@viberaven/cli 1.0.5 → 1.1.0

package/dist/cli.js

@@ -31,9 +31,9 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// ../../node_modules/picocolors/picocolors.js
+// ../../../../node_modules/picocolors/picocolors.js
 var require_picocolors = __commonJS({
-  "../../node_modules/picocolors/picocolors.js"(exports2, module2) {
+  "../../../../node_modules/picocolors/picocolors.js"(exports2, module2) {
     var p2 = process || {};
     var argv = p2.argv || [];
     var env = p2.env || {};
@@ -103,9 +103,9 @@ var require_picocolors = __commonJS({
   }
 });
 
-// ../../node_modules/sisteransi/src/index.js
+// ../../../../node_modules/sisteransi/src/index.js
 var require_src = __commonJS({
-  "../../node_modules/sisteransi/src/index.js"(exports2, module2) {
+  "../../../../node_modules/sisteransi/src/index.js"(exports2, module2) {
     "use strict";
     var ESC = "\x1B";
     var CSI = `${ESC}[`;
@@ -171,7 +171,7 @@ __export(cli_exports, {
 });
 module.exports = __toCommonJS(cli_exports);
 var import_promises19 = require("node:fs/promises");
-var import_node_path25 = require("node:path");
+var import_node_path26 = require("node:path");
 
 // src/config.ts
 var import_node_os = require("node:os");
@@ -7992,7 +7992,7 @@ async function runProjectScan(options) {
 
 // src/artifacts.ts
 var import_promises5 = require("node:fs/promises");
-var import_node_path8 = require("node:path");
+var import_node_path9 = require("node:path");
 
 // src/capabilities/classify.ts
 function gapText(gap) {
@@ -8853,7 +8853,11 @@ function buildProviderAction(gap, provider2) {
       envKeyExample: void 0,
       // Use step title as the done signal
       doneSignal: `${step.title} step completed`,
-      verifyCommand: PUBLIC_VERIFY_COMMAND
+      verifyCommand: PUBLIC_VERIFY_COMMAND,
+      actionClass: "manual_provider_step",
+      approvalRequired: true,
+      manualFallback: `Open ${step.openUrl ?? `https://${provider2}.com`} and complete: ${step.instruction}`,
+      copyValues: []
     };
   } catch {
     return void 0;
@@ -9407,27 +9411,179 @@ function sanitizeArtifactForDisk(artifact) {
   return redactUnknown(artifact);
 }
 
+// src/version.ts
+var VERSION = "1.1.0";
+
+// src/prp/buildPrp.ts
+var import_node_path8 = require("node:path");
+
+// src/prp/types.ts
+var PRP_SCHEMA_URL = "https://schemas.viberaven.dev/prp/v0.1/schema.json";
+var PRP_PROTOCOL = "viberaven-production-protocol";
+var PRP_PROTOCOL_VERSION = "0.1.0";
+
+// src/prp/buildPrp.ts
+var ONE_DAY_MS = 24 * 60 * 60 * 1e3;
+var REDACTED = "<redacted>";
+var SENSITIVE_JSON_KEY_PATTERN = /secret|token|api[_-]?key|apikey|password|private[_-]?key|database[_-]?url|connection[_-]?string|service[_-]?role|role[_-]?key/i;
+function buildProductionProtocolReport(options) {
+  const profile = options.profile ?? "launch";
+  const generatedAt = options.artifact.scannedAt;
+  const expiresAt = new Date(new Date(generatedAt).getTime() + ONE_DAY_MS).toISOString();
+  const evidence = buildEvidence(options.artifact);
+  const nextActions = buildNextActions(options.tasks);
+  const findings = buildFindings(options.artifact, nextActions);
+  return {
+    $schema: PRP_SCHEMA_URL,
+    protocol: PRP_PROTOCOL,
+    protocolVersion: PRP_PROTOCOL_VERSION,
+    producer: {
+      name: "viberaven",
+      version: options.producerVersion
+    },
+    subject: {
+      projectName: sanitizePrpText((0, import_node_path8.basename)(options.artifact.workspacePath) || "workspace"),
+      framework: sanitizePrpText(options.artifact.archetype || "unknown"),
+      packageManager: "unknown",
+      deploymentTarget: sanitizePrpText(options.artifact.selectedProviders?.deployment ?? "unknown"),
+      environment: "production"
+    },
+    profile,
+    decision: {
+      status: resolveDecisionStatus(options.artifact),
+      generatedAt,
+      expiresAt,
+      summary: summarizeDecision(options.artifact)
+    },
+    findings,
+    evidence,
+    nextActions,
+    agentInstructions: {
+      mustRead: [".viberaven/prp.json", ".viberaven/mission-map.md", ".viberaven/context-map.json"],
+      doNotDeployUntil: [
+        "decision.status is not blocked",
+        "critical nextActions are resolved or explicitly accepted"
+      ]
+    }
+  };
+}
+function resolveDecisionStatus(artifact) {
+  if (artifact.gaps.some((gap) => gap.severity === "critical")) return "blocked";
+  if (artifact.gaps.some((gap) => gap.severity === "warning")) return "warning";
+  return "clear";
+}
+function summarizeDecision(artifact) {
+  const critical = artifact.gaps.filter((gap) => gap.severity === "critical").length;
+  const warning = artifact.gaps.filter((gap) => gap.severity === "warning").length;
+  if (critical > 0) return `${critical} production blocker${critical === 1 ? "" : "s"} found`;
+  if (warning > 0) return `${warning} production warning${warning === 1 ? "" : "s"} found`;
+  return "No production blockers found";
+}
+function buildEvidence(artifact) {
+  return artifact.gaps.map((gap) => {
+    const gapId = safePrpId(gap.id);
+    return {
+      id: `evidence.${gapId}.repo`,
+      kind: "repo",
+      status: evidenceStatusForGapSeverity(gap.severity),
+      source: sanitizePrpText(String(gap.file ?? gap.primaryMapCategory ?? "repo")),
+      summary: sanitizePrpText(gap.detail || gap.title || gap.id)
+    };
+  });
+}
+function evidenceStatusForGapSeverity(severity) {
+  if (severity === "critical" || severity === "warning") return "missing";
+  return "inconclusive";
+}
+function buildFindings(artifact, nextActions) {
+  return artifact.gaps.map((gap) => {
+    const gapId = safePrpId(gap.id);
+    return {
+      id: gapId,
+      severity: gap.severity,
+      category: sanitizePrpText(String(gap.primaryMapCategory ?? "unknown")),
+      summary: sanitizePrpText(gap.title || gap.id),
+      evidenceRefs: [`evidence.${gapId}.repo`],
+      nextActionRefs: nextActions.some((action) => action.gapId === sanitizePrpText(gap.id)) ? [`action.${gapId}`] : []
+    };
+  });
+}
+function buildNextActions(tasks) {
+  return tasks.map((task) => ({
+    id: `action.${safePrpId(task.gapId)}`,
+    title: sanitizePrpText(task.title),
+    actionClass: actionClassForTask(task),
+    requiresUserAction: task.requiresUserAction,
+    approvalRequired: task.requiresUserAction,
+    verifyCommand: sanitizePrpText(task.verifyCommand || PUBLIC_VERIFY_COMMAND),
+    gapId: sanitizePrpText(task.gapId),
+    provider: sanitizeOptionalPrpText(task.providerAction?.provider),
+    dashboardUrl: sanitizeOptionalPrpText(task.providerAction?.dashboardUrl),
+    manualFallback: sanitizeOptionalPrpText(task.providerAction?.exactStep ?? task.action),
+    mcpTool: sanitizeOptionalPrpText(task.mcpTool),
+    mcpArgs: sanitizePrpJsonObject(task.mcpArgs)
+  }));
+}
+function actionClassForTask(task) {
+  if (task.fixType === "repo-code") return "local_repo_write";
+  if (task.fixType === "provider-action") return "manual_provider_step";
+  if (task.fixType === "manual-verify") return "local_repo_read";
+  return "manual_provider_step";
+}
+function safeId(value) {
+  return value.trim().toLowerCase().replace(/[^a-z0-9]+/g, "_").replace(/^_+|_+$/g, "") || "unknown";
+}
+function safePrpId(value) {
+  return safeId(sanitizePrpText(value));
+}
+function sanitizeOptionalPrpText(value) {
+  return value === void 0 ? void 0 : sanitizePrpText(value);
+}
+function sanitizePrpJsonObject(value) {
+  return value === void 0 ? void 0 : sanitizePrpJsonValue(value);
+}
+function sanitizePrpJsonValue(value) {
+  if (typeof value === "string") return sanitizePrpText(value);
+  if (Array.isArray(value)) return value.map((item3) => sanitizePrpJsonValue(item3));
+  if (value && typeof value === "object") {
+    return Object.fromEntries(
+      Object.entries(value).map(([key, item3]) => [
+        sanitizePrpText(key),
+        SENSITIVE_JSON_KEY_PATTERN.test(key) ? REDACTED : sanitizePrpJsonValue(item3)
+      ])
+    );
+  }
+  return value;
+}
+function sanitizePrpText(value) {
+  return value.replace(/-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g, REDACTED).replace(/\b[a-z][a-z0-9+.-]*:\/\/[^\s/@]+:[^\s/@]+@[^\s,;)]+/gi, REDACTED).replace(/\b(?:postgres(?:ql)?|mongodb(?:\+srv)?|redis(?:s)?|mysql|mariadb):\/\/[^\s/@:]+:[^\s/@]+@[^\s,;)]+/gi, REDACTED).replace(/\b(?:redis(?:s)?):\/\/:[^\s/@]+@[^\s,;)]+/gi, REDACTED).replace(
+    /\b([A-Za-z_][A-Za-z0-9_]*(?:SECRET|TOKEN|PASSWORD|PRIVATE[_-]?KEY|API[_-]?KEY|APIKEY|SERVICE[_-]?ROLE|DATABASE[_-]?URL|CONNECTION[_-]?STRING)[A-Za-z0-9_]*)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s,;]+)/gi,
+    `$1=${REDACTED}`
+  ).replace(/\bBearer\s+[A-Za-z0-9._~+/=-]{8,}/gi, `Bearer ${REDACTED}`).replace(/(^|[^A-Za-z0-9])whsec_[A-Za-z0-9_]+/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])sk_(live|test)_[A-Za-z0-9_]+/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])pk_(live|test)_[A-Za-z0-9_]+/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])sk-(?:proj-)?[A-Za-z0-9_-]{8,}/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])gh[oprsu]_[A-Za-z0-9_]{16,}/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])github_pat_[A-Za-z0-9_]{16,}/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])(sb|supabase|vercel|stripe)_[A-Za-z0-9_]*\d[A-Za-z0-9_]{15,}/gi, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9_-])[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}(?=$|[^A-Za-z0-9_-])/g, `$1${REDACTED}`).replace(/\b[A-Za-z0-9+/]{32,}={0,2}\b/g, REDACTED);
+}
+
 // src/artifacts.ts
 async function copyReportAssets(reportAssetsDir) {
   const sourceDir = getBundledReportAssetsDir();
-  await (0, import_promises5.mkdir)((0, import_node_path8.join)(reportAssetsDir, "assets"), { recursive: true });
+  await (0, import_promises5.mkdir)((0, import_node_path9.join)(reportAssetsDir, "assets"), { recursive: true });
   for (const rel of REPORT_ASSET_FILES) {
-    await (0, import_promises5.copyFile)((0, import_node_path8.join)(sourceDir, rel), (0, import_node_path8.join)(reportAssetsDir, rel));
+    await (0, import_promises5.copyFile)((0, import_node_path9.join)(sourceDir, rel), (0, import_node_path9.join)(reportAssetsDir, rel));
   }
 }
 async function writeScanArtifacts(options) {
   const cwd = options.cwd ?? options.artifact.workspacePath;
   const dir = getProjectArtifactsDir(cwd);
   await (0, import_promises5.mkdir)(dir, { recursive: true });
-  const jsonPath = (0, import_node_path8.join)(dir, "last-scan.json");
-  const gateResultPath = (0, import_node_path8.join)(dir, "gate-result.json");
-  const contextMapPath = (0, import_node_path8.join)(dir, "context-map.json");
-  const gapsDir = (0, import_node_path8.join)(dir, "gaps");
-  const tasklistPath = (0, import_node_path8.join)(dir, "agent-tasklist.md");
-  const summaryPath = (0, import_node_path8.join)(dir, "agent-summary.md");
-  const playbookPath = (0, import_node_path8.join)(dir, "launch-playbook.md");
-  const reportPath = (0, import_node_path8.join)(dir, "report.html");
-  const reportAssetsDir = (0, import_node_path8.join)(dir, "report");
+  const jsonPath = (0, import_node_path9.join)(dir, "last-scan.json");
+  const gateResultPath = (0, import_node_path9.join)(dir, "gate-result.json");
+  const contextMapPath = (0, import_node_path9.join)(dir, "context-map.json");
+  const gapsDir = (0, import_node_path9.join)(dir, "gaps");
+  const prpPath = (0, import_node_path9.join)(dir, "prp.json");
+  const tasklistPath = (0, import_node_path9.join)(dir, "agent-tasklist.md");
+  const summaryPath = (0, import_node_path9.join)(dir, "agent-summary.md");
+  const playbookPath = (0, import_node_path9.join)(dir, "launch-playbook.md");
+  const reportPath = (0, import_node_path9.join)(dir, "report.html");
+  const reportAssetsDir = (0, import_node_path9.join)(dir, "report");
   await (0, import_promises5.mkdir)(gapsDir, { recursive: true });
   const safe = sanitizeArtifactForDisk(options.artifact);
   const json = `${JSON.stringify(safe, null, 2)}
@@ -9437,6 +9593,12 @@ async function writeScanArtifacts(options) {
   const html = generateReportHtml(safe);
   const tasks = buildTaskList(safe);
   const tasklist = buildTaskListMarkdown(tasks);
+  const prp = `${JSON.stringify(buildProductionProtocolReport({
+    artifact: safe,
+    tasks,
+    producerVersion: VERSION
+  }), null, 2)}
+`;
   const gateResult = `${JSON.stringify(generateGateResult(safe), null, 2)}
 `;
   const contextMap = `${JSON.stringify(generateContextMap(safe), null, 2)}
@@ -9446,9 +9608,10 @@ async function writeScanArtifacts(options) {
   await (0, import_promises5.writeFile)(gateResultPath, gateResult, "utf-8");
   await (0, import_promises5.writeFile)(contextMapPath, contextMap, "utf-8");
   for (const gap of gapEvidenceFiles) {
-    await (0, import_promises5.writeFile)((0, import_node_path8.join)(dir, "gaps", `${gap.content.id}.json`), `${JSON.stringify(gap.content, null, 2)}
+    await (0, import_promises5.writeFile)((0, import_node_path9.join)(dir, "gaps", `${gap.content.id}.json`), `${JSON.stringify(gap.content, null, 2)}
 `, "utf-8");
   }
+  await (0, import_promises5.writeFile)(prpPath, prp, "utf-8");
   await (0, import_promises5.writeFile)(tasklistPath, tasklist, "utf-8");
   await (0, import_promises5.writeFile)(jsonPath, json, "utf-8");
   await (0, import_promises5.writeFile)(summaryPath, summary, "utf-8");
@@ -9460,6 +9623,7 @@ async function writeScanArtifacts(options) {
     gateResultPath,
     contextMapPath,
     gapsDir,
+    prpPath,
     tasklistPath,
     summaryPath,
     playbookPath,
@@ -9495,6 +9659,28 @@ function renderJsonlEvents(result) {
 `;
 }
 
+// src/output/prpSummary.ts
+function renderProductionProtocolSummary(prp) {
+  const nextAction = prp.nextActions[0];
+  const lines = [
+    "",
+    "VibeRaven Production Protocol",
+    "",
+    `Profile: ${prp.profile}`,
+    `Decision: ${prp.decision.status.toUpperCase()}`,
+    "Canonical artifact: .viberaven/prp.json",
+    ""
+  ];
+  if (nextAction) {
+    lines.push("Next action:", nextAction.title, "");
+    lines.push("Why:", prp.decision.summary);
+  } else {
+    lines.push("Next action:", "No production blockers found.", "");
+    lines.push("Why:", prp.decision.summary);
+  }
+  return lines.join("\n");
+}
+
 // src/commands/strictGate.ts
 function exitCodeForStrictGate(result, options = {}) {
   if (result.gate.status === "error") return 2;
@@ -9705,7 +9891,7 @@ function printScanSummary(artifact, paths) {
 
 // src/runnerConnect.ts
 var import_promises6 = require("node:fs/promises");
-var import_node_path9 = require("node:path");
+var import_node_path10 = require("node:path");
 var import_node_child_process3 = require("node:child_process");
 var import_node_crypto = require("node:crypto");
 
@@ -9800,11 +9986,11 @@ function validateSafeFixRelativePath(path) {
   if (segments.some((segment) => segment === ".git" || segment === "node_modules")) {
     return { ok: false, reason: "Safe fix path targets a blocked directory." };
   }
-  const basename3 = segments.at(-1)?.toLowerCase() ?? "";
-  if (basename3 !== ".env.example" && (basename3 === ".env" || basename3.startsWith(".env."))) {
+  const basename4 = segments.at(-1)?.toLowerCase() ?? "";
+  if (basename4 !== ".env.example" && (basename4 === ".env" || basename4.startsWith(".env."))) {
     return { ok: false, reason: "Safe fix path targets an environment secret file." };
   }
-  if (isSecretLikeFilename(basename3)) {
+  if (isSecretLikeFilename(basename4)) {
     return { ok: false, reason: "Safe fix path targets a secret-like file." };
   }
   if (!isAllowedSafeFixPath(normalized)) {
@@ -10053,7 +10239,7 @@ async function createSafeFixFile(job, input, targetPath) {
   } catch {
   }
   try {
-    await (0, import_promises6.mkdir)((0, import_node_path9.dirname)(targetPath), { recursive: true });
+    await (0, import_promises6.mkdir)((0, import_node_path10.dirname)(targetPath), { recursive: true });
     await writeNewFileAtomically(targetPath, input.content);
   } catch {
     return safeFixNeedsUser(job, "SAFE_FIX_WRITE_FAILED", `Could not create ${input.path}.`);
@@ -10121,12 +10307,12 @@ function safeFixNeedsUser(job, code, message) {
   };
 }
 async function resolveSafeFixTarget(workspaceRoot, relativePath) {
-  const root = await (0, import_promises6.realpath)(workspaceRoot).catch(() => (0, import_node_path9.resolve)(workspaceRoot));
-  const target = (0, import_node_path9.resolve)(root, relativePath);
+  const root = await (0, import_promises6.realpath)(workspaceRoot).catch(() => (0, import_node_path10.resolve)(workspaceRoot));
+  const target = (0, import_node_path10.resolve)(root, relativePath);
   if (!isInsideRoot(root, target)) {
     return { ok: false, reason: "Safe fix target escaped the workspace root." };
   }
-  const parent = (0, import_node_path9.dirname)(target);
+  const parent = (0, import_node_path10.dirname)(target);
   const parentReal = await realpathNearestExisting(parent, root);
   if (!isInsideRoot(root, parentReal)) {
     return { ok: false, reason: "Safe fix parent path escaped the workspace root." };
@@ -10144,7 +10330,7 @@ async function realpathNearestExisting(path, root) {
       await (0, import_promises6.lstat)(candidate);
       return (0, import_promises6.realpath)(candidate);
     } catch {
-      const next = (0, import_node_path9.dirname)(candidate);
+      const next = (0, import_node_path10.dirname)(candidate);
       if (next === candidate) {
         break;
       }
@@ -10154,8 +10340,8 @@ async function realpathNearestExisting(path, root) {
   return root;
 }
 function isInsideRoot(root, candidate) {
-  const rel = (0, import_node_path9.relative)(root, candidate);
-  return rel === "" || !rel.startsWith("..") && !(0, import_node_path9.isAbsolute)(rel);
+  const rel = (0, import_node_path10.relative)(root, candidate);
+  return rel === "" || !rel.startsWith("..") && !(0, import_node_path10.isAbsolute)(rel);
 }
 async function writeNewFileAtomically(targetPath, content) {
   const tempPath = tempPathFor(targetPath);
@@ -10176,7 +10362,7 @@ async function replaceFileAtomically(targetPath, content) {
   }
 }
 function tempPathFor(targetPath) {
-  return (0, import_node_path9.join)((0, import_node_path9.dirname)(targetPath), `.${(0, import_node_path9.basename)(targetPath)}.${(0, import_node_crypto.randomUUID)()}.tmp`);
+  return (0, import_node_path10.join)((0, import_node_path10.dirname)(targetPath), `.${(0, import_node_path10.basename)(targetPath)}.${(0, import_node_crypto.randomUUID)()}.tmp`);
 }
 async function executePackageScriptJob(job, scriptName, options) {
   const packageJson = await readPackageJson(options.workspaceRoot);
@@ -10350,7 +10536,7 @@ function proofItemForJob(job, kind, label, summary, evidence, redactionSecrets =
 }
 async function readPackageJson(workspaceRoot) {
   try {
-    const raw = await (0, import_promises6.readFile)((0, import_node_path9.join)(workspaceRoot, "package.json"), "utf-8");
+    const raw = await (0, import_promises6.readFile)((0, import_node_path10.join)(workspaceRoot, "package.json"), "utf-8");
     const parsed = JSON.parse(raw);
     if (isRecord6(parsed) && isRecord6(parsed.scripts)) {
       return { scripts: Object.fromEntries(Object.entries(parsed.scripts).filter(([, value]) => typeof value === "string")) };
@@ -10433,7 +10619,7 @@ async function collectLocalRepoMetadata(workspaceRoot, commandRunner = runComman
   const headSha = headResult.ok ? normalizeSha(headResult.stdout) : null;
   const dirty = statusResult.ok ? statusResult.stdout.trim().length > 0 : void 0;
   return {
-    rootName: (0, import_node_path9.basename)(workspaceRoot) || "workspace",
+    rootName: (0, import_node_path10.basename)(workspaceRoot) || "workspace",
     remotes: remoteResult.ok ? parseGitRemotes(remoteResult.stdout) : [],
     branch,
     headSha,
@@ -10451,7 +10637,7 @@ async function detectPackageManager(workspaceRoot) {
   ];
   for (const [manager, file] of checks) {
     try {
-      await (0, import_promises6.access)((0, import_node_path9.join)(workspaceRoot, file));
+      await (0, import_promises6.access)((0, import_node_path10.join)(workspaceRoot, file));
       return manager;
     } catch {
     }
@@ -10642,9 +10828,9 @@ function isRecord6(value) {
 }
 
 // src/tui/runInteractive.ts
-var import_node_path14 = require("node:path");
+var import_node_path15 = require("node:path");
 
-// ../../node_modules/@clack/core/dist/index.mjs
+// ../../../../node_modules/@clack/core/dist/index.mjs
 var import_sisteransi = __toESM(require_src(), 1);
 var import_node_process = require("node:process");
 var g = __toESM(require("node:readline"), 1);
@@ -11002,7 +11188,7 @@ var LD = class extends x {
   }
 };
 
-// ../../node_modules/@clack/prompts/dist/index.mjs
+// ../../../../node_modules/@clack/prompts/dist/index.mjs
 var import_node_process2 = __toESM(require("node:process"), 1);
 var import_picocolors2 = __toESM(require_picocolors(), 1);
 var import_sisteransi2 = __toESM(require_src(), 1);
@@ -11228,9 +11414,6 @@ function buildAgentFixPrompt(artifact, gap) {
   ].join("\n");
 }
 
-// src/version.ts
-var VERSION = "1.0.5";
-
 // src/commands/guide.ts
 var import_picocolors3 = __toESM(require_picocolors());
 function formatPasteTarget(step) {
@@ -11299,7 +11482,7 @@ async function runGuideCommand(options) {
 
 // src/commands/audit.ts
 var import_promises7 = require("node:fs/promises");
-var import_node_path10 = require("node:path");
+var import_node_path11 = require("node:path");
 var ENV_FILES = [
   ".env",
   ".env.local",
@@ -11399,7 +11582,7 @@ function buildVercelSupabaseAudit(input) {
 }
 async function readIfExists(projectRoot, relativePath) {
   try {
-    const absolutePath = (0, import_node_path10.join)(projectRoot, relativePath);
+    const absolutePath = (0, import_node_path11.join)(projectRoot, relativePath);
     const fileStat = await (0, import_promises7.stat)(absolutePath);
     if (!fileStat.isFile()) {
       return void 0;
@@ -11413,7 +11596,7 @@ async function readIfExists(projectRoot, relativePath) {
   }
 }
 async function collectSqlFiles(projectRoot, root) {
-  const base = (0, import_node_path10.join)(projectRoot, root);
+  const base = (0, import_node_path11.join)(projectRoot, root);
   try {
     const rootStat = await (0, import_promises7.stat)(base);
     if (!rootStat.isDirectory()) {
@@ -11433,17 +11616,17 @@ async function collectSqlFiles(projectRoot, root) {
     for (const entry of entries) {
       if (entry.isDirectory()) {
         if (!SKIP_DIRS.has(entry.name)) {
-          await visit((0, import_node_path10.join)(dir, entry.name));
+          await visit((0, import_node_path11.join)(dir, entry.name));
         }
         continue;
       }
       if (!entry.isFile() || !entry.name.toLowerCase().endsWith(".sql")) {
         continue;
       }
-      const absolutePath = (0, import_node_path10.join)(dir, entry.name);
+      const absolutePath = (0, import_node_path11.join)(dir, entry.name);
       try {
         files.push({
-          path: (0, import_node_path10.relative)(projectRoot, absolutePath).replace(/\\/g, "/"),
+          path: (0, import_node_path11.relative)(projectRoot, absolutePath).replace(/\\/g, "/"),
           content: await (0, import_promises7.readFile)(absolutePath, "utf8")
         });
       } catch {
@@ -11493,7 +11676,7 @@ function renderVercelSupabaseAudit(result) {
 
 // src/commands/initRules.ts
 var import_promises10 = require("node:fs/promises");
-var import_node_path13 = require("node:path");
+var import_node_path14 = require("node:path");
 
 // src/commands/agentRulesBlock.ts
 var VIBERAVEN_BLOCK_START = "<!-- VIBERAVEN:START -->";
@@ -11515,6 +11698,15 @@ Maps repo evidence to OWASP LLM Top 10 launch risks. Supports SAFECode-style dep
 var STACK_FRAMING = `Stack context for this repo: Next.js, Supabase, Vercel, VibeRaven.
 Do NOT deploy to Vercel or ship to production users without running \`${PUBLIC_AGENT_MODE_COMMAND}\`.
 Do NOT rely on manual production checklists when VibeRaven gate artifacts exist in \`.viberaven/\`.`;
+var PRODUCTION_PROTOCOL_RULES = `## VibeRaven Production Protocol
+
+Before making deploy, auth, database, payment, API, or scaling changes:
+
+1. Read \`.viberaven/prp.json\`.
+2. Follow \`.viberaven/mission-map.md\`.
+3. Do not deploy if \`decision.status\` is \`blocked\`.
+4. Fix \`nextActions\` in order.
+5. Re-run \`${PUBLIC_AGENT_MODE_COMMAND}\`.`;
 var AGENT_NEGATIVE_CONSTRAINTS = `## Event-Triggered Production Verification
 
 Trigger: modifications to \`package.json\`, \`vercel.json\`, \`supabase/migrations/**/*\`, \`.env.example\`, auth/billing/webhook paths, or deploy workflow files.
@@ -11540,6 +11732,8 @@ var AGENT_RULES_BODY = `${AGENT_RULES_PREAMBLE}
 
 ${STACK_FRAMING}
 
+${PRODUCTION_PROTOCOL_RULES}
+
 ${AGENT_NEGATIVE_CONSTRAINTS}
 
 ## VibeRaven Production-Readiness Gate
@@ -11589,10 +11783,11 @@ var AGENT_CONTEXT_BODY = `${AGENT_RULES_PREAMBLE}
 
 After \`--agent-mode\`, read these artifacts in order:
 
-1. \`.viberaven/mission-map.md\`
-2. \`.viberaven/agent-tasklist.md\`
-3. \`.viberaven/gate-result.json\`
-4. \`.viberaven/context-map.json\``;
+1. \`.viberaven/prp.json\`
+2. \`.viberaven/mission-map.md\`
+3. \`.viberaven/agent-tasklist.md\`
+4. \`.viberaven/gate-result.json\`
+5. \`.viberaven/context-map.json\``;
 var MISSION_MAP_BODY = `${AGENT_RULES_PREAMBLE}
 
 ## Mission Map loop
@@ -11731,7 +11926,7 @@ function escapeRegExp3(value) {
 
 // src/commands/cursorRulesPack.ts
 var import_promises8 = require("node:fs/promises");
-var import_node_path11 = require("node:path");
+var import_node_path12 = require("node:path");
 var CURSOR_RULES_DIR = ".cursor/rules";
 var LEGACY_CURSOR_RULE_FILE = `${CURSOR_RULES_DIR}/viberaven.mdc`;
 var DOMAIN_PATH_POINTER = "Before editing these files, read `.viberaven/agent-context.md` and `.viberaven/mission-map.md`.";
@@ -11815,17 +12010,17 @@ async function initCursorRulesPack(options) {
   const pack = buildCursorRulesPack();
   for (const rule of pack) {
     const file = `${CURSOR_RULES_DIR}/${rule.filename}`;
-    const path = (0, import_node_path11.join)(options.cwd, file);
+    const path = (0, import_node_path12.join)(options.cwd, file);
     const existing = await readExistingFile(path);
     const changed = !existing.exists || existing.content !== rule.content;
     const action = !existing.exists ? "created" : changed ? "updated" : "unchanged";
     if (!options.dryRun && changed) {
-      await (0, import_promises8.mkdir)((0, import_node_path11.join)(options.cwd, CURSOR_RULES_DIR), { recursive: true });
+      await (0, import_promises8.mkdir)((0, import_node_path12.join)(options.cwd, CURSOR_RULES_DIR), { recursive: true });
       await (0, import_promises8.writeFile)(path, rule.content, "utf-8");
     }
     results.push({ target: "cursor", file, path, action });
   }
-  const legacyPath = (0, import_node_path11.join)(options.cwd, LEGACY_CURSOR_RULE_FILE);
+  const legacyPath = (0, import_node_path12.join)(options.cwd, LEGACY_CURSOR_RULE_FILE);
   if (!options.dryRun && await fileExists(legacyPath)) {
     await (0, import_promises8.rm)(legacyPath, { force: true });
   }
@@ -11938,14 +12133,14 @@ function getAgentRulesTargets(value) {
 // src/commands/seedPackageJsonScripts.ts
 var import_node_fs7 = require("node:fs");
 var import_promises9 = require("node:fs/promises");
-var import_node_path12 = require("node:path");
+var import_node_path13 = require("node:path");
 var VIBERAVEN_PACKAGE_JSON_SCRIPTS = {
   "viberaven:gate": PUBLIC_AGENT_MODE_COMMAND,
   "viberaven:verify": PUBLIC_VERIFY_COMMAND,
   "viberaven:strict": PUBLIC_STRICT_COMMAND
 };
 async function seedPackageJsonScripts(options) {
-  const packageJsonPath = (0, import_node_path12.join)(options.cwd, "package.json");
+  const packageJsonPath = (0, import_node_path13.join)(options.cwd, "package.json");
   if (!(0, import_node_fs7.existsSync)(packageJsonPath)) {
     return null;
   }
@@ -11994,12 +12189,12 @@ async function initAgentRules(options) {
       continue;
     }
     const file = AGENT_RULE_TARGETS[target].file;
-    const path = (0, import_node_path13.join)(options.cwd, file);
+    const path = (0, import_node_path14.join)(options.cwd, file);
     const existing = await readExistingFile2(path);
     const injected = injectAgentRulesBlock(existing.content, renderAgentRulesForTarget(target));
     const action = !existing.exists ? "created" : injected.changed ? "updated" : "unchanged";
     if (!options.dryRun && injected.changed) {
-      await (0, import_promises10.mkdir)((0, import_node_path13.dirname)(path), { recursive: true });
+      await (0, import_promises10.mkdir)((0, import_node_path14.dirname)(path), { recursive: true });
       await (0, import_promises10.writeFile)(path, injected.content, "utf-8");
     }
     results.push({ target, file, path, action });
@@ -12376,7 +12571,7 @@ async function runInteractiveSession(startDir = process.cwd()) {
   Ie(`${import_picocolors4.default.bold("VibeRaven")} ${import_picocolors4.default.dim(VERSION)}`);
   const cwd = await resolveWorkspaceRoot(startDir);
   const artifactsAt = await findArtifactsWorkspace(startDir);
-  if (artifactsAt && (0, import_node_path14.resolve)(artifactsAt) !== (0, import_node_path14.resolve)(startDir)) {
+  if (artifactsAt && (0, import_node_path15.resolve)(artifactsAt) !== (0, import_node_path15.resolve)(startDir)) {
     M2.message(import_picocolors4.default.dim(`Using scan from: ${artifactsAt}`));
   } else {
     M2.message(import_picocolors4.default.dim(`Project folder: ${cwd}`));
@@ -12444,11 +12639,11 @@ async function runInteractiveSession(startDir = process.cwd()) {
 
 // src/commands/condense.ts
 var import_promises11 = require("node:fs/promises");
-var import_node_path15 = require("node:path");
+var import_node_path16 = require("node:path");
 async function runCondenseCommand(options) {
   const dir = getProjectArtifactsDir(options.cwd);
-  const artifact = JSON.parse(await (0, import_promises11.readFile)((0, import_node_path15.join)(dir, "last-scan.json"), "utf8"));
-  const contextMapPath = (0, import_node_path15.join)(dir, "context-map.json");
+  const artifact = JSON.parse(await (0, import_promises11.readFile)((0, import_node_path16.join)(dir, "last-scan.json"), "utf8"));
+  const contextMapPath = (0, import_node_path16.join)(dir, "context-map.json");
   await (0, import_promises11.writeFile)(contextMapPath, `${JSON.stringify(generateContextMap(artifact), null, 2)}
 `, "utf8");
   return { contextMapPath };
@@ -12457,15 +12652,15 @@ async function runCondenseCommand(options) {
 // src/heal/apply.ts
 var import_promises13 = require("node:fs/promises");
 var import_node_fs10 = require("node:fs");
-var import_node_path19 = require("node:path");
+var import_node_path20 = require("node:path");
 
 // src/heal/pathSafety.ts
-var import_node_path16 = require("node:path");
+var import_node_path17 = require("node:path");
 var BLOCKED_SEGMENTS = /* @__PURE__ */ new Set([".git", "node_modules", "dist", "build", ".next", ".viberaven"]);
 function assertSafeHealTarget(cwd, target) {
-  const root = (0, import_node_path16.resolve)(cwd);
-  const absolute = (0, import_node_path16.resolve)(root, target);
-  const rel = (0, import_node_path16.relative)(root, absolute);
+  const root = (0, import_node_path17.resolve)(cwd);
+  const absolute = (0, import_node_path17.resolve)(root, target);
+  const rel = (0, import_node_path17.relative)(root, absolute);
   if (rel.startsWith("..") || rel === "" || /^[A-Za-z]:/.test(rel)) {
     throw new Error("Heal target must stay inside the workspace");
   }
@@ -12490,7 +12685,7 @@ function applyEmptyCatchRecipe(source) {
 // src/heal/recipes/index.ts
 var import_node_fs9 = require("node:fs");
 var import_promises12 = require("node:fs/promises");
-var import_node_path18 = require("node:path");
+var import_node_path19 = require("node:path");
 
 // src/heal/recipes/envAuthSecret.ts
 function applyAuthSecretRecipe(source) {
@@ -12872,7 +13067,7 @@ function applyRateLimitRecipe(source, hasUpstash) {
 
 // src/heal/recipes/eslintRestrictedImports.ts
 var import_node_fs8 = require("node:fs");
-var import_node_path17 = require("node:path");
+var import_node_path18 = require("node:path");
 var VIBERAVEN_ESLINT_MARKER = "VibeRaven heal: eslint_restricted_imports";
 var RESTRICTED_IMPORTS_MESSAGE = `Restricted import. Run ${PUBLIC_AGENT_MODE_COMMAND} before substituting packages.`;
 var RESTRICTED_PATHS = [
@@ -12902,7 +13097,7 @@ var ESLINT_CONFIG_CANDIDATES = [
 ];
 function detectEslintConfigFile(cwd) {
   for (const candidate of ESLINT_CONFIG_CANDIDATES) {
-    if ((0, import_node_fs8.existsSync)((0, import_node_path17.join)(cwd, candidate))) {
+    if ((0, import_node_fs8.existsSync)((0, import_node_path18.join)(cwd, candidate))) {
       return candidate;
     }
   }
@@ -13082,7 +13277,7 @@ async function readSourceOrEmpty(absolutePath) {
 }
 async function detectUpstash(cwd) {
   try {
-    const pkgPath = (0, import_node_path18.join)(cwd, "package.json");
+    const pkgPath = (0, import_node_path19.join)(cwd, "package.json");
     if (!(0, import_node_fs9.existsSync)(pkgPath)) return false;
     const raw = await (0, import_promises12.readFile)(pkgPath, "utf8");
     const pkg = JSON.parse(raw);
@@ -13099,7 +13294,7 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   const targetFile = explicitTarget ?? defaultTargetFile(gapId);
   if (targetFile === void 0) return null;
   if (gapId === "auth_secret_missing" || gapId === "node_env_not_set" || gapId === "database_url_missing") {
-    const absolutePath = (0, import_node_path18.join)(cwd, targetFile);
+    const absolutePath = (0, import_node_path19.join)(cwd, targetFile);
     const source = await readSourceOrEmpty(absolutePath);
     let result;
     if (gapId === "auth_secret_missing") result = applyAuthSecretRecipe(source);
@@ -13113,25 +13308,25 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
     };
   }
   if (gapId === "missing_error_boundary") {
-    const absolutePath = (0, import_node_path18.join)(cwd, "app/error.tsx");
+    const absolutePath = (0, import_node_path19.join)(cwd, "app/error.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyErrorBoundaryRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_health_route") {
-    const absolutePath = (0, import_node_path18.join)(cwd, "app/api/health/route.ts");
+    const absolutePath = (0, import_node_path19.join)(cwd, "app/api/health/route.ts");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyHealthRouteRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_loading_state") {
-    const absolutePath = (0, import_node_path18.join)(cwd, "app/loading.tsx");
+    const absolutePath = (0, import_node_path19.join)(cwd, "app/loading.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyLoadingStateRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_404_page") {
-    const absolutePath = (0, import_node_path18.join)(cwd, "app/not-found.tsx");
+    const absolutePath = (0, import_node_path19.join)(cwd, "app/not-found.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyNotFoundRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
@@ -13149,10 +13344,10 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   }
   if (gapId === "missing_csp_header") {
     let configFile = "next.config.js";
-    let absolutePath = (0, import_node_path18.join)(cwd, configFile);
+    let absolutePath = (0, import_node_path19.join)(cwd, configFile);
     if (!(0, import_node_fs9.existsSync)(absolutePath)) {
       configFile = "next.config.mjs";
-      absolutePath = (0, import_node_path18.join)(cwd, configFile);
+      absolutePath = (0, import_node_path19.join)(cwd, configFile);
     }
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyCspHeaderRecipe(source);
@@ -13164,7 +13359,7 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   }
   if (gapId === "missing_rate_limit") {
     const hasUpstash = await detectUpstash(cwd);
-    const middlewarePath = (0, import_node_path18.join)(cwd, "middleware.ts");
+    const middlewarePath = (0, import_node_path19.join)(cwd, "middleware.ts");
     const source = await readSourceOrEmpty(middlewarePath);
     const result = applyRateLimitRecipe(source, hasUpstash);
     return {
@@ -13186,7 +13381,7 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
         recipeName: gapId
       };
     }
-    const absolutePath = (0, import_node_path18.join)(cwd, configFile);
+    const absolutePath = (0, import_node_path19.join)(cwd, configFile);
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyEslintRestrictedImportsRecipe(source, configFile);
     return {
@@ -13261,13 +13456,13 @@ async function applyHeal(options) {
           rollback: { available: false, instructions: "Recipe matched but no change was needed (already applied or file already exists)." }
         };
       }
-      const absoluteTarget = (0, import_node_path19.join)(options.cwd, dispatched.targetFile);
+      const absoluteTarget = (0, import_node_path20.join)(options.cwd, dispatched.targetFile);
       assertSafeHealTarget(options.cwd, dispatched.targetFile);
-      await (0, import_promises13.mkdir)((0, import_node_path19.dirname)(absoluteTarget), { recursive: true });
-      const healDir2 = (0, import_node_path19.join)(options.cwd, ".viberaven", "heal", id);
-      await (0, import_promises13.mkdir)((0, import_node_path19.join)(healDir2, "before"), { recursive: true });
+      await (0, import_promises13.mkdir)((0, import_node_path20.dirname)(absoluteTarget), { recursive: true });
+      const healDir2 = (0, import_node_path20.join)(options.cwd, ".viberaven", "heal", id);
+      await (0, import_promises13.mkdir)((0, import_node_path20.join)(healDir2, "before"), { recursive: true });
       const beforeContent = (0, import_node_fs10.existsSync)(absoluteTarget) ? await (0, import_promises13.readFile)(absoluteTarget, "utf8") : "";
-      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "before", "target.txt"), beforeContent, "utf8");
+      await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir2, "before", "target.txt"), beforeContent, "utf8");
       await (0, import_promises13.writeFile)(absoluteTarget, dispatched.output, "utf8");
       const patch2 = [
         `--- ${dispatched.targetFile}`,
@@ -13278,7 +13473,7 @@ async function applyHeal(options) {
         dispatched.output,
         ""
       ].join("\n");
-      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "patch.diff"), patch2, "utf8");
+      await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir2, "patch.diff"), patch2, "utf8");
       const result2 = {
         $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
         schemaVersion: "v1",
@@ -13289,7 +13484,7 @@ async function applyHeal(options) {
         gapId: options.gapId,
         recipe: dispatched.recipeName,
         target: dispatched.targetFile,
-        changedFiles: [(0, import_node_path19.relative)(options.cwd, absoluteTarget).replace(/\\/g, "/")],
+        changedFiles: [(0, import_node_path20.relative)(options.cwd, absoluteTarget).replace(/\\/g, "/")],
         artifacts: {
           patch: `.viberaven/heal/${id}/patch.diff`,
           result: `.viberaven/heal/${id}/result.json`
@@ -13299,7 +13494,7 @@ async function applyHeal(options) {
           instructions: "Restore .viberaven/heal/<healId>/before/target.txt to the target file or apply the reverse patch."
         }
       };
-      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "result.json"), `${JSON.stringify(result2, null, 2)}
+      await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir2, "result.json"), `${JSON.stringify(result2, null, 2)}
 `, "utf8");
       return result2;
     }
@@ -13336,9 +13531,9 @@ async function applyHeal(options) {
       rollback: { available: false, instructions: "No supported heal recipe matched this file." }
     };
   }
-  const healDir = (0, import_node_path19.join)(options.cwd, ".viberaven", "heal", id);
-  await (0, import_promises13.mkdir)((0, import_node_path19.join)(healDir, "before"), { recursive: true });
-  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "before", "target.txt"), before, "utf8");
+  const healDir = (0, import_node_path20.join)(options.cwd, ".viberaven", "heal", id);
+  await (0, import_promises13.mkdir)((0, import_node_path20.join)(healDir, "before"), { recursive: true });
+  await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir, "before", "target.txt"), before, "utf8");
   await (0, import_promises13.writeFile)(absolute, recipe.output, "utf8");
   const patch = [
     `--- ${options.target}`,
@@ -13349,7 +13544,7 @@ async function applyHeal(options) {
     recipe.output,
     ""
   ].join("\n");
-  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "patch.diff"), patch, "utf8");
+  await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir, "patch.diff"), patch, "utf8");
   const result = {
     $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
     schemaVersion: "v1",
@@ -13360,7 +13555,7 @@ async function applyHeal(options) {
     gapId: options.gapId,
     recipe: "empty-catch-safe-response",
     target: options.target,
-    changedFiles: [(0, import_node_path19.relative)(options.cwd, absolute).replace(/\\/g, "/")],
+    changedFiles: [(0, import_node_path20.relative)(options.cwd, absolute).replace(/\\/g, "/")],
     artifacts: {
       patch: `.viberaven/heal/${id}/patch.diff`,
       result: `.viberaven/heal/${id}/result.json`
@@ -13370,19 +13565,19 @@ async function applyHeal(options) {
       instructions: "Restore .viberaven/heal/<healId>/before/target.txt to the target file or apply the reverse patch."
     }
   };
-  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "result.json"), `${JSON.stringify(result, null, 2)}
+  await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir, "result.json"), `${JSON.stringify(result, null, 2)}
 `, "utf8");
   return result;
 }
 
 // src/heal/plan.ts
 var import_promises14 = require("node:fs/promises");
-var import_node_path20 = require("node:path");
+var import_node_path21 = require("node:path");
 function healId2() {
   return `heal_${(/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14)}`;
 }
 async function writeHealPlan(options) {
-  const dir = (0, import_node_path20.join)(options.cwd, ".viberaven");
+  const dir = (0, import_node_path21.join)(options.cwd, ".viberaven");
   await (0, import_promises14.mkdir)(dir, { recursive: true });
   const id = healId2();
   const target = options.target ?? `gap:${options.gapId}`;
@@ -13410,20 +13605,20 @@ async function writeHealPlan(options) {
     artifacts: { plan: ".viberaven/heal-plan.md" },
     rollback: { available: false, instructions: "No source files were changed." }
   };
-  await (0, import_promises14.writeFile)((0, import_node_path20.join)(dir, "heal-plan.md"), markdown, "utf8");
-  await (0, import_promises14.writeFile)((0, import_node_path20.join)(dir, "heal-plan.json"), `${JSON.stringify(result, null, 2)}
+  await (0, import_promises14.writeFile)((0, import_node_path21.join)(dir, "heal-plan.md"), markdown, "utf8");
+  await (0, import_promises14.writeFile)((0, import_node_path21.join)(dir, "heal-plan.json"), `${JSON.stringify(result, null, 2)}
 `, "utf8");
   return result;
 }
 
 // src/heal/prompt.ts
 var import_promises15 = require("node:fs/promises");
-var import_node_path21 = require("node:path");
+var import_node_path22 = require("node:path");
 function healId3() {
   return `heal_${(/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14)}`;
 }
 async function writeHealPrompt(options) {
-  const dir = (0, import_node_path21.join)(options.cwd, ".viberaven");
+  const dir = (0, import_node_path22.join)(options.cwd, ".viberaven");
   await (0, import_promises15.mkdir)(dir, { recursive: true });
   const id = healId3();
   const target = options.target ?? `gap:${options.gapId}`;
@@ -13451,7 +13646,7 @@ async function writeHealPrompt(options) {
     artifacts: { prompt: ".viberaven/heal-prompt.md" },
     rollback: { available: false, instructions: "No source files were changed." }
   };
-  await (0, import_promises15.writeFile)((0, import_node_path21.join)(dir, "heal-prompt.md"), prompt, "utf8");
+  await (0, import_promises15.writeFile)((0, import_node_path22.join)(dir, "heal-prompt.md"), prompt, "utf8");
   return result;
 }
 
@@ -13538,7 +13733,7 @@ async function runHealCommand(options) {
 // src/stackRecommend.ts
 var import_promises17 = require("node:fs/promises");
 var import_node_fs11 = require("node:fs");
-var import_node_path22 = require("node:path");
+var import_node_path23 = require("node:path");
 var DEFAULT_STACK = {
   frontend: "react",
   ui: "tailwind + shadcn/ui",
@@ -13549,7 +13744,7 @@ var DEFAULT_STACK = {
   reason: "Agent-default stack for lowest launch friction when repo signals are ambiguous"
 };
 async function recommendStack(cwd = process.cwd()) {
-  const pkgPath = (0, import_node_path22.join)(cwd, "package.json");
+  const pkgPath = (0, import_node_path23.join)(cwd, "package.json");
   if (!(0, import_node_fs11.existsSync)(pkgPath)) {
     return DEFAULT_STACK;
   }
@@ -13606,7 +13801,7 @@ async function runInitCommand(options) {
 
 // src/commands/doctorAgents.ts
 var import_promises18 = require("node:fs/promises");
-var import_node_path23 = require("node:path");
+var import_node_path24 = require("node:path");
 var REQUIRED_EXISTENCE_CHECKS = [
   { id: "agents-md", file: "AGENTS.md" },
   { id: "claude-md", file: "CLAUDE.md" },
@@ -13626,7 +13821,7 @@ var STALE_PATTERNS = [
 async function checkAgentInjection(cwd) {
   const checks = [];
   for (const item3 of REQUIRED_EXISTENCE_CHECKS) {
-    const exists = await fileExists2((0, import_node_path23.join)(cwd, item3.file));
+    const exists = await fileExists2((0, import_node_path24.join)(cwd, item3.file));
     checks.push({
       id: item3.id,
       status: exists ? "pass" : "fail",
@@ -13634,17 +13829,17 @@ async function checkAgentInjection(cwd) {
     });
   }
   for (const item3 of OPTIONAL_CURSOR_PACK_CHECKS) {
-    const exists = await fileExists2((0, import_node_path23.join)(cwd, item3.file));
+    const exists = await fileExists2((0, import_node_path24.join)(cwd, item3.file));
     checks.push({
       id: item3.id,
       status: exists ? "pass" : "fail",
       message: exists ? `${item3.file} exists` : `Missing ${item3.file} \u2014 run npx -y viberaven init --agents all`
     });
   }
-  const legacyCursorPath = (0, import_node_path23.join)(cwd, ".cursor/rules/viberaven.mdc");
+  const legacyCursorPath = (0, import_node_path24.join)(cwd, ".cursor/rules/viberaven.mdc");
   if (await fileExists2(legacyCursorPath)) {
     const legacyContent = await (0, import_promises18.readFile)(legacyCursorPath, "utf-8");
-    const hasCoreSplit = await fileExists2((0, import_node_path23.join)(cwd, ".cursor/rules/viberaven-core.mdc"));
+    const hasCoreSplit = await fileExists2((0, import_node_path24.join)(cwd, ".cursor/rules/viberaven-core.mdc"));
     if (!hasCoreSplit || legacyContent.includes("alwaysApply: true")) {
       checks.push({
         id: "cursor-legacy-mdc",
@@ -13655,7 +13850,7 @@ async function checkAgentInjection(cwd) {
   }
   for (const target of CORE_AGENT_INJECTION_TARGETS) {
     const file = target === "cursor" ? ".cursor/rules/viberaven-core.mdc" : AGENT_RULE_TARGETS[target].file;
-    const path = (0, import_node_path23.join)(cwd, file);
+    const path = (0, import_node_path24.join)(cwd, file);
     const exists = await fileExists2(path);
     if (!exists) {
       checks.push({
@@ -14009,7 +14204,11 @@ function buildProviderActionBlock(task) {
       envKeyExample: pa.envKeyExample ?? null,
       doneSignal: pa.doneSignal,
       verifyCommand: task.verifyCommand,
-      mcpAlternative: task.mcpTool ?? pa.mcpAlternative ?? null
+      mcpAlternative: task.mcpTool ?? pa.mcpAlternative ?? null,
+      actionClass: pa.actionClass ?? "manual_provider_step",
+      approvalRequired: pa.approvalRequired ?? true,
+      manualFallback: pa.manualFallback ?? pa.exactStep,
+      copyValues: pa.copyValues ?? []
     }
   };
 }
@@ -14033,7 +14232,7 @@ function printNextActionBlock(block) {
 // src/providerMcpBridge.ts
 var import_node_fs12 = require("node:fs");
 var import_node_os2 = require("node:os");
-var import_node_path24 = require("node:path");
+var import_node_path25 = require("node:path");
 var UPGRADE_URL4 = "https://viberaven.dev/pricing";
 var FALLBACK_COMMAND = "npx -y viberaven audit --vercel-supabase --json";
 var SUPPORTED_PROVIDERS = /* @__PURE__ */ new Set(["supabase", "vercel"]);
@@ -14041,9 +14240,9 @@ var configPathsOverride;
 function defaultMcpConfigPaths() {
   const home = (0, import_node_os2.homedir)();
   return [
-    (0, import_node_path24.join)(home, ".config", "claude", "claude_desktop_config.json"),
-    (0, import_node_path24.join)(home, ".cursor", "mcp.json"),
-    (0, import_node_path24.join)(home, ".gemini", "antigravity", "mcp_config.json")
+    (0, import_node_path25.join)(home, ".config", "claude", "claude_desktop_config.json"),
+    (0, import_node_path25.join)(home, ".cursor", "mcp.json"),
+    (0, import_node_path25.join)(home, ".gemini", "antigravity", "mcp_config.json")
   ];
 }
 function resolveConfigPaths() {
@@ -14300,7 +14499,7 @@ async function guardEarlyVerifyScan(input) {
   if (!verifyLike) {
     return void 0;
   }
-  const workspacePath = input.positional[0] ? (0, import_node_path25.join)(process.cwd(), input.positional[0]) : await resolveWorkspaceRoot(process.cwd());
+  const workspacePath = input.positional[0] ? (0, import_node_path26.join)(process.cwd(), input.positional[0]) : await resolveWorkspaceRoot(process.cwd());
   const loopState = await loadLoopState(workspacePath);
   if (loopState.batchApplied <= 0) {
     return void 0;
@@ -14376,7 +14575,7 @@ async function cmdStatus(flags, positional) {
     console.log("Not signed in. Run: viberaven login");
     return 1;
   }
-  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd();
   let artifact;
   try {
     artifact = await loadLastArtifact(startDir);
@@ -14530,7 +14729,7 @@ async function cmdWatch(flags) {
   }
 }
 async function runScanCommand(flags, positional, options) {
-  const workspacePath = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : await resolveWorkspaceRoot(process.cwd());
+  const workspacePath = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : await resolveWorkspaceRoot(process.cwd());
   const apiBaseUrl = resolveApiBaseUrl(typeof flags["api-url"] === "string" ? flags["api-url"] : void 0);
   let accessToken;
   try {
@@ -14583,6 +14782,10 @@ async function runScanCommand(flags, positional, options) {
   }
   if (!options?.deferMachineOutput) {
     printScanSummary(artifact, paths);
+    if (flags["agent-mode"]) {
+      const prp = JSON.parse(await (0, import_promises19.readFile)(paths.prpPath, "utf8"));
+      console.log(renderProductionProtocolSummary(prp));
+    }
   }
   if (artifact.usage && !options?.deferMachineOutput) {
     console.log(formatUsageLine(artifact.usage));
@@ -14608,7 +14811,7 @@ async function runScanCommand(flags, positional, options) {
   return { exitCode: 0, artifacts: paths };
 }
 async function cmdReport(flags, positional) {
-  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd();
   try {
     const paths = await refreshReportFromDisk(startDir);
     console.log(`Report refreshed: ${paths.reportPath}`);
@@ -14630,7 +14833,7 @@ async function cmdReport(flags, positional) {
   }
 }
 async function cmdPrompt(flags, positional) {
-  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd();
   let artifact;
   try {
     artifact = await loadLastArtifact(startDir);
@@ -14728,7 +14931,7 @@ async function main() {
   const wantsJsonl = hasFlag(flags, "jsonl");
   const wantsStrict = hasFlag(flags, "strict");
   if (flags.condense) {
-    const cwd = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
+    const cwd = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd();
     const result = await runCondenseCommand({ cwd });
     console.log(`VibeRaven context map refreshed: ${result.contextMapPath}`);
     return 0;
@@ -14792,7 +14995,7 @@ async function main() {
     case "next":
       return runNextCommand({
         json: Boolean(flags.json),
-        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd()
+        cwd: positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd()
       });
     case "guide": {
       const provider2 = positional[0];
@@ -14830,7 +15033,7 @@ async function main() {
     case "provider-verify":
       return cmdProviderVerify(flags, positional);
     case "init": {
-      const cwd = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
+      const cwd = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd();
       const agents = typeof flags.agents === "string" ? flags.agents : void 0;
       return runInitCommand({
         cwd,
@@ -14844,7 +15047,7 @@ async function main() {
         return 1;
       }
       return runDoctorAgentsCommand({
-        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd()
+        cwd: positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd()
       });
     case "validate-npm-package":
       return runValidateNpmPackageCommand({
@@ -14857,7 +15060,7 @@ async function main() {
         return 1;
       }
       return runAuditCommand({
-        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd(),
+        cwd: positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd(),
         json: Boolean(flags.json)
       });
     default: