@praxis.guard/auditor-cli 0.0.1

package/README.md

@@ -0,0 +1,46 @@
+# @praxis/auditor-cli
+
+Shared **guard runtime** for Praxis shell policy: argv parsing (`shell-quote`), `evaluateShellProposal` / `evaluateArgv` / `gateShellCommand`, JSONL audit append, and the **shell approval bridge** under `.cursor/guard/bridge`.
+
+## Single entry: `auditor`
+
+Use one built binary for **MCP stdio**, **Cursor hook**, and diagnostics:
+
+| Surface | Command |
+|--------|---------|
+| **MCP** (`mcp.json`) | `auditor` + args `["mcp"]`, or `node …/auditor-cli/dist/cli.js mcp` |
+| **Hook** (`.cursor/hooks.json`) | `node …/auditor-cli/dist/cli.js hook before-shell` (or `auditor hook before-shell` if `auditor` is on `PATH`) |
+
+**`@praxis/guard-mcp`** remains as a **thin shim** (`dist/server.js` → `@praxis/auditor-cli/mcp`) for older configs that still point at `guard-mcp`.
+
+## Policy source of truth
+
+Classification rules live in **`@praxis/auditor-policy`** (`loadPoliciesV1`, `classifyArgv`, `policies.v1.json` via the path resolved from the built policy package). This package re-exports `loadPoliciesV1` for convenience; hooks may still import `classifyArgv` from `@praxis/auditor-policy` when they need hook-specific tier handling.
+
+## Bridge directory contract
+
+One-shot approvals for terminal execution use:
+
+- **Directory:** `path.resolve(cwd, ".cursor/guard/bridge")`
+- **Files:** `${sha256(JSON.stringify(argv))}_${uuid}.json` with TTL **10 minutes** (`DEFAULT_SHELL_BRIDGE_TTL_MS`).
+
+Do not change this layout without updating Cursor + MCP flows that rely on it.
+
+## Python `packages/auditor`
+
+The legacy **Python** guard under `packages/auditor/` remains for existing installs; new work should target **`@praxis/auditor-cli`** and Node-based tooling. Long-term migration: shell aliases or install scripts pointing at the `auditor` binary (`npx` / workspace) instead of `python3 guard.py` (see [AUDITOR_CLI_SOLUTION_PLAN.md](../../docs/AUDITOR_CLI_SOLUTION_PLAN.md)).
+
+## CLI (`auditor` binary)
+
+After `pnpm -C packages/auditor-cli build`, the **`auditor`** command is available from this package (`package.json` `bin`).
+
+| Command | Purpose |
+|--------|---------|
+| `auditor mcp` | **MCP stdio server** (registers tool `guard`). Use in Cursor `mcp.json` as the server command. |
+| `auditor hook before-shell` | Cursor hook: stdin JSON `{ "command", "cwd?" }` → stdout JSON `{ "permission", ... }` (fail-closed on crash). |
+| `auditor doctor` | Prints resolved policy path, bridge dir, audit log path, `Node` version, and `PRAXIS_GUARD_AUDIT_LOG` status. |
+| `auditor whoami` | Prints `uid`, profile email/display name, and token source via the `guardWhoAmI` callable (requires auth like `policies sync`). |
+| `auditor version` | Package version plus `git rev-parse --short HEAD` when run inside a git checkout. |
+| `auditor help` | Usage summary. |
+
+From the repo root: `pnpm exec auditor doctor` / `pnpm exec auditor mcp` (after `pnpm -C packages/auditor-cli build`), or `node packages/auditor-cli/dist/cli.js …`.

package/dist/audit/jsonl.d.ts

@@ -0,0 +1,7 @@
+/**
+ * @param resolveDefaultRelativeTo When `PRAXIS_GUARD_AUDIT_LOG` is unset, the directory used to
+ *   resolve `.cursor/guard/audit.jsonl` (usually the workspace root from the hook payload's `cwd`).
+ *   If omitted or empty, uses `process.cwd()` — which may differ from the workspace when Cursor spawns the hook.
+ */
+export declare function appendAuditJsonl(evt: Record<string, unknown>, resolveDefaultRelativeTo?: string | null): Promise<void>;
+//# sourceMappingURL=jsonl.d.ts.map

package/dist/audit/jsonl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonl.d.ts","sourceRoot":"","sources":["../../src/audit/jsonl.ts"],"names":[],"mappings":"AAGA;;;;GAIG;AACH,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,wBAAwB,CAAC,EAAE,MAAM,GAAG,IAAI,iBAY5G"}

package/dist/audit/jsonl.js

@@ -0,0 +1,16 @@
+import { appendFile, mkdir } from "node:fs/promises";
+import path from "node:path";
+/**
+ * @param resolveDefaultRelativeTo When `PRAXIS_GUARD_AUDIT_LOG` is unset, the directory used to
+ *   resolve `.cursor/guard/audit.jsonl` (usually the workspace root from the hook payload's `cwd`).
+ *   If omitted or empty, uses `process.cwd()` — which may differ from the workspace when Cursor spawns the hook.
+ */
+export async function appendAuditJsonl(evt, resolveDefaultRelativeTo) {
+    const fromEnv = process.env.PRAXIS_GUARD_AUDIT_LOG?.trim();
+    const auditPath = fromEnv && fromEnv.length > 0
+        ? fromEnv
+        : path.resolve((resolveDefaultRelativeTo && resolveDefaultRelativeTo.trim()) || process.cwd(), ".cursor/guard/audit.jsonl");
+    await mkdir(path.dirname(auditPath), { recursive: true });
+    await appendFile(auditPath, `${JSON.stringify(evt)}\n`, "utf8");
+}
+//# sourceMappingURL=jsonl.js.map

package/dist/audit/jsonl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonl.js","sourceRoot":"","sources":["../../src/audit/jsonl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,GAA4B,EAAE,wBAAwC;IAC3G,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,CAAC;IAC3D,MAAM,SAAS,GACb,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAC3B,CAAC,CAAC,OAAO;QACT,CAAC,CAAC,IAAI,CAAC,OAAO,CACV,CAAC,wBAAwB,IAAI,wBAAwB,CAAC,IAAI,EAAE,CAAC,IAAI,OAAO,CAAC,GAAG,EAAE,EAC9E,2BAA2B,CAC5B,CAAC;IAER,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1D,MAAM,UAAU,CAAC,SAAS,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAClE,CAAC"}

package/dist/bridge/shell-approval-bridge.d.ts

@@ -0,0 +1,28 @@
+import type { Tier } from "../policy/index.js";
+/** Same window as in-process MCP approval tokens (see guard-mcp server). */
+export declare const DEFAULT_SHELL_BRIDGE_TTL_MS: number;
+export declare function shellBridgeDir(cwd?: string): string;
+/** Stable id for argv; must match between MCP record and hook consume. */
+export declare function shellArgvApprovalId(argv: readonly string[]): string;
+/**
+ * After MCP `guard` returns allow for a MUTATE shell proposal, record a one-shot
+ * bridge so `beforeShellExecution` can allow the matching terminal command once.
+ */
+export declare function recordShellApprovalBridge(argv: readonly string[], opts?: {
+    cwd?: string;
+    ttlMs?: number;
+}): Promise<void>;
+/**
+ * If a non-expired bridge file exists for this argv, delete it and return true.
+ * Otherwise return false. POC: local filesystem trust boundary only.
+ */
+export declare function tryConsumeShellApprovalBridge(argv: readonly string[], opts?: {
+    cwd?: string;
+}): Promise<boolean>;
+/** Whether MCP should write a bridge file for this outcome. */
+export declare function shouldRecordShellBridge(opts: {
+    decision: "allow" | "require_approval" | "block";
+    skipped: boolean;
+    tier: Tier;
+}): boolean;
+//# sourceMappingURL=shell-approval-bridge.d.ts.map

package/dist/bridge/shell-approval-bridge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shell-approval-bridge.d.ts","sourceRoot":"","sources":["../../src/bridge/shell-approval-bridge.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAE/C,4EAA4E;AAC5E,eAAO,MAAM,2BAA2B,QAAiB,CAAC;AAE1D,wBAAgB,cAAc,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED,0EAA0E;AAC1E,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,CAEnE;AAED;;;GAGG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,IAAI,CAAC,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACtC,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;;GAGG;AACH,wBAAsB,6BAA6B,CACjD,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,IAAI,CAAC,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GACtB,OAAO,CAAC,OAAO,CAAC,CA2BlB;AAED,+DAA+D;AAC/D,wBAAgB,uBAAuB,CAAC,IAAI,EAAE;IAC5C,QAAQ,EAAE,OAAO,GAAG,kBAAkB,GAAG,OAAO,CAAC;IACjD,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,IAAI,CAAC;CACZ,GAAG,OAAO,CAEV"}

package/dist/bridge/shell-approval-bridge.js

@@ -0,0 +1,63 @@
+import { createHash, randomUUID } from "node:crypto";
+import { mkdir, readdir, readFile, unlink, writeFile } from "node:fs/promises";
+import path from "node:path";
+/** Same window as in-process MCP approval tokens (see guard-mcp server). */
+export const DEFAULT_SHELL_BRIDGE_TTL_MS = 10 * 60 * 1000;
+export function shellBridgeDir(cwd) {
+    return path.resolve(cwd ?? process.cwd(), ".cursor/guard/bridge");
+}
+/** Stable id for argv; must match between MCP record and hook consume. */
+export function shellArgvApprovalId(argv) {
+    return createHash("sha256").update(JSON.stringify([...argv]), "utf8").digest("hex");
+}
+/**
+ * After MCP `guard` returns allow for a MUTATE shell proposal, record a one-shot
+ * bridge so `beforeShellExecution` can allow the matching terminal command once.
+ */
+export async function recordShellApprovalBridge(argv, opts) {
+    const id = shellArgvApprovalId(argv);
+    const dir = shellBridgeDir(opts?.cwd);
+    await mkdir(dir, { recursive: true });
+    const exp = Date.now() + (opts?.ttlMs ?? DEFAULT_SHELL_BRIDGE_TTL_MS);
+    const file = path.join(dir, `${id}_${randomUUID()}.json`);
+    await writeFile(file, JSON.stringify({ exp, argv: [...argv] }), "utf8");
+}
+/**
+ * If a non-expired bridge file exists for this argv, delete it and return true.
+ * Otherwise return false. POC: local filesystem trust boundary only.
+ */
+export async function tryConsumeShellApprovalBridge(argv, opts) {
+    const id = shellArgvApprovalId(argv);
+    const dir = shellBridgeDir(opts?.cwd);
+    let names = [];
+    try {
+        names = await readdir(dir);
+    }
+    catch {
+        return false;
+    }
+    const now = Date.now();
+    const candidates = names.filter((n) => n.startsWith(`${id}_`) && n.endsWith(".json"));
+    for (const name of candidates) {
+        const file = path.join(dir, name);
+        try {
+            const raw = await readFile(file, "utf8");
+            const row = JSON.parse(raw);
+            if (typeof row.exp !== "number" || row.exp < now) {
+                await unlink(file).catch(() => { });
+                continue;
+            }
+            await unlink(file);
+            return true;
+        }
+        catch {
+            continue;
+        }
+    }
+    return false;
+}
+/** Whether MCP should write a bridge file for this outcome. */
+export function shouldRecordShellBridge(opts) {
+    return opts.decision === "allow" && !opts.skipped && opts.tier === "MUTATE";
+}
+//# sourceMappingURL=shell-approval-bridge.js.map

package/dist/bridge/shell-approval-bridge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shell-approval-bridge.js","sourceRoot":"","sources":["../../src/bridge/shell-approval-bridge.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC/E,OAAO,IAAI,MAAM,WAAW,CAAC;AAI7B,4EAA4E;AAC5E,MAAM,CAAC,MAAM,2BAA2B,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE1D,MAAM,UAAU,cAAc,CAAC,GAAY;IACzC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,EAAE,sBAAsB,CAAC,CAAC;AACpE,CAAC;AAED,0EAA0E;AAC1E,MAAM,UAAU,mBAAmB,CAAC,IAAuB;IACzD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACtF,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,IAAuB,EACvB,IAAuC;IAEvC,MAAM,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACtC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,EAAE,KAAK,IAAI,2BAA2B,CAAC,CAAC;IACtE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,UAAU,EAAE,OAAO,CAAC,CAAC;IAC1D,MAAM,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;AAC1E,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,IAAuB,EACvB,IAAuB;IAEvB,MAAM,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACtC,IAAI,KAAK,GAAa,EAAE,CAAC;IACzB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACtF,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YACzC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;YAC/C,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;gBACjD,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;gBACnC,SAAS;YACX,CAAC;YACD,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;YACnB,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,uBAAuB,CAAC,IAIvC;IACC,OAAO,IAAI,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC;AAC9E,CAAC"}

package/dist/cli/callable-fetch.d.ts

@@ -0,0 +1,8 @@
+/** Minimal Firebase HTTPS callable client (no firebase SDK dependency). */
+export declare function callHttpsCallable<TReq, TRes>(options: {
+    url: string;
+    /** Firebase ID token or guard API token (`PRAXIS_GUARD_TOKEN`), depending on what the function accepts. */
+    bearerToken: string;
+    data: TReq;
+}): Promise<TRes>;
+//# sourceMappingURL=callable-fetch.d.ts.map

package/dist/cli/callable-fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"callable-fetch.d.ts","sourceRoot":"","sources":["../../src/cli/callable-fetch.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAM3E,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE;IAC3D,GAAG,EAAE,MAAM,CAAC;IACZ,2GAA2G;IAC3G,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,IAAI,CAAC;CACZ,GAAG,OAAO,CAAC,IAAI,CAAC,CA6BhB"}

package/dist/cli/callable-fetch.js

@@ -0,0 +1,30 @@
+/** Minimal Firebase HTTPS callable client (no firebase SDK dependency). */
+import { touchLastSeen } from "./touch-last-seen.js";
+export async function callHttpsCallable(options) {
+    const res = await fetch(options.url, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${options.bearerToken}`,
+        },
+        body: JSON.stringify({ data: options.data ?? {} }),
+    });
+    const text = await res.text();
+    let json;
+    try {
+        json = JSON.parse(text);
+    }
+    catch {
+        throw new Error(`Callable ${options.url}: invalid JSON (${res.status}): ${text.slice(0, 200)}`);
+    }
+    if ("error" in json && json.error) {
+        const msg = json.error.message || json.error.status || "callable_error";
+        throw new Error(msg);
+    }
+    if (!("result" in json)) {
+        throw new Error(`Callable ${options.url}: missing result (${res.status})`);
+    }
+    void touchLastSeen();
+    return json.result;
+}
+//# sourceMappingURL=callable-fetch.js.map

package/dist/cli/callable-fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callable-fetch.js","sourceRoot":"","sources":["../../src/cli/callable-fetch.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAE3E,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAIrD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAa,OAKnD;IACC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE;QACnC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,OAAO,CAAC,WAAW,EAAE;SAC/C;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;KACnD,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,IAA4B,CAAC;IACjC,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAA2B,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,YAAY,OAAO,CAAC,GAAG,mBAAmB,GAAG,CAAC,MAAM,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAClG,CAAC;IAED,IAAI,OAAO,IAAI,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,gBAAgB,CAAC;QACxE,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,IAAI,CAAC,CAAC,QAAQ,IAAI,IAAI,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,YAAY,OAAO,CAAC,GAAG,qBAAqB,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7E,CAAC;IAED,KAAK,aAAa,EAAE,CAAC;IACrB,OAAO,IAAI,CAAC,MAAM,CAAC;AACrB,CAAC"}

package/dist/cli/credentials.d.ts

@@ -0,0 +1,10 @@
+export declare function credentialsPath(): string;
+/**
+ * Resolve the guard bearer token.
+ * Priority: env var > credential file > null.
+ */
+export declare function resolveGuardToken(): string | null;
+export declare function saveCredentials(token: string): void;
+export declare function deleteCredentials(): boolean;
+export declare function readCredentialsFileMode(): number | null;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/cli/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/cli/credentials.ts"],"names":[],"mappings":"AAKA,wBAAgB,eAAe,IAAI,MAAM,CAIxC;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,GAAG,IAAI,CAajD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAKnD;AAED,wBAAgB,iBAAiB,IAAI,OAAO,CAO3C;AAED,wBAAgB,uBAAuB,IAAI,MAAM,GAAG,IAAI,CAOvD"}

package/dist/cli/credentials.js

@@ -0,0 +1,53 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import process from "node:process";
+export function credentialsPath() {
+    const xdg = process.env.XDG_CONFIG_HOME?.trim();
+    const base = xdg || path.join(os.homedir(), ".config");
+    return path.join(base, "praxis", "credentials.json");
+}
+/**
+ * Resolve the guard bearer token.
+ * Priority: env var > credential file > null.
+ */
+export function resolveGuardToken() {
+    const envToken = process.env.PRAXIS_GUARD_TOKEN?.trim();
+    if (envToken)
+        return envToken;
+    try {
+        const raw = fs.readFileSync(credentialsPath(), "utf8");
+        const data = JSON.parse(raw);
+        if (typeof data.token === "string" && data.token.length > 0)
+            return data.token;
+    }
+    catch {
+        // File doesn't exist or is invalid
+    }
+    return null;
+}
+export function saveCredentials(token) {
+    const p = credentialsPath();
+    fs.mkdirSync(path.dirname(p), { recursive: true, mode: 0o700 });
+    const payload = JSON.stringify({ token, createdAt: new Date().toISOString() }, null, 2);
+    fs.writeFileSync(p, payload + "\n", { mode: 0o600 });
+}
+export function deleteCredentials() {
+    try {
+        fs.unlinkSync(credentialsPath());
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export function readCredentialsFileMode() {
+    try {
+        const st = fs.statSync(credentialsPath());
+        return st.mode & 0o777;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=credentials.js.map

package/dist/cli/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/cli/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,OAAO,MAAM,cAAc,CAAC;AAEnC,MAAM,UAAU,eAAe;IAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,EAAE,CAAC;IAChD,MAAM,IAAI,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;IACvD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,kBAAkB,CAAC,CAAC;AACvD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC;IACxD,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,EAAE,MAAM,CAAC,CAAC;QACvD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC;IACjF,CAAC;IAAC,MAAM,CAAC;QACP,mCAAmC;IACrC,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,MAAM,CAAC,GAAG,eAAe,EAAE,CAAC;IAC5B,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACxF,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,eAAe,EAAE,CAAC,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,eAAe,EAAE,CAAC,CAAC;QAC1C,OAAO,EAAE,CAAC,IAAI,GAAG,KAAK,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/cli/cursor-config.d.ts

@@ -0,0 +1,16 @@
+type JsonMap = Record<string, unknown>;
+export type SetupResult = {
+    path: string;
+    changed: boolean;
+    message: string;
+};
+export declare function resolveProjectHooksPath(projectDir: string): string;
+export declare function resolveUserMcpConfigPath(explicitPath?: string): string;
+export declare function hasConfiguredHook(config: JsonMap | null): boolean;
+export declare function upsertHookConfig(projectDir: string, dryRun?: boolean): Promise<SetupResult>;
+export declare function hasConfiguredMcpServer(config: JsonMap | null): boolean;
+export declare function upsertMcpConfig(explicitPath?: string, dryRun?: boolean): Promise<SetupResult>;
+export declare function readHookConfigured(projectDir: string): Promise<boolean>;
+export declare function readMcpConfigured(explicitPath?: string): Promise<boolean>;
+export {};
+//# sourceMappingURL=cursor-config.d.ts.map

package/dist/cli/cursor-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cursor-config.d.ts","sourceRoot":"","sources":["../../src/cli/cursor-config.ts"],"names":[],"mappings":"AAIA,KAAK,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEvC,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAKF,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAElE;AAED,wBAAgB,wBAAwB,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,CAGtE;AA0CD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,GAAG,OAAO,CAYjE;AAED,wBAAsB,gBAAgB,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,UAAQ,GAAG,OAAO,CAAC,WAAW,CAAC,CA2C/F;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,GAAG,OAAO,CAQtE;AAED,wBAAsB,eAAe,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,MAAM,UAAQ,GAAG,OAAO,CAAC,WAAW,CAAC,CA8BjG;AAED,wBAAsB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAG7E;AAED,wBAAsB,iBAAiB,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAG/E"}

package/dist/cli/cursor-config.js

@@ -0,0 +1,153 @@
+import os from "node:os";
+import path from "node:path";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+const HOOK_COMMAND = "auditor hook before-shell";
+const MCP_SERVER_KEY = "praxis-guard";
+export function resolveProjectHooksPath(projectDir) {
+    return path.join(projectDir, ".cursor", "hooks.json");
+}
+export function resolveUserMcpConfigPath(explicitPath) {
+    if (explicitPath?.trim())
+        return explicitPath.trim();
+    return path.join(os.homedir(), ".cursor", "mcp.json");
+}
+async function readJson(pathname) {
+    try {
+        const raw = await readFile(pathname, "utf8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+            throw new Error("JSON root must be an object");
+        }
+        return parsed;
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        if (e.code === "ENOENT")
+            return null;
+        throw new Error([
+            `Invalid JSON at ${pathname}: ${msg}`,
+            "Refusing to overwrite existing file.",
+            "Fix the JSON manually or back up the file and re-run setup.",
+        ].join(" "));
+    }
+}
+async function writeJson(pathname, data) {
+    await mkdir(path.dirname(pathname), { recursive: true });
+    await writeFile(pathname, `${JSON.stringify(data, null, 2)}\n`, "utf8");
+}
+function cloneJsonMap(existing) {
+    if (!existing)
+        return {};
+    return JSON.parse(JSON.stringify(existing));
+}
+function normalizeHooksConfig(existing) {
+    const base = existing ?? { version: 1, hooks: {} };
+    if (typeof base.version !== "number")
+        base.version = 1;
+    if (!base.hooks || typeof base.hooks !== "object" || Array.isArray(base.hooks)) {
+        base.hooks = {};
+    }
+    return base;
+}
+export function hasConfiguredHook(config) {
+    if (!config)
+        return false;
+    const hooks = (config.hooks ?? {});
+    const arr = hooks.beforeShellExecution;
+    if (!Array.isArray(arr))
+        return false;
+    return arr.some((entry) => entry &&
+        typeof entry === "object" &&
+        entry.command === HOOK_COMMAND &&
+        entry.failClosed === true);
+}
+export async function upsertHookConfig(projectDir, dryRun = false) {
+    const hooksPath = resolveProjectHooksPath(projectDir);
+    const existing = await readJson(hooksPath);
+    const beforeJson = JSON.stringify(existing ?? {});
+    const config = normalizeHooksConfig(cloneJsonMap(existing));
+    const hooks = config.hooks;
+    const before = Array.isArray(hooks.beforeShellExecution) ? [...hooks.beforeShellExecution] : [];
+    const rewritten = [];
+    let found = false;
+    for (const item of before) {
+        if (!item || typeof item !== "object") {
+            rewritten.push(item);
+            continue;
+        }
+        const map = item;
+        if (map.command === HOOK_COMMAND) {
+            if (!found) {
+                found = true;
+                rewritten.push({ ...map, failClosed: true });
+            }
+            continue;
+        }
+        rewritten.push(item);
+    }
+    if (!found)
+        rewritten.push({ command: HOOK_COMMAND, failClosed: true });
+    hooks.beforeShellExecution = rewritten;
+    const changed = beforeJson !== JSON.stringify(config);
+    if (changed && !dryRun) {
+        await writeJson(hooksPath, config);
+    }
+    return {
+        path: hooksPath,
+        changed,
+        message: changed
+            ? dryRun
+                ? "would update hooks config"
+                : "updated hooks config"
+            : "hooks config already up to date",
+    };
+}
+export function hasConfiguredMcpServer(config) {
+    if (!config)
+        return false;
+    const servers = (config.mcpServers ?? {});
+    const server = servers[MCP_SERVER_KEY];
+    if (!server || typeof server !== "object")
+        return false;
+    const map = server;
+    const args = map.args;
+    return map.command === "auditor" && Array.isArray(args) && args.length === 1 && args[0] === "mcp";
+}
+export async function upsertMcpConfig(explicitPath, dryRun = false) {
+    const mcpPath = resolveUserMcpConfigPath(explicitPath);
+    const existing = await readJson(mcpPath);
+    const beforeJson = JSON.stringify(existing ?? {});
+    const config = cloneJsonMap(existing);
+    if (!config.mcpServers || typeof config.mcpServers !== "object" || Array.isArray(config.mcpServers)) {
+        config.mcpServers = {};
+    }
+    const servers = config.mcpServers;
+    const current = servers[MCP_SERVER_KEY];
+    servers[MCP_SERVER_KEY] = {
+        ...(current && typeof current === "object" ? current : {}),
+        command: "auditor",
+        args: ["mcp"],
+    };
+    const changed = beforeJson !== JSON.stringify(config);
+    if (changed && !dryRun) {
+        await writeJson(mcpPath, config);
+    }
+    return {
+        path: mcpPath,
+        changed,
+        message: changed
+            ? dryRun
+                ? "would update MCP config"
+                : "updated MCP config"
+            : "MCP config already up to date",
+    };
+}
+export async function readHookConfigured(projectDir) {
+    const config = await readJson(resolveProjectHooksPath(projectDir));
+    return hasConfiguredHook(config);
+}
+export async function readMcpConfigured(explicitPath) {
+    const config = await readJson(resolveUserMcpConfigPath(explicitPath));
+    return hasConfiguredMcpServer(config);
+}
+//# sourceMappingURL=cursor-config.js.map

package/dist/cli/cursor-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cursor-config.js","sourceRoot":"","sources":["../../src/cli/cursor-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAU9D,MAAM,YAAY,GAAG,2BAA2B,CAAC;AACjD,MAAM,cAAc,GAAG,cAAc,CAAC;AAEtC,MAAM,UAAU,uBAAuB,CAAC,UAAkB;IACxD,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,YAAqB;IAC5D,IAAI,YAAY,EAAE,IAAI,EAAE;QAAE,OAAO,YAAY,CAAC,IAAI,EAAE,CAAC;IACrD,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,QAAgB;IACtC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,MAAiB,CAAC;IAC3B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,IAAK,CAA2B,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAChE,MAAM,IAAI,KAAK,CACb;YACE,mBAAmB,QAAQ,KAAK,GAAG,EAAE;YACrC,sCAAsC;YACtC,6DAA6D;SAC9D,CAAC,IAAI,CAAC,GAAG,CAAC,CACZ,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,QAAgB,EAAE,IAAa;IACtD,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC1E,CAAC;AAED,SAAS,YAAY,CAAC,QAAwB;IAC5C,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IACzB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAY,CAAC;AACzD,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAwB;IACpD,MAAM,IAAI,GAAG,QAAQ,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACnD,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;QAAE,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC;IACvD,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/E,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;IAClB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAsB;IACtD,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,MAAM,KAAK,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAY,CAAC;IAC9C,MAAM,GAAG,GAAG,KAAK,CAAC,oBAAoB,CAAC;IACvC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACtC,OAAO,GAAG,CAAC,IAAI,CACb,CAAC,KAAK,EAAE,EAAE,CACR,KAAK;QACL,OAAO,KAAK,KAAK,QAAQ;QACxB,KAAiB,CAAC,OAAO,KAAK,YAAY;QAC1C,KAAiB,CAAC,UAAU,KAAK,IAAI,CACzC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,UAAkB,EAAE,MAAM,GAAG,KAAK;IACvE,MAAM,SAAS,GAAG,uBAAuB,CAAC,UAAU,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,oBAAoB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC5D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAgB,CAAC;IACtC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEhG,MAAM,SAAS,GAAc,EAAE,CAAC;IAChC,IAAI,KAAK,GAAG,KAAK,CAAC;IAClB,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;QAC1B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrB,SAAS;QACX,CAAC;QACD,MAAM,GAAG,GAAG,IAAe,CAAC;QAC5B,IAAI,GAAG,CAAC,OAAO,KAAK,YAAY,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,KAAK,GAAG,IAAI,CAAC;gBACb,SAAS,CAAC,IAAI,CAAC,EAAE,GAAG,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;YAC/C,CAAC;YACD,SAAS;QACX,CAAC;QACD,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvB,CAAC;IACD,IAAI,CAAC,KAAK;QAAE,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;IAExE,KAAK,CAAC,oBAAoB,GAAG,SAAS,CAAC;IAEvC,MAAM,OAAO,GAAG,UAAU,KAAK,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACtD,IAAI,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IAED,OAAO;QACL,IAAI,EAAE,SAAS;QACf,OAAO;QACP,OAAO,EAAE,OAAO;YACd,CAAC,CAAC,MAAM;gBACN,CAAC,CAAC,2BAA2B;gBAC7B,CAAC,CAAC,sBAAsB;YAC1B,CAAC,CAAC,iCAAiC;KACtC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAsB;IAC3D,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,MAAM,OAAO,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAY,CAAC;IACrD,MAAM,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,GAAG,GAAG,MAAiB,CAAC;IAC9B,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;IACtB,OAAO,GAAG,CAAC,OAAO,KAAK,SAAS,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC;AACpG,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,YAAqB,EAAE,MAAM,GAAG,KAAK;IACzE,MAAM,OAAO,GAAG,wBAAwB,CAAC,YAAY,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACtC,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QACpG,MAAM,CAAC,UAAU,GAAG,EAAE,CAAC;IACzB,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,UAAqB,CAAC;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;IACxC,OAAO,CAAC,cAAc,CAAC,GAAG;QACxB,GAAG,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAE,OAAmB,CAAC,CAAC,CAAC,EAAE,CAAC;QACvE,OAAO,EAAE,SAAS;QAClB,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC;IAEF,MAAM,OAAO,GAAG,UAAU,KAAK,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACtD,IAAI,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,OAAO;QACL,IAAI,EAAE,OAAO;QACb,OAAO;QACP,OAAO,EAAE,OAAO;YACd,CAAC,CAAC,MAAM;gBACN,CAAC,CAAC,yBAAyB;gBAC3B,CAAC,CAAC,oBAAoB;YACxB,CAAC,CAAC,+BAA+B;KACpC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,UAAkB;IACzD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC,CAAC;IACnE,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,YAAqB;IAC3D,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,wBAAwB,CAAC,YAAY,CAAC,CAAC,CAAC;IACtE,OAAO,sBAAsB,CAAC,MAAM,CAAC,CAAC;AACxC,CAAC"}

package/dist/cli/doctor.d.ts

@@ -0,0 +1,2 @@
+export declare function runDoctor(): Promise<void>;
+//# sourceMappingURL=doctor.d.ts.map

package/dist/cli/doctor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/cli/doctor.ts"],"names":[],"mappings":"AAaA,wBAAsB,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC,CAyF/C"}

package/dist/cli/doctor.js

@@ -0,0 +1,83 @@
+import path from "node:path";
+import process from "node:process";
+import { defaultPoliciesMetaPath, defaultPoliciesV1Path } from "../policy/index.js";
+import { shellBridgeDir } from "../bridge/shell-approval-bridge.js";
+import { fetchJson } from "./http-fetch.js";
+import { credentialsPath, readCredentialsFileMode, resolveGuardToken } from "./credentials.js";
+import { readHookConfigured, readMcpConfigured, resolveUserMcpConfigPath } from "./cursor-config.js";
+import { getInstallId } from "./install-id.js";
+import { functionsHttpUrl } from "./policies-callable-url.js";
+import { readPoliciesMetaFile } from "./policies-meta.js";
+export async function runDoctor() {
+    const cwd = process.cwd();
+    const auditPath = process.env.PRAXIS_GUARD_AUDIT_LOG ?? path.resolve(cwd, ".cursor/guard/audit.jsonl");
+    const policyPath = process.env.PRAXIS_POLICIES_V1_PATH?.trim() || defaultPoliciesV1Path();
+    const metaPath = process.env.PRAXIS_POLICIES_META_PATH?.trim() || defaultPoliciesMetaPath();
+    const meta = await readPoliciesMetaFile(metaPath);
+    const lines = [
+        `auditor doctor`,
+        `Install ID: ${getInstallId()}`,
+        `MCP stdio: auditor mcp   (Cursor: command auditor, args [mcp])`,
+        `Node: ${process.version}`,
+        `Policy file: ${policyPath}`,
+        `Policies meta: ${metaPath}`,
+        meta
+            ? `  Local synced revision: ${meta.revision}${meta.syncedAt ? ` (at ${meta.syncedAt})` : ""}`
+            : `  Local synced revision: (no meta file — run "auditor policies sync")`,
+        `Bridge dir: ${shellBridgeDir(cwd)}`,
+        `Audit log: ${auditPath}`,
+        `PRAXIS_GUARD_AUDIT_LOG: ${process.env.PRAXIS_GUARD_AUDIT_LOG ?? "(unset; default above)"}`,
+    ];
+    const hookConfigured = await readHookConfigured(cwd).catch(() => false);
+    const mcpPath = resolveUserMcpConfigPath();
+    const mcpConfigured = await readMcpConfigured().catch(() => false);
+    lines.push(`Hook setup: ${hookConfigured ? "configured" : "missing (run \`auditor setup hook\`)"} (${path.resolve(cwd, ".cursor/hooks.json")})`);
+    lines.push(`MCP setup: ${mcpConfigured ? "configured" : "missing (run \`auditor setup mcp\`)"} (${mcpPath})`);
+    const token = resolveGuardToken() || process.env.PRAXIS_FIREBASE_ID_TOKEN?.trim();
+    const tokenSource = process.env.PRAXIS_GUARD_TOKEN?.trim()
+        ? "env:PRAXIS_GUARD_TOKEN"
+        : token
+            ? `file:${credentialsPath()}`
+            : null;
+    lines.push(tokenSource
+        ? `Auth: ${tokenSource} (token: ${token.slice(0, 6)}...${token.slice(-3)})`
+        : "Auth: (none — run `auditor login`)");
+    const credsMode = readCredentialsFileMode();
+    if (credsMode !== null) {
+        lines.push(credsMode === 0o600
+            ? `Credentials mode: 0${credsMode.toString(8)}`
+            : `Credentials mode: 0${credsMode.toString(8)} (expected 0600)`);
+    }
+    const revisionHttpUrl = functionsHttpUrl("policiesGetRevisionHttp");
+    if (token) {
+        try {
+            const rev = await fetchJson({
+                url: revisionHttpUrl,
+                bearerToken: token,
+            });
+            const remote = rev.revision;
+            lines.push(`Remote Firestore revision: ${remote}`);
+            if (meta) {
+                lines.push(meta.revision === remote
+                    ? "Policies: in sync with Firestore revision."
+                    : `Policies: update available (local ${meta.revision} vs remote ${remote}).`);
+            }
+            else {
+                lines.push(`Policies: remote revision ${remote} (no local sync meta).`);
+            }
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            lines.push(`Remote revision check failed: ${msg}`);
+        }
+    }
+    else {
+        lines.push("Remote revision: (skip — not authenticated; run `auditor login`)");
+    }
+    const readySetup = hookConfigured && mcpConfigured;
+    const readyAuth = !!token;
+    const ready = readySetup && readyAuth;
+    lines.push(`Ready: ${ready ? "yes" : "no"} (setup=${readySetup ? "ok" : "missing"}, auth=${readyAuth ? "ok" : "missing"})`);
+    process.stdout.write(`${lines.join("\n")}\n`);
+}
+//# sourceMappingURL=doctor.js.map

package/dist/cli/doctor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../src/cli/doctor.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,OAAO,MAAM,cAAc,CAAC;AAEnC,OAAO,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAEpF,OAAO,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACpE,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC/F,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AACrG,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,MAAM,CAAC,KAAK,UAAU,SAAS;IAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,2BAA2B,CAAC,CAAC;IAEvF,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,EAAE,IAAI,EAAE,IAAI,qBAAqB,EAAE,CAAC;IAC1F,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE,IAAI,EAAE,IAAI,uBAAuB,EAAE,CAAC;IAC5F,MAAM,IAAI,GAAG,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC;IAElD,MAAM,KAAK,GAAG;QACZ,gBAAgB;QAChB,eAAe,YAAY,EAAE,EAAE;QAC/B,gEAAgE;QAChE,SAAS,OAAO,CAAC,OAAO,EAAE;QAC1B,gBAAgB,UAAU,EAAE;QAC5B,kBAAkB,QAAQ,EAAE;QAC5B,IAAI;YACF,CAAC,CAAC,4BAA4B,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YAC7F,CAAC,CAAC,uEAAuE;QAC3E,eAAe,cAAc,CAAC,GAAG,CAAC,EAAE;QACpC,cAAc,SAAS,EAAE;QACzB,2BAA2B,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,wBAAwB,EAAE;KAC5F,CAAC;IAEF,MAAM,cAAc,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;IACxE,MAAM,OAAO,GAAG,wBAAwB,EAAE,CAAC;IAC3C,MAAM,aAAa,GAAG,MAAM,iBAAiB,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;IACnE,KAAK,CAAC,IAAI,CACR,eAAe,cAAc,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,sCAAsC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,oBAAoB,CAAC,GAAG,CACrI,CAAC;IACF,KAAK,CAAC,IAAI,CACR,cAAc,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,qCAAqC,KAAK,OAAO,GAAG,CAClG,CAAC;IAEF,MAAM,KAAK,GAAG,iBAAiB,EAAE,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,EAAE,CAAC;IAClF,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE;QACxD,CAAC,CAAC,wBAAwB;QAC1B,CAAC,CAAC,KAAK;YACL,CAAC,CAAC,QAAQ,eAAe,EAAE,EAAE;YAC7B,CAAC,CAAC,IAAI,CAAC;IACX,KAAK,CAAC,IAAI,CACR,WAAW;QACT,CAAC,CAAC,SAAS,WAAW,YAAY,KAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,KAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG;QAC7E,CAAC,CAAC,oCAAoC,CACzC,CAAC;IACF,MAAM,SAAS,GAAG,uBAAuB,EAAE,CAAC;IAC5C,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACvB,KAAK,CAAC,IAAI,CACR,SAAS,KAAK,KAAK;YACjB,CAAC,CAAC,sBAAsB,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;YAC/C,CAAC,CAAC,sBAAsB,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAClE,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,gBAAgB,CAAC,yBAAyB,CAAC,CAAC;IAEpE,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,SAAS,CAAuB;gBAChD,GAAG,EAAE,eAAe;gBACpB,WAAW,EAAE,KAAK;aACnB,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,8BAA8B,MAAM,EAAE,CAAC,CAAC;YACnD,IAAI,IAAI,EAAE,CAAC;gBACT,KAAK,CAAC,IAAI,CACR,IAAI,CAAC,QAAQ,KAAK,MAAM;oBACtB,CAAC,CAAC,4CAA4C;oBAC9C,CAAC,CAAC,qCAAqC,IAAI,CAAC,QAAQ,cAAc,MAAM,IAAI,CAC/E,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,IAAI,CAAC,6BAA6B,MAAM,wBAAwB,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,KAAK,CAAC,IAAI,CAAC,iCAAiC,GAAG,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,UAAU,GAAG,cAAc,IAAI,aAAa,CAAC;IACnD,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC;IAC1B,MAAM,KAAK,GAAG,UAAU,IAAI,SAAS,CAAC;IACtC,KAAK,CAAC,IAAI,CACR,UAAU,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,WAAW,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,UAAU,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,GAAG,CAChH,CAAC;IAEF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChD,CAAC"}

package/dist/cli/firebase-targets.d.ts

@@ -0,0 +1,7 @@
+export declare function detectFirebaseProjectId(cwd: string): string | null;
+/**
+ * Resolve a Firebase Hosting site id for a given target (e.g. target "app" -> site "praxis-app-33b40").
+ * This reads `.firebaserc` and finds the first site configured for that hosting target.
+ */
+export declare function detectHostingSiteId(cwd: string, projectId: string, hostingTarget: string): string | null;
+//# sourceMappingURL=firebase-targets.d.ts.map

package/dist/cli/firebase-targets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"firebase-targets.d.ts","sourceRoot":"","sources":["../../src/cli/firebase-targets.ts"],"names":[],"mappings":"AAoBA,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAWlE;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAYxG"}