corpus-cli 0.1.0

package/dist/commands/check.d.ts

@@ -0,0 +1 @@
+export declare function runCheck(): Promise<void>;

package/dist/commands/check.js

@@ -0,0 +1,163 @@
+import { readdirSync, readFileSync, existsSync, statSync } from 'fs';
+import { execSync } from 'child_process';
+import path from 'path';
+import { green, red, amber, dim, bold } from '../utils/colors.js';
+function findPolicyFiles(target) {
+    const files = [];
+    // If a specific file was given, just return it
+    if (target && existsSync(target)) {
+        try {
+            const stat = statSync(target);
+            if (stat.isFile()) {
+                return [target];
+            }
+        }
+        catch {
+            // fall through to directory logic
+        }
+    }
+    // Determine directories to scan
+    const dirs = target ? [target] : ['.'];
+    const isTargetMode = Boolean(target);
+    for (const dir of dirs) {
+        if (!existsSync(dir))
+            continue;
+        try {
+            for (const entry of readdirSync(dir)) {
+                const full = path.join(dir, entry);
+                if (isTargetMode) {
+                    // When scanning a specific directory, include all yaml/jac
+                    if (entry.endsWith('.yaml') || entry.endsWith('.yml') || entry.endsWith('.jac')) {
+                        files.push(full);
+                    }
+                }
+                else {
+                    // Default mode: only policy-looking yaml files in CWD
+                    if (entry.match(/corpus.*\.yaml$/) || entry.match(/.*\.policy\.yaml$/) || entry.endsWith('.jac')) {
+                        files.push(full);
+                    }
+                }
+            }
+        }
+        catch { /* ignore */ }
+    }
+    // Also scan standard policy directories when no specific target
+    if (!target) {
+        const policyDirs = ['./policies/builtin', './policies', './policies/examples'];
+        for (const pd of policyDirs) {
+            if (!existsSync(pd))
+                continue;
+            try {
+                for (const entry of readdirSync(pd)) {
+                    const full = path.join(pd, entry);
+                    if (entry.endsWith('.jac') || entry.endsWith('.yaml')) {
+                        if (!files.includes(full)) {
+                            files.push(full);
+                        }
+                    }
+                }
+            }
+            catch { /* ignore */ }
+        }
+    }
+    return files;
+}
+function checkYamlFile(filePath) {
+    try {
+        const raw = readFileSync(filePath, 'utf-8');
+        if (!raw.includes('agent:') || !raw.includes('rules:')) {
+            return { file: filePath, status: 'FAIL', detail: 'Missing agent or rules field' };
+        }
+        const ruleCount = (raw.match(/- name:/g) || []).length;
+        return { file: filePath, status: 'PASS', detail: `${ruleCount} rule${ruleCount !== 1 ? 's' : ''}` };
+    }
+    catch (e) {
+        return { file: filePath, status: 'FAIL', detail: String(e) };
+    }
+}
+function checkJacFile(filePath) {
+    const resolved = path.resolve(filePath);
+    if (!resolved.endsWith('.jac')) {
+        return { file: filePath, status: 'FAIL', detail: 'Not a .jac file' };
+    }
+    try {
+        execSync('jac check ' + JSON.stringify(resolved), { stdio: 'pipe' });
+        return { file: filePath, status: 'PASS', detail: 'validated via Jac' };
+    }
+    catch (e) {
+        const stderr = e instanceof Error && 'stderr' in e ? String(e.stderr) : '';
+        const firstLine = stderr.split('\n')[0] || 'validation failed';
+        if (firstLine.includes('command not found') || firstLine.includes('not found') || firstLine.includes('ENOENT')) {
+            return { file: filePath, status: 'WARN', detail: 'jac not installed (pip install jaseci)' };
+        }
+        return { file: filePath, status: 'FAIL', detail: firstLine.trim() };
+    }
+}
+export async function runCheck() {
+    const args = process.argv.slice(3);
+    let policyPath;
+    for (let i = 0; i < args.length; i++) {
+        switch (args[i]) {
+            case '--help':
+            case '-h':
+                process.stdout.write(`
+  corpus check [options]
+
+  Validate policy files (YAML and Jac) in the current directory.
+
+  Options:
+    --policy-path <path>   Path to a specific policy file or directory
+    --help                 Show this help
+
+  Examples:
+    corpus check                                    Scan CWD for policy files
+    corpus check --policy-path ./my-policy.yaml     Check a specific file
+    corpus check --policy-path ./policies/          Check a specific directory
+
+`);
+                return;
+            case '--policy-path':
+                policyPath = args[++i];
+                break;
+        }
+    }
+    process.stdout.write('\n');
+    process.stdout.write(bold('  CORPUS POLICY CHECK\n'));
+    process.stdout.write('  ' + '\u2550'.repeat(46) + '\n\n');
+    const files = findPolicyFiles(policyPath);
+    if (files.length === 0) {
+        process.stdout.write('  No policy files found.\n');
+        process.stdout.write('  Run ' + green('corpus init') + ' to create one.\n\n');
+        process.exit(1);
+    }
+    const results = [];
+    for (const file of files) {
+        const result = file.endsWith('.jac') ? checkJacFile(file) : checkYamlFile(file);
+        results.push(result);
+        const icon = result.status === 'PASS' ? green('PASS') : result.status === 'WARN' ? amber('WARN') : red('FAIL');
+        const name = file.padEnd(40);
+        process.stdout.write(`  ${name} ${icon}   ${dim(result.detail)}\n`);
+    }
+    const failures = results.filter((r) => r.status === 'FAIL');
+    const warnings = results.filter((r) => r.status === 'WARN');
+    const passes = results.filter((r) => r.status === 'PASS');
+    process.stdout.write('\n');
+    if (failures.length > 0) {
+        process.stdout.write(red(`  ${failures.length} file(s) failed. Fix errors before deploying.\n`));
+        process.stdout.write('\n');
+        process.exit(1);
+    }
+    if (warnings.length > 0 && passes.length > 0) {
+        process.stdout.write(green(`  ${passes.length} file(s) passed`) + `, ${warnings.length} warning(s).\n`);
+    }
+    else if (warnings.length > 0) {
+        process.stdout.write(amber(`  ${warnings.length} file(s) need attention (jac not installed).\n`));
+    }
+    else {
+        process.stdout.write(green(`  All ${passes.length} file(s) passed.\n`));
+    }
+    process.stdout.write('\n');
+    if (failures.length > 0)
+        process.exit(1);
+    process.exit(0);
+}

package/dist/commands/init-graph.d.ts

@@ -0,0 +1,7 @@
+/**
+ * corpus init / corpus graph -- Auto-generate the codebase graph
+ *
+ * Scans your project, builds a graph of every function, module, and relationship.
+ * No configuration needed. One command. Corpus learns your entire codebase.
+ */
+export declare function initGraph(args: string[]): Promise<void>;

package/dist/commands/init-graph.js

@@ -0,0 +1,270 @@
+/**
+ * corpus init / corpus graph -- Auto-generate the codebase graph
+ *
+ * Scans your project, builds a graph of every function, module, and relationship.
+ * No configuration needed. One command. Corpus learns your entire codebase.
+ */
+import { existsSync, writeFileSync, mkdirSync, readFileSync, appendFileSync } from 'fs';
+import { createServer } from 'http';
+import { exec } from 'child_process';
+import path from 'path';
+const C = {
+    reset: '\x1b[0m',
+    bold: '\x1b[1m',
+    dim: '\x1b[2m',
+    green: '\x1b[32m',
+    cyan: '\x1b[36m',
+    red: '\x1b[31m',
+    yellow: '\x1b[33m',
+    magenta: '\x1b[35m',
+    bg_green: '\x1b[42m',
+    bg_red: '\x1b[41m',
+    white: '\x1b[37m',
+};
+function sleep(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+async function animateStep(text, delay = 80) {
+    process.stdout.write(`  ${C.green}\u2713${C.reset} ${text}`);
+    await sleep(delay);
+    process.stdout.write('\n');
+}
+export async function initGraph(args) {
+    const flags = args.filter(a => a.startsWith('--'));
+    const positional = args.filter(a => !a.startsWith('--'));
+    const projectRoot = positional[0] ? path.resolve(positional[0]) : process.cwd();
+    const { buildGraph, saveGraph } = await import('@corpus/core');
+    if (!existsSync(projectRoot)) {
+        console.error(`\n  ${C.red}Error:${C.reset} Directory not found: ${projectRoot}\n`);
+        process.exit(1);
+    }
+    // ── Header ──
+    console.log('');
+    console.log(`  ${C.cyan}${C.bold}CORPUS${C.reset}  ${C.dim}The immune system for vibe-coded software${C.reset}`);
+    console.log(`  ${C.dim}${'─'.repeat(50)}${C.reset}`);
+    console.log('');
+    // ── Scan ──
+    process.stdout.write(`  ${C.dim}Scanning project structure...${C.reset}`);
+    const startTime = Date.now();
+    const graph = buildGraph(projectRoot);
+    const elapsed = Date.now() - startTime;
+    process.stdout.write(`\r  ${C.green}\u2713${C.reset} Scanning project structure... ${C.dim}${elapsed}ms${C.reset}\n`);
+    // ── Animated results ──
+    await animateStep(`Found ${C.bold}${graph.stats.totalFiles}${C.reset} files across ${C.bold}${new Set(graph.nodes.filter(n => n.type === 'module').map(n => n.file.split('/')[0])).size}${C.reset} modules`);
+    await animateStep(`Mapped ${C.bold}${graph.stats.totalFunctions}${C.reset} functions and ${C.bold}${graph.edges.filter(e => e.type === 'calls').length}${C.reset} dependencies`);
+    await animateStep(`Building structural graph...`);
+    // ── Save ──
+    const graphPath = saveGraph(graph, projectRoot);
+    await animateStep(`Graph saved: ${C.bold}${graph.nodes.length}${C.reset} nodes, ${C.bold}${graph.edges.length}${C.reset} edges`);
+    // ── Config ──
+    const corpusDir = path.join(projectRoot, '.corpus');
+    if (!existsSync(corpusDir)) {
+        mkdirSync(corpusDir, { recursive: true });
+    }
+    const configPath = path.join(corpusDir, 'config.json');
+    if (!existsSync(configPath)) {
+        writeFileSync(configPath, JSON.stringify({
+            version: 1,
+            mode: 'watch',
+            autoFix: true,
+            mcpEnabled: true,
+        }, null, 2));
+    }
+    // ── MCP config ──
+    const mcpPath = path.join(projectRoot, '.mcp.json');
+    if (!existsSync(mcpPath)) {
+        writeFileSync(mcpPath, JSON.stringify({
+            mcpServers: {
+                corpus: {
+                    command: 'npx',
+                    args: ['corpus-mcp'],
+                    type: 'stdio',
+                },
+            },
+        }, null, 2));
+        await animateStep(`MCP watchers attached to ${C.cyan}Claude Code${C.reset}, ${C.cyan}Cursor${C.reset}`);
+    }
+    else {
+        const existing = JSON.parse(readFileSync(mcpPath, 'utf-8'));
+        if (!existing.mcpServers?.corpus) {
+            existing.mcpServers = existing.mcpServers || {};
+            existing.mcpServers.corpus = {
+                command: 'npx',
+                args: ['corpus-mcp'],
+                type: 'stdio',
+            };
+            writeFileSync(mcpPath, JSON.stringify(existing, null, 2));
+            await animateStep(`MCP watchers attached to ${C.cyan}Claude Code${C.reset}, ${C.cyan}Cursor${C.reset}`);
+        }
+        else {
+            await animateStep(`MCP already configured`);
+        }
+    }
+    // ── Gitignore ──
+    const gitignorePath = path.join(projectRoot, '.gitignore');
+    if (existsSync(gitignorePath)) {
+        const gitignore = readFileSync(gitignorePath, 'utf-8');
+        if (!gitignore.includes('.corpus')) {
+            appendFileSync(gitignorePath, '\n.corpus/\n');
+        }
+    }
+    // ── Health summary ──
+    const healthColor = graph.stats.healthScore >= 80 ? C.green
+        : graph.stats.healthScore >= 50 ? C.yellow
+            : C.red;
+    console.log('');
+    console.log(`  ${C.dim}${'─'.repeat(50)}${C.reset}`);
+    console.log('');
+    console.log(`  ${C.bold}$ corpus status${C.reset}`);
+    console.log(`  ${C.green}\u25CF${C.reset} Health: ${healthColor}${C.bold}${graph.stats.healthScore}/100${C.reset} ${C.dim}- All systems nominal${C.reset}`);
+    console.log('');
+    console.log(`  ${C.dim}${'─'.repeat(50)}${C.reset}`);
+    console.log('');
+    console.log(`  ${C.bold}What happens next:${C.reset}`);
+    console.log(`  ${C.dim}Every time your AI writes code, Corpus checks it${C.reset}`);
+    console.log(`  ${C.dim}against this graph. If something breaks, Corpus${C.reset}`);
+    console.log(`  ${C.dim}tells the AI to fix it. You never see the bug.${C.reset}`);
+    console.log('');
+    console.log(`  ${C.cyan}corpus watch${C.reset}     ${C.dim}Real-time monitoring${C.reset}`);
+    console.log(`  ${C.cyan}corpus scan${C.reset}      ${C.dim}Security scan${C.reset}`);
+    console.log(`  ${C.cyan}corpus verify${C.reset}    ${C.dim}Trust scores${C.reset}`);
+    console.log('');
+    console.log(`  ${C.dim}Your AI can't break what Corpus protects.${C.reset}`);
+    console.log(`  ${C.bold}No more AI slop.${C.reset}`);
+    console.log('');
+    // ── --open flag: serve graph in browser ──
+    if (flags.includes('--open')) {
+        await serveGraph(projectRoot, graph);
+    }
+}
+async function serveGraph(projectRoot, graph) {
+    const graphJSON = JSON.stringify({
+        nodes: graph.nodes.map((n) => ({
+            id: n.id, name: n.name, type: n.type, file: n.file, line: n.line,
+            exported: n.exported, health: n.health || 'verified', trustScore: n.trustScore || 100,
+            guards: n.guards || [], params: n.params || [],
+        })),
+        edges: graph.edges.map((e) => ({
+            source: e.source, target: e.target, type: e.type,
+        })),
+        stats: graph.stats,
+    });
+    const html = `<!DOCTYPE html>
+<html><head><meta charset="utf-8"><title>Corpus Graph — ${path.basename(projectRoot)}</title>
+<style>
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body { background: #050505; color: #e5e7eb; font-family: system-ui, -apple-system, sans-serif; overflow: hidden; }
+  #info { position: fixed; top: 12px; left: 16px; z-index: 10; font-size: 12px; font-family: ui-monospace, monospace; }
+  #info span { color: #10b981; }
+  #detail { position: fixed; top: 12px; right: 16px; width: 300px; z-index: 10; background: #0a0a0aee; backdrop-filter: blur(8px); border: 1px solid #1f2937; border-radius: 12px; padding: 16px; display: none; font-size: 13px; }
+  #detail h3 { font-size: 15px; font-weight: 700; margin-bottom: 8px; }
+  #detail .file { color: #6b7280; font-family: ui-monospace, monospace; font-size: 11px; margin-bottom: 8px; }
+  #detail .tag { display: inline-block; padding: 2px 8px; border-radius: 6px; font-size: 10px; font-weight: 500; margin-right: 4px; margin-bottom: 4px; }
+  #detail .guards { font-family: ui-monospace, monospace; font-size: 10px; color: #6ee7b7; border-left: 2px solid #10b98140; padding-left: 6px; margin: 2px 0; }
+  #detail .score { color: #10b981; font-size: 20px; font-weight: 700; margin-top: 8px; }
+  #legend { position: fixed; bottom: 16px; left: 16px; display: flex; gap: 12px; font-size: 10px; font-family: ui-monospace, monospace; background: #0a0a0acc; padding: 6px 12px; border-radius: 8px; z-index: 10; }
+  .legend-dot { width: 6px; height: 6px; border-radius: 50%; display: inline-block; margin-right: 4px; }
+</style>
+<script src="https://unpkg.com/force-graph@1.43.5/dist/force-graph.min.js"></script>
+</head><body>
+<div id="info"><span>corpus</span> / ${path.basename(projectRoot)} — <span id="node-count"></span> files, <span id="edge-count"></span> edges</div>
+<div id="detail"></div>
+<div id="legend"></div>
+<div id="graph"></div>
+<script>
+const COLORS = { core:'#3b82f6', cli:'#f97316', web:'#a855f7', 'mcp-server':'#06b6d4', 'sdk-ts':'#eab308', 'sdk-python':'#10b981', functions:'#f43f5e', policies:'#8b5cf6', schema:'#64748b', src:'#3b82f6', lib:'#10b981', app:'#a855f7', components:'#06b6d4', pages:'#eab308', api:'#f43f5e', utils:'#8b5cf6', config:'#64748b', scripts:'#f97316', public:'#10b981', styles:'#a855f7' };
+function getCluster(file) { const p = file.split('/'); if (p[0]==='packages'&&p[1]) return p[1]; if (p[0]==='apps'&&p[1]) return p[1]; return p[0]||'root'; }
+function getColor(file) { return COLORS[getCluster(file)] || '#64748b'; }
+
+const raw = ${graphJSON};
+const modules = raw.nodes.filter(n => n.type === 'module');
+const funcs = raw.nodes.filter(n => n.type === 'function');
+const moduleIds = new Set(modules.map(n => n.id));
+const funcToMod = {};
+raw.nodes.forEach(n => { if (n.type==='function') { const mid='mod:'+n.file; if(moduleIds.has(mid)) funcToMod[n.id]=mid; }});
+
+const edgeSet = new Set();
+const links = [];
+raw.edges.forEach(e => {
+  let s = moduleIds.has(e.source)?e.source:funcToMod[e.source];
+  let t = moduleIds.has(e.target)?e.target:funcToMod[e.target];
+  if(s&&t&&s!==t) { const k=s+'::'+t; if(!edgeSet.has(k)){edgeSet.add(k);links.push({source:s,target:t});}}
+});
+
+const nodes = modules.map(n => {
+  const fc = funcs.filter(f=>f.file===n.file).length;
+  return {...n, cluster:getCluster(n.file), color:getColor(n.file), funcCount:fc, val:Math.max(2,fc+1)};
+});
+
+document.getElementById('node-count').textContent = nodes.length;
+document.getElementById('edge-count').textContent = links.length;
+
+// Legend
+const clusters = [...new Set(nodes.map(n=>n.cluster))];
+const legend = document.getElementById('legend');
+clusters.forEach(c => {
+  const s = document.createElement('span');
+  s.innerHTML = '<span class="legend-dot" style="background:'+( COLORS[c]||'#64748b')+'"></span>'+c;
+  s.style.color = COLORS[c]||'#64748b';
+  legend.appendChild(s);
+});
+
+const Graph = ForceGraph()(document.getElementById('graph'))
+  .graphData({nodes, links})
+  .backgroundColor('#050505')
+  .linkColor(() => 'rgba(255,255,255,0.06)')
+  .linkWidth(0.5)
+  .nodeCanvasObject((node, ctx, globalScale) => {
+    const r = Math.sqrt(node.val)*2.5;
+    ctx.beginPath(); ctx.arc(node.x, node.y, r, 0, 2*Math.PI);
+    ctx.fillStyle = node.color+'90'; ctx.fill();
+    ctx.strokeStyle = node.color; ctx.lineWidth = 0.5/globalScale; ctx.stroke();
+    if(globalScale > 0.8) {
+      ctx.font = (10/globalScale)+'px ui-monospace, monospace';
+      ctx.textAlign='center'; ctx.textBaseline='top';
+      ctx.fillStyle='#ffffffaa';
+      ctx.fillText(node.name, node.x, node.y+r+2);
+    }
+  })
+  .nodePointerAreaPaint((node, color, ctx) => {
+    ctx.beginPath(); ctx.arc(node.x, node.y, Math.sqrt(node.val)*2.5+4, 0, 2*Math.PI);
+    ctx.fillStyle=color; ctx.fill();
+  })
+  .onNodeClick(node => {
+    const d = document.getElementById('detail');
+    const fileFuncs = funcs.filter(f=>f.file===node.file);
+    d.style.display = 'block';
+    d.innerHTML = '<h3>'+node.name+'</h3>'
+      +'<div class="file">'+node.file+':'+node.line+'</div>'
+      +'<div><span class="tag" style="background:'+node.color+'20;color:'+node.color+'">'+node.cluster+'</span>'
+      +'<span class="tag" style="background:#37415120;color:#9ca3af">'+node.type+'</span>'
+      +(node.exported?'<span class="tag" style="background:#10b98120;color:#10b981">exported</span>':'')
+      +'</div>'
+      +(fileFuncs.length?'<div style="margin-top:8px;color:#6b7280;font-size:9px;text-transform:uppercase;letter-spacing:0.05em">Functions ('+fileFuncs.length+')</div>'
+        +fileFuncs.map(f=>'<div style="font-family:ui-monospace,monospace;font-size:10px;color:'+(f.exported?'#a5b4fc':'#6b7280')+';padding:2px 0">'+f.name+(f.guards?.length?' <span style="color:#10b981;font-size:8px">guarded</span>':'')+'</div>').join(''):'')
+      +'<div class="score">'+node.trustScore+'<span style="color:#6b7280;font-size:12px;font-weight:400">/100</span></div>';
+    Graph.centerAt(node.x, node.y, 400);
+    Graph.zoom(3, 400);
+  })
+  .cooldownTicks(80)
+  .d3AlphaDecay(0.03)
+  .d3VelocityDecay(0.3);
+</script></body></html>`;
+    const server = createServer((req, res) => {
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(html);
+    });
+    await new Promise((resolve) => {
+        server.listen(0, () => {
+            const addr = server.address();
+            const port = typeof addr === 'object' && addr ? addr.port : 3456;
+            const url = `http://localhost:${port}`;
+            console.log(`  ${C.cyan}Graph server${C.reset} running at ${C.bold}${url}${C.reset}`);
+            console.log(`  ${C.dim}Press Ctrl+C to stop${C.reset}`);
+            console.log('');
+            // Open browser
+            const cmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
+            exec(`${cmd} ${url}`);
+        });
+    });
+}

package/dist/commands/init.d.ts

@@ -0,0 +1 @@
+export declare function runInit(): Promise<void>;

package/dist/commands/init.js

@@ -0,0 +1,211 @@
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from 'fs';
+import { resolve as resolvePath } from 'path';
+function configureMcp() {
+    const mcpPath = '.mcp.json';
+    let config = {};
+    if (existsSync(mcpPath)) {
+        try {
+            config = JSON.parse(readFileSync(mcpPath, 'utf-8'));
+        }
+        catch { /* invalid json, overwrite */ }
+    }
+    const servers = (config.mcpServers ?? {});
+    if ('corpus' in servers)
+        return; // Already configured
+    // Find the corpus MCP server binary
+    const homeCorpus = `${process.env.HOME}/.corpus/packages/mcp-server/dist/index.js`;
+    const localCorpus = '.corpus/packages/mcp-server/dist/index.js';
+    if (existsSync(homeCorpus)) {
+        servers.corpus = {
+            command: 'node',
+            args: [homeCorpus],
+            type: 'stdio',
+        };
+    }
+    else if (existsSync(localCorpus)) {
+        servers.corpus = {
+            command: 'node',
+            args: [resolvePath(localCorpus)],
+            type: 'stdio',
+        };
+    }
+    else {
+        servers.corpus = {
+            command: 'npx',
+            args: ['corpus-mcp'],
+            type: 'stdio',
+        };
+    }
+    config.mcpServers = servers;
+    writeFileSync(mcpPath, JSON.stringify(config, null, 2) + '\n');
+}
+import { createInterface } from 'readline';
+import path from 'path';
+import { green, bold, dim, cyan } from '../utils/colors.js';
+function ask(rl, question, defaultVal) {
+    return new Promise((resolve) => {
+        rl.question(`  ${question} ${dim(`(${defaultVal})`)}: `, (answer) => {
+            resolve(answer.trim() || defaultVal);
+        });
+    });
+}
+function kebabCase(s) {
+    return s.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
+}
+function installPreCommitHook() {
+    const gitDir = '.git';
+    if (!existsSync(gitDir))
+        return false;
+    const hooksDir = path.join(gitDir, 'hooks');
+    if (!existsSync(hooksDir))
+        mkdirSync(hooksDir, { recursive: true });
+    const hookPath = path.join(hooksDir, 'pre-commit');
+    const hookContent = `#!/bin/sh
+# Corpus pre-commit hook - scans staged files for secrets, PII, and unsafe code
+# Installed by: corpus init --hooks
+
+echo "[corpus] Scanning staged changes..."
+npx corpus scan --staged
+
+EXIT_CODE=$?
+if [ $EXIT_CODE -eq 2 ]; then
+  echo ""
+  echo "[corpus] BLOCKED: Critical security issues found. Fix them before committing."
+  echo "[corpus] Run 'corpus scan' for details, or 'git commit --no-verify' to bypass."
+  exit 1
+elif [ $EXIT_CODE -eq 1 ]; then
+  echo "[corpus] Warnings found. Proceeding with commit."
+fi
+
+exit 0
+`;
+    // Check if hook already exists
+    if (existsSync(hookPath)) {
+        const existing = readFileSync(hookPath, 'utf-8');
+        if (existing.includes('corpus')) {
+            return false; // Already installed
+        }
+        // Append to existing hook
+        writeFileSync(hookPath, existing + '\n' + hookContent);
+    }
+    else {
+        writeFileSync(hookPath, hookContent);
+    }
+    chmodSync(hookPath, '755');
+    return true;
+}
+function installHuskyHook() {
+    const huskyDir = '.husky';
+    if (!existsSync(huskyDir))
+        return false;
+    const hookPath = path.join(huskyDir, 'pre-commit');
+    const hookContent = `npx corpus scan --staged\n`;
+    if (existsSync(hookPath)) {
+        const existing = readFileSync(hookPath, 'utf-8');
+        if (existing.includes('corpus'))
+            return false;
+        writeFileSync(hookPath, existing + '\n' + hookContent);
+    }
+    else {
+        writeFileSync(hookPath, hookContent);
+        chmodSync(hookPath, '755');
+    }
+    return true;
+}
+export async function runInit() {
+    const args = process.argv.slice(3);
+    const wantHooks = args.includes('--hooks');
+    const wantHusky = args.includes('--husky');
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    const policyPath = './corpus.policy.yaml';
+    if (existsSync(policyPath)) {
+        const overwrite = await ask(rl, 'corpus.policy.yaml exists. Overwrite?', 'n');
+        if (overwrite.toLowerCase() !== 'y') {
+            process.stdout.write('  Keeping existing policy file.\n');
+            // Still install hooks if requested
+            if (wantHooks || wantHusky) {
+                installHooks(wantHusky);
+            }
+            rl.close();
+            return;
+        }
+    }
+    const dirName = path.basename(process.cwd());
+    const projectName = await ask(rl, 'Project name', dirName);
+    const projectSlug = await ask(rl, 'Project slug', kebabCase(projectName));
+    // Ask about hooks if not specified via flag
+    let doHooks = wantHooks || wantHusky;
+    if (!doHooks) {
+        const hookAnswer = await ask(rl, 'Install pre-commit hook? (scans before every commit)', 'y');
+        doHooks = hookAnswer.toLowerCase() === 'y';
+    }
+    rl.close();
+    // Write policy file
+    const policyTemplate = `# corpus.policy.yaml
+# Generated by corpus init
+# Scans for: secrets, PII, prompt injection, unsafe code patterns
+
+agent: ${projectSlug}
+version: "1.0"
+
+rules:
+  - name: block_production_writes
+    verdict: BLOCK
+    message: "Production writes require a deployment process."
+    trigger:
+      actionContains: ["prod", "production"]
+
+  - name: confirm_external_calls
+    verdict: CONFIRM
+    message: "This action calls an external service. Proceed?"
+    trigger:
+      actionStartsWith: ["http_request", "webhook_call", "api_call"]
+
+  - name: low_confidence_block
+    verdict: BLOCK
+    blockReason: LOW_CONFIDENCE
+    message: "Not confident enough to act. Please clarify your intent."
+    trigger:
+      contextKey: "confidence"
+      contextValueBelow: 0.50
+`;
+    writeFileSync(policyPath, policyTemplate);
+    // Install hooks
+    let hookResult = '';
+    if (doHooks) {
+        hookResult = installHooks(wantHusky);
+    }
+    // Auto-configure MCP for Claude Code if .mcp.json doesn't have corpus
+    configureMcp();
+    // Print summary
+    process.stdout.write('\n');
+    process.stdout.write(green(bold(`  Corpus initialized for ${projectName}\n`)));
+    process.stdout.write('\n');
+    process.stdout.write(`  Policy file:  ${cyan('corpus.policy.yaml')}\n`);
+    process.stdout.write(`  MCP config:   ${cyan('.mcp.json')} ${dim('(Claude Code / Cursor integration)')}\n`);
+    if (hookResult) {
+        process.stdout.write(`  Pre-commit:   ${green(hookResult)}\n`);
+    }
+    process.stdout.write('\n');
+    process.stdout.write(`  ${bold('What Corpus scans for:')}\n`);
+    process.stdout.write(`    Secrets     API keys, tokens, credentials, database URLs\n`);
+    process.stdout.write(`    PII         Email addresses, phone numbers, SSNs\n`);
+    process.stdout.write(`    Injection   Prompt injection patterns in content\n`);
+    process.stdout.write(`    Safety      eval(), innerHTML, SQL injection, disabled SSL\n`);
+    process.stdout.write(`    AI patterns Inlined env vars, placeholder creds, wildcard CORS\n`);
+    process.stdout.write('\n');
+    process.stdout.write(`  ${bold('Commands:')}\n`);
+    process.stdout.write(`    corpus scan            Scan your codebase now\n`);
+    process.stdout.write(`    corpus scan --staged   Scan only staged changes\n`);
+    process.stdout.write(`    corpus watch           Real-time file watcher\n`);
+    process.stdout.write(`    corpus check           Validate policy files\n`);
+    process.stdout.write('\n');
+}
+function installHooks(useHusky) {
+    if (useHusky) {
+        const installed = installHuskyHook();
+        return installed ? 'Husky pre-commit hook installed' : 'Husky hook already exists';
+    }
+    const installed = installPreCommitHook();
+    return installed ? 'Git pre-commit hook installed' : 'Hook already installed';
+}

package/dist/commands/report.d.ts

@@ -0,0 +1 @@
+export declare function runReport(): Promise<void>;