fraim-framework 2.0.177 → 2.0.179

package/dist/src/cli/distribution/marketplace-bundles.js

@@ -0,0 +1,576 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateMarketplaceBundles = validateMarketplaceBundles;
+const fs_1 = require("fs");
+const path_1 = __importDefault(require("path"));
+const TARGET_ROOT = path_1.default.join('marketplaces', 'fraim');
+const ACCEPTANCE_EVIDENCE_PATH = path_1.default.join('docs', 'evidence', '674-marketplace-acceptance.md');
+const POLICY_PAGE_PATHS = [
+    path_1.default.join('fraim-pro', 'privacy', 'index.html'),
+    path_1.default.join('fraim-pro', 'terms', 'index.html')
+];
+const ROOT_CURSOR_MARKETPLACE_PATH = path_1.default.join('.cursor-plugin', 'marketplace.json');
+const ROOT_COPILOT_MARKETPLACE_PATH = path_1.default.join('.github', 'plugin', 'marketplace.json');
+const REQUIRED_TARGET_IDS = [
+    'openai-apps',
+    'codex-plugin',
+    'official-mcp-registry',
+    'cursor-plugin',
+    'vscode-copilot-agent-plugin',
+    'gemini-cli-extension'
+];
+const ACCEPTED_LOCAL_STATUSES = new Set(['package-prepared', 'submission-ready', 'submitted']);
+const TEXT_EXTENSIONS = new Set(['.json', '.md', '.txt', '.toml', '.yaml', '.yml']);
+const SECRET_PATTERNS = [
+    { label: 'OpenAI-style API key', pattern: /sk-[A-Za-z0-9_-]{20,}/ },
+    { label: 'FRAIM API key assignment', pattern: /FRAIM_API_KEY\s*[:=]/i },
+    { label: 'bearer authorization header', pattern: /Authorization:\s*Bearer/i },
+    { label: 'stored access token value', pattern: /"access_token"\s*:\s*"[A-Za-z0-9_-]{8,}"/i },
+];
+function normalizeRelPath(value) {
+    return value.replace(/\\/g, '/');
+}
+function toRelPath(repoRoot, absolutePath) {
+    return normalizeRelPath(path_1.default.relative(repoRoot, absolutePath));
+}
+function makeResult() {
+    return {
+        ok: false,
+        targets: [],
+        checkedFiles: [],
+        errors: [],
+        warnings: []
+    };
+}
+function addIssue(issues, filePath, message) {
+    issues.push({ path: normalizeRelPath(filePath), message });
+}
+function markChecked(result, relPath) {
+    const normalized = normalizeRelPath(relPath);
+    if (!result.checkedFiles.includes(normalized)) {
+        result.checkedFiles.push(normalized);
+    }
+}
+function resolveRepoPath(repoRoot, relPath) {
+    return path_1.default.resolve(repoRoot, relPath);
+}
+function assertFile(repoRoot, relPath, result) {
+    markChecked(result, relPath);
+    const absolutePath = resolveRepoPath(repoRoot, relPath);
+    if (!(0, fs_1.existsSync)(absolutePath) || !(0, fs_1.statSync)(absolutePath).isFile()) {
+        addIssue(result.errors, relPath, 'required file is missing');
+        return false;
+    }
+    return true;
+}
+function readJsonObject(repoRoot, relPath, result) {
+    if (!assertFile(repoRoot, relPath, result)) {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse((0, fs_1.readFileSync)(resolveRepoPath(repoRoot, relPath), 'utf8'));
+        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+            addIssue(result.errors, relPath, 'must contain a JSON object');
+            return null;
+        }
+        return parsed;
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        addIssue(result.errors, relPath, `invalid JSON: ${message}`);
+        return null;
+    }
+}
+function asObject(value) {
+    return value && typeof value === 'object' && !Array.isArray(value)
+        ? value
+        : null;
+}
+function asArray(value) {
+    return Array.isArray(value) ? value : [];
+}
+function stringValue(value) {
+    return typeof value === 'string' && value.trim() ? value : null;
+}
+function readPackageVersion(repoRoot, result) {
+    const relPath = 'package.json';
+    const packageJson = readJsonObject(repoRoot, relPath, result);
+    return packageJson ? stringValue(packageJson.version) : null;
+}
+function requireHttpsUrl(value, relPath, field, result) {
+    const url = stringValue(value);
+    if (!url) {
+        addIssue(result.errors, relPath, `${field} must be a non-empty string`);
+        return null;
+    }
+    if (!url.startsWith('https://')) {
+        addIssue(result.errors, relPath, `${field} must be an https URL`);
+    }
+    return url;
+}
+function assertEqual(actual, expected, relPath, field, result) {
+    if (actual !== expected) {
+        addIssue(result.errors, relPath, `${field} must be ${JSON.stringify(expected)}`);
+    }
+}
+function assertRelativeAsset(repoRoot, baseRelPath, rawPath, relPath, field, result) {
+    const assetPath = stringValue(rawPath);
+    if (!assetPath) {
+        addIssue(result.errors, relPath, `${field} must be a non-empty relative path`);
+        return;
+    }
+    const normalized = assetPath.replace(/\\/g, '/');
+    if (path_1.default.posix.isAbsolute(normalized) || normalized.split('/').includes('..')) {
+        addIssue(result.errors, relPath, `${field} must stay inside the package`);
+        return;
+    }
+    const absolutePath = resolveRepoPath(repoRoot, path_1.default.join(baseRelPath, normalized));
+    const targetRelPath = toRelPath(repoRoot, absolutePath);
+    markChecked(result, targetRelPath);
+    if (!(0, fs_1.existsSync)(absolutePath) || !(0, fs_1.statSync)(absolutePath).isFile()) {
+        addIssue(result.errors, relPath, `${field} points to missing file ${normalized}`);
+    }
+}
+function walkTextFiles(basePath) {
+    if (!(0, fs_1.existsSync)(basePath))
+        return [];
+    const files = [];
+    for (const entry of (0, fs_1.readdirSync)(basePath, { withFileTypes: true })) {
+        const fullPath = path_1.default.join(basePath, entry.name);
+        if (entry.isDirectory()) {
+            files.push(...walkTextFiles(fullPath));
+            continue;
+        }
+        if (entry.isFile() && TEXT_EXTENSIONS.has(path_1.default.extname(entry.name).toLowerCase())) {
+            files.push(fullPath);
+        }
+    }
+    return files;
+}
+function scanForSecrets(repoRoot, relPath, result) {
+    const absolutePath = resolveRepoPath(repoRoot, relPath);
+    const files = (0, fs_1.existsSync)(absolutePath) && (0, fs_1.statSync)(absolutePath).isDirectory()
+        ? walkTextFiles(absolutePath)
+        : [absolutePath];
+    for (const filePath of files) {
+        if (!(0, fs_1.existsSync)(filePath) || !(0, fs_1.statSync)(filePath).isFile())
+            continue;
+        if (!TEXT_EXTENSIONS.has(path_1.default.extname(filePath).toLowerCase()))
+            continue;
+        const fileRelPath = toRelPath(repoRoot, filePath);
+        markChecked(result, fileRelPath);
+        const content = (0, fs_1.readFileSync)(filePath, 'utf8');
+        for (const secretPattern of SECRET_PATTERNS) {
+            if (secretPattern.pattern.test(content)) {
+                addIssue(result.errors, fileRelPath, `contains possible secret: ${secretPattern.label}`);
+            }
+        }
+    }
+}
+function validateTargetEntries(repoRoot, relPath, targets, result) {
+    result.targets = targets
+        .map((target) => asObject(target)?.id)
+        .filter((id) => typeof id === 'string');
+    for (const requiredTargetId of REQUIRED_TARGET_IDS) {
+        if (!result.targets.includes(requiredTargetId)) {
+            addIssue(result.errors, relPath, `missing target ${requiredTargetId}`);
+        }
+    }
+    for (const target of targets) {
+        const targetObject = asObject(target);
+        if (!targetObject)
+            continue;
+        const targetId = stringValue(targetObject.id) || '<unknown>';
+        const packagePath = stringValue(targetObject.packagePath);
+        if (!packagePath) {
+            addIssue(result.errors, relPath, `target ${targetId} packagePath must be set`);
+            continue;
+        }
+        if (!(0, fs_1.existsSync)(resolveRepoPath(repoRoot, packagePath))) {
+            addIssue(result.errors, relPath, `target ${targetId} packagePath does not exist`);
+        }
+        const status = stringValue(targetObject.status);
+        if (!status || !ACCEPTED_LOCAL_STATUSES.has(status)) {
+            addIssue(result.warnings, relPath, `target ${targetId} has unexpected status ${JSON.stringify(targetObject.status)}`);
+        }
+    }
+}
+function validateTargetMatrix(repoRoot, result) {
+    const relPath = path_1.default.join(TARGET_ROOT, 'marketplace-targets.json');
+    const targetMatrix = readJsonObject(repoRoot, relPath, result);
+    if (!targetMatrix) {
+        return { remoteMcpUrl: null, oauthAuthorizationServer: null, productVersion: null };
+    }
+    assertEqual(targetMatrix.schema, 'fraim-marketplace-targets-v1', relPath, 'schema', result);
+    assertEqual(targetMatrix.issue, 674, relPath, 'issue', result);
+    const product = asObject(targetMatrix.product);
+    const remoteMcp = asObject(targetMatrix.remoteMcp);
+    if (!product) {
+        addIssue(result.errors, relPath, 'product must be an object');
+    }
+    if (!remoteMcp) {
+        addIssue(result.errors, relPath, 'remoteMcp must be an object');
+    }
+    const productVersion = product ? stringValue(product.packageVersion) : null;
+    if (!productVersion) {
+        addIssue(result.errors, relPath, 'product.packageVersion must be set');
+    }
+    const packageVersion = readPackageVersion(repoRoot, result);
+    if (productVersion && packageVersion) {
+        assertEqual(productVersion, packageVersion, relPath, 'product.packageVersion', result);
+    }
+    const remoteMcpUrl = remoteMcp
+        ? requireHttpsUrl(remoteMcp.url, relPath, 'remoteMcp.url', result)
+        : null;
+    const oauthAuthorizationServer = remoteMcp
+        ? requireHttpsUrl(remoteMcp.oauthAuthorizationServer, relPath, 'remoteMcp.oauthAuthorizationServer', result)
+        : null;
+    validateTargetEntries(repoRoot, relPath, asArray(targetMatrix.targets), result);
+    return { remoteMcpUrl, oauthAuthorizationServer, productVersion };
+}
+function validateOpenAiAssets(repoRoot, openAiRoot, result) {
+    assertFile(repoRoot, path_1.default.join(openAiRoot, 'README.md'), result);
+    assertFile(repoRoot, path_1.default.join(openAiRoot, 'review-checklist.md'), result);
+    for (const asset of [
+        'assets/icon-512.png',
+        'assets/logo.png',
+        'assets/screenshot-workspace.png',
+        'assets/screenshot-signin.png',
+        'assets/screenshot-delegation.png'
+    ]) {
+        assertFile(repoRoot, path_1.default.join(openAiRoot, asset), result);
+    }
+}
+function validateOpenAiPacketFields(packet, relPath, targetDetails, result) {
+    const app = asObject(packet.app);
+    const mcp = asObject(packet.mcp);
+    const reviewNotes = asObject(packet.reviewNotes);
+    if (!app) {
+        addIssue(result.errors, relPath, 'app must be an object');
+    }
+    else {
+        assertEqual(app.name, 'FRAIM', relPath, 'app.name', result);
+        requireHttpsUrl(app.website, relPath, 'app.website', result);
+        requireHttpsUrl(app.privacyPolicy, relPath, 'app.privacyPolicy', result);
+        requireHttpsUrl(app.termsOfService, relPath, 'app.termsOfService', result);
+    }
+    if (!mcp) {
+        addIssue(result.errors, relPath, 'mcp must be an object');
+    }
+    else {
+        assertEqual(mcp.serverUrl, targetDetails.remoteMcpUrl, relPath, 'mcp.serverUrl', result);
+        assertEqual(mcp.authorizationServer, targetDetails.oauthAuthorizationServer, relPath, 'mcp.authorizationServer', result);
+        const auth = asObject(mcp.auth);
+        assertEqual(auth?.type, 'OAuth 2.1 PKCE', relPath, 'mcp.auth.type', result);
+    }
+    if (!reviewNotes) {
+        addIssue(result.errors, relPath, 'reviewNotes must be an object');
+    }
+    else {
+        assertEqual(reviewNotes.credentialsStoredInRepo, false, relPath, 'reviewNotes.credentialsStoredInRepo', result);
+        assertEqual(reviewNotes.reviewerDemoAccountRequired, true, relPath, 'reviewNotes.reviewerDemoAccountRequired', result);
+    }
+    const testCases = asArray(packet.testCases);
+    if (testCases.length < 3) {
+        addIssue(result.errors, relPath, 'at least three reviewer test cases are required');
+    }
+}
+function validateOpenAiPacket(repoRoot, result, targetDetails) {
+    const openAiRoot = path_1.default.join(TARGET_ROOT, 'openai');
+    const relPath = path_1.default.join(openAiRoot, 'submission-packet.json');
+    const packet = readJsonObject(repoRoot, relPath, result);
+    validateOpenAiAssets(repoRoot, openAiRoot, result);
+    if (!packet)
+        return;
+    assertEqual(packet.schema, 'fraim-openai-app-submission-packet-v1', relPath, 'schema', result);
+    validateOpenAiPacketFields(packet, relPath, targetDetails, result);
+}
+function validatePolicyPages(repoRoot, result) {
+    for (const relPath of POLICY_PAGE_PATHS) {
+        if (!assertFile(repoRoot, relPath, result)) {
+            continue;
+        }
+        const content = (0, fs_1.readFileSync)(resolveRepoPath(repoRoot, relPath), 'utf8');
+        if (!content.includes('FRAIM')) {
+            addIssue(result.errors, relPath, 'policy page must identify FRAIM');
+        }
+        if (!content.includes('support@fraimworks.ai')) {
+            addIssue(result.errors, relPath, 'policy page must include support contact');
+        }
+    }
+}
+function validateCodexMarketplace(marketplace, marketplaceRelPath, result) {
+    if (!marketplace)
+        return;
+    assertEqual(marketplace.name, 'fraim-openai-codex', marketplaceRelPath, 'name', result);
+    const entries = asArray(marketplace.plugins);
+    const fraimEntry = entries
+        .map((entry) => asObject(entry))
+        .find((entry) => entry?.name === 'fraim');
+    if (!fraimEntry) {
+        addIssue(result.errors, marketplaceRelPath, 'plugins must include fraim');
+        return;
+    }
+    const source = asObject(fraimEntry.source);
+    assertEqual(source?.source, 'local', marketplaceRelPath, 'fraim.source.source', result);
+    assertEqual(source?.path, './plugins/fraim', marketplaceRelPath, 'fraim.source.path', result);
+}
+function validateCodexManifestInterface(repoRoot, pluginRoot, manifestRelPath, manifestInterface, result) {
+    requireHttpsUrl(manifestInterface.websiteURL, manifestRelPath, 'interface.websiteURL', result);
+    requireHttpsUrl(manifestInterface.privacyPolicyURL, manifestRelPath, 'interface.privacyPolicyURL', result);
+    requireHttpsUrl(manifestInterface.termsOfServiceURL, manifestRelPath, 'interface.termsOfServiceURL', result);
+    assertRelativeAsset(repoRoot, pluginRoot, manifestInterface.composerIcon, manifestRelPath, 'interface.composerIcon', result);
+    assertRelativeAsset(repoRoot, pluginRoot, manifestInterface.logo, manifestRelPath, 'interface.logo', result);
+    const prompts = asArray(manifestInterface.defaultPrompt);
+    if (prompts.length === 0 || prompts.length > 3) {
+        addIssue(result.errors, manifestRelPath, 'interface.defaultPrompt must contain one to three prompts');
+    }
+    for (const [index, prompt] of prompts.entries()) {
+        if (!stringValue(prompt) || String(prompt).length > 128) {
+            addIssue(result.errors, manifestRelPath, `interface.defaultPrompt[${index}] must be a non-empty string of at most 128 characters`);
+        }
+    }
+    for (const [index, screenshot] of asArray(manifestInterface.screenshots).entries()) {
+        assertRelativeAsset(repoRoot, pluginRoot, screenshot, manifestRelPath, `interface.screenshots[${index}]`, result);
+    }
+}
+function validateCodexManifest(repoRoot, pluginRoot, manifest, manifestRelPath, productVersion, result) {
+    if (!manifest)
+        return;
+    assertEqual(manifest.name, 'fraim', manifestRelPath, 'name', result);
+    assertEqual(manifest.version, productVersion, manifestRelPath, 'version', result);
+    assertEqual(manifest.skills, './skills/', manifestRelPath, 'skills', result);
+    assertEqual(manifest.mcpServers, './.mcp.json', manifestRelPath, 'mcpServers', result);
+    const manifestInterface = asObject(manifest.interface);
+    if (!manifestInterface) {
+        addIssue(result.errors, manifestRelPath, 'interface must be an object');
+        return;
+    }
+    validateCodexManifestInterface(repoRoot, pluginRoot, manifestRelPath, manifestInterface, result);
+}
+function validateCodexMcpConfig(mcpConfig, mcpRelPath, remoteMcpUrl, result) {
+    if (!mcpConfig)
+        return;
+    const servers = asObject(mcpConfig.mcpServers);
+    const fraimServer = asObject(servers?.fraim);
+    if (!fraimServer) {
+        addIssue(result.errors, mcpRelPath, 'mcpServers.fraim must be configured');
+        return;
+    }
+    assertEqual(fraimServer.type, 'http', mcpRelPath, 'mcpServers.fraim.type', result);
+    assertEqual(fraimServer.url, remoteMcpUrl, mcpRelPath, 'mcpServers.fraim.url', result);
+    if ('headers' in fraimServer || 'env' in fraimServer) {
+        addIssue(result.errors, mcpRelPath, 'mcpServers.fraim must not embed headers or env credentials');
+    }
+}
+function validateCodexSkill(repoRoot, skillRelPath, result) {
+    assertFile(repoRoot, skillRelPath, result);
+    const skillPath = resolveRepoPath(repoRoot, skillRelPath);
+    if (!(0, fs_1.existsSync)(skillPath))
+        return;
+    const skillContent = (0, fs_1.readFileSync)(skillPath, 'utf8');
+    if (!/^---\r?\n/.test(skillContent)) {
+        addIssue(result.errors, skillRelPath, 'skill must start with YAML frontmatter');
+    }
+    if (!skillContent.includes('seekMentoring')) {
+        addIssue(result.errors, skillRelPath, 'skill should preserve FRAIM phase mentoring guidance');
+    }
+}
+function validateFrontmatterMarkdown(repoRoot, relPath, result) {
+    assertFile(repoRoot, relPath, result);
+    const filePath = resolveRepoPath(repoRoot, relPath);
+    if (!(0, fs_1.existsSync)(filePath))
+        return;
+    const content = (0, fs_1.readFileSync)(filePath, 'utf8');
+    if (!/^---\r?\n/.test(content)) {
+        addIssue(result.errors, relPath, 'markdown file must start with YAML frontmatter');
+    }
+}
+function validateCodexPackage(repoRoot, result, targetDetails) {
+    const codexRoot = path_1.default.join(TARGET_ROOT, 'codex');
+    const marketplaceRelPath = path_1.default.join(codexRoot, '.agents', 'plugins', 'marketplace.json');
+    const pluginRoot = path_1.default.join(codexRoot, 'plugins', 'fraim');
+    const manifestRelPath = path_1.default.join(pluginRoot, '.codex-plugin', 'plugin.json');
+    const mcpRelPath = path_1.default.join(pluginRoot, '.mcp.json');
+    const skillRelPath = path_1.default.join(pluginRoot, 'skills', 'fraim', 'SKILL.md');
+    const marketplace = readJsonObject(repoRoot, marketplaceRelPath, result);
+    const manifest = readJsonObject(repoRoot, manifestRelPath, result);
+    const mcpConfig = readJsonObject(repoRoot, mcpRelPath, result);
+    validateCodexMarketplace(marketplace, marketplaceRelPath, result);
+    validateCodexManifest(repoRoot, pluginRoot, manifest, manifestRelPath, targetDetails.productVersion, result);
+    validateCodexMcpConfig(mcpConfig, mcpRelPath, targetDetails.remoteMcpUrl, result);
+    validateCodexSkill(repoRoot, skillRelPath, result);
+}
+function validateSimpleMarketplaceManifest(marketplace, marketplaceRelPath, expectedName, expectedSource, productVersion, result) {
+    if (!marketplace)
+        return;
+    assertEqual(marketplace.name, expectedName, marketplaceRelPath, 'name', result);
+    if (!asObject(marketplace.owner)) {
+        addIssue(result.errors, marketplaceRelPath, 'owner must be an object');
+    }
+    const entries = asArray(marketplace.plugins);
+    const fraimEntry = entries
+        .map((entry) => asObject(entry))
+        .find((entry) => entry?.name === 'fraim');
+    if (!fraimEntry) {
+        addIssue(result.errors, marketplaceRelPath, 'plugins must include fraim');
+        return;
+    }
+    assertEqual(fraimEntry.source, expectedSource, marketplaceRelPath, 'fraim.source', result);
+    assertEqual(fraimEntry.version, productVersion, marketplaceRelPath, 'fraim.version', result);
+}
+function validateMcpRegistryPackage(repoRoot, result, targetDetails) {
+    const registryRoot = path_1.default.join(TARGET_ROOT, 'mcp-registry');
+    const serverRelPath = path_1.default.join(registryRoot, 'server.json');
+    const serverJson = readJsonObject(repoRoot, serverRelPath, result);
+    assertFile(repoRoot, path_1.default.join(registryRoot, 'README.md'), result);
+    if (!serverJson)
+        return;
+    requireHttpsUrl(serverJson.$schema, serverRelPath, '$schema', result);
+    assertEqual(serverJson.name, 'io.github.mathursrus/fraim', serverRelPath, 'name', result);
+    assertEqual(serverJson.title, 'FRAIM', serverRelPath, 'title', result);
+    assertEqual(serverJson.version, targetDetails.productVersion, serverRelPath, 'version', result);
+    requireHttpsUrl(serverJson.websiteUrl, serverRelPath, 'websiteUrl', result);
+    const repository = asObject(serverJson.repository);
+    assertEqual(repository?.url, 'https://github.com/mathursrus/FRAIM', serverRelPath, 'repository.url', result);
+    assertEqual(repository?.source, 'github', serverRelPath, 'repository.source', result);
+    const remotes = asArray(serverJson.remotes);
+    const fraimRemote = remotes.map((remote) => asObject(remote)).find((remote) => remote?.url === targetDetails.remoteMcpUrl);
+    if (!fraimRemote) {
+        addIssue(result.errors, serverRelPath, 'remotes must include the FRAIM remote MCP URL');
+        return;
+    }
+    assertEqual(fraimRemote.type, 'streamable-http', serverRelPath, 'remotes.fraim.type', result);
+    if ('headers' in fraimRemote) {
+        addIssue(result.errors, serverRelPath, 'remotes.fraim must not embed headers');
+    }
+}
+function validateCursorPackage(repoRoot, result, targetDetails) {
+    const cursorRoot = path_1.default.join(TARGET_ROOT, 'cursor');
+    const targetMarketplaceRelPath = path_1.default.join(cursorRoot, '.cursor-plugin', 'marketplace.json');
+    const pluginRoot = path_1.default.join(cursorRoot, 'plugins', 'fraim');
+    const manifestRelPath = path_1.default.join(pluginRoot, '.cursor-plugin', 'plugin.json');
+    const mcpRelPath = path_1.default.join(pluginRoot, 'mcp.json');
+    const ruleRelPath = path_1.default.join(pluginRoot, 'rules', 'fraim.mdc');
+    const skillRelPath = path_1.default.join(pluginRoot, 'skills', 'fraim', 'SKILL.md');
+    const commandRelPath = path_1.default.join(pluginRoot, 'commands', 'fraim.md');
+    const rootMarketplace = readJsonObject(repoRoot, ROOT_CURSOR_MARKETPLACE_PATH, result);
+    const targetMarketplace = readJsonObject(repoRoot, targetMarketplaceRelPath, result);
+    const manifest = readJsonObject(repoRoot, manifestRelPath, result);
+    const mcpConfig = readJsonObject(repoRoot, mcpRelPath, result);
+    assertFile(repoRoot, path_1.default.join(cursorRoot, 'README.md'), result);
+    assertFile(repoRoot, path_1.default.join(pluginRoot, 'README.md'), result);
+    validateSimpleMarketplaceManifest(rootMarketplace, ROOT_CURSOR_MARKETPLACE_PATH, 'fraim-marketplace', 'marketplaces/fraim/cursor/plugins/fraim', targetDetails.productVersion, result);
+    validateSimpleMarketplaceManifest(targetMarketplace, targetMarketplaceRelPath, 'fraim-marketplace', 'plugins/fraim', targetDetails.productVersion, result);
+    if (manifest) {
+        assertEqual(manifest.name, 'fraim', manifestRelPath, 'name', result);
+        assertEqual(manifest.version, targetDetails.productVersion, manifestRelPath, 'version', result);
+        assertEqual(manifest.rules, 'rules/', manifestRelPath, 'rules', result);
+        assertEqual(manifest.skills, 'skills/', manifestRelPath, 'skills', result);
+        assertEqual(manifest.commands, 'commands/', manifestRelPath, 'commands', result);
+        assertEqual(manifest.mcpServers, 'mcp.json', manifestRelPath, 'mcpServers', result);
+        assertRelativeAsset(repoRoot, pluginRoot, manifest.logo, manifestRelPath, 'logo', result);
+    }
+    if (mcpConfig) {
+        const servers = asObject(mcpConfig.mcpServers);
+        const fraimServer = asObject(servers?.fraim);
+        if (!fraimServer) {
+            addIssue(result.errors, mcpRelPath, 'mcpServers.fraim must be configured');
+        }
+        else {
+            assertEqual(fraimServer.url, targetDetails.remoteMcpUrl, mcpRelPath, 'mcpServers.fraim.url', result);
+            if ('headers' in fraimServer || 'env' in fraimServer || 'auth' in fraimServer) {
+                addIssue(result.errors, mcpRelPath, 'mcpServers.fraim must not embed credentials');
+            }
+        }
+    }
+    assertFile(repoRoot, ruleRelPath, result);
+    const rulePath = resolveRepoPath(repoRoot, ruleRelPath);
+    if ((0, fs_1.existsSync)(rulePath)) {
+        const ruleContent = (0, fs_1.readFileSync)(rulePath, 'utf8');
+        if (!/^---\r?\n/.test(ruleContent) || !ruleContent.includes('alwaysApply: true')) {
+            addIssue(result.errors, ruleRelPath, 'Cursor rule must include alwaysApply frontmatter');
+        }
+    }
+    validateCodexSkill(repoRoot, skillRelPath, result);
+    validateFrontmatterMarkdown(repoRoot, commandRelPath, result);
+}
+function validateCopilotPackage(repoRoot, result, targetDetails) {
+    const vscodeRoot = path_1.default.join(TARGET_ROOT, 'vscode');
+    const pluginRoot = path_1.default.join(vscodeRoot, 'plugins', 'fraim');
+    const manifestRelPath = path_1.default.join(pluginRoot, 'plugin.json');
+    const mcpRelPath = path_1.default.join(pluginRoot, '.mcp.json');
+    const skillRelPath = path_1.default.join(pluginRoot, 'skills', 'fraim', 'SKILL.md');
+    const commandRelPath = path_1.default.join(pluginRoot, 'commands', 'fraim.md');
+    const rootMarketplace = readJsonObject(repoRoot, ROOT_COPILOT_MARKETPLACE_PATH, result);
+    const manifest = readJsonObject(repoRoot, manifestRelPath, result);
+    const mcpConfig = readJsonObject(repoRoot, mcpRelPath, result);
+    assertFile(repoRoot, path_1.default.join(vscodeRoot, 'README.md'), result);
+    assertFile(repoRoot, path_1.default.join(pluginRoot, 'README.md'), result);
+    validateSimpleMarketplaceManifest(rootMarketplace, ROOT_COPILOT_MARKETPLACE_PATH, 'fraim-copilot-marketplace', 'marketplaces/fraim/vscode/plugins/fraim', targetDetails.productVersion, result);
+    if (manifest) {
+        assertEqual(manifest.name, 'fraim', manifestRelPath, 'name', result);
+        assertEqual(manifest.version, targetDetails.productVersion, manifestRelPath, 'version', result);
+        assertEqual(manifest.skills, 'skills/', manifestRelPath, 'skills', result);
+        assertEqual(manifest.commands, 'commands/', manifestRelPath, 'commands', result);
+        assertEqual(manifest.mcpServers, '.mcp.json', manifestRelPath, 'mcpServers', result);
+    }
+    validateCodexMcpConfig(mcpConfig, mcpRelPath, targetDetails.remoteMcpUrl, result);
+    validateCodexSkill(repoRoot, skillRelPath, result);
+    validateFrontmatterMarkdown(repoRoot, commandRelPath, result);
+}
+function validateGeminiPackage(repoRoot, result, targetDetails) {
+    const geminiRoot = path_1.default.join(TARGET_ROOT, 'gemini');
+    const extensionRoot = path_1.default.join(geminiRoot, 'extension');
+    const manifestRelPath = path_1.default.join(extensionRoot, 'gemini-extension.json');
+    const commandRelPath = path_1.default.join(extensionRoot, 'commands', 'fraim.toml');
+    const skillRelPath = path_1.default.join(extensionRoot, 'skills', 'fraim', 'SKILL.md');
+    const manifest = readJsonObject(repoRoot, manifestRelPath, result);
+    assertFile(repoRoot, path_1.default.join(geminiRoot, 'README.md'), result);
+    assertFile(repoRoot, path_1.default.join(extensionRoot, 'GEMINI.md'), result);
+    assertFile(repoRoot, commandRelPath, result);
+    validateCodexSkill(repoRoot, skillRelPath, result);
+    if (!manifest)
+        return;
+    assertEqual(manifest.name, 'fraim', manifestRelPath, 'name', result);
+    assertEqual(manifest.version, targetDetails.productVersion, manifestRelPath, 'version', result);
+    assertEqual(manifest.contextFileName, 'GEMINI.md', manifestRelPath, 'contextFileName', result);
+    const servers = asObject(manifest.mcpServers);
+    const fraimServer = asObject(servers?.fraim);
+    if (!fraimServer) {
+        addIssue(result.errors, manifestRelPath, 'mcpServers.fraim must be configured');
+        return;
+    }
+    assertEqual(fraimServer.httpUrl, targetDetails.remoteMcpUrl, manifestRelPath, 'mcpServers.fraim.httpUrl', result);
+    if ('headers' in fraimServer || 'env' in fraimServer) {
+        addIssue(result.errors, manifestRelPath, 'mcpServers.fraim must not embed credentials');
+    }
+}
+function validateMarketplaceBundles(repoRoot = process.cwd()) {
+    const result = makeResult();
+    assertFile(repoRoot, path_1.default.join(TARGET_ROOT, 'README.md'), result);
+    assertFile(repoRoot, ACCEPTANCE_EVIDENCE_PATH, result);
+    const targetDetails = validateTargetMatrix(repoRoot, result);
+    validateOpenAiPacket(repoRoot, result, targetDetails);
+    validatePolicyPages(repoRoot, result);
+    validateCodexPackage(repoRoot, result, targetDetails);
+    validateMcpRegistryPackage(repoRoot, result, targetDetails);
+    validateCursorPackage(repoRoot, result, targetDetails);
+    validateCopilotPackage(repoRoot, result, targetDetails);
+    validateGeminiPackage(repoRoot, result, targetDetails);
+    scanForSecrets(repoRoot, TARGET_ROOT, result);
+    scanForSecrets(repoRoot, ROOT_CURSOR_MARKETPLACE_PATH, result);
+    scanForSecrets(repoRoot, ROOT_COPILOT_MARKETPLACE_PATH, result);
+    scanForSecrets(repoRoot, ACCEPTANCE_EVIDENCE_PATH, result);
+    for (const policyPagePath of POLICY_PAGE_PATHS) {
+        scanForSecrets(repoRoot, policyPagePath, result);
+    }
+    result.checkedFiles.sort();
+    result.errors.sort((a, b) => `${a.path}:${a.message}`.localeCompare(`${b.path}:${b.message}`));
+    result.warnings.sort((a, b) => `${a.path}:${a.message}`.localeCompare(`${b.path}:${b.message}`));
+    result.ok = result.errors.length === 0;
+    return result;
+}

package/dist/src/cli/fraim.js

@@ -44,6 +44,7 @@ const list_1 = require("./commands/list");
 const setup_1 = require("./commands/setup");
 const init_project_1 = require("./commands/init-project");
 const add_ide_1 = require("./commands/add-ide");
+const add_surface_1 = require("./commands/add-surface");
 const add_provider_1 = require("./commands/add-provider");
 const override_1 = require("./commands/override");
 const list_overridable_1 = require("./commands/list-overridable");
@@ -89,6 +90,7 @@ program.addCommand(list_1.listCommand);
 program.addCommand(setup_1.setupCommand);
 program.addCommand(init_project_1.initProjectCommand);
 program.addCommand(add_ide_1.addIDECommand);
+program.addCommand(add_surface_1.addSurfaceCommand);
 program.addCommand(add_provider_1.addProviderCommand);
 program.addCommand(override_1.overrideCommand);
 program.addCommand(list_overridable_1.listOverridableCommand);

package/dist/src/cli/mcp/ide-formats.js

@@ -219,12 +219,14 @@ class CodexFormat {
         for (const [key, server] of servers) {
             if (server.url) {
                 // HTTP server
-                const token = server.headers?.Authorization?.replace('Bearer ', '') || '';
-                const escapedToken = this.escapeToml(token);
+                const authHeader = server.headers?.Authorization;
                 const escapedUrl = this.escapeToml(server.url);
                 sections.push(`[mcp_servers.${key}]`);
                 sections.push(`url = "${escapedUrl}"`);
-                sections.push(`http_headers = { Authorization = "Bearer ${escapedToken}" }`);
+                // OAuth-first providers (e.g. GitHub) have no Authorization header — IDE manages auth
+                if (authHeader) {
+                    sections.push(`http_headers = { Authorization = "${this.escapeToml(authHeader)}" }`);
+                }
                 sections.push('');
             }
             else {

package/dist/src/cli/mcp/mcp-server-registry.js

@@ -81,18 +81,25 @@ async function buildProviderMCPServer(providerId, token, config) {
     }
 }
 /**
- * Build an HTTP MCP server
+ * Build an HTTP MCP server.
+ * When authHeaderTemplate is absent the provider uses IDE-native OAuth (e.g. GitHub);
+ * write a URL-only entry so the IDE handles the OAuth flow on first tool use.
  */
 function buildHTTPServer(mcpConfig, token) {
     if (!mcpConfig.url) {
         throw new Error('HTTP MCP server requires url');
     }
-    const authHeader = mcpConfig.authHeaderTemplate?.replace('{token}', token) || `Bearer ${token}`;
+    if (!mcpConfig.authHeaderTemplate) {
+        return {
+            type: 'http',
+            url: mcpConfig.url
+        };
+    }
     return {
         type: 'http',
         url: mcpConfig.url,
         headers: {
-            Authorization: authHeader
+            Authorization: mcpConfig.authHeaderTemplate.replace('{token}', token)
         }
     };
 }

package/dist/src/cli/providers/local-provider-registry.js

@@ -22,12 +22,11 @@ const LOCAL_PROVIDERS = [
         description: 'GitHub repository and issue management',
         capabilities: ['code', 'issues', 'integrated'],
         docsUrl: 'https://docs.github.com',
-        setupInstructions: 'Create a Personal Access Token at https://github.com/settings/tokens',
+        setupInstructions: 'Run "fraim add-provider github" — your IDE handles OAuth automatically on first use',
         hasAdditionalConfig: false,
         mcpServer: {
             type: 'http',
-            url: 'https://api.githubcopilot.com/mcp/',
-            authHeaderTemplate: 'Bearer {token}'
+            url: 'https://api.githubcopilot.com/mcp/'
         }
     },
     {