@vibecheckai/cli 2.8.2 → 3.0.0

package/bin/runners/lib/init-wizard.js

@@ -0,0 +1,308 @@
+/**
+ * Init Wizard — Beautiful Guided Setup
+ * 
+ * Interactive setup wizard with:
+ * - Step-by-step configuration
+ * - Project type detection
+ * - Beautiful progress indicators
+ * - Smart defaults
+ */
+
+const fs = require('fs');
+const path = require('path');
+const readline = require('readline');
+
+// Colors
+const c = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  dim: '\x1b[2m',
+  red: '\x1b[31m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  blue: '\x1b[34m',
+  cyan: '\x1b[36m',
+  magenta: '\x1b[35m',
+};
+
+// Project types with smart detection
+const PROJECT_TYPES = {
+  nextjs: {
+    name: 'Next.js',
+    icon: '▲',
+    detect: (dir) => fs.existsSync(path.join(dir, 'next.config.js')) || 
+                     fs.existsSync(path.join(dir, 'next.config.mjs')) ||
+                     fs.existsSync(path.join(dir, 'next.config.ts')),
+    config: { framework: 'nextjs', checks: ['routes', 'auth', 'api', 'security'] },
+  },
+  react: {
+    name: 'React',
+    icon: '⚛️',
+    detect: (dir) => {
+      const pkg = loadPackageJson(dir);
+      return pkg?.dependencies?.react && !PROJECT_TYPES.nextjs.detect(dir);
+    },
+    config: { framework: 'react', checks: ['components', 'api', 'security'] },
+  },
+  fastify: {
+    name: 'Fastify',
+    icon: '⚡',
+    detect: (dir) => {
+      const pkg = loadPackageJson(dir);
+      return pkg?.dependencies?.fastify;
+    },
+    config: { framework: 'fastify', checks: ['routes', 'auth', 'api', 'security'] },
+  },
+  express: {
+    name: 'Express',
+    icon: '🚂',
+    detect: (dir) => {
+      const pkg = loadPackageJson(dir);
+      return pkg?.dependencies?.express;
+    },
+    config: { framework: 'express', checks: ['routes', 'auth', 'api', 'security'] },
+  },
+  node: {
+    name: 'Node.js',
+    icon: '🟢',
+    detect: (dir) => fs.existsSync(path.join(dir, 'package.json')),
+    config: { framework: 'node', checks: ['security', 'quality'] },
+  },
+};
+
+function loadPackageJson(dir) {
+  try {
+    return JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+class InitWizard {
+  constructor(projectPath, options = {}) {
+    this.projectPath = projectPath;
+    this.options = options;
+    this.answers = {};
+    this.detectedType = null;
+  }
+
+  async run() {
+    this.printHeader();
+    
+    // Step 1: Detect project type
+    await this.detectProject();
+    
+    // Step 2: Configure checks
+    await this.configureChecks();
+    
+    // Step 3: Setup files
+    await this.setupFiles();
+    
+    // Step 4: Print next steps
+    this.printNextSteps();
+    
+    return 0;
+  }
+
+  printHeader() {
+    console.log('');
+    console.log(`${c.cyan}╔══════════════════════════════════════════════════════════════════════╗${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                      ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}   ${c.bold}⚡ VIBECHECK SETUP WIZARD${c.reset}                                        ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}   ${c.dim}Configure your project for production readiness checks${c.reset}           ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                      ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}╚══════════════════════════════════════════════════════════════════════╝${c.reset}`);
+    console.log('');
+  }
+
+  async detectProject() {
+    console.log(`${c.cyan}┌─ Step 1: Project Detection ─────────────────────────────────────────┐${c.reset}`);
+    console.log(`${c.cyan}│${c.reset}`);
+    
+    // Auto-detect project type
+    for (const [key, type] of Object.entries(PROJECT_TYPES)) {
+      if (type.detect(this.projectPath)) {
+        this.detectedType = { key, ...type };
+        break;
+      }
+    }
+
+    if (this.detectedType) {
+      console.log(`${c.cyan}│${c.reset}  ${c.green}✓${c.reset} Detected: ${c.bold}${this.detectedType.icon} ${this.detectedType.name}${c.reset}`);
+    } else {
+      console.log(`${c.cyan}│${c.reset}  ${c.yellow}!${c.reset} Could not auto-detect project type`);
+      this.detectedType = { key: 'node', ...PROJECT_TYPES.node };
+    }
+
+    // Check for package.json
+    const pkg = loadPackageJson(this.projectPath);
+    if (pkg) {
+      console.log(`${c.cyan}│${c.reset}  ${c.green}✓${c.reset} Package: ${c.bold}${pkg.name || 'unnamed'}${c.reset} v${pkg.version || '0.0.0'}`);
+    }
+
+    // Check for existing config
+    const configPath = path.join(this.projectPath, '.vibecheckrc');
+    if (fs.existsSync(configPath)) {
+      console.log(`${c.cyan}│${c.reset}  ${c.yellow}!${c.reset} Existing config found (will be updated)`);
+    }
+
+    console.log(`${c.cyan}│${c.reset}`);
+    console.log(`${c.cyan}└──────────────────────────────────────────────────────────────────────┘${c.reset}`);
+    console.log('');
+  }
+
+  async configureChecks() {
+    console.log(`${c.cyan}┌─ Step 2: Configuration ─────────────────────────────────────────────┐${c.reset}`);
+    console.log(`${c.cyan}│${c.reset}`);
+
+    // Use detected config as base
+    const config = this.detectedType?.config || PROJECT_TYPES.node.config;
+    
+    console.log(`${c.cyan}│${c.reset}  ${c.bold}Enabled checks:${c.reset}`);
+    
+    const allChecks = [
+      { id: 'routes', name: 'Route Integrity', desc: 'Dead links, orphan routes' },
+      { id: 'auth', name: 'Authentication', desc: 'Auth coverage, ghost auth' },
+      { id: 'api', name: 'API Verification', desc: 'Endpoint validation' },
+      { id: 'security', name: 'Security', desc: 'Secrets, vulnerabilities' },
+      { id: 'quality', name: 'Code Quality', desc: 'Mocks, placeholders' },
+      { id: 'billing', name: 'Billing Gates', desc: 'Payment flow verification' },
+    ];
+
+    for (const check of allChecks) {
+      const enabled = config.checks.includes(check.id);
+      const icon = enabled ? `${c.green}✓${c.reset}` : `${c.dim}○${c.reset}`;
+      const color = enabled ? '' : c.dim;
+      console.log(`${c.cyan}│${c.reset}    ${icon} ${color}${check.name}${c.reset} ${c.dim}— ${check.desc}${c.reset}`);
+    }
+
+    this.answers.config = {
+      version: '1.0.0',
+      framework: config.framework,
+      checks: config.checks,
+      output: '.vibecheck',
+      policy: {
+        strict: false,
+        allowlist: { domains: [], packages: [] },
+        ignore: { paths: ['node_modules', '__tests__', '*.test.*', '*.spec.*'] },
+      },
+    };
+
+    console.log(`${c.cyan}│${c.reset}`);
+    console.log(`${c.cyan}└──────────────────────────────────────────────────────────────────────┘${c.reset}`);
+    console.log('');
+  }
+
+  async setupFiles() {
+    console.log(`${c.cyan}┌─ Step 3: Setup ─────────────────────────────────────────────────────┐${c.reset}`);
+    console.log(`${c.cyan}│${c.reset}`);
+
+    const tasks = [
+      { name: 'Creating .vibecheckrc', fn: () => this.createConfig() },
+      { name: 'Creating .vibecheck/ directory', fn: () => this.createOutputDir() },
+      { name: 'Updating .gitignore', fn: () => this.updateGitignore() },
+      { name: 'Creating schemas/', fn: () => this.createSchemas() },
+    ];
+
+    for (const task of tasks) {
+      process.stdout.write(`${c.cyan}│${c.reset}  ○ ${task.name}...`);
+      try {
+        const result = await task.fn();
+        process.stdout.write(`\r${c.cyan}│${c.reset}  ${c.green}✓${c.reset} ${task.name} ${c.dim}${result || ''}${c.reset}\n`);
+      } catch (err) {
+        process.stdout.write(`\r${c.cyan}│${c.reset}  ${c.red}✗${c.reset} ${task.name} ${c.red}${err.message}${c.reset}\n`);
+      }
+    }
+
+    console.log(`${c.cyan}│${c.reset}`);
+    console.log(`${c.cyan}└──────────────────────────────────────────────────────────────────────┘${c.reset}`);
+    console.log('');
+  }
+
+  createConfig() {
+    const configPath = path.join(this.projectPath, '.vibecheckrc');
+    fs.writeFileSync(configPath, JSON.stringify(this.answers.config, null, 2));
+    return '';
+  }
+
+  createOutputDir() {
+    const outputDir = path.join(this.projectPath, '.vibecheck');
+    if (!fs.existsSync(outputDir)) {
+      fs.mkdirSync(outputDir, { recursive: true });
+    }
+    return '';
+  }
+
+  updateGitignore() {
+    const gitignorePath = path.join(this.projectPath, '.gitignore');
+    const entry = '\n# vibecheck\n.vibecheck/\n';
+    
+    if (fs.existsSync(gitignorePath)) {
+      const content = fs.readFileSync(gitignorePath, 'utf8');
+      if (!content.includes('.vibecheck/')) {
+        fs.appendFileSync(gitignorePath, entry);
+        return 'updated';
+      }
+      return 'already configured';
+    } else {
+      fs.writeFileSync(gitignorePath, entry.trim() + '\n');
+      return 'created';
+    }
+  }
+
+  createSchemas() {
+    const schemasDir = path.join(this.projectPath, '.vibecheck', 'schemas');
+    if (!fs.existsSync(schemasDir)) {
+      fs.mkdirSync(schemasDir, { recursive: true });
+    }
+    
+    // Create truthpack schema
+    const truthpackSchema = {
+      "$schema": "https://json-schema.org/draft/2020-12/schema",
+      "$id": "https://vibecheck.dev/schemas/truthpack.json",
+      "title": "Vibecheck Truthpack",
+      "type": "object",
+      "properties": {
+        "version": { "type": "string" },
+        "generatedAt": { "type": "string", "format": "date-time" },
+        "routes": { "type": "object" },
+        "env": { "type": "object" },
+        "auth": { "type": "object" },
+      },
+    };
+    
+    fs.writeFileSync(
+      path.join(schemasDir, 'truthpack.schema.json'),
+      JSON.stringify(truthpackSchema, null, 2)
+    );
+    
+    return '';
+  }
+
+  printNextSteps() {
+    console.log(`${c.green}${c.bold}✓ Vibecheck initialized successfully!${c.reset}`);
+    console.log('');
+    console.log(`${c.cyan}╔══════════════════════════════════════════════════════════════════════╗${c.reset}`);
+    console.log(`${c.cyan}║${c.reset} ${c.bold}Next Steps${c.reset}                                                           ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}╠══════════════════════════════════════════════════════════════════════╣${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                      ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}  ${c.bold}1.${c.reset} Run your first scan:                                             ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}     ${c.cyan}vibecheck ship${c.reset}                                                   ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                      ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}  ${c.bold}2.${c.reset} Review the report:                                               ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}     ${c.dim}Open .vibecheck/report.html in your browser${c.reset}                      ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                      ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}  ${c.bold}3.${c.reset} Fix issues and re-scan:                                          ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}     ${c.cyan}vibecheck ship --fix${c.reset}                                             ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                      ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}  ${c.bold}4.${c.reset} Generate a client report:                                        ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}     ${c.cyan}vibecheck report --type=executive${c.reset}                                ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                      ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}╚══════════════════════════════════════════════════════════════════════╝${c.reset}`);
+    console.log('');
+    console.log(`${c.dim}Tip: Run ${c.cyan}vibecheck --help${c.dim} to see all available commands.${c.reset}`);
+    console.log('');
+  }
+}
+
+module.exports = { InitWizard };

package/bin/runners/lib/json-output.js

@@ -0,0 +1,76 @@
+/**
+ * JSON Output Utilities
+ * 
+ * Provides versioned JSON output schema helpers for CLI commands
+ */
+
+const VERSION = "1.0.0";
+const SCHEMA_BASE = "vibecheck-cli-tool/v1";
+
+/**
+ * Create a versioned JSON output envelope
+ * @param {Object} data - The actual output data
+ * @param {string} schemaType - Schema type (e.g., "scan", "gate", "ship")
+ * @returns {Object} Versioned output object
+ */
+function createVersionedOutput(data, schemaType = "generic") {
+  return {
+    version: VERSION,
+    schema: `${SCHEMA_BASE}/${schemaType}`,
+    timestamp: new Date().toISOString(),
+    ...data,
+  };
+}
+
+/**
+ * Create a versioned error output
+ * @param {string|Error} error - Error message or Error object
+ * @param {Object} metadata - Additional error metadata
+ * @returns {Object} Versioned error output
+ */
+function createErrorOutput(error, metadata = {}) {
+  const errorMessage = error instanceof Error ? error.message : String(error);
+  const errorOutput = {
+    version: VERSION,
+    schema: `${SCHEMA_BASE}/error`,
+    timestamp: new Date().toISOString(),
+    success: false,
+    error: errorMessage,
+  };
+
+  if (metadata.receipt) {
+    errorOutput.receipt = metadata.receipt;
+  }
+  if (metadata.code) {
+    errorOutput.code = metadata.code;
+  }
+  if (metadata.exitCode) {
+    errorOutput.exitCode = metadata.exitCode;
+  }
+  if (metadata.verifyCommand) {
+    errorOutput.verifyCommand = metadata.verifyCommand;
+  }
+
+  return errorOutput;
+}
+
+/**
+ * Create a versioned success output
+ * @param {Object} data - Success data
+ * @param {string} schemaType - Schema type
+ * @returns {Object} Versioned success output
+ */
+function createSuccessOutput(data, schemaType = "generic") {
+  return createVersionedOutput({
+    success: true,
+    ...data,
+  }, schemaType);
+}
+
+module.exports = {
+  VERSION,
+  SCHEMA_BASE,
+  createVersionedOutput,
+  createErrorOutput,
+  createSuccessOutput,
+};

package/bin/runners/lib/llm.js

@@ -0,0 +1,75 @@
+// bin/runners/lib/llm.js
+const https = require("https");
+const http = require("http");
+const { URL } = require("url");
+
+function postJson(urlStr, headers, bodyObj) {
+  const url = new URL(urlStr);
+  const lib = url.protocol === "https:" ? https : http;
+
+  const data = JSON.stringify(bodyObj);
+
+  return new Promise((resolve, reject) => {
+    const req = lib.request(
+      {
+        method: "POST",
+        hostname: url.hostname,
+        port: url.port || (url.protocol === "https:" ? 443 : 80),
+        path: url.pathname,
+        headers: {
+          "Content-Type": "application/json",
+          "Content-Length": Buffer.byteLength(data),
+          ...headers
+        }
+      },
+      (res) => {
+        let buf = "";
+        res.on("data", (d) => (buf += d));
+        res.on("end", () => {
+          try {
+            const json = JSON.parse(buf);
+            resolve({ status: res.statusCode, json, raw: buf });
+          } catch (e) {
+            reject(new Error(`LLM response not JSON (status ${res.statusCode}): ${buf.slice(0, 400)}`));
+          }
+        });
+      }
+    );
+
+    req.on("error", reject);
+    req.write(data);
+    req.end();
+  });
+}
+
+async function generatePatchJson(prompt) {
+  const baseUrl = process.env.VIBECHECK_LLM_BASE_URL;
+  const apiKey = process.env.VIBECHECK_LLM_API_KEY;
+  const model = process.env.VIBECHECK_LLM_MODEL || "gpt-4.1-mini";
+
+  if (!baseUrl || !apiKey) {
+    const err = new Error("LLM not configured: set VIBECHECK_LLM_BASE_URL and VIBECHECK_LLM_API_KEY");
+    err.code = "VIBECHECK_LLM_NOT_CONFIGURED";
+    throw err;
+  }
+
+  const headers = { Authorization: `Bearer ${apiKey}` };
+
+  const body = {
+    model,
+    temperature: 0.1,
+    messages: [
+      { role: "system", content: "Return JSON only." },
+      { role: "user", content: prompt }
+    ]
+  };
+
+  const r = await postJson(baseUrl, headers, body);
+
+  const content = r.json?.choices?.[0]?.message?.content;
+  if (!content) throw new Error("LLM response missing choices[0].message.content");
+
+  return JSON.parse(content);
+}
+
+module.exports = { generatePatchJson };

package/bin/runners/lib/meter.js

@@ -0,0 +1,61 @@
+// bin/runners/lib/meter.js
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+
+function monthKey(d = new Date()) {
+  const y = d.getUTCFullYear();
+  const m = String(d.getUTCMonth() + 1).padStart(2, "0");
+  return `${y}-${m}`;
+}
+
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+
+function readJson(p, fallback) {
+  try { return JSON.parse(fs.readFileSync(p, "utf8")); } catch { return fallback; }
+}
+
+function writeJson(p, obj) {
+  fs.writeFileSync(p, JSON.stringify(obj, null, 2));
+}
+
+function defaultStorePath() {
+  return path.join(os.homedir(), ".vibecheck", "usage.json");
+}
+
+/**
+ * Local meter:
+ * - Free tier: 10 ship checks per calendar month
+ * - Paid tiers: unlimited (you can override tier via env while developing)
+ */
+function consumeShipCheckOrThrow({ tier, limitFree = 10 } = {}) {
+  const effectiveTier = (tier || process.env.VIBECHECK_TIER || "free").toLowerCase();
+
+  if (effectiveTier !== "free") {
+    return { ok: true, remaining: Infinity, tier: effectiveTier };
+  }
+
+  const storePath = process.env.VIBECHECK_USAGE_PATH || defaultStorePath();
+  ensureDir(path.dirname(storePath));
+  const store = readJson(storePath, { months: {} });
+
+  const key = monthKey();
+  const used = store.months[key]?.shipChecks || 0;
+
+  if (used >= limitFree) {
+    const err = new Error(`Free tier limit reached: ${limitFree} full ship checks/month. Upgrade to continue.`);
+    err.code = "VIBECHECK_LIMIT_REACHED";
+    err.meta = { used, limitFree, month: key };
+    throw err;
+  }
+
+  store.months[key] = store.months[key] || {};
+  store.months[key].shipChecks = used + 1;
+  writeJson(storePath, store);
+
+  return { ok: true, remaining: limitFree - (used + 1), tier: effectiveTier };
+}
+
+module.exports = { consumeShipCheckOrThrow };

package/bin/runners/lib/missions/evidence.js

@@ -0,0 +1,126 @@
+// bin/runners/lib/missions/evidence.js
+const fg = require("fast-glob");
+const fs = require("fs");
+const path = require("path");
+const { collectEvidenceSnippets, collectRegexSnippets } = require("../snippets");
+
+async function findFiles(repoRoot, patterns, limit = 12) {
+  const files = await fg(patterns, {
+    cwd: repoRoot,
+    onlyFiles: true,
+    absolute: false,
+    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
+  });
+  return files.slice(0, limit);
+}
+
+function uniq(arr) {
+  return Array.from(new Set((arr || []).filter(Boolean)));
+}
+
+function evidenceFilesFromFindings(findings) {
+  const files = [];
+  for (const f of findings || []) {
+    for (const ev of (f.evidence || [])) {
+      if (ev.file) files.push(ev.file);
+    }
+  }
+  return uniq(files);
+}
+
+function handlerFilesFromTruthpack(truthpack) {
+  const server = truthpack?.routes?.server || [];
+  return uniq(server.map(r => r.handler).filter(Boolean));
+}
+
+function enforcementHandlerFiles(truthpack) {
+  const checks = truthpack?.enforcement?.checks || [];
+  return uniq(checks.map(c => c.handler).filter(Boolean));
+}
+
+function stripeWebhookFiles(truthpack) {
+  const c = truthpack?.billing?.webhookCandidates || [];
+  return uniq(c.map(x => x.file).filter(Boolean));
+}
+
+function middlewareFiles(truthpack) {
+  const m = truthpack?.auth?.nextMiddleware || [];
+  return uniq(m.map(x => x.file).filter(Boolean));
+}
+
+async function expandEvidence({ repoRoot, truthpack, mission, targetFindings }) {
+  const type = mission?.type || "GENERIC_FIX";
+
+  let allowedFiles = evidenceFilesFromFindings(targetFindings);
+
+  if (type === "FIX_ENV_CONTRACT") {
+    allowedFiles = uniq([
+      ...allowedFiles,
+      ".env.example", ".env.template", ".env.sample", ".env"
+    ]);
+  }
+
+  if (type === "FIX_MISSING_ROUTE") {
+    allowedFiles = uniq([
+      ...allowedFiles,
+      ...handlerFilesFromTruthpack(truthpack)
+    ]);
+    const nextApiFiles = await findFiles(repoRoot, ["app/api/**/route.@(ts|js)", "pages/api/**/*.@(ts|js)"], 24);
+    allowedFiles = uniq([...allowedFiles, ...nextApiFiles]);
+  }
+
+  if (type === "ADD_SERVER_AUTH") {
+    allowedFiles = uniq([
+      ...allowedFiles,
+      ...middlewareFiles(truthpack),
+      ...handlerFilesFromTruthpack(truthpack)
+    ]);
+    const authLibs = await findFiles(repoRoot, ["**/*auth*.@(ts|js)","**/*session*.@(ts|js)","**/*jwt*.@(ts|js)"], 12);
+    allowedFiles = uniq([...allowedFiles, ...authLibs]);
+  }
+
+  if (type === "FIX_STRIPE_WEBHOOKS") {
+    allowedFiles = uniq([...allowedFiles, ...stripeWebhookFiles(truthpack)]);
+    const billingLibs = await findFiles(repoRoot, ["**/*stripe*.@(ts|js)","**/*billing*.@(ts|js)","**/*webhook*.@(ts|js)"], 12);
+    allowedFiles = uniq([...allowedFiles, ...billingLibs]);
+  }
+
+  if (type === "ENFORCE_PAID_SURFACE") {
+    allowedFiles = uniq([...allowedFiles, ...enforcementHandlerFiles(truthpack)]);
+    const entitlementLibs = await findFiles(repoRoot, ["**/*entitlement*.@(ts|js)","**/*plan*.@(ts|js)","**/*tier*.@(ts|js)"], 12);
+    allowedFiles = uniq([...allowedFiles, ...entitlementLibs]);
+  }
+
+  if (type === "REMOVE_OWNER_MODE") {
+    const bypassFiles = await findFiles(repoRoot, ["**/*owner*mode*.@(ts|js)","**/*entitlement*.@(ts|js)","**/*auth*.@(ts|js)"], 20);
+    allowedFiles = uniq([...allowedFiles, ...bypassFiles]);
+  }
+
+  if (type === "FIX_FAKE_SUCCESS") {
+    const uiFiles = await findFiles(repoRoot, ["app/**/*.@(ts|tsx|js|jsx)","src/**/*.@(ts|tsx|js|jsx)"], 20);
+    allowedFiles = uniq([...allowedFiles, ...uiFiles]);
+  }
+
+  const evidenceSnips = collectEvidenceSnippets(repoRoot, targetFindings, 12);
+
+  const regexByType = {
+    FIX_STRIPE_WEBHOOKS: /(constructEvent|stripe-signature|bodyParser\s*:\s*false|req\.(text|arrayBuffer)\(|event\.id|idempotenc)/i,
+    ENFORCE_PAID_SURFACE: /(enforceFeature|enforceLimit|getEntitlements|tier|plan|subscription|credits)/i,
+    ADD_SERVER_AUTH: /(authorization|bearer|jwtVerify|getServerSession|clerk|supabase|preHandler|onRequest|rbac|permissions)/i,
+    REMOVE_OWNER_MODE: /(OWNER_MODE|GUARDRAIL_OWNER_MODE|VIBECHECK_OWNER_MODE)/i,
+    FIX_FAKE_SUCCESS: /(toast\.success|router\.push|navigate\(|fetch\(|axios\.)/i,
+    FIX_ENV_CONTRACT: /(^|\s)(export\s+)?[A-Z0-9_]+\s*=/,
+    FIX_MISSING_ROUTE: /(\/api\/|fetch\(|axios\.)/i,
+    FIX_DEAD_UI: /(onClick|onclick|router\.push|navigate\(|toast\.success|fetch\(|axios\.|\/api\/)/i
+  };
+
+  const rx = regexByType[type];
+  const regexSnips = rx ? collectRegexSnippets(repoRoot, allowedFiles, rx, { pad: 4, limit: 10 }) : [];
+
+  return {
+    allowedFiles,
+    snippets: [...evidenceSnips, ...regexSnips]
+  };
+}
+
+module.exports = { expandEvidence };