avorelo 0.3.3 → 0.3.5

package/dist/avorelo.mjs

@@ -1702,8 +1702,8 @@ var init_generic = __esm({
         const promptPath = join8(dir, ".avorelo", "prompt.md");
         if (existsSync9(promptPath)) {
           try {
-            const { unlinkSync: unlinkSync5 } = __require("node:fs");
-            unlinkSync5(promptPath);
+            const { unlinkSync: unlinkSync6 } = __require("node:fs");
+            unlinkSync6(promptPath);
             return { removed: [promptPath], preserved: [] };
           } catch {
             return { removed: [], preserved: [promptPath] };
@@ -5510,6 +5510,15 @@ var init_plan_contract = __esm({
         status: "implemented",
         enforcementSurfaces: ["cli", "local-dashboard"],
         privacyBoundary: "local_only"
+      },
+      {
+        key: "artifact_guard_basic",
+        pricingLabel: "Agent artifacts scanned for risks before AI touches the project",
+        tier: "free",
+        included: true,
+        status: "implemented",
+        enforcementSurfaces: ["cli"],
+        privacyBoundary: "local_only"
       }
     ];
     PRO_CAPABILITIES = [
@@ -7325,8 +7334,8 @@ init_run();
 init_work_contract();
 init_receipts();
 init_state_ledger();
-import { writeFileSync as writeFileSync37, mkdirSync as mkdirSync39, existsSync as existsSync62, readFileSync as readFileSync46, appendFileSync as appendFileSync11, rmSync as rmSync3, unlinkSync as unlinkSync4 } from "node:fs";
-import { join as join61 } from "node:path";
+import { writeFileSync as writeFileSync38, mkdirSync as mkdirSync40, existsSync as existsSync64, readFileSync as readFileSync50, appendFileSync as appendFileSync11, rmSync as rmSync3, unlinkSync as unlinkSync5 } from "node:fs";
+import { join as join66 } from "node:path";
 
 // src/avorelo/capabilities/activation/index.ts
 import { mkdtempSync, writeFileSync as writeFileSync11, mkdirSync as mkdirSync11, rmSync as rmSync2, existsSync as existsSync24 } from "node:fs";
@@ -7449,7 +7458,7 @@ function runPreflight(targetDir) {
         label: "npm cache directory accessible",
         passed: false,
         details: "cache path does not exist",
-        recovery: isWindows ? 'Use a temporary cache. PowerShell: $env:npm_config_cache="$env:TEMP\\npm-cache-avorelo"; npx -y avorelo@latest activate. cmd.exe: cmd /c "set npm_config_cache=%TEMP%\\npm-cache-avorelo && npx -y avorelo@latest activate"' : "Use a temporary cache: npm_config_cache=$(mktemp -d) npx -y avorelo@latest activate"
+        recovery: isWindows ? 'Use a temporary cache. PowerShell: $env:npm_config_cache="$env:TEMP\\npm-cache-avorelo"; npx -y avorelo@latest activate --scope project-wide --claim <activation_claim>. cmd.exe: cmd /c "set npm_config_cache=%TEMP%\\npm-cache-avorelo && npx -y avorelo@latest activate --scope project-wide --claim <activation_claim>"' : "Use a temporary cache: npm_config_cache=$(mktemp -d) npx -y avorelo@latest activate --scope project-wide --claim <activation_claim>"
       });
     }
   } catch {
@@ -7458,7 +7467,7 @@ function runPreflight(targetDir) {
       label: "npm cache directory accessible",
       passed: false,
       details: "could not read npm cache config",
-      recovery: isWindows ? 'Use a temporary cache. PowerShell: $env:npm_config_cache="$env:TEMP\\npm-cache-avorelo"; npx -y avorelo@latest activate. cmd.exe: cmd /c "set npm_config_cache=%TEMP%\\npm-cache-avorelo && npx -y avorelo@latest activate"' : "Use a temporary cache: npm_config_cache=$(mktemp -d) npx -y avorelo@latest activate"
+      recovery: isWindows ? 'Use a temporary cache. PowerShell: $env:npm_config_cache="$env:TEMP\\npm-cache-avorelo"; npx -y avorelo@latest activate --scope project-wide --claim <activation_claim>. cmd.exe: cmd /c "set npm_config_cache=%TEMP%\\npm-cache-avorelo && npx -y avorelo@latest activate --scope project-wide --claim <activation_claim>"' : "Use a temporary cache: npm_config_cache=$(mktemp -d) npx -y avorelo@latest activate --scope project-wide --claim <activation_claim>"
     });
   }
   let tempOk = false;
@@ -7487,7 +7496,7 @@ function runPreflight(targetDir) {
         label: "PowerShell execution policy",
         passed: psOk,
         details: `Policy: ${policy}`,
-        recovery: blocked ? "PowerShell is blocking script execution. Use Command Prompt instead:\n  cmd /c npx -y avorelo@latest activate" : void 0
+        recovery: blocked ? "PowerShell is blocking script execution. Use Command Prompt instead:\n  cmd /c npx -y avorelo@latest activate --scope project-wide --claim <activation_claim>" : void 0
       });
     } catch {
       checks.push({ id: "powershell_execution_policy", label: "PowerShell execution policy", passed: true, details: "could not check (non-PowerShell shell)" });
@@ -7518,7 +7527,7 @@ function buildWindowsFallbackCommand() {
     "mkdir %AVORELO_TEMP%",
     "set npm_config_cache=%AVORELO_TEMP%\\npm-cache",
     "cd /d %AVORELO_TEMP%",
-    "npx -y avorelo@latest activate",
+    "npx -y avorelo@latest activate --scope project-wide --claim <activation_claim>",
     "npx -y avorelo@latest status"
   ].join("\n");
 }
@@ -17608,6 +17617,1070 @@ async function sendDueTelemetry(dir, opts) {
   }
 }
 
+// src/avorelo/kernel/agent-artifact-guard/guard-handler.ts
+import { existsSync as existsSync63, readFileSync as readFileSync49 } from "node:fs";
+import { join as join65 } from "node:path";
+
+// src/avorelo/kernel/agent-artifact-guard/index.ts
+import { join as join64 } from "node:path";
+import { readFileSync as readFileSync48 } from "node:fs";
+
+// src/avorelo/kernel/agent-artifact-guard/artifact-discovery.ts
+import { readdirSync as readdirSync18, statSync as statSync13, existsSync as existsSync62 } from "node:fs";
+import { join as join61, relative as relative3, extname as extname2 } from "node:path";
+var SCANNED_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".md",
+  ".js",
+  ".ts",
+  ".json",
+  ".yml",
+  ".yaml",
+  ".sh",
+  ".py",
+  ".txt",
+  ".toml"
+]);
+var IGNORED_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  "dist",
+  ".git",
+  "build",
+  "out",
+  ".next",
+  "__pycache__"
+]);
+var ARTIFACT_PATTERNS = [
+  { kind: "claude-skill", paths: [".claude/skills"], recursive: true },
+  { kind: "claude-instructions", paths: ["CLAUDE.md", ".claude/CLAUDE.md"] },
+  { kind: "codex-instructions", paths: ["AGENTS.md", "CODEX.md", ".codex/CODEX.md"] },
+  { kind: "cursor-rules", paths: [".cursor/rules", ".cursorrules"], recursive: true },
+  { kind: "mcp-config", paths: [".claude/mcp.json", ".cursor/mcp.json", "mcp.json", ".mcp.json"] },
+  { kind: "github-actions", paths: [".github/workflows"], recursive: true },
+  { kind: "package-scripts", paths: ["package.json"] },
+  { kind: "hooks", paths: [".husky", ".git/hooks", ".claude/hooks"], recursive: true }
+];
+function walkDir2(dir, results) {
+  let entries;
+  try {
+    entries = readdirSync18(dir);
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (IGNORED_DIRS.has(entry)) continue;
+    const full = join61(dir, entry);
+    let st;
+    try {
+      st = statSync13(full);
+    } catch {
+      continue;
+    }
+    if (st.isDirectory()) {
+      walkDir2(full, results);
+    } else if (st.isFile() && SCANNED_EXTENSIONS.has(extname2(full).toLowerCase())) {
+      results.push(full);
+    }
+  }
+}
+function discoverArtifacts(projectRoot) {
+  const artifacts = [];
+  for (const pattern of ARTIFACT_PATTERNS) {
+    for (const p of pattern.paths) {
+      const fullPath = join61(projectRoot, p);
+      if (!existsSync62(fullPath)) continue;
+      let st;
+      try {
+        st = statSync13(fullPath);
+      } catch {
+        continue;
+      }
+      if (st.isFile()) {
+        if (SCANNED_EXTENSIONS.has(extname2(fullPath).toLowerCase()) || fullPath.endsWith(".json")) {
+          artifacts.push({
+            kind: pattern.kind,
+            path: relative3(projectRoot, fullPath)
+          });
+        }
+      } else if (st.isDirectory() && pattern.recursive) {
+        const files = [];
+        walkDir2(fullPath, files);
+        for (const f of files) {
+          artifacts.push({
+            kind: pattern.kind,
+            path: relative3(projectRoot, f)
+          });
+        }
+      }
+    }
+  }
+  return artifacts;
+}
+function classifyArtifact(filePath) {
+  const lower = filePath.toLowerCase().replace(/\\/g, "/");
+  if (lower.includes(".claude/skills/")) return "claude-skill";
+  if (lower.includes("claude.md")) return "claude-instructions";
+  if (lower.includes("agents.md") || lower.includes("codex.md")) return "codex-instructions";
+  if (lower.includes(".cursor/rules") || lower.includes(".cursorrules")) return "cursor-rules";
+  if (lower.includes("mcp.json") || lower.includes("mcp.yaml")) return "mcp-config";
+  if (lower.includes(".github/workflows/")) return "github-actions";
+  if (lower === "package.json" || lower.endsWith("/package.json")) return "package-scripts";
+  if (lower.includes(".husky/") || lower.includes("/hooks/")) return "hooks";
+  if (lower.endsWith(".sh")) return "shell-script";
+  return "unknown";
+}
+
+// src/avorelo/kernel/agent-artifact-guard/rules.ts
+var RULES2 = [
+  // --- Destructive commands ---
+  {
+    id: "destructive-rm-rf",
+    title: "Recursive force delete",
+    severity: "critical",
+    category: "destructive-command",
+    pattern: /rm\s+-(r|f|rf|fr)\s/,
+    artifactKinds: "all",
+    description: "Recursively and forcibly deletes files or directories. Can cause irreversible data loss.",
+    recommendedAction: "Remove or scope the delete command. Use safe alternatives with explicit paths."
+  },
+  {
+    id: "destructive-drop-table",
+    title: "SQL DROP TABLE",
+    severity: "critical",
+    category: "destructive-command",
+    pattern: /DROP\s+TABLE/i,
+    artifactKinds: "all",
+    description: "Drops a database table, causing irreversible data loss.",
+    recommendedAction: "Remove DROP TABLE or add explicit safety guards."
+  },
+  {
+    id: "destructive-format-disk",
+    title: "Disk format command",
+    severity: "critical",
+    category: "destructive-command",
+    pattern: /(?:mkfs|format\s+[A-Z]:)/i,
+    artifactKinds: "all",
+    description: "Formats a disk or partition, destroying all data.",
+    recommendedAction: "Remove disk formatting commands from agent artifacts."
+  },
+  // --- Remote code execution ---
+  {
+    id: "rce-curl-pipe-bash",
+    title: "Pipe curl to shell",
+    severity: "critical",
+    category: "remote-code-execution",
+    pattern: /curl\s[^|]*\|\s*(?:bash|sh|zsh)/,
+    artifactKinds: "all",
+    description: "Downloads and immediately executes a remote script. Classic remote code execution vector.",
+    recommendedAction: "Download the script first, review it, then execute separately."
+  },
+  {
+    id: "rce-wget-pipe-sh",
+    title: "Pipe wget to shell",
+    severity: "critical",
+    category: "remote-code-execution",
+    pattern: /wget\s[^|]*\|\s*(?:bash|sh|zsh)/,
+    artifactKinds: "all",
+    description: "Downloads and immediately executes a remote script via wget.",
+    recommendedAction: "Download the script first, review it, then execute separately."
+  },
+  {
+    id: "rce-base64-decode-exec",
+    title: "Base64 decode and execute",
+    severity: "critical",
+    category: "remote-code-execution",
+    pattern: /base64\s+-d\s*\|\s*(?:bash|sh)/,
+    artifactKinds: "all",
+    description: "Decodes an obfuscated payload and pipes it to a shell.",
+    recommendedAction: "Remove obfuscated execution. Use plain, reviewable scripts."
+  },
+  {
+    id: "rce-reverse-shell",
+    title: "Reverse or bind shell",
+    severity: "critical",
+    category: "remote-code-execution",
+    pattern: /(?:nc\s+-e|\/dev\/tcp\/|ncat\s.*-e|socat\s.*exec)/,
+    artifactKinds: "all",
+    description: "Opens an interactive shell to a remote host. Post-exploitation technique.",
+    recommendedAction: "Remove reverse/bind shell commands."
+  },
+  // --- Secret exposure ---
+  {
+    id: "secret-private-key",
+    title: "Private key material",
+    severity: "critical",
+    category: "secret-exposure",
+    pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
+    artifactKinds: "all",
+    description: "Contains or references private key material.",
+    recommendedAction: "Remove private key content. Use secret management instead."
+  },
+  {
+    id: "secret-id-rsa",
+    title: "SSH private key file reference",
+    severity: "critical",
+    category: "secret-exposure",
+    pattern: /(?:id_rsa|id_ed25519|id_ecdsa)(?:\s|$|")/,
+    artifactKinds: "all",
+    description: "References an SSH private key file directly.",
+    recommendedAction: "Use SSH agent or key references instead of direct file paths."
+  },
+  {
+    id: "secret-ssh-dir",
+    title: "SSH directory access",
+    severity: "high",
+    category: "secret-exposure",
+    pattern: /~\/\.ssh\//,
+    artifactKinds: "all",
+    description: "Accesses the SSH directory containing private keys and host configurations.",
+    recommendedAction: "Avoid direct SSH directory access in agent artifacts."
+  },
+  {
+    id: "secret-env-file",
+    title: ".env file reference",
+    severity: "medium",
+    category: "secret-exposure",
+    pattern: /(?:\.env(?:\.\w+)?)\b/,
+    artifactKinds: "all",
+    description: "References a .env file which typically contains secrets and API keys.",
+    recommendedAction: "Review whether the .env reference exposes sensitive values."
+  },
+  {
+    id: "secret-process-env",
+    title: "Environment variable access",
+    severity: "low",
+    category: "secret-exposure",
+    pattern: /process\.env\b/,
+    artifactKinds: "all",
+    description: "Accesses environment variables which may contain secrets.",
+    recommendedAction: "Verify that accessed environment variables do not contain sensitive values."
+  },
+  {
+    id: "secret-api-key-pattern",
+    title: "API key or token pattern",
+    severity: "high",
+    category: "secret-exposure",
+    pattern: /(?:api[_-]?key|api[_-]?secret|auth[_-]?token)\s*[:=]/i,
+    artifactKinds: "all",
+    description: "Contains an API key or authentication token assignment.",
+    recommendedAction: "Move credentials to environment variables or a secret manager."
+  },
+  // --- Privilege escalation ---
+  {
+    id: "priv-sudo",
+    title: "Privilege escalation via sudo",
+    severity: "high",
+    category: "privilege-escalation",
+    pattern: /\bsudo\b/,
+    artifactKinds: "all",
+    description: "Runs commands with elevated privileges.",
+    recommendedAction: "Review whether elevated privileges are necessary. Scope to specific commands."
+  },
+  {
+    id: "priv-chmod-exec",
+    title: "Make file executable",
+    severity: "medium",
+    category: "privilege-escalation",
+    pattern: /chmod\s+\+x/,
+    artifactKinds: "all",
+    description: "Marks a file as executable, often preceding execution of a downloaded binary.",
+    recommendedAction: "Verify the file being made executable is trusted."
+  },
+  // --- Prompt injection / hidden instructions ---
+  {
+    id: "injection-prompt-override",
+    title: "Prompt injection phrasing",
+    severity: "high",
+    category: "prompt-injection",
+    pattern: /(?:ignore\s+(?:all\s+)?(?:previous|prior|above)\s+instructions|you\s+are\s+now\s+a|forget\s+(?:all\s+)?(?:your|previous)\s+instructions|disregard\s+(?:all\s+)?(?:previous|prior)\s+instructions|override\s+(?:all\s+)?(?:safety|security)\s+(?:rules|policies|instructions))/i,
+    artifactKinds: "all",
+    description: "Contains phrasing commonly used in prompt injection attacks to override agent instructions.",
+    recommendedAction: "Remove instruction-override phrasing. Rewrite as direct task instructions."
+  },
+  {
+    id: "injection-do-not-tell",
+    title: "Concealment instruction",
+    severity: "high",
+    category: "hidden-instruction",
+    pattern: /(?:do\s+not\s+tell\s+(?:the\s+)?user|hide\s+(?:this|these)\s+(?:changes?|from)|don'?t\s+(?:mention|reveal|show|disclose)\s+(?:this|these))/i,
+    artifactKinds: "all",
+    description: "Instructs the agent to conceal actions or information from the user.",
+    recommendedAction: "Remove concealment instructions. Agent actions should be transparent."
+  },
+  {
+    id: "injection-skip-tests",
+    title: "Test bypass instruction",
+    severity: "high",
+    category: "hidden-instruction",
+    pattern: /(?:skip\s+(?:all\s+)?tests?|don'?t\s+run\s+tests?|ignore\s+(?:test|lint|check)\s+(?:failures?|errors?|results?)|bypass\s+(?:ci|checks?|validation))/i,
+    artifactKinds: "all",
+    description: "Instructs the agent to skip testing, linting, or validation checks.",
+    recommendedAction: "Remove test-bypass instructions. All changes should be validated."
+  },
+  {
+    id: "injection-ignore-policy",
+    title: "Policy bypass instruction",
+    severity: "high",
+    category: "hidden-instruction",
+    pattern: /(?:ignore\s+(?:all\s+)?polic(?:y|ies)|always\s+approve|auto[_-]?approve\s+(?:all|everything)|skip\s+(?:review|approval))/i,
+    artifactKinds: "all",
+    description: "Instructs the agent to bypass approval policies or auto-approve actions.",
+    recommendedAction: "Remove policy-bypass instructions. Approval workflows should be respected."
+  },
+  {
+    id: "injection-push-to-main",
+    title: "Direct push to main branch",
+    severity: "high",
+    category: "hidden-instruction",
+    pattern: /(?:push\s+(?:directly\s+)?to\s+(?:main|master|production)|force[_-]?push|--force\s+(?:origin\s+)?(?:main|master))/i,
+    artifactKinds: "all",
+    description: "Instructs the agent to push directly to a protected branch or force-push.",
+    recommendedAction: "Use pull requests and standard review workflows instead of direct pushes."
+  },
+  // --- Self-modifying ---
+  {
+    id: "selfmod-modify-own-skill",
+    title: "Self-modifying skill instruction",
+    severity: "high",
+    category: "self-modifying",
+    pattern: /(?:modify\s+(?:this|your\s+own)\s+(?:skill|instructions?|rules?|config)|write\s+(?:to|back\s+to)\s+(?:SKILL|CLAUDE|AGENTS)\.md|update\s+(?:your\s+own|this)\s+(?:skill|config)\s+file)/i,
+    artifactKinds: "all",
+    description: "Instructs the agent to modify its own skill, instructions, or configuration files.",
+    recommendedAction: "Remove self-modification instructions. Agent artifacts should be immutable during execution."
+  },
+  // --- MCP tool poisoning ---
+  {
+    id: "mcp-hidden-instruction",
+    title: "Hidden instruction in MCP tool description",
+    severity: "high",
+    category: "mcp-tool-poisoning",
+    pattern: /(?:when\s+(?:the\s+)?user\s+(?:asks?|requests?)|secretly|silently\s+(?:send|post|upload|forward))/i,
+    artifactKinds: ["mcp-config"],
+    description: "MCP tool description contains instruction-like content that could manipulate agent behavior.",
+    recommendedAction: "Review MCP tool descriptions for hidden instructions. Descriptions should only describe functionality."
+  },
+  // --- Package lifecycle risk ---
+  {
+    id: "pkg-lifecycle-exec",
+    title: "Process execution in package lifecycle script",
+    severity: "high",
+    category: "package-lifecycle-risk",
+    pattern: /(?:child_process|exec|spawn|execSync|spawnSync)\s*\(/,
+    artifactKinds: ["package-scripts", "shell-script"],
+    description: "Package lifecycle script or hook executes arbitrary processes.",
+    recommendedAction: "Review lifecycle scripts for unexpected process execution."
+  },
+  {
+    id: "pkg-lifecycle-network",
+    title: "Network access in package lifecycle script",
+    severity: "high",
+    category: "package-lifecycle-risk",
+    pattern: /(?:fetch|axios|https?\.(?:get|post|request)|XMLHttpRequest|node-fetch)\s*\(/,
+    artifactKinds: ["package-scripts", "shell-script"],
+    description: "Package lifecycle script makes network requests, potentially exfiltrating data.",
+    recommendedAction: "Review lifecycle scripts for unexpected network access."
+  },
+  // --- Network exfiltration ---
+  {
+    id: "network-external-call",
+    title: "External network request",
+    severity: "medium",
+    category: "network-exfiltration",
+    pattern: /\b(?:curl|wget|fetch|axios|requests\.(?:get|post))\b/,
+    artifactKinds: ["claude-skill", "claude-instructions", "cursor-rules", "codex-instructions", "hooks"],
+    description: "Makes an external network request which could exfiltrate data or retrieve malicious payloads.",
+    recommendedAction: "Verify the network call is necessary and targets a trusted endpoint."
+  },
+  // --- Eval / dynamic execution ---
+  {
+    id: "exec-eval",
+    title: "Dynamic code execution",
+    severity: "high",
+    category: "remote-code-execution",
+    pattern: /\b(?:eval|Invoke-Expression|Function\s*\()\s*\(/,
+    artifactKinds: "all",
+    description: "Executes a string as code, enabling injection and obfuscation attacks.",
+    recommendedAction: "Remove eval/dynamic execution. Use explicit, reviewable code paths."
+  },
+  {
+    id: "exec-child-process",
+    title: "Node child_process import",
+    severity: "high",
+    category: "remote-code-execution",
+    pattern: /require\s*\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/,
+    artifactKinds: "all",
+    description: "Imports Node.js child_process module for arbitrary command execution.",
+    recommendedAction: "Review whether child_process usage is necessary and scoped."
+  },
+  // --- Filesystem access ---
+  {
+    id: "fs-broad-access",
+    title: "Broad filesystem access",
+    severity: "medium",
+    category: "filesystem-access",
+    pattern: /(?:fs\.(?:readdir|rmdir|unlink)Sync|glob\s*\(\s*['"]\/|readdir\s*\(\s*['"]\/)/,
+    artifactKinds: "all",
+    description: "Performs broad filesystem operations that could access or delete files outside the project.",
+    recommendedAction: "Scope filesystem operations to the project directory."
+  },
+  // --- Deploy / publish ---
+  {
+    id: "deploy-npm-publish",
+    title: "npm publish command",
+    severity: "high",
+    category: "deploy-publish",
+    pattern: /npm\s+publish/,
+    artifactKinds: "all",
+    description: "Publishes a package to npm, which is an irreversible public action.",
+    recommendedAction: "Remove automatic publish commands. Publishing should be a deliberate human action."
+  },
+  {
+    id: "deploy-dangerous-action",
+    title: "Dangerous deploy/publish in CI",
+    severity: "high",
+    category: "deploy-publish",
+    pattern: /(?:deploy\s+(?:--)?(?:prod|production)|push\s+(?:to\s+)?(?:prod|production|live))/i,
+    artifactKinds: ["github-actions", "shell-script", "hooks"],
+    description: "Deploys directly to production without explicit approval gates.",
+    recommendedAction: "Add approval gates before production deployments."
+  }
+];
+function getRule(id) {
+  return RULES2.find((r2) => r2.id === id);
+}
+
+// src/avorelo/kernel/agent-artifact-guard/scanner.ts
+var MAX_PREVIEW_LENGTH = 80;
+function safeMatchPreview(match) {
+  let preview = match.trim();
+  if (preview.length > MAX_PREVIEW_LENGTH) {
+    preview = preview.slice(0, MAX_PREVIEW_LENGTH) + "...";
+  }
+  preview = preview.replace(
+    /(?:key|secret|token|password|passwd|pwd)\s*[:=]\s*['"]?[a-zA-Z0-9_\-./+=]{8,}/gi,
+    (m) => {
+      const eqIdx = m.search(/[:=]/);
+      if (eqIdx >= 0) return m.slice(0, eqIdx + 1) + " [REDACTED]";
+      return "[REDACTED]";
+    }
+  );
+  return preview;
+}
+function rulesForArtifact(kind) {
+  return RULES2.filter(
+    (r2) => r2.artifactKinds === "all" || r2.artifactKinds.includes(kind)
+  );
+}
+function scanContent2(content, filePath, artifactKind) {
+  const kind = artifactKind ?? classifyArtifact(filePath);
+  const applicable = rulesForArtifact(kind);
+  const findings = [];
+  const lines = content.split("\n");
+  for (const rule of applicable) {
+    if (rule.multiline) continue;
+    for (let i = 0; i < lines.length; i++) {
+      const match = rule.pattern.exec(lines[i]);
+      if (match) {
+        findings.push({
+          ruleId: rule.id,
+          title: rule.title,
+          severity: rule.severity,
+          category: rule.category,
+          file: filePath,
+          line: i + 1,
+          matchPreview: safeMatchPreview(match[0]),
+          description: rule.description,
+          recommendedAction: rule.recommendedAction,
+          artifactKind: kind
+        });
+      }
+    }
+  }
+  for (const rule of applicable) {
+    if (!rule.multiline) continue;
+    const match = rule.pattern.exec(content);
+    if (match) {
+      const lineNumber = content.slice(0, match.index).split("\n").length;
+      findings.push({
+        ruleId: rule.id,
+        title: rule.title,
+        severity: rule.severity,
+        category: rule.category,
+        file: filePath,
+        line: lineNumber,
+        matchPreview: safeMatchPreview(match[0]),
+        description: rule.description,
+        recommendedAction: rule.recommendedAction,
+        artifactKind: kind
+      });
+    }
+  }
+  findings.sort((a, b) => a.line - b.line);
+  return findings;
+}
+
+// src/avorelo/kernel/agent-artifact-guard/scorer.ts
+var SEVERITY_WEIGHTS = {
+  low: 1,
+  medium: 3,
+  high: 6,
+  critical: 10
+};
+function countBySeverity(findings) {
+  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+  for (const f of findings) {
+    counts[f.severity]++;
+  }
+  return counts;
+}
+function computeRiskScore(counts) {
+  if (counts.critical > 0) return 10;
+  const weighted = counts.high * SEVERITY_WEIGHTS.high + counts.medium * SEVERITY_WEIGHTS.medium + counts.low * SEVERITY_WEIGHTS.low;
+  if (weighted === 0) return 0;
+  const score = Math.min(9.9, Math.log2(weighted + 1) * 1.5);
+  return Math.round(score * 10) / 10;
+}
+
+// src/avorelo/kernel/agent-artifact-guard/policy.ts
+function evaluatePolicy2(counts, riskScore) {
+  let findingOutcome = "pass";
+  if (counts.critical > 0) findingOutcome = "blocked";
+  else if (counts.high > 0) findingOutcome = "requires_approval";
+  else if (counts.medium > 0) findingOutcome = "warn";
+  let scoreOutcome = "pass";
+  if (riskScore >= 9) scoreOutcome = "blocked";
+  else if (riskScore >= 6) scoreOutcome = "requires_approval";
+  else if (riskScore >= 3) scoreOutcome = "warn";
+  const ORDER = ["pass", "warn", "requires_approval", "blocked"];
+  const findingRank = ORDER.indexOf(findingOutcome);
+  const scoreRank = ORDER.indexOf(scoreOutcome);
+  return ORDER[Math.max(findingRank, scoreRank)];
+}
+function computeNextBestAction(outcome, counts) {
+  switch (outcome) {
+    case "blocked":
+      return `${counts.critical} critical finding(s) must be resolved before proceeding.`;
+    case "requires_approval":
+      return `${counts.high} high-severity finding(s) require review and approval before proceeding.`;
+    case "warn":
+      return `${counts.medium} medium-severity finding(s) detected. Review recommended.`;
+    case "pass":
+      return "No blocking findings. Artifacts are ready for use.";
+  }
+}
+
+// src/avorelo/kernel/agent-artifact-guard/receipt.ts
+import { createHash as createHash18 } from "node:crypto";
+function createReceipt(result3) {
+  return {
+    receiptType: "agent-artifact-guard-v1",
+    scannedAt: result3.scannedAt,
+    projectRootHash: createHash18("sha256").update(result3.projectRoot).digest("hex"),
+    filesScanned: result3.filesScanned,
+    artifacts: result3.artifacts.map((a) => ({ kind: a.kind, path: a.path })),
+    findingSummary: {
+      total: result3.findings.length,
+      ...result3.counts
+    },
+    findings: result3.findings.map((f) => ({
+      ruleId: f.ruleId,
+      severity: f.severity,
+      file: f.file,
+      line: f.line,
+      title: f.title,
+      matchPreview: f.matchPreview,
+      recommendedAction: f.recommendedAction
+    })),
+    riskScore: result3.riskScore,
+    policyOutcome: result3.policyOutcome,
+    nextBestAction: result3.nextBestAction,
+    containsRawPrompt: false,
+    containsRawSource: false,
+    containsRawSecret: false,
+    contentStored: false
+  };
+}
+
+// src/avorelo/kernel/agent-artifact-guard/reporter.ts
+var SEVERITY_BADGE = {
+  critical: "[CRITICAL]",
+  high: "[HIGH]",
+  medium: "[MEDIUM]",
+  low: "[LOW]"
+};
+var OUTCOME_LABEL = {
+  pass: "PASS",
+  warn: "WARN",
+  requires_approval: "REQUIRES APPROVAL",
+  blocked: "BLOCKED"
+};
+function riskBar(score) {
+  const filled = Math.round(score / 10 * 20);
+  return "\u2588".repeat(filled) + "\u2591".repeat(20 - filled);
+}
+function groupByFile(findings) {
+  const map = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const group = map.get(f.file) ?? [];
+    group.push(f);
+    map.set(f.file, group);
+  }
+  return map;
+}
+function renderReport(result3) {
+  const lines = [];
+  lines.push(`Artifact Guard Scan`);
+  lines.push(`Path: ${result3.projectRoot}`);
+  lines.push(`Files scanned: ${result3.filesScanned}`);
+  lines.push(`Artifacts found: ${result3.artifacts.length}`);
+  lines.push(`Findings: ${result3.findings.length}`);
+  lines.push("");
+  if (result3.findings.length > 0) {
+    const grouped = groupByFile(result3.findings);
+    for (const [file, findings] of grouped) {
+      lines.push(`  ${file}`);
+      for (const f of findings) {
+        lines.push(`    L${f.line} ${SEVERITY_BADGE[f.severity]} ${f.title} (${f.ruleId})`);
+        lines.push(`         ${f.matchPreview}`);
+        lines.push(`         ${f.description}`);
+      }
+      lines.push("");
+    }
+  }
+  lines.push(`Risk: ${riskBar(result3.riskScore)} ${result3.riskScore}/10`);
+  lines.push(`Outcome: ${OUTCOME_LABEL[result3.policyOutcome]}`);
+  lines.push("");
+  lines.push(`Next: ${result3.nextBestAction}`);
+  return lines.join("\n");
+}
+function renderSummary(result3) {
+  const parts = [];
+  parts.push(`Artifact Guard: ${OUTCOME_LABEL[result3.policyOutcome]}`);
+  if (result3.findings.length > 0) {
+    const counts = [];
+    if (result3.counts.critical > 0) counts.push(`${result3.counts.critical} critical`);
+    if (result3.counts.high > 0) counts.push(`${result3.counts.high} high`);
+    if (result3.counts.medium > 0) counts.push(`${result3.counts.medium} medium`);
+    if (result3.counts.low > 0) counts.push(`${result3.counts.low} low`);
+    parts.push(`(${counts.join(", ")})`);
+  } else {
+    parts.push("(clean)");
+  }
+  return parts.join(" ");
+}
+function toJson(result3) {
+  return JSON.stringify(result3, null, 2);
+}
+
+// src/avorelo/kernel/agent-artifact-guard/allowlist.ts
+import { readFileSync as readFileSync46 } from "node:fs";
+import { join as join62 } from "node:path";
+function loadAllowlist(projectRoot) {
+  const filePath = join62(projectRoot, ".avorelo", "artifact-guard", "allowlist.json");
+  try {
+    const raw = readFileSync46(filePath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed.entries)) return [];
+    return parsed.entries.filter((e) => typeof e.reason === "string" && e.reason.length > 0);
+  } catch {
+    return [];
+  }
+}
+function isAllowlisted(finding, allowlist) {
+  if (finding.severity === "critical") return false;
+  for (const entry of allowlist) {
+    if (!entry.reason) continue;
+    const ruleMatch = !entry.ruleId || entry.ruleId === finding.ruleId;
+    const fileMatch = !entry.file || finding.file === entry.file || finding.file.startsWith(entry.file);
+    if (ruleMatch && fileMatch) return true;
+  }
+  return false;
+}
+
+// src/avorelo/kernel/agent-artifact-guard/receipt-store.ts
+import { mkdirSync as mkdirSync39, writeFileSync as writeFileSync37, readdirSync as readdirSync19, readFileSync as readFileSync47, unlinkSync as unlinkSync4 } from "node:fs";
+import { join as join63 } from "node:path";
+var RECEIPT_DIR = "artifact-guard";
+var MAX_STORED_RECEIPTS = 50;
+function receiptDir(projectRoot) {
+  return join63(projectRoot, ".avorelo", RECEIPT_DIR);
+}
+function receiptFilename(receipt) {
+  const ts = receipt.scannedAt.replace(/[:.]/g, "-");
+  return `receipt-${ts}.json`;
+}
+function storeReceipt(projectRoot, receipt) {
+  const dir = receiptDir(projectRoot);
+  mkdirSync39(dir, { recursive: true });
+  const filename = receiptFilename(receipt);
+  const filePath = join63(dir, filename);
+  writeFileSync37(filePath, JSON.stringify(receipt, null, 2), "utf-8");
+  pruneOldReceipts(dir);
+  return filePath;
+}
+function loadLatestReceipt(projectRoot) {
+  const dir = receiptDir(projectRoot);
+  let files;
+  try {
+    files = readdirSync19(dir).filter((f) => f.startsWith("receipt-") && f.endsWith(".json"));
+  } catch {
+    return null;
+  }
+  if (files.length === 0) return null;
+  files.sort();
+  const latest = files[files.length - 1];
+  try {
+    const raw = readFileSync47(join63(dir, latest), "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function pruneOldReceipts(dir) {
+  try {
+    const files = readdirSync19(dir).filter((f) => f.startsWith("receipt-") && f.endsWith(".json")).sort();
+    while (files.length > MAX_STORED_RECEIPTS) {
+      const oldest = files.shift();
+      try {
+        unlinkSync4(join63(dir, oldest));
+      } catch {
+        break;
+      }
+    }
+  } catch {
+  }
+}
+
+// src/avorelo/kernel/agent-artifact-guard/index.ts
+function scan(projectRoot, options) {
+  const artifacts = discoverArtifacts(projectRoot);
+  const allFindings = [];
+  for (const artifact of artifacts) {
+    const fullPath = join64(projectRoot, artifact.path);
+    let content;
+    try {
+      content = readFileSync48(fullPath, "utf-8");
+    } catch {
+      continue;
+    }
+    const findings = scanContent2(content, artifact.path, artifact.kind);
+    allFindings.push(...findings);
+  }
+  let effectiveFindings = allFindings;
+  let allowlistedCount = 0;
+  if (options?.applyAllowlist !== false) {
+    const allowlist = loadAllowlist(projectRoot);
+    if (allowlist.length > 0) {
+      effectiveFindings = [];
+      for (const f of allFindings) {
+        if (isAllowlisted(f, allowlist)) {
+          allowlistedCount++;
+        } else {
+          effectiveFindings.push(f);
+        }
+      }
+    }
+  }
+  const counts = countBySeverity(effectiveFindings);
+  const riskScore = computeRiskScore(counts);
+  const policyOutcome = evaluatePolicy2(counts, riskScore);
+  let nextBestAction = computeNextBestAction(policyOutcome, counts);
+  if (allowlistedCount > 0) {
+    nextBestAction += ` (${allowlistedCount} finding(s) allowlisted)`;
+  }
+  return {
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    projectRoot,
+    filesScanned: artifacts.length,
+    artifacts,
+    findings: effectiveFindings,
+    counts,
+    riskScore,
+    policyOutcome,
+    nextBestAction
+  };
+}
+
+// src/avorelo/kernel/agent-artifact-guard/guard-handler.ts
+function checkActivation(dir) {
+  const configPath = join65(dir, ".avorelo", "model-routing", "config.json");
+  try {
+    if (existsSync63(configPath)) {
+      const raw = JSON.parse(readFileSync49(configPath, "utf-8"));
+      return {
+        activated: true,
+        routingMode: raw.mode ?? "seamless",
+        localFirst: raw.localFirst ?? true,
+        registryLoaded: raw.registryLoaded ?? false,
+        cloudRoutingEnabled: raw.cloudRoutingEnabled ?? false,
+        defaultPolicy: raw.defaultPolicy ?? "safety_proof_privacy_before_cost"
+      };
+    }
+  } catch {
+  }
+  return {
+    activated: false,
+    routingMode: "seamless",
+    localFirst: true,
+    registryLoaded: false,
+    cloudRoutingEnabled: false,
+    defaultPolicy: "safety_proof_privacy_before_cost"
+  };
+}
+function getRoutingStatus(state) {
+  return `Routing: ${state.activated ? "active" : "inactive"} (${state.routingMode})`;
+}
+function activationWarning(outcome, nextAction) {
+  switch (outcome) {
+    case "blocked":
+      return `Activation warning: ${nextAction} Activation cannot claim safe readiness.`;
+    case "requires_approval":
+      return `Review needed: ${nextAction}`;
+    case "warn":
+      return `Note: ${nextAction}`;
+    case "pass":
+      return null;
+  }
+}
+function handleActivate(dir, options) {
+  const state = checkActivation(dir);
+  const guardResult = scan(dir);
+  const receipt = createReceipt(guardResult);
+  const receiptPath = storeReceipt(dir, receipt);
+  const guardLine = renderSummary(guardResult);
+  const warning = activationWarning(guardResult.policyOutcome, guardResult.nextBestAction);
+  const lines = [getRoutingStatus(state), guardLine];
+  if (warning) lines.push(warning);
+  lines.push(`Receipt: ${receiptPath}`);
+  if (options.json) {
+    return {
+      exitCode: guardResult.policyOutcome === "blocked" ? 1 : 0,
+      stdout: lines.join("\n"),
+      json: {
+        activated: state.activated,
+        artifactGuard: {
+          policyOutcome: guardResult.policyOutcome,
+          riskScore: guardResult.riskScore,
+          findingsCount: guardResult.findings.length,
+          counts: guardResult.counts,
+          nextBestAction: guardResult.nextBestAction
+        },
+        receiptPath
+      }
+    };
+  }
+  return {
+    exitCode: guardResult.policyOutcome === "blocked" ? 1 : 0,
+    stdout: lines.join("\n")
+  };
+}
+function handleStatus(dir, options) {
+  const state = checkActivation(dir);
+  const status = getRoutingStatus(state);
+  const guardResult = scan(dir);
+  if (options.json) {
+    return {
+      exitCode: 0,
+      stdout: `${status}
+${renderSummary(guardResult)}`,
+      json: {
+        routing: {
+          active: state.activated,
+          mode: state.routingMode,
+          localFirst: state.localFirst
+        },
+        artifactGuard: {
+          policyOutcome: guardResult.policyOutcome,
+          riskScore: guardResult.riskScore,
+          findingsCount: guardResult.findings.length
+        }
+      }
+    };
+  }
+  return { exitCode: 0, stdout: `${status}
+${renderSummary(guardResult)}` };
+}
+function handleDoctor(dir, options) {
+  const state = checkActivation(dir);
+  const guardResult = scan(dir);
+  const lines = [
+    getRoutingStatus(state),
+    `Registry: ${state.registryLoaded ? "loaded" : "not loaded"}`,
+    `Cloud: ${state.cloudRoutingEnabled ? "enabled" : "disabled"}`,
+    `Policy: ${state.defaultPolicy}`,
+    renderSummary(guardResult)
+  ];
+  if (options.json) {
+    return {
+      exitCode: 0,
+      stdout: lines.join("\n"),
+      json: {
+        ...state,
+        artifactGuard: {
+          policyOutcome: guardResult.policyOutcome,
+          riskScore: guardResult.riskScore,
+          findingsCount: guardResult.findings.length,
+          counts: guardResult.counts
+        }
+      }
+    };
+  }
+  return { exitCode: 0, stdout: lines.join("\n") };
+}
+function handleReadiness(dir, options) {
+  const state = checkActivation(dir);
+  const guardResult = scan(dir);
+  const receipt = createReceipt(guardResult);
+  storeReceipt(dir, receipt);
+  const latestReceipt = loadLatestReceipt(dir);
+  const artifactKinds = [...new Set(guardResult.artifacts.map((a) => a.kind))];
+  const highestSeverity = guardResult.counts.critical > 0 ? "critical" : guardResult.counts.high > 0 ? "high" : guardResult.counts.medium > 0 ? "medium" : guardResult.counts.low > 0 ? "low" : "none";
+  const blockingCount = guardResult.counts.critical + guardResult.counts.high;
+  const lines = [
+    `Readiness Check`,
+    ``,
+    `Routing: ${state.activated ? "active" : "inactive"}`,
+    `Artifact Guard: available`,
+    `  Files scanned: ${guardResult.filesScanned}`,
+    `  Artifact kinds: ${artifactKinds.length > 0 ? artifactKinds.join(", ") : "none detected"}`,
+    `  Highest severity: ${highestSeverity}`,
+    `  Policy outcome: ${guardResult.policyOutcome.toUpperCase()}`,
+    `  Blocking findings: ${blockingCount}`,
+    `  Latest receipt: ${latestReceipt ? "available" : "none"}`,
+    `  Next: ${guardResult.nextBestAction}`
+  ];
+  if (guardResult.policyOutcome === "blocked") {
+    lines.push(``);
+    lines.push(`Readiness: NOT READY \u2014 critical findings must be resolved`);
+  } else if (guardResult.policyOutcome === "requires_approval") {
+    lines.push(``);
+    lines.push(`Readiness: REVIEW NEEDED \u2014 high-severity findings require approval`);
+  } else if (guardResult.policyOutcome === "warn") {
+    lines.push(``);
+    lines.push(`Readiness: READY (with warnings)`);
+  } else {
+    lines.push(``);
+    lines.push(`Readiness: READY`);
+  }
+  if (options.json) {
+    return {
+      exitCode: guardResult.policyOutcome === "blocked" ? 1 : 0,
+      stdout: lines.join("\n"),
+      json: {
+        routing: { active: state.activated },
+        artifactGuard: {
+          available: true,
+          filesScanned: guardResult.filesScanned,
+          artifactKinds,
+          highestSeverity,
+          policyOutcome: guardResult.policyOutcome,
+          riskScore: guardResult.riskScore,
+          blockingFindings: blockingCount,
+          counts: guardResult.counts,
+          latestReceipt: latestReceipt ? true : false,
+          nextBestAction: guardResult.nextBestAction
+        },
+        readiness: guardResult.policyOutcome === "blocked" ? "not_ready" : guardResult.policyOutcome === "requires_approval" ? "review_needed" : "ready"
+      }
+    };
+  }
+  return {
+    exitCode: guardResult.policyOutcome === "blocked" ? 1 : 0,
+    stdout: lines.join("\n")
+  };
+}
+function handleReceipt(dir, options) {
+  const sub = options.receiptSubcommand ?? "latest";
+  if (sub === "latest") {
+    const receipt = loadLatestReceipt(dir);
+    if (!receipt) {
+      return { exitCode: 0, stdout: "No artifact guard receipt found. Run `avorelo guard scan` first." };
+    }
+    if (options.json) {
+      return {
+        exitCode: 0,
+        stdout: JSON.stringify(receipt, null, 2),
+        json: receipt
+      };
+    }
+    const lines = [
+      `Latest Artifact Guard Receipt`,
+      `  Type: ${receipt.receiptType}`,
+      `  Scanned: ${receipt.scannedAt}`,
+      `  Files: ${receipt.filesScanned}`,
+      `  Findings: ${receipt.findingSummary.total}`,
+      `  Risk score: ${receipt.riskScore}/10`,
+      `  Outcome: ${receipt.policyOutcome.toUpperCase()}`,
+      `  Next: ${receipt.nextBestAction}`,
+      `  Raw content stored: ${receipt.contentStored}`
+    ];
+    return { exitCode: 0, stdout: lines.join("\n") };
+  }
+  return { exitCode: 2, stdout: "Usage: avorelo receipt latest" };
+}
+function handleGuard(dir, options) {
+  const sub = options.guardSubcommand ?? "scan";
+  if (sub === "explain") {
+    const ruleId = options.guardArgs?.[0];
+    if (!ruleId) {
+      return { exitCode: 2, stdout: "Usage: avorelo guard explain <ruleId>" };
+    }
+    const rule = getRule(ruleId);
+    if (!rule) {
+      return { exitCode: 2, stdout: `Unknown rule: ${ruleId}` };
+    }
+    const lines = [
+      `Rule: ${rule.id}`,
+      `Title: ${rule.title}`,
+      `Severity: ${rule.severity}`,
+      `Category: ${rule.category}`,
+      `Description: ${rule.description}`,
+      `Recommended action: ${rule.recommendedAction}`,
+      `Applies to: ${rule.artifactKinds === "all" ? "all artifact kinds" : rule.artifactKinds.join(", ")}`
+    ];
+    return { exitCode: 0, stdout: lines.join("\n") };
+  }
+  const result3 = scan(dir);
+  const receipt = createReceipt(result3);
+  const receiptPath = storeReceipt(dir, receipt);
+  if (options.json) {
+    return {
+      exitCode: result3.policyOutcome === "blocked" ? 1 : 0,
+      stdout: toJson(result3),
+      json: result3
+    };
+  }
+  if (options.ci) {
+    return {
+      exitCode: result3.policyOutcome === "blocked" ? 1 : 0,
+      stdout: toJson(result3)
+    };
+  }
+  const report = renderReport(result3);
+  return {
+    exitCode: result3.policyOutcome === "blocked" ? 1 : 0,
+    stdout: `${report}
+Receipt: ${receiptPath}`
+  };
+}
+function handleCli(options, dir) {
+  switch (options.command) {
+    case "activate":
+      return handleActivate(dir, options);
+    case "status":
+      return handleStatus(dir, options);
+    case "doctor":
+      return handleDoctor(dir, options);
+    case "guard":
+      return handleGuard(dir, options);
+    case "readiness":
+      return handleReadiness(dir, options);
+    case "receipt":
+      return handleReceipt(dir, options);
+    case "run":
+      return { exitCode: 0, stdout: "run not implemented in guard handler" };
+  }
+}
+
 // src/avorelo/surfaces/cli/avorelo.ts
 function arg(args, name, dflt) {
   const i = args.indexOf(name);
@@ -17695,6 +18768,10 @@ function help() {
     "",
     "  context check [--target <dir>] [--json] [--strict] [--ci]         Agent context integrity check",
     "",
+    "  guard scan [--target <dir>] [--json] [--ci]                       Scan agent artifacts for risks",
+    "  guard explain <rule-id>                                           Explain a detection rule",
+    "  receipt latest [--target <dir>] [--json]                           Show latest artifact guard receipt",
+    "",
     "  dogfood-learning status [--target <dir>] [--json]                 Show learning status",
     "  dogfood-learning preview [--target <dir>] [--json]                Preview sanitized learning payload",
     "  dogfood-learning send [--target <dir>] [--dry-run] [--json]       Send or queue learning signal",
@@ -17738,8 +18815,8 @@ async function cmdActivate(args) {
       const r2 = activate(target, { approve: true });
       persistReceipt(target, r2.receipt);
       const state2 = runFullActivation(target);
-      state2.setupSteps.push({ id: "hooks_installed", label: "Claude Code hooks installed", status: r2.ok ? "passed" : "blocked", evidencePath: join61(target, ".claude", "settings.json") });
-      if (r2.ok) state2.receipts.push({ id: r2.receipt.receiptId, path: join61(target, ".avorelo", "receipts", `${r2.receipt.receiptId}.json`), type: "activation_with_hooks" });
+      state2.setupSteps.push({ id: "hooks_installed", label: "Claude Code hooks installed", status: r2.ok ? "passed" : "blocked", evidencePath: join66(target, ".claude", "settings.json") });
+      if (r2.ok) state2.receipts.push({ id: r2.receipt.receiptId, path: join66(target, ".avorelo", "receipts", `${r2.receipt.receiptId}.json`), type: "activation_with_hooks" });
       persistActivationV2(target, state2);
       process.stdout.write(JSON.stringify({ ok: r2.ok, mode: "activate-with-hooks", target, installed: r2.validate.wellFormed, receipt: r2.receipt.receiptId }, null, 2) + "\n");
       return r2.ok ? 0 : 1;
@@ -17762,7 +18839,7 @@ Activation taxonomy: ${preflight.taxonomy}
     process.stderr.write("Continuing with activation despite warnings...\n\n");
   }
   const state = runFullActivation(target);
-  const contract = createWorkContract({ contractId: "canonical-activate", objective: "full local-first activation", allowedPaths: [join61(target, ".avorelo")], planTier: "Free" });
+  const contract = createWorkContract({ contractId: "canonical-activate", objective: "full local-first activation", allowedPaths: [join66(target, ".avorelo")], planTier: "Free" });
   const ledger = new StateLedger();
   const receipt = writeReceipt(ledger, {
     contractId: contract.contractId,
@@ -17777,7 +18854,7 @@ Activation taxonomy: ${preflight.taxonomy}
     redactionClasses: [],
     receiptId: "rcpt_canonical_activation"
   });
-  state.receipts.push({ id: receipt.receiptId, path: join61(target, ".avorelo", "receipts", `${receipt.receiptId}.json`), type: "canonical_activation" });
+  state.receipts.push({ id: receipt.receiptId, path: join66(target, ".avorelo", "receipts", `${receipt.receiptId}.json`), type: "canonical_activation" });
   persistActivationV2(target, state);
   persistReceipt(target, receipt);
   const detection = runFullDetection(target);
@@ -17790,7 +18867,7 @@ Activation taxonomy: ${preflight.taxonomy}
     `  Mode:       ${state.activationMode}`,
     `  Scope:      ${scope}`,
     `  Status:     ${state.activationStatus}`,
-    `  State:      ${join61(target, ACTIVATION_STATE_DIR, ACTIVATION_STATE_FILE)}`
+    `  State:      ${join66(target, ACTIVATION_STATE_DIR, ACTIVATION_STATE_FILE)}`
   ];
   if (fv.found.length > 0) {
     lines.push("", "  Found:");
@@ -18071,7 +19148,7 @@ function cmdStatus(args) {
     `  activation:   ${state.activationStatus}`,
     `  mode:         ${state.activationMode}`,
     `  contract:     ${state.contract}`,
-    `  state:        ${join61(target, ACTIVATION_STATE_DIR, ACTIVATION_STATE_FILE)}`,
+    `  state:        ${join66(target, ACTIVATION_STATE_DIR, ACTIVATION_STATE_FILE)}`,
     `  hooks:        ${v.installed ? v.wellFormed ? "installed (6/6)" : `partial` : "not installed"}`
   ];
   if (isV2) {
@@ -18144,7 +19221,7 @@ function cmdVerify(args) {
   }
   const input = loadProofInput(target);
   if (input) {
-    const contract = createWorkContract({ contractId: "verify", objective: input.objective ?? "verify real-workflow proof", allowedPaths: [join61(target, "src")], planTier: "Free" });
+    const contract = createWorkContract({ contractId: "verify", objective: input.objective ?? "verify real-workflow proof", allowedPaths: [join66(target, "src")], planTier: "Free" });
     const r2 = evaluateProof({ contract, artifacts: input.artifacts, readbacks: input.readbacks, dir: target, sampleSize: input.sampleSize, receiptId: "rcpt_verify" });
     process.stdout.write(JSON.stringify({ scope: "full", activationState: { valid: true }, proof: { decision: r2.decision, confidence: r2.confidence } }, null, 2) + "\n");
     return r2.decision === "STOP_DONE" ? 0 : 1;
@@ -18153,13 +19230,13 @@ function cmdVerify(args) {
   return 0;
 }
 function cmdSite(args) {
-  const outDir = arg(args, "--out", join61(process.cwd(), ".avorelo", "site"));
+  const outDir = arg(args, "--out", join66(process.cwd(), ".avorelo", "site"));
   const r2 = buildSite(outDir);
   process.stdout.write(JSON.stringify({ ok: r2.ok, outDir: r2.outDir, indexPath: r2.indexPath, pages: r2.pages }, null, 2) + "\n");
   return r2.ok ? 0 : 1;
 }
 function cmdServe(args) {
-  const outDir = arg(args, "--out", join61(process.cwd(), ".avorelo", "site"));
+  const outDir = arg(args, "--out", join66(process.cwd(), ".avorelo", "site"));
   const port = Number(arg(args, "--port", "0"));
   buildSite(outDir);
   serve(outDir, { port: Number.isFinite(port) ? port : 0 }).then((h) => {
@@ -18191,7 +19268,7 @@ function cmdServe(args) {
 }
 function readStdinJson() {
   try {
-    const raw = readFileSync46(0, "utf8");
+    const raw = readFileSync50(0, "utf8");
     return raw.trim() ? JSON.parse(raw) : {};
   } catch {
     return {};
@@ -18215,9 +19292,9 @@ function cmdLifecycleHook(args) {
     const sourceLabel = String(ccEvent.tool_name ?? "").toLowerCase().includes("mcp") ? "tool_output" : "tool_output";
     const r3 = scanContent({ content: toolOutput, sourceKind: sourceLabel });
     try {
-      const dir = join61(cwd, ".avorelo", "secret-boundary");
-      mkdirSync39(dir, { recursive: true });
-      appendFileSync11(join61(dir, "receipts.jsonl"), JSON.stringify(redact(r3.receipt).value) + "\n");
+      const dir = join66(cwd, ".avorelo", "secret-boundary");
+      mkdirSync40(dir, { recursive: true });
+      appendFileSync11(join66(dir, "receipts.jsonl"), JSON.stringify(redact(r3.receipt).value) + "\n");
     } catch {
     }
     process.stdout.write(JSON.stringify({
@@ -18234,13 +19311,13 @@ function cmdLifecycleHook(args) {
   }
   const looksLikeToolRequest = payloadRaw && ccEvent.tool !== void 0 && ccEvent.workingDir !== void 0;
   const req = looksLikeToolRequest ? ccEvent : mapClaudeCodeEvent(ccEvent, cwd);
-  const contract = createWorkContract({ contractId: "hook", objective: "lifecycle hook", allowedPaths: [join61(cwd, "src")], planTier: "Free" });
+  const contract = createWorkContract({ contractId: "hook", objective: "lifecycle hook", allowedPaths: [join66(cwd, "src")], planTier: "Free" });
   const r2 = handleLifecycleHook(event, req, { contract });
   try {
-    const dir = join61(cwd, ".avorelo", "events");
-    mkdirSync39(dir, { recursive: true });
+    const dir = join66(cwd, ".avorelo", "events");
+    mkdirSync40(dir, { recursive: true });
     const entry = redact({ ts: Date.now(), event: r2.event, tool: req.tool, verdict: r2.verdict, reasonCodes: r2.reasonCodes, redactionClasses: r2.redactionClasses, latencyMs: r2.latencyMs }).value;
-    appendFileSync11(join61(dir, "hook-fires.jsonl"), JSON.stringify(entry) + "\n");
+    appendFileSync11(join66(dir, "hook-fires.jsonl"), JSON.stringify(entry) + "\n");
   } catch {
   }
   if (r2.exitCode === 2) {
@@ -18647,13 +19724,13 @@ function cmdTokenCost(args) {
   }
   if (sub === "import" || sub === "validate") {
     const file = arg(args, "--file");
-    if (!file || !existsSync62(file)) {
+    if (!file || !existsSync64(file)) {
       process.stderr.write("Usage: avorelo token-cost " + sub + " --file <path> [--json]\n");
       return 2;
     }
     let parsed;
     try {
-      parsed = JSON.parse(readFileSync46(file, "utf8"));
+      parsed = JSON.parse(readFileSync50(file, "utf8"));
     } catch {
       process.stderr.write("Invalid JSON file.\n");
       return 1;
@@ -18794,9 +19871,9 @@ function cmdContextCheck(args) {
   const ci = args.includes("--ci");
   const wcPath = arg(args, "--work-contract");
   let workContract;
-  if (wcPath && existsSync62(wcPath)) {
+  if (wcPath && existsSync64(wcPath)) {
     try {
-      workContract = JSON.parse(readFileSync46(wcPath, "utf8"));
+      workContract = JSON.parse(readFileSync50(wcPath, "utf8"));
     } catch {
     }
   }
@@ -18854,12 +19931,52 @@ function cmdContext(args) {
   ].filter(Boolean).join("\n"));
   return 0;
 }
+function cmdGuard(args) {
+  const sub = args[0];
+  const target = arg(args, "--target", process.cwd());
+  const asJson = args.includes("--json");
+  const ci = args.includes("--ci");
+  if (sub === "scan") {
+    const output = handleCli(
+      { command: "guard", json: asJson, verbose: false, guardSubcommand: "scan", ci },
+      target
+    );
+    process.stdout.write(output.stdout + "\n");
+    return output.exitCode;
+  }
+  if (sub === "explain") {
+    const ruleId = args[1];
+    const output = handleCli(
+      { command: "guard", json: false, verbose: false, guardSubcommand: "explain", guardArgs: [ruleId] },
+      target
+    );
+    process.stdout.write(output.stdout + "\n");
+    return output.exitCode;
+  }
+  process.stderr.write("Usage: avorelo guard <scan|explain> [args]\n");
+  return 2;
+}
+function cmdReceipt(args) {
+  const sub = args[0];
+  const target = arg(args, "--target", process.cwd());
+  const asJson = args.includes("--json");
+  if (sub === "latest" || sub === void 0) {
+    const output = handleCli(
+      { command: "receipt", json: asJson, verbose: false, receiptSubcommand: "latest" },
+      target
+    );
+    process.stdout.write(output.stdout + "\n");
+    return output.exitCode;
+  }
+  process.stderr.write("Usage: avorelo receipt latest [--target <dir>] [--json]\n");
+  return 2;
+}
 function cmdSecretBoundary(args) {
   const sub = args[0];
   const asJson = args.includes("--json");
   let content = arg(args, "--content");
   const file = arg(args, "--file");
-  if (file && existsSync62(file)) content = readFileSync46(file, "utf8");
+  if (file && existsSync64(file)) content = readFileSync50(file, "utf8");
   if (content === void 0) content = "";
   if (sub === "scan" || sub === void 0) {
     const r2 = scanContent({ content, sourceKind: file ? "file" : "tool_output" });
@@ -18926,7 +20043,7 @@ function cmdExplain(args) {
   const changedFiles = [];
   for (const { adapter } of detected) {
     const surface = adapter.getInstructionSurface(target);
-    if (surface && existsSync62(surface)) changedFiles.push(surface);
+    if (surface && existsSync64(surface)) changedFiles.push(surface);
   }
   if (changedFiles.length > 0) {
     lines.push("  Changed:");
@@ -18940,7 +20057,7 @@ function cmdExplain(args) {
   lines.push("");
   lines.push(`  Hooks: ${hookValidation.installed ? "installed" : "not installed"}`);
   lines.push("  Cloud: off (local-first)");
-  lines.push(`  Receipts: ${join61(target, ".avorelo", "receipts")}`);
+  lines.push(`  Receipts: ${join66(target, ".avorelo", "receipts")}`);
   const sessionStatus = getSessionStatus(target);
   if (sessionStatus) {
     lines.push("");
@@ -19100,7 +20217,7 @@ function cmdFeedback(args) {
   }
   if (sub === "share") {
     const file = arg(args, "--file");
-    if (!file || !existsSync62(file)) {
+    if (!file || !existsSync64(file)) {
       process.stderr.write("Usage: avorelo feedback share --file <bundle-path>\n");
       return 2;
     }
@@ -19404,7 +20521,7 @@ No loop metadata found for ${loopId}.
   if (sub === "doctor") {
     const issues = [];
     const ok = [];
-    if (existsSync62(join61(target, ".git"))) {
+    if (existsSync64(join66(target, ".git"))) {
       ok.push("Git repository detected");
     } else {
       issues.push("Not a git repository \u2014 loop needs git for drift detection");
@@ -19414,12 +20531,12 @@ No loop metadata found for ${loopId}.
     } else {
       issues.push("Claude Code CLI not found \u2014 install it or ensure `claude` is on PATH");
     }
-    const testDir = join61(target, ".avorelo", "loops");
+    const testDir = join66(target, ".avorelo", "loops");
     try {
-      mkdirSync39(testDir, { recursive: true });
-      const testFile = join61(testDir, ".doctor_probe");
-      writeFileSync37(testFile, "probe");
-      unlinkSync4(testFile);
+      mkdirSync40(testDir, { recursive: true });
+      const testFile = join66(testDir, ".doctor_probe");
+      writeFileSync38(testFile, "probe");
+      unlinkSync5(testFile);
       ok.push("Storage writable (.avorelo/loops/)");
     } catch {
       issues.push("Cannot write to .avorelo/loops/ \u2014 check permissions");
@@ -19460,11 +20577,11 @@ function cmdUninstallAll(args) {
   const target = arg(args, "--target", process.cwd());
   const adapterResult = uninstallAll(target);
   const hookResult = uninstall(target);
-  const removed = [...adapterResult.removed, ...hookResult.restored ? [join61(target, ".claude", "settings.json")] : []];
+  const removed = [...adapterResult.removed, ...hookResult.restored ? [join66(target, ".claude", "settings.json")] : []];
   const preserved = adapterResult.preserved;
-  const avoreloDir2 = join61(target, ".avorelo");
+  const avoreloDir2 = join66(target, ".avorelo");
   try {
-    if (existsSync62(avoreloDir2)) {
+    if (existsSync64(avoreloDir2)) {
       rmSync3(avoreloDir2, { recursive: true, force: true });
       removed.push(avoreloDir2);
     }
@@ -20057,7 +21174,7 @@ function cmdConfig(args) {
 function avoreloVersion() {
   for (const rel of ["../package.json", "../../package.json", "../../../package.json", "../../../../package.json"]) {
     try {
-      const pkg = JSON.parse(readFileSync46(join61(import.meta.dirname, rel), "utf8"));
+      const pkg = JSON.parse(readFileSync50(join66(import.meta.dirname, rel), "utf8"));
       if (pkg.name === "avorelo" && pkg.version) return pkg.version;
     } catch {
     }
@@ -20168,6 +21285,10 @@ function main(argv) {
       return cmdReadiness(rest);
     case "loop":
       return cmdLoop(rest);
+    case "guard":
+      return cmdGuard(rest);
+    case "receipt":
+      return cmdReceipt(rest);
     default:
       return help();
   }