@vibecheckai/cli 3.1.0 → 3.1.2

package/bin/runners/lib/llm.js

@@ -1,75 +1,75 @@
-// bin/runners/lib/llm.js
-const https = require("https");
-const http = require("http");
-const { URL } = require("url");
-
-function postJson(urlStr, headers, bodyObj) {
-  const url = new URL(urlStr);
-  const lib = url.protocol === "https:" ? https : http;
-
-  const data = JSON.stringify(bodyObj);
-
-  return new Promise((resolve, reject) => {
-    const req = lib.request(
-      {
-        method: "POST",
-        hostname: url.hostname,
-        port: url.port || (url.protocol === "https:" ? 443 : 80),
-        path: url.pathname,
-        headers: {
-          "Content-Type": "application/json",
-          "Content-Length": Buffer.byteLength(data),
-          ...headers
-        }
-      },
-      (res) => {
-        let buf = "";
-        res.on("data", (d) => (buf += d));
-        res.on("end", () => {
-          try {
-            const json = JSON.parse(buf);
-            resolve({ status: res.statusCode, json, raw: buf });
-          } catch (e) {
-            reject(new Error(`LLM response not JSON (status ${res.statusCode}): ${buf.slice(0, 400)}`));
-          }
-        });
-      }
-    );
-
-    req.on("error", reject);
-    req.write(data);
-    req.end();
-  });
-}
-
-async function generatePatchJson(prompt) {
-  const baseUrl = process.env.VIBECHECK_LLM_BASE_URL;
-  const apiKey = process.env.VIBECHECK_LLM_API_KEY;
-  const model = process.env.VIBECHECK_LLM_MODEL || "gpt-4.1-mini";
-
-  if (!baseUrl || !apiKey) {
-    const err = new Error("LLM not configured: set VIBECHECK_LLM_BASE_URL and VIBECHECK_LLM_API_KEY");
-    err.code = "VIBECHECK_LLM_NOT_CONFIGURED";
-    throw err;
-  }
-
-  const headers = { Authorization: `Bearer ${apiKey}` };
-
-  const body = {
-    model,
-    temperature: 0.1,
-    messages: [
-      { role: "system", content: "Return JSON only." },
-      { role: "user", content: prompt }
-    ]
-  };
-
-  const r = await postJson(baseUrl, headers, body);
-
-  const content = r.json?.choices?.[0]?.message?.content;
-  if (!content) throw new Error("LLM response missing choices[0].message.content");
-
-  return JSON.parse(content);
-}
-
-module.exports = { generatePatchJson };
+// bin/runners/lib/llm.js
+const https = require("https");
+const http = require("http");
+const { URL } = require("url");
+
+function postJson(urlStr, headers, bodyObj) {
+  const url = new URL(urlStr);
+  const lib = url.protocol === "https:" ? https : http;
+
+  const data = JSON.stringify(bodyObj);
+
+  return new Promise((resolve, reject) => {
+    const req = lib.request(
+      {
+        method: "POST",
+        hostname: url.hostname,
+        port: url.port || (url.protocol === "https:" ? 443 : 80),
+        path: url.pathname,
+        headers: {
+          "Content-Type": "application/json",
+          "Content-Length": Buffer.byteLength(data),
+          ...headers
+        }
+      },
+      (res) => {
+        let buf = "";
+        res.on("data", (d) => (buf += d));
+        res.on("end", () => {
+          try {
+            const json = JSON.parse(buf);
+            resolve({ status: res.statusCode, json, raw: buf });
+          } catch (e) {
+            reject(new Error(`LLM response not JSON (status ${res.statusCode}): ${buf.slice(0, 400)}`));
+          }
+        });
+      }
+    );
+
+    req.on("error", reject);
+    req.write(data);
+    req.end();
+  });
+}
+
+async function generatePatchJson(prompt) {
+  const baseUrl = process.env.VIBECHECK_LLM_BASE_URL;
+  const apiKey = process.env.VIBECHECK_LLM_API_KEY;
+  const model = process.env.VIBECHECK_LLM_MODEL || "gpt-4.1-mini";
+
+  if (!baseUrl || !apiKey) {
+    const err = new Error("LLM not configured: set VIBECHECK_LLM_BASE_URL and VIBECHECK_LLM_API_KEY");
+    err.code = "VIBECHECK_LLM_NOT_CONFIGURED";
+    throw err;
+  }
+
+  const headers = { Authorization: `Bearer ${apiKey}` };
+
+  const body = {
+    model,
+    temperature: 0.1,
+    messages: [
+      { role: "system", content: "Return JSON only." },
+      { role: "user", content: prompt }
+    ]
+  };
+
+  const r = await postJson(baseUrl, headers, body);
+
+  const content = r.json?.choices?.[0]?.message?.content;
+  if (!content) throw new Error("LLM response missing choices[0].message.content");
+
+  return JSON.parse(content);
+}
+
+module.exports = { generatePatchJson };

package/bin/runners/lib/meter.js

@@ -1,61 +1,61 @@
-// bin/runners/lib/meter.js
-const fs = require("fs");
-const path = require("path");
-const os = require("os");
-
-function monthKey(d = new Date()) {
-  const y = d.getUTCFullYear();
-  const m = String(d.getUTCMonth() + 1).padStart(2, "0");
-  return `${y}-${m}`;
-}
-
-function ensureDir(p) {
-  fs.mkdirSync(p, { recursive: true });
-}
-
-function readJson(p, fallback) {
-  try { return JSON.parse(fs.readFileSync(p, "utf8")); } catch { return fallback; }
-}
-
-function writeJson(p, obj) {
-  fs.writeFileSync(p, JSON.stringify(obj, null, 2));
-}
-
-function defaultStorePath() {
-  return path.join(os.homedir(), ".vibecheck", "usage.json");
-}
-
-/**
- * Local meter:
- * - Free tier: 10 ship checks per calendar month
- * - Paid tiers: unlimited (you can override tier via env while developing)
- */
-function consumeShipCheckOrThrow({ tier, limitFree = 10 } = {}) {
-  const effectiveTier = (tier || process.env.VIBECHECK_TIER || "free").toLowerCase();
-
-  if (effectiveTier !== "free") {
-    return { ok: true, remaining: Infinity, tier: effectiveTier };
-  }
-
-  const storePath = process.env.VIBECHECK_USAGE_PATH || defaultStorePath();
-  ensureDir(path.dirname(storePath));
-  const store = readJson(storePath, { months: {} });
-
-  const key = monthKey();
-  const used = store.months[key]?.shipChecks || 0;
-
-  if (used >= limitFree) {
-    const err = new Error(`Free tier limit reached: ${limitFree} full ship checks/month. Upgrade to continue.`);
-    err.code = "VIBECHECK_LIMIT_REACHED";
-    err.meta = { used, limitFree, month: key };
-    throw err;
-  }
-
-  store.months[key] = store.months[key] || {};
-  store.months[key].shipChecks = used + 1;
-  writeJson(storePath, store);
-
-  return { ok: true, remaining: limitFree - (used + 1), tier: effectiveTier };
-}
-
-module.exports = { consumeShipCheckOrThrow };
+// bin/runners/lib/meter.js
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+
+function monthKey(d = new Date()) {
+  const y = d.getUTCFullYear();
+  const m = String(d.getUTCMonth() + 1).padStart(2, "0");
+  return `${y}-${m}`;
+}
+
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+
+function readJson(p, fallback) {
+  try { return JSON.parse(fs.readFileSync(p, "utf8")); } catch { return fallback; }
+}
+
+function writeJson(p, obj) {
+  fs.writeFileSync(p, JSON.stringify(obj, null, 2));
+}
+
+function defaultStorePath() {
+  return path.join(os.homedir(), ".vibecheck", "usage.json");
+}
+
+/**
+ * Local meter:
+ * - Free tier: 10 ship checks per calendar month
+ * - Paid tiers: unlimited (you can override tier via env while developing)
+ */
+function consumeShipCheckOrThrow({ tier, limitFree = 10 } = {}) {
+  const effectiveTier = (tier || process.env.VIBECHECK_TIER || "free").toLowerCase();
+
+  if (effectiveTier !== "free") {
+    return { ok: true, remaining: Infinity, tier: effectiveTier };
+  }
+
+  const storePath = process.env.VIBECHECK_USAGE_PATH || defaultStorePath();
+  ensureDir(path.dirname(storePath));
+  const store = readJson(storePath, { months: {} });
+
+  const key = monthKey();
+  const used = store.months[key]?.shipChecks || 0;
+
+  if (used >= limitFree) {
+    const err = new Error(`Free tier limit reached: ${limitFree} full ship checks/month. Upgrade to continue.`);
+    err.code = "VIBECHECK_LIMIT_REACHED";
+    err.meta = { used, limitFree, month: key };
+    throw err;
+  }
+
+  store.months[key] = store.months[key] || {};
+  store.months[key].shipChecks = used + 1;
+  writeJson(storePath, store);
+
+  return { ok: true, remaining: limitFree - (used + 1), tier: effectiveTier };
+}
+
+module.exports = { consumeShipCheckOrThrow };

package/bin/runners/lib/missions/evidence.js

@@ -1,126 +1,126 @@
-// bin/runners/lib/missions/evidence.js
-const fg = require("fast-glob");
-const fs = require("fs");
-const path = require("path");
-const { collectEvidenceSnippets, collectRegexSnippets } = require("../snippets");
-
-async function findFiles(repoRoot, patterns, limit = 12) {
-  const files = await fg(patterns, {
-    cwd: repoRoot,
-    onlyFiles: true,
-    absolute: false,
-    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
-  });
-  return files.slice(0, limit);
-}
-
-function uniq(arr) {
-  return Array.from(new Set((arr || []).filter(Boolean)));
-}
-
-function evidenceFilesFromFindings(findings) {
-  const files = [];
-  for (const f of findings || []) {
-    for (const ev of (f.evidence || [])) {
-      if (ev.file) files.push(ev.file);
-    }
-  }
-  return uniq(files);
-}
-
-function handlerFilesFromTruthpack(truthpack) {
-  const server = truthpack?.routes?.server || [];
-  return uniq(server.map(r => r.handler).filter(Boolean));
-}
-
-function enforcementHandlerFiles(truthpack) {
-  const checks = truthpack?.enforcement?.checks || [];
-  return uniq(checks.map(c => c.handler).filter(Boolean));
-}
-
-function stripeWebhookFiles(truthpack) {
-  const c = truthpack?.billing?.webhookCandidates || [];
-  return uniq(c.map(x => x.file).filter(Boolean));
-}
-
-function middlewareFiles(truthpack) {
-  const m = truthpack?.auth?.nextMiddleware || [];
-  return uniq(m.map(x => x.file).filter(Boolean));
-}
-
-async function expandEvidence({ repoRoot, truthpack, mission, targetFindings }) {
-  const type = mission?.type || "GENERIC_FIX";
-
-  let allowedFiles = evidenceFilesFromFindings(targetFindings);
-
-  if (type === "FIX_ENV_CONTRACT") {
-    allowedFiles = uniq([
-      ...allowedFiles,
-      ".env.example", ".env.template", ".env.sample", ".env"
-    ]);
-  }
-
-  if (type === "FIX_MISSING_ROUTE") {
-    allowedFiles = uniq([
-      ...allowedFiles,
-      ...handlerFilesFromTruthpack(truthpack)
-    ]);
-    const nextApiFiles = await findFiles(repoRoot, ["app/api/**/route.@(ts|js)", "pages/api/**/*.@(ts|js)"], 24);
-    allowedFiles = uniq([...allowedFiles, ...nextApiFiles]);
-  }
-
-  if (type === "ADD_SERVER_AUTH") {
-    allowedFiles = uniq([
-      ...allowedFiles,
-      ...middlewareFiles(truthpack),
-      ...handlerFilesFromTruthpack(truthpack)
-    ]);
-    const authLibs = await findFiles(repoRoot, ["**/*auth*.@(ts|js)","**/*session*.@(ts|js)","**/*jwt*.@(ts|js)"], 12);
-    allowedFiles = uniq([...allowedFiles, ...authLibs]);
-  }
-
-  if (type === "FIX_STRIPE_WEBHOOKS") {
-    allowedFiles = uniq([...allowedFiles, ...stripeWebhookFiles(truthpack)]);
-    const billingLibs = await findFiles(repoRoot, ["**/*stripe*.@(ts|js)","**/*billing*.@(ts|js)","**/*webhook*.@(ts|js)"], 12);
-    allowedFiles = uniq([...allowedFiles, ...billingLibs]);
-  }
-
-  if (type === "ENFORCE_PAID_SURFACE") {
-    allowedFiles = uniq([...allowedFiles, ...enforcementHandlerFiles(truthpack)]);
-    const entitlementLibs = await findFiles(repoRoot, ["**/*entitlement*.@(ts|js)","**/*plan*.@(ts|js)","**/*tier*.@(ts|js)"], 12);
-    allowedFiles = uniq([...allowedFiles, ...entitlementLibs]);
-  }
-
-  if (type === "REMOVE_OWNER_MODE") {
-    const bypassFiles = await findFiles(repoRoot, ["**/*owner*mode*.@(ts|js)","**/*entitlement*.@(ts|js)","**/*auth*.@(ts|js)"], 20);
-    allowedFiles = uniq([...allowedFiles, ...bypassFiles]);
-  }
-
-  if (type === "FIX_FAKE_SUCCESS") {
-    const uiFiles = await findFiles(repoRoot, ["app/**/*.@(ts|tsx|js|jsx)","src/**/*.@(ts|tsx|js|jsx)"], 20);
-    allowedFiles = uniq([...allowedFiles, ...uiFiles]);
-  }
-
-  const evidenceSnips = collectEvidenceSnippets(repoRoot, targetFindings, 12);
-
-  const regexByType = {
-    FIX_STRIPE_WEBHOOKS: /(constructEvent|stripe-signature|bodyParser\s*:\s*false|req\.(text|arrayBuffer)\(|event\.id|idempotenc)/i,
-    ENFORCE_PAID_SURFACE: /(enforceFeature|enforceLimit|getEntitlements|tier|plan|subscription|credits)/i,
-    ADD_SERVER_AUTH: /(authorization|bearer|jwtVerify|getServerSession|clerk|supabase|preHandler|onRequest|rbac|permissions)/i,
-    REMOVE_OWNER_MODE: /(OWNER_MODE|GUARDRAIL_OWNER_MODE|VIBECHECK_OWNER_MODE)/i,
-    FIX_FAKE_SUCCESS: /(toast\.success|router\.push|navigate\(|fetch\(|axios\.)/i,
-    FIX_ENV_CONTRACT: /(^|\s)(export\s+)?[A-Z0-9_]+\s*=/,
-    FIX_MISSING_ROUTE: /(\/api\/|fetch\(|axios\.)/i,
-    FIX_DEAD_UI: /(onClick|onclick|router\.push|navigate\(|toast\.success|fetch\(|axios\.|\/api\/)/i
-  };
-
-  const rx = regexByType[type];
-  const regexSnips = rx ? collectRegexSnippets(repoRoot, allowedFiles, rx, { pad: 4, limit: 10 }) : [];
-
-  return {
-    allowedFiles,
-    snippets: [...evidenceSnips, ...regexSnips]
-  };
-}
-
-module.exports = { expandEvidence };
+// bin/runners/lib/missions/evidence.js
+const fg = require("fast-glob");
+const fs = require("fs");
+const path = require("path");
+const { collectEvidenceSnippets, collectRegexSnippets } = require("../snippets");
+
+async function findFiles(repoRoot, patterns, limit = 12) {
+  const files = await fg(patterns, {
+    cwd: repoRoot,
+    onlyFiles: true,
+    absolute: false,
+    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
+  });
+  return files.slice(0, limit);
+}
+
+function uniq(arr) {
+  return Array.from(new Set((arr || []).filter(Boolean)));
+}
+
+function evidenceFilesFromFindings(findings) {
+  const files = [];
+  for (const f of findings || []) {
+    for (const ev of (f.evidence || [])) {
+      if (ev.file) files.push(ev.file);
+    }
+  }
+  return uniq(files);
+}
+
+function handlerFilesFromTruthpack(truthpack) {
+  const server = truthpack?.routes?.server || [];
+  return uniq(server.map(r => r.handler).filter(Boolean));
+}
+
+function enforcementHandlerFiles(truthpack) {
+  const checks = truthpack?.enforcement?.checks || [];
+  return uniq(checks.map(c => c.handler).filter(Boolean));
+}
+
+function stripeWebhookFiles(truthpack) {
+  const c = truthpack?.billing?.webhookCandidates || [];
+  return uniq(c.map(x => x.file).filter(Boolean));
+}
+
+function middlewareFiles(truthpack) {
+  const m = truthpack?.auth?.nextMiddleware || [];
+  return uniq(m.map(x => x.file).filter(Boolean));
+}
+
+async function expandEvidence({ repoRoot, truthpack, mission, targetFindings }) {
+  const type = mission?.type || "GENERIC_FIX";
+
+  let allowedFiles = evidenceFilesFromFindings(targetFindings);
+
+  if (type === "FIX_ENV_CONTRACT") {
+    allowedFiles = uniq([
+      ...allowedFiles,
+      ".env.example", ".env.template", ".env.sample", ".env"
+    ]);
+  }
+
+  if (type === "FIX_MISSING_ROUTE") {
+    allowedFiles = uniq([
+      ...allowedFiles,
+      ...handlerFilesFromTruthpack(truthpack)
+    ]);
+    const nextApiFiles = await findFiles(repoRoot, ["app/api/**/route.@(ts|js)", "pages/api/**/*.@(ts|js)"], 24);
+    allowedFiles = uniq([...allowedFiles, ...nextApiFiles]);
+  }
+
+  if (type === "ADD_SERVER_AUTH") {
+    allowedFiles = uniq([
+      ...allowedFiles,
+      ...middlewareFiles(truthpack),
+      ...handlerFilesFromTruthpack(truthpack)
+    ]);
+    const authLibs = await findFiles(repoRoot, ["**/*auth*.@(ts|js)","**/*session*.@(ts|js)","**/*jwt*.@(ts|js)"], 12);
+    allowedFiles = uniq([...allowedFiles, ...authLibs]);
+  }
+
+  if (type === "FIX_STRIPE_WEBHOOKS") {
+    allowedFiles = uniq([...allowedFiles, ...stripeWebhookFiles(truthpack)]);
+    const billingLibs = await findFiles(repoRoot, ["**/*stripe*.@(ts|js)","**/*billing*.@(ts|js)","**/*webhook*.@(ts|js)"], 12);
+    allowedFiles = uniq([...allowedFiles, ...billingLibs]);
+  }
+
+  if (type === "ENFORCE_PAID_SURFACE") {
+    allowedFiles = uniq([...allowedFiles, ...enforcementHandlerFiles(truthpack)]);
+    const entitlementLibs = await findFiles(repoRoot, ["**/*entitlement*.@(ts|js)","**/*plan*.@(ts|js)","**/*tier*.@(ts|js)"], 12);
+    allowedFiles = uniq([...allowedFiles, ...entitlementLibs]);
+  }
+
+  if (type === "REMOVE_OWNER_MODE") {
+    const bypassFiles = await findFiles(repoRoot, ["**/*owner*mode*.@(ts|js)","**/*entitlement*.@(ts|js)","**/*auth*.@(ts|js)"], 20);
+    allowedFiles = uniq([...allowedFiles, ...bypassFiles]);
+  }
+
+  if (type === "FIX_FAKE_SUCCESS") {
+    const uiFiles = await findFiles(repoRoot, ["app/**/*.@(ts|tsx|js|jsx)","src/**/*.@(ts|tsx|js|jsx)"], 20);
+    allowedFiles = uniq([...allowedFiles, ...uiFiles]);
+  }
+
+  const evidenceSnips = collectEvidenceSnippets(repoRoot, targetFindings, 12);
+
+  const regexByType = {
+    FIX_STRIPE_WEBHOOKS: /(constructEvent|stripe-signature|bodyParser\s*:\s*false|req\.(text|arrayBuffer)\(|event\.id|idempotenc)/i,
+    ENFORCE_PAID_SURFACE: /(enforceFeature|enforceLimit|getEntitlements|tier|plan|subscription|credits)/i,
+    ADD_SERVER_AUTH: /(authorization|bearer|jwtVerify|getServerSession|clerk|supabase|preHandler|onRequest|rbac|permissions)/i,
+    REMOVE_OWNER_MODE: /(OWNER_MODE|GUARDRAIL_OWNER_MODE|VIBECHECK_OWNER_MODE)/i,
+    FIX_FAKE_SUCCESS: /(toast\.success|router\.push|navigate\(|fetch\(|axios\.)/i,
+    FIX_ENV_CONTRACT: /(^|\s)(export\s+)?[A-Z0-9_]+\s*=/,
+    FIX_MISSING_ROUTE: /(\/api\/|fetch\(|axios\.)/i,
+    FIX_DEAD_UI: /(onClick|onclick|router\.push|navigate\(|toast\.success|fetch\(|axios\.|\/api\/)/i
+  };
+
+  const rx = regexByType[type];
+  const regexSnips = rx ? collectRegexSnippets(repoRoot, allowedFiles, rx, { pad: 4, limit: 10 }) : [];
+
+  return {
+    allowedFiles,
+    snippets: [...evidenceSnips, ...regexSnips]
+  };
+}
+
+module.exports = { expandEvidence };

package/bin/runners/lib/missions/plan.js

@@ -1,69 +1,69 @@
-// bin/runners/lib/missions/plan.js
-function scoreFinding(f) {
-  if (f.severity === "BLOCK") return 100;
-  if (f.severity === "WARN") return 50;
-  return 0;
-}
-
-function missionFromFinding(f) {
-  const typeByCategory = {
-    Security: "REMOVE_OWNER_MODE",
-    Billing: "FIX_STRIPE_WEBHOOKS",
-    Entitlements: "ENFORCE_PAID_SURFACE",
-    GhostAuth: "ADD_SERVER_AUTH",
-    MissingRoute: "FIX_MISSING_ROUTE",
-    EnvContract: "FIX_ENV_CONTRACT",
-    FakeSuccess: "FIX_FAKE_SUCCESS",
-    DeadUI: "FIX_DEAD_UI",
-    AuthCoverage: "ADD_SERVER_AUTH"
-  };
-
-  return {
-    id: `M_${f.id}`,
-    type: typeByCategory[f.category] || "GENERIC_FIX",
-    title: f.title,
-    severity: f.severity,
-    category: f.category,
-    successCriteria: [
-      `Finding ${f.id} no longer appears in ship results` 
-    ],
-    targetFindingIds: [f.id]
-  };
-}
-
-function planMissions(findings, { maxMissions = 12, blocksOnlyFirst = true } = {}) {
-  const sorted = [...findings].sort((a,b) => scoreFinding(b) - scoreFinding(a));
-
-  // Cost control: if there are BLOCKs, only plan for BLOCKs first
-  const hasBlocks = sorted.some(f => f.severity === "BLOCK");
-  const scoped = (blocksOnlyFirst && hasBlocks)
-    ? sorted.filter(f => f.severity === "BLOCK")
-    : sorted;
-
-  const seen = new Set();
-  const filtered = [];
-  for (const f of scoped) {
-    const k = `${f.category}:${f.title}`;
-    if (f.severity === "WARN" && seen.has(k)) continue;
-    seen.add(k);
-    filtered.push(f);
-  }
-
-  const missions = filtered.slice(0, maxMissions).map(missionFromFinding);
-
-  const priority = {
-    REMOVE_OWNER_MODE: 1,
-    FIX_STRIPE_WEBHOOKS: 2,
-    ENFORCE_PAID_SURFACE: 3,
-    ADD_SERVER_AUTH: 4,
-    FIX_MISSING_ROUTE: 5,
-    FIX_FAKE_SUCCESS: 6,
-    FIX_ENV_CONTRACT: 7,
-    GENERIC_FIX: 99
-  };
-
-  missions.sort((a,b) => (priority[a.type] || 50) - (priority[b.type] || 50));
-  return missions;
-}
-
-module.exports = { planMissions };
+// bin/runners/lib/missions/plan.js
+function scoreFinding(f) {
+  if (f.severity === "BLOCK") return 100;
+  if (f.severity === "WARN") return 50;
+  return 0;
+}
+
+function missionFromFinding(f) {
+  const typeByCategory = {
+    Security: "REMOVE_OWNER_MODE",
+    Billing: "FIX_STRIPE_WEBHOOKS",
+    Entitlements: "ENFORCE_PAID_SURFACE",
+    GhostAuth: "ADD_SERVER_AUTH",
+    MissingRoute: "FIX_MISSING_ROUTE",
+    EnvContract: "FIX_ENV_CONTRACT",
+    FakeSuccess: "FIX_FAKE_SUCCESS",
+    DeadUI: "FIX_DEAD_UI",
+    AuthCoverage: "ADD_SERVER_AUTH"
+  };
+
+  return {
+    id: `M_${f.id}`,
+    type: typeByCategory[f.category] || "GENERIC_FIX",
+    title: f.title,
+    severity: f.severity,
+    category: f.category,
+    successCriteria: [
+      `Finding ${f.id} no longer appears in ship results` 
+    ],
+    targetFindingIds: [f.id]
+  };
+}
+
+function planMissions(findings, { maxMissions = 12, blocksOnlyFirst = true } = {}) {
+  const sorted = [...findings].sort((a,b) => scoreFinding(b) - scoreFinding(a));
+
+  // Cost control: if there are BLOCKs, only plan for BLOCKs first
+  const hasBlocks = sorted.some(f => f.severity === "BLOCK");
+  const scoped = (blocksOnlyFirst && hasBlocks)
+    ? sorted.filter(f => f.severity === "BLOCK")
+    : sorted;
+
+  const seen = new Set();
+  const filtered = [];
+  for (const f of scoped) {
+    const k = `${f.category}:${f.title}`;
+    if (f.severity === "WARN" && seen.has(k)) continue;
+    seen.add(k);
+    filtered.push(f);
+  }
+
+  const missions = filtered.slice(0, maxMissions).map(missionFromFinding);
+
+  const priority = {
+    REMOVE_OWNER_MODE: 1,
+    FIX_STRIPE_WEBHOOKS: 2,
+    ENFORCE_PAID_SURFACE: 3,
+    ADD_SERVER_AUTH: 4,
+    FIX_MISSING_ROUTE: 5,
+    FIX_FAKE_SUCCESS: 6,
+    FIX_ENV_CONTRACT: 7,
+    GENERIC_FIX: 99
+  };
+
+  missions.sort((a,b) => (priority[a.type] || 50) - (priority[b.type] || 50));
+  return missions;
+}
+
+module.exports = { planMissions };