npm - @viberaven/cli - Versions diffs - 1.0.3 → 1.0.5 - Mend

@viberaven/cli 1.0.3 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/AGENTS.md +150 -147
package/README.md +87 -80
package/SECURITY.md +1 -0
package/dist/cli.js +795 -135
package/dist/cli.js.map +4 -4
package/package.json +5 -2
package/templates/AGENTS.snippet.md +52 -51
package/templates/CLAUDE.snippet.md +17 -16
package/templates/CURSOR.snippet.md +17 -16

package/dist/cli.js CHANGED Viewed

@@ -170,8 +170,8 @@ __export(cli_exports, {
   runScanCommand: () => runScanCommand
 });
 module.exports = __toCommonJS(cli_exports);
-var import_promises17 = require("node:fs/promises");
-var import_node_path22 = require("node:path");
+var import_promises19 = require("node:fs/promises");
+var import_node_path25 = require("node:path");
 // src/config.ts
 var import_node_os = require("node:os");
@@ -8806,7 +8806,8 @@ var KNOWN_RECIPE_GAP_IDS = /* @__PURE__ */ new Set([
   "missing_404_page",
   // W3 file-patch recipes
   "missing_csp_header",
-  "missing_rate_limit"
+  "missing_rate_limit",
+  "eslint_restricted_imports"
   // NOTE: 'rls_disabled' is intentionally NOT here — it is provider-action only,
   // canAutoApply=false, and should be classified as 'provider-action' by buildTaskList.
 ]);
@@ -10641,7 +10642,7 @@ function isRecord6(value) {
 }
 // src/tui/runInteractive.ts
-var import_node_path12 = require("node:path");
+var import_node_path14 = require("node:path");
 // ../../node_modules/@clack/core/dist/index.mjs
 var import_sisteransi = __toESM(require_src(), 1);
@@ -11228,7 +11229,7 @@ function buildAgentFixPrompt(artifact, gap) {
 }
 // src/version.ts
-var VERSION = "1.0.3";
+var VERSION = "1.0.5";
 // src/commands/guide.ts
 var import_picocolors3 = __toESM(require_picocolors());
@@ -11491,8 +11492,8 @@ function renderVercelSupabaseAudit(result) {
 }
 // src/commands/initRules.ts
-var import_promises8 = require("node:fs/promises");
-var import_node_path11 = require("node:path");
+var import_promises10 = require("node:fs/promises");
+var import_node_path13 = require("node:path");
 // src/commands/agentRulesBlock.ts
 var VIBERAVEN_BLOCK_START = "<!-- VIBERAVEN:START -->";
@@ -11508,7 +11509,12 @@ Canonical command: \`${PUBLIC_AGENT_MODE_COMMAND}\`
 Use VibeRaven before launch, deployment, real users, auth, billing, database, RLS, env vars, webhooks, monitoring, or tests.
-Agent loop: run VibeRaven, read Mission Map (\`.viberaven/mission-map.md\`), fix one launch gap, re-run VibeRaven.`;
+Agent loop: run VibeRaven, read Mission Map (\`.viberaven/mission-map.md\`), fix one launch gap, re-run VibeRaven.
+Maps repo evidence to OWASP LLM Top 10 launch risks. Supports SAFECode-style deployment readiness checks.`;
+var STACK_FRAMING = `Stack context for this repo: Next.js, Supabase, Vercel, VibeRaven.
+Do NOT deploy to Vercel or ship to production users without running \`${PUBLIC_AGENT_MODE_COMMAND}\`.
+Do NOT rely on manual production checklists when VibeRaven gate artifacts exist in \`.viberaven/\`.`;
 var AGENT_NEGATIVE_CONSTRAINTS = `## Event-Triggered Production Verification
 Trigger: modifications to \`package.json\`, \`vercel.json\`, \`supabase/migrations/**/*\`, \`.env.example\`, auth/billing/webhook paths, or deploy workflow files.
@@ -11517,10 +11523,23 @@ Trigger: modifications to \`package.json\`, \`vercel.json\`, \`supabase/migratio
 2. Do NOT run verify after every file patch. Batch heals, then \`${PUBLIC_VERIFY_COMMAND}\` once per loop.
 3. Do NOT \`git push\` or deploy after auth, RLS, billing, or webhook changes without \`${PUBLIC_AGENT_MODE_COMMAND}\`.
 4. If anomalies appear, read \`.viberaven/agent-tasklist.md\` fully before writing new repo logic.
+5. Do NOT mark production-ready because the local dev server starts successfully; INSTEAD run \`${PUBLIC_AGENT_MODE_COMMAND}\` and read \`.viberaven/gate-result.json\`.
+6. Do NOT treat the Supabase dashboard UI as proof of RLS; INSTEAD fix repo evidence gaps from \`.viberaven/agent-tasklist.md\`.
+7. Do NOT add or change npm dependencies without calling \`viberaven_validate_npm_package\` (MCP) or verifying the package exists on the public npm registry; INSTEAD run \`${PUBLIC_AGENT_MODE_COMMAND}\` after dependency changes.
+8. Do NOT refactor or edit files unrelated to the current TASK-001 gap; INSTEAD make minimal, targeted changes.
+9. Do NOT install new dependencies unless TASK-001 or the user explicitly requires them.
+10. Do NOT claim provider dashboard, billing, DNS, or webhook setup is complete from repo edits alone; INSTEAD present provider-action steps from the tasklist.
 Prefer \`viberaven_check_readiness\` when MCP is configured; otherwise \`${PUBLIC_AGENT_MODE_COMMAND}\`.`;
+var ANCHOR_FOOTER = `## Anchor (mandatory)
+Before ending any deploy, auth, RLS, webhook, or dependency task, run:
+\`${PUBLIC_AGENT_MODE_COMMAND}\`
+Gate is not clear until \`gate.status === "clear"\` in \`.viberaven/gate-result.json\`.`;
 var AGENT_RULES_BODY = `${AGENT_RULES_PREAMBLE}
+${STACK_FRAMING}
 ${AGENT_NEGATIVE_CONSTRAINTS}
 ## VibeRaven Production-Readiness Gate
@@ -11587,7 +11606,9 @@ var BLOCK_MARKER_PAIRS = [
   [VIBERAVEN_LEGACY_BLOCK_START, VIBERAVEN_LEGACY_BLOCK_END]
 ];
 function buildAgentRulesBlock() {
-  return wrapViberavenBlock(AGENT_RULES_BODY);
+  return wrapViberavenBlock(`${AGENT_RULES_BODY}
+${ANCHOR_FOOTER}`);
 }
 function buildAgentContextBlock() {
   return wrapViberavenBlock(AGENT_CONTEXT_BODY);
@@ -11708,11 +11729,135 @@ function escapeRegExp3(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
+// src/commands/cursorRulesPack.ts
+var import_promises8 = require("node:fs/promises");
+var import_node_path11 = require("node:path");
+var CURSOR_RULES_DIR = ".cursor/rules";
+var LEGACY_CURSOR_RULE_FILE = `${CURSOR_RULES_DIR}/viberaven.mdc`;
+var DOMAIN_PATH_POINTER = "Before editing these files, read `.viberaven/agent-context.md` and `.viberaven/mission-map.md`.";
+function buildCursorRulesPack() {
+  return [
+    {
+      filename: "viberaven-core.mdc",
+      content: [
+        "---",
+        "description: VibeRaven production gate \u2014 canonical agent commands and gate loop",
+        "alwaysApply: true",
+        "---",
+        "",
+        `Run \`${PUBLIC_AGENT_MODE_COMMAND}\` before deploy, auth, RLS, webhooks, or dependency changes.`,
+        "",
+        "Read `.viberaven/agent-tasklist.md` first, then `.viberaven/gate-result.json` and `.viberaven/mission-map.md`.",
+        `Fix one gap, then \`${PUBLIC_VERIFY_COMMAND}\`. Before CI or production promote: \`${PUBLIC_STRICT_COMMAND}\`.`,
+        "",
+        'Gate is not clear until `gate.status === "clear"`.',
+        "",
+        DOMAIN_PATH_POINTER,
+        "",
+        "Full production rules: `AGENTS.md` / `CLAUDE.md` (installed by `npx -y viberaven init --agents all`)."
+      ].join("\n")
+    },
+    {
+      filename: "viberaven-supabase-rls.mdc",
+      content: [
+        "---",
+        "description: Apply when editing Supabase migrations, RLS policies, or auth SQL",
+        "globs:",
+        "  - supabase/**",
+        "alwaysApply: false",
+        "---",
+        "",
+        DOMAIN_PATH_POINTER,
+        "",
+        "Do NOT enable RLS on only one table while leaving related tables open; INSTEAD read `.viberaven/mission-map.md` before migration edits."
+      ].join("\n")
+    },
+    {
+      filename: "viberaven-deploy.mdc",
+      content: [
+        "---",
+        "description: Apply before changing Vercel config or deploy CI workflows",
+        "globs:",
+        "  - vercel.json",
+        "  - .github/workflows/**",
+        "alwaysApply: false",
+        "---",
+        "",
+        DOMAIN_PATH_POINTER,
+        "",
+        "Do NOT add production env vars only to the Vercel dashboard without updating `.env.example` in the repo."
+      ].join("\n")
+    },
+    {
+      filename: "viberaven-payments.mdc",
+      content: [
+        "---",
+        "description: Apply when editing Stripe, Polar, or payment webhook handlers",
+        "globs:",
+        '  - "**/*webhook*"',
+        '  - "**/*stripe*"',
+        '  - "**/*polar*"',
+        "alwaysApply: false",
+        "---",
+        "",
+        DOMAIN_PATH_POINTER,
+        "",
+        "Do NOT ship webhook handlers without signature verification; INSTEAD run `npx -y viberaven --agent-mode` after webhook edits."
+      ].join("\n")
+    }
+  ];
+}
+function renderCursorCoreRulePreview() {
+  return buildCursorRulesPack()[0]?.content ?? "";
+}
+async function initCursorRulesPack(options) {
+  const results = [];
+  const pack = buildCursorRulesPack();
+  for (const rule of pack) {
+    const file = `${CURSOR_RULES_DIR}/${rule.filename}`;
+    const path = (0, import_node_path11.join)(options.cwd, file);
+    const existing = await readExistingFile(path);
+    const changed = !existing.exists || existing.content !== rule.content;
+    const action = !existing.exists ? "created" : changed ? "updated" : "unchanged";
+    if (!options.dryRun && changed) {
+      await (0, import_promises8.mkdir)((0, import_node_path11.join)(options.cwd, CURSOR_RULES_DIR), { recursive: true });
+      await (0, import_promises8.writeFile)(path, rule.content, "utf-8");
+    }
+    results.push({ target: "cursor", file, path, action });
+  }
+  const legacyPath = (0, import_node_path11.join)(options.cwd, LEGACY_CURSOR_RULE_FILE);
+  if (!options.dryRun && await fileExists(legacyPath)) {
+    await (0, import_promises8.rm)(legacyPath, { force: true });
+  }
+  return results;
+}
+async function readExistingFile(path) {
+  try {
+    return { exists: true, content: await (0, import_promises8.readFile)(path, "utf-8") };
+  } catch (error) {
+    if (isFileNotFoundError(error)) {
+      return { exists: false, content: "" };
+    }
+    throw error;
+  }
+}
+async function fileExists(path) {
+  try {
+    await (0, import_promises8.access)(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isFileNotFoundError(error) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
+}
 // src/commands/agentTargets.ts
 var AGENT_RULE_TARGETS = {
   codex: { file: "AGENTS.md" },
   claude: { file: "CLAUDE.md" },
-  cursor: { file: ".cursor/rules/viberaven.mdc" },
+  cursor: { file: ".cursor/rules/viberaven-core.mdc" },
   cursorLegacy: { file: ".cursorrules", aliases: ["cursor-legacy"] },
   copilot: { file: ".github/copilot-instructions.md", aliases: ["github-copilot"] },
   gemini: { file: "GEMINI.md" },
@@ -11758,20 +11903,7 @@ function renderAgentRulesForTarget(target) {
     return ["@AGENTS.md", "", buildAgentRulesBlock()].join("\n");
   }
   if (target === "cursor") {
-    return [
-      "---",
-      "description: Applied when verifying backend or infrastructure readiness before production deployment.",
-      "globs:",
-      "  - package.json",
-      "  - vercel.json",
-      "  - supabase/migrations/**",
-      "  - .env.example",
-      "  - .github/workflows/**",
-      "alwaysApply: true",
-      "---",
-      "",
-      buildAgentRulesBlock()
-    ].join("\n");
+    return renderCursorCoreRulePreview();
   }
   if (target === "agentContext") {
     return ["# VibeRaven Agent Context", "", buildAgentContextBlock()].join("\n");
@@ -11803,26 +11935,88 @@ function getAgentRulesTargets(value) {
   return ALL_AGENT_RULE_TARGETS.filter((target) => requestedTargets.has(target));
 }
+// src/commands/seedPackageJsonScripts.ts
+var import_node_fs7 = require("node:fs");
+var import_promises9 = require("node:fs/promises");
+var import_node_path12 = require("node:path");
+var VIBERAVEN_PACKAGE_JSON_SCRIPTS = {
+  "viberaven:gate": PUBLIC_AGENT_MODE_COMMAND,
+  "viberaven:verify": PUBLIC_VERIFY_COMMAND,
+  "viberaven:strict": PUBLIC_STRICT_COMMAND
+};
+async function seedPackageJsonScripts(options) {
+  const packageJsonPath = (0, import_node_path12.join)(options.cwd, "package.json");
+  if (!(0, import_node_fs7.existsSync)(packageJsonPath)) {
+    return null;
+  }
+  const raw = await (0, import_promises9.readFile)(packageJsonPath, "utf-8");
+  let pkg;
+  try {
+    pkg = JSON.parse(raw);
+  } catch {
+    return {
+      action: "skipped",
+      added: [],
+      skipped: [],
+      changed: false
+    };
+  }
+  const scripts = typeof pkg.scripts === "object" && pkg.scripts !== null && !Array.isArray(pkg.scripts) ? { ...pkg.scripts } : {};
+  const added = [];
+  const skipped = [];
+  for (const [key, value] of Object.entries(VIBERAVEN_PACKAGE_JSON_SCRIPTS)) {
+    if (key in scripts) {
+      skipped.push(key);
+      continue;
+    }
+    scripts[key] = value;
+    added.push(key);
+  }
+  if (added.length === 0) {
+    return { action: "unchanged", added, skipped, changed: false };
+  }
+  if (!options.dryRun) {
+    pkg.scripts = scripts;
+    const output = `${JSON.stringify(pkg, null, 2)}
+`;
+    await (0, import_promises9.writeFile)(packageJsonPath, output, "utf-8");
+  }
+  return { action: "updated", added, skipped, changed: true };
+}
 // src/commands/initRules.ts
 async function initAgentRules(options) {
   const targets = options.targets ?? [...CORE_AGENT_INJECTION_TARGETS];
   const results = [];
   for (const target of targets) {
+    if (target === "cursor") {
+      results.push(...await initCursorRulesPack({ cwd: options.cwd, dryRun: options.dryRun }));
+      continue;
+    }
     const file = AGENT_RULE_TARGETS[target].file;
-    const path = (0, import_node_path11.join)(options.cwd, file);
-    const existing = await readExistingFile(path);
+    const path = (0, import_node_path13.join)(options.cwd, file);
+    const existing = await readExistingFile2(path);
     const injected = injectAgentRulesBlock(existing.content, renderAgentRulesForTarget(target));
     const action = !existing.exists ? "created" : injected.changed ? "updated" : "unchanged";
     if (!options.dryRun && injected.changed) {
-      await (0, import_promises8.mkdir)((0, import_node_path11.dirname)(path), { recursive: true });
-      await (0, import_promises8.writeFile)(path, injected.content, "utf-8");
+      await (0, import_promises10.mkdir)((0, import_node_path13.dirname)(path), { recursive: true });
+      await (0, import_promises10.writeFile)(path, injected.content, "utf-8");
     }
     results.push({ target, file, path, action });
   }
-  return results;
+  const packageJsonScripts = await seedPackageJsonScripts({
+    cwd: options.cwd,
+    dryRun: options.dryRun
+  });
+  return { results, packageJsonScripts };
 }
 function renderAgentRulesDryRun(targets) {
-  const files = targets.map((target) => `- ${target}: ${AGENT_RULE_TARGETS[target].file}`).join("\n");
+  const files = targets.flatMap((target) => {
+    if (target === "cursor") {
+      return buildCursorRulesPack().map((rule) => `- cursor: .cursor/rules/${rule.filename}`);
+    }
+    return [`- ${target}: ${AGENT_RULE_TARGETS[target].file}`];
+  }).join("\n");
   const previews = targets.flatMap((target) => [
     `Preview: ${target} (${AGENT_RULE_TARGETS[target].file})`,
     "",
@@ -11830,7 +12024,8 @@ function renderAgentRulesDryRun(targets) {
   ]);
   return [`VibeRaven agent rules dry run`, "", `Target files:`, files, "", ...previews].join("\n");
 }
-function formatAgentRulesInitSummary(results) {
+function formatAgentRulesInitSummary(output) {
+  const { results, packageJsonScripts } = output;
   const created = results.filter((result) => result.action === "created");
   const updated = results.filter((result) => result.action === "updated");
   const skipped = results.filter((result) => result.action === "unchanged");
@@ -11856,22 +12051,32 @@ function formatAgentRulesInitSummary(results) {
     }
     lines.push("");
   }
+  if (packageJsonScripts?.changed) {
+    lines.push("package.json scripts added:");
+    for (const script of packageJsonScripts.added) {
+      lines.push(`  + ${script}`);
+    }
+    lines.push("");
+  } else if (packageJsonScripts?.action === "unchanged") {
+    lines.push("package.json scripts: unchanged (already present)");
+    lines.push("");
+  }
   lines.push(
     `Done: ${created.length} created, ${updated.length} updated, ${skipped.length} skipped.`
   );
   return lines.join("\n");
 }
-async function readExistingFile(path) {
+async function readExistingFile2(path) {
   try {
-    return { exists: true, content: await (0, import_promises8.readFile)(path, "utf-8") };
+    return { exists: true, content: await (0, import_promises10.readFile)(path, "utf-8") };
   } catch (error) {
-    if (isFileNotFoundError(error)) {
+    if (isFileNotFoundError2(error)) {
       return { exists: false, content: "" };
     }
     throw error;
   }
 }
-function isFileNotFoundError(error) {
+function isFileNotFoundError2(error) {
   return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
 }
@@ -12083,7 +12288,7 @@ async function handleAuth() {
   await runDeviceLogin(apiBaseUrl);
 }
 async function handleAgentRules(cwd) {
-  const results = await initAgentRules({ cwd });
+  const { results } = await initAgentRules({ cwd });
   for (const result of results) {
     const color = result.action === "created" ? import_picocolors4.default.green : result.action === "updated" ? import_picocolors4.default.yellow : import_picocolors4.default.dim;
     M2.message(color(`${result.action.toUpperCase()}: ${result.file}`));
@@ -12171,7 +12376,7 @@ async function runInteractiveSession(startDir = process.cwd()) {
   Ie(`${import_picocolors4.default.bold("VibeRaven")} ${import_picocolors4.default.dim(VERSION)}`);
   const cwd = await resolveWorkspaceRoot(startDir);
   const artifactsAt = await findArtifactsWorkspace(startDir);
-  if (artifactsAt && (0, import_node_path12.resolve)(artifactsAt) !== (0, import_node_path12.resolve)(startDir)) {
+  if (artifactsAt && (0, import_node_path14.resolve)(artifactsAt) !== (0, import_node_path14.resolve)(startDir)) {
     M2.message(import_picocolors4.default.dim(`Using scan from: ${artifactsAt}`));
   } else {
     M2.message(import_picocolors4.default.dim(`Project folder: ${cwd}`));
@@ -12238,29 +12443,29 @@ async function runInteractiveSession(startDir = process.cwd()) {
 }
 // src/commands/condense.ts
-var import_promises9 = require("node:fs/promises");
-var import_node_path13 = require("node:path");
+var import_promises11 = require("node:fs/promises");
+var import_node_path15 = require("node:path");
 async function runCondenseCommand(options) {
   const dir = getProjectArtifactsDir(options.cwd);
-  const artifact = JSON.parse(await (0, import_promises9.readFile)((0, import_node_path13.join)(dir, "last-scan.json"), "utf8"));
-  const contextMapPath = (0, import_node_path13.join)(dir, "context-map.json");
-  await (0, import_promises9.writeFile)(contextMapPath, `${JSON.stringify(generateContextMap(artifact), null, 2)}
+  const artifact = JSON.parse(await (0, import_promises11.readFile)((0, import_node_path15.join)(dir, "last-scan.json"), "utf8"));
+  const contextMapPath = (0, import_node_path15.join)(dir, "context-map.json");
+  await (0, import_promises11.writeFile)(contextMapPath, `${JSON.stringify(generateContextMap(artifact), null, 2)}
 `, "utf8");
   return { contextMapPath };
 }
 // src/heal/apply.ts
-var import_promises11 = require("node:fs/promises");
-var import_node_fs8 = require("node:fs");
-var import_node_path16 = require("node:path");
+var import_promises13 = require("node:fs/promises");
+var import_node_fs10 = require("node:fs");
+var import_node_path19 = require("node:path");
 // src/heal/pathSafety.ts
-var import_node_path14 = require("node:path");
+var import_node_path16 = require("node:path");
 var BLOCKED_SEGMENTS = /* @__PURE__ */ new Set([".git", "node_modules", "dist", "build", ".next", ".viberaven"]);
 function assertSafeHealTarget(cwd, target) {
-  const root = (0, import_node_path14.resolve)(cwd);
-  const absolute = (0, import_node_path14.resolve)(root, target);
-  const rel = (0, import_node_path14.relative)(root, absolute);
+  const root = (0, import_node_path16.resolve)(cwd);
+  const absolute = (0, import_node_path16.resolve)(root, target);
+  const rel = (0, import_node_path16.relative)(root, absolute);
   if (rel.startsWith("..") || rel === "" || /^[A-Za-z]:/.test(rel)) {
     throw new Error("Heal target must stay inside the workspace");
   }
@@ -12283,9 +12488,9 @@ function applyEmptyCatchRecipe(source) {
 }
 // src/heal/recipes/index.ts
-var import_node_fs7 = require("node:fs");
-var import_promises10 = require("node:fs/promises");
-var import_node_path15 = require("node:path");
+var import_node_fs9 = require("node:fs");
+var import_promises12 = require("node:fs/promises");
+var import_node_path18 = require("node:path");
 // src/heal/recipes/envAuthSecret.ts
 function applyAuthSecretRecipe(source) {
@@ -12665,6 +12870,194 @@ function applyRateLimitRecipe(source, hasUpstash) {
   };
 }
+// src/heal/recipes/eslintRestrictedImports.ts
+var import_node_fs8 = require("node:fs");
+var import_node_path17 = require("node:path");
+var VIBERAVEN_ESLINT_MARKER = "VibeRaven heal: eslint_restricted_imports";
+var RESTRICTED_IMPORTS_MESSAGE = `Restricted import. Run ${PUBLIC_AGENT_MODE_COMMAND} before substituting packages.`;
+var RESTRICTED_PATHS = [
+  {
+    name: "@supabase/auth-helpers-nextjs",
+    message: RESTRICTED_IMPORTS_MESSAGE
+  },
+  {
+    name: "@supabase/auth-helpers-react",
+    message: RESTRICTED_IMPORTS_MESSAGE
+  }
+];
+var RESTRICTED_PATTERNS = [
+  {
+    group: ["@supabase/auth-helpers-*"],
+    message: RESTRICTED_IMPORTS_MESSAGE
+  }
+];
+var ESLINT_CONFIG_CANDIDATES = [
+  "eslint.config.js",
+  "eslint.config.mjs",
+  "eslint.config.ts",
+  "eslint.config.cjs",
+  ".eslintrc.json",
+  ".eslintrc.js",
+  ".eslintrc.cjs"
+];
+function detectEslintConfigFile(cwd) {
+  for (const candidate of ESLINT_CONFIG_CANDIDATES) {
+    if ((0, import_node_fs8.existsSync)((0, import_node_path17.join)(cwd, candidate))) {
+      return candidate;
+    }
+  }
+  return null;
+}
+function alreadyApplied(source) {
+  return source.includes(VIBERAVEN_ESLINT_MARKER) || source.includes(RESTRICTED_IMPORTS_MESSAGE) || /no-restricted-imports[\s\S]*@supabase\/auth-helpers-nextjs/.test(source);
+}
+function buildFlatConfigBlock() {
+  const pathsJson = JSON.stringify(RESTRICTED_PATHS, null, 2).replace(/\n/g, "\n    ");
+  const patternsJson = JSON.stringify(RESTRICTED_PATTERNS, null, 2).replace(/\n/g, "\n    ");
+  return `// ${VIBERAVEN_ESLINT_MARKER}
+{
+  rules: {
+    'no-restricted-imports': ['error', {
+      paths: ${pathsJson},
+      patterns: ${patternsJson},
+    }],
+  },
+},`;
+}
+function applyFlatConfigRecipe(source) {
+  if (alreadyApplied(source)) {
+    return { changed: false, output: source, canAutoApply: true };
+  }
+  const arrayExportMatch = /export\s+default\s+(\[[\s\S]*\])\s*;?\s*$/.exec(source);
+  if (arrayExportMatch) {
+    const closingBracket = source.lastIndexOf("]");
+    if (closingBracket === -1) {
+      return {
+        changed: false,
+        output: source,
+        canAutoApply: false,
+        reason: "cannot-parse-flat-config-array"
+      };
+    }
+    const output = `${source.slice(0, closingBracket)}
+  ${buildFlatConfigBlock()}
+${source.slice(closingBracket)}`;
+    return { changed: true, output, canAutoApply: true };
+  }
+  const defineConfigMatch = /defineConfig\(\s*(\[[\s\S]*\])\s*\)\s*;?\s*$/.exec(source);
+  if (defineConfigMatch) {
+    const closingBracket = source.lastIndexOf("]");
+    if (closingBracket === -1) {
+      return {
+        changed: false,
+        output: source,
+        canAutoApply: false,
+        reason: "cannot-parse-define-config-array"
+      };
+    }
+    const output = `${source.slice(0, closingBracket)}
+  ${buildFlatConfigBlock()}
+${source.slice(closingBracket)}`;
+    return { changed: true, output, canAutoApply: true };
+  }
+  return {
+    changed: false,
+    output: source,
+    canAutoApply: false,
+    reason: "unsupported-flat-config-shape"
+  };
+}
+function applyLegacyModuleRecipe(source) {
+  if (alreadyApplied(source)) {
+    return { changed: false, output: source, canAutoApply: true };
+  }
+  const ruleValue = JSON.stringify(
+    [
+      "error",
+      {
+        paths: RESTRICTED_PATHS,
+        patterns: RESTRICTED_PATTERNS
+      }
+    ],
+    null,
+    2
+  ).replace(/\n/g, "\n    ");
+  if (/module\.exports\s*=\s*\{/.test(source)) {
+    if (/\brules\s*:\s*\{/.test(source)) {
+      const output2 = source.replace(
+        /(\brules\s*:\s*\{)/,
+        `$1
+    // ${VIBERAVEN_ESLINT_MARKER}
+    'no-restricted-imports': ${ruleValue},`
+      );
+      return { changed: true, output: output2, canAutoApply: true };
+    }
+    const output = source.replace(
+      /(module\.exports\s*=\s*\{)/,
+      `$1
+  // ${VIBERAVEN_ESLINT_MARKER}
+  rules: {
+    'no-restricted-imports': ${ruleValue},
+  },`
+    );
+    return { changed: true, output, canAutoApply: true };
+  }
+  return {
+    changed: false,
+    output: source,
+    canAutoApply: false,
+    reason: "unsupported-legacy-eslint-module"
+  };
+}
+function applyJsonRecipe(source) {
+  let config;
+  try {
+    config = JSON.parse(source);
+  } catch {
+    return {
+      changed: false,
+      output: source,
+      canAutoApply: false,
+      reason: "invalid-eslint-json"
+    };
+  }
+  if (alreadyApplied(source)) {
+    return { changed: false, output: source, canAutoApply: true };
+  }
+  const rules = typeof config.rules === "object" && config.rules !== null && !Array.isArray(config.rules) ? { ...config.rules } : {};
+  if ("no-restricted-imports" in rules) {
+    return {
+      changed: false,
+      output: source,
+      canAutoApply: false,
+      reason: "no-restricted-imports-already-defined"
+    };
+  }
+  rules["no-restricted-imports"] = [
+    "error",
+    {
+      paths: RESTRICTED_PATHS,
+      patterns: RESTRICTED_PATTERNS
+    }
+  ];
+  config.rules = rules;
+  return {
+    changed: true,
+    output: `${JSON.stringify(config, null, 2)}
+`,
+    canAutoApply: true
+  };
+}
+function applyEslintRestrictedImportsRecipe(source, configFile) {
+  if (configFile.endsWith(".json")) {
+    return applyJsonRecipe(source);
+  }
+  if (configFile.startsWith("eslint.config.")) {
+    return applyFlatConfigRecipe(source);
+  }
+  return applyLegacyModuleRecipe(source);
+}
 // src/heal/recipes/index.ts
 function defaultTargetFile(gapId) {
   const map = {
@@ -12678,19 +13071,20 @@ function defaultTargetFile(gapId) {
     rls_disabled: "",
     // no file — provider-action
     missing_csp_header: "next.config.js",
-    missing_rate_limit: "middleware.ts"
+    missing_rate_limit: "middleware.ts",
+    eslint_restricted_imports: ""
   };
   return map[gapId];
 }
 async function readSourceOrEmpty(absolutePath) {
-  if (!(0, import_node_fs7.existsSync)(absolutePath)) return "";
-  return (0, import_promises10.readFile)(absolutePath, "utf8");
+  if (!(0, import_node_fs9.existsSync)(absolutePath)) return "";
+  return (0, import_promises12.readFile)(absolutePath, "utf8");
 }
 async function detectUpstash(cwd) {
   try {
-    const pkgPath = (0, import_node_path15.join)(cwd, "package.json");
-    if (!(0, import_node_fs7.existsSync)(pkgPath)) return false;
-    const raw = await (0, import_promises10.readFile)(pkgPath, "utf8");
+    const pkgPath = (0, import_node_path18.join)(cwd, "package.json");
+    if (!(0, import_node_fs9.existsSync)(pkgPath)) return false;
+    const raw = await (0, import_promises12.readFile)(pkgPath, "utf8");
     const pkg = JSON.parse(raw);
     const deps = {
       ...pkg["dependencies"] ?? {},
@@ -12705,7 +13099,7 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   const targetFile = explicitTarget ?? defaultTargetFile(gapId);
   if (targetFile === void 0) return null;
   if (gapId === "auth_secret_missing" || gapId === "node_env_not_set" || gapId === "database_url_missing") {
-    const absolutePath = (0, import_node_path15.join)(cwd, targetFile);
+    const absolutePath = (0, import_node_path18.join)(cwd, targetFile);
     const source = await readSourceOrEmpty(absolutePath);
     let result;
     if (gapId === "auth_secret_missing") result = applyAuthSecretRecipe(source);
@@ -12719,25 +13113,25 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
     };
   }
   if (gapId === "missing_error_boundary") {
-    const absolutePath = (0, import_node_path15.join)(cwd, "app/error.tsx");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/error.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyErrorBoundaryRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_health_route") {
-    const absolutePath = (0, import_node_path15.join)(cwd, "app/api/health/route.ts");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/api/health/route.ts");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyHealthRouteRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_loading_state") {
-    const absolutePath = (0, import_node_path15.join)(cwd, "app/loading.tsx");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/loading.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyLoadingStateRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_404_page") {
-    const absolutePath = (0, import_node_path15.join)(cwd, "app/not-found.tsx");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/not-found.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyNotFoundRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
@@ -12755,10 +13149,10 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   }
   if (gapId === "missing_csp_header") {
     let configFile = "next.config.js";
-    let absolutePath = (0, import_node_path15.join)(cwd, configFile);
-    if (!(0, import_node_fs7.existsSync)(absolutePath)) {
+    let absolutePath = (0, import_node_path18.join)(cwd, configFile);
+    if (!(0, import_node_fs9.existsSync)(absolutePath)) {
       configFile = "next.config.mjs";
-      absolutePath = (0, import_node_path15.join)(cwd, configFile);
+      absolutePath = (0, import_node_path18.join)(cwd, configFile);
     }
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyCspHeaderRecipe(source);
@@ -12770,7 +13164,7 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   }
   if (gapId === "missing_rate_limit") {
     const hasUpstash = await detectUpstash(cwd);
-    const middlewarePath = (0, import_node_path15.join)(cwd, "middleware.ts");
+    const middlewarePath = (0, import_node_path18.join)(cwd, "middleware.ts");
     const source = await readSourceOrEmpty(middlewarePath);
     const result = applyRateLimitRecipe(source, hasUpstash);
     return {
@@ -12780,6 +13174,30 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
       recipeName: gapId
     };
   }
+  if (gapId === "eslint_restricted_imports") {
+    const configFile = detectEslintConfigFile(cwd);
+    if (!configFile) {
+      return {
+        changed: false,
+        output: "",
+        targetFile: "",
+        canAutoApply: false,
+        reason: "no-eslint-config",
+        recipeName: gapId
+      };
+    }
+    const absolutePath = (0, import_node_path18.join)(cwd, configFile);
+    const source = await readSourceOrEmpty(absolutePath);
+    const result = applyEslintRestrictedImportsRecipe(source, configFile);
+    return {
+      changed: result.changed,
+      output: result.output,
+      targetFile: configFile,
+      canAutoApply: result.canAutoApply,
+      reason: result.reason,
+      recipeName: gapId
+    };
+  }
   return null;
 }
@@ -12843,14 +13261,14 @@ async function applyHeal(options) {
           rollback: { available: false, instructions: "Recipe matched but no change was needed (already applied or file already exists)." }
         };
       }
-      const absoluteTarget = (0, import_node_path16.join)(options.cwd, dispatched.targetFile);
+      const absoluteTarget = (0, import_node_path19.join)(options.cwd, dispatched.targetFile);
       assertSafeHealTarget(options.cwd, dispatched.targetFile);
-      await (0, import_promises11.mkdir)((0, import_node_path16.dirname)(absoluteTarget), { recursive: true });
-      const healDir2 = (0, import_node_path16.join)(options.cwd, ".viberaven", "heal", id);
-      await (0, import_promises11.mkdir)((0, import_node_path16.join)(healDir2, "before"), { recursive: true });
-      const beforeContent = (0, import_node_fs8.existsSync)(absoluteTarget) ? await (0, import_promises11.readFile)(absoluteTarget, "utf8") : "";
-      await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir2, "before", "target.txt"), beforeContent, "utf8");
-      await (0, import_promises11.writeFile)(absoluteTarget, dispatched.output, "utf8");
+      await (0, import_promises13.mkdir)((0, import_node_path19.dirname)(absoluteTarget), { recursive: true });
+      const healDir2 = (0, import_node_path19.join)(options.cwd, ".viberaven", "heal", id);
+      await (0, import_promises13.mkdir)((0, import_node_path19.join)(healDir2, "before"), { recursive: true });
+      const beforeContent = (0, import_node_fs10.existsSync)(absoluteTarget) ? await (0, import_promises13.readFile)(absoluteTarget, "utf8") : "";
+      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "before", "target.txt"), beforeContent, "utf8");
+      await (0, import_promises13.writeFile)(absoluteTarget, dispatched.output, "utf8");
       const patch2 = [
         `--- ${dispatched.targetFile}`,
         `+++ ${dispatched.targetFile}`,
@@ -12860,7 +13278,7 @@ async function applyHeal(options) {
         dispatched.output,
         ""
       ].join("\n");
-      await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir2, "patch.diff"), patch2, "utf8");
+      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "patch.diff"), patch2, "utf8");
       const result2 = {
         $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
         schemaVersion: "v1",
@@ -12871,7 +13289,7 @@ async function applyHeal(options) {
         gapId: options.gapId,
         recipe: dispatched.recipeName,
         target: dispatched.targetFile,
-        changedFiles: [(0, import_node_path16.relative)(options.cwd, absoluteTarget).replace(/\\/g, "/")],
+        changedFiles: [(0, import_node_path19.relative)(options.cwd, absoluteTarget).replace(/\\/g, "/")],
         artifacts: {
           patch: `.viberaven/heal/${id}/patch.diff`,
           result: `.viberaven/heal/${id}/result.json`
@@ -12881,7 +13299,7 @@ async function applyHeal(options) {
           instructions: "Restore .viberaven/heal/<healId>/before/target.txt to the target file or apply the reverse patch."
         }
       };
-      await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir2, "result.json"), `${JSON.stringify(result2, null, 2)}
+      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "result.json"), `${JSON.stringify(result2, null, 2)}
 `, "utf8");
       return result2;
     }
@@ -12901,7 +13319,7 @@ async function applyHeal(options) {
     };
   }
   const absolute = assertSafeHealTarget(options.cwd, options.target);
-  const before = await (0, import_promises11.readFile)(absolute, "utf8");
+  const before = await (0, import_promises13.readFile)(absolute, "utf8");
   const recipe = applyEmptyCatchRecipe(before);
   if (!recipe.changed) {
     return {
@@ -12918,10 +13336,10 @@ async function applyHeal(options) {
       rollback: { available: false, instructions: "No supported heal recipe matched this file." }
     };
   }
-  const healDir = (0, import_node_path16.join)(options.cwd, ".viberaven", "heal", id);
-  await (0, import_promises11.mkdir)((0, import_node_path16.join)(healDir, "before"), { recursive: true });
-  await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir, "before", "target.txt"), before, "utf8");
-  await (0, import_promises11.writeFile)(absolute, recipe.output, "utf8");
+  const healDir = (0, import_node_path19.join)(options.cwd, ".viberaven", "heal", id);
+  await (0, import_promises13.mkdir)((0, import_node_path19.join)(healDir, "before"), { recursive: true });
+  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "before", "target.txt"), before, "utf8");
+  await (0, import_promises13.writeFile)(absolute, recipe.output, "utf8");
   const patch = [
     `--- ${options.target}`,
     `+++ ${options.target}`,
@@ -12931,7 +13349,7 @@ async function applyHeal(options) {
     recipe.output,
     ""
   ].join("\n");
-  await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir, "patch.diff"), patch, "utf8");
+  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "patch.diff"), patch, "utf8");
   const result = {
     $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
     schemaVersion: "v1",
@@ -12942,7 +13360,7 @@ async function applyHeal(options) {
     gapId: options.gapId,
     recipe: "empty-catch-safe-response",
     target: options.target,
-    changedFiles: [(0, import_node_path16.relative)(options.cwd, absolute).replace(/\\/g, "/")],
+    changedFiles: [(0, import_node_path19.relative)(options.cwd, absolute).replace(/\\/g, "/")],
     artifacts: {
       patch: `.viberaven/heal/${id}/patch.diff`,
       result: `.viberaven/heal/${id}/result.json`
@@ -12952,20 +13370,20 @@ async function applyHeal(options) {
       instructions: "Restore .viberaven/heal/<healId>/before/target.txt to the target file or apply the reverse patch."
     }
   };
-  await (0, import_promises11.writeFile)((0, import_node_path16.join)(healDir, "result.json"), `${JSON.stringify(result, null, 2)}
+  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "result.json"), `${JSON.stringify(result, null, 2)}
 `, "utf8");
   return result;
 }
 // src/heal/plan.ts
-var import_promises12 = require("node:fs/promises");
-var import_node_path17 = require("node:path");
+var import_promises14 = require("node:fs/promises");
+var import_node_path20 = require("node:path");
 function healId2() {
   return `heal_${(/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14)}`;
 }
 async function writeHealPlan(options) {
-  const dir = (0, import_node_path17.join)(options.cwd, ".viberaven");
-  await (0, import_promises12.mkdir)(dir, { recursive: true });
+  const dir = (0, import_node_path20.join)(options.cwd, ".viberaven");
+  await (0, import_promises14.mkdir)(dir, { recursive: true });
   const id = healId2();
   const target = options.target ?? `gap:${options.gapId}`;
   const markdown = [
@@ -12992,21 +13410,21 @@ async function writeHealPlan(options) {
     artifacts: { plan: ".viberaven/heal-plan.md" },
     rollback: { available: false, instructions: "No source files were changed." }
   };
-  await (0, import_promises12.writeFile)((0, import_node_path17.join)(dir, "heal-plan.md"), markdown, "utf8");
-  await (0, import_promises12.writeFile)((0, import_node_path17.join)(dir, "heal-plan.json"), `${JSON.stringify(result, null, 2)}
+  await (0, import_promises14.writeFile)((0, import_node_path20.join)(dir, "heal-plan.md"), markdown, "utf8");
+  await (0, import_promises14.writeFile)((0, import_node_path20.join)(dir, "heal-plan.json"), `${JSON.stringify(result, null, 2)}
 `, "utf8");
   return result;
 }
 // src/heal/prompt.ts
-var import_promises13 = require("node:fs/promises");
-var import_node_path18 = require("node:path");
+var import_promises15 = require("node:fs/promises");
+var import_node_path21 = require("node:path");
 function healId3() {
   return `heal_${(/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14)}`;
 }
 async function writeHealPrompt(options) {
-  const dir = (0, import_node_path18.join)(options.cwd, ".viberaven");
-  await (0, import_promises13.mkdir)(dir, { recursive: true });
+  const dir = (0, import_node_path21.join)(options.cwd, ".viberaven");
+  await (0, import_promises15.mkdir)(dir, { recursive: true });
   const id = healId3();
   const target = options.target ?? `gap:${options.gapId}`;
   const prompt = [
@@ -13033,12 +13451,12 @@ async function writeHealPrompt(options) {
     artifacts: { prompt: ".viberaven/heal-prompt.md" },
     rollback: { available: false, instructions: "No source files were changed." }
   };
-  await (0, import_promises13.writeFile)((0, import_node_path18.join)(dir, "heal-prompt.md"), prompt, "utf8");
+  await (0, import_promises15.writeFile)((0, import_node_path21.join)(dir, "heal-prompt.md"), prompt, "utf8");
   return result;
 }
 // src/loopState.ts
-var import_promises14 = require("fs/promises");
+var import_promises16 = require("fs/promises");
 var import_path = require("path");
 var DEFAULT_LOOP_STATE = {
   batchApplied: 0,
@@ -13051,7 +13469,7 @@ function loopStatePath(workspaceRoot) {
 }
 async function loadLoopState(workspaceRoot) {
   try {
-    const raw = await (0, import_promises14.readFile)(loopStatePath(workspaceRoot), "utf8");
+    const raw = await (0, import_promises16.readFile)(loopStatePath(workspaceRoot), "utf8");
     const parsed = JSON.parse(raw);
     if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed) && typeof parsed.batchApplied === "number" && typeof parsed.lastGapCount === "number" && typeof parsed.stalledScans === "number") {
       const p2 = parsed;
@@ -13071,8 +13489,8 @@ async function loadLoopState(workspaceRoot) {
 async function saveLoopState(workspaceRoot, state) {
   try {
     const dir = (0, import_path.join)(workspaceRoot, ".viberaven");
-    await (0, import_promises14.mkdir)(dir, { recursive: true });
-    await (0, import_promises14.writeFile)(loopStatePath(workspaceRoot), JSON.stringify(state, null, 2) + "\n", "utf8");
+    await (0, import_promises16.mkdir)(dir, { recursive: true });
+    await (0, import_promises16.writeFile)(loopStatePath(workspaceRoot), JSON.stringify(state, null, 2) + "\n", "utf8");
   } catch (err) {
     console.warn("[VibeRaven] Could not save loop-state.json:", err instanceof Error ? err.message : String(err));
   }
@@ -13118,9 +13536,9 @@ async function runHealCommand(options) {
 }
 // src/stackRecommend.ts
-var import_promises15 = require("node:fs/promises");
-var import_node_fs9 = require("node:fs");
-var import_node_path19 = require("node:path");
+var import_promises17 = require("node:fs/promises");
+var import_node_fs11 = require("node:fs");
+var import_node_path22 = require("node:path");
 var DEFAULT_STACK = {
   frontend: "react",
   ui: "tailwind + shadcn/ui",
@@ -13131,11 +13549,11 @@ var DEFAULT_STACK = {
   reason: "Agent-default stack for lowest launch friction when repo signals are ambiguous"
 };
 async function recommendStack(cwd = process.cwd()) {
-  const pkgPath = (0, import_node_path19.join)(cwd, "package.json");
-  if (!(0, import_node_fs9.existsSync)(pkgPath)) {
+  const pkgPath = (0, import_node_path22.join)(cwd, "package.json");
+  if (!(0, import_node_fs11.existsSync)(pkgPath)) {
     return DEFAULT_STACK;
   }
-  const pkg = JSON.parse(await (0, import_promises15.readFile)(pkgPath, "utf-8"));
+  const pkg = JSON.parse(await (0, import_promises17.readFile)(pkgPath, "utf-8"));
   const deps = { ...pkg.dependencies, ...pkg.devDependencies };
   const names = Object.keys(deps).join(" ").toLowerCase();
   const rec = {
@@ -13177,24 +13595,29 @@ async function runInitCommand(options) {
     console.log(renderAgentRulesDryRun(targets));
     return 0;
   }
-  const results = await initAgentRules({
+  const output = await initAgentRules({
     cwd: options.cwd,
     targets,
     dryRun: false
   });
-  console.log(formatAgentRulesInitSummary(results));
+  console.log(formatAgentRulesInitSummary(output));
   return 0;
 }
 // src/commands/doctorAgents.ts
-var import_promises16 = require("node:fs/promises");
-var import_node_path20 = require("node:path");
+var import_promises18 = require("node:fs/promises");
+var import_node_path23 = require("node:path");
 var REQUIRED_EXISTENCE_CHECKS = [
   { id: "agents-md", file: "AGENTS.md" },
   { id: "claude-md", file: "CLAUDE.md" },
-  { id: "cursor-rule", file: ".cursor/rules/viberaven.mdc" },
+  { id: "cursor-core-rule", file: ".cursor/rules/viberaven-core.mdc" },
   { id: "copilot-instructions", file: ".github/copilot-instructions.md" }
 ];
+var OPTIONAL_CURSOR_PACK_CHECKS = [
+  { id: "cursor-supabase-rule", file: ".cursor/rules/viberaven-supabase-rls.mdc" },
+  { id: "cursor-deploy-rule", file: ".cursor/rules/viberaven-deploy.mdc" },
+  { id: "cursor-payments-rule", file: ".cursor/rules/viberaven-payments.mdc" }
+];
 var STALE_PATTERNS = [
   { id: "stale-beta-scan", pattern: "@beta scan" },
   { id: "stale-viberaven-station", pattern: "viberaven-station" },
@@ -13203,17 +13626,37 @@ var STALE_PATTERNS = [
 async function checkAgentInjection(cwd) {
   const checks = [];
   for (const item3 of REQUIRED_EXISTENCE_CHECKS) {
-    const exists = await fileExists((0, import_node_path20.join)(cwd, item3.file));
+    const exists = await fileExists2((0, import_node_path23.join)(cwd, item3.file));
     checks.push({
       id: item3.id,
       status: exists ? "pass" : "fail",
       message: exists ? `${item3.file} exists` : `Missing ${item3.file}`
     });
   }
+  for (const item3 of OPTIONAL_CURSOR_PACK_CHECKS) {
+    const exists = await fileExists2((0, import_node_path23.join)(cwd, item3.file));
+    checks.push({
+      id: item3.id,
+      status: exists ? "pass" : "fail",
+      message: exists ? `${item3.file} exists` : `Missing ${item3.file} \u2014 run npx -y viberaven init --agents all`
+    });
+  }
+  const legacyCursorPath = (0, import_node_path23.join)(cwd, ".cursor/rules/viberaven.mdc");
+  if (await fileExists2(legacyCursorPath)) {
+    const legacyContent = await (0, import_promises18.readFile)(legacyCursorPath, "utf-8");
+    const hasCoreSplit = await fileExists2((0, import_node_path23.join)(cwd, ".cursor/rules/viberaven-core.mdc"));
+    if (!hasCoreSplit || legacyContent.includes("alwaysApply: true")) {
+      checks.push({
+        id: "cursor-legacy-mdc",
+        status: "fail",
+        message: "Legacy .cursor/rules/viberaven.mdc detected \u2014 run npx -y viberaven init --agents all to migrate to the split Cursor pack"
+      });
+    }
+  }
   for (const target of CORE_AGENT_INJECTION_TARGETS) {
-    const file = AGENT_RULE_TARGETS[target].file;
-    const path = (0, import_node_path20.join)(cwd, file);
-    const exists = await fileExists(path);
+    const file = target === "cursor" ? ".cursor/rules/viberaven-core.mdc" : AGENT_RULE_TARGETS[target].file;
+    const path = (0, import_node_path23.join)(cwd, file);
+    const exists = await fileExists2(path);
     if (!exists) {
       checks.push({
         id: `canonical-${target}`,
@@ -13222,7 +13665,7 @@ async function checkAgentInjection(cwd) {
       });
       continue;
     }
-    const content = await (0, import_promises16.readFile)(path, "utf-8");
+    const content = await (0, import_promises18.readFile)(path, "utf-8");
     const hasCommand = content.includes(PUBLIC_AGENT_MODE_COMMAND);
     checks.push({
       id: `canonical-${target}`,
@@ -13254,9 +13697,9 @@ function formatDoctorAgentsReport(report) {
   lines.push(report.ok ? "All agent injection checks passed." : "Agent injection checks failed.");
   return lines.join("\n");
 }
-async function fileExists(path) {
+async function fileExists2(path) {
   try {
-    await (0, import_promises16.access)(path);
+    await (0, import_promises18.access)(path);
     return true;
   } catch {
     return false;
@@ -13270,6 +13713,205 @@ async function runDoctorAgentsCommand(options) {
   return report.ok ? 0 : 1;
 }
+// src/npm/popularPackages.ts
+var POPULAR_NPM_PACKAGES = [
+  "next",
+  "react",
+  "react-dom",
+  "vue",
+  "@vue/cli",
+  "express",
+  "lodash",
+  "axios",
+  "stripe",
+  "@stripe/stripe-js",
+  "supabase",
+  "@supabase/supabase-js",
+  "@prisma/client",
+  "prisma",
+  "typescript",
+  "eslint",
+  "prettier",
+  "tailwindcss",
+  "vite",
+  "zod",
+  "dotenv",
+  "jsonwebtoken",
+  "bcrypt",
+  "mongoose",
+  "pg",
+  "redis",
+  "ioredis",
+  "winston",
+  "@sentry/node",
+  "@sentry/nextjs",
+  "firebase",
+  "@clerk/nextjs",
+  "openai",
+  "@anthropic-ai/sdk",
+  "vercel",
+  "@vercel/analytics"
+];
+// src/npm/validateNpmPackage.ts
+var REGISTRY_BASE = "https://registry.npmjs.org";
+var NEW_PACKAGE_DAYS = 14;
+var TYPOSQUAT_MAX_DISTANCE = 2;
+var LOW_PUBLISH_COUNT = 3;
+function levenshteinDistance(a, b3) {
+  if (a === b3) return 0;
+  if (a.length === 0) return b3.length;
+  if (b3.length === 0) return a.length;
+  const matrix = Array.from(
+    { length: a.length + 1 },
+    () => Array.from({ length: b3.length + 1 }, () => 0)
+  );
+  for (let i = 0; i <= a.length; i += 1) matrix[i][0] = i;
+  for (let j2 = 0; j2 <= b3.length; j2 += 1) matrix[0][j2] = j2;
+  for (let i = 1; i <= a.length; i += 1) {
+    for (let j2 = 1; j2 <= b3.length; j2 += 1) {
+      const cost = a[i - 1] === b3[j2 - 1] ? 0 : 1;
+      matrix[i][j2] = Math.min(
+        matrix[i - 1][j2] + 1,
+        matrix[i][j2 - 1] + 1,
+        matrix[i - 1][j2 - 1] + cost
+      );
+    }
+  }
+  return matrix[a.length][b3.length];
+}
+function daysSince(isoDate, now = Date.now()) {
+  const created = Date.parse(isoDate);
+  if (!Number.isFinite(created)) return Number.POSITIVE_INFINITY;
+  return (now - created) / (1e3 * 60 * 60 * 24);
+}
+function closestPopularPackage(name) {
+  let best = null;
+  for (const popular of POPULAR_NPM_PACKAGES) {
+    const distance = levenshteinDistance(name, popular);
+    if (distance <= TYPOSQUAT_MAX_DISTANCE && (!best || distance < best.distance)) {
+      best = { pkg: popular, distance };
+    }
+  }
+  return best;
+}
+function buildBase(name) {
+  const normalized = name.trim().toLowerCase();
+  return {
+    name: normalized,
+    registryUrl: `${REGISTRY_BASE}/${encodeURIComponent(normalized)}`,
+    followUpCommand: PUBLIC_AGENT_MODE_COMMAND
+  };
+}
+async function validateNpmPackage(name, options) {
+  const fetchFn = options?.fetch ?? fetch;
+  const now = options?.now ?? Date.now();
+  const base = buildBase(name);
+  if (!base.name) {
+    return {
+      ...base,
+      verdict: "not_found",
+      reasons: ["Package name is empty."]
+    };
+  }
+  let response;
+  try {
+    response = await fetchFn(base.registryUrl);
+  } catch {
+    return {
+      ...base,
+      verdict: "not_found",
+      reasons: ["Could not reach the public npm registry."]
+    };
+  }
+  if (response.status === 404) {
+    return {
+      ...base,
+      verdict: "not_found",
+      reasons: [`Package "${base.name}" was not found on the public npm registry.`]
+    };
+  }
+  if (!response.ok) {
+    return {
+      ...base,
+      verdict: "suspicious",
+      reasons: [`Unexpected npm registry response: HTTP ${response.status}.`]
+    };
+  }
+  const data = await response.json();
+  const reasons = [];
+  let suspicious = false;
+  const created = data.time?.created;
+  if (created) {
+    const ageDays = daysSince(created, now);
+    const closest = closestPopularPackage(base.name);
+    if (ageDays < NEW_PACKAGE_DAYS && closest && closest.pkg !== base.name) {
+      suspicious = true;
+      reasons.push(
+        `Package was published ${Math.max(0, Math.floor(ageDays))} day(s) ago and its name is within ${TYPOSQUAT_MAX_DISTANCE} character edits of popular package "${closest.pkg}".`
+      );
+    }
+  }
+  const description = (data.description ?? "").trim();
+  const maintainerCount = Array.isArray(data.maintainers) ? data.maintainers.length : 0;
+  const publishCount = data.versions ? Object.keys(data.versions).length : 0;
+  if (!description && maintainerCount === 0 && publishCount <= LOW_PUBLISH_COUNT) {
+    suspicious = true;
+    reasons.push(
+      "Package has an empty description, no listed maintainers, and very few published versions."
+    );
+  }
+  if (suspicious) {
+    return { ...base, verdict: "suspicious", reasons };
+  }
+  return {
+    ...base,
+    verdict: "ok",
+    reasons: ["Package exists on the public npm registry with no v1 suspicious signals."]
+  };
+}
+async function validateNpmPackages(names, options) {
+  return Promise.all(names.map((name) => validateNpmPackage(name, options)));
+}
+// src/commands/runValidateNpmPackage.ts
+async function runValidateNpmPackageCommand(options) {
+  const names = options.names.map((name) => name.trim()).filter(Boolean);
+  if (names.length === 0) {
+    console.error("Usage: viberaven validate-npm-package [--json] <package> [package...]");
+    return 1;
+  }
+  const results = names.length === 1 ? [await validateNpmPackage(names[0])] : await validateNpmPackages(names);
+  const payload = names.length === 1 ? results[0] : { results };
+  if (options.json) {
+    console.log(JSON.stringify(payload, null, 2));
+  } else {
+    for (const result of results) {
+      console.log(`${result.name}: ${result.verdict}`);
+      for (const reason of result.reasons) {
+        console.log(`  - ${reason}`);
+      }
+      console.log(`  followUp: ${result.followUpCommand}`);
+    }
+  }
+  const hasBlocking = results.some((result) => result.verdict !== "ok");
+  return hasBlocking ? 2 : 0;
+}
+// src/commands/runAudit.ts
+async function runAuditCommand(input) {
+  const auditInput = await collectVercelSupabaseAuditInput(input.cwd);
+  const result = buildVercelSupabaseAudit(auditInput);
+  if (input.json) {
+    process.stdout.write(`${JSON.stringify(result, null, 2)}
+`);
+  } else {
+    process.stdout.write(`${renderVercelSupabaseAudit(result)}
+`);
+  }
+  return result.status === "pass" ? 0 : 1;
+}
 // src/output/nextActionBlock.ts
 function buildNextActionBlock(tasks, loopState, plan) {
   const batchSize = plan === "pro" ? 10 : 3;
@@ -13389,9 +14031,9 @@ function printNextActionBlock(block) {
 }
 // src/providerMcpBridge.ts
-var import_node_fs10 = require("node:fs");
+var import_node_fs12 = require("node:fs");
 var import_node_os2 = require("node:os");
-var import_node_path21 = require("node:path");
+var import_node_path24 = require("node:path");
 var UPGRADE_URL4 = "https://viberaven.dev/pricing";
 var FALLBACK_COMMAND = "npx -y viberaven audit --vercel-supabase --json";
 var SUPPORTED_PROVIDERS = /* @__PURE__ */ new Set(["supabase", "vercel"]);
@@ -13399,9 +14041,9 @@ var configPathsOverride;
 function defaultMcpConfigPaths() {
   const home = (0, import_node_os2.homedir)();
   return [
-    (0, import_node_path21.join)(home, ".config", "claude", "claude_desktop_config.json"),
-    (0, import_node_path21.join)(home, ".cursor", "mcp.json"),
-    (0, import_node_path21.join)(home, ".gemini", "antigravity", "mcp_config.json")
+    (0, import_node_path24.join)(home, ".config", "claude", "claude_desktop_config.json"),
+    (0, import_node_path24.join)(home, ".cursor", "mcp.json"),
+    (0, import_node_path24.join)(home, ".gemini", "antigravity", "mcp_config.json")
   ];
 }
 function resolveConfigPaths() {
@@ -13430,11 +14072,11 @@ function findServerEntry(servers, provider2) {
 function findProviderMcpConfig(provider2, configPaths) {
   const paths = configPaths ?? resolveConfigPaths();
   for (const path of paths) {
-    if (!(0, import_node_fs10.existsSync)(path)) {
+    if (!(0, import_node_fs12.existsSync)(path)) {
       continue;
     }
     try {
-      const raw = JSON.parse((0, import_node_fs10.readFileSync)(path, "utf8"));
+      const raw = JSON.parse((0, import_node_fs12.readFileSync)(path, "utf8"));
       const servers = parseMcpServers(raw);
       if (!servers) {
         continue;
@@ -13550,6 +14192,9 @@ Usage:
   viberaven doctor --agents [path]
                        Verify agent instruction files and canonical commands
+  viberaven audit --vercel-supabase [--json] [path]
+                       Local Vercel/Supabase repo evidence audit (RLS, pooler, secrets)
 Agent workflow (Claude Code / Codex):
@@ -13636,6 +14281,7 @@ function isBooleanFlag(command, key) {
   if (key === "open" && (command === "" || command === "scan" || command === "report")) return true;
   if (key === "verify" && command === "") return true;
   if (key === "vercel-supabase" && command === "audit") return true;
+  if (key === "json" && command === "validate-npm-package") return true;
   if (key === "dry-run" && command === "init") return true;
   if (key === "agents" && command === "doctor") return true;
   return false;
@@ -13654,7 +14300,7 @@ async function guardEarlyVerifyScan(input) {
   if (!verifyLike) {
     return void 0;
   }
-  const workspacePath = input.positional[0] ? (0, import_node_path22.join)(process.cwd(), input.positional[0]) : await resolveWorkspaceRoot(process.cwd());
+  const workspacePath = input.positional[0] ? (0, import_node_path25.join)(process.cwd(), input.positional[0]) : await resolveWorkspaceRoot(process.cwd());
   const loopState = await loadLoopState(workspacePath);
   if (loopState.batchApplied <= 0) {
     return void 0;
@@ -13730,7 +14376,7 @@ async function cmdStatus(flags, positional) {
     console.log("Not signed in. Run: viberaven login");
     return 1;
   }
-  const startDir = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
   let artifact;
   try {
     artifact = await loadLastArtifact(startDir);
@@ -13884,7 +14530,7 @@ async function cmdWatch(flags) {
   }
 }
 async function runScanCommand(flags, positional, options) {
-  const workspacePath = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : await resolveWorkspaceRoot(process.cwd());
+  const workspacePath = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : await resolveWorkspaceRoot(process.cwd());
   const apiBaseUrl = resolveApiBaseUrl(typeof flags["api-url"] === "string" ? flags["api-url"] : void 0);
   let accessToken;
   try {
@@ -13962,7 +14608,7 @@ async function runScanCommand(flags, positional, options) {
   return { exitCode: 0, artifacts: paths };
 }
 async function cmdReport(flags, positional) {
-  const startDir = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
   try {
     const paths = await refreshReportFromDisk(startDir);
     console.log(`Report refreshed: ${paths.reportPath}`);
@@ -13984,7 +14630,7 @@ async function cmdReport(flags, positional) {
   }
 }
 async function cmdPrompt(flags, positional) {
-  const startDir = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
   let artifact;
   try {
     artifact = await loadLastArtifact(startDir);
@@ -14082,7 +14728,7 @@ async function main() {
   const wantsJsonl = hasFlag(flags, "jsonl");
   const wantsStrict = hasFlag(flags, "strict");
   if (flags.condense) {
-    const cwd = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd();
+    const cwd = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
     const result = await runCondenseCommand({ cwd });
     console.log(`VibeRaven context map refreshed: ${result.contextMapPath}`);
     return 0;
@@ -14111,7 +14757,7 @@ async function main() {
       console.error("VibeRaven could not produce machine output because scan artifacts were not written.");
       return 3;
     }
-    const gateResult = scanResult.artifacts && (wantsJson || wantsJsonl || wantsStrict) ? JSON.parse(await (0, import_promises17.readFile)(scanResult.artifacts.gateResultPath, "utf8")) : void 0;
+    const gateResult = scanResult.artifacts && (wantsJson || wantsJsonl || wantsStrict) ? JSON.parse(await (0, import_promises19.readFile)(scanResult.artifacts.gateResultPath, "utf8")) : void 0;
     const strictExitCode = wantsStrict && gateResult ? exitCodeForStrictGate(gateResult, { failOnWarnings: flags.strict === "warning" }) : scanResult.exitCode;
     if (wantsJson && gateResult) {
       process.stdout.write(renderGateResultJson(gateResult));
@@ -14146,7 +14792,7 @@ async function main() {
     case "next":
       return runNextCommand({
         json: Boolean(flags.json),
-        cwd: positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd()
+        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd()
       });
     case "guide": {
       const provider2 = positional[0];
@@ -14184,7 +14830,7 @@ async function main() {
     case "provider-verify":
       return cmdProviderVerify(flags, positional);
     case "init": {
-      const cwd = positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd();
+      const cwd = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
       const agents = typeof flags.agents === "string" ? flags.agents : void 0;
       return runInitCommand({
         cwd,
@@ -14198,7 +14844,21 @@ async function main() {
         return 1;
       }
       return runDoctorAgentsCommand({
-        cwd: positional[0] ? (0, import_node_path22.join)(process.cwd(), positional[0]) : process.cwd()
+        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd()
+      });
+    case "validate-npm-package":
+      return runValidateNpmPackageCommand({
+        names: positional,
+        json: Boolean(flags.json)
+      });
+    case "audit":
+      if (flags["vercel-supabase"] !== true) {
+        console.error("Usage: viberaven audit --vercel-supabase [--json] [path]");
+        return 1;
+      }
+      return runAuditCommand({
+        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd(),
+        json: Boolean(flags.json)
       });
     default:
       console.error(`Unknown command: ${command}`);