@saiteja1123/mcp-server 1.1.4 → 1.1.6

package/src/cli.js

@@ -1,322 +1,771 @@
-#!/usr/bin/env node
-/**
- * vibesecur-mcp CLI
- *
- * Quick start:  npx -y @saiteja1123/mcp-server init
- *
- * Commands:
- *   init [folder]     bind folder + print IDE configs (optional --write=...)
- *   doctor [folder]   check lock, env hints, backend reachability
- *   bind <folder>
- *   rebind <folder>
- *   status [folder]
- *   config [folder]
- *   start             MCP stdio server
- *
- * Flags (init):  --api-base=URL  --skip-bind  --write=cursor|vscode|windsurf|all
- */
-
-import fs from 'fs/promises';
-import path from 'path';
-import os from 'os';
-import { createRequire } from 'module';
-import { fileURLToPath } from 'url';
-import { createLock, rebindLock, diagnosticLock, readLock } from './lock.mjs';
-import { pingBackend } from './api-scan.mjs';
-
-const require = createRequire(import.meta.url);
-const mcpPkg = require('../package.json');
-const NPM_PACKAGE_NAME = mcpPkg.name || '@saiteja1123/mcp-server';
-const DEFAULT_API_BASE = 'https://vibesecur.onrender.com';
-
-const serverPath = fileURLToPath(new URL('./server.js', import.meta.url));
-
-const BOLD = '\x1b[1m';
-const GREEN = '\x1b[32m';
-const RED = '\x1b[31m';
-const CYAN = '\x1b[36m';
-const DIM = '\x1b[2m';
-const RESET = '\x1b[0m';
-
-function h(t) { return `${BOLD}${CYAN}${t}${RESET}`; }
-function ok(t) { return `${GREEN}✓ ${t}${RESET}`; }
-function err(t) { return `${RED}✗ ${t}${RESET}`; }
-function dim(t) { return `${DIM}${t}${RESET}`; }
-
-function parseArgv(argv) {
-  const flags = {};
-  const positional = [];
-  for (const a of argv) {
-    if (a.startsWith('--')) {
-      const eq = a.indexOf('=');
-      if (eq === -1) flags[a.slice(2)] = true;
-      else flags[a.slice(2, eq)] = a.slice(eq + 1);
-    } else {
-      positional.push(a);
-    }
-  }
-  return { flags, positional };
-}
-
-const { flags, positional } = parseArgv(process.argv.slice(2));
-const command = positional[0];
-const arg = positional[1];
-
-function serverCmd() {
-  const normalizedPath = serverPath.replace(/\\/g, '/');
-  if (normalizedPath.includes('/node_modules/')) {
-    return { command: 'npx', args: ['-y', NPM_PACKAGE_NAME, 'start'] };
-  }
-  return { command: 'node', args: [serverPath] };
-}
-
-function buildEnv(folder, token, apiBase) {
-  return {
-    VIBESECUR_INSTALL_TOKEN: token,
-    VIBESECUR_BOUND_ROOT: folder,
-    VIBESECUR_API_BASE: apiBase || DEFAULT_API_BASE,
-  };
-}
-
-function printIdeBlocks(sc, env) {
-  console.log(`${BOLD}-- Cursor (~/.cursor/mcp.json) --${RESET}`);
-  console.log(JSON.stringify({ mcpServers: { vibesecur: { command: sc.command, args: sc.args, env } } }, null, 2));
-
-  console.log(`\n${BOLD}-- VS Code (project .vscode/mcp.json) --${RESET}`);
-  console.log(JSON.stringify({ servers: { vibesecur: { type: 'stdio', command: sc.command, args: sc.args, env } } }, null, 2));
-
-  console.log(`\n${BOLD}-- Windsurf (~/.codeium/windsurf/mcp_config.json) --${RESET}`);
-  console.log(JSON.stringify({ mcpServers: { vibesecur: { command: sc.command, args: sc.args, env } } }, null, 2));
-
-  console.log(`\n${BOLD}-- Generic env (paste into your MCP client) --${RESET}`);
-  console.log(`command: ${sc.command} ${sc.args.join(' ')}`);
-  Object.entries(env).forEach(([k, v]) => console.log(`  ${k}=${v}`));
-  console.log();
-}
-
-async function mergeJsonFile(filePath, merger) {
-  await fs.mkdir(path.dirname(filePath), { recursive: true });
-  let data = {};
-  try {
-    const raw = await fs.readFile(filePath, 'utf8');
-    data = JSON.parse(raw);
-  } catch {
-    data = {};
-  }
-  const next = merger(data);
-  await fs.writeFile(filePath, JSON.stringify(next, null, 2), 'utf8');
-}
-
-async function writeIdeConfig(which, sc, env) {
-  const entry = { command: sc.command, args: sc.args, env };
-  const vscodeEntry = { type: 'stdio', command: sc.command, args: sc.args, env };
-
-  if (which === 'cursor' || which === 'all') {
-    const file = path.join(os.homedir(), '.cursor', 'mcp.json');
-    await mergeJsonFile(file, (data) => {
-      const out = { ...data };
-      out.mcpServers = { ...(out.mcpServers || {}), vibesecur: entry };
-      return out;
-    });
-    console.log(ok(`Wrote Cursor MCP config: ${file}`));
-  }
-
-  if (which === 'vscode' || which === 'all') {
-    const folder = env.VIBESECUR_BOUND_ROOT;
-    const file = path.join(folder, '.vscode', 'mcp.json');
-    await mergeJsonFile(file, (data) => {
-      const out = { ...data };
-      out.servers = { ...(out.servers || {}), vibesecur: vscodeEntry };
-      return out;
-    });
-    console.log(ok(`Wrote VS Code MCP config: ${file}`));
-  }
-
-  if (which === 'windsurf' || which === 'all') {
-    const file = path.join(os.homedir(), '.codeium', 'windsurf', 'mcp_config.json');
-    await mergeJsonFile(file, (data) => {
-      const out = { ...data };
-      out.mcpServers = { ...(out.mcpServers || {}), vibesecur: entry };
-      return out;
-    });
-    console.log(ok(`Wrote Windsurf MCP config: ${file}`));
-  }
-}
-
-async function cmdBind() {
-  const folder = path.resolve(arg || process.cwd());
-  const account = process.env.VIBESECUR_ACCOUNT || 'anonymous';
-  console.log(`\n${h('Vibesecur MCP - Bind Install')}`);
-  console.log(`Folder : ${folder}`);
-  console.log(`Account: ${account}\n`);
-  const lock = await createLock({ rootPath: folder, account });
-  console.log(ok(`Lock created: ${folder}/.vibesecur/lock.json`));
-  console.log(`\n${BOLD}Install token (keep private):${RESET}`);
-  console.log(`  ${lock.installToken}\n`);
-  console.log('Add to MCP config env:');
-  console.log(`  VIBESECUR_INSTALL_TOKEN=${lock.installToken}`);
-  console.log(`  VIBESECUR_BOUND_ROOT=${folder}`);
-  console.log(`\n${dim(`Run: vibesecur-mcp config ${folder} for IDE snippets`)}\n`);
-}
-
-async function cmdRebind() {
-  const folder = path.resolve(arg || process.cwd());
-  const account = process.env.VIBESECUR_ACCOUNT || 'anonymous';
-  console.log(`\n${h('Vibesecur MCP - Rebind Install')}`);
-  console.log(`Folder : ${folder}\n`);
-  const result = await rebindLock({ rootPath: folder, account });
-  console.log(ok('Rebind complete. Previous token is now invalid.'));
-  console.log(`Previous: ${dim(result.previousToken || 'none')}`);
-  console.log(`\n${BOLD}New install token:${RESET}`);
-  console.log(`  ${result.newToken}\n`);
-  console.log('Update MCP config env:');
-  console.log(`  VIBESECUR_INSTALL_TOKEN=${result.newToken}`);
-  console.log(`  VIBESECUR_BOUND_ROOT=${result.boundRoot}\n`);
-}
-
-async function cmdStatus() {
-  const folder = path.resolve(arg || process.cwd());
-  console.log(`\n${h('Vibesecur MCP - Lock Diagnostic')}`);
-  const diag = await diagnosticLock(folder);
-  console.log(diag.healthy ? ok('Lock healthy') : err('Lock has issues'));
-  console.log(`Bound root  : ${diag.boundRoot || 'unknown'}`);
-  console.log(`Account     : ${diag.account || 'unknown'}`);
-  console.log(`Created     : ${diag.createdAt || 'unknown'}`);
-  console.log(`RootHash OK : ${diag.rootHash?.ok ? `${GREEN}yes${RESET}` : `${RED}NO${RESET}`}`);
-  console.log(`In scope    : ${diag.pathInBoundFolder ? `${GREEN}yes${RESET}` : `${RED}NO${RESET}`}`);
-  if (diag.issues?.length) {
-    console.log(`\n${RED}Issues:${RESET}`);
-    diag.issues.forEach((i) => console.log(`  - ${i}`));
-    console.log(`\nFix: vibesecur-mcp rebind ${diag.boundRoot || folder}`);
-  }
-  console.log();
-}
-
-async function cmdConfig() {
-  const folder = path.resolve(arg || process.cwd());
-  const lock = await readLock(folder);
-  const token = lock?.installToken || 'YOUR_INSTALL_TOKEN';
-  const apiBase = (flags['api-base'] || process.env.VIBESECUR_API_BASE || DEFAULT_API_BASE).trim();
-
-  console.log(`\n${h('Vibesecur MCP - IDE Config Snippets')}`);
-  console.log(`Folder: ${folder}`);
-  if (!lock) console.log(err(`No lock found. Run: vibesecur-mcp bind ${folder}`));
-  console.log();
-
-  const env = buildEnv(folder, token, apiBase);
-  const sc = serverCmd();
-  printIdeBlocks(sc, env);
-}
-
-async function cmdInit() {
-  const folder = path.resolve(arg || process.cwd());
-  const apiBase = (flags['api-base'] || process.env.VIBESECUR_API_BASE || DEFAULT_API_BASE).trim();
-  const account = process.env.VIBESECUR_ACCOUNT || 'anonymous';
-  const skipBind = flags['skip-bind'] === true || flags['skip-bind'] === 'true';
-
-  console.log(`\n${h('Vibesecur MCP - Init')}`);
-  console.log(`Project folder: ${folder}`);
-  console.log(`API base:       ${apiBase}`);
-  console.log(`Package:        ${NPM_PACKAGE_NAME}\n`);
-
-  let lock = await readLock(folder);
-  if (!lock) {
-    if (skipBind) {
-      console.log(err('No lock in this folder. Run without --skip-bind, or: vibesecur-mcp bind <folder>'));
-      process.exit(1);
-    }
-    lock = await createLock({ rootPath: folder, account });
-    console.log(ok(`Created lock: ${path.join(folder, '.vibesecur', 'lock.json')}`));
-  } else {
-    console.log(ok('Existing lock found (reusing token). Use rebind to rotate.'));
-  }
-
-  const env = buildEnv(folder, lock.installToken, apiBase);
-  const sc = serverCmd();
-
-  console.log(`\n${BOLD}Next:${RESET} paste ONE block below into your IDE MCP settings, then reload the IDE.\n`);
-  printIdeBlocks(sc, env);
-
-  const write = flags.write;
-  if (write) {
-    const w = String(write).toLowerCase();
-    if (!['cursor', 'vscode', 'windsurf', 'all'].includes(w)) {
-      console.log(err(`Invalid --write=${write}. Use: cursor | vscode | windsurf | all`));
-      process.exit(1);
-    }
-    await writeIdeConfig(w, sc, env);
-    console.log(dim('Reload your IDE so it picks up the new MCP config.'));
-  }
-}
-
-async function cmdDoctor() {
-  const folder = path.resolve(arg || process.cwd());
-  const apiBase = (flags['api-base'] || process.env.VIBESECUR_API_BASE || DEFAULT_API_BASE).trim();
-
-  console.log(`\n${h('Vibesecur MCP - Doctor')}`);
-  console.log(`Folder:   ${folder}`);
-  console.log(`API base: ${apiBase}\n`);
-
-  const lock = await readLock(folder);
-  if (!lock) {
-    console.log(err('No lock file. Run: vibesecur-mcp init'));
-  } else {
-    console.log(ok('Lock file present'));
-    const diag = await diagnosticLock(folder);
-    console.log(diag.healthy ? ok('Lock diagnostic: healthy') : err('Lock diagnostic: issues'));
-    if (diag.issues?.length) diag.issues.forEach((i) => console.log(`  - ${i}`));
-  }
-
-  const tokenEnv = process.env.VIBESECUR_INSTALL_TOKEN;
-  const rootEnv = process.env.VIBESECUR_BOUND_ROOT;
-  console.log(`\n${BOLD}Shell env (optional; IDE sets these when MCP runs):${RESET}`);
-  console.log(`  VIBESECUR_INSTALL_TOKEN: ${tokenEnv ? dim('set') : dim('not set in this shell (normal)')}`);
-  console.log(`  VIBESECUR_BOUND_ROOT:    ${rootEnv ? dim('set') : dim('not set in this shell (normal)')}`);
-  console.log(`  VIBESECUR_API_BASE:      ${process.env.VIBESECUR_API_BASE ? dim(process.env.VIBESECUR_API_BASE) : dim(`${DEFAULT_API_BASE} (default)`)}`);
-
-  const ping = await pingBackend(apiBase);
-  if (ping.skipped) {
-    console.log(`\n${err('Backend ping skipped')}`);
-  } else if (ping.ok) {
-    const note = ping.status >= 400 ? ' (server responded; check path if unexpected)' : '';
-    console.log(`\n${ok(`Backend responded HTTP ${ping.status}${note}`)}`);
-    console.log(dim(`  ${ping.url || ''}`));
-  } else {
-    console.log(`\n${err('Backend not reachable')}`);
-    if (ping.status !== undefined) console.log(`  HTTP ${ping.status}`);
-    if (ping.error) console.log(`  ${ping.error}`);
-  }
-
-  console.log(`\n${BOLD}CLI:${RESET} ${NPM_PACKAGE_NAME}@${mcpPkg.version}`);
-  console.log(dim('If IDE still fails: run init again, paste fresh config, reload IDE.\n'));
-}
-
-function usage() {
-  console.log(`\n${h('Vibesecur MCP')}`);
-  console.log(`  ${dim('Quick start:')} vibesecur-mcp init`);
-  console.log('  init [folder]       bind + print IDE configs [--api-base=URL] [--write=cursor|vscode|windsurf|all] [--skip-bind]');
-  console.log('  doctor [folder]   check lock + backend [--api-base=URL]');
-  console.log('  bind <folder>     create lock only');
-  console.log('  rebind <folder>   rotate token');
-  console.log('  status [folder]   lock health');
-  console.log('  config [folder]   print snippets only');
-  console.log('  start             MCP server (stdio)\n');
-  process.exit(1);
-}
-
-try {
-  switch (command) {
-    case 'init': await cmdInit(); break;
-    case 'doctor': await cmdDoctor(); break;
-    case 'bind': await cmdBind(); break;
-    case 'rebind': await cmdRebind(); break;
-    case 'status': await cmdStatus(); break;
-    case 'config': await cmdConfig(); break;
-    case 'start':
-    case undefined: await import('./server.js'); break;
-    default: usage();
-  }
-} catch (e) {
-  console.error(`\x1b[31m✗ ${e.message}\x1b[0m`);
-  process.exit(1);
-}
+#!/usr/bin/env node
+/**
+ * vibesecur-mcp CLI
+ *
+ * Quick start:  npx -y @saiteja1123/mcp-server init
+ *
+ * Commands:
+ *   init [folder]     bind folder + print IDE configs (optional --write=...)
+ *   doctor [folder]   check lock, env hints, backend reachability
+ *   bind <folder>
+ *   rebind <folder>
+ *   status [folder]
+ *   config [folder]
+ *   start             MCP stdio server
+ *
+ * Flags (init):  --api-base=URL  --skip-bind  --write=cursor|vscode|windsurf|all
+ */
+
+import fs from 'fs/promises';
+import path from 'path';
+import { createRequire } from 'module';
+import { fileURLToPath } from 'url';
+import {
+  createLock,
+  rebindLock,
+  diagnosticLock,
+  readLock,
+  validateScanPath,
+  isRuntimeCompatibleLock,
+} from './lock.mjs';
+import { pingBackend, requestServerBind, verifyInstallBinding } from './api-scan.mjs';
+import {
+  DEFAULT_API_BASE,
+  NPM_PACKAGE_NAME,
+  buildLegacyEnv,
+  buildUniversalEnv,
+  formatIdeConfigBlocks,
+  IDE_CONFIG_TARGETS,
+  isUniversalMode,
+  publishedServerCmd,
+} from './mcp-config.mjs';
+import {
+  DeepScanRuntime,
+  LocalDeepScanStore,
+  StepperRegistry,
+  buildDeepScanStatus,
+  createSampleStepperRegistry,
+  appendAcceptedRiskRecord,
+} from './deep-scan/index.js';
+
+const require = createRequire(import.meta.url);
+const mcpPkg = require('../package.json');
+const NPM_PACKAGE = NPM_PACKAGE_NAME;
+
+const serverPath = fileURLToPath(new URL('./server.js', import.meta.url));
+
+const BOLD = '\x1b[1m';
+const GREEN = '\x1b[32m';
+const RED = '\x1b[31m';
+const CYAN = '\x1b[36m';
+const DIM = '\x1b[2m';
+const RESET = '\x1b[0m';
+
+function h(t) { return `${BOLD}${CYAN}${t}${RESET}`; }
+function ok(t) { return `${GREEN}✓ ${t}${RESET}`; }
+function err(t) { return `${RED}✗ ${t}${RESET}`; }
+function dim(t) { return `${DIM}${t}${RESET}`; }
+
+function parseArgv(argv) {
+  const flags = {};
+  const positional = [];
+  for (const a of argv) {
+    if (a.startsWith('--')) {
+      const eq = a.indexOf('=');
+      if (eq === -1) flags[a.slice(2)] = true;
+      else flags[a.slice(2, eq)] = a.slice(eq + 1);
+    } else {
+      positional.push(a);
+    }
+  }
+  return { flags, positional };
+}
+
+const { flags, positional } = parseArgv(process.argv.slice(2));
+const command = positional[0];
+const arg = positional[1];
+const arg2 = positional[2];
+
+function allowLocalFallback() {
+  return flags['allow-local-fallback'] === true || flags['allow-local-fallback'] === 'true';
+}
+
+function serverCmd() {
+  const normalizedPath = serverPath.replace(/\\/g, '/');
+  if (normalizedPath.includes('/node_modules/')) {
+    return publishedServerCmd();
+  }
+  return { command: 'node', args: [serverPath] };
+}
+
+function buildEnv(folder, token, apiBase) {
+  return buildLegacyEnv(folder, token, apiBase);
+}
+
+function printIdeBlocks(sc, env, options = {}) {
+  for (const block of formatIdeConfigBlocks(sc, env, options)) {
+    if (block.title === 'Mode') {
+      console.log(`${DIM}${block.body}${RESET}\n`);
+      continue;
+    }
+    console.log(`${BOLD}-- ${block.title} --${RESET}`);
+    console.log(block.body);
+    console.log();
+  }
+}
+
+function printLocalDiagnosticNotice(folder) {
+  console.log(err('Local diagnostic lock created, but it is not a runtime MCP binding.'));
+  console.log(
+    'Runtime startup still requires backend verification through /mcp/verify-install. ' +
+    'Run a server-issued bind before using this in an IDE:',
+  );
+  console.log(`  VIBESECUR_AUTH_TOKEN=<jwt> vibesecur-mcp bind ${folder}`);
+  console.log();
+}
+
+async function createServerIssuedLock({ folder, account, authToken, apiBase, action = 'bind' }) {
+  const remote = await requestServerBind({
+    lockedRootPath: folder,
+    authToken,
+    apiBase,
+  });
+
+  if (remote.ok && remote.json?.success && remote.json?.data?.installToken) {
+    const data = remote.json.data;
+    const lock = await createLock({
+      rootPath: folder,
+      account,
+      installToken: data.installToken,
+      lockedRootHash: data.lockedRootHash,
+      source: 'server',
+    });
+    console.log(ok(`Server-issued ${action} created`));
+    return { ok: true, lock, remote };
+  }
+
+  if (!remote.skipped) {
+    console.log(err(`Server ${action} failed (HTTP ${remote.status}): ${remote.json?.error || 'unknown'}`));
+    console.log(dim('Tip: set VIBESECUR_AUTH_TOKEN or pass --auth-token=<jwt>'));
+  } else {
+    console.log(err(`Server ${action} skipped: ${remote.error}`));
+  }
+  return { ok: false, remote };
+}
+
+function printIdeBlocksLegacy(sc, env) {
+  printIdeBlocks(sc, env, { universal: false });
+}
+
+async function runUniversalSetup({ apiBase, authToken, folder, write }) {
+  const sc = serverCmd();
+  const env = buildUniversalEnv(apiBase, authToken);
+
+  console.log(ok('Universal account MCP config (works in Cursor, Windsurf, VS Code, Claude Desktop, Continue)'));
+  console.log(dim('No per-folder bind required. Use projectUpsert in the IDE before scanning a new codebase.\n'));
+
+  console.log(`${BOLD}Next:${RESET} paste ONE block below into your IDE MCP settings, then reload the IDE.\n`);
+  printIdeBlocks(sc, env, { universal: true });
+
+  if (write) {
+    const w = String(write).toLowerCase();
+    const allowed = ['cursor', 'vscode', 'windsurf', 'claude', 'all'];
+    if (!allowed.includes(w)) {
+      console.log(err(`Invalid --write=${write}. Use: ${allowed.join(' | ')}`));
+      process.exit(1);
+    }
+    await writeIdeConfig(w, sc, env, folder);
+    console.log(dim('Reload your IDE so it picks up the new MCP config.'));
+  }
+}
+
+async function mergeJsonFile(filePath, merger) {
+  await fs.mkdir(path.dirname(filePath), { recursive: true });
+  let data = {};
+  try {
+    const raw = await fs.readFile(filePath, 'utf8');
+    data = JSON.parse(raw);
+  } catch {
+    data = {};
+  }
+  const next = merger(data);
+  await fs.writeFile(filePath, JSON.stringify(next, null, 2), 'utf8');
+}
+
+async function writeIdeConfig(which, sc, env, folder = process.cwd()) {
+  const writeOne = async (id) => {
+    const target = IDE_CONFIG_TARGETS[id];
+    if (!target) return false;
+    if (target.needsFolder && !folder) {
+      console.log(err(`Skipping ${id}: pass a project folder for .vscode/mcp.json`));
+      return false;
+    }
+    const filePath = target.needsFolder ? target.path(folder) : target.path();
+    const built = target.build(sc, env);
+    const entry = built[target.mergeKey][target.entryKey];
+    await mergeJsonFile(filePath, (data) => {
+      const out = { ...data };
+      out[target.mergeKey] = { ...(out[target.mergeKey] || {}), [target.entryKey]: entry };
+      return out;
+    });
+    console.log(ok(`Wrote ${target.label}: ${filePath}`));
+    return true;
+  };
+
+  if (which === 'all') {
+    await writeOne('cursor');
+    await writeOne('windsurf');
+    await writeOne('claude');
+    await writeOne('vscode');
+    return;
+  }
+  await writeOne(which);
+}
+
+function createDeepScanRuntime(folder) {
+  const registry = createSampleStepperRegistry(new StepperRegistry());
+  const store = new LocalDeepScanStore({ rootPath: folder });
+  return new DeepScanRuntime({ registry, store });
+}
+
+function localDeepScanProfile({
+  requireHumanApproval = false,
+  previousDeterministicScanRef = null,
+  previousFailureStateRef = null,
+} = {}) {
+  return {
+    id: 'local-deep-scan-v1',
+    version: '1.0.0',
+    checkpoint: true,
+    ralphLoop: {
+      retry: {
+        maxAttempts: 3,
+        escalateAt: 2,
+        trackSeverities: ['critical', 'high'],
+      },
+    },
+    steppers: [
+      ...(requireHumanApproval ? [{ id: 'sample.needsHuman', required: true }] : []),
+      { id: 'project.map', required: true },
+      { id: 'rules.scan', required: true },
+      { id: 'tests.plan', required: true },
+      { id: 'ralph.tasks', required: true },
+      { id: 'ralph.compare', required: true, config: previousDeterministicScanRef ? { previousDeterministicScanRef } : {} },
+      { id: 'ralph.accept', required: true },
+      { id: 'ralph.track', required: true, config: previousFailureStateRef ? { previousFailureStateRef } : {} },
+    ],
+  };
+}
+
+function artifactRefFromRun(artifacts, { stepperId, type, fallbackId }) {
+  const ref = artifacts[stepperId]
+    || Object.values(artifacts).find((item) => item?.type === type);
+  if (!ref?.uri || !ref?.hash) return null;
+  return {
+    id: ref.id || fallbackId,
+    type,
+    storage: ref.storage || 'local',
+    uri: ref.uri,
+    hash: ref.hash,
+  };
+}
+
+async function resolvePreviousRunRefs(folder) {
+  const previousRunId = flags['previous-run-id'];
+  const previousScanUri = flags['previous-scan-uri'];
+  const previousScanHash = flags['previous-scan-hash'];
+  const previousScanId = flags['previous-scan-id'] || 'artifact-previous-deterministic-scan';
+
+  if (!previousRunId && !previousScanUri && !previousScanHash) {
+    return { previousDeterministicScanRef: null, previousFailureStateRef: null };
+  }
+
+  if (previousRunId) {
+    const store = new LocalDeepScanStore({ rootPath: folder });
+    const previousRun = await store.getRun(previousRunId);
+    const artifacts = previousRun?.artifacts || {};
+    const previousDeterministicScanRef = artifactRefFromRun(artifacts, {
+      stepperId: 'rules.scan',
+      type: 'deterministic_scan',
+      fallbackId: `artifact-${previousRunId}-deterministic-scan`,
+    });
+    if (!previousDeterministicScanRef) {
+      throw new Error(
+        `Run ${previousRunId} does not contain a deterministic_scan artifact with uri/hash for ralph.compare baseline.`,
+      );
+    }
+    const previousFailureStateRef = artifactRefFromRun(artifacts, {
+      stepperId: 'ralph.track',
+      type: 'ralph_failure_state',
+      fallbackId: `artifact-${previousRunId}-ralph-failure-state`,
+    });
+    return { previousDeterministicScanRef, previousFailureStateRef };
+  }
+
+  if (!previousScanUri || !previousScanHash) {
+    throw new Error('Both --previous-scan-uri and --previous-scan-hash are required when baseline run id is not provided.');
+  }
+
+  return {
+    previousDeterministicScanRef: {
+      id: previousScanId,
+      type: 'deterministic_scan',
+      storage: 'local',
+      uri: previousScanUri,
+      hash: previousScanHash,
+    },
+    previousFailureStateRef: null,
+  };
+}
+
+async function requireDeepScanBoundary(folder) {
+  const lock = await readLock(folder);
+  if (flags.demo === true || flags.demo === 'true') {
+    console.log(dim('Deep Scan demo mode: explicit unbound local run; no server-issued MCP binding is required.'));
+    return { folder: path.resolve(folder), lock: null, demo: true };
+  }
+  if (!lock || !isRuntimeCompatibleLock(lock)) {
+    throw new Error(
+      'Deep Scan runtime requires a server-issued MCP binding. ' +
+      `Run: vibesecur-mcp bind ${folder} (or pass --demo=true for explicit unbound local demo mode).`,
+    );
+  }
+  const local = await validateScanPath(folder, lock.installToken);
+  if (!local.ok) {
+    throw new Error(
+      `${local.message} Deep Scan runtime requires a verified server-issued MCP binding. ` +
+      `Run: ${local.rebindHint || `vibesecur-mcp bind ${folder}`}.`,
+    );
+  }
+  if (!isRuntimeCompatibleLock(local.lock)) {
+    throw new Error(
+      'Deep Scan runtime requires a server-issued MCP binding. ' +
+      `Run: vibesecur-mcp bind ${local.boundRoot || folder}.`,
+    );
+  }
+  const lockedRootHash = local.lockedRootHash || local.lock?.lockedRootHash || local.lock?.rootHash;
+  const apiBase = flags['api-base'] || process.env.VIBESECUR_API_BASE || process.env.VIBESECUR_API_URL || DEFAULT_API_BASE;
+  const verify = await verifyInstallBinding({
+    installToken: lock.installToken,
+    lockedRootHash,
+    apiBase,
+  });
+  if (!verify.ok || !verify.json?.success) {
+    throw new Error(
+      'Deep Scan runtime requires a verified server-issued MCP binding. ' +
+      `${verify.json?.error || verify.error || 'Unable to verify MCP install binding.'} ` +
+      `Run: vibesecur-mcp rebind ${local.boundRoot || folder}.`,
+    );
+  }
+  return { folder: local.boundRoot || path.resolve(folder), lock: local.lock, lockedRootHash };
+}
+
+async function cmdDeepScanStart() {
+  const folder = path.resolve(arg || process.cwd());
+  const boundary = await requireDeepScanBoundary(folder);
+  const runtime = createDeepScanRuntime(boundary.folder);
+  const { previousDeterministicScanRef, previousFailureStateRef } = await resolvePreviousRunRefs(boundary.folder);
+  const run = await runtime.createRun({
+    projectId: flags['project-id'] || 'local-project',
+    projectHash: flags['project-hash'] || null,
+      graphProfile: localDeepScanProfile({
+        requireHumanApproval: flags['human-approval'] === true || flags['human-approval'] === 'true',
+        previousDeterministicScanRef,
+        previousFailureStateRef,
+      }),
+    metadata: {
+      runtimeBoundary: 'mcp-local',
+      artifactStorage: 'refs-only',
+      trustModel: 'No raw source is stored in Deep Scan checkpoints.',
+    },
+  });
+  const state = await runtime.startRun(run.runId);
+  console.log(JSON.stringify(buildDeepScanStatus(state), null, 2));
+}
+
+async function cmdDeepScanStatus() {
+  const runId = arg;
+  if (!runId) throw new Error('Usage: vibesecur-mcp deep-scan-status <runId> [folder]');
+  const folder = path.resolve(arg2 || process.cwd());
+  const boundary = await requireDeepScanBoundary(folder);
+  const store = new LocalDeepScanStore({ rootPath: boundary.folder });
+  console.log(JSON.stringify(buildDeepScanStatus(await store.getRun(runId)), null, 2));
+}
+
+async function cmdDeepScanApprove() {
+  const runId = arg;
+  if (!runId) throw new Error('Usage: vibesecur-mcp deep-scan-approve <runId> [folder] --requirement-id=<id> --approved-by=<who> --reason=<why>');
+  const folder = path.resolve(arg2 || process.cwd());
+  const boundary = await requireDeepScanBoundary(folder);
+  const runtime = createDeepScanRuntime(boundary.folder);
+  const approval = await runtime.recordApproval({
+    runId,
+    requirementId: flags['requirement-id'] || 'sample.needsHuman',
+    decision: flags.decision || 'approved',
+    approvedBy: flags['approved-by'] || process.env.USER || process.env.USERNAME || 'local-user',
+    reason: flags.reason || 'Approved from local CLI.',
+    relatedFindingId: flags['related-finding-id'],
+    relatedArtifactId: flags['related-artifact-id'],
+    metadata: { source: 'cli' },
+  });
+  console.log(JSON.stringify({ approval, nextAction: 'Run vibesecur-mcp deep-scan-resume.' }, null, 2));
+}
+
+async function cmdDeepScanResume() {
+  const runId = arg;
+  if (!runId) throw new Error('Usage: vibesecur-mcp deep-scan-resume <runId> [folder]');
+  const folder = path.resolve(arg2 || process.cwd());
+  const boundary = await requireDeepScanBoundary(folder);
+  const runtime = createDeepScanRuntime(boundary.folder);
+  console.log(JSON.stringify(buildDeepScanStatus(await runtime.resumeRun(runId)), null, 2));
+}
+
+async function cmdDeepScanAcceptRisk() {
+  const folder = path.resolve(arg || process.cwd());
+  const boundary = await requireDeepScanBoundary(folder);
+  if (!flags.severity) {
+    throw new Error('Usage: vibesecur-mcp deep-scan-accept-risk [folder] --severity=<critical|high|medium|low> --finding-key=<sha256|--finding-id=<id> [--reason=<why> --reviewer=<who> --expires-at=<iso>]');
+  }
+  if (!flags['finding-key'] && !flags['finding-id']) {
+    throw new Error('deep-scan-accept-risk requires --finding-key=<sha256> or --finding-id=<id> to attach the accepted risk to a tracked finding.');
+  }
+  const result = await appendAcceptedRiskRecord({
+    rootPath: boundary.folder,
+    record: {
+      riskId: flags['risk-id'],
+      findingKey: flags['finding-key'],
+      findingId: flags['finding-id'],
+      taskId: flags['task-id'],
+      severity: flags.severity,
+      reason: flags.reason,
+      reviewer: flags.reviewer || process.env.USER || process.env.USERNAME || undefined,
+      acceptedAt: flags['accepted-at'],
+      expiresAt: flags['expires-at'],
+      reviewBy: flags['review-by'],
+      reportVisibility: flags['report-visibility'] || 'visible',
+      metadata: { source: 'cli' },
+    },
+  });
+  console.log(JSON.stringify({
+    record: result.record,
+    registerRef: { uri: result.uri, hash: result.hash },
+    activeRecordCount: result.register.records.length,
+    nextAction: 'Rerun vibesecur-mcp deep-scan-start so ralph.compare and ralph.accept apply this accepted risk.',
+  }, null, 2));
+}
+
+async function cmdBind() {
+  const folder = path.resolve(arg || process.cwd());
+  const apiBase = (flags['api-base'] || process.env.VIBESECUR_API_BASE || DEFAULT_API_BASE).trim();
+  const authToken = flags['auth-token'] || process.env.VIBESECUR_AUTH_TOKEN || '';
+  const account = process.env.VIBESECUR_ACCOUNT || 'anonymous';
+  const canFallbackLocal = allowLocalFallback();
+
+  console.log(`\n${h('Vibesecur MCP - Bind Install')}`);
+  console.log(`Folder : ${folder}`);
+  console.log(`API    : ${apiBase}`);
+  console.log(`Account: ${account}\n`);
+
+  let lock;
+  const serverBind = await createServerIssuedLock({ folder, account, authToken, apiBase, action: 'bind' });
+  if (serverBind.ok) {
+    lock = serverBind.lock;
+  } else {
+    if (!canFallbackLocal) {
+      throw new Error(
+        'Server-issued bind is required. Pass --allow-local-fallback=true only to create a diagnostic local lock.',
+      );
+    }
+    console.log(dim('Creating local diagnostic lock. It will not pass runtime server verification.\n'));
+    lock = await createLock({ rootPath: folder, account, source: 'local-diagnostic' });
+  }
+
+  console.log(ok(`Lock created: ${folder}/.vibesecur/lock.json`));
+  console.log(`Source: ${lock.source}`);
+  if (!isRuntimeCompatibleLock(lock)) {
+    printLocalDiagnosticNotice(folder);
+    return;
+  }
+  console.log(`\n${BOLD}Install token (keep private):${RESET}`);
+  console.log(`  ${lock.installToken}\n`);
+  console.log('Add to MCP config env:');
+  console.log(`  VIBESECUR_INSTALL_TOKEN=${lock.installToken}`);
+  console.log(`  VIBESECUR_BOUND_ROOT=${folder}`);
+  console.log(`  VIBESECUR_API_BASE=${apiBase}`);
+  console.log(`\n${dim(`Run: vibesecur-mcp config ${folder} for IDE snippets`)}\n`);
+}
+
+async function cmdRebind() {
+  const folder = path.resolve(arg || process.cwd());
+  const apiBase = (flags['api-base'] || process.env.VIBESECUR_API_BASE || DEFAULT_API_BASE).trim();
+  const authToken = flags['auth-token'] || process.env.VIBESECUR_AUTH_TOKEN || '';
+  const account = process.env.VIBESECUR_ACCOUNT || 'anonymous';
+  const canFallbackLocal = allowLocalFallback();
+
+  console.log(`\n${h('Vibesecur MCP - Rebind Install')}`);
+  console.log(`Folder : ${folder}`);
+  console.log(`API    : ${apiBase}\n`);
+
+  const oldLock = await readLock(folder);
+
+  let result;
+  const serverBind = await createServerIssuedLock({ folder, account, authToken, apiBase, action: 'rebind' });
+  if (serverBind.ok) {
+    const newLock = serverBind.lock;
+    result = {
+      previousToken: oldLock?.installToken || null,
+      newToken: newLock.installToken,
+      boundRoot: newLock.boundRoot,
+      source: newLock.source,
+    };
+  } else {
+    if (!canFallbackLocal) {
+      throw new Error(
+        'Server-issued rebind is required. Pass --allow-local-fallback=true only to create a diagnostic local lock.',
+      );
+    }
+    console.log(dim('Falling back to local diagnostic rebind. It will not pass runtime server verification.\n'));
+    result = await rebindLock({ rootPath: folder, account, source: 'local-diagnostic' });
+  }
+
+  console.log(ok('Rebind complete. Previous token is now invalid.'));
+  console.log(`Previous: ${dim(result.previousToken || 'none')}`);
+  if (result.source !== 'server') {
+    printLocalDiagnosticNotice(result.boundRoot);
+    return;
+  }
+  console.log(`\n${BOLD}New install token:${RESET}`);
+  console.log(`  ${result.newToken}\n`);
+  console.log('Update MCP config env:');
+  console.log(`  VIBESECUR_INSTALL_TOKEN=${result.newToken}`);
+  console.log(`  VIBESECUR_BOUND_ROOT=${result.boundRoot}`);
+  console.log(`  VIBESECUR_API_BASE=${apiBase}\n`);
+}
+
+async function cmdStatus() {
+  const folder = path.resolve(arg || process.cwd());
+  console.log(`\n${h('Vibesecur MCP - Lock Diagnostic')}`);
+  const diag = await diagnosticLock(folder);
+  console.log(diag.healthy ? ok('Lock healthy') : err('Lock has issues'));
+  console.log(`Bound root  : ${diag.boundRoot || 'unknown'}`);
+  console.log(`Account     : ${diag.account || 'unknown'}`);
+  console.log(`Created     : ${diag.createdAt || 'unknown'}`);
+  console.log(`Source      : ${diag.source || 'unknown'}`);
+  console.log(`Runtime OK  : ${diag.runtimeCompatible ? `${GREEN}yes${RESET}` : `${RED}NO${RESET}`}`);
+  console.log(`RootHash OK : ${diag.rootHash?.ok ? `${GREEN}yes${RESET}` : `${RED}NO${RESET}`}`);
+  console.log(`In scope    : ${diag.pathInBoundFolder ? `${GREEN}yes${RESET}` : `${RED}NO${RESET}`}`);
+  if (diag.issues?.length) {
+    console.log(`\n${RED}Issues:${RESET}`);
+    diag.issues.forEach((i) => console.log(`  - ${i}`));
+    console.log(`\nFix: vibesecur-mcp rebind ${diag.boundRoot || folder}`);
+  }
+  console.log();
+}
+
+async function cmdConfig() {
+  const folder = path.resolve(arg || process.cwd());
+  const apiBase = (flags['api-base'] || process.env.VIBESECUR_API_BASE || DEFAULT_API_BASE).trim();
+  const authToken = flags['auth-token'] || process.env.VIBESECUR_AUTH_TOKEN || '';
+
+  console.log(`\n${h('Vibesecur MCP - IDE Config Snippets')}`);
+
+  if (isUniversalMode(flags, authToken)) {
+    if (!authToken) {
+      console.log(err('Universal config requires VIBESECUR_AUTH_TOKEN or --auth-token=<jwt>'));
+      process.exit(1);
+    }
+    console.log(`Mode:   ${BOLD}universal (account-wide)${RESET}`);
+    console.log(`API:    ${apiBase}\n`);
+    const sc = serverCmd();
+    printIdeBlocks(sc, buildUniversalEnv(apiBase, authToken), { universal: true });
+    return;
+  }
+
+  console.log(`Mode:   ${BOLD}legacy (single folder)${RESET}`);
+  console.log(`Folder: ${folder}`);
+  const lock = await readLock(folder);
+  const token = lock?.installToken || 'YOUR_INSTALL_TOKEN';
+  if (!lock) console.log(err(`No lock found. Run: vibesecur-mcp init ${folder} --mode=legacy`));
+  else if (!isRuntimeCompatibleLock(lock)) {
+    console.log(err('Existing lock is local diagnostic-only and will not start the MCP runtime.'));
+    console.log(`Run: VIBESECUR_AUTH_TOKEN=<jwt> vibesecur-mcp init --mode=universal`);
+    console.log();
+    return;
+  }
+  console.log();
+
+  const sc = serverCmd();
+  printIdeBlocks(sc, buildEnv(folder, token, apiBase), { universal: false });
+}
+
+async function cmdInit() {
+  const folder = path.resolve(arg || process.cwd());
+  const apiBase = (flags['api-base'] || process.env.VIBESECUR_API_BASE || DEFAULT_API_BASE).trim();
+  const account = process.env.VIBESECUR_ACCOUNT || 'anonymous';
+  const skipBind = flags['skip-bind'] === true || flags['skip-bind'] === 'true';
+  const canFallbackLocal = allowLocalFallback();
+  const authToken = flags['auth-token'] || process.env.VIBESECUR_AUTH_TOKEN || '';
+  const write = flags.write;
+
+  console.log(`\n${h('Vibesecur MCP - Init')}`);
+  console.log(`Project folder: ${folder}`);
+  console.log(`API base:       ${apiBase}`);
+  console.log(`Package:        ${NPM_PACKAGE_NAME}@${mcpPkg.version}\n`);
+
+  if (isUniversalMode(flags, authToken)) {
+    if (!authToken) {
+      console.log(err('Universal init requires VIBESECUR_AUTH_TOKEN or --auth-token=<jwt> from the dashboard login.'));
+      console.log(dim('Example: npx -y @saiteja1123/mcp-server init --auth-token=<jwt> --write=all'));
+      process.exit(1);
+    }
+    await runUniversalSetup({ apiBase, authToken, folder, write });
+    return;
+  }
+
+  let lock = await readLock(folder);
+  if (lock && !isRuntimeCompatibleLock(lock) && !skipBind) {
+    console.log(err(`Existing lock source "${lock.source || 'unknown'}" is diagnostic-only; requesting server-issued binding.`));
+    lock = null;
+  }
+  if (!lock) {
+    if (skipBind) {
+      console.log(err('No lock in this folder. Run without --skip-bind, or: vibesecur-mcp bind <folder>'));
+      process.exit(1);
+    }
+
+    const serverBind = await createServerIssuedLock({ folder, account, authToken, apiBase, action: 'bind' });
+    if (serverBind.ok) {
+      lock = serverBind.lock;
+    } else {
+      if (!canFallbackLocal) {
+        throw new Error(
+          'Server-issued bind is required. Pass --allow-local-fallback=true only to create a diagnostic local lock.',
+        );
+      }
+      console.log(dim('Creating local diagnostic lock. It will not pass runtime server verification.'));
+      lock = await createLock({ rootPath: folder, account, source: 'local-diagnostic' });
+    }
+    console.log(ok(`Created lock: ${path.join(folder, '.vibesecur', 'lock.json')}`));
+  } else {
+    console.log(ok('Existing lock found (reusing token). Use rebind to rotate.'));
+  }
+
+  if (!isRuntimeCompatibleLock(lock)) {
+    printLocalDiagnosticNotice(folder);
+    return;
+  }
+
+  const env = buildEnv(folder, lock.installToken, apiBase);
+  const sc = serverCmd();
+
+  console.log(`\n${BOLD}Next:${RESET} paste ONE block below into your IDE MCP settings, then reload the IDE.\n`);
+  printIdeBlocks(sc, env, { universal: false });
+
+  if (write) {
+    const w = String(write).toLowerCase();
+    if (!['cursor', 'vscode', 'windsurf', 'claude', 'all'].includes(w)) {
+      console.log(err(`Invalid --write=${write}. Use: cursor | vscode | windsurf | claude | all`));
+      process.exit(1);
+    }
+    await writeIdeConfig(w, sc, env, folder);
+    console.log(dim('Reload your IDE so it picks up the new MCP config.'));
+  }
+}
+
+async function cmdDoctor() {
+  const folder = path.resolve(arg || process.cwd());
+  const apiBase = (flags['api-base'] || process.env.VIBESECUR_API_BASE || DEFAULT_API_BASE).trim();
+  const authToken = flags['auth-token'] || process.env.VIBESECUR_AUTH_TOKEN || '';
+  const universal = isUniversalMode(flags, authToken);
+
+  console.log(`\n${h('Vibesecur MCP - Doctor')}`);
+  console.log(`Folder:   ${folder}`);
+  console.log(`API base: ${apiBase}`);
+  console.log(`Mode:     ${universal ? 'universal (account-wide)' : 'legacy (single folder)'}\n`);
+
+  if (universal) {
+    if (authToken) {
+      console.log(ok('VIBESECUR_AUTH_TOKEN present (universal mode ready)'));
+    } else {
+      console.log(err('VIBESECUR_AUTH_TOKEN missing — set it in IDE MCP env or pass --auth-token=<jwt>'));
+    }
+    console.log(dim('Per-project locks are optional in universal mode. Use projectUpsert before scanning a codebase.\n'));
+  } else {
+    const lock = await readLock(folder);
+    if (!lock) {
+      console.log(err('No lock file. Run: vibesecur-mcp init --auth-token=<jwt> for universal mode'));
+    } else {
+      console.log(ok('Lock file present'));
+      const diag = await diagnosticLock(folder);
+      console.log(diag.healthy ? ok('Lock diagnostic: healthy') : err('Lock diagnostic: issues'));
+      console.log(diag.runtimeCompatible ? ok('Runtime binding: server-issued') : err('Runtime binding: not server-issued'));
+      if (diag.issues?.length) diag.issues.forEach((i) => console.log(`  - ${i}`));
+    }
+  }
+
+  const tokenEnv = process.env.VIBESECUR_INSTALL_TOKEN;
+  const rootEnv = process.env.VIBESECUR_BOUND_ROOT;
+  const authEnv = process.env.VIBESECUR_AUTH_TOKEN;
+  console.log(`\n${BOLD}Shell env (IDE injects these when MCP runs):${RESET}`);
+  console.log(`  VIBESECUR_AUTH_TOKEN:      ${authEnv ? dim('set') : dim('not set in this shell')}`);
+  console.log(`  VIBESECUR_INSTALL_TOKEN:   ${tokenEnv ? dim('set') : dim('not set (OK in universal mode)')}`);
+  console.log(`  VIBESECUR_BOUND_ROOT:      ${rootEnv ? dim('set') : dim('not set (OK in universal mode)')}`);
+  console.log(`  VIBESECUR_API_BASE:        ${process.env.VIBESECUR_API_BASE ? dim(process.env.VIBESECUR_API_BASE) : dim(`${DEFAULT_API_BASE} (default)`)}`);
+
+  const ping = await pingBackend(apiBase);
+  if (ping.skipped) {
+    console.log(`\n${err('Backend ping skipped')}`);
+  } else if (ping.ok) {
+    const note = ping.status >= 400 ? ' (server responded; check path if unexpected)' : '';
+    console.log(`\n${ok(`Backend responded HTTP ${ping.status}${note}`)}`);
+    console.log(dim(`  ${ping.url || ''}`));
+  } else {
+    console.log(`\n${err('Backend not reachable')}`);
+    if (ping.status !== undefined) console.log(`  HTTP ${ping.status}`);
+    if (ping.error) console.log(`  ${ping.error}`);
+  }
+
+  console.log(`\n${BOLD}CLI:${RESET} ${NPM_PACKAGE_NAME}@${mcpPkg.version}`);
+  console.log(dim('Universal setup: npx -y @saiteja1123/mcp-server init --auth-token=<jwt> --write=all --api-base=URL'));
+  console.log(dim('If IDE still fails: reload IDE after pasting config, then run projectUpsert for your codebase.\n'));
+}
+
+function usage() {
+  console.log(`\n${h('Vibesecur MCP')}`);
+  console.log(`  ${dim('Quick start (universal):')} VIBESECUR_AUTH_TOKEN=<jwt> npx -y ${NPM_PACKAGE_NAME} init --write=all`);
+  console.log('  init [folder]       print IDE configs [--auth-token=JWT] [--api-base=URL] [--mode=universal|legacy] [--write=cursor|vscode|windsurf|claude|all]');
+  console.log('  doctor [folder]     check env + backend [--auth-token=JWT] [--api-base=URL] [--mode=universal]');
+  console.log('  bind <folder>       legacy single-folder bind [--auth-token=JWT]');
+  console.log('  rebind <folder>     rotate legacy folder token');
+  console.log('  status [folder]   lock health (legacy mode)');
+  console.log('  config [folder]   print IDE snippets [--auth-token=JWT] [--mode=universal]');
+  console.log('  deep-scan-start [folder]   create and run local Deep Scan Project Map, deterministic scan, metadata-only test plan, Ralph tasks, and rerun comparison [--demo=true] [--human-approval=true] [--previous-run-id=<runId>] [--previous-scan-uri=<uri> --previous-scan-hash=<sha256>]');
+  console.log('  deep-scan-status <runId> [folder]   inspect local Deep Scan status');
+  console.log('  deep-scan-approve <runId> [folder]  record approval metadata');
+  console.log('  deep-scan-resume <runId> [folder]   resume a checkpointed local Deep Scan run');
+  console.log('  deep-scan-accept-risk [folder]   record accepted risk --severity=<level> (--finding-key=<sha256>|--finding-id=<id>) [--reason= --reviewer= --expires-at=<iso>]');
+  console.log('  start             MCP server (stdio)\n');
+  process.exit(1);
+}
+
+try {
+  switch (command) {
+    case 'init': await cmdInit(); break;
+    case 'doctor': await cmdDoctor(); break;
+    case 'bind': await cmdBind(); break;
+    case 'rebind': await cmdRebind(); break;
+    case 'status': await cmdStatus(); break;
+    case 'config': await cmdConfig(); break;
+    case 'deep-scan-start': await cmdDeepScanStart(); break;
+    case 'deep-scan-status': await cmdDeepScanStatus(); break;
+    case 'deep-scan-approve': await cmdDeepScanApprove(); break;
+    case 'deep-scan-resume': await cmdDeepScanResume(); break;
+    case 'deep-scan-accept-risk': await cmdDeepScanAcceptRisk(); break;
+    case 'start':
+    case undefined: await import('./server.js'); break;
+    default: usage();
+  }
+} catch (e) {
+  console.error(`\x1b[31m✗ ${e.message}\x1b[0m`);
+  process.exit(1);
+}