forgelens 0.1.0

package/dist/cli.js

@@ -0,0 +1,1223 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { Command } from "commander";
+
+// src/clean.ts
+import { readdir, rm } from "fs/promises";
+import { resolve } from "path";
+import readline from "readline/promises";
+import { stdin, stdout } from "process";
+async function runClean(options) {
+  const rootPath = resolve(options.root);
+  const targetPath = resolve(rootPath, options.outDir);
+  ensureSafeDeletePath(rootPath, targetPath);
+  const planned = await listPathsToRemove(targetPath);
+  const log = options.logger?.log ?? console.log;
+  log(`Target output folder: ${targetPath}`);
+  log("Planned removal:");
+  if (planned.length === 0) {
+    log("- (nothing; folder does not exist)");
+    return { targetPath, removed: false, planned };
+  }
+  for (const item of planned) {
+    log(`- ${item}`);
+  }
+  const confirmed = options.yes || await askForConfirmation();
+  if (!confirmed) {
+    log("Clean canceled.");
+    return { targetPath, removed: false, planned };
+  }
+  await rm(targetPath, { recursive: true, force: true });
+  log("Clean complete.");
+  return { targetPath, removed: true, planned };
+}
+function ensureSafeDeletePath(rootPath, targetPath) {
+  if (targetPath === "/" || targetPath === rootPath) {
+    throw new Error("Refusing to delete root path.");
+  }
+  if (!targetPath.startsWith(`${rootPath}/`)) {
+    throw new Error("Refusing to delete outside the selected root folder.");
+  }
+}
+async function listPathsToRemove(targetPath) {
+  const exists = await pathExists(targetPath);
+  if (!exists) {
+    return [];
+  }
+  const items = [targetPath];
+  await walk(targetPath, items);
+  return items;
+}
+async function walk(path, items) {
+  const entries = await readdir(path, { withFileTypes: true });
+  for (const entry of entries) {
+    const fullPath = `${path}/${entry.name}`;
+    items.push(fullPath);
+    if (entry.isDirectory()) {
+      await walk(fullPath, items);
+    }
+  }
+}
+async function askForConfirmation() {
+  const rl = readline.createInterface({ input: stdin, output: stdout });
+  try {
+    const answer = await rl.question("Confirm clean? Type 'yes' to continue: ");
+    return answer.trim().toLowerCase() === "yes";
+  } finally {
+    rl.close();
+  }
+}
+async function pathExists(path) {
+  try {
+    await readdir(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/doctor.ts
+import { access as access2 } from "fs/promises";
+import { resolve as resolve2 } from "path";
+import fg2 from "fast-glob";
+
+// src/detectors/project.ts
+import { access } from "fs/promises";
+import { join } from "path";
+
+// src/utils/fs.ts
+import { mkdir, readFile, writeFile } from "fs/promises";
+import { dirname } from "path";
+async function readTextIfExists(path) {
+  try {
+    return await readFile(path, "utf8");
+  } catch {
+    return null;
+  }
+}
+async function readJsonIfExists(path) {
+  const text = await readTextIfExists(path);
+  if (!text) {
+    return null;
+  }
+  try {
+    return JSON.parse(text);
+  } catch {
+    return null;
+  }
+}
+async function writeText(path, content) {
+  await mkdir(dirname(path), { recursive: true });
+  await writeFile(path, content, "utf8");
+}
+
+// src/detectors/project.ts
+async function detectProject(root) {
+  const packageJsonPath = join(root, "package.json");
+  const pkg = await readJsonIfExists(packageJsonPath);
+  const dependencies = Object.keys(pkg?.dependencies ?? {}).sort();
+  const devDependencies = Object.keys(pkg?.devDependencies ?? {}).sort();
+  const allDeps = /* @__PURE__ */ new Set([...dependencies, ...devDependencies]);
+  const framework = allDeps.has("next") ? "nextjs" : "unknown";
+  const language = await fileExists(join(root, "tsconfig.json")) ? "typescript" : "javascript";
+  const packageManager = await detectPackageManager(root);
+  return {
+    framework,
+    language,
+    packageManager,
+    scripts: pkg?.scripts ?? {},
+    dependencies,
+    devDependencies
+  };
+}
+async function detectPackageManager(root) {
+  if (await fileExists(join(root, "pnpm-lock.yaml"))) {
+    return "pnpm";
+  }
+  if (await fileExists(join(root, "yarn.lock"))) {
+    return "yarn";
+  }
+  if (await fileExists(join(root, "bun.lockb"))) {
+    return "bun";
+  }
+  if (await fileExists(join(root, "package-lock.json"))) {
+    return "npm";
+  }
+  return "unknown";
+}
+async function fileExists(path) {
+  try {
+    await access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/detectors/security.ts
+import fg from "fast-glob";
+import { join as join2 } from "path";
+
+// src/utils/ignore.ts
+var DEFAULT_IGNORED_DIRS = [
+  "node_modules",
+  ".next",
+  "dist",
+  "build",
+  ".git",
+  "coverage",
+  "vendor",
+  "generated"
+];
+function defaultIgnores(outDir) {
+  const normalizedOutDir = normalizeOutDir(outDir);
+  const core = DEFAULT_IGNORED_DIRS.flatMap((dir) => [
+    `${dir}/**`,
+    `**/${dir}/**`
+  ]);
+  return normalizedOutDir ? [...core, `${normalizedOutDir}/**`, `**/${normalizedOutDir}/**`] : core;
+}
+function normalizeOutDir(outDir) {
+  const trimmed = outDir.replace(/^\.\//, "").replace(/\\/g, "/");
+  return trimmed.replace(/^\/+|\/+$/g, "");
+}
+
+// src/detectors/security.ts
+async function detectSecurity(root, outDir) {
+  const ignore = defaultIgnores(outDir);
+  const [envFiles, middlewareFiles, codeFiles] = await Promise.all([
+    fg([".env*", "**/.env*"], { cwd: root, ignore }),
+    fg(["middleware.@(ts|tsx|js|jsx)", "src/middleware.@(ts|tsx|js|jsx)"], {
+      cwd: root,
+      ignore
+    }),
+    fg(["**/*.@(ts|tsx|js|jsx)"], { cwd: root, ignore })
+  ]);
+  const riskyFiles = [];
+  const sensitiveFiles = [];
+  let envUsageCount = 0;
+  for (const file of codeFiles) {
+    const text = await readTextIfExists(join2(root, file));
+    if (!text) {
+      continue;
+    }
+    if (text.includes("process.env")) {
+      envUsageCount += 1;
+    }
+    if (text.includes("eval(") || text.includes("dangerouslySetInnerHTML") || text.includes("child_process")) {
+      riskyFiles.push(file);
+    }
+    if (isSensitiveFile(file, text)) {
+      sensitiveFiles.push(file);
+    }
+  }
+  const notes = [];
+  notes.push(`process.env usage files: ${envUsageCount}`);
+  notes.push(
+    middlewareFiles.length > 0 ? "middleware detected" : "no middleware detected (unknown route protection coverage)"
+  );
+  if (envFiles.length === 0) {
+    notes.push("no .env files detected");
+  }
+  if (sensitiveFiles.length > 0) {
+    const sample = uniqueSorted(sensitiveFiles).slice(0, 8).join(", ");
+    notes.push(`security-sensitive files detected: ${sample}`);
+  }
+  return {
+    envFiles: uniqueSorted(envFiles),
+    middlewareFiles: uniqueSorted(middlewareFiles),
+    riskyFiles: uniqueSorted(riskyFiles),
+    sensitiveFiles: uniqueSorted(sensitiveFiles),
+    notes
+  };
+}
+function isSensitiveFile(file, text) {
+  const lowerFile = file.toLowerCase();
+  if (lowerFile.includes("admin") || lowerFile.includes("auth") || lowerFile.includes("middleware") || lowerFile.includes("/actions.") || lowerFile.includes("/api/")) {
+    return true;
+  }
+  if (text.includes('"use server"') || text.includes("'use server'")) {
+    return true;
+  }
+  return false;
+}
+function uniqueSorted(values) {
+  return [...new Set(values)].sort();
+}
+
+// src/doctor.ts
+async function inspectRepoSafety(options) {
+  const rootPath = resolve2(options.root);
+  const outputFolderPath = resolve2(rootPath, options.outDir);
+  const rootExists = await pathExists2(rootPath);
+  if (!rootExists) {
+    return {
+      rootPath,
+      rootExists: false,
+      packageJsonExists: false,
+      framework: "unknown",
+      packageManager: "unknown",
+      ignoredFoldersConfigured: defaultIgnores(options.outDir).length > 0,
+      outputFolderPath,
+      outputPathValid: isValidOutputPath(rootPath, outputFolderPath),
+      sourceRepoWillNotBeModified: true,
+      networkOrApiRequired: false,
+      envFiles: [],
+      scannableSourceFiles: 0,
+      warnings: ["Root path does not exist."]
+    };
+  }
+  const packageJsonExists = await pathExists2(resolve2(rootPath, "package.json"));
+  const project = await detectProject(rootPath);
+  const security = await detectSecurity(rootPath, options.outDir);
+  const scannableSourceFiles = await detectScannableSourceFiles(rootPath, options.outDir);
+  const warnings = [];
+  if (!packageJsonExists) {
+    warnings.push("No package.json found at root. Check if --root points to the real project root.");
+  }
+  if (scannableSourceFiles === 0) {
+    warnings.push("No scannable source files found after ignore rules.");
+  }
+  return {
+    rootPath,
+    rootExists,
+    packageJsonExists,
+    framework: project.framework,
+    packageManager: project.packageManager,
+    ignoredFoldersConfigured: defaultIgnores(options.outDir).length > 0,
+    outputFolderPath,
+    outputPathValid: isValidOutputPath(rootPath, outputFolderPath),
+    sourceRepoWillNotBeModified: true,
+    networkOrApiRequired: false,
+    envFiles: security.envFiles,
+    scannableSourceFiles,
+    warnings
+  };
+}
+function renderDoctorReport(report) {
+  const lines = [
+    "ForgeLens Doctor",
+    `- Root path exists: ${status(report.rootExists)}`,
+    `- package.json exists: ${status(report.packageJsonExists)}`,
+    `- Detected framework: ${report.framework}`,
+    `- Detected package manager: ${report.packageManager}`,
+    `- Ignored folders configured: ${status(report.ignoredFoldersConfigured)}`,
+    `- Output folder path: ${report.outputFolderPath}`,
+    `- Output folder path valid: ${status(report.outputPathValid)}`,
+    `- Source repo will not be modified: ${status(report.sourceRepoWillNotBeModified)}`,
+    `- Network/API usage needed: ${report.networkOrApiRequired ? "yes" : "no"}`,
+    `- Scannable source files: ${report.scannableSourceFiles}`
+  ];
+  if (report.envFiles.length > 0) {
+    lines.push("- .env files found:");
+    for (const file of report.envFiles) {
+      lines.push(`  - ${file}`);
+    }
+  } else {
+    lines.push("- .env files found: none");
+  }
+  lines.push("- Secret values printed: no");
+  if (report.warnings.length > 0) {
+    lines.push("- Warnings:");
+    for (const warning of report.warnings) {
+      lines.push(`  - ${warning}`);
+    }
+  }
+  return lines.join("\n");
+}
+function status(ok) {
+  return ok ? "ok" : "no";
+}
+async function pathExists2(path) {
+  try {
+    await access2(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isValidOutputPath(root, output) {
+  if (!output || output === root || output === "/") {
+    return false;
+  }
+  return output.startsWith(`${root}/`);
+}
+async function detectScannableSourceFiles(root, outDir) {
+  const files = await fg2(["**/*.@(ts|tsx|js|jsx)"], {
+    cwd: root,
+    ignore: defaultIgnores(outDir)
+  });
+  return files.length;
+}
+
+// src/prompt.ts
+function buildCodexPrompt(outDir = ".forgelens") {
+  return `Use \`${outDir}/FORGE_CONTEXT.md\`, \`${outDir}/ARCHITECTURE_MAP.md\`, \`${outDir}/SECURITY_RULES.md\`, and \`${outDir}/RISK_REPORT.md\` as repo context before editing.`;
+}
+
+// src/scan.ts
+import { isAbsolute, relative, resolve as resolve3 } from "path";
+
+// src/detectors/auth.ts
+import fg3 from "fast-glob";
+import { join as join3 } from "path";
+async function detectAuth(root, outDir) {
+  const ignore = defaultIgnores(outDir);
+  const [codeFiles, authFiles, middlewareFiles, envFiles, pkg] = await Promise.all([
+    fg3(["**/*.@(ts|tsx|js|jsx|mjs|cjs)"], { cwd: root, ignore }),
+    fg3(["**/*auth*.@(ts|tsx|js|jsx|mjs|cjs)", "app/**/auth.@(ts|tsx|js|jsx)"], {
+      cwd: root,
+      ignore
+    }),
+    fg3(["middleware.@(ts|tsx|js|jsx)", "src/middleware.@(ts|tsx|js|jsx)"], {
+      cwd: root,
+      ignore
+    }),
+    fg3([".env*", "**/.env*"], { cwd: root, ignore }),
+    readJsonIfExists(join3(root, "package.json"))
+  ]);
+  const deps = /* @__PURE__ */ new Set([
+    ...Object.keys(pkg?.dependencies ?? {}),
+    ...Object.keys(pkg?.devDependencies ?? {})
+  ]);
+  const codeIndex = await indexCode(root, codeFiles);
+  const providers = [];
+  pushProvider(providers, detectProvider("clerk", deps.has("@clerk/nextjs"), findFiles(codeIndex, /clerk/i), "Clerk dependency or files"));
+  pushProvider(
+    providers,
+    detectProvider(
+      "nextauth-authjs",
+      deps.has("next-auth") || deps.has("@auth/core") || deps.has("@auth/nextjs"),
+      findFiles(codeIndex, /next-auth|\bNextAuth\b|@auth\//),
+      "Auth.js/NextAuth dependency or imports"
+    )
+  );
+  pushProvider(
+    providers,
+    detectProvider(
+      "supabase-auth",
+      deps.has("@supabase/supabase-js"),
+      findFiles(codeIndex, /supabase\.auth|@supabase\/supabase-js|supabase/i),
+      "Supabase auth SDK usage"
+    )
+  );
+  pushProvider(
+    providers,
+    detectProvider(
+      "firebase-auth",
+      deps.has("firebase") || deps.has("firebase-admin") || deps.has("@google-cloud/firestore"),
+      findFiles(codeIndex, /firebase|firestore|getAuth\(|admin\.auth\(/i),
+      "Firebase auth SDK usage"
+    )
+  );
+  pushProvider(
+    providers,
+    detectProvider("lucia", deps.has("lucia"), findFiles(codeIndex, /lucia/i), "Lucia dependency or usage")
+  );
+  pushProvider(
+    providers,
+    detectProvider("better-auth", deps.has("better-auth"), findFiles(codeIndex, /better-auth/i), "Better Auth dependency or usage")
+  );
+  const jwtFiles = findFiles(codeIndex, /\bjwt\b|jsonwebtoken|jose|sign\(|verify\(/i);
+  if (jwtFiles.length > 0) {
+    providers.push({
+      name: "jwt-custom-auth",
+      confidence: deps.has("jsonwebtoken") || deps.has("jose") ? "high" : "medium",
+      evidenceFiles: jwtFiles.slice(0, 12),
+      notes: ["JWT-like auth patterns detected"]
+    });
+  }
+  const cookieSessionFiles = findFiles(codeIndex, /cookies\(|cookie|session|iron-session|next-session/i);
+  if (cookieSessionFiles.length > 0) {
+    providers.push({
+      name: "cookie-session-custom-auth",
+      confidence: deps.has("iron-session") || deps.has("next-session") ? "high" : "medium",
+      evidenceFiles: cookieSessionFiles.slice(0, 12),
+      notes: ["Cookie/session auth patterns detected"]
+    });
+  }
+  if (middlewareFiles.length > 0) {
+    providers.push({
+      name: "middleware-based-auth",
+      confidence: "medium",
+      evidenceFiles: middlewareFiles.slice(0, 12),
+      notes: ["Middleware files detected"]
+    });
+  }
+  const mergedProviders = uniqueSignals(providers);
+  const hasStrongProvider = mergedProviders.some((provider) => provider.name !== "middleware-based-auth");
+  if (!hasStrongProvider && authFiles.length > 0) {
+    mergedProviders.push({
+      name: "custom-auth",
+      confidence: "low",
+      evidenceFiles: authFiles.slice(0, 12),
+      notes: ["Auth-related files found without a clear provider"]
+    });
+  }
+  if (mergedProviders.length === 0) {
+    mergedProviders.push({
+      name: "unknown",
+      confidence: "low",
+      evidenceFiles: [],
+      notes: ["No auth provider signal detected"]
+    });
+  }
+  return {
+    providers: uniqueSignals(mergedProviders),
+    files: uniqueSorted2(authFiles),
+    evidenceFiles: uniqueSorted2([
+      ...authFiles,
+      ...middlewareFiles,
+      ...envFiles,
+      ...mergedProviders.flatMap((provider) => provider.evidenceFiles)
+    ]),
+    middlewareFiles: uniqueSorted2(middlewareFiles),
+    notes: uniqueSorted2(mergedProviders.flatMap((provider) => provider.notes))
+  };
+}
+function detectProvider(name, dependencyMatched, evidenceFiles, note) {
+  const hasEvidenceFiles = evidenceFiles.length > 0;
+  if (!dependencyMatched && !hasEvidenceFiles) {
+    return null;
+  }
+  let confidence = "low";
+  if (dependencyMatched && hasEvidenceFiles) {
+    confidence = "high";
+  } else if (dependencyMatched || hasEvidenceFiles) {
+    confidence = "medium";
+  }
+  return {
+    name,
+    confidence,
+    evidenceFiles: evidenceFiles.slice(0, 12),
+    notes: [note]
+  };
+}
+function pushProvider(target, signal) {
+  if (signal) {
+    target.push(signal);
+  }
+}
+async function indexCode(root, files) {
+  const indexed = [];
+  for (const file of files) {
+    const text = await readTextIfExists(join3(root, file));
+    if (!text) {
+      continue;
+    }
+    indexed.push({ file, text });
+  }
+  return indexed;
+}
+function findFiles(index, pattern) {
+  return uniqueSorted2(index.filter((entry) => pattern.test(entry.text) || pattern.test(entry.file)).map((entry) => entry.file));
+}
+function uniqueSignals(signals) {
+  const map = /* @__PURE__ */ new Map();
+  for (const signal of signals) {
+    const existing = map.get(signal.name);
+    if (!existing) {
+      map.set(signal.name, signal);
+      continue;
+    }
+    map.set(signal.name, {
+      ...signal,
+      confidence: maxConfidence(existing.confidence, signal.confidence),
+      evidenceFiles: uniqueSorted2([...existing.evidenceFiles, ...signal.evidenceFiles]).slice(0, 12),
+      notes: uniqueSorted2([...existing.notes, ...signal.notes])
+    });
+  }
+  return [...map.values()].sort((a, b) => a.name.localeCompare(b.name));
+}
+function maxConfidence(left, right) {
+  const rank = { low: 1, medium: 2, high: 3 };
+  return rank[left] >= rank[right] ? left : right;
+}
+function uniqueSorted2(values) {
+  return [...new Set(values)].sort();
+}
+
+// src/detectors/database.ts
+import fg4 from "fast-glob";
+import { join as join4 } from "path";
+async function detectDatabase(root, outDir) {
+  const ignore = defaultIgnores(outDir);
+  const [
+    prismaFiles,
+    drizzleFiles,
+    typeOrmFiles,
+    mongoFiles,
+    firebaseFiles,
+    supabaseFiles,
+    sqlFiles,
+    migrationFiles,
+    dbClientFiles,
+    pkg
+  ] = await Promise.all([
+    fg4(["prisma/**/*.prisma"], { cwd: root, ignore }),
+    fg4(["drizzle/**/*", "drizzle.config.@(ts|js|mjs|cjs)", "db/drizzle/**/*"], {
+      cwd: root,
+      ignore
+    }),
+    fg4(["ormconfig.@(ts|js|json)", "src/entity/**/*", "**/*.entity.@(ts|js)"], {
+      cwd: root,
+      ignore
+    }),
+    fg4(["**/*mongo*.@(ts|tsx|js|jsx)", "**/*mongoose*.@(ts|tsx|js|jsx)"], {
+      cwd: root,
+      ignore
+    }),
+    fg4(["**/*firebase*.@(ts|tsx|js|jsx)", "**/*firestore*.@(ts|tsx|js|jsx)"], {
+      cwd: root,
+      ignore
+    }),
+    fg4(["supabase/**/*", "**/*supabase*.@(ts|tsx|js|jsx)"], { cwd: root, ignore }),
+    fg4(["**/*.sql"], { cwd: root, ignore }),
+    fg4(["**/migrations/**/*", "**/migration/**/*", "**/migrate/**/*"], { cwd: root, ignore }),
+    fg4(["**/*db*.@(ts|tsx|js|jsx)", "**/*database*.@(ts|tsx|js|jsx)", "**/lib/*sql*.@(ts|tsx|js|jsx)"], {
+      cwd: root,
+      ignore
+    }),
+    readJsonIfExists(join4(root, "package.json"))
+  ]);
+  const deps = /* @__PURE__ */ new Set([
+    ...Object.keys(pkg?.dependencies ?? {}),
+    ...Object.keys(pkg?.devDependencies ?? {})
+  ]);
+  const providers = [];
+  addSignal(
+    providers,
+    "prisma",
+    deps.has("prisma") || deps.has("@prisma/client"),
+    prismaFiles,
+    "Prisma dependency and schema files"
+  );
+  addSignal(
+    providers,
+    "drizzle",
+    deps.has("drizzle-orm") || deps.has("drizzle-kit"),
+    drizzleFiles,
+    "Drizzle dependency and config/files"
+  );
+  addSignal(
+    providers,
+    "supabase",
+    deps.has("@supabase/supabase-js"),
+    supabaseFiles,
+    "Supabase SDK and related files"
+  );
+  addSignal(
+    providers,
+    "typeorm",
+    deps.has("typeorm"),
+    typeOrmFiles,
+    "TypeORM dependency and entity/config files"
+  );
+  addSignal(
+    providers,
+    "mongoose-mongodb",
+    deps.has("mongoose") || deps.has("mongodb"),
+    mongoFiles,
+    "MongoDB/Mongoose dependency and files"
+  );
+  addSignal(
+    providers,
+    "firebase-firestore",
+    deps.has("firebase") || deps.has("firebase-admin") || deps.has("@google-cloud/firestore"),
+    firebaseFiles,
+    "Firebase/Firestore dependency and files"
+  );
+  addSignal(
+    providers,
+    "postgres-client",
+    deps.has("pg") || deps.has("postgres") || deps.has("slonik"),
+    dbClientFiles.filter((f) => /postgres|pg/i.test(f)),
+    "PostgreSQL client dependencies/files"
+  );
+  addSignal(
+    providers,
+    "mysql-client",
+    deps.has("mysql") || deps.has("mysql2"),
+    dbClientFiles.filter((f) => /mysql/i.test(f)),
+    "MySQL client dependencies/files"
+  );
+  addSignal(
+    providers,
+    "sqlite",
+    deps.has("sqlite3") || deps.has("better-sqlite3"),
+    dbClientFiles.filter((f) => /sqlite/i.test(f)),
+    "SQLite dependencies/files"
+  );
+  if (sqlFiles.length > 0 || migrationFiles.length > 0) {
+    providers.push({
+      name: "sql-migrations",
+      confidence: sqlFiles.length > 0 && migrationFiles.length > 0 ? "high" : "medium",
+      evidenceFiles: uniqueSorted3([...sqlFiles, ...migrationFiles]).slice(0, 12),
+      notes: ["SQL files and migration-style paths detected"]
+    });
+  }
+  const hasKnownProvider = providers.some((provider) => provider.name !== "sql-migrations");
+  const customLayerFiles = dbClientFiles.filter(
+    (file) => !/supabase|prisma|drizzle|typeorm|mongo|mongoose|firebase|firestore/i.test(file)
+  );
+  if (!hasKnownProvider && customLayerFiles.length > 0) {
+    providers.push({
+      name: "custom-database-layer",
+      confidence: "low",
+      evidenceFiles: uniqueSorted3(customLayerFiles).slice(0, 12),
+      notes: ["Database-like files found without strong provider signals"]
+    });
+  }
+  if (providers.length === 0) {
+    providers.push({
+      name: "unknown",
+      confidence: "low",
+      evidenceFiles: [],
+      notes: ["No clear database provider detected"]
+    });
+  }
+  const schemaFiles = uniqueSorted3([
+    ...prismaFiles,
+    ...sqlFiles.filter((file) => /schema|setup|init/i.test(file))
+  ]);
+  return {
+    providers: uniqueSignals2(providers),
+    files: uniqueSorted3([
+      ...prismaFiles,
+      ...drizzleFiles,
+      ...typeOrmFiles,
+      ...mongoFiles,
+      ...firebaseFiles,
+      ...supabaseFiles,
+      ...sqlFiles,
+      ...migrationFiles,
+      ...dbClientFiles
+    ]),
+    schemaFiles,
+    migrations: uniqueSorted3(migrationFiles),
+    clientFiles: uniqueSorted3(dbClientFiles),
+    notes: buildDatabaseNotes(uniqueSignals2(providers))
+  };
+}
+function addSignal(target, name, hasDependency, evidenceFiles, note) {
+  const hasFiles = evidenceFiles.length > 0;
+  if (!hasDependency && !hasFiles) {
+    return;
+  }
+  let confidence = "low";
+  if (hasDependency && hasFiles) {
+    confidence = "high";
+  } else if (hasDependency || hasFiles) {
+    confidence = "medium";
+  }
+  target.push({
+    name,
+    confidence,
+    evidenceFiles: uniqueSorted3(evidenceFiles).slice(0, 12),
+    notes: [note]
+  });
+}
+function uniqueSignals2(signals) {
+  const map = /* @__PURE__ */ new Map();
+  for (const signal of signals) {
+    const existing = map.get(signal.name);
+    if (!existing) {
+      map.set(signal.name, signal);
+      continue;
+    }
+    map.set(signal.name, {
+      ...signal,
+      confidence: maxConfidence2(existing.confidence, signal.confidence),
+      evidenceFiles: uniqueSorted3([...existing.evidenceFiles, ...signal.evidenceFiles]).slice(0, 12),
+      notes: uniqueSorted3([...existing.notes, ...signal.notes])
+    });
+  }
+  return [...map.values()].sort((a, b) => a.name.localeCompare(b.name));
+}
+function maxConfidence2(left, right) {
+  const rank = { low: 1, medium: 2, high: 3 };
+  return rank[left] >= rank[right] ? left : right;
+}
+function buildDatabaseNotes(providers) {
+  if (providers.length === 0) {
+    return ["unknown"];
+  }
+  return providers.map((provider) => `${provider.name}: ${provider.confidence} confidence`);
+}
+function uniqueSorted3(values) {
+  return [...new Set(values)].sort();
+}
+
+// src/detectors/routes.ts
+import fg5 from "fast-glob";
+import { posix } from "path";
+var APP_PAGE_GLOBS = [
+  "app/**/page.@(ts|tsx|js|jsx|mdx)",
+  "src/app/**/page.@(ts|tsx|js|jsx|mdx)"
+];
+var APP_API_GLOBS = [
+  "app/**/route.@(ts|tsx|js|jsx)",
+  "src/app/**/route.@(ts|tsx|js|jsx)"
+];
+var PAGES_API_GLOBS = [
+  "pages/api/**/*.@(ts|tsx|js|jsx)",
+  "src/pages/api/**/*.@(ts|tsx|js|jsx)"
+];
+async function detectRoutes(root, outDir) {
+  const ignore = defaultIgnores(outDir);
+  const [appPages, appApiRoutes, pagesApiRoutes] = await Promise.all([
+    fg5(APP_PAGE_GLOBS, { cwd: root, ignore, dot: false }),
+    fg5(APP_API_GLOBS, { cwd: root, ignore, dot: false }),
+    fg5(PAGES_API_GLOBS, { cwd: root, ignore, dot: false })
+  ]);
+  const pageItems = appPages.map((file) => ({
+    kind: "page",
+    route: appPageToRoute(file),
+    file,
+    source: "app"
+  }));
+  const appApiItems = appApiRoutes.map((file) => ({
+    kind: "api",
+    route: appApiToRoute(file),
+    file,
+    source: "app"
+  }));
+  const pagesApiItems = pagesApiRoutes.map((file) => ({
+    kind: "api",
+    route: pagesApiToRoute(file),
+    file,
+    source: "pages"
+  }));
+  return [...pageItems, ...appApiItems, ...pagesApiItems].sort(
+    (a, b) => a.route.localeCompare(b.route)
+  );
+}
+function appPageToRoute(file) {
+  const normalized = file.replace(/\\/g, "/");
+  const rootRelative = stripPrefix(normalized, ["src/app/", "app/"]);
+  const segments = rootRelative.split("/").slice(0, -1);
+  const cleanSegments = segments.filter((segment) => !segment.startsWith("(") && !segment.endsWith(")")).filter((segment) => !segment.startsWith("@"));
+  if (cleanSegments.length === 0) {
+    return "/";
+  }
+  return `/${cleanSegments.join("/")}`;
+}
+function appApiToRoute(file) {
+  const normalized = file.replace(/\\/g, "/");
+  const noPrefix = stripPrefix(normalized, ["src/app/", "app/"]);
+  const withoutFile = noPrefix.replace(/\/route\.[^.]+$/, "");
+  return ensureLeadingSlash(withoutFile);
+}
+function pagesApiToRoute(file) {
+  const normalized = file.replace(/\\/g, "/");
+  const noPrefix = stripPrefix(normalized, ["src/pages/", "pages/"]);
+  const withoutExt = noPrefix.replace(/\.[^.]+$/, "");
+  const withoutIndex = withoutExt.endsWith("/index") ? withoutExt.slice(0, -"/index".length) : withoutExt;
+  return ensureLeadingSlash(posix.join(withoutIndex));
+}
+function ensureLeadingSlash(path) {
+  return path.startsWith("/") ? path : `/${path}`;
+}
+function stripPrefix(path, prefixes) {
+  for (const prefix of prefixes) {
+    if (path.startsWith(prefix)) {
+      return path.slice(prefix.length);
+    }
+  }
+  return path;
+}
+
+// src/detectors/server-actions.ts
+import fg6 from "fast-glob";
+import { join as join5 } from "path";
+var CODE_FILES = "**/*.@(ts|tsx|js|jsx)";
+async function detectServerActions(root, outDir) {
+  const ignore = defaultIgnores(outDir);
+  const files = await fg6([CODE_FILES], { cwd: root, ignore });
+  const matched = [];
+  for (const file of files) {
+    const fullPath = join5(root, file);
+    const text = await readTextIfExists(fullPath);
+    if (!text) {
+      continue;
+    }
+    if (hasUseServerDirective(text)) {
+      matched.push(file);
+    }
+  }
+  const uniqueFiles = [...new Set(matched)].sort();
+  return {
+    count: uniqueFiles.length,
+    files: uniqueFiles
+  };
+}
+function hasUseServerDirective(text) {
+  return text.includes('"use server"') || text.includes("'use server'") || text.includes("`use server`");
+}
+
+// src/writers/markdown.ts
+import { join as join6 } from "path";
+async function writeMarkdownReports(report, outDirAbsolute) {
+  const files = {
+    FORGE_CONTEXT: join6(outDirAbsolute, "FORGE_CONTEXT.md"),
+    ARCHITECTURE_MAP: join6(outDirAbsolute, "ARCHITECTURE_MAP.md"),
+    ROUTES_MAP: join6(outDirAbsolute, "ROUTES_MAP.md"),
+    DATABASE_MAP: join6(outDirAbsolute, "DATABASE_MAP.md"),
+    SERVER_ACTIONS_MAP: join6(outDirAbsolute, "SERVER_ACTIONS_MAP.md"),
+    SECURITY_RULES: join6(outDirAbsolute, "SECURITY_RULES.md"),
+    RISK_REPORT: join6(outDirAbsolute, "RISK_REPORT.md")
+  };
+  await Promise.all([
+    writeText(files.FORGE_CONTEXT, renderForgeContext(report)),
+    writeText(files.ARCHITECTURE_MAP, renderArchitectureMap(report)),
+    writeText(files.ROUTES_MAP, renderRoutesMap(report)),
+    writeText(files.DATABASE_MAP, renderDatabaseMap(report)),
+    writeText(files.SERVER_ACTIONS_MAP, renderServerActionsMap(report)),
+    writeText(files.SECURITY_RULES, renderSecurityRules(report)),
+    writeText(files.RISK_REPORT, renderRiskReport(report))
+  ]);
+  return files;
+}
+function renderForgeContext(report) {
+  return [
+    "# FORGE_CONTEXT",
+    "",
+    `- Root: \`${report.root}\``,
+    `- Scanned at: ${report.scannedAt}`,
+    `- Framework: ${report.project.framework}`,
+    `- Language: ${report.project.language}`,
+    `- Package manager: ${report.project.packageManager}`,
+    `- Route count: ${report.routes.length}`,
+    `- API route count: ${report.routes.filter((r) => r.kind === "api").length}`,
+    `- Server actions: ${report.serverActions.count}`,
+    `- Database providers: ${signalsSummary(report.database.providers)}`,
+    `- Auth providers: ${signalsSummary(report.auth.providers)}`,
+    "",
+    "## Package Scripts",
+    ...renderKeyValueMap(report.project.scripts)
+  ].join("\n");
+}
+function renderArchitectureMap(report) {
+  return [
+    "# ARCHITECTURE_MAP",
+    "",
+    "## Project",
+    `- Framework: ${report.project.framework}`,
+    `- Language: ${report.project.language}`,
+    "",
+    "## Important Areas",
+    `- App/API routes: ${report.routes.length > 0 ? "detected" : "unknown"}`,
+    `- Database: ${report.database.files.length > 0 ? "detected" : "unknown"}`,
+    `- Auth: ${hasNonUnknown(report.auth.providers) ? "detected" : "unknown"}`,
+    `- Middleware: ${report.security.middlewareFiles.length > 0 ? "detected" : "unknown"}`,
+    "",
+    "## Key Files",
+    ...renderListWithFallback(
+      uniqueSorted4([
+        ...report.auth.files,
+        ...report.security.middlewareFiles,
+        ...report.database.schemaFiles,
+        ...report.serverActions.files
+      ]),
+      "unknown"
+    )
+  ].join("\n");
+}
+function renderRoutesMap(report) {
+  const lines = [
+    "# ROUTES_MAP",
+    "",
+    "| Kind | Route | Source | File |",
+    "|---|---|---|---|"
+  ];
+  if (report.routes.length === 0) {
+    lines.push("| unknown | unknown | unknown | unknown |");
+    return lines.join("\n");
+  }
+  for (const route of report.routes) {
+    lines.push(`| ${route.kind} | \`${route.route}\` | ${route.source} | \`${route.file}\` |`);
+  }
+  return lines.join("\n");
+}
+function renderDatabaseMap(report) {
+  return [
+    "# DATABASE_MAP",
+    "",
+    "## Detected Providers",
+    ...renderSignals(report.database.providers),
+    "",
+    "## Schema Files",
+    ...renderListWithFallback(report.database.schemaFiles, "unknown"),
+    "",
+    "## Migration Files",
+    ...renderListWithFallback(report.database.migrations, "unknown"),
+    "",
+    "## Database Clients",
+    ...renderListWithFallback(report.database.clientFiles, "unknown"),
+    "",
+    "## Unknown/Manual Review Notes",
+    ...renderListWithFallback(report.database.notes, "unknown")
+  ].join("\n");
+}
+function renderServerActionsMap(report) {
+  return [
+    "# SERVER_ACTIONS_MAP",
+    "",
+    `- Total files: ${report.serverActions.count}`,
+    "",
+    "## Files",
+    ...renderListWithFallback(report.serverActions.files, "unknown")
+  ].join("\n");
+}
+function renderSecurityRules(report) {
+  const apiRouteFiles = report.routes.filter((route) => route.kind === "api").map((route) => route.file);
+  return [
+    "# SECURITY_RULES",
+    "",
+    "## Auth providers/signals detected",
+    ...renderSignals(report.auth.providers),
+    "",
+    "## Auth evidence files",
+    ...renderListWithFallback(report.auth.evidenceFiles, "unknown"),
+    "",
+    "## Middleware status",
+    ...renderListWithFallback(report.security.middlewareFiles, "unknown"),
+    "",
+    "## Server actions requiring review",
+    ...renderListWithFallback(report.serverActions.files, "unknown"),
+    "",
+    "## API routes requiring review",
+    ...renderListWithFallback(apiRouteFiles, "unknown"),
+    "",
+    "## Environment files (names only)",
+    ...renderListWithFallback(report.security.envFiles, "unknown"),
+    "",
+    "## Admin/security-sensitive areas",
+    ...renderListWithFallback(report.security.sensitiveFiles, "unknown"),
+    "",
+    "## Manual verification checklist",
+    ...buildSecurityChecklist(report).map((item) => `- [ ] ${item}`)
+  ].join("\n");
+}
+function renderRiskReport(report) {
+  const risks = [];
+  const apiRoutes = report.routes.filter((route) => route.kind === "api");
+  const adminRoutes = report.routes.filter(
+    (route) => route.route.includes("/admin") || route.route === "/admin"
+  );
+  const authNames = report.auth.providers.map((provider) => provider.name);
+  if (adminRoutes.length > 0 && report.security.middlewareFiles.length === 0) {
+    risks.push(
+      `Admin routes detected but no middleware: ${adminRoutes.map((route) => `\`${route.file}\``).join(", ")}. Verify authorization guards.`
+    );
+  }
+  if (report.serverActions.count > 0) {
+    risks.push(
+      `Server actions detected (${report.serverActions.count}): ${report.serverActions.files.slice(0, 6).map((file) => `\`${file}\``).join(", ")}. Verify auth and input validation.`
+    );
+  }
+  if (apiRoutes.length > 0) {
+    risks.push(
+      `API routes detected (${apiRoutes.length}): ${apiRoutes.slice(0, 6).map((route) => `\`${route.file}\``).join(", ")}. Verify auth and input validation.`
+    );
+  } else {
+    risks.push("No API routes detected.");
+  }
+  const dbProviders = report.database.providers.filter((provider) => provider.name !== "unknown");
+  if (dbProviders.length > 0) {
+    risks.push(
+      `Database providers detected: ${dbProviders.map((provider) => `${provider.name} (${provider.confidence})`).join(", ")}. Verify credentials are server-only.`
+    );
+  }
+  if (report.security.envFiles.length > 0) {
+    risks.push(
+      `Environment files detected (names only): ${report.security.envFiles.map((file) => `\`${file}\``).join(", ")}.`
+    );
+  }
+  const weakAuthSignals = authNames.filter((name) => name === "unknown" || name === "custom-auth");
+  if (weakAuthSignals.length > 0) {
+    risks.push("Auth provider is custom/unknown. Manual review required.");
+  }
+  if (report.security.riskyFiles.length > 0) {
+    risks.push(
+      `Potential risky patterns found in: ${report.security.riskyFiles.map((file) => `\`${file}\``).join(", ")}.`
+    );
+  }
+  if (risks.length === 0) {
+    risks.push("No obvious static risks found. Dynamic/runtime risks remain unknown.");
+  }
+  return [
+    "# RISK_REPORT",
+    "",
+    "## Summary",
+    ...risks.map((risk) => `- ${risk}`),
+    "",
+    "## Unknowns",
+    "- Authorization guard coverage inside route handlers is unknown.",
+    "- Row-level tenant/account isolation checks are unknown.",
+    "- Runtime secrets handling and deployment config are unknown."
+  ].join("\n");
+}
+function renderSignals(signals) {
+  if (signals.length === 0) {
+    return ["- unknown"];
+  }
+  return signals.flatMap((signal) => {
+    const lines = [`- ${signal.name} (confidence: ${signal.confidence})`];
+    lines.push(`  evidence: ${renderInlineEvidence(signal.evidenceFiles)}`);
+    if (signal.notes.length > 0) {
+      lines.push(`  notes: ${signal.notes.join("; ")}`);
+    }
+    return lines;
+  });
+}
+function renderInlineEvidence(files) {
+  if (files.length === 0) {
+    return "unknown";
+  }
+  return files.map((file) => `\`${file}\``).join(", ");
+}
+function renderKeyValueMap(values) {
+  const entries = Object.entries(values);
+  if (entries.length === 0) {
+    return ["- unknown"];
+  }
+  return entries.sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `- \`${key}\`: \`${value}\``);
+}
+function renderListWithFallback(items, fallback) {
+  if (items.length === 0) {
+    return [`- ${fallback}`];
+  }
+  return items.map((item) => `- \`${item}\``);
+}
+function signalsSummary(signals) {
+  if (signals.length === 0) {
+    return "unknown";
+  }
+  return signals.map((signal) => `${signal.name} (${signal.confidence})`).join(", ");
+}
+function hasNonUnknown(signals) {
+  return signals.some((signal) => signal.name !== "unknown");
+}
+function uniqueSorted4(values) {
+  return [...new Set(values)].sort();
+}
+function buildSecurityChecklist(report) {
+  const checklist = [
+    "Confirm auth checks for admin pages and server actions.",
+    "Confirm API routes validate input and enforce auth.",
+    "Confirm server actions validate input and enforce auth.",
+    "Confirm secrets are never exposed to client code."
+  ];
+  if (report.security.middlewareFiles.length === 0) {
+    checklist.push("Review if middleware is required for route protection.");
+  }
+  return checklist;
+}
+
+// src/scan.ts
+async function scanRepo(root, outDir) {
+  const absoluteRoot = resolve3(root);
+  const [project, routes, database, auth, serverActions, security] = await Promise.all([
+    detectProject(absoluteRoot),
+    detectRoutes(absoluteRoot, outDir),
+    detectDatabase(absoluteRoot, outDir),
+    detectAuth(absoluteRoot, outDir),
+    detectServerActions(absoluteRoot, outDir),
+    detectSecurity(absoluteRoot, outDir)
+  ]);
+  return {
+    root: absoluteRoot,
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    project,
+    routes,
+    database,
+    auth,
+    serverActions,
+    security
+  };
+}
+async function runScan(options) {
+  const rootAbsolute = resolve3(options.root);
+  const outDirAbsolute = resolve3(rootAbsolute, options.outDir);
+  if (options.format !== "markdown") {
+    throw new Error(`Unsupported format: ${options.format}`);
+  }
+  if (!isPathInsideRoot(rootAbsolute, outDirAbsolute)) {
+    throw new Error("Output folder must be inside the selected root folder.");
+  }
+  const report = await scanRepo(rootAbsolute, options.outDir);
+  const files = await writeMarkdownReports(report, outDirAbsolute);
+  return {
+    report,
+    files,
+    outDirAbsolute
+  };
+}
+function isPathInsideRoot(root, target) {
+  const pathFromRoot = relative(root, target);
+  return pathFromRoot !== "" && !pathFromRoot.startsWith("..") && !isAbsolute(pathFromRoot);
+}
+
+// src/cli.ts
+var program = new Command();
+program.name("forgelens").description("Local-first CLI for repo context scanning for AI coding agents").version("0.1.0");
+program.command("scan").description("Scan a repository and generate context markdown files").option("--out <path>", "output folder (inside root)", ".forgelens").option("--root <path>", "repository root path", ".").option("--format <format>", "output format (markdown)", "markdown").option("--verbose", "print scan details", false).addHelpText(
+  "after",
+  "\nExamples:\n  forgelens scan\n  forgelens scan --root . --out .forgelens --verbose"
+).action(async (cmdOptions) => {
+  const options = {
+    outDir: cmdOptions.out,
+    root: cmdOptions.root,
+    format: cmdOptions.format,
+    verbose: Boolean(cmdOptions.verbose)
+  };
+  try {
+    const result = await runScan(options);
+    if (options.verbose) {
+      console.log(`Root: ${result.report.root}`);
+      console.log(`Routes found: ${result.report.routes.length}`);
+      console.log(`Server actions found: ${result.report.serverActions.count}`);
+    }
+    console.log(`ForgeLens scan complete: ${result.outDirAbsolute}`);
+    for (const [name, filePath] of Object.entries(result.files)) {
+      console.log(`- ${name}: ${filePath}`);
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`ForgeLens scan failed: ${message}`);
+    process.exitCode = 1;
+  }
+});
+program.command("doctor").description("Check scan safety/readiness without writing any files").option("--root <path>", "repository root path", ".").option("--out <path>", "output folder that scan would use", ".forgelens").addHelpText("after", "\nExample:\n  forgelens doctor --root . --out .forgelens").action(async (cmdOptions) => {
+  try {
+    const report = await inspectRepoSafety({
+      root: cmdOptions.root,
+      outDir: cmdOptions.out
+    });
+    console.log(renderDoctorReport(report));
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`ForgeLens doctor failed: ${message}`);
+    process.exitCode = 1;
+  }
+});
+program.command("clean").description("Remove only generated output folder").option("--root <path>", "repository root path", ".").option("--out <path>", "output folder to remove", ".forgelens").option("--yes", "skip confirmation prompt", false).addHelpText("after", "\nExample:\n  forgelens clean --out .forgelens --yes").action(async (cmdOptions) => {
+  try {
+    await runClean({
+      root: cmdOptions.root,
+      outDir: cmdOptions.out,
+      yes: Boolean(cmdOptions.yes)
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`ForgeLens clean failed: ${message}`);
+    process.exitCode = 1;
+  }
+});
+var promptCommand = program.command("prompt").description("Print copy-ready prompts for AI coding agents").addHelpText("after", "\nExample:\n  forgelens prompt codex");
+promptCommand.command("codex").description("Print prompt text for Codex using ForgeLens context files").option("--out <path>", "context folder path", ".forgelens").action((cmdOptions) => {
+  console.log(buildCodexPrompt(cmdOptions.out));
+});
+void program.parseAsync(process.argv);