npm - @kingkyylian/handoffkit - Versions diffs - 0.1.0 - Mend

@kingkyylian/handoffkit 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1026 @@
+#!/usr/bin/env node
+// src/cli/index.ts
+import { Command as Command6 } from "commander";
+// src/cli/commands/pack.ts
+import { Command } from "commander";
+import { z as z2 } from "zod";
+// src/core/git.ts
+import { readFile } from "fs/promises";
+import { basename } from "path";
+import { execa } from "execa";
+var UNTRACKED_PATCH_CHAR_LIMIT = 2e4;
+var IGNORED_CHANGED_PATH_PREFIXES = ["node_modules/", "dist/", "coverage/", ".git/"];
+async function findGitRoot(cwd) {
+  const result = await execa("git", ["rev-parse", "--show-toplevel"], {
+    cwd,
+    reject: false
+  });
+  if (result.exitCode !== 0) {
+    throw new Error("HandoffKit must be run inside a git repository.");
+  }
+  return result.stdout.trimEnd();
+}
+async function collectGitInfo(root, options) {
+  const [branch, status, porcelainStatus, recentCommits, stagedDiffSummary, trackedUnstagedDiffSummary, baseInfo] = await Promise.all([
+    currentBranch(root),
+    git(root, ["status", "--short", "--branch"]),
+    git(root, ["status", "--porcelain=v1", "--untracked-files=all"]),
+    recentCommitLines(root, options.since),
+    options.includeDiffSummary ? git(root, ["diff", "--cached", "--stat"]) : Promise.resolve(""),
+    options.includeDiffSummary ? git(root, ["diff", "--stat"]) : Promise.resolve(""),
+    options.since ? collectBaseInfo(root, options.since, options.includeDiffSummary, options.includeDiff) : Promise.resolve(void 0)
+  ]);
+  const changedFiles = uniqueSorted([...baseInfo?.changedFiles ?? [], ...parseChangedFiles(porcelainStatus)]);
+  const untrackedFiles = parseUntrackedFiles(porcelainStatus);
+  const unstagedDiffSummary = options.includeDiffSummary ? joinSections([trackedUnstagedDiffSummary, renderUntrackedSummary(untrackedFiles)]) : "";
+  const diff = options.includeDiff ? await collectDiff(root, untrackedFiles) : void 0;
+  return {
+    name: basename(root),
+    branch,
+    ...options.since ? { baseRef: options.since } : {},
+    status,
+    recentCommits,
+    changedFiles,
+    ...baseInfo?.summary ? { baseDiffSummary: baseInfo.summary } : {},
+    stagedDiffSummary,
+    unstagedDiffSummary,
+    includeDiff: options.includeDiff,
+    ...baseInfo?.patch ? { baseDiff: baseInfo.patch } : {},
+    ...diff ? { diff } : {}
+  };
+}
+async function currentBranch(root) {
+  const branch = await git(root, ["branch", "--show-current"]);
+  if (branch) {
+    return branch;
+  }
+  const commit = await git(root, ["rev-parse", "--short", "HEAD"], { allowFailure: true });
+  return commit ? `detached:${commit}` : "unknown";
+}
+async function recentCommitLines(root, since) {
+  const args = since ? ["log", "--oneline", "-n", "10", `${since}..HEAD`] : ["log", "--oneline", "-n", "10"];
+  const output = await git(root, args, { allowFailure: true });
+  return output ? output.split("\n") : [];
+}
+async function collectBaseInfo(root, since, includeDiffSummary, includeDiff) {
+  await ensureRef(root, since);
+  const range = `${since}...HEAD`;
+  const [changedFiles, summary, patch] = await Promise.all([
+    git(root, ["diff", "--name-only", range], { allowFailure: true }),
+    includeDiffSummary ? git(root, ["diff", "--stat", range], { allowFailure: true }) : Promise.resolve(""),
+    includeDiff ? git(root, ["diff", "--patch", range], { allowFailure: true }) : Promise.resolve("")
+  ]);
+  return {
+    changedFiles: changedFiles ? changedFiles.split("\n").filter(Boolean) : [],
+    summary,
+    patch
+  };
+}
+async function ensureRef(root, ref) {
+  const result = await execa("git", ["rev-parse", "--verify", `${ref}^{commit}`], {
+    cwd: root,
+    reject: false
+  });
+  if (result.exitCode !== 0) {
+    throw new Error(`Could not resolve --since ref: ${ref}`);
+  }
+}
+async function collectDiff(root, untrackedFiles) {
+  const [staged, unstagedTracked, untracked] = await Promise.all([
+    git(root, ["diff", "--cached", "--patch"]),
+    git(root, ["diff", "--patch"]),
+    untrackedPatch(root, untrackedFiles)
+  ]);
+  return { staged, unstaged: joinSections([unstagedTracked, untracked]) };
+}
+async function git(root, args, options = {}) {
+  const result = await execa("git", args, {
+    cwd: root,
+    reject: false
+  });
+  if (result.exitCode !== 0 && !options.allowFailure) {
+    throw new Error(result.stderr || `git ${args.join(" ")} failed`);
+  }
+  return result.stdout.trim();
+}
+function parseChangedFiles(status) {
+  const files = status.split("\n").map((line) => line.trimEnd()).filter(Boolean).map((line) => line.slice(line[2] === " " ? 3 : 2).trim()).map((path) => path.includes(" -> ") ? path.split(" -> ").at(-1) ?? path : path).map((path) => path.replace(/^"|"$/g, ""));
+  return uniqueSorted(files.filter((file) => !isIgnoredChangedPath(file)));
+}
+function parseUntrackedFiles(status) {
+  return status.split("\n").map((line) => line.trimEnd()).filter((line) => line.startsWith("?? ")).map((line) => line.slice(3).trim()).map((path) => path.replace(/^"|"$/g, "")).filter((file) => !isIgnoredChangedPath(file)).sort();
+}
+function renderUntrackedSummary(files) {
+  if (files.length === 0) {
+    return "";
+  }
+  return files.map((file) => `${file} | untracked`).join("\n");
+}
+async function untrackedPatch(root, files) {
+  const patches = await Promise.all(
+    files.map(async (file) => {
+      const content = await readFile(`${root}/${file}`, "utf8");
+      const trimmedContent = content.length > UNTRACKED_PATCH_CHAR_LIMIT ? `${content.slice(0, UNTRACKED_PATCH_CHAR_LIMIT).trimEnd()}
+[truncated]` : content.trimEnd();
+      return [`Untracked file: ${file}`, "```text", trimmedContent, "```"].join("\n");
+    })
+  );
+  return patches.join("\n\n");
+}
+function joinSections(sections) {
+  return sections.filter(Boolean).join("\n\n").trim();
+}
+function uniqueSorted(files) {
+  return [...new Set(files.filter((file) => !isIgnoredChangedPath(file)))].sort();
+}
+function isIgnoredChangedPath(file) {
+  return IGNORED_CHANGED_PATH_PREFIXES.some((prefix) => file === prefix.slice(0, -1) || file.startsWith(prefix));
+}
+// src/core/instructions.ts
+import { readFile as readFile2, stat } from "fs/promises";
+import fg from "fast-glob";
+// src/core/redact.ts
+var REDACTION = "[REDACTED]";
+var SECRET_KEY_PATTERN = /(\b[A-Z0-9_.-]*(?:API[_-]?KEY|TOKEN|SECRET|PASSWORD|PASSWD|PRIVATE[_-]?KEY|CLIENT[_-]?SECRET|ACCESS[_-]?TOKEN|REFRESH[_-]?TOKEN|COOKIE|SESSION|JWT|AUTH_TOKEN)[A-Z0-9_.-]*\b\s*(?:=|:)\s*)(["']?)([^\s"',}]+)/gi;
+var TOKEN_PATTERNS = [
+  /\bBearer\s+[A-Za-z0-9._~+/=-]{12,}/gi,
+  /\bsk-[A-Za-z0-9_-]{16,}/g,
+  /\bgh[pousr]_[A-Za-z0-9_]{16,}/g,
+  /\bnpm_[A-Za-z0-9_-]{16,}/g,
+  /\bxox[baprs]-[A-Za-z0-9-]{16,}/g,
+  /\bAIza[0-9A-Za-z_-]{20,}/g,
+  /\bAKIA[0-9A-Z]{16}\b/g,
+  /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g,
+  /\/\/([^/\s:@]+):([^@\s/]+)@/g
+];
+function redactText(input) {
+  let output = input.replace(
+    /-----BEGIN ([A-Z ]*PRIVATE KEY)-----[\s\S]*?-----END \1-----/g,
+    (_match, keyType) => `-----BEGIN ${keyType}-----
+${REDACTION}
+-----END ${keyType}-----`
+  );
+  output = output.replace(SECRET_KEY_PATTERN, (_match, prefix, quote) => {
+    return `${prefix}${quote}${REDACTION}${quote}`;
+  });
+  output = output.replace(/\bBearer\s+[A-Za-z0-9._~+/=-]{12,}/gi, "Bearer [REDACTED]");
+  output = output.replace(/\/\/([^/\s:@]+):([^@\s/]+)@/g, "//[REDACTED]@");
+  for (const pattern of TOKEN_PATTERNS.slice(1, -1)) {
+    output = output.replace(pattern, REDACTION);
+  }
+  return output;
+}
+// src/core/instructions.ts
+var INSTRUCTION_PATTERNS = [
+  "**/AGENTS.md",
+  "**/CLAUDE.md",
+  "**/GEMINI.md",
+  ".cursor/rules",
+  ".cursor/rules/**/*",
+  ".github/copilot-instructions.md"
+];
+var PREVIEW_CHAR_LIMIT = 1200;
+async function detectInstructionFiles(root) {
+  const paths = await fg(INSTRUCTION_PATTERNS, {
+    cwd: root,
+    dot: true,
+    onlyFiles: false,
+    unique: true,
+    ignore: ["**/.git/**", "**/node_modules/**", "**/dist/**", "**/coverage/**"]
+  });
+  return Promise.all(paths.sort().map((path) => instructionFile(root, path)));
+}
+async function instructionFile(root, path) {
+  return {
+    path,
+    kind: instructionKind(path),
+    preview: await readPreview(root, path)
+  };
+}
+async function readPreview(root, path) {
+  const fullPath = `${root}/${path}`;
+  const metadata = await stat(fullPath);
+  if (!metadata.isFile()) {
+    return "Directory rule set detected.";
+  }
+  const content = await readFile2(fullPath, "utf8");
+  const normalized = content.replace(/\r\n/g, "\n").trim();
+  const preview = normalized.length > PREVIEW_CHAR_LIMIT ? `${normalized.slice(0, PREVIEW_CHAR_LIMIT).trimEnd()}
+[truncated]` : normalized;
+  return redactText(preview);
+}
+function instructionKind(path) {
+  if (path.endsWith("AGENTS.md")) {
+    return "agents";
+  }
+  if (path.endsWith("CLAUDE.md")) {
+    return "claude";
+  }
+  if (path.endsWith("GEMINI.md")) {
+    return "gemini";
+  }
+  if (path === ".cursor/rules" || path.startsWith(".cursor/rules/")) {
+    return "cursor";
+  }
+  if (path === ".github/copilot-instructions.md") {
+    return "copilot";
+  }
+  return "instruction";
+}
+// src/core/package-json.ts
+import { access, readFile as readFile3 } from "fs/promises";
+import { join } from "path";
+import { z } from "zod";
+var PackageJsonSchema = z.object({
+  name: z.string().optional(),
+  packageManager: z.string().optional(),
+  scripts: z.record(z.string(), z.string()).optional()
+});
+var VERIFY_SCRIPT_ORDER = ["build", "test", "typecheck", "lint", "check", "verify", "ci"];
+var VERIFY_SCRIPT_PREFIX = /^(build|test|typecheck|lint|check|verify|ci)(:|$)/;
+async function detectPackageInfo(root) {
+  const packageJsonPath = join(root, "package.json");
+  if (!await pathExists(packageJsonPath)) {
+    return void 0;
+  }
+  const rawPackageJson = await readFile3(packageJsonPath, "utf8");
+  const packageJson = PackageJsonSchema.parse(JSON.parse(rawPackageJson));
+  const packageManager = await detectPackageManager(root, packageJson.packageManager);
+  const verificationScripts = detectVerificationScripts(packageJson.scripts ?? {});
+  return {
+    ...packageJson.name ? { name: packageJson.name } : {},
+    ...packageManager ? { packageManager } : {},
+    verificationScripts
+  };
+}
+async function detectPackageManager(root, packageManagerField) {
+  if (packageManagerField) {
+    return packageManagerField.split("@")[0] || packageManagerField;
+  }
+  const lockfiles = [
+    ["pnpm-lock.yaml", "pnpm"],
+    ["yarn.lock", "yarn"],
+    ["package-lock.json", "npm"],
+    ["bun.lock", "bun"],
+    ["bun.lockb", "bun"]
+  ];
+  for (const [lockfile, manager] of lockfiles) {
+    if (await pathExists(join(root, lockfile))) {
+      return manager;
+    }
+  }
+  return void 0;
+}
+function detectVerificationScripts(scripts) {
+  return Object.entries(scripts).filter(([name]) => VERIFY_SCRIPT_PREFIX.test(name)).sort(([left], [right]) => {
+    const leftIndex = orderIndex(left);
+    const rightIndex = orderIndex(right);
+    if (leftIndex !== rightIndex) {
+      return leftIndex - rightIndex;
+    }
+    return left.localeCompare(right);
+  }).map(([name, command]) => ({ name, command }));
+}
+async function pathExists(path) {
+  try {
+    await access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function orderIndex(name) {
+  const baseName = name.split(":")[0] ?? name;
+  const index = VERIFY_SCRIPT_ORDER.indexOf(baseName);
+  return index === -1 ? VERIFY_SCRIPT_ORDER.length : index;
+}
+// src/core/risk.ts
+function analyzeRisk(report) {
+  const files = report.repository.changedFiles;
+  const notes = [];
+  if (files.some((file) => /(^|\/)(redact|secret|auth|token|security)/i.test(file))) {
+    notes.push({
+      severity: "high",
+      title: "Security-sensitive code changed",
+      detail: "Review redaction, auth, token, or secret-handling changes carefully before handoff."
+    });
+  }
+  if (files.some((file) => file === "package.json" || file.endsWith("-lock.yaml") || file.endsWith("lock.json"))) {
+    notes.push({
+      severity: "medium",
+      title: "Dependency or package metadata changed",
+      detail: "Run install/build verification and check package publishing metadata."
+    });
+  }
+  if (files.some((file) => file.startsWith(".github/workflows/"))) {
+    notes.push({
+      severity: "medium",
+      title: "CI workflow changed",
+      detail: "Confirm GitHub Actions still passes after push."
+    });
+  }
+  const sourceFiles = files.filter((file) => file.startsWith("src/") && file.endsWith(".ts"));
+  const testFiles = files.filter((file) => file.startsWith("tests/") && file.endsWith(".test.ts"));
+  if (sourceFiles.length > 0 && testFiles.length === 0) {
+    notes.push({
+      severity: "medium",
+      title: "Source changed without matching tests",
+      detail: `Review test coverage for ${sourceFiles.slice(0, 5).join(", ")}.`
+    });
+  }
+  if (notes.length === 0) {
+    notes.push({
+      severity: "low",
+      title: "No obvious local risk signals",
+      detail: "No deterministic risk rule matched the current changed file set."
+    });
+  }
+  return { notes };
+}
+// src/core/scanners.ts
+import { mkdtemp, readFile as readFile4 } from "fs/promises";
+import { tmpdir } from "os";
+import { relative, join as join2 } from "path";
+import { performance } from "perf_hooks";
+import { execa as execa2 } from "execa";
+var MAX_FINDINGS = 20;
+var ERROR_LIMIT = 2e3;
+async function detectSecretScanners() {
+  const [gitleaks, secretlint] = await Promise.all([scannerStatus("gitleaks"), scannerStatus("secretlint")]);
+  return { scanners: [gitleaks, secretlint] };
+}
+async function runSecretScanners(root) {
+  const report = await detectSecretScanners();
+  const scans = await Promise.all(report.scanners.map((scanner) => runScanner(root, scanner)));
+  return { ...report, scans };
+}
+function normalizeGitleaksFindings(rawJson, limit = MAX_FINDINGS) {
+  const parsed = safeJson(rawJson);
+  if (!Array.isArray(parsed)) {
+    return [];
+  }
+  return parsed.slice(0, limit).map((finding) => {
+    const ruleId = stringValue(finding.RuleID);
+    const file = stringValue(finding.File);
+    const line = numberValue(finding.StartLine);
+    return {
+      ...ruleId ? { ruleId } : {},
+      message: redactText(stringValue(finding.Description) || "Secret finding"),
+      ...file ? { file } : {},
+      ...line ? { line } : {}
+    };
+  });
+}
+function normalizeSecretlintFindings(rawJson, limit = MAX_FINDINGS, root) {
+  const parsed = safeJson(rawJson);
+  if (!Array.isArray(parsed)) {
+    return [];
+  }
+  const findings = [];
+  for (const fileResult of parsed) {
+    const messages = Array.isArray(fileResult.messages) ? fileResult.messages : [];
+    for (const message of messages) {
+      if (findings.length >= limit) {
+        return findings;
+      }
+      const filePath = stringValue(fileResult.filePath);
+      const ruleId = stringValue(message.ruleId);
+      const line = numberValue(message.line);
+      findings.push({
+        ...ruleId ? { ruleId } : {},
+        message: redactText(stringValue(message.message) || "Secret finding"),
+        ...filePath ? { file: root ? relative(root, filePath) || filePath : filePath } : {},
+        ...line ? { line } : {}
+      });
+    }
+  }
+  return findings;
+}
+async function scannerStatus(name) {
+  const result = await execa2(name, ["--version"], {
+    reject: false
+  }).catch(() => void 0);
+  return {
+    name,
+    available: Boolean(result && result.exitCode === 0),
+    ...result?.stdout ? { version: result.stdout.trim() } : {}
+  };
+}
+async function runScanner(root, scanner) {
+  if (!scanner.available) {
+    return {
+      name: scanner.name,
+      available: false,
+      ran: false,
+      findings: [],
+      error: "Scanner binary not found.",
+      truncated: false
+    };
+  }
+  return scanner.name === "gitleaks" ? runGitleaks(root) : runSecretlint(root);
+}
+async function runGitleaks(root) {
+  const started = performance.now();
+  const tempDir = await mkdtemp(join2(tmpdir(), "handoffkit-gitleaks-"));
+  const reportPath = join2(tempDir, "report.json");
+  const result = await execa2(
+    "gitleaks",
+    ["dir", root, "--no-banner", "--no-color", "--redact=100", "--report-format", "json", "--report-path", reportPath, "--max-target-megabytes", "2"],
+    { reject: false, all: true }
+  );
+  const rawReport = await readFile4(reportPath, "utf8").catch(() => "[]");
+  const findings = normalizeGitleaksFindings(rawReport);
+  return {
+    name: "gitleaks",
+    available: true,
+    ran: result.exitCode === 0 || result.exitCode === 1,
+    exitCode: result.exitCode ?? 1,
+    durationMs: Math.round(performance.now() - started),
+    findings,
+    ...result.exitCode && result.exitCode > 1 ? { error: redactText(trimError(result.all ?? result.stderr ?? "")) } : {},
+    truncated: countJsonArray(rawReport) > findings.length
+  };
+}
+async function runSecretlint(root) {
+  const started = performance.now();
+  const result = await execa2("secretlint", ["**/*", "--format", "json", "--no-color"], {
+    cwd: root,
+    reject: false,
+    all: true
+  });
+  const rawOutput = result.stdout || result.all || "[]";
+  const findings = normalizeSecretlintFindings(rawOutput, MAX_FINDINGS, root);
+  return {
+    name: "secretlint",
+    available: true,
+    ran: result.exitCode === 0 || result.exitCode === 1,
+    exitCode: result.exitCode ?? 1,
+    durationMs: Math.round(performance.now() - started),
+    findings,
+    ...result.exitCode && result.exitCode > 1 ? { error: redactText(trimError(result.all ?? result.stderr ?? "")) } : {},
+    truncated: countSecretlintMessages(rawOutput) > findings.length
+  };
+}
+function safeJson(rawJson) {
+  try {
+    return JSON.parse(rawJson || "[]");
+  } catch {
+    return [];
+  }
+}
+function stringValue(value) {
+  return typeof value === "string" ? value : "";
+}
+function numberValue(value) {
+  return typeof value === "number" ? value : void 0;
+}
+function countJsonArray(rawJson) {
+  const parsed = safeJson(rawJson);
+  return Array.isArray(parsed) ? parsed.length : 0;
+}
+function countSecretlintMessages(rawJson) {
+  const parsed = safeJson(rawJson);
+  if (!Array.isArray(parsed)) {
+    return 0;
+  }
+  return parsed.reduce((count, fileResult) => {
+    return count + (Array.isArray(fileResult.messages) ? fileResult.messages.length : 0);
+  }, 0);
+}
+function trimError(output) {
+  const trimmed = output.trim();
+  return trimmed.length > ERROR_LIMIT ? `${trimmed.slice(0, ERROR_LIMIT)}
+[truncated]` : trimmed;
+}
+// src/core/verify.ts
+import { performance as performance2 } from "perf_hooks";
+import { execa as execa3 } from "execa";
+var VERIFY_ORDER = ["typecheck", "lint", "test", "build"];
+var OUTPUT_LIMIT = 4e3;
+function selectVerificationScripts(packageInfo) {
+  if (!packageInfo) {
+    return [];
+  }
+  return VERIFY_ORDER.flatMap((name) => packageInfo.verificationScripts.filter((script) => script.name === name));
+}
+async function runVerification(root) {
+  const packageInfo = await detectPackageInfo(root);
+  const scripts = selectVerificationScripts(packageInfo);
+  const commands = [];
+  for (const script of scripts) {
+    commands.push(await runScript(root, packageInfo?.packageManager ?? "npm", script));
+  }
+  return { commands };
+}
+async function runScript(root, packageManager, script) {
+  const started = performance2.now();
+  const command = `${packageManager} run ${script.name}`;
+  const result = await execa3(packageManager, ["run", script.name], {
+    cwd: root,
+    reject: false,
+    all: true
+  });
+  return {
+    name: script.name,
+    command,
+    exitCode: result.exitCode ?? 1,
+    durationMs: Math.round(performance2.now() - started),
+    output: trimOutput(result.all ?? result.stdout ?? result.stderr ?? "")
+  };
+}
+function trimOutput(output) {
+  const normalized = output.trim();
+  return normalized.length > OUTPUT_LIMIT ? `${normalized.slice(-OUTPUT_LIMIT)}
+[trimmed]` : normalized;
+}
+// src/core/collect.ts
+async function collectHandoffReport(options) {
+  const root = await findGitRoot(options.cwd);
+  const [repository, instructionFiles, packageInfo, secretScanning] = await Promise.all([
+    collectGitInfo(root, {
+      includeDiff: options.includeDiff && options.includeDiffSummary,
+      includeDiffSummary: options.includeDiffSummary,
+      ...options.since ? { since: options.since } : {}
+    }),
+    detectInstructionFiles(root),
+    detectPackageInfo(root),
+    options.scanSecrets ? runSecretScanners(root) : detectSecretScanners()
+  ]);
+  const report = {
+    goal: options.goal,
+    target: options.target,
+    repository,
+    instructionFiles,
+    ...packageInfo ? { packageInfo } : {},
+    ...options.resumeSource ? { resumeSource: options.resumeSource } : {},
+    ...options.includeVerification ? { verification: await runVerification(root) } : {},
+    secretScanning,
+    budget: {
+      requestedTokens: options.budget,
+      estimatedTokens: 0,
+      wasTrimmed: false
+    }
+  };
+  report.risk = analyzeRisk(report);
+  return report;
+}
+// src/cli/output.ts
+import { mkdir, writeFile } from "fs/promises";
+import { dirname, resolve } from "path";
+// src/core/budget.ts
+function estimateTokens(text) {
+  return Math.ceil(text.length / 4);
+}
+function applyMarkdownBudget(text, budget) {
+  const estimatedTokens = estimateTokens(text);
+  if (estimatedTokens <= budget) {
+    return { text, estimatedTokens, wasTrimmed: false };
+  }
+  const notice = `
+> Output trimmed to fit --budget ${budget}. Re-run with a larger budget or --output for the full packet.
+`;
+  const charLimit = Math.max(0, budget * 4 - notice.length);
+  const trimmed = `${text.slice(0, charLimit).trimEnd()}${notice}`;
+  return {
+    text: trimmed,
+    estimatedTokens: estimateTokens(trimmed),
+    wasTrimmed: true
+  };
+}
+// src/report/json.ts
+function renderJsonReport(report) {
+  return `${JSON.stringify(report, null, 2)}
+`;
+}
+// src/report/markdown.ts
+function renderMarkdownReport(report) {
+  const lines = [
+    `# ${titleForTarget(report.target)}`,
+    "",
+    "## Goal",
+    report.goal,
+    "",
+    "## Repository",
+    `- Repository: \`${report.repository.name}\``,
+    `- Branch: \`${report.repository.branch}\``,
+    `- Changed files: ${report.repository.changedFiles.length}`,
+    "",
+    "## Git Status",
+    codeBlock(report.repository.status || "Clean working tree."),
+    "",
+    "## Recent Commits",
+    listOrNone(report.repository.recentCommits.map((commit) => `- ${commit}`)),
+    "",
+    "## Changed Files",
+    listOrNone(report.repository.changedFiles.map((file) => `- \`${file}\``)),
+    "",
+    ...renderBaseDiffSummary(report),
+    "## Diff Summary",
+    "### Staged",
+    codeBlock(report.repository.stagedDiffSummary || "No staged diff."),
+    "",
+    "### Unstaged",
+    codeBlock(report.repository.unstagedDiffSummary || "No unstaged diff."),
+    "",
+    "## Instruction Files",
+    renderInstructionFiles(report.instructionFiles),
+    "",
+    "## Package",
+    renderPackage(report.packageInfo),
+    "",
+    ...renderResumeSource(report),
+    ...renderVerification(report),
+    ...renderRisk(report),
+    ...renderSecretScanning(report),
+    "## Next Agent Notes",
+    "- This packet was generated from local git and filesystem state.",
+    "- Likely secrets were redacted from generated output.",
+    "- No LLM APIs were called."
+  ];
+  if (report.repository.includeDiff && report.repository.diff) {
+    lines.splice(
+      lines.indexOf("## Instruction Files"),
+      0,
+      "## Included Diff",
+      "### Staged Patch",
+      codeBlock(report.repository.diff.staged || "No staged patch."),
+      "",
+      "### Unstaged Patch",
+      codeBlock(report.repository.diff.unstaged || "No unstaged patch."),
+      ""
+    );
+  }
+  if (report.repository.includeDiff && report.repository.baseDiff) {
+    lines.splice(
+      lines.indexOf("## Included Diff"),
+      0,
+      `## Included Branch Delta Since \`${report.repository.baseRef}\``,
+      codeBlock(report.repository.baseDiff),
+      ""
+    );
+  }
+  return `${lines.join("\n")}
+`;
+}
+function titleForTarget(target = "generic") {
+  const labels = {
+    generic: "Handoff Packet",
+    codex: "Codex Handoff Packet",
+    claude: "Claude Handoff Packet",
+    cursor: "Cursor Handoff Packet"
+  };
+  return labels[target] ?? "Handoff Packet";
+}
+function renderBaseDiffSummary(report) {
+  if (!report.repository.baseRef) {
+    return [];
+  }
+  return [
+    `## Branch Delta Since \`${report.repository.baseRef}\``,
+    codeBlock(report.repository.baseDiffSummary || "No committed branch delta detected."),
+    ""
+  ];
+}
+function renderPackage(packageInfo) {
+  if (!packageInfo) {
+    return "No package.json detected.";
+  }
+  const lines = [
+    packageInfo.name ? `- Package: \`${packageInfo.name}\`` : void 0,
+    packageInfo.packageManager ? `- Package manager: \`${packageInfo.packageManager}\`` : void 0
+  ].filter((line) => Boolean(line));
+  if (packageInfo.verificationScripts.length > 0) {
+    const prefix = packageInfo.packageManager ?? "npm";
+    lines.push("- Verification scripts:");
+    lines.push(...packageInfo.verificationScripts.map((script) => `  - \`${prefix} ${script.name}\``));
+  } else {
+    lines.push("- Verification scripts: none detected.");
+  }
+  return lines.join("\n");
+}
+function renderInstructionFiles(instructionFiles) {
+  if (instructionFiles.length === 0) {
+    return "None detected.";
+  }
+  return instructionFiles.map((file) => [`- \`${file.path}\` (${file.kind})`, codeBlock(file.preview || "No preview available.")].join("\n")).join("\n\n");
+}
+function renderResumeSource(report) {
+  if (!report.resumeSource) {
+    return [];
+  }
+  return ["## Resume Source", `- Source: \`${report.resumeSource.path}\``, codeBlock(report.resumeSource.preview), ""];
+}
+function renderVerification(report) {
+  if (!report.verification) {
+    return [];
+  }
+  return [
+    "## Verification",
+    report.verification.commands.length > 0 ? report.verification.commands.map(
+      (command) => [`- \`${command.command}\` exited ${command.exitCode} in ${command.durationMs}ms`, codeBlock(command.output || "No output.")].join("\n")
+    ).join("\n\n") : "No safe verification scripts detected.",
+    ""
+  ];
+}
+function renderRisk(report) {
+  if (!report.risk) {
+    return [];
+  }
+  return [
+    "## Risk Notes",
+    report.risk.notes.map((note) => `- **${note.severity}**: ${note.title} - ${note.detail}`).join("\n"),
+    ""
+  ];
+}
+function renderSecretScanning(report) {
+  if (!report.secretScanning) {
+    return [];
+  }
+  return [
+    report.secretScanning.scans ? "## Secret Scan Results" : "## Secret Scanner Availability",
+    renderSecretScannerReport(report.secretScanning),
+    ""
+  ];
+}
+function renderSecretScannerReport(secretScanning) {
+  if (!secretScanning.scans) {
+    return secretScanning.scanners.map((scanner) => `- ${scanner.name}: ${scanner.available ? "available" : "not found"}`).join("\n");
+  }
+  return secretScanning.scans.map((scan) => {
+    const lines = [
+      `- ${scan.name}: ${scan.ran ? `${scan.findings.length} finding(s), exit ${scan.exitCode}` : scan.error ?? "not run"}`
+    ];
+    for (const finding of scan.findings) {
+      lines.push(`  - ${finding.ruleId ? `${finding.ruleId}: ` : ""}${finding.message}${finding.file ? ` (${finding.file}${finding.line ? `:${finding.line}` : ""})` : ""}`);
+    }
+    if (scan.truncated) {
+      lines.push("  - Additional findings were truncated.");
+    }
+    return lines.join("\n");
+  }).join("\n");
+}
+function codeBlock(text) {
+  return ["```text", text, "```"].join("\n");
+}
+function listOrNone(items) {
+  return items.length > 0 ? items.join("\n") : "None detected.";
+}
+// src/cli/output.ts
+async function writeRenderedReport(report, format, budget, output) {
+  const rendered = redactText(renderOutput(report, format, budget));
+  if (output) {
+    const outputPath = resolve(process.cwd(), output);
+    await mkdir(dirname(outputPath), { recursive: true });
+    await writeFile(outputPath, rendered, "utf8");
+    process.stderr.write(`Wrote handoff packet to ${outputPath}
+`);
+    return;
+  }
+  process.stdout.write(rendered);
+}
+function renderOutput(report, format, budget) {
+  if (format === "json") {
+    const rendered = renderJsonReport(report);
+    report.budget.estimatedTokens = estimateTokens(rendered);
+    return renderJsonReport(report);
+  }
+  const firstRender = renderMarkdownReport(report);
+  const budgeted = applyMarkdownBudget(firstRender, budget);
+  report.budget.estimatedTokens = budgeted.estimatedTokens;
+  report.budget.wasTrimmed = budgeted.wasTrimmed;
+  if (budgeted.wasTrimmed) {
+    return budgeted.text;
+  }
+  return renderMarkdownReport(report);
+}
+// src/cli/commands/pack.ts
+var PackCliOptionsSchema = z2.object({
+  goal: z2.string().trim().min(1).default("Make your own goal"),
+  output: z2.string().optional(),
+  format: z2.enum(["markdown", "json"]).default("markdown"),
+  for: z2.enum(["generic", "codex", "claude", "cursor"]).default("generic"),
+  budget: z2.number().int().positive().default(4e3),
+  includeDiff: z2.boolean().default(false),
+  diff: z2.boolean().default(true),
+  since: z2.string().trim().min(1).optional(),
+  verify: z2.boolean().default(false),
+  scanSecrets: z2.boolean().default(false)
+});
+function createPackCommand() {
+  return new Command("pack").description("Create a safe local handoff packet for another AI assistant.").option("--goal <text>", "handoff goal", "Make your own goal").option("--output <path>", "write output to a file instead of stdout").option("--format <format>", "output format: markdown or json", "markdown").option("--for <agent>", "target output: generic, codex, claude, or cursor", "generic").option("--budget <tokens>", "rough output token budget", parseBudget, 4e3).option("--since <ref>", "focus committed branch delta on a base ref").option("--verify", "run safe verification scripts and include results").option("--scan-secrets", "run optional local secret scanners and include bounded results").option("--include-diff", "include full staged and unstaged patches", false).option("--no-diff", "omit diff summaries and full patches").action(async (rawOptions) => {
+    const options = parseOptions(rawOptions);
+    const report = await collectHandoffReport({
+      goal: options.goal,
+      cwd: process.cwd(),
+      ...options.output ? { output: options.output } : {},
+      format: options.format,
+      target: options.for,
+      budget: options.budget,
+      includeDiff: options.includeDiff,
+      includeDiffSummary: options.diff,
+      ...options.since ? { since: options.since } : {},
+      includeVerification: options.verify,
+      scanSecrets: options.scanSecrets
+    });
+    await writeRenderedReport(report, options.format, options.budget, options.output);
+  });
+}
+function parseOptions(rawOptions) {
+  const result = PackCliOptionsSchema.safeParse(rawOptions);
+  if (!result.success) {
+    const message = result.error.issues.map((issue) => issue.message).join("\n");
+    throw new Error(`Invalid pack options:
+${message}`);
+  }
+  return result.data;
+}
+function parseBudget(value) {
+  const parsed = Number.parseInt(value, 10);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    throw new Error("--budget must be a positive integer.");
+  }
+  return parsed;
+}
+// src/cli/commands/resume.ts
+import { readFile as readFile5 } from "fs/promises";
+import { Command as Command2 } from "commander";
+import { z as z3 } from "zod";
+// src/core/resume.ts
+var RESUME_PREVIEW_LIMIT = 3e3;
+function createResumeSource(path, content) {
+  const normalized = content.replace(/\r\n/g, "\n").trim();
+  const preview = normalized.length > RESUME_PREVIEW_LIMIT ? `${normalized.slice(0, RESUME_PREVIEW_LIMIT).trimEnd()}
+[truncated]` : normalized;
+  return {
+    path,
+    preview: redactText(preview)
+  };
+}
+// src/cli/commands/resume.ts
+var ResumeOptionsSchema = z3.object({
+  goal: z3.string().trim().min(1).default("Resume interrupted AI coding session"),
+  output: z3.string().optional(),
+  format: z3.enum(["markdown", "json"]).default("markdown"),
+  for: z3.enum(["generic", "codex", "claude", "cursor"]).default("generic"),
+  budget: z3.number().int().positive().default(4e3)
+});
+function createResumeCommand() {
+  return new Command2("resume").description("Create a fresh handoff packet using a previous handoff as resume context.").argument("<path>", "previous handoff or transcript file").option("--goal <text>", "new handoff goal", "Resume interrupted AI coding session").option("--output <path>", "write output to a file instead of stdout").option("--format <format>", "output format: markdown or json", "markdown").option("--for <agent>", "target output: generic, codex, claude, or cursor", "generic").option("--budget <tokens>", "rough output token budget", parseBudget2, 4e3).action(async (path, rawOptions) => {
+    const options = ResumeOptionsSchema.parse(rawOptions);
+    const source = createResumeSource(path, await readFile5(path, "utf8"));
+    const report = await collectHandoffReport({
+      goal: options.goal,
+      cwd: process.cwd(),
+      ...options.output ? { output: options.output } : {},
+      format: options.format,
+      target: options.for,
+      budget: options.budget,
+      includeDiff: false,
+      includeDiffSummary: true,
+      includeVerification: false,
+      scanSecrets: false,
+      resumeSource: source
+    });
+    await writeRenderedReport(report, options.format, options.budget, options.output);
+  });
+}
+function parseBudget2(value) {
+  const parsed = Number.parseInt(value, 10);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    throw new Error("--budget must be a positive integer.");
+  }
+  return parsed;
+}
+// src/cli/commands/risk.ts
+import { Command as Command3 } from "commander";
+import { z as z4 } from "zod";
+var RiskOptionsSchema = z4.object({
+  format: z4.enum(["markdown", "json"]).default("markdown")
+});
+function createRiskCommand() {
+  return new Command3("risk").description("Show deterministic risk notes for the current handoff.").option("--format <format>", "output format: markdown or json", "markdown").action(async (rawOptions) => {
+    const options = RiskOptionsSchema.parse(rawOptions);
+    const report = await collectHandoffReport({
+      goal: "Review local risk",
+      cwd: process.cwd(),
+      format: options.format,
+      target: "generic",
+      budget: 4e3,
+      includeDiff: false,
+      includeDiffSummary: false,
+      includeVerification: false,
+      scanSecrets: false
+    });
+    if (options.format === "json") {
+      process.stdout.write(`${JSON.stringify(report.risk, null, 2)}
+`);
+      return;
+    }
+    process.stdout.write(`# Risk Notes
+${report.risk?.notes.map((note) => `- **${note.severity}**: ${note.title} - ${note.detail}`).join("\n")}
+`);
+  });
+}
+// src/cli/commands/scan-secrets.ts
+import { Command as Command4 } from "commander";
+import { z as z5 } from "zod";
+var ScanSecretsOptionsSchema = z5.object({
+  format: z5.enum(["markdown", "json"]).default("markdown")
+});
+function createScanSecretsCommand() {
+  return new Command4("scan-secrets").description("Run optional local secret scanners and print bounded redacted results.").option("--format <format>", "output format: markdown or json", "markdown").action(async (rawOptions) => {
+    const options = ScanSecretsOptionsSchema.parse(rawOptions);
+    const root = await findGitRoot(process.cwd());
+    const report = await runSecretScanners(root);
+    if (options.format === "json") {
+      process.stdout.write(redactText(`${JSON.stringify(report, null, 2)}
+`));
+      return;
+    }
+    process.stdout.write(redactText(renderScanMarkdown(report)));
+  });
+}
+function renderScanMarkdown(report) {
+  const lines = ["# Secret Scan Results", ""];
+  for (const scan of report.scans ?? []) {
+    lines.push(`- ${scan.name}: ${scan.ran ? `${scan.findings.length} finding(s), exit ${scan.exitCode}` : scan.error ?? "not run"}`);
+    for (const finding of scan.findings) {
+      lines.push(`  - ${finding.ruleId ? `${finding.ruleId}: ` : ""}${finding.message}${finding.file ? ` (${finding.file}${finding.line ? `:${finding.line}` : ""})` : ""}`);
+    }
+  }
+  return `${lines.join("\n")}
+`;
+}
+// src/cli/commands/verify.ts
+import { Command as Command5 } from "commander";
+import { z as z6 } from "zod";
+var VerifyOptionsSchema = z6.object({
+  format: z6.enum(["markdown", "json"]).default("markdown")
+});
+function createVerifyCommand() {
+  return new Command5("verify").description("Run safe local verification scripts.").option("--format <format>", "output format: markdown or json", "markdown").action(async (rawOptions) => {
+    const options = VerifyOptionsSchema.parse(rawOptions);
+    const root = await findGitRoot(process.cwd());
+    const verification = await runVerification(root);
+    if (options.format === "json") {
+      process.stdout.write(redactText(`${JSON.stringify(verification, null, 2)}
+`));
+      return;
+    }
+    process.stdout.write(redactText(renderVerificationMarkdown(verification.commands)));
+  });
+}
+function renderVerificationMarkdown(commands) {
+  const lines = ["# Verification", ""];
+  if (commands.length === 0) {
+    lines.push("No safe verification scripts detected.");
+  } else {
+    for (const command of commands) {
+      lines.push(`- \`${command.command}\` exited ${command.exitCode} in ${command.durationMs}ms`);
+    }
+  }
+  return `${lines.join("\n")}
+`;
+}
+// src/cli/index.ts
+var program = new Command6().name("handoffkit").description("Create safe local handoff packets for AI-assisted coding sessions.").version("0.1.0");
+program.addCommand(createPackCommand());
+program.addCommand(createVerifyCommand());
+program.addCommand(createRiskCommand());
+program.addCommand(createScanSecretsCommand());
+program.addCommand(createResumeCommand());
+try {
+  await program.parseAsync(process.argv);
+} catch (error) {
+  const message = error instanceof Error ? error.message : String(error);
+  process.stderr.write(`${message}
+`);
+  process.exitCode = 1;
+}
+//# sourceMappingURL=index.js.map