@viberaven/cli 1.1.4 → 1.1.6

package/dist/cli.js

@@ -31,9 +31,9 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// ../../../../node_modules/picocolors/picocolors.js
+// ../../node_modules/picocolors/picocolors.js
 var require_picocolors = __commonJS({
-  "../../../../node_modules/picocolors/picocolors.js"(exports2, module2) {
+  "../../node_modules/picocolors/picocolors.js"(exports2, module2) {
     var p2 = process || {};
     var argv = p2.argv || [];
     var env = p2.env || {};
@@ -103,9 +103,9 @@ var require_picocolors = __commonJS({
   }
 });
 
-// ../../../../node_modules/sisteransi/src/index.js
+// ../../node_modules/sisteransi/src/index.js
 var require_src = __commonJS({
-  "../../../../node_modules/sisteransi/src/index.js"(exports2, module2) {
+  "../../node_modules/sisteransi/src/index.js"(exports2, module2) {
     "use strict";
     var ESC = "\x1B";
     var CSI = `${ESC}[`;
@@ -170,8 +170,8 @@ __export(cli_exports, {
   runScanCommand: () => runScanCommand
 });
 module.exports = __toCommonJS(cli_exports);
-var import_promises21 = require("node:fs/promises");
-var import_node_path28 = require("node:path");
+var import_promises19 = require("node:fs/promises");
+var import_node_path25 = require("node:path");
 
 // src/config.ts
 var import_node_os = require("node:os");
@@ -528,8 +528,8 @@ var UPGRADE_REQUIRED = "UPGRADE_REQUIRED";
 var MANUAL_ACTION_REQUIRED = "MANUAL_ACTION_REQUIRED";
 var AGENT_ACTION = "AGENT_ACTION";
 var ERROR = "ERROR";
-function formatAgentStatus(label2, message) {
-  return `${label2}: ${message}`;
+function formatAgentStatus(label, message) {
+  return `${label}: ${message}`;
 }
 
 // src/account.ts
@@ -621,12 +621,12 @@ function createOpenCommand(target, platform = process.platform) {
 }
 async function openWithSystemDefault(target) {
   const { command, args, shell } = createOpenCommand(target);
-  await new Promise((resolve6, reject) => {
+  await new Promise((resolve5, reject) => {
     const child = (0, import_node_child_process.spawn)(command, args, { stdio: "ignore", shell });
     child.on("error", reject);
     child.on("exit", (code) => {
       if (code === 0) {
-        resolve6();
+        resolve5();
       } else {
         reject(new Error(`Could not open browser (exit ${code ?? "unknown"}). Open manually: ${target}`));
       }
@@ -661,14 +661,11 @@ function promptGapCommand(gapId) {
 function healPlanGapCommand(gapId) {
   return `${PUBLIC_COMMAND} --heal --plan --gap ${gapId}`;
 }
-function healApplyGapCommand(gapId) {
-  return `${PUBLIC_COMMAND} --heal --apply --gap ${gapId}`;
-}
 
 // src/auth.ts
 var PUBLIC_LOGIN_COMMAND = `${PUBLIC_COMMAND} login`;
 function sleep(ms) {
-  return new Promise((resolve6) => setTimeout(resolve6, ms));
+  return new Promise((resolve5) => setTimeout(resolve5, ms));
 }
 async function runDeviceLogin(apiBaseUrl) {
   const signIn = await startManagedSignIn(apiBaseUrl);
@@ -1097,7 +1094,7 @@ function createGitignoreMatcher(gitignoreContent) {
   const rules = gitignoreContent.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#") && !line.startsWith("!")).map(parseGitignoreRule);
   return (relPath) => {
     const normalized = relPath.replace(/\\/g, "/").replace(/^\/+/, "");
-    return rules.some((rule2) => ruleMatchesPath(rule2, normalized));
+    return rules.some((rule) => ruleMatchesPath(rule, normalized));
   };
 }
 function parseGitignoreRule(raw) {
@@ -1114,22 +1111,22 @@ function parseGitignoreRule(raw) {
     regex: new RegExp(`^${gitignoreGlobToRegex(pattern)}$`)
   };
 }
-function ruleMatchesPath(rule2, relPath) {
-  const candidates = rule2.anchored || rule2.hasSlash ? [relPath] : relPath.split("/");
-  const directMatch = candidates.some((candidate) => rule2.regex.test(candidate));
-  if (directMatch && !rule2.directoryOnly) {
+function ruleMatchesPath(rule, relPath) {
+  const candidates = rule.anchored || rule.hasSlash ? [relPath] : relPath.split("/");
+  const directMatch = candidates.some((candidate) => rule.regex.test(candidate));
+  if (directMatch && !rule.directoryOnly) {
     return true;
   }
-  if (directMatch && rule2.directoryOnly) {
+  if (directMatch && rule.directoryOnly) {
     return true;
   }
-  if (!rule2.directoryOnly) {
+  if (!rule.directoryOnly) {
     return false;
   }
-  if (rule2.anchored || rule2.hasSlash) {
-    return relPath === rule2.pattern || relPath.startsWith(`${rule2.pattern}/`);
+  if (rule.anchored || rule.hasSlash) {
+    return relPath === rule.pattern || relPath.startsWith(`${rule.pattern}/`);
   }
-  return relPath.split("/").includes(rule2.pattern);
+  return relPath.split("/").includes(rule.pattern);
 }
 function gitignoreGlobToRegex(pattern) {
   let out = "";
@@ -1249,7 +1246,7 @@ function fallbackMapCategoryForGap(category, text) {
 function inferMapCategories(category, title, detail, copyPrompt, explicitPrimary, explicitAffected) {
   const text = [category, title, detail, copyPrompt].filter(Boolean).join(" ");
   const fallback = fallbackMapCategoryForGap(category, text);
-  const matched = MAP_CATEGORY_RULES.filter((rule2) => rule2.match.test(text)).map((rule2) => rule2.key);
+  const matched = MAP_CATEGORY_RULES.filter((rule) => rule.match.test(text)).map((rule) => rule.key);
   const explicit = isProductionMapCategoryKey(explicitPrimary) ? [explicitPrimary] : [];
   const affected = Array.isArray(explicitAffected) ? explicitAffected.filter(isProductionMapCategoryKey) : [];
   const primarySeed = matched[0] ? [matched[0], fallback] : [fallback];
@@ -1294,12 +1291,12 @@ function normalizeGap(v) {
     affectedMapCategories
   };
 }
-function rootGapKey(gap2) {
-  const titleKey = slugify(gap2.title);
+function rootGapKey(gap) {
+  const titleKey = slugify(gap.title);
   if (titleKey) {
     return titleKey;
   }
-  return slugify([gap2.category, gap2.copyPrompt].join(" ")) || gap2.id;
+  return slugify([gap.category, gap.copyPrompt].join(" ")) || gap.id;
 }
 function mergeToolSuggestions(a, b3) {
   const seen = /* @__PURE__ */ new Set();
@@ -1329,17 +1326,17 @@ function mergeRootGaps(a, b3) {
 function dedupeRootGaps(gaps) {
   const byKey = /* @__PURE__ */ new Map();
   const order = [];
-  for (const gap2 of gaps) {
-    const key = rootGapKey(gap2);
+  for (const gap of gaps) {
+    const key = rootGapKey(gap);
     const existing = byKey.get(key);
     if (!existing) {
-      byKey.set(key, gap2);
+      byKey.set(key, gap);
       order.push(key);
       continue;
     }
-    byKey.set(key, mergeRootGaps(existing, gap2));
+    byKey.set(key, mergeRootGaps(existing, gap));
   }
-  return order.map((key) => byKey.get(key)).filter((gap2) => Boolean(gap2));
+  return order.map((key) => byKey.get(key)).filter((gap) => Boolean(gap));
 }
 function normalizeChecklist(v) {
   const defaults = {
@@ -1483,15 +1480,15 @@ function buildLaunchValidationReport(input) {
       promptTemplate: conflict.recommendedAction.promptTemplate
     }))
   );
-  const gapIssues = (input.gaps ?? []).filter((gap2) => gap2.severity !== "info").map((gap2) => {
-    const area = gapArea(gap2);
+  const gapIssues = (input.gaps ?? []).filter((gap) => gap.severity !== "info").map((gap) => {
+    const area = gapArea(gap);
     return {
-      id: `gap-${gap2.id}`,
+      id: `gap-${gap.id}`,
       area,
-      severity: gap2.severity,
-      title: gap2.title,
-      detail: gap2.detail,
-      promptTemplate: gap2.severity === "critical" && isLaunchCriticalArea(area) ? "launch-blocker" : "repo-fix"
+      severity: gap.severity,
+      title: gap.title,
+      detail: gap.detail,
+      promptTemplate: gap.severity === "critical" && isLaunchCriticalArea(area) ? "launch-blocker" : "repo-fix"
     };
   });
   const providerCoverageWarnings = providerCoverageIssues(input.providerTruth);
@@ -1606,8 +1603,8 @@ function isActionableProviderCheckRow(row) {
 function hasCompletedManualConfirmation(row) {
   return row.manualProof.status === "manual-confirmed" || row.roles.some((role) => role === "manual-confirmed");
 }
-function gapArea(gap2) {
-  return VERIFICATION_AREAS.includes(gap2.primaryMapCategory) ? gap2.primaryMapCategory : "appFlow";
+function gapArea(gap) {
+  return VERIFICATION_AREAS.includes(gap.primaryMapCategory) ? gap.primaryMapCategory : "appFlow";
 }
 function isLaunchCriticalArea(area) {
   return LAUNCH_CRITICAL_AREAS.includes(area);
@@ -2076,11 +2073,11 @@ function buildProviderRegistrySnapshot(now = /* @__PURE__ */ new Date()) {
     providers
   };
 }
-function provider(providerKey, label2, aliases, areas, productionAreas, iconKey, extras = {}) {
+function provider(providerKey, label, aliases, areas, productionAreas, iconKey, extras = {}) {
   const sifgTemplateIds = areas.flatMap((area) => sifgTemplatesForRegistryProviderArea(providerKey, area)).map((template) => template.id);
   return {
     provider: providerKey,
-    label: label2,
+    label,
     aliases,
     areas,
     productionAreas,
@@ -2218,20 +2215,20 @@ function mapEvidenceSourceToLegacyEvidenceClass(source, status) {
   }
   return "mcp-verifier";
 }
-function isProviderLayerCheck(check) {
-  return check.evidenceSource === "provider" || check.evidenceSource === "mcp";
+function isProviderLayerCheck(check2) {
+  return check2.evidenceSource === "provider" || check2.evidenceSource === "mcp";
 }
-function isRepoLayerCheck(check) {
-  return check.evidenceSource === "repo";
+function isRepoLayerCheck(check2) {
+  return check2.evidenceSource === "repo";
 }
 function computeLayerReadinessPercent(checks, layer) {
   const filtered = checks.filter(
-    (check) => layer === "repo" ? isRepoLayerCheck(check) : isProviderLayerCheck(check)
+    (check2) => layer === "repo" ? isRepoLayerCheck(check2) : isProviderLayerCheck(check2)
   );
   if (filtered.length === 0) {
     return 100;
   }
-  const verified = filtered.filter((check) => check.status === "verified").length;
+  const verified = filtered.filter((check2) => check2.status === "verified").length;
   return Math.round(verified / filtered.length * 100);
 }
 function aggregateReadinessPercents(providerResults) {
@@ -2263,7 +2260,7 @@ function mergeVerificationIntoMissionGraph(graph, layer) {
     if (!mission) {
       continue;
     }
-    if (mission.checks.some((check) => check.verificationCheckId === layerCheck.id || check.id === missionRowId(layerCheck.id))) {
+    if (mission.checks.some((check2) => check2.verificationCheckId === layerCheck.id || check2.id === missionRowId(layerCheck.id))) {
       continue;
     }
     mission.checks.push(verificationCheckToMissionCheck(layerCheck, mission));
@@ -2354,7 +2351,7 @@ function readinessPercentForRepoChecks(checks) {
   if (repoChecks.length === 0) {
     return 100;
   }
-  const verified = repoChecks.filter((check) => isVerifiedMissionCheck(check)).length;
+  const verified = repoChecks.filter((check2) => isVerifiedMissionCheck(check2)).length;
   return Math.round(verified / repoChecks.length * 100);
 }
 function readinessPercentForProviderChecks(checks) {
@@ -2362,29 +2359,29 @@ function readinessPercentForProviderChecks(checks) {
   if (providerChecks.length === 0) {
     return 100;
   }
-  const verified = providerChecks.filter((check) => isVerifiedMissionCheck(check)).length;
+  const verified = providerChecks.filter((check2) => isVerifiedMissionCheck(check2)).length;
   return Math.round(verified / providerChecks.length * 100);
 }
-function isRepoLayerMissionCheck(check) {
-  if (check.evidenceSource === "provider" || check.evidenceSource === "mcp" || check.evidenceSource === "manual") {
+function isRepoLayerMissionCheck(check2) {
+  if (check2.evidenceSource === "provider" || check2.evidenceSource === "mcp" || check2.evidenceSource === "manual") {
     return false;
   }
-  if (check.evidenceSource === "repo") {
+  if (check2.evidenceSource === "repo") {
     return true;
   }
-  return check.evidenceClass === "repo-verified" || check.evidenceClass === "missing-repo-fix";
+  return check2.evidenceClass === "repo-verified" || check2.evidenceClass === "missing-repo-fix";
 }
-function isProviderLayerMissionCheck(check) {
-  if (check.evidenceSource === "provider" || check.evidenceSource === "mcp") {
+function isProviderLayerMissionCheck(check2) {
+  if (check2.evidenceSource === "provider" || check2.evidenceSource === "mcp") {
     return true;
   }
-  return check.evidenceClass === "mcp-verifier";
+  return check2.evidenceClass === "mcp-verifier";
 }
-function isVerifiedMissionCheck(check) {
-  if (check.verificationStatus) {
-    return check.verificationStatus === "verified";
+function isVerifiedMissionCheck(check2) {
+  if (check2.verificationStatus) {
+    return check2.verificationStatus === "verified";
   }
-  return check.status === "passed" || check.status === "user-confirmed";
+  return check2.status === "passed" || check2.status === "user-confirmed";
 }
 function rebuildAreas(providerMissions) {
   const byArea = /* @__PURE__ */ new Map();
@@ -2413,7 +2410,7 @@ function rebuildAreas(providerMissions) {
     const repoReadinessPercent = percentVerified(repoChecks);
     const providerReadinessPercent = percentVerified(providerChecks);
     const criticalCount = missions.flatMap((m2) => m2.checks).filter(
-      (check) => isProviderLayerMissionCheck(check) && (check.verificationStatus === "missing" || check.status === "missing" || check.status === "failed")
+      (check2) => isProviderLayerMissionCheck(check2) && (check2.verificationStatus === "missing" || check2.status === "missing" || check2.status === "failed")
     ).length;
     return {
       key,
@@ -2430,7 +2427,7 @@ function percentVerified(checks) {
   if (checks.length === 0) {
     return 100;
   }
-  const verified = checks.filter((check) => isVerifiedMissionCheck(check)).length;
+  const verified = checks.filter((check2) => isVerifiedMissionCheck(check2)).length;
   return Math.round(verified / checks.length * 100);
 }
 
@@ -2495,7 +2492,7 @@ function toProviderMission(summary) {
     promptSubject: summary.promptSubject,
     readinessPercent: summary.readinessPercent,
     repoReadinessPercent: summary.readinessPercent,
-    providerReadinessPercent: checks.some((check) => check.evidenceClass === "mcp-verifier") ? 0 : 100,
+    providerReadinessPercent: checks.some((check2) => check2.evidenceClass === "mcp-verifier") ? 0 : 100,
     checks
   };
 }
@@ -2540,7 +2537,7 @@ function overlaySifgLeaks(providerMissions, graph) {
   const providerCheckIds = new Map(
     providerMissions.map((mission) => [
       mission.key,
-      new Set(mission.checks.map((check) => check.id))
+      new Set(mission.checks.map((check2) => check2.id))
     ])
   );
   for (const leak of graph.leaks) {
@@ -2559,9 +2556,9 @@ function overlaySifgLeaks(providerMissions, graph) {
       continue;
     }
     const usedCheckIds = providerCheckIds.get(mission.key) ?? /* @__PURE__ */ new Set();
-    const check = toSifgMissionCheck(mission, pipeline, pipelineId, leaks, usedCheckIds);
-    mission.checks.push(check);
-    usedCheckIds.add(check.id);
+    const check2 = toSifgMissionCheck(mission, pipeline, pipelineId, leaks, usedCheckIds);
+    mission.checks.push(check2);
+    usedCheckIds.add(check2.id);
     providerCheckIds.set(mission.key, usedCheckIds);
   }
   for (const mission of providerMissions) {
@@ -2612,11 +2609,11 @@ function stableSifgSuffix(id) {
 }
 function readinessPercentForChecks(checks) {
   const actionableChecks = checks.filter(isActionableCheck);
-  const passed = actionableChecks.filter((check) => check.status === "passed").length;
+  const passed = actionableChecks.filter((check2) => check2.status === "passed").length;
   return Math.round(passed / Math.max(actionableChecks.length, 1) * 100);
 }
-function isActionableCheck(check) {
-  return check.evidenceClass !== "manual-dashboard" && check.evidenceClass !== "mcp-verifier";
+function isActionableCheck(check2) {
+  return check2.evidenceClass !== "manual-dashboard" && check2.evidenceClass !== "mcp-verifier";
 }
 function buildAreas(providerMissions) {
   const byArea = /* @__PURE__ */ new Map();
@@ -2627,15 +2624,15 @@ function buildAreas(providerMissions) {
   }
   return [...byArea.entries()].map(([key, missions]) => {
     const actionableChecks = missions.flatMap((mission) => mission.checks).filter(isActionableCheck);
-    const passed = actionableChecks.filter((check) => check.status === "passed").length;
-    const missing = actionableChecks.filter((check) => check.status === "missing" || check.status === "failed").length;
+    const passed = actionableChecks.filter((check2) => check2.status === "passed").length;
+    const missing = actionableChecks.filter((check2) => check2.status === "missing" || check2.status === "failed").length;
     return {
       key,
       label: AREA_LABELS[key],
       readinessPercent: Math.round(passed / Math.max(actionableChecks.length, 1) * 100),
       repoReadinessPercent: Math.round(passed / Math.max(actionableChecks.length, 1) * 100),
       providerReadinessPercent: missions.some(
-        (mission) => mission.checks.some((check) => check.evidenceClass === "mcp-verifier")
+        (mission) => mission.checks.some((check2) => check2.evidenceClass === "mcp-verifier")
       ) ? 0 : 100,
       criticalCount: missing,
       providerMissions: missions
@@ -2938,14 +2935,14 @@ function detectProductionConnectionEvidence(scan) {
     content: file.isSecret || typeof file.content !== "string" ? "" : file.content,
     lowerContent: file.isSecret || typeof file.content !== "string" ? "" : file.content.toLowerCase()
   }));
-  const secretPathBlob = scan.secretsFound.map((path3) => normalizePath(path3)).join("\n");
+  const secretPathBlob = scan.secretsFound.map((path) => normalizePath(path)).join("\n");
   const pathBlob = `${scan.fileTree}
 ${files.map((file) => file.path).join("\n")}`.toLowerCase();
   const contentBlob = files.map((file) => file.lowerContent).join("\n").slice(0, 12e4);
   const secretsHygieneBlob = `${pathBlob}
 ${secretPathBlob}`;
-  for (const rule2 of PROVIDER_RULES) {
-    detectProvider(evidence, rule2, deps, files, pathBlob);
+  for (const rule of PROVIDER_RULES) {
+    detectProvider(evidence, rule, deps, files, pathBlob);
   }
   detectSecretsHygiene(evidence, secretsHygieneBlob);
   for (const item3 of Object.values(evidence)) {
@@ -2999,55 +2996,55 @@ function buildProductionConnectionContext(choices, evidence) {
   }
   return lines.length > 0 ? lines.join("\n") : "production connections: no selected or detected providers";
 }
-function detectProvider(evidence, rule2, deps, files, pathBlob) {
-  if (evidence[rule2.area]) {
+function detectProvider(evidence, rule, deps, files, pathBlob) {
+  if (evidence[rule.area]) {
     return;
   }
-  const signals = collectSignals(rule2, deps, files, pathBlob);
+  const signals = collectSignals(rule, deps, files, pathBlob);
   if (signals.length === 0) {
     return;
   }
-  evidence[rule2.area] = {
-    area: rule2.area,
-    provider: rule2.provider,
+  evidence[rule.area] = {
+    area: rule.area,
+    provider: rule.provider,
     status: ["detected"],
     signals
   };
 }
-function collectSignals(rule2, deps, files, pathBlob) {
+function collectSignals(rule, deps, files, pathBlob) {
   const signals = [];
   for (const dep of deps) {
-    if ((rule2.packages ?? []).some((pattern) => testRegex(pattern, dep))) {
+    if ((rule.packages ?? []).some((pattern) => testRegex(pattern, dep))) {
       addSignal(signals, `package: ${dep}`);
     }
   }
   const upperContents = files.map((file) => file.content).join("\n").toUpperCase();
-  for (const envName of rule2.env ?? []) {
+  for (const envName of rule.env ?? []) {
     if (upperContents.includes(envName.toUpperCase())) {
       addSignal(signals, `env: ${envName}`);
     }
   }
-  const pathLines = pathBlob.split(/\r?\n/).map((path3) => path3.trim()).filter(Boolean);
-  for (const path3 of pathLines) {
-    if ((rule2.paths ?? []).some((pattern) => testRegex(pattern, path3))) {
-      addSignal(signals, `${pathSignalPrefix(path3)}: ${path3}`);
+  const pathLines = pathBlob.split(/\r?\n/).map((path) => path.trim()).filter(Boolean);
+  for (const path of pathLines) {
+    if ((rule.paths ?? []).some((pattern) => testRegex(pattern, path))) {
+      addSignal(signals, `${pathSignalPrefix(path)}: ${path}`);
     }
   }
   for (const file of files) {
-    for (const importName of rule2.imports ?? []) {
+    for (const importName of rule.imports ?? []) {
       if (containsImport(file.lowerContent, importName)) {
         addSignal(signals, `import: ${importName}`);
       }
     }
-    for (const item3 of rule2.content ?? []) {
+    for (const item3 of rule.content ?? []) {
       if (testRegex(item3.pattern, file.content)) {
         addSignal(signals, item3.signal);
       }
     }
     if (isDocsPath(file.path)) {
-      for (const docsTerm of rule2.docs ?? []) {
+      for (const docsTerm of rule.docs ?? []) {
         if (file.lowerContent.includes(docsTerm.toLowerCase())) {
-          addSignal(signals, `docs: ${file.displayPath} mentions ${rule2.label}`);
+          addSignal(signals, `docs: ${file.displayPath} mentions ${rule.label}`);
           break;
         }
       }
@@ -3059,14 +3056,14 @@ function containsImport(content, importName) {
   const escaped = importName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&").toLowerCase();
   return new RegExp(`(?:from\\s+['"]${escaped}['"]|import\\s*\\(\\s*['"]${escaped}['"]|require\\s*\\(\\s*['"]${escaped}['"])`).test(content);
 }
-function isDocsPath(path3) {
-  return /(^|\/)(readme|product|spec)\.md$/.test(path3) || /(^|\/)docs\/.*\.md$/.test(path3);
+function isDocsPath(path) {
+  return /(^|\/)(readme|product|spec)\.md$/.test(path) || /(^|\/)docs\/.*\.md$/.test(path);
 }
-function pathSignalPrefix(path3) {
-  if (/webhook|checkout|billing|api\/|route\.[jt]s$/.test(path3)) {
+function pathSignalPrefix(path) {
+  if (/webhook|checkout|billing|api\/|route\.[jt]s$/.test(path)) {
     return "route";
   }
-  if (/config|\.json$|\.toml$|\.ya?ml$/.test(path3)) {
+  if (/config|\.json$|\.toml$|\.ya?ml$/.test(path)) {
     return "config";
   }
   return "file";
@@ -3077,19 +3074,19 @@ function addSignal(signals, signal) {
   }
 }
 function freezeProviderRules(rules) {
-  for (const rule2 of rules) {
-    Object.freeze(rule2.packages ?? []);
-    Object.freeze(rule2.env ?? []);
-    Object.freeze(rule2.paths ?? []);
-    Object.freeze(rule2.imports ?? []);
-    Object.freeze(rule2.docs ?? []);
-    if (rule2.content) {
-      for (const item3 of rule2.content) {
+  for (const rule of rules) {
+    Object.freeze(rule.packages ?? []);
+    Object.freeze(rule.env ?? []);
+    Object.freeze(rule.paths ?? []);
+    Object.freeze(rule.imports ?? []);
+    Object.freeze(rule.docs ?? []);
+    if (rule.content) {
+      for (const item3 of rule.content) {
         Object.freeze(item3);
       }
-      Object.freeze(rule2.content);
+      Object.freeze(rule.content);
     }
-    Object.freeze(rule2);
+    Object.freeze(rule);
   }
   return Object.freeze(rules);
 }
@@ -3217,8 +3214,8 @@ function normalizeSelectedAt(value) {
   }
   return null;
 }
-function normalizePath(path3) {
-  return path3.replace(/\\/g, "/").toLowerCase();
+function normalizePath(path) {
+  return path.replace(/\\/g, "/").toLowerCase();
 }
 function isObject(value) {
   return typeof value === "object" && value !== null;
@@ -3246,8 +3243,8 @@ var WEAK_PATH_SEGMENTS = /* @__PURE__ */ new Set([
   "demo"
 ]);
 var TEST_FILE_PATTERN = /\.(test|spec)\.[jt]sx?$/;
-function classifyProviderEvidencePath(path3) {
-  const normalized = normalizePath2(path3);
+function classifyProviderEvidencePath(path) {
+  const normalized = normalizePath2(path);
   const segments = normalized.split("/").filter(Boolean);
   if (isDocsLikePath(normalized) || segments.some((segment) => WEAK_PATH_SEGMENTS.has(segment)) || TEST_FILE_PATTERN.test(normalized)) {
     return "weak";
@@ -3262,14 +3259,14 @@ function buildProviderTruthSnapshot(input) {
   const rowsByArea = {};
   void input.mcpVerifierState;
   void input.verificationLayer;
-  for (const rule2 of PROVIDER_RULES) {
-    const evidence = collectProviderTruthEvidence(rule2, deps, files, pathLines);
-    const selected = choices.choices[rule2.area]?.provider === rule2.provider;
+  for (const rule of PROVIDER_RULES) {
+    const evidence = collectProviderTruthEvidence(rule, deps, files, pathLines);
+    const selected = choices.choices[rule.area]?.provider === rule.provider;
     if (evidence.length === 0 && !selected) {
       continue;
     }
-    const row = buildRow(rule2, evidence, selected);
-    rowsByArea[rule2.area] = [...rowsByArea[rule2.area] ?? [], row];
+    const row = buildRow(rule, evidence, selected);
+    rowsByArea[rule.area] = [...rowsByArea[rule.area] ?? [], row];
   }
   for (const [area, choice] of Object.entries(choices.choices)) {
     if (!choice) {
@@ -3301,32 +3298,32 @@ function buildProviderTruthSnapshot(input) {
     summary
   };
 }
-function collectProviderTruthEvidence(rule2, deps, files, pathLines) {
+function collectProviderTruthEvidence(rule, deps, files, pathLines) {
   const evidence = [];
   for (const dep of deps) {
-    if ((rule2.packages ?? []).some((pattern) => testRegex2(pattern, dep))) {
-      addEvidence(evidence, rule2, {
+    if ((rule.packages ?? []).some((pattern) => testRegex2(pattern, dep))) {
+      addEvidence(evidence, rule, {
         kind: "package-installed",
         strength: "medium",
-        label: `${rule2.label} package installed`,
+        label: `${rule.label} package installed`,
         detail: dep,
         points: 20,
         isRuntimeEvidence: false
       });
     }
   }
-  for (const path3 of pathLines) {
-    if (!(rule2.paths ?? []).some((pattern) => testRegex2(pattern, path3))) {
+  for (const path of pathLines) {
+    if (!(rule.paths ?? []).some((pattern) => testRegex2(pattern, path))) {
       continue;
     }
-    const pathClass = classifyProviderEvidencePath(path3);
-    const kind = weakPathKind(path3, "active-runtime-route") ?? routeKind(path3);
-    addEvidence(evidence, rule2, {
+    const pathClass = classifyProviderEvidencePath(path);
+    const kind = weakPathKind(path, "active-runtime-route") ?? routeKind(path);
+    addEvidence(evidence, rule, {
       kind,
       strength: pathClass === "runtime" ? "strong" : "weak",
-      label: `${rule2.label} ${pathClass === "runtime" ? "runtime route or path" : "weak path reference"}`,
-      file: path3,
-      points: pathClass === "runtime" ? 35 : weakEvidencePoints(path3),
+      label: `${rule.label} ${pathClass === "runtime" ? "runtime route or path" : "weak path reference"}`,
+      file: path,
+      points: pathClass === "runtime" ? 35 : weakEvidencePoints(path),
       isRuntimeEvidence: pathClass === "runtime"
     });
   }
@@ -3334,45 +3331,45 @@ function collectProviderTruthEvidence(rule2, deps, files, pathLines) {
     const pathClass = classifyProviderEvidencePath(file.path);
     const sourceContent = pathClass === "runtime" ? file.executableContent : file.content;
     const sourceLowerContent = pathClass === "runtime" ? file.lowerExecutableContent : file.lowerContent;
-    for (const envName of rule2.env ?? []) {
+    for (const envName of rule.env ?? []) {
       if (!sourceContent.toUpperCase().includes(envName.toUpperCase())) {
         continue;
       }
-      addEvidence(evidence, rule2, {
+      addEvidence(evidence, rule, {
         kind: pathClass === "runtime" ? "runtime-env-usage" : "env-name-only",
         strength: pathClass === "runtime" ? "medium" : "weak",
-        label: `${rule2.label} env name ${pathClass === "runtime" ? "used in runtime source" : "mentioned outside runtime source"}`,
+        label: `${rule.label} env name ${pathClass === "runtime" ? "used in runtime source" : "mentioned outside runtime source"}`,
         file: file.displayPath,
         detail: envName,
         points: pathClass === "runtime" ? 20 : weakEvidencePoints(file.path),
         isRuntimeEvidence: pathClass === "runtime"
       });
     }
-    for (const importName of rule2.imports ?? []) {
+    for (const importName of rule.imports ?? []) {
       if (!containsImport2(sourceLowerContent, importName)) {
         continue;
       }
       const weakKind = weakPathKind(file.path, "sdk-import-source");
-      addEvidence(evidence, rule2, {
+      addEvidence(evidence, rule, {
         kind: weakKind ?? "sdk-import-source",
         strength: pathClass === "runtime" ? "strong" : "weak",
-        label: `${rule2.label} SDK import ${pathClass === "runtime" ? "in runtime source" : "outside runtime source"}`,
+        label: `${rule.label} SDK import ${pathClass === "runtime" ? "in runtime source" : "outside runtime source"}`,
         file: file.displayPath,
         detail: importName,
         points: pathClass === "runtime" ? 35 : weakEvidencePoints(file.path),
         isRuntimeEvidence: pathClass === "runtime"
       });
     }
-    for (const item3 of rule2.content ?? []) {
+    for (const item3 of rule.content ?? []) {
       if (!testRegex2(item3.pattern, sourceContent)) {
         continue;
       }
       const strongKind = contentSignalKind(item3.signal);
       const weakKind = weakPathKind(file.path, strongKind);
-      addEvidence(evidence, rule2, {
+      addEvidence(evidence, rule, {
         kind: weakKind ?? strongKind,
         strength: pathClass === "runtime" ? "strong" : "weak",
-        label: `${rule2.label} ${pathClass === "runtime" ? "runtime content signal" : "weak content reference"}`,
+        label: `${rule.label} ${pathClass === "runtime" ? "runtime content signal" : "weak content reference"}`,
         file: file.displayPath,
         detail: item3.signal,
         points: pathClass === "runtime" ? 35 : weakEvidencePoints(file.path),
@@ -3380,14 +3377,14 @@ function collectProviderTruthEvidence(rule2, deps, files, pathLines) {
       });
     }
     if (isDocsLikePath(file.path)) {
-      for (const docsTerm of rule2.docs ?? []) {
+      for (const docsTerm of rule.docs ?? []) {
         if (!file.lowerContent.includes(docsTerm.toLowerCase())) {
           continue;
         }
-        addEvidence(evidence, rule2, {
+        addEvidence(evidence, rule, {
           kind: "docs-mention",
           strength: "weak",
-          label: `${rule2.label} mentioned in docs`,
+          label: `${rule.label} mentioned in docs`,
           file: file.displayPath,
           detail: docsTerm,
           points: 4,
@@ -3399,16 +3396,16 @@ function collectProviderTruthEvidence(rule2, deps, files, pathLines) {
   }
   return evidence.sort(compareEvidence);
 }
-function buildRow(rule2, evidence, selected) {
+function buildRow(rule, evidence, selected) {
   const score = evidence.reduce((total, item3) => total + item3.points, 0);
   const roles = rolesForEvidence(evidence, selected);
-  applyMcpSupportRoles(rule2.provider, roles);
+  applyMcpSupportRoles(rule.provider, roles);
   const confidence = confidenceForEvidence(evidence, roles);
-  const mcpProof = mcpProofForProvider(rule2.provider);
+  const mcpProof = mcpProofForProvider(rule.provider);
   return {
-    area: rule2.area,
-    provider: rule2.provider,
-    providerLabel: providerLabel(rule2.provider),
+    area: rule.area,
+    provider: rule.provider,
+    providerLabel: providerLabel(rule.provider),
     roles,
     confidence,
     score,
@@ -3665,10 +3662,10 @@ function statusBadgesForRoles(roles, confidence) {
   badges.push(confidence.toUpperCase());
   return badges;
 }
-function addEvidence(evidence, rule2, item3) {
+function addEvidence(evidence, rule, item3) {
   const id = [
-    rule2.area,
-    rule2.provider,
+    rule.area,
+    rule.provider,
     item3.kind,
     item3.file ?? "",
     item3.detail ?? item3.label
@@ -3683,29 +3680,29 @@ function addEvidence(evidence, rule2, item3) {
     isManualProof: false
   });
 }
-function weakPathKind(path3, fallback) {
-  if (classifyProviderEvidencePath(path3) === "runtime") {
+function weakPathKind(path, fallback) {
+  if (classifyProviderEvidencePath(path) === "runtime") {
     return null;
   }
-  if (isDocsLikePath(path3)) {
+  if (isDocsLikePath(path)) {
     return "docs-mention";
   }
-  if (/(^|\/)(__tests__|tests)(\/|$)|\.(test|spec)\.[jt]sx?$/.test(normalizePath2(path3))) {
+  if (/(^|\/)(__tests__|tests)(\/|$)|\.(test|spec)\.[jt]sx?$/.test(normalizePath2(path))) {
     return "test-reference";
   }
-  if (/(^|\/)(tmp|out|outputs|videos|marketing|examples|demo)(\/|$)/.test(normalizePath2(path3))) {
+  if (/(^|\/)(tmp|out|outputs|videos|marketing|examples|demo)(\/|$)/.test(normalizePath2(path))) {
     return "tmp-demo-example";
   }
   return fallback;
 }
-function routeKind(path3) {
-  if (/webhook/.test(path3)) {
+function routeKind(path) {
+  if (/webhook/.test(path)) {
     return "webhook-handler";
   }
-  if (/checkout|billing/.test(path3)) {
+  if (/checkout|billing/.test(path)) {
     return "checkout-handler";
   }
-  if (/config|\.json$|\.toml$|\.ya?ml$/.test(path3)) {
+  if (/config|\.json$|\.toml$|\.ya?ml$/.test(path)) {
     return "deployment-config";
   }
   return "active-runtime-route";
@@ -3722,11 +3719,11 @@ function contentSignalKind(signal) {
   }
   return "active-runtime-route";
 }
-function weakEvidencePoints(path3) {
-  if (isDocsLikePath(path3)) {
+function weakEvidencePoints(path) {
+  if (isDocsLikePath(path)) {
     return 4;
   }
-  if (/(^|\/)(__tests__|tests)(\/|$)|\.(test|spec)\.[jt]sx?$/.test(normalizePath2(path3))) {
+  if (/(^|\/)(__tests__|tests)(\/|$)|\.(test|spec)\.[jt]sx?$/.test(normalizePath2(path))) {
     return 6;
   }
   return 8;
@@ -3745,8 +3742,8 @@ function toScannableFile(file) {
 }
 function collectPathLines(scan, files) {
   const paths = /* @__PURE__ */ new Set();
-  for (const path3 of scan.fileTree.split(/\r?\n/)) {
-    const normalized = normalizePath2(path3.trim());
+  for (const path of scan.fileTree.split(/\r?\n/)) {
+    const normalized = normalizePath2(path.trim());
     if (normalized) {
       paths.add(normalized);
     }
@@ -3760,8 +3757,8 @@ function containsImport2(content, importName) {
   const escaped = importName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&").toLowerCase();
   return new RegExp(`(?:from\\s+['"]${escaped}['"]|import\\s*\\(\\s*['"]${escaped}['"]|require\\s*\\(\\s*['"]${escaped}['"])`).test(content);
 }
-function isDocsLikePath(path3) {
-  const normalized = normalizePath2(path3);
+function isDocsLikePath(path) {
+  const normalized = normalizePath2(path);
   return /(^|\/)(readme|product|spec)\.mdx?$/.test(normalized) || /(^|\/)docs\/.*\.mdx?$/.test(normalized);
 }
 function stripComments(content) {
@@ -3773,8 +3770,8 @@ function compareRows(a, b3) {
 function compareEvidence(a, b3) {
   return b3.points - a.points || a.kind.localeCompare(b3.kind) || (a.file ?? "").localeCompare(b3.file ?? "");
 }
-function normalizePath2(path3) {
-  return path3.replace(/\\/g, "/").toLowerCase();
+function normalizePath2(path) {
+  return path.replace(/\\/g, "/").toLowerCase();
 }
 function rowPriority(row) {
   if (row.roles.includes("live-verified")) {
@@ -3969,8 +3966,8 @@ Return ONLY the JSON object \u2014 no markdown, no explanation.
 }
 
 // ../../src/station/envEvidence.ts
-function normalizeEvidencePath(path3) {
-  return path3.replace(/\\/g, "/");
+function normalizeEvidencePath(path) {
+  return path.replace(/\\/g, "/");
 }
 function uniquePaths(paths) {
   return Array.from(new Set(paths.map(normalizeEvidencePath)));
@@ -4038,7 +4035,7 @@ function collectEnvVarEvidence(scan, names) {
         present: true,
         mode,
         source: "non-secret-content",
-        evidence: uniquePaths(contentEvidence).map((path3) => `file: ${path3}`)
+        evidence: uniquePaths(contentEvidence).map((path) => `file: ${path}`)
       };
     }
     if (nonEmptyAssignmentEvidence.length > 0) {
@@ -4047,7 +4044,7 @@ function collectEnvVarEvidence(scan, names) {
         present: true,
         mode: "unknown",
         source: "non-secret-content",
-        evidence: uniquePaths(nonEmptyAssignmentEvidence).map((path3) => `file: ${path3}`)
+        evidence: uniquePaths(nonEmptyAssignmentEvidence).map((path) => `file: ${path}`)
       };
     }
     if (nameOnlyEvidence.length > 0) {
@@ -4056,7 +4053,7 @@ function collectEnvVarEvidence(scan, names) {
         present: true,
         mode: "unknown",
         source: "variable-name-only",
-        evidence: uniquePaths(nameOnlyEvidence).map((path3) => `file: ${path3}`)
+        evidence: uniquePaths(nameOnlyEvidence).map((path) => `file: ${path}`)
       };
     }
     if (secretEvidence.length > 0) {
@@ -4065,7 +4062,7 @@ function collectEnvVarEvidence(scan, names) {
         present: false,
         mode: "unknown",
         source: "secret-file-path",
-        evidence: secretEvidence.map((path3) => `secret file: ${path3}`)
+        evidence: secretEvidence.map((path) => `secret file: ${path}`)
       };
     }
     return {
@@ -4160,10 +4157,10 @@ ${pathBlob}`),
 function visibleFiles(scan) {
   return scan.files.filter((file) => !file.isSecret && typeof file.content === "string");
 }
-function foundOrMissing(id, label2, found, evidence) {
+function foundOrMissing(id, label, found, evidence) {
   return {
     id,
-    label: label2,
+    label,
     status: found ? "found" : "missing",
     evidence: unique(evidence).slice(0, 6)
   };
@@ -4200,7 +4197,7 @@ function evidenceFor(files, pattern) {
   return files.filter((file) => pattern.test(file.content)).map((file) => `file: ${normalizePath3(file.path)}`).slice(0, 6);
 }
 function pathEvidence(scan, pattern) {
-  return scan.files.map((file) => normalizePath3(file.path)).filter((path3) => pattern.test(path3)).map((path3) => `file: ${path3}`).slice(0, 6);
+  return scan.files.map((file) => normalizePath3(file.path)).filter((path) => pattern.test(path)).map((path) => `file: ${path}`).slice(0, 6);
 }
 function isClientReachableFile(file) {
   const content = file.content;
@@ -4216,22 +4213,22 @@ function isClientReachableFile(file) {
 function hasUseClientDirective(content) {
   return /^(?:\s|;|\/\/[^\n]*(?:\n|$)|\/\*[\s\S]*?\*\/)*['"]use client['"]/.test(content);
 }
-function isBrowserOnlyPath(path3) {
-  const normalized = normalizePath3(path3).toLowerCase();
-  if (isServerOnlyPath(path3)) {
+function isBrowserOnlyPath(path) {
+  const normalized = normalizePath3(path).toLowerCase();
+  if (isServerOnlyPath(path)) {
     return false;
   }
   return /(^|\/)(components|hooks|contexts|providers)\//.test(normalized) || /\.(jsx|tsx)$/.test(normalized);
 }
-function isServerOnlyPath(path3) {
-  const normalized = normalizePath3(path3).toLowerCase();
+function isServerOnlyPath(path) {
+  const normalized = normalizePath3(path).toLowerCase();
   return /\/api\/|app\/api\/|pages\/api\/|route\.[jt]s$|\.server\.[jt]sx?$|\/server\//.test(normalized);
 }
-function isEnvOrDocPath(path3) {
-  return ENV_OR_DOC_PATH.test(normalizePath3(path3).toLowerCase());
+function isEnvOrDocPath(path) {
+  return ENV_OR_DOC_PATH.test(normalizePath3(path).toLowerCase());
 }
-function normalizePath3(path3) {
-  return path3.replace(/\\/g, "/");
+function normalizePath3(path) {
+  return path.replace(/\\/g, "/");
 }
 function unique(values) {
   return [...new Set(values)];
@@ -5364,10 +5361,10 @@ function visibleFiles2(scan) {
     lowerContent: file.content.toLowerCase()
   }));
 }
-function item(id, label2, passed, evidence, promptHint) {
+function item(id, label, passed, evidence, promptHint) {
   return {
     id,
-    label: label2,
+    label,
     status: passed ? "passed" : "missing",
     evidence,
     promptHint
@@ -5397,7 +5394,7 @@ function hasSupabaseClient(files, pathBlob) {
 }
 function clientEvidence(files, pathBlob) {
   const evidence = [];
-  const pathMatch = pathBlob.split(/\r?\n/).find((path3) => /(^|\/)(lib|utils|src\/lib|src\/utils)\/supabase\.[jt]s\b/i.test(path3));
+  const pathMatch = pathBlob.split(/\r?\n/).find((path) => /(^|\/)(lib|utils|src\/lib|src\/utils)\/supabase\.[jt]s\b/i.test(path));
   if (pathMatch) {
     evidence.push(`file: ${pathMatch}`);
   }
@@ -5414,11 +5411,11 @@ function hasSchemaOrMigration(files, pathBlob) {
   return /(^|\n|\/)supabase\/migrations\/[^/\n]+\.sql\b/i.test(pathBlob) || /(^|\n|\/)(migrations?|schema)\/[^/\n]+\.(sql|ts|js)\b/i.test(pathBlob) || files.some((file) => /create\s+table|alter\s+table/i.test(file.content));
 }
 function schemaEvidence(files, pathBlob) {
-  const path3 = pathBlob.split(/\r?\n/).find(
+  const path = pathBlob.split(/\r?\n/).find(
     (entry) => /(^|\/)supabase\/migrations\/[^/]+\.sql\b/i.test(entry) || /(^|\/)(migrations?|schema)\/[^/]+\.(sql|ts|js)\b/i.test(entry)
   );
-  if (path3) {
-    return [`schema: ${path3}`];
+  if (path) {
+    return [`schema: ${path}`];
   }
   const file = files.find((entry) => /create\s+table|alter\s+table/i.test(entry.content));
   return file ? [`schema: ${file.path}`] : [];
@@ -5427,9 +5424,9 @@ function hasRlsEvidence(files, pathBlob) {
   return /\/policies\/|_rls\.sql|\brls\b/i.test(pathBlob) || files.some((file) => /enable\s+row\s+level\s+security|create\s+policy|alter\s+table[\s\S]{0,200}enable\s+row\s+level/i.test(file.content));
 }
 function rlsEvidence(files, pathBlob) {
-  const path3 = pathBlob.split(/\r?\n/).find((entry) => /\/policies\/|_rls\.sql|\brls\b/i.test(entry));
-  if (path3) {
-    return [`rls: ${path3}`];
+  const path = pathBlob.split(/\r?\n/).find((entry) => /\/policies\/|_rls\.sql|\brls\b/i.test(entry));
+  if (path) {
+    return [`rls: ${path}`];
   }
   const file = files.find((entry) => /enable\s+row\s+level\s+security|create\s+policy|alter\s+table[\s\S]{0,200}enable\s+row\s+level/i.test(entry.content));
   return file ? [`rls: ${file.path}`] : [];
@@ -5438,11 +5435,11 @@ function hasGeneratedTypes(files, pathBlob) {
   return /database\.types\.[jt]s\b|supabase.*types\.[jt]s\b|types\/database\.[jt]s\b/i.test(pathBlob) || files.some((file) => /export\s+type\s+database\b|export\s+interface\s+database\b/i.test(file.content));
 }
 function generatedTypeEvidence(files, pathBlob) {
-  const path3 = pathBlob.split(/\r?\n/).find(
+  const path = pathBlob.split(/\r?\n/).find(
     (entry) => /database\.types\.[jt]s\b|supabase.*types\.[jt]s\b|types\/database\.[jt]s\b/i.test(entry)
   );
-  if (path3) {
-    return [`types: ${path3}`];
+  if (path) {
+    return [`types: ${path}`];
   }
   const file = files.find((entry) => /export\s+type\s+database\b|export\s+interface\s+database\b/i.test(entry.content));
   return file ? [`types: ${file.path}`] : [];
@@ -5459,8 +5456,8 @@ function serviceRoleSafetyItem(files) {
     promptHint: "Move service-role usage to server-only code and use public anon keys in frontend clients."
   };
 }
-function isClientExecutedPath(path3) {
-  return /\.(tsx|jsx)$/.test(path3) || /(^|\/)(components|pages|app|client|frontend|web)\//.test(path3) || /\.client\.[jt]sx?$/.test(path3);
+function isClientExecutedPath(path) {
+  return /\.(tsx|jsx)$/.test(path) || /(^|\/)(components|pages|app|client|frontend|web)\//.test(path) || /\.client\.[jt]sx?$/.test(path);
 }
 
 // ../../src/station/stackWiring.ts
@@ -6285,7 +6282,7 @@ function analyzeSecretsHygiene(ctx) {
     promptSubject: "secrets hygiene",
     items: [
       item2("env-example-found", "Env example or docs found", Boolean(ctx.scan.stackSignals.hasEnvExample) || /\.env\.example|env\.example|environment variables/i.test(ctx.pathBlob + "\n" + ctx.contentBlob), pathEvidence2(ctx, /\.env\.example|env\.example/i), "Add an env example or setup docs with variable names only."),
-      item2("secret-files-ignored", "Secret files detected as private", Array.isArray(ctx.scan.secretsFound) && ctx.scan.secretsFound.length > 0, ctx.scan.secretsFound.slice(0, 4).map((path3) => `secret file: ${path3}`), "Keep real .env files private and out of copied prompts or docs."),
+      item2("secret-files-ignored", "Secret files detected as private", Array.isArray(ctx.scan.secretsFound) && ctx.scan.secretsFound.length > 0, ctx.scan.secretsFound.slice(0, 4).map((path) => `secret file: ${path}`), "Keep real .env files private and out of copied prompts or docs."),
       item2("frontend-secrets-clean", "No obvious frontend secret exposure found", unsafePublicSecret.length === 0, unsafePublicSecret.slice(0, 4).map((file) => `unsafe reference: ${file.path}`), "Move secret values and private keys out of frontend/client-executed files."),
       item2("gitignore-env-found", "Env files ignored by git", /\.gitignore/i.test(ctx.pathBlob) && /\.env/i.test(ctx.contentBlob), pathEvidence2(ctx, /\.gitignore/i), "Ensure .gitignore excludes real .env files while keeping .env.example committed."),
       manualItem("production-secret-rotation-checked", "Production secret rotation checked", "Confirm production secrets can be rotated and revoked in provider dashboards.")
@@ -6361,29 +6358,29 @@ function summarize(summary) {
     readinessPercent: Math.round(passedCount / Math.max(totalCount, 1) * 100)
   };
 }
-function item2(id, label2, passed, evidence, promptHint) {
+function item2(id, label, passed, evidence, promptHint) {
   return {
     id,
-    label: label2,
+    label,
     status: passed ? "passed" : "missing",
     evidence,
     promptHint
   };
 }
-function manualItem(id, label2, promptHint) {
+function manualItem(id, label, promptHint) {
   return {
     id,
-    label: label2,
+    label,
     status: "manual",
     evidence: [],
     promptHint
   };
 }
-function secretSafetyItem(ctx, id, label2, pattern, promptHint) {
+function secretSafetyItem(ctx, id, label, pattern, promptHint) {
   const exposed = ctx.files.filter((file) => isClientExecutedPath2(file.normalizedPath) && pattern.test(file.content));
   return {
     id,
-    label: label2,
+    label,
     status: exposed.length > 0 ? "missing" : "passed",
     evidence: exposed.slice(0, 4).map((file) => `unsafe reference: ${file.path}`),
     promptHint
@@ -6408,13 +6405,13 @@ function envEvidence2(ctx, patterns) {
   return evidence.slice(0, 4);
 }
 function pathEvidence2(ctx, pattern) {
-  return ctx.pathBlob.split(/\r?\n/).filter((path3) => pattern.test(path3)).slice(0, 4).map((path3) => `file: ${path3}`);
+  return ctx.pathBlob.split(/\r?\n/).filter((path) => pattern.test(path)).slice(0, 4).map((path) => `file: ${path}`);
 }
 function fileEvidence(ctx, pattern) {
   return ctx.files.filter((file) => pattern.test(file.path) || pattern.test(file.content)).slice(0, 4).map((file) => `file: ${file.path}`);
 }
-function isClientExecutedPath2(path3) {
-  return /\.(tsx|jsx)$/.test(path3) || /(^|\/)(components|pages|app|client|frontend|web)\//.test(path3) || /\.client\.[jt]sx?$/.test(path3);
+function isClientExecutedPath2(path) {
+  return /\.(tsx|jsx)$/.test(path) || /(^|\/)(components|pages|app|client|frontend|web)\//.test(path) || /\.client\.[jt]sx?$/.test(path);
 }
 
 // ../../src/station/verification.ts
@@ -6543,27 +6540,27 @@ function emptyArea(area) {
     manual: []
   };
 }
-function normalizePath4(path3) {
-  return path3.replace(/\\/g, "/").replace(/^[\s\u2500\u2502\u2514\u251c>*+-]+/u, "").trim().toLowerCase();
+function normalizePath4(path) {
+  return path.replace(/\\/g, "/").replace(/^[\s\u2500\u2502\u2514\u251c>*+-]+/u, "").trim().toLowerCase();
 }
-function addFound(area, label2, source, detail) {
-  addItem(area, "found", label2, source, detail);
+function addFound(area, label, source, detail) {
+  addItem(area, "found", label, source, detail);
 }
-function addMissing(area, label2, source, detail) {
-  addItem(area, "missing", label2, source, detail);
+function addMissing(area, label, source, detail) {
+  addItem(area, "missing", label, source, detail);
 }
-function addManual(area, label2, source, detail) {
-  addItem(area, "manual", label2, source, detail);
+function addManual(area, label, source, detail) {
+  addItem(area, "manual", label, source, detail);
 }
-function addItem(area, status, label2, source, detail) {
-  const item3 = compactItem(label2, status, source, detail);
+function addItem(area, status, label, source, detail) {
+  const item3 = compactItem(label, status, source, detail);
   const bucket = area[status];
   if (!bucket.some((existing) => existing.label === item3.label)) {
     bucket.push(item3);
   }
 }
-function compactItem(label2, status, source, detail) {
-  return detail ? { label: label2, status, source, detail } : { label: label2, status, source };
+function compactItem(label, status, source, detail) {
+  return detail ? { label, status, source, detail } : { label, status, source };
 }
 function hasDep(ctx, patterns) {
   return patterns.some((pattern) => {
@@ -6572,7 +6569,7 @@ function hasDep(ctx, patterns) {
   });
 }
 function hasPath(ctx, patterns) {
-  return [...ctx.paths].some((path3) => !ctx.secretPaths.has(path3) && patterns.some((pattern) => pattern.test(path3)));
+  return [...ctx.paths].some((path) => !ctx.secretPaths.has(path) && patterns.some((pattern) => pattern.test(path)));
 }
 function hasContent(ctx, patterns) {
   return patterns.some((pattern) => pattern.test(ctx.contents));
@@ -7141,7 +7138,7 @@ var mockGitHubVerifier = {
         providerObservationMet: false,
         fixType: "mcp-connect",
         severity: "warning",
-        repoSignals: workflows.map((path3) => `workflow: ${path3}`),
+        repoSignals: workflows.map((path) => `workflow: ${path}`),
         providerSignals: ["GitHub Actions API or MCP"],
         requiredEvidence: ["Latest workflow run status on default branch"]
       }),
@@ -7196,7 +7193,7 @@ var mockGitHubVerifier = {
         providerActual: "Not verified (mock \u2014 connect GitHub MCP read-only)",
         severity: "warning",
         suggestedFix: "mcp-connect",
-        evidenceRefs: workflows.map((path3) => `workflow: ${path3}`)
+        evidenceRefs: workflows.map((path) => `workflow: ${path}`)
       }
     ];
   }
@@ -7589,9 +7586,9 @@ function runVerifier(verifier, ctx) {
   }
   const connectionState = verifier.connectStatus(ctx);
   const rawChecks = verifier.runChecks(ctx);
-  const checks = rawChecks.map((check) => ({
-    ...check,
-    status: coerceProviderVerificationStatus(check.status, connectionState)
+  const checks = rawChecks.map((check2) => ({
+    ...check2,
+    status: coerceProviderVerificationStatus(check2.status, connectionState)
   }));
   const diffs = verifier.buildDiffs(ctx);
   return {
@@ -7998,12 +7995,12 @@ var import_promises5 = require("node:fs/promises");
 var import_node_path8 = require("node:path");
 
 // src/capabilities/classify.ts
-function gapText(gap2) {
-  return `${gap2.id} ${gap2.title} ${gap2.detail} ${gap2.primaryMapCategory}`.toLowerCase();
+function gapText(gap) {
+  return `${gap.id} ${gap.title} ${gap.detail} ${gap.primaryMapCategory}`.toLowerCase();
 }
 function statusForGaps(gaps) {
-  if (gaps.some((gap2) => gap2.severity === "critical")) return "critical";
-  if (gaps.some((gap2) => gap2.severity === "warning")) return "warning";
+  if (gaps.some((gap) => gap.severity === "critical")) return "critical";
+  if (gaps.some((gap) => gap.severity === "warning")) return "warning";
   if (gaps.length > 0) return "warning";
   return "unknown";
 }
@@ -8023,12 +8020,12 @@ function capabilityFromArea(area) {
 // src/capabilities/database.ts
 var databasePack = {
   key: "database",
-  classify(gap2) {
-    const text = gapText(gap2);
+  classify(gap) {
+    const text = gapText(gap);
     return /database|supabase|rls|migration|postgres|pooler|query/.test(text);
   },
-  riskTags(gap2) {
-    const text = gapText(gap2);
+  riskTags(gap) {
+    const text = gapText(gap);
     return [
       text.includes("rls") ? "rls" : "",
       text.includes("migration") ? "migration" : "",
@@ -8040,12 +8037,12 @@ var databasePack = {
 // src/capabilities/payments.ts
 var paymentsPack = {
   key: "payments",
-  classify(gap2) {
-    const text = gapText(gap2);
+  classify(gap) {
+    const text = gapText(gap);
     return /payment|stripe|checkout|billing|entitlement|subscription|refund|cancel/.test(text);
   },
-  riskTags(gap2) {
-    const text = gapText(gap2);
+  riskTags(gap) {
+    const text = gapText(gap);
     return [
       text.includes("entitlement") ? "entitlement-source" : "",
       text.includes("checkout") ? "checkout-flow" : "",
@@ -8057,12 +8054,12 @@ var paymentsPack = {
 // src/capabilities/scaling.ts
 var scalingPack = {
   key: "scaling",
-  classify(gap2) {
-    const text = gapText(gap2);
+  classify(gap) {
+    const text = gapText(gap);
     return /serverless|vercel|pooler|rate limit|rate-limit|cache|queue|cron|worker|runtime|connection/.test(text);
   },
-  riskTags(gap2) {
-    const text = gapText(gap2);
+  riskTags(gap) {
+    const text = gapText(gap);
     return [
       text.includes("serverless") || text.includes("vercel") ? "serverless" : "",
       text.includes("pooler") || text.includes("connection") ? "db-connection" : "",
@@ -8074,12 +8071,12 @@ var scalingPack = {
 // src/capabilities/security.ts
 var securityPack = {
   key: "security",
-  classify(gap2) {
-    const text = gapText(gap2);
+  classify(gap) {
+    const text = gapText(gap);
     return /secret|service role|token|api key|auth|authorization|browser-exposed|cors|csrf|session/.test(text);
   },
-  riskTags(gap2) {
-    const text = gapText(gap2);
+  riskTags(gap) {
+    const text = gapText(gap);
     return [
       text.includes("secret") || text.includes("api key") || text.includes("service role") ? "secret-boundary" : "",
       text.includes("auth") || text.includes("authorization") ? "auth-boundary" : "",
@@ -8091,12 +8088,12 @@ var securityPack = {
 // src/capabilities/webhooks.ts
 var webhooksPack = {
   key: "webhooks",
-  classify(gap2) {
-    const text = gapText(gap2);
+  classify(gap) {
+    const text = gapText(gap);
     return /webhook|signature|idempotency|retry|replay|dead-letter/.test(text);
   },
-  riskTags(gap2) {
-    const text = gapText(gap2);
+  riskTags(gap) {
+    const text = gapText(gap);
     return [
       text.includes("signature") ? "signature" : "",
       text.includes("idempotency") ? "idempotency" : "",
@@ -8107,10 +8104,10 @@ var webhooksPack = {
 
 // src/capabilities/index.ts
 var PACKS = [scalingPack, securityPack, webhooksPack, paymentsPack, databasePack];
-function classifyGapCapability(gap2) {
-  const direct = PACKS.find((pack) => pack.classify(gap2));
+function classifyGapCapability(gap) {
+  const direct = PACKS.find((pack) => pack.classify(gap));
   if (direct) return direct.key;
-  return capabilityFromArea(String(gap2.primaryMapCategory)) ?? "security";
+  return capabilityFromArea(String(gap.primaryMapCategory)) ?? "security";
 }
 function summarizeCapabilities(gaps) {
   const result = Object.fromEntries(
@@ -8120,13 +8117,13 @@ function summarizeCapabilities(gaps) {
     ])
   );
   for (const pack of PACKS) {
-    const matching = gaps.filter((gap2) => classifyGapCapability(gap2) === pack.key);
+    const matching = gaps.filter((gap) => classifyGapCapability(gap) === pack.key);
     result[pack.key] = {
       key: pack.key,
       status: statusForGaps(matching),
-      topGapIds: matching.slice(0, 5).map((gap2) => gap2.id),
+      topGapIds: matching.slice(0, 5).map((gap) => gap.id),
       evidenceCount: matching.length,
-      riskTags: unique2(matching.flatMap((gap2) => pack.riskTags(gap2)))
+      riskTags: unique2(matching.flatMap((gap) => pack.riskTags(gap)))
     };
   }
   return result;
@@ -8134,8 +8131,8 @@ function summarizeCapabilities(gaps) {
 
 // src/contracts/contextMap.ts
 function generateContextMap(artifact) {
-  const criticalCount = artifact.gaps.filter((gap2) => gap2.severity === "critical").length;
-  const warningCount = artifact.gaps.filter((gap2) => gap2.severity === "warning").length;
+  const criticalCount = artifact.gaps.filter((gap) => gap.severity === "critical").length;
+  const warningCount = artifact.gaps.filter((gap) => gap.severity === "warning").length;
   return {
     $schema: "https://viberaven.dev/schemas/context-map.schema.json",
     schemaVersion: "v1",
@@ -8168,12 +8165,12 @@ function generateContextMap(artifact) {
       warningCount,
       providerDashboardChecksRequired: true
     },
-    topGaps: artifact.gaps.slice(0, 10).map((gap2) => ({
-      id: gap2.id,
-      severity: gap2.severity,
-      title: gap2.title,
-      area: String(gap2.primaryMapCategory),
-      promptCommand: promptGapCommand(gap2.id)
+    topGaps: artifact.gaps.slice(0, 10).map((gap) => ({
+      id: gap.id,
+      severity: gap.severity,
+      title: gap.title,
+      area: String(gap.primaryMapCategory),
+      promptCommand: promptGapCommand(gap.id)
     }))
   };
 }
@@ -8188,10 +8185,10 @@ function runIdFrom(scannedAt) {
   return `vr_${scannedAt.replace(/\D/g, "").slice(0, 14) || "scan"}`;
 }
 function generateGateResult(artifact, options = {}) {
-  const criticalCount = artifact.gaps.filter((gap2) => gap2.severity === "critical").length;
-  const warningCount = artifact.gaps.filter((gap2) => gap2.severity === "warning").length;
+  const criticalCount = artifact.gaps.filter((gap) => gap.severity === "critical").length;
+  const warningCount = artifact.gaps.filter((gap) => gap.severity === "warning").length;
   const capabilities = summarizeCapabilities(artifact.gaps);
-  const topGapIds = artifact.gaps.slice(0, 10).map((gap2) => gap2.id);
+  const topGapIds = artifact.gaps.slice(0, 10).map((gap) => gap.id);
   const firstGapId = topGapIds[0];
   return {
     $schema: "https://viberaven.dev/schemas/gate-result.schema.json",
@@ -8240,24 +8237,24 @@ function generateGateResult(artifact, options = {}) {
 }
 
 // src/contracts/gapEvidence.ts
-function summarizeGap(gap2) {
-  return `${gap2.title}. See the tasklist and original scan for redacted detail.`;
+function summarizeGap(gap) {
+  return `${gap.title}. See the tasklist and original scan for redacted detail.`;
 }
 function generateGapEvidenceFiles(artifact) {
-  return artifact.gaps.slice(0, 50).map((gap2) => ({
-    path: `.viberaven/gaps/${gap2.id}.json`,
+  return artifact.gaps.slice(0, 50).map((gap) => ({
+    path: `.viberaven/gaps/${gap.id}.json`,
     content: {
       $schema: "https://viberaven.dev/schemas/gap.schema.json",
       schemaVersion: "v1",
-      id: gap2.id,
-      severity: gap2.severity,
-      capability: classifyGapCapability(gap2),
-      title: gap2.title,
-      summary: summarizeGap(gap2),
-      evidence: [{ kind: String(gap2.primaryMapCategory), redacted: true }],
+      id: gap.id,
+      severity: gap.severity,
+      capability: classifyGapCapability(gap),
+      title: gap.title,
+      summary: summarizeGap(gap),
+      evidence: [{ kind: String(gap.primaryMapCategory), redacted: true }],
       commands: {
-        prompt: promptGapCommand(gap2.id),
-        healPlan: healPlanGapCommand(gap2.id),
+        prompt: promptGapCommand(gap.id),
+        healPlan: healPlanGapCommand(gap.id),
         verify: PUBLIC_VERIFY_COMMAND
       },
       providerBoundary: {
@@ -8306,6 +8303,39 @@ var PRODUCTION_MAP_CATEGORY_KEYS_ALL = PRODUCTION_MAP_LANES.map(
   (lane) => lane.extensionKey
 );
 
+// src/playbooks/checkMap.ts
+var CHECK_TO_PLAYBOOK = {
+  "vercel-deployment": "vercel",
+  "vercel-project": "vercel",
+  "supabase-project": "supabase",
+  "supabase-env": "supabase",
+  "stripe-webhook": "stripe",
+  "stripe-product": "stripe",
+  "stripe-keys": "stripe"
+};
+function mapCheckToPlaybook(check2) {
+  if (CHECK_TO_PLAYBOOK[check2.id]) {
+    return CHECK_TO_PLAYBOOK[check2.id];
+  }
+  const providerKey = check2.providerKey.toLowerCase();
+  if (providerKey.includes("vercel") || check2.area === "deployment") {
+    return "vercel";
+  }
+  if (providerKey.includes("stripe") || check2.area === "payments") {
+    return "stripe";
+  }
+  if (providerKey.includes("supabase") && check2.area === "auth") {
+    return "auth-supabase";
+  }
+  if (providerKey.includes("supabase") || check2.area === "database") {
+    return "supabase";
+  }
+  if (check2.area === "auth") {
+    return "auth-supabase";
+  }
+  return "vercel";
+}
+
 // src/playbooks/loadPlaybook.ts
 var import_node_fs5 = require("node:fs");
 var import_promises3 = require("node:fs/promises");
@@ -8416,8 +8446,8 @@ async function loadPlaybook(provider2) {
       `Unknown provider "${provider2}". Available: ${PLAYBOOK_PROVIDERS.join(", ")}`
     );
   }
-  const path3 = (0, import_node_path5.join)(playbooksRoot(), `${normalized}.json`);
-  const raw = JSON.parse(await (0, import_promises3.readFile)(path3, "utf-8"));
+  const path = (0, import_node_path5.join)(playbooksRoot(), `${normalized}.json`);
+  const raw = JSON.parse(await (0, import_promises3.readFile)(path, "utf-8"));
   const playbook = parsePlaybook(raw);
   if (playbook.provider !== normalized) {
     throw new Error(`Playbook file ${normalized}.json has mismatched provider field`);
@@ -8431,8 +8461,8 @@ function loadPlaybookSync(provider2) {
       `Unknown provider "${provider2}". Available: ${PLAYBOOK_PROVIDERS.join(", ")}`
     );
   }
-  const path3 = (0, import_node_path5.join)(playbooksRoot(), `${normalized}.json`);
-  const raw = JSON.parse((0, import_node_fs5.readFileSync)(path3, "utf-8"));
+  const path = (0, import_node_path5.join)(playbooksRoot(), `${normalized}.json`);
+  const raw = JSON.parse((0, import_node_fs5.readFileSync)(path, "utf-8"));
   const playbook = parsePlaybook(raw);
   if (playbook.provider !== normalized) {
     throw new Error(`Playbook file ${normalized}.json has mismatched provider field`);
@@ -8440,35 +8470,28 @@ function loadPlaybookSync(provider2) {
   return playbook;
 }
 
-// src/providers/envKeys.ts
-var PROVIDER_DEFAULT_KEYS = {
-  stripe: ["STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET"],
-  supabase: [
-    "NEXT_PUBLIC_SUPABASE_URL",
-    "NEXT_PUBLIC_SUPABASE_ANON_KEY",
-    "SUPABASE_SERVICE_ROLE_KEY"
-  ],
-  vercel: []
-};
-var GAP_KEYS = {
-  stripe_webhook_signature_missing: ["STRIPE_WEBHOOK_SECRET"],
-  missing_prod_env_stripe_webhook_secret: ["STRIPE_WEBHOOK_SECRET"],
-  rls_disabled: ["SUPABASE_SERVICE_ROLE_KEY"]
-};
-function normalizeProvider2(provider2) {
-  const normalized = provider2.trim().toLowerCase().replace(/\s+/g, "-");
-  if (normalized === "auth-supabase" || normalized === "supabase-auth") {
-    return "supabase";
-  }
-  return normalized;
+// src/playbooks/manualChecks.ts
+function isManualProviderCheck(check2) {
+  return check2.evidenceClass === "manual-dashboard" || check2.evidenceClass === "mcp-verifier" || check2.evidenceSource === "provider" || check2.evidenceSource === "mcp" || check2.status === "needs-connection" || check2.status === "unknown";
 }
-function envKeysForGap(gapId, provider2) {
-  const gapKeys = GAP_KEYS[gapId];
-  if (gapKeys) {
-    return [...gapKeys];
+function collectManualChecks(artifact) {
+  const refs = [];
+  for (const area of artifact.missionGraph.areas ?? []) {
+    for (const mission of area.providerMissions) {
+      for (const check2 of mission.checks) {
+        if (!isManualProviderCheck(check2)) {
+          continue;
+        }
+        refs.push({
+          areaLabel: area.label,
+          providerLabel: mission.providerLabel,
+          check: check2,
+          mapCategory: area.key
+        });
+      }
+    }
   }
-  const providerKeys = PROVIDER_DEFAULT_KEYS[normalizeProvider2(provider2)];
-  return providerKeys ? [...providerKeys] : [];
+  return refs;
 }
 
 // src/tui/menu.ts
@@ -8493,7 +8516,7 @@ function needsScanMessage(startDir) {
   return [
     "No CLI scan found for this folder.",
     `Looking from: ${cwd}`,
-    'Choose "Make this app production ready", or run the menu from your repo root (where .viberaven/ lives).',
+    'Choose "Scan project", or run the menu from your repo root (where .viberaven/ lives).',
     "VS Code extension scans stay inside the editor \u2014 run a CLI scan once to create .viberaven/ on disk."
   ].join("\n");
 }
@@ -8522,10 +8545,10 @@ function formatTopGapsList(artifact, limit = 10) {
   if (sorted.length === 0) {
     return "No gaps found \u2014 production core looks solid.";
   }
-  return sorted.slice(0, limit).map((gap2, index) => {
-    const severity = gap2.severity.toUpperCase().padEnd(8);
-    const area = gap2.primaryMapCategory.padEnd(12);
-    return `${index + 1}. [${severity}] ${area} ${gap2.title}`;
+  return sorted.slice(0, limit).map((gap, index) => {
+    const severity = gap.severity.toUpperCase().padEnd(8);
+    const area = gap.primaryMapCategory.padEnd(12);
+    return `${index + 1}. [${severity}] ${area} ${gap.title}`;
   }).join("\n");
 }
 async function loadLastArtifact(startDir) {
@@ -8533,504 +8556,64 @@ async function loadLastArtifact(startDir) {
   if (!workspace) {
     throw new ScanNotFoundError(needsScanMessage(startDir));
   }
-  const path3 = (0, import_node_path6.join)(getProjectArtifactsDir(workspace), "last-scan.json");
+  const path = (0, import_node_path6.join)(getProjectArtifactsDir(workspace), "last-scan.json");
   try {
-    const raw = await (0, import_promises4.readFile)(path3, "utf-8");
+    const raw = await (0, import_promises4.readFile)(path, "utf-8");
     return JSON.parse(raw);
   } catch {
     throw new ScanNotFoundError(needsScanMessage(startDir));
   }
 }
 
-// src/buildTaskList.ts
-var KNOWN_RECIPE_GAP_IDS = /* @__PURE__ */ new Set([
-  // emptyCatch (original recipe)
-  "empty-catch",
-  "empty_catch",
-  "emptyCatch",
-  // W3 env-add recipes
-  "auth_secret_missing",
-  "node_env_not_set",
-  "database_url_missing",
-  // W3 file-create recipes
-  "missing_error_boundary",
-  "missing_health_route",
-  "missing_loading_state",
-  "missing_404_page",
-  // W3 file-patch recipes
-  "missing_csp_header",
-  "missing_rate_limit",
-  "eslint_restricted_imports"
-  // NOTE: 'rls_disabled' is intentionally NOT here — it is provider-action only,
-  // canAutoApply=false, and should be classified as 'provider-action' by buildTaskList.
-]);
-function hasRecipe(gapId) {
-  if (KNOWN_RECIPE_GAP_IDS.has(gapId)) return true;
-  const lower = gapId.toLowerCase();
-  return lower.includes("empty") && lower.includes("catch");
-}
-function gapToPlaybookProvider(gap2) {
-  const cat = gap2.primaryMapCategory.toLowerCase();
-  if (cat === "deployment") return "vercel";
-  if (cat === "payments") return "stripe";
-  if (cat === "auth") return "auth-supabase";
-  if (cat === "database") return "supabase";
-  const id = gap2.id.toLowerCase();
-  if (id.includes("vercel") || id.includes("deploy")) return "vercel";
-  if (id.includes("stripe") || id.includes("payment")) return "stripe";
-  if (id.includes("supabase") || id.includes("database") || id.includes("db")) return "supabase";
-  if (id.includes("auth")) return "auth-supabase";
-  return void 0;
-}
-function hasPlaybook(gap2) {
-  try {
-    const provider2 = gapToPlaybookProvider(gap2);
-    if (!provider2) return false;
-    return PLAYBOOK_PROVIDERS.includes(provider2);
-  } catch {
-    return false;
-  }
-}
-function buildProviderAction(gap2, provider2) {
-  try {
-    const playbook = loadPlaybookSync(provider2);
-    const step = playbook.steps[0];
-    if (!step) return void 0;
-    return {
-      provider: provider2,
-      dashboardUrl: step.openUrl ?? `https://${provider2}.com`,
-      // PlaybookStep uses `instruction` — map to exactStep
-      exactStep: step.instruction,
-      envKeyName: envKeysForGap(gap2.id, provider2)[0],
-      envKeyExample: void 0,
-      // Use step title as the done signal
-      doneSignal: `${step.title} step completed`,
-      verifyCommand: PUBLIC_VERIFY_COMMAND
-    };
-  } catch {
-    return void 0;
-  }
-}
+// src/resolveNextAction.ts
+var UPGRADE_URL = "https://viberaven.dev/pricing";
+var LOCKED_LANE_LABELS = {
+  deployment: "Deployment",
+  monitoring: "Monitoring / Analytics",
+  security: "Security",
+  testing: "Testing",
+  landing: "Onboarding",
+  errorHandling: "Error handling / observability"
+};
 function unlockedKeys(artifact) {
   const keys = artifact.usage?.unlockedMapCategoryKeys ?? FREE_TRIAL_UNLOCKED_MAP_CATEGORY_KEYS;
   return new Set(keys);
 }
-function buildTaskList(artifact) {
+function resolveNextAction(artifact) {
   const unlocked = unlockedKeys(artifact);
-  const sorted = sortGapsByPriority(artifact.gaps);
-  return sorted.map((gap2, index) => {
-    const id = `TASK-${String(index + 1).padStart(3, "0")}`;
-    const isLocked = !unlocked.has(gap2.primaryMapCategory);
-    let fixType;
-    if (isLocked) {
-      fixType = "upgrade-required";
-    } else if (hasRecipe(gap2.id)) {
-      fixType = "repo-code";
-    } else if (hasPlaybook(gap2)) {
-      fixType = "provider-action";
-    } else {
-      fixType = "manual-verify";
-    }
-    const base = {
-      id,
-      gapId: gap2.id,
-      severity: gap2.severity,
-      fixType,
-      title: gap2.title,
-      verifyCommand: PUBLIC_VERIFY_COMMAND,
-      requiresUserAction: fixType !== "repo-code"
+  const repoGap = sortGapsByPriority(artifact.gaps).find(
+    (gap) => unlocked.has(gap.primaryMapCategory)
+  );
+  if (repoGap) {
+    return {
+      type: "repo-fix",
+      title: repoGap.title,
+      detail: repoGap.detail,
+      command: `viberaven prompt --gap ${repoGap.id}`
     };
-    if (fixType === "repo-code") {
-      base.mcpTool = "viberaven_heal_apply";
-      base.mcpArgs = { gap: gap2.id, yes: true };
-      base.requiresUserAction = false;
-      if (gap2.copyPrompt) {
-        base.exactFix = gap2.copyPrompt.trim();
-      }
-    } else if (fixType === "provider-action") {
-      try {
-        const provider2 = gapToPlaybookProvider(gap2);
-        if (provider2) {
-          const pa = buildProviderAction(gap2, provider2);
-          if (pa) {
-            base.providerAction = pa;
-            base.action = pa.exactStep;
-          }
-        }
-      } catch {
-        base.fixType = "manual-verify";
-      }
-      base.requiresUserAction = true;
-    }
-    return base;
-  });
-}
-function buildTaskListMarkdown(tasks) {
-  if (tasks.length === 0) {
-    return "# VibeRaven Agent Tasklist\n\n_No gaps found \u2014 production core looks solid._\n";
   }
-  const lines = ["# VibeRaven Agent Tasklist", ""];
-  for (const task of tasks) {
-    const severityLabel = task.severity.toUpperCase();
-    lines.push(`## ${task.id} \xB7 ${task.gapId} \xB7 ${severityLabel}`, "");
-    lines.push(`**Fix type:** ${task.fixType}  `);
-    if (task.file) {
-      lines.push(`**File:** \`${task.file}\`  `);
-    }
-    if (task.action) {
-      lines.push(`**Action:** ${task.action}  `);
-    }
-    if (task.exactFix) {
-      lines.push(`**Exact fix:** ${task.exactFix}  `);
-    } else {
-      lines.push(`**Exact fix:** No automated recipe \u2014 see scanner hint.  `);
-    }
-    lines.push(`**Verify:** \`${task.verifyCommand}\`  `);
-    if (task.mcpTool && task.mcpArgs) {
-      lines.push(
-        `**MCP:** \`${task.mcpTool} ${JSON.stringify(task.mcpArgs)}\`  `
-      );
-    }
-    lines.push(`**Requires user action:** ${task.requiresUserAction}`);
-    if (task.providerAction) {
-      const pa = task.providerAction;
-      lines.push("");
-      lines.push("**Provider action:**");
-      lines.push(`- Provider: ${pa.provider}`);
-      lines.push(`- Dashboard: ${pa.dashboardUrl}`);
-      lines.push(`- Step: ${pa.exactStep}`);
-      if (pa.envKeyName) lines.push(`- Env key: \`${pa.envKeyName}\``);
-      if (pa.doneSignal) lines.push(`- Done when: ${pa.doneSignal}`);
-      if (pa.mcpAlternative) lines.push(`- MCP alternative: \`${pa.mcpAlternative}\``);
+  const manual = collectManualChecks(artifact).find((item3) => unlocked.has(item3.mapCategory));
+  if (manual) {
+    const provider2 = mapCheckToPlaybook(manual.check);
+    let openUrl;
+    try {
+      const playbook = loadPlaybookSync(provider2);
+      openUrl = playbook.steps[0]?.openUrl;
+    } catch {
+      openUrl = void 0;
     }
-    lines.push("");
-  }
-  return `${lines.join("\n")}
-`;
-}
-
-// src/sanitizeArtifact.ts
-var INLINE_SECRET_PATTERNS = [
-  /\b(sk_(?:live|test)_[A-Za-z0-9]{12,}|sk-proj-[A-Za-z0-9_-]{16,}|sk-[A-Za-z0-9_-]{20,})\b/g,
-  /\b(whsec_[A-Za-z0-9]{12,}|rk_(?:live|test)_[A-Za-z0-9]{12,})\b/g,
-  /\bghp_[A-Za-z0-9]{36,}\b/g,
-  /\bgithub_pat_[A-Za-z0-9_]{50,}\b/g,
-  /\bxox[bp]-[A-Za-z0-9-]{20,}\b/g,
-  /\bxapp-[A-Za-z0-9-]{20,}\b/g,
-  /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
-  /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g
-];
-var SENSITIVE_ENV_KEYS = /(?:^|_)(?:ACCESS_TOKEN|AUTHORIZATION|API_KEY|SECRET|SECRET_KEY|SERVICE_ROLE_KEY|TOKEN|PASSWORD|PRIVATE_KEY|CREDENTIALS?)(?:$|_)/i;
-function redactString(value) {
-  let out = value;
-  for (const pattern of INLINE_SECRET_PATTERNS) {
-    out = out.replace(pattern, pattern.source.includes("PRIVATE KEY") ? "[REDACTED_PRIVATE_KEY]" : "[REDACTED_SECRET]");
+    return {
+      type: "provider-guide",
+      title: manual.check.label,
+      detail: manual.check.promptHint || `Configure ${manual.providerLabel} in the provider dashboard (${manual.areaLabel}).`,
+      provider: provider2,
+      playbookStep: 1,
+      command: `viberaven guide ${provider2} --step 1`,
+      openUrl
+    };
   }
-  out = out.replace(/\bAuthorization\s*:\s*([A-Za-z][A-Za-z0-9._-]*)\s+[^\s;,]+/gi, "Authorization: $1 [REDACTED]");
-  return out.replace(
-    /\b([A-Za-z0-9_]*(?:ACCESS_TOKEN|AUTHORIZATION|API_KEY|SECRET|SECRET_KEY|SERVICE_ROLE_KEY|TOKEN|PASSWORD|PRIVATE_KEY|CREDENTIALS?)[A-Za-z0-9_]*)\s*=\s*["']?[^"'\s;,]+["']?/gi,
-    "$1=[REDACTED]"
-  );
-}
-function redactUnknown(value) {
-  if (typeof value === "string") {
-    return redactString(value);
-  }
-  if (Array.isArray(value)) {
-    return value.map(redactUnknown);
-  }
-  if (value && typeof value === "object") {
-    const record = value;
-    const next = {};
-    for (const [key, entry] of Object.entries(record)) {
-      if (SENSITIVE_ENV_KEYS.test(key)) {
-        next[key] = "[REDACTED]";
-      } else {
-        next[key] = redactUnknown(entry);
-      }
-    }
-    return next;
-  }
-  return value;
-}
-function sanitizeArtifactForDisk(artifact) {
-  return redactUnknown(artifact);
-}
-
-// src/risk/riskMapping.ts
-var OWASP = {
-  promptInjection: "LLM01:2025 Prompt Injection",
-  sensitiveDisclosure: "LLM06:2025 Sensitive Information Disclosure",
-  improperOutputHandling: "LLM05:2025 Improper Output Handling",
-  excessiveAgency: "LLM08:2025 Excessive Agency",
-  unboundedConsumption: "LLM10:2025 Unbounded Consumption"
-};
-var SAFECODE = {
-  dataProtection: "Data protection and least-data exposure",
-  callbackValidation: "Callback validation and message integrity",
-  leastPrivilege: "Least privilege and access control",
-  rateLimiting: "Rate limiting and quota enforcement",
-  outputValidation: "Output validation and encoding",
-  promptBoundary: "Prompt boundary validation"
-};
-function tokenize(text) {
-  return text.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
-}
-function hasKeyword(tokens, keyword) {
-  const keywordTokens = tokenize(keyword);
-  if (keywordTokens.length === 0) {
-    return false;
-  }
-  if (keywordTokens.length === 1) {
-    return tokens.includes(keywordTokens[0]);
-  }
-  const textPhrase = ` ${tokens.join(" ")} `;
-  const keywordPhrase = keywordTokens.join(" ");
-  return textPhrase.includes(` ${keywordPhrase} `);
-}
-function hasAny(tokens, keywords) {
-  return keywords.some((keyword) => hasKeyword(tokens, keyword));
-}
-function addUnique(values, value) {
-  if (!values.includes(value)) {
-    values.push(value);
-  }
-}
-function mapGapToRisk(gap2) {
-  const haystack = `${gap2.id} ${gap2.title} ${gap2.primaryMapCategory}`.toLowerCase();
-  const tokens = tokenize(haystack);
-  const owaspLlm = [];
-  const safecode = [];
-  if (hasAny(tokens, ["prompt injection", "prompt_injection", "jailbreak"])) {
-    addUnique(owaspLlm, OWASP.promptInjection);
-    addUnique(safecode, SAFECODE.promptBoundary);
-  }
-  if (hasAny(tokens, [
-    "rls",
-    "row level security",
-    "data exposure",
-    "sensitive information",
-    "sensitive info",
-    "secret exposure"
-  ])) {
-    addUnique(owaspLlm, OWASP.sensitiveDisclosure);
-    addUnique(safecode, SAFECODE.dataProtection);
-  }
-  if (hasAny(tokens, ["webhook", "callback"]) && hasAny(tokens, ["signature", "signing", "integrity", "payment", "stripe"])) {
-    addUnique(owaspLlm, OWASP.improperOutputHandling);
-    addUnique(safecode, SAFECODE.callbackValidation);
-  }
-  if (hasAny(tokens, ["auth", "access", "permission", "role", "privilege"])) {
-    addUnique(owaspLlm, OWASP.excessiveAgency);
-    addUnique(safecode, SAFECODE.leastPrivilege);
-  }
-  if (hasAny(tokens, ["rate limit", "rate_limit", "quota", "usage limit", "throttle"])) {
-    addUnique(owaspLlm, OWASP.unboundedConsumption);
-    addUnique(safecode, SAFECODE.rateLimiting);
-  }
-  if (hasAny(tokens, ["output handling", "output validation", "sanitize", "escaping", "encoding"])) {
-    addUnique(owaspLlm, OWASP.improperOutputHandling);
-    addUnique(safecode, SAFECODE.outputValidation);
-  }
-  return { owaspLlm, safecode };
-}
-
-// src/contracts/prp.ts
-function decisionFromGateStatus(status) {
-  if (status === "clear") return "CLEAR";
-  if (status === "warning") return "WARNING";
-  return "BLOCKED";
-}
-function actionContractFor(task) {
-  if (task.fixType === "repo-code") {
-    return {
-      owner: "coding_agent",
-      actionClass: "local_repo_write",
-      command: healApplyGapCommand(task.gapId)
-    };
-  }
-  if (task.fixType === "provider-action") {
-    return {
-      owner: "human",
-      actionClass: "manual_provider_step",
-      command: promptGapCommand(task.gapId)
-    };
-  }
-  if (task.fixType === "upgrade-required") {
-    return {
-      owner: "human",
-      actionClass: "upgrade_required",
-      command: promptGapCommand(task.gapId)
-    };
-  }
-  if (task.fixType === "manual-verify") {
-    return {
-      owner: "human",
-      actionClass: "local_repo_read",
-      command: promptGapCommand(task.gapId)
-    };
-  }
-  return {
-    owner: "coding_agent",
-    actionClass: "local_repo_read",
-    command: promptGapCommand(task.gapId)
-  };
-}
-function nextActionFromTask(task) {
-  return {
-    id: task.id,
-    gapId: task.gapId,
-    severity: task.severity,
-    title: task.title,
-    fixType: task.fixType,
-    requiresUserAction: task.requiresUserAction,
-    verifyCommand: task.verifyCommand,
-    ...actionContractFor(task)
-  };
-}
-function generateProductionProtocol(artifact, options = {}) {
-  const safeArtifact = sanitizeArtifactForDisk(artifact);
-  const contextMap = generateContextMap(safeArtifact);
-  const tasks = buildTaskList(safeArtifact);
-  return {
-    $schema: "https://viberaven.dev/schemas/prp.schema.json",
-    schemaVersion: "v1",
-    generatedAt: safeArtifact.scannedAt,
-    mode: options.mode ?? "live",
-    decision: decisionFromGateStatus(contextMap.productionGate.status),
-    detectedStack: {
-      archetype: safeArtifact.archetype ?? null,
-      deployment: contextMap.stack.deployment,
-      database: contextMap.stack.database,
-      auth: contextMap.stack.auth,
-      payments: contextMap.stack.payments,
-      monitoring: contextMap.stack.monitoring
-    },
-    findings: safeArtifact.gaps.map((gap2) => ({
-      id: gap2.id,
-      severity: gap2.severity,
-      title: gap2.title,
-      area: String(gap2.primaryMapCategory),
-      riskMapping: mapGapToRisk(gap2)
-    })),
-    nextActions: tasks.map(nextActionFromTask),
-    connectedTools: options.connectedTools ?? {},
-    providerActionsRequired: tasks.some((task) => task.fixType === "provider-action"),
-    verifyCommand: PUBLIC_VERIFY_COMMAND,
-    agentInstructions: [
-      "Read .viberaven/agent-tasklist.md before making launch fixes.",
-      `Apply repo-code nextActions first, then run ${PUBLIC_VERIFY_COMMAND} once per batch.`,
-      "For human-owned actions, use the command to open the focused provider prompt and do not request secrets."
-    ]
-  };
-}
-
-// src/playbooks/checkMap.ts
-var CHECK_TO_PLAYBOOK = {
-  "vercel-deployment": "vercel",
-  "vercel-project": "vercel",
-  "supabase-project": "supabase",
-  "supabase-env": "supabase",
-  "stripe-webhook": "stripe",
-  "stripe-product": "stripe",
-  "stripe-keys": "stripe"
-};
-function mapCheckToPlaybook(check) {
-  if (CHECK_TO_PLAYBOOK[check.id]) {
-    return CHECK_TO_PLAYBOOK[check.id];
-  }
-  const providerKey = check.providerKey.toLowerCase();
-  if (providerKey.includes("vercel") || check.area === "deployment") {
-    return "vercel";
-  }
-  if (providerKey.includes("stripe") || check.area === "payments") {
-    return "stripe";
-  }
-  if (providerKey.includes("supabase") && check.area === "auth") {
-    return "auth-supabase";
-  }
-  if (providerKey.includes("supabase") || check.area === "database") {
-    return "supabase";
-  }
-  if (check.area === "auth") {
-    return "auth-supabase";
-  }
-  return "vercel";
-}
-
-// src/playbooks/manualChecks.ts
-function isManualProviderCheck(check) {
-  return check.evidenceClass === "manual-dashboard" || check.evidenceClass === "mcp-verifier" || check.evidenceSource === "provider" || check.evidenceSource === "mcp" || check.status === "needs-connection" || check.status === "unknown";
-}
-function collectManualChecks(artifact) {
-  const refs = [];
-  for (const area of artifact.missionGraph.areas ?? []) {
-    for (const mission of area.providerMissions) {
-      for (const check of mission.checks) {
-        if (!isManualProviderCheck(check)) {
-          continue;
-        }
-        refs.push({
-          areaLabel: area.label,
-          providerLabel: mission.providerLabel,
-          check,
-          mapCategory: area.key
-        });
-      }
-    }
-  }
-  return refs;
-}
-
-// src/resolveNextAction.ts
-var UPGRADE_URL = "https://viberaven.dev/pricing";
-var LOCKED_LANE_LABELS = {
-  deployment: "Deployment",
-  monitoring: "Monitoring / Analytics",
-  security: "Security",
-  testing: "Testing",
-  landing: "Onboarding",
-  errorHandling: "Error handling / observability"
-};
-function unlockedKeys2(artifact) {
-  const keys = artifact.usage?.unlockedMapCategoryKeys ?? FREE_TRIAL_UNLOCKED_MAP_CATEGORY_KEYS;
-  return new Set(keys);
-}
-function resolveNextAction(artifact) {
-  const unlocked = unlockedKeys2(artifact);
-  const repoGap = sortGapsByPriority(artifact.gaps).find(
-    (gap2) => unlocked.has(gap2.primaryMapCategory)
-  );
-  if (repoGap) {
-    return {
-      type: "repo-fix",
-      title: repoGap.title,
-      detail: repoGap.detail,
-      command: `viberaven prompt --gap ${repoGap.id}`
-    };
-  }
-  const manual = collectManualChecks(artifact).find((item3) => unlocked.has(item3.mapCategory));
-  if (manual) {
-    const provider2 = mapCheckToPlaybook(manual.check);
-    let openUrl;
-    try {
-      const playbook = loadPlaybookSync(provider2);
-      openUrl = playbook.steps[0]?.openUrl;
-    } catch {
-      openUrl = void 0;
-    }
-    return {
-      type: "provider-guide",
-      title: manual.check.label,
-      detail: manual.check.promptHint || `Configure ${manual.providerLabel} in the provider dashboard (${manual.areaLabel}).`,
-      provider: provider2,
-      playbookStep: 1,
-      command: `viberaven guide ${provider2} --step 1`,
-      openUrl
-    };
-  }
-  const lockedGap = sortGapsByPriority(artifact.gaps).find(
-    (gap2) => !unlocked.has(gap2.primaryMapCategory)
+  const lockedGap = sortGapsByPriority(artifact.gaps).find(
+    (gap) => !unlocked.has(gap.primaryMapCategory)
   );
   if (lockedGap) {
     const lane = lockedGap.primaryMapCategory;
@@ -9154,22 +8737,22 @@ function generateAgentSummary(artifact) {
   if (topGaps.length === 0) {
     lines.push("_No model gaps returned. Review mission map checks before changing code._");
   } else {
-    topGaps.forEach((gap2, index) => {
+    topGaps.forEach((gap, index) => {
       lines.push(
-        `${index + 1}. **${gap2.title}** (\`${gap2.id}\`, ${gap2.severity}, map: \`${gap2.primaryMapCategory}\`)`
+        `${index + 1}. **${gap.title}** (\`${gap.id}\`, ${gap.severity}, map: \`${gap.primaryMapCategory}\`)`
       );
-      lines.push(`   - ${gap2.detail}`);
-      lines.push(`   - Command: \`viberaven prompt --gap ${gap2.id}\``);
-      if (gap2.copyPrompt) {
-        lines.push(`   - Prompt: ${gap2.copyPrompt}`);
+      lines.push(`   - ${gap.detail}`);
+      lines.push(`   - Command: \`viberaven prompt --gap ${gap.id}\``);
+      if (gap.copyPrompt) {
+        lines.push(`   - Prompt: ${gap.copyPrompt}`);
       }
     });
   }
   const manualChecks = (artifact.missionGraph.areas ?? []).flatMap(
     (area) => area.providerMissions.flatMap(
       (mission) => mission.checks.filter(
-        (check) => check.evidenceClass === "manual-dashboard" || check.evidenceClass === "mcp-verifier" || check.evidenceSource === "provider" || check.evidenceSource === "mcp" || check.status === "needs-connection" || check.status === "unknown"
-      ).map((check) => ({ area: area.label, provider: mission.providerLabel, check }))
+        (check2) => check2.evidenceClass === "manual-dashboard" || check2.evidenceClass === "mcp-verifier" || check2.evidenceSource === "provider" || check2.evidenceSource === "mcp" || check2.status === "needs-connection" || check2.status === "unknown"
+      ).map((check2) => ({ area: area.label, provider: mission.providerLabel, check: check2 }))
     )
   );
   lines.push("");
@@ -9206,6 +8789,174 @@ function generateAgentSummary(artifact) {
 `;
 }
 
+// src/buildTaskList.ts
+var KNOWN_RECIPE_GAP_IDS = /* @__PURE__ */ new Set([
+  // emptyCatch (original recipe)
+  "empty-catch",
+  "empty_catch",
+  "emptyCatch",
+  // W3 env-add recipes
+  "auth_secret_missing",
+  "node_env_not_set",
+  "database_url_missing",
+  // W3 file-create recipes
+  "missing_error_boundary",
+  "missing_health_route",
+  "missing_loading_state",
+  "missing_404_page",
+  // W3 file-patch recipes
+  "missing_csp_header",
+  "missing_rate_limit",
+  "eslint_restricted_imports"
+  // NOTE: 'rls_disabled' is intentionally NOT here — it is provider-action only,
+  // canAutoApply=false, and should be classified as 'provider-action' by buildTaskList.
+]);
+function hasRecipe(gapId) {
+  if (KNOWN_RECIPE_GAP_IDS.has(gapId)) return true;
+  const lower = gapId.toLowerCase();
+  return lower.includes("empty") && lower.includes("catch");
+}
+function gapToPlaybookProvider(gap) {
+  const cat = gap.primaryMapCategory.toLowerCase();
+  if (cat === "deployment") return "vercel";
+  if (cat === "payments") return "stripe";
+  if (cat === "auth") return "auth-supabase";
+  if (cat === "database") return "supabase";
+  const id = gap.id.toLowerCase();
+  if (id.includes("vercel") || id.includes("deploy")) return "vercel";
+  if (id.includes("stripe") || id.includes("payment")) return "stripe";
+  if (id.includes("supabase") || id.includes("database") || id.includes("db")) return "supabase";
+  if (id.includes("auth")) return "auth-supabase";
+  return void 0;
+}
+function hasPlaybook(gap) {
+  try {
+    const provider2 = gapToPlaybookProvider(gap);
+    if (!provider2) return false;
+    return PLAYBOOK_PROVIDERS.includes(provider2);
+  } catch {
+    return false;
+  }
+}
+function buildProviderAction(gap, provider2) {
+  try {
+    const playbook = loadPlaybookSync(provider2);
+    const step = playbook.steps[0];
+    if (!step) return void 0;
+    return {
+      provider: provider2,
+      dashboardUrl: step.openUrl ?? `https://${provider2}.com`,
+      // PlaybookStep uses `instruction` — map to exactStep
+      exactStep: step.instruction,
+      // No envKeyName/envKeyExample in current PlaybookStep schema — leave undefined
+      envKeyName: void 0,
+      envKeyExample: void 0,
+      // Use step title as the done signal
+      doneSignal: `${step.title} step completed`,
+      verifyCommand: PUBLIC_VERIFY_COMMAND
+    };
+  } catch {
+    return void 0;
+  }
+}
+function unlockedKeys2(artifact) {
+  const keys = artifact.usage?.unlockedMapCategoryKeys ?? FREE_TRIAL_UNLOCKED_MAP_CATEGORY_KEYS;
+  return new Set(keys);
+}
+function buildTaskList(artifact) {
+  const unlocked = unlockedKeys2(artifact);
+  const sorted = sortGapsByPriority(artifact.gaps);
+  return sorted.map((gap, index) => {
+    const id = `TASK-${String(index + 1).padStart(3, "0")}`;
+    const isLocked = !unlocked.has(gap.primaryMapCategory);
+    let fixType;
+    if (isLocked) {
+      fixType = "upgrade-required";
+    } else if (hasRecipe(gap.id)) {
+      fixType = "repo-code";
+    } else if (hasPlaybook(gap)) {
+      fixType = "provider-action";
+    } else {
+      fixType = "manual-verify";
+    }
+    const base = {
+      id,
+      gapId: gap.id,
+      severity: gap.severity,
+      fixType,
+      title: gap.title,
+      verifyCommand: PUBLIC_VERIFY_COMMAND,
+      requiresUserAction: fixType !== "repo-code"
+    };
+    if (fixType === "repo-code") {
+      base.mcpTool = "viberaven_heal_apply";
+      base.mcpArgs = { gap: gap.id, yes: true };
+      base.requiresUserAction = false;
+      if (gap.copyPrompt) {
+        base.exactFix = gap.copyPrompt.trim();
+      }
+    } else if (fixType === "provider-action") {
+      try {
+        const provider2 = gapToPlaybookProvider(gap);
+        if (provider2) {
+          const pa = buildProviderAction(gap, provider2);
+          if (pa) {
+            base.providerAction = pa;
+            base.action = pa.exactStep;
+          }
+        }
+      } catch {
+        base.fixType = "manual-verify";
+      }
+      base.requiresUserAction = true;
+    }
+    return base;
+  });
+}
+function buildTaskListMarkdown(tasks) {
+  if (tasks.length === 0) {
+    return "# VibeRaven Agent Tasklist\n\n_No gaps found \u2014 production core looks solid._\n";
+  }
+  const lines = ["# VibeRaven Agent Tasklist", ""];
+  for (const task of tasks) {
+    const severityLabel = task.severity.toUpperCase();
+    lines.push(`## ${task.id} \xB7 ${task.gapId} \xB7 ${severityLabel}`, "");
+    lines.push(`**Fix type:** ${task.fixType}  `);
+    if (task.file) {
+      lines.push(`**File:** \`${task.file}\`  `);
+    }
+    if (task.action) {
+      lines.push(`**Action:** ${task.action}  `);
+    }
+    if (task.exactFix) {
+      lines.push(`**Exact fix:** ${task.exactFix}  `);
+    } else {
+      lines.push(`**Exact fix:** No automated recipe \u2014 see scanner hint.  `);
+    }
+    lines.push(`**Verify:** \`${task.verifyCommand}\`  `);
+    if (task.mcpTool && task.mcpArgs) {
+      lines.push(
+        `**MCP:** \`${task.mcpTool} ${JSON.stringify(task.mcpArgs)}\`  `
+      );
+    }
+    lines.push(`**Requires user action:** ${task.requiresUserAction}`);
+    if (task.providerAction) {
+      const pa = task.providerAction;
+      lines.push("");
+      lines.push("**Provider action:**");
+      lines.push(`- Provider: ${pa.provider}`);
+      lines.push(`- Dashboard: ${pa.dashboardUrl}`);
+      lines.push(`- Step: ${pa.exactStep}`);
+      if (pa.envKeyName) lines.push(`- Env key: \`${pa.envKeyName}\``);
+      if (pa.doneSignal) lines.push(`- Done when: ${pa.doneSignal}`);
+      if (pa.mcpAlternative) lines.push(`- MCP alternative: \`${pa.mcpAlternative}\``);
+    }
+    lines.push("");
+  }
+  return `${lines.join("\n")}
+`;
+}
+
 // src/report/launchPlaybook.ts
 var UPGRADE_URL3 = "https://viberaven.dev/pricing";
 function unlockedSet(artifact) {
@@ -9219,13 +8970,13 @@ function generateLaunchPlaybook(artifact) {
   lines.push(`Generated from scan at ${artifact.scannedAt}. Work top to bottom.`, "");
   lines.push("## Repo fixes (agent code)", "");
   const repoGaps = sortGapsByPriority(artifact.gaps).filter(
-    (gap2) => unlocked.has(gap2.primaryMapCategory)
+    (gap) => unlocked.has(gap.primaryMapCategory)
   );
   if (repoGaps.length === 0) {
     lines.push("_No repo-code gaps in unlocked lanes._", "");
   } else {
-    for (const gap2 of repoGaps) {
-      lines.push(`- [ ] ${gap2.title} \u2014 \`viberaven prompt --gap ${gap2.id}\``);
+    for (const gap of repoGaps) {
+      lines.push(`- [ ] ${gap.title} \u2014 \`viberaven prompt --gap ${gap.id}\``);
     }
     lines.push("");
   }
@@ -9245,14 +8996,14 @@ function generateLaunchPlaybook(artifact) {
   if (!isPro) {
     lines.push("## [Pro] Deployment, monitoring, and full map", "");
     const proGaps = sortGapsByPriority(artifact.gaps).filter(
-      (gap2) => !unlocked.has(gap2.primaryMapCategory)
+      (gap) => !unlocked.has(gap.primaryMapCategory)
     );
     const proManuals = collectManualChecks(artifact).filter((item3) => !unlocked.has(item3.mapCategory));
     if (proGaps.length === 0 && proManuals.length === 0) {
       lines.push("_No Pro-only blockers detected._", "");
     } else {
-      for (const gap2 of proGaps.slice(0, 6)) {
-        lines.push(`- [ ] ${gap2.title} [Pro] \u2014 upgrade at ${UPGRADE_URL3}`);
+      for (const gap of proGaps.slice(0, 6)) {
+        lines.push(`- [ ] ${gap.title} [Pro] \u2014 upgrade at ${UPGRADE_URL3}`);
       }
       for (const item3 of proManuals.slice(0, 6)) {
         lines.push(`- [ ] ${item3.check.label} [Pro] \u2014 upgrade at ${UPGRADE_URL3}`);
@@ -9377,21 +9128,6 @@ function getStationHtml(nonce, cssUri, jsUri, options) {
                 </div>
               </header>
 
-              <section class="studio-launch-hero" aria-label="VibeRaven readiness">
-                <div class="studio-launch-hero__main">
-                  <p class="studio-launch-hero__wordmark">VibeRaven</p>
-                  <div class="studio-launch-hero__decision" id="studio-launch-decision">\u25C7 BLOCKED</div>
-                  <div class="studio-launch-hero__gauge" aria-hidden="true">
-                    <span id="studio-launch-gauge-fill" class="studio-launch-hero__gauge-fill" style="width:25%"></span>
-                  </div>
-                </div>
-                <div class="studio-launch-hero__next">
-                  <span class="studio-launch-hero__next-label">Next action</span>
-                  <strong id="studio-launch-next-action">Run a scan to map production gaps.</strong>
-                  <button type="button" class="studio-launch-hero__verify" data-station-action="rescan">Run verify</button>
-                </div>
-              </section>
-
               <div class="studio-workspace">
                 <nav class="studio-nav-rail" aria-label="Studio areas">
                   <span class="studio-nav-rail__item studio-nav-rail__item--active" aria-label="Architecture">ARCH</span>
@@ -9623,6 +9359,54 @@ var REPORT_ASSET_FILES = [
   "assets/provider-logrocket.svg"
 ];
 
+// src/sanitizeArtifact.ts
+var INLINE_SECRET_PATTERNS = [
+  /\b(sk_(?:live|test)_[A-Za-z0-9]{12,}|sk-proj-[A-Za-z0-9_-]{16,}|sk-[A-Za-z0-9_-]{20,})\b/g,
+  /\b(whsec_[A-Za-z0-9]{12,}|rk_(?:live|test)_[A-Za-z0-9]{12,})\b/g,
+  /\bghp_[A-Za-z0-9]{36,}\b/g,
+  /\bgithub_pat_[A-Za-z0-9_]{50,}\b/g,
+  /\bxox[bp]-[A-Za-z0-9-]{20,}\b/g,
+  /\bxapp-[A-Za-z0-9-]{20,}\b/g,
+  /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
+  /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g
+];
+var SENSITIVE_ENV_KEYS = /(?:^|_)(?:ACCESS_TOKEN|AUTHORIZATION|API_KEY|SECRET|SECRET_KEY|SERVICE_ROLE_KEY|TOKEN|PASSWORD|PRIVATE_KEY|CREDENTIALS?)(?:$|_)/i;
+function redactString(value) {
+  let out = value;
+  for (const pattern of INLINE_SECRET_PATTERNS) {
+    out = out.replace(pattern, pattern.source.includes("PRIVATE KEY") ? "[REDACTED_PRIVATE_KEY]" : "[REDACTED_SECRET]");
+  }
+  out = out.replace(/\bAuthorization\s*:\s*([A-Za-z][A-Za-z0-9._-]*)\s+[^\s;,]+/gi, "Authorization: $1 [REDACTED]");
+  return out.replace(
+    /\b([A-Za-z0-9_]*(?:ACCESS_TOKEN|AUTHORIZATION|API_KEY|SECRET|SECRET_KEY|SERVICE_ROLE_KEY|TOKEN|PASSWORD|PRIVATE_KEY|CREDENTIALS?)[A-Za-z0-9_]*)\s*=\s*["']?[^"'\s;,]+["']?/gi,
+    "$1=[REDACTED]"
+  );
+}
+function redactUnknown(value) {
+  if (typeof value === "string") {
+    return redactString(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map(redactUnknown);
+  }
+  if (value && typeof value === "object") {
+    const record = value;
+    const next = {};
+    for (const [key, entry] of Object.entries(record)) {
+      if (SENSITIVE_ENV_KEYS.test(key)) {
+        next[key] = "[REDACTED]";
+      } else {
+        next[key] = redactUnknown(entry);
+      }
+    }
+    return next;
+  }
+  return value;
+}
+function sanitizeArtifactForDisk(artifact) {
+  return redactUnknown(artifact);
+}
+
 // src/artifacts.ts
 async function copyReportAssets(reportAssetsDir) {
   const sourceDir = getBundledReportAssetsDir();
@@ -9638,7 +9422,6 @@ async function writeScanArtifacts(options) {
   const jsonPath = (0, import_node_path8.join)(dir, "last-scan.json");
   const gateResultPath = (0, import_node_path8.join)(dir, "gate-result.json");
   const contextMapPath = (0, import_node_path8.join)(dir, "context-map.json");
-  const prpPath = (0, import_node_path8.join)(dir, "prp.json");
   const gapsDir = (0, import_node_path8.join)(dir, "gaps");
   const tasklistPath = (0, import_node_path8.join)(dir, "agent-tasklist.md");
   const summaryPath = (0, import_node_path8.join)(dir, "agent-summary.md");
@@ -9657,20 +9440,13 @@ async function writeScanArtifacts(options) {
   const gateResult = `${JSON.stringify(generateGateResult(safe), null, 2)}
 `;
   const contextMap = `${JSON.stringify(generateContextMap(safe), null, 2)}
-`;
-  const prp = `${JSON.stringify(
-    generateProductionProtocol(safe, { connectedTools: options.connectedTools, mode: options.prpMode }),
-    null,
-    2
-  )}
 `;
   const gapEvidenceFiles = generateGapEvidenceFiles(safe);
   await copyReportAssets(reportAssetsDir);
   await (0, import_promises5.writeFile)(gateResultPath, gateResult, "utf-8");
   await (0, import_promises5.writeFile)(contextMapPath, contextMap, "utf-8");
-  await (0, import_promises5.writeFile)(prpPath, prp, "utf-8");
-  for (const gap2 of gapEvidenceFiles) {
-    await (0, import_promises5.writeFile)((0, import_node_path8.join)(dir, "gaps", `${gap2.content.id}.json`), `${JSON.stringify(gap2.content, null, 2)}
+  for (const gap of gapEvidenceFiles) {
+    await (0, import_promises5.writeFile)((0, import_node_path8.join)(dir, "gaps", `${gap.content.id}.json`), `${JSON.stringify(gap.content, null, 2)}
 `, "utf-8");
   }
   await (0, import_promises5.writeFile)(tasklistPath, tasklist, "utf-8");
@@ -9683,7 +9459,6 @@ async function writeScanArtifacts(options) {
     jsonPath,
     gateResultPath,
     contextMapPath,
-    prpPath,
     gapsDir,
     tasklistPath,
     summaryPath,
@@ -9766,12 +9541,12 @@ async function copyToClipboard(text) {
   }
 }
 function pipeToCommand(command, text, extraArgs = []) {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve5, reject) => {
     const child = (0, import_node_child_process2.spawn)(command, extraArgs, { stdio: ["pipe", "ignore", "ignore"] });
     child.on("error", reject);
     child.on("close", (code) => {
       if (code === 0) {
-        resolve6();
+        resolve5();
       } else {
         reject(new Error(`${command} exited with code ${code ?? "unknown"}`));
       }
@@ -9798,9 +9573,9 @@ function missionMatchesProvider(mission, provider2) {
   return normalizeProviderToken2(mission.provider || mission.providerLabel || mission.key) === current || normalizeProviderToken2(mission.providerLabel || mission.provider || mission.key) === current;
 }
 function missionEvidenceScore(mission) {
-  const repoVerified = mission.checks.filter((check) => check.evidenceClass === "repo-verified" || check.status === "passed").length;
+  const repoVerified = mission.checks.filter((check2) => check2.evidenceClass === "repo-verified" || check2.status === "passed").length;
   const missing = mission.checks.filter(
-    (check) => check.evidenceClass === "missing-repo-fix" || check.status === "missing" || check.status === "failed"
+    (check2) => check2.evidenceClass === "missing-repo-fix" || check2.status === "missing" || check2.status === "failed"
   ).length;
   return repoVerified * 100 + (mission.readinessPercent ?? 0) - missing;
 }
@@ -9820,7 +9595,7 @@ function openChecksForMission(mission) {
     return 0;
   }
   return mission.checks.filter(
-    (check) => check.status === "missing" || check.status === "failed" || check.status === "needs-connection"
+    (check2) => check2.status === "missing" || check2.status === "failed" || check2.status === "needs-connection"
   ).length;
 }
 
@@ -9852,7 +9627,7 @@ function manualActionCheckCount(artifact) {
   return (artifact.missionGraph.areas ?? []).reduce((areaTotal, area) => {
     return areaTotal + area.providerMissions.reduce((missionTotal, mission) => {
       return missionTotal + mission.checks.filter(
-        (check) => check.evidenceClass === "manual-dashboard" || check.evidenceClass === "mcp-verifier" || check.evidenceSource === "provider" || check.evidenceSource === "mcp" || check.status === "needs-connection" || check.status === "unknown"
+        (check2) => check2.evidenceClass === "manual-dashboard" || check2.evidenceClass === "mcp-verifier" || check2.evidenceSource === "provider" || check2.evidenceSource === "mcp" || check2.status === "needs-connection" || check2.status === "unknown"
       ).length;
     }, 0);
   }, 0);
@@ -9879,10 +9654,10 @@ function printScanSummary(artifact, paths) {
     const modelGaps = artifact.gaps.filter((g2) => g2.primaryMapCategory === area.key).length;
     const tag = modelGaps > 0 ? `  GAP ${modelGaps}` : open > 0 ? `  ${open} fix` : "";
     const tagColored = tag ? gapTagColor(modelGaps, open)(tag) : "";
-    const label2 = area.label.padEnd(18);
+    const label = area.label.padEnd(18);
     const provider2 = mission.providerLabel.padEnd(14);
     const readiness = readinessColor(mission.readinessPercent)(`${mission.readinessPercent}%`);
-    console.log(`  ${import_picocolors.default.dim(label2)} ${provider2} ${readiness}${tagColored}`);
+    console.log(`  ${import_picocolors.default.dim(label)} ${provider2} ${readiness}${tagColored}`);
   }
   console.log("");
   console.log(import_picocolors.default.bold("Artifacts:"));
@@ -9904,7 +9679,7 @@ function printScanSummary(artifact, paths) {
   if (next.upgradeUrl) {
     console.log(`Upgrade: ${next.upgradeUrl}`);
   }
-  console.log(formatAgentStatus(AGENT_ACTION, "Read .viberaven/agent-tasklist.md, run the next command above, then rescan."));
+  console.log(formatAgentStatus(AGENT_ACTION, "Keep operating: read .viberaven/agent-tasklist.md, apply the next safe repo fix, then continue the VibeRaven loop."));
   console.log("");
   if (artifact.usage) {
     const lanes = artifact.usage.unlockedMapCategoryKeys.length;
@@ -10009,8 +9784,8 @@ function validateSafeFixJobInput(kind, rawInput) {
     }
   };
 }
-function validateSafeFixRelativePath(path3) {
-  const trimmed = path3.trim();
+function validateSafeFixRelativePath(path) {
+  const trimmed = path.trim();
   if (!trimmed) {
     return { ok: false, reason: "Safe fix path must not be empty." };
   }
@@ -10052,11 +9827,11 @@ var SECRET_VALUE_PATTERNS = [
   /\bwhsec_[A-Za-z0-9]{12,}\b/,
   /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/
 ];
-function isAllowedSafeFixPath(path3) {
-  if (path3 === ".env.example") {
+function isAllowedSafeFixPath(path) {
+  if (path === ".env.example") {
     return true;
   }
-  const segments = path3.split("/");
+  const segments = path.split("/");
   if (segments.length !== 2) {
     return false;
   }
@@ -10167,10 +9942,10 @@ function sleepForRunnerPoll(ms, signal) {
   if (signal?.aborted) {
     return Promise.reject(createRunnerWatchAbortError());
   }
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve5, reject) => {
     const timer = setTimeout(() => {
       cleanup();
-      resolve6();
+      resolve5();
     }, ms);
     const onAbort = () => {
       cleanup();
@@ -10362,8 +10137,8 @@ async function resolveSafeFixTarget(workspaceRoot, relativePath) {
   }
   return { ok: true, path: target };
 }
-async function realpathNearestExisting(path3, root) {
-  let candidate = path3;
+async function realpathNearestExisting(path, root) {
+  let candidate = path;
   while (isInsideRoot(root, candidate)) {
     try {
       await (0, import_promises6.lstat)(candidate);
@@ -10494,8 +10269,8 @@ function buildStationScanProof(kind, artifact) {
     `gaps: ${artifact.gaps.length}`,
     `summary: ${artifact.summary || "No summary returned."}`
   ];
-  for (const gap2 of artifact.gaps.slice(0, 5)) {
-    evidence.push(`gap: ${gap2.title} (${gap2.severity})`);
+  for (const gap of artifact.gaps.slice(0, 5)) {
+    evidence.push(`gap: ${gap.title} (${gap.severity})`);
   }
   for (const area of (artifact.missionGraph.areas ?? []).slice(0, 6)) {
     for (const mission of area.providerMissions.slice(0, 1)) {
@@ -10561,13 +10336,13 @@ function summarizeSafeNoopJob(job) {
     proofItems: [proofItemForJob(job, "runner_summary", "Runner summary", summary, [])]
   };
 }
-function proofItemForJob(job, kind, label2, summary, evidence, redactionSecrets = []) {
+function proofItemForJob(job, kind, label, summary, evidence, redactionSecrets = []) {
   return {
     deploySessionId: job.deploySessionId,
     runnerSessionId: job.runnerSessionId,
     jobId: job.id,
     kind,
-    label: label2,
+    label,
     summary: redactRunnerProofText(summary, redactionSecrets),
     evidence: evidence.map((value) => redactRunnerProofText(value, redactionSecrets)),
     redacted: true
@@ -10590,10 +10365,10 @@ function packageScriptArgs(command, scriptName) {
   }
   return ["run", scriptName];
 }
-function summarizeCommandOutput(label2, result, redactionSecrets = []) {
+function summarizeCommandOutput(label, result, redactionSecrets = []) {
   const lines = `${result.stdout}
 ${result.stderr ?? ""}`.split(/\r?\n/).map((line) => redactRunnerProofText(line.trim(), redactionSecrets)).filter(Boolean).slice(0, 8);
-  return [`${label2} ${result.ok ? "succeeded" : "failed"}`, ...lines];
+  return [`${label} ${result.ok ? "succeeded" : "failed"}`, ...lines];
 }
 function redactRunnerProofText(value, additionalSecrets = []) {
   let out = redactAdditionalSecrets(value, additionalSecrets);
@@ -10742,9 +10517,9 @@ function formatRepoMatch(repoMatch) {
   }
 }
 async function runCommand(command, args, cwd) {
-  return new Promise((resolve6) => {
+  return new Promise((resolve5) => {
     (0, import_node_child_process3.execFile)(command, args, { cwd, windowsHide: true }, (error, stdout, stderr) => {
-      resolve6({
+      resolve5({
         ok: !error,
         stdout: String(stdout ?? ""),
         stderr: String(stderr ?? "")
@@ -10869,7 +10644,7 @@ function isRecord6(value) {
 // src/tui/runInteractive.ts
 var import_node_path14 = require("node:path");
 
-// ../../../../node_modules/@clack/core/dist/index.mjs
+// ../../node_modules/@clack/core/dist/index.mjs
 var import_sisteransi = __toESM(require_src(), 1);
 var import_node_process = require("node:process");
 var g = __toESM(require("node:readline"), 1);
@@ -11227,7 +11002,7 @@ var LD = class extends x {
   }
 };
 
-// ../../../../node_modules/@clack/prompts/dist/index.mjs
+// ../../node_modules/@clack/prompts/dist/index.mjs
 var import_node_process2 = __toESM(require("node:process"), 1);
 var import_picocolors2 = __toESM(require_picocolors(), 1);
 var import_sisteransi2 = __toESM(require_src(), 1);
@@ -11406,12 +11181,12 @@ var import_picocolors4 = __toESM(require_picocolors());
 function compact(value) {
   return String(value ?? "").replace(/\s+/g, " ").trim();
 }
-function originalHint(gap2) {
-  const hint = compact(gap2.copyPrompt);
+function originalHint(gap) {
+  const hint = compact(gap.copyPrompt);
   return hint ? hint : "No scanner hint was returned for this gap.";
 }
-function buildAgentFixPrompt(artifact, gap2) {
-  const affected = [gap2.primaryMapCategory, ...gap2.affectedMapCategories ?? []].filter(Boolean).filter((value, index, all) => all.indexOf(value) === index).join(", ");
+function buildAgentFixPrompt(artifact, gap) {
+  const affected = [gap.primaryMapCategory, ...gap.affectedMapCategories ?? []].filter(Boolean).filter((value, index, all) => all.indexOf(value) === index).join(", ");
   return [
     "You are an AI coding agent using VibeRaven as the production-readiness map.",
     "",
@@ -11419,11 +11194,11 @@ function buildAgentFixPrompt(artifact, gap2) {
     "",
     `Project: ${artifact.workspacePath}`,
     `Current VibeRaven state: production core ${artifact.productionCorePercent}% | score ${artifact.score} (${artifact.scoreLabel})`,
-    `Gap: ${gap2.title}`,
-    `Gap id: ${gap2.id}`,
-    `Severity: ${gap2.severity}`,
-    `Production area: ${gap2.primaryMapCategory}${affected ? ` | affected: ${affected}` : ""}`,
-    `Scanner detail: ${compact(gap2.detail)}`,
+    `Gap: ${gap.title}`,
+    `Gap id: ${gap.id}`,
+    `Severity: ${gap.severity}`,
+    `Production area: ${gap.primaryMapCategory}${affected ? ` | affected: ${affected}` : ""}`,
+    `Scanner detail: ${compact(gap.detail)}`,
     "",
     "Required workflow:",
     "1. Read `.viberaven/agent-summary.md` and `.viberaven/launch-playbook.md` before changing code.",
@@ -11449,12 +11224,12 @@ function buildAgentFixPrompt(artifact, gap2) {
     "- Report what changed, what verification passed, and which VibeRaven gap remains next.",
     "",
     "Original scanner hint:",
-    originalHint(gap2)
+    originalHint(gap)
   ].join("\n");
 }
 
 // src/version.ts
-var VERSION = "1.1.4";
+var VERSION = "1.1.6";
 
 // src/commands/guide.ts
 var import_picocolors3 = __toESM(require_picocolors());
@@ -11615,7 +11390,7 @@ function buildVercelSupabaseAudit(input) {
     buildPoolerCheck(input.files),
     buildServiceRoleCheck(input.files)
   ];
-  const status = checks.every((check) => check.status === "pass") ? "pass" : "needs_work";
+  const status = checks.every((check2) => check2.status === "pass") ? "pass" : "needs_work";
   return {
     status,
     summary: status === "pass" ? "Repo evidence passes the local Vercel/Supabase audit checks." : "Repo evidence needs work before claiming Vercel/Supabase production readiness.",
@@ -11702,13 +11477,13 @@ function renderVercelSupabaseAudit(result) {
     "Boundary: this audit uses local repo evidence only. Provider dashboard settings still need manual verification or read-only provider MCP confirmation.",
     ""
   ];
-  for (const check of result.checks) {
-    lines.push(`${check.status === "pass" ? "PASS" : "NEEDS_WORK"} ${check.id}`);
-    lines.push(`  ${check.summary}`);
-    for (const evidence of check.evidence.slice(0, 5)) {
+  for (const check2 of result.checks) {
+    lines.push(`${check2.status === "pass" ? "PASS" : "NEEDS_WORK"} ${check2.id}`);
+    lines.push(`  ${check2.summary}`);
+    for (const evidence of check2.evidence.slice(0, 5)) {
       lines.push(`  - ${evidence}`);
     }
-    if (check.evidence.length === 0) {
+    if (check2.evidence.length === 0) {
       lines.push("  - No local evidence found.");
     }
     lines.push("");
@@ -11740,6 +11515,15 @@ Maps repo evidence to OWASP LLM Top 10 launch risks. Supports SAFECode-style dep
 var STACK_FRAMING = `Stack context for this repo: Next.js, Supabase, Vercel, VibeRaven.
 Do NOT deploy to Vercel or ship to production users without running \`${PUBLIC_AGENT_MODE_COMMAND}\`.
 Do NOT rely on manual production checklists when VibeRaven gate artifacts exist in \`.viberaven/\`.`;
+var PRODUCTION_PROTOCOL = `## VibeRaven Production Protocol
+
+Before making deploy, auth, database, payment, API, or scaling changes:
+
+1. Read \`.viberaven/prp.json\`.
+2. Follow \`.viberaven/mission-map.md\`.
+3. Do not deploy if \`decision.status\` is \`blocked\`.
+4. Fix \`nextActions\` in order.
+5. Re-run \`${PUBLIC_AGENT_MODE_COMMAND}\`.`;
 var AGENT_NEGATIVE_CONSTRAINTS = `## Event-Triggered Production Verification
 
 Trigger: modifications to \`package.json\`, \`vercel.json\`, \`supabase/migrations/**/*\`, \`.env.example\`, auth/billing/webhook paths, or deploy workflow files.
@@ -11765,12 +11549,14 @@ var AGENT_RULES_BODY = `${AGENT_RULES_PREAMBLE}
 
 ${STACK_FRAMING}
 
+${PRODUCTION_PROTOCOL}
+
 ${AGENT_NEGATIVE_CONSTRAINTS}
 
 ## VibeRaven Production-Readiness Gate
 
 - Before running build, compile, cleanup, deployment, vercel, or supabase commands, run \`${PUBLIC_AGENT_MODE_COMMAND}\` first from the project root.
-- Treat VibeRaven as the agent production layer for AI-built apps, especially apps using Vercel, Supabase, auth, database, payments, webhooks, monitoring, rate limits, or environment variables.
+- Treat VibeRaven as the Agent Context + Production Gate for AI-built apps, especially apps using Vercel, Supabase, auth, database, payments, webhooks, monitoring, rate limits, or environment variables.
 - Read \`.viberaven/agent-tasklist.md\` first. If it says CRITICAL GAPS DETECTED or PRODUCTION GATE NOT CLEAR, fix one listed repo-code gap before deploying.
 - Read \`.viberaven/gate-result.json\` for the machine verdict.
 - Read \`.viberaven/context-map.json\` for compact agent context.
@@ -11814,10 +11600,11 @@ var AGENT_CONTEXT_BODY = `${AGENT_RULES_PREAMBLE}
 
 After \`--agent-mode\`, read these artifacts in order:
 
-1. \`.viberaven/mission-map.md\`
-2. \`.viberaven/agent-tasklist.md\`
-3. \`.viberaven/gate-result.json\`
-4. \`.viberaven/context-map.json\``;
+1. \`.viberaven/prp.json\`
+2. \`.viberaven/mission-map.md\`
+3. \`.viberaven/agent-tasklist.md\`
+4. \`.viberaven/gate-result.json\`
+5. \`.viberaven/context-map.json\``;
 var MISSION_MAP_BODY = `${AGENT_RULES_PREAMBLE}
 
 ## Mission Map loop
@@ -12038,17 +11825,17 @@ function renderCursorCoreRulePreview() {
 async function initCursorRulesPack(options) {
   const results = [];
   const pack = buildCursorRulesPack();
-  for (const rule2 of pack) {
-    const file = `${CURSOR_RULES_DIR}/${rule2.filename}`;
-    const path3 = (0, import_node_path11.join)(options.cwd, file);
-    const existing = await readExistingFile(path3);
-    const changed = !existing.exists || existing.content !== rule2.content;
+  for (const rule of pack) {
+    const file = `${CURSOR_RULES_DIR}/${rule.filename}`;
+    const path = (0, import_node_path11.join)(options.cwd, file);
+    const existing = await readExistingFile(path);
+    const changed = !existing.exists || existing.content !== rule.content;
     const action = !existing.exists ? "created" : changed ? "updated" : "unchanged";
     if (!options.dryRun && changed) {
       await (0, import_promises8.mkdir)((0, import_node_path11.join)(options.cwd, CURSOR_RULES_DIR), { recursive: true });
-      await (0, import_promises8.writeFile)(path3, rule2.content, "utf-8");
+      await (0, import_promises8.writeFile)(path, rule.content, "utf-8");
     }
-    results.push({ target: "cursor", file, path: path3, action });
+    results.push({ target: "cursor", file, path, action });
   }
   const legacyPath = (0, import_node_path11.join)(options.cwd, LEGACY_CURSOR_RULE_FILE);
   if (!options.dryRun && await fileExists(legacyPath)) {
@@ -12056,9 +11843,9 @@ async function initCursorRulesPack(options) {
   }
   return results;
 }
-async function readExistingFile(path3) {
+async function readExistingFile(path) {
   try {
-    return { exists: true, content: await (0, import_promises8.readFile)(path3, "utf-8") };
+    return { exists: true, content: await (0, import_promises8.readFile)(path, "utf-8") };
   } catch (error) {
     if (isFileNotFoundError(error)) {
       return { exists: false, content: "" };
@@ -12066,9 +11853,9 @@ async function readExistingFile(path3) {
     throw error;
   }
 }
-async function fileExists(path3) {
+async function fileExists(path) {
   try {
-    await (0, import_promises8.access)(path3);
+    await (0, import_promises8.access)(path);
     return true;
   } catch {
     return false;
@@ -12219,15 +12006,15 @@ async function initAgentRules(options) {
       continue;
     }
     const file = AGENT_RULE_TARGETS[target].file;
-    const path3 = (0, import_node_path13.join)(options.cwd, file);
-    const existing = await readExistingFile2(path3);
+    const path = (0, import_node_path13.join)(options.cwd, file);
+    const existing = await readExistingFile2(path);
     const injected = injectAgentRulesBlock(existing.content, renderAgentRulesForTarget(target));
     const action = !existing.exists ? "created" : injected.changed ? "updated" : "unchanged";
     if (!options.dryRun && injected.changed) {
-      await (0, import_promises10.mkdir)((0, import_node_path13.dirname)(path3), { recursive: true });
-      await (0, import_promises10.writeFile)(path3, injected.content, "utf-8");
+      await (0, import_promises10.mkdir)((0, import_node_path13.dirname)(path), { recursive: true });
+      await (0, import_promises10.writeFile)(path, injected.content, "utf-8");
     }
-    results.push({ target, file, path: path3, action });
+    results.push({ target, file, path, action });
   }
   const packageJsonScripts = await seedPackageJsonScripts({
     cwd: options.cwd,
@@ -12238,7 +12025,7 @@ async function initAgentRules(options) {
 function renderAgentRulesDryRun(targets) {
   const files = targets.flatMap((target) => {
     if (target === "cursor") {
-      return buildCursorRulesPack().map((rule2) => `- cursor: .cursor/rules/${rule2.filename}`);
+      return buildCursorRulesPack().map((rule) => `- cursor: .cursor/rules/${rule.filename}`);
     }
     return [`- ${target}: ${AGENT_RULE_TARGETS[target].file}`];
   }).join("\n");
@@ -12291,40 +12078,9 @@ function formatAgentRulesInitSummary(output) {
   );
   return lines.join("\n");
 }
-async function maybeAutoInstallAgentRules(options) {
-  const existing = await Promise.all([
-    fileExists2((0, import_node_path13.join)(options.cwd, AGENT_RULE_TARGETS.codex.file)),
-    fileExists2((0, import_node_path13.join)(options.cwd, AGENT_RULE_TARGETS.claude.file)),
-    fileExists2((0, import_node_path13.join)(options.cwd, AGENT_RULE_TARGETS.cursor.file))
-  ]);
-  if (existing.some(Boolean)) {
-    return { status: "ready" };
-  }
-  try {
-    const output = await initAgentRules({
-      cwd: options.cwd,
-      targets: ["codex", "claude", "cursor", "agentContext", "missionMap"]
-    });
-    return { status: "installed", output };
-  } catch (error) {
-    return { status: "skipped", reason: error instanceof Error ? error.message : String(error) };
-  }
-}
-function formatAgentRulesBootstrapSummary(result) {
-  if (result.status === "ready") {
-    return "Agent setup: Codex/Claude/Cursor instructions already connected.";
-  }
-  if (result.status === "skipped") {
-    return `Agent setup: skipped (${result.reason})`;
-  }
-  const created = result.output.results.filter((item3) => item3.action === "created").map((item3) => item3.file);
-  const updated = result.output.results.filter((item3) => item3.action === "updated").map((item3) => item3.file);
-  const changed = [...created, ...updated];
-  return changed.length > 0 ? `Agent setup: connected ${changed.join(", ")}.` : "Agent setup: Codex/Claude/Cursor instructions already connected.";
-}
-async function readExistingFile2(path3) {
+async function readExistingFile2(path) {
   try {
-    return { exists: true, content: await (0, import_promises10.readFile)(path3, "utf-8") };
+    return { exists: true, content: await (0, import_promises10.readFile)(path, "utf-8") };
   } catch (error) {
     if (isFileNotFoundError2(error)) {
       return { exists: false, content: "" };
@@ -12332,14 +12088,6 @@ async function readExistingFile2(path3) {
     throw error;
   }
 }
-async function fileExists2(path3) {
-  try {
-    await (0, import_promises10.access)(path3);
-    return true;
-  } catch {
-    return false;
-  }
-}
 function isFileNotFoundError2(error) {
   return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
 }
@@ -12500,15 +12248,15 @@ async function handleViewGaps(cwd) {
 async function handlePrompt(cwd) {
   try {
     const artifact = await loadLastArtifact(cwd);
-    const gap2 = pickGap(artifact);
-    if (!gap2) {
+    const gap = pickGap(artifact);
+    if (!gap) {
       M2.warn("No gaps to fix. Run a scan or pick a different project.");
       return;
     }
-    const prompt = buildAgentFixPrompt(artifact, gap2);
+    const prompt = buildAgentFixPrompt(artifact, gap);
     try {
       await copyToClipboard(prompt);
-      M2.success(import_picocolors4.default.green(`Copied top prompt to clipboard \u2014 ${gap2.title}`));
+      M2.success(import_picocolors4.default.green(`Copied top prompt to clipboard \u2014 ${gap.title}`));
     } catch (error) {
       M2.warn(error instanceof Error ? error.message : String(error));
       console.log("");
@@ -12619,15 +12367,19 @@ async function handleOpenDashboard(cwd) {
 }
 function buildMenuOptions(isSignedIn) {
   return [
-    { value: "scan", label: "Make this app production ready", hint: "Scan, write tasks, start the next fix" },
-    { value: "next", label: "Continue next step", hint: "One action from the last run" },
-    { value: "open-dashboard", label: "Open provider step", hint: "Supabase, Stripe, Vercel, auth" },
-    { value: "guide", label: "Provider setup guide", hint: "Simple dashboard steps" },
-    { value: "agent-rules", label: "Connect this AI agent", hint: "Codex, Claude, Cursor rules" },
+    { value: "next", label: "What's next?", hint: "One action from last scan" },
+    { value: "scan", label: "Scan project", hint: "Map launch readiness" },
+    { value: "open-report", label: "Open report in browser", hint: "Rebuilds UI from last scan" },
+    { value: "guide", label: "Provider guide", hint: "Vercel, Supabase, Stripe steps" },
+    { value: "open-dashboard", label: "Open dashboard", hint: "Browser link for next step" },
+    { value: "gaps", label: "View top gaps", hint: "From last scan" },
+    { value: "prompt", label: "Copy top prompt", hint: "Agent-ready fix prompt" },
+    { value: "agent-rules", label: "Install agent rules", hint: "AGENTS.md, CLAUDE.md, Cursor" },
+    { value: "audit", label: "Vercel/Supabase audit", hint: "RLS, service-role, serverless pooler evidence" },
     {
       value: "auth",
       label: isSignedIn ? "Sign out" : "Sign in",
-      hint: isSignedIn ? "Clear local credentials" : "Use the managed VibeRaven scan"
+      hint: isSignedIn ? "Clear local credentials" : "Device login flow"
     },
     { value: "exit", label: "Exit" }
   ];
@@ -12643,7 +12395,7 @@ async function runInteractiveSession(startDir = process.cwd()) {
     if (!artifactsAt) {
       M2.message(
         import_picocolors4.default.dim(
-          'No .viberaven/ here yet. Choose "Make this app production ready" to start.'
+          "No .viberaven/ here yet. Extension scans are separate \u2014 choose Scan project to write CLI artifacts."
         )
       );
     }
@@ -13886,7 +13638,7 @@ var STALE_PATTERNS = [
 async function checkAgentInjection(cwd) {
   const checks = [];
   for (const item3 of REQUIRED_EXISTENCE_CHECKS) {
-    const exists = await fileExists3((0, import_node_path23.join)(cwd, item3.file));
+    const exists = await fileExists2((0, import_node_path23.join)(cwd, item3.file));
     checks.push({
       id: item3.id,
       status: exists ? "pass" : "fail",
@@ -13894,7 +13646,7 @@ async function checkAgentInjection(cwd) {
     });
   }
   for (const item3 of OPTIONAL_CURSOR_PACK_CHECKS) {
-    const exists = await fileExists3((0, import_node_path23.join)(cwd, item3.file));
+    const exists = await fileExists2((0, import_node_path23.join)(cwd, item3.file));
     checks.push({
       id: item3.id,
       status: exists ? "pass" : "fail",
@@ -13902,9 +13654,9 @@ async function checkAgentInjection(cwd) {
     });
   }
   const legacyCursorPath = (0, import_node_path23.join)(cwd, ".cursor/rules/viberaven.mdc");
-  if (await fileExists3(legacyCursorPath)) {
+  if (await fileExists2(legacyCursorPath)) {
     const legacyContent = await (0, import_promises18.readFile)(legacyCursorPath, "utf-8");
-    const hasCoreSplit = await fileExists3((0, import_node_path23.join)(cwd, ".cursor/rules/viberaven-core.mdc"));
+    const hasCoreSplit = await fileExists2((0, import_node_path23.join)(cwd, ".cursor/rules/viberaven-core.mdc"));
     if (!hasCoreSplit || legacyContent.includes("alwaysApply: true")) {
       checks.push({
         id: "cursor-legacy-mdc",
@@ -13915,8 +13667,8 @@ async function checkAgentInjection(cwd) {
   }
   for (const target of CORE_AGENT_INJECTION_TARGETS) {
     const file = target === "cursor" ? ".cursor/rules/viberaven-core.mdc" : AGENT_RULE_TARGETS[target].file;
-    const path3 = (0, import_node_path23.join)(cwd, file);
-    const exists = await fileExists3(path3);
+    const path = (0, import_node_path23.join)(cwd, file);
+    const exists = await fileExists2(path);
     if (!exists) {
       checks.push({
         id: `canonical-${target}`,
@@ -13925,7 +13677,7 @@ async function checkAgentInjection(cwd) {
       });
       continue;
     }
-    const content = await (0, import_promises18.readFile)(path3, "utf-8");
+    const content = await (0, import_promises18.readFile)(path, "utf-8");
     const hasCommand = content.includes(PUBLIC_AGENT_MODE_COMMAND);
     checks.push({
       id: `canonical-${target}`,
@@ -13943,23 +13695,23 @@ async function checkAgentInjection(cwd) {
     }
   }
   return {
-    ok: checks.every((check) => check.status === "pass"),
+    ok: checks.every((check2) => check2.status === "pass"),
     checks
   };
 }
 function formatDoctorAgentsReport(report) {
   const lines = ["VibeRaven agent injection doctor", ""];
-  for (const check of report.checks) {
-    const icon = check.status === "pass" ? "\u2713" : "\u2717";
-    lines.push(`${icon} ${check.message}`);
+  for (const check2 of report.checks) {
+    const icon = check2.status === "pass" ? "\u2713" : "\u2717";
+    lines.push(`${icon} ${check2.message}`);
   }
   lines.push("");
   lines.push(report.ok ? "All agent injection checks passed." : "Agent injection checks failed.");
   return lines.join("\n");
 }
-async function fileExists3(path3) {
+async function fileExists2(path) {
   try {
-    await (0, import_promises18.access)(path3);
+    await (0, import_promises18.access)(path);
     return true;
   } catch {
     return false;
@@ -14172,216 +13924,8 @@ async function runAuditCommand(input) {
   return result.status === "pass" ? 0 : 1;
 }
 
-// src/commands/badge.ts
-var import_promises19 = require("node:fs/promises");
-var import_node_path24 = require("node:path");
-
-// src/brand/palette.ts
+// src/commands/preview.ts
 var import_picocolors5 = __toESM(require_picocolors());
-var STATUS_GLYPH = {
-  clear: "\u2713",
-  warning: "\u25C8",
-  blocked: "\u25C6",
-  fixable: "\u25B8",
-  manual: "\u25C7",
-  done: "\u2713",
-  pending: "\xB7"
-};
-var DECISION_GLYPH = {
-  CLEAR: STATUS_GLYPH.clear,
-  WARNING: STATUS_GLYPH.warning,
-  BLOCKED: STATUS_GLYPH.blocked
-};
-function identity(text) {
-  return text;
-}
-function colorsFor(mode) {
-  return import_picocolors5.default.createColors(mode === "rich");
-}
-function decisionColor(decision, mode) {
-  const colors = colorsFor(mode);
-  if (decision === "CLEAR") return colors.green;
-  if (decision === "WARNING") return colors.yellow;
-  return colors.red;
-}
-function decisionStyle(decision, mode) {
-  const colorize = mode === "rich" ? decisionColor(decision, mode) : identity;
-  return {
-    glyph: DECISION_GLYPH[decision],
-    label: colorize(decision),
-    colorize
-  };
-}
-function richOrPlain(text, mode, colorize) {
-  return mode === "rich" ? colorize(text) : text;
-}
-var accent = {
-  brand(text, mode) {
-    return richOrPlain(text, mode, colorsFor(mode).cyan);
-  },
-  dim(text, mode) {
-    return richOrPlain(text, mode, colorsFor(mode).dim);
-  },
-  bold(text, mode) {
-    return richOrPlain(text, mode, colorsFor(mode).bold);
-  }
-};
-
-// src/brand/ui.ts
-var import_picocolors6 = __toESM(require_picocolors());
-var ANSI_PATTERN = /\x1b\[[0-9;]*m/g;
-function colorsFor2(mode) {
-  return import_picocolors6.default.createColors(mode === "rich");
-}
-function stripAnsi(value) {
-  return value.replace(ANSI_PATTERN, "");
-}
-function visibleWidth(value) {
-  return stripAnsi(value).length;
-}
-function padVisible(value, width) {
-  return `${value}${" ".repeat(Math.max(0, width - visibleWidth(value)))}`;
-}
-function safeWidth(width) {
-  if (!Number.isFinite(width)) return 1;
-  return Math.max(1, Math.floor(width));
-}
-function clampPercent(percent) {
-  if (Number.isNaN(percent)) return 0;
-  return Math.max(0, Math.min(100, percent));
-}
-function colorizeGaugeFill(text, percent, mode) {
-  const colors = colorsFor2(mode);
-  if (mode !== "rich") return text;
-  if (percent >= 80) return colors.green(text);
-  if (percent >= 50) return colors.yellow(text);
-  return colors.red(text);
-}
-function rule(width, options) {
-  const line = "\u2500".repeat(safeWidth(width));
-  return accent.dim(line, options.mode);
-}
-function box(lines, options) {
-  const content = lines.length > 0 ? lines : [""];
-  const innerWidth = Math.max(1, ...content.map(visibleWidth));
-  const horizontal = "\u2500".repeat(innerWidth + 2);
-  const colors = colorsFor2(options.mode);
-  const border = (value) => options.mode === "rich" ? colors.cyan(value) : value;
-  const body = content.map((line) => border("\u2502") + ` ${padVisible(line, innerWidth)} ` + border("\u2502"));
-  return [border(`\u250C${horizontal}\u2510`), ...body, border(`\u2514${horizontal}\u2518`)].join("\n");
-}
-function gauge(percent, options) {
-  const width = safeWidth(options.width);
-  const clamped = clampPercent(percent);
-  const label2 = `${Math.round(clamped)}%`;
-  const filledWidth = Math.round(clamped / 100 * width);
-  const emptyWidth = width - filledWidth;
-  const filled = colorizeGaugeFill("\u2588".repeat(filledWidth), clamped, options.mode);
-  const empty = accent.dim("\u2591".repeat(emptyWidth), options.mode);
-  return `[${filled}${empty}] ${label2}`;
-}
-function banner(decision, options) {
-  const style = decisionStyle(decision, options.mode);
-  return `${style.glyph} ${style.label}`;
-}
-
-// src/brand/wordmark.ts
-var DEFAULT_TAGLINE = "production operator for AI-built apps";
-function wordmark(options) {
-  const tagline = options.tagline ?? DEFAULT_TAGLINE;
-  const brand = accent.brand("VibeRaven", options.mode);
-  const mutedTagline = accent.dim(tagline, options.mode);
-  if (options.variant === "compact") {
-    return `${brand} - ${mutedTagline}`;
-  }
-  return [accent.bold(brand, options.mode), mutedTagline].join("\n");
-}
-
-// src/badge/renderBadge.ts
-var COLORS = {
-  CLEAR: "#2ea44f",
-  WARNING: "#dbab09",
-  BLOCKED: "#d1242f"
-};
-function label(prp) {
-  return prp.decision.toLowerCase();
-}
-function renderBadgeSvg(prp) {
-  const text = label(prp);
-  const color = COLORS[prp.decision];
-  const width = 132 + text.length * 7;
-  return `<svg xmlns="http://www.w3.org/2000/svg" width="${width}" height="20" role="img" aria-label="VibeRaven: ${text}">
-  <rect width="${width}" height="20" fill="#24292f"/>
-  <rect x="86" width="${width - 86}" height="20" fill="${color}"/>
-  <g fill="#fff" font-family="Verdana,Geneva,sans-serif" font-size="11">
-    <text x="8" y="14">VibeRaven</text>
-    <text x="94" y="14">${text}</text>
-  </g>
-</svg>`;
-}
-function renderBadgeMarkdown(prp) {
-  const text = label(prp);
-  const date = prp.generatedAt.slice(0, 10);
-  return `[![VibeRaven launch gate: ${text}](.viberaven/badge.svg)](https://viberaven.dev/production-protocol.md?utm_source=badge) \`gate: ${text} - ${date}\``;
-}
-function renderBadgeCard(prp, mode) {
-  const text = label(prp);
-  const date = prp.generatedAt.slice(0, 10);
-  const style = decisionStyle(prp.decision, mode);
-  return box(
-    [
-      wordmark({ variant: "compact", mode, tagline: "launch gate proof" }),
-      `${accent.dim("gate", mode)}: ${style.colorize(text)}`,
-      `${accent.dim("date", mode)}: ${date}`,
-      accent.brand("viberaven.dev", mode)
-    ],
-    { mode }
-  );
-}
-
-// src/brand/renderMode.ts
-function resolveRenderMode(input) {
-  if (input.env.VIBERAVEN_FORCE_RICH === "1") return "rich";
-  if (input.env.VIBERAVEN_PLAIN === "1") return "plain";
-  if (input.env.NO_COLOR !== void 0 && input.env.NO_COLOR !== "") return "plain";
-  if (input.surface === "agent-mode") return "plain";
-  return input.isTTY ? "rich" : "plain";
-}
-function currentRenderMode(surface) {
-  return resolveRenderMode({
-    surface,
-    isTTY: Boolean(process.stdout.isTTY),
-    env: process.env
-  });
-}
-
-// src/commands/badge.ts
-async function runBadgeCommand(options) {
-  const log = options.log ?? ((message) => console.log(message));
-  const artifactDir = (0, import_node_path24.join)(options.cwd, ".viberaven");
-  const prpPath = (0, import_node_path24.join)(artifactDir, "prp.json");
-  let prp;
-  try {
-    prp = JSON.parse(await (0, import_promises19.readFile)(prpPath, "utf8"));
-  } catch {
-    log("No .viberaven/prp.json found. Run: npx -y viberaven --agent-mode");
-    return 1;
-  }
-  if (options.svg) {
-    const outputPath = (0, import_node_path24.join)(artifactDir, "badge.svg");
-    await (0, import_promises19.mkdir)(artifactDir, { recursive: true });
-    await (0, import_promises19.writeFile)(outputPath, renderBadgeSvg(prp), "utf8");
-    log(`Wrote ${outputPath}`);
-    return 0;
-  }
-  if (options.card) {
-    log(renderBadgeCard(prp, currentRenderMode("human-command")));
-    return 0;
-  }
-  log("Add this to your README:");
-  log(renderBadgeMarkdown(prp));
-  return 0;
-}
 
 // src/output/nextActionBlock.ts
 function buildNextActionBlock(tasks, loopState, plan) {
@@ -14397,7 +13941,11 @@ function buildNextActionBlock(tasks, loopState, plan) {
     return {
       ...base,
       type: "stalled",
-      title: "Loop stalled \u2014 no gap reduction after 2+ consecutive scans",
+      title: "Loop stalled - no gap reduction after 2+ consecutive scans",
+      agentInstruction: "Stop the scan loop. Explain the blocker plainly, then either guide the provider/user action or report that no safe repo-code recipe is available.",
+      executionPlan: [
+        { kind: "stop", note: "Do not keep spending scans while the loop is stalled." }
+      ],
       requiresUserAction: true,
       stallReason
     };
@@ -14406,42 +13954,67 @@ function buildNextActionBlock(tasks, loopState, plan) {
     return {
       ...base,
       type: "verify",
-      title: "Batch complete \u2014 run verify to rescan before next batch",
+      title: "Batch complete - run verify to rescan before next batch",
+      agentInstruction: "Run verify now, read the refreshed VibeRaven artifacts, then continue with the next safe repo fix or provider step. Do not stop at a summary.",
+      executionPlan: [
+        { kind: "verify", command: "viberaven_verify" },
+        { kind: "continue-loop", note: "After verify, continue until the gate is clear or a provider/user blocker remains." }
+      ],
       mcpTool: "viberaven_verify",
       mcpArgs: {},
       requiresUserAction: false
     };
   }
-  const repoCodeTask = tasks.find((t) => t.fixType === "repo-code" && !t.requiresUserAction);
+  const repoCodeTask = tasks.find((task) => task.fixType === "repo-code" && !task.requiresUserAction);
   if (repoCodeTask) {
+    const fallbackCommand = repoCodeTask.mcpArgs ? `npx -y viberaven --heal --apply --gap ${repoCodeTask.gapId} --yes` : void 0;
     return {
       ...base,
       type: "repo-code",
       gapId: repoCodeTask.gapId,
       title: repoCodeTask.title,
+      agentInstruction: "Apply this repo-code fix now using the MCP tool or fallback command, then continue the local VibeRaven loop. Do not stop at a summary.",
+      executionPlan: [
+        {
+          kind: "apply-repo-fix",
+          command: repoCodeTask.mcpTool ?? fallbackCommand,
+          note: "Patch only this gap and preserve unrelated user changes."
+        },
+        { kind: "continue-loop", note: "Apply remaining safe repo fixes until the batch is full, then verify once." }
+      ],
       mcpTool: repoCodeTask.mcpTool,
       mcpArgs: repoCodeTask.mcpArgs,
-      fallbackCommand: repoCodeTask.mcpArgs ? `npx -y viberaven --heal --apply --gap ${repoCodeTask.gapId} --yes` : void 0,
+      fallbackCommand,
       requiresUserAction: false
     };
   }
-  const providerTask = tasks.find((t) => t.fixType === "provider-action");
+  const providerTask = tasks.find((task) => task.fixType === "provider-action");
   if (providerTask) {
     return {
       ...base,
       type: "provider-action",
       gapId: providerTask.gapId,
       title: providerTask.title,
+      agentInstruction: "Open or present the provider step now. If browser/tool access is available, open the dashboard link for the user; otherwise show the exact step and copy values. Do not keep telling the user to verify until the provider step is done.",
+      executionPlan: [
+        { kind: "open-provider-step", note: "Use VIBERAVEN_PROVIDER_ACTION for the exact dashboard step and URL." },
+        { kind: "wait-for-user", note: "Wait for confirmation or read-only MCP evidence before verifying." }
+      ],
       requiresUserAction: true
     };
   }
-  const upgradeTask = tasks.find((t) => t.fixType === "upgrade-required");
+  const upgradeTask = tasks.find((task) => task.fixType === "upgrade-required");
   if (upgradeTask) {
     return {
       ...base,
       type: "upgrade-required",
       gapId: upgradeTask.gapId,
       title: upgradeTask.title,
+      agentInstruction: "Explain that this production lane needs an upgrade or connected provider evidence. Continue with any remaining unlocked repo-code fixes if present; otherwise stop cleanly.",
+      executionPlan: [
+        { kind: "upgrade", command: "https://viberaven.dev/pricing" },
+        { kind: "stop", note: "Do not pretend locked lanes or provider state were fixed locally." }
+      ],
       requiresUserAction: true,
       upgradeUrl: "https://viberaven.dev/pricing"
     };
@@ -14449,15 +14022,20 @@ function buildNextActionBlock(tasks, loopState, plan) {
   return {
     ...base,
     type: "done",
-    title: "All gaps resolved \u2014 production gate is clear",
+    title: "All gaps resolved - production gate is clear",
+    agentInstruction: "The repo-code gate is clear. Run strict before deploy and still verify provider dashboard state through MCP or the provider dashboard.",
+    executionPlan: [
+      { kind: "verify", command: "npx -y viberaven --strict" },
+      { kind: "stop", note: "Do not deploy until provider dashboard state is verified where applicable." }
+    ],
     requiresUserAction: false
   };
 }
 function resolveStallReason(tasks) {
   if (tasks.length === 0) return "no-recipes";
-  const allUpgradeOrEmpty = tasks.every((t) => t.fixType === "upgrade-required");
+  const allUpgradeOrEmpty = tasks.every((task) => task.fixType === "upgrade-required");
   if (allUpgradeOrEmpty) return "no-recipes";
-  const allProviderAction = tasks.every((t) => t.fixType === "provider-action");
+  const allProviderAction = tasks.every((task) => task.fixType === "provider-action");
   if (allProviderAction) return "provider-action-required";
   return "unknown";
 }
@@ -14477,33 +14055,162 @@ function buildProviderActionBlock(task) {
       dashboardUrl: pa.dashboardUrl,
       exactStep: pa.exactStep,
       envKeyName: pa.envKeyName ?? null,
+      envKeyExample: pa.envKeyExample ?? null,
       doneSignal: pa.doneSignal,
       verifyCommand: task.verifyCommand,
       mcpAlternative: task.mcpTool ?? pa.mcpAlternative ?? null
     }
   };
 }
-function printProviderActionBlock(tasks) {
-  const task = tasks.find(
-    (t) => t.fixType === "provider-action" && t.requiresUserAction === true
-  );
-  if (!task) return;
-  const block = buildProviderActionBlock(task);
-  if (!block) return;
-  console.log(PROVIDER_ACTION_START);
-  console.log(JSON.stringify(block, null, 2));
-  console.log(PROVIDER_ACTION_END);
+function printProviderActionBlock(tasks) {
+  const task = tasks.find(
+    (entry) => entry.fixType === "provider-action" && entry.requiresUserAction === true
+  );
+  if (!task) return;
+  const block = buildProviderActionBlock(task);
+  if (!block) return;
+  console.log(PROVIDER_ACTION_START);
+  console.log(JSON.stringify(block, null, 2));
+  console.log(PROVIDER_ACTION_END);
+}
+function printNextActionBlock(block) {
+  console.log(NEXT_ACTION_START);
+  console.log(JSON.stringify(block, null, 2));
+  console.log(NEXT_ACTION_END);
+}
+
+// src/commands/preview.ts
+function previewArtifact(cwd) {
+  return {
+    version: 1,
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    workspacePath: cwd,
+    score: 42,
+    scoreLabel: "Blocked",
+    summary: "Vercel, Supabase, and Stripe are detected, but launch-critical provider setup is not proven yet.",
+    archetype: "ai-built-saas",
+    plan: "free",
+    productionCorePercent: 40,
+    usage: {
+      plan: "free",
+      remainingPrompts: 0,
+      used: 0,
+      limit: 0,
+      period: "lifetime",
+      unlockedMapCategoryKeys: ["appFlow", "frontend", "backend", "auth", "database", "payments"]
+    },
+    gaps: [
+      {
+        id: "auth_secret_missing",
+        category: "SECURITY & AUTH",
+        severity: "critical",
+        title: "Create production auth secret",
+        detail: "The app needs a production session secret before real users sign in.",
+        copyPrompt: "Generate and document NEXTAUTH_SECRET or the equivalent auth secret for this stack.",
+        toolSuggestions: [],
+        mcpSuggestion: null,
+        primaryMapCategory: "auth",
+        affectedMapCategories: []
+      },
+      {
+        id: "rls_disabled",
+        category: "DATABASE & DATA",
+        severity: "critical",
+        title: "Verify Supabase RLS before launch",
+        detail: "Database access must be protected by Row Level Security or equivalent server-side controls.",
+        copyPrompt: "Open Supabase and verify RLS policies for user-owned tables.",
+        toolSuggestions: [],
+        mcpSuggestion: null,
+        primaryMapCategory: "database",
+        affectedMapCategories: []
+      },
+      {
+        id: "stripe_webhook_secret_missing",
+        category: "PAYMENTS",
+        severity: "critical",
+        title: "Connect Stripe webhook secret",
+        detail: "Stripe webhook signature verification needs STRIPE_WEBHOOK_SECRET before live payments.",
+        copyPrompt: "Create a Stripe webhook endpoint and add STRIPE_WEBHOOK_SECRET to the deployment environment.",
+        toolSuggestions: [],
+        mcpSuggestion: null,
+        primaryMapCategory: "payments",
+        affectedMapCategories: []
+      }
+    ],
+    missionGraph: {
+      areas: [],
+      byArea: {},
+      byProvider: {},
+      repositoryEvidence: { env: [], security: [] }
+    },
+    stackWiring: { items: [], byKey: {} },
+    providerRegistry: {
+      version: 1,
+      source: "bundled",
+      generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      status: "fresh",
+      staleAfterDays: 14,
+      providers: []
+    }
+  };
+}
+function check(done, text) {
+  const mark = done ? import_picocolors5.default.green("[x]") : import_picocolors5.default.yellow("[ ]");
+  return `  ${mark} ${text}`;
 }
-function printNextActionBlock(block) {
-  console.log(NEXT_ACTION_START);
-  console.log(JSON.stringify(block, null, 2));
-  console.log(NEXT_ACTION_END);
+async function runPreviewCommand(options) {
+  const artifact = previewArtifact(options.cwd);
+  const tasks = buildTaskList(artifact);
+  const next = buildNextActionBlock(tasks, {
+    batchApplied: 1,
+    appliedGapIdsSinceScan: ["auth_secret_missing"],
+    lastGapCount: artifact.gaps.length,
+    stalledScans: 0
+  }, "free");
+  if (options.json) {
+    console.log(JSON.stringify({ artifact, tasks, next }, null, 2));
+    return 0;
+  }
+  console.log(import_picocolors5.default.dim(`VibeRaven ${VERSION} preview - local rehearsal, no login or API spend.`));
+  console.log(import_picocolors5.default.bold("VibeRaven"));
+  console.log("Taking this app from demo to production.");
+  console.log("");
+  console.log(`${import_picocolors5.default.bold("Status:")} ${import_picocolors5.default.red("BLOCKED")} | vercel + supabase + stripe | 3 launch gaps`);
+  console.log("");
+  console.log(import_picocolors5.default.bold("Progress"));
+  console.log(check(true, "Understand the stack and launch gaps"));
+  console.log(check(true, "Patch the first repo-owned secret gap"));
+  console.log(check(false, "Open Supabase and verify RLS policies"));
+  console.log(check(false, "Connect Stripe webhook signing secret"));
+  console.log(check(false, "Verify again before launch"));
+  console.log("");
+  console.log(import_picocolors5.default.bold("I can do now"));
+  console.log("  1. Add missing env names and agent rules.");
+  console.log("  2. Prepare focused repo fixes the coding agent can apply.");
+  console.log("  3. Keep the launch loop moving until provider proof is needed.");
+  console.log("");
+  console.log(import_picocolors5.default.bold("I need you for"));
+  console.log("  1. Supabase: open the project and confirm RLS policies.");
+  console.log("  2. Stripe: create or open the webhook endpoint.");
+  console.log("  3. Deployment: paste provider secrets into Vercel or your host.");
+  console.log("");
+  console.log(import_picocolors5.default.bold("Open"));
+  console.log(`  supabase: ${import_picocolors5.default.cyan("https://supabase.com/dashboard")}`);
+  console.log(`  stripe:   ${import_picocolors5.default.cyan("https://dashboard.stripe.com/")}`);
+  console.log("");
+  console.log(`${import_picocolors5.default.bold("Copy env names:")} NEXTAUTH_SECRET, STRIPE_WEBHOOK_SECRET`);
+  console.log(`${import_picocolors5.default.bold("Next:")} I will guide the blocked provider setup, then verify when you confirm it is done.`);
+  if (options.agentMode) {
+    console.log("");
+    console.log(import_picocolors5.default.dim("Agent note: render the checklist above as the live timeline; update [ ] to [x] as work completes."));
+  }
+  return 0;
 }
 
 // src/providerMcpBridge.ts
 var import_node_fs12 = require("node:fs");
 var import_node_os2 = require("node:os");
-var import_node_path25 = require("node:path");
+var import_node_path24 = require("node:path");
 var UPGRADE_URL4 = "https://viberaven.dev/pricing";
 var FALLBACK_COMMAND = "npx -y viberaven audit --vercel-supabase --json";
 var SUPPORTED_PROVIDERS = /* @__PURE__ */ new Set(["supabase", "vercel"]);
@@ -14511,9 +14218,9 @@ var configPathsOverride;
 function defaultMcpConfigPaths() {
   const home = (0, import_node_os2.homedir)();
   return [
-    (0, import_node_path25.join)(home, ".config", "claude", "claude_desktop_config.json"),
-    (0, import_node_path25.join)(home, ".cursor", "mcp.json"),
-    (0, import_node_path25.join)(home, ".gemini", "antigravity", "mcp_config.json")
+    (0, import_node_path24.join)(home, ".config", "claude", "claude_desktop_config.json"),
+    (0, import_node_path24.join)(home, ".cursor", "mcp.json"),
+    (0, import_node_path24.join)(home, ".gemini", "antigravity", "mcp_config.json")
   ];
 }
 function resolveConfigPaths() {
@@ -14541,12 +14248,12 @@ function findServerEntry(servers, provider2) {
 }
 function findProviderMcpConfig(provider2, configPaths) {
   const paths = configPaths ?? resolveConfigPaths();
-  for (const path3 of paths) {
-    if (!(0, import_node_fs12.existsSync)(path3)) {
+  for (const path of paths) {
+    if (!(0, import_node_fs12.existsSync)(path)) {
       continue;
     }
     try {
-      const raw = JSON.parse((0, import_node_fs12.readFileSync)(path3, "utf8"));
+      const raw = JSON.parse((0, import_node_fs12.readFileSync)(path, "utf8"));
       const servers = parseMcpServers(raw);
       if (!servers) {
         continue;
@@ -14560,7 +14267,7 @@ function findProviderMcpConfig(provider2, configPaths) {
         command: typeof server.command === "string" ? server.command : void 0,
         args: Array.isArray(server.args) ? server.args.filter((arg) => typeof arg === "string") : void 0,
         url: typeof server.url === "string" ? server.url : void 0,
-        source: path3
+        source: path
       };
     } catch {
       continue;
@@ -14568,19 +14275,6 @@ function findProviderMcpConfig(provider2, configPaths) {
   }
   return void 0;
 }
-function hasUsableProviderMcpConfig(config) {
-  return Boolean(config.command?.trim() || config.url?.trim());
-}
-function findUsableProviderMcpConfig(provider2, configPaths) {
-  const paths = configPaths ?? resolveConfigPaths();
-  for (const path3 of paths) {
-    const config = findProviderMcpConfig(provider2, [path3]);
-    if (config && hasUsableProviderMcpConfig(config)) {
-      return config;
-    }
-  }
-  return void 0;
-}
 async function verifyProviderGap(options) {
   if (options.plan !== "pro") {
     return {
@@ -14611,581 +14305,6 @@ async function verifyProviderGap(options) {
   };
 }
 
-// src/connectedTools.ts
-var DETECTED_PROVIDERS = ["supabase", "vercel", "stripe", "github"];
-var INSTALL_HINTS = {
-  supabase: "claude mcp add --transport http supabase https://mcp.supabase.com/",
-  vercel: "claude mcp add --transport http vercel https://mcp.vercel.com/",
-  stripe: "claude mcp add --transport http stripe https://mcp.stripe.com/",
-  github: "claude mcp add --transport http github https://api.githubcopilot.com/mcp/"
-};
-var READONLY_PROVIDERS = /* @__PURE__ */ new Set(["vercel"]);
-function isDetectedProvider(provider2) {
-  return DETECTED_PROVIDERS.includes(provider2);
-}
-function installHintFor(provider2) {
-  const normalizedProvider = provider2.toLowerCase().trim();
-  if (isDetectedProvider(normalizedProvider)) {
-    return INSTALL_HINTS[normalizedProvider];
-  }
-  return `Add the ${provider2} MCP server to your agent config.`;
-}
-function detectConnectedTools() {
-  const tools = {};
-  for (const provider2 of DETECTED_PROVIDERS) {
-    const config = findUsableProviderMcpConfig(provider2);
-    if (!config) {
-      tools[`${provider2}Mcp`] = "missing";
-      continue;
-    }
-    tools[`${provider2}Mcp`] = READONLY_PROVIDERS.has(provider2) ? "available_readonly" : "available";
-  }
-  tools.browser = "available";
-  return tools;
-}
-
-// src/output/actionPanelBlock.ts
-var ACTION_PANEL_START = "VIBERAVEN_ACTION_PANEL_START";
-var ACTION_PANEL_END = "VIBERAVEN_ACTION_PANEL_END";
-function stackLine(prp) {
-  const parts = Array.from(
-    /* @__PURE__ */ new Set([
-      ...prp.detectedStack.deployment,
-      ...prp.detectedStack.database,
-      ...prp.detectedStack.auth,
-      ...prp.detectedStack.payments,
-      ...prp.detectedStack.monitoring
-    ])
-  );
-  return parts.length > 0 ? parts.join(" + ") : prp.detectedStack.archetype ?? "unknown";
-}
-function envVarNames(tasks) {
-  return Array.from(
-    new Set(
-      tasks.map((task) => task.providerAction?.envKeyName).filter((name) => Boolean(name))
-    )
-  );
-}
-function humanStep(task) {
-  if (task.fixType === "provider-action") {
-    return task.providerAction?.exactStep ?? task.title;
-  }
-  if (task.fixType === "upgrade-required") {
-    return `Upgrade required: ${task.action ?? task.exactFix ?? task.title}`;
-  }
-  if (task.fixType === "manual-verify") {
-    return `Manual verification required: ${task.action ?? task.exactFix ?? task.title}`;
-  }
-  return task.title;
-}
-function repoTaskTitle(task) {
-  return task.action ?? task.exactFix ?? task.title;
-}
-function parseDecision(value) {
-  if (value === "CLEAR" || value === "WARNING" || value === "BLOCKED") return value;
-  return "BLOCKED";
-}
-function providerFromConnectedToolKey(tool) {
-  if (!tool.endsWith("Mcp")) return void 0;
-  return tool.slice(0, -3).toLowerCase();
-}
-function normalizeProvider3(provider2) {
-  const lower = provider2.trim().toLowerCase();
-  const tokens = lower.split(/[^a-z0-9]+/).filter(Boolean);
-  for (const knownProvider of ["supabase", "stripe", "vercel", "github"]) {
-    if (lower === knownProvider || tokens.includes(knownProvider)) {
-      return knownProvider;
-    }
-  }
-  return lower;
-}
-function toolSetupFor(prp) {
-  const relevantProviders = new Set([
-    ...prp.detectedStack.auth,
-    ...prp.detectedStack.database,
-    ...prp.detectedStack.deployment,
-    ...prp.detectedStack.payments
-  ].map(normalizeProvider3));
-  return Object.entries(prp.connectedTools).flatMap(([tool, state]) => {
-    const provider2 = providerFromConnectedToolKey(tool);
-    if (!provider2 || state !== "missing" || !relevantProviders.has(provider2)) {
-      return [];
-    }
-    return [provider2];
-  }).map((provider2) => ({
-    provider: provider2,
-    command: installHintFor(provider2),
-    reason: "Connect this provider MCP so the agent can verify live provider state when available."
-  }));
-}
-function checklistFor(repoTasks, humanTasks) {
-  return [
-    { label: "Understand the stack and launch gaps", done: true, kind: "scan" },
-    ...repoTasks.slice(0, 3).map((task) => ({
-      label: repoTaskTitle(task),
-      done: false,
-      kind: "repo-code"
-    })),
-    ...humanTasks.slice(0, 3).map((task) => ({
-      label: humanStep(task),
-      done: false,
-      kind: "provider"
-    })),
-    { label: "Verify again before launch", done: false, kind: "verify" }
-  ];
-}
-function mermaidFor(prp, tasks) {
-  const status = prp.decision === "CLEAR" ? "Clear" : prp.decision === "WARNING" ? "Review" : "Blocked";
-  const hasProvider = tasks.some((task) => task.fixType === "provider-action");
-  const hasRepo = tasks.some((task) => task.fixType === "repo-code" && !task.requiresUserAction);
-  const lines = [
-    "flowchart LR",
-    `  app["AI-built app"] --> stack["${stackLine(prp)}"]`,
-    `  stack --> gate["VibeRaven: ${status}"]`
-  ];
-  if (hasRepo) lines.push('  gate --> repo["Repo fixes"]');
-  if (hasProvider) lines.push('  gate --> provider["Provider setup"]');
-  lines.push('  gate --> verify["Verify before launch"]');
-  return lines.join("\n");
-}
-function buildActionPanelBlock(prp, tasks) {
-  const repoTasks = tasks.filter((task) => task.fixType === "repo-code" && !task.requiresUserAction);
-  const humanTasks = tasks.filter((task) => task.fixType !== "repo-code" || task.requiresUserAction);
-  const nextRepoTask = repoTasks[0];
-  const toolSetup = toolSetupFor(prp);
-  const statusLine = [
-    prp.decision,
-    stackLine(prp),
-    `${tasks.length} launch gap${tasks.length === 1 ? "" : "s"}`
-  ].join(" | ");
-  return {
-    VIBERAVEN_ACTION_PANEL: {
-      surface: "native-agent-chat",
-      title: "VibeRaven",
-      statusLine,
-      primaryCommand: nextRepoTask ? `npx -y viberaven --heal --apply --gap ${nextRepoTask.gapId} --yes` : "npx -y viberaven next --json",
-      nextCommand: "npx -y viberaven next --json",
-      verifyCommand: prp.verifyCommand,
-      checklist: checklistFor(repoTasks, humanTasks),
-      mermaidDiagram: mermaidFor(prp, tasks),
-      agentCanDo: repoTasks.length > 0 ? repoTasks.map(repoTaskTitle) : ["No safe repo-code fix is available yet. I will guide the provider steps first."],
-      userMustDo: humanTasks.map((task) => ({
-        provider: task.providerAction?.provider,
-        dashboardUrl: task.providerAction?.dashboardUrl,
-        step: humanStep(task),
-        doneWhen: task.providerAction?.doneSignal
-      })),
-      toolSetup,
-      envVarNames: envVarNames(tasks),
-      agentInstruction: "Render this as a short VibeRaven action message in the native chat. Use the checklist as the live execution timeline and update [ ] to [x] as tasks complete. Present toolSetup as optional connection help, not as a blocker for safe repo fixes. Do not describe the output with internal product labels. Keep the user inside Codex, Claude Code, Cursor, or the terminal. Do not open report.html unless the user explicitly asks for the legacy report."
-    }
-  };
-}
-function nextHumanStep(panel) {
-  const hasRepoFix = panel.agentCanDo.some((item3) => !item3.startsWith("No safe repo-code fix"));
-  if (hasRepoFix) {
-    return "Next: I will apply the first safe repo fix, then verify the launch state.";
-  }
-  if (panel.userMustDo.length > 0) {
-    return "Next: I will guide the blocked provider setup, then verify when you confirm it is done.";
-  }
-  return "Next: I will verify the launch state before deploy.";
-}
-function buildActionPanelCard(block, mode = "plain") {
-  const panel = block.VIBERAVEN_ACTION_PANEL;
-  const agentCanDo = panel.agentCanDo.slice(0, 3);
-  const userMustDo = panel.userMustDo.slice(0, 3);
-  const lines = [];
-  const statusParts = panel.statusLine.split(/\s*\|\s*/);
-  const decision = parseDecision(statusParts[0] ?? "BLOCKED");
-  const rest = statusParts.slice(1).join(" | ");
-  lines.push(accent.bold("VibeRaven", mode));
-  lines.push("Taking this app from demo to production.");
-  lines.push("");
-  lines.push(`Status: ${banner(decision, { mode })}${rest ? ` | ${rest}` : ""}`);
-  lines.push("");
-  lines.push("Progress:");
-  panel.checklist.slice(0, 6).forEach((item3) => {
-    lines.push(`  - [${item3.done ? "x" : " "}] ${item3.label}`);
-  });
-  lines.push("");
-  lines.push("I can do now:");
-  agentCanDo.forEach((item3, index) => {
-    lines.push(`  ${index + 1}. ${item3}`);
-  });
-  lines.push("");
-  lines.push("I need you for:");
-  if (userMustDo.length === 0) {
-    lines.push("  (none)");
-  } else {
-    userMustDo.forEach((item3, index) => {
-      const provider2 = item3.provider ? `${item3.provider}: ` : "";
-      lines.push(`  ${index + 1}. ${provider2}${item3.step}`);
-    });
-  }
-  const links = userMustDo.filter((item3) => item3.dashboardUrl);
-  if (links.length > 0) {
-    lines.push("");
-    lines.push("Open:");
-    links.forEach((item3) => {
-      const label2 = item3.provider ?? "provider";
-      lines.push(`  ${label2}: ${item3.dashboardUrl}`);
-    });
-  }
-  if (panel.envVarNames.length > 0) {
-    lines.push("");
-    lines.push(`Copy env names: ${panel.envVarNames.join(", ")}`);
-  }
-  const toolSetup = panel.toolSetup.slice(0, 3);
-  if (toolSetup.length > 0) {
-    lines.push("");
-    lines.push("Connect tools:");
-    toolSetup.forEach((item3) => {
-      lines.push(`  ${item3.provider}: ${item3.command}`);
-    });
-  }
-  lines.push("");
-  lines.push(nextHumanStep(panel));
-  lines.push("Verify: I will re-check after the repo fix or provider step.");
-  return lines.join("\n");
-}
-function printActionPanelBlock(prp, tasks, mode = "plain") {
-  const block = buildActionPanelBlock(prp, tasks);
-  console.log(buildActionPanelCard(block, mode));
-  console.log(ACTION_PANEL_START);
-  console.log(JSON.stringify(block, null, 2));
-  console.log(ACTION_PANEL_END);
-}
-
-// src/output/celebration.ts
-function renderClearCelebration(prp, mode) {
-  if (prp.decision !== "CLEAR") return "";
-  const verifiedDate = prp.generatedAt.slice(0, 10);
-  const style = decisionStyle("CLEAR", mode);
-  const lines = [
-    `${style.glyph} ${style.label} production gate is clear`,
-    accent.dim(`Verified ${verifiedDate}`, mode),
-    "",
-    `Share your launch proof: ${accent.bold("npx -y viberaven badge", mode)}`
-  ];
-  return [wordmark({ variant: "compact", mode }), box(lines, { mode }), rule(40, { mode })].join("\n");
-}
-
-// src/output/loopProgress.ts
-function safeCount(value) {
-  if (!Number.isFinite(value)) return 0;
-  return Math.max(0, Math.floor(value));
-}
-function renderLoopProgress(input, mode) {
-  if (mode === "plain" && input.silentInPlain) return "";
-  const total = safeCount(input.total);
-  const applied = total > 0 ? Math.min(safeCount(input.applied), total) : safeCount(input.applied);
-  const percent = total === 0 ? 100 : applied / total * 100;
-  const label2 = `${STATUS_GLYPH.fixable} ${input.label}`;
-  return `${accent.bold(label2, mode)}  ${gauge(percent, { width: 12, mode })}  ${applied}/${total}`;
-}
-
-// src/demo/runDemo.ts
-var import_node_fs13 = require("node:fs");
-var import_node_path27 = __toESM(require("node:path"));
-
-// src/demo/localRules.ts
-var import_promises20 = require("node:fs/promises");
-var import_node_path26 = __toESM(require("node:path"));
-var DEMO_SCANNED_AT = "2026-06-14T00:00:00.000Z";
-async function readKnownFile(root, relativePath) {
-  try {
-    return await (0, import_promises20.readFile)(import_node_path26.default.join(root, relativePath), "utf8");
-  } catch (error) {
-    const code = error.code;
-    if (code === "ENOENT") return "";
-    throw error;
-  }
-}
-function dependencyNames(packageJson) {
-  if (!packageJson.trim()) return /* @__PURE__ */ new Set();
-  const parsed = JSON.parse(packageJson);
-  return /* @__PURE__ */ new Set([
-    ...Object.keys(parsed.dependencies ?? {}),
-    ...Object.keys(parsed.devDependencies ?? {})
-  ]);
-}
-function stripTypeScriptComments(source) {
-  return source.replace(/\/\*[\s\S]*?\*\//g, "").split("\n").map((line) => {
-    let quote = null;
-    let escaped = false;
-    for (let index = 0; index < line.length - 1; index += 1) {
-      const char = line[index];
-      const next = line[index + 1];
-      if (quote) {
-        if (escaped) {
-          escaped = false;
-        } else if (char === "\\") {
-          escaped = true;
-        } else if (char === quote) {
-          quote = null;
-        }
-        continue;
-      }
-      if (char === '"' || char === "'" || char === "`") {
-        quote = char;
-        continue;
-      }
-      if (char === "/" && next === "/") {
-        return line.slice(0, index);
-      }
-    }
-    return line;
-  }).join("\n");
-}
-function stripSqlComments(source) {
-  return source.replace(/\/\*[\s\S]*?\*\//g, "").replace(/--.*$/gm, "");
-}
-function hasStripeWebhookSignatureVerification(source) {
-  const executable = stripTypeScriptComments(source);
-  return /webhooks\s*\.\s*constructEvent\s*\(/.test(executable) && /Stripe-Signature/.test(executable);
-}
-function hasEnabledRowLevelSecurity(source) {
-  return /enable\s+row\s+level\s+security/i.test(stripSqlComments(source));
-}
-function hasEnvAssignment(source, name) {
-  const pattern = new RegExp(`^\\s*${name}\\s*=`, "m");
-  return pattern.test(source);
-}
-function gap(input) {
-  return {
-    ...input,
-    toolSuggestions: [],
-    mcpSuggestion: null,
-    affectedMapCategories: input.affectedMapCategories ?? []
-  };
-}
-function emptyMissionGraph() {
-  return {
-    areas: [],
-    byArea: {},
-    byProvider: {},
-    repositoryEvidence: {
-      env: [],
-      security: []
-    }
-  };
-}
-async function scanDemoFixture(root) {
-  const [packageJson, stripeWebhook, migration, envExample] = await Promise.all([
-    readKnownFile(root, "package.json"),
-    readKnownFile(root, "app/api/stripe/webhook/route.ts"),
-    readKnownFile(root, "supabase/migrations/0001_init.sql"),
-    readKnownFile(root, ".env.example")
-  ]);
-  const dependencies = dependencyNames(packageJson);
-  const hasNext = dependencies.has("next");
-  const hasSupabase = dependencies.has("@supabase/supabase-js");
-  const hasStripe = dependencies.has("stripe");
-  const selectedProviders = {};
-  if (hasNext) selectedProviders.deployment = "vercel";
-  if (hasSupabase) {
-    selectedProviders.database = "supabase";
-    selectedProviders.auth = "supabase";
-  }
-  if (hasStripe) selectedProviders.payments = "stripe";
-  const gaps = [];
-  if (hasStripe && !hasStripeWebhookSignatureVerification(stripeWebhook)) {
-    gaps.push(
-      gap({
-        id: "stripe_webhook_signature_missing",
-        category: "SECURITY & AUTH",
-        severity: "critical",
-        title: "Verify Stripe webhook signatures",
-        detail: "The demo Stripe webhook handler does not verify the Stripe-Signature header with stripe.webhooks.constructEvent.",
-        copyPrompt: "Update the Stripe webhook route to read the raw request body, read the Stripe-Signature header, and verify events with stripe.webhooks.constructEvent using STRIPE_WEBHOOK_SECRET.",
-        primaryMapCategory: "payments",
-        affectedMapCategories: ["security"]
-      })
-    );
-  }
-  if (hasSupabase && !hasEnabledRowLevelSecurity(migration)) {
-    gaps.push(
-      gap({
-        id: "rls_disabled",
-        category: "DATABASE & DATA",
-        severity: "critical",
-        title: "Enable Supabase row level security",
-        detail: "The demo migration creates application data without enabling row level security.",
-        copyPrompt: "Add alter table statements that enable row level security and add least-privilege policies for the Supabase tables in the demo migration.",
-        primaryMapCategory: "database",
-        affectedMapCategories: ["auth", "security"]
-      })
-    );
-  }
-  if (hasStripe && !hasEnvAssignment(envExample, "STRIPE_WEBHOOK_SECRET")) {
-    gaps.push(
-      gap({
-        id: "missing_prod_env_stripe_webhook_secret",
-        category: "DEPLOYMENT",
-        severity: "warning",
-        title: "Document STRIPE_WEBHOOK_SECRET",
-        detail: "The demo .env.example does not include a STRIPE_WEBHOOK_SECRET assignment.",
-        copyPrompt: "Add STRIPE_WEBHOOK_SECRET to .env.example as an empty variable name so deploy setup documents the required Stripe webhook secret without exposing a value.",
-        primaryMapCategory: "deployment",
-        affectedMapCategories: ["payments"]
-      })
-    );
-  }
-  const hasCriticalGaps = gaps.some((item3) => item3.severity === "critical");
-  return {
-    version: 1,
-    scannedAt: DEMO_SCANNED_AT,
-    workspacePath: root,
-    score: hasCriticalGaps ? 55 : 90,
-    scoreLabel: hasCriticalGaps ? "Needs work" : "Looks solid",
-    summary: `Demo scan: ${gaps.length} launch gap(s) detected by local rules.`,
-    archetype: hasNext && hasSupabase && hasStripe ? "nextjs-supabase-stripe" : "demo-saas",
-    gaps,
-    missionGraph: emptyMissionGraph(),
-    stackWiring: { items: [], byKey: {} },
-    providerRegistry: {
-      version: 1,
-      source: "bundled",
-      generatedAt: DEMO_SCANNED_AT,
-      staleAfterDays: 30,
-      status: "fresh",
-      providers: []
-    },
-    verificationSummary: { byArea: {} },
-    productionCorePercent: hasCriticalGaps ? 40 : 95,
-    selectedProviders
-  };
-}
-
-// src/demo/runDemo.ts
-var import_picocolors7 = __toESM(require_picocolors());
-function bundledFixtureRoot() {
-  const candidates = [
-    import_node_path27.default.join(__dirname, "..", "fixtures", "demo-saas"),
-    import_node_path27.default.join(__dirname, "..", "..", "fixtures", "demo-saas")
-  ];
-  return candidates.find((candidate) => (0, import_node_fs13.existsSync)(import_node_path27.default.join(candidate, "package.json"))) ?? candidates[0];
-}
-function canUseInteractiveTryMenu(options) {
-  return isPreviewLabel(options.label) && !options.agentMode && !options.openReport && process.stdin.isTTY === true && process.stdout.isTTY === true && process.env.CI !== "true";
-}
-function isPreviewLabel(label2) {
-  return label2 === "preview" || label2 === "try";
-}
-function printTryMenuSummary(input) {
-  const providerStack = Array.from(new Set(Object.values(input.artifact.selectedProviders ?? {}))).filter(Boolean).join(" + ");
-  console.log("");
-  console.log("VibeRaven Preview");
-  console.log("Local production rehearsal. No login or API spend.");
-  console.log("");
-  console.log(`Preview stack: ${input.artifact.archetype}${providerStack ? ` (${providerStack})` : ""}`);
-  console.log(
-    `Decision: BLOCKED | Production core: ${input.artifact.productionCorePercent}% | Gaps: ${input.artifact.gaps.length}`
-  );
-  console.log("");
-  console.log("Menu:");
-  console.log("  1. Show Codex/Claude native agent UI");
-  console.log("     npx -y viberaven preview --agent-mode");
-  console.log("  2. Run VibeRaven on your real app");
-  console.log("     npx -y viberaven --agent-mode");
-  console.log("  3. Open legacy HTML report only if you explicitly want it");
-  console.log("     npx -y viberaven preview --open");
-  console.log("");
-  if (input.opened) {
-    console.log("Opened legacy HTML report in your browser.");
-  }
-  console.log("");
-}
-async function runInteractiveTryMenu(input) {
-  Ie(`${import_picocolors7.default.bold("VibeRaven Preview")} ${import_picocolors7.default.dim("local production rehearsal")}`);
-  M2.message(
-    `Preview stack: ${input.artifact.archetype} | Production core ${input.artifact.productionCorePercent}% | ${input.artifact.gaps.length} gaps`
-  );
-  const action = await ve({
-    message: "What do you want to see?",
-    options: [
-      { value: "agent-output", label: "Show Codex/Claude native UI", hint: "Checklist, provider links, and next step" },
-      { value: "real-app", label: "Run on my real app", hint: "Copy/use the agent command" },
-      { value: "open-report", label: "Open legacy HTML report", hint: "Optional old browser report" },
-      { value: "exit", label: "Exit" }
-    ]
-  });
-  if (pD(action) || action === "exit") {
-    Se(import_picocolors7.default.dim("Run npx -y viberaven preview anytime."));
-    return;
-  }
-  if (action === "open-report") {
-    await openPathInBrowser(input.reportPath);
-    Se(`Opened ${input.reportPath}`);
-    return;
-  }
-  if (action === "agent-output") {
-    const prp = generateProductionProtocol(input.artifact, {
-      mode: "demo",
-      connectedTools: input.connectedTools
-    });
-    const tasks = buildTaskList(input.artifact);
-    printActionPanelBlock(prp, tasks, currentRenderMode("demo"));
-    Se(import_picocolors7.default.dim("This is the output Codex/Claude/Cursor should reason over."));
-    return;
-  }
-  console.log("");
-  console.log("Run this inside Codex, Claude Code, Cursor, Windsurf, or Gemini CLI:");
-  console.log("  npx -y viberaven --agent-mode");
-  console.log("");
-  Se(import_picocolors7.default.dim("The native agent chat stays the main UX. Use report.html only as a legacy fallback."));
-}
-async function runDemo(options) {
-  const label2 = options.label ?? "demo";
-  const connectedTools = detectConnectedTools();
-  const fixtureRoot = options.fixtureRoot ?? bundledFixtureRoot();
-  const scannedArtifact = await scanDemoFixture(fixtureRoot);
-  const artifact = {
-    ...scannedArtifact,
-    workspacePath: options.cwd
-  };
-  const paths = await writeScanArtifacts({
-    artifact,
-    cwd: options.cwd,
-    connectedTools,
-    prpMode: "demo"
-  });
-  let reportOpened = false;
-  if (options.openReport) {
-    try {
-      await openPathInBrowser(paths.reportPath);
-      reportOpened = true;
-    } catch (error) {
-      console.warn(error instanceof Error ? error.message : String(error));
-    }
-  }
-  if (options.agentMode) {
-    console.log(
-      label2 === "demo" ? "VibeRaven demo mode - no login, no API spend. Provider verification is simulated." : isPreviewLabel(label2) ? "VibeRaven Preview - local production rehearsal. Provider verification is simulated." : "VibeRaven showcase run - no login, no API spend. Provider verification is simulated."
-    );
-    const prp = generateProductionProtocol(artifact, { mode: "demo", connectedTools });
-    const mode = currentRenderMode("demo");
-    const tasks = buildTaskList(artifact);
-    const celebration = renderClearCelebration(prp, mode);
-    printActionPanelBlock(prp, tasks, mode);
-    if (celebration) {
-      console.log(celebration);
-    }
-  } else if (isPreviewLabel(label2)) {
-    if (canUseInteractiveTryMenu(options)) {
-      await runInteractiveTryMenu({ artifact, reportPath: paths.reportPath, connectedTools });
-    } else {
-      printTryMenuSummary({ artifact, opened: reportOpened });
-    }
-  } else {
-    console.log(
-      label2 === "demo" ? "VibeRaven demo complete. See .viberaven/prp.json" : "VibeRaven showcase run complete. See .viberaven/prp.json"
-    );
-  }
-  return 0;
-}
-
 // src/cli.ts
 function printHelp() {
   console.log(`viberaven ${VERSION} \u2014 launch readiness for AI-built apps
@@ -15204,6 +14323,9 @@ Usage:
 
   viberaven status
 
+  viberaven preview [--agent-mode] [--json]
+                       Local production rehearsal for videos and onboarding; no login or API spend
+
   viberaven connect --session <id> --token <token> [--once] [--api-url <url>]
                        Handshake, save runner session, then watch for jobs (Ctrl+C to stop)
 
@@ -15213,22 +14335,7 @@ Usage:
   viberaven scan [--open] [--json] [--api-url <url>] [path]
 
   viberaven --agent-mode [--json|--jsonl] [path]
-                       Agent-first production flow for Codex, Claude Code, Cursor, or terminal agents
-
-  viberaven --demo [path]
-                       No-login demo scan over the bundled fixture; writes demo artifacts locally
-
-  viberaven --agent-mode --demo [path]
-                       Demo production flow; no login, no managed API spend
-
-  viberaven preview [--agent-mode] [path]
-                       Local production flow preview with native chat/terminal UX
-
-  viberaven try [--agent-mode] [path]
-                       Alias for preview
-
-  viberaven --showcase --agent-mode [path]
-                       Legacy alias for the local preview run
+                       Agent-first scan; writes tasklist, gate-result, context-map, and per-gap JSON
 
   viberaven --strict[=warning] [path]
                        Fail when production gate is not clear; warning mode also fails on warnings
@@ -15237,7 +14344,7 @@ Usage:
                        Refresh .viberaven/context-map.json from the last scan
 
   viberaven report [--open] [path]
-                       Legacy: rebuild report.html from last scan (no new API scan)
+                       Rebuild report.html from last scan (no new API scan)
 
   viberaven prompt [--gap <id>] [--provider <key>] [--area <key>] [--no-copy]
 
@@ -15268,9 +14375,6 @@ Usage:
   viberaven audit --vercel-supabase [--json] [path]
                        Local Vercel/Supabase repo evidence audit (RLS, pooler, secrets)
 
-  viberaven badge [--svg|--card] [path]
-                       Print a README badge, terminal card, or write .viberaven/badge.svg from .viberaven/prp.json
-
 
 
 Agent workflow (Claude Code / Codex):
@@ -15330,63 +14434,16 @@ function parseArgs(argv) {
       continue;
     }
     if (!command) {
-      if (isRootModePositional(flags, arg)) {
-        positional.push(arg);
-      } else {
-        command = arg;
-      }
+      command = arg;
     } else {
       positional.push(arg);
     }
   }
   return { command, flags, positional };
 }
-var KNOWN_COMMANDS = /* @__PURE__ */ new Set([
-  "audit",
-  "badge",
-  "connect",
-  "doctor",
-  "guide",
-  "init",
-  "interactive",
-  "login",
-  "logout",
-  "next",
-  "open",
-  "prompt",
-  "preview",
-  "provider-verify",
-  "report",
-  "scan",
-  "stack",
-  "status",
-  "tui",
-  "try",
-  "validate-npm-package",
-  "version",
-  "watch"
-]);
-function isRootModePositional(flags, token) {
-  if (KNOWN_COMMANDS.has(token)) {
-    return false;
-  }
-  return [
-    "agent-mode",
-    "demo",
-    "showcase",
-    "json",
-    "jsonl",
-    "strict",
-    "condense",
-    "verify",
-    "heal"
-  ].some((key) => flags[key] !== void 0);
-}
 function isBooleanFlag(command, key) {
   if ([
     "agent-mode",
-    "demo",
-    "showcase",
     "json",
     "jsonl",
     "condense",
@@ -15396,17 +14453,14 @@ function isBooleanFlag(command, key) {
     "apply",
     "yes",
     "no-verify",
-    "force-scan",
-    "ui"
+    "force-scan"
   ].includes(key)) {
     return true;
   }
   if (key === "strict") return true;
-  if (key === "open" && (command === "" || command === "scan" || command === "report" || command === "preview" || command === "try")) return true;
+  if (key === "open" && (command === "" || command === "scan" || command === "report")) return true;
   if (key === "verify" && command === "") return true;
   if (key === "vercel-supabase" && command === "audit") return true;
-  if (key === "svg" && command === "badge") return true;
-  if (key === "card" && command === "badge") return true;
   if (key === "json" && command === "validate-npm-package") return true;
   if (key === "dry-run" && command === "init") return true;
   if (key === "agents" && command === "doctor") return true;
@@ -15418,9 +14472,6 @@ function shouldConsumeLeadingHyphenValue(command, key, value) {
 function hasFlag(flags, key) {
   return flags[key] === true || typeof flags[key] === "string";
 }
-function resolveCliPath(input) {
-  return input ? (0, import_node_path28.resolve)(process.cwd(), input) : process.cwd();
-}
 async function guardEarlyVerifyScan(input) {
   if (input.flags["force-scan"] === true) {
     return void 0;
@@ -15429,7 +14480,7 @@ async function guardEarlyVerifyScan(input) {
   if (!verifyLike) {
     return void 0;
   }
-  const workspacePath = input.positional[0] ? (0, import_node_path28.join)(process.cwd(), input.positional[0]) : await resolveWorkspaceRoot(process.cwd());
+  const workspacePath = input.positional[0] ? (0, import_node_path25.join)(process.cwd(), input.positional[0]) : await resolveWorkspaceRoot(process.cwd());
   const loopState = await loadLoopState(workspacePath);
   if (loopState.batchApplied <= 0) {
     return void 0;
@@ -15453,19 +14504,7 @@ async function guardEarlyVerifyScan(input) {
     return void 0;
   }
   const nextTask = remainingRepoCodeTasks[0];
-  const progress = renderLoopProgress(
-    {
-      applied: loopState.batchApplied,
-      total: batchSize,
-      label: "Healing repo gaps",
-      silentInPlain: true
-    },
-    currentRenderMode("human-command")
-  );
   console.error("SCAN_DEFERRED: Local heal batch is not full yet, so VibeRaven is protecting scan quota.");
-  if (progress) {
-    console.error(progress);
-  }
   console.error(`Batch progress: ${loopState.batchApplied}/${batchSize} local heals applied since the last scan.`);
   console.error(`Next local heal: npx -y viberaven --heal --apply --gap ${nextTask.gapId} --yes`);
   console.error("Run verify again after the batch is full, or add --force-scan if the user explicitly wants to spend a scan now.");
@@ -15490,8 +14529,8 @@ async function cmdLogout() {
 }
 async function cmdProviderVerify(flags, positional) {
   const provider2 = typeof flags.provider === "string" ? flags.provider : positional[0];
-  const check = typeof flags.check === "string" ? flags.check : positional[1];
-  if (!provider2 || !check) {
+  const check2 = typeof flags.check === "string" ? flags.check : positional[1];
+  if (!provider2 || !check2) {
     console.error("Usage: viberaven provider-verify --provider <supabase|vercel> --check <id> [--plan free|pro]");
     return 1;
   }
@@ -15504,7 +14543,7 @@ async function cmdProviderVerify(flags, positional) {
   }
   const result = await verifyProviderGap({
     provider: provider2,
-    check,
+    check: check2,
     cwd: process.cwd(),
     plan
   });
@@ -15517,7 +14556,7 @@ async function cmdStatus(flags, positional) {
     console.log("Not signed in. Run: viberaven login");
     return 1;
   }
-  const startDir = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
   let artifact;
   try {
     artifact = await loadLastArtifact(startDir);
@@ -15671,7 +14710,7 @@ async function cmdWatch(flags) {
   }
 }
 async function runScanCommand(flags, positional, options) {
-  const workspacePath = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : await resolveWorkspaceRoot(process.cwd());
+  const workspacePath = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : await resolveWorkspaceRoot(process.cwd());
   const apiBaseUrl = resolveApiBaseUrl(typeof flags["api-url"] === "string" ? flags["api-url"] : void 0);
   let accessToken;
   try {
@@ -15717,16 +14756,15 @@ async function runScanCommand(flags, positional, options) {
     return { exitCode: 1 };
   }
   const artifact = await enrichArtifactWithAccount(result.artifact, apiBaseUrl, accessToken);
-  const connectedTools = detectConnectedTools();
-  const paths = await writeScanArtifacts({ artifact, cwd: workspacePath, connectedTools });
+  const paths = await writeScanArtifacts({ artifact, cwd: workspacePath });
   if (flags.json && !options?.deferMachineOutput) {
     console.log(formatScanJsonStdout(artifact));
     return { exitCode: 0, artifacts: paths };
   }
-  if (!options?.deferMachineOutput && !flags["agent-mode"]) {
+  if (!options?.deferMachineOutput) {
     printScanSummary(artifact, paths);
   }
-  if (artifact.usage && !options?.deferMachineOutput && !flags["agent-mode"]) {
+  if (artifact.usage && !options?.deferMachineOutput) {
     console.log(formatUsageLine(artifact.usage));
   }
   if (flags["agent-mode"] && !options?.deferMachineOutput) {
@@ -15734,16 +14772,6 @@ async function runScanCommand(flags, positional, options) {
     const openGapCount = artifact.gaps.length;
     const updatedState = resetBatch(loopState, openGapCount);
     const tasks = buildTaskList(artifact);
-    const prp = generateProductionProtocol(artifact, { connectedTools });
-    const mode = currentRenderMode("agent-mode");
-    const bootstrap = await maybeAutoInstallAgentRules({ cwd: workspacePath });
-    console.log(formatAgentRulesBootstrapSummary(bootstrap));
-    console.log("");
-    printActionPanelBlock(prp, tasks, mode);
-    const celebration = renderClearCelebration(prp, mode);
-    if (celebration) {
-      console.log(celebration);
-    }
     const plan = artifact.plan ?? "free";
     const block = buildNextActionBlock(tasks, updatedState, plan);
     printNextActionBlock(block);
@@ -15760,7 +14788,7 @@ async function runScanCommand(flags, positional, options) {
   return { exitCode: 0, artifacts: paths };
 }
 async function cmdReport(flags, positional) {
-  const startDir = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
   try {
     const paths = await refreshReportFromDisk(startDir);
     console.log(`Report refreshed: ${paths.reportPath}`);
@@ -15782,7 +14810,7 @@ async function cmdReport(flags, positional) {
   }
 }
 async function cmdPrompt(flags, positional) {
-  const startDir = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
+  const startDir = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
   let artifact;
   try {
     artifact = await loadLastArtifact(startDir);
@@ -15790,26 +14818,26 @@ async function cmdPrompt(flags, positional) {
     console.error(error instanceof Error ? error.message : "No scan found. Run: viberaven scan");
     return 1;
   }
-  const gap2 = pickGap(artifact, {
+  const gap = pickGap(artifact, {
     gapId: typeof flags.gap === "string" ? flags.gap : void 0,
     provider: typeof flags.provider === "string" ? flags.provider : void 0,
     area: typeof flags.area === "string" ? flags.area : void 0
   });
-  if (!gap2) {
+  if (!gap) {
     console.error("No matching gap. Run `viberaven scan` or pass --gap <id>.");
     return 1;
   }
   const skipCopy = flags["no-copy"] === true;
   if (!skipCopy) {
     try {
-      await copyToClipboard(gap2.copyPrompt);
-      console.log(`Copied to clipboard: ${gap2.title}`);
+      await copyToClipboard(gap.copyPrompt);
+      console.log(`Copied to clipboard: ${gap.title}`);
       return 0;
     } catch (error) {
       console.warn(error instanceof Error ? error.message : String(error));
     }
   }
-  console.log(gap2.copyPrompt);
+  console.log(gap.copyPrompt);
   return 0;
 }
 var STACK_AREAS = /* @__PURE__ */ new Set(["database", "auth", "payments", "deployment", "monitoring", "security"]);
@@ -15880,7 +14908,7 @@ async function main() {
   const wantsJsonl = hasFlag(flags, "jsonl");
   const wantsStrict = hasFlag(flags, "strict");
   if (flags.condense) {
-    const cwd = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
+    const cwd = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
     const result = await runCondenseCommand({ cwd });
     console.log(`VibeRaven context map refreshed: ${result.contextMapPath}`);
     return 0;
@@ -15898,19 +14926,6 @@ async function main() {
     console.log(JSON.stringify(result, null, 2));
     return result.status.startsWith("refused") || result.status === "failed" ? 1 : 0;
   }
-  if (command === "preview" || command === "try") {
-    const cwd = resolveCliPath(positional[0]);
-    return runDemo({
-      cwd,
-      agentMode: isAgentMode,
-      label: command === "preview" ? "preview" : "try",
-      openReport: flags.open === true || flags.ui === true
-    });
-  }
-  if (hasFlag(flags, "demo") || hasFlag(flags, "showcase")) {
-    const cwd = resolveCliPath(positional[0]);
-    return runDemo({ cwd, agentMode: isAgentMode, label: hasFlag(flags, "showcase") ? "showcase" : "demo" });
-  }
   if (!command && (isAgentMode || flags.verify === true || wantsJson || wantsJsonl || wantsStrict)) {
     const guardedExitCode = await guardEarlyVerifyScan({ flags, positional, wantsStrict });
     if (guardedExitCode !== void 0) {
@@ -15922,7 +14937,7 @@ async function main() {
       console.error("VibeRaven could not produce machine output because scan artifacts were not written.");
       return 3;
     }
-    const gateResult = scanResult.artifacts && (wantsJson || wantsJsonl || wantsStrict) ? JSON.parse(await (0, import_promises21.readFile)(scanResult.artifacts.gateResultPath, "utf8")) : void 0;
+    const gateResult = scanResult.artifacts && (wantsJson || wantsJsonl || wantsStrict) ? JSON.parse(await (0, import_promises19.readFile)(scanResult.artifacts.gateResultPath, "utf8")) : void 0;
     const strictExitCode = wantsStrict && gateResult ? exitCodeForStrictGate(gateResult, { failOnWarnings: flags.strict === "warning" }) : scanResult.exitCode;
     if (wantsJson && gateResult) {
       process.stdout.write(renderGateResultJson(gateResult));
@@ -15954,10 +14969,16 @@ async function main() {
       return 0;
     case "status":
       return cmdStatus(flags, positional);
+    case "preview":
+      return runPreviewCommand({
+        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd(),
+        agentMode: flags["agent-mode"] === true,
+        json: Boolean(flags.json)
+      });
     case "next":
       return runNextCommand({
         json: Boolean(flags.json),
-        cwd: positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd()
+        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd()
       });
     case "guide": {
       const provider2 = positional[0];
@@ -15995,7 +15016,7 @@ async function main() {
     case "provider-verify":
       return cmdProviderVerify(flags, positional);
     case "init": {
-      const cwd = positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd();
+      const cwd = positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd();
       const agents = typeof flags.agents === "string" ? flags.agents : void 0;
       return runInitCommand({
         cwd,
@@ -16009,7 +15030,7 @@ async function main() {
         return 1;
       }
       return runDoctorAgentsCommand({
-        cwd: positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd()
+        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd()
       });
     case "validate-npm-package":
       return runValidateNpmPackageCommand({
@@ -16022,15 +15043,9 @@ async function main() {
         return 1;
       }
       return runAuditCommand({
-        cwd: positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd(),
+        cwd: positional[0] ? (0, import_node_path25.join)(process.cwd(), positional[0]) : process.cwd(),
         json: Boolean(flags.json)
       });
-    case "badge":
-      return runBadgeCommand({
-        cwd: positional[0] ? (0, import_node_path28.join)(process.cwd(), positional[0]) : process.cwd(),
-        svg: flags.svg === true,
-        card: flags.card === true
-      });
     default:
       console.error(`Unknown command: ${command}`);
       printHelp();