@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/enterprise-init.js

@@ -1,942 +1,942 @@
-// bin/runners/lib/enterprise-init.js
-// Enterprise-grade initialization: security policies, compliance, CI/CD, team configs
-const fs = require("fs");
-const path = require("path");
-const { detectAll, CI_PROVIDERS, DEPLOY_PLATFORMS } = require("./enterprise-detect");
-
-// ANSI colors
-const c = {
-  reset: "\x1b[0m",
-  bold: "\x1b[1m",
-  dim: "\x1b[2m",
-  red: "\x1b[31m",
-  green: "\x1b[32m",
-  yellow: "\x1b[33m",
-  blue: "\x1b[34m",
-  cyan: "\x1b[36m",
-  magenta: "\x1b[35m",
-};
-
-function ensureDir(p) {
-  fs.mkdirSync(p, { recursive: true });
-}
-
-// ============================================================================
-// INVARIANTS CONFIGURATION
-// ============================================================================
-const INVARIANT_DEFINITIONS = {
-  INV_NO_FAKE_SUCCESS: {
-    id: "INV_NO_FAKE_SUCCESS",
-    severity: "BLOCK",
-    description: "No success UI without confirmed success (awaited network + ok check)",
-    category: "reliability",
-  },
-  INV_NO_ROUTE_INVENTION: {
-    id: "INV_NO_ROUTE_INVENTION",
-    severity: "BLOCK",
-    description: "No route references without matching server route",
-    category: "integrity",
-  },
-  INV_NO_BYPASS_ENTITLEMENTS: {
-    id: "INV_NO_BYPASS_ENTITLEMENTS",
-    severity: "BLOCK",
-    description: "No bypass flags (OWNER_MODE, skipBilling, etc)",
-    category: "billing",
-  },
-  INV_NO_SILENT_CATCH_AUTH: {
-    id: "INV_NO_SILENT_CATCH_AUTH",
-    severity: "BLOCK",
-    description: "No silent catch blocks in auth/billing code paths",
-    category: "security",
-  },
-  INV_NO_HARDCODED_SECRETS: {
-    id: "INV_NO_HARDCODED_SECRETS",
-    severity: "BLOCK",
-    description: "No hardcoded secrets, API keys, or credentials in code",
-    category: "security",
-  },
-  INV_NO_GHOST_AUTH: {
-    id: "INV_NO_GHOST_AUTH",
-    severity: "BLOCK",
-    description: "No sensitive endpoints without auth enforcement",
-    category: "security",
-  },
-  INV_STRIPE_WEBHOOK_VERIFIED: {
-    id: "INV_STRIPE_WEBHOOK_VERIFIED",
-    severity: "BLOCK",
-    description: "All Stripe webhook handlers must verify signature",
-    category: "billing",
-  },
-  INV_STRIPE_IDEMPOTENT: {
-    id: "INV_STRIPE_IDEMPOTENT",
-    severity: "WARN",
-    description: "Stripe webhook handlers should be idempotent",
-    category: "billing",
-  },
-  INV_ENV_VARS_DECLARED: {
-    id: "INV_ENV_VARS_DECLARED",
-    severity: "WARN",
-    description: "All used env vars must be declared in .env.example",
-    category: "operations",
-  },
-};
-
-// ============================================================================
-// COMPLIANCE TEMPLATES
-// ============================================================================
-const COMPLIANCE_TEMPLATES = {
-  soc2: {
-    name: "SOC 2 Type II",
-    description: "Service Organization Control 2 compliance baseline",
-    policies: {
-      accessControl: true,
-      changeManagement: true,
-      riskAssessment: true,
-      incidentResponse: true,
-      vendorManagement: true,
-    },
-    invariants: [
-      "INV_NO_HARDCODED_SECRETS",
-      "INV_NO_GHOST_AUTH",
-      "INV_NO_SILENT_CATCH_AUTH",
-    ],
-  },
-  hipaa: {
-    name: "HIPAA",
-    description: "Health Insurance Portability and Accountability Act baseline",
-    policies: {
-      phi_protection: true,
-      accessControl: true,
-      auditLogging: true,
-      encryption: true,
-    },
-    invariants: [
-      "INV_NO_HARDCODED_SECRETS",
-      "INV_NO_GHOST_AUTH",
-    ],
-  },
-  gdpr: {
-    name: "GDPR",
-    description: "General Data Protection Regulation baseline",
-    policies: {
-      dataMinimization: true,
-      consentManagement: true,
-      rightToErasure: true,
-      dataPortability: true,
-    },
-    invariants: [
-      "INV_NO_HARDCODED_SECRETS",
-    ],
-  },
-  pci: {
-    name: "PCI-DSS",
-    description: "Payment Card Industry Data Security Standard baseline",
-    policies: {
-      cardDataProtection: true,
-      accessControl: true,
-      encryption: true,
-      monitoring: true,
-    },
-    invariants: [
-      "INV_NO_HARDCODED_SECRETS",
-      "INV_STRIPE_WEBHOOK_VERIFIED",
-      "INV_NO_BYPASS_ENTITLEMENTS",
-    ],
-  },
-};
-
-// ============================================================================
-// SECURITY POLICY TEMPLATES
-// ============================================================================
-function generateSecurityPolicy(detection) {
-  const hasPayments = Object.keys(detection.payments).length > 0;
-  const hasAuth = Object.keys(detection.auth).length > 0;
-  
-  return {
-    version: "1.0.0",
-    headers: {
-      strictTransportSecurity: "max-age=31536000; includeSubDomains",
-      contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
-      xFrameOptions: "DENY",
-      xContentTypeOptions: "nosniff",
-      referrerPolicy: "strict-origin-when-cross-origin",
-      permissionsPolicy: "camera=(), microphone=(), geolocation=()",
-    },
-    cors: {
-      allowedOrigins: ["${ALLOWED_ORIGINS}"],
-      allowedMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-      allowCredentials: true,
-      maxAge: 86400,
-    },
-    rateLimit: {
-      enabled: true,
-      windowMs: 60000,
-      max: 100,
-      message: "Too many requests, please try again later",
-    },
-    secrets: {
-      scanEnabled: true,
-      blockOnDetection: true,
-      patterns: [
-        "sk_live_",
-        "pk_live_",
-        "AKIA",
-        "ghp_",
-        "gho_",
-        "eyJ",
-      ],
-    },
-    auth: hasAuth ? {
-      sessionTimeout: 3600,
-      mfaRecommended: true,
-      passwordMinLength: 12,
-    } : null,
-    payments: hasPayments ? {
-      webhookVerification: true,
-      idempotencyRequired: true,
-      testModeBlockProduction: true,
-    } : null,
-  };
-}
-
-// ============================================================================
-// CI/CD TEMPLATES
-// ============================================================================
-function generateGitHubActionsWorkflow(detection, options = {}) {
-  const pm = detection.packageManager;
-  const installCmd = pm === "pnpm" ? "pnpm install --frozen-lockfile" :
-                     pm === "yarn" ? "yarn install --frozen-lockfile" :
-                     pm === "bun" ? "bun install --frozen-lockfile" : "npm ci";
-  
-  const runPrefix = pm === "pnpm" ? "pnpm" : pm === "yarn" ? "yarn" : pm === "bun" ? "bun" : "npx";
-
-  return `name: vibecheck
-
-on:
-  push:
-    branches: [main, master]
-  pull_request:
-    branches: [main, master]
-
-permissions:
-  contents: read
-  pull-requests: write
-  security-events: write
-
-env:
-  CI: true
-  NODE_ENV: test
-
-jobs:
-  vibecheck:
-    name: Ship Decision
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: '${pm}'
-
-      - name: Install dependencies
-        run: ${installCmd}
-
-      - name: Generate Truth Pack
-        run: ${runPrefix} vibecheck ctx
-        continue-on-error: true
-
-      - name: Ship Decision
-        id: ship
-        run: |
-          set +e
-          mkdir -p .vibecheck
-          ${runPrefix} vibecheck pr --out .vibecheck/pr_comment.md ${options.failOnWarn ? "--fail-on-warn" : ""}
-          code=$?
-          echo "exit_code=$code" >> $GITHUB_OUTPUT
-          exit 0
-
-      - name: Upload Artifacts
-        uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: vibecheck-report
-          path: .vibecheck/
-          retention-days: 30
-
-      - name: Comment on PR
-        if: github.event_name == 'pull_request'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const commentPath = '.vibecheck/pr_comment.md';
-            if (!fs.existsSync(commentPath)) {
-              console.log('No comment file found');
-              return;
-            }
-            const body = fs.readFileSync(commentPath, 'utf8');
-            
-            // Find existing vibecheck comment
-            const { data: comments } = await github.rest.issues.listComments({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-            });
-            
-            const existingComment = comments.find(c => 
-              c.user.type === 'Bot' && c.body.includes('vibecheck')
-            );
-            
-            if (existingComment) {
-              await github.rest.issues.updateComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: existingComment.id,
-                body
-              });
-            } else {
-              await github.rest.issues.createComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                body
-              });
-            }
-
-      - name: Enforce Verdict
-        run: |
-          code="\${{ steps.ship.outputs.exit_code }}"
-          echo "vibecheck exit code: $code"
-          if [ "$code" = "2" ]; then
-            echo "::error::BLOCK verdict - deployment blocked"
-            exit 1
-          fi
-          ${options.failOnWarn ? 'if [ "$code" = "1" ]; then echo "::error::WARN verdict (policy: fail-on-warn)"; exit 1; fi' : ''}
-          echo "✅ Ship decision passed"
-`;
-}
-
-function generateGitLabCI(detection, options = {}) {
-  const pm = detection.packageManager;
-  const installCmd = pm === "pnpm" ? "pnpm install --frozen-lockfile" :
-                     pm === "yarn" ? "yarn install --frozen-lockfile" : "npm ci";
-  
-  return `stages:
-  - test
-  - deploy
-
-variables:
-  CI: "true"
-  NODE_ENV: test
-
-vibecheck:
-  stage: test
-  image: node:20
-  cache:
-    key: \${CI_COMMIT_REF_SLUG}
-    paths:
-      - node_modules/
-      - .pnpm-store/
-  before_script:
-    - ${pm === "pnpm" ? "corepack enable && " : ""}${installCmd}
-  script:
-    - npx vibecheck ctx
-    - npx vibecheck ship ${options.failOnWarn ? "--fail-on-warn" : ""}
-  artifacts:
-    when: always
-    paths:
-      - .vibecheck/
-    expire_in: 30 days
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-`;
-}
-
-// ============================================================================
-// TEAM CONFIG TEMPLATES
-// ============================================================================
-function generateTeamConfig(detection, options = {}) {
-  const environments = options.environments || ["development", "staging", "production"];
-  
-  return {
-    version: "1.0.0",
-    team: {
-      name: options.teamName || detection.pkg?.name || "unnamed",
-      environments,
-    },
-    policies: {
-      development: {
-        verdict: { warnAsPass: true, blockAsBlock: true },
-        autoFix: { enabled: true, requireApproval: false },
-      },
-      staging: {
-        verdict: { warnAsPass: true, blockAsBlock: true },
-        autoFix: { enabled: true, requireApproval: true },
-      },
-      production: {
-        verdict: { warnAsPass: false, blockAsBlock: true },
-        autoFix: { enabled: false, requireApproval: true },
-        additionalInvariants: ["INV_NO_BYPASS_ENTITLEMENTS"],
-      },
-    },
-    notifications: {
-      slack: { webhook: "${SLACK_WEBHOOK_URL}", enabled: false },
-      email: { recipients: [], enabled: false },
-    },
-    reporting: {
-      frequency: "weekly",
-      recipients: [],
-      includeMetrics: true,
-    },
-  };
-}
-
-// ============================================================================
-// MCP SERVER CONFIG
-// ============================================================================
-function generateMCPConfig(detection) {
-  return {
-    name: "vibecheck",
-    version: "1.0.0",
-    description: "Vibecheck MCP server for AI agent integration",
-    capabilities: {
-      tools: true,
-      resources: true,
-      prompts: true,
-    },
-    tools: [
-      "validate_claim",
-      "get_truthpack",
-      "get_route_map",
-      "verify_auth",
-      "check_invariant",
-    ],
-    security: {
-      requireAuth: false,
-      allowedOrigins: ["*"],
-    },
-  };
-}
-
-// ============================================================================
-// INVARIANTS FILE
-// ============================================================================
-function generateInvariantsYml(invariants) {
-  const lines = ["# vibecheck invariants - ship killers and warnings", ""];
-  
-  const blocks = invariants.filter(id => INVARIANT_DEFINITIONS[id]?.severity === "BLOCK");
-  const warns = invariants.filter(id => INVARIANT_DEFINITIONS[id]?.severity === "WARN");
-  
-  if (blocks.length) {
-    lines.push("ship_killers:");
-    for (const id of blocks) {
-      const def = INVARIANT_DEFINITIONS[id];
-      lines.push(`  - id: ${id}`);
-      lines.push(`    description: "${def?.description || id}"`);
-      lines.push(`    category: ${def?.category || "general"}`);
-      lines.push("");
-    }
-  }
-  
-  if (warns.length) {
-    lines.push("warnings:");
-    for (const id of warns) {
-      const def = INVARIANT_DEFINITIONS[id];
-      lines.push(`  - id: ${id}`);
-      lines.push(`    description: "${def?.description || id}"`);
-      lines.push(`    category: ${def?.category || "general"}`);
-      lines.push("");
-    }
-  }
-  
-  return lines.join("\n");
-}
-
-// ============================================================================
-// MAIN CONFIG FILE
-// ============================================================================
-function generateVibecheckConfig(detection, options = {}) {
-  const primaryFramework = Object.keys(detection.frameworks)[0] || "node";
-  const primaryDb = Object.keys(detection.databases)[0];
-  const primaryAuth = Object.keys(detection.auth)[0];
-  const primaryPayment = Object.keys(detection.payments)[0];
-  
-  return {
-    $schema: "https://vibecheck.dev/schemas/config.json",
-    version: "2.0.0",
-    project: {
-      name: detection.pkg?.name || "unnamed",
-      framework: primaryFramework,
-      packageManager: detection.packageManager,
-    },
-    detection: {
-      frameworks: Object.keys(detection.frameworks),
-      databases: Object.keys(detection.databases),
-      auth: Object.keys(detection.auth),
-      payments: Object.keys(detection.payments),
-      ci: Object.keys(detection.ci),
-      deploy: Object.keys(detection.deploy),
-      testing: Object.keys(detection.testing),
-    },
-    checks: detection.checks,
-    invariants: detection.invariants,
-    policy: {
-      strict: options.strict || false,
-      failOnWarn: options.failOnWarn || false,
-      allowlist: {
-        domains: [],
-        packages: [],
-      },
-      ignore: {
-        paths: [
-          "node_modules",
-          "__tests__",
-          "*.test.*",
-          "*.spec.*",
-          "**/*.d.ts",
-          "**/fixtures/**",
-          "**/mocks/**",
-        ],
-      },
-    },
-    output: {
-      dir: ".vibecheck",
-      reports: ["json", "html"],
-      badges: true,
-    },
-    integrations: {
-      mcp: { enabled: true },
-      ci: Object.keys(detection.ci).length > 0 ? Object.keys(detection.ci)[0] : null,
-    },
-  };
-}
-
-// ============================================================================
-// ENTERPRISE INIT ORCHESTRATOR
-// ============================================================================
-class EnterpriseInit {
-  constructor(projectPath, options = {}) {
-    this.projectPath = projectPath;
-    this.options = options;
-    this.detection = null;
-    this.created = [];
-    this.updated = [];
-    this.skipped = [];
-  }
-
-  async run() {
-    this.printHeader();
-    
-    // Step 1: Detect everything
-    await this.detectProject();
-    
-    if (this.detection.error) {
-      console.log(`\n${c.red}✗ ${this.detection.error}${c.reset}\n`);
-      return 1;
-    }
-    
-    // Step 2: Print detection results
-    this.printDetectionResults();
-    
-    // Step 3: Generate configurations
-    await this.generateConfigs();
-    
-    // Step 4: Setup CI/CD if requested
-    if (this.options.ci) {
-      await this.setupCI();
-    }
-    
-    // Step 5: Setup compliance if requested
-    if (this.options.compliance) {
-      await this.setupCompliance();
-    }
-    
-    // Step 6: Print summary
-    this.printSummary();
-    
-    return 0;
-  }
-
-  printHeader() {
-    console.log("");
-    console.log(`${c.cyan}╔══════════════════════════════════════════════════════════════════════════╗${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}   ${c.bold}🛡️  VIBECHECK ENTERPRISE INIT${c.reset}                                        ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}   ${c.dim}Production-grade project configuration${c.reset}                               ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}╚══════════════════════════════════════════════════════════════════════════╝${c.reset}`);
-    console.log("");
-  }
-
-  async detectProject() {
-    process.stdout.write(`${c.dim}Analyzing project...${c.reset}`);
-    this.detection = detectAll(this.projectPath);
-    process.stdout.write(`\r${c.green}✓${c.reset} Project analyzed                    \n`);
-  }
-
-  printDetectionResults() {
-    const d = this.detection;
-    
-    console.log("");
-    console.log(`${c.cyan}┌─ Detection Results ──────────────────────────────────────────────────────┐${c.reset}`);
-    
-    // Project info
-    console.log(`${c.cyan}│${c.reset}`);
-    console.log(`${c.cyan}│${c.reset}  ${c.bold}Project:${c.reset} ${d.pkg?.name || "unnamed"} ${c.dim}v${d.pkg?.version || "0.0.0"}${c.reset}`);
-    console.log(`${c.cyan}│${c.reset}  ${c.bold}Package Manager:${c.reset} ${d.packageManager}`);
-    if (d.monorepo.isMonorepo) {
-      console.log(`${c.cyan}│${c.reset}  ${c.bold}Monorepo:${c.reset} ${c.green}Yes${c.reset}`);
-    }
-    
-    // Frameworks
-    const frameworks = Object.values(d.frameworks);
-    if (frameworks.length) {
-      console.log(`${c.cyan}│${c.reset}`);
-      console.log(`${c.cyan}│${c.reset}  ${c.bold}Frameworks:${c.reset}`);
-      for (const fw of frameworks) {
-        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${fw.icon} ${fw.name}`);
-      }
-    }
-    
-    // Databases
-    const databases = Object.values(d.databases);
-    if (databases.length) {
-      console.log(`${c.cyan}│${c.reset}`);
-      console.log(`${c.cyan}│${c.reset}  ${c.bold}Databases:${c.reset}`);
-      for (const db of databases) {
-        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${db.icon} ${db.name}`);
-      }
-    }
-    
-    // Auth
-    const auth = Object.values(d.auth);
-    if (auth.length) {
-      console.log(`${c.cyan}│${c.reset}`);
-      console.log(`${c.cyan}│${c.reset}  ${c.bold}Authentication:${c.reset}`);
-      for (const a of auth) {
-        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${a.icon} ${a.name}`);
-      }
-    }
-    
-    // Payments
-    const payments = Object.values(d.payments);
-    if (payments.length) {
-      console.log(`${c.cyan}│${c.reset}`);
-      console.log(`${c.cyan}│${c.reset}  ${c.bold}Payments:${c.reset}`);
-      for (const p of payments) {
-        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${p.icon} ${p.name}`);
-      }
-    }
-    
-    // CI/CD
-    const ci = Object.values(d.ci);
-    if (ci.length) {
-      console.log(`${c.cyan}│${c.reset}`);
-      console.log(`${c.cyan}│${c.reset}  ${c.bold}CI/CD:${c.reset}`);
-      for (const c2 of ci) {
-        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${c2.icon} ${c2.name}`);
-      }
-    }
-    
-    // Deploy
-    const deploy = Object.values(d.deploy);
-    if (deploy.length) {
-      console.log(`${c.cyan}│${c.reset}`);
-      console.log(`${c.cyan}│${c.reset}  ${c.bold}Deployment:${c.reset}`);
-      for (const dp of deploy) {
-        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${dp.icon} ${dp.name}`);
-      }
-    }
-    
-    // Testing
-    const testing = Object.values(d.testing);
-    if (testing.length) {
-      console.log(`${c.cyan}│${c.reset}`);
-      console.log(`${c.cyan}│${c.reset}  ${c.bold}Testing:${c.reset}`);
-      for (const t of testing) {
-        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${t.icon} ${t.name}`);
-      }
-    }
-    
-    // Invariants
-    console.log(`${c.cyan}│${c.reset}`);
-    console.log(`${c.cyan}│${c.reset}  ${c.bold}Ship Killers:${c.reset} ${c.magenta}${d.invariants.length} invariants${c.reset}`);
-    
-    console.log(`${c.cyan}│${c.reset}`);
-    console.log(`${c.cyan}└───────────────────────────────────────────────────────────────────────────┘${c.reset}`);
-    console.log("");
-  }
-
-  async generateConfigs() {
-    console.log(`${c.cyan}┌─ Generating Configuration ───────────────────────────────────────────────┐${c.reset}`);
-    console.log(`${c.cyan}│${c.reset}`);
-    
-    const tasks = [
-      { name: ".vibecheck/config.json", fn: () => this.writeConfig() },
-      { name: ".vibecheck/invariants.yml", fn: () => this.writeInvariants() },
-      { name: ".vibecheck/security-policy.json", fn: () => this.writeSecurityPolicy() },
-      { name: ".vibecheck/schemas/", fn: () => this.writeSchemas() },
-      { name: ".gitignore update", fn: () => this.updateGitignore() },
-    ];
-    
-    if (this.options.team) {
-      tasks.push({ name: ".vibecheck/team.json", fn: () => this.writeTeamConfig() });
-    }
-    
-    if (this.options.mcp) {
-      tasks.push({ name: ".vibecheck/mcp.json", fn: () => this.writeMCPConfig() });
-    }
-    
-    for (const task of tasks) {
-      process.stdout.write(`${c.cyan}│${c.reset}  ○ ${task.name}...`);
-      try {
-        const result = await task.fn();
-        const status = result === "created" ? `${c.green}created${c.reset}` :
-                       result === "updated" ? `${c.yellow}updated${c.reset}` :
-                       `${c.dim}skipped${c.reset}`;
-        process.stdout.write(`\r${c.cyan}│${c.reset}  ${c.green}✓${c.reset} ${task.name} ${status}\n`);
-        
-        if (result === "created") this.created.push(task.name);
-        else if (result === "updated") this.updated.push(task.name);
-        else this.skipped.push(task.name);
-      } catch (err) {
-        process.stdout.write(`\r${c.cyan}│${c.reset}  ${c.red}✗${c.reset} ${task.name} ${c.red}${err.message}${c.reset}\n`);
-      }
-    }
-    
-    console.log(`${c.cyan}│${c.reset}`);
-    console.log(`${c.cyan}└───────────────────────────────────────────────────────────────────────────┘${c.reset}`);
-    console.log("");
-  }
-
-  writeConfig() {
-    const configDir = path.join(this.projectPath, ".vibecheck");
-    ensureDir(configDir);
-    
-    const configPath = path.join(configDir, "config.json");
-    const config = generateVibecheckConfig(this.detection, this.options);
-    
-    const exists = fs.existsSync(configPath);
-    fs.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf8");
-    return exists ? "updated" : "created";
-  }
-
-  writeInvariants() {
-    const configDir = path.join(this.projectPath, ".vibecheck");
-    ensureDir(configDir);
-    
-    const invPath = path.join(configDir, "invariants.yml");
-    const content = generateInvariantsYml(this.detection.invariants);
-    
-    const exists = fs.existsSync(invPath);
-    fs.writeFileSync(invPath, content, "utf8");
-    return exists ? "updated" : "created";
-  }
-
-  writeSecurityPolicy() {
-    const configDir = path.join(this.projectPath, ".vibecheck");
-    ensureDir(configDir);
-    
-    const policyPath = path.join(configDir, "security-policy.json");
-    const policy = generateSecurityPolicy(this.detection);
-    
-    const exists = fs.existsSync(policyPath);
-    fs.writeFileSync(policyPath, JSON.stringify(policy, null, 2), "utf8");
-    return exists ? "updated" : "created";
-  }
-
-  writeSchemas() {
-    const schemasDir = path.join(this.projectPath, ".vibecheck", "schemas");
-    ensureDir(schemasDir);
-    
-    const schemas = {
-      "config.schema.json": {
-        "$schema": "https://json-schema.org/draft/2020-12/schema",
-        "$id": "https://vibecheck.dev/schemas/config.json",
-        "title": "Vibecheck Configuration",
-        "type": "object",
-      },
-      "truthpack.schema.json": {
-        "$schema": "https://json-schema.org/draft/2020-12/schema",
-        "$id": "https://vibecheck.dev/schemas/truthpack.json",
-        "title": "Vibecheck Truthpack",
-        "type": "object",
-      },
-    };
-    
-    for (const [name, schema] of Object.entries(schemas)) {
-      fs.writeFileSync(path.join(schemasDir, name), JSON.stringify(schema, null, 2), "utf8");
-    }
-    
-    return "created";
-  }
-
-  writeTeamConfig() {
-    const configDir = path.join(this.projectPath, ".vibecheck");
-    ensureDir(configDir);
-    
-    const teamPath = path.join(configDir, "team.json");
-    const config = generateTeamConfig(this.detection, this.options);
-    
-    const exists = fs.existsSync(teamPath);
-    fs.writeFileSync(teamPath, JSON.stringify(config, null, 2), "utf8");
-    return exists ? "updated" : "created";
-  }
-
-  writeMCPConfig() {
-    const configDir = path.join(this.projectPath, ".vibecheck");
-    ensureDir(configDir);
-    
-    const mcpPath = path.join(configDir, "mcp.json");
-    const config = generateMCPConfig(this.detection);
-    
-    const exists = fs.existsSync(mcpPath);
-    fs.writeFileSync(mcpPath, JSON.stringify(config, null, 2), "utf8");
-    return exists ? "updated" : "created";
-  }
-
-  updateGitignore() {
-    const gitignorePath = path.join(this.projectPath, ".gitignore");
-    const entries = [
-      "",
-      "# vibecheck",
-      ".vibecheck/truth/",
-      ".vibecheck/reality/",
-      ".vibecheck/missions/",
-      ".vibecheck/prove/",
-      ".vibecheck/cache/",
-      "",
-    ].join("\n");
-    
-    if (fs.existsSync(gitignorePath)) {
-      const content = fs.readFileSync(gitignorePath, "utf8");
-      if (content.includes(".vibecheck/")) {
-        return "skipped";
-      }
-      fs.appendFileSync(gitignorePath, entries);
-      return "updated";
-    } else {
-      fs.writeFileSync(gitignorePath, entries.trim() + "\n");
-      return "created";
-    }
-  }
-
-  async setupCI() {
-    console.log(`${c.cyan}┌─ CI/CD Integration ──────────────────────────────────────────────────────┐${c.reset}`);
-    console.log(`${c.cyan}│${c.reset}`);
-    
-    const ciType = this.options.ci === true ? "github" : this.options.ci;
-    
-    if (ciType === "github" || ciType === "github-actions") {
-      const wfDir = path.join(this.projectPath, ".github", "workflows");
-      ensureDir(wfDir);
-      
-      const wfPath = path.join(wfDir, "vibecheck.yml");
-      const workflow = generateGitHubActionsWorkflow(this.detection, this.options);
-      
-      fs.writeFileSync(wfPath, workflow, "utf8");
-      console.log(`${c.cyan}│${c.reset}  ${c.green}✓${c.reset} Created .github/workflows/vibecheck.yml`);
-      this.created.push(".github/workflows/vibecheck.yml");
-    } else if (ciType === "gitlab") {
-      const ciPath = path.join(this.projectPath, ".gitlab-ci.vibecheck.yml");
-      const config = generateGitLabCI(this.detection, this.options);
-      
-      fs.writeFileSync(ciPath, config, "utf8");
-      console.log(`${c.cyan}│${c.reset}  ${c.green}✓${c.reset} Created .gitlab-ci.vibecheck.yml`);
-      console.log(`${c.cyan}│${c.reset}  ${c.dim}Include this in your main .gitlab-ci.yml${c.reset}`);
-      this.created.push(".gitlab-ci.vibecheck.yml");
-    }
-    
-    console.log(`${c.cyan}│${c.reset}`);
-    console.log(`${c.cyan}└───────────────────────────────────────────────────────────────────────────┘${c.reset}`);
-    console.log("");
-  }
-
-  async setupCompliance() {
-    console.log(`${c.cyan}┌─ Compliance Templates ───────────────────────────────────────────────────┐${c.reset}`);
-    console.log(`${c.cyan}│${c.reset}`);
-    
-    const complianceDir = path.join(this.projectPath, ".vibecheck", "compliance");
-    ensureDir(complianceDir);
-    
-    const templates = typeof this.options.compliance === "string" 
-      ? [this.options.compliance]
-      : Object.keys(COMPLIANCE_TEMPLATES);
-    
-    for (const key of templates) {
-      const template = COMPLIANCE_TEMPLATES[key];
-      if (!template) continue;
-      
-      const filePath = path.join(complianceDir, `${key}.json`);
-      fs.writeFileSync(filePath, JSON.stringify({
-        name: template.name,
-        description: template.description,
-        policies: template.policies,
-        invariants: template.invariants,
-        status: "not_started",
-        lastAudit: null,
-      }, null, 2), "utf8");
-      
-      console.log(`${c.cyan}│${c.reset}  ${c.green}✓${c.reset} Created compliance/${key}.json (${template.name})`);
-      this.created.push(`compliance/${key}.json`);
-    }
-    
-    console.log(`${c.cyan}│${c.reset}`);
-    console.log(`${c.cyan}└───────────────────────────────────────────────────────────────────────────┘${c.reset}`);
-    console.log("");
-  }
-
-  printSummary() {
-    console.log(`${c.green}${c.bold}✓ Enterprise init complete${c.reset}`);
-    console.log("");
-    
-    if (this.created.length) {
-      console.log(`${c.green}Created:${c.reset} ${this.created.length} files`);
-    }
-    if (this.updated.length) {
-      console.log(`${c.yellow}Updated:${c.reset} ${this.updated.length} files`);
-    }
-    
-    console.log("");
-    console.log(`${c.cyan}╔══════════════════════════════════════════════════════════════════════════╗${c.reset}`);
-    console.log(`${c.cyan}║${c.reset} ${c.bold}Next Steps${c.reset}                                                               ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}╠══════════════════════════════════════════════════════════════════════════╣${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}  ${c.bold}1.${c.reset} Generate truth pack:                                                  ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}     ${c.cyan}vibecheck ctx${c.reset}                                                         ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}  ${c.bold}2.${c.reset} Run ship decision:                                                    ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}     ${c.cyan}vibecheck ship${c.reset}                                                        ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}  ${c.bold}3.${c.reset} Start MCP server for AI agents:                                       ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}     ${c.cyan}vibecheck mcp${c.reset}                                                         ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
-    console.log(`${c.cyan}╚══════════════════════════════════════════════════════════════════════════╝${c.reset}`);
-    console.log("");
-    console.log(`${c.dim}Tip: Run ${c.cyan}vibecheck prove --url http://localhost:3000${c.dim} for full reality verification${c.reset}`);
-    console.log("");
-  }
-}
-
-// ============================================================================
-// EXPORTS
-// ============================================================================
-module.exports = {
-  EnterpriseInit,
-  generateGitHubActionsWorkflow,
-  generateGitLabCI,
-  generateSecurityPolicy,
-  generateTeamConfig,
-  generateVibecheckConfig,
-  generateInvariantsYml,
-  INVARIANT_DEFINITIONS,
-  COMPLIANCE_TEMPLATES,
-};
+// bin/runners/lib/enterprise-init.js
+// Enterprise-grade initialization: security policies, compliance, CI/CD, team configs
+const fs = require("fs");
+const path = require("path");
+const { detectAll, CI_PROVIDERS, DEPLOY_PLATFORMS } = require("./enterprise-detect");
+
+// ANSI colors
+const c = {
+  reset: "\x1b[0m",
+  bold: "\x1b[1m",
+  dim: "\x1b[2m",
+  red: "\x1b[31m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  blue: "\x1b[34m",
+  cyan: "\x1b[36m",
+  magenta: "\x1b[35m",
+};
+
+function ensureDir(p) {
+  fs.mkdirSync(p, { recursive: true });
+}
+
+// ============================================================================
+// INVARIANTS CONFIGURATION
+// ============================================================================
+const INVARIANT_DEFINITIONS = {
+  INV_NO_FAKE_SUCCESS: {
+    id: "INV_NO_FAKE_SUCCESS",
+    severity: "BLOCK",
+    description: "No success UI without confirmed success (awaited network + ok check)",
+    category: "reliability",
+  },
+  INV_NO_ROUTE_INVENTION: {
+    id: "INV_NO_ROUTE_INVENTION",
+    severity: "BLOCK",
+    description: "No route references without matching server route",
+    category: "integrity",
+  },
+  INV_NO_BYPASS_ENTITLEMENTS: {
+    id: "INV_NO_BYPASS_ENTITLEMENTS",
+    severity: "BLOCK",
+    description: "No bypass flags (OWNER_MODE, skipBilling, etc)",
+    category: "billing",
+  },
+  INV_NO_SILENT_CATCH_AUTH: {
+    id: "INV_NO_SILENT_CATCH_AUTH",
+    severity: "BLOCK",
+    description: "No silent catch blocks in auth/billing code paths",
+    category: "security",
+  },
+  INV_NO_HARDCODED_SECRETS: {
+    id: "INV_NO_HARDCODED_SECRETS",
+    severity: "BLOCK",
+    description: "No hardcoded secrets, API keys, or credentials in code",
+    category: "security",
+  },
+  INV_NO_GHOST_AUTH: {
+    id: "INV_NO_GHOST_AUTH",
+    severity: "BLOCK",
+    description: "No sensitive endpoints without auth enforcement",
+    category: "security",
+  },
+  INV_STRIPE_WEBHOOK_VERIFIED: {
+    id: "INV_STRIPE_WEBHOOK_VERIFIED",
+    severity: "BLOCK",
+    description: "All Stripe webhook handlers must verify signature",
+    category: "billing",
+  },
+  INV_STRIPE_IDEMPOTENT: {
+    id: "INV_STRIPE_IDEMPOTENT",
+    severity: "WARN",
+    description: "Stripe webhook handlers should be idempotent",
+    category: "billing",
+  },
+  INV_ENV_VARS_DECLARED: {
+    id: "INV_ENV_VARS_DECLARED",
+    severity: "WARN",
+    description: "All used env vars must be declared in .env.example",
+    category: "operations",
+  },
+};
+
+// ============================================================================
+// COMPLIANCE TEMPLATES
+// ============================================================================
+const COMPLIANCE_TEMPLATES = {
+  soc2: {
+    name: "SOC 2 Type II",
+    description: "Service Organization Control 2 compliance baseline",
+    policies: {
+      accessControl: true,
+      changeManagement: true,
+      riskAssessment: true,
+      incidentResponse: true,
+      vendorManagement: true,
+    },
+    invariants: [
+      "INV_NO_HARDCODED_SECRETS",
+      "INV_NO_GHOST_AUTH",
+      "INV_NO_SILENT_CATCH_AUTH",
+    ],
+  },
+  hipaa: {
+    name: "HIPAA",
+    description: "Health Insurance Portability and Accountability Act baseline",
+    policies: {
+      phi_protection: true,
+      accessControl: true,
+      auditLogging: true,
+      encryption: true,
+    },
+    invariants: [
+      "INV_NO_HARDCODED_SECRETS",
+      "INV_NO_GHOST_AUTH",
+    ],
+  },
+  gdpr: {
+    name: "GDPR",
+    description: "General Data Protection Regulation baseline",
+    policies: {
+      dataMinimization: true,
+      consentManagement: true,
+      rightToErasure: true,
+      dataPortability: true,
+    },
+    invariants: [
+      "INV_NO_HARDCODED_SECRETS",
+    ],
+  },
+  pci: {
+    name: "PCI-DSS",
+    description: "Payment Card Industry Data Security Standard baseline",
+    policies: {
+      cardDataProtection: true,
+      accessControl: true,
+      encryption: true,
+      monitoring: true,
+    },
+    invariants: [
+      "INV_NO_HARDCODED_SECRETS",
+      "INV_STRIPE_WEBHOOK_VERIFIED",
+      "INV_NO_BYPASS_ENTITLEMENTS",
+    ],
+  },
+};
+
+// ============================================================================
+// SECURITY POLICY TEMPLATES
+// ============================================================================
+function generateSecurityPolicy(detection) {
+  const hasPayments = Object.keys(detection.payments).length > 0;
+  const hasAuth = Object.keys(detection.auth).length > 0;
+  
+  return {
+    version: "1.0.0",
+    headers: {
+      strictTransportSecurity: "max-age=31536000; includeSubDomains",
+      contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
+      xFrameOptions: "DENY",
+      xContentTypeOptions: "nosniff",
+      referrerPolicy: "strict-origin-when-cross-origin",
+      permissionsPolicy: "camera=(), microphone=(), geolocation=()",
+    },
+    cors: {
+      allowedOrigins: ["${ALLOWED_ORIGINS}"],
+      allowedMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+      allowCredentials: true,
+      maxAge: 86400,
+    },
+    rateLimit: {
+      enabled: true,
+      windowMs: 60000,
+      max: 100,
+      message: "Too many requests, please try again later",
+    },
+    secrets: {
+      scanEnabled: true,
+      blockOnDetection: true,
+      patterns: [
+        "sk_live_",
+        "pk_live_",
+        "AKIA",
+        "ghp_",
+        "gho_",
+        "eyJ",
+      ],
+    },
+    auth: hasAuth ? {
+      sessionTimeout: 3600,
+      mfaRecommended: true,
+      passwordMinLength: 12,
+    } : null,
+    payments: hasPayments ? {
+      webhookVerification: true,
+      idempotencyRequired: true,
+      testModeBlockProduction: true,
+    } : null,
+  };
+}
+
+// ============================================================================
+// CI/CD TEMPLATES
+// ============================================================================
+function generateGitHubActionsWorkflow(detection, options = {}) {
+  const pm = detection.packageManager;
+  const installCmd = pm === "pnpm" ? "pnpm install --frozen-lockfile" :
+                     pm === "yarn" ? "yarn install --frozen-lockfile" :
+                     pm === "bun" ? "bun install --frozen-lockfile" : "npm ci";
+  
+  const runPrefix = pm === "pnpm" ? "pnpm" : pm === "yarn" ? "yarn" : pm === "bun" ? "bun" : "npx";
+
+  return `name: vibecheck
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+permissions:
+  contents: read
+  pull-requests: write
+  security-events: write
+
+env:
+  CI: true
+  NODE_ENV: test
+
+jobs:
+  vibecheck:
+    name: Ship Decision
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: '${pm}'
+
+      - name: Install dependencies
+        run: ${installCmd}
+
+      - name: Generate Truth Pack
+        run: ${runPrefix} vibecheck ctx
+        continue-on-error: true
+
+      - name: Ship Decision
+        id: ship
+        run: |
+          set +e
+          mkdir -p .vibecheck
+          ${runPrefix} vibecheck pr --out .vibecheck/pr_comment.md ${options.failOnWarn ? "--fail-on-warn" : ""}
+          code=$?
+          echo "exit_code=$code" >> $GITHUB_OUTPUT
+          exit 0
+
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: vibecheck-report
+          path: .vibecheck/
+          retention-days: 30
+
+      - name: Comment on PR
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const commentPath = '.vibecheck/pr_comment.md';
+            if (!fs.existsSync(commentPath)) {
+              console.log('No comment file found');
+              return;
+            }
+            const body = fs.readFileSync(commentPath, 'utf8');
+            
+            // Find existing vibecheck comment
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            
+            const existingComment = comments.find(c => 
+              c.user.type === 'Bot' && c.body.includes('vibecheck')
+            );
+            
+            if (existingComment) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existingComment.id,
+                body
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body
+              });
+            }
+
+      - name: Enforce Verdict
+        run: |
+          code="\${{ steps.ship.outputs.exit_code }}"
+          echo "vibecheck exit code: $code"
+          if [ "$code" = "2" ]; then
+            echo "::error::BLOCK verdict - deployment blocked"
+            exit 1
+          fi
+          ${options.failOnWarn ? 'if [ "$code" = "1" ]; then echo "::error::WARN verdict (policy: fail-on-warn)"; exit 1; fi' : ''}
+          echo "✅ Ship decision passed"
+`;
+}
+
+function generateGitLabCI(detection, options = {}) {
+  const pm = detection.packageManager;
+  const installCmd = pm === "pnpm" ? "pnpm install --frozen-lockfile" :
+                     pm === "yarn" ? "yarn install --frozen-lockfile" : "npm ci";
+  
+  return `stages:
+  - test
+  - deploy
+
+variables:
+  CI: "true"
+  NODE_ENV: test
+
+vibecheck:
+  stage: test
+  image: node:20
+  cache:
+    key: \${CI_COMMIT_REF_SLUG}
+    paths:
+      - node_modules/
+      - .pnpm-store/
+  before_script:
+    - ${pm === "pnpm" ? "corepack enable && " : ""}${installCmd}
+  script:
+    - npx vibecheck ctx
+    - npx vibecheck ship ${options.failOnWarn ? "--fail-on-warn" : ""}
+  artifacts:
+    when: always
+    paths:
+      - .vibecheck/
+    expire_in: 30 days
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+`;
+}
+
+// ============================================================================
+// TEAM CONFIG TEMPLATES
+// ============================================================================
+function generateTeamConfig(detection, options = {}) {
+  const environments = options.environments || ["development", "staging", "production"];
+  
+  return {
+    version: "1.0.0",
+    team: {
+      name: options.teamName || detection.pkg?.name || "unnamed",
+      environments,
+    },
+    policies: {
+      development: {
+        verdict: { warnAsPass: true, blockAsBlock: true },
+        autoFix: { enabled: true, requireApproval: false },
+      },
+      staging: {
+        verdict: { warnAsPass: true, blockAsBlock: true },
+        autoFix: { enabled: true, requireApproval: true },
+      },
+      production: {
+        verdict: { warnAsPass: false, blockAsBlock: true },
+        autoFix: { enabled: false, requireApproval: true },
+        additionalInvariants: ["INV_NO_BYPASS_ENTITLEMENTS"],
+      },
+    },
+    notifications: {
+      slack: { webhook: "${SLACK_WEBHOOK_URL}", enabled: false },
+      email: { recipients: [], enabled: false },
+    },
+    reporting: {
+      frequency: "weekly",
+      recipients: [],
+      includeMetrics: true,
+    },
+  };
+}
+
+// ============================================================================
+// MCP SERVER CONFIG
+// ============================================================================
+function generateMCPConfig(detection) {
+  return {
+    name: "vibecheck",
+    version: "1.0.0",
+    description: "Vibecheck MCP server for AI agent integration",
+    capabilities: {
+      tools: true,
+      resources: true,
+      prompts: true,
+    },
+    tools: [
+      "validate_claim",
+      "get_truthpack",
+      "get_route_map",
+      "verify_auth",
+      "check_invariant",
+    ],
+    security: {
+      requireAuth: false,
+      allowedOrigins: ["*"],
+    },
+  };
+}
+
+// ============================================================================
+// INVARIANTS FILE
+// ============================================================================
+function generateInvariantsYml(invariants) {
+  const lines = ["# vibecheck invariants - ship killers and warnings", ""];
+  
+  const blocks = invariants.filter(id => INVARIANT_DEFINITIONS[id]?.severity === "BLOCK");
+  const warns = invariants.filter(id => INVARIANT_DEFINITIONS[id]?.severity === "WARN");
+  
+  if (blocks.length) {
+    lines.push("ship_killers:");
+    for (const id of blocks) {
+      const def = INVARIANT_DEFINITIONS[id];
+      lines.push(`  - id: ${id}`);
+      lines.push(`    description: "${def?.description || id}"`);
+      lines.push(`    category: ${def?.category || "general"}`);
+      lines.push("");
+    }
+  }
+  
+  if (warns.length) {
+    lines.push("warnings:");
+    for (const id of warns) {
+      const def = INVARIANT_DEFINITIONS[id];
+      lines.push(`  - id: ${id}`);
+      lines.push(`    description: "${def?.description || id}"`);
+      lines.push(`    category: ${def?.category || "general"}`);
+      lines.push("");
+    }
+  }
+  
+  return lines.join("\n");
+}
+
+// ============================================================================
+// MAIN CONFIG FILE
+// ============================================================================
+function generateVibecheckConfig(detection, options = {}) {
+  const primaryFramework = Object.keys(detection.frameworks)[0] || "node";
+  const primaryDb = Object.keys(detection.databases)[0];
+  const primaryAuth = Object.keys(detection.auth)[0];
+  const primaryPayment = Object.keys(detection.payments)[0];
+  
+  return {
+    $schema: "https://vibecheck.dev/schemas/config.json",
+    version: "2.0.0",
+    project: {
+      name: detection.pkg?.name || "unnamed",
+      framework: primaryFramework,
+      packageManager: detection.packageManager,
+    },
+    detection: {
+      frameworks: Object.keys(detection.frameworks),
+      databases: Object.keys(detection.databases),
+      auth: Object.keys(detection.auth),
+      payments: Object.keys(detection.payments),
+      ci: Object.keys(detection.ci),
+      deploy: Object.keys(detection.deploy),
+      testing: Object.keys(detection.testing),
+    },
+    checks: detection.checks,
+    invariants: detection.invariants,
+    policy: {
+      strict: options.strict || false,
+      failOnWarn: options.failOnWarn || false,
+      allowlist: {
+        domains: [],
+        packages: [],
+      },
+      ignore: {
+        paths: [
+          "node_modules",
+          "__tests__",
+          "*.test.*",
+          "*.spec.*",
+          "**/*.d.ts",
+          "**/fixtures/**",
+          "**/mocks/**",
+        ],
+      },
+    },
+    output: {
+      dir: ".vibecheck",
+      reports: ["json", "html"],
+      badges: true,
+    },
+    integrations: {
+      mcp: { enabled: true },
+      ci: Object.keys(detection.ci).length > 0 ? Object.keys(detection.ci)[0] : null,
+    },
+  };
+}
+
+// ============================================================================
+// ENTERPRISE INIT ORCHESTRATOR
+// ============================================================================
+class EnterpriseInit {
+  constructor(projectPath, options = {}) {
+    this.projectPath = projectPath;
+    this.options = options;
+    this.detection = null;
+    this.created = [];
+    this.updated = [];
+    this.skipped = [];
+  }
+
+  async run() {
+    this.printHeader();
+    
+    // Step 1: Detect everything
+    await this.detectProject();
+    
+    if (this.detection.error) {
+      console.log(`\n${c.red}✗ ${this.detection.error}${c.reset}\n`);
+      return 1;
+    }
+    
+    // Step 2: Print detection results
+    this.printDetectionResults();
+    
+    // Step 3: Generate configurations
+    await this.generateConfigs();
+    
+    // Step 4: Setup CI/CD if requested
+    if (this.options.ci) {
+      await this.setupCI();
+    }
+    
+    // Step 5: Setup compliance if requested
+    if (this.options.compliance) {
+      await this.setupCompliance();
+    }
+    
+    // Step 6: Print summary
+    this.printSummary();
+    
+    return 0;
+  }
+
+  printHeader() {
+    console.log("");
+    console.log(`${c.cyan}╔══════════════════════════════════════════════════════════════════════════╗${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}   ${c.bold}🛡️  VIBECHECK ENTERPRISE INIT${c.reset}                                        ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}   ${c.dim}Production-grade project configuration${c.reset}                               ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}╚══════════════════════════════════════════════════════════════════════════╝${c.reset}`);
+    console.log("");
+  }
+
+  async detectProject() {
+    process.stdout.write(`${c.dim}Analyzing project...${c.reset}`);
+    this.detection = detectAll(this.projectPath);
+    process.stdout.write(`\r${c.green}✓${c.reset} Project analyzed                    \n`);
+  }
+
+  printDetectionResults() {
+    const d = this.detection;
+    
+    console.log("");
+    console.log(`${c.cyan}┌─ Detection Results ──────────────────────────────────────────────────────┐${c.reset}`);
+    
+    // Project info
+    console.log(`${c.cyan}│${c.reset}`);
+    console.log(`${c.cyan}│${c.reset}  ${c.bold}Project:${c.reset} ${d.pkg?.name || "unnamed"} ${c.dim}v${d.pkg?.version || "0.0.0"}${c.reset}`);
+    console.log(`${c.cyan}│${c.reset}  ${c.bold}Package Manager:${c.reset} ${d.packageManager}`);
+    if (d.monorepo.isMonorepo) {
+      console.log(`${c.cyan}│${c.reset}  ${c.bold}Monorepo:${c.reset} ${c.green}Yes${c.reset}`);
+    }
+    
+    // Frameworks
+    const frameworks = Object.values(d.frameworks);
+    if (frameworks.length) {
+      console.log(`${c.cyan}│${c.reset}`);
+      console.log(`${c.cyan}│${c.reset}  ${c.bold}Frameworks:${c.reset}`);
+      for (const fw of frameworks) {
+        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${fw.icon} ${fw.name}`);
+      }
+    }
+    
+    // Databases
+    const databases = Object.values(d.databases);
+    if (databases.length) {
+      console.log(`${c.cyan}│${c.reset}`);
+      console.log(`${c.cyan}│${c.reset}  ${c.bold}Databases:${c.reset}`);
+      for (const db of databases) {
+        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${db.icon} ${db.name}`);
+      }
+    }
+    
+    // Auth
+    const auth = Object.values(d.auth);
+    if (auth.length) {
+      console.log(`${c.cyan}│${c.reset}`);
+      console.log(`${c.cyan}│${c.reset}  ${c.bold}Authentication:${c.reset}`);
+      for (const a of auth) {
+        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${a.icon} ${a.name}`);
+      }
+    }
+    
+    // Payments
+    const payments = Object.values(d.payments);
+    if (payments.length) {
+      console.log(`${c.cyan}│${c.reset}`);
+      console.log(`${c.cyan}│${c.reset}  ${c.bold}Payments:${c.reset}`);
+      for (const p of payments) {
+        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${p.icon} ${p.name}`);
+      }
+    }
+    
+    // CI/CD
+    const ci = Object.values(d.ci);
+    if (ci.length) {
+      console.log(`${c.cyan}│${c.reset}`);
+      console.log(`${c.cyan}│${c.reset}  ${c.bold}CI/CD:${c.reset}`);
+      for (const c2 of ci) {
+        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${c2.icon} ${c2.name}`);
+      }
+    }
+    
+    // Deploy
+    const deploy = Object.values(d.deploy);
+    if (deploy.length) {
+      console.log(`${c.cyan}│${c.reset}`);
+      console.log(`${c.cyan}│${c.reset}  ${c.bold}Deployment:${c.reset}`);
+      for (const dp of deploy) {
+        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${dp.icon} ${dp.name}`);
+      }
+    }
+    
+    // Testing
+    const testing = Object.values(d.testing);
+    if (testing.length) {
+      console.log(`${c.cyan}│${c.reset}`);
+      console.log(`${c.cyan}│${c.reset}  ${c.bold}Testing:${c.reset}`);
+      for (const t of testing) {
+        console.log(`${c.cyan}│${c.reset}    ${c.green}✓${c.reset} ${t.icon} ${t.name}`);
+      }
+    }
+    
+    // Invariants
+    console.log(`${c.cyan}│${c.reset}`);
+    console.log(`${c.cyan}│${c.reset}  ${c.bold}Ship Killers:${c.reset} ${c.magenta}${d.invariants.length} invariants${c.reset}`);
+    
+    console.log(`${c.cyan}│${c.reset}`);
+    console.log(`${c.cyan}└───────────────────────────────────────────────────────────────────────────┘${c.reset}`);
+    console.log("");
+  }
+
+  async generateConfigs() {
+    console.log(`${c.cyan}┌─ Generating Configuration ───────────────────────────────────────────────┐${c.reset}`);
+    console.log(`${c.cyan}│${c.reset}`);
+    
+    const tasks = [
+      { name: ".vibecheck/config.json", fn: () => this.writeConfig() },
+      { name: ".vibecheck/invariants.yml", fn: () => this.writeInvariants() },
+      { name: ".vibecheck/security-policy.json", fn: () => this.writeSecurityPolicy() },
+      { name: ".vibecheck/schemas/", fn: () => this.writeSchemas() },
+      { name: ".gitignore update", fn: () => this.updateGitignore() },
+    ];
+    
+    if (this.options.team) {
+      tasks.push({ name: ".vibecheck/team.json", fn: () => this.writeTeamConfig() });
+    }
+    
+    if (this.options.mcp) {
+      tasks.push({ name: ".vibecheck/mcp.json", fn: () => this.writeMCPConfig() });
+    }
+    
+    for (const task of tasks) {
+      process.stdout.write(`${c.cyan}│${c.reset}  ○ ${task.name}...`);
+      try {
+        const result = await task.fn();
+        const status = result === "created" ? `${c.green}created${c.reset}` :
+                       result === "updated" ? `${c.yellow}updated${c.reset}` :
+                       `${c.dim}skipped${c.reset}`;
+        process.stdout.write(`\r${c.cyan}│${c.reset}  ${c.green}✓${c.reset} ${task.name} ${status}\n`);
+        
+        if (result === "created") this.created.push(task.name);
+        else if (result === "updated") this.updated.push(task.name);
+        else this.skipped.push(task.name);
+      } catch (err) {
+        process.stdout.write(`\r${c.cyan}│${c.reset}  ${c.red}✗${c.reset} ${task.name} ${c.red}${err.message}${c.reset}\n`);
+      }
+    }
+    
+    console.log(`${c.cyan}│${c.reset}`);
+    console.log(`${c.cyan}└───────────────────────────────────────────────────────────────────────────┘${c.reset}`);
+    console.log("");
+  }
+
+  writeConfig() {
+    const configDir = path.join(this.projectPath, ".vibecheck");
+    ensureDir(configDir);
+    
+    const configPath = path.join(configDir, "config.json");
+    const config = generateVibecheckConfig(this.detection, this.options);
+    
+    const exists = fs.existsSync(configPath);
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf8");
+    return exists ? "updated" : "created";
+  }
+
+  writeInvariants() {
+    const configDir = path.join(this.projectPath, ".vibecheck");
+    ensureDir(configDir);
+    
+    const invPath = path.join(configDir, "invariants.yml");
+    const content = generateInvariantsYml(this.detection.invariants);
+    
+    const exists = fs.existsSync(invPath);
+    fs.writeFileSync(invPath, content, "utf8");
+    return exists ? "updated" : "created";
+  }
+
+  writeSecurityPolicy() {
+    const configDir = path.join(this.projectPath, ".vibecheck");
+    ensureDir(configDir);
+    
+    const policyPath = path.join(configDir, "security-policy.json");
+    const policy = generateSecurityPolicy(this.detection);
+    
+    const exists = fs.existsSync(policyPath);
+    fs.writeFileSync(policyPath, JSON.stringify(policy, null, 2), "utf8");
+    return exists ? "updated" : "created";
+  }
+
+  writeSchemas() {
+    const schemasDir = path.join(this.projectPath, ".vibecheck", "schemas");
+    ensureDir(schemasDir);
+    
+    const schemas = {
+      "config.schema.json": {
+        "$schema": "https://json-schema.org/draft/2020-12/schema",
+        "$id": "https://vibecheck.dev/schemas/config.json",
+        "title": "Vibecheck Configuration",
+        "type": "object",
+      },
+      "truthpack.schema.json": {
+        "$schema": "https://json-schema.org/draft/2020-12/schema",
+        "$id": "https://vibecheck.dev/schemas/truthpack.json",
+        "title": "Vibecheck Truthpack",
+        "type": "object",
+      },
+    };
+    
+    for (const [name, schema] of Object.entries(schemas)) {
+      fs.writeFileSync(path.join(schemasDir, name), JSON.stringify(schema, null, 2), "utf8");
+    }
+    
+    return "created";
+  }
+
+  writeTeamConfig() {
+    const configDir = path.join(this.projectPath, ".vibecheck");
+    ensureDir(configDir);
+    
+    const teamPath = path.join(configDir, "team.json");
+    const config = generateTeamConfig(this.detection, this.options);
+    
+    const exists = fs.existsSync(teamPath);
+    fs.writeFileSync(teamPath, JSON.stringify(config, null, 2), "utf8");
+    return exists ? "updated" : "created";
+  }
+
+  writeMCPConfig() {
+    const configDir = path.join(this.projectPath, ".vibecheck");
+    ensureDir(configDir);
+    
+    const mcpPath = path.join(configDir, "mcp.json");
+    const config = generateMCPConfig(this.detection);
+    
+    const exists = fs.existsSync(mcpPath);
+    fs.writeFileSync(mcpPath, JSON.stringify(config, null, 2), "utf8");
+    return exists ? "updated" : "created";
+  }
+
+  updateGitignore() {
+    const gitignorePath = path.join(this.projectPath, ".gitignore");
+    const entries = [
+      "",
+      "# vibecheck",
+      ".vibecheck/truth/",
+      ".vibecheck/reality/",
+      ".vibecheck/missions/",
+      ".vibecheck/prove/",
+      ".vibecheck/cache/",
+      "",
+    ].join("\n");
+    
+    if (fs.existsSync(gitignorePath)) {
+      const content = fs.readFileSync(gitignorePath, "utf8");
+      if (content.includes(".vibecheck/")) {
+        return "skipped";
+      }
+      fs.appendFileSync(gitignorePath, entries);
+      return "updated";
+    } else {
+      fs.writeFileSync(gitignorePath, entries.trim() + "\n");
+      return "created";
+    }
+  }
+
+  async setupCI() {
+    console.log(`${c.cyan}┌─ CI/CD Integration ──────────────────────────────────────────────────────┐${c.reset}`);
+    console.log(`${c.cyan}│${c.reset}`);
+    
+    const ciType = this.options.ci === true ? "github" : this.options.ci;
+    
+    if (ciType === "github" || ciType === "github-actions") {
+      const wfDir = path.join(this.projectPath, ".github", "workflows");
+      ensureDir(wfDir);
+      
+      const wfPath = path.join(wfDir, "vibecheck.yml");
+      const workflow = generateGitHubActionsWorkflow(this.detection, this.options);
+      
+      fs.writeFileSync(wfPath, workflow, "utf8");
+      console.log(`${c.cyan}│${c.reset}  ${c.green}✓${c.reset} Created .github/workflows/vibecheck.yml`);
+      this.created.push(".github/workflows/vibecheck.yml");
+    } else if (ciType === "gitlab") {
+      const ciPath = path.join(this.projectPath, ".gitlab-ci.vibecheck.yml");
+      const config = generateGitLabCI(this.detection, this.options);
+      
+      fs.writeFileSync(ciPath, config, "utf8");
+      console.log(`${c.cyan}│${c.reset}  ${c.green}✓${c.reset} Created .gitlab-ci.vibecheck.yml`);
+      console.log(`${c.cyan}│${c.reset}  ${c.dim}Include this in your main .gitlab-ci.yml${c.reset}`);
+      this.created.push(".gitlab-ci.vibecheck.yml");
+    }
+    
+    console.log(`${c.cyan}│${c.reset}`);
+    console.log(`${c.cyan}└───────────────────────────────────────────────────────────────────────────┘${c.reset}`);
+    console.log("");
+  }
+
+  async setupCompliance() {
+    console.log(`${c.cyan}┌─ Compliance Templates ───────────────────────────────────────────────────┐${c.reset}`);
+    console.log(`${c.cyan}│${c.reset}`);
+    
+    const complianceDir = path.join(this.projectPath, ".vibecheck", "compliance");
+    ensureDir(complianceDir);
+    
+    const templates = typeof this.options.compliance === "string" 
+      ? [this.options.compliance]
+      : Object.keys(COMPLIANCE_TEMPLATES);
+    
+    for (const key of templates) {
+      const template = COMPLIANCE_TEMPLATES[key];
+      if (!template) continue;
+      
+      const filePath = path.join(complianceDir, `${key}.json`);
+      fs.writeFileSync(filePath, JSON.stringify({
+        name: template.name,
+        description: template.description,
+        policies: template.policies,
+        invariants: template.invariants,
+        status: "not_started",
+        lastAudit: null,
+      }, null, 2), "utf8");
+      
+      console.log(`${c.cyan}│${c.reset}  ${c.green}✓${c.reset} Created compliance/${key}.json (${template.name})`);
+      this.created.push(`compliance/${key}.json`);
+    }
+    
+    console.log(`${c.cyan}│${c.reset}`);
+    console.log(`${c.cyan}└───────────────────────────────────────────────────────────────────────────┘${c.reset}`);
+    console.log("");
+  }
+
+  printSummary() {
+    console.log(`${c.green}${c.bold}✓ Enterprise init complete${c.reset}`);
+    console.log("");
+    
+    if (this.created.length) {
+      console.log(`${c.green}Created:${c.reset} ${this.created.length} files`);
+    }
+    if (this.updated.length) {
+      console.log(`${c.yellow}Updated:${c.reset} ${this.updated.length} files`);
+    }
+    
+    console.log("");
+    console.log(`${c.cyan}╔══════════════════════════════════════════════════════════════════════════╗${c.reset}`);
+    console.log(`${c.cyan}║${c.reset} ${c.bold}Next Steps${c.reset}                                                               ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}╠══════════════════════════════════════════════════════════════════════════╣${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}  ${c.bold}1.${c.reset} Generate truth pack:                                                  ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}     ${c.cyan}vibecheck ctx${c.reset}                                                         ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}  ${c.bold}2.${c.reset} Run ship decision:                                                    ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}     ${c.cyan}vibecheck ship${c.reset}                                                        ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}  ${c.bold}3.${c.reset} Start MCP server for AI agents:                                       ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}     ${c.cyan}vibecheck mcp${c.reset}                                                         ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}║${c.reset}                                                                          ${c.cyan}║${c.reset}`);
+    console.log(`${c.cyan}╚══════════════════════════════════════════════════════════════════════════╝${c.reset}`);
+    console.log("");
+    console.log(`${c.dim}Tip: Run ${c.cyan}vibecheck prove --url http://localhost:3000${c.dim} for full reality verification${c.reset}`);
+    console.log("");
+  }
+}
+
+// ============================================================================
+// EXPORTS
+// ============================================================================
+module.exports = {
+  EnterpriseInit,
+  generateGitHubActionsWorkflow,
+  generateGitLabCI,
+  generateSecurityPolicy,
+  generateTeamConfig,
+  generateVibecheckConfig,
+  generateInvariantsYml,
+  INVARIANT_DEFINITIONS,
+  COMPLIANCE_TEMPLATES,
+};