@nugehs/bouncer 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,32 @@
+# Changelog
+
+All notable changes to `@nugehs/bouncer` are documented here.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2026-06-07
+
+Initial release.
+
+### Added
+
+- Static compliance-controls engine: deterministic rule packs evaluated against a
+  target repo, with `pass` / `fail` / `unknown` verdicts. `unknown` (surface not
+  located) is never reported as a pass.
+- Assertion probes: `find`, `allOf` / `anyOf` / `not`, and `allInFile` with an
+  optional `within` line-window for co-occurrence precision.
+- Built-in rule packs:
+  - `uk-osa` — UK Online Safety Act 2023 (age assurance, report/block on UGC,
+    content moderation, illegal-content risk assessment, CSEA route, terms).
+  - `uk-aadc` — ICO Children's Code (age-appropriate application, high-privacy
+    defaults, geolocation off, parental consent under 13, DPIA, no nudge patterns).
+- Stack adapters mapping regulation surfaces to file globs: `next`, `react-native`.
+- CLI: `check`, `report`, `list`, `explain`, `packs`, `init`, `doctor`, `mcp`.
+- Self-contained HTML audit report (compliance ring, per-pack control tables,
+  file-level evidence).
+- MCP server (stdio) exposing `compliance_check`, `list_rules`, `explain_rule`,
+  `list_packs`.
+- Zero runtime dependencies; Node >= 18.
+
+[0.1.0]: https://github.com/nugehs/bouncer/releases/tag/v0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 nugehs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,147 @@
+# bouncer
+
+**Static compliance-controls checker.** bouncer verifies that the controls a
+regulation *requires* actually exist in your code — UK Online Safety Act, ICO
+Children's Code (AADC) — expressed as deterministic **rule packs**. It runs in CI,
+exits non-zero when a required control is missing, and needs **no LLM**.
+
+It checks IDs at the door so non-compliant code doesn't get in.
+
+> bouncer is an engineering aid, **not legal advice**. A green report means the
+> coded controls a rule looks for were found — it is not a substitute for a
+> compliance / DPO review.
+
+---
+
+## Why
+
+Regulators now expect *demonstrable* controls: age assurance, high-privacy
+defaults for children, report/block affordances on user-generated content, a DPIA,
+a risk assessment. Those are concrete things that either exist in a codebase or
+don't. bouncer turns a regulation into a set of static checks over your repo, the
+same way [tieline](https://github.com/nugehs/tieline) turns an API contract into
+drift checks — the engine knows nothing about the law; the **rule packs** do.
+
+## Install
+
+```bash
+npx @nugehs/bouncer init
+npx @nugehs/bouncer check
+```
+
+Or clone and run with plain Node (zero runtime dependencies, Node ≥ 18).
+
+## Usage
+
+```bash
+bouncer init [path]                 # write a starter bouncer.config.json
+bouncer check                       # run packs, print report, exit 1 on a missing control
+bouncer check --pack uk-aadc        # restrict to one pack
+bouncer check --status fail         # show only the failures
+bouncer report --out report.html    # self-contained HTML audit report
+bouncer list                        # every rule the configured packs apply
+bouncer explain <ruleId>            # what a rule requires + how it is checked
+bouncer packs                       # rule packs shipped with bouncer
+bouncer doctor                      # sanity-check config, adapter, packs
+bouncer mcp                         # start the MCP server (stdio)
+```
+
+### Verdicts
+
+| Verdict     | Meaning                                                                       |
+| ----------- | ---------------------------------------------------------------------------- |
+| **pass**    | the required control was found (evidence: `file:line`)                        |
+| **fail**    | the surface exists, but no evidence of the control was found                  |
+| **unknown** | the surface could not be located in this repo — *can't determine, not a pass* |
+
+`unknown` is deliberate: bouncer never reports a green pass for a surface it could
+not find. Missing surface → honest "can't determine".
+
+## Configuration
+
+`bouncer.config.json`:
+
+```json
+{
+  "target": {
+    "adapter": "next",
+    "repo": "../bashbop-event-web",
+    "roots": ["app", "src", "components", "redux"]
+  },
+  "packs": ["uk-osa", "uk-aadc"],
+  "packDirs": [],
+  "ignore": [],
+  "failOn": ["fail"]
+}
+```
+
+- `adapter` — how regulation *surfaces* (sign-up, profile, chat, livestream…) map
+  onto files for your stack. Ships with `next` (App Router).
+- `packs` — which rule packs to run. Built-ins: `uk-osa`, `uk-aadc`.
+- `packDirs` — extra directories of your own `*.json` packs.
+- `ignore` — rule ids to skip.
+- `failOn` — which buckets make `check` exit non-zero (default `["fail"]`).
+
+## Rule packs
+
+A pack is JSON. Each rule maps a *legal standard* to a static assertion over a
+*surface*:
+
+```json
+{
+  "id": "aadc.geolocation-default-off",
+  "standard": "Standard 10 — Geolocation",
+  "severity": "high",
+  "surface": "profile",
+  "intent": "Geolocation must default to off for children.",
+  "fix": "Default any location-sharing setting to off.",
+  "assert": {
+    "find": "(geo|location)[^\\n;,]{0,30}(default|initial)[^\\n;,]{0,15}(false|off)",
+    "in": ["profile", "any"],
+    "expect": "present"
+  }
+}
+```
+
+Assertion nodes:
+
+- `{ "find": "<regex>", "in": "<surface|glob>", "expect": "present|absent" }`
+- `{ "allOf": [ … ] }` · `{ "anyOf": [ … ] }` · `{ "not": … }`
+
+`in` accepts a surface alias (resolved by the adapter), an array of aliases/globs,
+or a raw glob. `expect: "absent"` flips the meaning — a match is a *violation*
+(used for nudge patterns, self-declared age checkboxes, etc.).
+
+### Surfaces (next adapter)
+
+`any`, `signup`, `auth`, `profile`, `chat`, `livestream`, `ugc`, `governance`.
+
+## MCP
+
+bouncer is also an MCP server (stdio), so an agent can pull the same deterministic
+results:
+
+| Tool               | Purpose                                                       |
+| ------------------ | ------------------------------------------------------------ |
+| `compliance_check` | run packs, return per-control verdicts + evidence            |
+| `list_rules`       | list rules the configured packs apply                        |
+| `explain_rule`     | a rule's standard, intent, fix, and how it is checked        |
+| `list_packs`       | available rule packs                                          |
+
+```jsonc
+// .mcp.json
+{ "mcpServers": { "bouncer": { "command": "npx", "args": ["-y", "@nugehs/bouncer", "mcp"] } } }
+```
+
+## CI
+
+```yaml
+- run: npx @nugehs/bouncer check
+```
+
+Fails the build when a required control goes missing — e.g. someone removes an
+age-gate or a report button from a UGC surface.
+
+## License
+
+MIT

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "@nugehs/bouncer",
+  "version": "0.1.0",
+  "mcpName": "io.github.nugehs/bouncer",
+  "description": "bouncer — static compliance-controls checker. Verifies the controls a regulation requires actually exist in your code (UK Online Safety Act, ICO Children's Code), as deterministic rule packs. No LLM required.",
+  "type": "module",
+  "bin": {
+    "bouncer": "src/cli.js"
+  },
+  "files": [
+    "src",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
+  ],
+  "scripts": {
+    "start": "node src/cli.js",
+    "check": "node src/cli.js check",
+    "mcp": "node src/cli.js mcp",
+    "doctor": "node src/cli.js doctor",
+    "test": "node --test tests/*.test.js",
+    "prepublishOnly": "npm test"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/nugehs/bouncer.git"
+  },
+  "homepage": "https://github.com/nugehs/bouncer#readme",
+  "bugs": {
+    "url": "https://github.com/nugehs/bouncer/issues"
+  },
+  "keywords": [
+    "cli",
+    "mcp",
+    "mcp-server",
+    "compliance",
+    "online-safety-act",
+    "age-appropriate-design-code",
+    "childrens-code",
+    "aadc",
+    "age-assurance",
+    "static-analysis",
+    "policy-as-code",
+    "ci",
+    "developer-tools"
+  ],
+  "license": "MIT"
+}

package/src/cli.js

@@ -0,0 +1,143 @@
+#!/usr/bin/env node
+import { parseArgv } from "./lib/args.js";
+import { loadConfig } from "./lib/config.js";
+import { runCheck, listRules, explainRule, availablePacks } from "./lib/packs.js";
+import { reportHuman } from "./lib/reporters/human.js";
+import { reportJson } from "./lib/reporters/json.js";
+import { reportHtml } from "./lib/reporters/html.js";
+import { getDoctorReport, formatDoctorReport } from "./lib/doctor.js";
+import { initProject, formatInitSummary } from "./lib/init.js";
+import { startMcpServer } from "./lib/mcp.js";
+import { printText, printJson, printHelp, writeArtifact } from "./lib/output.js";
+
+const commandHandlers = {
+  check: handleCheck,
+  report: handleReport,
+  list: handleList,
+  explain: handleExplain,
+  packs: handlePacks,
+  init: handleInit,
+  doctor: handleDoctor,
+  mcp: handleMcp,
+  help: handleHelp,
+};
+
+async function main(argv = process.argv.slice(2)) {
+  const parsed = parseArgv(argv);
+  const command = parsed.command ?? "check";
+  const handler = commandHandlers[command];
+
+  if (!handler || parsed.flags.help) {
+    handleHelp();
+    process.exitCode = handler ? 0 : 1;
+    return;
+  }
+
+  try {
+    await handler(parsed);
+  } catch (error) {
+    printText(`bouncer: ${error instanceof Error ? error.message : String(error)}`);
+    process.exitCode = 2;
+  }
+}
+
+function cfgFrom(parsed) {
+  const cfg = loadConfig(parsed.flags.config);
+  if (parsed.flags.pack) cfg.packs = [].concat(parsed.flags.pack);
+  return cfg;
+}
+
+function handleCheck(parsed) {
+  const cfg = cfgFrom(parsed);
+  const result = runCheck(cfg);
+
+  if (parsed.flags.json) reportJson(result);
+  else reportHuman(result, { statusFilter: parsed.flags.status || "all" });
+
+  if (!parsed.flags.no_fail) {
+    const failing = (cfg.failOn || ["fail"]).some((k) => (result.totals[k] || 0) > 0);
+    if (failing) process.exitCode = 1;
+  }
+}
+
+function handleReport(parsed) {
+  const cfg = cfgFrom(parsed);
+  const result = runCheck(cfg);
+  const out = parsed.flags.out || "bouncer-report.html";
+  const html = reportHtml(result, {
+    generatedAt: new Date().toISOString().replace("T", " ").slice(0, 16) + " UTC",
+  });
+  const { path: written } = writeArtifact(out, html);
+  printText(`\n  📄 HTML report written to ${written}\n`);
+}
+
+function handleList(parsed) {
+  const rules = listRules(cfgFrom(parsed));
+  if (parsed.flags.json) return printJson({ rules });
+  printText("");
+  for (const r of rules) {
+    printText(`  ${pad(r.severity, 6)} ${pad(r.ruleId, 38)} ${r.standard || ""}`);
+  }
+  printText(`\n  ${rules.length} rules\n`);
+}
+
+function handleExplain(parsed) {
+  const ruleId = parsed.positionals[0];
+  if (!ruleId) throw new Error("usage: bouncer explain <ruleId>");
+  const r = explainRule(cfgFrom(parsed), ruleId);
+  if (parsed.flags.json) return printJson(r);
+  printText("");
+  printText(`  ${r.id}`);
+  printText(`  pack:     ${r.packTitle} (${r.packId})`);
+  printText(`  authority:${r.authority || ""}`);
+  printText(`  standard: ${r.standard || ""}`);
+  printText(`  severity: ${r.severity || "medium"}`);
+  printText("");
+  printText(`  intent:   ${r.intent || ""}`);
+  printText(`  fix:      ${r.fix || ""}`);
+  printText("");
+  printText(`  how it is checked:`);
+  for (const line of r.checks) printText(`    ${line}`);
+  if (r.url) printText(`\n  reference: ${r.url}`);
+  printText("");
+}
+
+function handlePacks(parsed) {
+  const dirs = parsed.flags.config ? loadConfig(parsed.flags.config).packDirs : [];
+  const packs = availablePacks(dirs);
+  if (parsed.flags.json) return printJson({ packs });
+  printText("");
+  for (const p of packs) {
+    printText(`  ${pad(p.id, 12)} ${pad(String(p.rules) + " rules", 10)} ${p.title}`);
+    printText(`  ${" ".repeat(12)} ${" ".repeat(10)} ${p.authority || ""}`);
+  }
+  printText("");
+}
+
+function handleInit(parsed) {
+  const result = initProject(parsed.positionals[0] || ".", { force: !!parsed.flags.force });
+  if (parsed.flags.json) return printJson(result);
+  printText(formatInitSummary(result));
+}
+
+function handleDoctor(parsed) {
+  const cfg = cfgFrom(parsed);
+  const report = getDoctorReport(cfg);
+  if (parsed.flags.json) printJson(report);
+  else printText(formatDoctorReport(report));
+  if (!report.ok) process.exitCode = 1;
+}
+
+async function handleMcp() {
+  await startMcpServer();
+}
+
+function handleHelp() {
+  printHelp();
+}
+
+function pad(s, n) {
+  return String(s || "").padEnd(n);
+}
+
+main();

package/src/lib/adapters/next.js

@@ -0,0 +1,67 @@
+// Next.js (App Router) adapter.
+//
+// A "surface" is a regulation-level concept (a sign-up flow, a child profile, a
+// chat box). Rule packs reference surfaces by alias; this adapter knows how those
+// aliases map onto files in a Next App Router codebase. Packs stay portable: only
+// the adapter is stack-specific, exactly like tieline's client/server adapters.
+
+export const id = "next";
+
+// Files this adapter considers source. Other files are ignored when scanning.
+export const SOURCE_EXT = [".ts", ".tsx", ".js", ".jsx", ".mjs"];
+
+// Surface alias -> globs (relative to the repo root). Globs support **, *, ?, {a,b}.
+// These are deliberately broad: a missed surface yields "unknown" (honest), never a
+// false "pass". Tune per project via pack rules that pass explicit `in` globs.
+export const SURFACES = {
+  any: ["**/*.{ts,tsx,js,jsx}"],
+
+  signup: [
+    "**/{sign-up,signup,register,registration,onboarding,create-account}/**/*.{ts,tsx}",
+    "**/*{SignUp,Signup,Register,Onboard}*.{ts,tsx}",
+  ],
+
+  auth: [
+    "**/{auth,login,sign-in,signin}/**/*.{ts,tsx}",
+    "**/*{Login,SignIn,Auth}*.{ts,tsx}",
+  ],
+
+  profile: [
+    "**/{profile,account,settings,me}/**/*.{ts,tsx}",
+    "**/*{Profile,Account,Settings}*.{ts,tsx}",
+  ],
+
+  chat: [
+    "**/{chat,messages,messaging,dm,inbox}/**/*.{ts,tsx}",
+    "**/*{Chat,Message,Messaging,Conversation}*.{ts,tsx}",
+  ],
+
+  livestream: [
+    "**/{livestream,live,stream,meet,broadcast,call}/**/*.{ts,tsx}",
+    "**/*{Livestream,LiveStream,Stream,Broadcast,Meeting,Viewer}*.{ts,tsx}",
+  ],
+
+  // Any user-generated-content surface (the union of the live/social surfaces).
+  ugc: [
+    "**/{chat,messages,messaging,dm,inbox,livestream,live,stream,meet,broadcast,comments,reviews}/**/*.{ts,tsx}",
+    "**/*{Chat,Message,Comment,Review,Stream,Broadcast,Profile,Event}*.{ts,tsx}",
+  ],
+
+  // Documentation / governance artifacts (DPIA, risk assessments, policies).
+  governance: [
+    "**/*{dpia,DPIA,data-protection,risk-assessment,risk_assessment}*",
+    "{docs,compliance,legal,governance}/**/*.{md,mdx,pdf}",
+  ],
+};
+
+/** Resolve a rule's `in` (alias string, alias array, or raw glob array) into a flat glob list. */
+export function resolveSurface(spec) {
+  const list = Array.isArray(spec) ? spec : [spec];
+  const globs = [];
+  for (const item of list) {
+    if (typeof item !== "string") continue;
+    if (SURFACES[item]) globs.push(...SURFACES[item]);
+    else globs.push(item); // treat as a raw glob
+  }
+  return globs.length ? globs : SURFACES.any;
+}

package/src/lib/adapters/react-native.js

@@ -0,0 +1,61 @@
+// React Native (Expo / bare) adapter.
+//
+// Same surface model as the Next adapter, but globs tuned for a typical RN/Expo
+// app layout (screens/, src/screens, app/ for expo-router, components/). Packs are
+// unchanged — only this file is stack-specific.
+
+export const id = "react-native";
+
+export const SOURCE_EXT = [".ts", ".tsx", ".js", ".jsx"];
+
+export const SURFACES = {
+  any: ["**/*.{ts,tsx,js,jsx}"],
+
+  signup: [
+    "**/{sign-up,signup,register,registration,onboarding,create-account}/**/*.{ts,tsx,js,jsx}",
+    "**/*{SignUp,Signup,Register,Onboard}*.{ts,tsx,js,jsx}",
+  ],
+
+  auth: [
+    "**/{auth,login,sign-in,signin}/**/*.{ts,tsx,js,jsx}",
+    "**/*{Login,SignIn,Auth}*Screen*.{ts,tsx,js,jsx}",
+    "**/*{Login,SignIn,Auth}*.{ts,tsx,js,jsx}",
+  ],
+
+  profile: [
+    "**/{profile,account,settings,me}/**/*.{ts,tsx,js,jsx}",
+    "**/*{Profile,Account,Settings}*Screen*.{ts,tsx,js,jsx}",
+    "**/*{Profile,Account,Settings}*.{ts,tsx,js,jsx}",
+  ],
+
+  chat: [
+    "**/{chat,messages,messaging,dm,inbox}/**/*.{ts,tsx,js,jsx}",
+    "**/*{Chat,Message,Messaging,Conversation}*.{ts,tsx,js,jsx}",
+  ],
+
+  livestream: [
+    "**/{livestream,live,stream,meet,broadcast,call}/**/*.{ts,tsx,js,jsx}",
+    "**/*{Livestream,LiveStream,Stream,Broadcast,Meeting,Viewer}*.{ts,tsx,js,jsx}",
+  ],
+
+  ugc: [
+    "**/{chat,messages,messaging,dm,inbox,livestream,live,stream,meet,broadcast,comments,reviews}/**/*.{ts,tsx,js,jsx}",
+    "**/*{Chat,Message,Comment,Review,Stream,Broadcast,Profile,Event}*.{ts,tsx,js,jsx}",
+  ],
+
+  governance: [
+    "**/*{dpia,DPIA,data-protection,risk-assessment,risk_assessment}*",
+    "{docs,compliance,legal,governance}/**/*.{md,mdx,pdf}",
+  ],
+};
+
+export function resolveSurface(spec) {
+  const list = Array.isArray(spec) ? spec : [spec];
+  const globs = [];
+  for (const item of list) {
+    if (typeof item !== "string") continue;
+    if (SURFACES[item]) globs.push(...SURFACES[item]);
+    else globs.push(item);
+  }
+  return globs.length ? globs : SURFACES.any;
+}

package/src/lib/args.js

@@ -0,0 +1,73 @@
+export function parseArgv(argv) {
+  const result = {
+    command: undefined,
+    positionals: [],
+    flags: {},
+  };
+
+  const args = [...argv];
+  result.command = args.shift();
+
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+    if (arg === "--") {
+      result.positionals.push(...args.slice(index + 1));
+      break;
+    }
+
+    if (!arg.startsWith("-")) {
+      result.positionals.push(arg);
+      continue;
+    }
+
+    if (arg.startsWith("--")) {
+      const [rawKey, inlineValue] = arg.slice(2).split("=", 2);
+      const key = normalizeFlagName(rawKey);
+      const next = args[index + 1];
+      const value = inlineValue ?? (next && !next.startsWith("-") ? args[++index] : true);
+      assignFlag(result.flags, key, value);
+      continue;
+    }
+
+    const shortFlags = arg.slice(1);
+    if (shortFlags.length === 1 && shortFlagTakesValue(shortFlags)) {
+      const next = args[index + 1];
+      assignFlag(result.flags, expandShortFlag(shortFlags), next && !next.startsWith("-") ? args[++index] : true);
+      continue;
+    }
+
+    for (const short of shortFlags) {
+      assignFlag(result.flags, expandShortFlag(short), true);
+    }
+  }
+
+  return result;
+}
+
+function assignFlag(flags, key, value) {
+  if (["pack", "ignore"].includes(key)) {
+    flags[key] = Array.isArray(flags[key]) ? [...flags[key], value] : [value];
+    return;
+  }
+  flags[key] = value;
+}
+
+function normalizeFlagName(flag) {
+  const aliases = {
+    o: "out",
+    h: "help",
+    j: "json",
+    p: "pack",
+    c: "config",
+    s: "status",
+  };
+  return aliases[flag] ?? flag.replaceAll("-", "_");
+}
+
+function expandShortFlag(short) {
+  return normalizeFlagName(short);
+}
+
+function shortFlagTakesValue(short) {
+  return ["o", "p", "c", "s"].includes(short);
+}

package/src/lib/brand.js

@@ -0,0 +1,22 @@
+export const designPrint = [
+  "bouncer",
+  "+------------------------------------------------------+",
+  "| Checks the controls a regulation requires actually   |",
+  "| exist in your code. No LLM required.                 |",
+  "+--------------------------.---------------------------+",
+  "                           |",
+  "              .------------+------------.",
+  "             /   regulation -> rules     \\",
+  "            /_____________________________\\",
+  "                 o----o----o----o",
+  "                pack  rule surface verdict",
+  "                 |    |    |    |",
+  "               OSA  AADC  code  pass/fail",
+].join("\n");
+
+// Verdict glyphs reused across reporters.
+export const GLYPH = {
+  pass: "✓", // ✓
+  fail: "✗", // ✗
+  unknown: "?",
+};

package/src/lib/config.js

@@ -0,0 +1,51 @@
+import fs from "node:fs";
+import path from "node:path";
+
+const DEFAULTS = {
+  target: { adapter: "next", repo: ".", roots: ["app", "src", "components"] },
+  packs: ["uk-osa", "uk-aadc"],
+  packDirs: [],
+  ignore: [],
+  failOn: ["fail"],
+};
+
+/** Load and resolve bouncer.config.json. The target repo path is resolved relative to the config file. */
+export function loadConfig(explicitPath) {
+  const cfgPath = path.resolve(explicitPath || findConfig());
+  const dir = path.dirname(cfgPath);
+  const raw = JSON.parse(fs.readFileSync(cfgPath, "utf8"));
+
+  const cfg = {
+    ...DEFAULTS,
+    ...raw,
+    target: { ...DEFAULTS.target, ...(raw.target || {}) },
+  };
+  cfg.target.repoRoot = path.resolve(dir, cfg.target.repo);
+  cfg.packDirs = (cfg.packDirs || []).map((d) => path.resolve(dir, d));
+  cfg._path = cfgPath;
+  return cfg;
+}
+
+function findConfig() {
+  let dir = process.cwd();
+  for (;;) {
+    const p = path.join(dir, "bouncer.config.json");
+    if (fs.existsSync(p)) return p;
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  throw new Error("No bouncer.config.json found (searched up from cwd). Run `bouncer init` or pass --config <path>.");
+}
+
+export const CONFIG_TEMPLATE = {
+  target: {
+    adapter: "next",
+    repo: ".",
+    roots: ["app", "src", "components", "redux"],
+  },
+  packs: ["uk-osa", "uk-aadc"],
+  packDirs: [],
+  ignore: [],
+  failOn: ["fail"],
+};