npm - vibecheck-ai - Versions diffs - 2.0.1 → 5.0.0 - Mend

vibecheck-ai 2.0.1 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (456) hide show

package/bin/.generated +25 -0
package/bin/_deprecations.js +463 -0
package/bin/_router.js +46 -0
package/bin/cli-hygiene.js +241 -0
package/bin/dev/run-v2-torture.js +30 -0
package/bin/registry.js +656 -0
package/bin/runners/CLI_REFACTOR_SUMMARY.md +229 -0
package/bin/runners/ENHANCEMENT_GUIDE.md +121 -0
package/bin/runners/REPORT_AUDIT.md +64 -0
package/bin/runners/cli-utils.js +1070 -0
package/bin/runners/context/ai-task-decomposer.js +337 -0
package/bin/runners/context/analyzer.js +513 -0
package/bin/runners/context/api-contracts.js +427 -0
package/bin/runners/context/context-diff.js +342 -0
package/bin/runners/context/context-pruner.js +291 -0
package/bin/runners/context/dependency-graph.js +414 -0
package/bin/runners/context/generators/claude.js +107 -0
package/bin/runners/context/generators/codex.js +108 -0
package/bin/runners/context/generators/copilot.js +119 -0
package/bin/runners/context/generators/cursor-enhanced.js +2525 -0
package/bin/runners/context/generators/cursor.js +514 -0
package/bin/runners/context/generators/mcp.js +169 -0
package/bin/runners/context/generators/windsurf.js +180 -0
package/bin/runners/context/git-context.js +304 -0
package/bin/runners/context/index.js +1110 -0
package/bin/runners/context/insights.js +173 -0
package/bin/runners/context/mcp-server/generate-rules.js +337 -0
package/bin/runners/context/mcp-server/index.js +1176 -0
package/bin/runners/context/mcp-server/package.json +24 -0
package/bin/runners/context/memory.js +200 -0
package/bin/runners/context/monorepo.js +215 -0
package/bin/runners/context/multi-repo-federation.js +404 -0
package/bin/runners/context/patterns.js +253 -0
package/bin/runners/context/proof-context.js +1264 -0
package/bin/runners/context/security-scanner.js +541 -0
package/bin/runners/context/semantic-search.js +350 -0
package/bin/runners/context/shared.js +264 -0
package/bin/runners/context/team-conventions.js +336 -0
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -0
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/change-packet/builder.js +488 -0
package/bin/runners/lib/agent-firewall/change-packet/schema.json +228 -0
package/bin/runners/lib/agent-firewall/change-packet/store.js +200 -0
package/bin/runners/lib/agent-firewall/claims/claim-types.js +21 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +303 -0
package/bin/runners/lib/agent-firewall/claims/patterns.js +24 -0
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/enforcement/gateway.js +1059 -0
package/bin/runners/lib/agent-firewall/enforcement/index.js +98 -0
package/bin/runners/lib/agent-firewall/enforcement/mode.js +318 -0
package/bin/runners/lib/agent-firewall/enforcement/orchestrator.js +484 -0
package/bin/runners/lib/agent-firewall/enforcement/proof-artifact.js +418 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/change-event.schema.json +173 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/intent.schema.json +181 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/verdict.schema.json +222 -0
package/bin/runners/lib/agent-firewall/enforcement/verdict-v2.js +333 -0
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +88 -0
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +75 -0
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +127 -0
package/bin/runners/lib/agent-firewall/evidence/resolver.js +102 -0
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +213 -0
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +145 -0
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +19 -0
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +87 -0
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +184 -0
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +163 -0
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +107 -0
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +68 -0
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +66 -0
package/bin/runners/lib/agent-firewall/index.js +200 -0
package/bin/runners/lib/agent-firewall/integration/index.js +20 -0
package/bin/runners/lib/agent-firewall/integration/ship-gate.js +437 -0
package/bin/runners/lib/agent-firewall/intent/alignment-engine.js +634 -0
package/bin/runners/lib/agent-firewall/intent/auto-detect.js +426 -0
package/bin/runners/lib/agent-firewall/intent/index.js +102 -0
package/bin/runners/lib/agent-firewall/intent/schema.js +352 -0
package/bin/runners/lib/agent-firewall/intent/store.js +283 -0
package/bin/runners/lib/agent-firewall/interception/fs-interceptor.js +502 -0
package/bin/runners/lib/agent-firewall/interception/index.js +23 -0
package/bin/runners/lib/agent-firewall/interceptor/base.js +308 -0
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +34 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/default-policy.json +90 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +103 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +451 -0
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +79 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +227 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +191 -0
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +93 -0
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +57 -0
package/bin/runners/lib/agent-firewall/policy/schema.json +183 -0
package/bin/runners/lib/agent-firewall/policy/verdict.js +54 -0
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +322 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/session/collector.js +451 -0
package/bin/runners/lib/agent-firewall/session/index.js +26 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/agent-firewall/truthpack/index.js +67 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +137 -0
package/bin/runners/lib/agent-firewall/unblock/planner.js +337 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/ai-bridge.js +416 -0
package/bin/runners/lib/analysis-core.js +309 -0
package/bin/runners/lib/analyzers.js +2500 -0
package/bin/runners/lib/api-client.js +269 -0
package/bin/runners/lib/approve-output.js +235 -0
package/bin/runners/lib/artifact-envelope.js +540 -0
package/bin/runners/lib/assets/vibecheck-logo.png +0 -0
package/bin/runners/lib/audit-bridge.js +391 -0
package/bin/runners/lib/auth-shared.js +977 -0
package/bin/runners/lib/auth-truth.js +193 -0
package/bin/runners/lib/auth.js +215 -0
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/backup.js +62 -0
package/bin/runners/lib/billing.js +107 -0
package/bin/runners/lib/checkpoint.js +941 -0
package/bin/runners/lib/claims.js +118 -0
package/bin/runners/lib/classify-output.js +204 -0
package/bin/runners/lib/cleanup/engine.js +571 -0
package/bin/runners/lib/cleanup/index.js +53 -0
package/bin/runners/lib/cleanup/output.js +375 -0
package/bin/runners/lib/cleanup/rules.js +1060 -0
package/bin/runners/lib/cli-output.js +400 -0
package/bin/runners/lib/cli-ui.js +540 -0
package/bin/runners/lib/compliance-bridge-new.js +0 -0
package/bin/runners/lib/compliance-bridge.js +165 -0
package/bin/runners/lib/contracts/auth-contract.js +202 -0
package/bin/runners/lib/contracts/env-contract.js +181 -0
package/bin/runners/lib/contracts/external-contract.js +206 -0
package/bin/runners/lib/contracts/guard.js +168 -0
package/bin/runners/lib/contracts/index.js +89 -0
package/bin/runners/lib/contracts/plan-validator.js +311 -0
package/bin/runners/lib/contracts/route-contract.js +199 -0
package/bin/runners/lib/contracts.js +804 -0
package/bin/runners/lib/default-config.js +127 -0
package/bin/runners/lib/detect.js +89 -0
package/bin/runners/lib/detectors-v2.js +622 -0
package/bin/runners/lib/doctor/autofix.js +254 -0
package/bin/runners/lib/doctor/diagnosis-receipt.js +454 -0
package/bin/runners/lib/doctor/failure-signatures.js +526 -0
package/bin/runners/lib/doctor/fix-script.js +336 -0
package/bin/runners/lib/doctor/index.js +37 -0
package/bin/runners/lib/doctor/modules/build-tools.js +453 -0
package/bin/runners/lib/doctor/modules/dependencies.js +325 -0
package/bin/runners/lib/doctor/modules/index.js +105 -0
package/bin/runners/lib/doctor/modules/network.js +250 -0
package/bin/runners/lib/doctor/modules/os-quirks.js +706 -0
package/bin/runners/lib/doctor/modules/project.js +312 -0
package/bin/runners/lib/doctor/modules/repo-integrity.js +485 -0
package/bin/runners/lib/doctor/modules/runtime.js +224 -0
package/bin/runners/lib/doctor/modules/security.js +350 -0
package/bin/runners/lib/doctor/modules/system.js +213 -0
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -0
package/bin/runners/lib/doctor/reporter.js +262 -0
package/bin/runners/lib/doctor/safe-repair.js +384 -0
package/bin/runners/lib/doctor/service.js +262 -0
package/bin/runners/lib/doctor/types.js +113 -0
package/bin/runners/lib/doctor/ui.js +263 -0
package/bin/runners/lib/doctor-enhanced.js +233 -0
package/bin/runners/lib/doctor-output.js +226 -0
package/bin/runners/lib/doctor-v2.js +608 -0
package/bin/runners/lib/drift.js +425 -0
package/bin/runners/lib/enforcement.js +72 -0
package/bin/runners/lib/engine/ast-cache.js +210 -0
package/bin/runners/lib/engine/auth-extractor.js +211 -0
package/bin/runners/lib/engine/billing-extractor.js +112 -0
package/bin/runners/lib/engine/enforcement-extractor.js +100 -0
package/bin/runners/lib/engine/env-extractor.js +207 -0
package/bin/runners/lib/engine/express-extractor.js +208 -0
package/bin/runners/lib/engine/extractors.js +849 -0
package/bin/runners/lib/engine/index.js +207 -0
package/bin/runners/lib/engine/repo-index.js +514 -0
package/bin/runners/lib/engine/types.js +124 -0
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/attack-detector.js +1192 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/enterprise-detect.js +603 -0
package/bin/runners/lib/enterprise-init.js +942 -0
package/bin/runners/lib/entitlements-v2.js +265 -0
package/bin/runners/lib/entitlements.generated.js +0 -0
package/bin/runners/lib/entitlements.js +340 -0
package/bin/runners/lib/env-resolver.js +417 -0
package/bin/runners/lib/env-template.js +66 -0
package/bin/runners/lib/env.js +189 -0
package/bin/runners/lib/error-handler.js +368 -0
package/bin/runners/lib/error-messages.js +289 -0
package/bin/runners/lib/evidence-pack.js +684 -0
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/extractors/client-calls.js +990 -0
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -0
package/bin/runners/lib/extractors/fastify-routes.js +426 -0
package/bin/runners/lib/extractors/index.js +363 -0
package/bin/runners/lib/extractors/next-routes.js +524 -0
package/bin/runners/lib/extractors/proof-graph.js +431 -0
package/bin/runners/lib/extractors/route-matcher.js +451 -0
package/bin/runners/lib/extractors/truthpack-v2.js +377 -0
package/bin/runners/lib/extractors/ui-bindings.js +547 -0
package/bin/runners/lib/finding-id.js +69 -0
package/bin/runners/lib/finding-sorter.js +89 -0
package/bin/runners/lib/findings-schema.js +281 -0
package/bin/runners/lib/fingerprint.js +377 -0
package/bin/runners/lib/firewall-prompt.js +50 -0
package/bin/runners/lib/fix-output.js +228 -0
package/bin/runners/lib/global-flags.js +250 -0
package/bin/runners/lib/graph/graph-builder.js +265 -0
package/bin/runners/lib/graph/html-renderer.js +413 -0
package/bin/runners/lib/graph/index.js +32 -0
package/bin/runners/lib/graph/runtime-collector.js +215 -0
package/bin/runners/lib/graph/static-extractor.js +518 -0
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/html-proof-report.js +913 -0
package/bin/runners/lib/html-report.js +650 -0
package/bin/runners/lib/init-wizard.js +601 -0
package/bin/runners/lib/interactive-menu.js +1496 -0
package/bin/runners/lib/json-output.js +76 -0
package/bin/runners/lib/llm.js +75 -0
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/meter.js +61 -0
package/bin/runners/lib/missions/briefing.js +427 -0
package/bin/runners/lib/missions/checkpoint.js +753 -0
package/bin/runners/lib/missions/evidence.js +126 -0
package/bin/runners/lib/missions/hardening.js +851 -0
package/bin/runners/lib/missions/plan.js +648 -0
package/bin/runners/lib/missions/safety-gates.js +645 -0
package/bin/runners/lib/missions/schema.js +478 -0
package/bin/runners/lib/missions/templates.js +317 -0
package/bin/runners/lib/next-action.js +560 -0
package/bin/runners/lib/packs/bundle.js +675 -0
package/bin/runners/lib/packs/evidence-pack.js +671 -0
package/bin/runners/lib/packs/pack-factory.js +837 -0
package/bin/runners/lib/packs/permissions-pack.js +686 -0
package/bin/runners/lib/packs/proof-graph-pack.js +779 -0
package/bin/runners/lib/patch.js +40 -0
package/bin/runners/lib/permissions/auth-model.js +213 -0
package/bin/runners/lib/permissions/idor-prover.js +205 -0
package/bin/runners/lib/permissions/index.js +45 -0
package/bin/runners/lib/permissions/matrix-builder.js +198 -0
package/bin/runners/lib/pkgjson.js +28 -0
package/bin/runners/lib/policy.js +295 -0
package/bin/runners/lib/polish/accessibility.js +62 -0
package/bin/runners/lib/polish/analyzer.js +93 -0
package/bin/runners/lib/polish/backend.js +87 -0
package/bin/runners/lib/polish/configuration.js +83 -0
package/bin/runners/lib/polish/documentation.js +83 -0
package/bin/runners/lib/polish/frontend.js +817 -0
package/bin/runners/lib/polish/index.js +27 -0
package/bin/runners/lib/polish/infrastructure.js +80 -0
package/bin/runners/lib/polish/internationalization.js +85 -0
package/bin/runners/lib/polish/libraries.js +180 -0
package/bin/runners/lib/polish/observability.js +75 -0
package/bin/runners/lib/polish/performance.js +64 -0
package/bin/runners/lib/polish/privacy.js +110 -0
package/bin/runners/lib/polish/resilience.js +92 -0
package/bin/runners/lib/polish/security.js +78 -0
package/bin/runners/lib/polish/seo.js +71 -0
package/bin/runners/lib/polish/styles.js +62 -0
package/bin/runners/lib/polish/utils.js +104 -0
package/bin/runners/lib/preflight.js +142 -0
package/bin/runners/lib/prerequisites.js +149 -0
package/bin/runners/lib/prove-output.js +220 -0
package/bin/runners/lib/reality/correlation-detectors.js +359 -0
package/bin/runners/lib/reality/index.js +318 -0
package/bin/runners/lib/reality/request-hashing.js +416 -0
package/bin/runners/lib/reality/request-mapper.js +453 -0
package/bin/runners/lib/reality/safety-rails.js +463 -0
package/bin/runners/lib/reality/semantic-snapshot.js +408 -0
package/bin/runners/lib/reality/toast-detector.js +393 -0
package/bin/runners/lib/reality-findings.js +84 -0
package/bin/runners/lib/reality-output.js +231 -0
package/bin/runners/lib/receipts.js +179 -0
package/bin/runners/lib/redact.js +29 -0
package/bin/runners/lib/replay/capsule-manager.js +154 -0
package/bin/runners/lib/replay/index.js +263 -0
package/bin/runners/lib/replay/player.js +348 -0
package/bin/runners/lib/replay/recorder.js +331 -0
package/bin/runners/lib/report-engine.js +626 -0
package/bin/runners/lib/report-html.js +1233 -0
package/bin/runners/lib/report-output.js +366 -0
package/bin/runners/lib/report-templates.js +967 -0
package/bin/runners/lib/report.js +135 -0
package/bin/runners/lib/route-detection.js +1209 -0
package/bin/runners/lib/route-truth.js +1322 -0
package/bin/runners/lib/safelist/index.js +96 -0
package/bin/runners/lib/safelist/integration.js +334 -0
package/bin/runners/lib/safelist/matcher.js +696 -0
package/bin/runners/lib/safelist/schema.js +948 -0
package/bin/runners/lib/safelist/store.js +438 -0
package/bin/runners/lib/sandbox/index.js +59 -0
package/bin/runners/lib/sandbox/proof-chain.js +399 -0
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -0
package/bin/runners/lib/sandbox/worktree.js +174 -0
package/bin/runners/lib/scan-cache.js +330 -0
package/bin/runners/lib/scan-output-schema.js +344 -0
package/bin/runners/lib/scan-output.js +631 -0
package/bin/runners/lib/scan-runner.js +135 -0
package/bin/runners/lib/schema-validator.js +350 -0
package/bin/runners/lib/schemas/ajv-validator.js +464 -0
package/bin/runners/lib/schemas/contracts.schema.json +160 -0
package/bin/runners/lib/schemas/error-envelope.schema.json +105 -0
package/bin/runners/lib/schemas/finding-v3.schema.json +151 -0
package/bin/runners/lib/schemas/finding.schema.json +100 -0
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -0
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -0
package/bin/runners/lib/schemas/reality-report.schema.json +162 -0
package/bin/runners/lib/schemas/report-artifact.schema.json +120 -0
package/bin/runners/lib/schemas/run-request.schema.json +108 -0
package/bin/runners/lib/schemas/share-pack.schema.json +180 -0
package/bin/runners/lib/schemas/ship-manifest.schema.json +251 -0
package/bin/runners/lib/schemas/ship-report.schema.json +117 -0
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -0
package/bin/runners/lib/schemas/validator.js +465 -0
package/bin/runners/lib/schemas/verdict.schema.json +140 -0
package/bin/runners/lib/score-history.js +282 -0
package/bin/runners/lib/security-bridge.js +249 -0
package/bin/runners/lib/server-usage.js +513 -0
package/bin/runners/lib/share-pack.js +239 -0
package/bin/runners/lib/ship-gate.js +832 -0
package/bin/runners/lib/ship-manifest.js +1153 -0
package/bin/runners/lib/ship-output-enterprise.js +239 -0
package/bin/runners/lib/ship-output.js +1128 -0
package/bin/runners/lib/snippets.js +67 -0
package/bin/runners/lib/status-output.js +340 -0
package/bin/runners/lib/terminal-ui.js +356 -0
package/bin/runners/lib/truth.js +1691 -0
package/bin/runners/lib/ui.js +562 -0
package/bin/runners/lib/unified-cli-output.js +947 -0
package/bin/runners/lib/unified-output.js +197 -0
package/bin/runners/lib/upsell.js +410 -0
package/bin/runners/lib/usage.js +153 -0
package/bin/runners/lib/validate-patch.js +156 -0
package/bin/runners/lib/verdict-engine.js +628 -0
package/bin/runners/lib/verification.js +345 -0
package/bin/runners/lib/why-tree.js +650 -0
package/bin/runners/reality/engine.js +917 -0
package/bin/runners/reality/flows.js +122 -0
package/bin/runners/reality/report.js +378 -0
package/bin/runners/reality/session.js +193 -0
package/bin/runners/runAIAgent.js +229 -0
package/bin/runners/runAgent.d.ts +5 -0
package/bin/runners/runAgent.js +161 -0
package/bin/runners/runAllowlist.js +418 -0
package/bin/runners/runApprove.js +320 -0
package/bin/runners/runAudit.js +692 -0
package/bin/runners/runAuth.js +731 -0
package/bin/runners/runCI.js +353 -0
package/bin/runners/runCheckpoint.js +530 -0
package/bin/runners/runClassify.js +928 -0
package/bin/runners/runCleanup.js +343 -0
package/bin/runners/runContext.d.ts +4 -0
package/bin/runners/runContext.js +175 -0
package/bin/runners/runDoctor.js +877 -0
package/bin/runners/runEvidencePack.js +362 -0
package/bin/runners/runFirewall.d.ts +5 -0
package/bin/runners/runFirewall.js +134 -0
package/bin/runners/runFirewallHook.d.ts +5 -0
package/bin/runners/runFirewallHook.js +56 -0
package/bin/runners/runFix.js +1355 -0
package/bin/runners/runForge.js +451 -0
package/bin/runners/runGuard.js +262 -0
package/bin/runners/runInit.js +1927 -0
package/bin/runners/runIntent.js +906 -0
package/bin/runners/runKickoff.js +878 -0
package/bin/runners/runLabs.js +424 -0
package/bin/runners/runLaunch.js +2000 -0
package/bin/runners/runLink.js +785 -0
package/bin/runners/runMcp.js +1875 -0
package/bin/runners/runPacks.js +2089 -0
package/bin/runners/runPolish.d.ts +4 -0
package/bin/runners/runPolish.js +390 -0
package/bin/runners/runPromptFirewall.js +211 -0
package/bin/runners/runProve.js +1411 -0
package/bin/runners/runQuickstart.js +531 -0
package/bin/runners/runReality.js +2260 -0
package/bin/runners/runReport.js +726 -0
package/bin/runners/runRuntime.js +110 -0
package/bin/runners/runSafelist.js +1190 -0
package/bin/runners/runScan.js +688 -0
package/bin/runners/runShield.js +1282 -0
package/bin/runners/runShip.js +1660 -0
package/bin/runners/runTruth.d.ts +5 -0
package/bin/runners/runTruth.js +101 -0
package/bin/runners/runValidate.js +179 -0
package/bin/runners/runWatch.js +478 -0
package/bin/runners/utils.js +360 -0
package/bin/scan.js +617 -0
package/bin/vibecheck.js +1617 -0
package/dist/guardrail/index.d.ts +2405 -0
package/dist/guardrail/index.js +9747 -0
package/dist/guardrail/index.js.map +1 -0
package/dist/scanner/index.d.ts +282 -0
package/dist/scanner/index.js +3395 -0
package/dist/scanner/index.js.map +1 -0
package/package.json +123 -104
package/README.md +0 -491
package/dist/index.js +0 -99711
package/dist/index.js.map +0 -1

package/bin/registry.js ADDED Viewed

@@ -0,0 +1,656 @@
+/**
+ * Vibecheck CLI Command Registry
+ *
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * VERSION 5.0.0 — CLEAN SURFACE
+ * ═══════════════════════════════════════════════════════════════════════════════
+ *
+ * Single source of truth for the public CLI surface.
+ *
+ * 12 top-level commands. Everything else is a subcommand, alias, or hidden.
+ * Product story: Scan → Ship → Certify
+ *
+ * 2-tier model:
+ * - FREE ($0): Inspect & Observe
+ * - PRO ($49/mo): Fix, Prove & Enforce
+ *
+ * @version 5.0.0
+ */
+"use strict";
+// ─────────────────────────────────────────────────────────────
+// 12 TOP-LEVEL COMMANDS (the only things users see in --help)
+// ─────────────────────────────────────────────────────────────
+const ALLOWED_COMMANDS = new Set([
+  "kickoff",
+  "scan",
+  "ship",
+  "fix",
+  "certify",
+  "report",
+  "reality",
+  "firewall",
+  "ci",
+  "mcp",
+  "config",
+  "doctor",
+]);
+function assertAllowedOnly(obj) {
+  const extras = Object.keys(obj).filter((k) => !ALLOWED_COMMANDS.has(k));
+  if (extras.length) {
+    throw new Error(`Registry contains non-allowed commands: ${extras.join(", ")}`);
+  }
+}
+// ─────────────────────────────────────────────────────────────
+// 12 COMMANDS — Clean Surface
+// ─────────────────────────────────────────────────────────────
+const COMMANDS = {
+  // ══════════════════════════════════════════════════════════════
+  // GETTING STARTED
+  // ══════════════════════════════════════════════════════════════
+  kickoff: {
+    description: "Get started in 60 seconds — detects your project, wires everything, first scan + verdict",
+    longDescription: "One command onboarding: link → detect → config → forge → first scan → first ship result → (optional) connect account. Absorbs init, setup, quickstart, link.",
+    tier: "free",
+    category: "start",
+    runner: () => require("./runners/runKickoff").runKickoff,
+    subcommands: [
+      { name: "link", description: "Bind project (<10s, zero questions)" },
+      { name: "config", description: "Edit project configuration" },
+      { name: "doctor", description: "Check environment health" },
+    ],
+    examples: [
+      { command: "vibecheck kickoff", description: "60-second first run" },
+      { command: "vibecheck kickoff --fast", description: "30-second fast mode" },
+      { command: "vibecheck kickoff --no-ship", description: "Skip ship verdict" },
+    ],
+    related: ["scan", "ship", "doctor"],
+  },
+  doctor: {
+    description: "Environment + dependency + config health check",
+    longDescription: "Comprehensive diagnostics for your development environment.",
+    tier: "free",
+    category: "start",
+    runner: () => require("./runners/runDoctor").runDoctor,
+    examples: [
+      { command: "vibecheck doctor", description: "Run all health checks" },
+      { command: "vibecheck doctor --fix", description: "Auto-fix detected issues" },
+      { command: "vibecheck doctor --json", description: "Output as JSON" },
+    ],
+    related: ["kickoff", "config"],
+  },
+  // ══════════════════════════════════════════════════════════════
+  // CORE LOOP: Scan → Ship → Certify
+  // ══════════════════════════════════════════════════════════════
+  scan: {
+    description: "Analyze your project — find code that LOOKS done but DOESN'T work",
+    longDescription: "The unified analysis command. Detects dead routes, ghost env vars, fake success UI, auth drift, mock landmines, silent failures. Subcommands for targeted scans.",
+    tier: "free",
+    category: "core",
+    runner: () => require("./runners/runScan").runScan,
+    subcommands: [
+      { name: "secrets", description: "Scan for leaked secrets & credentials" },
+      { name: "vulns", description: "Scan dependencies for vulnerabilities (OSV/CVE)" },
+      { name: "routes", description: "Scan for dead/orphan routes" },
+      { name: "env", description: "Scan for ghost environment variables" },
+      { name: "auth", description: "Scan for auth drift & unprotected endpoints" },
+    ],
+    examples: [
+      { command: "vibecheck scan", description: "Full project scan" },
+      { command: "vibecheck scan secrets", description: "Secrets only" },
+      { command: "vibecheck scan vulns", description: "Vulnerability scan" },
+      { command: "vibecheck scan --deep", description: "Deep cross-file analysis" },
+      { command: "vibecheck scan --fail-on critical", description: "CI gate mode" },
+      { command: "vibecheck scan --sarif", description: "SARIF output for GitHub" },
+    ],
+    related: ["ship", "fix", "certify"],
+  },
+  ship: {
+    description: "Verdict engine — SHIP / WARN / BLOCK",
+    longDescription: "The final word on whether your code is ready to ship. Includes preflight mode for comprehensive pre-release validation.",
+    tier: "pro",
+    category: "core",
+    runner: () => require("./runners/runShip").runShip,
+    subcommands: [
+      { name: "preflight", description: "Pre-release validation wizard (last 10 min before deploy)" },
+    ],
+    examples: [
+      { command: "vibecheck ship", description: "Get shipping verdict" },
+      { command: "vibecheck ship --strict", description: "Fail on warnings" },
+      { command: "vibecheck ship preflight", description: "Full pre-release checklist" },
+      { command: "vibecheck ship preflight --ci", description: "CI mode (non-interactive)" },
+    ],
+    related: ["scan", "fix", "certify"],
+  },
+  fix: {
+    description: "Mission-based auto-fix with safety gates",
+    longDescription: "Fix Missions V2 — 'Missions, not chaos'. Small, reversible fix missions with pre-flight/post-flight safety gates, checkpoint-based rollback, and plan-only mode.",
+    tier: "pro",
+    category: "core",
+    runner: () => require("./runners/runFix").runFix,
+    subcommands: [
+      { name: "missions", description: "List fix missions grouped by category" },
+      { name: "checkpoint", description: "Snapshot & restore (time machine)" },
+      { name: "polish", description: "Final production cleanup" },
+    ],
+    examples: [
+      { command: "vibecheck fix", description: "Plan missions (no changes)" },
+      { command: "vibecheck fix --apply", description: "Apply AI fixes with checkpoints" },
+      { command: "vibecheck fix --autopilot --apply", description: "Loop until SHIP or stuck" },
+      { command: "vibecheck fix --rollback M_xxx", description: "Rollback mission" },
+      { command: "vibecheck fix missions", description: "View grouped fix tasks" },
+      { command: "vibecheck fix checkpoint list", description: "List snapshots" },
+      { command: "vibecheck fix checkpoint restore latest", description: "Restore snapshot" },
+    ],
+    related: ["scan", "ship"],
+  },
+  certify: {
+    description: "Full verification chain — ISL + Reality + Chaos + Ship score + badge",
+    longDescription: "The flagship command. Runs the complete proof pipeline: truth → verify → prove → seal → badge. Produces a shareable certification artifact.",
+    tier: "pro",
+    category: "core",
+    runner: () => require("./runners/runProve").runProve,
+    subcommands: [
+      { name: "verify", description: "Run ISL verification only" },
+      { name: "prove", description: "Full proof loop (forge → scan → reality → ship)" },
+      { name: "seal", description: "Generate badge + cryptographic attestation" },
+      { name: "truth", description: "Build/rebuild truthpack artifacts" },
+    ],
+    examples: [
+      { command: "vibecheck certify", description: "Run full certification" },
+      { command: "vibecheck certify --badge", description: "Include badge generation" },
+      { command: "vibecheck certify --reality", description: "Include browser verification" },
+      { command: "vibecheck certify --artifacts", description: "Generate truthpack + evidence" },
+      { command: "vibecheck certify verify", description: "Verification only" },
+      { command: "vibecheck certify seal --format svg", description: "Generate SVG badge" },
+    ],
+    related: ["ship", "reality", "report"],
+  },
+  // ══════════════════════════════════════════════════════════════
+  // EVIDENCE & ENFORCEMENT
+  // ══════════════════════════════════════════════════════════════
+  report: {
+    description: "Generate reports — HTML, SARIF, JSON, PDF, evidence bundles",
+    longDescription: "Produce shareable artifacts: reports, evidence packs, proof graphs, permission matrices. Multiple output formats.",
+    tier: "free",
+    category: "output",
+    runner: () => require("./runners/runPacks").runPacks,
+    subcommands: [
+      { name: "html", description: "Generate HTML report" },
+      { name: "sarif", description: "Generate SARIF for GitHub" },
+      { name: "bundle", description: "ZIP bundle + manifest + HTML index" },
+      { name: "evidence", description: "Bundle videos, traces, screenshots" },
+      { name: "graph", description: "Proof graph with receipt cross-links" },
+      { name: "permissions", description: "AuthZ matrix, roles, protected routes" },
+    ],
+    examples: [
+      { command: "vibecheck report", description: "Default HTML report" },
+      { command: "vibecheck report sarif", description: "SARIF for GitHub integration" },
+      { command: "vibecheck report bundle", description: "Full evidence bundle" },
+      { command: "vibecheck report --output ./reports", description: "Custom output dir" },
+    ],
+    related: ["certify", "scan", "ship"],
+  },
+  reality: {
+    description: "Browser-based runtime verification (Playwright)",
+    longDescription: "Verify your app's actual runtime behavior with Playwright-powered browser testing. Prove what users see is real.",
+    tier: "pro",
+    category: "verify",
+    runner: () => require("./runners/runReality").runReality,
+    subcommands: [
+      { name: "run", description: "Run reality verification (default)" },
+      { name: "replay", description: "Replay a previous reality session" },
+    ],
+    examples: [
+      { command: "vibecheck reality", description: "Auto-detect and test" },
+      { command: "vibecheck reality run --url http://localhost:3000", description: "Test localhost" },
+      { command: "vibecheck reality replay", description: "Replay last session" },
+    ],
+    related: ["certify", "ship"],
+  },
+  firewall: {
+    description: "Agent Firewall — intercept, validate, and enforce AI actions",
+    longDescription: "Unified AI enforcement layer. Control what AI agents can do in your codebase. Observe, protect, or lockdown modes. Intent tracking and drift detection.",
+    tier: "pro",
+    category: "enforce",
+    runner: () => require("./runners/runShield").runShield,
+    subcommands: [
+      { name: "on", description: "Enable firewall (default: observe mode)" },
+      { name: "off", description: "Disable firewall" },
+      { name: "mode", description: "Set mode: observe | protect | lockdown" },
+      { name: "status", description: "Show current firewall status" },
+      { name: "rules", description: "Manage firewall rules / forge AI rules" },
+      { name: "intent", description: "Declare/show/clear current intent" },
+      { name: "approve", description: "Review and approve session changes" },
+    ],
+    examples: [
+      { command: "vibecheck firewall on", description: "Enable in observe mode" },
+      { command: "vibecheck firewall mode protect", description: "Switch to protect mode" },
+      { command: "vibecheck firewall status", description: "Show status + stats" },
+      { command: "vibecheck firewall intent set -s \"fix login bug\"", description: "Set intent" },
+      { command: "vibecheck firewall rules", description: "Manage enforcement rules" },
+      { command: "vibecheck firewall approve", description: "Review AI changes" },
+    ],
+    related: ["scan", "certify", "mcp"],
+  },
+  // ══════════════════════════════════════════════════════════════
+  // AUTOMATION & CONFIG
+  // ══════════════════════════════════════════════════════════════
+  ci: {
+    description: "One-command enterprise CI wiring (GitHub Actions, GitLab, etc.)",
+    longDescription: "Auto-detect your stack and create optimized CI workflows with SARIF output, PR comments, and status checks.",
+    tier: "free",
+    category: "automation",
+    runner: () => require("./runners/runCI").runCI,
+    examples: [
+      { command: "vibecheck ci", description: "Auto-detect and create CI" },
+      { command: "vibecheck ci --dry-run", description: "Preview without creating files" },
+      { command: "vibecheck ci --full", description: "All workflows (scan, ship, e2e, security)" },
+      { command: "vibecheck ci --validate", description: "Validate existing workflows" },
+    ],
+    related: ["scan", "ship", "report"],
+  },
+  mcp: {
+    description: "Start MCP server for AI IDEs (Cursor, Windsurf, Claude)",
+    longDescription: "Launch an MCP server for AI IDE integration. 30+ tools for truth verification, intent tracking, and agent management.",
+    tier: "pro",
+    category: "automation",
+    runner: () => require("./runners/runMcp").runMcp,
+    examples: [
+      { command: "vibecheck mcp", description: "Start MCP server" },
+      { command: "vibecheck mcp --port 3099", description: "Custom port" },
+    ],
+    related: ["firewall", "certify"],
+  },
+  config: {
+    description: "Manage project configuration, safelist, and settings",
+    longDescription: "Central config management. Includes safelist (finding suppression with justification & expiry), project settings, and context management.",
+    tier: "free",
+    category: "automation",
+    runner: () => require("./runners/runSafelist").runSafelist,
+    subcommands: [
+      { name: "safelist", description: "Manage finding suppressions (add, remove, report, clean)" },
+      { name: "context", description: "Manage AI context / truthpack settings" },
+      { name: "auth", description: "Authentication (login, logout, whoami)" },
+    ],
+    examples: [
+      { command: "vibecheck config", description: "Show current config" },
+      { command: "vibecheck config safelist", description: "List safelist entries" },
+      { command: "vibecheck config safelist add --id MOCK_xyz --reason 'Test data'", description: "Suppress finding" },
+      { command: "vibecheck config auth login", description: "Log in to VibeCheck" },
+      { command: "vibecheck config auth whoami", description: "Show current user" },
+    ],
+    related: ["kickoff", "doctor"],
+  },
+};
+// Validate
+assertAllowedOnly(COMMANDS);
+// ─────────────────────────────────────────────────────────────
+// SUBCOMMAND ROUTING
+// ─────────────────────────────────────────────────────────────
+// Maps "parent:sub" → runner require path + export name.
+// main() in vibecheck.js consults this before calling the default runner.
+const SUBCOMMAND_MAP = {
+  // scan subcommands
+  "scan:secrets":   { runner: () => require("./runners/runScan").runScan, prependArgs: ["--category", "secrets"] },
+  "scan:vulns":     { runner: () => require("./runners/runScan").runScan, prependArgs: ["--category", "vulnerabilities"] },
+  "scan:routes":    { runner: () => require("./runners/runScan").runScan, prependArgs: ["--category", "routes"] },
+  "scan:env":       { runner: () => require("./runners/runScan").runScan, prependArgs: ["--category", "env"] },
+  "scan:auth":      { runner: () => require("./runners/runScan").runScan, prependArgs: ["--category", "auth"] },
+  // ship subcommands
+  "ship:preflight": { runner: () => require("./runners/runLaunch").runLaunch },
+  // fix subcommands
+  "fix:missions":   { runner: () => require("./runners/runFix").runFix, prependArgs: ["--list-missions"] },
+  "fix:checkpoint":  { runner: () => require("./runners/runCheckpoint").runCheckpoint },
+  "fix:polish":     { runner: () => require("./runners/runPolish").runPolish },
+  // certify subcommands
+  "certify:verify": { runner: () => require("./runners/runProve").runProve, prependArgs: ["--mode", "verify"] },
+  "certify:prove":  { runner: () => require("./runners/runProve").runProve },
+  "certify:seal":   { runner: () => require("./runners/runShip").runSeal },
+  "certify:truth":  { runner: () => require("./runners/runForge").runForge },
+  // report subcommands
+  "report:html":    { runner: () => require("./runners/runPacks").runPacks, prependArgs: ["report", "--format", "html"] },
+  "report:sarif":   { runner: () => require("./runners/runPacks").runPacks, prependArgs: ["report", "--format", "sarif"] },
+  "report:bundle":  { runner: () => require("./runners/runPacks").runPacks, prependArgs: ["bundle"] },
+  "report:evidence": { runner: () => require("./runners/runPacks").runPacks, prependArgs: ["evidence"] },
+  "report:graph":   { runner: () => require("./runners/runPacks").runPacks, prependArgs: ["graph"] },
+  "report:permissions": { runner: () => require("./runners/runPacks").runPacks, prependArgs: ["permissions"] },
+  // reality subcommands
+  "reality:run":    { runner: () => require("./runners/runReality").runReality },
+  "reality:replay": { runner: () => require("./runners/runReality").runReality, prependArgs: ["--replay"] },
+  // firewall subcommands
+  "firewall:on":      { runner: () => require("./runners/runShield").runShield, prependArgs: ["observe"] },
+  "firewall:off":     { runner: () => require("./runners/runShield").runShield, prependArgs: ["off"] },
+  "firewall:mode":    { runner: () => require("./runners/runShield").runShield },
+  "firewall:status":  { runner: () => require("./runners/runShield").runShield, prependArgs: ["status"] },
+  "firewall:rules":   { runner: () => require("./runners/runForge").runForge },
+  "firewall:intent":  { runner: () => require("./runners/runIntent").runIntent },
+  "firewall:approve": { runner: () => require("./runners/runApprove").runApprove },
+  // config subcommands
+  "config:safelist": { runner: () => require("./runners/runSafelist").runSafelist },
+  "config:context":  { runner: () => require("./runners/runForge").runForge, prependArgs: ["--context-only"] },
+  "config:auth":     { runner: () => require("./runners/runAuth").runAuth },
+};
+// ─────────────────────────────────────────────────────────────
+// HIDDEN COMMANDS — work but don't show in --help
+// ─────────────────────────────────────────────────────────────
+// Power-user / internal pipeline commands that still resolve.
+const HIDDEN_COMMANDS = {
+  checkpoint: { runner: () => require("./runners/runCheckpoint").runCheckpoint },
+  forge:      { runner: () => require("./runners/runForge").runForge },
+  polish:     { runner: () => require("./runners/runPolish").runPolish },
+  auth:       { runner: () => require("./runners/runAuth").runAuth, skipAuth: true },
+  watch:      { runner: () => require("./runners/runWatch").runWatch },
+  labs:       { runner: () => require("./runners/runLabs").runLabs, skipAuth: true },
+  intent:     { runner: () => require("./runners/runIntent").runIntent },
+  approve:    { runner: () => require("./runners/runApprove").runApprove },
+  seal:       { runner: () => require("./runners/runShip").runSeal },
+  prove:      { runner: () => require("./runners/runProve").runProve },
+  safelist:   { runner: () => require("./runners/runSafelist").runSafelist },
+  packs:      { runner: () => require("./runners/runPacks").runPacks },
+  link:       { runner: () => require("./runners/runLink").runLink },
+  audit:      { runner: () => require("./runners/runAudit").runAudit },
+  shield:     { runner: () => require("./runners/runShield").runShield },
+  launch:     { runner: () => require("./runners/runLaunch").runLaunch },
+};
+// ─────────────────────────────────────────────────────────────
+// ALIAS MAP — old names → new 12 top-level commands
+// ─────────────────────────────────────────────────────────────
+const ALIAS_MAP = {
+  // → kickoff
+  "init": "kickoff",
+  "setup": "kickoff",
+  "quickstart": "kickoff",
+  "qs": "kickoff",
+  "start": "kickoff",
+  "onboard": "kickoff",
+  "configure": "kickoff",
+  // → scan
+  "audit": "scan",
+  "check": "scan",
+  "s": "scan",
+  "validate": "scan",
+  // → ship
+  "launch": "ship",
+  "gate": "ship",
+  "ci-gate": "ship",
+  "preflight": "ship",
+  "prelaunch": "ship",
+  // → fix
+  "f": "fix",
+  "repair": "fix",
+  "missions": "fix",
+  // → certify
+  "verify": "certify",
+  "prove": "certify",
+  "seal": "certify",
+  "badge": "certify",
+  "attest": "certify",
+  "truth": "certify",
+  "truthpack": "certify",
+  "p": "certify",
+  // → report
+  "packs": "report",
+  "report": "report",
+  "html": "report",
+  "artifact": "report",
+  "artifacts": "report",
+  "evidence-pack": "report",
+  "bundle": "report",
+  "permissions-pack": "report",
+  "proof-graph": "report",
+  // → reality
+  "browser": "reality",
+  "e2e": "reality",
+  // → firewall
+  "shield": "firewall",
+  "guard": "firewall",
+  "ai-guard": "firewall",
+  "enforce": "firewall",
+  "intent": "firewall",
+  "approve": "firewall",
+  // → config
+  "safelist": "config",
+  "allowlist": "config",
+  "al": "config",
+  "suppress": "config",
+  "context": "config",
+  "ctx": "config",
+  "rules": "config",
+  "ai-rules": "config",
+  "mdc": "config",
+  "brain": "config",
+  // → doctor
+  "health": "doctor",
+  "diag": "doctor",
+  // Hidden shortcuts
+  "checkpoint": "fix",
+  "cp": "fix",
+  "snap": "fix",
+  "snapshot": "fix",
+  "timemachine": "fix",
+  "rollback": "fix",
+  "w": "scan",
+  "dev": "scan",
+  "prod": "fix",
+  "final": "fix",
+  // Auth shortcuts → config
+  "login": "config",
+  "logout": "config",
+  "whoami": "config",
+  "me": "config",
+  "signin": "config",
+  "signout": "config",
+};
+// ─────────────────────────────────────────────────────────────
+// DEPRECATION NOTICES for renamed commands
+// ─────────────────────────────────────────────────────────────
+const DEPRECATION_MAP = {
+  "audit":     { target: "scan", message: "'audit' is now 'scan'" },
+  "check":     { target: "scan", message: "'check' is now 'scan'" },
+  "validate":  { target: "scan", message: "'validate' is now 'scan'" },
+  "launch":    { target: "ship preflight", message: "'launch' is now 'ship preflight'" },
+  "init":      { target: "kickoff", message: "'init' is now 'kickoff'" },
+  "setup":     { target: "kickoff", message: "'setup' is now 'kickoff'" },
+  "quickstart": { target: "kickoff", message: "'quickstart' is now 'kickoff'" },
+  "link":      { target: "kickoff", message: "'link' is now part of 'kickoff'" },
+  "shield":    { target: "firewall", message: "'shield' is now 'firewall'" },
+  "guard":     { target: "firewall", message: "'guard' is now 'firewall'" },
+  "prove":     { target: "certify", message: "'prove' is now 'certify'" },
+  "verify":    { target: "certify", message: "'verify' is now 'certify'" },
+  "seal":      { target: "certify seal", message: "'seal' is now 'certify seal'" },
+  "badge":     { target: "certify seal", message: "'badge' is now 'certify seal'" },
+  "truth":     { target: "certify truth", message: "'truth' is now 'certify truth'" },
+  "truthpack": { target: "certify truth", message: "'truthpack' is now 'certify truth'" },
+  "packs":     { target: "report", message: "'packs' is now 'report'" },
+  "safelist":  { target: "config safelist", message: "'safelist' is now 'config safelist'" },
+  "allowlist": { target: "config safelist", message: "'allowlist' is now 'config safelist'" },
+  "context":   { target: "config context", message: "'context' is now 'config context'" },
+  "ctx":       { target: "config context", message: "'ctx' is now 'config context'" },
+  "forge":     { target: "firewall rules", message: "'forge' is now 'firewall rules' (or still works directly)" },
+  "intent":    { target: "firewall intent", message: "'intent' is now 'firewall intent'" },
+  "approve":   { target: "firewall approve", message: "'approve' is now 'firewall approve'" },
+};
+function isDeprecated(cmd) {
+  return cmd in DEPRECATION_MAP;
+}
+function getDeprecationTarget(cmd) {
+  const dep = DEPRECATION_MAP[cmd];
+  return dep ? dep.target : null;
+}
+function getDeprecationMessage(cmd) {
+  const dep = DEPRECATION_MAP[cmd];
+  return dep ? dep.message : null;
+}
+// All command names (top-level + aliases + hidden)
+const ALL_COMMANDS = new Set([
+  ...Object.keys(COMMANDS),
+  ...Object.keys(ALIAS_MAP),
+  ...Object.keys(HIDDEN_COMMANDS),
+]);
+// ─────────────────────────────────────────────────────────────
+// TIER HELPERS
+// ─────────────────────────────────────────────────────────────
+function isPro(tier) {
+  return tier === "pro";
+}
+function requiresPro(commandName) {
+  const cmd = COMMANDS[commandName];
+  return cmd && cmd.tier === "pro";
+}
+function getFreeCommands() {
+  return Object.entries(COMMANDS)
+    .filter(([, cmd]) => cmd.tier === "free")
+    .map(([name]) => name);
+}
+function getProCommands() {
+  return Object.entries(COMMANDS)
+    .filter(([, cmd]) => cmd.tier === "pro")
+    .map(([name]) => name);
+}
+// ─────────────────────────────────────────────────────────────
+// GETTERS
+// ─────────────────────────────────────────────────────────────
+function getRunner(cmd, opts = {}) {
+  // Check top-level commands first
+  let def = COMMANDS[cmd];
+  // Then check hidden commands
+  if (!def) {
+    def = HIDDEN_COMMANDS[cmd];
+  }
+  if (!def) {
+    return null;
+  }
+  if (!def.runner) {
+    return null;
+  }
+  try {
+    return def.runner();
+  } catch (e) {
+    if (opts.red && opts.reset) {
+      console.error(`${opts.red}× Failed to load runner for ${cmd}: ${e.message}${opts.reset}`);
+    }
+    return null;
+  }
+}
+function getSubcommandRunner(parent, sub) {
+  const key = `${parent}:${sub}`;
+  const def = SUBCOMMAND_MAP[key];
+  if (!def) return null;
+  try {
+    return { runner: def.runner(), prependArgs: def.prependArgs || [] };
+  } catch (e) {
+    return null;
+  }
+}
+function getCommand(name) {
+  return COMMANDS[name] || null;
+}
+function isValidCommand(name) {
+  return name in COMMANDS || name in HIDDEN_COMMANDS;
+}
+function listCommands() {
+  return Object.keys(COMMANDS);
+}
+// ─────────────────────────────────────────────────────────────
+// EXPORTS
+// ─────────────────────────────────────────────────────────────
+module.exports = {
+  // Core data
+  COMMANDS,
+  ALLOWED_COMMANDS,
+  ALIAS_MAP,
+  ALL_COMMANDS,
+  SUBCOMMAND_MAP,
+  HIDDEN_COMMANDS,
+  DEPRECATION_MAP,
+  // Tier helpers
+  isPro,
+  requiresPro,
+  getFreeCommands,
+  getProCommands,
+  // Getters
+  getRunner,
+  getSubcommandRunner,
+  getCommand,
+  isValidCommand,
+  listCommands,
+  // Deprecation
+  isDeprecated,
+  getDeprecationTarget,
+  getDeprecationMessage,
+  getCommandsByTier: (tier) =>
+    Object.entries(COMMANDS)
+      .filter(([, cmd]) => cmd.tier === tier)
+      .map(([name, cmd]) => ({ name, ...cmd })),
+  getCommandsByCategory: (category) =>
+    Object.entries(COMMANDS)
+      .filter(([, cmd]) => cmd.category === category)
+      .map(([name, cmd]) => ({ name, ...cmd })),
+};