monora-ai 2.0.0 → 2.1.3

package/dist/cli.js

@@ -46,6 +46,7 @@ const readline = __importStar(require("readline"));
 const yaml = __importStar(require("js-yaml"));
 const axios_1 = __importDefault(require("axios"));
 const config_1 = require("./config");
+const init_1 = require("./cli/init");
 const autodetect_1 = require("./autodetect");
 const report_1 = require("./report");
 const ai_act_report_1 = require("./ai_act_report");
@@ -55,29 +56,50 @@ const trust_package_1 = require("./trust_package");
 const schema_validation_1 = require("./schema_validation");
 const verify_1 = require("./verify");
 const signing_1 = require("./signing");
+const aims_governance_1 = require("./aims_governance");
+const control_backbone_1 = require("./control_backbone");
 const diagnostics_1 = require("./cli/diagnostics");
+const doctor_1 = require("./cli/doctor");
+const fix_1 = require("./cli/fix");
 const compat_1 = require("./compat");
 const standards_1 = require("./standards");
 const standards_ingest_1 = require("./standards_ingest");
+const runtime_1 = require("./runtime");
+const onboarding_1 = require("./onboarding");
+const schemaInference_1 = require("./schemaInference");
+const model_1 = require("./model");
+const spec_1 = require("./spec");
+const complianceTargets_1 = require("./complianceTargets");
 function usage() {
-    console.log('Usage:');
-    console.log('  monora init [--path monora.yml] [--format yaml|json] [--yes] [--force]');
-    console.log('  monora validate [--config monora.yml] [--json]');
-    console.log('  monora doctor [--config monora.yml] [--json] [--no-network]');
-    console.log('  monora report --input <events.jsonl> --output <report.json> [--format json|markdown] [--config monora.yml] [--no-schema] [--no-verify] [--no-signature-verify]');
-    console.log('  monora usage-report --input <events.jsonl> --output <usage.json> [--format json|markdown] [--no-schema]');
-    console.log('  monora security-review --input <events.jsonl> --output <security.json> [--config monora.yml] [--no-schema] [--sign gpg --gpg-key <id> --bundle <bundle.json>]');
-    console.log('  monora trust-package --input <events.jsonl> --trace-id <trace_id> --output <trust.json> [--config monora.yml] [--no-schema] [--no-verify] [--no-signature-verify] [--sign gpg --gpg-key <id>]');
-    console.log('  monora ai-act-report --input <events.jsonl> --output <report.json> [--format json|markdown] [--config monora.yml] [--no-schema]');
-    console.log('  monora verify --input <events.jsonl> [--config monora.yml] [--no-schema] [--no-verify] [--no-signature-verify] [--no-sequence] [--pretty]');
-    console.log('  monora retry-queue [--config monora.yml] [--path ./monora_http_queue] [--json] [--clear]');
-    console.log('  monora compat-report [--baseline <manifest.json>] [--output <report.json>] [--pretty]');
-    console.log('  monora standards-wizard [--standard SOC2] [--template <claims.json>] [--output <claims.json>] [--input <events.jsonl>] [--config monora.yml] [--report <report.pdf>] [--yes]');
-    console.log('  monora standards-ingest --report <report.pdf> [--output <ingest.json>] [--text-out <report.txt>] [--ocr] [--pretty]');
-    console.log('  monora standards-excerpt --ingest <ingest.json> --claims <claims.json> --excerpts <excerpts.json> [--output <claims.json>] [--pretty]');
-    console.log('  monora standards-suggest --ingest <ingest.json> --claims <claims.json> [--output <suggestions.json>] [--max-per-claim 2] [--window 160] [--pretty]');
-    console.log('  monora standards-review --ingest <ingest.json> --claims <claims.json> --output <claims.json> [--max-per-claim 2] [--window 160] [--yes]');
-    console.log('  monora standards-check --input <events.jsonl> [--config monora.yml] [--report <report.pdf>] [--claims <claims.json>] [--output <report.json>] [--pretty] [--max-calls 25]');
+    console.log('Usage: npx monora-ai <command> [options]\n');
+    console.log('Commands:');
+    console.log('  init [--path monora.yml] [--format yaml|json] [--yes] [--force] [--advanced] [--preset minimal|dev|production]');
+    console.log('  start [-- <command>]         Zero-code instrumentation');
+    console.log('  validate [--config monora.yml] [--json] [--mode strict|lenient|warn-only]');
+    console.log('  doctor [--config monora.yml] [--json] [--no-network]');
+    console.log('  config fix [--config monora.yml] [--dry-run] [--no-network]');
+    console.log('  report --input <events.jsonl> --output <report.json> [--format json|markdown] [--config monora.yml] [--no-schema] [--no-verify] [--no-signature-verify]');
+    console.log('  usage-report --input <events.jsonl> --output <usage.json> [--format json|markdown] [--no-schema]');
+    console.log('  security-review --input <events.jsonl> --output <security.json> [--config monora.yml] [--no-schema] [--sign gpg --gpg-key <id> --bundle <bundle.json>]');
+    console.log('  trust-package --input <events.jsonl> --trace-id <trace_id> --output <trust.json> [--config monora.yml] [options...]');
+    console.log('  aims <subcommand> [--state <aims_state.json>]');
+    console.log('  ai-act-report --input <events.jsonl> --output <report.json> [--format json|markdown] [--config monora.yml] [--no-schema]');
+    console.log('  verify --input <events.jsonl> [--config monora.yml] [--no-schema] [--no-verify] [--no-signature-verify] [--no-sequence] [--pretty]');
+    console.log('  retry-queue [--config monora.yml] [--path ./monora_http_queue] [--json] [--clear]');
+    console.log('  compat-report [--baseline <manifest.json>] [--output <report.json>] [--pretty]');
+    console.log('  standards-wizard [--standard SOC2] [--template <claims.json>] [--output <claims.json>] [--input <events.jsonl>]');
+    console.log('  onboard <init|validate|complete|status> [--config monora.yml] [options]');
+    console.log('  schema infer --input <events.jsonl> --output <spec.json> [--model-name <name>] [--model-version <ver>] [--compliance-target <framework>]... [--sample-size <n>] [--no-pii] [--report <inference_report.json>] [--contract <schema_contract.json>]');
+    console.log('  model create --input <events.jsonl> --output <model.json> [--model-name <name>] [--model-version <ver>] [--compliance-target <framework>]... [--risk-category minimal|limited|high|unacceptable] [--intended-use <text>] [--owner <id>] [--tag <value>]... [--sample-size <n>] [--no-pii] [--config-out <monora.yml|json>] [--config-format yaml|json] [--contract-out <schema_contract.json>]');
+    console.log('  production-check [--config monora.yml] [--json] [--fix]');
+    console.log('  detect-env [--json]');
+    console.log('  upgrade-preset --from <preset> --to <preset> [--output monora.yml] [--json]');
+    console.log('\nExamples:');
+    console.log('  npx monora-ai init                    # Quick setup wizard');
+    console.log('  npx monora-ai init --preset minimal   # Minimal config preset');
+    console.log('  npx monora-ai onboard init            # Initialize onboarding contract');
+    console.log('  npx monora-ai start -- npm run dev    # Zero-code instrumentation');
+    console.log('  npx monora-ai doctor                  # Diagnose config issues');
 }
 function parseArgs(argv) {
     const args = argv.slice(2);
@@ -96,6 +118,21 @@ function getFlagValue(args, flag) {
 function hasFlag(args, flag) {
     return args.includes(flag);
 }
+function getFlagValues(args, flag) {
+    const values = [];
+    for (let i = 0; i < args.length; i++) {
+        if (args[i] !== flag) {
+            continue;
+        }
+        const next = args[i + 1];
+        if (!next || next.startsWith('--')) {
+            throw new Error(`Missing value for ${flag}`);
+        }
+        values.push(next);
+        i += 1;
+    }
+    return values;
+}
 function createInterface() {
     return readline.createInterface({
         input: process.stdin,
@@ -130,6 +167,108 @@ function parseList(raw) {
         .map((item) => item.trim())
         .filter((item) => item.length > 0);
 }
+function parseOptionalList(raw) {
+    if (!raw) {
+        return [];
+    }
+    return parseList(raw.replace(/;/g, ','));
+}
+function parseJsonObject(raw) {
+    if (!raw) {
+        return undefined;
+    }
+    let payload;
+    try {
+        payload = JSON.parse(raw);
+    }
+    catch (error) {
+        throw new Error(`Invalid metadata JSON: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
+        throw new Error('Metadata JSON must be an object');
+    }
+    return payload;
+}
+function normalizeInitPreset(value) {
+    if (!value) {
+        return undefined;
+    }
+    const normalized = value.toLowerCase();
+    if (normalized === 'development') {
+        return 'dev';
+    }
+    if (normalized === 'dev' || normalized === 'minimal' || normalized === 'production') {
+        return normalized;
+    }
+    throw new Error(`Invalid preset '${value}'. Valid presets: minimal, dev, production`);
+}
+function normalizeValidationMode(value) {
+    if (!value) {
+        return undefined;
+    }
+    const normalized = value.toLowerCase();
+    if (normalized === 'strict')
+        return 'strict';
+    if (normalized === 'lenient')
+        return 'lenient';
+    if (normalized === 'warn-only' || normalized === 'warn' || normalized === 'warn_only') {
+        return 'warn-only';
+    }
+    throw new Error(`Invalid validation mode '${value}'. Valid modes: strict, lenient, warn-only`);
+}
+const ROTATION_COMMENT = [
+    '# File sink rotation options:',
+    '# - rotation: none (default), daily, size',
+    '# - When rotation is enabled, set symlink: true to keep stable paths:',
+    '#   - <path> (e.g., monora_events.jsonl)',
+    '#   - <path>.latest (e.g., monora_events.latest.jsonl)',
+    '#',
+].join('\n');
+function renderConfigOutput(config, format) {
+    if (format === 'json') {
+        return JSON.stringify(config, null, 2);
+    }
+    const body = yaml.dump(config, { sortKeys: false, noRefs: true });
+    return `${ROTATION_COMMENT}\n${body}`;
+}
+async function askSinkSelection(rl, defaults) {
+    console.log('? Which sinks do you want to enable? (Use space to select)');
+    const markers = {
+        file: defaults.includes('file') ? '◉' : '◯',
+        stdout: defaults.includes('stdout') ? '◉' : '◯',
+        https: defaults.includes('https') ? '◉' : '◯',
+    };
+    console.log(`  ${markers.file} File (monora_events.jsonl)`);
+    console.log(`  ${markers.stdout} Stdout (pretty to console)`);
+    console.log(`  ${markers.https} HTTPS (requires endpoint URL)`);
+    const raw = await ask(rl, 'Selections (file stdout https)', defaults.join(' '));
+    const normalized = raw
+        .split(/[\\s,]+/)
+        .map((entry) => entry.trim().toLowerCase())
+        .filter((entry) => entry.length > 0);
+    const selected = new Set();
+    const add = (value) => {
+        selected.add(value);
+    };
+    for (const token of normalized) {
+        if (token === '1' || token.startsWith('f')) {
+            add('file');
+        }
+        else if (token === '2' || token.startsWith('s')) {
+            add('stdout');
+        }
+        else if (token === '3' || token.startsWith('h')) {
+            add('https');
+        }
+    }
+    if (selected.size === 0) {
+        defaults.forEach((item) => add(item));
+    }
+    if (selected.size === 0) {
+        add('file');
+    }
+    return Array.from(selected.values());
+}
 const ENV_PATTERN = /\$\{([^}]+)\}/g;
 function isValidEndpoint(endpoint) {
     try {
@@ -191,8 +330,7 @@ function checkFileWritable(filePath) {
     try {
         const dir = path.dirname(filePath) || '.';
         fs.mkdirSync(dir, { recursive: true });
-        const handle = fs.openSync(filePath, 'a');
-        fs.closeSync(handle);
+        fs.accessSync(dir, fs.constants.W_OK);
         return { ok: true };
     }
     catch (error) {
@@ -221,92 +359,228 @@ async function testHttpEndpoint(endpoint, headers, label) {
         console.warn(`Warning: test POST to ${label} failed: ${message}`);
     }
 }
-function buildConfig(answers) {
-    const config = (0, config_1.loadConfig)({ envPrefix: 'MONORA_WIZARD_' });
-    config.defaults = {
-        ...config.defaults,
-        service_name: answers.service_name,
-        environment: answers.environment,
-    };
-    const sinks = [];
-    if (answers.stdout_sink) {
-        sinks.push({ type: 'stdout', format: 'json' });
-    }
-    if (answers.file_sink) {
-        sinks.push({
-            type: 'file',
-            path: answers.file_path || './monora_events.jsonl',
-            rotation: 'daily',
-            max_size_mb: 100,
-            batch_size: 100,
-            flush_interval_sec: 5.0,
-        });
+/**
+ * Streamlined 3-question wizard for quick setup.
+ * Uses AI-powered detection for smart defaults.
+ */
+async function runStreamlinedWizard(configPath, format, assumeYes) {
+    console.log('\n\x1b[36m=== Monora Setup ===\x1b[0m\n');
+    console.log('Analyzing your project...\n');
+    // Run comprehensive detection
+    const detection = (0, autodetect_1.detectFramework)();
+    const serviceName = (0, autodetect_1.detectServiceName)() || 'monora-app';
+    const env = (0, autodetect_1.detectEnvironment)();
+    // Display detection results
+    console.log('\x1b[32mDetected:\x1b[0m');
+    console.log(`  Service:     ${serviceName}`);
+    if (detection.framework) {
+        console.log(`  Framework:   ${detection.framework}`);
+    }
+    console.log(`  Environment: ${env}`);
+    if (detection.aiSdks.length > 0) {
+        console.log(`  AI SDKs:     ${detection.aiSdks.map(s => s.name).join(', ')}`);
+    }
+    if (detection.cloudPlatform) {
+        console.log(`  Platform:    ${detection.cloudPlatform}`);
+    }
+    if (detection.typescript) {
+        console.log(`  TypeScript:  yes`);
     }
-    if (answers.https_sink && answers.https_endpoint) {
-        const headers = {};
-        if (answers.https_auth_header) {
-            headers.Authorization = answers.https_auth_header;
+    console.log('');
+    // Run AI analysis if API key available
+    let aiAnalysis = null;
+    const hasAIKey = process.env.ANTHROPIC_API_KEY || process.env.OPENAI_API_KEY;
+    const aiAnalysisEnabled = ['true', '1', 'yes'].includes(String(process.env.MONORA_AI_ANALYSIS_ENABLED || '').toLowerCase());
+    if (hasAIKey && aiAnalysisEnabled) {
+        console.log('Running AI-powered analysis...');
+        aiAnalysis = await (0, autodetect_1.analyzeProjectWithAI)();
+        if (aiAnalysis) {
+            console.log(`\x1b[33mAI suggests:\x1b[0m ${aiAnalysis.reasoning}`);
+            if (aiAnalysis.complianceHints.length > 0) {
+                console.log(`  Compliance: ${aiAnalysis.complianceHints.join(', ')}`);
+            }
         }
-        sinks.push({
-            type: 'https',
-            endpoint: answers.https_endpoint,
-            headers,
-            batch_size: 50,
-            timeout_sec: 10.0,
-            retry_attempts: 3,
-            backoff_base_sec: 0.5,
-        });
+        console.log('');
     }
-    config.sinks = sinks.length > 0 ? sinks : [{ type: 'stdout', format: 'json' }];
-    config.policies = {
-        ...config.policies,
-        model_allowlist: answers.allowlist || [],
-        model_denylist: answers.denylist || [],
-        enforce: true,
-    };
-    config.instrumentation = {
-        ...config.instrumentation,
-        enabled: answers.enable_instrumentation,
-        default_purpose: answers.instrumentation_purpose,
-    };
-    config.data_handling = {
-        ...config.data_handling,
-        enabled: answers.enable_data_handling,
-        mode: (answers.data_handling_mode || 'redact'),
-        rules: answers.enable_data_handling
-            ? [
-                {
-                    name: 'email',
-                    pattern: '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}',
-                    replace: '[REDACTED_EMAIL]',
-                    classifications: ['confidential', 'secret'],
-                    apply_to: ['request', 'response'],
-                },
-            ]
-            : [],
-    };
-    config.alerts = {
-        ...config.alerts,
-        violation_webhook: answers.violation_webhook || undefined,
-        headers: answers.alerts_auth_header ? { Authorization: answers.alerts_auth_header } : {},
-    };
-    config.error_handling = {
-        ...config.error_handling,
-        queue_full_mode: answers.queue_full_mode,
-    };
-    config.buffering = {
-        ...config.buffering,
-        queue_full_timeout_sec: answers.queue_full_timeout_sec === undefined ? config.buffering?.queue_full_timeout_sec : answers.queue_full_timeout_sec,
+    else if (hasAIKey && !aiAnalysisEnabled) {
+        console.log('AI analysis is disabled. Set MONORA_AI_ANALYSIS_ENABLED=true to enable it.\n');
+    }
+    // Collect 3 required questions
+    let email = '';
+    let company = '';
+    let role = '';
+    if (assumeYes) {
+        // Use environment variables or empty
+        email = process.env.MONORA_EMAIL || '';
+        company = process.env.MONORA_COMPANY || '';
+        role = process.env.MONORA_ROLE || '';
+        console.log('Using environment variables for attribution...');
+    }
+    else {
+        const rl = createInterface();
+        try {
+            console.log('\x1b[36mQuick setup (3 questions):\x1b[0m');
+            email = (await ask(rl, '  Work email (for updates)', '')).trim();
+            company = (await ask(rl, '  Company name', '')).trim();
+            role = (await ask(rl, '  Your role', '')).trim();
+        }
+        finally {
+            rl.close();
+        }
+    }
+    console.log('');
+    // Build smart configuration
+    const config = (0, autodetect_1.buildSmartConfig)(detection, aiAnalysis, { email, company, role });
+    // Write configuration
+    const output = renderConfigOutput(config, format);
+    fs.writeFileSync(configPath, output, 'utf-8');
+    console.log(`\x1b[32mConfiguration saved to ${configPath}\x1b[0m\n`);
+    // Clear next steps
+    console.log('\x1b[36m=== Next Steps ===\x1b[0m\n');
+    console.log('To start tracing with zero code changes:');
+    console.log('\x1b[33m  npx monora-ai start\x1b[0m\n');
+    console.log('Or wrap your existing command:');
+    console.log('\x1b[33m  npx monora-ai start -- npm run dev\x1b[0m\n');
+    console.log('Or add to package.json scripts:');
+    console.log('  "scripts": {');
+    console.log('    "dev": "npx monora-ai start -- node server.js"');
+    console.log('  }\n');
+    if (detection.aiSdks.length > 0) {
+        console.log(`Auto-instrumentation enabled for: ${detection.aiSdks.map(s => s.name).join(', ')}`);
+    }
+    console.log('\nFor advanced configuration, run: \x1b[33mnpx monora-ai init --advanced\x1b[0m');
+}
+/**
+ * Run a command with Monora instrumentation enabled.
+ * Zero-code instrumentation using NODE_OPTIONS.
+ */
+async function runStart(args) {
+    const { spawn } = await Promise.resolve().then(() => __importStar(require('child_process')));
+    // Find the separator '--' for the user command
+    const separatorIndex = args.indexOf('--');
+    let userCommand;
+    if (separatorIndex >= 0) {
+        userCommand = args.slice(separatorIndex + 1);
+    }
+    else if (args.length > 0) {
+        userCommand = args;
+    }
+    else {
+        // No command provided - try to find package.json start script
+        const packageJsonPath = path.join(process.cwd(), 'package.json');
+        if (fs.existsSync(packageJsonPath)) {
+            try {
+                const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+                if (pkg.scripts?.start) {
+                    console.log('\x1b[36mNo command specified, running npm start...\x1b[0m\n');
+                    userCommand = ['npm', 'start'];
+                }
+                else if (pkg.scripts?.dev) {
+                    console.log('\x1b[36mNo command specified, running npm run dev...\x1b[0m\n');
+                    userCommand = ['npm', 'run', 'dev'];
+                }
+                else {
+                    console.error('Error: No command specified and no start/dev script found in package.json');
+                    console.log('\nUsage: npx monora-ai start -- <command>');
+                    console.log('       npx monora-ai start -- npm run dev');
+                    console.log('       npx monora-ai start -- node server.js');
+                    process.exit(1);
+                }
+            }
+            catch {
+                console.error('Error: No command specified');
+                process.exit(1);
+            }
+        }
+        else {
+            console.error('Error: No command specified');
+            console.log('\nUsage: npx monora-ai start -- <command>');
+            process.exit(1);
+        }
+    }
+    // Find the register module path
+    let registerPath;
+    try {
+        // Try to find monora-ai/register
+        registerPath = require.resolve('monora-ai/register');
+    }
+    catch {
+        // Fall back to local path for development
+        registerPath = path.resolve(__dirname, 'register.js');
+        if (!fs.existsSync(registerPath)) {
+            // Try TypeScript version
+            registerPath = path.resolve(__dirname, 'register.ts');
+        }
+    }
+    // Check for config file
+    const configPath = fs.existsSync('monora.yml')
+        ? 'monora.yml'
+        : fs.existsSync('monora.json')
+            ? 'monora.json'
+            : null;
+    // Build environment
+    const env = {
+        ...process.env,
+        MONORA_AUTO_INIT: 'true',
     };
-    return config;
+    if (configPath) {
+        env.MONORA_CONFIG_PATH = configPath;
+    }
+    // Add register to NODE_OPTIONS
+    const existingNodeOptions = process.env.NODE_OPTIONS || '';
+    const escapedRegisterPath = registerPath.replace(/"/g, '\\"');
+    env.NODE_OPTIONS = `${existingNodeOptions} --require "${escapedRegisterPath}"`.trim();
+    console.log('\x1b[36m=== Monora Start ===\x1b[0m\n');
+    console.log('Instrumentation: \x1b[32menabled\x1b[0m');
+    if (configPath) {
+        console.log(`Config: ${configPath}`);
+    }
+    else {
+        console.log('Config: auto-detected');
+    }
+    console.log(`Running: ${userCommand.join(' ')}\n`);
+    console.log('\x1b[90m--- Application Output ---\x1b[0m\n');
+    // Spawn the user command
+    const child = spawn(userCommand[0], userCommand.slice(1), {
+        env,
+        stdio: 'inherit',
+        shell: true,
+    });
+    child.on('exit', (code) => {
+        process.exit(code ?? 0);
+    });
+    child.on('error', (err) => {
+        console.error(`Failed to start command: ${err.message}`);
+        process.exit(1);
+    });
 }
-async function runInitWizard(configPath, format, assumeYes, force) {
+async function runInitWizard(configPath, format, assumeYes, force, advanced = false, preset) {
     if (fs.existsSync(configPath) && !force) {
         if (assumeYes) {
             console.error(`${configPath} already exists. Use --force to overwrite.`);
             process.exit(1);
         }
     }
+    if (preset) {
+        const detectedService = (0, autodetect_1.detectServiceName)() || path.basename(process.cwd()) || 'monora-app';
+        const config = (0, init_1.buildPresetConfig)(preset, { serviceName: detectedService });
+        const output = renderConfigOutput(config, format);
+        fs.writeFileSync(configPath, output, 'utf-8');
+        console.log(`\nMonora config written to ${configPath}`);
+        console.log(`Preset: ${preset}`);
+        console.log('\n=== Next Steps ===\n');
+        console.log('Use the generated config file:');
+        console.log(`  import { init } from 'monora-ai';`);
+        console.log(`  init({ configPath: '${configPath}' });`);
+        console.log('');
+        console.log('Generate reports with:');
+        console.log('  npx monora-ai report --input ./monora_events.jsonl --output monora_report.json');
+        return;
+    }
+    // Use streamlined wizard by default (unless --advanced)
+    if (!advanced) {
+        return runStreamlinedWizard(configPath, format, assumeYes);
+    }
     // Auto-detect project info
     const detectedService = (0, autodetect_1.detectServiceName)() || path.basename(process.cwd()) || 'monora-app';
     const detectedEnv = (0, autodetect_1.detectEnvironment)();
@@ -324,22 +598,22 @@ async function runInitWizard(configPath, format, assumeYes, force) {
     }
     console.log('');
     // Generate smart defaults based on detection
-    const smartAllowlist = detectedSdks.includes('openai') && detectedSdks.includes('anthropic')
-        ? ['gpt-4*', 'gpt-4o*', 'claude-3-*']
-        : detectedSdks.includes('openai')
-            ? ['gpt-4*', 'gpt-4o*', 'o1-*']
-            : detectedSdks.includes('anthropic')
-                ? ['claude-3-*', 'claude-sonnet-4-*', 'claude-opus-4-*']
-                : [];
+    const smartAllowlist = [...init_1.DEFAULT_ALLOWLIST_PATTERNS];
     let answers;
     if (assumeYes) {
         // Smart defaults for --yes mode
         answers = {
             service_name: detectedService,
             environment: detectedEnv,
-            stdout_sink: detectedEnv === 'dev',
+            stdout_sink: false,
+            stdout_format: 'pretty',
             file_sink: true,
-            file_path: detectedEnv === 'production' ? './logs/monora_events.jsonl' : './monora_events.jsonl',
+            file_path: detectedEnv === 'production'
+                ? './logs/monora_events.jsonl'
+                : detectedEnv === 'poc'
+                    ? './monora_poc_events.jsonl'
+                    : './monora_events.jsonl',
+            file_rotation: 'none',
             https_sink: false,
             enable_policies: smartAllowlist.length > 0,
             allowlist: smartAllowlist,
@@ -348,9 +622,30 @@ async function runInitWizard(configPath, format, assumeYes, force) {
             instrumentation_purpose: 'general',
             enable_data_handling: false,
             data_handling_mode: 'redact',
-            violation_webhook: null,
+            violation_webhook: undefined,
             queue_full_mode: 'warn',
-            queue_full_timeout_sec: null,
+            queue_full_timeout_sec: undefined,
+            enable_attribution: false,
+            attribution_company: undefined,
+            attribution_role: undefined,
+            attribution_email: undefined,
+            attribution_source: undefined,
+            attribution_use_case: undefined,
+            attribution_team_size: undefined,
+            attribution_business_owner: undefined,
+            attribution_data_categories: [],
+            telemetry_enabled: false,
+            telemetry_send_data: false,
+            telemetry_data_residency: undefined,
+            enable_audit_metadata: false,
+            audit_use_case_name: undefined,
+            audit_business_owner: undefined,
+            audit_data_categories: [],
+            audit_risk_level: 'medium',
+            audit_compliance_frameworks: [],
+            audit_review_date: undefined,
+            audit_reviewer: undefined,
+            audit_notes: undefined,
         };
         console.log('Using smart defaults based on auto-detection...\n');
         if (answers.file_sink && answers.file_path) {
@@ -364,23 +659,33 @@ async function runInitWizard(configPath, format, assumeYes, force) {
     else {
         const rl = createInterface();
         try {
+            const selectedSinks = await askSinkSelection(rl, ['file']);
+            let stdoutSelected = selectedSinks.includes('stdout');
+            if (!stdoutSelected) {
+                stdoutSelected = await confirm(rl, 'Enable console output?', false);
+            }
             answers = {
                 service_name: await ask(rl, 'Service name', detectedService),
-                environment: await ask(rl, 'Environment (dev/staging/production)', detectedEnv),
-                stdout_sink: await confirm(rl, 'Enable stdout sink?', detectedEnv === 'dev'),
-                file_sink: await confirm(rl, 'Enable file sink?', true),
-                https_sink: await confirm(rl, 'Enable HTTPS sink?', false),
+                environment: await ask(rl, 'Environment (dev/poc/staging/production)', detectedEnv),
+                stdout_sink: stdoutSelected,
+                stdout_format: 'pretty',
+                file_sink: selectedSinks.includes('file'),
+                file_rotation: 'none',
+                https_sink: selectedSinks.includes('https'),
                 enable_policies: await confirm(rl, 'Configure model allowlist?', smartAllowlist.length > 0),
                 allowlist: [],
                 denylist: [],
                 enable_instrumentation: await confirm(rl, 'Enable auto-instrumentation?', detectedSdks.length > 0),
                 enable_data_handling: await confirm(rl, 'Enable data redaction rules?', false),
                 queue_full_mode: await ask(rl, 'Queue overflow mode (warn/raise/block)', 'warn'),
+                enable_attribution: false,
             };
             if (answers.file_sink) {
                 const defaultPath = answers.environment === 'production'
                     ? './logs/monora_events.jsonl'
-                    : './monora_events.jsonl';
+                    : answers.environment === 'poc'
+                        ? './monora_poc_events.jsonl'
+                        : './monora_events.jsonl';
                 answers.file_path = await ask(rl, 'File sink path', defaultPath);
                 if (answers.file_path) {
                     const fileCheck = checkFileWritable(answers.file_path);
@@ -419,7 +724,7 @@ async function runInitWizard(configPath, format, assumeYes, force) {
             if (answers.enable_policies) {
                 const defaultAllowlist = smartAllowlist.length > 0
                     ? smartAllowlist.join(',')
-                    : 'gpt-4*,claude-3-*';
+                    : init_1.DEFAULT_ALLOWLIST_PATTERNS.join(',');
                 answers.allowlist = parseList(await ask(rl, 'Allowlist patterns (comma-separated)', defaultAllowlist));
                 answers.denylist = parseList(await ask(rl, 'Denylist patterns (comma-separated)', ''));
             }
@@ -463,7 +768,7 @@ async function runInitWizard(configPath, format, assumeYes, force) {
                 while (true) {
                     const timeout = await ask(rl, 'Queue full timeout (seconds, blank for no timeout)', '');
                     if (!timeout) {
-                        answers.queue_full_timeout_sec = null;
+                        answers.queue_full_timeout_sec = undefined;
                         break;
                     }
                     const parsed = Number(timeout);
@@ -474,15 +779,54 @@ async function runInitWizard(configPath, format, assumeYes, force) {
                     console.warn('Please enter a valid number or leave blank.');
                 }
             }
+            console.log('\nOptional attribution & compliance metadata:');
+            console.log('Shared info helps improve Monora; nothing is sent unless you opt in.\n');
+            answers.enable_attribution = await confirm(rl, 'Provide optional project attribution info?', true);
+            if (answers.enable_attribution) {
+                answers.attribution_company = (await ask(rl, 'Company name (optional)', '')).trim() || null;
+                answers.attribution_role = (await ask(rl, 'Role (optional)', '')).trim() || null;
+                answers.attribution_email = (await ask(rl, 'Work email (optional)', '')).trim() || null;
+                answers.attribution_source = (await ask(rl, 'How did you find Monora? (optional)', '')).trim() || null;
+                answers.attribution_use_case = (await ask(rl, 'Use case (optional)', '')).trim() || null;
+                answers.attribution_team_size = (await ask(rl, 'Team size (solo/small/medium/large, optional)', '')).trim() || null;
+                answers.attribution_business_owner = (await ask(rl, 'Business owner (optional)', '')).trim() || null;
+                const categories = (await ask(rl, 'Data categories touched (comma-separated, optional)', '')).trim();
+                answers.attribution_data_categories = categories ? parseList(categories) : [];
+            }
+            answers.telemetry_enabled = await confirm(rl, 'Enable anonymous usage telemetry?', false);
+            if (answers.telemetry_enabled) {
+                answers.telemetry_send_data = await confirm(rl, 'Allow sending anonymized usage data to Monora?', false);
+                if (answers.telemetry_send_data) {
+                    answers.telemetry_data_residency = (await ask(rl, 'Telemetry data residency (us/eu)', 'us')).trim();
+                }
+                else {
+                    answers.telemetry_data_residency = undefined;
+                }
+            }
+            else {
+                answers.telemetry_send_data = false;
+                answers.telemetry_data_residency = undefined;
+            }
+            answers.enable_audit_metadata = await confirm(rl, 'Add audit metadata for compliance?', false);
+            if (answers.enable_audit_metadata) {
+                answers.audit_use_case_name = (await ask(rl, 'Audit use case name (optional)', '')).trim() || null;
+                answers.audit_business_owner = (await ask(rl, 'Audit business owner (optional)', '')).trim() || null;
+                const auditCategories = (await ask(rl, 'Audit data categories (comma-separated, optional)', '')).trim();
+                answers.audit_data_categories = auditCategories ? parseList(auditCategories) : [];
+                answers.audit_risk_level = (await ask(rl, 'Audit risk level (low/medium/high/critical)', 'medium')).trim();
+                const frameworks = (await ask(rl, 'Compliance frameworks (comma-separated, optional)', '')).trim();
+                answers.audit_compliance_frameworks = frameworks ? parseList(frameworks) : [];
+                answers.audit_review_date = (await ask(rl, 'Review date (optional)', '')).trim() || null;
+                answers.audit_reviewer = (await ask(rl, 'Reviewer (optional)', '')).trim() || null;
+                answers.audit_notes = (await ask(rl, 'Notes (optional)', '')).trim() || null;
+            }
         }
         finally {
             rl.close();
         }
     }
-    const config = buildConfig(answers);
-    const output = format === 'json'
-        ? JSON.stringify(config, null, 2)
-        : yaml.dump(config, { sortKeys: false, noRefs: true });
+    const config = (0, init_1.buildWizardConfig)(answers);
+    const output = renderConfigOutput(config, format);
     fs.writeFileSync(configPath, output, 'utf-8');
     console.log(`\nMonora config written to ${configPath}`);
     console.log('\n=== Next Steps ===\n');
@@ -496,6 +840,10 @@ async function runInitWizard(configPath, format, assumeYes, force) {
     console.log(`  import { init } from 'monora-ai';`);
     console.log(`  init({ configPath: '${configPath}' });`);
     console.log('');
+    console.log('Generate reports with:');
+    console.log('  npx monora-ai report --input ./monora_events.jsonl --output monora_report.json');
+    console.log('  (If rotation is enabled, use ./monora_events.latest.jsonl)');
+    console.log('');
     if (detectedSdks.length > 0) {
         console.log(`Detected SDKs (${detectedSdks.join(', ')}) will be auto-instrumented.`);
     }
@@ -503,11 +851,14 @@ async function runInitWizard(configPath, format, assumeYes, force) {
 function parseInitOptions(args) {
     const configPath = getFlagValue(args, '--path') || 'monora.yml';
     const format = getFlagValue(args, '--format') || 'yaml';
+    const preset = normalizeInitPreset(getFlagValue(args, '--preset'));
     return {
         path: configPath,
         format: format === 'json' ? 'json' : 'yaml',
         yes: hasFlag(args, '--yes'),
         force: hasFlag(args, '--force'),
+        advanced: hasFlag(args, '--advanced'),
+        preset,
     };
 }
 function parseReportOptions(args) {
@@ -553,6 +904,7 @@ function parseSecurityReviewOptions(args) {
     };
 }
 function parseTrustPackageOptions(args) {
+    const target = Number(getFlagValue(args, '--control-coverage-target') || '0.9');
     return {
         input: getFlagValue(args, '--input'),
         traceId: getFlagValue(args, '--trace-id'),
@@ -561,6 +913,17 @@ function parseTrustPackageOptions(args) {
         sign: getFlagValue(args, '--sign') || undefined,
         gpgKey: getFlagValue(args, '--gpg-key'),
         gpgHome: getFlagValue(args, '--gpg-home'),
+        evidenceManifest: getFlagValue(args, '--evidence-manifest'),
+        evidenceRuntime: hasFlag(args, '--evidence-runtime'),
+        evidenceStandard: getFlagValue(args, '--evidence-standard') || undefined,
+        evidenceNoLineage: hasFlag(args, '--evidence-no-lineage'),
+        evidenceNoHashChain: hasFlag(args, '--evidence-no-hash-chain'),
+        evidenceNoWorkflowState: hasFlag(args, '--evidence-no-workflow-state'),
+        evidenceNoAimsState: hasFlag(args, '--evidence-no-aims-state'),
+        controlCatalog: getFlagValue(args, '--control-catalog'),
+        controlWorkflowState: getFlagValue(args, '--control-workflow-state'),
+        controlCoverageTarget: Number.isFinite(target) ? target : 0.9,
+        controlCoverage: getFlagValue(args, '--control-coverage'),
         schema: !hasFlag(args, '--no-schema'),
         verify: !hasFlag(args, '--no-verify'),
         signatureVerify: !hasFlag(args, '--no-signature-verify'),
@@ -867,7 +1230,7 @@ async function runReport(options) {
         verifySignatures(events, config);
     }
     const policies = config.policies || undefined;
-    const report = (0, report_1.buildReport)(events, policies);
+    const report = (0, report_1.buildReport)(events, policies, config.registry);
     if (options.format === 'markdown') {
         (0, report_1.writeMarkdown)(options.output, report);
     }
@@ -961,7 +1324,19 @@ async function runTrustPackage(options) {
     if (options.signatureVerify) {
         verifySignatures(events, config);
     }
-    let trustPackage = (0, trust_package_1.buildTrustPackage)(options.traceId, events, config);
+    let trustPackage = (0, trust_package_1.buildTrustPackage)(options.traceId, events, config, {
+        evidenceManifestPath: options.evidenceManifest,
+        evidenceManifestAuto: options.evidenceRuntime,
+        evidenceManifestStandard: options.evidenceStandard,
+        evidenceManifestIncludeLineage: !options.evidenceNoLineage,
+        evidenceManifestIncludeHashChain: !options.evidenceNoHashChain,
+        evidenceManifestIncludeWorkflowState: !options.evidenceNoWorkflowState,
+        evidenceManifestIncludeAimsState: !options.evidenceNoAimsState,
+        controlCatalogPath: options.controlCatalog,
+        controlWorkflowStatePath: options.controlWorkflowState,
+        controlCoverageTarget: options.controlCoverageTarget,
+        controlCoveragePath: options.controlCoverage,
+    });
     if (options.sign) {
         if (options.sign !== 'gpg') {
             console.error(`Unsupported signing type: ${options.sign}`);
@@ -982,6 +1357,342 @@ async function runTrustPackage(options) {
     (0, trust_package_1.writeTrustPackage)(options.output, trustPackage);
     console.log(`Trust package generated: ${options.output}`);
 }
+function loadAimsStateIfPresent(statePath) {
+    if (!statePath) {
+        return;
+    }
+    if (!fs.existsSync(statePath)) {
+        return;
+    }
+    (0, aims_governance_1.loadAimsGovernanceState)(statePath, { replaceRuntime: true });
+}
+function saveAimsStateIfPresent(statePath) {
+    if (!statePath) {
+        return;
+    }
+    (0, aims_governance_1.exportAimsGovernanceState)(statePath);
+}
+function emitAimsJson(payload) {
+    console.log(JSON.stringify(payload, null, 2));
+}
+async function runAims(args) {
+    const subcommand = args[0];
+    const subArgs = args.slice(1);
+    if (!subcommand) {
+        usage();
+        process.exit(1);
+    }
+    const statePath = getFlagValue(subArgs, '--state');
+    loadAimsStateIfPresent(statePath);
+    const required = (flag) => {
+        const value = getFlagValue(subArgs, flag);
+        if (!value) {
+            throw new Error(`Missing required flag: ${flag}`);
+        }
+        return value;
+    };
+    if (subcommand === 'summary') {
+        emitAimsJson((0, aims_governance_1.getAimsGovernanceSummary)());
+        return;
+    }
+    if (subcommand === 'export-state') {
+        const outputPath = required('--output');
+        const payload = (0, aims_governance_1.exportAimsGovernanceState)(outputPath);
+        emitAimsJson({ state_type: payload.state_type, output: outputPath });
+        return;
+    }
+    if (subcommand === 'import-state') {
+        const inputPath = required('--input');
+        const payload = (0, aims_governance_1.loadAimsGovernanceState)(inputPath, { replaceRuntime: true });
+        const policyCount = Array.isArray(payload.policies) ? payload.policies.length : 0;
+        const concernCount = Array.isArray(payload.concern_reports) ? payload.concern_reports.length : 0;
+        emitAimsJson({
+            input: inputPath,
+            policies: policyCount,
+            concerns: concernCount,
+        });
+        return;
+    }
+    if (subcommand === 'policy-create') {
+        const policy = (0, aims_governance_1.createPolicyDocument)({
+            policyId: required('--policy-id'),
+            title: required('--title'),
+            owner: required('--owner'),
+            reviewFrequencyDays: Number(getFlagValue(subArgs, '--review-frequency-days') || '365'),
+            controlIds: parseOptionalList(getFlagValue(subArgs, '--control-ids')),
+            metadata: parseJsonObject(getFlagValue(subArgs, '--metadata')),
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(policy);
+        return;
+    }
+    if (subcommand === 'policy-add-version') {
+        const version = (0, aims_governance_1.addPolicyVersion)({
+            policyId: required('--policy-id'),
+            changeSummary: required('--change-summary'),
+            createdBy: required('--created-by'),
+            content: getFlagValue(subArgs, '--content'),
+            artifactPath: getFlagValue(subArgs, '--artifact-path'),
+            requiredReviewers: parseOptionalList(getFlagValue(subArgs, '--required-reviewers')),
+            metadata: parseJsonObject(getFlagValue(subArgs, '--metadata')),
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(version);
+        return;
+    }
+    if (subcommand === 'policy-submit') {
+        const version = (0, aims_governance_1.submitPolicyVersion)({
+            policyId: required('--policy-id'),
+            versionId: required('--version-id'),
+            submittedBy: required('--submitted-by'),
+            reviewerChain: parseOptionalList(getFlagValue(subArgs, '--reviewer-chain')),
+            note: getFlagValue(subArgs, '--note'),
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(version);
+        return;
+    }
+    if (subcommand === 'policy-approve') {
+        const version = (0, aims_governance_1.approvePolicyVersion)({
+            policyId: required('--policy-id'),
+            versionId: required('--version-id'),
+            approver: required('--approver'),
+            note: getFlagValue(subArgs, '--note'),
+            force: hasFlag(subArgs, '--force'),
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(version);
+        return;
+    }
+    if (subcommand === 'policy-reject') {
+        const version = (0, aims_governance_1.rejectPolicyVersion)({
+            policyId: required('--policy-id'),
+            versionId: required('--version-id'),
+            reviewer: required('--reviewer'),
+            note: required('--note'),
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(version);
+        return;
+    }
+    if (subcommand === 'policy-review') {
+        const version = (0, aims_governance_1.recordPolicyReview)({
+            policyId: required('--policy-id'),
+            versionId: required('--version-id'),
+            reviewer: required('--reviewer'),
+            summary: required('--summary'),
+            outcome: getFlagValue(subArgs, '--outcome') || 'accepted',
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(version);
+        return;
+    }
+    if (subcommand === 'policy-list') {
+        emitAimsJson((0, aims_governance_1.listPolicyDocuments)());
+        return;
+    }
+    if (subcommand === 'policy-get') {
+        const policy = (0, aims_governance_1.getPolicyDocument)(required('--policy-id'));
+        if (!policy) {
+            throw new Error(`Policy not found: ${required('--policy-id')}`);
+        }
+        emitAimsJson(policy);
+        return;
+    }
+    if (subcommand === 'policy-workflows') {
+        const policyId = getFlagValue(subArgs, '--policy-id');
+        const buildStatus = (policy) => {
+            const workflowMap = { ...(policy.workflow_ids || {}) };
+            if (Object.keys(workflowMap).length === 0) {
+                const workflows = (0, control_backbone_1.listWorkflowTasks)({}).filter((workflow) => workflow.metadata?.policy_id === policy.policy_id);
+                for (const workflow of workflows) {
+                    workflowMap[workflow.control_id] = workflow.workflow_id;
+                }
+            }
+            const entries = Object.entries(workflowMap).sort(([a], [b]) => a.localeCompare(b)).map(([controlId, workflowId]) => {
+                const workflow = (0, control_backbone_1.getWorkflowTask)(workflowId);
+                if (!workflow) {
+                    return { control_id: controlId, workflow_id: workflowId, status: 'missing' };
+                }
+                return {
+                    control_id: controlId,
+                    workflow_id: workflow.workflow_id,
+                    status: workflow.status,
+                    owner: workflow.owner,
+                    due_at: workflow.due_at,
+                    updated_at: workflow.updated_at,
+                };
+            });
+            return {
+                policy_id: policy.policy_id,
+                title: policy.title,
+                owner: policy.owner,
+                active_version_id: policy.active_version_id,
+                workflows: entries,
+            };
+        };
+        if (policyId) {
+            const policy = (0, aims_governance_1.getPolicyDocument)(policyId);
+            if (!policy) {
+                throw new Error(`Policy not found: ${policyId}`);
+            }
+            emitAimsJson(buildStatus(policy));
+            return;
+        }
+        emitAimsJson((0, aims_governance_1.listPolicyDocuments)().map((policy) => buildStatus(policy)));
+        return;
+    }
+    if (subcommand === 'policy-approvals') {
+        const policyId = getFlagValue(subArgs, '--policy-id');
+        const versionId = getFlagValue(subArgs, '--version-id');
+        if (versionId && !policyId) {
+            throw new Error('--version-id requires --policy-id');
+        }
+        const policies = policyId ? [(0, aims_governance_1.getPolicyDocument)(policyId)] : (0, aims_governance_1.listPolicyDocuments)();
+        const payload = policies.map((policy) => {
+            if (!policy) {
+                throw new Error(`Policy not found: ${policyId}`);
+            }
+            const versions = (policy.versions || [])
+                .filter((version) => !versionId || version.version_id === versionId)
+                .map((version) => ({
+                version_id: version.version_id,
+                version_number: version.version_number,
+                status: version.status,
+                submitted_at: version.submitted_at,
+                approved_at: version.approved_at,
+                approved_by: version.approved_by,
+                required_reviewers: version.required_reviewers,
+                approvals: version.approvals,
+                review_history: version.review_history,
+            }));
+            return {
+                policy_id: policy.policy_id,
+                title: policy.title,
+                owner: policy.owner,
+                active_version_id: policy.active_version_id,
+                versions,
+            };
+        });
+        emitAimsJson(payload);
+        return;
+    }
+    if (subcommand === 'policy-due') {
+        emitAimsJson((0, aims_governance_1.getDuePolicyReviews)({
+            referenceTime: getFlagValue(subArgs, '--reference-time'),
+        }));
+        return;
+    }
+    if (subcommand === 'context-record') {
+        const record = (0, aims_governance_1.recordAimsContext)({
+            scope: required('--scope'),
+            approvedBy: required('--approved-by'),
+            interestedParties: parseOptionalList(getFlagValue(subArgs, '--interested-parties')),
+            internalIssues: parseOptionalList(getFlagValue(subArgs, '--internal-issues')),
+            externalIssues: parseOptionalList(getFlagValue(subArgs, '--external-issues')),
+            objectives: parseOptionalList(getFlagValue(subArgs, '--objectives')),
+            reviewFrequencyDays: Number(getFlagValue(subArgs, '--review-frequency-days') || '365'),
+            metadata: parseJsonObject(getFlagValue(subArgs, '--metadata')),
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(record);
+        return;
+    }
+    if (subcommand === 'context-get') {
+        emitAimsJson((0, aims_governance_1.getAimsContext)() || {});
+        return;
+    }
+    if (subcommand === 'raci-register') {
+        const entry = (0, aims_governance_1.registerRaciEntry)({
+            functionName: required('--function-name'),
+            owner: required('--owner'),
+            accountable: parseOptionalList(required('--accountable')),
+            responsible: parseOptionalList(required('--responsible')),
+            consulted: parseOptionalList(getFlagValue(subArgs, '--consulted')),
+            informed: parseOptionalList(getFlagValue(subArgs, '--informed')),
+            controlIds: parseOptionalList(getFlagValue(subArgs, '--control-ids')),
+            notes: getFlagValue(subArgs, '--notes'),
+            metadata: parseJsonObject(getFlagValue(subArgs, '--metadata')),
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(entry);
+        return;
+    }
+    if (subcommand === 'raci-list') {
+        emitAimsJson((0, aims_governance_1.listRaciEntries)());
+        return;
+    }
+    if (subcommand === 'training-record') {
+        const record = (0, aims_governance_1.recordGovernanceTraining)({
+            userId: required('--user-id'),
+            topic: required('--topic'),
+            recordedBy: required('--recorded-by'),
+            completedAt: getFlagValue(subArgs, '--completed-at'),
+            controlIds: parseOptionalList(getFlagValue(subArgs, '--control-ids')),
+            notes: getFlagValue(subArgs, '--notes'),
+            metadata: parseJsonObject(getFlagValue(subArgs, '--metadata')),
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(record);
+        return;
+    }
+    if (subcommand === 'training-list') {
+        emitAimsJson((0, aims_governance_1.listGovernanceTrainingRecords)());
+        return;
+    }
+    if (subcommand === 'concern-file') {
+        const report = (0, aims_governance_1.fileConcernReport)({
+            title: required('--title'),
+            description: required('--description'),
+            reportedBy: required('--reported-by'),
+            severity: getFlagValue(subArgs, '--severity') || 'medium',
+            assignedTo: getFlagValue(subArgs, '--assigned-to'),
+            controlIds: parseOptionalList(getFlagValue(subArgs, '--control-ids')),
+            tags: parseOptionalList(getFlagValue(subArgs, '--tags')),
+            metadata: parseJsonObject(getFlagValue(subArgs, '--metadata')),
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(report);
+        return;
+    }
+    if (subcommand === 'concern-update') {
+        const report = (0, aims_governance_1.updateConcernReport)({
+            concernId: required('--concern-id'),
+            actor: required('--actor'),
+            status: required('--status'),
+            note: getFlagValue(subArgs, '--note'),
+            assignedTo: getFlagValue(subArgs, '--assigned-to'),
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(report);
+        return;
+    }
+    if (subcommand === 'concern-resolve') {
+        const report = (0, aims_governance_1.resolveConcernReport)({
+            concernId: required('--concern-id'),
+            resolvedBy: required('--resolved-by'),
+            resolutionSummary: required('--resolution-summary'),
+            close: !hasFlag(subArgs, '--no-close'),
+        });
+        saveAimsStateIfPresent(statePath);
+        emitAimsJson(report);
+        return;
+    }
+    if (subcommand === 'concern-list') {
+        const status = getFlagValue(subArgs, '--status');
+        emitAimsJson((0, aims_governance_1.listConcernReports)({ status: status }));
+        return;
+    }
+    if (subcommand === 'concern-get') {
+        const report = (0, aims_governance_1.getConcernReport)(required('--concern-id'));
+        if (!report) {
+            throw new Error(`Concern not found: ${required('--concern-id')}`);
+        }
+        emitAimsJson(report);
+        return;
+    }
+    throw new Error(`Unsupported aims subcommand: ${subcommand}`);
+}
 async function runVerify(options) {
     if (!options.input) {
         usage();
@@ -1086,9 +1797,12 @@ async function runVerify(options) {
 async function runValidate(args) {
     const configPath = getFlagValue(args, '--config') || 'monora.yml';
     const asJson = hasFlag(args, '--json');
+    const modeArg = normalizeValidationMode(getFlagValue(args, '--mode'));
     try {
         const config = (0, config_1.loadConfig)({ configPath });
-        const results = (0, diagnostics_1.validateConfig)(config);
+        const env = config.defaults?.environment || 'dev';
+        const mode = modeArg || (env === 'production' ? 'strict' : 'lenient');
+        const results = (0, diagnostics_1.validateConfig)(config, { mode });
         const exitCode = (0, diagnostics_1.emitResults)(results, { json: asJson });
         process.exit(exitCode);
     }
@@ -1102,9 +1816,8 @@ async function runDoctor(args) {
     const asJson = hasFlag(args, '--json');
     const noNetwork = hasFlag(args, '--no-network');
     try {
-        const config = (0, config_1.loadConfig)({ configPath });
-        const results = (0, diagnostics_1.doctorChecks)(config, { checkNetwork: !noNetwork });
-        const exitCode = (0, diagnostics_1.emitResults)(results, { json: asJson });
+        const results = await (0, doctor_1.doctorChecks)(configPath, { checkNetwork: !noNetwork });
+        const exitCode = (0, doctor_1.emitDoctorResults)(results, { json: asJson });
         process.exit(exitCode);
     }
     catch (error) {
@@ -1112,6 +1825,49 @@ async function runDoctor(args) {
         process.exit(1);
     }
 }
+async function runConfigFix(args) {
+    const configPath = getFlagValue(args, '--config') || 'monora.yml';
+    const dryRun = hasFlag(args, '--dry-run');
+    const noNetwork = hasFlag(args, '--no-network');
+    try {
+        const result = await (0, fix_1.fixConfigFile)(configPath, {
+            dryRun,
+            checkNetwork: !noNetwork,
+        });
+        if (!result.ok) {
+            for (const error of result.errors) {
+                console.error(`Error: ${error}`);
+            }
+            process.exit(1);
+        }
+        if (result.changes.length === 0) {
+            console.log('No fixes required.');
+            return;
+        }
+        console.log('Applied fixes:');
+        for (const change of result.changes) {
+            console.log(`  - ${change}`);
+        }
+        if (result.warnings.length > 0) {
+            console.log('Warnings:');
+            for (const warning of result.warnings) {
+                console.log(`  - ${warning}`);
+            }
+        }
+        if (dryRun) {
+            console.log('\nDry run only (no files written).');
+            return;
+        }
+        if (result.backupPath) {
+            console.log(`Backup written to ${result.backupPath}`);
+        }
+        console.log(`Updated config saved to ${configPath}`);
+    }
+    catch (error) {
+        console.error(`Error: ${error?.message || error}`);
+        process.exit(1);
+    }
+}
 async function runCompatReport(args) {
     const baselinePath = getFlagValue(args, '--baseline');
     const outputPath = getFlagValue(args, '--output');
@@ -1333,7 +2089,7 @@ async function runStandardsExcerpt(args) {
         process.exit(1);
     }
     try {
-        const payload = (0, standards_ingest_1.applyExcerpts)({ ingestPath, claimsPath, excerptsPath });
+        const payload = await (0, standards_ingest_1.applyExcerpts)({ ingestPath, claimsPath, excerptsPath });
         const output = JSON.stringify(payload, null, pretty ? 2 : undefined);
         if (outputPath) {
             fs.writeFileSync(outputPath, output, 'utf-8');
@@ -1445,7 +2201,7 @@ async function runStandardsReview(args) {
         rl.close();
     }
     try {
-        const updated = (0, standards_ingest_1.applyExcerptSelections)({
+        const updated = await (0, standards_ingest_1.applyExcerptSelections)({
             ingestPath,
             claimsPath,
             selections,
@@ -1494,6 +2250,415 @@ async function runStandardsCheck(args) {
         process.exit(1);
     }
 }
+function normalizeComplianceTargets(values) {
+    const normalized = values
+        .map((value) => value.trim().toLowerCase().replace(/-/g, '_'))
+        .filter(Boolean);
+    const invalid = normalized.filter((value) => !(0, complianceTargets_1.isFrameworkSupported)(value));
+    if (invalid.length > 0) {
+        throw new Error(`Unsupported compliance target(s): ${invalid.join(', ')}`);
+    }
+    return normalized;
+}
+async function runSchema(args) {
+    const subcommand = args[0];
+    const subArgs = args.slice(1);
+    if (!subcommand || subcommand === '--help' || subcommand === '-h') {
+        console.log('Usage: npx monora-ai schema infer [options]');
+        console.log('  infer --input <events.jsonl> --output <spec.json> [--model-name <name>] [--model-version <ver>] [--compliance-target <framework>]... [--sample-size <n>] [--no-pii] [--report <inference_report.json>] [--contract <schema_contract.json>]');
+        process.exit(1);
+    }
+    if (subcommand !== 'infer') {
+        console.error(`Unknown schema subcommand: ${subcommand}`);
+        process.exit(1);
+    }
+    const inputPath = getFlagValue(subArgs, '--input');
+    const outputPath = getFlagValue(subArgs, '--output');
+    const modelName = getFlagValue(subArgs, '--model-name');
+    const modelVersion = getFlagValue(subArgs, '--model-version') || '1.0.0';
+    const sampleSizeRaw = getFlagValue(subArgs, '--sample-size');
+    const sampleSize = sampleSizeRaw ? Number(sampleSizeRaw) : 100;
+    const noPii = hasFlag(subArgs, '--no-pii');
+    const reportPath = getFlagValue(subArgs, '--report');
+    const contractPath = getFlagValue(subArgs, '--contract');
+    if (!inputPath || !outputPath) {
+        console.error('Error: --input and --output are required for schema infer.');
+        process.exit(1);
+    }
+    if (!Number.isFinite(sampleSize) || sampleSize <= 0) {
+        console.error('Error: --sample-size must be > 0.');
+        process.exit(1);
+    }
+    let complianceTargets = [];
+    try {
+        complianceTargets = normalizeComplianceTargets(getFlagValues(subArgs, '--compliance-target'));
+    }
+    catch (error) {
+        console.error(`Error: ${error?.message || error}`);
+        process.exit(1);
+    }
+    try {
+        const spec = (0, schemaInference_1.inferSchemaFromFile)(inputPath, {
+            modelName: modelName || undefined,
+            modelVersion,
+            complianceTargets,
+            detectPii: !noPii,
+            sampleSize,
+        });
+        const outputResolved = path.resolve(outputPath);
+        fs.mkdirSync(path.dirname(outputResolved), { recursive: true });
+        fs.writeFileSync(outputResolved, JSON.stringify((0, spec_1.specToDict)(spec), null, 2), 'utf-8');
+        console.log(`Wrote inferred schema spec to ${outputPath}`);
+        if (contractPath) {
+            const contractResolved = path.resolve(contractPath);
+            fs.mkdirSync(path.dirname(contractResolved), { recursive: true });
+            fs.writeFileSync(contractResolved, JSON.stringify((0, spec_1.specToSchemaContract)(spec), null, 2), 'utf-8');
+            console.log(`Wrote schema contract to ${contractPath}`);
+        }
+        if (reportPath) {
+            const reportResolved = path.resolve(reportPath);
+            fs.mkdirSync(path.dirname(reportResolved), { recursive: true });
+            const events = (0, schemaInference_1.loadEventsFromFile)(inputPath);
+            const report = (0, schemaInference_1.generateInferenceReport)(events, sampleSize);
+            fs.writeFileSync(reportResolved, JSON.stringify(report, null, 2), 'utf-8');
+            console.log(`Wrote inference report to ${reportPath}`);
+        }
+    }
+    catch (error) {
+        console.error(`Error: ${error?.message || error}`);
+        process.exit(1);
+    }
+}
+async function runModel(args) {
+    const subcommand = args[0];
+    const subArgs = args.slice(1);
+    if (!subcommand || subcommand === '--help' || subcommand === '-h') {
+        console.log('Usage: npx monora-ai model create [options]');
+        console.log('  create --input <events.jsonl> --output <model.json> [--model-name <name>] [--model-version <ver>] [--compliance-target <framework>]... [--risk-category minimal|limited|high|unacceptable] [--intended-use <text>] [--owner <id>] [--tag <value>]... [--sample-size <n>] [--no-pii] [--config-out <monora.yml|json>] [--config-format yaml|json] [--contract-out <schema_contract.json>]');
+        process.exit(1);
+    }
+    if (subcommand !== 'create') {
+        console.error(`Unknown model subcommand: ${subcommand}`);
+        process.exit(1);
+    }
+    const inputPath = getFlagValue(subArgs, '--input');
+    const outputPath = getFlagValue(subArgs, '--output');
+    const modelName = getFlagValue(subArgs, '--model-name') || 'unnamed-model';
+    const modelVersion = getFlagValue(subArgs, '--model-version') || '1.0.0';
+    const riskCategory = getFlagValue(subArgs, '--risk-category') || 'limited';
+    const intendedUse = getFlagValue(subArgs, '--intended-use');
+    const owner = getFlagValue(subArgs, '--owner');
+    const sampleSizeRaw = getFlagValue(subArgs, '--sample-size');
+    const sampleSize = sampleSizeRaw ? Number(sampleSizeRaw) : 100;
+    const noPii = hasFlag(subArgs, '--no-pii');
+    const configOut = getFlagValue(subArgs, '--config-out');
+    const configFormat = (getFlagValue(subArgs, '--config-format') || 'yaml').toLowerCase();
+    const contractOut = getFlagValue(subArgs, '--contract-out');
+    if (!inputPath || !outputPath) {
+        console.error('Error: --input and --output are required for model create.');
+        process.exit(1);
+    }
+    if (!Number.isFinite(sampleSize) || sampleSize <= 0) {
+        console.error('Error: --sample-size must be > 0.');
+        process.exit(1);
+    }
+    if (!['minimal', 'limited', 'high', 'unacceptable'].includes(riskCategory)) {
+        console.error("Error: --risk-category must be one of minimal|limited|high|unacceptable.");
+        process.exit(1);
+    }
+    if (!['yaml', 'json'].includes(configFormat)) {
+        console.error("Error: --config-format must be one of yaml|json.");
+        process.exit(1);
+    }
+    let complianceTargets = [];
+    let tags = [];
+    try {
+        complianceTargets = normalizeComplianceTargets(getFlagValues(subArgs, '--compliance-target'));
+        tags = getFlagValues(subArgs, '--tag');
+    }
+    catch (error) {
+        console.error(`Error: ${error?.message || error}`);
+        process.exit(1);
+    }
+    try {
+        const model = (0, model_1.modelFromData)({
+            source: inputPath,
+            modelName,
+            modelVersion,
+            complianceTargets,
+            riskCategory: riskCategory,
+            intendedUse: intendedUse || undefined,
+            owner: owner || undefined,
+            tags,
+            detectPii: !noPii,
+            sampleSize,
+        });
+        (0, model_1.saveModel)(model, outputPath);
+        console.log(`Wrote model to ${outputPath}`);
+        if (configOut) {
+            (0, model_1.saveConfig)(model, configOut, configFormat);
+            console.log(`Wrote generated config to ${configOut}`);
+        }
+        if (contractOut) {
+            (0, model_1.saveSchemaContract)(model, contractOut);
+            console.log(`Wrote schema contract to ${contractOut}`);
+        }
+    }
+    catch (error) {
+        console.error(`Error: ${error?.message || error}`);
+        process.exit(1);
+    }
+}
+async function runOnboard(args) {
+    const subcommand = args[0];
+    const subArgs = args.slice(1);
+    if (!subcommand || subcommand === '--help' || subcommand === '-h') {
+        console.log('Usage: npx monora-ai onboard <init|validate|complete|status> [options]');
+        console.log('  init [--config monora.yml] [--yes] [--force]');
+        console.log('  validate [--config monora.yml] [--input events.jsonl] [--output result.json] [--pretty]');
+        console.log('  complete [--config monora.yml] [--completed-by name] [--output result.json] [--pretty]');
+        console.log('  status [--config monora.yml] [--pretty]');
+        process.exit(1);
+    }
+    if (subcommand === 'init') {
+        const configPath = getFlagValue(subArgs, '--config') || 'monora.yml';
+        const acceptDefaults = hasFlag(subArgs, '--yes');
+        const force = hasFlag(subArgs, '--force');
+        if (fs.existsSync(configPath) && !force) {
+            if (acceptDefaults) {
+                console.error(`${configPath} already exists. Use --force to overwrite.`);
+                process.exit(1);
+            }
+            const rl = createInterface();
+            const overwrite = await confirm(rl, `${configPath} already exists. Overwrite?`, false);
+            rl.close();
+            if (!overwrite) {
+                console.error('Aborted.');
+                process.exit(1);
+            }
+        }
+        const config = (0, config_1.loadConfig)({ configPath });
+        const onboardingDefaults = (config.onboarding || {});
+        let onboardingEnabled = true;
+        let requiredInProd = true;
+        let logsPath = String(onboardingDefaults?.artifacts?.production_logs_path || './monora_events.jsonl');
+        let schemaPath = String(onboardingDefaults?.artifacts?.schema_contract_path || './onboarding/schema_contract.json');
+        let datasetSamplePath = null;
+        let baselineReportsDir = String(onboardingDefaults?.artifacts?.baseline_reports_dir || './monora_reports/onboarding');
+        let standards = ['SOC2', 'GDPR', 'ISO27001'];
+        let bundles = ['core_observability', 'soc2_access', 'gdpr_privacy', 'iso27001_security'];
+        let toggles = {
+            identity_tracking: true,
+            risk_tracking: true,
+            bias_tracking: false,
+            oversight_tracking: true,
+            data_governance_tracking: true,
+            lifecycle_tracking: true,
+        };
+        let roles = {
+            inputs: ['body.prompt'],
+            outputs: ['body.response'],
+            metadata: ['event_type', 'service_name', 'timestamp'],
+            identifiers: ['event_id', 'trace_id', 'span_id'],
+        };
+        if (!acceptDefaults) {
+            const rl = createInterface();
+            try {
+                onboardingEnabled = await confirm(rl, 'Enable onboarding?', true);
+                requiredInProd = await confirm(rl, 'Require completed onboarding in production?', true);
+                logsPath = await ask(rl, 'Production logs path', logsPath);
+                schemaPath = await ask(rl, 'Schema contract path', schemaPath);
+                const datasetRaw = (await ask(rl, 'Dataset sample path (optional)', '')).trim();
+                datasetSamplePath = datasetRaw || null;
+                baselineReportsDir = await ask(rl, 'Baseline reports output directory', baselineReportsDir);
+                standards = parseOptionalList(await ask(rl, 'Standards (comma-separated)', 'SOC2,GDPR,ISO27001'));
+                if (standards.length === 0) {
+                    standards = ['SOC2', 'GDPR', 'ISO27001'];
+                }
+                bundles = parseOptionalList(await ask(rl, 'Enrichment bundles (comma-separated)', 'core_observability,soc2_access,gdpr_privacy,iso27001_security'));
+                if (bundles.length === 0) {
+                    bundles = ['core_observability', 'soc2_access', 'gdpr_privacy', 'iso27001_security'];
+                }
+                toggles = {
+                    identity_tracking: await confirm(rl, 'Enable identity tracking?', true),
+                    risk_tracking: await confirm(rl, 'Enable risk tracking?', true),
+                    bias_tracking: await confirm(rl, 'Enable bias tracking?', false),
+                    oversight_tracking: await confirm(rl, 'Enable oversight tracking?', true),
+                    data_governance_tracking: await confirm(rl, 'Enable data governance tracking?', true),
+                    lifecycle_tracking: await confirm(rl, 'Enable lifecycle tracking?', true),
+                };
+                const inputs = parseOptionalList(await ask(rl, 'Model spec input fields (comma-separated)', 'body.prompt'));
+                const outputs = parseOptionalList(await ask(rl, 'Model spec output fields (comma-separated)', 'body.response'));
+                const metadata = parseOptionalList(await ask(rl, 'Model spec metadata fields (comma-separated)', 'event_type,service_name,timestamp'));
+                const identifiers = parseOptionalList(await ask(rl, 'Model spec identifiers (comma-separated)', 'event_id,trace_id,span_id'));
+                roles = {
+                    inputs: inputs.length > 0 ? inputs : ['body.prompt'],
+                    outputs: outputs.length > 0 ? outputs : ['body.response'],
+                    metadata: metadata.length > 0 ? metadata : ['event_type', 'service_name', 'timestamp'],
+                    identifiers: identifiers.length > 0 ? identifiers : ['event_id', 'trace_id', 'span_id'],
+                };
+            }
+            finally {
+                rl.close();
+            }
+        }
+        else {
+            const enrichmentsDefaults = (config.enrichments || {});
+            const bundlesDefault = Array.isArray(enrichmentsDefaults.bundles)
+                ? enrichmentsDefaults.bundles
+                : bundles;
+            bundles = bundlesDefault.map((value) => String(value).trim()).filter(Boolean);
+            if (bundles.length === 0) {
+                bundles = ['core_observability', 'soc2_access', 'gdpr_privacy', 'iso27001_security'];
+            }
+            const toggleDefaults = enrichmentsDefaults.toggles && typeof enrichmentsDefaults.toggles === 'object'
+                ? enrichmentsDefaults.toggles
+                : {};
+            toggles = {
+                identity_tracking: Boolean(toggleDefaults.identity_tracking ?? toggles.identity_tracking),
+                risk_tracking: Boolean(toggleDefaults.risk_tracking ?? toggles.risk_tracking),
+                bias_tracking: Boolean(toggleDefaults.bias_tracking ?? toggles.bias_tracking),
+                oversight_tracking: Boolean(toggleDefaults.oversight_tracking ?? toggles.oversight_tracking),
+                data_governance_tracking: Boolean(toggleDefaults.data_governance_tracking ?? toggles.data_governance_tracking),
+                lifecycle_tracking: Boolean(toggleDefaults.lifecycle_tracking ?? toggles.lifecycle_tracking),
+            };
+        }
+        config.onboarding = {
+            enabled: onboardingEnabled,
+            required_in_production: requiredInProd,
+            status: 'draft',
+            standards,
+            artifacts: {
+                production_logs_path: logsPath,
+                schema_contract_path: schemaPath,
+                dataset_sample_path: datasetSamplePath,
+                baseline_reports_dir: baselineReportsDir,
+            },
+            validation: {
+                min_log_records: 100,
+                required_field_presence_threshold: 0.95,
+                type_conformance_threshold: 0.90,
+            },
+            completion: {
+                completed_at: null,
+                completed_by: null,
+                last_validated_at: null,
+            },
+        };
+        config.model_spec = (0, onboarding_1.buildModelSpec)({
+            schemaRef: schemaPath,
+            roles,
+        });
+        config.enrichments = {
+            profile: 'recommended',
+            bundles,
+            toggles,
+        };
+        const enrichmentPlan = (0, onboarding_1.resolveEnrichmentPlan)(config, { apply: true });
+        const ext = path.extname(configPath).toLowerCase();
+        const raw = ext === '.json'
+            ? JSON.stringify(config, null, 2)
+            : yaml.dump(config, { sortKeys: false });
+        fs.writeFileSync(configPath, raw, 'utf-8');
+        const configDir = path.dirname(path.resolve(configPath));
+        const schemaAbs = path.resolve(configDir, schemaPath);
+        fs.mkdirSync(path.dirname(schemaAbs), { recursive: true });
+        if (!fs.existsSync(schemaAbs)) {
+            const schemaTemplate = {
+                schema: {
+                    type: 'object',
+                    properties: {
+                        body: {
+                            type: 'object',
+                            properties: {
+                                prompt: { type: 'string' },
+                                response: { type: 'string' },
+                            },
+                        },
+                    },
+                },
+                roles,
+            };
+            fs.writeFileSync(schemaAbs, JSON.stringify(schemaTemplate, null, 2), 'utf-8');
+        }
+        try {
+            const state = (0, runtime_1.getState)();
+            if (state && typeof state.emitInternal === 'function') {
+                state.emitInternal({
+                    event_type: 'onboarding_started',
+                    body: {
+                        config_path: configPath,
+                        standards,
+                        schema_contract_path: schemaPath,
+                        bundles,
+                    },
+                    purpose: 'governance',
+                });
+            }
+        }
+        catch {
+            // no-op
+        }
+        console.log(`Onboarding config initialized in ${configPath}`);
+        console.log(`Schema contract template: ${schemaAbs}`);
+        if (Array.isArray(enrichmentPlan.unapplied_settings) && enrichmentPlan.unapplied_settings.length > 0) {
+            console.log(`Warning: unresolved enrichment settings: ${enrichmentPlan.unapplied_settings.length}`);
+        }
+        return;
+    }
+    if (subcommand === 'validate') {
+        const configPath = getFlagValue(subArgs, '--config') || 'monora.yml';
+        const inputPathOverride = getFlagValue(subArgs, '--input');
+        const outputPath = getFlagValue(subArgs, '--output');
+        const pretty = hasFlag(subArgs, '--pretty');
+        const result = (0, onboarding_1.validateOnboarding)({
+            configPath,
+            inputPathOverride: inputPathOverride || undefined,
+            persist: true,
+        });
+        const output = JSON.stringify(result, null, pretty ? 2 : undefined);
+        if (outputPath) {
+            fs.writeFileSync(outputPath, output, 'utf-8');
+        }
+        else {
+            console.log(output);
+        }
+        if (result.status !== 'validated') {
+            process.exit(1);
+        }
+        return;
+    }
+    if (subcommand === 'complete') {
+        const configPath = getFlagValue(subArgs, '--config') || 'monora.yml';
+        const completedBy = getFlagValue(subArgs, '--completed-by');
+        const outputPath = getFlagValue(subArgs, '--output');
+        const pretty = hasFlag(subArgs, '--pretty');
+        const result = (0, onboarding_1.completeOnboarding)({
+            configPath,
+            completedBy: completedBy || undefined,
+        });
+        const output = JSON.stringify(result, null, pretty ? 2 : undefined);
+        if (outputPath) {
+            fs.writeFileSync(outputPath, output, 'utf-8');
+        }
+        else {
+            console.log(output);
+        }
+        if (result.status !== 'completed') {
+            process.exit(1);
+        }
+        return;
+    }
+    if (subcommand === 'status') {
+        const configPath = getFlagValue(subArgs, '--config') || 'monora.yml';
+        const pretty = hasFlag(subArgs, '--pretty');
+        const result = (0, onboarding_1.getOnboardingStatus)({ configPath });
+        console.log(JSON.stringify(result, null, pretty ? 2 : undefined));
+        return;
+    }
+    console.error(`Unknown onboard subcommand: ${subcommand}`);
+    process.exit(1);
+}
 const RETRY_QUEUE_STATS_FILENAME = '.monora_retry_queue_stats.json';
 function resolveRetryQueuePaths(config, overridePath) {
     const warnings = [];
@@ -1674,6 +2839,284 @@ async function runRetryQueue(args) {
         process.exit(1);
     }
 }
+async function runProductionCheck(args) {
+    const configPath = getFlagValue(args, '--config') || 'monora.yml';
+    const jsonOutput = hasFlag(args, '--json');
+    const showFix = hasFlag(args, '--fix');
+    // Detect environment
+    const envDetection = (0, config_1.detectEnvironment)();
+    const suggestedPreset = (0, config_1.suggestPreset)();
+    // Load config
+    let config;
+    try {
+        config = (0, config_1.loadConfig)({ configPath });
+    }
+    catch {
+        config = (0, config_1.loadConfig)({});
+    }
+    const checks = [];
+    // Check 1: Signing enabled
+    const signingEnabled = config.signing?.enabled === true;
+    checks.push({
+        name: 'signing_enabled',
+        passed: signingEnabled,
+        message: signingEnabled
+            ? 'Event signing is enabled'
+            : 'Event signing is disabled - events cannot be verified for authenticity',
+        fix: signingEnabled ? undefined : 'Set signing.enabled: true and configure signing.key_env or signing.key_file',
+    });
+    // Check 2: WAL enabled
+    const walEnabled = config.wal?.enabled === true;
+    checks.push({
+        name: 'wal_enabled',
+        passed: walEnabled,
+        message: walEnabled
+            ? 'Write-ahead log is enabled for crash resilience'
+            : 'Write-ahead log is disabled - events may be lost on crash',
+        fix: walEnabled ? undefined : 'Set wal.enabled: true',
+    });
+    // Check 3: Hash chain verification
+    const verifyOnShutdown = config.immutability?.verify_on_shutdown === true;
+    const verifyOnEmit = config.immutability?.verify_on_emit === true;
+    const hasVerification = verifyOnShutdown || verifyOnEmit;
+    checks.push({
+        name: 'hash_verification',
+        passed: hasVerification,
+        message: hasVerification
+            ? `Hash chain verification enabled (on_emit: ${verifyOnEmit}, on_shutdown: ${verifyOnShutdown})`
+            : 'Hash chain verification is disabled - tampering may go undetected',
+        fix: hasVerification ? undefined : 'Set immutability.verify_on_shutdown: true',
+    });
+    // Check 4: No stdout sink in production
+    const sinks = config.sinks || [];
+    const hasStdoutSink = sinks.some((s) => s.type === 'stdout');
+    const stdoutOk = envDetection.environment !== 'production' || !hasStdoutSink;
+    checks.push({
+        name: 'no_stdout_in_production',
+        passed: stdoutOk,
+        message: stdoutOk
+            ? hasStdoutSink
+                ? 'Stdout sink is acceptable in non-production environment'
+                : 'No stdout sink configured'
+            : 'Stdout sink detected in production - events may be lost',
+        fix: stdoutOk ? undefined : 'Replace stdout sink with file or https sink for production',
+    });
+    // Check 5: Has persistent sink
+    const hasPersistentSink = sinks.some((s) => s.type === 'file' || s.type === 'https');
+    checks.push({
+        name: 'persistent_sink',
+        passed: hasPersistentSink,
+        message: hasPersistentSink
+            ? 'Persistent sink (file or https) is configured'
+            : 'No persistent sink configured - events will not be stored',
+        fix: hasPersistentSink ? undefined : 'Add a file or https sink to persist events',
+    });
+    // Check 6: Environment explicitly set
+    const envExplicit = config.defaults?.environment && config.defaults.environment !== 'dev';
+    checks.push({
+        name: 'environment_set',
+        passed: !!envExplicit,
+        message: envExplicit
+            ? `Environment explicitly set to: ${config.defaults?.environment}`
+            : 'Environment defaults to "dev" - consider setting explicitly',
+        fix: envExplicit ? undefined : 'Set defaults.environment to your target environment',
+    });
+    // Check 7: Service name set
+    const hasServiceName = !!config.defaults?.service_name;
+    checks.push({
+        name: 'service_name_set',
+        passed: hasServiceName,
+        message: hasServiceName
+            ? `Service name set: ${config.defaults?.service_name}`
+            : 'Service name not set - events will be harder to identify',
+        fix: hasServiceName ? undefined : 'Set defaults.service_name to identify your service',
+    });
+    // Build result
+    const passedCount = checks.filter((c) => c.passed).length;
+    const result = {
+        passed: passedCount === checks.length,
+        environment: {
+            detected: envDetection.environment,
+            source: envDetection.source,
+            confidence: envDetection.confidence,
+            suggested_preset: suggestedPreset,
+        },
+        checks,
+        summary: {
+            total: checks.length,
+            passed: passedCount,
+            failed: checks.length - passedCount,
+        },
+    };
+    if (jsonOutput) {
+        console.log(JSON.stringify(result, null, 2));
+    }
+    else {
+        console.log('\n=== Monora Production Readiness Check ===\n');
+        console.log('Environment Detection:');
+        console.log(`  Detected: ${result.environment.detected}`);
+        console.log(`  Source: ${result.environment.source}`);
+        console.log(`  Confidence: ${result.environment.confidence}`);
+        console.log(`  Suggested preset: ${result.environment.suggested_preset}`);
+        console.log('');
+        console.log('Checks:');
+        for (const check of checks) {
+            const status = check.passed ? '✓' : '✗';
+            const color = check.passed ? '\x1b[32m' : '\x1b[31m';
+            const reset = '\x1b[0m';
+            console.log(`  ${color}${status}${reset} ${check.name}: ${check.message}`);
+            if (!check.passed && showFix && check.fix) {
+                console.log(`    → Fix: ${check.fix}`);
+            }
+        }
+        console.log('');
+        console.log('Summary:');
+        console.log(`  Total: ${result.summary.total}`);
+        console.log(`  Passed: ${result.summary.passed}`);
+        console.log(`  Failed: ${result.summary.failed}`);
+        console.log('');
+        if (result.passed) {
+            console.log('\x1b[32m✓ All production readiness checks passed!\x1b[0m');
+        }
+        else {
+            console.log('\x1b[33m⚠ Some checks failed. Run with --fix to see remediation steps.\x1b[0m');
+        }
+    }
+    if (!result.passed) {
+        process.exit(1);
+    }
+}
+async function runDetectEnv(args) {
+    const jsonOutput = hasFlag(args, '--json');
+    const detection = (0, config_1.detectEnvironment)();
+    const suggested = (0, config_1.suggestPreset)();
+    if (jsonOutput) {
+        console.log(JSON.stringify({
+            ...detection,
+            suggested_preset: suggested,
+        }, null, 2));
+    }
+    else {
+        console.log(`Environment: ${detection.environment}`);
+        console.log(`Source: ${detection.source}`);
+        console.log(`Confidence: ${detection.confidence}`);
+        console.log(`Suggested preset: ${suggested}`);
+        if (Object.keys(detection.context || {}).length > 0) {
+            console.log('Context:');
+            for (const [key, value] of Object.entries(detection.context || {})) {
+                console.log(`  ${key}: ${value}`);
+            }
+        }
+    }
+}
+function diffConfigs(from, to, prefix = '') {
+    const diffs = [];
+    const allKeys = new Set([...Object.keys(from), ...Object.keys(to)]);
+    for (const key of allKeys) {
+        const path = prefix ? `${prefix}.${key}` : key;
+        const fromVal = from[key];
+        const toVal = to[key];
+        if (fromVal === undefined && toVal !== undefined) {
+            diffs.push({ path, from: undefined, to: toVal, action: 'add' });
+        }
+        else if (fromVal !== undefined && toVal === undefined) {
+            diffs.push({ path, from: fromVal, to: undefined, action: 'remove' });
+        }
+        else if (typeof fromVal === 'object' && typeof toVal === 'object' && fromVal !== null && toVal !== null && !Array.isArray(fromVal) && !Array.isArray(toVal)) {
+            diffs.push(...diffConfigs(fromVal, toVal, path));
+        }
+        else if (JSON.stringify(fromVal) !== JSON.stringify(toVal)) {
+            diffs.push({ path, from: fromVal, to: toVal, action: 'change' });
+        }
+    }
+    return diffs;
+}
+const VALID_PRESETS = [
+    'minimal', 'dev', 'development', 'production', 'compliance', 'poc',
+    'strict_enterprise', 'default_secure', 'experimental', 'audit_first', 'low_latency'
+];
+async function runUpgradePreset(args) {
+    const fromPreset = getFlagValue(args, '--from');
+    const toPreset = getFlagValue(args, '--to');
+    const outputPath = getFlagValue(args, '--output');
+    const jsonOutput = hasFlag(args, '--json');
+    if (!fromPreset || !toPreset) {
+        console.error('Error: --from and --to presets are required');
+        console.error('Usage: monora upgrade-preset --from <preset> --to <preset>');
+        console.error(`Valid presets: ${VALID_PRESETS.join(', ')}`);
+        process.exit(1);
+    }
+    if (!VALID_PRESETS.includes(fromPreset)) {
+        console.error(`Error: Invalid --from preset '${fromPreset}'`);
+        console.error(`Valid presets: ${VALID_PRESETS.join(', ')}`);
+        process.exit(1);
+    }
+    if (!VALID_PRESETS.includes(toPreset)) {
+        console.error(`Error: Invalid --to preset '${toPreset}'`);
+        console.error(`Valid presets: ${VALID_PRESETS.join(', ')}`);
+        process.exit(1);
+    }
+    const fromConfig = (0, config_1.getPresetConfig)(fromPreset);
+    const toConfig = (0, config_1.getPresetConfig)(toPreset);
+    const diffs = diffConfigs(fromConfig, toConfig);
+    const result = {
+        from_preset: fromPreset,
+        to_preset: toPreset,
+        changes: diffs.map(d => ({
+            path: d.path,
+            action: d.action,
+            from: d.from,
+            to: d.to,
+        })),
+        summary: {
+            total: diffs.length,
+            added: diffs.filter(d => d.action === 'add').length,
+            removed: diffs.filter(d => d.action === 'remove').length,
+            changed: diffs.filter(d => d.action === 'change').length,
+        },
+    };
+    if (jsonOutput) {
+        console.log(JSON.stringify(result, null, 2));
+    }
+    else {
+        console.log(`\n=== Upgrade from '${fromPreset}' to '${toPreset}' ===\n`);
+        if (diffs.length === 0) {
+            console.log('No configuration changes required.');
+        }
+        else {
+            console.log('Configuration changes:\n');
+            for (const diff of diffs) {
+                const actionColor = diff.action === 'add' ? '\x1b[32m+' : diff.action === 'remove' ? '\x1b[31m-' : '\x1b[33m~';
+                const reset = '\x1b[0m';
+                console.log(`${actionColor} ${diff.path}${reset}`);
+                if (diff.action === 'change') {
+                    console.log(`    from: ${JSON.stringify(diff.from)}`);
+                    console.log(`    to:   ${JSON.stringify(diff.to)}`);
+                }
+                else if (diff.action === 'add') {
+                    console.log(`    value: ${JSON.stringify(diff.to)}`);
+                }
+                else if (diff.action === 'remove') {
+                    console.log(`    was: ${JSON.stringify(diff.from)}`);
+                }
+            }
+            console.log(`\nSummary: ${result.summary.total} changes`);
+            console.log(`  Added: ${result.summary.added}`);
+            console.log(`  Removed: ${result.summary.removed}`);
+            console.log(`  Changed: ${result.summary.changed}`);
+        }
+        if (outputPath) {
+            const ext = path.extname(outputPath).toLowerCase();
+            const content = ext === '.json' ? JSON.stringify(toConfig, null, 2) : yaml.dump(toConfig);
+            fs.writeFileSync(outputPath, content, 'utf-8');
+            console.log(`\nWrote '${toPreset}' preset configuration to: ${outputPath}`);
+        }
+        else {
+            console.log('\nTo apply this preset, run:');
+            console.log(`  monora upgrade-preset --from ${fromPreset} --to ${toPreset} --output monora.yml`);
+        }
+    }
+}
 async function main() {
     const parsed = parseArgs(process.argv);
     if (!parsed.command || parsed.command === '--help' || parsed.command === '-h') {
@@ -1688,6 +3131,15 @@ async function main() {
         await runDoctor(parsed.args);
         return;
     }
+    if (parsed.command === 'config') {
+        const subcommand = parsed.args[0];
+        if (subcommand === 'fix') {
+            await runConfigFix(parsed.args.slice(1));
+            return;
+        }
+        usage();
+        process.exit(1);
+    }
     if (parsed.command === 'init') {
         const options = parseInitOptions(parsed.args);
         if (fs.existsSync(options.path) && !options.force && !options.yes) {
@@ -1699,7 +3151,12 @@ async function main() {
                 process.exit(1);
             }
         }
-        await runInitWizard(options.path, options.format, options.yes, options.force);
+        await runInitWizard(options.path, options.format, options.yes, options.force, options.advanced, options.preset);
+        return;
+    }
+    // New 'start' command for zero-code instrumentation
+    if (parsed.command === 'start') {
+        await runStart(parsed.args);
         return;
     }
     if (parsed.command === 'report') {
@@ -1718,6 +3175,10 @@ async function main() {
         await runTrustPackage(parseTrustPackageOptions(parsed.args));
         return;
     }
+    if (parsed.command === 'aims') {
+        await runAims(parsed.args);
+        return;
+    }
     if (parsed.command === 'ai-act-report') {
         await runAIActReport(parseAIActReportOptions(parsed.args));
         return;
@@ -1758,6 +3219,30 @@ async function main() {
         await runStandardsCheck(parsed.args);
         return;
     }
+    if (parsed.command === 'onboard') {
+        await runOnboard(parsed.args);
+        return;
+    }
+    if (parsed.command === 'schema') {
+        await runSchema(parsed.args);
+        return;
+    }
+    if (parsed.command === 'model') {
+        await runModel(parsed.args);
+        return;
+    }
+    if (parsed.command === 'production-check') {
+        await runProductionCheck(parsed.args);
+        return;
+    }
+    if (parsed.command === 'detect-env') {
+        await runDetectEnv(parsed.args);
+        return;
+    }
+    if (parsed.command === 'upgrade-preset') {
+        await runUpgradePreset(parsed.args);
+        return;
+    }
     usage();
 }
 main().catch((err) => {