npm - @vibecheckai/cli - Versions diffs - 3.2.2 → 3.2.4 - Mend

@vibecheckai/cli 3.2.2 → 3.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/bin/.generated +25 -25
package/bin/dev/run-v2-torture.js +30 -30
package/bin/runners/ENHANCEMENT_GUIDE.md +121 -121
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -295
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +117 -28
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +23 -14
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +72 -1
package/bin/runners/lib/agent-firewall/interceptor/base.js +2 -2
package/bin/runners/lib/agent-firewall/policy/default-policy.json +6 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +34 -3
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +29 -4
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +12 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +21 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/analyzers.js +606 -325
package/bin/runners/lib/auth-truth.js +193 -193
package/bin/runners/lib/backup.js +62 -62
package/bin/runners/lib/billing.js +107 -107
package/bin/runners/lib/claims.js +118 -118
package/bin/runners/lib/cli-ui.js +540 -540
package/bin/runners/lib/contracts/auth-contract.js +202 -202
package/bin/runners/lib/contracts/env-contract.js +181 -181
package/bin/runners/lib/contracts/external-contract.js +206 -206
package/bin/runners/lib/contracts/guard.js +168 -168
package/bin/runners/lib/contracts/index.js +89 -89
package/bin/runners/lib/contracts/plan-validator.js +311 -311
package/bin/runners/lib/contracts/route-contract.js +199 -199
package/bin/runners/lib/contracts.js +804 -804
package/bin/runners/lib/detect.js +89 -89
package/bin/runners/lib/doctor/autofix.js +254 -254
package/bin/runners/lib/doctor/index.js +37 -37
package/bin/runners/lib/doctor/modules/dependencies.js +325 -325
package/bin/runners/lib/doctor/modules/index.js +46 -46
package/bin/runners/lib/doctor/modules/network.js +250 -250
package/bin/runners/lib/doctor/modules/project.js +312 -312
package/bin/runners/lib/doctor/modules/runtime.js +224 -224
package/bin/runners/lib/doctor/modules/security.js +348 -348
package/bin/runners/lib/doctor/modules/system.js +213 -213
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -394
package/bin/runners/lib/doctor/reporter.js +262 -262
package/bin/runners/lib/doctor/service.js +262 -262
package/bin/runners/lib/doctor/types.js +113 -113
package/bin/runners/lib/doctor/ui.js +263 -263
package/bin/runners/lib/doctor-v2.js +608 -608
package/bin/runners/lib/drift.js +425 -425
package/bin/runners/lib/enforcement.js +72 -72
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/enterprise-detect.js +603 -603
package/bin/runners/lib/enterprise-init.js +942 -942
package/bin/runners/lib/env-resolver.js +417 -417
package/bin/runners/lib/env-template.js +66 -66
package/bin/runners/lib/env.js +189 -189
package/bin/runners/lib/extractors/client-calls.js +990 -990
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -573
package/bin/runners/lib/extractors/fastify-routes.js +426 -426
package/bin/runners/lib/extractors/index.js +363 -363
package/bin/runners/lib/extractors/next-routes.js +524 -524
package/bin/runners/lib/extractors/proof-graph.js +431 -431
package/bin/runners/lib/extractors/route-matcher.js +451 -451
package/bin/runners/lib/extractors/truthpack-v2.js +377 -377
package/bin/runners/lib/extractors/ui-bindings.js +547 -547
package/bin/runners/lib/findings-schema.js +281 -281
package/bin/runners/lib/firewall-prompt.js +50 -50
package/bin/runners/lib/global-flags.js +213 -213
package/bin/runners/lib/graph/graph-builder.js +265 -265
package/bin/runners/lib/graph/html-renderer.js +413 -413
package/bin/runners/lib/graph/index.js +32 -32
package/bin/runners/lib/graph/runtime-collector.js +215 -215
package/bin/runners/lib/graph/static-extractor.js +518 -518
package/bin/runners/lib/html-report.js +650 -650
package/bin/runners/lib/interactive-menu.js +1496 -1496
package/bin/runners/lib/llm.js +75 -75
package/bin/runners/lib/meter.js +61 -61
package/bin/runners/lib/missions/evidence.js +126 -126
package/bin/runners/lib/patch.js +40 -40
package/bin/runners/lib/permissions/auth-model.js +213 -213
package/bin/runners/lib/permissions/idor-prover.js +205 -205
package/bin/runners/lib/permissions/index.js +45 -45
package/bin/runners/lib/permissions/matrix-builder.js +198 -198
package/bin/runners/lib/pkgjson.js +28 -28
package/bin/runners/lib/policy.js +295 -295
package/bin/runners/lib/preflight.js +142 -142
package/bin/runners/lib/reality/correlation-detectors.js +359 -359
package/bin/runners/lib/reality/index.js +318 -318
package/bin/runners/lib/reality/request-hashing.js +416 -416
package/bin/runners/lib/reality/request-mapper.js +453 -453
package/bin/runners/lib/reality/safety-rails.js +463 -463
package/bin/runners/lib/reality/semantic-snapshot.js +408 -408
package/bin/runners/lib/reality/toast-detector.js +393 -393
package/bin/runners/lib/reality-findings.js +84 -84
package/bin/runners/lib/receipts.js +179 -179
package/bin/runners/lib/redact.js +29 -29
package/bin/runners/lib/replay/capsule-manager.js +154 -154
package/bin/runners/lib/replay/index.js +263 -263
package/bin/runners/lib/replay/player.js +348 -348
package/bin/runners/lib/replay/recorder.js +331 -331
package/bin/runners/lib/report-output.js +187 -187
package/bin/runners/lib/report.js +135 -135
package/bin/runners/lib/route-detection.js +1140 -1140
package/bin/runners/lib/sandbox/index.js +59 -59
package/bin/runners/lib/sandbox/proof-chain.js +399 -399
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -205
package/bin/runners/lib/sandbox/worktree.js +174 -174
package/bin/runners/lib/scan-output.js +525 -190
package/bin/runners/lib/schema-validator.js +350 -350
package/bin/runners/lib/schemas/contracts.schema.json +160 -160
package/bin/runners/lib/schemas/finding.schema.json +100 -100
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -206
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -176
package/bin/runners/lib/schemas/reality-report.schema.json +162 -162
package/bin/runners/lib/schemas/share-pack.schema.json +180 -180
package/bin/runners/lib/schemas/ship-report.schema.json +117 -117
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -303
package/bin/runners/lib/schemas/validator.js +438 -438
package/bin/runners/lib/score-history.js +282 -282
package/bin/runners/lib/share-pack.js +239 -239
package/bin/runners/lib/snippets.js +67 -67
package/bin/runners/lib/status-output.js +253 -253
package/bin/runners/lib/terminal-ui.js +351 -271
package/bin/runners/lib/upsell.js +510 -510
package/bin/runners/lib/usage.js +153 -153
package/bin/runners/lib/validate-patch.js +156 -156
package/bin/runners/lib/verdict-engine.js +628 -628
package/bin/runners/reality/engine.js +917 -917
package/bin/runners/reality/flows.js +122 -122
package/bin/runners/reality/report.js +378 -378
package/bin/runners/reality/session.js +193 -193
package/bin/runners/runGuard.js +168 -168
package/bin/runners/runProof.zip +0 -0
package/bin/runners/runProve.js +8 -0
package/bin/runners/runReality.js +14 -0
package/bin/runners/runScan.js +17 -1
package/bin/runners/runTruth.js +15 -3
package/mcp-server/tier-auth.js +4 -4
package/mcp-server/tools/index.js +72 -72
package/package.json +1 -1

package/bin/runners/lib/env-resolver.js CHANGED Viewed

@@ -1,417 +1,417 @@
-/**
- * Env Resolver v2
- *
- * Resolves environment variables for client calls, handles baseURL,
- * and generates .env.template from usage.
- */
-"use strict";
-const fs = require("fs");
-const path = require("path");
-// =============================================================================
-// ENV VAR PATTERNS
-// =============================================================================
-const ENV_PATTERNS = {
-  // Standard Node.js
-  processEnv: /process\.env\.(\w+)/g,
-  processEnvBracket: /process\.env\[['"](\w+)['"]\]/g,
-  // Vite
-  importMetaEnv: /import\.meta\.env\.(\w+)/g,
-  // Template literals
-  templateEnv: /\$\{process\.env\.(\w+)\}/g,
-  // Next.js public
-  nextPublic: /NEXT_PUBLIC_(\w+)/g,
-};
-const BASE_URL_VARS = [
-  "NEXT_PUBLIC_API_URL",
-  "NEXT_PUBLIC_BASE_URL",
-  "NEXT_PUBLIC_APP_URL",
-  "VITE_API_URL",
-  "VITE_BASE_URL",
-  "API_URL",
-  "API_BASE_URL",
-  "BASE_URL",
-  "APP_URL",
-  "BACKEND_URL",
-];
-const SENSITIVE_PATTERNS = [
-  /SECRET/i,
-  /KEY/i,
-  /TOKEN/i,
-  /PASSWORD/i,
-  /PRIVATE/i,
-  /CREDENTIAL/i,
-  /AUTH/i,
-];
-// =============================================================================
-// BASE URL RESOLUTION
-// =============================================================================
-/**
- * Resolve base URL from env vars
- */
-function resolveBaseUrl(options = {}) {
-  const { envVars = {}, defaultUrl = "" } = options;
-  // Try each known base URL var
-  for (const varName of BASE_URL_VARS) {
-    if (envVars[varName]) {
-      return normalizeBaseUrl(envVars[varName]);
-    }
-  }
-  // Try to get from process.env (at runtime)
-  for (const varName of BASE_URL_VARS) {
-    if (process.env[varName]) {
-      return normalizeBaseUrl(process.env[varName]);
-    }
-  }
-  return defaultUrl;
-}
-/**
- * Normalize base URL (remove trailing slash)
- */
-function normalizeBaseUrl(url) {
-  if (!url) return "";
-  return url.replace(/\/+$/, "");
-}
-/**
- * Resolve URL with base
- */
-function resolveUrlWithBase(urlTemplate, baseUrl) {
-  if (!urlTemplate) return urlTemplate;
-  // Already absolute
-  if (urlTemplate.startsWith("http://") || urlTemplate.startsWith("https://")) {
-    return urlTemplate;
-  }
-  // Ensure path starts with /
-  const path = urlTemplate.startsWith("/") ? urlTemplate : `/${urlTemplate}`;
-  if (baseUrl) {
-    return `${normalizeBaseUrl(baseUrl)}${path}`;
-  }
-  return path;
-}
-/**
- * Extract env var references from URL template
- */
-function extractEnvVarsFromUrl(urlTemplate) {
-  const vars = [];
-  if (!urlTemplate) return vars;
-  // Check for env var patterns
-  let match;
-  for (const [name, pattern] of Object.entries(ENV_PATTERNS)) {
-    const regex = new RegExp(pattern.source, "g");
-    while ((match = regex.exec(urlTemplate)) !== null) {
-      vars.push({
-        name: match[1],
-        pattern: name,
-        fullMatch: match[0],
-      });
-    }
-  }
-  return vars;
-}
-/**
- * Substitute env vars in URL template
- */
-function substituteEnvVars(urlTemplate, envVars = {}) {
-  if (!urlTemplate) return urlTemplate;
-  let result = urlTemplate;
-  // Substitute process.env.VAR
-  result = result.replace(/process\.env\.(\w+)/g, (_, name) => {
-    return envVars[name] || process.env[name] || `\${${name}}`;
-  });
-  // Substitute process.env["VAR"]
-  result = result.replace(/process\.env\[['"](\w+)['"]\]/g, (_, name) => {
-    return envVars[name] || process.env[name] || `\${${name}}`;
-  });
-  // Substitute import.meta.env.VAR
-  result = result.replace(/import\.meta\.env\.(\w+)/g, (_, name) => {
-    return envVars[name] || process.env[name] || `\${${name}}`;
-  });
-  // Substitute ${VAR}
-  result = result.replace(/\$\{(\w+)\}/g, (_, name) => {
-    return envVars[name] || process.env[name] || `\${${name}}`;
-  });
-  return result;
-}
-// =============================================================================
-// CLIENT CALL BASE URL RESOLUTION
-// =============================================================================
-/**
- * Resolve base URL for client calls
- */
-function resolveClientCallUrls(clientCalls, options = {}) {
-  const { baseUrl = "", envVars = {} } = options;
-  const resolvedBaseUrl = baseUrl || resolveBaseUrl({ envVars });
-  return clientCalls.map(call => {
-    // Extract env vars from URL
-    const envRefs = extractEnvVarsFromUrl(call.urlTemplate);
-    // Substitute env vars
-    const substituted = substituteEnvVars(call.urlTemplate, envVars);
-    // Resolve with base URL
-    const resolved = resolveUrlWithBase(substituted, resolvedBaseUrl);
-    return {
-      ...call,
-      urlResolved: resolved,
-      envRefs,
-      baseUrlUsed: resolvedBaseUrl || null,
-    };
-  });
-}
-// =============================================================================
-// ENV TEMPLATE GENERATION
-// =============================================================================
-/**
- * Generate .env.template from truthpack
- */
-function generateEnvTemplate(truthpack, options = {}) {
-  const { includeExamples = true, groupByPrefix = true } = options;
-  const env = truthpack?.env || {};
-  const vars = env.vars || [];
-  const declared = new Set(env.declared || []);
-  // Group vars
-  const groups = {
-    next_public: [],
-    vite: [],
-    api: [],
-    auth: [],
-    database: [],
-    stripe: [],
-    other: [],
-  };
-  for (const v of vars) {
-    const name = v.name;
-    if (name.startsWith("NEXT_PUBLIC_")) {
-      groups.next_public.push(v);
-    } else if (name.startsWith("VITE_")) {
-      groups.vite.push(v);
-    } else if (name.includes("API") || name.includes("URL")) {
-      groups.api.push(v);
-    } else if (name.includes("AUTH") || name.includes("SESSION") || name.includes("JWT")) {
-      groups.auth.push(v);
-    } else if (name.includes("DATABASE") || name.includes("DB_") || name.includes("POSTGRES") || name.includes("MYSQL")) {
-      groups.database.push(v);
-    } else if (name.includes("STRIPE")) {
-      groups.stripe.push(v);
-    } else {
-      groups.other.push(v);
-    }
-  }
-  // Generate template
-  const lines = [];
-  lines.push("# Environment Variables Template");
-  lines.push("# Generated by Vibecheck - https://github.com/guardiavault-oss/Vibecheck");
-  lines.push(`# Generated at: ${new Date().toISOString()}`);
-  lines.push("");
-  const groupLabels = {
-    next_public: "# Next.js Public Variables (exposed to browser)",
-    vite: "# Vite Public Variables",
-    api: "# API Configuration",
-    auth: "# Authentication",
-    database: "# Database",
-    stripe: "# Stripe",
-    other: "# Other",
-  };
-  for (const [group, groupVars] of Object.entries(groups)) {
-    if (groupVars.length === 0) continue;
-    if (groupByPrefix) {
-      lines.push(groupLabels[group] || `# ${group}`);
-    }
-    for (const v of groupVars) {
-      const isSensitive = SENSITIVE_PATTERNS.some(p => p.test(v.name));
-      const example = includeExamples ? getExampleValue(v.name, isSensitive) : "";
-      const required = v.required || v.usageCount > 1 ? " # required" : "";
-      lines.push(`${v.name}=${example}${required}`);
-    }
-    lines.push("");
-  }
-  return lines.join("\n");
-}
-/**
- * Get example value for env var
- */
-function getExampleValue(name, isSensitive = false) {
-  if (isSensitive) {
-    return "your-secret-here";
-  }
-  // Common patterns
-  if (name.includes("URL") || name.includes("HOST")) {
-    if (name.includes("API")) return "http://localhost:3001";
-    if (name.includes("DATABASE") || name.includes("DB")) return "postgresql://user:pass@localhost:5432/db";
-    return "http://localhost:3000";
-  }
-  if (name.includes("PORT")) return "3000";
-  if (name.includes("NODE_ENV")) return "development";
-  if (name.includes("DEBUG")) return "false";
-  if (name.includes("LOG_LEVEL")) return "info";
-  return "";
-}
-/**
- * Write .env.template to disk
- */
-function writeEnvTemplate(repoRoot, template) {
-  const templatePath = path.join(repoRoot, ".env.template");
-  fs.writeFileSync(templatePath, template);
-  return templatePath;
-}
-/**
- * Compare .env.template with current usage
- */
-function compareEnvTemplate(repoRoot, truthpack) {
-  const templatePath = path.join(repoRoot, ".env.template");
-  const examplePath = path.join(repoRoot, ".env.example");
-  // Try both common names
-  let existingPath = null;
-  if (fs.existsSync(templatePath)) {
-    existingPath = templatePath;
-  } else if (fs.existsSync(examplePath)) {
-    existingPath = examplePath;
-  }
-  if (!existingPath) {
-    return { exists: false, missing: [], extra: [] };
-  }
-  const existingContent = fs.readFileSync(existingPath, "utf8");
-  const existingVars = new Set();
-  // Parse existing template
-  for (const line of existingContent.split("\n")) {
-    const match = line.match(/^([A-Z][A-Z0-9_]*)=/);
-    if (match) {
-      existingVars.add(match[1]);
-    }
-  }
-  // Compare with truthpack
-  const usedVars = new Set((truthpack?.env?.vars || []).map(v => v.name));
-  const missing = [...usedVars].filter(v => !existingVars.has(v));
-  const extra = [...existingVars].filter(v => !usedVars.has(v));
-  return {
-    exists: true,
-    path: existingPath,
-    missing,
-    extra,
-    upToDate: missing.length === 0,
-  };
-}
-// =============================================================================
-// ENV GAP DETECTION
-// =============================================================================
-/**
- * Find env gaps - required vars not declared
- */
-function findEnvGaps(truthpack) {
-  const env = truthpack?.env || {};
-  const vars = env.vars || [];
-  const declared = new Set(env.declared || []);
-  const gaps = [];
-  for (const v of vars) {
-    const isRequired = v.required || v.usageCount > 1;
-    if (isRequired && !declared.has(v.name)) {
-      gaps.push({
-        name: v.name,
-        usageCount: v.usageCount || 1,
-        files: v.files || [],
-        severity: SENSITIVE_PATTERNS.some(p => p.test(v.name)) ? "BLOCK" : "WARN",
-      });
-    }
-  }
-  return gaps;
-}
-// =============================================================================
-// EXPORTS
-// =============================================================================
-module.exports = {
-  // Patterns
-  ENV_PATTERNS,
-  BASE_URL_VARS,
-  SENSITIVE_PATTERNS,
-  // Base URL
-  resolveBaseUrl,
-  normalizeBaseUrl,
-  resolveUrlWithBase,
-  // Env var extraction
-  extractEnvVarsFromUrl,
-  substituteEnvVars,
-  // Client call resolution
-  resolveClientCallUrls,
-  // Template generation
-  generateEnvTemplate,
-  writeEnvTemplate,
-  compareEnvTemplate,
-  // Gap detection
-  findEnvGaps,
-};
+/**
+ * Env Resolver v2
+ *
+ * Resolves environment variables for client calls, handles baseURL,
+ * and generates .env.template from usage.
+ */
+"use strict";
+const fs = require("fs");
+const path = require("path");
+// =============================================================================
+// ENV VAR PATTERNS
+// =============================================================================
+const ENV_PATTERNS = {
+  // Standard Node.js
+  processEnv: /process\.env\.(\w+)/g,
+  processEnvBracket: /process\.env\[['"](\w+)['"]\]/g,
+  // Vite
+  importMetaEnv: /import\.meta\.env\.(\w+)/g,
+  // Template literals
+  templateEnv: /\$\{process\.env\.(\w+)\}/g,
+  // Next.js public
+  nextPublic: /NEXT_PUBLIC_(\w+)/g,
+};
+const BASE_URL_VARS = [
+  "NEXT_PUBLIC_API_URL",
+  "NEXT_PUBLIC_BASE_URL",
+  "NEXT_PUBLIC_APP_URL",
+  "VITE_API_URL",
+  "VITE_BASE_URL",
+  "API_URL",
+  "API_BASE_URL",
+  "BASE_URL",
+  "APP_URL",
+  "BACKEND_URL",
+];
+const SENSITIVE_PATTERNS = [
+  /SECRET/i,
+  /KEY/i,
+  /TOKEN/i,
+  /PASSWORD/i,
+  /PRIVATE/i,
+  /CREDENTIAL/i,
+  /AUTH/i,
+];
+// =============================================================================
+// BASE URL RESOLUTION
+// =============================================================================
+/**
+ * Resolve base URL from env vars
+ */
+function resolveBaseUrl(options = {}) {
+  const { envVars = {}, defaultUrl = "" } = options;
+  // Try each known base URL var
+  for (const varName of BASE_URL_VARS) {
+    if (envVars[varName]) {
+      return normalizeBaseUrl(envVars[varName]);
+    }
+  }
+  // Try to get from process.env (at runtime)
+  for (const varName of BASE_URL_VARS) {
+    if (process.env[varName]) {
+      return normalizeBaseUrl(process.env[varName]);
+    }
+  }
+  return defaultUrl;
+}
+/**
+ * Normalize base URL (remove trailing slash)
+ */
+function normalizeBaseUrl(url) {
+  if (!url) return "";
+  return url.replace(/\/+$/, "");
+}
+/**
+ * Resolve URL with base
+ */
+function resolveUrlWithBase(urlTemplate, baseUrl) {
+  if (!urlTemplate) return urlTemplate;
+  // Already absolute
+  if (urlTemplate.startsWith("http://") || urlTemplate.startsWith("https://")) {
+    return urlTemplate;
+  }
+  // Ensure path starts with /
+  const path = urlTemplate.startsWith("/") ? urlTemplate : `/${urlTemplate}`;
+  if (baseUrl) {
+    return `${normalizeBaseUrl(baseUrl)}${path}`;
+  }
+  return path;
+}
+/**
+ * Extract env var references from URL template
+ */
+function extractEnvVarsFromUrl(urlTemplate) {
+  const vars = [];
+  if (!urlTemplate) return vars;
+  // Check for env var patterns
+  let match;
+  for (const [name, pattern] of Object.entries(ENV_PATTERNS)) {
+    const regex = new RegExp(pattern.source, "g");
+    while ((match = regex.exec(urlTemplate)) !== null) {
+      vars.push({
+        name: match[1],
+        pattern: name,
+        fullMatch: match[0],
+      });
+    }
+  }
+  return vars;
+}
+/**
+ * Substitute env vars in URL template
+ */
+function substituteEnvVars(urlTemplate, envVars = {}) {
+  if (!urlTemplate) return urlTemplate;
+  let result = urlTemplate;
+  // Substitute process.env.VAR
+  result = result.replace(/process\.env\.(\w+)/g, (_, name) => {
+    return envVars[name] || process.env[name] || `\${${name}}`;
+  });
+  // Substitute process.env["VAR"]
+  result = result.replace(/process\.env\[['"](\w+)['"]\]/g, (_, name) => {
+    return envVars[name] || process.env[name] || `\${${name}}`;
+  });
+  // Substitute import.meta.env.VAR
+  result = result.replace(/import\.meta\.env\.(\w+)/g, (_, name) => {
+    return envVars[name] || process.env[name] || `\${${name}}`;
+  });
+  // Substitute ${VAR}
+  result = result.replace(/\$\{(\w+)\}/g, (_, name) => {
+    return envVars[name] || process.env[name] || `\${${name}}`;
+  });
+  return result;
+}
+// =============================================================================
+// CLIENT CALL BASE URL RESOLUTION
+// =============================================================================
+/**
+ * Resolve base URL for client calls
+ */
+function resolveClientCallUrls(clientCalls, options = {}) {
+  const { baseUrl = "", envVars = {} } = options;
+  const resolvedBaseUrl = baseUrl || resolveBaseUrl({ envVars });
+  return clientCalls.map(call => {
+    // Extract env vars from URL
+    const envRefs = extractEnvVarsFromUrl(call.urlTemplate);
+    // Substitute env vars
+    const substituted = substituteEnvVars(call.urlTemplate, envVars);
+    // Resolve with base URL
+    const resolved = resolveUrlWithBase(substituted, resolvedBaseUrl);
+    return {
+      ...call,
+      urlResolved: resolved,
+      envRefs,
+      baseUrlUsed: resolvedBaseUrl || null,
+    };
+  });
+}
+// =============================================================================
+// ENV TEMPLATE GENERATION
+// =============================================================================
+/**
+ * Generate .env.template from truthpack
+ */
+function generateEnvTemplate(truthpack, options = {}) {
+  const { includeExamples = true, groupByPrefix = true } = options;
+  const env = truthpack?.env || {};
+  const vars = env.vars || [];
+  const declared = new Set(env.declared || []);
+  // Group vars
+  const groups = {
+    next_public: [],
+    vite: [],
+    api: [],
+    auth: [],
+    database: [],
+    stripe: [],
+    other: [],
+  };
+  for (const v of vars) {
+    const name = v.name;
+    if (name.startsWith("NEXT_PUBLIC_")) {
+      groups.next_public.push(v);
+    } else if (name.startsWith("VITE_")) {
+      groups.vite.push(v);
+    } else if (name.includes("API") || name.includes("URL")) {
+      groups.api.push(v);
+    } else if (name.includes("AUTH") || name.includes("SESSION") || name.includes("JWT")) {
+      groups.auth.push(v);
+    } else if (name.includes("DATABASE") || name.includes("DB_") || name.includes("POSTGRES") || name.includes("MYSQL")) {
+      groups.database.push(v);
+    } else if (name.includes("STRIPE")) {
+      groups.stripe.push(v);
+    } else {
+      groups.other.push(v);
+    }
+  }
+  // Generate template
+  const lines = [];
+  lines.push("# Environment Variables Template");
+  lines.push("# Generated by Vibecheck - https://github.com/guardiavault-oss/Vibecheck");
+  lines.push(`# Generated at: ${new Date().toISOString()}`);
+  lines.push("");
+  const groupLabels = {
+    next_public: "# Next.js Public Variables (exposed to browser)",
+    vite: "# Vite Public Variables",
+    api: "# API Configuration",
+    auth: "# Authentication",
+    database: "# Database",
+    stripe: "# Stripe",
+    other: "# Other",
+  };
+  for (const [group, groupVars] of Object.entries(groups)) {
+    if (groupVars.length === 0) continue;
+    if (groupByPrefix) {
+      lines.push(groupLabels[group] || `# ${group}`);
+    }
+    for (const v of groupVars) {
+      const isSensitive = SENSITIVE_PATTERNS.some(p => p.test(v.name));
+      const example = includeExamples ? getExampleValue(v.name, isSensitive) : "";
+      const required = v.required || v.usageCount > 1 ? " # required" : "";
+      lines.push(`${v.name}=${example}${required}`);
+    }
+    lines.push("");
+  }
+  return lines.join("\n");
+}
+/**
+ * Get example value for env var
+ */
+function getExampleValue(name, isSensitive = false) {
+  if (isSensitive) {
+    return "your-secret-here";
+  }
+  // Common patterns
+  if (name.includes("URL") || name.includes("HOST")) {
+    if (name.includes("API")) return "http://localhost:3001";
+    if (name.includes("DATABASE") || name.includes("DB")) return "postgresql://user:pass@localhost:5432/db";
+    return "http://localhost:3000";
+  }
+  if (name.includes("PORT")) return "3000";
+  if (name.includes("NODE_ENV")) return "development";
+  if (name.includes("DEBUG")) return "false";
+  if (name.includes("LOG_LEVEL")) return "info";
+  return "";
+}
+/**
+ * Write .env.template to disk
+ */
+function writeEnvTemplate(repoRoot, template) {
+  const templatePath = path.join(repoRoot, ".env.template");
+  fs.writeFileSync(templatePath, template);
+  return templatePath;
+}
+/**
+ * Compare .env.template with current usage
+ */
+function compareEnvTemplate(repoRoot, truthpack) {
+  const templatePath = path.join(repoRoot, ".env.template");
+  const examplePath = path.join(repoRoot, ".env.example");
+  // Try both common names
+  let existingPath = null;
+  if (fs.existsSync(templatePath)) {
+    existingPath = templatePath;
+  } else if (fs.existsSync(examplePath)) {
+    existingPath = examplePath;
+  }
+  if (!existingPath) {
+    return { exists: false, missing: [], extra: [] };
+  }
+  const existingContent = fs.readFileSync(existingPath, "utf8");
+  const existingVars = new Set();
+  // Parse existing template
+  for (const line of existingContent.split("\n")) {
+    const match = line.match(/^([A-Z][A-Z0-9_]*)=/);
+    if (match) {
+      existingVars.add(match[1]);
+    }
+  }
+  // Compare with truthpack
+  const usedVars = new Set((truthpack?.env?.vars || []).map(v => v.name));
+  const missing = [...usedVars].filter(v => !existingVars.has(v));
+  const extra = [...existingVars].filter(v => !usedVars.has(v));
+  return {
+    exists: true,
+    path: existingPath,
+    missing,
+    extra,
+    upToDate: missing.length === 0,
+  };
+}
+// =============================================================================
+// ENV GAP DETECTION
+// =============================================================================
+/**
+ * Find env gaps - required vars not declared
+ */
+function findEnvGaps(truthpack) {
+  const env = truthpack?.env || {};
+  const vars = env.vars || [];
+  const declared = new Set(env.declared || []);
+  const gaps = [];
+  for (const v of vars) {
+    const isRequired = v.required || v.usageCount > 1;
+    if (isRequired && !declared.has(v.name)) {
+      gaps.push({
+        name: v.name,
+        usageCount: v.usageCount || 1,
+        files: v.files || [],
+        severity: SENSITIVE_PATTERNS.some(p => p.test(v.name)) ? "BLOCK" : "WARN",
+      });
+    }
+  }
+  return gaps;
+}
+// =============================================================================
+// EXPORTS
+// =============================================================================
+module.exports = {
+  // Patterns
+  ENV_PATTERNS,
+  BASE_URL_VARS,
+  SENSITIVE_PATTERNS,
+  // Base URL
+  resolveBaseUrl,
+  normalizeBaseUrl,
+  resolveUrlWithBase,
+  // Env var extraction
+  extractEnvVarsFromUrl,
+  substituteEnvVars,
+  // Client call resolution
+  resolveClientCallUrls,
+  // Template generation
+  generateEnvTemplate,
+  writeEnvTemplate,
+  compareEnvTemplate,
+  // Gap detection
+  findEnvGaps,
+};