@vibecheck-ai/mcp 24.6.11 → 25.0.0

package/dist/{chunk-RNFMO5GH.js → chunk-WUHPSW7M.js}

@@ -1,12 +1,12 @@
 import { createRequire } from 'module';
 import { fileURLToPath } from 'url';
-import * as path5__default from 'path';
-import path5__default__default, { dirname } from 'path';
+import * as path6__default from 'path';
+import path6__default__default, { dirname } from 'path';
 import { FrameworkPackEngine } from './chunk-MUP4JXOF.js';
 import { LogicGapEngine } from './chunk-DDTUTWRY.js';
-import { require_typescript, ErrorHandlingEngine } from './chunk-QFDZMUGO.js';
+import { require_typescript, ErrorHandlingEngine } from './chunk-FRK2XZX5.js';
 import { BaseEngine } from './chunk-RR5ETBSV.js';
-import { PhantomDepEngine } from './chunk-G3FQJC2H.js';
+import { PhantomDepEngine } from './chunk-FMRX5OVJ.js';
 import { APITruthEngine } from './chunk-JZSHXEYP.js';
 import { EnvVarEngine } from './chunk-QYXENOVK.js';
 import { GhostRouteEngine } from './chunk-LQSBUKYZ.js';
@@ -14,9 +14,9 @@ import { CredentialsEngine } from './chunk-5DADZJ3D.js';
 import { SecurityEngine } from './chunk-43XAAYST.js';
 import { VersionHallucinationEngine } from './chunk-F34MHA6A.js';
 import { __toESM } from './chunk-YWUMPN4Z.js';
+import * as fs from 'fs/promises';
 import * as fs2 from 'fs';
 import fs2__default, { existsSync } from 'fs';
-import * as fs from 'fs/promises';
 import { setMaxListeners } from 'events';
 import { z } from 'zod';
 
@@ -27,7 +27,7 @@ dirname(__filename$1);
 // ../engines/dist/index.js
 var import_typescript = __toESM(require_typescript(), 1);
 
-// ../subscriptions/dist/chunk-2SHIVAZT.js
+// ../subscriptions/dist/chunk-XDJH35I6.js
 var PLAN_IDS = ["pro", "team", "enterprise"];
 var PLAN_RANK = {
   pro: 0,
@@ -1442,7 +1442,7 @@ Object.fromEntries(
 
 // ../shared-types/dist/entitlements.js
 var ENTITLEMENTS2 = {
-  // === PRO ($19.00/mo) Tier Entitlements ===
+  // === PRO Tier Entitlements ===
   REALITY_MODE: "reality_mode",
   AUTOFIX: "autofix",
   AUTOFIX_APPLY: "autofix_apply",
@@ -1454,7 +1454,7 @@ var ENTITLEMENTS2 = {
   CLOUD_SYNC: "cloud_sync",
   PRIORITY_SUPPORT: "priority_support",
   SHAREABLE_REPORTS: "shareable_reports",
-  // === TEAM ($9.99/mo) Tier Entitlements ===
+  // === TEAM Tier Entitlements ===
   CONTEXT_ENGINE: "context_engine",
   FIREWALL_AGENT: "firewall_agent",
   FIREWALL_ENFORCE: "firewall_enforce",
@@ -1561,6 +1561,46 @@ var TEAM_ENTITLEMENTS = new Set(PRO_ENTITLEMENTS);
   ENTITLEMENTS2.ENTERPRISE_SIGNED_BUNDLES,
   ENTITLEMENTS2.ENTERPRISE_MULTI_REPO
 ]);
+function quotasToPlanLimits(q) {
+  return {
+    findingDetailLimit: q.findingDetailLimit,
+    canAutoFix: q.canAutoFix,
+    canHealPR: q.canHealPR,
+    canModelFingerprint: q.canModelFingerprint,
+    canRealityMode: q.canRealityMode,
+    canISLGenerate: q.canISLGenerate,
+    canCIBlock: q.canCIBlock,
+    scanHistoryDays: q.scanHistoryDays,
+    maxProjects: q.maxProjects,
+    apiRequestsPerDay: q.apiRequestsPerDay,
+    canExportCSV: q.canExportCSV,
+    canSlackIntegration: q.canSlackIntegration,
+    scansPerDay: q.scansPerDay
+  };
+}
+({
+  free: quotasToPlanLimits(getQuotas(null)),
+  pro: quotasToPlanLimits(PLAN_QUOTAS.pro),
+  team: quotasToPlanLimits(PLAN_QUOTAS.team),
+  enterprise: quotasToPlanLimits(PLAN_QUOTAS.enterprise)
+});
+({
+  pro: {
+    name: PLANS.pro.displayName,
+    tagline: PLANS.pro.tagline,
+    price: PLANS.pro.monthlyPriceUsd,
+    priceLabel: PLANS.pro.priceLabel},
+  team: {
+    name: PLANS.team.displayName,
+    tagline: PLANS.team.tagline,
+    price: PLANS.team.monthlyPriceUsd,
+    priceLabel: PLANS.team.priceLabel},
+  enterprise: {
+    name: PLANS.enterprise.displayName,
+    tagline: PLANS.enterprise.tagline,
+    price: PLANS.enterprise.monthlyPriceUsd,
+    priceLabel: PLANS.enterprise.priceLabel}
+});
 
 // ../shared-types/dist/risk-dimensions.js
 var RISK_DIMENSIONS = [
@@ -1994,6 +2034,26 @@ function gateCanonicalScanReportFindings(report, planInput) {
   };
 }
 
+// ../shared-types/dist/billing.js
+function quotasToTierLimits(q) {
+  return {
+    scansPerMonth: q.scansPerMonth === Infinity ? -1 : q.scansPerMonth,
+    projects: q.maxProjects === Infinity ? -1 : q.maxProjects,
+    seats: q.maxSeats === Infinity ? -1 : q.maxSeats,
+    apiCallsPerMinute: Math.ceil(q.apiRequestsPerDay / 1440),
+    retentionDays: q.scanHistoryDays
+  };
+}
+({
+  free: quotasToTierLimits(getQuotas(null)),
+  pro: quotasToTierLimits(PLAN_QUOTAS.pro),
+  team: quotasToTierLimits(PLAN_QUOTAS.team),
+  enterprise: quotasToTierLimits(PLAN_QUOTAS.enterprise)
+});
+({
+  ...PLAN_PRICE_LABELS
+});
+
 // ../shared-types/dist/api-client.js
 var PROOF_RUN_SOURCES = ["cli", "mcp", "extension", "github", "dashboard"];
 new Set(PROOF_RUN_SOURCES);
@@ -2197,9 +2257,11 @@ var TypeContractEngine = class extends BaseEngine {
   async scan(delta, signal) {
     const findings = [];
     const source = delta.fullText;
-    const uri = delta.documentUri.replace(/^file:\/\//, "");
+    const uri = delta.documentUri.replace(/^file:\/\//, "").replace(/\\/g, "/");
     const lines = delta.lines ?? source.split("\n");
-    if (/\.(test|spec)\.(ts|tsx)$/i.test(uri) || /__tests__|__mocks__|fixtures?/i.test(uri)) return findings;
+    if (/\.(test|spec)\.(ts|tsx)$/i.test(uri) || /\.bench\.(ts|tsx)$/i.test(uri) || /__tests__|__mocks__|fixtures?/i.test(uri) || /(?:^|[\\/])(?:bench|benchmarks?)(?:[\\/]|$)/i.test(uri)) {
+      return findings;
+    }
     this.checkAbort(signal);
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i];
@@ -3152,136 +3214,1202 @@ var PerformanceAntipatternEngine = class extends BaseEngine {
     return findings;
   }
 };
-var BreakerState = /* @__PURE__ */ ((BreakerState2) => {
-  BreakerState2[BreakerState2["Closed"] = 0] = "Closed";
-  BreakerState2[BreakerState2["Open"] = 1] = "Open";
-  BreakerState2[BreakerState2["HalfOpen"] = 2] = "HalfOpen";
-  return BreakerState2;
-})(BreakerState || {});
-var CircuitBreaker = class {
-  constructor(_threshold = 5, _cooldownMs = 3e4) {
-    this._threshold = _threshold;
-    this._cooldownMs = _cooldownMs;
+var TRUTHPACK_DIR = ".vibecheck/truthpack";
+async function loadTruthpack(workspaceRoot) {
+  const dir = path6__default.join(workspaceRoot, TRUTHPACK_DIR);
+  try {
+    await fs.access(dir);
+  } catch {
+    return null;
   }
-  _state = 0;
-  _failures = 0;
-  _halfOpenTimer = null;
-  get isOpen() {
-    return this._state === 1;
+  try {
+    const [routesData, envData, integrationsData] = await Promise.all([
+      fs.readFile(path6__default.join(dir, "routes.json"), "utf-8").catch(() => '{"routes":[]}'),
+      fs.readFile(path6__default.join(dir, "env.json"), "utf-8").catch(() => '{"variables":[]}'),
+      fs.readFile(path6__default.join(dir, "integrations.json"), "utf-8").catch(() => '{"integrations":[]}')
+    ]);
+    const routesJson = JSON.parse(routesData);
+    const envJson = JSON.parse(envData);
+    const integrationsJson = JSON.parse(integrationsData);
+    return {
+      routes: routesJson.routes ?? [],
+      env: envJson.variables ?? [],
+      integrations: integrationsJson.integrations ?? []
+    };
+  } catch {
+    return null;
   }
-  get state() {
-    return BreakerState[this._state];
+}
+function extractKnownHostsFromIntegrations(integrations) {
+  const out = /* @__PURE__ */ new Set([
+    "localhost",
+    "127.0.0.1",
+    "0.0.0.0",
+    "::1"
+  ]);
+  const sdkApex = {
+    stripe: "stripe.com",
+    "@octokit/rest": "github.com",
+    "posthog-node": "posthog.com",
+    "posthog-js": "posthog.com",
+    "@sentry/node": "sentry.io",
+    resend: "resend.com",
+    openai: "openai.com",
+    "@anthropic-ai/sdk": "anthropic.com",
+    ioredis: "redis.io",
+    "drizzle-orm": "drizzle.team"
+  };
+  for (const integ of integrations) {
+    if (integ.docsUrl) {
+      const apex = apexFromUrl(integ.docsUrl);
+      if (apex) out.add(apex);
+    }
+    if (integ.sdkPackage && sdkApex[integ.sdkPackage]) {
+      out.add(sdkApex[integ.sdkPackage]);
+    }
   }
-  recordSuccess() {
-    this._failures = 0;
-    this._state = 0;
+  return out;
+}
+function apexFromUrl(url) {
+  try {
+    const u = new URL(url);
+    return apexFromHost(u.hostname);
+  } catch {
+    return null;
   }
-  recordFailure() {
-    this._failures++;
-    if (this._failures >= this._threshold) {
-      this._state = 1;
-      this._scheduleHalfOpen();
-    }
+}
+function apexFromHost(hostname) {
+  const host = hostname.toLowerCase();
+  if (/^[\d.]+$/.test(host) || host.includes(":") || host === "localhost") {
+    return host;
   }
-  tryAllow() {
-    if (this._state === 0) return true;
-    if (this._state === 2) {
-      this._state = 0;
-      return true;
+  const parts = host.split(".");
+  if (parts.length <= 2) return host;
+  return parts.slice(-2).join(".");
+}
+function hostMatchesKnownSet(host, knownHosts) {
+  const lower = host.toLowerCase();
+  if (knownHosts.has(lower)) return true;
+  const apex = apexFromHost(lower);
+  if (knownHosts.has(apex)) return true;
+  for (const known of knownHosts) {
+    if (lower.endsWith(`.${known}`)) return true;
+  }
+  return false;
+}
+var TruthpackEnvIndex = class {
+  _index;
+  constructor(envVars, allowlistEnvVars) {
+    this._index = new Set(envVars.map((v) => v.name));
+    if (Array.isArray(allowlistEnvVars)) {
+      for (const v of allowlistEnvVars) {
+        if (typeof v === "string" && /^[A-Z_][A-Z0-9_]*$/.test(v)) this._index.add(v);
+      }
     }
-    return false;
   }
-  _scheduleHalfOpen() {
-    if (this._halfOpenTimer) clearTimeout(this._halfOpenTimer);
-    this._halfOpenTimer = setTimeout(() => {
-      this._state = 2;
-      this._halfOpenTimer = null;
-    }, this._cooldownMs);
+  get index() {
+    return this._index;
   }
-  dispose() {
-    if (this._halfOpenTimer) clearTimeout(this._halfOpenTimer);
+  has(name) {
+    return this._index.has(name);
   }
 };
-var EngineRegistry = class {
-  _slots = /* @__PURE__ */ new Map();
-  _breakers = /* @__PURE__ */ new Map();
-  _registrationOrder = /* @__PURE__ */ new Map();
-  _nextOrder = 0;
-  _activeCache = null;
-  /**
-   * Register an engine. If an engine with the same ID already exists, it is replaced.
-   */
-  register(engine, options = {}) {
-    const slot = {
-      engine,
-      timeoutMs: options.timeoutMs ?? 200,
-      priority: options.priority ?? 100,
-      enabled: options.enabled ?? true,
-      extensions: options.extensions ?? void 0
-    };
-    this._slots.set(engine.id, slot);
-    this._breakers.set(engine.id, new CircuitBreaker());
-    if (!this._registrationOrder.has(engine.id)) {
-      this._registrationOrder.set(engine.id, this._nextOrder++);
-    }
-    this._activeCache = null;
-  }
-  /**
-   * Deregister an engine by ID. Disposes the engine and its circuit breaker.
-   */
-  deregister(id) {
-    const slot = this._slots.get(id);
-    if (!slot) return false;
-    slot.engine.dispose?.();
-    this._breakers.get(id)?.dispose();
-    this._slots.delete(id);
-    this._breakers.delete(id);
-    this._activeCache = null;
-    return true;
+function compileRoutePattern(routePath) {
+  let isDynamic = false;
+  let isCatchAll = false;
+  let pattern = routePath.replace(/\[\[\.\.\.(\w+)\]\]/g, () => {
+    isDynamic = true;
+    isCatchAll = true;
+    return "(?:\\/.*)?";
+  }).replace(/\[\.\.\.(\w+)\]/g, () => {
+    isDynamic = true;
+    isCatchAll = true;
+    return "\\/.*";
+  }).replace(/\[(\w+)\]/g, () => {
+    isDynamic = true;
+    return "\\/[^/]+";
+  }).replace(/:\w+/g, () => {
+    isDynamic = true;
+    return "\\/[^/]+";
+  });
+  pattern = pattern.replace(/\//g, "\\/").replace(/\\\\\//g, "\\/");
+  return {
+    regex: new RegExp(`^${pattern}$`),
+    isDynamic,
+    isCatchAll
+  };
+}
+function truthpackToRouteIndex(routes, workspaceRoot) {
+  const entries = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const r of routes) {
+    const pathStr = r.path ?? "";
+    if (!pathStr.startsWith("/")) continue;
+    const pattern = pathStr.startsWith("/api") ? pathStr : pathStr;
+    const key = `${pattern}:${r.method ?? "GET"}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    const compiled = compileRoutePattern(pattern);
+    entries.push({
+      pattern,
+      regex: compiled.regex,
+      isDynamic: compiled.isDynamic,
+      isCatchAll: compiled.isCatchAll,
+      filePath: r.file ? path6__default.resolve(workspaceRoot, r.file) : ""
+    });
   }
-  /**
-   * Get a specific engine slot by ID.
-   */
-  get(id) {
-    return this._slots.get(id);
+  return {
+    routes: entries,
+    framework: "truthpack",
+    builtAt: Date.now()
+  };
+}
+function isAIRulesFile(uri) {
+  const path24 = uri.replace(/^file:\/\//, "").toLowerCase();
+  const base = path24.split("/").pop() ?? "";
+  if (base === ".cursorrules") return true;
+  if (/\.cursor\/rules\/.+\.(md|mdc)$/.test(path24)) return true;
+  if (base === "claude.md" || base === ".claude.md") return true;
+  if (/\.claude\/(?:claude\.md|agents\/|commands\/|skills\/|memory\/)/i.test(path24)) return true;
+  if (base === "agents.md") return true;
+  if (base === "gemini.md") return true;
+  if (/\.gemini\/(?!mcp\.json).+\.(md|toml)$/i.test(path24)) return true;
+  if (base === ".windsurfrules" || base === ".codeiumrc") return true;
+  if (/\.github\/copilot-instructions\.md$/.test(path24)) return true;
+  if (base === ".aider.conf.yml" || base === "conventions.md") return true;
+  if (/\.continue\/config\.(json|yaml|yml)$/.test(path24)) return true;
+  if (base === ".clinerules" || base === ".roorules") return true;
+  return false;
+}
+function isMCPConfigFile(uri) {
+  const path24 = uri.replace(/^file:\/\//, "").toLowerCase();
+  const base = path24.split("/").pop() ?? "";
+  if (base === "mcp.json" || base === ".mcp.json") return true;
+  if (base === "claude_desktop_config.json") return true;
+  if (base === "mcp_servers.json") return true;
+  if (/\/\.cursor\/mcp\.json$/.test(path24)) return true;
+  if (/\/\.vscode\/mcp\.json$/.test(path24)) return true;
+  if (/\/\.gemini\/(?:settings|mcp)\.json$/.test(path24)) return true;
+  if (/\/\.mcp\/config\.json$/.test(path24)) return true;
+  return false;
+}
+var INVISIBLE_UNICODE_RE = /[\u200B\u200C\u200D\u2060\uFEFF\u00AD\u200E\u200F]/u;
+var BIDI_OVERRIDE_RE = /[\u202A-\u202E\u2066-\u2069]/u;
+var TAG_CHARS_RE = /[\u{E0000}-\u{E007F}]/u;
+var VARIATION_SELECTORS_RE = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]/u;
+var HOMOGLYPH_LATIN_RE = /[A-Za-z]/;
+var HOMOGLYPH_CYRILLIC_LOOKALIKES_RE = /[\u0430\u0435\u043E\u0440\u0441\u0445\u0443\u0456\u0458\u04CF\u0410\u0412\u0415\u041A\u041C\u041D\u041E\u0420\u0421\u0422\u0425]/;
+var HOMOGLYPH_GREEK_LOOKALIKES_RE = /[\u03BF\u03B1\u03BD\u03C5\u03C7\u03C9\u0391\u0392\u0395\u0397\u0399\u039A\u039C\u039D\u039F\u03A1\u03A4\u03A5\u03A7]/;
+var INSTRUCTION_OVERRIDE_RE = /\b(?:ignore|disregard|forget|override|bypass|skip)\s+(?:all\s+)?(?:the\s+)?(?:previous|prior|above|earlier|original|preceding)\s+(?:instructions?|rules?|prompts?|context|guidelines?|directives?|constraints?)\b/i;
+var ROLE_REASSIGNMENT_RE = /\b(?:you\s+are\s+now|act\s+as|pretend\s+to\s+be|assume\s+the\s+role(?:\s+of)?|from\s+now\s+on\s+you|you'?re\s+(?:no\s+longer|not)\s+claude|you\s+have\s+no\s+restrictions)\b/i;
+var AI_COMMENT_HIJACK_RE = /(?:\/\/|\/\*|#|<!--|;)\s*(?:AI|assistant|copilot|cursor|claude|gpt|codex|gemini|windsurf|aider|cline)\s*[:\s]?\s*(?:ignore|override|instead|actually|disregard|don'?t|skip|bypass)/i;
+var BASE64_PAYLOAD_RE = /(?:base64|atob|decode|b64decode|fromBase64)\s*\(|(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{60,}={0,2})(?![A-Za-z0-9+/])/;
+var HIDDEN_CONTENT_BLOCK_RE = /<!--[\s\S]{40,}?-->|<(?:div|span|p|section)[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0|height\s*:\s*0|font-size\s*:\s*0|color\s*:\s*(?:white|#fff|transparent))[^>]*>/i;
+var SYSTEM_PROMPT_EXTRACTION_RE = /\b(?:print|reveal|repeat|show|output|expose|leak|reproduce|tell\s+me)\s+(?:your\s+)?(?:system\s+prompt|initial\s+instructions?|original\s+prompt|hidden\s+rules?|internal\s+(?:prompt|context)|developer\s+mode\s+settings)\b/i;
+var JAILBREAK_TOKEN_RE = /\b(?:DAN(?:\s+mode)?|developer\s+mode\s+enabled|do\s+anything\s+now|STAN\s+mode|jailbreak\s+(?:mode|prompt)|unfiltered\s+mode|sudo\s+mode)\b/i;
+var EXFIL_INTENT_RE = /\b(?:send|post|upload|transmit|forward|exfiltrate|leak|deliver|push)\b[\s\S]{0,40}?\b(?:code|context|secrets?|env(?:ironment)?|credentials?|tokens?|api[_\s-]?keys?|source|files?|contents?|data|history|conversation)\b/i;
+var EXTERNAL_URL_RE = /\bhttps?:\/\/(?!(?:localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1?\]|example\.com|github\.com\/[^/]+\/[^/]+(?:#|$|\s)))[\w.-]+(?:\.[a-z]{2,}|:\d+)/i;
+var WEBHOOK_VERB_RE = /\b(?:webhook|callback|fetch|request|curl|wget|http\.(?:get|post)|axios|XMLHttpRequest|navigator\.sendBeacon)\b/i;
+var TOOL_POISONING_RE = /\b(?:ALWAYS|MUST|REQUIRED|CRITICAL|IMPORTANT)\s+(?:use|call|invoke|run|execute|prefer)\s+this\s+tool|\b(?:before|prior\s+to)\s+(?:any|every|all)\s+(?:other|response|reply)|ignore\s+(?:previous|other)\s+tools?|do\s+not\s+(?:tell|inform)\s+the\s+user/i;
+var NPX_AUTO_YES_RE = /\b(?:npx|bunx|pnpx|pnpm\s+dlx|deno\s+run\s+--allow[^\s]*)\s+(?:-y|--yes|-Y)\b/i;
+var HTTP_NOT_HTTPS_RE = /["'`]http:\/\/(?!localhost|127\.0\.0\.1|\[::1?\]|0\.0\.0\.0)/i;
+var UNVERIFIED_GIT_URL_RE = /^git\+(?:https?|ssh):\/\/(?!.*#[a-f0-9]{7,40})/i;
+var DENO_BROAD_PERMS_RE = /--allow-all|--allow-net(?!=)|--allow-read(?!=)|--allow-write(?!=)|--allow-run(?!=)|--allow-env(?!=)|-A\b/;
+var PLAINTEXT_SECRET_VALUE_RE = /(?:sk-(?:live|test|proj|ant|or)[_-]|ghp_|gho_|ghu_|ghs_|github_pat_|xox[abprs]-|AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{35})/;
+function parseMCPDocument(content) {
+  try {
+    return JSON.parse(content);
+  } catch {
+    return null;
   }
-  /**
-   * Get the circuit breaker for an engine.
-   */
-  getBreaker(id) {
-    return this._breakers.get(id);
+}
+function listMCPServers(doc) {
+  const out = [];
+  const collect = (root) => {
+    const block = doc[root];
+    if (!block || typeof block !== "object") return;
+    for (const [name, entry] of Object.entries(block)) {
+      if (entry && typeof entry === "object") {
+        out.push({ name, entry, pointer: `${root}.${name}` });
+      }
+    }
+  };
+  collect("mcpServers");
+  collect("servers");
+  return out;
+}
+function findLineNumber(source, needle) {
+  const idx = source.indexOf(needle);
+  if (idx === -1) return 1;
+  let line = 1;
+  for (let i = 0; i < idx; i++) {
+    if (source.charCodeAt(i) === 10) line++;
   }
-  /**
-   * Get all enabled engine slots, sorted by priority (ascending), then registration order.
-   */
-  getActive() {
-    if (this._activeCache) return this._activeCache;
-    this._activeCache = [...this._slots.values()].filter((s) => s.enabled !== false).sort((a, b) => {
-      if (a.priority !== b.priority) return a.priority - b.priority;
-      return (this._registrationOrder.get(a.engine.id) ?? 0) - (this._registrationOrder.get(b.engine.id) ?? 0);
-    });
-    return this._activeCache;
+  return line;
+}
+function arrayContainsWildcard(value) {
+  if (!Array.isArray(value)) return false;
+  return value.some((v) => typeof v === "string" && (v === "*" || v.trim() === "*"));
+}
+function objectHasWildcardKey(value) {
+  if (!value || typeof value !== "object") return false;
+  for (const [k, v] of Object.entries(value)) {
+    if (k === "*") return true;
+    if (typeof v === "string" && (v === "*" || v === "all")) return true;
+    if (Array.isArray(v) && arrayContainsWildcard(v)) return true;
   }
+  return false;
+}
+function isAuthDisabled(entry) {
+  const checkVal = (v) => {
+    if (v === false) return true;
+    if (typeof v === "string") {
+      const s = v.toLowerCase();
+      return s === "none" || s === "disabled" || s === "off" || s === "false";
+    }
+    if (v && typeof v === "object") {
+      const obj = v;
+      if (obj.required === false) return true;
+      if (obj.enabled === false) return true;
+      if (typeof obj.type === "string" && obj.type.toLowerCase() === "none") return true;
+    }
+    return false;
+  };
+  return checkVal(entry.auth) || checkVal(entry.authentication);
+}
+var SEVERITY_LADDER = ["info", "low", "medium", "high", "critical"];
+var AIRulesAttackEngine = class extends BaseEngine {
+  id = "ai-rules-attack";
+  name = "AI Rules File & MCP Attack Engine";
+  version = "1.0.0";
   /**
-   * Get all registered engine slots (including disabled).
+   * `null` means "any extension". Rules files (`.cursorrules`, `.clinerules`,
+   * `.windsurfrules`) have no extension, so we cannot use a Set here. The
+   * scan() function does its own path-based gating in <1µs.
    */
-  getAll() {
-    return [...this._slots.values()];
+  supportedExtensions = null;
+  _knownHosts;
+  _hasTruthpack;
+  constructor(opts = {}) {
+    super();
+    this._knownHosts = opts.knownHosts ?? /* @__PURE__ */ new Set();
+    this._hasTruthpack = (opts.knownHosts?.size ?? 0) > 0;
   }
-  /**
-   * Enable or disable an engine by ID.
-   */
-  setEnabled(id, enabled) {
-    const slot = this._slots.get(id);
-    if (!slot) return false;
-    slot.enabled = enabled;
-    this._activeCache = null;
-    return true;
+  async scan(delta, signal) {
+    const uri = delta.documentUri;
+    const isRules = isAIRulesFile(uri);
+    const isMCP = isMCPConfigFile(uri);
+    if (!isRules && !isMCP) return [];
+    this.checkAbort(signal);
+    const source = delta.fullText;
+    const cleanUri = uri.replace(/^file:\/\//, "");
+    const pending = [];
+    if (isRules) {
+      this._checkRulesFile(source, pending);
+    }
+    if (isMCP) {
+      this._checkMCPConfig(source, pending);
+      this._checkRulesFile(source, pending);
+    }
+    if (pending.length === 0) return [];
+    this._applyCoOccurrenceBoost(pending);
+    return pending.map(
+      (p) => this.createFinding({
+        id: this.deterministicId(cleanUri, p.line, p.column, p.ruleId, p.evidence.slice(0, 32)),
+        ruleId: p.ruleId,
+        category: "ai_rules_attack",
+        message: p.message,
+        severity: p.severity,
+        confidence: p.confidence,
+        file: cleanUri,
+        line: p.line,
+        column: p.column,
+        evidence: p.evidence,
+        suggestion: p.suggestion,
+        autoFixable: p.autoFixable
+      })
+    );
   }
-  /**
-   * Activate all registered engines. Call once at startup.
-   */
-  async activateAll(onError) {
+  // ─── Rules-file checks ──────────────────────────────────────────────────
+  _checkRulesFile(source, out) {
+    const lines = source.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const raw = lines[i];
+      const line = i + 1;
+      if (INVISIBLE_UNICODE_RE.test(raw)) {
+        out.push({
+          ruleId: "AIRA001",
+          category: "unicode",
+          severity: "critical",
+          confidence: 0.95,
+          message: "Invisible Unicode character in rules file \u2014 may conceal hidden instructions [CWE-1007]",
+          evidence: this._safeEvidence(raw),
+          suggestion: "Strip zero-width and bidi-related characters from this file. Use a hex-aware editor to verify.",
+          line,
+          column: raw.search(INVISIBLE_UNICODE_RE),
+          autoFixable: true
+        });
+      }
+      if (BIDI_OVERRIDE_RE.test(raw)) {
+        out.push({
+          ruleId: "AIRA002",
+          category: "unicode",
+          severity: "critical",
+          confidence: 0.98,
+          message: "Bidirectional text override in rules file (Trojan Source variant) [CVE-2021-42574]",
+          evidence: this._safeEvidence(raw),
+          suggestion: "Remove all bidi control characters (LRO/RLO/LRE/RLE/PDF/LRI/RLI/FSI/PDI). These flip the visual order of text and are almost never legitimate in agent rules.",
+          line,
+          column: raw.search(BIDI_OVERRIDE_RE),
+          autoFixable: true
+        });
+      }
+      if (TAG_CHARS_RE.test(raw)) {
+        out.push({
+          ruleId: "AIRA003",
+          category: "unicode",
+          severity: "critical",
+          confidence: 0.99,
+          message: "Unicode tag characters detected \u2014 invisible ASCII payload encoding (Goodside-class attack)",
+          evidence: this._safeEvidence(raw),
+          suggestion: "Tag characters (U+E0000\u2013U+E007F) encode hidden ASCII text invisibly. Strip them entirely.",
+          line,
+          column: 0,
+          autoFixable: true
+        });
+      }
+      if (VARIATION_SELECTORS_RE.test(raw) && raw.length > 10) {
+        out.push({
+          ruleId: "AIRA004",
+          category: "unicode",
+          severity: "high",
+          confidence: 0.7,
+          message: "Variation selectors in rules file \u2014 may mask invisible payload",
+          evidence: this._safeEvidence(raw),
+          suggestion: "Variation selectors are rarely needed in agent instructions. Verify each one is legitimate (e.g., emoji styling) and strip the rest.",
+          line,
+          column: 0,
+          autoFixable: false
+        });
+      }
+      if (this._hasHomoglyphMix(raw)) {
+        out.push({
+          ruleId: "AIRA005",
+          category: "unicode",
+          severity: "high",
+          confidence: 0.85,
+          message: "Homoglyph mixing \u2014 Cyrillic or Greek letters used inside Latin words to spoof tokens",
+          evidence: this._safeEvidence(raw),
+          suggestion: "Words mixing Latin with Cyrillic/Greek lookalikes can spoof package names, auth headers, or commands. Replace non-Latin lookalikes with their ASCII equivalents.",
+          line,
+          column: 0,
+          autoFixable: false
+        });
+      }
+      if (INSTRUCTION_OVERRIDE_RE.test(raw)) {
+        out.push({
+          ruleId: "AIRA006",
+          category: "prompt_injection",
+          severity: "critical",
+          confidence: 0.9,
+          message: "Instruction-override pattern in rules file [CVE-2025-54135, OWASP LLM01]",
+          evidence: raw.trim().slice(0, 80),
+          suggestion: "Remove this instruction. Rules files should describe the project \u2014 they should never tell the AI to ignore prior context.",
+          line,
+          column: raw.search(INSTRUCTION_OVERRIDE_RE),
+          autoFixable: false
+        });
+      }
+      if (ROLE_REASSIGNMENT_RE.test(raw)) {
+        out.push({
+          ruleId: "AIRA007",
+          category: "prompt_injection",
+          severity: "critical",
+          confidence: 0.85,
+          message: "Role-reassignment pattern in rules file [OWASP LLM01]",
+          evidence: raw.trim().slice(0, 80),
+          suggestion: "Rules files should not redefine the assistant's identity. Remove or rewrite this directive.",
+          line,
+          column: raw.search(ROLE_REASSIGNMENT_RE),
+          autoFixable: false
+        });
+      }
+      if (AI_COMMENT_HIJACK_RE.test(raw)) {
+        out.push({
+          ruleId: "AIRA008",
+          category: "prompt_injection",
+          severity: "high",
+          confidence: 0.8,
+          message: "AI-targeted comment with override directive \u2014 hijack attempt",
+          evidence: raw.trim().slice(0, 80),
+          suggestion: 'Comments addressed to AI assistants that contain "ignore"/"override"/"actually" are an attack vector. Remove or rewrite.',
+          line,
+          column: raw.search(AI_COMMENT_HIJACK_RE),
+          autoFixable: false
+        });
+      }
+      if (HIDDEN_CONTENT_BLOCK_RE.test(raw)) {
+        out.push({
+          ruleId: "AIRA010",
+          category: "prompt_injection",
+          severity: "high",
+          confidence: 0.85,
+          message: "Hidden content block \u2014 may conceal instructions from human reviewer",
+          evidence: raw.trim().slice(0, 80),
+          suggestion: "Visually hidden HTML / large MD comment blocks are a known prompt-injection vector. Remove or expose the content.",
+          line,
+          column: raw.search(HIDDEN_CONTENT_BLOCK_RE),
+          autoFixable: false
+        });
+      }
+      if (SYSTEM_PROMPT_EXTRACTION_RE.test(raw)) {
+        out.push({
+          ruleId: "AIRA011",
+          category: "prompt_injection",
+          severity: "high",
+          confidence: 0.85,
+          message: "System-prompt extraction attempt in rules file [OWASP LLM07: System Prompt Leakage]",
+          evidence: raw.trim().slice(0, 80),
+          suggestion: "Rules files should never instruct the assistant to reveal its system prompt. Remove this directive.",
+          line,
+          column: raw.search(SYSTEM_PROMPT_EXTRACTION_RE),
+          autoFixable: false
+        });
+      }
+      if (JAILBREAK_TOKEN_RE.test(raw)) {
+        out.push({
+          ruleId: "AIRA012",
+          category: "prompt_injection",
+          severity: "critical",
+          confidence: 0.95,
+          message: "Jailbreak / persona-override token in rules file",
+          evidence: raw.trim().slice(0, 80),
+          suggestion: 'Tokens like "DAN", "developer mode", "do anything now" are well-known jailbreak markers. Remove this content.',
+          line,
+          column: raw.search(JAILBREAK_TOKEN_RE),
+          autoFixable: false
+        });
+      }
+      if (EXFIL_INTENT_RE.test(raw)) {
+        out.push({
+          ruleId: "AIRA013",
+          category: "exfiltration",
+          severity: "critical",
+          confidence: 0.85,
+          message: "Data-exfiltration directive in rules file [CVE-2025-55284, OWASP LLM02]",
+          evidence: raw.trim().slice(0, 80),
+          suggestion: "Rules files should never instruct the assistant to send code/secrets/context to external endpoints. Remove this directive.",
+          line,
+          column: raw.search(EXFIL_INTENT_RE),
+          autoFixable: false
+        });
+      }
+      if (EXTERNAL_URL_RE.test(raw) && WEBHOOK_VERB_RE.test(raw)) {
+        const urlMatch = raw.match(/https?:\/\/[\w.-]+(?::\d+)?/);
+        const host = urlMatch ? this._extractHost(urlMatch[0]) : null;
+        const isKnown = host && hostMatchesKnownSet(host, this._knownHosts);
+        if (!isKnown) {
+          const elevated = this._hasTruthpack;
+          out.push({
+            ruleId: "AIRA014",
+            category: "exfiltration",
+            severity: elevated ? "critical" : "high",
+            confidence: elevated ? 0.99 : 0.8,
+            message: elevated ? `External webhook / fetch URL to UNKNOWN host '${host ?? "?"}' (not in truthpack/integrations.json)` : "External webhook / fetch URL in rules file",
+            evidence: raw.trim().slice(0, 80),
+            suggestion: elevated ? `Host '${host ?? "?"}' is not a known integration for this project. If this is legitimate, add it to integrations.json and rerun \`vibecheck scan\`. Otherwise remove it.` : "Rules files should describe the project, not invoke external endpoints. Verify this URL is necessary; if so, document why.",
+            line,
+            column: raw.search(EXTERNAL_URL_RE),
+            autoFixable: false
+          });
+        }
+      }
+    }
+    if (BASE64_PAYLOAD_RE.test(source)) {
+      const m = BASE64_PAYLOAD_RE.exec(source);
+      const evidence = m ? m[0].slice(0, 60) : "[base64 blob]";
+      out.push({
+        ruleId: "AIRA009",
+        category: "prompt_injection",
+        severity: "high",
+        confidence: 0.7,
+        message: "Base64-encoded payload or decoder call in rules file",
+        evidence,
+        suggestion: "Encoded payloads in rules files are an obfuscation vector. Decode the content and inline it in plaintext, or remove it.",
+        line: findLineNumber(source, m?.[0] ?? ""),
+        column: 0,
+        autoFixable: false
+      });
+    }
+  }
+  // ─── MCP-config checks ──────────────────────────────────────────────────
+  _checkMCPConfig(source, out) {
+    const doc = parseMCPDocument(source);
+    if (!doc) return;
+    const servers = listMCPServers(doc);
+    for (const { name, entry } of servers) {
+      if (arrayContainsWildcard(entry.tools)) {
+        out.push({
+          ruleId: "AIRA016",
+          category: "mcp_misconfig",
+          severity: "critical",
+          confidence: 0.99,
+          message: `MCP server '${name}' exposes wildcard tool permissions ("*") [CWE-269; CVE-2025-54135]`,
+          evidence: `tools: ["*"]`,
+          suggestion: 'Replace "*" with an explicit tool allowlist, e.g. tools: ["read_file", "search"].',
+          line: findLineNumber(source, `"${name}"`),
+          column: 0,
+          autoFixable: false
+        });
+      }
+      const remoteUrl = typeof entry.url === "string" ? entry.url : void 0;
+      if (remoteUrl && /^https?:\/\//i.test(remoteUrl)) {
+        const host = this._extractHost(remoteUrl);
+        const isKnown = host && hostMatchesKnownSet(host, this._knownHosts);
+        const elevated = this._hasTruthpack && !isKnown;
+        const downgraded = isKnown;
+        out.push({
+          ruleId: "AIRA017",
+          category: "mcp_misconfig",
+          severity: elevated ? "critical" : downgraded ? "low" : "high",
+          confidence: elevated ? 0.99 : downgraded ? 0.5 : 0.9,
+          message: elevated ? `MCP server '${name}' connects to UNKNOWN host '${host ?? "?"}' (not in truthpack/integrations.json) [CWE-829]` : downgraded ? `MCP server '${name}' connects to known integration '${host ?? "?"}' (informational)` : `MCP server '${name}' connects to a remote endpoint [CWE-829]`,
+          evidence: remoteUrl.slice(0, 80),
+          suggestion: elevated ? `Host '${host ?? "?"}' is not in your project's integrations. Confirm this is intentional; if legitimate, add it to truthpack/integrations.json.` : "Verify the remote MCP server is from a trusted operator. Prefer local stdio servers when possible.",
+          line: findLineNumber(source, remoteUrl),
+          column: 0,
+          autoFixable: false
+        });
+        if (HTTP_NOT_HTTPS_RE.test(`"${remoteUrl}"`)) {
+          out.push({
+            ruleId: "AIRA024",
+            category: "mcp_misconfig",
+            severity: "critical",
+            confidence: 0.99,
+            message: `MCP server '${name}' uses unencrypted HTTP \u2014 MITM exposure`,
+            evidence: remoteUrl.slice(0, 80),
+            suggestion: "Use https:// for remote MCP servers. Reject any operator that requires plaintext HTTP.",
+            line: findLineNumber(source, remoteUrl),
+            column: 0,
+            autoFixable: false
+          });
+        }
+      }
+      if (Array.isArray(entry.args)) {
+        for (const arg of entry.args) {
+          if (typeof arg === "string" && DENO_BROAD_PERMS_RE.test(arg)) {
+            out.push({
+              ruleId: "AIRA018",
+              category: "mcp_misconfig",
+              severity: "high",
+              confidence: 0.95,
+              message: `MCP server '${name}' uses overly permissive Deno args (${arg}) [CWE-732]`,
+              evidence: arg,
+              suggestion: "Replace --allow-all / -A with scoped permissions like --allow-read=/specific/path or --allow-net=api.example.com.",
+              line: findLineNumber(source, arg),
+              column: 0,
+              autoFixable: false
+            });
+          }
+        }
+      }
+      if (entry.env && typeof entry.env === "object") {
+        for (const [k, v] of Object.entries(entry.env)) {
+          if (typeof v !== "string") continue;
+          if (/^\$\{?[A-Z_][A-Z0-9_]*\}?$/.test(v)) continue;
+          if (PLAINTEXT_SECRET_VALUE_RE.test(v) || k.match(/key|secret|token|password/i) && v.length > 12 && !/^\$/.test(v)) {
+            out.push({
+              ruleId: "AIRA019",
+              category: "mcp_misconfig",
+              severity: "critical",
+              confidence: 0.95,
+              message: `MCP server '${name}' exposes a plaintext secret in env (${k}) [CWE-798]`,
+              evidence: `${k}=[REDACTED]`,
+              suggestion: `Reference the secret indirectly: env: { ${k}: "\${${k}}" } and set ${k} in your shell environment or OS keychain.`,
+              line: findLineNumber(source, `"${k}"`),
+              column: 0,
+              autoFixable: false
+            });
+          }
+        }
+      }
+      if (isAuthDisabled(entry)) {
+        out.push({
+          ruleId: "AIRA020",
+          category: "mcp_misconfig",
+          severity: "high",
+          confidence: 0.9,
+          message: `MCP server '${name}' has authentication explicitly disabled [CWE-306]`,
+          evidence: `auth: disabled`,
+          suggestion: "Enable MCP server authentication. If the server cannot authenticate, do not expose it.",
+          line: findLineNumber(source, `"${name}"`),
+          column: 0,
+          autoFixable: false
+        });
+      }
+      if (objectHasWildcardKey(entry.permissions)) {
+        out.push({
+          ruleId: "AIRA021",
+          category: "mcp_misconfig",
+          severity: "critical",
+          confidence: 0.95,
+          message: `MCP server '${name}' has wildcard permissions [CWE-250]`,
+          evidence: `permissions: { "*": ... }`,
+          suggestion: "Replace wildcard with a scoped permission map.",
+          line: findLineNumber(source, `"${name}"`),
+          column: 0,
+          autoFixable: false
+        });
+      }
+      if (objectHasWildcardKey(entry.network) || typeof entry.network === "string" && entry.network === "*") {
+        out.push({
+          ruleId: "AIRA022",
+          category: "mcp_misconfig",
+          severity: "high",
+          confidence: 0.9,
+          message: `MCP server '${name}' allows unrestricted network access [CWE-284]`,
+          evidence: `network: *`,
+          suggestion: 'Restrict network: { allow: ["specific-host.example.com"] }.',
+          line: findLineNumber(source, `"${name}"`),
+          column: 0,
+          autoFixable: false
+        });
+      }
+      if (typeof entry.command === "string" && NPX_AUTO_YES_RE.test(entry.command)) {
+        out.push({
+          ruleId: "AIRA023",
+          category: "mcp_misconfig",
+          severity: "high",
+          confidence: 0.95,
+          message: `MCP server '${name}' auto-confirms package install (npx -y / equivalent)`,
+          evidence: entry.command.slice(0, 80),
+          suggestion: "Pin the package + version (e.g. npx --package=@org/pkg@1.2.3) and remove -y. Consider installing as a dev dep instead.",
+          line: findLineNumber(source, entry.command),
+          column: 0,
+          autoFixable: false
+        });
+      }
+      if (Array.isArray(entry.args) && entry.args.some((a) => typeof a === "string" && /^-y$|^--yes$/.test(a))) {
+        const cmd = typeof entry.command === "string" ? entry.command : "";
+        if (!NPX_AUTO_YES_RE.test(cmd)) {
+          out.push({
+            ruleId: "AIRA023",
+            category: "mcp_misconfig",
+            severity: "high",
+            confidence: 0.9,
+            message: `MCP server '${name}' passes -y / --yes \u2014 auto-confirms package install`,
+            evidence: `args: ["-y", ...]`,
+            suggestion: "Remove -y. Pin the package version explicitly.",
+            line: findLineNumber(source, `"${name}"`),
+            column: 0,
+            autoFixable: false
+          });
+        }
+      }
+      if (typeof entry.command === "string" && UNVERIFIED_GIT_URL_RE.test(entry.command)) {
+        out.push({
+          ruleId: "AIRA025",
+          category: "mcp_misconfig",
+          severity: "high",
+          confidence: 0.9,
+          message: `MCP server '${name}' installs from a Git URL with no commit pin`,
+          evidence: entry.command.slice(0, 80),
+          suggestion: "Pin to a specific commit: git+https://...#<full-sha>. A branch ref alone can change under you.",
+          line: findLineNumber(source, entry.command),
+          column: 0,
+          autoFixable: false
+        });
+      }
+      const desc = entry.description ?? entry.description_for_model;
+      if (typeof desc === "string" && TOOL_POISONING_RE.test(desc)) {
+        out.push({
+          ruleId: "AIRA015",
+          category: "tool_poisoning",
+          severity: "critical",
+          confidence: 0.9,
+          message: `MCP server '${name}' description contains tool-poisoning directives`,
+          evidence: desc.slice(0, 80),
+          suggestion: "Tool descriptions should describe what the tool does, not instruct the LLM to always call it or hide info from the user. Rewrite as a neutral description.",
+          line: findLineNumber(source, `"${name}"`),
+          column: 0,
+          autoFixable: false
+        });
+      }
+    }
+    if (Array.isArray(doc.tools)) {
+      for (const tool of doc.tools) {
+        if (tool && typeof tool.description === "string" && TOOL_POISONING_RE.test(tool.description)) {
+          out.push({
+            ruleId: "AIRA015",
+            category: "tool_poisoning",
+            severity: "critical",
+            confidence: 0.9,
+            message: `Tool '${tool.name ?? "?"}' description contains tool-poisoning directives`,
+            evidence: tool.description.slice(0, 80),
+            suggestion: 'Rewrite tool descriptions as neutral capability statements. Remove "ALWAYS"/"MUST"/"hide from user" directives.',
+            line: findLineNumber(source, tool.description),
+            column: 0,
+            autoFixable: false
+          });
+        }
+      }
+    }
+  }
+  // ─── Helpers ────────────────────────────────────────────────────────────
+  _hasHomoglyphMix(text) {
+    if (!HOMOGLYPH_LATIN_RE.test(text)) return false;
+    if (!HOMOGLYPH_CYRILLIC_LOOKALIKES_RE.test(text) && !HOMOGLYPH_GREEK_LOOKALIKES_RE.test(text)) {
+      return false;
+    }
+    for (const word of text.split(/\s+/)) {
+      if (word.length >= 3 && HOMOGLYPH_LATIN_RE.test(word) && (HOMOGLYPH_CYRILLIC_LOOKALIKES_RE.test(word) || HOMOGLYPH_GREEK_LOOKALIKES_RE.test(word))) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Extract the lowercased hostname from a URL substring. Returns null if the
+   * URL is malformed. Tolerant of trailing punctuation/quotes.
+   */
+  _extractHost(url) {
+    const cleaned = url.replace(/["'`,;).\]]+$/, "");
+    try {
+      return new URL(cleaned).hostname.toLowerCase();
+    } catch {
+      const m = cleaned.match(/^https?:\/\/([\w.-]+)/i);
+      return m ? m[1].toLowerCase() : null;
+    }
+  }
+  /**
+   * Render evidence safely — strip the offending char so log/UI consumers
+   * don't accidentally re-trigger downstream Unicode bugs. Cap at 80 chars.
+   */
+  _safeEvidence(line) {
+    return line.replace(INVISIBLE_UNICODE_RE, "\xB7").replace(BIDI_OVERRIDE_RE, "\xB7").replace(TAG_CHARS_RE, "\xB7").trim().slice(0, 80);
+  }
+  /**
+   * Co-occurrence boost — when 3+ distinct attack categories fire in the
+   * same file, every finding's severity advances one rung and confidence
+   * floors at 0.99. Empirical signal: an attack file usually triggers
+   * multiple categories at once; benign noise rarely does.
+   */
+  _applyCoOccurrenceBoost(findings) {
+    const categories = new Set(findings.map((f) => f.category));
+    if (categories.size < 3) return;
+    for (const f of findings) {
+      const idx = SEVERITY_LADDER.indexOf(f.severity);
+      if (idx >= 0 && idx < SEVERITY_LADDER.length - 1) {
+        f.severity = SEVERITY_LADDER[idx + 1];
+      }
+      f.confidence = Math.max(f.confidence, 0.99);
+      f.message = `${f.message} [BOOSTED: ${categories.size}-category co-occurrence]`;
+    }
+  }
+};
+var TEST_FILE_RE = /(?:\.(?:test|spec)\.(?:t|j)sx?$)|(?:^|\/)(?:__tests__|tests?|e2e|spec|cypress|playwright)\//i;
+var STORY_FILE_RE = /\.stories\.(?:ts|tsx|js|jsx|mdx)$/i;
+var EXPECT_CALL_RE = /\bexpect\s*\(/g;
+var IT_CALL_RE = /\b(?:it|test)\s*\(/g;
+var DESCRIBE_CALL_RE = /\bdescribe\s*\(/g;
+var SKIPPED_TEST_RE = /\b(?:it|test|describe)\.(?:skip|todo)\s*\(|\b(?:xit|xtest|xdescribe)\s*\(/g;
+var MOCK_CALL_RE = /\b(?:vi|jest)\.(?:mock|spyOn|fn)\s*\(|\b(?:mock|spyOn|stub|sinon\.(?:stub|spy|mock))\s*\(/g;
+var TAUTOLOGICAL_ASSERTIONS = [
+  /expect\s*\(\s*true\s*\)\s*\.toBe\s*\(\s*true\s*\)/i,
+  /expect\s*\(\s*false\s*\)\s*\.toBe\s*\(\s*false\s*\)/i,
+  /expect\s*\(\s*1\s*\)\s*\.toBe\s*\(\s*1\s*\)/i,
+  /expect\s*\(\s*['"]?\s*['"]?\s*\)\s*\.toBe\s*\(\s*['"]?\s*['"]?\s*\)/i,
+  /expect\s*\(\s*null\s*\)\s*\.toBe\s*\(\s*null\s*\)/i,
+  /expect\s*\(\s*undefined\s*\)\s*\.toBe\s*\(\s*undefined\s*\)/i,
+  // expect(x).toBe(x) — backreference requires the variable to be captured.
+  /expect\s*\(\s*([A-Za-z_$][\w$]*)\s*\)\s*\.toBe\s*\(\s*\1\s*\)/i,
+  /expect\s*\(\s*([A-Za-z_$][\w$]*)\s*\)\s*\.toEqual\s*\(\s*\1\s*\)/i,
+  /expect\s*\(\s*typeof\s+[\w$.]+\s*\)\s*\.toBe\s*\(\s*['"](?:string|number|boolean|object|function|undefined)['"]\s*\)/i
+];
+function extractTestBlocks(source) {
+  const blocks = [];
+  const re = /\b(?:it|test)\s*\(\s*['"`]([^'"`]+)['"`]\s*,\s*(?:async\s*)?\([^)]*\)\s*=>\s*\{/g;
+  let m;
+  while ((m = re.exec(source)) !== null) {
+    const name = m[1] ?? "";
+    const startIdx = m.index + m[0].length;
+    const startLine = lineOf(source, m.index);
+    let depth = 1;
+    let i = startIdx;
+    let inStr = null;
+    let inTpl = false;
+    while (i < source.length && depth > 0) {
+      const c2 = source[i];
+      if (inStr) {
+        if (c2 === "\\") {
+          i += 2;
+          continue;
+        }
+        if (c2 === inStr) inStr = null;
+      } else if (inTpl) {
+        if (c2 === "\\") {
+          i += 2;
+          continue;
+        }
+        if (c2 === "`") inTpl = false;
+      } else {
+        if (c2 === '"' || c2 === "'") inStr = c2;
+        else if (c2 === "`") inTpl = true;
+        else if (c2 === "{") depth++;
+        else if (c2 === "}") depth--;
+      }
+      i++;
+    }
+    const endLine = lineOf(source, i);
+    blocks.push({
+      startLine,
+      endLine,
+      name,
+      body: source.slice(startIdx, i)
+    });
+  }
+  return blocks;
+}
+function lineOf(source, index) {
+  let line = 1;
+  for (let i = 0; i < index && i < source.length; i++) {
+    if (source.charCodeAt(i) === 10) line++;
+  }
+  return line;
+}
+function countMatches(source, re) {
+  const r = new RegExp(re.source, re.flags);
+  let count = 0;
+  while (r.exec(source) !== null) count++;
+  return count;
+}
+var TestQualityEngine = class extends BaseEngine {
+  id = "test-quality";
+  name = "Test Quality Engine";
+  version = "1.0.0";
+  supportedExtensions = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mts", ".cts"]);
+  async scan(delta, signal) {
+    const uri = delta.documentUri;
+    const cleanUri = uri.replace(/^file:\/\//, "");
+    if (!TEST_FILE_RE.test(cleanUri)) return [];
+    if (STORY_FILE_RE.test(cleanUri)) return [];
+    if (/\/tests?\/(?:setup|helpers?|utils?|fixtures?)[^/]*$/i.test(cleanUri)) return [];
+    this.checkAbort(signal);
+    const source = delta.fullText;
+    const lines = source.split("\n");
+    const pending = [];
+    const expectCount = countMatches(source, EXPECT_CALL_RE);
+    const itCount = countMatches(source, IT_CALL_RE);
+    const describeCount = countMatches(source, DESCRIBE_CALL_RE);
+    const mockCount = countMatches(source, MOCK_CALL_RE);
+    if ((itCount > 0 || describeCount > 0) && expectCount === 0) {
+      const usesAssert = /\bassert\s*\(|\bassert\.(?:ok|equal|deepEqual|strictEqual)/i.test(source);
+      const usesChai = /\.\s*should\b|\bexpect\s*\([^)]+\)\s*\.\s*to\b/i.test(source);
+      if (!usesAssert && !usesChai) {
+        pending.push({
+          ruleId: "TQ001",
+          severity: "high",
+          confidence: 0.9,
+          message: `Test file has ${itCount} test block(s) but zero assertions`,
+          evidence: `${itCount} it/test blocks, 0 expect()`,
+          suggestion: "Add `expect(...)` (vitest/jest) or `assert(...)` (node:test) calls to verify behavior. A test without assertions cannot fail except by throwing.",
+          line: 1,
+          column: 0
+        });
+      }
+    }
+    {
+      const r = new RegExp(SKIPPED_TEST_RE.source, SKIPPED_TEST_RE.flags);
+      let m;
+      while ((m = r.exec(source)) !== null) {
+        pending.push({
+          ruleId: "TQ005",
+          severity: "medium",
+          confidence: 0.95,
+          message: `Skipped test left in source: ${m[0]}`,
+          evidence: m[0],
+          suggestion: "Remove `.skip` / `xit` / `xdescribe` once the test is fixed, or delete the test if it is no longer relevant. Skipped tests are silent dead weight in CI.",
+          line: lineOf(source, m.index),
+          column: 0
+        });
+      }
+    }
+    for (let i = 0; i < lines.length; i++) {
+      const raw = lines[i];
+      for (const re of TAUTOLOGICAL_ASSERTIONS) {
+        if (re.test(raw)) {
+          pending.push({
+            ruleId: "TQ002",
+            severity: "high",
+            confidence: 0.95,
+            message: "Tautological assertion \u2014 passes regardless of implementation",
+            evidence: raw.trim().slice(0, 80),
+            suggestion: "Replace with an assertion that compares actual behavior against an expected outcome (e.g. expect(result).toBe(expectedValue)).",
+            line: i + 1,
+            column: raw.search(re)
+          });
+          break;
+        }
+      }
+    }
+    for (let i = 0; i < lines.length; i++) {
+      const raw = lines[i];
+      if (!/\bconsole\.(?:log|info|debug)\s*\(/.test(raw)) continue;
+      if (i === 0 && /^\s*(?:\/\/|\/\*)/.test(raw)) continue;
+      const window = lines.slice(Math.max(0, i - 2), Math.min(lines.length, i + 3)).join("\n");
+      if (/\bexpect\s*\(/.test(window)) continue;
+      pending.push({
+        ruleId: "TQ007",
+        severity: "medium",
+        confidence: 0.7,
+        message: "console.log in test without nearby expect() \u2014 likely debugging leftover or assertion stand-in",
+        evidence: raw.trim().slice(0, 80),
+        suggestion: "Remove the console.log if it was for debugging, or replace with an `expect()` call that verifies the condition.",
+        line: i + 1,
+        column: 0
+      });
+    }
+    if (itCount > 0) {
+      const blocks = extractTestBlocks(source);
+      for (const block of blocks) {
+        const blockExpects = countMatches(block.body, EXPECT_CALL_RE);
+        const hasNotToThrow = /\.\s*not\s*\.\s*toThrow\s*\(/.test(block.body);
+        const hasStrongAssertion = /\.\s*(?:toBe|toEqual|toMatch|toContain|toHaveLength|toHaveProperty|toHaveBeenCalled|toStrictEqual|toBeNull|toBeUndefined|toBeDefined|toBeTruthy|toBeFalsy|toBeGreaterThan|toBeLessThan|toBeCloseTo|toBeInstanceOf|toThrow)\b/.test(
+          block.body
+        );
+        const hasNonNegatedStrongAssertion = hasStrongAssertion && /(?<!\.\s*not\s*)\.\s*(?:toBe|toEqual|toMatch|toContain|toHaveLength|toHaveProperty|toHaveBeenCalled|toStrictEqual|toBeNull|toBeUndefined|toBeDefined|toBeTruthy|toBeFalsy|toBeGreaterThan|toBeLessThan|toBeCloseTo|toBeInstanceOf|toThrow)\b/.test(
+          block.body
+        );
+        const onlyNotToThrow = blockExpects > 0 && hasNotToThrow && !hasNonNegatedStrongAssertion;
+        if (onlyNotToThrow && /^\s*should\b/i.test(block.name) && !/throw|error|reject|fail/i.test(block.name)) {
+          pending.push({
+            ruleId: "TQ006",
+            severity: "medium",
+            confidence: 0.8,
+            message: `Test "${block.name}" only checks that nothing throws \u2014 name implies a stronger assertion`,
+            evidence: `it("${block.name}", ...) { expect(...).not.toThrow() }`,
+            suggestion: "Add an explicit assertion against the function output. `not.toThrow()` only catches exceptions; it does not verify return values, side effects, or state.",
+            line: block.startLine,
+            column: 0
+          });
+        }
+        const weakPresenceRe = /\.\s*(?:toBeDefined|toBeTruthy|not\s*\.\s*toBeUndefined|not\s*\.\s*toBeNull)\s*\(/;
+        const hasWeakPresence = weakPresenceRe.test(block.body);
+        const hasReallyStrong = /\.\s*(?:toBe|toEqual|toMatch|toContain|toHaveLength|toHaveProperty|toHaveBeenCalled|toStrictEqual|toBeGreaterThan|toBeLessThan|toBeCloseTo|toBeInstanceOf|toThrow)\b/.test(
+          block.body
+        );
+        const onlyWeakPresence = blockExpects > 0 && hasWeakPresence && !hasReallyStrong && !hasNotToThrow;
+        if (onlyWeakPresence && /^\s*should\b/i.test(block.name) && !/defined|exist|present|truthy|render|return|undefined|null/i.test(block.name)) {
+          pending.push({
+            ruleId: "TQ009",
+            severity: "medium",
+            confidence: 0.8,
+            message: `Test "${block.name}" only checks presence \u2014 name implies a stronger assertion`,
+            evidence: `it("${block.name}", ...) { expect(...).toBeDefined() }`,
+            suggestion: "`.toBeDefined()` / `.toBeTruthy()` confirm the value exists but not that it is correct. Add an explicit assertion against the expected output.",
+            line: block.startLine,
+            column: 0
+          });
+        }
+        const tryCatchSwallow = /try\s*\{[\s\S]*?expect\s*\([\s\S]*?\}\s*catch\s*\(\s*\w*\s*\)\s*\{[^}]*\}/.test(
+          block.body
+        ) && !/throw|expect\.fail|done\s*\(/.test(block.body.split("catch")[1] ?? "");
+        if (tryCatchSwallow) {
+          pending.push({
+            ruleId: "TQ004",
+            severity: "critical",
+            confidence: 0.9,
+            message: `Test "${block.name}" swallows assertion failures inside try/catch`,
+            evidence: "try { expect(...) } catch { /* swallowed */ }",
+            suggestion: "Remove the try/catch around assertions, or have the catch block re-throw / call `expect.fail`. Assertion errors must propagate to the runner.",
+            line: block.startLine,
+            column: 0
+          });
+        }
+      }
+      if (mockCount >= 4 && expectCount >= 1 && mockCount >= expectCount * 2) {
+        pending.push({
+          ruleId: "TQ003",
+          severity: "medium",
+          confidence: 0.7,
+          message: `Mock-heavy test file: ${mockCount} mock calls vs ${expectCount} assertion(s)`,
+          evidence: `mocks=${mockCount}, expects=${expectCount}`,
+          suggestion: 'When mocks dominate assertions, the test usually verifies "the function called the mock", not real behavior. Reduce mocking surface or add behavioral assertions.',
+          line: 1,
+          column: 0
+        });
+      }
+      const importRe = /^\s*import\s+(?:[\w*\s{},]+\s+from\s+)?['"]([^'"]+)['"]/gm;
+      const projectImport = (() => {
+        let m;
+        while ((m = importRe.exec(source)) !== null) {
+          const spec = m[1] ?? "";
+          if (spec.startsWith(".") || spec.startsWith("@/") || spec.startsWith("~/")) return true;
+        }
+        return false;
+      })();
+      if (!projectImport && itCount >= 2 && expectCount >= 2) {
+        pending.push({
+          ruleId: "TQ008",
+          severity: "medium",
+          confidence: 0.65,
+          message: "Test file imports nothing from the project \u2014 what is being tested?",
+          evidence: "no relative or aliased imports",
+          suggestion: "A test that does not import any project module either tests nothing or duplicates the production code inline. Either import the unit under test or delete this file.",
+          line: 1,
+          column: 0
+        });
+      }
+    }
+    if (pending.length === 0) return [];
+    return pending.map(
+      (p) => this.createFinding({
+        id: this.deterministicId(cleanUri, p.line, p.column, p.ruleId, p.evidence.slice(0, 32)),
+        ruleId: p.ruleId,
+        category: "test_quality",
+        message: p.message,
+        severity: p.severity,
+        confidence: p.confidence,
+        file: cleanUri,
+        line: p.line,
+        column: p.column,
+        evidence: p.evidence,
+        suggestion: p.suggestion,
+        autoFixable: false
+      })
+    );
+  }
+};
+var BreakerState = /* @__PURE__ */ ((BreakerState2) => {
+  BreakerState2[BreakerState2["Closed"] = 0] = "Closed";
+  BreakerState2[BreakerState2["Open"] = 1] = "Open";
+  BreakerState2[BreakerState2["HalfOpen"] = 2] = "HalfOpen";
+  return BreakerState2;
+})(BreakerState || {});
+var CircuitBreaker = class {
+  constructor(_threshold = 5, _cooldownMs = 3e4) {
+    this._threshold = _threshold;
+    this._cooldownMs = _cooldownMs;
+  }
+  _state = 0;
+  _failures = 0;
+  _halfOpenTimer = null;
+  get isOpen() {
+    return this._state === 1;
+  }
+  get state() {
+    return BreakerState[this._state];
+  }
+  recordSuccess() {
+    this._failures = 0;
+    this._state = 0;
+  }
+  recordFailure() {
+    this._failures++;
+    if (this._failures >= this._threshold) {
+      this._state = 1;
+      this._scheduleHalfOpen();
+    }
+  }
+  tryAllow() {
+    if (this._state === 0) return true;
+    if (this._state === 2) {
+      this._state = 0;
+      return true;
+    }
+    return false;
+  }
+  _scheduleHalfOpen() {
+    if (this._halfOpenTimer) clearTimeout(this._halfOpenTimer);
+    this._halfOpenTimer = setTimeout(() => {
+      this._state = 2;
+      this._halfOpenTimer = null;
+    }, this._cooldownMs);
+  }
+  dispose() {
+    if (this._halfOpenTimer) clearTimeout(this._halfOpenTimer);
+  }
+};
+var EngineRegistry = class {
+  _slots = /* @__PURE__ */ new Map();
+  _breakers = /* @__PURE__ */ new Map();
+  _registrationOrder = /* @__PURE__ */ new Map();
+  _nextOrder = 0;
+  _activeCache = null;
+  /**
+   * Register an engine. If an engine with the same ID already exists, it is replaced.
+   */
+  register(engine, options = {}) {
+    const slot = {
+      engine,
+      timeoutMs: options.timeoutMs ?? 200,
+      priority: options.priority ?? 100,
+      enabled: options.enabled ?? true,
+      extensions: options.extensions ?? void 0
+    };
+    this._slots.set(engine.id, slot);
+    this._breakers.set(engine.id, new CircuitBreaker());
+    if (!this._registrationOrder.has(engine.id)) {
+      this._registrationOrder.set(engine.id, this._nextOrder++);
+    }
+    this._activeCache = null;
+  }
+  /**
+   * Deregister an engine by ID. Disposes the engine and its circuit breaker.
+   */
+  deregister(id) {
+    const slot = this._slots.get(id);
+    if (!slot) return false;
+    slot.engine.dispose?.();
+    this._breakers.get(id)?.dispose();
+    this._slots.delete(id);
+    this._breakers.delete(id);
+    this._activeCache = null;
+    return true;
+  }
+  /**
+   * Get a specific engine slot by ID.
+   */
+  get(id) {
+    return this._slots.get(id);
+  }
+  /**
+   * Get the circuit breaker for an engine.
+   */
+  getBreaker(id) {
+    return this._breakers.get(id);
+  }
+  /**
+   * Get all enabled engine slots, sorted by priority (ascending), then registration order.
+   */
+  getActive() {
+    if (this._activeCache) return this._activeCache;
+    this._activeCache = [...this._slots.values()].filter((s) => s.enabled !== false).sort((a, b) => {
+      if (a.priority !== b.priority) return a.priority - b.priority;
+      return (this._registrationOrder.get(a.engine.id) ?? 0) - (this._registrationOrder.get(b.engine.id) ?? 0);
+    });
+    return this._activeCache;
+  }
+  /**
+   * Get all registered engine slots (including disabled).
+   */
+  getAll() {
+    return [...this._slots.values()];
+  }
+  /**
+   * Enable or disable an engine by ID.
+   */
+  setEnabled(id, enabled) {
+    const slot = this._slots.get(id);
+    if (!slot) return false;
+    slot.enabled = enabled;
+    this._activeCache = null;
+    return true;
+  }
+  /**
+   * Activate all registered engines. Call once at startup.
+   */
+  async activateAll(onError) {
     const tasks = [...this._slots.entries()].map(async ([id, slot]) => {
       try {
         await slot.engine.activate?.();
@@ -3312,7 +4440,7 @@ var EngineRegistry = class {
     if (supportedExtensions) {
       const uri = delta.documentUri;
       const pathPart = uri.replace(/^file:\/\//, "");
-      const ext = path5__default.extname(pathPart).toLowerCase() || ".ts";
+      const ext = path6__default.extname(pathPart).toLowerCase() || ".ts";
       if (!supportedExtensions.has(ext)) {
         return {
           findings: [],
@@ -3408,6 +4536,8 @@ function createDefaultRegistry() {
   registry.register(new TypeContractEngine(), { priority: 50, timeoutMs: 120 });
   registry.register(new SecurityPatternEngine(), { priority: 55, timeoutMs: 100 });
   registry.register(new PerformanceAntipatternEngine(), { priority: 60, timeoutMs: 120 });
+  registry.register(new AIRulesAttackEngine(), { priority: 45, timeoutMs: 60 });
+  registry.register(new TestQualityEngine(), { priority: 47, timeoutMs: 30 });
   return registry;
 }
 function isTestFile2(uri) {
@@ -4103,6 +5233,14 @@ function literalKey(expr) {
   if (import_typescript.default.isBigIntLiteral(e)) return `bigint:${e.text}`;
   return null;
 }
+var IMPL001_SKIP_LONG_SAME_STRING = 200;
+function isLongSameLiteralReturn(expr) {
+  const e = unwrap(expr);
+  if (import_typescript.default.isStringLiteral(e) || import_typescript.default.isNoSubstitutionTemplateLiteral(e)) {
+    return e.text.length >= IMPL001_SKIP_LONG_SAME_STRING;
+  }
+  return false;
+}
 function getFunctionName(fn) {
   if (import_typescript.default.isFunctionDeclaration(fn) && fn.name) return fn.name.text;
   if (import_typescript.default.isFunctionExpression(fn) && fn.name) return fn.name.text;
@@ -4129,6 +5267,7 @@ function jsdocSuggestsStableLiteral(node) {
   );
 }
 var IMPL001_NAME_ALLOW = /^(noop|identity|constant|tojson|valueof|jsonstringify)$/i;
+var IMPL008_EMPTY_BODY_ALLOW_NAMES = /* @__PURE__ */ new Set(["deactivate"]);
 function isBooleanPredicateName(name) {
   if (!name) return false;
   return /^(is|has|can|must|should|will|did)[A-Z]/.test(name) || /^(is|has|can|must|should)_[a-z]/i.test(name);
@@ -4350,6 +5489,7 @@ var IncompleteImplEngine = class extends BaseEngine {
     if (jsdocSuggestsStableLiteral(fn)) return;
     const rets = collectReturns(fn);
     if (rets.length === 0) return;
+    if (rets.some((r) => isLongSameLiteralReturn(r))) return;
     const keys = rets.map(literalKey);
     if (keys.some((k) => k === null)) return;
     const first = keys[0];
@@ -4391,13 +5531,15 @@ var IncompleteImplEngine = class extends BaseEngine {
   ruleIMPL008(fn, filePath, uri, findings, lines) {
     if (isAbstractOrOverloadStub(fn)) return;
     if (!functionHasEmptyBody(fn)) return;
+    const fnName = getFunctionName(fn);
+    if (fnName && IMPL008_EMPTY_BODY_ALLOW_NAMES.has(fnName)) return;
     const pos = fn.getStart(fn.getSourceFile());
     const { line, character } = fn.getSourceFile().getLineAndCharacterOfPosition(pos);
     const lineNum = line + 1;
     if (this.lineHasEmptyBodySuppression(lines, lineNum)) return;
     const name = getFunctionName(fn);
-    const n = uri.replace(/\\/g, "/");
-    const sharedLibPath = /(?:^|\/)packages\/[^/]+\/src\//i.test(n) || /(?:^|\/)lib(?:s)?\/src\//i.test(n);
+    const normUri = uri.replace(/\\/g, "/");
+    const sharedLibPath = /(?:^|\/)packages\/[^/]+\/src\//i.test(normUri) || /(?:^|\/)lib(?:s)?\/src\//i.test(normUri);
     const confidence = sharedLibPath ? 0.72 : 0.78;
     findings.push(
       this.createFinding({
@@ -5137,12 +6279,31 @@ function hasDetachedAnnotation(sf, node) {
   }
   return false;
 }
+var _sfLinesCache = /* @__PURE__ */ new WeakMap();
+function getSourceLines(sf) {
+  let lines = _sfLinesCache.get(sf);
+  if (!lines) {
+    lines = sf.getFullText().split("\n");
+    _sfLinesCache.set(sf, lines);
+  }
+  return lines;
+}
+var IGNORE_REGEXES = /* @__PURE__ */ new Map();
+function getIgnoreRegex(rule) {
+  let re = IGNORE_REGEXES.get(rule);
+  if (!re) {
+    re = new RegExp(`@vibecheck-ignore(?:-${rule})?\\b`, "i");
+    IGNORE_REGEXES.set(rule, re);
+  }
+  return re;
+}
 function ignoreCommentNear(sf, pos, rule) {
   const lc = sf.getLineAndCharacterOfPosition(pos);
-  const lines = sf.getFullText().split("\n");
+  const lines = getSourceLines(sf);
+  const re = getIgnoreRegex(rule);
   for (let L = Math.max(0, lc.line - 3); L <= lc.line; L++) {
     const row = lines[L] ?? "";
-    if (new RegExp(`@vibecheck-ignore(?:-${rule})?\\b`, "i").test(row)) return true;
+    if (re.test(row)) return true;
   }
   return false;
 }
@@ -5474,13 +6635,893 @@ var OutcomeVerificationEngine = class extends BaseEngine {
         file: ctx.uri,
         line,
         column,
-        evidence: ret.getText().slice(0, 100),
-        suggestion: "Await the request, validate the outcome, then return based on the actual response (or return the promise).",
+        evidence: ret.getText().slice(0, 100),
+        suggestion: "Await the request, validate the outcome, then return based on the actual response (or return the promise).",
+        autoFixable: false
+      })
+    );
+  }
+};
+function isNpmManifest(uri) {
+  const path24 = uri.replace(/^file:\/\//, "").toLowerCase();
+  const base = path24.split("/").pop() ?? "";
+  if (base !== "package.json") return false;
+  return !/\/(node_modules|dist|build|\.next|\.turbo|out)\//.test(path24);
+}
+function isPythonManifest(uri) {
+  const path24 = uri.replace(/^file:\/\//, "").toLowerCase();
+  const base = path24.split("/").pop() ?? "";
+  if (base === "requirements.txt" || base === "pipfile" || base === "pipfile.lock") return true;
+  if (base === "pyproject.toml") return true;
+  if (/^requirements[-.][\w.-]+\.txt$/.test(base)) return true;
+  return false;
+}
+var CANONICAL_AI_PACKAGES_NPM = /* @__PURE__ */ new Set([
+  // Anthropic
+  "@anthropic-ai/sdk",
+  "@anthropic-ai/claude-code",
+  "@anthropic-ai/bedrock-sdk",
+  "@anthropic-ai/vertex-sdk",
+  "@anthropic-ai/tokenizer",
+  // OpenAI
+  "openai",
+  // Google
+  "@google/genai",
+  "@google/generative-ai",
+  "@google-ai/generativelanguage",
+  "@google-cloud/vertexai",
+  "@google-cloud/aiplatform",
+  // LangChain
+  "langchain",
+  "@langchain/core",
+  "@langchain/anthropic",
+  "@langchain/openai",
+  "@langchain/google-genai",
+  "@langchain/community",
+  // MCP
+  "@modelcontextprotocol/sdk",
+  "@modelcontextprotocol/server-everything",
+  "@modelcontextprotocol/server-filesystem",
+  "@modelcontextprotocol/server-github",
+  "@modelcontextprotocol/server-gitlab",
+  "@modelcontextprotocol/server-memory",
+  "@modelcontextprotocol/server-postgres",
+  "@modelcontextprotocol/server-puppeteer",
+  "@modelcontextprotocol/server-sequentialthinking",
+  "@modelcontextprotocol/server-slack",
+  "@modelcontextprotocol/server-time",
+  "@modelcontextprotocol/inspector",
+  // Vercel AI
+  "ai",
+  "@ai-sdk/anthropic",
+  "@ai-sdk/openai",
+  "@ai-sdk/google",
+  "@ai-sdk/react",
+  // Cohere
+  "cohere-ai",
+  // Mistral
+  "@mistralai/mistralai"
+]);
+var CANONICAL_AI_PACKAGES_PYPI = /* @__PURE__ */ new Set([
+  "anthropic",
+  "openai",
+  "google-generativeai",
+  "google-cloud-aiplatform",
+  "langchain",
+  "langchain-core",
+  "langchain-anthropic",
+  "langchain-openai",
+  "langchain-google-genai",
+  "langchain-community",
+  "mcp",
+  "fastmcp",
+  "mcp-server-fetch",
+  "mcp-server-git",
+  "mcp-server-time",
+  "mistralai",
+  "cohere",
+  "tiktoken"
+]);
+var BRAND_KEYWORDS = [
+  "claude",
+  "anthropic",
+  "openai",
+  "chatgpt",
+  "gpt-4",
+  "gpt4",
+  "gemini",
+  "modelcontextprotocol"
+];
+var AI_HALLUCINATED_PACKAGES = /* @__PURE__ */ new Set([
+  // npm — Anthropic / Claude
+  "@anthropic/sdk",
+  "@anthropic/claude",
+  "@anthropic/claude-sdk",
+  "@anthropic/api",
+  "claude-sdk",
+  "claude-api",
+  "claude-ai",
+  "anthropic-sdk",
+  "anthropic-api",
+  "anthropic-client",
+  "anthropic-typescript",
+  "claude-typescript",
+  "claude-node",
+  // npm — OpenAI
+  "@openai/sdk",
+  "@openai/api",
+  "@openai/node",
+  "openai-sdk",
+  "openai-api",
+  "openai-client",
+  "openai-node-sdk",
+  "gpt-sdk",
+  "chatgpt-sdk",
+  // npm — MCP
+  "@mcp/sdk",
+  "@mcp/server",
+  "@mcp/client",
+  "mcp-sdk",
+  "mcp-protocol",
+  "mcp-server-sdk",
+  "modelcontext-sdk",
+  // npm — Gemini / Google
+  "@google/gemini",
+  "gemini-sdk",
+  "gemini-api",
+  "google-gemini-sdk",
+  // PyPI
+  "claude-python",
+  "anthropic-python",
+  "anthropic-claude",
+  "claude-ai-sdk",
+  "openai-python-sdk",
+  "gpt-python",
+  "mcp-sdk-python",
+  "modelcontextprotocol",
+  "gemini-python"
+]);
+var WILDCARD_VERSION_RE = /^(?:\*|latest|x|>=?\s*0(?:\.0)?(?:\.0)?)$/i;
+var UNPINNED_GIT_URL_RE = /^git(?:\+(?:https?|ssh))?:\/\/[^#\s]+(?:\.git)?(?:#(?!(?:[a-f0-9]{7,40}\b|semver:|v?\d+\.\d+\.\d+)).*)?$/i;
+var HTTP_TARBALL_RE = /^http:\/\//i;
+var PYPI_LINE_RE = /^\s*([A-Za-z][A-Za-z0-9._-]*)\s*(?:\[[^\]]+\])?\s*(?:([<>=!~]=?|===)\s*([\w.+!*-]+))?\s*(?:;.*)?$/;
+function detectBrandImpersonationNpm(pkg) {
+  const lower = pkg.toLowerCase();
+  if (CANONICAL_AI_PACKAGES_NPM.has(lower)) return null;
+  for (const brand of BRAND_KEYWORDS) {
+    if (lower.includes(brand)) {
+      if (lower.startsWith("@anthropic-ai/")) return null;
+      if (lower.startsWith("@openai/")) return null;
+      if (lower.startsWith("@modelcontextprotocol/")) return null;
+      if (lower.startsWith("@langchain/")) return null;
+      if (lower.startsWith("@ai-sdk/")) return null;
+      if (lower.startsWith("@google-ai/") || lower.startsWith("@google-cloud/")) return null;
+      return brand;
+    }
+  }
+  return null;
+}
+function detectBrandImpersonationPypi(pkg) {
+  const lower = pkg.toLowerCase().replace(/_/g, "-");
+  if (CANONICAL_AI_PACKAGES_PYPI.has(lower)) return null;
+  if (lower.startsWith("langchain-")) return null;
+  for (const brand of BRAND_KEYWORDS) {
+    if (lower.includes(brand)) return brand;
+  }
+  return null;
+}
+function detectMCPSlopsquatNpm(pkg) {
+  const lower = pkg.toLowerCase();
+  if (CANONICAL_AI_PACKAGES_NPM.has(lower)) return false;
+  if (lower.startsWith("@modelcontextprotocol/")) return false;
+  return /^mcp-server-|^@[\w-]+\/mcp-server-|^mcp-/.test(lower) || /-mcp-server$|-mcp$/.test(lower);
+}
+function detectMCPSlopsquatPypi(pkg) {
+  const lower = pkg.toLowerCase().replace(/_/g, "-");
+  if (CANONICAL_AI_PACKAGES_PYPI.has(lower)) return false;
+  return /^mcp-server-|^mcp-/.test(lower);
+}
+var DEP_KEYS = [
+  "dependencies",
+  "devDependencies",
+  "peerDependencies",
+  "optionalDependencies"
+];
+var SlopsquatEngine = class extends BaseEngine {
+  id = "slopsquat";
+  name = "AI Slopsquat & Dependency Hygiene Engine";
+  version = "1.0.0";
+  supportedExtensions = null;
+  async scan(delta, signal) {
+    const uri = delta.documentUri;
+    const isNpm = isNpmManifest(uri);
+    const isPy = isPythonManifest(uri);
+    if (!isNpm && !isPy) return [];
+    this.checkAbort(signal);
+    const source = delta.fullText;
+    const cleanUri = uri.replace(/^file:\/\//, "");
+    const pending = [];
+    if (isNpm) {
+      this._checkNpmManifest(source, pending);
+    } else {
+      this._checkPythonManifest(source, pending);
+    }
+    if (pending.length === 0) return [];
+    return pending.map(
+      (p) => this.createFinding({
+        id: this.deterministicId(cleanUri, p.line, p.column, p.ruleId, p.evidence.slice(0, 32)),
+        ruleId: p.ruleId,
+        category: "slopsquat",
+        message: p.message,
+        severity: p.severity,
+        confidence: p.confidence,
+        file: cleanUri,
+        line: p.line,
+        column: p.column,
+        evidence: p.evidence,
+        suggestion: p.suggestion,
+        autoFixable: false
+      })
+    );
+  }
+  // ─── npm ────────────────────────────────────────────────────────────────
+  _checkNpmManifest(source, out) {
+    let doc;
+    try {
+      doc = JSON.parse(source);
+    } catch {
+      return;
+    }
+    for (const depKey of DEP_KEYS) {
+      const deps = doc[depKey];
+      if (!deps || typeof deps !== "object") continue;
+      for (const [pkg, rawVersion] of Object.entries(deps)) {
+        if (typeof rawVersion !== "string") continue;
+        const version = rawVersion.trim();
+        const line = this._findLine(source, `"${pkg}"`);
+        if (WILDCARD_VERSION_RE.test(version)) {
+          out.push({
+            ruleId: "SLOP001",
+            severity: "high",
+            confidence: 0.95,
+            message: `Wildcard version for '${pkg}' \u2014 accepts any future release including malicious ones`,
+            evidence: `"${pkg}": "${version}"`,
+            suggestion: `Pin to a specific version: "${pkg}": "^X.Y.Z" (or exact "X.Y.Z").`,
+            line,
+            column: 0
+          });
+        }
+        if (UNPINNED_GIT_URL_RE.test(version)) {
+          out.push({
+            ruleId: "SLOP006",
+            severity: "high",
+            confidence: 0.9,
+            message: `Git dependency '${pkg}' is not pinned to a commit`,
+            evidence: `"${pkg}": "${version}"`,
+            suggestion: `Pin to a full commit SHA: "${pkg}": "git+https://...#<full-sha>". A branch reference can change under you.`,
+            line,
+            column: 0
+          });
+        }
+        if (HTTP_TARBALL_RE.test(version)) {
+          out.push({
+            ruleId: "SLOP007",
+            severity: "critical",
+            confidence: 0.99,
+            message: `Dependency '${pkg}' installs over plaintext HTTP \u2014 MITM exposure`,
+            evidence: `"${pkg}": "${version}"`,
+            suggestion: "Use https:// for tarball URLs.",
+            line,
+            column: 0
+          });
+        }
+        if (AI_HALLUCINATED_PACKAGES.has(pkg.toLowerCase())) {
+          out.push({
+            ruleId: "SLOP004",
+            severity: "critical",
+            confidence: 0.99,
+            message: `'${pkg}' is a known AI-hallucinated package name \u2014 does not exist in the official ecosystem`,
+            evidence: `"${pkg}"`,
+            suggestion: this._fixHintForHallucinated(pkg),
+            line,
+            column: 0
+          });
+          continue;
+        }
+        const brand = detectBrandImpersonationNpm(pkg);
+        if (brand) {
+          out.push({
+            ruleId: "SLOP002",
+            severity: "critical",
+            confidence: 0.9,
+            message: `'${pkg}' uses the '${brand}' brand but is not from the official organization`,
+            evidence: `"${pkg}"`,
+            suggestion: this._fixHintForBrand(brand),
+            line,
+            column: 0
+          });
+        }
+        if (detectMCPSlopsquatNpm(pkg)) {
+          out.push({
+            ruleId: "SLOP003",
+            severity: "high",
+            confidence: 0.85,
+            message: `'${pkg}' claims to be an MCP server but is not in the @modelcontextprotocol/ scope`,
+            evidence: `"${pkg}"`,
+            suggestion: "Verify the package author. Official MCP servers live under @modelcontextprotocol/. Vetted third-party MCP servers should be added to an explicit allowlist.",
+            line,
+            column: 0
+          });
+        }
+      }
+    }
+  }
+  // ─── PyPI ───────────────────────────────────────────────────────────────
+  _checkPythonManifest(source, out) {
+    const lines = source.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const raw = lines[i];
+      const line = i + 1;
+      const trimmed = raw.replace(/(^|[^\\])#.*$/, "$1").trim();
+      if (!trimmed || trimmed.startsWith("-")) continue;
+      const m = trimmed.match(PYPI_LINE_RE);
+      if (!m) continue;
+      const [, pkgRaw, op, version] = m;
+      if (!pkgRaw) continue;
+      const pkg = pkgRaw.toLowerCase();
+      if (!op || version && (version === "*" || version.startsWith("0"))) {
+        if (!op || version === "*") {
+          out.push({
+            ruleId: "SLOP001",
+            severity: "medium",
+            confidence: 0.85,
+            message: `Unpinned PyPI dependency '${pkg}' \u2014 accepts any version`,
+            evidence: trimmed.slice(0, 80),
+            suggestion: `Pin to a specific version: ${pkg}==X.Y.Z (or use ~= for compatible release).`,
+            line,
+            column: 0
+          });
+        }
+      }
+      if (AI_HALLUCINATED_PACKAGES.has(pkg)) {
+        out.push({
+          ruleId: "SLOP004",
+          severity: "critical",
+          confidence: 0.99,
+          message: `'${pkg}' is a known AI-hallucinated PyPI package name \u2014 does not exist in the official ecosystem`,
+          evidence: trimmed.slice(0, 80),
+          suggestion: this._fixHintForHallucinated(pkg),
+          line,
+          column: 0
+        });
+        continue;
+      }
+      const brand = detectBrandImpersonationPypi(pkg);
+      if (brand) {
+        out.push({
+          ruleId: "SLOP005",
+          severity: "critical",
+          confidence: 0.9,
+          message: `'${pkg}' uses the '${brand}' brand on PyPI but is not the canonical package`,
+          evidence: trimmed.slice(0, 80),
+          suggestion: this._fixHintForBrand(brand),
+          line,
+          column: 0
+        });
+      }
+      if (detectMCPSlopsquatPypi(pkg)) {
+        out.push({
+          ruleId: "SLOP003",
+          severity: "high",
+          confidence: 0.8,
+          message: `'${pkg}' claims to be an MCP server on PyPI \u2014 verify the author`,
+          evidence: trimmed.slice(0, 80),
+          suggestion: "Official MCP packages on PyPI start with `mcp-server-` (e.g. mcp-server-fetch, mcp-server-git). Confirm the package author and source repository before installing.",
+          line,
+          column: 0
+        });
+      }
+    }
+  }
+  // ─── Helpers ────────────────────────────────────────────────────────────
+  _findLine(source, needle) {
+    const idx = source.indexOf(needle);
+    if (idx === -1) return 1;
+    let line = 1;
+    for (let i = 0; i < idx; i++) {
+      if (source.charCodeAt(i) === 10) line++;
+    }
+    return line;
+  }
+  _fixHintForHallucinated(pkg) {
+    const lower = pkg.toLowerCase();
+    if (lower.includes("claude") || lower.includes("anthropic")) {
+      return "Use the official package: @anthropic-ai/sdk (npm) or anthropic (PyPI).";
+    }
+    if (lower.includes("openai") || lower.includes("gpt") || lower.includes("chatgpt")) {
+      return "Use the official package: openai (npm and PyPI).";
+    }
+    if (lower.includes("mcp") || lower.includes("modelcontext")) {
+      return "Use the official MCP SDK: @modelcontextprotocol/sdk (npm) or mcp (PyPI).";
+    }
+    if (lower.includes("gemini") || lower.includes("google")) {
+      return "Use the official package: @google/genai (npm) or google-generativeai (PyPI).";
+    }
+    return "Search npm/PyPI for the actual canonical package name. AI assistants frequently invent plausible-looking package names that do not exist.";
+  }
+  _fixHintForBrand(brand) {
+    switch (brand) {
+      case "claude":
+      case "anthropic":
+        return "Use the official @anthropic-ai/sdk (npm) or anthropic (PyPI). Anything else with the Anthropic/Claude brand in its name is likely impersonation.";
+      case "openai":
+      case "chatgpt":
+      case "gpt-4":
+      case "gpt4":
+        return "Use the official openai (npm and PyPI). The OpenAI org does not publish other branded packages.";
+      case "gemini":
+        return "Use the official @google/genai (npm) or google-generativeai (PyPI). Google does not publish gemini-* packages from third-party scopes.";
+      case "modelcontextprotocol":
+        return "Official MCP packages are scoped under @modelcontextprotocol/ (npm) or named mcp / mcp-server-* (PyPI). Third-party MCP packages should be vetted against an explicit allowlist.";
+      default:
+        return `Verify '${brand}' is the official organization on the registry. AI brand impersonation packages are a common supply-chain attack.`;
+    }
+  }
+};
+var INITIAL_VERSION = "1.0.0";
+var baseLifecycle = {
+  scan: "src/scan.ts"
+  // engines export their scan via class.scan(); pointer is a stub for the manifest schema
+};
+var slopsquatManifest = {
+  id: "slopsquat",
+  version: INITIAL_VERSION,
+  description: "Detects typo-squatted package names \u2014 imports that look real but are a known typo of a popular package.",
+  capabilities: ["scan_files", "hallucination"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "slopsquat.match"]
+  }
+};
+var fakeFeaturesManifest = {
+  id: "fake_features",
+  version: INITIAL_VERSION,
+  description: "Detects code that simulates a feature without implementing it \u2014 placeholder UI bound to no backend, fake success returns, mock toggles in production.",
+  capabilities: ["scan_files", "hallucination", "quality"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "fake_features.match"]
+  }
+};
+var incompleteImplManifest = {
+  id: "incomplete_impl",
+  version: INITIAL_VERSION,
+  description: "Detects partial implementations \u2014 exported functions never called, TODO throws, stub bodies, half-wired routes.",
+  capabilities: ["scan_files", "hallucination", "quality"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "incomplete_impl.match"]
+  }
+};
+var aiRulesAttackManifest = {
+  id: "ai-rules-attack",
+  version: INITIAL_VERSION,
+  description: "Detects prompt-injection style patterns embedded in code or rules files that try to manipulate AI assistants downstream.",
+  capabilities: ["scan_files", "hallucination", "security"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "ai_rules_attack.match"]
+  }
+};
+var securityPatternManifest = {
+  id: "security-pattern",
+  version: INITIAL_VERSION,
+  description: "Detects classic security antipatterns \u2014 eval on user input, weak crypto, unsafe URL construction, missing CSRF, etc.",
+  capabilities: ["scan_files", "security"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "security_pattern.match"]
+  }
+};
+var typeContractManifest = {
+  id: "type-contract",
+  version: INITIAL_VERSION,
+  description: "Detects type-contract violations across module boundaries \u2014 return shape mismatches, missing required props, drift between consumer and producer.",
+  capabilities: ["scan_files", "type_safety", "quality"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "type_contract.match"]
+  }
+};
+var perfAntipatternManifest = {
+  id: "perf-antipattern",
+  version: INITIAL_VERSION,
+  description: "Detects performance antipatterns \u2014 N+1 queries, sync I/O on hot paths, unbounded loops, accidental quadratic.",
+  capabilities: ["scan_files", "quality"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "perf_antipattern.match"]
+  }
+};
+var errorHandlingManifest = {
+  id: "error_handling",
+  version: INITIAL_VERSION,
+  description: "Detects missing or swallowed error handling \u2014 empty catch, unawaited rejections, success-on-error, lost stack traces.",
+  capabilities: ["scan_files", "quality"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "error_handling.match"]
+  }
+};
+var logicGapManifest = {
+  id: "logic_gap",
+  version: INITIAL_VERSION,
+  description: "Detects logical gaps \u2014 branches that never execute, conditions that always evaluate the same way, dead state, contradictory guards.",
+  capabilities: ["scan_files", "quality"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "logic_gap.match"]
+  }
+};
+var testQualityManifest = {
+  id: "test-quality",
+  version: INITIAL_VERSION,
+  description: "Detects tests that pass without exercising real behavior \u2014 bare mocks, no assertions, expect-anything, snapshot rot.",
+  capabilities: ["scan_files", "quality"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "test_quality.match"]
+  }
+};
+var outcomeVerificationManifest = {
+  id: "outcome_verification",
+  version: INITIAL_VERSION,
+  description: "Verifies that observable outcomes match declared intent \u2014 function signatures vs. callers, return shapes vs. consumers.",
+  capabilities: ["scan_files", "quality"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "outcome_verification.match"]
+  }
+};
+var CORE_ENGINE_MANIFESTS = [
+  // Hallucination
+  slopsquatManifest,
+  fakeFeaturesManifest,
+  incompleteImplManifest,
+  aiRulesAttackManifest,
+  // Security
+  securityPatternManifest,
+  // Type
+  typeContractManifest,
+  // Quality
+  perfAntipatternManifest,
+  errorHandlingManifest,
+  logicGapManifest,
+  testQualityManifest,
+  outcomeVerificationManifest
+];
+var phantomDepManifest = {
+  id: "phantom_dep",
+  version: "1.0.0",
+  description: "Detects hallucinated package imports \u2014 modules that do not exist in package.json or node_modules. The most undeniable AI-generated-code failure class.",
+  capabilities: ["scan_files", "hallucination", "incremental"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "phantom_dep.match"]
+  }
+};
+var ghostRouteManifest = {
+  id: "ghost_route",
+  version: "1.0.0",
+  description: 'Detects API calls and links pointing at routes that do not exist in the workspace. The "this UI is wired to nothing" hallucination class.',
+  capabilities: ["scan_files", "hallucination"],
+  lifecycle: baseLifecycle,
+  telemetry: {
+    events: ["scan_started", "scan_completed", "ghost_route.match"]
+  }
+};
+var WORKSPACE_ENGINE_MANIFESTS = [
+  phantomDepManifest,
+  ghostRouteManifest
+];
+function registerCoreEngines(registry) {
+  registry.register(aiRulesAttackManifest, new AIRulesAttackEngine());
+  registry.register(errorHandlingManifest, new ErrorHandlingEngine());
+  registry.register(fakeFeaturesManifest, new FakeFeaturesEngine());
+  registry.register(incompleteImplManifest, new IncompleteImplEngine());
+  registry.register(logicGapManifest, new LogicGapEngine());
+  registry.register(outcomeVerificationManifest, new OutcomeVerificationEngine());
+  registry.register(perfAntipatternManifest, new PerformanceAntipatternEngine());
+  registry.register(securityPatternManifest, new SecurityPatternEngine());
+  registry.register(slopsquatManifest, new SlopsquatEngine());
+  registry.register(testQualityManifest, new TestQualityEngine());
+  registry.register(typeContractManifest, new TypeContractEngine());
+}
+var CORE_ENGINE_IDS = [
+  aiRulesAttackManifest.id,
+  errorHandlingManifest.id,
+  fakeFeaturesManifest.id,
+  incompleteImplManifest.id,
+  logicGapManifest.id,
+  outcomeVerificationManifest.id,
+  perfAntipatternManifest.id,
+  securityPatternManifest.id,
+  slopsquatManifest.id,
+  testQualityManifest.id,
+  typeContractManifest.id
+];
+function registerWorkspaceEngines(registry, options) {
+  registry.register(
+    phantomDepManifest,
+    new PhantomDepEngine(options.workspaceRoot)
+  );
+  registry.register(
+    ghostRouteManifest,
+    new GhostRouteEngine(
+      options.workspaceRoot,
+      options.ghostRouteConfidenceThreshold ?? 0.75,
+      options.ghostRouteSafePrefixes ?? []
+    )
+  );
+}
+var WORKSPACE_ENGINE_IDS = [
+  phantomDepManifest.id,
+  ghostRouteManifest.id
+];
+function registerAllEngines(registry, options) {
+  registerCoreEngines(registry);
+  registerWorkspaceEngines(registry, options);
+}
+async function tryLoadNativeApi() {
+  try {
+    return await import('@vibecheck/native');
+  } catch {
+    return null;
+  }
+}
+var VibecheckNativeEngine = class extends BaseEngine {
+  id = "vibecheck-native";
+  name = "Vibecheck Native Engine";
+  version = "2.0.0";
+  supportedExtensions = /* @__PURE__ */ new Set([
+    ".ts",
+    ".tsx",
+    ".js",
+    ".jsx",
+    ".cts",
+    ".mts",
+    ".cjs",
+    ".mjs"
+  ]);
+  opts;
+  constructor(opts = {}) {
+    super();
+    this.opts = {
+      deadCode: true,
+      duplication: true,
+      health: true,
+      ...opts
+    };
+  }
+  async scan(delta, signal) {
+    this.checkAbort(signal);
+    const native = await tryLoadNativeApi();
+    if (!native) {
+      return [];
+    }
+    const root = this.opts.root ?? rootFromDelta(delta) ?? process.cwd();
+    const configPath = this.opts.configPath;
+    const findings = [];
+    if (this.opts.deadCode) {
+      this.checkAbort(signal);
+      const dcOpts = { root, configPath };
+      const result = await native.detectDeadCode(dcOpts);
+      findings.push(...this.mapIssues(result, root, "native-dead-code", "medium"));
+    }
+    if (this.opts.duplication) {
+      this.checkAbort(signal);
+      const dupOpts = { root, configPath };
+      const result = await native.detectDuplication(dupOpts);
+      findings.push(...this.mapIssues(result, root, "native-duplication", "low"));
+    }
+    if (this.opts.health) {
+      this.checkAbort(signal);
+      const compOpts = { root, configPath };
+      const result = await native.computeHealth(compOpts);
+      findings.push(...this.mapIssues(result, root, "native-health", "medium"));
+    }
+    return findings;
+  }
+  mapIssues(raw, root, defaultRuleId, defaultSeverity) {
+    return readIssues(raw).map((issue) => {
+      const file = fileOf(issue, root);
+      const line = lineOf2(issue);
+      const column = colOf(issue);
+      const message = messageOf(issue);
+      return this.createFinding({
+        id: this.deterministicId(file, line, column, defaultRuleId, message),
+        ruleId: kindOf(issue) ?? defaultRuleId,
+        message,
+        file,
+        line,
+        column,
+        evidence: evidenceOf(issue, message),
+        severity: severityOf(issue) ?? defaultSeverity,
+        confidence: 0.9,
         autoFixable: false
-      })
-    );
+      });
+    });
   }
 };
+function readIssues(raw) {
+  if (!raw || typeof raw !== "object") return [];
+  const obj = raw;
+  for (const key of ["issues", "findings", "results", "items"]) {
+    const v = obj[key];
+    if (Array.isArray(v)) return v;
+  }
+  return [];
+}
+function rootFromDelta(delta) {
+  const uri = delta.documentUri;
+  if (typeof uri === "string" && uri.startsWith("file://")) {
+    return void 0;
+  }
+  return void 0;
+}
+function fileOf(issue, root) {
+  const f = issue.file ?? issue.path ?? issue.location_file;
+  return f ?? root;
+}
+function lineOf2(issue) {
+  const l = issue.line ?? issue.start_line ?? issue.row;
+  return typeof l === "number" ? l : 0;
+}
+function colOf(issue) {
+  const c2 = issue.column ?? issue.start_column ?? issue.col;
+  return typeof c2 === "number" ? c2 : 0;
+}
+function messageOf(issue) {
+  const m = issue.message ?? issue.title ?? issue.summary ?? issue.kind;
+  return typeof m === "string" ? m : "Vibecheck native finding";
+}
+function kindOf(issue) {
+  const k = issue.kind ?? issue.rule ?? issue.type;
+  return typeof k === "string" ? k : void 0;
+}
+function severityOf(issue) {
+  const s = issue.severity;
+  if (s === "critical" || s === "high" || s === "medium" || s === "low" || s === "info") {
+    return s;
+  }
+  return void 0;
+}
+function evidenceOf(issue, fallback) {
+  const e = issue.evidence ?? issue.snippet ?? issue.code;
+  return typeof e === "string" ? e : fallback;
+}
+var SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"];
+function buildClusters(findings, windowLines) {
+  if (findings.length === 0) return [];
+  const tagged = findings.map((finding, index) => ({ finding, index }));
+  tagged.sort((a, b) => {
+    if (a.finding.file !== b.finding.file) {
+      return a.finding.file < b.finding.file ? -1 : 1;
+    }
+    return a.finding.line - b.finding.line;
+  });
+  const clusters = [];
+  let current = [];
+  let currentFile = "";
+  let lastLine = -Infinity;
+  for (const entry of tagged) {
+    const startsNewCluster = entry.finding.file !== currentFile || entry.finding.line - lastLine > windowLines;
+    if (startsNewCluster) {
+      if (current.length > 0) clusters.push(current);
+      current = [entry];
+      currentFile = entry.finding.file;
+    } else {
+      current.push(entry);
+    }
+    lastLine = entry.finding.line;
+  }
+  if (current.length > 0) clusters.push(current);
+  return clusters;
+}
+function fuseFindings(findings, options = {}) {
+  const {
+    windowLines = 5,
+    minEnginesForBoost = 2,
+    minEnginesForEscalation = 3,
+    confidenceCeiling = 0.99
+  } = options;
+  if (findings.length === 0) return [];
+  if (findings.length === 1) {
+    const single = findings[0];
+    return [
+      {
+        ...single,
+        relatedFindings: single.relatedFindings ?? []
+      }
+    ];
+  }
+  const input = [...findings];
+  const clusters = buildClusters(input, windowLines);
+  const out = new Array(input.length);
+  for (const cluster of clusters) {
+    const distinctEngines = new Set(cluster.map((e) => e.finding.engine));
+    const clusterSize = distinctEngines.size;
+    const ids = cluster.map((e) => e.finding.id).filter((id) => Boolean(id));
+    let maxSeverityIdx = -1;
+    for (const e of cluster) {
+      const sevIdx = SEVERITY_ORDER.indexOf(e.finding.severity);
+      if (sevIdx > maxSeverityIdx) maxSeverityIdx = sevIdx;
+    }
+    const shouldBoost = clusterSize >= minEnginesForBoost;
+    const shouldEscalate = clusterSize >= minEnginesForEscalation && maxSeverityIdx >= SEVERITY_ORDER.indexOf("high");
+    for (const entry of cluster) {
+      const f = entry.finding;
+      const relatedFindings = ids.filter((id) => id !== f.id);
+      let nextSeverity = f.severity;
+      let nextConfidence = f.confidence;
+      let reason;
+      if (shouldBoost) {
+        const extraEngines = clusterSize - 1;
+        let conf = f.confidence;
+        for (let i = 0; i < extraEngines; i++) {
+          conf = conf + (confidenceCeiling - conf) * 0.5;
+        }
+        nextConfidence = Math.min(confidenceCeiling, conf);
+        reason = `${clusterSize}-engine concurrence`;
+      }
+      if (shouldEscalate) {
+        const idx = SEVERITY_ORDER.indexOf(f.severity);
+        if (idx >= 0 && idx < SEVERITY_ORDER.length - 1) {
+          nextSeverity = SEVERITY_ORDER[idx + 1];
+        }
+        reason = `${clusterSize}-engine cluster (escalated)`;
+      }
+      const fused = {
+        ...f,
+        severity: nextSeverity,
+        confidence: nextConfidence,
+        relatedFindings,
+        ...shouldBoost || shouldEscalate ? {
+          fusion: {
+            ...f.fusion ?? {},
+            originalSeverity: f.fusion?.originalSeverity ?? f.severity,
+            originalConfidence: f.fusion?.originalConfidence ?? f.confidence,
+            clusterSize,
+            reason
+          }
+        } : {}
+      };
+      out[entry.index] = fused;
+    }
+  }
+  return out;
+}
+function computeFusionStats(findings, windowLines = 5) {
+  const clusters = buildClusters([...findings], windowLines);
+  let boosted = 0;
+  let escalated = 0;
+  let largest = 0;
+  for (const f of findings) {
+    if (f.fusion?.reason?.includes("escalated")) escalated++;
+    else if (f.fusion?.reason) boosted++;
+  }
+  for (const cluster of clusters) {
+    const distinctEngines = new Set(cluster.map((e) => e.finding.engine)).size;
+    if (distinctEngines > largest) largest = distinctEngines;
+  }
+  return {
+    totalFindings: findings.length,
+    totalClusters: clusters.length,
+    boostedFindings: boosted,
+    escalatedFindings: escalated,
+    largestClusterSize: largest
+  };
+}
 function isTestLikeScanPath(filePath) {
   const n = filePath.replace(/\\/g, "/");
   return /\.(test|spec)\.(ts|tsx|js|jsx)$/i.test(n) || /(?:^|\/)(?:__tests__|__mocks__|tests?|fixtures?|e2e|spec|cypress|playwright|__snapshots__|stubs?|mocks?)\//i.test(
@@ -5511,11 +7552,73 @@ function fnv1aId(input) {
   }
   return hash.toString(16).padStart(8, "0");
 }
-function collectCallAndNewNames(sf) {
+function normalizeFileKey(abs) {
+  return path6__default__default.normalize(abs);
+}
+function resolveRelativeModule(fromFileAbs, specifier, knownFiles) {
+  if (!specifier.startsWith(".")) return void 0;
+  const baseDir = path6__default__default.dirname(fromFileAbs);
+  const joined = normalizeFileKey(path6__default__default.join(baseDir, specifier));
+  if (knownFiles.has(joined)) return joined;
+  if (path6__default__default.extname(joined)) {
+    return void 0;
+  }
+  for (const ext of [".ts", ".tsx", ".mts", ".cts", ".js", ".jsx", ".mjs", ".cjs"]) {
+    const c2 = normalizeFileKey(joined + ext);
+    if (knownFiles.has(c2)) return c2;
+  }
+  for (const idx of ["index.ts", "index.tsx", "index.js", "index.jsx"]) {
+    const c2 = normalizeFileKey(path6__default__default.join(joined, idx));
+    if (knownFiles.has(c2)) return c2;
+  }
+  return void 0;
+}
+function moduleSpecifierText(m) {
+  if (m && import_typescript.default.isStringLiteral(m)) return m.text;
+  if (m && import_typescript.default.isNoSubstitutionTemplateLiteral(m)) return m.text;
+  return void 0;
+}
+function isDynamicImportCall(n) {
+  return n.expression.kind === import_typescript.default.SyntaxKind.ImportKeyword;
+}
+function addJsxTagNameToCalls(tag, into) {
+  if (import_typescript.default.isIdentifier(tag)) {
+    into.add(tag.text);
+  } else if (import_typescript.default.isPropertyAccessExpression(tag)) {
+    if (import_typescript.default.isIdentifier(tag.name)) into.add(tag.name.text);
+    if (import_typescript.default.isIdentifier(tag.expression)) into.add(tag.expression.text);
+  } else if (tag.kind === import_typescript.default.SyntaxKind.ThisKeyword) ;
+  else if (import_typescript.default.isJsxNamespacedName(tag)) {
+    into.add(tag.name.text);
+  }
+}
+function addCreateElementComponentArg(n, into) {
+  const e = n.expression;
+  let isComponentFactory = false;
+  if (import_typescript.default.isIdentifier(e)) {
+    isComponentFactory = /^(createElement|h|jsx|jsxs|jsxDEV)$/.test(e.text);
+  } else if (import_typescript.default.isPropertyAccessExpression(e) && import_typescript.default.isIdentifier(e.name)) {
+    isComponentFactory = /^(createElement|jsx|jsxs|jsxDEV)$/.test(e.name.text);
+  }
+  if (!isComponentFactory) return;
+  const first = n.arguments[0];
+  if (first && import_typescript.default.isIdentifier(first)) {
+    into.add(first.text);
+  }
+}
+function collectCallAndNewNames(sf, fromFileAbs, knownFiles, dynamicImportTargets) {
   const calls = /* @__PURE__ */ new Set();
   const ctors = /* @__PURE__ */ new Set();
   const visit = (n) => {
     if (import_typescript.default.isCallExpression(n)) {
+      if (isDynamicImportCall(n)) {
+        const a0 = n.arguments[0];
+        if (a0 && import_typescript.default.isStringLiteral(a0)) {
+          const t = resolveRelativeModule(fromFileAbs, a0.text, knownFiles);
+          if (t) dynamicImportTargets.add(t);
+        }
+      }
+      addCreateElementComponentArg(n, calls);
       const e = n.expression;
       if (import_typescript.default.isIdentifier(e)) {
         calls.add(e.text);
@@ -5524,6 +7627,10 @@ function collectCallAndNewNames(sf) {
       }
     } else if (import_typescript.default.isNewExpression(n) && import_typescript.default.isIdentifier(n.expression)) {
       ctors.add(n.expression.text);
+    } else if (import_typescript.default.isJsxSelfClosingElement(n) || import_typescript.default.isJsxOpeningElement(n)) {
+      addJsxTagNameToCalls(n.tagName, calls);
+    } else if (import_typescript.default.isObjectLiteralExpression(n)) {
+      collectObjectRouteStringNames(n, calls);
     }
     import_typescript.default.forEachChild(n, visit);
   };
@@ -5591,6 +7698,83 @@ function collectExportedValueFunctions(sf, absolutePath) {
   }
   return out;
 }
+function addReExportAliases(fromFileAbs, st, knownFiles, into) {
+  const spec = st.moduleSpecifier && moduleSpecifierText(st.moduleSpecifier);
+  if (!spec) return;
+  const target = resolveRelativeModule(fromFileAbs, spec, knownFiles);
+  if (!target) return;
+  if (!st.exportClause || !import_typescript.default.isNamedExports(st.exportClause)) return;
+  for (const el of st.exportClause.elements) {
+    const local = (el.propertyName ?? el.name).text;
+    const exportAs = el.name.text;
+    let perFile = into.get(target);
+    if (!perFile) {
+      perFile = /* @__PURE__ */ new Map();
+      into.set(target, perFile);
+    }
+    let set = perFile.get(local);
+    if (!set) {
+      set = /* @__PURE__ */ new Set();
+      perFile.set(local, set);
+    }
+    set.add(local);
+    set.add(exportAs);
+  }
+}
+function getNamesFromExportRecordList(records) {
+  return records.map((r) => r.exportName);
+}
+var ROUTE_STRING_PROP = /^(component|element|page|screen|loader|pathcomponent)$/i;
+function collectObjectRouteStringNames(n, into) {
+  if (!import_typescript.default.isObjectLiteralExpression(n)) {
+    return;
+  }
+  for (const p of n.properties) {
+    if (!import_typescript.default.isPropertyAssignment(p)) continue;
+    const key = p.name;
+    let keyText;
+    if (import_typescript.default.isIdentifier(key)) {
+      keyText = key.text;
+    } else if (import_typescript.default.isStringLiteral(key) || import_typescript.default.isNoSubstitutionTemplateLiteral(key)) {
+      keyText = key.text;
+    }
+    if (!keyText || !ROUTE_STRING_PROP.test(keyText)) continue;
+    const v = p.initializer;
+    if (import_typescript.default.isStringLiteral(v) || import_typescript.default.isNoSubstitutionTemplateLiteral(v)) {
+      const s = v.text;
+      if (/^[A-Z][A-Za-z0-9_]*$/.test(s) && s.length >= 2) {
+        into.add(s);
+      }
+    }
+  }
+}
+function saturateReexportSeeds(mergedCalls, mergedCtors, reExportAliases) {
+  const S = /* @__PURE__ */ new Set([...mergedCalls, ...mergedCtors]);
+  const MAX_ITER = 100;
+  let iter = 0;
+  let changed = true;
+  while (changed && iter < MAX_ITER) {
+    iter++;
+    changed = false;
+    for (const perLocal of reExportAliases.values()) {
+      for (const names of perLocal.values()) {
+        if (![...names].some((n) => S.has(n))) continue;
+        for (const m of names) {
+          if (!S.has(m)) {
+            S.add(m);
+            changed = true;
+          }
+        }
+      }
+    }
+  }
+  if (iter >= MAX_ITER && changed) {
+    console.debug(
+      `[IMPL007] saturateReexportSeeds hit MAX_ITER=${MAX_ITER}; results may be incomplete`
+    );
+  }
+  return S;
+}
 var IMPL007_SKIP_NAMES = /* @__PURE__ */ new Set([
   "handler",
   "main",
@@ -5613,43 +7797,86 @@ function findUncalledExportedFunctions(files, options) {
   const signal = options?.signal;
   const findings = [];
   if (files.length === 0) return findings;
-  const mergedCalls = /* @__PURE__ */ new Set();
-  const mergedCtors = /* @__PURE__ */ new Set();
+  const knownFiles = /* @__PURE__ */ new Set();
+  for (const f of files) {
+    knownFiles.add(normalizeFileKey(f.absolutePath));
+  }
+  const sourceByAbs = /* @__PURE__ */ new Map();
   for (const f of files) {
-    if (signal?.aborted) return [];
     if (f.relativePath.endsWith(".d.ts")) continue;
-    let sf;
+    const key = normalizeFileKey(f.absolutePath);
     try {
-      sf = import_typescript.default.createSourceFile(
+      const sf = import_typescript.default.createSourceFile(
         f.absolutePath,
         f.source,
         import_typescript.default.ScriptTarget.Latest,
         true,
         scriptKind(f.absolutePath)
       );
+      sourceByAbs.set(key, sf);
     } catch {
-      continue;
     }
-    const { calls, ctors } = collectCallAndNewNames(sf);
+  }
+  const reExportAliases = /* @__PURE__ */ new Map();
+  for (const f of files) {
+    if (signal?.aborted) return [];
+    if (f.relativePath.endsWith(".d.ts")) continue;
+    const k = normalizeFileKey(f.absolutePath);
+    const sf = sourceByAbs.get(k);
+    if (!sf) continue;
+    for (const st of sf.statements) {
+      if (import_typescript.default.isExportDeclaration(st) && st.moduleSpecifier) {
+        if (st.exportClause && import_typescript.default.isNamedExports(st.exportClause)) {
+          addReExportAliases(f.absolutePath, st, knownFiles, reExportAliases);
+        }
+      }
+    }
+  }
+  const mergedCalls = /* @__PURE__ */ new Set();
+  const mergedCtors = /* @__PURE__ */ new Set();
+  const dynamicImportTargets = /* @__PURE__ */ new Set();
+  const exportStarTargets = /* @__PURE__ */ new Set();
+  for (const f of files) {
+    if (signal?.aborted) return [];
+    if (f.relativePath.endsWith(".d.ts")) continue;
+    const k = normalizeFileKey(f.absolutePath);
+    const sf = sourceByAbs.get(k);
+    if (!sf) continue;
+    for (const st of sf.statements) {
+      if (import_typescript.default.isExportDeclaration(st) && st.moduleSpecifier && st.exportClause === void 0) {
+        const spec = moduleSpecifierText(st.moduleSpecifier);
+        if (spec) {
+          const t = resolveRelativeModule(f.absolutePath, spec, knownFiles);
+          if (t) exportStarTargets.add(t);
+        }
+      }
+    }
+    const { calls, ctors } = collectCallAndNewNames(
+      sf,
+      f.absolutePath,
+      knownFiles,
+      dynamicImportTargets
+    );
     for (const c2 of calls) mergedCalls.add(c2);
     for (const c2 of ctors) mergedCtors.add(c2);
   }
+  for (const targetAbs of /* @__PURE__ */ new Set([...dynamicImportTargets, ...exportStarTargets])) {
+    if (signal?.aborted) return [];
+    const tKey = normalizeFileKey(targetAbs);
+    const tSf = sourceByAbs.get(tKey);
+    if (!tSf) continue;
+    for (const n of getNamesFromExportRecordList(collectExportedValueFunctions(tSf, tKey))) {
+      mergedCalls.add(n);
+    }
+  }
+  const usageNames = saturateReexportSeeds(mergedCalls, mergedCtors, reExportAliases);
   for (const f of files) {
     if (signal?.aborted) return [];
     if (f.isTest || f.relativePath.endsWith(".d.ts")) continue;
     if (isIndexBarrel(f.relativePath)) continue;
-    let sf;
-    try {
-      sf = import_typescript.default.createSourceFile(
-        f.absolutePath,
-        f.source,
-        import_typescript.default.ScriptTarget.Latest,
-        true,
-        scriptKind(f.absolutePath)
-      );
-    } catch {
-      continue;
-    }
+    const k = normalizeFileKey(f.absolutePath);
+    const sf = sourceByAbs.get(k);
+    if (!sf) continue;
     const exports$1 = collectExportedValueFunctions(sf, f.absolutePath);
     const seen = /* @__PURE__ */ new Set();
     for (const ex of exports$1) {
@@ -5659,9 +7886,9 @@ function findUncalledExportedFunctions(files, options) {
       if (name.startsWith("_")) continue;
       if (IMPL007_SKIP_NAMES.has(name)) continue;
       if (name.length <= 1) continue;
-      const usedAsCall = mergedCalls.has(name);
-      const usedAsCtor = mergedCtors.has(name);
-      if (usedAsCall || usedAsCtor) continue;
+      if (usageNames.has(name)) {
+        continue;
+      }
       const id = fnv1aId(`${ex.absolutePath}::${ex.line}::${ex.column}::IMPL007::${name}`);
       findings.push({
         id,
@@ -5682,96 +7909,6 @@ function findUncalledExportedFunctions(files, options) {
   }
   return findings;
 }
-var TRUTHPACK_DIR = ".vibecheck/truthpack";
-async function loadTruthpack(workspaceRoot) {
-  const dir = path5__default.join(workspaceRoot, TRUTHPACK_DIR);
-  try {
-    await fs.access(dir);
-  } catch {
-    return null;
-  }
-  try {
-    const [routesData, envData] = await Promise.all([
-      fs.readFile(path5__default.join(dir, "routes.json"), "utf-8").catch(() => '{"routes":[]}'),
-      fs.readFile(path5__default.join(dir, "env.json"), "utf-8").catch(() => '{"variables":[]}')
-    ]);
-    const routesJson = JSON.parse(routesData);
-    const envJson = JSON.parse(envData);
-    return {
-      routes: routesJson.routes ?? [],
-      env: envJson.variables ?? []
-    };
-  } catch {
-    return null;
-  }
-}
-var TruthpackEnvIndex = class {
-  _index;
-  constructor(envVars, allowlistEnvVars) {
-    this._index = new Set(envVars.map((v) => v.name));
-    if (Array.isArray(allowlistEnvVars)) {
-      for (const v of allowlistEnvVars) {
-        if (typeof v === "string" && /^[A-Z_][A-Z0-9_]*$/.test(v)) this._index.add(v);
-      }
-    }
-  }
-  get index() {
-    return this._index;
-  }
-  has(name) {
-    return this._index.has(name);
-  }
-};
-function compileRoutePattern(routePath) {
-  let isDynamic = false;
-  let isCatchAll = false;
-  let pattern = routePath.replace(/\[\[\.\.\.(\w+)\]\]/g, () => {
-    isDynamic = true;
-    isCatchAll = true;
-    return "(?:\\/.*)?";
-  }).replace(/\[\.\.\.(\w+)\]/g, () => {
-    isDynamic = true;
-    isCatchAll = true;
-    return "\\/.*";
-  }).replace(/\[(\w+)\]/g, () => {
-    isDynamic = true;
-    return "\\/[^/]+";
-  }).replace(/:\w+/g, () => {
-    isDynamic = true;
-    return "\\/[^/]+";
-  });
-  pattern = pattern.replace(/\//g, "\\/").replace(/\\\\\//g, "\\/");
-  return {
-    regex: new RegExp(`^${pattern}$`),
-    isDynamic,
-    isCatchAll
-  };
-}
-function truthpackToRouteIndex(routes, workspaceRoot) {
-  const entries = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const r of routes) {
-    const pathStr = r.path ?? "";
-    if (!pathStr.startsWith("/")) continue;
-    const pattern = pathStr.startsWith("/api") ? pathStr : pathStr;
-    const key = `${pattern}:${r.method ?? "GET"}`;
-    if (seen.has(key)) continue;
-    seen.add(key);
-    const compiled = compileRoutePattern(pattern);
-    entries.push({
-      pattern,
-      regex: compiled.regex,
-      isDynamic: compiled.isDynamic,
-      isCatchAll: compiled.isCatchAll,
-      filePath: r.file ? path5__default.resolve(workspaceRoot, r.file) : ""
-    });
-  }
-  return {
-    routes: entries,
-    framework: "truthpack",
-    builtAt: Date.now()
-  };
-}
 function deterministicId2(workspaceRoot, routePath, status) {
   const input = `rtprobe:${workspaceRoot}::${routePath}::${status}::VRD007`;
   let hash = 2166136261;
@@ -5789,20 +7926,20 @@ var DEFAULT_CONFIG = {
 };
 var probedWorkspaces = /* @__PURE__ */ new Set();
 function getWorkspaceRoot(filePath) {
-  let dir = path5__default.dirname(filePath);
-  const root = path5__default.parse(dir).root;
+  let dir = path6__default.dirname(filePath);
+  const root = path6__default.parse(dir).root;
   while (dir !== root) {
     try {
-      const pkg = path5__default.join(dir, "package.json");
+      const pkg = path6__default.join(dir, "package.json");
       if (existsSync(pkg)) return dir;
     } catch (err) {
       if (process.env.VIBECHECK_DEBUG) {
         console.warn("[runtime_probe] getWorkspaceRoot check failed:", err instanceof Error ? err.message : err);
       }
     }
-    dir = path5__default.dirname(dir);
+    dir = path6__default.dirname(dir);
   }
-  return path5__default.dirname(filePath);
+  return path6__default.dirname(filePath);
 }
 function matchGlob(routePath, pattern) {
   const regex = pattern.replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^/]*").replace(/{{GLOBSTAR}}/g, ".*").replace(/\?/g, ".");
@@ -5946,7 +8083,7 @@ var EnvLoader = class {
     let hasAnyEnvFile = false;
     for (const f of envFiles) {
       try {
-        const content = fs2.readFileSync(path5__default.join(workspaceRoot, f), "utf-8");
+        const content = fs2.readFileSync(path6__default.join(workspaceRoot, f), "utf-8");
         hasAnyEnvFile = true;
         if (!EXAMPLE_ONLY_FILES.has(f)) {
           hasRealEnvFile = true;
@@ -5957,7 +8094,7 @@ var EnvLoader = class {
         }
       } catch (err) {
         if (err?.code === "EACCES") {
-          process.stderr.write(`[vibecheck] Permission denied: ${path5__default.join(workspaceRoot, f)}
+          process.stderr.write(`[vibecheck] Permission denied: ${path6__default.join(workspaceRoot, f)}
 `);
         }
       }
@@ -5968,17 +8105,17 @@ var EnvLoader = class {
     if (hasAnyEnvFile && !hasRealEnvFile) {
       this.exampleOnly = true;
     }
-    const workflowsDir = path5__default.join(workspaceRoot, ".github", "workflows");
+    const workflowsDir = path6__default.join(workspaceRoot, ".github", "workflows");
     if (fs2.existsSync(workflowsDir)) {
       for (const f of fs2.readdirSync(workflowsDir)) {
         if (!f.endsWith(".yml") && !f.endsWith(".yaml")) continue;
         try {
-          const content = fs2.readFileSync(path5__default.join(workflowsDir, f), "utf-8");
+          const content = fs2.readFileSync(path6__default.join(workflowsDir, f), "utf-8");
           const matches = content.match(/([A-Z_][A-Z0-9_]*):/g) ?? [];
           matches.forEach((v) => this._index.add(v.replace(":", "")));
         } catch (err) {
           if (err?.code === "EACCES") {
-            process.stderr.write(`[vibecheck] Permission denied: ${path5__default.join(workflowsDir, f)}
+            process.stderr.write(`[vibecheck] Permission denied: ${path6__default.join(workflowsDir, f)}
 `);
           }
         }
@@ -6534,10 +8671,11 @@ var DEFAULT_ENGINE_THRESHOLDS = {
   ghost_route: 0.65,
   phantom_dep: 0.55,
   api_truth: 0.65,
-  logic_gap: 0.55,
-  error_handling: 0.55,
-  outcome_verification: 0.55,
-  incomplete_impl: 0.5,
+  /** Slightly higher default confidence to reduce heuristic false positives. */
+  logic_gap: 0.57,
+  error_handling: 0.57,
+  outcome_verification: 0.57,
+  incomplete_impl: 0.52,
   framework_packs: 0.55
 };
 var INLINE_SUPPRESS_RE = /\/\/\s*vibecheck-ignore-next-line(?:\s+([A-Z0-9]+(?:\s+[A-Z0-9]+)*))?/i;
@@ -6582,17 +8720,28 @@ function deduplicateFindings(findings) {
     }
   }
   const byLocation = /* @__PURE__ */ new Map();
+  const wordSetCache = /* @__PURE__ */ new WeakMap();
+  const getWords = (f) => {
+    let s = wordSetCache.get(f);
+    if (!s) {
+      const slice = f.message.slice(0, 40).toLowerCase();
+      s = new Set(slice.split(/\W+/).filter((w) => w.length > 3));
+      wordSetCache.set(f, s);
+    }
+    return s;
+  };
   for (const f of map.values()) {
     const locKey = `${f.file}::${f.line}`;
     const existing = byLocation.get(locKey);
     if (!existing) {
       byLocation.set(locKey, f);
     } else {
-      const msgOverlap = f.message.slice(0, 40).toLowerCase();
-      const existMsgOverlap = existing.message.slice(0, 40).toLowerCase();
-      const fWords = new Set(msgOverlap.split(/\W+/).filter((w) => w.length > 3));
-      const eWords = new Set(existMsgOverlap.split(/\W+/).filter((w) => w.length > 3));
-      const overlap = [...fWords].filter((w) => eWords.has(w)).length;
+      const fWords = getWords(f);
+      const eWords = getWords(existing);
+      let overlap = 0;
+      for (const w of fWords) {
+        if (eWords.has(w)) overlap++;
+      }
       if (overlap >= 2) {
         if (f.confidence > existing.confidence) {
           byLocation.set(locKey, f);
@@ -6605,7 +8754,7 @@ function deduplicateFindings(findings) {
   return [...byLocation.values()];
 }
 function makeDelta(filePath, text) {
-  const ext = path5__default.extname(filePath).toLowerCase();
+  const ext = path6__default.extname(filePath).toLowerCase();
   const lines = text.split("\n");
   return {
     documentUri: filePath,
@@ -6724,9 +8873,9 @@ function normalizeGhostRoutePrefixes(routes) {
 }
 function toApiFinding(f, projectRoot) {
   const abs = f.file.replace(/^file:\/\//, "");
-  const rel = path5__default.relative(projectRoot, abs).replace(/\\/g, "/");
+  const rel = path6__default.relative(projectRoot, abs).replace(/\\/g, "/");
   const fileOut = rel && !rel.startsWith("..") ? rel : abs;
-  return {
+  const out = {
     id: f.id,
     ruleId: f.ruleId ?? f.engine,
     engine: String(f.engine),
@@ -6738,8 +8887,21 @@ function toApiFinding(f, projectRoot) {
     code: f.evidence ?? "",
     message: f.message,
     fix: f.suggestion ?? "",
-    autoFixable: f.autoFixable
+    autoFixable: f.autoFixable,
+    confidence: f.confidence
   };
+  if (f.fusion) {
+    out.fusion = {
+      ...f.fusion.reason ? { reason: f.fusion.reason } : {},
+      ...f.fusion.clusterSize != null ? { clusterSize: f.fusion.clusterSize } : {},
+      ...f.fusion.originalSeverity ? { originalSeverity: f.fusion.originalSeverity } : {},
+      ...f.fusion.originalConfidence != null ? { originalConfidence: f.fusion.originalConfidence } : {}
+    };
+  }
+  if (f.relatedFindings && f.relatedFindings.length > 0) {
+    out.relatedFindings = f.relatedFindings;
+  }
+  return out;
 }
 async function scan(opts) {
   const {
@@ -6763,7 +8925,7 @@ async function scan(opts) {
   const internalSignal = ac.signal;
   setMaxListeners(64, internalSignal);
   const absoluteFiles = rawFiles.map(
-    (f) => path5__default.isAbsolute(f) ? path5__default.normalize(f) : path5__default.normalize(path5__default.join(projectRoot, f))
+    (f) => path6__default.isAbsolute(f) ? path6__default.normalize(f) : path6__default.normalize(path6__default.join(projectRoot, f))
   );
   if (internalSignal.aborted || absoluteFiles.length === 0) {
     return {
@@ -6804,7 +8966,7 @@ async function scan(opts) {
   registry.register(
     new PhantomDepEngine(projectRoot, {
       confidenceThreshold: getThreshold("phantom_dep"),
-      registryCachePath: path5__default.join(projectRoot, ".vibecheck", "registry-cache.json")
+      registryCachePath: path6__default.join(projectRoot, ".vibecheck", "registry-cache.json")
     }),
     { timeoutMs: engineTimeouts["phantom-dep"] ?? 100, priority: 2 }
   );
@@ -6848,6 +9010,19 @@ async function scan(opts) {
     timeoutMs: engineTimeouts["incomplete-impl"] ?? 40,
     priority: 11
   });
+  registry.register(new SlopsquatEngine(), {
+    timeoutMs: engineTimeouts.slopsquat ?? 30,
+    priority: 2.7
+  });
+  const knownHosts = truthpack ? extractKnownHostsFromIntegrations(truthpack.integrations) : /* @__PURE__ */ new Set();
+  registry.register(new AIRulesAttackEngine({ knownHosts }), {
+    timeoutMs: engineTimeouts["ai-rules-attack"] ?? 60,
+    priority: 4.5
+  });
+  registry.register(new TestQualityEngine(), {
+    timeoutMs: engineTimeouts["test-quality"] ?? 30,
+    priority: 11.5
+  });
   applyEngineAllowlist(registry, expandEngineAllowlist(enginesOpt));
   await registry.activateAll((id, err) => {
     console.warn(`[VibeCheck] Engine "${id}" activation failed:`, err);
@@ -6865,11 +9040,11 @@ async function scan(opts) {
   const rows = [];
   for (const file of absoluteFiles) {
     if (internalSignal.aborted) break;
-    const ext = path5__default.extname(file).toLowerCase();
+    const ext = path6__default.extname(file).toLowerCase();
     if (!CHECKED_EXTS.has(ext)) {
       rows.push({
         file,
-        relativePath: path5__default.relative(projectRoot, file).replace(/\\/g, "/"),
+        relativePath: path6__default.relative(projectRoot, file).replace(/\\/g, "/"),
         findings: [],
         skipped: true,
         skipReason: "Unsupported extension"
@@ -6882,7 +9057,7 @@ async function scan(opts) {
     } catch {
       rows.push({
         file,
-        relativePath: path5__default.relative(projectRoot, file).replace(/\\/g, "/"),
+        relativePath: path6__default.relative(projectRoot, file).replace(/\\/g, "/"),
         findings: [],
         skipped: true,
         skipReason: "Stat error"
@@ -6892,7 +9067,7 @@ async function scan(opts) {
     if (stat2.size > MAX_FILE_SIZE) {
       rows.push({
         file,
-        relativePath: path5__default.relative(projectRoot, file).replace(/\\/g, "/"),
+        relativePath: path6__default.relative(projectRoot, file).replace(/\\/g, "/"),
         findings: [],
         skipped: true,
         skipReason: "File too large"
@@ -6905,7 +9080,7 @@ async function scan(opts) {
     } catch {
       rows.push({
         file,
-        relativePath: path5__default.relative(projectRoot, file).replace(/\\/g, "/"),
+        relativePath: path6__default.relative(projectRoot, file).replace(/\\/g, "/"),
         findings: [],
         skipped: true,
         skipReason: "Read error"
@@ -6915,7 +9090,7 @@ async function scan(opts) {
     if (text.trim().length === 0) {
       rows.push({
         file,
-        relativePath: path5__default.relative(projectRoot, file).replace(/\\/g, "/"),
+        relativePath: path6__default.relative(projectRoot, file).replace(/\\/g, "/"),
         findings: [],
         skipped: true,
         skipReason: "Empty file"
@@ -6925,7 +9100,7 @@ async function scan(opts) {
     if (incompleteWorkspaceEnabled && (ext === ".ts" || ext === ".tsx") && !file.endsWith(".d.ts")) {
       workspaceTsFiles.push({
         absolutePath: file,
-        relativePath: path5__default.relative(projectRoot, file).replace(/\\/g, "/"),
+        relativePath: path6__default.relative(projectRoot, file).replace(/\\/g, "/"),
         source: text,
         isTest: isTestLikeScanPath(file)
       });
@@ -6958,7 +9133,7 @@ async function scan(opts) {
     }
     rows.push({
       file,
-      relativePath: path5__default.relative(projectRoot, file).replace(/\\/g, "/"),
+      relativePath: path6__default.relative(projectRoot, file).replace(/\\/g, "/"),
       findings: deduped,
       skipped: false
     });
@@ -6970,20 +9145,24 @@ async function scan(opts) {
     if (extra007.length > 0) {
       const byFile = /* @__PURE__ */ new Map();
       for (const x of extra007) {
-        const k = path5__default.normalize(x.file);
+        const k = path6__default.normalize(x.file);
         const list = byFile.get(k) ?? [];
         list.push(x);
         byFile.set(k, list);
       }
       for (const row of rows) {
         if (row.skipped) continue;
-        const add = byFile.get(path5__default.normalize(row.file));
+        const add = byFile.get(path6__default.normalize(row.file));
         if (add?.length) {
           row.findings = deduplicateFindings([...row.findings, ...add]);
         }
       }
     }
   }
+  for (const row of rows) {
+    if (row.skipped || row.findings.length === 0) continue;
+    row.findings = fuseFindings(row.findings);
+  }
   await registry.prepareDispose();
   registry.dispose();
   let filesScanned = 0;
@@ -7077,7 +9256,7 @@ function severityRank(s) {
   return 4;
 }
 function relPath(workspaceRoot, file) {
-  return path5__default.relative(workspaceRoot, file).replace(/\\/g, "/");
+  return path6__default.relative(workspaceRoot, file).replace(/\\/g, "/");
 }
 function clusterWeight(f) {
   if (f.severity === "critical") return 4;
@@ -7156,6 +9335,7 @@ function buildCiSummaryJson(findings, score, workspaceRoot, opts = {}) {
   const fixableCount = findings.filter((f) => f.autoFixable).length;
   const fixableWithSuggestion = findings.filter((f) => f.autoFixable && f.suggestion).length;
   const shipBlockers = buildShipBlockers(findings, score, opts);
+  const fusionStats = computeFusionStats(findings);
   const md = formatCiSummaryMarkdownFromParts({
     score,
     findingsCount: findings.length,
@@ -7165,7 +9345,8 @@ function buildCiSummaryJson(findings, score, workspaceRoot, opts = {}) {
     fixableWithSuggestion,
     shipBlockers,
     threshold: opts.threshold,
-    failOn: opts.failOn
+    failOn: opts.failOn,
+    fusionStats
   });
   return {
     summaryMarkdown: md,
@@ -7173,7 +9354,8 @@ function buildCiSummaryJson(findings, score, workspaceRoot, opts = {}) {
     topFindings,
     fixableCount,
     fixableWithSuggestion,
-    shipBlockers
+    shipBlockers,
+    fusionStats
   };
 }
 function formatCiSummaryMarkdownFromParts(p) {
@@ -7228,6 +9410,25 @@ function formatCiSummaryMarkdownFromParts(p) {
     );
   }
   lines.push("");
+  if (p.fusionStats && p.fusionStats.totalFindings > 0 && (p.fusionStats.boostedFindings > 0 || p.fusionStats.escalatedFindings > 0)) {
+    const s = p.fusionStats;
+    lines.push("### Cross-engine fusion");
+    lines.push("");
+    const parts = [];
+    if (s.escalatedFindings > 0) {
+      parts.push(`**${s.escalatedFindings}** escalated`);
+    }
+    if (s.boostedFindings > 0) {
+      parts.push(`**${s.boostedFindings}** confidence-boosted`);
+    }
+    parts.push(`largest cluster size: **${s.largestClusterSize}**`);
+    lines.push(parts.join(" \xB7 ") + ".");
+    lines.push("");
+    lines.push(
+      `_Across ${s.totalFindings} finding(s) in ${s.totalClusters} cluster(s), multiple engines independently flagged ${s.boostedFindings + s.escalatedFindings} location(s). Cross-engine concurrence is a strong independent signal._`
+    );
+    lines.push("");
+  }
   const gateParts = [];
   if (typeof p.threshold === "number") {
     gateParts.push(`threshold ${p.threshold}`);
@@ -7271,6 +9472,18 @@ function formatCiSummaryPlainLines(findings, score, _workspaceRoot, opts = {}) {
   if (fixable > 0) {
     out.push(`  Auto-fixable: ${fixable}${withSug ? ` (${withSug} with suggestions)` : ""}`);
   }
+  const fusionStats = computeFusionStats(findings);
+  if (fusionStats.boostedFindings > 0 || fusionStats.escalatedFindings > 0) {
+    const parts = [];
+    if (fusionStats.escalatedFindings > 0) {
+      parts.push(`${fusionStats.escalatedFindings} escalated`);
+    }
+    if (fusionStats.boostedFindings > 0) {
+      parts.push(`${fusionStats.boostedFindings} boosted`);
+    }
+    parts.push(`largest cluster ${fusionStats.largestClusterSize}`);
+    out.push(`  Cross-engine fusion: ${parts.join(", ")}`);
+  }
   return out;
 }
 var SARIF_SCHEMA_URL = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json";
@@ -7291,6 +9504,15 @@ function toSarif(input, workspaceRoot, options = {}) {
   } = options;
   const rulesMap = /* @__PURE__ */ new Map();
   const sarifResults = [];
+  const findingIndex = /* @__PURE__ */ new Map();
+  for (const fileResult of input.files) {
+    const relPathForFile = fileResult.relativePath ?? path6__default.relative(workspaceRoot, fileResult.file).replace(/\\/g, "/");
+    for (const finding of fileResult.findings) {
+      if (finding.id) {
+        findingIndex.set(finding.id, { finding, relPath: relPathForFile });
+      }
+    }
+  }
   for (const fileResult of input.files) {
     for (const finding of fileResult.findings) {
       const ruleId = finding.ruleId ?? `${finding.engine}-${finding.category}`;
@@ -7300,7 +9522,7 @@ function toSarif(input, workspaceRoot, options = {}) {
           shortDescription: { text: finding.message }
         });
       }
-      const relPath2 = fileResult.relativePath ?? path5__default.relative(workspaceRoot, finding.file).replace(/\\/g, "/");
+      const relPath2 = fileResult.relativePath ?? path6__default.relative(workspaceRoot, finding.file).replace(/\\/g, "/");
       const region = {
         startLine: finding.line
       };
@@ -7313,9 +9535,12 @@ function toSarif(input, workspaceRoot, options = {}) {
       if (finding.endColumn != null && finding.endColumn >= 0) {
         region.endColumn = finding.endColumn + 1;
       }
-      const messageText = finding.suggestion ? `${finding.message}
+      const fusionNote = finding.fusion?.reason ? `
+
+[Fusion: ${finding.fusion.reason}` + (finding.fusion.originalSeverity ? ` \u2014 originally ${finding.fusion.originalSeverity}` : "") + "]" : "";
+      const messageText = (finding.suggestion ? `${finding.message}
 
-Suggestion: ${finding.suggestion}` : finding.message;
+Suggestion: ${finding.suggestion}` : finding.message) + fusionNote;
       const sarifResult = {
         ruleId,
         level: SEVERITY_TO_SARIF_LEVEL[finding.severity] ?? "warning",
@@ -7332,6 +9557,50 @@ Suggestion: ${finding.suggestion}` : finding.message;
       if (finding.suggestion) {
         sarifResult.fixes = [{ description: { text: finding.suggestion } }];
       }
+      const relatedIds = finding.relatedFindings ?? [];
+      if (relatedIds.length > 0) {
+        const relatedLocations = [];
+        for (const relId of relatedIds) {
+          const target = findingIndex.get(relId);
+          if (!target) continue;
+          relatedLocations.push({
+            physicalLocation: {
+              artifactLocation: { uri: target.relPath },
+              region: {
+                startLine: target.finding.line,
+                ...target.finding.column != null && target.finding.column >= 0 ? { startColumn: target.finding.column + 1 } : {}
+              }
+            },
+            message: {
+              text: `Related: ${target.finding.ruleId ?? target.finding.engine} \u2014 ${target.finding.message.slice(0, 100)}`
+            }
+          });
+        }
+        if (relatedLocations.length > 0) {
+          sarifResult.relatedLocations = relatedLocations;
+        }
+      }
+      const properties = {};
+      if (typeof finding.confidence === "number") {
+        properties.confidence = finding.confidence;
+      }
+      if (finding.id) {
+        properties.fingerprint = finding.id;
+      }
+      if (finding.fusion) {
+        properties.fusion = {
+          ...finding.fusion.reason ? { reason: finding.fusion.reason } : {},
+          ...finding.fusion.clusterSize != null ? { clusterSize: finding.fusion.clusterSize } : {},
+          ...finding.fusion.originalSeverity ? { originalSeverity: finding.fusion.originalSeverity } : {},
+          ...finding.fusion.originalConfidence != null ? { originalConfidence: finding.fusion.originalConfidence } : {}
+        };
+      }
+      if (relatedIds.length > 0) {
+        properties.relatedFindings = relatedIds;
+      }
+      if (Object.keys(properties).length > 0) {
+        sarifResult.properties = properties;
+      }
       sarifResults.push(sarifResult);
     }
   }
@@ -7378,7 +9647,7 @@ function formatJson(result, options) {
       return {
         ...f,
         filePath: fr.file,
-        relativePath: fr.relativePath ?? path5__default.relative(options.workspaceRoot, fr.file).replace(/\\/g, "/"),
+        relativePath: fr.relativePath ?? path6__default.relative(options.workspaceRoot, fr.file).replace(/\\/g, "/"),
         riskDimension,
         suggestion: improveRemediationText(f.suggestion, riskDimension)
       };
@@ -7485,7 +9754,7 @@ async function findFile(dir, pattern, maxDepth = 5, currentDepth = 0) {
       if (entry.name.startsWith(".") || entry.name === "node_modules" || entry.name === "dist" || entry.name === "build") {
         continue;
       }
-      const fullPath = path5__default__default.join(dir, entry.name);
+      const fullPath = path6__default__default.join(dir, entry.name);
       if (entry.isDirectory()) {
         const found = await findFile(fullPath, pattern, maxDepth, currentDepth + 1);
         if (found) return found;
@@ -7507,7 +9776,7 @@ async function readFileSafe(filePath) {
 }
 async function seoEngine(projectPath) {
   const issues = [];
-  const hasRobots = await pathExists(path5__default__default.join(projectPath, "public", "robots.txt"));
+  const hasRobots = await pathExists(path6__default__default.join(projectPath, "public", "robots.txt"));
   if (!hasRobots) {
     issues.push({
       id: "missing-robots",
@@ -7519,7 +9788,7 @@ async function seoEngine(projectPath) {
       autoFixable: true
     });
   }
-  const hasSitemap = await pathExists(path5__default__default.join(projectPath, "public", "sitemap.xml")) || await findFile(projectPath, /sitemap/i);
+  const hasSitemap = await pathExists(path6__default__default.join(projectPath, "public", "sitemap.xml")) || await findFile(projectPath, /sitemap/i);
   if (!hasSitemap) {
     issues.push({
       id: "missing-sitemap",
@@ -7543,7 +9812,7 @@ async function seoEngine(projectPath) {
       autoFixable: true
     });
   }
-  const hasOgImage = await pathExists(path5__default__default.join(projectPath, "public", "og-image.png")) || await pathExists(path5__default__default.join(projectPath, "public", "og.png")) || await findFile(path5__default__default.join(projectPath, "public"), /og[-_]?image/i);
+  const hasOgImage = await pathExists(path6__default__default.join(projectPath, "public", "og-image.png")) || await pathExists(path6__default__default.join(projectPath, "public", "og.png")) || await findFile(path6__default__default.join(projectPath, "public"), /og[-_]?image/i);
   if (!hasOgImage) {
     issues.push({
       id: "missing-og-image",
@@ -7559,7 +9828,7 @@ async function seoEngine(projectPath) {
 }
 async function securityEngine(projectPath) {
   const issues = [];
-  const hasEnvExample = await pathExists(path5__default__default.join(projectPath, ".env.example")) || await pathExists(path5__default__default.join(projectPath, ".env.sample"));
+  const hasEnvExample = await pathExists(path6__default__default.join(projectPath, ".env.example")) || await pathExists(path6__default__default.join(projectPath, ".env.sample"));
   if (!hasEnvExample) {
     issues.push({
       id: "missing-env-example",
@@ -7571,7 +9840,7 @@ async function securityEngine(projectPath) {
       autoFixable: true
     });
   }
-  const gitignore = await readFileSafe(path5__default__default.join(projectPath, ".gitignore"));
+  const gitignore = await readFileSafe(path6__default__default.join(projectPath, ".gitignore"));
   if (gitignore && !gitignore.includes(".env")) {
     issues.push({
       id: "env-not-gitignored",
@@ -7583,7 +9852,7 @@ async function securityEngine(projectPath) {
       autoFixable: true
     });
   }
-  const packageJson = await readFileSafe(path5__default__default.join(projectPath, "package.json"));
+  const packageJson = await readFileSafe(path6__default__default.join(projectPath, "package.json"));
   const hasHelmet = packageJson && /helmet|next-secure-headers/i.test(packageJson);
   if (!hasHelmet) {
     issues.push({
@@ -7597,7 +9866,7 @@ async function securityEngine(projectPath) {
     });
   }
   const hasCors = packageJson && /cors|@fastify\/cors/i.test(packageJson);
-  const nextConfig = await readFileSafe(path5__default__default.join(projectPath, "next.config.js")) || await readFileSafe(path5__default__default.join(projectPath, "next.config.mjs")) || await readFileSafe(path5__default__default.join(projectPath, "next.config.ts"));
+  const nextConfig = await readFileSafe(path6__default__default.join(projectPath, "next.config.js")) || await readFileSafe(path6__default__default.join(projectPath, "next.config.mjs")) || await readFileSafe(path6__default__default.join(projectPath, "next.config.ts"));
   const hasNextCors = nextConfig && /headers|Access-Control/i.test(nextConfig ?? "");
   if (!hasCors && !hasNextCors) {
     issues.push({
@@ -7614,8 +9883,8 @@ async function securityEngine(projectPath) {
 }
 async function resilienceEngine(projectPath) {
   const issues = [];
-  const packageJson = await readFileSafe(path5__default__default.join(projectPath, "package.json"));
-  const srcPath = path5__default__default.join(projectPath, "src");
+  const packageJson = await readFileSafe(path6__default__default.join(projectPath, "package.json"));
+  const srcPath = path6__default__default.join(projectPath, "src");
   const hasSrc = await pathExists(srcPath);
   const searchPath = hasSrc ? srcPath : projectPath;
   if (!(packageJson && /opossum|cockatiel|resilience4j|circuit.*breaker/i.test(packageJson))) {
@@ -7686,8 +9955,8 @@ async function resilienceEngine(projectPath) {
 }
 async function performanceEngine(projectPath) {
   const issues = [];
-  const packageJson = await readFileSafe(path5__default__default.join(projectPath, "package.json"));
-  const nextConfig = await readFileSafe(path5__default__default.join(projectPath, "next.config.js")) || await readFileSafe(path5__default__default.join(projectPath, "next.config.mjs"));
+  const packageJson = await readFileSafe(path6__default__default.join(projectPath, "package.json"));
+  const nextConfig = await readFileSafe(path6__default__default.join(projectPath, "next.config.js")) || await readFileSafe(path6__default__default.join(projectPath, "next.config.mjs"));
   const hasImageOptimization = packageJson && /sharp|next\/image|@next\/image/i.test(packageJson) || nextConfig && /images:/i.test(nextConfig ?? "");
   if (!hasImageOptimization) {
     issues.push({
@@ -7728,8 +9997,8 @@ async function performanceEngine(projectPath) {
 }
 async function observabilityEngine(projectPath) {
   const issues = [];
-  const packageJson = await readFileSafe(path5__default__default.join(projectPath, "package.json"));
-  const srcPath = path5__default__default.join(projectPath, "src");
+  const packageJson = await readFileSafe(path6__default__default.join(projectPath, "package.json"));
+  const srcPath = path6__default__default.join(projectPath, "src");
   const hasSrc = await pathExists(srcPath);
   const searchPath = hasSrc ? srcPath : projectPath;
   if (!(packageJson && /@opentelemetry|otel/i.test(packageJson))) {
@@ -7785,8 +10054,8 @@ async function observabilityEngine(projectPath) {
 }
 async function infrastructureEngine(projectPath) {
   const issues = [];
-  const packageJson = await readFileSafe(path5__default__default.join(projectPath, "package.json"));
-  const hasDocker = await pathExists(path5__default__default.join(projectPath, "Dockerfile")) || await pathExists(path5__default__default.join(projectPath, "docker-compose.yml"));
+  const packageJson = await readFileSafe(path6__default__default.join(projectPath, "package.json"));
+  const hasDocker = await pathExists(path6__default__default.join(projectPath, "Dockerfile")) || await pathExists(path6__default__default.join(projectPath, "docker-compose.yml"));
   if (!hasDocker) {
     issues.push({
       id: "missing-docker",
@@ -7798,7 +10067,7 @@ async function infrastructureEngine(projectPath) {
       autoFixable: true
     });
   }
-  const hasCi = await pathExists(path5__default__default.join(projectPath, ".github", "workflows")) || await pathExists(path5__default__default.join(projectPath, ".gitlab-ci.yml")) || await pathExists(path5__default__default.join(projectPath, ".circleci"));
+  const hasCi = await pathExists(path6__default__default.join(projectPath, ".github", "workflows")) || await pathExists(path6__default__default.join(projectPath, ".gitlab-ci.yml")) || await pathExists(path6__default__default.join(projectPath, ".circleci"));
   if (!hasCi) {
     issues.push({
       id: "missing-ci",
@@ -7810,7 +10079,7 @@ async function infrastructureEngine(projectPath) {
       autoFixable: true
     });
   }
-  const hasDeployConfig = await pathExists(path5__default__default.join(projectPath, "vercel.json")) || await pathExists(path5__default__default.join(projectPath, "netlify.toml")) || await pathExists(path5__default__default.join(projectPath, "railway.json"));
+  const hasDeployConfig = await pathExists(path6__default__default.join(projectPath, "vercel.json")) || await pathExists(path6__default__default.join(projectPath, "netlify.toml")) || await pathExists(path6__default__default.join(projectPath, "railway.json"));
   if (!hasDeployConfig && !hasDocker) {
     issues.push({
       id: "missing-deployment-config",
@@ -7838,7 +10107,7 @@ async function infrastructureEngine(projectPath) {
 }
 async function documentationEngine(projectPath) {
   const issues = [];
-  const hasReadme = await pathExists(path5__default__default.join(projectPath, "README.md"));
+  const hasReadme = await pathExists(path6__default__default.join(projectPath, "README.md"));
   if (!hasReadme) {
     issues.push({
       id: "missing-readme",
@@ -7850,7 +10119,7 @@ async function documentationEngine(projectPath) {
       autoFixable: true
     });
   } else {
-    const readme = await readFileSafe(path5__default__default.join(projectPath, "README.md"));
+    const readme = await readFileSafe(path6__default__default.join(projectPath, "README.md"));
     if (readme && readme.length < 500) {
       issues.push({
         id: "insufficient-readme",
@@ -7863,7 +10132,7 @@ async function documentationEngine(projectPath) {
       });
     }
   }
-  if (!await pathExists(path5__default__default.join(projectPath, "CHANGELOG.md"))) {
+  if (!await pathExists(path6__default__default.join(projectPath, "CHANGELOG.md"))) {
     issues.push({
       id: "missing-changelog",
       category: "Documentation",
@@ -7874,7 +10143,7 @@ async function documentationEngine(projectPath) {
       autoFixable: true
     });
   }
-  if (!await pathExists(path5__default__default.join(projectPath, "CONTRIBUTING.md"))) {
+  if (!await pathExists(path6__default__default.join(projectPath, "CONTRIBUTING.md"))) {
     issues.push({
       id: "missing-contributing",
       category: "Documentation",
@@ -7885,7 +10154,7 @@ async function documentationEngine(projectPath) {
       autoFixable: true
     });
   }
-  const hasLicense = await pathExists(path5__default__default.join(projectPath, "LICENSE")) || await pathExists(path5__default__default.join(projectPath, "LICENSE.md"));
+  const hasLicense = await pathExists(path6__default__default.join(projectPath, "LICENSE")) || await pathExists(path6__default__default.join(projectPath, "LICENSE.md"));
   if (!hasLicense) {
     issues.push({
       id: "missing-license",
@@ -7901,7 +10170,7 @@ async function documentationEngine(projectPath) {
 }
 async function configurationEngine(projectPath) {
   const issues = [];
-  const tsConfig = await readFileSafe(path5__default__default.join(projectPath, "tsconfig.json"));
+  const tsConfig = await readFileSafe(path6__default__default.join(projectPath, "tsconfig.json"));
   if (tsConfig) {
     try {
       const parsed = JSON.parse(tsConfig);
@@ -7919,7 +10188,7 @@ async function configurationEngine(projectPath) {
     } catch {
     }
   }
-  const hasEslint = await pathExists(path5__default__default.join(projectPath, ".eslintrc.json")) || await pathExists(path5__default__default.join(projectPath, ".eslintrc.js")) || await pathExists(path5__default__default.join(projectPath, "eslint.config.js"));
+  const hasEslint = await pathExists(path6__default__default.join(projectPath, ".eslintrc.json")) || await pathExists(path6__default__default.join(projectPath, ".eslintrc.js")) || await pathExists(path6__default__default.join(projectPath, "eslint.config.js"));
   if (!hasEslint) {
     issues.push({
       id: "missing-eslint",
@@ -7931,7 +10200,7 @@ async function configurationEngine(projectPath) {
       autoFixable: true
     });
   }
-  const hasPrettier = await pathExists(path5__default__default.join(projectPath, ".prettierrc")) || await pathExists(path5__default__default.join(projectPath, ".prettierrc.json")) || await pathExists(path5__default__default.join(projectPath, "prettier.config.js"));
+  const hasPrettier = await pathExists(path6__default__default.join(projectPath, ".prettierrc")) || await pathExists(path6__default__default.join(projectPath, ".prettierrc.json")) || await pathExists(path6__default__default.join(projectPath, "prettier.config.js"));
   if (!hasPrettier) {
     issues.push({
       id: "missing-prettier",
@@ -7943,7 +10212,7 @@ async function configurationEngine(projectPath) {
       autoFixable: true
     });
   }
-  const hasEditorConfig = await pathExists(path5__default__default.join(projectPath, ".editorconfig"));
+  const hasEditorConfig = await pathExists(path6__default__default.join(projectPath, ".editorconfig"));
   if (!hasEditorConfig) {
     issues.push({
       id: "missing-editorconfig",
@@ -7959,13 +10228,13 @@ async function configurationEngine(projectPath) {
 }
 async function backendEngine(projectPath) {
   const issues = [];
-  const apiPath = path5__default__default.join(projectPath, "src", "server");
-  const apiAltPath = path5__default__default.join(projectPath, "api");
-  const pagesApiPath = path5__default__default.join(projectPath, "pages", "api");
-  const appApiPath = path5__default__default.join(projectPath, "app", "api");
+  const apiPath = path6__default__default.join(projectPath, "src", "server");
+  const apiAltPath = path6__default__default.join(projectPath, "api");
+  const pagesApiPath = path6__default__default.join(projectPath, "pages", "api");
+  const appApiPath = path6__default__default.join(projectPath, "app", "api");
   const hasApi = await pathExists(apiPath) || await pathExists(apiAltPath) || await pathExists(pagesApiPath) || await pathExists(appApiPath);
   if (!hasApi) return issues;
-  const packageJson = await readFileSafe(path5__default__default.join(projectPath, "package.json"));
+  const packageJson = await readFileSafe(path6__default__default.join(projectPath, "package.json"));
   const hasHealth = await findFile(projectPath, /health|healthcheck|status/i);
   if (!hasHealth) {
     issues.push({
@@ -8020,7 +10289,7 @@ async function backendEngine(projectPath) {
 }
 async function accessibilityEngine(projectPath) {
   const issues = [];
-  const packageJson = await readFileSafe(path5__default__default.join(projectPath, "package.json"));
+  const packageJson = await readFileSafe(path6__default__default.join(projectPath, "package.json"));
   const hasA11yTesting = packageJson && /axe-core|@axe-core|jest-axe|cypress-axe|pa11y/i.test(packageJson);
   if (!hasA11yTesting) {
     issues.push({
@@ -8045,7 +10314,7 @@ async function accessibilityEngine(projectPath) {
       autoFixable: true
     });
   }
-  const globalCss = await readFileSafe(path5__default__default.join(projectPath, "src", "styles", "globals.css")) || await readFileSafe(path5__default__default.join(projectPath, "app", "globals.css")) || await readFileSafe(path5__default__default.join(projectPath, "styles", "globals.css"));
+  const globalCss = await readFileSafe(path6__default__default.join(projectPath, "src", "styles", "globals.css")) || await readFileSafe(path6__default__default.join(projectPath, "app", "globals.css")) || await readFileSafe(path6__default__default.join(projectPath, "styles", "globals.css"));
   if (globalCss && /outline:\s*none|outline:\s*0/i.test(globalCss) && !/focus-visible/i.test(globalCss)) {
     issues.push({
       id: "focus-removed",
@@ -8083,9 +10352,9 @@ function hasLibrary(packageJsonContent, libraries) {
   return null;
 }
 async function detectProjectType(projectPath, packageJsonContent) {
-  const hasApp = await pathExists(path5__default__default.join(projectPath, "app"));
-  const hasPages = await pathExists(path5__default__default.join(projectPath, "pages"));
-  const hasSrc = await pathExists(path5__default__default.join(projectPath, "src"));
+  const hasApp = await pathExists(path6__default__default.join(projectPath, "app"));
+  const hasPages = await pathExists(path6__default__default.join(projectPath, "pages"));
+  const hasSrc = await pathExists(path6__default__default.join(projectPath, "src"));
   const isNextJs = !!packageJsonContent && /["']next["']/.test(packageJsonContent);
   const isRemix = !!packageJsonContent && /["']@remix-run\//.test(packageJsonContent);
   const isVite = !!packageJsonContent && /["']vite["']/.test(packageJsonContent);
@@ -8176,7 +10445,7 @@ var ENGINES = [
 ];
 async function runPolish(projectPath) {
   const allIssues = [];
-  const packageJson = await readFileSafe(path5__default__default.join(projectPath, "package.json"));
+  const packageJson = await readFileSafe(path6__default__default.join(projectPath, "package.json"));
   const projectType = await detectProjectType(projectPath, packageJson);
   const engineResults = await Promise.allSettled(
     ENGINES.map((engine) => engine(projectPath))
@@ -8591,13 +10860,13 @@ function estimateBlastRadius(steps, file) {
       }
     }
   }
-  const path23 = file.toLowerCase();
-  if (path23.includes("checkout") || path23.includes("payment")) flows.add("payment flow");
-  if (path23.includes("auth") || path23.includes("login") || path23.includes("signup"))
+  const path24 = file.toLowerCase();
+  if (path24.includes("checkout") || path24.includes("payment")) flows.add("payment flow");
+  if (path24.includes("auth") || path24.includes("login") || path24.includes("signup"))
     flows.add("authentication");
-  if (path23.includes("api/") || path23.includes("route")) flows.add("API endpoint");
-  if (path23.includes("middleware")) flows.add("request pipeline");
-  if (path23.includes("webhook")) flows.add("webhook processing");
+  if (path24.includes("api/") || path24.includes("route")) flows.add("API endpoint");
+  if (path24.includes("middleware")) flows.add("request pipeline");
+  if (path24.includes("webhook")) flows.add("webhook processing");
   if (flows.size === 0) return void 0;
   const flowList = [...flows].slice(0, 3).join(", ");
   const errorPct = Math.round(errors.length / Math.max(steps.length, 1) * 100);
@@ -8657,7 +10926,7 @@ async function loadEngines(workspaceRoot) {
   })();
   const ghostRouteIndex = truthpack ? truthpackToRouteIndex(truthpack.routes, workspaceRoot) : void 0;
   const ghostRoutePrefixes = [];
-  const { PhantomDepEngine: PhantomDepEngine2 } = await import('./PhantomDepEngine-HQEXAS25-TRVEXBMF.js');
+  const { PhantomDepEngine: PhantomDepEngine2 } = await import('./PhantomDepEngine-5O7Z7MDE-4A37GGL4.js');
   const { APITruthEngine: APITruthEngine2 } = await import('./APITruthEngine-IZRR3NT5-LPFUOMLD.js');
   const { EnvVarEngine: EnvVarEngine2 } = await import('./EnvVarEngine-ZFNW2XKP-6HRTZULP.js');
   const { GhostRouteEngine: GhostRouteEngine2 } = await import('./GhostRouteEngine-UMYBCOCL-MSZOPVZY.js');
@@ -8666,7 +10935,7 @@ async function loadEngines(workspaceRoot) {
   const { VersionHallucinationEngine: VersionHallucinationEngine2 } = await import('./VersionHallucinationEngine-673DJ26J-BD4SK6JX.js');
   const { FrameworkPackEngine: FrameworkPackEngine2 } = await import('./FrameworkPackEngine-RRBJW4MC-KH7WRXXS.js');
   const { LogicGapEngine: LogicGapEngine2 } = await import('./LogicGapEngine-OK5UKZQ5-YGXZDERB.js');
-  const { ErrorHandlingEngine: ErrorHandlingEngine2 } = await import('./ErrorHandlingEngine-VAHVDVFG-3GDGRN3U.js');
+  const { ErrorHandlingEngine: ErrorHandlingEngine2 } = await import('./ErrorHandlingEngine-FG65SFRB-4NEANCMF.js');
   const confidenceThreshold = 0.75;
   return [
     new EnvVarEngine2(envIndex, {
@@ -8682,7 +10951,7 @@ async function loadEngines(workspaceRoot) {
     ),
     new PhantomDepEngine2(workspaceRoot, {
       confidenceThreshold: 0.55,
-      registryCachePath: path5__default.join(workspaceRoot, ".vibecheck", "registry-cache.json")
+      registryCachePath: path6__default.join(workspaceRoot, ".vibecheck", "registry-cache.json")
     }),
     new APITruthEngine2(0.65, void 0, workspaceRoot),
     new CredentialsEngine2(),
@@ -8694,7 +10963,7 @@ async function loadEngines(workspaceRoot) {
   ];
 }
 function buildDelta(filePath, source) {
-  const ext = path5__default.extname(filePath).toLowerCase();
+  const ext = path6__default.extname(filePath).toLowerCase();
   const lines = source.split("\n");
   return {
     documentUri: filePath,
@@ -8797,10 +11066,10 @@ function findingsForFile(findings, relativePath) {
 async function runGhostTrace(options) {
   const { workspaceRoot, filePath, signal, engineTimeout = 1e4 } = options;
   const start = Date.now();
-  const absolutePath = path5__default.isAbsolute(filePath) ? filePath : path5__default.resolve(workspaceRoot, filePath);
+  const absolutePath = path6__default.isAbsolute(filePath) ? filePath : path6__default.resolve(workspaceRoot, filePath);
   const source = fs2.readFileSync(absolutePath, "utf-8");
   const lines = source.split("\n");
-  const relativePath = path5__default.relative(workspaceRoot, absolutePath).replace(/\\/g, "/");
+  const relativePath = path6__default.relative(workspaceRoot, absolutePath).replace(/\\/g, "/");
   const callSites = parseCallSites(source);
   const delta = buildDelta(absolutePath, source);
   const engines = await loadEngines(workspaceRoot);
@@ -8858,4 +11127,4 @@ async function runGhostTrace(options) {
   };
 }
 
-export { CircuitBreaker, DAILY_SCAN_LIMIT_UPGRADE_URL, ENGINE_FOCUS_PRESETS, EngineRegistry, EnvLoader, FEATURE_NAMES, FakeFeaturesEngine, IncompleteImplEngine, OutcomeVerificationEngine, PerformanceAntipatternEngine, RULE_AUTOFIX_SAFETY_BY_ID, RULE_MATURITY_BY_ID, RULE_TRUST_IMPACT_BY_ID, RuntimeProbeEngine, SCAN_ENGINE_FOCUS_PRESET_NAMES, SecurityPatternEngine, TruthpackEnvIndex, TypeContractEngine, VIBECHECK_DEFAULT_ENGINE_IDS, accessibilityEngine, autofixSafetyForRule, backendEngine, buildCiSummaryJson, buildCliUpgradeBlock, buildGatedScanResponse, buildRiskClusters, buildShipBlockers, canAccessFeature, categoryIcons, computeTrustScore, configurationEngine, createDefaultRegistry, dashboardFindingUrl, diffScores, documentationEngine, engineTogglesAllowOnly, estimateBlastRadius, fetchCanonicalAccess, findUncalledExportedFunctions, formatCiSummaryMarkdown, formatCiSummaryPlainLines, formatDailyScanLimitMessage, formatFindingSeverityBreakdown, formatFindings, formatSummary, formatTraceAsJson, formatTraceForTerminal, formatTrustScoreMarkdown, formatTrustScoreMcp, gateCanonicalScanReportFindings, generateVerdict, getCheckoutUrl, getMinPlanForApiSurface, getMinimumPlanForFeature, getQuotas, getTrustScoreStatus, icons, infrastructureEngine, isTestLikeScanPath, isVibecheckFinding, loadTruthpack, maturityTierForRule, normalizeCanonicalScanReport, normalizePlanId, observabilityEngine, parseCallSites, performanceEngine, planHasApiSurface, resilienceEngine, runGhostTrace, runPolish, scan, securityEngine, seoEngine, toCanonicalFinding, toCanonicalFindingFromGuardrail, toCanonicalFindingFromLegacyFinding, toCanonicalFindingFromMissionFinding, toCanonicalFindingFromPolish, toCanonicalFindingFromReport, toCanonicalFindingFromScanApi, toCanonicalFindingFromScanFinding, toCanonicalFindings, toSarif, trustImpactForRule, trustPenaltyScaleForFinding, truthpackToRouteIndex };
+export { AIRulesAttackEngine, AI_HALLUCINATED_PACKAGES, CANONICAL_AI_PACKAGES_NPM, CORE_ENGINE_IDS, CORE_ENGINE_MANIFESTS, CircuitBreaker, DAILY_SCAN_LIMIT_UPGRADE_URL, ENGINE_FOCUS_PRESETS, EngineRegistry, EnvLoader, FEATURE_NAMES, FakeFeaturesEngine, IncompleteImplEngine, OutcomeVerificationEngine, PerformanceAntipatternEngine, RULE_AUTOFIX_SAFETY_BY_ID, RULE_MATURITY_BY_ID, RULE_TRUST_IMPACT_BY_ID, RuntimeProbeEngine, SCAN_ENGINE_FOCUS_PRESET_NAMES, SecurityPatternEngine, SlopsquatEngine, TestQualityEngine, TruthpackEnvIndex, TypeContractEngine, VIBECHECK_DEFAULT_ENGINE_IDS, VibecheckNativeEngine, WORKSPACE_ENGINE_IDS, WORKSPACE_ENGINE_MANIFESTS, accessibilityEngine, aiRulesAttackManifest, apexFromHost, apexFromUrl, autofixSafetyForRule, backendEngine, buildCiSummaryJson, buildCliUpgradeBlock, buildGatedScanResponse, buildRiskClusters, buildShipBlockers, canAccessFeature, categoryIcons, computeFusionStats, computeTrustScore, configurationEngine, createDefaultRegistry, dashboardFindingUrl, detectBrandImpersonationNpm, diffScores, documentationEngine, engineTogglesAllowOnly, errorHandlingManifest, estimateBlastRadius, extractKnownHostsFromIntegrations, fakeFeaturesManifest, fetchCanonicalAccess, findUncalledExportedFunctions, formatCiSummaryMarkdown, formatCiSummaryPlainLines, formatDailyScanLimitMessage, formatFindingSeverityBreakdown, formatFindings, formatSummary, formatTraceAsJson, formatTraceForTerminal, formatTrustScoreMarkdown, formatTrustScoreMcp, fuseFindings, gateCanonicalScanReportFindings, generateVerdict, getCheckoutUrl, getMinPlanForApiSurface, getMinimumPlanForFeature, getQuotas, getTrustScoreStatus, ghostRouteManifest, hostMatchesKnownSet, icons, incompleteImplManifest, infrastructureEngine, isTestLikeScanPath, isVibecheckFinding, loadTruthpack, logicGapManifest, maturityTierForRule, normalizeCanonicalScanReport, normalizePlanId, observabilityEngine, outcomeVerificationManifest, parseCallSites, perfAntipatternManifest, performanceEngine, phantomDepManifest, planHasApiSurface, registerAllEngines, registerCoreEngines, registerWorkspaceEngines, resilienceEngine, runGhostTrace, runPolish, scan, securityEngine, securityPatternManifest, seoEngine, slopsquatManifest, testQualityManifest, toCanonicalFinding, toCanonicalFindingFromGuardrail, toCanonicalFindingFromLegacyFinding, toCanonicalFindingFromMissionFinding, toCanonicalFindingFromPolish, toCanonicalFindingFromReport, toCanonicalFindingFromScanApi, toCanonicalFindingFromScanFinding, toCanonicalFindings, toSarif, trustImpactForRule, trustPenaltyScaleForFinding, truthpackToRouteIndex, typeContractManifest };