@vibe-agent-toolkit/cli 0.1.34-rc.2 → 0.1.34

package/dist/commands/corpus/index.js

@@ -0,0 +1,53 @@
+/**
+ * Corpus command group — Phase 1 ships only `scan`.
+ */
+import { Command } from 'commander';
+import { corpusScanCommand } from './scan.js';
+export function createCorpusCommand() {
+    const corpus = new Command('corpus');
+    corpus
+        .description('Run vat audit (and optionally vat skill review) at scale across a tracked plugin seed')
+        .helpCommand(false);
+    corpus
+        .command('scan [seed-file]')
+        .description('Audit each plugin in the seed; write a per-run snapshot under --out')
+        .argument('[seed-file]', 'Path to seed YAML (default: corpus/seed.yaml)')
+        .requiredOption('--out <dir>', 'Output directory for the run snapshot (no default — must be specified)')
+        .option('--with-review', 'Also invoke vat skill review per plugin (LLM-backed; uses API tokens)')
+        .option('--debug', 'Enable debug logging and preserve cloned tempdirs')
+        .action(async function (seedFile) {
+        await corpusScanCommand(seedFile, this.optsWithGlobals());
+    })
+        .addHelpText('after', `
+Description:
+  Reads a seed YAML listing plugins to audit (each entry: { source, name,
+  validation? }), runs 'vat audit' against each (and optionally 'vat skill
+  review' with --with-review), writes summary.yaml plus per-plugin sibling
+  files into a date-sha subdirectory of --out.
+
+  source forms accepted (same as vat audit):
+    - local path (absolute or relative)
+    - https://host/owner/repo.git[#ref[:subpath]]
+    - GitHub web URL (https://github.com/owner/repo/tree/<ref>/<subpath>)
+    - GitHub shorthand (owner/repo, with optional #ref:subpath)
+    - SSH URL (git@host:owner/repo.git or ssh://...)
+    - file:// URL (local bare-repo testing)
+
+Output:
+  <--out>/<UTC-date>-<vat-short-sha>/
+    summary.yaml          # index: per-plugin status + totals
+    <name>-audit.yaml     # full audit output per plugin
+    <name>-review.md      # full skill-review output (only with --with-review)
+
+Exit codes:
+  0  - scan completed (regardless of unloadable plugins)
+  2  - scan failed to start (seed missing, --out missing, etc.)
+  130 - interrupted by SIGINT (partial results written)
+
+Example:
+  $ vat corpus scan --out ~/scratch/vat-corpus-runs
+  $ vat corpus scan corpus/seed.yaml --out ~/scratch/vat-corpus-runs --with-review
+`);
+    return corpus;
+}
+//# sourceMappingURL=index.js.map

package/dist/commands/corpus/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/commands/corpus/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,iBAAiB,EAA0B,MAAM,WAAW,CAAC;AAEtE,MAAM,UAAU,mBAAmB;IACjC,MAAM,MAAM,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAC;IAErC,MAAM;SACH,WAAW,CAAC,uFAAuF,CAAC;SACpG,WAAW,CAAC,KAAK,CAAC,CAAC;IAEtB,MAAM;SACH,OAAO,CAAC,kBAAkB,CAAC;SAC3B,WAAW,CAAC,qEAAqE,CAAC;SAClF,QAAQ,CAAC,aAAa,EAAE,+CAA+C,CAAC;SACxE,cAAc,CAAC,aAAa,EAAE,wEAAwE,CAAC;SACvG,MAAM,CAAC,eAAe,EAAE,uEAAuE,CAAC;SAChG,MAAM,CAAC,SAAS,EAAE,mDAAmD,CAAC;SACtE,MAAM,CAAC,KAAK,WAA0B,QAA4B;QACjE,MAAM,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAuB,CAAC,CAAC;IACjF,CAAC,CAAC;SACD,WAAW,CACV,OAAO,EACP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6BL,CACI,CAAC;IAEJ,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/commands/corpus/report.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Run-summary types + writer for `vat corpus scan`.
+ *
+ * `summary.yaml` is the index for one scan run. Per-plugin full audit
+ * outputs and full skill-review outputs are written as sibling files
+ * referenced by relative `output_path`. Totals are derived from the
+ * per-plugin rows so callers can pass raw rows and let this module
+ * compute aggregates.
+ */
+export type AuditStatus = 'success' | 'warning' | 'error' | 'unloadable';
+export type ReviewStatus = 'ok' | 'error' | 'skipped';
+export interface AuditSummary {
+    errors: number;
+    warnings: number;
+    info: number;
+    files_scanned: number;
+}
+export interface AuditOutcome {
+    status: AuditStatus;
+    duration_ms: number;
+    summary?: AuditSummary;
+    findings_emitted?: number;
+    output_path?: string;
+    error?: string;
+}
+export interface ReviewOutcome {
+    status: ReviewStatus;
+    duration_ms: number;
+    output_path?: string;
+    error?: string;
+}
+export interface PluginRow {
+    source: string;
+    name: string;
+    validation_applied: boolean;
+    audit: AuditOutcome;
+    review: ReviewOutcome;
+}
+export interface RunReport {
+    schema_version: 1;
+    generated_at: string;
+    vat_version: string;
+    vat_commit: string;
+    seed_file: string;
+    flags: {
+        with_review: boolean;
+        debug: boolean;
+    };
+    plugins: PluginRow[];
+}
+export interface RunTotals {
+    plugins: number;
+    audit_clean: number;
+    audit_warning: number;
+    audit_error: number;
+    unloadable: number;
+    reviewed?: number;
+}
+/**
+ * Compute totals over the per-plugin rows.
+ */
+export declare function computeTotals(report: RunReport): RunTotals;
+/**
+ * Build the run directory name: `<YYYY-MM-DD>-<vat-short-sha>`.
+ * Date is the UTC date of `generated_at`.
+ */
+export declare function runDirectoryName(report: RunReport): string;
+/**
+ * Write `summary.yaml` (and create the run directory) under `outDir`.
+ * Returns the absolute path of the created run directory. Per-plugin
+ * sibling files (audit outputs, review outputs) are written by the
+ * runner — this function only writes the summary index.
+ */
+export declare function writeRunReport(report: RunReport, outDir: string): Promise<string>;
+//# sourceMappingURL=report.d.ts.map

package/dist/commands/corpus/report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.d.ts","sourceRoot":"","sources":["../../../src/commands/corpus/report.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAOH,MAAM,MAAM,WAAW,GAAG,SAAS,GAAG,SAAS,GAAG,OAAO,GAAG,YAAY,CAAC;AACzE,MAAM,MAAM,YAAY,GAAG,IAAI,GAAG,OAAO,GAAG,SAAS,CAAC;AAEtD,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,WAAW,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,YAAY,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,kBAAkB,EAAE,OAAO,CAAC;IAC5B,KAAK,EAAE,YAAY,CAAC;IACpB,MAAM,EAAE,aAAa,CAAC;CACvB;AAED,MAAM,WAAW,SAAS;IACxB,cAAc,EAAE,CAAC,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE;QAAE,WAAW,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;IAChD,OAAO,EAAE,SAAS,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,SAAS,GAAG,SAAS,CAmC1D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,GAAG,MAAM,CAG1D;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAsBvF"}

package/dist/commands/corpus/report.js

@@ -0,0 +1,83 @@
+/**
+ * Run-summary types + writer for `vat corpus scan`.
+ *
+ * `summary.yaml` is the index for one scan run. Per-plugin full audit
+ * outputs and full skill-review outputs are written as sibling files
+ * referenced by relative `output_path`. Totals are derived from the
+ * per-plugin rows so callers can pass raw rows and let this module
+ * compute aggregates.
+ */
+import { mkdirSync, writeFileSync } from 'node:fs';
+import { safePath } from '@vibe-agent-toolkit/utils';
+import * as yaml from 'js-yaml';
+/**
+ * Compute totals over the per-plugin rows.
+ */
+export function computeTotals(report) {
+    const totals = {
+        plugins: report.plugins.length,
+        audit_clean: 0,
+        audit_warning: 0,
+        audit_error: 0,
+        unloadable: 0,
+    };
+    for (const row of report.plugins) {
+        switch (row.audit.status) {
+            case 'success': {
+                totals.audit_clean += 1;
+                break;
+            }
+            case 'warning': {
+                totals.audit_warning += 1;
+                break;
+            }
+            case 'error': {
+                totals.audit_error += 1;
+                break;
+            }
+            case 'unloadable': {
+                totals.unloadable += 1;
+                break;
+            }
+        }
+    }
+    if (report.flags.with_review) {
+        totals.reviewed = report.plugins.filter((p) => p.review.status !== 'skipped').length;
+    }
+    return totals;
+}
+/**
+ * Build the run directory name: `<YYYY-MM-DD>-<vat-short-sha>`.
+ * Date is the UTC date of `generated_at`.
+ */
+export function runDirectoryName(report) {
+    const datePart = report.generated_at.slice(0, 10); // 'YYYY-MM-DD'
+    return `${datePart}-${report.vat_commit}`;
+}
+/**
+ * Write `summary.yaml` (and create the run directory) under `outDir`.
+ * Returns the absolute path of the created run directory. Per-plugin
+ * sibling files (audit outputs, review outputs) are written by the
+ * runner — this function only writes the summary index.
+ */
+export async function writeRunReport(report, outDir) {
+    const runDir = safePath.join(outDir, runDirectoryName(report));
+    // eslint-disable-next-line local/no-fs-mkdirSync, security/detect-non-literal-fs-filename -- the corpus output dir is caller-supplied; mkdir-recursive is the right call here
+    mkdirSync(runDir, { recursive: true });
+    const totals = computeTotals(report);
+    const dump = {
+        schema_version: report.schema_version,
+        generated_at: report.generated_at,
+        vat_version: report.vat_version,
+        vat_commit: report.vat_commit,
+        seed_file: report.seed_file,
+        flags: report.flags,
+        plugins: report.plugins,
+        totals,
+    };
+    const summaryPath = safePath.join(runDir, 'summary.yaml');
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- summaryPath composed under our run dir
+    writeFileSync(summaryPath, yaml.dump(dump, { lineWidth: -1 }), 'utf-8');
+    return runDir;
+}
+//# sourceMappingURL=report.js.map

package/dist/commands/corpus/report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.js","sourceRoot":"","sources":["../../../src/commands/corpus/report.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAEnD,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AACrD,OAAO,KAAK,IAAI,MAAM,SAAS,CAAC;AAuDhC;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAAiB;IAC7C,MAAM,MAAM,GAAc;QACxB,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;QAC9B,WAAW,EAAE,CAAC;QACd,aAAa,EAAE,CAAC;QAChB,WAAW,EAAE,CAAC;QACd,UAAU,EAAE,CAAC;KACd,CAAC;IAEF,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACjC,QAAQ,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACzB,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,CAAC,WAAW,IAAI,CAAC,CAAC;gBACxB,MAAM;YACR,CAAC;YACD,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,CAAC,aAAa,IAAI,CAAC,CAAC;gBAC1B,MAAM;YACR,CAAC;YACD,KAAK,OAAO,CAAC,CAAC,CAAC;gBACb,MAAM,CAAC,WAAW,IAAI,CAAC,CAAC;gBACxB,MAAM;YACR,CAAC;YACD,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC;gBACvB,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;QAC7B,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;IACvF,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAiB;IAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe;IAClE,OAAO,GAAG,QAAQ,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;AAC5C,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAiB,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/D,8KAA8K;IAC9K,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEvC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG;QACX,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,MAAM;KACP,CAAC;IAEF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAC1D,6GAA6G;IAC7G,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;IAExE,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/commands/corpus/runner.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Per-plugin orchestrator for `vat corpus scan`.
+ *
+ * Phase 1 scope: resolve source (local or URL), optionally overlay a
+ * synthetic `vibe-agent-toolkit.config.yaml` from the entry's `validation:`
+ * block, run `vat audit` in-process, optionally invoke `vat skill review`,
+ * write per-plugin sibling files into the run directory, and return a
+ * PluginRow. Per-plugin failures never abort the loop.
+ *
+ * URL handling clones via Layer 1's `withClonedRepo` helper. Validation
+ * overlay (Task 5) is added on top of this base.
+ */
+import type { PluginRow } from './report.js';
+import type { PluginEntry } from './seed.js';
+export interface RunnerOptions {
+    runDir: string;
+    withReview: boolean;
+    debug: boolean;
+}
+/**
+ * Run audit + optional review against one plugin entry.
+ */
+export declare function auditOnePlugin(entry: PluginEntry, opts: RunnerOptions): Promise<PluginRow>;
+//# sourceMappingURL=runner.d.ts.map

package/dist/commands/corpus/runner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../../src/commands/corpus/runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAgBH,OAAO,KAAK,EAA2C,SAAS,EAAiB,MAAM,aAAa,CAAC;AACrG,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAqB7C,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,EAAE,OAAO,CAAC;CAChB;AA0BD;;GAEG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,WAAW,EAClB,IAAI,EAAE,aAAa,GAClB,OAAO,CAAC,SAAS,CAAC,CAKpB"}

package/dist/commands/corpus/runner.js

@@ -0,0 +1,246 @@
+/**
+ * Per-plugin orchestrator for `vat corpus scan`.
+ *
+ * Phase 1 scope: resolve source (local or URL), optionally overlay a
+ * synthetic `vibe-agent-toolkit.config.yaml` from the entry's `validation:`
+ * block, run `vat audit` in-process, optionally invoke `vat skill review`,
+ * write per-plugin sibling files into the run directory, and return a
+ * PluginRow. Per-plugin failures never abort the loop.
+ *
+ * URL handling clones via Layer 1's `withClonedRepo` helper. Validation
+ * overlay (Task 5) is added on top of this base.
+ */
+import { spawnSync } from 'node:child_process';
+import { existsSync, writeFileSync } from 'node:fs';
+import { dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { scan } from '@vibe-agent-toolkit/discovery';
+import { safePath } from '@vibe-agent-toolkit/utils';
+import * as yaml from 'js-yaml';
+import { isGitUrl, parseGitUrl } from '../../utils/git-url.js';
+import { createLogger } from '../../utils/logger.js';
+import { withClonedRepo } from '../audit/git-url-clone.js';
+import { getValidationResults } from '../audit.js';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+/**
+ * Resolve the path to the built vat CLI entry. Works whether the runner is
+ * invoked from compiled dist (production) or from source under vitest. In
+ * either case we always invoke the *compiled* `dist/bin.js` — `node` cannot
+ * execute `.ts` directly, so the source-tree fallback walks across to
+ * `packages/cli/dist/bin.js`. A build is therefore required before tests that
+ * exercise the review path can pass.
+ */
+function resolveVatBinPath() {
+    // Compiled tree: packages/cli/dist/commands/corpus/runner.js → packages/cli/dist/bin.js
+    const compiled = safePath.resolve(__dirname, '../../bin.js');
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- internal path
+    if (existsSync(compiled))
+        return compiled;
+    // Source tree (vitest): packages/cli/src/commands/corpus/runner.ts → packages/cli/dist/bin.js
+    return safePath.resolve(__dirname, '../../../dist/bin.js');
+}
+const SKIPPED_REVIEW = { status: 'skipped', duration_ms: 0 };
+function statusFromCounts(errors, warnings) {
+    if (errors > 0)
+        return 'error';
+    if (warnings > 0)
+        return 'warning';
+    return 'success';
+}
+function summarizeResults(results) {
+    let errors = 0;
+    let warnings = 0;
+    let info = 0;
+    for (const r of results) {
+        for (const issue of r.issues ?? []) {
+            if (issue.severity === 'error')
+                errors += 1;
+            else if (issue.severity === 'warning')
+                warnings += 1;
+            else if (issue.severity === 'info')
+                info += 1;
+        }
+    }
+    return { errors, warnings, info, files_scanned: results.length };
+}
+/**
+ * Run audit + optional review against one plugin entry.
+ */
+export async function auditOnePlugin(entry, opts) {
+    if (isGitUrl(entry.source)) {
+        return runUrlEntry(entry, opts);
+    }
+    return runLocalEntry(entry, opts);
+}
+async function runLocalEntry(entry, opts) {
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- caller-supplied seed entry
+    if (!existsSync(entry.source)) {
+        return unloadableRow(entry, `Source path not found: ${entry.source}`, 0);
+    }
+    return auditAndRecord(entry, entry.source, opts);
+}
+async function runUrlEntry(entry, opts) {
+    try {
+        return await withClonedRepo(parseGitUrl(entry.source), { keepTempForDebug: opts.debug }, async ({ targetDir }) => auditAndRecord(entry, targetDir, opts));
+    }
+    catch (err) {
+        return unloadableRow(entry, err instanceof Error ? err.message : String(err), 0);
+    }
+}
+async function auditAndRecord(entry, scanPath, opts) {
+    const logger = createLogger(opts.debug ? { debug: true } : {});
+    const start = Date.now();
+    const validationApplied = applyValidationOverlay(entry, scanPath);
+    let audit;
+    try {
+        const results = await getValidationResults(scanPath, true, {}, logger);
+        const summary = summarizeResults(results);
+        const status = statusFromCounts(summary.errors, summary.warnings);
+        const auditYamlPath = safePath.join(opts.runDir, `${entry.name}-audit.yaml`);
+        // eslint-disable-next-line security/detect-non-literal-fs-filename -- composed under run dir
+        writeFileSync(auditYamlPath, yaml.dump({ results }, { lineWidth: -1 }), 'utf-8');
+        audit = {
+            status,
+            duration_ms: Date.now() - start,
+            summary,
+            findings_emitted: summary.errors + summary.warnings + summary.info,
+            output_path: `${entry.name}-audit.yaml`,
+        };
+    }
+    catch (err) {
+        audit = {
+            status: 'unloadable',
+            duration_ms: Date.now() - start,
+            error: err instanceof Error ? err.message : String(err),
+        };
+    }
+    // Skip review when audit was unloadable — nothing meaningful to review.
+    const review = opts.withReview && audit.status !== 'unloadable'
+        ? await runSkillReview(entry, scanPath, opts.runDir)
+        : SKIPPED_REVIEW;
+    return {
+        source: entry.source,
+        name: entry.name,
+        validation_applied: validationApplied,
+        audit,
+        review,
+    };
+}
+/**
+ * Spawn `vat skill review <skillDir>` for one skill and return a markdown
+ * section describing the result. Subprocess failure is captured as an
+ * error section rather than thrown — one bad skill must not abort siblings.
+ */
+function reviewOneSkill(bin, skillDir, relativePath) {
+    // eslint-disable-next-line sonarjs/no-os-command-from-path -- node is required for invoking vat
+    const result = spawnSync('node', [bin, 'skill', 'review', skillDir], {
+        encoding: 'utf-8',
+        stdio: ['ignore', 'pipe', 'pipe'],
+    });
+    // `vat skill review` exit semantics:
+    //   0 — review clean
+    //   1 — review completed but found warnings/errors (still a successful review for corpus purposes)
+    //   2 (or other non-zero / null) — system error, the review did not run to completion
+    const SKILL_REVIEW_FINDINGS_EXIT = 1;
+    const reviewRan = result.status === 0 || result.status === SKILL_REVIEW_FINDINGS_EXIT;
+    if (!reviewRan) {
+        const stderr = (result.stderr ?? '').trim();
+        const message = stderr || `vat skill review exited with code ${result.status ?? 'unknown'}`;
+        const stdout = (result.stdout ?? '').trim();
+        const stdoutBlock = stdout ? `\n\n${stdout}` : '';
+        const body = `**[review failed]**\n\n${message}${stdoutBlock}`;
+        return { relativePath, ok: false, body };
+    }
+    const body = ((result.stdout ?? '') + (result.stderr ?? '')).trim();
+    return { relativePath, ok: true, body };
+}
+function renderAggregatedReview(entry, sections, okCount) {
+    const header = `# Skill review: ${entry.name}\n\nReviewed ${okCount} of ${sections.length} skills (${sections.length - okCount} errors).\n`;
+    const rendered = sections
+        .map((s) => `\n---\n\n## ${s.relativePath}\n\n${s.body}\n`)
+        .join('');
+    return `${header}${rendered}`;
+}
+/**
+ * Discover every SKILL.md under `scanPath` (recursive, gitignore-aware) and
+ * invoke `vat skill review` once per skill directory. Concatenate the
+ * outputs into `<name>-review.md` with a section per skill keyed by the
+ * skill's path relative to the plugin root.
+ *
+ * Per-skill subprocess failures become error sections; the aggregate is
+ * still written so users can see which skills passed and which failed.
+ * Returns `status: 'error'` only when no skills were discovered or every
+ * subprocess failed.
+ */
+async function runSkillReview(entry, scanPath, runDir) {
+    const start = Date.now();
+    const bin = resolveVatBinPath();
+    const reviewPath = safePath.join(runDir, `${entry.name}-review.md`);
+    const summary = await scan({ path: scanPath, recursive: true });
+    const skills = summary.results.filter((r) => r.format === 'agent-skill' && !r.isGitIgnored);
+    if (skills.length === 0) {
+        return {
+            status: 'error',
+            duration_ms: Date.now() - start,
+            error: `No SKILL.md files found under ${scanPath}`,
+        };
+    }
+    const sections = [];
+    for (const skill of skills) {
+        const skillDir = dirname(skill.path);
+        sections.push(reviewOneSkill(bin, skillDir, skill.relativePath));
+    }
+    const okCount = sections.filter((s) => s.ok).length;
+    const aggregated = renderAggregatedReview(entry, sections, okCount);
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- composed under run dir
+    writeFileSync(reviewPath, aggregated, 'utf-8');
+    if (okCount === 0) {
+        const errors = sections
+            .map((s) => `${s.relativePath}: ${s.body.replaceAll('\n', ' ').slice(0, 200)}`)
+            .join('; ');
+        return {
+            status: 'error',
+            duration_ms: Date.now() - start,
+            error: `All ${sections.length} skill reviews failed. ${errors}`,
+            output_path: `${entry.name}-review.md`,
+        };
+    }
+    return {
+        status: 'ok',
+        duration_ms: Date.now() - start,
+        output_path: `${entry.name}-review.md`,
+    };
+}
+/**
+ * Write a synthetic `vibe-agent-toolkit.config.yaml` at the audit target,
+ * placing the entry's `validation:` block under `skills.defaults.validation`.
+ * Returns true iff the overlay was written.
+ *
+ * Phase 1: clobbers any pre-existing config in the cloned tree. Merging
+ * with author-shipped configs is a follow-up.
+ */
+function applyValidationOverlay(entry, scanPath) {
+    if (!entry.validation)
+        return false;
+    const overlayPath = safePath.join(scanPath, 'vibe-agent-toolkit.config.yaml');
+    const overlay = {
+        skills: {
+            defaults: {
+                validation: entry.validation,
+            },
+        },
+    };
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- composed under audit target
+    writeFileSync(overlayPath, yaml.dump(overlay, { lineWidth: -1 }), 'utf-8');
+    return true;
+}
+function unloadableRow(entry, error, durationMs) {
+    return {
+        source: entry.source,
+        name: entry.name,
+        validation_applied: false,
+        audit: { status: 'unloadable', duration_ms: durationMs, error },
+        review: SKIPPED_REVIEW,
+    };
+}
+//# sourceMappingURL=runner.js.map

package/dist/commands/corpus/runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runner.js","sourceRoot":"","sources":["../../../src/commands/corpus/runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,IAAI,EAAE,MAAM,+BAA+B,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AACrD,OAAO,KAAK,IAAI,MAAM,SAAS,CAAC;AAEhC,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAKnD,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAE1D;;;;;;;GAOG;AACH,SAAS,iBAAiB;IACxB,wFAAwF;IACxF,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IAC7D,oFAAoF;IACpF,IAAI,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC1C,8FAA8F;IAC9F,OAAO,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,sBAAsB,CAAC,CAAC;AAC7D,CAAC;AAQD,MAAM,cAAc,GAAkB,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC;AAE5E,SAAS,gBAAgB,CAAC,MAAc,EAAE,QAAgB;IACxD,IAAI,MAAM,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IAC/B,IAAI,QAAQ,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IACnC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,gBAAgB,CACvB,OAA8D;IAE9D,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,KAAK,MAAM,KAAK,IAAI,CAAC,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,QAAQ,KAAK,OAAO;gBAAE,MAAM,IAAI,CAAC,CAAC;iBACvC,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS;gBAAE,QAAQ,IAAI,CAAC,CAAC;iBAChD,IAAI,KAAK,CAAC,QAAQ,KAAK,MAAM;gBAAE,IAAI,IAAI,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;AACnE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAkB,EAClB,IAAmB;IAEnB,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,OAAO,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;AACpC,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,KAAkB,EAAE,IAAmB;IAClE,iGAAiG;IACjG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,OAAO,aAAa,CAAC,KAAK,EAAE,0BAA0B,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,KAAkB,EAAE,IAAmB;IAChE,IAAI,CAAC;QACH,OAAO,MAAM,cAAc,CACzB,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,EACzB,EAAE,gBAAgB,EAAE,IAAI,CAAC,KAAK,EAAE,EAChC,KAAK,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,cAAc,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAChE,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,aAAa,CAAC,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IACnF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,KAAkB,EAClB,QAAgB,EAChB,IAAmB;IAEnB,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC/D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzB,MAAM,iBAAiB,GAAG,sBAAsB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAElE,IAAI,KAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QACvE,MAAM,OAAO,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAClE,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,KAAK,CAAC,IAAI,aAAa,CAAC,CAAC;QAC7E,6FAA6F;QAC7F,aAAa,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;QAEjF,KAAK,GAAG;YACN,MAAM;YACN,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;YAC/B,OAAO;YACP,gBAAgB,EAAE,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,OAAO,CAAC,IAAI;YAClE,WAAW,EAAE,GAAG,KAAK,CAAC,IAAI,aAAa;SACxC,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,KAAK,GAAG;YACN,MAAM,EAAE,YAAY;YACpB,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;YAC/B,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,MAAM,MAAM,GACV,IAAI,CAAC,UAAU,IAAI,KAAK,CAAC,MAAM,KAAK,YAAY;QAC9C,CAAC,CAAC,MAAM,cAAc,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC;QACpD,CAAC,CAAC,cAAc,CAAC;IAErB,OAAO;QACL,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,kBAAkB,EAAE,iBAAiB;QACrC,KAAK;QACL,MAAM;KACP,CAAC;AACJ,CAAC;AAQD;;;;GAIG;AACH,SAAS,cAAc,CAAC,GAAW,EAAE,QAAgB,EAAE,YAAoB;IACzE,gGAAgG;IAChG,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,EAAE;QACnE,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;KAClC,CAAC,CAAC;IAEH,qCAAqC;IACrC,qBAAqB;IACrB,mGAAmG;IACnG,sFAAsF;IACtF,MAAM,0BAA0B,GAAG,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,0BAA0B,CAAC;IAEtF,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5C,MAAM,OAAO,GAAG,MAAM,IAAI,qCAAqC,MAAM,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;QAC5F,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5C,MAAM,WAAW,GAAG,MAAM,CAAC,CAAC,CAAC,OAAO,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,GAAG,0BAA0B,OAAO,GAAG,WAAW,EAAE,CAAC;QAC/D,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAC3C,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACpE,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,sBAAsB,CAC7B,KAAkB,EAClB,QAA8B,EAC9B,OAAe;IAEf,MAAM,MAAM,GAAG,mBAAmB,KAAK,CAAC,IAAI,gBAAgB,OAAO,OAAO,QAAQ,CAAC,MAAM,YAAY,QAAQ,CAAC,MAAM,GAAG,OAAO,aAAa,CAAC;IAC5I,MAAM,QAAQ,GAAG,QAAQ;SACtB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,YAAY,OAAO,CAAC,CAAC,IAAI,IAAI,CAAC;SAC1D,IAAI,CAAC,EAAE,CAAC,CAAC;IACZ,OAAO,GAAG,MAAM,GAAG,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,cAAc,CAC3B,KAAkB,EAClB,QAAgB,EAChB,MAAc;IAEd,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,KAAK,CAAC,IAAI,YAAY,CAAC,CAAC;IAEpE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAChE,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,aAAa,IAAI,CAAC,CAAC,CAAC,YAAY,CACrD,CAAC;IAEF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO;YACL,MAAM,EAAE,OAAO;YACf,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;YAC/B,KAAK,EAAE,iCAAiC,QAAQ,EAAE;SACnD,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAyB,EAAE,CAAC;IAC1C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACrC,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC;IACpD,MAAM,UAAU,GAAG,sBAAsB,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IACpE,6FAA6F;IAC7F,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IAE/C,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,QAAQ;aACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;aAC9E,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,OAAO;YACL,MAAM,EAAE,OAAO;YACf,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;YAC/B,KAAK,EAAE,OAAO,QAAQ,CAAC,MAAM,0BAA0B,MAAM,EAAE;YAC/D,WAAW,EAAE,GAAG,KAAK,CAAC,IAAI,YAAY;SACvC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,IAAI;QACZ,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;QAC/B,WAAW,EAAE,GAAG,KAAK,CAAC,IAAI,YAAY;KACvC,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,sBAAsB,CAAC,KAAkB,EAAE,QAAgB;IAClE,IAAI,CAAC,KAAK,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAEpC,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,gCAAgC,CAAC,CAAC;IAC9E,MAAM,OAAO,GAAG;QACd,MAAM,EAAE;YACN,QAAQ,EAAE;gBACR,UAAU,EAAE,KAAK,CAAC,UAAU;aAC7B;SACF;KACF,CAAC;IACF,kGAAkG;IAClG,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;IAC3E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CAAC,KAAkB,EAAE,KAAa,EAAE,UAAkB;IAC1E,OAAO;QACL,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,kBAAkB,EAAE,KAAK;QACzB,KAAK,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,KAAK,EAAE;QAC/D,MAAM,EAAE,cAAc;KACvB,CAAC;AACJ,CAAC"}

package/dist/commands/corpus/scan.d.ts

@@ -0,0 +1,15 @@
+/**
+ * `vat corpus scan [seed-file] --out <dir>` — Phase 1 orchestrator.
+ *
+ * Reads the seed, delegates each entry to the runner sequentially,
+ * writes summary.yaml and per-plugin sibling files into a date-sha
+ * subdirectory of `--out`. Sequential by design — concurrency is a
+ * follow-up once the seed grows past ~50.
+ */
+export interface CorpusScanOptions {
+    out?: string;
+    withReview?: boolean;
+    debug?: boolean;
+}
+export declare function corpusScanCommand(seedFileArg: string | undefined, options: CorpusScanOptions): Promise<void>;
+//# sourceMappingURL=scan.d.ts.map

package/dist/commands/corpus/scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../../../src/commands/corpus/scan.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAeH,MAAM,WAAW,iBAAiB;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAwBD,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,IAAI,CAAC,CA2Df"}

package/dist/commands/corpus/scan.js

@@ -0,0 +1,90 @@
+/**
+ * `vat corpus scan [seed-file] --out <dir>` — Phase 1 orchestrator.
+ *
+ * Reads the seed, delegates each entry to the runner sequentially,
+ * writes summary.yaml and per-plugin sibling files into a date-sha
+ * subdirectory of `--out`. Sequential by design — concurrency is a
+ * follow-up once the seed grows past ~50.
+ */
+import { mkdirSync, readFileSync } from 'node:fs';
+import { dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { safeExecSync, safePath } from '@vibe-agent-toolkit/utils';
+import { handleCommandError } from '../../utils/command-error.js';
+import { createLogger } from '../../utils/logger.js';
+import { writeRunReport } from './report.js';
+import { auditOnePlugin } from './runner.js';
+import { loadSeedFile } from './seed.js';
+const DEFAULT_SEED_PATH = 'corpus/seed.yaml';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+function readVatVersion() {
+    // packages/cli/dist/commands/corpus/scan.js → packages/cli/package.json
+    // packages/cli/src/commands/corpus/scan.ts → packages/cli/package.json
+    const pkgPath = safePath.resolve(__dirname, '../../../package.json');
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- internal package.json path
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return pkg.version ?? 'unknown';
+}
+function readVatCommit() {
+    try {
+        const out = safeExecSync('git', ['rev-parse', '--short=8', 'HEAD'], { encoding: 'utf-8' });
+        return (typeof out === 'string' ? out : out.toString('utf-8')).trim();
+    }
+    catch {
+        return 'unknown';
+    }
+}
+export async function corpusScanCommand(seedFileArg, options) {
+    const logger = createLogger(options.debug ? { debug: true } : {});
+    const startTime = Date.now();
+    try {
+        if (!options.out) {
+            throw new Error('specify an output directory: --out <path>');
+        }
+        const seedPath = seedFileArg ?? DEFAULT_SEED_PATH;
+        const seed = loadSeedFile(seedPath);
+        // eslint-disable-next-line local/no-fs-mkdirSync, security/detect-non-literal-fs-filename -- caller-supplied output dir; recursive create is correct here
+        mkdirSync(options.out, { recursive: true });
+        // We need the run directory to write per-plugin files into during the
+        // loop. Build the report skeleton, derive the run dir name, create it,
+        // then run the loop.
+        const generatedAt = new Date().toISOString().replace(/\.\d+Z$/, 'Z');
+        const vatVersion = readVatVersion();
+        const vatCommit = readVatCommit();
+        const runDirName = `${generatedAt.slice(0, 10)}-${vatCommit}`;
+        const runDir = safePath.join(options.out, runDirName);
+        // eslint-disable-next-line local/no-fs-mkdirSync, security/detect-non-literal-fs-filename -- composed under user-supplied --out
+        mkdirSync(runDir, { recursive: true });
+        const rows = [];
+        for (const entry of seed.plugins) {
+            logger.info(`[${entry.name}] auditing ${entry.source}`);
+            const row = await auditOnePlugin(entry, {
+                runDir,
+                withReview: options.withReview === true,
+                debug: options.debug === true,
+            });
+            rows.push(row);
+            logger.info(`[${entry.name}] audit=${row.audit.status} review=${row.review.status}`);
+        }
+        const report = {
+            schema_version: 1,
+            generated_at: generatedAt,
+            vat_version: vatVersion,
+            vat_commit: vatCommit,
+            seed_file: seedPath,
+            flags: {
+                with_review: options.withReview === true,
+                debug: options.debug === true,
+            },
+            plugins: rows,
+        };
+        await writeRunReport(report, options.out);
+        logger.info(`Wrote run report to ${runDir}/summary.yaml`);
+        logger.info(`  ${rows.length} plugins; durations recorded in summary.yaml`);
+        logger.debug(`Total scan duration: ${Date.now() - startTime}ms`);
+    }
+    catch (err) {
+        handleCommandError(err, logger, startTime, 'CorpusScan');
+    }
+}
+//# sourceMappingURL=scan.js.map

package/dist/commands/corpus/scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../../src/commands/corpus/scan.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAClD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAEnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAE,cAAc,EAAkC,MAAM,aAAa,CAAC;AAC7E,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAQzC,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAE1D,SAAS,cAAc;IACrB,wEAAwE;IACxE,uEAAuE;IACvE,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,uBAAuB,CAAC,CAAC;IACrE,iGAAiG;IACjG,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAyB,CAAC;IAC/E,OAAO,GAAG,CAAC,OAAO,IAAI,SAAS,CAAC;AAClC,CAAC;AAED,SAAS,aAAa;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QAC3F,OAAO,CAAC,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,WAA+B,EAC/B,OAA0B;IAE1B,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAClE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,CAAC;QACH,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QAED,MAAM,QAAQ,GAAG,WAAW,IAAI,iBAAiB,CAAC;QAClD,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;QAEpC,0JAA0J;QAC1J,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE5C,sEAAsE;QACtE,uEAAuE;QACvE,qBAAqB;QACrB,MAAM,WAAW,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACrE,MAAM,UAAU,GAAG,cAAc,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;QAClC,MAAM,UAAU,GAAG,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,SAAS,EAAE,CAAC;QAC9D,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QACtD,gIAAgI;QAChI,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEvC,MAAM,IAAI,GAAgB,EAAE,CAAC;QAC7B,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjC,MAAM,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,cAAc,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;YACxD,MAAM,GAAG,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE;gBACtC,MAAM;gBACN,UAAU,EAAE,OAAO,CAAC,UAAU,KAAK,IAAI;gBACvC,KAAK,EAAE,OAAO,CAAC,KAAK,KAAK,IAAI;aAC9B,CAAC,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,WAAW,GAAG,CAAC,KAAK,CAAC,MAAM,WAAW,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QACvF,CAAC;QAED,MAAM,MAAM,GAAc;YACxB,cAAc,EAAE,CAAC;YACjB,YAAY,EAAE,WAAW;YACzB,WAAW,EAAE,UAAU;YACvB,UAAU,EAAE,SAAS;YACrB,SAAS,EAAE,QAAQ;YACnB,KAAK,EAAE;gBACL,WAAW,EAAE,OAAO,CAAC,UAAU,KAAK,IAAI;gBACxC,KAAK,EAAE,OAAO,CAAC,KAAK,KAAK,IAAI;aAC9B;YACD,OAAO,EAAE,IAAI;SACd,CAAC;QAEF,MAAM,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QAE1C,MAAM,CAAC,IAAI,CAAC,uBAAuB,MAAM,eAAe,CAAC,CAAC;QAC1D,MAAM,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,8CAA8C,CAAC,CAAC;QAC5E,MAAM,CAAC,KAAK,CAAC,wBAAwB,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,IAAI,CAAC,CAAC;IACnE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC"}