@metasession.co/devaudit-cli 0.1.0

package/dist/index.js

@@ -0,0 +1,2446 @@
+#!/usr/bin/env node
+import { Command, Option } from 'commander';
+import { createConsola } from 'consola';
+import { execa } from 'execa';
+import { join, resolve, basename, dirname, relative } from 'path';
+import { promises } from 'fs';
+import envPaths from 'env-paths';
+import { fileURLToPath, pathToFileURL } from 'url';
+import { validateManifest } from '@metasession.co/devaudit-plugin-sdk';
+import * as clack2 from '@clack/prompts';
+
+var DEFAULT_OPTIONS = { json: false, verbose: false, noColor: false };
+var currentLogger = build(DEFAULT_OPTIONS);
+var jsonModeActive = false;
+function build(opts) {
+  const level = opts.verbose ? 5 : 3;
+  if (opts.json) {
+    return createConsola({
+      level,
+      reporters: [
+        {
+          log: (logObj) => {
+            const record2 = {
+              level: logObj.type,
+              tag: logObj.tag ?? null,
+              args: logObj.args,
+              date: logObj.date
+            };
+            process.stdout.write(JSON.stringify(record2) + "\n");
+          }
+        }
+      ]
+    });
+  }
+  if (opts.noColor) {
+    process.env["NO_COLOR"] = "1";
+  }
+  return createConsola({ level });
+}
+function configureLogger(opts) {
+  const merged = { ...DEFAULT_OPTIONS, ...opts };
+  jsonModeActive = merged.json;
+  currentLogger = build(merged);
+}
+function logger() {
+  return currentLogger;
+}
+function isJsonMode() {
+  return jsonModeActive;
+}
+function emitJsonResult(payload) {
+  process.stdout.write(JSON.stringify(payload) + "\n");
+}
+
+// src/lib/version.ts
+var CLI_VERSION = "0.0.1";
+var paths = envPaths("devaudit", { suffix: "" });
+var CONFIG_DIR = paths.config;
+var AUTH_FILE = join(CONFIG_DIR, "auth.json");
+join(CONFIG_DIR, "config.json");
+var PLUGINS_DIR = join(CONFIG_DIR, "plugins");
+function toFileUrl(absPath) {
+  return pathToFileURL(absPath).href.replace(/%7E/g, "~");
+}
+async function loadPluginFromDir(dir) {
+  const pkgPath = join(dir, "package.json");
+  const raw = await promises.readFile(pkgPath, "utf-8");
+  const parsed = JSON.parse(raw);
+  const result = validateManifest(parsed);
+  if (!result.valid) {
+    throw new Error(`Invalid manifest in ${pkgPath}: ${result.errors.join("; ")}`);
+  }
+  const mainPath = resolve(dir, result.main);
+  const mod = await import(toFileUrl(mainPath));
+  if (!mod.default || typeof mod.default !== "object") {
+    throw new Error(`Plugin main module ${mainPath} did not default-export a Plugin object.`);
+  }
+  if (mod.default.apiVersion !== "1") {
+    throw new Error(
+      `Plugin ${result.packageName} declares apiVersion '${mod.default.apiVersion}' at runtime, expected '1'.`
+    );
+  }
+  if (typeof mod.default.name !== "string" || mod.default.name.length === 0) {
+    throw new Error(`Plugin main module ${mainPath} did not export a non-empty 'name'.`);
+  }
+  return {
+    dir,
+    packageName: result.packageName,
+    packageVersion: result.packageVersion,
+    manifest: result.manifest,
+    plugin: mod.default
+  };
+}
+
+// src/lib/plugin/discover.ts
+async function listSubdirs(root) {
+  try {
+    const entries = await promises.readdir(root, { withFileTypes: true });
+    return entries.filter((e) => e.isDirectory()).map((e) => join(root, e.name));
+  } catch (err) {
+    if (err.code === "ENOENT") return [];
+    throw err;
+  }
+}
+async function discoverPlugins(root = PLUGINS_DIR) {
+  const dirs = await listSubdirs(root);
+  const loaded = [];
+  const failures = [];
+  for (const dir of dirs) {
+    try {
+      loaded.push(await loadPluginFromDir(dir));
+    } catch (err) {
+      failures.push({ dir, reason: err.message });
+    }
+  }
+  return { loaded, failures };
+}
+async function readSdlcConfig(projectPath) {
+  const configPath = join(resolve(projectPath), "sdlc-config.json");
+  try {
+    const raw = await promises.readFile(configPath, "utf-8");
+    return JSON.parse(raw);
+  } catch (err) {
+    if (err.code === "ENOENT") return null;
+    throw err;
+  }
+}
+async function checkFrameworkFiles(projectPath, files) {
+  const checks = await Promise.all(
+    files.map(async (rel) => {
+      try {
+        await promises.access(join(projectPath, rel));
+        return { path: rel, present: true };
+      } catch {
+        return { path: rel, present: false };
+      }
+    })
+  );
+  return checks;
+}
+
+// src/lib/plugin/context.ts
+async function buildPluginContext(opts) {
+  const cfg = await readSdlcConfig(opts.projectPath);
+  const sdlcConfig = cfg ?? {
+    project_slug: ""
+  };
+  return {
+    projectPath: opts.projectPath,
+    sdlcConfig,
+    logger: pluginLogger(),
+    apiVersion: "1",
+    emit: (event) => {
+      opts.events?.push(event);
+    }
+  };
+}
+function pluginLogger() {
+  const log = logger();
+  return {
+    info: (m) => log.info(`[plugin] ${m}`),
+    warn: (m) => log.warn(`[plugin] ${m}`),
+    error: (m) => log.error(`[plugin] ${m}`),
+    debug: (m) => log.debug(`[plugin] ${m}`)
+  };
+}
+
+// src/lib/plugin/hooks.ts
+async function runHook(plugins, hook, ctx) {
+  const log = logger();
+  const results = [];
+  for (const p of plugins) {
+    const fn = p.plugin.hooks?.[hook];
+    if (!fn) {
+      results.push({ plugin: p.packageName, hook, status: "skipped" });
+      continue;
+    }
+    try {
+      await fn(ctx);
+      results.push({ plugin: p.packageName, hook, status: "ok" });
+    } catch (err) {
+      const message = err.message;
+      log.warn(`Plugin '${p.packageName}' hook '${hook}' threw: ${message}`);
+      results.push({ plugin: p.packageName, hook, status: "error", message });
+    }
+  }
+  return results;
+}
+function registerPluginCommands(program, plugins) {
+  for (const p of plugins) {
+    const namespace = pluginNamespace(p.packageName);
+    const manifestCommands = p.manifest.commands ?? [];
+    if (manifestCommands.length === 0) continue;
+    const group2 = program.command(namespace).description(p.manifest.displayName ?? p.packageName);
+    for (const c of manifestCommands) {
+      const impl = p.plugin.commands?.[c.name];
+      if (!impl) continue;
+      group2.command(`${c.name} [args...]`).description(c.description).action(async (args) => {
+        const log = logger();
+        const projectPath = resolve(process.cwd());
+        const ctx = await buildPluginContext({ projectPath });
+        try {
+          await impl(ctx, args);
+        } catch (err) {
+          log.error(`Plugin '${p.packageName}' command '${c.name}' failed: ${err.message}`);
+          process.exit(1);
+        }
+      });
+    }
+  }
+}
+function pluginNamespace(packageName) {
+  return packageName.replace(/^@[^/]+\//, "").replace(/^devaudit-plugin-/, "");
+}
+
+// src/commands/doctor.ts
+async function checkCommand(name, args) {
+  try {
+    const result = await execa(name, args, { reject: false });
+    const ok2 = result.exitCode === 0;
+    const firstLine = result.stdout.split("\n")[0] ?? "";
+    return { name, ok: ok2, detail: ok2 ? firstLine : `exited ${result.exitCode}` };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { name, ok: false, detail: message };
+  }
+}
+async function checkNodeVersion() {
+  const version = process.versions.node;
+  const major = Number.parseInt(version.split(".")[0] ?? "0", 10);
+  const ok2 = major >= 22;
+  return { name: "node", ok: ok2, detail: `v${version} (require >=22)` };
+}
+async function runDoctor(options = {}) {
+  const log = logger();
+  log.info("Running devaudit doctor \u2014 checking required tools...\n");
+  const checks = [
+    await checkNodeVersion(),
+    await checkCommand("git", ["--version"]),
+    await checkCommand("gh", ["--version"]),
+    await checkCommand("jq", ["--version"]),
+    await checkCommand("curl", ["--version"])
+  ];
+  let allOk = true;
+  for (const check of checks) {
+    const marker = check.ok ? "\u2713" : "\u2717";
+    if (!check.ok) allOk = false;
+    log.log(`  ${marker} ${check.name.padEnd(8)} ${check.detail}`);
+  }
+  log.log("");
+  const plugins = options.plugins ?? (await discoverPlugins()).loaded;
+  if (plugins.length > 0) {
+    const ctx = await buildPluginContext({ projectPath: resolve(process.cwd()) });
+    await runHook(plugins, "onDoctor", ctx);
+  }
+  if (allOk) {
+    log.success("All required tools present.");
+    process.exit(0);
+  } else {
+    log.error("One or more required tools are missing. Install them and re-run `devaudit doctor`.");
+    process.exit(6);
+  }
+}
+var DEFAULT_BASE_URL = "https://devaudit.metasession.co";
+async function readAuth() {
+  try {
+    const raw = await promises.readFile(AUTH_FILE, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== 1 || typeof parsed.token !== "string") {
+      return null;
+    }
+    return parsed;
+  } catch (err) {
+    if (err.code === "ENOENT") return null;
+    throw err;
+  }
+}
+async function writeAuth(token, baseUrl = DEFAULT_BASE_URL) {
+  await promises.mkdir(dirname(AUTH_FILE), { recursive: true, mode: 448 });
+  const record2 = { version: 1, token, base_url: baseUrl };
+  await promises.writeFile(AUTH_FILE, JSON.stringify(record2, null, 2) + "\n", { mode: 384 });
+}
+async function deleteAuth() {
+  try {
+    await promises.unlink(AUTH_FILE);
+    return true;
+  } catch (err) {
+    if (err.code === "ENOENT") return false;
+    throw err;
+  }
+}
+async function resolveToken() {
+  const envToken = process.env["DEVAUDIT_USER_TOKEN"];
+  if (envToken) {
+    const envBase = process.env["DEVAUDIT_BASE_URL"] ?? DEFAULT_BASE_URL;
+    return { token: envToken, baseUrl: envBase, source: "env" };
+  }
+  const record2 = await readAuth();
+  if (record2) return { token: record2.token, baseUrl: record2.base_url, source: "file" };
+  return null;
+}
+
+// src/lib/devaudit-api.ts
+var DevAuditApiError = class extends Error {
+  constructor(message, status, body) {
+    super(message);
+    this.status = status;
+    this.body = body;
+    this.name = "DevAuditApiError";
+  }
+  status;
+  body;
+};
+var DevAuditClient = class {
+  token;
+  baseUrl;
+  constructor(opts) {
+    this.token = opts.token;
+    this.baseUrl = opts.baseUrl.replace(/\/$/, "");
+  }
+  async listProjects() {
+    const res = await this.request("GET", "/api/projects");
+    const json = await res.json();
+    if (Array.isArray(json)) return json;
+    return json.projects ?? [];
+  }
+  async getProjectBySlug(slug) {
+    const list = await this.listProjects();
+    return list.find((p) => p.slug === slug) ?? null;
+  }
+  async createProject(slug, name) {
+    const res = await this.request("POST", "/api/projects", { slug, name });
+    return await res.json();
+  }
+  async listApiKeys(projectId) {
+    const res = await this.request("GET", `/api/projects/${projectId}/api-keys`);
+    const json = await res.json();
+    if (Array.isArray(json)) return json;
+    return json.keys ?? [];
+  }
+  async issueApiKey(projectId, name) {
+    const res = await this.request("POST", `/api/projects/${projectId}/api-keys`, {
+      name,
+      role: "uploader"
+    });
+    return await res.json();
+  }
+  async request(method, path, body) {
+    const url = `${this.baseUrl}${path}`;
+    const headers = { "x-devaudit-token": this.token };
+    let payload;
+    if (body !== void 0) {
+      headers["content-type"] = "application/json";
+      payload = JSON.stringify(body);
+    }
+    const res = await fetch(url, { method, headers, body: payload });
+    if (!res.ok) {
+      const text2 = await res.text();
+      throw new DevAuditApiError(`${method} ${path} \u2192 HTTP ${res.status}`, res.status, text2);
+    }
+    return res;
+  }
+};
+
+// src/commands/auth/login.ts
+var DEFAULT_BASE_URL2 = "https://devaudit.metasession.co";
+async function runAuthLogin(options) {
+  const log = logger();
+  const baseUrl = options.baseUrl ?? DEFAULT_BASE_URL2;
+  let token = options.token ?? process.env["DEVAUDIT_USER_TOKEN"];
+  if (!token) {
+    log.info(`Open ${baseUrl}/settings/tokens in your browser and issue a Personal Access Token.`);
+    log.info("Paste the `mctok_...` value below; it never leaves this machine.");
+    const result = await clack2.password({
+      message: "Paste your DevAudit Personal Access Token (mctok_...):",
+      validate: (val) => {
+        if (!val) return "Token is required.";
+        if (!val.startsWith("mctok_")) return "Token should start with 'mctok_'.";
+        return void 0;
+      }
+    });
+    if (clack2.isCancel(result)) {
+      log.warn("Cancelled.");
+      process.exit(0);
+    }
+    token = result;
+  }
+  log.info("Validating token against portal...");
+  try {
+    const client = new DevAuditClient({ token, baseUrl });
+    await client.listProjects();
+  } catch (err) {
+    if (err instanceof DevAuditApiError && (err.status === 401 || err.status === 403)) {
+      log.error("Token rejected by portal (HTTP " + err.status + "). Check it was copied correctly + is not revoked.");
+      process.exit(3);
+    }
+    throw err;
+  }
+  await writeAuth(token, baseUrl);
+  log.success("Logged in. Token cached at ~/.config/devaudit/auth.json (mode 0600).");
+}
+
+// src/commands/auth/logout.ts
+async function runAuthLogout() {
+  const log = logger();
+  const existed = await deleteAuth();
+  if (existed) {
+    log.success(`Removed cached token at ${AUTH_FILE}.`);
+  } else {
+    log.info("No cached token to remove.");
+  }
+}
+
+// src/commands/auth/status.ts
+async function runAuthStatus() {
+  const log = logger();
+  const resolved = await resolveToken();
+  if (!resolved) {
+    if (isJsonMode()) emitJsonResult({ ok: false, reason: "not_logged_in" });
+    else log.warn("Not logged in. Run `devaudit auth login` or set DEVAUDIT_USER_TOKEN.");
+    process.exit(3);
+    return;
+  }
+  if (!isJsonMode()) {
+    log.info(`Token source: ${resolved.source === "env" ? "DEVAUDIT_USER_TOKEN env var" : "~/.config/devaudit/auth.json"}`);
+    log.info(`Portal:       ${resolved.baseUrl}`);
+    log.info("Verifying token against portal...");
+  }
+  try {
+    const client = new DevAuditClient({ token: resolved.token, baseUrl: resolved.baseUrl });
+    const projects = await client.listProjects();
+    if (isJsonMode()) {
+      emitJsonResult({
+        ok: true,
+        source: resolved.source,
+        baseUrl: resolved.baseUrl,
+        projects: projects.map((p) => p.slug)
+      });
+      return;
+    }
+    log.success(`Token is valid. Accessible projects: ${projects.length}`);
+    for (const p of projects.slice(0, 10)) {
+      log.log(`  \u2022 ${p.slug}`);
+    }
+    if (projects.length > 10) log.log(`  ... and ${projects.length - 10} more`);
+  } catch (err) {
+    if (err instanceof DevAuditApiError) {
+      if (isJsonMode()) emitJsonResult({ ok: false, reason: "portal_rejected", status: err.status });
+      else log.error(`Portal rejected the token (HTTP ${err.status}). Re-run \`devaudit auth login\`.`);
+      process.exit(3);
+      return;
+    }
+    if (isJsonMode())
+      emitJsonResult({ ok: false, reason: "unexpected", message: err instanceof Error ? err.message : String(err) });
+    else log.error(`Unexpected error: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(1);
+  }
+}
+var FRAMEWORK_FILES = [
+  "INSTRUCTIONS.md",
+  "CLAUDE.md",
+  ".cursorrules",
+  ".windsurfrules",
+  "GEMINI.md",
+  "SDLC/0-project-setup.md",
+  "SDLC/5-deploy-main.md",
+  "scripts/upload-evidence.sh",
+  "compliance/RTM.md",
+  ".github/workflows/ci.yml"
+];
+async function runStatus(options) {
+  const log = logger();
+  const projectPath = resolve(options.path ?? process.cwd());
+  const config = await readSdlcConfig(projectPath);
+  if (!config) {
+    if (isJsonMode()) {
+      emitJsonResult({ ok: false, reason: "not_onboarded", projectPath });
+    } else {
+      log.info(`Inspecting ${projectPath}`);
+      log.warn("No sdlc-config.json found here. This project is not onboarded to DevAudit.");
+      log.info("Run `devaudit install` to onboard.");
+    }
+    process.exit(7);
+    return;
+  }
+  const files = await checkFrameworkFiles(projectPath, FRAMEWORK_FILES);
+  const presentFiles = files.filter((f) => f.present).map((f) => f.path);
+  const missingFiles = files.filter((f) => !f.present).map((f) => f.path);
+  if (isJsonMode()) {
+    emitJsonResult({
+      ok: true,
+      projectPath,
+      project_slug: config.project_slug,
+      stack: config.stack ?? null,
+      host: config.host ?? null,
+      node_version: config.node_version ?? null,
+      python_version: config.python_version ?? null,
+      working_directory: config.working_directory ?? null,
+      source_dirs: config.source_dirs ?? null,
+      devaudit_base_url: config.devaudit?.base_url ?? null,
+      uat_enabled: config.uat?.enabled ?? false,
+      approval_mode: config.approval?.mode ?? null,
+      files_present: presentFiles,
+      files_missing: missingFiles
+    });
+    return;
+  }
+  log.info(`Inspecting ${projectPath}`);
+  log.success("sdlc-config.json found.");
+  log.log("");
+  log.log(`  Project slug:   ${config.project_slug}`);
+  log.log(`  Stack:          ${config.stack ?? "(unset)"}`);
+  log.log(`  Host:           ${config.host ?? "(unset)"}`);
+  if (config.node_version) log.log(`  Node version:   ${config.node_version}`);
+  if (config.python_version) log.log(`  Python version: ${config.python_version}`);
+  if (config.working_directory) log.log(`  Working dir:    ${config.working_directory}`);
+  if (config.source_dirs) log.log(`  Source dirs:    ${config.source_dirs}`);
+  log.log(`  DevAudit URL:   ${config.devaudit?.base_url ?? "(unset)"}`);
+  log.log(`  UAT enabled:    ${config.uat?.enabled ?? false}`);
+  log.log(`  Approval mode:  ${config.approval?.mode ?? "(unset)"}`);
+  log.log("");
+  log.info("Framework files present?");
+  for (const f of files) {
+    const marker = f.present ? "\u2713" : "\u2717";
+    log.log(`  ${marker} ${f.path}`);
+  }
+  log.log("");
+  if (missingFiles.length === 0) {
+    log.success("All checked framework files are present.");
+  } else {
+    log.warn(`${missingFiles.length} framework file(s) missing. Re-sync via DevAudit-Installer's sync-sdlc.sh to refresh.`);
+  }
+}
+var RETRYABLE_STATUSES = /* @__PURE__ */ new Set([429, 500, 502, 503, 504]);
+var MAX_ATTEMPTS = 3;
+var INITIAL_BACKOFF_MS = 1e3;
+async function collectFiles(filePath) {
+  const stat = await promises.stat(filePath);
+  if (stat.isFile()) return [filePath];
+  if (stat.isDirectory()) {
+    const entries = await promises.readdir(filePath, { withFileTypes: true });
+    const files = [];
+    for (const entry of entries) {
+      if (entry.isFile()) files.push(join(filePath, entry.name));
+    }
+    return files;
+  }
+  throw new Error(`${filePath} is neither a file nor a directory.`);
+}
+function delay(ms) {
+  return new Promise((res) => setTimeout(res, ms));
+}
+async function uploadOne(file, opts) {
+  const form = new FormData();
+  const buf = await promises.readFile(file);
+  const blob = new Blob([new Uint8Array(buf)]);
+  form.set("file", blob, basename(file));
+  form.set("projectSlug", opts.projectSlug);
+  form.set("requirementId", opts.requirementId);
+  form.set("evidenceType", opts.evidenceType);
+  form.set("metadata", JSON.stringify(opts.metadata ?? {}));
+  if (opts.releaseVersion) form.set("releaseVersion", opts.releaseVersion);
+  if (opts.createReleaseIfMissing) form.set("createReleaseIfMissing", "true");
+  if (opts.environment) form.set("environment", opts.environment);
+  if (opts.evidenceCategory) form.set("evidenceCategory", opts.evidenceCategory);
+  const url = `${opts.baseUrl.replace(/\/$/, "")}/api/evidence/upload`;
+  let attempt = 1;
+  let backoff = INITIAL_BACKOFF_MS;
+  while (attempt <= MAX_ATTEMPTS) {
+    const res = await fetch(url, {
+      method: "POST",
+      headers: { authorization: `Bearer ${opts.apiKey}` },
+      body: form
+    });
+    if (res.ok) {
+      const body = await res.json().catch(() => null);
+      return { file, ok: true, status: res.status, body };
+    }
+    if (RETRYABLE_STATUSES.has(res.status) && attempt < MAX_ATTEMPTS) {
+      const retryAfter = Number.parseInt(res.headers.get("retry-after") ?? "", 10);
+      const wait = Number.isFinite(retryAfter) && retryAfter > 0 ? retryAfter * 1e3 : backoff;
+      await delay(wait);
+      backoff *= 2;
+      attempt += 1;
+      continue;
+    }
+    const errText = await res.text().catch(() => "(no body)");
+    return { file, ok: false, status: res.status, error: errText };
+  }
+  return { file, ok: false, status: 0, error: "max retries exhausted" };
+}
+async function uploadEvidence(opts) {
+  const files = await collectFiles(opts.filePath);
+  if (files.length === 0) {
+    throw new DevAuditApiError(`No files at ${opts.filePath}`, 0, "");
+  }
+  const results = [];
+  for (const file of files) {
+    results.push(await uploadOne(file, opts));
+  }
+  return results;
+}
+
+// src/commands/push.ts
+var DEFAULT_BASE_URL3 = "https://devaudit.metasession.co";
+function buildMetadata(options) {
+  const metadata = {};
+  if (options.gitSha) metadata["gitSha"] = options.gitSha;
+  if (options.ciRunId) metadata["ciRunId"] = options.ciRunId;
+  if (options.branch) metadata["branch"] = options.branch;
+  return metadata;
+}
+async function runDryRun(options, baseUrl) {
+  const log = logger();
+  const files = await collectFiles(options.filePath);
+  const planned = {
+    dryRun: true,
+    projectSlug: options.projectSlug,
+    requirementId: options.requirementId,
+    evidenceType: options.evidenceType,
+    baseUrl,
+    files: files.map((f) => ({ path: f })),
+    metadata: buildMetadata(options),
+    ...options.release !== void 0 ? { release: options.release } : {},
+    ...options.environment !== void 0 ? { environment: options.environment } : {},
+    ...options.category !== void 0 ? { category: options.category } : {}
+  };
+  if (isJsonMode()) {
+    emitJsonResult(planned);
+    return;
+  }
+  log.info(
+    `[dry-run] Would upload ${files.length} file(s) for ${options.projectSlug}/${options.requirementId} (${options.evidenceType}) \u2192 ${baseUrl}`
+  );
+  for (const f of files) log.log(`  \xB7 ${f}`);
+}
+async function runPush(options) {
+  const log = logger();
+  const projectPath = resolve(process.cwd());
+  const baseUrl = options.baseUrl ?? process.env["DEVAUDIT_BASE_URL"] ?? DEFAULT_BASE_URL3;
+  if (options.dryRun) {
+    await runDryRun(options, baseUrl);
+    return;
+  }
+  const apiKey = options.apiKey ?? process.env["DEVAUDIT_API_KEY"];
+  if (!apiKey) {
+    if (isJsonMode()) emitJsonResult({ ok: false, reason: "missing_api_key" });
+    else {
+      log.error("DEVAUDIT_API_KEY env var is required (or pass --api-key).");
+      log.info("Issue a project API key at: <portal>/projects/<slug>/settings \u2192 API Key Management.");
+    }
+    process.exit(3);
+  }
+  log.info(
+    `Uploading ${options.filePath} (project=${options.projectSlug} req=${options.requirementId} type=${options.evidenceType}) \u2192 ${baseUrl}`
+  );
+  const plugins = options.plugins ?? (await discoverPlugins()).loaded;
+  if (plugins.length > 0) {
+    const ctx = await buildPluginContext({ projectPath });
+    await runHook(plugins, "beforePush", ctx);
+  }
+  const metadata = buildMetadata(options);
+  const results = await uploadEvidence({
+    projectSlug: options.projectSlug,
+    requirementId: options.requirementId,
+    evidenceType: options.evidenceType,
+    filePath: options.filePath,
+    apiKey,
+    baseUrl,
+    ...options.release !== void 0 ? { releaseVersion: options.release } : {},
+    ...options.createReleaseIfMissing !== void 0 ? { createReleaseIfMissing: options.createReleaseIfMissing } : {},
+    ...options.environment !== void 0 ? { environment: options.environment } : {},
+    ...options.category !== void 0 ? { evidenceCategory: options.category } : {},
+    metadata
+  });
+  let okCount = 0;
+  let failCount = 0;
+  for (const result of results) {
+    if (result.ok) {
+      okCount++;
+      log.success(`  \u2713 ${result.file} (HTTP ${result.status})`);
+    } else {
+      failCount++;
+      log.error(`  \u2717 ${result.file} (HTTP ${result.status}): ${result.error ?? "(no detail)"}`);
+    }
+  }
+  log.log("");
+  log.info(`Uploaded: ${okCount} succeeded, ${failCount} failed.`);
+  if (plugins.length > 0) {
+    const ctx = await buildPluginContext({ projectPath });
+    await runHook(plugins, "afterPush", ctx);
+  }
+  if (isJsonMode()) {
+    emitJsonResult({
+      ok: failCount === 0,
+      uploaded: okCount,
+      failed: failCount,
+      results: results.map((r) => ({ file: r.file, ok: r.ok, status: r.status, error: r.error ?? null }))
+    });
+  }
+  if (failCount > 0) process.exit(4);
+}
+async function resolveInstallerRoot() {
+  const override = process.env["DEVAUDIT_INSTALLER_ROOT"];
+  if (override) return resolve(override);
+  const here = dirname(fileURLToPath(import.meta.url));
+  const candidate = resolve(here, "..", "..");
+  await promises.access(resolve(candidate, "scripts", "sdlc-onboard.sh"));
+  return candidate;
+}
+async function ensureDir(dir, mode = 493) {
+  await promises.mkdir(dir, { recursive: true, mode });
+}
+async function exists(path) {
+  try {
+    await promises.access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function isDir(path) {
+  try {
+    const stat = await promises.stat(path);
+    return stat.isDirectory();
+  } catch {
+    return false;
+  }
+}
+async function copyFile(src, dst, mode) {
+  await ensureDir(dirname(dst));
+  await promises.copyFile(src, dst);
+  if (mode !== void 0) await promises.chmod(dst, mode);
+}
+async function copyDir(src, dst, clean = false) {
+  if (clean && await exists(dst)) {
+    await promises.rm(dst, { recursive: true, force: true });
+  }
+  await ensureDir(dst);
+  let count = 0;
+  const entries = await promises.readdir(src, { withFileTypes: true });
+  for (const entry of entries) {
+    const srcPath = join(src, entry.name);
+    const dstPath = join(dst, entry.name);
+    if (entry.isDirectory()) {
+      count += await copyDir(srcPath, dstPath, false);
+    } else if (entry.isFile()) {
+      await promises.copyFile(srcPath, dstPath);
+      count += 1;
+    }
+  }
+  return count;
+}
+async function listFiles(dir, predicate) {
+  if (!await isDir(dir)) return [];
+  const entries = await promises.readdir(dir, { withFileTypes: true });
+  return entries.filter((e) => e.isFile()).map((e) => e.name).filter((name) => predicate ? predicate(name) : true).map((name) => join(dir, name));
+}
+function fileBasename(path) {
+  return basename(path);
+}
+var ghAvailabilityCache = null;
+async function ghAvailable() {
+  if (ghAvailabilityCache !== null) return ghAvailabilityCache.available;
+  try {
+    await execa("gh", ["--version"]);
+    ghAvailabilityCache = { available: true };
+    return true;
+  } catch {
+    ghAvailabilityCache = { available: false };
+    return false;
+  }
+}
+var GitHubProvider = class {
+  name = "github";
+  preferGhCli;
+  token;
+  constructor(opts = {}) {
+    this.preferGhCli = opts.preferGhCli ?? true;
+    this.token = opts.token ?? process.env["GH_TOKEN"] ?? process.env["GITHUB_TOKEN"];
+  }
+  async getRepoMeta(cwd) {
+    if (this.preferGhCli && await ghAvailable()) {
+      const res2 = await execa(
+        "gh",
+        ["repo", "view", "--json", "owner,name,defaultBranchRef", "--jq", "{owner: .owner.login, name: .name, defaultBranch: .defaultBranchRef.name}"],
+        { cwd, reject: false }
+      );
+      if (res2.exitCode === 0 && res2.stdout.trim().length > 0) {
+        const parsed = JSON.parse(res2.stdout);
+        return parsed;
+      }
+    }
+    const { owner, name } = await parseOriginRemote(cwd);
+    if (!this.token) {
+      throw new Error(
+        "No `gh` CLI on PATH and no GH_TOKEN env var \u2014 cannot resolve repo metadata for GitHub."
+      );
+    }
+    const res = await fetch(`https://api.github.com/repos/${owner}/${name}`, {
+      headers: this.authHeaders()
+    });
+    if (!res.ok) {
+      throw new Error(`GitHub REST repo lookup failed: HTTP ${res.status}`);
+    }
+    const json = await res.json();
+    return { owner, name, defaultBranch: json.default_branch };
+  }
+  async setSecret(cwd, name, value) {
+    if (this.preferGhCli && await ghAvailable()) {
+      await execa("gh", ["secret", "set", name], { cwd, input: value });
+      return;
+    }
+    throw new Error(
+      "Setting a GitHub repo secret without `gh` CLI requires sodium encryption (libsodium) \u2014 not implemented. Install `gh` CLI to use this command."
+    );
+  }
+  async setVariable(cwd, name, value) {
+    if (this.preferGhCli && await ghAvailable()) {
+      await execa("gh", ["variable", "set", name, "--body", value], { cwd });
+      return;
+    }
+    const { owner, name: repoName } = await this.getRepoMeta(cwd);
+    if (!this.token) {
+      throw new Error("No `gh` CLI and no GH_TOKEN \u2014 cannot set repo variable.");
+    }
+    const res = await fetch(`https://api.github.com/repos/${owner}/${repoName}/actions/variables`, {
+      method: "POST",
+      headers: { ...this.authHeaders(), "content-type": "application/json" },
+      body: JSON.stringify({ name, value })
+    });
+    if (res.status === 409) {
+      const update = await fetch(
+        `https://api.github.com/repos/${owner}/${repoName}/actions/variables/${name}`,
+        {
+          method: "PATCH",
+          headers: { ...this.authHeaders(), "content-type": "application/json" },
+          body: JSON.stringify({ value })
+        }
+      );
+      if (!update.ok) throw new Error(`GitHub REST variable update failed: HTTP ${update.status}`);
+      return;
+    }
+    if (!res.ok) throw new Error(`GitHub REST variable create failed: HTTP ${res.status}`);
+  }
+  async applyBranchProtection(cwd, branch, requiredChecks) {
+    const body = {
+      required_status_checks: { strict: false, contexts: requiredChecks },
+      enforce_admins: false,
+      required_pull_request_reviews: { dismiss_stale_reviews: true, required_approving_review_count: 0 },
+      restrictions: null
+    };
+    if (this.preferGhCli && await ghAvailable()) {
+      const meta2 = await this.getRepoMeta(cwd);
+      const res2 = await execa(
+        "gh",
+        ["api", "-X", "PUT", `/repos/${meta2.owner}/${meta2.name}/branches/${branch}/protection`, "--input", "-"],
+        { cwd, input: JSON.stringify(body), reject: false }
+      );
+      if (res2.exitCode === 0) return { applied: true };
+      return { applied: false, message: res2.stderr.split("\n")[0] || "gh api call failed" };
+    }
+    const meta = await this.getRepoMeta(cwd);
+    if (!this.token) {
+      return { applied: false, message: "No `gh` CLI and no GH_TOKEN \u2014 cannot apply branch protection." };
+    }
+    const res = await fetch(
+      `https://api.github.com/repos/${meta.owner}/${meta.name}/branches/${branch}/protection`,
+      {
+        method: "PUT",
+        headers: { ...this.authHeaders(), "content-type": "application/json" },
+        body: JSON.stringify(body)
+      }
+    );
+    if (res.ok) return { applied: true };
+    return { applied: false, message: `GitHub REST branch-protection PUT failed: HTTP ${res.status}` };
+  }
+  async createPullRequest(cwd, opts) {
+    if (this.preferGhCli && await ghAvailable()) {
+      const res2 = await execa(
+        "gh",
+        ["pr", "create", "--base", opts.base, "--head", opts.head, "--title", opts.title, "--body", opts.body],
+        { cwd }
+      );
+      return { url: res2.stdout.trim() };
+    }
+    const meta = await this.getRepoMeta(cwd);
+    if (!this.token) {
+      throw new Error("No `gh` CLI and no GH_TOKEN \u2014 cannot create pull request.");
+    }
+    const res = await fetch(`https://api.github.com/repos/${meta.owner}/${meta.name}/pulls`, {
+      method: "POST",
+      headers: { ...this.authHeaders(), "content-type": "application/json" },
+      body: JSON.stringify(opts)
+    });
+    if (!res.ok) throw new Error(`GitHub REST PR create failed: HTTP ${res.status}`);
+    const json = await res.json();
+    return { url: json.html_url };
+  }
+  authHeaders() {
+    if (!this.token) return { accept: "application/vnd.github+json" };
+    return { accept: "application/vnd.github+json", authorization: `Bearer ${this.token}` };
+  }
+};
+async function parseOriginRemote(cwd) {
+  const res = await execa("git", ["remote", "get-url", "origin"], { cwd, reject: false });
+  if (res.exitCode !== 0) {
+    throw new Error("No `origin` git remote configured; cannot determine GitHub repo.");
+  }
+  const url = res.stdout.trim();
+  const match = url.match(/github\.com[/:]([^/]+)\/([^/.]+)(?:\.git)?$/);
+  if (!match) {
+    throw new Error(`Could not parse GitHub owner/name from remote URL: ${url}`);
+  }
+  return { owner: match[1] ?? "", name: match[2] ?? "" };
+}
+async function detectProvider(cwd) {
+  const res = await execa("git", ["remote", "get-url", "origin"], { cwd, reject: false });
+  if (res.exitCode !== 0) {
+    throw new Error(
+      "No `origin` git remote configured. Initialise the repo and add a remote before running this command."
+    );
+  }
+  const url = res.stdout.trim();
+  return classifyRemoteUrl(url);
+}
+function classifyRemoteUrl(url) {
+  if (/github\.com[/:]/.test(url)) return { provider: "github", host: "github.com" };
+  if (/gitlab\.com[/:]/.test(url)) return { provider: "gitlab", host: "gitlab.com" };
+  if (/bitbucket\.org[/:]/.test(url)) return { provider: "bitbucket", host: "bitbucket.org" };
+  const hostMatch = url.match(/^(?:https?:\/\/|git@)([^:/]+)/);
+  return { provider: "self-hosted", host: hostMatch?.[1] ?? "unknown" };
+}
+
+// src/lib/git-provider/index.ts
+async function getGitProvider(cwd) {
+  const { provider, host } = await detectProvider(cwd);
+  if (provider === "github") return new GitHubProvider();
+  throw new Error(
+    `Git provider '${provider}' (host: ${host}) is not yet supported. Only GitHub is implemented in workstream C; GitLab/Bitbucket/self-hosted are planned.`
+  );
+}
+
+// src/install/auth-probe.ts
+async function runAuthProbe(ctx) {
+  const client = new DevAuditClient({ token: ctx.token, baseUrl: ctx.baseUrl });
+  try {
+    await client.listProjects();
+    return { step: "1/11 Authenticate", status: "ok", message: `PAT accepted at ${ctx.baseUrl}` };
+  } catch (err) {
+    if (err instanceof DevAuditApiError && (err.status === 401 || err.status === 403)) {
+      throw new Error(
+        `PAT rejected (HTTP ${err.status}). Issue a fresh token at ${ctx.baseUrl}/settings/tokens and retry.`
+      );
+    }
+    throw err;
+  }
+}
+var MAX_DEPTH = 3;
+var SKIP_DIRS = /* @__PURE__ */ new Set(["node_modules", ".git", "dist", "build", ".next", ".turbo"]);
+async function fileExists(path) {
+  try {
+    await promises.access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function findPyproject(root, depth, current) {
+  if (depth > MAX_DEPTH) return null;
+  const entries = await promises.readdir(current, { withFileTypes: true });
+  for (const e of entries) {
+    if (e.isFile() && e.name === "pyproject.toml") {
+      return join(current, e.name);
+    }
+  }
+  for (const e of entries) {
+    if (e.isDirectory() && !SKIP_DIRS.has(e.name)) {
+      const found = await findPyproject(root, depth + 1, join(current, e.name));
+      if (found) return found;
+    }
+  }
+  return null;
+}
+async function detectStack(ctx) {
+  const root = ctx.projectPath;
+  if (await fileExists(join(root, "pyproject.toml"))) {
+    return { result: ok("python", "."), detected: { stack: "python", workingDirectory: "." } };
+  }
+  const nested = await findPyproject(root, 1, root);
+  if (nested) {
+    const wd = relative(root, nested).split("/").slice(0, -1).join("/") || ".";
+    return { result: ok("python", wd), detected: { stack: "python", workingDirectory: wd } };
+  }
+  if (await fileExists(join(root, "package.json"))) {
+    return { result: ok("node", "."), detected: { stack: "node", workingDirectory: "." } };
+  }
+  throw new Error(
+    "Could not detect stack \u2014 no pyproject.toml or package.json found within 3 directory levels."
+  );
+}
+function ok(stack, wd) {
+  return {
+    step: "2/11 Detect stack",
+    status: "ok",
+    message: `stack=${stack} working_directory=${wd} host=railway`,
+    data: { stack, workingDirectory: wd, host: "railway" }
+  };
+}
+var NODE_DEFAULTS = { runtimeVersion: "20", sourceDirs: "app/ lib/" };
+var PYTHON_DEFAULTS = { runtimeVersion: "3.11", sourceDirs: "src/ tests/" };
+function defaultSlug(projectName) {
+  return projectName.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+}
+function prodUrlSecretDefault(slug) {
+  return slug.toUpperCase().replace(/-/g, "_") + "_PROD_URL";
+}
+async function collectPlan(ctx, detected) {
+  const defaults = detected.stack === "node" ? NODE_DEFAULTS : PYTHON_DEFAULTS;
+  if (ctx.nonInteractive) {
+    return planFromConfig(ctx, detected, defaults);
+  }
+  return planFromPrompts(ctx, detected, defaults);
+}
+async function planFromConfig(ctx, detected, defaults) {
+  const cfg = await readSdlcConfig(ctx.projectPath);
+  if (!cfg && !ctx.dryRun) {
+    throw new Error(
+      "--yes requires an existing sdlc-config.json in the project directory. Run without --yes to create one interactively."
+    );
+  }
+  const slug = cfg?.project_slug ?? defaultSlug(ctx.projectName);
+  const runtimeKey = detected.stack === "node" ? cfg?.node_version : cfg?.python_version;
+  const cfgRaw = cfg;
+  const existingProdUrlSecret = typeof cfgRaw?.["production_url_secret"] === "string" ? cfgRaw["production_url_secret"] : void 0;
+  return {
+    stack: detected.stack,
+    host: "railway",
+    projectSlug: slug,
+    runtimeVersion: String(runtimeKey ?? defaults.runtimeVersion),
+    sourceDirs: cfg?.source_dirs ?? defaults.sourceDirs,
+    workingDirectory: cfg?.working_directory ?? detected.workingDirectory,
+    prodUrlSecretName: existingProdUrlSecret ?? prodUrlSecretDefault(slug),
+    prodUrlValue: ""
+  };
+}
+async function planFromPrompts(ctx, detected, defaults) {
+  const slugDefault = defaultSlug(ctx.projectName);
+  const wdInitialDefault = detected.workingDirectory;
+  const answers = await clack2.group(
+    {
+      projectSlug: () => clack2.text({ message: "Project slug", initialValue: slugDefault }),
+      runtimeVersion: () => clack2.text({
+        message: detected.stack === "node" ? "Node version" : "Python version",
+        initialValue: defaults.runtimeVersion
+      }),
+      sourceDirs: () => clack2.text({ message: "Source dirs (space-sep)", initialValue: defaults.sourceDirs }),
+      workingDirectory: () => clack2.text({
+        message: wdInitialDefault === "." ? "Working directory (blank = root)" : "Working directory",
+        initialValue: wdInitialDefault
+      }),
+      prodUrlSecretName: ({ results }) => clack2.text({
+        message: "Production URL secret name",
+        initialValue: prodUrlSecretDefault(String(results.projectSlug ?? slugDefault))
+      }),
+      prodUrlValue: () => clack2.text({ message: "Production URL (https://...) \u2014 blank to set later", initialValue: "" })
+    },
+    {
+      onCancel: () => {
+        process.stderr.write("Cancelled.\n");
+        process.exit(0);
+      }
+    }
+  );
+  const projectSlug = String(answers.projectSlug);
+  const workingDirectory = String(answers.workingDirectory) || ".";
+  return {
+    stack: detected.stack,
+    host: "railway",
+    projectSlug,
+    runtimeVersion: String(answers.runtimeVersion),
+    sourceDirs: String(answers.sourceDirs),
+    workingDirectory,
+    prodUrlSecretName: String(answers.prodUrlSecretName),
+    prodUrlValue: String(answers.prodUrlValue ?? "")
+  };
+}
+var NODE_PATHS_IGNORE = [
+  "SDLC/**",
+  "compliance/**",
+  "*.md",
+  ".cursorrules",
+  ".windsurfrules",
+  "sdlc-config.json",
+  "scripts/upload-evidence.sh",
+  "scripts/validate-compliance-artifacts.sh",
+  "scripts/validate-commits.sh",
+  "scripts/check-requirement-jsdoc.sh"
+];
+var PYTHON_PATHS_IGNORE = [
+  "SDLC/**",
+  "compliance/**",
+  "*.md",
+  ".cursorrules",
+  ".windsurfrules",
+  "sdlc-config.json"
+];
+async function writeSdlcConfig(ctx, plan) {
+  const runtimeKey = plan.stack === "node" ? "node_version" : "python_version";
+  const pathsIgnore = plan.stack === "node" ? NODE_PATHS_IGNORE : PYTHON_PATHS_IGNORE;
+  const existing = await readSdlcConfig(ctx.projectPath) ?? null;
+  const defaultedIfNew = {
+    runner: "ubuntu-latest",
+    sast_baseline: 0,
+    accepted_dep_risks: "",
+    database_service: "",
+    database_image: "",
+    database_port: "",
+    database_env: {},
+    app_env: {},
+    build_env: {},
+    e2e_project: "",
+    e2e_start_command: "",
+    paths_ignore: pathsIgnore,
+    uat: { enabled: false, url: "", required_risk_classes: ["payment", "destructive_migration", "realtime"] },
+    approval: { mode: "dual_actor", auto_low_risk_threshold: "LOW" },
+    production_review: { enabled: true, terminal_status: "prod_review" }
+  };
+  const wizardOwned = {
+    stack: plan.stack,
+    host: plan.host,
+    project_slug: plan.projectSlug,
+    production_url_secret: plan.prodUrlSecretName,
+    [runtimeKey]: plan.runtimeVersion,
+    working_directory: plan.workingDirectory,
+    source_dirs: plan.sourceDirs,
+    devaudit: {
+      base_url: ctx.baseUrl,
+      project_slug: plan.projectSlug,
+      api_key_secret: "DEVAUDIT_API_KEY"
+    }
+  };
+  const config = {
+    ...defaultedIfNew,
+    ...existing ?? {},
+    ...wizardOwned
+  };
+  const outPath = join(ctx.projectPath, "sdlc-config.json");
+  if (ctx.dryRun) {
+    const preserved = existing ? `preserves existing customizations (${Object.keys(existing).filter((k) => !(k in wizardOwned)).length} non-wizard fields)` : "fresh config";
+    return {
+      step: "4/11 Write sdlc-config.json",
+      status: "planned",
+      message: `would write ${outPath} (stack=${plan.stack}, slug=${plan.projectSlug}) \u2014 ${preserved}`
+    };
+  }
+  await promises.writeFile(outPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  return { step: "4/11 Write sdlc-config.json", status: "ok", message: `wrote ${outPath}` };
+}
+
+// src/install/project.ts
+async function findOrCreateProject(ctx, plan) {
+  if (ctx.dryRun) {
+    return {
+      step: "5/11 Find or create DevAudit project",
+      status: "planned",
+      message: `would create or find project slug='${plan.projectSlug}' on ${ctx.baseUrl}`
+    };
+  }
+  const client = new DevAuditClient({ token: ctx.token, baseUrl: ctx.baseUrl });
+  const existing = await client.getProjectBySlug(plan.projectSlug);
+  if (existing) {
+    plan.projectId = existing.id;
+    return {
+      step: "5/11 Find or create DevAudit project",
+      status: "ok",
+      message: `project '${plan.projectSlug}' already exists (id ${existing.id.slice(0, 8)}\u2026) \u2014 skipping creation`,
+      data: { projectId: existing.id, created: false }
+    };
+  }
+  const created = await client.createProject(plan.projectSlug, plan.projectSlug);
+  plan.projectId = created.id;
+  return {
+    step: "5/11 Find or create DevAudit project",
+    status: "ok",
+    message: `project '${plan.projectSlug}' created (id ${created.id.slice(0, 8)}\u2026)`,
+    data: { projectId: created.id, created: true }
+  };
+}
+
+// src/install/api-key.ts
+var KEY_NAME = "Onboarding-issued";
+async function issueApiKey(ctx, plan) {
+  if (ctx.dryRun) {
+    return {
+      step: "6/11 Issue project API key",
+      status: "planned",
+      message: `would issue API key named '${KEY_NAME}' on project '${plan.projectSlug}' (if not already present)`
+    };
+  }
+  if (!plan.projectId) {
+    throw new Error("projectId missing from plan \u2014 step 5 must run before step 6.");
+  }
+  const client = new DevAuditClient({ token: ctx.token, baseUrl: ctx.baseUrl });
+  const existing = await client.listApiKeys(plan.projectId);
+  const live = existing.find((k) => k.name === KEY_NAME && k.revoked_at === null);
+  if (live) {
+    return {
+      step: "6/11 Issue project API key",
+      status: "warn",
+      message: `'${KEY_NAME}' API key already exists \u2014 revoke it in the portal and re-run, or set DEVAUDIT_API_KEY manually`
+    };
+  }
+  const issued = await client.issueApiKey(plan.projectId, KEY_NAME);
+  plan.apiKey = issued.plainTextKey;
+  return {
+    step: "6/11 Issue project API key",
+    status: "ok",
+    message: `issued (will be stored as repo secret DEVAUDIT_API_KEY)`
+  };
+}
+
+// src/install/github.ts
+function buildOperations(ctx, plan) {
+  const operations = [];
+  if (plan.apiKey) operations.push({ kind: "secret", name: "DEVAUDIT_API_KEY", value: plan.apiKey });
+  operations.push({ kind: "secret", name: "DEVAUDIT_USER_TOKEN", value: ctx.token });
+  if (plan.prodUrlValue) {
+    operations.push({ kind: "secret", name: plan.prodUrlSecretName, value: plan.prodUrlValue });
+  }
+  operations.push({ kind: "variable", name: "DEVAUDIT_BASE_URL", value: ctx.baseUrl });
+  return operations;
+}
+function buildSkipped(plan) {
+  const skipped = [];
+  if (!plan.apiKey) skipped.push("DEVAUDIT_API_KEY (no new key issued)");
+  if (!plan.prodUrlValue) skipped.push(`${plan.prodUrlSecretName} (no value provided)`);
+  return skipped;
+}
+async function setGithubSecrets(ctx, plan, provider) {
+  const operations = buildOperations(ctx, plan);
+  if (ctx.dryRun) {
+    const summary = operations.map((op) => `${op.kind}:${op.name}`).join(", ");
+    return {
+      step: "7/11 Set GitHub secrets and variables",
+      status: "planned",
+      message: `would set ${summary} via ${provider.name} provider`
+    };
+  }
+  for (const op of operations) {
+    if (op.kind === "secret") {
+      await provider.setSecret(ctx.projectPath, op.name, op.value);
+    } else {
+      await provider.setVariable(ctx.projectPath, op.name, op.value);
+    }
+  }
+  const skipped = buildSkipped(plan);
+  const detail = `${operations.length} item(s) set${skipped.length > 0 ? ` (skipped: ${skipped.join("; ")})` : ""}`;
+  return { step: "7/11 Set GitHub secrets and variables", status: "ok", message: detail };
+}
+async function commandExists(cmd) {
+  try {
+    await execa(process.platform === "win32" ? "where" : "which", [cmd]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function dirExists(path) {
+  try {
+    const s = await promises.stat(path);
+    return s.isDirectory();
+  } catch {
+    return false;
+  }
+}
+async function bootstrapHooks(ctx, plan) {
+  if (ctx.dryRun) {
+    const action = plan.stack === "python" ? "pre-commit install" : "npx husky init";
+    return {
+      step: "8/11 Bootstrap hook framework",
+      status: "planned",
+      message: `would run \`${action}\` in ${ctx.projectPath}`
+    };
+  }
+  if (plan.stack === "python") return bootstrapPython(ctx);
+  return bootstrapNode(ctx);
+}
+async function bootstrapPython(ctx) {
+  if (!await commandExists("pre-commit")) {
+    return {
+      step: "8/11 Bootstrap hook framework",
+      status: "warn",
+      message: "pre-commit not on PATH \u2014 run `pip install pre-commit && pre-commit install` manually"
+    };
+  }
+  await execa("pre-commit", ["install"], { cwd: ctx.projectPath, stdio: "inherit" });
+  await execa("pre-commit", ["install", "--hook-type", "commit-msg"], { cwd: ctx.projectPath, stdio: "inherit" });
+  return { step: "8/11 Bootstrap hook framework", status: "ok", message: "pre-commit hooks installed" };
+}
+async function bootstrapNode(ctx) {
+  const huskyDir = join(ctx.projectPath, ".husky");
+  if (await dirExists(huskyDir)) {
+    return { step: "8/11 Bootstrap hook framework", status: "ok", message: ".husky/ already exists" };
+  }
+  if (!await commandExists("npx")) {
+    return {
+      step: "8/11 Bootstrap hook framework",
+      status: "warn",
+      message: "npx not on PATH \u2014 run `npx husky init` manually"
+    };
+  }
+  await execa("npx", ["husky", "init"], { cwd: ctx.projectPath, stdio: "inherit" });
+  return { step: "8/11 Bootstrap hook framework", status: "ok", message: ".husky/ bootstrapped" };
+}
+
+// src/install/branch-protection.ts
+var REQUIRED_CHECKS = [
+  "Compliance Validation",
+  "DevAudit Release Approval",
+  "Quality Gates"
+];
+async function configureBranchProtection(ctx, provider) {
+  let meta;
+  try {
+    meta = await provider.getRepoMeta(ctx.projectPath);
+  } catch (err) {
+    return {
+      step: "9/11 Configure branch protection",
+      status: "warn",
+      message: `could not resolve git repo (${err.message}) \u2014 configure manually`
+    };
+  }
+  const repo = `${meta.owner}/${meta.name}`;
+  if (ctx.dryRun) {
+    return {
+      step: "9/11 Configure branch protection",
+      status: "planned",
+      message: `would apply branch protection on ${repo}:${meta.defaultBranch} with checks=${JSON.stringify(REQUIRED_CHECKS)}`
+    };
+  }
+  const result = await provider.applyBranchProtection(ctx.projectPath, meta.defaultBranch, REQUIRED_CHECKS);
+  if (result.applied) {
+    return {
+      step: "9/11 Configure branch protection",
+      status: "ok",
+      message: `required checks on ${meta.defaultBranch}: ${REQUIRED_CHECKS.join(", ")}`
+    };
+  }
+  return {
+    step: "9/11 Configure branch protection",
+    status: "warn",
+    message: `${result.message ?? "branch-protection apply failed"} \u2014 configure manually`
+  };
+}
+async function loadStackAdapter(installerRoot, stack) {
+  const path = join(installerRoot, "sdlc", "files", "stacks", stack, "adapter.json");
+  const raw = await promises.readFile(path, "utf-8");
+  return JSON.parse(raw);
+}
+async function listStacks(installerRoot) {
+  const dir = join(installerRoot, "sdlc", "files", "stacks");
+  const entries = await promises.readdir(dir, { withFileTypes: true });
+  return entries.filter((e) => e.isDirectory() && !e.name.startsWith("_")).map((e) => e.name);
+}
+async function listHosts(installerRoot) {
+  const dir = join(installerRoot, "sdlc", "files", "hosts");
+  const entries = await promises.readdir(dir, { withFileTypes: true });
+  return entries.filter((e) => e.isDirectory() && !e.name.startsWith("_")).map((e) => e.name);
+}
+
+// src/update/resolve-adapters.ts
+async function resolveAdapters(projectPath, installerRoot) {
+  const configPath = join(projectPath, "sdlc-config.json");
+  let stack = "node";
+  let host = "railway";
+  let deprecatedDefaults = false;
+  if (await exists(configPath)) {
+    const raw = await promises.readFile(configPath, "utf-8");
+    const cfg = JSON.parse(raw);
+    if (cfg.stack) {
+      stack = cfg.stack;
+    } else {
+      deprecatedDefaults = true;
+    }
+    if (cfg.host) {
+      host = cfg.host;
+    } else {
+      deprecatedDefaults = true;
+    }
+  } else {
+    deprecatedDefaults = true;
+  }
+  const stackPath = join(installerRoot, "sdlc", "files", "stacks", stack, "adapter.json");
+  if (!await exists(stackPath)) {
+    const available = await listStacks(installerRoot);
+    throw new Error(`stack adapter not found: stacks/${stack}/adapter.json. Available: ${available.join(", ")}`);
+  }
+  const hostPath = join(installerRoot, "sdlc", "files", "hosts", host, "adapter.json");
+  if (!await exists(hostPath)) {
+    const available = await listHosts(installerRoot);
+    throw new Error(`host adapter not found: hosts/${host}/adapter.json. Available: ${available.join(", ")}`);
+  }
+  return { stack, host, deprecatedDefaults };
+}
+async function syncStageDocs(ctx) {
+  const sdlcTarget = join(ctx.projectPath, "SDLC");
+  await ensureDir(sdlcTarget);
+  const commonDir = join(ctx.installerRoot, "sdlc", "files", "_common");
+  const mdFiles = await listFiles(commonDir, (n) => n.endsWith(".md"));
+  for (const src of mdFiles) {
+    await copyFile(src, join(sdlcTarget, fileBasename(src)));
+  }
+  return {
+    name: "_common docs",
+    filesSynced: mdFiles.length,
+    message: "synced to SDLC/"
+  };
+}
+var CURSOR_POINTER = `# Cursor Rules
+
+All project rules, architectural standards, and development workflows are consolidated in:
+\u{1F449} **[INSTRUCTIONS.md](./INSTRUCTIONS.md)**
+
+Please refer to \`INSTRUCTIONS.md\` as the **Single Source of Truth** for all development standards in this repository.
+`;
+var WINDSURF_POINTER = `# Windsurf Rules
+
+All project rules, architectural standards, and development workflows are consolidated in:
+\u{1F449} **[INSTRUCTIONS.md](./INSTRUCTIONS.md)**
+
+Please refer to \`INSTRUCTIONS.md\` as the **Single Source of Truth** for all development standards in this repository.
+`;
+var GEMINI_POINTER = `# GEMINI.md
+
+This file provides guidance to Gemini CLI when working in this repository.
+
+## Context
+
+**Project Standards:** See **[./INSTRUCTIONS.md](./INSTRUCTIONS.md)** for project rules, architecture, and development standards.
+
+Please adhere to the instructions in \`INSTRUCTIONS.md\` as the **Single Source of Truth**.
+`;
+var CLAUDE_POINTER_TAIL = `
+## Project Standards
+
+All project rules, architectural standards, and development workflows are consolidated in:
+\u{1F449} **[INSTRUCTIONS.md](./INSTRUCTIONS.md)**
+
+Please refer to \`INSTRUCTIONS.md\` as the **Single Source of Truth** for:
+- Tech Stack & Architecture
+- Code Style & Formatting
+- Security & Compliance
+- SDLC Development Process & Quality Gates
+`;
+var CLAUDE_NEW = `# CLAUDE.md
+
+This file provides guidance to Claude Code when working in this repository.
+${CLAUDE_POINTER_TAIL}`;
+var SDLC_HEADER = "## SDLC Compliance Process (MANDATORY)";
+async function writePointerFile(path, content) {
+  await promises.writeFile(path, content);
+}
+async function updateClaudeFile(target) {
+  if (!await exists(target)) {
+    await promises.writeFile(target, CLAUDE_NEW);
+    return;
+  }
+  let body = await promises.readFile(target, "utf-8");
+  const sdlcIdx = body.indexOf(SDLC_HEADER);
+  if (sdlcIdx >= 0) {
+    body = body.slice(0, sdlcIdx).trimEnd() + "\n";
+  }
+  if (!body.includes("INSTRUCTIONS.md")) {
+    body = body.trimEnd() + "\n" + CLAUDE_POINTER_TAIL;
+  }
+  await promises.writeFile(target, body);
+}
+async function updateInstructionsFile(target, sdlcContent) {
+  if (!await exists(target)) {
+    const body = "# Project Instructions & Standards (Single Source of Truth)\n\nThis document serves as the primary reference for all development in this repository.\n\n" + sdlcContent;
+    await promises.writeFile(target, body);
+    return;
+  }
+  let existing = await promises.readFile(target, "utf-8");
+  const sdlcIdx = existing.indexOf(SDLC_HEADER);
+  if (sdlcIdx >= 0) {
+    existing = existing.slice(0, sdlcIdx).replace(/\n*$/u, "\n");
+  } else {
+    existing = existing.replace(/\n*$/u, "\n");
+  }
+  const next = existing + "\n" + sdlcContent;
+  await promises.writeFile(target, next);
+}
+async function syncAiRules(ctx) {
+  const sdlcSource = join(ctx.installerRoot, "sdlc", "ai-rules", "INSTRUCTIONS-SDLC.md");
+  if (!await exists(sdlcSource)) {
+    return { name: "AI rule pointers + INSTRUCTIONS.md", filesSynced: 0, skipped: true, message: "INSTRUCTIONS-SDLC.md not found" };
+  }
+  const sdlcContent = await promises.readFile(sdlcSource, "utf-8");
+  await writePointerFile(join(ctx.projectPath, ".cursorrules"), CURSOR_POINTER);
+  await writePointerFile(join(ctx.projectPath, ".windsurfrules"), WINDSURF_POINTER);
+  await writePointerFile(join(ctx.projectPath, "GEMINI.md"), GEMINI_POINTER);
+  await updateClaudeFile(join(ctx.projectPath, "CLAUDE.md"));
+  await updateInstructionsFile(join(ctx.projectPath, "INSTRUCTIONS.md"), sdlcContent);
+  return { name: "AI rule pointers + INSTRUCTIONS.md", filesSynced: 5, message: "synced" };
+}
+async function syncStackHooks(ctx) {
+  const adapter = await loadStackAdapter(ctx.installerRoot, ctx.stack);
+  const hookInstallDir = adapter.hook_install_dir ?? "";
+  if (!hookInstallDir) {
+    return { name: `${ctx.stack} hooks`, filesSynced: 0, skipped: true, message: "no hook_install_dir declared" };
+  }
+  const targetDir = join(ctx.projectPath, hookInstallDir);
+  if (!await isDir(targetDir)) {
+    return {
+      name: `${ctx.stack} hooks`,
+      filesSynced: 0,
+      skipped: true,
+      message: `${hookInstallDir}/ not found \u2014 bootstrap hook framework first`
+    };
+  }
+  const stackHooksDir = join(ctx.installerRoot, "sdlc", "files", "stacks", ctx.stack, "hooks");
+  if (!await isDir(stackHooksDir)) {
+    return { name: `${ctx.stack} hooks`, filesSynced: 0, skipped: true, message: "stack has no hooks/" };
+  }
+  let count = 0;
+  for (const hook of adapter.hooks ?? []) {
+    const src = join(stackHooksDir, hook);
+    if (await exists(src)) {
+      const dst = join(targetDir, hook);
+      await copyFile(src, dst, 493);
+      count += 1;
+    }
+  }
+  for (const cfg of adapter.hook_config_files ?? []) {
+    const src = join(stackHooksDir, cfg);
+    if (await exists(src)) {
+      const dst = join(ctx.projectPath, cfg);
+      await copyFile(src, dst);
+      count += 1;
+    }
+  }
+  return { name: `${ctx.stack} hooks`, filesSynced: count, message: `synced to ${hookInstallDir}/` };
+}
+async function syncStackDeps(ctx) {
+  if (ctx.stack !== "node") {
+    return { name: `${ctx.stack} deps`, filesSynced: 0, skipped: true };
+  }
+  const pkgPath = join(ctx.projectPath, "package.json");
+  if (!await exists(pkgPath)) {
+    return { name: `${ctx.stack} deps`, filesSynced: 0, skipped: true, message: "no package.json" };
+  }
+  const adapter = await loadStackAdapter(ctx.installerRoot, ctx.stack);
+  const required = adapter.required_dev_dependencies ?? [];
+  if (required.length === 0) {
+    return { name: `${ctx.stack} deps`, filesSynced: 0, message: "no required_dev_dependencies declared" };
+  }
+  const raw = await promises.readFile(pkgPath, "utf-8");
+  const pkg = JSON.parse(raw);
+  const installed = new Set(Object.keys(pkg.devDependencies ?? {}));
+  const missing = required.filter((dep) => !installed.has(dep));
+  if (missing.length === 0) {
+    return { name: `${ctx.stack} deps`, filesSynced: 0, message: "all present" };
+  }
+  const args = ["install", "--save-dev", ...missing];
+  const first = await execa("npm", args, { cwd: ctx.projectPath, reject: false, stdio: "inherit" });
+  if (first.exitCode === 0) {
+    return { name: `${ctx.stack} deps`, filesSynced: missing.length, message: `installed ${missing.join(" ")}` };
+  }
+  const legacyArgs = ["install", "--save-dev", "--legacy-peer-deps", ...missing];
+  const second = await execa("npm", legacyArgs, { cwd: ctx.projectPath, reject: false, stdio: "inherit" });
+  if (second.exitCode === 0) {
+    return {
+      name: `${ctx.stack} deps`,
+      filesSynced: missing.length,
+      message: `installed ${missing.join(" ")} (with --legacy-peer-deps)`
+    };
+  }
+  throw new Error(
+    `Failed to install ${ctx.stack} deps. Fix manually: cd ${ctx.projectPath} && npm install --save-dev ${missing.join(" ")}`
+  );
+}
+function isTestScript(name) {
+  return name.endsWith(".test.sh");
+}
+async function syncScripts(ctx) {
+  const scriptsDst = join(ctx.projectPath, "scripts");
+  if (!await isDir(scriptsDst)) {
+    return { name: "scripts", filesSynced: 0, skipped: true, message: "scripts/ not found" };
+  }
+  let count = 0;
+  const commonScriptsSrc = join(ctx.installerRoot, "sdlc", "files", "_common", "scripts");
+  if (await isDir(commonScriptsSrc)) {
+    const candidates = await listFiles(commonScriptsSrc, (n) => n.endsWith(".sh") && !isTestScript(n));
+    for (const src of candidates) {
+      await copyFile(src, join(scriptsDst, fileBasename(src)), 493);
+      count += 1;
+    }
+  }
+  const adapter = await loadStackAdapter(ctx.installerRoot, ctx.stack);
+  const stackScriptsSrc = join(ctx.installerRoot, "sdlc", "files", "stacks", ctx.stack, "scripts");
+  if (await isDir(stackScriptsSrc) && adapter.stack_scripts) {
+    for (const scriptName of adapter.stack_scripts) {
+      const src = join(stackScriptsSrc, scriptName);
+      if (await exists(src)) {
+        await copyFile(src, join(scriptsDst, scriptName), 493);
+        count += 1;
+      }
+    }
+  }
+  const uploadEvidence2 = join(ctx.installerRoot, "scripts", "upload-evidence.sh");
+  if (await exists(uploadEvidence2)) {
+    await copyFile(uploadEvidence2, join(scriptsDst, "upload-evidence.sh"), 493);
+    count += 1;
+  }
+  return { name: "scripts", filesSynced: count, message: "synced to scripts/" };
+}
+async function syncIssueTemplates(ctx) {
+  const src = join(ctx.installerRoot, "sdlc", "files", "_common", "github", "ISSUE_TEMPLATE");
+  if (!await isDir(src)) {
+    return { name: "Issue templates", filesSynced: 0, skipped: true };
+  }
+  const dst = join(ctx.projectPath, ".github", "ISSUE_TEMPLATE");
+  await ensureDir(dst);
+  const files = await listFiles(src, (n) => n.endsWith(".yml"));
+  for (const file of files) {
+    await copyFile(file, join(dst, fileBasename(file)));
+  }
+  return { name: "Issue templates", filesSynced: files.length, message: "synced to .github/ISSUE_TEMPLATE/" };
+}
+async function syncSkills(ctx) {
+  const skillDst = join(ctx.projectPath, ".claude", "skills");
+  const commonSkills = join(ctx.installerRoot, "sdlc", "files", "_common", "skills");
+  const stackSkills = join(ctx.installerRoot, "sdlc", "files", "stacks", ctx.stack, "skills");
+  await ensureDir(skillDst);
+  let count = 0;
+  for (const src of [commonSkills, stackSkills]) {
+    if (!await isDir(src)) continue;
+    const entries = await promises.readdir(src, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isDirectory()) continue;
+      if (entry.name.startsWith("_")) continue;
+      const skillSrc = join(src, entry.name);
+      const skillDstDir = join(skillDst, entry.name);
+      await copyDir(skillSrc, skillDstDir, true);
+      count += 1;
+    }
+  }
+  if (count === 0) {
+    return { name: "Claude Code skills", filesSynced: 0, skipped: true };
+  }
+  return { name: "Claude Code skills", filesSynced: count, message: `${count} synced to .claude/skills/` };
+}
+async function syncEvidenceHelper(ctx) {
+  if (ctx.stack !== "node") {
+    return { name: "E2E evidence helper", filesSynced: 0, skipped: true };
+  }
+  const src = join(
+    ctx.installerRoot,
+    "sdlc",
+    "files",
+    "_common",
+    "skills",
+    "e2e-test-engineer",
+    "references",
+    "evidence.ts"
+  );
+  if (!await exists(src)) {
+    return { name: "E2E evidence helper", filesSynced: 0, skipped: true, message: "source not found" };
+  }
+  const dst = join(ctx.projectPath, "e2e", "helpers", "evidence.ts");
+  await copyFile(src, dst);
+  return { name: "E2E evidence helper", filesSynced: 1, message: "synced to e2e/helpers/evidence.ts" };
+}
+
+// src/lib/templates.ts
+function substituteTokens(content, tokens) {
+  let out = content;
+  for (const [key, value] of Object.entries(tokens)) {
+    const needle = `{{${key}}}`;
+    out = out.split(needle).join(value);
+  }
+  return out;
+}
+function substituteBlocks(content, blocks) {
+  if (Object.keys(blocks).length === 0) return content;
+  Object.keys(blocks).map((k) => `{{${k}}}`);
+  return content.split("\n").map((line) => {
+    for (const [key, replacement] of Object.entries(blocks)) {
+      const needle = `{{${key}}}`;
+      if (line.includes(needle)) return replacement;
+    }
+    return line;
+  }).join("\n");
+}
+function stripServicesBlock(content) {
+  const lines = content.split("\n");
+  const out = [];
+  let inServices = false;
+  for (const line of lines) {
+    if (!inServices && /^ {4}services:\s*$/.test(line)) {
+      inServices = true;
+      continue;
+    }
+    if (inServices) {
+      if (line.trim() === "") {
+        inServices = false;
+        continue;
+      }
+      continue;
+    }
+    out.push(line);
+  }
+  return out.join("\n");
+}
+
+// src/update/ci-templates.ts
+var CI_TEMPLATES = [
+  "ci.yml.template",
+  "ci-status-fallback.yml.template",
+  "compliance-validation.yml.template",
+  "check-release-approval.yml.template",
+  "post-deploy-prod.yml.template",
+  "compliance-evidence.yml.template"
+];
+var OLD_WORKFLOWS_TO_REMOVE = ["test-on-pr.yml", "check-uat-approval.yml"];
+function indentEnvBlock(env, indent) {
+  const pad = " ".repeat(indent);
+  return Object.entries(env).map(([k, v]) => `${pad}${k}: ${v}`).join("\n");
+}
+function buildDbUriStep(dbService, dbPort) {
+  if (dbService !== "mongodb") return "";
+  return [
+    "      - name: Set database URI from dynamic port",
+    "        run: |",
+    `          DB_PORT="\${{ job.services.${dbService}.ports['${dbPort}'] }}"`,
+    '          echo "MONGODB_WAWAGARDENBAR_APP_URI=mongodb://localhost:${DB_PORT}" >> "$GITHUB_ENV"',
+    '          echo "Database on port: ${DB_PORT}"'
+  ].join("\n");
+}
+async function syncCiTemplates(ctx) {
+  const configPath = join(ctx.projectPath, "sdlc-config.json");
+  const workflowsDir = join(ctx.projectPath, ".github", "workflows");
+  if (!await exists(configPath)) {
+    return { name: "CI workflows", filesSynced: 0, skipped: true, message: "no sdlc-config.json" };
+  }
+  if (!await isDir(workflowsDir)) {
+    return { name: "CI workflows", filesSynced: 0, skipped: true, message: ".github/workflows/ not found" };
+  }
+  await ensureDir(workflowsDir);
+  const cfg = JSON.parse(await promises.readFile(configPath, "utf-8"));
+  for (const oldName of OLD_WORKFLOWS_TO_REMOVE) {
+    const oldPath = join(workflowsDir, oldName);
+    if (await exists(oldPath)) await promises.rm(oldPath);
+  }
+  const workingDirectory = cfg.working_directory && cfg.working_directory !== "." ? cfg.working_directory : "";
+  const workingDirPrefix = workingDirectory ? `${workingDirectory.replace(/\/$/, "")}/` : "";
+  const tokens = {
+    PROJECT_SLUG: cfg.project_slug,
+    PRODUCTION_URL_SECRET: cfg.production_url_secret,
+    NODE_VERSION: String(cfg.node_version ?? ""),
+    PYTHON_VERSION: String(cfg.python_version ?? ""),
+    WORKING_DIRECTORY: workingDirectory || ".",
+    WORKING_DIR_PREFIX: workingDirPrefix,
+    RUNNER: cfg.runner,
+    SOURCE_DIRS: cfg.source_dirs,
+    SAST_BASELINE: String(cfg.sast_baseline),
+    ACCEPTED_DEP_RISKS: cfg.accepted_dep_risks,
+    DATABASE_SERVICE: cfg.database_service,
+    DATABASE_IMAGE: cfg.database_image,
+    DATABASE_PORT: cfg.database_port,
+    E2E_PROJECT: cfg.e2e_project,
+    E2E_START_COMMAND: cfg.e2e_start_command
+  };
+  const pathsIgnoreBlock = (cfg.paths_ignore ?? []).map((p) => `      - '${p}'`).join("\n");
+  const blocks = {
+    PATHS_IGNORE: pathsIgnoreBlock,
+    DATABASE_ENV: cfg.database_env ? indentEnvBlock({ ...cfg.database_env }, 6) : "",
+    APP_ENV: cfg.app_env ? indentEnvBlock({ ...cfg.app_env }, 6) : "",
+    BUILD_ENV: cfg.build_env ? indentEnvBlock({ ...cfg.build_env }, 10) : "",
+    DATABASE_URI_STEP: buildDbUriStep(cfg.database_service, cfg.database_port)
+  };
+  let count = 0;
+  for (const tmpl of CI_TEMPLATES) {
+    const stackTmpl = join(ctx.installerRoot, "sdlc", "files", "ci", ctx.stack, tmpl);
+    const defaultTmpl = join(ctx.installerRoot, "sdlc", "files", "ci", tmpl);
+    let tmplPath;
+    if (await exists(stackTmpl)) {
+      tmplPath = stackTmpl;
+    } else if (await exists(defaultTmpl)) {
+      tmplPath = defaultTmpl;
+    } else {
+      continue;
+    }
+    const outputName = tmpl.replace(/\.template$/, "");
+    const outputPath = join(workflowsDir, outputName);
+    let content = await promises.readFile(tmplPath, "utf-8");
+    content = substituteTokens(content, tokens);
+    content = substituteBlocks(content, blocks);
+    if (!cfg.database_service) {
+      content = stripServicesBlock(content);
+    }
+    await promises.writeFile(outputPath, content);
+    count += 1;
+  }
+  return { name: "CI workflows", filesSynced: count, message: `${count} generated` };
+}
+var TIER_1_DOCS = ["Test_Policy.md", "Test_Strategy.md", "Test_Architecture.md"];
+async function runValidation(projectPath) {
+  const warnings = [];
+  const workflowsDir = join(projectPath, ".github", "workflows");
+  if (await isDir(workflowsDir)) {
+    const ymls = await listFiles(workflowsDir, (n) => n.endsWith(".yml"));
+    for (const wf of ymls) {
+      const content = await promises.readFile(wf, "utf-8");
+      const name = fileBasename(wf);
+      if (content.includes("push:") && !content.includes("pull_request:")) {
+        const dead = (content.match(/event_name.*pull_request/g) ?? []).length;
+        if (dead > 0) {
+          warnings.push(`${name} has ${dead} dead 'event_name == pull_request' condition(s) (push-only trigger)`);
+        }
+      }
+      if (/require.*package\.json.*version/i.test(content)) {
+        warnings.push(`${name} uses package.json for version (should be date-based)`);
+      }
+      if (content.includes("raw.githubusercontent.com/metasession-dev/devaudit")) {
+        warnings.push(`${name} downloads from DevAudit at runtime (should use local scripts)`);
+      }
+    }
+  }
+  const sdlcDir = join(projectPath, "SDLC");
+  if (await isDir(sdlcDir)) {
+    for (const doc of TIER_1_DOCS) {
+      if (!await exists(join(sdlcDir, doc))) {
+        warnings.push(`Missing Tier 1 doc: SDLC/${doc}`);
+      }
+    }
+  }
+  return warnings;
+}
+
+// src/update/index.ts
+var SECTION_RUNNERS = [
+  { key: "2a", run: syncStageDocs },
+  { key: "2b", run: syncAiRules },
+  { key: "2c", run: syncStackHooks },
+  { key: "2c-ii", run: syncStackDeps },
+  { key: "2d", run: syncScripts },
+  { key: "2e", run: syncIssueTemplates },
+  { key: "2e-ii", run: syncSkills },
+  { key: "2e-iii", run: syncEvidenceHelper },
+  { key: "2f", run: syncCiTemplates }
+];
+async function syncProject(projectPath) {
+  const absPath = resolve(projectPath);
+  if (!await isDir(absPath)) {
+    throw new Error(`Project path not found: ${absPath}`);
+  }
+  const installerRoot = await resolveInstallerRoot();
+  const log = logger();
+  const projectName = basename(absPath);
+  log.info(`--- Syncing to: ${projectName} (${absPath}) ---`);
+  const { stack, host, deprecatedDefaults } = await resolveAdapters(absPath, installerRoot);
+  log.info(`  Stack: ${stack} | Host: ${host}`);
+  if (deprecatedDefaults) {
+    log.warn(`  DEPRECATED: stack/host keys missing from sdlc-config.json \u2014 defaulted to ${stack}+${host}.`);
+  }
+  const ctx = { installerRoot, projectPath: absPath, projectName, stack, host };
+  const sections = [];
+  let total = 0;
+  for (const { key, run } of SECTION_RUNNERS) {
+    const result = await run(ctx);
+    sections.push(result);
+    total += result.filesSynced;
+    if (result.skipped) {
+      log.log(`  [${key}] ${result.name}: SKIPPED${result.message ? ` (${result.message})` : ""}`);
+    } else {
+      log.log(`  [${key}] ${result.name}: ${result.filesSynced} file(s)${result.message ? ` \u2014 ${result.message}` : ""}`);
+    }
+  }
+  log.log("");
+  log.info(`  Total: ${total} files synced`);
+  log.log("");
+  log.log("  --- Validation ---");
+  const warnings = await runValidation(absPath);
+  if (warnings.length === 0) {
+    log.success("  All validation checks passed");
+  } else {
+    for (const w of warnings) log.warn(`  ${w}`);
+  }
+  log.log("");
+  return { project: projectName, stack, host, sections, totalFilesSynced: total, warnings };
+}
+async function syncAll(projectPaths) {
+  const reports = [];
+  for (const p of projectPaths) {
+    try {
+      reports.push(await syncProject(p));
+    } catch (err) {
+      const log = logger();
+      log.error(`ERROR syncing ${p}: ${err instanceof Error ? err.message : String(err)}`);
+      throw err;
+    }
+  }
+  return reports;
+}
+
+// src/install/sync-templates.ts
+async function syncTemplates(ctx) {
+  if (ctx.dryRun) {
+    return {
+      step: "10/11 Sync SDLC templates",
+      status: "planned",
+      message: `would run native syncProject() against ${ctx.projectPath}`
+    };
+  }
+  const report = await syncProject(ctx.projectPath);
+  return {
+    step: "10/11 Sync SDLC templates",
+    status: "ok",
+    message: `synced ${report.totalFilesSynced} files across ${report.sections.length} sections`,
+    data: { totalFilesSynced: report.totalFilesSynced }
+  };
+}
+
+// src/install/done-report.ts
+function doneReport(ctx, plan) {
+  const branch = "feat/sdlc-onboarding";
+  const lines = [
+    "",
+    `  ${ctx.projectName} is onboarded.`,
+    "",
+    "  Next steps:",
+    `    cd ${ctx.projectPath}`,
+    "    git status                # review the diff",
+    `    git checkout -b ${branch}`,
+    "    git add -A",
+    `    git commit -m "feat: onboard ${plan.projectSlug} to Metasession SDLC"`,
+    `    git push -u origin ${branch}`,
+    "    gh pr create --base main",
+    "",
+    "  After the PR merges:",
+    "    - Push a compliance/ doc to develop so compliance-evidence.yml",
+    "      registers the first release in DevAudit.",
+    "    - Then walk REQ-001 through SDLC/0-project-setup.md \u2192 SDLC/5-deploy-main.md.",
+    ""
+  ];
+  return {
+    step: "11/11 Done",
+    status: "ok",
+    message: lines.join("\n"),
+    data: { nextBranch: branch }
+  };
+}
+
+// src/install/index.ts
+async function runInstall(options) {
+  const log = logger();
+  const projectPath = resolve(options.path ?? process.cwd());
+  if (!await isDir(projectPath)) {
+    throw new Error(`Project path not found: ${projectPath}`);
+  }
+  const projectName = basename(projectPath);
+  const auth = await resolveTokenForInstall(options);
+  const installerRoot = await resolveInstallerRoot();
+  const ctx = {
+    projectPath,
+    projectName,
+    installerRoot,
+    token: auth.token,
+    baseUrl: auth.baseUrl,
+    dryRun: Boolean(options.dryRun),
+    nonInteractive: Boolean(options.nonInteractive)
+  };
+  banner(ctx);
+  const steps = [];
+  steps.push(await record(log, runAuthProbe(ctx)));
+  const plugins = options.plugins ?? (await discoverPlugins()).loaded;
+  if (plugins.length > 0 && !ctx.dryRun) {
+    const pluginCtx = await buildPluginContext({ projectPath: ctx.projectPath });
+    await runHook(plugins, "beforeInstall", pluginCtx);
+  }
+  const { result: detectResult, detected } = await detectStack(ctx);
+  steps.push(await record(log, Promise.resolve(detectResult)));
+  const plan = await collectPlan(ctx, detected);
+  const planStep = planSummary(plan);
+  steps.push(planStep);
+  log.success(`[${planStep.step}] ${planStep.message ?? ""}`);
+  steps.push(await record(log, writeSdlcConfig(ctx, plan)));
+  steps.push(await record(log, findOrCreateProject(ctx, plan)));
+  steps.push(await record(log, issueApiKey(ctx, plan)));
+  const providerResolution = await resolveProvider(options, ctx);
+  if (providerResolution.provider) {
+    steps.push(await record(log, setGithubSecrets(ctx, plan, providerResolution.provider)));
+  } else {
+    const skipped = {
+      step: "7/11 Set GitHub secrets and variables",
+      status: "skipped",
+      message: providerResolution.reason ?? "no git provider available"
+    };
+    steps.push(skipped);
+    log.warn(`[${skipped.step}] SKIPPED ${skipped.message}`);
+  }
+  steps.push(await record(log, bootstrapHooks(ctx, plan)));
+  if (providerResolution.provider) {
+    steps.push(await record(log, configureBranchProtection(ctx, providerResolution.provider)));
+  } else {
+    const skipped = {
+      step: "9/11 Configure branch protection",
+      status: "skipped",
+      message: providerResolution.reason ?? "no git provider available"
+    };
+    steps.push(skipped);
+    log.warn(`[${skipped.step}] SKIPPED ${skipped.message}`);
+  }
+  steps.push(await record(log, syncTemplates(ctx)));
+  const done = doneReport(ctx, plan);
+  steps.push(done);
+  log.success(`[${done.step}]`);
+  log.log(done.message ?? "");
+  if (plugins.length > 0 && !ctx.dryRun) {
+    const pluginCtx = await buildPluginContext({ projectPath: ctx.projectPath });
+    await runHook(plugins, "afterInstall", pluginCtx);
+  }
+  return { project: projectName, projectPath, dryRun: ctx.dryRun, steps };
+}
+async function resolveProvider(options, ctx) {
+  if (options.provider) return { provider: options.provider };
+  try {
+    return { provider: await getGitProvider(ctx.projectPath) };
+  } catch (err) {
+    return { provider: null, reason: err.message };
+  }
+}
+async function resolveTokenForInstall(options) {
+  if (options.token) {
+    return { token: options.token, baseUrl: options.baseUrl ?? "https://devaudit.metasession.co" };
+  }
+  const resolved = await resolveToken();
+  if (!resolved) {
+    throw new Error(
+      "No DevAudit token found. Set DEVAUDIT_USER_TOKEN, pass --token, or run `devaudit auth login` first."
+    );
+  }
+  return { token: resolved.token, baseUrl: options.baseUrl ?? resolved.baseUrl };
+}
+async function record(log, p) {
+  const result = await p;
+  const tag = `[${result.step}]`;
+  const msg = result.message ?? "";
+  if (result.status === "ok") log.success(`${tag} ${msg}`);
+  else if (result.status === "warn") log.warn(`${tag} ${msg}`);
+  else if (result.status === "skipped") log.info(`${tag} SKIPPED ${msg}`);
+  else if (result.status === "planned") log.info(`${tag} [dry-run] ${msg}`);
+  else log.error(`${tag} ${msg}`);
+  return result;
+}
+function planSummary(plan) {
+  return {
+    step: "3/11 Configure",
+    status: "ok",
+    message: `slug=${plan.projectSlug} runtime=${plan.runtimeVersion}`,
+    data: { ...plan }
+  };
+}
+function banner(ctx) {
+  const log = logger();
+  log.log("");
+  log.info(`Metasession SDLC Onboarding`);
+  log.log(`  Consumer:  ${ctx.projectName}`);
+  log.log(`  Path:      ${ctx.projectPath}`);
+  log.log(`  DevAudit:  ${ctx.baseUrl}`);
+  if (ctx.dryRun) log.warn("  DRY RUN \u2014 no mutations will be performed");
+  log.log("");
+}
+
+// src/commands/install.ts
+async function runInstallCommand(options) {
+  const log = logger();
+  try {
+    await runInstall({
+      ...options.path !== void 0 ? { path: options.path } : {},
+      ...options.token !== void 0 ? { token: options.token } : {},
+      ...options.baseUrl !== void 0 ? { baseUrl: options.baseUrl } : {},
+      ...options.dryRun !== void 0 ? { dryRun: options.dryRun } : {},
+      ...options.yes !== void 0 ? { nonInteractive: options.yes } : {}
+    });
+  } catch (err) {
+    log.error(err.message);
+    process.exit(1);
+  }
+}
+
+// src/commands/update.ts
+async function runUpdate(options) {
+  const log = logger();
+  if (options.version) {
+    log.info(`Version (informational, no tag created): ${options.version}`);
+  }
+  if (options.paths.length === 0) {
+    log.error("No project paths provided. Usage: devaudit update <version> <path> [path...]");
+    process.exit(2);
+  }
+  const plugins = options.plugins ?? (await discoverPlugins()).loaded;
+  for (const projectPath of options.paths) {
+    if (plugins.length > 0) {
+      const ctx = await buildPluginContext({ projectPath });
+      await runHook(plugins, "beforeSync", ctx);
+    }
+  }
+  await syncAll(options.paths);
+  for (const projectPath of options.paths) {
+    if (plugins.length > 0) {
+      const ctx = await buildPluginContext({ projectPath });
+      await runHook(plugins, "afterSync", ctx);
+    }
+  }
+  log.success("=== Sync Complete ===");
+  log.log("");
+  log.log("Next steps for each consuming project:");
+  log.log("  1. cd into the project directory");
+  log.log("  2. Review the diff: git diff");
+  log.log("  3. Commit: git add -A && git commit -m 'chore: sync SDLC templates from DevAudit'");
+  log.log("  4. Push to develop");
+  log.log("");
+  log.warn("Do NOT auto-commit \u2014 review the changes first.");
+}
+
+// src/commands/stub.ts
+function makeStub(info) {
+  return async () => {
+    const log = logger();
+    log.warn(`\`devaudit ${info.command}\` is not implemented yet.`);
+    log.info(info.summary);
+    if (info.trackedIn) {
+      log.info(`Tracked in: ${info.trackedIn}`);
+    }
+    log.info("See ./docs/devaudit-cli/build-plan.md for the full implementation plan.");
+    process.exit(1);
+  };
+}
+
+// src/commands/plugin/list.ts
+async function runPluginList(opts = {}) {
+  const log = logger();
+  const root = opts.root ?? PLUGINS_DIR;
+  const result = await discoverPlugins(root);
+  log.info(`Plugin directory: ${root}`);
+  if (result.loaded.length === 0 && result.failures.length === 0) {
+    log.log("  (no plugins installed)");
+    return;
+  }
+  if (result.loaded.length > 0) {
+    log.log("");
+    log.log("Loaded:");
+    for (const p of result.loaded) {
+      const hooks = Object.keys(p.plugin.hooks ?? {});
+      const commands = Object.keys(p.plugin.commands ?? {});
+      const detail = [
+        `${p.packageName}@${p.packageVersion}`,
+        hooks.length > 0 ? `hooks=[${hooks.join(",")}]` : "hooks=[]",
+        commands.length > 0 ? `commands=[${commands.join(",")}]` : "commands=[]"
+      ].join(" ");
+      log.log(`  \u2713 ${detail}`);
+    }
+  }
+  if (result.failures.length > 0) {
+    log.log("");
+    log.warn("Failed to load:");
+    for (const f of result.failures) {
+      log.log(`  \u2717 ${f.dir} \u2014 ${f.reason}`);
+    }
+  }
+}
+function deriveDirName(source) {
+  const last = source.split("/").pop() ?? source;
+  return last.replace(/\.git$/, "");
+}
+async function pathExists(path) {
+  try {
+    await promises.access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function runPluginInstall(opts) {
+  const log = logger();
+  const root = opts.root ?? PLUGINS_DIR;
+  const dirName = deriveDirName(opts.source);
+  if (!dirName) {
+    log.error(`Could not derive a directory name from source: ${opts.source}`);
+    process.exit(2);
+  }
+  await promises.mkdir(root, { recursive: true });
+  const target = join(root, dirName);
+  if (await pathExists(target)) {
+    log.error(`Plugin directory already exists: ${target}. Run \`devaudit plugin remove ${dirName}\` first.`);
+    process.exit(2);
+  }
+  log.info(`Cloning ${opts.source} \u2192 ${target}`);
+  try {
+    await execa("git", ["clone", "--depth", "1", opts.source, target], { stdio: "inherit" });
+  } catch (err) {
+    log.error(`git clone failed: ${err.message}`);
+    process.exit(6);
+  }
+  if (await pathExists(join(target, "package.json"))) {
+    log.info("Installing plugin dependencies...");
+    const install = await execa("npm", ["install", "--legacy-peer-deps"], {
+      cwd: target,
+      stdio: "inherit",
+      reject: false
+    });
+    if (install.exitCode !== 0) {
+      log.error("npm install failed \u2014 leaving the plugin dir in place for inspection.");
+      process.exit(5);
+    }
+  }
+  log.info("Validating plugin manifest...");
+  try {
+    const loaded = await loadPluginFromDir(target);
+    log.success(`Installed: ${loaded.packageName}@${loaded.packageVersion} at ${target}`);
+  } catch (err) {
+    log.error(`Plugin validation failed: ${err.message}`);
+    log.warn(`Removing ${target}`);
+    await promises.rm(target, { recursive: true, force: true });
+    process.exit(9);
+  }
+}
+async function runPluginRemove(opts) {
+  const log = logger();
+  const root = opts.root ?? PLUGINS_DIR;
+  const discovery = await discoverPlugins(root);
+  const candidates = [
+    ...discovery.loaded.map((p) => ({ packageName: p.packageName, dir: p.dir })),
+    ...discovery.failures.map((f) => ({ packageName: basename(f.dir), dir: f.dir }))
+  ];
+  const match = candidates.find((c) => c.packageName === opts.name || basename(c.dir) === opts.name);
+  if (!match) {
+    log.error(`No plugin found matching '${opts.name}'.`);
+    log.info("Run `devaudit plugin list` to see installed plugins.");
+    process.exit(2);
+    return;
+  }
+  await promises.rm(match.dir, { recursive: true, force: true });
+  log.success(`Removed plugin at ${match.dir}`);
+}
+async function pathExists2(path) {
+  try {
+    await promises.access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function updateOne(dir, packageName) {
+  if (!await pathExists2(join(dir, ".git"))) {
+    return { plugin: packageName, status: "not-git" };
+  }
+  const pull = await execa("git", ["pull", "--ff-only"], { cwd: dir, reject: false });
+  if (pull.exitCode !== 0) {
+    return { plugin: packageName, status: "failed", detail: pull.stderr.split("\n")[0] };
+  }
+  const noChanges = /Already up to date/i.test(pull.stdout);
+  if (await pathExists2(join(dir, "package.json"))) {
+    const install = await execa("npm", ["install", "--legacy-peer-deps"], {
+      cwd: dir,
+      reject: false
+    });
+    if (install.exitCode !== 0) {
+      return { plugin: packageName, status: "failed", detail: "npm install failed after pull" };
+    }
+  }
+  return { plugin: packageName, status: noChanges ? "no-changes" : "updated" };
+}
+async function runPluginUpdate(opts = {}) {
+  const log = logger();
+  const root = opts.root ?? PLUGINS_DIR;
+  const discovery = await discoverPlugins(root);
+  if (discovery.loaded.length === 0) {
+    log.info("No plugins installed.");
+    return;
+  }
+  log.info(`Updating ${discovery.loaded.length} plugin(s)...`);
+  const results = [];
+  for (const p of discovery.loaded) {
+    results.push(await updateOne(p.dir, p.packageName));
+  }
+  for (const r of results) {
+    if (r.status === "updated") log.success(`  \u2713 ${r.plugin} \u2014 updated`);
+    else if (r.status === "no-changes") log.log(`  \xB7 ${r.plugin} \u2014 already up to date`);
+    else if (r.status === "not-git") log.warn(`  \u26A0 ${r.plugin} \u2014 not a git checkout, skipped`);
+    else log.error(`  \u2717 ${r.plugin} \u2014 ${r.detail ?? "failed"}`);
+  }
+}
+
+// src/index.ts
+var TRACKING_ISSUE = "https://github.com/metasession-dev/DevAudit-Installer/issues/1";
+function applyCommonFlags(program) {
+  program.addOption(new Option("--json", "machine-readable output"));
+  program.addOption(new Option("-y, --yes", "accept all interactive defaults (CI-friendly)"));
+  program.addOption(new Option("--dry-run", "preview, don't mutate"));
+  program.addOption(new Option("-v, --verbose", "extra detail"));
+  program.addOption(new Option("--no-color", "strip ANSI"));
+  program.addOption(new Option("--org <slug>", "override active org context for this invocation"));
+  program.hook("preAction", (cmd) => {
+    const opts = cmd.optsWithGlobals();
+    configureLogger({
+      json: Boolean(opts.json),
+      verbose: Boolean(opts.verbose),
+      noColor: opts.color === false
+    });
+  });
+}
+async function main(argv) {
+  const program = new Command();
+  program.name("devaudit").description(
+    "DevAudit CLI \u2014 installs, syncs, and operates the Metasession SDLC across consumer projects."
+  ).version(CLI_VERSION, "-V, --version");
+  applyCommonFlags(program);
+  program.command("install [path]").description("Interactive onboarding for a consumer project (native TS implementation)").option("--token <token>", "PAT to use (otherwise reads DEVAUDIT_USER_TOKEN env or ~/.config/devaudit/auth.json)").option("--base-url <url>", "override portal URL (defaults to DEVAUDIT_BASE_URL env or production)").action(async (path, cmdOpts, cmd) => {
+    const globals = cmd.optsWithGlobals();
+    await runInstallCommand({
+      ...path !== void 0 ? { path } : {},
+      ...cmdOpts.token !== void 0 ? { token: cmdOpts.token } : {},
+      ...cmdOpts.baseUrl !== void 0 ? { baseUrl: cmdOpts.baseUrl } : {},
+      ...globals.dryRun !== void 0 ? { dryRun: Boolean(globals.dryRun) } : {},
+      ...globals.yes !== void 0 ? { yes: Boolean(globals.yes) } : {}
+    });
+  });
+  program.command("update <version> <paths...>").description("Sync framework templates into existing consumer(s) (native TS implementation)").action(async (version, paths2) => {
+    await runUpdate({ version, paths: paths2 });
+  });
+  program.command("push <project-slug> <requirement-id> <evidence-type> <file>").description("Upload evidence file(s) to DevAudit (port of scripts/upload-evidence.sh)").option("--release <version>", "release version (e.g. v1.0.0)").option("--create-release-if-missing", "auto-create the release as 'draft' if absent").option("--environment <env>", "uat | production").option("--category <cat>", "ci_pipeline | local_dev | planning | test_report | security_scan | release_artifact").option("--git-sha <sha>", "attached to metadata.gitSha").option("--ci-run-id <id>", "attached to metadata.ciRunId").option("--branch <name>", "attached to metadata.branch").option("--base-url <url>", "override portal URL (defaults to DEVAUDIT_BASE_URL env or production)").option("--api-key <key>", "override DEVAUDIT_API_KEY env var").action(
+    async (projectSlug, requirementId, evidenceType, file, opts, cmd) => {
+      const globals = cmd.optsWithGlobals();
+      await runPush({
+        projectSlug,
+        requirementId,
+        evidenceType,
+        filePath: file,
+        ...opts.release !== void 0 ? { release: opts.release } : {},
+        ...opts.createReleaseIfMissing !== void 0 ? { createReleaseIfMissing: opts.createReleaseIfMissing } : {},
+        ...opts.environment !== void 0 ? { environment: opts.environment } : {},
+        ...opts.category !== void 0 ? { category: opts.category } : {},
+        ...opts.gitSha !== void 0 ? { gitSha: opts.gitSha } : {},
+        ...opts.ciRunId !== void 0 ? { ciRunId: opts.ciRunId } : {},
+        ...opts.branch !== void 0 ? { branch: opts.branch } : {},
+        ...opts.baseUrl !== void 0 ? { baseUrl: opts.baseUrl } : {},
+        ...opts.apiKey !== void 0 ? { apiKey: opts.apiKey } : {},
+        ...globals.dryRun !== void 0 ? { dryRun: Boolean(globals.dryRun) } : {}
+      });
+    }
+  );
+  program.command("doctor").description("Verify the local install: required tools on PATH, auth state, config validity").action(runDoctor);
+  program.command("status [path]").description("Show the consumer project's framework state").action(async (path) => {
+    await runStatus({ path });
+  });
+  program.command("upgrade").description("Update the devaudit CLI itself to the latest release").action(
+    makeStub({
+      command: "upgrade",
+      summary: "Self-update via npm or the platform package manager. Workstream A milestone 8.",
+      trackedIn: TRACKING_ISSUE
+    })
+  );
+  const authCmd = program.command("auth").description("Authentication management");
+  authCmd.command("login").option("--token <token>", "PAT to use (skips the interactive prompt)").option("--base-url <url>", "override portal base URL", "https://devaudit.metasession.co").description("Sign in via PAT paste; stores token in ~/.config/devaudit/auth.json").action(async (opts) => {
+    await runAuthLogin({ token: opts.token, baseUrl: opts.baseUrl });
+  });
+  authCmd.command("logout").description("Delete the cached token at ~/.config/devaudit/auth.json").action(runAuthLogout);
+  authCmd.command("status").description("Show current auth state and verify the cached token").action(runAuthStatus);
+  const orgCmd = program.command("org").description("Organisation management (workstream B prereq)");
+  orgCmd.command("list").description("List orgs the user belongs to").action(makeStub({ command: "org list", summary: "Needs portal RBAC + org endpoints.", trackedIn: TRACKING_ISSUE }));
+  orgCmd.command("switch <slug>").description("Switch active org context").action(
+    makeStub({ command: "org switch", summary: "Updates ~/.config/devaudit/config.json.", trackedIn: TRACKING_ISSUE })
+  );
+  const orgPolicyCmd = orgCmd.command("policy").description("Org policy management");
+  orgPolicyCmd.command("list").description("Show the active org's policy baselines").action(
+    makeStub({
+      command: "org policy list",
+      summary: "Reads from the portal policy engine (workstream B).",
+      trackedIn: TRACKING_ISSUE
+    })
+  );
+  orgPolicyCmd.command("apply [path]").description("Apply org policy to a project (or all org projects)").action(
+    makeStub({
+      command: "org policy apply",
+      summary: "Evaluates sdlc-config.json + CI evidence against org policy bundle.",
+      trackedIn: TRACKING_ISSUE
+    })
+  );
+  orgCmd.command("report").option("--format <fmt>", "html | json | csv", "html").description("Generate an org-wide compliance report").action(
+    makeStub({
+      command: "org report",
+      summary: "Aggregates per-project compliance state across the org.",
+      trackedIn: TRACKING_ISSUE
+    })
+  );
+  const pluginCmd = program.command("plugin").description("Plugin management");
+  pluginCmd.command("list").description("List installed plugins in ~/.config/devaudit/plugins/").action(runPluginList);
+  pluginCmd.command("install <source>").description("Install a plugin from a Git URL (portal registry resolution is pending)").action(async (source) => {
+    await runPluginInstall({ source });
+  });
+  pluginCmd.command("remove <name>").description("Remove a locally installed plugin by package or directory name").action(async (name) => {
+    await runPluginRemove({ name });
+  });
+  pluginCmd.command("update").description("Update all installed plugins (git pull + npm install)").action(runPluginUpdate);
+  const configCmd = program.command("config").description("CLI configuration (telemetry, default org, etc.)");
+  configCmd.command("get <key>").description("Read a CLI config value").action(
+    makeStub({ command: "config get", summary: "Reads ~/.config/devaudit/config.json.", trackedIn: TRACKING_ISSUE })
+  );
+  configCmd.command("set <key> <value>").description("Write a CLI config value").action(
+    makeStub({
+      command: "config set",
+      summary: "Writes to ~/.config/devaudit/config.json (mode 0600).",
+      trackedIn: TRACKING_ISSUE
+    })
+  );
+  configCmd.command("list").description("Print all CLI config values").action(
+    makeStub({
+      command: "config list",
+      summary: "Lists all CLI config keys with their current values.",
+      trackedIn: TRACKING_ISSUE
+    })
+  );
+  const discovery = await discoverPlugins();
+  if (discovery.failures.length > 0) {
+    const log = logger();
+    for (const f of discovery.failures) {
+      log.warn(`Plugin at ${f.dir} failed to load: ${f.reason}`);
+    }
+  }
+  registerPluginCommands(program, discovery.loaded);
+  program.parse(argv);
+}
+main(process.argv).catch((err) => {
+  const log = logger();
+  log.error(err.message);
+  process.exit(1);
+});
+
+export { main };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map