guardvibe 2.5.0 → 2.7.3

package/build/cli/init.js

@@ -0,0 +1,214 @@
+/**
+ * CLI: guardvibe init <platform>
+ * Sets up MCP server configuration for AI coding hosts.
+ */
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { join, dirname } from "path";
+import { homedir } from "os";
+const GUARDVIBE_MCP_CONFIG = {
+    command: "npx",
+    args: ["-y", "guardvibe"],
+};
+const platforms = {
+    claude: {
+        path: join(process.cwd(), ".claude.json"),
+        description: "Claude Code (.claude.json)",
+    },
+    gemini: {
+        path: join(homedir(), ".gemini", "settings.json"),
+        description: "Gemini CLI (~/.gemini/settings.json)",
+    },
+    cursor: {
+        path: join(process.cwd(), ".cursor", "mcp.json"),
+        description: "Cursor (.cursor/mcp.json)",
+    },
+};
+const SECURITY_RULES = `## Security Rules (enforced by GuardVibe MCP)
+
+### Mandatory checks
+- AFTER writing any API route, Server Action, or database query: use the guardvibe scan_file MCP tool on the file
+- BEFORE committing: use the guardvibe scan_staged MCP tool
+- When GuardVibe reports HIGH or CRITICAL: fix immediately before moving on
+- BEFORE creating a PR: use scan_changed_files to review all changes
+
+### Scan visibility — ALWAYS report GuardVibe results to the user
+- AFTER every scan: ALWAYS tell the user the GuardVibe result, even when clean
+- When issues found: "GuardVibe: [count] issues found ([severity]). Fixing..."
+- When clean: "GuardVibe: scanned [filename] — no issues found."
+- Include the summary stats line from scan output when present
+- NEVER silently consume scan results — the user must see that GuardVibe is protecting their code
+- Periodically (every ~10 scans or at session start): run security_stats tool and share the dashboard with the user
+
+### Writing secure code
+- Every API route handler MUST have auth check before DB access
+- Every POST endpoint MUST have input validation (zod/joi schema)
+- Never pass user input to innerHTML, eval, exec, or raw SQL
+- Never pass user-controlled URLs to fetch() without allowlist validation
+- Always use select: in Prisma/Drizzle queries from Server Actions (never return full objects to client)
+- Always validate redirect URLs against trusted domain allowlist
+- Set security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
+- Verify webhook signatures before processing events
+- Use parameterized queries, never string concatenation/template literals for SQL
+
+### When in doubt
+- Use the guardvibe explain_remediation MCP tool with the rule ID for detailed fix guidance
+- Use the guardvibe check_code MCP tool to verify a code snippet is secure before applying
+`;
+function readJsonFile(filePath) {
+    try {
+        const content = readFileSync(filePath, "utf-8");
+        return JSON.parse(content);
+    }
+    catch {
+        return null;
+    }
+}
+function writeJsonFile(filePath, data) {
+    const dir = dirname(filePath);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+    }
+    writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n", "utf-8");
+}
+function addToGitignore(entries) {
+    const gitignorePath = join(process.cwd(), ".gitignore");
+    let content = "";
+    try {
+        content = readFileSync(gitignorePath, "utf-8");
+    }
+    catch { /* no .gitignore yet */ }
+    const missing = entries.filter(e => !content.split("\n").some(line => line.trim() === e));
+    if (missing.length === 0)
+        return;
+    const block = `\n# GuardVibe (auto-added by guardvibe init)\n${missing.join("\n")}\n`;
+    writeFileSync(gitignorePath, content.trimEnd() + block, "utf-8");
+    console.log(`  [OK] Added ${missing.join(", ")} to .gitignore`);
+}
+function setupClaudeGuide() {
+    const claudeSettingsDir = join(process.cwd(), ".claude");
+    if (!existsSync(claudeSettingsDir))
+        mkdirSync(claudeSettingsDir, { recursive: true });
+    const claudeSettingsPath = join(claudeSettingsDir, "settings.json");
+    const existingSettings = readJsonFile(claudeSettingsPath) || {};
+    if (!existingSettings.hooks)
+        existingSettings.hooks = {};
+    if (!existingSettings.hooks.PostToolUse) {
+        existingSettings.hooks.PostToolUse = [
+            {
+                matcher: "Edit|Write",
+                hooks: [{
+                        type: "command",
+                        command: "jq -r '.tool_input.file_path' | xargs npx -y guardvibe check --format buddy 2>/dev/null || true"
+                    }]
+            }
+        ];
+    }
+    writeJsonFile(claudeSettingsPath, existingSettings);
+    console.log(`  [OK] Claude Code hooks configured (.claude/settings.json)`);
+    const claudeMdPath = join(process.cwd(), "CLAUDE.md");
+    if (existsSync(claudeMdPath)) {
+        const content = readFileSync(claudeMdPath, "utf-8");
+        if (!content.includes("GuardVibe")) {
+            writeFileSync(claudeMdPath, content + "\n" + SECURITY_RULES, "utf-8");
+            console.log(`  [OK] GuardVibe rules added to CLAUDE.md`);
+        }
+    }
+    else {
+        writeFileSync(claudeMdPath, `# Project Guidelines\n\n${SECURITY_RULES}`, "utf-8");
+        console.log(`  [OK] Created CLAUDE.md with security rules`);
+    }
+}
+function setupCursorGuide() {
+    const cursorrules = join(process.cwd(), ".cursorrules");
+    if (existsSync(cursorrules)) {
+        const content = readFileSync(cursorrules, "utf-8");
+        if (!content.includes("GuardVibe")) {
+            writeFileSync(cursorrules, content + "\n" + SECURITY_RULES, "utf-8");
+            console.log(`  [OK] GuardVibe rules added to .cursorrules`);
+        }
+    }
+    else {
+        writeFileSync(cursorrules, SECURITY_RULES, "utf-8");
+        console.log(`  [OK] Created .cursorrules with security rules`);
+    }
+}
+function setupGeminiGuide() {
+    const geminiMd = join(process.cwd(), "GEMINI.md");
+    if (existsSync(geminiMd)) {
+        const content = readFileSync(geminiMd, "utf-8");
+        if (!content.includes("GuardVibe")) {
+            writeFileSync(geminiMd, content + "\n" + SECURITY_RULES, "utf-8");
+            console.log(`  [OK] GuardVibe rules added to GEMINI.md`);
+        }
+    }
+    else {
+        writeFileSync(geminiMd, `# Project Guidelines\n\n${SECURITY_RULES}`, "utf-8");
+        console.log(`  [OK] Created GEMINI.md with security rules`);
+    }
+}
+function setupSecurityGuide(platformName) {
+    if (platformName === "claude")
+        setupClaudeGuide();
+    else if (platformName === "cursor")
+        setupCursorGuide();
+    else if (platformName === "gemini")
+        setupGeminiGuide();
+    const gitignoreEntries = {
+        claude: [".claude.json", ".claude/", "CLAUDE.md"],
+        cursor: [".cursor/", ".cursorrules"],
+        gemini: ["GEMINI.md"],
+    };
+    const entries = gitignoreEntries[platformName] || [];
+    entries.push(".guardvibe/");
+    if (entries.length > 0)
+        addToGitignore(entries);
+}
+function setupPlatform(name) {
+    const platform = platforms[name];
+    if (!platform)
+        return false;
+    const existing = readJsonFile(platform.path);
+    if (existing) {
+        if (!existing.mcpServers) {
+            existing.mcpServers = {};
+        }
+        if (existing.mcpServers["guardvibe"]) {
+            console.log(`  [OK] GuardVibe already configured in ${platform.description}`);
+            setupSecurityGuide(name);
+            return true;
+        }
+        existing.mcpServers["guardvibe"] = GUARDVIBE_MCP_CONFIG;
+        writeJsonFile(platform.path, existing);
+    }
+    else {
+        writeJsonFile(platform.path, {
+            mcpServers: {
+                guardvibe: GUARDVIBE_MCP_CONFIG,
+            },
+        });
+    }
+    console.log(`  [OK] Added MCP server to ${platform.description}`);
+    setupSecurityGuide(name);
+    return true;
+}
+export function runInit(args) {
+    const platform = args[0]?.toLowerCase();
+    if (!platform) {
+        console.error("  [ERR] Please specify a platform: claude, gemini, cursor, or all");
+        process.exit(1);
+    }
+    console.log(`\n  GuardVibe Security Setup\n`);
+    if (platform === "all") {
+        for (const name of Object.keys(platforms)) {
+            setupPlatform(name);
+        }
+    }
+    else if (platforms[platform]) {
+        setupPlatform(platform);
+    }
+    else {
+        console.error(`  [ERR] Unknown platform: ${platform}. Available: claude, gemini, cursor, all`);
+        process.exit(1);
+    }
+    console.log(`\n  [OK] Ready! Start coding securely.\n`);
+}

package/build/cli/remediation.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Host-specific remediation guidance.
+ * Enriches generic findings with platform-tailored fix instructions.
+ */
+import type { HostFinding } from "../server/types.js";
+/**
+ * Enrich a finding's remediation with host-specific fix instructions.
+ * Mutates the finding in place.
+ */
+export declare function enrichRemediation(finding: HostFinding): void;
+/**
+ * Enrich all findings with host-specific remediation.
+ */
+export declare function enrichAllRemediations(findings: HostFinding[]): void;

package/build/cli/remediation.js

@@ -0,0 +1,91 @@
+/**
+ * Host-specific remediation guidance.
+ * Enriches generic findings with platform-tailored fix instructions.
+ */
+const HOST_DETECTION = [
+    { pattern: /\.claude[\\/]|\.claude\.json/i, host: "Claude" },
+    { pattern: /\.cursor[\\/]/i, host: "Cursor" },
+    { pattern: /\.vscode[\\/]/i, host: "VS Code" },
+    { pattern: /\.gemini[\\/]/i, host: "Gemini" },
+    { pattern: /\.codeium[\\/]|windsurf/i, host: "Windsurf" },
+    { pattern: /\.(bashrc|zshrc|profile|bash_profile|zprofile)$/i, host: "Shell" },
+    { pattern: /\.env(\.\w+)?$/i, host: "Env" },
+];
+function detectHost(file) {
+    if (!file)
+        return null;
+    for (const { pattern, host } of HOST_DETECTION) {
+        if (pattern.test(file))
+            return host;
+    }
+    return null;
+}
+// Platform-specific fix instructions per rule ID
+const HOST_REMEDIATION = {
+    VG882: {
+        Claude: "Edit `.claude/settings.json` or `.claude.json` and remove the `ANTHROPIC_BASE_URL` override from the server's `env` block.",
+        Cursor: "Open Cursor Settings > MCP Servers and remove the base URL override from the server configuration.",
+        "VS Code": "Edit `.vscode/mcp.json` or `.vscode/settings.json` and remove the `ANTHROPIC_BASE_URL` entry from the server's env.",
+        Shell: "Remove the `export ANTHROPIC_BASE_URL=...` line from your shell profile. Restart your terminal.",
+        Env: "Remove the `ANTHROPIC_BASE_URL=...` line from the .env file, or add the URL to `trustedBaseUrls` in `.guardviberc`.",
+    },
+    VG883: {
+        Shell: "Remove the `export OPENAI_BASE_URL=...` line from your shell profile. Restart your terminal.",
+        Env: "Remove the `OPENAI_BASE_URL=...` line from the .env file, or add the URL to `trustedBaseUrls` in `.guardviberc`.",
+    },
+    VG884: {
+        Claude: "Edit `.claude/settings.json` > `hooks` section. Replace shell pipes and metacharacters with a simple command. Example:\n  Before: `\"command\": \"curl ... | bash\"`\n  After:  `\"command\": \"npx -y guardvibe check\"`",
+    },
+    VG885: {
+        Claude: "Edit `.claude.json` > `permissions` > `allow` and replace the wildcard `\"*\"` with specific tool names your workflow needs.",
+        Cursor: "Open `.cursor/mcp.json` and restrict `allowedTools` to only the tools you use.",
+        "VS Code": "Edit `.vscode/mcp.json` and restrict `allowedTools` to only the tools you use.",
+    },
+    VG890: {
+        Claude: "Edit `.claude/settings.json` > `hooks` and remove any commands that make network requests (curl, wget, nc). Hooks must only perform local operations.",
+    },
+    VG891: {
+        Claude: "Edit `.claude/settings.json` > `hooks` and remove pipe chains to interpreters (| bash, | python, | node). Write a dedicated script file instead.",
+    },
+    VG892: {
+        Claude: "Edit `.claude.json` > `mcpServers` and replace `file://` URLs with npm package references:\n  Before: `\"url\": \"file:///path/to/server\"`\n  After:  `\"command\": \"npx\", \"args\": [\"-y\", \"package-name\"]`",
+        Cursor: "Edit `.cursor/mcp.json` > `mcpServers` and replace `file://` server URLs with npm packages or HTTPS endpoints.",
+        "VS Code": "Edit `.vscode/mcp.json` and replace `file://` server URLs with npm packages or HTTPS endpoints.",
+    },
+    VG893: {
+        Claude: "Edit `.claude.json` > `permissions` > `allow` and replace broad wildcards (e.g., `Bash(*)`) with specific patterns:\n  Before: `\"Bash(*)\"`\n  After:  `\"Bash(npm test)\", \"Bash(npm run build)\"`",
+    },
+    VG894: {
+        Claude: "Edit `.claude.json` > `mcpServers` and remove references to sensitive paths (.ssh, .aws, .gnupg, /etc). Limit servers to project directory access.",
+        Cursor: "Edit `.cursor/mcp.json` and ensure no MCP server accesses paths outside the project directory.",
+        "VS Code": "Edit `.vscode/mcp.json` and ensure no MCP server accesses paths outside the project directory.",
+    },
+    VG895: {
+        Claude: "Edit `.claude/settings.json` > `hooks` > `PostToolUse` and remove file-modifying commands (cp, mv, rm, chmod). PostToolUse hooks should only observe and report, never modify files.",
+    },
+};
+/**
+ * Enrich a finding's remediation with host-specific fix instructions.
+ * Mutates the finding in place.
+ */
+export function enrichRemediation(finding) {
+    const host = detectHost(finding.file);
+    if (!host)
+        return;
+    const hostFixes = HOST_REMEDIATION[finding.ruleId];
+    if (!hostFixes)
+        return;
+    const specific = hostFixes[host];
+    if (!specific)
+        return;
+    // Append host-specific guidance below generic remediation
+    finding.remediation = `${finding.remediation}\n\n**${host} fix:** ${specific}`;
+}
+/**
+ * Enrich all findings with host-specific remediation.
+ */
+export function enrichAllRemediations(findings) {
+    for (const f of findings) {
+        enrichRemediation(f);
+    }
+}

package/build/cli/scan.d.ts

@@ -0,0 +1,11 @@
+/**
+ * CLI: guardvibe scan [path], guardvibe diff [base], guardvibe check <file>
+ * Also: guardvibe-scan (pre-commit hook / CI entry point)
+ */
+export declare function runScan(): Promise<void>;
+export declare function runDirectoryScan(targetPath: string, flags: Record<string, string | true>): Promise<void>;
+export declare function runDiffScan(base: string, flags: Record<string, string | true>): Promise<void>;
+export declare function runFileCheck(filePath: string, flags: Record<string, string | true>): Promise<void>;
+export declare function handleScanCommand(args: string[]): Promise<void>;
+export declare function handleDiffCommand(args: string[]): Promise<void>;
+export declare function handleCheckCommand(args: string[]): Promise<void>;

package/build/cli/scan.js

@@ -0,0 +1,222 @@
+/**
+ * CLI: guardvibe scan [path], guardvibe diff [base], guardvibe check <file>
+ * Also: guardvibe-scan (pre-commit hook / CI entry point)
+ */
+import { readFileSync, writeFileSync, existsSync, mkdirSync, statSync } from "fs";
+import { resolve, extname, basename, join, dirname } from "path";
+import { parseArgs, shouldFail, validateFormat, getOutputPath, getStringFlag } from "./args.js";
+function safeWriteOutput(outputFile, result) {
+    const dir = dirname(outputFile);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+    }
+    writeFileSync(outputFile, result, "utf-8");
+    console.log(`  [OK] Results written to ${outputFile}`);
+}
+export async function runScan() {
+    const args = process.argv.slice(2);
+    const { flags } = parseArgs(args);
+    const format = validateFormat(flags);
+    const outputFile = getOutputPath(flags);
+    let result;
+    if (format === "sarif") {
+        const { exportSarif } = await import("../tools/export-sarif.js");
+        result = exportSarif(process.cwd());
+    }
+    else {
+        const { scanStaged } = await import("../tools/scan-staged.js");
+        result = scanStaged(process.cwd(), format === "json" ? "json" : "markdown");
+    }
+    if (outputFile) {
+        safeWriteOutput(outputFile, result);
+    }
+    else {
+        console.log(result);
+    }
+    if (format !== "sarif") {
+        const failOn = getStringFlag(flags, "fail-on") ?? "critical";
+        if (shouldFail(result, failOn))
+            process.exit(1);
+    }
+}
+export async function runDirectoryScan(targetPath, flags) {
+    const { scanDirectory } = await import("../tools/scan-directory.js");
+    const format = validateFormat(flags);
+    const outputFile = getOutputPath(flags);
+    const baselinePath = getStringFlag(flags, "baseline");
+    const saveBaseline = flags["save-baseline"] === true || typeof flags["save-baseline"] === "string";
+    const scanPath = resolve(targetPath);
+    let result;
+    if (format === "sarif") {
+        const { exportSarif } = await import("../tools/export-sarif.js");
+        result = exportSarif(scanPath);
+    }
+    else {
+        result = scanDirectory(scanPath, true, [], format === "json" ? "json" : "markdown", undefined, baselinePath ?? undefined);
+    }
+    if (outputFile) {
+        safeWriteOutput(outputFile, result);
+    }
+    else {
+        console.log(result);
+    }
+    if (saveBaseline && format === "json") {
+        const baselineFile = typeof flags["save-baseline"] === "string"
+            ? flags["save-baseline"]
+            : join(scanPath, ".guardvibe-baseline.json");
+        safeWriteOutput(baselineFile, result);
+    }
+    if (format !== "sarif") {
+        const failOn = getStringFlag(flags, "fail-on") ?? "critical";
+        if (shouldFail(result, failOn))
+            process.exit(1);
+    }
+}
+export async function runDiffScan(base, flags) {
+    const { execFileSync } = await import("child_process");
+    const { analyzeCode } = await import("../tools/check-code.js");
+    const { EXTENSION_MAP, CONFIG_FILE_MAP } = await import("../utils/constants.js");
+    const format = validateFormat(flags);
+    const outputFile = getOutputPath(flags);
+    const root = resolve(".");
+    let changedFiles;
+    try {
+        const output = execFileSync("git", ["diff", "--name-only", "--diff-filter=ACMR", base], { cwd: root, encoding: "utf-8" });
+        changedFiles = output.trim().split("\n").filter(Boolean);
+    }
+    catch {
+        console.error("  [ERR] Failed to get git diff. Ensure you're in a git repository.");
+        process.exit(1);
+    }
+    if (changedFiles.length === 0) {
+        console.log("  No changed files to scan.");
+        return;
+    }
+    const allFindings = [];
+    for (const relPath of changedFiles) {
+        const fullPath = resolve(root, relPath);
+        if (!existsSync(fullPath))
+            continue;
+        const ext = extname(relPath).toLowerCase();
+        let language = EXTENSION_MAP[ext];
+        if (!language && basename(relPath).startsWith("Dockerfile"))
+            language = "dockerfile";
+        if (!language)
+            language = CONFIG_FILE_MAP[basename(relPath)];
+        if (!language)
+            continue;
+        try {
+            const content = readFileSync(fullPath, "utf-8");
+            const findings = analyzeCode(content, language, undefined, fullPath, root);
+            for (const f of findings) {
+                allFindings.push({ file: relPath, severity: f.rule.severity, name: f.rule.name, id: f.rule.id, line: f.line, fix: f.rule.fix });
+            }
+        }
+        catch { /* skip */ }
+    }
+    let result;
+    if (format === "json") {
+        const critical = allFindings.filter(f => f.severity === "critical").length;
+        const high = allFindings.filter(f => f.severity === "high").length;
+        const medium = allFindings.filter(f => f.severity === "medium").length;
+        result = JSON.stringify({
+            summary: { total: allFindings.length, critical, high, medium, changedFiles: changedFiles.length, blocked: critical > 0 || high > 0 },
+            findings: allFindings,
+        });
+    }
+    else {
+        const lines = [`# GuardVibe Diff Report`, ``, `Base: ${base}`, `Changed files: ${changedFiles.length}`, `Issues: ${allFindings.length}`, ``];
+        if (allFindings.length === 0) {
+            lines.push(`All changed files passed security checks.`);
+        }
+        else {
+            const sev = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+            allFindings.sort((a, b) => (sev[a.severity] ?? 99) - (sev[b.severity] ?? 99));
+            for (const f of allFindings) {
+                lines.push(`- [${f.severity.toUpperCase()}] **${f.name}** (${f.id}) in ${f.file}:${f.line}`);
+                lines.push(`  Fix: ${f.fix}`);
+            }
+        }
+        result = lines.join("\n");
+    }
+    if (outputFile) {
+        safeWriteOutput(outputFile, result);
+    }
+    else {
+        console.log(result);
+    }
+    const failOn = getStringFlag(flags, "fail-on") ?? "critical";
+    if (failOn !== "none") {
+        const failLevels = {
+            low: ["critical", "high", "medium", "low"],
+            medium: ["critical", "high", "medium"],
+            high: ["critical", "high"],
+            critical: ["critical"],
+        };
+        const levels = failLevels[failOn] || failLevels.critical;
+        if (allFindings.some(f => levels.includes(f.severity)))
+            process.exit(1);
+    }
+}
+export async function runFileCheck(filePath, flags) {
+    const { checkCode } = await import("../tools/check-code.js");
+    const resolved = resolve(filePath);
+    if (!existsSync(resolved)) {
+        console.error(`  [ERR] File not found: ${resolved}`);
+        process.exit(1);
+    }
+    const content = readFileSync(resolved, "utf-8");
+    const ext = extname(resolved).toLowerCase();
+    const extMap = {
+        ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
+        ".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
+        ".py": "python", ".go": "go", ".html": "html", ".sql": "sql",
+        ".sh": "shell", ".bash": "shell", ".yml": "yaml", ".yaml": "yaml",
+        ".tf": "terraform", ".toml": "toml", ".json": "json",
+    };
+    let language = extMap[ext];
+    if (!language && basename(resolved).startsWith("Dockerfile"))
+        language = "dockerfile";
+    if (!language) {
+        console.error(`  [ERR] Unsupported file type: ${ext}`);
+        process.exit(1);
+    }
+    const format = validateFormat(flags);
+    const formatArg = format === "json" ? "json" : format === "buddy" ? "buddy" : "markdown";
+    const result = checkCode(content, language, undefined, resolved, undefined, formatArg);
+    const outputFile = getOutputPath(flags);
+    if (outputFile) {
+        safeWriteOutput(outputFile, result);
+    }
+    else {
+        console.log(result);
+    }
+    const failOn = getStringFlag(flags, "fail-on") ?? "critical";
+    if (shouldFail(result, failOn))
+        process.exit(1);
+}
+export async function handleScanCommand(args) {
+    const { flags, positional } = parseArgs(args);
+    const targetPath = positional[0] ?? ".";
+    if (targetPath !== "." && existsSync(targetPath) && !statSync(targetPath).isDirectory()) {
+        console.log(`  [INFO] "${targetPath}" is a file. Running: guardvibe check ${targetPath}\n`);
+        await runFileCheck(targetPath, flags);
+    }
+    else {
+        await runDirectoryScan(targetPath, flags);
+    }
+}
+export async function handleDiffCommand(args) {
+    const { flags, positional } = parseArgs(args);
+    const base = positional[0] ?? "main";
+    await runDiffScan(base, flags);
+}
+export async function handleCheckCommand(args) {
+    const { flags, positional } = parseArgs(args);
+    const filePath = positional[0];
+    if (!filePath) {
+        console.error("  [ERR] Please specify a file: npx guardvibe check <file>");
+        process.exit(1);
+    }
+    await runFileCheck(filePath, flags);
+}