@viberaven/cli 1.1.0 → 1.1.1

package/dist/cli.js

@@ -170,8 +170,8 @@ __export(cli_exports, {
   runScanCommand: () => runScanCommand
 });
 module.exports = __toCommonJS(cli_exports);
-var import_promises19 = require("node:fs/promises");
-var import_node_path26 = require("node:path");
+var import_promises21 = require("node:fs/promises");
+var import_node_path28 = require("node:path");
 
 // src/config.ts
 var import_node_os = require("node:os");
@@ -528,8 +528,8 @@ var UPGRADE_REQUIRED = "UPGRADE_REQUIRED";
 var MANUAL_ACTION_REQUIRED = "MANUAL_ACTION_REQUIRED";
 var AGENT_ACTION = "AGENT_ACTION";
 var ERROR = "ERROR";
-function formatAgentStatus(label, message) {
-  return `${label}: ${message}`;
+function formatAgentStatus(label2, message) {
+  return `${label2}: ${message}`;
 }
 
 // src/account.ts
@@ -661,6 +661,9 @@ function promptGapCommand(gapId) {
 function healPlanGapCommand(gapId) {
   return `${PUBLIC_COMMAND} --heal --plan --gap ${gapId}`;
 }
+function healApplyGapCommand(gapId) {
+  return `${PUBLIC_COMMAND} --heal --apply --gap ${gapId}`;
+}
 
 // src/auth.ts
 var PUBLIC_LOGIN_COMMAND = `${PUBLIC_COMMAND} login`;
@@ -1094,7 +1097,7 @@ function createGitignoreMatcher(gitignoreContent) {
   const rules = gitignoreContent.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#") && !line.startsWith("!")).map(parseGitignoreRule);
   return (relPath) => {
     const normalized = relPath.replace(/\\/g, "/").replace(/^\/+/, "");
-    return rules.some((rule) => ruleMatchesPath(rule, normalized));
+    return rules.some((rule2) => ruleMatchesPath(rule2, normalized));
   };
 }
 function parseGitignoreRule(raw) {
@@ -1111,22 +1114,22 @@ function parseGitignoreRule(raw) {
     regex: new RegExp(`^${gitignoreGlobToRegex(pattern)}$`)
   };
 }
-function ruleMatchesPath(rule, relPath) {
-  const candidates = rule.anchored || rule.hasSlash ? [relPath] : relPath.split("/");
-  const directMatch = candidates.some((candidate) => rule.regex.test(candidate));
-  if (directMatch && !rule.directoryOnly) {
+function ruleMatchesPath(rule2, relPath) {
+  const candidates = rule2.anchored || rule2.hasSlash ? [relPath] : relPath.split("/");
+  const directMatch = candidates.some((candidate) => rule2.regex.test(candidate));
+  if (directMatch && !rule2.directoryOnly) {
     return true;
   }
-  if (directMatch && rule.directoryOnly) {
+  if (directMatch && rule2.directoryOnly) {
     return true;
   }
-  if (!rule.directoryOnly) {
+  if (!rule2.directoryOnly) {
     return false;
   }
-  if (rule.anchored || rule.hasSlash) {
-    return relPath === rule.pattern || relPath.startsWith(`${rule.pattern}/`);
+  if (rule2.anchored || rule2.hasSlash) {
+    return relPath === rule2.pattern || relPath.startsWith(`${rule2.pattern}/`);
   }
-  return relPath.split("/").includes(rule.pattern);
+  return relPath.split("/").includes(rule2.pattern);
 }
 function gitignoreGlobToRegex(pattern) {
   let out = "";
@@ -1246,7 +1249,7 @@ function fallbackMapCategoryForGap(category, text) {
 function inferMapCategories(category, title, detail, copyPrompt, explicitPrimary, explicitAffected) {
   const text = [category, title, detail, copyPrompt].filter(Boolean).join(" ");
   const fallback = fallbackMapCategoryForGap(category, text);
-  const matched = MAP_CATEGORY_RULES.filter((rule) => rule.match.test(text)).map((rule) => rule.key);
+  const matched = MAP_CATEGORY_RULES.filter((rule2) => rule2.match.test(text)).map((rule2) => rule2.key);
   const explicit = isProductionMapCategoryKey(explicitPrimary) ? [explicitPrimary] : [];
   const affected = Array.isArray(explicitAffected) ? explicitAffected.filter(isProductionMapCategoryKey) : [];
   const primarySeed = matched[0] ? [matched[0], fallback] : [fallback];
@@ -1291,12 +1294,12 @@ function normalizeGap(v) {
     affectedMapCategories
   };
 }
-function rootGapKey(gap) {
-  const titleKey = slugify(gap.title);
+function rootGapKey(gap2) {
+  const titleKey = slugify(gap2.title);
   if (titleKey) {
     return titleKey;
   }
-  return slugify([gap.category, gap.copyPrompt].join(" ")) || gap.id;
+  return slugify([gap2.category, gap2.copyPrompt].join(" ")) || gap2.id;
 }
 function mergeToolSuggestions(a, b3) {
   const seen = /* @__PURE__ */ new Set();
@@ -1326,17 +1329,17 @@ function mergeRootGaps(a, b3) {
 function dedupeRootGaps(gaps) {
   const byKey = /* @__PURE__ */ new Map();
   const order = [];
-  for (const gap of gaps) {
-    const key = rootGapKey(gap);
+  for (const gap2 of gaps) {
+    const key = rootGapKey(gap2);
     const existing = byKey.get(key);
     if (!existing) {
-      byKey.set(key, gap);
+      byKey.set(key, gap2);
       order.push(key);
       continue;
     }
-    byKey.set(key, mergeRootGaps(existing, gap));
+    byKey.set(key, mergeRootGaps(existing, gap2));
   }
-  return order.map((key) => byKey.get(key)).filter((gap) => Boolean(gap));
+  return order.map((key) => byKey.get(key)).filter((gap2) => Boolean(gap2));
 }
 function normalizeChecklist(v) {
   const defaults = {
@@ -1480,15 +1483,15 @@ function buildLaunchValidationReport(input) {
       promptTemplate: conflict.recommendedAction.promptTemplate
     }))
   );
-  const gapIssues = (input.gaps ?? []).filter((gap) => gap.severity !== "info").map((gap) => {
-    const area = gapArea(gap);
+  const gapIssues = (input.gaps ?? []).filter((gap2) => gap2.severity !== "info").map((gap2) => {
+    const area = gapArea(gap2);
     return {
-      id: `gap-${gap.id}`,
+      id: `gap-${gap2.id}`,
       area,
-      severity: gap.severity,
-      title: gap.title,
-      detail: gap.detail,
-      promptTemplate: gap.severity === "critical" && isLaunchCriticalArea(area) ? "launch-blocker" : "repo-fix"
+      severity: gap2.severity,
+      title: gap2.title,
+      detail: gap2.detail,
+      promptTemplate: gap2.severity === "critical" && isLaunchCriticalArea(area) ? "launch-blocker" : "repo-fix"
     };
   });
   const providerCoverageWarnings = providerCoverageIssues(input.providerTruth);
@@ -1603,8 +1606,8 @@ function isActionableProviderCheckRow(row) {
 function hasCompletedManualConfirmation(row) {
   return row.manualProof.status === "manual-confirmed" || row.roles.some((role) => role === "manual-confirmed");
 }
-function gapArea(gap) {
-  return VERIFICATION_AREAS.includes(gap.primaryMapCategory) ? gap.primaryMapCategory : "appFlow";
+function gapArea(gap2) {
+  return VERIFICATION_AREAS.includes(gap2.primaryMapCategory) ? gap2.primaryMapCategory : "appFlow";
 }
 function isLaunchCriticalArea(area) {
   return LAUNCH_CRITICAL_AREAS.includes(area);
@@ -2073,11 +2076,11 @@ function buildProviderRegistrySnapshot(now = /* @__PURE__ */ new Date()) {
     providers
   };
 }
-function provider(providerKey, label, aliases, areas, productionAreas, iconKey, extras = {}) {
+function provider(providerKey, label2, aliases, areas, productionAreas, iconKey, extras = {}) {
   const sifgTemplateIds = areas.flatMap((area) => sifgTemplatesForRegistryProviderArea(providerKey, area)).map((template) => template.id);
   return {
     provider: providerKey,
-    label,
+    label: label2,
     aliases,
     areas,
     productionAreas,
@@ -2935,14 +2938,14 @@ function detectProductionConnectionEvidence(scan) {
     content: file.isSecret || typeof file.content !== "string" ? "" : file.content,
     lowerContent: file.isSecret || typeof file.content !== "string" ? "" : file.content.toLowerCase()
   }));
-  const secretPathBlob = scan.secretsFound.map((path) => normalizePath(path)).join("\n");
+  const secretPathBlob = scan.secretsFound.map((path3) => normalizePath(path3)).join("\n");
   const pathBlob = `${scan.fileTree}
 ${files.map((file) => file.path).join("\n")}`.toLowerCase();
   const contentBlob = files.map((file) => file.lowerContent).join("\n").slice(0, 12e4);
   const secretsHygieneBlob = `${pathBlob}
 ${secretPathBlob}`;
-  for (const rule of PROVIDER_RULES) {
-    detectProvider(evidence, rule, deps, files, pathBlob);
+  for (const rule2 of PROVIDER_RULES) {
+    detectProvider(evidence, rule2, deps, files, pathBlob);
   }
   detectSecretsHygiene(evidence, secretsHygieneBlob);
   for (const item3 of Object.values(evidence)) {
@@ -2996,55 +2999,55 @@ function buildProductionConnectionContext(choices, evidence) {
   }
   return lines.length > 0 ? lines.join("\n") : "production connections: no selected or detected providers";
 }
-function detectProvider(evidence, rule, deps, files, pathBlob) {
-  if (evidence[rule.area]) {
+function detectProvider(evidence, rule2, deps, files, pathBlob) {
+  if (evidence[rule2.area]) {
     return;
   }
-  const signals = collectSignals(rule, deps, files, pathBlob);
+  const signals = collectSignals(rule2, deps, files, pathBlob);
   if (signals.length === 0) {
     return;
   }
-  evidence[rule.area] = {
-    area: rule.area,
-    provider: rule.provider,
+  evidence[rule2.area] = {
+    area: rule2.area,
+    provider: rule2.provider,
     status: ["detected"],
     signals
   };
 }
-function collectSignals(rule, deps, files, pathBlob) {
+function collectSignals(rule2, deps, files, pathBlob) {
   const signals = [];
   for (const dep of deps) {
-    if ((rule.packages ?? []).some((pattern) => testRegex(pattern, dep))) {
+    if ((rule2.packages ?? []).some((pattern) => testRegex(pattern, dep))) {
       addSignal(signals, `package: ${dep}`);
     }
   }
   const upperContents = files.map((file) => file.content).join("\n").toUpperCase();
-  for (const envName of rule.env ?? []) {
+  for (const envName of rule2.env ?? []) {
     if (upperContents.includes(envName.toUpperCase())) {
       addSignal(signals, `env: ${envName}`);
     }
   }
-  const pathLines = pathBlob.split(/\r?\n/).map((path) => path.trim()).filter(Boolean);
-  for (const path of pathLines) {
-    if ((rule.paths ?? []).some((pattern) => testRegex(pattern, path))) {
-      addSignal(signals, `${pathSignalPrefix(path)}: ${path}`);
+  const pathLines = pathBlob.split(/\r?\n/).map((path3) => path3.trim()).filter(Boolean);
+  for (const path3 of pathLines) {
+    if ((rule2.paths ?? []).some((pattern) => testRegex(pattern, path3))) {
+      addSignal(signals, `${pathSignalPrefix(path3)}: ${path3}`);
     }
   }
   for (const file of files) {
-    for (const importName of rule.imports ?? []) {
+    for (const importName of rule2.imports ?? []) {
       if (containsImport(file.lowerContent, importName)) {
         addSignal(signals, `import: ${importName}`);
       }
     }
-    for (const item3 of rule.content ?? []) {
+    for (const item3 of rule2.content ?? []) {
       if (testRegex(item3.pattern, file.content)) {
         addSignal(signals, item3.signal);
       }
     }
     if (isDocsPath(file.path)) {
-      for (const docsTerm of rule.docs ?? []) {
+      for (const docsTerm of rule2.docs ?? []) {
         if (file.lowerContent.includes(docsTerm.toLowerCase())) {
-          addSignal(signals, `docs: ${file.displayPath} mentions ${rule.label}`);
+          addSignal(signals, `docs: ${file.displayPath} mentions ${rule2.label}`);
           break;
         }
       }
@@ -3056,14 +3059,14 @@ function containsImport(content, importName) {
   const escaped = importName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&").toLowerCase();
   return new RegExp(`(?:from\\s+['"]${escaped}['"]|import\\s*\\(\\s*['"]${escaped}['"]|require\\s*\\(\\s*['"]${escaped}['"])`).test(content);
 }
-function isDocsPath(path) {
-  return /(^|\/)(readme|product|spec)\.md$/.test(path) || /(^|\/)docs\/.*\.md$/.test(path);
+function isDocsPath(path3) {
+  return /(^|\/)(readme|product|spec)\.md$/.test(path3) || /(^|\/)docs\/.*\.md$/.test(path3);
 }
-function pathSignalPrefix(path) {
-  if (/webhook|checkout|billing|api\/|route\.[jt]s$/.test(path)) {
+function pathSignalPrefix(path3) {
+  if (/webhook|checkout|billing|api\/|route\.[jt]s$/.test(path3)) {
     return "route";
   }
-  if (/config|\.json$|\.toml$|\.ya?ml$/.test(path)) {
+  if (/config|\.json$|\.toml$|\.ya?ml$/.test(path3)) {
     return "config";
   }
   return "file";
@@ -3074,19 +3077,19 @@ function addSignal(signals, signal) {
   }
 }
 function freezeProviderRules(rules) {
-  for (const rule of rules) {
-    Object.freeze(rule.packages ?? []);
-    Object.freeze(rule.env ?? []);
-    Object.freeze(rule.paths ?? []);
-    Object.freeze(rule.imports ?? []);
-    Object.freeze(rule.docs ?? []);
-    if (rule.content) {
-      for (const item3 of rule.content) {
+  for (const rule2 of rules) {
+    Object.freeze(rule2.packages ?? []);
+    Object.freeze(rule2.env ?? []);
+    Object.freeze(rule2.paths ?? []);
+    Object.freeze(rule2.imports ?? []);
+    Object.freeze(rule2.docs ?? []);
+    if (rule2.content) {
+      for (const item3 of rule2.content) {
         Object.freeze(item3);
       }
-      Object.freeze(rule.content);
+      Object.freeze(rule2.content);
     }
-    Object.freeze(rule);
+    Object.freeze(rule2);
   }
   return Object.freeze(rules);
 }
@@ -3214,8 +3217,8 @@ function normalizeSelectedAt(value) {
   }
   return null;
 }
-function normalizePath(path) {
-  return path.replace(/\\/g, "/").toLowerCase();
+function normalizePath(path3) {
+  return path3.replace(/\\/g, "/").toLowerCase();
 }
 function isObject(value) {
   return typeof value === "object" && value !== null;
@@ -3243,8 +3246,8 @@ var WEAK_PATH_SEGMENTS = /* @__PURE__ */ new Set([
   "demo"
 ]);
 var TEST_FILE_PATTERN = /\.(test|spec)\.[jt]sx?$/;
-function classifyProviderEvidencePath(path) {
-  const normalized = normalizePath2(path);
+function classifyProviderEvidencePath(path3) {
+  const normalized = normalizePath2(path3);
   const segments = normalized.split("/").filter(Boolean);
   if (isDocsLikePath(normalized) || segments.some((segment) => WEAK_PATH_SEGMENTS.has(segment)) || TEST_FILE_PATTERN.test(normalized)) {
     return "weak";
@@ -3259,14 +3262,14 @@ function buildProviderTruthSnapshot(input) {
   const rowsByArea = {};
   void input.mcpVerifierState;
   void input.verificationLayer;
-  for (const rule of PROVIDER_RULES) {
-    const evidence = collectProviderTruthEvidence(rule, deps, files, pathLines);
-    const selected = choices.choices[rule.area]?.provider === rule.provider;
+  for (const rule2 of PROVIDER_RULES) {
+    const evidence = collectProviderTruthEvidence(rule2, deps, files, pathLines);
+    const selected = choices.choices[rule2.area]?.provider === rule2.provider;
     if (evidence.length === 0 && !selected) {
       continue;
     }
-    const row = buildRow(rule, evidence, selected);
-    rowsByArea[rule.area] = [...rowsByArea[rule.area] ?? [], row];
+    const row = buildRow(rule2, evidence, selected);
+    rowsByArea[rule2.area] = [...rowsByArea[rule2.area] ?? [], row];
   }
   for (const [area, choice] of Object.entries(choices.choices)) {
     if (!choice) {
@@ -3298,32 +3301,32 @@ function buildProviderTruthSnapshot(input) {
     summary
   };
 }
-function collectProviderTruthEvidence(rule, deps, files, pathLines) {
+function collectProviderTruthEvidence(rule2, deps, files, pathLines) {
   const evidence = [];
   for (const dep of deps) {
-    if ((rule.packages ?? []).some((pattern) => testRegex2(pattern, dep))) {
-      addEvidence(evidence, rule, {
+    if ((rule2.packages ?? []).some((pattern) => testRegex2(pattern, dep))) {
+      addEvidence(evidence, rule2, {
         kind: "package-installed",
         strength: "medium",
-        label: `${rule.label} package installed`,
+        label: `${rule2.label} package installed`,
         detail: dep,
         points: 20,
         isRuntimeEvidence: false
       });
     }
   }
-  for (const path of pathLines) {
-    if (!(rule.paths ?? []).some((pattern) => testRegex2(pattern, path))) {
+  for (const path3 of pathLines) {
+    if (!(rule2.paths ?? []).some((pattern) => testRegex2(pattern, path3))) {
       continue;
     }
-    const pathClass = classifyProviderEvidencePath(path);
-    const kind = weakPathKind(path, "active-runtime-route") ?? routeKind(path);
-    addEvidence(evidence, rule, {
+    const pathClass = classifyProviderEvidencePath(path3);
+    const kind = weakPathKind(path3, "active-runtime-route") ?? routeKind(path3);
+    addEvidence(evidence, rule2, {
       kind,
       strength: pathClass === "runtime" ? "strong" : "weak",
-      label: `${rule.label} ${pathClass === "runtime" ? "runtime route or path" : "weak path reference"}`,
-      file: path,
-      points: pathClass === "runtime" ? 35 : weakEvidencePoints(path),
+      label: `${rule2.label} ${pathClass === "runtime" ? "runtime route or path" : "weak path reference"}`,
+      file: path3,
+      points: pathClass === "runtime" ? 35 : weakEvidencePoints(path3),
       isRuntimeEvidence: pathClass === "runtime"
     });
   }
@@ -3331,45 +3334,45 @@ function collectProviderTruthEvidence(rule, deps, files, pathLines) {
     const pathClass = classifyProviderEvidencePath(file.path);
     const sourceContent = pathClass === "runtime" ? file.executableContent : file.content;
     const sourceLowerContent = pathClass === "runtime" ? file.lowerExecutableContent : file.lowerContent;
-    for (const envName of rule.env ?? []) {
+    for (const envName of rule2.env ?? []) {
       if (!sourceContent.toUpperCase().includes(envName.toUpperCase())) {
         continue;
       }
-      addEvidence(evidence, rule, {
+      addEvidence(evidence, rule2, {
         kind: pathClass === "runtime" ? "runtime-env-usage" : "env-name-only",
         strength: pathClass === "runtime" ? "medium" : "weak",
-        label: `${rule.label} env name ${pathClass === "runtime" ? "used in runtime source" : "mentioned outside runtime source"}`,
+        label: `${rule2.label} env name ${pathClass === "runtime" ? "used in runtime source" : "mentioned outside runtime source"}`,
         file: file.displayPath,
         detail: envName,
         points: pathClass === "runtime" ? 20 : weakEvidencePoints(file.path),
         isRuntimeEvidence: pathClass === "runtime"
       });
     }
-    for (const importName of rule.imports ?? []) {
+    for (const importName of rule2.imports ?? []) {
       if (!containsImport2(sourceLowerContent, importName)) {
         continue;
       }
       const weakKind = weakPathKind(file.path, "sdk-import-source");
-      addEvidence(evidence, rule, {
+      addEvidence(evidence, rule2, {
         kind: weakKind ?? "sdk-import-source",
         strength: pathClass === "runtime" ? "strong" : "weak",
-        label: `${rule.label} SDK import ${pathClass === "runtime" ? "in runtime source" : "outside runtime source"}`,
+        label: `${rule2.label} SDK import ${pathClass === "runtime" ? "in runtime source" : "outside runtime source"}`,
         file: file.displayPath,
         detail: importName,
         points: pathClass === "runtime" ? 35 : weakEvidencePoints(file.path),
         isRuntimeEvidence: pathClass === "runtime"
       });
     }
-    for (const item3 of rule.content ?? []) {
+    for (const item3 of rule2.content ?? []) {
       if (!testRegex2(item3.pattern, sourceContent)) {
         continue;
       }
       const strongKind = contentSignalKind(item3.signal);
       const weakKind = weakPathKind(file.path, strongKind);
-      addEvidence(evidence, rule, {
+      addEvidence(evidence, rule2, {
         kind: weakKind ?? strongKind,
         strength: pathClass === "runtime" ? "strong" : "weak",
-        label: `${rule.label} ${pathClass === "runtime" ? "runtime content signal" : "weak content reference"}`,
+        label: `${rule2.label} ${pathClass === "runtime" ? "runtime content signal" : "weak content reference"}`,
         file: file.displayPath,
         detail: item3.signal,
         points: pathClass === "runtime" ? 35 : weakEvidencePoints(file.path),
@@ -3377,14 +3380,14 @@ function collectProviderTruthEvidence(rule, deps, files, pathLines) {
       });
     }
     if (isDocsLikePath(file.path)) {
-      for (const docsTerm of rule.docs ?? []) {
+      for (const docsTerm of rule2.docs ?? []) {
         if (!file.lowerContent.includes(docsTerm.toLowerCase())) {
           continue;
         }
-        addEvidence(evidence, rule, {
+        addEvidence(evidence, rule2, {
           kind: "docs-mention",
           strength: "weak",
-          label: `${rule.label} mentioned in docs`,
+          label: `${rule2.label} mentioned in docs`,
           file: file.displayPath,
           detail: docsTerm,
           points: 4,
@@ -3396,16 +3399,16 @@ function collectProviderTruthEvidence(rule, deps, files, pathLines) {
   }
   return evidence.sort(compareEvidence);
 }
-function buildRow(rule, evidence, selected) {
+function buildRow(rule2, evidence, selected) {
   const score = evidence.reduce((total, item3) => total + item3.points, 0);
   const roles = rolesForEvidence(evidence, selected);
-  applyMcpSupportRoles(rule.provider, roles);
+  applyMcpSupportRoles(rule2.provider, roles);
   const confidence = confidenceForEvidence(evidence, roles);
-  const mcpProof = mcpProofForProvider(rule.provider);
+  const mcpProof = mcpProofForProvider(rule2.provider);
   return {
-    area: rule.area,
-    provider: rule.provider,
-    providerLabel: providerLabel(rule.provider),
+    area: rule2.area,
+    provider: rule2.provider,
+    providerLabel: providerLabel(rule2.provider),
     roles,
     confidence,
     score,
@@ -3662,10 +3665,10 @@ function statusBadgesForRoles(roles, confidence) {
   badges.push(confidence.toUpperCase());
   return badges;
 }
-function addEvidence(evidence, rule, item3) {
+function addEvidence(evidence, rule2, item3) {
   const id = [
-    rule.area,
-    rule.provider,
+    rule2.area,
+    rule2.provider,
     item3.kind,
     item3.file ?? "",
     item3.detail ?? item3.label
@@ -3680,29 +3683,29 @@ function addEvidence(evidence, rule, item3) {
     isManualProof: false
   });
 }
-function weakPathKind(path, fallback) {
-  if (classifyProviderEvidencePath(path) === "runtime") {
+function weakPathKind(path3, fallback) {
+  if (classifyProviderEvidencePath(path3) === "runtime") {
     return null;
   }
-  if (isDocsLikePath(path)) {
+  if (isDocsLikePath(path3)) {
     return "docs-mention";
   }
-  if (/(^|\/)(__tests__|tests)(\/|$)|\.(test|spec)\.[jt]sx?$/.test(normalizePath2(path))) {
+  if (/(^|\/)(__tests__|tests)(\/|$)|\.(test|spec)\.[jt]sx?$/.test(normalizePath2(path3))) {
     return "test-reference";
   }
-  if (/(^|\/)(tmp|out|outputs|videos|marketing|examples|demo)(\/|$)/.test(normalizePath2(path))) {
+  if (/(^|\/)(tmp|out|outputs|videos|marketing|examples|demo)(\/|$)/.test(normalizePath2(path3))) {
     return "tmp-demo-example";
   }
   return fallback;
 }
-function routeKind(path) {
-  if (/webhook/.test(path)) {
+function routeKind(path3) {
+  if (/webhook/.test(path3)) {
     return "webhook-handler";
   }
-  if (/checkout|billing/.test(path)) {
+  if (/checkout|billing/.test(path3)) {
     return "checkout-handler";
   }
-  if (/config|\.json$|\.toml$|\.ya?ml$/.test(path)) {
+  if (/config|\.json$|\.toml$|\.ya?ml$/.test(path3)) {
     return "deployment-config";
   }
   return "active-runtime-route";
@@ -3719,11 +3722,11 @@ function contentSignalKind(signal) {
   }
   return "active-runtime-route";
 }
-function weakEvidencePoints(path) {
-  if (isDocsLikePath(path)) {
+function weakEvidencePoints(path3) {
+  if (isDocsLikePath(path3)) {
     return 4;
   }
-  if (/(^|\/)(__tests__|tests)(\/|$)|\.(test|spec)\.[jt]sx?$/.test(normalizePath2(path))) {
+  if (/(^|\/)(__tests__|tests)(\/|$)|\.(test|spec)\.[jt]sx?$/.test(normalizePath2(path3))) {
     return 6;
   }
   return 8;
@@ -3742,8 +3745,8 @@ function toScannableFile(file) {
 }
 function collectPathLines(scan, files) {
   const paths = /* @__PURE__ */ new Set();
-  for (const path of scan.fileTree.split(/\r?\n/)) {
-    const normalized = normalizePath2(path.trim());
+  for (const path3 of scan.fileTree.split(/\r?\n/)) {
+    const normalized = normalizePath2(path3.trim());
     if (normalized) {
       paths.add(normalized);
     }
@@ -3757,8 +3760,8 @@ function containsImport2(content, importName) {
   const escaped = importName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&").toLowerCase();
   return new RegExp(`(?:from\\s+['"]${escaped}['"]|import\\s*\\(\\s*['"]${escaped}['"]|require\\s*\\(\\s*['"]${escaped}['"])`).test(content);
 }
-function isDocsLikePath(path) {
-  const normalized = normalizePath2(path);
+function isDocsLikePath(path3) {
+  const normalized = normalizePath2(path3);
   return /(^|\/)(readme|product|spec)\.mdx?$/.test(normalized) || /(^|\/)docs\/.*\.mdx?$/.test(normalized);
 }
 function stripComments(content) {
@@ -3770,8 +3773,8 @@ function compareRows(a, b3) {
 function compareEvidence(a, b3) {
   return b3.points - a.points || a.kind.localeCompare(b3.kind) || (a.file ?? "").localeCompare(b3.file ?? "");
 }
-function normalizePath2(path) {
-  return path.replace(/\\/g, "/").toLowerCase();
+function normalizePath2(path3) {
+  return path3.replace(/\\/g, "/").toLowerCase();
 }
 function rowPriority(row) {
   if (row.roles.includes("live-verified")) {
@@ -3966,8 +3969,8 @@ Return ONLY the JSON object \u2014 no markdown, no explanation.
 }
 
 // ../../src/station/envEvidence.ts
-function normalizeEvidencePath(path) {
-  return path.replace(/\\/g, "/");
+function normalizeEvidencePath(path3) {
+  return path3.replace(/\\/g, "/");
 }
 function uniquePaths(paths) {
   return Array.from(new Set(paths.map(normalizeEvidencePath)));
@@ -4035,7 +4038,7 @@ function collectEnvVarEvidence(scan, names) {
         present: true,
         mode,
         source: "non-secret-content",
-        evidence: uniquePaths(contentEvidence).map((path) => `file: ${path}`)
+        evidence: uniquePaths(contentEvidence).map((path3) => `file: ${path3}`)
       };
     }
     if (nonEmptyAssignmentEvidence.length > 0) {
@@ -4044,7 +4047,7 @@ function collectEnvVarEvidence(scan, names) {
         present: true,
         mode: "unknown",
         source: "non-secret-content",
-        evidence: uniquePaths(nonEmptyAssignmentEvidence).map((path) => `file: ${path}`)
+        evidence: uniquePaths(nonEmptyAssignmentEvidence).map((path3) => `file: ${path3}`)
       };
     }
     if (nameOnlyEvidence.length > 0) {
@@ -4053,7 +4056,7 @@ function collectEnvVarEvidence(scan, names) {
         present: true,
         mode: "unknown",
         source: "variable-name-only",
-        evidence: uniquePaths(nameOnlyEvidence).map((path) => `file: ${path}`)
+        evidence: uniquePaths(nameOnlyEvidence).map((path3) => `file: ${path3}`)
       };
     }
     if (secretEvidence.length > 0) {
@@ -4062,7 +4065,7 @@ function collectEnvVarEvidence(scan, names) {
         present: false,
         mode: "unknown",
         source: "secret-file-path",
-        evidence: secretEvidence.map((path) => `secret file: ${path}`)
+        evidence: secretEvidence.map((path3) => `secret file: ${path3}`)
       };
     }
     return {
@@ -4157,10 +4160,10 @@ ${pathBlob}`),
 function visibleFiles(scan) {
   return scan.files.filter((file) => !file.isSecret && typeof file.content === "string");
 }
-function foundOrMissing(id, label, found, evidence) {
+function foundOrMissing(id, label2, found, evidence) {
   return {
     id,
-    label,
+    label: label2,
     status: found ? "found" : "missing",
     evidence: unique(evidence).slice(0, 6)
   };
@@ -4197,7 +4200,7 @@ function evidenceFor(files, pattern) {
   return files.filter((file) => pattern.test(file.content)).map((file) => `file: ${normalizePath3(file.path)}`).slice(0, 6);
 }
 function pathEvidence(scan, pattern) {
-  return scan.files.map((file) => normalizePath3(file.path)).filter((path) => pattern.test(path)).map((path) => `file: ${path}`).slice(0, 6);
+  return scan.files.map((file) => normalizePath3(file.path)).filter((path3) => pattern.test(path3)).map((path3) => `file: ${path3}`).slice(0, 6);
 }
 function isClientReachableFile(file) {
   const content = file.content;
@@ -4213,22 +4216,22 @@ function isClientReachableFile(file) {
 function hasUseClientDirective(content) {
   return /^(?:\s|;|\/\/[^\n]*(?:\n|$)|\/\*[\s\S]*?\*\/)*['"]use client['"]/.test(content);
 }
-function isBrowserOnlyPath(path) {
-  const normalized = normalizePath3(path).toLowerCase();
-  if (isServerOnlyPath(path)) {
+function isBrowserOnlyPath(path3) {
+  const normalized = normalizePath3(path3).toLowerCase();
+  if (isServerOnlyPath(path3)) {
     return false;
   }
   return /(^|\/)(components|hooks|contexts|providers)\//.test(normalized) || /\.(jsx|tsx)$/.test(normalized);
 }
-function isServerOnlyPath(path) {
-  const normalized = normalizePath3(path).toLowerCase();
+function isServerOnlyPath(path3) {
+  const normalized = normalizePath3(path3).toLowerCase();
   return /\/api\/|app\/api\/|pages\/api\/|route\.[jt]s$|\.server\.[jt]sx?$|\/server\//.test(normalized);
 }
-function isEnvOrDocPath(path) {
-  return ENV_OR_DOC_PATH.test(normalizePath3(path).toLowerCase());
+function isEnvOrDocPath(path3) {
+  return ENV_OR_DOC_PATH.test(normalizePath3(path3).toLowerCase());
 }
-function normalizePath3(path) {
-  return path.replace(/\\/g, "/");
+function normalizePath3(path3) {
+  return path3.replace(/\\/g, "/");
 }
 function unique(values) {
   return [...new Set(values)];
@@ -5339,7 +5342,7 @@ ${scan.files.map((file) => file.path).join("\n")}`.replace(/\\/g, "/").toLowerCa
   ];
   const passedCount = items.filter((entry) => entry.status === "passed").length;
   const totalCount = items.length;
-  const readinessPercent = Math.round(passedCount / Math.max(totalCount, 1) * 100);
+  const readinessPercent2 = Math.round(passedCount / Math.max(totalCount, 1) * 100);
   return {
     key: "supabase-database",
     provider: "supabase",
@@ -5350,7 +5353,7 @@ ${scan.files.map((file) => file.path).join("\n")}`.replace(/\\/g, "/").toLowerCa
     items,
     passedCount,
     totalCount,
-    readinessPercent
+    readinessPercent: readinessPercent2
   };
 }
 function visibleFiles2(scan) {
@@ -5361,10 +5364,10 @@ function visibleFiles2(scan) {
     lowerContent: file.content.toLowerCase()
   }));
 }
-function item(id, label, passed, evidence, promptHint) {
+function item(id, label2, passed, evidence, promptHint) {
   return {
     id,
-    label,
+    label: label2,
     status: passed ? "passed" : "missing",
     evidence,
     promptHint
@@ -5394,7 +5397,7 @@ function hasSupabaseClient(files, pathBlob) {
 }
 function clientEvidence(files, pathBlob) {
   const evidence = [];
-  const pathMatch = pathBlob.split(/\r?\n/).find((path) => /(^|\/)(lib|utils|src\/lib|src\/utils)\/supabase\.[jt]s\b/i.test(path));
+  const pathMatch = pathBlob.split(/\r?\n/).find((path3) => /(^|\/)(lib|utils|src\/lib|src\/utils)\/supabase\.[jt]s\b/i.test(path3));
   if (pathMatch) {
     evidence.push(`file: ${pathMatch}`);
   }
@@ -5411,11 +5414,11 @@ function hasSchemaOrMigration(files, pathBlob) {
   return /(^|\n|\/)supabase\/migrations\/[^/\n]+\.sql\b/i.test(pathBlob) || /(^|\n|\/)(migrations?|schema)\/[^/\n]+\.(sql|ts|js)\b/i.test(pathBlob) || files.some((file) => /create\s+table|alter\s+table/i.test(file.content));
 }
 function schemaEvidence(files, pathBlob) {
-  const path = pathBlob.split(/\r?\n/).find(
+  const path3 = pathBlob.split(/\r?\n/).find(
     (entry) => /(^|\/)supabase\/migrations\/[^/]+\.sql\b/i.test(entry) || /(^|\/)(migrations?|schema)\/[^/]+\.(sql|ts|js)\b/i.test(entry)
   );
-  if (path) {
-    return [`schema: ${path}`];
+  if (path3) {
+    return [`schema: ${path3}`];
   }
   const file = files.find((entry) => /create\s+table|alter\s+table/i.test(entry.content));
   return file ? [`schema: ${file.path}`] : [];
@@ -5424,9 +5427,9 @@ function hasRlsEvidence(files, pathBlob) {
   return /\/policies\/|_rls\.sql|\brls\b/i.test(pathBlob) || files.some((file) => /enable\s+row\s+level\s+security|create\s+policy|alter\s+table[\s\S]{0,200}enable\s+row\s+level/i.test(file.content));
 }
 function rlsEvidence(files, pathBlob) {
-  const path = pathBlob.split(/\r?\n/).find((entry) => /\/policies\/|_rls\.sql|\brls\b/i.test(entry));
-  if (path) {
-    return [`rls: ${path}`];
+  const path3 = pathBlob.split(/\r?\n/).find((entry) => /\/policies\/|_rls\.sql|\brls\b/i.test(entry));
+  if (path3) {
+    return [`rls: ${path3}`];
   }
   const file = files.find((entry) => /enable\s+row\s+level\s+security|create\s+policy|alter\s+table[\s\S]{0,200}enable\s+row\s+level/i.test(entry.content));
   return file ? [`rls: ${file.path}`] : [];
@@ -5435,11 +5438,11 @@ function hasGeneratedTypes(files, pathBlob) {
   return /database\.types\.[jt]s\b|supabase.*types\.[jt]s\b|types\/database\.[jt]s\b/i.test(pathBlob) || files.some((file) => /export\s+type\s+database\b|export\s+interface\s+database\b/i.test(file.content));
 }
 function generatedTypeEvidence(files, pathBlob) {
-  const path = pathBlob.split(/\r?\n/).find(
+  const path3 = pathBlob.split(/\r?\n/).find(
     (entry) => /database\.types\.[jt]s\b|supabase.*types\.[jt]s\b|types\/database\.[jt]s\b/i.test(entry)
   );
-  if (path) {
-    return [`types: ${path}`];
+  if (path3) {
+    return [`types: ${path3}`];
   }
   const file = files.find((entry) => /export\s+type\s+database\b|export\s+interface\s+database\b/i.test(entry.content));
   return file ? [`types: ${file.path}`] : [];
@@ -5456,8 +5459,8 @@ function serviceRoleSafetyItem(files) {
     promptHint: "Move service-role usage to server-only code and use public anon keys in frontend clients."
   };
 }
-function isClientExecutedPath(path) {
-  return /\.(tsx|jsx)$/.test(path) || /(^|\/)(components|pages|app|client|frontend|web)\//.test(path) || /\.client\.[jt]sx?$/.test(path);
+function isClientExecutedPath(path3) {
+  return /\.(tsx|jsx)$/.test(path3) || /(^|\/)(components|pages|app|client|frontend|web)\//.test(path3) || /\.client\.[jt]sx?$/.test(path3);
 }
 
 // ../../src/station/stackWiring.ts
@@ -6282,7 +6285,7 @@ function analyzeSecretsHygiene(ctx) {
     promptSubject: "secrets hygiene",
     items: [
       item2("env-example-found", "Env example or docs found", Boolean(ctx.scan.stackSignals.hasEnvExample) || /\.env\.example|env\.example|environment variables/i.test(ctx.pathBlob + "\n" + ctx.contentBlob), pathEvidence2(ctx, /\.env\.example|env\.example/i), "Add an env example or setup docs with variable names only."),
-      item2("secret-files-ignored", "Secret files detected as private", Array.isArray(ctx.scan.secretsFound) && ctx.scan.secretsFound.length > 0, ctx.scan.secretsFound.slice(0, 4).map((path) => `secret file: ${path}`), "Keep real .env files private and out of copied prompts or docs."),
+      item2("secret-files-ignored", "Secret files detected as private", Array.isArray(ctx.scan.secretsFound) && ctx.scan.secretsFound.length > 0, ctx.scan.secretsFound.slice(0, 4).map((path3) => `secret file: ${path3}`), "Keep real .env files private and out of copied prompts or docs."),
       item2("frontend-secrets-clean", "No obvious frontend secret exposure found", unsafePublicSecret.length === 0, unsafePublicSecret.slice(0, 4).map((file) => `unsafe reference: ${file.path}`), "Move secret values and private keys out of frontend/client-executed files."),
       item2("gitignore-env-found", "Env files ignored by git", /\.gitignore/i.test(ctx.pathBlob) && /\.env/i.test(ctx.contentBlob), pathEvidence2(ctx, /\.gitignore/i), "Ensure .gitignore excludes real .env files while keeping .env.example committed."),
       manualItem("production-secret-rotation-checked", "Production secret rotation checked", "Confirm production secrets can be rotated and revoked in provider dashboards.")
@@ -6358,29 +6361,29 @@ function summarize(summary) {
     readinessPercent: Math.round(passedCount / Math.max(totalCount, 1) * 100)
   };
 }
-function item2(id, label, passed, evidence, promptHint) {
+function item2(id, label2, passed, evidence, promptHint) {
   return {
     id,
-    label,
+    label: label2,
     status: passed ? "passed" : "missing",
     evidence,
     promptHint
   };
 }
-function manualItem(id, label, promptHint) {
+function manualItem(id, label2, promptHint) {
   return {
     id,
-    label,
+    label: label2,
     status: "manual",
     evidence: [],
     promptHint
   };
 }
-function secretSafetyItem(ctx, id, label, pattern, promptHint) {
+function secretSafetyItem(ctx, id, label2, pattern, promptHint) {
   const exposed = ctx.files.filter((file) => isClientExecutedPath2(file.normalizedPath) && pattern.test(file.content));
   return {
     id,
-    label,
+    label: label2,
     status: exposed.length > 0 ? "missing" : "passed",
     evidence: exposed.slice(0, 4).map((file) => `unsafe reference: ${file.path}`),
     promptHint
@@ -6405,13 +6408,13 @@ function envEvidence2(ctx, patterns) {
   return evidence.slice(0, 4);
 }
 function pathEvidence2(ctx, pattern) {
-  return ctx.pathBlob.split(/\r?\n/).filter((path) => pattern.test(path)).slice(0, 4).map((path) => `file: ${path}`);
+  return ctx.pathBlob.split(/\r?\n/).filter((path3) => pattern.test(path3)).slice(0, 4).map((path3) => `file: ${path3}`);
 }
 function fileEvidence(ctx, pattern) {
   return ctx.files.filter((file) => pattern.test(file.path) || pattern.test(file.content)).slice(0, 4).map((file) => `file: ${file.path}`);
 }
-function isClientExecutedPath2(path) {
-  return /\.(tsx|jsx)$/.test(path) || /(^|\/)(components|pages|app|client|frontend|web)\//.test(path) || /\.client\.[jt]sx?$/.test(path);
+function isClientExecutedPath2(path3) {
+  return /\.(tsx|jsx)$/.test(path3) || /(^|\/)(components|pages|app|client|frontend|web)\//.test(path3) || /\.client\.[jt]sx?$/.test(path3);
 }
 
 // ../../src/station/verification.ts
@@ -6540,27 +6543,27 @@ function emptyArea(area) {
     manual: []
   };
 }
-function normalizePath4(path) {
-  return path.replace(/\\/g, "/").replace(/^[\s\u2500\u2502\u2514\u251c>*+-]+/u, "").trim().toLowerCase();
+function normalizePath4(path3) {
+  return path3.replace(/\\/g, "/").replace(/^[\s\u2500\u2502\u2514\u251c>*+-]+/u, "").trim().toLowerCase();
 }
-function addFound(area, label, source, detail) {
-  addItem(area, "found", label, source, detail);
+function addFound(area, label2, source, detail) {
+  addItem(area, "found", label2, source, detail);
 }
-function addMissing(area, label, source, detail) {
-  addItem(area, "missing", label, source, detail);
+function addMissing(area, label2, source, detail) {
+  addItem(area, "missing", label2, source, detail);
 }
-function addManual(area, label, source, detail) {
-  addItem(area, "manual", label, source, detail);
+function addManual(area, label2, source, detail) {
+  addItem(area, "manual", label2, source, detail);
 }
-function addItem(area, status, label, source, detail) {
-  const item3 = compactItem(label, status, source, detail);
+function addItem(area, status, label2, source, detail) {
+  const item3 = compactItem(label2, status, source, detail);
   const bucket = area[status];
   if (!bucket.some((existing) => existing.label === item3.label)) {
     bucket.push(item3);
   }
 }
-function compactItem(label, status, source, detail) {
-  return detail ? { label, status, source, detail } : { label, status, source };
+function compactItem(label2, status, source, detail) {
+  return detail ? { label: label2, status, source, detail } : { label: label2, status, source };
 }
 function hasDep(ctx, patterns) {
   return patterns.some((pattern) => {
@@ -6569,7 +6572,7 @@ function hasDep(ctx, patterns) {
   });
 }
 function hasPath(ctx, patterns) {
-  return [...ctx.paths].some((path) => !ctx.secretPaths.has(path) && patterns.some((pattern) => pattern.test(path)));
+  return [...ctx.paths].some((path3) => !ctx.secretPaths.has(path3) && patterns.some((pattern) => pattern.test(path3)));
 }
 function hasContent(ctx, patterns) {
   return patterns.some((pattern) => pattern.test(ctx.contents));
@@ -7138,7 +7141,7 @@ var mockGitHubVerifier = {
         providerObservationMet: false,
         fixType: "mcp-connect",
         severity: "warning",
-        repoSignals: workflows.map((path) => `workflow: ${path}`),
+        repoSignals: workflows.map((path3) => `workflow: ${path3}`),
         providerSignals: ["GitHub Actions API or MCP"],
         requiredEvidence: ["Latest workflow run status on default branch"]
       }),
@@ -7193,7 +7196,7 @@ var mockGitHubVerifier = {
         providerActual: "Not verified (mock \u2014 connect GitHub MCP read-only)",
         severity: "warning",
         suggestedFix: "mcp-connect",
-        evidenceRefs: workflows.map((path) => `workflow: ${path}`)
+        evidenceRefs: workflows.map((path3) => `workflow: ${path3}`)
       }
     ];
   }
@@ -7992,15 +7995,15 @@ async function runProjectScan(options) {
 
 // src/artifacts.ts
 var import_promises5 = require("node:fs/promises");
-var import_node_path9 = require("node:path");
+var import_node_path8 = require("node:path");
 
 // src/capabilities/classify.ts
-function gapText(gap) {
-  return `${gap.id} ${gap.title} ${gap.detail} ${gap.primaryMapCategory}`.toLowerCase();
+function gapText(gap2) {
+  return `${gap2.id} ${gap2.title} ${gap2.detail} ${gap2.primaryMapCategory}`.toLowerCase();
 }
 function statusForGaps(gaps) {
-  if (gaps.some((gap) => gap.severity === "critical")) return "critical";
-  if (gaps.some((gap) => gap.severity === "warning")) return "warning";
+  if (gaps.some((gap2) => gap2.severity === "critical")) return "critical";
+  if (gaps.some((gap2) => gap2.severity === "warning")) return "warning";
   if (gaps.length > 0) return "warning";
   return "unknown";
 }
@@ -8020,12 +8023,12 @@ function capabilityFromArea(area) {
 // src/capabilities/database.ts
 var databasePack = {
   key: "database",
-  classify(gap) {
-    const text = gapText(gap);
+  classify(gap2) {
+    const text = gapText(gap2);
     return /database|supabase|rls|migration|postgres|pooler|query/.test(text);
   },
-  riskTags(gap) {
-    const text = gapText(gap);
+  riskTags(gap2) {
+    const text = gapText(gap2);
     return [
       text.includes("rls") ? "rls" : "",
       text.includes("migration") ? "migration" : "",
@@ -8037,12 +8040,12 @@ var databasePack = {
 // src/capabilities/payments.ts
 var paymentsPack = {
   key: "payments",
-  classify(gap) {
-    const text = gapText(gap);
+  classify(gap2) {
+    const text = gapText(gap2);
     return /payment|stripe|checkout|billing|entitlement|subscription|refund|cancel/.test(text);
   },
-  riskTags(gap) {
-    const text = gapText(gap);
+  riskTags(gap2) {
+    const text = gapText(gap2);
     return [
       text.includes("entitlement") ? "entitlement-source" : "",
       text.includes("checkout") ? "checkout-flow" : "",
@@ -8054,12 +8057,12 @@ var paymentsPack = {
 // src/capabilities/scaling.ts
 var scalingPack = {
   key: "scaling",
-  classify(gap) {
-    const text = gapText(gap);
+  classify(gap2) {
+    const text = gapText(gap2);
     return /serverless|vercel|pooler|rate limit|rate-limit|cache|queue|cron|worker|runtime|connection/.test(text);
   },
-  riskTags(gap) {
-    const text = gapText(gap);
+  riskTags(gap2) {
+    const text = gapText(gap2);
     return [
       text.includes("serverless") || text.includes("vercel") ? "serverless" : "",
       text.includes("pooler") || text.includes("connection") ? "db-connection" : "",
@@ -8071,12 +8074,12 @@ var scalingPack = {
 // src/capabilities/security.ts
 var securityPack = {
   key: "security",
-  classify(gap) {
-    const text = gapText(gap);
+  classify(gap2) {
+    const text = gapText(gap2);
     return /secret|service role|token|api key|auth|authorization|browser-exposed|cors|csrf|session/.test(text);
   },
-  riskTags(gap) {
-    const text = gapText(gap);
+  riskTags(gap2) {
+    const text = gapText(gap2);
     return [
       text.includes("secret") || text.includes("api key") || text.includes("service role") ? "secret-boundary" : "",
       text.includes("auth") || text.includes("authorization") ? "auth-boundary" : "",
@@ -8088,12 +8091,12 @@ var securityPack = {
 // src/capabilities/webhooks.ts
 var webhooksPack = {
   key: "webhooks",
-  classify(gap) {
-    const text = gapText(gap);
+  classify(gap2) {
+    const text = gapText(gap2);
     return /webhook|signature|idempotency|retry|replay|dead-letter/.test(text);
   },
-  riskTags(gap) {
-    const text = gapText(gap);
+  riskTags(gap2) {
+    const text = gapText(gap2);
     return [
       text.includes("signature") ? "signature" : "",
       text.includes("idempotency") ? "idempotency" : "",
@@ -8104,10 +8107,10 @@ var webhooksPack = {
 
 // src/capabilities/index.ts
 var PACKS = [scalingPack, securityPack, webhooksPack, paymentsPack, databasePack];
-function classifyGapCapability(gap) {
-  const direct = PACKS.find((pack) => pack.classify(gap));
+function classifyGapCapability(gap2) {
+  const direct = PACKS.find((pack) => pack.classify(gap2));
   if (direct) return direct.key;
-  return capabilityFromArea(String(gap.primaryMapCategory)) ?? "security";
+  return capabilityFromArea(String(gap2.primaryMapCategory)) ?? "security";
 }
 function summarizeCapabilities(gaps) {
   const result = Object.fromEntries(
@@ -8117,13 +8120,13 @@ function summarizeCapabilities(gaps) {
     ])
   );
   for (const pack of PACKS) {
-    const matching = gaps.filter((gap) => classifyGapCapability(gap) === pack.key);
+    const matching = gaps.filter((gap2) => classifyGapCapability(gap2) === pack.key);
     result[pack.key] = {
       key: pack.key,
       status: statusForGaps(matching),
-      topGapIds: matching.slice(0, 5).map((gap) => gap.id),
+      topGapIds: matching.slice(0, 5).map((gap2) => gap2.id),
       evidenceCount: matching.length,
-      riskTags: unique2(matching.flatMap((gap) => pack.riskTags(gap)))
+      riskTags: unique2(matching.flatMap((gap2) => pack.riskTags(gap2)))
     };
   }
   return result;
@@ -8131,8 +8134,8 @@ function summarizeCapabilities(gaps) {
 
 // src/contracts/contextMap.ts
 function generateContextMap(artifact) {
-  const criticalCount = artifact.gaps.filter((gap) => gap.severity === "critical").length;
-  const warningCount = artifact.gaps.filter((gap) => gap.severity === "warning").length;
+  const criticalCount = artifact.gaps.filter((gap2) => gap2.severity === "critical").length;
+  const warningCount = artifact.gaps.filter((gap2) => gap2.severity === "warning").length;
   return {
     $schema: "https://viberaven.dev/schemas/context-map.schema.json",
     schemaVersion: "v1",
@@ -8165,12 +8168,12 @@ function generateContextMap(artifact) {
       warningCount,
       providerDashboardChecksRequired: true
     },
-    topGaps: artifact.gaps.slice(0, 10).map((gap) => ({
-      id: gap.id,
-      severity: gap.severity,
-      title: gap.title,
-      area: String(gap.primaryMapCategory),
-      promptCommand: promptGapCommand(gap.id)
+    topGaps: artifact.gaps.slice(0, 10).map((gap2) => ({
+      id: gap2.id,
+      severity: gap2.severity,
+      title: gap2.title,
+      area: String(gap2.primaryMapCategory),
+      promptCommand: promptGapCommand(gap2.id)
     }))
   };
 }
@@ -8185,10 +8188,10 @@ function runIdFrom(scannedAt) {
   return `vr_${scannedAt.replace(/\D/g, "").slice(0, 14) || "scan"}`;
 }
 function generateGateResult(artifact, options = {}) {
-  const criticalCount = artifact.gaps.filter((gap) => gap.severity === "critical").length;
-  const warningCount = artifact.gaps.filter((gap) => gap.severity === "warning").length;
+  const criticalCount = artifact.gaps.filter((gap2) => gap2.severity === "critical").length;
+  const warningCount = artifact.gaps.filter((gap2) => gap2.severity === "warning").length;
   const capabilities = summarizeCapabilities(artifact.gaps);
-  const topGapIds = artifact.gaps.slice(0, 10).map((gap) => gap.id);
+  const topGapIds = artifact.gaps.slice(0, 10).map((gap2) => gap2.id);
   const firstGapId = topGapIds[0];
   return {
     $schema: "https://viberaven.dev/schemas/gate-result.schema.json",
@@ -8237,24 +8240,24 @@ function generateGateResult(artifact, options = {}) {
 }
 
 // src/contracts/gapEvidence.ts
-function summarizeGap(gap) {
-  return `${gap.title}. See the tasklist and original scan for redacted detail.`;
+function summarizeGap(gap2) {
+  return `${gap2.title}. See the tasklist and original scan for redacted detail.`;
 }
 function generateGapEvidenceFiles(artifact) {
-  return artifact.gaps.slice(0, 50).map((gap) => ({
-    path: `.viberaven/gaps/${gap.id}.json`,
+  return artifact.gaps.slice(0, 50).map((gap2) => ({
+    path: `.viberaven/gaps/${gap2.id}.json`,
     content: {
       $schema: "https://viberaven.dev/schemas/gap.schema.json",
       schemaVersion: "v1",
-      id: gap.id,
-      severity: gap.severity,
-      capability: classifyGapCapability(gap),
-      title: gap.title,
-      summary: summarizeGap(gap),
-      evidence: [{ kind: String(gap.primaryMapCategory), redacted: true }],
+      id: gap2.id,
+      severity: gap2.severity,
+      capability: classifyGapCapability(gap2),
+      title: gap2.title,
+      summary: summarizeGap(gap2),
+      evidence: [{ kind: String(gap2.primaryMapCategory), redacted: true }],
       commands: {
-        prompt: promptGapCommand(gap.id),
-        healPlan: healPlanGapCommand(gap.id),
+        prompt: promptGapCommand(gap2.id),
+        healPlan: healPlanGapCommand(gap2.id),
         verify: PUBLIC_VERIFY_COMMAND
       },
       providerBoundary: {
@@ -8303,39 +8306,6 @@ var PRODUCTION_MAP_CATEGORY_KEYS_ALL = PRODUCTION_MAP_LANES.map(
   (lane) => lane.extensionKey
 );
 
-// src/playbooks/checkMap.ts
-var CHECK_TO_PLAYBOOK = {
-  "vercel-deployment": "vercel",
-  "vercel-project": "vercel",
-  "supabase-project": "supabase",
-  "supabase-env": "supabase",
-  "stripe-webhook": "stripe",
-  "stripe-product": "stripe",
-  "stripe-keys": "stripe"
-};
-function mapCheckToPlaybook(check) {
-  if (CHECK_TO_PLAYBOOK[check.id]) {
-    return CHECK_TO_PLAYBOOK[check.id];
-  }
-  const providerKey = check.providerKey.toLowerCase();
-  if (providerKey.includes("vercel") || check.area === "deployment") {
-    return "vercel";
-  }
-  if (providerKey.includes("stripe") || check.area === "payments") {
-    return "stripe";
-  }
-  if (providerKey.includes("supabase") && check.area === "auth") {
-    return "auth-supabase";
-  }
-  if (providerKey.includes("supabase") || check.area === "database") {
-    return "supabase";
-  }
-  if (check.area === "auth") {
-    return "auth-supabase";
-  }
-  return "vercel";
-}
-
 // src/playbooks/loadPlaybook.ts
 var import_node_fs5 = require("node:fs");
 var import_promises3 = require("node:fs/promises");
@@ -8446,8 +8416,8 @@ async function loadPlaybook(provider2) {
       `Unknown provider "${provider2}". Available: ${PLAYBOOK_PROVIDERS.join(", ")}`
     );
   }
-  const path = (0, import_node_path5.join)(playbooksRoot(), `${normalized}.json`);
-  const raw = JSON.parse(await (0, import_promises3.readFile)(path, "utf-8"));
+  const path3 = (0, import_node_path5.join)(playbooksRoot(), `${normalized}.json`);
+  const raw = JSON.parse(await (0, import_promises3.readFile)(path3, "utf-8"));
   const playbook = parsePlaybook(raw);
   if (playbook.provider !== normalized) {
     throw new Error(`Playbook file ${normalized}.json has mismatched provider field`);
@@ -8461,8 +8431,8 @@ function loadPlaybookSync(provider2) {
       `Unknown provider "${provider2}". Available: ${PLAYBOOK_PROVIDERS.join(", ")}`
     );
   }
-  const path = (0, import_node_path5.join)(playbooksRoot(), `${normalized}.json`);
-  const raw = JSON.parse((0, import_node_fs5.readFileSync)(path, "utf-8"));
+  const path3 = (0, import_node_path5.join)(playbooksRoot(), `${normalized}.json`);
+  const raw = JSON.parse((0, import_node_fs5.readFileSync)(path3, "utf-8"));
   const playbook = parsePlaybook(raw);
   if (playbook.provider !== normalized) {
     throw new Error(`Playbook file ${normalized}.json has mismatched provider field`);
@@ -8470,28 +8440,35 @@ function loadPlaybookSync(provider2) {
   return playbook;
 }
 
-// src/playbooks/manualChecks.ts
-function isManualProviderCheck(check) {
-  return check.evidenceClass === "manual-dashboard" || check.evidenceClass === "mcp-verifier" || check.evidenceSource === "provider" || check.evidenceSource === "mcp" || check.status === "needs-connection" || check.status === "unknown";
+// src/providers/envKeys.ts
+var PROVIDER_DEFAULT_KEYS = {
+  stripe: ["STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET"],
+  supabase: [
+    "NEXT_PUBLIC_SUPABASE_URL",
+    "NEXT_PUBLIC_SUPABASE_ANON_KEY",
+    "SUPABASE_SERVICE_ROLE_KEY"
+  ],
+  vercel: []
+};
+var GAP_KEYS = {
+  stripe_webhook_signature_missing: ["STRIPE_WEBHOOK_SECRET"],
+  missing_prod_env_stripe_webhook_secret: ["STRIPE_WEBHOOK_SECRET"],
+  rls_disabled: ["SUPABASE_SERVICE_ROLE_KEY"]
+};
+function normalizeProvider2(provider2) {
+  const normalized = provider2.trim().toLowerCase().replace(/\s+/g, "-");
+  if (normalized === "auth-supabase" || normalized === "supabase-auth") {
+    return "supabase";
+  }
+  return normalized;
 }
-function collectManualChecks(artifact) {
-  const refs = [];
-  for (const area of artifact.missionGraph.areas ?? []) {
-    for (const mission of area.providerMissions) {
-      for (const check of mission.checks) {
-        if (!isManualProviderCheck(check)) {
-          continue;
-        }
-        refs.push({
-          areaLabel: area.label,
-          providerLabel: mission.providerLabel,
-          check,
-          mapCategory: area.key
-        });
-      }
-    }
+function envKeysForGap(gapId, provider2) {
+  const gapKeys = GAP_KEYS[gapId];
+  if (gapKeys) {
+    return [...gapKeys];
   }
-  return refs;
+  const providerKeys = PROVIDER_DEFAULT_KEYS[normalizeProvider2(provider2)];
+  return providerKeys ? [...providerKeys] : [];
 }
 
 // src/tui/menu.ts
@@ -8545,10 +8522,10 @@ function formatTopGapsList(artifact, limit = 10) {
   if (sorted.length === 0) {
     return "No gaps found \u2014 production core looks solid.";
   }
-  return sorted.slice(0, limit).map((gap, index) => {
-    const severity = gap.severity.toUpperCase().padEnd(8);
-    const area = gap.primaryMapCategory.padEnd(12);
-    return `${index + 1}. [${severity}] ${area} ${gap.title}`;
+  return sorted.slice(0, limit).map((gap2, index) => {
+    const severity = gap2.severity.toUpperCase().padEnd(8);
+    const area = gap2.primaryMapCategory.padEnd(12);
+    return `${index + 1}. [${severity}] ${area} ${gap2.title}`;
   }).join("\n");
 }
 async function loadLastArtifact(startDir) {
@@ -8556,405 +8533,673 @@ async function loadLastArtifact(startDir) {
   if (!workspace) {
     throw new ScanNotFoundError(needsScanMessage(startDir));
   }
-  const path = (0, import_node_path6.join)(getProjectArtifactsDir(workspace), "last-scan.json");
+  const path3 = (0, import_node_path6.join)(getProjectArtifactsDir(workspace), "last-scan.json");
   try {
-    const raw = await (0, import_promises4.readFile)(path, "utf-8");
+    const raw = await (0, import_promises4.readFile)(path3, "utf-8");
     return JSON.parse(raw);
   } catch {
     throw new ScanNotFoundError(needsScanMessage(startDir));
   }
 }
 
-// src/resolveNextAction.ts
-var UPGRADE_URL = "https://viberaven.dev/pricing";
-var LOCKED_LANE_LABELS = {
-  deployment: "Deployment",
-  monitoring: "Monitoring / Analytics",
-  security: "Security",
-  testing: "Testing",
-  landing: "Onboarding",
-  errorHandling: "Error handling / observability"
-};
-function unlockedKeys(artifact) {
-  const keys = artifact.usage?.unlockedMapCategoryKeys ?? FREE_TRIAL_UNLOCKED_MAP_CATEGORY_KEYS;
-  return new Set(keys);
+// src/buildTaskList.ts
+var KNOWN_RECIPE_GAP_IDS = /* @__PURE__ */ new Set([
+  // emptyCatch (original recipe)
+  "empty-catch",
+  "empty_catch",
+  "emptyCatch",
+  // W3 env-add recipes
+  "auth_secret_missing",
+  "node_env_not_set",
+  "database_url_missing",
+  // W3 file-create recipes
+  "missing_error_boundary",
+  "missing_health_route",
+  "missing_loading_state",
+  "missing_404_page",
+  // W3 file-patch recipes
+  "missing_csp_header",
+  "missing_rate_limit",
+  "eslint_restricted_imports"
+  // NOTE: 'rls_disabled' is intentionally NOT here — it is provider-action only,
+  // canAutoApply=false, and should be classified as 'provider-action' by buildTaskList.
+]);
+function hasRecipe(gapId) {
+  if (KNOWN_RECIPE_GAP_IDS.has(gapId)) return true;
+  const lower = gapId.toLowerCase();
+  return lower.includes("empty") && lower.includes("catch");
 }
-function resolveNextAction(artifact) {
-  const unlocked = unlockedKeys(artifact);
-  const repoGap = sortGapsByPriority(artifact.gaps).find(
-    (gap) => unlocked.has(gap.primaryMapCategory)
-  );
-  if (repoGap) {
-    return {
-      type: "repo-fix",
-      title: repoGap.title,
-      detail: repoGap.detail,
-      command: `viberaven prompt --gap ${repoGap.id}`
-    };
+function gapToPlaybookProvider(gap2) {
+  const cat = gap2.primaryMapCategory.toLowerCase();
+  if (cat === "deployment") return "vercel";
+  if (cat === "payments") return "stripe";
+  if (cat === "auth") return "auth-supabase";
+  if (cat === "database") return "supabase";
+  const id = gap2.id.toLowerCase();
+  if (id.includes("vercel") || id.includes("deploy")) return "vercel";
+  if (id.includes("stripe") || id.includes("payment")) return "stripe";
+  if (id.includes("supabase") || id.includes("database") || id.includes("db")) return "supabase";
+  if (id.includes("auth")) return "auth-supabase";
+  return void 0;
+}
+function hasPlaybook(gap2) {
+  try {
+    const provider2 = gapToPlaybookProvider(gap2);
+    if (!provider2) return false;
+    return PLAYBOOK_PROVIDERS.includes(provider2);
+  } catch {
+    return false;
   }
-  const manual = collectManualChecks(artifact).find((item3) => unlocked.has(item3.mapCategory));
-  if (manual) {
-    const provider2 = mapCheckToPlaybook(manual.check);
-    let openUrl;
-    try {
-      const playbook = loadPlaybookSync(provider2);
-      openUrl = playbook.steps[0]?.openUrl;
-    } catch {
-      openUrl = void 0;
-    }
+}
+function buildProviderAction(gap2, provider2) {
+  try {
+    const playbook = loadPlaybookSync(provider2);
+    const step = playbook.steps[0];
+    if (!step) return void 0;
     return {
-      type: "provider-guide",
-      title: manual.check.label,
-      detail: manual.check.promptHint || `Configure ${manual.providerLabel} in the provider dashboard (${manual.areaLabel}).`,
       provider: provider2,
-      playbookStep: 1,
-      command: `viberaven guide ${provider2} --step 1`,
-      openUrl
-    };
-  }
-  const lockedGap = sortGapsByPriority(artifact.gaps).find(
-    (gap) => !unlocked.has(gap.primaryMapCategory)
-  );
-  if (lockedGap) {
-    const lane = lockedGap.primaryMapCategory;
-    return {
-      type: "upgrade",
-      title: lockedGap.title,
-      detail: `Free plan covers 6/12 mission map lanes. Upgrade to fix ${LOCKED_LANE_LABELS[lane] ?? lane}.`,
-      lockedLane: lane,
-      upgradeUrl: UPGRADE_URL
-    };
-  }
-  const lockedManual = collectManualChecks(artifact).find((item3) => !unlocked.has(item3.mapCategory));
-  if (lockedManual) {
-    const lane = lockedManual.mapCategory;
-    return {
-      type: "upgrade",
-      title: lockedManual.check.label,
-      detail: `This check is in the ${LOCKED_LANE_LABELS[lane] ?? lane} lane (Pro).`,
-      lockedLane: lane,
-      upgradeUrl: UPGRADE_URL
-    };
-  }
-  if (unlocked.size < 12) {
-    return {
-      type: "done",
-      title: "No blockers in unlocked lanes",
-      detail: "Run scan again after changes. Upgrade for deployment, monitoring, security, testing, and onboarding lanes.",
-      upgradeUrl: UPGRADE_URL
+      dashboardUrl: step.openUrl ?? `https://${provider2}.com`,
+      // PlaybookStep uses `instruction` — map to exactStep
+      exactStep: step.instruction,
+      envKeyName: envKeysForGap(gap2.id, provider2)[0],
+      envKeyExample: void 0,
+      // Use step title as the done signal
+      doneSignal: `${step.title} step completed`,
+      verifyCommand: PUBLIC_VERIFY_COMMAND
     };
+  } catch {
+    return void 0;
   }
-  return {
-    type: "done",
-    title: "No blockers found",
-    detail: "Re-scan after changes to confirm production readiness."
-  };
 }
-
-// src/report/agentSummary.ts
-var UPGRADE_URL2 = "https://viberaven.dev/pricing";
-var LOCKED_LANE_KEYS = [
-  "deployment",
-  "monitoring",
-  "security",
-  "testing",
-  "landing",
-  "errorHandling"
-];
-var SEVERITY_ORDER = {
-  critical: 0,
-  warning: 1,
-  info: 2
-};
-function sortGaps(gaps) {
-  return [...gaps].sort((a, b3) => {
-    const sev = SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b3.severity];
-    if (sev !== 0) {
-      return sev;
+function unlockedKeys(artifact) {
+  const keys = artifact.usage?.unlockedMapCategoryKeys ?? FREE_TRIAL_UNLOCKED_MAP_CATEGORY_KEYS;
+  return new Set(keys);
+}
+function buildTaskList(artifact) {
+  const unlocked = unlockedKeys(artifact);
+  const sorted = sortGapsByPriority(artifact.gaps);
+  return sorted.map((gap2, index) => {
+    const id = `TASK-${String(index + 1).padStart(3, "0")}`;
+    const isLocked = !unlocked.has(gap2.primaryMapCategory);
+    let fixType;
+    if (isLocked) {
+      fixType = "upgrade-required";
+    } else if (hasRecipe(gap2.id)) {
+      fixType = "repo-code";
+    } else if (hasPlaybook(gap2)) {
+      fixType = "provider-action";
+    } else {
+      fixType = "manual-verify";
     }
-    return a.title.localeCompare(b3.title);
+    const base = {
+      id,
+      gapId: gap2.id,
+      severity: gap2.severity,
+      fixType,
+      title: gap2.title,
+      verifyCommand: PUBLIC_VERIFY_COMMAND,
+      requiresUserAction: fixType !== "repo-code"
+    };
+    if (fixType === "repo-code") {
+      base.mcpTool = "viberaven_heal_apply";
+      base.mcpArgs = { gap: gap2.id, yes: true };
+      base.requiresUserAction = false;
+      if (gap2.copyPrompt) {
+        base.exactFix = gap2.copyPrompt.trim();
+      }
+    } else if (fixType === "provider-action") {
+      try {
+        const provider2 = gapToPlaybookProvider(gap2);
+        if (provider2) {
+          const pa = buildProviderAction(gap2, provider2);
+          if (pa) {
+            base.providerAction = pa;
+            base.action = pa.exactStep;
+          }
+        }
+      } catch {
+        base.fixType = "manual-verify";
+      }
+      base.requiresUserAction = true;
+    }
+    return base;
   });
 }
-function generateAgentSummary(artifact) {
-  const lines = [];
-  const topGaps = sortGaps(artifact.gaps).slice(0, 8);
-  lines.push("# VibeRaven agent summary", "");
-  lines.push(`Scanned: \`${artifact.workspacePath}\``);
-  lines.push(`At: ${artifact.scannedAt}`);
-  lines.push(
-    `Production core: **${artifact.productionCorePercent}%** \xB7 Model score: **${artifact.score}** (${artifact.scoreLabel})`
-  );
-  lines.push("");
-  const next = resolveNextAction(artifact);
-  lines.push("## Next action", "");
-  lines.push(`**${next.title}** \u2014 ${next.detail}`);
-  if (next.command) {
-    lines.push(`Command: \`${next.command}\``);
-  }
-  if (next.upgradeUrl) {
-    lines.push(`Upgrade: ${next.upgradeUrl}`);
+function buildTaskListMarkdown(tasks) {
+  if (tasks.length === 0) {
+    return "# VibeRaven Agent Tasklist\n\n_No gaps found \u2014 production core looks solid._\n";
   }
-  lines.push("");
-  const unlockedCount = artifact.usage?.unlockedMapCategoryKeys.length ?? 6;
-  if (unlockedCount < PRODUCTION_MAP_CATEGORY_KEYS_ALL.length) {
-    lines.push("## Locked lanes (Pro)", "");
-    lines.push(
-      "Free plan unlocks 6/12 mission map lanes. Pro unlocks deployment, monitoring, security, testing, onboarding, and error handling."
-    );
-    lines.push("");
-    for (const key of LOCKED_LANE_KEYS) {
-      lines.push(`- ${key}`);
+  const lines = ["# VibeRaven Agent Tasklist", ""];
+  for (const task of tasks) {
+    const severityLabel = task.severity.toUpperCase();
+    lines.push(`## ${task.id} \xB7 ${task.gapId} \xB7 ${severityLabel}`, "");
+    lines.push(`**Fix type:** ${task.fixType}  `);
+    if (task.file) {
+      lines.push(`**File:** \`${task.file}\`  `);
     }
-    lines.push("");
-    lines.push(`Upgrade: ${UPGRADE_URL2}`);
-    lines.push("");
-  }
-  lines.push("## Suggested stack", "");
-  lines.push(
-    "React + Tailwind + shadcn/ui + Supabase + Vercel (agent-default stack for lowest launch friction)"
-  );
-  lines.push("");
-  lines.push("## Summary");
-  lines.push(artifact.summary || "_No summary returned._");
-  lines.push("");
-  lines.push("## Mission map (repo wiring)");
-  lines.push("");
-  lines.push("| Area | Provider | Readiness | Notes |");
-  lines.push("|------|----------|-----------|-------|");
-  for (const area of artifact.missionGraph.areas ?? []) {
-    for (const mission of area.providerMissions) {
-      const failed = mission.checks.filter(
-        (c) => c.status === "missing" || c.status === "failed" || c.status === "needs-connection"
-      ).length;
-      const notes = failed > 0 ? `${failed} open check${failed === 1 ? "" : "s"}` : `${mission.readinessPercent}% repo checks`;
-      lines.push(
-        `| ${area.label} | ${mission.providerLabel} | ${mission.readinessPercent}% | ${notes} |`
-      );
+    if (task.action) {
+      lines.push(`**Action:** ${task.action}  `);
     }
-  }
-  lines.push("");
-  lines.push("## Agent-code actions");
-  if (topGaps.length === 0) {
-    lines.push("_No model gaps returned. Review mission map checks before changing code._");
-  } else {
-    topGaps.forEach((gap, index) => {
-      lines.push(
-        `${index + 1}. **${gap.title}** (\`${gap.id}\`, ${gap.severity}, map: \`${gap.primaryMapCategory}\`)`
-      );
-      lines.push(`   - ${gap.detail}`);
-      lines.push(`   - Command: \`viberaven prompt --gap ${gap.id}\``);
-      if (gap.copyPrompt) {
-        lines.push(`   - Prompt: ${gap.copyPrompt}`);
-      }
-    });
-  }
-  const manualChecks = (artifact.missionGraph.areas ?? []).flatMap(
-    (area) => area.providerMissions.flatMap(
-      (mission) => mission.checks.filter(
-        (check) => check.evidenceClass === "manual-dashboard" || check.evidenceClass === "mcp-verifier" || check.evidenceSource === "provider" || check.evidenceSource === "mcp" || check.status === "needs-connection" || check.status === "unknown"
-      ).map((check) => ({ area: area.label, provider: mission.providerLabel, check }))
-    )
-  );
-  lines.push("");
-  lines.push("## Human-provider actions");
-  if (manualChecks.length === 0) {
-    lines.push("_No manual provider actions were identified in this scan._");
-  } else {
-    manualChecks.slice(0, 8).forEach((item3, index) => {
-      lines.push(`${index + 1}. **${item3.check.label}** (${item3.area} / ${item3.provider})`);
+    if (task.exactFix) {
+      lines.push(`**Exact fix:** ${task.exactFix}  `);
+    } else {
+      lines.push(`**Exact fix:** No automated recipe \u2014 see scanner hint.  `);
+    }
+    lines.push(`**Verify:** \`${task.verifyCommand}\`  `);
+    if (task.mcpTool && task.mcpArgs) {
       lines.push(
-        `   - ${item3.check.promptHint || "Ask the user to confirm this in the provider dashboard or through read-only MCP."}`
+        `**MCP:** \`${task.mcpTool} ${JSON.stringify(task.mcpArgs)}\`  `
       );
-    });
-  }
-  lines.push("");
-  lines.push("Do not claim human-provider actions as repo-code fixes.");
-  lines.push("");
-  lines.push("## Agent workflow");
-  lines.push("1. Read `.viberaven/agent-tasklist.md` first for the production gate.");
-  lines.push("2. Read `.viberaven/launch-playbook.md` for the full checklist.");
-  lines.push("3. Run `viberaven next --json` - one action at a time.");
-  lines.push("4. Repo fix: `viberaven prompt --gap <id>` then implement.");
-  lines.push("5. Provider: `viberaven guide <provider> --step N` and `viberaven open <provider>`.");
-  lines.push(`6. Run \`${PUBLIC_VERIFY_COMMAND}\` to rescan and refresh \`.viberaven/agent-tasklist.md\`.`);
-  lines.push("");
-  if (artifact.usage) {
-    lines.push("## Account usage");
-    lines.push(
-      `- Plan: ${artifact.usage.plan} \xB7 Scans used: ${artifact.usage.used}/${artifact.usage.limit} (${artifact.usage.period})`
-    );
+    }
+    lines.push(`**Requires user action:** ${task.requiresUserAction}`);
+    if (task.providerAction) {
+      const pa = task.providerAction;
+      lines.push("");
+      lines.push("**Provider action:**");
+      lines.push(`- Provider: ${pa.provider}`);
+      lines.push(`- Dashboard: ${pa.dashboardUrl}`);
+      lines.push(`- Step: ${pa.exactStep}`);
+      if (pa.envKeyName) lines.push(`- Env key: \`${pa.envKeyName}\``);
+      if (pa.doneSignal) lines.push(`- Done when: ${pa.doneSignal}`);
+      if (pa.mcpAlternative) lines.push(`- MCP alternative: \`${pa.mcpAlternative}\``);
+    }
     lines.push("");
   }
   return `${lines.join("\n")}
 `;
 }
 
-// src/buildTaskList.ts
-var KNOWN_RECIPE_GAP_IDS = /* @__PURE__ */ new Set([
-  // emptyCatch (original recipe)
-  "empty-catch",
-  "empty_catch",
-  "emptyCatch",
-  // W3 env-add recipes
-  "auth_secret_missing",
-  "node_env_not_set",
-  "database_url_missing",
-  // W3 file-create recipes
-  "missing_error_boundary",
-  "missing_health_route",
-  "missing_loading_state",
-  "missing_404_page",
-  // W3 file-patch recipes
-  "missing_csp_header",
-  "missing_rate_limit",
-  "eslint_restricted_imports"
-  // NOTE: 'rls_disabled' is intentionally NOT here — it is provider-action only,
-  // canAutoApply=false, and should be classified as 'provider-action' by buildTaskList.
-]);
-function hasRecipe(gapId) {
-  if (KNOWN_RECIPE_GAP_IDS.has(gapId)) return true;
-  const lower = gapId.toLowerCase();
-  return lower.includes("empty") && lower.includes("catch");
+// src/sanitizeArtifact.ts
+var INLINE_SECRET_PATTERNS = [
+  /\b(sk_(?:live|test)_[A-Za-z0-9]{12,}|sk-proj-[A-Za-z0-9_-]{16,}|sk-[A-Za-z0-9_-]{20,})\b/g,
+  /\b(whsec_[A-Za-z0-9]{12,}|rk_(?:live|test)_[A-Za-z0-9]{12,})\b/g,
+  /\bghp_[A-Za-z0-9]{36,}\b/g,
+  /\bgithub_pat_[A-Za-z0-9_]{50,}\b/g,
+  /\bxox[bp]-[A-Za-z0-9-]{20,}\b/g,
+  /\bxapp-[A-Za-z0-9-]{20,}\b/g,
+  /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
+  /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g
+];
+var SENSITIVE_ENV_KEYS = /(?:^|_)(?:ACCESS_TOKEN|AUTHORIZATION|API_KEY|SECRET|SECRET_KEY|SERVICE_ROLE_KEY|TOKEN|PASSWORD|PRIVATE_KEY|CREDENTIALS?)(?:$|_)/i;
+function redactString(value) {
+  let out = value;
+  for (const pattern of INLINE_SECRET_PATTERNS) {
+    out = out.replace(pattern, pattern.source.includes("PRIVATE KEY") ? "[REDACTED_PRIVATE_KEY]" : "[REDACTED_SECRET]");
+  }
+  out = out.replace(/\bAuthorization\s*:\s*([A-Za-z][A-Za-z0-9._-]*)\s+[^\s;,]+/gi, "Authorization: $1 [REDACTED]");
+  return out.replace(
+    /\b([A-Za-z0-9_]*(?:ACCESS_TOKEN|AUTHORIZATION|API_KEY|SECRET|SECRET_KEY|SERVICE_ROLE_KEY|TOKEN|PASSWORD|PRIVATE_KEY|CREDENTIALS?)[A-Za-z0-9_]*)\s*=\s*["']?[^"'\s;,]+["']?/gi,
+    "$1=[REDACTED]"
+  );
 }
-function gapToPlaybookProvider(gap) {
-  const cat = gap.primaryMapCategory.toLowerCase();
-  if (cat === "deployment") return "vercel";
-  if (cat === "payments") return "stripe";
-  if (cat === "auth") return "auth-supabase";
-  if (cat === "database") return "supabase";
-  const id = gap.id.toLowerCase();
-  if (id.includes("vercel") || id.includes("deploy")) return "vercel";
-  if (id.includes("stripe") || id.includes("payment")) return "stripe";
-  if (id.includes("supabase") || id.includes("database") || id.includes("db")) return "supabase";
-  if (id.includes("auth")) return "auth-supabase";
-  return void 0;
+function redactUnknown(value) {
+  if (typeof value === "string") {
+    return redactString(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map(redactUnknown);
+  }
+  if (value && typeof value === "object") {
+    const record = value;
+    const next = {};
+    for (const [key, entry] of Object.entries(record)) {
+      if (SENSITIVE_ENV_KEYS.test(key)) {
+        next[key] = "[REDACTED]";
+      } else {
+        next[key] = redactUnknown(entry);
+      }
+    }
+    return next;
+  }
+  return value;
 }
-function hasPlaybook(gap) {
-  try {
-    const provider2 = gapToPlaybookProvider(gap);
-    if (!provider2) return false;
-    return PLAYBOOK_PROVIDERS.includes(provider2);
-  } catch {
+function sanitizeArtifactForDisk(artifact) {
+  return redactUnknown(artifact);
+}
+
+// src/risk/riskMapping.ts
+var OWASP = {
+  promptInjection: "LLM01:2025 Prompt Injection",
+  sensitiveDisclosure: "LLM06:2025 Sensitive Information Disclosure",
+  improperOutputHandling: "LLM05:2025 Improper Output Handling",
+  excessiveAgency: "LLM08:2025 Excessive Agency",
+  unboundedConsumption: "LLM10:2025 Unbounded Consumption"
+};
+var SAFECODE = {
+  dataProtection: "Data protection and least-data exposure",
+  callbackValidation: "Callback validation and message integrity",
+  leastPrivilege: "Least privilege and access control",
+  rateLimiting: "Rate limiting and quota enforcement",
+  outputValidation: "Output validation and encoding",
+  promptBoundary: "Prompt boundary validation"
+};
+function tokenize(text) {
+  return text.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
+}
+function hasKeyword(tokens, keyword) {
+  const keywordTokens = tokenize(keyword);
+  if (keywordTokens.length === 0) {
     return false;
   }
+  if (keywordTokens.length === 1) {
+    return tokens.includes(keywordTokens[0]);
+  }
+  const textPhrase = ` ${tokens.join(" ")} `;
+  const keywordPhrase = keywordTokens.join(" ");
+  return textPhrase.includes(` ${keywordPhrase} `);
+}
+function hasAny(tokens, keywords) {
+  return keywords.some((keyword) => hasKeyword(tokens, keyword));
+}
+function addUnique(values, value) {
+  if (!values.includes(value)) {
+    values.push(value);
+  }
+}
+function mapGapToRisk(gap2) {
+  const haystack = `${gap2.id} ${gap2.title} ${gap2.primaryMapCategory}`.toLowerCase();
+  const tokens = tokenize(haystack);
+  const owaspLlm = [];
+  const safecode = [];
+  if (hasAny(tokens, ["prompt injection", "prompt_injection", "jailbreak"])) {
+    addUnique(owaspLlm, OWASP.promptInjection);
+    addUnique(safecode, SAFECODE.promptBoundary);
+  }
+  if (hasAny(tokens, [
+    "rls",
+    "row level security",
+    "data exposure",
+    "sensitive information",
+    "sensitive info",
+    "secret exposure"
+  ])) {
+    addUnique(owaspLlm, OWASP.sensitiveDisclosure);
+    addUnique(safecode, SAFECODE.dataProtection);
+  }
+  if (hasAny(tokens, ["webhook", "callback"]) && hasAny(tokens, ["signature", "signing", "integrity", "payment", "stripe"])) {
+    addUnique(owaspLlm, OWASP.improperOutputHandling);
+    addUnique(safecode, SAFECODE.callbackValidation);
+  }
+  if (hasAny(tokens, ["auth", "access", "permission", "role", "privilege"])) {
+    addUnique(owaspLlm, OWASP.excessiveAgency);
+    addUnique(safecode, SAFECODE.leastPrivilege);
+  }
+  if (hasAny(tokens, ["rate limit", "rate_limit", "quota", "usage limit", "throttle"])) {
+    addUnique(owaspLlm, OWASP.unboundedConsumption);
+    addUnique(safecode, SAFECODE.rateLimiting);
+  }
+  if (hasAny(tokens, ["output handling", "output validation", "sanitize", "escaping", "encoding"])) {
+    addUnique(owaspLlm, OWASP.improperOutputHandling);
+    addUnique(safecode, SAFECODE.outputValidation);
+  }
+  return { owaspLlm, safecode };
 }
-function buildProviderAction(gap, provider2) {
-  try {
-    const playbook = loadPlaybookSync(provider2);
-    const step = playbook.steps[0];
-    if (!step) return void 0;
+
+// src/contracts/prp.ts
+function decisionFromGateStatus(status) {
+  if (status === "clear") return "CLEAR";
+  if (status === "warning") return "WARNING";
+  return "BLOCKED";
+}
+function actionContractFor(task) {
+  if (task.fixType === "repo-code") {
     return {
-      provider: provider2,
-      dashboardUrl: step.openUrl ?? `https://${provider2}.com`,
-      // PlaybookStep uses `instruction` — map to exactStep
-      exactStep: step.instruction,
-      // No envKeyName/envKeyExample in current PlaybookStep schema — leave undefined
-      envKeyName: void 0,
-      envKeyExample: void 0,
-      // Use step title as the done signal
-      doneSignal: `${step.title} step completed`,
-      verifyCommand: PUBLIC_VERIFY_COMMAND,
+      owner: "coding_agent",
+      actionClass: "local_repo_write",
+      command: healApplyGapCommand(task.gapId)
+    };
+  }
+  if (task.fixType === "provider-action") {
+    return {
+      owner: "human",
       actionClass: "manual_provider_step",
-      approvalRequired: true,
-      manualFallback: `Open ${step.openUrl ?? `https://${provider2}.com`} and complete: ${step.instruction}`,
-      copyValues: []
+      command: promptGapCommand(task.gapId)
     };
-  } catch {
-    return void 0;
   }
+  if (task.fixType === "upgrade-required") {
+    return {
+      owner: "human",
+      actionClass: "upgrade_required",
+      command: promptGapCommand(task.gapId)
+    };
+  }
+  if (task.fixType === "manual-verify") {
+    return {
+      owner: "human",
+      actionClass: "local_repo_read",
+      command: promptGapCommand(task.gapId)
+    };
+  }
+  return {
+    owner: "coding_agent",
+    actionClass: "local_repo_read",
+    command: promptGapCommand(task.gapId)
+  };
+}
+function nextActionFromTask(task) {
+  return {
+    id: task.id,
+    gapId: task.gapId,
+    severity: task.severity,
+    title: task.title,
+    fixType: task.fixType,
+    requiresUserAction: task.requiresUserAction,
+    verifyCommand: task.verifyCommand,
+    ...actionContractFor(task)
+  };
+}
+function generateProductionProtocol(artifact, options = {}) {
+  const safeArtifact = sanitizeArtifactForDisk(artifact);
+  const contextMap = generateContextMap(safeArtifact);
+  const tasks = buildTaskList(safeArtifact);
+  return {
+    $schema: "https://viberaven.dev/schemas/prp.schema.json",
+    schemaVersion: "v1",
+    generatedAt: safeArtifact.scannedAt,
+    mode: options.mode ?? "live",
+    decision: decisionFromGateStatus(contextMap.productionGate.status),
+    detectedStack: {
+      archetype: safeArtifact.archetype ?? null,
+      deployment: contextMap.stack.deployment,
+      database: contextMap.stack.database,
+      auth: contextMap.stack.auth,
+      payments: contextMap.stack.payments,
+      monitoring: contextMap.stack.monitoring
+    },
+    findings: safeArtifact.gaps.map((gap2) => ({
+      id: gap2.id,
+      severity: gap2.severity,
+      title: gap2.title,
+      area: String(gap2.primaryMapCategory),
+      riskMapping: mapGapToRisk(gap2)
+    })),
+    nextActions: tasks.map(nextActionFromTask),
+    connectedTools: options.connectedTools ?? {},
+    providerActionsRequired: tasks.some((task) => task.fixType === "provider-action"),
+    verifyCommand: PUBLIC_VERIFY_COMMAND,
+    agentInstructions: [
+      "Read .viberaven/agent-tasklist.md before making launch fixes.",
+      `Apply repo-code nextActions first, then run ${PUBLIC_VERIFY_COMMAND} once per batch.`,
+      "For human-owned actions, use the command to open the focused provider prompt and do not request secrets."
+    ]
+  };
+}
+
+// src/playbooks/checkMap.ts
+var CHECK_TO_PLAYBOOK = {
+  "vercel-deployment": "vercel",
+  "vercel-project": "vercel",
+  "supabase-project": "supabase",
+  "supabase-env": "supabase",
+  "stripe-webhook": "stripe",
+  "stripe-product": "stripe",
+  "stripe-keys": "stripe"
+};
+function mapCheckToPlaybook(check) {
+  if (CHECK_TO_PLAYBOOK[check.id]) {
+    return CHECK_TO_PLAYBOOK[check.id];
+  }
+  const providerKey = check.providerKey.toLowerCase();
+  if (providerKey.includes("vercel") || check.area === "deployment") {
+    return "vercel";
+  }
+  if (providerKey.includes("stripe") || check.area === "payments") {
+    return "stripe";
+  }
+  if (providerKey.includes("supabase") && check.area === "auth") {
+    return "auth-supabase";
+  }
+  if (providerKey.includes("supabase") || check.area === "database") {
+    return "supabase";
+  }
+  if (check.area === "auth") {
+    return "auth-supabase";
+  }
+  return "vercel";
+}
+
+// src/playbooks/manualChecks.ts
+function isManualProviderCheck(check) {
+  return check.evidenceClass === "manual-dashboard" || check.evidenceClass === "mcp-verifier" || check.evidenceSource === "provider" || check.evidenceSource === "mcp" || check.status === "needs-connection" || check.status === "unknown";
 }
+function collectManualChecks(artifact) {
+  const refs = [];
+  for (const area of artifact.missionGraph.areas ?? []) {
+    for (const mission of area.providerMissions) {
+      for (const check of mission.checks) {
+        if (!isManualProviderCheck(check)) {
+          continue;
+        }
+        refs.push({
+          areaLabel: area.label,
+          providerLabel: mission.providerLabel,
+          check,
+          mapCategory: area.key
+        });
+      }
+    }
+  }
+  return refs;
+}
+
+// src/resolveNextAction.ts
+var UPGRADE_URL = "https://viberaven.dev/pricing";
+var LOCKED_LANE_LABELS = {
+  deployment: "Deployment",
+  monitoring: "Monitoring / Analytics",
+  security: "Security",
+  testing: "Testing",
+  landing: "Onboarding",
+  errorHandling: "Error handling / observability"
+};
 function unlockedKeys2(artifact) {
   const keys = artifact.usage?.unlockedMapCategoryKeys ?? FREE_TRIAL_UNLOCKED_MAP_CATEGORY_KEYS;
   return new Set(keys);
 }
-function buildTaskList(artifact) {
+function resolveNextAction(artifact) {
   const unlocked = unlockedKeys2(artifact);
-  const sorted = sortGapsByPriority(artifact.gaps);
-  return sorted.map((gap, index) => {
-    const id = `TASK-${String(index + 1).padStart(3, "0")}`;
-    const isLocked = !unlocked.has(gap.primaryMapCategory);
-    let fixType;
-    if (isLocked) {
-      fixType = "upgrade-required";
-    } else if (hasRecipe(gap.id)) {
-      fixType = "repo-code";
-    } else if (hasPlaybook(gap)) {
-      fixType = "provider-action";
-    } else {
-      fixType = "manual-verify";
+  const repoGap = sortGapsByPriority(artifact.gaps).find(
+    (gap2) => unlocked.has(gap2.primaryMapCategory)
+  );
+  if (repoGap) {
+    return {
+      type: "repo-fix",
+      title: repoGap.title,
+      detail: repoGap.detail,
+      command: `viberaven prompt --gap ${repoGap.id}`
+    };
+  }
+  const manual = collectManualChecks(artifact).find((item3) => unlocked.has(item3.mapCategory));
+  if (manual) {
+    const provider2 = mapCheckToPlaybook(manual.check);
+    let openUrl;
+    try {
+      const playbook = loadPlaybookSync(provider2);
+      openUrl = playbook.steps[0]?.openUrl;
+    } catch {
+      openUrl = void 0;
     }
-    const base = {
-      id,
-      gapId: gap.id,
-      severity: gap.severity,
-      fixType,
-      title: gap.title,
-      verifyCommand: PUBLIC_VERIFY_COMMAND,
-      requiresUserAction: fixType !== "repo-code"
+    return {
+      type: "provider-guide",
+      title: manual.check.label,
+      detail: manual.check.promptHint || `Configure ${manual.providerLabel} in the provider dashboard (${manual.areaLabel}).`,
+      provider: provider2,
+      playbookStep: 1,
+      command: `viberaven guide ${provider2} --step 1`,
+      openUrl
     };
-    if (fixType === "repo-code") {
-      base.mcpTool = "viberaven_heal_apply";
-      base.mcpArgs = { gap: gap.id, yes: true };
-      base.requiresUserAction = false;
-      if (gap.copyPrompt) {
-        base.exactFix = gap.copyPrompt.trim();
-      }
-    } else if (fixType === "provider-action") {
-      try {
-        const provider2 = gapToPlaybookProvider(gap);
-        if (provider2) {
-          const pa = buildProviderAction(gap, provider2);
-          if (pa) {
-            base.providerAction = pa;
-            base.action = pa.exactStep;
-          }
-        }
-      } catch {
-        base.fixType = "manual-verify";
-      }
-      base.requiresUserAction = true;
+  }
+  const lockedGap = sortGapsByPriority(artifact.gaps).find(
+    (gap2) => !unlocked.has(gap2.primaryMapCategory)
+  );
+  if (lockedGap) {
+    const lane = lockedGap.primaryMapCategory;
+    return {
+      type: "upgrade",
+      title: lockedGap.title,
+      detail: `Free plan covers 6/12 mission map lanes. Upgrade to fix ${LOCKED_LANE_LABELS[lane] ?? lane}.`,
+      lockedLane: lane,
+      upgradeUrl: UPGRADE_URL
+    };
+  }
+  const lockedManual = collectManualChecks(artifact).find((item3) => !unlocked.has(item3.mapCategory));
+  if (lockedManual) {
+    const lane = lockedManual.mapCategory;
+    return {
+      type: "upgrade",
+      title: lockedManual.check.label,
+      detail: `This check is in the ${LOCKED_LANE_LABELS[lane] ?? lane} lane (Pro).`,
+      lockedLane: lane,
+      upgradeUrl: UPGRADE_URL
+    };
+  }
+  if (unlocked.size < 12) {
+    return {
+      type: "done",
+      title: "No blockers in unlocked lanes",
+      detail: "Run scan again after changes. Upgrade for deployment, monitoring, security, testing, and onboarding lanes.",
+      upgradeUrl: UPGRADE_URL
+    };
+  }
+  return {
+    type: "done",
+    title: "No blockers found",
+    detail: "Re-scan after changes to confirm production readiness."
+  };
+}
+
+// src/report/agentSummary.ts
+var UPGRADE_URL2 = "https://viberaven.dev/pricing";
+var LOCKED_LANE_KEYS = [
+  "deployment",
+  "monitoring",
+  "security",
+  "testing",
+  "landing",
+  "errorHandling"
+];
+var SEVERITY_ORDER = {
+  critical: 0,
+  warning: 1,
+  info: 2
+};
+function sortGaps(gaps) {
+  return [...gaps].sort((a, b3) => {
+    const sev = SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b3.severity];
+    if (sev !== 0) {
+      return sev;
     }
-    return base;
+    return a.title.localeCompare(b3.title);
   });
 }
-function buildTaskListMarkdown(tasks) {
-  if (tasks.length === 0) {
-    return "# VibeRaven Agent Tasklist\n\n_No gaps found \u2014 production core looks solid._\n";
+function generateAgentSummary(artifact) {
+  const lines = [];
+  const topGaps = sortGaps(artifact.gaps).slice(0, 8);
+  lines.push("# VibeRaven agent summary", "");
+  lines.push(`Scanned: \`${artifact.workspacePath}\``);
+  lines.push(`At: ${artifact.scannedAt}`);
+  lines.push(
+    `Production core: **${artifact.productionCorePercent}%** \xB7 Model score: **${artifact.score}** (${artifact.scoreLabel})`
+  );
+  lines.push("");
+  const next = resolveNextAction(artifact);
+  lines.push("## Next action", "");
+  lines.push(`**${next.title}** \u2014 ${next.detail}`);
+  if (next.command) {
+    lines.push(`Command: \`${next.command}\``);
   }
-  const lines = ["# VibeRaven Agent Tasklist", ""];
-  for (const task of tasks) {
-    const severityLabel = task.severity.toUpperCase();
-    lines.push(`## ${task.id} \xB7 ${task.gapId} \xB7 ${severityLabel}`, "");
-    lines.push(`**Fix type:** ${task.fixType}  `);
-    if (task.file) {
-      lines.push(`**File:** \`${task.file}\`  `);
-    }
-    if (task.action) {
-      lines.push(`**Action:** ${task.action}  `);
-    }
-    if (task.exactFix) {
-      lines.push(`**Exact fix:** ${task.exactFix}  `);
-    } else {
-      lines.push(`**Exact fix:** No automated recipe \u2014 see scanner hint.  `);
+  if (next.upgradeUrl) {
+    lines.push(`Upgrade: ${next.upgradeUrl}`);
+  }
+  lines.push("");
+  const unlockedCount = artifact.usage?.unlockedMapCategoryKeys.length ?? 6;
+  if (unlockedCount < PRODUCTION_MAP_CATEGORY_KEYS_ALL.length) {
+    lines.push("## Locked lanes (Pro)", "");
+    lines.push(
+      "Free plan unlocks 6/12 mission map lanes. Pro unlocks deployment, monitoring, security, testing, onboarding, and error handling."
+    );
+    lines.push("");
+    for (const key of LOCKED_LANE_KEYS) {
+      lines.push(`- ${key}`);
     }
-    lines.push(`**Verify:** \`${task.verifyCommand}\`  `);
-    if (task.mcpTool && task.mcpArgs) {
+    lines.push("");
+    lines.push(`Upgrade: ${UPGRADE_URL2}`);
+    lines.push("");
+  }
+  lines.push("## Suggested stack", "");
+  lines.push(
+    "React + Tailwind + shadcn/ui + Supabase + Vercel (agent-default stack for lowest launch friction)"
+  );
+  lines.push("");
+  lines.push("## Summary");
+  lines.push(artifact.summary || "_No summary returned._");
+  lines.push("");
+  lines.push("## Mission map (repo wiring)");
+  lines.push("");
+  lines.push("| Area | Provider | Readiness | Notes |");
+  lines.push("|------|----------|-----------|-------|");
+  for (const area of artifact.missionGraph.areas ?? []) {
+    for (const mission of area.providerMissions) {
+      const failed = mission.checks.filter(
+        (c) => c.status === "missing" || c.status === "failed" || c.status === "needs-connection"
+      ).length;
+      const notes = failed > 0 ? `${failed} open check${failed === 1 ? "" : "s"}` : `${mission.readinessPercent}% repo checks`;
       lines.push(
-        `**MCP:** \`${task.mcpTool} ${JSON.stringify(task.mcpArgs)}\`  `
+        `| ${area.label} | ${mission.providerLabel} | ${mission.readinessPercent}% | ${notes} |`
       );
     }
-    lines.push(`**Requires user action:** ${task.requiresUserAction}`);
-    if (task.providerAction) {
-      const pa = task.providerAction;
-      lines.push("");
-      lines.push("**Provider action:**");
-      lines.push(`- Provider: ${pa.provider}`);
-      lines.push(`- Dashboard: ${pa.dashboardUrl}`);
-      lines.push(`- Step: ${pa.exactStep}`);
-      if (pa.envKeyName) lines.push(`- Env key: \`${pa.envKeyName}\``);
-      if (pa.doneSignal) lines.push(`- Done when: ${pa.doneSignal}`);
-      if (pa.mcpAlternative) lines.push(`- MCP alternative: \`${pa.mcpAlternative}\``);
-    }
+  }
+  lines.push("");
+  lines.push("## Agent-code actions");
+  if (topGaps.length === 0) {
+    lines.push("_No model gaps returned. Review mission map checks before changing code._");
+  } else {
+    topGaps.forEach((gap2, index) => {
+      lines.push(
+        `${index + 1}. **${gap2.title}** (\`${gap2.id}\`, ${gap2.severity}, map: \`${gap2.primaryMapCategory}\`)`
+      );
+      lines.push(`   - ${gap2.detail}`);
+      lines.push(`   - Command: \`viberaven prompt --gap ${gap2.id}\``);
+      if (gap2.copyPrompt) {
+        lines.push(`   - Prompt: ${gap2.copyPrompt}`);
+      }
+    });
+  }
+  const manualChecks = (artifact.missionGraph.areas ?? []).flatMap(
+    (area) => area.providerMissions.flatMap(
+      (mission) => mission.checks.filter(
+        (check) => check.evidenceClass === "manual-dashboard" || check.evidenceClass === "mcp-verifier" || check.evidenceSource === "provider" || check.evidenceSource === "mcp" || check.status === "needs-connection" || check.status === "unknown"
+      ).map((check) => ({ area: area.label, provider: mission.providerLabel, check }))
+    )
+  );
+  lines.push("");
+  lines.push("## Human-provider actions");
+  if (manualChecks.length === 0) {
+    lines.push("_No manual provider actions were identified in this scan._");
+  } else {
+    manualChecks.slice(0, 8).forEach((item3, index) => {
+      lines.push(`${index + 1}. **${item3.check.label}** (${item3.area} / ${item3.provider})`);
+      lines.push(
+        `   - ${item3.check.promptHint || "Ask the user to confirm this in the provider dashboard or through read-only MCP."}`
+      );
+    });
+  }
+  lines.push("");
+  lines.push("Do not claim human-provider actions as repo-code fixes.");
+  lines.push("");
+  lines.push("## Agent workflow");
+  lines.push("1. Read `.viberaven/agent-tasklist.md` first for the production gate.");
+  lines.push("2. Read `.viberaven/launch-playbook.md` for the full checklist.");
+  lines.push("3. Run `viberaven next --json` - one action at a time.");
+  lines.push("4. Repo fix: `viberaven prompt --gap <id>` then implement.");
+  lines.push("5. Provider: `viberaven guide <provider> --step N` and `viberaven open <provider>`.");
+  lines.push(`6. Run \`${PUBLIC_VERIFY_COMMAND}\` to rescan and refresh \`.viberaven/agent-tasklist.md\`.`);
+  lines.push("");
+  if (artifact.usage) {
+    lines.push("## Account usage");
+    lines.push(
+      `- Plan: ${artifact.usage.plan} \xB7 Scans used: ${artifact.usage.used}/${artifact.usage.limit} (${artifact.usage.period})`
+    );
     lines.push("");
   }
   return `${lines.join("\n")}
@@ -8974,13 +9219,13 @@ function generateLaunchPlaybook(artifact) {
   lines.push(`Generated from scan at ${artifact.scannedAt}. Work top to bottom.`, "");
   lines.push("## Repo fixes (agent code)", "");
   const repoGaps = sortGapsByPriority(artifact.gaps).filter(
-    (gap) => unlocked.has(gap.primaryMapCategory)
+    (gap2) => unlocked.has(gap2.primaryMapCategory)
   );
   if (repoGaps.length === 0) {
     lines.push("_No repo-code gaps in unlocked lanes._", "");
   } else {
-    for (const gap of repoGaps) {
-      lines.push(`- [ ] ${gap.title} \u2014 \`viberaven prompt --gap ${gap.id}\``);
+    for (const gap2 of repoGaps) {
+      lines.push(`- [ ] ${gap2.title} \u2014 \`viberaven prompt --gap ${gap2.id}\``);
     }
     lines.push("");
   }
@@ -9000,14 +9245,14 @@ function generateLaunchPlaybook(artifact) {
   if (!isPro) {
     lines.push("## [Pro] Deployment, monitoring, and full map", "");
     const proGaps = sortGapsByPriority(artifact.gaps).filter(
-      (gap) => !unlocked.has(gap.primaryMapCategory)
+      (gap2) => !unlocked.has(gap2.primaryMapCategory)
     );
     const proManuals = collectManualChecks(artifact).filter((item3) => !unlocked.has(item3.mapCategory));
     if (proGaps.length === 0 && proManuals.length === 0) {
       lines.push("_No Pro-only blockers detected._", "");
     } else {
-      for (const gap of proGaps.slice(0, 6)) {
-        lines.push(`- [ ] ${gap.title} [Pro] \u2014 upgrade at ${UPGRADE_URL3}`);
+      for (const gap2 of proGaps.slice(0, 6)) {
+        lines.push(`- [ ] ${gap2.title} [Pro] \u2014 upgrade at ${UPGRADE_URL3}`);
       }
       for (const item3 of proManuals.slice(0, 6)) {
         lines.push(`- [ ] ${item3.check.label} [Pro] \u2014 upgrade at ${UPGRADE_URL3}`);
@@ -9132,6 +9377,21 @@ function getStationHtml(nonce, cssUri, jsUri, options) {
                 </div>
               </header>
 
+              <section class="studio-launch-hero" aria-label="VibeRaven readiness">
+                <div class="studio-launch-hero__main">
+                  <p class="studio-launch-hero__wordmark">VibeRaven</p>
+                  <div class="studio-launch-hero__decision" id="studio-launch-decision">\u25C7 BLOCKED</div>
+                  <div class="studio-launch-hero__gauge" aria-hidden="true">
+                    <span id="studio-launch-gauge-fill" class="studio-launch-hero__gauge-fill" style="width:25%"></span>
+                  </div>
+                </div>
+                <div class="studio-launch-hero__next">
+                  <span class="studio-launch-hero__next-label">Next action</span>
+                  <strong id="studio-launch-next-action">Run a scan to map production gaps.</strong>
+                  <button type="button" class="studio-launch-hero__verify" data-station-action="rescan">Run verify</button>
+                </div>
+              </section>
+
               <div class="studio-workspace">
                 <nav class="studio-nav-rail" aria-label="Studio areas">
                   <span class="studio-nav-rail__item studio-nav-rail__item--active" aria-label="Architecture">ARCH</span>
@@ -9363,227 +9623,28 @@ var REPORT_ASSET_FILES = [
   "assets/provider-logrocket.svg"
 ];
 
-// src/sanitizeArtifact.ts
-var INLINE_SECRET_PATTERNS = [
-  /\b(sk_(?:live|test)_[A-Za-z0-9]{12,}|sk-proj-[A-Za-z0-9_-]{16,}|sk-[A-Za-z0-9_-]{20,})\b/g,
-  /\b(whsec_[A-Za-z0-9]{12,}|rk_(?:live|test)_[A-Za-z0-9]{12,})\b/g,
-  /\bghp_[A-Za-z0-9]{36,}\b/g,
-  /\bgithub_pat_[A-Za-z0-9_]{50,}\b/g,
-  /\bxox[bp]-[A-Za-z0-9-]{20,}\b/g,
-  /\bxapp-[A-Za-z0-9-]{20,}\b/g,
-  /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
-  /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g
-];
-var SENSITIVE_ENV_KEYS = /(?:^|_)(?:ACCESS_TOKEN|AUTHORIZATION|API_KEY|SECRET|SECRET_KEY|SERVICE_ROLE_KEY|TOKEN|PASSWORD|PRIVATE_KEY|CREDENTIALS?)(?:$|_)/i;
-function redactString(value) {
-  let out = value;
-  for (const pattern of INLINE_SECRET_PATTERNS) {
-    out = out.replace(pattern, pattern.source.includes("PRIVATE KEY") ? "[REDACTED_PRIVATE_KEY]" : "[REDACTED_SECRET]");
-  }
-  out = out.replace(/\bAuthorization\s*:\s*([A-Za-z][A-Za-z0-9._-]*)\s+[^\s;,]+/gi, "Authorization: $1 [REDACTED]");
-  return out.replace(
-    /\b([A-Za-z0-9_]*(?:ACCESS_TOKEN|AUTHORIZATION|API_KEY|SECRET|SECRET_KEY|SERVICE_ROLE_KEY|TOKEN|PASSWORD|PRIVATE_KEY|CREDENTIALS?)[A-Za-z0-9_]*)\s*=\s*["']?[^"'\s;,]+["']?/gi,
-    "$1=[REDACTED]"
-  );
-}
-function redactUnknown(value) {
-  if (typeof value === "string") {
-    return redactString(value);
-  }
-  if (Array.isArray(value)) {
-    return value.map(redactUnknown);
-  }
-  if (value && typeof value === "object") {
-    const record = value;
-    const next = {};
-    for (const [key, entry] of Object.entries(record)) {
-      if (SENSITIVE_ENV_KEYS.test(key)) {
-        next[key] = "[REDACTED]";
-      } else {
-        next[key] = redactUnknown(entry);
-      }
-    }
-    return next;
-  }
-  return value;
-}
-function sanitizeArtifactForDisk(artifact) {
-  return redactUnknown(artifact);
-}
-
-// src/version.ts
-var VERSION = "1.1.0";
-
-// src/prp/buildPrp.ts
-var import_node_path8 = require("node:path");
-
-// src/prp/types.ts
-var PRP_SCHEMA_URL = "https://schemas.viberaven.dev/prp/v0.1/schema.json";
-var PRP_PROTOCOL = "viberaven-production-protocol";
-var PRP_PROTOCOL_VERSION = "0.1.0";
-
-// src/prp/buildPrp.ts
-var ONE_DAY_MS = 24 * 60 * 60 * 1e3;
-var REDACTED = "<redacted>";
-var SENSITIVE_JSON_KEY_PATTERN = /secret|token|api[_-]?key|apikey|password|private[_-]?key|database[_-]?url|connection[_-]?string|service[_-]?role|role[_-]?key/i;
-function buildProductionProtocolReport(options) {
-  const profile = options.profile ?? "launch";
-  const generatedAt = options.artifact.scannedAt;
-  const expiresAt = new Date(new Date(generatedAt).getTime() + ONE_DAY_MS).toISOString();
-  const evidence = buildEvidence(options.artifact);
-  const nextActions = buildNextActions(options.tasks);
-  const findings = buildFindings(options.artifact, nextActions);
-  return {
-    $schema: PRP_SCHEMA_URL,
-    protocol: PRP_PROTOCOL,
-    protocolVersion: PRP_PROTOCOL_VERSION,
-    producer: {
-      name: "viberaven",
-      version: options.producerVersion
-    },
-    subject: {
-      projectName: sanitizePrpText((0, import_node_path8.basename)(options.artifact.workspacePath) || "workspace"),
-      framework: sanitizePrpText(options.artifact.archetype || "unknown"),
-      packageManager: "unknown",
-      deploymentTarget: sanitizePrpText(options.artifact.selectedProviders?.deployment ?? "unknown"),
-      environment: "production"
-    },
-    profile,
-    decision: {
-      status: resolveDecisionStatus(options.artifact),
-      generatedAt,
-      expiresAt,
-      summary: summarizeDecision(options.artifact)
-    },
-    findings,
-    evidence,
-    nextActions,
-    agentInstructions: {
-      mustRead: [".viberaven/prp.json", ".viberaven/mission-map.md", ".viberaven/context-map.json"],
-      doNotDeployUntil: [
-        "decision.status is not blocked",
-        "critical nextActions are resolved or explicitly accepted"
-      ]
-    }
-  };
-}
-function resolveDecisionStatus(artifact) {
-  if (artifact.gaps.some((gap) => gap.severity === "critical")) return "blocked";
-  if (artifact.gaps.some((gap) => gap.severity === "warning")) return "warning";
-  return "clear";
-}
-function summarizeDecision(artifact) {
-  const critical = artifact.gaps.filter((gap) => gap.severity === "critical").length;
-  const warning = artifact.gaps.filter((gap) => gap.severity === "warning").length;
-  if (critical > 0) return `${critical} production blocker${critical === 1 ? "" : "s"} found`;
-  if (warning > 0) return `${warning} production warning${warning === 1 ? "" : "s"} found`;
-  return "No production blockers found";
-}
-function buildEvidence(artifact) {
-  return artifact.gaps.map((gap) => {
-    const gapId = safePrpId(gap.id);
-    return {
-      id: `evidence.${gapId}.repo`,
-      kind: "repo",
-      status: evidenceStatusForGapSeverity(gap.severity),
-      source: sanitizePrpText(String(gap.file ?? gap.primaryMapCategory ?? "repo")),
-      summary: sanitizePrpText(gap.detail || gap.title || gap.id)
-    };
-  });
-}
-function evidenceStatusForGapSeverity(severity) {
-  if (severity === "critical" || severity === "warning") return "missing";
-  return "inconclusive";
-}
-function buildFindings(artifact, nextActions) {
-  return artifact.gaps.map((gap) => {
-    const gapId = safePrpId(gap.id);
-    return {
-      id: gapId,
-      severity: gap.severity,
-      category: sanitizePrpText(String(gap.primaryMapCategory ?? "unknown")),
-      summary: sanitizePrpText(gap.title || gap.id),
-      evidenceRefs: [`evidence.${gapId}.repo`],
-      nextActionRefs: nextActions.some((action) => action.gapId === sanitizePrpText(gap.id)) ? [`action.${gapId}`] : []
-    };
-  });
-}
-function buildNextActions(tasks) {
-  return tasks.map((task) => ({
-    id: `action.${safePrpId(task.gapId)}`,
-    title: sanitizePrpText(task.title),
-    actionClass: actionClassForTask(task),
-    requiresUserAction: task.requiresUserAction,
-    approvalRequired: task.requiresUserAction,
-    verifyCommand: sanitizePrpText(task.verifyCommand || PUBLIC_VERIFY_COMMAND),
-    gapId: sanitizePrpText(task.gapId),
-    provider: sanitizeOptionalPrpText(task.providerAction?.provider),
-    dashboardUrl: sanitizeOptionalPrpText(task.providerAction?.dashboardUrl),
-    manualFallback: sanitizeOptionalPrpText(task.providerAction?.exactStep ?? task.action),
-    mcpTool: sanitizeOptionalPrpText(task.mcpTool),
-    mcpArgs: sanitizePrpJsonObject(task.mcpArgs)
-  }));
-}
-function actionClassForTask(task) {
-  if (task.fixType === "repo-code") return "local_repo_write";
-  if (task.fixType === "provider-action") return "manual_provider_step";
-  if (task.fixType === "manual-verify") return "local_repo_read";
-  return "manual_provider_step";
-}
-function safeId(value) {
-  return value.trim().toLowerCase().replace(/[^a-z0-9]+/g, "_").replace(/^_+|_+$/g, "") || "unknown";
-}
-function safePrpId(value) {
-  return safeId(sanitizePrpText(value));
-}
-function sanitizeOptionalPrpText(value) {
-  return value === void 0 ? void 0 : sanitizePrpText(value);
-}
-function sanitizePrpJsonObject(value) {
-  return value === void 0 ? void 0 : sanitizePrpJsonValue(value);
-}
-function sanitizePrpJsonValue(value) {
-  if (typeof value === "string") return sanitizePrpText(value);
-  if (Array.isArray(value)) return value.map((item3) => sanitizePrpJsonValue(item3));
-  if (value && typeof value === "object") {
-    return Object.fromEntries(
-      Object.entries(value).map(([key, item3]) => [
-        sanitizePrpText(key),
-        SENSITIVE_JSON_KEY_PATTERN.test(key) ? REDACTED : sanitizePrpJsonValue(item3)
-      ])
-    );
-  }
-  return value;
-}
-function sanitizePrpText(value) {
-  return value.replace(/-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g, REDACTED).replace(/\b[a-z][a-z0-9+.-]*:\/\/[^\s/@]+:[^\s/@]+@[^\s,;)]+/gi, REDACTED).replace(/\b(?:postgres(?:ql)?|mongodb(?:\+srv)?|redis(?:s)?|mysql|mariadb):\/\/[^\s/@:]+:[^\s/@]+@[^\s,;)]+/gi, REDACTED).replace(/\b(?:redis(?:s)?):\/\/:[^\s/@]+@[^\s,;)]+/gi, REDACTED).replace(
-    /\b([A-Za-z_][A-Za-z0-9_]*(?:SECRET|TOKEN|PASSWORD|PRIVATE[_-]?KEY|API[_-]?KEY|APIKEY|SERVICE[_-]?ROLE|DATABASE[_-]?URL|CONNECTION[_-]?STRING)[A-Za-z0-9_]*)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s,;]+)/gi,
-    `$1=${REDACTED}`
-  ).replace(/\bBearer\s+[A-Za-z0-9._~+/=-]{8,}/gi, `Bearer ${REDACTED}`).replace(/(^|[^A-Za-z0-9])whsec_[A-Za-z0-9_]+/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])sk_(live|test)_[A-Za-z0-9_]+/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])pk_(live|test)_[A-Za-z0-9_]+/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])sk-(?:proj-)?[A-Za-z0-9_-]{8,}/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])gh[oprsu]_[A-Za-z0-9_]{16,}/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])github_pat_[A-Za-z0-9_]{16,}/g, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9])(sb|supabase|vercel|stripe)_[A-Za-z0-9_]*\d[A-Za-z0-9_]{15,}/gi, `$1${REDACTED}`).replace(/(^|[^A-Za-z0-9_-])[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}(?=$|[^A-Za-z0-9_-])/g, `$1${REDACTED}`).replace(/\b[A-Za-z0-9+/]{32,}={0,2}\b/g, REDACTED);
-}
-
 // src/artifacts.ts
 async function copyReportAssets(reportAssetsDir) {
   const sourceDir = getBundledReportAssetsDir();
-  await (0, import_promises5.mkdir)((0, import_node_path9.join)(reportAssetsDir, "assets"), { recursive: true });
+  await (0, import_promises5.mkdir)((0, import_node_path8.join)(reportAssetsDir, "assets"), { recursive: true });
   for (const rel of REPORT_ASSET_FILES) {
-    await (0, import_promises5.copyFile)((0, import_node_path9.join)(sourceDir, rel), (0, import_node_path9.join)(reportAssetsDir, rel));
+    await (0, import_promises5.copyFile)((0, import_node_path8.join)(sourceDir, rel), (0, import_node_path8.join)(reportAssetsDir, rel));
   }
 }
 async function writeScanArtifacts(options) {
   const cwd = options.cwd ?? options.artifact.workspacePath;
   const dir = getProjectArtifactsDir(cwd);
   await (0, import_promises5.mkdir)(dir, { recursive: true });
-  const jsonPath = (0, import_node_path9.join)(dir, "last-scan.json");
-  const gateResultPath = (0, import_node_path9.join)(dir, "gate-result.json");
-  const contextMapPath = (0, import_node_path9.join)(dir, "context-map.json");
-  const gapsDir = (0, import_node_path9.join)(dir, "gaps");
-  const prpPath = (0, import_node_path9.join)(dir, "prp.json");
-  const tasklistPath = (0, import_node_path9.join)(dir, "agent-tasklist.md");
-  const summaryPath = (0, import_node_path9.join)(dir, "agent-summary.md");
-  const playbookPath = (0, import_node_path9.join)(dir, "launch-playbook.md");
-  const reportPath = (0, import_node_path9.join)(dir, "report.html");
-  const reportAssetsDir = (0, import_node_path9.join)(dir, "report");
+  const jsonPath = (0, import_node_path8.join)(dir, "last-scan.json");
+  const gateResultPath = (0, import_node_path8.join)(dir, "gate-result.json");
+  const contextMapPath = (0, import_node_path8.join)(dir, "context-map.json");
+  const prpPath = (0, import_node_path8.join)(dir, "prp.json");
+  const gapsDir = (0, import_node_path8.join)(dir, "gaps");
+  const tasklistPath = (0, import_node_path8.join)(dir, "agent-tasklist.md");
+  const summaryPath = (0, import_node_path8.join)(dir, "agent-summary.md");
+  const playbookPath = (0, import_node_path8.join)(dir, "launch-playbook.md");
+  const reportPath = (0, import_node_path8.join)(dir, "report.html");
+  const reportAssetsDir = (0, import_node_path8.join)(dir, "report");
   await (0, import_promises5.mkdir)(gapsDir, { recursive: true });
   const safe = sanitizeArtifactForDisk(options.artifact);
   const json = `${JSON.stringify(safe, null, 2)}
@@ -9593,25 +9654,25 @@ async function writeScanArtifacts(options) {
   const html = generateReportHtml(safe);
   const tasks = buildTaskList(safe);
   const tasklist = buildTaskListMarkdown(tasks);
-  const prp = `${JSON.stringify(buildProductionProtocolReport({
-    artifact: safe,
-    tasks,
-    producerVersion: VERSION
-  }), null, 2)}
-`;
   const gateResult = `${JSON.stringify(generateGateResult(safe), null, 2)}
 `;
   const contextMap = `${JSON.stringify(generateContextMap(safe), null, 2)}
+`;
+  const prp = `${JSON.stringify(
+    generateProductionProtocol(safe, { connectedTools: options.connectedTools, mode: options.prpMode }),
+    null,
+    2
+  )}
 `;
   const gapEvidenceFiles = generateGapEvidenceFiles(safe);
   await copyReportAssets(reportAssetsDir);
   await (0, import_promises5.writeFile)(gateResultPath, gateResult, "utf-8");
   await (0, import_promises5.writeFile)(contextMapPath, contextMap, "utf-8");
-  for (const gap of gapEvidenceFiles) {
-    await (0, import_promises5.writeFile)((0, import_node_path9.join)(dir, "gaps", `${gap.content.id}.json`), `${JSON.stringify(gap.content, null, 2)}
+  await (0, import_promises5.writeFile)(prpPath, prp, "utf-8");
+  for (const gap2 of gapEvidenceFiles) {
+    await (0, import_promises5.writeFile)((0, import_node_path8.join)(dir, "gaps", `${gap2.content.id}.json`), `${JSON.stringify(gap2.content, null, 2)}
 `, "utf-8");
   }
-  await (0, import_promises5.writeFile)(prpPath, prp, "utf-8");
   await (0, import_promises5.writeFile)(tasklistPath, tasklist, "utf-8");
   await (0, import_promises5.writeFile)(jsonPath, json, "utf-8");
   await (0, import_promises5.writeFile)(summaryPath, summary, "utf-8");
@@ -9622,8 +9683,8 @@ async function writeScanArtifacts(options) {
     jsonPath,
     gateResultPath,
     contextMapPath,
-    gapsDir,
     prpPath,
+    gapsDir,
     tasklistPath,
     summaryPath,
     playbookPath,
@@ -9659,28 +9720,6 @@ function renderJsonlEvents(result) {
 `;
 }
 
-// src/output/prpSummary.ts
-function renderProductionProtocolSummary(prp) {
-  const nextAction = prp.nextActions[0];
-  const lines = [
-    "",
-    "VibeRaven Production Protocol",
-    "",
-    `Profile: ${prp.profile}`,
-    `Decision: ${prp.decision.status.toUpperCase()}`,
-    "Canonical artifact: .viberaven/prp.json",
-    ""
-  ];
-  if (nextAction) {
-    lines.push("Next action:", nextAction.title, "");
-    lines.push("Why:", prp.decision.summary);
-  } else {
-    lines.push("Next action:", "No production blockers found.", "");
-    lines.push("Why:", prp.decision.summary);
-  }
-  return lines.join("\n");
-}
-
 // src/commands/strictGate.ts
 function exitCodeForStrictGate(result, options = {}) {
   if (result.gate.status === "error") return 2;
@@ -9840,10 +9879,10 @@ function printScanSummary(artifact, paths) {
     const modelGaps = artifact.gaps.filter((g2) => g2.primaryMapCategory === area.key).length;
     const tag = modelGaps > 0 ? `  GAP ${modelGaps}` : open > 0 ? `  ${open} fix` : "";
     const tagColored = tag ? gapTagColor(modelGaps, open)(tag) : "";
-    const label = area.label.padEnd(18);
+    const label2 = area.label.padEnd(18);
     const provider2 = mission.providerLabel.padEnd(14);
     const readiness = readinessColor(mission.readinessPercent)(`${mission.readinessPercent}%`);
-    console.log(`  ${import_picocolors.default.dim(label)} ${provider2} ${readiness}${tagColored}`);
+    console.log(`  ${import_picocolors.default.dim(label2)} ${provider2} ${readiness}${tagColored}`);
   }
   console.log("");
   console.log(import_picocolors.default.bold("Artifacts:"));
@@ -9891,7 +9930,7 @@ function printScanSummary(artifact, paths) {
 
 // src/runnerConnect.ts
 var import_promises6 = require("node:fs/promises");
-var import_node_path10 = require("node:path");
+var import_node_path9 = require("node:path");
 var import_node_child_process3 = require("node:child_process");
 var import_node_crypto = require("node:crypto");
 
@@ -9970,8 +10009,8 @@ function validateSafeFixJobInput(kind, rawInput) {
     }
   };
 }
-function validateSafeFixRelativePath(path) {
-  const trimmed = path.trim();
+function validateSafeFixRelativePath(path3) {
+  const trimmed = path3.trim();
   if (!trimmed) {
     return { ok: false, reason: "Safe fix path must not be empty." };
   }
@@ -9986,11 +10025,11 @@ function validateSafeFixRelativePath(path) {
   if (segments.some((segment) => segment === ".git" || segment === "node_modules")) {
     return { ok: false, reason: "Safe fix path targets a blocked directory." };
   }
-  const basename4 = segments.at(-1)?.toLowerCase() ?? "";
-  if (basename4 !== ".env.example" && (basename4 === ".env" || basename4.startsWith(".env."))) {
+  const basename3 = segments.at(-1)?.toLowerCase() ?? "";
+  if (basename3 !== ".env.example" && (basename3 === ".env" || basename3.startsWith(".env."))) {
     return { ok: false, reason: "Safe fix path targets an environment secret file." };
   }
-  if (isSecretLikeFilename(basename4)) {
+  if (isSecretLikeFilename(basename3)) {
     return { ok: false, reason: "Safe fix path targets a secret-like file." };
   }
   if (!isAllowedSafeFixPath(normalized)) {
@@ -10013,11 +10052,11 @@ var SECRET_VALUE_PATTERNS = [
   /\bwhsec_[A-Za-z0-9]{12,}\b/,
   /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/
 ];
-function isAllowedSafeFixPath(path) {
-  if (path === ".env.example") {
+function isAllowedSafeFixPath(path3) {
+  if (path3 === ".env.example") {
     return true;
   }
-  const segments = path.split("/");
+  const segments = path3.split("/");
   if (segments.length !== 2) {
     return false;
   }
@@ -10239,7 +10278,7 @@ async function createSafeFixFile(job, input, targetPath) {
   } catch {
   }
   try {
-    await (0, import_promises6.mkdir)((0, import_node_path10.dirname)(targetPath), { recursive: true });
+    await (0, import_promises6.mkdir)((0, import_node_path9.dirname)(targetPath), { recursive: true });
     await writeNewFileAtomically(targetPath, input.content);
   } catch {
     return safeFixNeedsUser(job, "SAFE_FIX_WRITE_FAILED", `Could not create ${input.path}.`);
@@ -10307,12 +10346,12 @@ function safeFixNeedsUser(job, code, message) {
   };
 }
 async function resolveSafeFixTarget(workspaceRoot, relativePath) {
-  const root = await (0, import_promises6.realpath)(workspaceRoot).catch(() => (0, import_node_path10.resolve)(workspaceRoot));
-  const target = (0, import_node_path10.resolve)(root, relativePath);
+  const root = await (0, import_promises6.realpath)(workspaceRoot).catch(() => (0, import_node_path9.resolve)(workspaceRoot));
+  const target = (0, import_node_path9.resolve)(root, relativePath);
   if (!isInsideRoot(root, target)) {
     return { ok: false, reason: "Safe fix target escaped the workspace root." };
   }
-  const parent = (0, import_node_path10.dirname)(target);
+  const parent = (0, import_node_path9.dirname)(target);
   const parentReal = await realpathNearestExisting(parent, root);
   if (!isInsideRoot(root, parentReal)) {
     return { ok: false, reason: "Safe fix parent path escaped the workspace root." };
@@ -10323,14 +10362,14 @@ async function resolveSafeFixTarget(workspaceRoot, relativePath) {
   }
   return { ok: true, path: target };
 }
-async function realpathNearestExisting(path, root) {
-  let candidate = path;
+async function realpathNearestExisting(path3, root) {
+  let candidate = path3;
   while (isInsideRoot(root, candidate)) {
     try {
       await (0, import_promises6.lstat)(candidate);
       return (0, import_promises6.realpath)(candidate);
     } catch {
-      const next = (0, import_node_path10.dirname)(candidate);
+      const next = (0, import_node_path9.dirname)(candidate);
       if (next === candidate) {
         break;
       }
@@ -10340,8 +10379,8 @@ async function realpathNearestExisting(path, root) {
   return root;
 }
 function isInsideRoot(root, candidate) {
-  const rel = (0, import_node_path10.relative)(root, candidate);
-  return rel === "" || !rel.startsWith("..") && !(0, import_node_path10.isAbsolute)(rel);
+  const rel = (0, import_node_path9.relative)(root, candidate);
+  return rel === "" || !rel.startsWith("..") && !(0, import_node_path9.isAbsolute)(rel);
 }
 async function writeNewFileAtomically(targetPath, content) {
   const tempPath = tempPathFor(targetPath);
@@ -10362,7 +10401,7 @@ async function replaceFileAtomically(targetPath, content) {
   }
 }
 function tempPathFor(targetPath) {
-  return (0, import_node_path10.join)((0, import_node_path10.dirname)(targetPath), `.${(0, import_node_path10.basename)(targetPath)}.${(0, import_node_crypto.randomUUID)()}.tmp`);
+  return (0, import_node_path9.join)((0, import_node_path9.dirname)(targetPath), `.${(0, import_node_path9.basename)(targetPath)}.${(0, import_node_crypto.randomUUID)()}.tmp`);
 }
 async function executePackageScriptJob(job, scriptName, options) {
   const packageJson = await readPackageJson(options.workspaceRoot);
@@ -10455,8 +10494,8 @@ function buildStationScanProof(kind, artifact) {
     `gaps: ${artifact.gaps.length}`,
     `summary: ${artifact.summary || "No summary returned."}`
   ];
-  for (const gap of artifact.gaps.slice(0, 5)) {
-    evidence.push(`gap: ${gap.title} (${gap.severity})`);
+  for (const gap2 of artifact.gaps.slice(0, 5)) {
+    evidence.push(`gap: ${gap2.title} (${gap2.severity})`);
   }
   for (const area of (artifact.missionGraph.areas ?? []).slice(0, 6)) {
     for (const mission of area.providerMissions.slice(0, 1)) {
@@ -10522,13 +10561,13 @@ function summarizeSafeNoopJob(job) {
     proofItems: [proofItemForJob(job, "runner_summary", "Runner summary", summary, [])]
   };
 }
-function proofItemForJob(job, kind, label, summary, evidence, redactionSecrets = []) {
+function proofItemForJob(job, kind, label2, summary, evidence, redactionSecrets = []) {
   return {
     deploySessionId: job.deploySessionId,
     runnerSessionId: job.runnerSessionId,
     jobId: job.id,
     kind,
-    label,
+    label: label2,
     summary: redactRunnerProofText(summary, redactionSecrets),
     evidence: evidence.map((value) => redactRunnerProofText(value, redactionSecrets)),
     redacted: true
@@ -10536,7 +10575,7 @@ function proofItemForJob(job, kind, label, summary, evidence, redactionSecrets =
 }
 async function readPackageJson(workspaceRoot) {
   try {
-    const raw = await (0, import_promises6.readFile)((0, import_node_path10.join)(workspaceRoot, "package.json"), "utf-8");
+    const raw = await (0, import_promises6.readFile)((0, import_node_path9.join)(workspaceRoot, "package.json"), "utf-8");
     const parsed = JSON.parse(raw);
     if (isRecord6(parsed) && isRecord6(parsed.scripts)) {
       return { scripts: Object.fromEntries(Object.entries(parsed.scripts).filter(([, value]) => typeof value === "string")) };
@@ -10551,10 +10590,10 @@ function packageScriptArgs(command, scriptName) {
   }
   return ["run", scriptName];
 }
-function summarizeCommandOutput(label, result, redactionSecrets = []) {
+function summarizeCommandOutput(label2, result, redactionSecrets = []) {
   const lines = `${result.stdout}
 ${result.stderr ?? ""}`.split(/\r?\n/).map((line) => redactRunnerProofText(line.trim(), redactionSecrets)).filter(Boolean).slice(0, 8);
-  return [`${label} ${result.ok ? "succeeded" : "failed"}`, ...lines];
+  return [`${label2} ${result.ok ? "succeeded" : "failed"}`, ...lines];
 }
 function redactRunnerProofText(value, additionalSecrets = []) {
   let out = redactAdditionalSecrets(value, additionalSecrets);
@@ -10619,7 +10658,7 @@ async function collectLocalRepoMetadata(workspaceRoot, commandRunner = runComman
   const headSha = headResult.ok ? normalizeSha(headResult.stdout) : null;
   const dirty = statusResult.ok ? statusResult.stdout.trim().length > 0 : void 0;
   return {
-    rootName: (0, import_node_path10.basename)(workspaceRoot) || "workspace",
+    rootName: (0, import_node_path9.basename)(workspaceRoot) || "workspace",
     remotes: remoteResult.ok ? parseGitRemotes(remoteResult.stdout) : [],
     branch,
     headSha,
@@ -10637,7 +10676,7 @@ async function detectPackageManager(workspaceRoot) {
   ];
   for (const [manager, file] of checks) {
     try {
-      await (0, import_promises6.access)((0, import_node_path10.join)(workspaceRoot, file));
+      await (0, import_promises6.access)((0, import_node_path9.join)(workspaceRoot, file));
       return manager;
     } catch {
     }
@@ -10828,7 +10867,7 @@ function isRecord6(value) {
 }
 
 // src/tui/runInteractive.ts
-var import_node_path15 = require("node:path");
+var import_node_path14 = require("node:path");
 
 // ../../../../node_modules/@clack/core/dist/index.mjs
 var import_sisteransi = __toESM(require_src(), 1);
@@ -11367,12 +11406,12 @@ var import_picocolors4 = __toESM(require_picocolors());
 function compact(value) {
   return String(value ?? "").replace(/\s+/g, " ").trim();
 }
-function originalHint(gap) {
-  const hint = compact(gap.copyPrompt);
+function originalHint(gap2) {
+  const hint = compact(gap2.copyPrompt);
   return hint ? hint : "No scanner hint was returned for this gap.";
 }
-function buildAgentFixPrompt(artifact, gap) {
-  const affected = [gap.primaryMapCategory, ...gap.affectedMapCategories ?? []].filter(Boolean).filter((value, index, all) => all.indexOf(value) === index).join(", ");
+function buildAgentFixPrompt(artifact, gap2) {
+  const affected = [gap2.primaryMapCategory, ...gap2.affectedMapCategories ?? []].filter(Boolean).filter((value, index, all) => all.indexOf(value) === index).join(", ");
   return [
     "You are an AI coding agent using VibeRaven as the production-readiness map.",
     "",
@@ -11380,11 +11419,11 @@ function buildAgentFixPrompt(artifact, gap) {
     "",
     `Project: ${artifact.workspacePath}`,
     `Current VibeRaven state: production core ${artifact.productionCorePercent}% | score ${artifact.score} (${artifact.scoreLabel})`,
-    `Gap: ${gap.title}`,
-    `Gap id: ${gap.id}`,
-    `Severity: ${gap.severity}`,
-    `Production area: ${gap.primaryMapCategory}${affected ? ` | affected: ${affected}` : ""}`,
-    `Scanner detail: ${compact(gap.detail)}`,
+    `Gap: ${gap2.title}`,
+    `Gap id: ${gap2.id}`,
+    `Severity: ${gap2.severity}`,
+    `Production area: ${gap2.primaryMapCategory}${affected ? ` | affected: ${affected}` : ""}`,
+    `Scanner detail: ${compact(gap2.detail)}`,
     "",
     "Required workflow:",
     "1. Read `.viberaven/agent-summary.md` and `.viberaven/launch-playbook.md` before changing code.",
@@ -11410,10 +11449,13 @@ function buildAgentFixPrompt(artifact, gap) {
     "- Report what changed, what verification passed, and which VibeRaven gap remains next.",
     "",
     "Original scanner hint:",
-    originalHint(gap)
+    originalHint(gap2)
   ].join("\n");
 }
 
+// src/version.ts
+var VERSION = "1.1.1";
+
 // src/commands/guide.ts
 var import_picocolors3 = __toESM(require_picocolors());
 function formatPasteTarget(step) {
@@ -11482,7 +11524,7 @@ async function runGuideCommand(options) {
 
 // src/commands/audit.ts
 var import_promises7 = require("node:fs/promises");
-var import_node_path11 = require("node:path");
+var import_node_path10 = require("node:path");
 var ENV_FILES = [
   ".env",
   ".env.local",
@@ -11582,7 +11624,7 @@ function buildVercelSupabaseAudit(input) {
 }
 async function readIfExists(projectRoot, relativePath) {
   try {
-    const absolutePath = (0, import_node_path11.join)(projectRoot, relativePath);
+    const absolutePath = (0, import_node_path10.join)(projectRoot, relativePath);
     const fileStat = await (0, import_promises7.stat)(absolutePath);
     if (!fileStat.isFile()) {
       return void 0;
@@ -11596,7 +11638,7 @@ async function readIfExists(projectRoot, relativePath) {
   }
 }
 async function collectSqlFiles(projectRoot, root) {
-  const base = (0, import_node_path11.join)(projectRoot, root);
+  const base = (0, import_node_path10.join)(projectRoot, root);
   try {
     const rootStat = await (0, import_promises7.stat)(base);
     if (!rootStat.isDirectory()) {
@@ -11616,17 +11658,17 @@ async function collectSqlFiles(projectRoot, root) {
     for (const entry of entries) {
       if (entry.isDirectory()) {
         if (!SKIP_DIRS.has(entry.name)) {
-          await visit((0, import_node_path11.join)(dir, entry.name));
+          await visit((0, import_node_path10.join)(dir, entry.name));
         }
         continue;
       }
       if (!entry.isFile() || !entry.name.toLowerCase().endsWith(".sql")) {
         continue;
       }
-      const absolutePath = (0, import_node_path11.join)(dir, entry.name);
+      const absolutePath = (0, import_node_path10.join)(dir, entry.name);
       try {
         files.push({
-          path: (0, import_node_path11.relative)(projectRoot, absolutePath).replace(/\\/g, "/"),
+          path: (0, import_node_path10.relative)(projectRoot, absolutePath).replace(/\\/g, "/"),
           content: await (0, import_promises7.readFile)(absolutePath, "utf8")
         });
       } catch {
@@ -11676,7 +11718,7 @@ function renderVercelSupabaseAudit(result) {
 
 // src/commands/initRules.ts
 var import_promises10 = require("node:fs/promises");
-var import_node_path14 = require("node:path");
+var import_node_path13 = require("node:path");
 
 // src/commands/agentRulesBlock.ts
 var VIBERAVEN_BLOCK_START = "<!-- VIBERAVEN:START -->";
@@ -11698,15 +11740,6 @@ Maps repo evidence to OWASP LLM Top 10 launch risks. Supports SAFECode-style dep
 var STACK_FRAMING = `Stack context for this repo: Next.js, Supabase, Vercel, VibeRaven.
 Do NOT deploy to Vercel or ship to production users without running \`${PUBLIC_AGENT_MODE_COMMAND}\`.
 Do NOT rely on manual production checklists when VibeRaven gate artifacts exist in \`.viberaven/\`.`;
-var PRODUCTION_PROTOCOL_RULES = `## VibeRaven Production Protocol
-
-Before making deploy, auth, database, payment, API, or scaling changes:
-
-1. Read \`.viberaven/prp.json\`.
-2. Follow \`.viberaven/mission-map.md\`.
-3. Do not deploy if \`decision.status\` is \`blocked\`.
-4. Fix \`nextActions\` in order.
-5. Re-run \`${PUBLIC_AGENT_MODE_COMMAND}\`.`;
 var AGENT_NEGATIVE_CONSTRAINTS = `## Event-Triggered Production Verification
 
 Trigger: modifications to \`package.json\`, \`vercel.json\`, \`supabase/migrations/**/*\`, \`.env.example\`, auth/billing/webhook paths, or deploy workflow files.
@@ -11732,8 +11765,6 @@ var AGENT_RULES_BODY = `${AGENT_RULES_PREAMBLE}
 
 ${STACK_FRAMING}
 
-${PRODUCTION_PROTOCOL_RULES}
-
 ${AGENT_NEGATIVE_CONSTRAINTS}
 
 ## VibeRaven Production-Readiness Gate
@@ -11783,11 +11814,10 @@ var AGENT_CONTEXT_BODY = `${AGENT_RULES_PREAMBLE}
 
 After \`--agent-mode\`, read these artifacts in order:
 
-1. \`.viberaven/prp.json\`
-2. \`.viberaven/mission-map.md\`
-3. \`.viberaven/agent-tasklist.md\`
-4. \`.viberaven/gate-result.json\`
-5. \`.viberaven/context-map.json\``;
+1. \`.viberaven/mission-map.md\`
+2. \`.viberaven/agent-tasklist.md\`
+3. \`.viberaven/gate-result.json\`
+4. \`.viberaven/context-map.json\``;
 var MISSION_MAP_BODY = `${AGENT_RULES_PREAMBLE}
 
 ## Mission Map loop
@@ -11926,7 +11956,7 @@ function escapeRegExp3(value) {
 
 // src/commands/cursorRulesPack.ts
 var import_promises8 = require("node:fs/promises");
-var import_node_path12 = require("node:path");
+var import_node_path11 = require("node:path");
 var CURSOR_RULES_DIR = ".cursor/rules";
 var LEGACY_CURSOR_RULE_FILE = `${CURSOR_RULES_DIR}/viberaven.mdc`;
 var DOMAIN_PATH_POINTER = "Before editing these files, read `.viberaven/agent-context.md` and `.viberaven/mission-map.md`.";
@@ -12008,27 +12038,27 @@ function renderCursorCoreRulePreview() {
 async function initCursorRulesPack(options) {
   const results = [];
   const pack = buildCursorRulesPack();
-  for (const rule of pack) {
-    const file = `${CURSOR_RULES_DIR}/${rule.filename}`;
-    const path = (0, import_node_path12.join)(options.cwd, file);
-    const existing = await readExistingFile(path);
-    const changed = !existing.exists || existing.content !== rule.content;
+  for (const rule2 of pack) {
+    const file = `${CURSOR_RULES_DIR}/${rule2.filename}`;
+    const path3 = (0, import_node_path11.join)(options.cwd, file);
+    const existing = await readExistingFile(path3);
+    const changed = !existing.exists || existing.content !== rule2.content;
     const action = !existing.exists ? "created" : changed ? "updated" : "unchanged";
     if (!options.dryRun && changed) {
-      await (0, import_promises8.mkdir)((0, import_node_path12.join)(options.cwd, CURSOR_RULES_DIR), { recursive: true });
-      await (0, import_promises8.writeFile)(path, rule.content, "utf-8");
+      await (0, import_promises8.mkdir)((0, import_node_path11.join)(options.cwd, CURSOR_RULES_DIR), { recursive: true });
+      await (0, import_promises8.writeFile)(path3, rule2.content, "utf-8");
     }
-    results.push({ target: "cursor", file, path, action });
+    results.push({ target: "cursor", file, path: path3, action });
   }
-  const legacyPath = (0, import_node_path12.join)(options.cwd, LEGACY_CURSOR_RULE_FILE);
+  const legacyPath = (0, import_node_path11.join)(options.cwd, LEGACY_CURSOR_RULE_FILE);
   if (!options.dryRun && await fileExists(legacyPath)) {
     await (0, import_promises8.rm)(legacyPath, { force: true });
   }
   return results;
 }
-async function readExistingFile(path) {
+async function readExistingFile(path3) {
   try {
-    return { exists: true, content: await (0, import_promises8.readFile)(path, "utf-8") };
+    return { exists: true, content: await (0, import_promises8.readFile)(path3, "utf-8") };
   } catch (error) {
     if (isFileNotFoundError(error)) {
       return { exists: false, content: "" };
@@ -12036,9 +12066,9 @@ async function readExistingFile(path) {
     throw error;
   }
 }
-async function fileExists(path) {
+async function fileExists(path3) {
   try {
-    await (0, import_promises8.access)(path);
+    await (0, import_promises8.access)(path3);
     return true;
   } catch {
     return false;
@@ -12133,14 +12163,14 @@ function getAgentRulesTargets(value) {
 // src/commands/seedPackageJsonScripts.ts
 var import_node_fs7 = require("node:fs");
 var import_promises9 = require("node:fs/promises");
-var import_node_path13 = require("node:path");
+var import_node_path12 = require("node:path");
 var VIBERAVEN_PACKAGE_JSON_SCRIPTS = {
   "viberaven:gate": PUBLIC_AGENT_MODE_COMMAND,
   "viberaven:verify": PUBLIC_VERIFY_COMMAND,
   "viberaven:strict": PUBLIC_STRICT_COMMAND
 };
 async function seedPackageJsonScripts(options) {
-  const packageJsonPath = (0, import_node_path13.join)(options.cwd, "package.json");
+  const packageJsonPath = (0, import_node_path12.join)(options.cwd, "package.json");
   if (!(0, import_node_fs7.existsSync)(packageJsonPath)) {
     return null;
   }
@@ -12189,15 +12219,15 @@ async function initAgentRules(options) {
       continue;
     }
     const file = AGENT_RULE_TARGETS[target].file;
-    const path = (0, import_node_path14.join)(options.cwd, file);
-    const existing = await readExistingFile2(path);
+    const path3 = (0, import_node_path13.join)(options.cwd, file);
+    const existing = await readExistingFile2(path3);
     const injected = injectAgentRulesBlock(existing.content, renderAgentRulesForTarget(target));
     const action = !existing.exists ? "created" : injected.changed ? "updated" : "unchanged";
     if (!options.dryRun && injected.changed) {
-      await (0, import_promises10.mkdir)((0, import_node_path14.dirname)(path), { recursive: true });
-      await (0, import_promises10.writeFile)(path, injected.content, "utf-8");
+      await (0, import_promises10.mkdir)((0, import_node_path13.dirname)(path3), { recursive: true });
+      await (0, import_promises10.writeFile)(path3, injected.content, "utf-8");
     }
-    results.push({ target, file, path, action });
+    results.push({ target, file, path: path3, action });
   }
   const packageJsonScripts = await seedPackageJsonScripts({
     cwd: options.cwd,
@@ -12208,7 +12238,7 @@ async function initAgentRules(options) {
 function renderAgentRulesDryRun(targets) {
   const files = targets.flatMap((target) => {
     if (target === "cursor") {
-      return buildCursorRulesPack().map((rule) => `- cursor: .cursor/rules/${rule.filename}`);
+      return buildCursorRulesPack().map((rule2) => `- cursor: .cursor/rules/${rule2.filename}`);
     }
     return [`- ${target}: ${AGENT_RULE_TARGETS[target].file}`];
   }).join("\n");
@@ -12261,9 +12291,9 @@ function formatAgentRulesInitSummary(output) {
   );
   return lines.join("\n");
 }
-async function readExistingFile2(path) {
+async function readExistingFile2(path3) {
   try {
-    return { exists: true, content: await (0, import_promises10.readFile)(path, "utf-8") };
+    return { exists: true, content: await (0, import_promises10.readFile)(path3, "utf-8") };
   } catch (error) {
     if (isFileNotFoundError2(error)) {
       return { exists: false, content: "" };
@@ -12431,15 +12461,15 @@ async function handleViewGaps(cwd) {
 async function handlePrompt(cwd) {
   try {
     const artifact = await loadLastArtifact(cwd);
-    const gap = pickGap(artifact);
-    if (!gap) {
+    const gap2 = pickGap(artifact);
+    if (!gap2) {
       M2.warn("No gaps to fix. Run a scan or pick a different project.");
       return;
     }
-    const prompt = buildAgentFixPrompt(artifact, gap);
+    const prompt = buildAgentFixPrompt(artifact, gap2);
     try {
       await copyToClipboard(prompt);
-      M2.success(import_picocolors4.default.green(`Copied top prompt to clipboard \u2014 ${gap.title}`));
+      M2.success(import_picocolors4.default.green(`Copied top prompt to clipboard \u2014 ${gap2.title}`));
     } catch (error) {
       M2.warn(error instanceof Error ? error.message : String(error));
       console.log("");
@@ -12571,7 +12601,7 @@ async function runInteractiveSession(startDir = process.cwd()) {
   Ie(`${import_picocolors4.default.bold("VibeRaven")} ${import_picocolors4.default.dim(VERSION)}`);
   const cwd = await resolveWorkspaceRoot(startDir);
   const artifactsAt = await findArtifactsWorkspace(startDir);
-  if (artifactsAt && (0, import_node_path15.resolve)(artifactsAt) !== (0, import_node_path15.resolve)(startDir)) {
+  if (artifactsAt && (0, import_node_path14.resolve)(artifactsAt) !== (0, import_node_path14.resolve)(startDir)) {
     M2.message(import_picocolors4.default.dim(`Using scan from: ${artifactsAt}`));
   } else {
     M2.message(import_picocolors4.default.dim(`Project folder: ${cwd}`));
@@ -12639,11 +12669,11 @@ async function runInteractiveSession(startDir = process.cwd()) {
 
 // src/commands/condense.ts
 var import_promises11 = require("node:fs/promises");
-var import_node_path16 = require("node:path");
+var import_node_path15 = require("node:path");
 async function runCondenseCommand(options) {
   const dir = getProjectArtifactsDir(options.cwd);
-  const artifact = JSON.parse(await (0, import_promises11.readFile)((0, import_node_path16.join)(dir, "last-scan.json"), "utf8"));
-  const contextMapPath = (0, import_node_path16.join)(dir, "context-map.json");
+  const artifact = JSON.parse(await (0, import_promises11.readFile)((0, import_node_path15.join)(dir, "last-scan.json"), "utf8"));
+  const contextMapPath = (0, import_node_path15.join)(dir, "context-map.json");
   await (0, import_promises11.writeFile)(contextMapPath, `${JSON.stringify(generateContextMap(artifact), null, 2)}
 `, "utf8");
   return { contextMapPath };
@@ -12652,15 +12682,15 @@ async function runCondenseCommand(options) {
 // src/heal/apply.ts
 var import_promises13 = require("node:fs/promises");
 var import_node_fs10 = require("node:fs");
-var import_node_path20 = require("node:path");
+var import_node_path19 = require("node:path");
 
 // src/heal/pathSafety.ts
-var import_node_path17 = require("node:path");
+var import_node_path16 = require("node:path");
 var BLOCKED_SEGMENTS = /* @__PURE__ */ new Set([".git", "node_modules", "dist", "build", ".next", ".viberaven"]);
 function assertSafeHealTarget(cwd, target) {
-  const root = (0, import_node_path17.resolve)(cwd);
-  const absolute = (0, import_node_path17.resolve)(root, target);
-  const rel = (0, import_node_path17.relative)(root, absolute);
+  const root = (0, import_node_path16.resolve)(cwd);
+  const absolute = (0, import_node_path16.resolve)(root, target);
+  const rel = (0, import_node_path16.relative)(root, absolute);
   if (rel.startsWith("..") || rel === "" || /^[A-Za-z]:/.test(rel)) {
     throw new Error("Heal target must stay inside the workspace");
   }
@@ -12685,7 +12715,7 @@ function applyEmptyCatchRecipe(source) {
 // src/heal/recipes/index.ts
 var import_node_fs9 = require("node:fs");
 var import_promises12 = require("node:fs/promises");
-var import_node_path19 = require("node:path");
+var import_node_path18 = require("node:path");
 
 // src/heal/recipes/envAuthSecret.ts
 function applyAuthSecretRecipe(source) {
@@ -13067,7 +13097,7 @@ function applyRateLimitRecipe(source, hasUpstash) {
 
 // src/heal/recipes/eslintRestrictedImports.ts
 var import_node_fs8 = require("node:fs");
-var import_node_path18 = require("node:path");
+var import_node_path17 = require("node:path");
 var VIBERAVEN_ESLINT_MARKER = "VibeRaven heal: eslint_restricted_imports";
 var RESTRICTED_IMPORTS_MESSAGE = `Restricted import. Run ${PUBLIC_AGENT_MODE_COMMAND} before substituting packages.`;
 var RESTRICTED_PATHS = [
@@ -13097,7 +13127,7 @@ var ESLINT_CONFIG_CANDIDATES = [
 ];
 function detectEslintConfigFile(cwd) {
   for (const candidate of ESLINT_CONFIG_CANDIDATES) {
-    if ((0, import_node_fs8.existsSync)((0, import_node_path18.join)(cwd, candidate))) {
+    if ((0, import_node_fs8.existsSync)((0, import_node_path17.join)(cwd, candidate))) {
       return candidate;
     }
   }
@@ -13277,7 +13307,7 @@ async function readSourceOrEmpty(absolutePath) {
 }
 async function detectUpstash(cwd) {
   try {
-    const pkgPath = (0, import_node_path19.join)(cwd, "package.json");
+    const pkgPath = (0, import_node_path18.join)(cwd, "package.json");
     if (!(0, import_node_fs9.existsSync)(pkgPath)) return false;
     const raw = await (0, import_promises12.readFile)(pkgPath, "utf8");
     const pkg = JSON.parse(raw);
@@ -13294,7 +13324,7 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   const targetFile = explicitTarget ?? defaultTargetFile(gapId);
   if (targetFile === void 0) return null;
   if (gapId === "auth_secret_missing" || gapId === "node_env_not_set" || gapId === "database_url_missing") {
-    const absolutePath = (0, import_node_path19.join)(cwd, targetFile);
+    const absolutePath = (0, import_node_path18.join)(cwd, targetFile);
     const source = await readSourceOrEmpty(absolutePath);
     let result;
     if (gapId === "auth_secret_missing") result = applyAuthSecretRecipe(source);
@@ -13308,25 +13338,25 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
     };
   }
   if (gapId === "missing_error_boundary") {
-    const absolutePath = (0, import_node_path19.join)(cwd, "app/error.tsx");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/error.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyErrorBoundaryRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_health_route") {
-    const absolutePath = (0, import_node_path19.join)(cwd, "app/api/health/route.ts");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/api/health/route.ts");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyHealthRouteRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_loading_state") {
-    const absolutePath = (0, import_node_path19.join)(cwd, "app/loading.tsx");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/loading.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyLoadingStateRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
   }
   if (gapId === "missing_404_page") {
-    const absolutePath = (0, import_node_path19.join)(cwd, "app/not-found.tsx");
+    const absolutePath = (0, import_node_path18.join)(cwd, "app/not-found.tsx");
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyNotFoundRecipe(source);
     return { ...result, canAutoApply: true, recipeName: gapId };
@@ -13344,10 +13374,10 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   }
   if (gapId === "missing_csp_header") {
     let configFile = "next.config.js";
-    let absolutePath = (0, import_node_path19.join)(cwd, configFile);
+    let absolutePath = (0, import_node_path18.join)(cwd, configFile);
     if (!(0, import_node_fs9.existsSync)(absolutePath)) {
       configFile = "next.config.mjs";
-      absolutePath = (0, import_node_path19.join)(cwd, configFile);
+      absolutePath = (0, import_node_path18.join)(cwd, configFile);
     }
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyCspHeaderRecipe(source);
@@ -13359,7 +13389,7 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
   }
   if (gapId === "missing_rate_limit") {
     const hasUpstash = await detectUpstash(cwd);
-    const middlewarePath = (0, import_node_path19.join)(cwd, "middleware.ts");
+    const middlewarePath = (0, import_node_path18.join)(cwd, "middleware.ts");
     const source = await readSourceOrEmpty(middlewarePath);
     const result = applyRateLimitRecipe(source, hasUpstash);
     return {
@@ -13381,7 +13411,7 @@ async function dispatchRecipeByGapId(gapId, cwd, explicitTarget) {
         recipeName: gapId
       };
     }
-    const absolutePath = (0, import_node_path19.join)(cwd, configFile);
+    const absolutePath = (0, import_node_path18.join)(cwd, configFile);
     const source = await readSourceOrEmpty(absolutePath);
     const result = applyEslintRestrictedImportsRecipe(source, configFile);
     return {
@@ -13456,13 +13486,13 @@ async function applyHeal(options) {
           rollback: { available: false, instructions: "Recipe matched but no change was needed (already applied or file already exists)." }
         };
       }
-      const absoluteTarget = (0, import_node_path20.join)(options.cwd, dispatched.targetFile);
+      const absoluteTarget = (0, import_node_path19.join)(options.cwd, dispatched.targetFile);
       assertSafeHealTarget(options.cwd, dispatched.targetFile);
-      await (0, import_promises13.mkdir)((0, import_node_path20.dirname)(absoluteTarget), { recursive: true });
-      const healDir2 = (0, import_node_path20.join)(options.cwd, ".viberaven", "heal", id);
-      await (0, import_promises13.mkdir)((0, import_node_path20.join)(healDir2, "before"), { recursive: true });
+      await (0, import_promises13.mkdir)((0, import_node_path19.dirname)(absoluteTarget), { recursive: true });
+      const healDir2 = (0, import_node_path19.join)(options.cwd, ".viberaven", "heal", id);
+      await (0, import_promises13.mkdir)((0, import_node_path19.join)(healDir2, "before"), { recursive: true });
       const beforeContent = (0, import_node_fs10.existsSync)(absoluteTarget) ? await (0, import_promises13.readFile)(absoluteTarget, "utf8") : "";
-      await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir2, "before", "target.txt"), beforeContent, "utf8");
+      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "before", "target.txt"), beforeContent, "utf8");
       await (0, import_promises13.writeFile)(absoluteTarget, dispatched.output, "utf8");
       const patch2 = [
         `--- ${dispatched.targetFile}`,
@@ -13473,7 +13503,7 @@ async function applyHeal(options) {
         dispatched.output,
         ""
       ].join("\n");
-      await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir2, "patch.diff"), patch2, "utf8");
+      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "patch.diff"), patch2, "utf8");
       const result2 = {
         $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
         schemaVersion: "v1",
@@ -13484,7 +13514,7 @@ async function applyHeal(options) {
         gapId: options.gapId,
         recipe: dispatched.recipeName,
         target: dispatched.targetFile,
-        changedFiles: [(0, import_node_path20.relative)(options.cwd, absoluteTarget).replace(/\\/g, "/")],
+        changedFiles: [(0, import_node_path19.relative)(options.cwd, absoluteTarget).replace(/\\/g, "/")],
         artifacts: {
           patch: `.viberaven/heal/${id}/patch.diff`,
           result: `.viberaven/heal/${id}/result.json`
@@ -13494,7 +13524,7 @@ async function applyHeal(options) {
           instructions: "Restore .viberaven/heal/<healId>/before/target.txt to the target file or apply the reverse patch."
         }
       };
-      await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir2, "result.json"), `${JSON.stringify(result2, null, 2)}
+      await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir2, "result.json"), `${JSON.stringify(result2, null, 2)}
 `, "utf8");
       return result2;
     }
@@ -13531,9 +13561,9 @@ async function applyHeal(options) {
       rollback: { available: false, instructions: "No supported heal recipe matched this file." }
     };
   }
-  const healDir = (0, import_node_path20.join)(options.cwd, ".viberaven", "heal", id);
-  await (0, import_promises13.mkdir)((0, import_node_path20.join)(healDir, "before"), { recursive: true });
-  await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir, "before", "target.txt"), before, "utf8");
+  const healDir = (0, import_node_path19.join)(options.cwd, ".viberaven", "heal", id);
+  await (0, import_promises13.mkdir)((0, import_node_path19.join)(healDir, "before"), { recursive: true });
+  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "before", "target.txt"), before, "utf8");
   await (0, import_promises13.writeFile)(absolute, recipe.output, "utf8");
   const patch = [
     `--- ${options.target}`,
@@ -13544,7 +13574,7 @@ async function applyHeal(options) {
     recipe.output,
     ""
   ].join("\n");
-  await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir, "patch.diff"), patch, "utf8");
+  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "patch.diff"), patch, "utf8");
   const result = {
     $schema: "https://viberaven.dev/schemas/heal-result.schema.json",
     schemaVersion: "v1",
@@ -13555,7 +13585,7 @@ async function applyHeal(options) {
     gapId: options.gapId,
     recipe: "empty-catch-safe-response",
     target: options.target,
-    changedFiles: [(0, import_node_path20.relative)(options.cwd, absolute).replace(/\\/g, "/")],
+    changedFiles: [(0, import_node_path19.relative)(options.cwd, absolute).replace(/\\/g, "/")],
     artifacts: {
       patch: `.viberaven/heal/${id}/patch.diff`,
       result: `.viberaven/heal/${id}/result.json`
@@ -13565,19 +13595,19 @@ async function applyHeal(options) {
       instructions: "Restore .viberaven/heal/<healId>/before/target.txt to the target file or apply the reverse patch."
     }
   };
-  await (0, import_promises13.writeFile)((0, import_node_path20.join)(healDir, "result.json"), `${JSON.stringify(result, null, 2)}
+  await (0, import_promises13.writeFile)((0, import_node_path19.join)(healDir, "result.json"), `${JSON.stringify(result, null, 2)}
 `, "utf8");
   return result;
 }
 
 // src/heal/plan.ts
 var import_promises14 = require("node:fs/promises");
-var import_node_path21 = require("node:path");
+var import_node_path20 = require("node:path");
 function healId2() {
   return `heal_${(/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14)}`;
 }
 async function writeHealPlan(options) {
-  const dir = (0, import_node_path21.join)(options.cwd, ".viberaven");
+  const dir = (0, import_node_path20.join)(options.cwd, ".viberaven");
   await (0, import_promises14.mkdir)(dir, { recursive: true });
   const id = healId2();
   const target = options.target ?? `gap:${options.gapId}`;
@@ -13605,20 +13635,20 @@ async function writeHealPlan(options) {
     artifacts: { plan: ".viberaven/heal-plan.md" },
     rollback: { available: false, instructions: "No source files were changed." }
   };
-  await (0, import_promises14.writeFile)((0, import_node_path21.join)(dir, "heal-plan.md"), markdown, "utf8");
-  await (0, import_promises14.writeFile)((0, import_node_path21.join)(dir, "heal-plan.json"), `${JSON.stringify(result, null, 2)}
+  await (0, import_promises14.writeFile)((0, import_node_path20.join)(dir, "heal-plan.md"), markdown, "utf8");
+  await (0, import_promises14.writeFile)((0, import_node_path20.join)(dir, "heal-plan.json"), `${JSON.stringify(result, null, 2)}
 `, "utf8");
   return result;
 }
 
 // src/heal/prompt.ts
 var import_promises15 = require("node:fs/promises");
-var import_node_path22 = require("node:path");
+var import_node_path21 = require("node:path");
 function healId3() {
   return `heal_${(/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14)}`;
 }
 async function writeHealPrompt(options) {
-  const dir = (0, import_node_path22.join)(options.cwd, ".viberaven");
+  const dir = (0, import_node_path21.join)(options.cwd, ".viberaven");
   await (0, import_promises15.mkdir)(dir, { recursive: true });
   const id = healId3();
   const target = options.target ?? `gap:${options.gapId}`;
@@ -13646,7 +13676,7 @@ async function writeHealPrompt(options) {
     artifacts: { prompt: ".viberaven/heal-prompt.md" },
     rollback: { available: false, instructions: "No source files were changed." }
   };
-  await (0, import_promises15.writeFile)((0, import_node_path22.join)(dir, "heal-prompt.md"), prompt, "utf8");
+  await (0, import_promises15.writeFile)((0, import_node_path21.join)(dir, "heal-prompt.md"), prompt, "utf8");
   return result;
 }
 
@@ -13733,7 +13763,7 @@ async function runHealCommand(options) {
 // src/stackRecommend.ts
 var import_promises17 = require("node:fs/promises");
 var import_node_fs11 = require("node:fs");
-var import_node_path23 = require("node:path");
+var import_node_path22 = require("node:path");
 var DEFAULT_STACK = {
   frontend: "react",
   ui: "tailwind + shadcn/ui",
@@ -13744,7 +13774,7 @@ var DEFAULT_STACK = {
   reason: "Agent-default stack for lowest launch friction when repo signals are ambiguous"
 };
 async function recommendStack(cwd = process.cwd()) {
-  const pkgPath = (0, import_node_path23.join)(cwd, "package.json");
+  const pkgPath = (0, import_node_path22.join)(cwd, "package.json");
   if (!(0, import_node_fs11.existsSync)(pkgPath)) {
     return DEFAULT_STACK;
   }
@@ -13801,7 +13831,7 @@ async function runInitCommand(options) {
 
 // src/commands/doctorAgents.ts
 var import_promises18 = require("node:fs/promises");
-var import_node_path24 = require("node:path");
+var import_node_path23 = require("node:path");
 var REQUIRED_EXISTENCE_CHECKS = [
   { id: "agents-md", file: "AGENTS.md" },
   { id: "claude-md", file: "CLAUDE.md" },
@@ -13821,7 +13851,7 @@ var STALE_PATTERNS = [
 async function checkAgentInjection(cwd) {
   const checks = [];
   for (const item3 of REQUIRED_EXISTENCE_CHECKS) {
-    const exists = await fileExists2((0, import_node_path24.join)(cwd, item3.file));
+    const exists = await fileExists2((0, import_node_path23.join)(cwd, item3.file));
     checks.push({
       id: item3.id,
       status: exists ? "pass" : "fail",
@@ -13829,17 +13859,17 @@ async function checkAgentInjection(cwd) {
     });
   }
   for (const item3 of OPTIONAL_CURSOR_PACK_CHECKS) {
-    const exists = await fileExists2((0, import_node_path24.join)(cwd, item3.file));
+    const exists = await fileExists2((0, import_node_path23.join)(cwd, item3.file));
     checks.push({
       id: item3.id,
       status: exists ? "pass" : "fail",
       message: exists ? `${item3.file} exists` : `Missing ${item3.file} \u2014 run npx -y viberaven init --agents all`
     });
   }
-  const legacyCursorPath = (0, import_node_path24.join)(cwd, ".cursor/rules/viberaven.mdc");
+  const legacyCursorPath = (0, import_node_path23.join)(cwd, ".cursor/rules/viberaven.mdc");
   if (await fileExists2(legacyCursorPath)) {
     const legacyContent = await (0, import_promises18.readFile)(legacyCursorPath, "utf-8");
-    const hasCoreSplit = await fileExists2((0, import_node_path24.join)(cwd, ".cursor/rules/viberaven-core.mdc"));
+    const hasCoreSplit = await fileExists2((0, import_node_path23.join)(cwd, ".cursor/rules/viberaven-core.mdc"));
     if (!hasCoreSplit || legacyContent.includes("alwaysApply: true")) {
       checks.push({
         id: "cursor-legacy-mdc",
@@ -13850,8 +13880,8 @@ async function checkAgentInjection(cwd) {
   }
   for (const target of CORE_AGENT_INJECTION_TARGETS) {
     const file = target === "cursor" ? ".cursor/rules/viberaven-core.mdc" : AGENT_RULE_TARGETS[target].file;
-    const path = (0, import_node_path24.join)(cwd, file);
-    const exists = await fileExists2(path);
+    const path3 = (0, import_node_path23.join)(cwd, file);
+    const exists = await fileExists2(path3);
     if (!exists) {
       checks.push({
         id: `canonical-${target}`,
@@ -13860,7 +13890,7 @@ async function checkAgentInjection(cwd) {
       });
       continue;
     }
-    const content = await (0, import_promises18.readFile)(path, "utf-8");
+    const content = await (0, import_promises18.readFile)(path3, "utf-8");
     const hasCommand = content.includes(PUBLIC_AGENT_MODE_COMMAND);
     checks.push({
       id: `canonical-${target}`,
@@ -13892,9 +13922,9 @@ function formatDoctorAgentsReport(report) {
   lines.push(report.ok ? "All agent injection checks passed." : "Agent injection checks failed.");
   return lines.join("\n");
 }
-async function fileExists2(path) {
+async function fileExists2(path3) {
   try {
-    await (0, import_promises18.access)(path);
+    await (0, import_promises18.access)(path3);
     return true;
   } catch {
     return false;
@@ -14107,6 +14137,220 @@ async function runAuditCommand(input) {
   return result.status === "pass" ? 0 : 1;
 }
 
+// src/commands/badge.ts
+var import_promises19 = require("node:fs/promises");
+var import_node_path24 = require("node:path");
+
+// src/brand/palette.ts
+var import_picocolors5 = __toESM(require_picocolors());
+var STATUS_GLYPH = {
+  clear: "\u2713",
+  warning: "\u25C8",
+  blocked: "\u25C6",
+  fixable: "\u25B8",
+  manual: "\u25C7",
+  done: "\u2713",
+  pending: "\xB7"
+};
+var DECISION_GLYPH = {
+  CLEAR: STATUS_GLYPH.clear,
+  WARNING: STATUS_GLYPH.warning,
+  BLOCKED: STATUS_GLYPH.blocked
+};
+function identity(text) {
+  return text;
+}
+function colorsFor(mode) {
+  return import_picocolors5.default.createColors(mode === "rich");
+}
+function decisionColor(decision, mode) {
+  const colors = colorsFor(mode);
+  if (decision === "CLEAR") return colors.green;
+  if (decision === "WARNING") return colors.yellow;
+  return colors.red;
+}
+function decisionStyle(decision, mode) {
+  const colorize = mode === "rich" ? decisionColor(decision, mode) : identity;
+  return {
+    glyph: DECISION_GLYPH[decision],
+    label: colorize(decision),
+    colorize
+  };
+}
+function richOrPlain(text, mode, colorize) {
+  return mode === "rich" ? colorize(text) : text;
+}
+var accent = {
+  brand(text, mode) {
+    return richOrPlain(text, mode, colorsFor(mode).cyan);
+  },
+  dim(text, mode) {
+    return richOrPlain(text, mode, colorsFor(mode).dim);
+  },
+  bold(text, mode) {
+    return richOrPlain(text, mode, colorsFor(mode).bold);
+  }
+};
+
+// src/brand/ui.ts
+var import_picocolors6 = __toESM(require_picocolors());
+var ANSI_PATTERN = /\x1b\[[0-9;]*m/g;
+function colorsFor2(mode) {
+  return import_picocolors6.default.createColors(mode === "rich");
+}
+function stripAnsi(value) {
+  return value.replace(ANSI_PATTERN, "");
+}
+function visibleWidth(value) {
+  return stripAnsi(value).length;
+}
+function padVisible(value, width) {
+  return `${value}${" ".repeat(Math.max(0, width - visibleWidth(value)))}`;
+}
+function safeWidth(width) {
+  if (!Number.isFinite(width)) return 1;
+  return Math.max(1, Math.floor(width));
+}
+function clampPercent(percent) {
+  if (Number.isNaN(percent)) return 0;
+  return Math.max(0, Math.min(100, percent));
+}
+function colorizeGaugeFill(text, percent, mode) {
+  const colors = colorsFor2(mode);
+  if (mode !== "rich") return text;
+  if (percent >= 80) return colors.green(text);
+  if (percent >= 50) return colors.yellow(text);
+  return colors.red(text);
+}
+function rule(width, options) {
+  const line = "\u2500".repeat(safeWidth(width));
+  return accent.dim(line, options.mode);
+}
+function box(lines, options) {
+  const content = lines.length > 0 ? lines : [""];
+  const innerWidth = Math.max(1, ...content.map(visibleWidth));
+  const horizontal = "\u2500".repeat(innerWidth + 2);
+  const colors = colorsFor2(options.mode);
+  const border = (value) => options.mode === "rich" ? colors.cyan(value) : value;
+  const body = content.map((line) => border("\u2502") + ` ${padVisible(line, innerWidth)} ` + border("\u2502"));
+  return [border(`\u250C${horizontal}\u2510`), ...body, border(`\u2514${horizontal}\u2518`)].join("\n");
+}
+function gauge(percent, options) {
+  const width = safeWidth(options.width);
+  const clamped = clampPercent(percent);
+  const label2 = `${Math.round(clamped)}%`;
+  const filledWidth = Math.round(clamped / 100 * width);
+  const emptyWidth = width - filledWidth;
+  const filled = colorizeGaugeFill("\u2588".repeat(filledWidth), clamped, options.mode);
+  const empty = accent.dim("\u2591".repeat(emptyWidth), options.mode);
+  return `[${filled}${empty}] ${label2}`;
+}
+function banner(decision, options) {
+  const style = decisionStyle(decision, options.mode);
+  return `${style.glyph} ${style.label}`;
+}
+function kv(key, value, options) {
+  return `${accent.dim(key, options.mode)}: ${value}`;
+}
+
+// src/brand/wordmark.ts
+var DEFAULT_TAGLINE = "production operator for AI-built apps";
+function wordmark(options) {
+  const tagline = options.tagline ?? DEFAULT_TAGLINE;
+  const brand = accent.brand("VibeRaven", options.mode);
+  const mutedTagline = accent.dim(tagline, options.mode);
+  if (options.variant === "compact") {
+    return `${brand} - ${mutedTagline}`;
+  }
+  return [accent.bold(brand, options.mode), mutedTagline].join("\n");
+}
+
+// src/badge/renderBadge.ts
+var COLORS = {
+  CLEAR: "#2ea44f",
+  WARNING: "#dbab09",
+  BLOCKED: "#d1242f"
+};
+function label(prp) {
+  return prp.decision.toLowerCase();
+}
+function renderBadgeSvg(prp) {
+  const text = label(prp);
+  const color = COLORS[prp.decision];
+  const width = 132 + text.length * 7;
+  return `<svg xmlns="http://www.w3.org/2000/svg" width="${width}" height="20" role="img" aria-label="VibeRaven: ${text}">
+  <rect width="${width}" height="20" fill="#24292f"/>
+  <rect x="86" width="${width - 86}" height="20" fill="${color}"/>
+  <g fill="#fff" font-family="Verdana,Geneva,sans-serif" font-size="11">
+    <text x="8" y="14">VibeRaven</text>
+    <text x="94" y="14">${text}</text>
+  </g>
+</svg>`;
+}
+function renderBadgeMarkdown(prp) {
+  const text = label(prp);
+  const date = prp.generatedAt.slice(0, 10);
+  return `[![VibeRaven launch gate: ${text}](.viberaven/badge.svg)](https://viberaven.dev/production-protocol.md?utm_source=badge) \`gate: ${text} - ${date}\``;
+}
+function renderBadgeCard(prp, mode) {
+  const text = label(prp);
+  const date = prp.generatedAt.slice(0, 10);
+  const style = decisionStyle(prp.decision, mode);
+  return box(
+    [
+      wordmark({ variant: "compact", mode, tagline: "launch gate proof" }),
+      `${accent.dim("gate", mode)}: ${style.colorize(text)}`,
+      `${accent.dim("date", mode)}: ${date}`,
+      accent.brand("viberaven.dev", mode)
+    ],
+    { mode }
+  );
+}
+
+// src/brand/renderMode.ts
+function resolveRenderMode(input) {
+  if (input.env.VIBERAVEN_FORCE_RICH === "1") return "rich";
+  if (input.env.VIBERAVEN_PLAIN === "1") return "plain";
+  if (input.env.NO_COLOR !== void 0 && input.env.NO_COLOR !== "") return "plain";
+  if (input.surface === "agent-mode") return "plain";
+  return input.isTTY ? "rich" : "plain";
+}
+function currentRenderMode(surface) {
+  return resolveRenderMode({
+    surface,
+    isTTY: Boolean(process.stdout.isTTY),
+    env: process.env
+  });
+}
+
+// src/commands/badge.ts
+async function runBadgeCommand(options) {
+  const log = options.log ?? ((message) => console.log(message));
+  const artifactDir = (0, import_node_path24.join)(options.cwd, ".viberaven");
+  const prpPath = (0, import_node_path24.join)(artifactDir, "prp.json");
+  let prp;
+  try {
+    prp = JSON.parse(await (0, import_promises19.readFile)(prpPath, "utf8"));
+  } catch {
+    log("No .viberaven/prp.json found. Run: npx -y viberaven --agent-mode");
+    return 1;
+  }
+  if (options.svg) {
+    const outputPath = (0, import_node_path24.join)(artifactDir, "badge.svg");
+    await (0, import_promises19.mkdir)(artifactDir, { recursive: true });
+    await (0, import_promises19.writeFile)(outputPath, renderBadgeSvg(prp), "utf8");
+    log(`Wrote ${outputPath}`);
+    return 0;
+  }
+  if (options.card) {
+    log(renderBadgeCard(prp, currentRenderMode("human-command")));
+    return 0;
+  }
+  log("Add this to your README:");
+  log(renderBadgeMarkdown(prp));
+  return 0;
+}
+
 // src/output/nextActionBlock.ts
 function buildNextActionBlock(tasks, loopState, plan) {
   const batchSize = plan === "pro" ? 10 : 3;
@@ -14201,14 +14445,9 @@ function buildProviderActionBlock(task) {
       dashboardUrl: pa.dashboardUrl,
       exactStep: pa.exactStep,
       envKeyName: pa.envKeyName ?? null,
-      envKeyExample: pa.envKeyExample ?? null,
       doneSignal: pa.doneSignal,
       verifyCommand: task.verifyCommand,
-      mcpAlternative: task.mcpTool ?? pa.mcpAlternative ?? null,
-      actionClass: pa.actionClass ?? "manual_provider_step",
-      approvalRequired: pa.approvalRequired ?? true,
-      manualFallback: pa.manualFallback ?? pa.exactStep,
-      copyValues: pa.copyValues ?? []
+      mcpAlternative: task.mcpTool ?? pa.mcpAlternative ?? null
     }
   };
 }
@@ -14229,6 +14468,225 @@ function printNextActionBlock(block) {
   console.log(NEXT_ACTION_END);
 }
 
+// src/output/operatorBlock.ts
+var OPERATOR_START = "VIBERAVEN_OPERATOR_START";
+var OPERATOR_END = "VIBERAVEN_OPERATOR_END";
+function stackLine(prp) {
+  const parts = Array.from(
+    /* @__PURE__ */ new Set([
+      ...prp.detectedStack.deployment,
+      ...prp.detectedStack.database,
+      ...prp.detectedStack.auth,
+      ...prp.detectedStack.payments,
+      ...prp.detectedStack.monitoring
+    ])
+  );
+  if (parts.length > 0) {
+    return parts.join(" + ");
+  }
+  return prp.detectedStack.archetype ?? "unknown";
+}
+function uniqueEnvNames(tasks) {
+  return Array.from(
+    new Set(
+      tasks.map((task) => task.providerAction?.envKeyName).filter((name) => Boolean(name))
+    )
+  );
+}
+function humanTaskText(task) {
+  if (task.fixType === "provider-action") {
+    return task.providerAction?.exactStep ?? task.title;
+  }
+  if (task.fixType === "upgrade-required") {
+    return `Upgrade required: ${task.action ?? task.exactFix ?? task.title}`;
+  }
+  if (task.fixType === "manual-verify") {
+    return `Manual verification required: ${task.action ?? task.exactFix ?? task.title}`;
+  }
+  return task.title;
+}
+function riskSuffixFor(task, prp) {
+  const topRisk = prp.findings.find((finding) => finding.id === task.gapId)?.riskMapping?.owaspLlm?.[0];
+  return topRisk ? ` (risk: ${topRisk})` : "";
+}
+function readinessPercent(prp) {
+  if (prp.decision === "CLEAR") return 100;
+  if (prp.decision === "WARNING") return 65;
+  return 25;
+}
+function buildPlainOperatorBlock(prp, tasks) {
+  const repoTasks = tasks.filter((task) => task.fixType === "repo-code");
+  const humanTasks = tasks.filter((task) => task.fixType !== "repo-code");
+  const providerTasks = tasks.filter((task) => task.fixType === "provider-action");
+  const nextRepoTask = repoTasks[0];
+  const envNames = uniqueEnvNames(providerTasks);
+  const lines = [];
+  lines.push(`Decision: ${prp.decision}`);
+  lines.push(`Detected stack: ${stackLine(prp)}`);
+  lines.push("");
+  lines.push("What I can fix:");
+  if (repoTasks.length === 0) {
+    lines.push("  (none - no automated repo-code recipes apply)");
+  } else {
+    repoTasks.forEach((task, index) => {
+      lines.push(`  ${index + 1}. ${task.title}${riskSuffixFor(task, prp)}`);
+    });
+  }
+  lines.push("");
+  lines.push("What you must do:");
+  if (humanTasks.length === 0) {
+    lines.push("  (none - no human-owned steps required)");
+  } else {
+    humanTasks.forEach((task, index) => {
+      lines.push(`  ${index + 1}. ${humanTaskText(task)}${riskSuffixFor(task, prp)}`);
+    });
+  }
+  lines.push("");
+  lines.push("Next repo-code fix:");
+  lines.push(
+    nextRepoTask ? `  ${nextRepoTask.title}${riskSuffixFor(nextRepoTask, prp)} -> npx -y viberaven --heal --apply --gap ${nextRepoTask.gapId} --yes` : "  (none)"
+  );
+  lines.push("");
+  lines.push("Provider actions:");
+  if (providerTasks.length === 0) {
+    lines.push("  (none)");
+  } else {
+    providerTasks.forEach((task) => {
+      const providerAction = task.providerAction;
+      if (!providerAction) {
+        lines.push(`  - ${task.title}${riskSuffixFor(task, prp)}`);
+        return;
+      }
+      lines.push(`  - ${providerAction.provider}: ${providerAction.dashboardUrl}`);
+      lines.push(`    Step: ${providerAction.exactStep}${riskSuffixFor(task, prp)}`);
+      lines.push(`    Done when: ${providerAction.doneSignal}`);
+    });
+  }
+  lines.push("");
+  lines.push("Copy these env var names:");
+  lines.push(envNames.length > 0 ? `  ${envNames.join(", ")}` : "  (none)");
+  lines.push("");
+  lines.push(`Verify command: ${prp.verifyCommand}`);
+  lines.push("");
+  lines.push(`Do not deploy until: decision is CLEAR (current: ${prp.decision}). Run the verify command after fixes.`);
+  if (prp.decision === "CLEAR") {
+    lines.push("Share your launch proof: npx -y viberaven badge");
+  }
+  return lines.join("\n");
+}
+function buildRichOperatorBlock(prp, tasks) {
+  const repoTasks = tasks.filter((task) => task.fixType === "repo-code");
+  const humanTasks = tasks.filter((task) => task.fixType !== "repo-code");
+  const providerTasks = tasks.filter((task) => task.fixType === "provider-action");
+  const nextRepoTask = repoTasks[0];
+  const envNames = uniqueEnvNames(providerTasks);
+  const mode = "rich";
+  const lines = [];
+  lines.push(wordmark({ variant: "compact", mode }));
+  lines.push(rule(64, { mode }));
+  lines.push(
+    `${accent.bold("Decision", mode)}: ${banner(prp.decision, { mode })} ${gauge(readinessPercent(prp), {
+      width: 18,
+      mode
+    })}`
+  );
+  lines.push(kv("Detected stack", stackLine(prp), { mode }));
+  lines.push("");
+  lines.push(`${accent.bold("What I can fix", mode)}:`);
+  if (repoTasks.length === 0) {
+    lines.push(`  ${accent.dim("(none - no automated repo-code recipes apply)", mode)}`);
+  } else {
+    repoTasks.forEach((task, index) => {
+      lines.push(`  ${index + 1}. ${task.title}${riskSuffixFor(task, prp)}`);
+    });
+  }
+  lines.push("");
+  lines.push(`${accent.bold("What you must do", mode)}:`);
+  if (humanTasks.length === 0) {
+    lines.push(`  ${accent.dim("(none - no human-owned steps required)", mode)}`);
+  } else {
+    humanTasks.forEach((task, index) => {
+      lines.push(`  ${index + 1}. ${humanTaskText(task)}${riskSuffixFor(task, prp)}`);
+    });
+  }
+  lines.push("");
+  lines.push(`${accent.bold("Next repo-code fix", mode)}:`);
+  lines.push(
+    nextRepoTask ? `  ${nextRepoTask.title}${riskSuffixFor(nextRepoTask, prp)} -> npx -y viberaven --heal --apply --gap ${nextRepoTask.gapId} --yes` : `  ${accent.dim("(none)", mode)}`
+  );
+  lines.push("");
+  lines.push(`${accent.bold("Provider actions", mode)}:`);
+  if (providerTasks.length === 0) {
+    lines.push(`  ${accent.dim("(none)", mode)}`);
+  } else {
+    providerTasks.forEach((task) => {
+      const providerAction = task.providerAction;
+      if (!providerAction) {
+        lines.push(`  - ${task.title}${riskSuffixFor(task, prp)}`);
+        return;
+      }
+      lines.push(`  - ${accent.brand(providerAction.provider, mode)}: ${providerAction.dashboardUrl}`);
+      lines.push(`    ${kv("Step", `${providerAction.exactStep}${riskSuffixFor(task, prp)}`, { mode })}`);
+      lines.push(`    ${kv("Done when", providerAction.doneSignal, { mode })}`);
+    });
+  }
+  lines.push("");
+  lines.push(`${accent.bold("Copy these env var names", mode)}:`);
+  lines.push(envNames.length > 0 ? `  ${envNames.join(", ")}` : `  ${accent.dim("(none)", mode)}`);
+  lines.push("");
+  lines.push(kv("Verify command", prp.verifyCommand, { mode }));
+  lines.push("");
+  lines.push(
+    `${accent.bold("Do not deploy until", mode)}: decision is CLEAR (current: ${banner(
+      prp.decision,
+      { mode }
+    )}). Run the verify command after fixes.`
+  );
+  if (prp.decision === "CLEAR") {
+    lines.push(kv("Share your launch proof", "npx -y viberaven badge", { mode }));
+  }
+  return lines.join("\n");
+}
+function buildOperatorBlock(prp, tasks, mode = "plain") {
+  return mode === "rich" ? buildRichOperatorBlock(prp, tasks) : buildPlainOperatorBlock(prp, tasks);
+}
+function printOperatorBlock(prp, tasks, mode = "plain") {
+  if (mode === "rich") {
+    console.log(buildOperatorBlock(prp, tasks, "rich"));
+  }
+  console.log(OPERATOR_START);
+  console.log(buildOperatorBlock(prp, tasks, "plain"));
+  console.log(OPERATOR_END);
+}
+
+// src/output/celebration.ts
+function renderClearCelebration(prp, mode) {
+  if (prp.decision !== "CLEAR") return "";
+  const verifiedDate = prp.generatedAt.slice(0, 10);
+  const style = decisionStyle("CLEAR", mode);
+  const lines = [
+    `${style.glyph} ${style.label} production gate is clear`,
+    accent.dim(`Verified ${verifiedDate}`, mode),
+    "",
+    `Share your launch proof: ${accent.bold("npx -y viberaven badge", mode)}`
+  ];
+  return [wordmark({ variant: "compact", mode }), box(lines, { mode }), rule(40, { mode })].join("\n");
+}
+
+// src/output/loopProgress.ts
+function safeCount(value) {
+  if (!Number.isFinite(value)) return 0;
+  return Math.max(0, Math.floor(value));
+}
+function renderLoopProgress(input, mode) {
+  if (mode === "plain" && input.silentInPlain) return "";
+  const total = safeCount(input.total);
+  const applied = total > 0 ? Math.min(safeCount(input.applied), total) : safeCount(input.applied);
+  const percent = total === 0 ? 100 : applied / total * 100;
+  const label2 = `${STATUS_GLYPH.fixable} ${input.label}`;
+  return `${accent.bold(label2, mode)}  ${gauge(percent, { width: 12, mode })}  ${applied}/${total}`;
+}
+
 // src/providerMcpBridge.ts
 var import_node_fs12 = require("node:fs");
 var import_node_os2 = require("node:os");
@@ -14270,12 +14728,12 @@ function findServerEntry(servers, provider2) {
 }
 function findProviderMcpConfig(provider2, configPaths) {
   const paths = configPaths ?? resolveConfigPaths();
-  for (const path of paths) {
-    if (!(0, import_node_fs12.existsSync)(path)) {
+  for (const path3 of paths) {
+    if (!(0, import_node_fs12.existsSync)(path3)) {
       continue;
     }
     try {
-      const raw = JSON.parse((0, import_node_fs12.readFileSync)(path, "utf8"));
+      const raw = JSON.parse((0, import_node_fs12.readFileSync)(path3, "utf8"));
       const servers = parseMcpServers(raw);
       if (!servers) {
         continue;
@@ -14289,7 +14747,7 @@ function findProviderMcpConfig(provider2, configPaths) {
         command: typeof server.command === "string" ? server.command : void 0,
         args: Array.isArray(server.args) ? server.args.filter((arg) => typeof arg === "string") : void 0,
         url: typeof server.url === "string" ? server.url : void 0,
-        source: path
+        source: path3
       };
     } catch {
       continue;
@@ -14297,6 +14755,19 @@ function findProviderMcpConfig(provider2, configPaths) {
   }
   return void 0;
 }
+function hasUsableProviderMcpConfig(config) {
+  return Boolean(config.command?.trim() || config.url?.trim());
+}
+function findUsableProviderMcpConfig(provider2, configPaths) {
+  const paths = configPaths ?? resolveConfigPaths();
+  for (const path3 of paths) {
+    const config = findProviderMcpConfig(provider2, [path3]);
+    if (config && hasUsableProviderMcpConfig(config)) {
+      return config;
+    }
+  }
+  return void 0;
+}
 async function verifyProviderGap(options) {
   if (options.plan !== "pro") {
     return {
@@ -14327,6 +14798,254 @@ async function verifyProviderGap(options) {
   };
 }
 
+// src/connectedTools.ts
+var DETECTED_PROVIDERS = ["supabase", "vercel", "stripe", "github"];
+var INSTALL_HINTS = {
+  supabase: "claude mcp add --transport http supabase https://mcp.supabase.com/",
+  vercel: "claude mcp add --transport http vercel https://mcp.vercel.com/",
+  stripe: "claude mcp add --transport http stripe https://mcp.stripe.com/",
+  github: "claude mcp add --transport http github https://api.githubcopilot.com/mcp/"
+};
+var READONLY_PROVIDERS = /* @__PURE__ */ new Set(["vercel"]);
+function isDetectedProvider(provider2) {
+  return DETECTED_PROVIDERS.includes(provider2);
+}
+function installHintFor(provider2) {
+  const normalizedProvider = provider2.toLowerCase().trim();
+  if (isDetectedProvider(normalizedProvider)) {
+    return INSTALL_HINTS[normalizedProvider];
+  }
+  return `Add the ${provider2} MCP server to your agent config.`;
+}
+function detectConnectedTools() {
+  const tools = {};
+  for (const provider2 of DETECTED_PROVIDERS) {
+    const config = findUsableProviderMcpConfig(provider2);
+    if (!config) {
+      tools[`${provider2}Mcp`] = "missing";
+      continue;
+    }
+    tools[`${provider2}Mcp`] = READONLY_PROVIDERS.has(provider2) ? "available_readonly" : "available";
+  }
+  tools.browser = "available";
+  return tools;
+}
+
+// src/demo/runDemo.ts
+var import_node_fs13 = require("node:fs");
+var import_node_path27 = __toESM(require("node:path"));
+
+// src/demo/localRules.ts
+var import_promises20 = require("node:fs/promises");
+var import_node_path26 = __toESM(require("node:path"));
+var DEMO_SCANNED_AT = "2026-06-14T00:00:00.000Z";
+async function readKnownFile(root, relativePath) {
+  try {
+    return await (0, import_promises20.readFile)(import_node_path26.default.join(root, relativePath), "utf8");
+  } catch (error) {
+    const code = error.code;
+    if (code === "ENOENT") return "";
+    throw error;
+  }
+}
+function dependencyNames(packageJson) {
+  if (!packageJson.trim()) return /* @__PURE__ */ new Set();
+  const parsed = JSON.parse(packageJson);
+  return /* @__PURE__ */ new Set([
+    ...Object.keys(parsed.dependencies ?? {}),
+    ...Object.keys(parsed.devDependencies ?? {})
+  ]);
+}
+function stripTypeScriptComments(source) {
+  return source.replace(/\/\*[\s\S]*?\*\//g, "").split("\n").map((line) => {
+    let quote = null;
+    let escaped = false;
+    for (let index = 0; index < line.length - 1; index += 1) {
+      const char = line[index];
+      const next = line[index + 1];
+      if (quote) {
+        if (escaped) {
+          escaped = false;
+        } else if (char === "\\") {
+          escaped = true;
+        } else if (char === quote) {
+          quote = null;
+        }
+        continue;
+      }
+      if (char === '"' || char === "'" || char === "`") {
+        quote = char;
+        continue;
+      }
+      if (char === "/" && next === "/") {
+        return line.slice(0, index);
+      }
+    }
+    return line;
+  }).join("\n");
+}
+function stripSqlComments(source) {
+  return source.replace(/\/\*[\s\S]*?\*\//g, "").replace(/--.*$/gm, "");
+}
+function hasStripeWebhookSignatureVerification(source) {
+  const executable = stripTypeScriptComments(source);
+  return /webhooks\s*\.\s*constructEvent\s*\(/.test(executable) && /Stripe-Signature/.test(executable);
+}
+function hasEnabledRowLevelSecurity(source) {
+  return /enable\s+row\s+level\s+security/i.test(stripSqlComments(source));
+}
+function hasEnvAssignment(source, name) {
+  const pattern = new RegExp(`^\\s*${name}\\s*=`, "m");
+  return pattern.test(source);
+}
+function gap(input) {
+  return {
+    ...input,
+    toolSuggestions: [],
+    mcpSuggestion: null,
+    affectedMapCategories: input.affectedMapCategories ?? []
+  };
+}
+function emptyMissionGraph() {
+  return {
+    areas: [],
+    byArea: {},
+    byProvider: {},
+    repositoryEvidence: {
+      env: [],
+      security: []
+    }
+  };
+}
+async function scanDemoFixture(root) {
+  const [packageJson, stripeWebhook, migration, envExample] = await Promise.all([
+    readKnownFile(root, "package.json"),
+    readKnownFile(root, "app/api/stripe/webhook/route.ts"),
+    readKnownFile(root, "supabase/migrations/0001_init.sql"),
+    readKnownFile(root, ".env.example")
+  ]);
+  const dependencies = dependencyNames(packageJson);
+  const hasNext = dependencies.has("next");
+  const hasSupabase = dependencies.has("@supabase/supabase-js");
+  const hasStripe = dependencies.has("stripe");
+  const selectedProviders = {};
+  if (hasNext) selectedProviders.deployment = "vercel";
+  if (hasSupabase) {
+    selectedProviders.database = "supabase";
+    selectedProviders.auth = "supabase";
+  }
+  if (hasStripe) selectedProviders.payments = "stripe";
+  const gaps = [];
+  if (hasStripe && !hasStripeWebhookSignatureVerification(stripeWebhook)) {
+    gaps.push(
+      gap({
+        id: "stripe_webhook_signature_missing",
+        category: "SECURITY & AUTH",
+        severity: "critical",
+        title: "Verify Stripe webhook signatures",
+        detail: "The demo Stripe webhook handler does not verify the Stripe-Signature header with stripe.webhooks.constructEvent.",
+        copyPrompt: "Update the Stripe webhook route to read the raw request body, read the Stripe-Signature header, and verify events with stripe.webhooks.constructEvent using STRIPE_WEBHOOK_SECRET.",
+        primaryMapCategory: "payments",
+        affectedMapCategories: ["security"]
+      })
+    );
+  }
+  if (hasSupabase && !hasEnabledRowLevelSecurity(migration)) {
+    gaps.push(
+      gap({
+        id: "rls_disabled",
+        category: "DATABASE & DATA",
+        severity: "critical",
+        title: "Enable Supabase row level security",
+        detail: "The demo migration creates application data without enabling row level security.",
+        copyPrompt: "Add alter table statements that enable row level security and add least-privilege policies for the Supabase tables in the demo migration.",
+        primaryMapCategory: "database",
+        affectedMapCategories: ["auth", "security"]
+      })
+    );
+  }
+  if (hasStripe && !hasEnvAssignment(envExample, "STRIPE_WEBHOOK_SECRET")) {
+    gaps.push(
+      gap({
+        id: "missing_prod_env_stripe_webhook_secret",
+        category: "DEPLOYMENT",
+        severity: "warning",
+        title: "Document STRIPE_WEBHOOK_SECRET",
+        detail: "The demo .env.example does not include a STRIPE_WEBHOOK_SECRET assignment.",
+        copyPrompt: "Add STRIPE_WEBHOOK_SECRET to .env.example as an empty variable name so deploy setup documents the required Stripe webhook secret without exposing a value.",
+        primaryMapCategory: "deployment",
+        affectedMapCategories: ["payments"]
+      })
+    );
+  }
+  const hasCriticalGaps = gaps.some((item3) => item3.severity === "critical");
+  return {
+    version: 1,
+    scannedAt: DEMO_SCANNED_AT,
+    workspacePath: root,
+    score: hasCriticalGaps ? 55 : 90,
+    scoreLabel: hasCriticalGaps ? "Needs work" : "Looks solid",
+    summary: `Demo scan: ${gaps.length} launch gap(s) detected by local rules.`,
+    archetype: hasNext && hasSupabase && hasStripe ? "nextjs-supabase-stripe" : "demo-saas",
+    gaps,
+    missionGraph: emptyMissionGraph(),
+    stackWiring: { items: [], byKey: {} },
+    providerRegistry: {
+      version: 1,
+      source: "bundled",
+      generatedAt: DEMO_SCANNED_AT,
+      staleAfterDays: 30,
+      status: "fresh",
+      providers: []
+    },
+    verificationSummary: { byArea: {} },
+    productionCorePercent: hasCriticalGaps ? 40 : 95,
+    selectedProviders
+  };
+}
+
+// src/demo/runDemo.ts
+function bundledFixtureRoot() {
+  const candidates = [
+    import_node_path27.default.join(__dirname, "..", "fixtures", "demo-saas"),
+    import_node_path27.default.join(__dirname, "..", "..", "fixtures", "demo-saas")
+  ];
+  return candidates.find((candidate) => (0, import_node_fs13.existsSync)(import_node_path27.default.join(candidate, "package.json"))) ?? candidates[0];
+}
+async function runDemo(options) {
+  const label2 = options.label ?? "demo";
+  const connectedTools = detectConnectedTools();
+  const fixtureRoot = options.fixtureRoot ?? bundledFixtureRoot();
+  const scannedArtifact = await scanDemoFixture(fixtureRoot);
+  const artifact = {
+    ...scannedArtifact,
+    workspacePath: options.cwd
+  };
+  await writeScanArtifacts({
+    artifact,
+    cwd: options.cwd,
+    connectedTools,
+    prpMode: "demo"
+  });
+  if (options.agentMode) {
+    console.log(
+      label2 === "demo" ? "VibeRaven demo mode - no login, no API spend. Provider verification is simulated." : `VibeRaven ${label2 === "try" ? "Try" : "showcase run"} - no login, no API spend. Provider verification is simulated.`
+    );
+    const prp = generateProductionProtocol(artifact, { mode: "demo", connectedTools });
+    const mode = currentRenderMode("demo");
+    printOperatorBlock(prp, buildTaskList(artifact), mode);
+    const celebration = renderClearCelebration(prp, mode);
+    if (celebration) {
+      console.log(celebration);
+    }
+  } else {
+    console.log(
+      label2 === "demo" ? "VibeRaven demo complete. See .viberaven/prp.json" : `VibeRaven ${label2 === "try" ? "Try" : "showcase run"} complete. See .viberaven/prp.json`
+    );
+  }
+  return 0;
+}
+
 // src/cli.ts
 function printHelp() {
   console.log(`viberaven ${VERSION} \u2014 launch readiness for AI-built apps
@@ -14356,6 +15075,18 @@ Usage:
   viberaven --agent-mode [--json|--jsonl] [path]
                        Agent-first scan; writes tasklist, gate-result, context-map, and per-gap JSON
 
+  viberaven --demo [path]
+                       No-login demo scan over the bundled fixture; writes demo artifacts locally
+
+  viberaven --agent-mode --demo [path]
+                       Demo scan with operator output; no login, no managed API spend
+
+  viberaven try [path]
+                       Free no-login local try run over a bundled fixture; no OpenAI key or managed API spend
+
+  viberaven --showcase --agent-mode [path]
+                       Alias for the no-login local try run
+
   viberaven --strict[=warning] [path]
                        Fail when production gate is not clear; warning mode also fails on warnings
 
@@ -14394,6 +15125,9 @@ Usage:
   viberaven audit --vercel-supabase [--json] [path]
                        Local Vercel/Supabase repo evidence audit (RLS, pooler, secrets)
 
+  viberaven badge [--svg|--card] [path]
+                       Print a README badge, terminal card, or write .viberaven/badge.svg from .viberaven/prp.json
+
 
 
 Agent workflow (Claude Code / Codex):
@@ -14453,16 +15187,62 @@ function parseArgs(argv) {
       continue;
     }
     if (!command) {
-      command = arg;
+      if (isRootModePositional(flags, arg)) {
+        positional.push(arg);
+      } else {
+        command = arg;
+      }
     } else {
       positional.push(arg);
     }
   }
   return { command, flags, positional };
 }
+var KNOWN_COMMANDS = /* @__PURE__ */ new Set([
+  "audit",
+  "badge",
+  "connect",
+  "doctor",
+  "guide",
+  "init",
+  "interactive",
+  "login",
+  "logout",
+  "next",
+  "open",
+  "prompt",
+  "provider-verify",
+  "report",
+  "scan",
+  "stack",
+  "status",
+  "tui",
+  "try",
+  "validate-npm-package",
+  "version",
+  "watch"
+]);
+function isRootModePositional(flags, token) {
+  if (KNOWN_COMMANDS.has(token)) {
+    return false;
+  }
+  return [
+    "agent-mode",
+    "demo",
+    "showcase",
+    "json",
+    "jsonl",
+    "strict",
+    "condense",
+    "verify",
+    "heal"
+  ].some((key) => flags[key] !== void 0);
+}
 function isBooleanFlag(command, key) {
   if ([
     "agent-mode",
+    "demo",
+    "showcase",
     "json",
     "jsonl",
     "condense",
@@ -14480,6 +15260,8 @@ function isBooleanFlag(command, key) {
   if (key === "open" && (command === "" || command === "scan" || command === "report")) return true;
   if (key === "verify" && command === "") return true;
   if (key === "vercel-supabase" && command === "audit") return true;
+  if (key === "svg" && command === "badge") return true;
+  if (key === "card" && command === "badge") return true;
   if (key === "json" && command === "validate-npm-package") return true;
   if (key === "dry-run" && command === "init") return true;
   if (key === "agents" && command === "doctor") return true;
@@ -14499,7 +15281,7 @@ async function guardEarlyVerifyScan(input) {
   if (!verifyLike) {
     return void 0;
   }
-  const workspacePath = input.positional[0] ? (0, import_node_path26.join)(process.cwd(), input.positional[0]) : await resolveWorkspaceRoot(process.cwd());
+  const workspacePath = input.positional[0] ? (0, import_node_path28.join)(process.cwd(), input.positional[0]) : await resolveWorkspaceRoot(process.cwd());
   const loopState = await loadLoopState(workspacePath);
   if (loopState.batchApplied <= 0) {
     return void 0;
@@ -14523,7 +15305,19 @@ async function guardEarlyVerifyScan(input) {
     return void 0;
   }
   const nextTask = remainingRepoCodeTasks[0];
+  const progress = renderLoopProgress(
+    {
+      applied: loopState.batchApplied,
+      total: batchSize,
+      label: "Healing repo gaps",
+      silentInPlain: true
+    },
+    currentRenderMode("human-command")
+  );
   console.error("SCAN_DEFERRED: Local heal batch is not full yet, so VibeRaven is protecting scan quota.");
+  if (progress) {
+    console.error(progress);
+  }
   console.error(`Batch progress: ${loopState.batchApplied}/${batchSize} local heals applied since the last scan.`);
   console.error(`Next local heal: npx -y viberaven --heal --apply --gap ${nextTask.gapId} --yes`);
   console.error("Run verify again after the batch is full, or add --force-scan if the user explicitly wants to spend a scan now.");
@@ -14538,6 +15332,36 @@ function resolveDefaultEntrypointMode(options) {
 function formatScanJsonStdout(artifact) {
   return JSON.stringify(sanitizeArtifactForDisk(artifact), null, 2);
 }
+function providerFromConnectedToolKey(tool) {
+  if (!tool.endsWith("Mcp")) return void 0;
+  return tool.slice(0, -3).toLowerCase();
+}
+function normalizeProviderForConnectedToolHint(provider2) {
+  const lower = provider2.trim().toLowerCase();
+  const tokens = lower.split(/[^a-z0-9]+/).filter(Boolean);
+  for (const knownProvider of ["supabase", "stripe", "vercel", "github"]) {
+    if (lower === knownProvider || tokens.includes(knownProvider)) {
+      return knownProvider;
+    }
+  }
+  return lower;
+}
+function printMissingConnectedToolHints(prp) {
+  const relevantProviders = new Set([
+    ...prp.detectedStack.auth,
+    ...prp.detectedStack.database,
+    ...prp.detectedStack.deployment,
+    ...prp.detectedStack.payments
+  ].map(normalizeProviderForConnectedToolHint));
+  for (const [tool, state] of Object.entries(prp.connectedTools)) {
+    const provider2 = providerFromConnectedToolKey(tool);
+    if (!provider2 || state !== "missing" || !relevantProviders.has(provider2)) {
+      continue;
+    }
+    console.log(`${provider2} MCP is not connected. For stronger verification, add it:`);
+    console.log(`  ${installHintFor(provider2)}`);
+  }
+}
 async function cmdLogin(flags) {
   const apiBaseUrl = resolveApiBaseUrl(typeof flags["api-url"] === "string" ? flags["api-url"] : void 0);
   await runDeviceLogin(apiBaseUrl);
@@ -14575,7 +15399,7 @@ async function cmdStatus(flags, positional) {
     console.log("Not signed in. Run: viberaven login");
     return 1;
   }
-  const startDir = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
   let artifact;
   try {
     artifact = await loadLastArtifact(startDir);
@@ -14729,7 +15553,7 @@ async function cmdWatch(flags) {
   }
 }
 async function runScanCommand(flags, positional, options) {
-  const workspacePath = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : await resolveWorkspaceRoot(process.cwd());
+  const workspacePath = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : await resolveWorkspaceRoot(process.cwd());
   const apiBaseUrl = resolveApiBaseUrl(typeof flags["api-url"] === "string" ? flags["api-url"] : void 0);
   let accessToken;
   try {
@@ -14775,17 +15599,14 @@ async function runScanCommand(flags, positional, options) {
     return { exitCode: 1 };
   }
   const artifact = await enrichArtifactWithAccount(result.artifact, apiBaseUrl, accessToken);
-  const paths = await writeScanArtifacts({ artifact, cwd: workspacePath });
+  const connectedTools = detectConnectedTools();
+  const paths = await writeScanArtifacts({ artifact, cwd: workspacePath, connectedTools });
   if (flags.json && !options?.deferMachineOutput) {
     console.log(formatScanJsonStdout(artifact));
     return { exitCode: 0, artifacts: paths };
   }
   if (!options?.deferMachineOutput) {
     printScanSummary(artifact, paths);
-    if (flags["agent-mode"]) {
-      const prp = JSON.parse(await (0, import_promises19.readFile)(paths.prpPath, "utf8"));
-      console.log(renderProductionProtocolSummary(prp));
-    }
   }
   if (artifact.usage && !options?.deferMachineOutput) {
     console.log(formatUsageLine(artifact.usage));
@@ -14795,6 +15616,14 @@ async function runScanCommand(flags, positional, options) {
     const openGapCount = artifact.gaps.length;
     const updatedState = resetBatch(loopState, openGapCount);
     const tasks = buildTaskList(artifact);
+    const prp = generateProductionProtocol(artifact, { connectedTools });
+    const mode = currentRenderMode("agent-mode");
+    printOperatorBlock(prp, tasks, mode);
+    const celebration = renderClearCelebration(prp, mode);
+    if (celebration) {
+      console.log(celebration);
+    }
+    printMissingConnectedToolHints(prp);
     const plan = artifact.plan ?? "free";
     const block = buildNextActionBlock(tasks, updatedState, plan);
     printNextActionBlock(block);
@@ -14811,7 +15640,7 @@ async function runScanCommand(flags, positional, options) {
   return { exitCode: 0, artifacts: paths };
 }
 async function cmdReport(flags, positional) {
-  const startDir = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
   try {
     const paths = await refreshReportFromDisk(startDir);
     console.log(`Report refreshed: ${paths.reportPath}`);
@@ -14833,7 +15662,7 @@ async function cmdReport(flags, positional) {
   }
 }
 async function cmdPrompt(flags, positional) {
-  const startDir = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
   let artifact;
   try {
     artifact = await loadLastArtifact(startDir);
@@ -14841,26 +15670,26 @@ async function cmdPrompt(flags, positional) {
     console.error(error instanceof Error ? error.message : "No scan found. Run: viberaven scan");
     return 1;
   }
-  const gap = pickGap(artifact, {
+  const gap2 = pickGap(artifact, {
     gapId: typeof flags.gap === "string" ? flags.gap : void 0,
     provider: typeof flags.provider === "string" ? flags.provider : void 0,
     area: typeof flags.area === "string" ? flags.area : void 0
   });
-  if (!gap) {
+  if (!gap2) {
     console.error("No matching gap. Run `viberaven scan` or pass --gap <id>.");
     return 1;
   }
   const skipCopy = flags["no-copy"] === true;
   if (!skipCopy) {
     try {
-      await copyToClipboard(gap.copyPrompt);
-      console.log(`Copied to clipboard: ${gap.title}`);
+      await copyToClipboard(gap2.copyPrompt);
+      console.log(`Copied to clipboard: ${gap2.title}`);
       return 0;
     } catch (error) {
       console.warn(error instanceof Error ? error.message : String(error));
     }
   }
-  console.log(gap.copyPrompt);
+  console.log(gap2.copyPrompt);
   return 0;
 }
 var STACK_AREAS = /* @__PURE__ */ new Set(["database", "auth", "payments", "deployment", "monitoring", "security"]);
@@ -14931,7 +15760,7 @@ async function main() {
   const wantsJsonl = hasFlag(flags, "jsonl");
   const wantsStrict = hasFlag(flags, "strict");
   if (flags.condense) {
-    const cwd = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd();
+    const cwd = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
     const result = await runCondenseCommand({ cwd });
     console.log(`VibeRaven context map refreshed: ${result.contextMapPath}`);
     return 0;
@@ -14949,6 +15778,14 @@ async function main() {
     console.log(JSON.stringify(result, null, 2));
     return result.status.startsWith("refused") || result.status === "failed" ? 1 : 0;
   }
+  if (command === "try") {
+    const cwd = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
+    return runDemo({ cwd, agentMode: true, label: "try" });
+  }
+  if (hasFlag(flags, "demo") || hasFlag(flags, "showcase")) {
+    const cwd = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
+    return runDemo({ cwd, agentMode: isAgentMode, label: hasFlag(flags, "showcase") ? "showcase" : "demo" });
+  }
   if (!command && (isAgentMode || flags.verify === true || wantsJson || wantsJsonl || wantsStrict)) {
     const guardedExitCode = await guardEarlyVerifyScan({ flags, positional, wantsStrict });
     if (guardedExitCode !== void 0) {
@@ -14960,7 +15797,7 @@ async function main() {
       console.error("VibeRaven could not produce machine output because scan artifacts were not written.");
       return 3;
     }
-    const gateResult = scanResult.artifacts && (wantsJson || wantsJsonl || wantsStrict) ? JSON.parse(await (0, import_promises19.readFile)(scanResult.artifacts.gateResultPath, "utf8")) : void 0;
+    const gateResult = scanResult.artifacts && (wantsJson || wantsJsonl || wantsStrict) ? JSON.parse(await (0, import_promises21.readFile)(scanResult.artifacts.gateResultPath, "utf8")) : void 0;
     const strictExitCode = wantsStrict && gateResult ? exitCodeForStrictGate(gateResult, { failOnWarnings: flags.strict === "warning" }) : scanResult.exitCode;
     if (wantsJson && gateResult) {
       process.stdout.write(renderGateResultJson(gateResult));
@@ -14995,7 +15832,7 @@ async function main() {
     case "next":
       return runNextCommand({
         json: Boolean(flags.json),
-        cwd: positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd()
+        cwd: positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd()
       });
     case "guide": {
       const provider2 = positional[0];
@@ -15033,7 +15870,7 @@ async function main() {
     case "provider-verify":
       return cmdProviderVerify(flags, positional);
     case "init": {
-      const cwd = positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd();
+      const cwd = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
       const agents = typeof flags.agents === "string" ? flags.agents : void 0;
       return runInitCommand({
         cwd,
@@ -15047,7 +15884,7 @@ async function main() {
         return 1;
       }
       return runDoctorAgentsCommand({
-        cwd: positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd()
+        cwd: positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd()
       });
     case "validate-npm-package":
       return runValidateNpmPackageCommand({
@@ -15060,9 +15897,15 @@ async function main() {
         return 1;
       }
       return runAuditCommand({
-        cwd: positional[0] ? (0, import_node_path26.join)(process.cwd(), positional[0]) : process.cwd(),
+        cwd: positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd(),
         json: Boolean(flags.json)
       });
+    case "badge":
+      return runBadgeCommand({
+        cwd: positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd(),
+        svg: flags.svg === true,
+        card: flags.card === true
+      });
     default:
       console.error(`Unknown command: ${command}`);
       printHelp();