text": "node scripts/audit-tool-text.mjs",
     "start:bg": "bash scripts/run-bg.sh -- 'node dist/index.js'",
     "start:fg": "bash scripts/run-fg-gtimeout.sh 12 -- 'node dist/index.js'",
@@ -81,10 +87,10 @@
     "verify:sse-loop": "node scripts/verify-sse-loop.mjs",
     "snapshot:inspect": "node scripts/snapshot-inspect.mjs",
     "policy:report": "node scripts/policy-violations-report.mjs",
-    "debug:responses": "tsx tools/responses-debug-client/src/index.ts",
-    "debug:responses:lmstudio:text": "tsx tools/responses-debug-client/src/index.ts --file tools/responses-debug-client/payloads/lmstudio-text.json --baseURL ${LMSTUDIO_BASEURL:-http://127.0.0.1:1234/v1}",
-    "debug:responses:lmstudio:tool": "tsx tools/responses-debug-client/src/index.ts --file tools/responses-debug-client/payloads/lmstudio-tool.json --baseURL ${LMSTUDIO_BASEURL:-http://127.0.0.1:1234/v1}",
-    "capture:responses:lmstudio": "node scripts/capture-responses-sse.mjs --file tools/responses-debug-client/payloads/lmstudio-tool.json",
+    "debug:responses": "tsx scripts/tools-dev/responses-debug-client/src/index.ts",
+    "debug:responses:lmstudio:text": "tsx scripts/tools-dev/responses-debug-client/src/index.ts --file scripts/tools-dev/responses-debug-client/payloads/text.json --baseURL ${LMSTUDIO_BASEURL:-http://127.0.0.1:1234/v1}",
+    "debug:responses:lmstudio:tool": "tsx scripts/tools-dev/responses-debug-client/src/index.ts --file scripts/tools-dev/responses-debug-client/payloads/tool.json --baseURL ${LMSTUDIO_BASEURL:-http://127.0.0.1:1234/v1}",
+    "capture:responses:lmstudio": "node scripts/capture-responses-sse.mjs --file scripts/tools-dev/responses-debug-client/payloads/tool.json",
     "llmswitch:ensure": "node scripts/ensure-llmswitch-mode.mjs",
     "llmswitch:link": "node scripts/link-llmswitch.mjs",
     "llmswitch:unlink": "node scripts/link-llmswitch.mjs unlink",
@@ -140,7 +146,7 @@
   },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.65.0",
-    "@jsonstudio/llms": "^0.6.1172",
+    "@jsonstudio/llms": "^0.6.1397",
     "@lmstudio/sdk": "^1.5.0",
     "@radix-ui/react-switch": "^1.2.6",
     "@types/socket.io": "^3.0.1",

package/scripts/antigravity-token-bridge.mjs

@@ -0,0 +1,283 @@
+import fs from 'fs/promises';
+import { existsSync, readdirSync } from 'fs';
+import path from 'path';
+import os from 'os';
+import crypto from 'crypto';
+
+const args = process.argv.slice(2);
+const opts = new Set(args);
+
+const direction = args.includes('--to-routecodex') ? 'ag-to-rc' : 'rc-to-ag';
+const dryRun = opts.has('--dry-run');
+
+const home = os.homedir();
+const rcAuthDir = path.join(home, '.routecodex', 'auth');
+const agDataDir = path.join(home, '.antigravity_tools');
+const agAccountsDir = path.join(agDataDir, 'accounts');
+const agIndexPath = path.join(agDataDir, 'accounts.json');
+
+function nowSeconds() {
+  return Math.floor(Date.now() / 1000);
+}
+
+function normalizeExpirySeconds(token) {
+  const expiry = token.expiry_timestamp;
+  if (typeof expiry === 'number') {
+    return expiry > 10_000_000_000 ? Math.floor(expiry / 1000) : Math.floor(expiry);
+  }
+  const expiresAt = token.expires_at;
+  if (typeof expiresAt === 'number') {
+    return expiresAt > 10_000_000_000 ? Math.floor(expiresAt / 1000) : Math.floor(expiresAt);
+  }
+  const expiresIn = token.expires_in;
+  if (typeof expiresIn === 'number') {
+    return nowSeconds() + Math.max(0, Math.floor(expiresIn));
+  }
+  return nowSeconds() + 3600;
+}
+
+function normalizeRcToken(raw) {
+  if (!raw || typeof raw !== 'object') {
+    return null;
+  }
+  if (raw.token && typeof raw.token === 'object' && raw.token.access_token) {
+    return { ...raw.token, ...raw };
+  }
+  return raw;
+}
+
+async function ensureDir(p) {
+  await fs.mkdir(p, { recursive: true });
+}
+
+function pickEmail(token) {
+  if (typeof token.email === 'string' && token.email.trim()) {
+    return token.email.trim();
+  }
+  if (token.id_token && typeof token.id_token === 'string') {
+    // avoid parsing JWT here to keep script simple
+  }
+  return '';
+}
+
+async function loadExistingAccounts() {
+  if (!existsSync(agAccountsDir)) {
+    return { byEmail: new Map(), accounts: [] };
+  }
+  const byEmail = new Map();
+  const accounts = [];
+  for (const name of readdirSync(agAccountsDir)) {
+    if (!name.endsWith('.json')) {
+      continue;
+    }
+    const filePath = path.join(agAccountsDir, name);
+    try {
+      const raw = JSON.parse(await fs.readFile(filePath, 'utf-8'));
+      accounts.push({ filePath, data: raw });
+      if (raw && typeof raw.email === 'string') {
+        byEmail.set(raw.email, { filePath, data: raw });
+      }
+    } catch {
+      // ignore malformed file
+    }
+  }
+  return { byEmail, accounts };
+}
+
+async function loadAccountsIndex() {
+  try {
+    const raw = JSON.parse(await fs.readFile(agIndexPath, 'utf-8'));
+    if (raw && typeof raw === 'object' && Array.isArray(raw.accounts)) {
+      return raw;
+    }
+  } catch {
+    // ignore
+  }
+  return { version: '2.0', accounts: [], current_account_id: null };
+}
+
+function upsertIndexEntry(index, account) {
+  const idx = index.accounts.findIndex((item) => item.id === account.id);
+  const summary = {
+    id: account.id,
+    email: account.email,
+    name: account.name ?? null,
+    disabled: !!account.disabled,
+    proxy_disabled: !!account.proxy_disabled,
+    created_at: account.created_at,
+    last_used: account.last_used
+  };
+  if (idx >= 0) {
+    index.accounts[idx] = summary;
+  } else {
+    index.accounts.push(summary);
+  }
+}
+
+async function rcToAg() {
+  if (!existsSync(rcAuthDir)) {
+    throw new Error(`RouteCodex auth dir not found: ${rcAuthDir}`);
+  }
+  await ensureDir(agAccountsDir);
+
+  const { byEmail } = await loadExistingAccounts();
+  const index = await loadAccountsIndex();
+
+  const files = readdirSync(rcAuthDir).filter((name) => /^antigravity-oauth-.*\.json$/i.test(name));
+  if (!files.length) {
+    console.log('No antigravity token files found in ~/.routecodex/auth');
+    return;
+  }
+
+  for (const name of files) {
+    const filePath = path.join(rcAuthDir, name);
+    let tokenRaw;
+    try {
+      tokenRaw = JSON.parse(await fs.readFile(filePath, 'utf-8'));
+    } catch {
+      console.log(`Skip unreadable token: ${filePath}`);
+      continue;
+    }
+    const token = normalizeRcToken(tokenRaw);
+    if (!token || typeof token.access_token !== 'string' || typeof token.refresh_token !== 'string') {
+      console.log(`Skip invalid token (missing access/refresh): ${filePath}`);
+      continue;
+    }
+
+    const email = pickEmail(token);
+    if (!email) {
+      console.log(`Skip token without email: ${filePath}`);
+      continue;
+    }
+
+    const now = nowSeconds();
+    const expiryTimestamp = normalizeExpirySeconds(token);
+    const projectId = typeof token.project_id === 'string' ? token.project_id : (typeof token.projectId === 'string' ? token.projectId : undefined);
+
+    const baseAccount = {
+      created_at: now,
+      disabled: token.disabled === true,
+      email,
+      id: crypto.randomUUID(),
+      last_used: now,
+      name: typeof token.name === 'string' ? token.name : null,
+      proxy_disabled: token.proxy_disabled === true || token.proxyDisabled === true,
+      proxy_disabled_at: token.proxy_disabled_at ?? null,
+      proxy_disabled_reason: token.proxy_disabled_reason ?? null,
+      quota: null,
+      protected_models: Array.isArray(token.protected_models)
+        ? token.protected_models
+        : Array.isArray(token.protectedModels)
+          ? token.protectedModels
+          : [],
+      disabled_reason: token.disabled_reason ?? null,
+      disabled_at: token.disabled_at ?? null,
+      token: {
+        access_token: token.access_token,
+        refresh_token: token.refresh_token,
+        expires_in: typeof token.expires_in === 'number' ? token.expires_in : 3600,
+        expiry_timestamp: expiryTimestamp,
+        token_type: typeof token.token_type === 'string' ? token.token_type : 'Bearer',
+        email,
+        project_id: projectId
+      }
+    };
+
+    const existing = byEmail.get(email);
+    let account = baseAccount;
+    let targetPath;
+    if (existing) {
+      account = { ...existing.data, ...baseAccount };
+      account.id = existing.data.id || baseAccount.id;
+      account.created_at = existing.data.created_at || baseAccount.created_at;
+      account.last_used = now;
+      account.token = { ...(existing.data.token || {}), ...(baseAccount.token || {}) };
+      targetPath = existing.filePath;
+    } else {
+      targetPath = path.join(agAccountsDir, `${account.id}.json`);
+    }
+
+    if (dryRun) {
+      console.log(`[dry-run] write ${targetPath}`);
+    } else {
+      await fs.writeFile(targetPath, `${JSON.stringify(account, null, 2)}\n`, 'utf-8');
+      upsertIndexEntry(index, account);
+      console.log(`Wrote ${targetPath}`);
+    }
+  }
+
+  if (!dryRun) {
+    await fs.writeFile(agIndexPath, `${JSON.stringify(index, null, 2)}\n`, 'utf-8');
+    console.log(`Updated ${agIndexPath}`);
+  }
+}
+
+async function agToRc() {
+  if (!existsSync(agAccountsDir)) {
+    throw new Error(`Antigravity accounts dir not found: ${agAccountsDir}`);
+  }
+  await ensureDir(rcAuthDir);
+
+  const files = readdirSync(agAccountsDir).filter((name) => name.endsWith('.json'));
+  if (!files.length) {
+    console.log('No antigravity account files found in ~/.antigravity_tools/accounts');
+    return;
+  }
+
+  let seq = 1;
+  for (const name of files) {
+    const filePath = path.join(agAccountsDir, name);
+    let account;
+    try {
+      account = JSON.parse(await fs.readFile(filePath, 'utf-8'));
+    } catch {
+      console.log(`Skip unreadable account: ${filePath}`);
+      continue;
+    }
+    const token = account?.token;
+    if (!token || typeof token.access_token !== 'string') {
+      console.log(`Skip account without token: ${filePath}`);
+      continue;
+    }
+    const alias = typeof account.email === 'string' ? account.email.split('@')[0] : 'imported';
+    const rcPath = path.join(rcAuthDir, `antigravity-oauth-${seq}-${alias}.json`);
+    seq += 1;
+
+    const payload = {
+      access_token: token.access_token,
+      refresh_token: token.refresh_token,
+      token_type: token.token_type || 'Bearer',
+      expires_in: token.expires_in,
+      expires_at: typeof token.expiry_timestamp === 'number' ? token.expiry_timestamp * 1000 : undefined,
+      email: account.email,
+      name: account.name ?? undefined,
+      project_id: token.project_id || account.project_id || account.projectId,
+      projectId: token.project_id || account.projectId || account.project_id,
+      disabled: account.disabled === true,
+      disabled_reason: account.disabled_reason ?? undefined,
+      disabled_at: account.disabled_at ?? undefined,
+      proxy_disabled: account.proxy_disabled === true,
+      proxy_disabled_reason: account.proxy_disabled_reason ?? undefined,
+      proxy_disabled_at: account.proxy_disabled_at ?? undefined,
+      protected_models: Array.isArray(account.protected_models) ? account.protected_models : undefined
+    };
+
+    if (dryRun) {
+      console.log(`[dry-run] write ${rcPath}`);
+    } else {
+      await fs.writeFile(rcPath, `${JSON.stringify(payload, null, 2)}\n`, 'utf-8');
+      console.log(`Wrote ${rcPath}`);
+    }
+  }
+}
+
+try {
+  if (direction === 'ag-to-rc') {
+    await agToRc();
+  } else {
+    await rcToAg();
+  }
+} catch (error) {
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exit(1);
+}

package/scripts/build-core.mjs

@@ -13,7 +13,9 @@ const coreRoot = path.join(root, 'sharedmodule', 'llmswitch-core');
 const outDir = path.join(coreRoot, 'dist');
 const requiredOutputs = [
   path.join(outDir, 'bridge', 'routecodex-adapter.js'),
-  path.join(outDir, 'conversion', 'hub', 'response', 'provider-response.js')
+  path.join(outDir, 'conversion', 'hub', 'response', 'provider-response.js'),
+  // RouteCodex runtime loads this module via llmswitch bridge; ensure dev builds produce it.
+  path.join(outDir, 'router', 'virtual-router', 'error-center.js')
 ];
 
 function fail(msg){ console.error(`[build-core] ${msg}`); process.exit(2); }

package/scripts/ci/repo-sanity.mjs

@@ -0,0 +1,138 @@
+import { spawnSync } from 'node:child_process';
+import fs from 'node:fs';
+import path from 'node:path';
+
+function runGit(args) {
+  const out = spawnSync('git', args, { encoding: 'utf8' });
+  if (out.status !== 0) {
+    throw new Error(`git ${args.join(' ')} failed: ${out.stderr || out.stdout}`);
+  }
+  return String(out.stdout || '');
+}
+
+function isIgnoredByGit(p) {
+  const out = spawnSync('git', ['check-ignore', '-q', p], { encoding: 'utf8' });
+  return out.status === 0;
+}
+
+function listRootEntries() {
+  const cwd = process.cwd();
+  return fs
+    .readdirSync(cwd, { withFileTypes: true })
+    .filter((d) => d.name !== '.git')
+    .filter((d) => !isIgnoredByGit(d.name))
+    .map((d) => d.name)
+    .sort();
+}
+
+function isForbiddenRootFile(p) {
+  const base = path.posix.basename(p);
+  const allow = new Set(['AGENTS.md', 'README.md', 'task.md']);
+  if (allow.has(base)) return false;
+  if (/^test-.*\.(mjs|js|ts|py)$/i.test(base)) return true;
+  if (/^debug-.*\.(mjs|js|ts)$/i.test(base)) return true;
+  if (/\.pid$/i.test(base)) return true;
+  if (/\.tgz$/i.test(base)) return true;
+  if (base === 'plan.md') return true;
+  if (base === 'task-fallback.md') return true;
+  if (base === 'task.archive.md') return true;
+  if (base === 'WARP.md') return true;
+  if (base === 'CLAUDE.md') return true;
+  if (/(_SUMMARY|_FIX)_/i.test(base) && base.toLowerCase().endsWith('.md')) return true;
+  // Disallow ad-hoc root markdown by default (docs belong under docs/).
+  if (base.toLowerCase().endsWith('.md')) return true;
+  return false;
+}
+
+function isForbiddenTrackedPath(p) {
+  // Keep the rules narrow and explicit: this is an audit guard, not a policy engine.
+  if (p.startsWith('docs/archive/')) return true;
+  if (p.startsWith('scripts/dev/')) return true;
+  if (p.startsWith('scripts/test-') && p.endsWith('.mjs')) return true;
+  if (p.startsWith('tools/')) return true;
+  if (p.startsWith('replay/')) return true;
+  if (p.startsWith('servertool/')) return true;
+  if (p.startsWith('verified-configs/')) return true;
+  if (p.startsWith('interpreter/')) return true;
+  if (p.startsWith('exporters/')) return true;
+  if (p.startsWith('bin/')) return true;
+  if (p.startsWith('.npm-cache-local/')) return true;
+  if (p.startsWith('.claude/')) return true;
+  if (p.startsWith('.iflow/')) return true;
+  if (p === '.secrets.baseline') return true;
+  if (p.endsWith('/.DS_Store') || p === '.DS_Store') return true;
+  return false;
+}
+
+function checkRootLayout() {
+  // Fixed top-level layout. Adding new root entries requires an explicit policy change.
+  const allowed = new Set([
+    'eslint.config.js',
+    '.github',
+    '.gitignore',
+    'AGENTS.md',
+    'README.md',
+    'config',
+    'configsamples',
+    'dist',
+    'docs',
+    'jest.config.js',
+    'node_modules',
+    'package',
+    'package-lock.json',
+    'package.json',
+    'rcc',
+    'samples',
+    'scripts',
+    'sharedmodule',
+    'src',
+    'task.md',
+    'tests',
+    'tmp',
+    'tsconfig.json',
+    'vendor',
+  ]);
+
+  const rootEntries = listRootEntries();
+  const unexpected = rootEntries.filter((name) => !allowed.has(name));
+  if (unexpected.length) {
+    console.error('[repo-sanity] unexpected root entries (top-level is fixed):');
+    for (const name of unexpected) console.error(`- ${name}`);
+    process.exit(2);
+  }
+}
+
+function checkUntrackedNotIgnored() {
+  // Fail fast if anything new appears outside gitignore (anywhere in repo).
+  const out = runGit(['ls-files', '--others', '--exclude-standard']);
+  const paths = out
+    .split('\n')
+    .map((s) => s.trim())
+    .filter(Boolean);
+  if (paths.length) {
+    console.error('[repo-sanity] untracked files not ignored (add them to git or gitignore):');
+    for (const p of paths.slice(0, 200)) console.error(`- ${p}`);
+    if (paths.length > 200) console.error(`- ... (${paths.length - 200} more)`);
+    process.exit(2);
+  }
+}
+
+const files = runGit(['ls-files']).split('\n').map((s) => s.trim()).filter(Boolean);
+const forbidden = [];
+for (const p of files) {
+  if (isForbiddenTrackedPath(p)) forbidden.push(p);
+  if (!p.includes('/') && isForbiddenRootFile(p)) forbidden.push(p);
+}
+
+if (forbidden.length) {
+  console.error('[repo-sanity] forbidden tracked files detected:');
+  for (const p of Array.from(new Set(forbidden)).sort()) {
+    console.error(`- ${p}`);
+  }
+  process.exit(2);
+}
+
+checkRootLayout();
+checkUntrackedNotIgnored();
+
+console.log('[repo-sanity] ok');