npm - @amistio/cli - Versions diffs - 0.1.10 → 0.1.12 - Mend

@amistio/cli 0.1.10 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -20,6 +20,10 @@ var itemTypeSchema = z.enum([
   "repositoryLink",
   "brainDocument",
   "generatedDraft",
+  "issue",
+  "securityScan",
+  "securityFinding",
+  "securityPostureSnapshot",
   "syncCursor",
   "syncConflict",
   "workItem",
@@ -66,11 +70,22 @@ var workStatusSchema = z.enum([
 ]);
 var sourceSchema = z.enum(["web", "repo", "generated", "runner"]);
 var executionModeSchema = z.enum(["localRunner", "cloudSandbox"]);
-var workKindSchema = z.enum(["brainGeneration", "implementation", "planRevision", "assistantQuestion", "impactPreview"]);
+var workKindSchema = z.enum(["brainGeneration", "implementation", "planRevision", "assistantQuestion", "impactPreview", "issueDiagnosis", "securityPostureScan"]);
 var generatedDraftStatusSchema = z.enum(["queued", "generating", "reviewing", "approved", "rejected", "changesRequested", "failed"]);
 var assistantQuestionModeSchema = z.enum(["brainOnly", "sourceAware"]);
 var impactRiskLevelSchema = z.enum(["low", "medium", "high", "critical"]);
 var impactReportStatusSchema = z.enum(["queued", "running", "completed", "failed", "stale"]);
+var issueCategorySchema = z.enum(["bug", "regression", "brokenWorkflow", "security", "operational", "other"]);
+var issueSeveritySchema = z.enum(["low", "medium", "high", "critical"]);
+var issueStatusSchema = z.enum(["queued", "diagnosing", "analysisReady", "approved", "changesRequested", "rejected", "implementationQueued", "implemented", "failed"]);
+var issueApprovalStateSchema = z.enum(["proposed", "approved", "changesRequested", "rejected", "implemented", "blocked"]);
+var securityScanStatusSchema = z.enum(["queued", "running", "completed", "failed", "stale", "skipped"]);
+var securityScanSourceSchema = z.enum(["nightly", "manual"]);
+var securityFindingCategorySchema = z.enum(["owasp", "dependency", "supplyChain", "secretHygiene", "authentication", "authorization", "tenantIsolation", "headers", "redirects", "csrf", "cors", "ciCd", "logging", "runnerBoundary", "other"]);
+var securityFindingSeveritySchema = z.enum(["info", "low", "medium", "high", "critical"]);
+var securityFindingConfidenceSchema = z.enum(["low", "medium", "high"]);
+var securityFindingStatusSchema = z.enum(["open", "planReady", "approved", "changesRequested", "dismissed", "acceptedRisk", "remediationQueued", "resolved", "failed"]);
+var securityApprovalStateSchema = z.enum(["proposed", "approved", "changesRequested", "dismissed", "acceptedRisk", "implemented", "blocked"]);
 var activityEventTypeSchema = z.enum([
   "commandSubmitted",
   "generationQueued",
@@ -89,6 +104,19 @@ var activityEventTypeSchema = z.enum([
   "impactPreviewCompleted",
   "impactPreviewFailed",
   "impactPreviewStale",
+  "issueDiagnosisQueued",
+  "issueDiagnosisCompleted",
+  "issueDiagnosisFailed",
+  "issueReview",
+  "issueImplementationQueued",
+  "securityScanQueued",
+  "securityScanStarted",
+  "securityScanCompleted",
+  "securityScanFailed",
+  "securityFindingOpened",
+  "securityFindingReviewed",
+  "securityRemediationPlanCreated",
+  "securityRemediationQueued",
   "handoffExported"
 ]);
 var activityEventActorSchema = z.enum(["webUser", "runner", "cli", "system"]);
@@ -338,6 +366,9 @@ var workItemSchema = baseItemSchema.extend({
   approvedByUserId: z.string().min(1).optional(),
   sourceWish: z.string().min(1).optional(),
   generatedDraftId: z.string().min(1).optional(),
+  issueId: z.string().min(1).optional(),
+  securityScanId: z.string().min(1).optional(),
+  securityFindingId: z.string().min(1).optional(),
   repositoryLinkId: z.string().min(1).optional(),
   reviewThreadId: z.string().min(1).optional(),
   reviewDocumentId: z.string().min(1).optional(),
@@ -386,6 +417,7 @@ var runnerHeartbeatItemSchema = baseItemSchema.extend({
   mode: z.enum(["foreground", "background"]).optional(),
   hostname: z.string().min(1).optional(),
   runnerName: z.string().min(1).optional(),
+  supportedWorkKinds: z.array(workKindSchema).optional(),
   supportsBranchIsolation: z.boolean().optional(),
   supportsGitWorktreeIsolation: z.boolean().optional(),
   currentWorkItemId: z.string().min(1).optional(),
@@ -720,6 +752,148 @@ var impactPreviewResultSchema = z.object({
   analyzedRepoRevision: z.number().int().nonnegative().optional(),
   repoFingerprint: z.string().min(1).optional()
 });
+var issueDiagnosisResultSchema = z.object({
+  summary: z.string().trim().min(1),
+  impact: z.string().trim().min(1),
+  evidence: z.array(z.string().trim().min(1)).default([]),
+  affectedSurfaces: z.array(z.string().trim().min(1)).default([]),
+  rootCauseAnalysis: z.string().trim().min(1),
+  falsifiableHypothesis: z.string().trim().min(1).optional(),
+  nextCheck: z.string().trim().min(1).optional(),
+  proposedFix: z.string().trim().min(1),
+  expectedBehavior: z.string().trim().min(1),
+  verificationPlan: z.array(z.string().trim().min(1)).min(1),
+  riskLevel: impactRiskLevelSchema.default("medium"),
+  likelyPaths: z.array(impactPathSchema).default([]),
+  approvalState: issueApprovalStateSchema.default("proposed")
+});
+var issueItemSchema = baseItemSchema.extend({
+  type: z.literal("issue"),
+  projectId: z.string().min(1),
+  issueId: z.string().min(1),
+  title: z.string().trim().min(1).max(200),
+  description: z.string().trim().min(1).max(12e3),
+  category: issueCategorySchema.default("bug"),
+  severity: issueSeveritySchema.default("medium"),
+  status: issueStatusSchema,
+  approvalState: issueApprovalStateSchema.default("proposed"),
+  submittedByUserId: z.string().min(1).optional(),
+  repositoryLinkId: z.string().min(1).optional(),
+  diagnosisWorkItemId: z.string().min(1).optional(),
+  implementationWorkItemId: z.string().min(1).optional(),
+  diagnosis: issueDiagnosisResultSchema.optional(),
+  reviewNotes: z.string().trim().min(1).optional(),
+  approvedByUserId: z.string().min(1).optional(),
+  approvedAt: isoDateTimeSchema.optional(),
+  requestedChangesByUserId: z.string().min(1).optional(),
+  requestedChangesAt: isoDateTimeSchema.optional(),
+  rejectedByUserId: z.string().min(1).optional(),
+  rejectedAt: isoDateTimeSchema.optional(),
+  diagnosedAt: isoDateTimeSchema.optional(),
+  runnerId: z.string().min(1).optional(),
+  lastDiagnosisError: z.string().optional()
+});
+var securityStandardReferenceSchema = z.object({
+  standard: z.string().trim().min(1).max(120),
+  control: z.string().trim().min(1).max(160),
+  url: z.string().url().optional()
+});
+var securitySeverityCountsSchema = z.object({
+  info: z.number().int().nonnegative().default(0),
+  low: z.number().int().nonnegative().default(0),
+  medium: z.number().int().nonnegative().default(0),
+  high: z.number().int().nonnegative().default(0),
+  critical: z.number().int().nonnegative().default(0)
+});
+var defaultSecuritySeverityCounts = { info: 0, low: 0, medium: 0, high: 0, critical: 0 };
+var securityCategorySummarySchema = z.object({
+  category: securityFindingCategorySchema,
+  status: z.enum(["pass", "warning", "fail", "unknown"]),
+  summary: z.string().trim().min(1).max(600)
+});
+var securityFindingResultSchema = z.object({
+  title: z.string().trim().min(1).max(200),
+  category: securityFindingCategorySchema,
+  severity: securityFindingSeveritySchema,
+  confidence: securityFindingConfidenceSchema.default("medium"),
+  summary: z.string().trim().min(1).max(2e3),
+  standardReferences: z.array(securityStandardReferenceSchema).default([]),
+  affectedSurfaces: z.array(z.string().trim().min(1).max(300)).default([]),
+  evidence: z.array(z.string().trim().min(1).max(600)).default([]),
+  recommendedRemediation: z.string().trim().min(1).max(4e3),
+  verificationPlan: z.array(z.string().trim().min(1).max(300)).min(1),
+  safePaths: z.array(z.string().trim().min(1).max(300)).default([]),
+  status: securityFindingStatusSchema.default("open")
+});
+var securityPostureScanResultSchema = z.object({
+  summary: z.string().trim().min(1).max(2e3),
+  baselineVersion: z.string().trim().min(1).max(80),
+  postureScore: z.number().min(0).max(100).optional(),
+  postureGrade: z.enum(["A", "B", "C", "D", "F", "Unknown"]).default("Unknown"),
+  categorySummaries: z.array(securityCategorySummarySchema).default([]),
+  findings: z.array(securityFindingResultSchema).default([]),
+  verificationPlan: z.array(z.string().trim().min(1).max(300)).min(1)
+});
+var securityScanItemSchema = baseItemSchema.extend({
+  type: z.literal("securityScan"),
+  projectId: z.string().min(1),
+  securityScanId: z.string().min(1),
+  scheduledDate: z.string().regex(/^\d{4}-\d{2}-\d{2}$/),
+  source: securityScanSourceSchema,
+  status: securityScanStatusSchema,
+  baselineVersion: z.string().trim().min(1).max(80).default("amistio-security-baseline-v1"),
+  workItemId: z.string().min(1).optional(),
+  runnerId: z.string().min(1).optional(),
+  findingIds: z.array(z.string().min(1)).default([]),
+  summary: z.string().trim().min(1).max(2e3).optional(),
+  severityCounts: securitySeverityCountsSchema.default(defaultSecuritySeverityCounts),
+  startedAt: isoDateTimeSchema.optional(),
+  completedAt: isoDateTimeSchema.optional(),
+  failedAt: isoDateTimeSchema.optional(),
+  error: z.string().max(1e3).optional()
+});
+var securityFindingItemSchema = baseItemSchema.extend({
+  type: z.literal("securityFinding"),
+  projectId: z.string().min(1),
+  securityFindingId: z.string().min(1),
+  securityScanId: z.string().min(1),
+  title: z.string().trim().min(1).max(200),
+  category: securityFindingCategorySchema,
+  severity: securityFindingSeveritySchema,
+  confidence: securityFindingConfidenceSchema.default("medium"),
+  status: securityFindingStatusSchema,
+  approvalState: securityApprovalStateSchema.default("proposed"),
+  summary: z.string().trim().min(1).max(2e3),
+  standardReferences: z.array(securityStandardReferenceSchema).default([]),
+  affectedSurfaces: z.array(z.string().trim().min(1).max(300)).default([]),
+  evidence: z.array(z.string().trim().min(1).max(600)).default([]),
+  safePaths: z.array(z.string().trim().min(1).max(300)).default([]),
+  recommendedRemediation: z.string().trim().min(1).max(4e3),
+  verificationPlan: z.array(z.string().trim().min(1).max(300)).min(1),
+  remediationPlanDocumentId: z.string().min(1).optional(),
+  remediationPromptDocumentId: z.string().min(1).optional(),
+  implementationWorkItemId: z.string().min(1).optional(),
+  reviewNotes: z.string().trim().min(1).optional(),
+  reviewedByUserId: z.string().min(1).optional(),
+  reviewedAt: isoDateTimeSchema.optional(),
+  resolvedAt: isoDateTimeSchema.optional(),
+  lastReviewAction: z.enum(["approve", "requestChanges", "dismiss", "acceptRisk", "reopen"]).optional()
+});
+var securityPostureSnapshotItemSchema = baseItemSchema.extend({
+  type: z.literal("securityPostureSnapshot"),
+  projectId: z.string().min(1),
+  securityPostureSnapshotId: z.string().min(1),
+  latestScanId: z.string().min(1).optional(),
+  status: z.enum(["unknown", "fresh", "stale", "running", "failed"]),
+  baselineVersion: z.string().trim().min(1).max(80).default("amistio-security-baseline-v1"),
+  postureScore: z.number().min(0).max(100).optional(),
+  postureGrade: z.enum(["A", "B", "C", "D", "F", "Unknown"]).default("Unknown"),
+  severityCounts: securitySeverityCountsSchema.default(defaultSecuritySeverityCounts),
+  categorySummaries: z.array(securityCategorySummarySchema).default([]),
+  lastScannedAt: isoDateTimeSchema.optional(),
+  nextScheduledAt: isoDateTimeSchema.optional(),
+  summary: z.string().trim().min(1).max(2e3).optional()
+});
 var activityEventItemSchema = baseItemSchema.extend({
   type: z.literal("activityEvent"),
   projectId: z.string().min(1),
@@ -734,6 +908,9 @@ var activityEventItemSchema = baseItemSchema.extend({
   occurredAt: isoDateTimeSchema,
   relatedWorkItemId: z.string().min(1).optional(),
   relatedDocumentId: z.string().min(1).optional(),
+  relatedIssueId: z.string().min(1).optional(),
+  relatedSecurityScanId: z.string().min(1).optional(),
+  relatedSecurityFindingId: z.string().min(1).optional(),
   generatedDraftId: z.string().min(1).optional(),
   runnerId: z.string().min(1).optional(),
   repositoryLinkId: z.string().min(1).optional(),
@@ -790,6 +967,10 @@ var projectItemUnionSchema = z.discriminatedUnion("type", [
   repositoryLinkItemSchema,
   brainDocumentItemSchema,
   generatedDraftItemSchema,
+  issueItemSchema,
+  securityScanItemSchema,
+  securityFindingItemSchema,
+  securityPostureSnapshotItemSchema,
   syncCursorItemSchema,
   syncConflictItemSchema,
   workItemSchema,
@@ -1527,6 +1708,13 @@ var ApiClient = class {
       { method: "GET" }
     );
   }
+  async listIssues(projectId) {
+    return this.request(
+      `/projects/${projectId}/issues`,
+      z3.object({ issues: z3.array(issueItemSchema) }),
+      { method: "GET" }
+    );
+  }
   async pushBrainDocuments(projectId, documents) {
     return this.request(
       `/projects/${projectId}/brain-documents`,
@@ -1684,6 +1872,26 @@ var ApiClient = class {
       }
     );
   }
+  async submitIssueDiagnosisResult(projectId, workItemId, result) {
+    return this.request(
+      `/projects/${projectId}/work-items/${workItemId}/issue-result`,
+      z3.object({ issue: issueItemSchema, workItem: workItemSchema }),
+      {
+        method: "POST",
+        body: JSON.stringify(result)
+      }
+    );
+  }
+  async submitSecurityPostureScanResult(projectId, workItemId, result) {
+    return this.request(
+      `/projects/${projectId}/work-items/${workItemId}/security-result`,
+      z3.object({ scan: securityScanItemSchema, findings: z3.array(securityFindingItemSchema), snapshot: securityPostureSnapshotItemSchema, workItem: workItemSchema }),
+      {
+        method: "POST",
+        body: JSON.stringify(result)
+      }
+    );
+  }
   async request(urlPath, schema, init) {
     const response = await fetch(resolveApiUrl(this.options.apiUrl, urlPath), {
       ...init,
@@ -3652,6 +3860,10 @@ var assistantAnswerStart = "AMISTIO_ASSISTANT_ANSWER_START";
 var assistantAnswerEnd = "AMISTIO_ASSISTANT_ANSWER_END";
 var impactPreviewStart = "AMISTIO_IMPACT_PREVIEW_START";
 var impactPreviewEnd = "AMISTIO_IMPACT_PREVIEW_END";
+var issueDiagnosisStart = "AMISTIO_ISSUE_DIAGNOSIS_START";
+var issueDiagnosisEnd = "AMISTIO_ISSUE_DIAGNOSIS_END";
+var securityPostureStart = "AMISTIO_SECURITY_POSTURE_START";
+var securityPostureEnd = "AMISTIO_SECURITY_POSTURE_END";
 function createWorkExecutionPrompt(workItem, context) {
   if (workItem.workKind === "brainGeneration") {
     return createBrainGenerationPrompt(workItem);
@@ -3665,6 +3877,12 @@ function createWorkExecutionPrompt(workItem, context) {
   if (workItem.workKind === "impactPreview") {
     return createImpactPreviewPrompt(workItem, context?.impactPreview);
   }
+  if (workItem.workKind === "issueDiagnosis") {
+    return createIssueDiagnosisPrompt(workItem, context?.issueDiagnosis);
+  }
+  if (workItem.workKind === "securityPostureScan") {
+    return createSecurityPostureScanPrompt(workItem, context?.securityPostureScan);
+  }
   return [
     "# Amistio Work Execution",
     "",
@@ -3693,6 +3911,113 @@ function createWorkExecutionPrompt(workItem, context) {
     "- Run relevant verification commands when feasible and summarize results."
   ].join("\n");
 }
+function createSecurityPostureScanPrompt(workItem, context) {
+  const approvedContext = (context?.documents ?? []).filter((document) => document.status === "approved" || document.syncState === "approved" || document.syncState === "synced").slice(0, 20).map((document) => [
+    `### ${document.title}`,
+    `documentId: ${document.documentId}`,
+    `documentType: ${document.documentType}`,
+    `repoPath: ${document.repoPath}`,
+    `revision: ${document.revision}`,
+    document.content.slice(0, 3e3)
+  ].join("\n")).join("\n\n");
+  return [
+    "# Amistio Security Posture Scan",
+    "",
+    "You are running locally through the Amistio CLI inside the user's repository.",
+    "Run a read-only security posture scan and produce approval-gated remediation findings.",
+    "Do not modify files, create branches, commit, run implementation prompts, install packages, perform exploit attempts, call external services, or make unaudited network calls.",
+    "Use only safe local inspection and focused diagnostic commands that do not expose secrets.",
+    "",
+    "## Work Item",
+    "",
+    `Title: ${workItem.title}`,
+    `Work item ID: ${workItem.workItemId}`,
+    `Project ID: ${workItem.projectId}`,
+    `Security scan ID: ${workItem.securityScanId ?? "unknown"}`,
+    "",
+    "## Scan Request",
+    "",
+    workItem.sourceWish ?? "Run the Amistio security baseline.",
+    "",
+    "## Approved Project Brain Context",
+    "",
+    approvedContext || "No approved project-brain records were loaded. Inspect local repository files as needed and explain the gap in the summary.",
+    "",
+    "## Baseline Requirements",
+    "",
+    "- Cover OWASP Top 10 and OWASP ASVS Level 1 style controls.",
+    "- Check dependency and supply-chain posture: audit advisories, lockfiles, CI verification, release provenance, and trusted publishing where applicable.",
+    "- Check secret and credential hygiene using redacted evidence only.",
+    "- Check authentication, authorization, tenant isolation, redirects/callbacks, CSRF, CORS, security headers, logging redaction, and rate limiting.",
+    "- Check Amistio controls: local-runner-only execution, supported work-kind gates, approval gates, worktree isolation, runner credential binding, and redacted telemetry.",
+    "",
+    "## Data Safety",
+    "",
+    "- Persist summaries, controls, repository-relative paths, and redacted evidence only.",
+    "- Do not include raw source, secrets, env vars, command lines, process lists, absolute local paths, credential values, tokens, provider sessions, or exploit payloads.",
+    "- Use safePaths for repo-relative paths only; never include /absolute paths or ../ traversal.",
+    "",
+    "## Output Contract",
+    "",
+    "Print exactly one JSON object between the markers below. The CLI will submit only this structured scan result back to Amistio.",
+    "",
+    securityPostureStart,
+    '{"summary":"Security posture is mostly healthy, but dependency advisory review is not automated.","baselineVersion":"amistio-security-baseline-v1","postureScore":82,"postureGrade":"B","categorySummaries":[{"category":"dependency","status":"warning","summary":"Dependency audit automation is incomplete."}],"findings":[{"title":"Dependency audit is not enforced in CI","category":"dependency","severity":"medium","confidence":"high","summary":"The repository has a lockfile, but CI does not appear to fail on known vulnerable dependencies.","standardReferences":[{"standard":"OWASP ASVS","control":"V14.2 Dependency"}],"affectedSurfaces":["CI verification"],"evidence":["No dependency audit step was found in the CI verification summary."],"recommendedRemediation":"Add a dependency advisory check to the existing verification pipeline and document how failures are handled.","verificationPlan":["Run the updated CI verification command locally","Confirm a known advisory fails the check in a controlled test"],"safePaths":["package.json","pnpm-lock.yaml"]}],"verificationPlan":["Run focused dependency and CI checks","Review Security panel findings for approval"]}',
+    securityPostureEnd,
+    "",
+    "Do not put Markdown fences around the markers. Do not implement remediation."
+  ].join("\n");
+}
+function createIssueDiagnosisPrompt(workItem, context) {
+  const issue = context?.issue;
+  const approvedContext = (context?.documents ?? []).filter((document) => document.status === "approved" || document.syncState === "approved" || document.syncState === "synced").slice(0, 16).map((document) => [
+    `### ${document.title}`,
+    `documentId: ${document.documentId}`,
+    `documentType: ${document.documentType}`,
+    `repoPath: ${document.repoPath}`,
+    `revision: ${document.revision}`,
+    document.content.slice(0, 3e3)
+  ].join("\n")).join("\n\n");
+  return [
+    "# Amistio Issue Diagnosis",
+    "",
+    "You are running locally through the Amistio CLI inside the user's repository.",
+    "Diagnose the submitted bug or operational issue and prepare the approval-gated fix analysis.",
+    "This is a diagnosis-only task. Do not modify files, create branches, run implementation commands, or commit changes.",
+    "",
+    "## Submitted Issue",
+    "",
+    `Issue ID: ${workItem.issueId ?? issue?.issueId ?? "unknown"}`,
+    `Title: ${issue?.title ?? workItem.title}`,
+    `Category: ${issue?.category ?? "bug"}`,
+    `Severity: ${issue?.severity ?? "medium"}`,
+    "",
+    issue?.description ?? workItem.sourceWish ?? workItem.title,
+    "",
+    "## Approved Project Brain Context",
+    "",
+    approvedContext || "No approved project-brain records were loaded. Inspect local repository files as needed and explain the gap in evidence.",
+    "",
+    "## Analysis Requirements",
+    "",
+    "- Document user-visible impact and concrete evidence or reproduction status.",
+    "- Name affected surfaces and likely paths using concise path summaries only.",
+    "- Provide rootCauseAnalysis. If unconfirmed, include falsifiableHypothesis and nextCheck.",
+    "- Propose the fix and expected behavior, then provide a verification plan.",
+    "- Keep repository source and secrets local. Do not include raw source dumps, credentials, local secret paths, or provider session references.",
+    "- Leave approvalState as proposed. Implementation must wait for user approval in Amistio.",
+    "",
+    "## Output Contract",
+    "",
+    "Print exactly one JSON object between the markers below. The CLI will submit only this structured diagnosis back to Amistio.",
+    "",
+    issueDiagnosisStart,
+    '{"summary":"The issue is caused by a missing state transition in the workspace action flow.","impact":"Users see a submitted action but no follow-up analysis appears.","evidence":["Reproduced by submitting an issue from the workspace UI"],"affectedSurfaces":["Workspace UI","Runner claim API"],"rootCauseAnalysis":"The issue path queues normal implementation work instead of diagnosis work.","falsifiableHypothesis":"Adding issueDiagnosis work and a dedicated result route will produce analysis without source mutation.","nextCheck":"Run focused web and CLI typechecks after wiring the route.","proposedFix":"Add a first-class issue diagnosis work kind, result parser, and approval-gated implementation queue.","expectedBehavior":"Submitted issues show a complete analysis and only queue implementation after approval.","verificationPlan":["Run shared, web, and CLI typechecks","Submit an issue with a compatible runner and verify analysis appears"],"riskLevel":"medium","likelyPaths":[{"repoPath":"src/apps/web/legacy/api/projects/[projectId]/issues.ts","reason":"Issue submission and approval route"}],"approvalState":"proposed"}',
+    issueDiagnosisEnd,
+    "",
+    "Do not put Markdown fences around the markers. Do not implement the fix."
+  ].join("\n");
+}
 function createImpactPreviewPrompt(workItem, context) {
   const implementationPrompt = context?.implementationPrompt;
   const approvedContext = (context?.documents ?? []).filter((document) => document.status === "approved" || document.syncState === "approved" || document.syncState === "synced").slice(0, 16).map((document) => [
@@ -3869,6 +4194,26 @@ function parseImpactPreviewResult(output) {
   const parsed = JSON.parse(stripJsonFence(payload));
   return impactPreviewResultSchema.parse(parsed);
 }
+function parseIssueDiagnosisResult(output) {
+  const start = output.indexOf(issueDiagnosisStart);
+  const end = output.indexOf(issueDiagnosisEnd, start + issueDiagnosisStart.length);
+  if (start === -1 || end === -1 || end <= start) {
+    throw new Error("Local AI diagnosis did not return an Amistio issue diagnosis block.");
+  }
+  const payload = output.slice(start + issueDiagnosisStart.length, end).trim();
+  const parsed = JSON.parse(stripJsonFence(payload));
+  return issueDiagnosisResultSchema.parse(parsed);
+}
+function parseSecurityPostureScanResult(output) {
+  const start = output.indexOf(securityPostureStart);
+  const end = output.indexOf(securityPostureEnd, start + securityPostureStart.length);
+  if (start === -1 || end === -1 || end <= start) {
+    throw new Error("Local AI scan did not return an Amistio security posture block.");
+  }
+  const payload = output.slice(start + securityPostureStart.length, end).trim();
+  const parsed = JSON.parse(stripJsonFence(payload));
+  return securityPostureScanResultSchema.parse(parsed);
+}
 function createBrainGenerationPrompt(workItem) {
   const wish = workItem.sourceWish ?? workItem.title;
   return [
@@ -4412,6 +4757,39 @@ async function runOfficialCliUpdate() {
   }
   return { succeeded: false, message: "Official Amistio CLI update command failed.", error: result.output || `npm exited with code ${result.exitCode}.` };
 }
+async function runOfficialCliUpdateWithRuntimeRefresh(options) {
+  const updateResult = await (options.runUpdate ?? runOfficialCliUpdate)();
+  if (!updateResult.succeeded) {
+    return updateResult;
+  }
+  if (options.mode === "foreground") {
+    return {
+      succeeded: true,
+      stopRunner: true,
+      message: `${updateResult.message} Restart the local runner command to load the updated CLI version.`
+    };
+  }
+  if (!options.restartBackgroundRunner) {
+    return {
+      succeeded: false,
+      message: `${updateResult.message} Background runner restart was not available after update. Restart the runner manually to load the updated CLI version.`,
+      error: "Background runner restart hook was not provided."
+    };
+  }
+  const restartResult = await options.restartBackgroundRunner();
+  if (restartResult.succeeded) {
+    return {
+      succeeded: true,
+      stopRunner: true,
+      message: `${updateResult.message} ${restartResult.message}`
+    };
+  }
+  return {
+    succeeded: false,
+    message: `${updateResult.message} Background runner restart failed after update. Restart the runner manually to load the updated CLI version.`,
+    error: restartResult.error ?? restartResult.message
+  };
+}
 function runOfficialUpdateProcess(command, args, timeoutMs) {
   return new Promise((resolve) => {
     const child = spawn4(command, args, { stdio: ["ignore", "pipe", "pipe"] });
@@ -4548,6 +4926,7 @@ var DEFAULT_MAX_PREFLIGHT_ATTEMPTS = 3;
 var DEFAULT_TOOL_TIMEOUT_SECONDS = 30 * 60;
 var RUNNER_WORK_LEASE_SECONDS = 300;
 var RUNNER_WORK_LEASE_RENEWAL_MS = 12e4;
+var runnerSupportedWorkKinds = ["brainGeneration", "implementation", "planRevision", "assistantQuestion", "impactPreview", "issueDiagnosis", "securityPostureScan"];
 program.name("amistio").description("Amistio project brain CLI").version(CLI_VERSION);
 program.command("init").description("Create Amistio control-plane folders for a new project").option("--root <path>", "Repository root", defaultRoot).action(async (options) => {
   const created = await initControlPlane(options.root);
@@ -5510,6 +5889,42 @@ async function runNextWorkItem({
       return recordFinalizationFailure({ apiClient, error, isolationTelemetry, projectId, repositoryLinkId, runnerId, sessionContext, toolConfig, toolName: preview.toolName, workItem: result.workItem, durationMs: Date.now() - startedAt });
     }
   }
+  if (result.workItem.workKind === "issueDiagnosis") {
+    try {
+      return await finalizeIssueDiagnosisWork({
+        apiClient,
+        durationMs: Date.now() - startedAt,
+        projectId,
+        repositoryLinkId,
+        runnerId,
+        sessionContext,
+        toolConfig,
+        toolName: preview.toolName,
+        toolResult,
+        workItem: result.workItem
+      });
+    } catch (error) {
+      return recordFinalizationFailure({ apiClient, error, isolationTelemetry, projectId, repositoryLinkId, runnerId, sessionContext, toolConfig, toolName: preview.toolName, workItem: result.workItem, durationMs: Date.now() - startedAt });
+    }
+  }
+  if (result.workItem.workKind === "securityPostureScan") {
+    try {
+      return await finalizeSecurityPostureScanWork({
+        apiClient,
+        durationMs: Date.now() - startedAt,
+        projectId,
+        repositoryLinkId,
+        runnerId,
+        sessionContext,
+        toolConfig,
+        toolName: preview.toolName,
+        toolResult,
+        workItem: result.workItem
+      });
+    } catch (error) {
+      return recordFinalizationFailure({ apiClient, error, isolationTelemetry, projectId, repositoryLinkId, runnerId, sessionContext, toolConfig, toolName: preview.toolName, workItem: result.workItem, durationMs: Date.now() - startedAt });
+    }
+  }
   const finalStatus = toolResult.exitCode === 0 ? "completed" : "failed";
   const durationMs = Date.now() - startedAt;
   const failureExcerpt = toolResult.exitCode === 0 ? void 0 : truncateLogExcerpt(toolResult.stderr || toolResult.stdout);
@@ -5712,6 +6127,7 @@ async function recordRunnerMilestone(apiClient, projectId, workItem, runnerId, r
     repositoryLinkId,
     relatedWorkItemId: workItem.workItemId,
     ...workItem.reviewDocumentId ? { relatedDocumentId: workItem.reviewDocumentId } : workItem.impactDocumentId ? { relatedDocumentId: workItem.impactDocumentId } : {},
+    ...workItem.issueId ? { relatedIssueId: workItem.issueId } : {},
     ...workItem.generatedDraftId ? { generatedDraftId: workItem.generatedDraftId } : {},
     ...input
   }).catch(() => void 0);
@@ -5759,7 +6175,10 @@ async function executeRunnerCommand(command, context) {
   if (command.commandKind === "restart") {
     return restartCurrentRunner(context);
   }
-  return runOfficialCliUpdate();
+  return runOfficialCliUpdateWithRuntimeRefresh({
+    mode: currentRunnerMode(),
+    restartBackgroundRunner: () => restartCurrentRunner(context)
+  });
 }
 async function restartCurrentRunner(context) {
   if (currentRunnerMode() !== "background") {
@@ -6047,6 +6466,178 @@ ${toolResult.stderr}`);
   console.error(previewError ?? "Local runner impact preview failed.");
   return { status: "failed", exitCode: toolResult.exitCode || 1 };
 }
+async function finalizeIssueDiagnosisWork({
+  apiClient,
+  durationMs,
+  projectId,
+  repositoryLinkId,
+  runnerId,
+  sessionContext,
+  toolConfig,
+  toolName,
+  toolResult,
+  workItem
+}) {
+  let diagnosis = void 0;
+  let diagnosisError;
+  if (toolResult.exitCode === 0) {
+    try {
+      diagnosis = parseIssueDiagnosisResult(`${toolResult.stdout}
+${toolResult.stderr}`);
+    } catch (error) {
+      diagnosisError = errorMessage3(error);
+    }
+  } else {
+    diagnosisError = truncateLogExcerpt(toolResult.stderr || toolResult.stdout) || `${toolName} exited with code ${toolResult.exitCode}.`;
+  }
+  const finalStatus = diagnosis ? "completed" : "failed";
+  const updatedToolSession = await finalizeToolSession({
+    apiClient,
+    projectId,
+    status: finalStatus,
+    runnerId,
+    workItemId: workItem.workItemId,
+    stdout: toolResult.stdout,
+    ...sessionContext.toolSession ? { session: sessionContext.toolSession } : {},
+    ...toolResult.messageCount !== void 0 ? { messageCount: toolResult.messageCount } : {},
+    ...toolResult.tokensIn !== void 0 ? { tokensIn: toolResult.tokensIn } : {},
+    ...toolResult.tokensOut !== void 0 ? { tokensOut: toolResult.tokensOut } : {},
+    ...toolResult.costUsd !== void 0 ? { costUsd: toolResult.costUsd } : {}
+  });
+  const sessionTelemetry = {
+    sessionPolicy: sessionContext.policy,
+    sessionDecision: sessionContext.decision,
+    sessionDecisionReason: sessionContext.reason,
+    ...updatedToolSession ? { toolSessionId: updatedToolSession.toolSessionId } : {},
+    ...updatedToolSession?.sessionGroupKey ? { sessionGroupKey: updatedToolSession.sessionGroupKey } : {}
+  };
+  if (diagnosis) {
+    const result = await apiClient.submitIssueDiagnosisResult(projectId, workItem.workItemId, {
+      status: "completed",
+      runnerId,
+      idempotencyKey: `issue_${workItem.workItemId}_${randomUUID()}`,
+      diagnosis,
+      tool: toolName,
+      durationMs,
+      ...sessionTelemetry,
+      message: `${toolName} returned an issue root-cause analysis.`
+    });
+    await recordRunnerMilestone(apiClient, projectId, workItem, runnerId, repositoryLinkId, {
+      status: "completed",
+      summary: `${toolName} returned an issue root-cause analysis.`,
+      idempotencyKey: `runner_milestone_issue_completed_${workItem.workItemId}_${result.workItem.idempotencyKey}`,
+      metadata: { tool: toolName, durationMs, riskLevel: diagnosis.riskLevel, likelyPathCount: diagnosis.likelyPaths.length, verificationSummary: diagnosis.verificationPlan.join(" | ") }
+    });
+    await apiClient.sendRunnerHeartbeat(projectId, runnerId, repositoryLinkId, "online", runnerHeartbeatMetadata(toolConfig));
+    console.log("Issue diagnosis returned for approval.");
+    return { status: "completed", exitCode: 0 };
+  }
+  const failedResult = await apiClient.submitIssueDiagnosisResult(projectId, workItem.workItemId, {
+    status: "failed",
+    runnerId,
+    idempotencyKey: `issue_${workItem.workItemId}_${randomUUID()}`,
+    tool: toolName,
+    durationMs,
+    ...sessionTelemetry,
+    message: `${toolName} did not produce a valid issue diagnosis.`,
+    ...diagnosisError ? { error: diagnosisError } : {}
+  });
+  await recordRunnerMilestone(apiClient, projectId, workItem, runnerId, repositoryLinkId, {
+    status: "failed",
+    summary: diagnosisError ?? `${toolName} did not produce a valid issue diagnosis.`,
+    idempotencyKey: `runner_milestone_issue_failed_${workItem.workItemId}_${failedResult.workItem.idempotencyKey}`,
+    metadata: { tool: toolName, durationMs, verificationSummary: "Issue diagnosis output did not include valid structured JSON." }
+  });
+  await apiClient.sendRunnerHeartbeat(projectId, runnerId, repositoryLinkId, "online", runnerHeartbeatMetadata(toolConfig));
+  console.error(diagnosisError ?? "Local runner issue diagnosis failed.");
+  return { status: "failed", exitCode: toolResult.exitCode || 1 };
+}
+async function finalizeSecurityPostureScanWork({
+  apiClient,
+  durationMs,
+  projectId,
+  repositoryLinkId,
+  runnerId,
+  sessionContext,
+  toolConfig,
+  toolName,
+  toolResult,
+  workItem
+}) {
+  let scanResult = void 0;
+  let scanError;
+  if (toolResult.exitCode === 0) {
+    try {
+      scanResult = parseSecurityPostureScanResult(`${toolResult.stdout}
+${toolResult.stderr}`);
+    } catch (error) {
+      scanError = errorMessage3(error);
+    }
+  } else {
+    scanError = truncateLogExcerpt(toolResult.stderr || toolResult.stdout) || `${toolName} exited with code ${toolResult.exitCode}.`;
+  }
+  const finalStatus = scanResult ? "completed" : "failed";
+  const updatedToolSession = await finalizeToolSession({
+    apiClient,
+    projectId,
+    status: finalStatus,
+    runnerId,
+    workItemId: workItem.workItemId,
+    stdout: toolResult.stdout,
+    ...sessionContext.toolSession ? { session: sessionContext.toolSession } : {},
+    ...toolResult.messageCount !== void 0 ? { messageCount: toolResult.messageCount } : {},
+    ...toolResult.tokensIn !== void 0 ? { tokensIn: toolResult.tokensIn } : {},
+    ...toolResult.tokensOut !== void 0 ? { tokensOut: toolResult.tokensOut } : {},
+    ...toolResult.costUsd !== void 0 ? { costUsd: toolResult.costUsd } : {}
+  });
+  const sessionTelemetry = {
+    sessionPolicy: sessionContext.policy,
+    sessionDecision: sessionContext.decision,
+    sessionDecisionReason: sessionContext.reason,
+    ...updatedToolSession ? { toolSessionId: updatedToolSession.toolSessionId } : {},
+    ...updatedToolSession?.sessionGroupKey ? { sessionGroupKey: updatedToolSession.sessionGroupKey } : {}
+  };
+  if (scanResult) {
+    const result = await apiClient.submitSecurityPostureScanResult(projectId, workItem.workItemId, {
+      status: "completed",
+      runnerId,
+      idempotencyKey: `security_${workItem.workItemId}_${randomUUID()}`,
+      result: scanResult,
+      tool: toolName,
+      durationMs,
+      ...sessionTelemetry,
+      message: `${toolName} returned a security posture scan.`
+    });
+    await recordRunnerMilestone(apiClient, projectId, workItem, runnerId, repositoryLinkId, {
+      status: "completed",
+      summary: `${toolName} returned a security posture scan.`,
+      idempotencyKey: `runner_milestone_security_completed_${workItem.workItemId}_${result.workItem.idempotencyKey}`,
+      metadata: { tool: toolName, durationMs, findingCount: scanResult.findings.length, critical: result.scan.severityCounts.critical, high: result.scan.severityCounts.high, verificationSummary: scanResult.verificationPlan.join(" | ") }
+    });
+    await apiClient.sendRunnerHeartbeat(projectId, runnerId, repositoryLinkId, "online", runnerHeartbeatMetadata(toolConfig));
+    console.log("Security posture scan returned for review.");
+    return { status: "completed", exitCode: 0 };
+  }
+  const failedResult = await apiClient.submitSecurityPostureScanResult(projectId, workItem.workItemId, {
+    status: "failed",
+    runnerId,
+    idempotencyKey: `security_${workItem.workItemId}_${randomUUID()}`,
+    tool: toolName,
+    durationMs,
+    ...sessionTelemetry,
+    message: `${toolName} did not produce a valid security posture scan.`,
+    ...scanError ? { error: scanError } : {}
+  });
+  await recordRunnerMilestone(apiClient, projectId, workItem, runnerId, repositoryLinkId, {
+    status: "failed",
+    summary: scanError ?? `${toolName} did not produce a valid security posture scan.`,
+    idempotencyKey: `runner_milestone_security_failed_${workItem.workItemId}_${failedResult.workItem.idempotencyKey}`,
+    metadata: { tool: toolName, durationMs, verificationSummary: "Security posture output did not include valid structured JSON." }
+  });
+  await apiClient.sendRunnerHeartbeat(projectId, runnerId, repositoryLinkId, "online", runnerHeartbeatMetadata(toolConfig));
+  console.error(scanError ?? "Local runner security posture scan failed.");
+  return { status: "failed", exitCode: toolResult.exitCode || 1 };
+}
 async function createRunnerWorkPrompt(apiClient, projectId, workItem) {
   if (workItem.workKind === "assistantQuestion") {
     const [{ documents: documents2 }, { messages: messages2 }] = await Promise.all([
@@ -6068,6 +6659,25 @@ async function createRunnerWorkPrompt(apiClient, projectId, workItem) {
       }
     });
   }
+  if (workItem.workKind === "issueDiagnosis") {
+    const [{ documents: documents2 }, { issues }] = await Promise.all([
+      apiClient.listBrainDocuments(projectId),
+      apiClient.listIssues(projectId)
+    ]);
+    const issue = issues.find((item) => item.issueId === workItem.issueId || item.id === workItem.issueId);
+    return createWorkExecutionPrompt(workItem, {
+      issueDiagnosis: {
+        documents: documents2,
+        ...issue ? { issue } : {}
+      }
+    });
+  }
+  if (workItem.workKind === "securityPostureScan") {
+    const { documents: documents2 } = await apiClient.listBrainDocuments(projectId);
+    return createWorkExecutionPrompt(workItem, {
+      securityPostureScan: { documents: documents2 }
+    });
+  }
   if (workItem.workKind !== "planRevision" || !workItem.reviewDocumentId) {
     return createWorkExecutionPrompt(workItem);
   }
@@ -6545,6 +7155,7 @@ function toRunnerToolCapabilities(tools) {
 function runnerIsolationCapabilityMetadata() {
   return {
     machineId: runnerMachineId(),
+    supportedWorkKinds: runnerSupportedWorkKinds,
     supportsBranchIsolation: true,
     supportsGitWorktreeIsolation: true
   };