failproofai 0.0.11-beta.2 → 0.0.11-beta.4

package/dist/cli.mjs

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-import { createRequire } from "node:module";
 var __defProp = Object.defineProperty;
 var __returnValue = (v) => v;
 function __exportSetter(name, newValue) {
@@ -15,14 +14,13 @@ var __export = (target, all) => {
     });
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // package.json
-var version2 = "0.0.11-beta.2";
+var version2 = "0.0.11-beta.4";
 var init_package = () => {};
 
 // src/posthog-key.ts
-var POSTHOG_API_KEY = "phc_Ac1Ww1GqKc0z1SyrRWbmatEeQdlOQIsDEEdP8l8JRgX";
+var POSTHOG_API_KEY = "phc_Ac1Ww1GqKc0z1SyrRWbmatEeQdlOQIsDEEdP8l8JRgX", POSTHOG_PRODUCT = "failproofai-oss";
 
 // src/hooks/hook-telemetry.ts
 var exports_hook_telemetry = {};
@@ -36,7 +34,7 @@ async function trackHookEvent(distinctId, event, properties) {
     api_key: process.env.FAILPROOFAI_POSTHOG_KEY ?? API_KEY,
     event,
     distinct_id: distinctId,
-    properties: { ...properties, $lib: "failproofai-hooks", failproofai_version: version2 }
+    properties: { ...properties, $lib: "failproofai-hooks", failproofai_version: version2, product: POSTHOG_PRODUCT }
   });
   try {
     await fetch(process.env.FAILPROOFAI_POSTHOG_HOST ? `${process.env.FAILPROOFAI_POSTHOG_HOST}/capture/` : CAPTURE_URL, {
@@ -1618,7 +1616,7 @@ function requireCiGreenBeforeStop(ctx) {
     const allChecks = [...workflowRuns, ...thirdPartyChecks, ...commitStatuses];
     if (allChecks.length === 0)
       return allow(`No CI runs found for branch "${branch}".`);
-    const failing = allChecks.filter((r) => r.status === "completed" && r.conclusion !== "success" && r.conclusion !== "skipped" && r.conclusion !== "cancelled");
+    const failing = allChecks.filter((r) => r.status === "completed" && r.conclusion !== "success" && r.conclusion !== "skipped" && r.conclusion !== "cancelled" && r.conclusion !== "neutral");
     if (failing.length > 0) {
       const names = failing.map((r) => `"${r.name}"`).join(", ");
       return deny(`CI checks are failing on branch "${branch}": ${names}. Fix the failing checks now.`);
@@ -2271,7 +2269,7 @@ async function trackHookEvent2(distinctId, event, properties) {
     api_key: process.env.FAILPROOFAI_POSTHOG_KEY ?? API_KEY2,
     event,
     distinct_id: distinctId,
-    properties: { ...properties, $lib: "failproofai-hooks", failproofai_version: version2 }
+    properties: { ...properties, $lib: "failproofai-hooks", failproofai_version: version2, product: POSTHOG_PRODUCT }
   });
   try {
     await fetch(process.env.FAILPROOFAI_POSTHOG_HOST ? `${process.env.FAILPROOFAI_POSTHOG_HOST}/capture/` : CAPTURE_URL2, {
@@ -4885,10 +4883,6 @@ async function parseFileContent(fileContent, source) {
   entries.sort((a, b) => a.timestampMs - b.timestampMs);
   return { entries, rawLines, subagentIds: Array.from(subagentIdSet) };
 }
-async function parseLogContent(fileContent, source = "session") {
-  const result = await parseFileContent(fileContent, source);
-  return result.entries;
-}
 async function parseSessionLog(projectName, sessionId) {
   const projectDir = resolveProjectPath(projectName);
   const projectsPath = getClaudeProjectsPath();
@@ -8730,1768 +8724,549 @@ var init_install_prompt2 = __esm(() => {
   init_telemetry_id2();
 });
 
-// lib/claude-sessions.ts
-import { readdirSync as readdirSync8, statSync as statSync9, existsSync as existsSync12 } from "node:fs";
-import { join as join18, basename as basename4 } from "node:path";
-function getClaudeProjectsRoot() {
-  return getClaudeProjectsPath();
-}
-function listClaudeProjects() {
-  const root = getClaudeProjectsRoot();
-  let entries;
-  try {
-    entries = readdirSync8(root, { withFileTypes: true });
-  } catch {
-    return [];
-  }
-  return entries.filter((e) => e.isDirectory()).map((e) => ({
-    name: e.name,
-    cwd: decodeFolderName(e.name),
-    path: join18(root, e.name)
-  }));
+// lib/telemetry.ts
+function isTelemetryEnabled() {
+  return process.env.FAILPROOFAI_TELEMETRY_DISABLED !== "1";
 }
-function listClaudeTranscripts(project) {
-  const out = [];
-  let entries;
-  try {
-    entries = readdirSync8(project.path, { withFileTypes: true });
-  } catch {
-    return out;
-  }
-  for (const entry of entries) {
-    if (entry.isFile() && entry.name.endsWith(".jsonl")) {
-      const sessionId = entry.name.slice(0, -".jsonl".length);
-      if (!UUID_RE4.test(sessionId))
-        continue;
-      const transcriptPath = join18(project.path, entry.name);
-      try {
-        const s = statSync9(transcriptPath);
-        out.push({
-          projectName: project.name,
-          cwd: project.cwd,
-          sessionId,
-          transcriptPath,
-          mtimeMs: s.mtimeMs,
-          sizeBytes: s.size,
-          isSubagent: false
-        });
-      } catch {}
-    } else if (entry.isDirectory() && UUID_RE4.test(entry.name)) {
-      const subDir = join18(project.path, entry.name, "subagents");
-      if (!existsSync12(subDir))
-        continue;
-      let subEntries;
-      try {
-        subEntries = readdirSync8(subDir, { withFileTypes: true });
-      } catch {
-        continue;
-      }
-      for (const sub of subEntries) {
-        if (!sub.isFile() || !sub.name.endsWith(".jsonl"))
-          continue;
-        const agentId = sub.name.slice(0, -".jsonl".length);
-        const transcriptPath = join18(subDir, sub.name);
-        try {
-          const s = statSync9(transcriptPath);
-          out.push({
-            projectName: project.name,
-            cwd: project.cwd,
-            sessionId: agentId,
-            transcriptPath,
-            mtimeMs: s.mtimeMs,
-            sizeBytes: s.size,
-            isSubagent: true
-          });
-        } catch {}
-      }
-    }
-  }
-  return out;
+function trackEvent(name, properties) {
+  if (!isTelemetryEnabled())
+    return;
+  const client = globalThis.__FAILPROOFAI_POSTHOG__;
+  if (!client)
+    return;
+  client.capture({
+    distinctId: getInstanceId2(),
+    event: name,
+    properties: { ...properties, $lib: "failproofai", failproofai_version: version2, product: POSTHOG_PRODUCT }
+  });
 }
-var UUID_RE4;
-var init_claude_sessions = __esm(() => {
-  init_paths();
-  UUID_RE4 = /^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i;
-});
-
-// src/audit/types.ts
-var AUDIT_TOOL_RESULT_MAX_BYTES, AUDIT_EXAMPLE_MAX_CHARS = 80, AUDIT_MAX_EXAMPLES_PER_NAME = 3;
-var init_types2 = __esm(() => {
-  AUDIT_TOOL_RESULT_MAX_BYTES = 64 * 1024;
+var init_telemetry = __esm(() => {
+  init_telemetry_id2();
+  init_package();
 });
 
-// src/audit/cli-adapters/shared.ts
-function truncateToUtf8Bytes(s, maxBytes) {
-  const buf = Buffer.from(s, "utf-8");
-  if (buf.byteLength <= maxBytes)
-    return s;
-  let end = maxBytes;
-  while (end > 0 && (buf[end] & 192) === 128)
-    end--;
-  return buf.subarray(0, end).toString("utf-8");
-}
-function logEntriesToEvents(entries, ctx) {
-  const events = [];
-  for (const entry of entries) {
-    if (entry.type !== "assistant")
-      continue;
-    for (const block of entry.message.content) {
-      if (block.type !== "tool_use")
-        continue;
-      const rawName = block.name;
-      const canonicalName = canonicalizeToolName(rawName, ctx.cli) ?? rawName;
-      const canonicalInput = canonicalizeToolInput(canonicalName, block.input, ctx.cli);
-      let toolResultText;
-      if (block.result?.content) {
-        toolResultText = truncateToUtf8Bytes(block.result.content, AUDIT_TOOL_RESULT_MAX_BYTES);
-      }
-      events.push({
-        cli: ctx.cli,
-        sessionId: ctx.sessionId,
-        transcriptPath: ctx.transcriptPath,
-        cwd: ctx.cwd,
-        timestamp: entry.timestamp,
-        toolName: canonicalName,
-        rawToolName: rawName,
-        toolInput: canonicalInput ?? {},
-        toolResultText
-      });
-    }
-  }
-  return events;
+// lib/fetch-with-timeout.ts
+function isAbortError(err) {
+  return err instanceof Error && (err.name === "AbortError" || err.name === "TimeoutError");
 }
-var init_shared = __esm(() => {
-  init_tool_name_canonicalize();
-  init_types2();
-});
 
-// src/audit/cli-adapters/claude.ts
-import { readFile as readFile13 } from "node:fs/promises";
-async function listClaudeTranscriptMetadata(opts = {}) {
-  const projectFilter = opts.projects ? new Set(opts.projects) : null;
-  const sinceMs = opts.sinceMs ?? 0;
-  const out = [];
-  for (const project of listClaudeProjects()) {
-    if (projectFilter && !projectFilter.has(project.cwd))
-      continue;
-    let transcripts;
-    try {
-      transcripts = listClaudeTranscripts(project);
-    } catch {
-      continue;
-    }
-    for (const t of transcripts) {
-      if (t.mtimeMs < sinceMs)
-        continue;
-      out.push({
-        cli: "claude",
-        projectName: project.name,
-        sessionId: t.sessionId,
-        transcriptPath: t.transcriptPath,
-        mtimeMs: t.mtimeMs,
-        sizeBytes: t.sizeBytes
-      });
-    }
-  }
-  return out;
+// lib/auth/api-server-client.ts
+function getApiBase() {
+  const raw = process.env.FAILPROOF_API_URL ?? process.env.FAILPROOFAI_API_URL ?? DEFAULT_API_BASE;
+  return raw.replace(/\/+$/, "");
 }
-async function streamClaudeEvents(meta) {
-  let content;
+async function parseError(res) {
+  let body = {};
   try {
-    content = await readFile13(meta.transcriptPath, "utf-8");
-  } catch {
-    return [];
+    body = await res.json();
+  } catch {}
+  const code = body.code ?? `http_${res.status}`;
+  const message = body.message ?? body.detail ?? res.statusText ?? "request failed";
+  let retryAfterSecs = body.retry_after_secs;
+  if (retryAfterSecs === undefined) {
+    const h = res.headers.get("retry-after");
+    if (h) {
+      const n = Number(h);
+      if (Number.isFinite(n))
+        retryAfterSecs = n;
+    }
+  }
+  if (retryAfterSecs !== undefined) {
+    retryAfterSecs = Math.max(0, Math.min(86400, retryAfterSecs));
   }
-  const source = "session";
-  let entries;
+  return new AuthApiError(res.status, code, message, retryAfterSecs);
+}
+function timeoutSignal(extra) {
+  const t = AbortSignal.timeout(REQUEST_TIMEOUT_MS);
+  if (!extra)
+    return t;
+  const anyFn = AbortSignal.any;
+  if (anyFn)
+    return anyFn([t, extra]);
+  const composed = new AbortController;
+  const onAbort = (s) => composed.abort(s.reason);
+  if (t.aborted)
+    onAbort(t);
+  else
+    t.addEventListener("abort", () => onAbort(t), { once: true });
+  if (extra.aborted)
+    onAbort(extra);
+  else
+    extra.addEventListener("abort", () => onAbort(extra), { once: true });
+  return composed.signal;
+}
+function pathFromUrl(url) {
   try {
-    entries = await parseLogContent(content, source);
+    return new URL(url).pathname;
   } catch {
-    return [];
-  }
-  let cwd = "";
-  for (const line of content.split(`
-`, 50)) {
-    if (!line.trim())
-      continue;
-    try {
-      const parsed = JSON.parse(line);
-      if (typeof parsed.cwd === "string" && parsed.cwd.length > 0) {
-        cwd = parsed.cwd;
-        break;
-      }
-    } catch {}
+    return url;
   }
-  return logEntriesToEvents(entries, {
-    cli: "claude",
-    sessionId: meta.sessionId,
-    transcriptPath: meta.transcriptPath,
-    cwd
-  });
 }
-var init_claude = __esm(() => {
-  init_claude_sessions();
-  init_log_entries();
-  init_shared();
-});
-
-// src/audit/cli-adapters/codex.ts
-import { statSync as statSync10 } from "node:fs";
-async function listCodexTranscriptMetadata(opts = {}) {
-  const projectFilter = opts.projects ? new Set(opts.projects) : null;
-  const sinceMs = opts.sinceMs ?? 0;
-  const out = [];
-  const projects = await getCodexProjects();
-  for (const project of projects) {
-    const { cwd, sessions } = await getCodexSessionsByEncodedName(project.name);
-    const effectiveCwd = cwd ?? "";
-    if (projectFilter && !projectFilter.has(effectiveCwd))
-      continue;
-    for (const s of sessions) {
-      const mtimeMs = s.lastModified.getTime();
-      if (mtimeMs < sinceMs)
-        continue;
-      let sizeBytes = 0;
-      try {
-        sizeBytes = statSync10(s.path).size;
-      } catch {}
-      if (!s.sessionId)
-        continue;
-      out.push({
-        cli: "codex",
-        projectName: project.name,
-        sessionId: s.sessionId,
-        transcriptPath: s.path,
-        mtimeMs,
-        sizeBytes
-      });
+async function fetchWithTimeout(url, init) {
+  try {
+    return await fetch(url, { ...init, signal: timeoutSignal(init.signal ?? undefined) });
+  } catch (err) {
+    const isTimeout = isAbortError(err);
+    trackEvent("api_server_unreachable", {
+      kind: isTimeout ? "timeout" : "network",
+      path: pathFromUrl(url),
+      method: typeof init.method === "string" ? init.method : "GET"
+    });
+    if (isTimeout) {
+      throw new AuthApiError(0, "timeout", `request to ${url} timed out after ${REQUEST_TIMEOUT_MS}ms`);
     }
+    throw err;
   }
-  return out;
 }
-async function streamCodexEvents(meta) {
-  const log = await getCodexSessionLog(meta.sessionId);
-  if (!log)
-    return [];
-  return logEntriesToEvents(log.entries, {
-    cli: "codex",
-    sessionId: meta.sessionId,
-    transcriptPath: meta.transcriptPath,
-    cwd: log.cwd ?? ""
+async function postJson(path3, body, init) {
+  const headers = { "content-type": "application/json" };
+  if (init?.accessToken)
+    headers["authorization"] = `Bearer ${init.accessToken}`;
+  const res = await fetchWithTimeout(`${getApiBase()}${path3}`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify(body)
   });
+  if (res.status === 204)
+    return;
+  if (!res.ok)
+    throw await parseError(res);
+  return await res.json();
 }
-var init_codex = __esm(() => {
-  init_codex_projects();
-  init_codex_sessions();
-  init_shared();
-});
-
-// src/audit/cli-adapters/copilot.ts
-import { statSync as statSync11 } from "node:fs";
-async function listCopilotTranscriptMetadata(opts = {}) {
-  const projectFilter = opts.projects ? new Set(opts.projects) : null;
-  const sinceMs = opts.sinceMs ?? 0;
-  const out = [];
-  const projects = await getCopilotProjects();
-  for (const project of projects) {
-    const { cwd, sessions } = await getCopilotSessionsByEncodedName(project.name);
-    const effectiveCwd = cwd ?? "";
-    if (projectFilter && !projectFilter.has(effectiveCwd))
-      continue;
-    for (const s of sessions) {
-      const mtimeMs = s.lastModified.getTime();
-      if (mtimeMs < sinceMs)
-        continue;
-      let sizeBytes = 0;
-      try {
-        sizeBytes = statSync11(s.path).size;
-      } catch {}
-      if (!s.sessionId)
-        continue;
-      out.push({
-        cli: "copilot",
-        projectName: project.name,
-        sessionId: s.sessionId,
-        transcriptPath: s.path,
-        mtimeMs,
-        sizeBytes
-      });
-    }
-  }
-  return out;
-}
-async function streamCopilotEvents(meta) {
-  const log = await getCopilotSessionLog(meta.sessionId);
-  if (!log)
-    return [];
-  return logEntriesToEvents(log.entries, {
-    cli: "copilot",
-    sessionId: meta.sessionId,
-    transcriptPath: meta.transcriptPath,
-    cwd: log.cwd ?? ""
-  });
+async function requestLoginCode(email) {
+  return postJson("/v0/auth/login/request", { email });
 }
-var init_copilot = __esm(() => {
-  init_copilot_projects();
-  init_copilot_sessions();
-  init_shared();
-});
-
-// src/audit/cli-adapters/cursor.ts
-import { statSync as statSync12 } from "node:fs";
-async function listCursorTranscriptMetadata(opts = {}) {
-  const projectFilter = opts.projects ? new Set(opts.projects) : null;
-  const sinceMs = opts.sinceMs ?? 0;
-  const out = [];
-  const projects = await getCursorProjects();
-  for (const project of projects) {
-    const { cwd, sessions } = await getCursorSessionsByEncodedName(project.name);
-    const effectiveCwd = cwd ?? "";
-    if (projectFilter && !projectFilter.has(effectiveCwd))
-      continue;
-    for (const s of sessions) {
-      const mtimeMs = s.lastModified.getTime();
-      if (mtimeMs < sinceMs)
-        continue;
-      let sizeBytes = 0;
-      try {
-        sizeBytes = statSync12(s.path).size;
-      } catch {}
-      if (!s.sessionId)
-        continue;
-      out.push({
-        cli: "cursor",
-        projectName: project.name,
-        sessionId: s.sessionId,
-        transcriptPath: s.path,
-        mtimeMs,
-        sizeBytes
-      });
-    }
-  }
-  return out;
+async function verifyLoginCode(email, code) {
+  return postJson("/v0/auth/login/verify", { email, code });
 }
-async function streamCursorEvents(meta) {
-  const log = await getCursorSessionLog(meta.sessionId);
-  if (!log)
-    return [];
-  return logEntriesToEvents(log.entries, {
-    cli: "cursor",
-    sessionId: meta.sessionId,
-    transcriptPath: meta.transcriptPath,
-    cwd: log.cwd ?? ""
-  });
+async function logoutSession(accessToken, refreshToken) {
+  await postJson("/v0/auth/logout", { refresh_token: refreshToken }, { accessToken });
 }
-var init_cursor = __esm(() => {
-  init_cursor_projects();
-  init_cursor_sessions();
-  init_shared();
+var DEFAULT_API_BASE = "https://api.befailproof.ai", AuthApiError, REQUEST_TIMEOUT_MS = 1e4;
+var init_api_server_client = __esm(() => {
+  init_telemetry();
+  AuthApiError = class AuthApiError extends Error {
+    status;
+    code;
+    retryAfterSecs;
+    constructor(status, code, message, retryAfterSecs) {
+      super(message);
+      this.status = status;
+      this.code = code;
+      this.retryAfterSecs = retryAfterSecs;
+      this.name = "AuthApiError";
+    }
+  };
 });
 
-// lib/opencode-sessions.ts
-import { execFileSync as execFileSync3 } from "node:child_process";
-function runOpenCodeDb2(sql) {
+// lib/atomic-write.ts
+import {
+  chmodSync,
+  existsSync as existsSync12,
+  mkdirSync as mkdirSync6,
+  renameSync as renameSync3,
+  rmSync,
+  statSync as statSync9,
+  writeFileSync as writeFileSync5
+} from "node:fs";
+import { dirname as dirname5 } from "node:path";
+import { randomBytes } from "node:crypto";
+function writeJsonAtomically(filePath, value, opts = {}) {
+  const mode = opts.mode ?? 384;
+  const dirMode = opts.dirMode ?? 448;
+  const dir = dirname5(filePath);
+  if (!existsSync12(dir))
+    mkdirSync6(dir, { recursive: true, mode: dirMode });
+  const tmp = `${filePath}.${process.pid}.${randomBytes(6).toString("hex")}.tmp`;
   try {
-    const stdout = execFileSync3("opencode", ["db", "--format", "json", sql], {
-      encoding: "utf8",
-      timeout: 5000,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    if (!stdout.trim())
-      return [];
-    const parsed = JSON.parse(stdout);
-    if (!Array.isArray(parsed))
-      return null;
-    return parsed;
-  } catch {
-    return null;
+    writeFileSync5(tmp, JSON.stringify(value, null, 2), { mode });
+    try {
+      if ((statSync9(tmp).mode & 63) !== 0)
+        chmodSync(tmp, mode);
+    } catch {}
+    renameSync3(tmp, filePath);
+    try {
+      if ((statSync9(filePath).mode & 63) !== 0)
+        chmodSync(filePath, mode);
+    } catch {}
+  } catch (err) {
+    try {
+      rmSync(tmp, { force: true });
+    } catch {}
+    throw err;
   }
 }
-function isPlainObject(value) {
-  return !!value && typeof value === "object" && !Array.isArray(value);
-}
-function parseDataColumn(raw) {
-  if (typeof raw !== "string" || raw.length === 0)
+var init_atomic_write = () => {};
+
+// lib/auth/auth-store.ts
+import { existsSync as existsSync13, readFileSync as readFileSync10, rmSync as rmSync2 } from "node:fs";
+import { homedir as homedir19 } from "node:os";
+import { join as join18 } from "node:path";
+function getAuthDir() {
+  const override = process.env.FAILPROOFAI_AUTH_DIR;
+  if (override)
+    return override;
+  return join18(homedir19(), ".failproofai");
+}
+function getAuthFilePath() {
+  return join18(getAuthDir(), "auth.json");
+}
+function readAuth() {
+  const p = getAuthFilePath();
+  if (!existsSync13(p))
     return null;
   try {
+    const raw = readFileSync10(p, "utf-8");
     const parsed = JSON.parse(raw);
-    return isPlainObject(parsed) ? parsed : null;
-  } catch {
-    return null;
-  }
-}
-function readContentText(data) {
-  if (typeof data.text === "string")
-    return data.text;
-  if (typeof data.content === "string")
-    return data.content;
-  return "";
-}
-function translateMessage(msgRow, partRows, source) {
-  const msgData = parseDataColumn(msgRow.data) ?? {};
-  const role = typeof msgData.role === "string" ? msgData.role : "system";
-  const date = new Date(msgRow.time_created);
-  const timestamp = date.toISOString();
-  const raw = { uuid: msgRow.id, parentUuid: null };
-  const base = baseEntry(raw, timestamp, date, source);
-  const content = [];
-  let userText = "";
-  for (const p of partRows) {
-    const data = parseDataColumn(p.data);
-    if (!data)
-      continue;
-    const type = typeof data.type === "string" ? data.type : "unknown";
-    if (type === "text") {
-      const text = readContentText(data);
-      if (text) {
-        content.push({ type: "text", text });
-        userText += (userText ? `
-` : "") + text;
-      }
-      continue;
+    if (typeof parsed.access_token !== "string" || typeof parsed.refresh_token !== "string" || typeof parsed.access_expires_at !== "number" || typeof parsed.user !== "object" || !parsed.user || typeof parsed.user.id !== "string" || typeof parsed.user.email !== "string") {
+      return null;
     }
-    if (type === "tool") {
-      const toolName = typeof data.tool === "string" ? data.tool : typeof data.name === "string" ? data.name : "tool";
-      const state = isPlainObject(data.state) ? data.state : null;
-      const input = state && isPlainObject(state.input) ? state.input : isPlainObject(data.input) ? data.input : isPlainObject(data.args) ? data.args : {};
-      const block = {
-        type: "tool_use",
-        id: p.id,
-        name: toolName,
-        input
-      };
-      const status = state && typeof state.status === "string" ? state.status : "";
-      if (state && (status === "completed" || status === "error")) {
-        const errorText = status === "error" && typeof state.error === "string" ? state.error : null;
-        const rawOutput = errorText ?? state.output;
-        const contentText = typeof rawOutput === "string" ? rawOutput : rawOutput != null ? JSON.stringify(rawOutput) : "";
-        const time = isPlainObject(state.time) ? state.time : {};
-        const startMs = typeof time.start === "number" ? time.start : p.time_created;
-        const endMs = typeof time.end === "number" ? time.end : p.time_updated;
-        const durationMs = Math.max(0, endMs - startMs);
-        const date2 = new Date(endMs);
-        block.result = {
-          timestamp: date2.toISOString(),
-          timestampFormatted: formatTimestamp(date2),
-          content: contentText,
-          durationMs,
-          durationFormatted: formatDuration(durationMs)
-        };
+    return {
+      access_token: parsed.access_token,
+      refresh_token: parsed.refresh_token,
+      access_expires_at: parsed.access_expires_at,
+      refresh_expires_at: typeof parsed.refresh_expires_at === "number" ? parsed.refresh_expires_at : parsed.access_expires_at,
+      user: {
+        id: parsed.user.id,
+        email: parsed.user.email
       }
-      content.push(block);
-      continue;
-    }
-    content.push({ type: "text", text: `[opencode ${type}]` });
-  }
-  if (role === "user") {
-    const entry2 = {
-      ...base,
-      type: "user",
-      message: { role: "user", content: userText }
     };
-    return entry2;
-  }
-  if (role === "assistant") {
-    const modelInfo = isPlainObject(msgData.model) ? msgData.model : null;
-    const modelStr = modelInfo && typeof modelInfo.modelID === "string" ? modelInfo.modelID : undefined;
-    const entry2 = {
-      ...base,
-      type: "assistant",
-      message: { role: "assistant", content, model: modelStr }
-    };
-    return entry2;
-  }
-  const entry = {
-    ...base,
-    type: "system",
-    raw: { id: msgRow.id, role, parts: content }
-  };
-  return entry;
-}
-async function getOpenCodeSessionLog(sessionId) {
-  if (!sessionId || !/^[A-Za-z0-9_-]+$/.test(sessionId))
-    return null;
-  const sessions = runOpenCodeDb2(`SELECT id, project_id, slug, directory, title, time_created, time_updated FROM session WHERE id = '${sessionId}'`);
-  if (!sessions || sessions.length === 0)
+  } catch {
     return null;
-  const session = sessions[0];
-  const messages = runOpenCodeDb2(`SELECT id, session_id, time_created, time_updated, data FROM message WHERE session_id = '${sessionId}' ORDER BY time_created ASC`);
-  const parts = runOpenCodeDb2(`SELECT id, message_id, session_id, time_created, time_updated, data FROM part WHERE session_id = '${sessionId}' ORDER BY time_created ASC`);
-  if (!messages)
-    return { entries: [], rawLines: [], cwd: session.directory ?? undefined, filePath: `opencode://${sessionId}` };
-  const partsByMessage = new Map;
-  for (const p of parts ?? []) {
-    let bucket = partsByMessage.get(p.message_id);
-    if (!bucket) {
-      bucket = [];
-      partsByMessage.set(p.message_id, bucket);
-    }
-    bucket.push(p);
   }
-  const entries = [];
-  const rawLines = [];
-  for (const msg of messages) {
-    const partRows = partsByMessage.get(msg.id) ?? [];
-    entries.push(translateMessage(msg, partRows, "session"));
-    const data = parseDataColumn(msg.data);
-    rawLines.push({
-      id: msg.id,
-      session_id: msg.session_id,
-      time_created: msg.time_created,
-      data: data ?? msg.data
-    });
+}
+function writeAuth(auth) {
+  writeJsonAtomically(getAuthFilePath(), auth);
+}
+function deleteAuth() {
+  const p = getAuthFilePath();
+  if (existsSync13(p))
+    rmSync2(p, { force: true });
+}
+function authFromTokenResponse(token, existingUser) {
+  const now = Math.floor(Date.now() / 1000);
+  const user = token.user ?? existingUser;
+  if (!user) {
+    throw new Error("authFromTokenResponse: missing user identity");
   }
   return {
-    entries,
-    rawLines,
-    cwd: session.directory ?? undefined,
-    filePath: `opencode://${sessionId}`
+    access_token: token.access_token,
+    refresh_token: token.refresh_token,
+    access_expires_at: now + token.access_expires_in,
+    refresh_expires_at: now + token.refresh_expires_in,
+    user
   };
 }
-var getCachedOpenCodeSessionLog;
-var init_opencode_sessions = __esm(() => {
-  init_log_entries();
-  getCachedOpenCodeSessionLog = runtimeCache((sessionId) => getOpenCodeSessionLog(sessionId), 30, { maxSize: 50 });
+var inFlightRefreshes;
+var init_auth_store = __esm(() => {
+  init_atomic_write();
+  init_api_server_client();
+  inFlightRefreshes = new Map;
 });
 
-// src/audit/cli-adapters/opencode.ts
-async function listOpenCodeTranscriptMetadata(opts = {}) {
-  const projectFilter = opts.projects ? new Set(opts.projects) : null;
-  const sinceMs = opts.sinceMs ?? 0;
-  const out = [];
-  const projects = await getOpenCodeProjects();
-  for (const project of projects) {
-    const { cwd, sessions } = await getOpenCodeSessionsByEncodedName(project.name);
-    const effectiveCwd = cwd ?? "";
-    if (projectFilter && !projectFilter.has(effectiveCwd))
+// src/auth/cli.ts
+var exports_cli = {};
+__export(exports_cli, {
+  runAuthCli: () => runAuthCli,
+  parseAuthArgs: () => parseAuthArgs
+});
+import * as readline3 from "node:readline";
+function parseAuthArgs(args) {
+  if (args.includes("--help") || args.includes("-h"))
+    return { mode: "help" };
+  const positional = [];
+  const legacy = [];
+  for (const a of args) {
+    if (a === "--help" || a === "-h")
+      continue;
+    if (a in LEGACY_FLAG_TO_SUB) {
+      legacy.push(LEGACY_FLAG_TO_SUB[a]);
       continue;
-    for (const s of sessions) {
-      const mtimeMs = s.lastModified.getTime();
-      if (mtimeMs < sinceMs)
-        continue;
-      if (!s.sessionId)
-        continue;
-      out.push({
-        cli: "opencode",
-        projectName: project.name,
-        sessionId: s.sessionId,
-        transcriptPath: s.path,
-        mtimeMs,
-        sizeBytes: 0
-      });
     }
+    if (a.startsWith("-")) {
+      throw new CliError(`Unknown flag for auth: ${a}
+Run \`failproofai auth help\` for usage.`);
+    }
+    positional.push(a);
+  }
+  const subs = [...positional, ...legacy];
+  if (subs.length === 0)
+    return { mode: "help" };
+  if (subs.length > 1) {
+    throw new CliError(`Pick one of login, logout, whoami.
+Run \`failproofai auth help\` for usage.`);
+  }
+  const sub = subs[0];
+  if (!SUBCOMMANDS.has(sub)) {
+    throw new CliError(`Unknown auth subcommand: ${sub}
+Run \`failproofai auth help\` for usage.`);
+  }
+  return { mode: sub };
+}
+function prompt(question, opts = {}) {
+  const rl = readline3.createInterface({ input: process.stdin, output: process.stdout });
+  if (opts.hidden && process.stdin.isTTY) {
+    const r = rl;
+    const orig = r._writeToOutput.bind(rl);
+    r._writeToOutput = (s) => {
+      if (s.length > 0 && s !== `\r
+` && s !== `
+`)
+        orig("*");
+      else
+        orig(s);
+    };
   }
-  return out;
-}
-async function streamOpenCodeEvents(meta) {
-  const log = await getOpenCodeSessionLog(meta.sessionId);
-  if (!log)
-    return [];
-  return logEntriesToEvents(log.entries, {
-    cli: "opencode",
-    sessionId: meta.sessionId,
-    transcriptPath: meta.transcriptPath,
-    cwd: log.cwd ?? ""
+  return new Promise((resolve12) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      if (opts.hidden && process.stdin.isTTY)
+        process.stdout.write(`
+`);
+      resolve12(answer.trim());
+    });
   });
 }
-var init_opencode = __esm(() => {
-  init_opencode_projects();
-  init_opencode_sessions();
-  init_shared();
-});
-
-// src/audit/cli-adapters/pi.ts
-import { statSync as statSync13 } from "node:fs";
-async function listPiTranscriptMetadata(opts = {}) {
-  const projectFilter = opts.projects ? new Set(opts.projects) : null;
-  const sinceMs = opts.sinceMs ?? 0;
-  const out = [];
-  const projects = await getPiProjects();
-  for (const project of projects) {
-    const { cwd, sessions } = await getPiSessionsByEncodedName(project.name);
-    const effectiveCwd = cwd ?? "";
-    if (projectFilter && !projectFilter.has(effectiveCwd))
-      continue;
-    for (const s of sessions) {
-      const mtimeMs = s.lastModified.getTime();
-      if (mtimeMs < sinceMs)
-        continue;
-      let sizeBytes = 0;
-      try {
-        sizeBytes = statSync13(s.path).size;
-      } catch {}
-      if (!s.sessionId)
-        continue;
-      out.push({
-        cli: "pi",
-        projectName: project.name,
-        sessionId: s.sessionId,
-        transcriptPath: s.path,
-        mtimeMs,
-        sizeBytes
+function emailLooksValid(email) {
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
+}
+async function runLogin() {
+  const existing = readAuth();
+  if (existing) {
+    const nowSecs = Math.floor(Date.now() / 1000);
+    const refreshUsable = existing.refresh_expires_at > nowSecs;
+    if (refreshUsable) {
+      trackHookEvent2(getInstanceId2(), "audit_cli_auth_login_completed", {
+        source: "cli",
+        status: "already_signed_in",
+        user_id: existing.user.id
       });
+      process.stdout.write(`${DIM}already signed in as${RESET} ${existing.user.email} ${DIM}(use \`failproofai auth logout\` to switch accounts)${RESET}
+`);
+      return;
     }
+    process.stdout.write(`${DIM}stored session for ${existing.user.email} has expired — re-authenticating.${RESET}
+`);
+    deleteAuth();
   }
-  return out;
-}
-async function streamPiEvents(meta) {
-  const log = await getPiSessionLog(meta.sessionId);
-  if (!log)
-    return [];
-  return logEntriesToEvents(log.entries, {
-    cli: "pi",
-    sessionId: meta.sessionId,
-    transcriptPath: meta.transcriptPath,
-    cwd: log.cwd ?? ""
+  trackHookEvent2(getInstanceId2(), "audit_cli_auth_login_started", {
+    source: "cli",
+    api_base: getApiBase(),
+    replaced_stale: existing !== null
   });
-}
-var init_pi = __esm(() => {
-  init_pi_projects();
-  init_pi_sessions();
-  init_shared();
-});
+  process.stdout.write(`${PINK}━━ failproofai auth ━━${RESET}
+`);
+  process.stdout.write(`${DIM}api: ${getApiBase()}${RESET}
 
-// src/audit/cli-adapters/gemini.ts
-import { statSync as statSync14 } from "node:fs";
-async function listGeminiTranscriptMetadata(opts = {}) {
-  const projectFilter = opts.projects ? new Set(opts.projects) : null;
-  const sinceMs = opts.sinceMs ?? 0;
-  const out = [];
-  const projects = await getGeminiProjects();
-  for (const project of projects) {
-    const { cwd, sessions } = await getGeminiSessionsByEncodedName(project.name);
-    const effectiveCwd = cwd ?? "";
-    if (projectFilter && !projectFilter.has(effectiveCwd))
+`);
+  let email = "";
+  for (let attempt = 0;attempt < 3; attempt++) {
+    email = await prompt("email: ");
+    if (emailLooksValid(email))
+      break;
+    process.stdout.write(`${RED}that doesn't look like an email — try again.${RESET}
+`);
+    email = "";
+  }
+  if (!email) {
+    trackHookEvent2(getInstanceId2(), "audit_cli_auth_login_completed", {
+      source: "cli",
+      status: "aborted_invalid_email"
+    });
+    throw new CliError("Could not read a valid email after 3 attempts.");
+  }
+  try {
+    const r = await requestLoginCode(email);
+    trackHookEvent2(getInstanceId2(), "audit_otp_requested", {
+      source: "cli",
+      status: "success",
+      expires_in: r.expires_in,
+      resend_available_in: r.resend_available_in
+    });
+    process.stdout.write(`
+${GREEN}code sent.${RESET} ${DIM}check ${email} — expires in ${r.expires_in}s.${RESET}
+`);
+  } catch (err) {
+    const isApi = err instanceof AuthApiError;
+    trackHookEvent2(getInstanceId2(), "audit_otp_requested", {
+      source: "cli",
+      status: "failed",
+      error_code: isApi ? err.code : "upstream_unreachable",
+      http_status: isApi ? err.status : null
+    });
+    if (isApi && err.code === "rate_limited") {
+      throw new CliError(`Rate limited — try again in ${err.retryAfterSecs ?? "a few"} seconds.`);
+    }
+    if (isApi) {
+      throw new CliError(`Login request failed (${err.code}): ${err.message}`);
+    }
+    throw new CliError(`Could not reach the api-server at ${getApiBase()}.
+` + `Check your network, or set FAILPROOF_API_URL to point at a different host.`);
+  }
+  let tokenResp;
+  let verifyAttempts = 0;
+  for (let attempt = 0;attempt < 5; attempt++) {
+    const code = await prompt("code:  ", { hidden: true });
+    if (!code)
       continue;
-    for (const s of sessions) {
-      const mtimeMs = s.lastModified.getTime();
-      if (mtimeMs < sinceMs)
-        continue;
-      let sizeBytes = 0;
-      try {
-        sizeBytes = statSync14(s.path).size;
-      } catch {}
-      if (!s.sessionId)
-        continue;
-      out.push({
-        cli: "gemini",
-        projectName: project.name,
-        sessionId: s.sessionId,
-        transcriptPath: s.path,
-        mtimeMs,
-        sizeBytes
+    verifyAttempts += 1;
+    try {
+      tokenResp = await verifyLoginCode(email, code);
+      break;
+    } catch (err) {
+      const isApi = err instanceof AuthApiError;
+      trackHookEvent2(getInstanceId2(), "audit_otp_verified", {
+        source: "cli",
+        status: "failed",
+        attempt: verifyAttempts,
+        error_code: isApi ? err.code : "upstream_unreachable",
+        http_status: isApi ? err.status : null
       });
+      if (isApi && err.status === 401) {
+        process.stdout.write(`${RED}code rejected — try again.${RESET}
+`);
+        continue;
+      }
+      if (isApi) {
+        throw new CliError(`Verify failed (${err.code}): ${err.message}`);
+      }
+      throw new CliError(`Could not reach the api-server at ${getApiBase()}.`);
     }
   }
-  return out;
-}
-async function streamGeminiEvents(meta) {
-  const log = await getGeminiSessionLog(meta.sessionId);
-  if (!log)
-    return [];
-  return logEntriesToEvents(log.entries, {
-    cli: "gemini",
-    sessionId: meta.sessionId,
-    transcriptPath: meta.transcriptPath,
-    cwd: log.cwd ?? ""
+  if (!tokenResp) {
+    trackHookEvent2(getInstanceId2(), "audit_cli_auth_login_completed", {
+      source: "cli",
+      status: "exhausted_attempts",
+      attempts: verifyAttempts
+    });
+    throw new CliError("Too many bad codes — start over.");
+  }
+  writeAuth(authFromTokenResponse(tokenResp));
+  trackHookEvent2(getInstanceId2(), "audit_otp_verified", {
+    source: "cli",
+    status: "success",
+    attempt: verifyAttempts,
+    user_id: tokenResp.user.id,
+    email: tokenResp.user.email
+  });
+  trackHookEvent2(getInstanceId2(), "audit_user_identity_linked", {
+    source: "cli",
+    user_id: tokenResp.user.id,
+    email: tokenResp.user.email,
+    local_random_id: getInstanceId2(),
+    $set: { email: tokenResp.user.email, user_id: tokenResp.user.id }
+  });
+  trackHookEvent2(getInstanceId2(), "audit_cli_auth_login_completed", {
+    source: "cli",
+    status: "success",
+    attempts: verifyAttempts,
+    user_id: tokenResp.user.id
   });
+  process.stdout.write(`
+${GREEN}✓ signed in as ${tokenResp.user.email}${RESET}
+` + `${DIM}session saved to ~/.failproofai/auth.json (mode 0600)${RESET}
+`);
 }
-var init_gemini = __esm(() => {
-  init_gemini_projects();
-  init_gemini_sessions();
-  init_shared();
-});
-
-// src/audit/cli-adapters/index.ts
-var ADAPTERS;
-var init_cli_adapters = __esm(() => {
-  init_claude();
-  init_codex();
-  init_copilot();
-  init_cursor();
-  init_opencode();
-  init_pi();
-  init_gemini();
-  ADAPTERS = {
-    claude: {
-      cli: "claude",
-      listTranscripts: listClaudeTranscriptMetadata,
-      streamEvents: streamClaudeEvents
-    },
-    codex: {
-      cli: "codex",
-      listTranscripts: listCodexTranscriptMetadata,
-      streamEvents: streamCodexEvents
-    },
-    copilot: {
-      cli: "copilot",
-      listTranscripts: listCopilotTranscriptMetadata,
-      streamEvents: streamCopilotEvents
-    },
-    cursor: {
-      cli: "cursor",
-      listTranscripts: listCursorTranscriptMetadata,
-      streamEvents: streamCursorEvents
-    },
-    opencode: {
-      cli: "opencode",
-      listTranscripts: listOpenCodeTranscriptMetadata,
-      streamEvents: streamOpenCodeEvents
-    },
-    pi: {
-      cli: "pi",
-      listTranscripts: listPiTranscriptMetadata,
-      streamEvents: streamPiEvents
-    },
-    gemini: {
-      cli: "gemini",
-      listTranscripts: listGeminiTranscriptMetadata,
-      streamEvents: streamGeminiEvents
-    }
-  };
-});
-
-// src/audit/detectors/redundant-cd-cwd.ts
-var redundantCdCwd;
-var init_redundant_cd_cwd = __esm(() => {
-  redundantCdCwd = {
-    name: "redundant-cd-cwd",
-    description: "Bash commands prefixed with `cd <cwd> && …` even though commands already run in cwd.",
-    category: "Wasteful",
-    severity: "info",
-    displayTitle: "Prepended cd <cwd> before commands",
-    impact: "Pure waste — your agent's shell already runs in `cwd`.",
-    detect(event) {
-      if (event.toolName !== "Bash")
-        return null;
-      const command = event.toolInput.command;
-      if (typeof command !== "string" || !event.cwd)
-        return null;
-      const trimmed = command.trimStart();
-      const match = /^cd\s+(?:"([^"]+)"|'([^']+)'|(\S+))\s*&&\s*([\s\S]+)$/.exec(trimmed);
-      if (!match)
-        return null;
-      const path3 = (match[1] ?? match[2] ?? match[3] ?? "").replace(/\/+$/, "");
-      const cwd = event.cwd.replace(/\/+$/, "");
-      if (path3 !== cwd)
-        return null;
-      const rest = match[4].trim();
-      return { example: `cd ${path3} && ${rest}` };
-    }
-  };
-});
-
-// src/audit/detectors/prefer-edit-over-read-cat.ts
-var SOURCE_EXT_RE, preferEditOverReadCat;
-var init_prefer_edit_over_read_cat = __esm(() => {
-  SOURCE_EXT_RE = /\.(?:ts|tsx|js|jsx|mjs|cjs|py|go|rs|java|kt|swift|rb|php|c|h|cc|cpp|hpp|cs|scala|sh|bash|zsh|json|yaml|yml|toml|md|txt|sql|html|css|scss|sass)$/i;
-  preferEditOverReadCat = {
-    name: "prefer-edit-over-read-cat",
-    description: "Bash `cat`/`head`/`tail`/`less`/`more` on a single source file — use Read.",
-    category: "Wasteful",
-    severity: "info",
-    displayTitle: "Used `cat`/`head`/`tail` on a source file",
-    impact: "Burns tokens; the Read tool returns content directly without going through Bash output.",
-    detect(event) {
-      if (event.toolName !== "Bash")
-        return null;
-      const command = event.toolInput.command;
-      if (typeof command !== "string")
-        return null;
-      const cmd = command.trim();
-      if (/[|<>;&`$()]/.test(cmd))
-        return null;
-      const match = /^(cat|head|tail|less|more)\s+(?:-\S+\s+)*(?:"([^"]+)"|'([^']+)'|(\S+))\s*$/.exec(cmd);
-      if (!match)
-        return null;
-      const path3 = match[2] ?? match[3] ?? match[4] ?? "";
-      if (!path3)
-        return null;
-      if (/(?:^|\/)\.env(?:\..+)?$/.test(path3))
-        return null;
-      if (!SOURCE_EXT_RE.test(path3))
-        return null;
-      return { example: cmd };
-    }
-  };
-});
-
-// src/audit/detectors/prefer-edit-over-sed-awk.ts
-var preferEditOverSedAwk;
-var init_prefer_edit_over_sed_awk = __esm(() => {
-  preferEditOverSedAwk = {
-    name: "prefer-edit-over-sed-awk",
-    description: "Bash `sed -i`/`awk` in-place edits — use Edit.",
-    category: "Wasteful",
-    severity: "info",
-    displayTitle: "Used sed -i or awk for an in-place edit",
-    impact: "Edit tool is safer and produces a diff the agent can verify.",
-    detect(event) {
-      if (event.toolName !== "Bash")
-        return null;
-      const command = event.toolInput.command;
-      if (typeof command !== "string")
-        return null;
-      const cmd = command.trim();
-      if (/(?:^|\s|;|&&|\|\|)sed\b[^|]*\s-i(?=\b|['"])/.test(cmd)) {
-        return { example: cmd };
-      }
-      if (/(?:^|\s|;|&&|\|\|)awk\b[^|]*\s>\s*\S+/.test(cmd) && !/\|/.test(cmd)) {
-        return { example: cmd };
-      }
-      return null;
-    }
-  };
-});
-
-// src/audit/detectors/prefer-write-over-heredoc.ts
-var preferWriteOverHeredoc;
-var init_prefer_write_over_heredoc = __esm(() => {
-  preferWriteOverHeredoc = {
-    name: "prefer-write-over-heredoc",
-    description: "Bash heredoc / `echo > file` writing multi-line content — use Write.",
-    category: "Wasteful",
-    severity: "info",
-    displayTitle: "Used heredoc / `echo > file` to write a multi-line file",
-    impact: "Write tool handles escaping and is verifiable.",
-    detect(event) {
-      if (event.toolName !== "Bash")
-        return null;
-      const command = event.toolInput.command;
-      if (typeof command !== "string")
-        return null;
-      const cmd = command;
-      if (/<<-?\s*['"]?[A-Za-z_][A-Za-z0-9_]*['"]?\s*>\s*\S/.test(cmd)) {
-        const summary = cmd.replace(/\s+/g, " ").trim().slice(0, 160);
-        return { example: summary };
-      }
-      if (/(?:^|\s|;|&&|\|\|)(?:echo|printf)\s+["'][^"']*\n[^"']*["']\s*>\s*\S/.test(cmd)) {
-        const summary = cmd.replace(/\s+/g, " ").trim().slice(0, 160);
-        return { example: summary };
-      }
-      return null;
-    }
-  };
-});
-
-// src/audit/detectors/sleep-polling-loop.ts
-var SLEEP_THRESHOLD_SECONDS = 30, sleepPollingLoop;
-var init_sleep_polling_loop = __esm(() => {
-  sleepPollingLoop = {
-    name: "sleep-polling-loop",
-    description: "Bash long `sleep` or while-sleep polling loops.",
-    category: "Wasteful",
-    severity: "info",
-    displayTitle: "Used a long sleep or while-sleep polling loop",
-    impact: "Burns wall-clock; better to wait for an explicit signal.",
-    detect(event) {
-      if (event.toolName !== "Bash")
-        return null;
-      const command = event.toolInput.command;
-      if (typeof command !== "string")
-        return null;
-      const cmd = command;
-      if (/\bwhile\b[\s\S]*?\bsleep\b[\s\S]*?\bdone\b/.test(cmd)) {
-        return { example: cmd.replace(/\s+/g, " ").trim().slice(0, 160) };
-      }
-      const match = /\bsleep\s+(\d+(?:\.\d+)?)(m|h|d)?\b/.exec(cmd);
-      if (match) {
-        const n = parseFloat(match[1]);
-        const unit = match[2] ?? "s";
-        const seconds = unit === "m" ? n * 60 : unit === "h" ? n * 3600 : unit === "d" ? n * 86400 : n;
-        if (seconds >= SLEEP_THRESHOLD_SECONDS) {
-          return { example: cmd.replace(/\s+/g, " ").trim().slice(0, 160) };
-        }
-      }
-      return null;
-    }
-  };
-});
-
-// src/audit/detectors/find-from-root.ts
-var RISKY_ROOTS, findFromRoot;
-var init_find_from_root = __esm(() => {
-  RISKY_ROOTS = ["/", "/home", "/usr", "/etc", "/var", "/opt", "/Users"];
-  findFromRoot = {
-    name: "find-from-root",
-    description: "Bash `find` against `/`, `/home`, `/usr`, etc. — scope to cwd instead.",
-    category: "Risky",
-    severity: "warn",
-    displayTitle: "Ran find from /, /home, /usr, etc.",
-    impact: "Filesystem-wide finds exhaust resources and rarely return useful results.",
-    detect(event) {
-      if (event.toolName !== "Bash")
-        return null;
-      const command = event.toolInput.command;
-      if (typeof command !== "string")
-        return null;
-      const cmd = command.trim();
-      const match = /(?:^|[\s;|&])find\s+(?:-\S+\s+)*("[^"]+"|'[^']+'|\S+)/.exec(cmd);
-      if (!match)
-        return null;
-      const raw = match[1].replace(/^["']|["']$/g, "");
-      const stripped = raw.replace(/\/+$/, "") || "/";
-      if (!RISKY_ROOTS.includes(stripped))
-        return null;
-      return { example: cmd.slice(0, 160) };
-    }
-  };
-});
-
-// src/audit/detectors/git-commit-no-verify.ts
-var gitCommitNoVerify;
-var init_git_commit_no_verify = __esm(() => {
-  gitCommitNoVerify = {
-    name: "git-commit-no-verify",
-    description: "git commit invoked with --no-verify / -n, skipping hooks.",
-    category: "Risky",
-    severity: "warn",
-    displayTitle: "Committed with --no-verify",
-    impact: "Skips pre-commit hooks that exist to catch broken or unsafe code.",
-    detect(event) {
-      if (event.toolName !== "Bash")
-        return null;
-      const command = event.toolInput.command;
-      if (typeof command !== "string")
-        return null;
-      const cmd = command;
-      if (!/\bgit\s+commit\b/.test(cmd))
-        return null;
-      if (/\s--no-verify\b/.test(cmd) || /\s-n\b/.test(cmd)) {
-        return { example: cmd.replace(/\s+/g, " ").trim().slice(0, 160) };
-      }
-      return null;
-    }
-  };
-});
-
-// src/audit/detectors/reread-after-edit.ts
-function getState(state) {
-  let s = state[STATE_KEY];
-  if (!s) {
-    s = { countdown: new Map };
-    state[STATE_KEY] = s;
-  }
-  return s;
-}
-var STATE_KEY = "rereadAfterEdit", WINDOW = 5, rereadAfterEdit;
-var init_reread_after_edit = __esm(() => {
-  rereadAfterEdit = {
-    name: "reread-after-edit",
-    description: "Read of a file that was just Edit'd or Write'n in the same session.",
-    category: "Wasteful",
-    severity: "info",
-    displayTitle: "Re-read a file it just edited",
-    impact: "Edit/Write already returned the updated content; the second Read is wasted tokens.",
-    detect(event, sessionState) {
-      const state = getState(sessionState);
-      const filePath = event.toolInput.file_path;
-      const pathStr = typeof filePath === "string" ? filePath : null;
-      for (const [key, n] of state.countdown) {
-        if (n <= 1)
-          state.countdown.delete(key);
-        else
-          state.countdown.set(key, n - 1);
-      }
-      if (!pathStr)
-        return null;
-      if (event.toolName === "Edit" || event.toolName === "Write") {
-        state.countdown.set(pathStr, WINDOW);
-        return null;
-      }
-      if (event.toolName === "Read") {
-        if (state.countdown.has(pathStr)) {
-          state.countdown.delete(pathStr);
-          return { example: `Read ${pathStr} immediately after Edit/Write` };
-        }
-      }
-      return null;
-    }
-  };
-});
-
-// src/audit/detectors/index.ts
-var AUDIT_DETECTORS;
-var init_detectors = __esm(() => {
-  init_redundant_cd_cwd();
-  init_prefer_edit_over_read_cat();
-  init_prefer_edit_over_sed_awk();
-  init_prefer_write_over_heredoc();
-  init_sleep_polling_loop();
-  init_find_from_root();
-  init_git_commit_no_verify();
-  init_reread_after_edit();
-  AUDIT_DETECTORS = [
-    redundantCdCwd,
-    preferEditOverReadCat,
-    preferEditOverSedAwk,
-    preferWriteOverHeredoc,
-    sleepPollingLoop,
-    findFromRoot,
-    gitCommitNoVerify,
-    rereadAfterEdit
-  ];
-});
-
-// src/audit/cache.ts
-import { createHash } from "node:crypto";
-import { existsSync as existsSync13, mkdirSync as mkdirSync6, readFileSync as readFileSync10, writeFileSync as writeFileSync5, chmodSync } from "node:fs";
-import { join as join19 } from "node:path";
-import { homedir as homedir19 } from "node:os";
-function getEngineVersion() {
-  if (cachedEngineVersion)
-    return cachedEngineVersion;
-  const blob = BUILTIN_POLICIES.map((p) => `${p.name}|${p.fn.toString()}`).sort().join(`
-`);
-  cachedEngineVersion = createHash("sha1").update(blob).digest("hex").slice(0, 16);
-  return cachedEngineVersion;
-}
-function getDetectorVersion() {
-  if (cachedDetectorVersion)
-    return cachedDetectorVersion;
-  const blob = AUDIT_DETECTORS.map((d) => `${d.name}|${d.detect.toString()}`).sort().join(`
+async function runLogout() {
+  const existing = readAuth();
+  if (!existing) {
+    trackHookEvent2(getInstanceId2(), "audit_cli_auth_logout_completed", {
+      source: "cli",
+      had_session: false,
+      upstream: "noop"
+    });
+    process.stdout.write(`${DIM}not signed in. nothing to do.${RESET}
 `);
-  cachedDetectorVersion = createHash("sha1").update(blob).digest("hex").slice(0, 16);
-  return cachedDetectorVersion;
-}
-function getCachePathFor(transcriptPath) {
-  const root = join19(homedir19(), ".failproofai", "cache", "audit");
-  const key = createHash("sha1").update(transcriptPath).digest("hex");
-  return join19(root, `${key}.json`);
-}
-function readCachedTranscriptResult(transcriptPath, mtimeMs, sizeBytes) {
-  if (sizeBytes === 0)
-    return null;
-  const cachePath = getCachePathFor(transcriptPath);
-  if (!existsSync13(cachePath))
-    return null;
-  try {
-    const raw = readFileSync10(cachePath, "utf-8");
-    const entry = JSON.parse(raw);
-    if (entry.mtimeMs !== mtimeMs)
-      return null;
-    if (entry.sizeBytes !== sizeBytes)
-      return null;
-    if (entry.engineVersion !== getEngineVersion())
-      return null;
-    if (entry.detectorVersion !== getDetectorVersion())
-      return null;
-    return entry.result;
-  } catch {
-    return null;
-  }
-}
-function writeCachedTranscriptResult(transcriptPath, mtimeMs, sizeBytes, result) {
-  if (sizeBytes === 0)
     return;
-  const cachePath = getCachePathFor(transcriptPath);
+  }
+  let upstream = "revoked";
   try {
-    mkdirSync6(join19(homedir19(), ".failproofai", "cache", "audit"), { recursive: true });
-    const entry = {
-      mtimeMs,
-      sizeBytes,
-      engineVersion: getEngineVersion(),
-      detectorVersion: getDetectorVersion(),
-      result
-    };
-    writeFileSync5(cachePath, JSON.stringify(entry), { encoding: "utf-8", mode: 384 });
-    try {
-      chmodSync(cachePath, 384);
-    } catch {}
-  } catch {}
-}
-var cachedEngineVersion = null, cachedDetectorVersion = null;
-var init_cache = __esm(() => {
-  init_builtin_policies();
-  init_detectors();
-});
-
-// src/audit/replay.ts
-function initReplay() {
-  if (initialized)
-    return;
-  clearPolicies();
-  const enabled = BUILTIN_POLICIES.map((p) => p.name).filter((n) => !SKIP_POLICIES.has(normalizePolicyName(n)));
-  registerBuiltinPolicies(enabled);
-  initialized = true;
-}
-async function replayEvent(event) {
-  if (!initialized)
-    initReplay();
-  const session = {
-    sessionId: event.sessionId,
-    transcriptPath: event.transcriptPath,
-    cwd: event.cwd,
-    cli: event.cli
-  };
-  const baseToolPayload = {
-    tool_name: event.toolName,
-    tool_input: event.toolInput,
-    session_id: event.sessionId,
-    cwd: event.cwd,
-    transcript_path: event.transcriptPath
-  };
-  const out = [];
-  const pre = await evaluatePolicies("PreToolUse", baseToolPayload, session);
-  collectHits(pre, "PreToolUse", out);
-  if (event.toolResultText !== undefined) {
-    const postPayload = { ...baseToolPayload, tool_response: event.toolResultText };
-    const post = await evaluatePolicies("PostToolUse", postPayload, session);
-    collectHits(post, "PostToolUse", out);
+    await logoutSession(existing.access_token, existing.refresh_token);
+  } catch (err) {
+    if (err instanceof AuthApiError && err.status === 401) {} else {
+      upstream = "failed";
+    }
   }
-  return out;
+  deleteAuth();
+  trackHookEvent2(getInstanceId2(), "audit_cli_auth_logout_completed", {
+    source: "cli",
+    had_session: true,
+    upstream,
+    user_id: existing.user.id
+  });
+  process.stdout.write(`${GREEN}✓ signed out as ${existing.user.email}.${RESET}
+`);
 }
-function collectHits(result, eventType, out) {
-  const names = result.policyNames && result.policyNames.length > 0 ? result.policyNames : result.policyName ? [result.policyName] : [];
-  for (const name of names) {
-    out.push({
-      policyName: name,
-      decision: result.decision,
-      reason: result.reason,
-      eventType
+function runWhoami() {
+  const existing = readAuth();
+  if (!existing) {
+    trackHookEvent2(getInstanceId2(), "audit_cli_auth_whoami", {
+      source: "cli",
+      authenticated: false
     });
+    process.stdout.write(`${DIM}not signed in — run \`failproofai auth login\` to sign in.${RESET}
+`);
+    process.exitCode = 1;
+    return;
   }
-}
-var SKIP_POLICIES, initialized = false;
-var init_replay = __esm(() => {
-  init_policy_evaluator();
-  init_builtin_policies();
-  SKIP_POLICIES = new Set(["warn-repeated-tool-calls"].map((n) => normalizePolicyName(n)));
-});
-
-// src/audit/telemetry.ts
-function ageBucketDays(iso) {
-  if (!iso)
-    return null;
-  const ms = Date.now() - new Date(iso).getTime();
-  if (Number.isNaN(ms) || ms < 0)
-    return null;
-  const days = Math.floor(ms / 86400000);
-  if (days <= 0)
-    return 0;
-  if (days <= 1)
-    return 1;
-  if (days <= 7)
-    return 7;
-  if (days <= 30)
-    return 30;
-  if (days <= 90)
-    return 90;
-  if (days <= 365)
-    return 365;
-  return 366;
-}
-function shortName(name) {
-  const slash = name.indexOf("/");
-  return slash >= 0 ? name.slice(slash + 1) : name;
-}
-function trackAuditStarted(opts, outputMode) {
-  trackHookEvent2(getInstanceId2(), "audit_started", {
-    clis_requested: opts.clis ?? "all",
-    since_window: opts.since ?? null,
-    has_project_filter: !!opts.projects?.length,
-    has_policy_filter: !!opts.policies?.length,
-    no_cache: !!opts.noCache,
-    output_mode: outputMode
-  });
-}
-function trackAuditPatternDetected(count) {
-  trackHookEvent2(getInstanceId2(), "audit_pattern_detected", {
-    pattern_name: shortName(count.name),
-    pattern_source: count.source,
-    pattern_category: count.category,
-    hits: count.hits,
-    projects: count.projects,
-    enabled_in_config: count.enabledInConfig,
-    severity: count.severity,
-    first_seen_age_days: ageBucketDays(count.firstSeen),
-    last_seen_age_days: ageBucketDays(count.lastSeen)
+  trackHookEvent2(getInstanceId2(), "audit_cli_auth_whoami", {
+    source: "cli",
+    authenticated: true,
+    user_id: existing.user.id
   });
+  process.stdout.write(`${GREEN}✓${RESET} ${existing.user.email} ${DIM}(${existing.user.id})${RESET}
+`);
 }
-function trackAuditInstallCtaShown(unenabledNames) {
-  if (unenabledNames.length === 0)
+async function runAuthCli(args) {
+  const opts = parseAuthArgs(args);
+  if (opts.mode === "help") {
+    process.stdout.write(HELP);
     return;
-  trackHookEvent2(getInstanceId2(), "audit_install_cta_shown", {
-    unenabled_count: unenabledNames.length,
-    unenabled_pattern_names: unenabledNames.map(shortName)
-  });
-}
-function trackAuditCompleted(result, outputMode) {
-  const enabledHits = result.results.filter((r) => r.source === "builtin" && r.enabledInConfig).reduce((acc, r) => acc + r.hits, 0);
-  const unenabledHits = result.results.filter((r) => r.source === "builtin" && !r.enabledInConfig).reduce((acc, r) => acc + r.hits, 0);
-  const detectorHits = result.results.filter((r) => r.source === "audit-detector").reduce((acc, r) => acc + r.hits, 0);
-  trackHookEvent2(getInstanceId2(), "audit_completed", {
-    duration_ms: result.transcripts.durationMs,
-    transcripts_scanned: result.transcripts.scanned,
-    transcripts_skipped: result.transcripts.skipped,
-    transcripts_errors: result.transcripts.errors,
-    total_hits: result.totals.hits,
-    projects_with_hits: result.totals.projectsWithHits,
-    enabled_builtin_hits: enabledHits,
-    unenabled_builtin_hits: unenabledHits,
-    audit_detector_hits: detectorHits,
-    result_count: result.results.length,
-    clis_scanned: result.scope.cli,
-    since_window: result.scope.since,
-    has_project_filter: result.scope.projects !== "all",
-    output_mode: outputMode
-  });
+  }
+  if (opts.mode === "login")
+    return runLogin();
+  if (opts.mode === "logout")
+    return runLogout();
+  return runWhoami();
 }
-var init_telemetry = __esm(() => {
+var HELP, LEGACY_FLAG_TO_SUB, SUBCOMMANDS, DIM = "\x1B[2m", RESET = "\x1B[0m", PINK = "\x1B[38;5;204m", GREEN = "\x1B[38;5;120m", RED = "\x1B[38;5;197m";
+var init_cli = __esm(() => {
+  init_api_server_client();
+  init_auth_store();
+  init_cli_error();
   init_hook_telemetry2();
   init_telemetry_id2();
-});
+  HELP = `
+failproofai auth — sign in to FailproofAI from the CLI
 
-// src/audit/index.ts
-var exports_audit = {};
-__export(exports_audit, {
-  runAudit: () => runAudit
-});
-function shortPolicyName(name) {
-  const slash = name.indexOf("/");
-  return slash >= 0 ? name.slice(slash + 1) : name;
-}
-function findBuiltin(name) {
-  const short = shortPolicyName(name);
-  for (const p of BUILTIN_POLICIES) {
-    if (p.name === name || shortPolicyName(p.name) === short)
-      return p;
-  }
-  return null;
-}
-function buildInstallHint(name, source, enabled) {
-  if (source === "audit-detector") {
-    return "Audit-only — `failproofai audit` will keep tracking these.";
-  }
-  if (enabled) {
-    return "Already enforced — failproofai is blocking these in real time.";
-  }
-  return `Enable in one command:  failproofai policies --install ${shortPolicyName(name)}`;
-}
-function truncateExample(s) {
-  if (s.length <= AUDIT_EXAMPLE_MAX_CHARS)
-    return s;
-  return s.slice(0, AUDIT_EXAMPLE_MAX_CHARS - 1) + "…";
-}
-function parseSinceOpt(since) {
-  if (!since)
-    return;
-  const m = /^(\d+)\s*([dhm])$/i.exec(since.trim());
-  if (m) {
-    const n = parseInt(m[1], 10);
-    const unit = m[2].toLowerCase();
-    const ms = unit === "d" ? 86400000 : unit === "h" ? 3600000 : 60000;
-    return Date.now() - n * ms;
-  }
-  const t = Date.parse(since);
-  if (!Number.isNaN(t))
-    return t;
-  throw new Error(`Invalid --since value: "${since}" (expected e.g. "7d", "30d", or "2026-04-01")`);
-}
-async function scanOneTranscript(meta) {
-  const empty = {
-    transcriptPath: meta.transcriptPath,
-    cli: meta.cli,
-    projectName: meta.projectName,
-    sessionId: meta.sessionId,
-    mtimeMs: meta.mtimeMs,
-    sizeBytes: meta.sizeBytes,
-    hitsByName: {},
-    examplesByName: {},
-    rangeByName: {}
-  };
-  const events = await ADAPTERS[meta.cli].streamEvents(meta);
-  if (events.length === 0)
-    return empty;
-  const result = empty;
-  const sessionState = {};
-  for (const event of events) {
-    for (const detector of AUDIT_DETECTORS) {
-      const hit = detector.detect(event, sessionState);
-      if (!hit)
-        continue;
-      recordHit(result, detector.name, event.timestamp, event.cwd, truncateExample(hit.example));
-    }
-    let replayHits;
-    try {
-      replayHits = await replayEvent(event);
-    } catch {
-      continue;
-    }
-    for (const hit of replayHits) {
-      const example = formatPolicyExample(hit.policyName, event);
-      recordHit(result, hit.policyName, event.timestamp, event.cwd, truncateExample(example));
-    }
-  }
-  return result;
-}
-function formatPolicyExample(_policyName, event) {
-  if (event.toolName === "Bash") {
-    const command = event.toolInput.command;
-    if (typeof command === "string")
-      return command.replace(/\s+/g, " ");
-  }
-  const filePath = event.toolInput.file_path;
-  if (typeof filePath === "string")
-    return `${event.toolName} ${filePath}`;
-  return `${event.toolName}`;
-}
-function recordHit(result, name, timestamp, cwd, example) {
-  result.hitsByName[name] = (result.hitsByName[name] ?? 0) + 1;
-  const exs = result.examplesByName[name] ?? [];
-  if (exs.length < AUDIT_MAX_EXAMPLES_PER_NAME) {
-    exs.push({ timestamp, cwd, example });
-    result.examplesByName[name] = exs;
-  }
-  const range = result.rangeByName[name];
-  if (!range) {
-    result.rangeByName[name] = { first: timestamp, last: timestamp };
-  } else {
-    if (timestamp < range.first)
-      range.first = timestamp;
-    if (timestamp > range.last)
-      range.last = timestamp;
-  }
-}
-function aggregateResults(perTranscript, enabledBuiltins) {
-  const byName = new Map;
-  for (const t of perTranscript) {
-    for (const [name, count] of Object.entries(t.hitsByName)) {
-      const bucket = byName.get(name) ?? {
-        hits: 0,
-        projects: new Set,
-        examples: []
-      };
-      bucket.hits += count;
-      bucket.projects.add(t.projectName);
-      const tExs = t.examplesByName[name] ?? [];
-      for (const e of tExs) {
-        if (bucket.examples.length < AUDIT_MAX_EXAMPLES_PER_NAME) {
-          bucket.examples.push({ ...e, sessionId: t.sessionId });
-        }
-      }
-      const range = t.rangeByName[name];
-      if (range) {
-        if (!bucket.first || range.first < bucket.first)
-          bucket.first = range.first;
-        if (!bucket.last || range.last > bucket.last)
-          bucket.last = range.last;
-      }
-      byName.set(name, bucket);
-    }
-  }
-  const detectorByName = new Map(AUDIT_DETECTORS.map((d) => [d.name, d]));
-  const out = [];
-  for (const [name, bucket] of byName) {
-    const detector = detectorByName.get(name);
-    const isDetector = !!detector;
-    const builtin = isDetector ? null : findBuiltin(name);
-    const source = isDetector ? "audit-detector" : "builtin";
-    const enabled = isDetector ? false : enabledBuiltins.has(normalizePolicyName(name));
-    const displayTitle = detector?.displayTitle ?? builtin?.displayTitle ?? detector?.description ?? builtin?.description ?? shortPolicyName(name);
-    const impact = detector?.impact ?? builtin?.impact ?? "";
-    out.push({
-      name,
-      source,
-      category: detector?.category ?? builtin?.category ?? "Custom",
-      severity: isDetector ? detector?.severity ?? "info" : "deny",
-      hits: bucket.hits,
-      projects: bucket.projects.size,
-      firstSeen: bucket.first,
-      lastSeen: bucket.last,
-      examples: bucket.examples,
-      displayTitle,
-      impact,
-      enabledInConfig: enabled,
-      installHint: buildInstallHint(name, source, enabled)
-    });
-  }
-  out.sort((a, b) => b.hits - a.hits);
-  return out;
-}
-async function runAudit(opts = {}) {
-  const startedAt = Date.now();
-  initReplay();
-  const outputMode = opts.json ? "json" : opts.noReport ? "text" : "text+markdown";
-  trackAuditStarted(opts, outputMode);
-  const clis = opts.clis ?? Array.from(INTEGRATION_TYPES);
-  const sinceMs = parseSinceOpt(opts.since);
-  const userConfig = readMergedHooksConfig();
-  const enabledBuiltins = new Set((userConfig.enabledPolicies ?? []).map((n) => normalizePolicyName(n)));
-  const allTranscripts = [];
-  for (const cli of clis) {
-    const adapter = ADAPTERS[cli];
-    let list;
-    try {
-      list = await adapter.listTranscripts({ projects: opts.projects, sinceMs });
-    } catch {
-      continue;
-    }
-    allTranscripts.push(...list);
-  }
-  let skipped = 0;
-  let errors = 0;
-  const tasks = allTranscripts.map((meta) => async () => {
-    if (!opts.noCache) {
-      const cached = readCachedTranscriptResult(meta.transcriptPath, meta.mtimeMs, meta.sizeBytes);
-      if (cached)
-        return cached;
-    }
-    try {
-      const fresh = await scanOneTranscript(meta);
-      if (!opts.noCache) {
-        writeCachedTranscriptResult(meta.transcriptPath, meta.mtimeMs, meta.sizeBytes, fresh);
-      }
-      return fresh;
-    } catch {
-      errors++;
-      return {
-        transcriptPath: meta.transcriptPath,
-        cli: meta.cli,
-        projectName: meta.projectName,
-        sessionId: meta.sessionId,
-        mtimeMs: meta.mtimeMs,
-        sizeBytes: meta.sizeBytes,
-        hitsByName: {},
-        examplesByName: {},
-        rangeByName: {}
-      };
-    }
-  });
-  const settled = await batchAll(tasks, TRANSCRIPT_CONCURRENCY);
-  const perTranscript = [];
-  for (const s of settled) {
-    if (s.status === "fulfilled")
-      perTranscript.push(s.value);
-    else
-      skipped++;
-  }
-  let results = aggregateResults(perTranscript, enabledBuiltins);
-  if (opts.policies?.length) {
-    const wanted = new Set(opts.policies.map(shortPolicyName));
-    results = results.filter((r) => wanted.has(shortPolicyName(r.name)));
-  }
-  const totalsHits = results.reduce((sum, r) => sum + r.hits, 0);
-  const projectsWithHits = new Set;
-  for (const t of perTranscript) {
-    if (Object.keys(t.hitsByName).length > 0)
-      projectsWithHits.add(t.projectName);
-  }
-  const auditResult = {
-    version: 1,
-    scannedAt: new Date(startedAt).toISOString(),
-    scope: {
-      cli: clis,
-      projects: opts.projects ?? "all",
-      since: opts.since ?? null
-    },
-    transcripts: {
-      scanned: allTranscripts.length,
-      skipped,
-      errors,
-      durationMs: Date.now() - startedAt
-    },
-    results,
-    totals: {
-      hits: totalsHits,
-      projectsWithHits: projectsWithHits.size
-    }
-  };
-  for (const count of results)
-    trackAuditPatternDetected(count);
-  const unenabledBuiltinNames = results.filter((r) => r.source === "builtin" && !r.enabledInConfig).map((r) => r.name);
-  trackAuditInstallCtaShown(unenabledBuiltinNames);
-  trackAuditCompleted(auditResult, outputMode);
-  return auditResult;
-}
-var TRANSCRIPT_CONCURRENCY = 8;
-var init_audit = __esm(() => {
-  init_builtin_policies();
-  init_hooks_config();
-  init_types();
-  init_cli_adapters();
-  init_detectors();
-  init_cache();
-  init_replay();
-  init_telemetry();
-  init_types2();
-});
+USAGE
+  failproofai auth login         Start the email + OTP login flow
+  failproofai auth logout        Remove ~/.failproofai/auth.json
+  failproofai auth whoami        Print the currently signed-in identity
+  failproofai auth help          Show this help (also: --help, -h)
 
-// src/audit/report.ts
-var exports_report = {};
-__export(exports_report, {
-  formatText: () => formatText,
-  formatMarkdown: () => formatMarkdown,
-  formatJson: () => formatJson
-});
-function noColorEnabled() {
-  if (process.env.NO_COLOR && process.env.NO_COLOR !== "")
-    return true;
-  if (process.env.FORCE_COLOR === "0")
-    return true;
-  return false;
-}
-function stripAnsi(s) {
-  return s.replace(/\x1B\[[0-9;]*m/g, "");
-}
-function formatTimeAgo(iso) {
-  if (!iso)
-    return "—";
-  const ms = Date.now() - new Date(iso).getTime();
-  if (Number.isNaN(ms) || ms < 0)
-    return "—";
-  const m = Math.floor(ms / 60000);
-  if (m < 1)
-    return "just now";
-  if (m < 60)
-    return `${m}m ago`;
-  const h = Math.floor(m / 60);
-  if (h < 24)
-    return `${h}h ago`;
-  const d = Math.floor(h / 24);
-  if (d < 14)
-    return `${d}d ago`;
-  const w = Math.floor(d / 7);
-  if (w < 8)
-    return `${w}w ago`;
-  return `${Math.floor(d / 30)}mo ago`;
-}
-function getWidth() {
-  const cols = process.stdout.columns ?? 80;
-  return Math.max(60, Math.min(78, cols));
-}
-function topBorder(w) {
-  return `╭${"─".repeat(w - 2)}╮`;
-}
-function bottomBorder(w) {
-  return `╰${"─".repeat(w - 2)}╯`;
-}
-function boxLine(text, w) {
-  const inner = w - 4;
-  const visible = stripAnsi(text);
-  const pad = Math.max(0, inner - visible.length);
-  return `│ ${text}${" ".repeat(pad)} │`;
-}
-function divider(w) {
-  return "─".repeat(w);
-}
-function shortName2(name) {
-  const slash = name.indexOf("/");
-  return slash >= 0 ? name.slice(slash + 1) : name;
-}
-function sumHits(rows) {
-  return rows.reduce((acc, r) => acc + r.hits, 0);
-}
-function renderRow(r, opts) {
-  const out = [];
-  const sev = r.severity;
-  const titleColor = sev === "deny" ? ANSI.red : sev === "warn" ? ANSI.red : sev === "info" || sev === "instruct" ? ANSI.yellow : ANSI.cyan;
-  const countStr = String(r.hits).padStart(4);
-  out.push(`  ${titleColor}${ANSI.bold}${countStr}×${ANSI.reset}  ${r.displayTitle}`);
-  if (r.impact) {
-    out.push(`        ${ANSI.dim}${r.impact}${ANSI.reset}`);
-  }
-  out.push(`        ${ANSI.dim}Last seen ${formatTimeAgo(r.lastSeen)} · ${r.projects} project${r.projects === 1 ? "" : "s"}${ANSI.reset}`);
-  if (opts.showExamples && r.examples[0]) {
-    out.push(`        ${ANSI.dim}Example: ${r.examples[0].example}${ANSI.reset}`);
-  }
-  if (r.installHint) {
-    const arrowColor = r.enabledInConfig ? ANSI.green : ANSI.cyan;
-    out.push(`        ${arrowColor}›${ANSI.reset} ${r.installHint}`);
-  }
-  out.push("");
-  return out;
-}
-function formatText(result, opts = {}) {
-  const w = getWidth();
-  const limit = opts.limit ?? 20;
-  const showExamples = !!opts.showExamples;
-  const enabledRows = result.results.filter((r) => r.source === "builtin" && r.enabledInConfig);
-  const unenabledBuiltinRows = result.results.filter((r) => r.source === "builtin" && !r.enabledInConfig);
-  const detectorRows = result.results.filter((r) => r.source === "audit-detector");
-  const slippingRows = [...unenabledBuiltinRows, ...detectorRows].sort((a, b) => b.hits - a.hits);
-  const totalProtected = sumHits(enabledRows);
-  const totalSlipping = sumHits(slippingRows);
-  const totalHits = totalProtected + totalSlipping;
-  const sinceLabel = result.scope.since ? `the last ${result.scope.since}` : "all time";
-  const lines = [];
-  lines.push(`${ANSI.cyan}\uD83D\uDEE1  failproofai audit${ANSI.reset} ${ANSI.dim}[beta]${ANSI.reset}  ·  ${sinceLabel}`);
-  lines.push(`   ${ANSI.dim}${result.transcripts.scanned} sessions · ${result.totals.projectsWithHits} project${result.totals.projectsWithHits === 1 ? "" : "s"} with hits · scanned in ${(result.transcripts.durationMs / 1000).toFixed(1)}s${ANSI.reset}`);
-  lines.push("");
-  if (totalHits === 0) {
-    lines.push(topBorder(w));
-    lines.push(boxLine(`${ANSI.green}\uD83C\uDF89 Clean run!${ANSI.reset}  Nothing matched your policies in this window.`, w));
-    lines.push(bottomBorder(w));
-    lines.push("");
-    return noColorEnabled() ? stripAnsi(lines.join(`
-`)) : lines.join(`
-`);
-  }
-  lines.push(topBorder(w));
-  lines.push(boxLine(`${ANSI.bold}Your agent did ${totalHits} wasteful or risky things in ${sinceLabel}.${ANSI.reset}`, w));
-  if (totalSlipping > 0) {
-    lines.push(boxLine(`${totalSlipping} of those would've been caught if more policies were on.`, w));
-  }
-  lines.push(bottomBorder(w));
-  lines.push("");
-  if (enabledRows.length > 0) {
-    lines.push(`${ANSI.green}✓ ALREADY PROTECTED${ANSI.reset}  ${ANSI.dim}(${totalProtected} action${totalProtected === 1 ? "" : "s"} stopped by your current policies)${ANSI.reset}`);
-    lines.push("");
-    for (const row of enabledRows.slice(0, limit)) {
-      lines.push(...renderRow(row, { showExamples }));
-    }
-    if (enabledRows.length > limit) {
-      lines.push(`  ${ANSI.dim}… ${enabledRows.length - limit} more (use --limit ${enabledRows.length})${ANSI.reset}`);
-      lines.push("");
-    }
-  }
-  if (slippingRows.length > 0) {
-    lines.push(`${ANSI.yellow}○ SLIPPING THROUGH${ANSI.reset}  ${ANSI.dim}(${totalSlipping} action${totalSlipping === 1 ? "" : "s"} caught by audit, not blocked in real time)${ANSI.reset}`);
-    lines.push("");
-    for (const row of slippingRows.slice(0, limit)) {
-      lines.push(...renderRow(row, { showExamples }));
-    }
-    if (slippingRows.length > limit) {
-      lines.push(`  ${ANSI.dim}… ${slippingRows.length - limit} more (use --limit ${slippingRows.length})${ANSI.reset}`);
-      lines.push("");
-    }
-  }
-  lines.push(divider(w));
-  if (unenabledBuiltinRows.length > 0) {
-    const installNames = unenabledBuiltinRows.map((r) => shortName2(r.name));
-    lines.push(`${ANSI.bold}NEXT${ANSI.reset}  Enable the ${installNames.length} unenabled real-time polic${installNames.length === 1 ? "y" : "ies"} in one command:`);
-    lines.push("");
-    lines.push(`      ${ANSI.cyan}failproofai policies --install ${installNames.join(" ")}${ANSI.reset}`);
-    lines.push("");
-  } else if (slippingRows.length > 0) {
-    lines.push(`${ANSI.bold}NEXT${ANSI.reset}  Everything blockable is already enabled. Audit-only findings will show up in your next ${ANSI.cyan}failproofai audit${ANSI.reset}.`);
-    lines.push("");
-  } else {
-    lines.push(`${ANSI.bold}NEXT${ANSI.reset}  ${ANSI.green}You have the relevant policies enabled. failproofai is blocking these in real time.${ANSI.reset}`);
-    lines.push("");
-  }
-  if (!opts.noReport) {
-    const reportPath = opts.reportPath ?? "./failproofai-audit.md";
-    lines.push(`      \uD83D\uDCC4 Shareable report:  ${ANSI.cyan}${reportPath}${ANSI.reset}`);
-  }
-  lines.push(`      ⭐ Star us:           ${ANSI.cyan}https://github.com/FailproofAI/failproofai${ANSI.reset}`);
-  lines.push("");
-  return noColorEnabled() ? stripAnsi(lines.join(`
-`)) : lines.join(`
-`);
-}
-function formatJson(result) {
-  return JSON.stringify(result, null, 2);
-}
-function escapeTableCell(s) {
-  return s.replace(/\\/g, "\\\\").replace(/\|/g, "\\|").replace(/[\r\n]+/g, " ");
-}
-function escapeBackticks(s) {
-  return s.replace(/`/g, "\\`");
-}
-function formatMarkdown(result) {
-  const out = [];
-  const enabledRows = result.results.filter((r) => r.source === "builtin" && r.enabledInConfig);
-  const unenabledBuiltinRows = result.results.filter((r) => r.source === "builtin" && !r.enabledInConfig);
-  const detectorRows = result.results.filter((r) => r.source === "audit-detector");
-  const slippingRows = [...unenabledBuiltinRows, ...detectorRows].sort((a, b) => b.hits - a.hits);
-  const totalProtected = sumHits(enabledRows);
-  const totalSlipping = sumHits(slippingRows);
-  const totalHits = totalProtected + totalSlipping;
-  const sinceLabel = result.scope.since ? `last ${result.scope.since}` : "all time";
-  out.push(`# Agent behavior audit · ${sinceLabel}`);
-  out.push("");
-  out.push("> _Generated by `failproofai audit` (**beta**) — flags and output may change between releases. Going live shortly._");
-  out.push("");
-  out.push(`*Generated ${result.scannedAt} — scanned ${result.transcripts.scanned} sessions across ${result.totals.projectsWithHits} project(s) in ${(result.transcripts.durationMs / 1000).toFixed(1)}s.*`);
-  out.push("");
-  out.push("## TL;DR");
-  out.push("");
-  if (totalHits === 0) {
-    out.push("Clean run — the AI coding agent didn't do anything `failproofai` catches in this window.");
-  } else {
-    out.push(`Over ${result.transcripts.scanned} sessions, my AI coding agent did **${totalHits} things \`failproofai\` would have stopped**: ` + `${totalProtected} were already blocked in real time by my current config; ` + `**${totalSlipping} slipped through** (would've been caught if more policies were on).`);
-  }
-  out.push("");
-  out.push("> [failproofai](https://github.com/FailproofAI/failproofai) is a hook-based policy engine for Claude Code, Codex, Copilot, Cursor, OpenCode, Pi, and Gemini CLI. The `audit` command replays past agent sessions through every builtin policy to surface patterns that were (or could've been) stopped.");
-  out.push("");
-  if (totalHits === 0)
-    return out.join(`
-`);
-  if (enabledRows.length > 0) {
-    out.push(`## ✓ Already protected (${totalProtected} action${totalProtected === 1 ? "" : "s"} stopped)`);
-    out.push("");
-    out.push("These are real-time policies you have on — `failproofai` blocked the agent before each action took effect.");
-    out.push("");
-    out.push("| Issue | Hits | Projects | Last seen | Policy |");
-    out.push("|---|---:|---:|---|---|");
-    for (const r of enabledRows) {
-      out.push(`| ${escapeTableCell(r.displayTitle)} | ${r.hits} | ${r.projects} | ${formatTimeAgo(r.lastSeen)} | \`${escapeTableCell(shortName2(r.name))}\` |`);
-    }
-    out.push("");
-  }
-  if (slippingRows.length > 0) {
-    out.push(`## ○ Slipping through (${totalSlipping} action${totalSlipping === 1 ? "" : "s"} caught by audit, not yet blocked)`);
-    out.push("");
-    out.push("Patterns the audit detected but real-time enforcement isn't on for. The CTA column shows how to fix each.");
-    out.push("");
-    out.push("| Issue | Hits | Projects | Last seen | Fix |");
-    out.push("|---|---:|---:|---|---|");
-    for (const r of slippingRows) {
-      const fix = r.source === "builtin" ? `\`failproofai policies --install ${shortName2(r.name)}\`` : "_audit-only_";
-      out.push(`| ${escapeTableCell(r.displayTitle)} | ${r.hits} | ${r.projects} | ${formatTimeAgo(r.lastSeen)} | ${fix} |`);
-    }
-    out.push("");
-    if (unenabledBuiltinRows.length > 0) {
-      out.push(`### Enable everything in one command`);
-      out.push("");
-      out.push("```bash");
-      out.push(`failproofai policies --install ${unenabledBuiltinRows.map((r) => shortName2(r.name)).join(" ")}`);
-      out.push("```");
-      out.push("");
-    }
-  }
-  const rowsWithExamples = [...enabledRows, ...slippingRows].filter((r) => r.examples.length > 0);
-  if (rowsWithExamples.length > 0) {
-    out.push("## Examples");
-    out.push("");
-    for (const r of rowsWithExamples) {
-      out.push(`### ${escapeBackticks(r.displayTitle)} (\`${escapeBackticks(shortName2(r.name))}\`)`);
-      out.push("");
-      if (r.impact) {
-        out.push(`> ${r.impact}`);
-        out.push("");
-      }
-      for (const e of r.examples) {
-        out.push(`- \`${escapeBackticks(e.example)}\` _(${e.cwd || "?"}, ${formatTimeAgo(e.timestamp)})_`);
-      }
-      out.push("");
-    }
-  }
-  out.push("---");
-  out.push("");
-  out.push("⭐ Star failproofai on GitHub: <https://github.com/FailproofAI/failproofai>");
-  out.push("");
-  return out.join(`
-`);
-}
-var ANSI;
-var init_report = __esm(() => {
-  ANSI = {
-    reset: "\x1B[0m",
-    dim: "\x1B[2m",
-    bold: "\x1B[1m",
-    red: "\x1B[31m",
-    yellow: "\x1B[33m",
-    green: "\x1B[32m",
-    cyan: "\x1B[36m",
-    magenta: "\x1B[35m"
+ENVIRONMENT
+  FAILPROOF_API_URL              Override the api-server base URL
+                                 (default: https://api.befailproof.ai)
+  FAILPROOFAI_AUTH_DIR           Override where auth.json is stored
+                                 (default: ~/.failproofai)
+
+EXAMPLES
+  failproofai auth login
+  failproofai auth whoami
+  failproofai auth logout
+`.trimStart();
+  LEGACY_FLAG_TO_SUB = {
+    "--login": "login",
+    "--logout": "logout",
+    "--whoami": "whoami"
   };
+  SUBCOMMANDS = new Set(["login", "logout", "whoami", "help"]);
 });
 
 // src/hooks/manager.ts
 import { execSync as execSync6 } from "node:child_process";
-import { resolve as resolve12, basename as basename5 } from "node:path";
+import { resolve as resolve12, basename as basename4 } from "node:path";
 import { homedir as homedir20, platform as platform2, arch as arch2, release as release2, hostname as hostname2 } from "node:os";
 function getSettingsPath2(scope, cwd) {
   return claudeCode.getSettingsPath(scope, cwd);
@@ -10729,7 +9504,7 @@ var exports_first_run_nudge = {};
 __export(exports_first_run_nudge, {
   maybeRunFirstRunNudge: () => maybeRunFirstRunNudge
 });
-import * as readline3 from "node:readline";
+import * as readline4 from "node:readline";
 async function emit(event, props) {
   try {
     await trackHookEvent2(getInstanceId2(), event, props);
@@ -10752,7 +9527,7 @@ function clisLabel(detected) {
 }
 async function promptYesNo(stdin, stdout) {
   return new Promise((resolve13) => {
-    const rl = readline3.createInterface({ input: stdin, output: stdout });
+    const rl = readline4.createInterface({ input: stdin, output: stdout });
     let settled = false;
     const finish = (answer) => {
       if (settled)
@@ -10888,14 +9663,14 @@ var init_parse_script_args = () => {};
 
 // scripts/install-diagnosis.mjs
 import { existsSync as existsSync14, readFileSync as readFileSync11, realpathSync } from "node:fs";
-import { dirname as dirname5, resolve as resolve14 } from "node:path";
+import { dirname as dirname6, resolve as resolve14 } from "node:path";
 import { homedir as homedir21, platform as platform3 } from "node:os";
 import { spawnSync } from "node:child_process";
 function findPackageRoot(start) {
   try {
     let dir = realpathSync(start);
     if (existsSync14(dir) && !existsSync14(resolve14(dir, "package.json"))) {
-      dir = dirname5(dir);
+      dir = dirname6(dir);
     }
     while (true) {
       const pkgPath = resolve14(dir, "package.json");
@@ -10906,7 +9681,7 @@ function findPackageRoot(start) {
             return dir;
         } catch {}
       }
-      const parent = dirname5(dir);
+      const parent = dirname6(dir);
       if (parent === dir)
         return null;
       dir = parent;
@@ -11025,7 +9800,7 @@ __export(exports_launch, {
 });
 import { spawn } from "child_process";
 import { realpathSync as realpathSync2, existsSync as existsSync15 } from "node:fs";
-import { resolve as resolve15, dirname as dirname6 } from "node:path";
+import { resolve as resolve15, dirname as dirname7 } from "node:path";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
 function launch(mode) {
   const { loggingLevel, disableTelemetry, allowedDevOrigins, remainingArgs } = parseScriptArgs(process.argv.slice(2));
@@ -11045,7 +9820,7 @@ function launch(mode) {
     process.env.PORT = port;
     process.env.HOSTNAME = "0.0.0.0";
     cmd = "node";
-    const packageRoot = process.env.FAILPROOFAI_PACKAGE_ROOT ?? resolve15(dirname6(realpathSync2(fileURLToPath2(import.meta.url))), "..");
+    const packageRoot = process.env.FAILPROOFAI_PACKAGE_ROOT ?? resolve15(dirname7(realpathSync2(fileURLToPath2(import.meta.url))), "..");
     const serverJsPath = resolve15(packageRoot, ".next/standalone/server.js");
     if (!existsSync15(serverJsPath)) {
       let shadowMessage = null;
@@ -11122,23 +9897,24 @@ var init_cli_error2 = __esm(() => {
 
 // bin/failproofai.mjs
 import { realpathSync as realpathSync3 } from "fs";
-import { dirname as dirname7, resolve as resolve16 } from "path";
+import { dirname as dirname8, resolve as resolve16 } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
 // package.json
-var version = "0.0.11-beta.2";
+var version = "0.0.11-beta.4";
 
 // bin/failproofai.mjs
 if (!process.env.FAILPROOFAI_PACKAGE_ROOT) {
-  process.env.FAILPROOFAI_PACKAGE_ROOT = resolve16(dirname7(realpathSync3(fileURLToPath3(import.meta.url))), "..");
+  process.env.FAILPROOFAI_PACKAGE_ROOT = resolve16(dirname8(realpathSync3(fileURLToPath3(import.meta.url))), "..");
 }
 if (!process.env.FAILPROOFAI_DIST_PATH) {
-  process.env.FAILPROOFAI_DIST_PATH = resolve16(dirname7(realpathSync3(fileURLToPath3(import.meta.url))), "..", "dist");
+  process.env.FAILPROOFAI_DIST_PATH = resolve16(dirname8(realpathSync3(fileURLToPath3(import.meta.url))), "..", "dist");
 }
 var args = process.argv.slice(2);
 if (args[0] === "p")
   args[0] = "policies";
 var _telemetry;
 var lastSubcommand = null;
+var lastPolicyAction = null;
 async function track(name, props) {
   try {
     if (!_telemetry) {
@@ -11178,8 +9954,8 @@ if (hookIdx >= 0) {
   }
 }
 async function runCli() {
-  const SUBCOMMANDS = ["policies", "audit"];
-  if ((args.includes("--help") || args.includes("-h")) && !SUBCOMMANDS.includes(args[0])) {
+  const SUBCOMMANDS2 = ["policies", "policy", "auth"];
+  if ((args.includes("--help") || args.includes("-h")) && !SUBCOMMANDS2.includes(args[0])) {
     const extraArgs = args.filter((a) => a !== "--help" && a !== "-h");
     if (extraArgs.length > 0) {
       throw new CliError3(`Unexpected argument: ${extraArgs[0]}
@@ -11194,6 +9970,9 @@ USAGE
 COMMANDS
   (no args)                      Launch the policy dashboard
 
+  policy add <name>              Enable a single policy (see \`policy --help\`)
+  policy remove <name>           Disable a single policy
+
   policies, p                    List all available policies and their status
   policies --install, -i         Enable policies in agent CLI settings
     [names...]                     Specific policy names to enable
@@ -11216,24 +9995,11 @@ COMMANDS
 
   policies --help, -h            Show this help for the policies command
 
-  audit  (beta)                  Scan past agent CLI transcripts and count
-                                   "stupid behaviors" (env-var checks, force
-                                   pushes, redundant cd <cwd>, sleep loops,
-                                   etc.) per policy / audit detector.
-                                   Going live shortly \u2014 flags + output may
-                                   still change between beta releases.
-    --cli claude|codex|copilot|cursor|opencode|pi|gemini
-                                   Restrict to one or more CLIs (default: all).
-    --project <path>               Restrict to one cwd (repeatable).
-    --since 7d|2026-04-01          Only sessions whose mtime is within window.
-    --policy <name>                Restrict to one policy/detector (repeatable).
-    --limit N                      Top-N rows in the table (default 20).
-    --show-examples                Include one example per row.
-    --report <path>                Markdown report path (default ./failproofai-audit.md).
-    --no-report                    Skip writing the markdown file.
-    --json                         Print JSON to stdout instead of the table.
-    --no-cache                     Bypass the per-transcript cache.
-  audit --help, -h               Show this help for the audit command
+  auth                           Sign in / out of FailproofAI from the CLI.
+    login                          Email + OTP flow; writes ~/.failproofai/auth.json
+    logout                         Revoke this session and remove auth.json
+    whoami                         Print the currently authenticated identity
+  auth --help, -h                Show this help for the auth command
 
   --version, -v                  Print version and exit
   --help, -h                     Show this help message
@@ -11272,7 +10038,7 @@ LINKS
 `.trimStart());
     process.exit(0);
   }
-  if ((args.includes("--version") || args.includes("-v")) && !SUBCOMMANDS.includes(args[0])) {
+  if ((args.includes("--version") || args.includes("-v")) && !SUBCOMMANDS2.includes(args[0])) {
     const extraArgs = args.filter((a) => a !== "--version" && a !== "-v");
     if (extraArgs.length > 0) {
       throw new CliError3(`Unexpected argument: ${extraArgs[0]}
@@ -11481,148 +10247,122 @@ Run \`failproofai policies --help\` for usage.`);
     await track("cli_list_invoked", {});
     process.exit(0);
   }
-  if (args[0] === "audit") {
-    let collectMulti = function(flag, allowSet) {
-      const out = [];
-      const consumed = new Set;
-      for (let i = 0;i < subArgs.length; i++) {
-        if (subArgs[i] !== flag)
-          continue;
-        let seenForThisFlag = 0;
-        for (let j = i + 1;j < subArgs.length; j++) {
-          const v = subArgs[j];
-          if (v.startsWith("-"))
-            break;
-          if (allowSet && !allowSet.has(v))
-            break;
-          out.push(v);
-          consumed.add(j);
-          seenForThisFlag++;
-        }
-        consumed.add(i);
-        if (seenForThisFlag === 0) {
-          throw new CliError3(`Missing value(s) for ${flag}`);
-        }
-      }
-      return { values: out, consumed };
-    }, takeOne = function(flag) {
-      const i = subArgs.indexOf(flag);
-      if (i < 0)
-        return { value: undefined, consumed: new Set };
-      const v = subArgs[i + 1];
-      if (v === undefined || v.startsWith("-")) {
-        throw new CliError3(`Missing value for ${flag}`);
-      }
-      return { value: v, consumed: new Set([i, i + 1]) };
-    };
+  if (args[0] === "auth") {
+    lastSubcommand = "auth";
+    const { runAuthCli: runAuthCli2 } = await Promise.resolve().then(() => (init_cli(), exports_cli));
+    await runAuthCli2(args.slice(1));
+    await track("cli_auth_invoked", { args_count: args.length - 1 });
+    process.exit(process.exitCode ?? 0);
+  }
+  if (args[0] === "policy") {
+    lastSubcommand = "policy";
     const subArgs = args.slice(1);
-    if (subArgs.includes("--help") || subArgs.includes("-h")) {
+    if (subArgs.length === 0 || subArgs.includes("--help") || subArgs.includes("-h")) {
       console.log(`
-failproofai audit (beta) \u2014 scan past agent transcripts for stupid behaviors
-
-  NOTE: This command is in beta. Flags, output format, and the audit-only
-  detector catalog may change before the next stable cut. Going live shortly.
+failproofai policy \u2014 manage a single FailproofAI policy
 
 USAGE
-  failproofai audit [options]
+  failproofai policy add <name>      Enable one policy
+  failproofai policy remove <name>   Disable one policy
 
 OPTIONS
   --cli claude|codex|copilot|cursor|opencode|pi|gemini
-                                 Restrict to one or more CLIs (space-separated or repeated).
-                                 Default: scan all 7.
-  --project <path>               Restrict to sessions whose cwd matches this path. Repeatable.
-  --since 7d|30d|2026-04-01      Only sessions whose mtime is within window.
-  --policy <name>                Restrict to one policy/detector name. Repeatable.
-  --limit N                      Top-N rows in the table (default 20).
-  --show-examples                Include one example command per row in the table.
-  --report <path>                Markdown report path (default: ./failproofai-audit.md).
-  --no-report                    Skip writing the markdown report.
-  --json                         Print JSON to stdout instead of the table.
-  --no-cache                     Bypass the per-transcript result cache.
-  --help, -h                     Show this help
+                                     Agent CLI(s) to apply to; space-separated or repeated.
+                                     Omit to detect installed CLIs and prompt.
+  --scope user|project|local         Config scope (default: user)
+  --beta                             Allow beta policies
 
 EXAMPLES
-  failproofai audit
-  failproofai audit --cli claude --since 30d
-  failproofai audit --policy protect-env-vars --policy block-force-push
-  failproofai audit --json > audit.json
-  failproofai audit --project /home/me/myrepo --show-examples
+  failproofai policy add block-sudo
+  failproofai policy add sanitize-api-keys --scope project
+  failproofai policy add block-force-push --cli claude codex
+  failproofai policy remove block-sudo
 `.trimStart());
       process.exit(0);
     }
+    const action = subArgs[0];
+    if (action !== "add" && action !== "remove") {
+      throw new CliError3(`Unknown policy subcommand: ${action}
+Run \`failproofai policy --help\` for usage.`);
+    }
+    const rest = subArgs.slice(1);
+    const scopeIdx = rest.indexOf("--scope");
+    const scope = scopeIdx >= 0 ? rest[scopeIdx + 1] : "user";
+    if (scopeIdx >= 0 && (!scope || scope.startsWith("-"))) {
+      throw new CliError3("Missing value for --scope. Valid values: user, project, local");
+    }
+    const validScopes = action === "remove" ? ["user", "project", "local", "all"] : ["user", "project", "local"];
+    if (scopeIdx >= 0 && !validScopes.includes(scope)) {
+      throw new CliError3(`Invalid scope: ${scope}. Valid values: ${validScopes.join(", ")}`);
+    }
     const VALID_CLIS = new Set(["claude", "codex", "copilot", "cursor", "opencode", "pi", "gemini"]);
-    const allConsumed = new Set;
-    const cliRes = collectMulti("--cli", VALID_CLIS);
-    cliRes.consumed.forEach((i) => allConsumed.add(i));
-    const projectRes = collectMulti("--project", null);
-    projectRes.consumed.forEach((i) => allConsumed.add(i));
-    const policyRes = collectMulti("--policy", null);
-    policyRes.consumed.forEach((i) => allConsumed.add(i));
-    const sinceRes = takeOne("--since");
-    sinceRes.consumed.forEach((i) => allConsumed.add(i));
-    const limitRes = takeOne("--limit");
-    limitRes.consumed.forEach((i) => allConsumed.add(i));
-    const reportRes = takeOne("--report");
-    reportRes.consumed.forEach((i) => allConsumed.add(i));
-    const showExamples = subArgs.includes("--show-examples");
-    if (showExamples)
-      allConsumed.add(subArgs.indexOf("--show-examples"));
-    const noReport = subArgs.includes("--no-report");
-    if (noReport)
-      allConsumed.add(subArgs.indexOf("--no-report"));
-    const jsonOut = subArgs.includes("--json");
-    if (jsonOut)
-      allConsumed.add(subArgs.indexOf("--json"));
-    const noCache = subArgs.includes("--no-cache");
-    if (noCache)
-      allConsumed.add(subArgs.indexOf("--no-cache"));
-    for (let i = 0;i < subArgs.length; i++) {
-      if (allConsumed.has(i))
-        continue;
-      const arg = subArgs[i];
-      throw new CliError3(`Unexpected argument: ${arg}
-Run \`failproofai audit --help\` for usage.`);
-    }
-    let parsedLimit;
-    if (limitRes.value !== undefined) {
-      parsedLimit = parseInt(limitRes.value, 10);
-      if (!Number.isInteger(parsedLimit) || parsedLimit <= 0) {
-        throw new CliError3(`Invalid value for --limit: "${limitRes.value}". Use a positive integer.`);
-      }
-    }
-    const opts = {
-      clis: cliRes.values.length > 0 ? cliRes.values : undefined,
-      projects: projectRes.values.length > 0 ? projectRes.values : undefined,
-      policies: policyRes.values.length > 0 ? policyRes.values : undefined,
-      since: sinceRes.value,
-      limit: parsedLimit,
-      showExamples,
-      reportPath: reportRes.value ?? "./failproofai-audit.md",
-      noReport: noReport || jsonOut,
-      json: jsonOut,
-      noCache
-    };
-    if (jsonOut && reportRes.value)
-      opts.noReport = false;
-    const { runAudit: runAudit2 } = await Promise.resolve().then(() => (init_audit(), exports_audit));
-    const { formatText: formatText2, formatJson: formatJson2, formatMarkdown: formatMarkdown2 } = await Promise.resolve().then(() => (init_report(), exports_report));
-    const result = await runAudit2(opts);
-    if (jsonOut) {
-      process.stdout.write(formatJson2(result) + `
-`);
+    const cliFlagValues = [];
+    const cliConsumedIdxs = new Set;
+    const cliFlagIdxs = rest.map((a, i) => a === "--cli" ? i : -1).filter((i) => i >= 0);
+    for (const idx of cliFlagIdxs) {
+      let consumed = 0;
+      for (let j = idx + 1;j < rest.length; j++) {
+        const v = rest[j];
+        if (v.startsWith("-"))
+          break;
+        if (!VALID_CLIS.has(v))
+          break;
+        cliFlagValues.push(v);
+        cliConsumedIdxs.add(j);
+        consumed++;
+      }
+      if (consumed === 0) {
+        throw new CliError3("Missing value(s) for --cli. Usage: --cli claude codex copilot cursor opencode pi gemini (or any subset)");
+      }
+    }
+    const includeBeta = rest.includes("--beta");
+    const knownFlags2 = new Set(["--scope", "--cli", "--beta"]);
+    const unknownFlag2 = rest.find((a) => a.startsWith("-") && !knownFlags2.has(a));
+    if (unknownFlag2) {
+      throw new CliError3(`Unknown flag: ${unknownFlag2}
+Run \`failproofai policy --help\` for usage.`);
+    }
+    const consumedIdxs = new Set;
+    if (scopeIdx >= 0)
+      consumedIdxs.add(scopeIdx + 1);
+    for (const i of cliConsumedIdxs)
+      consumedIdxs.add(i);
+    const positional = rest.filter((a, idx) => !a.startsWith("-") && !consumedIdxs.has(idx));
+    if (positional.length === 0) {
+      throw new CliError3(`Missing policy name.
+Usage: failproofai policy ${action} <name>
+Run \`failproofai policies\` to see available names.`);
+    }
+    if (positional.length > 1) {
+      throw new CliError3(`\`policy ${action}\` takes exactly one policy name (got ${positional.length}).
+For multiple policies use \`failproofai policies --${action === "add" ? "install" : "uninstall"} ${positional.join(" ")}\`.`);
+    }
+    const policyName = positional[0];
+    const { resolveTargetClis: resolveTargetClis2 } = await Promise.resolve().then(() => (init_install_prompt2(), exports_install_prompt));
+    const cli = await resolveTargetClis2(cliFlagValues.length > 0 ? cliFlagValues : undefined, action === "add" ? "install" : "uninstall");
+    lastPolicyAction = action;
+    if (action === "add") {
+      const { installHooks: installHooks3 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
+      await installHooks3([policyName], scope, undefined, includeBeta, undefined, undefined, false, cli);
+      await track("cli_policy_add_success", {
+        scope,
+        cli,
+        cli_count: cli.length,
+        policy_name: policyName,
+        include_beta: includeBeta
+      });
     } else {
-      process.stdout.write(formatText2(result, opts));
-    }
-    if (!opts.noReport) {
-      const { writeFileSync: writeFileSync6 } = await import("fs");
-      const { resolve: resolve17 } = await import("path");
-      const reportPath = resolve17(opts.reportPath);
-      writeFileSync6(reportPath, formatMarkdown2(result), "utf-8");
-      if (!jsonOut)
-        process.stdout.write(`
-Report written: ${reportPath}
-`);
+      const { removeHooks: removeHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
+      await removeHooks2([policyName], scope, undefined, { betaOnly: false, removeCustomHooks: false, cli });
+      await track("cli_policy_remove_success", {
+        scope,
+        cli,
+        cli_count: cli.length,
+        policy_name: policyName,
+        beta_only: false
+      });
     }
+    lastPolicyAction = null;
     process.exit(0);
   }
   const knownFlags = ["--version", "-v", "--help", "-h", "--hook"];
@@ -11636,7 +10376,7 @@ Report written: ${reportPath}
           dp[i][j] = a[i - 1] === b[j - 1] ? dp[i - 1][j - 1] : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
       return dp[m][n];
     };
-    const primary = ["--version", "--help", "--hook", "policies", "audit"];
+    const primary = ["--version", "--help", "--hook", "policies", "policy", "auth"];
     const closest = primary.reduce((best, flag) => {
       const dist = levenshtein(unknownFlag, flag);
       return dist < best.dist ? { flag, dist } : best;
@@ -11645,7 +10385,7 @@ Report written: ${reportPath}
 Did you mean: ${closest.flag}?
 Run \`failproofai --help\` for usage details.`);
   }
-  const unknownSubcommand = args.find((a) => !a.startsWith("-") && !SUBCOMMANDS.includes(a));
+  const unknownSubcommand = args.find((a) => !a.startsWith("-") && !SUBCOMMANDS2.includes(a));
   if (unknownSubcommand) {
     throw new CliError3(`Unknown command: ${unknownSubcommand}
 Did you mean: failproofai policies?
@@ -11669,6 +10409,11 @@ try {
       await track("cli_install_failure", { error_type: "cli_error", exit_code: err.exitCode });
     } else if (lastSubcommand === "uninstall") {
       await track("cli_uninstall_failure", { error_type: "cli_error", exit_code: err.exitCode });
+    } else if (lastSubcommand === "policy" && lastPolicyAction) {
+      await track(`cli_policy_${lastPolicyAction}_failure`, {
+        error_type: "cli_error",
+        exit_code: err.exitCode
+      });
     } else {
       await track("cli_parse_error", {
         subcommand: lastSubcommand ?? (args[0] ?? null),
@@ -11683,6 +10428,10 @@ try {
     await track("cli_install_failure", { error_type: err instanceof Error ? err.name : "unknown" });
   } else if (lastSubcommand === "uninstall") {
     await track("cli_uninstall_failure", { error_type: err instanceof Error ? err.name : "unknown" });
+  } else if (lastSubcommand === "policy" && lastPolicyAction) {
+    await track(`cli_policy_${lastPolicyAction}_failure`, {
+      error_type: err instanceof Error ? err.name : "unknown"
+    });
   } else {
     await track("cli_unexpected_error", {
       subcommand: lastSubcommand ?? (args[0] ?? null),