npm - vibecheck-ai - Versions diffs - 2.0.1 → 5.0.0 - Mend

vibecheck-ai 2.0.1 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (456) hide show

package/bin/.generated +25 -0
package/bin/_deprecations.js +463 -0
package/bin/_router.js +46 -0
package/bin/cli-hygiene.js +241 -0
package/bin/dev/run-v2-torture.js +30 -0
package/bin/registry.js +656 -0
package/bin/runners/CLI_REFACTOR_SUMMARY.md +229 -0
package/bin/runners/ENHANCEMENT_GUIDE.md +121 -0
package/bin/runners/REPORT_AUDIT.md +64 -0
package/bin/runners/cli-utils.js +1070 -0
package/bin/runners/context/ai-task-decomposer.js +337 -0
package/bin/runners/context/analyzer.js +513 -0
package/bin/runners/context/api-contracts.js +427 -0
package/bin/runners/context/context-diff.js +342 -0
package/bin/runners/context/context-pruner.js +291 -0
package/bin/runners/context/dependency-graph.js +414 -0
package/bin/runners/context/generators/claude.js +107 -0
package/bin/runners/context/generators/codex.js +108 -0
package/bin/runners/context/generators/copilot.js +119 -0
package/bin/runners/context/generators/cursor-enhanced.js +2525 -0
package/bin/runners/context/generators/cursor.js +514 -0
package/bin/runners/context/generators/mcp.js +169 -0
package/bin/runners/context/generators/windsurf.js +180 -0
package/bin/runners/context/git-context.js +304 -0
package/bin/runners/context/index.js +1110 -0
package/bin/runners/context/insights.js +173 -0
package/bin/runners/context/mcp-server/generate-rules.js +337 -0
package/bin/runners/context/mcp-server/index.js +1176 -0
package/bin/runners/context/mcp-server/package.json +24 -0
package/bin/runners/context/memory.js +200 -0
package/bin/runners/context/monorepo.js +215 -0
package/bin/runners/context/multi-repo-federation.js +404 -0
package/bin/runners/context/patterns.js +253 -0
package/bin/runners/context/proof-context.js +1264 -0
package/bin/runners/context/security-scanner.js +541 -0
package/bin/runners/context/semantic-search.js +350 -0
package/bin/runners/context/shared.js +264 -0
package/bin/runners/context/team-conventions.js +336 -0
package/bin/runners/lib/__tests__/entitlements-v2.test.js +295 -0
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/change-packet/builder.js +488 -0
package/bin/runners/lib/agent-firewall/change-packet/schema.json +228 -0
package/bin/runners/lib/agent-firewall/change-packet/store.js +200 -0
package/bin/runners/lib/agent-firewall/claims/claim-types.js +21 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +303 -0
package/bin/runners/lib/agent-firewall/claims/patterns.js +24 -0
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/enforcement/gateway.js +1059 -0
package/bin/runners/lib/agent-firewall/enforcement/index.js +98 -0
package/bin/runners/lib/agent-firewall/enforcement/mode.js +318 -0
package/bin/runners/lib/agent-firewall/enforcement/orchestrator.js +484 -0
package/bin/runners/lib/agent-firewall/enforcement/proof-artifact.js +418 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/change-event.schema.json +173 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/intent.schema.json +181 -0
package/bin/runners/lib/agent-firewall/enforcement/schemas/verdict.schema.json +222 -0
package/bin/runners/lib/agent-firewall/enforcement/verdict-v2.js +333 -0
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +88 -0
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +75 -0
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +127 -0
package/bin/runners/lib/agent-firewall/evidence/resolver.js +102 -0
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +213 -0
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +145 -0
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +19 -0
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +87 -0
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +184 -0
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +163 -0
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +107 -0
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +68 -0
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +66 -0
package/bin/runners/lib/agent-firewall/index.js +200 -0
package/bin/runners/lib/agent-firewall/integration/index.js +20 -0
package/bin/runners/lib/agent-firewall/integration/ship-gate.js +437 -0
package/bin/runners/lib/agent-firewall/intent/alignment-engine.js +634 -0
package/bin/runners/lib/agent-firewall/intent/auto-detect.js +426 -0
package/bin/runners/lib/agent-firewall/intent/index.js +102 -0
package/bin/runners/lib/agent-firewall/intent/schema.js +352 -0
package/bin/runners/lib/agent-firewall/intent/store.js +283 -0
package/bin/runners/lib/agent-firewall/interception/fs-interceptor.js +502 -0
package/bin/runners/lib/agent-firewall/interception/index.js +23 -0
package/bin/runners/lib/agent-firewall/interceptor/base.js +308 -0
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +34 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/default-policy.json +90 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +103 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +451 -0
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +79 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +227 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +191 -0
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +93 -0
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +57 -0
package/bin/runners/lib/agent-firewall/policy/schema.json +183 -0
package/bin/runners/lib/agent-firewall/policy/verdict.js +54 -0
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +322 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/session/collector.js +451 -0
package/bin/runners/lib/agent-firewall/session/index.js +26 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/agent-firewall/truthpack/index.js +67 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +137 -0
package/bin/runners/lib/agent-firewall/unblock/planner.js +337 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/ai-bridge.js +416 -0
package/bin/runners/lib/analysis-core.js +309 -0
package/bin/runners/lib/analyzers.js +2500 -0
package/bin/runners/lib/api-client.js +269 -0
package/bin/runners/lib/approve-output.js +235 -0
package/bin/runners/lib/artifact-envelope.js +540 -0
package/bin/runners/lib/assets/vibecheck-logo.png +0 -0
package/bin/runners/lib/audit-bridge.js +391 -0
package/bin/runners/lib/auth-shared.js +977 -0
package/bin/runners/lib/auth-truth.js +193 -0
package/bin/runners/lib/auth.js +215 -0
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/backup.js +62 -0
package/bin/runners/lib/billing.js +107 -0
package/bin/runners/lib/checkpoint.js +941 -0
package/bin/runners/lib/claims.js +118 -0
package/bin/runners/lib/classify-output.js +204 -0
package/bin/runners/lib/cleanup/engine.js +571 -0
package/bin/runners/lib/cleanup/index.js +53 -0
package/bin/runners/lib/cleanup/output.js +375 -0
package/bin/runners/lib/cleanup/rules.js +1060 -0
package/bin/runners/lib/cli-output.js +400 -0
package/bin/runners/lib/cli-ui.js +540 -0
package/bin/runners/lib/compliance-bridge-new.js +0 -0
package/bin/runners/lib/compliance-bridge.js +165 -0
package/bin/runners/lib/contracts/auth-contract.js +202 -0
package/bin/runners/lib/contracts/env-contract.js +181 -0
package/bin/runners/lib/contracts/external-contract.js +206 -0
package/bin/runners/lib/contracts/guard.js +168 -0
package/bin/runners/lib/contracts/index.js +89 -0
package/bin/runners/lib/contracts/plan-validator.js +311 -0
package/bin/runners/lib/contracts/route-contract.js +199 -0
package/bin/runners/lib/contracts.js +804 -0
package/bin/runners/lib/default-config.js +127 -0
package/bin/runners/lib/detect.js +89 -0
package/bin/runners/lib/detectors-v2.js +622 -0
package/bin/runners/lib/doctor/autofix.js +254 -0
package/bin/runners/lib/doctor/diagnosis-receipt.js +454 -0
package/bin/runners/lib/doctor/failure-signatures.js +526 -0
package/bin/runners/lib/doctor/fix-script.js +336 -0
package/bin/runners/lib/doctor/index.js +37 -0
package/bin/runners/lib/doctor/modules/build-tools.js +453 -0
package/bin/runners/lib/doctor/modules/dependencies.js +325 -0
package/bin/runners/lib/doctor/modules/index.js +105 -0
package/bin/runners/lib/doctor/modules/network.js +250 -0
package/bin/runners/lib/doctor/modules/os-quirks.js +706 -0
package/bin/runners/lib/doctor/modules/project.js +312 -0
package/bin/runners/lib/doctor/modules/repo-integrity.js +485 -0
package/bin/runners/lib/doctor/modules/runtime.js +224 -0
package/bin/runners/lib/doctor/modules/security.js +350 -0
package/bin/runners/lib/doctor/modules/system.js +213 -0
package/bin/runners/lib/doctor/modules/vibecheck.js +394 -0
package/bin/runners/lib/doctor/reporter.js +262 -0
package/bin/runners/lib/doctor/safe-repair.js +384 -0
package/bin/runners/lib/doctor/service.js +262 -0
package/bin/runners/lib/doctor/types.js +113 -0
package/bin/runners/lib/doctor/ui.js +263 -0
package/bin/runners/lib/doctor-enhanced.js +233 -0
package/bin/runners/lib/doctor-output.js +226 -0
package/bin/runners/lib/doctor-v2.js +608 -0
package/bin/runners/lib/drift.js +425 -0
package/bin/runners/lib/enforcement.js +72 -0
package/bin/runners/lib/engine/ast-cache.js +210 -0
package/bin/runners/lib/engine/auth-extractor.js +211 -0
package/bin/runners/lib/engine/billing-extractor.js +112 -0
package/bin/runners/lib/engine/enforcement-extractor.js +100 -0
package/bin/runners/lib/engine/env-extractor.js +207 -0
package/bin/runners/lib/engine/express-extractor.js +208 -0
package/bin/runners/lib/engine/extractors.js +849 -0
package/bin/runners/lib/engine/index.js +207 -0
package/bin/runners/lib/engine/repo-index.js +514 -0
package/bin/runners/lib/engine/types.js +124 -0
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/attack-detector.js +1192 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/enterprise-detect.js +603 -0
package/bin/runners/lib/enterprise-init.js +942 -0
package/bin/runners/lib/entitlements-v2.js +265 -0
package/bin/runners/lib/entitlements.generated.js +0 -0
package/bin/runners/lib/entitlements.js +340 -0
package/bin/runners/lib/env-resolver.js +417 -0
package/bin/runners/lib/env-template.js +66 -0
package/bin/runners/lib/env.js +189 -0
package/bin/runners/lib/error-handler.js +368 -0
package/bin/runners/lib/error-messages.js +289 -0
package/bin/runners/lib/evidence-pack.js +684 -0
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/extractors/client-calls.js +990 -0
package/bin/runners/lib/extractors/fastify-route-dump.js +573 -0
package/bin/runners/lib/extractors/fastify-routes.js +426 -0
package/bin/runners/lib/extractors/index.js +363 -0
package/bin/runners/lib/extractors/next-routes.js +524 -0
package/bin/runners/lib/extractors/proof-graph.js +431 -0
package/bin/runners/lib/extractors/route-matcher.js +451 -0
package/bin/runners/lib/extractors/truthpack-v2.js +377 -0
package/bin/runners/lib/extractors/ui-bindings.js +547 -0
package/bin/runners/lib/finding-id.js +69 -0
package/bin/runners/lib/finding-sorter.js +89 -0
package/bin/runners/lib/findings-schema.js +281 -0
package/bin/runners/lib/fingerprint.js +377 -0
package/bin/runners/lib/firewall-prompt.js +50 -0
package/bin/runners/lib/fix-output.js +228 -0
package/bin/runners/lib/global-flags.js +250 -0
package/bin/runners/lib/graph/graph-builder.js +265 -0
package/bin/runners/lib/graph/html-renderer.js +413 -0
package/bin/runners/lib/graph/index.js +32 -0
package/bin/runners/lib/graph/runtime-collector.js +215 -0
package/bin/runners/lib/graph/static-extractor.js +518 -0
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/html-proof-report.js +913 -0
package/bin/runners/lib/html-report.js +650 -0
package/bin/runners/lib/init-wizard.js +601 -0
package/bin/runners/lib/interactive-menu.js +1496 -0
package/bin/runners/lib/json-output.js +76 -0
package/bin/runners/lib/llm.js +75 -0
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/meter.js +61 -0
package/bin/runners/lib/missions/briefing.js +427 -0
package/bin/runners/lib/missions/checkpoint.js +753 -0
package/bin/runners/lib/missions/evidence.js +126 -0
package/bin/runners/lib/missions/hardening.js +851 -0
package/bin/runners/lib/missions/plan.js +648 -0
package/bin/runners/lib/missions/safety-gates.js +645 -0
package/bin/runners/lib/missions/schema.js +478 -0
package/bin/runners/lib/missions/templates.js +317 -0
package/bin/runners/lib/next-action.js +560 -0
package/bin/runners/lib/packs/bundle.js +675 -0
package/bin/runners/lib/packs/evidence-pack.js +671 -0
package/bin/runners/lib/packs/pack-factory.js +837 -0
package/bin/runners/lib/packs/permissions-pack.js +686 -0
package/bin/runners/lib/packs/proof-graph-pack.js +779 -0
package/bin/runners/lib/patch.js +40 -0
package/bin/runners/lib/permissions/auth-model.js +213 -0
package/bin/runners/lib/permissions/idor-prover.js +205 -0
package/bin/runners/lib/permissions/index.js +45 -0
package/bin/runners/lib/permissions/matrix-builder.js +198 -0
package/bin/runners/lib/pkgjson.js +28 -0
package/bin/runners/lib/policy.js +295 -0
package/bin/runners/lib/polish/accessibility.js +62 -0
package/bin/runners/lib/polish/analyzer.js +93 -0
package/bin/runners/lib/polish/backend.js +87 -0
package/bin/runners/lib/polish/configuration.js +83 -0
package/bin/runners/lib/polish/documentation.js +83 -0
package/bin/runners/lib/polish/frontend.js +817 -0
package/bin/runners/lib/polish/index.js +27 -0
package/bin/runners/lib/polish/infrastructure.js +80 -0
package/bin/runners/lib/polish/internationalization.js +85 -0
package/bin/runners/lib/polish/libraries.js +180 -0
package/bin/runners/lib/polish/observability.js +75 -0
package/bin/runners/lib/polish/performance.js +64 -0
package/bin/runners/lib/polish/privacy.js +110 -0
package/bin/runners/lib/polish/resilience.js +92 -0
package/bin/runners/lib/polish/security.js +78 -0
package/bin/runners/lib/polish/seo.js +71 -0
package/bin/runners/lib/polish/styles.js +62 -0
package/bin/runners/lib/polish/utils.js +104 -0
package/bin/runners/lib/preflight.js +142 -0
package/bin/runners/lib/prerequisites.js +149 -0
package/bin/runners/lib/prove-output.js +220 -0
package/bin/runners/lib/reality/correlation-detectors.js +359 -0
package/bin/runners/lib/reality/index.js +318 -0
package/bin/runners/lib/reality/request-hashing.js +416 -0
package/bin/runners/lib/reality/request-mapper.js +453 -0
package/bin/runners/lib/reality/safety-rails.js +463 -0
package/bin/runners/lib/reality/semantic-snapshot.js +408 -0
package/bin/runners/lib/reality/toast-detector.js +393 -0
package/bin/runners/lib/reality-findings.js +84 -0
package/bin/runners/lib/reality-output.js +231 -0
package/bin/runners/lib/receipts.js +179 -0
package/bin/runners/lib/redact.js +29 -0
package/bin/runners/lib/replay/capsule-manager.js +154 -0
package/bin/runners/lib/replay/index.js +263 -0
package/bin/runners/lib/replay/player.js +348 -0
package/bin/runners/lib/replay/recorder.js +331 -0
package/bin/runners/lib/report-engine.js +626 -0
package/bin/runners/lib/report-html.js +1233 -0
package/bin/runners/lib/report-output.js +366 -0
package/bin/runners/lib/report-templates.js +967 -0
package/bin/runners/lib/report.js +135 -0
package/bin/runners/lib/route-detection.js +1209 -0
package/bin/runners/lib/route-truth.js +1322 -0
package/bin/runners/lib/safelist/index.js +96 -0
package/bin/runners/lib/safelist/integration.js +334 -0
package/bin/runners/lib/safelist/matcher.js +696 -0
package/bin/runners/lib/safelist/schema.js +948 -0
package/bin/runners/lib/safelist/store.js +438 -0
package/bin/runners/lib/sandbox/index.js +59 -0
package/bin/runners/lib/sandbox/proof-chain.js +399 -0
package/bin/runners/lib/sandbox/sandbox-runner.js +205 -0
package/bin/runners/lib/sandbox/worktree.js +174 -0
package/bin/runners/lib/scan-cache.js +330 -0
package/bin/runners/lib/scan-output-schema.js +344 -0
package/bin/runners/lib/scan-output.js +631 -0
package/bin/runners/lib/scan-runner.js +135 -0
package/bin/runners/lib/schema-validator.js +350 -0
package/bin/runners/lib/schemas/ajv-validator.js +464 -0
package/bin/runners/lib/schemas/contracts.schema.json +160 -0
package/bin/runners/lib/schemas/error-envelope.schema.json +105 -0
package/bin/runners/lib/schemas/finding-v3.schema.json +151 -0
package/bin/runners/lib/schemas/finding.schema.json +100 -0
package/bin/runners/lib/schemas/mission-pack.schema.json +206 -0
package/bin/runners/lib/schemas/proof-graph.schema.json +176 -0
package/bin/runners/lib/schemas/reality-report.schema.json +162 -0
package/bin/runners/lib/schemas/report-artifact.schema.json +120 -0
package/bin/runners/lib/schemas/run-request.schema.json +108 -0
package/bin/runners/lib/schemas/share-pack.schema.json +180 -0
package/bin/runners/lib/schemas/ship-manifest.schema.json +251 -0
package/bin/runners/lib/schemas/ship-report.schema.json +117 -0
package/bin/runners/lib/schemas/truthpack-v2.schema.json +303 -0
package/bin/runners/lib/schemas/validator.js +465 -0
package/bin/runners/lib/schemas/verdict.schema.json +140 -0
package/bin/runners/lib/score-history.js +282 -0
package/bin/runners/lib/security-bridge.js +249 -0
package/bin/runners/lib/server-usage.js +513 -0
package/bin/runners/lib/share-pack.js +239 -0
package/bin/runners/lib/ship-gate.js +832 -0
package/bin/runners/lib/ship-manifest.js +1153 -0
package/bin/runners/lib/ship-output-enterprise.js +239 -0
package/bin/runners/lib/ship-output.js +1128 -0
package/bin/runners/lib/snippets.js +67 -0
package/bin/runners/lib/status-output.js +340 -0
package/bin/runners/lib/terminal-ui.js +356 -0
package/bin/runners/lib/truth.js +1691 -0
package/bin/runners/lib/ui.js +562 -0
package/bin/runners/lib/unified-cli-output.js +947 -0
package/bin/runners/lib/unified-output.js +197 -0
package/bin/runners/lib/upsell.js +410 -0
package/bin/runners/lib/usage.js +153 -0
package/bin/runners/lib/validate-patch.js +156 -0
package/bin/runners/lib/verdict-engine.js +628 -0
package/bin/runners/lib/verification.js +345 -0
package/bin/runners/lib/why-tree.js +650 -0
package/bin/runners/reality/engine.js +917 -0
package/bin/runners/reality/flows.js +122 -0
package/bin/runners/reality/report.js +378 -0
package/bin/runners/reality/session.js +193 -0
package/bin/runners/runAIAgent.js +229 -0
package/bin/runners/runAgent.d.ts +5 -0
package/bin/runners/runAgent.js +161 -0
package/bin/runners/runAllowlist.js +418 -0
package/bin/runners/runApprove.js +320 -0
package/bin/runners/runAudit.js +692 -0
package/bin/runners/runAuth.js +731 -0
package/bin/runners/runCI.js +353 -0
package/bin/runners/runCheckpoint.js +530 -0
package/bin/runners/runClassify.js +928 -0
package/bin/runners/runCleanup.js +343 -0
package/bin/runners/runContext.d.ts +4 -0
package/bin/runners/runContext.js +175 -0
package/bin/runners/runDoctor.js +877 -0
package/bin/runners/runEvidencePack.js +362 -0
package/bin/runners/runFirewall.d.ts +5 -0
package/bin/runners/runFirewall.js +134 -0
package/bin/runners/runFirewallHook.d.ts +5 -0
package/bin/runners/runFirewallHook.js +56 -0
package/bin/runners/runFix.js +1355 -0
package/bin/runners/runForge.js +451 -0
package/bin/runners/runGuard.js +262 -0
package/bin/runners/runInit.js +1927 -0
package/bin/runners/runIntent.js +906 -0
package/bin/runners/runKickoff.js +878 -0
package/bin/runners/runLabs.js +424 -0
package/bin/runners/runLaunch.js +2000 -0
package/bin/runners/runLink.js +785 -0
package/bin/runners/runMcp.js +1875 -0
package/bin/runners/runPacks.js +2089 -0
package/bin/runners/runPolish.d.ts +4 -0
package/bin/runners/runPolish.js +390 -0
package/bin/runners/runPromptFirewall.js +211 -0
package/bin/runners/runProve.js +1411 -0
package/bin/runners/runQuickstart.js +531 -0
package/bin/runners/runReality.js +2260 -0
package/bin/runners/runReport.js +726 -0
package/bin/runners/runRuntime.js +110 -0
package/bin/runners/runSafelist.js +1190 -0
package/bin/runners/runScan.js +688 -0
package/bin/runners/runShield.js +1282 -0
package/bin/runners/runShip.js +1660 -0
package/bin/runners/runTruth.d.ts +5 -0
package/bin/runners/runTruth.js +101 -0
package/bin/runners/runValidate.js +179 -0
package/bin/runners/runWatch.js +478 -0
package/bin/runners/utils.js +360 -0
package/bin/scan.js +617 -0
package/bin/vibecheck.js +1617 -0
package/dist/guardrail/index.d.ts +2405 -0
package/dist/guardrail/index.js +9747 -0
package/dist/guardrail/index.js.map +1 -0
package/dist/scanner/index.d.ts +282 -0
package/dist/scanner/index.js +3395 -0
package/dist/scanner/index.js.map +1 -0
package/package.json +123 -104
package/README.md +0 -491
package/dist/index.js +0 -99711
package/dist/index.js.map +0 -1

package/bin/runners/lib/contracts.js ADDED Viewed

@@ -0,0 +1,804 @@
+/**
+ * Contracts Generator + Drift Detector v2
+ *
+ * Generates contracts from truthpack and detects drift between runs.
+ * The hallucination stopper - AI can't invent endpoints, env vars, or auth.
+ */
+"use strict";
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+const { createFinding, getSeverity } = require("./schemas/validator");
+// =============================================================================
+// CONTRACT TYPES
+// =============================================================================
+const CONTRACT_TYPES = {
+  ROUTES: "routes",
+  ENV: "env",
+  AUTH: "auth",
+  EXTERNAL: "external",
+};
+// =============================================================================
+// CONTRACT GENERATION
+// =============================================================================
+/**
+ * Generate all contracts from truthpack
+ */
+function generateContracts(truthpack, options = {}) {
+  const { includeInternal = false } = options;
+  const contracts = {
+    meta: {
+      version: "2.0.0",
+      generatedAt: new Date().toISOString(),
+      truthpackHash: computeHash(JSON.stringify(truthpack)),
+    },
+    routes: generateRouteContract(truthpack),
+    env: generateEnvContract(truthpack),
+    auth: generateAuthContract(truthpack),
+    external: generateExternalContract(truthpack),
+  };
+  // Compute contract hashes
+  contracts.hashes = {
+    routes: computeHash(JSON.stringify(contracts.routes)),
+    env: computeHash(JSON.stringify(contracts.env)),
+    auth: computeHash(JSON.stringify(contracts.auth)),
+    external: computeHash(JSON.stringify(contracts.external)),
+  };
+  return contracts;
+}
+/**
+ * Generate route contract
+ */
+function generateRouteContract(truthpack) {
+  const routes = truthpack?.routes?.server || [];
+  return {
+    endpoints: routes.map(r => ({
+      method: r.method,
+      path: r.path,
+      file: r.file,
+      confidence: r.confidence,
+      authRequired: r.authRequired || false,
+      paidOnly: r.paidOnly || false,
+    })),
+    count: routes.length,
+    byMethod: countByField(routes, "method"),
+    byConfidence: countByField(routes, "confidence"),
+  };
+}
+/**
+ * Generate env contract
+ */
+function generateEnvContract(truthpack) {
+  const env = truthpack?.env || {};
+  const vars = env.vars || [];
+  const declared = env.declared || [];
+  // Classify vars by prefix
+  const classified = {
+    public: vars.filter(v => v.name.startsWith("NEXT_PUBLIC_") || v.name.startsWith("VITE_")),
+    server: vars.filter(v => !v.name.startsWith("NEXT_PUBLIC_") && !v.name.startsWith("VITE_")),
+  };
+  // Required vs optional (heuristic: used in multiple files = required)
+  const required = vars.filter(v => v.usageCount > 1 || v.required);
+  const optional = vars.filter(v => v.usageCount <= 1 && !v.required);
+  return {
+    variables: vars.map(v => ({
+      name: v.name,
+      required: v.required || v.usageCount > 1,
+      public: v.name.startsWith("NEXT_PUBLIC_") || v.name.startsWith("VITE_"),
+      declaredIn: declared.includes(v.name) ? ".env.example" : null,
+      usageCount: v.usageCount || 1,
+    })),
+    count: vars.length,
+    requiredCount: required.length,
+    publicCount: classified.public.length,
+    declared: declared,
+  };
+}
+/**
+ * Generate auth contract
+ */
+function generateAuthContract(truthpack) {
+  const auth = truthpack?.auth || {};
+  return {
+    providers: auth.providers || [],
+    protectedPatterns: auth.nextMatcherPatterns || [],
+    middleware: {
+      next: auth.nextMiddleware?.length > 0,
+      fastify: auth.fastify?.preHandlerHooks?.length > 0,
+    },
+    rbacDetected: auth.rbacPatterns?.length > 0,
+    signals: {
+      sessionChecks: auth.sessionChecks || [],
+      redirects: auth.redirects || [],
+    },
+  };
+}
+/**
+ * Generate external services contract
+ */
+function generateExternalContract(truthpack) {
+  const billing = truthpack?.billing || {};
+  const integrations = truthpack?.integrations || [];
+  return {
+    stripe: {
+      detected: billing.stripeDetected || false,
+      webhookVerified: billing.webhookSignatureVerification || false,
+      products: billing.products || [],
+    },
+    services: integrations.map(i => ({
+      name: i.name,
+      type: i.type,
+      envVars: i.envVars || [],
+    })),
+  };
+}
+// =============================================================================
+// DRIFT DETECTION
+// =============================================================================
+/**
+ * Detect drift between two contract sets
+ */
+function detectDrift(currentContracts, previousContracts, options = {}) {
+  const { strict = false } = options;
+  const findings = [];
+  // Route drift
+  const routeDrift = detectRouteDrift(
+    currentContracts.routes,
+    previousContracts.routes,
+    { strict }
+  );
+  findings.push(...routeDrift);
+  // Env drift
+  const envDrift = detectEnvDrift(
+    currentContracts.env,
+    previousContracts.env,
+    { strict }
+  );
+  findings.push(...envDrift);
+  // Auth drift
+  const authDrift = detectAuthDrift(
+    currentContracts.auth,
+    previousContracts.auth,
+    { strict }
+  );
+  findings.push(...authDrift);
+  // External drift
+  const externalDrift = detectExternalDrift(
+    currentContracts.external,
+    previousContracts.external,
+    { strict }
+  );
+  findings.push(...externalDrift);
+  return {
+    hasDrift: findings.length > 0,
+    findings,
+    summary: {
+      routes: routeDrift.length,
+      env: envDrift.length,
+      auth: authDrift.length,
+      external: externalDrift.length,
+    },
+  };
+}
+/**
+ * Detect route drift
+ */
+function detectRouteDrift(current, previous, options = {}) {
+  const findings = [];
+  const { strict } = options;
+  const currentPaths = new Set(current.endpoints.map(e => `${e.method}:${e.path}`));
+  const previousPaths = new Set(previous.endpoints.map(e => `${e.method}:${e.path}`));
+  // New routes (not in previous)
+  for (const ep of current.endpoints) {
+    const key = `${ep.method}:${ep.path}`;
+    if (!previousPaths.has(key)) {
+      findings.push(createFinding({
+        detectorId: "D_DRIFT_ROUTE_NEW",
+        severity: "INFO",
+        category: "ContractDrift",
+        scope: "contracts",
+        title: `New route added: ${ep.method} ${ep.path}`,
+        why: "Route was added since last contract sync",
+        confidence: "high",
+        path: ep.path,
+        method: ep.method,
+        evidence: [{
+          kind: "file",
+          file: ep.file,
+          reason: "New route definition",
+        }],
+      }));
+    }
+  }
+  // Removed routes (in previous but not current)
+  for (const ep of previous.endpoints) {
+    const key = `${ep.method}:${ep.path}`;
+    if (!currentPaths.has(key)) {
+      findings.push(createFinding({
+        detectorId: "D_DRIFT_ROUTE_REMOVED",
+        severity: strict ? "BLOCK" : "WARN",
+        category: "ContractDrift",
+        scope: "contracts",
+        title: `Route removed: ${ep.method} ${ep.path}`,
+        why: "Route existed in previous contract but is now missing",
+        confidence: "high",
+        path: ep.path,
+        method: ep.method,
+        evidence: [{
+          kind: "file",
+          file: ep.file,
+          reason: "Route no longer exists",
+        }],
+      }));
+    }
+  }
+  // Auth requirement changes
+  for (const ep of current.endpoints) {
+    const key = `${ep.method}:${ep.path}`;
+    const prev = previous.endpoints.find(p => `${p.method}:${p.path}` === key);
+    if (prev && prev.authRequired && !ep.authRequired) {
+      findings.push(createFinding({
+        detectorId: "D_DRIFT_AUTH_REMOVED",
+        severity: "BLOCK",
+        category: "ContractDrift",
+        scope: "contracts",
+        title: `Auth removed from route: ${ep.method} ${ep.path}`,
+        why: "Route previously required auth but no longer does",
+        confidence: "high",
+        path: ep.path,
+        method: ep.method,
+        evidence: [{
+          kind: "file",
+          file: ep.file,
+          reason: "Auth requirement removed",
+        }],
+      }));
+    }
+  }
+  return findings;
+}
+/**
+ * Detect env drift
+ */
+function detectEnvDrift(current, previous, options = {}) {
+  const findings = [];
+  const { strict } = options;
+  const currentVars = new Set(current.variables.map(v => v.name));
+  const previousVars = new Set(previous.variables.map(v => v.name));
+  // New required env vars
+  for (const v of current.variables) {
+    if (v.required && !previousVars.has(v.name)) {
+      findings.push(createFinding({
+        detectorId: "D_DRIFT_ENV_NEW_REQUIRED",
+        severity: strict ? "BLOCK" : "WARN",
+        category: "ContractDrift",
+        scope: "contracts",
+        title: `New required env var: ${v.name}`,
+        why: "New required environment variable added",
+        confidence: "high",
+        evidence: [{
+          kind: "file",
+          reason: `${v.name} is required but not in previous contract`,
+        }],
+      }));
+    }
+  }
+  // Required vars removed (may break existing deployments)
+  for (const v of previous.variables) {
+    if (v.required && !currentVars.has(v.name)) {
+      findings.push(createFinding({
+        detectorId: "D_DRIFT_ENV_REMOVED",
+        severity: "INFO",
+        category: "ContractDrift",
+        scope: "contracts",
+        title: `Env var removed: ${v.name}`,
+        why: "Environment variable no longer used",
+        confidence: "high",
+        evidence: [{
+          kind: "file",
+          reason: `${v.name} was in previous contract but not current`,
+        }],
+      }));
+    }
+  }
+  // Public → Server (security concern)
+  for (const v of current.variables) {
+    const prev = previous.variables.find(p => p.name === v.name);
+    if (prev && prev.public && !v.public) {
+      findings.push(createFinding({
+        detectorId: "D_DRIFT_ENV_PUBLIC_TO_SERVER",
+        severity: "INFO",
+        category: "ContractDrift",
+        scope: "contracts",
+        title: `Env var moved from public to server: ${v.name}`,
+        why: "Variable changed from public to server-only (good for security)",
+        confidence: "medium",
+        evidence: [{
+          kind: "file",
+          reason: `${v.name} prefix changed`,
+        }],
+      }));
+    }
+  }
+  return findings;
+}
+/**
+ * Detect auth drift
+ */
+function detectAuthDrift(current, previous, options = {}) {
+  const findings = [];
+  // Protected patterns removed
+  const currentPatterns = new Set(current.protectedPatterns);
+  const previousPatterns = new Set(previous.protectedPatterns);
+  for (const pattern of previousPatterns) {
+    if (!currentPatterns.has(pattern)) {
+      findings.push(createFinding({
+        detectorId: "D_DRIFT_AUTH_PATTERN_REMOVED",
+        severity: "BLOCK",
+        category: "ContractDrift",
+        scope: "contracts",
+        title: `Protected pattern removed: ${pattern}`,
+        why: "Auth protection pattern was removed from middleware",
+        confidence: "high",
+        evidence: [{
+          kind: "file",
+          reason: `Pattern "${pattern}" no longer in matcher`,
+        }],
+      }));
+    }
+  }
+  // Middleware disabled
+  if (previous.middleware.next && !current.middleware.next) {
+    findings.push(createFinding({
+      detectorId: "D_DRIFT_AUTH_MIDDLEWARE_DISABLED",
+      severity: "BLOCK",
+      category: "ContractDrift",
+      scope: "contracts",
+      title: "Next.js auth middleware disabled",
+      why: "Auth middleware was active but is now disabled",
+      confidence: "high",
+      evidence: [{
+        kind: "file",
+        reason: "middleware.ts no longer exports auth matcher",
+      }],
+    }));
+  }
+  return findings;
+}
+/**
+ * Detect external service drift
+ */
+function detectExternalDrift(current, previous, options = {}) {
+  const findings = [];
+  // Stripe webhook verification removed
+  if (previous.stripe.webhookVerified && !current.stripe.webhookVerified) {
+    findings.push(createFinding({
+      detectorId: "D_DRIFT_STRIPE_VERIFY_REMOVED",
+      severity: "BLOCK",
+      category: "ContractDrift",
+      scope: "contracts",
+      title: "Stripe webhook verification removed",
+      why: "Stripe webhook signature verification was present but removed",
+      confidence: "high",
+      evidence: [{
+        kind: "file",
+        reason: "constructEvent or verifyHeader no longer called",
+      }],
+    }));
+  }
+  return findings;
+}
+// =============================================================================
+// CONTRACT SYNC (ctx sync)
+// =============================================================================
+/**
+ * Sync contracts - generate and save
+ */
+function syncContracts(truthpack, repoRoot) {
+  const contracts = generateContracts(truthpack);
+  const contractsDir = path.join(repoRoot, ".vibecheck", "contracts");
+  fs.mkdirSync(contractsDir, { recursive: true });
+  // Write individual contract files
+  for (const type of Object.values(CONTRACT_TYPES)) {
+    if (contracts[type]) {
+      fs.writeFileSync(
+        path.join(contractsDir, `${type}.json`),
+        JSON.stringify(contracts[type], null, 2)
+      );
+    }
+  }
+  // Write combined contracts
+  fs.writeFileSync(
+    path.join(contractsDir, "contracts.json"),
+    JSON.stringify(contracts, null, 2)
+  );
+  // Write hashes for quick drift check
+  fs.writeFileSync(
+    path.join(contractsDir, "hashes.json"),
+    JSON.stringify(contracts.hashes, null, 2)
+  );
+  return contracts;
+}
+/**
+ * Load previous contracts for drift comparison
+ */
+function loadPreviousContracts(repoRoot) {
+  const contractsPath = path.join(repoRoot, ".vibecheck", "contracts", "contracts.json");
+  if (!fs.existsSync(contractsPath)) {
+    return null;
+  }
+  try {
+    return JSON.parse(fs.readFileSync(contractsPath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+/**
+ * Guard contracts - check for drift and generate findings
+ */
+function guardContracts(truthpack, repoRoot, options = {}) {
+  const previous = loadPreviousContracts(repoRoot);
+  if (!previous) {
+    // No previous contracts, just sync
+    const contracts = syncContracts(truthpack, repoRoot);
+    return {
+      isFirstRun: true,
+      hasDrift: false,
+      findings: [],
+      contracts,
+    };
+  }
+  const current = generateContracts(truthpack);
+  const drift = detectDrift(current, previous, options);
+  // If no blockers, update contracts
+  const hasBlockers = drift.findings.some(f => f.severity === "BLOCK");
+  if (!hasBlockers) {
+    syncContracts(truthpack, repoRoot);
+  }
+  return {
+    isFirstRun: false,
+    hasDrift: drift.hasDrift,
+    hasBlockers,
+    findings: drift.findings,
+    contracts: current,
+    previous,
+  };
+}
+// =============================================================================
+// DRIFT EXPLAINABILITY
+// =============================================================================
+/**
+ * Generate detailed drift explanation with remediation
+ */
+function explainDrift(driftResult) {
+  const { findings, summary } = driftResult;
+  const explanation = {
+    summary: {
+      hasDrift: driftResult.hasDrift,
+      totalChanges: findings.length,
+      byCategory: summary,
+      verdict: findings.some(f => f.severity === "BLOCK") ? "BLOCK" :
+               findings.some(f => f.severity === "WARN") ? "WARN" : "OK",
+    },
+    changes: [],
+    remediation: [],
+  };
+  for (const finding of findings) {
+    const change = {
+      type: getChangeType(finding.detectorId),
+      severity: finding.severity,
+      title: finding.title,
+      why: finding.why || getWhyMessage(finding),
+      impact: getImpactMessage(finding),
+      remediation: getRemediationCommand(finding),
+    };
+    explanation.changes.push(change);
+    if (change.remediation) {
+      explanation.remediation.push(change.remediation);
+    }
+  }
+  return explanation;
+}
+/**
+ * Get change type from detector ID
+ */
+function getChangeType(detectorId) {
+  const types = {
+    "D_DRIFT_ROUTE_NEW": "added",
+    "D_DRIFT_ROUTE_REMOVED": "removed",
+    "D_DRIFT_AUTH_REMOVED": "modified",
+    "D_DRIFT_ENV_NEW_REQUIRED": "added",
+    "D_DRIFT_ENV_REMOVED": "removed",
+    "D_DRIFT_ENV_PUBLIC_TO_SERVER": "modified",
+    "D_DRIFT_AUTH_PATTERN_REMOVED": "removed",
+    "D_DRIFT_AUTH_PATTERN_NEW": "added",
+    "D_DRIFT_EXTERNAL_NEW": "added",
+    "D_DRIFT_EXTERNAL_REMOVED": "removed",
+  };
+  return types[detectorId] || "unknown";
+}
+/**
+ * Get why message for finding
+ */
+function getWhyMessage(finding) {
+  const messages = {
+    "D_DRIFT_ROUTE_NEW": "New endpoint referenced by client but not in previous contract",
+    "D_DRIFT_ROUTE_REMOVED": "Endpoint was in contract but no longer exists in codebase",
+    "D_DRIFT_AUTH_REMOVED": "Route lost auth protection - potential security regression",
+    "D_DRIFT_ENV_NEW_REQUIRED": "New required env var may break deployments without it",
+    "D_DRIFT_ENV_REMOVED": "Env var no longer used - can be cleaned up",
+    "D_DRIFT_AUTH_PATTERN_REMOVED": "Auth protection pattern removed from middleware",
+    "D_DRIFT_AUTH_PATTERN_NEW": "New route pattern added to auth middleware",
+    "D_DRIFT_EXTERNAL_NEW": "New external API dependency detected",
+    "D_DRIFT_EXTERNAL_REMOVED": "External API dependency removed",
+  };
+  return messages[finding.detectorId] || "Contract changed since last sync";
+}
+/**
+ * Get impact message for finding
+ */
+function getImpactMessage(finding) {
+  if (finding.severity === "BLOCK") {
+    return "This change may cause runtime failures or security issues";
+  }
+  if (finding.severity === "WARN") {
+    return "This change should be reviewed before shipping";
+  }
+  return "This change is informational";
+}
+/**
+ * Get remediation command for finding
+ */
+function getRemediationCommand(finding) {
+  const detectorId = finding.detectorId;
+  // If the change is intentional, sync contracts
+  if (detectorId.includes("NEW") || detectorId.includes("ADDED")) {
+    return {
+      ifIntentional: "vibecheck ctx sync",
+      description: "If this change is intentional, sync contracts",
+    };
+  }
+  if (detectorId.includes("REMOVED")) {
+    if (detectorId.includes("ROUTE")) {
+      return {
+        ifIntentional: "vibecheck ctx sync",
+        ifAccidental: `Add route back or remove client call to ${finding.evidence?.[0]?.path || "the endpoint"}`,
+        description: "Route was removed - verify this is intentional",
+      };
+    }
+    if (detectorId.includes("AUTH")) {
+      return {
+        ifIntentional: "vibecheck ctx sync --force",
+        ifAccidental: "Restore auth protection to the route",
+        description: "Auth was removed - this is usually NOT intentional",
+      };
+    }
+  }
+  return {
+    ifIntentional: "vibecheck ctx sync",
+    description: "Review the change and sync if intentional",
+  };
+}
+/**
+ * Write contracts diff to disk
+ */
+function writeContractsDiff(repoRoot, driftResult) {
+  const dir = path.join(repoRoot, ".vibecheck");
+  fs.mkdirSync(dir, { recursive: true });
+  const explanation = explainDrift(driftResult);
+  const diff = {
+    meta: {
+      generatedAt: new Date().toISOString(),
+      verdict: explanation.summary.verdict,
+    },
+    ...explanation,
+  };
+  const diffPath = path.join(dir, "contracts_diff.json");
+  fs.writeFileSync(diffPath, JSON.stringify(diff, null, 2));
+  return { path: diffPath, explanation };
+}
+/**
+ * Print drift report to console
+ */
+function printDriftReport(driftResult) {
+  const explanation = explainDrift(driftResult);
+  console.log("\n" + "=".repeat(60));
+  console.log("📋 CONTRACT DRIFT REPORT");
+  console.log("=".repeat(60));
+  if (!driftResult.hasDrift) {
+    console.log("\n✅ No drift detected - contracts are in sync\n");
+    return;
+  }
+  const verdictEmoji = {
+    BLOCK: "🚫",
+    WARN: "⚠️",
+    OK: "✅",
+  }[explanation.summary.verdict];
+  console.log(`\nVerdict: ${verdictEmoji} ${explanation.summary.verdict}`);
+  console.log(`Changes: ${explanation.summary.totalChanges}`);
+  // Group by severity
+  const blockers = explanation.changes.filter(c => c.severity === "BLOCK");
+  const warnings = explanation.changes.filter(c => c.severity === "WARN");
+  const infos = explanation.changes.filter(c => c.severity === "INFO");
+  if (blockers.length > 0) {
+    console.log("\n🚫 BLOCKERS:");
+    for (const change of blockers) {
+      console.log(`   ${change.type.toUpperCase()}: ${change.title}`);
+      console.log(`   └─ Why: ${change.why}`);
+      if (change.remediation?.ifAccidental) {
+        console.log(`   └─ Fix: ${change.remediation.ifAccidental}`);
+      }
+    }
+  }
+  if (warnings.length > 0) {
+    console.log("\n⚠️  WARNINGS:");
+    for (const change of warnings) {
+      console.log(`   ${change.type.toUpperCase()}: ${change.title}`);
+      console.log(`   └─ Why: ${change.why}`);
+    }
+  }
+  if (infos.length > 0) {
+    console.log("\nℹ️  INFO:");
+    for (const change of infos) {
+      console.log(`   ${change.type.toUpperCase()}: ${change.title}`);
+    }
+  }
+  // Remediation
+  console.log("\n" + "-".repeat(60));
+  console.log("REMEDIATION:");
+  if (explanation.summary.verdict === "BLOCK") {
+    console.log("\n   If changes are INTENTIONAL:");
+    console.log("   $ vibecheck ctx sync --force");
+    console.log("\n   If changes are ACCIDENTAL:");
+    console.log("   - Review the blockers above and fix the issues");
+    console.log("   - Then run: vibecheck ctx sync");
+  } else {
+    console.log("\n   To accept these changes:");
+    console.log("   $ vibecheck ctx sync");
+  }
+  console.log("\n" + "=".repeat(60) + "\n");
+}
+// =============================================================================
+// HELPERS
+// =============================================================================
+function computeHash(content) {
+  return crypto.createHash("sha256").update(content).digest("hex").slice(0, 16);
+}
+function countByField(items, field) {
+  const counts = {};
+  for (const item of items) {
+    const value = item[field] || "unknown";
+    counts[value] = (counts[value] || 0) + 1;
+  }
+  return counts;
+}
+// =============================================================================
+// EXPORTS
+// =============================================================================
+module.exports = {
+  // Contract types
+  CONTRACT_TYPES,
+  // Generation
+  generateContracts,
+  generateRouteContract,
+  generateEnvContract,
+  generateAuthContract,
+  generateExternalContract,
+  // Drift detection
+  detectDrift,
+  detectRouteDrift,
+  detectEnvDrift,
+  detectAuthDrift,
+  detectExternalDrift,
+  // Drift explainability
+  explainDrift,
+  writeContractsDiff,
+  printDriftReport,
+  // Sync/Guard
+  syncContracts,
+  loadPreviousContracts,
+  guardContracts,
+};