sentinelayer-cli 0.1.0 → 0.1.2

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "sentinelayer-cli",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Scaffold Sentinelayer spec/prompt/guide artifacts with secure browser auth and token bootstrap.",
   "type": "module",
   "scripts": {
-    "check": "node --check bin/sentinelayer-cli.js && node --check bin/create-sentinelayer.js && node --check bin/sl.js && node --check src/cli.js && node --check src/legacy-cli.js && node --check src/commands/config.js && node --check src/commands/ingest.js && node --check src/commands/spec.js && node --check src/commands/prompt.js && node --check src/commands/scan.js && node --check src/commands/guide.js && node --check src/commands/cost.js && node --check src/commands/telemetry.js && node --check src/commands/auth.js && node --check src/commands/watch.js && node --check src/commands/mcp.js && node --check src/commands/plugin.js && node --check src/commands/ai.js && node --check src/commands/review.js && node --check src/commands/chat.js && node --check src/commands/policy.js && node --check src/commands/swarm.js && node --check src/commands/daemon.js && node --check src/commands/audit.js && node --check src/config/service.js && node --check src/ingest/engine.js && node --check src/spec/generator.js && node --check src/spec/regenerate.js && node --check src/spec/templates.js && node --check src/prompt/generator.js && node --check src/scan/generator.js && node --check src/guide/generator.js && node --check src/cost/tracker.js && node --check src/cost/history.js && node --check src/cost/budget.js && node --check src/ai/client.js && node --check src/ai/aidenid.js && node --check src/ai/identity-store.js && node --check src/ai/domain-target-store.js && node --check src/ai/site-store.js && node --check src/review/local-review.js && node --check src/review/ai-review.js && node --check src/review/report.js && node --check src/review/replay.js && node --check src/audit/registry.js && node --check src/audit/orchestrator.js && node --check src/audit/package.js && node --check src/audit/replay.js && node --check src/audit/agents/security.js && node --check src/audit/agents/architecture.js && node --check src/audit/agents/testing.js && node --check src/audit/agents/performance.js && node --check src/audit/agents/compliance.js && node --check src/audit/agents/documentation.js && node --check src/swarm/registry.js && node --check src/swarm/factory.js && node --check src/swarm/runtime.js && node --check src/swarm/scenario-dsl.js && node --check src/swarm/dashboard.js && node --check src/swarm/report.js && node --check src/swarm/pentest.js && node --check src/daemon/error-worker.js && node --check src/daemon/assignment-ledger.js && node --check src/daemon/jira-lifecycle.js && node --check src/daemon/budget-governor.js && node --check src/daemon/operator-control.js && node --check src/daemon/artifact-lineage.js && node --check src/daemon/ast-parser-layer.js && node --check src/daemon/callgraph-overlay.js && node --check src/daemon/hybrid-mapper.js && node --check src/daemon/reliability-lane.js && node --check src/daemon/watchdog.js && node --check src/telemetry/ledger.js && node --check src/auth/http.js && node --check src/auth/session-store.js && node --check src/auth/service.js && node --check src/mcp/registry.js && node --check src/memory/blackboard.js && node --check src/memory/retrieval.js && node --check src/plugin/manifest.js && node --check src/policy/packs.js && node --check src/ui/markdown.js && node --check src/ui/progress.js && node --check src/agents/jules/tools/file-read.js && node --check src/agents/jules/tools/grep.js && node --check src/agents/jules/tools/glob.js && node --check src/agents/jules/tools/shell.js && node --check src/agents/jules/tools/file-edit.js && node --check src/agents/jules/tools/dispatch.js && node --check src/agents/jules/tools/index.js && node --check src/agents/jules/tools/frontend-analyze.js && node --check src/agents/jules/swarm/sub-agent.js && node --check src/agents/jules/swarm/file-scanner.js && node --check src/agents/jules/swarm/pattern-hunter.js && node --check src/agents/jules/swarm/index.js && node --check src/agents/jules/swarm/orchestrator.js && node --check src/agents/jules/config/definition.js && node --check src/agents/jules/loop.js && node --check src/agents/jules/stream.js && node --check src/agents/jules/fix-cycle.js && node --check src/agents/jules/error-intake.js && node --check src/agents/jules/tools/runtime-audit.js && node --check src/agents/jules/config/system-prompt.js && node --check src/agents/jules/tools/auth-audit.js",
+    "check": "node --check bin/sentinelayer-cli.js && node --check bin/create-sentinelayer.js && node --check bin/sl.js && node --check src/cli.js && node --check src/legacy-cli.js && node --check src/commands/config.js && node --check src/commands/ingest.js && node --check src/commands/spec.js && node --check src/commands/prompt.js && node --check src/commands/scan.js && node --check src/commands/guide.js && node --check src/commands/cost.js && node --check src/commands/telemetry.js && node --check src/commands/auth.js && node --check src/commands/watch.js && node --check src/commands/mcp.js && node --check src/commands/plugin.js && node --check src/commands/ai.js && node --check src/commands/review.js && node --check src/commands/chat.js && node --check src/commands/policy.js && node --check src/commands/swarm.js && node --check src/commands/daemon.js && node --check src/commands/audit.js && node --check src/config/service.js && node --check src/ingest/engine.js && node --check src/spec/generator.js && node --check src/spec/regenerate.js && node --check src/spec/templates.js && node --check src/prompt/generator.js && node --check src/scan/generator.js && node --check src/guide/generator.js && node --check src/cost/tracker.js && node --check src/cost/history.js && node --check src/cost/budget.js && node --check src/ai/client.js && node --check src/ai/aidenid.js && node --check src/ai/identity-store.js && node --check src/ai/domain-target-store.js && node --check src/ai/site-store.js && node --check src/review/local-review.js && node --check src/review/ai-review.js && node --check src/review/report.js && node --check src/review/replay.js && node --check src/audit/registry.js && node --check src/audit/orchestrator.js && node --check src/audit/package.js && node --check src/audit/replay.js && node --check src/audit/agents/security.js && node --check src/audit/agents/architecture.js && node --check src/audit/agents/testing.js && node --check src/audit/agents/performance.js && node --check src/audit/agents/compliance.js && node --check src/audit/agents/documentation.js && node --check src/swarm/registry.js && node --check src/swarm/factory.js && node --check src/swarm/runtime.js && node --check src/swarm/scenario-dsl.js && node --check src/swarm/dashboard.js && node --check src/swarm/report.js && node --check src/swarm/pentest.js && node --check src/daemon/error-worker.js && node --check src/daemon/assignment-ledger.js && node --check src/daemon/jira-lifecycle.js && node --check src/daemon/budget-governor.js && node --check src/daemon/operator-control.js && node --check src/daemon/artifact-lineage.js && node --check src/daemon/ast-parser-layer.js && node --check src/daemon/callgraph-overlay.js && node --check src/daemon/hybrid-mapper.js && node --check src/daemon/reliability-lane.js && node --check src/daemon/watchdog.js && node --check src/telemetry/ledger.js && node --check src/auth/http.js && node --check src/auth/session-store.js && node --check src/auth/service.js && node --check src/mcp/registry.js && node --check src/memory/blackboard.js && node --check src/memory/retrieval.js && node --check src/plugin/manifest.js && node --check src/policy/packs.js && node --check src/ui/markdown.js && node --check src/ui/progress.js && node --check src/agents/jules/tools/file-read.js && node --check src/agents/jules/tools/grep.js && node --check src/agents/jules/tools/glob.js && node --check src/agents/jules/tools/shell.js && node --check src/agents/jules/tools/file-edit.js && node --check src/agents/jules/tools/dispatch.js && node --check src/agents/jules/tools/index.js && node --check src/agents/jules/tools/frontend-analyze.js && node --check src/agents/jules/swarm/sub-agent.js && node --check src/agents/jules/swarm/file-scanner.js && node --check src/agents/jules/swarm/pattern-hunter.js && node --check src/agents/jules/swarm/index.js && node --check src/agents/jules/swarm/orchestrator.js && node --check src/agents/jules/config/definition.js && node --check src/agents/jules/loop.js && node --check src/agents/jules/stream.js && node --check src/agents/jules/fix-cycle.js && node --check src/agents/jules/error-intake.js && node --check src/agents/jules/tools/runtime-audit.js && node --check src/agents/jules/config/system-prompt.js && node --check src/agents/jules/tools/auth-audit.js && node --check src/auth/gate.js && node --check src/telemetry/sync.js && node --check src/telemetry/session-tracker.js && node --check src/interactive/workspace.js && node --check src/interactive/auto-ingest.js && node --check src/interactive/action-menu.js && node --check src/interactive/index.js && node --check src/daemon/ingest-refresh.js",
     "test": "npm run test:unit && npm run test:e2e",
     "test:unit": "node --test tests/unit*.test.mjs",
     "test:e2e": "node --test tests/e2e.test.mjs",

package/src/agents/jules/tools/runtime-audit.js

@@ -18,7 +18,7 @@ const LIGHTHOUSE_TIMEOUT_MS = 120000;
  * @param {{ operation: string, url?: string, path?: string }} input
  * @returns {object} Structured result per operation
  */
-export function runtimeAudit(input) {
+export async function runtimeAudit(input) {
   if (!RUNTIME_OPS.has(input.operation)) {
     throw new RuntimeAuditError(
       "Unknown operation: " + input.operation + ". Valid: " + [...RUNTIME_OPS].join(", "),
@@ -49,7 +49,7 @@ const RUNTIME_DISPATCH = {
  * Run Lighthouse via npx (no install required).
  * Returns performance, accessibility, best-practices, SEO scores + key metrics.
  */
-function lighthouseScan(input) {
+async function lighthouseScan(input) {
   const url = input.url;
   if (!url) {
     throw new RuntimeAuditError("lighthouse_scan requires a url parameter");
@@ -58,6 +58,13 @@ function lighthouseScan(input) {
     throw new RuntimeAuditError("Invalid URL: " + url);
   }
 
+  // Prefer SentinelLayer API scanner (authenticated, server-side Lighthouse).
+  // Falls back to local npx lighthouse if API unavailable.
+  try {
+    const apiResult = await callScannerApi(url);
+    if (apiResult.available) return apiResult;
+  } catch { /* API unavailable — fall back to local */ }
+
   try {
     const outputPath = path.join(
       input.path || process.cwd(),
@@ -76,6 +83,7 @@ function lighthouseScan(input) {
       encoding: "utf-8",
       timeout: LIGHTHOUSE_TIMEOUT_MS,
       stdio: ["pipe", "pipe", "pipe"],
+      shell: true, // Windows: npx is npx.cmd, needs shell resolution
     });
 
     if (!fs.existsSync(outputPath)) {
@@ -401,6 +409,82 @@ function sanitizeUrlForShell(url) {
   }
 }
 
+/**
+ * Call the SentinelLayer API scanner endpoint for server-side Lighthouse.
+ * Requires authenticated session (token from sl auth login).
+ * Returns structured result or throws if unavailable.
+ */
+async function callScannerApi(url) {
+  let session;
+  try {
+    const { readStoredSession } = await import("../../../auth/session-store.js");
+    session = await readStoredSession();
+  } catch { /* session read failed */ }
+
+  if (!session || !session.token) {
+    return { available: false, reason: "Not authenticated — run sl auth login" };
+  }
+
+  const apiUrl = session.apiUrl || "https://api.sentinelayer.com";
+  const scanEndpoint = apiUrl + "/api/v1/scan/url";
+
+  // Submit scan
+  const submitResponse = await fetch(scanEndpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": "Bearer " + session.token,
+    },
+    body: JSON.stringify({ url, scan_type: "lighthouse" }),
+    signal: AbortSignal.timeout(15000),
+  });
+
+  if (!submitResponse.ok) {
+    return { available: false, reason: "Scanner API returned " + submitResponse.status };
+  }
+
+  const submitData = await submitResponse.json();
+  const scanId = submitData.scan_id || submitData.id;
+  if (!scanId) {
+    return { available: false, reason: "Scanner did not return scan_id" };
+  }
+
+  // Poll for completion (max 90s)
+  const pollUrl = apiUrl + "/api/v1/scan/url/" + scanId;
+  for (let attempt = 0; attempt < 30; attempt++) {
+    await new Promise(r => setTimeout(r, 3000));
+    try {
+      const pollResponse = await fetch(pollUrl, {
+        headers: { "Authorization": "Bearer " + session.token },
+        signal: AbortSignal.timeout(10000),
+      });
+      if (!pollResponse.ok) continue;
+      const pollData = await pollResponse.json();
+      if (pollData.status === "completed" || pollData.status === "complete") {
+        const scores = pollData.scores || pollData.lighthouse_scores || {};
+        return {
+          available: true,
+          source: "sentinelayer-api",
+          scanId,
+          reportPath: null,
+          scores: {
+            performance: scores.performance ?? null,
+            accessibility: scores.accessibility ?? null,
+            bestPractices: scores.best_practices ?? scores.bestPractices ?? null,
+            seo: scores.seo ?? null,
+          },
+          metrics: pollData.metrics || {},
+          opportunities: pollData.opportunities || [],
+        };
+      }
+      if (pollData.status === "failed" || pollData.status === "error") {
+        return { available: false, reason: "Scanner reported failure: " + (pollData.error || pollData.status) };
+      }
+    } catch { /* poll failed, retry */ }
+  }
+  return { available: false, reason: "Scanner timed out after 90s" };
+}
+
 export class RuntimeAuditError extends Error {
   constructor(message) {
     super(message);

package/src/auth/gate.js

@@ -0,0 +1,92 @@
+import process from "node:process";
+import pc from "picocolors";
+import { readStoredSession } from "./session-store.js";
+
+/**
+ * Auth gate — ensures user is logged in before running any command.
+ *
+ * Commands that bypass auth:
+ * - auth login, auth status, auth --help
+ * - --help, --version, -h, -v
+ * - config (read-only config inspection)
+ *
+ * All other commands require a valid session.
+ * If not authenticated, prints instructions and exits.
+ */
+
+const AUTH_BYPASS_COMMANDS = new Set([
+  "auth",      // auth subcommands handle their own auth
+  "--help",
+  "-h",
+  "--version",
+  "-v",
+]);
+
+// Commands that work without auth (read-only, no API calls)
+const NO_AUTH_REQUIRED = new Set([
+  "config",    // local config inspection
+]);
+
+/**
+ * Check if the current command requires authentication.
+ * Returns true if auth is required but user is not logged in.
+ *
+ * @param {string[]} args - CLI arguments (after normalization)
+ * @returns {Promise<{ authenticated: boolean, session: object|null, bypassReason: string|null }>}
+ */
+export async function checkAuthGate(args) {
+  const first = String(args[0] || "").trim().toLowerCase();
+
+  // Bypass commands
+  if (!first || AUTH_BYPASS_COMMANDS.has(first)) {
+    return { authenticated: true, session: null, bypassReason: "auth_bypass_command" };
+  }
+
+  if (NO_AUTH_REQUIRED.has(first)) {
+    return { authenticated: true, session: null, bypassReason: "no_auth_required" };
+  }
+
+  // CI/test bypass — allows automated testing without auth
+  if (process.env.SENTINELAYER_CLI_SKIP_AUTH === "1" || process.env.CI === "true") {
+    return { authenticated: true, session: null, bypassReason: "env_bypass" };
+  }
+
+  // Check for stored session
+  try {
+    const session = await readStoredSession();
+    if (session && session.token) {
+      // Check if token is expired
+      if (session.tokenExpiresAt) {
+        const expiresAt = new Date(session.tokenExpiresAt).getTime();
+        if (expiresAt < Date.now()) {
+          return { authenticated: false, session: null, bypassReason: null };
+        }
+      }
+      return { authenticated: true, session, bypassReason: null };
+    }
+  } catch {
+    // Session read failed — treat as not authenticated
+  }
+
+  return { authenticated: false, session: null, bypassReason: null };
+}
+
+/**
+ * Print auth required message and exit.
+ */
+export function printAuthRequired() {
+  console.error("");
+  console.error(pc.bold(pc.red("Authentication required.")));
+  console.error("");
+  console.error("  Log in to SentinelLayer to use CLI commands:");
+  console.error("");
+  console.error("    " + pc.cyan("sl auth login"));
+  console.error("");
+  console.error("  This opens your browser to authenticate via GitHub or Google.");
+  console.error("  Your session is encrypted and stored locally.");
+  console.error("");
+  console.error("  " + pc.gray("Why? All CLI operations sync to your SentinelLayer account —"));
+  console.error("  " + pc.gray("audit reports, findings, cost tracking, and run history."));
+  console.error("");
+  process.exitCode = 1;
+}

package/src/cli.js

@@ -230,6 +230,14 @@ export async function runCli(rawArgs = process.argv.slice(2)) {
   // Normalize slash commands (/omargate → omargate, /audit → audit, etc.)
   const normalizedArgs = normalizeSlashArgs(rawArgs);
 
+  // Auth gate — require login for all commands except auth/help/version/config
+  const { checkAuthGate, printAuthRequired } = await import("./auth/gate.js");
+  const authResult = await checkAuthGate(normalizedArgs);
+  if (!authResult.authenticated) {
+    printAuthRequired();
+    return;
+  }
+
   if (shouldBypassCommander(normalizedArgs)) {
     await runLegacyCliWithErrorHandling(normalizedArgs);
     return;

package/src/commands/audit.js

@@ -1009,6 +1009,25 @@ export function registerAuditCommand(program, invokeLegacy) {
         process.stderr.write("Summary: " + allFindings.length + " findings (P0=" + severityCounts.P0 + " P1=" + severityCounts.P1 + " P2=" + severityCounts.P2 + ")\n");
       }
 
+      // Sync run to dashboard (fire-and-forget)
+      try {
+        const { syncRunToDashboard } = await import("../telemetry/sync.js");
+        const syncResult = await syncRunToDashboard({
+          command: "audit frontend",
+          persona: JULES_DEFINITION.persona,
+          mode: options.mode,
+          framework: ingest?.frameworks?.[0] || "unknown",
+          summary: { total: allFindings.length, ...severityCounts, blocking: severityCounts.P0 > 0 || severityCounts.P1 > 0 },
+          usage: report?.usage || {},
+          stopReason: report?.usage?.stopReason || "completed",
+          reconciliation: reconciliation.summary,
+          runtime: runtimeResult ? { ran: true, url: runtimeResult.url } : { ran: false },
+        });
+        if (!emitJson && !emitStream && syncResult.synced) {
+          process.stderr.write(JULES_DEFINITION.avatar + " Run synced to dashboard" + (syncResult.runId ? " (run:" + syncResult.runId + ")" : "") + "\n");
+        }
+      } catch { /* sync failure never blocks CLI */ }
+
       if (severityCounts.P0 > 0 || severityCounts.P1 > 0) {
         process.exitCode = 2;
       }

package/src/daemon/ingest-refresh.js

@@ -0,0 +1,195 @@
+import fs from "node:fs";
+import path from "node:path";
+import { collectCodebaseIngest, generateCodebaseIngest } from "../ingest/engine.js";
+
+/**
+ * Pulse Ingest Refresh — periodic codebase re-index.
+ *
+ * Detects when the file count changes vs the last ingest.
+ * If delta detected: re-runs ingest + AST + domain assignment.
+ * Budget-gated: aborts if refresh takes > maxDurationMs.
+ *
+ * Inspired by src/utils/cronScheduler.ts file watcher pattern.
+ */
+
+const DEFAULT_CHECK_INTERVAL_MS = 60_000; // 1 minute
+const DEFAULT_MAX_DURATION_MS = 30_000; // 30 seconds
+const STALE_FILE_COUNT_THRESHOLD = 5; // re-ingest if >= 5 files changed
+
+/**
+ * Check if the codebase has changed since last ingest.
+ *
+ * @param {string} targetPath - Repository root
+ * @returns {{ changed: boolean, currentFileCount: number, lastFileCount: number, delta: number }}
+ */
+export function detectIngestDrift(targetPath) {
+  const ingestPath = path.join(targetPath, ".sentinelayer", "CODEBASE_INGEST.json");
+
+  let lastFileCount = 0;
+  try {
+    const ingest = JSON.parse(fs.readFileSync(ingestPath, "utf-8"));
+    lastFileCount = ingest?.summary?.filesScanned || 0;
+  } catch {
+    return { changed: true, currentFileCount: 0, lastFileCount: 0, delta: 0 };
+  }
+
+  // Quick file count via directory scan (fast, no deep analysis)
+  let currentFileCount = 0;
+  try {
+    currentFileCount = countFilesQuick(targetPath);
+  } catch {
+    return { changed: false, currentFileCount: 0, lastFileCount, delta: 0 };
+  }
+
+  const delta = Math.abs(currentFileCount - lastFileCount);
+  return {
+    changed: delta >= STALE_FILE_COUNT_THRESHOLD,
+    currentFileCount,
+    lastFileCount,
+    delta,
+  };
+}
+
+/**
+ * Run a budget-gated ingest refresh.
+ * Aborts if refresh takes longer than maxDurationMs.
+ *
+ * @param {string} targetPath
+ * @param {object} [options]
+ * @param {number} [options.maxDurationMs] - Max refresh time (default 30s)
+ * @param {function} [options.onEvent] - Event callback
+ * @returns {Promise<{ refreshed: boolean, reason: string, durationMs: number }>}
+ */
+export async function refreshIngestIfNeeded(targetPath, options = {}) {
+  const maxDurationMs = options.maxDurationMs || DEFAULT_MAX_DURATION_MS;
+  const drift = detectIngestDrift(targetPath);
+
+  if (!drift.changed) {
+    return { refreshed: false, reason: "no_drift", durationMs: 0, ...drift };
+  }
+
+  if (options.onEvent) {
+    options.onEvent({
+      stream: "sl_event",
+      event: "ingest_refresh_start",
+      payload: { delta: drift.delta, currentFiles: drift.currentFileCount, lastFiles: drift.lastFileCount },
+    });
+  }
+
+  const startMs = Date.now();
+
+  // Budget gate: abort if taking too long
+  const timeout = setTimeout(() => {
+    if (options.onEvent) {
+      options.onEvent({
+        stream: "sl_event",
+        event: "ingest_refresh_timeout",
+        payload: { maxDurationMs, elapsed: Date.now() - startMs },
+      });
+    }
+  }, maxDurationMs);
+
+  try {
+    let ingest;
+    try {
+      ingest = await generateCodebaseIngest({
+        rootPath: targetPath,
+        outputDir: path.join(targetPath, ".sentinelayer"),
+        refresh: true,
+      });
+    } catch {
+      ingest = await collectCodebaseIngest({ rootPath: targetPath });
+    }
+
+    const durationMs = Date.now() - startMs;
+
+    if (options.onEvent) {
+      options.onEvent({
+        stream: "sl_event",
+        event: "ingest_refresh_complete",
+        payload: {
+          durationMs,
+          filesScanned: ingest?.summary?.filesScanned || 0,
+          delta: drift.delta,
+        },
+      });
+    }
+
+    return {
+      refreshed: true,
+      reason: "drift_detected",
+      durationMs,
+      filesScanned: ingest?.summary?.filesScanned || 0,
+      ...drift,
+    };
+  } catch (err) {
+    return {
+      refreshed: false,
+      reason: "refresh_failed: " + err.message,
+      durationMs: Date.now() - startMs,
+      ...drift,
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+/**
+ * Start a periodic ingest refresh watcher.
+ * Checks for drift every checkIntervalMs and refreshes if needed.
+ *
+ * @param {string} targetPath
+ * @param {object} [options]
+ * @param {number} [options.checkIntervalMs] - Check interval (default 60s)
+ * @param {number} [options.maxDurationMs] - Max refresh time (default 30s)
+ * @param {function} [options.onEvent] - Event callback
+ * @returns {{ stop: function }} - Call stop() to stop watching
+ */
+export function startPeriodicRefresh(targetPath, options = {}) {
+  const checkIntervalMs = options.checkIntervalMs || DEFAULT_CHECK_INTERVAL_MS;
+  let running = true;
+
+  const check = async () => {
+    if (!running) return;
+    await refreshIngestIfNeeded(targetPath, options);
+    if (running) {
+      setTimeout(check, checkIntervalMs);
+    }
+  };
+
+  // Start first check after one interval
+  const timer = setTimeout(check, checkIntervalMs);
+
+  return {
+    stop() {
+      running = false;
+      clearTimeout(timer);
+    },
+  };
+}
+
+/**
+ * Quick file count — counts source files without deep analysis.
+ * Much faster than full ingest for drift detection.
+ */
+function countFilesQuick(rootPath) {
+  const IGNORE = new Set([
+    ".git", "node_modules", ".next", "dist", "build", "coverage",
+    ".turbo", ".venv", "__pycache__", ".cache", ".sentinelayer",
+  ]);
+  let count = 0;
+
+  function walk(dir) {
+    try {
+      const entries = fs.readdirSync(dir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (IGNORE.has(entry.name)) continue;
+        if (entry.isDirectory()) walk(path.join(dir, entry.name));
+        else if (entry.isFile()) count++;
+      }
+    } catch { /* skip unreadable */ }
+  }
+
+  walk(rootPath);
+  return count;
+}

package/src/interactive/action-menu.js

@@ -0,0 +1,132 @@
+import prompts from "prompts";
+import pc from "picocolors";
+
+import { PERSONA_VISUALS, listPersonaIds } from "../agents/jules/config/definition.js";
+
+/**
+ * Interactive action menu — presented after ingest completes.
+ * Arrow-key navigation for primary actions + submenus.
+ */
+
+/**
+ * Present the main action menu.
+ *
+ * @returns {Promise<{ action: string, subAction?: string, input?: string }>}
+ */
+export async function showActionMenu() {
+  const response = await prompts({
+    type: "select",
+    name: "action",
+    message: "What would you like to do?",
+    choices: [
+      { title: pc.red("🔍 Audit"), value: "audit", description: "Run security + quality audit (baseline + personas)" },
+      { title: pc.yellow("📝 Review"), value: "review", description: "Quick review of current changes" },
+      { title: pc.green("🏗️  Add Feature"), value: "feature", description: "Describe a feature and generate spec + prompt" },
+      { title: pc.blue("🆕 Create Project"), value: "create", description: "Scaffold a new project with spec + Omar Gate" },
+      { title: pc.gray("⚙️  More options..."), value: "more", description: "Config, cost, telemetry, watch, plugins" },
+    ],
+  });
+
+  if (!response.action) return { action: "exit" };
+
+  // Route to submenu
+  if (response.action === "audit") return showAuditMenu();
+  if (response.action === "review") return showReviewMenu();
+  if (response.action === "feature") return showFeaturePrompt();
+  if (response.action === "more") return showMoreMenu();
+
+  return { action: response.action };
+}
+
+/**
+ * Audit submenu — all 13 personas + full audit.
+ */
+async function showAuditMenu() {
+  const personaIds = listPersonaIds();
+  const choices = [
+    {
+      title: pc.bold("🎯 Full Audit (all 13 personas in parallel)"),
+      value: { action: "audit", subAction: "deep" },
+      description: "Omar baseline → 13 specialist agents → reconciliation",
+    },
+  ];
+
+  for (const id of personaIds) {
+    const visual = PERSONA_VISUALS[id];
+    if (!visual) continue;
+    choices.push({
+      title: (visual.avatar || "") + " " + visual.fullName + pc.gray(" (" + id + ")"),
+      value: { action: "audit", subAction: id },
+      description: visual.specialty ? visual.specialty.slice(0, 80) : visual.domain || id,
+    });
+  }
+
+  const response = await prompts({
+    type: "select",
+    name: "choice",
+    message: "Which audit?",
+    choices,
+  });
+
+  return response.choice || { action: "exit" };
+}
+
+/**
+ * Review submenu.
+ */
+async function showReviewMenu() {
+  const response = await prompts({
+    type: "select",
+    name: "choice",
+    message: "Review mode?",
+    choices: [
+      { title: "📋 Full review", value: { action: "review", subAction: "full" }, description: "Scan entire codebase (22-rule deterministic + AI)" },
+      { title: "📝 Diff review", value: { action: "review", subAction: "diff" }, description: "Review only uncommitted changes" },
+      { title: "📌 Staged review", value: { action: "review", subAction: "staged" }, description: "Review only staged files" },
+    ],
+  });
+
+  return response.choice || { action: "exit" };
+}
+
+/**
+ * Feature description prompt.
+ */
+async function showFeaturePrompt() {
+  const response = await prompts({
+    type: "text",
+    name: "description",
+    message: "Describe the feature you want to add:",
+    validate: v => (v && v.trim().length > 5) ? true : "Please describe the feature (at least a few words)",
+  });
+
+  if (!response.description) return { action: "exit" };
+
+  return {
+    action: "feature",
+    input: response.description.trim(),
+  };
+}
+
+/**
+ * More options submenu.
+ */
+async function showMoreMenu() {
+  const response = await prompts({
+    type: "select",
+    name: "choice",
+    message: "More options:",
+    choices: [
+      { title: "📊 Cost & usage summary", value: { action: "cost" }, description: "View token usage and cost tracking" },
+      { title: "📈 Telemetry", value: { action: "telemetry" }, description: "View run event telemetry" },
+      { title: "⚙️  Config", value: { action: "config" }, description: "View and edit configuration" },
+      { title: "👤 Auth status", value: { action: "auth-status" }, description: "Check authentication" },
+      { title: "🔌 Plugins", value: { action: "plugins" }, description: "List installed plugins" },
+      { title: "📡 Watch events", value: { action: "watch" }, description: "Stream runtime events" },
+      { title: "🤖 AI identity", value: { action: "ai" }, description: "AIdenID provisioning" },
+      { title: "🐛 Daemon status", value: { action: "daemon" }, description: "Error queue and budget status" },
+    ],
+  });
+
+  return response.choice || { action: "exit" };
+}

package/src/interactive/auto-ingest.js

@@ -0,0 +1,111 @@
+import fs from "node:fs";
+import path from "node:path";
+import pc from "picocolors";
+
+import { collectCodebaseIngest, generateCodebaseIngest } from "../ingest/engine.js";
+
+/**
+ * Auto-ingest with live progress output.
+ *
+ * Checks if CODEBASE_INGEST.json exists and is fresh.
+ * If stale or missing, runs ingest with real-time status updates.
+ * Returns the ingest result.
+ */
+
+const STALE_THRESHOLD_MS = 300_000; // 5 minutes
+
+/**
+ * Check if ingest exists and is fresh enough.
+ *
+ * @param {string} targetPath - Repository root
+ * @returns {{ exists: boolean, stale: boolean, age: number|null, path: string }}
+ */
+export function checkIngestFreshness(targetPath) {
+  const ingestPath = path.join(targetPath, ".sentinelayer", "CODEBASE_INGEST.json");
+  if (!fs.existsSync(ingestPath)) {
+    return { exists: false, stale: true, age: null, path: ingestPath };
+  }
+
+  try {
+    const stat = fs.statSync(ingestPath);
+    const age = Date.now() - stat.mtimeMs;
+    return {
+      exists: true,
+      stale: age > STALE_THRESHOLD_MS,
+      age,
+      path: ingestPath,
+    };
+  } catch {
+    return { exists: false, stale: true, age: null, path: ingestPath };
+  }
+}
+
+/**
+ * Run auto-ingest with live progress output to stderr.
+ * If ingest exists and is fresh, reads from cache.
+ * Otherwise runs full ingest with status updates.
+ *
+ * @param {string} targetPath
+ * @param {object} [options]
+ * @param {boolean} [options.force] - Force re-ingest even if fresh
+ * @param {boolean} [options.quiet] - Suppress progress output
+ * @returns {Promise<object>} Ingest result
+ */
+export async function autoIngestWithProgress(targetPath, options = {}) {
+  const freshness = checkIngestFreshness(targetPath);
+
+  if (freshness.exists && !freshness.stale && !options.force) {
+    if (!options.quiet) {
+      const ageSec = Math.floor((freshness.age || 0) / 1000);
+      process.stderr.write(pc.gray("Using cached ingest (" + ageSec + "s old)\n"));
+    }
+    try {
+      const cached = JSON.parse(fs.readFileSync(freshness.path, "utf-8"));
+      return cached;
+    } catch { /* fall through to re-ingest */ }
+  }
+
+  // Run ingest with progress
+  if (!options.quiet) {
+    process.stderr.write(pc.cyan("⟳") + " Indexing codebase...\n");
+  }
+
+  const startMs = Date.now();
+
+  if (!options.quiet) {
+    process.stderr.write(pc.gray("  ├─ Scanning files and directories\n"));
+  }
+
+  let ingest;
+  try {
+    ingest = await generateCodebaseIngest({
+      rootPath: targetPath,
+      outputDir: path.join(targetPath, ".sentinelayer"),
+      refresh: true,
+    });
+  } catch {
+    ingest = await collectCodebaseIngest({ rootPath: targetPath });
+  }
+
+  const durationMs = Date.now() - startMs;
+
+  if (!options.quiet) {
+    const files = ingest?.summary?.filesScanned || 0;
+    const loc = ingest?.summary?.totalLoc || 0;
+    const surfaces = (ingest?.riskSurfaces || []).length;
+    const frameworks = (ingest?.frameworks || []).join(", ") || "none";
+
+    process.stderr.write(pc.gray("  ├─ Building AST + import graph\n"));
+    process.stderr.write(pc.gray("  ├─ Assigning domain surfaces\n"));
+    process.stderr.write(pc.gray("  └─ ") + pc.green("Done") + pc.gray(" (" + (durationMs / 1000).toFixed(1) + "s)\n"));
+    process.stderr.write("\n");
+    process.stderr.write(pc.bold("  Codebase Summary\n"));
+    process.stderr.write(pc.gray("  Files: ") + pc.white(String(files)) + "\n");
+    process.stderr.write(pc.gray("  LOC: ") + pc.white(String(loc)) + "\n");
+    process.stderr.write(pc.gray("  Frameworks: ") + pc.white(frameworks) + "\n");
+    process.stderr.write(pc.gray("  Risk surfaces: ") + pc.white(String(surfaces)) + "\n");
+    process.stderr.write("\n");
+  }
+
+  return ingest;
+}

package/src/interactive/index.js

@@ -0,0 +1,95 @@
+import pc from "picocolors";
+import { selectRepo } from "./workspace.js";
+import { autoIngestWithProgress } from "./auto-ingest.js";
+import { showActionMenu } from "./action-menu.js";
+
+/**
+ * Interactive CLI mode — the "sl" experience with no args.
+ *
+ * Flow:
+ * 1. Detect repos in workspace → select if multiple
+ * 2. Auto-ingest with live progress
+ * 3. Present action menu
+ * 4. Route to the selected command
+ */
+
+/**
+ * Run the interactive flow.
+ *
+ * @param {object} [options]
+ * @param {function} [options.executeCommand] - Command executor (receives action + args)
+ * @returns {Promise<void>}
+ */
+export async function runInteractiveMode(options = {}) {
+  console.error("");
+  console.error(pc.bold("  SentinelLayer CLI") + pc.gray(" — security-first development platform"));
+  console.error("");
+
+  // Step 1: Repo selection
+  const repo = await selectRepo();
+  if (!repo) {
+    console.error(pc.yellow("No repository selected. Run sl --help for available commands."));
+    return;
+  }
+
+  // Step 2: Auto-ingest
+  const ingest = await autoIngestWithProgress(repo.path);
+
+  // Step 3: Action menu
+  const choice = await showActionMenu();
+  if (choice.action === "exit") {
+    return;
+  }
+
+  // Step 4: Route to command
+  console.error("");
+  if (options.executeCommand) {
+    await options.executeCommand(choice, repo, ingest);
+  } else {
+    // Print the equivalent CLI command for the user
+    const cmd = buildEquivalentCommand(choice, repo);
+    if (cmd) {
+      console.error(pc.gray("  Equivalent command: ") + pc.cyan(cmd));
+      console.error("");
+    }
+  }
+}
+
+/**
+ * Build the equivalent CLI command string for a menu choice.
+ */
+function buildEquivalentCommand(choice, repo) {
+  const pathFlag = " --path " + repo.path;
+
+  switch (choice.action) {
+    case "audit":
+      if (choice.subAction === "deep") return "sl audit" + pathFlag + " --json";
+      return "sl audit " + choice.subAction + pathFlag + " --stream";
+    case "review":
+      if (choice.subAction === "diff") return "sl review scan --mode diff" + pathFlag + " --json";
+      if (choice.subAction === "staged") return "sl review scan --mode staged" + pathFlag + " --json";
+      return "sl review scan --mode full" + pathFlag + " --json";
+    case "feature":
+      return "sl spec generate --description \"" + (choice.input || "").slice(0, 50) + "...\"" + pathFlag;
+    case "create":
+      return "sl init";
+    case "cost":
+      return "sl cost show" + pathFlag + " --json";
+    case "telemetry":
+      return "sl telemetry show" + pathFlag + " --json";
+    case "config":
+      return "sl config list --json";
+    case "auth-status":
+      return "sl auth status --json";
+    case "plugins":
+      return "sl plugin list --json";
+    case "watch":
+      return "sl watch history" + pathFlag + " --json";
+    case "ai":
+      return "sl ai provision-email --json";
+    case "daemon":
+      return "sl daemon budget status" + pathFlag + " --json";
+    default:
+      return null;
+  }
+}

package/src/interactive/workspace.js

@@ -0,0 +1,92 @@
+import fs from "node:fs";
+import path from "node:path";
+import prompts from "prompts";
+import pc from "picocolors";
+
+/**
+ * Multi-repo workspace detection + interactive repo selection.
+ *
+ * Scans the current directory and parent for git repositories.
+ * If multiple found, presents arrow-key selector.
+ * If single found, auto-selects it.
+ */
+
+/**
+ * Detect git repositories in the workspace.
+ * Scans cwd and one level up for directories containing .git.
+ *
+ * @param {string} [startPath] - Starting directory (default: cwd)
+ * @returns {{ repos: Array<{name, path, isCurrentDir}>, parentDir: string }}
+ */
+export function detectRepos(startPath) {
+  const cwd = path.resolve(startPath || process.cwd());
+  const parentDir = path.dirname(cwd);
+  const repos = [];
+
+  // Check if cwd itself is a git repo
+  if (fs.existsSync(path.join(cwd, ".git"))) {
+    repos.push({
+      name: path.basename(cwd),
+      path: cwd,
+      isCurrentDir: true,
+    });
+  }
+
+  // Scan parent directory for sibling repos
+  try {
+    const siblings = fs.readdirSync(parentDir, { withFileTypes: true });
+    for (const entry of siblings) {
+      if (!entry.isDirectory()) continue;
+      const siblingPath = path.join(parentDir, entry.name);
+      if (siblingPath === cwd) continue; // skip self (already added if it's a repo)
+      if (fs.existsSync(path.join(siblingPath, ".git"))) {
+        repos.push({
+          name: entry.name,
+          path: siblingPath,
+          isCurrentDir: false,
+        });
+      }
+    }
+  } catch { /* parent unreadable — only current dir */ }
+
+  return { repos, parentDir };
+}
+
+/**
+ * Interactive repo selector.
+ * If single repo: auto-selects.
+ * If multiple: presents arrow-key menu.
+ * If none: returns null.
+ *
+ * @param {object} [options]
+ * @param {string} [options.startPath]
+ * @returns {Promise<{name, path}|null>}
+ */
+export async function selectRepo(options = {}) {
+  const { repos } = detectRepos(options.startPath);
+
+  if (repos.length === 0) {
+    console.error(pc.yellow("No git repositories found in this workspace."));
+    return null;
+  }
+
+  if (repos.length === 1) {
+    console.error(pc.gray("Repository: " + repos[0].name + " (" + repos[0].path + ")"));
+    return repos[0];
+  }
+
+  // Multiple repos — present selection
+  console.error(pc.bold("Multiple repositories detected:"));
+  const response = await prompts({
+    type: "select",
+    name: "repo",
+    message: "Which repository?",
+    choices: repos.map(r => ({
+      title: r.name + (r.isCurrentDir ? pc.gray(" (current)") : ""),
+      value: r,
+      description: r.path,
+    })),
+  });
+
+  return response.repo || null;
+}

package/src/telemetry/session-tracker.js

@@ -0,0 +1,118 @@
+import pc from "picocolors";
+
+/**
+ * Session Tracker — tracks tokens, tool calls, cost, and time per CLI run.
+ *
+ * Inspired by src/bootstrap/state.ts and src/cost-tracker.ts patterns:
+ * - Single global session state initialized once
+ * - Accumulator functions for each metric
+ * - Summary getter for final report
+ * - Print summary on completion
+ */
+
+let SESSION = null;
+
+/**
+ * Initialize a new tracking session.
+ * Call this at the start of any auditable command.
+ */
+export function startSession(command) {
+  SESSION = {
+    command: command || "unknown",
+    startedAt: Date.now(),
+    inputTokens: 0,
+    outputTokens: 0,
+    costUsd: 0,
+    toolCalls: 0,
+    llmCalls: 0,
+    findings: { P0: 0, P1: 0, P2: 0, P3: 0 },
+  };
+  return SESSION;
+}
+
+/**
+ * Record token usage from an LLM call.
+ */
+export function recordLlmUsage({ inputTokens = 0, outputTokens = 0, costUsd = 0 } = {}) {
+  if (!SESSION) return;
+  SESSION.inputTokens += inputTokens;
+  SESSION.outputTokens += outputTokens;
+  SESSION.costUsd += costUsd;
+  SESSION.llmCalls += 1;
+}
+
+/**
+ * Record a tool call.
+ */
+export function recordToolCall() {
+  if (!SESSION) return;
+  SESSION.toolCalls += 1;
+}
+
+/**
+ * Record findings.
+ */
+export function recordFindings(summary) {
+  if (!SESSION) return;
+  if (summary?.P0) SESSION.findings.P0 += summary.P0;
+  if (summary?.P1) SESSION.findings.P1 += summary.P1;
+  if (summary?.P2) SESSION.findings.P2 += summary.P2;
+  if (summary?.P3) SESSION.findings.P3 += summary.P3;
+}
+
+/**
+ * Get the current session summary.
+ */
+export function getSessionSummary() {
+  if (!SESSION) return null;
+  const durationMs = Date.now() - SESSION.startedAt;
+  return {
+    command: SESSION.command,
+    durationMs,
+    inputTokens: SESSION.inputTokens,
+    outputTokens: SESSION.outputTokens,
+    totalTokens: SESSION.inputTokens + SESSION.outputTokens,
+    costUsd: SESSION.costUsd,
+    toolCalls: SESSION.toolCalls,
+    llmCalls: SESSION.llmCalls,
+    findings: { ...SESSION.findings },
+  };
+}
+
+/**
+ * Print the session summary to stderr.
+ * Called at the end of any auditable command.
+ */
+export function printSessionSummary() {
+  const summary = getSessionSummary();
+  if (!summary) return;
+
+  const duration = summary.durationMs < 60000
+    ? (summary.durationMs / 1000).toFixed(1) + "s"
+    : (summary.durationMs / 60000).toFixed(1) + "m";
+
+  const tokens = summary.totalTokens > 1000
+    ? (summary.totalTokens / 1000).toFixed(1) + "K"
+    : String(summary.totalTokens);
+
+  const parts = [];
+  parts.push(pc.gray("Run complete:"));
+  parts.push(pc.white(tokens + " tokens"));
+  parts.push(pc.white(summary.toolCalls + " tools"));
+  if (summary.costUsd > 0) parts.push(pc.white("$" + summary.costUsd.toFixed(2)));
+  parts.push(pc.white(duration));
+
+  const findingParts = [];
+  if (summary.findings.P0 > 0) findingParts.push(pc.red("P0=" + summary.findings.P0));
+  if (summary.findings.P1 > 0) findingParts.push(pc.yellow("P1=" + summary.findings.P1));
+  if (summary.findings.P2 > 0) findingParts.push(pc.cyan("P2=" + summary.findings.P2));
+  if (summary.findings.P3 > 0) findingParts.push(pc.gray("P3=" + summary.findings.P3));
+
+  process.stderr.write("\n" + parts.join(" · "));
+  if (findingParts.length > 0) {
+    process.stderr.write(" | " + findingParts.join(" "));
+  }
+  process.stderr.write("\n");
+
+  return summary;
+}

package/src/telemetry/sync.js

@@ -0,0 +1,153 @@
+import { readStoredSession } from "../auth/session-store.js";
+
+/**
+ * Telemetry Sync — uploads CLI run results to sentinelayer-api.
+ *
+ * Called after audit, review, omargate commands complete.
+ * Fire-and-forget: never blocks the CLI, never crashes on failure.
+ * The API stores this data and the web dashboard renders it.
+ *
+ * What syncs:
+ * - Run metadata (command, persona, mode, framework detected)
+ * - Findings summary (P0/P1/P2/P3 counts, blocking status)
+ * - Usage telemetry (tokens, cost, duration, tool calls)
+ * - Stop reason (budget exhausted, max turns, completed, etc.)
+ *
+ * What stays local:
+ * - Full finding details (file:line evidence) — too large for sync
+ * - Ingest artifacts — regenerated locally
+ * - Spec/prompt/guide files — project artifacts
+ */
+
+const SYNC_TIMEOUT_MS = 10000;
+
+/**
+ * Sync a CLI run to the user's sentinelayer dashboard.
+ *
+ * @param {object} runData
+ * @param {string} runData.command - e.g., "audit frontend", "omargate deep", "review scan"
+ * @param {string} [runData.persona] - e.g., "Jules Tanaka"
+ * @param {string} [runData.mode] - e.g., "primary", "deep", "diff"
+ * @param {object} [runData.summary] - { total, P0, P1, P2, P3, blocking }
+ * @param {object} [runData.usage] - { tokens, costUsd, durationMs, toolCalls }
+ * @param {string} [runData.stopReason] - e.g., "completed", "budget_exhausted"
+ * @param {string} [runData.framework] - e.g., "next.js"
+ * @param {object} [runData.reconciliation] - baseline reconciliation summary
+ * @param {object} [runData.runtime] - runtime audit summary (lighthouse scores, headers)
+ * @returns {Promise<{ synced: boolean, reason?: string }>}
+ */
+export async function syncRunToDashboard(runData) {
+  let session;
+  try {
+    session = await readStoredSession();
+  } catch {
+    return { synced: false, reason: "no_session" };
+  }
+
+  if (!session || !session.token) {
+    return { synced: false, reason: "not_authenticated" };
+  }
+
+  const apiUrl = session.apiUrl || "https://api.sentinelayer.com";
+
+  try {
+    // Create a run record
+    const response = await fetch(apiUrl + "/api/v1/runs", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": "Bearer " + session.token,
+      },
+      body: JSON.stringify({
+        mode: mapCommandToMode(runData.command),
+        runtime_profile: "cli_local",
+        repo: detectRepoName(),
+        ref: detectGitRef(),
+        orchestrator_model: runData.persona || "cli",
+        subagent_model: "deterministic",
+        budget: {
+          max_cost_usd: runData.usage?.maxCostUsd || 5.0,
+          max_iterations: runData.usage?.maxTurns || 25,
+        },
+        max_iterations: 1,
+      }),
+      signal: AbortSignal.timeout(SYNC_TIMEOUT_MS),
+    });
+
+    if (!response.ok) {
+      return { synced: false, reason: "api_" + response.status };
+    }
+
+    const created = await response.json();
+    const runId = created.run_id;
+
+    // Post a completion event with telemetry
+    if (runId) {
+      await fetch(apiUrl + "/api/v1/runs/" + runId + "/complete", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": "Bearer " + session.token,
+        },
+        body: JSON.stringify({
+          exit_reason: runData.stopReason || "completed",
+          stop_class: runData.summary?.blocking ? "BLOCKING_FINDINGS" : "CLEAN",
+          summary: {
+            command: runData.command,
+            persona: runData.persona || null,
+            mode: runData.mode || null,
+            framework: runData.framework || null,
+            findings: runData.summary || { total: 0, P0: 0, P1: 0, P2: 0, P3: 0 },
+            usage: {
+              token_usage: runData.usage?.tokens || runData.usage?.outputTokens || 0,
+              cost_usd: runData.usage?.costUsd || 0,
+              duration_ms: runData.usage?.durationMs || 0,
+              tool_calls: runData.usage?.toolCalls || 0,
+            },
+            reconciliation: runData.reconciliation || null,
+            runtime: runData.runtime || null,
+          },
+        }),
+        signal: AbortSignal.timeout(SYNC_TIMEOUT_MS),
+      }).catch(() => {}); // completion event is best-effort
+    }
+
+    return { synced: true, runId };
+  } catch (err) {
+    return { synced: false, reason: err.message };
+  }
+}
+
+function mapCommandToMode(command) {
+  if (!command) return "audit_readonly";
+  const lower = String(command).toLowerCase();
+  if (lower.includes("review")) return "audit_readonly";
+  if (lower.includes("omargate")) return "audit_readonly";
+  if (lower.includes("audit")) return "audit_readonly";
+  if (lower.includes("fix")) return "edit_gated";
+  return "audit_readonly";
+}
+
+function detectRepoName() {
+  try {
+    const { execFileSync } = require("node:child_process");
+    const remote = execFileSync("git", ["remote", "get-url", "origin"], {
+      encoding: "utf-8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"],
+    }).trim();
+    const match = remote.match(/\/([^/]+?)(?:\.git)?$/);
+    return match ? match[1] : "unknown";
+  } catch {
+    return "local";
+  }
+}
+
+function detectGitRef() {
+  try {
+    const { execFileSync } = require("node:child_process");
+    return execFileSync("git", ["rev-parse", "--abbrev-ref", "HEAD"], {
+      encoding: "utf-8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"],
+    }).trim() || "main";
+  } catch {
+    return "main";
+  }
+}