@posthog/wizard 2.0.2 → 2.1.0

package/dist/src/lib/yara-scanner.js

@@ -0,0 +1,328 @@
+"use strict";
+/**
+ * YARA content scanner for the PostHog wizard.
+ *
+ * This file is the single source of truth for all wizard YARA rules.
+ *
+ * Scans tool inputs (pre-execution) and outputs (post-execution) for
+ * security violations including PII leakage, hardcoded secrets,
+ * prompt injection, and secret exfiltration.
+ *
+ * We use YARA-style regex rules rather than the real YARA C library to
+ * avoid native binary dependencies in an npx-distributed npm package.
+ *
+ * This is Layer 2 (L2) in the wizard's defense-in-depth model,
+ * complementing the prompt-based commandments (L0) and the
+ * canUseTool() allowlist (L1).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RULES = void 0;
+exports.scan = scan;
+exports.scanSkillDirectory = scanSkillDirectory;
+// ─── Rule Definitions ────────────────────────────────────────────
+//
+// Patterns are compiled once at module load time for performance.
+// Design spec: policies/yara/RULES.md
+const POST_WRITE_EDIT = [
+    { phase: 'PostToolUse', tool: 'Write' },
+    { phase: 'PostToolUse', tool: 'Edit' },
+];
+const POST_READ_GREP = [
+    { phase: 'PostToolUse', tool: 'Read' },
+    { phase: 'PostToolUse', tool: 'Grep' },
+];
+const PRE_BASH = [
+    { phase: 'PreToolUse', tool: 'Bash' },
+];
+// ── §1 PostHog API Violations ────────────────────────────────────
+const pii_in_capture_call = {
+    name: 'pii_in_capture_call',
+    description: "Detects PII fields passed to posthog.capture() — violates 'NEVER send PII in capture()' commandment",
+    severity: 'high',
+    category: 'posthog_pii',
+    appliesTo: POST_WRITE_EDIT,
+    patterns: [
+        // Direct PII field names in capture properties
+        /\.capture\s*\([^)]{0,200}email/i,
+        /\.capture\s*\([^)]{0,200}phone/i,
+        /\.capture\s*\([^)]{0,200}full[_\s]?name/i,
+        /\.capture\s*\([^)]{0,200}first[_\s]?name/i,
+        /\.capture\s*\([^)]{0,200}last[_\s]?name/i,
+        /\.capture\s*\([^)]{0,200}(street|mailing|home|billing)[_\s]?address/i,
+        /\.capture\s*\([^)]{0,200}(ssn|social[_\s]?security)/i,
+        /\.capture\s*\([^)]{0,200}(date[_\s]?of[_\s]?birth|dob|birthday)/i,
+        /\.capture\s*\([^)]{0,200}\$ip/,
+        // identify() allows email/phone/name (standard PostHog user properties),
+        // but highly sensitive PII is still blocked in identify().
+        /\.identify\s*\([^)]{0,200}(ssn|social[_\s]?security)/i,
+        /\.identify\s*\([^)]{0,200}(card[_\s]?number|cvv|credit[_\s]?card)/i,
+        /\.identify\s*\([^)]{0,200}(date[_\s]?of[_\s]?birth|dob|birthday)/i,
+        /\.identify\s*\([^)]{0,200}(street|mailing|home|billing)[_\s]?address/i,
+        // PII in $set properties via capture (bound to same object)
+        /\$set[^}]{0,200}email/i,
+        /\$set[^}]{0,200}phone/i,
+    ],
+};
+const hardcoded_posthog_key = {
+    name: 'hardcoded_posthog_key',
+    description: "Detects hardcoded PostHog API keys in source — violates 'use environment variables' commandment",
+    severity: 'high',
+    category: 'posthog_hardcoded_key',
+    appliesTo: POST_WRITE_EDIT,
+    patterns: [
+        // PostHog project API key (phc_ prefix, 20+ alphanumeric chars)
+        /phc_[a-zA-Z0-9]{20,}/,
+        // PostHog personal API key (phx_ prefix)
+        /phx_[a-zA-Z0-9]{20,}/,
+        // Hardcoded key assignment patterns
+        /apiKey\s*[:=]\s*['"][a-zA-Z0-9_]{20,}['"]/,
+        /api_key\s*[:=]\s*['"][a-zA-Z0-9_]{20,}['"]/,
+        /POSTHOG_KEY\s*[:=]\s*['"][a-zA-Z0-9_]{20,}['"]/,
+    ],
+};
+const autocapture_disabled = {
+    name: 'autocapture_disabled',
+    description: "Detects agent disabling autocapture — violates 'don't disable autocapture' commandment",
+    severity: 'medium',
+    category: 'posthog_autocapture',
+    appliesTo: POST_WRITE_EDIT,
+    patterns: [
+        /autocapture\s*:\s*false/,
+        /autocapture\s*:\s*'false'/,
+        /autocapture\s*:\s*"false"/,
+        /autocapture\s*=\s*False/,
+        /disable_autocapture\s*[:=]\s*(true|True|1)/,
+    ],
+};
+// ── §1b Additional PostHog config rules ──────────────────────────
+const hardcoded_posthog_host = {
+    name: 'hardcoded_posthog_host',
+    description: 'Detects hardcoded PostHog host URLs in source — should use environment variables',
+    severity: 'high',
+    category: 'posthog_hardcoded_key',
+    appliesTo: POST_WRITE_EDIT,
+    patterns: [/['"]https:\/\/(us|eu)\.i\.posthog\.com['"]/],
+};
+const session_recording_disabled = {
+    name: 'session_recording_disabled',
+    description: 'Detects agent disabling session recording',
+    severity: 'medium',
+    category: 'posthog_config',
+    appliesTo: POST_WRITE_EDIT,
+    patterns: [
+        /disable_session_recording\s*:\s*true/i,
+        /disable_session_recording\s*=\s*True/,
+    ],
+};
+const opt_out_capturing = {
+    name: 'opt_out_capturing',
+    description: 'Detects agent opting out of PostHog capturing entirely',
+    severity: 'medium',
+    category: 'posthog_config',
+    appliesTo: POST_WRITE_EDIT,
+    patterns: [
+        // Match opt_out_capturing as a config property (in init options), not as a method call.
+        // posthog.opt_out_capturing() is a legitimate GDPR-required API.
+        /opt_out_capturing\s*[:=]\s*(true|True|1)/i,
+        /opted_out\s*[:=]\s*(true|True|1)/i,
+    ],
+};
+// ── §2 Prompt Injection ──────────────────────────────────────────
+const prompt_injection_wizard_override = {
+    name: 'prompt_injection_wizard_override',
+    description: 'Detects classic prompt injection attempting to override agent instructions',
+    severity: 'critical',
+    category: 'prompt_injection',
+    appliesTo: POST_READ_GREP,
+    patterns: [
+        // Direct instruction override — classic injection patterns
+        /ignore previous instructions/i,
+        /disregard all/i,
+        /forget your instructions/i,
+        /override your rules/i,
+        // Role manipulation
+        /act as a different/i,
+        /new instructions:/i,
+    ],
+};
+const prompt_injection_wizard_specific = {
+    name: 'prompt_injection_wizard_specific',
+    description: 'Detects wizard-specific manipulation or tool abuse attempts in project files',
+    severity: 'medium',
+    category: 'prompt_injection',
+    appliesTo: POST_READ_GREP,
+    patterns: [
+        // Wizard-specific manipulation
+        /skip posthog/i,
+        /do not install posthog/i,
+        /remove posthog/i,
+        /uninstall posthog/i,
+        /delete the posthog/i,
+        // Tool abuse via file content
+        /run the following command/i,
+        /execute this shell command/i,
+        // Role hijacking — require "you are now a" to avoid false positives
+        // on legitimate phrases like "you are now ready to..."
+        /you are now a\s/i,
+    ],
+};
+const prompt_injection_base64 = {
+    name: 'prompt_injection_base64',
+    description: 'Detects suspicious base64-encoded blocks in file content that may contain obfuscated prompt injection',
+    severity: 'critical',
+    category: 'prompt_injection',
+    appliesTo: POST_READ_GREP,
+    patterns: [
+        // Long base64 strings (100+ chars) in comments or string literals
+        // that aren't typical data URIs or legitimate base64 content
+        /(?:\/\/|#|\/\*)\s*[A-Za-z0-9+/]{100,}={0,2}/,
+    ],
+};
+// ── §3 Secret Exfiltration ───────────────────────────────────────
+const secret_exfiltration_via_command = {
+    name: 'secret_exfiltration_via_command',
+    description: 'Detects shell commands attempting to exfiltrate secrets or credentials',
+    severity: 'critical',
+    category: 'exfiltration',
+    appliesTo: PRE_BASH,
+    patterns: [
+        // curl/wget with environment variable secrets
+        /curl\s+.*\$\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)/i,
+        /wget\s+.*\$\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)/i,
+        // Piping sensitive content to network tools
+        /(\$\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD)|\.env|credentials)\S*.*\|\s*curl/i,
+        /(\$\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD)|\.env|credentials)\S*.*\|\s*wget/i,
+        /\|\s*nc\s/,
+        /\|\s*netcat\s/,
+        // Base64 encoding piped to network
+        /base64.*\|\s*(curl|wget|nc\s)/i,
+        // Reading .env and sending
+        /cat\s+.*\.env.*\|\s*(curl|wget)/,
+        // PostHog key exfiltration specifically
+        /curl.*phc_[a-zA-Z0-9]/,
+        /wget.*phc_[a-zA-Z0-9]/,
+    ],
+};
+// ── §4 Filesystem Safety ─────────────────────────────────────────
+const destructive_rm = {
+    name: 'destructive_rm',
+    description: 'Detects rm -rf or rm -r commands that could mass-delete files',
+    severity: 'critical',
+    category: 'filesystem_safety',
+    appliesTo: PRE_BASH,
+    patterns: [
+        // Combined flags: rm -rf, rm -fr, rm -rfi, etc.
+        /\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)\b/,
+        // Separated flags: rm -r -f, rm -f -r (with optional other flags)
+        /\brm\s+(-[a-zA-Z]*\s+)*-[a-zA-Z]*r[a-zA-Z]*\s+(-[a-zA-Z]*\s+)*-[a-zA-Z]*f\b/,
+        /\brm\s+(-[a-zA-Z]*\s+)*-[a-zA-Z]*f[a-zA-Z]*\s+(-[a-zA-Z]*\s+)*-[a-zA-Z]*r\b/,
+    ],
+};
+const git_force_push = {
+    name: 'git_force_push',
+    description: 'Detects git push --force which can overwrite remote history',
+    severity: 'critical',
+    category: 'filesystem_safety',
+    appliesTo: PRE_BASH,
+    patterns: [/git\s+push\s+.*--force/, /git\s+push\s+.*-f\b/],
+};
+const git_reset_hard = {
+    name: 'git_reset_hard',
+    description: 'Detects git reset --hard which discards all uncommitted changes',
+    severity: 'critical',
+    category: 'filesystem_safety',
+    appliesTo: PRE_BASH,
+    patterns: [/git\s+reset\s+--hard/],
+};
+// ── §5 Supply Chain ──────────────────────────────────────────────
+const wrong_posthog_package = {
+    name: 'wrong_posthog_package',
+    description: 'Detects installing the wrong PostHog npm package — should be posthog-js or posthog-node',
+    severity: 'high',
+    category: 'supply_chain',
+    appliesTo: PRE_BASH,
+    patterns: [
+        // Match "npm install posthog" but not "posthog-js", "posthog-node", etc.
+        /npm\s+install\s+(?:--save\s+|--save-dev\s+|-[SD]\s+)*posthog(?!\s*-)/,
+        /pnpm\s+(?:add|install)\s+(?:--save\s+|--save-dev\s+|-[SD]\s+)*posthog(?!\s*-)/,
+        /yarn\s+add\s+(?:--dev\s+|-D\s+)*posthog(?!\s*-)/,
+        /bun\s+(?:add|install)\s+(?:--dev\s+|-[dD]\s+)*posthog(?!\s*-)/,
+    ],
+};
+const npm_install_global = {
+    name: 'npm_install_global',
+    description: 'Detects global npm installs — should never install packages globally',
+    severity: 'high',
+    category: 'supply_chain',
+    appliesTo: PRE_BASH,
+    patterns: [/npm\s+install\s+-g\b/, /npm\s+install\s+--global\b/],
+};
+// ─── Rule Registry ───────────────────────────────────────────────
+exports.RULES = [
+    // §1 PostHog API violations
+    pii_in_capture_call,
+    hardcoded_posthog_key,
+    autocapture_disabled,
+    hardcoded_posthog_host,
+    session_recording_disabled,
+    opt_out_capturing,
+    // §2 Prompt injection
+    prompt_injection_wizard_override,
+    prompt_injection_wizard_specific,
+    prompt_injection_base64,
+    // §3 Secret exfiltration
+    secret_exfiltration_via_command,
+    // §4 Filesystem safety
+    destructive_rm,
+    git_force_push,
+    git_reset_hard,
+    // §5 Supply chain
+    wrong_posthog_package,
+    npm_install_global,
+];
+// ─── Scan Engine ─────────────────────────────────────────────────
+/** Maximum content length to scan (100 KB). Inputs beyond this are truncated. */
+const MAX_SCAN_LENGTH = 100_000;
+/**
+ * Scan content against rules applicable to a given hook phase and tool.
+ * Returns all matching rules (one match per rule, first pattern wins).
+ */
+function scan(content, phase, tool) {
+    // Cap input length to prevent pathological regex performance
+    const scanContent = content.length > MAX_SCAN_LENGTH
+        ? content.slice(0, MAX_SCAN_LENGTH)
+        : content;
+    const applicableRules = exports.RULES.filter((r) => r.appliesTo.some((a) => a.phase === phase && a.tool === tool));
+    const matches = [];
+    for (const rule of applicableRules) {
+        for (const pattern of rule.patterns) {
+            const match = pattern.exec(scanContent);
+            if (match) {
+                matches.push({
+                    rule,
+                    matchedText: match[0],
+                    offset: match.index,
+                });
+                break; // One match per rule is sufficient
+            }
+        }
+    }
+    return matches.length > 0 ? { matched: true, matches } : { matched: false };
+}
+/**
+ * Scan all files in a skill directory for prompt injection.
+ * Used for context-mill scanning after skill installation.
+ */
+function scanSkillDirectory(files) {
+    const allMatches = [];
+    for (const file of files) {
+        const result = scan(file.content, 'PostToolUse', 'Read');
+        if (result.matched) {
+            allMatches.push(...result.matches);
+        }
+    }
+    return allMatches.length > 0
+        ? { matched: true, matches: allMatches }
+        : { matched: false };
+}
+//# sourceMappingURL=yara-scanner.js.map

package/dist/src/lib/yara-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"yara-scanner.js","sourceRoot":"","sources":["../../../src/lib/yara-scanner.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AA+VH,oBA8BC;AAMD,gDAaC;AArWD,oEAAoE;AACpE,EAAE;AACF,kEAAkE;AAClE,sCAAsC;AAEtC,MAAM,eAAe,GAAkD;IACrE,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,OAAO,EAAE;IACvC,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE;CACvC,CAAC;AAEF,MAAM,cAAc,GAAkD;IACpE,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE;IACtC,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE;CACvC,CAAC;AAEF,MAAM,QAAQ,GAAkD;IAC9D,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE;CACtC,CAAC;AAEF,oEAAoE;AAEpE,MAAM,mBAAmB,GAAa;IACpC,IAAI,EAAE,qBAAqB;IAC3B,WAAW,EACT,qGAAqG;IACvG,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,aAAa;IACvB,SAAS,EAAE,eAAe;IAC1B,QAAQ,EAAE;QACR,+CAA+C;QAC/C,iCAAiC;QACjC,iCAAiC;QACjC,0CAA0C;QAC1C,2CAA2C;QAC3C,0CAA0C;QAC1C,sEAAsE;QACtE,sDAAsD;QACtD,kEAAkE;QAClE,+BAA+B;QAC/B,yEAAyE;QACzE,2DAA2D;QAC3D,uDAAuD;QACvD,oEAAoE;QACpE,mEAAmE;QACnE,uEAAuE;QACvE,4DAA4D;QAC5D,wBAAwB;QACxB,wBAAwB;KACzB;CACF,CAAC;AAEF,MAAM,qBAAqB,GAAa;IACtC,IAAI,EAAE,uBAAuB;IAC7B,WAAW,EACT,iGAAiG;IACnG,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,uBAAuB;IACjC,SAAS,EAAE,eAAe;IAC1B,QAAQ,EAAE;QACR,gEAAgE;QAChE,sBAAsB;QACtB,yCAAyC;QACzC,sBAAsB;QACtB,oCAAoC;QACpC,2CAA2C;QAC3C,4CAA4C;QAC5C,gDAAgD;KACjD;CACF,CAAC;AAEF,MAAM,oBAAoB,GAAa;IACrC,IAAI,EAAE,sBAAsB;IAC5B,WAAW,EACT,wFAAwF;IAC1F,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,qBAAqB;IAC/B,SAAS,EAAE,eAAe;IAC1B,QAAQ,EAAE;QACR,yBAAyB;QACzB,2BAA2B;QAC3B,2BAA2B;QAC3B,yBAAyB;QACzB,4CAA4C;KAC7C;CACF,CAAC;AAEF,oEAAoE;AAEpE,MAAM,sBAAsB,GAAa;IACvC,IAAI,EAAE,wBAAwB;IAC9B,WAAW,EACT,kFAAkF;IACpF,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,uBAAuB;IACjC,SAAS,EAAE,eAAe;IAC1B,QAAQ,EAAE,CAAC,4CAA4C,CAAC;CACzD,CAAC;AAEF,MAAM,0BAA0B,GAAa;IAC3C,IAAI,EAAE,4BAA4B;IAClC,WAAW,EAAE,2CAA2C;IACxD,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,gBAAgB;IAC1B,SAAS,EAAE,eAAe;IAC1B,QAAQ,EAAE;QACR,uCAAuC;QACvC,sCAAsC;KACvC;CACF,CAAC;AAEF,MAAM,iBAAiB,GAAa;IAClC,IAAI,EAAE,mBAAmB;IACzB,WAAW,EAAE,wDAAwD;IACrE,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,gBAAgB;IAC1B,SAAS,EAAE,eAAe;IAC1B,QAAQ,EAAE;QACR,wFAAwF;QACxF,iEAAiE;QACjE,2CAA2C;QAC3C,mCAAmC;KACpC;CACF,CAAC;AAEF,oEAAoE;AAEpE,MAAM,gCAAgC,GAAa;IACjD,IAAI,EAAE,kCAAkC;IACxC,WAAW,EACT,4EAA4E;IAC9E,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,kBAAkB;IAC5B,SAAS,EAAE,cAAc;IACzB,QAAQ,EAAE;QACR,2DAA2D;QAC3D,+BAA+B;QAC/B,gBAAgB;QAChB,2BAA2B;QAC3B,sBAAsB;QACtB,oBAAoB;QACpB,qBAAqB;QACrB,oBAAoB;KACrB;CACF,CAAC;AAEF,MAAM,gCAAgC,GAAa;IACjD,IAAI,EAAE,kCAAkC;IACxC,WAAW,EACT,8EAA8E;IAChF,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,kBAAkB;IAC5B,SAAS,EAAE,cAAc;IACzB,QAAQ,EAAE;QACR,+BAA+B;QAC/B,eAAe;QACf,yBAAyB;QACzB,iBAAiB;QACjB,oBAAoB;QACpB,qBAAqB;QACrB,8BAA8B;QAC9B,4BAA4B;QAC5B,6BAA6B;QAC7B,oEAAoE;QACpE,uDAAuD;QACvD,kBAAkB;KACnB;CACF,CAAC;AAEF,MAAM,uBAAuB,GAAa;IACxC,IAAI,EAAE,yBAAyB;IAC/B,WAAW,EACT,uGAAuG;IACzG,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,kBAAkB;IAC5B,SAAS,EAAE,cAAc;IACzB,QAAQ,EAAE;QACR,kEAAkE;QAClE,6DAA6D;QAC7D,6CAA6C;KAC9C;CACF,CAAC;AAEF,oEAAoE;AAEpE,MAAM,+BAA+B,GAAa;IAChD,IAAI,EAAE,iCAAiC;IACvC,WAAW,EACT,wEAAwE;IAC1E,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,cAAc;IACxB,SAAS,EAAE,QAAQ;IACnB,QAAQ,EAAE;QACR,8CAA8C;QAC9C,8DAA8D;QAC9D,8DAA8D;QAC9D,4CAA4C;QAC5C,4EAA4E;QAC5E,4EAA4E;QAC5E,WAAW;QACX,eAAe;QACf,mCAAmC;QACnC,gCAAgC;QAChC,2BAA2B;QAC3B,iCAAiC;QACjC,wCAAwC;QACxC,uBAAuB;QACvB,uBAAuB;KACxB;CACF,CAAC;AAEF,oEAAoE;AAEpE,MAAM,cAAc,GAAa;IAC/B,IAAI,EAAE,gBAAgB;IACtB,WAAW,EAAE,+DAA+D;IAC5E,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,mBAAmB;IAC7B,SAAS,EAAE,QAAQ;IACnB,QAAQ,EAAE;QACR,gDAAgD;QAChD,wDAAwD;QACxD,kEAAkE;QAClE,6EAA6E;QAC7E,6EAA6E;KAC9E;CACF,CAAC;AAEF,MAAM,cAAc,GAAa;IAC/B,IAAI,EAAE,gBAAgB;IACtB,WAAW,EAAE,6DAA6D;IAC1E,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,mBAAmB;IAC7B,SAAS,EAAE,QAAQ;IACnB,QAAQ,EAAE,CAAC,wBAAwB,EAAE,qBAAqB,CAAC;CAC5D,CAAC;AAEF,MAAM,cAAc,GAAa;IAC/B,IAAI,EAAE,gBAAgB;IACtB,WAAW,EACT,iEAAiE;IACnE,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,mBAAmB;IAC7B,SAAS,EAAE,QAAQ;IACnB,QAAQ,EAAE,CAAC,sBAAsB,CAAC;CACnC,CAAC;AAEF,oEAAoE;AAEpE,MAAM,qBAAqB,GAAa;IACtC,IAAI,EAAE,uBAAuB;IAC7B,WAAW,EACT,yFAAyF;IAC3F,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,cAAc;IACxB,SAAS,EAAE,QAAQ;IACnB,QAAQ,EAAE;QACR,yEAAyE;QACzE,sEAAsE;QACtE,+EAA+E;QAC/E,iDAAiD;QACjD,+DAA+D;KAChE;CACF,CAAC;AAEF,MAAM,kBAAkB,GAAa;IACnC,IAAI,EAAE,oBAAoB;IAC1B,WAAW,EACT,sEAAsE;IACxE,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,cAAc;IACxB,SAAS,EAAE,QAAQ;IACnB,QAAQ,EAAE,CAAC,sBAAsB,EAAE,4BAA4B,CAAC;CACjE,CAAC;AAEF,oEAAoE;AAEvD,QAAA,KAAK,GAAe;IAC/B,4BAA4B;IAC5B,mBAAmB;IACnB,qBAAqB;IACrB,oBAAoB;IACpB,sBAAsB;IACtB,0BAA0B;IAC1B,iBAAiB;IACjB,sBAAsB;IACtB,gCAAgC;IAChC,gCAAgC;IAChC,uBAAuB;IACvB,yBAAyB;IACzB,+BAA+B;IAC/B,uBAAuB;IACvB,cAAc;IACd,cAAc;IACd,cAAc;IACd,kBAAkB;IAClB,qBAAqB;IACrB,kBAAkB;CACnB,CAAC;AAEF,oEAAoE;AAEpE,iFAAiF;AACjF,MAAM,eAAe,GAAG,OAAO,CAAC;AAEhC;;;GAGG;AACH,SAAgB,IAAI,CAClB,OAAe,EACf,KAAgB,EAChB,IAAgB;IAEhB,6DAA6D;IAC7D,MAAM,WAAW,GACf,OAAO,CAAC,MAAM,GAAG,eAAe;QAC9B,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC;QACnC,CAAC,CAAC,OAAO,CAAC;IACd,MAAM,eAAe,GAAG,aAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACzC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAC9D,CAAC;IAEF,MAAM,OAAO,GAAgB,EAAE,CAAC;IAChC,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACxC,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;oBACrB,MAAM,EAAE,KAAK,CAAC,KAAK;iBACpB,CAAC,CAAC;gBACH,MAAM,CAAC,mCAAmC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC9E,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAChC,KAA+C;IAE/C,MAAM,UAAU,GAAgB,EAAE,CAAC;IACnC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC;QACzD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,UAAU,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC;QAC1B,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE;QACxC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AACzB,CAAC","sourcesContent":["/**\n * YARA content scanner for the PostHog wizard.\n *\n * This file is the single source of truth for all wizard YARA rules.\n *\n * Scans tool inputs (pre-execution) and outputs (post-execution) for\n * security violations including PII leakage, hardcoded secrets,\n * prompt injection, and secret exfiltration.\n *\n * We use YARA-style regex rules rather than the real YARA C library to\n * avoid native binary dependencies in an npx-distributed npm package.\n *\n * This is Layer 2 (L2) in the wizard's defense-in-depth model,\n * complementing the prompt-based commandments (L0) and the\n * canUseTool() allowlist (L1).\n */\n\n// ─── Types ───────────────────────────────────────────────────────\n\nexport type YaraSeverity = 'critical' | 'high' | 'medium' | 'low';\n\nexport type YaraCategory =\n  | 'posthog_pii'\n  | 'posthog_hardcoded_key'\n  | 'posthog_autocapture'\n  | 'posthog_config'\n  | 'prompt_injection'\n  | 'exfiltration'\n  | 'filesystem_safety'\n  | 'supply_chain';\n\nexport type HookPhase = 'PreToolUse' | 'PostToolUse';\nexport type ToolTarget = 'Bash' | 'Write' | 'Edit' | 'Read' | 'Grep';\n\nexport interface YaraRule {\n  /** Rule name matching the .yar file (e.g. 'pii_in_capture_call') */\n  name: string;\n  description: string;\n  severity: YaraSeverity;\n  category: YaraCategory;\n  /** Which hook+tool combinations this rule applies to */\n  appliesTo: Array<{ phase: HookPhase; tool: ToolTarget }>;\n  /** Compiled regex patterns — any match triggers the rule */\n  patterns: RegExp[];\n}\n\nexport interface YaraMatch {\n  rule: YaraRule;\n  /** The matched substring */\n  matchedText: string;\n  /** Byte offset in the scanned content */\n  offset: number;\n}\n\nexport type ScanResult =\n  | { matched: false }\n  | { matched: true; matches: YaraMatch[] };\n\n// ─── Rule Definitions ────────────────────────────────────────────\n//\n// Patterns are compiled once at module load time for performance.\n// Design spec: policies/yara/RULES.md\n\nconst POST_WRITE_EDIT: Array<{ phase: HookPhase; tool: ToolTarget }> = [\n  { phase: 'PostToolUse', tool: 'Write' },\n  { phase: 'PostToolUse', tool: 'Edit' },\n];\n\nconst POST_READ_GREP: Array<{ phase: HookPhase; tool: ToolTarget }> = [\n  { phase: 'PostToolUse', tool: 'Read' },\n  { phase: 'PostToolUse', tool: 'Grep' },\n];\n\nconst PRE_BASH: Array<{ phase: HookPhase; tool: ToolTarget }> = [\n  { phase: 'PreToolUse', tool: 'Bash' },\n];\n\n// ── §1 PostHog API Violations ────────────────────────────────────\n\nconst pii_in_capture_call: YaraRule = {\n  name: 'pii_in_capture_call',\n  description:\n    \"Detects PII fields passed to posthog.capture() — violates 'NEVER send PII in capture()' commandment\",\n  severity: 'high',\n  category: 'posthog_pii',\n  appliesTo: POST_WRITE_EDIT,\n  patterns: [\n    // Direct PII field names in capture properties\n    /\\.capture\\s*\\([^)]{0,200}email/i,\n    /\\.capture\\s*\\([^)]{0,200}phone/i,\n    /\\.capture\\s*\\([^)]{0,200}full[_\\s]?name/i,\n    /\\.capture\\s*\\([^)]{0,200}first[_\\s]?name/i,\n    /\\.capture\\s*\\([^)]{0,200}last[_\\s]?name/i,\n    /\\.capture\\s*\\([^)]{0,200}(street|mailing|home|billing)[_\\s]?address/i,\n    /\\.capture\\s*\\([^)]{0,200}(ssn|social[_\\s]?security)/i,\n    /\\.capture\\s*\\([^)]{0,200}(date[_\\s]?of[_\\s]?birth|dob|birthday)/i,\n    /\\.capture\\s*\\([^)]{0,200}\\$ip/,\n    // identify() allows email/phone/name (standard PostHog user properties),\n    // but highly sensitive PII is still blocked in identify().\n    /\\.identify\\s*\\([^)]{0,200}(ssn|social[_\\s]?security)/i,\n    /\\.identify\\s*\\([^)]{0,200}(card[_\\s]?number|cvv|credit[_\\s]?card)/i,\n    /\\.identify\\s*\\([^)]{0,200}(date[_\\s]?of[_\\s]?birth|dob|birthday)/i,\n    /\\.identify\\s*\\([^)]{0,200}(street|mailing|home|billing)[_\\s]?address/i,\n    // PII in $set properties via capture (bound to same object)\n    /\\$set[^}]{0,200}email/i,\n    /\\$set[^}]{0,200}phone/i,\n  ],\n};\n\nconst hardcoded_posthog_key: YaraRule = {\n  name: 'hardcoded_posthog_key',\n  description:\n    \"Detects hardcoded PostHog API keys in source — violates 'use environment variables' commandment\",\n  severity: 'high',\n  category: 'posthog_hardcoded_key',\n  appliesTo: POST_WRITE_EDIT,\n  patterns: [\n    // PostHog project API key (phc_ prefix, 20+ alphanumeric chars)\n    /phc_[a-zA-Z0-9]{20,}/,\n    // PostHog personal API key (phx_ prefix)\n    /phx_[a-zA-Z0-9]{20,}/,\n    // Hardcoded key assignment patterns\n    /apiKey\\s*[:=]\\s*['\"][a-zA-Z0-9_]{20,}['\"]/,\n    /api_key\\s*[:=]\\s*['\"][a-zA-Z0-9_]{20,}['\"]/,\n    /POSTHOG_KEY\\s*[:=]\\s*['\"][a-zA-Z0-9_]{20,}['\"]/,\n  ],\n};\n\nconst autocapture_disabled: YaraRule = {\n  name: 'autocapture_disabled',\n  description:\n    \"Detects agent disabling autocapture — violates 'don't disable autocapture' commandment\",\n  severity: 'medium',\n  category: 'posthog_autocapture',\n  appliesTo: POST_WRITE_EDIT,\n  patterns: [\n    /autocapture\\s*:\\s*false/,\n    /autocapture\\s*:\\s*'false'/,\n    /autocapture\\s*:\\s*\"false\"/,\n    /autocapture\\s*=\\s*False/,\n    /disable_autocapture\\s*[:=]\\s*(true|True|1)/,\n  ],\n};\n\n// ── §1b Additional PostHog config rules ──────────────────────────\n\nconst hardcoded_posthog_host: YaraRule = {\n  name: 'hardcoded_posthog_host',\n  description:\n    'Detects hardcoded PostHog host URLs in source — should use environment variables',\n  severity: 'high',\n  category: 'posthog_hardcoded_key',\n  appliesTo: POST_WRITE_EDIT,\n  patterns: [/['\"]https:\\/\\/(us|eu)\\.i\\.posthog\\.com['\"]/],\n};\n\nconst session_recording_disabled: YaraRule = {\n  name: 'session_recording_disabled',\n  description: 'Detects agent disabling session recording',\n  severity: 'medium',\n  category: 'posthog_config',\n  appliesTo: POST_WRITE_EDIT,\n  patterns: [\n    /disable_session_recording\\s*:\\s*true/i,\n    /disable_session_recording\\s*=\\s*True/,\n  ],\n};\n\nconst opt_out_capturing: YaraRule = {\n  name: 'opt_out_capturing',\n  description: 'Detects agent opting out of PostHog capturing entirely',\n  severity: 'medium',\n  category: 'posthog_config',\n  appliesTo: POST_WRITE_EDIT,\n  patterns: [\n    // Match opt_out_capturing as a config property (in init options), not as a method call.\n    // posthog.opt_out_capturing() is a legitimate GDPR-required API.\n    /opt_out_capturing\\s*[:=]\\s*(true|True|1)/i,\n    /opted_out\\s*[:=]\\s*(true|True|1)/i,\n  ],\n};\n\n// ── §2 Prompt Injection ──────────────────────────────────────────\n\nconst prompt_injection_wizard_override: YaraRule = {\n  name: 'prompt_injection_wizard_override',\n  description:\n    'Detects classic prompt injection attempting to override agent instructions',\n  severity: 'critical',\n  category: 'prompt_injection',\n  appliesTo: POST_READ_GREP,\n  patterns: [\n    // Direct instruction override — classic injection patterns\n    /ignore previous instructions/i,\n    /disregard all/i,\n    /forget your instructions/i,\n    /override your rules/i,\n    // Role manipulation\n    /act as a different/i,\n    /new instructions:/i,\n  ],\n};\n\nconst prompt_injection_wizard_specific: YaraRule = {\n  name: 'prompt_injection_wizard_specific',\n  description:\n    'Detects wizard-specific manipulation or tool abuse attempts in project files',\n  severity: 'medium',\n  category: 'prompt_injection',\n  appliesTo: POST_READ_GREP,\n  patterns: [\n    // Wizard-specific manipulation\n    /skip posthog/i,\n    /do not install posthog/i,\n    /remove posthog/i,\n    /uninstall posthog/i,\n    /delete the posthog/i,\n    // Tool abuse via file content\n    /run the following command/i,\n    /execute this shell command/i,\n    // Role hijacking — require \"you are now a\" to avoid false positives\n    // on legitimate phrases like \"you are now ready to...\"\n    /you are now a\\s/i,\n  ],\n};\n\nconst prompt_injection_base64: YaraRule = {\n  name: 'prompt_injection_base64',\n  description:\n    'Detects suspicious base64-encoded blocks in file content that may contain obfuscated prompt injection',\n  severity: 'critical',\n  category: 'prompt_injection',\n  appliesTo: POST_READ_GREP,\n  patterns: [\n    // Long base64 strings (100+ chars) in comments or string literals\n    // that aren't typical data URIs or legitimate base64 content\n    /(?:\\/\\/|#|\\/\\*)\\s*[A-Za-z0-9+/]{100,}={0,2}/,\n  ],\n};\n\n// ── §3 Secret Exfiltration ───────────────────────────────────────\n\nconst secret_exfiltration_via_command: YaraRule = {\n  name: 'secret_exfiltration_via_command',\n  description:\n    'Detects shell commands attempting to exfiltrate secrets or credentials',\n  severity: 'critical',\n  category: 'exfiltration',\n  appliesTo: PRE_BASH,\n  patterns: [\n    // curl/wget with environment variable secrets\n    /curl\\s+.*\\$\\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)/i,\n    /wget\\s+.*\\$\\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)/i,\n    // Piping sensitive content to network tools\n    /(\\$\\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD)|\\.env|credentials)\\S*.*\\|\\s*curl/i,\n    /(\\$\\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD)|\\.env|credentials)\\S*.*\\|\\s*wget/i,\n    /\\|\\s*nc\\s/,\n    /\\|\\s*netcat\\s/,\n    // Base64 encoding piped to network\n    /base64.*\\|\\s*(curl|wget|nc\\s)/i,\n    // Reading .env and sending\n    /cat\\s+.*\\.env.*\\|\\s*(curl|wget)/,\n    // PostHog key exfiltration specifically\n    /curl.*phc_[a-zA-Z0-9]/,\n    /wget.*phc_[a-zA-Z0-9]/,\n  ],\n};\n\n// ── §4 Filesystem Safety ─────────────────────────────────────────\n\nconst destructive_rm: YaraRule = {\n  name: 'destructive_rm',\n  description: 'Detects rm -rf or rm -r commands that could mass-delete files',\n  severity: 'critical',\n  category: 'filesystem_safety',\n  appliesTo: PRE_BASH,\n  patterns: [\n    // Combined flags: rm -rf, rm -fr, rm -rfi, etc.\n    /\\brm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)\\b/,\n    // Separated flags: rm -r -f, rm -f -r (with optional other flags)\n    /\\brm\\s+(-[a-zA-Z]*\\s+)*-[a-zA-Z]*r[a-zA-Z]*\\s+(-[a-zA-Z]*\\s+)*-[a-zA-Z]*f\\b/,\n    /\\brm\\s+(-[a-zA-Z]*\\s+)*-[a-zA-Z]*f[a-zA-Z]*\\s+(-[a-zA-Z]*\\s+)*-[a-zA-Z]*r\\b/,\n  ],\n};\n\nconst git_force_push: YaraRule = {\n  name: 'git_force_push',\n  description: 'Detects git push --force which can overwrite remote history',\n  severity: 'critical',\n  category: 'filesystem_safety',\n  appliesTo: PRE_BASH,\n  patterns: [/git\\s+push\\s+.*--force/, /git\\s+push\\s+.*-f\\b/],\n};\n\nconst git_reset_hard: YaraRule = {\n  name: 'git_reset_hard',\n  description:\n    'Detects git reset --hard which discards all uncommitted changes',\n  severity: 'critical',\n  category: 'filesystem_safety',\n  appliesTo: PRE_BASH,\n  patterns: [/git\\s+reset\\s+--hard/],\n};\n\n// ── §5 Supply Chain ──────────────────────────────────────────────\n\nconst wrong_posthog_package: YaraRule = {\n  name: 'wrong_posthog_package',\n  description:\n    'Detects installing the wrong PostHog npm package — should be posthog-js or posthog-node',\n  severity: 'high',\n  category: 'supply_chain',\n  appliesTo: PRE_BASH,\n  patterns: [\n    // Match \"npm install posthog\" but not \"posthog-js\", \"posthog-node\", etc.\n    /npm\\s+install\\s+(?:--save\\s+|--save-dev\\s+|-[SD]\\s+)*posthog(?!\\s*-)/,\n    /pnpm\\s+(?:add|install)\\s+(?:--save\\s+|--save-dev\\s+|-[SD]\\s+)*posthog(?!\\s*-)/,\n    /yarn\\s+add\\s+(?:--dev\\s+|-D\\s+)*posthog(?!\\s*-)/,\n    /bun\\s+(?:add|install)\\s+(?:--dev\\s+|-[dD]\\s+)*posthog(?!\\s*-)/,\n  ],\n};\n\nconst npm_install_global: YaraRule = {\n  name: 'npm_install_global',\n  description:\n    'Detects global npm installs — should never install packages globally',\n  severity: 'high',\n  category: 'supply_chain',\n  appliesTo: PRE_BASH,\n  patterns: [/npm\\s+install\\s+-g\\b/, /npm\\s+install\\s+--global\\b/],\n};\n\n// ─── Rule Registry ───────────────────────────────────────────────\n\nexport const RULES: YaraRule[] = [\n  // §1 PostHog API violations\n  pii_in_capture_call,\n  hardcoded_posthog_key,\n  autocapture_disabled,\n  hardcoded_posthog_host,\n  session_recording_disabled,\n  opt_out_capturing,\n  // §2 Prompt injection\n  prompt_injection_wizard_override,\n  prompt_injection_wizard_specific,\n  prompt_injection_base64,\n  // §3 Secret exfiltration\n  secret_exfiltration_via_command,\n  // §4 Filesystem safety\n  destructive_rm,\n  git_force_push,\n  git_reset_hard,\n  // §5 Supply chain\n  wrong_posthog_package,\n  npm_install_global,\n];\n\n// ─── Scan Engine ─────────────────────────────────────────────────\n\n/** Maximum content length to scan (100 KB). Inputs beyond this are truncated. */\nconst MAX_SCAN_LENGTH = 100_000;\n\n/**\n * Scan content against rules applicable to a given hook phase and tool.\n * Returns all matching rules (one match per rule, first pattern wins).\n */\nexport function scan(\n  content: string,\n  phase: HookPhase,\n  tool: ToolTarget,\n): ScanResult {\n  // Cap input length to prevent pathological regex performance\n  const scanContent =\n    content.length > MAX_SCAN_LENGTH\n      ? content.slice(0, MAX_SCAN_LENGTH)\n      : content;\n  const applicableRules = RULES.filter((r) =>\n    r.appliesTo.some((a) => a.phase === phase && a.tool === tool),\n  );\n\n  const matches: YaraMatch[] = [];\n  for (const rule of applicableRules) {\n    for (const pattern of rule.patterns) {\n      const match = pattern.exec(scanContent);\n      if (match) {\n        matches.push({\n          rule,\n          matchedText: match[0],\n          offset: match.index,\n        });\n        break; // One match per rule is sufficient\n      }\n    }\n  }\n\n  return matches.length > 0 ? { matched: true, matches } : { matched: false };\n}\n\n/**\n * Scan all files in a skill directory for prompt injection.\n * Used for context-mill scanning after skill installation.\n */\nexport function scanSkillDirectory(\n  files: Array<{ path: string; content: string }>,\n): ScanResult {\n  const allMatches: YaraMatch[] = [];\n  for (const file of files) {\n    const result = scan(file.content, 'PostToolUse', 'Read');\n    if (result.matched) {\n      allMatches.push(...result.matches);\n    }\n  }\n  return allMatches.length > 0\n    ? { matched: true, matches: allMatches }\n    : { matched: false };\n}\n"]}

package/dist/src/run.d.ts

@@ -1,10 +1,12 @@
 import { type WizardSession } from './lib/wizard-session';
+import type { CloudRegion } from './utils/types';
 import { Integration } from './lib/constants';
 type Args = {
     integration?: Integration;
     debug?: boolean;
     forceInstall?: boolean;
     installDir?: string;
+    region?: CloudRegion;
     default?: boolean;
     signup?: boolean;
     localMcp?: boolean;
@@ -13,6 +15,7 @@ type Args = {
     projectId?: string;
     menu?: boolean;
     benchmark?: boolean;
+    yaraReport?: boolean;
 };
 export declare function runWizard(argv: Args, session?: WizardSession): Promise<void>;
 export declare function detectIntegration(installDir: string): Promise<Integration | undefined>;

package/dist/src/run.js

@@ -47,6 +47,7 @@ async function runWizard(argv, session) {
             menu: finalArgs.menu,
             integration: finalArgs.integration,
             benchmark: finalArgs.benchmark,
+            yaraReport: finalArgs.yaraReport,
             projectId: finalArgs.projectId,
         });
     }
@@ -75,6 +76,7 @@ async function runWizard(argv, session) {
                 ci: session.ci,
                 menu: session.menu,
                 benchmark: session.benchmark,
+                yaraReport: session.yaraReport,
             });
             for (const [key, value] of Object.entries(context)) {
                 if (!(key in session.frameworkContext)) {
@@ -125,8 +127,16 @@ async function detectAndResolveIntegration(session) {
         const detectedIntegration = await detectIntegration(session.installDir);
         if (detectedIntegration) {
             (0, ui_1.getUI)().setDetectedFramework(registry_1.FRAMEWORK_REGISTRY[detectedIntegration].metadata.name);
+            analytics_1.analytics.capture(constants_1.WIZARD_INTERACTION_EVENT_NAME, {
+                action: 'wizard_framework_detected',
+                integration: detectedIntegration,
+                framework_name: registry_1.FRAMEWORK_REGISTRY[detectedIntegration].metadata.name,
+            });
             return detectedIntegration;
         }
+        analytics_1.analytics.capture(constants_1.WIZARD_INTERACTION_EVENT_NAME, {
+            action: 'wizard_framework_detection_failed',
+        });
         (0, ui_1.getUI)().log.info("I couldn't detect your framework. Please choose one to get started.");
     }
     // Fallback: in TUI mode the IntroScreen would handle this,

package/dist/src/run.js.map

@@ -1 +1 @@
-{"version":3,"file":"run.js","sourceRoot":"","sources":["../../src/run.ts"],"names":[],"mappings":";;;;;AA8BA,8BAiGC;AAED,8CAmBC;AApJD,yDAAwE;AAExE,+CAAoE;AACpE,qDAAsD;AACtD,6BAA6B;AAC7B,gDAAwB;AACxB,6CAAoD;AACpD,iDAA8C;AAC9C,qDAAoD;AACpD,mCAAsC;AACtC,yCAA0C;AAC1C,uDAAmD;AAEnD,qBAAY,CAAC,mBAAmB,GAAG,EAAE,CAAC;AAiB/B,KAAK,UAAU,SAAS,CAAC,IAAU,EAAE,OAAuB;IACjE,MAAM,SAAS,GAAG;QAChB,GAAG,IAAI;QACP,GAAG,IAAA,6BAAe,GAAE;KACrB,CAAC;IAEF,IAAI,kBAA0B,CAAC;IAC/B,IAAI,SAAS,CAAC,UAAU,EAAE,CAAC;QACzB,IAAI,cAAI,CAAC,UAAU,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;YAC1C,kBAAkB,GAAG,SAAS,CAAC,UAAU,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,kBAAkB,GAAG,cAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,UAAU,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;SAAM,CAAC;QACN,kBAAkB,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IACrC,CAAC;IAED,+DAA+D;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,GAAG,IAAA,6BAAY,EAAC;YACrB,KAAK,EAAE,SAAS,CAAC,KAAK;YACtB,YAAY,EAAE,SAAS,CAAC,YAAY;YACpC,UAAU,EAAE,kBAAkB;YAC9B,EAAE,EAAE,SAAS,CAAC,EAAE;YAChB,MAAM,EAAE,SAAS,CAAC,MAAM;YACxB,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,MAAM,EAAE,SAAS,CAAC,MAAM;YACxB,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,SAAS,EAAE,SAAS,CAAC,SAAS;YAC9B,SAAS,EAAE,SAAS,CAAC,SAAS;SAC/B,CAAC,CAAC;IACL,CAAC;IAED,OAAO,CAAC,UAAU,GAAG,kBAAkB,CAAC;IAExC,IAAA,UAAK,GAAE,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;IAErD,IAAI,OAAO,CAAC,EAAE,EAAE,CAAC;QACf,IAAA,UAAK,GAAE,CAAC,GAAG,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,WAAW,GACf,OAAO,CAAC,WAAW,IAAI,CAAC,MAAM,2BAA2B,CAAC,OAAO,CAAC,CAAC,CAAC;IAEtE,OAAO,CAAC,WAAW,GAAG,WAAW,CAAC;IAClC,qBAAS,CAAC,MAAM,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IAE7C,MAAM,MAAM,GAAG,6BAAkB,CAAC,WAAW,CAAC,CAAC;IAC/C,OAAO,CAAC,eAAe,GAAG,MAAM,CAAC;IAEjC,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,sBAAsB,GAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IACnD,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC7D,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAClD,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,SAAS,EAAE,OAAO,CAAC,SAAS;aAC7B,CAAC,CAAC;YACH,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnD,IAAI,CAAC,CAAC,GAAG,IAAI,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;oBACvC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBACxC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yDAAyD;QAC3D,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAA,6BAAc,EAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5E,MAAM,UAAU,GACd,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAElE,IAAA,iBAAS,EAAC,kCAAkC,YAAY,GAAG,CAAC,CAAC;QAC7D,IAAI,UAAU,EAAE,CAAC;YACf,IAAA,iBAAS,EAAC,gCAAgC,UAAU,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,CAAC,CAAC,OAAO,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAEzE,MAAM,IAAA,0BAAW,EAAC;YAChB,OAAO,EAAE,yBAAyB,YAAY,yCAAyC,MAAM,CAAC,QAAQ,CAAC,OAAO,+BAA+B,SAAS,EAAE;YACxJ,KAAK,EAAE,KAAc;SACtB,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,iBAAiB,CACrC,UAAkB;IAElB,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,MAAM,CAAC,uBAAW,CAAC,EAAE,CAAC;QACrD,MAAM,MAAM,GAAG,6BAAkB,CAAC,WAAW,CAAC,CAAC;QAC/C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAClC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,CAAC;gBACvC,IAAI,OAAO,CAAQ,CAAC,OAAO,EAAE,EAAE,CAC7B,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gCAAoB,CAAC,CACvD;aACF,CAAC,CAAC;YACH,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,WAAW,CAAC;YACrB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yCAAyC;QAC3C,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,2BAA2B,CACxC,OAAsB;IAEtB,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,mBAAmB,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAExE,IAAI,mBAAmB,EAAE,CAAC;YACxB,IAAA,UAAK,GAAE,CAAC,oBAAoB,CAC1B,6BAAkB,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,IAAI,CACtD,CAAC;YACF,OAAO,mBAAmB,CAAC;QAC7B,CAAC;QAED,IAAA,UAAK,GAAE,CAAC,GAAG,CAAC,IAAI,CACd,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED,2DAA2D;IAC3D,gEAAgE;IAChE,OAAO,IAAA,0BAAW,EAAC;QACjB,OAAO,EACL,yFAAyF;KAC5F,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { type WizardSession, buildSession } from './lib/wizard-session';\n\nimport { Integration, DETECTION_TIMEOUT_MS } from './lib/constants';\nimport { readEnvironment } from './utils/environment';\nimport { getUI } from './ui';\nimport path from 'path';\nimport { FRAMEWORK_REGISTRY } from './lib/registry';\nimport { analytics } from './utils/analytics';\nimport { runAgentWizard } from './lib/agent-runner';\nimport { EventEmitter } from 'events';\nimport { logToFile } from './utils/debug';\nimport { wizardAbort } from './utils/wizard-abort';\n\nEventEmitter.defaultMaxListeners = 50;\n\ntype Args = {\n  integration?: Integration;\n  debug?: boolean;\n  forceInstall?: boolean;\n  installDir?: string;\n  default?: boolean;\n  signup?: boolean;\n  localMcp?: boolean;\n  ci?: boolean;\n  apiKey?: string;\n  projectId?: string;\n  menu?: boolean;\n  benchmark?: boolean;\n};\n\nexport async function runWizard(argv: Args, session?: WizardSession) {\n  const finalArgs = {\n    ...argv,\n    ...readEnvironment(),\n  };\n\n  let resolvedInstallDir: string;\n  if (finalArgs.installDir) {\n    if (path.isAbsolute(finalArgs.installDir)) {\n      resolvedInstallDir = finalArgs.installDir;\n    } else {\n      resolvedInstallDir = path.join(process.cwd(), finalArgs.installDir);\n    }\n  } else {\n    resolvedInstallDir = process.cwd();\n  }\n\n  // Build session if not provided (CI mode passes one pre-built)\n  if (!session) {\n    session = buildSession({\n      debug: finalArgs.debug,\n      forceInstall: finalArgs.forceInstall,\n      installDir: resolvedInstallDir,\n      ci: finalArgs.ci,\n      signup: finalArgs.signup,\n      localMcp: finalArgs.localMcp,\n      apiKey: finalArgs.apiKey,\n      menu: finalArgs.menu,\n      integration: finalArgs.integration,\n      benchmark: finalArgs.benchmark,\n      projectId: finalArgs.projectId,\n    });\n  }\n\n  session.installDir = resolvedInstallDir;\n\n  getUI().intro(`Welcome to the PostHog setup wizard`);\n\n  if (session.ci) {\n    getUI().log.info('Running in CI mode');\n  }\n\n  const integration =\n    session.integration ?? (await detectAndResolveIntegration(session));\n\n  session.integration = integration;\n  analytics.setTag('integration', integration);\n\n  const config = FRAMEWORK_REGISTRY[integration];\n  session.frameworkConfig = config;\n\n  // Run gatherContext if the framework has it and it hasn't already run\n  // (bin.ts runs it early so IntroScreen can show the friendly label)\n  const contextAlreadyGathered =\n    Object.keys(session.frameworkContext).length > 0;\n  if (config.metadata.gatherContext && !contextAlreadyGathered) {\n    try {\n      const context = await config.metadata.gatherContext({\n        installDir: session.installDir,\n        debug: session.debug,\n        forceInstall: session.forceInstall,\n        default: false,\n        signup: session.signup,\n        localMcp: session.localMcp,\n        ci: session.ci,\n        menu: session.menu,\n        benchmark: session.benchmark,\n      });\n      for (const [key, value] of Object.entries(context)) {\n        if (!(key in session.frameworkContext)) {\n          session.frameworkContext[key] = value;\n        }\n      }\n    } catch {\n      // Detection failed — SetupScreen or agent will handle it\n    }\n  }\n\n  try {\n    await runAgentWizard(config, session);\n  } catch (error) {\n    const errorMessage = error instanceof Error ? error.message : String(error);\n    const errorStack =\n      error instanceof Error && error.stack ? error.stack : undefined;\n\n    logToFile(`[Wizard run.ts] ERROR MESSAGE: ${errorMessage} `);\n    if (errorStack) {\n      logToFile(`[Wizard run.ts] ERROR STACK: ${errorStack}`);\n    }\n\n    const debugInfo = session.debug && errorStack ? `\\n\\n${errorStack}` : '';\n\n    await wizardAbort({\n      message: `Something went wrong: ${errorMessage}\\n\\nYou can read the documentation at ${config.metadata.docsUrl} to set up PostHog manually.${debugInfo}`,\n      error: error as Error,\n    });\n  }\n}\n\nexport async function detectIntegration(\n  installDir: string,\n): Promise<Integration | undefined> {\n  for (const integration of Object.values(Integration)) {\n    const config = FRAMEWORK_REGISTRY[integration];\n    try {\n      const detected = await Promise.race([\n        config.detection.detect({ installDir }),\n        new Promise<false>((resolve) =>\n          setTimeout(() => resolve(false), DETECTION_TIMEOUT_MS),\n        ),\n      ]);\n      if (detected) {\n        return integration;\n      }\n    } catch {\n      // Skip frameworks whose detection throws\n    }\n  }\n}\n\nasync function detectAndResolveIntegration(\n  session: WizardSession,\n): Promise<Integration> {\n  if (!session.menu) {\n    const detectedIntegration = await detectIntegration(session.installDir);\n\n    if (detectedIntegration) {\n      getUI().setDetectedFramework(\n        FRAMEWORK_REGISTRY[detectedIntegration].metadata.name,\n      );\n      return detectedIntegration;\n    }\n\n    getUI().log.info(\n      \"I couldn't detect your framework. Please choose one to get started.\",\n    );\n  }\n\n  // Fallback: in TUI mode the IntroScreen would handle this,\n  // but for CI mode or when detection fails, abort with guidance.\n  return wizardAbort({\n    message:\n      'Could not auto-detect your framework. Please specify --integration on the command line.',\n  });\n}\n"]}
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../../src/run.ts"],"names":[],"mappings":";;;;;AAsCA,8BAmGC;AAED,8CAmBC;AA9JD,yDAAwE;AAIxE,+CAIyB;AACzB,qDAAsD;AACtD,6BAA6B;AAC7B,gDAAwB;AACxB,6CAAoD;AACpD,iDAA8C;AAC9C,qDAAoD;AACpD,mCAAsC;AACtC,yCAA0C;AAC1C,uDAAmD;AAEnD,qBAAY,CAAC,mBAAmB,GAAG,EAAE,CAAC;AAmB/B,KAAK,UAAU,SAAS,CAAC,IAAU,EAAE,OAAuB;IACjE,MAAM,SAAS,GAAG;QAChB,GAAG,IAAI;QACP,GAAG,IAAA,6BAAe,GAAE;KACrB,CAAC;IAEF,IAAI,kBAA0B,CAAC;IAC/B,IAAI,SAAS,CAAC,UAAU,EAAE,CAAC;QACzB,IAAI,cAAI,CAAC,UAAU,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;YAC1C,kBAAkB,GAAG,SAAS,CAAC,UAAU,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,kBAAkB,GAAG,cAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,UAAU,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;SAAM,CAAC;QACN,kBAAkB,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IACrC,CAAC;IAED,+DAA+D;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,GAAG,IAAA,6BAAY,EAAC;YACrB,KAAK,EAAE,SAAS,CAAC,KAAK;YACtB,YAAY,EAAE,SAAS,CAAC,YAAY;YACpC,UAAU,EAAE,kBAAkB;YAC9B,EAAE,EAAE,SAAS,CAAC,EAAE;YAChB,MAAM,EAAE,SAAS,CAAC,MAAM;YACxB,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,MAAM,EAAE,SAAS,CAAC,MAAM;YACxB,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,SAAS,EAAE,SAAS,CAAC,SAAS;YAC9B,UAAU,EAAE,SAAS,CAAC,UAAU;YAChC,SAAS,EAAE,SAAS,CAAC,SAAS;SAC/B,CAAC,CAAC;IACL,CAAC;IAED,OAAO,CAAC,UAAU,GAAG,kBAAkB,CAAC;IAExC,IAAA,UAAK,GAAE,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;IAErD,IAAI,OAAO,CAAC,EAAE,EAAE,CAAC;QACf,IAAA,UAAK,GAAE,CAAC,GAAG,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,WAAW,GACf,OAAO,CAAC,WAAW,IAAI,CAAC,MAAM,2BAA2B,CAAC,OAAO,CAAC,CAAC,CAAC;IAEtE,OAAO,CAAC,WAAW,GAAG,WAAW,CAAC;IAClC,qBAAS,CAAC,MAAM,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IAE7C,MAAM,MAAM,GAAG,6BAAkB,CAAC,WAAW,CAAC,CAAC;IAC/C,OAAO,CAAC,eAAe,GAAG,MAAM,CAAC;IAEjC,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,sBAAsB,GAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IACnD,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC7D,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAClD,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;aAC/B,CAAC,CAAC;YACH,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnD,IAAI,CAAC,CAAC,GAAG,IAAI,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;oBACvC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBACxC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yDAAyD;QAC3D,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAA,6BAAc,EAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5E,MAAM,UAAU,GACd,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAElE,IAAA,iBAAS,EAAC,kCAAkC,YAAY,GAAG,CAAC,CAAC;QAC7D,IAAI,UAAU,EAAE,CAAC;YACf,IAAA,iBAAS,EAAC,gCAAgC,UAAU,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,CAAC,CAAC,OAAO,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAEzE,MAAM,IAAA,0BAAW,EAAC;YAChB,OAAO,EAAE,yBAAyB,YAAY,yCAAyC,MAAM,CAAC,QAAQ,CAAC,OAAO,+BAA+B,SAAS,EAAE;YACxJ,KAAK,EAAE,KAAc;SACtB,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,iBAAiB,CACrC,UAAkB;IAElB,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,MAAM,CAAC,uBAAW,CAAC,EAAE,CAAC;QACrD,MAAM,MAAM,GAAG,6BAAkB,CAAC,WAAW,CAAC,CAAC;QAC/C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAClC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,CAAC;gBACvC,IAAI,OAAO,CAAQ,CAAC,OAAO,EAAE,EAAE,CAC7B,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,gCAAoB,CAAC,CACvD;aACF,CAAC,CAAC;YACH,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,WAAW,CAAC;YACrB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yCAAyC;QAC3C,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,2BAA2B,CACxC,OAAsB;IAEtB,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,mBAAmB,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAExE,IAAI,mBAAmB,EAAE,CAAC;YACxB,IAAA,UAAK,GAAE,CAAC,oBAAoB,CAC1B,6BAAkB,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,IAAI,CACtD,CAAC;YACF,qBAAS,CAAC,OAAO,CAAC,yCAA6B,EAAE;gBAC/C,MAAM,EAAE,2BAA2B;gBACnC,WAAW,EAAE,mBAAmB;gBAChC,cAAc,EAAE,6BAAkB,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,IAAI;aACtE,CAAC,CAAC;YACH,OAAO,mBAAmB,CAAC;QAC7B,CAAC;QAED,qBAAS,CAAC,OAAO,CAAC,yCAA6B,EAAE;YAC/C,MAAM,EAAE,mCAAmC;SAC5C,CAAC,CAAC;QACH,IAAA,UAAK,GAAE,CAAC,GAAG,CAAC,IAAI,CACd,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED,2DAA2D;IAC3D,gEAAgE;IAChE,OAAO,IAAA,0BAAW,EAAC;QACjB,OAAO,EACL,yFAAyF;KAC5F,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { type WizardSession, buildSession } from './lib/wizard-session';\n\nimport type { CloudRegion } from './utils/types';\n\nimport {\n  Integration,\n  DETECTION_TIMEOUT_MS,\n  WIZARD_INTERACTION_EVENT_NAME,\n} from './lib/constants';\nimport { readEnvironment } from './utils/environment';\nimport { getUI } from './ui';\nimport path from 'path';\nimport { FRAMEWORK_REGISTRY } from './lib/registry';\nimport { analytics } from './utils/analytics';\nimport { runAgentWizard } from './lib/agent-runner';\nimport { EventEmitter } from 'events';\nimport { logToFile } from './utils/debug';\nimport { wizardAbort } from './utils/wizard-abort';\n\nEventEmitter.defaultMaxListeners = 50;\n\ntype Args = {\n  integration?: Integration;\n  debug?: boolean;\n  forceInstall?: boolean;\n  installDir?: string;\n  region?: CloudRegion;\n  default?: boolean;\n  signup?: boolean;\n  localMcp?: boolean;\n  ci?: boolean;\n  apiKey?: string;\n  projectId?: string;\n  menu?: boolean;\n  benchmark?: boolean;\n  yaraReport?: boolean;\n};\n\nexport async function runWizard(argv: Args, session?: WizardSession) {\n  const finalArgs = {\n    ...argv,\n    ...readEnvironment(),\n  };\n\n  let resolvedInstallDir: string;\n  if (finalArgs.installDir) {\n    if (path.isAbsolute(finalArgs.installDir)) {\n      resolvedInstallDir = finalArgs.installDir;\n    } else {\n      resolvedInstallDir = path.join(process.cwd(), finalArgs.installDir);\n    }\n  } else {\n    resolvedInstallDir = process.cwd();\n  }\n\n  // Build session if not provided (CI mode passes one pre-built)\n  if (!session) {\n    session = buildSession({\n      debug: finalArgs.debug,\n      forceInstall: finalArgs.forceInstall,\n      installDir: resolvedInstallDir,\n      ci: finalArgs.ci,\n      signup: finalArgs.signup,\n      localMcp: finalArgs.localMcp,\n      apiKey: finalArgs.apiKey,\n      menu: finalArgs.menu,\n      integration: finalArgs.integration,\n      benchmark: finalArgs.benchmark,\n      yaraReport: finalArgs.yaraReport,\n      projectId: finalArgs.projectId,\n    });\n  }\n\n  session.installDir = resolvedInstallDir;\n\n  getUI().intro(`Welcome to the PostHog setup wizard`);\n\n  if (session.ci) {\n    getUI().log.info('Running in CI mode');\n  }\n\n  const integration =\n    session.integration ?? (await detectAndResolveIntegration(session));\n\n  session.integration = integration;\n  analytics.setTag('integration', integration);\n\n  const config = FRAMEWORK_REGISTRY[integration];\n  session.frameworkConfig = config;\n\n  // Run gatherContext if the framework has it and it hasn't already run\n  // (bin.ts runs it early so IntroScreen can show the friendly label)\n  const contextAlreadyGathered =\n    Object.keys(session.frameworkContext).length > 0;\n  if (config.metadata.gatherContext && !contextAlreadyGathered) {\n    try {\n      const context = await config.metadata.gatherContext({\n        installDir: session.installDir,\n        debug: session.debug,\n        forceInstall: session.forceInstall,\n        default: false,\n        signup: session.signup,\n        localMcp: session.localMcp,\n        ci: session.ci,\n        menu: session.menu,\n        benchmark: session.benchmark,\n        yaraReport: session.yaraReport,\n      });\n      for (const [key, value] of Object.entries(context)) {\n        if (!(key in session.frameworkContext)) {\n          session.frameworkContext[key] = value;\n        }\n      }\n    } catch {\n      // Detection failed — SetupScreen or agent will handle it\n    }\n  }\n\n  try {\n    await runAgentWizard(config, session);\n  } catch (error) {\n    const errorMessage = error instanceof Error ? error.message : String(error);\n    const errorStack =\n      error instanceof Error && error.stack ? error.stack : undefined;\n\n    logToFile(`[Wizard run.ts] ERROR MESSAGE: ${errorMessage} `);\n    if (errorStack) {\n      logToFile(`[Wizard run.ts] ERROR STACK: ${errorStack}`);\n    }\n\n    const debugInfo = session.debug && errorStack ? `\\n\\n${errorStack}` : '';\n\n    await wizardAbort({\n      message: `Something went wrong: ${errorMessage}\\n\\nYou can read the documentation at ${config.metadata.docsUrl} to set up PostHog manually.${debugInfo}`,\n      error: error as Error,\n    });\n  }\n}\n\nexport async function detectIntegration(\n  installDir: string,\n): Promise<Integration | undefined> {\n  for (const integration of Object.values(Integration)) {\n    const config = FRAMEWORK_REGISTRY[integration];\n    try {\n      const detected = await Promise.race([\n        config.detection.detect({ installDir }),\n        new Promise<false>((resolve) =>\n          setTimeout(() => resolve(false), DETECTION_TIMEOUT_MS),\n        ),\n      ]);\n      if (detected) {\n        return integration;\n      }\n    } catch {\n      // Skip frameworks whose detection throws\n    }\n  }\n}\n\nasync function detectAndResolveIntegration(\n  session: WizardSession,\n): Promise<Integration> {\n  if (!session.menu) {\n    const detectedIntegration = await detectIntegration(session.installDir);\n\n    if (detectedIntegration) {\n      getUI().setDetectedFramework(\n        FRAMEWORK_REGISTRY[detectedIntegration].metadata.name,\n      );\n      analytics.capture(WIZARD_INTERACTION_EVENT_NAME, {\n        action: 'wizard_framework_detected',\n        integration: detectedIntegration,\n        framework_name: FRAMEWORK_REGISTRY[detectedIntegration].metadata.name,\n      });\n      return detectedIntegration;\n    }\n\n    analytics.capture(WIZARD_INTERACTION_EVENT_NAME, {\n      action: 'wizard_framework_detection_failed',\n    });\n    getUI().log.info(\n      \"I couldn't detect your framework. Please choose one to get started.\",\n    );\n  }\n\n  // Fallback: in TUI mode the IntroScreen would handle this,\n  // but for CI mode or when detection fails, abort with guidance.\n  return wizardAbort({\n    message:\n      'Could not auto-detect your framework. Please specify --integration on the command line.',\n  });\n}\n"]}

package/dist/src/steps/add-mcp-server-to-clients/index.d.ts

@@ -5,10 +5,11 @@ export declare const getSupportedClients: () => Promise<MCPClient[]>;
  * Add MCP server to clients. No prompts — pure orchestration.
  * Prompts are handled by McpScreen (TUI) or auto-accepted (CI).
  */
-export declare const addMCPServerToClientsStep: ({ integration, local, ci, }: {
+export declare const addMCPServerToClientsStep: ({ integration, local, ci, cloudRegion: _cloudRegion, }: {
     integration?: Integration;
     local?: boolean;
     ci?: boolean;
+    cloudRegion?: import("../../utils/types").CloudRegion;
 }) => Promise<string[]>;
 export declare const removeMCPServerFromClientsStep: ({ integration, local, }: {
     integration?: Integration;

package/dist/src/steps/add-mcp-server-to-clients/index.js

@@ -40,7 +40,7 @@ exports.getSupportedClients = getSupportedClients;
  * Add MCP server to clients. No prompts — pure orchestration.
  * Prompts are handled by McpScreen (TUI) or auto-accepted (CI).
  */
-const addMCPServerToClientsStep = async ({ integration, local = false, ci = false, }) => {
+const addMCPServerToClientsStep = async ({ integration, local = false, ci = false, cloudRegion: _cloudRegion, }) => {
     const ui = (0, ui_1.getUI)();
     // CI mode: skip MCP installation entirely
     if (ci) {

package/dist/src/steps/add-mcp-server-to-clients/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/steps/add-mcp-server-to-clients/index.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAC5C,qDAAkD;AAClD,iCAAiC;AAEjC,6CAAmD;AACnD,6CAAmD;AACnD,uDAA4D;AAC5D,qEAAsE;AACtE,uCAA0C;AAC1C,2CAAiD;AACjD,yCAAgD;AAChD,6CAA0C;AAEnC,MAAM,mBAAmB,GAAG,KAAK,IAA0B,EAAE;IAClE,MAAM,UAAU,GAAG;QACjB,IAAI,wBAAe,EAAE;QACrB,IAAI,wBAAe,EAAE;QACrB,IAAI,iCAAmB,EAAE;QACzB,IAAI,2CAAsB,EAAE;QAC5B,IAAI,eAAS,EAAE;QACf,IAAI,sBAAc,EAAE;KACrB,CAAC;IACF,MAAM,gBAAgB,GAAgB,EAAE,CAAC;IAEzC,IAAA,aAAK,EAAC,uCAAuC,CAAC,CAAC;IAC/C,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAChC,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,iBAAiB,EAAE,CAAC;QACrD,IAAA,aAAK,EAAC,GAAG,MAAM,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,iBAAiB,EAAE,CAAC,CAAC;QAC5E,IAAI,WAAW,EAAE,CAAC;YAChB,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,IAAA,aAAK,EACH,SAAS,gBAAgB,CAAC,MAAM,yBAAyB,gBAAgB;SACtE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAClB,IAAI,CAAC,IAAI,CAAC,EAAE,CAChB,CAAC;IAEF,OAAO,gBAAgB,CAAC;AAC1B,CAAC,CAAC;AA1BW,QAAA,mBAAmB,uBA0B9B;AAEF;;;GAGG;AACI,MAAM,yBAAyB,GAAG,KAAK,EAAE,EAC9C,WAAW,EACX,KAAK,GAAG,KAAK,EACb,EAAE,GAAG,KAAK,GAKX,EAAqB,EAAE;IACtB,MAAM,EAAE,GAAG,IAAA,UAAK,GAAE,CAAC;IAEnB,0CAA0C;IAC1C,IAAI,EAAE,EAAE,CAAC;QACP,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QACnD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,gBAAgB,GAAG,MAAM,IAAA,2BAAmB,GAAE,CAAC;IAErD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,EAAE,CAAC,GAAG,CAAC,IAAI,CACT,+DAA+D,CAChE,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,wCAAwC;IACxC,MAAM,IAAA,qBAAS,EAAC,oBAAoB,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,IAAA,oBAAY,EAChB,gBAAgB,EAChB,SAAS,EACT,CAAC,GAAG,6BAAkB,CAAC,EACvB,KAAK,CACN,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,GAAG,CAAC,OAAO,CACZ;IACA,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAC3D,CAAC;IAEF,qBAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE;QAC3C,OAAO,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAC5C,WAAW;KACZ,CAAC,CAAC;IAEH,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;AAC7C,CAAC,CAAC;AA/CW,QAAA,yBAAyB,6BA+CpC;AAEK,MAAM,8BAA8B,GAAG,KAAK,EAAE,EACnD,WAAW,EACX,KAAK,GAAG,KAAK,GAId,EAAqB,EAAE;IACtB,MAAM,gBAAgB,GAAG,MAAM,IAAA,2BAAmB,EAAC,KAAK,CAAC,CAAC;IAC1D,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,qBAAS,CAAC,aAAa,CAAC,0BAA0B,EAAE;YAClD,WAAW;SACZ,CAAC,CAAC;QACH,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,yCAAyC;IACzC,MAAM,OAAO,GAAG,MAAM,IAAA,qBAAS,EAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,IAAA,uBAAe,EAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;QAC/C,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,qBAAS,CAAC,aAAa,CAAC,qBAAqB,EAAE;QAC7C,OAAO,EAAE,OAAO;QAChB,WAAW;KACZ,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC;AA3BW,QAAA,8BAA8B,kCA2BzC;AAEK,MAAM,mBAAmB,GAAG,KAAK,EACtC,KAAe,EACO,EAAE;IACxB,MAAM,OAAO,GAAG,MAAM,IAAA,2BAAmB,GAAE,CAAC;IAC5C,MAAM,gBAAgB,GAAgB,EAAE,CAAC;IAEzC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,MAAM,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1C,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,OAAO,gBAAgB,CAAC;AAC1B,CAAC,CAAC;AAbW,QAAA,mBAAmB,uBAa9B;AAEK,MAAM,YAAY,GAAG,KAAK,EAC/B,OAAoB,EACpB,cAAuB,EACvB,gBAA2B,EAC3B,KAAe,EACA,EAAE;IACjB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,MAAM,CAAC,SAAS,CAAC,cAAc,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAC;IAClE,CAAC;AACH,CAAC,CAAC;AATW,QAAA,YAAY,gBASvB;AAEK,MAAM,eAAe,GAAG,KAAK,EAClC,OAAoB,EACpB,KAAe,EACA,EAAE;IACjB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;AACH,CAAC,CAAC;AAPW,QAAA,eAAe,mBAO1B","sourcesContent":["import type { Integration } from '../../lib/constants';\nimport { traceStep } from '../../telemetry';\nimport { analytics } from '../../utils/analytics';\nimport { getUI } from '../../ui';\nimport { MCPClient } from './MCPClient';\nimport { CursorMCPClient } from './clients/cursor';\nimport { ClaudeMCPClient } from './clients/claude';\nimport { ClaudeCodeMCPClient } from './clients/claude-code';\nimport { VisualStudioCodeClient } from './clients/visual-studio-code';\nimport { ZedClient } from './clients/zed';\nimport { CodexMCPClient } from './clients/codex';\nimport { ALL_FEATURE_VALUES } from './defaults';\nimport { debug } from '../../utils/debug';\n\nexport const getSupportedClients = async (): Promise<MCPClient[]> => {\n  const allClients = [\n    new CursorMCPClient(),\n    new ClaudeMCPClient(),\n    new ClaudeCodeMCPClient(),\n    new VisualStudioCodeClient(),\n    new ZedClient(),\n    new CodexMCPClient(),\n  ];\n  const supportedClients: MCPClient[] = [];\n\n  debug('Checking for supported MCP clients...');\n  for (const client of allClients) {\n    const isSupported = await client.isClientSupported();\n    debug(`${client.name}: ${isSupported ? '✓ supported' : '✗ not supported'}`);\n    if (isSupported) {\n      supportedClients.push(client);\n    }\n  }\n  debug(\n    `Found ${supportedClients.length} supported client(s): ${supportedClients\n      .map((c) => c.name)\n      .join(', ')}`,\n  );\n\n  return supportedClients;\n};\n\n/**\n * Add MCP server to clients. No prompts — pure orchestration.\n * Prompts are handled by McpScreen (TUI) or auto-accepted (CI).\n */\nexport const addMCPServerToClientsStep = async ({\n  integration,\n  local = false,\n  ci = false,\n}: {\n  integration?: Integration;\n  local?: boolean;\n  ci?: boolean;\n}): Promise<string[]> => {\n  const ui = getUI();\n\n  // CI mode: skip MCP installation entirely\n  if (ci) {\n    ui.log.info('Skipping MCP installation (CI mode)');\n    return [];\n  }\n\n  const supportedClients = await getSupportedClients();\n\n  if (supportedClients.length === 0) {\n    ui.log.info(\n      'No supported MCP clients detected. Skipping MCP installation.',\n    );\n    return [];\n  }\n\n  // Auto-install to all supported clients\n  await traceStep('adding mcp servers', async () => {\n    await addMCPServer(\n      supportedClients,\n      undefined,\n      [...ALL_FEATURE_VALUES],\n      local,\n    );\n  });\n\n  ui.log.success(\n    `Added the MCP server to:\n  ${supportedClients.map((c) => `- ${c.name}`).join('\\n  ')} `,\n  );\n\n  analytics.wizardCapture('mcp servers added', {\n    clients: supportedClients.map((c) => c.name),\n    integration,\n  });\n\n  return supportedClients.map((c) => c.name);\n};\n\nexport const removeMCPServerFromClientsStep = async ({\n  integration,\n  local = false,\n}: {\n  integration?: Integration;\n  local?: boolean;\n}): Promise<string[]> => {\n  const installedClients = await getInstalledClients(local);\n  if (installedClients.length === 0) {\n    analytics.wizardCapture('mcp no servers to remove', {\n      integration,\n    });\n    return [];\n  }\n\n  // Auto-remove from all installed clients\n  const results = await traceStep('removing mcp servers', async () => {\n    await removeMCPServer(installedClients, local);\n    return installedClients.map((c) => c.name);\n  });\n\n  analytics.wizardCapture('mcp servers removed', {\n    clients: results,\n    integration,\n  });\n\n  return results;\n};\n\nexport const getInstalledClients = async (\n  local?: boolean,\n): Promise<MCPClient[]> => {\n  const clients = await getSupportedClients();\n  const installedClients: MCPClient[] = [];\n\n  for (const client of clients) {\n    if (await client.isServerInstalled(local)) {\n      installedClients.push(client);\n    }\n  }\n\n  return installedClients;\n};\n\nexport const addMCPServer = async (\n  clients: MCPClient[],\n  personalApiKey?: string,\n  selectedFeatures?: string[],\n  local?: boolean,\n): Promise<void> => {\n  for (const client of clients) {\n    await client.addServer(personalApiKey, selectedFeatures, local);\n  }\n};\n\nexport const removeMCPServer = async (\n  clients: MCPClient[],\n  local?: boolean,\n): Promise<void> => {\n  for (const client of clients) {\n    await client.removeServer(local);\n  }\n};\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/steps/add-mcp-server-to-clients/index.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAC5C,qDAAkD;AAClD,iCAAiC;AAEjC,6CAAmD;AACnD,6CAAmD;AACnD,uDAA4D;AAC5D,qEAAsE;AACtE,uCAA0C;AAC1C,2CAAiD;AACjD,yCAAgD;AAChD,6CAA0C;AAEnC,MAAM,mBAAmB,GAAG,KAAK,IAA0B,EAAE;IAClE,MAAM,UAAU,GAAG;QACjB,IAAI,wBAAe,EAAE;QACrB,IAAI,wBAAe,EAAE;QACrB,IAAI,iCAAmB,EAAE;QACzB,IAAI,2CAAsB,EAAE;QAC5B,IAAI,eAAS,EAAE;QACf,IAAI,sBAAc,EAAE;KACrB,CAAC;IACF,MAAM,gBAAgB,GAAgB,EAAE,CAAC;IAEzC,IAAA,aAAK,EAAC,uCAAuC,CAAC,CAAC;IAC/C,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAChC,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,iBAAiB,EAAE,CAAC;QACrD,IAAA,aAAK,EAAC,GAAG,MAAM,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,iBAAiB,EAAE,CAAC,CAAC;QAC5E,IAAI,WAAW,EAAE,CAAC;YAChB,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,IAAA,aAAK,EACH,SAAS,gBAAgB,CAAC,MAAM,yBAAyB,gBAAgB;SACtE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAClB,IAAI,CAAC,IAAI,CAAC,EAAE,CAChB,CAAC;IAEF,OAAO,gBAAgB,CAAC;AAC1B,CAAC,CAAC;AA1BW,QAAA,mBAAmB,uBA0B9B;AAEF;;;GAGG;AACI,MAAM,yBAAyB,GAAG,KAAK,EAAE,EAC9C,WAAW,EACX,KAAK,GAAG,KAAK,EACb,EAAE,GAAG,KAAK,EACV,WAAW,EAAE,YAAY,GAM1B,EAAqB,EAAE;IACtB,MAAM,EAAE,GAAG,IAAA,UAAK,GAAE,CAAC;IAEnB,0CAA0C;IAC1C,IAAI,EAAE,EAAE,CAAC;QACP,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QACnD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,gBAAgB,GAAG,MAAM,IAAA,2BAAmB,GAAE,CAAC;IAErD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,EAAE,CAAC,GAAG,CAAC,IAAI,CACT,+DAA+D,CAChE,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,wCAAwC;IACxC,MAAM,IAAA,qBAAS,EAAC,oBAAoB,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,IAAA,oBAAY,EAChB,gBAAgB,EAChB,SAAS,EACT,CAAC,GAAG,6BAAkB,CAAC,EACvB,KAAK,CACN,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,GAAG,CAAC,OAAO,CACZ;IACA,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAC3D,CAAC;IAEF,qBAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE;QAC3C,OAAO,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAC5C,WAAW;KACZ,CAAC,CAAC;IAEH,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;AAC7C,CAAC,CAAC;AAjDW,QAAA,yBAAyB,6BAiDpC;AAEK,MAAM,8BAA8B,GAAG,KAAK,EAAE,EACnD,WAAW,EACX,KAAK,GAAG,KAAK,GAId,EAAqB,EAAE;IACtB,MAAM,gBAAgB,GAAG,MAAM,IAAA,2BAAmB,EAAC,KAAK,CAAC,CAAC;IAC1D,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,qBAAS,CAAC,aAAa,CAAC,0BAA0B,EAAE;YAClD,WAAW;SACZ,CAAC,CAAC;QACH,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,yCAAyC;IACzC,MAAM,OAAO,GAAG,MAAM,IAAA,qBAAS,EAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,IAAA,uBAAe,EAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;QAC/C,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,qBAAS,CAAC,aAAa,CAAC,qBAAqB,EAAE;QAC7C,OAAO,EAAE,OAAO;QAChB,WAAW;KACZ,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC;AA3BW,QAAA,8BAA8B,kCA2BzC;AAEK,MAAM,mBAAmB,GAAG,KAAK,EACtC,KAAe,EACO,EAAE;IACxB,MAAM,OAAO,GAAG,MAAM,IAAA,2BAAmB,GAAE,CAAC;IAC5C,MAAM,gBAAgB,GAAgB,EAAE,CAAC;IAEzC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,MAAM,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1C,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,OAAO,gBAAgB,CAAC;AAC1B,CAAC,CAAC;AAbW,QAAA,mBAAmB,uBAa9B;AAEK,MAAM,YAAY,GAAG,KAAK,EAC/B,OAAoB,EACpB,cAAuB,EACvB,gBAA2B,EAC3B,KAAe,EACA,EAAE;IACjB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,MAAM,CAAC,SAAS,CAAC,cAAc,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAC;IAClE,CAAC;AACH,CAAC,CAAC;AATW,QAAA,YAAY,gBASvB;AAEK,MAAM,eAAe,GAAG,KAAK,EAClC,OAAoB,EACpB,KAAe,EACA,EAAE;IACjB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;AACH,CAAC,CAAC;AAPW,QAAA,eAAe,mBAO1B","sourcesContent":["import type { Integration } from '../../lib/constants';\nimport { traceStep } from '../../telemetry';\nimport { analytics } from '../../utils/analytics';\nimport { getUI } from '../../ui';\nimport { MCPClient } from './MCPClient';\nimport { CursorMCPClient } from './clients/cursor';\nimport { ClaudeMCPClient } from './clients/claude';\nimport { ClaudeCodeMCPClient } from './clients/claude-code';\nimport { VisualStudioCodeClient } from './clients/visual-studio-code';\nimport { ZedClient } from './clients/zed';\nimport { CodexMCPClient } from './clients/codex';\nimport { ALL_FEATURE_VALUES } from './defaults';\nimport { debug } from '../../utils/debug';\n\nexport const getSupportedClients = async (): Promise<MCPClient[]> => {\n  const allClients = [\n    new CursorMCPClient(),\n    new ClaudeMCPClient(),\n    new ClaudeCodeMCPClient(),\n    new VisualStudioCodeClient(),\n    new ZedClient(),\n    new CodexMCPClient(),\n  ];\n  const supportedClients: MCPClient[] = [];\n\n  debug('Checking for supported MCP clients...');\n  for (const client of allClients) {\n    const isSupported = await client.isClientSupported();\n    debug(`${client.name}: ${isSupported ? '✓ supported' : '✗ not supported'}`);\n    if (isSupported) {\n      supportedClients.push(client);\n    }\n  }\n  debug(\n    `Found ${supportedClients.length} supported client(s): ${supportedClients\n      .map((c) => c.name)\n      .join(', ')}`,\n  );\n\n  return supportedClients;\n};\n\n/**\n * Add MCP server to clients. No prompts — pure orchestration.\n * Prompts are handled by McpScreen (TUI) or auto-accepted (CI).\n */\nexport const addMCPServerToClientsStep = async ({\n  integration,\n  local = false,\n  ci = false,\n  cloudRegion: _cloudRegion,\n}: {\n  integration?: Integration;\n  local?: boolean;\n  ci?: boolean;\n  cloudRegion?: import('../../utils/types').CloudRegion;\n}): Promise<string[]> => {\n  const ui = getUI();\n\n  // CI mode: skip MCP installation entirely\n  if (ci) {\n    ui.log.info('Skipping MCP installation (CI mode)');\n    return [];\n  }\n\n  const supportedClients = await getSupportedClients();\n\n  if (supportedClients.length === 0) {\n    ui.log.info(\n      'No supported MCP clients detected. Skipping MCP installation.',\n    );\n    return [];\n  }\n\n  // Auto-install to all supported clients\n  await traceStep('adding mcp servers', async () => {\n    await addMCPServer(\n      supportedClients,\n      undefined,\n      [...ALL_FEATURE_VALUES],\n      local,\n    );\n  });\n\n  ui.log.success(\n    `Added the MCP server to:\n  ${supportedClients.map((c) => `- ${c.name}`).join('\\n  ')} `,\n  );\n\n  analytics.wizardCapture('mcp servers added', {\n    clients: supportedClients.map((c) => c.name),\n    integration,\n  });\n\n  return supportedClients.map((c) => c.name);\n};\n\nexport const removeMCPServerFromClientsStep = async ({\n  integration,\n  local = false,\n}: {\n  integration?: Integration;\n  local?: boolean;\n}): Promise<string[]> => {\n  const installedClients = await getInstalledClients(local);\n  if (installedClients.length === 0) {\n    analytics.wizardCapture('mcp no servers to remove', {\n      integration,\n    });\n    return [];\n  }\n\n  // Auto-remove from all installed clients\n  const results = await traceStep('removing mcp servers', async () => {\n    await removeMCPServer(installedClients, local);\n    return installedClients.map((c) => c.name);\n  });\n\n  analytics.wizardCapture('mcp servers removed', {\n    clients: results,\n    integration,\n  });\n\n  return results;\n};\n\nexport const getInstalledClients = async (\n  local?: boolean,\n): Promise<MCPClient[]> => {\n  const clients = await getSupportedClients();\n  const installedClients: MCPClient[] = [];\n\n  for (const client of clients) {\n    if (await client.isServerInstalled(local)) {\n      installedClients.push(client);\n    }\n  }\n\n  return installedClients;\n};\n\nexport const addMCPServer = async (\n  clients: MCPClient[],\n  personalApiKey?: string,\n  selectedFeatures?: string[],\n  local?: boolean,\n): Promise<void> => {\n  for (const client of clients) {\n    await client.addServer(personalApiKey, selectedFeatures, local);\n  }\n};\n\nexport const removeMCPServer = async (\n  clients: MCPClient[],\n  local?: boolean,\n): Promise<void> => {\n  for (const client of clients) {\n    await client.removeServer(local);\n  }\n};\n"]}

package/dist/src/utils/rules/universal.md

@@ -1,5 +1,17 @@
 Never hallucinate an API key. Instead, always use the API key populated in the .env file.
 
+Never write API keys, access tokens, or other secrets directly into source code. Always reference environment variables instead, and rely on the wizard-tools MCP server (check_env_keys / set_env_values) to create or update .env files.
+
+Always use the detect_package_manager tool from the wizard-tools MCP server to determine the package manager. Do not guess based on lockfiles or hard-code npm, yarn, pnpm, bun, pip, etc.
+
+When installing packages, start the installation as a background task and then continue with other work. Do not block waiting for installs to finish unless explicitly instructed.
+
+Before writing to any file, you MUST read that exact file immediately beforehand using the Read tool, even if you have already read it earlier in the run. This avoids tool failures and stale edits.
+
+Prefer minimal, targeted edits that achieve the requested behavior while preserving existing structure and style. Avoid large refactors, broad reformatting, or unrelated changes unless explicitly requested.
+
+Do not spawn subagents unless explicitly instructed to do so.
+
 # Feature flags
 
 A given feature flag should be used in as few places as possible. Do not increase the risk of undefined behavior by scattering the same feature flag across multiple areas of code. If the same feature flag needs to be introduced at multiple callsites, flag this for the developer to inspect carefully.

package/dist/src/utils/types.d.ts

@@ -56,6 +56,15 @@ export type WizardOptions = {
      * and writes detailed usage data to /tmp/posthog-wizard-benchmark.json.
      */
     benchmark: boolean;
+    /**
+     * Cloud region for the PostHog instance (US or EU).
+     * When not provided, the user will be prompted to select one.
+     */
+    cloudRegion?: CloudRegion;
+    /**
+     * Whether to print a YARA scanner summary after the agent run.
+     */
+    yaraReport: boolean;
 };
 export interface Feature {
     id: string;

package/dist/src/utils/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/utils/types.ts"],"names":[],"mappings":"","sourcesContent":["export type PostHogProjectData = Record<string, unknown>;\n\nexport type PreselectedProject = {\n  project: PostHogProjectData;\n  authToken: string;\n};\n\nexport type WizardOptions = {\n  /**\n   * Whether to enable debug mode.\n   */\n  debug: boolean;\n\n  /**\n   * Whether to force install the SDK package to continue with the installation in case\n   * any package manager checks are failing (e.g. peer dependency versions).\n   *\n   * Use with caution and only if you know what you're doing.\n   *\n   * Does not apply to all wizard flows (currently NPM only)\n   */\n  forceInstall: boolean;\n\n  /**\n   * The directory to run the wizard in.\n   */\n  installDir: string;\n\n  /**\n   * Whether to select the default option for all questions automatically.\n   */\n  default: boolean;\n\n  /**\n   * Whether to create a new PostHog account during setup.\n   */\n  signup: boolean;\n\n  /**\n   * Whether to use the local MCP server at http://localhost:8787/mcp\n   */\n  localMcp: boolean;\n\n  /**\n   * CI mode - non-interactive execution\n   */\n  ci: boolean;\n\n  /**\n   * Personal API key (phx_xxx) - used for LLM gateway auth, skips OAuth\n   */\n  apiKey?: string;\n\n  /**\n   * PostHog project ID. When set (e.g. in CI with --project-id), the wizard uses this project\n   * instead of the default from the API key or OAuth.\n   */\n  projectId?: number;\n\n  /**\n   * Whether to show the menu for manual integration selection instead of auto-detecting.\n   */\n  menu: boolean;\n\n  /**\n   * Whether to run in benchmark mode with per-phase token tracking.\n   * When enabled, the wizard runs each workflow phase as a separate agent call\n   * and writes detailed usage data to /tmp/posthog-wizard-benchmark.json.\n   */\n  benchmark: boolean;\n};\n\nexport interface Feature {\n  id: string;\n  prompt: string;\n  enabledHint?: string;\n  disabledHint?: string;\n}\n\nexport type FileChange = {\n  filePath: string;\n  oldContent?: string;\n  newContent: string;\n};\n\nexport type CloudRegion = 'us' | 'eu';\n\nexport type AIModel =\n  | 'gpt-5-mini'\n  | 'o4-mini'\n  | 'gemini-2.5-flash'\n  | 'gemini-2.5-pro';\n"]}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/utils/types.ts"],"names":[],"mappings":"","sourcesContent":["export type PostHogProjectData = Record<string, unknown>;\n\nexport type PreselectedProject = {\n  project: PostHogProjectData;\n  authToken: string;\n};\n\nexport type WizardOptions = {\n  /**\n   * Whether to enable debug mode.\n   */\n  debug: boolean;\n\n  /**\n   * Whether to force install the SDK package to continue with the installation in case\n   * any package manager checks are failing (e.g. peer dependency versions).\n   *\n   * Use with caution and only if you know what you're doing.\n   *\n   * Does not apply to all wizard flows (currently NPM only)\n   */\n  forceInstall: boolean;\n\n  /**\n   * The directory to run the wizard in.\n   */\n  installDir: string;\n\n  /**\n   * Whether to select the default option for all questions automatically.\n   */\n  default: boolean;\n\n  /**\n   * Whether to create a new PostHog account during setup.\n   */\n  signup: boolean;\n\n  /**\n   * Whether to use the local MCP server at http://localhost:8787/mcp\n   */\n  localMcp: boolean;\n\n  /**\n   * CI mode - non-interactive execution\n   */\n  ci: boolean;\n\n  /**\n   * Personal API key (phx_xxx) - used for LLM gateway auth, skips OAuth\n   */\n  apiKey?: string;\n\n  /**\n   * PostHog project ID. When set (e.g. in CI with --project-id), the wizard uses this project\n   * instead of the default from the API key or OAuth.\n   */\n  projectId?: number;\n\n  /**\n   * Whether to show the menu for manual integration selection instead of auto-detecting.\n   */\n  menu: boolean;\n\n  /**\n   * Whether to run in benchmark mode with per-phase token tracking.\n   * When enabled, the wizard runs each workflow phase as a separate agent call\n   * and writes detailed usage data to /tmp/posthog-wizard-benchmark.json.\n   */\n  benchmark: boolean;\n\n  /**\n   * Cloud region for the PostHog instance (US or EU).\n   * When not provided, the user will be prompted to select one.\n   */\n  cloudRegion?: CloudRegion;\n\n  /**\n   * Whether to print a YARA scanner summary after the agent run.\n   */\n  yaraReport: boolean;\n};\n\nexport interface Feature {\n  id: string;\n  prompt: string;\n  enabledHint?: string;\n  disabledHint?: string;\n}\n\nexport type FileChange = {\n  filePath: string;\n  oldContent?: string;\n  newContent: string;\n};\n\nexport type CloudRegion = 'us' | 'eu';\n\nexport type AIModel =\n  | 'gpt-5-mini'\n  | 'o4-mini'\n  | 'gemini-2.5-flash'\n  | 'gemini-2.5-pro';\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@posthog/wizard",
-  "version": "2.0.2",
+  "version": "2.1.0",
   "homepage": "https://github.com/PostHog/wizard",
   "repository": "https://github.com/PostHog/wizard",
   "description": "The PostHog wizard helps you to configure your project",