@cortexkit/aft 0.39.1 → 0.39.2

package/dist/commands/doctor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/commands/doctor.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAG3D,OAAO,EAEL,KAAK,gBAAgB,EAKtB,MAAM,uBAAuB,CAAC;AAe/B,OAAO,EAAE,KAAK,WAAW,EAAkB,MAAM,qBAAqB,CAAC;AAOvE,MAAM,MAAM,iBAAiB,GAAG,cAAc,GAAG,WAAW,GAAG,cAAc,CAAC;AAE9E,eAAO,MAAM,2BAA2B,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,iBAAiB,CAAA;CAAE,EAapF,CAAC;AAEF,eAAO,MAAM,0BAA0B,EAAE,iBAAiB,EAAqB,CAAC;AAEhF,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,OAAO,CAAC;IACf,GAAG,EAAE,OAAO,CAAC;IACb,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,OAAO,CAAC;IACnB,WAAW,CAAC,EAAE;QACZ,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,QAAQ,CAAC,EAAE;QACT,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,WAAW,CAAC,EAAE;QACZ,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED,MAAM,WAAW,iBAAiB;IAChC,cAAc,CAAC,EAAE,MAAM,WAAW,CAAC;IACnC,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,wBAAsB,SAAS,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAkHvE;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAOnE;AA4BD,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,cAAc,EAAE,EAC1B,OAAO,EAAE,SAAS,iBAAiB,EAAE,EACrC,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,iBAAiB,CAAC,CAgD5B;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAC1C,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,wBAAgB,gBAAgB,IAAI,sBAAsB,CAsDzD;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,QAAQ,GAAG,eAAe,GAAG,QAAQ,GAAG,MAAM,GAAG,SAAS,GAAG,QAAQ,CAAC;IAC5E,OAAO,EAAE,MAAM,CAAC;CACjB;AA0ID,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,cAAc,EAAE,EAC1B,MAAM,EAAE,gBAAgB,GACvB,iBAAiB,EAAE,CAsErB;AAED,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAIvE;AAED,wBAAgB,gCAAgC,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,CAK9F;AAwKD,wBAAgB,yBAAyB,CAAC,CAAC,EAAE,gBAAgB,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,GAAG,MAAM,CAK1F;AAsGD,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAIhF;AA4DD,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAG7D"}
+{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/commands/doctor.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAI3D,OAAO,EAEL,KAAK,gBAAgB,EAKtB,MAAM,uBAAuB,CAAC;AAe/B,OAAO,EAAE,KAAK,WAAW,EAAkB,MAAM,qBAAqB,CAAC;AAOvE,MAAM,MAAM,iBAAiB,GAAG,cAAc,GAAG,WAAW,GAAG,cAAc,CAAC;AAE9E,eAAO,MAAM,2BAA2B,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,iBAAiB,CAAA;CAAE,EAapF,CAAC;AAEF,eAAO,MAAM,0BAA0B,EAAE,iBAAiB,EAAqB,CAAC;AAEhF,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,OAAO,CAAC;IACf,GAAG,EAAE,OAAO,CAAC;IACb,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,OAAO,CAAC;IACnB,WAAW,CAAC,EAAE;QACZ,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,QAAQ,CAAC,EAAE;QACT,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,WAAW,CAAC,EAAE;QACZ,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED,MAAM,WAAW,iBAAiB;IAChC,cAAc,CAAC,EAAE,MAAM,WAAW,CAAC;IACnC,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,wBAAsB,SAAS,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAkHvE;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAOnE;AA4BD,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,cAAc,EAAE,EAC1B,OAAO,EAAE,SAAS,iBAAiB,EAAE,EACrC,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,iBAAiB,CAAC,CAgD5B;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAC1C,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,wBAAgB,gBAAgB,IAAI,sBAAsB,CAsDzD;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,QAAQ,GAAG,eAAe,GAAG,QAAQ,GAAG,MAAM,GAAG,SAAS,GAAG,QAAQ,CAAC;IAC5E,OAAO,EAAE,MAAM,CAAC;CACjB;AA0ID,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,cAAc,EAAE,EAC1B,MAAM,EAAE,gBAAgB,GACvB,iBAAiB,EAAE,CAsErB;AAED,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAIvE;AAED,wBAAgB,gCAAgC,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,CAK9F;AAwKD,wBAAgB,yBAAyB,CAAC,CAAC,EAAE,gBAAgB,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,GAAG,MAAM,CAK1F;AAsGD,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAIhF;AA4DD,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAG7D"}

package/dist/index.js

@@ -107,7 +107,10 @@ var init_active_logger = __esm(() => {
 // ../aft-bridge/dist/bash-hints.js
 var init_bash_hints = () => {};
 // ../aft-bridge/dist/command-timeouts.js
-var LONG_RUNNING_COMMAND_TIMEOUT_MS;
+function isPassiveCommand(command) {
+  return PASSIVE_COMMANDS.has(command);
+}
+var LONG_RUNNING_COMMAND_TIMEOUT_MS, PASSIVE_COMMANDS, PASSIVE_COMMAND_TIMEOUT_MS = 5000;
 var init_command_timeouts = __esm(() => {
   LONG_RUNNING_COMMAND_TIMEOUT_MS = {
     callers: 60000,
@@ -119,6 +122,7 @@ var init_command_timeouts = __esm(() => {
     glob: 60000,
     semantic_search: 60000
   };
+  PASSIVE_COMMANDS = new Set(["status"]);
 });
 
 // ../aft-bridge/dist/status-bar.js
@@ -161,6 +165,10 @@ function bashTaskIdFrom(response) {
 function tagStderrLine(line) {
   return /^\[aft(-\w+)?\] /.test(line) ? line : `[aft] ${line}`;
 }
+function shouldSurfaceStderrLine(line) {
+  const normalized = line.trim();
+  return !(normalized === `Error in cpuinfo: ${BENIGN_CPUINFO_PROC_CPUINFO_PARSE_FAILURE}` || normalized === BENIGN_CPUINFO_PROC_CPUINFO_PARSE_FAILURE);
+}
 function compareSemver(a, b) {
   const [aMain, aPre] = a.split("-", 2);
   const [bMain, bPre] = b.split("-", 2);
@@ -226,7 +234,7 @@ function clampSemanticTimeout(configOverrides, bridgeTimeoutMs) {
     }
   };
 }
-var DEFAULT_BRIDGE_TIMEOUT_MS = 30000, BRIDGE_HANG_TIMEOUT_THRESHOLD = 2, SEMANTIC_TIMEOUT_SAFETY_MARGIN_MS = 5000, MAX_STDOUT_BUFFER, STDOUT_BUFFER_COMPACT_THRESHOLD, TERMINAL_BASH_STATUSES, BridgeReplacedDuringVersionCheck, BinaryBridge;
+var DEFAULT_BRIDGE_TIMEOUT_MS = 30000, BRIDGE_HANG_TIMEOUT_THRESHOLD = 2, SEMANTIC_TIMEOUT_SAFETY_MARGIN_MS = 5000, MAX_STDOUT_BUFFER, STDOUT_BUFFER_COMPACT_THRESHOLD, TERMINAL_BASH_STATUSES, BENIGN_CPUINFO_PROC_CPUINFO_PARSE_FAILURE = "failed to parse processor information from /proc/cpuinfo", BridgeReplacedDuringVersionCheck, BinaryBridge;
 var init_bridge = __esm(() => {
   init_active_logger();
   init_command_timeouts();
@@ -264,6 +272,7 @@ var init_bridge = __esm(() => {
     _restartCount = 0;
     _shuttingDown = false;
     timeoutMs;
+    hangThreshold;
     maxRestarts;
     configured = false;
     _configurePromise = null;
@@ -288,6 +297,7 @@ var init_bridge = __esm(() => {
       this.binaryPath = binaryPath;
       this.cwd = cwd;
       this.timeoutMs = options?.timeoutMs ?? DEFAULT_BRIDGE_TIMEOUT_MS;
+      this.hangThreshold = options?.hangThreshold ?? BRIDGE_HANG_TIMEOUT_THRESHOLD;
       this.maxRestarts = options?.maxRestarts ?? 3;
       this.configOverrides = clampSemanticTimeout(configOverrides ?? {}, this.timeoutMs);
       this.minVersion = options?.minVersion;
@@ -405,7 +415,9 @@ var init_bridge = __esm(() => {
         if (requestSessionId && options?.configureWarningClient !== undefined) {
           this.configureWarningClients.set(requestSessionId, options.configureWarningClient);
         }
-        const effectiveTimeoutMs = options?.transportTimeoutMs ?? options?.timeoutMs ?? this.timeoutMs;
+        const passive = isPassiveCommand(command);
+        const resolvedTimeoutMs = options?.transportTimeoutMs ?? options?.timeoutMs ?? this.timeoutMs;
+        const effectiveTimeoutMs = passive ? Math.min(resolvedTimeoutMs, PASSIVE_COMMAND_TIMEOUT_MS) : resolvedTimeoutMs;
         const implicitTransportOptions = {
           ...options?.transportTimeoutMs !== undefined || options?.timeoutMs !== undefined ? { transportTimeoutMs: effectiveTimeoutMs } : {},
           markConfiguredOnSuccess: false
@@ -455,7 +467,7 @@ var init_bridge = __esm(() => {
         }
         const line = `${JSON.stringify(request)}
 `;
-        const keepBridgeOnTimeout = options?.keepBridgeOnTimeout === true;
+        const keepBridgeOnTimeout = passive || options?.keepBridgeOnTimeout === true;
         let requestSentAt = Date.now();
         const response = await new Promise((resolve, reject) => {
           const timer = setTimeout(() => {
@@ -477,7 +489,7 @@ var init_bridge = __esm(() => {
             const childActiveSinceRequest = this.lastChildActivityAt > requestSentAt;
             const consecutiveTimeouts = this.consecutiveRequestTimeouts + 1;
             this.consecutiveRequestTimeouts = consecutiveTimeouts;
-            const keepWarm = childActiveSinceRequest || consecutiveTimeouts < BRIDGE_HANG_TIMEOUT_THRESHOLD;
+            const keepWarm = childActiveSinceRequest || consecutiveTimeouts < this.hangThreshold;
             const restartSuffix = keepWarm ? " — bridge kept warm" : " — restarting bridge";
             const timeoutMsg = `Request "${command}" (id=${id}) timed out after ${effectiveTimeoutMs}ms${restartSuffix}`;
             if (requestSessionId) {
@@ -772,7 +784,7 @@ var init_bridge = __esm(() => {
 `)) !== -1) {
         const line = this.stderrBuffer.slice(0, newlineIdx).replace(/\r$/, "");
         this.stderrBuffer = this.stderrBuffer.slice(newlineIdx + 1);
-        if (!line)
+        if (!line || !shouldSurfaceStderrLine(line))
           continue;
         const tagged = tagStderrLine(line);
         this.logVia(tagged);
@@ -782,7 +794,7 @@ var init_bridge = __esm(() => {
     flushStderrBuffer() {
       const line = this.stderrBuffer.replace(/\r$/, "");
       this.stderrBuffer = "";
-      if (!line)
+      if (!line || !shouldSurfaceStderrLine(line))
         return;
       const tagged = tagStderrLine(line);
       this.logVia(tagged);
@@ -1304,6 +1316,7 @@ class BridgePool {
     this.projectConfigLoader = options.projectConfigLoader;
     this.bridgeOptions = {
       timeoutMs: options.timeoutMs,
+      hangThreshold: options.hangThreshold,
       maxRestarts: options.maxRestarts,
       minVersion: options.minVersion,
       onVersionMismatch: options.onVersionMismatch,
@@ -12375,11 +12388,232 @@ var init_binary_cache = __esm(() => {
   init_paths2();
 });
 
-// src/lib/lsp-cache.ts
-import { existsSync as existsSync10, readdirSync as readdirSync5, rmSync as rmSync2, statSync as statSync6 } from "node:fs";
+// src/lib/sanitize.ts
+import { realpathSync as realpathSync2 } from "node:fs";
+import { homedir as homedir8, userInfo } from "node:os";
+function escapeRegex(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function safeRealpath(p2) {
+  try {
+    return realpathSync2(p2);
+  } catch {
+    return null;
+  }
+}
+function isSensitiveKeyName(keyName) {
+  return SENSITIVE_KEY_WORD.test(keyName) || SEGMENTED_KEY_WORD.test(keyName) || CAMEL_CASE_KEY_WORD.test(keyName);
+}
+function redactSecrets(content) {
+  let sanitized = content;
+  sanitized = sanitized.replace(/\b((?:Proxy-)?Authorization[^\S\r\n]*:[^\S\r\n]*(?:Bearer|Basic)[^\S\r\n]+)[A-Za-z0-9._~+/-]+=*/gi, `$1${SECRET_PLACEHOLDER}`);
+  sanitized = sanitized.replace(/\bgithub_pat_[A-Za-z0-9_]+\b/g, SECRET_PLACEHOLDER);
+  sanitized = sanitized.replace(/\bgh(?:p|o|s)_[A-Za-z0-9_]{16,}\b/g, SECRET_PLACEHOLDER);
+  sanitized = sanitized.replace(/\bsk-(?:live-)?[A-Za-z0-9][A-Za-z0-9_-]{7,}\b/g, SECRET_PLACEHOLDER);
+  sanitized = sanitized.replace(JWT_PATTERN, SECRET_PLACEHOLDER);
+  sanitized = sanitized.replace(AWS_ACCESS_KEY_ID_PATTERN, SECRET_PLACEHOLDER);
+  sanitized = sanitized.replace(quotedSensitiveKeyValuePattern, (match, prefix, _keyQuote, keyName, valueQuote) => isSensitiveKeyName(keyName) ? `${prefix}${valueQuote}${SECRET_PLACEHOLDER}${valueQuote}` : match);
+  sanitized = sanitized.replace(unquotedSensitiveKeyValuePattern, (match, prefix, keyName, valueQuote) => isSensitiveKeyName(keyName) ? `${prefix}${valueQuote}${SECRET_PLACEHOLDER}${valueQuote}` : match);
+  sanitized = sanitized.replace(bareSensitiveKeyValuePattern, (match, prefix, keyName) => isSensitiveKeyName(keyName) ? `${prefix}${SECRET_PLACEHOLDER}` : match);
+  sanitized = sanitized.replace(/\b([a-z][a-z0-9+.-]*:\/\/)[^@\s/?#]+@/gi, `$1${URL_CREDENTIAL_PLACEHOLDER}@`);
+  sanitized = sanitized.replace(/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi, "<EMAIL>");
+  return sanitized;
+}
+function sanitizeContent(content) {
+  const username = userInfo().username;
+  const home = homedir8();
+  let sanitized = redactSecrets(content);
+  const cwd = process.cwd();
+  for (const candidate of new Set([cwd, safeRealpath(cwd)])) {
+    if (candidate && candidate !== "/" && candidate !== home) {
+      sanitized = sanitized.replace(new RegExp(escapeRegex(candidate), "g"), "<PROJECT>");
+    }
+  }
+  if (home) {
+    sanitized = sanitized.replace(new RegExp(escapeRegex(home), "g"), "~");
+  }
+  sanitized = sanitized.replace(/\/Users\/[^/\s"']+/g, "/Users/<USER>");
+  sanitized = sanitized.replace(/\/home\/[^/\s"']+/g, "/home/<USER>");
+  sanitized = sanitized.replace(/([A-Za-z]:\\\\Users\\\\)[^\\\\"'\s]+/g, "$1<USER>");
+  sanitized = sanitized.replace(/([A-Za-z]:\\Users\\)[^\\"'\s]+/g, "$1<USER>");
+  sanitized = sanitized.replace(/([A-Za-z]:\/Users\/)[^/\s"']+/g, "$1<USER>");
+  if (username) {
+    sanitized = sanitized.replace(new RegExp(escapeRegex(username), "g"), "<USER>");
+  }
+  return sanitized;
+}
+function sanitizeValue(value) {
+  if (typeof value === "string") {
+    return sanitizeContent(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((entry) => sanitizeValue(entry));
+  }
+  if (value && typeof value === "object") {
+    return Object.fromEntries(Object.entries(value).map(([key, entry]) => [key, sanitizeValue(entry)]));
+  }
+  return value;
+}
+var SECRET_PLACEHOLDER = "<REDACTED_SECRET>", URL_CREDENTIAL_PLACEHOLDER = "***", KEY_NAME = "[A-Za-z_][A-Za-z0-9_.-]*", SENSITIVE_KEY_WORD, SEGMENTED_KEY_WORD, CAMEL_CASE_KEY_WORD, JWT_PATTERN, AWS_ACCESS_KEY_ID_PATTERN, quotedSensitiveKeyValuePattern, unquotedSensitiveKeyValuePattern, bareSensitiveKeyValuePattern;
+var init_sanitize = __esm(() => {
+  SENSITIVE_KEY_WORD = /(?:token|password|secret|api[_-]?key|passwd|pwd|credential)/i;
+  SEGMENTED_KEY_WORD = /(?:^|[_.-])key(?:$|[_.-])/i;
+  CAMEL_CASE_KEY_WORD = /[a-z0-9]Key(?:$|[A-Z_.-])/;
+  JWT_PATTERN = /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g;
+  AWS_ACCESS_KEY_ID_PATTERN = /\b(?:AKIA|ASIA|AGPA|AIDA|AROA)[A-Z0-9]{16}\b/g;
+  quotedSensitiveKeyValuePattern = new RegExp(String.raw`((['"])(${KEY_NAME})\2[^\S\r\n]*:[^\S\r\n]*)(['"])([^'"\r\n]+)\4`, "gi");
+  unquotedSensitiveKeyValuePattern = new RegExp(String.raw`\b((${KEY_NAME})[^\S\r\n]*[=:][^\S\r\n]*)(['"])([^'"\r\n]+)\3`, "gi");
+  bareSensitiveKeyValuePattern = new RegExp(String.raw`\b((${KEY_NAME})[^\S\r\n]*[=:][^\S\r\n]*)([^\s,;&'"]+)`, "gi");
+});
+
+// src/lib/bridge-tool-failures.ts
+import { closeSync as closeSync2, existsSync as existsSync10, openSync as openSync2, readSync as readSync2, statSync as statSync6 } from "node:fs";
+import { tmpdir as tmpdir2 } from "node:os";
 import { join as join10 } from "node:path";
+function resolveBridgePluginLogPath() {
+  const isTestEnv = process.env.BUN_TEST === "1" || false;
+  return join10(tmpdir2(), isTestEnv ? "aft-plugin-test.log" : "aft-plugin.log");
+}
+function tailLogFileBytes(path, maxBytes) {
+  if (!existsSync10(path) || maxBytes <= 0)
+    return "";
+  let fd = null;
+  try {
+    const size = statSync6(path).size;
+    if (size === 0)
+      return "";
+    const readLength = Math.min(size, maxBytes);
+    const position = size - readLength;
+    fd = openSync2(path, "r");
+    const buffer = Buffer.allocUnsafe(readLength);
+    const bytesRead = readSync2(fd, buffer, 0, readLength, position);
+    return buffer.subarray(0, bytesRead).toString("utf-8").trim();
+  } catch {
+    return "";
+  } finally {
+    if (fd !== null) {
+      try {
+        closeSync2(fd);
+      } catch {}
+    }
+  }
+}
+function stripSessionTags(line) {
+  return line.replace(SESSION_TAG_PATTERN, "").replace(/\s+/g, " ").trim();
+}
+function stripPathLikeTokens(label) {
+  let out = label;
+  out = out.replace(/\/(?:Users|home|var|tmp|private|Volumes)\/[^\s"'`,;)]+/gi, "<path>");
+  out = out.replace(/[A-Za-z]:\\(?:Users|Program Files)[^\\s"'`,;)]+/gi, "<path>");
+  out = out.replace(/file:\/\/[^\s"'`,;)]+/gi, "<path>");
+  out = out.replace(/\(id=[^)]+\)/gi, "");
+  return out.replace(/\s+/g, " ").trim();
+}
+function classifyBridgeLogLine(line) {
+  const timeoutMatch = line.match(/Request "([^"]+)"[\s\S]*?timed out after (\d+)ms/i);
+  if (timeoutMatch) {
+    return `${timeoutMatch[1]}: timed out after ${timeoutMatch[2]}ms`;
+  }
+  const lowerTimeout = line.match(/request "([^"]+)" timed out after (\d+)ms/i);
+  if (lowerTimeout) {
+    return `${lowerTimeout[1]}: timed out after ${lowerTimeout[2]}ms`;
+  }
+  if (/Bridge killed after timeout/i.test(line)) {
+    return "bridge killed after timeout";
+  }
+  if (/bridge killed during sibling timeout/i.test(line)) {
+    return "bridge killed during sibling timeout";
+  }
+  if (/restarting bridge/i.test(line)) {
+    return "restarting bridge";
+  }
+  const rpcMatch = line.match(/RPC error:\s*([^\s=]+)/i);
+  if (rpcMatch) {
+    return `rpc: RPC error (${rpcMatch[1]})`;
+  }
+  if (/spawn error/i.test(line)) {
+    return "spawn: spawn error";
+  }
+  if (/failed to spawn/i.test(line)) {
+    return "spawn: failed to spawn";
+  }
+  if (/\bonnx/i.test(line) && /\b(?:error|failed|missing|incompatible)\b/i.test(line)) {
+    return "onnx: onnx runtime error";
+  }
+  if (/\bORT_/i.test(line) && /\b(?:error|failed)\b/i.test(line)) {
+    return "onnx: ORT error";
+  }
+  const codeMatch = line.match(STRUCTURED_CODE_PATTERN);
+  if (codeMatch && /\bERROR\b/.test(line)) {
+    return `code: ${codeMatch[1]}`;
+  }
+  if (/\bERROR\b/.test(line) && /\[aft-plugin\]|\[aft-bridge\]|\[aft-lsp\]|\[aft\]/i.test(line)) {
+    return "error: ERROR log line";
+  }
+  return null;
+}
+function aggregateBridgeToolFailures(logText) {
+  const counts = new Map;
+  if (!logText.trim())
+    return counts;
+  for (const rawLine of logText.split(/\r?\n/)) {
+    if (!stripSessionTags(rawLine))
+      continue;
+    const key = classifyBridgeLogLine(rawLine);
+    if (!key)
+      continue;
+    const sanitizedKey = stripPathLikeTokens(sanitizeContent(key));
+    if (!sanitizedKey)
+      continue;
+    counts.set(sanitizedKey, (counts.get(sanitizedKey) ?? 0) + 1);
+  }
+  return counts;
+}
+function sortFailureKeys(a, b, counts) {
+  const countDiff = (counts.get(b) ?? 0) - (counts.get(a) ?? 0);
+  if (countDiff !== 0)
+    return countDiff;
+  return a.localeCompare(b);
+}
+function formatRecentAftToolFailuresSection(counts, options) {
+  const maxClasses = options?.maxClasses ?? MAX_TOOL_FAILURE_CLASSES;
+  const heading = "### Recent AFT tool failures";
+  if (counts.size === 0) {
+    return `${heading}
+No recent AFT tool failures recorded.`;
+  }
+  const sorted = [...counts.keys()].sort((a, b) => sortFailureKeys(a, b, counts));
+  const shown = sorted.slice(0, maxClasses);
+  const hidden = sorted.length - shown.length;
+  const bullets = shown.map((key) => {
+    const count = counts.get(key) ?? 0;
+    return `- ${key} ×${count}`;
+  });
+  if (hidden > 0) {
+    bullets.push(`- +${hidden} more failure class(es) omitted`);
+  }
+  return [heading, ...bullets].join(`
+`);
+}
+function buildRecentAftToolFailuresSectionFromLog(logPath = resolveBridgePluginLogPath(), options) {
+  const tailBytes = options?.tailBytes ?? BRIDGE_LOG_TAIL_BYTES;
+  const tail = tailLogFileBytes(logPath, tailBytes);
+  const counts = aggregateBridgeToolFailures(tail);
+  return formatRecentAftToolFailuresSection(counts, options);
+}
+var BRIDGE_LOG_TAIL_BYTES, MAX_TOOL_FAILURE_CLASSES = 30, SESSION_TAG_PATTERN, STRUCTURED_CODE_PATTERN;
+var init_bridge_tool_failures = __esm(() => {
+  init_sanitize();
+  BRIDGE_LOG_TAIL_BYTES = 2 * 1024 * 1024;
+  SESSION_TAG_PATTERN = /\[ses_[^\]\s]+\]|\[[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\]/g;
+  STRUCTURED_CODE_PATTERN = /"code"\s*:\s*"([^"]+)"/;
+});
+
+// src/lib/lsp-cache.ts
+import { existsSync as existsSync11, readdirSync as readdirSync5, rmSync as rmSync2, statSync as statSync7 } from "node:fs";
+import { join as join11 } from "node:path";
 function inspectDir(path) {
-  if (!existsSync10(path)) {
+  if (!existsSync11(path)) {
     return { entries: [], totalSize: 0 };
   }
   const entries = [];
@@ -12391,9 +12625,9 @@ function inspectDir(path) {
     return { entries: [], totalSize: 0 };
   }
   for (const name of names) {
-    const full = join10(path, name);
+    const full = join11(path, name);
     try {
-      if (!statSync6(full).isDirectory())
+      if (!statSync7(full).isDirectory())
         continue;
       const size = dirSize(full);
       entries.push({
@@ -12449,8 +12683,8 @@ var init_lsp_cache = __esm(() => {
 });
 
 // src/lib/onnx.ts
-import { existsSync as existsSync11, readdirSync as readdirSync6, readlinkSync, realpathSync as realpathSync2, statSync as statSync7 } from "node:fs";
-import { basename, isAbsolute as isAbsolute2, join as join11, resolve as resolve4, win32 } from "node:path";
+import { existsSync as existsSync12, readdirSync as readdirSync6, readlinkSync, realpathSync as realpathSync3, statSync as statSync8 } from "node:fs";
+import { basename, isAbsolute as isAbsolute2, join as join12, resolve as resolve4, win32 } from "node:path";
 function getOnnxLibraryName() {
   if (process.platform === "darwin")
     return "libonnxruntime.dylib";
@@ -12513,13 +12747,13 @@ function findSystemOnnxRuntime() {
     searchPaths.push(...pathEntriesForPlatform());
     const programFiles = process.env.ProgramFiles ?? "C:\\Program Files";
     const programFilesX86 = process.env["ProgramFiles(x86)"] ?? "C:\\Program Files (x86)";
-    searchPaths.push(join11(programFiles, "onnxruntime", "lib"), join11(programFiles, "Microsoft ONNX Runtime", "lib"), join11(programFiles, "Microsoft Machine Learning", "lib"), join11(programFilesX86, "onnxruntime", "lib"), ...(() => {
+    searchPaths.push(join12(programFiles, "onnxruntime", "lib"), join12(programFiles, "Microsoft ONNX Runtime", "lib"), join12(programFiles, "Microsoft Machine Learning", "lib"), join12(programFilesX86, "onnxruntime", "lib"), ...(() => {
       const nugetPaths = [];
       const userProfile = process.env.USERPROFILE ?? "";
       if (!userProfile)
         return nugetPaths;
-      const nugetPackageDir = join11(userProfile, ".nuget", "packages", "microsoft.ml.onnxruntime");
-      if (!existsSync11(nugetPackageDir))
+      const nugetPackageDir = join12(userProfile, ".nuget", "packages", "microsoft.ml.onnxruntime");
+      if (!existsSync12(nugetPackageDir))
         return nugetPaths;
       try {
         for (const entry of readdirSync6(nugetPackageDir, { withFileTypes: true })) {
@@ -12527,7 +12761,7 @@ function findSystemOnnxRuntime() {
             continue;
           if (entry.name === "__globalPackagesFolder" || entry.name.startsWith("."))
             continue;
-          nugetPaths.push(join11(nugetPackageDir, entry.name, "runtimes", "win-x64", "native"), join11(nugetPackageDir, entry.name, "runtimes", "win-arm64", "native"));
+          nugetPaths.push(join12(nugetPackageDir, entry.name, "runtimes", "win-x64", "native"), join12(nugetPackageDir, entry.name, "runtimes", "win-arm64", "native"));
         }
       } catch {}
       return nugetPaths;
@@ -12557,12 +12791,12 @@ function findSystemOnnxRuntime() {
   return unknownVersionPaths[0] ?? null;
 }
 function findCachedOnnxRuntime(storageDir) {
-  const ortDir = join11(storageDir, "onnxruntime", ONNX_RUNTIME_VERSION);
+  const ortDir = join12(storageDir, "onnxruntime", ONNX_RUNTIME_VERSION);
   const libName = getOnnxLibraryName();
-  if (existsSync11(join11(ortDir, libName)))
+  if (existsSync12(join12(ortDir, libName)))
     return ortDir;
-  const libSubdir = join11(ortDir, "lib");
-  if (existsSync11(join11(libSubdir, libName)))
+  const libSubdir = join12(ortDir, "lib");
+  if (existsSync12(join12(libSubdir, libName)))
     return libSubdir;
   return null;
 }
@@ -12583,7 +12817,7 @@ function parseOrtVersionFromDirectoryPath(value) {
   return null;
 }
 function detectOrtVersion(libDir) {
-  if (!existsSync11(libDir))
+  if (!existsSync12(libDir))
     return null;
   const libName = getOnnxLibraryName();
   try {
@@ -12598,10 +12832,10 @@ function detectOrtVersion(libDir) {
       if (version)
         return version;
     }
-    const base = join11(libDir, libName);
-    if (existsSync11(base)) {
+    const base = join12(libDir, libName);
+    if (existsSync12(base)) {
       try {
-        const real = realpathSync2(base);
+        const real = realpathSync3(base);
         const version = parseOrtVersionFromPath(real) ?? parseOrtVersionFromDirectoryPath(real);
         if (version)
           return version;
@@ -12629,93 +12863,15 @@ function isOrtVersionCompatible(version) {
 var ONNX_RUNTIME_VERSION = "1.24.4", INVALID_ORT_VERSION = "<invalid>", REQUIRED_ORT_MAJOR = 1, REQUIRED_ORT_MIN_MINOR = 20;
 var init_onnx = () => {};
 
-// src/lib/sanitize.ts
-import { realpathSync as realpathSync3 } from "node:fs";
-import { homedir as homedir8, userInfo } from "node:os";
-function escapeRegex(value) {
-  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-function safeRealpath(p2) {
-  try {
-    return realpathSync3(p2);
-  } catch {
-    return null;
-  }
-}
-function isSensitiveKeyName(keyName) {
-  return SENSITIVE_KEY_WORD.test(keyName) || SEGMENTED_KEY_WORD.test(keyName) || CAMEL_CASE_KEY_WORD.test(keyName);
-}
-function redactSecrets(content) {
-  let sanitized = content;
-  sanitized = sanitized.replace(/\b((?:Proxy-)?Authorization[^\S\r\n]*:[^\S\r\n]*(?:Bearer|Basic)[^\S\r\n]+)[A-Za-z0-9._~+/-]+=*/gi, `$1${SECRET_PLACEHOLDER}`);
-  sanitized = sanitized.replace(/\bgithub_pat_[A-Za-z0-9_]+\b/g, SECRET_PLACEHOLDER);
-  sanitized = sanitized.replace(/\bgh(?:p|o|s)_[A-Za-z0-9_]{16,}\b/g, SECRET_PLACEHOLDER);
-  sanitized = sanitized.replace(/\bsk-(?:live-)?[A-Za-z0-9][A-Za-z0-9_-]{7,}\b/g, SECRET_PLACEHOLDER);
-  sanitized = sanitized.replace(JWT_PATTERN, SECRET_PLACEHOLDER);
-  sanitized = sanitized.replace(AWS_ACCESS_KEY_ID_PATTERN, SECRET_PLACEHOLDER);
-  sanitized = sanitized.replace(quotedSensitiveKeyValuePattern, (match, prefix, _keyQuote, keyName, valueQuote) => isSensitiveKeyName(keyName) ? `${prefix}${valueQuote}${SECRET_PLACEHOLDER}${valueQuote}` : match);
-  sanitized = sanitized.replace(unquotedSensitiveKeyValuePattern, (match, prefix, keyName, valueQuote) => isSensitiveKeyName(keyName) ? `${prefix}${valueQuote}${SECRET_PLACEHOLDER}${valueQuote}` : match);
-  sanitized = sanitized.replace(bareSensitiveKeyValuePattern, (match, prefix, keyName) => isSensitiveKeyName(keyName) ? `${prefix}${SECRET_PLACEHOLDER}` : match);
-  sanitized = sanitized.replace(/\b([a-z][a-z0-9+.-]*:\/\/)[^@\s/?#]+@/gi, `$1${URL_CREDENTIAL_PLACEHOLDER}@`);
-  sanitized = sanitized.replace(/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi, "<EMAIL>");
-  return sanitized;
-}
-function sanitizeContent(content) {
-  const username = userInfo().username;
-  const home = homedir8();
-  let sanitized = redactSecrets(content);
-  const cwd = process.cwd();
-  for (const candidate of new Set([cwd, safeRealpath(cwd)])) {
-    if (candidate && candidate !== "/" && candidate !== home) {
-      sanitized = sanitized.replace(new RegExp(escapeRegex(candidate), "g"), "<PROJECT>");
-    }
-  }
-  if (home) {
-    sanitized = sanitized.replace(new RegExp(escapeRegex(home), "g"), "~");
-  }
-  sanitized = sanitized.replace(/\/Users\/[^/\s"']+/g, "/Users/<USER>");
-  sanitized = sanitized.replace(/\/home\/[^/\s"']+/g, "/home/<USER>");
-  sanitized = sanitized.replace(/([A-Za-z]:\\\\Users\\\\)[^\\\\"'\s]+/g, "$1<USER>");
-  sanitized = sanitized.replace(/([A-Za-z]:\\Users\\)[^\\"'\s]+/g, "$1<USER>");
-  sanitized = sanitized.replace(/([A-Za-z]:\/Users\/)[^/\s"']+/g, "$1<USER>");
-  if (username) {
-    sanitized = sanitized.replace(new RegExp(escapeRegex(username), "g"), "<USER>");
-  }
-  return sanitized;
-}
-function sanitizeValue(value) {
-  if (typeof value === "string") {
-    return sanitizeContent(value);
-  }
-  if (Array.isArray(value)) {
-    return value.map((entry) => sanitizeValue(entry));
-  }
-  if (value && typeof value === "object") {
-    return Object.fromEntries(Object.entries(value).map(([key, entry]) => [key, sanitizeValue(entry)]));
-  }
-  return value;
-}
-var SECRET_PLACEHOLDER = "<REDACTED_SECRET>", URL_CREDENTIAL_PLACEHOLDER = "***", KEY_NAME = "[A-Za-z_][A-Za-z0-9_.-]*", SENSITIVE_KEY_WORD, SEGMENTED_KEY_WORD, CAMEL_CASE_KEY_WORD, JWT_PATTERN, AWS_ACCESS_KEY_ID_PATTERN, quotedSensitiveKeyValuePattern, unquotedSensitiveKeyValuePattern, bareSensitiveKeyValuePattern;
-var init_sanitize = __esm(() => {
-  SENSITIVE_KEY_WORD = /(?:token|password|secret|api[_-]?key|passwd|pwd|credential)/i;
-  SEGMENTED_KEY_WORD = /(?:^|[_.-])key(?:$|[_.-])/i;
-  CAMEL_CASE_KEY_WORD = /[a-z0-9]Key(?:$|[A-Z_.-])/;
-  JWT_PATTERN = /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g;
-  AWS_ACCESS_KEY_ID_PATTERN = /\b(?:AKIA|ASIA|AGPA|AIDA|AROA)[A-Z0-9]{16}\b/g;
-  quotedSensitiveKeyValuePattern = new RegExp(String.raw`((['"])(${KEY_NAME})\2[^\S\r\n]*:[^\S\r\n]*)(['"])([^'"\r\n]+)\4`, "gi");
-  unquotedSensitiveKeyValuePattern = new RegExp(String.raw`\b((${KEY_NAME})[^\S\r\n]*[=:][^\S\r\n]*)(['"])([^'"\r\n]+)\3`, "gi");
-  bareSensitiveKeyValuePattern = new RegExp(String.raw`\b((${KEY_NAME})[^\S\r\n]*[=:][^\S\r\n]*)([^\s,;&'"]+)`, "gi");
-});
-
 // src/lib/diagnostics.ts
 import {
   accessSync,
-  closeSync as closeSync2,
+  closeSync as closeSync3,
   constants,
-  existsSync as existsSync12,
-  openSync as openSync2,
-  readSync as readSync2,
-  statSync as statSync8
+  existsSync as existsSync13,
+  openSync as openSync3,
+  readSync as readSync3,
+  statSync as statSync9
 } from "node:fs";
 async function collectDiagnostics(adapters) {
   const cliVersion = getSelfVersion();
@@ -12744,7 +12900,7 @@ async function diagnoseHarness(adapter) {
   const logPath = adapter.getLogFile();
   const pluginCache = adapter.getPluginCacheInfo();
   const storageAccessible = (() => {
-    if (!existsSync12(storage))
+    if (!existsSync13(storage))
       return false;
     try {
       accessSync(storage, constants.R_OK | constants.W_OK);
@@ -12767,14 +12923,14 @@ async function diagnoseHarness(adapter) {
     pluginRegistered: adapter.hasPluginEntry(),
     configPaths,
     aftConfig: {
-      exists: existsSync12(configPaths.aftConfig),
+      exists: existsSync13(configPaths.aftConfig),
       ...aftConfigRead.error ? { parseError: aftConfigRead.error } : {},
       flags: aftFlags
     },
     pluginCache,
     storageDir: {
       path: storage,
-      exists: existsSync12(storage),
+      exists: existsSync13(storage),
       accessible: storageAccessible,
       sizesByKey: describeStorage
     },
@@ -12792,8 +12948,8 @@ async function diagnoseHarness(adapter) {
     },
     logFile: {
       path: logPath,
-      exists: existsSync12(logPath),
-      sizeKb: existsSync12(logPath) ? Math.round(statSync8(logPath).size / 1024) : 0
+      exists: existsSync13(logPath),
+      sizeKb: existsSync13(logPath) ? Math.round(statSync9(logPath).size / 1024) : 0
     }
   };
 }
@@ -12987,15 +13143,15 @@ function formatDiagnosticIssuesSection(report) {
   return lines;
 }
 function tailLogFile(path, lines) {
-  if (!existsSync12(path))
+  if (!existsSync13(path))
     return "";
   if (lines <= 0)
     return "";
   const chunkSize = 64 * 1024;
   let fd = null;
   try {
-    const size = statSync8(path).size;
-    fd = openSync2(path, "r");
+    const size = statSync9(path).size;
+    fd = openSync3(path, "r");
     const chunks = [];
     let position = size;
     let newlineCount = 0;
@@ -13003,7 +13159,7 @@ function tailLogFile(path, lines) {
       const readLength = Math.min(chunkSize, position);
       position -= readLength;
       const buffer = Buffer.allocUnsafe(readLength);
-      const bytesRead = readSync2(fd, buffer, 0, readLength, position);
+      const bytesRead = readSync3(fd, buffer, 0, readLength, position);
       const chunk = bytesRead === readLength ? buffer : buffer.subarray(0, bytesRead);
       chunks.unshift(chunk);
       for (let i = chunk.length - 1;i >= 0; i -= 1) {
@@ -13018,7 +13174,7 @@ function tailLogFile(path, lines) {
   } finally {
     if (fd !== null) {
       try {
-        closeSync2(fd);
+        closeSync3(fd);
       } catch {}
     }
   }
@@ -13077,7 +13233,7 @@ var init_github = () => {};
 function filterLogToSession(logText, sessionId) {
   const bareId = sessionId.replace(/^ses_/, "");
   const keepTokens = [`[ses_${bareId}]`, `[${bareId}]`];
-  return logText.split(/\r?\n/).filter((line) => !SESSION_TAG_PATTERN.test(line) || keepTokens.some((token) => line.includes(token))).join(`
+  return logText.split(/\r?\n/).filter((line) => !SESSION_TAG_PATTERN2.test(line) || keepTokens.some((token) => line.includes(token))).join(`
 `);
 }
 function isErrorLogLine(line) {
@@ -13157,9 +13313,9 @@ function truncateToByteBudget(input, maxBytes) {
   }
   return buf.subarray(0, end).toString("utf8");
 }
-var MAX_GITHUB_BODY_BYTES = 60000, SESSION_TAG_PATTERN, ERROR_LOG_PATTERNS;
+var MAX_GITHUB_BODY_BYTES = 60000, SESSION_TAG_PATTERN2, ERROR_LOG_PATTERNS;
 var init_issue_body = __esm(() => {
-  SESSION_TAG_PATTERN = /\[ses_[^\]\s]+\]|\[[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\]/;
+  SESSION_TAG_PATTERN2 = /\[ses_[^\]\s]+\]|\[[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\]/;
   ERROR_LOG_PATTERNS = [
     /\bcrashed:/i,
     /\bfailed:/i,
@@ -13173,8 +13329,8 @@ var init_issue_body = __esm(() => {
 });
 
 // src/lib/onnx-fix.ts
-import { existsSync as existsSync13, rmSync as rmSync3 } from "node:fs";
-import { join as join12 } from "node:path";
+import { existsSync as existsSync14, rmSync as rmSync3 } from "node:fs";
+import { join as join13 } from "node:path";
 function findOnnxFixCandidates(report) {
   const candidates = [];
   for (const harness of report.harnesses) {
@@ -13182,7 +13338,7 @@ function findOnnxFixCandidates(report) {
       continue;
     if (!harness.storageDir.exists)
       continue;
-    const storageOnnxDir = join12(harness.storageDir.path, "onnxruntime");
+    const storageOnnxDir = join13(harness.storageDir.path, "onnxruntime");
     const systemTooOld = harness.onnxRuntime.systemPath !== null && harness.onnxRuntime.systemCompatible === false;
     const cachedTooOld = harness.onnxRuntime.cachedPath !== null && harness.onnxRuntime.cachedCompatible === false;
     const hasCompatibleCached = harness.onnxRuntime.cachedCompatible === true;
@@ -13191,7 +13347,7 @@ function findOnnxFixCandidates(report) {
         harness,
         reason: `cached ONNX Runtime at ${harness.onnxRuntime.cachedPath} is v${harness.onnxRuntime.cachedVersion}, but AFT requires ${harness.onnxRuntime.requirement}. Clearing forces a fresh download on next start.`,
         storageOnnxDir,
-        storageOnnxBytes: existsSync13(storageOnnxDir) ? dirSize(storageOnnxDir) : 0
+        storageOnnxBytes: existsSync14(storageOnnxDir) ? dirSize(storageOnnxDir) : 0
       });
       continue;
     }
@@ -13200,7 +13356,7 @@ function findOnnxFixCandidates(report) {
         harness,
         reason: `system ONNX Runtime at ${harness.onnxRuntime.systemPath} is v${harness.onnxRuntime.systemVersion}, but AFT requires ${harness.onnxRuntime.requirement}, and no AFT-managed install is present. AFT v0.19.5+ skips incompatible system installs and auto-downloads v1.24 on next start; clearing any stale state here ensures a clean slate.`,
         storageOnnxDir,
-        storageOnnxBytes: existsSync13(storageOnnxDir) ? dirSize(storageOnnxDir) : 0
+        storageOnnxBytes: existsSync14(storageOnnxDir) ? dirSize(storageOnnxDir) : 0
       });
     }
   }
@@ -13230,7 +13386,7 @@ async function runOnnxFix(adapters, report, options = {}) {
   const result = { cleared: 0, bytesReclaimed: 0, errors: [] };
   const rmFn = options.rmFn ?? rmSync3;
   for (const c2 of candidates) {
-    if (!existsSync13(c2.storageOnnxDir)) {
+    if (!existsSync14(c2.storageOnnxDir)) {
       O2.success(`${c2.harness.displayName}: no cached state to clear; restart your harness to trigger a fresh ONNX download`);
       continue;
     }
@@ -13256,10 +13412,10 @@ var init_onnx_fix = __esm(() => {
 });
 
 // src/lib/sessions.ts
-import { existsSync as existsSync14, readdirSync as readdirSync7, readFileSync as readFileSync4, statSync as statSync9 } from "node:fs";
+import { existsSync as existsSync15, readdirSync as readdirSync7, readFileSync as readFileSync4, statSync as statSync10 } from "node:fs";
 import { createRequire as createRequire3 } from "node:module";
 import { homedir as homedir9 } from "node:os";
-import { basename as basename2, join as join13 } from "node:path";
+import { basename as basename2, join as join14 } from "node:path";
 function listRecentSessions(adapter) {
   try {
     if (adapter.kind === "opencode")
@@ -13288,8 +13444,8 @@ function mapOpenCodeSessionRows(rows) {
   }).filter((session) => session !== null).sort((a, b) => b.lastActivity - a.lastActivity).slice(0, MAX_RECENT_SESSIONS);
 }
 function listRecentOpenCodeSessions() {
-  const dbPath = join13(getXdgDataHome(), "opencode", "opencode.db");
-  if (!existsSync14(dbPath))
+  const dbPath = join14(getXdgDataHome(), "opencode", "opencode.db");
+  if (!existsSync15(dbPath))
     return [];
   let db = null;
   try {
@@ -13308,10 +13464,10 @@ function listRecentOpenCodeSessions() {
 }
 function getXdgDataHome() {
   const xdgDataHome = process.env.XDG_DATA_HOME;
-  return xdgDataHome && xdgDataHome.length > 0 ? xdgDataHome : join13(homedir9(), ".local", "share");
+  return xdgDataHome && xdgDataHome.length > 0 ? xdgDataHome : join14(homedir9(), ".local", "share");
 }
 function listRecentPiSessions() {
-  return listPiSessionsFromDir(join13(getHomeDir(), ".pi", "agent", "sessions"));
+  return listPiSessionsFromDir(join14(getHomeDir(), ".pi", "agent", "sessions"));
 }
 function getHomeDir() {
   const envHome = process.platform === "win32" ? process.env.USERPROFILE : process.env.HOME;
@@ -13319,11 +13475,11 @@ function getHomeDir() {
 }
 function listPiSessionsFromDir(sessionsDir) {
   try {
-    if (!existsSync14(sessionsDir))
+    if (!existsSync15(sessionsDir))
       return [];
     const files = collectJsonlFiles(sessionsDir).map((filePath) => {
       try {
-        const stats = statSync9(filePath);
+        const stats = statSync10(filePath);
         return { filePath, mtimeMs: stats.mtimeMs };
       } catch {
         return null;
@@ -13357,7 +13513,7 @@ function collectJsonlFiles(root) {
       continue;
     }
     for (const entry of entries) {
-      const path = join13(dir, entry.name);
+      const path = join14(dir, entry.name);
       if (entry.isDirectory()) {
         stack.push(path);
       } else if (entry.isFile() && entry.name.endsWith(".jsonl")) {
@@ -13457,17 +13613,17 @@ __export(exports_doctor, {
 import { execFileSync } from "node:child_process";
 import {
   chmodSync as chmodSync2,
-  existsSync as existsSync15,
+  existsSync as existsSync16,
   mkdirSync as mkdirSync3,
   mkdtempSync,
   readFileSync as readFileSync5,
   realpathSync as realpathSync4,
   rmSync as rmSync4,
-  statSync as statSync10,
+  statSync as statSync11,
   writeFileSync as writeFileSync2
 } from "node:fs";
-import { tmpdir as tmpdir2 } from "node:os";
-import { join as join14 } from "node:path";
+import { tmpdir as tmpdir3 } from "node:os";
+import { join as join15 } from "node:path";
 async function runDoctor(options) {
   if (options.issue) {
     return runIssueFlow(options.argv);
@@ -13621,7 +13777,7 @@ function clearOldBinaries() {
     errors: [],
     keptVersion: keepTag
   };
-  if (!existsSync15(info.path)) {
+  if (!existsSync16(info.path)) {
     O2.info(`Binary cache: nothing to clear at ${info.path}`);
     return result;
   }
@@ -13631,10 +13787,10 @@ function clearOldBinaries() {
     return result;
   }
   for (const version of stale) {
-    const dir = join14(info.path, version);
+    const dir = join15(info.path, version);
     let bytes = 0;
     try {
-      bytes = statSync10(dir).isDirectory() ? dirSize(dir) : 0;
+      bytes = statSync11(dir).isDirectory() ? dirSize(dir) : 0;
     } catch {
       bytes = 0;
     }
@@ -13956,7 +14112,7 @@ function ensureStorageDirsForRegisteredPlugins(adapters) {
       if (!adapter.isInstalled() || !adapter.hasPluginEntry())
         continue;
       const storageDir = adapter.getStorageDir();
-      if (existsSync15(storageDir))
+      if (existsSync16(storageDir))
         continue;
       mkdirSync3(storageDir, { recursive: true });
       summary.created += 1;
@@ -14059,11 +14215,11 @@ function deriveIssueTitleFromBody(body) {
 function writeIssueReviewFile(body) {
   let reviewDir = null;
   try {
-    reviewDir = mkdtempSync(join14(tmpdir2(), "aft-issue-"));
+    reviewDir = mkdtempSync(join15(tmpdir3(), "aft-issue-"));
     if (process.platform !== "win32") {
       chmodSync2(reviewDir, 448);
     }
-    const outPath = join14(reviewDir, "issue.md");
+    const outPath = join15(reviewDir, "issue.md");
     writeFileSync2(outPath, `${body}
 `, { encoding: "utf8", mode: 384, flag: "wx" });
     return { path: outPath, realPath: realpathSync4(outPath) };
@@ -14152,6 +14308,7 @@ ${scopedTail || "<no log output>"}
   const recentErrorsSection = recentErrorLines.length === 0 ? "_No error-shaped log lines found in recent history._" : ["```", recentErrorLines.join(`
 `), "```"].join(`
 `);
+  const toolFailuresSection = buildRecentAftToolFailuresSectionFromLog();
   const rawBody = [
     "## Description",
     description,
@@ -14169,6 +14326,8 @@ ${scopedTail || "<no log output>"}
     "## Recent errors (last 20, sanitized)",
     recentErrorsSection,
     "",
+    toolFailuresSection,
+    "",
     "## Logs (last 200 lines per harness)",
     logSections,
     "_Usernames and home paths have been stripped from this report._"
@@ -14223,6 +14382,7 @@ var DOCTOR_CLEAR_TARGET_OPTIONS, DOCTOR_FORCE_CLEAR_TARGETS;
 var init_doctor = __esm(async () => {
   init_dist();
   init_binary_cache();
+  init_bridge_tool_failures();
   init_fs_util();
   init_github();
   init_harness_select();

package/dist/lib/bridge-tool-failures.d.ts

@@ -0,0 +1,26 @@
+/** Newest window: tail of the bridge log by bytes (not full file). */
+export declare const BRIDGE_LOG_TAIL_BYTES: number;
+export declare const MAX_TOOL_FAILURE_CLASSES = 30;
+export declare function resolveBridgePluginLogPath(): string;
+/** Read up to `maxBytes` from the end of a log file (UTF-8). */
+export declare function tailLogFileBytes(path: string, maxBytes: number): string;
+export type ToolFailureKey = string;
+/**
+ * Aggregate failure-shaped lines from bridge plugin log text into counts.
+ * Input should be a recent tail only; keys are tool/command + error class.
+ */
+export declare function aggregateBridgeToolFailures(logText: string): Map<ToolFailureKey, number>;
+/**
+ * Render the `### Recent AFT tool failures` markdown section from aggregated counts.
+ */
+export declare function formatRecentAftToolFailuresSection(counts: Map<ToolFailureKey, number>, options?: {
+    maxClasses?: number;
+}): string;
+/**
+ * Build the tool-failures section from the bridge log path (newest tail window).
+ */
+export declare function buildRecentAftToolFailuresSectionFromLog(logPath?: string, options?: {
+    tailBytes?: number;
+    maxClasses?: number;
+}): string;
+//# sourceMappingURL=bridge-tool-failures.d.ts.map

package/dist/lib/bridge-tool-failures.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-tool-failures.d.ts","sourceRoot":"","sources":["../../src/lib/bridge-tool-failures.ts"],"names":[],"mappings":"AAKA,sEAAsE;AACtE,eAAO,MAAM,qBAAqB,QAAkB,CAAC;AAErD,eAAO,MAAM,wBAAwB,KAAK,CAAC;AAO3C,wBAAgB,0BAA0B,IAAI,MAAM,CAGnD;AAED,gEAAgE;AAChE,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAuBvE;AAED,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC;AAmEpC;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,OAAO,EAAE,MAAM,GAAG,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,CAcxF;AAQD;;GAEG;AACH,wBAAgB,kCAAkC,CAChD,MAAM,EAAE,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,EACnC,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAChC,MAAM,CAqBR;AAED;;GAEG;AACH,wBAAgB,wCAAwC,CACtD,OAAO,GAAE,MAAqC,EAC9C,OAAO,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GACpD,MAAM,CAKR"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cortexkit/aft",
-  "version": "0.39.1",
+  "version": "0.39.2",
   "type": "module",
   "description": "Unified CLI for Agent File Tools (AFT) — setup, doctor, and diagnostics across supported agent harnesses (OpenCode, Pi)",
   "license": "MIT",
@@ -24,7 +24,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^1.2.0",
-    "@cortexkit/aft-bridge": "0.39.1",
+    "@cortexkit/aft-bridge": "0.39.2",
     "comment-json": "^4.6.2"
   },
   "devDependencies": {