midas-mcp 5.5.0 → 5.15.0

package/dist/reality.js

@@ -5,56 +5,204 @@
  * categorizes them by what AI can/cannot do,
  * and generates context-aware prompts for Cursor.
  */
-import { existsSync, readFileSync } from 'fs';
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
 import { join } from 'path';
 import { sanitizePath } from './security.js';
 // ============================================================================
-// REALITY CHECK DEFINITIONS
+// PERSISTENCE
 // ============================================================================
+const MIDAS_DIR = '.midas';
+const REALITY_STATE_FILE = 'reality-checks.json';
+function getRealityStatePath(projectPath) {
+    return join(projectPath, MIDAS_DIR, REALITY_STATE_FILE);
+}
+function loadRealityState(projectPath) {
+    const path = getRealityStatePath(projectPath);
+    if (existsSync(path)) {
+        try {
+            return JSON.parse(readFileSync(path, 'utf-8'));
+        }
+        catch {
+            return { checkStates: {}, lastProfileHash: '' };
+        }
+    }
+    return { checkStates: {}, lastProfileHash: '' };
+}
+function saveRealityState(projectPath, state) {
+    const dir = join(projectPath, MIDAS_DIR);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+    }
+    writeFileSync(getRealityStatePath(projectPath), JSON.stringify(state, null, 2));
+}
+function hashProfile(profile) {
+    // Simple hash to detect profile changes
+    return JSON.stringify(profile).split('').reduce((a, b) => {
+        a = ((a << 5) - a) + b.charCodeAt(0);
+        return a & a;
+    }, 0).toString(36);
+}
+/**
+ * Update the status of a reality check
+ */
+export function updateCheckStatus(projectPath, checkKey, status, skippedReason) {
+    const safePath = sanitizePath(projectPath);
+    const state = loadRealityState(safePath);
+    state.checkStates[checkKey] = {
+        status,
+        updatedAt: new Date().toISOString(),
+        ...(skippedReason ? { skippedReason } : {}),
+    };
+    saveRealityState(safePath, state);
+}
+/**
+ * Get the persisted status for a check
+ */
+export function getCheckStatus(projectPath, checkKey) {
+    const safePath = sanitizePath(projectPath);
+    const state = loadRealityState(safePath);
+    return state.checkStates[checkKey];
+}
+/**
+ * Get all check statuses
+ */
+export function getAllCheckStatuses(projectPath) {
+    const safePath = sanitizePath(projectPath);
+    const state = loadRealityState(safePath);
+    return state.checkStates;
+}
+/**
+ * Reset all check statuses (e.g., when profile changes significantly)
+ */
+export function resetCheckStatuses(projectPath) {
+    const safePath = sanitizePath(projectPath);
+    saveRealityState(safePath, { checkStates: {}, lastProfileHash: '' });
+}
+/**
+ * Map of check keys to the expected generated file paths
+ */
+const EXPECTED_OUTPUTS = {
+    PRIVACY_POLICY: ['docs/privacy-policy.md', 'privacy-policy.md', 'PRIVACY.md'],
+    TERMS_OF_SERVICE: ['docs/terms-of-service.md', 'docs/terms.md', 'TERMS.md'],
+    COOKIE_POLICY: ['docs/cookie-policy.md'],
+    GDPR_COMPLIANCE: ['docs/gdpr-checklist.md', 'docs/gdpr.md'],
+    CCPA_COMPLIANCE: ['docs/ccpa-checklist.md'],
+    AI_DISCLOSURE: ['docs/ai-disclosure.md', 'AI_DISCLOSURE.md'],
+    ACCESSIBILITY: ['docs/accessibility.md', 'docs/a11y.md', 'ACCESSIBILITY.md'],
+    DATA_RETENTION: ['docs/data-retention.md'],
+    INCIDENT_RESPONSE: ['docs/incident-response.md'],
+    OSS_LICENSE: ['LICENSE', 'LICENSE.md', 'docs/license.md'],
+    HIPAA_COMPLIANCE: ['docs/hipaa-checklist.md'],
+    FERPA_COMPLIANCE: ['docs/ferpa-checklist.md'],
+    EU_AI_ACT: ['docs/eu-ai-act-assessment.md'],
+    SBOM: ['sbom.json', 'docs/sbom-readme.md'],
+    DATA_RESIDENCY: ['docs/data-residency.md'],
+};
+/**
+ * Detect if any expected output files exist and auto-complete checks
+ * Returns array of check keys that were auto-completed
+ */
+export function detectGeneratedDocs(projectPath) {
+    const safePath = sanitizePath(projectPath);
+    const state = loadRealityState(safePath);
+    const autoCompleted = [];
+    for (const [checkKey, possibleFiles] of Object.entries(EXPECTED_OUTPUTS)) {
+        // Skip if already completed
+        if (state.checkStates[checkKey]?.status === 'completed')
+            continue;
+        // Check if any of the expected files exist
+        const fileExists = possibleFiles.some(file => existsSync(join(safePath, file)));
+        if (fileExists) {
+            // Auto-complete this check
+            state.checkStates[checkKey] = {
+                status: 'completed',
+                updatedAt: new Date().toISOString(),
+            };
+            autoCompleted.push(checkKey);
+        }
+    }
+    if (autoCompleted.length > 0) {
+        saveRealityState(safePath, state);
+    }
+    return autoCompleted;
+}
+// Legacy tier mapping for backward compatibility
+const TIER_MAPPING = {
+    'generatable': 'ai_assisted',
+    'assistable': 'ai_assisted',
+    'human_only': 'manual',
+    'ai_assisted': 'ai_assisted',
+    'manual': 'manual',
+};
+// Default triggered-by generators based on common profile fields
+const DEFAULT_TRIGGERS = {
+    PRIVACY_POLICY: (p) => p.collectsSensitiveData
+        ? 'Project collects sensitive data (health/financial/biometric)'
+        : 'Project collects user data',
+    TERMS_OF_SERVICE: () => 'Public-facing product',
+    COOKIE_POLICY: (p) => p.targetsEU ? 'Targets EU users' : 'Collects user data',
+    GDPR_COMPLIANCE: (p) => p.targetsEU ? 'Explicitly targets EU users' : 'May have EU users',
+    CCPA_COMPLIANCE: () => 'Targets California or US users',
+    COPPA_COMPLIANCE: () => 'May have users under 13',
+    AI_DISCLOSURE: () => 'Uses AI for decisions or recommendations',
+    PAYMENT_SETUP: () => 'Has payment/subscription features',
+    STRIPE_INTEGRATION: () => 'Has payment processing',
+    APP_STORE: () => 'Distributes via iOS App Store',
+    PLAY_STORE: () => 'Distributes via Google Play Store',
+    ACCESSIBILITY: () => 'Public-facing product should be accessible',
+    DATA_RETENTION: (p) => p.collectsSensitiveData ? 'Handles sensitive data' : 'Collects user data',
+    INCIDENT_RESPONSE: () => 'Production system needs incident handling',
+    OSS_LICENSE: () => 'Open source project needs license',
+    HIPAA_COMPLIANCE: () => 'Healthcare industry + collects user data',
+    FERPA_COMPLIANCE: () => 'Education industry + collects student data',
+    EU_AI_ACT: (p) => p.targetsEU
+        ? 'AI system targeting EU users'
+        : 'AI system in regulated industry (healthcare/education/finance)',
+    SBOM: () => 'Enterprise/finance audience expects supply chain transparency',
+    DATA_RESIDENCY: (p) => p.targetsEU
+        ? 'EU users require data residency documentation (GDPR)'
+        : 'Enterprise customers require data location clarity',
+};
 const REALITY_CHECKS = {
     // ✅ GENERATABLE - AI can draft these
     PRIVACY_POLICY: {
         key: 'PRIVACY_POLICY',
         category: 'Legal',
-        tier: 'generatable',
+        tier: 'ai_assisted',
         headline: 'You need a Privacy Policy',
         explanation: 'You collect user data. Users need to know what you collect, why, and how to delete it.',
         priority: 'critical',
-        promptTemplate: `Create a privacy policy for this project based on the brainlift and PRD.
+        promptTemplate: `Read docs/brainlift.md and docs/prd.md to understand this project. Then create a privacy policy.
 
-We collect: {{dataCollected}}
-Target users: {{targetUsers}}
-Business model: {{businessModel}}
+First, identify from the docs:
+- What user data is collected
+- Why it's collected
+- Who the target users are
+- The business model
 
-Include sections:
+Then create docs/privacy-policy.md with sections:
 - What we collect and why
 - How we use the data
-- Third parties we share with (if any)
-- How long we keep data
+- Third parties we share with
+- Data retention
 - User rights (access, correct, delete)
-- How to contact us
-
-Save to docs/privacy-policy.md
+- Contact information
 
-Add at the top: "DRAFT - Review with a lawyer before publishing"`,
+Add at top: "DRAFT - Review with a lawyer before publishing"`,
         condition: (p) => p.collectsUserData,
     },
     TERMS_OF_SERVICE: {
         key: 'TERMS_OF_SERVICE',
         category: 'Legal',
-        tier: 'generatable',
+        tier: 'ai_assisted',
         headline: 'You need Terms of Service',
         explanation: 'Any public product needs terms defining the rules of use and liability limits.',
         priority: 'high',
-        promptTemplate: `Create terms of service for this project based on the brainlift and PRD.
+        promptTemplate: `Read docs/brainlift.md and docs/prd.md to understand this project. Then create terms of service.
 
-Product type: {{productType}}
-Business model: {{businessModel}}
-Key features: {{keyFeatures}}
-
-Include sections:
+Create docs/terms-of-service.md with sections:
 - Acceptance of terms
-- Description of service
+- Description of service (from what you read)
 - User responsibilities
 - Prohibited uses
 - Intellectual property
@@ -70,7 +218,7 @@ Add at the top: "DRAFT - Review with a lawyer before publishing"`,
     AI_DISCLOSURE: {
         key: 'AI_DISCLOSURE',
         category: 'Transparency',
-        tier: 'generatable',
+        tier: 'ai_assisted',
         headline: 'You need an AI disclosure',
         explanation: 'Users should know when AI is involved and that it can make mistakes.',
         priority: 'high',
@@ -92,7 +240,7 @@ Also add a brief inline disclosure component/text that can be shown in the UI wh
     REFUND_POLICY: {
         key: 'REFUND_POLICY',
         category: 'Business',
-        tier: 'generatable',
+        tier: 'ai_assisted',
         headline: 'You need a refund policy',
         explanation: 'Paid products need clear refund terms to avoid disputes and chargebacks.',
         priority: 'high',
@@ -116,7 +264,7 @@ Save to docs/refund-policy.md`,
     CONTENT_POLICY: {
         key: 'CONTENT_POLICY',
         category: 'Trust',
-        tier: 'generatable',
+        tier: 'ai_assisted',
         headline: 'You need a content policy',
         explanation: 'User-generated content needs rules about what\'s allowed and how violations are handled.',
         priority: 'high',
@@ -138,7 +286,7 @@ Save to docs/content-policy.md`,
     GDPR_COMPLIANCE: {
         key: 'GDPR_COMPLIANCE',
         category: 'Compliance',
-        tier: 'assistable',
+        tier: 'ai_assisted',
         headline: 'GDPR applies to your product',
         explanation: 'You\'re targeting EU users. You need lawful basis for data processing, user consent, and data rights.',
         priority: 'critical',
@@ -169,7 +317,7 @@ Note at top: "This is a technical implementation guide. Legal review required be
     CCPA_COMPLIANCE: {
         key: 'CCPA_COMPLIANCE',
         category: 'Compliance',
-        tier: 'assistable',
+        tier: 'ai_assisted',
         headline: 'CCPA applies to your product',
         explanation: 'California users have rights to know, delete, and opt-out of data sales.',
         priority: 'high',
@@ -192,7 +340,7 @@ Save to docs/ccpa-checklist.md`,
     ACCESSIBILITY: {
         key: 'ACCESSIBILITY',
         category: 'Inclusion',
-        tier: 'assistable',
+        tier: 'ai_assisted',
         headline: 'Consider accessibility (WCAG)',
         explanation: 'Making your product accessible helps more users and may be legally required for some customers.',
         priority: 'medium',
@@ -214,7 +362,7 @@ Save checklist to docs/accessibility-checklist.md`,
     BIAS_ASSESSMENT: {
         key: 'BIAS_ASSESSMENT',
         category: 'Ethics',
-        tier: 'assistable',
+        tier: 'ai_assisted',
         headline: 'AI bias assessment needed',
         explanation: 'AI that makes decisions about people can have unintended bias. Document what you\'ve considered.',
         priority: 'high',
@@ -241,7 +389,7 @@ This is for internal documentation and transparency.`,
     PAYMENT_SETUP: {
         key: 'PAYMENT_SETUP',
         category: 'Business',
-        tier: 'human_only',
+        tier: 'manual',
         headline: 'You need payment processing',
         explanation: 'You want to charge users. You need a payment provider account first.',
         priority: 'critical',
@@ -271,7 +419,7 @@ I have my Stripe API keys ready. Use STRIPE_SECRET_KEY and STRIPE_PUBLISHABLE_KE
     BUSINESS_REGISTRATION: {
         key: 'BUSINESS_REGISTRATION',
         category: 'Legal',
-        tier: 'human_only',
+        tier: 'manual',
         headline: 'Consider business registration',
         explanation: 'If you\'re making money, you may need a business entity for taxes and liability protection.',
         priority: 'medium',
@@ -293,7 +441,7 @@ Once you have your business set up, update your docs:
     TAX_SETUP: {
         key: 'TAX_SETUP',
         category: 'Business',
-        tier: 'human_only',
+        tier: 'manual',
         headline: 'You need tax handling',
         explanation: 'Selling internationally means dealing with VAT, GST, and sales tax. Stripe Tax can help.',
         priority: 'high',
@@ -317,7 +465,7 @@ See Stripe Tax docs for jurisdiction-specific setup.`,
     DOMAIN_SSL: {
         key: 'DOMAIN_SSL',
         category: 'Infrastructure',
-        tier: 'human_only',
+        tier: 'manual',
         headline: 'You need a domain and SSL',
         explanation: 'To launch publicly, you need a domain name and HTTPS.',
         priority: 'high',
@@ -339,7 +487,7 @@ Once you have your domain, update:
     APP_STORE: {
         key: 'APP_STORE',
         category: 'Distribution',
-        tier: 'human_only',
+        tier: 'manual',
         headline: 'App Store submission needed',
         explanation: 'Mobile apps need App Store / Play Store developer accounts and review.',
         priority: 'critical',
@@ -364,7 +512,7 @@ Check that the app follows platform guidelines before submission.`,
     COPPA_COMPLIANCE: {
         key: 'COPPA_COMPLIANCE',
         category: 'Compliance',
-        tier: 'human_only',
+        tier: 'manual',
         headline: 'COPPA compliance required',
         explanation: 'Users under 13 require parental consent and special data handling.',
         priority: 'critical',
@@ -391,7 +539,7 @@ This requires careful legal review - the FTC enforces COPPA strictly.`,
     SOC2: {
         key: 'SOC2',
         category: 'Certification',
-        tier: 'human_only',
+        tier: 'manual',
         headline: 'Enterprise customers may require SOC 2',
         explanation: 'B2B/enterprise sales often require SOC 2 certification to prove security practices.',
         priority: 'medium',
@@ -414,6 +562,119 @@ However, you can prepare by implementing:
 Create a security checklist: docs/security-checklist.md`,
         condition: (p) => p.targetAudience.includes('enterprise'),
     },
+    // ⚠️ ASSISTABLE - Industry-specific regulations
+    HIPAA_COMPLIANCE: {
+        key: 'HIPAA_COMPLIANCE',
+        category: 'Healthcare',
+        tier: 'ai_assisted',
+        headline: 'Healthcare data requires HIPAA compliance',
+        explanation: 'Handling patient health information in the US requires HIPAA compliance. Violations can cost $100-50K per record.',
+        priority: 'critical',
+        alsoNeeded: ['Legal review of BAA', 'Security audit', 'Employee HIPAA training'],
+        promptTemplate: `Read docs/brainlift.md and docs/prd.md. This is a healthcare application that may need HIPAA compliance.
+
+Create docs/hipaa-checklist.md covering:
+1. PHI (Protected Health Information) inventory - what health data do we handle?
+2. Access controls - minimum necessary access
+3. Audit logging - who accessed what PHI, when
+4. Encryption - at rest and in transit
+5. BAA requirements - list of vendors needing Business Associate Agreements
+6. Incident response - breach notification within 60 days
+
+Add warning: "This checklist requires review by a HIPAA compliance officer or healthcare attorney"`,
+        condition: (p) => p.industry.includes('healthcare') && p.collectsUserData,
+    },
+    FERPA_COMPLIANCE: {
+        key: 'FERPA_COMPLIANCE',
+        category: 'Education',
+        tier: 'ai_assisted',
+        headline: 'Education records require FERPA compliance',
+        explanation: 'Student education records in US schools are protected by FERPA. Violations can result in loss of federal funding.',
+        priority: 'critical',
+        alsoNeeded: ['School admin approval', 'Parent consent process', 'Annual notification'],
+        promptTemplate: `Read docs/brainlift.md and docs/prd.md. This is an education application that may need FERPA compliance.
+
+Create docs/ferpa-checklist.md covering:
+1. Education records inventory - what student records do we access/store?
+2. Consent requirements - when do we need parent/student consent?
+3. Directory information policy - what can be disclosed without consent?
+4. Access controls - only authorized school officials
+5. Record keeping - maintain log of disclosures
+6. Annual notification - how schools notify parents/students
+
+Add warning: "This checklist requires review by school legal counsel"`,
+        condition: (p) => p.industry.includes('education') && p.collectsUserData,
+    },
+    EU_AI_ACT: {
+        key: 'EU_AI_ACT',
+        category: 'AI Regulation',
+        tier: 'ai_assisted',
+        headline: 'EU AI Act may apply to your AI system',
+        explanation: 'The EU AI Act regulates AI systems by risk level. High-risk AI (health, education, employment) has strict requirements.',
+        priority: 'high',
+        alsoNeeded: ['Risk classification assessment', 'Technical documentation', 'EU representative if non-EU company'],
+        promptTemplate: `Read docs/brainlift.md and docs/prd.md. This AI system may be subject to the EU AI Act.
+
+Create docs/eu-ai-act-assessment.md covering:
+1. AI use case classification - what does the AI decide or recommend?
+2. Risk level assessment:
+   - Unacceptable (banned): social scoring, subliminal manipulation
+   - High-risk: education, employment, credit, healthcare, law enforcement
+   - Limited risk: chatbots (requires transparency)
+   - Minimal risk: spam filters, games
+3. If high-risk, document:
+   - Data governance requirements
+   - Technical documentation
+   - Record keeping
+   - Human oversight mechanisms
+   - Accuracy, robustness, cybersecurity
+
+Add warning: "This requires legal review for final classification"`,
+        condition: (p) => p.usesAI && (p.targetsEU || p.industry.some(i => ['healthcare', 'education', 'finance'].includes(i))),
+    },
+    SBOM: {
+        key: 'SBOM',
+        category: 'Supply Chain',
+        tier: 'ai_assisted',
+        headline: 'Generate a Software Bill of Materials (SBOM)',
+        explanation: 'An SBOM lists all dependencies in your software. Required by US Executive Order 14028 for government contractors, increasingly expected by enterprise customers.',
+        priority: 'medium',
+        promptTemplate: `Generate a Software Bill of Materials (SBOM) for this project.
+
+Run these commands to generate the SBOM:
+1. For npm: npx @cyclonedx/cyclonedx-npm --output-file sbom.json
+2. Or use: npm sbom --sbom-format cyclonedx
+
+Then create docs/sbom-readme.md explaining:
+- What the SBOM contains
+- How to regenerate it
+- When to update it (after dependency changes)
+- License summary of all dependencies
+
+Add the sbom.json generation to CI/CD pipeline.`,
+        condition: (p) => p.targetAudience.includes('enterprise') || p.industry.includes('finance'),
+    },
+    DATA_RESIDENCY: {
+        key: 'DATA_RESIDENCY',
+        category: 'Compliance',
+        tier: 'ai_assisted',
+        headline: 'Document data residency requirements',
+        explanation: 'If you store data in specific regions, you need to document where data lives. GDPR, data sovereignty laws, and enterprise contracts often require this.',
+        priority: 'high',
+        alsoNeeded: ['Legal review of data transfer agreements', 'Cloud provider region verification'],
+        promptTemplate: `Read docs/brainlift.md and docs/prd.md. Create a data residency documentation.
+
+Create docs/data-residency.md covering:
+1. Where is user data stored? (AWS region, GCP zone, etc.)
+2. Does data cross borders? (US ↔ EU, etc.)
+3. What legal basis for cross-border transfers? (SCCs, adequacy decisions)
+4. Can customers choose data region? (for enterprise)
+5. Where are backups stored?
+6. Third-party services and their data locations (Stripe, analytics, etc.)
+
+Add warning: "Verify regions with your cloud provider dashboard"`,
+        condition: (p) => p.targetsEU || p.targetAudience.includes('enterprise'),
+    },
 };
 // ============================================================================
 // INFERENCE FUNCTIONS
@@ -495,9 +756,9 @@ export function inferProjectProfile(projectPath) {
         hasPayments: ['payment', 'stripe', 'paypal', 'billing', 'checkout', 'purchase', 'monetize', 'pricing page'],
         hasSubscriptions: ['subscription', 'monthly plan', 'yearly plan', 'recurring billing', 'saas'],
         hasUserContent: ['upload', 'user generated', 'ugc', 'user posts', 'comments section', 'community content'],
-        // AI - only when clearly AI-powered
-        usesAI: ['ai-powered', 'artificial intelligence', 'machine learning', 'gpt', 'llm', 'claude api', 'openai api', 'langchain'],
-        aiMakesDecisions: ['ai decides', 'ai recommends', 'automated decision', 'algorithm determines', 'ai-driven'],
+        // AI - detect AI usage with common patterns
+        usesAI: ['ai-powered', 'artificial intelligence', 'machine learning', 'gpt', 'llm', 'claude', 'openai', 'langchain', 'uses ai', 'ai features', 'ai model', 'neural network', 'deep learning', 'genai', 'generative ai'],
+        aiMakesDecisions: ['ai decides', 'ai recommends', 'automated decision', 'algorithm determines', 'ai-driven', 'ai generates', 'ai creates'],
     };
     for (const [key, terms] of Object.entries(keywords)) {
         if (terms.some(term => content.includes(term))) {
@@ -556,10 +817,10 @@ function fillPromptTemplate(template, profile, projectPath) {
     const brainliftPath = join(safePath, 'docs', 'brainlift.md');
     const prdPath = join(safePath, 'docs', 'prd.md');
     if (existsSync(brainliftPath)) {
-        brainliftContent = readFileSync(brainliftPath, 'utf-8').slice(0, 1000);
+        brainliftContent = readFileSync(brainliftPath, 'utf-8'); // Read full doc for accurate inference
     }
     if (existsSync(prdPath)) {
-        prdContent = readFileSync(prdPath, 'utf-8').slice(0, 1000);
+        prdContent = readFileSync(prdPath, 'utf-8'); // Read full doc for accurate inference
     }
     // Build replacements
     const replacements = {
@@ -593,11 +854,22 @@ function fillPromptTemplate(template, profile, projectPath) {
  * Get all applicable reality checks for a project
  */
 export function getRealityChecks(projectPath) {
-    const profile = inferProjectProfile(projectPath);
+    const safePath = sanitizePath(projectPath);
+    // Auto-detect generated docs and mark checks complete (feedback loop)
+    detectGeneratedDocs(safePath);
+    const profile = inferProjectProfile(safePath);
     const checks = [];
+    // Load persisted state (after detection so it includes auto-completions)
+    const persistedState = loadRealityState(safePath);
+    const checkStates = persistedState.checkStates;
     for (const check of Object.values(REALITY_CHECKS)) {
         if (check.condition(profile)) {
-            const cursorPrompt = fillPromptTemplate(check.promptTemplate, profile, projectPath);
+            const cursorPrompt = fillPromptTemplate(check.promptTemplate, profile, safePath);
+            const persisted = checkStates[check.key];
+            // Get triggered-by reason
+            const triggeredBy = check.getTriggeredBy
+                ? check.getTriggeredBy(profile)
+                : DEFAULT_TRIGGERS[check.key]?.(profile) || 'Inferred from project profile';
             checks.push({
                 key: check.key,
                 category: check.category,
@@ -609,28 +881,51 @@ export function getRealityChecks(projectPath) {
                 externalLinks: check.externalLinks,
                 alsoNeeded: check.alsoNeeded,
                 priority: check.priority,
+                triggeredBy,
+                // Add persisted status
+                status: persisted?.status || 'pending',
+                statusUpdatedAt: persisted?.updatedAt,
+                skippedReason: persisted?.skippedReason,
             });
         }
     }
     // Sort by priority and tier
     const priorityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
-    const tierOrder = { human_only: 0, assistable: 1, generatable: 2 };
+    const tierOrder = { manual: 0, ai_assisted: 1 };
     checks.sort((a, b) => {
         const priorityDiff = priorityOrder[a.priority] - priorityOrder[b.priority];
         if (priorityDiff !== 0)
             return priorityDiff;
         return tierOrder[a.tier] - tierOrder[b.tier];
     });
+    // Progressive disclosure: first 2 views show only critical + 2 more
+    const totalAvailable = checks.length;
+    const viewCount = persistedState.viewCount || 0;
+    const isFirstSession = viewCount < 2;
+    // Increment view count
+    const newState = { ...persistedState, viewCount: viewCount + 1 };
+    saveRealityState(safePath, newState);
+    // On first sessions, limit to critical + 2 non-critical
+    let displayChecks = checks;
+    if (isFirstSession && checks.length > 4) {
+        const critical = checks.filter(c => c.priority === 'critical');
+        const nonCritical = checks.filter(c => c.priority !== 'critical').slice(0, 2);
+        displayChecks = [...critical, ...nonCritical];
+    }
     return {
         profile,
-        checks,
+        checks: displayChecks,
         summary: {
-            total: checks.length,
-            critical: checks.filter(c => c.priority === 'critical').length,
-            generatable: checks.filter(c => c.tier === 'generatable').length,
-            assistable: checks.filter(c => c.tier === 'assistable').length,
-            humanOnly: checks.filter(c => c.tier === 'human_only').length,
+            total: displayChecks.length,
+            critical: displayChecks.filter(c => c.priority === 'critical').length,
+            aiAssisted: displayChecks.filter(c => c.tier === 'ai_assisted').length,
+            manual: displayChecks.filter(c => c.tier === 'manual').length,
+            pending: displayChecks.filter(c => c.status === 'pending').length,
+            completed: displayChecks.filter(c => c.status === 'completed').length,
+            skipped: displayChecks.filter(c => c.status === 'skipped').length,
         },
+        totalAvailable,
+        isFirstSession,
     };
 }
 // ============================================================================
@@ -662,48 +957,26 @@ export async function filterChecksWithAI(profile, checks, projectPath) {
     const prdPath = join(safePath, 'docs', 'prd.md');
     const readmePath = join(safePath, 'README.md');
     if (existsSync(brainliftPath)) {
-        docsContent += `## Brainlift:\n${readFileSync(brainliftPath, 'utf-8').slice(0, 2000)}\n\n`;
+        docsContent += `## Brainlift:\n${readFileSync(brainliftPath, 'utf-8').slice(0, 4000)}\n\n`;
     }
     if (existsSync(prdPath)) {
-        docsContent += `## PRD:\n${readFileSync(prdPath, 'utf-8').slice(0, 2000)}\n\n`;
+        docsContent += `## PRD:\n${readFileSync(prdPath, 'utf-8').slice(0, 4000)}\n\n`;
     }
     if (existsSync(readmePath)) {
-        docsContent += `## README:\n${readFileSync(readmePath, 'utf-8').slice(0, 1000)}\n`;
+        docsContent += `## README:\n${readFileSync(readmePath, 'utf-8').slice(0, 2000)}\n`;
     }
     if (!docsContent) {
         // No docs to analyze - return checks as-is
         return { filtered: checks, additions: [], removals: [] };
     }
-    const systemPrompt = `You are a compliance advisor reviewing reality checks for a software project.
-Your job is to FILTER the proposed checks based on the actual project context.
-
-Rules:
-1. REMOVE checks that don't apply (e.g., GDPR for US-only apps, COPPA for adult-only products)
-2. FLAG checks that might apply but need confirmation (add to "maybeAdd" list)
-3. Be CONSERVATIVE: when in doubt, keep the check
-4. Consider industry-specific requirements (healthcare → HIPAA, education → FERPA, etc.)
-5. Consider geographic requirements (EU → GDPR, California → CCPA, etc.)
-
-Respond ONLY with JSON.`;
-    const prompt = `# Project Documentation
-${docsContent}
-
-# Inferred Profile
-${JSON.stringify(profile, null, 2)}
-
-# Proposed Checks
-${checks.map(c => `- ${c.key}: ${c.headline}`).join('\n')}
-
-# All Available Checks (not currently triggered)
-${Object.keys(REALITY_CHECKS).filter(k => !checks.some(c => c.key === k)).map(k => `- ${k}: ${REALITY_CHECKS[k].headline}`).join('\n')}
-
-Review this and respond with:
-{
-  "keep": ["CHECK_KEY", ...],      // Checks that definitely apply
-  "remove": ["CHECK_KEY", ...],   // Checks that don't apply (with reason)
-  "add": ["CHECK_KEY", ...],      // Checks from available list that SHOULD apply
-  "reasoning": "Brief explanation of key decisions"
-}`;
+    // Combined profile validation + check filtering in a single focused prompt
+    const systemPrompt = `Compliance check filter. Given project docs and proposed checks, return JSON only:
+{"keep":["KEY",...], "remove":["KEY",...], "add":["KEY",...]}
+Rules: Remove checks that clearly don't apply. Add missing checks from available list. Be conservative.`;
+    // Compact prompt - less tokens, faster response
+    const proposed = checks.map(c => c.key).join(',');
+    const available = Object.keys(REALITY_CHECKS).filter(k => !checks.some(c => c.key === k)).join(',');
+    const prompt = `Docs:\n${docsContent}\n\nProposed: ${proposed}\nAvailable: ${available}\n\nProfile: ${profile.businessModel}, EU:${profile.targetsEU}, AI:${profile.usesAI}, payments:${profile.hasPayments}`;
     try {
         const response = await chat(prompt, {
             systemPrompt,
@@ -732,10 +1005,17 @@ Review this and respond with:
             return true;
         });
         // Add any checks AI says we're missing
+        const safePath = sanitizePath(projectPath);
+        const persistedState = loadRealityState(safePath);
         for (const key of addKeys) {
             if (REALITY_CHECKS[key] && !filtered.some(c => c.key === key)) {
                 const check = REALITY_CHECKS[key];
                 const cursorPrompt = fillPromptTemplate(check.promptTemplate, profile, projectPath);
+                const persisted = persistedState.checkStates[key];
+                // Get triggered-by reason (AI-added checks)
+                const triggeredBy = check.getTriggeredBy
+                    ? check.getTriggeredBy(profile)
+                    : 'Added by AI analysis of project context';
                 filtered.push({
                     key: check.key,
                     category: check.category,
@@ -747,12 +1027,16 @@ Review this and respond with:
                     externalLinks: check.externalLinks,
                     alsoNeeded: check.alsoNeeded,
                     priority: check.priority,
+                    triggeredBy,
+                    status: persisted?.status || 'pending',
+                    statusUpdatedAt: persisted?.updatedAt,
+                    skippedReason: persisted?.skippedReason,
                 });
             }
         }
         // Re-sort
         const priorityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
-        const tierOrder = { human_only: 0, assistable: 1, generatable: 2 };
+        const tierOrder = { manual: 0, ai_assisted: 1 };
         filtered.sort((a, b) => {
             const priorityDiff = priorityOrder[a.priority] - priorityOrder[b.priority];
             if (priorityDiff !== 0)
@@ -784,9 +1068,11 @@ export async function getRealityChecksWithAI(projectPath) {
             summary: {
                 total: filtered.length,
                 critical: filtered.filter(c => c.priority === 'critical').length,
-                generatable: filtered.filter(c => c.tier === 'generatable').length,
-                assistable: filtered.filter(c => c.tier === 'assistable').length,
-                humanOnly: filtered.filter(c => c.tier === 'human_only').length,
+                aiAssisted: filtered.filter(c => c.tier === 'ai_assisted').length,
+                manual: filtered.filter(c => c.tier === 'manual').length,
+                pending: filtered.filter(c => c.status === 'pending').length,
+                completed: filtered.filter(c => c.status === 'completed').length,
+                skipped: filtered.filter(c => c.status === 'skipped').length,
             },
             aiFiltered: additions.length > 0 || removals.length > 0,
         };
@@ -800,20 +1086,22 @@ export async function getRealityChecksWithAI(projectPath) {
  * Get tier symbol for display
  */
 export function getTierSymbol(tier) {
-    switch (tier) {
-        case 'generatable': return '✅';
-        case 'assistable': return '⚠️';
-        case 'human_only': return '🔴';
+    const mapped = TIER_MAPPING[tier] || tier;
+    switch (mapped) {
+        case 'ai_assisted': return '🤖';
+        case 'manual': return '👤';
+        default: return '❓';
     }
 }
 /**
  * Get tier description
  */
 export function getTierDescription(tier) {
-    switch (tier) {
-        case 'generatable': return 'AI can draft this';
-        case 'assistable': return 'AI can help, needs review';
-        case 'human_only': return 'You need to do this';
+    const mapped = TIER_MAPPING[tier] || tier;
+    switch (mapped) {
+        case 'ai_assisted': return 'AI can help with this';
+        case 'manual': return 'You need to do this yourself';
+        default: return 'Unknown tier';
     }
 }
 //# sourceMappingURL=reality.js.map