npm - @vibecheck-ai/mcp - Versions diffs - 24.4.3 → 24.5.6 - Mend

@vibecheck-ai/mcp 24.4.3 → 24.5.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -219676,7 +219676,7 @@ var require_wrappers = __commonJS({
     exports2.prepare = function prepare(sql) {
       return this[cppdb].prepare(sql, this, false);
     };
-    exports2.exec = function exec(sql) {
+    exports2.exec = function exec2(sql) {
       this[cppdb].exec(sql);
       return this;
     };
@@ -219823,9 +219823,9 @@ var require_backup = __commonJS({
     "use strict";
     var fs7 = __require("fs");
     var path10 = __require("path");
-    var { promisify } = __require("util");
+    var { promisify: promisify2 } = __require("util");
     var { cppdb } = require_util2();
-    var fsAccess = promisify(fs7.access);
+    var fsAccess = promisify2(fs7.access);
     module2.exports = async function backup(filename, options) {
       if (options == null) options = {};
       if (typeof filename !== "string") throw new TypeError("Expected first argument to be a string");
@@ -275179,10 +275179,10 @@ var init_browser = __esm({
       return response;
     };
     post = async (fetch3, host, data, options) => {
-      const isRecord = (input) => {
+      const isRecord2 = (input) => {
         return input !== null && typeof input === "object" && !Array.isArray(input);
       };
-      const formattedData = isRecord(data) ? JSON.stringify(data) : data;
+      const formattedData = isRecord2(data) ? JSON.stringify(data) : data;
       const response = await fetchWithHeaders(fetch3, host, {
         method: "POST",
         body: formattedData,
@@ -278734,6 +278734,8 @@ import { pathToFileURL } from "url";
 // src/server.ts
 import * as path9 from "path";
 import * as fs6 from "fs";
+import { exec } from "child_process";
+import { promisify } from "util";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import {
@@ -278747,6 +278749,7 @@ import {
 } from "@vibecheck/engines";
 import { formatRoastHtml } from "@vibecheck/roast";
 import {
+  gateCanonicalScanReportFindings,
   normalizeCanonicalScanReport
 } from "@repo/shared-types";
@@ -291808,7 +291811,7 @@ var ContextEngine = class {
 // src/server.ts
 init_dist();
-// ../subscriptions/dist/chunk-PGIBAA63.js
+// ../subscriptions/dist/chunk-EQ52N5FM.js
 var PLAN_IDS = ["free", "pro", "team", "enterprise"];
 var PLAN_RANK = Object.fromEntries(
   PLAN_IDS.map((id, index2) => [id, index2])
@@ -291840,9 +291843,6 @@ function normalizePlanId(raw) {
   if (isCanonicalPlanId(lower)) return lower;
   return PLAN_NORMALIZATION_ALIASES[lower] ?? "free";
 }
-function isPlanId(value) {
-  return isCanonicalPlanId(value);
-}
 function validateNormalizationAliases() {
   const errors = [];
   for (const [alias, canonical] of Object.entries(PLAN_NORMALIZATION_ALIASES)) {
@@ -292063,7 +292063,7 @@ if (typeof process !== "undefined") {
 }
 var PLAN_QUOTAS = {
   free: {
-    findingDetailLimit: 5,
+    findingDetailLimit: 0,
     canAutoFix: false,
     canHealPR: false,
     canModelFingerprint: false,
@@ -292188,10 +292188,213 @@ function formatDailyScanLimitMessage(usage) {
 }
 // ../subscriptions/dist/index.js
+var ENTITLEMENTS = {
+  // ── FREE ────────────────────────────────────────────────────────────────
+  /** Basic scanning (single file, summary only for free) */
+  SCAN: "v2.scan",
+  /** Workspace-level scanning (doctor, roast, score, codegraph, wikicode, atlas) */
+  SCAN_WORKSPACE: "v2.scan_workspace",
+  // ── PRO ─────────────────────────────────────────────────────────────────
+  /** GitHub Action CI guard, PR comments, status checks */
+  GITHUB_ACTION: "v2.github_action",
+  /** Reality Mode, Proof View, Certification, Provenance, Drift */
+  FULL_EVIDENCE: "v2.full_evidence",
+  /** Export findings to SARIF format */
+  SARIF_EXPORT: "v2.sarif_export",
+  /** API keys, programmatic access */
+  API_ACCESS: "v2.api_access",
+  /** Deep Scan (16+ engines), performance analysis, accessibility */
+  PRIORITY_ENGINES: "v2.priority_engines",
+  /** PDF reports, executive summaries, shareable links */
+  ADVANCED_REPORT: "v2.advanced_report",
+  /** AI-powered code repair, apply fixes, rollback */
+  AUTOFIX: "v2.autofix",
+  /** Ship Quality Gate, PR merge protection, CI blocking */
+  CI_BLOCK: "v2.ci_block",
+  /** Full AI context generation, rules, agents, skills, hooks */
+  CONTEXT_ENGINE: "v2.context_engine",
+  /** MCP Playground, AI generation, slash commands */
+  SANDBOX: "v2.sandbox",
+  /** Email support, faster response */
+  SUPPORT: "v2.support",
+  // ── TEAM ────────────────────────────────────────────────────────────────
+  /** Team dashboard, shared policies, cross-repo scanning, audit logs */
+  TEAM_COLLABORATION: "v2.team_collaboration",
+  // ── ENTERPRISE ──────────────────────────────────────────────────────────
+  /** SOC2, HIPAA, PCI-DSS, GDPR, SSO/SAML, dedicated SLA */
+  ENTERPRISE_COMPLIANCE: "v2.enterprise_compliance"
+};
+var FREE_SET = /* @__PURE__ */ new Set([
+  ENTITLEMENTS.SCAN,
+  ENTITLEMENTS.SCAN_WORKSPACE
+]);
+var PRO_SET = /* @__PURE__ */ new Set([
+  ...FREE_SET,
+  ENTITLEMENTS.GITHUB_ACTION,
+  ENTITLEMENTS.FULL_EVIDENCE,
+  ENTITLEMENTS.SARIF_EXPORT,
+  ENTITLEMENTS.API_ACCESS,
+  ENTITLEMENTS.PRIORITY_ENGINES,
+  ENTITLEMENTS.ADVANCED_REPORT,
+  ENTITLEMENTS.AUTOFIX,
+  ENTITLEMENTS.CI_BLOCK,
+  ENTITLEMENTS.CONTEXT_ENGINE,
+  ENTITLEMENTS.SANDBOX,
+  ENTITLEMENTS.SUPPORT
+]);
+var TEAM_SET = /* @__PURE__ */ new Set([
+  ...PRO_SET,
+  ENTITLEMENTS.TEAM_COLLABORATION
+]);
+var ENTERPRISE_SET = /* @__PURE__ */ new Set([
+  ...TEAM_SET,
+  ENTITLEMENTS.ENTERPRISE_COMPLIANCE
+]);
+var PLAN_ENTITLEMENTS = {
+  free: FREE_SET,
+  pro: PRO_SET,
+  team: TEAM_SET,
+  enterprise: ENTERPRISE_SET
+};
 function normalizePlanForEntitlement(plan) {
   return typeof plan === "string" ? normalizePlanId(plan) : "free";
 }
-var ENTITLEMENTS = {
+function hasEntitlement(plan, entitlement) {
+  const safePlan = normalizePlanForEntitlement(plan);
+  return PLAN_ENTITLEMENTS[safePlan]?.has(entitlement) ?? false;
+}
+function getRequiredPlan(entitlement) {
+  for (const id of PLAN_IDS) {
+    if (PLAN_ENTITLEMENTS[id]?.has(entitlement)) return id;
+  }
+  if (typeof process !== "undefined" && process.env?.NODE_ENV !== "production") {
+    console.warn(`[subscriptions] Unknown entitlement "${entitlement}" \u2014 defaulting to enterprise tier`);
+  }
+  return "enterprise";
+}
+function getEntitlementsForPlan(plan) {
+  const safePlan = normalizePlanForEntitlement(plan);
+  return PLAN_ENTITLEMENTS[safePlan] ?? FREE_SET;
+}
+function meetsPlanRequirement(userPlan, requiredPlan) {
+  const safeUserPlan = normalizePlanForEntitlement(userPlan);
+  return PLAN_RANK[safeUserPlan] >= PLAN_RANK[requiredPlan];
+}
+function validateEntitlementMatrix() {
+  const errors = [];
+  const validEntitlements = new Set(Object.values(ENTITLEMENTS));
+  const coveredEntitlements = /* @__PURE__ */ new Set();
+  for (const planId of PLAN_IDS) {
+    if (!PLAN_ENTITLEMENTS[planId]) {
+      errors.push(`Missing entitlement set for "${planId}"`);
+    }
+  }
+  for (const [planId, entitlements] of Object.entries(PLAN_ENTITLEMENTS)) {
+    for (const entitlement of entitlements) {
+      if (!validEntitlements.has(entitlement)) {
+        errors.push(`Plan "${planId}" contains unknown entitlement "${entitlement}"`);
+      }
+      coveredEntitlements.add(entitlement);
+    }
+  }
+  for (const entitlement of validEntitlements) {
+    if (!coveredEntitlements.has(entitlement)) {
+      errors.push(`Entitlement "${entitlement}" is not granted by any plan`);
+    }
+  }
+  for (let index2 = 1; index2 < PLAN_IDS.length; index2 += 1) {
+    const lowerPlan = PLAN_IDS[index2 - 1];
+    const higherPlan = PLAN_IDS[index2];
+    const lowerSet = PLAN_ENTITLEMENTS[lowerPlan];
+    const higherSet = PLAN_ENTITLEMENTS[higherPlan];
+    for (const entitlement of lowerSet) {
+      if (!higherSet.has(entitlement)) {
+        errors.push(`Plan "${higherPlan}" is missing inherited entitlement "${entitlement}" from "${lowerPlan}"`);
+      }
+    }
+  }
+  return errors;
+}
+function assertValidEntitlementMatrix() {
+  const errors = validateEntitlementMatrix();
+  if (errors.length > 0) {
+    throw new Error(`[subscriptions] Invalid entitlement matrix:
+- ${errors.join("\n- ")}`);
+  }
+}
+if (typeof process !== "undefined") {
+  if (process.env?.NODE_ENV === "test") {
+    assertValidEntitlementMatrix();
+  } else if (process.env?.NODE_ENV !== "production") {
+    const errors = validateEntitlementMatrix();
+    if (errors.length > 0) {
+      console.warn("[subscriptions] entitlement matrix validation failed:", errors);
+    }
+  }
+}
+var ENTITLEMENT_META = {
+  [ENTITLEMENTS.SCAN]: {
+    title: "Scan",
+    benefits: ["Single-file scanning", "Basic HTML report"]
+  },
+  [ENTITLEMENTS.SCAN_WORKSPACE]: {
+    title: "Workspace Scan",
+    benefits: ["Unlimited scans", "Doctor, Roast, Score", "Codegraph, WikiCode, Atlas"]
+  },
+  [ENTITLEMENTS.GITHUB_ACTION]: {
+    title: "GitHub Action",
+    benefits: ["CI guard action", "PR comments", "Status checks"]
+  },
+  [ENTITLEMENTS.FULL_EVIDENCE]: {
+    title: "Full Evidence",
+    benefits: ["Reality Mode", "Proof View", "Certification", "Provenance tracking", "Drift detection"]
+  },
+  [ENTITLEMENTS.SARIF_EXPORT]: {
+    title: "SARIF Export",
+    benefits: ["Export findings to SARIF format"]
+  },
+  [ENTITLEMENTS.API_ACCESS]: {
+    title: "API Access",
+    benefits: ["API keys", "Programmatic access"]
+  },
+  [ENTITLEMENTS.PRIORITY_ENGINES]: {
+    title: "Priority Engines",
+    benefits: ["Deep Scan (16 engines)", "Performance analysis", "Accessibility audit", "API connectivity check"]
+  },
+  [ENTITLEMENTS.ADVANCED_REPORT]: {
+    title: "Advanced Reports",
+    benefits: ["PDF reports", "Executive summaries", "Shareable links"]
+  },
+  [ENTITLEMENTS.AUTOFIX]: {
+    title: "Auto-Fix",
+    benefits: ["AI-powered code repair", "Apply fixes with one click", "Rollback support"]
+  },
+  [ENTITLEMENTS.CI_BLOCK]: {
+    title: "CI & PR Gates",
+    benefits: ["Ship Quality Gate (SHIP / NO_SHIP)", "PR merge protection & status checks", "Verify, trust, coverage & drift panels"]
+  },
+  [ENTITLEMENTS.CONTEXT_ENGINE]: {
+    title: "Context Engine",
+    benefits: ["Full AI context generation", "Rules, agents, skills, hooks"]
+  },
+  [ENTITLEMENTS.SANDBOX]: {
+    title: "Sandbox",
+    benefits: ["MCP Playground", "AI generation", "Slash commands"]
+  },
+  [ENTITLEMENTS.SUPPORT]: {
+    title: "Priority Support",
+    benefits: ["Email support", "Faster response"]
+  },
+  [ENTITLEMENTS.TEAM_COLLABORATION]: {
+    title: "Team Collaboration",
+    benefits: ["Team dashboard", "Shared policies", "Cross-repo scanning", "Audit logs"]
+  },
+  [ENTITLEMENTS.ENTERPRISE_COMPLIANCE]: {
+    title: "Enterprise Compliance",
+    benefits: ["SOC2", "HIPAA", "PCI-DSS", "GDPR", "SSO/SAML", "Dedicated SLA"]
+  }
+};
+var LEGACY_ENTITLEMENTS = {
   SCAN_UNLIMITED: "scan_unlimited",
   SCAN_BASIC: "scan_basic",
   SHIP_SCORE: "ship_score",
@@ -292284,7 +292487,6 @@ var ENTITLEMENTS = {
   COMMIT_SHIELD_COMPLIANCE: "commit_shield_compliance",
   ENTERPRISE_MULTI_REPO: "enterprise_multi_repo",
   ENTERPRISE_SIGNED_BUNDLES: "enterprise_signed_bundles",
-  // Sandbox & AI Engine
   SANDBOX_ACCESS: "sandbox_access",
   SANDBOX_GENERATIONS: "sandbox_generations",
   SANDBOX_PREMIUM_MODELS: "sandbox_premium_models",
@@ -292295,446 +292497,129 @@ var ENTITLEMENTS = {
   AI_CONFIDENCE_METER: "ai_confidence_meter",
   AI_HALLUCINATION_SHIELD: "ai_hallucination_shield",
   VERIFIED_BUILD_CERT: "verified_build_cert",
-  // ── Free-tier features (explicit entitlements per product spec) ──────────
   KICKOFF_CONNECT: "kickoff_connect",
   CODEGRAPH_VIEW: "codegraph_view",
   WIKICODE_VIEW: "wikicode_view",
   ROAST: "roast",
   VIBE_FLOW: "vibe_flow"
 };
-var FREE_SET = /* @__PURE__ */ new Set([
-  // ── Core free features (product spec: sign-in required for all) ──────────
-  // Free users get: unlimited scans (summary only), kickoff, doctor, roast, reports,
-  // truthpack, codegraph, wikicode, vibe flow. Everything else is PAID.
-  // For new features, prefer isPaidPlan() over adding new entitlement keys.
-  ENTITLEMENTS.SCAN_BASIC,
-  // unlimited scans, gated evidence (summary only for free)
-  ENTITLEMENTS.KICKOFF_CONNECT,
-  // vibecheckAI-Official kickoff / connect my project
-  ENTITLEMENTS.DOCTOR,
-  // health check / doctor
-  ENTITLEMENTS.ROAST,
-  // roast me
-  ENTITLEMENTS.REPORTS_HTML,
-  // reports (HTML)
-  ENTITLEMENTS.REPORTS_PDF,
-  // reports (PDF)
-  ENTITLEMENTS.TRUTHPACK_GENERATE,
-  // truth pack
-  ENTITLEMENTS.TRUTHPACK_VALIDATE,
-  // truth pack validation
-  ENTITLEMENTS.CODEGRAPH_VIEW,
-  // codegraph
-  ENTITLEMENTS.WIKICODE_VIEW,
-  // wikicode
-  ENTITLEMENTS.ATLAS,
-  // wikicode atlas (dashboard view of wikicode)
-  ENTITLEMENTS.VIBE_FLOW,
-  // vibe flow
-  ENTITLEMENTS.REVIEW_WORKFLOWS,
-  // vibe flow review workflows
-  ENTITLEMENTS.FLOW_WORKFLOWS,
-  // vibe flow flow workflows
-  ENTITLEMENTS.SHIP_SCORE,
-  // scan output (part of basic scan)
-  ENTITLEMENTS.ISL_STUDIO
-  // ISL Studio — free to browse/edit; generation uses credit packs
-]);
-var PRO_SET = /* @__PURE__ */ new Set([
-  ...FREE_SET,
-  // ── Moved from free to pro (product spec: everything else is paid) ────
-  ENTITLEMENTS.MISSIONS_VIEW,
-  ENTITLEMENTS.TEMPLATES_BROWSE,
-  ENTITLEMENTS.TEMPLATES_INSTALL,
-  ENTITLEMENTS.FIREWALL_OBSERVE,
-  // ISL_STUDIO moved to FREE_SET — credit-based generation, not tier-gated
-  // ── Pro features ──────────────────────────────────────────────────────
-  ENTITLEMENTS.AUTOFIX_LIMITED,
-  ENTITLEMENTS.PROOF_VIEW,
-  ENTITLEMENTS.SCAN_UNLIMITED,
-  ENTITLEMENTS.CHECKPOINT,
-  ENTITLEMENTS.FORGE_BASIC,
-  ENTITLEMENTS.PROMPT_TEMPLATES_BASIC,
-  ENTITLEMENTS.WATCH_MODE,
-  ENTITLEMENTS.TRACE_ANALYSIS,
-  ENTITLEMENTS.FILE_LOCKING,
-  ENTITLEMENTS.COMMIT_SHIELD_WARNINGS,
-  ENTITLEMENTS.GITHUB_ACTION_WARN,
-  ENTITLEMENTS.VIBE_PROMPT,
-  ENTITLEMENTS.AUTOFIX_UNLIMITED,
-  ENTITLEMENTS.AUTOFIX_APPLY,
-  ENTITLEMENTS.REALITY_MODE,
-  ENTITLEMENTS.COMMIT_SHIELD_FULL,
-  ENTITLEMENTS.COMMIT_SHIELD_AUDITOR,
-  ENTITLEMENTS.REPORTS_EXECUTIVE,
-  ENTITLEMENTS.CLOUD_SYNC,
-  ENTITLEMENTS.CERTIFY,
-  ENTITLEMENTS.BADGE_VERIFIED,
-  ENTITLEMENTS.PROOF_HISTORY,
-  ENTITLEMENTS.SHAREABLE_REPORTS,
-  ENTITLEMENTS.PRIORITY_SUPPORT,
-  // Sandbox (Pro tier)
-  ENTITLEMENTS.SANDBOX_ACCESS,
-  ENTITLEMENTS.SANDBOX_GENERATIONS,
-  ENTITLEMENTS.SANDBOX_SLASH_COMMANDS,
-  ENTITLEMENTS.AI_CONFIDENCE_METER,
-  ENTITLEMENTS.AI_HALLUCINATION_SHIELD,
-  // Former Team tier — included on Pro (single paid SKU; team rank kept for legacy subscribers).
-  // `PLAN_QUOTAS.pro.canCIBlock` is kept aligned so dashboard/API limits match this set.
-  ENTITLEMENTS.GITHUB_ACTION,
-  ENTITLEMENTS.CI_INTEGRATION,
-  ENTITLEMENTS.API_ACCESS,
-  ENTITLEMENTS.PR_COMMENTS,
-  ENTITLEMENTS.STATUS_CHECKS,
-  ENTITLEMENTS.BRANCH_PROTECTION,
-  ENTITLEMENTS.WEBHOOK_INTEGRATION,
-  ENTITLEMENTS.CI_GATE_BLOCK,
-  ENTITLEMENTS.CONTEXT_ENGINE,
-  ENTITLEMENTS.ISL_VERIFY,
-  ENTITLEMENTS.DEEP_SCAN,
-  ENTITLEMENTS.SCAN_PRO_ENGINES,
-  ENTITLEMENTS.DRIFT_DETECTION,
-  ENTITLEMENTS.CHAOS_AGENT,
-  ENTITLEMENTS.MODEL_FINGERPRINT,
-  ENTITLEMENTS.PROVENANCE_TRACKING,
-  ENTITLEMENTS.FIREWALL_AGENT,
-  ENTITLEMENTS.FIREWALL_ENFORCE,
-  ENTITLEMENTS.FIREWALL_LOCKDOWN,
-  ENTITLEMENTS.FORGE_EXTENDED,
-  ENTITLEMENTS.PROMPT_TEMPLATES_PRO,
-  ENTITLEMENTS.AI_GENERATION,
-  ENTITLEMENTS.REPLAY_VIEWER_FULL,
-  ENTITLEMENTS.SANDBOX_PREMIUM_MODELS,
-  ENTITLEMENTS.SANDBOX_AGENT_MODES,
-  ENTITLEMENTS.SANDBOX_PROOF_BUNDLES,
-  ENTITLEMENTS.SANDBOX_CLAUDE_SKILLS,
-  ENTITLEMENTS.VERIFIED_BUILD_CERT
-]);
-var TEAM_SET = new Set(PRO_SET);
-var ENTERPRISE_SET = /* @__PURE__ */ new Set([
-  ...TEAM_SET,
-  ENTITLEMENTS.TEAM_DASHBOARD,
-  ENTITLEMENTS.TEAM_COLLABORATION,
-  ENTITLEMENTS.TEAM_CROSS_REPO_SCANNING,
-  ENTITLEMENTS.TEAM_SHARED_POLICIES,
-  ENTITLEMENTS.TEAM_PROVENANCE_INSIGHTS,
-  ENTITLEMENTS.TEAM_ADMIN_POLICY_ENFORCEMENT,
-  ENTITLEMENTS.TEAM_AUDIT_LOG_EXPORT,
-  ENTITLEMENTS.TEAM_CONTEXT_ENGINE_SHARED,
-  ENTITLEMENTS.TEAM_PRIORITY_QUEUE,
-  ENTITLEMENTS.TEAM_ANALYTICS,
-  ENTITLEMENTS.TEAM_SLACK_ALERTS,
-  ENTITLEMENTS.TEAM_LEADERBOARDS,
-  ENTITLEMENTS.TEAM_BULK_INVITE,
-  ENTITLEMENTS.TEAM_ROLES,
-  ENTITLEMENTS.TEAM_SCAN_BUDGETS,
-  ENTITLEMENTS.COMPLIANCE_SOC2,
-  ENTITLEMENTS.COMPLIANCE_HIPAA,
-  ENTITLEMENTS.COMPLIANCE_PCI_DSS,
-  ENTITLEMENTS.COMPLIANCE_GDPR,
-  ENTITLEMENTS.COMPLIANCE_ISO27001,
-  ENTITLEMENTS.SDK_GENERATOR,
-  ENTITLEMENTS.POLICY_ENGINE,
-  ENTITLEMENTS.SSO_SAML,
-  ENTITLEMENTS.ON_PREMISE,
-  ENTITLEMENTS.DEDICATED_SLA,
-  ENTITLEMENTS.COMMIT_SHIELD_TEAM,
-  ENTITLEMENTS.COMMIT_SHIELD_ENTERPRISE,
-  ENTITLEMENTS.COMMIT_SHIELD_COMPLIANCE,
-  ENTITLEMENTS.ENTERPRISE_MULTI_REPO,
-  ENTITLEMENTS.ENTERPRISE_SIGNED_BUNDLES
-]);
-var PLAN_ENTITLEMENTS = {
-  free: FREE_SET,
-  pro: PRO_SET,
-  team: TEAM_SET,
-  enterprise: ENTERPRISE_SET
-};
-function validateEntitlementMatrix() {
-  const errors = [];
-  const validEntitlements = new Set(Object.values(ENTITLEMENTS));
-  const coveredEntitlements = /* @__PURE__ */ new Set();
-  for (const planId of PLAN_IDS) {
-    if (!PLAN_ENTITLEMENTS[planId]) {
-      errors.push(`Missing entitlement set for "${planId}"`);
-    }
-  }
-  for (const key of Object.keys(PLAN_ENTITLEMENTS)) {
-    if (!isPlanId(key)) {
-      errors.push(`Unexpected non-canonical entitlement plan key "${key}"`);
-    }
-  }
-  for (const [planId, entitlements] of Object.entries(PLAN_ENTITLEMENTS)) {
-    for (const entitlement of entitlements) {
-      if (!validEntitlements.has(entitlement)) {
-        errors.push(`Plan "${planId}" contains unknown entitlement "${entitlement}"`);
-      }
-      coveredEntitlements.add(entitlement);
-    }
-  }
-  for (const entitlement of validEntitlements) {
-    if (!coveredEntitlements.has(entitlement)) {
-      errors.push(`Entitlement "${entitlement}" is not granted by any plan`);
-    }
-  }
-  for (let index2 = 1; index2 < PLAN_IDS.length; index2 += 1) {
-    const lowerPlan = PLAN_IDS[index2 - 1];
-    const higherPlan = PLAN_IDS[index2];
-    const lowerSet = PLAN_ENTITLEMENTS[lowerPlan];
-    const higherSet = PLAN_ENTITLEMENTS[higherPlan];
-    for (const entitlement of lowerSet) {
-      if (!higherSet.has(entitlement)) {
-        errors.push(`Plan "${higherPlan}" is missing inherited entitlement "${entitlement}" from "${lowerPlan}"`);
-      }
-    }
-  }
-  return errors;
-}
-function assertValidEntitlementMatrix() {
-  const errors = validateEntitlementMatrix();
-  if (errors.length > 0) {
-    throw new Error(`[subscriptions] Invalid entitlement matrix:
-- ${errors.join("\n- ")}`);
-  }
-}
-function hasEntitlement(plan, entitlement) {
-  const safePlan = normalizePlanForEntitlement(plan);
-  return PLAN_ENTITLEMENTS[safePlan]?.has(entitlement) ?? false;
-}
-function getRequiredPlan(entitlement) {
-  for (const id of PLAN_IDS) {
-    if (PLAN_ENTITLEMENTS[id]?.has(entitlement)) return id;
-  }
-  if (typeof process !== "undefined" && process.env?.NODE_ENV !== "production") {
-    console.warn(`[subscriptions] Unknown entitlement "${entitlement}" \u2014 defaulting to enterprise tier`);
-  }
-  return "enterprise";
-}
-function getEntitlementsForPlan(plan) {
-  const safePlan = normalizePlanForEntitlement(plan);
-  return PLAN_ENTITLEMENTS[safePlan] ?? FREE_SET;
-}
-function meetsPlanRequirement(userPlan, requiredPlan) {
-  const safeUserPlan = normalizePlanForEntitlement(userPlan);
-  return PLAN_RANK[safeUserPlan] >= PLAN_RANK[requiredPlan];
-}
-if (typeof process !== "undefined") {
-  if (process.env?.NODE_ENV === "test") {
-    assertValidEntitlementMatrix();
-  } else if (process.env?.NODE_ENV !== "production") {
-    const errors = validateEntitlementMatrix();
-    if (errors.length > 0) {
-      console.warn("[subscriptions] entitlement matrix validation failed:", errors);
-    }
-  }
-}
-var ENTITLEMENTS_V2 = {
-  // ── FREE ────────────────────────────────────────────────────────────────
-  SCAN: "v2.scan",
-  SCAN_WORKSPACE: "v2.scan_workspace",
-  // ── PRO ─────────────────────────────────────────────────────────────────
-  GITHUB_ACTION: "v2.github_action",
-  FULL_EVIDENCE: "v2.full_evidence",
-  SARIF_EXPORT: "v2.sarif_export",
-  API_ACCESS: "v2.api_access",
-  PRIORITY_ENGINES: "v2.priority_engines",
-  ADVANCED_REPORT: "v2.advanced_report",
-  AUTOFIX: "v2.autofix",
-  CI_BLOCK: "v2.ci_block",
-  CONTEXT_ENGINE: "v2.context_engine",
-  SANDBOX: "v2.sandbox",
-  SUPPORT: "v2.support",
-  // ── TEAM ────────────────────────────────────────────────────────────────
-  TEAM_COLLABORATION: "v2.team_collaboration",
-  // ── ENTERPRISE ──────────────────────────────────────────────────────────
-  ENTERPRISE_COMPLIANCE: "v2.enterprise_compliance"
-};
 var LEGACY_TO_V2_MAP = {
   // ── FREE tier keys ──────────────────────────────────────────────────────
-  [ENTITLEMENTS.SCAN_BASIC]: ENTITLEMENTS_V2.SCAN,
-  [ENTITLEMENTS.SCAN_UNLIMITED]: ENTITLEMENTS_V2.SCAN_WORKSPACE,
-  [ENTITLEMENTS.SHIP_SCORE]: ENTITLEMENTS_V2.SCAN_WORKSPACE,
-  [ENTITLEMENTS.DOCTOR]: ENTITLEMENTS_V2.SCAN_WORKSPACE,
-  [ENTITLEMENTS.ROAST]: ENTITLEMENTS_V2.SCAN_WORKSPACE,
-  [ENTITLEMENTS.REPORTS_HTML]: ENTITLEMENTS_V2.SCAN,
-  [ENTITLEMENTS.CHECKPOINT]: null,
-  // Not visible in UI
-  [ENTITLEMENTS.MISSIONS_VIEW]: null,
-  // Missions merged into autofix
-  [ENTITLEMENTS.TEMPLATES_BROWSE]: null,
-  // Templates culled (P8)
-  [ENTITLEMENTS.TEMPLATES_INSTALL]: null,
-  // Templates culled (P8)
-  [ENTITLEMENTS.TRUTHPACK_GENERATE]: null,
-  // Truthpack culled (P8)
-  [ENTITLEMENTS.TRUTHPACK_VALIDATE]: null,
-  // Truthpack culled (P8)
-  [ENTITLEMENTS.KICKOFF_CONNECT]: null,
-  // Merged into onboarding
-  [ENTITLEMENTS.CODEGRAPH_VIEW]: ENTITLEMENTS_V2.SCAN_WORKSPACE,
-  [ENTITLEMENTS.WIKICODE_VIEW]: ENTITLEMENTS_V2.SCAN_WORKSPACE,
-  [ENTITLEMENTS.VIBE_FLOW]: null,
-  // Culled (P8)
-  [ENTITLEMENTS.REVIEW_WORKFLOWS]: null,
-  // Culled (P8)
-  [ENTITLEMENTS.FLOW_WORKFLOWS]: null,
-  // Culled (P8)
-  [ENTITLEMENTS.ATLAS]: ENTITLEMENTS_V2.SCAN_WORKSPACE,
-  [ENTITLEMENTS.ISL_STUDIO]: null,
-  // Free to browse; generation is credit-based
-  [ENTITLEMENTS.REPORTS_PDF]: ENTITLEMENTS_V2.ADVANCED_REPORT,
+  [LEGACY_ENTITLEMENTS.SCAN_BASIC]: ENTITLEMENTS.SCAN,
+  [LEGACY_ENTITLEMENTS.SCAN_UNLIMITED]: ENTITLEMENTS.SCAN_WORKSPACE,
+  [LEGACY_ENTITLEMENTS.SHIP_SCORE]: ENTITLEMENTS.SCAN_WORKSPACE,
+  [LEGACY_ENTITLEMENTS.DOCTOR]: ENTITLEMENTS.SCAN_WORKSPACE,
+  [LEGACY_ENTITLEMENTS.ROAST]: ENTITLEMENTS.SCAN_WORKSPACE,
+  [LEGACY_ENTITLEMENTS.REPORTS_HTML]: ENTITLEMENTS.SCAN,
+  [LEGACY_ENTITLEMENTS.CHECKPOINT]: null,
+  [LEGACY_ENTITLEMENTS.MISSIONS_VIEW]: null,
+  [LEGACY_ENTITLEMENTS.TEMPLATES_BROWSE]: null,
+  [LEGACY_ENTITLEMENTS.TEMPLATES_INSTALL]: null,
+  [LEGACY_ENTITLEMENTS.TRUTHPACK_GENERATE]: null,
+  [LEGACY_ENTITLEMENTS.TRUTHPACK_VALIDATE]: null,
+  [LEGACY_ENTITLEMENTS.KICKOFF_CONNECT]: null,
+  [LEGACY_ENTITLEMENTS.CODEGRAPH_VIEW]: ENTITLEMENTS.SCAN_WORKSPACE,
+  [LEGACY_ENTITLEMENTS.WIKICODE_VIEW]: ENTITLEMENTS.SCAN_WORKSPACE,
+  [LEGACY_ENTITLEMENTS.VIBE_FLOW]: null,
+  [LEGACY_ENTITLEMENTS.REVIEW_WORKFLOWS]: null,
+  [LEGACY_ENTITLEMENTS.FLOW_WORKFLOWS]: null,
+  [LEGACY_ENTITLEMENTS.ATLAS]: ENTITLEMENTS.SCAN_WORKSPACE,
+  [LEGACY_ENTITLEMENTS.ISL_STUDIO]: null,
+  [LEGACY_ENTITLEMENTS.REPORTS_PDF]: ENTITLEMENTS.ADVANCED_REPORT,
   // ── PRO tier keys ───────────────────────────────────────────────────────
-  [ENTITLEMENTS.FORGE_BASIC]: null,
-  // Forge culled
-  [ENTITLEMENTS.PROMPT_TEMPLATES_BASIC]: null,
-  // Part of context_engine
-  [ENTITLEMENTS.WATCH_MODE]: null,
-  // Not actively used
-  [ENTITLEMENTS.TRACE_ANALYSIS]: null,
-  // Not visible
-  [ENTITLEMENTS.FIREWALL_OBSERVE]: ENTITLEMENTS_V2.FULL_EVIDENCE,
-  [ENTITLEMENTS.FILE_LOCKING]: null,
-  // Feature incomplete
-  [ENTITLEMENTS.AUTOFIX_LIMITED]: ENTITLEMENTS_V2.AUTOFIX,
-  [ENTITLEMENTS.COMMIT_SHIELD_WARNINGS]: ENTITLEMENTS_V2.AUTOFIX,
-  [ENTITLEMENTS.GITHUB_ACTION_WARN]: ENTITLEMENTS_V2.GITHUB_ACTION,
-  [ENTITLEMENTS.VIBE_PROMPT]: null,
-  // Culled
-  [ENTITLEMENTS.PROOF_VIEW]: ENTITLEMENTS_V2.FULL_EVIDENCE,
-  [ENTITLEMENTS.AUTOFIX_UNLIMITED]: ENTITLEMENTS_V2.AUTOFIX,
-  [ENTITLEMENTS.AUTOFIX_APPLY]: ENTITLEMENTS_V2.AUTOFIX,
-  [ENTITLEMENTS.REALITY_MODE]: ENTITLEMENTS_V2.FULL_EVIDENCE,
-  [ENTITLEMENTS.COMMIT_SHIELD_FULL]: ENTITLEMENTS_V2.CI_BLOCK,
-  [ENTITLEMENTS.COMMIT_SHIELD_AUDITOR]: null,
-  // Auditor culled
-  [ENTITLEMENTS.REPORTS_EXECUTIVE]: ENTITLEMENTS_V2.ADVANCED_REPORT,
-  [ENTITLEMENTS.CLOUD_SYNC]: null,
-  // Implicit in paid
-  [ENTITLEMENTS.CERTIFY]: ENTITLEMENTS_V2.FULL_EVIDENCE,
-  [ENTITLEMENTS.BADGE_VERIFIED]: null,
-  // Badges culled (P8)
-  [ENTITLEMENTS.PROOF_HISTORY]: ENTITLEMENTS_V2.FULL_EVIDENCE,
-  [ENTITLEMENTS.SHAREABLE_REPORTS]: ENTITLEMENTS_V2.ADVANCED_REPORT,
-  [ENTITLEMENTS.PRIORITY_SUPPORT]: ENTITLEMENTS_V2.SUPPORT,
-  [ENTITLEMENTS.GITHUB_ACTION]: ENTITLEMENTS_V2.GITHUB_ACTION,
-  [ENTITLEMENTS.CI_INTEGRATION]: ENTITLEMENTS_V2.GITHUB_ACTION,
-  [ENTITLEMENTS.API_ACCESS]: ENTITLEMENTS_V2.API_ACCESS,
-  [ENTITLEMENTS.PR_COMMENTS]: ENTITLEMENTS_V2.GITHUB_ACTION,
-  [ENTITLEMENTS.STATUS_CHECKS]: ENTITLEMENTS_V2.GITHUB_ACTION,
-  [ENTITLEMENTS.BRANCH_PROTECTION]: ENTITLEMENTS_V2.CI_BLOCK,
-  [ENTITLEMENTS.WEBHOOK_INTEGRATION]: null,
-  // Webhooks culled
-  [ENTITLEMENTS.CI_GATE_BLOCK]: ENTITLEMENTS_V2.CI_BLOCK,
-  [ENTITLEMENTS.CONTEXT_ENGINE]: ENTITLEMENTS_V2.CONTEXT_ENGINE,
-  [ENTITLEMENTS.ISL_VERIFY]: null,
-  // ISL culled
-  [ENTITLEMENTS.DEEP_SCAN]: ENTITLEMENTS_V2.PRIORITY_ENGINES,
-  [ENTITLEMENTS.SCAN_PRO_ENGINES]: ENTITLEMENTS_V2.PRIORITY_ENGINES,
-  [ENTITLEMENTS.DRIFT_DETECTION]: ENTITLEMENTS_V2.FULL_EVIDENCE,
-  [ENTITLEMENTS.CHAOS_AGENT]: null,
-  // Chaos culled
-  [ENTITLEMENTS.MODEL_FINGERPRINT]: null,
-  // Model fingerprint culled
-  [ENTITLEMENTS.PROVENANCE_TRACKING]: ENTITLEMENTS_V2.FULL_EVIDENCE,
-  [ENTITLEMENTS.FIREWALL_AGENT]: ENTITLEMENTS_V2.FULL_EVIDENCE,
-  [ENTITLEMENTS.FIREWALL_ENFORCE]: ENTITLEMENTS_V2.CI_BLOCK,
-  [ENTITLEMENTS.FIREWALL_LOCKDOWN]: null,
-  // Lockdown not implemented
-  [ENTITLEMENTS.FORGE_EXTENDED]: null,
-  // Forge culled
-  [ENTITLEMENTS.PROMPT_TEMPLATES_PRO]: null,
-  // Part of context_engine
-  [ENTITLEMENTS.AI_GENERATION]: ENTITLEMENTS_V2.SANDBOX,
-  [ENTITLEMENTS.REPLAY_VIEWER_FULL]: null,
-  // Replay culled
+  [LEGACY_ENTITLEMENTS.FORGE_BASIC]: null,
+  [LEGACY_ENTITLEMENTS.PROMPT_TEMPLATES_BASIC]: null,
+  [LEGACY_ENTITLEMENTS.WATCH_MODE]: null,
+  [LEGACY_ENTITLEMENTS.TRACE_ANALYSIS]: null,
+  [LEGACY_ENTITLEMENTS.FIREWALL_OBSERVE]: ENTITLEMENTS.FULL_EVIDENCE,
+  [LEGACY_ENTITLEMENTS.FILE_LOCKING]: null,
+  [LEGACY_ENTITLEMENTS.AUTOFIX_LIMITED]: ENTITLEMENTS.AUTOFIX,
+  [LEGACY_ENTITLEMENTS.COMMIT_SHIELD_WARNINGS]: ENTITLEMENTS.AUTOFIX,
+  [LEGACY_ENTITLEMENTS.GITHUB_ACTION_WARN]: ENTITLEMENTS.GITHUB_ACTION,
+  [LEGACY_ENTITLEMENTS.VIBE_PROMPT]: null,
+  [LEGACY_ENTITLEMENTS.PROOF_VIEW]: ENTITLEMENTS.FULL_EVIDENCE,
+  [LEGACY_ENTITLEMENTS.AUTOFIX_UNLIMITED]: ENTITLEMENTS.AUTOFIX,
+  [LEGACY_ENTITLEMENTS.AUTOFIX_APPLY]: ENTITLEMENTS.AUTOFIX,
+  [LEGACY_ENTITLEMENTS.REALITY_MODE]: ENTITLEMENTS.FULL_EVIDENCE,
+  [LEGACY_ENTITLEMENTS.COMMIT_SHIELD_FULL]: ENTITLEMENTS.CI_BLOCK,
+  [LEGACY_ENTITLEMENTS.COMMIT_SHIELD_AUDITOR]: null,
+  [LEGACY_ENTITLEMENTS.REPORTS_EXECUTIVE]: ENTITLEMENTS.ADVANCED_REPORT,
+  [LEGACY_ENTITLEMENTS.CLOUD_SYNC]: null,
+  [LEGACY_ENTITLEMENTS.CERTIFY]: ENTITLEMENTS.FULL_EVIDENCE,
+  [LEGACY_ENTITLEMENTS.BADGE_VERIFIED]: null,
+  [LEGACY_ENTITLEMENTS.PROOF_HISTORY]: ENTITLEMENTS.FULL_EVIDENCE,
+  [LEGACY_ENTITLEMENTS.SHAREABLE_REPORTS]: ENTITLEMENTS.ADVANCED_REPORT,
+  [LEGACY_ENTITLEMENTS.PRIORITY_SUPPORT]: ENTITLEMENTS.SUPPORT,
+  [LEGACY_ENTITLEMENTS.GITHUB_ACTION]: ENTITLEMENTS.GITHUB_ACTION,
+  [LEGACY_ENTITLEMENTS.CI_INTEGRATION]: ENTITLEMENTS.GITHUB_ACTION,
+  [LEGACY_ENTITLEMENTS.API_ACCESS]: ENTITLEMENTS.API_ACCESS,
+  [LEGACY_ENTITLEMENTS.PR_COMMENTS]: ENTITLEMENTS.GITHUB_ACTION,
+  [LEGACY_ENTITLEMENTS.STATUS_CHECKS]: ENTITLEMENTS.GITHUB_ACTION,
+  [LEGACY_ENTITLEMENTS.BRANCH_PROTECTION]: ENTITLEMENTS.CI_BLOCK,
+  [LEGACY_ENTITLEMENTS.WEBHOOK_INTEGRATION]: null,
+  [LEGACY_ENTITLEMENTS.CI_GATE_BLOCK]: ENTITLEMENTS.CI_BLOCK,
+  [LEGACY_ENTITLEMENTS.CONTEXT_ENGINE]: ENTITLEMENTS.CONTEXT_ENGINE,
+  [LEGACY_ENTITLEMENTS.ISL_VERIFY]: null,
+  [LEGACY_ENTITLEMENTS.DEEP_SCAN]: ENTITLEMENTS.PRIORITY_ENGINES,
+  [LEGACY_ENTITLEMENTS.SCAN_PRO_ENGINES]: ENTITLEMENTS.PRIORITY_ENGINES,
+  [LEGACY_ENTITLEMENTS.DRIFT_DETECTION]: ENTITLEMENTS.FULL_EVIDENCE,
+  [LEGACY_ENTITLEMENTS.CHAOS_AGENT]: null,
+  [LEGACY_ENTITLEMENTS.MODEL_FINGERPRINT]: null,
+  [LEGACY_ENTITLEMENTS.PROVENANCE_TRACKING]: ENTITLEMENTS.FULL_EVIDENCE,
+  [LEGACY_ENTITLEMENTS.FIREWALL_AGENT]: ENTITLEMENTS.FULL_EVIDENCE,
+  [LEGACY_ENTITLEMENTS.FIREWALL_ENFORCE]: ENTITLEMENTS.CI_BLOCK,
+  [LEGACY_ENTITLEMENTS.FIREWALL_LOCKDOWN]: null,
+  [LEGACY_ENTITLEMENTS.FORGE_EXTENDED]: null,
+  [LEGACY_ENTITLEMENTS.PROMPT_TEMPLATES_PRO]: null,
+  [LEGACY_ENTITLEMENTS.AI_GENERATION]: ENTITLEMENTS.SANDBOX,
+  [LEGACY_ENTITLEMENTS.REPLAY_VIEWER_FULL]: null,
   // ── Sandbox & AI ────────────────────────────────────────────────────────
-  [ENTITLEMENTS.SANDBOX_ACCESS]: ENTITLEMENTS_V2.SANDBOX,
-  [ENTITLEMENTS.SANDBOX_GENERATIONS]: ENTITLEMENTS_V2.SANDBOX,
-  [ENTITLEMENTS.SANDBOX_PREMIUM_MODELS]: null,
-  // Not offered
-  [ENTITLEMENTS.SANDBOX_SLASH_COMMANDS]: ENTITLEMENTS_V2.SANDBOX,
-  [ENTITLEMENTS.SANDBOX_AGENT_MODES]: null,
-  // Agent modes culled
-  [ENTITLEMENTS.SANDBOX_PROOF_BUNDLES]: null,
-  // Proof bundles culled
-  [ENTITLEMENTS.SANDBOX_CLAUDE_SKILLS]: null,
-  // Skills culled
-  [ENTITLEMENTS.AI_CONFIDENCE_METER]: null,
-  // Not visible
-  [ENTITLEMENTS.AI_HALLUCINATION_SHIELD]: null,
-  // Part of core scanning
-  [ENTITLEMENTS.VERIFIED_BUILD_CERT]: null,
-  // Build certs culled
+  [LEGACY_ENTITLEMENTS.SANDBOX_ACCESS]: ENTITLEMENTS.SANDBOX,
+  [LEGACY_ENTITLEMENTS.SANDBOX_GENERATIONS]: ENTITLEMENTS.SANDBOX,
+  [LEGACY_ENTITLEMENTS.SANDBOX_PREMIUM_MODELS]: null,
+  [LEGACY_ENTITLEMENTS.SANDBOX_SLASH_COMMANDS]: ENTITLEMENTS.SANDBOX,
+  [LEGACY_ENTITLEMENTS.SANDBOX_AGENT_MODES]: null,
+  [LEGACY_ENTITLEMENTS.SANDBOX_PROOF_BUNDLES]: null,
+  [LEGACY_ENTITLEMENTS.SANDBOX_CLAUDE_SKILLS]: null,
+  [LEGACY_ENTITLEMENTS.AI_CONFIDENCE_METER]: null,
+  [LEGACY_ENTITLEMENTS.AI_HALLUCINATION_SHIELD]: null,
+  [LEGACY_ENTITLEMENTS.VERIFIED_BUILD_CERT]: null,
   // ── Team keys ───────────────────────────────────────────────────────────
-  [ENTITLEMENTS.TEAM_DASHBOARD]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.TEAM_COLLABORATION]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.TEAM_CROSS_REPO_SCANNING]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.TEAM_SHARED_POLICIES]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.TEAM_PROVENANCE_INSIGHTS]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.TEAM_ADMIN_POLICY_ENFORCEMENT]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.TEAM_AUDIT_LOG_EXPORT]: ENTITLEMENTS_V2.ENTERPRISE_COMPLIANCE,
-  [ENTITLEMENTS.TEAM_CONTEXT_ENGINE_SHARED]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.TEAM_PRIORITY_QUEUE]: null,
-  // Not implemented
-  [ENTITLEMENTS.TEAM_ANALYTICS]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.TEAM_SLACK_ALERTS]: null,
-  // Slack culled
-  [ENTITLEMENTS.TEAM_LEADERBOARDS]: null,
-  // Gamification culled
-  [ENTITLEMENTS.TEAM_BULK_INVITE]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.TEAM_ROLES]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.TEAM_SCAN_BUDGETS]: null,
-  // Budgeting not implemented
+  [LEGACY_ENTITLEMENTS.TEAM_DASHBOARD]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.TEAM_COLLABORATION]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.TEAM_CROSS_REPO_SCANNING]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.TEAM_SHARED_POLICIES]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.TEAM_PROVENANCE_INSIGHTS]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.TEAM_ADMIN_POLICY_ENFORCEMENT]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.TEAM_AUDIT_LOG_EXPORT]: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
+  [LEGACY_ENTITLEMENTS.TEAM_CONTEXT_ENGINE_SHARED]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.TEAM_PRIORITY_QUEUE]: null,
+  [LEGACY_ENTITLEMENTS.TEAM_ANALYTICS]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.TEAM_SLACK_ALERTS]: null,
+  [LEGACY_ENTITLEMENTS.TEAM_LEADERBOARDS]: null,
+  [LEGACY_ENTITLEMENTS.TEAM_BULK_INVITE]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.TEAM_ROLES]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.TEAM_SCAN_BUDGETS]: null,
   // ── Enterprise keys ─────────────────────────────────────────────────────
-  [ENTITLEMENTS.COMPLIANCE_SOC2]: ENTITLEMENTS_V2.ENTERPRISE_COMPLIANCE,
-  [ENTITLEMENTS.COMPLIANCE_HIPAA]: ENTITLEMENTS_V2.ENTERPRISE_COMPLIANCE,
-  [ENTITLEMENTS.COMPLIANCE_PCI_DSS]: ENTITLEMENTS_V2.ENTERPRISE_COMPLIANCE,
-  [ENTITLEMENTS.COMPLIANCE_GDPR]: ENTITLEMENTS_V2.ENTERPRISE_COMPLIANCE,
-  [ENTITLEMENTS.COMPLIANCE_ISO27001]: ENTITLEMENTS_V2.ENTERPRISE_COMPLIANCE,
-  [ENTITLEMENTS.SDK_GENERATOR]: null,
-  // SDK gen culled
-  [ENTITLEMENTS.POLICY_ENGINE]: null,
-  // Part of context_engine
-  [ENTITLEMENTS.SSO_SAML]: ENTITLEMENTS_V2.ENTERPRISE_COMPLIANCE,
-  [ENTITLEMENTS.ON_PREMISE]: null,
-  // On-premise not offered
-  [ENTITLEMENTS.DEDICATED_SLA]: ENTITLEMENTS_V2.ENTERPRISE_COMPLIANCE,
-  [ENTITLEMENTS.COMMIT_SHIELD_TEAM]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.COMMIT_SHIELD_ENTERPRISE]: ENTITLEMENTS_V2.ENTERPRISE_COMPLIANCE,
-  [ENTITLEMENTS.COMMIT_SHIELD_COMPLIANCE]: ENTITLEMENTS_V2.ENTERPRISE_COMPLIANCE,
-  [ENTITLEMENTS.ENTERPRISE_MULTI_REPO]: ENTITLEMENTS_V2.TEAM_COLLABORATION,
-  [ENTITLEMENTS.ENTERPRISE_SIGNED_BUNDLES]: null
-  // Not implemented
+  [LEGACY_ENTITLEMENTS.COMPLIANCE_SOC2]: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
+  [LEGACY_ENTITLEMENTS.COMPLIANCE_HIPAA]: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
+  [LEGACY_ENTITLEMENTS.COMPLIANCE_PCI_DSS]: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
+  [LEGACY_ENTITLEMENTS.COMPLIANCE_GDPR]: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
+  [LEGACY_ENTITLEMENTS.COMPLIANCE_ISO27001]: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
+  [LEGACY_ENTITLEMENTS.SDK_GENERATOR]: null,
+  [LEGACY_ENTITLEMENTS.POLICY_ENGINE]: null,
+  [LEGACY_ENTITLEMENTS.SSO_SAML]: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
+  [LEGACY_ENTITLEMENTS.ON_PREMISE]: null,
+  [LEGACY_ENTITLEMENTS.DEDICATED_SLA]: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
+  [LEGACY_ENTITLEMENTS.COMMIT_SHIELD_TEAM]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.COMMIT_SHIELD_ENTERPRISE]: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
+  [LEGACY_ENTITLEMENTS.COMMIT_SHIELD_COMPLIANCE]: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
+  [LEGACY_ENTITLEMENTS.ENTERPRISE_MULTI_REPO]: ENTITLEMENTS.TEAM_COLLABORATION,
+  [LEGACY_ENTITLEMENTS.ENTERPRISE_SIGNED_BUNDLES]: null
 };
-var V2_FREE_SET = /* @__PURE__ */ new Set([
-  ENTITLEMENTS_V2.SCAN,
-  ENTITLEMENTS_V2.SCAN_WORKSPACE
-]);
-var V2_PRO_SET = /* @__PURE__ */ new Set([
-  ...V2_FREE_SET,
-  ENTITLEMENTS_V2.GITHUB_ACTION,
-  ENTITLEMENTS_V2.FULL_EVIDENCE,
-  ENTITLEMENTS_V2.SARIF_EXPORT,
-  ENTITLEMENTS_V2.API_ACCESS,
-  ENTITLEMENTS_V2.PRIORITY_ENGINES,
-  ENTITLEMENTS_V2.ADVANCED_REPORT,
-  ENTITLEMENTS_V2.AUTOFIX,
-  ENTITLEMENTS_V2.CI_BLOCK,
-  ENTITLEMENTS_V2.CONTEXT_ENGINE,
-  ENTITLEMENTS_V2.SANDBOX,
-  ENTITLEMENTS_V2.SUPPORT
-]);
-var V2_TEAM_SET = /* @__PURE__ */ new Set([
-  ...V2_PRO_SET,
-  ENTITLEMENTS_V2.TEAM_COLLABORATION
-]);
-var V2_ENTERPRISE_SET = /* @__PURE__ */ new Set([
-  ...V2_TEAM_SET,
-  ENTITLEMENTS_V2.ENTERPRISE_COMPLIANCE
-]);
 var FEATURE_REGISTRY = {
   "Unlimited Auto-Fix": {
-    entitlement: ENTITLEMENTS.AUTOFIX_UNLIMITED,
+    entitlement: ENTITLEMENTS.AUTOFIX,
     title: "Unlimited Auto-Fix",
     subtitle: "AI-powered code repair without limits",
     benefits: ["No monthly limits", "Smart suggestions", "Safe rollback"],
@@ -292743,7 +292628,7 @@ var FEATURE_REGISTRY = {
     upgradeMessage: "Auto-Fix requires Pro. Upgrade to unlock AI-powered code repair."
   },
   "Reality Mode": {
-    entitlement: ENTITLEMENTS.REALITY_MODE,
+    entitlement: ENTITLEMENTS.FULL_EVIDENCE,
     title: "Reality Mode",
     subtitle: "Browser-based runtime verification",
     benefits: ["Runtime testing", "Screenshot evidence", "Error detection", "Network validation"],
@@ -292753,7 +292638,7 @@ var FEATURE_REGISTRY = {
     docsUrl: "/docs/reality-mode"
   },
   "CommitShield": {
-    entitlement: ENTITLEMENTS.COMMIT_SHIELD_FULL,
+    entitlement: ENTITLEMENTS.CI_BLOCK,
     title: "CommitShield",
     subtitle: "Pre-commit quality gate",
     benefits: ["25+ security rules", "Risk scoring", "Evidence bundles"],
@@ -292762,7 +292647,7 @@ var FEATURE_REGISTRY = {
   },
   /** CLI `vibecheck guard` — operator tooling (Pro). */
   "Guard": {
-    entitlement: ENTITLEMENTS.COMMIT_SHIELD_FULL,
+    entitlement: ENTITLEMENTS.CI_BLOCK,
     title: "Guard",
     subtitle: "Quality gate & policy enforcement from the CLI",
     benefits: ["Configurable fail thresholds", "Engine toggles", "CI-friendly output"],
@@ -292771,7 +292656,7 @@ var FEATURE_REGISTRY = {
   },
   /** CLI `vibecheck doctor` — engine / workspace diagnostics (Free). */
   "Doctor": {
-    entitlement: ENTITLEMENTS.DOCTOR,
+    entitlement: ENTITLEMENTS.SCAN_WORKSPACE,
     title: "Doctor",
     subtitle: "Engine health and workspace diagnostics",
     benefits: ["Engine readiness", "Config validation", "Optional repair flows"],
@@ -292780,7 +292665,7 @@ var FEATURE_REGISTRY = {
   },
   /** Truthpack generation / validation — free tier (local CLI + IDE viewer). */
   Truthpack: {
-    entitlement: ENTITLEMENTS.TRUTHPACK_GENERATE,
+    entitlement: ENTITLEMENTS.SCAN_WORKSPACE,
     title: "Truthpack",
     subtitle: "Ground-truth artifacts for your repo",
     benefits: ["Regenerate truthpack", "Cross-reference validation", "CI contracts"],
@@ -292789,7 +292674,7 @@ var FEATURE_REGISTRY = {
   },
   /** CLI `vibecheck roast` — stylized scan output (free for everyone; no login on CLI). */
   Roast: {
-    entitlement: ENTITLEMENTS.SCAN_BASIC,
+    entitlement: ENTITLEMENTS.SCAN,
     title: "Roast",
     subtitle: "Scan findings with editorial voice",
     benefits: [
@@ -292804,7 +292689,7 @@ var FEATURE_REGISTRY = {
   },
   /** CLI code graph / intent context that builds on local graph (free tier). */
   "Code Graph": {
-    entitlement: ENTITLEMENTS.SCAN_BASIC,
+    entitlement: ENTITLEMENTS.SCAN,
     title: "Code Graph",
     subtitle: "Local dependency and symbol graph",
     benefits: ["Import/export map", "Intent search", "Proactive file context"],
@@ -292813,7 +292698,7 @@ var FEATURE_REGISTRY = {
   },
   /** Ship / verify workflows from CLI (Pro). */
   "Ship Verification": {
-    entitlement: ENTITLEMENTS.CERTIFY,
+    entitlement: ENTITLEMENTS.FULL_EVIDENCE,
     title: "Ship Verification",
     subtitle: "Checklists, reports, and ship gates",
     benefits: ["Structured ship checks", "Evidence-friendly output"],
@@ -292821,7 +292706,7 @@ var FEATURE_REGISTRY = {
     category: "productivity"
   },
   "Firewall Enforce": {
-    entitlement: ENTITLEMENTS.FIREWALL_ENFORCE,
+    entitlement: ENTITLEMENTS.CI_BLOCK,
     title: "Firewall Enforce",
     subtitle: "Block AI mistakes before save",
     benefits: ["Pre-save validation", "Intent locking", "Drift prevention"],
@@ -292830,7 +292715,7 @@ var FEATURE_REGISTRY = {
     docsUrl: "/docs/firewall"
   },
   "Cloud Sync": {
-    entitlement: ENTITLEMENTS.CLOUD_SYNC,
+    entitlement: ENTITLEMENTS.SUPPORT,
     title: "Cloud Sync",
     subtitle: "Cross-device synchronization",
     benefits: ["Multi-device access", "Team sharing", "Automatic backup"],
@@ -292838,7 +292723,7 @@ var FEATURE_REGISTRY = {
     category: "productivity"
   },
   "PDF Reports": {
-    entitlement: ENTITLEMENTS.REPORTS_PDF,
+    entitlement: ENTITLEMENTS.SCAN,
     title: "PDF Reports",
     subtitle: "Professional shareable reports",
     benefits: ["Executive summaries", "Custom branding", "Print-ready"],
@@ -292846,7 +292731,7 @@ var FEATURE_REGISTRY = {
     category: "productivity"
   },
   "Verified Badge": {
-    entitlement: ENTITLEMENTS.BADGE_VERIFIED,
+    entitlement: ENTITLEMENTS.FULL_EVIDENCE,
     title: "Verified Ship Badge",
     subtitle: "Dynamic ship badges for your README",
     benefits: ["Live status", "README embeds", "Trust signals"],
@@ -292854,7 +292739,7 @@ var FEATURE_REGISTRY = {
     category: "productivity"
   },
   "Vibe Prompt": {
-    entitlement: ENTITLEMENTS.VIBE_PROMPT,
+    entitlement: ENTITLEMENTS.AUTOFIX,
     title: "Vibe Prompt",
     subtitle: "Generate prompt packs from intent",
     benefits: ["Truth-pack aware", "Implementation prompts", "Verification prompts"],
@@ -292863,7 +292748,7 @@ var FEATURE_REGISTRY = {
     upgradeMessage: "Vibe Prompt requires Pro. Upgrade to generate project-aware prompt packs."
   },
   "Review Workflows": {
-    entitlement: ENTITLEMENTS.REVIEW_WORKFLOWS,
+    entitlement: ENTITLEMENTS.SCAN_WORKSPACE,
     title: "Review Workflows",
     subtitle: "Code review workflows for Cursor/Claude",
     benefits: ["Copy to clipboard", "Install agents", "Workflow templates"],
@@ -292871,7 +292756,7 @@ var FEATURE_REGISTRY = {
     category: "productivity"
   },
   "Flow Workflows": {
-    entitlement: ENTITLEMENTS.FLOW_WORKFLOWS,
+    entitlement: ENTITLEMENTS.SCAN_WORKSPACE,
     title: "Flow Workflows",
     subtitle: "AI workflows panel",
     benefits: ["Copy workflows", "Agent chips", "AI automation"],
@@ -292879,7 +292764,7 @@ var FEATURE_REGISTRY = {
     category: "productivity"
   },
   "WikiCode Atlas": {
-    entitlement: ENTITLEMENTS.ATLAS,
+    entitlement: ENTITLEMENTS.SCAN_WORKSPACE,
     title: "WikiCode Atlas",
     subtitle: "Code atlas and wiki",
     benefits: ["Browse codebase", "Feature mapping", "Documentation"],
@@ -292891,17 +292776,17 @@ var FEATURE_REGISTRY = {
    * Pro+ unlimited. Use getAccessMode + getLimitForFeature — not canAccessFeature alone.
    */
   "Guided Route": {
-    entitlement: ENTITLEMENTS.WIKICODE_VIEW,
+    entitlement: ENTITLEMENTS.SCAN_WORKSPACE,
     title: "Guided Route (LLM)",
     subtitle: "Intent-driven tour with AI-ordered stops",
     benefits: ["Hybrid search + call graph context", "Next/prev stops", "Follow-up Q&A on each stop"],
     requiredPlan: "pro",
     category: "analysis",
     freeTasteLimit: "guidedRoute",
-    upgradeMessage: "You have used today\u2019s free guided routes. Upgrade to Pro for unlimited LLM routes and follow-ups."
+    upgradeMessage: "You have used today's free guided routes. Upgrade to Pro for unlimited LLM routes and follow-ups."
   },
   "Proof History": {
-    entitlement: ENTITLEMENTS.PROOF_VIEW,
+    entitlement: ENTITLEMENTS.FULL_EVIDENCE,
     title: "Proof History",
     subtitle: "Saved proof bundles beyond last run",
     benefits: ["90-day history", "Proof chains", "Audit trail"],
@@ -292910,7 +292795,7 @@ var FEATURE_REGISTRY = {
     upgradeMessage: "Proof History requires Pro. Upgrade for full proof history and audit trail."
   },
   "Forge": {
-    entitlement: ENTITLEMENTS.FORGE_BASIC,
+    entitlement: ENTITLEMENTS.AUTOFIX,
     title: "Forge",
     subtitle: "AI code generation (component, api, hook, test)",
     benefits: ["Component generation", "API scaffolding", "Test generation"],
@@ -292928,7 +292813,7 @@ var FEATURE_REGISTRY = {
     upgradeMessage: "GitHub Action requires Pro. Upgrade to automate PR quality checks."
   },
   "CI Integration": {
-    entitlement: ENTITLEMENTS.CI_INTEGRATION,
+    entitlement: ENTITLEMENTS.GITHUB_ACTION,
     title: "CI/CD Integration",
     subtitle: "All CI platforms supported",
     benefits: ["GitHub Actions", "GitLab CI", "CircleCI", "Jenkins"],
@@ -292957,7 +292842,7 @@ var FEATURE_REGISTRY = {
     upgradeMessage: "Context Engine (cloud rules & agents) requires Pro. Your local CLI `vibecheck context` command stays on Free."
   },
   "ISL Studio": {
-    entitlement: ENTITLEMENTS.ISL_STUDIO,
+    entitlement: ENTITLEMENTS.SCAN_WORKSPACE,
     title: "ISL Studio",
     subtitle: "Visual spec editor & code generation",
     benefits: ["Visual editor", "Real-time validation", "Code generation (credit packs)"],
@@ -292965,7 +292850,7 @@ var FEATURE_REGISTRY = {
     category: "analysis"
   },
   "Deep Scan": {
-    entitlement: ENTITLEMENTS.DEEP_SCAN,
+    entitlement: ENTITLEMENTS.PRIORITY_ENGINES,
     title: "Deep Scan",
     subtitle: "Advanced security analysis",
     benefits: ["18 production engines", "Runtime proof", "Mock detection"],
@@ -292973,7 +292858,7 @@ var FEATURE_REGISTRY = {
     category: "analysis"
   },
   "Drift Detection": {
-    entitlement: ENTITLEMENTS.DRIFT_DETECTION,
+    entitlement: ENTITLEMENTS.FULL_EVIDENCE,
     title: "Drift Detection",
     subtitle: "Code vs spec divergence tracking",
     benefits: ["Contract drift", "Intent violations", "Auto-alerts"],
@@ -292981,7 +292866,7 @@ var FEATURE_REGISTRY = {
     category: "analysis"
   },
   "Chaos Agent": {
-    entitlement: ENTITLEMENTS.CHAOS_AGENT,
+    entitlement: ENTITLEMENTS.PRIORITY_ENGINES,
     title: "Chaos Agent",
     subtitle: "AI-powered bug hunting",
     benefits: ["Edge case discovery", "Fault injection", "Resilience testing"],
@@ -292989,7 +292874,7 @@ var FEATURE_REGISTRY = {
     category: "analysis"
   },
   "Team Dashboard": {
-    entitlement: ENTITLEMENTS.TEAM_DASHBOARD,
+    entitlement: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
     title: "Team Dashboard",
     subtitle: "Aggregate team metrics & analytics",
     benefits: ["Cross-member insights", "Usage tracking", "Performance trends"],
@@ -292997,7 +292882,7 @@ var FEATURE_REGISTRY = {
     category: "team"
   },
   "Enterprise Dashboard": {
-    entitlement: ENTITLEMENTS.TEAM_DASHBOARD,
+    entitlement: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
     title: "Enterprise Dashboard",
     subtitle: "Org-wide visibility & governance",
     benefits: ["Cross-repo insights", "Policy enforcement", "Audit trails"],
@@ -293005,7 +292890,7 @@ var FEATURE_REGISTRY = {
     category: "team"
   },
   "Team Management": {
-    entitlement: ENTITLEMENTS.TEAM_COLLABORATION,
+    entitlement: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
     title: "Team Management",
     subtitle: "Unlimited team members & roles",
     benefits: ["Role-based access", "Shared policies", "Team analytics"],
@@ -293013,7 +292898,7 @@ var FEATURE_REGISTRY = {
     category: "team"
   },
   "Audit Log": {
-    entitlement: ENTITLEMENTS.TEAM_AUDIT_LOG_EXPORT,
+    entitlement: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
     title: "Audit Log Export",
     subtitle: "Compliance-ready activity records",
     benefits: ["CSV/JSON export", "Activity tracking", "SOC2 ready"],
@@ -293021,7 +292906,7 @@ var FEATURE_REGISTRY = {
     category: "compliance"
   },
   "Multi-Repo": {
-    entitlement: ENTITLEMENTS.ENTERPRISE_MULTI_REPO,
+    entitlement: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
     title: "Multi-Repo Scanning",
     subtitle: "Unified view across repositories",
     benefits: ["Aggregate metrics", "Cross-project drift", "Org-wide insights"],
@@ -293029,7 +292914,7 @@ var FEATURE_REGISTRY = {
     category: "team"
   },
   "Compliance Audit": {
-    entitlement: ENTITLEMENTS.COMPLIANCE_SOC2,
+    entitlement: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
     title: "Compliance Audit",
     subtitle: "SOC2, HIPAA, PCI-DSS, GDPR, ISO27001",
     benefits: ["Pre-built rules", "Evidence collection", "Audit reports"],
@@ -293037,7 +292922,7 @@ var FEATURE_REGISTRY = {
     category: "compliance"
   },
   "SDK Generator": {
-    entitlement: ENTITLEMENTS.SDK_GENERATOR,
+    entitlement: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
     title: "SDK Generator",
     subtitle: "Multi-language SDK generation",
     benefits: ["TypeScript, Python, Go, Rust", "Type-safe clients", "Auto-updated"],
@@ -293045,7 +292930,7 @@ var FEATURE_REGISTRY = {
     category: "compliance"
   },
   "Policy Engine": {
-    entitlement: ENTITLEMENTS.POLICY_ENGINE,
+    entitlement: ENTITLEMENTS.ENTERPRISE_COMPLIANCE,
     title: "Policy Engine",
     subtitle: "Policy-as-code evaluation",
     benefits: ["YAML/JSON policies", "Violation detection", "Team enforcement"],
@@ -293053,7 +292938,7 @@ var FEATURE_REGISTRY = {
     category: "compliance"
   },
   "Polish": {
-    entitlement: ENTITLEMENTS.AUTOFIX_UNLIMITED,
+    entitlement: ENTITLEMENTS.AUTOFIX,
     title: "Polish",
     subtitle: "Enterprise-grade code quality engine",
     benefits: ["Code quality scoring", "Complexity analysis", "Trend tracking"],
@@ -293061,7 +292946,7 @@ var FEATURE_REGISTRY = {
     category: "productivity"
   },
   "DocGuard": {
-    entitlement: ENTITLEMENTS.COMMIT_SHIELD_FULL,
+    entitlement: ENTITLEMENTS.CI_BLOCK,
     title: "DocGuard",
     subtitle: "Documentation quality enforcement",
     benefits: ["JSDoc validation", "Coverage tracking", "Stale doc detection"],
@@ -293069,7 +292954,7 @@ var FEATURE_REGISTRY = {
     category: "productivity"
   },
   "TestGap": {
-    entitlement: ENTITLEMENTS.DEEP_SCAN,
+    entitlement: ENTITLEMENTS.PRIORITY_ENGINES,
     title: "TestGap Analysis",
     subtitle: "Test coverage gap detection",
     benefits: ["Zero coverage detection", "Happy path analysis", "Orphaned test detection"],
@@ -293077,7 +292962,7 @@ var FEATURE_REGISTRY = {
     category: "analysis"
   },
   "ArchRules": {
-    entitlement: ENTITLEMENTS.DEEP_SCAN,
+    entitlement: ENTITLEMENTS.PRIORITY_ENGINES,
     title: "Architecture Rules",
     subtitle: "Enforce architectural patterns",
     benefits: ["YAML rule config", "6 rule types", "Violation detection"],
@@ -293085,7 +292970,7 @@ var FEATURE_REGISTRY = {
     category: "analysis"
   },
   "Provenance": {
-    entitlement: ENTITLEMENTS.PROVENANCE_TRACKING,
+    entitlement: ENTITLEMENTS.FULL_EVIDENCE,
     title: "Provenance Tracking",
     subtitle: "Edit history and attestations",
     benefits: ["Edit tracking", "Attestation DB", "Audit trail"],
@@ -293093,7 +292978,7 @@ var FEATURE_REGISTRY = {
     category: "compliance"
   },
   "Model Fingerprint": {
-    entitlement: ENTITLEMENTS.MODEL_FINGERPRINT,
+    entitlement: ENTITLEMENTS.FULL_EVIDENCE,
     title: "Model Fingerprint",
     subtitle: "AI model detection and tracking",
     benefits: ["Model identification", "Version tracking", "Usage analytics"],
@@ -293102,7 +292987,7 @@ var FEATURE_REGISTRY = {
   },
   /** Kickoff / connect project (Free). */
   "Kickoff Connect": {
-    entitlement: ENTITLEMENTS.KICKOFF_CONNECT,
+    entitlement: ENTITLEMENTS.SCAN_WORKSPACE,
     title: "Kickoff & Connect",
     subtitle: "Initialize and connect your project",
     benefits: ["Project scaffolding", "Config generation", "Quick start"],
@@ -293111,7 +292996,7 @@ var FEATURE_REGISTRY = {
   },
   /** Codegraph — local dependency/symbol graph (Free). */
   "Codegraph": {
-    entitlement: ENTITLEMENTS.CODEGRAPH_VIEW,
+    entitlement: ENTITLEMENTS.SCAN_WORKSPACE,
     title: "Codegraph",
     subtitle: "Local dependency and symbol graph",
     benefits: ["Import/export map", "Symbol navigation", "Dependency visualization"],
@@ -293120,7 +293005,7 @@ var FEATURE_REGISTRY = {
   },
   /** WikiCode — codebase wiki and atlas (Free). */
   "WikiCode": {
-    entitlement: ENTITLEMENTS.WIKICODE_VIEW,
+    entitlement: ENTITLEMENTS.SCAN_WORKSPACE,
     title: "WikiCode",
     subtitle: "Codebase wiki and documentation",
     benefits: ["Browse codebase", "Feature mapping", "Documentation"],
@@ -293129,7 +293014,7 @@ var FEATURE_REGISTRY = {
   },
   /** Vibe Flow — AI workflows panel (Free). */
   "Vibe Flow": {
-    entitlement: ENTITLEMENTS.VIBE_FLOW,
+    entitlement: ENTITLEMENTS.SCAN_WORKSPACE,
     title: "Vibe Flow",
     subtitle: "AI workflow automation",
     benefits: ["Workflow templates", "Agent chips", "AI automation"],
@@ -293265,6 +293150,74 @@ var FEATURE_NAMES = {
   SDK_GENERATOR: "SDK Generator",
   COMPLIANCE_AUDIT: "Compliance Audit"
 };
+var DEFAULT_API_BASE_URL = "https://api.vibecheckai.dev";
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function getCanonicalAccessUrl(apiBaseUrl2) {
+  const baseUrl = (apiBaseUrl2 || DEFAULT_API_BASE_URL).replace(/\/+$/, "");
+  return baseUrl.endsWith("/api/v1") ? `${baseUrl}/me/access` : `${baseUrl}/api/v1/me/access`;
+}
+function buildPlatformAuthHeaders(token, headers) {
+  const merged = new Headers(headers);
+  if (!merged.has("Accept")) {
+    merged.set("Accept", "application/json");
+  }
+  const trimmedToken = token?.trim();
+  if (!trimmedToken) {
+    return merged;
+  }
+  if (trimmedToken.startsWith("vc_")) {
+    merged.set("X-API-Key", trimmedToken);
+    merged.delete("Authorization");
+    return merged;
+  }
+  if (!merged.has("Authorization")) {
+    merged.set("Authorization", `Bearer ${trimmedToken}`);
+  }
+  return merged;
+}
+function coerceCanonicalAccessResponse(value) {
+  const payload = isRecord(value) && isRecord(value.data) ? value.data : value;
+  if (!isRecord(payload) || typeof payload.plan !== "string") {
+    return null;
+  }
+  return {
+    ...payload,
+    plan: normalizePlanId(payload.plan)
+  };
+}
+async function fetchCanonicalAccess(options = {}) {
+  const fetchImpl = options.fetchImpl ?? fetch;
+  const response = await fetchImpl(getCanonicalAccessUrl(options.apiBaseUrl), {
+    headers: buildPlatformAuthHeaders(options.token, options.headers),
+    signal: options.signal,
+    credentials: options.credentials
+  });
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      data: null
+    };
+  }
+  let json;
+  try {
+    json = await response.json();
+  } catch {
+    return {
+      ok: false,
+      status: response.status,
+      data: null
+    };
+  }
+  const data = coerceCanonicalAccessResponse(json);
+  return {
+    ok: data !== null,
+    status: response.status,
+    data
+  };
+}
 var CLI_COMMAND_MIN_PLAN = {
   scan: "free",
   score: "free",
@@ -293298,19 +293251,19 @@ var CLI_COMMAND_MIN_PLAN_LOWER = Object.fromEntries(
   Object.entries(CLI_COMMAND_MIN_PLAN).map(([k, v]) => [k.toLowerCase(), v])
 );
 var API_SURFACE_RULES = {
-  ship_proof: { kind: "entitlement", entitlement: ENTITLEMENTS.CERTIFY },
-  reality_mode: { kind: "entitlement", entitlement: ENTITLEMENTS.REALITY_MODE },
-  autofix: { kind: "entitlement", entitlement: ENTITLEMENTS.AUTOFIX_UNLIMITED },
-  isl_studio: { kind: "entitlement", entitlement: ENTITLEMENTS.ISL_STUDIO },
-  sandbox: { kind: "entitlement", entitlement: ENTITLEMENTS.SANDBOX_ACCESS },
-  commit_shield: { kind: "entitlement", entitlement: ENTITLEMENTS.COMMIT_SHIELD_FULL },
+  ship_proof: { kind: "entitlement", entitlement: ENTITLEMENTS.FULL_EVIDENCE },
+  reality_mode: { kind: "entitlement", entitlement: ENTITLEMENTS.FULL_EVIDENCE },
+  autofix: { kind: "entitlement", entitlement: ENTITLEMENTS.AUTOFIX },
+  isl_studio: { kind: "entitlement", entitlement: ENTITLEMENTS.SCAN_WORKSPACE },
+  sandbox: { kind: "entitlement", entitlement: ENTITLEMENTS.SANDBOX },
+  commit_shield: { kind: "entitlement", entitlement: ENTITLEMENTS.CI_BLOCK },
   context_engine: { kind: "entitlement", entitlement: ENTITLEMENTS.CONTEXT_ENGINE },
-  firewall: { kind: "entitlement", entitlement: ENTITLEMENTS.FIREWALL_ENFORCE },
-  cloud_sync: { kind: "entitlement", entitlement: ENTITLEMENTS.CLOUD_SYNC },
-  custom_policies: { kind: "entitlement", entitlement: ENTITLEMENTS.POLICY_ENGINE },
-  sso: { kind: "entitlement", entitlement: ENTITLEMENTS.SSO_SAML },
-  audit_logs: { kind: "entitlement", entitlement: ENTITLEMENTS.TEAM_AUDIT_LOG_EXPORT },
-  team_dashboard: { kind: "entitlement", entitlement: ENTITLEMENTS.TEAM_DASHBOARD },
+  firewall: { kind: "entitlement", entitlement: ENTITLEMENTS.CI_BLOCK },
+  cloud_sync: { kind: "entitlement", entitlement: ENTITLEMENTS.SUPPORT },
+  custom_policies: { kind: "entitlement", entitlement: ENTITLEMENTS.ENTERPRISE_COMPLIANCE },
+  sso: { kind: "entitlement", entitlement: ENTITLEMENTS.ENTERPRISE_COMPLIANCE },
+  audit_logs: { kind: "entitlement", entitlement: ENTITLEMENTS.ENTERPRISE_COMPLIANCE },
+  team_dashboard: { kind: "entitlement", entitlement: ENTITLEMENTS.TEAM_COLLABORATION },
   csv_export: { kind: "quota", satisfies: (q) => q.canExportCSV }
 };
 function minPlanForQuotaRule(satisfies) {
@@ -293369,6 +293322,16 @@ var INTRO_PRICES = {
   team: "$4.99",
   enterprise: "$14.99"
 };
+function formatFindingSeverityBreakdown(summary) {
+  const parts2 = [`${summary.total} total`];
+  if (summary.critical > 0) parts2.push(`${summary.critical} critical`);
+  if (summary.high > 0) parts2.push(`${summary.high} high`);
+  if (summary.medium > 0) parts2.push(`${summary.medium} medium`);
+  if (summary.low > 0) parts2.push(`${summary.low} low`);
+  if (summary.info > 0) parts2.push(`${summary.info} info`);
+  if (summary.other > 0) parts2.push(`${summary.other} other`);
+  return parts2.join(" \xB7 ");
+}
 function buildCliUpgradeBlock(featureName, currentPlan) {
   const target = getUpgradeTarget(currentPlan, featureName);
   if (!target) return "";
@@ -293386,12 +293349,66 @@ function buildCliUpgradeBlock(featureName, currentPlan) {
   }
   lines.push(
     "",
-    "  Upgrade: https://vibecheckai.dev/checkout?plan=pro",
+    `  Upgrade: ${getPricingPageUrl("pro")}`,
     "  Or run:  vibecheck auth upgrade",
     ""
   );
   return lines.join("\n");
 }
+function getPricingPageUrl(highlightPlan) {
+  const canonicalPlan = highlightPlan ? normalizePlanId(highlightPlan) : "pro";
+  const target = canonicalPlan === "free" ? "pro" : canonicalPlan;
+  return `https://vibecheckai.dev/pricing?plan=${target}`;
+}
+function buildGatedScanResponse(opts) {
+  const plan = normalizePlanId(opts.plan);
+  const limit = getQuotas(plan).findingDetailLimit;
+  const isFree = plan === "free";
+  const isGated = isFree && limit <= 0 && opts.findings.length > 0;
+  const severitySummary = {
+    total: opts.summary.total,
+    critical: opts.summary.critical,
+    high: opts.summary.high,
+    medium: opts.summary.medium,
+    low: opts.summary.low,
+    info: opts.summary.info ?? 0,
+    other: 0
+  };
+  if (!isGated) {
+    return {
+      gated: false,
+      plan,
+      summary: severitySummary,
+      healthScore: opts.healthScore,
+      verdict: opts.verdict,
+      findings: opts.findings,
+      upgrade: null
+    };
+  }
+  const gatedFindings = opts.findings.map((f) => ({
+    severity: String(f.severity ?? "info"),
+    engine: f.engine,
+    category: f.category,
+    ruleId: f.ruleId,
+    _gated: true,
+    _upgradeMessage: "Upgrade to Pro to see the full error details, location, and fix suggestion.",
+    _upgradeUrl: getPricingPageUrl("pro")
+  }));
+  return {
+    gated: true,
+    plan,
+    summary: severitySummary,
+    healthScore: opts.healthScore,
+    verdict: opts.verdict,
+    findings: gatedFindings,
+    upgrade: {
+      show: true,
+      message: `${opts.summary.total} issues found (${opts.summary.critical} critical, ${opts.summary.high} high, ${opts.summary.medium} medium). Upgrade to Pro to see every error with location, explanation, and fix suggestion.`,
+      url: getPricingPageUrl("pro"),
+      buttonLabel: "Upgrade to Pro"
+    }
+  };
+}
 // src/plan-resolver.ts
 var MCPAuthRequiredError = class extends Error {
@@ -293403,13 +293420,9 @@ var MCPAuthRequiredError = class extends Error {
     this.name = "MCPAuthRequiredError";
   }
 };
-var DEFAULT_API_BASE_URL = "https://api.vibecheckai.dev";
+var DEFAULT_API_BASE_URL2 = "https://api.vibecheckai.dev";
 function getApiBaseUrl() {
-  return (process.env.VIBECHECK_API_URL || DEFAULT_API_BASE_URL).replace(/\/+$/, "");
-}
-function getMeAccessUrl() {
-  const baseUrl = getApiBaseUrl();
-  return baseUrl.endsWith("/api/v1") ? `${baseUrl}/me/access` : `${baseUrl}/api/v1/me/access`;
+  return (process.env.VIBECHECK_API_URL || DEFAULT_API_BASE_URL2).replace(/\/+$/, "");
 }
 async function resolveUserPlan() {
   const resolved = await resolveUser();
@@ -293429,18 +293442,16 @@ async function resolveUser() {
     throw new MCPAuthRequiredError();
   }
   try {
-    const response = await fetch(getMeAccessUrl(), {
-      headers: {
-        Authorization: `Bearer ${token}`
-      },
+    const response = await fetchCanonicalAccess({
+      apiBaseUrl: getApiBaseUrl(),
+      token,
       signal: AbortSignal.timeout(1e4)
     });
-    if (!response.ok) {
+    if (!response.ok || !response.data) {
       throw new MCPAuthRequiredError();
     }
-    const payload = await response.json();
-    const rawPlan = payload.data?.plan;
-    const userId = payload.data?.user?.id ?? null;
+    const rawPlan = response.data.plan;
+    const userId = response.data.user?.id ?? null;
     return {
       plan: rawPlan ? normalizePlanId(rawPlan) : "free",
       userId,
@@ -293935,7 +293946,17 @@ var TOOL_FEATURE_MAP = {
   vibecheck_context_proactive: FEATURE_NAMES.CONTEXT_ENGINE,
   vibecheck_context_intent: FEATURE_NAMES.CONTEXT_ENGINE,
   vibecheck_context_evolve: FEATURE_NAMES.CONTEXT_ENGINE,
-  vibecheck_context_feedback: FEATURE_NAMES.CONTEXT_ENGINE
+  vibecheck_context_feedback: FEATURE_NAMES.CONTEXT_ENGINE,
+  vibecheck_forge: FEATURE_NAMES.FORGE_BASIC,
+  vibecheck_reality: FEATURE_NAMES.REALITY_MODE,
+  vibecheck_ship: FEATURE_NAMES.VERIFIED_BADGE,
+  vibecheck_firewall: FEATURE_NAMES.FIREWALL_ENFORCE,
+  vibecheck_isl: FEATURE_NAMES.ISL_STUDIO,
+  vibecheck_docguard: FEATURE_NAMES.DOCGUARD,
+  vibecheck_commitshield: FEATURE_NAMES.COMMIT_SHIELD,
+  vibecheck_polish: FEATURE_NAMES.POLISH,
+  vibecheck_truthpack: "Truthpack",
+  vibecheck_review: FEATURE_NAMES.COMMIT_SHIELD
 };
 function getToolApiSurface(toolName) {
   return TOOL_API_SURFACE_MAP[toolName];
@@ -294056,6 +294077,160 @@ var MCP_TOOLS = [
         }
       }
     }
+  },
+  {
+    name: "vibecheck_forge",
+    description: "Scaffolding for components, APIs, hooks, and tests.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Destination path." },
+        type: { type: "string", enum: ["component", "api", "hook", "test"], description: "Type of code to forge." },
+        name: { type: "string", description: "Name of the component/api/hook." }
+      },
+      required: ["type", "name"]
+    }
+  },
+  {
+    name: "vibecheck_reality",
+    description: "Runtime health checks (homepage, links, API health, mixed-content).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Workspace or project root path. Defaults to current directory." },
+        targetUrl: { type: "string", description: "Base URL to test." }
+      }
+    }
+  },
+  {
+    name: "vibecheck_ship",
+    description: "Runs a 16-point pre-deployment readiness checklist.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Workspace or project root path. Defaults to current directory." }
+      }
+    }
+  },
+  {
+    name: "vibecheck_firewall",
+    description: "Manage intent locking and protection management (observe, enforce, lockdown).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Workspace or project root path. Defaults to current directory." },
+        mode: { type: "string", enum: ["enforce", "observe", "off"], description: "Firewall mode to set." }
+      },
+      required: ["mode"]
+    }
+  },
+  {
+    name: "vibecheck_isl",
+    description: "Intent Specification Language generation and verification.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Path to ISL file or project root." },
+        action: { type: "string", enum: ["generate", "verify"], description: "Action to perform." }
+      },
+      required: ["action"]
+    }
+  },
+  {
+    name: "vibecheck_docguard",
+    description: "Documentation quality analysis (orphaned, stale, or duplicate docs).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Workspace or project root path. Defaults to current directory." }
+      }
+    }
+  },
+  {
+    name: "vibecheck_commitshield",
+    description: "Pre-commit security analysis and risk scoring.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Workspace or project root path. Defaults to current directory." }
+      }
+    }
+  },
+  {
+    name: "vibecheck_polish",
+    description: "Project-level quality report (SEO, performance, observability).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Workspace or project root path. Defaults to current directory." }
+      }
+    }
+  },
+  {
+    name: "vibecheck_truthpack",
+    description: "Ground-truth artifact generation (routes, env, contracts).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Workspace or project root path. Defaults to current directory." },
+        out: { type: "string", description: "Output path for the truthpack." }
+      }
+    }
+  },
+  {
+    name: "vibecheck_review",
+    description: "Git-aware code review across 10 quality dimensions.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Workspace or project root path. Defaults to current directory." },
+        branch: { type: "string", description: "Branch to compare against." }
+      }
+    }
+  },
+  {
+    name: "vibecheck_report",
+    description: "Generates a full codebase quality report as HTML.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Workspace or project root path. Defaults to current directory." }
+      }
+    }
+  },
+  {
+    name: "vibecheck_prompt_pack",
+    description: "Generates an AI implementation prompt pack based on an intent.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        intent: { type: "string", description: "Description of the feature to build." },
+        path: { type: "string", description: "Workspace or project root path. Defaults to current directory." }
+      },
+      required: ["intent"]
+    }
+  },
+  {
+    name: "vibecheck_rules_list",
+    description: "Lists all available custom detection rules.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Workspace or project root path. Defaults to current directory." }
+      }
+    }
+  },
+  {
+    name: "vibecheck_explain_file",
+    description: "Gets full codebase intelligence, call graph, and git temporal stats for a file.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        file: { type: "string", description: "Absolute path to the file." },
+        path: { type: "string", description: "Workspace root path." }
+      },
+      required: ["file"]
+    }
   }
 ];
 function isKnownToolName(toolName) {
@@ -294204,10 +294379,12 @@ function createScanIdempotencyKey(prefix) {
 // src/mcp-scan-meter-client.ts
 var MCP_SCAN_METER_CLIENT = {
   type: "mcp",
-  version: "24.4.3"
+  version: "24.5.6"
 };
 // src/server.ts
+import { uploadScanToApi } from "@repo/shared/sync/upload-scan";
+var execAsync = promisify(exec);
 async function executeScan(targetPath, engineToggles = null) {
   const resolved = path9.resolve(targetPath);
   const stat4 = fs6.statSync(resolved);
@@ -294635,6 +294812,7 @@ ${validation.errors.join("\n")}`
           MCP_TOOL_TIMEOUT_MS,
           "vibecheck_scan"
         );
+        const gatedReport = gateCanonicalScanReportFindings(report, userPlan);
         const scanRec = await recordMcpBillableUsage("mcp-scan");
         if (!scanRec.ok) {
           return buildErrorResponse(
@@ -294645,11 +294823,50 @@ ${validation.errors.join("\n")}`
             })
           );
         }
+        const mcpToken = process.env.VIBECHECK_TOKEN?.trim();
+        if (mcpToken) {
+          uploadScanToApi(report, {
+            token: mcpToken,
+            apiBaseUrl: process.env.VIBECHECK_API_URL || "https://api.vibecheckai.dev",
+            clientType: MCP_SCAN_METER_CLIENT.type,
+            clientVersion: MCP_SCAN_METER_CLIENT.version,
+            idempotencyKey: `mcp:${workspaceRoot}:${report.timestamp}`,
+            maxRetries: 1,
+            timeoutMs: 1e4
+          }).catch(() => {
+          });
+        }
+        const gatedResponse = buildGatedScanResponse({
+          plan: userPlan,
+          findings: gatedReport.findings,
+          summary: gatedReport.summary,
+          healthScore: gatedReport.summary.healthScore ?? 0,
+          verdict: gatedReport.summary.verdict ?? "REVIEW"
+        });
+        let responseText;
+        if (gatedResponse.gated) {
+          const breakdown = formatFindingSeverityBreakdown(gatedResponse.summary);
+          responseText = [
+            `## Scan Results (Free Tier \u2014 counts only)`,
+            "",
+            `**${gatedResponse.summary.total} issues found** \xB7 ${breakdown}`,
+            `**Health Score**: ${gatedResponse.healthScore}/100 \xB7 **Verdict**: ${gatedResponse.verdict}`,
+            "",
+            `> ${gatedResponse.upgrade?.message}`,
+            `> Upgrade: ${gatedResponse.upgrade?.url}`,
+            "",
+            "```json",
+            JSON.stringify(gatedResponse, null, 2),
+            "```"
+          ].join("\n");
+        } else {
+          responseText = JSON.stringify(gatedReport, null, 2);
+        }
         return {
           content: [
             {
               type: "text",
-              text: JSON.stringify(report, null, 2)
+              text: responseText
             }
           ]
         };
@@ -294694,6 +294911,37 @@ ${validation.errors.join("\n")}`
           ]
         };
       }
+      case "vibecheck_forge":
+      case "vibecheck_reality":
+      case "vibecheck_ship":
+      case "vibecheck_firewall":
+      case "vibecheck_isl":
+      case "vibecheck_docguard":
+      case "vibecheck_commitshield":
+      case "vibecheck_polish":
+      case "vibecheck_truthpack":
+      case "vibecheck_report":
+      case "vibecheck_prompt_pack":
+      case "vibecheck_rules_list":
+      case "vibecheck_explain_file":
+      case "vibecheck_review": {
+        const cmdName = name2.replace("vibecheck_", "");
+        const cliArgs = Object.entries(args2).filter(([k]) => k !== "path").map(([k, v]) => `--${k}="${String(v)}"`).join(" ");
+        const workDir = targetPath || workspaceRoot;
+        try {
+          const { stdout, stderr } = await execAsync(`npx vibecheck ${cmdName} ${cliArgs}`, { cwd: workDir });
+          return {
+            content: [
+              {
+                type: "text",
+                text: stdout || stderr || `Successfully executed ${cmdName}`
+              }
+            ]
+          };
+        } catch (error) {
+          return buildErrorResponse(`CLI Execution Error: ${error.message || error.stdout || error.stderr || String(error)}`);
+        }
+      }
       default:
         return buildErrorResponse(`Unknown tool: ${name2}`);
     }