vaspera 2.5.0

package/dist/commands/audits/deps.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deps.d.ts","sourceRoot":"","sources":["../../../src/commands/audits/deps.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,eAAO,MAAM,IAAI,EAAE,gBAsDlB,CAAC"}

package/dist/commands/audits/deps.js

@@ -0,0 +1,56 @@
+export const deps = {
+    name: "deps",
+    description: "Dependency audit — outdated packages, vulnerabilities, unused deps, missing peers",
+    content: `Perform a comprehensive dependency audit.
+
+## 1. Security Vulnerabilities
+- Run \`npm audit\` or \`pnpm audit\`
+- List all vulnerabilities by severity (critical, high, moderate, low)
+- For each: package name, vulnerability, fix available?
+- Run \`npm audit fix\` for safe auto-fixes (no breaking changes)
+- List vulnerabilities that require manual intervention
+
+## 2. Outdated Packages
+- Run \`npm outdated\` or equivalent
+- Categorize:
+  - **CRITICAL**: Major versions behind on security-sensitive packages (next, react, supabase, auth libs)
+  - **RECOMMENDED**: Minor/patch updates available
+  - **OPTIONAL**: Major version updates that may have breaking changes
+- For critical packages, check changelogs for breaking changes
+
+## 3. Unused Dependencies
+- Scan package.json dependencies
+- For each, search the codebase for actual usage
+- List packages that appear unused (no imports found)
+- Check for packages only used in config files (postcss, tailwind plugins, etc.)
+
+## 4. Missing Peer Dependencies
+- Check for peer dependency warnings
+- Ensure all required peers are installed
+
+## 5. Duplicate Packages
+- Check for multiple versions of the same package in node_modules
+- List duplicates and which packages require them
+
+## Output: DEPS-AUDIT.md
+
+### Summary
+- Vulnerabilities: X critical, X high, X moderate
+- Outdated: X packages
+- Unused: X packages (X KB potential savings)
+- Missing peers: X
+
+### Action Items (prioritized)
+1. [CRITICAL] Update package-x to fix CVE-XXXX
+2. [HIGH] Remove unused dep-y
+...
+
+### Safe to Auto-Fix
+List commands that can be run safely:
+\`\`\`bash
+npm audit fix
+npm update package-a package-b
+npm uninstall unused-package
+\`\`\``
+};
+//# sourceMappingURL=deps.js.map

package/dist/commands/audits/deps.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deps.js","sourceRoot":"","sources":["../../../src/commands/audits/deps.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,IAAI,GAAqB;IACpC,IAAI,EAAE,MAAM;IACZ,WAAW,EAAE,mFAAmF;IAChG,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkDJ;CACN,CAAC"}

package/dist/commands/audits/errors.d.ts

@@ -0,0 +1,3 @@
+import type { HardeningCommand } from "../types.js";
+export declare const errors: HardeningCommand;
+//# sourceMappingURL=errors.d.ts.map

package/dist/commands/audits/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../src/commands/audits/errors.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,eAAO,MAAM,MAAM,EAAE,gBA+DpB,CAAC"}

package/dist/commands/audits/errors.js

@@ -0,0 +1,65 @@
+export const errors = {
+    name: "errors",
+    description: "Error handling audit — unhandled promises, missing boundaries, incomplete error states",
+    content: `Audit error handling completeness across the codebase.
+
+## 1. Unhandled Promise Rejections
+Scan every async function and Promise for:
+- await without try/catch
+- .then() without .catch()
+- Promise.all/race/allSettled without error handling
+- Supabase queries without checking .error
+- fetch() calls without checking response.ok
+
+For each: file:line, the async operation, what could fail
+
+## 2. React Error Boundaries
+- Check if root layout has an Error Boundary
+- Check if major data-fetching sections have boundaries
+- Check if error.tsx exists for each route segment (Next.js)
+- Verify boundaries have useful fallback UI, not just "Something went wrong"
+
+## 3. API Route Error Handling
+For every API route and server action:
+- Does it have a top-level try/catch?
+- Does it return consistent error shapes?
+- Does it avoid leaking stack traces to client?
+- Does it log errors with context?
+- Does it return appropriate HTTP status codes?
+
+## 4. Form Error States
+For every form component:
+- Does it display validation errors?
+- Does it handle submission errors?
+- Does it disable submit button during submission?
+- Does it show error messages clearly?
+
+## 5. Data Fetching Error States
+For every component that fetches data:
+- Does it handle loading state?
+- Does it handle error state with retry option?
+- Does it handle empty state?
+- Does it handle partial failures (some data loads, some fails)?
+
+## 6. External Service Failures
+For every external API call (Stripe, SendGrid, etc.):
+- Is there timeout handling?
+- Is there retry logic for transient failures?
+- Is there graceful degradation?
+
+## Output: ERROR-HANDLING-REPORT.md
+
+### Risk Summary
+- Unhandled async operations: X (CRITICAL if > 0)
+- Missing error boundaries: X locations
+- API routes without proper error handling: X
+- Forms without error display: X
+- Components without error states: X
+
+### Critical Fixes Required
+[List each unhandled async operation with fix]
+
+### Recommended Improvements
+[Prioritized list of error handling improvements]`
+};
+//# sourceMappingURL=errors.js.map

package/dist/commands/audits/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../../src/commands/audits/errors.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,MAAM,GAAqB;IACtC,IAAI,EAAE,QAAQ;IACd,WAAW,EAAE,wFAAwF;IACrG,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kDA2DuC;CACjD,CAAC"}

package/dist/commands/audits/index.d.ts

@@ -0,0 +1,3 @@
+import type { HardeningCommand } from "../types.js";
+export declare const COMMANDS: Record<string, HardeningCommand>;
+//# sourceMappingURL=index.d.ts.map

package/dist/commands/audits/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/commands/audits/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAQpD,eAAO,MAAM,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAOrD,CAAC"}

package/dist/commands/audits/index.js

@@ -0,0 +1,15 @@
+import { deps } from "./deps.js";
+import { deadcode } from "./deadcode.js";
+import { errors } from "./errors.js";
+import { secrets } from "./secrets.js";
+import { apiCheck } from "./api-check.js";
+import { perf } from "./perf.js";
+export const COMMANDS = {
+    deps,
+    deadcode,
+    errors,
+    secrets,
+    "api-check": apiCheck,
+    perf,
+};
+//# sourceMappingURL=index.js.map

package/dist/commands/audits/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/commands/audits/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,CAAC,MAAM,QAAQ,GAAqC;IACxD,IAAI;IACJ,QAAQ;IACR,MAAM;IACN,OAAO;IACP,WAAW,EAAE,QAAQ;IACrB,IAAI;CACL,CAAC"}

package/dist/commands/audits/perf.d.ts

@@ -0,0 +1,3 @@
+import type { HardeningCommand } from "../types.js";
+export declare const perf: HardeningCommand;
+//# sourceMappingURL=perf.d.ts.map

package/dist/commands/audits/perf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"perf.d.ts","sourceRoot":"","sources":["../../../src/commands/audits/perf.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,eAAO,MAAM,IAAI,EAAE,gBAmFlB,CAAC"}

package/dist/commands/audits/perf.js

@@ -0,0 +1,85 @@
+export const perf = {
+    name: "perf",
+    description: "Performance audit — N+1 queries, bundle size, missing pagination, unoptimized images",
+    content: `Audit for common performance issues.
+
+## 1. Database Query Analysis
+Scan for N+1 query patterns:
+- Loops that make database calls (for/forEach/map containing await supabase)
+- Multiple sequential queries that could be joined
+- Missing .select() specificity (selecting * when only needing 2 fields)
+- Missing indexes (queries filtering on non-indexed columns)
+
+For Supabase specifically:
+- .single() calls that could fail on 0 or 2+ results
+- Missing .limit() on potentially large result sets
+- Realtime subscriptions on entire tables vs filtered
+
+## 2. Missing Pagination
+Find all data-fetching operations that:
+- Return unbounded arrays
+- Don't accept page/limit parameters
+- Could return 1000+ rows
+
+## 3. Bundle Size Analysis
+- Check for large dependencies imported unnecessarily
+- Identify dynamic imports that should be used (heavy components loaded on all pages)
+- Find barrel imports that include unused code (import { x } from 'lodash' vs 'lodash/x')
+- Check if next/dynamic or React.lazy is used for heavy components
+
+## 4. Image Optimization
+Scan for:
+- Images not using next/image (or equivalent)
+- Missing width/height props (causes layout shift)
+- Large images served without srcset
+- Images in public/ that should be optimized
+- Missing blur placeholder for LCP images
+
+## 5. API Response Size
+Check API routes for:
+- Returning more data than needed (full objects when only ID needed)
+- Missing field selection
+- No response compression
+- Large payloads that should be paginated
+
+## 6. Client-Side Performance
+Scan components for:
+- Heavy computations without useMemo
+- Unnecessary re-renders (object/array literals in deps)
+- Event handlers recreated on every render
+- Missing key props on lists
+- Expensive operations in render (should be in useEffect)
+
+## 7. Caching Opportunities
+Identify:
+- Repeated identical API calls
+- Data that changes rarely but is fetched frequently
+- Missing revalidation strategies
+- No ISR on mostly-static pages
+
+## Output: PERF-AUDIT.md
+
+### Critical Issues (will cause production problems)
+- N+1 queries: X locations
+- Unbounded queries: X locations
+
+### High Impact Improvements
+| Issue | Location | Impact | Fix |
+|-------|----------|--------|-----|
+| N+1 in user list | pages/users.tsx:45 | High | Use .in() query |
+
+### Bundle Size
+- Largest dependencies: [list]
+- Candidates for dynamic import: [list]
+- Unused imports: [list]
+
+### Image Optimization
+- X images not using next/image
+- X images missing dimensions
+
+### Recommended Actions (prioritized by impact)
+1. Fix N+1 query in X
+2. Add pagination to Y endpoint
+3. Dynamic import Z component`
+};
+//# sourceMappingURL=perf.js.map

package/dist/commands/audits/perf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"perf.js","sourceRoot":"","sources":["../../../src/commands/audits/perf.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,IAAI,GAAqB;IACpC,IAAI,EAAE,MAAM;IACZ,WAAW,EAAE,sFAAsF;IACnG,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BA+EmB;CAC7B,CAAC"}

package/dist/commands/audits/secrets.d.ts

@@ -0,0 +1,3 @@
+import type { HardeningCommand } from "../types.js";
+export declare const secrets: HardeningCommand;
+//# sourceMappingURL=secrets.d.ts.map

package/dist/commands/audits/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../../src/commands/audits/secrets.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,eAAO,MAAM,OAAO,EAAE,gBAqErB,CAAC"}

package/dist/commands/audits/secrets.js

@@ -0,0 +1,71 @@
+export const secrets = {
+    name: "secrets",
+    description: "Secrets and environment audit — hardcoded keys, env validation, missing documentation",
+    content: `Audit secrets management and environment configuration.
+
+## 1. Hardcoded Secrets Scan
+Search entire codebase for:
+- API keys (patterns: sk_live, pk_live, api_key=, apiKey:, Bearer)
+- Database URLs (postgres://, mysql://, mongodb://)
+- AWS credentials (AKIA, aws_secret)
+- Private keys (-----BEGIN RSA PRIVATE KEY-----)
+- OAuth secrets (client_secret)
+- Webhook secrets
+- JWT secrets
+- Encryption keys
+- Service account JSON
+
+CRITICAL: Any match in non-env files is a security incident.
+
+## 2. Environment Variable Usage
+Scan for all process.env.* usage:
+- List every environment variable the app expects
+- Check if each has a fallback or throws on missing
+- Check if validation exists (Zod schema, t3-env, etc.)
+- Identify variables used but not documented
+
+## 3. Env File Analysis
+Check .env.example or .env.template:
+- Does it exist?
+- Does it list ALL required variables?
+- Are there variables in code not in the template?
+- Are there template variables no longer used?
+
+## 4. Client-Side Exposure
+In Next.js/React:
+- Check for NEXT_PUBLIC_* variables
+- Ensure no secret should be NEXT_PUBLIC_
+- Verify client-side code doesn't access non-public env vars
+
+## 5. Git History Check
+- Check if .env files were ever committed (even if now in .gitignore)
+- Check if secrets appear in any committed file's history
+- Warn: if secrets were committed, they must be rotated
+
+## 6. Doppler/Secrets Manager Integration
+- Check if using Doppler, Vault, AWS Secrets Manager, etc.
+- Verify all production secrets are in secrets manager, not env files
+- Check for proper environment separation (dev/staging/prod)
+
+## Output: SECRETS-AUDIT.md
+
+### CRITICAL ISSUES (fix immediately)
+- Hardcoded secrets found: [list with file:line]
+- Secrets committed to git history: [list]
+
+### Environment Variables
+| Variable | Used In | Documented | Has Validation |
+|----------|---------|------------|----------------|
+| DATABASE_URL | lib/db.ts | ✓ | ✗ |
+
+### Missing from .env.example
+- STRIPE_WEBHOOK_SECRET
+- RESEND_API_KEY
+
+### Recommendations
+1. Rotate any exposed secrets
+2. Add env validation with Zod
+3. Update .env.example
+4. Set up Doppler for production`
+};
+//# sourceMappingURL=secrets.js.map

package/dist/commands/audits/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../../src/commands/audits/secrets.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,OAAO,GAAqB;IACvC,IAAI,EAAE,SAAS;IACf,WAAW,EAAE,uFAAuF;IACpG,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iCAiEsB;CAChC,CAAC"}

package/dist/commands/certification/certify.d.ts

@@ -0,0 +1,3 @@
+import type { HardeningCommand } from "../types.js";
+export declare const certify: HardeningCommand;
+//# sourceMappingURL=certify.d.ts.map

package/dist/commands/certification/certify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"certify.d.ts","sourceRoot":"","sources":["../../../src/commands/certification/certify.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,eAAO,MAAM,OAAO,EAAE,gBA0GrB,CAAC"}

package/dist/commands/certification/certify.js

@@ -0,0 +1,108 @@
+export const certify = {
+    name: "certify",
+    description: "Full enterprise certification pipeline — runs all agents and produces certification",
+    content: `Run the complete enterprise certification pipeline.
+
+## Overview
+
+This command orchestrates a multi-agent validation process to certify a codebase for enterprise deployment. Multiple specialized agents run in parallel, cross-verify findings, and an adversarial red team validates the results.
+
+## Process
+
+### Phase 1: Initialize Certification
+- Generate certification ID: cert-{project}-{timestamp}
+- Create certification directory: .vaspera/certifications/{id}/
+- Call certification_start to initialize
+
+### Phase 2: Parallel Agent Execution
+Run these agents IN PARALLEL (use Claude Code's Task tool with multiple agents):
+
+1. **Security Agent** - Run /certification-security
+2. **Reliability Agent** - Run /certification-reliability
+3. **TypeSafety Agent** - Run /certification-typesafety
+4. **Performance Agent** - Run /certification-performance
+5. **Quality Agent** - Run /certification-quality
+
+Each agent scans the codebase and outputs findings. There are two modes:
+
+**Option A: Direct MCP (if running in main session)**
+- Agents call agent_submit_finding for each finding
+- Agents call agent_complete with summary
+
+**Option B: JSON Output (if running as subagents via Task tool)**
+Since subagents don't have MCP tool access, they output findings as JSON.
+After ALL agents complete, YOU (the main orchestrator) must:
+1. Parse the JSON output from each subagent's response
+2. Call agent_submit_finding for EACH finding from each agent
+3. Call agent_complete for each agent's summary
+
+The JSON format each agent outputs:
+\`\`\`json
+{
+  "agent": "security",
+  "findings": [...],
+  "summary": {...}
+}
+\`\`\`
+
+Submit each finding and summary via MCP tools before proceeding to Phase 3
+
+### Phase 3: Cross-Verification
+After all 5 agents complete, critical findings must be cross-verified:
+
+**Option A: Automatic (Recommended)**
+- Call certification_cross_verify with mode: "auto"
+- System automatically verifies critical findings based on agent domain overlap
+- Security findings verified by Reliability + RedTeam
+- Reliability findings verified by Security + Quality
+- TypeSafety findings verified by Quality + Performance
+- Performance findings verified by Reliability + Quality
+- Quality findings verified by TypeSafety + Reliability
+
+**Option B: Manual**
+- Use agent_cross_verify for individual findings
+- Required when auto-verification cannot determine validity
+
+**Note:** certification_consensus will auto-trigger cross-verification if blocked
+
+### Phase 4: Red Team
+- Run /certification-redteam agent
+- Has access to all prior findings
+- Challenges clean areas
+- Submits new findings and disputes
+
+### Phase 5: Consensus Calculation
+- Call certification_consensus to calculate scores
+- Auto-cross-verification runs if needed (enabled by default)
+- Weighted scoring: Security 30%, Reliability 25%, TypeSafety 15%, Performance 15%, Quality 10%, RedTeam 5%
+- Determine certification level
+
+### Phase 6: Finalize
+- Call certification_finalize
+- Generate CERTIFICATION.md with full report
+- Generate CERTIFICATION.json for machine reading
+
+## Certification Levels
+
+| Level | Score | Criteria |
+|-------|-------|----------|
+| CERTIFIED | 90-100 | No critical/high issues, red team clear |
+| APPROVED | 70-89 | No critical, high mitigated |
+| REVIEW_REQUIRED | 40-69 | Multiple issues, action required |
+| BLOCKED | 0-39 | Critical vulnerabilities found |
+
+## Output
+
+After completion:
+- .vaspera/certifications/{id}/ - Full audit trail
+- CERTIFICATION.md - Human-readable report
+- CERTIFICATION.json - Machine-readable data
+
+## Important
+
+- Do NOT skip any agent
+- Cross-verification is required for critical findings
+- Red team must complete before finalization
+- Certification expires after 30 days OR when project files change (whichever comes first)`
+};
+//# sourceMappingURL=certify.js.map

package/dist/commands/certification/certify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"certify.js","sourceRoot":"","sources":["../../../src/commands/certification/certify.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,OAAO,GAAqB;IACvC,IAAI,EAAE,SAAS;IACf,WAAW,EAAE,qFAAqF;IAClG,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2FAsGgF;CAC1F,CAAC"}

package/dist/commands/certification/index.d.ts

@@ -0,0 +1,3 @@
+import type { HardeningCommand } from "../types.js";
+export declare const COMMANDS: Record<string, HardeningCommand>;
+//# sourceMappingURL=index.d.ts.map

package/dist/commands/certification/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/commands/certification/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AASpD,eAAO,MAAM,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAQrD,CAAC"}

package/dist/commands/certification/index.js

@@ -0,0 +1,17 @@
+import { certificationSecurity } from "./security.js";
+import { certificationReliability } from "./reliability.js";
+import { certificationTypesafety } from "./typesafety.js";
+import { certificationPerformance } from "./performance.js";
+import { certificationQuality } from "./quality.js";
+import { certificationRedteam } from "./redteam.js";
+import { certify } from "./certify.js";
+export const COMMANDS = {
+    "certification-security": certificationSecurity,
+    "certification-reliability": certificationReliability,
+    "certification-typesafety": certificationTypesafety,
+    "certification-performance": certificationPerformance,
+    "certification-quality": certificationQuality,
+    "certification-redteam": certificationRedteam,
+    certify,
+};
+//# sourceMappingURL=index.js.map

package/dist/commands/certification/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/commands/certification/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,MAAM,CAAC,MAAM,QAAQ,GAAqC;IACxD,wBAAwB,EAAE,qBAAqB;IAC/C,2BAA2B,EAAE,wBAAwB;IACrD,0BAA0B,EAAE,uBAAuB;IACnD,2BAA2B,EAAE,wBAAwB;IACrD,uBAAuB,EAAE,oBAAoB;IAC7C,uBAAuB,EAAE,oBAAoB;IAC7C,OAAO;CACR,CAAC"}

package/dist/commands/certification/performance.d.ts

@@ -0,0 +1,3 @@
+import type { HardeningCommand } from "../types.js";
+export declare const certificationPerformance: HardeningCommand;
+//# sourceMappingURL=performance.d.ts.map

package/dist/commands/certification/performance.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"performance.d.ts","sourceRoot":"","sources":["../../../src/commands/certification/performance.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,eAAO,MAAM,wBAAwB,EAAE,gBAuFtC,CAAC"}

package/dist/commands/certification/performance.js

@@ -0,0 +1,89 @@
+export const certificationPerformance = {
+    name: "certification-performance",
+    description: "Performance validation agent for enterprise certification",
+    content: `You are the PERFORMANCE VALIDATION AGENT for enterprise certification.
+
+Your mission: Find performance issues that will cause production problems at scale.
+
+## What to Scan
+
+### Database Performance
+- N+1 query patterns
+- Missing pagination on large datasets
+- Unbounded result sets
+- Missing database indexes (inferred from query patterns)
+- Inefficient Supabase queries
+
+### Bundle Performance
+- Large dependencies
+- Missing code splitting
+- Barrel imports pulling entire libraries
+- Missing dynamic imports for heavy components
+
+### Rendering Performance
+- Missing React.memo where needed
+- Expensive computations in render
+- Unnecessary re-renders
+- Missing useMemo/useCallback
+- Large list rendering without virtualization
+
+### API Performance
+- Overfetching data
+- Missing response caching
+- No ISR/SSR optimization
+- Large payloads without compression
+
+### Image Performance
+- Unoptimized images
+- Missing next/image usage
+- Missing lazy loading
+- Missing width/height causing CLS
+
+## Execution
+
+1. Search for database query patterns
+2. Analyze bundle imports
+3. Document each finding with:
+   - Unique ID (perf-001, perf-002, etc.)
+   - Evidence with file:line references
+   - Confidence score
+   - Severity
+
+### If you have MCP tool access:
+- Call agent_submit_finding for each finding
+- Call agent_complete with your summary when done
+
+### If running as a subagent (no MCP access):
+Output your findings as JSON at the end in this exact format:
+\`\`\`json
+{
+  "agent": "performance",
+  "findings": [
+    {
+      "id": "perf-001",
+      "severity": "high|medium|low|info|critical",
+      "category": "category name",
+      "file": "path/to/file.ts",
+      "line": 42,
+      "description": "What the issue is",
+      "evidence": "Code snippet or explanation",
+      "confidence": 85
+    }
+  ],
+  "summary": {
+    "total_findings": 3,
+    "by_severity": {"critical": 0, "high": 1, "medium": 2, "low": 0, "info": 0},
+    "confidence_score": 85,
+    "coverage_areas": ["database", "bundle-size"]
+  }
+}
+\`\`\`
+
+## Confidence Scoring
+- 95-100: Measurable performance impact proven
+- 80-94: Will definitely degrade at scale
+- 60-79: High probability performance hit
+- 40-59: May cause issues under specific conditions
+- <40: Optimization opportunity, not a problem`
+};
+//# sourceMappingURL=performance.js.map

package/dist/commands/certification/performance.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"performance.js","sourceRoot":"","sources":["../../../src/commands/certification/performance.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,wBAAwB,GAAqB;IACxD,IAAI,EAAE,2BAA2B;IACjC,WAAW,EAAE,2DAA2D;IACxE,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;+CAmFoC;CAC9C,CAAC"}

package/dist/commands/certification/quality.d.ts

@@ -0,0 +1,3 @@
+import type { HardeningCommand } from "../types.js";
+export declare const certificationQuality: HardeningCommand;
+//# sourceMappingURL=quality.d.ts.map

package/dist/commands/certification/quality.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"quality.d.ts","sourceRoot":"","sources":["../../../src/commands/certification/quality.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,eAAO,MAAM,oBAAoB,EAAE,gBA0FlC,CAAC"}