npm - vibecheck-ai - Versions diffs - 2.0.1 → 5.0.0 - Mend

vibecheck-ai 2.0.1 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (456) hide show

package/bin/.generated +25 -0
package/bin/_deprecations.js +463 -0
package/bin/_router.js +46 -0
package/bin/cli-hygiene.js +241 -0
package/bin/dev/run-v2-torture.js +30 -0
package/bin/registry.js +656 -0
package/bin/runners/CLI_REFACTOR_SUMMARY.md +229 -0
package/bin/runners/ENHANCEMENT_GUIDE.md +121 -0
package/bin/runners/REPORT_AUDIT.md +64 -0
package/bin/runners/cli-utils.js +1070 -0
package/bin/runners/context/ai-task-decomposer.js +337 -0
package/bin/runners/context/analyzer.js +513 -0
package/bin/runners/context/api-contracts.js +427 -0
package/bin/runners/context/context-diff.js +342 -0
package/bin/runners/context/context-pruner.js +291 -0
package/bin/runners/context/dependency-graph.js +414 -0
package/bin/runners/context/generators/claude.js +107 -0
package/bin/runners/context/generators/codex.js +108 -0
package/bin/runners/context/generators/copilot.js +119 -0
package/bin/runners/context/generators/cursor-enhanced.js +2525 -0
package/bin/runners/context/generators/cursor.js +514 -0
package/bin/runners/context/generators/mcp.js +169 -0
package/bin/runners/context/generators/windsurf.js +180 -0
package/bin/runners/context/git-context.js +304 -0
package/bin/runners/context/index.js +1110 -0
package/bin/runners/context/insights.js +173 -0
package/bin/runners/context/mcp-server/generate-rules.js +337 -0
package/bin/runners/context/mcp-server/index.js +1176 -0
package/bin/runners/context/mcp-server/package.json +24 -0
package/bin/runners/context/memory.js +200 -0
package/bin/runners/context/monorepo.js +215 -0
package/bin/runners/context/multi-repo-federation.js +404 -0
package/bin/runners/context/patterns.js +253 -0
package/bin/runners/context/proof-context.js +1264 -0
package/bin/runners/context/security-scanner.js +541 -0
package/bin/runners/context/semantic-search.js +350 -0
package/bin/runners/context/shared.js +264 -0
package/bin/runners/context/team-conventions.js +336 -0
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -0
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/change-packet/builder.js +488 -0
package/bin/runners/lib/agent-firewall/change-packet/schema.json +228 -0
package/bin/runners/lib/agent-firewall/change-packet/store.js +200 -0
package/bin/runners/lib/agent-firewall/claims/claim-types.js +21 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +303 -0
package/bin/runners/lib/agent-firewall/claims/patterns.js +24 -0
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/enforcement/gateway.js +1059 -0
package/bin/runners/lib/agent-firewall/enforcement/index.js +98 -0
package/bin/runners/lib/agent-firewall/enforcement/mode.js +318 -0
package/bin/runners/lib/agent-firewall/enforcement/orchestrator.js +484 -0
package/bin/runners/lib/agent-firewall/enforcement/proof-artifact.js +418 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/change-event.schema.json +173 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/intent.schema.json +181 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/verdict.schema.json +222 -0
package/bin/runners/lib/agent-firewall/enforcement/verdict-v2.js +333 -0
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +88 -0
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +75 -0
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +127 -0
package/bin/runners/lib/agent-firewall/evidence/resolver.js +102 -0
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +213 -0
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +145 -0
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +19 -0
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +87 -0
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +184 -0
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +163 -0
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +107 -0
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +68 -0
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +66 -0
package/bin/runners/lib/agent-firewall/index.js +200 -0
package/bin/runners/lib/agent-firewall/integration/index.js +20 -0
package/bin/runners/lib/agent-firewall/integration/ship-gate.js +437 -0
package/bin/runners/lib/agent-firewall/intent/alignment-engine.js +634 -0
package/bin/runners/lib/agent-firewall/intent/auto-detect.js +426 -0
package/bin/runners/lib/agent-firewall/intent/index.js +102 -0
package/bin/runners/lib/agent-firewall/intent/schema.js +352 -0
package/bin/runners/lib/agent-firewall/intent/store.js +283 -0
package/bin/runners/lib/agent-firewall/interception/fs-interceptor.js +502 -0
package/bin/runners/lib/agent-firewall/interception/index.js +23 -0
package/bin/runners/lib/agent-firewall/interceptor/base.js +308 -0
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +34 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/default-policy.json +90 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +103 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +451 -0
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +79 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +227 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +191 -0
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +93 -0
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +57 -0
package/bin/runners/lib/agent-firewall/policy/schema.json +183 -0
package/bin/runners/lib/agent-firewall/policy/verdict.js +54 -0
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +322 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/session/collector.js +451 -0
package/bin/runners/lib/agent-firewall/session/index.js +26 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/agent-firewall/truthpack/index.js +67 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +137 -0
package/bin/runners/lib/agent-firewall/unblock/planner.js +337 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/ai-bridge.js +416 -0
package/bin/runners/lib/analysis-core.js +309 -0
package/bin/runners/lib/analyzers.js +2500 -0
package/bin/runners/lib/api-client.js +269 -0
package/bin/runners/lib/approve-output.js +235 -0
package/bin/runners/lib/artifact-envelope.js +540 -0
package/bin/runners/lib/assets/vibecheck-logo.png +0 -0
package/bin/runners/lib/audit-bridge.js +391 -0
package/bin/runners/lib/auth-shared.js +977 -0
package/bin/runners/lib/auth-truth.js +193 -0
package/bin/runners/lib/auth.js +215 -0
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/backup.js +62 -0
package/bin/runners/lib/billing.js +107 -0
package/bin/runners/lib/checkpoint.js +941 -0
package/bin/runners/lib/claims.js +118 -0
package/bin/runners/lib/classify-output.js +204 -0
package/bin/runners/lib/cleanup/engine.js +571 -0
package/bin/runners/lib/cleanup/index.js +53 -0
package/bin/runners/lib/cleanup/output.js +375 -0
package/bin/runners/lib/cleanup/rules.js +1060 -0
package/bin/runners/lib/cli-output.js +400 -0
package/bin/runners/lib/cli-ui.js +540 -0
package/bin/runners/lib/compliance-bridge-new.js +0 -0
package/bin/runners/lib/compliance-bridge.js +165 -0
package/bin/runners/lib/contracts/auth-contract.js +202 -0
package/bin/runners/lib/contracts/env-contract.js +181 -0
package/bin/runners/lib/contracts/external-contract.js +206 -0
package/bin/runners/lib/contracts/guard.js +168 -0
package/bin/runners/lib/contracts/index.js +89 -0
package/bin/runners/lib/contracts/plan-validator.js +311 -0
package/bin/runners/lib/contracts/route-contract.js +199 -0
package/bin/runners/lib/contracts.js +804 -0
package/bin/runners/lib/default-config.js +127 -0
package/bin/runners/lib/detect.js +89 -0
package/bin/runners/lib/detectors-v2.js +622 -0
package/bin/runners/lib/doctor/autofix.js +254 -0
package/bin/runners/lib/doctor/diagnosis-receipt.js +454 -0
package/bin/runners/lib/doctor/failure-signatures.js +526 -0
package/bin/runners/lib/doctor/fix-script.js +336 -0
package/bin/runners/lib/doctor/index.js +37 -0
package/bin/runners/lib/doctor/modules/build-tools.js +453 -0
package/bin/runners/lib/doctor/modules/dependencies.js +325 -0
package/bin/runners/lib/doctor/modules/index.js +105 -0
package/bin/runners/lib/doctor/modules/network.js +250 -0
package/bin/runners/lib/doctor/modules/os-quirks.js +706 -0
package/bin/runners/lib/doctor/modules/project.js +312 -0
package/bin/runners/lib/doctor/modules/repo-integrity.js +485 -0
package/bin/runners/lib/doctor/modules/runtime.js +224 -0
package/bin/runners/lib/doctor/modules/security.js +350 -0
package/bin/runners/lib/doctor/modules/system.js +213 -0
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -0
package/bin/runners/lib/doctor/reporter.js +262 -0
package/bin/runners/lib/doctor/safe-repair.js +384 -0
package/bin/runners/lib/doctor/service.js +262 -0
package/bin/runners/lib/doctor/types.js +113 -0
package/bin/runners/lib/doctor/ui.js +263 -0
package/bin/runners/lib/doctor-enhanced.js +233 -0
package/bin/runners/lib/doctor-output.js +226 -0
package/bin/runners/lib/doctor-v2.js +608 -0
package/bin/runners/lib/drift.js +425 -0
package/bin/runners/lib/enforcement.js +72 -0
package/bin/runners/lib/engine/ast-cache.js +210 -0
package/bin/runners/lib/engine/auth-extractor.js +211 -0
package/bin/runners/lib/engine/billing-extractor.js +112 -0
package/bin/runners/lib/engine/enforcement-extractor.js +100 -0
package/bin/runners/lib/engine/env-extractor.js +207 -0
package/bin/runners/lib/engine/express-extractor.js +208 -0
package/bin/runners/lib/engine/extractors.js +849 -0
package/bin/runners/lib/engine/index.js +207 -0
package/bin/runners/lib/engine/repo-index.js +514 -0
package/bin/runners/lib/engine/types.js +124 -0
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/attack-detector.js +1192 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/enterprise-detect.js +603 -0
package/bin/runners/lib/enterprise-init.js +942 -0
package/bin/runners/lib/entitlements-v2.js +265 -0
package/bin/runners/lib/entitlements.generated.js +0 -0
package/bin/runners/lib/entitlements.js +340 -0
package/bin/runners/lib/env-resolver.js +417 -0
package/bin/runners/lib/env-template.js +66 -0
package/bin/runners/lib/env.js +189 -0
package/bin/runners/lib/error-handler.js +368 -0
package/bin/runners/lib/error-messages.js +289 -0
package/bin/runners/lib/evidence-pack.js +684 -0
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/extractors/client-calls.js +990 -0
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -0
package/bin/runners/lib/extractors/fastify-routes.js +426 -0
package/bin/runners/lib/extractors/index.js +363 -0
package/bin/runners/lib/extractors/next-routes.js +524 -0
package/bin/runners/lib/extractors/proof-graph.js +431 -0
package/bin/runners/lib/extractors/route-matcher.js +451 -0
package/bin/runners/lib/extractors/truthpack-v2.js +377 -0
package/bin/runners/lib/extractors/ui-bindings.js +547 -0
package/bin/runners/lib/finding-id.js +69 -0
package/bin/runners/lib/finding-sorter.js +89 -0
package/bin/runners/lib/findings-schema.js +281 -0
package/bin/runners/lib/fingerprint.js +377 -0
package/bin/runners/lib/firewall-prompt.js +50 -0
package/bin/runners/lib/fix-output.js +228 -0
package/bin/runners/lib/global-flags.js +250 -0
package/bin/runners/lib/graph/graph-builder.js +265 -0
package/bin/runners/lib/graph/html-renderer.js +413 -0
package/bin/runners/lib/graph/index.js +32 -0
package/bin/runners/lib/graph/runtime-collector.js +215 -0
package/bin/runners/lib/graph/static-extractor.js +518 -0
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/html-proof-report.js +913 -0
package/bin/runners/lib/html-report.js +650 -0
package/bin/runners/lib/init-wizard.js +601 -0
package/bin/runners/lib/interactive-menu.js +1496 -0
package/bin/runners/lib/json-output.js +76 -0
package/bin/runners/lib/llm.js +75 -0
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/meter.js +61 -0
package/bin/runners/lib/missions/briefing.js +427 -0
package/bin/runners/lib/missions/checkpoint.js +753 -0
package/bin/runners/lib/missions/evidence.js +126 -0
package/bin/runners/lib/missions/hardening.js +851 -0
package/bin/runners/lib/missions/plan.js +648 -0
package/bin/runners/lib/missions/safety-gates.js +645 -0
package/bin/runners/lib/missions/schema.js +478 -0
package/bin/runners/lib/missions/templates.js +317 -0
package/bin/runners/lib/next-action.js +560 -0
package/bin/runners/lib/packs/bundle.js +675 -0
package/bin/runners/lib/packs/evidence-pack.js +671 -0
package/bin/runners/lib/packs/pack-factory.js +837 -0
package/bin/runners/lib/packs/permissions-pack.js +686 -0
package/bin/runners/lib/packs/proof-graph-pack.js +779 -0
package/bin/runners/lib/patch.js +40 -0
package/bin/runners/lib/permissions/auth-model.js +213 -0
package/bin/runners/lib/permissions/idor-prover.js +205 -0
package/bin/runners/lib/permissions/index.js +45 -0
package/bin/runners/lib/permissions/matrix-builder.js +198 -0
package/bin/runners/lib/pkgjson.js +28 -0
package/bin/runners/lib/policy.js +295 -0
package/bin/runners/lib/polish/accessibility.js +62 -0
package/bin/runners/lib/polish/analyzer.js +93 -0
package/bin/runners/lib/polish/backend.js +87 -0
package/bin/runners/lib/polish/configuration.js +83 -0
package/bin/runners/lib/polish/documentation.js +83 -0
package/bin/runners/lib/polish/frontend.js +817 -0
package/bin/runners/lib/polish/index.js +27 -0
package/bin/runners/lib/polish/infrastructure.js +80 -0
package/bin/runners/lib/polish/internationalization.js +85 -0
package/bin/runners/lib/polish/libraries.js +180 -0
package/bin/runners/lib/polish/observability.js +75 -0
package/bin/runners/lib/polish/performance.js +64 -0
package/bin/runners/lib/polish/privacy.js +110 -0
package/bin/runners/lib/polish/resilience.js +92 -0
package/bin/runners/lib/polish/security.js +78 -0
package/bin/runners/lib/polish/seo.js +71 -0
package/bin/runners/lib/polish/styles.js +62 -0
package/bin/runners/lib/polish/utils.js +104 -0
package/bin/runners/lib/preflight.js +142 -0
package/bin/runners/lib/prerequisites.js +149 -0
package/bin/runners/lib/prove-output.js +220 -0
package/bin/runners/lib/reality/correlation-detectors.js +359 -0
package/bin/runners/lib/reality/index.js +318 -0
package/bin/runners/lib/reality/request-hashing.js +416 -0
package/bin/runners/lib/reality/request-mapper.js +453 -0
package/bin/runners/lib/reality/safety-rails.js +463 -0
package/bin/runners/lib/reality/semantic-snapshot.js +408 -0
package/bin/runners/lib/reality/toast-detector.js +393 -0
package/bin/runners/lib/reality-findings.js +84 -0
package/bin/runners/lib/reality-output.js +231 -0
package/bin/runners/lib/receipts.js +179 -0
package/bin/runners/lib/redact.js +29 -0
package/bin/runners/lib/replay/capsule-manager.js +154 -0
package/bin/runners/lib/replay/index.js +263 -0
package/bin/runners/lib/replay/player.js +348 -0
package/bin/runners/lib/replay/recorder.js +331 -0
package/bin/runners/lib/report-engine.js +626 -0
package/bin/runners/lib/report-html.js +1233 -0
package/bin/runners/lib/report-output.js +366 -0
package/bin/runners/lib/report-templates.js +967 -0
package/bin/runners/lib/report.js +135 -0
package/bin/runners/lib/route-detection.js +1209 -0
package/bin/runners/lib/route-truth.js +1322 -0
package/bin/runners/lib/safelist/index.js +96 -0
package/bin/runners/lib/safelist/integration.js +334 -0
package/bin/runners/lib/safelist/matcher.js +696 -0
package/bin/runners/lib/safelist/schema.js +948 -0
package/bin/runners/lib/safelist/store.js +438 -0
package/bin/runners/lib/sandbox/index.js +59 -0
package/bin/runners/lib/sandbox/proof-chain.js +399 -0
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -0
package/bin/runners/lib/sandbox/worktree.js +174 -0
package/bin/runners/lib/scan-cache.js +330 -0
package/bin/runners/lib/scan-output-schema.js +344 -0
package/bin/runners/lib/scan-output.js +631 -0
package/bin/runners/lib/scan-runner.js +135 -0
package/bin/runners/lib/schema-validator.js +350 -0
package/bin/runners/lib/schemas/ajv-validator.js +464 -0
package/bin/runners/lib/schemas/contracts.schema.json +160 -0
package/bin/runners/lib/schemas/error-envelope.schema.json +105 -0
package/bin/runners/lib/schemas/finding-v3.schema.json +151 -0
package/bin/runners/lib/schemas/finding.schema.json +100 -0
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -0
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -0
package/bin/runners/lib/schemas/reality-report.schema.json +162 -0
package/bin/runners/lib/schemas/report-artifact.schema.json +120 -0
package/bin/runners/lib/schemas/run-request.schema.json +108 -0
package/bin/runners/lib/schemas/share-pack.schema.json +180 -0
package/bin/runners/lib/schemas/ship-manifest.schema.json +251 -0
package/bin/runners/lib/schemas/ship-report.schema.json +117 -0
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -0
package/bin/runners/lib/schemas/validator.js +465 -0
package/bin/runners/lib/schemas/verdict.schema.json +140 -0
package/bin/runners/lib/score-history.js +282 -0
package/bin/runners/lib/security-bridge.js +249 -0
package/bin/runners/lib/server-usage.js +513 -0
package/bin/runners/lib/share-pack.js +239 -0
package/bin/runners/lib/ship-gate.js +832 -0
package/bin/runners/lib/ship-manifest.js +1153 -0
package/bin/runners/lib/ship-output-enterprise.js +239 -0
package/bin/runners/lib/ship-output.js +1128 -0
package/bin/runners/lib/snippets.js +67 -0
package/bin/runners/lib/status-output.js +340 -0
package/bin/runners/lib/terminal-ui.js +356 -0
package/bin/runners/lib/truth.js +1691 -0
package/bin/runners/lib/ui.js +562 -0
package/bin/runners/lib/unified-cli-output.js +947 -0
package/bin/runners/lib/unified-output.js +197 -0
package/bin/runners/lib/upsell.js +410 -0
package/bin/runners/lib/usage.js +153 -0
package/bin/runners/lib/validate-patch.js +156 -0
package/bin/runners/lib/verdict-engine.js +628 -0
package/bin/runners/lib/verification.js +345 -0
package/bin/runners/lib/why-tree.js +650 -0
package/bin/runners/reality/engine.js +917 -0
package/bin/runners/reality/flows.js +122 -0
package/bin/runners/reality/report.js +378 -0
package/bin/runners/reality/session.js +193 -0
package/bin/runners/runAIAgent.js +229 -0
package/bin/runners/runAgent.d.ts +5 -0
package/bin/runners/runAgent.js +161 -0
package/bin/runners/runAllowlist.js +418 -0
package/bin/runners/runApprove.js +320 -0
package/bin/runners/runAudit.js +692 -0
package/bin/runners/runAuth.js +731 -0
package/bin/runners/runCI.js +353 -0
package/bin/runners/runCheckpoint.js +530 -0
package/bin/runners/runClassify.js +928 -0
package/bin/runners/runCleanup.js +343 -0
package/bin/runners/runContext.d.ts +4 -0
package/bin/runners/runContext.js +175 -0
package/bin/runners/runDoctor.js +877 -0
package/bin/runners/runEvidencePack.js +362 -0
package/bin/runners/runFirewall.d.ts +5 -0
package/bin/runners/runFirewall.js +134 -0
package/bin/runners/runFirewallHook.d.ts +5 -0
package/bin/runners/runFirewallHook.js +56 -0
package/bin/runners/runFix.js +1355 -0
package/bin/runners/runForge.js +451 -0
package/bin/runners/runGuard.js +262 -0
package/bin/runners/runInit.js +1927 -0
package/bin/runners/runIntent.js +906 -0
package/bin/runners/runKickoff.js +878 -0
package/bin/runners/runLabs.js +424 -0
package/bin/runners/runLaunch.js +2000 -0
package/bin/runners/runLink.js +785 -0
package/bin/runners/runMcp.js +1875 -0
package/bin/runners/runPacks.js +2089 -0
package/bin/runners/runPolish.d.ts +4 -0
package/bin/runners/runPolish.js +390 -0
package/bin/runners/runPromptFirewall.js +211 -0
package/bin/runners/runProve.js +1411 -0
package/bin/runners/runQuickstart.js +531 -0
package/bin/runners/runReality.js +2260 -0
package/bin/runners/runReport.js +726 -0
package/bin/runners/runRuntime.js +110 -0
package/bin/runners/runSafelist.js +1190 -0
package/bin/runners/runScan.js +688 -0
package/bin/runners/runShield.js +1282 -0
package/bin/runners/runShip.js +1660 -0
package/bin/runners/runTruth.d.ts +5 -0
package/bin/runners/runTruth.js +101 -0
package/bin/runners/runValidate.js +179 -0
package/bin/runners/runWatch.js +478 -0
package/bin/runners/utils.js +360 -0
package/bin/scan.js +617 -0
package/bin/vibecheck.js +1617 -0
package/dist/guardrail/index.d.ts +2405 -0
package/dist/guardrail/index.js +9747 -0
package/dist/guardrail/index.js.map +1 -0
package/dist/scanner/index.d.ts +282 -0
package/dist/scanner/index.js +3395 -0
package/dist/scanner/index.js.map +1 -0
package/package.json +123 -104
package/README.md +0 -491
package/dist/index.js +0 -99711
package/dist/index.js.map +0 -1

package/bin/runners/lib/agent-firewall/intent/alignment-engine.js ADDED Viewed

@@ -0,0 +1,634 @@
+/**
+ * Intent Alignment Engine - Core Enforcement Logic
+ *
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * AGENT FIREWALL™ - INTENT ALIGNMENT ENGINE
+ * ═══════════════════════════════════════════════════════════════════════════════
+ *
+ * For every Change Event:
+ * - Compare change against declared intent
+ * - Enforce STRICT matching rules
+ * - BLOCK if intent is violated
+ *
+ * This is NOT advisory. This is enforcement.
+ *
+ * @module intent/alignment-engine
+ * @version 2.0.0
+ */
+"use strict";
+const path = require("path");
+// Try to load minimatch, fallback to simple pattern matching if not available
+let minimatch = null;
+try {
+  minimatch = require("minimatch").minimatch;
+} catch {
+  // minimatch not available, will use fallback
+}
+/**
+ * Violation codes for machine-readable errors
+ */
+const VIOLATION_CODES = {
+  NO_INTENT: "NO_INTENT_DECLARED",
+  INTENT_EXPIRED: "INTENT_EXPIRED",
+  INTENT_CORRUPTED: "INTENT_INTEGRITY_FAILED",
+  UNDECLARED_ROUTE: "UNDECLARED_ROUTE",
+  UNDECLARED_ENV: "UNDECLARED_ENV_VAR",
+  UNDECLARED_FILE: "UNDECLARED_FILE_CHANGE",
+  CONSTRAINT_VIOLATED: "CONSTRAINT_VIOLATED",
+  SCOPE_VIOLATION: "SCOPE_VIOLATION",
+  DOMAIN_VIOLATION: "DOMAIN_NOT_ALLOWED",
+  PERMISSION_CHANGE: "UNAUTHORIZED_PERMISSION_CHANGE",
+  AUTH_MODIFICATION: "UNAUTHORIZED_AUTH_MODIFICATION",
+  PAYMENT_MODIFICATION: "UNAUTHORIZED_PAYMENT_MODIFICATION",
+  MOCK_DATA_DETECTED: "MOCK_DATA_IN_PRODUCTION_CODE",
+  TODO_DETECTED: "UNRESOLVED_TODO_PLACEHOLDER",
+  FAKE_HANDLER: "FAKE_HANDLER_DETECTED",
+  UI_WITHOUT_BACKEND: "UI_SUCCESS_WITHOUT_BACKEND_PROOF",
+};
+/**
+ * Alignment Check Result
+ * @typedef {Object} AlignmentResult
+ * @property {boolean} aligned - Whether change is aligned with intent
+ * @property {string} decision - PASS or BLOCK
+ * @property {Object[]} violations - Array of violations
+ * @property {string} intent_hash - Hash of intent used for checking
+ */
+/**
+ * Violation object structure
+ * @typedef {Object} Violation
+ * @property {string} code - Machine-readable violation code
+ * @property {string} rule - Human-readable rule name
+ * @property {string} message - Detailed violation message
+ * @property {string} resource - Resource that caused violation
+ * @property {string} intent_ref - Reference to violated intent element
+ * @property {string} severity - Always "block" for violations
+ */
+/**
+ * Check if a path matches any allowed pattern
+ * @param {string} filePath - Path to check
+ * @param {Object[]} allowed_changes - Allowed changes from intent
+ * @returns {boolean} True if allowed
+ */
+function isFileChangeAllowed(filePath, allowed_changes = []) {
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  for (const allowed of allowed_changes) {
+    if (allowed.type === "file_create" || allowed.type === "file_modify" || allowed.type === "file_delete") {
+      // Check exact target match
+      if (allowed.target && allowed.target.replace(/\\/g, "/") === normalizedPath) {
+        return true;
+      }
+      // Check pattern match
+      if (allowed.pattern) {
+        try {
+          // Use minimatch if available, otherwise simple glob
+          if (typeof minimatch === "function") {
+            if (minimatch(normalizedPath, allowed.pattern, { matchBase: true })) {
+              return true;
+            }
+          } else {
+            // Simple pattern matching fallback using placeholders
+            // Use placeholders to avoid escaping issues
+            const regex = new RegExp(
+              "^" + allowed.pattern
+                .replace(/\*\*\//g, "{{DIRSTAR}}")  // Placeholder for **/
+                .replace(/\*\*/g, "{{GLOBSTAR}}")  // Placeholder for **
+                .replace(/\?/g, "{{QMARK}}")       // Placeholder for ?
+                .replace(/\./g, "\\.")             // Escape dots
+                .replace(/\*/g, "[^/]*")           // * matches anything except /
+                .replace(/{{DIRSTAR}}/g, "(?:.*/)?")  // **/ matches zero or more dirs
+                .replace(/{{GLOBSTAR}}/g, ".*")    // ** matches anything
+                .replace(/{{QMARK}}/g, ".") + "$"  // ? matches single char
+            );
+            if (regex.test(normalizedPath)) {
+              return true;
+            }
+          }
+        } catch {
+          // Skip invalid patterns
+        }
+      }
+    }
+  }
+  return false;
+}
+/**
+ * Check if a route is allowed by intent
+ * @param {string} method - HTTP method
+ * @param {string} routePath - Route path
+ * @param {Object[]} allowed_changes - Allowed changes from intent
+ * @returns {boolean} True if allowed
+ */
+function isRouteAllowed(method, routePath, allowed_changes = []) {
+  for (const allowed of allowed_changes) {
+    if (allowed.type === "route_add" || allowed.type === "route_modify") {
+      // Check exact match
+      if (allowed.target === routePath) {
+        return true;
+      }
+      // Check pattern match (e.g., /api/users/*)
+      if (allowed.pattern) {
+        try {
+          const regex = new RegExp(
+            "^" + allowed.pattern
+              .replace(/\*/g, "[^/]+")
+              .replace(/\*\*/g, ".*") + "$"
+          );
+          if (regex.test(routePath)) {
+            return true;
+          }
+        } catch {
+          // Skip invalid patterns
+        }
+      }
+    }
+  }
+  return false;
+}
+/**
+ * Check if env var addition is allowed by intent
+ * @param {string} envVar - Environment variable name
+ * @param {Object[]} allowed_changes - Allowed changes from intent
+ * @returns {boolean} True if allowed
+ */
+function isEnvVarAllowed(envVar, allowed_changes = []) {
+  for (const allowed of allowed_changes) {
+    if (allowed.type === "env_add") {
+      if (allowed.target === envVar) {
+        return true;
+      }
+      // Pattern match (e.g., STRIPE_*)
+      if (allowed.pattern) {
+        try {
+          const regex = new RegExp("^" + allowed.pattern.replace(/\*/g, ".*") + "$");
+          if (regex.test(envVar)) {
+            return true;
+          }
+        } catch {
+          // Skip invalid patterns
+        }
+      }
+    }
+  }
+  return false;
+}
+/**
+ * Check if path is within allowed scope
+ * @param {string} filePath - File path to check
+ * @param {Object} scope - Intent scope restrictions
+ * @returns {boolean} True if within scope
+ */
+function isWithinScope(filePath, scope) {
+  if (!scope) return true; // No scope = everything allowed
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  // Check excluded paths first
+  if (scope.excluded_paths) {
+    for (const excluded of scope.excluded_paths) {
+      const normalizedExcluded = excluded.replace(/\\/g, "/");
+      if (normalizedPath.startsWith(normalizedExcluded) || normalizedPath === normalizedExcluded) {
+        return false;
+      }
+    }
+  }
+  // Check directory restrictions
+  if (scope.directories && scope.directories.length > 0) {
+    const inAllowedDir = scope.directories.some(dir => {
+      const normalizedDir = dir.replace(/\\/g, "/");
+      return normalizedPath.startsWith(normalizedDir);
+    });
+    if (!inAllowedDir) {
+      return false;
+    }
+  }
+  // Check file pattern restrictions
+  if (scope.file_patterns && scope.file_patterns.length > 0) {
+    const matchesPattern = scope.file_patterns.some(pattern => {
+      try {
+        if (typeof minimatch === "function") {
+          return minimatch(normalizedPath, pattern, { matchBase: true });
+        }
+        const regex = new RegExp(
+          "^" + pattern
+            .replace(/\*\*/g, "{{GLOBSTAR}}")
+            .replace(/\*/g, "[^/]*")
+            .replace(/{{GLOBSTAR}}/g, ".*") + "$"
+        );
+        return regex.test(normalizedPath);
+      } catch {
+        return false;
+      }
+    });
+    if (!matchesPattern) {
+      return false;
+    }
+  }
+  return true;
+}
+/**
+ * Check if domain is allowed by intent
+ * @param {string} domain - Domain classification
+ * @param {Object} scope - Intent scope restrictions
+ * @returns {boolean} True if allowed
+ */
+function isDomainAllowed(domain, scope) {
+  if (!scope || !scope.domains || scope.domains.length === 0) {
+    return true; // No domain restrictions
+  }
+  return scope.domains.includes(domain);
+}
+/**
+ * Check constraint violations
+ * @param {string[]} constraints - Intent constraints
+ * @param {Object} changeEvent - Change event to check
+ * @returns {Object[]} Array of constraint violations
+ */
+function checkConstraintViolations(constraints, changeEvent) {
+  const violations = [];
+  for (let i = 0; i < constraints.length; i++) {
+    const constraint = constraints[i].toLowerCase();
+    // No new routes
+    if (constraint.includes("no new routes") || constraint.includes("no_new_routes")) {
+      if (changeEvent.type === "route_add" ||
+          (changeEvent.claims && changeEvent.claims.some(c => c.type === "route"))) {
+        violations.push({
+          code: VIOLATION_CODES.CONSTRAINT_VIOLATED,
+          rule: "constraint_no_new_routes",
+          message: "New route addition blocked by constraint",
+          resource: changeEvent.location,
+          intent_ref: `constraints[${i}]`,
+          severity: "block",
+        });
+      }
+    }
+    // No auth changes
+    if (constraint.includes("no auth") || constraint.includes("no_auth_changes")) {
+      if (changeEvent.domain === "auth" ||
+          (changeEvent.claims && changeEvent.claims.some(c => c.type === "auth_boundary"))) {
+        violations.push({
+          code: VIOLATION_CODES.AUTH_MODIFICATION,
+          rule: "constraint_no_auth_changes",
+          message: "Auth modification blocked by constraint",
+          resource: changeEvent.location,
+          intent_ref: `constraints[${i}]`,
+          severity: "block",
+        });
+      }
+    }
+    // No new environment variables
+    if (constraint.includes("no new env") || constraint.includes("no_env_additions")) {
+      if (changeEvent.type === "env_ref" && !changeEvent.env_exists) {
+        violations.push({
+          code: VIOLATION_CODES.UNDECLARED_ENV,
+          rule: "constraint_no_env_additions",
+          message: `New env var '${changeEvent.resource}' blocked by constraint`,
+          resource: changeEvent.resource,
+          intent_ref: `constraints[${i}]`,
+          severity: "block",
+        });
+      }
+    }
+    // No payment changes
+    if (constraint.includes("no payment") || constraint.includes("no_payment_changes")) {
+      if (changeEvent.domain === "payments") {
+        violations.push({
+          code: VIOLATION_CODES.PAYMENT_MODIFICATION,
+          rule: "constraint_no_payment_changes",
+          message: "Payment code modification blocked by constraint",
+          resource: changeEvent.location,
+          intent_ref: `constraints[${i}]`,
+          severity: "block",
+        });
+      }
+    }
+    // Tests required
+    if (constraint.includes("tests required") || constraint.includes("tests_required")) {
+      if (!changeEvent.includes_tests) {
+        violations.push({
+          code: VIOLATION_CODES.CONSTRAINT_VIOLATED,
+          rule: "constraint_tests_required",
+          message: "Tests required by constraint but none provided",
+          resource: changeEvent.location,
+          intent_ref: `constraints[${i}]`,
+          severity: "block",
+        });
+      }
+    }
+    // Single file only
+    if (constraint.includes("single file") || constraint.includes("single_file_only")) {
+      if (changeEvent.file_count > 1) {
+        violations.push({
+          code: VIOLATION_CODES.CONSTRAINT_VIOLATED,
+          rule: "constraint_single_file",
+          message: `Multiple files (${changeEvent.file_count}) modified but constraint requires single file`,
+          resource: changeEvent.location,
+          intent_ref: `constraints[${i}]`,
+          severity: "block",
+        });
+      }
+    }
+  }
+  return violations;
+}
+/**
+ * Detect code quality violations (mock data, TODOs, fake handlers)
+ * @param {Object} changeEvent - Change event with diff
+ * @returns {Object[]} Array of violations
+ */
+function detectCodeQualityViolations(changeEvent) {
+  const violations = [];
+  const content = changeEvent.diff?.after || changeEvent.content || "";
+  // Mock data detection
+  const mockPatterns = [
+    /mock\s*data/i,
+    /fake\s*response/i,
+    /stub\s*data/i,
+    /dummy\s*data/i,
+    /\[\s*"test"\s*,\s*"data"\s*\]/,
+    /return\s+\{\s*success:\s*true\s*\}/,
+    /setTimeout\s*\(\s*\(\)\s*=>\s*\{[^}]*success/i,
+  ];
+  for (const pattern of mockPatterns) {
+    if (pattern.test(content)) {
+      violations.push({
+        code: VIOLATION_CODES.MOCK_DATA_DETECTED,
+        rule: "no_mock_data",
+        message: "Mock/fake data detected in production code",
+        resource: changeEvent.location,
+        intent_ref: "enforcement_rule",
+        severity: "block",
+      });
+      break;
+    }
+  }
+  // TODO/FIXME detection
+  const todoPattern = /\b(TODO|FIXME|XXX|HACK|BUG)[\s:]/i;
+  if (todoPattern.test(content)) {
+    violations.push({
+      code: VIOLATION_CODES.TODO_DETECTED,
+      rule: "no_todos",
+      message: "Unresolved TODO/FIXME comment detected",
+      resource: changeEvent.location,
+      intent_ref: "enforcement_rule",
+      severity: "block",
+    });
+  }
+  // Fake handler detection
+  const fakeHandlerPatterns = [
+    /async\s+function\s+\w+\s*\([^)]*\)\s*\{\s*\}/,
+    /const\s+\w+\s*=\s*async\s*\([^)]*\)\s*=>\s*\{\s*\}/,
+    /\w+Handler\s*=\s*\(\)\s*=>\s*\{\s*\}/,
+    /notImplemented/i,
+    /throw\s+new\s+Error\s*\(\s*["']not\s+implemented/i,
+  ];
+  for (const pattern of fakeHandlerPatterns) {
+    if (pattern.test(content)) {
+      violations.push({
+        code: VIOLATION_CODES.FAKE_HANDLER,
+        rule: "no_fake_handlers",
+        message: "Empty or placeholder handler detected",
+        resource: changeEvent.location,
+        intent_ref: "enforcement_rule",
+        severity: "block",
+      });
+      break;
+    }
+  }
+  return violations;
+}
+/**
+ * Main alignment check function
+ *
+ * @param {Object} intent - Declared intent
+ * @param {Object} changeEvent - Normalized change event
+ * @returns {AlignmentResult} Alignment result
+ */
+function checkAlignment(intent, changeEvent) {
+  const violations = [];
+  // BLOCK if no intent
+  if (!intent) {
+    return {
+      aligned: false,
+      decision: "BLOCK",
+      violations: [{
+        code: VIOLATION_CODES.NO_INTENT,
+        rule: "intent_required",
+        message: "No intent declared - all changes blocked by default",
+        resource: changeEvent.location || "unknown",
+        intent_ref: "system",
+        severity: "block",
+      }],
+      intent_hash: null,
+    };
+  }
+  // Check intent is the blocking intent
+  if (intent.summary?.includes("NO INTENT DECLARED")) {
+    return {
+      aligned: false,
+      decision: "BLOCK",
+      violations: [{
+        code: VIOLATION_CODES.NO_INTENT,
+        rule: "intent_required",
+        message: "No intent declared - all changes blocked by default",
+        resource: changeEvent.location || "unknown",
+        intent_ref: "system",
+        severity: "block",
+      }],
+      intent_hash: intent.hash,
+    };
+  }
+  // 1. Check file changes against allowed_changes
+  if (changeEvent.type === "file_write" || changeEvent.type === "file_create" || changeEvent.type === "file_modify") {
+    if (intent.allowed_changes && intent.allowed_changes.length > 0) {
+      if (!isFileChangeAllowed(changeEvent.location, intent.allowed_changes)) {
+        violations.push({
+          code: VIOLATION_CODES.UNDECLARED_FILE,
+          rule: "file_change_not_declared",
+          message: `File change not declared in intent: ${changeEvent.location}`,
+          resource: changeEvent.location,
+          intent_ref: "allowed_changes",
+          severity: "block",
+        });
+      }
+    }
+  }
+  // 2. Check routes against allowed_changes
+  if (changeEvent.type === "route_add") {
+    if (!isRouteAllowed(changeEvent.method, changeEvent.resource, intent.allowed_changes)) {
+      violations.push({
+        code: VIOLATION_CODES.UNDECLARED_ROUTE,
+        rule: "route_not_declared",
+        message: `Route not declared in intent: ${changeEvent.method || "?"} ${changeEvent.resource}`,
+        resource: changeEvent.resource,
+        intent_ref: "allowed_changes",
+        severity: "block",
+      });
+    }
+  }
+  // 3. Check env vars against allowed_changes
+  if (changeEvent.type === "env_ref" && !changeEvent.env_exists) {
+    if (!isEnvVarAllowed(changeEvent.resource, intent.allowed_changes)) {
+      violations.push({
+        code: VIOLATION_CODES.UNDECLARED_ENV,
+        rule: "env_var_not_declared",
+        message: `Environment variable not declared in intent or missing: ${changeEvent.resource}`,
+        resource: changeEvent.resource,
+        intent_ref: "allowed_changes",
+        severity: "block",
+      });
+    }
+  }
+  // 4. Check scope restrictions
+  if (intent.scope && changeEvent.location) {
+    if (!isWithinScope(changeEvent.location, intent.scope)) {
+      violations.push({
+        code: VIOLATION_CODES.SCOPE_VIOLATION,
+        rule: "scope_violation",
+        message: `Change outside allowed scope: ${changeEvent.location}`,
+        resource: changeEvent.location,
+        intent_ref: "scope",
+        severity: "block",
+      });
+    }
+  }
+  // 5. Check domain restrictions
+  if (intent.scope && changeEvent.domain) {
+    if (!isDomainAllowed(changeEvent.domain, intent.scope)) {
+      violations.push({
+        code: VIOLATION_CODES.DOMAIN_VIOLATION,
+        rule: "domain_not_allowed",
+        message: `Domain '${changeEvent.domain}' not allowed by intent`,
+        resource: changeEvent.location,
+        intent_ref: "scope.domains",
+        severity: "block",
+      });
+    }
+  }
+  // 6. Check constraints
+  if (intent.constraints && intent.constraints.length > 0) {
+    const constraintViolations = checkConstraintViolations(intent.constraints, changeEvent);
+    violations.push(...constraintViolations);
+  }
+  // 7. Check code quality (mock data, TODOs, fake handlers)
+  const qualityViolations = detectCodeQualityViolations(changeEvent);
+  violations.push(...qualityViolations);
+  // 8. Check UI success without backend proof
+  if (changeEvent.claims) {
+    const uiSuccessClaims = changeEvent.claims.filter(c => c.type === "ui_success_claim");
+    for (const claim of uiSuccessClaims) {
+      if (!claim.backend_verified) {
+        violations.push({
+          code: VIOLATION_CODES.UI_WITHOUT_BACKEND,
+          rule: "ui_success_requires_proof",
+          message: `UI success state without backend proof: ${claim.value || claim.pointer}`,
+          resource: claim.file || changeEvent.location,
+          intent_ref: "enforcement_rule",
+          severity: "block",
+        });
+      }
+    }
+  }
+  // Final decision
+  const aligned = violations.length === 0;
+  return {
+    aligned,
+    decision: aligned ? "PASS" : "BLOCK",
+    violations,
+    intent_hash: intent.hash,
+  };
+}
+/**
+ * Batch alignment check for multiple change events
+ * @param {Object} intent - Declared intent
+ * @param {Object[]} changeEvents - Array of change events
+ * @returns {AlignmentResult} Aggregated alignment result
+ */
+function checkAlignmentBatch(intent, changeEvents) {
+  const allViolations = [];
+  for (const event of changeEvents) {
+    const result = checkAlignment(intent, event);
+    allViolations.push(...result.violations);
+  }
+  // De-duplicate violations by code + resource
+  const seen = new Set();
+  const uniqueViolations = allViolations.filter(v => {
+    const key = `${v.code}:${v.resource}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+  const aligned = uniqueViolations.length === 0;
+  return {
+    aligned,
+    decision: aligned ? "PASS" : "BLOCK",
+    violations: uniqueViolations,
+    intent_hash: intent?.hash || null,
+  };
+}
+module.exports = {
+  checkAlignment,
+  checkAlignmentBatch,
+  isFileChangeAllowed,
+  isRouteAllowed,
+  isEnvVarAllowed,
+  isWithinScope,
+  isDomainAllowed,
+  checkConstraintViolations,
+  detectCodeQualityViolations,
+  VIOLATION_CODES,
+};