safelaunch 1.0.21 → 1.0.23

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "safelaunch",
-  "version": "1.0.21",
+  "version": "1.0.23",
   "description": "Validate your environment before every push. Catch missing, empty, and misconfigured env variables before they break production.",
   "main": "index.js",
   "bin": {

package/safelaunch/README.md

@@ -4,7 +4,7 @@
 
 [![npm version](https://badge.fury.io/js/safelaunch.svg)](https://www.npmjs.com/package/safelaunch)
 
-Run one command before you deploy. safelaunch scans your entire project and tells you exactly what will break — before it breaks in production.
+One command scans your project, locks your environment, and blocks bad deploys forever.
 
 Works with **Node.js, Next.js, Vite, and Create React App**.
 
@@ -12,21 +12,21 @@ Works with **Node.js, Next.js, Vite, and Create React App**.
 
 ---
 
-## Try it now — zero setup
+## Get protected in one command
 
 ```bash
-npx safelaunch scan
+npx safelaunch setup
 ```
 
-No installation. No config. Just run it in any JavaScript project.
+No installation. No config. Run it in any JavaScript project.
+
+safelaunch scans your entire project, shows you exactly what would break your next deploy, and once everything is clean — generates your environment manifest and installs a git hook that blocks bad pushes automatically.
 
 ```
-Scanning your project...
+Running safelaunch setup...
 Detected: Next.js
 
-🚨 Safelaunch Scan Report
-
-This project is NOT safe to deploy
+🚨 Issues found — fix these first
 
 3 issues found
 2 critical · 1 warning
@@ -61,22 +61,33 @@ This project is NOT safe to deploy
 
 ────────────────────────────
 
-✅ What's working (5 checks passed)
+💡 Fix the issues above, then run:
+
+   npx safelaunch setup
+```
+
+Fix the issues and run it again — safelaunch will complete the setup automatically:
+
+```
+Running safelaunch setup...
+Detected: Next.js
+
+✅ All checks passed — setting up safelaunch...
+
+────────────────────────────
 
-- Environment file detected
-- No hardcoded secrets found
-- Dependencies installed
-- No duplicate variables
-- NODE_ENV configured
+env.manifest.json   ✅ generated
+git hook            ✅ installed
 
 ────────────────────────────
 
-💡 Next step
+🛡️  You're protected
 
-   Run:
-   safelaunch init
+   safelaunch will validate your environment
+   automatically before every git push.
 
-   Lock this configuration and prevent future breakage
+   To validate manually at any time:
+   safelaunch validate
 ```
 
 ---
@@ -120,36 +131,30 @@ npm install -g safelaunch
 
 ---
 
-## Lock it in permanently
+## Individual commands
 
-Once scan shows you what's broken, lock your configuration so it never breaks again.
+If you want to run steps individually:
 
-**Step 1 — Generate your environment manifest**
+**Quick scan — no setup needed**
+```bash
+safelaunch scan
+```
 
+**Generate your environment manifest**
 ```bash
 safelaunch init
 ```
 
-Scans your codebase and creates an `env.manifest.json` — a contract file that defines exactly what your app needs to run.
-
-**Step 2 — Validate before every deploy**
-
+**Validate against your manifest**
 ```bash
 safelaunch validate
 ```
 
-Checks your live environment against the manifest and tells you exactly what will break before it does.
-
----
-
-## Never think about it again
-
+**Install the git hook manually**
 ```bash
 safelaunch hook install
 ```
 
-Installs a git hook that blocks `git push` automatically if validation fails. Set it once, forget about it.
-
 ---
 
 ## CI Integration

package/safelaunch/bin/safelaunch.js

@@ -9,6 +9,8 @@ if (command === 'validate') {
   require(path.join(__dirname, '../src/init.js'));
 } else if (command === 'scan') {
   require(path.join(__dirname, '../src/scan.js'));
+} else if (command === 'setup') {
+  require(path.join(__dirname, '../src/setup.js'));
 } else if (command === 'hook') {
   const { installHook, uninstallHook } = require(path.join(__dirname, '../src/hook.js'));
   if (subcommand === 'install') {
@@ -22,9 +24,10 @@ if (command === 'validate') {
   }
 } else {
   console.log('\nUsage:');
-  console.log('  safelaunch scan');
-  console.log('  safelaunch init');
-  console.log('  safelaunch validate');
-  console.log('  safelaunch hook install');
+  console.log('  safelaunch setup        (recommended — scans, locks, and protects in one step)');
+  console.log('  safelaunch scan         (quick scan, no setup needed)');
+  console.log('  safelaunch init         (generate env.manifest.json)');
+  console.log('  safelaunch validate     (validate against manifest)');
+  console.log('  safelaunch hook install (install git hook)');
   console.log('  safelaunch hook uninstall\n');
 }

package/safelaunch/src/scan.js

@@ -99,11 +99,12 @@ function detectProjectType(cwd) {
 }
 
 function scanFiles(dir, extensions, pattern, found = new Set()) {
-  const items = fs.readdirSync(dir);
+  let items;
+  try { items = fs.readdirSync(dir); } catch (_) { return found; }
   for (const item of items) {
     if (item === 'node_modules' || item === '.git') continue;
     const full = path.join(dir, item);
-    const stat = fs.statSync(full);
+    let stat; try { stat = fs.statSync(full); } catch (_) { continue; }
     if (stat.isDirectory()) {
       scanFiles(full, extensions, pattern, found);
     } else if (extensions.some(ext => item.endsWith(ext))) {
@@ -139,9 +140,9 @@ function checkDependencies(cwd) {
   const packagePath = path.join(cwd, 'package.json');
   const modulesPath = path.join(cwd, 'node_modules');
   if (!fs.existsSync(packagePath)) return null;
-  if (!fs.existsSync(modulesPath)) return { notInstalled: true, missing: [] };
   const pkg = JSON.parse(fs.readFileSync(packagePath, 'utf8'));
   const deps = Object.keys(pkg.dependencies || {});
+  if (!fs.existsSync(modulesPath)) return deps.length > 0 ? { notInstalled: true, missing: [] } : null;
   const missing = [];
   for (const dep of deps) {
     if (!fs.existsSync(path.join(modulesPath, dep))) missing.push(dep);
@@ -195,11 +196,12 @@ function checkHardcodedSecrets(cwd) {
   const hits = [];
   function walk(dir) {
     try {
-      const items = fs.readdirSync(dir);
+      let items;
+  try { items = fs.readdirSync(dir); } catch (_) { return found; }
       for (const item of items) {
         if (item === 'node_modules' || item === '.git') continue;
         const full = path.join(dir, item);
-        const stat = fs.statSync(full);
+        let stat; try { stat = fs.statSync(full); } catch (_) { continue; }
         if (stat.isDirectory()) {
           walk(full);
         } else if (extensions.some(ext => item.endsWith(ext))) {

package/safelaunch/src/setup.js

@@ -0,0 +1,488 @@
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+const { track, shutdown } = require('./telemetry');
+
+// ─── Shared utilities ─────────────────────────────────────────────────────────
+
+function impactBlock(lines) {
+  return '   Impact:\n' + lines.map(l => '   ' + l).join('\n');
+}
+
+const IMPACT = {
+  missing: (key) => impactBlock([
+    'Your app cannot use ' + key,
+    '\u2192 Will crash or behave incorrectly at runtime'
+  ]),
+  empty: (key) => impactBlock([
+    key + ' is defined but has no value',
+    '\u2192 Your app will treat it as blank \u2014 this will break things'
+  ]),
+  duplicate: (key) => impactBlock([
+    key + ' is defined more than once',
+    '\u2192 The last value silently wins \u2014 likely not what you want'
+  ]),
+  depsNotInstalled: () => impactBlock([
+    'node_modules is missing entirely',
+    '\u2192 Your app will not start'
+  ]),
+  depsDrift: (dep) => impactBlock([
+    dep + ' is in package.json but not installed',
+    '\u2192 Any code that imports it will fail'
+  ]),
+  lockfileMissing: () => impactBlock([
+    'package-lock.json is missing',
+    '\u2192 npm install will resolve different versions each time \u2014 inconsistent deploys'
+  ]),
+  prefixVite: (key) => impactBlock([
+    key + ' is missing the VITE_ prefix',
+    '\u2192 It will not be exposed to the browser \u2014 your frontend will not see it'
+  ]),
+  prefixCra: (key) => impactBlock([
+    key + ' is missing the REACT_APP_ prefix',
+    '\u2192 It will not be exposed to the browser \u2014 your frontend will not see it'
+  ]),
+  noEnvFile: () => impactBlock([
+    'No .env file found',
+    '\u2192 Every environment variable your app needs will be missing'
+  ]),
+  envInGit: (file) => impactBlock([
+    file + ' is committed to your git history',
+    '\u2192 Your secrets are exposed to anyone with repo access'
+  ]),
+  envNotIgnored: () => impactBlock([
+    '.env is not in your .gitignore',
+    '\u2192 You are one git add away from leaking your secrets'
+  ]),
+  envExampleOutOfSync: (keys) => impactBlock([
+    keys.join(', ') + ' are in .env but missing from .env.example',
+    '\u2192 Teammates cloning this repo will not know these vars exist'
+  ]),
+  hardcodedSecret: (file) => impactBlock([
+    'Possible secret found hardcoded in ' + file,
+    '\u2192 Secrets in source code get committed and exposed in version history'
+  ]),
+  buildScriptMissing: () => impactBlock([
+    'No build script found in package.json',
+    '\u2192 Your deploy pipeline will not know how to build this project'
+  ]),
+  uncommittedChanges: () => impactBlock([
+    'You have uncommitted changes',
+    '\u2192 These changes will not be included in your deploy'
+  ]),
+  unpushedCommits: () => impactBlock([
+    'You have commits that have not been pushed',
+    '\u2192 Your deploy may not include your latest changes'
+  ]),
+  typescriptErrors: () => impactBlock([
+    'Your project has TypeScript type errors',
+    '\u2192 These may cause your build to fail in CI or production'
+  ]),
+  configFileMissing: (file) => impactBlock([
+    file + ' is missing',
+    '\u2192 Your framework will not know how to build or run this project'
+  ]),
+};
+
+const DIVIDER = '\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500';
+
+function detectProjectType(cwd) {
+  if (fs.existsSync(path.join(cwd, 'vite.config.js')) ||
+    fs.existsSync(path.join(cwd, 'vite.config.ts'))) return 'vite';
+  if (fs.existsSync(path.join(cwd, 'next.config.js')) ||
+    fs.existsSync(path.join(cwd, 'next.config.ts'))) return 'next';
+  const packagePath = path.join(cwd, 'package.json');
+  if (fs.existsSync(packagePath)) {
+    const pkg = JSON.parse(fs.readFileSync(packagePath, 'utf8'));
+    const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
+    if (deps['react-scripts']) return 'cra';
+  }
+  return 'node';
+}
+
+function scanFiles(dir, extensions, pattern, found = new Set()) {
+  let items;
+  try { items = fs.readdirSync(dir); } catch (_) { return found; }
+  for (const item of items) {
+    if (item === 'node_modules' || item === '.git') continue;
+    const full = path.join(dir, item);
+    let stat;
+    try { stat = fs.statSync(full); } catch (_) { continue; }
+    if (stat.isDirectory()) {
+      scanFiles(full, extensions, pattern, found);
+    } else if (extensions.some(ext => item.endsWith(ext))) {
+      const content = fs.readFileSync(full, 'utf8');
+      const matches = content.matchAll(pattern);
+      for (const match of matches) found.add(match[1]);
+    }
+  }
+  return found;
+}
+
+function readEnvDetailed(cwd) {
+  const envPath = path.join(cwd, '.env');
+  if (!fs.existsSync(envPath)) return null;
+  const envVars = {};
+  const duplicates = new Set();
+  const seen = new Set();
+  const lines = fs.readFileSync(envPath, 'utf8').split('\n');
+  for (const line of lines) {
+    const match = line.match(/^([^=]+)=(.*)$/);
+    if (match) {
+      const key = match[1].trim();
+      const val = match[2].trim();
+      if (seen.has(key)) duplicates.add(key);
+      seen.add(key);
+      envVars[key] = val;
+    }
+  }
+  return { envVars, duplicates: [...duplicates] };
+}
+
+function checkDependencies(cwd) {
+  const packagePath = path.join(cwd, 'package.json');
+  const modulesPath = path.join(cwd, 'node_modules');
+  if (!fs.existsSync(packagePath)) return null;
+  const pkg = JSON.parse(fs.readFileSync(packagePath, 'utf8'));
+  const deps = Object.keys(pkg.dependencies || {});
+  if (!fs.existsSync(modulesPath)) return deps.length > 0 ? { notInstalled: true, missing: [] } : null;
+  const missing = [];
+  for (const dep of deps) {
+    if (!fs.existsSync(path.join(modulesPath, dep))) missing.push(dep);
+  }
+  return { notInstalled: false, missing };
+}
+
+function checkLockfile(cwd) {
+  return !fs.existsSync(path.join(cwd, 'package-lock.json')) &&
+         !fs.existsSync(path.join(cwd, 'yarn.lock')) &&
+         !fs.existsSync(path.join(cwd, 'pnpm-lock.yaml'));
+}
+
+function checkEnvInGit(cwd) {
+  try {
+    const tracked = execSync('git ls-files', { cwd, stdio: ['pipe', 'pipe', 'ignore'] }).toString();
+    return tracked.split('\n').filter(f => f === '.env' || /^\.env\.(production|staging|live)$/.test(f));
+  } catch (_) { return []; }
+}
+
+function checkEnvInGitignore(cwd) {
+  const gitignorePath = path.join(cwd, '.gitignore');
+  if (!fs.existsSync(gitignorePath)) return false;
+  return fs.readFileSync(gitignorePath, 'utf8').split('\n').some(line => line.trim() === '.env');
+}
+
+function checkEnvExampleSync(cwd, envVars) {
+  const examplePath = path.join(cwd, '.env.example');
+  if (!fs.existsSync(examplePath)) return [];
+  const exampleKeys = new Set();
+  for (const line of fs.readFileSync(examplePath, 'utf8').split('\n')) {
+    const match = line.match(/^([^=]+)=/);
+    if (match) exampleKeys.add(match[1].trim());
+  }
+  return Object.keys(envVars).filter(k => !exampleKeys.has(k));
+}
+
+function checkHardcodedSecrets(cwd) {
+  const extensions = ['.js', '.ts', '.jsx', '.tsx'];
+  const secretPatterns = [
+    /sk_live_[a-zA-Z0-9]{20,}/,
+    /pk_live_[a-zA-Z0-9]{20,}/,
+    /AKIA[0-9A-Z]{16}/,
+    /-----BEGIN (RSA |EC )?PRIVATE KEY-----/,
+    /ghp_[a-zA-Z0-9]{36}/,
+    /xox[baprs]-[0-9a-zA-Z-]{10,}/,
+  ];
+  const hits = [];
+  function walk(dir) {
+    let items;
+    try { items = fs.readdirSync(dir); } catch (_) { return; }
+    for (const item of items) {
+      if (item === 'node_modules' || item === '.git') continue;
+      const full = path.join(dir, item);
+      let stat;
+      try { stat = fs.statSync(full); } catch (_) { continue; }
+      if (stat.isDirectory()) {
+        walk(full);
+      } else if (extensions.some(ext => item.endsWith(ext))) {
+        const content = fs.readFileSync(full, 'utf8');
+        for (const pattern of secretPatterns) {
+          if (pattern.test(content)) { hits.push(path.relative(cwd, full)); break; }
+        }
+      }
+    }
+  }
+  walk(cwd);
+  return hits;
+}
+
+function checkBuildScript(cwd) {
+  const packagePath = path.join(cwd, 'package.json');
+  if (!fs.existsSync(packagePath)) return false;
+  const pkg = JSON.parse(fs.readFileSync(packagePath, 'utf8'));
+  return !!(pkg.scripts && pkg.scripts.build);
+}
+
+function checkGitStatus(cwd) {
+  try {
+    const status = execSync('git status --porcelain', { cwd, stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim();
+    const uncommitted = status.length > 0;
+    let unpushed = false;
+    try {
+      const ahead = execSync('git log @{u}.. --oneline', { cwd, stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim();
+      unpushed = ahead.length > 0;
+    } catch (_) {}
+    return { uncommitted, unpushed };
+  } catch (_) { return { uncommitted: false, unpushed: false }; }
+}
+
+function checkTypeScript(cwd) {
+  if (!fs.existsSync(path.join(cwd, 'tsconfig.json'))) return false;
+  try {
+    execSync('npx tsc --noEmit', { cwd, stdio: ['pipe', 'pipe', 'ignore'] });
+    return false;
+  } catch (_) { return true; }
+}
+
+function checkRequiredConfigFiles(cwd, projectType) {
+  const missing = [];
+  if (projectType === 'next') {
+    if (!fs.existsSync(path.join(cwd, 'next.config.js')) && !fs.existsSync(path.join(cwd, 'next.config.ts'))) missing.push('next.config.js');
+  }
+  if (projectType === 'vite') {
+    if (!fs.existsSync(path.join(cwd, 'vite.config.js')) && !fs.existsSync(path.join(cwd, 'vite.config.ts'))) missing.push('vite.config.js');
+  }
+  return missing;
+}
+
+function renderIssue(number, title, impact) {
+  return number + '. ' + title + '\n\n' + impact + '\n';
+}
+
+// ─── Generate manifest ────────────────────────────────────────────────────────
+
+function generateManifest(cwd, projectType, found) {
+  const manifestPath = path.join(cwd, 'env.manifest.json');
+  const variables = {};
+  for (const key of [...found].sort()) {
+    variables[key] = { required: true, description: '' };
+  }
+  const manifest = {
+    version: '1',
+    projectType,
+    runtime: { node: process.version.replace('v', '').split('.')[0] },
+    variables
+  };
+  fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2));
+}
+
+// ─── Install hook ─────────────────────────────────────────────────────────────
+
+function installHook(cwd) {
+  const gitDir = path.join(cwd, '.git');
+  if (!fs.existsSync(gitDir)) return false;
+  const hooksDir = path.join(gitDir, 'hooks');
+  const hookPath = path.join(hooksDir, 'pre-push');
+  if (!fs.existsSync(hooksDir)) fs.mkdirSync(hooksDir, { recursive: true });
+  const hookScript = `#!/bin/sh\n# safelaunch pre-push hook\necho ""\necho "Running safelaunch validate..."\necho ""\nsafelaunch validate\nif [ $? -ne 0 ]; then\n  echo ""\n  echo "Push blocked by safelaunch. Fix the issues above before pushing."\n  echo ""\n  exit 1\nfi\n`;
+  if (fs.existsSync(hookPath)) {
+    const existing = fs.readFileSync(hookPath, 'utf8');
+    if (existing.includes('safelaunch validate')) return 'already';
+    fs.appendFileSync(hookPath, '\n' + hookScript);
+  } else {
+    fs.writeFileSync(hookPath, hookScript);
+    fs.chmodSync(hookPath, '755');
+  }
+  return true;
+}
+
+// ─── Main ─────────────────────────────────────────────────────────────────────
+
+async function setup() {
+  const cwd = process.cwd();
+  const projectType = detectProjectType(cwd);
+  const typeLabels = { vite: 'Vite', next: 'Next.js', cra: 'Create React App', node: 'Node.js' };
+
+  console.log('');
+  console.log('Running safelaunch setup...');
+  console.log('Detected: ' + typeLabels[projectType]);
+  console.log('');
+
+  const extensions = ['.js', '.ts', '.jsx', '.tsx', '.vue', '.svelte'];
+  let pattern;
+  if (projectType === 'vite') {
+    pattern = /import\.meta\.env\.([A-Z_][A-Z0-9_]*)/g;
+  } else if (projectType === 'cra') {
+    pattern = /process\.env\.(REACT_APP_[A-Z0-9_]*)/g;
+  } else {
+    pattern = /process\.env\.([A-Z_][A-Z0-9_]*)/g;
+  }
+
+  const found = scanFiles(cwd, extensions, pattern);
+  const result = readEnvDetailed(cwd);
+  const drift = checkDependencies(cwd);
+  const lockfileMissing = checkLockfile(cwd);
+  const envInGit = checkEnvInGit(cwd);
+  const envIgnored = checkEnvInGitignore(cwd);
+  const hardcodedSecrets = checkHardcodedSecrets(cwd);
+  const hasBuildScript = checkBuildScript(cwd);
+  const gitStatus = checkGitStatus(cwd);
+  const hasTypeScriptErrors = checkTypeScript(cwd);
+  const missingConfigFiles = checkRequiredConfigFiles(cwd, projectType);
+
+  let missing = [], empty = [], present = [], duplicates = [], envExampleOutOfSync = [];
+
+  if (result) {
+    const { envVars, duplicates: dups } = result;
+    duplicates = dups;
+    envExampleOutOfSync = checkEnvExampleSync(cwd, envVars);
+    for (const key of [...found].sort()) {
+      if (!(key in envVars)) missing.push(key);
+      else if (envVars[key] === '') empty.push(key);
+      else present.push(key);
+    }
+  } else {
+    missing = [...found].sort();
+  }
+
+  const prefixWarnings = [];
+  for (const key of found) {
+    if (key === 'NODE_ENV') continue;
+    if (projectType === 'vite' && !key.startsWith('VITE_')) prefixWarnings.push({ key, type: 'vite' });
+    if (projectType === 'cra' && !key.startsWith('REACT_APP_')) prefixWarnings.push({ key, type: 'cra' });
+  }
+
+  const criticalIssues = [];
+  const warningIssues = [];
+
+  if (!result) criticalIssues.push({ title: '.env file is missing', impact: IMPACT.noEnvFile() });
+  for (const key of missing) criticalIssues.push({ title: key + ' is missing', impact: IMPACT.missing(key) });
+  for (const key of empty) criticalIssues.push({ title: key + ' is empty', impact: IMPACT.empty(key) });
+  if (drift && drift.notInstalled) criticalIssues.push({ title: 'Dependencies are not installed', impact: IMPACT.depsNotInstalled() });
+  for (const file of envInGit) criticalIssues.push({ title: file + ' is tracked by git', impact: IMPACT.envInGit(file) });
+  for (const file of hardcodedSecrets) criticalIssues.push({ title: 'Hardcoded secret in ' + file, impact: IMPACT.hardcodedSecret(file) });
+  for (const file of missingConfigFiles) criticalIssues.push({ title: file + ' is missing', impact: IMPACT.configFileMissing(file) });
+  if (hasTypeScriptErrors) criticalIssues.push({ title: 'TypeScript errors found', impact: IMPACT.typescriptErrors() });
+
+  if (drift && !drift.notInstalled && drift.missing.length > 0) {
+    for (const dep of drift.missing) warningIssues.push({ title: dep + ' is not installed', impact: IMPACT.depsDrift(dep) });
+  }
+  if (lockfileMissing) warningIssues.push({ title: 'No lockfile found', impact: IMPACT.lockfileMissing() });
+  for (const key of duplicates) warningIssues.push({ title: key + ' is defined more than once', impact: IMPACT.duplicate(key) });
+  for (const { key, type } of prefixWarnings) {
+    if (type === 'vite') warningIssues.push({ title: key + ' is missing VITE_ prefix', impact: IMPACT.prefixVite(key) });
+    else warningIssues.push({ title: key + ' is missing REACT_APP_ prefix', impact: IMPACT.prefixCra(key) });
+  }
+  if (!envIgnored && fs.existsSync(path.join(cwd, '.env'))) warningIssues.push({ title: '.env is not in .gitignore', impact: IMPACT.envNotIgnored() });
+  if (envExampleOutOfSync.length > 0) warningIssues.push({ title: '.env.example is out of sync', impact: IMPACT.envExampleOutOfSync(envExampleOutOfSync) });
+  if (!hasBuildScript && fs.existsSync(path.join(cwd, 'package.json'))) warningIssues.push({ title: 'No build script in package.json', impact: IMPACT.buildScriptMissing() });
+  if (gitStatus.uncommitted) warningIssues.push({ title: 'You have uncommitted changes', impact: IMPACT.uncommittedChanges() });
+  if (gitStatus.unpushed) warningIssues.push({ title: 'You have unpushed commits', impact: IMPACT.unpushedCommits() });
+
+  const totalIssues = criticalIssues.length + warningIssues.length;
+
+  // ── Issues found — stop and show them ──
+
+  if (totalIssues > 0) {
+    const parts = [];
+    if (criticalIssues.length > 0) parts.push(criticalIssues.length + ' critical');
+    if (warningIssues.length > 0) parts.push(warningIssues.length + ' warning' + (warningIssues.length !== 1 ? 's' : ''));
+
+    console.log('\uD83D\uDEA8 Issues found — fix these first');
+    console.log('');
+    console.log(totalIssues + ' issue' + (totalIssues !== 1 ? 's' : '') + ' found');
+    console.log(parts.join(' \u00B7 '));
+    console.log('');
+    console.log(DIVIDER);
+    console.log('');
+
+    if (criticalIssues.length > 0) {
+      console.log('\uD83D\uDEA8 CRITICAL (will break your app)');
+      console.log('');
+      criticalIssues.forEach((issue, i) => {
+        console.log(renderIssue(i + 1, issue.title, issue.impact));
+        if (i < criticalIssues.length - 1) { console.log('---'); console.log(''); }
+      });
+      console.log('');
+      console.log(DIVIDER);
+      console.log('');
+    }
+
+    if (warningIssues.length > 0) {
+      console.log('\u26A0\uFE0F  WARNINGS (may cause issues)');
+      console.log('');
+      const offset = criticalIssues.length;
+      warningIssues.forEach((issue, i) => {
+        console.log(renderIssue(offset + i + 1, issue.title, issue.impact));
+        if (i < warningIssues.length - 1) { console.log('---'); console.log(''); }
+      });
+      console.log('');
+      console.log(DIVIDER);
+      console.log('');
+    }
+
+    console.log('\uD83D\uDCA1 Fix the issues above, then run:');
+    console.log('');
+    console.log('   npx safelaunch setup');
+    console.log('');
+
+    await track('safelaunch_setup_run', {
+      project_type: projectType,
+      passed: false,
+      issues: totalIssues,
+      critical: criticalIssues.length,
+      warnings: warningIssues.length
+    });
+    await shutdown();
+    return;
+  }
+
+  // ── All clean — generate manifest and install hook ──
+
+  console.log('\u2705 All checks passed — setting up safelaunch...');
+  console.log('');
+  console.log(DIVIDER);
+  console.log('');
+
+  // Generate manifest
+  const manifestPath = path.join(cwd, 'env.manifest.json');
+  if (fs.existsSync(manifestPath)) {
+    console.log('env.manifest.json   already exists \u2014 skipping');
+  } else {
+    generateManifest(cwd, projectType, found);
+    console.log('env.manifest.json   \u2705 generated');
+  }
+
+  // Install hook
+  const hookResult = installHook(cwd);
+  if (hookResult === 'already') {
+    console.log('git hook            already installed \u2014 skipping');
+  } else if (hookResult === true) {
+    console.log('git hook            \u2705 installed');
+  } else {
+    console.log('git hook            \u26A0\uFE0F  skipped (not a git repo)');
+  }
+
+  console.log('');
+  console.log(DIVIDER);
+  console.log('');
+  console.log('\uD83D\uDEE1\uFE0F  You\'re protected');
+  console.log('');
+  console.log('   safelaunch will validate your environment');
+  console.log('   automatically before every git push.');
+  console.log('');
+  console.log('   To validate manually at any time:');
+  console.log('   safelaunch validate');
+  console.log('');
+
+  await track('safelaunch_setup_run', {
+    project_type: projectType,
+    passed: true,
+    vars_found: found.size,
+    manifest_created: !fs.existsSync(manifestPath),
+    hook_installed: hookResult === true
+  });
+  await shutdown();
+}
+
+setup();