npm - vibecheck-ai - Versions diffs - 2.0.1 → 5.0.0 - Mend

vibecheck-ai 2.0.1 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (456) hide show

package/bin/.generated +25 -0
package/bin/_deprecations.js +463 -0
package/bin/_router.js +46 -0
package/bin/cli-hygiene.js +241 -0
package/bin/dev/run-v2-torture.js +30 -0
package/bin/registry.js +656 -0
package/bin/runners/CLI_REFACTOR_SUMMARY.md +229 -0
package/bin/runners/ENHANCEMENT_GUIDE.md +121 -0
package/bin/runners/REPORT_AUDIT.md +64 -0
package/bin/runners/cli-utils.js +1070 -0
package/bin/runners/context/ai-task-decomposer.js +337 -0
package/bin/runners/context/analyzer.js +513 -0
package/bin/runners/context/api-contracts.js +427 -0
package/bin/runners/context/context-diff.js +342 -0
package/bin/runners/context/context-pruner.js +291 -0
package/bin/runners/context/dependency-graph.js +414 -0
package/bin/runners/context/generators/claude.js +107 -0
package/bin/runners/context/generators/codex.js +108 -0
package/bin/runners/context/generators/copilot.js +119 -0
package/bin/runners/context/generators/cursor-enhanced.js +2525 -0
package/bin/runners/context/generators/cursor.js +514 -0
package/bin/runners/context/generators/mcp.js +169 -0
package/bin/runners/context/generators/windsurf.js +180 -0
package/bin/runners/context/git-context.js +304 -0
package/bin/runners/context/index.js +1110 -0
package/bin/runners/context/insights.js +173 -0
package/bin/runners/context/mcp-server/generate-rules.js +337 -0
package/bin/runners/context/mcp-server/index.js +1176 -0
package/bin/runners/context/mcp-server/package.json +24 -0
package/bin/runners/context/memory.js +200 -0
package/bin/runners/context/monorepo.js +215 -0
package/bin/runners/context/multi-repo-federation.js +404 -0
package/bin/runners/context/patterns.js +253 -0
package/bin/runners/context/proof-context.js +1264 -0
package/bin/runners/context/security-scanner.js +541 -0
package/bin/runners/context/semantic-search.js +350 -0
package/bin/runners/context/shared.js +264 -0
package/bin/runners/context/team-conventions.js +336 -0
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -0
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/change-packet/builder.js +488 -0
package/bin/runners/lib/agent-firewall/change-packet/schema.json +228 -0
package/bin/runners/lib/agent-firewall/change-packet/store.js +200 -0
package/bin/runners/lib/agent-firewall/claims/claim-types.js +21 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +303 -0
package/bin/runners/lib/agent-firewall/claims/patterns.js +24 -0
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/enforcement/gateway.js +1059 -0
package/bin/runners/lib/agent-firewall/enforcement/index.js +98 -0
package/bin/runners/lib/agent-firewall/enforcement/mode.js +318 -0
package/bin/runners/lib/agent-firewall/enforcement/orchestrator.js +484 -0
package/bin/runners/lib/agent-firewall/enforcement/proof-artifact.js +418 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/change-event.schema.json +173 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/intent.schema.json +181 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/verdict.schema.json +222 -0
package/bin/runners/lib/agent-firewall/enforcement/verdict-v2.js +333 -0
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +88 -0
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +75 -0
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +127 -0
package/bin/runners/lib/agent-firewall/evidence/resolver.js +102 -0
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +213 -0
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +145 -0
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +19 -0
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +87 -0
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +184 -0
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +163 -0
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +107 -0
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +68 -0
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +66 -0
package/bin/runners/lib/agent-firewall/index.js +200 -0
package/bin/runners/lib/agent-firewall/integration/index.js +20 -0
package/bin/runners/lib/agent-firewall/integration/ship-gate.js +437 -0
package/bin/runners/lib/agent-firewall/intent/alignment-engine.js +634 -0
package/bin/runners/lib/agent-firewall/intent/auto-detect.js +426 -0
package/bin/runners/lib/agent-firewall/intent/index.js +102 -0
package/bin/runners/lib/agent-firewall/intent/schema.js +352 -0
package/bin/runners/lib/agent-firewall/intent/store.js +283 -0
package/bin/runners/lib/agent-firewall/interception/fs-interceptor.js +502 -0
package/bin/runners/lib/agent-firewall/interception/index.js +23 -0
package/bin/runners/lib/agent-firewall/interceptor/base.js +308 -0
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +34 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/default-policy.json +90 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +103 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +451 -0
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +79 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +227 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +191 -0
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +93 -0
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +57 -0
package/bin/runners/lib/agent-firewall/policy/schema.json +183 -0
package/bin/runners/lib/agent-firewall/policy/verdict.js +54 -0
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +322 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/session/collector.js +451 -0
package/bin/runners/lib/agent-firewall/session/index.js +26 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/agent-firewall/truthpack/index.js +67 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +137 -0
package/bin/runners/lib/agent-firewall/unblock/planner.js +337 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/ai-bridge.js +416 -0
package/bin/runners/lib/analysis-core.js +309 -0
package/bin/runners/lib/analyzers.js +2500 -0
package/bin/runners/lib/api-client.js +269 -0
package/bin/runners/lib/approve-output.js +235 -0
package/bin/runners/lib/artifact-envelope.js +540 -0
package/bin/runners/lib/assets/vibecheck-logo.png +0 -0
package/bin/runners/lib/audit-bridge.js +391 -0
package/bin/runners/lib/auth-shared.js +977 -0
package/bin/runners/lib/auth-truth.js +193 -0
package/bin/runners/lib/auth.js +215 -0
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/backup.js +62 -0
package/bin/runners/lib/billing.js +107 -0
package/bin/runners/lib/checkpoint.js +941 -0
package/bin/runners/lib/claims.js +118 -0
package/bin/runners/lib/classify-output.js +204 -0
package/bin/runners/lib/cleanup/engine.js +571 -0
package/bin/runners/lib/cleanup/index.js +53 -0
package/bin/runners/lib/cleanup/output.js +375 -0
package/bin/runners/lib/cleanup/rules.js +1060 -0
package/bin/runners/lib/cli-output.js +400 -0
package/bin/runners/lib/cli-ui.js +540 -0
package/bin/runners/lib/compliance-bridge-new.js +0 -0
package/bin/runners/lib/compliance-bridge.js +165 -0
package/bin/runners/lib/contracts/auth-contract.js +202 -0
package/bin/runners/lib/contracts/env-contract.js +181 -0
package/bin/runners/lib/contracts/external-contract.js +206 -0
package/bin/runners/lib/contracts/guard.js +168 -0
package/bin/runners/lib/contracts/index.js +89 -0
package/bin/runners/lib/contracts/plan-validator.js +311 -0
package/bin/runners/lib/contracts/route-contract.js +199 -0
package/bin/runners/lib/contracts.js +804 -0
package/bin/runners/lib/default-config.js +127 -0
package/bin/runners/lib/detect.js +89 -0
package/bin/runners/lib/detectors-v2.js +622 -0
package/bin/runners/lib/doctor/autofix.js +254 -0
package/bin/runners/lib/doctor/diagnosis-receipt.js +454 -0
package/bin/runners/lib/doctor/failure-signatures.js +526 -0
package/bin/runners/lib/doctor/fix-script.js +336 -0
package/bin/runners/lib/doctor/index.js +37 -0
package/bin/runners/lib/doctor/modules/build-tools.js +453 -0
package/bin/runners/lib/doctor/modules/dependencies.js +325 -0
package/bin/runners/lib/doctor/modules/index.js +105 -0
package/bin/runners/lib/doctor/modules/network.js +250 -0
package/bin/runners/lib/doctor/modules/os-quirks.js +706 -0
package/bin/runners/lib/doctor/modules/project.js +312 -0
package/bin/runners/lib/doctor/modules/repo-integrity.js +485 -0
package/bin/runners/lib/doctor/modules/runtime.js +224 -0
package/bin/runners/lib/doctor/modules/security.js +350 -0
package/bin/runners/lib/doctor/modules/system.js +213 -0
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -0
package/bin/runners/lib/doctor/reporter.js +262 -0
package/bin/runners/lib/doctor/safe-repair.js +384 -0
package/bin/runners/lib/doctor/service.js +262 -0
package/bin/runners/lib/doctor/types.js +113 -0
package/bin/runners/lib/doctor/ui.js +263 -0
package/bin/runners/lib/doctor-enhanced.js +233 -0
package/bin/runners/lib/doctor-output.js +226 -0
package/bin/runners/lib/doctor-v2.js +608 -0
package/bin/runners/lib/drift.js +425 -0
package/bin/runners/lib/enforcement.js +72 -0
package/bin/runners/lib/engine/ast-cache.js +210 -0
package/bin/runners/lib/engine/auth-extractor.js +211 -0
package/bin/runners/lib/engine/billing-extractor.js +112 -0
package/bin/runners/lib/engine/enforcement-extractor.js +100 -0
package/bin/runners/lib/engine/env-extractor.js +207 -0
package/bin/runners/lib/engine/express-extractor.js +208 -0
package/bin/runners/lib/engine/extractors.js +849 -0
package/bin/runners/lib/engine/index.js +207 -0
package/bin/runners/lib/engine/repo-index.js +514 -0
package/bin/runners/lib/engine/types.js +124 -0
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/attack-detector.js +1192 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/enterprise-detect.js +603 -0
package/bin/runners/lib/enterprise-init.js +942 -0
package/bin/runners/lib/entitlements-v2.js +265 -0
package/bin/runners/lib/entitlements.generated.js +0 -0
package/bin/runners/lib/entitlements.js +340 -0
package/bin/runners/lib/env-resolver.js +417 -0
package/bin/runners/lib/env-template.js +66 -0
package/bin/runners/lib/env.js +189 -0
package/bin/runners/lib/error-handler.js +368 -0
package/bin/runners/lib/error-messages.js +289 -0
package/bin/runners/lib/evidence-pack.js +684 -0
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/extractors/client-calls.js +990 -0
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -0
package/bin/runners/lib/extractors/fastify-routes.js +426 -0
package/bin/runners/lib/extractors/index.js +363 -0
package/bin/runners/lib/extractors/next-routes.js +524 -0
package/bin/runners/lib/extractors/proof-graph.js +431 -0
package/bin/runners/lib/extractors/route-matcher.js +451 -0
package/bin/runners/lib/extractors/truthpack-v2.js +377 -0
package/bin/runners/lib/extractors/ui-bindings.js +547 -0
package/bin/runners/lib/finding-id.js +69 -0
package/bin/runners/lib/finding-sorter.js +89 -0
package/bin/runners/lib/findings-schema.js +281 -0
package/bin/runners/lib/fingerprint.js +377 -0
package/bin/runners/lib/firewall-prompt.js +50 -0
package/bin/runners/lib/fix-output.js +228 -0
package/bin/runners/lib/global-flags.js +250 -0
package/bin/runners/lib/graph/graph-builder.js +265 -0
package/bin/runners/lib/graph/html-renderer.js +413 -0
package/bin/runners/lib/graph/index.js +32 -0
package/bin/runners/lib/graph/runtime-collector.js +215 -0
package/bin/runners/lib/graph/static-extractor.js +518 -0
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/html-proof-report.js +913 -0
package/bin/runners/lib/html-report.js +650 -0
package/bin/runners/lib/init-wizard.js +601 -0
package/bin/runners/lib/interactive-menu.js +1496 -0
package/bin/runners/lib/json-output.js +76 -0
package/bin/runners/lib/llm.js +75 -0
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/meter.js +61 -0
package/bin/runners/lib/missions/briefing.js +427 -0
package/bin/runners/lib/missions/checkpoint.js +753 -0
package/bin/runners/lib/missions/evidence.js +126 -0
package/bin/runners/lib/missions/hardening.js +851 -0
package/bin/runners/lib/missions/plan.js +648 -0
package/bin/runners/lib/missions/safety-gates.js +645 -0
package/bin/runners/lib/missions/schema.js +478 -0
package/bin/runners/lib/missions/templates.js +317 -0
package/bin/runners/lib/next-action.js +560 -0
package/bin/runners/lib/packs/bundle.js +675 -0
package/bin/runners/lib/packs/evidence-pack.js +671 -0
package/bin/runners/lib/packs/pack-factory.js +837 -0
package/bin/runners/lib/packs/permissions-pack.js +686 -0
package/bin/runners/lib/packs/proof-graph-pack.js +779 -0
package/bin/runners/lib/patch.js +40 -0
package/bin/runners/lib/permissions/auth-model.js +213 -0
package/bin/runners/lib/permissions/idor-prover.js +205 -0
package/bin/runners/lib/permissions/index.js +45 -0
package/bin/runners/lib/permissions/matrix-builder.js +198 -0
package/bin/runners/lib/pkgjson.js +28 -0
package/bin/runners/lib/policy.js +295 -0
package/bin/runners/lib/polish/accessibility.js +62 -0
package/bin/runners/lib/polish/analyzer.js +93 -0
package/bin/runners/lib/polish/backend.js +87 -0
package/bin/runners/lib/polish/configuration.js +83 -0
package/bin/runners/lib/polish/documentation.js +83 -0
package/bin/runners/lib/polish/frontend.js +817 -0
package/bin/runners/lib/polish/index.js +27 -0
package/bin/runners/lib/polish/infrastructure.js +80 -0
package/bin/runners/lib/polish/internationalization.js +85 -0
package/bin/runners/lib/polish/libraries.js +180 -0
package/bin/runners/lib/polish/observability.js +75 -0
package/bin/runners/lib/polish/performance.js +64 -0
package/bin/runners/lib/polish/privacy.js +110 -0
package/bin/runners/lib/polish/resilience.js +92 -0
package/bin/runners/lib/polish/security.js +78 -0
package/bin/runners/lib/polish/seo.js +71 -0
package/bin/runners/lib/polish/styles.js +62 -0
package/bin/runners/lib/polish/utils.js +104 -0
package/bin/runners/lib/preflight.js +142 -0
package/bin/runners/lib/prerequisites.js +149 -0
package/bin/runners/lib/prove-output.js +220 -0
package/bin/runners/lib/reality/correlation-detectors.js +359 -0
package/bin/runners/lib/reality/index.js +318 -0
package/bin/runners/lib/reality/request-hashing.js +416 -0
package/bin/runners/lib/reality/request-mapper.js +453 -0
package/bin/runners/lib/reality/safety-rails.js +463 -0
package/bin/runners/lib/reality/semantic-snapshot.js +408 -0
package/bin/runners/lib/reality/toast-detector.js +393 -0
package/bin/runners/lib/reality-findings.js +84 -0
package/bin/runners/lib/reality-output.js +231 -0
package/bin/runners/lib/receipts.js +179 -0
package/bin/runners/lib/redact.js +29 -0
package/bin/runners/lib/replay/capsule-manager.js +154 -0
package/bin/runners/lib/replay/index.js +263 -0
package/bin/runners/lib/replay/player.js +348 -0
package/bin/runners/lib/replay/recorder.js +331 -0
package/bin/runners/lib/report-engine.js +626 -0
package/bin/runners/lib/report-html.js +1233 -0
package/bin/runners/lib/report-output.js +366 -0
package/bin/runners/lib/report-templates.js +967 -0
package/bin/runners/lib/report.js +135 -0
package/bin/runners/lib/route-detection.js +1209 -0
package/bin/runners/lib/route-truth.js +1322 -0
package/bin/runners/lib/safelist/index.js +96 -0
package/bin/runners/lib/safelist/integration.js +334 -0
package/bin/runners/lib/safelist/matcher.js +696 -0
package/bin/runners/lib/safelist/schema.js +948 -0
package/bin/runners/lib/safelist/store.js +438 -0
package/bin/runners/lib/sandbox/index.js +59 -0
package/bin/runners/lib/sandbox/proof-chain.js +399 -0
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -0
package/bin/runners/lib/sandbox/worktree.js +174 -0
package/bin/runners/lib/scan-cache.js +330 -0
package/bin/runners/lib/scan-output-schema.js +344 -0
package/bin/runners/lib/scan-output.js +631 -0
package/bin/runners/lib/scan-runner.js +135 -0
package/bin/runners/lib/schema-validator.js +350 -0
package/bin/runners/lib/schemas/ajv-validator.js +464 -0
package/bin/runners/lib/schemas/contracts.schema.json +160 -0
package/bin/runners/lib/schemas/error-envelope.schema.json +105 -0
package/bin/runners/lib/schemas/finding-v3.schema.json +151 -0
package/bin/runners/lib/schemas/finding.schema.json +100 -0
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -0
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -0
package/bin/runners/lib/schemas/reality-report.schema.json +162 -0
package/bin/runners/lib/schemas/report-artifact.schema.json +120 -0
package/bin/runners/lib/schemas/run-request.schema.json +108 -0
package/bin/runners/lib/schemas/share-pack.schema.json +180 -0
package/bin/runners/lib/schemas/ship-manifest.schema.json +251 -0
package/bin/runners/lib/schemas/ship-report.schema.json +117 -0
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -0
package/bin/runners/lib/schemas/validator.js +465 -0
package/bin/runners/lib/schemas/verdict.schema.json +140 -0
package/bin/runners/lib/score-history.js +282 -0
package/bin/runners/lib/security-bridge.js +249 -0
package/bin/runners/lib/server-usage.js +513 -0
package/bin/runners/lib/share-pack.js +239 -0
package/bin/runners/lib/ship-gate.js +832 -0
package/bin/runners/lib/ship-manifest.js +1153 -0
package/bin/runners/lib/ship-output-enterprise.js +239 -0
package/bin/runners/lib/ship-output.js +1128 -0
package/bin/runners/lib/snippets.js +67 -0
package/bin/runners/lib/status-output.js +340 -0
package/bin/runners/lib/terminal-ui.js +356 -0
package/bin/runners/lib/truth.js +1691 -0
package/bin/runners/lib/ui.js +562 -0
package/bin/runners/lib/unified-cli-output.js +947 -0
package/bin/runners/lib/unified-output.js +197 -0
package/bin/runners/lib/upsell.js +410 -0
package/bin/runners/lib/usage.js +153 -0
package/bin/runners/lib/validate-patch.js +156 -0
package/bin/runners/lib/verdict-engine.js +628 -0
package/bin/runners/lib/verification.js +345 -0
package/bin/runners/lib/why-tree.js +650 -0
package/bin/runners/reality/engine.js +917 -0
package/bin/runners/reality/flows.js +122 -0
package/bin/runners/reality/report.js +378 -0
package/bin/runners/reality/session.js +193 -0
package/bin/runners/runAIAgent.js +229 -0
package/bin/runners/runAgent.d.ts +5 -0
package/bin/runners/runAgent.js +161 -0
package/bin/runners/runAllowlist.js +418 -0
package/bin/runners/runApprove.js +320 -0
package/bin/runners/runAudit.js +692 -0
package/bin/runners/runAuth.js +731 -0
package/bin/runners/runCI.js +353 -0
package/bin/runners/runCheckpoint.js +530 -0
package/bin/runners/runClassify.js +928 -0
package/bin/runners/runCleanup.js +343 -0
package/bin/runners/runContext.d.ts +4 -0
package/bin/runners/runContext.js +175 -0
package/bin/runners/runDoctor.js +877 -0
package/bin/runners/runEvidencePack.js +362 -0
package/bin/runners/runFirewall.d.ts +5 -0
package/bin/runners/runFirewall.js +134 -0
package/bin/runners/runFirewallHook.d.ts +5 -0
package/bin/runners/runFirewallHook.js +56 -0
package/bin/runners/runFix.js +1355 -0
package/bin/runners/runForge.js +451 -0
package/bin/runners/runGuard.js +262 -0
package/bin/runners/runInit.js +1927 -0
package/bin/runners/runIntent.js +906 -0
package/bin/runners/runKickoff.js +878 -0
package/bin/runners/runLabs.js +424 -0
package/bin/runners/runLaunch.js +2000 -0
package/bin/runners/runLink.js +785 -0
package/bin/runners/runMcp.js +1875 -0
package/bin/runners/runPacks.js +2089 -0
package/bin/runners/runPolish.d.ts +4 -0
package/bin/runners/runPolish.js +390 -0
package/bin/runners/runPromptFirewall.js +211 -0
package/bin/runners/runProve.js +1411 -0
package/bin/runners/runQuickstart.js +531 -0
package/bin/runners/runReality.js +2260 -0
package/bin/runners/runReport.js +726 -0
package/bin/runners/runRuntime.js +110 -0
package/bin/runners/runSafelist.js +1190 -0
package/bin/runners/runScan.js +688 -0
package/bin/runners/runShield.js +1282 -0
package/bin/runners/runShip.js +1660 -0
package/bin/runners/runTruth.d.ts +5 -0
package/bin/runners/runTruth.js +101 -0
package/bin/runners/runValidate.js +179 -0
package/bin/runners/runWatch.js +478 -0
package/bin/runners/utils.js +360 -0
package/bin/scan.js +617 -0
package/bin/vibecheck.js +1617 -0
package/dist/guardrail/index.d.ts +2405 -0
package/dist/guardrail/index.js +9747 -0
package/dist/guardrail/index.js.map +1 -0
package/dist/scanner/index.d.ts +282 -0
package/dist/scanner/index.js +3395 -0
package/dist/scanner/index.js.map +1 -0
package/package.json +123 -104
package/README.md +0 -491
package/dist/index.js +0 -99711
package/dist/index.js.map +0 -1

package/bin/runners/lib/engine/auth-extractor.js ADDED Viewed

@@ -0,0 +1,211 @@
+// bin/runners/lib/engine/auth-extractor.js
+// Optimized auth/middleware extraction using RepoIndex
+const path = require("path");
+const fs = require("fs");
+const crypto = require("crypto");
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+function evidenceFromContent(content, fileRel, lineNo, reason) {
+  if (!content) return null;
+  const lines = content.split(/\r?\n/);
+  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
+  const snippet = lines[idx] || "";
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${lineNo}-${lineNo}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+function findLineMatches(code, regex) {
+  const out = [];
+  const lines = code.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    if (regex.test(lines[i])) out.push(i + 1);
+  }
+  return out;
+}
+function guessAuthSignalsFromCode(code) {
+  const signals = [];
+  const patterns = [
+    { key: "next_middleware", rx: /\bNextResponse\.(redirect|rewrite)\b/ },
+    { key: "next_auth", rx: /\bgetServerSession\b|\bNextAuth\b|\bauth\(\)\b/ },
+    { key: "clerk", rx: /\bclerkMiddleware\b|\bauthMiddleware\b|@clerk\/nextjs/ },
+    { key: "supabase", rx: /\bcreateRouteHandlerClient\b|\bcreateServerClient\b|@supabase/ },
+    { key: "jwt_verify", rx: /\b(jwtVerify|verifyJWT|verifyToken|authorization|bearer)\b/i },
+    { key: "session", rx: /\b(session|cookie|setCookie|getCookie)\b/i },
+    { key: "rbac", rx: /\b(role|roles|permissions|rbac|isAdmin|adminOnly)\b/i },
+    { key: "fastify_hook", rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/ },
+    { key: "fastify_jwt", rx: /@fastify\/jwt|fastify-jwt|fastify\.jwt/i },
+  ];
+  for (const p of patterns) {
+    if (p.rx.test(code)) signals.push(p.key);
+  }
+  return Array.from(new Set(signals));
+}
+/**
+ * Resolve Next.js middleware using RepoIndex
+ * @param {import('./repo-index').RepoIndex} index
+ * @returns {Array}
+ */
+function extractNextMiddleware(index) {
+  // Find middleware.ts/js files
+  const middlewareFiles = index.files.filter(f =>
+    /^(src\/)?middleware\.(ts|tsx|js|jsx)$/.test(f.rel)
+  );
+  const middlewares = [];
+  for (const file of middlewareFiles) {
+    const content = index.getContent(file.abs);
+    if (!content) continue;
+    const matcherLines = findLineMatches(content, /\bmatcher\b/);
+    const redirectLines = findLineMatches(content, /\bNextResponse\.(redirect|rewrite)\b/);
+    const evidence = [];
+    for (const ln of matcherLines.slice(0, 5)) {
+      evidence.push(evidenceFromContent(content, file.rel, ln, "Next middleware matcher config"));
+    }
+    for (const ln of redirectLines.slice(0, 5)) {
+      evidence.push(evidenceFromContent(content, file.rel, ln, "Next middleware redirect/rewrite"));
+    }
+    const matcher = [];
+    const matcherBlock = content.match(/matcher\s*:\s*(\[[\s\S]*?\])/);
+    if (matcherBlock && matcherBlock[1]) {
+      const raw = matcherBlock[1];
+      const strings = Array.from(raw.matchAll(/['"`]([^'"`]+)['"`]/g)).map(m => m[1]);
+      matcher.push(...strings);
+    }
+    middlewares.push({
+      file: file.rel,
+      matcher,
+      signals: guessAuthSignalsFromCode(content),
+      evidence
+    });
+  }
+  return middlewares;
+}
+/**
+ * Resolve Fastify auth signals using RepoIndex
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Array} truthpackRoutes - Server routes from truthpack
+ * @returns {Object}
+ */
+function extractFastifyAuthSignals(index, truthpackRoutes) {
+  const handlerFiles = new Set((truthpackRoutes || []).map(r => r.handler).filter(Boolean));
+  const signals = [];
+  const evidence = [];
+  for (const fileRel of handlerFiles) {
+    // Try to get content from index first (fast path)
+    const fileAbs = path.join(index.repoRoot, fileRel);
+    let content = index.getContent(fileAbs);
+    // Fall back to direct read if not in index
+    if (!content) {
+      try {
+        content = fs.readFileSync(fileAbs, "utf8");
+      } catch {
+        continue;
+      }
+    }
+    const sigs = guessAuthSignalsFromCode(content);
+    if (!sigs.length) continue;
+    for (const s of sigs) signals.push({ type: s, file: fileRel });
+    const authLinePatterns = [
+      { rx: /\.addHook\(\s*['"](onRequest|preHandler|preValidation)['"]/, reason: "Fastify hook likely used for auth" },
+      { rx: /\b(jwtVerify|authorization|bearer)\b/i, reason: "JWT/Authorization verification signal" },
+      { rx: /@fastify\/jwt|fastify\.jwt/i, reason: "Fastify JWT plugin signal" },
+      { rx: /\b(isAdmin|adminOnly|permissions|rbac)\b/i, reason: "RBAC/permissions signal" },
+    ];
+    const lines = content.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      for (const p of authLinePatterns) {
+        if (p.rx.test(line)) {
+          evidence.push(evidenceFromContent(content, fileRel, i + 1, p.reason));
+        }
+      }
+      if (evidence.length > 30) break;
+    }
+  }
+  const uniqueTypes = Array.from(new Set(signals.map(s => s.type)));
+  return {
+    signalTypes: uniqueTypes,
+    signals,
+    evidence
+  };
+}
+function matcherCoversPath(matcherList, p) {
+  if (!Array.isArray(matcherList) || !matcherList.length) return false;
+  const pathStr = p.startsWith("/") ? p : `/${p}`;
+  return matcherList.some(m => {
+    if (!m) return false;
+    if (m.includes(":path*")) {
+      const prefix = m.split(":path*")[0].replace(/\/$/, "");
+      return pathStr.startsWith(prefix || "/");
+    }
+    if (m.includes("(.*)")) {
+      const prefix = m.split("(.*)")[0].replace(/\/$/, "");
+      return pathStr.startsWith(prefix || "/");
+    }
+    if (m === pathStr) return true;
+    if (pathStr.startsWith(m.endsWith("/") ? m : m + "/")) return true;
+    return false;
+  });
+}
+/**
+ * Build auth truth using RepoIndex (optimized)
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Array} serverRoutes
+ * @returns {Object}
+ */
+function buildAuthTruthV2(index, serverRoutes) {
+  const middlewares = extractNextMiddleware(index);
+  const matchers = middlewares.flatMap(mw => mw.matcher || []);
+  const fastify = extractFastifyAuthSignals(index, serverRoutes);
+  return {
+    nextMiddleware: middlewares,
+    nextMatcherPatterns: matchers,
+    fastify,
+    helpers: {
+      matcherCoversPath: "runtime-only"
+    }
+  };
+}
+module.exports = {
+  buildAuthTruthV2,
+  extractNextMiddleware,
+  extractFastifyAuthSignals,
+  matcherCoversPath,
+  guessAuthSignalsFromCode,
+};

package/bin/runners/lib/engine/billing-extractor.js ADDED Viewed

@@ -0,0 +1,112 @@
+// bin/runners/lib/engine/billing-extractor.js
+// Optimized billing/Stripe extraction using RepoIndex
+const path = require("path");
+const crypto = require("crypto");
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+function evidenceFromContent(content, fileRel, lineNo, reason) {
+  if (!content) return null;
+  const lines = content.split(/\r?\n/);
+  const idx = Math.max(0, Math.min(lines.length - 1, lineNo - 1));
+  const snippet = lines[idx] || "";
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${lineNo}-${lineNo}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+function findLineMatches(code, regex) {
+  const out = [];
+  const lines = code.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    if (regex.test(lines[i])) out.push(i + 1);
+  }
+  return out;
+}
+function classifyStripeSignals(code) {
+  return {
+    usesStripeSdk: /\bstripe\b/i.test(code) && /from\s+['"]stripe['"]|require\(['"]stripe['"]\)/.test(code),
+    webhookConstructEvent: /\bconstructEvent(Async)?\b/.test(code) || /\bstripe\.webhooks\.constructEvent\b/.test(code),
+    readsStripeSignatureHeader: /stripe-signature/i.test(code) || /\bStripe-Signature\b/.test(code),
+    rawBodySignal:
+      /\bbodyParser\s*:\s*false\b/.test(code) ||
+      /\breq\.(text|arrayBuffer)\(\)/.test(code) ||
+      /\brawBody\b/.test(code) || /\brequest\.raw\b/.test(code) || /\bcontentTypeParser\b/i.test(code),
+    idempotencySignal:
+      /\bevent\.id\b/.test(code) && /\b(prisma|db|redis|cache|processed|dedupe|idempotent)\b/i.test(code) ||
+      /\bidempotenc(y|e)\b/i.test(code)
+  };
+}
+/**
+ * Build billing truth using RepoIndex (optimized)
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Object} stats
+ * @returns {Object}
+ */
+function buildBillingTruthV2(index, stats) {
+  // Use token prefilter - only scan files that mention stripe
+  const candidateAbs = index.getByAnyToken(["stripe", "Stripe"]);
+  // Filter to JS/TS files
+  const jsExtensions = new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
+  const files = candidateAbs.filter(abs => {
+    const ext = path.extname(abs).toLowerCase();
+    return jsExtensions.has(ext);
+  });
+  const webhookCandidates = [];
+  const stripeFiles = [];
+  for (const fileAbs of files) {
+    const fileRel = index.relPath(fileAbs);
+    const content = index.getContent(fileAbs);
+    if (!content) continue;
+    const signals = classifyStripeSignals(content);
+    if (signals.usesStripeSdk) stripeFiles.push(fileRel);
+    if (signals.webhookConstructEvent || signals.readsStripeSignatureHeader) {
+      const ev = [];
+      const lines1 = findLineMatches(content, /\bconstructEvent(Async)?\b|stripe\.webhooks\.constructEvent/);
+      const lines2 = findLineMatches(content, /stripe-signature|Stripe-Signature/i);
+      const lines3 = findLineMatches(content, /bodyParser\s*:\s*false|req\.(text|arrayBuffer)\(|rawBody|contentTypeParser/i);
+      const lines4 = findLineMatches(content, /event\.id|idempotenc(y|e)|dedupe|processed/i);
+      for (const ln of lines1.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Stripe webhook signature constructEvent signal"));
+      for (const ln of lines2.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Stripe-Signature header usage signal"));
+      for (const ln of lines3.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Raw body handling signal (required for Stripe verification)"));
+      for (const ln of lines4.slice(0, 3)) ev.push(evidenceFromContent(content, fileRel, ln, "Idempotency/dedupe signal (event replay protection)"));
+      webhookCandidates.push({
+        file: fileRel,
+        signals,
+        evidence: ev
+      });
+    }
+  }
+  const hasStripe = stripeFiles.length > 0;
+  return {
+    hasStripe,
+    stripeFiles: stripeFiles.slice(0, 200),
+    webhookCandidates,
+    summary: {
+      webhookHandlersFound: webhookCandidates.length,
+      verifiedWebhookHandlers: webhookCandidates.filter(w => w.signals.webhookConstructEvent && w.signals.rawBodySignal).length,
+      idempotentWebhookHandlers: webhookCandidates.filter(w => w.signals.idempotencySignal).length
+    }
+  };
+}
+module.exports = { buildBillingTruthV2 };

package/bin/runners/lib/engine/enforcement-extractor.js ADDED Viewed

@@ -0,0 +1,100 @@
+// bin/runners/lib/engine/enforcement-extractor.js
+// Optimized enforcement extraction using RepoIndex
+const path = require("path");
+const fs = require("fs");
+const ENFORCE_HINTS = [
+  "enforceFeature",
+  "enforceLimit",
+  "getEntitlements",
+  "requirePlan",
+  "requireTier",
+  "requireSubscription",
+  "checkAccess",
+  "entitlements",
+  "plan",
+  "tier",
+  "subscription",
+  "stripe",
+  "credits"
+];
+function looksPaidSurface(routePath) {
+  const p = String(routePath || "");
+  return (
+    p.includes("/api/ship") ||
+    p.includes("/api/verdict") ||
+    p.includes("/api/fix") ||
+    p.includes("/api/autopilot") ||
+    p.includes("/api/missions") ||
+    p.includes("/api/pr") ||
+    p.includes("/api/credits") ||
+    p.includes("/api/billing") ||
+    p.includes("/api/stripe") ||
+    p.includes("/api/entitlements")
+  );
+}
+/**
+ * Check if handler has enforcement signal using RepoIndex
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {string} handlerRel
+ * @returns {{ ok: boolean, hits: string[] }}
+ */
+function handlerHasEnforcementSignalV2(index, handlerRel) {
+  const fileAbs = path.join(index.repoRoot, handlerRel);
+  // Try to get content from index first (fast path)
+  let content = index.getContent(fileAbs);
+  // Fall back to direct read if not in index
+  if (!content) {
+    try {
+      content = fs.readFileSync(fileAbs, "utf8");
+    } catch {
+      return { ok: false, hits: [] };
+    }
+  }
+  const hits = ENFORCE_HINTS.filter(k => content.includes(k));
+  return { ok: hits.length > 0, hits };
+}
+/**
+ * Build enforcement truth using RepoIndex (optimized)
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Array} serverRoutes
+ * @returns {Object}
+ */
+function buildEnforcementTruthV2(index, serverRoutes) {
+  const checked = [];
+  const routeList = serverRoutes || [];
+  for (const r of routeList) {
+    if (!r.handler) continue;
+    if (!looksPaidSurface(r.path)) continue;
+    const res = handlerHasEnforcementSignalV2(index, r.handler);
+    checked.push({
+      method: r.method,
+      path: r.path,
+      handler: r.handler,
+      enforced: res.ok,
+      hits: res.hits
+    });
+  }
+  return {
+    checkedCount: checked.length,
+    enforcedCount: checked.filter(x => x.enforced).length,
+    missingCount: checked.filter(x => !x.enforced).length,
+    checks: checked
+  };
+}
+module.exports = {
+  buildEnforcementTruthV2,
+  ENFORCE_HINTS,
+  looksPaidSurface,
+};

package/bin/runners/lib/engine/env-extractor.js ADDED Viewed

@@ -0,0 +1,207 @@
+// bin/runners/lib/engine/env-extractor.js
+// Optimized env var extraction using RepoIndex
+const path = require("path");
+const fs = require("fs");
+const crypto = require("crypto");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { globalASTCache } = require("./ast-cache");
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+function isEnvName(s) {
+  return typeof s === "string" && /^[A-Z0-9_]+$/.test(s);
+}
+function extractEnvFromMemberExpr(node) {
+  if (!t.isMemberExpression(node)) return null;
+  // process.env.NAME
+  if (t.isMemberExpression(node.object) &&
+      t.isIdentifier(node.object.object, { name: "process" }) &&
+      t.isIdentifier(node.object.property, { name: "env" }) &&
+      t.isIdentifier(node.property)) {
+    return node.property.name;
+  }
+  // process.env["NAME"]
+  if (t.isMemberExpression(node.object) &&
+      t.isIdentifier(node.object.object, { name: "process" }) &&
+      t.isIdentifier(node.object.property, { name: "env" }) &&
+      t.isStringLiteral(node.property)) {
+    return node.property.value;
+  }
+  // import.meta.env.NAME
+  if (t.isMemberExpression(node.object) &&
+      t.isMemberExpression(node.object.object) &&
+      t.isIdentifier(node.object.object.object, { name: "import" }) &&
+      t.isIdentifier(node.object.object.property, { name: "meta" }) &&
+      t.isIdentifier(node.object.property, { name: "env" }) &&
+      t.isIdentifier(node.property)) {
+    return node.property.name;
+  }
+  return null;
+}
+function detectDefaultSignals(parentPath) {
+  const p = parentPath?.parentPath;
+  if (!p) return { hasDefault: false };
+  if (p.isLogicalExpression() && (p.node.operator === "||" || p.node.operator === "??")) {
+    return { hasDefault: true };
+  }
+  if (p.isConditionalExpression()) return { hasDefault: true };
+  if (p.isAssignmentExpression() && p.node.operator === "||=") return { hasDefault: true };
+  return { hasDefault: false };
+}
+function evidenceFromContent(content, fileRel, loc, reason) {
+  if (!loc || !content) return null;
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(1, loc.start?.line || 1);
+  const end = Math.max(start, loc.end?.line || start);
+  const snippet = lines.slice(start - 1, end).join("\n");
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${start}-${end}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+function parseDotEnvLike(content) {
+  const out = new Set();
+  const lines = content.split(/\r?\n/);
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (!line || line.startsWith("#")) continue;
+    const l = line.startsWith("export ") ? line.slice(7).trim() : line;
+    const eq = l.indexOf("=");
+    if (eq <= 0) continue;
+    const key = l.slice(0, eq).trim();
+    if (isEnvName(key)) out.add(key);
+  }
+  return out;
+}
+/**
+ * Extract env var usage using RepoIndex
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Object} stats
+ * @returns {Object} - Map of env var name to usage info
+ */
+function extractEnvUsage(index, stats) {
+  // Use token prefilter - only scan files that reference process.env or import.meta.env
+  const candidateAbs = index.getByAnyToken(["process.env", "import.meta.env"]);
+  // Filter to JS/TS files
+  const jsExtensions = new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
+  const files = candidateAbs.filter(abs => {
+    const ext = path.extname(abs).toLowerCase();
+    return jsExtensions.has(ext);
+  });
+  const usageMap = {};
+  for (const fileAbs of files) {
+    const fileRel = index.relPath(fileAbs);
+    const content = index.getContent(fileAbs);
+    if (!content) continue;
+    const { ast, error } = globalASTCache.parse(content, fileAbs);
+    if (error || !ast) {
+      stats.parseErrors++;
+      continue;
+    }
+    try {
+      traverse(ast, {
+        MemberExpression(p) {
+          const name = extractEnvFromMemberExpr(p.node);
+          if (!name || !isEnvName(name)) return;
+          usageMap[name] = usageMap[name] || { name, references: [], signals: { hasDefault: false } };
+          const ev = evidenceFromContent(content, fileRel, p.node.loc, `Env usage: ${name}`);
+          if (ev) usageMap[name].references.push(ev);
+          const sig = detectDefaultSignals(p);
+          if (sig.hasDefault) usageMap[name].signals.hasDefault = true;
+        }
+      });
+    } catch {
+      stats.parseErrors++;
+    }
+  }
+  return usageMap;
+}
+/**
+ * Extract declared env vars from .env files
+ * @param {string} repoRoot
+ * @returns {{ declared: string[], sources: string[] }}
+ */
+function extractEnvDeclared(repoRoot) {
+  const candidates = [
+    ".env.example", ".env.template", ".env.sample",
+    ".env.local.example", ".env.development.example",
+    ".env"
+  ];
+  const declared = new Set();
+  const sources = [];
+  for (const rel of candidates) {
+    const abs = path.join(repoRoot, rel);
+    try {
+      if (!fs.existsSync(abs)) continue;
+      const content = fs.readFileSync(abs, "utf8");
+      const keys = parseDotEnvLike(content);
+      if (keys.size) {
+        for (const k of keys) declared.add(k);
+        sources.push(rel);
+      }
+    } catch {}
+  }
+  return { declared: Array.from(declared).sort(), sources };
+}
+/**
+ * Build env truth using RepoIndex (optimized)
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Object} stats
+ * @returns {Object}
+ */
+function buildEnvTruthV2(index, stats) {
+  const usageMap = extractEnvUsage(index, stats);
+  const declared = extractEnvDeclared(index.repoRoot);
+  const used = Object.values(usageMap).sort((a, b) => a.name.localeCompare(b.name));
+  const vars = used.map(u => ({
+    name: u.name,
+    required: !u.signals?.hasDefault,
+    references: u.references || [],
+    notes: u.signals?.hasDefault ? "Has default/fallback usage signal" : ""
+  }));
+  return {
+    vars,
+    declared: declared.declared,
+    declaredSources: declared.sources
+  };
+}
+module.exports = {
+  extractEnvUsage,
+  extractEnvDeclared,
+  buildEnvTruthV2,
+};