@vibecheckai/cli 2.5.1

package/dist/runtime/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/runtime/client.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAwDH,wCA+GC;AAKD,kDAuDC;AAKD,gDA6BC;AAiBD,wCAIC;AAvRD,6CAAiD;AAqCjD,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,2BAA2B,CAAC;AAC3F,MAAM,eAAe,GAAG,KAAK,CAAC;AAC9B,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,MAAM,YAAY,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,sBAAsB;AAE/D;;GAEG;AACH,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,cAAc,CAAC,IAKpC;IACC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,gBAAgB,CAAC;IACjD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAC;IAChD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,mBAAmB,CAAC;IAE1D,MAAM,UAAU,GAAG,IAAA,8BAAiB,GAAE,CAAC;IACvC,MAAM,WAAW,GAAwB;QACvC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,MAAM,EAAE,UAAU;KACnB,CAAC;IAEF,IAAI,SAAS,GAAW,eAAe,CAAC;IAExC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;QACvD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;QAEhE,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,uBAAuB,EAAE;gBACzD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,YAAY,EAAE,iBAAiB,UAAU,CAAC,OAAO,KAAK,UAAU,CAAC,EAAE,KAAK,UAAU,CAAC,IAAI,UAAU,OAAO,CAAC,OAAO,GAAG;oBACnH,kBAAkB,EAAE,UAAU,CAAC,OAAO;iBACvC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;gBACjC,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;gBACnD,IAAI,YAAoB,CAAC;gBAEzB,IAAI,CAAC;oBACH,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;oBACxC,YAAY,GAAG,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC,OAAO,IAAI,SAAS,CAAC,KAAK,IAAI,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;gBAClG,CAAC;gBAAC,MAAM,CAAC;oBACP,YAAY,GAAG,QAAQ,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,UAAU,EAAE,CAAC;gBACzD,CAAC;gBAED,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACvB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;gBAC1E,CAAC;gBACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACvB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,8CAA8C,EAAE,CAAC;gBAC5F,CAAC;gBACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACvB,SAAS,GAAG,uCAAuC,CAAC;oBACpD,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;wBACzB,MAAM,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC;wBAC3C,SAAS;oBACX,CAAC;oBACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;gBACvD,CAAC;gBACD,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;oBACtB,SAAS,GAAG,iBAAiB,YAAY,EAAE,CAAC;oBAC5C,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;wBACzB,MAAM,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC;wBAC3C,SAAS;oBACX,CAAC;oBACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;gBACvD,CAAC;gBAED,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;YAC1D,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA0B,CAAC;YAEtD,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,IAAI,EAAE,MAAM;oBACZ,KAAK,EAAE,IAAI,CAAC,MAAM,IAAI,mBAAmB;iBAC1C,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,MAAM;gBACzB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,YAAY,EAAE,IAAI,CAAC,YAAY;gBAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACxB,CAAC;QAEJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC9B,SAAS,GAAG,mBAAmB,CAAC;YAClC,CAAC;iBAAM,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;gBACnE,SAAS,GAAG,+DAA+D,CAAC;YAC9E,CAAC;iBAAM,CAAC;gBACN,SAAS,GAAG,kBAAkB,GAAG,CAAC,OAAO,EAAE,CAAC;YAC9C,CAAC;YAED,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBACzB,MAAM,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC;gBAC3C,SAAS;YACX,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;AACvD,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,mBAAmB,CAAC,IAKzC;IACC,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QACtC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;IACvE,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,OAAO,cAAc,CAAC;YACpB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,gBAAgB,CAAC;IACjD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAC;IAChD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;IAEhE,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAA,8BAAiB,GAAE,CAAC;QACvC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,kBAAkB,EAAE;YACpD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,eAAe,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC7C,YAAY,EAAE,iBAAiB,UAAU,CAAC,OAAO,UAAU,OAAO,CAAC,OAAO,GAAG;aAC9E;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;YACtD,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QAEH,YAAY,CAAC,SAAS,CAAC,CAAC;QAExB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAC;YAC9E,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,cAAc,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;QACxE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAsB,CAAC;QAClD,OAAO,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,YAAY,CAAC,SAAS,CAAC,CAAC;QACxB,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC9B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACjE,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,kBAAkB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;IAC7E,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,kBAAkB,CAAC,IAGxC;IACC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,gBAAgB,CAAC;IACjD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,eAAe,CAAC,CAAC;IAExE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,iBAAiB,EAAE;YACnD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,YAAY,EAAE,iBAAiB,UAAU,EAAE,UAAU,OAAO,CAAC,OAAO,GAAG;aACxE;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;YACzD,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,EAAE,KAAK,EAAE,mBAAmB,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;QACpD,CAAC;QAED,OAAO,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;IAChC,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,SAAS,CAAC,CAAC;IAC1B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,UAAU;IACjB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;QAC1C,OAAO,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,UAAkB,EAAE;IACjD,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IAC1B,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE,GAAG,OAAO,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,WAAW,EAAE,CAAC;AAC9B,CAAC"}

package/dist/runtime/creds.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Enterprise Credential Store
+ * - OS keychain first (Keychain/Windows Credential Manager/libsecret)
+ * - Secure fallback with 0600 perms + atomic writes
+ * - Token-first model (short-lived tokens preferred over static API keys)
+ */
+export type Tier = 'free' | 'starter' | 'pro' | 'enterprise';
+export interface AuthState {
+    apiKey?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    tier?: Tier;
+    email?: string;
+    entitlements?: string[];
+    authenticatedAt?: string;
+    cacheUntil?: string;
+    expiresAt?: string;
+    issuedAt?: string;
+}
+/**
+ * Load authentication state
+ * Prefers keychain for sensitive tokens, falls back to disk
+ */
+export declare function loadAuthState(): Promise<AuthState>;
+/**
+ * Save authentication state
+ * Stores sensitive tokens in keychain when available, non-sensitive data on disk
+ */
+export declare function saveAuthState(next: AuthState): Promise<void>;
+/**
+ * Clear all authentication state (logout)
+ */
+export declare function clearAuthState(): Promise<void>;
+/**
+ * Check if cached entitlements are still valid
+ * Uses the shorter of cacheUntil (local) or expiresAt (server)
+ */
+export declare function isCacheValid(state: AuthState): boolean;
+/**
+ * Check if entitlements should be reused from cache
+ * Returns true only if cache is valid AND has > 5 minutes remaining
+ */
+export declare function shouldUseCachedEntitlements(state: AuthState): boolean;
+/**
+ * Get config directory path (for display purposes)
+ */
+export declare function getConfigPath(): string;
+//# sourceMappingURL=creds.d.ts.map

package/dist/runtime/creds.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"creds.d.ts","sourceRoot":"","sources":["../../src/runtime/creds.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,MAAM,MAAM,IAAI,GAAG,MAAM,GAAG,SAAS,GAAG,KAAK,GAAG,YAAY,CAAC;AAE7D,MAAM,WAAW,SAAS;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAgFD;;;GAGG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,SAAS,CAAC,CAwBxD;AAED;;;GAGG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBlE;AAED;;GAEG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAUpD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAmBtD;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAoBrE;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAEtC"}

package/dist/runtime/creds.js

@@ -0,0 +1,245 @@
+"use strict";
+/**
+ * Enterprise Credential Store
+ * - OS keychain first (Keychain/Windows Credential Manager/libsecret)
+ * - Secure fallback with 0600 perms + atomic writes
+ * - Token-first model (short-lived tokens preferred over static API keys)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadAuthState = loadAuthState;
+exports.saveAuthState = saveAuthState;
+exports.clearAuthState = clearAuthState;
+exports.isCacheValid = isCacheValid;
+exports.shouldUseCachedEntitlements = shouldUseCachedEntitlements;
+exports.getConfigPath = getConfigPath;
+const os_1 = __importDefault(require("os"));
+const path_1 = __importDefault(require("path"));
+const promises_1 = __importDefault(require("fs/promises"));
+const fs_1 = require("fs");
+const crypto_1 = __importDefault(require("crypto"));
+const SERVICE = 'guardrail-cli';
+const ACCOUNT = 'default';
+function getConfigDir() {
+    if (process.platform === 'win32') {
+        return path_1.default.join(process.env.APPDATA || path_1.default.join(os_1.default.homedir(), 'AppData', 'Roaming'), 'guardrail');
+    }
+    if (process.platform === 'darwin') {
+        return path_1.default.join(os_1.default.homedir(), 'Library', 'Application Support', 'guardrail');
+    }
+    return path_1.default.join(process.env.XDG_CONFIG_HOME || path_1.default.join(os_1.default.homedir(), '.config'), 'guardrail');
+}
+const CONFIG_DIR = getConfigDir();
+const CONFIG_FILE = path_1.default.join(CONFIG_DIR, 'state.json');
+/**
+ * Try to load keytar for OS keychain access
+ * Returns null if keytar is not available
+ */
+async function tryKeytar() {
+    try {
+        return require('keytar');
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Atomic write with restrictive permissions
+ * Prevents partial writes and race conditions
+ * Security: 0600 on Unix, NTFS ACL restriction on Windows (best effort)
+ */
+async function atomicWrite(filePath, data) {
+    await promises_1.default.mkdir(path_1.default.dirname(filePath), { recursive: true, mode: 0o700 });
+    const tmp = `${filePath}.${crypto_1.default.randomBytes(6).toString('hex')}.tmp`;
+    // Write with restrictive mode on Unix
+    await promises_1.default.writeFile(tmp, data, { encoding: 'utf8', mode: 0o600 });
+    // Lock down permissions
+    if (process.platform !== 'win32') {
+        // Unix: 0600 = owner read/write only
+        await promises_1.default.chmod(tmp, 0o600);
+    }
+    else {
+        // Windows: Best effort - use icacls to restrict access
+        // This is a no-op if it fails, as Windows file permissions are complex
+        try {
+            const { exec } = await Promise.resolve().then(() => __importStar(require('child_process')));
+            const username = process.env.USERNAME || process.env.USER;
+            if (username) {
+                await new Promise((resolve) => {
+                    exec(`icacls "${tmp}" /inheritance:r /grant:r "${username}:F"`, { windowsHide: true }, () => resolve() // Ignore errors
+                    );
+                });
+            }
+        }
+        catch {
+            // Windows permission setting failed - continue anyway
+        }
+    }
+    await promises_1.default.rename(tmp, filePath);
+    // Also secure the directory on Unix
+    if (process.platform !== 'win32') {
+        await promises_1.default.chmod(path_1.default.dirname(filePath), 0o700).catch(() => { });
+    }
+}
+/**
+ * Load authentication state
+ * Prefers keychain for sensitive tokens, falls back to disk
+ */
+async function loadAuthState() {
+    try {
+        if (!(0, fs_1.existsSync)(CONFIG_FILE))
+            return {};
+        const raw = await promises_1.default.readFile(CONFIG_FILE, 'utf8');
+        const state = JSON.parse(raw);
+        // If keychain is available, prefer tokens from there
+        const keytar = await tryKeytar();
+        if (keytar) {
+            try {
+                const secret = await keytar.getPassword(SERVICE, ACCOUNT);
+                if (secret) {
+                    const fromKeychain = JSON.parse(secret);
+                    return { ...state, ...fromKeychain };
+                }
+            }
+            catch {
+                // Keychain access failed, use disk state
+            }
+        }
+        return state;
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Save authentication state
+ * Stores sensitive tokens in keychain when available, non-sensitive data on disk
+ */
+async function saveAuthState(next) {
+    // Separate sensitive from non-sensitive data
+    const { accessToken, refreshToken, apiKey, ...diskSafe } = next;
+    const keytar = await tryKeytar();
+    if (keytar) {
+        try {
+            const secretPayload = { accessToken, refreshToken, apiKey };
+            await keytar.setPassword(SERVICE, ACCOUNT, JSON.stringify(secretPayload));
+        }
+        catch {
+            // Keychain save failed, store everything on disk
+            diskSafe.apiKey = apiKey;
+            diskSafe.accessToken = accessToken;
+            diskSafe.refreshToken = refreshToken;
+        }
+    }
+    else {
+        // No keychain available: fall back to disk with tight perms
+        diskSafe.apiKey = apiKey;
+        diskSafe.accessToken = accessToken;
+        diskSafe.refreshToken = refreshToken;
+    }
+    await atomicWrite(CONFIG_FILE, JSON.stringify(diskSafe, null, 2));
+}
+/**
+ * Clear all authentication state (logout)
+ */
+async function clearAuthState() {
+    const keytar = await tryKeytar();
+    if (keytar) {
+        try {
+            await keytar.deletePassword(SERVICE, ACCOUNT);
+        }
+        catch {
+            // Keychain delete failed, continue anyway
+        }
+    }
+    await atomicWrite(CONFIG_FILE, JSON.stringify({}, null, 2));
+}
+/**
+ * Check if cached entitlements are still valid
+ * Uses the shorter of cacheUntil (local) or expiresAt (server)
+ */
+function isCacheValid(state) {
+    if (!state.tier)
+        return false;
+    const now = new Date();
+    // Check local cache expiry
+    if (state.cacheUntil) {
+        const cacheExpiry = new Date(state.cacheUntil);
+        if (cacheExpiry <= now)
+            return false;
+    }
+    // Check server-issued expiry
+    if (state.expiresAt) {
+        const serverExpiry = new Date(state.expiresAt);
+        if (serverExpiry <= now)
+            return false;
+    }
+    // At least one expiry must be set
+    return Boolean(state.cacheUntil || state.expiresAt);
+}
+/**
+ * Check if entitlements should be reused from cache
+ * Returns true only if cache is valid AND has > 5 minutes remaining
+ */
+function shouldUseCachedEntitlements(state) {
+    if (!state.tier)
+        return false;
+    const now = new Date();
+    const fiveMinutesFromNow = new Date(now.getTime() + 5 * 60 * 1000);
+    // Check if local cache has > 5 min remaining
+    if (state.cacheUntil) {
+        const cacheExpiry = new Date(state.cacheUntil);
+        if (cacheExpiry <= fiveMinutesFromNow)
+            return false;
+    }
+    // Check if server expiry has > 5 min remaining
+    if (state.expiresAt) {
+        const serverExpiry = new Date(state.expiresAt);
+        if (serverExpiry <= fiveMinutesFromNow)
+            return false;
+    }
+    // At least one expiry must be set and valid
+    return Boolean(state.cacheUntil || state.expiresAt);
+}
+/**
+ * Get config directory path (for display purposes)
+ */
+function getConfigPath() {
+    return CONFIG_FILE;
+}
+//# sourceMappingURL=creds.js.map

package/dist/runtime/creds.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"creds.js","sourceRoot":"","sources":["../../src/runtime/creds.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyGH,sCAwBC;AAMD,sCAuBC;AAKD,wCAUC;AAMD,oCAmBC;AAMD,kEAoBC;AAKD,sCAEC;AArOD,4CAAoB;AACpB,gDAAwB;AACxB,2DAA6B;AAC7B,2BAAgC;AAChC,oDAA4B;AAiB5B,MAAM,OAAO,GAAG,eAAe,CAAC;AAChC,MAAM,OAAO,GAAG,SAAS,CAAC;AAE1B,SAAS,YAAY;IACnB,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,OAAO,cAAI,CAAC,IAAI,CACd,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,cAAI,CAAC,IAAI,CAAC,YAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,SAAS,CAAC,EACpE,WAAW,CACZ,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,OAAO,cAAI,CAAC,IAAI,CAAC,YAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,qBAAqB,EAAE,WAAW,CAAC,CAAC;IAChF,CAAC;IACD,OAAO,cAAI,CAAC,IAAI,CACd,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,cAAI,CAAC,IAAI,CAAC,YAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,EACjE,WAAW,CACZ,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC;AAClC,MAAM,WAAW,GAAG,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;AAExD;;;GAGG;AACH,KAAK,UAAU,SAAS;IACtB,IAAI,CAAC;QACH,OAAO,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,WAAW,CAAC,QAAgB,EAAE,IAAY;IACvD,MAAM,kBAAE,CAAC,KAAK,CAAC,cAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,GAAG,QAAQ,IAAI,gBAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC;IAEvE,sCAAsC;IACtC,MAAM,kBAAE,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEjE,wBAAwB;IACxB,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,qCAAqC;QACrC,MAAM,kBAAE,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,uDAAuD;QACvD,uEAAuE;QACvE,IAAI,CAAC;YACH,MAAM,EAAE,IAAI,EAAE,GAAG,wDAAa,eAAe,GAAC,CAAC;YAC/C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;YAC1D,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;oBAClC,IAAI,CACF,WAAW,GAAG,8BAA8B,QAAQ,KAAK,EACzD,EAAE,WAAW,EAAE,IAAI,EAAE,EACrB,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,gBAAgB;qBACjC,CAAC;gBACJ,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;IACH,CAAC;IAED,MAAM,kBAAE,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAE/B,oCAAoC;IACpC,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,kBAAE,CAAC,KAAK,CAAC,cAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,aAAa;IACjC,IAAI,CAAC;QACH,IAAI,CAAC,IAAA,eAAU,EAAC,WAAW,CAAC;YAAE,OAAO,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAc,CAAC;QAE3C,qDAAqD;QACrD,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;QACjC,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;gBAC1D,IAAI,MAAM,EAAE,CAAC;oBACX,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAuB,CAAC;oBAC9D,OAAO,EAAE,GAAG,KAAK,EAAE,GAAG,YAAY,EAAE,CAAC;gBACvC,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yCAAyC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,aAAa,CAAC,IAAe;IACjD,6CAA6C;IAC7C,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAC;IAEhE,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;IACjC,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,aAAa,GAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;YAChF,MAAM,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,iDAAiD;YAChD,QAAsB,CAAC,MAAM,GAAG,MAAM,CAAC;YACvC,QAAsB,CAAC,WAAW,GAAG,WAAW,CAAC;YACjD,QAAsB,CAAC,YAAY,GAAG,YAAY,CAAC;QACtD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,4DAA4D;QAC3D,QAAsB,CAAC,MAAM,GAAG,MAAM,CAAC;QACvC,QAAsB,CAAC,WAAW,GAAG,WAAW,CAAC;QACjD,QAAsB,CAAC,YAAY,GAAG,YAAY,CAAC;IACtD,CAAC;IAED,MAAM,WAAW,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AACpE,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,cAAc;IAClC,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;IACjC,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,0CAA0C;QAC5C,CAAC;IACH,CAAC;IACD,MAAM,WAAW,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED;;;GAGG;AACH,SAAgB,YAAY,CAAC,KAAgB;IAC3C,IAAI,CAAC,KAAK,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAE9B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,2BAA2B;IAC3B,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,WAAW,IAAI,GAAG;YAAE,OAAO,KAAK,CAAC;IACvC,CAAC;IAED,6BAA6B;IAC7B,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACpB,MAAM,YAAY,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,YAAY,IAAI,GAAG;YAAE,OAAO,KAAK,CAAC;IACxC,CAAC;IAED,kCAAkC;IAClC,OAAO,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,SAAgB,2BAA2B,CAAC,KAAgB;IAC1D,IAAI,CAAC,KAAK,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAE9B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,kBAAkB,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEnE,6CAA6C;IAC7C,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,WAAW,IAAI,kBAAkB;YAAE,OAAO,KAAK,CAAC;IACtD,CAAC;IAED,+CAA+C;IAC/C,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACpB,MAAM,YAAY,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,YAAY,IAAI,kBAAkB;YAAE,OAAO,KAAK,CAAC;IACvD,CAAC;IAED,4CAA4C;IAC5C,OAAO,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACtD,CAAC;AAED;;GAEG;AACH,SAAgB,aAAa;IAC3B,OAAO,WAAW,CAAC;AACrB,CAAC"}

package/dist/runtime/exit-codes.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Enterprise Exit Codes
+ * Consistent, meaningful exit codes for CI/CD integration
+ *
+ * Usage:
+ *   process.exit(ExitCode.POLICY_FAIL)
+ *   exitWith(ExitCode.AUTH_FAILURE, 'Invalid API key')
+ */
+export declare enum ExitCode {
+    /** Scan passed, no policy violations */
+    SUCCESS = 0,
+    /** Findings above threshold (policy fail) - actionable by user */
+    POLICY_FAIL = 1,
+    /** User error: invalid args, bad config, missing required options */
+    USER_ERROR = 2,
+    /** Invalid input: malformed data, validation failures */
+    INVALID_INPUT = 2,
+    /** System error: crash, filesystem issues, unexpected exceptions */
+    SYSTEM_ERROR = 3,
+    /** Auth/entitlement failure: invalid key, expired token, insufficient tier */
+    AUTH_FAILURE = 4,
+    /** Network/backend failure: API unreachable, timeout */
+    NETWORK_FAILURE = 5
+}
+export declare const EXIT_CODE_DESCRIPTIONS: Record<ExitCode, string>;
+/**
+ * Exit with code and optional message
+ * Logs the exit reason for debugging
+ */
+export declare function exitWith(code: ExitCode, message?: string): never;
+/**
+ * Map error types to exit codes
+ */
+export declare function getExitCodeForError(err: Error): ExitCode;
+/**
+ * Determine exit code based on scan results and policy
+ */
+export declare function getExitCodeForFindings(findings: {
+    critical?: number;
+    high?: number;
+    medium?: number;
+    low?: number;
+}, policy: {
+    failOnCritical?: boolean;
+    failOnHigh?: boolean;
+    failOnMedium?: boolean;
+    failOnAny?: boolean;
+}): ExitCode;
+//# sourceMappingURL=exit-codes.d.ts.map

package/dist/runtime/exit-codes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exit-codes.d.ts","sourceRoot":"","sources":["../../src/runtime/exit-codes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,oBAAY,QAAQ;IAClB,wCAAwC;IACxC,OAAO,IAAI;IAEX,kEAAkE;IAClE,WAAW,IAAI;IAEf,qEAAqE;IACrE,UAAU,IAAI;IAEd,yDAAyD;IACzD,aAAa,IAAI;IAEjB,oEAAoE;IACpE,YAAY,IAAI;IAEhB,8EAA8E;IAC9E,YAAY,IAAI;IAEhB,wDAAwD;IACxD,eAAe,IAAI;CACpB;AAED,eAAO,MAAM,sBAAsB,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAO3D,CAAC;AAEF;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,KAAK,CAShE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,GAAG,QAAQ,CAiBxD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,EAAE,MAAM,EAAE;IACT,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB,GAAG,QAAQ,CAiBX"}

package/dist/runtime/exit-codes.js

@@ -0,0 +1,93 @@
+"use strict";
+/**
+ * Enterprise Exit Codes
+ * Consistent, meaningful exit codes for CI/CD integration
+ *
+ * Usage:
+ *   process.exit(ExitCode.POLICY_FAIL)
+ *   exitWith(ExitCode.AUTH_FAILURE, 'Invalid API key')
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EXIT_CODE_DESCRIPTIONS = exports.ExitCode = void 0;
+exports.exitWith = exitWith;
+exports.getExitCodeForError = getExitCodeForError;
+exports.getExitCodeForFindings = getExitCodeForFindings;
+var ExitCode;
+(function (ExitCode) {
+    /** Scan passed, no policy violations */
+    ExitCode[ExitCode["SUCCESS"] = 0] = "SUCCESS";
+    /** Findings above threshold (policy fail) - actionable by user */
+    ExitCode[ExitCode["POLICY_FAIL"] = 1] = "POLICY_FAIL";
+    /** User error: invalid args, bad config, missing required options */
+    ExitCode[ExitCode["USER_ERROR"] = 2] = "USER_ERROR";
+    /** Invalid input: malformed data, validation failures */
+    ExitCode[ExitCode["INVALID_INPUT"] = 2] = "INVALID_INPUT";
+    /** System error: crash, filesystem issues, unexpected exceptions */
+    ExitCode[ExitCode["SYSTEM_ERROR"] = 3] = "SYSTEM_ERROR";
+    /** Auth/entitlement failure: invalid key, expired token, insufficient tier */
+    ExitCode[ExitCode["AUTH_FAILURE"] = 4] = "AUTH_FAILURE";
+    /** Network/backend failure: API unreachable, timeout */
+    ExitCode[ExitCode["NETWORK_FAILURE"] = 5] = "NETWORK_FAILURE";
+})(ExitCode || (exports.ExitCode = ExitCode = {}));
+exports.EXIT_CODE_DESCRIPTIONS = {
+    [ExitCode.SUCCESS]: 'Scan completed successfully with no policy violations',
+    [ExitCode.POLICY_FAIL]: 'Findings exceed configured thresholds',
+    [ExitCode.USER_ERROR]: 'Invalid arguments or configuration',
+    [ExitCode.SYSTEM_ERROR]: 'Internal error or filesystem issue',
+    [ExitCode.AUTH_FAILURE]: 'Authentication or authorization failed',
+    [ExitCode.NETWORK_FAILURE]: 'Network or API communication failed',
+};
+/**
+ * Exit with code and optional message
+ * Logs the exit reason for debugging
+ */
+function exitWith(code, message) {
+    if (message) {
+        if (code === ExitCode.SUCCESS) {
+            console.log(message);
+        }
+        else {
+            console.error(`[exit:${code}] ${message}`);
+        }
+    }
+    process.exit(code);
+}
+/**
+ * Map error types to exit codes
+ */
+function getExitCodeForError(err) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes('enoent') || msg.includes('permission denied') || msg.includes('eacces')) {
+        return ExitCode.SYSTEM_ERROR;
+    }
+    if (msg.includes('network') || msg.includes('timeout') || msg.includes('fetch')) {
+        return ExitCode.NETWORK_FAILURE;
+    }
+    if (msg.includes('auth') || msg.includes('unauthorized') || msg.includes('forbidden')) {
+        return ExitCode.AUTH_FAILURE;
+    }
+    if (msg.includes('invalid') || msg.includes('missing') || msg.includes('required')) {
+        return ExitCode.USER_ERROR;
+    }
+    return ExitCode.SYSTEM_ERROR;
+}
+/**
+ * Determine exit code based on scan results and policy
+ */
+function getExitCodeForFindings(findings, policy) {
+    const { critical = 0, high = 0, medium = 0, low = 0 } = findings;
+    if (policy.failOnAny && (critical + high + medium + low) > 0) {
+        return ExitCode.POLICY_FAIL;
+    }
+    if (policy.failOnCritical && critical > 0) {
+        return ExitCode.POLICY_FAIL;
+    }
+    if (policy.failOnHigh && (critical + high) > 0) {
+        return ExitCode.POLICY_FAIL;
+    }
+    if (policy.failOnMedium && (critical + high + medium) > 0) {
+        return ExitCode.POLICY_FAIL;
+    }
+    return ExitCode.SUCCESS;
+}
+//# sourceMappingURL=exit-codes.js.map

package/dist/runtime/exit-codes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exit-codes.js","sourceRoot":"","sources":["../../src/runtime/exit-codes.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAsCH,4BASC;AAKD,kDAiBC;AAKD,wDA2BC;AAnGD,IAAY,QAqBX;AArBD,WAAY,QAAQ;IAClB,wCAAwC;IACxC,6CAAW,CAAA;IAEX,kEAAkE;IAClE,qDAAe,CAAA;IAEf,qEAAqE;IACrE,mDAAc,CAAA;IAEd,yDAAyD;IACzD,yDAAiB,CAAA;IAEjB,oEAAoE;IACpE,uDAAgB,CAAA;IAEhB,8EAA8E;IAC9E,uDAAgB,CAAA;IAEhB,wDAAwD;IACxD,6DAAmB,CAAA;AACrB,CAAC,EArBW,QAAQ,wBAAR,QAAQ,QAqBnB;AAEY,QAAA,sBAAsB,GAA6B;IAC9D,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,uDAAuD;IAC3E,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,uCAAuC;IAC/D,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,oCAAoC;IAC3D,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,oCAAoC;IAC7D,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,wCAAwC;IACjE,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,qCAAqC;CAClE,CAAC;AAEF;;;GAGG;AACH,SAAgB,QAAQ,CAAC,IAAc,EAAE,OAAgB;IACvD,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,IAAI,KAAK,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,SAAS,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CAAC,GAAU;IAC5C,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;IAEtC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1F,OAAO,QAAQ,CAAC,YAAY,CAAC;IAC/B,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAChF,OAAO,QAAQ,CAAC,eAAe,CAAC;IAClC,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACtF,OAAO,QAAQ,CAAC,YAAY,CAAC;IAC/B,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACnF,OAAO,QAAQ,CAAC,UAAU,CAAC;IAC7B,CAAC;IAED,OAAO,QAAQ,CAAC,YAAY,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB,CAAC,QAKtC,EAAE,MAKF;IACC,MAAM,EAAE,QAAQ,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,MAAM,GAAG,CAAC,EAAE,GAAG,GAAG,CAAC,EAAE,GAAG,QAAQ,CAAC;IAEjE,IAAI,MAAM,CAAC,SAAS,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7D,OAAO,QAAQ,CAAC,WAAW,CAAC;IAC9B,CAAC;IACD,IAAI,MAAM,CAAC,cAAc,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QAC1C,OAAO,QAAQ,CAAC,WAAW,CAAC;IAC9B,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,OAAO,QAAQ,CAAC,WAAW,CAAC;IAC9B,CAAC;IACD,IAAI,MAAM,CAAC,YAAY,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO,QAAQ,CAAC,WAAW,CAAC;IAC9B,CAAC;IAED,OAAO,QAAQ,CAAC,OAAO,CAAC;AAC1B,CAAC"}

package/dist/runtime/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Enterprise Runtime Modules
+ * Re-exports all runtime utilities for clean imports
+ */
+export * from './creds';
+export * from './client';
+export * from './exit-codes';
+export * from './semver';
+//# sourceMappingURL=index.d.ts.map

package/dist/runtime/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,cAAc,CAAC;AAC7B,cAAc,UAAU,CAAC"}

package/dist/runtime/index.js

@@ -0,0 +1,25 @@
+"use strict";
+/**
+ * Enterprise Runtime Modules
+ * Re-exports all runtime utilities for clean imports
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./creds"), exports);
+__exportStar(require("./client"), exports);
+__exportStar(require("./exit-codes"), exports);
+__exportStar(require("./semver"), exports);
+//# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;AAEH,0CAAwB;AACxB,2CAAyB;AACzB,+CAA6B;AAC7B,2CAAyB"}

package/dist/runtime/json-output.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Standardized JSON Output Schema
+ *
+ * All CLI commands with --json flag use this unified schema
+ * Version: 1.0
+ */
+export interface GuardrailJsonOutput {
+    version: string;
+    schema: string;
+    timestamp: string;
+    command: string;
+    success: boolean;
+    exitCode: number;
+    data?: any;
+    error?: {
+        code: string;
+        message: string;
+        nextSteps?: string[];
+    };
+    metadata?: {
+        [key: string]: any;
+    };
+}
+/**
+ * Create standardized JSON output
+ */
+export declare function createJsonOutput(command: string, success: boolean, exitCode: number, data?: any, error?: {
+    code: string;
+    message: string;
+    nextSteps?: string[];
+}, metadata?: {
+    [key: string]: any;
+}): GuardrailJsonOutput;
+/**
+ * Format scan results for JSON output
+ */
+export declare function formatScanResults(results: any): any;
+/**
+ * Format gate results for JSON output
+ */
+export declare function formatGateResults(exitCode: number, verdict: string): any;
+//# sourceMappingURL=json-output.d.ts.map

package/dist/runtime/json-output.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"json-output.d.ts","sourceRoot":"","sources":["../../src/runtime/json-output.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,GAAG,CAAC;IACX,KAAK,CAAC,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;KACtB,CAAC;IACF,QAAQ,CAAC,EAAE;QACT,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;CACH;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE,GAAG,EACV,KAAK,CAAC,EAAE;IACN,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB,EACD,QAAQ,CAAC,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;CAAE,GAChC,mBAAmB,CAYrB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,GAAG,GAAG,GAAG,CAiBnD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,GAAG,CAMxE"}

package/dist/runtime/json-output.js

@@ -0,0 +1,59 @@
+"use strict";
+/**
+ * Standardized JSON Output Schema
+ *
+ * All CLI commands with --json flag use this unified schema
+ * Version: 1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createJsonOutput = createJsonOutput;
+exports.formatScanResults = formatScanResults;
+exports.formatGateResults = formatGateResults;
+/**
+ * Create standardized JSON output
+ */
+function createJsonOutput(command, success, exitCode, data, error, metadata) {
+    return {
+        version: '1.0',
+        schema: 'guardrail/v1',
+        timestamp: new Date().toISOString(),
+        command,
+        success,
+        exitCode,
+        ...(data && { data }),
+        ...(error && { error }),
+        ...(metadata && { metadata }),
+    };
+}
+/**
+ * Format scan results for JSON output
+ */
+function formatScanResults(results) {
+    return {
+        summary: {
+            critical: results?.summary?.critical ?? 0,
+            high: results?.summary?.high ?? 0,
+            medium: results?.summary?.medium ?? 0,
+            low: results?.summary?.low ?? 0,
+            info: results?.summary?.info ?? 0,
+            total: results?.summary?.total ?? 0,
+        },
+        findings: results?.findings || [],
+        score: results?.score ?? 0,
+        verdict: results?.verdict || 'unknown',
+        filesScanned: results?.filesScanned ?? 0,
+        linesScanned: results?.linesScanned ?? 0,
+        duration: results?.duration ?? 0,
+    };
+}
+/**
+ * Format gate results for JSON output
+ */
+function formatGateResults(exitCode, verdict) {
+    return {
+        verdict: exitCode === 0 ? 'pass' : 'fail',
+        gateResult: exitCode === 0 ? 'GATE_PASSED' : 'GATE_FAILED',
+        exitCode,
+    };
+}
+//# sourceMappingURL=json-output.js.map

package/dist/runtime/json-output.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"json-output.js","sourceRoot":"","sources":["../../src/runtime/json-output.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAuBH,4CAuBC;AAKD,8CAiBC;AAKD,8CAMC;AA3DD;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,OAAe,EACf,OAAgB,EAChB,QAAgB,EAChB,IAAU,EACV,KAIC,EACD,QAAiC;IAEjC,OAAO;QACL,OAAO,EAAE,KAAK;QACd,MAAM,EAAE,cAAc;QACtB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,OAAO;QACP,OAAO;QACP,QAAQ;QACR,GAAG,CAAC,IAAI,IAAI,EAAE,IAAI,EAAE,CAAC;QACrB,GAAG,CAAC,KAAK,IAAI,EAAE,KAAK,EAAE,CAAC;QACvB,GAAG,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,CAAC;KAC9B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,OAAY;IAC5C,OAAO;QACL,OAAO,EAAE;YACP,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,IAAI,CAAC;YACzC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC;YACjC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;YACrC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;YAC/B,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC;YACjC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;SACpC;QACD,QAAQ,EAAE,OAAO,EAAE,QAAQ,IAAI,EAAE;QACjC,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;QAC1B,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,SAAS;QACtC,YAAY,EAAE,OAAO,EAAE,YAAY,IAAI,CAAC;QACxC,YAAY,EAAE,OAAO,EAAE,YAAY,IAAI,CAAC;QACxC,QAAQ,EAAE,OAAO,EAAE,QAAQ,IAAI,CAAC;KACjC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,QAAgB,EAAE,OAAe;IACjE,OAAO;QACL,OAAO,EAAE,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;QACzC,UAAU,EAAE,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa;QAC1D,QAAQ;KACT,CAAC;AACJ,CAAC"}