@viberaven/cli 1.0.2 → 1.0.4

package/dist/cli.js

@@ -170,8 +170,8 @@ __export(cli_exports, {
   runScanCommand: () => runScanCommand
 });
 module.exports = __toCommonJS(cli_exports);
-var import_promises17 = require("node:fs/promises");
-var import_node_path22 = require("node:path");
+var import_promises19 = require("node:fs/promises");
+var import_node_path25 = require("node:path");
 
 // src/config.ts
 var import_node_os = require("node:os");
@@ -585,14 +585,18 @@ function formatUsageLine(usage) {
   const periodLabel = usage.period === "monthly" ? "this month" : "lifetime";
   return `Scans: ${usage.used}/${usage.limit} (${periodLabel}, ${usage.plan}) \xB7 ${usage.remainingPrompts} remaining`;
 }
+function normalizeUpgradeUrl(url) {
+  return url.replace("https://viberice.com/account", "https://viberaven.dev/account");
+}
 function formatScanLimitMessage(upgradeUrl) {
+  const safeUpgradeUrl = normalizeUpgradeUrl(upgradeUrl);
   return [
     "",
     formatAgentStatus(UPGRADE_REQUIRED, "Free scan limit reached. Upgrade to Pro to continue."),
     "Your last scan artifacts are unchanged if you already ran a scan in this repo.",
     "Do not keep retrying this scan until the user upgrades or quota resets.",
     "",
-    `Upgrade & account: ${upgradeUrl}`,
+    `Upgrade & account: ${safeUpgradeUrl}`,
     ""
   ].join("\n");
 }
@@ -8802,7 +8806,8 @@ var KNOWN_RECIPE_GAP_IDS = /* @__PURE__ */ new Set([
   "missing_404_page",
   // W3 file-patch recipes
   "missing_csp_header",
-  "missing_rate_limit"
+  "missing_rate_limit",
+  "eslint_restricted_imports"
   // NOTE: 'rls_disabled' is intentionally NOT here — it is provider-action only,
   // canAutoApply=false, and should be classified as 'provider-action' by buildTaskList.
 ]);
@@ -10637,7 +10642,7 @@ function isRecord6(value) {
 }
 
 // src/tui/runInteractive.ts
-var import_node_path12 = require("node:path");
+var import_node_path14 = require("node:path");
 
 // ../../node_modules/@clack/core/dist/index.mjs
 var import_sisteransi = __toESM(require_src(), 1);
@@ -11224,7 +11229,7 @@ function buildAgentFixPrompt(artifact, gap) {
 }
 
 // src/version.ts
-var VERSION = "1.0.2";
+var VERSION = "1.0.3";
 
 // src/commands/guide.ts
 var import_picocolors3 = __toESM(require_picocolors());
@@ -11487,8 +11492,8 @@ function renderVercelSupabaseAudit(result) {
 }
 
 // src/commands/initRules.ts
-var import_promises8 = require("node:fs/promises");
-var import_node_path11 = require("node:path");
+var import_promises10 = require("node:fs/promises");
+var import_node_path13 = require("node:path");
 
 // src/commands/agentRulesBlock.ts
 var VIBERAVEN_BLOCK_START = "<!-- VIBERAVEN:START -->";
@@ -11504,9 +11509,39 @@ Canonical command: \`${PUBLIC_AGENT_MODE_COMMAND}\`
 
 Use VibeRaven before launch, deployment, real users, auth, billing, database, RLS, env vars, webhooks, monitoring, or tests.
 
-Agent loop: run VibeRaven, read Mission Map (\`.viberaven/mission-map.md\`), fix one launch gap, re-run VibeRaven.`;
+Agent loop: run VibeRaven, read Mission Map (\`.viberaven/mission-map.md\`), fix one launch gap, re-run VibeRaven.
+
+Maps repo evidence to OWASP LLM Top 10 launch risks. Supports SAFECode-style deployment readiness checks.`;
+var STACK_FRAMING = `Stack context for this repo: Next.js, Supabase, Vercel, VibeRaven.
+Do NOT deploy to Vercel or ship to production users without running \`${PUBLIC_AGENT_MODE_COMMAND}\`.
+Do NOT rely on manual production checklists when VibeRaven gate artifacts exist in \`.viberaven/\`.`;
+var AGENT_NEGATIVE_CONSTRAINTS = `## Event-Triggered Production Verification
+
+Trigger: modifications to \`package.json\`, \`vercel.json\`, \`supabase/migrations/**/*\`, \`.env.example\`, auth/billing/webhook paths, or deploy workflow files.
+
+1. Do NOT claim "production ready" or close a deploy checklist until \`gate.status === "clear"\` in \`.viberaven/gate-result.json\`.
+2. Do NOT run verify after every file patch. Batch heals, then \`${PUBLIC_VERIFY_COMMAND}\` once per loop.
+3. Do NOT \`git push\` or deploy after auth, RLS, billing, or webhook changes without \`${PUBLIC_AGENT_MODE_COMMAND}\`.
+4. If anomalies appear, read \`.viberaven/agent-tasklist.md\` fully before writing new repo logic.
+5. Do NOT mark production-ready because the local dev server starts successfully; INSTEAD run \`${PUBLIC_AGENT_MODE_COMMAND}\` and read \`.viberaven/gate-result.json\`.
+6. Do NOT treat the Supabase dashboard UI as proof of RLS; INSTEAD fix repo evidence gaps from \`.viberaven/agent-tasklist.md\`.
+7. Do NOT add or change npm dependencies without calling \`viberaven_validate_npm_package\` (MCP) or verifying the package exists on the public npm registry; INSTEAD run \`${PUBLIC_AGENT_MODE_COMMAND}\` after dependency changes.
+8. Do NOT refactor or edit files unrelated to the current TASK-001 gap; INSTEAD make minimal, targeted changes.
+9. Do NOT install new dependencies unless TASK-001 or the user explicitly requires them.
+10. Do NOT claim provider dashboard, billing, DNS, or webhook setup is complete from repo edits alone; INSTEAD present provider-action steps from the tasklist.
+
+Prefer \`viberaven_check_readiness\` when MCP is configured; otherwise \`${PUBLIC_AGENT_MODE_COMMAND}\`.`;
+var ANCHOR_FOOTER = `## Anchor (mandatory)
+
+Before ending any deploy, auth, RLS, webhook, or dependency task, run:
+\`${PUBLIC_AGENT_MODE_COMMAND}\`
+Gate is not clear until \`gate.status === "clear"\` in \`.viberaven/gate-result.json\`.`;
 var AGENT_RULES_BODY = `${AGENT_RULES_PREAMBLE}
 
+${STACK_FRAMING}
+
+${AGENT_NEGATIVE_CONSTRAINTS}
+
 ## VibeRaven Production-Readiness Gate
 
 - Before running build, compile, cleanup, deployment, vercel, or supabase commands, run \`${PUBLIC_AGENT_MODE_COMMAND}\` first from the project root.
@@ -11571,7 +11606,9 @@ var BLOCK_MARKER_PAIRS = [
   [VIBERAVEN_LEGACY_BLOCK_START, VIBERAVEN_LEGACY_BLOCK_END]
 ];
 function buildAgentRulesBlock() {
-  return wrapViberavenBlock(AGENT_RULES_BODY);
+  return wrapViberavenBlock(`${AGENT_RULES_BODY}
+
+${ANCHOR_FOOTER}`);
 }
 function buildAgentContextBlock() {
   return wrapViberavenBlock(AGENT_CONTEXT_BODY);
@@ -11582,11 +11619,31 @@ function buildMissionMapBlock() {
 function wrapViberavenBlock(body) {
   return [VIBERAVEN_BLOCK_START, body, VIBERAVEN_BLOCK_END].join("\n");
 }
+function stripLegacyFrontmatterBeforeViberavenBlock(content) {
+  const blockStarts = [VIBERAVEN_BLOCK_START, VIBERAVEN_LEGACY_BLOCK_START];
+  let blockIndex = -1;
+  for (const start of blockStarts) {
+    const index = content.indexOf(start);
+    if (index !== -1 && (blockIndex === -1 || index < blockIndex)) {
+      blockIndex = index;
+    }
+  }
+  if (blockIndex <= 0) {
+    return content;
+  }
+  const beforeBlock = content.slice(0, blockIndex);
+  if (!beforeBlock.trimStart().startsWith("---")) {
+    return content;
+  }
+  const strippedPrefix = beforeBlock.replace(/^---[\s\S]*?---\s*/m, "");
+  return `${strippedPrefix}${content.slice(blockIndex)}`;
+}
 function injectAgentRulesBlock(existingContent, replacementBlock = buildAgentRulesBlock()) {
-  const existingMatch = findBoundedBlock(existingContent);
+  const normalizedExisting = replacementBlock.trimStart().startsWith("---") ? stripLegacyFrontmatterBeforeViberavenBlock(existingContent) : existingContent;
+  const existingMatch = findBoundedBlock(normalizedExisting);
   if (existingMatch) {
     const content = replaceExistingAgentRulesBlock({
-      existingContent,
+      existingContent: normalizedExisting,
       existingMatch,
       replacementBlock
     });
@@ -11595,9 +11652,9 @@ function injectAgentRulesBlock(existingContent, replacementBlock = buildAgentRul
       changed: content !== existingContent
     };
   }
-  const separator = existingContent.length > 0 ? "\n\n" : "";
+  const separator = normalizedExisting.length > 0 ? "\n\n" : "";
   return {
-    content: `${replacementBlock}${separator}${existingContent}`,
+    content: `${replacementBlock}${separator}${normalizedExisting}`,
     changed: true
   };
 }
@@ -11672,11 +11729,135 @@ function escapeRegExp3(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 
+// src/commands/cursorRulesPack.ts
+var import_promises8 = require("node:fs/promises");
+var import_node_path11 = require("node:path");
+var CURSOR_RULES_DIR = ".cursor/rules";
+var LEGACY_CURSOR_RULE_FILE = `${CURSOR_RULES_DIR}/viberaven.mdc`;
+var DOMAIN_PATH_POINTER = "Before editing these files, read `.viberaven/agent-context.md` and `.viberaven/mission-map.md`.";
+function buildCursorRulesPack() {
+  return [
+    {
+      filename: "viberaven-core.mdc",
+      content: [
+        "---",
+        "description: VibeRaven production gate \u2014 canonical agent commands and gate loop",
+        "alwaysApply: true",
+        "---",
+        "",
+        `Run \`${PUBLIC_AGENT_MODE_COMMAND}\` before deploy, auth, RLS, webhooks, or dependency changes.`,
+        "",
+        "Read `.viberaven/agent-tasklist.md` first, then `.viberaven/gate-result.json` and `.viberaven/mission-map.md`.",
+        `Fix one gap, then \`${PUBLIC_VERIFY_COMMAND}\`. Before CI or production promote: \`${PUBLIC_STRICT_COMMAND}\`.`,
+        "",
+        'Gate is not clear until `gate.status === "clear"`.',
+        "",
+        DOMAIN_PATH_POINTER,
+        "",
+        "Full production rules: `AGENTS.md` / `CLAUDE.md` (installed by `npx -y viberaven init --agents all`)."
+      ].join("\n")
+    },
+    {
+      filename: "viberaven-supabase-rls.mdc",
+      content: [
+        "---",
+        "description: Apply when editing Supabase migrations, RLS policies, or auth SQL",
+        "globs:",
+        "  - supabase/**",
+        "alwaysApply: false",
+        "---",
+        "",
+        DOMAIN_PATH_POINTER,
+        "",
+        "Do NOT enable RLS on only one table while leaving related tables open; INSTEAD read `.viberaven/mission-map.md` before migration edits."
+      ].join("\n")
+    },
+    {
+      filename: "viberaven-deploy.mdc",
+      content: [
+        "---",
+        "description: Apply before changing Vercel config or deploy CI workflows",
+        "globs:",
+        "  - vercel.json",
+        "  - .github/workflows/**",
+        "alwaysApply: false",
+        "---",
+        "",
+        DOMAIN_PATH_POINTER,
+        "",
+        "Do NOT add production env vars only to the Vercel dashboard without updating `.env.example` in the repo."
+      ].join("\n")
+    },
+    {
+      filename: "viberaven-payments.mdc",
+      content: [
+        "---",
+        "description: Apply when editing Stripe, Polar, or payment webhook handlers",
+        "globs:",
+        '  - "**/*webhook*"',
+        '  - "**/*stripe*"',
+        '  - "**/*polar*"',
+        "alwaysApply: false",
+        "---",
+        "",
+        DOMAIN_PATH_POINTER,
+        "",
+        "Do NOT ship webhook handlers without signature verification; INSTEAD run `npx -y viberaven --agent-mode` after webhook edits."
+      ].join("\n")
+    }
+  ];
+}
+function renderCursorCoreRulePreview() {
+  return buildCursorRulesPack()[0]?.content ?? "";
+}
+async function initCursorRulesPack(options) {
+  const results = [];
+  const pack = buildCursorRulesPack();
+  for (const rule of pack) {
+    const file = `${CURSOR_RULES_DIR}/${rule.filename}`;
+    const path = (0, import_node_path11.join)(options.cwd, file);
+    const existing = await readExistingFile(path);
+    const changed = !existing.exists || existing.content !== rule.content;
+    const action = !existing.exists ? "created" : changed ? "updated" : "unchanged";
+    if (!options.dryRun && changed) {
+      await (0, import_promises8.mkdir)((0, import_node_path11.join)(options.cwd, CURSOR_RULES_DIR), { recursive: true });
+      await (0, import_promises8.writeFile)(path, rule.content, "utf-8");
+    }
+    results.push({ target: "cursor", file, path, action });
+  }
+  const legacyPath = (0, import_node_path11.join)(options.cwd, LEGACY_CURSOR_RULE_FILE);
+  if (!options.dryRun && await fileExists(legacyPath)) {
+    await (0, import_promises8.rm)(legacyPath, { force: true });
+  }
+  return results;
+}
+async function readExistingFile(path) {
+  try {
+    return { exists: true, content: await (0, import_promises8.readFile)(path, "utf-8") };
+  } catch (error) {
+    if (isFileNotFoundError(error)) {
+      return { exists: false, content: "" };
+    }
+    throw error;
+  }
+}
+async function fileExists(path) {
+  try {
+    await (0, import_promises8.access)(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isFileNotFoundError(error) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
+}
+
 // src/commands/agentTargets.ts
 var AGENT_RULE_TARGETS = {
   codex: { file: "AGENTS.md" },
   claude: { file: "CLAUDE.md" },
-  cursor: { file: ".cursor/rules/viberaven.mdc" },
+  cursor: { file: ".cursor/rules/viberaven-core.mdc" },
   cursorLegacy: { file: ".cursorrules", aliases: ["cursor-legacy"] },
   copilot: { file: ".github/copilot-instructions.md", aliases: ["github-copilot"] },
   gemini: { file: "GEMINI.md" },
@@ -11722,15 +11903,7 @@ function renderAgentRulesForTarget(target) {
     return ["@AGENTS.md", "", buildAgentRulesBlock()].join("\n");
   }
   if (target === "cursor") {
-    return [
-      "---",
-      "description: VibeRaven production-readiness gate",
-      "globs:",
-      "alwaysApply: true",
-      "---",
-      "",
-      buildAgentRulesBlock()
-    ].join("\n");
+    return renderCursorCoreRulePreview();
   }
   if (target === "agentContext") {
     return ["# VibeRaven Agent Context", "", buildAgentContextBlock()].join("\n");
@@ -11762,26 +11935,88 @@ function getAgentRulesTargets(value) {
   return ALL_AGENT_RULE_TARGETS.filter((target) => requestedTargets.has(target));
 }
 
+// src/commands/seedPackageJsonScripts.ts
+var import_node_fs7 = require("node:fs");
+var import_promises9 = require("node:fs/promises");
+var import_node_path12 = require("node:path");
+var VIBERAVEN_PACKAGE_JSON_SCRIPTS = {
+  "viberaven:gate": PUBLIC_AGENT_MODE_COMMAND,
+  "viberaven:verify": PUBLIC_VERIFY_COMMAND,
+  "viberaven:strict": PUBLIC_STRICT_COMMAND
+};
+async function seedPackageJsonScripts(options) {
+  const packageJsonPath = (0, import_node_path12.join)(options.cwd, "package.json");
+  if (!(0, import_node_fs7.existsSync)(packageJsonPath)) {
+    return null;
+  }
+  const raw = await (0, import_promises9.readFile)(packageJsonPath, "utf-8");
+  let pkg;
+  try {
+    pkg = JSON.parse(raw);
+  } catch {
+    return {
+      action: "skipped",
+      added: [],
+      skipped: [],
+      changed: false
+    };
+  }
+  const scripts = typeof pkg.scripts === "object" && pkg.scripts !== null && !Array.isArray(pkg.scripts) ? { ...pkg.scripts } : {};
+  const added = [];
+  const skipped = [];
+  for (const [key, value] of Object.entries(VIBERAVEN_PACKAGE_JSON_SCRIPTS)) {
+    if (key in scripts) {
+      skipped.push(key);
+      continue;
+    }
+    scripts[key] = value;
+    added.push(key);
+  }
+  if (added.length === 0) {
+    return { action: "unchanged", added, skipped, changed: false };
+  }
+  if (!options.dryRun) {
+    pkg.scripts = scripts;
+    const output = `${JSON.stringify(pkg, null, 2)}
+`;
+    await (0, import_promises9.writeFile)(packageJsonPath, output, "utf-8");
+  }
+  return { action: "updated", added, skipped, changed: true };
+}
+
 // src/commands/initRules.ts
 async function initAgentRules(options) {
   const targets = options.targets ?? [...CORE_AGENT_INJECTION_TARGETS];
   const results = [];
   for (const target of targets) {
+    if (target === "cursor") {
+      results.push(...await initCursorRulesPack({ cwd: options.cwd, dryRun: options.dryRun }));
+      continue;
+    }
     const file = AGENT_RULE_TARGETS[target].file;
-    const path = (0, import_node_path11.join)(options.cwd, file);
-    const existing = await readExistingFile(path);
+    const path = (0, import_node_path13.join)(options.cwd, file);
+    const existing = await readExistingFile2(path);
     const injected = injectAgentRulesBlock(existing.content, renderAgentRulesForTarget(target));
     const action = !existing.exists ? "created" : injected.changed ? "updated" : "unchanged";
     if (!options.dryRun && injected.changed) {
-      await (0, import_promises8.mkdir)((0, import_node_path11.dirname)(path), { recursive: true });
-      await (0, import_promises8.writeFile)(path, injected.content, "utf-8");
+      await (0, import_promises10.mkdir)((0, import_node_path13.dirname)(path), { recursive: true });
+      await (0, import_promises10.writeFile)(path, injected.content, "utf-8");
     }
     results.push({ target, file, path, action });
   }
-  return results;
+  const packageJsonScripts = await seedPackageJsonScripts({
+    cwd: options.cwd,
+    dryRun: options.dryRun
+  });
+  return { results, packageJsonScripts };
 }
 function renderAgentRulesDryRun(targets) {
-  const files = targets.map((target) => `- ${target}: ${AGENT_RULE_TARGETS[target].file}`).join("\n");
+  const files = targets.flatMap((target) => {
+    if (target === "cursor") {
+      return buildCursorRulesPack().map((rule) => `- cursor: .cursor/rules/${rule.filename}`);
+    }
+    return [`- ${target}: ${AGENT_RULE_TARGETS[target].file}`];
+  }).join("\n");
   const previews = targets.flatMap((target) => [
     `Preview: ${target} (${AGENT_RULE_TARGETS[target].file})`,
     "",
@@ -11789,7 +12024,8 @@ function renderAgentRulesDryRun(targets) {
   ]);
   return [`VibeRaven agent rules dry run`, "", `Target files:`, files, "", ...previews].join("\n");
 }
-function formatAgentRulesInitSummary(results) {
+function formatAgentRulesInitSummary(output) {
+  const { results, packageJsonScripts } = output;
   const created = results.filter((result) => result.action === "created");
   const updated = results.filter((result) => result.action === "updated");
   const skipped = results.filter((result) => result.action === "unchanged");
@@ -11815,22 +12051,32 @@ function formatAgentRulesInitSummary(results) {
     }
     lines.push("");
   }
+  if (packageJsonScripts?.changed) {
+    lines.push("package.json scripts added:");
+    for (const script of packageJsonScripts.added) {
+      lines.push(`  + ${script}`);
+    }
+    lines.push("");
+  } else if (packageJsonScripts?.action === "unchanged") {
+    lines.push("package.json scripts: unchanged (already present)");
+    lines.push("");
+  }
   lines.push(
     `Done: ${created.length} created, ${updated.length} updated, ${skipped.length} skipped.`
   );
   return lines.join("\n");
 }
-async function readExistingFile(path) {
+async function readExistingFile2(path) {
   try {
-    return { exists: true, content: await (0, import_promises8.readFile)(path, "utf-8") };
+    return { exists: true, content: await (0, import_promises10.readFile)(path, "utf-8") };
   } catch (error) {
-    if (isFileNotFoundError(error)) {
+    if (isFileNotFoundError2(error)) {
       return { exists: false, content: "" };
     }
     throw error;
   }
 }
-function isFileNotFoundError(error) {
+function isFileNotFoundError2(error) {
   return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
 }
 
@@ -12042,7 +12288,7 @@ async function handleAuth() {
   await runDeviceLogin(apiBaseUrl);
 }
 async function handleAgentRules(cwd) {
-  const results = await initAgentRules({ cwd });
+  const { results } = await initAgentRules({ cwd });
   for (const result of results) {
     const color = result.action === "created" ? import_picocolors4.default.green : result.action === "updated" ? import_picocolors4.default.yellow : import_picocolors4.default.dim;
     M2.message(color(`${result.action.toUpperCase()}: ${result.file}`));
@@ -12130,7 +12376,7 @@ async function runInteractiveSession(startDir = process.cwd()) {
   Ie(`${import_picocolors4.default.bold("VibeRaven")} ${import_picocolors4.default.dim(VERSION)}`);
   const cwd = await resolveWorkspaceRoot(startDir);
   const artifactsAt = await findArtifactsWorkspace(startDir);
-  if (artifactsAt && (0, import_node_path12.resolve)(artifactsAt) !== (0, import_node_path12.resolve)(startDir)) {
+  if (artifactsAt && (0, import_node_path14.resolve)(artifactsAt) !== (0, import_node_path14.resolve)(startDir)) {
     M2.message(import_picocolors4.default.dim(`Using scan from: ${artifactsAt}`));
   } else {
     M2.message(import_picocolors4.default.dim(`Project folder: ${cwd}`));
@@ -12197,29 +12443,29 @@ async function runInteractiveSession(startDir = process.cwd()) {
 }
 
 // src/commands/condense.ts
-var import_promises9 = require("node:fs/promises");
-var import_node_path13 = require("node:path");
+var import_promises11 = require("node:fs/promises");
+var import_node_path15 = require("node:path");
 async function runCondenseCommand(options) {
   const dir = getProjectArtifactsDir(options.cwd);
-  const artifact = JSON.parse(await (0, import_promises9.readFile)((0, import_node_path13.join)(dir, "last-scan.json"), "utf8"));
-  const contextMapPath = (0, import_node_path13.join)(dir, "context-map.json");
-  await (0, import_promises9.writeFile)(contextMapPath, `${JSON.stringify(generateContextMap(artifact), null, 2)}
+  const artifact = JSON.parse(await (0, import_promises11.readFile)((0, import_node_path15.join)(dir, "last-scan.json"), "utf8"));
+  const contextMapPath = (0, import_node_path15.join)(dir, "context-map.json");
+  await (0, import_promises11.writeFile)(contextMapPath, `${JSON.stringify(generateContextMap(artifact), null, 2)}
 `, "utf8");
   return { contextMapPath };
 }
 
 // src/heal/apply.ts
-var import_promises11 = require("node:fs/promises");
-var import_node_fs8 = require("node:fs");
-var import_node_path16 = require("node:path");
+var import_promises13 = require("node:fs/promises");
+var import_node_fs10 = require("node:fs");
+var import_node_path19 = require("node:path");
 
 // src/heal/pathSafety.ts
-var import_node_path14 = require("node:path");
+var import_node_path16 = require("node:path");
 var BLOCKED_SEGMENTS = /* @__PURE__ */ new Set([".git", "node_modules", "dist", "build", ".next", ".viberaven"]);
 function assertSafeHealTarget(cwd, target) {
-  const root = (0, import_node_path14.resolve)(cwd);
-  const absolute = (0, import_node_path14.resolve)(root, target);
-  const rel = (0, import_node_path14.relative)(root, absolute);
+  const root = (0, import_node_path16.resolve)(cwd);
+  const absolute = (0, import_node_path16.resolve)(root, target);
+  const rel = (0, import_node_path16.relative)(root, absolute);
   if (rel.startsWith("..") || rel === "" || /^[A-Za-z]:/.test(rel)) {
     throw new Error("Heal target must stay inside the workspace");
   }
@@ -12242,9 +12488,9 @@ function applyEmptyCatchRecipe(source) {
 }
 
 // src/heal/recipes/index.ts
-var import_node_fs7 = require("node:fs");
-var import_promises10 = require("node:fs/promises");
-var import_node_path15 = require("node:path");
+var import_node_fs9 = require("node:fs");
+var import_promises12 = require("node:fs/promises");
+var import_node_path18 = require("node:path");
 
 // src/heal/recipes/envAuthSecret.ts
 function applyAuthSecretRecipe(source) {
@@ -12624,6 +12870,194 @@ function applyRateLimitRecipe(source, hasUpstash) {
   };
 }
 
+// src/heal/recipes/eslintRestrictedImports.ts
+var import_node_fs8 = require("node:fs");
+var import_node_path17 = require("node:path");
+var VIBERAVEN_ESLINT_MARKER = "VibeRaven heal: eslint_restricted_imports";
+var RESTRICTED_IMPORTS_MESSAGE = `Restricted import. Run ${PUBLIC_AGENT_MODE_COMMAND} before substituting packages.`;
+var RESTRICTED_PATHS = [
+  {
+    name: "@supabase/auth-helpers-nextjs",
+    message: RESTRICTED_IMPORTS_MESSAGE
+  },
+  {
+    name: "@supabase/auth-helpers-react",
+    message: RESTRICTED_IMPORTS_MESSAGE
+  }
+];
+var RESTRICTED_PATTERNS = [
+  {
+    group: ["@supabase/auth-helpers-*"],
+    message: RESTRICTED_IMPORTS_MESSAGE
+  }
+];
+var ESLINT_CONFIG_CANDIDATES = [
+  "eslint.config.js",
+  "eslint.config.mjs",
+  "eslint.config.ts",
+  "eslint.config.cjs",
+  ".eslintrc.json",
+  ".eslintrc.js",
+  ".eslintrc.cjs"
+];
+function detectEslintConfigFile(cwd) {
+  for (const candidate of ESLINT_CONFIG_CANDIDATES) {
+    if ((0, import_node_fs8.existsSync)((0, import_node_path17.join)(cwd, candidate))) {
+      return candidate;
+    }
+  }
+  return null;
+}
+function alreadyApplied(source) {
+  return source.includes(VIBERAVEN_ESLINT_MARKER) || source.includes(RESTRICTED_IMPORTS_MESSAGE) || /no-restricted-imports[\s\S]*@supabase\/auth-helpers-nextjs/.test(source);
+}
+function buildFlatConfigBlock() {
+  const pathsJson = JSON.stringify(RESTRICTED_PATHS, null, 2).replace(/\n/g, "\n    ");
+  const patternsJson = JSON.stringify(RESTRICTED_PATTERNS, null, 2).replace(/\n/g, "\n    ");
+  return `// ${VIBERAVEN_ESLINT_MARKER}
+{
+  rules: {
+    'no-restricted-imports': ['error', {
+      paths: ${pathsJson},
+      patterns: ${patternsJson},
+    }],
+  },
+},`;
+}
+function applyFlatConfigRecipe(source) {
+  if (alreadyApplied(source)) {
+    return { changed: false, output: source, canAutoApply: true };
+  }
+  const arrayExportMatch = /export\s+default\s+(\[[\s\S]*\])\s*;?\s*$/.exec(source);
+  if (arrayExportMatch) {
+    const closingBracket = source.lastIndexOf("]");
+    if (closingBracket === -1) {
+      return {
+        changed: false,
+        output: source,
+        canAutoApply: false,
+        reason: "cannot-parse-flat-config-array"
+      };
+    }
+    const output = `${source.slice(0, closingBracket)}
+  ${buildFlatConfigBlock()}
+${source.slice(closingBracket)}`;
+    return { changed: true, output, canAutoApply: true };
+  }
+  const defineConfigMatch = /defineConfig\(\s*(\[[\s\S]*\])\s*\)\s*;?\s*$/.exec(source);
+  if (defineConfigMatch) {
+    const closingBracket = source.lastIndexOf("]");
+    if (closingBracket === -1) {
+      return {
+        changed: false,
+        output: source,
+        canAutoApply: false,
+        reason: "cannot-parse-define-config-array"
+      };
+    }
+    const output = `${source.slice(0, closingBracket)}
+  ${buildFlatConfigBlock()}
+${source.slice(closingBracket)}`;
+    return { changed: true, output, canAutoApply: true };
+  }
+  return {
+    changed: false,
+    output: source,
+    canAutoApply: false,
+    reason: "unsupported-flat-config-shape"
+  };
+}
+function applyLegacyModuleRecipe(source) {
+  if (alreadyApplied(source)) {
+    return { changed: false, output: source, canAutoApply: true };
+  }
+  const ruleValue = JSON.stringify(
+    [
+      "error",
+      {
+        paths: RESTRICTED_PATHS,
+        patterns: RESTRICTED_PATTERNS
+      }
+    ],
+    null,
+    2
+  ).replace(/\n/g, "\n    ");
+  if (/module\.exports\s*=\s*\{/.test(source)) {
+    if (/\brules\s*:\s*\{/.test(source)) {
+      const output2 = source.replace(
+        /(\brules\s*:\s*\{)/,
+        `$1
+    // ${VIBERAVEN_ESLINT_MARKER}
+    'no-restricted-imports': ${ruleValue},`
+      );
+      return { changed: true, output: output2, canAutoApply: true };
+    }
+    const output = source.replace(
+      /(module\.exports\s*=\s*\{)/,
+      `$1
+  // ${VIBERAVEN_ESLINT_MARKER}
+  rules: {
+    'no-restricted-imports': ${ruleValue},
+  },`
+    );
+    return { changed: true, output, canAutoApply: true };
+  }
+  return {
+    changed: false,
+    output: source,
+    canAutoApply: false,
+    reason: "unsupported-legacy-eslint-module"
+  };
+}
+function applyJsonRecipe(source) {
+  let config;
+  try {
+    config = JSON.parse(source);
+  } catch {
+    return {
+      changed: false,
+      output: source,
+      canAutoApply: false,
+      reason: "invalid-eslint-json"
+    };
+  }
+  if (alreadyApplied(source)) {
+    return { changed: false, output: source, canAutoApply: true };
+  }
+  const rules = typeof config.rules === "object" && config.rules !== null && !Array.isArray(config.rules) ? { ...config.rules } : {};
+  if ("no-restricted-imports" in rules) {
+    return {
+      changed: false,
+      output: source,
+      canAutoApply: false,
+      reason: "no-restricted-imports-already-defined"
+    };
+  }
+  rules["no-restricted-imports"] = [
+    "error",
+    {
+      paths: RESTRICTED_PATHS,
+      patterns: RESTRICTED_PATTERNS
+    }
+  ];
+  config.rules = rules;
+  return {
+    changed: true,
+    output: `${JSON.stringify(config, null, 2)}
+`,
+    canAutoApply: true
+  };
+}
+function applyEslintRestrictedImportsRecipe(source, configFile) {
+  if (configFile.endsWith(".json")) {
+    return applyJsonRecipe(source);
+  }
+  if (configFile.startsWith("eslint.config.")) {
+    return applyFlatConfigRecipe(source);
+  }
+  return applyLegacyModuleRecipe(source);
+}
+
 // src/heal/recipes/index.ts
 function defaultTargetFile(gapId) {
   const map = {
@@ -12637,19 +13071,20 @@ function defaultTargetFile(gapId) {
     rls_disabled: "",
     // no file — provider-action
     missing_csp_header: "next.config.js",
-    missing_rate_limit: "middleware.ts"
+    missing_rate_limit: "middleware.ts",
+    eslint_restricted_imports: ""
   };
   return map[gapId];
 }
 async function readSourceOrEmpty(absolutePath) {
-  if (!(0, import_node_fs7.existsSync)(absolutePath)) return "";
-  return (0, import_promises10.readFile)(absolutePath, "utf8");
+  if (!(0, import_node_fs9.existsSync)(absolutePath)) return "";
+  return (0, import_promises12.readFile)(absolutePath, "utf8");
 }
 async function detectUpstash(cwd) {
   try {
-    const pkgPath = (0, import_node_path15.join)(cwd, "package.json");
-    if (!(0, import_node_fs7.existsSync)(pkgPath)) return false;
-    const raw = await (0, import_promises10.readFile)(pkgPath, "utf8");
+    const pkgPath = (0, import_node_path18.join)(cwd, "package.json");
+    if (!(0, import_node_fs9.existsSync)(pkgPath)) return false;
+    const raw = await (0, import_promises12.readFile)(pkgPath, "utf8");
     const pkg = JSON.parse(raw);
     const deps = {
       ...pkg["dependencies"] ?? {},
@@ -12664,7 +13099,7 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   const targetFile = explicitTarget ?? defaultTargetFile(gapId);
   if (targetFile === void 0) return null;
   if (gapId === "auth_secret_missing" || gapId === "node_env_not_set" || gapId === "database_url_missing") {
-    const absolutePath = (0, import_node_path15.join)(cwd, targetFile);
+    const absolutePath = (0, import_node_path18.join)(cwd, targetFile);
     const source = await readSourceOrEmpty(absolutePath);
     let result;
     if (gapId === "auth_secret_missing") result = applyAuthSecretRecipe(source);
@@ -12678,25 +13113,25 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
     };
   }
   if (gapId === "missing_error_boundary") {
-    const absolutePath = (0, import_node_path15.join)(cwd, "app/error.tsx");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/error.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyErrorBoundaryRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_health_route") {
-    const absolutePath = (0, import_node_path15.join)(cwd, "app/api/health/route.ts");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/api/health/route.ts");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyHealthRouteRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_loading_state") {
-    const absolutePath = (0, import_node_path15.join)(cwd, "app/loading.tsx");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/loading.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyLoadingStateRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_404_page") {
-    const absolutePath = (0, import_node_path15.join)(cwd, "app/not-found.tsx");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/not-found.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyNotFoundRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
@@ -12714,10 +13149,10 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   }
   if (gapId === "missing_csp_header") {
     let configFile = "next.config.js";
-    let absolutePath = (0, import_node_path15.join)(cwd, configFile);
-    if (!(0, import_node_fs7.existsSync)(absolutePath)) {
+    let absolutePath = (0, import_node_path18.join)(cwd, configFile);
+    if (!(0, import_node_fs9.existsSync)(absolutePath)) {
       configFile = "next.config.mjs";
-      absolutePath = (0, import_node_path15.join)(cwd, configFile);
+      absolutePath = (0, import_node_path18.join)(cwd, configFile);
     }
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyCspHeaderRecipe(source);
@@ -12729,7 +13164,7 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   }
   if (gapId === "missing_rate_limit") {
     const hasUpstash = await detectUpstash(cwd);
-    const middlewarePath = (0, import_node_path15.join)(cwd, "middleware.ts");
+    const middlewarePath = (0, import_node_path18.join)(cwd, "middleware.ts");
     const source = await readSourceOrEmpty(middlewarePath);
     const result = applyRateLimitRecipe(source, hasUpstash);
     return {
@@ -12739,6 +13174,30 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
       recipeName: gapId
     };
   }
+  if (gapId === "eslint_restricted_imports") {
+    const configFile = detectEslintConfigFile(cwd);
+    if (!configFile) {
+      return {
+        changed: false,
+        output: "",
+        targetFile: "",
+        canAutoApply: false,
+        reason: "no-eslint-config",
+        recipeName: gapId
+      };
+    }
+    const absolutePath = (0, import_node_path18.join)(cwd, configFile);
+    const source = await readSourceOrEmpty(absolutePath);
+    const result = applyEslintRestrictedImportsRecipe(source, configFile);
+    return {
+      changed: result.changed,
+      output: result.output,
+      targetFile: configFile,
+      canAutoApply: result.canAutoApply,
+      reason: result.reason,
+      recipeName: gapId
+    };
+  }
   return null;
 }
 
@@ -12802,14 +13261,14 @@ async function applyHeal(options) {
           rollback: { available: false, instructions: "Recipe matched but no change was needed (already applied or file already exists)." }
         };
       }
-      const absoluteTarget = (0, import_node_path16.join)(options.cwd, dispatched.targetFile);
+      const absoluteTarget = (0, import_node_path19.join)(options.cwd, dispatched.targetFile);
       assertSafeHealTarget(options.cwd, dispatched.targetFile);
-      await (0, import_promises11.mkdir)((0, import_node_path16.dirname)(absoluteTarget), { recursive: true });
-      const healDir2 = (0, import_node_path16.join)(options.cwd, ".viberaven", "heal", id);
-      await (0, import_promises11.mkdir)((0, import_node_path16.join)(healDir2, "before"), { recursive: true });
-      const beforeContent = (0, import_node_fs8.existsSync)(absoluteTarget) ? await (0, import_promises11.readFile)(absoluteTarget, "utf8") : "";
-      await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir2, "before", "target.txt"), beforeContent, "utf8");
-      await (0, import_promises11.writeFile)(absoluteTarget, dispatched.output, "utf8");
+      await (0, import_promises13.mkdir)((0, import_node_path19.dirname)(absoluteTarget), { recursive: true });
+      const healDir2 = (0, import_node_path19.join)(options.cwd, ".viberaven", "heal", id);
+      await (0, import_promises13.mkdir)((0, import_node_path19.join)(healDir2, "before"), { recursive: true });
+      const beforeContent = (0, import_node_fs10.existsSync)(absoluteTarget) ? await (0, import_promises13.readFile)(absoluteTarget, "utf8") : "";
+      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "before", "target.txt"), beforeContent, "utf8");
+      await (0, import_promises13.writeFile)(absoluteTarget, dispatched.output, "utf8");
       const patch2 = [
         `--- ${dispatched.targetFile}`,
         `+++ ${dispatched.targetFile}`,
@@ -12819,7 +13278,7 @@ async function applyHeal(options) {
         dispatched.output,
         ""
       ].join("\n");
-      await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir2, "patch.diff"), patch2, "utf8");
+      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "patch.diff"), patch2, "utf8");
       const result2 = {
         $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
         schemaVersion: "v1",
@@ -12830,7 +13289,7 @@ async function applyHeal(options) {
         gapId: options.gapId,
         recipe: dispatched.recipeName,
         target: dispatched.targetFile,
-        changedFiles: [(0, import_node_path16.relative)(options.cwd, absoluteTarget).replace(/\\/g, "/")],
+        changedFiles: [(0, import_node_path19.relative)(options.cwd, absoluteTarget).replace(/\\/g, "/")],
         artifacts: {
           patch: `.viberaven/heal/${id}/patch.diff`,
           result: `.viberaven/heal/${id}/result.json`
@@ -12840,7 +13299,7 @@ async function applyHeal(options) {
           instructions: "Restore .viberaven/heal/<healId>/before/target.txt to the target file or apply the reverse patch."
         }
       };
-      await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir2, "result.json"), `${JSON.stringify(result2, null, 2)}
+      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "result.json"), `${JSON.stringify(result2, null, 2)}
 `, "utf8");
       return result2;
     }
@@ -12860,7 +13319,7 @@ async function applyHeal(options) {
     };
   }
   const absolute = assertSafeHealTarget(options.cwd, options.target);
-  const before = await (0, import_promises11.readFile)(absolute, "utf8");
+  const before = await (0, import_promises13.readFile)(absolute, "utf8");
   const recipe = applyEmptyCatchRecipe(before);
   if (!recipe.changed) {
     return {
@@ -12877,10 +13336,10 @@ async function applyHeal(options) {
       rollback: { available: false, instructions: "No supported heal recipe matched this file." }
     };
   }
-  const healDir = (0, import_node_path16.join)(options.cwd, ".viberaven", "heal", id);
-  await (0, import_promises11.mkdir)((0, import_node_path16.join)(healDir, "before"), { recursive: true });
-  await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir, "before", "target.txt"), before, "utf8");
-  await (0, import_promises11.writeFile)(absolute, recipe.output, "utf8");
+  const healDir = (0, import_node_path19.join)(options.cwd, ".viberaven", "heal", id);
+  await (0, import_promises13.mkdir)((0, import_node_path19.join)(healDir, "before"), { recursive: true });
+  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "before", "target.txt"), before, "utf8");
+  await (0, import_promises13.writeFile)(absolute, recipe.output, "utf8");
   const patch = [
     `--- ${options.target}`,
     `+++ ${options.target}`,
@@ -12890,7 +13349,7 @@ async function applyHeal(options) {
     recipe.output,
     ""
   ].join("\n");
-  await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir, "patch.diff"), patch, "utf8");
+  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "patch.diff"), patch, "utf8");
   const result = {
     $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
     schemaVersion: "v1",
@@ -12901,7 +13360,7 @@ async function applyHeal(options) {
     gapId: options.gapId,
     recipe: "empty-catch-safe-response",
     target: options.target,
-    changedFiles: [(0, import_node_path16.relative)(options.cwd, absolute).replace(/\\/g, "/")],
+    changedFiles: [(0, import_node_path19.relative)(options.cwd, absolute).replace(/\\/g, "/")],
     artifacts: {
       patch: `.viberaven/heal/${id}/patch.diff`,
       result: `.viberaven/heal/${id}/result.json`
@@ -12911,20 +13370,20 @@ async function applyHeal(options) {
       instructions: "Restore .viberaven/heal/<healId>/before/target.txt to the target file or apply the reverse patch."
     }
   };
-  await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir, "result.json"), `${JSON.stringify(result, null, 2)}
+  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "result.json"), `${JSON.stringify(result, null, 2)}
 `, "utf8");
   return result;
 }
 
 // src/heal/plan.ts
-var import_promises12 = require("node:fs/promises");
-var import_node_path17 = require("node:path");
+var import_promises14 = require("node:fs/promises");
+var import_node_path20 = require("node:path");
 function healId2() {
   return `heal_${(/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14)}`;
 }
 async function writeHealPlan(options) {
-  const dir = (0, import_node_path17.join)(options.cwd, ".viberaven");
-  await (0, import_promises12.mkdir)(dir, { recursive: true });
+  const dir = (0, import_node_path20.join)(options.cwd, ".viberaven");
+  await (0, import_promises14.mkdir)(dir, { recursive: true });
   const id = healId2();
   const target = options.target ?? `gap:${options.gapId}`;
   const markdown = [
@@ -12951,21 +13410,21 @@ async function writeHealPlan(options) {
     artifacts: { plan: ".viberaven/heal-plan.md" },
     rollback: { available: false, instructions: "No source files were changed." }
   };
-  await (0, import_promises12.writeFile)((0, import_node_path17.join)(dir, "heal-plan.md"), markdown, "utf8");
-  await (0, import_promises12.writeFile)((0, import_node_path17.join)(dir, "heal-plan.json"), `${JSON.stringify(result, null, 2)}
+  await (0, import_promises14.writeFile)((0, import_node_path20.join)(dir, "heal-plan.md"), markdown, "utf8");
+  await (0, import_promises14.writeFile)((0, import_node_path20.join)(dir, "heal-plan.json"), `${JSON.stringify(result, null, 2)}
 `, "utf8");
   return result;
 }
 
 // src/heal/prompt.ts
-var import_promises13 = require("node:fs/promises");
-var import_node_path18 = require("node:path");
+var import_promises15 = require("node:fs/promises");
+var import_node_path21 = require("node:path");
 function healId3() {
   return `heal_${(/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14)}`;
 }
 async function writeHealPrompt(options) {
-  const dir = (0, import_node_path18.join)(options.cwd, ".viberaven");
-  await (0, import_promises13.mkdir)(dir, { recursive: true });
+  const dir = (0, import_node_path21.join)(options.cwd, ".viberaven");
+  await (0, import_promises15.mkdir)(dir, { recursive: true });
   const id = healId3();
   const target = options.target ?? `gap:${options.gapId}`;
   const prompt = [
@@ -12992,12 +13451,12 @@ async function writeHealPrompt(options) {
     artifacts: { prompt: ".viberaven/heal-prompt.md" },
     rollback: { available: false, instructions: "No source files were changed." }
   };
-  await (0, import_promises13.writeFile)((0, import_node_path18.join)(dir, "heal-prompt.md"), prompt, "utf8");
+  await (0, import_promises15.writeFile)((0, import_node_path21.join)(dir, "heal-prompt.md"), prompt, "utf8");
   return result;
 }
 
 // src/loopState.ts
-var import_promises14 = require("fs/promises");
+var import_promises16 = require("fs/promises");
 var import_path = require("path");
 var DEFAULT_LOOP_STATE = {
   batchApplied: 0,
@@ -13010,7 +13469,7 @@ function loopStatePath(workspaceRoot) {
 }
 async function loadLoopState(workspaceRoot) {
   try {
-    const raw = await (0, import_promises14.readFile)(loopStatePath(workspaceRoot), "utf8");
+    const raw = await (0, import_promises16.readFile)(loopStatePath(workspaceRoot), "utf8");
     const parsed = JSON.parse(raw);
     if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed) && typeof parsed.batchApplied === "number" && typeof parsed.lastGapCount === "number" && typeof parsed.stalledScans === "number") {
       const p2 = parsed;
@@ -13030,8 +13489,8 @@ async function loadLoopState(workspaceRoot) {
 async function saveLoopState(workspaceRoot, state) {
   try {
     const dir = (0, import_path.join)(workspaceRoot, ".viberaven");
-    await (0, import_promises14.mkdir)(dir, { recursive: true });
-    await (0, import_promises14.writeFile)(loopStatePath(workspaceRoot), JSON.stringify(state, null, 2) + "\n", "utf8");
+    await (0, import_promises16.mkdir)(dir, { recursive: true });
+    await (0, import_promises16.writeFile)(loopStatePath(workspaceRoot), JSON.stringify(state, null, 2) + "\n", "utf8");
   } catch (err) {
     console.warn("[VibeRaven] Could not save loop-state.json:", err instanceof Error ? err.message : String(err));
   }
@@ -13077,9 +13536,9 @@ async function runHealCommand(options) {
 }
 
 // src/stackRecommend.ts
-var import_promises15 = require("node:fs/promises");
-var import_node_fs9 = require("node:fs");
-var import_node_path19 = require("node:path");
+var import_promises17 = require("node:fs/promises");
+var import_node_fs11 = require("node:fs");
+var import_node_path22 = require("node:path");
 var DEFAULT_STACK = {
   frontend: "react",
   ui: "tailwind + shadcn/ui",
@@ -13090,11 +13549,11 @@ var DEFAULT_STACK = {
   reason: "Agent-default stack for lowest launch friction when repo signals are ambiguous"
 };
 async function recommendStack(cwd = process.cwd()) {
-  const pkgPath = (0, import_node_path19.join)(cwd, "package.json");
-  if (!(0, import_node_fs9.existsSync)(pkgPath)) {
+  const pkgPath = (0, import_node_path22.join)(cwd, "package.json");
+  if (!(0, import_node_fs11.existsSync)(pkgPath)) {
     return DEFAULT_STACK;
   }
-  const pkg = JSON.parse(await (0, import_promises15.readFile)(pkgPath, "utf-8"));
+  const pkg = JSON.parse(await (0, import_promises17.readFile)(pkgPath, "utf-8"));
   const deps = { ...pkg.dependencies, ...pkg.devDependencies };
   const names = Object.keys(deps).join(" ").toLowerCase();
   const rec = {
@@ -13136,24 +13595,29 @@ async function runInitCommand(options) {
     console.log(renderAgentRulesDryRun(targets));
     return 0;
   }
-  const results = await initAgentRules({
+  const output = await initAgentRules({
     cwd: options.cwd,
     targets,
     dryRun: false
   });
-  console.log(formatAgentRulesInitSummary(results));
+  console.log(formatAgentRulesInitSummary(output));
   return 0;
 }
 
 // src/commands/doctorAgents.ts
-var import_promises16 = require("node:fs/promises");
-var import_node_path20 = require("node:path");
+var import_promises18 = require("node:fs/promises");
+var import_node_path23 = require("node:path");
 var REQUIRED_EXISTENCE_CHECKS = [
   { id: "agents-md", file: "AGENTS.md" },
   { id: "claude-md", file: "CLAUDE.md" },
-  { id: "cursor-rule", file: ".cursor/rules/viberaven.mdc" },
+  { id: "cursor-core-rule", file: ".cursor/rules/viberaven-core.mdc" },
   { id: "copilot-instructions", file: ".github/copilot-instructions.md" }
 ];
+var OPTIONAL_CURSOR_PACK_CHECKS = [
+  { id: "cursor-supabase-rule", file: ".cursor/rules/viberaven-supabase-rls.mdc" },
+  { id: "cursor-deploy-rule", file: ".cursor/rules/viberaven-deploy.mdc" },
+  { id: "cursor-payments-rule", file: ".cursor/rules/viberaven-payments.mdc" }
+];
 var STALE_PATTERNS = [
   { id: "stale-beta-scan", pattern: "@beta scan" },
   { id: "stale-viberaven-station", pattern: "viberaven-station" },
@@ -13162,17 +13626,37 @@ var STALE_PATTERNS = [
 async function checkAgentInjection(cwd) {
   const checks = [];
   for (const item3 of REQUIRED_EXISTENCE_CHECKS) {
-    const exists = await fileExists((0, import_node_path20.join)(cwd, item3.file));
+    const exists = await fileExists2((0, import_node_path23.join)(cwd, item3.file));
     checks.push({
       id: item3.id,
       status: exists ? "pass" : "fail",
       message: exists ? `${item3.file} exists` : `Missing ${item3.file}`
     });
   }
+  for (const item3 of OPTIONAL_CURSOR_PACK_CHECKS) {
+    const exists = await fileExists2((0, import_node_path23.join)(cwd, item3.file));
+    checks.push({
+      id: item3.id,
+      status: exists ? "pass" : "fail",
+      message: exists ? `${item3.file} exists` : `Missing ${item3.file} \u2014 run npx -y viberaven init --agents all`
+    });
+  }
+  const legacyCursorPath = (0, import_node_path23.join)(cwd, ".cursor/rules/viberaven.mdc");
+  if (await fileExists2(legacyCursorPath)) {
+    const legacyContent = await (0, import_promises18.readFile)(legacyCursorPath, "utf-8");
+    const hasCoreSplit = await fileExists2((0, import_node_path23.join)(cwd, ".cursor/rules/viberaven-core.mdc"));
+    if (!hasCoreSplit || legacyContent.includes("alwaysApply: true")) {
+      checks.push({
+        id: "cursor-legacy-mdc",
+        status: "fail",
+        message: "Legacy .cursor/rules/viberaven.mdc detected \u2014 run npx -y viberaven init --agents all to migrate to the split Cursor pack"
+      });
+    }
+  }
   for (const target of CORE_AGENT_INJECTION_TARGETS) {
-    const file = AGENT_RULE_TARGETS[target].file;
-    const path = (0, import_node_path20.join)(cwd, file);
-    const exists = await fileExists(path);
+    const file = target === "cursor" ? ".cursor/rules/viberaven-core.mdc" : AGENT_RULE_TARGETS[target].file;
+    const path = (0, import_node_path23.join)(cwd, file);
+    const exists = await fileExists2(path);
     if (!exists) {
       checks.push({
         id: `canonical-${target}`,
@@ -13181,7 +13665,7 @@ async function checkAgentInjection(cwd) {
       });
       continue;
     }
-    const content = await (0, import_promises16.readFile)(path, "utf-8");
+    const content = await (0, import_promises18.readFile)(path, "utf-8");
     const hasCommand = content.includes(PUBLIC_AGENT_MODE_COMMAND);
     checks.push({
       id: `canonical-${target}`,
@@ -13213,9 +13697,9 @@ function formatDoctorAgentsReport(report) {
   lines.push(report.ok ? "All agent injection checks passed." : "Agent injection checks failed.");
   return lines.join("\n");
 }
-async function fileExists(path) {
+async function fileExists2(path) {
   try {
-    await (0, import_promises16.access)(path);
+    await (0, import_promises18.access)(path);
     return true;
   } catch {
     return false;
@@ -13229,6 +13713,191 @@ async function runDoctorAgentsCommand(options) {
   return report.ok ? 0 : 1;
 }
 
+// src/npm/popularPackages.ts
+var POPULAR_NPM_PACKAGES = [
+  "next",
+  "react",
+  "react-dom",
+  "vue",
+  "@vue/cli",
+  "express",
+  "lodash",
+  "axios",
+  "stripe",
+  "@stripe/stripe-js",
+  "supabase",
+  "@supabase/supabase-js",
+  "@prisma/client",
+  "prisma",
+  "typescript",
+  "eslint",
+  "prettier",
+  "tailwindcss",
+  "vite",
+  "zod",
+  "dotenv",
+  "jsonwebtoken",
+  "bcrypt",
+  "mongoose",
+  "pg",
+  "redis",
+  "ioredis",
+  "winston",
+  "@sentry/node",
+  "@sentry/nextjs",
+  "firebase",
+  "@clerk/nextjs",
+  "openai",
+  "@anthropic-ai/sdk",
+  "vercel",
+  "@vercel/analytics"
+];
+
+// src/npm/validateNpmPackage.ts
+var REGISTRY_BASE = "https://registry.npmjs.org";
+var NEW_PACKAGE_DAYS = 14;
+var TYPOSQUAT_MAX_DISTANCE = 2;
+var LOW_PUBLISH_COUNT = 3;
+function levenshteinDistance(a, b3) {
+  if (a === b3) return 0;
+  if (a.length === 0) return b3.length;
+  if (b3.length === 0) return a.length;
+  const matrix = Array.from(
+    { length: a.length + 1 },
+    () => Array.from({ length: b3.length + 1 }, () => 0)
+  );
+  for (let i = 0; i <= a.length; i += 1) matrix[i][0] = i;
+  for (let j2 = 0; j2 <= b3.length; j2 += 1) matrix[0][j2] = j2;
+  for (let i = 1; i <= a.length; i += 1) {
+    for (let j2 = 1; j2 <= b3.length; j2 += 1) {
+      const cost = a[i - 1] === b3[j2 - 1] ? 0 : 1;
+      matrix[i][j2] = Math.min(
+        matrix[i - 1][j2] + 1,
+        matrix[i][j2 - 1] + 1,
+        matrix[i - 1][j2 - 1] + cost
+      );
+    }
+  }
+  return matrix[a.length][b3.length];
+}
+function daysSince(isoDate, now = Date.now()) {
+  const created = Date.parse(isoDate);
+  if (!Number.isFinite(created)) return Number.POSITIVE_INFINITY;
+  return (now - created) / (1e3 * 60 * 60 * 24);
+}
+function closestPopularPackage(name) {
+  let best = null;
+  for (const popular of POPULAR_NPM_PACKAGES) {
+    const distance = levenshteinDistance(name, popular);
+    if (distance <= TYPOSQUAT_MAX_DISTANCE && (!best || distance < best.distance)) {
+      best = { pkg: popular, distance };
+    }
+  }
+  return best;
+}
+function buildBase(name) {
+  const normalized = name.trim().toLowerCase();
+  return {
+    name: normalized,
+    registryUrl: `${REGISTRY_BASE}/${encodeURIComponent(normalized)}`,
+    followUpCommand: PUBLIC_AGENT_MODE_COMMAND
+  };
+}
+async function validateNpmPackage(name, options) {
+  const fetchFn = options?.fetch ?? fetch;
+  const now = options?.now ?? Date.now();
+  const base = buildBase(name);
+  if (!base.name) {
+    return {
+      ...base,
+      verdict: "not_found",
+      reasons: ["Package name is empty."]
+    };
+  }
+  let response;
+  try {
+    response = await fetchFn(base.registryUrl);
+  } catch {
+    return {
+      ...base,
+      verdict: "not_found",
+      reasons: ["Could not reach the public npm registry."]
+    };
+  }
+  if (response.status === 404) {
+    return {
+      ...base,
+      verdict: "not_found",
+      reasons: [`Package "${base.name}" was not found on the public npm registry.`]
+    };
+  }
+  if (!response.ok) {
+    return {
+      ...base,
+      verdict: "suspicious",
+      reasons: [`Unexpected npm registry response: HTTP ${response.status}.`]
+    };
+  }
+  const data = await response.json();
+  const reasons = [];
+  let suspicious = false;
+  const created = data.time?.created;
+  if (created) {
+    const ageDays = daysSince(created, now);
+    const closest = closestPopularPackage(base.name);
+    if (ageDays < NEW_PACKAGE_DAYS && closest && closest.pkg !== base.name) {
+      suspicious = true;
+      reasons.push(
+        `Package was published ${Math.max(0, Math.floor(ageDays))} day(s) ago and its name is within ${TYPOSQUAT_MAX_DISTANCE} character edits of popular package "${closest.pkg}".`
+      );
+    }
+  }
+  const description = (data.description ?? "").trim();
+  const maintainerCount = Array.isArray(data.maintainers) ? data.maintainers.length : 0;
+  const publishCount = data.versions ? Object.keys(data.versions).length : 0;
+  if (!description && maintainerCount === 0 && publishCount <= LOW_PUBLISH_COUNT) {
+    suspicious = true;
+    reasons.push(
+      "Package has an empty description, no listed maintainers, and very few published versions."
+    );
+  }
+  if (suspicious) {
+    return { ...base, verdict: "suspicious", reasons };
+  }
+  return {
+    ...base,
+    verdict: "ok",
+    reasons: ["Package exists on the public npm registry with no v1 suspicious signals."]
+  };
+}
+async function validateNpmPackages(names, options) {
+  return Promise.all(names.map((name) => validateNpmPackage(name, options)));
+}
+
+// src/commands/runValidateNpmPackage.ts
+async function runValidateNpmPackageCommand(options) {
+  const names = options.names.map((name) => name.trim()).filter(Boolean);
+  if (names.length === 0) {
+    console.error("Usage: viberaven validate-npm-package [--json] <package> [package...]");
+    return 1;
+  }
+  const results = names.length === 1 ? [await validateNpmPackage(names[0])] : await validateNpmPackages(names);
+  const payload = names.length === 1 ? results[0] : { results };
+  if (options.json) {
+    console.log(JSON.stringify(payload, null, 2));
+  } else {
+    for (const result of results) {
+      console.log(`${result.name}: ${result.verdict}`);
+      for (const reason of result.reasons) {
+        console.log(`  - ${reason}`);
+      }
+      console.log(`  followUp: ${result.followUpCommand}`);
+    }
+  }
+  const hasBlocking = results.some((result) => result.verdict !== "ok");
+  return hasBlocking ? 2 : 0;
+}
+
 // src/output/nextActionBlock.ts
 function buildNextActionBlock(tasks, loopState, plan) {
   const batchSize = plan === "pro" ? 10 : 3;
@@ -13348,9 +14017,9 @@ function printNextActionBlock(block) {
 }
 
 // src/providerMcpBridge.ts
-var import_node_fs10 = require("node:fs");
+var import_node_fs12 = require("node:fs");
 var import_node_os2 = require("node:os");
-var import_node_path21 = require("node:path");
+var import_node_path24 = require("node:path");
 var UPGRADE_URL4 = "https://viberaven.dev/pricing";
 var FALLBACK_COMMAND = "npx -y viberaven audit --vercel-supabase --json";
 var SUPPORTED_PROVIDERS = /* @__PURE__ */ new Set(["supabase", "vercel"]);
@@ -13358,9 +14027,9 @@ var configPathsOverride;
 function defaultMcpConfigPaths() {
   const home = (0, import_node_os2.homedir)();
   return [
-    (0, import_node_path21.join)(home, ".config", "claude", "claude_desktop_config.json"),
-    (0, import_node_path21.join)(home, ".cursor", "mcp.json"),
-    (0, import_node_path21.join)(home, ".gemini", "antigravity", "mcp_config.json")
+    (0, import_node_path24.join)(home, ".config", "claude", "claude_desktop_config.json"),
+    (0, import_node_path24.join)(home, ".cursor", "mcp.json"),
+    (0, import_node_path24.join)(home, ".gemini", "antigravity", "mcp_config.json")
   ];
 }
 function resolveConfigPaths() {
@@ -13389,11 +14058,11 @@ function findServerEntry(servers, provider2) {
 function findProviderMcpConfig(provider2, configPaths) {
   const paths = configPaths ?? resolveConfigPaths();
   for (const path of paths) {
-    if (!(0, import_node_fs10.existsSync)(path)) {
+    if (!(0, import_node_fs12.existsSync)(path)) {
       continue;
     }
     try {
-      const raw = JSON.parse((0, import_node_fs10.readFileSync)(path, "utf8"));
+      const raw = JSON.parse((0, import_node_fs12.readFileSync)(path, "utf8"));
       const servers = parseMcpServers(raw);
       if (!servers) {
         continue;
@@ -13595,6 +14264,7 @@ function isBooleanFlag(command, key) {
   if (key === "open" && (command === "" || command === "scan" || command === "report")) return true;
   if (key === "verify" && command === "") return true;
   if (key === "vercel-supabase" && command === "audit") return true;
+  if (key === "json" && command === "validate-npm-package") return true;
   if (key === "dry-run" && command === "init") return true;
   if (key === "agents" && command === "doctor") return true;
   return false;
@@ -13613,7 +14283,7 @@ async function guardEarlyVerifyScan(input) {
   if (!verifyLike) {
     return void 0;
   }
-  const workspacePath = input.positional[0] ? (0, import_node_path22.join)(process.cwd(), input.positional[0]) : await resolveWorkspaceRoot(process.cwd());
+  const workspacePath = input.positional[0] ? (0, import_node_path25.join)(process.cwd(), input.positional[0]) : await resolveWorkspaceRoot(process.cwd());
   const loopState = await loadLoopState(workspacePath);
   if (loopState.batchApplied <= 0) {
     return void 0;
@@ -13689,7 +14359,7 @@ async function cmdStatus(flags, positional) {
     console.log("Not signed in. Run: viberaven login");
     return 1;
   }
-  const startDir = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
   let artifact;
   try {
     artifact = await loadLastArtifact(startDir);
@@ -13843,7 +14513,7 @@ async function cmdWatch(flags) {
   }
 }
 async function runScanCommand(flags, positional, options) {
-  const workspacePath = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : await resolveWorkspaceRoot(process.cwd());
+  const workspacePath = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : await resolveWorkspaceRoot(process.cwd());
   const apiBaseUrl = resolveApiBaseUrl(typeof flags["api-url"] === "string" ? flags["api-url"] : void 0);
   let accessToken;
   try {
@@ -13921,7 +14591,7 @@ async function runScanCommand(flags, positional, options) {
   return { exitCode: 0, artifacts: paths };
 }
 async function cmdReport(flags, positional) {
-  const startDir = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
   try {
     const paths = await refreshReportFromDisk(startDir);
     console.log(`Report refreshed: ${paths.reportPath}`);
@@ -13943,7 +14613,7 @@ async function cmdReport(flags, positional) {
   }
 }
 async function cmdPrompt(flags, positional) {
-  const startDir = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
   let artifact;
   try {
     artifact = await loadLastArtifact(startDir);
@@ -14041,7 +14711,7 @@ async function main() {
   const wantsJsonl = hasFlag(flags, "jsonl");
   const wantsStrict = hasFlag(flags, "strict");
   if (flags.condense) {
-    const cwd = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd();
+    const cwd = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
     const result = await runCondenseCommand({ cwd });
     console.log(`VibeRaven context map refreshed: ${result.contextMapPath}`);
     return 0;
@@ -14070,7 +14740,7 @@ async function main() {
       console.error("VibeRaven could not produce machine output because scan artifacts were not written.");
       return 3;
     }
-    const gateResult = scanResult.artifacts && (wantsJson || wantsJsonl || wantsStrict) ? JSON.parse(await (0, import_promises17.readFile)(scanResult.artifacts.gateResultPath, "utf8")) : void 0;
+    const gateResult = scanResult.artifacts && (wantsJson || wantsJsonl || wantsStrict) ? JSON.parse(await (0, import_promises19.readFile)(scanResult.artifacts.gateResultPath, "utf8")) : void 0;
     const strictExitCode = wantsStrict && gateResult ? exitCodeForStrictGate(gateResult, { failOnWarnings: flags.strict === "warning" }) : scanResult.exitCode;
     if (wantsJson && gateResult) {
       process.stdout.write(renderGateResultJson(gateResult));
@@ -14105,7 +14775,7 @@ async function main() {
     case "next":
       return runNextCommand({
         json: Boolean(flags.json),
-        cwd: positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd()
+        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd()
       });
     case "guide": {
       const provider2 = positional[0];
@@ -14143,7 +14813,7 @@ async function main() {
     case "provider-verify":
       return cmdProviderVerify(flags, positional);
     case "init": {
-      const cwd = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd();
+      const cwd = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
       const agents = typeof flags.agents === "string" ? flags.agents : void 0;
       return runInitCommand({
         cwd,
@@ -14157,7 +14827,12 @@ async function main() {
         return 1;
       }
       return runDoctorAgentsCommand({
-        cwd: positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd()
+        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd()
+      });
+    case "validate-npm-package":
+      return runValidateNpmPackageCommand({
+        names: positional,
+        json: Boolean(flags.json)
       });
     default:
       console.error(`Unknown command: ${command}`);