npm - @vibecheckai/cli - Versions diffs - 3.2.2 → 3.2.4 - Mend

@vibecheckai/cli 3.2.2 → 3.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/bin/.generated +25 -25
package/bin/dev/run-v2-torture.js +30 -30
package/bin/runners/ENHANCEMENT_GUIDE.md +121 -121
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -295
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +117 -28
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +23 -14
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +72 -1
package/bin/runners/lib/agent-firewall/interceptor/base.js +2 -2
package/bin/runners/lib/agent-firewall/policy/default-policy.json +6 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +34 -3
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +29 -4
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +12 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +21 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/analyzers.js +606 -325
package/bin/runners/lib/auth-truth.js +193 -193
package/bin/runners/lib/backup.js +62 -62
package/bin/runners/lib/billing.js +107 -107
package/bin/runners/lib/claims.js +118 -118
package/bin/runners/lib/cli-ui.js +540 -540
package/bin/runners/lib/contracts/auth-contract.js +202 -202
package/bin/runners/lib/contracts/env-contract.js +181 -181
package/bin/runners/lib/contracts/external-contract.js +206 -206
package/bin/runners/lib/contracts/guard.js +168 -168
package/bin/runners/lib/contracts/index.js +89 -89
package/bin/runners/lib/contracts/plan-validator.js +311 -311
package/bin/runners/lib/contracts/route-contract.js +199 -199
package/bin/runners/lib/contracts.js +804 -804
package/bin/runners/lib/detect.js +89 -89
package/bin/runners/lib/doctor/autofix.js +254 -254
package/bin/runners/lib/doctor/index.js +37 -37
package/bin/runners/lib/doctor/modules/dependencies.js +325 -325
package/bin/runners/lib/doctor/modules/index.js +46 -46
package/bin/runners/lib/doctor/modules/network.js +250 -250
package/bin/runners/lib/doctor/modules/project.js +312 -312
package/bin/runners/lib/doctor/modules/runtime.js +224 -224
package/bin/runners/lib/doctor/modules/security.js +348 -348
package/bin/runners/lib/doctor/modules/system.js +213 -213
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -394
package/bin/runners/lib/doctor/reporter.js +262 -262
package/bin/runners/lib/doctor/service.js +262 -262
package/bin/runners/lib/doctor/types.js +113 -113
package/bin/runners/lib/doctor/ui.js +263 -263
package/bin/runners/lib/doctor-v2.js +608 -608
package/bin/runners/lib/drift.js +425 -425
package/bin/runners/lib/enforcement.js +72 -72
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/enterprise-detect.js +603 -603
package/bin/runners/lib/enterprise-init.js +942 -942
package/bin/runners/lib/env-resolver.js +417 -417
package/bin/runners/lib/env-template.js +66 -66
package/bin/runners/lib/env.js +189 -189
package/bin/runners/lib/extractors/client-calls.js +990 -990
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -573
package/bin/runners/lib/extractors/fastify-routes.js +426 -426
package/bin/runners/lib/extractors/index.js +363 -363
package/bin/runners/lib/extractors/next-routes.js +524 -524
package/bin/runners/lib/extractors/proof-graph.js +431 -431
package/bin/runners/lib/extractors/route-matcher.js +451 -451
package/bin/runners/lib/extractors/truthpack-v2.js +377 -377
package/bin/runners/lib/extractors/ui-bindings.js +547 -547
package/bin/runners/lib/findings-schema.js +281 -281
package/bin/runners/lib/firewall-prompt.js +50 -50
package/bin/runners/lib/global-flags.js +213 -213
package/bin/runners/lib/graph/graph-builder.js +265 -265
package/bin/runners/lib/graph/html-renderer.js +413 -413
package/bin/runners/lib/graph/index.js +32 -32
package/bin/runners/lib/graph/runtime-collector.js +215 -215
package/bin/runners/lib/graph/static-extractor.js +518 -518
package/bin/runners/lib/html-report.js +650 -650
package/bin/runners/lib/interactive-menu.js +1496 -1496
package/bin/runners/lib/llm.js +75 -75
package/bin/runners/lib/meter.js +61 -61
package/bin/runners/lib/missions/evidence.js +126 -126
package/bin/runners/lib/patch.js +40 -40
package/bin/runners/lib/permissions/auth-model.js +213 -213
package/bin/runners/lib/permissions/idor-prover.js +205 -205
package/bin/runners/lib/permissions/index.js +45 -45
package/bin/runners/lib/permissions/matrix-builder.js +198 -198
package/bin/runners/lib/pkgjson.js +28 -28
package/bin/runners/lib/policy.js +295 -295
package/bin/runners/lib/preflight.js +142 -142
package/bin/runners/lib/reality/correlation-detectors.js +359 -359
package/bin/runners/lib/reality/index.js +318 -318
package/bin/runners/lib/reality/request-hashing.js +416 -416
package/bin/runners/lib/reality/request-mapper.js +453 -453
package/bin/runners/lib/reality/safety-rails.js +463 -463
package/bin/runners/lib/reality/semantic-snapshot.js +408 -408
package/bin/runners/lib/reality/toast-detector.js +393 -393
package/bin/runners/lib/reality-findings.js +84 -84
package/bin/runners/lib/receipts.js +179 -179
package/bin/runners/lib/redact.js +29 -29
package/bin/runners/lib/replay/capsule-manager.js +154 -154
package/bin/runners/lib/replay/index.js +263 -263
package/bin/runners/lib/replay/player.js +348 -348
package/bin/runners/lib/replay/recorder.js +331 -331
package/bin/runners/lib/report-output.js +187 -187
package/bin/runners/lib/report.js +135 -135
package/bin/runners/lib/route-detection.js +1140 -1140
package/bin/runners/lib/sandbox/index.js +59 -59
package/bin/runners/lib/sandbox/proof-chain.js +399 -399
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -205
package/bin/runners/lib/sandbox/worktree.js +174 -174
package/bin/runners/lib/scan-output.js +525 -190
package/bin/runners/lib/schema-validator.js +350 -350
package/bin/runners/lib/schemas/contracts.schema.json +160 -160
package/bin/runners/lib/schemas/finding.schema.json +100 -100
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -206
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -176
package/bin/runners/lib/schemas/reality-report.schema.json +162 -162
package/bin/runners/lib/schemas/share-pack.schema.json +180 -180
package/bin/runners/lib/schemas/ship-report.schema.json +117 -117
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -303
package/bin/runners/lib/schemas/validator.js +438 -438
package/bin/runners/lib/score-history.js +282 -282
package/bin/runners/lib/share-pack.js +239 -239
package/bin/runners/lib/snippets.js +67 -67
package/bin/runners/lib/status-output.js +253 -253
package/bin/runners/lib/terminal-ui.js +351 -271
package/bin/runners/lib/upsell.js +510 -510
package/bin/runners/lib/usage.js +153 -153
package/bin/runners/lib/validate-patch.js +156 -156
package/bin/runners/lib/verdict-engine.js +628 -628
package/bin/runners/reality/engine.js +917 -917
package/bin/runners/reality/flows.js +122 -122
package/bin/runners/reality/report.js +378 -378
package/bin/runners/reality/session.js +193 -193
package/bin/runners/runGuard.js +168 -168
package/bin/runners/runProof.zip +0 -0
package/bin/runners/runProve.js +8 -0
package/bin/runners/runReality.js +14 -0
package/bin/runners/runScan.js +17 -1
package/bin/runners/runTruth.js +15 -3
package/mcp-server/tier-auth.js +4 -4
package/mcp-server/tools/index.js +72 -72
package/package.json +1 -1

package/bin/runners/lib/contracts/guard.js CHANGED Viewed

@@ -1,168 +1,168 @@
-/**
- * Contract Guard
- * Validates code against contracts - CI gate functionality
- */
-"use strict";
-const fs = require("fs");
-const path = require("path");
-const { validateAgainstRouteContract } = require("./route-contract");
-const { validateAgainstEnvContract } = require("./env-contract");
-const { validateAuthContract } = require("./auth-contract");
-const { validateExternalContract } = require("./external-contract");
-/**
- * Load contracts from .vibecheck/contracts/
- */
-function loadContracts(repoRoot) {
-  const contractDir = path.join(repoRoot, ".vibecheck", "contracts");
-  const contracts = {};
-  const files = {
-    routes: "routes.json",
-    env: "env.json",
-    auth: "auth.json",
-    external: "external.json"
-  };
-  for (const [key, file] of Object.entries(files)) {
-    const filePath = path.join(contractDir, file);
-    if (fs.existsSync(filePath)) {
-      try {
-        contracts[key] = JSON.parse(fs.readFileSync(filePath, "utf8"));
-      } catch (e) {
-        console.warn(`Warning: Could not parse ${file}: ${e.message}`);
-      }
-    }
-  }
-  return contracts;
-}
-/**
- * Save contracts to .vibecheck/contracts/
- */
-function saveContracts(repoRoot, contracts) {
-  const contractDir = path.join(repoRoot, ".vibecheck", "contracts");
-  fs.mkdirSync(contractDir, { recursive: true });
-  const files = {
-    routes: "routes.json",
-    env: "env.json",
-    auth: "auth.json",
-    external: "external.json"
-  };
-  for (const [key, file] of Object.entries(files)) {
-    if (contracts[key]) {
-      const filePath = path.join(contractDir, file);
-      fs.writeFileSync(filePath, JSON.stringify(contracts[key], null, 2), "utf8");
-    }
-  }
-}
-/**
- * Guard: Validate current code against contracts
- */
-function guardContracts(contracts, truthpack, options = {}) {
-  const violations = [];
-  // Route contract validation
-  if (contracts.routes && truthpack?.routes?.clientRefs) {
-    const routeViolations = validateAgainstRouteContract(
-      contracts.routes,
-      truthpack.routes.clientRefs
-    );
-    violations.push(...routeViolations);
-  }
-  // Env contract validation
-  if (contracts.env && truthpack?.env?.vars) {
-    const envViolations = validateAgainstEnvContract(
-      contracts.env,
-      truthpack.env.vars
-    );
-    violations.push(...envViolations);
-  }
-  // Auth contract validation
-  if (contracts.auth && truthpack?.routes?.server) {
-    const authViolations = validateAuthContract(
-      contracts.auth,
-      truthpack.routes.server,
-      options.realityResults
-    );
-    violations.push(...authViolations);
-  }
-  // External contract validation
-  if (contracts.external) {
-    const externalViolations = validateExternalContract(contracts.external);
-    violations.push(...externalViolations);
-  }
-  return {
-    valid: violations.filter(v => v.severity === "BLOCK").length === 0,
-    violations,
-    blocks: violations.filter(v => v.severity === "BLOCK"),
-    warns: violations.filter(v => v.severity === "WARN")
-  };
-}
-/**
- * Get guard summary for CI output
- */
-function getGuardSummary(guardResult) {
-  const { valid, blocks, warns } = guardResult;
-  return {
-    verdict: valid ? (warns.length ? "WARN" : "PASS") : "BLOCK",
-    exitCode: valid ? (warns.length ? 1 : 0) : 2,
-    summary: {
-      blocks: blocks.length,
-      warns: warns.length,
-      total: blocks.length + warns.length
-    },
-    violations: guardResult.violations
-  };
-}
-/**
- * Format guard result for console output
- */
-function formatGuardResult(guardResult) {
-  const lines = [];
-  const { violations, blocks, warns } = guardResult;
-  if (violations.length === 0) {
-    lines.push("✓ All contracts satisfied");
-    return lines.join("\n");
-  }
-  if (blocks.length > 0) {
-    lines.push(`\n🛑 BLOCKS (${blocks.length}):`);
-    for (const v of blocks) {
-      lines.push(`  ✗ [${v.type}] ${v.message}`);
-      if (v.route) lines.push(`    Route: ${v.route}`);
-      if (v.name) lines.push(`    Var: ${v.name}`);
-    }
-  }
-  if (warns.length > 0) {
-    lines.push(`\n⚠️ WARNINGS (${warns.length}):`);
-    for (const v of warns) {
-      lines.push(`  ⚠ [${v.type}] ${v.message}`);
-    }
-  }
-  return lines.join("\n");
-}
-module.exports = {
-  loadContracts,
-  saveContracts,
-  guardContracts,
-  getGuardSummary,
-  formatGuardResult
-};
+/**
+ * Contract Guard
+ * Validates code against contracts - CI gate functionality
+ */
+"use strict";
+const fs = require("fs");
+const path = require("path");
+const { validateAgainstRouteContract } = require("./route-contract");
+const { validateAgainstEnvContract } = require("./env-contract");
+const { validateAuthContract } = require("./auth-contract");
+const { validateExternalContract } = require("./external-contract");
+/**
+ * Load contracts from .vibecheck/contracts/
+ */
+function loadContracts(repoRoot) {
+  const contractDir = path.join(repoRoot, ".vibecheck", "contracts");
+  const contracts = {};
+  const files = {
+    routes: "routes.json",
+    env: "env.json",
+    auth: "auth.json",
+    external: "external.json"
+  };
+  for (const [key, file] of Object.entries(files)) {
+    const filePath = path.join(contractDir, file);
+    if (fs.existsSync(filePath)) {
+      try {
+        contracts[key] = JSON.parse(fs.readFileSync(filePath, "utf8"));
+      } catch (e) {
+        console.warn(`Warning: Could not parse ${file}: ${e.message}`);
+      }
+    }
+  }
+  return contracts;
+}
+/**
+ * Save contracts to .vibecheck/contracts/
+ */
+function saveContracts(repoRoot, contracts) {
+  const contractDir = path.join(repoRoot, ".vibecheck", "contracts");
+  fs.mkdirSync(contractDir, { recursive: true });
+  const files = {
+    routes: "routes.json",
+    env: "env.json",
+    auth: "auth.json",
+    external: "external.json"
+  };
+  for (const [key, file] of Object.entries(files)) {
+    if (contracts[key]) {
+      const filePath = path.join(contractDir, file);
+      fs.writeFileSync(filePath, JSON.stringify(contracts[key], null, 2), "utf8");
+    }
+  }
+}
+/**
+ * Guard: Validate current code against contracts
+ */
+function guardContracts(contracts, truthpack, options = {}) {
+  const violations = [];
+  // Route contract validation
+  if (contracts.routes && truthpack?.routes?.clientRefs) {
+    const routeViolations = validateAgainstRouteContract(
+      contracts.routes,
+      truthpack.routes.clientRefs
+    );
+    violations.push(...routeViolations);
+  }
+  // Env contract validation
+  if (contracts.env && truthpack?.env?.vars) {
+    const envViolations = validateAgainstEnvContract(
+      contracts.env,
+      truthpack.env.vars
+    );
+    violations.push(...envViolations);
+  }
+  // Auth contract validation
+  if (contracts.auth && truthpack?.routes?.server) {
+    const authViolations = validateAuthContract(
+      contracts.auth,
+      truthpack.routes.server,
+      options.realityResults
+    );
+    violations.push(...authViolations);
+  }
+  // External contract validation
+  if (contracts.external) {
+    const externalViolations = validateExternalContract(contracts.external);
+    violations.push(...externalViolations);
+  }
+  return {
+    valid: violations.filter(v => v.severity === "BLOCK").length === 0,
+    violations,
+    blocks: violations.filter(v => v.severity === "BLOCK"),
+    warns: violations.filter(v => v.severity === "WARN")
+  };
+}
+/**
+ * Get guard summary for CI output
+ */
+function getGuardSummary(guardResult) {
+  const { valid, blocks, warns } = guardResult;
+  return {
+    verdict: valid ? (warns.length ? "WARN" : "PASS") : "BLOCK",
+    exitCode: valid ? (warns.length ? 1 : 0) : 2,
+    summary: {
+      blocks: blocks.length,
+      warns: warns.length,
+      total: blocks.length + warns.length
+    },
+    violations: guardResult.violations
+  };
+}
+/**
+ * Format guard result for console output
+ */
+function formatGuardResult(guardResult) {
+  const lines = [];
+  const { violations, blocks, warns } = guardResult;
+  if (violations.length === 0) {
+    lines.push("✓ All contracts satisfied");
+    return lines.join("\n");
+  }
+  if (blocks.length > 0) {
+    lines.push(`\n🛑 BLOCKS (${blocks.length}):`);
+    for (const v of blocks) {
+      lines.push(`  ✗ [${v.type}] ${v.message}`);
+      if (v.route) lines.push(`    Route: ${v.route}`);
+      if (v.name) lines.push(`    Var: ${v.name}`);
+    }
+  }
+  if (warns.length > 0) {
+    lines.push(`\n⚠️ WARNINGS (${warns.length}):`);
+    for (const v of warns) {
+      lines.push(`  ⚠ [${v.type}] ${v.message}`);
+    }
+  }
+  return lines.join("\n");
+}
+module.exports = {
+  loadContracts,
+  saveContracts,
+  guardContracts,
+  getGuardSummary,
+  formatGuardResult
+};

package/bin/runners/lib/contracts/index.js CHANGED Viewed

@@ -1,89 +1,89 @@
-/**
- * Context Contracts - Module Index
- *
- * Exports all contract functionality for CLI and MCP use
- */
-"use strict";
-const { buildRouteContract, validateAgainstRouteContract, diffRouteContracts } = require("./route-contract");
-const { buildEnvContract, validateAgainstEnvContract, diffEnvContracts } = require("./env-contract");
-const { buildAuthContract, validateAuthContract, diffAuthContracts } = require("./auth-contract");
-const { buildExternalContract, validateExternalContract, diffExternalContracts } = require("./external-contract");
-const { loadContracts, saveContracts, guardContracts, getGuardSummary, formatGuardResult } = require("./guard");
-const { validatePlan, parsePlanActions, formatValidationResult } = require("./plan-validator");
-/**
- * Build all contracts from truthpack
- */
-function buildAllContracts(truthpack) {
-  return {
-    routes: buildRouteContract(truthpack),
-    env: buildEnvContract(truthpack),
-    auth: buildAuthContract(truthpack),
-    external: buildExternalContract(truthpack)
-  };
-}
-/**
- * Diff all contracts
- */
-function diffAllContracts(before, after) {
-  return {
-    routes: before.routes && after.routes ? diffRouteContracts(before.routes, after.routes) : null,
-    env: before.env && after.env ? diffEnvContracts(before.env, after.env) : null,
-    auth: before.auth && after.auth ? diffAuthContracts(before.auth, after.auth) : null,
-    external: before.external && after.external ? diffExternalContracts(before.external, after.external) : null
-  };
-}
-/**
- * Check if contracts have meaningful changes
- */
-function hasContractChanges(diff) {
-  if (!diff) return false;
-  const checkDiff = (d) => {
-    if (!d) return false;
-    return (d.added?.length > 0) || (d.removed?.length > 0) || (d.changed?.length > 0) ||
-           (d.protectedAdded?.length > 0) || (d.protectedRemoved?.length > 0);
-  };
-  return checkDiff(diff.routes) || checkDiff(diff.env) ||
-         checkDiff(diff.auth) || checkDiff(diff.external);
-}
-module.exports = {
-  // Contract builders
-  buildRouteContract,
-  buildEnvContract,
-  buildAuthContract,
-  buildExternalContract,
-  buildAllContracts,
-  // Contract validation
-  validateAgainstRouteContract,
-  validateAgainstEnvContract,
-  validateAuthContract,
-  validateExternalContract,
-  // Contract diffing
-  diffRouteContracts,
-  diffEnvContracts,
-  diffAuthContracts,
-  diffExternalContracts,
-  diffAllContracts,
-  hasContractChanges,
-  // Guard (CI gate)
-  loadContracts,
-  saveContracts,
-  guardContracts,
-  getGuardSummary,
-  formatGuardResult,
-  // Plan validation (hallucination stopper)
-  validatePlan,
-  parsePlanActions,
-  formatValidationResult
-};
+/**
+ * Context Contracts - Module Index
+ *
+ * Exports all contract functionality for CLI and MCP use
+ */
+"use strict";
+const { buildRouteContract, validateAgainstRouteContract, diffRouteContracts } = require("./route-contract");
+const { buildEnvContract, validateAgainstEnvContract, diffEnvContracts } = require("./env-contract");
+const { buildAuthContract, validateAuthContract, diffAuthContracts } = require("./auth-contract");
+const { buildExternalContract, validateExternalContract, diffExternalContracts } = require("./external-contract");
+const { loadContracts, saveContracts, guardContracts, getGuardSummary, formatGuardResult } = require("./guard");
+const { validatePlan, parsePlanActions, formatValidationResult } = require("./plan-validator");
+/**
+ * Build all contracts from truthpack
+ */
+function buildAllContracts(truthpack) {
+  return {
+    routes: buildRouteContract(truthpack),
+    env: buildEnvContract(truthpack),
+    auth: buildAuthContract(truthpack),
+    external: buildExternalContract(truthpack)
+  };
+}
+/**
+ * Diff all contracts
+ */
+function diffAllContracts(before, after) {
+  return {
+    routes: before.routes && after.routes ? diffRouteContracts(before.routes, after.routes) : null,
+    env: before.env && after.env ? diffEnvContracts(before.env, after.env) : null,
+    auth: before.auth && after.auth ? diffAuthContracts(before.auth, after.auth) : null,
+    external: before.external && after.external ? diffExternalContracts(before.external, after.external) : null
+  };
+}
+/**
+ * Check if contracts have meaningful changes
+ */
+function hasContractChanges(diff) {
+  if (!diff) return false;
+  const checkDiff = (d) => {
+    if (!d) return false;
+    return (d.added?.length > 0) || (d.removed?.length > 0) || (d.changed?.length > 0) ||
+           (d.protectedAdded?.length > 0) || (d.protectedRemoved?.length > 0);
+  };
+  return checkDiff(diff.routes) || checkDiff(diff.env) ||
+         checkDiff(diff.auth) || checkDiff(diff.external);
+}
+module.exports = {
+  // Contract builders
+  buildRouteContract,
+  buildEnvContract,
+  buildAuthContract,
+  buildExternalContract,
+  buildAllContracts,
+  // Contract validation
+  validateAgainstRouteContract,
+  validateAgainstEnvContract,
+  validateAuthContract,
+  validateExternalContract,
+  // Contract diffing
+  diffRouteContracts,
+  diffEnvContracts,
+  diffAuthContracts,
+  diffExternalContracts,
+  diffAllContracts,
+  hasContractChanges,
+  // Guard (CI gate)
+  loadContracts,
+  saveContracts,
+  guardContracts,
+  getGuardSummary,
+  formatGuardResult,
+  // Plan validation (hallucination stopper)
+  validatePlan,
+  parsePlanActions,
+  formatValidationResult
+};