npm - @harness-engineering/cli - Versions diffs - 1.14.0 → 1.16.0 - Mend

@harness-engineering/cli 1.14.0 → 1.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (499) hide show

package/dist/{chunk-ABQHQ6I5.js → chunk-ALFKNAZW.js} RENAMED Viewed

@@ -135,17 +135,17 @@ function resolveFileToLayer(file, layers) {
 }
 var accessAsync = promisify(access);
 var readFileAsync = promisify(readFile);
-async function fileExists(path22) {
+async function fileExists(path26) {
   try {
-    await accessAsync(path22, constants.F_OK);
+    await accessAsync(path26, constants.F_OK);
     return true;
   } catch {
     return false;
   }
 }
-async function readFileContent(path22) {
+async function readFileContent(path26) {
   try {
-    const content = await readFileAsync(path22, "utf-8");
+    const content = await readFileAsync(path26, "utf-8");
     return Ok(content);
   } catch (error) {
     return Err(error);
@@ -1832,6 +1832,7 @@ import * as fs6 from "fs";
 import * as path3 from "path";
 import * as fs9 from "fs";
 import * as path6 from "path";
+import * as crypto from "crypto";
 import * as fs10 from "fs";
 import * as path7 from "path";
 import * as fs11 from "fs";
@@ -1845,26 +1846,40 @@ import * as fs14 from "fs";
 import * as path11 from "path";
 import * as fs15 from "fs";
 import * as path12 from "path";
-import * as fs17 from "fs/promises";
-import { z as z5 } from "zod";
 import * as fs16 from "fs";
 import * as path13 from "path";
+import { z as z5 } from "zod";
+import * as fs18 from "fs/promises";
+import { minimatch as minimatch4 } from "minimatch";
+import { z as z6 } from "zod";
+import * as fs17 from "fs";
 import * as path14 from "path";
+import { readFileSync as readFileSync142, writeFileSync as writeFileSync11, unlinkSync, mkdirSync as mkdirSync11, readdirSync as readdirSync3 } from "fs";
+import { join as join21, dirname as dirname8 } from "path";
 import * as path15 from "path";
 import * as path16 from "path";
 import * as path17 from "path";
-import * as fs18 from "fs";
 import * as path18 from "path";
-import { z as z6 } from "zod";
-import * as fs19 from "fs/promises";
+import * as fs19 from "fs";
 import * as path19 from "path";
+import { z as z7 } from "zod";
 import * as fs20 from "fs/promises";
 import * as path20 from "path";
-import * as ejs from "ejs";
-import * as fs21 from "fs";
+import * as fs21 from "fs/promises";
 import * as path21 from "path";
+import * as ejs from "ejs";
+import * as fs22 from "fs";
+import * as path22 from "path";
 import * as os from "os";
 import { spawn } from "child_process";
+import Parser from "web-tree-sitter";
+import * as fs23 from "fs/promises";
+import * as path23 from "path";
+import * as fs24 from "fs";
+import * as path24 from "path";
+import * as fs25 from "fs";
+import * as path25 from "path";
+import * as os2 from "os";
 async function validateFileStructure(projectPath, conventions) {
   const missing = [];
   const unexpected = [];
@@ -1900,15 +1915,15 @@ function validateConfig(data, schema) {
   let message = "Configuration validation failed";
   const suggestions = [];
   if (firstError) {
-    const path22 = firstError.path.join(".");
-    const pathDisplay = path22 ? ` at "${path22}"` : "";
+    const path26 = firstError.path.join(".");
+    const pathDisplay = path26 ? ` at "${path26}"` : "";
     if (firstError.code === "invalid_type") {
       const received = firstError.received;
       const expected = firstError.expected;
       if (received === "undefined") {
         code = "MISSING_FIELD";
         message = `Missing required field${pathDisplay}: ${firstError.message}`;
-        suggestions.push(`Field "${path22}" is required and must be of type "${expected}"`);
+        suggestions.push(`Field "${path26}" is required and must be of type "${expected}"`);
       } else {
         code = "INVALID_TYPE";
         message = `Invalid type${pathDisplay}: ${firstError.message}`;
@@ -2117,27 +2132,27 @@ function extractSections(content) {
   }
   return sections.map((section) => buildAgentMapSection(section, lines));
 }
-function isExternalLink(path22) {
-  return path22.startsWith("http://") || path22.startsWith("https://") || path22.startsWith("#") || path22.startsWith("mailto:");
+function isExternalLink(path26) {
+  return path26.startsWith("http://") || path26.startsWith("https://") || path26.startsWith("#") || path26.startsWith("mailto:");
 }
 function resolveLinkPath(linkPath, baseDir) {
   return linkPath.startsWith(".") ? join4(baseDir, linkPath) : linkPath;
 }
-async function validateAgentsMap(path22 = "./AGENTS.md") {
-  const contentResult = await readFileContent(path22);
+async function validateAgentsMap(path26 = "./AGENTS.md") {
+  const contentResult = await readFileContent(path26);
   if (!contentResult.ok) {
     return Err(
       createError(
         "PARSE_ERROR",
         `Failed to read AGENTS.md: ${contentResult.error.message}`,
-        { path: path22 },
+        { path: path26 },
         ["Ensure the file exists", "Check file permissions"]
       )
     );
   }
   const content = contentResult.value;
   const sections = extractSections(content);
-  const baseDir = dirname4(path22);
+  const baseDir = dirname4(path26);
   const sectionTitles = sections.map((s) => s.title);
   const missingSections = REQUIRED_SECTIONS.filter(
     (required) => !sectionTitles.some((title) => title.toLowerCase().includes(required.toLowerCase()))
@@ -2271,8 +2286,8 @@ async function checkDocCoverage(domain, options = {}) {
     );
   }
 }
-function suggestFix(path22, existingFiles) {
-  const targetName = basename2(path22).toLowerCase();
+function suggestFix(path26, existingFiles) {
+  const targetName = basename2(path26).toLowerCase();
   const similar = existingFiles.find((file) => {
     const fileName = basename2(file).toLowerCase();
     return fileName.includes(targetName) || targetName.includes(fileName);
@@ -2280,7 +2295,7 @@ function suggestFix(path22, existingFiles) {
   if (similar) {
     return `Did you mean "${similar}"?`;
   }
-  return `Create the file "${path22}" or remove the link`;
+  return `Create the file "${path26}" or remove the link`;
 }
 async function validateKnowledgeMap(rootDir = process.cwd()) {
   const agentsPath = join22(rootDir, "AGENTS.md");
@@ -2623,8 +2638,8 @@ function createBoundaryValidator(schema, name) {
         return Ok(result.data);
       }
       const suggestions = result.error.issues.map((issue) => {
-        const path22 = issue.path.join(".");
-        return path22 ? `${path22}: ${issue.message}` : issue.message;
+        const path26 = issue.path.join(".");
+        return path26 ? `${path26}: ${issue.message}` : issue.message;
       });
       return Err(
         createError(
@@ -3232,11 +3247,11 @@ function processExportListSpecifiers(exportDecl, exports) {
 var TypeScriptParser = class {
   name = "typescript";
   extensions = [".ts", ".tsx", ".mts", ".cts"];
-  async parseFile(path22) {
-    const contentResult = await readFileContent(path22);
+  async parseFile(path26) {
+    const contentResult = await readFileContent(path26);
     if (!contentResult.ok) {
       return Err(
-        createParseError("NOT_FOUND", `File not found: ${path22}`, { path: path22 }, [
+        createParseError("NOT_FOUND", `File not found: ${path26}`, { path: path26 }, [
           "Check that the file exists",
           "Verify the path is correct"
         ])
@@ -3246,7 +3261,7 @@ var TypeScriptParser = class {
       const ast = parse(contentResult.value, {
         loc: true,
         range: true,
-        jsx: path22.endsWith(".tsx"),
+        jsx: path26.endsWith(".tsx"),
         errorOnUnknownASTType: false
       });
       return Ok({
@@ -3257,7 +3272,7 @@ var TypeScriptParser = class {
     } catch (e) {
       const error = e;
       return Err(
-        createParseError("SYNTAX_ERROR", `Failed to parse ${path22}: ${error.message}`, { path: path22 }, [
+        createParseError("SYNTAX_ERROR", `Failed to parse ${path26}: ${error.message}`, { path: path26 }, [
           "Check for syntax errors in the file",
           "Ensure valid TypeScript syntax"
         ])
@@ -3438,22 +3453,22 @@ function extractInlineRefs(content) {
   }
   return refs;
 }
-async function parseDocumentationFile(path22) {
-  const contentResult = await readFileContent(path22);
+async function parseDocumentationFile(path26) {
+  const contentResult = await readFileContent(path26);
   if (!contentResult.ok) {
     return Err(
       createEntropyError(
         "PARSE_ERROR",
-        `Failed to read documentation file: ${path22}`,
-        { file: path22 },
+        `Failed to read documentation file: ${path26}`,
+        { file: path26 },
         ["Check that the file exists"]
       )
     );
   }
   const content = contentResult.value;
-  const type = path22.endsWith(".md") ? "markdown" : "text";
+  const type = path26.endsWith(".md") ? "markdown" : "text";
   return Ok({
-    path: path22,
+    path: path26,
     type,
     content,
     codeBlocks: extractCodeBlocks(content),
@@ -4711,7 +4726,7 @@ var EntropyAnalyzer = class {
 };
 var readFile32 = promisify2(fs3.readFile);
 var writeFile32 = promisify2(fs3.writeFile);
-var unlink2 = promisify2(fs3.unlink);
+var unlink22 = promisify2(fs3.unlink);
 var mkdir22 = promisify2(fs3.mkdir);
 var copyFile2 = promisify2(fs3.copyFile);
 var DEFAULT_FIX_CONFIG = {
@@ -4854,7 +4869,7 @@ async function applySingleFix(fix, config) {
             return Err({ fix, error: backupResult.error.message });
           }
         }
-        await unlink2(fix.file);
+        await unlink22(fix.file);
         break;
       case "delete-lines":
         if (fix.line !== void 0) {
@@ -6490,6 +6505,8 @@ var SESSION_INDEX_FILE = "index.md";
 var SUMMARY_FILE = "summary.md";
 var SESSION_STATE_FILE = "session-state.json";
 var ARCHIVE_DIR = "archive";
+var CONTENT_HASHES_FILE = "content-hashes.json";
+var EVENTS_FILE = "events.jsonl";
 var STREAMS_DIR = "streams";
 var STREAM_NAME_REGEX = /^[a-z0-9][a-z0-9._-]*$/;
 function streamsDir(projectPath) {
@@ -6818,6 +6835,84 @@ async function saveState(projectPath, state, stream, session) {
     );
   }
 }
+function parseFrontmatter(line) {
+  const match = line.match(/^<!--\s+hash:([a-f0-9]+)(?:\s+tags:([^\s]+))?\s+-->/);
+  if (!match) return null;
+  const hash = match[1];
+  const tags = match[2] ? match[2].split(",").filter(Boolean) : [];
+  return { hash, tags };
+}
+function computeEntryHash(text) {
+  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 8);
+}
+function normalizeLearningContent(text) {
+  let normalized = text;
+  normalized = normalized.replace(/\d{4}-\d{2}-\d{2}/g, "");
+  normalized = normalized.replace(/\[skill:[^\]]*\]/g, "");
+  normalized = normalized.replace(/\[outcome:[^\]]*\]/g, "");
+  normalized = normalized.replace(/^[\s]*[-*]\s+/gm, "");
+  normalized = normalized.replace(/\*\*/g, "");
+  normalized = normalized.replace(/:\s*/g, " ");
+  normalized = normalized.toLowerCase();
+  normalized = normalized.replace(/\s+/g, " ").trim();
+  return normalized;
+}
+function computeContentHash(text) {
+  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
+}
+function loadContentHashes(stateDir) {
+  const hashesPath = path6.join(stateDir, CONTENT_HASHES_FILE);
+  if (!fs9.existsSync(hashesPath)) return {};
+  try {
+    const raw = fs9.readFileSync(hashesPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) return {};
+    return parsed;
+  } catch {
+    return {};
+  }
+}
+function saveContentHashes(stateDir, index) {
+  const hashesPath = path6.join(stateDir, CONTENT_HASHES_FILE);
+  fs9.writeFileSync(hashesPath, JSON.stringify(index, null, 2) + "\n");
+}
+function rebuildContentHashes(stateDir) {
+  const learningsPath = path6.join(stateDir, LEARNINGS_FILE);
+  if (!fs9.existsSync(learningsPath)) return {};
+  const content = fs9.readFileSync(learningsPath, "utf-8");
+  const lines = content.split("\n");
+  const index = {};
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const isDatedBullet = /^- \*\*\d{4}-\d{2}-\d{2}/.test(line);
+    if (isDatedBullet) {
+      const learningMatch = line.match(/:\*\*\s*(.+)$/);
+      if (learningMatch?.[1]) {
+        const normalized = normalizeLearningContent(learningMatch[1]);
+        const hash = computeContentHash(normalized);
+        const dateMatch = line.match(/(\d{4}-\d{2}-\d{2})/);
+        index[hash] = { date: dateMatch?.[1] ?? "", line: i + 1 };
+      }
+    }
+  }
+  saveContentHashes(stateDir, index);
+  return index;
+}
+function extractIndexEntry(entry) {
+  const lines = entry.split("\n");
+  const summary = lines[0] ?? entry;
+  const tags = [];
+  const skillMatch = entry.match(/\[skill:([^\]]+)\]/);
+  if (skillMatch?.[1]) tags.push(skillMatch[1]);
+  const outcomeMatch = entry.match(/\[outcome:([^\]]+)\]/);
+  if (outcomeMatch?.[1]) tags.push(outcomeMatch[1]);
+  return {
+    hash: computeEntryHash(entry),
+    tags,
+    summary,
+    fullText: entry
+  };
+}
 var learningsCacheMap = /* @__PURE__ */ new Map();
 function clearLearningsCache() {
   learningsCacheMap.clear();
@@ -6829,27 +6924,55 @@ async function appendLearning(projectPath, learning, skillName, outcome, stream,
     const stateDir = dirResult.value;
     const learningsPath = path6.join(stateDir, LEARNINGS_FILE);
     fs9.mkdirSync(stateDir, { recursive: true });
+    const normalizedContent = normalizeLearningContent(learning);
+    const contentHash = computeContentHash(normalizedContent);
+    const hashesPath = path6.join(stateDir, CONTENT_HASHES_FILE);
+    let contentHashes;
+    if (fs9.existsSync(hashesPath)) {
+      contentHashes = loadContentHashes(stateDir);
+      if (Object.keys(contentHashes).length === 0 && fs9.existsSync(learningsPath)) {
+        contentHashes = rebuildContentHashes(stateDir);
+      }
+    } else if (fs9.existsSync(learningsPath)) {
+      contentHashes = rebuildContentHashes(stateDir);
+    } else {
+      contentHashes = {};
+    }
+    if (contentHashes[contentHash]) {
+      return Ok(void 0);
+    }
     const timestamp = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-    let entry;
+    const fmTags = [];
+    if (skillName) fmTags.push(skillName);
+    if (outcome) fmTags.push(outcome);
+    let bulletLine;
     if (skillName && outcome) {
-      entry = `
-- **${timestamp} [skill:${skillName}] [outcome:${outcome}]:** ${learning}
-`;
+      bulletLine = `- **${timestamp} [skill:${skillName}] [outcome:${outcome}]:** ${learning}`;
     } else if (skillName) {
-      entry = `
-- **${timestamp} [skill:${skillName}]:** ${learning}
-`;
+      bulletLine = `- **${timestamp} [skill:${skillName}]:** ${learning}`;
     } else {
-      entry = `
-- **${timestamp}:** ${learning}
-`;
+      bulletLine = `- **${timestamp}:** ${learning}`;
     }
+    const hash = crypto.createHash("sha256").update(bulletLine).digest("hex").slice(0, 8);
+    const tagsStr = fmTags.length > 0 ? ` tags:${fmTags.join(",")}` : "";
+    const frontmatter = `<!-- hash:${hash}${tagsStr} -->`;
+    const entry = `
+${frontmatter}
+${bulletLine}
+`;
+    let existingLineCount;
     if (!fs9.existsSync(learningsPath)) {
       fs9.writeFileSync(learningsPath, `# Learnings
 ${entry}`);
+      existingLineCount = 1;
     } else {
+      const existingContent = fs9.readFileSync(learningsPath, "utf-8");
+      existingLineCount = existingContent.split("\n").length;
       fs9.appendFileSync(learningsPath, entry);
     }
+    const bulletLine_lineNum = existingLineCount + 2;
+    contentHashes[contentHash] = { date: timestamp ?? "", line: bulletLine_lineNum };
+    saveContentHashes(stateDir, contentHashes);
     learningsCacheMap.delete(learningsPath);
     return Ok(void 0);
   } catch (error) {
@@ -6897,7 +7020,30 @@ function analyzeLearningPatterns(entries) {
   return patterns.sort((a, b) => b.count - a.count);
 }
 async function loadBudgetedLearnings(projectPath, options) {
-  const { intent, tokenBudget = 1e3, skill, session, stream } = options;
+  const { intent, tokenBudget = 1e3, skill, session, stream, depth = "summary" } = options;
+  if (depth === "index") {
+    const indexEntries = [];
+    if (session) {
+      const sessionResult = await loadIndexEntries(projectPath, skill, stream, session);
+      if (sessionResult.ok) indexEntries.push(...sessionResult.value);
+    }
+    const globalResult2 = await loadIndexEntries(projectPath, skill, stream);
+    if (globalResult2.ok) {
+      const sessionHashes = new Set(indexEntries.map((e) => e.hash));
+      const uniqueGlobal = globalResult2.value.filter((e) => !sessionHashes.has(e.hash));
+      indexEntries.push(...uniqueGlobal);
+    }
+    const budgeted2 = [];
+    let totalTokens2 = 0;
+    for (const entry of indexEntries) {
+      const separator = budgeted2.length > 0 ? "\n" : "";
+      const entryCost = estimateTokens(entry.summary + separator);
+      if (totalTokens2 + entryCost > tokenBudget) break;
+      budgeted2.push(entry.summary);
+      totalTokens2 += entryCost;
+    }
+    return Ok(budgeted2);
+  }
   const sortByRecencyAndRelevance = (entries) => {
     return [...entries].sort((a, b) => {
       const dateA = parseDateFromEntry(a) ?? "0000-00-00";
@@ -6916,7 +7062,9 @@ async function loadBudgetedLearnings(projectPath, options) {
   }
   const globalResult = await loadRelevantLearnings(projectPath, skill, stream);
   if (globalResult.ok) {
-    allEntries.push(...sortByRecencyAndRelevance(globalResult.value));
+    const sessionSet = new Set(allEntries.map((e) => e.trim()));
+    const uniqueGlobal = globalResult.value.filter((e) => !sessionSet.has(e.trim()));
+    allEntries.push(...sortByRecencyAndRelevance(uniqueGlobal));
   }
   const budgeted = [];
   let totalTokens = 0;
@@ -6929,6 +7077,68 @@ async function loadBudgetedLearnings(projectPath, options) {
   }
   return Ok(budgeted);
 }
+async function loadIndexEntries(projectPath, skillName, stream, session) {
+  try {
+    const dirResult = await getStateDir(projectPath, stream, session);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const learningsPath = path6.join(stateDir, LEARNINGS_FILE);
+    if (!fs9.existsSync(learningsPath)) {
+      return Ok([]);
+    }
+    const content = fs9.readFileSync(learningsPath, "utf-8");
+    const lines = content.split("\n");
+    const indexEntries = [];
+    let pendingFrontmatter = null;
+    let currentBlock = [];
+    for (const line of lines) {
+      if (line.startsWith("# ")) continue;
+      const fm = parseFrontmatter(line);
+      if (fm) {
+        pendingFrontmatter = fm;
+        continue;
+      }
+      const isDatedBullet = /^- \*\*\d{4}-\d{2}-\d{2}/.test(line);
+      const isHeading = /^## \d{4}-\d{2}-\d{2}/.test(line);
+      if (isDatedBullet || isHeading) {
+        if (pendingFrontmatter) {
+          indexEntries.push({
+            hash: pendingFrontmatter.hash,
+            tags: pendingFrontmatter.tags,
+            summary: line,
+            fullText: ""
+            // Placeholder — full text not loaded in index mode
+          });
+          pendingFrontmatter = null;
+        } else {
+          const idx = extractIndexEntry(line);
+          indexEntries.push({
+            hash: idx.hash,
+            tags: idx.tags,
+            summary: line,
+            fullText: ""
+          });
+        }
+        currentBlock = [line];
+      } else if (line.trim() !== "" && currentBlock.length > 0) {
+        currentBlock.push(line);
+      }
+    }
+    if (skillName) {
+      const filtered = indexEntries.filter(
+        (e) => e.tags.includes(skillName) || e.summary.includes(`[skill:${skillName}]`)
+      );
+      return Ok(filtered);
+    }
+    return Ok(indexEntries);
+  } catch (error) {
+    return Err(
+      new Error(
+        `Failed to load index entries: ${error instanceof Error ? error.message : String(error)}`
+      )
+    );
+  }
+}
 async function loadRelevantLearnings(projectPath, skillName, stream, session) {
   try {
     const dirResult = await getStateDir(projectPath, stream, session);
@@ -6951,6 +7161,7 @@ async function loadRelevantLearnings(projectPath, skillName, stream, session) {
       let currentBlock = [];
       for (const line of lines) {
         if (line.startsWith("# ")) continue;
+        if (/^<!--\s+hash:[a-f0-9]+/.test(line)) continue;
         const isDatedBullet = /^- \*\*\d{4}-\d{2}-\d{2}/.test(line);
         const isHeading = /^## \d{4}-\d{2}-\d{2}/.test(line);
         if (isDatedBullet || isHeading) {
@@ -7060,6 +7271,68 @@ async function pruneLearnings(projectPath, stream) {
     );
   }
 }
+var PROMOTABLE_OUTCOMES = ["gotcha", "decision", "observation"];
+function isGeneralizable(entry) {
+  for (const outcome of PROMOTABLE_OUTCOMES) {
+    if (entry.includes(`[outcome:${outcome}]`)) return true;
+  }
+  return false;
+}
+async function promoteSessionLearnings(projectPath, sessionSlug, stream) {
+  try {
+    const sessionResult = await loadRelevantLearnings(projectPath, void 0, stream, sessionSlug);
+    if (!sessionResult.ok) return sessionResult;
+    const sessionEntries = sessionResult.value;
+    if (sessionEntries.length === 0) {
+      return Ok({ promoted: 0, skipped: 0 });
+    }
+    const toPromote = [];
+    let skipped = 0;
+    for (const entry of sessionEntries) {
+      if (isGeneralizable(entry)) {
+        toPromote.push(entry);
+      } else {
+        skipped++;
+      }
+    }
+    if (toPromote.length === 0) {
+      return Ok({ promoted: 0, skipped });
+    }
+    const dirResult = await getStateDir(projectPath, stream);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const globalPath = path6.join(stateDir, LEARNINGS_FILE);
+    const existingGlobal = fs9.existsSync(globalPath) ? fs9.readFileSync(globalPath, "utf-8") : "";
+    const newEntries = toPromote.filter((entry) => !existingGlobal.includes(entry.trim()));
+    if (newEntries.length === 0) {
+      return Ok({ promoted: 0, skipped: skipped + toPromote.length });
+    }
+    const promotedContent = newEntries.join("\n\n") + "\n";
+    if (!existingGlobal) {
+      fs9.writeFileSync(globalPath, `# Learnings
+${promotedContent}`);
+    } else {
+      fs9.appendFileSync(globalPath, "\n\n" + promotedContent);
+    }
+    learningsCacheMap.delete(globalPath);
+    return Ok({
+      promoted: newEntries.length,
+      skipped: skipped + (toPromote.length - newEntries.length)
+    });
+  } catch (error) {
+    return Err(
+      new Error(
+        `Failed to promote session learnings: ${error instanceof Error ? error.message : String(error)}`
+      )
+    );
+  }
+}
+async function countLearningEntries(projectPath, stream) {
+  const loadResult = await loadRelevantLearnings(projectPath, void 0, stream);
+  if (!loadResult.ok) return 0;
+  return loadResult.value.length;
+}
 var failuresCacheMap = /* @__PURE__ */ new Map();
 function clearFailuresCache() {
   failuresCacheMap.clear();
@@ -7494,6 +7767,146 @@ async function archiveSession(projectPath, sessionSlug) {
     );
   }
 }
+var SkillEventSchema = z5.object({
+  timestamp: z5.string(),
+  skill: z5.string(),
+  session: z5.string().optional(),
+  type: z5.enum(["phase_transition", "decision", "gate_result", "handoff", "error", "checkpoint"]),
+  summary: z5.string(),
+  data: z5.record(z5.unknown()).optional(),
+  refs: z5.array(z5.string()).optional(),
+  contentHash: z5.string().optional()
+});
+function computeEventHash(event, session) {
+  const identity = `${event.skill}|${event.type}|${event.summary}|${session ?? ""}`;
+  return computeContentHash(identity);
+}
+var knownHashesCache = /* @__PURE__ */ new Map();
+function loadKnownHashes(eventsPath) {
+  const cached = knownHashesCache.get(eventsPath);
+  if (cached) return cached;
+  const hashes = /* @__PURE__ */ new Set();
+  if (fs16.existsSync(eventsPath)) {
+    const content = fs16.readFileSync(eventsPath, "utf-8");
+    const lines = content.split("\n").filter((line) => line.trim() !== "");
+    for (const line of lines) {
+      try {
+        const existing = JSON.parse(line);
+        if (existing.contentHash) {
+          hashes.add(existing.contentHash);
+        }
+      } catch {
+      }
+    }
+  }
+  knownHashesCache.set(eventsPath, hashes);
+  return hashes;
+}
+function clearEventHashCache() {
+  knownHashesCache.clear();
+}
+async function emitEvent(projectPath, event, options) {
+  try {
+    const dirResult = await getStateDir(projectPath, options?.stream, options?.session);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const eventsPath = path13.join(stateDir, EVENTS_FILE);
+    fs16.mkdirSync(stateDir, { recursive: true });
+    const contentHash = computeEventHash(event, options?.session);
+    const knownHashes = loadKnownHashes(eventsPath);
+    if (knownHashes.has(contentHash)) {
+      return Ok({ written: false, reason: "duplicate" });
+    }
+    const fullEvent = {
+      ...event,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      contentHash
+    };
+    if (options?.session) {
+      fullEvent.session = options.session;
+    }
+    fs16.appendFileSync(eventsPath, JSON.stringify(fullEvent) + "\n");
+    knownHashes.add(contentHash);
+    return Ok({ written: true });
+  } catch (error) {
+    return Err(
+      new Error(`Failed to emit event: ${error instanceof Error ? error.message : String(error)}`)
+    );
+  }
+}
+async function loadEvents(projectPath, options) {
+  try {
+    const dirResult = await getStateDir(projectPath, options?.stream, options?.session);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const eventsPath = path13.join(stateDir, EVENTS_FILE);
+    if (!fs16.existsSync(eventsPath)) {
+      return Ok([]);
+    }
+    const content = fs16.readFileSync(eventsPath, "utf-8");
+    const lines = content.split("\n").filter((line) => line.trim() !== "");
+    const events = [];
+    for (const line of lines) {
+      try {
+        const parsed = JSON.parse(line);
+        const result = SkillEventSchema.safeParse(parsed);
+        if (result.success) {
+          events.push(result.data);
+        }
+      } catch {
+      }
+    }
+    return Ok(events);
+  } catch (error) {
+    return Err(
+      new Error(`Failed to load events: ${error instanceof Error ? error.message : String(error)}`)
+    );
+  }
+}
+function formatPhaseTransition(event) {
+  const data = event.data;
+  const suffix = data?.taskCount ? ` (${data.taskCount} tasks)` : "";
+  return `phase: ${data?.from ?? "?"} -> ${data?.to ?? "?"}${suffix}`;
+}
+function formatGateResult(event) {
+  const data = event.data;
+  const status = data?.passed ? "passed" : "failed";
+  const checks = data?.checks?.map((c) => `${c.name} ${c.passed ? "Y" : "N"}`).join(", ");
+  return checks ? `gate: ${status} (${checks})` : `gate: ${status}`;
+}
+function formatHandoffDetail(event) {
+  const data = event.data;
+  const direction = data?.toSkill ? ` -> ${data.toSkill}` : "";
+  return `handoff: ${event.summary}${direction}`;
+}
+var EVENT_FORMATTERS = {
+  phase_transition: formatPhaseTransition,
+  gate_result: formatGateResult,
+  decision: (event) => `decision: ${event.summary}`,
+  handoff: formatHandoffDetail,
+  error: (event) => `error: ${event.summary}`,
+  checkpoint: (event) => `checkpoint: ${event.summary}`
+};
+function formatEventTimeline(events, limit = 20) {
+  if (events.length === 0) return "";
+  const recent = events.slice(-limit);
+  return recent.map((event) => {
+    const time = formatTime(event.timestamp);
+    const formatter = EVENT_FORMATTERS[event.type];
+    const detail = formatter ? formatter(event) : event.summary;
+    return `- ${time} [${event.skill}] ${detail}`;
+  }).join("\n");
+}
+function formatTime(timestamp) {
+  try {
+    const date = new Date(timestamp);
+    const hours = String(date.getHours()).padStart(2, "0");
+    const minutes = String(date.getMinutes()).padStart(2, "0");
+    return `${hours}:${minutes}`;
+  } catch {
+    return "??:??";
+  }
+}
 async function executeWorkflow(workflow, executor) {
   const stepResults = [];
   const startTime = Date.now();
@@ -7670,19 +8083,19 @@ var DEFAULT_SECURITY_CONFIG = {
   rules: {},
   exclude: ["**/node_modules/**", "**/dist/**", "**/*.test.ts", "**/fixtures/**"]
 };
-var RuleOverrideSchema = z5.enum(["off", "error", "warning", "info"]);
-var SecurityConfigSchema = z5.object({
-  enabled: z5.boolean().default(true),
-  strict: z5.boolean().default(false),
-  rules: z5.record(z5.string(), RuleOverrideSchema).optional().default({}),
-  exclude: z5.array(z5.string()).optional().default(["**/node_modules/**", "**/dist/**", "**/*.test.ts", "**/fixtures/**"]),
-  external: z5.object({
-    semgrep: z5.object({
-      enabled: z5.union([z5.literal("auto"), z5.boolean()]).default("auto"),
-      rulesets: z5.array(z5.string()).optional()
+var RuleOverrideSchema = z6.enum(["off", "error", "warning", "info"]);
+var SecurityConfigSchema = z6.object({
+  enabled: z6.boolean().default(true),
+  strict: z6.boolean().default(false),
+  rules: z6.record(z6.string(), RuleOverrideSchema).optional().default({}),
+  exclude: z6.array(z6.string()).optional().default(["**/node_modules/**", "**/dist/**", "**/*.test.ts", "**/fixtures/**"]),
+  external: z6.object({
+    semgrep: z6.object({
+      enabled: z6.union([z6.literal("auto"), z6.boolean()]).default("auto"),
+      rulesets: z6.array(z6.string()).optional()
     }).optional(),
-    gitleaks: z5.object({
-      enabled: z5.union([z5.literal("auto"), z5.boolean()]).default("auto")
+    gitleaks: z6.object({
+      enabled: z6.union([z6.literal("auto"), z6.boolean()]).default("auto")
     }).optional()
   }).optional()
 });
@@ -7715,11 +8128,11 @@ function resolveRuleSeverity(ruleId, defaultSeverity, overrides, strict) {
 }
 function detectStack(projectRoot) {
   const stacks = [];
-  const pkgJsonPath = path13.join(projectRoot, "package.json");
-  if (fs16.existsSync(pkgJsonPath)) {
+  const pkgJsonPath = path14.join(projectRoot, "package.json");
+  if (fs17.existsSync(pkgJsonPath)) {
     stacks.push("node");
     try {
-      const pkgJson = JSON.parse(fs16.readFileSync(pkgJsonPath, "utf-8"));
+      const pkgJson = JSON.parse(fs17.readFileSync(pkgJsonPath, "utf-8"));
       const allDeps = {
         ...pkgJson.dependencies,
         ...pkgJson.devDependencies
@@ -7734,13 +8147,13 @@ function detectStack(projectRoot) {
     } catch {
     }
   }
-  const goModPath = path13.join(projectRoot, "go.mod");
-  if (fs16.existsSync(goModPath)) {
+  const goModPath = path14.join(projectRoot, "go.mod");
+  if (fs17.existsSync(goModPath)) {
     stacks.push("go");
   }
-  const requirementsPath = path13.join(projectRoot, "requirements.txt");
-  const pyprojectPath = path13.join(projectRoot, "pyproject.toml");
-  if (fs16.existsSync(requirementsPath) || fs16.existsSync(pyprojectPath)) {
+  const requirementsPath = path14.join(projectRoot, "requirements.txt");
+  const pyprojectPath = path14.join(projectRoot, "pyproject.toml");
+  if (fs17.existsSync(requirementsPath) || fs17.existsSync(pyprojectPath)) {
     stacks.push("python");
   }
   return stacks;
@@ -7802,6 +8215,72 @@ var secretRules = [
     message: "Hardcoded JWT token detected",
     remediation: "Tokens should be fetched at runtime, not embedded in source",
     references: ["CWE-798"]
+  },
+  {
+    id: "SEC-SEC-006",
+    name: "Anthropic API Key",
+    category: "secrets",
+    severity: "error",
+    confidence: "high",
+    patterns: [/sk-ant-api\d{2}-[A-Za-z0-9_-]{20,}/],
+    message: "Hardcoded Anthropic API key detected",
+    remediation: "Use environment variables: process.env.ANTHROPIC_API_KEY",
+    references: ["CWE-798"]
+  },
+  {
+    id: "SEC-SEC-007",
+    name: "OpenAI API Key",
+    category: "secrets",
+    severity: "error",
+    confidence: "high",
+    patterns: [/sk-proj-[A-Za-z0-9_-]{20,}/],
+    message: "Hardcoded OpenAI API key detected",
+    remediation: "Use environment variables: process.env.OPENAI_API_KEY",
+    references: ["CWE-798"]
+  },
+  {
+    id: "SEC-SEC-008",
+    name: "Google API Key",
+    category: "secrets",
+    severity: "error",
+    confidence: "high",
+    patterns: [/AIza[A-Za-z0-9_-]{35}/],
+    message: "Hardcoded Google API key detected",
+    remediation: "Use environment variables or a secrets manager for Google API keys",
+    references: ["CWE-798"]
+  },
+  {
+    id: "SEC-SEC-009",
+    name: "GitHub Personal Access Token",
+    category: "secrets",
+    severity: "error",
+    confidence: "high",
+    patterns: [/gh[pous]_[A-Za-z0-9_]{36,}/],
+    message: "Hardcoded GitHub personal access token detected",
+    remediation: "Use environment variables: process.env.GITHUB_TOKEN",
+    references: ["CWE-798"]
+  },
+  {
+    id: "SEC-SEC-010",
+    name: "Stripe Live Key",
+    category: "secrets",
+    severity: "error",
+    confidence: "high",
+    patterns: [/\b[spr]k_live_[A-Za-z0-9]{24,}/],
+    message: "Hardcoded Stripe live key detected",
+    remediation: "Use environment variables for Stripe keys; never commit live keys",
+    references: ["CWE-798"]
+  },
+  {
+    id: "SEC-SEC-011",
+    name: "Database Connection String with Credentials",
+    category: "secrets",
+    severity: "error",
+    confidence: "high",
+    patterns: [/(?:postgres|mysql|mongodb|redis|amqp|mssql)(?:\+\w+)?:\/\/[^/\s:]+:[^@/\s]+@/i],
+    message: "Database connection string with embedded credentials detected",
+    remediation: "Use environment variables for connection strings; separate credentials from URIs",
+    references: ["CWE-798"]
   }
 ];
 var injectionRules = [
@@ -7975,99 +8454,445 @@ var deserializationRules = [
     references: ["CWE-502"]
   }
 ];
-var nodeRules = [
+var agentConfigRules = [
   {
-    id: "SEC-NODE-001",
-    name: "Prototype Pollution",
-    category: "injection",
+    id: "SEC-AGT-001",
+    name: "Hidden Unicode Characters",
+    category: "agent-config",
+    severity: "error",
+    confidence: "high",
+    patterns: [/\u200B|\u200C|\u200D|\uFEFF|\u2060/],
+    fileGlob: "**/CLAUDE.md,**/AGENTS.md,**/*.yaml",
+    message: "Hidden zero-width Unicode characters detected in agent configuration",
+    remediation: "Remove invisible Unicode characters; they may hide malicious instructions",
+    references: ["CWE-116"]
+  },
+  {
+    id: "SEC-AGT-002",
+    name: "URL Execution Directives",
+    category: "agent-config",
     severity: "warning",
     confidence: "medium",
-    patterns: [
-      /__proto__/,
-      /\bconstructor\s*\[/,
-      /\bprototype\s*\[/,
-      /Object\.assign\s*\(\s*\w+\s*,\s*(?:req|request|body|input|params|query)\b/
-    ],
-    stack: ["node"],
-    message: "Potential prototype pollution via __proto__, constructor, or Object.assign with untrusted input",
-    remediation: "Validate keys against a whitelist, use Object.create(null), or use Map instead of plain objects",
-    references: ["CWE-1321"]
+    patterns: [/\b(?:curl|wget)\s+\S+/i, /\bfetch\s*\(/i],
+    fileGlob: "**/CLAUDE.md,**/AGENTS.md",
+    message: "URL execution directive found in agent configuration",
+    remediation: "Avoid instructing agents to download and execute remote content",
+    references: ["CWE-94"]
   },
   {
-    id: "SEC-NODE-002",
-    name: "NoSQL Injection",
-    category: "injection",
+    id: "SEC-AGT-003",
+    name: "Wildcard Tool Permissions",
+    category: "agent-config",
+    severity: "warning",
+    confidence: "high",
+    patterns: [/(?:Bash|Write|Edit)\s*\(\s*\*\s*\)/],
+    fileGlob: "**/.claude/**,**/settings*.json",
+    message: "Wildcard tool permissions grant unrestricted access",
+    remediation: "Scope tool permissions to specific patterns instead of wildcards",
+    references: ["CWE-250"]
+  },
+  {
+    id: "SEC-AGT-004",
+    name: "Auto-approve Patterns",
+    category: "agent-config",
+    severity: "warning",
+    confidence: "high",
+    patterns: [/\bautoApprove\b/i, /\bauto_approve\b/i],
+    fileGlob: "**/.claude/**,**/.mcp.json",
+    message: "Auto-approve configuration bypasses human review of tool calls",
+    remediation: "Review auto-approved tools carefully; prefer explicit approval for destructive operations",
+    references: ["CWE-862"]
+  },
+  {
+    id: "SEC-AGT-005",
+    name: "Prompt Injection Surface",
+    category: "agent-config",
     severity: "warning",
     confidence: "medium",
-    patterns: [
-      /\.find\s*\(\s*\{[^}]*\$(?:gt|gte|lt|lte|ne|in|nin|regex|where|exists)/,
-      /\.find\s*\(\s*(?:req|request)\.(?:body|query|params)/
-    ],
-    stack: ["node"],
-    message: "Potential NoSQL injection: MongoDB query operators in user input",
-    remediation: "Sanitize input by stripping keys starting with $ before using in queries",
-    references: ["CWE-943"]
-  }
-];
-var expressRules = [
+    patterns: [/\$\{[^}]*\}/, /\{\{[^}]*\}\}/],
+    fileGlob: "**/skill.yaml",
+    message: "Template interpolation syntax in skill YAML may enable prompt injection",
+    remediation: "Avoid dynamic interpolation in skill descriptions; use static text",
+    references: ["CWE-94"]
+  },
   {
-    id: "SEC-EXPRESS-001",
-    name: "Missing Helmet",
-    category: "network",
-    severity: "info",
-    confidence: "low",
-    patterns: [/app\s*=\s*express\s*\(\)/],
-    stack: ["express"],
-    fileGlob: "**/app.{ts,js}",
-    message: "Express app initialization detected \u2014 ensure helmet middleware is applied for security headers",
-    remediation: "Add helmet middleware: app.use(helmet())",
-    references: ["CWE-693"]
+    id: "SEC-AGT-006",
+    name: "Permission Bypass Flags",
+    category: "agent-config",
+    severity: "error",
+    confidence: "high",
+    patterns: [/--dangerously-skip-permissions/, /--no-verify/],
+    fileGlob: "**/CLAUDE.md,**/AGENTS.md,**/.claude/**",
+    message: "Permission bypass flag detected in agent configuration",
+    remediation: "Remove flags that bypass safety checks; they undermine enforcement",
+    references: ["CWE-863"]
   },
   {
-    id: "SEC-EXPRESS-002",
-    name: "Unprotected Route with Body Parsing",
-    category: "network",
-    severity: "info",
+    id: "SEC-AGT-007",
+    name: "Hook Injection Surface",
+    category: "agent-config",
+    severity: "error",
     confidence: "low",
-    patterns: [/app\.(?:post|put|patch)\s*\([^)]*,\s*(?:req|request)\s*(?:,|\))/],
-    stack: ["express"],
-    message: "Express route accepts request body \u2014 ensure input validation and rate limiting are applied",
-    remediation: "Add express-rate-limit and validate request body with Zod/joi",
-    references: ["CWE-770"]
+    patterns: [/\$\(/, /`[^`]+`/, /\s&&\s/, /\s\|\|\s/],
+    fileGlob: "**/settings*.json,**/hooks.json",
+    message: "Shell metacharacters in hook commands may enable command injection",
+    remediation: "Use simple, single-command hooks without shell operators; chain logic inside the script",
+    references: ["CWE-78"]
   }
 ];
-var reactRules = [
+var mcpRules = [
   {
-    id: "SEC-REACT-001",
-    name: "Sensitive Data in Client Storage",
-    category: "secrets",
-    severity: "warning",
+    id: "SEC-MCP-001",
+    name: "Hardcoded MCP Secrets",
+    category: "mcp",
+    severity: "error",
     confidence: "medium",
-    patterns: [
-      /localStorage\.setItem\s*\(\s*['"](?:token|jwt|auth|session|password|secret|key|credential)/i,
-      /sessionStorage\.setItem\s*\(\s*['"](?:token|jwt|auth|session|password|secret|key|credential)/i
-    ],
-    stack: ["react"],
-    message: "Storing sensitive data in browser storage is accessible to XSS attacks",
-    remediation: "Use httpOnly cookies for auth tokens instead of localStorage",
-    references: ["CWE-922"]
-  }
-];
-var goRules = [
+    patterns: [/(?:API_KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)\s*["']?\s*:\s*["'][^"']{8,}["']/i],
+    fileGlob: "**/.mcp.json",
+    message: "Hardcoded secret detected in MCP server configuration",
+    remediation: "Use environment variable references instead of inline secrets in .mcp.json",
+    references: ["CWE-798"]
+  },
   {
-    id: "SEC-GO-001",
-    name: "Unsafe Pointer Usage",
-    category: "injection",
-    severity: "warning",
+    id: "SEC-MCP-002",
+    name: "Shell Injection in MCP Args",
+    category: "mcp",
+    severity: "error",
     confidence: "medium",
-    patterns: [/unsafe\.Pointer/],
-    stack: ["go"],
-    message: "unsafe.Pointer bypasses Go type safety",
-    remediation: "Avoid unsafe.Pointer unless absolutely necessary; document justification",
-    references: ["CWE-119"]
+    patterns: [/\$\(/, /`[^`]+`/],
+    fileGlob: "**/.mcp.json",
+    message: "Shell metacharacters detected in MCP server arguments",
+    remediation: "Use literal argument values; avoid shell interpolation in MCP args",
+    references: ["CWE-78"]
   },
   {
-    id: "SEC-GO-002",
+    id: "SEC-MCP-003",
+    name: "Network Exposure",
+    category: "mcp",
+    severity: "warning",
+    confidence: "high",
+    patterns: [/0\.0\.0\.0/, /["']\*["']\s*:\s*\d/, /host["']?\s*:\s*["']\*["']/i],
+    fileGlob: "**/.mcp.json",
+    message: "MCP server binding to all network interfaces (0.0.0.0 or wildcard *)",
+    remediation: "Bind to 127.0.0.1 or localhost to restrict access to local machine",
+    references: ["CWE-668"]
+  },
+  {
+    id: "SEC-MCP-004",
+    name: "Typosquatting Vector",
+    category: "mcp",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [/\bnpx\s+(?:-y|--yes)\b/],
+    fileGlob: "**/.mcp.json",
+    message: "npx -y auto-installs packages without confirmation, enabling typosquatting",
+    remediation: "Pin exact package versions or install packages explicitly before use",
+    references: ["CWE-427"]
+  },
+  {
+    id: "SEC-MCP-005",
+    name: "Unencrypted Transport",
+    category: "mcp",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [/http:\/\/(?!localhost\b|127\.0\.0\.1\b)/],
+    fileGlob: "**/.mcp.json",
+    message: "Unencrypted HTTP transport detected for MCP server connection",
+    remediation: "Use https:// for all non-localhost MCP server connections",
+    references: ["CWE-319"]
+  }
+];
+var insecureDefaultsRules = [
+  {
+    id: "SEC-DEF-001",
+    name: "Security-Sensitive Fallback to Hardcoded Default",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /(?:SECRET|KEY|TOKEN|PASSWORD|SALT|PEPPER|SIGNING|ENCRYPTION|AUTH|JWT|SESSION).*(?:\|\||\?\?)\s*['"][^'"]+['"]/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Security-sensitive variable falls back to a hardcoded default when env var is missing",
+    remediation: "Throw an error if the env var is missing instead of falling back to a default. Use a startup validation check.",
+    references: ["CWE-1188"]
+  },
+  {
+    id: "SEC-DEF-002",
+    name: "TLS/SSL Disabled by Default",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /(?:tls|ssl|https|secure)\s*(?:=|:)\s*(?:false|config\??\.\w+\s*(?:\?\?|&&|\|\|)\s*false)/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs,go,py}",
+    message: "Security feature defaults to disabled; missing configuration degrades to insecure mode",
+    remediation: "Default security features to enabled (true). Require explicit opt-out, not opt-in.",
+    references: ["CWE-1188"]
+  },
+  {
+    id: "SEC-DEF-003",
+    name: "Swallowed Authentication/Authorization Error",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "low",
+    patterns: [
+      // Matches single-line empty catch: catch(e) { } or catch(e) { // ignore }
+      // Note: multi-line catch blocks are handled by AI review, not this rule
+      /catch\s*\([^)]*\)\s*\{\s*(?:\/\/\s*(?:ignore|skip|noop|todo)\b.*)?\s*\}/
+    ],
+    fileGlob: "**/*auth*.{ts,js,mjs,cjs},**/*session*.{ts,js,mjs,cjs},**/*token*.{ts,js,mjs,cjs}",
+    message: "Single-line empty catch block in authentication/authorization code may silently allow unauthorized access. Note: multi-line empty catch blocks are detected by AI review, not this mechanical rule.",
+    remediation: "Re-throw the error or return an explicit denial. Never silently swallow auth errors.",
+    references: ["CWE-754", "CWE-390"]
+  },
+  {
+    id: "SEC-DEF-004",
+    name: "Permissive CORS Fallback",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /(?:origin|cors)\s*(?:=|:)\s*(?:config|options|env)\??\.\w+\s*(?:\?\?|\|\|)\s*['"]\*/
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "CORS origin falls back to wildcard (*) when configuration is missing",
+    remediation: "Default to a restrictive origin list. Require explicit configuration for permissive CORS.",
+    references: ["CWE-942"]
+  },
+  {
+    id: "SEC-DEF-005",
+    name: "Rate Limiting Disabled by Default",
+    category: "insecure-defaults",
+    severity: "info",
+    confidence: "low",
+    patterns: [
+      /(?:rateLimit|rateLimiting|throttle)\s*(?:=|:)\s*(?:config|options|env)\??\.\w+\s*(?:\?\?|\|\|)\s*(?:false|0|null|undefined)/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Rate limiting defaults to disabled when configuration is missing",
+    remediation: "Default to a sensible rate limit. Require explicit opt-out for disabling.",
+    references: ["CWE-770"]
+  }
+];
+var sharpEdgesRules = [
+  // --- Deprecated Crypto APIs ---
+  {
+    id: "SEC-EDGE-001",
+    name: "Deprecated createCipher API",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/crypto\.createCipher\s*\(/],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "crypto.createCipher is deprecated \u2014 uses weak key derivation (no IV)",
+    remediation: "Use crypto.createCipheriv with a random IV and proper key derivation (scrypt/pbkdf2)",
+    references: ["CWE-327"]
+  },
+  {
+    id: "SEC-EDGE-002",
+    name: "Deprecated createDecipher API",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/crypto\.createDecipher\s*\(/],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "crypto.createDecipher is deprecated \u2014 uses weak key derivation (no IV)",
+    remediation: "Use crypto.createDecipheriv with the same IV used for encryption",
+    references: ["CWE-327"]
+  },
+  {
+    id: "SEC-EDGE-003",
+    name: "ECB Mode Selection",
+    category: "sharp-edges",
+    severity: "warning",
+    confidence: "high",
+    patterns: [/-ecb['"]/],
+    fileGlob: "**/*.{ts,js,mjs,cjs,go,py}",
+    message: "ECB mode does not provide semantic security \u2014 identical plaintext blocks produce identical ciphertext",
+    remediation: "Use CBC, CTR, or GCM mode instead of ECB",
+    references: ["CWE-327"]
+  },
+  // --- Unsafe Deserialization ---
+  {
+    id: "SEC-EDGE-004",
+    name: "yaml.load Without Safe Loader",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [
+      /yaml\.load\s*\(/
+      // Python: yaml.load() without SafeLoader
+    ],
+    fileGlob: "**/*.py",
+    message: "yaml.load() executes arbitrary Python objects \u2014 use yaml.safe_load() instead",
+    remediation: "Replace yaml.load() with yaml.safe_load() or yaml.load(data, Loader=SafeLoader). Note: this rule will flag yaml.load(data, Loader=SafeLoader) \u2014 suppress with # harness-ignore SEC-EDGE-004: safe usage with SafeLoader",
+    references: ["CWE-502"]
+  },
+  {
+    id: "SEC-EDGE-005",
+    name: "Pickle/Marshal Deserialization",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/pickle\.loads?\s*\(/, /marshal\.loads?\s*\(/],
+    fileGlob: "**/*.py",
+    message: "pickle/marshal deserialization executes arbitrary code \u2014 never use on untrusted data",
+    remediation: "Use JSON, MessagePack, or Protocol Buffers for untrusted data serialization",
+    references: ["CWE-502"]
+  },
+  // --- TOCTOU (Time-of-Check to Time-of-Use) ---
+  {
+    id: "SEC-EDGE-006",
+    name: "Check-Then-Act File Operation",
+    category: "sharp-edges",
+    severity: "warning",
+    confidence: "medium",
+    // Patterns use .{0,N} since scanner matches single lines only (no multiline mode)
+    patterns: [
+      /(?:existsSync|accessSync|statSync)\s*\([^)]+\).{0,50}(?:readFileSync|writeFileSync|unlinkSync|mkdirSync)\s*\(/
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Check-then-act pattern on filesystem is vulnerable to TOCTOU race conditions",
+    remediation: "Use the operation directly and handle ENOENT/EEXIST errors instead of checking first",
+    references: ["CWE-367"]
+  },
+  {
+    id: "SEC-EDGE-007",
+    name: "Check-Then-Act File Operation (Async)",
+    category: "sharp-edges",
+    severity: "warning",
+    confidence: "medium",
+    // Uses .{0,N} since scanner matches single lines only (no multiline mode)
+    patterns: [/(?:access|stat)\s*\([^)]+\).{0,80}(?:readFile|writeFile|unlink|mkdir)\s*\(/],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Async check-then-act pattern on filesystem is vulnerable to TOCTOU race conditions",
+    remediation: "Use the operation directly with try/catch instead of checking existence first",
+    references: ["CWE-367"]
+  },
+  // --- Stringly-Typed Security ---
+  {
+    id: "SEC-EDGE-008",
+    name: 'JWT Algorithm "none"',
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [
+      /algorithm[s]?\s*[:=]\s*\[?\s*['"]none['"]/i,
+      /alg(?:orithm)?\s*[:=]\s*['"]none['"]/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: 'JWT "none" algorithm disables signature verification entirely',
+    remediation: 'Specify an explicit algorithm (e.g., "HS256", "RS256") and set algorithms allowlist in verify options',
+    references: ["CWE-345"]
+  },
+  {
+    id: "SEC-EDGE-009",
+    name: "DES/RC4 Algorithm Selection",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/['"]\s*(?:des|des-ede|des-ede3|des3|rc4|rc2|blowfish)\s*['"]/i],
+    fileGlob: "**/*.{ts,js,mjs,cjs,go,py}",
+    message: "Weak/deprecated cipher algorithm selected \u2014 DES, RC4, RC2, and Blowfish are broken or deprecated",
+    remediation: "Use AES-256-GCM or ChaCha20-Poly1305",
+    references: ["CWE-327"]
+  }
+];
+var nodeRules = [
+  {
+    id: "SEC-NODE-001",
+    name: "Prototype Pollution",
+    category: "injection",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /__proto__/,
+      /\bconstructor\s*\[/,
+      /\bprototype\s*\[/,
+      /Object\.assign\s*\(\s*\w+\s*,\s*(?:req|request|body|input|params|query)\b/
+    ],
+    stack: ["node"],
+    message: "Potential prototype pollution via __proto__, constructor, or Object.assign with untrusted input",
+    remediation: "Validate keys against a whitelist, use Object.create(null), or use Map instead of plain objects",
+    references: ["CWE-1321"]
+  },
+  {
+    id: "SEC-NODE-002",
+    name: "NoSQL Injection",
+    category: "injection",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /\.find\s*\(\s*\{[^}]*\$(?:gt|gte|lt|lte|ne|in|nin|regex|where|exists)/,
+      /\.find\s*\(\s*(?:req|request)\.(?:body|query|params)/
+    ],
+    stack: ["node"],
+    message: "Potential NoSQL injection: MongoDB query operators in user input",
+    remediation: "Sanitize input by stripping keys starting with $ before using in queries",
+    references: ["CWE-943"]
+  }
+];
+var expressRules = [
+  {
+    id: "SEC-EXPRESS-001",
+    name: "Missing Helmet",
+    category: "network",
+    severity: "info",
+    confidence: "low",
+    patterns: [/app\s*=\s*express\s*\(\)/],
+    stack: ["express"],
+    fileGlob: "**/app.{ts,js}",
+    message: "Express app initialization detected \u2014 ensure helmet middleware is applied for security headers",
+    remediation: "Add helmet middleware: app.use(helmet())",
+    references: ["CWE-693"]
+  },
+  {
+    id: "SEC-EXPRESS-002",
+    name: "Unprotected Route with Body Parsing",
+    category: "network",
+    severity: "info",
+    confidence: "low",
+    patterns: [/app\.(?:post|put|patch)\s*\([^)]*,\s*(?:req|request)\s*(?:,|\))/],
+    stack: ["express"],
+    message: "Express route accepts request body \u2014 ensure input validation and rate limiting are applied",
+    remediation: "Add express-rate-limit and validate request body with Zod/joi",
+    references: ["CWE-770"]
+  }
+];
+var reactRules = [
+  {
+    id: "SEC-REACT-001",
+    name: "Sensitive Data in Client Storage",
+    category: "secrets",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /localStorage\.setItem\s*\(\s*['"](?:token|jwt|auth|session|password|secret|key|credential)/i,
+      /sessionStorage\.setItem\s*\(\s*['"](?:token|jwt|auth|session|password|secret|key|credential)/i
+    ],
+    stack: ["react"],
+    message: "Storing sensitive data in browser storage is accessible to XSS attacks",
+    remediation: "Use httpOnly cookies for auth tokens instead of localStorage",
+    references: ["CWE-922"]
+  }
+];
+var goRules = [
+  {
+    id: "SEC-GO-001",
+    name: "Unsafe Pointer Usage",
+    category: "injection",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [/unsafe\.Pointer/],
+    stack: ["go"],
+    message: "unsafe.Pointer bypasses Go type safety",
+    remediation: "Avoid unsafe.Pointer unless absolutely necessary; document justification",
+    references: ["CWE-119"]
+  },
+  {
+    id: "SEC-GO-002",
     name: "Format String Injection",
     category: "injection",
     severity: "warning",
@@ -8079,6 +8904,14 @@ var goRules = [
     references: ["CWE-134"]
   }
 ];
+function parseHarnessIgnore(line, ruleId) {
+  if (!line.includes("harness-ignore")) return null;
+  if (!line.includes(ruleId)) return null;
+  const match = line.match(/(?:\/\/|#)\s*harness-ignore\s+(SEC-[A-Z]+-\d+)(?::\s*(.+))?/);
+  if (match?.[1] !== ruleId) return null;
+  const text = match[2]?.trim();
+  return { ruleId, justification: text || null };
+}
 var SecurityScanner = class {
   registry;
   config;
@@ -8093,7 +8926,11 @@ var SecurityScanner = class {
       ...cryptoRules,
       ...pathTraversalRules,
       ...networkRules,
-      ...deserializationRules
+      ...deserializationRules,
+      ...agentConfigRules,
+      ...mcpRules,
+      ...insecureDefaultsRules,
+      ...sharpEdgesRules
     ]);
     this.registry.registerAll([...nodeRules, ...expressRules, ...reactRules, ...goRules]);
     this.activeRules = this.registry.getAll();
@@ -8102,11 +8939,40 @@ var SecurityScanner = class {
     const stacks = detectStack(projectRoot);
     this.activeRules = this.registry.getForStacks(stacks.length > 0 ? stacks : []);
   }
+  /**
+   * Scan raw content against all active rules. Note: this method does NOT apply
+   * fileGlob filtering — every active rule is evaluated regardless of filePath.
+   * If you are scanning a specific file and want fileGlob-based rule filtering,
+   * use {@link scanFile} instead.
+   */
   scanContent(content, filePath, startLine = 1) {
     if (!this.config.enabled) return [];
-    const findings = [];
     const lines = content.split("\n");
-    for (const rule of this.activeRules) {
+    return this.scanLinesWithRules(lines, this.activeRules, filePath, startLine);
+  }
+  async scanFile(filePath) {
+    if (!this.config.enabled) return [];
+    const content = await fs18.readFile(filePath, "utf-8");
+    return this.scanContentForFile(content, filePath, 1);
+  }
+  scanContentForFile(content, filePath, startLine = 1) {
+    if (!this.config.enabled) return [];
+    const lines = content.split("\n");
+    const applicableRules = this.activeRules.filter((rule) => {
+      if (!rule.fileGlob) return true;
+      const globs = rule.fileGlob.split(",").map((g) => g.trim());
+      return globs.some((glob2) => minimatch4(filePath, glob2, { dot: true }));
+    });
+    return this.scanLinesWithRules(lines, applicableRules, filePath, startLine);
+  }
+  /**
+   * Core scanning loop shared by scanContent and scanContentForFile.
+   * Evaluates each rule against each line, handling suppression (FP gate)
+   * and pattern matching uniformly.
+   */
+  scanLinesWithRules(lines, rules, filePath, startLine) {
+    const findings = [];
+    for (const rule of rules) {
       const resolved = resolveRuleSeverity(
         rule.id,
         rule.severity,
@@ -8116,7 +8982,25 @@ var SecurityScanner = class {
       if (resolved === "off") continue;
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i] ?? "";
-        if (line.includes("harness-ignore") && line.includes(rule.id)) continue;
+        const suppressionMatch = parseHarnessIgnore(line, rule.id);
+        if (suppressionMatch) {
+          if (!suppressionMatch.justification) {
+            findings.push({
+              ruleId: rule.id,
+              ruleName: rule.name,
+              category: rule.category,
+              severity: this.config.strict ? "error" : "warning",
+              confidence: "high",
+              file: filePath,
+              line: startLine + i,
+              match: line.trim(),
+              context: line,
+              message: `Suppression of ${rule.id} requires justification: // harness-ignore ${rule.id}: <reason>`,
+              remediation: `Add justification after colon: // harness-ignore ${rule.id}: false positive because ...`
+            });
+          }
+          continue;
+        }
         for (const pattern of rule.patterns) {
           pattern.lastIndex = 0;
           if (pattern.test(line)) {
@@ -8141,31 +9025,426 @@ var SecurityScanner = class {
     }
     return findings;
   }
-  async scanFile(filePath) {
-    if (!this.config.enabled) return [];
-    const content = await fs17.readFile(filePath, "utf-8");
-    return this.scanContent(content, filePath, 1);
+  async scanFiles(filePaths) {
+    const allFindings = [];
+    let scannedCount = 0;
+    for (const filePath of filePaths) {
+      try {
+        const findings = await this.scanFile(filePath);
+        allFindings.push(...findings);
+        scannedCount++;
+      } catch {
+      }
+    }
+    return {
+      findings: allFindings,
+      scannedFiles: scannedCount,
+      rulesApplied: this.activeRules.length,
+      externalToolsUsed: [],
+      coverage: "baseline"
+    };
+  }
+};
+var hiddenUnicodePatterns = [
+  {
+    ruleId: "INJ-UNI-001",
+    severity: "high",
+    category: "hidden-unicode",
+    description: "Zero-width characters that can hide malicious instructions",
+    // eslint-disable-next-line no-misleading-character-class -- intentional: regex detects zero-width chars for security scanning
+    pattern: /[\u200B\u200C\u200D\uFEFF\u2060]/
+  },
+  {
+    ruleId: "INJ-UNI-002",
+    severity: "high",
+    category: "hidden-unicode",
+    description: "RTL/LTR override characters that can disguise text direction",
+    pattern: /[\u202A-\u202E\u2066-\u2069]/
+  }
+];
+var reRolingPatterns = [
+  {
+    ruleId: "INJ-REROL-001",
+    severity: "high",
+    category: "explicit-re-roling",
+    description: "Instruction to ignore/disregard/forget previous instructions",
+    pattern: /(?:ignore|disregard|forget)\s+(?:all\s+)?(?:previous|prior|above|earlier)\s+(?:instructions?|prompts?|context|rules?|guidelines?)/i
+  },
+  {
+    ruleId: "INJ-REROL-002",
+    severity: "high",
+    category: "explicit-re-roling",
+    description: "Attempt to reassign the AI role",
+    pattern: /you\s+are\s+now\s+(?:a\s+|an\s+)?(?:new\s+)?(?:helpful\s+)?(?:my\s+)?(?:\w+\s+)?(?:assistant|agent|AI|bot|chatbot|system|persona)\b/i
+  },
+  {
+    ruleId: "INJ-REROL-003",
+    severity: "high",
+    category: "explicit-re-roling",
+    description: "Direct instruction override attempt",
+    pattern: /(?:new\s+)?(?:system\s+)?(?:instruction|directive|role|persona)\s*[:=]\s*/i
+  }
+];
+var permissionEscalationPatterns = [
+  {
+    ruleId: "INJ-PERM-001",
+    severity: "high",
+    category: "permission-escalation",
+    description: "Attempt to enable all tools or grant unrestricted access",
+    pattern: /(?:allow|enable|grant)\s+all\s+(?:tools?|permissions?|access)/i
+  },
+  {
+    ruleId: "INJ-PERM-002",
+    severity: "high",
+    category: "permission-escalation",
+    description: "Attempt to disable safety or security features",
+    pattern: /(?:disable|turn\s+off|remove|bypass)\s+(?:all\s+)?(?:safety|security|restrictions?|guardrails?|protections?|checks?)/i
+  },
+  {
+    ruleId: "INJ-PERM-003",
+    severity: "high",
+    category: "permission-escalation",
+    description: "Auto-approve directive that bypasses human review",
+    pattern: /(?:auto[- ]?approve|--no-verify|--dangerously-skip-permissions)/i
+  }
+];
+var encodedPayloadPatterns = [
+  {
+    ruleId: "INJ-ENC-001",
+    severity: "high",
+    category: "encoded-payloads",
+    description: "Base64-encoded string long enough to contain instructions (>=28 chars)",
+    // Match base64 strings of 28+ chars (7+ groups of 4).
+    // Excludes JWT tokens (eyJ prefix) and Bearer-prefixed tokens.
+    pattern: /(?<!Bearer\s)(?<![:])(?<![A-Za-z0-9/])(?!eyJ)(?:[A-Za-z0-9+/]{4}){7,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?(?![A-Za-z0-9/])/
+  },
+  {
+    ruleId: "INJ-ENC-002",
+    severity: "high",
+    category: "encoded-payloads",
+    description: "Hex-encoded string long enough to contain directives (>=20 hex chars)",
+    // Excludes hash-prefixed hex (sha256:, sha512:, md5:, etc.) and hex preceded by 0x.
+    // Note: 40-char git SHA hashes (e.g. in `git log` output) may match — downstream
+    // callers should filter matches of exactly 40 hex chars if scanning git output.
+    pattern: /(?<![:x])(?<![A-Fa-f0-9])(?:[0-9a-fA-F]{2}){10,}(?![A-Fa-f0-9])/
+  }
+];
+var indirectInjectionPatterns = [
+  {
+    ruleId: "INJ-IND-001",
+    severity: "medium",
+    category: "indirect-injection",
+    description: "Instruction to influence future responses",
+    pattern: /(?:when\s+the\s+user\s+asks|if\s+(?:the\s+user|someone|anyone)\s+asks)\s*,?\s*(?:say|respond|reply|answer|tell)/i
+  },
+  {
+    ruleId: "INJ-IND-002",
+    severity: "medium",
+    category: "indirect-injection",
+    description: "Directive to include content in responses",
+    pattern: /(?:include|insert|add|embed|put)\s+(?:this|the\s+following)\s+(?:in|into|to)\s+(?:your|the)\s+(?:response|output|reply|answer)/i
+  },
+  {
+    ruleId: "INJ-IND-003",
+    severity: "medium",
+    category: "indirect-injection",
+    description: "Standing instruction to always respond a certain way",
+    pattern: /always\s+(?:respond|reply|answer|say|output)\s+(?:with|that|by)/i
+  }
+];
+var contextManipulationPatterns = [
+  {
+    ruleId: "INJ-CTX-001",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Claim about system prompt content",
+    pattern: /(?:the\s+)?(?:system\s+prompt|system\s+message|hidden\s+instructions?)\s+(?:says?|tells?|instructs?|contains?|is)/i
+  },
+  {
+    ruleId: "INJ-CTX-002",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Claim about AI instructions",
+    pattern: /your\s+(?:instructions?|directives?|guidelines?|rules?)\s+(?:are|say|tell|state)/i
+  },
+  {
+    ruleId: "INJ-CTX-003",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Fake XML/HTML system or instruction tags",
+    // Case-sensitive: only match lowercase tags to avoid false positives on
+    // React components like <User>, <Context>, <Role> etc.
+    pattern: /<\/?(?:system|instruction|prompt|role|context|tool_call|function_call|assistant|human|user)[^>]*>/
+  },
+  {
+    ruleId: "INJ-CTX-004",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Fake JSON role assignment mimicking chat format",
+    pattern: /[{,]\s*"role"\s*:\s*"(?:system|assistant|function)"/i
+  }
+];
+var socialEngineeringPatterns = [
+  {
+    ruleId: "INJ-SOC-001",
+    severity: "medium",
+    category: "social-engineering",
+    description: "Urgency pressure to bypass checks",
+    pattern: /(?:this\s+is\s+(?:very\s+)?urgent|this\s+is\s+(?:an?\s+)?emergency|do\s+(?:this|it)\s+(?:now|immediately))\b/i
+  },
+  {
+    ruleId: "INJ-SOC-002",
+    severity: "medium",
+    category: "social-engineering",
+    description: "False authority claim",
+    pattern: /(?:the\s+)?(?:admin|administrator|manager|CEO|CTO|owner|supervisor)\s+(?:authorized|approved|said|told|confirmed|requested)/i
+  },
+  {
+    ruleId: "INJ-SOC-003",
+    severity: "medium",
+    category: "social-engineering",
+    description: "Testing pretext to bypass safety",
+    pattern: /(?:for\s+testing\s+purposes?|this\s+is\s+(?:just\s+)?a\s+test|in\s+test\s+mode)\b/i
+  }
+];
+var suspiciousPatterns = [
+  {
+    ruleId: "INJ-SUS-001",
+    severity: "low",
+    category: "suspicious-patterns",
+    description: "Excessive consecutive whitespace (>10 chars) mid-line that may hide content",
+    // Only match whitespace runs not at the start of a line (indentation is normal)
+    pattern: /\S\s{11,}/
+  },
+  {
+    ruleId: "INJ-SUS-002",
+    severity: "low",
+    category: "suspicious-patterns",
+    description: "Repeated delimiters (>5) that may indicate obfuscation",
+    pattern: /([|;,=\-_~`])\1{5,}/
+  },
+  {
+    ruleId: "INJ-SUS-003",
+    severity: "low",
+    category: "suspicious-patterns",
+    description: "Mathematical alphanumeric symbols used as Latin character substitutes",
+    // Mathematical bold/italic/script Unicode ranges (U+1D400-U+1D7FF)
+    pattern: /[\uD835][\uDC00-\uDFFF]/
+  }
+];
+var ALL_PATTERNS = [
+  ...hiddenUnicodePatterns,
+  ...reRolingPatterns,
+  ...permissionEscalationPatterns,
+  ...encodedPayloadPatterns,
+  ...indirectInjectionPatterns,
+  ...contextManipulationPatterns,
+  ...socialEngineeringPatterns,
+  ...suspiciousPatterns
+];
+function scanForInjection(text) {
+  const findings = [];
+  const lines = text.split("\n");
+  for (let lineIdx = 0; lineIdx < lines.length; lineIdx++) {
+    const line = lines[lineIdx];
+    for (const rule of ALL_PATTERNS) {
+      if (rule.pattern.test(line)) {
+        findings.push({
+          severity: rule.severity,
+          ruleId: rule.ruleId,
+          match: line.trim(),
+          line: lineIdx + 1
+        });
+      }
+    }
+  }
+  const severityOrder = {
+    high: 0,
+    medium: 1,
+    low: 2
+  };
+  findings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+  return findings;
+}
+function getInjectionPatterns() {
+  return ALL_PATTERNS;
+}
+var DESTRUCTIVE_BASH = [
+  /\bgit\s+push\b/,
+  /\bgit\s+commit\b/,
+  /\brm\s+-rf?\b/,
+  /\brm\s+-r\b/
+];
+var TAINT_DURATION_MS = 30 * 60 * 1e3;
+var DEFAULT_SESSION_ID = "default";
+function getTaintFilePath(projectRoot, sessionId) {
+  const id = sessionId || DEFAULT_SESSION_ID;
+  return join21(projectRoot, ".harness", `session-taint-${id}.json`);
+}
+function readTaint(projectRoot, sessionId) {
+  const filePath = getTaintFilePath(projectRoot, sessionId);
+  let content;
+  try {
+    content = readFileSync142(filePath, "utf8");
+  } catch {
+    return null;
+  }
+  let state;
+  try {
+    state = JSON.parse(content);
+  } catch {
+    try {
+      unlinkSync(filePath);
+    } catch {
+    }
+    return null;
+  }
+  if (!state.sessionId || !state.taintedAt || !state.expiresAt || !state.findings) {
+    try {
+      unlinkSync(filePath);
+    } catch {
+    }
+    return null;
+  }
+  return state;
+}
+function checkTaint(projectRoot, sessionId) {
+  const state = readTaint(projectRoot, sessionId);
+  if (!state) {
+    return { tainted: false, expired: false, state: null };
+  }
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(state.expiresAt);
+  if (now >= expiresAt) {
+    const filePath = getTaintFilePath(projectRoot, sessionId);
+    try {
+      unlinkSync(filePath);
+    } catch {
+    }
+    return { tainted: false, expired: true, state };
+  }
+  return { tainted: true, expired: false, state };
+}
+function writeTaint(projectRoot, sessionId, reason, findings, source) {
+  const id = sessionId || DEFAULT_SESSION_ID;
+  const filePath = getTaintFilePath(projectRoot, id);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const dir = dirname8(filePath);
+  mkdirSync11(dir, { recursive: true });
+  const existing = readTaint(projectRoot, id);
+  const maxSeverity = findings.some((f) => f.severity === "high") ? "high" : "medium";
+  const taintFindings = findings.map((f) => ({
+    ruleId: f.ruleId,
+    severity: f.severity,
+    match: f.match,
+    source,
+    detectedAt: now
+  }));
+  const state = {
+    sessionId: id,
+    taintedAt: existing?.taintedAt || now,
+    expiresAt: new Date(Date.now() + TAINT_DURATION_MS).toISOString(),
+    reason,
+    severity: existing?.severity === "high" || maxSeverity === "high" ? "high" : "medium",
+    findings: [...existing?.findings || [], ...taintFindings]
+  };
+  writeFileSync11(filePath, JSON.stringify(state, null, 2) + "\n");
+  return state;
+}
+function clearTaint(projectRoot, sessionId) {
+  if (sessionId) {
+    const filePath = getTaintFilePath(projectRoot, sessionId);
+    try {
+      unlinkSync(filePath);
+      return 1;
+    } catch {
+      return 0;
+    }
+  }
+  const harnessDir = join21(projectRoot, ".harness");
+  let count = 0;
+  try {
+    const files = readdirSync3(harnessDir);
+    for (const file of files) {
+      if (file.startsWith("session-taint-") && file.endsWith(".json")) {
+        try {
+          unlinkSync(join21(harnessDir, file));
+          count++;
+        } catch {
+        }
+      }
+    }
+  } catch {
+  }
+  return count;
+}
+function listTaintedSessions(projectRoot) {
+  const harnessDir = join21(projectRoot, ".harness");
+  const sessions = [];
+  try {
+    const files = readdirSync3(harnessDir);
+    for (const file of files) {
+      if (file.startsWith("session-taint-") && file.endsWith(".json")) {
+        const sessionId = file.replace("session-taint-", "").replace(".json", "");
+        const result = checkTaint(projectRoot, sessionId);
+        if (result.tainted) {
+          sessions.push(sessionId);
+        }
+      }
+    }
+  } catch {
+  }
+  return sessions;
+}
+function mapSecuritySeverity(severity) {
+  if (severity === "error") return "high";
+  if (severity === "warning") return "medium";
+  return "low";
+}
+function computeOverallSeverity(findings) {
+  if (findings.length === 0) return "clean";
+  if (findings.some((f) => f.severity === "high")) return "high";
+  if (findings.some((f) => f.severity === "medium")) return "medium";
+  return "low";
+}
+function computeScanExitCode(results) {
+  for (const r of results) {
+    if (r.overallSeverity === "high") return 2;
   }
-  async scanFiles(filePaths) {
-    const allFindings = [];
-    let scannedCount = 0;
-    for (const filePath of filePaths) {
-      try {
-        const findings = await this.scanFile(filePath);
-        allFindings.push(...findings);
-        scannedCount++;
-      } catch {
-      }
+  for (const r of results) {
+    if (r.overallSeverity === "medium") return 1;
+  }
+  return 0;
+}
+function mapInjectionFindings(injectionFindings) {
+  return injectionFindings.map((f) => ({
+    ruleId: f.ruleId,
+    severity: f.severity,
+    message: `Injection pattern detected: ${f.ruleId}`,
+    match: f.match,
+    ...f.line !== void 0 ? { line: f.line } : {}
+  }));
+}
+function isDuplicateFinding(existing, secFinding) {
+  return existing.some(
+    (e) => e.line === secFinding.line && e.match === secFinding.match.trim() && e.ruleId.split("-")[0] === secFinding.ruleId.split("-")[0]
+  );
+}
+function mapSecurityFindings(secFindings, existing) {
+  const result = [];
+  for (const f of secFindings) {
+    if (!isDuplicateFinding(existing, f)) {
+      result.push({
+        ruleId: f.ruleId,
+        severity: mapSecuritySeverity(f.severity),
+        message: f.message,
+        match: f.match,
+        ...f.line !== void 0 ? { line: f.line } : {}
+      });
     }
-    return {
-      findings: allFindings,
-      scannedFiles: scannedCount,
-      rulesApplied: this.activeRules.length,
-      externalToolsUsed: [],
-      coverage: "baseline"
-    };
   }
-};
+  return result;
+}
 var ALL_CHECKS = [
   "validate",
   "deps",
@@ -8178,7 +9457,7 @@ var ALL_CHECKS = [
 ];
 async function runValidateCheck(projectRoot, config) {
   const issues = [];
-  const agentsPath = path14.join(projectRoot, config.agentsMapPath ?? "AGENTS.md");
+  const agentsPath = path15.join(projectRoot, config.agentsMapPath ?? "AGENTS.md");
   const result = await validateAgentsMap(agentsPath);
   if (!result.ok) {
     issues.push({ severity: "error", message: result.error.message });
@@ -8235,7 +9514,7 @@ async function runDepsCheck(projectRoot, config) {
 }
 async function runDocsCheck(projectRoot, config) {
   const issues = [];
-  const docsDir = path14.join(projectRoot, config.docsDir ?? "docs");
+  const docsDir = path15.join(projectRoot, config.docsDir ?? "docs");
   const entropyConfig = config.entropy || {};
   const result = await checkDocCoverage("project", {
     docsDir,
@@ -8347,7 +9626,7 @@ async function runPerfCheck(projectRoot, config) {
     if (perfReport.complexity) {
       for (const v of perfReport.complexity.violations) {
         issues.push({
-          severity: v.severity === "info" ? "warning" : v.severity,
+          severity: "warning",
           message: `[Tier ${v.tier}] ${v.metric}: ${v.function} in ${v.file} (${v.value} > ${v.threshold})`,
           file: v.file,
           line: v.line
@@ -8522,7 +9801,7 @@ async function runMechanicalChecks(options) {
   };
   if (!skip.includes("validate")) {
     try {
-      const agentsPath = path15.join(projectRoot, config.agentsMapPath ?? "AGENTS.md");
+      const agentsPath = path16.join(projectRoot, config.agentsMapPath ?? "AGENTS.md");
       const result = await validateAgentsMap(agentsPath);
       if (!result.ok) {
         statuses.validate = "fail";
@@ -8559,7 +9838,7 @@ async function runMechanicalChecks(options) {
       statuses.validate = "fail";
       findings.push({
         tool: "validate",
-        file: path15.join(projectRoot, "AGENTS.md"),
+        file: path16.join(projectRoot, "AGENTS.md"),
         message: err instanceof Error ? err.message : String(err),
         severity: "error"
       });
@@ -8623,7 +9902,7 @@ async function runMechanicalChecks(options) {
       (async () => {
         const localFindings = [];
         try {
-          const docsDir = path15.join(projectRoot, config.docsDir ?? "docs");
+          const docsDir = path16.join(projectRoot, config.docsDir ?? "docs");
           const result = await checkDocCoverage("project", { docsDir });
           if (!result.ok) {
             statuses["check-docs"] = "warn";
@@ -8650,7 +9929,7 @@ async function runMechanicalChecks(options) {
           statuses["check-docs"] = "warn";
           localFindings.push({
             tool: "check-docs",
-            file: path15.join(projectRoot, "docs"),
+            file: path16.join(projectRoot, "docs"),
             message: err instanceof Error ? err.message : String(err),
             severity: "warning"
           });
@@ -8799,18 +10078,18 @@ function computeContextBudget(diffLines) {
   return diffLines;
 }
 function isWithinProject(absPath, projectRoot) {
-  const resolvedRoot = path16.resolve(projectRoot) + path16.sep;
-  const resolvedPath = path16.resolve(absPath);
-  return resolvedPath.startsWith(resolvedRoot) || resolvedPath === path16.resolve(projectRoot);
+  const resolvedRoot = path17.resolve(projectRoot) + path17.sep;
+  const resolvedPath = path17.resolve(absPath);
+  return resolvedPath.startsWith(resolvedRoot) || resolvedPath === path17.resolve(projectRoot);
 }
 async function readContextFile(projectRoot, filePath, reason) {
-  const absPath = path16.isAbsolute(filePath) ? filePath : path16.join(projectRoot, filePath);
+  const absPath = path17.isAbsolute(filePath) ? filePath : path17.join(projectRoot, filePath);
   if (!isWithinProject(absPath, projectRoot)) return null;
   const result = await readFileContent(absPath);
   if (!result.ok) return null;
   const content = result.value;
   const lines = content.split("\n").length;
-  const relPath = path16.isAbsolute(filePath) ? relativePosix(projectRoot, filePath) : filePath;
+  const relPath = path17.isAbsolute(filePath) ? relativePosix(projectRoot, filePath) : filePath;
   return { path: relPath, content, reason, lines };
 }
 function extractImportSources2(content) {
@@ -8825,18 +10104,18 @@ function extractImportSources2(content) {
 }
 async function resolveImportPath2(projectRoot, fromFile, importSource) {
   if (!importSource.startsWith(".")) return null;
-  const fromDir = path16.dirname(path16.join(projectRoot, fromFile));
-  const basePath = path16.resolve(fromDir, importSource);
+  const fromDir = path17.dirname(path17.join(projectRoot, fromFile));
+  const basePath = path17.resolve(fromDir, importSource);
   if (!isWithinProject(basePath, projectRoot)) return null;
   const relBase = relativePosix(projectRoot, basePath);
   const candidates = [
     relBase + ".ts",
     relBase + ".tsx",
     relBase + ".mts",
-    path16.join(relBase, "index.ts")
+    path17.join(relBase, "index.ts")
   ];
   for (const candidate of candidates) {
-    const absCandidate = path16.join(projectRoot, candidate);
+    const absCandidate = path17.join(projectRoot, candidate);
     if (await fileExists(absCandidate)) {
       return candidate;
     }
@@ -8844,7 +10123,7 @@ async function resolveImportPath2(projectRoot, fromFile, importSource) {
   return null;
 }
 async function findTestFiles(projectRoot, sourceFile) {
-  const baseName = path16.basename(sourceFile, path16.extname(sourceFile));
+  const baseName = path17.basename(sourceFile, path17.extname(sourceFile));
   const pattern = `**/${baseName}.{test,spec}.{ts,tsx,mts}`;
   const results = await findFiles(pattern, projectRoot);
   return results.map((f) => relativePosix(projectRoot, f));
@@ -9657,7 +10936,7 @@ function normalizePath(filePath, projectRoot) {
   let normalized = filePath;
   normalized = normalized.replace(/\\/g, "/");
   const normalizedRoot = projectRoot.replace(/\\/g, "/");
-  if (path17.isAbsolute(normalized)) {
+  if (path18.isAbsolute(normalized)) {
     const root = normalizedRoot.endsWith("/") ? normalizedRoot : normalizedRoot + "/";
     if (normalized.startsWith(root)) {
       normalized = normalized.slice(root.length);
@@ -9682,12 +10961,12 @@ function followImportChain(fromFile, fileContents, maxDepth = 2) {
     while ((match = importRegex.exec(content)) !== null) {
       const importPath = match[1];
       if (!importPath.startsWith(".")) continue;
-      const dir = path17.dirname(current.file);
-      let resolved = path17.join(dir, importPath).replace(/\\/g, "/");
+      const dir = path18.dirname(current.file);
+      let resolved = path18.join(dir, importPath).replace(/\\/g, "/");
       if (!resolved.match(/\.(ts|tsx|js|jsx)$/)) {
         resolved += ".ts";
       }
-      resolved = path17.normalize(resolved).replace(/\\/g, "/");
+      resolved = path18.normalize(resolved).replace(/\\/g, "/");
       if (!visited.has(resolved) && current.depth + 1 <= maxDepth) {
         queue.push({ file: resolved, depth: current.depth + 1 });
       }
@@ -9704,7 +10983,7 @@ async function validateFindings(options) {
     if (exclusionSet.isExcluded(normalizedFile, finding.lineRange) || exclusionSet.isExcluded(finding.file, finding.lineRange)) {
       continue;
     }
-    const absoluteFile = path17.isAbsolute(finding.file) ? finding.file : path17.join(projectRoot, finding.file).replace(/\\/g, "/");
+    const absoluteFile = path18.isAbsolute(finding.file) ? finding.file : path18.join(projectRoot, finding.file).replace(/\\/g, "/");
     if (exclusionSet.isExcluded(absoluteFile, finding.lineRange)) {
       continue;
     }
@@ -10313,7 +11592,7 @@ function parseRoadmap(markdown) {
   if (!fmMatch) {
     return Err(new Error("Missing or malformed YAML frontmatter"));
   }
-  const fmResult = parseFrontmatter(fmMatch[1]);
+  const fmResult = parseFrontmatter2(fmMatch[1]);
   if (!fmResult.ok) return fmResult;
   const body = markdown.slice(fmMatch[0].length);
   const milestonesResult = parseMilestones(body);
@@ -10323,7 +11602,7 @@ function parseRoadmap(markdown) {
     milestones: milestonesResult.value
   });
 }
-function parseFrontmatter(raw) {
+function parseFrontmatter2(raw) {
   const lines = raw.split("\n");
   const map = /* @__PURE__ */ new Map();
   for (const line of lines) {
@@ -10498,10 +11777,10 @@ function inferStatus(feature, projectPath, allFeatures) {
   const featuresWithPlans = allFeatures.filter((f) => f.plans.length > 0);
   const useRootState = featuresWithPlans.length <= 1;
   if (useRootState) {
-    const rootStatePath = path18.join(projectPath, ".harness", "state.json");
-    if (fs18.existsSync(rootStatePath)) {
+    const rootStatePath = path19.join(projectPath, ".harness", "state.json");
+    if (fs19.existsSync(rootStatePath)) {
       try {
-        const raw = fs18.readFileSync(rootStatePath, "utf-8");
+        const raw = fs19.readFileSync(rootStatePath, "utf-8");
         const state = JSON.parse(raw);
         if (state.progress) {
           for (const status of Object.values(state.progress)) {
@@ -10512,16 +11791,16 @@ function inferStatus(feature, projectPath, allFeatures) {
       }
     }
   }
-  const sessionsDir = path18.join(projectPath, ".harness", "sessions");
-  if (fs18.existsSync(sessionsDir)) {
+  const sessionsDir = path19.join(projectPath, ".harness", "sessions");
+  if (fs19.existsSync(sessionsDir)) {
     try {
-      const sessionDirs = fs18.readdirSync(sessionsDir, { withFileTypes: true });
+      const sessionDirs = fs19.readdirSync(sessionsDir, { withFileTypes: true });
       for (const entry of sessionDirs) {
         if (!entry.isDirectory()) continue;
-        const autopilotPath = path18.join(sessionsDir, entry.name, "autopilot-state.json");
-        if (!fs18.existsSync(autopilotPath)) continue;
+        const autopilotPath = path19.join(sessionsDir, entry.name, "autopilot-state.json");
+        if (!fs19.existsSync(autopilotPath)) continue;
         try {
-          const raw = fs18.readFileSync(autopilotPath, "utf-8");
+          const raw = fs19.readFileSync(autopilotPath, "utf-8");
           const autopilot = JSON.parse(raw);
           if (!autopilot.phases) continue;
           const linkedPhases = autopilot.phases.filter(
@@ -10551,17 +11830,26 @@ function inferStatus(feature, projectPath, allFeatures) {
   if (anyStarted) return "in-progress";
   return null;
 }
+var STATUS_RANK = {
+  backlog: 0,
+  planned: 1,
+  blocked: 1,
+  // lateral to planned — sync can move to/from blocked freely
+  "in-progress": 2,
+  done: 3
+};
+function isRegression(from, to) {
+  return STATUS_RANK[to] < STATUS_RANK[from];
+}
 function syncRoadmap(options) {
   const { projectPath, roadmap, forceSync } = options;
-  const isManuallyEdited = new Date(roadmap.frontmatter.lastManualEdit) > new Date(roadmap.frontmatter.lastSynced);
-  const skipOverride = isManuallyEdited && !forceSync;
   const allFeatures = roadmap.milestones.flatMap((m) => m.features);
   const changes = [];
   for (const feature of allFeatures) {
-    if (skipOverride) continue;
     const inferred = inferStatus(feature, projectPath, allFeatures);
     if (inferred === null) continue;
     if (inferred === feature.status) continue;
+    if (!forceSync && isRegression(feature.status, inferred)) continue;
     changes.push({
       feature: feature.name,
       from: feature.status,
@@ -10570,28 +11858,40 @@ function syncRoadmap(options) {
   }
   return Ok(changes);
 }
-var InteractionTypeSchema = z6.enum(["question", "confirmation", "transition"]);
-var QuestionSchema = z6.object({
-  text: z6.string(),
-  options: z6.array(z6.string()).optional(),
-  default: z6.string().optional()
+function applySyncChanges(roadmap, changes) {
+  for (const change of changes) {
+    for (const m of roadmap.milestones) {
+      const feature = m.features.find((f) => f.name.toLowerCase() === change.feature.toLowerCase());
+      if (feature) {
+        feature.status = change.to;
+        break;
+      }
+    }
+  }
+  roadmap.frontmatter.lastSynced = (/* @__PURE__ */ new Date()).toISOString();
+}
+var InteractionTypeSchema = z7.enum(["question", "confirmation", "transition"]);
+var QuestionSchema = z7.object({
+  text: z7.string(),
+  options: z7.array(z7.string()).optional(),
+  default: z7.string().optional()
 });
-var ConfirmationSchema = z6.object({
-  text: z6.string(),
-  context: z6.string()
+var ConfirmationSchema = z7.object({
+  text: z7.string(),
+  context: z7.string()
 });
-var TransitionSchema = z6.object({
-  completedPhase: z6.string(),
-  suggestedNext: z6.string(),
-  reason: z6.string(),
-  artifacts: z6.array(z6.string()),
-  requiresConfirmation: z6.boolean(),
-  summary: z6.string()
+var TransitionSchema = z7.object({
+  completedPhase: z7.string(),
+  suggestedNext: z7.string(),
+  reason: z7.string(),
+  artifacts: z7.array(z7.string()),
+  requiresConfirmation: z7.boolean(),
+  summary: z7.string()
 });
-var EmitInteractionInputSchema = z6.object({
-  path: z6.string(),
+var EmitInteractionInputSchema = z7.object({
+  path: z7.string(),
   type: InteractionTypeSchema,
-  stream: z6.string().optional(),
+  stream: z7.string().optional(),
   question: QuestionSchema.optional(),
   confirmation: ConfirmationSchema.optional(),
   transition: TransitionSchema.optional()
@@ -10601,10 +11901,10 @@ var ProjectScanner = class {
     this.rootDir = rootDir;
   }
   async scan() {
-    let projectName = path19.basename(this.rootDir);
+    let projectName = path20.basename(this.rootDir);
     try {
-      const pkgPath = path19.join(this.rootDir, "package.json");
-      const pkgRaw = await fs19.readFile(pkgPath, "utf-8");
+      const pkgPath = path20.join(this.rootDir, "package.json");
+      const pkgRaw = await fs20.readFile(pkgPath, "utf-8");
       const pkg = JSON.parse(pkgRaw);
       if (pkg.name) projectName = pkg.name;
     } catch {
@@ -10717,13 +12017,13 @@ var BlueprintGenerator = class {
       styles: STYLES,
       scripts: SCRIPTS
     });
-    await fs20.mkdir(options.outputDir, { recursive: true });
-    await fs20.writeFile(path20.join(options.outputDir, "index.html"), html);
+    await fs21.mkdir(options.outputDir, { recursive: true });
+    await fs21.writeFile(path21.join(options.outputDir, "index.html"), html);
   }
 };
 function getStatePath() {
   const home = process.env["HOME"] || os.homedir();
-  return path21.join(home, ".harness", "update-check.json");
+  return path22.join(home, ".harness", "update-check.json");
 }
 function isUpdateCheckEnabled(configInterval) {
   if (process.env["HARNESS_NO_UPDATE_CHECK"] === "1") return false;
@@ -10736,7 +12036,7 @@ function shouldRunCheck(state, intervalMs) {
 }
 function readCheckState() {
   try {
-    const raw = fs21.readFileSync(getStatePath(), "utf-8");
+    const raw = fs22.readFileSync(getStatePath(), "utf-8");
     const parsed = JSON.parse(raw);
     if (typeof parsed === "object" && parsed !== null && "lastCheckTime" in parsed && typeof parsed.lastCheckTime === "number" && "currentVersion" in parsed && typeof parsed.currentVersion === "string") {
       const state = parsed;
@@ -10753,7 +12053,7 @@ function readCheckState() {
 }
 function spawnBackgroundCheck(currentVersion) {
   const statePath = getStatePath();
-  const stateDir = path21.dirname(statePath);
+  const stateDir = path22.dirname(statePath);
   const script = `
 const { execSync } = require('child_process');
 const fs = require('fs');
@@ -10805,7 +12105,858 @@ function getUpdateNotification(currentVersion) {
   return `Update available: v${currentVersion} -> v${state.latestVersion}
 Run "harness update" to upgrade.`;
 }
-var VERSION = "0.14.0";
+var EXTENSION_MAP = {
+  ".ts": "typescript",
+  ".tsx": "typescript",
+  ".mts": "typescript",
+  ".cts": "typescript",
+  ".js": "javascript",
+  ".jsx": "javascript",
+  ".mjs": "javascript",
+  ".cjs": "javascript",
+  ".py": "python"
+};
+function detectLanguage(filePath) {
+  const ext = filePath.slice(filePath.lastIndexOf("."));
+  return EXTENSION_MAP[ext] ?? null;
+}
+var parserCache = /* @__PURE__ */ new Map();
+var initialized = false;
+var GRAMMAR_MAP = {
+  typescript: "tree-sitter-typescript",
+  javascript: "tree-sitter-javascript",
+  python: "tree-sitter-python"
+};
+async function ensureInit() {
+  if (!initialized) {
+    await Parser.init();
+    initialized = true;
+  }
+}
+async function resolveWasmPath(grammarName) {
+  const { createRequire } = await import("module");
+  const require2 = createRequire(import.meta.url ?? __filename);
+  const pkgPath = require2.resolve("tree-sitter-wasms/package.json");
+  const path26 = await import("path");
+  const pkgDir = path26.dirname(pkgPath);
+  return path26.join(pkgDir, "out", `${grammarName}.wasm`);
+}
+async function loadLanguage(lang) {
+  const grammarName = GRAMMAR_MAP[lang];
+  const wasmPath = await resolveWasmPath(grammarName);
+  return Parser.Language.load(wasmPath);
+}
+async function getParser(lang) {
+  const cached = parserCache.get(lang);
+  if (cached) return cached;
+  await ensureInit();
+  const parser = new Parser();
+  const language = await loadLanguage(lang);
+  parser.setLanguage(language);
+  parserCache.set(lang, parser);
+  return parser;
+}
+async function parseFile(filePath) {
+  const lang = detectLanguage(filePath);
+  if (!lang) {
+    return Err({
+      code: "UNSUPPORTED_LANGUAGE",
+      message: `Unsupported file extension: ${filePath}`
+    });
+  }
+  const contentResult = await readFileContent(filePath);
+  if (!contentResult.ok) {
+    return Err({
+      code: "FILE_NOT_FOUND",
+      message: `Cannot read file: ${filePath}`
+    });
+  }
+  try {
+    const parser = await getParser(lang);
+    const tree = parser.parse(contentResult.value);
+    return Ok({ tree, language: lang, source: contentResult.value, filePath });
+  } catch (e) {
+    return Err({
+      code: "PARSE_FAILED",
+      message: `Tree-sitter parse failed for ${filePath}: ${e.message}`
+    });
+  }
+}
+function resetParserCache() {
+  parserCache.clear();
+  initialized = false;
+}
+var TOP_LEVEL_TYPES = {
+  typescript: {
+    function_declaration: "function",
+    class_declaration: "class",
+    interface_declaration: "interface",
+    type_alias_declaration: "type",
+    lexical_declaration: "variable",
+    variable_declaration: "variable",
+    export_statement: "export",
+    import_statement: "import",
+    enum_declaration: "type"
+  },
+  javascript: {
+    function_declaration: "function",
+    class_declaration: "class",
+    lexical_declaration: "variable",
+    variable_declaration: "variable",
+    export_statement: "export",
+    import_statement: "import"
+  },
+  python: {
+    function_definition: "function",
+    class_definition: "class",
+    assignment: "variable",
+    import_statement: "import",
+    import_from_statement: "import"
+  }
+};
+var METHOD_TYPES = {
+  typescript: ["method_definition", "public_field_definition"],
+  javascript: ["method_definition"],
+  python: ["function_definition"]
+};
+var IDENTIFIER_TYPES = /* @__PURE__ */ new Set(["identifier", "property_identifier", "type_identifier"]);
+function findIdentifier(node) {
+  return node.childForFieldName("name") ?? node.children.find((c) => IDENTIFIER_TYPES.has(c.type)) ?? null;
+}
+function getVariableDeclarationName(node) {
+  const declarator = node.children.find((c) => c.type === "variable_declarator");
+  if (!declarator) return null;
+  const id = findIdentifier(declarator);
+  return id?.text ?? null;
+}
+function getExportName(node, source) {
+  const decl = node.children.find(
+    (c) => c.type !== "export" && c.type !== "default" && c.type !== "comment"
+  );
+  return decl ? getNodeName(decl, source) : "<anonymous>";
+}
+function getAssignmentName(node) {
+  const left = node.childForFieldName("left") ?? node.children[0];
+  return left?.text ?? "<anonymous>";
+}
+function getNodeName(node, source) {
+  const id = findIdentifier(node);
+  if (id) return id.text;
+  const isVarDecl = node.type === "lexical_declaration" || node.type === "variable_declaration";
+  if (isVarDecl) return getVariableDeclarationName(node) ?? "<anonymous>";
+  if (node.type === "export_statement") return getExportName(node, source);
+  if (node.type === "assignment") return getAssignmentName(node);
+  return "<anonymous>";
+}
+function getSignature(node, source) {
+  const startLine = node.startPosition.row;
+  const lines = source.split("\n");
+  return (lines[startLine] ?? "").trim();
+}
+function extractMethods(classNode, language, source, filePath) {
+  const methodTypes = METHOD_TYPES[language] ?? [];
+  const body = classNode.childForFieldName("body") ?? classNode.children.find((c) => c.type === "class_body" || c.type === "block");
+  if (!body) return [];
+  return body.children.filter((child) => methodTypes.includes(child.type)).map((child) => ({
+    name: getNodeName(child, source),
+    kind: "method",
+    file: filePath,
+    line: child.startPosition.row + 1,
+    endLine: child.endPosition.row + 1,
+    signature: getSignature(child, source)
+  }));
+}
+function nodeToSymbol(node, kind, source, filePath) {
+  return {
+    name: getNodeName(node, source),
+    kind,
+    file: filePath,
+    line: node.startPosition.row + 1,
+    endLine: node.endPosition.row + 1,
+    signature: getSignature(node, source)
+  };
+}
+function processExportStatement(child, topLevelTypes, lang, source, filePath) {
+  const declaration = child.children.find(
+    (c) => c.type !== "export" && c.type !== "default" && c.type !== ";" && c.type !== "comment"
+  );
+  const kind = declaration ? topLevelTypes[declaration.type] : void 0;
+  if (declaration && kind) {
+    const sym = nodeToSymbol(child, kind, source, filePath);
+    sym.name = getNodeName(declaration, source);
+    if (kind === "class") {
+      sym.children = extractMethods(declaration, lang, source, filePath);
+    }
+    return sym;
+  }
+  return nodeToSymbol(child, "export", source, filePath);
+}
+function extractSymbols(rootNode, lang, source, filePath) {
+  const symbols = [];
+  const topLevelTypes = TOP_LEVEL_TYPES[lang] ?? {};
+  for (const child of rootNode.children) {
+    if (child.type === "export_statement") {
+      symbols.push(processExportStatement(child, topLevelTypes, lang, source, filePath));
+      continue;
+    }
+    const kind = topLevelTypes[child.type];
+    if (!kind || kind === "import") continue;
+    const sym = nodeToSymbol(child, kind, source, filePath);
+    if (kind === "class") {
+      sym.children = extractMethods(child, lang, source, filePath);
+    }
+    symbols.push(sym);
+  }
+  return symbols;
+}
+function buildFailedResult(filePath, lang) {
+  return { file: filePath, language: lang, totalLines: 0, symbols: [], error: "[parse-failed]" };
+}
+async function getOutline(filePath) {
+  const lang = detectLanguage(filePath);
+  if (!lang) return buildFailedResult(filePath, "unknown");
+  const result = await parseFile(filePath);
+  if (!result.ok) return buildFailedResult(filePath, lang);
+  const { tree, source } = result.value;
+  const totalLines = source.split("\n").length;
+  const symbols = extractSymbols(tree.rootNode, lang, source, filePath);
+  return { file: filePath, language: lang, totalLines, symbols };
+}
+function formatOutline(outline) {
+  if (outline.error) {
+    return `${outline.file} ${outline.error}`;
+  }
+  const lines = [`${outline.file} (${outline.totalLines} lines)`];
+  const last = outline.symbols.length - 1;
+  outline.symbols.forEach((sym, i) => {
+    const prefix = i === last ? "\u2514\u2500\u2500" : "\u251C\u2500\u2500";
+    lines.push(`${prefix} ${sym.signature}    :${sym.line}`);
+    if (sym.children) {
+      const childLast = sym.children.length - 1;
+      sym.children.forEach((child, j) => {
+        const childConnector = i === last ? "    " : "\u2502   ";
+        const childPrefix = j === childLast ? "\u2514\u2500\u2500" : "\u251C\u2500\u2500";
+        lines.push(`${childConnector}${childPrefix} ${child.signature}    :${child.line}`);
+      });
+    }
+  });
+  return lines.join("\n");
+}
+function buildGlob(directory, fileGlob) {
+  const dir = directory.replaceAll("\\", "/");
+  if (fileGlob) {
+    return `${dir}/**/${fileGlob}`;
+  }
+  const exts = Object.keys(EXTENSION_MAP).map((e) => e.slice(1));
+  return `${dir}/**/*.{${exts.join(",")}}`;
+}
+function matchesQuery(name, query) {
+  return name.toLowerCase().includes(query.toLowerCase());
+}
+function flattenSymbols(symbols) {
+  const flat = [];
+  for (const sym of symbols) {
+    flat.push(sym);
+    if (sym.children) {
+      flat.push(...sym.children);
+    }
+  }
+  return flat;
+}
+async function searchSymbols(query, directory, fileGlob) {
+  const pattern = buildGlob(directory, fileGlob);
+  let files;
+  try {
+    files = await findFiles(pattern, directory);
+  } catch {
+    files = [];
+  }
+  const matches = [];
+  const skipped = [];
+  for (const file of files) {
+    const lang = detectLanguage(file);
+    if (!lang) {
+      skipped.push(file);
+      continue;
+    }
+    const outline = await getOutline(file);
+    if (outline.error) {
+      skipped.push(file);
+      continue;
+    }
+    const allSymbols = flattenSymbols(outline.symbols);
+    for (const sym of allSymbols) {
+      if (matchesQuery(sym.name, query)) {
+        matches.push({
+          symbol: sym,
+          context: sym.signature
+        });
+      }
+    }
+  }
+  return { query, matches, skipped };
+}
+function findSymbolInList(symbols, name) {
+  for (const sym of symbols) {
+    if (sym.name === name) return sym;
+    if (sym.children) {
+      const found = findSymbolInList(sym.children, name);
+      if (found) return found;
+    }
+  }
+  return null;
+}
+function extractLines(source, startLine, endLine) {
+  const lines = source.split("\n");
+  const start = Math.max(0, startLine - 1);
+  const end = Math.min(lines.length, endLine);
+  return lines.slice(start, end).join("\n");
+}
+function buildFallbackResult(filePath, symbolName, content, language) {
+  const totalLines = content ? content.split("\n").length : 0;
+  return {
+    file: filePath,
+    symbolName,
+    startLine: content ? 1 : 0,
+    endLine: totalLines,
+    content,
+    language,
+    fallback: true,
+    warning: "[fallback: raw content]"
+  };
+}
+async function readContentSafe(filePath) {
+  const result = await readFileContent(filePath);
+  return result.ok ? result.value : "";
+}
+async function unfoldSymbol(filePath, symbolName) {
+  const lang = detectLanguage(filePath);
+  if (!lang) {
+    const content2 = await readContentSafe(filePath);
+    return buildFallbackResult(filePath, symbolName, content2, "unknown");
+  }
+  const outline = await getOutline(filePath);
+  if (outline.error) {
+    const content2 = await readContentSafe(filePath);
+    return buildFallbackResult(filePath, symbolName, content2, lang);
+  }
+  const symbol = findSymbolInList(outline.symbols, symbolName);
+  if (!symbol) {
+    const content2 = await readContentSafe(filePath);
+    return buildFallbackResult(filePath, symbolName, content2, lang);
+  }
+  const parseResult = await parseFile(filePath);
+  if (!parseResult.ok) {
+    const content2 = await readContentSafe(filePath);
+    return {
+      ...buildFallbackResult(
+        filePath,
+        symbolName,
+        extractLines(content2, symbol.line, symbol.endLine),
+        lang
+      ),
+      startLine: symbol.line,
+      endLine: symbol.endLine
+    };
+  }
+  const content = extractLines(parseResult.value.source, symbol.line, symbol.endLine);
+  return {
+    file: filePath,
+    symbolName,
+    startLine: symbol.line,
+    endLine: symbol.endLine,
+    content,
+    language: lang,
+    fallback: false
+  };
+}
+async function unfoldRange(filePath, startLine, endLine) {
+  const lang = detectLanguage(filePath) ?? "unknown";
+  const contentResult = await readFileContent(filePath);
+  if (!contentResult.ok) {
+    return {
+      file: filePath,
+      startLine: 0,
+      endLine: 0,
+      content: "",
+      language: lang,
+      fallback: true,
+      warning: "[fallback: raw content]"
+    };
+  }
+  const totalLines = contentResult.value.split("\n").length;
+  const clampedEnd = Math.min(endLine, totalLines);
+  const content = extractLines(contentResult.value, startLine, clampedEnd);
+  return {
+    file: filePath,
+    startLine,
+    endLine: clampedEnd,
+    content,
+    language: lang,
+    fallback: false
+  };
+}
+var TOKENS_PER_MILLION = 1e6;
+function parseLiteLLMData(raw) {
+  const dataset = /* @__PURE__ */ new Map();
+  for (const [modelName, entry] of Object.entries(raw)) {
+    if (modelName === "sample_spec") continue;
+    if (entry.mode && entry.mode !== "chat") continue;
+    const inputCost = entry.input_cost_per_token;
+    const outputCost = entry.output_cost_per_token;
+    if (inputCost == null || outputCost == null) continue;
+    const pricing = {
+      inputPer1M: inputCost * TOKENS_PER_MILLION,
+      outputPer1M: outputCost * TOKENS_PER_MILLION
+    };
+    if (entry.cache_read_input_token_cost != null) {
+      pricing.cacheReadPer1M = entry.cache_read_input_token_cost * TOKENS_PER_MILLION;
+    }
+    if (entry.cache_creation_input_token_cost != null) {
+      pricing.cacheWritePer1M = entry.cache_creation_input_token_cost * TOKENS_PER_MILLION;
+    }
+    dataset.set(modelName, pricing);
+  }
+  return dataset;
+}
+function getModelPrice(model, dataset) {
+  if (!model) {
+    console.warn("[harness pricing] No model specified \u2014 cannot look up pricing.");
+    return null;
+  }
+  const pricing = dataset.get(model);
+  if (!pricing) {
+    console.warn(
+      `[harness pricing] No pricing data for model "${model}". Consider updating pricing data.`
+    );
+    return null;
+  }
+  return pricing;
+}
+var fallback_default = {
+  _generatedAt: "2026-03-31",
+  _source: "https://raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.json",
+  models: {
+    "claude-opus-4-20250514": {
+      inputPer1M: 15,
+      outputPer1M: 75,
+      cacheReadPer1M: 1.5,
+      cacheWritePer1M: 18.75
+    },
+    "claude-sonnet-4-20250514": {
+      inputPer1M: 3,
+      outputPer1M: 15,
+      cacheReadPer1M: 0.3,
+      cacheWritePer1M: 3.75
+    },
+    "claude-3-5-haiku-20241022": {
+      inputPer1M: 0.8,
+      outputPer1M: 4,
+      cacheReadPer1M: 0.08,
+      cacheWritePer1M: 1
+    },
+    "gpt-4o": {
+      inputPer1M: 2.5,
+      outputPer1M: 10,
+      cacheReadPer1M: 1.25
+    },
+    "gpt-4o-mini": {
+      inputPer1M: 0.15,
+      outputPer1M: 0.6,
+      cacheReadPer1M: 0.075
+    },
+    "gemini-2.0-flash": {
+      inputPer1M: 0.1,
+      outputPer1M: 0.4,
+      cacheReadPer1M: 0.025
+    },
+    "gemini-2.5-pro": {
+      inputPer1M: 1.25,
+      outputPer1M: 10,
+      cacheReadPer1M: 0.3125
+    }
+  }
+};
+var LITELLM_PRICING_URL = "https://raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.json";
+var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
+var STALENESS_WARNING_DAYS = 7;
+function getCachePath(projectRoot) {
+  return path23.join(projectRoot, ".harness", "cache", "pricing.json");
+}
+function getStalenessMarkerPath(projectRoot) {
+  return path23.join(projectRoot, ".harness", "cache", "staleness-marker.json");
+}
+async function readDiskCache(projectRoot) {
+  try {
+    const raw = await fs23.readFile(getCachePath(projectRoot), "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function writeDiskCache(projectRoot, data) {
+  const cachePath = getCachePath(projectRoot);
+  await fs23.mkdir(path23.dirname(cachePath), { recursive: true });
+  await fs23.writeFile(cachePath, JSON.stringify(data, null, 2));
+}
+async function fetchFromNetwork() {
+  try {
+    const response = await fetch(LITELLM_PRICING_URL);
+    if (!response.ok) return null;
+    const data = await response.json();
+    if (typeof data !== "object" || data === null || Array.isArray(data)) return null;
+    return {
+      fetchedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      data
+    };
+  } catch {
+    return null;
+  }
+}
+function loadFallbackDataset() {
+  const fb = fallback_default;
+  const dataset = /* @__PURE__ */ new Map();
+  for (const [model, pricing] of Object.entries(fb.models)) {
+    dataset.set(model, pricing);
+  }
+  return dataset;
+}
+async function checkAndWarnStaleness(projectRoot) {
+  const markerPath = getStalenessMarkerPath(projectRoot);
+  try {
+    const raw = await fs23.readFile(markerPath, "utf-8");
+    const marker = JSON.parse(raw);
+    const firstUse = new Date(marker.firstFallbackUse).getTime();
+    const now = Date.now();
+    const daysSinceFirstUse = (now - firstUse) / (24 * 60 * 60 * 1e3);
+    if (daysSinceFirstUse > STALENESS_WARNING_DAYS) {
+      console.warn(
+        `[harness pricing] Pricing data is stale \u2014 using bundled fallback for ${Math.floor(daysSinceFirstUse)} days. Connect to the internet to refresh pricing data.`
+      );
+    }
+  } catch {
+    try {
+      await fs23.mkdir(path23.dirname(markerPath), { recursive: true });
+      await fs23.writeFile(
+        markerPath,
+        JSON.stringify({ firstFallbackUse: (/* @__PURE__ */ new Date()).toISOString() })
+      );
+    } catch {
+    }
+  }
+}
+async function clearStalenessMarker(projectRoot) {
+  try {
+    await fs23.unlink(getStalenessMarkerPath(projectRoot));
+  } catch {
+  }
+}
+async function loadPricingData(projectRoot) {
+  const cache = await readDiskCache(projectRoot);
+  if (cache) {
+    const cacheAge = Date.now() - new Date(cache.fetchedAt).getTime();
+    if (cacheAge < CACHE_TTL_MS) {
+      await clearStalenessMarker(projectRoot);
+      return parseLiteLLMData(cache.data);
+    }
+  }
+  const fetched = await fetchFromNetwork();
+  if (fetched) {
+    await writeDiskCache(projectRoot, fetched);
+    await clearStalenessMarker(projectRoot);
+    return parseLiteLLMData(fetched.data);
+  }
+  if (cache) {
+    return parseLiteLLMData(cache.data);
+  }
+  await checkAndWarnStaleness(projectRoot);
+  return loadFallbackDataset();
+}
+var MICRODOLLARS_PER_DOLLAR = 1e6;
+var TOKENS_PER_MILLION2 = 1e6;
+function calculateCost(record, dataset) {
+  if (!record.model) return null;
+  const pricing = getModelPrice(record.model, dataset);
+  if (!pricing) return null;
+  let costUSD = 0;
+  costUSD += record.tokens.inputTokens / TOKENS_PER_MILLION2 * pricing.inputPer1M;
+  costUSD += record.tokens.outputTokens / TOKENS_PER_MILLION2 * pricing.outputPer1M;
+  if (record.cacheReadTokens != null && pricing.cacheReadPer1M != null) {
+    costUSD += record.cacheReadTokens / TOKENS_PER_MILLION2 * pricing.cacheReadPer1M;
+  }
+  if (record.cacheCreationTokens != null && pricing.cacheWritePer1M != null) {
+    costUSD += record.cacheCreationTokens / TOKENS_PER_MILLION2 * pricing.cacheWritePer1M;
+  }
+  return Math.round(costUSD * MICRODOLLARS_PER_DOLLAR);
+}
+function aggregateBySession(records) {
+  if (records.length === 0) return [];
+  const sessionMap = /* @__PURE__ */ new Map();
+  for (const record of records) {
+    const tagged = record;
+    const id = record.sessionId;
+    if (!sessionMap.has(id)) {
+      sessionMap.set(id, { harnessRecords: [], ccRecords: [], allRecords: [] });
+    }
+    const bucket = sessionMap.get(id);
+    if (tagged._source === "claude-code") {
+      bucket.ccRecords.push(tagged);
+    } else {
+      bucket.harnessRecords.push(tagged);
+    }
+    bucket.allRecords.push(tagged);
+  }
+  const results = [];
+  for (const [sessionId, bucket] of sessionMap) {
+    const hasHarness = bucket.harnessRecords.length > 0;
+    const hasCC = bucket.ccRecords.length > 0;
+    const isMerged = hasHarness && hasCC;
+    const tokenSource = hasHarness ? bucket.harnessRecords : bucket.ccRecords;
+    const tokens = { inputTokens: 0, outputTokens: 0, totalTokens: 0 };
+    let cacheCreation;
+    let cacheRead;
+    let costMicroUSD = 0;
+    let model;
+    for (const r of tokenSource) {
+      tokens.inputTokens += r.tokens.inputTokens;
+      tokens.outputTokens += r.tokens.outputTokens;
+      tokens.totalTokens += r.tokens.totalTokens;
+      if (r.cacheCreationTokens != null) {
+        cacheCreation = (cacheCreation ?? 0) + r.cacheCreationTokens;
+      }
+      if (r.cacheReadTokens != null) {
+        cacheRead = (cacheRead ?? 0) + r.cacheReadTokens;
+      }
+      if (r.costMicroUSD != null && costMicroUSD != null) {
+        costMicroUSD += r.costMicroUSD;
+      } else if (r.costMicroUSD == null) {
+        costMicroUSD = null;
+      }
+      if (!model && r.model) {
+        model = r.model;
+      }
+    }
+    if (!model && hasCC) {
+      for (const r of bucket.ccRecords) {
+        if (r.model) {
+          model = r.model;
+          break;
+        }
+      }
+    }
+    const timestamps = bucket.allRecords.map((r) => r.timestamp).sort();
+    const source = isMerged ? "merged" : hasCC ? "claude-code" : "harness";
+    const session = {
+      sessionId,
+      firstTimestamp: timestamps[0] ?? "",
+      lastTimestamp: timestamps[timestamps.length - 1] ?? "",
+      tokens,
+      costMicroUSD,
+      source
+    };
+    if (model) session.model = model;
+    if (cacheCreation != null) session.cacheCreationTokens = cacheCreation;
+    if (cacheRead != null) session.cacheReadTokens = cacheRead;
+    results.push(session);
+  }
+  results.sort((a, b) => b.firstTimestamp.localeCompare(a.firstTimestamp));
+  return results;
+}
+function aggregateByDay(records) {
+  if (records.length === 0) return [];
+  const dayMap = /* @__PURE__ */ new Map();
+  for (const record of records) {
+    const date = record.timestamp.slice(0, 10);
+    if (!dayMap.has(date)) {
+      dayMap.set(date, {
+        sessions: /* @__PURE__ */ new Set(),
+        tokens: { inputTokens: 0, outputTokens: 0, totalTokens: 0 },
+        costMicroUSD: 0,
+        models: /* @__PURE__ */ new Set()
+      });
+    }
+    const day = dayMap.get(date);
+    day.sessions.add(record.sessionId);
+    day.tokens.inputTokens += record.tokens.inputTokens;
+    day.tokens.outputTokens += record.tokens.outputTokens;
+    day.tokens.totalTokens += record.tokens.totalTokens;
+    if (record.cacheCreationTokens != null) {
+      day.cacheCreation = (day.cacheCreation ?? 0) + record.cacheCreationTokens;
+    }
+    if (record.cacheReadTokens != null) {
+      day.cacheRead = (day.cacheRead ?? 0) + record.cacheReadTokens;
+    }
+    if (record.costMicroUSD != null && day.costMicroUSD != null) {
+      day.costMicroUSD += record.costMicroUSD;
+    } else if (record.costMicroUSD == null) {
+      day.costMicroUSD = null;
+    }
+    if (record.model) {
+      day.models.add(record.model);
+    }
+  }
+  const results = [];
+  for (const [date, day] of dayMap) {
+    const entry = {
+      date,
+      sessionCount: day.sessions.size,
+      tokens: day.tokens,
+      costMicroUSD: day.costMicroUSD,
+      models: Array.from(day.models).sort()
+    };
+    if (day.cacheCreation != null) entry.cacheCreationTokens = day.cacheCreation;
+    if (day.cacheRead != null) entry.cacheReadTokens = day.cacheRead;
+    results.push(entry);
+  }
+  results.sort((a, b) => b.date.localeCompare(a.date));
+  return results;
+}
+function parseLine(line, lineNumber) {
+  let entry;
+  try {
+    entry = JSON.parse(line);
+  } catch {
+    console.warn(`[harness usage] Skipping malformed JSONL line ${lineNumber}`);
+    return null;
+  }
+  const tokenUsage = entry.token_usage;
+  if (!tokenUsage || typeof tokenUsage !== "object") {
+    console.warn(
+      `[harness usage] Skipping malformed JSONL line ${lineNumber}: missing token_usage`
+    );
+    return null;
+  }
+  const inputTokens = tokenUsage.input_tokens ?? 0;
+  const outputTokens = tokenUsage.output_tokens ?? 0;
+  const record = {
+    sessionId: entry.session_id ?? "unknown",
+    timestamp: entry.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    tokens: {
+      inputTokens,
+      outputTokens,
+      totalTokens: inputTokens + outputTokens
+    }
+  };
+  if (entry.cache_creation_tokens != null) {
+    record.cacheCreationTokens = entry.cache_creation_tokens;
+  }
+  if (entry.cache_read_tokens != null) {
+    record.cacheReadTokens = entry.cache_read_tokens;
+  }
+  if (entry.model != null) {
+    record.model = entry.model;
+  }
+  return record;
+}
+function readCostRecords(projectRoot) {
+  const costsFile = path24.join(projectRoot, ".harness", "metrics", "costs.jsonl");
+  let raw;
+  try {
+    raw = fs24.readFileSync(costsFile, "utf-8");
+  } catch {
+    return [];
+  }
+  const records = [];
+  const lines = raw.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]?.trim();
+    if (!line) continue;
+    const record = parseLine(line, i + 1);
+    if (record) {
+      records.push(record);
+    }
+  }
+  return records;
+}
+function extractUsage(entry) {
+  if (entry.type !== "assistant") return null;
+  const message = entry.message;
+  if (!message || typeof message !== "object") return null;
+  const usage = message.usage;
+  return usage && typeof usage === "object" && !Array.isArray(usage) ? usage : null;
+}
+function buildRecord(entry, usage) {
+  const inputTokens = Number(usage.input_tokens) || 0;
+  const outputTokens = Number(usage.output_tokens) || 0;
+  const message = entry.message;
+  const record = {
+    sessionId: entry.sessionId ?? "unknown",
+    timestamp: entry.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    tokens: { inputTokens, outputTokens, totalTokens: inputTokens + outputTokens },
+    _source: "claude-code"
+  };
+  const model = message.model;
+  if (model) record.model = model;
+  const cacheCreate = usage.cache_creation_input_tokens;
+  const cacheRead = usage.cache_read_input_tokens;
+  if (typeof cacheCreate === "number" && cacheCreate > 0) record.cacheCreationTokens = cacheCreate;
+  if (typeof cacheRead === "number" && cacheRead > 0) record.cacheReadTokens = cacheRead;
+  return record;
+}
+function parseCCLine(line, filePath, lineNumber) {
+  let entry;
+  try {
+    entry = JSON.parse(line);
+  } catch {
+    console.warn(
+      `[harness usage] Skipping malformed CC JSONL line ${lineNumber} in ${path25.basename(filePath)}`
+    );
+    return null;
+  }
+  const usage = extractUsage(entry);
+  if (!usage) return null;
+  return {
+    record: buildRecord(entry, usage),
+    requestId: entry.requestId ?? null
+  };
+}
+function readCCFile(filePath) {
+  let raw;
+  try {
+    raw = fs25.readFileSync(filePath, "utf-8");
+  } catch {
+    return [];
+  }
+  const byRequestId = /* @__PURE__ */ new Map();
+  const noRequestId = [];
+  const lines = raw.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]?.trim();
+    if (!line) continue;
+    const parsed = parseCCLine(line, filePath, i + 1);
+    if (!parsed) continue;
+    if (parsed.requestId) {
+      byRequestId.set(parsed.requestId, parsed.record);
+    } else {
+      noRequestId.push(parsed.record);
+    }
+  }
+  return [...byRequestId.values(), ...noRequestId];
+}
+function parseCCRecords() {
+  const homeDir = process.env.HOME ?? os2.homedir();
+  const projectsDir = path25.join(homeDir, ".claude", "projects");
+  let projectDirs;
+  try {
+    projectDirs = fs25.readdirSync(projectsDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => path25.join(projectsDir, d.name));
+  } catch {
+    return [];
+  }
+  const records = [];
+  for (const dir of projectDirs) {
+    let files;
+    try {
+      files = fs25.readdirSync(dir).filter((f) => f.endsWith(".jsonl")).map((f) => path25.join(dir, f));
+    } catch {
+      continue;
+    }
+    for (const file of files) {
+      records.push(...readCCFile(file));
+    }
+  }
+  return records;
+}
+var VERSION = "0.15.0";
 export {
   ArchMetricCategorySchema,
@@ -10947,14 +13098,19 @@ export {
   updateSessionIndex,
   loadState,
   saveState,
+  parseFrontmatter,
+  extractIndexEntry,
   clearLearningsCache,
   appendLearning,
   parseDateFromEntry,
   analyzeLearningPatterns,
   loadBudgetedLearnings,
+  loadIndexEntries,
   loadRelevantLearnings,
   archiveLearnings,
   pruneLearnings,
+  promoteSessionLearnings,
+  countLearningEntries,
   clearFailuresCache,
   appendFailure,
   loadFailures,
@@ -10970,6 +13126,11 @@ export {
   appendSessionEntry,
   updateSessionEntryStatus,
   archiveSession,
+  SkillEventSchema,
+  clearEventHashCache,
+  emitEvent,
+  loadEvents,
+  formatEventTimeline,
   executeWorkflow,
   runPipeline,
   runMultiTurnPipeline,
@@ -10986,11 +13147,31 @@ export {
   pathTraversalRules,
   networkRules,
   deserializationRules,
+  agentConfigRules,
+  mcpRules,
+  insecureDefaultsRules,
+  sharpEdgesRules,
   nodeRules,
   expressRules,
   reactRules,
   goRules,
+  parseHarnessIgnore,
   SecurityScanner,
+  scanForInjection,
+  getInjectionPatterns,
+  DESTRUCTIVE_BASH,
+  getTaintFilePath,
+  readTaint,
+  checkTaint,
+  writeTaint,
+  clearTaint,
+  listTaintedSessions,
+  mapSecuritySeverity,
+  computeOverallSeverity,
+  computeScanExitCode,
+  mapInjectionFindings,
+  isDuplicateFinding,
+  mapSecurityFindings,
   runCIChecks,
   runMechanicalChecks,
   ExclusionSet,
@@ -11025,6 +13206,7 @@ export {
   parseRoadmap,
   serializeRoadmap,
   syncRoadmap,
+  applySyncChanges,
   InteractionTypeSchema,
   QuestionSchema,
   ConfirmationSchema,
@@ -11038,5 +13220,26 @@ export {
   readCheckState,
   spawnBackgroundCheck,
   getUpdateNotification,
+  EXTENSION_MAP,
+  detectLanguage,
+  getParser,
+  parseFile,
+  resetParserCache,
+  getOutline,
+  formatOutline,
+  searchSymbols,
+  unfoldSymbol,
+  unfoldRange,
+  parseLiteLLMData,
+  getModelPrice,
+  LITELLM_PRICING_URL,
+  CACHE_TTL_MS,
+  STALENESS_WARNING_DAYS,
+  loadPricingData,
+  calculateCost,
+  aggregateBySession,
+  aggregateByDay,
+  readCostRecords,
+  parseCCRecords,
   VERSION
 };