npm - avorelo - Versions diffs - 0.1.0 - Mend

avorelo 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

package/LICENSE +21 -0
package/README.md +56 -0
package/bin/avorelo +9 -0
package/package.json +135 -0
package/scripts/README.md +40 -0
package/scripts/cco-dashboard.js +252 -0
package/scripts/cco-status.js +430 -0
package/scripts/lib/activation/account-state.js +37 -0
package/scripts/lib/activation/activation-runner.js +546 -0
package/scripts/lib/activation/activation-self-healing.js +480 -0
package/scripts/lib/activation/activation-state.js +83 -0
package/scripts/lib/activation/activation-summary.js +191 -0
package/scripts/lib/activation/adapters/claude-code.js +77 -0
package/scripts/lib/activation/adapters/codex-cli.js +52 -0
package/scripts/lib/activation/adapters/cursor.js +37 -0
package/scripts/lib/activation/adapters/github-agent.js +39 -0
package/scripts/lib/activation/adapters/terminal.js +42 -0
package/scripts/lib/activation/adapters/vscode.js +39 -0
package/scripts/lib/activation/adapters/windsurf.js +37 -0
package/scripts/lib/activation/ai-surface-detector.js +151 -0
package/scripts/lib/activation/connect-account.js +145 -0
package/scripts/lib/activation/detect-environment.js +75 -0
package/scripts/lib/activation/detect-hosts.js +62 -0
package/scripts/lib/activation/format-activation-output.js +109 -0
package/scripts/lib/activation/next-action.js +43 -0
package/scripts/lib/activation/repair-engine.js +219 -0
package/scripts/lib/activation-distribution-readiness.js +507 -0
package/scripts/lib/adapter-conformance.js +176 -0
package/scripts/lib/adapter-readiness.js +417 -0
package/scripts/lib/adapter-safety-boundaries.js +335 -0
package/scripts/lib/adapter-technical-readiness-gate.js +205 -0
package/scripts/lib/agent-access-governance.js +455 -0
package/scripts/lib/agent-enforcement.js +765 -0
package/scripts/lib/agent-policy-profile.js +210 -0
package/scripts/lib/agent-security/action-evaluator.js +507 -0
package/scripts/lib/agent-security/adapter-registry.js +98 -0
package/scripts/lib/agent-security/auto-policy.js +139 -0
package/scripts/lib/agent-security/bounded-scan.js +93 -0
package/scripts/lib/agent-security/enforcement-adapter.js +174 -0
package/scripts/lib/agent-security/enforcement-engine.js +1129 -0
package/scripts/lib/agent-security/file-write-adapter.js +183 -0
package/scripts/lib/agent-security/file-write-rules.js +178 -0
package/scripts/lib/agent-security/index.js +3342 -0
package/scripts/lib/agent-security/instruction-risk.js +181 -0
package/scripts/lib/agent-security/mcp-action-adapter.js +185 -0
package/scripts/lib/agent-security/mcp-action-rules.js +184 -0
package/scripts/lib/agent-security/package-action-adapter.js +175 -0
package/scripts/lib/agent-security/package-action-rules.js +233 -0
package/scripts/lib/agent-security/performance.js +148 -0
package/scripts/lib/agent-security/permission-minimizer.js +403 -0
package/scripts/lib/agent-security/scan-cache.js +74 -0
package/scripts/lib/agent-security/source-trust.js +146 -0
package/scripts/lib/ai-install-prompt.js +288 -0
package/scripts/lib/ai-workspace-hygiene.js +1499 -0
package/scripts/lib/alpha-activation.js +520 -0
package/scripts/lib/alpha-feedback.js +263 -0
package/scripts/lib/alpha-readiness-gate.js +332 -0
package/scripts/lib/anti-gaming.js +169 -0
package/scripts/lib/artifact-health.js +431 -0
package/scripts/lib/attribution.js +180 -0
package/scripts/lib/audit.js +289 -0
package/scripts/lib/avorelo-skill-registry.js +810 -0
package/scripts/lib/batch-jobs.js +71 -0
package/scripts/lib/brain-pack.js +578 -0
package/scripts/lib/brand-boundary.js +424 -0
package/scripts/lib/brand.js +74 -0
package/scripts/lib/browser-capability.js +1048 -0
package/scripts/lib/browser-proof-preflight.js +321 -0
package/scripts/lib/cache-readiness.js +187 -0
package/scripts/lib/canonical-reentry.js +162 -0
package/scripts/lib/capability-packs.js +314 -0
package/scripts/lib/capability-recommender.js +512 -0
package/scripts/lib/capability-registry.js +1059 -0
package/scripts/lib/carry-forward-surfacing.js +194 -0
package/scripts/lib/ccusage-adapter.js +188 -0
package/scripts/lib/company-loop.js +1149 -0
package/scripts/lib/config.js +637 -0
package/scripts/lib/context-acquisition-plan.js +287 -0
package/scripts/lib/context-budget-guard.js +170 -0
package/scripts/lib/context-budget-scanner.js +257 -0
package/scripts/lib/context-optimizer.js +715 -0
package/scripts/lib/context-reduction-plan.js +178 -0
package/scripts/lib/context-safety.js +88 -0
package/scripts/lib/context-savings-engine.js +158 -0
package/scripts/lib/cost-evidence.js +254 -0
package/scripts/lib/cross-host-install-plan.js +308 -0
package/scripts/lib/cross-host-install-readiness.js +237 -0
package/scripts/lib/cross-host-value-flow.js +268 -0
package/scripts/lib/dashboard.js +900 -0
package/scripts/lib/design-partner-feedback.js +346 -0
package/scripts/lib/entitlements.js +100 -0
package/scripts/lib/execution-packet.js +559 -0
package/scripts/lib/experimentation-events.js +547 -0
package/scripts/lib/external-capability-compliance.js +107 -0
package/scripts/lib/external-user-simulation.js +166 -0
package/scripts/lib/failure-recovery-readiness.js +81 -0
package/scripts/lib/failure-recovery.js +419 -0
package/scripts/lib/feedback-intelligence.js +537 -0
package/scripts/lib/feedback-signals.js +205 -0
package/scripts/lib/file-integrity.js +68 -0
package/scripts/lib/fsx.js +127 -0
package/scripts/lib/full-readiness-gate.js +451 -0
package/scripts/lib/guidance-builder.js +174 -0
package/scripts/lib/hook-apply.js +1019 -0
package/scripts/lib/hook-baseline.js +310 -0
package/scripts/lib/hook-config-preview.js +275 -0
package/scripts/lib/hook-contracts.js +290 -0
package/scripts/lib/hook-safety-boundary-readiness.js +80 -0
package/scripts/lib/host-capability-matrix.js +351 -0
package/scripts/lib/host-support-context.js +254 -0
package/scripts/lib/http-hook-action.js +538 -0
package/scripts/lib/install-ai-readiness.js +84 -0
package/scripts/lib/install-intake-risk.js +1037 -0
package/scripts/lib/install-journey-intelligence.js +329 -0
package/scripts/lib/intervention-guidance.js +57 -0
package/scripts/lib/known-limitations.js +115 -0
package/scripts/lib/l8-path-truth.js +146 -0
package/scripts/lib/launch-hardening-gate.js +436 -0
package/scripts/lib/launch-readiness.js +628 -0
package/scripts/lib/learning-memory.js +686 -0
package/scripts/lib/lifecycle-hooks.js +802 -0
package/scripts/lib/local-package-smoke.js +423 -0
package/scripts/lib/local-pricing.js +299 -0
package/scripts/lib/mcp-enforcement.js +311 -0
package/scripts/lib/mcp-least-privilege-policy.js +303 -0
package/scripts/lib/mcp-tool-inventory.js +388 -0
package/scripts/lib/mcp-tool-risk.js +0 -0
package/scripts/lib/memory.js +335 -0
package/scripts/lib/metrics.js +699 -0
package/scripts/lib/micro-proof.js +133 -0
package/scripts/lib/next-run-context.js +436 -0
package/scripts/lib/operating-value.js +1648 -0
package/scripts/lib/optimization-v3.js +122 -0
package/scripts/lib/orchestration/adapters/_shared.js +49 -0
package/scripts/lib/orchestration/adapters/aider.js +18 -0
package/scripts/lib/orchestration/adapters/claude-code.js +35 -0
package/scripts/lib/orchestration/adapters/codex.js +35 -0
package/scripts/lib/orchestration/adapters/gemini-cli.js +18 -0
package/scripts/lib/orchestration/adapters/git.js +25 -0
package/scripts/lib/orchestration/adapters/index.js +31 -0
package/scripts/lib/orchestration/adapters/lm-studio.js +18 -0
package/scripts/lib/orchestration/adapters/ollama.js +18 -0
package/scripts/lib/orchestration/adapters/opencode.js +18 -0
package/scripts/lib/orchestration/adapters/openrouter.js +18 -0
package/scripts/lib/orchestration/adapters/test-runner.js +25 -0
package/scripts/lib/orchestration/cli.js +438 -0
package/scripts/lib/orchestration/execution-manager.js +279 -0
package/scripts/lib/orchestration/handoff.js +314 -0
package/scripts/lib/orchestration/index.js +456 -0
package/scripts/lib/orchestration/inventory.js +47 -0
package/scripts/lib/orchestration/model-discovery.js +498 -0
package/scripts/lib/orchestration/model-profiler.js +170 -0
package/scripts/lib/orchestration/model-profiles.js +252 -0
package/scripts/lib/orchestration/model-refresh-policy.js +72 -0
package/scripts/lib/orchestration/proof-writer.js +349 -0
package/scripts/lib/orchestration/provider-discovery/aider.js +49 -0
package/scripts/lib/orchestration/provider-discovery/claude-code.js +56 -0
package/scripts/lib/orchestration/provider-discovery/codex.js +49 -0
package/scripts/lib/orchestration/provider-discovery/common.js +186 -0
package/scripts/lib/orchestration/provider-discovery/gemini.js +106 -0
package/scripts/lib/orchestration/provider-discovery/lm-studio.js +118 -0
package/scripts/lib/orchestration/provider-discovery/models-dev.js +12 -0
package/scripts/lib/orchestration/provider-discovery/ollama.js +100 -0
package/scripts/lib/orchestration/provider-discovery/opencode.js +47 -0
package/scripts/lib/orchestration/provider-discovery/openrouter.js +44 -0
package/scripts/lib/orchestration/risk-classifier.js +130 -0
package/scripts/lib/orchestration/routing-policy.js +486 -0
package/scripts/lib/orchestration/settings.js +112 -0
package/scripts/lib/orchestration/state.js +165 -0
package/scripts/lib/orchestration/verification-manager.js +138 -0
package/scripts/lib/output-profiles.js +146 -0
package/scripts/lib/package-content-audit.js +368 -0
package/scripts/lib/package-runtime.js +278 -0
package/scripts/lib/plan-surface.js +53 -0
package/scripts/lib/plans.js +2318 -0
package/scripts/lib/policy-provider.js +27 -0
package/scripts/lib/prelaunch-activation-readiness.js +409 -0
package/scripts/lib/prelaunch-evidence-store.js +816 -0
package/scripts/lib/prelaunch-intelligence.js +869 -0
package/scripts/lib/pricing-experiment.js +118 -0
package/scripts/lib/pro-moment-events.js +77 -0
package/scripts/lib/pro-moment-state.js +227 -0
package/scripts/lib/pro-moments.js +1216 -0
package/scripts/lib/product-learning-events.js +629 -0
package/scripts/lib/project-profile.js +555 -0
package/scripts/lib/prompt-compiler.js +280 -0
package/scripts/lib/prompt-lint.js +32 -0
package/scripts/lib/prompt-suggestions.js +52 -0
package/scripts/lib/proof-canonical.js +398 -0
package/scripts/lib/proof-drilldown.js +383 -0
package/scripts/lib/proof-events.js +342 -0
package/scripts/lib/proof-history.js +243 -0
package/scripts/lib/proof-metrics.js +296 -0
package/scripts/lib/proof-outcome-evidence.js +134 -0
package/scripts/lib/proof-receipt.js +335 -0
package/scripts/lib/proof-record.js +461 -0
package/scripts/lib/public-activation-distribution-gate.js +258 -0
package/scripts/lib/public-cli.js +3891 -0
package/scripts/lib/public-distribution-truth.js +211 -0
package/scripts/lib/public-install-claim-checker.js +294 -0
package/scripts/lib/publish-provenance-readiness.js +283 -0
package/scripts/lib/readiness-delta.js +218 -0
package/scripts/lib/readiness-evidence-closure.js +196 -0
package/scripts/lib/reentry-memory-capture.js +241 -0
package/scripts/lib/reentry-memory-retrieval.js +302 -0
package/scripts/lib/reentry-memory-status.js +146 -0
package/scripts/lib/reentry-memory-store.js +178 -0
package/scripts/lib/reentry-state.js +66 -0
package/scripts/lib/release-candidate-bundle.js +166 -0
package/scripts/lib/remediation.js +81 -0
package/scripts/lib/repo-map.js +391 -0
package/scripts/lib/run-improvements-lifecycle.js +330 -0
package/scripts/lib/run-improvements.js +789 -0
package/scripts/lib/runtime-decision-policy.js +387 -0
package/scripts/lib/safe-path-engine.js +705 -0
package/scripts/lib/safe-run-controller.js +887 -0
package/scripts/lib/score.js +262 -0
package/scripts/lib/seamless-enforcement.js +329 -0
package/scripts/lib/seamless-outcome.js +689 -0
package/scripts/lib/seamless-reality-gate.js +5043 -0
package/scripts/lib/security-risk-classifier.js +511 -0
package/scripts/lib/security-scan.js +384 -0
package/scripts/lib/session-context-optimizer.js +1211 -0
package/scripts/lib/session-timing.js +315 -0
package/scripts/lib/skill-hygiene.js +805 -0
package/scripts/lib/skill-packs.js +161 -0
package/scripts/lib/skills-operating-layer.js +580 -0
package/scripts/lib/smart-work-routing.js +768 -0
package/scripts/lib/source-catalog.js +700 -0
package/scripts/lib/status-value-summary.js +32 -0
package/scripts/lib/support-bundle.js +578 -0
package/scripts/lib/task-continuation.js +440 -0
package/scripts/lib/test-helpers.js +15 -0
package/scripts/lib/tier.js +38 -0
package/scripts/lib/token-context-quality-gate.js +370 -0
package/scripts/lib/token-cost-capture.js +187 -0
package/scripts/lib/token-cost-intelligence.js +358 -0
package/scripts/lib/token-efficiency-evidence.js +213 -0
package/scripts/lib/token-evidence.js +699 -0
package/scripts/lib/tokenish.js +17 -0
package/scripts/lib/tool-output-sandbox.js +304 -0
package/scripts/lib/trust-audit.js +136 -0
package/scripts/lib/unified-events.js +396 -0
package/scripts/lib/upgrade-interruption-recovery.js +407 -0
package/scripts/lib/usage-ledger.js +201 -0
package/scripts/lib/value-ledger.js +130 -0
package/scripts/lib/value-proof-calibration.js +531 -0
package/scripts/lib/visual-qa.js +231 -0
package/scripts/lib/voice-alpha.js +29 -0
package/scripts/lib/work-aware-orchestration.js +976 -0
package/scripts/lib/work-control-receipts.js +577 -0
package/scripts/lib/work-ledger.js +1123 -0
package/scripts/lib/work-panel-preview.js +352 -0
package/scripts/lib/workflow-discipline.js +280 -0
package/scripts/lib/workflow-signals.js +419 -0
package/scripts/lib/workspace-map.js +281 -0
package/scripts/lib/workspace-registry.js +1367 -0
package/scripts/lib/workspace-resolver.js +480 -0

package/scripts/lib/project-profile.js ADDED Viewed

@@ -0,0 +1,555 @@
+"use strict";
+// ── Project Profile ───────────────────────────────────────────────────────────
+//
+// Contract: avorelo.projectProfile.v1
+//
+// Deterministic project profile detection: infers framework, package manager,
+// build/test/dev scripts, deploy provider, and risk boundaries from local files.
+//
+// No network calls. No package installs. No script execution. No secret reading.
+const fs = require("fs");
+const path = require("path");
+const { ensureCcoDirs, safeWriteJson } = require("./fsx");
+const { appendProductLearningEvent } = require("./product-learning-events");
+const CONTRACT = "avorelo.projectProfile.v1";
+const SCHEMA_VERSION = 1;
+const LATEST_PROFILE_REL = ".claude/cco/orchestration/project-profile/latest-profile.json";
+// ── Risk boundary constants ───────────────────────────────────────────────────
+const DEFAULT_BLOCKED_FILES = Object.freeze([
+  ".env",
+  ".env.local",
+  ".env.production",
+  ".env.development",
+  ".env.staging",
+  ".env.test",
+  ".env.server",
+  ".env.client",
+  "*.pem",
+  "*.key",
+  "*.p12",
+  "*.pfx",
+  ".npmrc",
+  ".yarnrc",
+  "secrets.json",
+  "credentials.json",
+  "service-account.json",
+]);
+const DEFAULT_SENSITIVE_DIRS = Object.freeze([
+  "auth",
+  "authentication",
+  "billing",
+  "payments",
+  "payment",
+  "secrets",
+  "secret",
+  "infra",
+  "infrastructure",
+  "api/auth",
+  "api/billing",
+  "api/payments",
+  "api/admin",
+  "server/auth",
+  "server/billing",
+  "src/auth",
+  "src/billing",
+  "src/payments",
+]);
+const DEFAULT_BLOCKED_ACTIONS = Object.freeze([
+  "deploy",
+  "publish",
+  "push_to_production",
+  "run_migrations_production",
+  "delete_database",
+  "drop_table",
+  "truncate_table",
+  "send_email_production",
+  "charge_customer",
+  "run_env_script",
+]);
+const DEFAULT_ALLOWED_ACTIONS = Object.freeze([
+  "file_read",
+  "file_write_with_diff",
+  "run_tests",
+  "run_lint",
+  "run_build",
+  "run_type_check",
+  "git_status",
+  "git_diff",
+  "git_log",
+]);
+// ── Helpers ───────────────────────────────────────────────────────────────────
+function safeReadJson(absPath) {
+  try {
+    if (!fs.existsSync(absPath)) return null;
+    const raw = fs.readFileSync(absPath, "utf8").replace(/^/, "");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function fileExists(cwd, ...parts) {
+  return fs.existsSync(path.join(cwd, ...parts));
+}
+function readText(cwd, ...parts) {
+  try {
+    const absPath = path.join(cwd, ...parts);
+    if (!fs.existsSync(absPath)) return null;
+    return fs.readFileSync(absPath, "utf8");
+  } catch {
+    return null;
+  }
+}
+function nowIso() {
+  return new Date().toISOString();
+}
+// ── Package manager detection ─────────────────────────────────────────────────
+function detectPackageManager(cwd, pkg) {
+  // Check packageManager field in package.json first
+  if (pkg && pkg.packageManager) {
+    const pm = pkg.packageManager;
+    if (pm.startsWith("pnpm")) return "pnpm";
+    if (pm.startsWith("yarn")) return "yarn";
+    if (pm.startsWith("bun")) return "bun";
+    if (pm.startsWith("npm")) return "npm";
+  }
+  // Check lockfiles
+  if (fileExists(cwd, "pnpm-lock.yaml")) return "pnpm";
+  if (fileExists(cwd, "yarn.lock")) return "yarn";
+  if (fileExists(cwd, "bun.lockb") || fileExists(cwd, "bun.lock")) return "bun";
+  if (fileExists(cwd, "package-lock.json")) return "npm";
+  // Has package.json but no lockfile
+  if (pkg) return "npm";
+  return "unknown";
+}
+// ── Framework detection ───────────────────────────────────────────────────────
+function detectFramework(cwd, pkg) {
+  if (!pkg) return "unknown";
+  const deps = {
+    ...((pkg.dependencies) || {}),
+    ...((pkg.devDependencies) || {}),
+  };
+  const scripts = pkg.scripts || {};
+  const hasScript = (name) => Boolean(scripts[name]);
+  const hasDep = (name) => Boolean(deps[name]);
+  // Wasp
+  if (fileExists(cwd, "main.wasp") || fileExists(cwd, ".wasproot")) return "wasp";
+  // Next.js
+  if (hasDep("next")) return "nextjs";
+  // Remix
+  if (hasDep("@remix-run/react") || hasDep("@remix-run/node")) return "remix";
+  // Vite + React
+  if (hasDep("vite") && hasDep("react")) return "vite_react";
+  // Vite generic
+  if (hasDep("vite")) return "vite";
+  // React (CRA or other)
+  if (hasDep("react") && hasDep("react-dom")) return "react";
+  // Vue
+  if (hasDep("vue") || hasDep("@vue/core")) return "vue";
+  // Express
+  if (hasDep("express")) return "express_node";
+  // Node (generic)
+  if (hasScript("start") || hasScript("dev")) return "node";
+  // Static HTML (no package.json framework)
+  if (fileExists(cwd, "index.html") && !pkg) return "static_html";
+  return "node";
+}
+// ── Workspace type detection ──────────────────────────────────────────────────
+function detectWorkspaceType(cwd, pkg) {
+  if (!pkg) return "unknown";
+  // pnpm workspaces
+  if (fileExists(cwd, "pnpm-workspace.yaml")) return "monorepo";
+  // yarn/npm workspaces
+  if (pkg.workspaces) return "monorepo";
+  // Multiple apps directories
+  const appsDir = fileExists(cwd, "apps");
+  const packagesDir = fileExists(cwd, "packages");
+  if (appsDir && packagesDir) return "monorepo";
+  return "single";
+}
+// ── App detection ─────────────────────────────────────────────────────────────
+function detectApps(cwd) {
+  const apps = [];
+  const appsDir = path.join(cwd, "apps");
+  if (fs.existsSync(appsDir)) {
+    try {
+      const entries = fs.readdirSync(appsDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (entry.isDirectory()) {
+          const appPkg = safeReadJson(path.join(appsDir, entry.name, "package.json"));
+          apps.push({
+            name: entry.name,
+            path: `apps/${entry.name}`,
+            framework: detectFramework(path.join(appsDir, entry.name), appPkg),
+          });
+        }
+      }
+    } catch {}
+  }
+  return apps;
+}
+// ── Script detection ──────────────────────────────────────────────────────────
+function detectCommands(pkg) {
+  if (!pkg || !pkg.scripts) {
+    return {
+      build: null,
+      test: null,
+      lint: null,
+      dev: null,
+      preview: null,
+    };
+  }
+  const scripts = pkg.scripts;
+  return {
+    build: scripts.build || scripts["build:prod"] || null,
+    test: scripts.test || scripts["test:unit"] || scripts["test:ci"] || null,
+    lint: scripts.lint || scripts["lint:check"] || null,
+    dev: scripts.dev || scripts.start || scripts.serve || null,
+    preview: scripts.preview || scripts["preview:prod"] || null,
+  };
+}
+// ── Dev server detection ──────────────────────────────────────────────────────
+function detectDevServer(cwd, pkg, framework) {
+  const portGuesses = {
+    nextjs: 3000,
+    vite_react: 5173,
+    vite: 5173,
+    react: 3000,
+    wasp: 3000,
+    remix: 3000,
+    vue: 5173,
+    express_node: 3000,
+    node: 3000,
+  };
+  const scripts = (pkg && pkg.scripts) || {};
+  const hasDevScript = Boolean(scripts.dev || scripts.start);
+  return {
+    detected: hasDevScript || ["nextjs", "vite_react", "vite", "react", "wasp"].includes(framework),
+    defaultPort: portGuesses[framework] || 3000,
+    previewCommand: scripts.preview || scripts.dev || null,
+  };
+}
+// ── Deploy detection ──────────────────────────────────────────────────────────
+function detectDeploy(cwd) {
+  const configFiles = [];
+  let provider = "unknown";
+  if (fileExists(cwd, "netlify.toml")) {
+    configFiles.push("netlify.toml");
+    provider = "netlify";
+  }
+  if (fileExists(cwd, "vercel.json") || fileExists(cwd, ".vercel")) {
+    configFiles.push("vercel.json");
+    provider = provider === "netlify" ? "netlify+vercel" : "vercel";
+  }
+  if (fileExists(cwd, "railway.toml") || fileExists(cwd, "railway.json")) {
+    configFiles.push("railway.toml");
+    provider = provider === "unknown" ? "railway" : provider + "+railway";
+  }
+  if (fileExists(cwd, "fly.toml")) {
+    configFiles.push("fly.toml");
+    provider = provider === "unknown" ? "fly" : provider + "+fly";
+  }
+  return {
+    provider,
+    configFiles,
+    requiresApproval: configFiles.length > 0,
+  };
+}
+// ── Proof defaults ────────────────────────────────────────────────────────────
+function detectProofDefaults(commands, deploy) {
+  const proofSteps = [];
+  if (commands.build) proofSteps.push({ step: "build", command: commands.build, available: true });
+  if (commands.test) proofSteps.push({ step: "test", command: commands.test, available: true });
+  if (commands.lint) proofSteps.push({ step: "lint", command: commands.lint, available: true });
+  if (proofSteps.length === 0) {
+    proofSteps.push({ step: "manual_review", command: null, available: false, note: "not_available" });
+  }
+  return {
+    requiredSteps: proofSteps.filter((s) => s.available).map((s) => s.step),
+    steps: proofSteps,
+    screenshotAvailable: false,
+    deployGateRequired: deploy.requiresApproval,
+  };
+}
+// ── Agent config surfaces ─────────────────────────────────────────────────────
+function detectAgentConfigSurfaces(cwd) {
+  const surfaces = [];
+  if (fileExists(cwd, ".claude", "settings.json")) surfaces.push(".claude/settings.json");
+  if (fileExists(cwd, ".claude", "settings.local.json")) surfaces.push(".claude/settings.local.json");
+  if (fileExists(cwd, "CLAUDE.md")) surfaces.push("CLAUDE.md");
+  if (fileExists(cwd, "AGENTS.md")) surfaces.push("AGENTS.md");
+  if (fileExists(cwd, ".cursorrules")) surfaces.push(".cursorrules");
+  if (fileExists(cwd, ".codex")) surfaces.push(".codex");
+  return surfaces;
+}
+// ── Source signals ────────────────────────────────────────────────────────────
+function buildSourceSignals(cwd, pkg) {
+  const signals = [];
+  if (pkg) signals.push("package.json");
+  if (fileExists(cwd, "main.wasp")) signals.push("main.wasp");
+  if (fileExists(cwd, "netlify.toml")) signals.push("netlify.toml");
+  if (fileExists(cwd, "vercel.json")) signals.push("vercel.json");
+  if (fileExists(cwd, "tsconfig.json")) signals.push("tsconfig.json");
+  if (fileExists(cwd, "vite.config.ts") || fileExists(cwd, "vite.config.js")) signals.push("vite.config");
+  if (fileExists(cwd, "next.config.js") || fileExists(cwd, "next.config.mjs")) signals.push("next.config");
+  if (fileExists(cwd, "schema.prisma")) signals.push("schema.prisma");
+  return signals;
+}
+// ── Risk boundaries ───────────────────────────────────────────────────────────
+function buildRiskBoundaries(cwd, pkg, deploy) {
+  const blockedFiles = [...DEFAULT_BLOCKED_FILES];
+  const sensitiveDirs = [...DEFAULT_SENSITIVE_DIRS];
+  // Add deploy config files to blocked (require explicit approval)
+  if (deploy.configFiles.length > 0) {
+    blockedFiles.push(...deploy.configFiles);
+  }
+  // package-lock.json is risky to auto-modify
+  if (fileExists(cwd, "package-lock.json")) {
+    if (!blockedFiles.includes("package-lock.json")) {
+      blockedFiles.push("package-lock.json");
+    }
+  }
+  // schema.prisma is risky (production DB schema)
+  if (fileExists(cwd, "schema.prisma")) {
+    blockedFiles.push("schema.prisma");
+  }
+  return {
+    blockedFiles: [...new Set(blockedFiles)],
+    sensitiveDirs: [...new Set(sensitiveDirs)],
+    blockedActions: [...DEFAULT_BLOCKED_ACTIONS],
+    allowedDefaultActions: [...DEFAULT_ALLOWED_ACTIONS],
+  };
+}
+// ── Profile status determination ──────────────────────────────────────────────
+function determineStatus(pkg, framework, packageManager) {
+  if (!pkg) return "unknown";
+  if (framework === "unknown" || packageManager === "unknown") return "partial";
+  return "ready";
+}
+// ── Build functions ───────────────────────────────────────────────────────────
+function detectProjectProfile(cwd, options = {}) {
+  const pkgPath = path.join(cwd, "package.json");
+  const pkg = safeReadJson(pkgPath);
+  const packageManager = detectPackageManager(cwd, pkg);
+  const framework = detectFramework(cwd, pkg);
+  const workspaceType = detectWorkspaceType(cwd, pkg);
+  const apps = detectApps(cwd);
+  const commands = detectCommands(pkg);
+  const devServer = detectDevServer(cwd, pkg, framework);
+  const deploy = detectDeploy(cwd);
+  const riskBoundaries = buildRiskBoundaries(cwd, pkg, deploy);
+  const proofDefaults = detectProofDefaults(commands, deploy);
+  const agentConfigSurfaces = detectAgentConfigSurfaces(cwd);
+  const sourceSignals = buildSourceSignals(cwd, pkg);
+  const status = determineStatus(pkg, framework, packageManager);
+  const caveats = [];
+  if (!pkg) caveats.push("No package.json found. Profile is partial.");
+  if (deploy.requiresApproval) caveats.push("Deploy config found. Deploy actions require explicit approval.");
+  caveats.push("Risk boundaries are defaults. Review for project-specific exceptions.");
+  caveats.push("No script execution was performed during profile detection.");
+  return {
+    contract: CONTRACT,
+    schemaVersion: SCHEMA_VERSION,
+    status,
+    framework,
+    packageManager,
+    workspaceType,
+    apps,
+    commands,
+    devServer,
+    deploy,
+    riskBoundaries,
+    proofDefaults,
+    agentConfigSurfaces,
+    sourceSignals,
+    caveats,
+    redacted: true,
+  };
+}
+function buildProjectProfile(cwd, options = {}) {
+  return detectProjectProfile(cwd, options);
+}
+function writeProjectProfile(cwd, profile) {
+  ensureCcoDirs(cwd);
+  const dir = path.join(cwd, ".claude", "cco", "orchestration", "project-profile");
+  fs.mkdirSync(dir, { recursive: true });
+  const absPath = path.join(cwd, LATEST_PROFILE_REL);
+  fs.writeFileSync(absPath, JSON.stringify(profile, null, 2), "utf8");
+  try {
+    appendProductLearningEvent(cwd, {
+      eventName: "project_profile_detected",
+      category: "project_profile",
+      surface: "local",
+      status: "observed",
+      payload: {
+        profileStatus: profile.status,
+        framework: profile.framework,
+        packageManager: profile.packageManager,
+        workspaceType: profile.workspaceType,
+        deployProvider: profile.deploy?.provider || "unknown",
+        deployRequiresApproval: profile.deploy?.requiresApproval || false,
+        proofStepCount: (profile.proofDefaults?.steps || []).filter((s) => s.available).length,
+        sourceSignalCount: (profile.sourceSignals || []).length,
+        agentConfigSurfaceCount: (profile.agentConfigSurfaces || []).length,
+      },
+    });
+  } catch {
+    // non-blocking
+  }
+  return { profilePath: LATEST_PROFILE_REL };
+}
+function buildProjectProfileSurface(cwd, options = {}) {
+  const absPath = path.join(cwd, LATEST_PROFILE_REL);
+  const profile = safeReadJson(absPath);
+  if (!profile) {
+    return {
+      status: "not_run",
+      latestProfilePath: null,
+      framework: null,
+      packageManager: null,
+      buildAvailable: false,
+      testAvailable: false,
+      nextAction: "Run `avorelo project-profile` to detect project profile.",
+    };
+  }
+  return {
+    status: profile.status,
+    latestProfilePath: LATEST_PROFILE_REL,
+    framework: profile.framework,
+    packageManager: profile.packageManager,
+    buildAvailable: Boolean(profile.commands?.build),
+    testAvailable: Boolean(profile.commands?.test),
+    deployProvider: profile.deploy?.provider || "unknown",
+    deployRequiresApproval: profile.deploy?.requiresApproval || false,
+    nextAction: null,
+  };
+}
+function formatProjectProfileText(profile, options = {}) {
+  const lines = [
+    "Avorelo Project Profile",
+    "",
+    `Status:         ${profile.status}`,
+    `Framework:      ${profile.framework}`,
+    `Package Mgr:    ${profile.packageManager}`,
+    `Workspace:      ${profile.workspaceType}`,
+    profile.apps?.length > 0 ? `Apps:           ${profile.apps.map((a) => a.name).join(", ")}` : null,
+    "",
+    "Commands:",
+    profile.commands?.build ? `  build:   ${profile.commands.build}` : "  build:   not detected",
+    profile.commands?.test ? `  test:    ${profile.commands.test}` : "  test:    not detected",
+    profile.commands?.lint ? `  lint:    ${profile.commands.lint}` : "  lint:    not detected",
+    profile.commands?.dev ? `  dev:     ${profile.commands.dev}` : "  dev:     not detected",
+    "",
+    "Deploy:",
+    `  Provider:  ${profile.deploy?.provider || "none"}`,
+    `  Requires approval: ${profile.deploy?.requiresApproval ? "yes" : "no"}`,
+    profile.deploy?.configFiles?.length > 0 ? `  Config:    ${profile.deploy.configFiles.join(", ")}` : null,
+    "",
+    "Risk Boundaries:",
+    `  Blocked files: ${(profile.riskBoundaries?.blockedFiles || []).length} patterns`,
+    `  Sensitive dirs: ${(profile.riskBoundaries?.sensitiveDirs || []).length} dirs`,
+    `  Blocked actions: ${(profile.riskBoundaries?.blockedActions || []).length}`,
+    "",
+    "Proof defaults:",
+    (profile.proofDefaults?.requiredSteps || []).length > 0
+      ? `  Steps: ${profile.proofDefaults.requiredSteps.join(", ")}`
+      : "  Steps: none detected",
+    "",
+    `Profile: ${LATEST_PROFILE_REL}`,
+  ].filter((l) => l !== null);
+  return lines.join("\n") + "\n";
+}
+module.exports = {
+  CONTRACT,
+  SCHEMA_VERSION,
+  LATEST_PROFILE_REL,
+  detectProjectProfile,
+  buildProjectProfile,
+  writeProjectProfile,
+  buildProjectProfileSurface,
+  formatProjectProfileText,
+};