npm - @harness-engineering/cli - Versions diffs - 1.6.2 → 1.8.0 - Mend

@harness-engineering/cli 1.6.2 → 1.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (180) hide show

package/dist/{chunk-USEYPS7F.js → chunk-SJECMKSS.js} RENAMED Viewed

@@ -46,7 +46,7 @@ import { dirname as dirname6, basename as basename4, join as join5 } from "path"
 import { z } from "zod";
 import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
 import { join as join6, dirname as dirname7 } from "path";
-import { execFileSync, execSync } from "child_process";
+import { execFileSync } from "child_process";
 import * as fs2 from "fs";
 import * as path from "path";
 import { appendFileSync, writeFileSync as writeFileSync2, existsSync as existsSync2, mkdirSync as mkdirSync2 } from "fs";
@@ -54,16 +54,26 @@ import { dirname as dirname8 } from "path";
 import { z as z2 } from "zod";
 import * as fs4 from "fs";
 import * as path3 from "path";
-import { execSync as execSync3 } from "child_process";
+import { execSync as execSync2 } from "child_process";
 import * as fs3 from "fs";
 import * as path2 from "path";
-import { execSync as execSync2 } from "child_process";
+import { execSync } from "child_process";
 import { z as z3 } from "zod";
 import * as fs6 from "fs/promises";
 import { z as z4 } from "zod";
 import * as fs5 from "fs";
 import * as path4 from "path";
 import * as path5 from "path";
+import * as path6 from "path";
+import * as path7 from "path";
+import * as path8 from "path";
+import * as fs7 from "fs";
+import * as path9 from "path";
+import { z as z5 } from "zod";
+import * as fs8 from "fs";
+import * as path10 from "path";
+import * as os from "os";
+import { spawn } from "child_process";
 function createError(code, message, details = {}, suggestions = []) {
   return { code, message, details, suggestions };
 }
@@ -72,17 +82,17 @@ function createEntropyError(code, message, details = {}, suggestions = []) {
 }
 var accessAsync = promisify(access);
 var readFileAsync = promisify(readFile);
-async function fileExists(path6) {
+async function fileExists(path11) {
   try {
-    await accessAsync(path6, constants.F_OK);
+    await accessAsync(path11, constants.F_OK);
     return true;
   } catch {
     return false;
   }
 }
-async function readFileContent(path6) {
+async function readFileContent(path11) {
   try {
-    const content = await readFileAsync(path6, "utf-8");
+    const content = await readFileAsync(path11, "utf-8");
     return Ok(content);
   } catch (error) {
     return Err(error);
@@ -126,15 +136,15 @@ function validateConfig(data, schema) {
   let message = "Configuration validation failed";
   const suggestions = [];
   if (firstError) {
-    const path6 = firstError.path.join(".");
-    const pathDisplay = path6 ? ` at "${path6}"` : "";
+    const path11 = firstError.path.join(".");
+    const pathDisplay = path11 ? ` at "${path11}"` : "";
     if (firstError.code === "invalid_type") {
       const received = firstError.received;
       const expected = firstError.expected;
       if (received === "undefined") {
         code = "MISSING_FIELD";
         message = `Missing required field${pathDisplay}: ${firstError.message}`;
-        suggestions.push(`Field "${path6}" is required and must be of type "${expected}"`);
+        suggestions.push(`Field "${path11}" is required and must be of type "${expected}"`);
       } else {
         code = "INVALID_TYPE";
         message = `Invalid type${pathDisplay}: ${firstError.message}`;
@@ -340,30 +350,30 @@ function extractSections(content) {
     return result;
   });
 }
-function isExternalLink(path6) {
-  return path6.startsWith("http://") || path6.startsWith("https://") || path6.startsWith("#") || path6.startsWith("mailto:");
+function isExternalLink(path11) {
+  return path11.startsWith("http://") || path11.startsWith("https://") || path11.startsWith("#") || path11.startsWith("mailto:");
 }
 function resolveLinkPath(linkPath, baseDir) {
   return linkPath.startsWith(".") ? join(baseDir, linkPath) : linkPath;
 }
-async function validateAgentsMap(path6 = "./AGENTS.md") {
+async function validateAgentsMap(path11 = "./AGENTS.md") {
   console.warn(
     "[harness] validateAgentsMap() is deprecated. Use graph-based validation via Assembler.checkCoverage() from @harness-engineering/graph"
   );
-  const contentResult = await readFileContent(path6);
+  const contentResult = await readFileContent(path11);
   if (!contentResult.ok) {
     return Err(
       createError(
         "PARSE_ERROR",
         `Failed to read AGENTS.md: ${contentResult.error.message}`,
-        { path: path6 },
+        { path: path11 },
         ["Ensure the file exists", "Check file permissions"]
       )
     );
   }
   const content = contentResult.value;
   const sections = extractSections(content);
-  const baseDir = dirname(path6);
+  const baseDir = dirname(path11);
   const sectionTitles = sections.map((s) => s.title);
   const missingSections = REQUIRED_SECTIONS.filter(
     (required) => !sectionTitles.some((title) => title.toLowerCase().includes(required.toLowerCase()))
@@ -499,8 +509,8 @@ async function checkDocCoverage(domain, options = {}) {
     );
   }
 }
-function suggestFix(path6, existingFiles) {
-  const targetName = basename2(path6).toLowerCase();
+function suggestFix(path11, existingFiles) {
+  const targetName = basename2(path11).toLowerCase();
   const similar = existingFiles.find((file) => {
     const fileName = basename2(file).toLowerCase();
     return fileName.includes(targetName) || targetName.includes(fileName);
@@ -508,7 +518,7 @@ function suggestFix(path6, existingFiles) {
   if (similar) {
     return `Did you mean "${similar}"?`;
   }
-  return `Create the file "${path6}" or remove the link`;
+  return `Create the file "${path11}" or remove the link`;
 }
 async function validateKnowledgeMap(rootDir = process.cwd()) {
   console.warn(
@@ -1085,8 +1095,8 @@ function createBoundaryValidator(schema, name) {
         return Ok(result.data);
       }
       const suggestions = result.error.issues.map((issue) => {
-        const path6 = issue.path.join(".");
-        return path6 ? `${path6}: ${issue.message}` : issue.message;
+        const path11 = issue.path.join(".");
+        return path11 ? `${path11}: ${issue.message}` : issue.message;
       });
       return Err(
         createError(
@@ -1148,11 +1158,11 @@ function walk(node, visitor) {
 var TypeScriptParser = class {
   name = "typescript";
   extensions = [".ts", ".tsx", ".mts", ".cts"];
-  async parseFile(path6) {
-    const contentResult = await readFileContent(path6);
+  async parseFile(path11) {
+    const contentResult = await readFileContent(path11);
     if (!contentResult.ok) {
       return Err(
-        createParseError("NOT_FOUND", `File not found: ${path6}`, { path: path6 }, [
+        createParseError("NOT_FOUND", `File not found: ${path11}`, { path: path11 }, [
           "Check that the file exists",
           "Verify the path is correct"
         ])
@@ -1162,7 +1172,7 @@ var TypeScriptParser = class {
       const ast = parse(contentResult.value, {
         loc: true,
         range: true,
-        jsx: path6.endsWith(".tsx"),
+        jsx: path11.endsWith(".tsx"),
         errorOnUnknownASTType: false
       });
       return Ok({
@@ -1173,7 +1183,7 @@ var TypeScriptParser = class {
     } catch (e) {
       const error = e;
       return Err(
-        createParseError("SYNTAX_ERROR", `Failed to parse ${path6}: ${error.message}`, { path: path6 }, [
+        createParseError("SYNTAX_ERROR", `Failed to parse ${path11}: ${error.message}`, { path: path11 }, [
           "Check for syntax errors in the file",
           "Ensure valid TypeScript syntax"
         ])
@@ -1453,22 +1463,22 @@ function extractInlineRefs(content) {
   }
   return refs;
 }
-async function parseDocumentationFile(path6) {
-  const contentResult = await readFileContent(path6);
+async function parseDocumentationFile(path11) {
+  const contentResult = await readFileContent(path11);
   if (!contentResult.ok) {
     return Err(
       createEntropyError(
         "PARSE_ERROR",
-        `Failed to read documentation file: ${path6}`,
-        { file: path6 },
+        `Failed to read documentation file: ${path11}`,
+        { file: path11 },
         ["Check that the file exists"]
       )
     );
   }
   const content = contentResult.value;
-  const type = path6.endsWith(".md") ? "markdown" : "text";
+  const type = path11.endsWith(".md") ? "markdown" : "text";
   return Ok({
-    path: path6,
+    path: path11,
     type,
     content,
     codeBlocks: extractCodeBlocks(content),
@@ -3143,6 +3153,40 @@ function createUnusedImportFixes(deadCodeReport) {
     reversible: true
   }));
 }
+function createDeadExportFixes(deadCodeReport) {
+  return deadCodeReport.deadExports.filter((exp) => exp.reason === "NO_IMPORTERS").map((exp) => ({
+    type: "dead-exports",
+    file: exp.file,
+    description: `Remove export keyword from ${exp.name} (${exp.reason})`,
+    action: "replace",
+    oldContent: exp.isDefault ? `export default ${exp.type === "class" ? "class" : exp.type === "function" ? "function" : ""} ${exp.name}` : `export ${exp.type === "class" ? "class" : exp.type === "function" ? "function" : exp.type === "variable" ? "const" : exp.type === "type" ? "type" : exp.type === "interface" ? "interface" : "enum"} ${exp.name}`,
+    newContent: exp.isDefault ? `${exp.type === "class" ? "class" : exp.type === "function" ? "function" : ""} ${exp.name}` : `${exp.type === "class" ? "class" : exp.type === "function" ? "function" : exp.type === "variable" ? "const" : exp.type === "type" ? "type" : exp.type === "interface" ? "interface" : "enum"} ${exp.name}`,
+    safe: true,
+    reversible: true
+  }));
+}
+function createCommentedCodeFixes(blocks) {
+  return blocks.map((block) => ({
+    type: "commented-code",
+    file: block.file,
+    description: `Remove commented-out code block (lines ${block.startLine}-${block.endLine})`,
+    action: "replace",
+    oldContent: block.content,
+    newContent: "",
+    safe: true,
+    reversible: true
+  }));
+}
+function createOrphanedDepFixes(deps) {
+  return deps.map((dep) => ({
+    type: "orphaned-deps",
+    file: dep.packageJsonPath,
+    description: `Remove orphaned dependency: ${dep.name}`,
+    action: "replace",
+    safe: true,
+    reversible: true
+  }));
+}
 function createFixes(deadCodeReport, config) {
   const fullConfig = { ...DEFAULT_FIX_CONFIG, ...config };
   const fixes = [];
@@ -3152,6 +3196,9 @@ function createFixes(deadCodeReport, config) {
   if (fullConfig.fixTypes.includes("unused-imports")) {
     fixes.push(...createUnusedImportFixes(deadCodeReport));
   }
+  if (fullConfig.fixTypes.includes("dead-exports")) {
+    fixes.push(...createDeadExportFixes(deadCodeReport));
+  }
   return fixes;
 }
 function previewFix(fix) {
@@ -3271,6 +3318,129 @@ async function applyFixes(fixes, config) {
     }
   });
 }
+function createForbiddenImportFixes(violations) {
+  return violations.filter((v) => v.alternative !== void 0).map((v) => ({
+    type: "forbidden-import-replacement",
+    file: v.file,
+    description: `Replace forbidden import '${v.forbiddenImport}' with '${v.alternative}'`,
+    action: "replace",
+    line: v.line,
+    oldContent: `from '${v.forbiddenImport}'`,
+    newContent: `from '${v.alternative}'`,
+    safe: true,
+    reversible: true
+  }));
+}
+var ALWAYS_UNSAFE_TYPES = /* @__PURE__ */ new Set([
+  "upward-dependency",
+  "skip-layer-dependency",
+  "circular-dependency",
+  "dead-internal"
+]);
+var idCounter = 0;
+function classifyFinding(input) {
+  idCounter++;
+  const id = `${input.concern === "dead-code" ? "dc" : "arch"}-${idCounter}`;
+  let safety;
+  let safetyReason;
+  let fixAction;
+  let suggestion;
+  if (ALWAYS_UNSAFE_TYPES.has(input.type)) {
+    safety = "unsafe";
+    safetyReason = `${input.type} requires human judgment`;
+    suggestion = "Review and refactor manually";
+  } else if (input.concern === "dead-code") {
+    if (input.isPublicApi) {
+      safety = "unsafe";
+      safetyReason = "Public API export may have external consumers";
+      suggestion = "Deprecate before removing";
+    } else if (input.type === "dead-export" || input.type === "unused-import" || input.type === "commented-code" || input.type === "dead-file") {
+      safety = "safe";
+      safetyReason = "zero importers, non-public";
+      fixAction = input.type === "dead-export" ? "Remove export keyword" : input.type === "dead-file" ? "Delete file" : input.type === "commented-code" ? "Delete commented block" : "Remove import";
+      suggestion = fixAction;
+    } else if (input.type === "orphaned-dep") {
+      safety = "probably-safe";
+      safetyReason = "No imports found, but needs install+test verification";
+      fixAction = "Remove from package.json";
+      suggestion = fixAction;
+    } else {
+      safety = "unsafe";
+      safetyReason = "Unknown dead code type";
+      suggestion = "Manual review required";
+    }
+  } else {
+    if (input.type === "import-ordering") {
+      safety = "safe";
+      safetyReason = "Mechanical reorder, no semantic change";
+      fixAction = "Reorder imports";
+      suggestion = fixAction;
+    } else if (input.type === "forbidden-import" && input.hasAlternative) {
+      safety = "probably-safe";
+      safetyReason = "Alternative configured, needs typecheck+test";
+      fixAction = "Replace with configured alternative";
+      suggestion = fixAction;
+    } else {
+      safety = "unsafe";
+      safetyReason = `${input.type} requires structural changes`;
+      suggestion = "Restructure code to fix violation";
+    }
+  }
+  return {
+    id,
+    concern: input.concern,
+    file: input.file,
+    ...input.line !== void 0 ? { line: input.line } : {},
+    type: input.type,
+    description: input.description,
+    safety,
+    safetyReason,
+    hotspotDowngraded: false,
+    ...fixAction !== void 0 ? { fixAction } : {},
+    suggestion
+  };
+}
+function applyHotspotDowngrade(finding, hotspot) {
+  if (finding.safety !== "safe") return finding;
+  const churn = hotspot.churnMap.get(finding.file) ?? 0;
+  if (churn >= hotspot.topPercentileThreshold) {
+    return {
+      ...finding,
+      safety: "probably-safe",
+      safetyReason: `${finding.safetyReason}; downgraded due to high churn (${churn} commits)`,
+      hotspotDowngraded: true
+    };
+  }
+  return finding;
+}
+function deduplicateCleanupFindings(findings) {
+  const byFileAndLine = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const key = `${f.file}:${f.line ?? "none"}`;
+    const group = byFileAndLine.get(key) ?? [];
+    group.push(f);
+    byFileAndLine.set(key, group);
+  }
+  const result = [];
+  for (const group of byFileAndLine.values()) {
+    if (group.length === 1) {
+      result.push(group[0]);
+      continue;
+    }
+    const deadCode = group.find((f) => f.concern === "dead-code");
+    const arch = group.find((f) => f.concern === "architecture");
+    if (deadCode && arch) {
+      result.push({
+        ...deadCode,
+        description: `${deadCode.description} (also violates architecture: ${arch.type})`,
+        suggestion: deadCode.fixAction ? `${deadCode.fixAction} (resolves both dead code and architecture violation)` : deadCode.suggestion
+      });
+    } else {
+      result.push(...group);
+    }
+  }
+  return result;
+}
 var MustExportRuleSchema = z.object({
   type: z.literal("must-export"),
   names: z.array(z.string())
@@ -3492,7 +3662,7 @@ var BenchmarkRunner = class {
     }
     args.push("--reporter=json");
     try {
-      const rawOutput = execSync(`npx ${args.join(" ")}`, {
+      const rawOutput = execFileSync("npx", args, {
         cwd,
         encoding: "utf-8",
         timeout,
@@ -3726,11 +3896,17 @@ function generateId() {
   if (typeof globalThis !== "undefined" && "crypto" in globalThis && typeof globalThis.crypto.randomUUID === "function") {
     return globalThis.crypto.randomUUID();
   }
-  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function(c) {
-    const r = Math.random() * 16 | 0;
-    const v = c === "x" ? r : r & 3 | 8;
-    return v.toString(16);
-  });
+  if (typeof globalThis.crypto?.getRandomValues !== "function") {
+    throw new Error(
+      "No cryptographic random source available \u2014 requires Node.js 15+ or a browser with Web Crypto API"
+    );
+  }
+  const bytes = new Uint8Array(16);
+  globalThis.crypto.getRandomValues(bytes);
+  bytes[6] = bytes[6] & 15 | 64;
+  bytes[8] = bytes[8] & 63 | 128;
+  const hex = [...bytes].map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
 }
 var NoOpExecutor = class {
   name = "noop";
@@ -4612,7 +4788,7 @@ function getCurrentBranch(projectPath) {
     return cached.branch;
   }
   try {
-    const branch = execSync2("git rev-parse --abbrev-ref HEAD", {
+    const branch = execSync("git rev-parse --abbrev-ref HEAD", {
       cwd: projectPath,
       stdio: "pipe"
     }).toString().trim();
@@ -5068,10 +5244,21 @@ async function runMechanicalGate(projectPath) {
       }
     }
     const results = [];
+    const SAFE_GATE_COMMAND = /^(?:npm|pnpm|yarn)\s+(?:test|run\s+[\w.-]+|run-script\s+[\w.-]+)$|^go\s+(?:test|build|vet|fmt)\s+[\w./ -]+$|^(?:python|python3)\s+-m\s+[\w.-]+$|^make\s+[\w.-]+$|^cargo\s+(?:test|build|check|clippy)(?:\s+[\w./ -]+)?$|^(?:gradle|mvn)\s+[\w:.-]+$/;
     for (const check of checks) {
+      if (!SAFE_GATE_COMMAND.test(check.command)) {
+        results.push({
+          name: check.name,
+          passed: false,
+          command: check.command,
+          output: `Blocked: command does not match safe gate pattern. Allowed prefixes: npm, npx, pnpm, yarn, go, python, python3, make, cargo, gradle, mvn`,
+          duration: 0
+        });
+        continue;
+      }
       const start = Date.now();
       try {
-        execSync3(check.command, {
+        execSync2(check.command, {
           cwd: projectPath,
           stdio: "pipe",
           timeout: 12e4
@@ -5727,6 +5914,7 @@ var SecurityScanner = class {
       if (resolved === "off") continue;
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i] ?? "";
+        if (line.includes("harness-ignore") && line.includes(rule.id)) continue;
         for (const pattern of rule.patterns) {
           pattern.lastIndex = 0;
           if (pattern.test(line)) {
@@ -6025,6 +6213,1981 @@ async function runCIChecks(input) {
     return Err(error instanceof Error ? error : new Error(String(error)));
   }
 }
+async function runMechanicalChecks(options) {
+  const { projectRoot, config, skip = [], changedFiles } = options;
+  const findings = [];
+  const statuses = {
+    validate: "skip",
+    "check-deps": "skip",
+    "check-docs": "skip",
+    "security-scan": "skip"
+  };
+  if (!skip.includes("validate")) {
+    try {
+      const agentsPath = path6.join(projectRoot, config.agentsMapPath ?? "AGENTS.md");
+      const result = await validateAgentsMap(agentsPath);
+      if (!result.ok) {
+        statuses.validate = "fail";
+        findings.push({
+          tool: "validate",
+          file: agentsPath,
+          message: result.error.message,
+          severity: "error"
+        });
+      } else if (!result.value.valid) {
+        statuses.validate = "fail";
+        if (result.value.errors) {
+          for (const err of result.value.errors) {
+            findings.push({
+              tool: "validate",
+              file: agentsPath,
+              message: err.message,
+              severity: "error"
+            });
+          }
+        }
+        for (const section of result.value.missingSections) {
+          findings.push({
+            tool: "validate",
+            file: agentsPath,
+            message: `Missing section: ${section}`,
+            severity: "warning"
+          });
+        }
+      } else {
+        statuses.validate = "pass";
+      }
+    } catch (err) {
+      statuses.validate = "fail";
+      findings.push({
+        tool: "validate",
+        file: path6.join(projectRoot, "AGENTS.md"),
+        message: err instanceof Error ? err.message : String(err),
+        severity: "error"
+      });
+    }
+  }
+  if (!skip.includes("check-deps")) {
+    try {
+      const rawLayers = config.layers;
+      if (rawLayers && rawLayers.length > 0) {
+        const parser = new TypeScriptParser();
+        const layers = rawLayers.map(
+          (l) => defineLayer(
+            l.name,
+            Array.isArray(l.patterns) ? l.patterns : [l.pattern],
+            l.allowedDependencies
+          )
+        );
+        const result = await validateDependencies({
+          layers,
+          rootDir: projectRoot,
+          parser
+        });
+        if (!result.ok) {
+          statuses["check-deps"] = "fail";
+          findings.push({
+            tool: "check-deps",
+            file: projectRoot,
+            message: result.error.message,
+            severity: "error"
+          });
+        } else if (result.value.violations.length > 0) {
+          statuses["check-deps"] = "fail";
+          for (const v of result.value.violations) {
+            findings.push({
+              tool: "check-deps",
+              file: v.file,
+              line: v.line,
+              message: `Layer violation: ${v.fromLayer} -> ${v.toLayer}: ${v.reason}`,
+              severity: "error"
+            });
+          }
+        } else {
+          statuses["check-deps"] = "pass";
+        }
+      } else {
+        statuses["check-deps"] = "pass";
+      }
+    } catch (err) {
+      statuses["check-deps"] = "fail";
+      findings.push({
+        tool: "check-deps",
+        file: projectRoot,
+        message: err instanceof Error ? err.message : String(err),
+        severity: "error"
+      });
+    }
+  }
+  if (!skip.includes("check-docs")) {
+    try {
+      const docsDir = path6.join(projectRoot, config.docsDir ?? "docs");
+      const result = await checkDocCoverage("project", { docsDir });
+      if (!result.ok) {
+        statuses["check-docs"] = "warn";
+        findings.push({
+          tool: "check-docs",
+          file: docsDir,
+          message: result.error.message,
+          severity: "warning"
+        });
+      } else if (result.value.gaps && result.value.gaps.length > 0) {
+        statuses["check-docs"] = "warn";
+        for (const gap of result.value.gaps) {
+          findings.push({
+            tool: "check-docs",
+            file: gap.file,
+            message: `Undocumented: ${gap.file} (suggested: ${gap.suggestedSection})`,
+            severity: "warning"
+          });
+        }
+      } else {
+        statuses["check-docs"] = "pass";
+      }
+    } catch (err) {
+      statuses["check-docs"] = "warn";
+      findings.push({
+        tool: "check-docs",
+        file: path6.join(projectRoot, "docs"),
+        message: err instanceof Error ? err.message : String(err),
+        severity: "warning"
+      });
+    }
+  }
+  if (!skip.includes("security-scan")) {
+    try {
+      const securityConfig = parseSecurityConfig(config.security);
+      if (!securityConfig.enabled) {
+        statuses["security-scan"] = "skip";
+      } else {
+        const scanner = new SecurityScanner(securityConfig);
+        scanner.configureForProject(projectRoot);
+        const filesToScan = changedFiles ?? [];
+        const scanResult = await scanner.scanFiles(filesToScan);
+        if (scanResult.findings.length > 0) {
+          statuses["security-scan"] = "warn";
+          for (const f of scanResult.findings) {
+            findings.push({
+              tool: "security-scan",
+              file: f.file,
+              line: f.line,
+              ruleId: f.ruleId,
+              message: f.message,
+              severity: f.severity === "info" ? "warning" : f.severity
+            });
+          }
+        } else {
+          statuses["security-scan"] = "pass";
+        }
+      }
+    } catch (err) {
+      statuses["security-scan"] = "warn";
+      findings.push({
+        tool: "security-scan",
+        file: projectRoot,
+        message: err instanceof Error ? err.message : String(err),
+        severity: "warning"
+      });
+    }
+  }
+  const hasErrors = findings.some((f) => f.severity === "error");
+  const stopPipeline = statuses.validate === "fail" || statuses["check-deps"] === "fail";
+  return Ok({
+    pass: !hasErrors,
+    stopPipeline,
+    findings,
+    checks: {
+      validate: statuses.validate,
+      checkDeps: statuses["check-deps"],
+      checkDocs: statuses["check-docs"],
+      securityScan: statuses["security-scan"]
+    }
+  });
+}
+var ExclusionSet = class {
+  /** Findings indexed by file path for O(1) file lookup */
+  byFile;
+  allFindings;
+  constructor(findings) {
+    this.allFindings = [...findings];
+    this.byFile = /* @__PURE__ */ new Map();
+    for (const f of findings) {
+      const existing = this.byFile.get(f.file);
+      if (existing) {
+        existing.push(f);
+      } else {
+        this.byFile.set(f.file, [f]);
+      }
+    }
+  }
+  /**
+   * Returns true if any mechanical finding covers the given file + line range.
+   *
+   * A mechanical finding "covers" a range if:
+   * - The file matches, AND
+   * - The finding has no line (file-level finding — covers everything), OR
+   * - The finding's line falls within [startLine, endLine] inclusive.
+   */
+  isExcluded(file, lineRange) {
+    const fileFindings = this.byFile.get(file);
+    if (!fileFindings) return false;
+    const [start, end] = lineRange;
+    return fileFindings.some((f) => {
+      if (f.line === void 0) return true;
+      return f.line >= start && f.line <= end;
+    });
+  }
+  /** Number of findings in the set */
+  get size() {
+    return this.allFindings.length;
+  }
+  /** Returns a copy of all findings */
+  getFindings() {
+    return [...this.allFindings];
+  }
+};
+function buildExclusionSet(findings) {
+  return new ExclusionSet(findings);
+}
+var PREFIX_PATTERNS = [
+  { pattern: /^(feat|feature)(\([^)]*\))?:/i, type: "feature" },
+  { pattern: /^(fix|bugfix)(\([^)]*\))?:/i, type: "bugfix" },
+  { pattern: /^refactor(\([^)]*\))?:/i, type: "refactor" },
+  { pattern: /^docs?(\([^)]*\))?:/i, type: "docs" }
+];
+var TEST_FILE_PATTERN = /\.(test|spec)\.(ts|tsx|js|jsx|mts|cts)$/;
+var MD_FILE_PATTERN = /\.md$/;
+function detectChangeType(commitMessage, diff) {
+  const trimmed = commitMessage.trim();
+  for (const { pattern, type } of PREFIX_PATTERNS) {
+    if (pattern.test(trimmed)) {
+      return type;
+    }
+  }
+  if (diff.changedFiles.length > 0 && diff.changedFiles.every((f) => MD_FILE_PATTERN.test(f))) {
+    return "docs";
+  }
+  const newNonTestFiles = diff.newFiles.filter((f) => !TEST_FILE_PATTERN.test(f));
+  if (newNonTestFiles.length > 0) {
+    return "feature";
+  }
+  const hasNewTestFile = diff.newFiles.some((f) => TEST_FILE_PATTERN.test(f));
+  if (diff.totalDiffLines < 20 && hasNewTestFile) {
+    return "bugfix";
+  }
+  return "feature";
+}
+var ALL_DOMAINS = ["compliance", "bug", "security", "architecture"];
+var SECURITY_PATTERNS = /auth|crypto|password|secret|token|session|cookie|hash|encrypt|decrypt|sql|shell|exec|eval/i;
+function computeContextBudget(diffLines) {
+  if (diffLines < 20) return diffLines * 3;
+  return diffLines;
+}
+function isWithinProject(absPath, projectRoot) {
+  const resolvedRoot = path7.resolve(projectRoot) + path7.sep;
+  const resolvedPath = path7.resolve(absPath);
+  return resolvedPath.startsWith(resolvedRoot) || resolvedPath === path7.resolve(projectRoot);
+}
+async function readContextFile(projectRoot, filePath, reason) {
+  const absPath = path7.isAbsolute(filePath) ? filePath : path7.join(projectRoot, filePath);
+  if (!isWithinProject(absPath, projectRoot)) return null;
+  const result = await readFileContent(absPath);
+  if (!result.ok) return null;
+  const content = result.value;
+  const lines = content.split("\n").length;
+  const relPath = path7.isAbsolute(filePath) ? path7.relative(projectRoot, filePath) : filePath;
+  return { path: relPath, content, reason, lines };
+}
+function extractImportSources(content) {
+  const sources = [];
+  const importRegex = /(?:import\s+(?:.*?\s+from\s+)?['"]([^'"]+)['"]|require\(\s*['"]([^'"]+)['"]\s*\))/g;
+  let match;
+  while ((match = importRegex.exec(content)) !== null) {
+    const source = match[1] ?? match[2];
+    if (source) sources.push(source);
+  }
+  return sources;
+}
+async function resolveImportPath2(projectRoot, fromFile, importSource) {
+  if (!importSource.startsWith(".")) return null;
+  const fromDir = path7.dirname(path7.join(projectRoot, fromFile));
+  const basePath = path7.resolve(fromDir, importSource);
+  if (!isWithinProject(basePath, projectRoot)) return null;
+  const relBase = path7.relative(projectRoot, basePath);
+  const candidates = [
+    relBase + ".ts",
+    relBase + ".tsx",
+    relBase + ".mts",
+    path7.join(relBase, "index.ts")
+  ];
+  for (const candidate of candidates) {
+    const absCandidate = path7.join(projectRoot, candidate);
+    if (await fileExists(absCandidate)) {
+      return candidate;
+    }
+  }
+  return null;
+}
+async function findTestFiles(projectRoot, sourceFile) {
+  const baseName = path7.basename(sourceFile, path7.extname(sourceFile));
+  const pattern = `**/${baseName}.{test,spec}.{ts,tsx,mts}`;
+  const results = await findFiles(pattern, projectRoot);
+  return results.map((f) => path7.relative(projectRoot, f));
+}
+async function gatherImportContext(projectRoot, changedFiles, budget) {
+  const contextFiles = [];
+  let linesGathered = 0;
+  const seen = new Set(changedFiles.map((f) => f.path));
+  for (const cf of changedFiles) {
+    if (linesGathered >= budget) break;
+    const sources = extractImportSources(cf.content);
+    for (const source of sources) {
+      if (linesGathered >= budget) break;
+      const resolved = await resolveImportPath2(projectRoot, cf.path, source);
+      if (resolved && !seen.has(resolved)) {
+        seen.add(resolved);
+        const contextFile = await readContextFile(projectRoot, resolved, "import");
+        if (contextFile) {
+          contextFiles.push(contextFile);
+          linesGathered += contextFile.lines;
+        }
+      }
+    }
+  }
+  return contextFiles;
+}
+async function gatherGraphDependencyContext(projectRoot, changedFilePaths, graph, budget) {
+  const contextFiles = [];
+  let linesGathered = 0;
+  const seen = new Set(changedFilePaths);
+  for (const filePath of changedFilePaths) {
+    if (linesGathered >= budget) break;
+    let deps;
+    try {
+      deps = await graph.getDependencies(filePath);
+    } catch {
+      continue;
+    }
+    for (const dep of deps) {
+      if (linesGathered >= budget) break;
+      if (seen.has(dep)) continue;
+      seen.add(dep);
+      const contextFile = await readContextFile(projectRoot, dep, "graph-dependency");
+      if (contextFile) {
+        contextFiles.push(contextFile);
+        linesGathered += contextFile.lines;
+      }
+    }
+  }
+  return contextFiles;
+}
+async function gatherTestContext(projectRoot, changedFilePaths, graph) {
+  const testFiles = [];
+  const seen = /* @__PURE__ */ new Set();
+  if (graph) {
+    for (const filePath of changedFilePaths) {
+      let impact;
+      try {
+        impact = await graph.getImpact(filePath);
+      } catch {
+        continue;
+      }
+      for (const testFile of impact.tests) {
+        if (seen.has(testFile)) continue;
+        seen.add(testFile);
+        const cf = await readContextFile(projectRoot, testFile, "test");
+        if (cf) testFiles.push(cf);
+      }
+    }
+  } else {
+    for (const filePath of changedFilePaths) {
+      const found = await findTestFiles(projectRoot, filePath);
+      for (const testFile of found) {
+        if (seen.has(testFile)) continue;
+        seen.add(testFile);
+        const cf = await readContextFile(projectRoot, testFile, "test");
+        if (cf) testFiles.push(cf);
+      }
+    }
+  }
+  return testFiles;
+}
+async function scopeComplianceContext(projectRoot, _changedFiles, options) {
+  const contextFiles = [];
+  const conventionFiles = options.conventionFiles ?? ["CLAUDE.md", "AGENTS.md"];
+  for (const cf of conventionFiles) {
+    const file = await readContextFile(projectRoot, cf, "convention");
+    if (file) contextFiles.push(file);
+  }
+  return contextFiles;
+}
+async function scopeBugContext(projectRoot, changedFiles, budget, options) {
+  const contextFiles = [];
+  const changedPaths = changedFiles.map((f) => f.path);
+  if (options.graph) {
+    const deps = await gatherGraphDependencyContext(
+      projectRoot,
+      changedPaths,
+      options.graph,
+      budget
+    );
+    contextFiles.push(...deps);
+  } else {
+    const deps = await gatherImportContext(projectRoot, changedFiles, budget);
+    contextFiles.push(...deps);
+  }
+  const tests = await gatherTestContext(projectRoot, changedPaths, options.graph);
+  contextFiles.push(...tests);
+  return contextFiles;
+}
+async function scopeSecurityContext(projectRoot, changedFiles, budget, options) {
+  const contextFiles = [];
+  const changedPaths = changedFiles.map((f) => f.path);
+  if (options.graph) {
+    const allPaths = [];
+    for (const filePath of changedPaths) {
+      try {
+        const deps = await options.graph.getDependencies(filePath);
+        allPaths.push(...deps);
+      } catch {
+        continue;
+      }
+    }
+    const uniquePaths = [...new Set(allPaths)];
+    const securityFirst = uniquePaths.sort((a, b) => {
+      const aMatch = SECURITY_PATTERNS.test(a) ? 0 : 1;
+      const bMatch = SECURITY_PATTERNS.test(b) ? 0 : 1;
+      return aMatch - bMatch;
+    });
+    for (const depPath of securityFirst) {
+      if (contextFiles.reduce((sum, f) => sum + f.lines, 0) >= budget) break;
+      const cf = await readContextFile(projectRoot, depPath, "graph-dependency");
+      if (cf) contextFiles.push(cf);
+    }
+  } else {
+    const deps = await gatherImportContext(projectRoot, changedFiles, budget);
+    contextFiles.push(...deps);
+  }
+  return contextFiles;
+}
+async function scopeArchitectureContext(projectRoot, changedFiles, budget, options) {
+  const contextFiles = [];
+  const changedPaths = changedFiles.map((f) => f.path);
+  if (options.graph) {
+    let linesGathered = 0;
+    for (const filePath of changedPaths) {
+      if (linesGathered >= budget) break;
+      let impact;
+      try {
+        impact = await options.graph.getImpact(filePath);
+      } catch {
+        continue;
+      }
+      for (const codePath of impact.code) {
+        if (linesGathered >= budget) break;
+        const cf = await readContextFile(projectRoot, codePath, "graph-impact");
+        if (cf) {
+          contextFiles.push(cf);
+          linesGathered += cf.lines;
+        }
+      }
+    }
+  } else {
+    const deps = await gatherImportContext(projectRoot, changedFiles, budget);
+    contextFiles.push(...deps);
+    if (options.checkDepsOutput) {
+      contextFiles.push({
+        path: "harness-check-deps-output",
+        content: options.checkDepsOutput,
+        lines: options.checkDepsOutput.split("\n").length,
+        reason: "convention"
+      });
+    }
+  }
+  return contextFiles;
+}
+async function scopeContext(options) {
+  const { projectRoot, diff, commitMessage } = options;
+  const changeType = detectChangeType(commitMessage, diff);
+  const budget = computeContextBudget(diff.totalDiffLines);
+  const changedFiles = [];
+  for (const filePath of diff.changedFiles) {
+    const cf = await readContextFile(projectRoot, filePath, "changed");
+    if (cf) changedFiles.push(cf);
+  }
+  const scopers = {
+    compliance: () => scopeComplianceContext(projectRoot, changedFiles, options),
+    bug: () => scopeBugContext(projectRoot, changedFiles, budget, options),
+    security: () => scopeSecurityContext(projectRoot, changedFiles, budget, options),
+    architecture: () => scopeArchitectureContext(projectRoot, changedFiles, budget, options)
+  };
+  const bundles = [];
+  for (const domain of ALL_DOMAINS) {
+    const contextFiles = await scopers[domain]();
+    const contextLines = contextFiles.reduce((sum, f) => sum + f.lines, 0);
+    bundles.push({
+      domain,
+      changeType,
+      changedFiles: [...changedFiles],
+      contextFiles,
+      commitHistory: options.commitHistory ?? [],
+      diffLines: diff.totalDiffLines,
+      contextLines
+    });
+  }
+  return bundles;
+}
+var SEVERITY_RANK = {
+  suggestion: 0,
+  important: 1,
+  critical: 2
+};
+var SEVERITY_ORDER = ["critical", "important", "suggestion"];
+var SEVERITY_LABELS = {
+  critical: "Critical",
+  important: "Important",
+  suggestion: "Suggestion"
+};
+var VALIDATED_BY_RANK = {
+  mechanical: 0,
+  heuristic: 1,
+  graph: 2
+};
+function makeFindingId(domain, file, line, title) {
+  const hash = title.slice(0, 20).replace(/[^a-zA-Z0-9]/g, "");
+  return `${domain}-${file.replace(/[^a-zA-Z0-9]/g, "-")}-${line}-${hash}`;
+}
+var COMPLIANCE_DESCRIPTOR = {
+  domain: "compliance",
+  tier: "standard",
+  displayName: "Compliance",
+  focusAreas: [
+    "Spec alignment \u2014 implementation matches design doc",
+    "API surface \u2014 new public interfaces are minimal and well-named",
+    "Backward compatibility \u2014 no breaking changes without migration path",
+    "Convention adherence \u2014 project conventions from CLAUDE.md/AGENTS.md followed",
+    "Documentation completeness \u2014 all public interfaces documented"
+  ]
+};
+function extractConventionRules(bundle) {
+  const rules = [];
+  const conventionFiles = bundle.contextFiles.filter((f) => f.reason === "convention");
+  for (const file of conventionFiles) {
+    const lines = file.content.split("\n");
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith("- ") || trimmed.startsWith("* ")) {
+        rules.push({ text: trimmed.slice(2).trim(), source: file.path });
+      }
+    }
+  }
+  return rules;
+}
+function findMissingJsDoc(bundle) {
+  const missing = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const exportMatch = line.match(
+        /export\s+(?:async\s+)?(?:function|const|class|interface|type)\s+(\w+)/
+      );
+      if (exportMatch) {
+        let hasJsDoc = false;
+        for (let j = i - 1; j >= 0; j--) {
+          const prev = lines[j].trim();
+          if (prev === "") continue;
+          if (prev.endsWith("*/")) {
+            hasJsDoc = true;
+          }
+          break;
+        }
+        if (!hasJsDoc) {
+          missing.push({
+            file: cf.path,
+            line: i + 1,
+            exportName: exportMatch[1]
+          });
+        }
+      }
+    }
+  }
+  return missing;
+}
+function runComplianceAgent(bundle) {
+  const findings = [];
+  const rules = extractConventionRules(bundle);
+  const jsDocRuleExists = rules.some((r) => r.text.toLowerCase().includes("jsdoc"));
+  if (jsDocRuleExists) {
+    const missingDocs = findMissingJsDoc(bundle);
+    for (const m of missingDocs) {
+      findings.push({
+        id: makeFindingId("compliance", m.file, m.line, `Missing JSDoc ${m.exportName}`),
+        file: m.file,
+        lineRange: [m.line, m.line],
+        domain: "compliance",
+        severity: "important",
+        title: `Missing JSDoc on exported \`${m.exportName}\``,
+        rationale: `Convention requires all exports to have JSDoc comments (from ${rules.find((r) => r.text.toLowerCase().includes("jsdoc"))?.source ?? "conventions"}).`,
+        suggestion: `Add a JSDoc comment above the export of \`${m.exportName}\`.`,
+        evidence: [
+          `changeType: ${bundle.changeType}`,
+          `Convention rule: "${rules.find((r) => r.text.toLowerCase().includes("jsdoc"))?.text ?? ""}"`
+        ],
+        validatedBy: "heuristic"
+      });
+    }
+  }
+  switch (bundle.changeType) {
+    case "feature": {
+      const hasSpecContext = bundle.contextFiles.some(
+        (f) => f.reason === "spec" || f.reason === "convention"
+      );
+      if (!hasSpecContext && bundle.changedFiles.length > 0) {
+        const firstFile = bundle.changedFiles[0];
+        findings.push({
+          id: makeFindingId("compliance", firstFile.path, 1, "No spec for feature"),
+          file: firstFile.path,
+          lineRange: [1, 1],
+          domain: "compliance",
+          severity: "suggestion",
+          title: "No spec/design doc found for feature change",
+          rationale: "Feature changes should reference a spec or design doc to verify alignment. No spec context was included in the review bundle.",
+          evidence: [`changeType: feature`, `contextFiles count: ${bundle.contextFiles.length}`],
+          validatedBy: "heuristic"
+        });
+      }
+      break;
+    }
+    case "bugfix": {
+      if (bundle.commitHistory.length === 0 && bundle.changedFiles.length > 0) {
+        const firstFile = bundle.changedFiles[0];
+        findings.push({
+          id: makeFindingId("compliance", firstFile.path, 1, "Bugfix no history"),
+          file: firstFile.path,
+          lineRange: [1, 1],
+          domain: "compliance",
+          severity: "suggestion",
+          title: "Bugfix without commit history context",
+          rationale: "Bugfix changes benefit from commit history to verify the root cause is addressed, not just the symptom. No commit history was provided.",
+          evidence: [`changeType: bugfix`, `commitHistory entries: ${bundle.commitHistory.length}`],
+          validatedBy: "heuristic"
+        });
+      }
+      break;
+    }
+    case "refactor": {
+      break;
+    }
+    case "docs": {
+      break;
+    }
+  }
+  const resultTypeRule = rules.find((r) => r.text.toLowerCase().includes("result type"));
+  if (resultTypeRule) {
+    for (const cf of bundle.changedFiles) {
+      const hasTryCatch = cf.content.includes("try {") || cf.content.includes("try{");
+      const usesResult = cf.content.includes("Result<") || cf.content.includes("Result >") || cf.content.includes(": Result");
+      if (hasTryCatch && !usesResult) {
+        findings.push({
+          id: makeFindingId("compliance", cf.path, 1, "try-catch not Result"),
+          file: cf.path,
+          lineRange: [1, cf.lines],
+          domain: "compliance",
+          severity: "suggestion",
+          title: "Fallible operation uses try/catch instead of Result type",
+          rationale: `Convention requires using Result type for fallible operations (from ${resultTypeRule.source}).`,
+          suggestion: "Refactor error handling to use the Result type pattern.",
+          evidence: [
+            `changeType: ${bundle.changeType}`,
+            `Convention rule: "${resultTypeRule.text}"`
+          ],
+          validatedBy: "heuristic"
+        });
+      }
+    }
+  }
+  return findings;
+}
+var BUG_DETECTION_DESCRIPTOR = {
+  domain: "bug",
+  tier: "strong",
+  displayName: "Bug Detection",
+  focusAreas: [
+    "Edge cases \u2014 boundary conditions, empty input, max values, null, concurrent access",
+    "Error handling \u2014 errors handled at appropriate level, no silent swallowing",
+    "Logic errors \u2014 off-by-one, incorrect boolean logic, missing early returns",
+    "Race conditions \u2014 concurrent access to shared state",
+    "Resource leaks \u2014 unclosed handles, missing cleanup in error paths",
+    "Type safety \u2014 type mismatches, unsafe casts, missing null checks",
+    "Test coverage \u2014 tests for happy path, error paths, and edge cases"
+  ]
+};
+function detectDivisionByZero(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (line.match(/[^=!<>]\s*\/\s*[a-zA-Z_]\w*/) && !line.includes("//")) {
+        const preceding = lines.slice(Math.max(0, i - 3), i).join("\n");
+        if (!preceding.includes("=== 0") && !preceding.includes("!== 0") && !preceding.includes("== 0") && !preceding.includes("!= 0")) {
+          findings.push({
+            id: makeFindingId("bug", cf.path, i + 1, "division by zero"),
+            file: cf.path,
+            lineRange: [i + 1, i + 1],
+            domain: "bug",
+            severity: "important",
+            title: "Potential division by zero without guard",
+            rationale: "Division operation found without a preceding zero check on the divisor. This can cause Infinity or NaN at runtime.",
+            suggestion: "Add a check for zero before dividing, or use a safe division utility.",
+            evidence: [`Line ${i + 1}: ${line.trim()}`],
+            validatedBy: "heuristic"
+          });
+        }
+      }
+    }
+  }
+  return findings;
+}
+function detectEmptyCatch(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (line.match(/catch\s*\([^)]*\)\s*\{\s*\}/) || line.match(/catch\s*\([^)]*\)\s*\{/) && i + 1 < lines.length && lines[i + 1].trim() === "}") {
+        findings.push({
+          id: makeFindingId("bug", cf.path, i + 1, "empty catch block"),
+          file: cf.path,
+          lineRange: [i + 1, i + 2],
+          domain: "bug",
+          severity: "important",
+          title: "Empty catch block silently swallows error",
+          rationale: "Catching an error without handling, logging, or re-throwing it hides failures and makes debugging difficult.",
+          suggestion: "Log the error, re-throw it, or handle it explicitly. If intentionally ignoring, add a comment explaining why.",
+          evidence: [`Line ${i + 1}: ${line.trim()}`],
+          validatedBy: "heuristic"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function detectMissingTests(bundle) {
+  const findings = [];
+  const hasTestFiles = bundle.contextFiles.some((f) => f.reason === "test");
+  if (!hasTestFiles) {
+    const sourceFiles = bundle.changedFiles.filter(
+      (f) => !f.path.match(/\.(test|spec)\.(ts|tsx|js|jsx)$/)
+    );
+    if (sourceFiles.length > 0) {
+      const firstFile = sourceFiles[0];
+      findings.push({
+        id: makeFindingId("bug", firstFile.path, 1, "no test files"),
+        file: firstFile.path,
+        lineRange: [1, 1],
+        domain: "bug",
+        severity: "suggestion",
+        title: "No test files found for changed source files",
+        rationale: "Changed source files should have corresponding test files. No test files were found in the review context.",
+        evidence: [`Source files without tests: ${sourceFiles.map((f) => f.path).join(", ")}`],
+        validatedBy: "heuristic"
+      });
+    }
+  }
+  return findings;
+}
+function runBugDetectionAgent(bundle) {
+  const findings = [];
+  findings.push(...detectDivisionByZero(bundle));
+  findings.push(...detectEmptyCatch(bundle));
+  findings.push(...detectMissingTests(bundle));
+  return findings;
+}
+var SECURITY_DESCRIPTOR = {
+  domain: "security",
+  tier: "strong",
+  displayName: "Security",
+  focusAreas: [
+    "Input validation \u2014 user input flowing to dangerous sinks (SQL, shell, HTML)",
+    "Authorization \u2014 missing auth checks on new/modified endpoints",
+    "Data exposure \u2014 sensitive data in logs, error messages, API responses",
+    "Authentication bypass \u2014 paths introduced by the change",
+    "Insecure defaults \u2014 new configuration options with unsafe defaults",
+    "Node.js specific \u2014 prototype pollution, ReDoS, path traversal"
+  ]
+};
+var EVAL_PATTERN = /\beval\s*\(|new\s+Function\s*\(/;
+var SECRET_PATTERNS = [
+  /(?:api[_-]?key|secret|password|token|private[_-]?key)\s*=\s*["'][^"']{8,}/i,
+  /["'](?:sk|pk|api|key|secret|token|password)[-_][a-zA-Z0-9]{10,}["']/i
+];
+var SQL_CONCAT_PATTERN = /(?:SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)\s+.*?\+\s*\w+|`[^`]*\$\{[^}]*\}[^`]*(?:SELECT|INSERT|UPDATE|DELETE|WHERE)/i;
+var SHELL_EXEC_PATTERN = /(?:exec|execSync|spawn|spawnSync)\s*\(\s*`[^`]*\$\{/;
+function detectEvalUsage(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (EVAL_PATTERN.test(line)) {
+        findings.push({
+          id: makeFindingId("security", cf.path, i + 1, "eval usage CWE-94"),
+          file: cf.path,
+          lineRange: [i + 1, i + 1],
+          domain: "security",
+          severity: "critical",
+          title: `Dangerous ${"eval"}() or new ${"Function"}() usage`,
+          rationale: `${"eval"}() and new ${"Function"}() execute arbitrary code. If user input reaches these calls, it enables Remote Code Execution (CWE-94).`,
+          suggestion: "Replace eval/Function with a safe alternative (JSON.parse for data, a sandboxed evaluator for expressions).",
+          evidence: [`Line ${i + 1}: ${line.trim()}`],
+          validatedBy: "heuristic",
+          cweId: "CWE-94",
+          owaspCategory: "A03:2021 Injection",
+          confidence: "high",
+          remediation: "Replace eval/Function with a safe alternative (JSON.parse for data, a sandboxed evaluator for expressions).",
+          references: [
+            "https://cwe.mitre.org/data/definitions/94.html",
+            "https://owasp.org/Top10/A03_2021-Injection/"
+          ]
+        });
+      }
+    }
+  }
+  return findings;
+}
+function detectHardcodedSecrets(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const codePart = line.includes("//") ? line.slice(0, line.indexOf("//")) : line;
+      for (const pattern of SECRET_PATTERNS) {
+        if (pattern.test(codePart)) {
+          findings.push({
+            id: makeFindingId("security", cf.path, i + 1, "hardcoded secret CWE-798"),
+            file: cf.path,
+            lineRange: [i + 1, i + 1],
+            domain: "security",
+            severity: "critical",
+            title: "Hardcoded secret or API key detected",
+            rationale: "Hardcoded secrets in source code can be extracted from version history even after removal. Use environment variables or a secrets manager (CWE-798).",
+            suggestion: "Move the secret to an environment variable and access it via process.env.",
+            evidence: [`Line ${i + 1}: [secret detected \u2014 value redacted]`],
+            validatedBy: "heuristic",
+            cweId: "CWE-798",
+            owaspCategory: "A07:2021 Identification and Authentication Failures",
+            confidence: "high",
+            remediation: "Move the secret to an environment variable and access it via process.env.",
+            references: [
+              "https://cwe.mitre.org/data/definitions/798.html",
+              "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
+            ]
+          });
+          break;
+        }
+      }
+    }
+  }
+  return findings;
+}
+function detectSqlInjection(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (SQL_CONCAT_PATTERN.test(line)) {
+        findings.push({
+          id: makeFindingId("security", cf.path, i + 1, "SQL injection CWE-89"),
+          file: cf.path,
+          lineRange: [i + 1, i + 1],
+          domain: "security",
+          severity: "critical",
+          title: "Potential SQL injection via string concatenation",
+          rationale: "Building SQL queries with string concatenation or template literals allows attackers to inject malicious SQL (CWE-89).",
+          suggestion: "Use parameterized queries or a query builder (e.g., Knex, Prisma) instead of string concatenation.",
+          evidence: [`Line ${i + 1}: ${line.trim()}`],
+          validatedBy: "heuristic",
+          cweId: "CWE-89",
+          owaspCategory: "A03:2021 Injection",
+          confidence: "high",
+          remediation: "Use parameterized queries or a query builder (e.g., Knex, Prisma) instead of string concatenation.",
+          references: [
+            "https://cwe.mitre.org/data/definitions/89.html",
+            "https://owasp.org/Top10/A03_2021-Injection/"
+          ]
+        });
+      }
+    }
+  }
+  return findings;
+}
+function detectCommandInjection(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (SHELL_EXEC_PATTERN.test(line)) {
+        findings.push({
+          id: makeFindingId("security", cf.path, i + 1, "command injection CWE-78"),
+          file: cf.path,
+          lineRange: [i + 1, i + 1],
+          domain: "security",
+          severity: "critical",
+          title: "Potential command injection via shell exec with interpolation",
+          rationale: "Using exec/spawn with template literal interpolation allows attackers to inject shell commands (CWE-78).",
+          suggestion: "Use execFile or spawn with an arguments array instead of shell string interpolation.",
+          evidence: [`Line ${i + 1}: ${line.trim()}`],
+          validatedBy: "heuristic",
+          cweId: "CWE-78",
+          owaspCategory: "A03:2021 Injection",
+          confidence: "high",
+          remediation: "Use execFile or spawn with an arguments array instead of shell string interpolation.",
+          references: [
+            "https://cwe.mitre.org/data/definitions/78.html",
+            "https://owasp.org/Top10/A03_2021-Injection/"
+          ]
+        });
+      }
+    }
+  }
+  return findings;
+}
+function runSecurityAgent(bundle) {
+  const findings = [];
+  findings.push(...detectEvalUsage(bundle));
+  findings.push(...detectHardcodedSecrets(bundle));
+  findings.push(...detectSqlInjection(bundle));
+  findings.push(...detectCommandInjection(bundle));
+  return findings;
+}
+var ARCHITECTURE_DESCRIPTOR = {
+  domain: "architecture",
+  tier: "standard",
+  displayName: "Architecture",
+  focusAreas: [
+    "Layer compliance \u2014 imports flow in the correct direction per architectural layers",
+    "Dependency direction \u2014 modules depend on abstractions, not concretions",
+    "Single Responsibility \u2014 each module has one reason to change",
+    "Pattern consistency \u2014 code follows established codebase patterns",
+    "Separation of concerns \u2014 business logic separated from infrastructure",
+    "DRY violations \u2014 duplicated logic that should be extracted (excluding intentional duplication)"
+  ]
+};
+var LARGE_FILE_THRESHOLD = 300;
+function detectLayerViolations(bundle) {
+  const findings = [];
+  const checkDepsFile = bundle.contextFiles.find((f) => f.path === "harness-check-deps-output");
+  if (!checkDepsFile) return findings;
+  const lines = checkDepsFile.content.split("\n");
+  for (const line of lines) {
+    if (line.toLowerCase().includes("violation") || line.toLowerCase().includes("layer")) {
+      const fileMatch = line.match(/(?:in\s+)?(\S+\.(?:ts|tsx|js|jsx))(?::(\d+))?/);
+      const file = fileMatch?.[1] ?? bundle.changedFiles[0]?.path ?? "unknown";
+      const lineNum = fileMatch?.[2] ? parseInt(fileMatch[2], 10) : 1;
+      findings.push({
+        id: makeFindingId("arch", file, lineNum, "layer violation"),
+        file,
+        lineRange: [lineNum, lineNum],
+        domain: "architecture",
+        severity: "critical",
+        title: "Layer boundary violation detected by check-deps",
+        rationale: `Architectural layer violation: ${line.trim()}. Imports must flow in the correct direction per the project's layer definitions.`,
+        suggestion: "Route the dependency through the correct intermediate layer (e.g., routes -> services -> db, not routes -> db).",
+        evidence: [line.trim()],
+        validatedBy: "heuristic"
+      });
+    }
+  }
+  return findings;
+}
+function detectLargeFiles(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    if (cf.lines > LARGE_FILE_THRESHOLD) {
+      findings.push({
+        id: makeFindingId("arch", cf.path, 1, "large file SRP"),
+        file: cf.path,
+        lineRange: [1, cf.lines],
+        domain: "architecture",
+        severity: "suggestion",
+        title: `Large file (${cf.lines} lines) may violate Single Responsibility`,
+        rationale: `Files over ${LARGE_FILE_THRESHOLD} lines often contain multiple responsibilities. Consider splitting into focused modules.`,
+        suggestion: "Identify distinct responsibilities and extract them into separate modules.",
+        evidence: [`File has ${cf.lines} lines (threshold: ${LARGE_FILE_THRESHOLD})`],
+        validatedBy: "heuristic"
+      });
+    }
+  }
+  return findings;
+}
+function detectCircularImports(bundle) {
+  const findings = [];
+  const changedPaths = new Set(bundle.changedFiles.map((f) => f.path));
+  for (const cf of bundle.changedFiles) {
+    const importRegex = /import\s+.*?from\s+['"]([^'"]+)['"]/g;
+    let match;
+    const imports = /* @__PURE__ */ new Set();
+    while ((match = importRegex.exec(cf.content)) !== null) {
+      const source = match[1];
+      if (source.startsWith(".")) {
+        imports.add(source.replace(/^\.\//, "").replace(/^\.\.\//, ""));
+      }
+    }
+    for (const ctxFile of bundle.contextFiles) {
+      if (ctxFile.reason !== "import" && ctxFile.reason !== "graph-dependency") continue;
+      const ctxImportRegex = /import\s+.*?from\s+['"]([^'"]+)['"]/g;
+      let ctxMatch;
+      while ((ctxMatch = ctxImportRegex.exec(ctxFile.content)) !== null) {
+        const ctxSource = ctxMatch[1];
+        if (ctxSource.startsWith(".")) {
+          for (const changedPath of changedPaths) {
+            const baseName = changedPath.replace(/.*\//, "").replace(/\.(ts|tsx|js|jsx)$/, "");
+            if (ctxSource.includes(baseName) && imports.has(ctxFile.path.replace(/.*\//, "").replace(/\.(ts|tsx|js|jsx)$/, ""))) {
+              findings.push({
+                id: makeFindingId("arch", cf.path, 1, `circular ${ctxFile.path}`),
+                file: cf.path,
+                lineRange: [1, 1],
+                domain: "architecture",
+                severity: "important",
+                title: `Potential circular import between ${cf.path} and ${ctxFile.path}`,
+                rationale: "Circular imports can cause runtime issues (undefined values at import time) and indicate tightly coupled modules that should be refactored.",
+                suggestion: "Extract shared types/interfaces into a separate module that both files can import from.",
+                evidence: [`${cf.path} imports from a module that also imports from ${cf.path}`],
+                validatedBy: "heuristic"
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+  return findings;
+}
+function runArchitectureAgent(bundle) {
+  const findings = [];
+  findings.push(...detectLayerViolations(bundle));
+  findings.push(...detectLargeFiles(bundle));
+  findings.push(...detectCircularImports(bundle));
+  return findings;
+}
+var AGENT_DESCRIPTORS = {
+  compliance: COMPLIANCE_DESCRIPTOR,
+  bug: BUG_DETECTION_DESCRIPTOR,
+  security: SECURITY_DESCRIPTOR,
+  architecture: ARCHITECTURE_DESCRIPTOR
+};
+var AGENT_RUNNERS = {
+  compliance: runComplianceAgent,
+  bug: runBugDetectionAgent,
+  security: runSecurityAgent,
+  architecture: runArchitectureAgent
+};
+async function runAgent(bundle) {
+  const start = Date.now();
+  const runner = AGENT_RUNNERS[bundle.domain];
+  const findings = runner(bundle);
+  const durationMs = Date.now() - start;
+  return {
+    domain: bundle.domain,
+    findings,
+    durationMs
+  };
+}
+async function fanOutReview(options) {
+  const { bundles } = options;
+  if (bundles.length === 0) return [];
+  const results = await Promise.all(bundles.map((bundle) => runAgent(bundle)));
+  return results;
+}
+var DOWNGRADE_MAP = {
+  critical: "important",
+  important: "suggestion",
+  suggestion: "suggestion"
+};
+function extractCrossFileRefs(finding) {
+  const refs = [];
+  const crossFilePattern = /([^\s]+\.(?:ts|tsx|js|jsx))\s+affects\s+([^\s]+\.(?:ts|tsx|js|jsx))/i;
+  for (const ev of finding.evidence) {
+    const match = ev.match(crossFilePattern);
+    if (match) {
+      refs.push({ from: match[1], to: match[2] });
+    }
+  }
+  return refs;
+}
+function normalizePath(filePath, projectRoot) {
+  let normalized = filePath;
+  if (path8.isAbsolute(normalized)) {
+    const root = projectRoot.endsWith(path8.sep) ? projectRoot : projectRoot + path8.sep;
+    if (normalized.startsWith(root)) {
+      normalized = normalized.slice(root.length);
+    }
+  }
+  if (normalized.startsWith("./")) {
+    normalized = normalized.slice(2);
+  }
+  return path8.normalize(normalized);
+}
+function followImportChain(fromFile, fileContents, maxDepth = 2) {
+  const visited = /* @__PURE__ */ new Set();
+  const queue = [{ file: fromFile, depth: 0 }];
+  while (queue.length > 0) {
+    const current = queue.shift();
+    if (visited.has(current.file) || current.depth > maxDepth) continue;
+    visited.add(current.file);
+    const content = fileContents.get(current.file);
+    if (!content) continue;
+    const importRegex = /import\s+.*?from\s+['"]([^'"]+)['"]/g;
+    let match;
+    while ((match = importRegex.exec(content)) !== null) {
+      const importPath = match[1];
+      if (!importPath.startsWith(".")) continue;
+      const dir = path8.dirname(current.file);
+      let resolved = path8.join(dir, importPath);
+      if (!resolved.match(/\.(ts|tsx|js|jsx)$/)) {
+        resolved += ".ts";
+      }
+      resolved = path8.normalize(resolved);
+      if (!visited.has(resolved) && current.depth + 1 <= maxDepth) {
+        queue.push({ file: resolved, depth: current.depth + 1 });
+      }
+    }
+  }
+  visited.delete(fromFile);
+  return visited;
+}
+async function validateFindings(options) {
+  const { findings, exclusionSet, graph, projectRoot, fileContents } = options;
+  const validated = [];
+  for (const finding of findings) {
+    const normalizedFile = normalizePath(finding.file, projectRoot);
+    if (exclusionSet.isExcluded(normalizedFile, finding.lineRange) || exclusionSet.isExcluded(finding.file, finding.lineRange)) {
+      continue;
+    }
+    const absoluteFile = path8.isAbsolute(finding.file) ? finding.file : path8.join(projectRoot, finding.file);
+    if (exclusionSet.isExcluded(absoluteFile, finding.lineRange)) {
+      continue;
+    }
+    const crossFileRefs = extractCrossFileRefs(finding);
+    if (crossFileRefs.length === 0) {
+      validated.push({ ...finding });
+      continue;
+    }
+    if (graph) {
+      try {
+        let allReachable = true;
+        for (const ref of crossFileRefs) {
+          const reachable = await graph.isReachable(ref.from, ref.to);
+          if (!reachable) {
+            allReachable = false;
+            break;
+          }
+        }
+        if (allReachable) {
+          validated.push({ ...finding, validatedBy: "graph" });
+        }
+        continue;
+      } catch {
+      }
+    }
+    {
+      let chainValidated = false;
+      if (fileContents) {
+        for (const ref of crossFileRefs) {
+          const normalizedFrom = normalizePath(ref.from, projectRoot);
+          const reachable = followImportChain(normalizedFrom, fileContents, 2);
+          const normalizedTo = normalizePath(ref.to, projectRoot);
+          if (reachable.has(normalizedTo)) {
+            chainValidated = true;
+            break;
+          }
+        }
+      }
+      if (chainValidated) {
+        validated.push({ ...finding, validatedBy: "heuristic" });
+      } else {
+        validated.push({
+          ...finding,
+          severity: DOWNGRADE_MAP[finding.severity],
+          validatedBy: "heuristic"
+        });
+      }
+    }
+  }
+  return validated;
+}
+function rangesOverlap(a, b, gap) {
+  return a[0] <= b[1] + gap && b[0] <= a[1] + gap;
+}
+function mergeFindings(a, b) {
+  const highestSeverity = SEVERITY_RANK[a.severity] >= SEVERITY_RANK[b.severity] ? a.severity : b.severity;
+  const highestValidatedBy = (VALIDATED_BY_RANK[a.validatedBy] ?? 0) >= (VALIDATED_BY_RANK[b.validatedBy] ?? 0) ? a.validatedBy : b.validatedBy;
+  const longestRationale = a.rationale.length >= b.rationale.length ? a.rationale : b.rationale;
+  const evidenceSet = /* @__PURE__ */ new Set([...a.evidence, ...b.evidence]);
+  const lineRange = [
+    Math.min(a.lineRange[0], b.lineRange[0]),
+    Math.max(a.lineRange[1], b.lineRange[1])
+  ];
+  const domains = /* @__PURE__ */ new Set();
+  domains.add(a.domain);
+  domains.add(b.domain);
+  const suggestion = a.suggestion && b.suggestion ? a.suggestion.length >= b.suggestion.length ? a.suggestion : b.suggestion : a.suggestion ?? b.suggestion;
+  const primaryFinding = SEVERITY_RANK[a.severity] >= SEVERITY_RANK[b.severity] ? a : b;
+  const domainList = [...domains].sort().join(", ");
+  const cleanTitle = primaryFinding.title.replace(/^\[.*?\]\s*/, "");
+  const title = `[${domainList}] ${cleanTitle}`;
+  const merged = {
+    id: primaryFinding.id,
+    file: a.file,
+    // same file for all merged findings
+    lineRange,
+    domain: primaryFinding.domain,
+    severity: highestSeverity,
+    title,
+    rationale: longestRationale,
+    evidence: [...evidenceSet],
+    validatedBy: highestValidatedBy
+  };
+  if (suggestion !== void 0) {
+    merged.suggestion = suggestion;
+  }
+  const cweId = primaryFinding.cweId ?? a.cweId ?? b.cweId;
+  const owaspCategory = primaryFinding.owaspCategory ?? a.owaspCategory ?? b.owaspCategory;
+  const confidence = primaryFinding.confidence ?? a.confidence ?? b.confidence;
+  const remediation = a.remediation && b.remediation ? a.remediation.length >= b.remediation.length ? a.remediation : b.remediation : a.remediation ?? b.remediation;
+  const mergedRefs = [.../* @__PURE__ */ new Set([...a.references ?? [], ...b.references ?? []])];
+  if (cweId !== void 0) merged.cweId = cweId;
+  if (owaspCategory !== void 0) merged.owaspCategory = owaspCategory;
+  if (confidence !== void 0) merged.confidence = confidence;
+  if (remediation !== void 0) merged.remediation = remediation;
+  if (mergedRefs.length > 0) merged.references = mergedRefs;
+  return merged;
+}
+function deduplicateFindings(options) {
+  const { findings, lineGap = 3 } = options;
+  if (findings.length === 0) return [];
+  const byFile = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const existing = byFile.get(f.file);
+    if (existing) {
+      existing.push(f);
+    } else {
+      byFile.set(f.file, [f]);
+    }
+  }
+  const result = [];
+  for (const [, fileFindings] of byFile) {
+    const sorted = [...fileFindings].sort((a, b) => a.lineRange[0] - b.lineRange[0]);
+    const clusters = [];
+    let current = sorted[0];
+    for (let i = 1; i < sorted.length; i++) {
+      const next = sorted[i];
+      if (rangesOverlap(current.lineRange, next.lineRange, lineGap)) {
+        current = mergeFindings(current, next);
+      } else {
+        clusters.push(current);
+        current = next;
+      }
+    }
+    clusters.push(current);
+    result.push(...clusters);
+  }
+  return result;
+}
+function checkEligibility(pr, ciMode) {
+  if (!ciMode) {
+    return { eligible: true };
+  }
+  if (pr.state === "closed") {
+    return { eligible: false, reason: "PR is closed" };
+  }
+  if (pr.state === "merged") {
+    return { eligible: false, reason: "PR is merged" };
+  }
+  if (pr.isDraft) {
+    return { eligible: false, reason: "PR is a draft" };
+  }
+  if (pr.changedFiles.length > 0 && pr.changedFiles.every((f) => f.endsWith(".md"))) {
+    return { eligible: false, reason: "Trivial change: documentation only" };
+  }
+  const priorMatch = pr.priorReviews.find((r) => r.headSha === pr.headSha);
+  if (priorMatch) {
+    return { eligible: false, reason: `Already reviewed at ${priorMatch.headSha}` };
+  }
+  return { eligible: true };
+}
+var DEFAULT_PROVIDER_TIERS = {
+  claude: {
+    fast: "haiku",
+    standard: "sonnet",
+    strong: "opus"
+  },
+  openai: {
+    fast: "gpt-4o-mini",
+    standard: "gpt-4o",
+    strong: "o1"
+  },
+  gemini: {
+    fast: "gemini-flash",
+    standard: "gemini-pro",
+    strong: "gemini-ultra"
+  }
+};
+function resolveModelTier(tier, config, provider) {
+  const configValue = config?.[tier];
+  if (configValue !== void 0) {
+    return configValue;
+  }
+  if (provider) {
+    const providerDefaults = DEFAULT_PROVIDER_TIERS[provider];
+    const defaultValue = providerDefaults[tier];
+    if (defaultValue !== void 0) {
+      return defaultValue;
+    }
+  }
+  return void 0;
+}
+function determineAssessment(findings) {
+  if (findings.length === 0) return "approve";
+  let maxSeverity = "suggestion";
+  for (const f of findings) {
+    if (SEVERITY_RANK[f.severity] > SEVERITY_RANK[maxSeverity]) {
+      maxSeverity = f.severity;
+    }
+  }
+  switch (maxSeverity) {
+    case "critical":
+      return "request-changes";
+    case "important":
+      return "comment";
+    case "suggestion":
+      return "approve";
+  }
+}
+function getExitCode(assessment) {
+  return assessment === "request-changes" ? 1 : 0;
+}
+function formatFindingBlock(finding) {
+  const lines = [];
+  const location = `${finding.file}:L${finding.lineRange[0]}-${finding.lineRange[1]}`;
+  lines.push(`  [${finding.domain}] ${finding.title}`);
+  lines.push(`    Location: ${location}`);
+  lines.push(`    Rationale: ${finding.rationale}`);
+  if (finding.suggestion) {
+    lines.push(`    Suggestion: ${finding.suggestion}`);
+  }
+  return lines.join("\n");
+}
+function formatTerminalOutput(options) {
+  const { findings, strengths } = options;
+  const sections = [];
+  sections.push("## Strengths\n");
+  if (strengths.length === 0) {
+    sections.push("  No specific strengths noted.\n");
+  } else {
+    for (const s of strengths) {
+      const prefix = s.file ? `${s.file}: ` : "";
+      sections.push(`  + ${prefix}${s.description}`);
+    }
+    sections.push("");
+  }
+  sections.push("## Issues\n");
+  let hasIssues = false;
+  for (const severity of SEVERITY_ORDER) {
+    const group = findings.filter((f) => f.severity === severity);
+    if (group.length === 0) continue;
+    hasIssues = true;
+    sections.push(`### ${SEVERITY_LABELS[severity]} (${group.length})
+`);
+    for (const finding of group) {
+      sections.push(formatFindingBlock(finding));
+      sections.push("");
+    }
+  }
+  if (!hasIssues) {
+    sections.push("  No issues found.\n");
+  }
+  const assessment = determineAssessment(findings);
+  const assessmentLabel = assessment === "approve" ? "Approve" : assessment === "comment" ? "Comment" : "Request Changes";
+  sections.push(`## Assessment: ${assessmentLabel}
+`);
+  const issueCount = findings.length;
+  const criticalCount = findings.filter((f) => f.severity === "critical").length;
+  const importantCount = findings.filter((f) => f.severity === "important").length;
+  const suggestionCount = findings.filter((f) => f.severity === "suggestion").length;
+  if (issueCount === 0) {
+    sections.push("  No issues found. The changes look good.");
+  } else {
+    const parts = [];
+    if (criticalCount > 0) parts.push(`${criticalCount} critical`);
+    if (importantCount > 0) parts.push(`${importantCount} important`);
+    if (suggestionCount > 0) parts.push(`${suggestionCount} suggestion(s)`);
+    sections.push(`  Found ${issueCount} issue(s): ${parts.join(", ")}.`);
+  }
+  return sections.join("\n");
+}
+var SMALL_SUGGESTION_LINE_LIMIT = 10;
+function sanitizeMarkdown(text) {
+  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function isSmallSuggestion(suggestion) {
+  if (!suggestion) return false;
+  const lineCount = suggestion.split("\n").length;
+  return lineCount < SMALL_SUGGESTION_LINE_LIMIT;
+}
+function formatGitHubComment(finding) {
+  const severityBadge = `**${finding.severity.toUpperCase()}**`;
+  const header = `${severityBadge} [${finding.domain}] ${sanitizeMarkdown(finding.title)}`;
+  let body;
+  if (isSmallSuggestion(finding.suggestion)) {
+    body = [
+      header,
+      "",
+      sanitizeMarkdown(finding.rationale),
+      "",
+      "```suggestion",
+      finding.suggestion,
+      "```"
+    ].join("\n");
+  } else {
+    const parts = [header, "", `**Rationale:** ${sanitizeMarkdown(finding.rationale)}`];
+    if (finding.suggestion) {
+      parts.push("", `**Suggested approach:** ${sanitizeMarkdown(finding.suggestion)}`);
+    }
+    body = parts.join("\n");
+  }
+  return {
+    path: finding.file,
+    line: finding.lineRange[1],
+    // Comment on end line of range
+    side: "RIGHT",
+    body
+  };
+}
+function formatGitHubSummary(options) {
+  const { findings, strengths } = options;
+  const sections = [];
+  sections.push("## Strengths\n");
+  if (strengths.length === 0) {
+    sections.push("No specific strengths noted.\n");
+  } else {
+    for (const s of strengths) {
+      const prefix = s.file ? `**${s.file}:** ` : "";
+      sections.push(`- ${prefix}${sanitizeMarkdown(s.description)}`);
+    }
+    sections.push("");
+  }
+  sections.push("## Issues\n");
+  let hasIssues = false;
+  for (const severity of SEVERITY_ORDER) {
+    const group = findings.filter((f) => f.severity === severity);
+    if (group.length === 0) continue;
+    hasIssues = true;
+    sections.push(`### ${SEVERITY_LABELS[severity]} (${group.length})
+`);
+    for (const finding of group) {
+      const location = `\`${finding.file}:L${finding.lineRange[0]}-${finding.lineRange[1]}\``;
+      sections.push(`- **${sanitizeMarkdown(finding.title)}** at ${location}`);
+      sections.push(`  ${sanitizeMarkdown(finding.rationale)}`);
+      sections.push("");
+    }
+  }
+  if (!hasIssues) {
+    sections.push("No issues found.\n");
+  }
+  const assessment = determineAssessment(findings);
+  const assessmentLabel = assessment === "approve" ? "Approve" : assessment === "comment" ? "Comment" : "Request Changes";
+  sections.push(`## Assessment: ${assessmentLabel}`);
+  return sections.join("\n");
+}
+async function runReviewPipeline(options) {
+  const {
+    projectRoot,
+    diff,
+    commitMessage,
+    flags,
+    graph,
+    prMetadata,
+    conventionFiles,
+    checkDepsOutput,
+    config = {},
+    commitHistory
+  } = options;
+  if (flags.ci && prMetadata) {
+    const eligibility = checkEligibility(prMetadata, true);
+    if (!eligibility.eligible) {
+      return {
+        skipped: true,
+        ...eligibility.reason != null ? { skipReason: eligibility.reason } : {},
+        stoppedByMechanical: false,
+        findings: [],
+        strengths: [],
+        terminalOutput: `Review skipped: ${eligibility.reason ?? "ineligible"}`,
+        githubComments: [],
+        exitCode: 0
+      };
+    }
+  }
+  let mechanicalResult;
+  let exclusionSet;
+  if (flags.noMechanical) {
+    exclusionSet = buildExclusionSet([]);
+  } else {
+    try {
+      const mechResult = await runMechanicalChecks({
+        projectRoot,
+        config,
+        changedFiles: diff.changedFiles
+      });
+      if (mechResult.ok) {
+        mechanicalResult = mechResult.value;
+        exclusionSet = buildExclusionSet(mechResult.value.findings);
+        if (mechResult.value.stopPipeline) {
+          const mechFindings = mechResult.value.findings.filter((f) => f.severity === "error").map((f) => `  x ${f.tool}: ${f.file}${f.line ? `:${f.line}` : ""} - ${f.message}`).join("\n");
+          const terminalOutput2 = [
+            "## Strengths\n",
+            "  No AI review performed (mechanical checks failed).\n",
+            "## Issues\n",
+            "### Critical (mechanical)\n",
+            mechFindings,
+            "\n## Assessment: Request Changes\n",
+            "  Mechanical checks must pass before AI review."
+          ].join("\n");
+          return {
+            skipped: false,
+            stoppedByMechanical: true,
+            assessment: "request-changes",
+            findings: [],
+            strengths: [],
+            terminalOutput: terminalOutput2,
+            githubComments: [],
+            exitCode: 1,
+            mechanicalResult
+          };
+        }
+      } else {
+        exclusionSet = buildExclusionSet([]);
+      }
+    } catch {
+      exclusionSet = buildExclusionSet([]);
+    }
+  }
+  let contextBundles;
+  try {
+    contextBundles = await scopeContext({
+      projectRoot,
+      diff,
+      commitMessage,
+      ...graph != null ? { graph } : {},
+      ...conventionFiles != null ? { conventionFiles } : {},
+      ...checkDepsOutput != null ? { checkDepsOutput } : {},
+      ...commitHistory != null ? { commitHistory } : {}
+    });
+  } catch {
+    contextBundles = ["compliance", "bug", "security", "architecture"].map((domain) => ({
+      domain,
+      changeType: "feature",
+      changedFiles: [],
+      contextFiles: [],
+      commitHistory: [],
+      diffLines: diff.totalDiffLines,
+      contextLines: 0
+    }));
+  }
+  const agentResults = await fanOutReview({ bundles: contextBundles });
+  const rawFindings = agentResults.flatMap((r) => r.findings);
+  const fileContents = /* @__PURE__ */ new Map();
+  for (const [file, content] of diff.fileDiffs) {
+    fileContents.set(file, content);
+  }
+  const validatedFindings = await validateFindings({
+    findings: rawFindings,
+    exclusionSet,
+    ...graph != null ? { graph } : {},
+    projectRoot,
+    fileContents
+  });
+  const dedupedFindings = deduplicateFindings({ findings: validatedFindings });
+  const strengths = [];
+  const assessment = determineAssessment(dedupedFindings);
+  const exitCode = getExitCode(assessment);
+  const terminalOutput = formatTerminalOutput({
+    findings: dedupedFindings,
+    strengths
+  });
+  let githubComments = [];
+  if (flags.comment) {
+    githubComments = dedupedFindings.map((f) => formatGitHubComment(f));
+  }
+  return {
+    skipped: false,
+    stoppedByMechanical: false,
+    assessment,
+    findings: dedupedFindings,
+    strengths,
+    terminalOutput,
+    githubComments,
+    exitCode,
+    ...mechanicalResult !== void 0 ? { mechanicalResult } : {}
+  };
+}
+var VALID_STATUSES = /* @__PURE__ */ new Set([
+  "backlog",
+  "planned",
+  "in-progress",
+  "done",
+  "blocked"
+]);
+var EM_DASH = "\u2014";
+function parseRoadmap(markdown) {
+  const fmMatch = markdown.match(/^---\n([\s\S]*?)\n---/);
+  if (!fmMatch) {
+    return Err(new Error("Missing or malformed YAML frontmatter"));
+  }
+  const fmResult = parseFrontmatter(fmMatch[1]);
+  if (!fmResult.ok) return fmResult;
+  const body = markdown.slice(fmMatch[0].length);
+  const milestonesResult = parseMilestones(body);
+  if (!milestonesResult.ok) return milestonesResult;
+  return Ok({
+    frontmatter: fmResult.value,
+    milestones: milestonesResult.value
+  });
+}
+function parseFrontmatter(raw) {
+  const lines = raw.split("\n");
+  const map = /* @__PURE__ */ new Map();
+  for (const line of lines) {
+    const idx = line.indexOf(":");
+    if (idx === -1) continue;
+    const key = line.slice(0, idx).trim();
+    const val = line.slice(idx + 1).trim();
+    map.set(key, val);
+  }
+  const project = map.get("project");
+  const versionStr = map.get("version");
+  const lastSynced = map.get("last_synced");
+  const lastManualEdit = map.get("last_manual_edit");
+  if (!project || !versionStr || !lastSynced || !lastManualEdit) {
+    return Err(
+      new Error(
+        "Frontmatter missing required fields: project, version, last_synced, last_manual_edit"
+      )
+    );
+  }
+  const version = parseInt(versionStr, 10);
+  if (isNaN(version)) {
+    return Err(new Error("Frontmatter version must be a number"));
+  }
+  return Ok({ project, version, lastSynced, lastManualEdit });
+}
+function parseMilestones(body) {
+  const milestones = [];
+  const h2Pattern = /^## (.+)$/gm;
+  const h2Matches = [];
+  let match;
+  while ((match = h2Pattern.exec(body)) !== null) {
+    h2Matches.push({ heading: match[1], startIndex: match.index });
+  }
+  for (let i = 0; i < h2Matches.length; i++) {
+    const h2 = h2Matches[i];
+    const nextStart = i + 1 < h2Matches.length ? h2Matches[i + 1].startIndex : body.length;
+    const sectionBody = body.slice(h2.startIndex + h2.heading.length + 4, nextStart);
+    const isBacklog = h2.heading === "Backlog";
+    const milestoneName = isBacklog ? "Backlog" : h2.heading.replace(/^Milestone:\s*/, "");
+    const featuresResult = parseFeatures(sectionBody);
+    if (!featuresResult.ok) return featuresResult;
+    milestones.push({
+      name: milestoneName,
+      isBacklog,
+      features: featuresResult.value
+    });
+  }
+  return Ok(milestones);
+}
+function parseFeatures(sectionBody) {
+  const features = [];
+  const h3Pattern = /^### Feature: (.+)$/gm;
+  const h3Matches = [];
+  let match;
+  while ((match = h3Pattern.exec(sectionBody)) !== null) {
+    h3Matches.push({ name: match[1], startIndex: match.index });
+  }
+  for (let i = 0; i < h3Matches.length; i++) {
+    const h3 = h3Matches[i];
+    const nextStart = i + 1 < h3Matches.length ? h3Matches[i + 1].startIndex : sectionBody.length;
+    const featureBody = sectionBody.slice(
+      h3.startIndex + `### Feature: ${h3.name}`.length,
+      nextStart
+    );
+    const featureResult = parseFeatureFields(h3.name, featureBody);
+    if (!featureResult.ok) return featureResult;
+    features.push(featureResult.value);
+  }
+  return Ok(features);
+}
+function parseFeatureFields(name, body) {
+  const fieldMap = /* @__PURE__ */ new Map();
+  const fieldPattern = /^- \*\*(.+?):\*\* (.+)$/gm;
+  let match;
+  while ((match = fieldPattern.exec(body)) !== null) {
+    fieldMap.set(match[1], match[2]);
+  }
+  const statusRaw = fieldMap.get("Status");
+  if (!statusRaw || !VALID_STATUSES.has(statusRaw)) {
+    return Err(
+      new Error(
+        `Feature "${name}" has invalid status: "${statusRaw ?? "(missing)"}". Valid statuses: ${[...VALID_STATUSES].join(", ")}`
+      )
+    );
+  }
+  const status = statusRaw;
+  const specRaw = fieldMap.get("Spec") ?? EM_DASH;
+  const spec = specRaw === EM_DASH ? null : specRaw;
+  const plansRaw = fieldMap.get("Plans") ?? EM_DASH;
+  const plans = plansRaw === EM_DASH ? [] : plansRaw.split(",").map((p) => p.trim());
+  const blockedByRaw = fieldMap.get("Blocked by") ?? EM_DASH;
+  const blockedBy = blockedByRaw === EM_DASH ? [] : blockedByRaw.split(",").map((b) => b.trim());
+  const summary = fieldMap.get("Summary") ?? "";
+  return Ok({ name, status, spec, plans, blockedBy, summary });
+}
+var EM_DASH2 = "\u2014";
+function serializeRoadmap(roadmap) {
+  const lines = [];
+  lines.push("---");
+  lines.push(`project: ${roadmap.frontmatter.project}`);
+  lines.push(`version: ${roadmap.frontmatter.version}`);
+  lines.push(`last_synced: ${roadmap.frontmatter.lastSynced}`);
+  lines.push(`last_manual_edit: ${roadmap.frontmatter.lastManualEdit}`);
+  lines.push("---");
+  lines.push("");
+  lines.push("# Project Roadmap");
+  for (const milestone of roadmap.milestones) {
+    lines.push("");
+    lines.push(serializeMilestoneHeading(milestone));
+    for (const feature of milestone.features) {
+      lines.push("");
+      lines.push(...serializeFeature(feature));
+    }
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+function serializeMilestoneHeading(milestone) {
+  return milestone.isBacklog ? "## Backlog" : `## Milestone: ${milestone.name}`;
+}
+function serializeFeature(feature) {
+  const spec = feature.spec ?? EM_DASH2;
+  const plans = feature.plans.length > 0 ? feature.plans.join(", ") : EM_DASH2;
+  const blockedBy = feature.blockedBy.length > 0 ? feature.blockedBy.join(", ") : EM_DASH2;
+  return [
+    `### Feature: ${feature.name}`,
+    `- **Status:** ${feature.status}`,
+    `- **Spec:** ${spec}`,
+    `- **Plans:** ${plans}`,
+    `- **Blocked by:** ${blockedBy}`,
+    `- **Summary:** ${feature.summary}`
+  ];
+}
+function inferStatus(feature, projectPath, allFeatures) {
+  if (feature.blockedBy.length > 0) {
+    const blockerNotDone = feature.blockedBy.some((blockerName) => {
+      const blocker = allFeatures.find((f) => f.name.toLowerCase() === blockerName.toLowerCase());
+      return !blocker || blocker.status !== "done";
+    });
+    if (blockerNotDone) return "blocked";
+  }
+  if (feature.plans.length === 0) return null;
+  const allTaskStatuses = [];
+  const featuresWithPlans = allFeatures.filter((f) => f.plans.length > 0);
+  const useRootState = featuresWithPlans.length <= 1;
+  if (useRootState) {
+    const rootStatePath = path9.join(projectPath, ".harness", "state.json");
+    if (fs7.existsSync(rootStatePath)) {
+      try {
+        const raw = fs7.readFileSync(rootStatePath, "utf-8");
+        const state = JSON.parse(raw);
+        if (state.progress) {
+          for (const status of Object.values(state.progress)) {
+            allTaskStatuses.push(status);
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  const sessionsDir = path9.join(projectPath, ".harness", "sessions");
+  if (fs7.existsSync(sessionsDir)) {
+    try {
+      const sessionDirs = fs7.readdirSync(sessionsDir, { withFileTypes: true });
+      for (const entry of sessionDirs) {
+        if (!entry.isDirectory()) continue;
+        const autopilotPath = path9.join(sessionsDir, entry.name, "autopilot-state.json");
+        if (!fs7.existsSync(autopilotPath)) continue;
+        try {
+          const raw = fs7.readFileSync(autopilotPath, "utf-8");
+          const autopilot = JSON.parse(raw);
+          if (!autopilot.phases) continue;
+          const linkedPhases = autopilot.phases.filter(
+            (phase) => phase.planPath ? feature.plans.some((p) => p === phase.planPath || phase.planPath.endsWith(p)) : false
+          );
+          if (linkedPhases.length > 0) {
+            for (const phase of linkedPhases) {
+              if (phase.status === "complete") {
+                allTaskStatuses.push("complete");
+              } else if (phase.status === "pending") {
+                allTaskStatuses.push("pending");
+              } else {
+                allTaskStatuses.push("in_progress");
+              }
+            }
+          }
+        } catch {
+        }
+      }
+    } catch {
+    }
+  }
+  if (allTaskStatuses.length === 0) return null;
+  const allComplete = allTaskStatuses.every((s) => s === "complete");
+  if (allComplete) return "done";
+  const anyStarted = allTaskStatuses.some((s) => s === "in_progress" || s === "complete");
+  if (anyStarted) return "in-progress";
+  return null;
+}
+function syncRoadmap(options) {
+  const { projectPath, roadmap, forceSync } = options;
+  const isManuallyEdited = new Date(roadmap.frontmatter.lastManualEdit) > new Date(roadmap.frontmatter.lastSynced);
+  const skipOverride = isManuallyEdited && !forceSync;
+  const allFeatures = roadmap.milestones.flatMap((m) => m.features);
+  const changes = [];
+  for (const feature of allFeatures) {
+    if (skipOverride) continue;
+    const inferred = inferStatus(feature, projectPath, allFeatures);
+    if (inferred === null) continue;
+    if (inferred === feature.status) continue;
+    changes.push({
+      feature: feature.name,
+      from: feature.status,
+      to: inferred
+    });
+  }
+  return Ok(changes);
+}
+var InteractionTypeSchema = z5.enum(["question", "confirmation", "transition"]);
+var QuestionSchema = z5.object({
+  text: z5.string(),
+  options: z5.array(z5.string()).optional(),
+  default: z5.string().optional()
+});
+var ConfirmationSchema = z5.object({
+  text: z5.string(),
+  context: z5.string()
+});
+var TransitionSchema = z5.object({
+  completedPhase: z5.string(),
+  suggestedNext: z5.string(),
+  reason: z5.string(),
+  artifacts: z5.array(z5.string()),
+  requiresConfirmation: z5.boolean(),
+  summary: z5.string()
+});
+var EmitInteractionInputSchema = z5.object({
+  path: z5.string(),
+  type: InteractionTypeSchema,
+  stream: z5.string().optional(),
+  question: QuestionSchema.optional(),
+  confirmation: ConfirmationSchema.optional(),
+  transition: TransitionSchema.optional()
+});
+function getStatePath() {
+  return path10.join(os.homedir(), ".harness", "update-check.json");
+}
+function isUpdateCheckEnabled(configInterval) {
+  if (process.env["HARNESS_NO_UPDATE_CHECK"] === "1") return false;
+  if (configInterval === 0) return false;
+  return true;
+}
+function shouldRunCheck(state, intervalMs) {
+  if (state === null) return true;
+  return state.lastCheckTime + intervalMs <= Date.now();
+}
+function readCheckState() {
+  try {
+    const raw = fs8.readFileSync(getStatePath(), "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed === "object" && parsed !== null && "lastCheckTime" in parsed && typeof parsed.lastCheckTime === "number" && "currentVersion" in parsed && typeof parsed.currentVersion === "string") {
+      const state = parsed;
+      return {
+        lastCheckTime: state.lastCheckTime,
+        latestVersion: typeof state.latestVersion === "string" ? state.latestVersion : null,
+        currentVersion: state.currentVersion
+      };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function spawnBackgroundCheck(currentVersion) {
+  const statePath = getStatePath();
+  const stateDir = path10.dirname(statePath);
+  const script = `
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+try {
+  const latest = execSync('npm view @harness-engineering/cli dist-tags.latest', {
+    encoding: 'utf-8',
+    timeout: 15000,
+    stdio: ['ignore', 'pipe', 'ignore'],
+  }).trim();
+  const stateDir = ${JSON.stringify(stateDir)};
+  const statePath = ${JSON.stringify(statePath)};
+  fs.mkdirSync(stateDir, { recursive: true });
+  const tmpFile = path.join(stateDir, '.update-check-' + crypto.randomBytes(4).toString('hex') + '.tmp');
+  fs.writeFileSync(tmpFile, JSON.stringify({
+    lastCheckTime: Date.now(),
+    latestVersion: latest || null,
+    currentVersion: ${JSON.stringify(currentVersion)},
+  }), { mode: 0o644 });
+  fs.renameSync(tmpFile, statePath);
+} catch (_) {}
+`.trim();
+  try {
+    const child = spawn(process.execPath, ["-e", script], {
+      detached: true,
+      stdio: "ignore"
+    });
+    child.unref();
+  } catch {
+  }
+}
+function compareVersions(a, b) {
+  const pa = a.split(".").map(Number);
+  const pb = b.split(".").map(Number);
+  for (let i = 0; i < 3; i++) {
+    const na = pa[i] ?? 0;
+    const nb = pb[i] ?? 0;
+    if (na > nb) return 1;
+    if (na < nb) return -1;
+  }
+  return 0;
+}
+function getUpdateNotification(currentVersion) {
+  const state = readCheckState();
+  if (!state) return null;
+  if (!state.latestVersion) return null;
+  if (compareVersions(state.latestVersion, currentVersion) <= 0) return null;
+  return `Update available: v${currentVersion} -> v${state.latestVersion}
+Run "harness update" to upgrade.`;
+}
 var VERSION = "0.8.0";
 export {
@@ -6067,9 +8230,15 @@ export {
   detectSizeBudgetViolations,
   generateSuggestions,
   EntropyAnalyzer,
+  createCommentedCodeFixes,
+  createOrphanedDepFixes,
   createFixes,
   previewFix,
   applyFixes,
+  createForbiddenImportFixes,
+  classifyFinding,
+  applyHotspotDowngrade,
+  deduplicateCleanupFindings,
   PatternConfigSchema,
   EntropyConfigSchema,
   validatePatternConfig,
@@ -6146,5 +8315,46 @@ export {
   goRules,
   SecurityScanner,
   runCIChecks,
+  runMechanicalChecks,
+  ExclusionSet,
+  buildExclusionSet,
+  detectChangeType,
+  scopeContext,
+  COMPLIANCE_DESCRIPTOR,
+  runComplianceAgent,
+  BUG_DETECTION_DESCRIPTOR,
+  runBugDetectionAgent,
+  SECURITY_DESCRIPTOR,
+  runSecurityAgent,
+  ARCHITECTURE_DESCRIPTOR,
+  runArchitectureAgent,
+  AGENT_DESCRIPTORS,
+  fanOutReview,
+  validateFindings,
+  deduplicateFindings,
+  checkEligibility,
+  DEFAULT_PROVIDER_TIERS,
+  resolveModelTier,
+  determineAssessment,
+  getExitCode,
+  formatFindingBlock,
+  formatTerminalOutput,
+  isSmallSuggestion,
+  formatGitHubComment,
+  formatGitHubSummary,
+  runReviewPipeline,
+  parseRoadmap,
+  serializeRoadmap,
+  syncRoadmap,
+  InteractionTypeSchema,
+  QuestionSchema,
+  ConfirmationSchema,
+  TransitionSchema,
+  EmitInteractionInputSchema,
+  isUpdateCheckEnabled,
+  shouldRunCheck,
+  readCheckState,
+  spawnBackgroundCheck,
+  getUpdateNotification,
   VERSION
 };