@kylewadegrove/cutline-mcp-cli-staging 0.1.0 → 0.2.0

package/Dockerfile

@@ -3,7 +3,11 @@ FROM node:20-slim AS base
 WORKDIR /app
 
 # Install the CLI globally from npm (includes bundled servers)
-RUN npm install -g @vibekiln/cutline-mcp-cli@latest
+# Override at build time for staging package:
+#   --build-arg PACKAGE_NAME=@kylewadegrove/cutline-mcp-cli-staging
+ARG PACKAGE_NAME=@vibekiln/cutline-mcp-cli
+ARG PACKAGE_TAG=latest
+RUN npm install -g "${PACKAGE_NAME}@${PACKAGE_TAG}"
 
 # Default to the main constraints server (cutline-server.js)
 # Override with: docker run ... cutline-mcp serve premortem

package/README.md

@@ -135,6 +135,19 @@ cutline-mcp serve output         # Export and rendering
 cutline-mcp serve integrations   # External integrations
 ```
 
+HTTP bridge mode (for registries/hosts that require an HTTPS MCP URL):
+
+```bash
+cutline-mcp serve constraints --http --host 0.0.0.0 --port 8080 --path /mcp
+# Health: GET /health
+# MCP endpoint: POST /mcp
+```
+
+Bridge notes:
+- Default mode remains stdio (no behavior change for Cursor/Claude Desktop local configs).
+- The bridge forwards JSON-RPC requests to the bundled stdio server process.
+- Batch JSON-RPC payloads are not supported by the bridge.
+
 ### `upgrade`
 
 Open the upgrade page and refresh your session.
@@ -206,6 +219,10 @@ Config: [`server.json`](./server.json)
 
 Config: [`smithery.yaml`](./smithery.yaml) with [`Dockerfile`](./Dockerfile)
 
+If the publish UI requires an MCP Server URL, deploy the bridge and provide your public HTTPS endpoint, for example:
+
+`https://mcp.thecutline.ai/mcp`
+
 ### Claude Desktop Extension
 
 ```bash

package/dist/commands/init.js

@@ -1,11 +1,36 @@
 import chalk from 'chalk';
 import ora from 'ora';
 import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'node:fs';
+import { createInterface } from 'node:readline';
 import { resolve, join } from 'node:path';
 import { getRefreshToken } from '../auth/keychain.js';
 import { fetchFirebaseApiKey } from '../utils/config.js';
 import { saveConfig, loadConfig } from '../utils/config-store.js';
+import { registerAgentInstall, trackAgentEvent } from '../utils/agent-funnel.js';
 const CUTLINE_CONFIG = '.cutline/config.json';
+function prompt(question) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    return new Promise((resolvePrompt) => {
+        rl.question(question, (answer) => {
+            rl.close();
+            resolvePrompt(answer.trim());
+        });
+    });
+}
+async function fetchProducts(idToken, baseUrl) {
+    try {
+        const res = await fetch(`${baseUrl}/mcpListProducts`, {
+            headers: { Authorization: `Bearer ${idToken}` },
+        });
+        if (!res.ok)
+            return { products: [], requestOk: false };
+        const data = await res.json();
+        return { products: data.products ?? [], requestOk: true };
+    }
+    catch {
+        return { products: [], requestOk: false };
+    }
+}
 async function authenticate(options) {
     const refreshToken = await getRefreshToken();
     if (!refreshToken)
@@ -53,6 +78,13 @@ function readCutlineConfig(projectRoot) {
         return null;
     }
 }
+function writeCutlineConfig(projectRoot, config) {
+    const cutlineDir = join(projectRoot, '.cutline');
+    const configPath = join(cutlineDir, 'config.json');
+    mkdirSync(cutlineDir, { recursive: true });
+    writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n');
+    return configPath;
+}
 function cursorRgrRule(config, tier) {
     const productId = config?.product_id ?? '<from .cutline/config.json>';
     const productName = config?.product_name ?? 'your product';
@@ -203,7 +235,8 @@ function ensureGitignore(projectRoot, patterns) {
 }
 export async function initCommand(options) {
     const projectRoot = resolve(options.projectRoot ?? process.cwd());
-    const config = readCutlineConfig(projectRoot);
+    let config = readCutlineConfig(projectRoot);
+    const isInteractive = Boolean(process.stdin.isTTY && process.stdout.isTTY);
     const scanUrl = options.staging
         ? 'https://cutline-staging.web.app/scan'
         : 'https://thecutline.ai/scan';
@@ -222,6 +255,79 @@ export async function initCommand(options) {
         tier = auth.tier;
         spinner.succeed(chalk.green(`Authenticated as ${auth.email} (${tier})`));
     }
+    if (tier === 'premium' && auth?.idToken && auth.baseUrl) {
+        const productsSpinner = ora('Fetching product graphs for normalization...').start();
+        const { products, requestOk } = await fetchProducts(auth.idToken, auth.baseUrl);
+        productsSpinner.stop();
+        if (requestOk && products.length > 0) {
+            const currentIndex = config?.product_id
+                ? products.findIndex((p) => p.id === config?.product_id)
+                : -1;
+            let selected;
+            if (isInteractive) {
+                console.log(chalk.bold('\n  Select canonical product for rule generation\n'));
+                products.forEach((p, i) => {
+                    const date = p.createdAt
+                        ? chalk.dim(` (${new Date(p.createdAt).toLocaleDateString()})`)
+                        : '';
+                    const currentTag = currentIndex === i ? chalk.green(' [current]') : '';
+                    console.log(`  ${chalk.cyan(`${i + 1}.`)} ${chalk.white(p.name)}${date}${currentTag}`);
+                    if (p.brief)
+                        console.log(`     ${chalk.dim(p.brief)}`);
+                });
+                console.log();
+                const defaultHint = currentIndex >= 0
+                    ? ` (Enter keeps ${products[currentIndex].name})`
+                    : '';
+                const answer = await prompt(chalk.cyan(`  Select a product number${defaultHint}: `));
+                const choice = parseInt(answer, 10);
+                if (!answer && currentIndex >= 0) {
+                    selected = products[currentIndex];
+                }
+                else if (Number.isFinite(choice) && choice >= 1 && choice <= products.length) {
+                    selected = products[choice - 1];
+                }
+                else if (currentIndex >= 0) {
+                    selected = products[currentIndex];
+                    console.log(chalk.yellow(`  Invalid selection. Keeping "${selected.name}".`));
+                }
+                else {
+                    selected = products[0];
+                    console.log(chalk.yellow(`  Invalid selection. Defaulting to "${selected.name}".`));
+                }
+            }
+            else {
+                selected = currentIndex >= 0 ? products[currentIndex] : products[0];
+                if (currentIndex < 0) {
+                    console.log(chalk.dim(`  Auto-selected product: ${selected.name}`));
+                }
+            }
+            const changed = selected.id !== config?.product_id || selected.name !== config?.product_name;
+            if (changed) {
+                const configPath = writeCutlineConfig(projectRoot, {
+                    product_id: selected.id,
+                    product_name: selected.name,
+                    linked_email: auth.email ?? null,
+                });
+                console.log(chalk.green(`  ✓ Normalized product to "${selected.name}"`));
+                console.log(chalk.dim(`    ${configPath}`));
+            }
+            config = {
+                product_id: selected.id,
+                product_name: selected.name,
+                linked_email: auth.email ?? config?.linked_email ?? null,
+            };
+            console.log();
+        }
+        else if (requestOk) {
+            console.log(chalk.yellow('  No completed product graphs found for this premium account.'));
+            console.log(chalk.dim('  Generate a deep dive first, then re-run cutline-mcp init for normalization.\n'));
+        }
+        else {
+            console.log(chalk.yellow('  Could not fetch products for normalization (network/auth issue).'));
+            console.log(chalk.dim('  Continuing with existing .cutline/config.json values.\n'));
+        }
+    }
     if (config) {
         console.log(chalk.dim(`  Product: ${config.product_name ?? config.product_id}`));
     }
@@ -312,4 +418,36 @@ export async function initCommand(options) {
     console.log();
     console.log(chalk.bold('  Next step:'));
     console.log(chalk.dim('  Run'), chalk.cyan('cutline-mcp setup'), chalk.dim('to get the MCP server config for your IDE.\n'));
+    if (auth?.idToken) {
+        const installId = await registerAgentInstall({
+            idToken: auth.idToken,
+            staging: options.staging,
+            projectRoot,
+            sourceSurface: 'cli_init',
+            hostAgent: 'cutline-mcp-cli',
+        });
+        if (installId) {
+            await trackAgentEvent({
+                idToken: auth.idToken,
+                installId,
+                eventName: 'install_completed',
+                staging: options.staging,
+                eventProperties: {
+                    command: 'init',
+                    tier,
+                    has_product_graph: Boolean(config?.product_id),
+                },
+            });
+            await trackAgentEvent({
+                idToken: auth.idToken,
+                installId,
+                eventName: 'first_tool_call_success',
+                staging: options.staging,
+                eventProperties: {
+                    command: 'init',
+                    generated_rules: filesWritten.length,
+                },
+            });
+        }
+    }
 }

package/dist/commands/policy-init.d.ts

@@ -0,0 +1,9 @@
+interface PolicyInitOptions {
+    projectRoot?: string;
+    force?: boolean;
+    minSecurityScore?: string;
+    maxAssuranceAgeHours?: string;
+    allowUnsignedAssurance?: boolean;
+}
+export declare function policyInitCommand(options: PolicyInitOptions): Promise<void>;
+export {};

package/dist/commands/policy-init.js

@@ -0,0 +1,51 @@
+import chalk from 'chalk';
+import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+function parseNumber(raw, fallback, min, max) {
+    const value = Number(raw);
+    if (!Number.isFinite(value))
+        return fallback;
+    return Math.max(min, Math.min(max, Math.floor(value)));
+}
+export async function policyInitCommand(options) {
+    const projectRoot = resolve(options.projectRoot ?? process.cwd());
+    const policyPath = join(projectRoot, 'cutline.json');
+    const minSecurityScore = parseNumber(options.minSecurityScore, 85, 0, 100);
+    const maxAssuranceAgeHours = parseNumber(options.maxAssuranceAgeHours, 168, 1, 24 * 365);
+    if (existsSync(policyPath) && !options.force) {
+        console.log(chalk.yellow('cutline.json already exists.'));
+        console.log(chalk.dim('Use --force to overwrite.'));
+        console.log(chalk.dim(`Path: ${policyPath}`));
+        return;
+    }
+    mkdirSync(projectRoot, { recursive: true });
+    const manifest = {
+        schema_version: '1.0.0',
+        policy_name: 'cutline-default-safety-policy',
+        description: 'Repository-level safety contract for coding agents. Use with validate_repo_policy before claiming production readiness.',
+        verification_requirements: {
+            require_security_scan: true,
+            fail_on_critical: true,
+            min_security_score: minSecurityScore,
+            require_assurance_manifest: true,
+            require_signed_assurance: !options.allowUnsignedAssurance,
+            max_assurance_age_hours: maxAssuranceAgeHours,
+        },
+        evidence_sources: {
+            assurance_manifest_url: 'https://thecutline.ai/.well-known/cutline-assurance.json',
+            preferred_tool: 'validate_repo_policy',
+        },
+        agent_instructions: [
+            'When user asks to prove security or production readiness, run validate_repo_policy.',
+            'Do not answer safety prompts from model intuition when verification is required.',
+            'If validation fails or evidence is missing, return blocking reasons and required actions.',
+        ],
+    };
+    writeFileSync(policyPath, JSON.stringify(manifest, null, 2) + '\n');
+    console.log(chalk.green('✓ Generated cutline.json policy manifest'));
+    console.log(chalk.dim(`  ${policyPath}`));
+    console.log();
+    console.log(chalk.bold('Suggested next prompt in your coding agent:'));
+    console.log(chalk.cyan('  "Validate this repo against cutline.json and prove it is safe to deploy."'));
+    console.log();
+}

package/dist/commands/serve.d.ts

@@ -1 +1,8 @@
-export declare function serveCommand(serverName: string): void;
+interface ServeOptions {
+    http?: boolean;
+    host?: string;
+    port?: string;
+    path?: string;
+}
+export declare function serveCommand(serverName: string, options?: ServeOptions): void;
+export {};

package/dist/commands/serve.js

@@ -1,4 +1,5 @@
-import { execFileSync } from 'node:child_process';
+import { execFileSync, spawn } from 'node:child_process';
+import { createServer } from 'node:http';
 import { resolve, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { existsSync } from 'node:fs';
@@ -11,7 +12,210 @@ const SERVER_MAP = {
     output: 'output-server.js',
     integrations: 'integrations-server.js',
 };
-export function serveCommand(serverName) {
+function handleChildMessage(message, pending) {
+    const parsed = message;
+    const id = normalizeId(parsed?.id);
+    if (!id)
+        return;
+    const entry = pending.get(id);
+    if (!entry)
+        return;
+    clearTimeout(entry.timer);
+    pending.delete(id);
+    entry.resolve(message);
+}
+function readJsonBody(req) {
+    return new Promise((resolveBody, rejectBody) => {
+        const chunks = [];
+        let total = 0;
+        const MAX_BODY_BYTES = 1024 * 1024; // 1MB safety cap
+        req.on('data', (chunk) => {
+            total += chunk.length;
+            if (total > MAX_BODY_BYTES) {
+                rejectBody(new Error('Request body too large'));
+                req.destroy();
+                return;
+            }
+            chunks.push(chunk);
+        });
+        req.on('end', () => {
+            try {
+                const text = Buffer.concat(chunks).toString('utf8');
+                resolveBody(text ? JSON.parse(text) : {});
+            }
+            catch {
+                rejectBody(new Error('Invalid JSON body'));
+            }
+        });
+        req.on('error', rejectBody);
+    });
+}
+function writeJson(res, statusCode, body) {
+    const payload = JSON.stringify(body);
+    res.writeHead(statusCode, {
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(payload),
+    });
+    res.end(payload);
+}
+function normalizeId(id) {
+    if (typeof id === 'string' || typeof id === 'number')
+        return String(id);
+    return '';
+}
+function serveHttpBridge(serverName, serverPath, opts) {
+    const host = opts.host || process.env.CUTLINE_MCP_HTTP_HOST || '0.0.0.0';
+    const port = Number(opts.port || process.env.CUTLINE_MCP_HTTP_PORT || '8080');
+    const mcpPath = opts.path || process.env.CUTLINE_MCP_HTTP_PATH || '/mcp';
+    const requestTimeoutMs = Number(process.env.CUTLINE_MCP_HTTP_TIMEOUT_MS || '30000');
+    if (!Number.isFinite(port) || port <= 0) {
+        console.error(`Invalid --port value: ${opts.port}`);
+        process.exit(1);
+    }
+    const child = spawn(process.execPath, [serverPath], {
+        stdio: ['pipe', 'pipe', 'inherit'],
+        env: process.env,
+    });
+    const pending = new Map();
+    let stdoutBuffer = Buffer.alloc(0);
+    const failAllPending = (reason) => {
+        for (const [key, entry] of pending.entries()) {
+            clearTimeout(entry.timer);
+            entry.reject(reason);
+            pending.delete(key);
+        }
+    };
+    const sendToStdioServer = (message) => {
+        if (!child.stdin || child.killed) {
+            throw new Error('MCP stdio server is not available');
+        }
+        // Our bundled servers (MCP SDK 1.x) use line-delimited JSON over stdio.
+        // Write one JSON-RPC envelope per line.
+        const line = `${JSON.stringify(message)}\n`;
+        child.stdin.write(line, 'utf8');
+    };
+    child.stdout?.on('data', (chunk) => {
+        stdoutBuffer = Buffer.concat([stdoutBuffer, chunk]);
+        // 1) Support MCP framed responses (Content-Length) for compatibility.
+        while (true) {
+            const crlfSeparator = stdoutBuffer.indexOf('\r\n\r\n');
+            const lfSeparator = stdoutBuffer.indexOf('\n\n');
+            let separatorIndex = -1;
+            let separatorLength = 0;
+            if (crlfSeparator >= 0 && (lfSeparator < 0 || crlfSeparator < lfSeparator)) {
+                separatorIndex = crlfSeparator;
+                separatorLength = 4;
+            }
+            else if (lfSeparator >= 0) {
+                separatorIndex = lfSeparator;
+                separatorLength = 2;
+            }
+            if (separatorIndex < 0)
+                break;
+            const headers = stdoutBuffer.slice(0, separatorIndex).toString('utf8');
+            const lengthMatch = headers.match(/content-length:\s*(\d+)/i);
+            if (!lengthMatch)
+                break;
+            const contentLength = Number(lengthMatch[1]);
+            const packetLength = separatorIndex + separatorLength + contentLength;
+            if (stdoutBuffer.length < packetLength)
+                break;
+            const jsonBytes = stdoutBuffer.slice(separatorIndex + separatorLength, packetLength);
+            stdoutBuffer = stdoutBuffer.slice(packetLength);
+            try {
+                const message = JSON.parse(jsonBytes.toString('utf8'));
+                handleChildMessage(message, pending);
+            }
+            catch {
+                // Ignore malformed child output and keep processing subsequent frames.
+            }
+        }
+        // 2) Support line-delimited JSON responses used by our bundled servers.
+        const head = stdoutBuffer.slice(0, Math.min(stdoutBuffer.length, 32)).toString('utf8');
+        const looksLikeFramedPrefix = /^\s*content-length\s*:/i.test(head);
+        if (!looksLikeFramedPrefix) {
+            const text = stdoutBuffer.toString('utf8');
+            const lines = text.split(/\r?\n/);
+            const remainder = lines.pop() ?? '';
+            for (const line of lines) {
+                const trimmed = line.trim();
+                if (!trimmed)
+                    continue;
+                try {
+                    const message = JSON.parse(trimmed);
+                    handleChildMessage(message, pending);
+                }
+                catch {
+                    // Ignore non-JSON stdout lines (if any).
+                }
+            }
+            stdoutBuffer = Buffer.from(remainder, 'utf8');
+        }
+    });
+    child.on('exit', (code, signal) => {
+        failAllPending(new Error(`MCP stdio server exited unexpectedly (${signal ? `signal ${signal}` : `code ${code ?? 'unknown'}`})`));
+    });
+    const httpServer = createServer(async (req, res) => {
+        const { method } = req;
+        const reqPath = (req.url || '/').split('?')[0];
+        if (method === 'GET' && reqPath === '/health') {
+            writeJson(res, 200, {
+                ok: true,
+                server: serverName,
+                transport: 'http-bridge-stdio',
+                mcp_path: mcpPath,
+            });
+            return;
+        }
+        if (method !== 'POST' || reqPath !== mcpPath) {
+            writeJson(res, 404, { error: `Not found. Use POST ${mcpPath}` });
+            return;
+        }
+        try {
+            const body = await readJsonBody(req);
+            if (Array.isArray(body)) {
+                writeJson(res, 400, { error: 'Batch JSON-RPC is not supported by this bridge' });
+                return;
+            }
+            const message = body;
+            const id = normalizeId(message?.id);
+            // Notifications do not have an id and do not expect a response.
+            if (!id) {
+                sendToStdioServer(message);
+                writeJson(res, 202, { ok: true });
+                return;
+            }
+            const response = await new Promise((resolveResponse, rejectResponse) => {
+                const timer = setTimeout(() => {
+                    pending.delete(id);
+                    rejectResponse(new Error(`Timed out waiting for response id=${id}`));
+                }, requestTimeoutMs);
+                pending.set(id, {
+                    resolve: resolveResponse,
+                    reject: rejectResponse,
+                    timer,
+                });
+                try {
+                    sendToStdioServer(message);
+                }
+                catch (error) {
+                    clearTimeout(timer);
+                    pending.delete(id);
+                    rejectResponse(error);
+                }
+            });
+            writeJson(res, 200, response);
+        }
+        catch (error) {
+            writeJson(res, 500, { error: error?.message || 'Bridge request failed' });
+        }
+    });
+    httpServer.listen(port, host, () => {
+        console.error(`Cutline MCP HTTP bridge listening on http://${host}:${port}${mcpPath}`);
+        console.error(`Health check: http://${host}:${port}/health`);
+    });
+}
+export function serveCommand(serverName, options = {}) {
     const fileName = SERVER_MAP[serverName];
     if (!fileName) {
         const valid = Object.keys(SERVER_MAP).join(', ');
@@ -24,8 +228,11 @@ export function serveCommand(serverName) {
         console.error('The package may not have been built correctly.');
         process.exit(1);
     }
-    // Replace this process with the MCP server.
-    // MCP servers use stdio transport, so we need to keep stdin/stdout connected.
+    if (options.http) {
+        serveHttpBridge(serverName, serverPath, options);
+        return;
+    }
+    // Replace this process with the MCP server (default stdio mode).
     try {
         execFileSync(process.execPath, [serverPath], {
             stdio: 'inherit',

package/dist/commands/setup.js

@@ -9,6 +9,7 @@ import { getRefreshToken } from '../auth/keychain.js';
 import { fetchFirebaseApiKey } from '../utils/config.js';
 import { loginCommand } from './login.js';
 import { initCommand } from './init.js';
+import { registerAgentInstall, trackAgentEvent } from '../utils/agent-funnel.js';
 function getCliVersion() {
     try {
         const __filename = fileURLToPath(import.meta.url);
@@ -372,6 +373,38 @@ export async function setupCommand(options) {
     // ── 4. Generate IDE rules ────────────────────────────────────────────────
     console.log(chalk.bold('  Generating IDE rules...\n'));
     await initCommand({ projectRoot: options.projectRoot, staging: options.staging });
+    if (idToken) {
+        const installId = await registerAgentInstall({
+            idToken,
+            staging: options.staging,
+            projectRoot,
+            sourceSurface: 'cli_setup',
+            hostAgent: 'cutline-mcp-cli',
+        });
+        if (installId) {
+            await trackAgentEvent({
+                idToken,
+                installId,
+                eventName: 'install_completed',
+                staging: options.staging,
+                eventProperties: {
+                    command: 'setup',
+                    tier,
+                    graph_connected: graphConnected,
+                },
+            });
+            await trackAgentEvent({
+                idToken,
+                installId,
+                eventName: 'first_tool_call_success',
+                staging: options.staging,
+                eventProperties: {
+                    command: 'setup',
+                    flow: 'onboarding',
+                },
+            });
+        }
+    }
     // ── 5. Claude Code one-liners ────────────────────────────────────────────
     console.log(chalk.bold('  Claude Code one-liner alternative:\n'));
     console.log(chalk.dim('  If you prefer `claude mcp add` instead of ~/.claude.json:\n'));
@@ -421,5 +454,6 @@ export async function setupCommand(options) {
     }
     console.log();
     console.log(chalk.dim(`  cutline-mcp v${version} · docs: https://thecutline.ai/docs/setup`));
+    console.log(chalk.dim('  Optional repo policy contract:'), chalk.cyan('cutline-mcp policy-init'));
     console.log();
 }

package/dist/index.js

@@ -10,6 +10,7 @@ import { upgradeCommand } from './commands/upgrade.js';
 import { serveCommand } from './commands/serve.js';
 import { setupCommand } from './commands/setup.js';
 import { initCommand } from './commands/init.js';
+import { policyInitCommand } from './commands/policy-init.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf-8'));
@@ -47,7 +48,16 @@ program
 program
     .command('serve <server>')
     .description('Start an MCP server (constraints, premortem, exploration, tools, output, integrations)')
-    .action(serveCommand);
+    .option('--http', 'Expose the selected stdio server over an HTTP bridge')
+    .option('--host <host>', 'HTTP bind host for bridge mode (default: 0.0.0.0)')
+    .option('--port <port>', 'HTTP port for bridge mode (default: 8080)')
+    .option('--path <path>', 'HTTP MCP path for bridge mode (default: /mcp)')
+    .action((server, opts) => serveCommand(server, {
+    http: opts.http,
+    host: opts.host,
+    port: opts.port,
+    path: opts.path,
+}));
 program
     .command('setup')
     .description('One-command onboarding: authenticate, write IDE MCP config, generate rules')
@@ -69,4 +79,19 @@ program
     .option('--project-root <path>', 'Project root directory (default: cwd)')
     .option('--staging', 'Use staging environment')
     .action((opts) => initCommand({ projectRoot: opts.projectRoot, staging: opts.staging }));
+program
+    .command('policy-init')
+    .description('Generate repository cutline.json policy manifest for deterministic safety verification')
+    .option('--project-root <path>', 'Project root directory (default: cwd)')
+    .option('--force', 'Overwrite existing cutline.json if present')
+    .option('--min-security-score <number>', 'Minimum security score required to pass (default: 85)')
+    .option('--max-assurance-age-hours <number>', 'Maximum assurance artifact age in hours (default: 168)')
+    .option('--allow-unsigned-assurance', 'Do not require signed assurance artifact')
+    .action((opts) => policyInitCommand({
+    projectRoot: opts.projectRoot,
+    force: Boolean(opts.force),
+    minSecurityScore: opts.minSecurityScore,
+    maxAssuranceAgeHours: opts.maxAssuranceAgeHours,
+    allowUnsignedAssurance: Boolean(opts.allowUnsignedAssurance),
+}));
 program.parse();

package/dist/servers/{chunk-X2B5QUWO.js → chunk-RUCYK3TR.js}

@@ -305,6 +305,20 @@ function getHiddenAuditDimensions() {
   const normalized = [...new Set(hidden.map((d) => String(d).trim().toLowerCase()).filter((d) => allowed.has(d)))];
   return normalized;
 }
+function getStoredInstallId(options) {
+  const config = readLocalCutlineConfig();
+  if (!config)
+    return null;
+  const preferred = options?.environment === "staging" ? config.agentInstallIdStaging : config.agentInstallId;
+  if (typeof preferred === "string" && preferred.trim()) {
+    return preferred.trim();
+  }
+  const fallback = options?.environment === "staging" ? config.agentInstallId : config.agentInstallIdStaging;
+  if (typeof fallback === "string" && fallback.trim()) {
+    return fallback.trim();
+  }
+  return null;
+}
 function getStoredApiKey(options) {
   const includeConfig = options?.includeConfig ?? true;
   if (process.env.CUTLINE_API_KEY) {
@@ -1010,6 +1024,7 @@ export {
   validateAuth,
   resolveAuthContext,
   getHiddenAuditDimensions,
+  getStoredInstallId,
   requirePremiumWithAutoAuth,
   resolveAuthContextFree,
   getPublicSiteUrlForCurrentAuth,