paqad-ai 0.1.2 → 0.1.3

package/dist/cli/index.js

@@ -96,7 +96,12 @@ var PATHS = {
   CLAUDE_MD: "CLAUDE.md",
   AGENTS_MD: "AGENTS.md",
   GEMINI_MD: "GEMINI.md",
-  SCRIPTS_DIR: "scripts"
+  SCRIPTS_DIR: "scripts",
+  HOOKS_DIR: ".paqad/hooks",
+  LOGS_DIR: ".paqad/logs",
+  LOCKS_DIR: ".paqad/locks",
+  AUTO_UPDATE_LOG: ".paqad/logs/auto-update.log",
+  HOOKS_SILENT_UPDATE: ".paqad/hooks/silent-update.sh"
 };
 var REGISTRIES = [
   "module-registry.md",
@@ -4137,8 +4142,10 @@ function writeFrameworkMetadata(projectRoot, version) {
   mkdirSync2(dirname11(join21(projectRoot, PATHS.FRAMEWORK_VERSION)), {
     recursive: true
   });
-  writeFileSync2(join21(projectRoot, PATHS.FRAMEWORK_VERSION), `${version}
-`);
+  const content = `version=${version}
+updated_at=${(/* @__PURE__ */ new Date()).toISOString()}
+`;
+  writeFileSync2(join21(projectRoot, PATHS.FRAMEWORK_VERSION), content);
   writeFileSync2(join21(projectRoot, PATHS.FRAMEWORK_PATH), `${resolveFrameworkInstallPath()}
 `);
 }
@@ -5518,6 +5525,10 @@ function writeGeneratedFiles(projectRoot, files) {
   return { written, skipped };
 }
 
+// src/onboarding/orchestrator.ts
+import { readFileSync as readFileSync12 } from "fs";
+import { join as join33 } from "path";
+
 // src/resolver/resolver.ts
 import fg2 from "fast-glob";
 import { basename as basename3, extname, relative as relative3 } from "pathe";
@@ -6393,6 +6404,17 @@ var OnboardingOrchestrator = class {
         stack_profile: selections.stack_profile
       })
     );
+    const silentUpdateSrc = join33(runtimeRoot, "..", "hooks", "silent-update.sh");
+    try {
+      const hookContent = readFileSync12(silentUpdateSrc, "utf8");
+      generatedFiles.push({
+        path: PATHS.HOOKS_SILENT_UPDATE,
+        content: hookContent,
+        autoUpdate: true,
+        executable: true
+      });
+    } catch {
+    }
     const writeResult = writeGeneratedFiles(options.projectRoot, generatedFiles);
     const drift = await writeStackArtifacts(
       options.projectRoot,
@@ -6403,6 +6425,7 @@ var OnboardingOrchestrator = class {
     writeProjectProfile2(options.projectRoot, profile);
     writeGitignore(options.projectRoot);
     writeDetectionReport(options.projectRoot, detection);
+    writeFrameworkMetadata(options.projectRoot, VERSION);
     bootstrapFramework(options.projectRoot);
     const manifestPath = writeOnboardingManifest(options.projectRoot, {
       framework_version: VERSION,
@@ -6676,7 +6699,7 @@ function buildRustCommands(usingCompose) {
 }
 
 // src/onboarding/scaffold-generator.ts
-import { join as join33 } from "path";
+import { join as join34 } from "path";
 
 // src/templates/registry.ts
 import fg4 from "fast-glob";
@@ -6684,8 +6707,8 @@ import { basename as basename4, relative as relative5 } from "pathe";
 
 // src/onboarding/scaffold-generator.ts
 var FEATURE_TEMPLATE_TARGETS = [
-  ["business.md.hbs", join33(PATHS.MODULE_FEATURES_DIR, "core", "business.md")],
-  ["technical.md.hbs", join33(PATHS.MODULE_FEATURES_DIR, "core", "technical.md")]
+  ["business.md.hbs", join34(PATHS.MODULE_FEATURES_DIR, "core", "business.md")],
+  ["technical.md.hbs", join34(PATHS.MODULE_FEATURES_DIR, "core", "technical.md")]
 ];
 
 // src/packs/manager.ts
@@ -6699,14 +6722,14 @@ import {
   writeFileSync as writeFileSync5
 } from "fs";
 import { homedir as homedir2 } from "os";
-import { join as join34, resolve as resolve2 } from "path";
+import { join as join35, resolve as resolve2 } from "path";
 import { execa } from "execa";
 var SOURCE_ORDER2 = ["built-in", "global", "project"];
 function resolvePackManagerRoots(projectRoot = process.cwd(), overrides = {}) {
   return {
     runtimeRoot: overrides.runtimeRoot ?? getRuntimeRoot(),
-    globalPacksRoot: overrides.globalPacksRoot ?? process.env.PAQAD_GLOBAL_PACKS_ROOT ?? join34(homedir2(), ".paqad", "packs"),
-    projectPacksRoot: overrides.projectPacksRoot ?? join34(projectRoot, ".paqad", "packs"),
+    globalPacksRoot: overrides.globalPacksRoot ?? process.env.PAQAD_GLOBAL_PACKS_ROOT ?? join35(homedir2(), ".paqad", "packs"),
+    projectPacksRoot: overrides.projectPacksRoot ?? join35(projectRoot, ".paqad", "packs"),
     registryUrl: overrides.registryUrl ?? process.env.PAQAD_PACK_REGISTRY_URL
   };
 }
@@ -6754,7 +6777,7 @@ async function installPack(source, options = {}) {
   if (!pack.validation.valid) {
     throw new Error(formatValidationIssues(pack.validation.issues));
   }
-  const destination = join34(installRoot, pack.manifest.name);
+  const destination = join35(installRoot, pack.manifest.name);
   rmSync2(destination, { recursive: true, force: true });
   cpSync(candidateRoot, destination, { recursive: true });
   const installed = loader.validatePack(destination, scope === "project" ? "project" : "global");
@@ -6766,12 +6789,12 @@ async function installPack(source, options = {}) {
 function removePack(name, projectRoot = process.cwd(), scope = "global", overrides = {}) {
   const roots = resolvePackManagerRoots(projectRoot, overrides);
   const targetRoot = scope === "project" ? roots.projectPacksRoot : roots.globalPacksRoot;
-  const target = join34(targetRoot, name);
+  const target = join35(targetRoot, name);
   if (existsSync15(target)) {
     rmSync2(target, { recursive: true, force: true });
     return;
   }
-  const builtInRoot = join34(roots.runtimeRoot, "capabilities", "coding", "stacks", name);
+  const builtInRoot = join35(roots.runtimeRoot, "capabilities", "coding", "stacks", name);
   if (existsSync15(builtInRoot)) {
     throw new Error(
       `Cannot remove built-in pack "${name}"; remove a global or project override instead`
@@ -6789,14 +6812,14 @@ function validatePackAt(path) {
 function createPack(name, options = {}) {
   const destinationRoot = options.destinationRoot ?? process.cwd();
   const ecosystem = options.ecosystem ?? "node";
-  const packRoot = join34(destinationRoot, name);
+  const packRoot = join35(destinationRoot, name);
   if (existsSync15(packRoot)) {
     throw new Error(`Pack scaffold already exists at ${packRoot}`);
   }
-  mkdirSync5(join34(packRoot, "rules"), { recursive: true });
-  writeFileSync5(join34(packRoot, "pack.yaml"), renderPackTemplate(name, ecosystem));
+  mkdirSync5(join35(packRoot, "rules"), { recursive: true });
+  writeFileSync5(join35(packRoot, "pack.yaml"), renderPackTemplate(name, ecosystem));
   writeFileSync5(
-    join34(packRoot, "rules", "conventions.md"),
+    join35(packRoot, "rules", "conventions.md"),
     `# ${name}
 
 Document project-specific conventions for the ${name} stack here.
@@ -6813,7 +6836,7 @@ function listPackNamesForSource(source, roots) {
 }
 function resolveSourceRoot(source, roots) {
   if (source === "built-in") {
-    return join34(roots.runtimeRoot, "capabilities", "coding", "stacks");
+    return join35(roots.runtimeRoot, "capabilities", "coding", "stacks");
   }
   return source === "global" ? roots.globalPacksRoot : roots.projectPacksRoot;
 }
@@ -6839,7 +6862,7 @@ function looksLikeGitUrl(source) {
   return source.startsWith("http://") || source.startsWith("https://") || source.startsWith("ssh://") || source.startsWith("git@") || source.startsWith("file://") || source.endsWith(".git");
 }
 async function clonePackSource(source) {
-  const tempRoot = mkdtempSync(join34(homedir2(), ".paqad-pack-clone-"));
+  const tempRoot = mkdtempSync(join35(homedir2(), ".paqad-pack-clone-"));
   try {
     await execa("git", ["clone", "--depth", "1", source, tempRoot]);
   } catch (error) {
@@ -6849,11 +6872,11 @@ async function clonePackSource(source) {
   return findPackRoot(tempRoot);
 }
 function findPackRoot(root) {
-  const rootManifest = join34(root, "pack.yaml");
+  const rootManifest = join35(root, "pack.yaml");
   if (existsSync15(rootManifest)) {
     return root;
   }
-  const candidates = readdirSync3(root, { withFileTypes: true }).filter((entry) => entry.isDirectory()).map((entry) => join34(root, entry.name)).filter((candidate) => existsSync15(join34(candidate, "pack.yaml")));
+  const candidates = readdirSync3(root, { withFileTypes: true }).filter((entry) => entry.isDirectory()).map((entry) => join35(root, entry.name)).filter((candidate) => existsSync15(join35(candidate, "pack.yaml")));
   if (candidates.length === 1) {
     return candidates[0];
   }
@@ -6954,13 +6977,13 @@ async function queryOsv(packages) {
 // src/pentest/progress-tracker.ts
 import { existsSync as existsSync17 } from "fs";
 import { mkdir as mkdir12, readdir as readdir4, readFile as readFile16, writeFile as writeFile12 } from "fs/promises";
-import { dirname as dirname17, join as join36 } from "path";
+import { dirname as dirname17, join as join37 } from "path";
 
 // src/pentest/shared.ts
 import { createHash as createHash7 } from "crypto";
 import { existsSync as existsSync16 } from "fs";
 import { mkdir as mkdir11, readFile as readFile15, readdir as readdir3, writeFile as writeFile11 } from "fs/promises";
-import { basename as basename5, dirname as dirname16, join as join35, relative as relative6 } from "path";
+import { basename as basename5, dirname as dirname16, join as join36, relative as relative6 } from "path";
 import { execa as execa2 } from "execa";
 import fg5 from "fast-glob";
 function toLocalTimestamp(date) {
@@ -7024,7 +7047,7 @@ async function discoverTargetUrl(projectRoot, stack, explicit) {
   }
   const envFiles = [".env", ".env.local", ".env.example"];
   for (const envFile of envFiles) {
-    const path = join35(projectRoot, envFile);
+    const path = join36(projectRoot, envFile);
     if (!existsSync16(path)) {
       continue;
     }
@@ -7046,9 +7069,9 @@ async function discoverTargetUrl(projectRoot, stack, explicit) {
   return null;
 }
 async function runProjectScript(projectRoot, scriptName, env, logDir) {
-  const scriptPath = join35(projectRoot, PATHS.SCRIPTS_DIR, scriptName);
-  const stdoutPath = join35(logDir, `${scriptName}.stdout.log`);
-  const stderrPath = join35(logDir, `${scriptName}.stderr.log`);
+  const scriptPath = join36(projectRoot, PATHS.SCRIPTS_DIR, scriptName);
+  const stdoutPath = join36(logDir, `${scriptName}.stdout.log`);
+  const stderrPath = join36(logDir, `${scriptName}.stderr.log`);
   await mkdir11(logDir, { recursive: true });
   if (!existsSync16(scriptPath)) {
     await writeFile11(stdoutPath, "");
@@ -7078,7 +7101,7 @@ async function runProjectScript(projectRoot, scriptName, env, logDir) {
   };
 }
 async function loadModuleDocs(projectRoot, focusModules = []) {
-  const moduleRoot = join35(projectRoot, PATHS.MODULES_DIR);
+  const moduleRoot = join36(projectRoot, PATHS.MODULES_DIR);
   if (!existsSync16(moduleRoot)) {
     return [];
   }
@@ -7147,7 +7170,7 @@ function inferSourceArtifacts(baseDir, scriptResults) {
   return [
     ...new Set(
       artifacts.map(
-        (artifact) => artifact.startsWith(".") ? artifact : relative6(dirname16(baseDir), join35(dirname16(baseDir), artifact))
+        (artifact) => artifact.startsWith(".") ? artifact : relative6(dirname16(baseDir), join36(dirname16(baseDir), artifact))
       )
     )
   ];
@@ -7221,7 +7244,7 @@ var PentestProgressTracker = class {
     };
   }
   async load(projectRoot, runId) {
-    const target = join36(projectRoot, PATHS.PENTEST_RUNS_DIR, runId, "progress.json");
+    const target = join37(projectRoot, PATHS.PENTEST_RUNS_DIR, runId, "progress.json");
     if (!existsSync17(target)) {
       return null;
     }
@@ -7233,7 +7256,7 @@ var PentestProgressTracker = class {
     return parsed;
   }
   async save(projectRoot, progress) {
-    const target = join36(projectRoot, PATHS.PENTEST_RUNS_DIR, progress.run_id, "progress.json");
+    const target = join37(projectRoot, PATHS.PENTEST_RUNS_DIR, progress.run_id, "progress.json");
     progress.updated_at = (/* @__PURE__ */ new Date()).toISOString();
     await mkdir12(dirname17(target), { recursive: true });
     await writeFile12(target, `${JSON.stringify(progress, null, 2)}
@@ -7292,7 +7315,7 @@ var PentestProgressTracker = class {
     return step.status === "completed" && step.input_hash === inputHash;
   }
   async findIncompleteRun(projectRoot, workflow, sourceReportPath) {
-    const runsDir = join36(projectRoot, PATHS.PENTEST_RUNS_DIR);
+    const runsDir = join37(projectRoot, PATHS.PENTEST_RUNS_DIR);
     if (!existsSync17(runsDir)) {
       return null;
     }
@@ -7335,15 +7358,15 @@ var PentestProgressTracker = class {
   }
 };
 function runArtifactsDir(projectRoot, runId) {
-  return join36(projectRoot, PATHS.PENTEST_RUNS_DIR, runId, "artifacts");
+  return join37(projectRoot, PATHS.PENTEST_RUNS_DIR, runId, "artifacts");
 }
 function runLogsDir(projectRoot, runId) {
-  return join36(projectRoot, PATHS.PENTEST_RUNS_DIR, runId, "logs");
+  return join37(projectRoot, PATHS.PENTEST_RUNS_DIR, runId, "logs");
 }
 
 // src/pipeline/lane-runner.ts
 import { mkdir as mkdir16, writeFile as writeFile16 } from "fs/promises";
-import { dirname as dirname20, join as join42 } from "path";
+import { dirname as dirname20, join as join43 } from "path";
 
 // src/pipeline/phases/shared.ts
 function createPassResult(phase, summary, context, artifacts = [`handoff:${context.phases.length + 1}`]) {
@@ -7463,12 +7486,12 @@ var LoadDocsPhase = class {
 
 // src/workflows/pentest.ts
 import { mkdir as mkdir13, writeFile as writeFile13 } from "fs/promises";
-import { join as join39, relative as relative7 } from "path";
+import { join as join40, relative as relative7 } from "path";
 
 // src/pentest/findings.ts
 import { existsSync as existsSync18 } from "fs";
 import { readFile as readFile17 } from "fs/promises";
-import { join as join37 } from "path";
+import { join as join38 } from "path";
 function createFinding(input) {
   return {
     id: "",
@@ -7638,11 +7661,264 @@ function buildModuleFindings(docs, tests) {
         );
       }
     }
+    const authMechanismTests = extractRelevantTestPaths(tests, moduleDoc.module, [
+      "algorithm",
+      "expir",
+      "signature",
+      "refresh",
+      "revok",
+      "logout",
+      "session.invalidat",
+      "alg:none",
+      "jwt"
+    ]);
+    if (hasAtLeast(lowered, 2, [
+      "jwt",
+      "token",
+      "bearer",
+      "session",
+      "cookie",
+      "oauth",
+      "saml",
+      "oidc",
+      "sanctum"
+    ])) {
+      if (authMechanismTests.length === 0) {
+        findings.push(
+          createFinding({
+            title: `Auth token lifecycle checks are thin for ${moduleDoc.module}`,
+            description: "Module docs describe authentication tokens, sessions, or OAuth flows, but the current tests do not show evidence of token expiry, signature validation, session invalidation, or logout handling.",
+            impact: "high",
+            effort: "medium",
+            possible_solution_direction: "Add tests for token expiry enforcement, alg:none rejection, session invalidation on logout, and refresh token rotation for the documented auth flows.",
+            how_to_reproduce: [
+              `Review ${moduleDoc.paths.join(", ")} for token or session handling.`,
+              "Search tests for algorithm, expiry, signature, revocation, and logout coverage for that module."
+            ],
+            impact_area: [...moduleDoc.paths, `module:${moduleDoc.module}`],
+            evidence: [
+              ...moduleDoc.paths.map((path) => `Doc evidence: ${path}`),
+              "No matching auth token lifecycle test evidence found for this module."
+            ],
+            category: "auth-mechanism",
+            status: "open",
+            confidence: 0.71,
+            source_types: ["docs", "tests"],
+            affected_modules: [moduleDoc.module],
+            affected_packages: [],
+            runtime_required: false,
+            manual_follow_up: true
+          })
+        );
+      }
+    }
+    const ssrfTests = extractRelevantTestPaths(tests, moduleDoc.module, [
+      "ssrf",
+      "redirect",
+      "allowlist",
+      "block",
+      "internal",
+      "private",
+      "localhost",
+      "metadata"
+    ]);
+    if (hasAtLeast(lowered, 2, [
+      "url",
+      "redirect",
+      "callback",
+      "webhook",
+      "fetch",
+      "http",
+      "proxy",
+      "curl",
+      "axios"
+    ])) {
+      if (ssrfTests.length === 0) {
+        findings.push(
+          createFinding({
+            title: `Outbound request / redirect surface lacks abuse validation for ${moduleDoc.module}`,
+            description: "Module docs describe outbound HTTP calls, URL parameters, webhooks, or redirect flows, but the current tests do not show evidence of SSRF prevention, redirect allowlist validation, or private-range blocking.",
+            impact: "high",
+            effort: "medium",
+            possible_solution_direction: "Add tests that verify SSRF prevention (blocked private ranges, redirect chain validation) and open-redirect protection for the documented outbound request surfaces.",
+            how_to_reproduce: [
+              `Review ${moduleDoc.paths.join(", ")} for URL, redirect, or webhook parameter handling.`,
+              "Test with SSRF payloads: 127.0.0.1, 169.254.169.254, [::1], redirect chain to internal IP."
+            ],
+            impact_area: [...moduleDoc.paths, `module:${moduleDoc.module}`],
+            evidence: [
+              ...moduleDoc.paths.map((path) => `Doc evidence: ${path}`),
+              "No matching SSRF or redirect validation test evidence found for this module."
+            ],
+            category: "input-validation",
+            status: "open",
+            confidence: 0.7,
+            source_types: ["docs", "tests"],
+            affected_modules: [moduleDoc.module],
+            affected_packages: [],
+            runtime_required: false,
+            manual_follow_up: true
+          })
+        );
+      }
+    }
+    const massAssignTests = extractRelevantTestPaths(tests, moduleDoc.module, [
+      "mass",
+      "assign",
+      "fillable",
+      "guarded",
+      "allowlist",
+      "forbidden",
+      "attr_protected",
+      "protected"
+    ]);
+    if (hasAtLeast(lowered, 2, [
+      "fill",
+      "create",
+      "update",
+      "patch",
+      "assign",
+      "body",
+      "request",
+      "fillable",
+      "guarded"
+    ])) {
+      if (massAssignTests.length === 0) {
+        findings.push(
+          createFinding({
+            title: `Mass assignment protection evidence is absent for ${moduleDoc.module}`,
+            description: "Module docs describe model creation or update flows accepting request body fields, but the current tests do not show evidence of mass assignment protection (fillable allowlist, guarded fields, or forbidden-field rejection).",
+            impact: "medium",
+            effort: "low",
+            possible_solution_direction: "Verify the model uses an explicit $fillable allowlist or $guarded blocklist. Add tests that confirm unintended fields (is_admin, role, price, balance) are rejected when submitted in the request body.",
+            how_to_reproduce: [
+              `Review ${moduleDoc.paths.join(", ")} for model create/update operations.`,
+              "Submit a PATCH/POST request with extra privileged fields: is_admin=true, role=admin, price=0."
+            ],
+            impact_area: [...moduleDoc.paths, `module:${moduleDoc.module}`],
+            evidence: [
+              ...moduleDoc.paths.map((path) => `Doc evidence: ${path}`),
+              "No matching mass assignment protection test evidence found for this module."
+            ],
+            category: "input-validation",
+            status: "open",
+            confidence: 0.68,
+            source_types: ["docs", "tests"],
+            affected_modules: [moduleDoc.module],
+            affected_packages: [],
+            runtime_required: false,
+            manual_follow_up: false
+          })
+        );
+      }
+    }
+    const cryptoTests = extractRelevantTestPaths(tests, moduleDoc.module, [
+      "crypto",
+      "encrypt",
+      "hash.strength",
+      "key.rotation",
+      "salt",
+      "entropy",
+      "randomBytes",
+      "bcrypt",
+      "argon"
+    ]);
+    if (hasAtLeast(lowered, 2, [
+      "encrypt",
+      "decrypt",
+      "hash",
+      "md5",
+      "sha1",
+      "secret",
+      "key",
+      "cipher",
+      "aes",
+      "rsa",
+      "hmac"
+    ])) {
+      if (cryptoTests.length === 0) {
+        findings.push(
+          createFinding({
+            title: `Cryptographic implementation lacks verification coverage for ${moduleDoc.module}`,
+            description: "Module docs describe encryption, hashing, or key management, but the current tests do not show evidence of cryptographic strength validation (algorithm checks, key rotation, salt uniqueness, or secure PRNG usage).",
+            impact: "high",
+            effort: "medium",
+            possible_solution_direction: "Add tests that verify password hashing uses bcrypt/argon2 with a sufficient cost factor, encryption uses a secure algorithm with a randomly generated IV, and tokens are generated with a cryptographically secure PRNG.",
+            how_to_reproduce: [
+              `Review ${moduleDoc.paths.join(", ")} for cryptographic operations.`,
+              "Check for MD5/SHA1 password hashing, hardcoded IVs, or Math.random() for token generation."
+            ],
+            impact_area: [...moduleDoc.paths, `module:${moduleDoc.module}`],
+            evidence: [
+              ...moduleDoc.paths.map((path) => `Doc evidence: ${path}`),
+              "No matching cryptographic strength or key management test evidence found for this module."
+            ],
+            category: "cryptographic",
+            status: "open",
+            confidence: 0.67,
+            source_types: ["docs", "tests"],
+            affected_modules: [moduleDoc.module],
+            affected_packages: [],
+            runtime_required: false,
+            manual_follow_up: true
+          })
+        );
+      }
+    }
+    const loggingTests = extractRelevantTestPaths(tests, moduleDoc.module, [
+      "audit",
+      "log.assert",
+      "event.dispatch",
+      "trail",
+      "activity",
+      "log.entry",
+      "logged",
+      "event"
+    ]);
+    if (hasAtLeast(lowered, 2, [
+      "log",
+      "audit",
+      "event",
+      "track",
+      "monitor",
+      "alert",
+      "sentry",
+      "activity"
+    ])) {
+      if (loggingTests.length === 0) {
+        findings.push(
+          createFinding({
+            title: `Security-relevant actions lack audit logging evidence for ${moduleDoc.module}`,
+            description: "Module docs describe operations that should be audited (authentication, financial transactions, admin actions, or data exports), but the current tests do not show evidence of audit log assertions or event dispatch verification.",
+            impact: "medium",
+            effort: "medium",
+            possible_solution_direction: "Add tests that assert audit log entries are written for high-value actions with actor identity, IP, and timestamp. Verify sensitive data (passwords, tokens) is not included in log output.",
+            how_to_reproduce: [
+              `Review ${moduleDoc.paths.join(", ")} for operations that must be auditable.`,
+              "Check logging configuration and assert that log entries are created with sufficient context for forensic analysis."
+            ],
+            impact_area: [...moduleDoc.paths, `module:${moduleDoc.module}`],
+            evidence: [
+              ...moduleDoc.paths.map((path) => `Doc evidence: ${path}`),
+              "No matching audit logging or event dispatch test evidence found for this module."
+            ],
+            category: "logging-monitoring",
+            status: "open",
+            confidence: 0.65,
+            source_types: ["docs", "tests"],
+            affected_modules: [moduleDoc.module],
+            affected_packages: [],
+            runtime_required: false,
+            manual_follow_up: false
+          })
+        );
+      }
+    }
   }
   return findings;
 }
 async function buildSecretFindings(artifactDir) {
-  const path = join37(artifactDir, "secrets", "matches.txt");
+  const path = join38(artifactDir, "secrets", "matches.txt");
   if (!existsSync18(path)) {
     return [];
   }
@@ -7743,6 +8019,9 @@ function evaluateRetestStatus(sourceFinding, currentFindings, runtimeStatus, blo
 function hasAny(content, tokens) {
   return tokens.some((token) => content.includes(token));
 }
+function hasAtLeast(content, count, tokens) {
+  return tokens.filter((token) => content.includes(token)).length >= count;
+}
 function normalizeImpact(content) {
   const lowered = content.toLowerCase();
   if (lowered.includes("critical") || lowered.includes("remote code execution") || lowered.includes("credential") || lowered.includes("auth bypass")) {
@@ -7755,8 +8034,8 @@ function normalizeImpact(content) {
 }
 async function readNativeAuditFindings(artifactDir) {
   const findings = [];
-  const dependencyDir = join37(artifactDir, "dependencies");
-  const npmAudit = await readJsonMaybe(join37(dependencyDir, "npm-audit.json"));
+  const dependencyDir = join38(artifactDir, "dependencies");
+  const npmAudit = await readJsonMaybe(join38(dependencyDir, "npm-audit.json"));
   for (const [name, vulnerability] of Object.entries(npmAudit?.vulnerabilities ?? {})) {
     const via = (vulnerability.via ?? []).find((entry) => typeof entry === "object");
     findings.push({
@@ -7768,7 +8047,7 @@ async function readNativeAuditFindings(artifactDir) {
       details: via?.url ?? ""
     });
   }
-  const pnpmAudit = await readJsonMaybe(join37(dependencyDir, "pnpm-audit.json"));
+  const pnpmAudit = await readJsonMaybe(join38(dependencyDir, "pnpm-audit.json"));
   for (const advisory of Object.values(pnpmAudit?.advisories ?? {})) {
     findings.push({
       package_name: advisory.module_name ?? "unknown",
@@ -7779,7 +8058,7 @@ async function readNativeAuditFindings(artifactDir) {
       details: advisory.overview ?? ""
     });
   }
-  const composerAudit = await readJsonMaybe(join37(dependencyDir, "composer-audit.json"));
+  const composerAudit = await readJsonMaybe(join38(dependencyDir, "composer-audit.json"));
   if (Array.isArray(composerAudit?.advisories)) {
     for (const advisory of composerAudit.advisories) {
       findings.push({
@@ -7828,10 +8107,33 @@ async function readJsonMaybe(path) {
 
 // src/pentest/file-check-mapper.ts
 var GENERIC_SECURITY_MAP = [
-  { glob: "**/auth*", checks: ["permission-boundary-review", "runtime-surface-probing"] },
+  {
+    glob: "**/auth*",
+    checks: ["permission-boundary-review", "runtime-surface-probing", "auth-mechanism-review"]
+  },
   { glob: "**/guard*", checks: ["permission-boundary-review"] },
-  { glob: "**/.env*", checks: ["runtime-surface-probing"] },
-  { glob: "**/config*", checks: ["runtime-surface-probing"] }
+  { glob: "**/.env*", checks: ["runtime-surface-probing", "cryptographic-review"] },
+  { glob: "**/config*", checks: ["runtime-surface-probing"] },
+  // Auth / session files
+  { glob: "**/jwt*", checks: ["auth-mechanism-review"] },
+  { glob: "**/token*", checks: ["auth-mechanism-review"] },
+  { glob: "**/passport*", checks: ["auth-mechanism-review"] },
+  { glob: "**/session*", checks: ["auth-mechanism-review"] },
+  // GraphQL schema and resolvers
+  { glob: "**/*.graphql", checks: ["input-validation-review", "permission-boundary-review"] },
+  { glob: "**/schema.graphql", checks: ["input-validation-review", "permission-boundary-review"] },
+  { glob: "**/resolvers/**", checks: ["input-validation-review", "permission-boundary-review"] },
+  // Logging and audit
+  { glob: "**/log*", checks: ["logging-monitoring-review"] },
+  { glob: "**/audit*", checks: ["logging-monitoring-review"] },
+  { glob: "**/monitor*", checks: ["logging-monitoring-review"] },
+  // Cryptography
+  { glob: "**/*crypt*", checks: ["cryptographic-review"] },
+  { glob: "**/*cipher*", checks: ["cryptographic-review"] },
+  { glob: "**/*hash*", checks: ["cryptographic-review"] },
+  // File uploads and input
+  { glob: "**/upload*", checks: ["input-validation-review"] },
+  { glob: "**/file*", checks: ["input-validation-review"] }
 ];
 var FileCheckMapper = class {
   constructor(frameworks, projectRoot) {
@@ -7892,7 +8194,7 @@ var FileCheckMapper = class {
 
 // src/pentest/incremental-scanner.ts
 import { readFile as readFile18 } from "fs/promises";
-import { join as join38 } from "path";
+import { join as join39 } from "path";
 import { createHash as createHash8 } from "crypto";
 import { execa as execa3 } from "execa";
 var IncrementalScanner = class {
@@ -7926,7 +8228,7 @@ var IncrementalScanner = class {
     }
   }
   async gitDiff(projectRoot, lastRunId) {
-    const progressPath = join38(projectRoot, ".paqad", "pentest", "runs", lastRunId, "progress.json");
+    const progressPath = join39(projectRoot, ".paqad", "pentest", "runs", lastRunId, "progress.json");
     let baseCommit;
     try {
       const raw = await readFile18(progressPath, "utf8");
@@ -7943,7 +8245,7 @@ var IncrementalScanner = class {
     return result.stdout.split("\n").map((f) => f.trim()).filter(Boolean);
   }
   async hashDiff(projectRoot, lastRunId) {
-    const manifestPath = join38(projectRoot, ".paqad", "pentest", "runs", lastRunId, "progress.json");
+    const manifestPath = join39(projectRoot, ".paqad", "pentest", "runs", lastRunId, "progress.json");
     let fileManifest = {};
     try {
       const raw = await readFile18(manifestPath, "utf8");
@@ -7955,7 +8257,7 @@ var IncrementalScanner = class {
     const changed = [];
     for (const [filePath, storedHash] of Object.entries(fileManifest)) {
       try {
-        const content = await readFile18(join38(projectRoot, filePath), "utf8");
+        const content = await readFile18(join39(projectRoot, filePath), "utf8");
         const currentHash = createHash8("sha256").update(content).digest("hex");
         if (currentHash !== storedHash) {
           changed.push(filePath);
@@ -7968,11 +8270,11 @@ var IncrementalScanner = class {
   }
   async warnIfFullScanStale(projectRoot, thresholdDays) {
     try {
-      const runsDir = join38(projectRoot, ".paqad", "pentest", "runs");
+      const runsDir = join39(projectRoot, ".paqad", "pentest", "runs");
       const { readdir: readdir8 } = await import("fs/promises");
       const runs = await readdir8(runsDir).catch(() => []);
       for (const run of runs.sort().reverse()) {
-        const progressPath = join38(runsDir, run, "progress.json");
+        const progressPath = join39(runsDir, run, "progress.json");
         try {
           const raw = await readFile18(progressPath, "utf8");
           const progress = JSON.parse(raw);
@@ -8170,8 +8472,8 @@ var PentestWorkflow = class {
       await this.tracker.save(options.projectRoot, progress);
       const docs = await loadModuleDocs(options.projectRoot, focusModules);
       const tests = await loadTests(options.projectRoot, focusModules);
-      const docsPath = join39(artifactsDir, "docs-summary.json");
-      const testsPath = join39(artifactsDir, "tests-summary.json");
+      const docsPath = join40(artifactsDir, "docs-summary.json");
+      const testsPath = join40(artifactsDir, "tests-summary.json");
       await writeJson(docsPath, docs);
       await writeJson(
         testsPath,
@@ -8272,7 +8574,7 @@ var PentestWorkflow = class {
         progressRunId: progress.run_id,
         reportTimestamp: new Date(progress.started_at)
       });
-      const findingIndexPath = join39(
+      const findingIndexPath = join40(
         options.projectRoot,
         PATHS.PENTEST_RUNS_DIR,
         progress.run_id,
@@ -8289,7 +8591,7 @@ var PentestWorkflow = class {
     }
     if (report === null) {
       const existingSidecar = progress.sidecar_path ? await readJsonIfExists(
-        join39(options.projectRoot, progress.sidecar_path)
+        join40(options.projectRoot, progress.sidecar_path)
       ) : null;
       report = existingSidecar;
     }
@@ -8304,18 +8606,18 @@ var PentestWorkflow = class {
       this.tracker.markStepRunning(progress, "write-report", writeHash);
       await this.tracker.save(options.projectRoot, progress);
       await writeJson(
-        join39(options.projectRoot, PATHS.PENTEST_RUNS_DIR, progress.run_id, "report-preview.json"),
+        join40(options.projectRoot, PATHS.PENTEST_RUNS_DIR, progress.run_id, "report-preview.json"),
         { report_id: report.report_id, findings: report.findings.length }
       );
-      await writeJson(join39(options.projectRoot, report.sidecar_path), report);
+      await writeJson(join40(options.projectRoot, report.sidecar_path), report);
       await writeJson(
-        join39(options.projectRoot, PATHS.PENTEST_RUNS_DIR, progress.run_id, "blocked-checks.json"),
+        join40(options.projectRoot, PATHS.PENTEST_RUNS_DIR, progress.run_id, "blocked-checks.json"),
         report.blocked_checks
       );
-      await mkdir13(join39(options.projectRoot, PATHS.PENTEST_DIR), { recursive: true });
+      await mkdir13(join40(options.projectRoot, PATHS.PENTEST_DIR), { recursive: true });
       const markdown = buildPentestMarkdown(report);
-      await writeJson(join39(options.projectRoot, report.sidecar_path), report);
-      await writeFile13(join39(options.projectRoot, report.report_path), markdown);
+      await writeJson(join40(options.projectRoot, report.sidecar_path), report);
+      await writeFile13(join40(options.projectRoot, report.report_path), markdown);
       this.tracker.markStepCompleted(
         progress,
         "write-report",
@@ -8342,7 +8644,7 @@ async function buildCurrentPentestReport(input) {
   const docs = await loadModuleDocs(input.projectRoot, input.focusModules);
   const tests = await loadTests(input.projectRoot, input.focusModules);
   const osvFindings = await queryOsv(input.snapshot.packages);
-  const osvPath = join39(input.artifactsDir, "dependencies", "osv-results.json");
+  const osvPath = join40(input.artifactsDir, "dependencies", "osv-results.json");
   await writeJson(osvPath, osvFindings);
   const dependencyFindings = await buildDependencyFindings(
     input.snapshot,
@@ -8351,7 +8653,7 @@ async function buildCurrentPentestReport(input) {
   );
   const moduleFindings = buildModuleFindings(docs, tests);
   const secretFindings = await buildSecretFindings(input.artifactsDir);
-  const runtimePayload = await readJsonIfExists(join39(input.artifactsDir, "runtime", "runtime-checks.json"));
+  const runtimePayload = await readJsonIfExists(join40(input.artifactsDir, "runtime", "runtime-checks.json"));
   const runtimeStatus = input.targetUrl ? runtimePayload?.reachable ? {
     target_url: input.targetUrl,
     status: "reachable",
@@ -8377,8 +8679,8 @@ async function buildCurrentPentestReport(input) {
     ...runtimeFindings
   ]);
   const timestamp = toLocalTimestamp(input.reportTimestamp);
-  const reportPath = join39(PATHS.PENTEST_DIR, `${timestamp}.md`);
-  const sidecarPath = join39(PATHS.PENTEST_DIR, `${timestamp}.json`);
+  const reportPath = join40(PATHS.PENTEST_DIR, `${timestamp}.md`);
+  const sidecarPath = join40(PATHS.PENTEST_DIR, `${timestamp}.json`);
   const stack = getPrimaryStack({
     routing: { domain: "coding" },
     stack_profile: input.snapshot.profile
@@ -8431,9 +8733,9 @@ async function buildCurrentPentestReport(input) {
     raw_evidence_paths: [
       relative7(input.projectRoot, osvPath),
       ...[
-        join39(PATHS.PENTEST_RUNS_DIR, input.progressRunId, "finding-index.json"),
-        join39(PATHS.PENTEST_RUNS_DIR, input.progressRunId, "artifacts", "docs-summary.json"),
-        join39(PATHS.PENTEST_RUNS_DIR, input.progressRunId, "artifacts", "tests-summary.json")
+        join40(PATHS.PENTEST_RUNS_DIR, input.progressRunId, "finding-index.json"),
+        join40(PATHS.PENTEST_RUNS_DIR, input.progressRunId, "artifacts", "docs-summary.json"),
+        join40(PATHS.PENTEST_RUNS_DIR, input.progressRunId, "artifacts", "tests-summary.json")
       ]
     ]
   };
@@ -8473,7 +8775,7 @@ var PentestPhase = class {
 
 // src/workflows/pentest-retest.ts
 import { mkdir as mkdir14, writeFile as writeFile14 } from "fs/promises";
-import { dirname as dirname18, join as join40 } from "path";
+import { dirname as dirname18, join as join41 } from "path";
 var RETEST_STEPS = [
   { id: "load-source-report", title: "Load source pentest report" },
   { id: "rerun-evidence", title: "Collect fresh evidence for source findings" },
@@ -8494,7 +8796,7 @@ var PentestRetestWorkflow = class {
     }
     const normalizedSourcePath = normalizeSidecarPath(sourceReportPath);
     const sourceSidecar = await readJsonIfExists(
-      join40(options.projectRoot, normalizedSourcePath)
+      join41(options.projectRoot, normalizedSourcePath)
     );
     if (sourceSidecar === null) {
       throw new Error(`Source pentest sidecar not found at ${normalizedSourcePath}`);
@@ -8519,12 +8821,12 @@ var PentestRetestWorkflow = class {
     if (!this.tracker.shouldSkipStep(progress, "load-source-report", sourceHash)) {
       this.tracker.markStepRunning(progress, "load-source-report", sourceHash);
       await this.tracker.save(options.projectRoot, progress);
-      const sourceCopy = join40(artifactsDir, "source-report.json");
+      const sourceCopy = join41(artifactsDir, "source-report.json");
       await writeJson(sourceCopy, sourceSidecar);
       this.tracker.markStepCompleted(
         progress,
         "load-source-report",
-        [join40(PATHS.PENTEST_RUNS_DIR, progress.run_id, "artifacts", "source-report.json")],
+        [join41(PATHS.PENTEST_RUNS_DIR, progress.run_id, "artifacts", "source-report.json")],
         [...RETEST_SKILLS.source].map(skillPath)
       );
       await this.tracker.save(options.projectRoot, progress);
@@ -8541,7 +8843,7 @@ var PentestRetestWorkflow = class {
         PENTEST_RUN_ID: progress.run_id,
         PENTEST_ARTIFACT_DIR: artifactsDir,
         PENTEST_TARGET_URL: targetUrl ?? "",
-        PENTEST_SOURCE_REPORT: join40(options.projectRoot, normalizedSourcePath),
+        PENTEST_SOURCE_REPORT: join41(options.projectRoot, normalizedSourcePath),
         PENTEST_DB_CONNECTION_NAME: options.dbConnectionName ?? ""
       };
       const scriptResults = await Promise.all([
@@ -8590,8 +8892,8 @@ var PentestRetestWorkflow = class {
         ...currentReport,
         report_id: toReportId("RETEST", new Date(progress.started_at)),
         workflow: "pentest-retest",
-        report_path: join40(PATHS.PENTEST_RETEST_DIR, `${timestamp}-${sourceSlug}.md`),
-        sidecar_path: join40(PATHS.PENTEST_RETEST_DIR, `${timestamp}-${sourceSlug}.json`),
+        report_path: join41(PATHS.PENTEST_RETEST_DIR, `${timestamp}-${sourceSlug}.md`),
+        sidecar_path: join41(PATHS.PENTEST_RETEST_DIR, `${timestamp}-${sourceSlug}.json`),
         source_report_path: normalizedSourcePath,
         source_report_id: sourceSidecar.report_id,
         findings: retestFindings,
@@ -8604,7 +8906,7 @@ var PentestRetestWorkflow = class {
           ...[...RETEST_SKILLS.source, ...RETEST_SKILLS.evaluate].map(skillPath)
         ]
       };
-      const findingIndexPath = join40(
+      const findingIndexPath = join41(
         options.projectRoot,
         PATHS.PENTEST_RUNS_DIR,
         progress.run_id,
@@ -8614,14 +8916,14 @@ var PentestRetestWorkflow = class {
       this.tracker.markStepCompleted(
         progress,
         "evaluate-source-findings",
-        [join40(PATHS.PENTEST_RUNS_DIR, progress.run_id, "finding-index.json")],
+        [join41(PATHS.PENTEST_RUNS_DIR, progress.run_id, "finding-index.json")],
         [...RETEST_SKILLS.evaluate].map(skillPath)
       );
       await this.tracker.save(options.projectRoot, progress);
     }
     if (retestReport === null) {
       const existing = progress.sidecar_path ? await readJsonIfExists(
-        join40(options.projectRoot, progress.sidecar_path)
+        join41(options.projectRoot, progress.sidecar_path)
       ) : null;
       retestReport = existing;
     }
@@ -8635,12 +8937,12 @@ var PentestRetestWorkflow = class {
     if (!this.tracker.shouldSkipStep(progress, "write-report", writeHash)) {
       this.tracker.markStepRunning(progress, "write-report", writeHash);
       await this.tracker.save(options.projectRoot, progress);
-      await writeJson(join40(options.projectRoot, retestReport.sidecar_path), retestReport);
-      await mkdir14(dirname18(join40(options.projectRoot, retestReport.report_path)), {
+      await writeJson(join41(options.projectRoot, retestReport.sidecar_path), retestReport);
+      await mkdir14(dirname18(join41(options.projectRoot, retestReport.report_path)), {
         recursive: true
       });
       await writeFile14(
-        join40(options.projectRoot, retestReport.report_path),
+        join41(options.projectRoot, retestReport.report_path),
         buildPentestMarkdown(retestReport)
       );
       this.tracker.markStepCompleted(
@@ -8718,7 +9020,7 @@ var ProjectQuestionPhase = class {
 
 // src/workflows/root-cause-analysis.ts
 import { mkdir as mkdir15, writeFile as writeFile15 } from "fs/promises";
-import { dirname as dirname19, join as join41 } from "path";
+import { dirname as dirname19, join as join42 } from "path";
 var DEFAULT_TITLE_SLUG = "root-cause-analysis";
 var RCA_SECTIONS = [
   "Summary",
@@ -8737,8 +9039,8 @@ var RootCauseAnalysisWorkflow = class {
   async run(options) {
     const title = deriveTitle(options.classification.request_text);
     const filename = `${toLocalTimestamp2(/* @__PURE__ */ new Date())}-${slugify2(title) || DEFAULT_TITLE_SLUG}.md`;
-    const relativePath = join41(PATHS.RCA_DIR, filename);
-    const outputPath = join41(options.projectRoot, relativePath);
+    const relativePath = join42(PATHS.RCA_DIR, filename);
+    const outputPath = join42(options.projectRoot, relativePath);
     await mkdir15(dirname19(outputPath), { recursive: true });
     await writeFile15(outputPath, buildRcaDocument(title, options.classification));
     return {
@@ -8887,22 +9189,22 @@ var DEFAULT_PHASES = {
 
 // src/pipeline/stream-truncator.ts
 import { appendFile, mkdir as mkdir17 } from "fs/promises";
-import { join as join43, dirname as dirname21 } from "path";
+import { join as join44, dirname as dirname21 } from "path";
 
 // src/resolver/deduplicator.ts
 import { createHash as createHash9 } from "crypto";
 import { readFile as readFile19, writeFile as writeFile17, mkdir as mkdir18 } from "fs/promises";
-import { join as join44, dirname as dirname22 } from "path";
+import { join as join45, dirname as dirname22 } from "path";
 
 // src/scripts/generator.ts
 import { chmodSync as chmodSync2 } from "fs";
 import { mkdir as mkdir19, writeFile as writeFile18 } from "fs/promises";
-import { dirname as dirname23, join as join45 } from "path";
+import { dirname as dirname23, join as join46 } from "path";
 
 // src/skills/cache-manager.ts
 import { createHash as createHash10 } from "crypto";
 import { mkdir as mkdir20, readFile as readFile20, readdir as readdir5, rm as rm2, stat as stat3, writeFile as writeFile19 } from "fs/promises";
-import { join as join46 } from "path";
+import { join as join47 } from "path";
 import fg6 from "fast-glob";
 
 // src/skills/frontmatter-parser.ts
@@ -8927,24 +9229,49 @@ var conditionalProcessor = new ConditionalSectionProcessor();
 
 // src/skills/index-generator.ts
 import { mkdir as mkdir21, readFile as readFile21, writeFile as writeFile20 } from "fs/promises";
-import { dirname as dirname24, join as join47, relative as relative8 } from "path";
+import { dirname as dirname24, join as join48, relative as relative8 } from "path";
 import fg7 from "fast-glob";
 
 // src/skills/loader.ts
 import { readFile as readFile22 } from "fs/promises";
 import { basename as basename6 } from "pathe";
 
+// src/update/audit.ts
+import { appendFileSync, mkdirSync as mkdirSync6 } from "fs";
+import { dirname as dirname25, join as join49 } from "path";
+function auditPath(projectRoot) {
+  return join49(projectRoot, PATHS.AUDIT_LOG);
+}
+function ts() {
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+function appendAuditLog2(projectRoot, previous, updated) {
+  const path = auditPath(projectRoot);
+  mkdirSync6(dirname25(path), { recursive: true });
+  const line = `[${ts()}] INFO silent-update previous=${previous ?? "unknown"} updated=${updated}
+`;
+  appendFileSync(path, line);
+}
+function appendAuditLogFailure(projectRoot, previous, target, error) {
+  const path = auditPath(projectRoot);
+  mkdirSync6(dirname25(path), { recursive: true });
+  const sanitized = error.replace(/"/g, "'");
+  const line = `[${ts()}] WARN silent-update-failed previous=${previous ?? "unknown"} target=${target} error="${sanitized}"
+`;
+  appendFileSync(path, line);
+}
+
 // src/update/updater.ts
-import { chmodSync as chmodSync3, existsSync as existsSync19, mkdirSync as mkdirSync6, readFileSync as readFileSync12, writeFileSync as writeFileSync6 } from "fs";
+import { chmodSync as chmodSync3, existsSync as existsSync19, mkdirSync as mkdirSync7, readFileSync as readFileSync13, writeFileSync as writeFileSync6 } from "fs";
 import { mkdtemp, readdir as readdir6, readFile as readFile23, rm as rm3 } from "fs/promises";
 import { tmpdir } from "os";
-import { dirname as dirname25, join as join48, relative as relative9 } from "path";
+import { dirname as dirname26, join as join50, relative as relative9 } from "path";
 var FrameworkUpdater = class {
   constructor(options = {}) {
     this.options = options;
   }
   async run(projectRoot) {
-    const previousVersion = readText(join48(projectRoot, PATHS.FRAMEWORK_VERSION));
+    const previousVersion = readText(join50(projectRoot, PATHS.FRAMEWORK_VERSION));
     const manifest = readManifest(projectRoot);
     const artifactPolicy = new Map(
       manifest?.generated_artifacts.map((artifact) => [artifact.path, artifact.auto_update]) ?? []
@@ -8954,18 +9281,18 @@ var FrameworkUpdater = class {
     const skipped = [];
     const newScripts = [];
     for (const candidate of candidates) {
-      const target = join48(projectRoot, candidate.path);
+      const target = join50(projectRoot, candidate.path);
       const existed = existsSync19(target);
       const autoUpdate = artifactPolicy.get(candidate.path) ?? candidate.autoUpdate;
       if (existed && autoUpdate === false) {
         skipped.push({
           path: candidate.path,
-          before: readFileSync12(target, "utf8"),
+          before: readFileSync13(target, "utf8"),
           after: candidate.content
         });
         continue;
       }
-      mkdirSync6(dirname25(target), { recursive: true });
+      mkdirSync7(dirname26(target), { recursive: true });
       writeFileSync6(target, candidate.content);
       if (candidate.executable === true) {
         chmodSync3(target, 493);
@@ -8975,9 +9302,13 @@ var FrameworkUpdater = class {
         newScripts.push(candidate.path);
       }
     }
-    mkdirSync6(dirname25(join48(projectRoot, PATHS.FRAMEWORK_VERSION)), { recursive: true });
-    writeFileSync6(join48(projectRoot, PATHS.FRAMEWORK_VERSION), `${VERSION}
-`);
+    mkdirSync7(dirname26(join50(projectRoot, PATHS.FRAMEWORK_VERSION)), { recursive: true });
+    writeFileSync6(
+      join50(projectRoot, PATHS.FRAMEWORK_VERSION),
+      `version=${VERSION}
+updated_at=${(/* @__PURE__ */ new Date()).toISOString()}
+`
+    );
     return {
       previous_version: previousVersion,
       target_version: VERSION,
@@ -8996,7 +9327,7 @@ var FrameworkUpdater = class {
     if (profile === null) {
       throw new Error("Cannot update framework-managed artifacts without a project profile");
     }
-    const tempRoot = await mkdtemp(join48(tmpdir(), "paqad-ai-update-"));
+    const tempRoot = await mkdtemp(join50(tmpdir(), "paqad-ai-update-"));
     try {
       const result = await new OnboardingOrchestrator().run({
         projectRoot: tempRoot,
@@ -9016,11 +9347,11 @@ var FrameworkUpdater = class {
   }
 };
 function readManifest(projectRoot) {
-  const path = join48(projectRoot, PATHS.ONBOARDING_MANIFEST);
+  const path = join50(projectRoot, PATHS.ONBOARDING_MANIFEST);
   if (!existsSync19(path)) {
     return null;
   }
-  return JSON.parse(readFileSync12(path, "utf8"));
+  return JSON.parse(readFileSync13(path, "utf8"));
 }
 function readProfile(projectRoot) {
   return readProjectProfile(projectRoot);
@@ -9029,14 +9360,16 @@ function readText(path) {
   if (!existsSync19(path)) {
     return null;
   }
-  return readFileSync12(path, "utf8").trim();
+  const raw = readFileSync13(path, "utf8");
+  const match = raw.match(/^version=(.+)$/m);
+  return match ? match[1].trim() : raw.trim();
 }
 async function collectFiles(root, generated) {
   const paths = generated.length > 0 ? generated : await walk3(root);
   return Promise.all(
     paths.map(async (file) => ({
       path: file,
-      content: await readFile23(join48(root, file), "utf8"),
+      content: await readFile23(join50(root, file), "utf8"),
       autoUpdate: true,
       executable: file.startsWith("scripts/")
     }))
@@ -9046,7 +9379,7 @@ async function walk3(root, current = root) {
   const entries = await readdir6(current, { withFileTypes: true });
   const files = [];
   for (const entry of entries) {
-    const absolute = join48(current, entry.name);
+    const absolute = join50(current, entry.name);
     if (entry.isDirectory()) {
       files.push(...await walk3(root, absolute));
       continue;
@@ -9058,30 +9391,30 @@ async function walk3(root, current = root) {
 
 // src/verification/gates/documentation-freshness.ts
 import { existsSync as existsSync20 } from "fs";
-import { join as join49 } from "path";
+import { join as join51 } from "path";
 var STALENESS_WINDOW_MS2 = 1e3 * 60 * 60 * 24 * 7;
 
 // src/patterns/pattern-store.ts
 import { readFile as readFile24, writeFile as writeFile21, mkdir as mkdir22, unlink } from "fs/promises";
-import { join as join50, dirname as dirname26 } from "path";
+import { join as join52, dirname as dirname27 } from "path";
 import { homedir as homedir3 } from "os";
-var GLOBAL_PATTERNS_DIR = join50(homedir3(), ".paqad", "patterns");
+var GLOBAL_PATTERNS_DIR = join52(homedir3(), ".paqad", "patterns");
 var PatternStore = class {
   get indexPath() {
-    return join50(GLOBAL_PATTERNS_DIR, "index.json");
+    return join52(GLOBAL_PATTERNS_DIR, "index.json");
   }
   get entriesDir() {
-    return join50(GLOBAL_PATTERNS_DIR, "entries");
+    return join52(GLOBAL_PATTERNS_DIR, "entries");
   }
   async save(pattern) {
     await mkdir22(this.entriesDir, { recursive: true });
-    const entryPath = join50(this.entriesDir, `${pattern.id}.json`);
+    const entryPath = join52(this.entriesDir, `${pattern.id}.json`);
     await writeFile21(entryPath, JSON.stringify(pattern, null, 2), "utf8");
     await this.updateIndex(pattern);
   }
   async load(id) {
     try {
-      const raw = await readFile24(join50(this.entriesDir, `${id}.json`), "utf8");
+      const raw = await readFile24(join52(this.entriesDir, `${id}.json`), "utf8");
       return JSON.parse(raw);
     } catch {
       return null;
@@ -9111,12 +9444,12 @@ var PatternStore = class {
     } else {
       index.entries.push(entry);
     }
-    await mkdir22(dirname26(this.indexPath), { recursive: true });
+    await mkdir22(dirname27(this.indexPath), { recursive: true });
     await writeFile21(this.indexPath, JSON.stringify(index, null, 2), "utf8");
   }
   async delete(id) {
     try {
-      await unlink(join50(this.entriesDir, `${id}.json`));
+      await unlink(join52(this.entriesDir, `${id}.json`));
     } catch {
     }
     const index = await this.loadIndex();
@@ -9216,16 +9549,16 @@ ${p.solution}
 
 // src/workflows/template-loader.ts
 import { readFile as readFile25, readdir as readdir7 } from "fs/promises";
-import { join as join51 } from "path";
+import { join as join53 } from "path";
 import YAML6 from "yaml";
 
 // src/workflows/engine.ts
 import { readFile as readFile26, writeFile as writeFile23, mkdir as mkdir23 } from "fs/promises";
-import { join as join52, dirname as dirname27 } from "path";
+import { join as join54, dirname as dirname28 } from "path";
 import { randomUUID as randomUUID3 } from "crypto";
 
 // src/index.ts
-var VERSION = "0.1.0";
+var VERSION = "0.1.3";
 
 // src/cli/commands/capabilities.ts
 import { Command } from "commander";
@@ -9401,8 +9734,8 @@ function createPacksCommand() {
 
 // src/cli/commands/refresh.ts
 import { Command as Command7 } from "commander";
-import { readFileSync as readFileSync13, writeFileSync as writeFileSync7 } from "fs";
-import { join as join53 } from "path";
+import { readFileSync as readFileSync14, writeFileSync as writeFileSync7 } from "fs";
+import { join as join55 } from "path";
 function createRefreshCommand() {
   return new Command7("refresh").description("Refresh derived framework artifacts").option("--project-root <path>", "Project root", process.cwd()).option("--design-system", "Refresh design-system markdown from design tokens").option("--stack", "Refresh the cached stack snapshot").action(async (options) => {
     const shouldRefreshDesignSystem = options.designSystem ?? true;
@@ -9438,14 +9771,14 @@ function createRefreshCommand() {
   });
 }
 function writeRefreshDrift(projectRoot, refreshDrift) {
-  const path = join53(projectRoot, PATHS.STACK_DRIFT);
+  const path = join55(projectRoot, PATHS.STACK_DRIFT);
   const current = readExistingJson(path);
   writeFileSync7(path, `${JSON.stringify({ ...current ?? {}, ...refreshDrift }, null, 2)}
 `);
 }
 function readExistingJson(path) {
   try {
-    return JSON.parse(readFileSync13(path, "utf8"));
+    return JSON.parse(readFileSync14(path, "utf8"));
   } catch {
     return null;
   }
@@ -9454,9 +9787,25 @@ function readExistingJson(path) {
 // src/cli/commands/update.ts
 import { Command as Command8 } from "commander";
 function createUpdateCommand() {
-  return new Command8("update").description("Update framework-managed artifacts").option("--project-root <path>", "Project root", process.cwd()).action(async (options) => {
-    const report = await new FrameworkUpdater().run(options.projectRoot);
-    console.log(JSON.stringify(report, null, 2));
+  return new Command8("update").description("Update framework-managed artifacts").option("--project-root <path>", "Project root", process.cwd()).option("--silent", "Suppress output; write results to audit log only").action(async (options) => {
+    try {
+      const report = await new FrameworkUpdater().run(options.projectRoot);
+      if (!options.silent) {
+        console.log(JSON.stringify(report, null, 2));
+      }
+      appendAuditLog2(options.projectRoot, report.previous_version, report.target_version);
+    } catch (err) {
+      if (!options.silent) {
+        throw err;
+      }
+      appendAuditLogFailure(
+        options.projectRoot,
+        null,
+        VERSION,
+        err instanceof Error ? err.message : String(err)
+      );
+      process.exit(0);
+    }
   });
 }