@viberaven/cli 1.0.0 → 1.0.1

package/dist/cli.js

@@ -170,7 +170,7 @@ __export(cli_exports, {
   runScanCommand: () => runScanCommand
 });
 module.exports = __toCommonJS(cli_exports);
-var import_promises15 = require("node:fs/promises");
+var import_promises16 = require("node:fs/promises");
 var import_node_path21 = require("node:path");
 
 // src/config.ts
@@ -526,6 +526,7 @@ var READY = "READY";
 var LOGIN_REQUIRED = "LOGIN_REQUIRED";
 var UPGRADE_REQUIRED = "UPGRADE_REQUIRED";
 var MANUAL_ACTION_REQUIRED = "MANUAL_ACTION_REQUIRED";
+var AGENT_ACTION = "AGENT_ACTION";
 var ERROR = "ERROR";
 function formatAgentStatus(label, message) {
   return `${label}: ${message}`;
@@ -676,7 +677,11 @@ async function runDeviceLogin(apiBaseUrl) {
     await openUrlInBrowser(verificationUrl);
     console.log("Opened the VibeRaven approval page in your browser.");
   } catch (error) {
-    console.warn(error instanceof Error ? error.message : String(error));
+    const detail = error instanceof Error ? error.message : String(error);
+    console.log(
+      "LOGIN_BROWSER_MANUAL: Automatic browser open failed. Open the LOGIN_URL_READY URL manually; the CLI is still waiting."
+    );
+    console.log(`LOGIN_BROWSER_DETAIL: ${detail}`);
   }
   console.log("Waiting for approval in the browser\u2026\n");
   console.log("LOGIN_WAITING: Complete approval in the browser, then VibeRaven will continue automatically.");
@@ -1078,8 +1083,8 @@ function isSecretFileName(fileName) {
   }
   return SECRET_PATTERNS.some((pattern) => pattern.test(fileName));
 }
-function isLikelyBinary(buffer2) {
-  return buffer2.includes(0);
+function isLikelyBinary(buffer) {
+  return buffer.includes(0);
 }
 function createGitignoreMatcher(gitignoreContent) {
   const rules = gitignoreContent.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#") && !line.startsWith("!")).map(parseGitignoreRule);
@@ -7693,7 +7698,7 @@ function createStationOrchestrator(deps) {
           if (error instanceof BackendHttpError && error.status === 402) {
             return {
               kind: "scan_limit_reached",
-              upgradeUrl: error.upgradeUrl ?? "https://viberice.com/account"
+              upgradeUrl: error.upgradeUrl ?? "https://viberaven.dev/account"
             };
           }
           if (error instanceof BackendHttpError && error.status === 401) {
@@ -8780,81 +8785,169 @@ function generateAgentSummary(artifact) {
 `;
 }
 
-// src/report/agentTasklist.ts
-var SEVERITY_ORDER2 = {
-  critical: 0,
-  warning: 1,
-  info: 2
-};
-function sortGaps2(gaps) {
-  return [...gaps].sort(
-    (a, b3) => SEVERITY_ORDER2[a.severity] - SEVERITY_ORDER2[b3.severity] || a.title.localeCompare(b3.title)
-  );
-}
-function redactDetail(detail) {
-  return detail.replace(
-    /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
-    "<redacted>"
-  ).replace(
-    /\b([a-z][a-z0-9+.-]*:\/\/)([^:@\s/?#]+):([^@\s/?#]+)@([^\s)]+)/gi,
-    "$1<redacted>@$4"
-  ).replace(/\bAuthorization\s*:\s*([A-Za-z][A-Za-z0-9._-]*)\s+[^\s;,]+/gi, "Authorization: $1 <redacted>").replace(/\bghp_[A-Za-z0-9_]{20,}\b/g, "<redacted>").replace(/\bgithub_pat_[A-Za-z0-9_]{20,}\b/g, "<redacted>").replace(/\bxox[baprs]-[A-Za-z0-9-]{20,}\b/g, "<redacted>").replace(/\bxapp-[A-Za-z0-9-]{20,}\b/g, "<redacted>").replace(
-    /\b([A-Za-z0-9_]*(?:ACCESS_TOKEN|AUTHORIZATION|API_KEY|SECRET|SECRET_KEY|SERVICE_ROLE_KEY|TOKEN|PASSWORD|PRIVATE_KEY|CREDENTIALS?)[A-Za-z0-9_]*)\s*=\s*["']?[^"'\s;,]+["']?/gi,
-    "$1=<redacted>"
-  ).replace(/\beyJ[A-Za-z0-9._-]*\b/g, "<redacted>").replace(/\[REDACTED(?:_[A-Z_]+)?\]/g, "<redacted>");
+// src/buildTaskList.ts
+var KNOWN_RECIPE_GAP_IDS = /* @__PURE__ */ new Set([
+  // emptyCatch (original recipe)
+  "empty-catch",
+  "empty_catch",
+  "emptyCatch",
+  // W3 env-add recipes
+  "auth_secret_missing",
+  "node_env_not_set",
+  "database_url_missing",
+  // W3 file-create recipes
+  "missing_error_boundary",
+  "missing_health_route",
+  "missing_loading_state",
+  "missing_404_page",
+  // W3 file-patch recipes
+  "missing_csp_header",
+  "missing_rate_limit"
+  // NOTE: 'rls_disabled' is intentionally NOT here — it is provider-action only,
+  // canAutoApply=false, and should be classified as 'provider-action' by buildTaskList.
+]);
+function hasRecipe(gapId) {
+  if (KNOWN_RECIPE_GAP_IDS.has(gapId)) return true;
+  const lower = gapId.toLowerCase();
+  return lower.includes("empty") && lower.includes("catch");
+}
+function gapToPlaybookProvider(gap) {
+  const cat = gap.primaryMapCategory.toLowerCase();
+  if (cat === "deployment") return "vercel";
+  if (cat === "payments") return "stripe";
+  if (cat === "auth") return "auth-supabase";
+  if (cat === "database") return "supabase";
+  const id = gap.id.toLowerCase();
+  if (id.includes("vercel") || id.includes("deploy")) return "vercel";
+  if (id.includes("stripe") || id.includes("payment")) return "stripe";
+  if (id.includes("supabase") || id.includes("database") || id.includes("db")) return "supabase";
+  if (id.includes("auth")) return "auth-supabase";
+  return void 0;
 }
-function headingFor(gaps) {
-  if (gaps.some((gap) => gap.severity === "critical")) {
-    return "# VibeRaven Production Gate - CRITICAL GAPS DETECTED";
+function hasPlaybook(gap) {
+  try {
+    const provider2 = gapToPlaybookProvider(gap);
+    if (!provider2) return false;
+    return PLAYBOOK_PROVIDERS.includes(provider2);
+  } catch {
+    return false;
   }
-  if (gaps.length > 0) {
-    return "# VibeRaven Production Gate - GAPS DETECTED";
+}
+function buildProviderAction(gap, provider2) {
+  try {
+    const playbook = loadPlaybookSync(provider2);
+    const step = playbook.steps[0];
+    if (!step) return void 0;
+    return {
+      provider: provider2,
+      dashboardUrl: step.openUrl ?? `https://${provider2}.com`,
+      // PlaybookStep uses `instruction` — map to exactStep
+      exactStep: step.instruction,
+      // No envKeyName/envKeyExample in current PlaybookStep schema — leave undefined
+      envKeyName: void 0,
+      envKeyExample: void 0,
+      // Use step title as the done signal
+      doneSignal: `${step.title} step completed`,
+      verifyCommand: PUBLIC_VERIFY_COMMAND
+    };
+  } catch {
+    return void 0;
   }
-  return "# VibeRaven Production Gate - NO REPO-CODE GAPS DETECTED";
 }
-function generateAgentTasklist(artifact) {
-  const lines = [];
-  const gaps = sortGaps2(artifact.gaps);
-  const hasCritical = gaps.some((gap) => gap.severity === "critical");
-  lines.push(headingFor(gaps), "");
-  lines.push(`Workspace: \`${artifact.workspacePath}\``);
-  lines.push(`Scanned: ${artifact.scannedAt}`);
-  lines.push(`Production core: **${artifact.productionCorePercent}%**`);
-  lines.push("");
-  if (hasCritical) {
-    lines.push("PRODUCTION GATE NOT CLEAR", "");
-  } else if (gaps.length > 0) {
-    lines.push("Do not deploy until the listed production-readiness gaps are reviewed.", "");
-  } else {
-    lines.push("PRODUCTION GATE CLEAR FOR REPO-CODE GAPS");
-    lines.push(
-      "Provider dashboard checks still require dashboard or read-only MCP evidence before launch."
-    );
-    lines.push("");
+function unlockedKeys2(artifact) {
+  const keys = artifact.usage?.unlockedMapCategoryKeys ?? FREE_TRIAL_UNLOCKED_MAP_CATEGORY_KEYS;
+  return new Set(keys);
+}
+function buildTaskList(artifact) {
+  const unlocked = unlockedKeys2(artifact);
+  const sorted = sortGapsByPriority(artifact.gaps);
+  return sorted.map((gap, index) => {
+    const id = `TASK-${String(index + 1).padStart(3, "0")}`;
+    const isLocked = !unlocked.has(gap.primaryMapCategory);
+    let fixType;
+    if (isLocked) {
+      fixType = "upgrade-required";
+    } else if (hasRecipe(gap.id)) {
+      fixType = "repo-code";
+    } else if (hasPlaybook(gap)) {
+      fixType = "provider-action";
+    } else {
+      fixType = "manual-verify";
+    }
+    const base = {
+      id,
+      gapId: gap.id,
+      severity: gap.severity,
+      fixType,
+      title: gap.title,
+      verifyCommand: PUBLIC_VERIFY_COMMAND,
+      requiresUserAction: fixType !== "repo-code"
+    };
+    if (fixType === "repo-code") {
+      base.mcpTool = "viberaven_heal_apply";
+      base.mcpArgs = { gap: gap.id, yes: true };
+      base.requiresUserAction = false;
+      if (gap.copyPrompt) {
+        base.exactFix = gap.copyPrompt.trim();
+      }
+    } else if (fixType === "provider-action") {
+      try {
+        const provider2 = gapToPlaybookProvider(gap);
+        if (provider2) {
+          const pa = buildProviderAction(gap, provider2);
+          if (pa) {
+            base.providerAction = pa;
+            base.action = pa.exactStep;
+          }
+        }
+      } catch {
+        base.fixType = "manual-verify";
+      }
+      base.requiresUserAction = true;
+    }
+    return base;
+  });
+}
+function buildTaskListMarkdown(tasks) {
+  if (tasks.length === 0) {
+    return "# VibeRaven Agent Tasklist\n\n_No gaps found \u2014 production core looks solid._\n";
   }
-  lines.push("## TOP REPO-CODE GAPS", "");
-  if (gaps.length === 0) {
-    lines.push("_No repo-code gaps were returned by this scan._", "");
-  } else {
-    for (const gap of gaps.slice(0, 10)) {
-      const marker = gap.severity === "critical" ? "[!]" : "[ ]";
-      lines.push(`- ${marker} **${gap.title}**`);
-      lines.push(`  - Gap ID: \`${gap.id}\``);
-      lines.push(`  - Severity: ${gap.severity}`);
-      lines.push(`  - Area: ${gap.primaryMapCategory}`);
-      lines.push(`  - Detail: ${redactDetail(gap.detail)}`);
-      lines.push(`  - Command: \`${promptGapCommand(gap.id)}\``);
+  const lines = ["# VibeRaven Agent Tasklist", ""];
+  for (const task of tasks) {
+    const severityLabel = task.severity.toUpperCase();
+    lines.push(`## ${task.id} \xB7 ${task.gapId} \xB7 ${severityLabel}`, "");
+    lines.push(`**Fix type:** ${task.fixType}  `);
+    if (task.file) {
+      lines.push(`**File:** \`${task.file}\`  `);
+    }
+    if (task.action) {
+      lines.push(`**Action:** ${task.action}  `);
+    }
+    if (task.exactFix) {
+      lines.push(`**Exact fix:** ${task.exactFix}  `);
+    } else {
+      lines.push(`**Exact fix:** No automated recipe \u2014 see scanner hint.  `);
+    }
+    lines.push(`**Verify:** \`${task.verifyCommand}\`  `);
+    if (task.mcpTool && task.mcpArgs) {
+      lines.push(
+        `**MCP:** \`${task.mcpTool} ${JSON.stringify(task.mcpArgs)}\`  `
+      );
+    }
+    lines.push(`**Requires user action:** ${task.requiresUserAction}`);
+    if (task.providerAction) {
+      const pa = task.providerAction;
+      lines.push("");
+      lines.push("**Provider action:**");
+      lines.push(`- Provider: ${pa.provider}`);
+      lines.push(`- Dashboard: ${pa.dashboardUrl}`);
+      lines.push(`- Step: ${pa.exactStep}`);
+      if (pa.envKeyName) lines.push(`- Env key: \`${pa.envKeyName}\``);
+      if (pa.doneSignal) lines.push(`- Done when: ${pa.doneSignal}`);
+      if (pa.mcpAlternative) lines.push(`- MCP alternative: \`${pa.mcpAlternative}\``);
     }
     lines.push("");
   }
-  lines.push("## NEXT STEPS FOR THE AGENT", "");
-  lines.push("1. Pick one repo-code gap from this tasklist and fix only that gap.");
-  lines.push("2. Use `npx -y @viberaven/cli prompt --gap <id>` for focused guidance.");
-  lines.push(`3. Run \`${PUBLIC_VERIFY_COMMAND}\` to rescan and refresh this tasklist.`);
-  lines.push(
-    "4. Do not claim provider dashboard checks are fixed by repo-code edits; verify those in the provider dashboard or through read-only provider MCP evidence."
-  );
-  lines.push("");
   return `${lines.join("\n")}
 `;
 }
@@ -8949,7 +9042,7 @@ function getStationHtml(nonce, cssUri, jsUri, options) {
         href="https://fonts.googleapis.com/css2?family=Geist:wght@400;500;600;700&amp;family=JetBrains+Mono:wght@400;600&amp;display=swap"
       />
       <link rel="stylesheet" href="${cssUri}">
-      <title>VibeRaven Station</title>
+      <title>VibeRaven</title>
     </head>
     <body data-surface="${surface}">
       <div class="station-app">
@@ -9337,7 +9430,8 @@ async function writeScanArtifacts(options) {
   const summary = generateAgentSummary(safe);
   const playbook = generateLaunchPlaybook(safe);
   const html = generateReportHtml(safe);
-  const tasklist = generateAgentTasklist(safe);
+  const tasks = buildTaskList(safe);
+  const tasklist = buildTaskListMarkdown(tasks);
   const gateResult = `${JSON.stringify(generateGateResult(safe), null, 2)}
 `;
   const contextMap = `${JSON.stringify(generateContextMap(safe), null, 2)}
@@ -9567,6 +9661,21 @@ function printScanSummary(artifact, paths) {
   console.log(import_picocolors.default.dim(`  ${paths.summaryPath}`));
   console.log(import_picocolors.default.dim(`  ${paths.playbookPath}`));
   console.log("");
+  const next = resolveNextAction(artifact);
+  console.log(`Open report: ${paths.reportPath}`);
+  console.log(`Next action: ${next.title}`);
+  console.log(next.detail);
+  if (next.command) {
+    console.log(`Run: ${next.command}`);
+  }
+  if (next.openUrl) {
+    console.log(`Open: ${next.openUrl}`);
+  }
+  if (next.upgradeUrl) {
+    console.log(`Upgrade: ${next.upgradeUrl}`);
+  }
+  console.log(formatAgentStatus(AGENT_ACTION, "Read .viberaven/agent-tasklist.md, run the next command above, then rescan."));
+  console.log("");
   if (artifact.usage) {
     const lanes = artifact.usage.unlockedMapCategoryKeys.length;
     console.log(
@@ -9686,11 +9795,11 @@ function validateSafeFixRelativePath(path) {
   if (segments.some((segment) => segment === ".git" || segment === "node_modules")) {
     return { ok: false, reason: "Safe fix path targets a blocked directory." };
   }
-  const basename4 = segments.at(-1)?.toLowerCase() ?? "";
-  if (basename4 !== ".env.example" && (basename4 === ".env" || basename4.startsWith(".env."))) {
+  const basename3 = segments.at(-1)?.toLowerCase() ?? "";
+  if (basename3 !== ".env.example" && (basename3 === ".env" || basename3.startsWith(".env."))) {
     return { ok: false, reason: "Safe fix path targets an environment secret file." };
   }
-  if (isSecretLikeFilename(basename4)) {
+  if (isSecretLikeFilename(basename3)) {
     return { ok: false, reason: "Safe fix path targets a secret-like file." };
   }
   if (!isAllowedSafeFixPath(normalized)) {
@@ -11406,7 +11515,30 @@ var AGENT_RULES_BODY = `## VibeRaven Production-Readiness Gate
 - Cleanup is non-destructive: only run \`${PUBLIC_CLEAN_PLAN_COMMAND}\` to create a reviewable cleanup plan.
 - Provider dashboard checks are not cleared by repo-code edits. Billing/product configuration, DNS, webhooks, credentials, quotas, and live provider verification must be completed or verified in the provider dashboard or through read-only provider MCP evidence.
 - Do not claim provider dashboard work is fixed by repo-code edits.
-- If VibeRaven prints \`LOGIN_URL_READY\`, open that URL for the user using the available browser tool or system browser. Tell the user: "I opened VibeRaven sign-in so you can approve access; I will continue after approval." Do not ask for passwords, tokens, cookies, or secrets. Keep the terminal process alive while the user approves.`;
+- If VibeRaven prints \`LOGIN_URL_READY\`, open that URL for the user using the available browser tool or system browser. Tell the user: "I opened VibeRaven sign-in so you can approve access; I will continue after approval." Do not ask for passwords, tokens, cookies, or secrets. Keep the terminal process alive while the user approves.
+
+## VibeRaven Production Copilot Loop
+
+After every scan, read \`.viberaven/agent-tasklist.md\` for the prioritized task list.
+
+The loop is:
+
+1. Read \`VIBERAVEN_NEXT_ACTION\` from scan output for \`batchSize\`, \`batchApplied\`, \`scanNow\`, and \`stalled\`.
+2. If \`stalled: true\`, stop calling verify \u2014 address provider-action gaps or report to the user.
+3. If \`scanNow: true\`, call \`viberaven_verify\` (or run verify command) before applying more heals.
+4. For each repo-code task where \`requiresUserAction: false\` (up to \`batchSize\` per batch):
+   - Call MCP: \`viberaven_heal_apply { gap: "<gapId>", yes: true }\`
+   - Or run heal apply command
+5. After a successful heal, VibeRaven increments \`.viberaven/loop-state.json\`. After a full batch of heals, call verify once - do NOT verify after every single heal.
+6. If verify prints \`SCAN_DEFERRED\`, do not retry verify. Apply the next listed repo-code heal. Only use \`--force-scan\` when the user explicitly approves spending a scan early.
+7. Repeat until \`gate.status === 'clear'\` in \`.viberaven/gate-result.json\`.
+8. If \`requiresUserAction: true\`:
+   - Read \`VIBERAVEN_PROVIDER_ACTION\` from terminal output.
+   - Present \`dashboardUrl\` and \`exactStep\` to the user.
+   - Wait for user confirmation, then verify.
+9. If \`fixType === 'upgrade-required'\`, provide upgradeUrl and move on.
+
+Do not stop at "scan complete." The loop is not done until \`gate.status === 'clear'\`.`;
 function buildAgentRulesBlock() {
   return [VIBERAVEN_AGENT_RULES_START, AGENT_RULES_BODY, VIBERAVEN_AGENT_RULES_END].join("\n");
 }
@@ -11521,7 +11653,6 @@ var AGENT_RULE_TARGET_ALIAS_ENTRIES = ALL_AGENT_RULE_TARGETS.flatMap((target) =>
   ...(AGENT_RULE_TARGETS[target].aliases ?? []).map((alias) => [alias, target])
 ]);
 var AGENT_RULE_TARGET_ALIASES = new Map(AGENT_RULE_TARGET_ALIAS_ENTRIES);
-var VALID_AGENT_RULES_TARGET_TEXT = "all, codex, claude, cursor, cursor-legacy, copilot, github-copilot, gemini, devin, windsurf, cline, roo, junie, zed";
 function renderAgentRulesForTarget(target) {
   if (target === "claude") {
     return ["@AGENTS.md", "", buildAgentRulesBlock()].join("\n");
@@ -11539,27 +11670,6 @@ function renderAgentRulesForTarget(target) {
   }
   return buildAgentRulesBlock();
 }
-function validAgentRulesTargetText() {
-  return VALID_AGENT_RULES_TARGET_TEXT;
-}
-function getAgentRulesTargets(value) {
-  if (value === void 0 || value.trim() === "" || value.trim().toLowerCase() === "all") {
-    return [...ALL_AGENT_RULE_TARGETS];
-  }
-  const requested = value.split(",").map((target) => target.trim().toLowerCase()).filter(Boolean);
-  if (requested.length === 0 || requested.includes("all")) {
-    return [...ALL_AGENT_RULE_TARGETS];
-  }
-  const resolved = requested.map((target) => {
-    const canonicalTarget = AGENT_RULE_TARGET_ALIASES.get(target);
-    if (!canonicalTarget) {
-      throw new Error(`Unknown agent rules target "${target}". Valid targets: ${validAgentRulesTargetText()}.`);
-    }
-    return canonicalTarget;
-  });
-  const requestedTargets = new Set(resolved);
-  return ALL_AGENT_RULE_TARGETS.filter((target) => requestedTargets.has(target));
-}
 
 // src/commands/initRules.ts
 async function initAgentRules(options) {
@@ -11579,15 +11689,6 @@ async function initAgentRules(options) {
   }
   return results;
 }
-function renderAgentRulesDryRun(targets) {
-  const files = targets.map((target) => `- ${target}: ${AGENT_RULE_TARGETS[target].file}`).join("\n");
-  const previews = targets.flatMap((target) => [
-    `Preview: ${target} (${AGENT_RULE_TARGETS[target].file})`,
-    "",
-    renderAgentRulesForTarget(target)
-  ]);
-  return [`VibeRaven agent rules dry run`, "", `Target files:`, files, "", ...previews].join("\n");
-}
 async function readExistingFile(path) {
   try {
     return { exists: true, content: await (0, import_promises8.readFile)(path, "utf-8") };
@@ -11977,8 +12078,9 @@ async function runCondenseCommand(options) {
 }
 
 // src/heal/apply.ts
-var import_promises10 = require("node:fs/promises");
-var import_node_path15 = require("node:path");
+var import_promises11 = require("node:fs/promises");
+var import_node_fs8 = require("node:fs");
+var import_node_path16 = require("node:path");
 
 // src/heal/pathSafety.ts
 var import_node_path14 = require("node:path");
@@ -12008,6 +12110,507 @@ function applyEmptyCatchRecipe(source) {
   return { changed: output !== source, output };
 }
 
+// src/heal/recipes/index.ts
+var import_node_fs7 = require("node:fs");
+var import_promises10 = require("node:fs/promises");
+var import_node_path15 = require("node:path");
+
+// src/heal/recipes/envAuthSecret.ts
+function applyAuthSecretRecipe(source) {
+  if (/^\s*NEXTAUTH_SECRET\s*=/m.test(source)) {
+    return { changed: false, output: source, canAutoApply: true };
+  }
+  const line = "NEXTAUTH_SECRET=<generate with: openssl rand -base64 32>";
+  const output = source.trimEnd() ? `${source.trimEnd()}
+${line}
+` : `${line}
+`;
+  return { changed: true, output, canAutoApply: true };
+}
+
+// src/heal/recipes/envNodeEnv.ts
+function applyNodeEnvRecipe(source) {
+  if (/^\s*NODE_ENV\s*=/m.test(source)) {
+    return { changed: false, output: source, canAutoApply: true };
+  }
+  const line = "NODE_ENV=production";
+  const output = source.trimEnd() ? `${source.trimEnd()}
+${line}
+` : `${line}
+`;
+  return { changed: true, output, canAutoApply: true };
+}
+
+// src/heal/recipes/envDatabaseUrl.ts
+function applyDatabaseUrlRecipe(source) {
+  if (/^\s*DATABASE_URL\s*=/m.test(source)) {
+    return { changed: false, output: source, canAutoApply: true };
+  }
+  const lines = [
+    "# Get this from: https://supabase.com/dashboard/project/<ref>/settings/database",
+    "DATABASE_URL=<your-supabase-postgres-url>"
+  ].join("\n");
+  const output = source.trimEnd() ? `${source.trimEnd()}
+${lines}
+` : `${lines}
+`;
+  return { changed: true, output, canAutoApply: true };
+}
+
+// src/heal/recipes/nextjsErrorBoundary.ts
+var ERROR_BOUNDARY_CONTENT = `'use client';
+
+import { useEffect } from 'react';
+
+interface ErrorBoundaryProps {
+  error: Error & { digest?: string };
+  reset: () => void;
+}
+
+export default function ErrorBoundary({ error, reset }: ErrorBoundaryProps) {
+  useEffect(() => {
+    // Log to an error reporting service
+    console.error('[VibeRaven] Unhandled error:', error);
+  }, [error]);
+
+  return (
+    <main className="flex min-h-screen flex-col items-center justify-center p-4">
+      <h1 className="text-2xl font-bold mb-4">Something went wrong</h1>
+      {error.digest && (
+        <p className="text-sm text-gray-500 mb-4">Error ID: {error.digest}</p>
+      )}
+      <button
+        onClick={reset}
+        className="px-4 py-2 bg-blue-600 text-white rounded hover:bg-blue-700 transition"
+      >
+        Try again
+      </button>
+    </main>
+  );
+}
+`;
+function applyErrorBoundaryRecipe(source) {
+  if (source.trim().length > 0) {
+    return {
+      changed: false,
+      output: source,
+      targetFile: "app/error.tsx",
+      canAutoApply: true
+    };
+  }
+  return {
+    changed: true,
+    output: ERROR_BOUNDARY_CONTENT,
+    targetFile: "app/error.tsx",
+    canAutoApply: true
+  };
+}
+
+// src/heal/recipes/nextjsHealthRoute.ts
+var HEALTH_ROUTE_CONTENT = `import { NextResponse } from 'next/server';
+
+/**
+ * GET /api/health
+ * Simple health-check endpoint \u2014 returns { status: 'ok', ts: <timestamp> }.
+ * Created by VibeRaven heal recipe (missing_health_route).
+ */
+export function GET(): NextResponse {
+  return NextResponse.json({ status: 'ok', ts: Date.now() });
+}
+`;
+function applyHealthRouteRecipe(source) {
+  if (source.trim().length > 0) {
+    return {
+      changed: false,
+      output: source,
+      targetFile: "app/api/health/route.ts",
+      canAutoApply: true
+    };
+  }
+  return {
+    changed: true,
+    output: HEALTH_ROUTE_CONTENT,
+    targetFile: "app/api/health/route.ts",
+    canAutoApply: true
+  };
+}
+
+// src/heal/recipes/nextjsLoadingState.ts
+var LOADING_CONTENT = `/**
+ * Next.js App Router loading skeleton.
+ * Created by VibeRaven heal recipe (missing_loading_state).
+ */
+export default function Loading() {
+  return (
+    <main className="flex min-h-screen flex-col items-center justify-center p-4">
+      <div className="animate-pulse space-y-4 w-full max-w-md">
+        <div className="h-8 bg-gray-200 rounded w-3/4" />
+        <div className="h-4 bg-gray-200 rounded w-full" />
+        <div className="h-4 bg-gray-200 rounded w-5/6" />
+        <div className="h-4 bg-gray-200 rounded w-4/6" />
+        <div className="h-10 bg-gray-200 rounded w-1/3" />
+      </div>
+    </main>
+  );
+}
+`;
+function applyLoadingStateRecipe(source) {
+  if (source.trim().length > 0) {
+    return {
+      changed: false,
+      output: source,
+      targetFile: "app/loading.tsx",
+      canAutoApply: true
+    };
+  }
+  return {
+    changed: true,
+    output: LOADING_CONTENT,
+    targetFile: "app/loading.tsx",
+    canAutoApply: true
+  };
+}
+
+// src/heal/recipes/nextjsNotFound.ts
+var NOT_FOUND_CONTENT = `import Link from 'next/link';
+
+/**
+ * Next.js App Router 404 not-found page.
+ * Created by VibeRaven heal recipe (missing_404_page).
+ */
+export default function NotFound() {
+  return (
+    <main className="flex min-h-screen flex-col items-center justify-center p-4">
+      <h1 className="text-6xl font-bold text-gray-300 mb-4">404</h1>
+      <h2 className="text-2xl font-semibold mb-2">Page Not Found</h2>
+      <p className="text-gray-500 mb-8">
+        The page you are looking for does not exist or has been moved.
+      </p>
+      <Link
+        href="/"
+        className="px-4 py-2 bg-blue-600 text-white rounded hover:bg-blue-700 transition"
+      >
+        Go home
+      </Link>
+    </main>
+  );
+}
+`;
+function applyNotFoundRecipe(source) {
+  if (source.trim().length > 0) {
+    return {
+      changed: false,
+      output: source,
+      targetFile: "app/not-found.tsx",
+      canAutoApply: true
+    };
+  }
+  return {
+    changed: true,
+    output: NOT_FOUND_CONTENT,
+    targetFile: "app/not-found.tsx",
+    canAutoApply: true
+  };
+}
+
+// src/heal/recipes/supabaseRls.ts
+function applyRlsRecipe(_source) {
+  return {
+    changed: false,
+    output: _source,
+    canAutoApply: false,
+    reason: "dashboard-only",
+    providerAction: {
+      provider: "supabase",
+      dashboardUrl: "https://supabase.com/dashboard/project/{{PROJECT_REF}}/auth/policies",
+      exactStep: 'Enable Row Level Security (RLS) on each table under the "Table Editor" or "Auth > Policies" section.',
+      doneSignal: "RLS toggle is green for all public tables",
+      verifyCommand: "npx -y @viberaven/cli audit --vercel-supabase --json"
+    }
+  };
+}
+
+// src/heal/recipes/nextjsCspHeader.ts
+var CSP_HEADER_VALUE = [
+  "default-src 'self'",
+  "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+  "style-src 'self' 'unsafe-inline'",
+  "img-src 'self' data: blob: https:",
+  "font-src 'self' data:",
+  "connect-src 'self' https:",
+  "frame-ancestors 'none'"
+].join("; ");
+var HEADERS_BLOCK = `
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'Content-Security-Policy',
+            value: \`${CSP_HEADER_VALUE}\`,
+          },
+        ],
+      },
+    ];
+  },`;
+function applyCspHeaderRecipe(source) {
+  if (/Content-Security-Policy/i.test(source)) {
+    return { changed: false, output: source, canAutoApply: true };
+  }
+  const exportsFn = /module\.exports\s*=\s*(async\s+)?function/.test(source) || /export\s+default\s+(async\s+)?function/.test(source) || /module\.exports\s*=\s*\(/.test(source);
+  if (exportsFn) {
+    return {
+      changed: false,
+      output: source,
+      canAutoApply: false,
+      reason: "config-exports-function"
+    };
+  }
+  if (/\bheaders\s*\(/.test(source)) {
+    return {
+      changed: false,
+      output: source,
+      canAutoApply: false,
+      reason: "headers-already-defined"
+    };
+  }
+  const inlineConfigMatch = /(?:const|let|var)\s+nextConfig\s*=\s*\{[\s\S]*?\}(?=\s*;)/.exec(source);
+  if (inlineConfigMatch) {
+    const closingBrace = inlineConfigMatch.index + inlineConfigMatch[0].lastIndexOf("}");
+    const output2 = source.slice(0, closingBrace) + "," + HEADERS_BLOCK + source.slice(closingBrace);
+    return { changed: true, output: output2, canAutoApply: true };
+  }
+  const moduleExportsMatch = /module\.exports\s*=\s*\{[\s\S]*?\}(?=\s*;?)/.exec(source);
+  if (moduleExportsMatch) {
+    const closingBrace = moduleExportsMatch.index + moduleExportsMatch[0].lastIndexOf("}");
+    const output2 = source.slice(0, closingBrace) + "," + HEADERS_BLOCK + source.slice(closingBrace);
+    return { changed: true, output: output2, canAutoApply: true };
+  }
+  const lastBrace = source.lastIndexOf("\n}");
+  if (lastBrace === -1) {
+    return {
+      changed: false,
+      output: source,
+      canAutoApply: false,
+      reason: "cannot-locate-config-closing-brace"
+    };
+  }
+  const output = source.slice(0, lastBrace) + "," + HEADERS_BLOCK + source.slice(lastBrace);
+  return { changed: true, output, canAutoApply: true };
+}
+
+// src/heal/recipes/nextjsRateLimit.ts
+var DEPENDENCY_HINT = "If you see @upstash/ratelimit references in this file, run: npm install @upstash/ratelimit @upstash/redis";
+var UPSTASH_MIDDLEWARE = `import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+import { Ratelimit } from '@upstash/ratelimit';
+import { Redis } from '@upstash/redis';
+
+// VibeRaven heal: missing_rate_limit (Upstash)
+// Configure UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN in .env.local
+const ratelimit = new Ratelimit({
+  redis: Redis.fromEnv(),
+  limiter: Ratelimit.slidingWindow(60, '1 m'), // 60 requests per minute per IP
+  analytics: false,
+});
+
+export async function middleware(request: NextRequest): Promise<NextResponse> {
+  const ip = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? '127.0.0.1';
+  const { success } = await ratelimit.limit(ip);
+
+  if (!success) {
+    return new NextResponse('Too Many Requests', { status: 429 });
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ['/api/:path*'],
+};
+`;
+var INMEMORY_MIDDLEWARE = `import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+
+// VibeRaven heal: missing_rate_limit (in-memory fallback \u2014 resets on cold start)
+// For production, replace with @upstash/ratelimit + Redis.
+const WINDOW_MS = 60_000; // 1 minute
+const MAX_REQUESTS = 60;   // per IP per window
+
+const ipMap = new Map<string, { count: number; windowStart: number }>();
+
+function isRateLimited(ip: string): boolean {
+  const now = Date.now();
+  const entry = ipMap.get(ip);
+
+  if (!entry || now - entry.windowStart > WINDOW_MS) {
+    ipMap.set(ip, { count: 1, windowStart: now });
+    return false;
+  }
+
+  entry.count += 1;
+  return entry.count > MAX_REQUESTS;
+}
+
+export function middleware(request: NextRequest): NextResponse {
+  const ip = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? '127.0.0.1';
+
+  if (isRateLimited(ip)) {
+    return new NextResponse('Too Many Requests', { status: 429 });
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ['/api/:path*'],
+};
+`;
+function applyRateLimitRecipe(source, hasUpstash) {
+  if (/ratelimit|rate.limit|ipMap/i.test(source) || /429/.test(source)) {
+    return {
+      changed: false,
+      output: source,
+      canAutoApply: true,
+      usedUpstash: false
+    };
+  }
+  if (hasUpstash) {
+    return {
+      changed: true,
+      output: UPSTASH_MIDDLEWARE,
+      canAutoApply: true,
+      usedUpstash: true,
+      dependencyHint: DEPENDENCY_HINT
+    };
+  }
+  return {
+    changed: true,
+    output: INMEMORY_MIDDLEWARE,
+    canAutoApply: true,
+    usedUpstash: false
+  };
+}
+
+// src/heal/recipes/index.ts
+function defaultTargetFile(gapId) {
+  const map = {
+    auth_secret_missing: ".env.local",
+    node_env_not_set: ".env.local",
+    database_url_missing: ".env.local",
+    missing_error_boundary: "app/error.tsx",
+    missing_health_route: "app/api/health/route.ts",
+    missing_loading_state: "app/loading.tsx",
+    missing_404_page: "app/not-found.tsx",
+    rls_disabled: "",
+    // no file — provider-action
+    missing_csp_header: "next.config.js",
+    missing_rate_limit: "middleware.ts"
+  };
+  return map[gapId];
+}
+async function readSourceOrEmpty(absolutePath) {
+  if (!(0, import_node_fs7.existsSync)(absolutePath)) return "";
+  return (0, import_promises10.readFile)(absolutePath, "utf8");
+}
+async function detectUpstash(cwd) {
+  try {
+    const pkgPath = (0, import_node_path15.join)(cwd, "package.json");
+    if (!(0, import_node_fs7.existsSync)(pkgPath)) return false;
+    const raw = await (0, import_promises10.readFile)(pkgPath, "utf8");
+    const pkg = JSON.parse(raw);
+    const deps = {
+      ...pkg["dependencies"] ?? {},
+      ...pkg["devDependencies"] ?? {}
+    };
+    return "@upstash/ratelimit" in deps;
+  } catch {
+    return false;
+  }
+}
+async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
+  const targetFile = explicitTarget ?? defaultTargetFile(gapId);
+  if (targetFile === void 0) return null;
+  if (gapId === "auth_secret_missing" || gapId === "node_env_not_set" || gapId === "database_url_missing") {
+    const absolutePath = (0, import_node_path15.join)(cwd, targetFile);
+    const source = await readSourceOrEmpty(absolutePath);
+    let result;
+    if (gapId === "auth_secret_missing") result = applyAuthSecretRecipe(source);
+    else if (gapId === "node_env_not_set") result = applyNodeEnvRecipe(source);
+    else result = applyDatabaseUrlRecipe(source);
+    return {
+      ...result,
+      targetFile,
+      canAutoApply: true,
+      recipeName: gapId
+    };
+  }
+  if (gapId === "missing_error_boundary") {
+    const absolutePath = (0, import_node_path15.join)(cwd, "app/error.tsx");
+    const source = await readSourceOrEmpty(absolutePath);
+    const result = applyErrorBoundaryRecipe(source);
+    return { ...result, canAutoApply: true, recipeName: gapId };
+  }
+  if (gapId === "missing_health_route") {
+    const absolutePath = (0, import_node_path15.join)(cwd, "app/api/health/route.ts");
+    const source = await readSourceOrEmpty(absolutePath);
+    const result = applyHealthRouteRecipe(source);
+    return { ...result, canAutoApply: true, recipeName: gapId };
+  }
+  if (gapId === "missing_loading_state") {
+    const absolutePath = (0, import_node_path15.join)(cwd, "app/loading.tsx");
+    const source = await readSourceOrEmpty(absolutePath);
+    const result = applyLoadingStateRecipe(source);
+    return { ...result, canAutoApply: true, recipeName: gapId };
+  }
+  if (gapId === "missing_404_page") {
+    const absolutePath = (0, import_node_path15.join)(cwd, "app/not-found.tsx");
+    const source = await readSourceOrEmpty(absolutePath);
+    const result = applyNotFoundRecipe(source);
+    return { ...result, canAutoApply: true, recipeName: gapId };
+  }
+  if (gapId === "rls_disabled") {
+    const result = applyRlsRecipe("");
+    return {
+      changed: false,
+      output: "",
+      targetFile: "",
+      canAutoApply: false,
+      reason: result.reason,
+      recipeName: gapId
+    };
+  }
+  if (gapId === "missing_csp_header") {
+    let configFile = "next.config.js";
+    let absolutePath = (0, import_node_path15.join)(cwd, configFile);
+    if (!(0, import_node_fs7.existsSync)(absolutePath)) {
+      configFile = "next.config.mjs";
+      absolutePath = (0, import_node_path15.join)(cwd, configFile);
+    }
+    const source = await readSourceOrEmpty(absolutePath);
+    const result = applyCspHeaderRecipe(source);
+    return {
+      ...result,
+      targetFile: configFile,
+      recipeName: gapId
+    };
+  }
+  if (gapId === "missing_rate_limit") {
+    const hasUpstash = await detectUpstash(cwd);
+    const middlewarePath = (0, import_node_path15.join)(cwd, "middleware.ts");
+    const source = await readSourceOrEmpty(middlewarePath);
+    const result = applyRateLimitRecipe(source, hasUpstash);
+    return {
+      ...result,
+      targetFile: "middleware.ts",
+      canAutoApply: true,
+      recipeName: gapId
+    };
+  }
+  return null;
+}
+
 // src/heal/apply.ts
 function healId() {
   return `heal_${(/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14)}`;
@@ -12029,6 +12632,88 @@ async function applyHeal(options) {
       rollback: { available: false, instructions: "Re-run with --yes to allow guarded repo-code edits." }
     };
   }
+  if (options.gapId) {
+    const dispatched = await dispatchRecipeByGapId(
+      options.gapId,
+      options.cwd,
+      options.target
+    );
+    if (dispatched !== null) {
+      if (!dispatched.canAutoApply) {
+        return {
+          $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
+          schemaVersion: "v1",
+          runId: "vr_heal_apply",
+          healId: id,
+          mode: "apply",
+          status: "refused_unsupported",
+          gapId: options.gapId,
+          changedFiles: [],
+          artifacts: {},
+          rollback: {
+            available: false,
+            instructions: dispatched.reason ?? "This gap requires a manual provider-dashboard action."
+          }
+        };
+      }
+      if (!dispatched.changed) {
+        return {
+          $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
+          schemaVersion: "v1",
+          runId: "vr_heal_apply",
+          healId: id,
+          mode: "apply",
+          status: "refused_unsupported",
+          gapId: options.gapId,
+          target: dispatched.targetFile || options.target,
+          changedFiles: [],
+          artifacts: {},
+          rollback: { available: false, instructions: "Recipe matched but no change was needed (already applied or file already exists)." }
+        };
+      }
+      const absoluteTarget = (0, import_node_path16.join)(options.cwd, dispatched.targetFile);
+      assertSafeHealTarget(options.cwd, dispatched.targetFile);
+      await (0, import_promises11.mkdir)((0, import_node_path16.dirname)(absoluteTarget), { recursive: true });
+      const healDir2 = (0, import_node_path16.join)(options.cwd, ".viberaven", "heal", id);
+      await (0, import_promises11.mkdir)((0, import_node_path16.join)(healDir2, "before"), { recursive: true });
+      const beforeContent = (0, import_node_fs8.existsSync)(absoluteTarget) ? await (0, import_promises11.readFile)(absoluteTarget, "utf8") : "";
+      await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir2, "before", "target.txt"), beforeContent, "utf8");
+      await (0, import_promises11.writeFile)(absoluteTarget, dispatched.output, "utf8");
+      const patch2 = [
+        `--- ${dispatched.targetFile}`,
+        `+++ ${dispatched.targetFile}`,
+        "@@ VibeRaven guarded heal @@",
+        beforeContent || "(new file)",
+        "--- after ---",
+        dispatched.output,
+        ""
+      ].join("\n");
+      await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir2, "patch.diff"), patch2, "utf8");
+      const result2 = {
+        $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
+        schemaVersion: "v1",
+        runId: "vr_heal_apply",
+        healId: id,
+        mode: "apply",
+        status: "applied_verify_not_run",
+        gapId: options.gapId,
+        recipe: dispatched.recipeName,
+        target: dispatched.targetFile,
+        changedFiles: [(0, import_node_path16.relative)(options.cwd, absoluteTarget).replace(/\\/g, "/")],
+        artifacts: {
+          patch: `.viberaven/heal/${id}/patch.diff`,
+          result: `.viberaven/heal/${id}/result.json`
+        },
+        rollback: {
+          available: true,
+          instructions: "Restore .viberaven/heal/<healId>/before/target.txt to the target file or apply the reverse patch."
+        }
+      };
+      await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir2, "result.json"), `${JSON.stringify(result2, null, 2)}
+`, "utf8");
+      return result2;
+    }
+  }
   if (!options.target) {
     return {
       $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
@@ -12044,7 +12729,7 @@ async function applyHeal(options) {
     };
   }
   const absolute = assertSafeHealTarget(options.cwd, options.target);
-  const before = await (0, import_promises10.readFile)(absolute, "utf8");
+  const before = await (0, import_promises11.readFile)(absolute, "utf8");
   const recipe = applyEmptyCatchRecipe(before);
   if (!recipe.changed) {
     return {
@@ -12061,10 +12746,10 @@ async function applyHeal(options) {
       rollback: { available: false, instructions: "No supported heal recipe matched this file." }
     };
   }
-  const healDir = (0, import_node_path15.join)(options.cwd, ".viberaven", "heal", id);
-  await (0, import_promises10.mkdir)((0, import_node_path15.join)(healDir, "before"), { recursive: true });
-  await (0, import_promises10.writeFile)((0, import_node_path15.join)(healDir, "before", "target.txt"), before, "utf8");
-  await (0, import_promises10.writeFile)(absolute, recipe.output, "utf8");
+  const healDir = (0, import_node_path16.join)(options.cwd, ".viberaven", "heal", id);
+  await (0, import_promises11.mkdir)((0, import_node_path16.join)(healDir, "before"), { recursive: true });
+  await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir, "before", "target.txt"), before, "utf8");
+  await (0, import_promises11.writeFile)(absolute, recipe.output, "utf8");
   const patch = [
     `--- ${options.target}`,
     `+++ ${options.target}`,
@@ -12074,7 +12759,7 @@ async function applyHeal(options) {
     recipe.output,
     ""
   ].join("\n");
-  await (0, import_promises10.writeFile)((0, import_node_path15.join)(healDir, "patch.diff"), patch, "utf8");
+  await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir, "patch.diff"), patch, "utf8");
   const result = {
     $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
     schemaVersion: "v1",
@@ -12085,7 +12770,7 @@ async function applyHeal(options) {
     gapId: options.gapId,
     recipe: "empty-catch-safe-response",
     target: options.target,
-    changedFiles: [(0, import_node_path15.relative)(options.cwd, absolute).replace(/\\/g, "/")],
+    changedFiles: [(0, import_node_path16.relative)(options.cwd, absolute).replace(/\\/g, "/")],
     artifacts: {
       patch: `.viberaven/heal/${id}/patch.diff`,
       result: `.viberaven/heal/${id}/result.json`
@@ -12095,20 +12780,20 @@ async function applyHeal(options) {
       instructions: "Restore .viberaven/heal/<healId>/before/target.txt to the target file or apply the reverse patch."
     }
   };
-  await (0, import_promises10.writeFile)((0, import_node_path15.join)(healDir, "result.json"), `${JSON.stringify(result, null, 2)}
+  await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir, "result.json"), `${JSON.stringify(result, null, 2)}
 `, "utf8");
   return result;
 }
 
 // src/heal/plan.ts
-var import_promises11 = require("node:fs/promises");
-var import_node_path16 = require("node:path");
+var import_promises12 = require("node:fs/promises");
+var import_node_path17 = require("node:path");
 function healId2() {
   return `heal_${(/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14)}`;
 }
 async function writeHealPlan(options) {
-  const dir = (0, import_node_path16.join)(options.cwd, ".viberaven");
-  await (0, import_promises11.mkdir)(dir, { recursive: true });
+  const dir = (0, import_node_path17.join)(options.cwd, ".viberaven");
+  await (0, import_promises12.mkdir)(dir, { recursive: true });
   const id = healId2();
   const target = options.target ?? `gap:${options.gapId}`;
   const markdown = [
@@ -12135,21 +12820,21 @@ async function writeHealPlan(options) {
     artifacts: { plan: ".viberaven/heal-plan.md" },
     rollback: { available: false, instructions: "No source files were changed." }
   };
-  await (0, import_promises11.writeFile)((0, import_node_path16.join)(dir, "heal-plan.md"), markdown, "utf8");
-  await (0, import_promises11.writeFile)((0, import_node_path16.join)(dir, "heal-plan.json"), `${JSON.stringify(result, null, 2)}
+  await (0, import_promises12.writeFile)((0, import_node_path17.join)(dir, "heal-plan.md"), markdown, "utf8");
+  await (0, import_promises12.writeFile)((0, import_node_path17.join)(dir, "heal-plan.json"), `${JSON.stringify(result, null, 2)}
 `, "utf8");
   return result;
 }
 
 // src/heal/prompt.ts
-var import_promises12 = require("node:fs/promises");
-var import_node_path17 = require("node:path");
+var import_promises13 = require("node:fs/promises");
+var import_node_path18 = require("node:path");
 function healId3() {
   return `heal_${(/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14)}`;
 }
 async function writeHealPrompt(options) {
-  const dir = (0, import_node_path17.join)(options.cwd, ".viberaven");
-  await (0, import_promises12.mkdir)(dir, { recursive: true });
+  const dir = (0, import_node_path18.join)(options.cwd, ".viberaven");
+  await (0, import_promises13.mkdir)(dir, { recursive: true });
   const id = healId3();
   const target = options.target ?? `gap:${options.gapId}`;
   const prompt = [
@@ -12176,449 +12861,94 @@ async function writeHealPrompt(options) {
     artifacts: { prompt: ".viberaven/heal-prompt.md" },
     rollback: { available: false, instructions: "No source files were changed." }
   };
-  await (0, import_promises12.writeFile)((0, import_node_path17.join)(dir, "heal-prompt.md"), prompt, "utf8");
+  await (0, import_promises13.writeFile)((0, import_node_path18.join)(dir, "heal-prompt.md"), prompt, "utf8");
   return result;
 }
 
-// src/commands/heal.ts
-async function runHealCommand(options) {
-  if (!options.target && !options.gapId) {
-    throw new Error("Heal requires --target <file> or --gap <id>.");
-  }
-  if (options.target) {
-    assertSafeHealTarget(options.cwd, options.target);
-  }
-  if (options.mode === "plan") return writeHealPlan(options);
-  if (options.mode === "prompt") return writeHealPrompt(options);
-  return applyHeal(options);
-}
-
-// src/commands/cleanPlan.ts
-var import_promises13 = require("node:fs/promises");
-var import_node_path18 = require("node:path");
-var MAX_WALK_DEPTH = 5;
-var LARGE_LOG_BYTES = 8192;
-var SKIP_DIRECTORIES = /* @__PURE__ */ new Set([".git", "node_modules"]);
-function buildContextCleanupPlan(input) {
-  const items = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const file of input.files) {
-    const path = normalizePath5((0, import_node_path18.relative)(input.projectRoot, file.path) || file.path);
-    const fullPath = normalizePath5(file.path);
-    const category = categorizeCleanupFile(path, fullPath, file);
-    if (!category || seen.has(path)) {
-      continue;
-    }
-    seen.add(path);
-    items.push({
-      path,
-      category,
-      action: "review-ignore-or-exclude-manually",
-      reason: reasonForCategory(category)
-    });
-  }
-  return {
-    title: "VibeRaven context cleanup plan",
-    warning: "VibeRaven only writes this review plan. Review each item manually before changing ignore rules or excluding artifacts from agent context.",
-    items
-  };
-}
-async function collectCleanupFiles(projectRoot) {
-  const files = [];
-  await walkCleanupFiles(projectRoot, projectRoot, files, 0);
-  return files;
-}
-async function writeCleanupPlan(projectRoot, plan) {
-  const outputDir = (0, import_node_path18.join)(projectRoot, ".viberaven");
-  const outputPath = (0, import_node_path18.join)(outputDir, "context-cleanup.md");
-  await (0, import_promises13.mkdir)(outputDir, { recursive: true });
-  await (0, import_promises13.writeFile)(outputPath, renderCleanupPlan(plan), "utf8");
-  return outputPath;
-}
-function categorizeCleanupFile(relativePath, fullPath, file) {
-  if (relativePath.startsWith(".viberaven/") || fullPath.includes("/.viberaven/")) {
-    return "generated-artifact";
-  }
-  if (isCachePath(relativePath)) {
-    return "cache-directory";
-  }
-  if (relativePath.endsWith(".log") && file.sizeBytes >= LARGE_LOG_BYTES) {
-    return "large-log";
-  }
-  return void 0;
-}
-function isCachePath(path) {
-  return path === ".next/cache" || path.startsWith(".next/cache/") || path === ".turbo" || path.startsWith(".turbo/") || path === ".vite" || path.startsWith(".vite/") || path.includes("/node_modules/.cache/") || path.endsWith("/node_modules/.cache");
-}
-function reasonForCategory(category) {
-  switch (category) {
-    case "generated-artifact":
-      return "Generated VibeRaven artifact. Keep current scan outputs, but avoid loading old reports into agent context.";
-    case "large-log":
-      return "Large log file that can add token noise. Review it before changing ignore rules or excluding it from agent context.";
-    case "cache-directory":
-      return "Build cache evidence. Do not load it into agent context unless debugging build internals.";
-  }
-}
-function renderCleanupPlan(plan) {
-  const lines = ["# VibeRaven context cleanup plan", "", plan.warning, ""];
-  if (plan.items.length === 0) {
-    lines.push("No noisy generated artifacts, large logs, or cache directories were found by the conservative scanner.");
-  }
-  for (const item3 of plan.items) {
-    lines.push(`- ${item3.path}`);
-    lines.push(`  - Category: ${item3.category}`);
-    lines.push(`  - Action: ${item3.action}`);
-    lines.push(`  - Reason: ${item3.reason}`);
-  }
-  return `${lines.join("\n")}
-`;
-}
-async function walkCleanupFiles(root, dir, result, depth) {
-  if (depth > MAX_WALK_DEPTH) {
-    return;
-  }
-  let entries;
-  try {
-    entries = await (0, import_promises13.readdir)(dir, { withFileTypes: true });
-  } catch {
-    return;
-  }
-  for (const entry of entries) {
-    if (SKIP_DIRECTORIES.has(entry.name)) {
-      continue;
-    }
-    const absolute = (0, import_node_path18.join)(dir, entry.name);
-    if (entry.isDirectory()) {
-      if (isCachePath(normalizePath5((0, import_node_path18.relative)(root, absolute)))) {
-        result.push({ path: absolute, sizeBytes: 0, kind: "directory" });
-        continue;
-      }
-      await walkCleanupFiles(root, absolute, result, depth + 1);
-      continue;
-    }
-    if (!entry.isFile()) {
-      continue;
-    }
-    try {
-      const fileStat = await (0, import_promises13.stat)(absolute);
-      result.push({ path: absolute, sizeBytes: fileStat.size, kind: "file" });
-    } catch {
-      continue;
-    }
-  }
-}
-function normalizePath5(path) {
-  return path.replace(/\\/g, "/");
-}
-
-// src/mcpServer.ts
-var import_node_child_process4 = require("node:child_process");
-var import_node_fs7 = require("node:fs");
-var import_node_path19 = require("node:path");
-var cwdSchema = {
-  type: "object",
-  properties: {
-    cwd: { type: "string", description: "Project root. Defaults to the MCP server working directory." }
-  },
-  additionalProperties: false
-};
-var healSchema = {
-  type: "object",
-  properties: {
-    cwd: { type: "string" },
-    target: { type: "string" },
-    gap: { type: "string" },
-    yes: { type: "boolean" }
-  },
-  additionalProperties: false
+// src/loopState.ts
+var import_promises14 = require("fs/promises");
+var import_path = require("path");
+var DEFAULT_LOOP_STATE = {
+  batchApplied: 0,
+  lastGapCount: -1,
+  stalledScans: 0,
+  appliedGapIdsSinceScan: []
 };
-var CLI_MCP_TOOLS = [
-  {
-    name: "viberaven_check_readiness",
-    description: "Run the main VibeRaven production-readiness check from the current project.",
-    inputSchema: cwdSchema
-  },
-  {
-    name: "viberaven_verify",
-    description: "Rescan and refresh VibeRaven production-readiness artifacts after a fix.",
-    inputSchema: cwdSchema
-  },
-  {
-    name: "viberaven_audit",
-    description: "Run local Vercel/Supabase production checks for RLS, service-role boundaries, and Vercel pooler usage.",
-    inputSchema: {
-      type: "object",
-      properties: {
-        cwd: { type: "string", description: "Project root. Defaults to current working directory." },
-        json: { type: "boolean", description: "Return JSON output." }
-      },
-      additionalProperties: false
-    }
-  },
-  {
-    name: "viberaven_init_rules",
-    description: "Install bounded VibeRaven rules into native AI instruction files.",
-    inputSchema: {
-      type: "object",
-      properties: {
-        cwd: { type: "string", description: "Project root. Defaults to current working directory." },
-        agents: { type: "string", description: "Comma-separated agent targets, or all." },
-        dryRun: { type: "boolean", description: "Preview changes without writing files." }
-      },
-      additionalProperties: false
-    }
-  },
-  {
-    name: "viberaven_clean_plan",
-    description: "Write a non-destructive context cleanup plan for generated artifacts and logs.",
-    inputSchema: cwdSchema
-  },
-  {
-    name: "viberaven_strict_gate",
-    description: "Run VibeRaven agent-mode strict gate and return the machine verdict.",
-    inputSchema: cwdSchema
-  },
-  {
-    name: "viberaven_gate_result",
-    description: "Run VibeRaven agent-mode JSON output and return gate-result.json content.",
-    inputSchema: cwdSchema
-  },
-  {
-    name: "viberaven_context_map",
-    description: "Refresh .viberaven/context-map.json from the last scan.",
-    inputSchema: cwdSchema
-  },
-  {
-    name: "viberaven_heal_plan",
-    description: "Write a non-destructive VibeRaven heal plan for a target file or gap.",
-    inputSchema: healSchema
-  },
-  {
-    name: "viberaven_heal_prompt",
-    description: "Write an agent-ready VibeRaven heal prompt for a target file or gap.",
-    inputSchema: healSchema
-  },
-  {
-    name: "viberaven_heal_apply",
-    description: "Apply a guarded VibeRaven repo-code heal recipe when supported.",
-    inputSchema: healSchema
-  }
-];
-var spawnChild = import_node_child_process4.spawn;
-var buffer = Buffer.alloc(0);
-function buildLocalCliArgs(args) {
-  const currentFile = __filename;
-  const currentBase = (0, import_node_path19.basename)(currentFile).toLowerCase();
-  const cliEntry = currentBase === "cli.js" || currentBase === "cli.ts" ? currentFile : (0, import_node_path19.join)((0, import_node_path19.dirname)(currentFile), currentBase.endsWith(".ts") ? "cli.ts" : "cli.js");
-  return [cliEntry, ...args];
+function loopStatePath(workspaceRoot) {
+  return (0, import_path.join)(workspaceRoot, ".viberaven", "loop-state.json");
 }
-function resolveCwd(cwd) {
-  if (cwd === void 0 || cwd === null) {
-    return process.cwd();
-  }
-  if (typeof cwd !== "string") {
-    throw new Error("Invalid cwd: expected string");
-  }
-  if (!cwd.trim()) {
-    throw new Error("Invalid cwd: expected non-empty string");
-  }
-  if (!(0, import_node_fs7.existsSync)(cwd)) {
-    throw new Error(`Invalid cwd: directory does not exist: ${cwd}`);
-  }
-  if (!(0, import_node_fs7.statSync)(cwd).isDirectory()) {
-    throw new Error(`Invalid cwd: not a directory: ${cwd}`);
-  }
-  return cwd;
-}
-function safeStringArg(value, label) {
-  if (typeof value !== "string") {
-    throw new Error(`Invalid ${label}: expected string`);
-  }
-  if (!value.trim()) {
-    throw new Error(`Invalid ${label}: expected non-empty string`);
-  }
-  if (/[&|<>^%!"\r\n]/.test(value)) {
-    throw new Error(`Unsafe characters in ${label}`);
-  }
-  return value;
-}
-function buildToolArgs(name, input) {
-  if (name === "viberaven_check_readiness") {
-    return ["--agent-mode"];
-  }
-  if (name === "viberaven_verify") {
-    return ["--verify"];
-  }
-  if (name === "viberaven_audit") {
-    return ["audit", "--vercel-supabase", ...input.json ? ["--json"] : []];
-  }
-  if (name === "viberaven_init_rules") {
-    const args = ["init"];
-    if (input.agents !== void 0) {
-      args.push("--agents", safeStringArg(input.agents, "agents"));
-    }
-    if (input.dryRun) {
-      args.push("--dry-run");
+async function loadLoopState(workspaceRoot) {
+  try {
+    const raw = await (0, import_promises14.readFile)(loopStatePath(workspaceRoot), "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed) && typeof parsed.batchApplied === "number" && typeof parsed.lastGapCount === "number" && typeof parsed.stalledScans === "number") {
+      const p2 = parsed;
+      const appliedGapIdsSinceScan = Array.isArray(p2.appliedGapIdsSinceScan) ? p2.appliedGapIdsSinceScan.filter((value) => typeof value === "string") : [];
+      return {
+        batchApplied: p2.batchApplied,
+        lastGapCount: p2.lastGapCount,
+        stalledScans: p2.stalledScans,
+        appliedGapIdsSinceScan
+      };
     }
-    return args;
-  }
-  if (name === "viberaven_clean_plan") {
-    return ["clean", "--plan"];
-  }
-  if (name === "viberaven_strict_gate") {
-    return ["--agent-mode", "--strict", "--json"];
-  }
-  if (name === "viberaven_gate_result") {
-    return ["--agent-mode", "--json"];
-  }
-  if (name === "viberaven_context_map") {
-    return ["--condense"];
-  }
-  if (name === "viberaven_heal_plan") {
-    const args = ["--heal", "--plan"];
-    if (typeof input.target === "string") args.push("--target", input.target);
-    if (typeof input.gap === "string") args.push("--gap", input.gap);
-    return args;
-  }
-  if (name === "viberaven_heal_prompt") {
-    const args = ["--heal", "--prompt"];
-    if (typeof input.target === "string") args.push("--target", input.target);
-    if (typeof input.gap === "string") args.push("--gap", input.gap);
-    return args;
-  }
-  if (name === "viberaven_heal_apply") {
-    const args = ["--heal", "--apply"];
-    if (typeof input.target === "string") args.push("--target", input.target);
-    if (typeof input.gap === "string") args.push("--gap", input.gap);
-    if (input.yes === true) args.push("--yes");
-    return args;
+    return { ...DEFAULT_LOOP_STATE };
+  } catch {
+    return { ...DEFAULT_LOOP_STATE };
   }
-  throw new Error(`Unknown VibeRaven MCP tool: ${name}`);
-}
-function spawnLocalCli(args, cwd) {
-  return new Promise((resolve5) => {
-    const child = spawnChild(process.execPath, buildLocalCliArgs(args), {
-      cwd,
-      env: process.env,
-      shell: false,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    let stdout = "";
-    let stderr = "";
-    child.stdout.on("data", (chunk) => {
-      stdout += chunk.toString();
-    });
-    child.stderr.on("data", (chunk) => {
-      stderr += chunk.toString();
-    });
-    child.on("error", (error) => {
-      resolve5({ code: 1, stdout: "", stderr: `ERROR: ${error.message}` });
-    });
-    child.on("close", (code) => {
-      resolve5({ code, stdout, stderr });
-    });
-  });
 }
-function parseJsonObjectFromToolText(text) {
-  const jsonStart = text.indexOf("{");
-  if (jsonStart === -1) return void 0;
+async function saveLoopState(workspaceRoot, state) {
   try {
-    return JSON.parse(text.slice(jsonStart));
-  } catch {
-    return void 0;
+    const dir = (0, import_path.join)(workspaceRoot, ".viberaven");
+    await (0, import_promises14.mkdir)(dir, { recursive: true });
+    await (0, import_promises14.writeFile)(loopStatePath(workspaceRoot), JSON.stringify(state, null, 2) + "\n", "utf8");
+  } catch (err) {
+    console.warn("[VibeRaven] Could not save loop-state.json:", err instanceof Error ? err.message : String(err));
   }
 }
-async function callVibeRavenMcpTool(name, input = {}) {
-  const cwd = resolveCwd(input.cwd);
-  const result = await spawnLocalCli(buildToolArgs(name, input), cwd);
-  const combined = `${result.stdout}${result.stderr}`.trim();
-  return `exit ${result.code ?? 1}${combined ? `
-${combined}` : ""}`;
+function incrementBatch(state, gapId) {
+  const appliedGapIdsSinceScan = [...state.appliedGapIdsSinceScan ?? []];
+  if (gapId && !appliedGapIdsSinceScan.includes(gapId)) {
+    appliedGapIdsSinceScan.push(gapId);
+  }
+  return { ...state, batchApplied: state.batchApplied + 1, appliedGapIdsSinceScan };
 }
-async function handleRequest(method, params) {
-  if (method === "initialize") {
-    return {
-      protocolVersion: params.protocolVersion ?? "2024-11-05",
-      capabilities: { tools: {} },
-      serverInfo: { name: "viberaven-cli-mcp", version: VERSION }
-    };
+function resetBatch(state, newGapCount) {
+  if (state.lastGapCount === -1) {
+    return { batchApplied: 0, lastGapCount: newGapCount, stalledScans: 0, appliedGapIdsSinceScan: [] };
   }
-  if (method === "tools/list") {
-    return { tools: CLI_MCP_TOOLS };
+  if (newGapCount < state.lastGapCount) {
+    return { batchApplied: 0, lastGapCount: newGapCount, stalledScans: 0, appliedGapIdsSinceScan: [] };
   }
-  if (method === "tools/call") {
-    const name = String(params.name ?? "");
-    const args = params.arguments ?? {};
-    const text = await callVibeRavenMcpTool(name, args);
-    const parsed = parseJsonObjectFromToolText(text);
-    return {
-      content: [{ type: "text", text }],
-      ...parsed ? { structuredContent: parsed } : {}
-    };
-  }
-  throw new Error(`Unsupported MCP method: ${method}`);
-}
-function send(message) {
-  const body = JSON.stringify(message);
-  process.stdout.write(`Content-Length: ${Buffer.byteLength(body, "utf8")}\r
-\r
-${body}`);
+  return {
+    batchApplied: 0,
+    lastGapCount: newGapCount,
+    stalledScans: state.stalledScans + 1,
+    appliedGapIdsSinceScan: []
+  };
 }
-async function handleRawMessage(raw) {
-  let message;
-  try {
-    message = JSON.parse(raw);
-  } catch {
-    return;
-  }
-  if (typeof message.method !== "string" || message.id === void 0 || message.id === null) {
-    return;
+
+// src/commands/heal.ts
+async function runHealCommand(options) {
+  if (!options.target && !options.gapId) {
+    throw new Error("Heal requires --target <file> or --gap <id>.");
   }
-  try {
-    const result = await handleRequest(message.method, message.params ?? {});
-    send({ jsonrpc: "2.0", id: message.id, result });
-  } catch (error) {
-    send({
-      jsonrpc: "2.0",
-      id: message.id,
-      error: {
-        code: -32e3,
-        message: error instanceof Error ? error.message : String(error)
-      }
-    });
+  if (options.target) {
+    assertSafeHealTarget(options.cwd, options.target);
   }
-}
-function drainMessages() {
-  while (true) {
-    const headerEnd = buffer.indexOf("\r\n\r\n");
-    if (headerEnd === -1) return;
-    const header = buffer.slice(0, headerEnd).toString("utf8");
-    const match = header.match(/content-length:\s*(\d+)/i);
-    if (!match) {
-      buffer = buffer.slice(headerEnd + 4);
-      continue;
-    }
-    const length = Number(match[1]);
-    const messageStart = headerEnd + 4;
-    const messageEnd = messageStart + length;
-    if (buffer.length < messageEnd) return;
-    const raw = buffer.slice(messageStart, messageEnd).toString("utf8");
-    buffer = buffer.slice(messageEnd);
-    void handleRawMessage(raw);
+  if (options.mode === "plan") return writeHealPlan(options);
+  if (options.mode === "prompt") return writeHealPrompt(options);
+  const result = await applyHeal(options);
+  if (result.status.startsWith("applied_") && result.changedFiles.length > 0) {
+    const loopState = await loadLoopState(options.cwd);
+    await saveLoopState(options.cwd, incrementBatch(loopState, result.gapId));
   }
-}
-function runMcpServer() {
-  process.stdin.on("data", (chunk) => {
-    buffer = Buffer.concat([buffer, chunk]);
-    drainMessages();
-  });
+  return result;
 }
 
 // src/stackRecommend.ts
-var import_promises14 = require("node:fs/promises");
-var import_node_fs8 = require("node:fs");
-var import_node_path20 = require("node:path");
+var import_promises15 = require("node:fs/promises");
+var import_node_fs9 = require("node:fs");
+var import_node_path19 = require("node:path");
 var DEFAULT_STACK = {
   frontend: "react",
   ui: "tailwind + shadcn/ui",
@@ -12629,11 +12959,11 @@ var DEFAULT_STACK = {
   reason: "Agent-default stack for lowest launch friction when repo signals are ambiguous"
 };
 async function recommendStack(cwd = process.cwd()) {
-  const pkgPath = (0, import_node_path20.join)(cwd, "package.json");
-  if (!(0, import_node_fs8.existsSync)(pkgPath)) {
+  const pkgPath = (0, import_node_path19.join)(cwd, "package.json");
+  if (!(0, import_node_fs9.existsSync)(pkgPath)) {
     return DEFAULT_STACK;
   }
-  const pkg = JSON.parse(await (0, import_promises14.readFile)(pkgPath, "utf-8"));
+  const pkg = JSON.parse(await (0, import_promises15.readFile)(pkgPath, "utf-8"));
   const deps = { ...pkg.dependencies, ...pkg.devDependencies };
   const names = Object.keys(deps).join(" ").toLowerCase();
   const rec = {
@@ -12662,6 +12992,222 @@ async function recommendStack(cwd = process.cwd()) {
   return rec;
 }
 
+// src/output/nextActionBlock.ts
+function buildNextActionBlock(tasks, loopState, plan) {
+  const batchSize = plan === "pro" ? 10 : 3;
+  const batchApplied = loopState.batchApplied;
+  const remainingInBatch = batchSize - batchApplied;
+  const scanNow = batchApplied >= batchSize;
+  const stalled = loopState.stalledScans >= 2;
+  const stalledScans = loopState.stalledScans;
+  const base = { batchSize, batchApplied, remainingInBatch, scanNow, stalled, stalledScans };
+  if (stalled) {
+    const stallReason = resolveStallReason(tasks);
+    return {
+      ...base,
+      type: "stalled",
+      title: "Loop stalled \u2014 no gap reduction after 2+ consecutive scans",
+      requiresUserAction: true,
+      stallReason
+    };
+  }
+  if (scanNow) {
+    return {
+      ...base,
+      type: "verify",
+      title: "Batch complete \u2014 run verify to rescan before next batch",
+      mcpTool: "viberaven_verify",
+      mcpArgs: {},
+      requiresUserAction: false
+    };
+  }
+  const repoCodeTask = tasks.find((t) => t.fixType === "repo-code" && !t.requiresUserAction);
+  if (repoCodeTask) {
+    return {
+      ...base,
+      type: "repo-code",
+      gapId: repoCodeTask.gapId,
+      title: repoCodeTask.title,
+      mcpTool: repoCodeTask.mcpTool,
+      mcpArgs: repoCodeTask.mcpArgs,
+      fallbackCommand: repoCodeTask.mcpArgs ? `npx -y @viberaven/cli --heal --apply --gap ${repoCodeTask.gapId} --yes` : void 0,
+      requiresUserAction: false
+    };
+  }
+  const providerTask = tasks.find((t) => t.fixType === "provider-action");
+  if (providerTask) {
+    return {
+      ...base,
+      type: "provider-action",
+      gapId: providerTask.gapId,
+      title: providerTask.title,
+      requiresUserAction: true
+    };
+  }
+  const upgradeTask = tasks.find((t) => t.fixType === "upgrade-required");
+  if (upgradeTask) {
+    return {
+      ...base,
+      type: "upgrade-required",
+      gapId: upgradeTask.gapId,
+      title: upgradeTask.title,
+      requiresUserAction: true,
+      upgradeUrl: "https://viberaven.dev/pricing"
+    };
+  }
+  return {
+    ...base,
+    type: "done",
+    title: "All gaps resolved \u2014 production gate is clear",
+    requiresUserAction: false
+  };
+}
+function resolveStallReason(tasks) {
+  if (tasks.length === 0) return "no-recipes";
+  const allUpgradeOrEmpty = tasks.every((t) => t.fixType === "upgrade-required");
+  if (allUpgradeOrEmpty) return "no-recipes";
+  const allProviderAction = tasks.every((t) => t.fixType === "provider-action");
+  if (allProviderAction) return "provider-action-required";
+  return "unknown";
+}
+var NEXT_ACTION_START = "VIBERAVEN_NEXT_ACTION_START";
+var NEXT_ACTION_END = "VIBERAVEN_NEXT_ACTION_END";
+var PROVIDER_ACTION_START = "VIBERAVEN_PROVIDER_ACTION_START";
+var PROVIDER_ACTION_END = "VIBERAVEN_PROVIDER_ACTION_END";
+function buildProviderActionBlock(task) {
+  if (task.fixType !== "provider-action" || !task.providerAction) {
+    return void 0;
+  }
+  const pa = task.providerAction;
+  return {
+    VIBERAVEN_PROVIDER_ACTION: {
+      gap: task.gapId,
+      provider: pa.provider,
+      dashboardUrl: pa.dashboardUrl,
+      exactStep: pa.exactStep,
+      envKeyName: pa.envKeyName ?? null,
+      envKeyExample: pa.envKeyExample ?? null,
+      doneSignal: pa.doneSignal,
+      verifyCommand: task.verifyCommand,
+      mcpAlternative: task.mcpTool ?? pa.mcpAlternative ?? null
+    }
+  };
+}
+function printProviderActionBlock(tasks) {
+  const task = tasks.find(
+    (t) => t.fixType === "provider-action" && t.requiresUserAction === true
+  );
+  if (!task) return;
+  const block = buildProviderActionBlock(task);
+  if (!block) return;
+  console.log(PROVIDER_ACTION_START);
+  console.log(JSON.stringify(block, null, 2));
+  console.log(PROVIDER_ACTION_END);
+}
+function printNextActionBlock(block) {
+  console.log(NEXT_ACTION_START);
+  console.log(JSON.stringify(block, null, 2));
+  console.log(NEXT_ACTION_END);
+}
+
+// src/providerMcpBridge.ts
+var import_node_fs10 = require("node:fs");
+var import_node_os2 = require("node:os");
+var import_node_path20 = require("node:path");
+var UPGRADE_URL4 = "https://viberaven.dev/pricing";
+var FALLBACK_COMMAND = "npx -y @viberaven/cli audit --vercel-supabase --json";
+var SUPPORTED_PROVIDERS = /* @__PURE__ */ new Set(["supabase", "vercel"]);
+var configPathsOverride;
+function defaultMcpConfigPaths() {
+  const home = (0, import_node_os2.homedir)();
+  return [
+    (0, import_node_path20.join)(home, ".config", "claude", "claude_desktop_config.json"),
+    (0, import_node_path20.join)(home, ".cursor", "mcp.json"),
+    (0, import_node_path20.join)(home, ".gemini", "antigravity", "mcp_config.json")
+  ];
+}
+function resolveConfigPaths() {
+  return configPathsOverride ?? defaultMcpConfigPaths();
+}
+function parseMcpServers(raw) {
+  if (!raw || typeof raw !== "object") {
+    return void 0;
+  }
+  const obj = raw;
+  if (obj.mcpServers && typeof obj.mcpServers === "object") {
+    return obj.mcpServers;
+  }
+  if (obj.servers && typeof obj.servers === "object") {
+    return obj.servers;
+  }
+  return void 0;
+}
+function findServerEntry(servers, provider2) {
+  if (servers[provider2]) {
+    return servers[provider2];
+  }
+  const key = Object.keys(servers).find((candidate) => candidate.toLowerCase() === provider2);
+  return key ? servers[key] : void 0;
+}
+function findProviderMcpConfig(provider2, configPaths) {
+  const paths = configPaths ?? resolveConfigPaths();
+  for (const path of paths) {
+    if (!(0, import_node_fs10.existsSync)(path)) {
+      continue;
+    }
+    try {
+      const raw = JSON.parse((0, import_node_fs10.readFileSync)(path, "utf8"));
+      const servers = parseMcpServers(raw);
+      if (!servers) {
+        continue;
+      }
+      const entry = findServerEntry(servers, provider2);
+      if (!entry || typeof entry !== "object") {
+        continue;
+      }
+      const server = entry;
+      return {
+        command: typeof server.command === "string" ? server.command : void 0,
+        args: Array.isArray(server.args) ? server.args.filter((arg) => typeof arg === "string") : void 0,
+        url: typeof server.url === "string" ? server.url : void 0,
+        source: path
+      };
+    } catch {
+      continue;
+    }
+  }
+  return void 0;
+}
+async function verifyProviderGap(options) {
+  if (options.plan !== "pro") {
+    return {
+      verified: false,
+      reason: "pro-required",
+      upgradeUrl: UPGRADE_URL4
+    };
+  }
+  const provider2 = options.provider.toLowerCase().trim();
+  if (!SUPPORTED_PROVIDERS.has(provider2)) {
+    return {
+      verified: false,
+      reason: "unsupported-provider"
+    };
+  }
+  const mcpConfig = findProviderMcpConfig(provider2);
+  if (!mcpConfig) {
+    return {
+      verified: false,
+      mcpUnavailable: true,
+      fallbackCommand: FALLBACK_COMMAND
+    };
+  }
+  return {
+    verified: false,
+    mcpUnavailable: true,
+    fallbackCommand: FALLBACK_COMMAND
+  };
+}
+
 // src/cli.ts
 function printHelp() {
   console.log(`viberaven ${VERSION} \u2014 launch readiness for AI-built apps
@@ -12720,26 +13266,6 @@ Usage:
   viberaven open [provider|url]
                        Open dashboard URL from next action or playbook
 
-  viberaven init --agents all [--dry-run]
-                       Install bounded VibeRaven rules into native agent instruction files
-
-  viberaven audit --vercel-supabase [path]
-                       Local Vercel/Supabase repo evidence audit (RLS, pooler, service-role boundary)
-
-  viberaven clean --plan [path]
-                       Write a non-destructive context cleanup review plan
-
-  viberaven verify [path]
-  viberaven --verify [path]
-                       Rescan after a fix and refresh agent artifacts
-
-  viberaven mcp [--help]
-                       MCP stdio server exposing VibeRaven production-readiness tools
-
-  ${PUBLIC_COMMAND}
-  ${PUBLIC_VERIFY_COMMAND}
-  ${PUBLIC_AUDIT_COMMAND}
-
 
 
 Agent workflow (Claude Code / Codex):
@@ -12807,15 +13333,25 @@ function parseArgs(argv) {
   return { command, flags, positional };
 }
 function isBooleanFlag(command, key) {
-  if (["agent-mode", "json", "jsonl", "condense", "heal", "plan", "prompt", "apply", "yes", "no-verify"].includes(key)) {
+  if ([
+    "agent-mode",
+    "json",
+    "jsonl",
+    "condense",
+    "heal",
+    "plan",
+    "prompt",
+    "apply",
+    "yes",
+    "no-verify",
+    "force-scan"
+  ].includes(key)) {
     return true;
   }
   if (key === "strict") return true;
   if (key === "open" && (command === "" || command === "scan" || command === "report")) return true;
   if (key === "verify" && command === "") return true;
   if (key === "vercel-supabase" && command === "audit") return true;
-  if (key === "dry-run" && command === "init") return true;
-  if (key === "plan" && command === "clean") return true;
   return false;
 }
 function shouldConsumeLeadingHyphenValue(command, key, value) {
@@ -12824,6 +13360,44 @@ function shouldConsumeLeadingHyphenValue(command, key, value) {
 function hasFlag(flags, key) {
   return flags[key] === true || typeof flags[key] === "string";
 }
+async function guardEarlyVerifyScan(input) {
+  if (input.flags["force-scan"] === true) {
+    return void 0;
+  }
+  const verifyLike = input.flags.verify === true || input.wantsStrict;
+  if (!verifyLike) {
+    return void 0;
+  }
+  const workspacePath = input.positional[0] ? (0, import_node_path21.join)(process.cwd(), input.positional[0]) : await resolveWorkspaceRoot(process.cwd());
+  const loopState = await loadLoopState(workspacePath);
+  if (loopState.batchApplied <= 0) {
+    return void 0;
+  }
+  let artifact;
+  try {
+    artifact = await loadLastArtifact(workspacePath);
+  } catch {
+    return void 0;
+  }
+  const plan = artifact.plan ?? (await loadCredentials())?.plan ?? "free";
+  const batchSize = plan === "pro" ? 10 : 3;
+  if (loopState.batchApplied >= batchSize) {
+    return void 0;
+  }
+  const appliedGapIds = new Set(loopState.appliedGapIdsSinceScan ?? []);
+  const remainingRepoCodeTasks = buildTaskList(artifact).filter(
+    (task) => task.fixType === "repo-code" && task.requiresUserAction === false && !appliedGapIds.has(task.gapId)
+  );
+  if (remainingRepoCodeTasks.length === 0) {
+    return void 0;
+  }
+  const nextTask = remainingRepoCodeTasks[0];
+  console.error("SCAN_DEFERRED: Local heal batch is not full yet, so VibeRaven is protecting scan quota.");
+  console.error(`Batch progress: ${loopState.batchApplied}/${batchSize} local heals applied since the last scan.`);
+  console.error(`Next local heal: npx -y @viberaven/cli --heal --apply --gap ${nextTask.gapId} --yes`);
+  console.error("Run verify again after the batch is full, or add --force-scan if the user explicitly wants to spend a scan now.");
+  return 4;
+}
 function resolveDefaultEntrypointMode(options) {
   if (options.env.VIBERAVEN_TUI === "1") return "interactive";
   if (options.env.VIBERAVEN_AGENT === "1") return "agent-scan";
@@ -12841,6 +13415,29 @@ async function cmdLogout() {
   await clearCredentials();
   console.log("Signed out.");
 }
+async function cmdProviderVerify(flags, positional) {
+  const provider2 = typeof flags.provider === "string" ? flags.provider : positional[0];
+  const check = typeof flags.check === "string" ? flags.check : positional[1];
+  if (!provider2 || !check) {
+    console.error("Usage: viberaven provider-verify --provider <supabase|vercel> --check <id> [--plan free|pro]");
+    return 1;
+  }
+  let plan = typeof flags.plan === "string" ? flags.plan : "free";
+  if (!flags.plan) {
+    const creds = await loadCredentials();
+    if (creds?.plan === "pro" || creds?.plan === "free") {
+      plan = creds.plan;
+    }
+  }
+  const result = await verifyProviderGap({
+    provider: provider2,
+    check,
+    cwd: process.cwd(),
+    plan
+  });
+  console.log(JSON.stringify(result, null, 2));
+  return result.verified ? 0 : 1;
+}
 async function cmdStatus(flags, positional) {
   const creds = await loadCredentials();
   if (!creds?.accessToken) {
@@ -13009,11 +13606,10 @@ async function runScanCommand(flags, positional, options) {
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     if (message.startsWith(`${LOGIN_REQUIRED}:`)) {
-      const loginLog = options?.deferMachineOutput ? console.error : console.log;
-      loginLog("LOGIN_REQUIRED: Starting VibeRaven browser sign-in so this scan can continue.");
-      loginLog("AGENT_ACTION: Open the VibeRaven approval URL for the user if the browser does not open automatically.");
+      console.log("LOGIN_REQUIRED: Starting VibeRaven browser sign-in so this scan can continue.");
+      console.log("AGENT_ACTION: Open the VibeRaven approval URL for the user if the browser does not open automatically.");
       await runDeviceLogin(apiBaseUrl);
-      loginLog("LOGIN_RESUME: Sign-in complete. Continuing the original scan.");
+      console.log("LOGIN_RESUME: Sign-in complete. Continuing the original scan.");
       try {
         ({ accessToken } = await requireCredentials(apiBaseUrl));
       } catch (retryError) {
@@ -13059,6 +13655,17 @@ async function runScanCommand(flags, positional, options) {
   if (artifact.usage && !options?.deferMachineOutput) {
     console.log(formatUsageLine(artifact.usage));
   }
+  if (flags["agent-mode"] && !options?.deferMachineOutput) {
+    const loopState = await loadLoopState(workspacePath);
+    const openGapCount = artifact.gaps.length;
+    const updatedState = resetBatch(loopState, openGapCount);
+    const tasks = buildTaskList(artifact);
+    const plan = artifact.plan ?? "free";
+    const block = buildNextActionBlock(tasks, updatedState, plan);
+    printNextActionBlock(block);
+    printProviderActionBlock(tasks);
+    await saveLoopState(workspacePath, updatedState);
+  }
   if (flags.open) {
     try {
       await openPathInBrowser(paths.reportPath);
@@ -13174,67 +13781,9 @@ async function cmdStack(positional) {
   console.error(`Unknown stack subcommand "${sub}". Use set, clear, or list.`);
   return 1;
 }
-async function cmdInit(flags, positional) {
-  const cwd = process.cwd();
-  const dryRun = flags["dry-run"] === true;
-  const agentsValue = typeof flags.agents === "string" ? flags.agents : positional[0] === "all" ? "all" : void 0;
-  try {
-    const targets = getAgentRulesTargets(agentsValue);
-    if (dryRun) {
-      console.log(renderAgentRulesDryRun(targets));
-      return 0;
-    }
-    const results = await initAgentRules({ cwd, targets });
-    for (const result of results) {
-      console.log(`${result.action}: ${result.file}`);
-    }
-    return 0;
-  } catch (error) {
-    console.error(error instanceof Error ? error.message : String(error));
-    return 1;
-  }
-}
-function cmdMcp(flags) {
-  if (flags.help) {
-    console.log("viberaven mcp - MCP stdio server exposing VibeRaven production-readiness tools.");
-    console.log("");
-    console.log("Usage: viberaven mcp");
-    console.log(`       ${PUBLIC_COMMAND} mcp`);
-    return 0;
-  }
-  runMcpServer();
-  return 0;
-}
-async function cmdAudit(flags, positional) {
-  const cwd = positional[0] ? (0, import_node_path21.join)(process.cwd(), positional[0]) : process.cwd();
-  if (!flags["vercel-supabase"]) {
-    console.error("Usage: viberaven audit --vercel-supabase [path]");
-    return 1;
-  }
-  const input = await collectVercelSupabaseAuditInput(cwd);
-  const result = buildVercelSupabaseAudit(input);
-  if (flags.json) {
-    console.log(JSON.stringify(result, null, 2));
-  } else {
-    console.log(renderVercelSupabaseAudit(result));
-  }
-  return result.status === "pass" ? 0 : 1;
-}
-async function cmdClean(flags, positional) {
-  const cwd = positional[0] ? (0, import_node_path21.join)(process.cwd(), positional[0]) : process.cwd();
-  if (!flags.plan) {
-    console.error("Usage: viberaven clean --plan [path]");
-    return 1;
-  }
-  const files = await collectCleanupFiles(cwd);
-  const plan = buildContextCleanupPlan({ projectRoot: cwd, files });
-  const outputPath = await writeCleanupPlan(cwd, plan);
-  console.log(`Wrote ${outputPath}`);
-  return 0;
-}
 async function main() {
   const { command, flags, positional } = parseArgs(process.argv.slice(2));
-  if (flags.help && command !== "mcp") {
+  if (flags.help) {
     printHelp();
     return 0;
   }
@@ -13265,30 +13814,28 @@ async function main() {
     console.log(JSON.stringify(result, null, 2));
     return result.status.startsWith("refused") || result.status === "failed" ? 1 : 0;
   }
-  if (!command && (isAgentMode || wantsJson || wantsJsonl || wantsStrict)) {
+  if (!command && (isAgentMode || flags.verify === true || wantsJson || wantsJsonl || wantsStrict)) {
+    const guardedExitCode = await guardEarlyVerifyScan({ flags, positional, wantsStrict });
+    if (guardedExitCode !== void 0) {
+      return guardedExitCode;
+    }
     const deferMachineOutput = wantsJson || wantsJsonl;
     const scanResult = await runScanCommand(flags, positional, { deferMachineOutput });
     if ((wantsJson || wantsJsonl) && !scanResult.artifacts) {
       console.error("VibeRaven could not produce machine output because scan artifacts were not written.");
       return 3;
     }
-    let strictExitCode;
-    if (wantsStrict && scanResult.artifacts) {
-      const gateResult = JSON.parse(await (0, import_promises15.readFile)(scanResult.artifacts.gateResultPath, "utf8"));
-      const failOnWarnings = flags.strict === "warning";
-      strictExitCode = exitCodeForStrictGate(gateResult, { failOnWarnings });
-    }
-    if (wantsJson && scanResult.artifacts) {
-      const gateResult = JSON.parse(await (0, import_promises15.readFile)(scanResult.artifacts.gateResultPath, "utf8"));
+    const gateResult = scanResult.artifacts && (wantsJson || wantsJsonl || wantsStrict) ? JSON.parse(await (0, import_promises16.readFile)(scanResult.artifacts.gateResultPath, "utf8")) : void 0;
+    const strictExitCode = wantsStrict && gateResult ? exitCodeForStrictGate(gateResult, { failOnWarnings: flags.strict === "warning" }) : scanResult.exitCode;
+    if (wantsJson && gateResult) {
       process.stdout.write(renderGateResultJson(gateResult));
-      return strictExitCode ?? scanResult.exitCode;
+      return strictExitCode;
     }
-    if (wantsJsonl && scanResult.artifacts) {
-      const gateResult = JSON.parse(await (0, import_promises15.readFile)(scanResult.artifacts.gateResultPath, "utf8"));
+    if (wantsJsonl && gateResult) {
       process.stdout.write(renderJsonlEvents(gateResult));
-      return strictExitCode ?? scanResult.exitCode;
+      return strictExitCode;
     }
-    if (strictExitCode !== void 0) {
+    if (wantsStrict && gateResult) {
       return strictExitCode;
     }
     return scanResult.exitCode;
@@ -13348,18 +13895,8 @@ async function main() {
       return cmdPrompt(flags, positional);
     case "stack":
       return cmdStack(positional);
-    case "init":
-      return cmdInit(flags, positional);
-    case "mcp":
-      return cmdMcp(flags);
-    case "audit":
-      return cmdAudit(flags, positional);
-    case "clean":
-      return cmdClean(flags, positional);
-    case "verify": {
-      const scanResult = await runScanCommand({ ...flags, verify: true }, positional);
-      return scanResult.exitCode;
-    }
+    case "provider-verify":
+      return cmdProviderVerify(flags, positional);
     default:
       console.error(`Unknown command: ${command}`);
       printHelp();