@rigstate/cli 0.6.0

package/dist/index.js

@@ -0,0 +1,3964 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// node_modules/tsup/assets/esm_shims.js
+import path from "path";
+import { fileURLToPath } from "url";
+var init_esm_shims = __esm({
+  "node_modules/tsup/assets/esm_shims.js"() {
+    "use strict";
+  }
+});
+
+// src/utils/config.ts
+import Conf from "conf";
+function getApiKey() {
+  const apiKey = config.get("apiKey");
+  if (!apiKey) {
+    throw new Error(
+      '\u274C Not logged in. Please run "rigstate login <your-api-key>" first.'
+    );
+  }
+  return apiKey;
+}
+function setApiKey(key) {
+  config.set("apiKey", key);
+}
+function getProjectId() {
+  return config.get("projectId");
+}
+function setProjectId(projectId) {
+  config.set("projectId", projectId);
+}
+function getApiUrl() {
+  if (process.env.RIGSTATE_API_URL) {
+    return process.env.RIGSTATE_API_URL;
+  }
+  const storedUrl = config.get("apiUrl");
+  if (storedUrl) {
+    return storedUrl;
+  }
+  return "https://app.rigstate.com";
+}
+var config;
+var init_config = __esm({
+  "src/utils/config.ts"() {
+    "use strict";
+    init_esm_shims();
+    config = new Conf({
+      projectName: "rigstate-cli",
+      defaults: {
+        apiUrl: "http://localhost:3000"
+      }
+    });
+  }
+});
+
+// src/utils/skills-provisioner.ts
+var skills_provisioner_exports = {};
+__export(skills_provisioner_exports, {
+  generateSkillsDiscoveryBlock: () => generateSkillsDiscoveryBlock,
+  jitProvisionSkill: () => jitProvisionSkill,
+  provisionSkills: () => provisionSkills
+});
+import axios3 from "axios";
+import fs5 from "fs/promises";
+import path6 from "path";
+import chalk5 from "chalk";
+async function provisionSkills(apiUrl, apiKey, projectId, rootDir) {
+  const skills = [];
+  try {
+    const response = await axios3.get(`${apiUrl}/api/v1/skills`, {
+      params: { project_id: projectId },
+      headers: { Authorization: `Bearer ${apiKey}` }
+    });
+    if (response.data.success && response.data.data) {
+      for (const dbSkill of response.data.data) {
+        skills.push({
+          name: dbSkill.name,
+          description: dbSkill.description,
+          specialist: dbSkill.specialist || "General",
+          version: dbSkill.version || "1.0.0",
+          governance: dbSkill.governance || "OPEN",
+          content: dbSkill.content
+        });
+      }
+    }
+  } catch (e) {
+    const msg = e.response?.data?.error || e.message;
+    console.log(chalk5.dim(`  (Skills API not available: ${msg}, using core library)`));
+  }
+  if (skills.length === 0) {
+    const { getRigstateStandardSkills } = await import("@rigstate/rules-engine");
+    const coreSkills = getRigstateStandardSkills();
+    skills.push(...coreSkills);
+  }
+  const skillsDir = path6.join(rootDir, ".agent", "skills");
+  await fs5.mkdir(skillsDir, { recursive: true });
+  for (const skill of skills) {
+    const skillDir = path6.join(skillsDir, skill.name);
+    await fs5.mkdir(skillDir, { recursive: true });
+    const skillContent = `---
+name: ${skill.name}
+description: ${skill.description}
+version: "${skill.version}"
+specialist: ${skill.specialist}
+governance: ${skill.governance}
+---
+
+${skill.content}
+
+---
+*Provisioned by Rigstate CLI. Do not modify manually.*`;
+    const skillPath = path6.join(skillDir, "SKILL.md");
+    await fs5.writeFile(skillPath, skillContent, "utf-8");
+  }
+  console.log(chalk5.green(`  \u2705 Provisioned ${skills.length} skill(s) to .agent/skills/`));
+  return skills;
+}
+function generateSkillsDiscoveryBlock(skills) {
+  if (skills.length === 0) return "";
+  const skillBlocks = skills.map((skill) => `  <skill>
+    <name>${skill.name}</name>
+    <description>${skill.description}</description>
+    <location>.agent/skills/${skill.name}/SKILL.md</location>
+  </skill>`).join("\n");
+  return `<available_skills>
+${skillBlocks}
+</available_skills>`;
+}
+async function jitProvisionSkill(skillId, apiUrl, apiKey, projectId, rootDir) {
+  const rulesPath = path6.join(rootDir, ".cursorrules");
+  let rulesContent = "";
+  try {
+    rulesContent = await fs5.readFile(rulesPath, "utf-8");
+  } catch (e) {
+    return false;
+  }
+  const isProvisioned = rulesContent.includes(`<name>${skillId}</name>`) || rulesContent.includes(`.agent/skills/${skillId}`);
+  if (isProvisioned) return false;
+  console.log(chalk5.yellow(`  \u26A1 JIT PROVISIONING: Injecting ${skillId}...`));
+  try {
+    const skills = await provisionSkills(apiUrl, apiKey, projectId, rootDir);
+    const skillsBlock = generateSkillsDiscoveryBlock(skills);
+    if (rulesContent.includes("<available_skills>")) {
+      rulesContent = rulesContent.replace(
+        /<available_skills>[\s\S]*?<\/available_skills>/,
+        skillsBlock
+      );
+    } else if (rulesContent.includes("## \u{1F9E0} PROJECT CONTEXT")) {
+      const insertPoint = rulesContent.indexOf("---", rulesContent.indexOf("## \u{1F9E0} PROJECT CONTEXT"));
+      if (insertPoint !== -1) {
+        rulesContent = rulesContent.slice(0, insertPoint + 3) + "\n\n" + skillsBlock + "\n" + rulesContent.slice(insertPoint + 3);
+      }
+    }
+    await fs5.writeFile(rulesPath, rulesContent, "utf-8");
+    return true;
+  } catch (e) {
+    console.log(chalk5.red(`  Failed to provision skill: ${e.message}`));
+    return false;
+  }
+}
+var init_skills_provisioner = __esm({
+  "src/utils/skills-provisioner.ts"() {
+    "use strict";
+    init_esm_shims();
+  }
+});
+
+// src/utils/governance.ts
+var governance_exports = {};
+__export(governance_exports, {
+  InterventionLevel: () => InterventionLevel,
+  clearSoftLock: () => clearSoftLock,
+  getGovernanceConfig: () => getGovernanceConfig,
+  getSessionState: () => getSessionState,
+  performOverride: () => performOverride,
+  setSoftLock: () => setSoftLock
+});
+import fs6 from "fs/promises";
+import path7 from "path";
+import chalk6 from "chalk";
+async function getGovernanceConfig(rootDir = process.cwd()) {
+  try {
+    const configPath = path7.join(rootDir, "rigstate.config.json");
+    const content = await fs6.readFile(configPath, "utf-8");
+    const userConfig = JSON.parse(content);
+    return {
+      governance: {
+        ...DEFAULT_CONFIG.governance,
+        ...userConfig.governance
+      }
+    };
+  } catch (e) {
+    return DEFAULT_CONFIG;
+  }
+}
+async function getSessionState(rootDir = process.cwd()) {
+  try {
+    const sessionPath = path7.join(rootDir, ".rigstate", "session.json");
+    const content = await fs6.readFile(sessionPath, "utf-8");
+    return JSON.parse(content);
+  } catch (e) {
+    return DEFAULT_SESSION;
+  }
+}
+async function setSoftLock(reason, violationId, rootDir = process.cwd()) {
+  const sessionPath = path7.join(rootDir, ".rigstate", "session.json");
+  const state = {
+    status: "SOFT_LOCK",
+    active_violation: violationId,
+    lock_reason: reason,
+    last_updated: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  await fs6.mkdir(path7.dirname(sessionPath), { recursive: true });
+  await fs6.writeFile(sessionPath, JSON.stringify(state, null, 2), "utf-8");
+}
+async function clearSoftLock(rootDir = process.cwd()) {
+  const sessionPath = path7.join(rootDir, ".rigstate", "session.json");
+  const state = {
+    ...DEFAULT_SESSION,
+    last_updated: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  await fs6.mkdir(path7.dirname(sessionPath), { recursive: true });
+  await fs6.writeFile(sessionPath, JSON.stringify(state, null, 2), "utf-8");
+}
+async function performOverride(violationId, reason, rootDir = process.cwd()) {
+  const config2 = await getGovernanceConfig(rootDir);
+  if (!config2.governance.allow_overrides) {
+    console.log(chalk6.red("\u274C Overrides are disabled for this project."));
+    return false;
+  }
+  await clearSoftLock(rootDir);
+  return true;
+}
+var InterventionLevel, DEFAULT_CONFIG, DEFAULT_SESSION;
+var init_governance = __esm({
+  "src/utils/governance.ts"() {
+    "use strict";
+    init_esm_shims();
+    InterventionLevel = /* @__PURE__ */ ((InterventionLevel2) => {
+      InterventionLevel2[InterventionLevel2["GHOST"] = 0] = "GHOST";
+      InterventionLevel2[InterventionLevel2["NUDGE"] = 1] = "NUDGE";
+      InterventionLevel2[InterventionLevel2["SENTINEL"] = 2] = "SENTINEL";
+      return InterventionLevel2;
+    })(InterventionLevel || {});
+    DEFAULT_CONFIG = {
+      governance: {
+        intervention_level: 0 /* GHOST */,
+        allow_overrides: true
+      }
+    };
+    DEFAULT_SESSION = {
+      status: "OPEN",
+      active_violation: null,
+      lock_reason: null,
+      last_updated: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+});
+
+// src/utils/watchdog.ts
+var watchdog_exports = {};
+__export(watchdog_exports, {
+  runGuardianWatchdog: () => runGuardianWatchdog
+});
+import fs7 from "fs/promises";
+import path8 from "path";
+import chalk7 from "chalk";
+import axios4 from "axios";
+async function countLines(filePath) {
+  try {
+    const content = await fs7.readFile(filePath, "utf-8");
+    return content.split("\n").length;
+  } catch (e) {
+    return 0;
+  }
+}
+async function getFiles(dir, extension) {
+  const entries = await fs7.readdir(dir, { withFileTypes: true });
+  const files = await Promise.all(entries.map(async (entry) => {
+    const res = path8.resolve(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (entry.name === "node_modules" || entry.name === ".git" || entry.name === ".next" || entry.name === "dist") return [];
+      return getFiles(res, extension);
+    } else {
+      return extension.some((ext) => entry.name.endsWith(ext)) ? res : [];
+    }
+  }));
+  return files.flat();
+}
+async function fetchRulesFromApi(projectId) {
+  try {
+    const apiUrl = getApiUrl();
+    const apiKey = getApiKey();
+    const response = await axios4.get(`${apiUrl}/api/v1/guardian/rules`, {
+      params: { project_id: projectId },
+      headers: { Authorization: `Bearer ${apiKey}` },
+      timeout: 1e4
+    });
+    if (response.data.success && response.data.data.settings) {
+      return {
+        lmax: response.data.data.settings.lmax || DEFAULT_LMAX,
+        lmaxWarning: response.data.data.settings.lmax_warning || DEFAULT_LMAX_WARNING,
+        source: "API (Dynamic)"
+      };
+    }
+  } catch (error) {
+    try {
+      const cachePath = path8.join(process.cwd(), CACHE_FILE);
+      const content = await fs7.readFile(cachePath, "utf-8");
+      const cached = JSON.parse(content);
+      if (cached.settings) {
+        return {
+          lmax: cached.settings.lmax || DEFAULT_LMAX,
+          lmaxWarning: cached.settings.lmax_warning || DEFAULT_LMAX_WARNING,
+          source: "Cache (Fallback)"
+        };
+      }
+    } catch {
+    }
+  }
+  return {
+    lmax: DEFAULT_LMAX,
+    lmaxWarning: DEFAULT_LMAX_WARNING,
+    source: "Default (Hardcoded)"
+  };
+}
+async function runGuardianWatchdog(rootPath, settings = {}, projectId) {
+  console.log(chalk7.bold("\n\u{1F6E1}\uFE0F  Active Guardian Watchdog Initiated..."));
+  let lmax = settings.lmax || DEFAULT_LMAX;
+  let lmaxWarning = settings.lmax_warning || DEFAULT_LMAX_WARNING;
+  let ruleSource = settings.lmax ? "Settings (Passed)" : "Default";
+  if (projectId) {
+    const apiRules = await fetchRulesFromApi(projectId);
+    lmax = apiRules.lmax;
+    lmaxWarning = apiRules.lmaxWarning;
+    ruleSource = apiRules.source;
+  }
+  console.log(chalk7.dim(`Governance Rules: L_max=${lmax}, L_max_warning=${lmaxWarning}, Source: ${ruleSource}`));
+  const targetExtensions = [".ts", ".tsx"];
+  let scanTarget = rootPath;
+  const webSrc = path8.join(rootPath, "apps", "web", "src");
+  try {
+    await fs7.access(webSrc);
+    scanTarget = webSrc;
+  } catch {
+  }
+  console.log(chalk7.dim(`Scanning target: ${path8.relative(process.cwd(), scanTarget)}`));
+  const files = await getFiles(scanTarget, targetExtensions);
+  let violations = 0;
+  let warnings = 0;
+  const results = [];
+  for (const file of files) {
+    const lines = await countLines(file);
+    const relPath = path8.relative(rootPath, file);
+    if (lines > lmax) {
+      results.push({ file: relPath, lines, status: "VIOLATION" });
+      violations++;
+      console.log(chalk7.red(`[VIOLATION] ${relPath}: ${lines} lines (Limit: ${lmax})`));
+    } else if (lines > lmaxWarning) {
+      results.push({ file: relPath, lines, status: "WARNING" });
+      warnings++;
+      console.log(chalk7.yellow(`[WARNING]   ${relPath}: ${lines} lines (Threshold: ${lmaxWarning})`));
+    }
+  }
+  if (violations === 0 && warnings === 0) {
+    console.log(chalk7.green(`\u2714 All ${files.length} files are within governance limits.`));
+  } else {
+    console.log("\n" + chalk7.bold("Summary:"));
+    console.log(chalk7.red(`Violations: ${violations}`));
+    console.log(chalk7.yellow(`Warnings:   ${warnings}`));
+    const { getGovernanceConfig: getGovernanceConfig2, setSoftLock: setSoftLock2, InterventionLevel: InterventionLevel2 } = await Promise.resolve().then(() => (init_governance(), governance_exports));
+    const { governance } = await getGovernanceConfig2(rootPath);
+    console.log(chalk7.dim(`Intervention Level: ${InterventionLevel2[governance.intervention_level] || "UNKNOWN"} (${governance.intervention_level})`));
+    if (violations > 0) {
+      console.log(chalk7.red.bold("\nCRITICAL: Governance violations detected. Immediate refactoring required."));
+      if (governance.intervention_level >= InterventionLevel2.SENTINEL) {
+        console.log(chalk7.red.bold("\u{1F6D1} SENTINEL MODE: Session SOFT_LOCKED until resolved."));
+        console.log(chalk7.red('   Run "rigstate override <id> --reason \\"...\\"" if this is an emergency.'));
+        await setSoftLock2("Sentinel Mode: Governance Violations Detected", "ARC-VIOLATION", rootPath);
+      }
+    }
+  }
+  if (projectId) {
+    try {
+      const apiUrl = getApiUrl();
+      const apiKey = getApiKey();
+      const payloadViolations = results.filter((r) => r.status === "VIOLATION").map((v) => ({
+        uid: "V-" + Buffer.from(v.file).toString("base64").replace(/=/g, ""),
+        filePath: v.file,
+        lineCount: v.lines,
+        limitValue: lmax,
+        severity: "CRITICAL"
+      }));
+      await axios4.post(`${apiUrl}/api/v1/guardian/sync`, {
+        projectId,
+        violations: payloadViolations,
+        warnings
+      }, {
+        headers: { Authorization: `Bearer ${apiKey}` }
+      });
+      console.log(chalk7.dim("\u2714 Violations synced to Rigstate Cloud."));
+    } catch (e) {
+      console.log(chalk7.dim("\u26A0 Cloud sync skipped: " + (e.message || "Unknown")));
+    }
+  }
+}
+var DEFAULT_LMAX, DEFAULT_LMAX_WARNING, CACHE_FILE;
+var init_watchdog = __esm({
+  "src/utils/watchdog.ts"() {
+    "use strict";
+    init_esm_shims();
+    init_config();
+    DEFAULT_LMAX = 400;
+    DEFAULT_LMAX_WARNING = 350;
+    CACHE_FILE = ".rigstate/rules-cache.json";
+  }
+});
+
+// src/index.ts
+init_esm_shims();
+import { Command as Command19 } from "commander";
+import chalk27 from "chalk";
+
+// src/commands/login.ts
+init_esm_shims();
+init_config();
+import { Command } from "commander";
+import chalk from "chalk";
+function createLoginCommand() {
+  return new Command("login").description("Authenticate with your Rigstate API key").argument("<api-key>", "Your Rigstate API key (starts with sk_)").action(async (apiKey) => {
+    try {
+      if (!apiKey || !apiKey.startsWith("sk_rigstate_")) {
+        console.error(chalk.red("\u274C Invalid API key format"));
+        console.error(chalk.dim('API keys must start with "sk_rigstate_"'));
+        process.exit(1);
+      }
+      setApiKey(apiKey);
+      console.log(chalk.green("\u2705 Successfully logged in!"));
+      console.log(
+        chalk.dim(
+          `
+Your API key has been securely stored. You can now use "rigstate scan" to audit your code.`
+        )
+      );
+    } catch (error) {
+      console.error(
+        chalk.red("\u274C Login failed:"),
+        error instanceof Error ? error.message : "Unknown error"
+      );
+      process.exit(1);
+    }
+  });
+}
+
+// src/commands/link.ts
+init_esm_shims();
+import { Command as Command2 } from "commander";
+import fs from "fs/promises";
+import path2 from "path";
+import chalk2 from "chalk";
+import os from "os";
+function createLinkCommand() {
+  return new Command2("link").description("Link current directory to a Rigstate project").argument("<projectId>", "Project ID to link").action(async (projectId) => {
+    try {
+      const globalPath = path2.join(os.homedir(), ".rigstate", "config.json");
+      const globalData = await fs.readFile(globalPath, "utf-8").catch(() => null);
+      if (globalData) {
+        const config2 = JSON.parse(globalData);
+        const cwd = process.cwd();
+        if (config2.overrides && config2.overrides[cwd]) {
+          const overrideId = config2.overrides[cwd];
+          if (overrideId !== projectId) {
+            console.warn(chalk2.yellow(`Global override detected. Enforcing project ID: ${overrideId}`));
+            projectId = overrideId;
+          }
+        }
+      }
+    } catch (e) {
+    }
+    const manifestPath = path2.join(process.cwd(), ".rigstate");
+    const content = {
+      project_id: projectId,
+      api_url: process.env.NEXT_PUBLIC_APP_URL || "http://localhost:3000",
+      linked_at: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    try {
+      await fs.writeFile(manifestPath, JSON.stringify(content, null, 2), "utf-8");
+      console.log(chalk2.green(`\u2714 Linked to project ID: ${projectId}`));
+      console.log(chalk2.dim(`Created local context manifest at .rigstate`));
+    } catch (error) {
+      console.error(chalk2.red(`Failed to link project: ${error.message}`));
+    }
+  });
+}
+
+// src/commands/scan.ts
+init_esm_shims();
+init_config();
+import { Command as Command3 } from "commander";
+import chalk3 from "chalk";
+import ora from "ora";
+import axios from "axios";
+import { glob } from "glob";
+import fs3 from "fs/promises";
+import path4 from "path";
+
+// src/utils/files.ts
+init_esm_shims();
+import fs2 from "fs/promises";
+import path3 from "path";
+async function readGitignore(dir) {
+  const gitignorePath = path3.join(dir, ".gitignore");
+  try {
+    const content = await fs2.readFile(gitignorePath, "utf-8");
+    return content.split("\n").map((line) => line.trim()).filter((line) => line && !line.startsWith("#"));
+  } catch (error) {
+    return [];
+  }
+}
+function shouldIgnore(filePath, patterns) {
+  const relativePath = filePath.replace(/^\.\//, "");
+  const defaultIgnores = [
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    ".next",
+    ".turbo",
+    "coverage",
+    ".env",
+    ".env.local"
+  ];
+  const allPatterns = [...defaultIgnores, ...patterns];
+  for (const pattern of allPatterns) {
+    if (pattern.endsWith("/")) {
+      const dir = pattern.slice(0, -1);
+      if (relativePath.includes(`${dir}/`) || relativePath === dir) {
+        return true;
+      }
+    } else if (pattern.includes("*")) {
+      const regex = new RegExp(
+        "^" + pattern.replace(/\*/g, ".*").replace(/\?/g, ".") + "$"
+      );
+      if (regex.test(relativePath)) {
+        return true;
+      }
+    } else {
+      if (relativePath.includes(pattern)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function isCodeFile(filePath) {
+  const codeExtensions = [
+    ".js",
+    ".jsx",
+    ".ts",
+    ".tsx",
+    ".py",
+    ".java",
+    ".go",
+    ".rb",
+    ".php",
+    ".c",
+    ".cpp",
+    ".h",
+    ".cs",
+    ".swift",
+    ".kt",
+    ".rs",
+    ".vue",
+    ".svelte"
+  ];
+  const ext = path3.extname(filePath).toLowerCase();
+  return codeExtensions.includes(ext);
+}
+
+// src/commands/scan.ts
+function createScanCommand() {
+  return new Command3("scan").description("Scan code files for security and quality issues").argument("[path]", "Directory or file to scan", ".").option("--json", "Output results as JSON").option("--project <id>", "Project ID to associate with this scan").action(async (targetPath, options) => {
+    const spinner = ora();
+    try {
+      const apiKey = getApiKey();
+      const apiUrl = getApiUrl();
+      const projectId = options.project || getProjectId();
+      if (!projectId) {
+        console.warn(
+          chalk3.yellow(
+            "\u26A0\uFE0F  No project ID specified. Use --project <id> or set a default."
+          )
+        );
+      }
+      const scanPath = path4.resolve(process.cwd(), targetPath);
+      spinner.start(`Scanning ${chalk3.cyan(scanPath)}...`);
+      const gitignorePatterns = await readGitignore(scanPath);
+      const pattern = path4.join(scanPath, "**/*");
+      const allFiles = await glob(pattern, {
+        nodir: true,
+        dot: false,
+        ignore: ["**/node_modules/**", "**/.git/**", "**/dist/**", "**/build/**"]
+      });
+      const codeFiles = allFiles.filter((file) => {
+        const relativePath = path4.relative(scanPath, file);
+        return isCodeFile(file) && !shouldIgnore(relativePath, gitignorePatterns);
+      });
+      if (codeFiles.length === 0) {
+        spinner.warn(chalk3.yellow("No code files found to scan."));
+        return;
+      }
+      spinner.text = `Found ${codeFiles.length} files. Scanning...`;
+      const results = [];
+      let totalIssues = 0;
+      const severityCounts = {};
+      for (let i = 0; i < codeFiles.length; i++) {
+        const filePath = codeFiles[i];
+        const relativePath = path4.relative(scanPath, filePath);
+        spinner.text = `Scanning ${i + 1}/${codeFiles.length}: ${relativePath}`;
+        try {
+          const content = await fs3.readFile(filePath, "utf-8");
+          const response = await axios.post(
+            `${apiUrl}/api/v1/audit`,
+            {
+              content,
+              file_path: relativePath,
+              project_id: projectId
+            },
+            {
+              headers: {
+                "Authorization": `Bearer ${apiKey}`,
+                "Content-Type": "application/json"
+              },
+              timeout: 6e4
+              // 1 minute per file
+            }
+          );
+          const vulnerabilities = response.data.vulnerabilities || [];
+          if (vulnerabilities.length > 0) {
+            results.push({
+              id: response.data.id || relativePath,
+              file_path: relativePath,
+              issues: vulnerabilities.map((v) => ({
+                type: v.type,
+                severity: v.severity,
+                message: v.description || v.title,
+                line: v.line_number
+              }))
+            });
+            totalIssues += vulnerabilities.length;
+            vulnerabilities.forEach((v) => {
+              severityCounts[v.severity] = (severityCounts[v.severity] || 0) + 1;
+            });
+          }
+        } catch (fileError) {
+          if (axios.isAxiosError(fileError)) {
+            console.warn(chalk3.yellow(`
+\u26A0\uFE0F  Skipping ${relativePath}: ${fileError.message}`));
+          } else {
+            console.warn(chalk3.yellow(`
+\u26A0\uFE0F  Error reading ${relativePath}`));
+          }
+        }
+      }
+      spinner.succeed(chalk3.green("\u2705 Scan completed!"));
+      const aggregatedResponse = {
+        results,
+        summary: {
+          total_files: codeFiles.length,
+          total_issues: totalIssues,
+          by_severity: severityCounts
+        }
+      };
+      if (options.json) {
+        console.log(JSON.stringify(aggregatedResponse, null, 2));
+      } else {
+        printPrettyResults(aggregatedResponse);
+      }
+    } catch (error) {
+      spinner.fail(chalk3.red("\u274C Scan failed"));
+      if (axios.isAxiosError(error)) {
+        if (error.response) {
+          console.error(chalk3.red("API Error:"), error.response.data);
+        } else if (error.request) {
+          console.error(
+            chalk3.red("Network Error:"),
+            "Could not reach the API. Is the server running?"
+          );
+        } else {
+          console.error(chalk3.red("Error:"), error.message);
+        }
+      } else {
+        console.error(
+          chalk3.red("Error:"),
+          error instanceof Error ? error.message : "Unknown error"
+        );
+      }
+      process.exit(1);
+    }
+  });
+}
+function printPrettyResults(data) {
+  const { results, summary } = data;
+  console.log("\n" + chalk3.bold("\u{1F4CA} Scan Summary"));
+  console.log(chalk3.dim("\u2500".repeat(60)));
+  console.log(`Total Files Scanned: ${chalk3.cyan(summary.total_files)}`);
+  console.log(`Total Issues Found: ${chalk3.yellow(summary.total_issues)}`);
+  if (summary.by_severity) {
+    console.log("\nIssues by Severity:");
+    Object.entries(summary.by_severity).forEach(([severity, count]) => {
+      const color = getSeverityColor(severity);
+      console.log(`  ${color(`${severity}:`)} ${count}`);
+    });
+  }
+  if (results && results.length > 0) {
+    console.log("\n" + chalk3.bold("\u{1F50D} Detailed Results"));
+    console.log(chalk3.dim("\u2500".repeat(60)));
+    results.forEach((result) => {
+      if (result.issues && result.issues.length > 0) {
+        console.log(`
+${chalk3.bold(result.file_path)}`);
+        result.issues.forEach((issue) => {
+          const severityColor = getSeverityColor(issue.severity);
+          const lineInfo = issue.line ? chalk3.dim(`:${issue.line}`) : "";
+          console.log(
+            `  ${severityColor(`[${issue.severity.toUpperCase()}]`)} ${issue.type}${lineInfo}`
+          );
+          console.log(`  ${chalk3.dim(issue.message)}`);
+        });
+      }
+    });
+  }
+  console.log("\n" + chalk3.dim("\u2500".repeat(60)));
+}
+function getSeverityColor(severity) {
+  switch (severity.toLowerCase()) {
+    case "critical":
+      return chalk3.red.bold;
+    case "high":
+      return chalk3.red;
+    case "medium":
+      return chalk3.yellow;
+    case "low":
+      return chalk3.blue;
+    case "info":
+      return chalk3.gray;
+    default:
+      return chalk3.white;
+  }
+}
+
+// src/commands/fix.ts
+init_esm_shims();
+init_config();
+import { Command as Command4 } from "commander";
+import chalk4 from "chalk";
+import ora2 from "ora";
+import axios2 from "axios";
+import { glob as glob2 } from "glob";
+import fs4 from "fs/promises";
+import path5 from "path";
+import inquirer from "inquirer";
+import * as Diff from "diff";
+function createFixCommand() {
+  return new Command4("fix").description("Scan and interactively FIX detected issues using Rigstate AI").argument("[path]", "Directory or file to scan", ".").option("--project <id>", "Project ID to context-aware audit").action(async (targetPath, options) => {
+    const spinner = ora2();
+    try {
+      const apiKey = getApiKey();
+      const apiUrl = getApiUrl();
+      const projectId = options.project || getProjectId();
+      if (!projectId) {
+        console.log(chalk4.yellow("\u26A0\uFE0F  Project ID is required for fixing. Using default or pass --project <id>"));
+      }
+      const scanPath = path5.resolve(process.cwd(), targetPath);
+      const gitignorePatterns = await readGitignore(scanPath);
+      const pattern = path5.join(scanPath, "**/*");
+      const allFiles = await glob2(pattern, { nodir: true, dot: false, ignore: ["**/node_modules/**", "**/.git/**"] });
+      const codeFiles = allFiles.filter((file) => {
+        const relativePath = path5.relative(scanPath, file);
+        return isCodeFile(file) && !shouldIgnore(relativePath, gitignorePatterns);
+      });
+      if (codeFiles.length === 0) {
+        console.log(chalk4.yellow("No code files found."));
+        return;
+      }
+      console.log(chalk4.bold(`
+\u{1F9E0} Rigstate Fix Mode`));
+      console.log(chalk4.dim(`Scanning ${codeFiles.length} files with Project Context...
+`));
+      let fixedCount = 0;
+      for (let i = 0; i < codeFiles.length; i++) {
+        const filePath = codeFiles[i];
+        const relativePath = path5.relative(scanPath, filePath);
+        spinner.start(`Analyzing ${relativePath}...`);
+        try {
+          const content = await fs4.readFile(filePath, "utf-8");
+          const response = await axios2.post(
+            `${apiUrl}/api/v1/audit`,
+            { content, file_path: relativePath, project_id: projectId },
+            { headers: { "Authorization": `Bearer ${apiKey}` }, timeout: 12e4 }
+          );
+          const vulnerabilities = response.data.vulnerabilities || [];
+          const fixableIssues = vulnerabilities.filter((v) => v.fixed_content);
+          if (fixableIssues.length > 0) {
+            spinner.stop();
+            console.log(`
+${chalk4.bold(relativePath)}: Found ${fixableIssues.length} fixable issues.`);
+            for (const issue of fixableIssues) {
+              console.log(chalk4.red(`
+[${issue.type}] ${issue.title}`));
+              console.log(chalk4.dim(issue.suggestion || issue.message));
+              const diff = Diff.createTwoFilesPatch(relativePath, relativePath, content, issue.fixed_content, "Current", "Fixed");
+              console.log("\n" + diff.split("\n").slice(0, 15).join("\n") + (diff.split("\n").length > 15 ? "\n..." : ""));
+              const { apply } = await inquirer.prompt([{
+                type: "confirm",
+                name: "apply",
+                message: `Apply this fix to ${chalk4.cyan(relativePath)}?`,
+                default: true
+              }]);
+              if (apply) {
+                await fs4.writeFile(filePath, issue.fixed_content);
+                console.log(chalk4.green(`\u2705 Fixed applied!`));
+                fixedCount++;
+                if (issue.related_step_id) {
+                  const { completeStep } = await inquirer.prompt([{
+                    type: "confirm",
+                    name: "completeStep",
+                    message: `Frank thinks this fix completes a Roadmap Step. Mark as COMPLETED in Rigstate?`,
+                    default: true
+                  }]);
+                  if (completeStep) {
+                    try {
+                      await axios2.post(
+                        `${apiUrl}/api/v1/roadmap/update-status`,
+                        { step_id: issue.related_step_id, status: "COMPLETED", project_id: projectId },
+                        { headers: { "Authorization": `Bearer ${apiKey}` } }
+                      );
+                      console.log(chalk4.green(`\u{1F680} Roadmap updated! Mission Control is in sync.`));
+                    } catch (err) {
+                      console.error(chalk4.yellow(`Failed to update roadmap: ${err.message}`));
+                    }
+                  }
+                }
+                break;
+              } else {
+                console.log(chalk4.dim("Skipped."));
+              }
+            }
+          } else {
+            spinner.text = `Checked ${relativePath} (No auto-fixes)`;
+          }
+        } catch (e) {
+        }
+      }
+      spinner.stop();
+      console.log(chalk4.bold.green(`
+
+\u{1F680} Fix session complete!`));
+      console.log(`Frank fixed ${fixedCount} detected issues.`);
+      console.log(chalk4.dim(`Run 'rigstate scan' to verify remaining issues.`));
+    } catch (error) {
+      spinner.fail("Fix session failed");
+      console.error(error.message);
+    }
+  });
+}
+
+// src/commands/sync.ts
+init_esm_shims();
+init_config();
+import { Command as Command5 } from "commander";
+import chalk8 from "chalk";
+import ora3 from "ora";
+import axios5 from "axios";
+import fs8 from "fs/promises";
+import path9 from "path";
+function createSyncCommand() {
+  const sync = new Command5("sync");
+  sync.description("Synchronize local state with Rigstate Cloud").option("-p, --project <id>", "Specify Project ID (saves to config automatically)").action(async (options) => {
+    const spinner = ora3("Synchronizing project state...").start();
+    try {
+      let apiKey;
+      try {
+        apiKey = getApiKey();
+      } catch (e) {
+        spinner.fail('Not authenticated. Run "rigstate login" first.');
+        return;
+      }
+      let projectId = options.project;
+      if (!projectId) {
+        try {
+          const manifestPath = path9.join(process.cwd(), ".rigstate");
+          const manifestContent = await fs8.readFile(manifestPath, "utf-8");
+          const manifest = JSON.parse(manifestContent);
+          if (manifest.project_id) projectId = manifest.project_id;
+        } catch (e) {
+        }
+      }
+      if (!projectId) projectId = getProjectId();
+      if (options.project) {
+        setProjectId(options.project);
+      }
+      if (!projectId) {
+        spinner.fail("No project context found.\n Run with --project <id> once to save context.");
+        return;
+      }
+      const apiUrl = getApiUrl();
+      const response = await axios5.get(`${apiUrl}/api/v1/roadmap`, {
+        params: { project_id: projectId },
+        headers: { Authorization: `Bearer ${apiKey}` }
+      });
+      if (!response.data.success) {
+        throw new Error(response.data.error || "Unknown API failure");
+      }
+      const { roadmap, project } = response.data.data;
+      const timestamp = response.data.timestamp;
+      const targetPath = path9.join(process.cwd(), "roadmap.json");
+      const fileContent = JSON.stringify({
+        project,
+        last_synced: timestamp,
+        roadmap
+      }, null, 2);
+      await fs8.writeFile(targetPath, fileContent, "utf-8");
+      try {
+        const manifestPath = path9.join(process.cwd(), ".rigstate");
+        const manifestContent = {
+          project_id: projectId,
+          project_name: project,
+          last_synced: timestamp,
+          api_url: apiUrl
+        };
+        await fs8.writeFile(manifestPath, JSON.stringify(manifestContent, null, 2), "utf-8");
+      } catch (e) {
+      }
+      console.log(chalk8.bold("\n\u{1F9E0} Agent Skills Provisioning..."));
+      try {
+        const { provisionSkills: provisionSkills2, generateSkillsDiscoveryBlock: generateSkillsDiscoveryBlock2 } = await Promise.resolve().then(() => (init_skills_provisioner(), skills_provisioner_exports));
+        const skills = await provisionSkills2(apiUrl, apiKey, projectId, process.cwd());
+        const cursorRulesPath = path9.join(process.cwd(), ".cursorrules");
+        try {
+          let rulesContent = await fs8.readFile(cursorRulesPath, "utf-8");
+          const skillsBlock = generateSkillsDiscoveryBlock2(skills);
+          if (rulesContent.includes("<available_skills>")) {
+            rulesContent = rulesContent.replace(
+              /<available_skills>[\s\S]*?<\/available_skills>/,
+              skillsBlock
+            );
+          } else if (rulesContent.includes("## \u{1F9E0} PROJECT CONTEXT")) {
+            const insertPoint = rulesContent.indexOf("---", rulesContent.indexOf("## \u{1F9E0} PROJECT CONTEXT"));
+            if (insertPoint !== -1) {
+              rulesContent = rulesContent.slice(0, insertPoint + 3) + "\n\n" + skillsBlock + "\n" + rulesContent.slice(insertPoint + 3);
+            }
+          }
+          await fs8.writeFile(cursorRulesPath, rulesContent, "utf-8");
+          console.log(chalk8.dim(`  Updated .cursorrules with skills discovery block`));
+        } catch (e) {
+        }
+      } catch (e) {
+        console.log(chalk8.yellow(`  \u26A0 Skills provisioning skipped: ${e.message}`));
+      }
+      try {
+        const logPath = path9.join(process.cwd(), ".rigstate", "logs", "last_execution.json");
+        try {
+          const logContent = await fs8.readFile(logPath, "utf-8");
+          const logData = JSON.parse(logContent);
+          if (logData.task_summary) {
+            await axios5.post(`${apiUrl}/api/v1/execution-logs`, {
+              project_id: projectId,
+              ...logData,
+              agent_role: process.env.RIGSTATE_MODE === "SUPERVISOR" ? "SUPERVISOR" : "WORKER"
+            }, {
+              headers: { Authorization: `Bearer ${apiKey}` }
+            });
+            await fs8.unlink(logPath);
+            console.log(chalk8.dim(`\u2714 Mission Report uploaded.`));
+          }
+        } catch (e) {
+          if (e.code !== "ENOENT") {
+          }
+        }
+      } catch (e) {
+      }
+      spinner.succeed(chalk8.green(`Synced ${roadmap.length} roadmap steps for project "${project}"`));
+      console.log(chalk8.dim(`Local files updated: roadmap.json`));
+      const { runGuardianWatchdog: runGuardianWatchdog2 } = await Promise.resolve().then(() => (init_watchdog(), watchdog_exports));
+      const settings = response.data.data.settings || {};
+      await runGuardianWatchdog2(process.cwd(), settings, projectId);
+      console.log(chalk8.bold("\n\u{1F4E1} Agent Bridge Heartbeat..."));
+      try {
+        const bridgeResponse = await axios5.get(`${apiUrl}/api/v1/agent/bridge`, {
+          params: { project_id: projectId },
+          headers: { Authorization: `Bearer ${apiKey}` }
+        });
+        if (bridgeResponse.data.success) {
+          const tasks = bridgeResponse.data.tasks;
+          const pending = tasks.filter((t) => t.status === "PENDING");
+          const approved = tasks.filter((t) => t.status === "APPROVED");
+          if (pending.length > 0 || approved.length > 0) {
+            console.log(chalk8.yellow(`\u26A0 Bridge Alert: ${pending.length} pending, ${approved.length} approved tasks found.`));
+            console.log(chalk8.dim('Run "rigstate fix" to process these tasks or ensure your IDE MCP server is active.'));
+          } else {
+            console.log(chalk8.green("\u2714 Heartbeat healthy. No pending bridge tasks."));
+          }
+          const pings = pending.filter((t) => t.proposal?.startsWith("ping"));
+          for (const ping of pings) {
+            await axios5.post(`${apiUrl}/api/v1/agent/bridge`, {
+              bridge_id: ping.id,
+              status: "COMPLETED",
+              summary: "Pong! CLI Sync Heartbeat confirmed."
+            }, {
+              headers: { Authorization: `Bearer ${apiKey}` }
+            });
+            console.log(chalk8.cyan(`\u{1F3D3} Pong! Acknowledged heartbeat signal [${ping.id}]`));
+          }
+        }
+      } catch (e) {
+        console.log(chalk8.yellow(`\u26A0 Could not verify Bridge status: ${e.message}`));
+      }
+      if (options.project) {
+        console.log(chalk8.blue(`Project context saved. Future commands will use this project.`));
+      }
+      try {
+        const migrationDir = path9.join(process.cwd(), "supabase", "migrations");
+        const files = await fs8.readdir(migrationDir);
+        const sqlFiles = files.filter((f) => f.endsWith(".sql")).sort();
+        if (sqlFiles.length > 0) {
+          const latestMigration = sqlFiles[sqlFiles.length - 1];
+          console.log(chalk8.dim(`
+\u{1F6E1}  Migration Guard:`));
+          console.log(chalk8.dim(`   Latest Local: ${latestMigration}`));
+          console.log(chalk8.yellow(`   \u26A0  Ensure DB schema matches this version. CLI cannot verify Remote RLS policies directly.`));
+        }
+      } catch (e) {
+      }
+      try {
+        const vaultResponse = await axios5.post(
+          `${apiUrl}/api/v1/vault/sync`,
+          { project_id: projectId },
+          { headers: { Authorization: `Bearer ${apiKey}` } }
+        );
+        if (vaultResponse.data.success) {
+          const vaultContent = vaultResponse.data.data.content || "";
+          const localEnvPath = path9.join(process.cwd(), ".env.local");
+          let localContent = "";
+          try {
+            localContent = await fs8.readFile(localEnvPath, "utf-8");
+          } catch (e) {
+          }
+          if (vaultContent.trim() !== localContent.trim()) {
+            console.log(chalk8.bold("\n\u{1F510} Sovereign Foundation (Vault):"));
+            console.log(chalk8.yellow("   Status: Drift Detected / Update Available"));
+            const { syncVault } = await import("inquirer").then((m) => m.default.prompt([{
+              type: "confirm",
+              name: "syncVault",
+              message: "Synchronize local .env.local with Vault secrets?",
+              default: false
+            }]));
+            if (syncVault) {
+              await fs8.writeFile(localEnvPath, vaultContent, "utf-8");
+              console.log(chalk8.green("   \u2705 .env.local synchronized with Vault."));
+            } else {
+              console.log(chalk8.dim("   Skipped vault sync."));
+            }
+          } else {
+            console.log(chalk8.dim("\n\u{1F510} Sovereign Foundation: Synced."));
+          }
+        }
+      } catch (e) {
+      }
+      console.log(chalk8.dim("\n\u{1F6E1}\uFE0F System Integrity Check..."));
+      await checkSystemIntegrity(apiUrl, apiKey, projectId);
+    } catch (error) {
+      if (axios5.isAxiosError(error)) {
+        const message = error.response?.data?.error || error.message;
+        spinner.fail(chalk8.red(`Sync failed: ${message}`));
+      } else {
+        spinner.fail(chalk8.red("Sync failed: " + (error.message || "Unknown error")));
+      }
+    }
+  });
+  return sync;
+}
+async function checkSystemIntegrity(apiUrl, apiKey, projectId) {
+  try {
+    const response = await axios5.get(`${apiUrl}/api/v1/system/integrity`, {
+      params: { project_id: projectId },
+      headers: { Authorization: `Bearer ${apiKey}` }
+    });
+    if (response.data.success) {
+      const { migrations, rls, guardian_violations } = response.data.data;
+      if (migrations) {
+        if (migrations.in_sync) {
+          console.log(chalk8.green(`   \u2705 Migrations synced (${migrations.count} versions)`));
+        } else {
+          console.log(chalk8.red(`   \u{1F6D1} CRITICAL: DB Schema out of sync! ${migrations.missing?.length || 0} migrations not applied.`));
+          if (migrations.missing?.length > 0) {
+            console.log(chalk8.dim(`      Missing: ${migrations.missing.slice(0, 3).join(", ")}${migrations.missing.length > 3 ? "..." : ""}`));
+          }
+          console.log(chalk8.yellow(`      Run 'supabase db push' or apply migrations immediately.`));
+        }
+      }
+      if (rls) {
+        if (rls.all_secured) {
+          console.log(chalk8.green(`   \u2705 RLS Audit Passed (${rls.table_count} tables secured)`));
+        } else {
+          console.log(chalk8.red(`   \u{1F6D1} CRITICAL: Security Vulnerability! ${rls.unsecured?.length || 0} tables have RLS disabled.`));
+          rls.unsecured?.forEach((table) => {
+            console.log(chalk8.red(`      - ${table}`));
+          });
+          console.log(chalk8.yellow('      Enable RLS immediately: ALTER TABLE "table" ENABLE ROW LEVEL SECURITY;'));
+        }
+      }
+      if (guardian_violations) {
+        if (guardian_violations.count === 0) {
+          console.log(chalk8.green("   \u2705 Guardian: No active violations"));
+        } else {
+          console.log(chalk8.yellow(`   \u26A0\uFE0F Guardian: ${guardian_violations.count} active violations`));
+          console.log(chalk8.dim('      Run "rigstate check" for details.'));
+        }
+      }
+    }
+  } catch (e) {
+    console.log(chalk8.dim("   (System integrity check skipped - API endpoint not available)"));
+  }
+}
+
+// src/commands/init.ts
+init_esm_shims();
+import { Command as Command6 } from "commander";
+import chalk9 from "chalk";
+import fs10 from "fs/promises";
+import path11 from "path";
+import ora4 from "ora";
+import { execSync } from "child_process";
+
+// src/utils/manifest.ts
+init_esm_shims();
+import fs9 from "fs/promises";
+import path10 from "path";
+async function loadManifest() {
+  try {
+    const manifestPath = path10.join(process.cwd(), ".rigstate");
+    const content = await fs9.readFile(manifestPath, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+
+// src/commands/init.ts
+init_config();
+import axios6 from "axios";
+function createInitCommand() {
+  return new Command6("init").description("Initialize or link a Rigstate project (interactive mode available)").argument("[project-id]", "ID of the project to link (optional, prompts if not provided)").option("-f, --force", "Overwrite existing .cursorrules file").option("--rules-only", "Only regenerate .cursorrules without interactive setup").action(async (projectIdArg, options) => {
+    const spinner = ora4("Initializing Rigstate project...").start();
+    let apiKey;
+    try {
+      apiKey = getApiKey();
+    } catch (e) {
+      spinner.fail(chalk9.red('Not authenticated. Run "rigstate login" first.'));
+      return;
+    }
+    const apiUrl = getApiUrl();
+    let projectId = projectIdArg;
+    try {
+      if (options.rulesOnly) {
+        const manifest = await loadManifest();
+        if (!manifest) {
+          spinner.fail('No .rigstate manifest found. Run "rigstate init" first.');
+          return;
+        }
+        projectId = manifest.project_id;
+        await generateRules(apiUrl, apiKey, projectId, options.force, spinner);
+        return;
+      }
+      if (!projectId) {
+        spinner.stop();
+        const inquirer4 = (await import("inquirer")).default;
+        spinner.start("Fetching your projects...");
+        let projects = [];
+        try {
+          const projectsResponse = await axios6.get(`${apiUrl}/api/v1/projects`, {
+            headers: { Authorization: `Bearer ${apiKey}` }
+          });
+          if (projectsResponse.data.success) {
+            projects = projectsResponse.data.data.projects || [];
+          }
+        } catch (e) {
+          spinner.info("Projects API not available. Using manual entry mode.");
+        }
+        spinner.stop();
+        if (projects.length === 0) {
+          const { manualProjectId } = await inquirer4.prompt([
+            {
+              type: "input",
+              name: "manualProjectId",
+              message: "Enter Project ID (from Rigstate dashboard):",
+              validate: (input) => input.trim() ? true : "Project ID is required"
+            }
+          ]);
+          projectId = manualProjectId;
+        } else {
+          const choices = [
+            { name: "\u2795 Create New Project", value: "NEW" },
+            new inquirer4.Separator()
+          ];
+          projects.forEach((p) => {
+            choices.push({
+              name: `[${p.organization_name || "Personal"}] ${p.name} (${p.status})`,
+              value: p.id
+            });
+          });
+          const { selectedId } = await inquirer4.prompt([
+            {
+              type: "list",
+              name: "selectedId",
+              message: "Select a project to link:",
+              choices,
+              pageSize: 15
+            }
+          ]);
+          if (selectedId === "NEW") {
+            const { newName } = await inquirer4.prompt([
+              {
+                type: "input",
+                name: "newName",
+                message: "Enter project name:",
+                validate: (input) => input.trim() ? true : "Name is required"
+              }
+            ]);
+            spinner.start("Fetching organizations...");
+            let orgs = [];
+            try {
+              const orgsResponse = await axios6.get(`${apiUrl}/api/v1/organizations`, {
+                headers: { Authorization: `Bearer ${apiKey}` }
+              });
+              orgs = orgsResponse.data.data?.organizations || [];
+            } catch (e) {
+            }
+            spinner.stop();
+            let selectedOrgId = orgs[0]?.id;
+            if (orgs.length > 1) {
+              const { orgId } = await inquirer4.prompt([
+                {
+                  type: "list",
+                  name: "orgId",
+                  message: "Which organization does this belong to?",
+                  choices: orgs.map((org) => ({
+                    name: `${org.name} (${org.role || "member"})`,
+                    value: org.id
+                  }))
+                }
+              ]);
+              selectedOrgId = orgId;
+            }
+            if (!selectedOrgId) {
+              console.log(chalk9.yellow("No organization available. Please create the project via the Rigstate dashboard."));
+              return;
+            }
+            spinner.start("Creating new project...");
+            try {
+              const createResponse = await axios6.post(`${apiUrl}/api/v1/projects`, {
+                name: newName,
+                organization_id: selectedOrgId
+              }, {
+                headers: { Authorization: `Bearer ${apiKey}` }
+              });
+              if (!createResponse.data.success) {
+                spinner.fail(chalk9.red("Failed to create project: " + createResponse.data.error));
+                return;
+              }
+              projectId = createResponse.data.data.project.id;
+              spinner.succeed(chalk9.green(`Created new project: ${newName}`));
+            } catch (e) {
+              spinner.fail(chalk9.red("Project creation API not available. Please create via dashboard."));
+              return;
+            }
+          } else {
+            projectId = selectedId;
+          }
+        }
+        spinner.start(`Linking to project ID: ${projectId}...`);
+      }
+      setProjectId(projectId);
+      const manifestPath = path11.join(process.cwd(), ".rigstate");
+      const manifestContent = {
+        project_id: projectId,
+        last_linked: (/* @__PURE__ */ new Date()).toISOString(),
+        api_url: apiUrl
+      };
+      await fs10.writeFile(manifestPath, JSON.stringify(manifestContent, null, 2), "utf-8");
+      try {
+        await fs10.access(".git");
+      } catch {
+        spinner.text = "Initializing git repository...";
+        execSync("git init", { stdio: "ignore" });
+      }
+      spinner.succeed(chalk9.green(`\u2705 Linked to project: ${projectId}`));
+      await generateRules(apiUrl, apiKey, projectId, options.force, spinner);
+      console.log("");
+      console.log(chalk9.blue("Next steps:"));
+      console.log(chalk9.dim("  rigstate sync     - Sync roadmap and context"));
+      console.log(chalk9.dim("  rigstate watch    - Start development loop"));
+      console.log(chalk9.dim("  rigstate focus    - Get current task"));
+    } catch (e) {
+      spinner.fail(chalk9.red("Initialization failed: " + e.message));
+    }
+  });
+}
+async function generateRules(apiUrl, apiKey, projectId, force, spinner) {
+  spinner.start("Generating AI rules (MDC + AGENTS.md)...");
+  try {
+    const response = await axios6.post(`${apiUrl}/api/v1/rules/generate`, {
+      project_id: projectId
+    }, {
+      headers: { Authorization: `Bearer ${apiKey}` }
+    });
+    if (response.data.success || response.data.files) {
+      const files = response.data.files || [];
+      if (files.length === 0 && response.data.rules) {
+        const rulesPath = path11.join(process.cwd(), ".cursorrules");
+        await fs10.writeFile(rulesPath, response.data.rules, "utf-8");
+        spinner.succeed(chalk9.green("\u2714 Generated .cursorrules (legacy mode)"));
+        return;
+      }
+      for (const file of files) {
+        const targetPath = path11.join(process.cwd(), file.path);
+        const targetDir = path11.dirname(targetPath);
+        await fs10.mkdir(targetDir, { recursive: true });
+        try {
+          await fs10.access(targetPath);
+          if (!force && !file.path.startsWith(".cursor/rules/")) {
+            console.log(chalk9.dim(`  ${file.path} already exists. Skipping.`));
+            continue;
+          }
+        } catch {
+        }
+        await fs10.writeFile(targetPath, file.content, "utf-8");
+      }
+      if (files.length > 0) {
+        const legacyPath = path11.join(process.cwd(), ".cursorrules");
+        try {
+          const stats = await fs10.stat(legacyPath);
+          if (stats.isFile()) {
+            await fs10.rename(legacyPath, `${legacyPath}.bak`);
+            console.log(chalk9.dim("  Moved legacy .cursorrules to .cursorrules.bak"));
+          }
+        } catch (e) {
+        }
+      }
+      spinner.succeed(chalk9.green(`\u2714 Generated ${files.length} rule files (v${response.data.version || "3.0"})`));
+    } else {
+      spinner.info(chalk9.dim("  Rules generation skipped (API response invalid)"));
+    }
+  } catch (e) {
+    spinner.info(chalk9.dim(`  Rules generation failed: ${e.message}`));
+  }
+}
+
+// src/commands/check.ts
+init_esm_shims();
+init_config();
+import { Command as Command7 } from "commander";
+import chalk11 from "chalk";
+import ora5 from "ora";
+import axios7 from "axios";
+import { glob as glob3 } from "glob";
+import fs12 from "fs/promises";
+import path13 from "path";
+import { execSync as execSync2 } from "child_process";
+
+// src/utils/rule-engine.ts
+init_esm_shims();
+import fs11 from "fs/promises";
+import path12 from "path";
+import chalk10 from "chalk";
+async function checkFile(filePath, rules, rootPath) {
+  const violations = [];
+  const relativePath = path12.relative(rootPath, filePath);
+  try {
+    const content = await fs11.readFile(filePath, "utf-8");
+    const lines = content.split("\n");
+    for (const rule of rules) {
+      const ruleViolations = await evaluateRule(rule, content, lines, relativePath);
+      violations.push(...ruleViolations);
+    }
+  } catch (error) {
+    violations.push({
+      file: relativePath,
+      rule: "FILE_READ_ERROR",
+      ruleType: "SYSTEM",
+      severity: "warning",
+      message: `Could not read file: ${error.message}`
+    });
+  }
+  return {
+    file: relativePath,
+    violations,
+    passed: violations.length === 0
+  };
+}
+async function evaluateRule(rule, content, lines, filePath) {
+  const violations = [];
+  switch (rule.rule_type) {
+    case "MAX_FILE_LINES": {
+      const value = rule.value;
+      const lineCount = lines.length;
+      if (lineCount > value.limit) {
+        violations.push({
+          file: filePath,
+          rule: rule.rule_name,
+          ruleType: rule.rule_type,
+          severity: "critical",
+          message: `File exceeds ${value.limit} lines`,
+          details: `Current: ${lineCount} lines (limit: ${value.limit})`
+        });
+      } else if (value.warning_threshold && lineCount > value.warning_threshold) {
+        violations.push({
+          file: filePath,
+          rule: rule.rule_name,
+          ruleType: rule.rule_type,
+          severity: "warning",
+          message: `File approaching line limit`,
+          details: `Current: ${lineCount} lines (warning at: ${value.warning_threshold}, limit: ${value.limit})`
+        });
+      }
+      break;
+    }
+    case "MAX_FUNCTION_LINES": {
+      const value = rule.value;
+      const functionViolations = checkFunctionLines(content, lines, filePath, rule, value.limit);
+      violations.push(...functionViolations);
+      break;
+    }
+    case "PATTERN_FORBIDDEN": {
+      const value = rule.value;
+      const pattern = new RegExp(value.pattern, "g");
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNumber = content.substring(0, match.index).split("\n").length;
+        violations.push({
+          file: filePath,
+          rule: rule.rule_name,
+          ruleType: rule.rule_type,
+          severity: rule.severity,
+          message: value.message || `Forbidden pattern found: ${value.pattern}`,
+          line: lineNumber,
+          details: `Found: "${match[0].substring(0, 50)}${match[0].length > 50 ? "..." : ""}"`
+        });
+      }
+      break;
+    }
+    case "PATTERN_REQUIRED": {
+      const value = rule.value;
+      const pattern = new RegExp(value.pattern);
+      const shouldCheck = !value.context || filePath.includes(value.context);
+      if (shouldCheck && !pattern.test(content)) {
+        violations.push({
+          file: filePath,
+          rule: rule.rule_name,
+          ruleType: rule.rule_type,
+          severity: rule.severity,
+          message: `Required pattern not found: ${value.pattern}`,
+          details: value.context ? `Expected in files matching: ${value.context}` : void 0
+        });
+      }
+      break;
+    }
+    case "NAMING_CONVENTION": {
+      const value = rule.value;
+      const pattern = new RegExp(value.pattern);
+      const fileName = path12.basename(filePath);
+      if (filePath.includes(value.context) && !pattern.test(fileName)) {
+        violations.push({
+          file: filePath,
+          rule: rule.rule_name,
+          ruleType: rule.rule_type,
+          severity: rule.severity,
+          message: `File name does not match naming convention`,
+          details: `Expected pattern: ${value.pattern}`
+        });
+      }
+      break;
+    }
+    default:
+      break;
+  }
+  return violations;
+}
+function checkFunctionLines(content, lines, filePath, rule, limit) {
+  const violations = [];
+  const functionPatterns = [
+    /(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\([^)]*\)\s*\{/g,
+    /(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?\([^)]*\)\s*=>\s*\{/g,
+    /(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?function\s*\([^)]*\)\s*\{/g,
+    /(\w+)\s*\([^)]*\)\s*\{/g
+    // Method in class/object
+  ];
+  for (const pattern of functionPatterns) {
+    let match;
+    while ((match = pattern.exec(content)) !== null) {
+      const functionName = match[1];
+      const startIndex = match.index + match[0].length - 1;
+      let braceCount = 1;
+      let endIndex = startIndex + 1;
+      while (braceCount > 0 && endIndex < content.length) {
+        if (content[endIndex] === "{") braceCount++;
+        else if (content[endIndex] === "}") braceCount--;
+        endIndex++;
+      }
+      const functionContent = content.substring(startIndex, endIndex);
+      const functionLines = functionContent.split("\n").length;
+      if (functionLines > limit) {
+        const lineNumber = content.substring(0, match.index).split("\n").length;
+        violations.push({
+          file: filePath,
+          rule: rule.rule_name,
+          ruleType: rule.rule_type,
+          severity: rule.severity,
+          message: `Function "${functionName}" exceeds ${limit} lines`,
+          line: lineNumber,
+          details: `Current: ${functionLines} lines (limit: ${limit})`
+        });
+      }
+    }
+  }
+  return violations;
+}
+function formatViolations(violations) {
+  for (const v of violations) {
+    const severityColor = v.severity === "critical" ? chalk10.red : v.severity === "warning" ? chalk10.yellow : chalk10.blue;
+    const lineInfo = v.line ? chalk10.dim(`:${v.line}`) : "";
+    console.log(`  ${severityColor(`[${v.severity.toUpperCase()}]`)} ${v.file}${lineInfo}`);
+    console.log(`    ${v.message}`);
+    if (v.details) {
+      console.log(`    ${chalk10.dim(v.details)}`);
+    }
+  }
+}
+function summarizeResults(results) {
+  let criticalCount = 0;
+  let warningCount = 0;
+  let infoCount = 0;
+  for (const result of results) {
+    for (const v of result.violations) {
+      if (v.severity === "critical") criticalCount++;
+      else if (v.severity === "warning") warningCount++;
+      else infoCount++;
+    }
+  }
+  return {
+    totalFiles: results.length,
+    totalViolations: criticalCount + warningCount + infoCount,
+    criticalCount,
+    warningCount,
+    infoCount
+  };
+}
+
+// src/commands/check.ts
+var CACHE_FILE2 = ".rigstate/rules-cache.json";
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var CACHE_MAX_AGE_MS = 24 * 60 * 60 * 1e3;
+function createCheckCommand() {
+  return new Command7("check").description("Validate code against Guardian architectural rules").argument("[path]", "Directory or file to check", ".").option("--project <id>", "Project ID (or use .rigstate manifest)").option("--strict [level]", 'Exit 1 on violations. Level: "all" (default) or "critical"').option("--staged", "Only check git staged files (for pre-commit hooks)").option("--json", "Output results as JSON").option("--no-cache", "Skip rule cache and fetch fresh from API").action(async (targetPath, options) => {
+    const spinner = ora5();
+    try {
+      let projectId = options.project;
+      let apiUrl = getApiUrl();
+      if (!projectId) {
+        const manifest = await loadManifest();
+        if (manifest) {
+          projectId = manifest.project_id;
+          if (manifest.api_url) apiUrl = manifest.api_url;
+        }
+      }
+      if (!projectId) {
+        projectId = getProjectId();
+      }
+      if (!projectId) {
+        console.log(chalk11.red("\u274C No project context found."));
+        console.log(chalk11.dim('   Run "rigstate link" or pass --project <id>'));
+        process.exit(2);
+      }
+      let apiKey;
+      try {
+        apiKey = getApiKey();
+      } catch {
+        console.log(chalk11.red('\u274C Not authenticated. Run "rigstate login" first.'));
+        process.exit(2);
+      }
+      spinner.start("Fetching Guardian rules...");
+      let rules;
+      let settings;
+      try {
+        const cached = options.cache !== false ? await loadCachedRules(projectId) : null;
+        if (cached && !isStale(cached.timestamp, CACHE_TTL_MS)) {
+          rules = cached.rules;
+          settings = cached.settings;
+          spinner.text = "Using cached rules...";
+        } else {
+          const response = await axios7.get(`${apiUrl}/api/v1/guardian/rules`, {
+            params: { project_id: projectId },
+            headers: { Authorization: `Bearer ${apiKey}` },
+            timeout: 1e4
+          });
+          if (!response.data.success) {
+            throw new Error(response.data.error || "Unknown API error");
+          }
+          rules = response.data.data.rules;
+          settings = response.data.data.settings;
+          await saveCachedRules(projectId, rules, settings);
+        }
+      } catch (apiError) {
+        const cached = await loadCachedRules(projectId);
+        if (cached && !isStale(cached.timestamp, CACHE_MAX_AGE_MS)) {
+          spinner.warn(chalk11.yellow("Using cached rules (API unavailable)"));
+          rules = cached.rules;
+          settings = cached.settings;
+        } else {
+          spinner.fail(chalk11.red("Failed to fetch rules and no valid cache"));
+          console.log(chalk11.dim(`   Error: ${apiError.message}`));
+          process.exit(2);
+        }
+      }
+      spinner.succeed(`Loaded ${rules.length} Guardian rules`);
+      const scanPath = path13.resolve(process.cwd(), targetPath);
+      let filesToCheck;
+      if (options.staged) {
+        spinner.start("Getting staged files...");
+        try {
+          const stagedOutput = execSync2("git diff --cached --name-only --diff-filter=ACMR", {
+            encoding: "utf-8",
+            cwd: process.cwd()
+          });
+          filesToCheck = stagedOutput.split("\n").filter((f) => f.trim()).filter((f) => isCodeFile2(f)).map((f) => path13.resolve(process.cwd(), f));
+        } catch {
+          spinner.fail("Not a git repository or no staged files");
+          process.exit(2);
+        }
+      } else {
+        spinner.start(`Scanning ${chalk11.cyan(targetPath)}...`);
+        const pattern = path13.join(scanPath, "**/*");
+        const allFiles = await glob3(pattern, {
+          nodir: true,
+          dot: false,
+          ignore: [
+            "**/node_modules/**",
+            "**/.git/**",
+            "**/dist/**",
+            "**/build/**",
+            "**/.next/**",
+            "**/coverage/**"
+          ]
+        });
+        filesToCheck = allFiles.filter((f) => isCodeFile2(f));
+      }
+      if (filesToCheck.length === 0) {
+        spinner.warn(chalk11.yellow("No code files found to check."));
+        outputResults([], !!options.json);
+        process.exit(0);
+      }
+      spinner.succeed(`Found ${filesToCheck.length} files to check`);
+      spinner.start("Running Guardian checks...");
+      const results = [];
+      for (let i = 0; i < filesToCheck.length; i++) {
+        const file = filesToCheck[i];
+        spinner.text = `Checking ${i + 1}/${filesToCheck.length}: ${path13.basename(file)}`;
+        const result = await checkFile(file, rules, process.cwd());
+        results.push(result);
+      }
+      spinner.stop();
+      const summary = summarizeResults(results);
+      if (options.json) {
+        outputResults(results, true);
+      } else {
+        outputResults(results, false);
+        console.log("\n" + chalk11.bold("\u{1F4CA} Summary"));
+        console.log(chalk11.dim("\u2500".repeat(50)));
+        console.log(`Files checked: ${chalk11.cyan(summary.totalFiles)}`);
+        console.log(`Total violations: ${summary.totalViolations > 0 ? chalk11.red(summary.totalViolations) : chalk11.green(0)}`);
+        if (summary.totalViolations > 0) {
+          console.log(`  ${chalk11.red("Critical:")} ${summary.criticalCount}`);
+          console.log(`  ${chalk11.yellow("Warning:")} ${summary.warningCount}`);
+          console.log(`  ${chalk11.blue("Info:")} ${summary.infoCount}`);
+        }
+        console.log(chalk11.dim("\u2500".repeat(50)));
+      }
+      if (options.strict !== void 0) {
+        const strictLevel = typeof options.strict === "string" ? options.strict : "all";
+        if (strictLevel === "critical" && summary.criticalCount > 0) {
+          console.log(chalk11.red("\n\u274C Check failed: Critical violations found"));
+          process.exit(1);
+        } else if (strictLevel === "all" && summary.totalViolations > 0) {
+          console.log(chalk11.red("\n\u274C Check failed: Violations found"));
+          process.exit(1);
+        }
+      }
+      if (summary.totalViolations === 0) {
+        console.log(chalk11.green("\n\u2705 All checks passed!"));
+      }
+      process.exit(0);
+    } catch (error) {
+      spinner.fail(chalk11.red("Check failed"));
+      console.error(chalk11.red("Error:"), error.message);
+      process.exit(2);
+    }
+  });
+}
+function isCodeFile2(filePath) {
+  const codeExtensions = [".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"];
+  const ext = path13.extname(filePath).toLowerCase();
+  return codeExtensions.includes(ext);
+}
+async function loadCachedRules(projectId) {
+  try {
+    const cachePath = path13.join(process.cwd(), CACHE_FILE2);
+    const content = await fs12.readFile(cachePath, "utf-8");
+    const cached = JSON.parse(content);
+    if (cached.projectId !== projectId) {
+      return null;
+    }
+    return cached;
+  } catch {
+    return null;
+  }
+}
+async function saveCachedRules(projectId, rules, settings) {
+  try {
+    const cacheDir = path13.join(process.cwd(), ".rigstate");
+    await fs12.mkdir(cacheDir, { recursive: true });
+    const cached = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      projectId,
+      rules,
+      settings
+    };
+    await fs12.writeFile(
+      path13.join(cacheDir, "rules-cache.json"),
+      JSON.stringify(cached, null, 2)
+    );
+  } catch {
+  }
+}
+function isStale(timestamp, maxAge) {
+  const age = Date.now() - new Date(timestamp).getTime();
+  return age > maxAge;
+}
+function outputResults(results, json) {
+  if (json) {
+    console.log(JSON.stringify({
+      results,
+      summary: summarizeResults(results)
+    }, null, 2));
+    return;
+  }
+  const hasViolations = results.some((r) => r.violations.length > 0);
+  if (!hasViolations) {
+    return;
+  }
+  console.log("\n" + chalk11.bold("\u{1F50D} Violations Found"));
+  console.log(chalk11.dim("\u2500".repeat(50)));
+  for (const result of results) {
+    if (result.violations.length > 0) {
+      formatViolations(result.violations);
+    }
+  }
+}
+
+// src/commands/hooks.ts
+init_esm_shims();
+import { Command as Command8 } from "commander";
+import chalk12 from "chalk";
+import fs13 from "fs/promises";
+import path14 from "path";
+var PRE_COMMIT_SCRIPT = `#!/bin/sh
+# Rigstate Guardian Pre-commit Hook
+# Installed by: rigstate hooks install
+
+# 1. Silent Sentinel Check (Phase 5)
+if [ -f .rigstate/guardian.lock ]; then
+    echo "\u{1F6D1} INTERVENTION ACTIVE: Commit blocked by Silent Sentinel."
+    echo "   A critical violation ('HARD_LOCK') was detected by the Guardian Daemon."
+    echo "   Please fix the violation to unlock the repo."
+    echo ""
+    if grep -q "HARD_LOCK_ACTIVE" .rigstate/guardian.lock; then
+        cat .rigstate/guardian.lock
+    fi
+    exit 1
+fi
+
+echo "\u{1F6E1}\uFE0F  Running Guardian checks..."
+
+# Run check with strict mode for critical violations
+rigstate check --staged --strict=critical
+
+# Exit with the same code as rigstate check
+exit $?
+`;
+function createHooksCommand() {
+  const hooks = new Command8("hooks").description("Manage git hooks for Guardian integration");
+  hooks.command("install").description("Install pre-commit hook to run Guardian checks").option("--strict [level]", 'Strict level: "all" or "critical" (default)', "critical").action(async (options) => {
+    try {
+      const gitDir = path14.join(process.cwd(), ".git");
+      try {
+        await fs13.access(gitDir);
+      } catch {
+        console.log(chalk12.red("\u274C Not a git repository."));
+        console.log(chalk12.dim('   Initialize with "git init" first.'));
+        process.exit(1);
+      }
+      const hooksDir = path14.join(gitDir, "hooks");
+      await fs13.mkdir(hooksDir, { recursive: true });
+      const preCommitPath = path14.join(hooksDir, "pre-commit");
+      let existingContent = "";
+      try {
+        existingContent = await fs13.readFile(preCommitPath, "utf-8");
+        if (existingContent.includes("rigstate")) {
+          console.log(chalk12.yellow("\u26A0 Rigstate pre-commit hook already installed."));
+          console.log(chalk12.dim('   Use "rigstate hooks uninstall" to remove first.'));
+          return;
+        }
+      } catch {
+      }
+      let script = PRE_COMMIT_SCRIPT;
+      if (options.strict === "all") {
+        script = script.replace("--strict=critical", "--strict");
+      }
+      if (existingContent && !existingContent.includes("rigstate")) {
+        const combinedScript = existingContent + "\n\n" + script.replace("#!/bin/sh\n", "");
+        await fs13.writeFile(preCommitPath, combinedScript, { mode: 493 });
+        console.log(chalk12.green("\u2705 Rigstate hook appended to existing pre-commit."));
+      } else {
+        await fs13.writeFile(preCommitPath, script, { mode: 493 });
+        console.log(chalk12.green("\u2705 Pre-commit hook installed!"));
+      }
+      console.log(chalk12.dim(`   Path: ${preCommitPath}`));
+      console.log(chalk12.dim(`   Strict level: ${options.strict}`));
+      console.log("");
+      console.log(chalk12.cyan("Guardian will now check your code before each commit."));
+      console.log(chalk12.dim('Use "rigstate hooks uninstall" to remove the hook.'));
+    } catch (error) {
+      console.error(chalk12.red("Failed to install hook:"), error.message);
+      process.exit(1);
+    }
+  });
+  hooks.command("uninstall").description("Remove Rigstate pre-commit hook").action(async () => {
+    try {
+      const preCommitPath = path14.join(process.cwd(), ".git", "hooks", "pre-commit");
+      try {
+        const content = await fs13.readFile(preCommitPath, "utf-8");
+        if (!content.includes("rigstate")) {
+          console.log(chalk12.yellow("\u26A0 No Rigstate hook found in pre-commit."));
+          return;
+        }
+        if (content.includes("# Rigstate Guardian Pre-commit Hook") && content.trim().split("\n").filter((l) => l && !l.startsWith("#")).length <= 4) {
+          await fs13.unlink(preCommitPath);
+          console.log(chalk12.green("\u2705 Pre-commit hook removed."));
+        } else {
+          const lines = content.split("\n");
+          const filteredLines = [];
+          let inRigstateSection = false;
+          for (const line of lines) {
+            if (line.includes("Rigstate Guardian Pre-commit Hook")) {
+              inRigstateSection = true;
+              continue;
+            }
+            if (inRigstateSection && line.includes("exit $?")) {
+              inRigstateSection = false;
+              continue;
+            }
+            if (!inRigstateSection && !line.includes("rigstate check")) {
+              filteredLines.push(line);
+            }
+          }
+          await fs13.writeFile(preCommitPath, filteredLines.join("\n"), { mode: 493 });
+          console.log(chalk12.green("\u2705 Rigstate section removed from pre-commit hook."));
+        }
+      } catch {
+        console.log(chalk12.yellow("\u26A0 No pre-commit hook found."));
+      }
+    } catch (error) {
+      console.error(chalk12.red("Failed to uninstall hook:"), error.message);
+      process.exit(1);
+    }
+  });
+  return hooks;
+}
+
+// src/commands/daemon.ts
+init_esm_shims();
+import { Command as Command9 } from "commander";
+import chalk15 from "chalk";
+import ora6 from "ora";
+import fs17 from "fs/promises";
+import path19 from "path";
+
+// src/daemon/factory.ts
+init_esm_shims();
+
+// src/daemon/core.ts
+init_esm_shims();
+import chalk14 from "chalk";
+import * as fs16 from "fs/promises";
+import { EventEmitter as EventEmitter3 } from "events";
+
+// src/daemon/file-watcher.ts
+init_esm_shims();
+import * as chokidar from "chokidar";
+import path15 from "path";
+import { EventEmitter } from "events";
+var CODE_EXTENSIONS = [".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"];
+function isCodeFile3(filePath) {
+  const ext = path15.extname(filePath).toLowerCase();
+  return CODE_EXTENSIONS.includes(ext);
+}
+function createFileWatcher(watchPath) {
+  const emitter = new EventEmitter();
+  let watcher = null;
+  emitter.start = () => {
+    const absolutePath = path15.resolve(process.cwd(), watchPath);
+    watcher = chokidar.watch(absolutePath, {
+      ignored: (path24) => {
+        if (path24.includes("node_modules")) return true;
+        if (path24.includes(".git")) return true;
+        if (path24.includes(".next")) return true;
+        if (path24.includes("dist")) return true;
+        if (path24.includes("build")) return true;
+        if (path24.includes(".rigstate")) return true;
+        if (path24.includes("coverage")) return true;
+        return false;
+      },
+      persistent: true,
+      ignoreInitial: true,
+      depth: 15,
+      awaitWriteFinish: {
+        stabilityThreshold: 200,
+        pollInterval: 100
+      },
+      usePolling: false,
+      // Use native events when possible
+      interval: 300,
+      binaryInterval: 1e3
+    });
+    watcher.on("change", (filePath) => {
+      if (isCodeFile3(filePath)) {
+        emitter.emit("change", path15.relative(process.cwd(), filePath));
+      }
+    });
+    watcher.on("add", (filePath) => {
+      if (isCodeFile3(filePath)) {
+        emitter.emit("add", path15.relative(process.cwd(), filePath));
+      }
+    });
+    watcher.on("unlink", (filePath) => {
+      if (isCodeFile3(filePath)) {
+        emitter.emit("unlink", path15.relative(process.cwd(), filePath));
+      }
+    });
+    watcher.on("error", (error) => {
+      emitter.emit("error", error);
+    });
+    watcher.on("ready", () => {
+      emitter.emit("ready");
+    });
+  };
+  emitter.stop = async () => {
+    if (watcher) {
+      await watcher.close();
+      watcher = null;
+    }
+  };
+  return emitter;
+}
+
+// src/daemon/heuristic-engine.ts
+init_esm_shims();
+import { readFile, writeFile, mkdir } from "fs/promises";
+import { dirname } from "path";
+import path16 from "path";
+import axios8 from "axios";
+var GLOBAL_HEURISTICS = [
+  {
+    skillId: "payment-expert",
+    patterns: {
+      imports: ["@stripe/", "stripe"],
+      content: ["PaymentIntent", "CheckoutSession"]
+    },
+    confidence: "high"
+  },
+  {
+    skillId: "rigstate-integrity-gate",
+    patterns: {
+      files: ["**/release.config.js", "**/manifest.json", "**/.rigstate/release/*"],
+      content: ["[CORE INTEGRITY]", "prepare_release"]
+    },
+    confidence: "high"
+  },
+  {
+    skillId: "database-architect",
+    patterns: {
+      files: ["**/*.sql", "**/schema.prisma", "**/migrations/*"],
+      imports: ["@supabase/supabase-js", "drizzle-orm", "prisma"]
+    },
+    confidence: "medium"
+  }
+];
+var HeuristicEngine = class {
+  rules = [];
+  cachePath;
+  constructor() {
+    this.cachePath = path16.join(process.cwd(), ".rigstate", "cache", "heuristics.json");
+    this.loadRules();
+  }
+  async loadRules() {
+    try {
+      const cached = await readFile(this.cachePath, "utf-8");
+      const data = JSON.parse(cached);
+      if (Array.isArray(data) && data.length > 0) {
+        this.rules = data;
+        return;
+      }
+    } catch (e) {
+    }
+    this.rules = GLOBAL_HEURISTICS;
+  }
+  async refreshRules(projectId, apiUrl, apiKey) {
+    try {
+      await mkdir(dirname(this.cachePath), { recursive: true });
+      const endpoint = `${apiUrl}/api/v1/skills/triggers`;
+      const response = await axios8.get(endpoint, {
+        headers: {
+          "x-api-key": apiKey,
+          "Content-Type": "application/json"
+        }
+      });
+      if (response.data && Array.isArray(response.data.triggers)) {
+        const cloudRules = response.data.triggers;
+        await writeFile(this.cachePath, JSON.stringify(cloudRules, null, 2));
+        this.rules = cloudRules;
+        return true;
+      }
+    } catch (error) {
+      return false;
+    }
+  }
+  async analyzeFile(filePath, metrics) {
+    try {
+      const content = await readFile(filePath, "utf-8");
+      const matches = [];
+      const activeRules = this.rules.length > 0 ? this.rules : GLOBAL_HEURISTICS;
+      for (const heuristic of activeRules) {
+        const match = this.checkHeuristic(filePath, content, heuristic, metrics);
+        if (match) {
+          matches.push(match);
+        }
+      }
+      return matches;
+    } catch (error) {
+      return [];
+    }
+  }
+  checkHeuristic(filePath, content, heuristic, metrics) {
+    if (heuristic.patterns.metric_threshold && metrics) {
+      const lineLimitRule = metrics.rules.find((r) => r.rule_type === "MAX_FILE_LINES");
+      if (lineLimitRule) {
+        const limit = lineLimitRule.value.limit;
+        const threshold = limit * heuristic.patterns.metric_threshold;
+        if (metrics.lineCount >= threshold && metrics.lineCount < limit) {
+          return {
+            skillId: heuristic.skillId,
+            file: filePath,
+            reason: `File reached ${Math.round(metrics.lineCount / limit * 100)}% of its line limit (${metrics.lineCount}/${limit})`,
+            confidence: "high"
+          };
+        }
+      }
+    }
+    if (heuristic.patterns.files) {
+      const matchesFile = heuristic.patterns.files.some((pattern) => {
+        if (pattern.startsWith("**/*")) return filePath.endsWith(pattern.replace("**/*", ""));
+        return filePath.includes(pattern);
+      });
+      if (matchesFile) {
+        return {
+          skillId: heuristic.skillId,
+          file: filePath,
+          reason: `Matches file pattern: ${heuristic.patterns.files.join(", ")}`,
+          confidence: heuristic.confidence
+        };
+      }
+    }
+    if (heuristic.patterns.imports) {
+      for (const imp of heuristic.patterns.imports) {
+        const importRegex = new RegExp(`(import .* from ['"]${imp}|require\\(['"]${imp})`, "i");
+        if (importRegex.test(content)) {
+          return {
+            skillId: heuristic.skillId,
+            file: filePath,
+            reason: `Detected import: ${imp}`,
+            confidence: heuristic.confidence
+          };
+        }
+      }
+    }
+    if (heuristic.patterns.content) {
+      for (const pattern of heuristic.patterns.content) {
+        if (content.includes(pattern)) {
+          return {
+            skillId: heuristic.skillId,
+            file: filePath,
+            reason: `Detected content pattern: ${pattern}`,
+            confidence: heuristic.confidence
+          };
+        }
+      }
+    }
+    return null;
+  }
+};
+function createHeuristicEngine() {
+  return new HeuristicEngine();
+}
+
+// src/daemon/intervention-protocol.ts
+init_esm_shims();
+import chalk13 from "chalk";
+import * as fs14 from "fs";
+import * as path17 from "path";
+var InterventionProtocol = class {
+  activeViolators = /* @__PURE__ */ new Set();
+  /**
+   * Registers a violation outcome to update the global lock state.
+   */
+  registerViolation(filePath, decision) {
+    if (decision.mode === "HARD_LOCK") {
+      this.activeViolators.add(filePath);
+      this.syncLockFile();
+    }
+  }
+  /**
+   * Clears any active locks for a specific file (e.g. after a fix).
+   */
+  clear(filePath) {
+    if (this.activeViolators.has(filePath)) {
+      this.activeViolators.delete(filePath);
+      this.syncLockFile();
+    }
+  }
+  syncLockFile() {
+    try {
+      const lockDir = path17.join(process.cwd(), ".rigstate");
+      if (!fs14.existsSync(lockDir)) fs14.mkdirSync(lockDir, { recursive: true });
+      const lockPath = path17.join(lockDir, "guardian.lock");
+      if (this.activeViolators.size > 0) {
+        const content = `HARD_LOCK_ACTIVE
+Timestamp: ${(/* @__PURE__ */ new Date()).toISOString()}
+
+Blocking Files:
+${Array.from(this.activeViolators).join("\n")}`;
+        fs14.writeFileSync(lockPath, content, "utf-8");
+      } else {
+        if (fs14.existsSync(lockPath)) fs14.unlinkSync(lockPath);
+      }
+    } catch (e) {
+      console.error("Failed to sync guardian lock file:", e);
+    }
+  }
+  /**
+   * Evaluate a Heuristic Trigger (Preventative)
+   */
+  evaluateTrigger(skillId, confidence) {
+    if (skillId === "rigstate-integrity-gate") {
+      return {
+        mode: "SOFT_LOCK",
+        message: "Integrity Gate detected. Release Manifest required before final push.",
+        blockCommit: false
+        // Soft lock just warns
+      };
+    }
+    return {
+      mode: "OPEN",
+      message: `Predictive activation: ${skillId}`,
+      blockCommit: false
+    };
+  }
+  /**
+   * Evaluate a Guardian Violation (Corrective)
+   */
+  evaluateViolation(ruleId, severity) {
+    if (severity === "critical" || severity === "error") {
+      return {
+        mode: "HARD_LOCK",
+        message: `CRITICAL VIOLATION: ${ruleId}. System Integrity Compromised.`,
+        blockCommit: true
+      };
+    }
+    if (severity === "warning") {
+      return {
+        mode: "SOFT_LOCK",
+        message: `Warning: ${ruleId}. Review recommended.`,
+        blockCommit: false
+      };
+    }
+    return {
+      mode: "OPEN",
+      message: "Info notice.",
+      blockCommit: false
+    };
+  }
+  /**
+   * Logs the intervention to the console with appropriate visual weight
+   */
+  enforce(decision) {
+    if (decision.mode === "OPEN") return;
+    const icon = decision.mode === "HARD_LOCK" ? "\u{1F6AB}" : "\u26A0\uFE0F";
+    const color = decision.mode === "HARD_LOCK" ? chalk13.bgRed.white.bold : chalk13.yellow.bold;
+    console.log("\n" + color(` ${icon} [${decision.mode}] INTERVENTION `));
+    console.log(chalk13.redBright(` ${decision.message}`));
+    if (decision.blockCommit) {
+      console.log(chalk13.dim(" \u{1F512} Commit functionality is logically suspended until fixed."));
+    }
+  }
+};
+function createInterventionProtocol() {
+  return new InterventionProtocol();
+}
+
+// src/daemon/guardian-monitor.ts
+init_esm_shims();
+import axios9 from "axios";
+import fs15 from "fs/promises";
+import path18 from "path";
+var CACHE_FILE3 = ".rigstate/rules-cache.json";
+var CACHE_TTL_MS2 = 5 * 60 * 1e3;
+function createGuardianMonitor(projectId, apiUrl, apiKey) {
+  let rules = [];
+  let lastFetch = 0;
+  const loadRules = async () => {
+    if (rules.length > 0 && Date.now() - lastFetch < CACHE_TTL_MS2) {
+      return;
+    }
+    try {
+      const response = await axios9.get(`${apiUrl}/api/v1/guardian/rules`, {
+        params: { project_id: projectId },
+        headers: { Authorization: `Bearer ${apiKey}` },
+        timeout: 1e4
+      });
+      if (response.data.success && response.data.data.rules) {
+        rules = response.data.data.rules;
+        lastFetch = Date.now();
+        await saveCachedRules2(projectId, rules);
+        return;
+      }
+    } catch (error) {
+      const cached = await loadCachedRules2(projectId);
+      if (cached) {
+        rules = cached.rules;
+        lastFetch = Date.now();
+        return;
+      }
+    }
+    rules = [];
+  };
+  const checkFileImpl = async (filePath) => {
+    await loadRules();
+    if (rules.length === 0) {
+      return {
+        file: filePath,
+        violations: [],
+        passed: true
+      };
+    }
+    const absolutePath = path18.resolve(process.cwd(), filePath);
+    return checkFile(absolutePath, rules, process.cwd());
+  };
+  const getRuleCount = () => rules.length;
+  const getRules = () => rules;
+  return {
+    loadRules,
+    checkFile: checkFileImpl,
+    getRuleCount,
+    getRules
+  };
+}
+async function loadCachedRules2(projectId) {
+  try {
+    const cachePath = path18.join(process.cwd(), CACHE_FILE3);
+    const content = await fs15.readFile(cachePath, "utf-8");
+    const cached = JSON.parse(content);
+    if (cached.projectId !== projectId) {
+      return null;
+    }
+    return cached;
+  } catch {
+    return null;
+  }
+}
+async function saveCachedRules2(projectId, rules) {
+  try {
+    const cacheDir = path18.join(process.cwd(), ".rigstate");
+    await fs15.mkdir(cacheDir, { recursive: true });
+    const cached = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      projectId,
+      rules,
+      settings: { lmax: 400, lmax_warning: 350 }
+    };
+    await fs15.writeFile(
+      path18.join(cacheDir, "rules-cache.json"),
+      JSON.stringify(cached, null, 2)
+    );
+  } catch {
+  }
+}
+
+// src/daemon/bridge-listener.ts
+init_esm_shims();
+import axios10 from "axios";
+import { EventEmitter as EventEmitter2 } from "events";
+var POLL_INTERVAL_MS = 5e3;
+function createBridgeListener(projectId, apiUrl, apiKey) {
+  const emitter = new EventEmitter2();
+  let pollInterval = null;
+  let isConnected = false;
+  let lastCheckedId = null;
+  const checkBridge = async () => {
+    try {
+      const response = await axios10.get(`${apiUrl}/api/v1/agent/bridge`, {
+        params: {
+          project_id: projectId,
+          action: "check"
+        },
+        headers: { Authorization: `Bearer ${apiKey}` },
+        timeout: 1e4
+      });
+      if (response.data.success && response.data.data?.task) {
+        const task = response.data.data.task;
+        if (task.id !== lastCheckedId) {
+          lastCheckedId = task.id;
+          if (task.proposal?.startsWith("ping")) {
+            emitter.emit("ping");
+            await acknowledgePing(task.id);
+          } else {
+            emitter.emit("task", task);
+          }
+        }
+      }
+    } catch (error) {
+      if (error.code !== "ECONNREFUSED" && error.code !== "ETIMEDOUT") {
+        emitter.emit("error", error);
+      }
+    }
+  };
+  const acknowledgePing = async (taskId) => {
+    try {
+      await axios10.post(`${apiUrl}/api/v1/agent/bridge`, {
+        project_id: projectId,
+        action: "update",
+        bridge_id: taskId,
+        status: "COMPLETED",
+        summary: "Pong! Guardian Daemon is active."
+      }, {
+        headers: { Authorization: `Bearer ${apiKey}` },
+        timeout: 5e3
+      });
+    } catch {
+    }
+  };
+  emitter.connect = async () => {
+    if (isConnected) return;
+    await checkBridge();
+    pollInterval = setInterval(checkBridge, POLL_INTERVAL_MS);
+    isConnected = true;
+    emitter.emit("connected");
+  };
+  emitter.disconnect = async () => {
+    if (pollInterval) {
+      clearInterval(pollInterval);
+      pollInterval = null;
+    }
+    isConnected = false;
+    emitter.emit("disconnected");
+  };
+  return emitter;
+}
+
+// src/daemon/telemetry.ts
+init_esm_shims();
+import axios11 from "axios";
+async function trackSkillUsage(apiUrl, apiKey, projectId, skillId) {
+  try {
+    await axios11.post(`${apiUrl}/api/v1/skills/usage`, {
+      projectId,
+      skillName: skillId,
+      status: "ACTIVATED"
+    }, {
+      headers: { "x-api-key": apiKey }
+    });
+  } catch (e) {
+  }
+}
+
+// src/daemon/core.ts
+init_skills_provisioner();
+var GuardianDaemon = class extends EventEmitter3 {
+  config;
+  state;
+  fileWatcher = null;
+  guardianMonitor = null;
+  heuristicEngine = null;
+  interventionProtocol = null;
+  bridgeListener = null;
+  constructor(config2) {
+    super();
+    this.config = config2;
+    this.state = {
+      isRunning: false,
+      startedAt: null,
+      filesChecked: 0,
+      violationsFound: 0,
+      tasksProcessed: 0,
+      lastActivity: null
+    };
+  }
+  async start() {
+    if (this.state.isRunning) {
+      console.log(chalk14.yellow("Daemon is already running."));
+      return;
+    }
+    this.printWelcome();
+    this.state.isRunning = true;
+    this.state.startedAt = (/* @__PURE__ */ new Date()).toISOString();
+    this.heuristicEngine = createHeuristicEngine();
+    this.interventionProtocol = createInterventionProtocol();
+    this.guardianMonitor = createGuardianMonitor(this.config.projectId, this.config.apiUrl, this.config.apiKey);
+    await this.guardianMonitor.loadRules();
+    console.log(chalk14.green(`  \u2713 Loaded ${this.guardianMonitor.getRuleCount()} rules`));
+    await this.syncHeuristics();
+    if (this.config.checkOnChange) {
+      this.setupFileWatcher();
+    }
+    if (this.config.bridgeEnabled) {
+      await this.setupBridge();
+    }
+    this.printActive();
+    this.emit("started", this.state);
+  }
+  printWelcome() {
+    console.log(chalk14.bold.blue("\n\u{1F6E1}\uFE0F  Guardian Daemon Starting..."));
+    console.log(chalk14.dim(`Project: ${this.config.projectId}`));
+    console.log(chalk14.dim(`Watch Path: ${this.config.watchPath}`));
+    console.log(chalk14.dim("\u2500".repeat(50)));
+  }
+  printActive() {
+    console.log(chalk14.dim("\u2500".repeat(50)));
+    console.log(chalk14.green.bold("\u2705 Guardian Daemon is now active"));
+    console.log(chalk14.dim("Press Ctrl+C to stop\n"));
+  }
+  async syncHeuristics() {
+    if (!this.heuristicEngine) return;
+    const synced = await this.heuristicEngine.refreshRules(this.config.projectId, this.config.apiUrl, this.config.apiKey);
+    if (synced) console.log(chalk14.green("  \u2713 Synced heuristic rules"));
+  }
+  setupFileWatcher() {
+    console.log(chalk14.dim("\u{1F4C2} Starting file watcher..."));
+    this.fileWatcher = createFileWatcher(this.config.watchPath);
+    this.fileWatcher.on("change", (path24) => this.handleFileChange(path24));
+    this.fileWatcher.start();
+    console.log(chalk14.green("  \u2713 File watcher active"));
+  }
+  async handleFileChange(filePath) {
+    this.state.lastActivity = (/* @__PURE__ */ new Date()).toISOString();
+    if (this.config.verbose) console.log(chalk14.dim(`  \u{1F4DD} File changed: ${filePath}`));
+    let lineCount = 0;
+    try {
+      const content = await fs16.readFile(filePath, "utf-8");
+      lineCount = content.split("\n").length;
+    } catch (e) {
+    }
+    if (this.heuristicEngine && this.interventionProtocol && this.guardianMonitor) {
+      const matches = await this.heuristicEngine.analyzeFile(filePath, {
+        lineCount,
+        rules: this.guardianMonitor.getRules()
+      });
+      for (const match of matches) {
+        console.log(chalk14.magenta(`  \u{1F4A1} PREDICTIVE ACTIVATION: ${match.skillId}`));
+        console.log(chalk14.dim(`     Reason: ${match.reason}`));
+        const decision = this.interventionProtocol.evaluateTrigger(match.skillId, match.confidence);
+        this.interventionProtocol.enforce(decision);
+        await jitProvisionSkill(match.skillId, this.config.apiUrl, this.config.apiKey, this.config.projectId, process.cwd());
+        await trackSkillUsage(this.config.apiUrl, this.config.apiKey, this.config.projectId, match.skillId);
+        this.emit("skill:suggestion", match);
+      }
+    }
+    if (this.guardianMonitor) {
+      if (this.interventionProtocol) this.interventionProtocol.clear(filePath);
+      const result = await this.guardianMonitor.checkFile(filePath);
+      this.state.filesChecked++;
+      if (result.violations.length > 0) {
+        this.state.violationsFound += result.violations.length;
+        this.emit("violation", { file: filePath, violations: result.violations });
+        for (const v of result.violations) {
+          const color = v.severity === "critical" ? chalk14.red : v.severity === "warning" ? chalk14.yellow : chalk14.blue;
+          console.log(color(`  [${v.severity.toUpperCase()}] ${filePath}: ${v.message}`));
+          if (this.interventionProtocol) {
+            const decision = this.interventionProtocol.evaluateViolation(v.message, v.severity);
+            this.interventionProtocol.enforce(decision);
+            this.interventionProtocol.registerViolation(filePath, decision);
+          }
+        }
+      }
+    }
+  }
+  async setupBridge() {
+    console.log(chalk14.dim("\u{1F309} Connecting to Agent Bridge..."));
+    this.bridgeListener = createBridgeListener(this.config.projectId, this.config.apiUrl, this.config.apiKey);
+    this.bridgeListener.on("task", (task) => {
+      this.state.lastActivity = (/* @__PURE__ */ new Date()).toISOString();
+      this.state.tasksProcessed++;
+      console.log(chalk14.cyan(`
+\u{1F4E5} New task received: ${task.id}`));
+      this.emit("task", task);
+    });
+    await this.bridgeListener.connect();
+    console.log(chalk14.green("  \u2713 Agent Bridge connected"));
+  }
+  async stop() {
+    if (!this.state.isRunning) return;
+    console.log(chalk14.dim("\n\u{1F6D1} Stopping Guardian Daemon..."));
+    if (this.fileWatcher) await this.fileWatcher.stop();
+    if (this.bridgeListener) await this.bridgeListener.disconnect();
+    this.state.isRunning = false;
+    console.log(chalk14.green("\u2713 Daemon stopped."));
+    this.emit("stopped", this.state);
+  }
+  getState() {
+    return { ...this.state };
+  }
+};
+
+// src/daemon/factory.ts
+init_config();
+async function createDaemon(options) {
+  const apiUrl = getApiUrl();
+  let projectId = options.project;
+  if (!projectId) {
+    const manifest = await loadManifest();
+    if (manifest) projectId = manifest.project_id;
+  }
+  if (!projectId) projectId = getProjectId();
+  if (!projectId) {
+    throw new Error('No project ID found. Run "rigstate link" or use --project <id>.');
+  }
+  const apiKey = getApiKey();
+  if (!apiKey) {
+    throw new Error('Not authenticated. Run "rigstate login" first.');
+  }
+  const config2 = {
+    projectId,
+    apiUrl,
+    apiKey,
+    watchPath: options.path || process.cwd(),
+    checkOnChange: true,
+    bridgeEnabled: !options.noBridge,
+    verbose: !!options.verbose
+  };
+  return new GuardianDaemon(config2);
+}
+
+// src/commands/daemon.ts
+var PID_FILE = ".rigstate/daemon.pid";
+var STATE_FILE = ".rigstate/daemon.state.json";
+function createDaemonCommand() {
+  const daemon = new Command9("daemon").description("Start the Guardian daemon for continuous monitoring");
+  daemon.argument("[action]", "Action: start (default) or status", "start").option("--project <id>", "Project ID (or use .rigstate manifest)").option("--path <path>", "Path to watch", ".").option("--no-bridge", "Disable Agent Bridge connection").option("--verbose", "Enable verbose output").action(async (action, options) => {
+    if (action === "status") {
+      await showStatus();
+      return;
+    }
+    const spinner = ora6();
+    try {
+      if (await isRunning()) {
+        console.log(chalk15.yellow("\u26A0 Another daemon instance may be running."));
+        console.log(chalk15.dim(`   Check ${PID_FILE} or run "rigstate daemon status"`));
+        console.log(chalk15.dim("   Use Ctrl+C to stop the running daemon first.\n"));
+      }
+      spinner.start("Initializing Guardian Daemon...");
+      const daemonInstance = await createDaemon({
+        project: options.project,
+        path: options.path,
+        noBridge: options.bridge === false,
+        verbose: options.verbose
+      });
+      spinner.stop();
+      await writePidFile();
+      process.on("SIGINT", async () => {
+        console.log(chalk15.dim("\n\nShutting down..."));
+        await daemonInstance.stop();
+        await cleanupPidFile();
+        process.exit(0);
+      });
+      process.on("SIGTERM", async () => {
+        await daemonInstance.stop();
+        await cleanupPidFile();
+        process.exit(0);
+      });
+      const stateInterval = setInterval(async () => {
+        await writeStateFile(daemonInstance.getState());
+      }, 5e3);
+      daemonInstance.on("stopped", () => {
+        clearInterval(stateInterval);
+      });
+      await daemonInstance.start();
+      await new Promise(() => {
+      });
+    } catch (error) {
+      spinner.fail(chalk15.red("Failed to start daemon"));
+      console.error(chalk15.red("Error:"), error.message);
+      process.exit(1);
+    }
+  });
+  return daemon;
+}
+async function isRunning() {
+  try {
+    const pidPath = path19.join(process.cwd(), PID_FILE);
+    const content = await fs17.readFile(pidPath, "utf-8");
+    const pid = parseInt(content.trim(), 10);
+    try {
+      process.kill(pid, 0);
+      return true;
+    } catch {
+      await fs17.unlink(pidPath);
+      return false;
+    }
+  } catch {
+    return false;
+  }
+}
+async function writePidFile() {
+  try {
+    const dir = path19.join(process.cwd(), ".rigstate");
+    await fs17.mkdir(dir, { recursive: true });
+    await fs17.writeFile(path19.join(dir, "daemon.pid"), process.pid.toString());
+  } catch {
+  }
+}
+async function cleanupPidFile() {
+  try {
+    await fs17.unlink(path19.join(process.cwd(), PID_FILE));
+    await fs17.unlink(path19.join(process.cwd(), STATE_FILE));
+  } catch {
+  }
+}
+async function writeStateFile(state) {
+  try {
+    const dir = path19.join(process.cwd(), ".rigstate");
+    await fs17.mkdir(dir, { recursive: true });
+    await fs17.writeFile(
+      path19.join(dir, "daemon.state.json"),
+      JSON.stringify(state, null, 2)
+    );
+  } catch {
+  }
+}
+async function showStatus() {
+  console.log(chalk15.bold("\n\u{1F6E1}\uFE0F  Guardian Daemon Status\n"));
+  const running = await isRunning();
+  if (!running) {
+    console.log(chalk15.yellow("Status: Not running"));
+    console.log(chalk15.dim('Use "rigstate daemon" to start.\n'));
+    return;
+  }
+  console.log(chalk15.green("Status: Running"));
+  try {
+    const statePath = path19.join(process.cwd(), STATE_FILE);
+    const content = await fs17.readFile(statePath, "utf-8");
+    const state = JSON.parse(content);
+    console.log(chalk15.dim("\u2500".repeat(40)));
+    console.log(`Started at:      ${state.startedAt || "Unknown"}`);
+    console.log(`Files checked:   ${state.filesChecked || 0}`);
+    console.log(`Violations:      ${state.violationsFound || 0}`);
+    console.log(`Tasks processed: ${state.tasksProcessed || 0}`);
+    console.log(`Last activity:   ${state.lastActivity || "None"}`);
+    console.log(chalk15.dim("\u2500".repeat(40)));
+  } catch {
+    console.log(chalk15.dim("(State file not found)"));
+  }
+  try {
+    const pidPath = path19.join(process.cwd(), PID_FILE);
+    const pid = await fs17.readFile(pidPath, "utf-8");
+    console.log(chalk15.dim(`PID: ${pid.trim()}`));
+  } catch {
+  }
+  console.log("");
+}
+
+// src/commands/work.ts
+init_esm_shims();
+init_config();
+import { Command as Command10 } from "commander";
+import chalk16 from "chalk";
+import ora7 from "ora";
+import axios12 from "axios";
+import inquirer2 from "inquirer";
+import fs18 from "fs/promises";
+function createWorkCommand() {
+  return new Command10("work").alias("start").description("Select and execute a Roadmap Task (fetches IDE Prompt)").argument("[taskId]", "Optional Task ID (e.g., T-1021) to start immediately").option("--project <id>", "Project ID").action(async (taskId, options) => {
+    const spinner = ora7();
+    try {
+      const apiKey = getApiKey();
+      const apiUrl = getApiUrl();
+      const projectId = options.project || getProjectId();
+      if (!projectId) {
+        console.log(chalk16.red("\u274C Project ID is required. Run `rigstate link` or pass --project <id>"));
+        process.exit(1);
+      }
+      if (!taskId) {
+        spinner.start("Fetching active roadmap tasks...");
+      }
+      const response = await axios12.get(
+        `${apiUrl}/api/v1/roadmap?project_id=${projectId}`,
+        { headers: { "Authorization": `Bearer ${apiKey}` }, timeout: 1e4 }
+      );
+      if (!response.data.success) {
+        throw new Error(response.data.error || "Failed to fetch roadmap");
+      }
+      const allTasks = response.data.data.roadmap || [];
+      const actionableTasks = allTasks.filter((t) => ["ACTIVE", "LOCKED"].includes(t.status)).sort((a, b) => {
+        if (a.status === "ACTIVE" && b.status !== "ACTIVE") return -1;
+        if (b.status === "ACTIVE" && a.status !== "ACTIVE") return 1;
+        return a.step_number - b.step_number;
+      });
+      spinner.stop();
+      let selectedTask;
+      if (taskId) {
+        selectedTask = allTasks.find(
+          (t) => t.id === taskId || `T-${t.step_number}` === taskId || t.step_number.toString() === taskId
+        );
+        if (!selectedTask) {
+          console.log(chalk16.red(`\u274C Task '${taskId}' not found in roadmap.`));
+          return;
+        }
+      } else {
+        if (actionableTasks.length === 0) {
+          console.log(chalk16.yellow("No active or locked tasks found. The Roadmap is clear! \u{1F389}"));
+          return;
+        }
+        const choices = actionableTasks.map((t) => {
+          const id = `T-${t.step_number}`;
+          const statusIcon = t.status === "ACTIVE" ? "\u25B6\uFE0F" : "\u{1F512}";
+          const priority = t.priority === "MVP" ? chalk16.magenta("[MVP]") : chalk16.blue(`[${t.priority}]`);
+          return {
+            name: `${statusIcon}  ${chalk16.bold(id)}: ${t.title} ${priority}`,
+            value: t,
+            short: `${id}: ${t.title}`
+          };
+        });
+        const answer = await inquirer2.prompt([{
+          type: "list",
+          name: "task",
+          message: "Which task are you working on?",
+          choices,
+          pageSize: 15
+        }]);
+        selectedTask = answer.task;
+      }
+      console.log("\n" + chalk16.bold.underline(`\u{1F680} WORK MODE: ${selectedTask.title}`));
+      console.log(chalk16.dim(`ID: T-${selectedTask.step_number} | Status: ${selectedTask.status}`));
+      if (selectedTask.prompt_content) {
+        console.log(chalk16.yellow.bold("\n\u{1F4CB} IDE EXECUTION SIGNAL (Prompt):"));
+        console.log(chalk16.gray("--------------------------------------------------"));
+        console.log(selectedTask.prompt_content);
+        console.log(chalk16.gray("--------------------------------------------------"));
+        const { action } = await inquirer2.prompt([{
+          type: "list",
+          name: "action",
+          message: "What do you want to do?",
+          choices: [
+            { name: "Copy Prompt (Print clean)", value: "print" },
+            { name: "Create .cursorrules (Agent Context)", value: "cursorrules" },
+            { name: "Mark as ACTIVE (if LOCKED)", value: "activate" },
+            { name: "Mark as COMPLETED", value: "complete" },
+            { name: "Cancel", value: "cancel" }
+          ]
+        }]);
+        if (action === "cursorrules") {
+          await fs18.writeFile(".rigstate-prompt.md", selectedTask.prompt_content);
+          console.log(chalk16.green(`\u2705 Prompt saved to ${chalk16.bold(".rigstate-prompt.md")}`));
+          console.log(chalk16.dim("You can now reference this file in your IDE chat (@.rigstate-prompt.md)"));
+        } else if (action === "print") {
+          console.log("\n" + selectedTask.prompt_content + "\n");
+        } else if (action === "activate" && selectedTask.status !== "ACTIVE") {
+          try {
+            await axios12.post(
+              `${apiUrl}/api/v1/roadmap/update-status`,
+              { step_id: selectedTask.id, status: "ACTIVE", project_id: projectId },
+              { headers: { "Authorization": `Bearer ${apiKey}` } }
+            );
+            console.log(chalk16.green(`\u2705 Task marked as ACTIVE.`));
+          } catch (e) {
+            console.error(chalk16.red(`Failed to update status: ${e.message}`));
+          }
+        } else if (action === "complete") {
+          try {
+            await axios12.post(
+              `${apiUrl}/api/v1/roadmap/update-status`,
+              { step_id: selectedTask.id, status: "COMPLETED", project_id: projectId },
+              { headers: { "Authorization": `Bearer ${apiKey}` } }
+            );
+            console.log(chalk16.green(`\u2705 Task marked as COMPLETED. Great job!`));
+          } catch (e) {
+            console.error(chalk16.red(`Failed to update status: ${e.message}`));
+          }
+        }
+      } else {
+        console.log(chalk16.yellow("\n\u26A0\uFE0F  No specific IDE Prompt found for this task (Legacy Task?)."));
+        console.log(chalk16.dim("Objective: " + (selectedTask.summary || selectedTask.description || "Check web UI for details.")));
+      }
+    } catch (error) {
+      spinner.stop();
+      console.error(chalk16.red(`
+Command failed: ${error.message}`));
+    }
+  });
+}
+
+// src/commands/watch.ts
+init_esm_shims();
+init_config();
+import { Command as Command11 } from "commander";
+import chalk17 from "chalk";
+import ora8 from "ora";
+import chokidar2 from "chokidar";
+import fs19 from "fs/promises";
+import path20 from "path";
+import { execSync as execSync3 } from "child_process";
+import axios13 from "axios";
+function createWatchCommand() {
+  const watch2 = new Command11("watch");
+  watch2.description("Watch for changes and auto-verify roadmap tasks").option("--no-auto-commit", "Disable auto-commit on verification").option("--no-auto-push", "Disable auto-push after commit").option("--run-tests", "Run tests before committing").option("--test-command <cmd>", "Custom test command (default: npm test)").action(async (options) => {
+    console.log(chalk17.bold.blue("\u{1F52D} Rigstate Watch Mode"));
+    console.log(chalk17.dim("Monitoring for task completion..."));
+    console.log("");
+    let apiKey;
+    let projectId;
+    try {
+      apiKey = getApiKey();
+    } catch (e) {
+      console.log(chalk17.red('Not authenticated. Run "rigstate login" first.'));
+      return;
+    }
+    projectId = getProjectId();
+    if (!projectId) {
+      try {
+        const manifestPath = path20.join(process.cwd(), ".rigstate");
+        const content = await fs19.readFile(manifestPath, "utf-8");
+        const manifest = JSON.parse(content);
+        projectId = manifest.project_id;
+      } catch (e) {
+      }
+    }
+    if (!projectId) {
+      console.log(chalk17.red('No project context. Run "rigstate link" or "rigstate sync --project <id>" first.'));
+      return;
+    }
+    const apiUrl = getApiUrl();
+    const config2 = {
+      autoCommit: options.autoCommit !== false,
+      autoPush: options.autoPush !== false,
+      runTests: options.runTests || false,
+      testCommand: options.testCommand || "npm test"
+    };
+    console.log(chalk17.dim(`Auto-commit: ${config2.autoCommit ? "ON" : "OFF"}`));
+    console.log(chalk17.dim(`Auto-push: ${config2.autoPush ? "ON" : "OFF"}`));
+    console.log("");
+    const fetchActiveTask = async () => {
+      try {
+        const response = await axios13.get(`${apiUrl}/api/v1/roadmap`, {
+          params: { project_id: projectId },
+          headers: { Authorization: `Bearer ${apiKey}` }
+        });
+        if (!response.data.success) return null;
+        const roadmap = response.data.data.roadmap || [];
+        const statusPriority = {
+          "IN_PROGRESS": 0,
+          "ACTIVE": 1,
+          "LOCKED": 2
+        };
+        const activeTasks = roadmap.filter((t) => ["IN_PROGRESS", "ACTIVE", "LOCKED"].includes(t.status)).sort((a, b) => {
+          const pA = statusPriority[a.status] ?? 99;
+          const pB = statusPriority[b.status] ?? 99;
+          if (pA !== pB) return pA - pB;
+          return (a.step_number || 0) - (b.step_number || 0);
+        });
+        return activeTasks[0] || null;
+      } catch (e) {
+        return null;
+      }
+    };
+    const checkCriteria = async (criteria) => {
+      try {
+        const fullPath = path20.resolve(process.cwd(), criteria.path);
+        switch (criteria.type) {
+          case "file_exists":
+            await fs19.access(fullPath);
+            return true;
+          case "file_content":
+            const content = await fs19.readFile(fullPath, "utf-8");
+            return content.length > 0;
+          case "content_match":
+            if (!criteria.match) return false;
+            const fileContent = await fs19.readFile(fullPath, "utf-8");
+            return fileContent.includes(criteria.match);
+          default:
+            return false;
+        }
+      } catch (e) {
+        return false;
+      }
+    };
+    const completeTask = async (taskId, task) => {
+      const spinner = ora8("Completing task...").start();
+      try {
+        if (config2.runTests) {
+          spinner.text = "Running tests...";
+          try {
+            execSync3(config2.testCommand, { stdio: "pipe" });
+            spinner.text = "Tests passed!";
+          } catch (e) {
+            spinner.fail("Tests failed. Task not completed.");
+            return;
+          }
+        }
+        await axios13.post(`${apiUrl}/api/v1/roadmap/update-status`, {
+          project_id: projectId,
+          chunk_id: taskId,
+          status: "COMPLETED"
+        }, {
+          headers: { Authorization: `Bearer ${apiKey}` }
+        });
+        spinner.succeed(chalk17.green(`\u2705 Task #${task.step_number} completed: ${task.title}`));
+        if (config2.autoCommit) {
+          spinner.start("Committing changes...");
+          try {
+            execSync3("git add -A", { stdio: "pipe" });
+            const commitMsg = `feat: Complete task #${task.step_number} - ${task.title}`;
+            execSync3(`git commit -m "${commitMsg}"`, { stdio: "pipe" });
+            spinner.succeed("Changes committed");
+            if (config2.autoPush) {
+              spinner.start("Pushing to remote...");
+              try {
+                execSync3("git push", { stdio: "pipe" });
+                spinner.succeed("Pushed to remote");
+              } catch (e) {
+                spinner.warn("Push failed (no remote or conflict)");
+              }
+            }
+          } catch (e) {
+            spinner.warn("Nothing to commit or commit failed");
+          }
+        }
+        console.log("");
+        console.log(chalk17.blue("Watching for next task..."));
+      } catch (e) {
+        spinner.fail(`Failed to complete task: ${e.message}`);
+      }
+    };
+    let currentTask = null;
+    let isProcessing = false;
+    const processActiveTask = async () => {
+      if (isProcessing) return;
+      isProcessing = true;
+      const task = await fetchActiveTask();
+      if (!task) {
+        if (currentTask) {
+          console.log(chalk17.green("\u{1F389} All tasks completed! Watching for new tasks..."));
+          currentTask = null;
+        }
+        isProcessing = false;
+        return;
+      }
+      if (!currentTask || currentTask.id !== task.id) {
+        currentTask = task;
+        console.log("");
+        console.log(chalk17.bold.yellow(`\u{1F4CC} Active Task #${task.step_number}: ${task.title}`));
+        console.log(chalk17.dim(`Status: ${task.status}`));
+        if (task.verification_criteria) {
+          console.log(chalk17.dim("Verification: Auto-checking criteria..."));
+        }
+      }
+      if (task.verification_criteria && Array.isArray(task.verification_criteria)) {
+        let allPassed = true;
+        for (const criteria of task.verification_criteria) {
+          const passed = await checkCriteria(criteria);
+          if (!passed) {
+            allPassed = false;
+            break;
+          }
+        }
+        if (allPassed) {
+          console.log(chalk17.green("\u2713 All verification criteria passed!"));
+          await completeTask(task.id, task);
+          currentTask = null;
+        }
+      }
+      isProcessing = false;
+    };
+    await processActiveTask();
+    const watcher = chokidar2.watch(".", {
+      ignored: [
+        /(^|[\/\\])\../,
+        // dotfiles
+        "**/node_modules/**",
+        "**/.git/**",
+        "**/.next/**",
+        "**/dist/**"
+      ],
+      persistent: true,
+      ignoreInitial: true
+    });
+    watcher.on("all", async (event, filePath) => {
+      if (["add", "change", "unlink"].includes(event)) {
+        setTimeout(() => processActiveTask(), 500);
+      }
+    });
+    console.log(chalk17.dim("Watching for file changes... (Ctrl+C to exit)"));
+    setInterval(() => processActiveTask(), 3e4);
+    process.on("SIGINT", () => {
+      console.log("");
+      console.log(chalk17.dim("Watch mode stopped."));
+      watcher.close();
+      process.exit(0);
+    });
+  });
+  return watch2;
+}
+
+// src/commands/focus.ts
+init_esm_shims();
+init_config();
+import { Command as Command12 } from "commander";
+import chalk18 from "chalk";
+import ora9 from "ora";
+import axios14 from "axios";
+import { execSync as execSync4 } from "child_process";
+import fs20 from "fs/promises";
+import path21 from "path";
+function createFocusCommand() {
+  const focus = new Command12("focus");
+  focus.alias("task").description("Get the next active roadmap task and copy its prompt to clipboard").option("--no-copy", "Do not copy to clipboard").action(async (options) => {
+    const spinner = ora9("Fetching next objective...").start();
+    let apiKey;
+    let projectId;
+    try {
+      apiKey = getApiKey();
+    } catch (e) {
+      spinner.fail(chalk18.red('Not authenticated. Run "rigstate login" first.'));
+      return;
+    }
+    projectId = getProjectId();
+    if (!projectId) {
+      try {
+        const manifestPath = path21.join(process.cwd(), ".rigstate");
+        const content = await fs20.readFile(manifestPath, "utf-8");
+        const manifest = JSON.parse(content);
+        projectId = manifest.project_id;
+      } catch (e) {
+      }
+    }
+    if (!projectId) {
+      spinner.fail(chalk18.red('No project context. Run "rigstate link" first.'));
+      return;
+    }
+    const apiUrl = getApiUrl();
+    try {
+      const response = await axios14.get(`${apiUrl}/api/v1/roadmap`, {
+        params: { project_id: projectId },
+        headers: { Authorization: `Bearer ${apiKey}` }
+      });
+      if (!response.data.success) {
+        throw new Error(response.data.error || "Failed to fetch roadmap");
+      }
+      const roadmap = response.data.data.roadmap || [];
+      const statusPriority = {
+        "IN_PROGRESS": 0,
+        "ACTIVE": 1,
+        "LOCKED": 2
+      };
+      const activeTasks = roadmap.filter((t) => ["IN_PROGRESS", "ACTIVE", "LOCKED"].includes(t.status)).sort((a, b) => {
+        const pA = statusPriority[a.status] ?? 99;
+        const pB = statusPriority[b.status] ?? 99;
+        if (pA !== pB) return pA - pB;
+        return (a.step_number || 0) - (b.step_number || 0);
+      });
+      if (activeTasks.length === 0) {
+        spinner.succeed("All caught up! No active tasks found.");
+        return;
+      }
+      const nextTask = activeTasks[0];
+      spinner.stop();
+      console.log("");
+      console.log(chalk18.bold.blue(`\u{1F4CC} Task #${nextTask.step_number || "?"}: ${nextTask.title}`));
+      const statusColor = nextTask.status === "IN_PROGRESS" ? chalk18.yellow : nextTask.status === "ACTIVE" ? chalk18.green : chalk18.dim;
+      console.log(chalk18.dim("Status: ") + statusColor(nextTask.status));
+      console.log(chalk18.dim("\u2500".repeat(60)));
+      if (nextTask.prompt_content) {
+        console.log(chalk18.white(nextTask.prompt_content));
+        console.log(chalk18.dim("\u2500".repeat(60)));
+        if (options.copy !== false) {
+          try {
+            if (process.platform === "darwin") {
+              execSync4("pbcopy", { input: nextTask.prompt_content });
+              console.log(chalk18.green("\u2705 Prompt copied to clipboard! Ready to paste (Cmd+V)."));
+            } else if (process.platform === "linux") {
+              try {
+                execSync4("xclip -selection clipboard", { input: nextTask.prompt_content });
+                console.log(chalk18.green("\u2705 Prompt copied to clipboard!"));
+              } catch (e) {
+                console.log(chalk18.yellow("\u2139\uFE0F  Copy prompt manually (xclip not available)"));
+              }
+            } else {
+              console.log(chalk18.yellow("\u2139\uFE0F  Copy prompt manually (Auto-copy not supported on this OS)"));
+            }
+          } catch (e) {
+          }
+        }
+      } else {
+        console.log(chalk18.yellow("No prompt instructions available."));
+        if (nextTask.architectural_brief) {
+          console.log(chalk18.bold("Brief:"));
+          console.log(nextTask.architectural_brief);
+        }
+      }
+      console.log("");
+    } catch (e) {
+      spinner.fail(chalk18.red(`Failed to fetch task: ${e.message}`));
+    }
+  });
+  return focus;
+}
+
+// src/commands/env.ts
+init_esm_shims();
+init_config();
+import { Command as Command13 } from "commander";
+import chalk19 from "chalk";
+import ora10 from "ora";
+import fs21 from "fs/promises";
+import path22 from "path";
+import axios15 from "axios";
+function createEnvPullCommand() {
+  const envPull = new Command13("env");
+  envPull.command("pull").description("Pull environment variables from project vault").action(async () => {
+    console.log("");
+    console.log(chalk19.bold.yellow("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+    console.log(chalk19.bold.yellow("\u2551") + chalk19.bold.white("  \u{1F6E1}\uFE0F  RIGSTATE SOVEREIGN VAULT SYNC  \u{1F6E1}\uFE0F   ") + chalk19.bold.yellow("\u2551"));
+    console.log(chalk19.bold.yellow("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+    console.log("");
+    const spinner = ora10("Authenticating with Vault...").start();
+    let apiKey;
+    let projectId;
+    try {
+      apiKey = getApiKey();
+    } catch (e) {
+      spinner.fail(chalk19.red('Not authenticated. Run "rigstate login" first.'));
+      return;
+    }
+    spinner.succeed("Authenticated");
+    spinner.start("Reading project configuration...");
+    projectId = getProjectId();
+    if (!projectId) {
+      try {
+        const manifestPath = path22.join(process.cwd(), ".rigstate");
+        const content = await fs21.readFile(manifestPath, "utf-8");
+        const manifest = JSON.parse(content);
+        projectId = manifest.project_id;
+      } catch (e) {
+      }
+    }
+    if (!projectId) {
+      spinner.fail(chalk19.red('No project context. Run "rigstate link" first.'));
+      return;
+    }
+    spinner.succeed(`Project: ${chalk19.cyan(projectId.substring(0, 8))}...`);
+    const apiUrl = getApiUrl();
+    spinner.start("Fetching secrets from Vault...");
+    try {
+      const response = await axios15.post(`${apiUrl}/api/v1/vault/sync`, {
+        project_id: projectId
+      }, {
+        headers: { Authorization: `Bearer ${apiKey}` }
+      });
+      if (!response.data.success) {
+        throw new Error(response.data.error || "Failed to fetch secrets");
+      }
+      const vaultContent = response.data.data.content || "";
+      const secretCount = response.data.data.count || 0;
+      if (secretCount === 0) {
+        spinner.info("No secrets found in Vault for this project.");
+        console.log(chalk19.dim("  Add secrets via the Rigstate web interface."));
+        return;
+      }
+      spinner.succeed(`Retrieved ${chalk19.bold(secretCount)} secret(s)`);
+      const envFile = path22.resolve(process.cwd(), ".env.local");
+      let existingContent = "";
+      let existingKeys = /* @__PURE__ */ new Set();
+      try {
+        existingContent = await fs21.readFile(envFile, "utf-8");
+        existingContent.split("\n").forEach((line) => {
+          const match = line.match(/^([A-Z_][A-Z0-9_]*)=/);
+          if (match) existingKeys.add(match[1]);
+        });
+      } catch (e) {
+      }
+      const vaultKeys = /* @__PURE__ */ new Set();
+      vaultContent.split("\n").forEach((line) => {
+        const match = line.match(/^([A-Z_][A-Z0-9_]*)=/);
+        if (match) vaultKeys.add(match[1]);
+      });
+      let newCount = 0;
+      let updatedCount = 0;
+      vaultKeys.forEach((key) => {
+        if (!existingKeys.has(key)) {
+          newCount++;
+        } else {
+          updatedCount++;
+        }
+      });
+      const unchangedCount = existingKeys.size - updatedCount;
+      spinner.start("Writing .env.local...");
+      const header = [
+        "# ==========================================",
+        "# RIGSTATE SOVEREIGN FOUNDATION",
+        "# Authenticated Environment Configuration",
+        `# Synced at: ${(/* @__PURE__ */ new Date()).toISOString()}`,
+        `# Project: ${projectId}`,
+        "# ==========================================",
+        ""
+      ].join("\n");
+      await fs21.writeFile(envFile, header + vaultContent + "\n");
+      spinner.succeed("Written to .env.local");
+      console.log("");
+      console.log(chalk19.bold.green("\u2705 Environment synchronized successfully"));
+      console.log("");
+      console.log(chalk19.dim("   Summary:"));
+      console.log(chalk19.green(`   + ${newCount} new`));
+      console.log(chalk19.yellow(`   ~ ${updatedCount} updated`));
+      console.log(chalk19.dim(`   = ${unchangedCount} unchanged`));
+      console.log("");
+      console.log(chalk19.bold.yellow("\u26A0\uFE0F  Security Reminder:"));
+      console.log(chalk19.dim("   - Never commit .env.local to version control."));
+      console.log(chalk19.dim("   - Ensure .gitignore includes .env.local"));
+      console.log("");
+    } catch (e) {
+      spinner.fail(chalk19.red(`Failed to fetch secrets: ${e.message}`));
+    }
+  });
+  return envPull;
+}
+
+// src/commands/config.ts
+init_esm_shims();
+init_config();
+import { Command as Command14 } from "commander";
+import chalk20 from "chalk";
+function createConfigCommand() {
+  const config2 = new Command14("config");
+  config2.description("View or modify Rigstate configuration").argument("[key]", "Configuration key to view/set (api_key, project_id, api_url)").argument("[value]", "Value to set").action(async (key, value) => {
+    if (!key) {
+      console.log(chalk20.bold("Rigstate Configuration"));
+      console.log(chalk20.dim("\u2500".repeat(40)));
+      try {
+        const apiKey = getApiKey();
+        console.log(`${chalk20.cyan("api_key")}: ${apiKey.substring(0, 20)}...`);
+      } catch (e) {
+        console.log(`${chalk20.cyan("api_key")}: ${chalk20.dim("(not set)")}`);
+      }
+      const projectId = getProjectId();
+      console.log(`${chalk20.cyan("project_id")}: ${projectId || chalk20.dim("(not set)")}`);
+      const apiUrl = getApiUrl();
+      console.log(`${chalk20.cyan("api_url")}: ${apiUrl}`);
+      console.log("");
+      console.log(chalk20.dim('Use "rigstate config <key> <value>" to set a value.'));
+      return;
+    }
+    if (!value) {
+      switch (key) {
+        case "api_key":
+          try {
+            const apiKey = getApiKey();
+            console.log(apiKey);
+          } catch (e) {
+            console.log(chalk20.dim("(not set)"));
+          }
+          break;
+        case "project_id":
+          console.log(getProjectId() || chalk20.dim("(not set)"));
+          break;
+        case "api_url":
+          console.log(getApiUrl());
+          break;
+        default:
+          console.log(chalk20.red(`Unknown config key: ${key}`));
+          console.log(chalk20.dim("Valid keys: api_key, project_id, api_url"));
+      }
+      return;
+    }
+    switch (key) {
+      case "api_key":
+        setApiKey(value);
+        console.log(chalk20.green(`\u2705 api_key updated`));
+        break;
+      case "project_id":
+        setProjectId(value);
+        console.log(chalk20.green(`\u2705 project_id updated`));
+        break;
+      case "api_url":
+        console.log(chalk20.yellow("api_url is set via RIGSTATE_API_URL environment variable"));
+        break;
+      default:
+        console.log(chalk20.red(`Unknown config key: ${key}`));
+        console.log(chalk20.dim("Valid keys: api_key, project_id"));
+    }
+  });
+  return config2;
+}
+
+// src/commands/mcp.ts
+init_esm_shims();
+import { Command as Command15 } from "commander";
+import chalk21 from "chalk";
+import { spawn } from "child_process";
+import path23 from "path";
+import fs22 from "fs";
+import { fileURLToPath as fileURLToPath2 } from "url";
+var __filename2 = fileURLToPath2(import.meta.url);
+var __dirname2 = path23.dirname(__filename2);
+function createMcpCommand() {
+  const mcp = new Command15("mcp");
+  mcp.description("Run the Rigstate MCP server for AI editors").action(async () => {
+    const possiblePaths = [
+      // From packages/cli -> packages/mcp (sibling package)
+      path23.resolve(__dirname2, "../../mcp/dist/index.js"),
+      // If installed globally or via npm
+      path23.resolve(__dirname2, "../../../mcp/dist/index.js"),
+      // Development path from packages/cli/dist
+      path23.resolve(__dirname2, "../../../packages/mcp/dist/index.js")
+    ];
+    let serverPath = "";
+    for (const p of possiblePaths) {
+      if (fs22.existsSync(p)) {
+        serverPath = p;
+        break;
+      }
+    }
+    if (!serverPath) {
+      console.error(chalk21.red("\u274C Error: Rigstate MCP Server binary not found."));
+      console.error(chalk21.yellow("Please ensure that the mcp package is built:"));
+      console.error(chalk21.white("   cd packages/mcp && npm run build"));
+      console.error("");
+      console.error(chalk21.dim("Or run directly with:"));
+      console.error(chalk21.white("   npx @rigstate/mcp"));
+      process.exit(1);
+    }
+    console.log(chalk21.dim(`Starting MCP server from: ${serverPath}`));
+    if (process.env.VIBE_API_KEY && !process.env.RIGSTATE_API_KEY) {
+      process.env.RIGSTATE_API_KEY = process.env.VIBE_API_KEY;
+    }
+    const worker = spawn("node", [serverPath], {
+      env: process.env,
+      stdio: ["inherit", "inherit", "inherit"]
+    });
+    worker.on("error", (err) => {
+      console.error(chalk21.red(`\u274C Failed to start MCP server: ${err.message}`));
+      process.exit(1);
+    });
+    worker.on("exit", (code) => {
+      if (code !== 0 && code !== null) {
+        process.exit(code);
+      }
+    });
+  });
+  return mcp;
+}
+
+// src/commands/nexus.ts
+init_esm_shims();
+import { Command as Command16 } from "commander";
+import chalk24 from "chalk";
+
+// src/nexus/dispatcher.ts
+init_esm_shims();
+import EventEmitter4 from "events";
+import { v4 as uuidv4 } from "uuid";
+
+// src/hive/gateway.ts
+init_esm_shims();
+import axios16 from "axios";
+
+// src/hive/scrubber.ts
+init_esm_shims();
+var HiveScrubber = class {
+  // Patterns that definitely identify a project and MUST be removed
+  static SENSITIVE_PATTERNS = [
+    /(api_key|secret|token|password)[\s]*[:=][\s]*['"][a-zA-Z0-9_\-]+['"]/gi,
+    // Secrets
+    /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+    // Emails
+    /(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\. (?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/g,
+    // IPs
+    /postgres:\/\/[^:]+:[^@]+@/g
+    // DB Connection Strings
+  ];
+  // Generic replacements for project-specific terms to keep the rule abstract
+  static ABSTRACTION_MAP = {
+    "Vibeline": "{PROJECT_NAME}",
+    "Rigstate": "{FRAMEWORK}",
+    "Steinhofve": "{USER}"
+  };
+  /**
+   * Scrubs a string (rule content or log excerpt) of sensitive data.
+   */
+  static scrub(content, customTerms = []) {
+    let scrubbed = content;
+    let count = 0;
+    let risk = 0;
+    this.SENSITIVE_PATTERNS.forEach((pattern) => {
+      if (pattern.test(scrubbed)) {
+        scrubbed = scrubbed.replace(pattern, "[REDACTED_CREDENTIAL]");
+        count++;
+        risk += 50;
+      }
+    });
+    Object.entries(this.ABSTRACTION_MAP).forEach(([term, replacement]) => {
+      const regex = new RegExp(term, "gi");
+      if (regex.test(scrubbed)) {
+        scrubbed = scrubbed.replace(regex, replacement);
+        count++;
+      }
+    });
+    customTerms.forEach((term) => {
+      const regex = new RegExp(term, "gi");
+      if (regex.test(scrubbed)) {
+        scrubbed = scrubbed.replace(regex, "{ENTITY}");
+        count++;
+      }
+    });
+    return {
+      sanitizedContent: scrubbed,
+      redactionCount: count,
+      riskScore: Math.min(risk, 100)
+    };
+  }
+};
+
+// src/hive/gateway.ts
+import chalk22 from "chalk";
+var HiveGateway = class {
+  client;
+  enabled;
+  lastSignalTime = 0;
+  MIN_INTERVAL_MS = 5e3;
+  // Throttle: Max 1 signal per 5s
+  constructor(baseUrl, token) {
+    this.enabled = !!token;
+    if (!this.enabled) {
+      console.log(chalk22.dim("\u26A0\uFE0F Hive Gateway disabled (No Token provided). Running in localized mode."));
+    }
+    this.client = axios16.create({
+      baseURL: baseUrl,
+      headers: {
+        "Authorization": `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Rigstate-Client": "CLI-0.2.0"
+      },
+      timeout: 5e3
+    });
+  }
+  /**
+   * Transmit an Immune Signal to the Hive.
+   * Includes Pre-Flight Scrubbing and Throttling.
+   */
+  async transmit(signal) {
+    if (!this.enabled) return false;
+    const now = Date.now();
+    if (now - this.lastSignalTime < this.MIN_INTERVAL_MS) {
+      console.warn(chalk22.yellow("\u23F3 Hive Gateway Throttled. Signal dropped to preventing spam."));
+      return false;
+    }
+    const scrubResult = HiveScrubber.scrub(signal.ruleContent);
+    if (scrubResult.riskScore > 20) {
+      console.error(chalk22.red(`\u{1F6D1} HIVE BLOCKED: Signal contains sensitive data (Risk: ${scrubResult.riskScore})`));
+      return false;
+    }
+    try {
+      console.log(chalk22.blue(`\u{1F4E1} Uplinking to Hive... [${signal.vector}]`));
+      const payload = { ...signal, ruleContent: scrubResult.sanitizedContent };
+      await this.client.post("/signal", payload);
+      this.lastSignalTime = now;
+      console.log(chalk22.green("\u2705 Signal Received by Hive Core. Knowledge Shared."));
+      return true;
+    } catch (error) {
+      console.error(chalk22.red(`\u274C Hive Transmission Failed: ${error.message}`));
+      return false;
+    }
+  }
+};
+
+// src/utils/logger.ts
+init_esm_shims();
+import chalk23 from "chalk";
+var Logger = class {
+  static formatMessage(level, message, context) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    let prefix = "";
+    switch (level) {
+      case "INFO" /* INFO */:
+        prefix = chalk23.blue(`[${"INFO" /* INFO */}]`);
+        break;
+      case "WARN" /* WARN */:
+        prefix = chalk23.yellow(`[${"WARN" /* WARN */}]`);
+        break;
+      case "ERROR" /* ERROR */:
+        prefix = chalk23.red(`[${"ERROR" /* ERROR */}]`);
+        break;
+      case "DEBUG" /* DEBUG */:
+        prefix = chalk23.gray(`[${"DEBUG" /* DEBUG */}]`);
+        break;
+    }
+    let output = `${chalk23.gray(timestamp)} ${prefix} ${message}`;
+    if (context) {
+      if (context instanceof Error) {
+        output += `
+${chalk23.red(context.stack || context.message)}`;
+      } else if (typeof context === "object") {
+        try {
+          output += `
+${chalk23.gray(JSON.stringify(context, null, 2))}`;
+        } catch (e) {
+          output += `
+${chalk23.gray("[Circular or invalid object]")}`;
+        }
+      } else {
+        output += ` ${String(context)}`;
+      }
+    }
+    return output;
+  }
+  static info(message, context) {
+    console.log(this.formatMessage("INFO" /* INFO */, message, context));
+  }
+  static warn(message, context) {
+    console.warn(this.formatMessage("WARN" /* WARN */, message, context));
+  }
+  static error(message, error) {
+    console.error(this.formatMessage("ERROR" /* ERROR */, message, error));
+  }
+  static debug(message, context) {
+    if (process.env.DEBUG || process.env.RIGSTATE_DEBUG) {
+      console.debug(this.formatMessage("DEBUG" /* DEBUG */, message, context));
+    }
+  }
+};
+
+// src/nexus/dispatcher.ts
+var NexusDispatcher = class extends EventEmitter4 {
+  context;
+  orderQueue = [];
+  orderHistory = [];
+  gateway;
+  constructor(context) {
+    super();
+    this.context = context;
+    this.gateway = new HiveGateway(
+      process.env.RIGSTATE_HIVE_URL || "https://rigstate.com/api/hive",
+      process.env.RIGSTATE_HIVE_TOKEN
+    );
+    Logger.info(`\u{1F9E0} NEXUS DISPATCHER ONLINE. Context: ${context.projectId} (DryRun: ${context.dryRun})`);
+  }
+  /**
+   * Creates a new Service Order and routes it.
+   */
+  async dispatch(source, target, intent, action, params, constraints = []) {
+    const order = {
+      id: uuidv4(),
+      traceId: uuidv4(),
+      // TODO: Inherit traceId if chained
+      sourceAgent: source,
+      targetAgent: target,
+      priority: "NORMAL",
+      intent,
+      action,
+      parameters: params,
+      constraints,
+      status: "PENDING",
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.orderQueue.push(order);
+    this.emit("order:created", order);
+    if (target === "EITRI" && order.action.startsWith("fs.write")) {
+      if (this.context.dryRun) {
+        Logger.info(`\u{1F6D1} NEXUS KILL-SWITCH: Order ${order.id} blocked by Dry-Run protocol.`);
+        order.status = "PENDING";
+        this.emit("order:blocked", order);
+        return order;
+      }
+    }
+    return this.executeOrder(order);
+  }
+  /**
+   * Executes the order (simulated for now, essentially "Sending" it)
+   */
+  async executeOrder(order) {
+    order.status = "EXECUTING";
+    order.startedAt = (/* @__PURE__ */ new Date()).toISOString();
+    this.emit("order:started", order);
+    try {
+      Logger.info(`\u{1F680} NEXUS: Routing Order ${order.id} [${order.sourceAgent} -> ${order.targetAgent}]: ${order.intent}`);
+      if (order.targetAgent === "MAJA" && order.action === "HIVE_TRANSMIT") {
+        const signal = order.parameters.signal;
+        if (signal) {
+          await this.gateway.transmit(signal);
+          order.status = "COMPLETED";
+          return order;
+        }
+      }
+      this.emit(`agent:${order.targetAgent}`, order);
+      return order;
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : "Unknown error occurred";
+      Logger.error(`Dispatch failed for order ${order.id}`, error);
+      order.status = "FAILED";
+      order.error = {
+        code: "DISPATCH_ERROR",
+        message: errorMessage
+      };
+      this.emit("order:failed", order);
+      return order;
+    }
+  }
+  /**
+   * Human Approval (The "Red Button")
+   */
+  async approveOrder(orderId) {
+    const order = this.orderQueue.find((o) => o.id === orderId);
+    if (!order) throw new Error(`Order ${orderId} not found`);
+    if (order.status !== "AWAITING_APPROVAL") {
+      Logger.warn(`Order ${orderId} is not awaiting approval (Status: ${order.status})`);
+      return;
+    }
+    Logger.info(`\u2705 HUMAN APPROVED Order ${orderId}`);
+    await this.executeOrder(order);
+  }
+};
+
+// src/commands/nexus.ts
+import inquirer3 from "inquirer";
+function createNexusCommand() {
+  const command = new Command16("nexus");
+  command.description("Interact with The Multi-Agent Nexus (Phase 8)").argument("<intent>", "The natural language instruction for the swarm").option("--dry-run", "Enable Dry-Run mode (Kill-Switch Active)", true).option("--force", "Disable Dry-Run mode (DANGEROUS)", false).action(async (intent, options) => {
+    console.log(chalk24.bold.magenta("\n\u{1F981} Welcome to The Nexus (Phase 8)\n"));
+    const dryRun = !options.force;
+    if (!dryRun) {
+      console.log(chalk24.black.bgYellow(" WARNING ") + chalk24.yellow(" Dry-Run disabled! Eitri is authorized to write code."));
+      const { confirm } = await inquirer3.prompt([{
+        type: "confirm",
+        name: "confirm",
+        message: "Are you absolutely sure you want to bypass the Kill-Switch?",
+        default: false
+      }]);
+      if (!confirm) {
+        console.log("Aborting.");
+        process.exit(0);
+      }
+    }
+    const context = {
+      projectId: process.env.RIGSTATE_PROJECT_ID || "local",
+      rootPath: process.cwd(),
+      sessionUser: "cli-user",
+      // Should strictly be pulled from auth
+      dryRun
+    };
+    const dispatcher = new NexusDispatcher(context);
+    dispatcher.on("order:created", (o) => {
+      console.log(chalk24.blue(`\u{1F195} [${o.id.slice(0, 6)}] Order Created: `) + o.intent);
+    });
+    dispatcher.on("order:started", (o) => {
+      console.log(chalk24.yellow(`\u23F3 [${o.id.slice(0, 6)}] Processing...`));
+    });
+    dispatcher.on("order:blocked", (o) => {
+      console.log(chalk24.red(`\u{1F6D1} [${o.id.slice(0, 6)}] BLOCKED by Kill-Switch`));
+      console.log(chalk24.dim(`   Target: ${o.targetAgent} | Action: ${o.action}`));
+      console.log(chalk24.dim("   Run with --force to execute automatically (NOT RECOMMENDED)."));
+    });
+    dispatcher.on("agent:SINDRE", (o) => console.log(chalk24.cyan(`\u{1F916} Sindre (Vault): I'm on it! (${o.action})`)));
+    dispatcher.on("agent:EITRI", (o) => console.log(chalk24.green(`\u{1F477} Eitri (Smith): Ready to build! (${o.action})`)));
+    console.log(chalk24.dim("\u{1F9E0} Frank is analyzing your intent..."));
+    await new Promise((r) => setTimeout(r, 800));
+    if (intent.toLowerCase().includes("db") || intent.toLowerCase().includes("database")) {
+      await dispatcher.dispatch("FRANK", "SINDRE", intent, "db.analyze", { raw: intent });
+    } else if (intent.toLowerCase().includes("create") || intent.toLowerCase().includes("code")) {
+      await dispatcher.dispatch("FRANK", "EITRI", intent, "fs.write", { path: "src/demo.ts", content: "// demo" });
+    } else {
+      console.log(chalk24.gray("Frank didn't understand. Try 'create file' or 'check database'."));
+    }
+  });
+  return command;
+}
+
+// src/commands/sync-rules.ts
+init_esm_shims();
+init_config();
+import { Command as Command17 } from "commander";
+import chalk25 from "chalk";
+import ora11 from "ora";
+import axios17 from "axios";
+function createSyncRulesCommand() {
+  const syncRules = new Command17("sync-rules");
+  syncRules.description("\u{1F6E1}\uFE0F Push Frank Protocol v1.0 to all existing projects").option("--dry-run", "Preview changes without pushing to GitHub").option("--project <id>", "Sync a specific project only").action(async (options) => {
+    const spinner = ora11("\u{1F6E1}\uFE0F Frank Protocol: Initializing retroactive sync...").start();
+    const results = [];
+    let apiKey;
+    try {
+      apiKey = getApiKey();
+    } catch (e) {
+      spinner.fail(chalk25.red('Not authenticated. Run "rigstate login" first.'));
+      return;
+    }
+    const apiUrl = getApiUrl();
+    try {
+      spinner.text = "Fetching projects...";
+      const projectsResponse = await axios17.get(`${apiUrl}/api/v1/projects`, {
+        params: options.project ? { project_id: options.project } : {},
+        headers: { Authorization: `Bearer ${apiKey}` }
+      });
+      if (!projectsResponse.data.success) {
+        throw new Error(projectsResponse.data.error || "Failed to fetch projects");
+      }
+      let projects = projectsResponse.data.data.projects || [];
+      if (projects.length === 0) {
+        spinner.fail(chalk25.red("No projects found."));
+        return;
+      }
+      if (projects.length > 1 && !options.project) {
+        spinner.stop();
+        const inquirer4 = (await import("inquirer")).default;
+        const { selectedProjectId } = await inquirer4.prompt([{
+          type: "list",
+          name: "selectedProjectId",
+          message: "Multiple projects found. Which one do you want to sync?",
+          choices: projects.map((p) => ({
+            name: `${p.name} [${p.id}]`,
+            value: p.id
+          }))
+        }]);
+        projects = projects.filter((p) => p.id === selectedProjectId);
+        options.project = selectedProjectId;
+        try {
+          const fs23 = await import("fs/promises");
+          const path24 = await import("path");
+          const envPath = path24.join(process.cwd(), ".env");
+          const envLocalPath = path24.join(process.cwd(), ".env.local");
+          let targetEnv = envLocalPath;
+          try {
+            await fs23.access(envLocalPath);
+          } catch {
+            try {
+              await fs23.access(envPath);
+              targetEnv = envPath;
+            } catch {
+              targetEnv = envPath;
+            }
+          }
+          let content = "";
+          try {
+            content = await fs23.readFile(targetEnv, "utf-8");
+          } catch {
+          }
+          if (!content.includes("RIGSTATE_PROJECT_ID")) {
+            const newContent = content.endsWith("\n") || content === "" ? `${content}RIGSTATE_PROJECT_ID=${selectedProjectId}
+` : `${content}
+RIGSTATE_PROJECT_ID=${selectedProjectId}
+`;
+            await fs23.writeFile(targetEnv, newContent, "utf-8");
+            console.log(chalk25.dim(`   \u{1F4BE} Saved default project to ${path24.basename(targetEnv)}`));
+          }
+        } catch (e) {
+        }
+      }
+      spinner.succeed(`Syncing project: ${projects[0].name}`);
+      for (const project of projects) {
+        const projectSpinner = ora11(`  Syncing: ${project.name}...`).start();
+        try {
+          if (options.dryRun) {
+            projectSpinner.succeed(chalk25.yellow(`  [DRY-RUN] Would sync: ${project.name}`));
+            results.push({ projectId: project.id, projectName: project.name, status: "success" });
+            continue;
+          }
+          const syncResponse = await axios17.post(`${apiUrl}/api/v1/rules/sync`, {
+            project_id: project.id
+          }, {
+            headers: { Authorization: `Bearer ${apiKey}` }
+          });
+          if (syncResponse.data.success) {
+            if (syncResponse.data.data.github_synced) {
+              projectSpinner.succeed(chalk25.green(`  \u2705 ${project.name} [${project.id}] \u2192 GitHub synced`));
+            } else {
+              projectSpinner.info(chalk25.blue(`  \u2139\uFE0F ${project.name} [${project.id}] \u2192 Rules generated (no GitHub)`));
+            }
+            const files = syncResponse.data.data.files;
+            if (files && Array.isArray(files) && (projects.length === 1 || options.project)) {
+              const fs23 = await import("fs/promises");
+              const path24 = await import("path");
+              for (const file of files) {
+                const filePath = path24.join(process.cwd(), file.path);
+                await fs23.mkdir(path24.dirname(filePath), { recursive: true });
+                await fs23.writeFile(filePath, file.content, "utf-8");
+              }
+              console.log(chalk25.dim(`      \u{1F4BE} Wrote ${files.length} rule files to local .cursor/rules/`));
+            }
+            results.push({ projectId: project.id, projectName: project.name, status: "success" });
+          } else {
+            projectSpinner.warn(chalk25.yellow(`  \u26A0\uFE0F ${project.name} \u2192 ${syncResponse.data.error || "Unknown error"}`));
+            results.push({ projectId: project.id, projectName: project.name, status: "failed", error: syncResponse.data.error });
+          }
+        } catch (e) {
+          projectSpinner.fail(chalk25.red(`  \u274C ${project.name}: ${e.message}`));
+          results.push({ projectId: project.id, projectName: project.name, status: "failed", error: e.message });
+        }
+      }
+      console.log("");
+      console.log(chalk25.bold("\u{1F4CA} Sync Summary:"));
+      const successful = results.filter((r) => r.status === "success").length;
+      const failed = results.filter((r) => r.status === "failed").length;
+      console.log(chalk25.green(`  \u2705 Successful: ${successful}`));
+      if (failed > 0) {
+        console.log(chalk25.red(`  \u274C Failed: ${failed}`));
+      }
+      console.log("");
+      console.log(chalk25.cyan("\u{1F6E1}\uFE0F Frank Protocol v1.0 has been injected into the rules engine."));
+      console.log(chalk25.dim("   All new chats will now boot with mandatory governance checks."));
+    } catch (e) {
+      spinner.fail(chalk25.red("Sync failed: " + e.message));
+    }
+  });
+  return syncRules;
+}
+
+// src/commands/override.ts
+init_esm_shims();
+init_governance();
+init_config();
+import { Command as Command18 } from "commander";
+import chalk26 from "chalk";
+import axios18 from "axios";
+function createOverrideCommand() {
+  const override = new Command18("override");
+  override.description("Emergency Override for Governance Soft Locks").argument("<violationId>", 'ID of the violation to override (or "all")').requiredOption("-r, --reason <reason>", "Description of why this override is necessary").action(async (violationId, options) => {
+    const { reason } = options;
+    console.log(chalk26.bold(`
+\u{1F513} Initiating Governance Override Protocol...`));
+    const session = await getSessionState(process.cwd());
+    if (session.status !== "SOFT_LOCK") {
+      console.log(chalk26.yellow("   Info: Session is not currently locked."));
+      return;
+    }
+    console.log(chalk26.dim(`   Active Violation: ${session.active_violation}`));
+    console.log(chalk26.dim(`   Reason Provided:  "${reason}"`));
+    const success = await performOverride(violationId, reason, process.cwd());
+    if (success) {
+      console.log(chalk26.green(`   \u2705 Session UNLOCKED.`));
+      console.log(chalk26.dim(`   This event has been logged to the Mission Report.`));
+      try {
+        const projectId = getProjectId();
+        if (projectId) {
+          const apiUrl = getApiUrl();
+          const apiKey = getApiKey();
+          await axios18.post(`${apiUrl}/api/v1/execution-logs`, {
+            project_id: projectId,
+            task_id: "OVERRIDE-" + Date.now(),
+            task_title: `Governance Override: ${violationId}`,
+            status: "COMPLETED",
+            execution_summary: `Manual override executed. Reason: ${reason}`,
+            agent_role: "SUPERVISOR"
+            // Override is a supervisor action
+          }, {
+            headers: { Authorization: `Bearer ${apiKey}` }
+          });
+          console.log(chalk26.dim(`   \u2601 Audit log synced to Cloud.`));
+        }
+      } catch (e) {
+        console.log(chalk26.dim(`   (Cloud audit sync failed: ${e.message})`));
+      }
+    } else {
+      console.log(chalk26.red(`   \u{1F6D1} Override Failed. Check project configuration.`));
+    }
+  });
+  return override;
+}
+
+// src/utils/version.ts
+init_esm_shims();
+async function checkVersion() {
+}
+
+// src/index.ts
+import dotenv from "dotenv";
+dotenv.config();
+var program = new Command19();
+program.name("rigstate").description("CLI for Rigstate - The AI-Native Dev Studio").version("0.2.0");
+program.addCommand(createLoginCommand());
+program.addCommand(createLinkCommand());
+program.addCommand(createScanCommand());
+program.addCommand(createFixCommand());
+program.addCommand(createSyncCommand());
+program.addCommand(createInitCommand());
+program.addCommand(createCheckCommand());
+program.addCommand(createHooksCommand());
+program.addCommand(createDaemonCommand());
+program.addCommand(createWorkCommand());
+program.addCommand(createWatchCommand());
+program.addCommand(createFocusCommand());
+program.addCommand(createEnvPullCommand());
+program.addCommand(createConfigCommand());
+program.addCommand(createMcpCommand());
+program.addCommand(createNexusCommand());
+program.addCommand(createSyncRulesCommand());
+program.addCommand(createOverrideCommand());
+program.hook("preAction", async () => {
+  await checkVersion();
+});
+program.on("--help", () => {
+  console.log("");
+  console.log(chalk27.bold("Examples:"));
+  console.log("");
+  console.log(chalk27.cyan("  $ rigstate login sk_rigstate_your_api_key"));
+  console.log(chalk27.dim("    Authenticate with your Rigstate API key"));
+  console.log("");
+  console.log(chalk27.cyan("  $ rigstate scan"));
+  console.log(chalk27.dim("    Scan the current directory"));
+  console.log("");
+  console.log(chalk27.cyan("  $ rigstate scan ./src --project abc123"));
+  console.log(chalk27.dim("    Scan a specific directory with project ID"));
+  console.log("");
+  console.log(chalk27.cyan("  $ rigstate scan --json"));
+  console.log(chalk27.dim("    Output results in JSON format (useful for IDE extensions)"));
+  console.log("");
+});
+program.parse(process.argv);
+if (!process.argv.slice(2).length) {
+  program.outputHelp();
+}
+//# sourceMappingURL=index.js.map