guardrail-core 1.0.0 → 2.0.0

package/dist/__tests__/autopilot-enterprise.test.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Autopilot Enterprise Workflow Tests
+ *
+ * Tests for git integration, partial apply, rollback, and human-in-loop features.
+ */
+export {};
+//# sourceMappingURL=autopilot-enterprise.test.d.ts.map

package/dist/__tests__/autopilot-enterprise.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"autopilot-enterprise.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/autopilot-enterprise.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}

package/dist/__tests__/autopilot-enterprise.test.js

@@ -0,0 +1,334 @@
+"use strict";
+/**
+ * Autopilot Enterprise Workflow Tests
+ *
+ * Tests for git integration, partial apply, rollback, and human-in-loop features.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const child_process_1 = require("child_process");
+const autopilot_runner_1 = require("../autopilot/autopilot-runner");
+describe('Autopilot Enterprise Workflow', () => {
+    let testDir;
+    let runner;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'autopilot-test-'));
+        runner = new autopilot_runner_1.AutopilotRunner();
+        process.env['GUARDRAIL_SKIP_ENTITLEMENTS'] = '1';
+    });
+    afterEach(() => {
+        if (fs.existsSync(testDir)) {
+            fs.rmSync(testDir, { recursive: true, force: true });
+        }
+        delete process.env['GUARDRAIL_SKIP_ENTITLEMENTS'];
+    });
+    describe('Git Integration', () => {
+        it('should create branch with format guardrail/autopilot-<runId>', async () => {
+            (0, child_process_1.execSync)('git init', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git config user.email "test@test.com"', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git config user.name "Test User"', { cwd: testDir, stdio: 'pipe' });
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");');
+            (0, child_process_1.execSync)('git add .', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git commit -m "initial"', { cwd: testDir, stdio: 'pipe' });
+            const options = {
+                projectPath: testDir,
+                mode: 'apply',
+                profile: 'quick',
+                maxFixes: 5,
+                verify: false,
+                dryRun: false,
+            };
+            const result = await runner.run(options);
+            expect(result.gitBranch).toBeDefined();
+            expect(result.gitBranch).toMatch(/^guardrail\/autopilot-[a-f0-9]+$/);
+            const branches = (0, child_process_1.execSync)('git branch', { cwd: testDir, encoding: 'utf8' });
+            expect(branches).toContain(result.gitBranch);
+        });
+        it('should commit changes with summary and runId', async () => {
+            (0, child_process_1.execSync)('git init', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git config user.email "test@test.com"', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git config user.name "Test User"', { cwd: testDir, stdio: 'pipe' });
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");');
+            (0, child_process_1.execSync)('git add .', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git commit -m "initial"', { cwd: testDir, stdio: 'pipe' });
+            const options = {
+                projectPath: testDir,
+                mode: 'apply',
+                profile: 'quick',
+                maxFixes: 5,
+                verify: false,
+                dryRun: false,
+            };
+            const result = await runner.run(options);
+            expect(result.gitCommit).toBeDefined();
+            expect(result.runId).toBeDefined();
+            const commitMsg = (0, child_process_1.execSync)('git log -1 --pretty=%B', { cwd: testDir, encoding: 'utf8' });
+            expect(commitMsg).toContain('Autopilot fixes applied');
+            expect(commitMsg).toContain(result.runId);
+        });
+        it('should not create branch in dry-run mode', async () => {
+            (0, child_process_1.execSync)('git init', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git config user.email "test@test.com"', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git config user.name "Test User"', { cwd: testDir, stdio: 'pipe' });
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");');
+            (0, child_process_1.execSync)('git add .', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git commit -m "initial"', { cwd: testDir, stdio: 'pipe' });
+            const options = {
+                projectPath: testDir,
+                mode: 'apply',
+                profile: 'quick',
+                maxFixes: 5,
+                verify: false,
+                dryRun: true,
+            };
+            const result = await runner.run(options);
+            expect(result.gitBranch).toBeUndefined();
+            expect(result.gitCommit).toBeUndefined();
+        });
+    });
+    describe('Partial Apply', () => {
+        it('should apply only specified packs with --pack flag', async () => {
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");\n// TODO: fix this');
+            const planOptions = {
+                projectPath: testDir,
+                mode: 'plan',
+                profile: 'quick',
+                maxFixes: 10,
+            };
+            const planResult = await runner.run(planOptions);
+            expect(planResult.mode).toBe('plan');
+            if (planResult.mode === 'plan' && planResult.packs.length > 0) {
+                const firstPackId = planResult.packs[0].id;
+                const applyOptions = {
+                    projectPath: testDir,
+                    mode: 'apply',
+                    profile: 'quick',
+                    maxFixes: 10,
+                    verify: false,
+                    packIds: [firstPackId],
+                };
+                const result = await runner.run(applyOptions);
+                expect(result.packsAttempted).toBe(1);
+                const appliedPackIds = [...new Set(result.appliedFixes.map(f => f.packId))];
+                expect(appliedPackIds).toContain(firstPackId);
+            }
+        });
+        it('should throw error if specified pack IDs do not exist', async () => {
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");');
+            const options = {
+                projectPath: testDir,
+                mode: 'apply',
+                profile: 'quick',
+                maxFixes: 5,
+                verify: false,
+                packIds: ['non-existent-pack-id'],
+            };
+            await expect(runner.run(options)).rejects.toThrow('No packs found matching IDs');
+        });
+        it('should support multiple --pack flags', async () => {
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");\nconsole.warn("warning");');
+            const planOptions = {
+                projectPath: testDir,
+                mode: 'plan',
+                profile: 'quick',
+                maxFixes: 10,
+            };
+            const planResult = await runner.run(planOptions);
+            if (planResult.mode === 'plan' && planResult.packs.length >= 2) {
+                const packIds = planResult.packs.slice(0, 2).map(p => p.id);
+                const applyOptions = {
+                    projectPath: testDir,
+                    mode: 'apply',
+                    profile: 'quick',
+                    maxFixes: 10,
+                    verify: false,
+                    packIds,
+                };
+                const result = await runner.run(applyOptions);
+                expect(result.packsAttempted).toBeLessThanOrEqual(2);
+            }
+        });
+    });
+    describe('Rollback', () => {
+        it('should rollback using git reset when branch exists', async () => {
+            (0, child_process_1.execSync)('git init', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git config user.email "test@test.com"', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git config user.name "Test User"', { cwd: testDir, stdio: 'pipe' });
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");');
+            (0, child_process_1.execSync)('git add .', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git commit -m "initial"', { cwd: testDir, stdio: 'pipe' });
+            const applyOptions = {
+                projectPath: testDir,
+                mode: 'apply',
+                profile: 'quick',
+                maxFixes: 5,
+                verify: false,
+                dryRun: false,
+            };
+            const applyResult = await runner.run(applyOptions);
+            const runId = applyResult.runId;
+            const rollbackOptions = {
+                projectPath: testDir,
+                mode: 'rollback',
+                runId,
+            };
+            const rollbackResult = await runner.run(rollbackOptions);
+            expect(rollbackResult.mode).toBe('rollback');
+            expect(rollbackResult.success).toBe(true);
+            expect(rollbackResult.method).toBe('git-reset');
+            expect(rollbackResult.message).toContain('Successfully rolled back');
+        });
+        it('should rollback using backup restore when git not available', async () => {
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");');
+            const applyOptions = {
+                projectPath: testDir,
+                mode: 'apply',
+                profile: 'quick',
+                maxFixes: 5,
+                verify: false,
+                dryRun: false,
+            };
+            const applyResult = await runner.run(applyOptions);
+            const runId = applyResult.runId;
+            const rollbackOptions = {
+                projectPath: testDir,
+                mode: 'rollback',
+                runId,
+            };
+            const rollbackResult = await runner.run(rollbackOptions);
+            expect(rollbackResult.mode).toBe('rollback');
+            expect(rollbackResult.method).toBe('backup-restore');
+        });
+        it('should require runId for rollback', async () => {
+            const options = {
+                projectPath: testDir,
+                mode: 'rollback',
+            };
+            await expect(runner.run(options)).rejects.toThrow('runId is required for rollback');
+        });
+        it('should fail rollback when runId not found', async () => {
+            const options = {
+                projectPath: testDir,
+                mode: 'rollback',
+                runId: 'non-existent-run-id',
+            };
+            const result = await runner.run(options);
+            expect(result.success).toBe(false);
+            expect(result.message).toContain('Rollback failed');
+        });
+    });
+    describe('Human-in-the-Loop', () => {
+        it('should skip high-risk packs without --force in non-interactive mode', async () => {
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");');
+            const options = {
+                projectPath: testDir,
+                mode: 'apply',
+                profile: 'quick',
+                maxFixes: 5,
+                verify: false,
+                force: false,
+                interactive: false,
+            };
+            const result = await runner.run(options);
+            const highRiskErrors = result.errors.filter(e => e.includes('high risk'));
+            if (highRiskErrors.length > 0) {
+                expect(result.packsFailed).toBeGreaterThan(0);
+            }
+        });
+        it('should apply high-risk packs with --force flag', async () => {
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");');
+            const options = {
+                projectPath: testDir,
+                mode: 'apply',
+                profile: 'quick',
+                maxFixes: 5,
+                verify: false,
+                force: true,
+            };
+            const result = await runner.run(options);
+            const highRiskSkipped = result.errors.filter(e => e.includes('high risk, user declined'));
+            expect(highRiskSkipped.length).toBe(0);
+        });
+        it('should prompt in interactive mode for high-risk packs', async () => {
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");');
+            const options = {
+                projectPath: testDir,
+                mode: 'apply',
+                profile: 'quick',
+                maxFixes: 5,
+                verify: false,
+                interactive: true,
+            };
+            const result = await runner.run(options);
+            expect(result).toBeDefined();
+        });
+    });
+    describe('Branch Naming', () => {
+        it('should use consistent branch naming format', async () => {
+            (0, child_process_1.execSync)('git init', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git config user.email "test@test.com"', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git config user.name "Test User"', { cwd: testDir, stdio: 'pipe' });
+            const testFile = path.join(testDir, 'test.ts');
+            fs.writeFileSync(testFile, 'console.log("test");');
+            (0, child_process_1.execSync)('git add .', { cwd: testDir, stdio: 'pipe' });
+            (0, child_process_1.execSync)('git commit -m "initial"', { cwd: testDir, stdio: 'pipe' });
+            const runId = 'abc123def456';
+            const options = {
+                projectPath: testDir,
+                mode: 'apply',
+                profile: 'quick',
+                maxFixes: 5,
+                verify: false,
+                runId,
+            };
+            const result = await runner.run(options);
+            expect(result.gitBranch).toBe(`guardrail/autopilot-${runId}`);
+        });
+    });
+});

package/dist/autopilot/autopilot-runner.d.ts

@@ -12,10 +12,12 @@
 import { AutopilotOptions, AutopilotResult, AutopilotFinding, AutopilotFixPack } from './types';
 export declare class AutopilotRunner {
     private tempDir;
+    private backupDir;
     constructor();
     run(options: AutopilotOptions): Promise<AutopilotResult>;
     private runPlan;
     private runApply;
+    private runRollback;
     private runScan;
     groupIntoFixPacks(findings: AutopilotFinding[], maxFixes?: number): AutopilotFixPack[];
     private getCategoryName;
@@ -27,6 +29,13 @@ export declare class AutopilotRunner {
     private applyToProject;
     private cleanupWorkspace;
     private findSourceFiles;
+    private isGitRepository;
+    private createGitBranch;
+    private gitBranchExists;
+    private commitChanges;
+    private createBackup;
+    private restoreBackup;
+    private confirmHighRiskPack;
 }
 export declare const autopilotRunner: AutopilotRunner;
 export declare const runAutopilot: (options: AutopilotOptions) => Promise<AutopilotResult>;

package/dist/autopilot/autopilot-runner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"autopilot-runner.d.ts","sourceRoot":"","sources":["../../src/autopilot/autopilot-runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,OAAO,EACL,gBAAgB,EAChB,eAAe,EAGf,gBAAgB,EAChB,gBAAgB,EAMjB,MAAM,SAAS,CAAC;AAKjB,qBAAa,eAAe;IAC1B,OAAO,CAAC,OAAO,CAAS;;IAMlB,GAAG,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;YAiBhD,OAAO;YAoCP,QAAQ;YAyHR,OAAO;IA2ErB,iBAAiB,CAAC,QAAQ,EAAE,gBAAgB,EAAE,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,gBAAgB,EAAE;IAkCtF,OAAO,CAAC,eAAe;IAavB,OAAO,CAAC,sBAAsB;YAahB,mBAAmB;YAyBnB,WAAW;YAkBX,YAAY;YA4BZ,eAAe;YAiCf,cAAc;YAgBd,gBAAgB;IAY9B,OAAO,CAAC,eAAe;CAiBxB;AAED,eAAO,MAAM,eAAe,iBAAwB,CAAC;AACrD,eAAO,MAAM,YAAY,GAAI,SAAS,gBAAgB,6BAAiC,CAAC"}
+{"version":3,"file":"autopilot-runner.d.ts","sourceRoot":"","sources":["../../src/autopilot/autopilot-runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,OAAO,EACL,gBAAgB,EAChB,eAAe,EAIf,gBAAgB,EAChB,gBAAgB,EAMjB,MAAM,SAAS,CAAC;AAKjB,qBAAa,eAAe;IAC1B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,SAAS,CAAS;;IAOpB,GAAG,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;YAmBhD,OAAO;YAoCP,QAAQ;YAkKR,WAAW;YA2DX,OAAO;IA2ErB,iBAAiB,CAAC,QAAQ,EAAE,gBAAgB,EAAE,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,gBAAgB,EAAE;IAkCtF,OAAO,CAAC,eAAe;IAavB,OAAO,CAAC,sBAAsB;YAahB,mBAAmB;YAyBnB,WAAW;YAkBX,YAAY;YA4BZ,eAAe;YAiCf,cAAc;YAgBd,gBAAgB;IAY9B,OAAO,CAAC,eAAe;IAkBvB,OAAO,CAAC,eAAe;YAST,eAAe;IAU7B,OAAO,CAAC,eAAe;YAST,aAAa;YA0Bb,YAAY;YAeZ,aAAa;YAmBb,mBAAmB;CAOlC;AAED,eAAO,MAAM,eAAe,iBAAwB,CAAC;AACrD,eAAO,MAAM,YAAY,GAAI,SAAS,gBAAgB,6BAAiC,CAAC"}

package/dist/autopilot/autopilot-runner.js

@@ -55,8 +55,10 @@ const entitlements_1 = require("../entitlements");
 const entitlements = new entitlements_1.EntitlementsManager();
 class AutopilotRunner {
     tempDir;
+    backupDir;
     constructor() {
         this.tempDir = path.join(os.tmpdir(), 'guardrail-autopilot');
+        this.backupDir = path.join(os.tmpdir(), 'guardrail-autopilot-backups');
     }
     async run(options) {
         if (process.env['GUARDRAIL_SKIP_ENTITLEMENTS'] !== '1') {
@@ -69,6 +71,9 @@ class AutopilotRunner {
         if (options.mode === 'plan') {
             return this.runPlan(options);
         }
+        else if (options.mode === 'rollback') {
+            return this.runRollback(options);
+        }
         else {
             return this.runApply(options);
         }
@@ -104,16 +109,25 @@ class AutopilotRunner {
     }
     async runApply(options) {
         const startTime = new Date();
+        const runId = options.runId || crypto.randomBytes(8).toString('hex');
         const appliedFixes = [];
         const errors = [];
         let verification = null;
+        let gitBranch;
+        let gitCommit;
         options.onProgress?.('scan', 'Running initial scan...');
         const initialScan = await this.runScan(options.projectPath, options.profile || 'ship');
         if (process.env['GUARDRAIL_SKIP_ENTITLEMENTS'] !== '1') {
             await entitlements.trackUsage('scans', 1);
         }
         options.onProgress?.('group', 'Grouping findings into fix packs...');
-        const packs = this.groupIntoFixPacks(initialScan.findings, options.maxFixes);
+        let packs = this.groupIntoFixPacks(initialScan.findings, options.maxFixes);
+        if (options.packIds && options.packIds.length > 0) {
+            packs = packs.filter(p => options.packIds.includes(p.id));
+            if (packs.length === 0) {
+                throw new Error(`No packs found matching IDs: ${options.packIds.join(', ')}`);
+            }
+        }
         if (packs.length === 0) {
             return {
                 mode: 'apply',
@@ -133,6 +147,12 @@ class AutopilotRunner {
                 errors: ['No fixable issues found'],
             };
         }
+        const isGitRepo = this.isGitRepository(options.projectPath);
+        if (isGitRepo && !options.dryRun) {
+            options.onProgress?.('git', 'Creating git branch...');
+            gitBranch = await this.createGitBranch(options.projectPath, runId);
+            await this.createBackup(options.projectPath, runId);
+        }
         let workspacePath = null;
         let packsSucceeded = 0;
         let packsFailed = 0;
@@ -140,6 +160,14 @@ class AutopilotRunner {
             options.onProgress?.('workspace', 'Creating temp workspace...');
             workspacePath = await this.createTempWorkspace(options.projectPath, options.branchStrategy);
             for (const pack of packs) {
+                if (pack.estimatedRisk === 'high' && !options.force) {
+                    const shouldApply = await this.confirmHighRiskPack(pack, options.interactive);
+                    if (!shouldApply) {
+                        errors.push(`Pack ${pack.id} skipped: high risk, user declined`);
+                        packsFailed++;
+                        continue;
+                    }
+                }
                 options.onProgress?.('fix', `Applying ${pack.name}...`);
                 try {
                     const fixes = await this.applyFixPack(workspacePath, pack, options);
@@ -163,6 +191,10 @@ class AutopilotRunner {
                 if (verification.passed && !options.dryRun) {
                     options.onProgress?.('apply', 'Applying changes to project...');
                     await this.applyToProject(options.projectPath, workspacePath);
+                    if (isGitRepo && gitBranch) {
+                        options.onProgress?.('git', 'Committing changes...');
+                        gitCommit = await this.commitChanges(options.projectPath, runId, appliedFixes);
+                    }
                     if (process.env['GUARDRAIL_SKIP_ENTITLEMENTS'] !== '1') {
                         await entitlements.trackUsage('fixRuns', appliedFixes.filter(f => f.success).length);
                     }
@@ -171,6 +203,10 @@ class AutopilotRunner {
             else if (!options.dryRun) {
                 options.onProgress?.('apply', 'Applying changes (unverified)...');
                 await this.applyToProject(options.projectPath, workspacePath);
+                if (isGitRepo && gitBranch) {
+                    options.onProgress?.('git', 'Committing changes...');
+                    gitCommit = await this.commitChanges(options.projectPath, runId, appliedFixes);
+                }
                 if (process.env['GUARDRAIL_SKIP_ENTITLEMENTS'] !== '1') {
                     await entitlements.trackUsage('fixRuns', appliedFixes.filter(f => f.success).length);
                 }
@@ -209,6 +245,67 @@ class AutopilotRunner {
             remainingFindings,
             newScanVerdict,
             errors,
+            runId,
+            gitBranch,
+            gitCommit,
+        };
+    }
+    async runRollback(options) {
+        if (!options.runId) {
+            throw new Error('runId is required for rollback');
+        }
+        const isGitRepo = this.isGitRepository(options.projectPath);
+        const backupPath = path.join(this.backupDir, options.runId);
+        const hasBackup = fs.existsSync(backupPath);
+        let method;
+        let success = false;
+        let message = '';
+        try {
+            if (isGitRepo) {
+                const branchName = `guardrail/autopilot-${options.runId}`;
+                const branchExists = this.gitBranchExists(options.projectPath, branchName);
+                if (branchExists) {
+                    options.onProgress?.('rollback', 'Rolling back via git reset...');
+                    (0, child_process_1.execSync)('git checkout -', { cwd: options.projectPath, stdio: 'pipe' });
+                    (0, child_process_1.execSync)(`git branch -D ${branchName}`, { cwd: options.projectPath, stdio: 'pipe' });
+                    method = 'git-reset';
+                    success = true;
+                    message = `Successfully rolled back git branch ${branchName}`;
+                }
+                else if (hasBackup) {
+                    options.onProgress?.('rollback', 'Rolling back via backup restore...');
+                    await this.restoreBackup(options.projectPath, options.runId);
+                    method = 'backup-restore';
+                    success = true;
+                    message = `Successfully restored from backup`;
+                }
+                else {
+                    throw new Error(`No git branch or backup found for runId: ${options.runId}`);
+                }
+            }
+            else if (hasBackup) {
+                options.onProgress?.('rollback', 'Rolling back via backup restore...');
+                await this.restoreBackup(options.projectPath, options.runId);
+                method = 'backup-restore';
+                success = true;
+                message = `Successfully restored from backup`;
+            }
+            else {
+                throw new Error(`No backup found for runId: ${options.runId}`);
+            }
+        }
+        catch (e) {
+            method = isGitRepo ? 'git-reset' : 'backup-restore';
+            message = `Rollback failed: ${e.message}`;
+        }
+        return {
+            mode: 'rollback',
+            projectPath: options.projectPath,
+            runId: options.runId,
+            timestamp: new Date().toISOString(),
+            success,
+            method,
+            message,
         };
     }
     async runScan(projectPath, _profile) {
@@ -472,6 +569,90 @@ class AutopilotRunner {
         }
         return files;
     }
+    isGitRepository(projectPath) {
+        try {
+            const gitDir = path.join(projectPath, '.git');
+            return fs.existsSync(gitDir);
+        }
+        catch {
+            return false;
+        }
+    }
+    async createGitBranch(projectPath, runId) {
+        const branchName = `guardrail/autopilot-${runId}`;
+        try {
+            (0, child_process_1.execSync)(`git checkout -b ${branchName}`, { cwd: projectPath, stdio: 'pipe' });
+            return branchName;
+        }
+        catch (e) {
+            throw new Error(`Failed to create git branch: ${e.message}`);
+        }
+    }
+    gitBranchExists(projectPath, branchName) {
+        try {
+            const branches = (0, child_process_1.execSync)('git branch --list', { cwd: projectPath, encoding: 'utf8' });
+            return branches.includes(branchName);
+        }
+        catch {
+            return false;
+        }
+    }
+    async commitChanges(projectPath, runId, fixes) {
+        try {
+            const successCount = fixes.filter(f => f.success).length;
+            const packIds = [...new Set(fixes.map(f => f.packId))];
+            const summary = `Autopilot fixes applied (runId: ${runId})`;
+            const details = [
+                ``,
+                `Applied ${successCount} fixes across ${packIds.length} pack(s)`,
+                ``,
+                `Packs:`,
+                ...packIds.map(id => `- ${id}`),
+                ``,
+                `Generated by Guardrail Autopilot`,
+            ].join('\n');
+            (0, child_process_1.execSync)('git add -A', { cwd: projectPath, stdio: 'pipe' });
+            (0, child_process_1.execSync)(`git commit -m "${summary}" -m "${details}"`, { cwd: projectPath, stdio: 'pipe' });
+            const commit = (0, child_process_1.execSync)('git rev-parse HEAD', { cwd: projectPath, encoding: 'utf8' }).trim();
+            return commit;
+        }
+        catch (e) {
+            throw new Error(`Failed to commit changes: ${e.message}`);
+        }
+    }
+    async createBackup(projectPath, runId) {
+        const backupPath = path.join(this.backupDir, runId);
+        await fs.promises.mkdir(backupPath, { recursive: true });
+        const files = this.findSourceFiles(projectPath);
+        for (const file of files) {
+            const relPath = path.relative(projectPath, file);
+            const backupFile = path.join(backupPath, relPath);
+            const backupFileDir = path.dirname(backupFile);
+            await fs.promises.mkdir(backupFileDir, { recursive: true });
+            await fs.promises.copyFile(file, backupFile);
+        }
+    }
+    async restoreBackup(projectPath, runId) {
+        const backupPath = path.join(this.backupDir, runId);
+        if (!fs.existsSync(backupPath)) {
+            throw new Error(`Backup not found for runId: ${runId}`);
+        }
+        const files = this.findSourceFiles(backupPath);
+        for (const file of files) {
+            const relPath = path.relative(backupPath, file);
+            const projectFile = path.join(projectPath, relPath);
+            const projectFileDir = path.dirname(projectFile);
+            await fs.promises.mkdir(projectFileDir, { recursive: true });
+            await fs.promises.copyFile(file, projectFile);
+        }
+        await fs.promises.rm(backupPath, { recursive: true, force: true });
+    }
+    async confirmHighRiskPack(_pack, interactive) {
+        if (!interactive) {
+            return false;
+        }
+        return true;
+    }
 }
 exports.AutopilotRunner = AutopilotRunner;
 exports.autopilotRunner = new AutopilotRunner();

package/dist/autopilot/types.d.ts

@@ -4,7 +4,7 @@
  * Type definitions for the Autopilot batch remediation system.
  * PRO/COMPLIANCE+ feature.
  */
-export type AutopilotMode = 'plan' | 'apply';
+export type AutopilotMode = 'plan' | 'apply' | 'rollback';
 export type AutopilotFixPackCategory = 'security' | 'quality' | 'type-errors' | 'build-blockers' | 'test-failures' | 'placeholders' | 'route-integrity';
 export interface AutopilotFinding {
     id: string;
@@ -35,6 +35,10 @@ export interface AutopilotOptions {
     dryRun?: boolean;
     json?: boolean;
     onProgress?: (stage: string, message: string) => void;
+    packIds?: string[];
+    runId?: string;
+    force?: boolean;
+    interactive?: boolean;
 }
 export interface AutopilotVerificationResult {
     passed: boolean;
@@ -90,8 +94,20 @@ export interface AutopilotApplyResult {
     remainingFindings: number;
     newScanVerdict: 'pass' | 'fail' | 'skipped';
     errors: string[];
+    runId?: string;
+    gitBranch?: string;
+    gitCommit?: string;
 }
-export type AutopilotResult = AutopilotPlanResult | AutopilotApplyResult;
+export interface AutopilotRollbackResult {
+    mode: 'rollback';
+    projectPath: string;
+    runId: string;
+    timestamp: string;
+    success: boolean;
+    method: 'git-reset' | 'backup-restore';
+    message: string;
+}
+export type AutopilotResult = AutopilotPlanResult | AutopilotApplyResult | AutopilotRollbackResult;
 export interface AutopilotScanResult {
     findings: AutopilotFinding[];
     score: number;