@harness-engineering/core 0.15.0 → 0.17.0

package/dist/index.js

@@ -45,6 +45,7 @@ __export(index_exports, {
   BlueprintGenerator: () => BlueprintGenerator,
   BundleConstraintsSchema: () => BundleConstraintsSchema,
   BundleSchema: () => BundleSchema,
+  CACHE_TTL_MS: () => CACHE_TTL_MS,
   COMPLIANCE_DESCRIPTOR: () => COMPLIANCE_DESCRIPTOR,
   CategoryBaselineSchema: () => CategoryBaselineSchema,
   CategoryRegressionSchema: () => CategoryRegressionSchema,
@@ -62,6 +63,7 @@ __export(index_exports, {
   DEFAULT_SECURITY_CONFIG: () => DEFAULT_SECURITY_CONFIG,
   DEFAULT_STATE: () => DEFAULT_STATE,
   DEFAULT_STREAM_INDEX: () => DEFAULT_STREAM_INDEX,
+  DESTRUCTIVE_BASH: () => DESTRUCTIVE_BASH,
   DepDepthCollector: () => DepDepthCollector,
   EXTENSION_MAP: () => EXTENSION_MAP,
   EmitInteractionInputSchema: () => EmitInteractionInputSchema,
@@ -73,9 +75,11 @@ __export(index_exports, {
   ForbiddenImportCollector: () => ForbiddenImportCollector,
   GateConfigSchema: () => GateConfigSchema,
   GateResultSchema: () => GateResultSchema,
+  GitHubIssuesSyncAdapter: () => GitHubIssuesSyncAdapter,
   HandoffSchema: () => HandoffSchema,
   HarnessStateSchema: () => HarnessStateSchema,
   InteractionTypeSchema: () => InteractionTypeSchema,
+  LITELLM_PRICING_URL: () => LITELLM_PRICING_URL,
   LayerViolationCollector: () => LayerViolationCollector,
   LockfilePackageSchema: () => LockfilePackageSchema,
   LockfileSchema: () => LockfileSchema,
@@ -92,6 +96,8 @@ __export(index_exports, {
   RegressionDetector: () => RegressionDetector,
   RuleRegistry: () => RuleRegistry,
   SECURITY_DESCRIPTOR: () => SECURITY_DESCRIPTOR,
+  STALENESS_WARNING_DAYS: () => STALENESS_WARNING_DAYS,
+  STATUS_RANK: () => STATUS_RANK,
   SecurityConfigSchema: () => SecurityConfigSchema,
   SecurityScanner: () => SecurityScanner,
   SharableBoundaryConfigSchema: () => SharableBoundaryConfigSchema,
@@ -108,6 +114,8 @@ __export(index_exports, {
   ViolationSchema: () => ViolationSchema,
   addProvenance: () => addProvenance,
   agentConfigRules: () => agentConfigRules,
+  aggregateByDay: () => aggregateByDay,
+  aggregateBySession: () => aggregateBySession,
   analyzeDiff: () => analyzeDiff,
   analyzeLearningPatterns: () => analyzeLearningPatterns,
   appendFailure: () => appendFailure,
@@ -123,16 +131,22 @@ __export(index_exports, {
   archiveLearnings: () => archiveLearnings,
   archiveSession: () => archiveSession,
   archiveStream: () => archiveStream,
+  assignFeature: () => assignFeature,
   buildDependencyGraph: () => buildDependencyGraph,
   buildExclusionSet: () => buildExclusionSet,
   buildSnapshot: () => buildSnapshot,
+  calculateCost: () => calculateCost,
   checkDocCoverage: () => checkDocCoverage,
   checkEligibility: () => checkEligibility,
   checkEvidenceCoverage: () => checkEvidenceCoverage,
+  checkTaint: () => checkTaint,
   classifyFinding: () => classifyFinding,
   clearEventHashCache: () => clearEventHashCache,
   clearFailuresCache: () => clearFailuresCache,
   clearLearningsCache: () => clearLearningsCache,
+  clearTaint: () => clearTaint,
+  computeOverallSeverity: () => computeOverallSeverity,
+  computeScanExitCode: () => computeScanExitCode,
   configureFeedback: () => configureFeedback,
   constraintRuleId: () => constraintRuleId,
   contextBudget: () => contextBudget,
@@ -182,40 +196,55 @@ __export(index_exports, {
   formatGitHubSummary: () => formatGitHubSummary,
   formatOutline: () => formatOutline,
   formatTerminalOutput: () => formatTerminalOutput,
+  fullSync: () => fullSync,
   generateAgentsMap: () => generateAgentsMap,
   generateSuggestions: () => generateSuggestions,
   getActionEmitter: () => getActionEmitter,
   getExitCode: () => getExitCode,
   getFeedbackConfig: () => getFeedbackConfig,
+  getInjectionPatterns: () => getInjectionPatterns,
+  getModelPrice: () => getModelPrice,
   getOutline: () => getOutline,
   getParser: () => getParser,
   getPhaseCategories: () => getPhaseCategories,
   getStreamForBranch: () => getStreamForBranch,
+  getTaintFilePath: () => getTaintFilePath,
   getUpdateNotification: () => getUpdateNotification,
   goRules: () => goRules,
   injectionRules: () => injectionRules,
+  insecureDefaultsRules: () => insecureDefaultsRules,
+  isDuplicateFinding: () => isDuplicateFinding,
+  isRegression: () => isRegression,
   isSmallSuggestion: () => isSmallSuggestion,
   isUpdateCheckEnabled: () => isUpdateCheckEnabled,
   listActiveSessions: () => listActiveSessions,
   listStreams: () => listStreams,
+  listTaintedSessions: () => listTaintedSessions,
   loadBudgetedLearnings: () => loadBudgetedLearnings,
   loadEvents: () => loadEvents,
   loadFailures: () => loadFailures,
   loadHandoff: () => loadHandoff,
   loadIndexEntries: () => loadIndexEntries,
+  loadPricingData: () => loadPricingData,
   loadRelevantLearnings: () => loadRelevantLearnings,
   loadSessionSummary: () => loadSessionSummary,
   loadState: () => loadState,
   loadStreamIndex: () => loadStreamIndex,
   logAgentAction: () => logAgentAction,
+  mapInjectionFindings: () => mapInjectionFindings,
+  mapSecurityFindings: () => mapSecurityFindings,
+  mapSecuritySeverity: () => mapSecuritySeverity,
   mcpRules: () => mcpRules,
   migrateToStreams: () => migrateToStreams,
   networkRules: () => networkRules,
   nodeRules: () => nodeRules,
+  parseCCRecords: () => parseCCRecords,
   parseDateFromEntry: () => parseDateFromEntry,
   parseDiff: () => parseDiff,
   parseFile: () => parseFile,
   parseFrontmatter: () => parseFrontmatter,
+  parseHarnessIgnore: () => parseHarnessIgnore,
+  parseLiteLLMData: () => parseLiteLLMData,
   parseManifest: () => parseManifest,
   parseRoadmap: () => parseRoadmap,
   parseSecurityConfig: () => parseSecurityConfig,
@@ -226,9 +255,11 @@ __export(index_exports, {
   pruneLearnings: () => pruneLearnings,
   reactRules: () => reactRules,
   readCheckState: () => readCheckState,
+  readCostRecords: () => readCostRecords,
   readLockfile: () => readLockfile,
   readSessionSection: () => readSessionSection,
   readSessionSections: () => readSessionSections,
+  readTaint: () => readTaint,
   removeContributions: () => removeContributions,
   removeProvenance: () => removeProvenance,
   requestMultiplePeerReviews: () => requestMultiplePeerReviews,
@@ -237,6 +268,7 @@ __export(index_exports, {
   resetParserCache: () => resetParserCache,
   resolveFileToLayer: () => resolveFileToLayer,
   resolveModelTier: () => resolveModelTier,
+  resolveReverseStatus: () => resolveReverseStatus,
   resolveRuleSeverity: () => resolveRuleSeverity,
   resolveSessionDir: () => resolveSessionDir,
   resolveStreamPath: () => resolveStreamPath,
@@ -255,15 +287,20 @@ __export(index_exports, {
   saveHandoff: () => saveHandoff,
   saveState: () => saveState,
   saveStreamIndex: () => saveStreamIndex,
+  scanForInjection: () => scanForInjection,
   scopeContext: () => scopeContext,
+  scoreRoadmapCandidates: () => scoreRoadmapCandidates,
   searchSymbols: () => searchSymbols,
   secretRules: () => secretRules,
   serializeRoadmap: () => serializeRoadmap,
   setActiveStream: () => setActiveStream,
+  sharpEdgesRules: () => sharpEdgesRules,
   shouldRunCheck: () => shouldRunCheck,
   spawnBackgroundCheck: () => spawnBackgroundCheck,
   syncConstraintNodes: () => syncConstraintNodes,
+  syncFromExternal: () => syncFromExternal,
   syncRoadmap: () => syncRoadmap,
+  syncToExternal: () => syncToExternal,
   tagUncitedFindings: () => tagUncitedFindings,
   touchStream: () => touchStream,
   trackAction: () => trackAction,
@@ -284,6 +321,7 @@ __export(index_exports, {
   writeConfig: () => writeConfig,
   writeLockfile: () => writeLockfile,
   writeSessionSummary: () => writeSessionSummary,
+  writeTaint: () => writeTaint,
   xssRules: () => xssRules
 });
 module.exports = __toCommonJS(index_exports);
@@ -307,17 +345,17 @@ var import_node_path = require("path");
 var import_glob = require("glob");
 var accessAsync = (0, import_util.promisify)(import_fs.access);
 var readFileAsync = (0, import_util.promisify)(import_fs.readFile);
-async function fileExists(path23) {
+async function fileExists(path26) {
   try {
-    await accessAsync(path23, import_fs.constants.F_OK);
+    await accessAsync(path26, import_fs.constants.F_OK);
     return true;
   } catch {
     return false;
   }
 }
-async function readFileContent(path23) {
+async function readFileContent(path26) {
   try {
-    const content = await readFileAsync(path23, "utf-8");
+    const content = await readFileAsync(path26, "utf-8");
     return (0, import_types.Ok)(content);
   } catch (error) {
     return (0, import_types.Err)(error);
@@ -368,15 +406,15 @@ function validateConfig(data, schema) {
   let message = "Configuration validation failed";
   const suggestions = [];
   if (firstError) {
-    const path23 = firstError.path.join(".");
-    const pathDisplay = path23 ? ` at "${path23}"` : "";
+    const path26 = firstError.path.join(".");
+    const pathDisplay = path26 ? ` at "${path26}"` : "";
     if (firstError.code === "invalid_type") {
       const received = firstError.received;
       const expected = firstError.expected;
       if (received === "undefined") {
         code = "MISSING_FIELD";
         message = `Missing required field${pathDisplay}: ${firstError.message}`;
-        suggestions.push(`Field "${path23}" is required and must be of type "${expected}"`);
+        suggestions.push(`Field "${path26}" is required and must be of type "${expected}"`);
       } else {
         code = "INVALID_TYPE";
         message = `Invalid type${pathDisplay}: ${firstError.message}`;
@@ -592,27 +630,27 @@ function extractSections(content) {
   }
   return sections.map((section) => buildAgentMapSection(section, lines));
 }
-function isExternalLink(path23) {
-  return path23.startsWith("http://") || path23.startsWith("https://") || path23.startsWith("#") || path23.startsWith("mailto:");
+function isExternalLink(path26) {
+  return path26.startsWith("http://") || path26.startsWith("https://") || path26.startsWith("#") || path26.startsWith("mailto:");
 }
 function resolveLinkPath(linkPath, baseDir) {
   return linkPath.startsWith(".") ? (0, import_path.join)(baseDir, linkPath) : linkPath;
 }
-async function validateAgentsMap(path23 = "./AGENTS.md") {
-  const contentResult = await readFileContent(path23);
+async function validateAgentsMap(path26 = "./AGENTS.md") {
+  const contentResult = await readFileContent(path26);
   if (!contentResult.ok) {
     return (0, import_types.Err)(
       createError(
         "PARSE_ERROR",
         `Failed to read AGENTS.md: ${contentResult.error.message}`,
-        { path: path23 },
+        { path: path26 },
         ["Ensure the file exists", "Check file permissions"]
       )
     );
   }
   const content = contentResult.value;
   const sections = extractSections(content);
-  const baseDir = (0, import_path.dirname)(path23);
+  const baseDir = (0, import_path.dirname)(path26);
   const sectionTitles = sections.map((s) => s.title);
   const missingSections = REQUIRED_SECTIONS.filter(
     (required) => !sectionTitles.some((title) => title.toLowerCase().includes(required.toLowerCase()))
@@ -753,8 +791,8 @@ async function checkDocCoverage(domain, options = {}) {
 
 // src/context/knowledge-map.ts
 var import_path3 = require("path");
-function suggestFix(path23, existingFiles) {
-  const targetName = (0, import_path3.basename)(path23).toLowerCase();
+function suggestFix(path26, existingFiles) {
+  const targetName = (0, import_path3.basename)(path26).toLowerCase();
   const similar = existingFiles.find((file) => {
     const fileName = (0, import_path3.basename)(file).toLowerCase();
     return fileName.includes(targetName) || targetName.includes(fileName);
@@ -762,7 +800,7 @@ function suggestFix(path23, existingFiles) {
   if (similar) {
     return `Did you mean "${similar}"?`;
   }
-  return `Create the file "${path23}" or remove the link`;
+  return `Create the file "${path26}" or remove the link`;
 }
 async function validateKnowledgeMap(rootDir = process.cwd()) {
   const agentsPath = (0, import_path3.join)(rootDir, "AGENTS.md");
@@ -1368,8 +1406,8 @@ function createBoundaryValidator(schema, name) {
         return (0, import_types.Ok)(result.data);
       }
       const suggestions = result.error.issues.map((issue) => {
-        const path23 = issue.path.join(".");
-        return path23 ? `${path23}: ${issue.message}` : issue.message;
+        const path26 = issue.path.join(".");
+        return path26 ? `${path26}: ${issue.message}` : issue.message;
       });
       return (0, import_types.Err)(
         createError(
@@ -2001,11 +2039,11 @@ function processExportListSpecifiers(exportDecl, exports2) {
 var TypeScriptParser = class {
   name = "typescript";
   extensions = [".ts", ".tsx", ".mts", ".cts"];
-  async parseFile(path23) {
-    const contentResult = await readFileContent(path23);
+  async parseFile(path26) {
+    const contentResult = await readFileContent(path26);
     if (!contentResult.ok) {
       return (0, import_types.Err)(
-        createParseError("NOT_FOUND", `File not found: ${path23}`, { path: path23 }, [
+        createParseError("NOT_FOUND", `File not found: ${path26}`, { path: path26 }, [
           "Check that the file exists",
           "Verify the path is correct"
         ])
@@ -2015,7 +2053,7 @@ var TypeScriptParser = class {
       const ast = (0, import_typescript_estree.parse)(contentResult.value, {
         loc: true,
         range: true,
-        jsx: path23.endsWith(".tsx"),
+        jsx: path26.endsWith(".tsx"),
         errorOnUnknownASTType: false
       });
       return (0, import_types.Ok)({
@@ -2026,7 +2064,7 @@ var TypeScriptParser = class {
     } catch (e) {
       const error = e;
       return (0, import_types.Err)(
-        createParseError("SYNTAX_ERROR", `Failed to parse ${path23}: ${error.message}`, { path: path23 }, [
+        createParseError("SYNTAX_ERROR", `Failed to parse ${path26}: ${error.message}`, { path: path26 }, [
           "Check for syntax errors in the file",
           "Ensure valid TypeScript syntax"
         ])
@@ -2211,22 +2249,22 @@ function extractInlineRefs(content) {
   }
   return refs;
 }
-async function parseDocumentationFile(path23) {
-  const contentResult = await readFileContent(path23);
+async function parseDocumentationFile(path26) {
+  const contentResult = await readFileContent(path26);
   if (!contentResult.ok) {
     return (0, import_types.Err)(
       createEntropyError(
         "PARSE_ERROR",
-        `Failed to read documentation file: ${path23}`,
-        { file: path23 },
+        `Failed to read documentation file: ${path26}`,
+        { file: path26 },
         ["Check that the file exists"]
       )
     );
   }
   const content = contentResult.value;
-  const type = path23.endsWith(".md") ? "markdown" : "text";
+  const type = path26.endsWith(".md") ? "markdown" : "text";
   return (0, import_types.Ok)({
-    path: path23,
+    path: path26,
     type,
     content,
     codeBlocks: extractCodeBlocks(content),
@@ -9074,6 +9112,208 @@ var mcpRules = [
   }
 ];
 
+// src/security/rules/insecure-defaults.ts
+var insecureDefaultsRules = [
+  {
+    id: "SEC-DEF-001",
+    name: "Security-Sensitive Fallback to Hardcoded Default",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /(?:SECRET|KEY|TOKEN|PASSWORD|SALT|PEPPER|SIGNING|ENCRYPTION|AUTH|JWT|SESSION).*(?:\|\||\?\?)\s*['"][^'"]+['"]/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Security-sensitive variable falls back to a hardcoded default when env var is missing",
+    remediation: "Throw an error if the env var is missing instead of falling back to a default. Use a startup validation check.",
+    references: ["CWE-1188"]
+  },
+  {
+    id: "SEC-DEF-002",
+    name: "TLS/SSL Disabled by Default",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /(?:tls|ssl|https|secure)\s*(?:=|:)\s*(?:false|config\??\.\w+\s*(?:\?\?|&&|\|\|)\s*false)/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs,go,py}",
+    message: "Security feature defaults to disabled; missing configuration degrades to insecure mode",
+    remediation: "Default security features to enabled (true). Require explicit opt-out, not opt-in.",
+    references: ["CWE-1188"]
+  },
+  {
+    id: "SEC-DEF-003",
+    name: "Swallowed Authentication/Authorization Error",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "low",
+    patterns: [
+      // Matches single-line empty catch: catch(e) { } or catch(e) { // ignore }
+      // Note: multi-line catch blocks are handled by AI review, not this rule
+      /catch\s*\([^)]*\)\s*\{\s*(?:\/\/\s*(?:ignore|skip|noop|todo)\b.*)?\s*\}/
+    ],
+    fileGlob: "**/*auth*.{ts,js,mjs,cjs},**/*session*.{ts,js,mjs,cjs},**/*token*.{ts,js,mjs,cjs}",
+    message: "Single-line empty catch block in authentication/authorization code may silently allow unauthorized access. Note: multi-line empty catch blocks are detected by AI review, not this mechanical rule.",
+    remediation: "Re-throw the error or return an explicit denial. Never silently swallow auth errors.",
+    references: ["CWE-754", "CWE-390"]
+  },
+  {
+    id: "SEC-DEF-004",
+    name: "Permissive CORS Fallback",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /(?:origin|cors)\s*(?:=|:)\s*(?:config|options|env)\??\.\w+\s*(?:\?\?|\|\|)\s*['"]\*/
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "CORS origin falls back to wildcard (*) when configuration is missing",
+    remediation: "Default to a restrictive origin list. Require explicit configuration for permissive CORS.",
+    references: ["CWE-942"]
+  },
+  {
+    id: "SEC-DEF-005",
+    name: "Rate Limiting Disabled by Default",
+    category: "insecure-defaults",
+    severity: "info",
+    confidence: "low",
+    patterns: [
+      /(?:rateLimit|rateLimiting|throttle)\s*(?:=|:)\s*(?:config|options|env)\??\.\w+\s*(?:\?\?|\|\|)\s*(?:false|0|null|undefined)/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Rate limiting defaults to disabled when configuration is missing",
+    remediation: "Default to a sensible rate limit. Require explicit opt-out for disabling.",
+    references: ["CWE-770"]
+  }
+];
+
+// src/security/rules/sharp-edges.ts
+var sharpEdgesRules = [
+  // --- Deprecated Crypto APIs ---
+  {
+    id: "SEC-EDGE-001",
+    name: "Deprecated createCipher API",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/crypto\.createCipher\s*\(/],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "crypto.createCipher is deprecated \u2014 uses weak key derivation (no IV)",
+    remediation: "Use crypto.createCipheriv with a random IV and proper key derivation (scrypt/pbkdf2)",
+    references: ["CWE-327"]
+  },
+  {
+    id: "SEC-EDGE-002",
+    name: "Deprecated createDecipher API",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/crypto\.createDecipher\s*\(/],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "crypto.createDecipher is deprecated \u2014 uses weak key derivation (no IV)",
+    remediation: "Use crypto.createDecipheriv with the same IV used for encryption",
+    references: ["CWE-327"]
+  },
+  {
+    id: "SEC-EDGE-003",
+    name: "ECB Mode Selection",
+    category: "sharp-edges",
+    severity: "warning",
+    confidence: "high",
+    patterns: [/-ecb['"]/],
+    fileGlob: "**/*.{ts,js,mjs,cjs,go,py}",
+    message: "ECB mode does not provide semantic security \u2014 identical plaintext blocks produce identical ciphertext",
+    remediation: "Use CBC, CTR, or GCM mode instead of ECB",
+    references: ["CWE-327"]
+  },
+  // --- Unsafe Deserialization ---
+  {
+    id: "SEC-EDGE-004",
+    name: "yaml.load Without Safe Loader",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [
+      /yaml\.load\s*\(/
+      // Python: yaml.load() without SafeLoader
+    ],
+    fileGlob: "**/*.py",
+    message: "yaml.load() executes arbitrary Python objects \u2014 use yaml.safe_load() instead",
+    remediation: "Replace yaml.load() with yaml.safe_load() or yaml.load(data, Loader=SafeLoader). Note: this rule will flag yaml.load(data, Loader=SafeLoader) \u2014 suppress with # harness-ignore SEC-EDGE-004: safe usage with SafeLoader",
+    references: ["CWE-502"]
+  },
+  {
+    id: "SEC-EDGE-005",
+    name: "Pickle/Marshal Deserialization",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/pickle\.loads?\s*\(/, /marshal\.loads?\s*\(/],
+    fileGlob: "**/*.py",
+    message: "pickle/marshal deserialization executes arbitrary code \u2014 never use on untrusted data",
+    remediation: "Use JSON, MessagePack, or Protocol Buffers for untrusted data serialization",
+    references: ["CWE-502"]
+  },
+  // --- TOCTOU (Time-of-Check to Time-of-Use) ---
+  {
+    id: "SEC-EDGE-006",
+    name: "Check-Then-Act File Operation",
+    category: "sharp-edges",
+    severity: "warning",
+    confidence: "medium",
+    // Patterns use .{0,N} since scanner matches single lines only (no multiline mode)
+    patterns: [
+      /(?:existsSync|accessSync|statSync)\s*\([^)]+\).{0,50}(?:readFileSync|writeFileSync|unlinkSync|mkdirSync)\s*\(/
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Check-then-act pattern on filesystem is vulnerable to TOCTOU race conditions",
+    remediation: "Use the operation directly and handle ENOENT/EEXIST errors instead of checking first",
+    references: ["CWE-367"]
+  },
+  {
+    id: "SEC-EDGE-007",
+    name: "Check-Then-Act File Operation (Async)",
+    category: "sharp-edges",
+    severity: "warning",
+    confidence: "medium",
+    // Uses .{0,N} since scanner matches single lines only (no multiline mode)
+    patterns: [/(?:access|stat)\s*\([^)]+\).{0,80}(?:readFile|writeFile|unlink|mkdir)\s*\(/],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Async check-then-act pattern on filesystem is vulnerable to TOCTOU race conditions",
+    remediation: "Use the operation directly with try/catch instead of checking existence first",
+    references: ["CWE-367"]
+  },
+  // --- Stringly-Typed Security ---
+  {
+    id: "SEC-EDGE-008",
+    name: 'JWT Algorithm "none"',
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [
+      /algorithm[s]?\s*[:=]\s*\[?\s*['"]none['"]/i,
+      /alg(?:orithm)?\s*[:=]\s*['"]none['"]/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: 'JWT "none" algorithm disables signature verification entirely',
+    remediation: 'Specify an explicit algorithm (e.g., "HS256", "RS256") and set algorithms allowlist in verify options',
+    references: ["CWE-345"]
+  },
+  {
+    id: "SEC-EDGE-009",
+    name: "DES/RC4 Algorithm Selection",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/['"]\s*(?:des|des-ede|des-ede3|des3|rc4|rc2|blowfish)\s*['"]/i],
+    fileGlob: "**/*.{ts,js,mjs,cjs,go,py}",
+    message: "Weak/deprecated cipher algorithm selected \u2014 DES, RC4, RC2, and Blowfish are broken or deprecated",
+    remediation: "Use AES-256-GCM or ChaCha20-Poly1305",
+    references: ["CWE-327"]
+  }
+];
+
 // src/security/rules/stack/node.ts
 var nodeRules = [
   {
@@ -9187,6 +9427,14 @@ var goRules = [
 ];
 
 // src/security/scanner.ts
+function parseHarnessIgnore(line, ruleId) {
+  if (!line.includes("harness-ignore")) return null;
+  if (!line.includes(ruleId)) return null;
+  const match = line.match(/(?:\/\/|#)\s*harness-ignore\s+(SEC-[A-Z]+-\d+)(?::\s*(.+))?/);
+  if (match?.[1] !== ruleId) return null;
+  const text = match[2]?.trim();
+  return { ruleId, justification: text || null };
+}
 var SecurityScanner = class {
   registry;
   config;
@@ -9203,7 +9451,9 @@ var SecurityScanner = class {
       ...networkRules,
       ...deserializationRules,
       ...agentConfigRules,
-      ...mcpRules
+      ...mcpRules,
+      ...insecureDefaultsRules,
+      ...sharpEdgesRules
     ]);
     this.registry.registerAll([...nodeRules, ...expressRules, ...reactRules, ...goRules]);
     this.activeRules = this.registry.getAll();
@@ -9220,42 +9470,8 @@ var SecurityScanner = class {
    */
   scanContent(content, filePath, startLine = 1) {
     if (!this.config.enabled) return [];
-    const findings = [];
     const lines = content.split("\n");
-    for (const rule of this.activeRules) {
-      const resolved = resolveRuleSeverity(
-        rule.id,
-        rule.severity,
-        this.config.rules ?? {},
-        this.config.strict
-      );
-      if (resolved === "off") continue;
-      for (let i = 0; i < lines.length; i++) {
-        const line = lines[i] ?? "";
-        if (line.includes("harness-ignore") && line.includes(rule.id)) continue;
-        for (const pattern of rule.patterns) {
-          pattern.lastIndex = 0;
-          if (pattern.test(line)) {
-            findings.push({
-              ruleId: rule.id,
-              ruleName: rule.name,
-              category: rule.category,
-              severity: resolved,
-              confidence: rule.confidence,
-              file: filePath,
-              line: startLine + i,
-              match: line.trim(),
-              context: line,
-              message: rule.message,
-              remediation: rule.remediation,
-              ...rule.references ? { references: rule.references } : {}
-            });
-            break;
-          }
-        }
-      }
-    }
-    return findings;
+    return this.scanLinesWithRules(lines, this.activeRules, filePath, startLine);
   }
   async scanFile(filePath) {
     if (!this.config.enabled) return [];
@@ -9264,14 +9480,22 @@ var SecurityScanner = class {
   }
   scanContentForFile(content, filePath, startLine = 1) {
     if (!this.config.enabled) return [];
-    const findings = [];
     const lines = content.split("\n");
     const applicableRules = this.activeRules.filter((rule) => {
       if (!rule.fileGlob) return true;
       const globs = rule.fileGlob.split(",").map((g) => g.trim());
       return globs.some((glob2) => (0, import_minimatch5.minimatch)(filePath, glob2, { dot: true }));
     });
-    for (const rule of applicableRules) {
+    return this.scanLinesWithRules(lines, applicableRules, filePath, startLine);
+  }
+  /**
+   * Core scanning loop shared by scanContent and scanContentForFile.
+   * Evaluates each rule against each line, handling suppression (FP gate)
+   * and pattern matching uniformly.
+   */
+  scanLinesWithRules(lines, rules, filePath, startLine) {
+    const findings = [];
+    for (const rule of rules) {
       const resolved = resolveRuleSeverity(
         rule.id,
         rule.severity,
@@ -9281,7 +9505,25 @@ var SecurityScanner = class {
       if (resolved === "off") continue;
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i] ?? "";
-        if (line.includes("harness-ignore") && line.includes(rule.id)) continue;
+        const suppressionMatch = parseHarnessIgnore(line, rule.id);
+        if (suppressionMatch) {
+          if (!suppressionMatch.justification) {
+            findings.push({
+              ruleId: rule.id,
+              ruleName: rule.name,
+              category: rule.category,
+              severity: this.config.strict ? "error" : "warning",
+              confidence: "high",
+              file: filePath,
+              line: startLine + i,
+              match: line.trim(),
+              context: line,
+              message: `Suppression of ${rule.id} requires justification: // harness-ignore ${rule.id}: <reason>`,
+              remediation: `Add justification after colon: // harness-ignore ${rule.id}: false positive because ...`
+            });
+          }
+          continue;
+        }
         for (const pattern of rule.patterns) {
           pattern.lastIndex = 0;
           if (pattern.test(line)) {
@@ -9327,6 +9569,414 @@ var SecurityScanner = class {
   }
 };
 
+// src/security/injection-patterns.ts
+var hiddenUnicodePatterns = [
+  {
+    ruleId: "INJ-UNI-001",
+    severity: "high",
+    category: "hidden-unicode",
+    description: "Zero-width characters that can hide malicious instructions",
+    // eslint-disable-next-line no-misleading-character-class -- intentional: regex detects zero-width chars for security scanning
+    pattern: /[\u200B\u200C\u200D\uFEFF\u2060]/
+  },
+  {
+    ruleId: "INJ-UNI-002",
+    severity: "high",
+    category: "hidden-unicode",
+    description: "RTL/LTR override characters that can disguise text direction",
+    pattern: /[\u202A-\u202E\u2066-\u2069]/
+  }
+];
+var reRolingPatterns = [
+  {
+    ruleId: "INJ-REROL-001",
+    severity: "high",
+    category: "explicit-re-roling",
+    description: "Instruction to ignore/disregard/forget previous instructions",
+    pattern: /(?:ignore|disregard|forget)\s+(?:all\s+)?(?:previous|prior|above|earlier)\s+(?:instructions?|prompts?|context|rules?|guidelines?)/i
+  },
+  {
+    ruleId: "INJ-REROL-002",
+    severity: "high",
+    category: "explicit-re-roling",
+    description: "Attempt to reassign the AI role",
+    pattern: /you\s+are\s+now\s+(?:a\s+|an\s+)?(?:new\s+)?(?:helpful\s+)?(?:my\s+)?(?:\w+\s+)?(?:assistant|agent|AI|bot|chatbot|system|persona)\b/i
+  },
+  {
+    ruleId: "INJ-REROL-003",
+    severity: "high",
+    category: "explicit-re-roling",
+    description: "Direct instruction override attempt",
+    pattern: /(?:new\s+)?(?:system\s+)?(?:instruction|directive|role|persona)\s*[:=]\s*/i
+  }
+];
+var permissionEscalationPatterns = [
+  {
+    ruleId: "INJ-PERM-001",
+    severity: "high",
+    category: "permission-escalation",
+    description: "Attempt to enable all tools or grant unrestricted access",
+    pattern: /(?:allow|enable|grant)\s+all\s+(?:tools?|permissions?|access)/i
+  },
+  {
+    ruleId: "INJ-PERM-002",
+    severity: "high",
+    category: "permission-escalation",
+    description: "Attempt to disable safety or security features",
+    pattern: /(?:disable|turn\s+off|remove|bypass)\s+(?:all\s+)?(?:safety|security|restrictions?|guardrails?|protections?|checks?)/i
+  },
+  {
+    ruleId: "INJ-PERM-003",
+    severity: "high",
+    category: "permission-escalation",
+    description: "Auto-approve directive that bypasses human review",
+    pattern: /(?:auto[- ]?approve|--no-verify|--dangerously-skip-permissions)/i
+  }
+];
+var encodedPayloadPatterns = [
+  {
+    ruleId: "INJ-ENC-001",
+    severity: "high",
+    category: "encoded-payloads",
+    description: "Base64-encoded string long enough to contain instructions (>=28 chars)",
+    // Match base64 strings of 28+ chars (7+ groups of 4).
+    // Excludes JWT tokens (eyJ prefix) and Bearer-prefixed tokens.
+    pattern: /(?<!Bearer\s)(?<![:])(?<![A-Za-z0-9/])(?!eyJ)(?:[A-Za-z0-9+/]{4}){7,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?(?![A-Za-z0-9/])/
+  },
+  {
+    ruleId: "INJ-ENC-002",
+    severity: "high",
+    category: "encoded-payloads",
+    description: "Hex-encoded string long enough to contain directives (>=20 hex chars)",
+    // Excludes hash-prefixed hex (sha256:, sha512:, md5:, etc.) and hex preceded by 0x.
+    // Note: 40-char git SHA hashes (e.g. in `git log` output) may match — downstream
+    // callers should filter matches of exactly 40 hex chars if scanning git output.
+    pattern: /(?<![:x])(?<![A-Fa-f0-9])(?:[0-9a-fA-F]{2}){10,}(?![A-Fa-f0-9])/
+  }
+];
+var indirectInjectionPatterns = [
+  {
+    ruleId: "INJ-IND-001",
+    severity: "medium",
+    category: "indirect-injection",
+    description: "Instruction to influence future responses",
+    pattern: /(?:when\s+the\s+user\s+asks|if\s+(?:the\s+user|someone|anyone)\s+asks)\s*,?\s*(?:say|respond|reply|answer|tell)/i
+  },
+  {
+    ruleId: "INJ-IND-002",
+    severity: "medium",
+    category: "indirect-injection",
+    description: "Directive to include content in responses",
+    pattern: /(?:include|insert|add|embed|put)\s+(?:this|the\s+following)\s+(?:in|into|to)\s+(?:your|the)\s+(?:response|output|reply|answer)/i
+  },
+  {
+    ruleId: "INJ-IND-003",
+    severity: "medium",
+    category: "indirect-injection",
+    description: "Standing instruction to always respond a certain way",
+    pattern: /always\s+(?:respond|reply|answer|say|output)\s+(?:with|that|by)/i
+  }
+];
+var contextManipulationPatterns = [
+  {
+    ruleId: "INJ-CTX-001",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Claim about system prompt content",
+    pattern: /(?:the\s+)?(?:system\s+prompt|system\s+message|hidden\s+instructions?)\s+(?:says?|tells?|instructs?|contains?|is)/i
+  },
+  {
+    ruleId: "INJ-CTX-002",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Claim about AI instructions",
+    pattern: /your\s+(?:instructions?|directives?|guidelines?|rules?)\s+(?:are|say|tell|state)/i
+  },
+  {
+    ruleId: "INJ-CTX-003",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Fake XML/HTML system or instruction tags",
+    // Case-sensitive: only match lowercase tags to avoid false positives on
+    // React components like <User>, <Context>, <Role> etc.
+    pattern: /<\/?(?:system|instruction|prompt|role|context|tool_call|function_call|assistant|human|user)[^>]*>/
+  },
+  {
+    ruleId: "INJ-CTX-004",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Fake JSON role assignment mimicking chat format",
+    pattern: /[{,]\s*"role"\s*:\s*"(?:system|assistant|function)"/i
+  }
+];
+var socialEngineeringPatterns = [
+  {
+    ruleId: "INJ-SOC-001",
+    severity: "medium",
+    category: "social-engineering",
+    description: "Urgency pressure to bypass checks",
+    pattern: /(?:this\s+is\s+(?:very\s+)?urgent|this\s+is\s+(?:an?\s+)?emergency|do\s+(?:this|it)\s+(?:now|immediately))\b/i
+  },
+  {
+    ruleId: "INJ-SOC-002",
+    severity: "medium",
+    category: "social-engineering",
+    description: "False authority claim",
+    pattern: /(?:the\s+)?(?:admin|administrator|manager|CEO|CTO|owner|supervisor)\s+(?:authorized|approved|said|told|confirmed|requested)/i
+  },
+  {
+    ruleId: "INJ-SOC-003",
+    severity: "medium",
+    category: "social-engineering",
+    description: "Testing pretext to bypass safety",
+    pattern: /(?:for\s+testing\s+purposes?|this\s+is\s+(?:just\s+)?a\s+test|in\s+test\s+mode)\b/i
+  }
+];
+var suspiciousPatterns = [
+  {
+    ruleId: "INJ-SUS-001",
+    severity: "low",
+    category: "suspicious-patterns",
+    description: "Excessive consecutive whitespace (>10 chars) mid-line that may hide content",
+    // Only match whitespace runs not at the start of a line (indentation is normal)
+    pattern: /\S\s{11,}/
+  },
+  {
+    ruleId: "INJ-SUS-002",
+    severity: "low",
+    category: "suspicious-patterns",
+    description: "Repeated delimiters (>5) that may indicate obfuscation",
+    pattern: /([|;,=\-_~`])\1{5,}/
+  },
+  {
+    ruleId: "INJ-SUS-003",
+    severity: "low",
+    category: "suspicious-patterns",
+    description: "Mathematical alphanumeric symbols used as Latin character substitutes",
+    // Mathematical bold/italic/script Unicode ranges (U+1D400-U+1D7FF)
+    pattern: /[\uD835][\uDC00-\uDFFF]/
+  }
+];
+var ALL_PATTERNS = [
+  ...hiddenUnicodePatterns,
+  ...reRolingPatterns,
+  ...permissionEscalationPatterns,
+  ...encodedPayloadPatterns,
+  ...indirectInjectionPatterns,
+  ...contextManipulationPatterns,
+  ...socialEngineeringPatterns,
+  ...suspiciousPatterns
+];
+function scanForInjection(text) {
+  const findings = [];
+  const lines = text.split("\n");
+  for (let lineIdx = 0; lineIdx < lines.length; lineIdx++) {
+    const line = lines[lineIdx];
+    for (const rule of ALL_PATTERNS) {
+      if (rule.pattern.test(line)) {
+        findings.push({
+          severity: rule.severity,
+          ruleId: rule.ruleId,
+          match: line.trim(),
+          line: lineIdx + 1
+        });
+      }
+    }
+  }
+  const severityOrder = {
+    high: 0,
+    medium: 1,
+    low: 2
+  };
+  findings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+  return findings;
+}
+function getInjectionPatterns() {
+  return ALL_PATTERNS;
+}
+var DESTRUCTIVE_BASH = [
+  /\bgit\s+push\b/,
+  /\bgit\s+commit\b/,
+  /\brm\s+-rf?\b/,
+  /\brm\s+-r\b/
+];
+
+// src/security/taint.ts
+var import_node_fs4 = require("fs");
+var import_node_path7 = require("path");
+var TAINT_DURATION_MS = 30 * 60 * 1e3;
+var DEFAULT_SESSION_ID = "default";
+function getTaintFilePath(projectRoot, sessionId) {
+  const id = sessionId || DEFAULT_SESSION_ID;
+  return (0, import_node_path7.join)(projectRoot, ".harness", `session-taint-${id}.json`);
+}
+function readTaint(projectRoot, sessionId) {
+  const filePath = getTaintFilePath(projectRoot, sessionId);
+  let content;
+  try {
+    content = (0, import_node_fs4.readFileSync)(filePath, "utf8");
+  } catch {
+    return null;
+  }
+  let state;
+  try {
+    state = JSON.parse(content);
+  } catch {
+    try {
+      (0, import_node_fs4.unlinkSync)(filePath);
+    } catch {
+    }
+    return null;
+  }
+  if (!state.sessionId || !state.taintedAt || !state.expiresAt || !state.findings) {
+    try {
+      (0, import_node_fs4.unlinkSync)(filePath);
+    } catch {
+    }
+    return null;
+  }
+  return state;
+}
+function checkTaint(projectRoot, sessionId) {
+  const state = readTaint(projectRoot, sessionId);
+  if (!state) {
+    return { tainted: false, expired: false, state: null };
+  }
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(state.expiresAt);
+  if (now >= expiresAt) {
+    const filePath = getTaintFilePath(projectRoot, sessionId);
+    try {
+      (0, import_node_fs4.unlinkSync)(filePath);
+    } catch {
+    }
+    return { tainted: false, expired: true, state };
+  }
+  return { tainted: true, expired: false, state };
+}
+function writeTaint(projectRoot, sessionId, reason, findings, source) {
+  const id = sessionId || DEFAULT_SESSION_ID;
+  const filePath = getTaintFilePath(projectRoot, id);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const dir = (0, import_node_path7.dirname)(filePath);
+  (0, import_node_fs4.mkdirSync)(dir, { recursive: true });
+  const existing = readTaint(projectRoot, id);
+  const maxSeverity = findings.some((f) => f.severity === "high") ? "high" : "medium";
+  const taintFindings = findings.map((f) => ({
+    ruleId: f.ruleId,
+    severity: f.severity,
+    match: f.match,
+    source,
+    detectedAt: now
+  }));
+  const state = {
+    sessionId: id,
+    taintedAt: existing?.taintedAt || now,
+    expiresAt: new Date(Date.now() + TAINT_DURATION_MS).toISOString(),
+    reason,
+    severity: existing?.severity === "high" || maxSeverity === "high" ? "high" : "medium",
+    findings: [...existing?.findings || [], ...taintFindings]
+  };
+  (0, import_node_fs4.writeFileSync)(filePath, JSON.stringify(state, null, 2) + "\n");
+  return state;
+}
+function clearTaint(projectRoot, sessionId) {
+  if (sessionId) {
+    const filePath = getTaintFilePath(projectRoot, sessionId);
+    try {
+      (0, import_node_fs4.unlinkSync)(filePath);
+      return 1;
+    } catch {
+      return 0;
+    }
+  }
+  const harnessDir = (0, import_node_path7.join)(projectRoot, ".harness");
+  let count = 0;
+  try {
+    const files = (0, import_node_fs4.readdirSync)(harnessDir);
+    for (const file of files) {
+      if (file.startsWith("session-taint-") && file.endsWith(".json")) {
+        try {
+          (0, import_node_fs4.unlinkSync)((0, import_node_path7.join)(harnessDir, file));
+          count++;
+        } catch {
+        }
+      }
+    }
+  } catch {
+  }
+  return count;
+}
+function listTaintedSessions(projectRoot) {
+  const harnessDir = (0, import_node_path7.join)(projectRoot, ".harness");
+  const sessions = [];
+  try {
+    const files = (0, import_node_fs4.readdirSync)(harnessDir);
+    for (const file of files) {
+      if (file.startsWith("session-taint-") && file.endsWith(".json")) {
+        const sessionId = file.replace("session-taint-", "").replace(".json", "");
+        const result = checkTaint(projectRoot, sessionId);
+        if (result.tainted) {
+          sessions.push(sessionId);
+        }
+      }
+    }
+  } catch {
+  }
+  return sessions;
+}
+
+// src/security/scan-config-shared.ts
+function mapSecuritySeverity(severity) {
+  if (severity === "error") return "high";
+  if (severity === "warning") return "medium";
+  return "low";
+}
+function computeOverallSeverity(findings) {
+  if (findings.length === 0) return "clean";
+  if (findings.some((f) => f.severity === "high")) return "high";
+  if (findings.some((f) => f.severity === "medium")) return "medium";
+  return "low";
+}
+function computeScanExitCode(results) {
+  for (const r of results) {
+    if (r.overallSeverity === "high") return 2;
+  }
+  for (const r of results) {
+    if (r.overallSeverity === "medium") return 1;
+  }
+  return 0;
+}
+function mapInjectionFindings(injectionFindings) {
+  return injectionFindings.map((f) => ({
+    ruleId: f.ruleId,
+    severity: f.severity,
+    message: `Injection pattern detected: ${f.ruleId}`,
+    match: f.match,
+    ...f.line !== void 0 ? { line: f.line } : {}
+  }));
+}
+function isDuplicateFinding(existing, secFinding) {
+  return existing.some(
+    (e) => e.line === secFinding.line && e.match === secFinding.match.trim() && e.ruleId.split("-")[0] === secFinding.ruleId.split("-")[0]
+  );
+}
+function mapSecurityFindings(secFindings, existing) {
+  const result = [];
+  for (const f of secFindings) {
+    if (!isDuplicateFinding(existing, f)) {
+      result.push({
+        ruleId: f.ruleId,
+        severity: mapSecuritySeverity(f.severity),
+        message: f.message,
+        match: f.match,
+        ...f.line !== void 0 ? { line: f.line } : {}
+      });
+    }
+  }
+  return result;
+}
+
 // src/ci/check-orchestrator.ts
 var path15 = __toESM(require("path"));
 var ALL_CHECKS = [
@@ -9510,7 +10160,7 @@ async function runPerfCheck(projectRoot, config) {
     if (perfReport.complexity) {
       for (const v of perfReport.complexity.violations) {
         issues.push({
-          severity: v.severity === "info" ? "warning" : v.severity,
+          severity: "warning",
           message: `[Tier ${v.tier}] ${v.metric}: ${v.function} in ${v.file} (${v.value} > ${v.threshold})`,
           file: v.file,
           line: v.line
@@ -11517,6 +12167,7 @@ var VALID_STATUSES = /* @__PURE__ */ new Set([
   "blocked"
 ]);
 var EM_DASH = "\u2014";
+var VALID_PRIORITIES = /* @__PURE__ */ new Set(["P0", "P1", "P2", "P3"]);
 function parseRoadmap(markdown) {
   const fmMatch = markdown.match(/^---\n([\s\S]*?)\n---/);
   if (!fmMatch) {
@@ -11527,9 +12178,12 @@ function parseRoadmap(markdown) {
   const body = markdown.slice(fmMatch[0].length);
   const milestonesResult = parseMilestones(body);
   if (!milestonesResult.ok) return milestonesResult;
+  const historyResult = parseAssignmentHistory(body);
+  if (!historyResult.ok) return historyResult;
   return (0, import_types19.Ok)({
     frontmatter: fmResult.value,
-    milestones: milestonesResult.value
+    milestones: milestonesResult.value,
+    assignmentHistory: historyResult.value
   });
 }
 function parseFrontmatter2(raw) {
@@ -11569,12 +12223,17 @@ function parseMilestones(body) {
   const h2Pattern = /^## (.+)$/gm;
   const h2Matches = [];
   let match;
+  let bodyEnd = body.length;
   while ((match = h2Pattern.exec(body)) !== null) {
+    if (match[1] === "Assignment History") {
+      bodyEnd = match.index;
+      break;
+    }
     h2Matches.push({ heading: match[1], startIndex: match.index, fullMatch: match[0] });
   }
   for (let i = 0; i < h2Matches.length; i++) {
     const h2 = h2Matches[i];
-    const nextStart = i + 1 < h2Matches.length ? h2Matches[i + 1].startIndex : body.length;
+    const nextStart = i + 1 < h2Matches.length ? h2Matches[i + 1].startIndex : bodyEnd;
     const sectionBody = body.slice(h2.startIndex + h2.fullMatch.length, nextStart);
     const isBacklog = h2.heading === "Backlog";
     const milestoneName = isBacklog ? "Backlog" : h2.heading.replace(/^Milestone:\s*/, "");
@@ -11640,15 +12299,60 @@ function parseFeatureFields(name, body) {
   const specRaw = fieldMap.get("Spec") ?? EM_DASH;
   const plans = parseListField(fieldMap, "Plans", "Plan");
   const blockedBy = parseListField(fieldMap, "Blocked by", "Blockers");
+  const assigneeRaw = fieldMap.get("Assignee") ?? EM_DASH;
+  const priorityRaw = fieldMap.get("Priority") ?? EM_DASH;
+  const externalIdRaw = fieldMap.get("External-ID") ?? EM_DASH;
+  if (priorityRaw !== EM_DASH && !VALID_PRIORITIES.has(priorityRaw)) {
+    return (0, import_types19.Err)(
+      new Error(
+        `Feature "${name}" has invalid priority: "${priorityRaw}". Valid priorities: ${[...VALID_PRIORITIES].join(", ")}`
+      )
+    );
+  }
   return (0, import_types19.Ok)({
     name,
     status: statusRaw,
     spec: specRaw === EM_DASH ? null : specRaw,
     plans,
     blockedBy,
-    summary: fieldMap.get("Summary") ?? ""
+    summary: fieldMap.get("Summary") ?? "",
+    assignee: assigneeRaw === EM_DASH ? null : assigneeRaw,
+    priority: priorityRaw === EM_DASH ? null : priorityRaw,
+    externalId: externalIdRaw === EM_DASH ? null : externalIdRaw
   });
 }
+function parseAssignmentHistory(body) {
+  const historyMatch = body.match(/^## Assignment History\s*\n/m);
+  if (!historyMatch || historyMatch.index === void 0) return (0, import_types19.Ok)([]);
+  const historyStart = historyMatch.index + historyMatch[0].length;
+  const rawHistoryBody = body.slice(historyStart);
+  const nextH2 = rawHistoryBody.search(/^## /m);
+  const historyBody = nextH2 === -1 ? rawHistoryBody : rawHistoryBody.slice(0, nextH2);
+  const records = [];
+  const lines = historyBody.split("\n");
+  let pastHeader = false;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed.startsWith("|")) continue;
+    if (!pastHeader) {
+      if (trimmed.match(/^\|[-\s|]+\|$/)) {
+        pastHeader = true;
+      }
+      continue;
+    }
+    const cells = trimmed.split("|").map((c) => c.trim()).filter((c) => c.length > 0);
+    if (cells.length < 4) continue;
+    const action = cells[2];
+    if (!["assigned", "completed", "unassigned"].includes(action)) continue;
+    records.push({
+      feature: cells[0],
+      assignee: cells[1],
+      action,
+      date: cells[3]
+    });
+  }
+  return (0, import_types19.Ok)(records);
+}
 
 // src/roadmap/serialize.ts
 var EM_DASH2 = "\u2014";
@@ -11676,6 +12380,10 @@ function serializeRoadmap(roadmap) {
       lines.push(...serializeFeature(feature));
     }
   }
+  if (roadmap.assignmentHistory && roadmap.assignmentHistory.length > 0) {
+    lines.push("");
+    lines.push(...serializeAssignmentHistory(roadmap.assignmentHistory));
+  }
   lines.push("");
   return lines.join("\n");
 }
@@ -11686,7 +12394,7 @@ function serializeFeature(feature) {
   const spec = feature.spec ?? EM_DASH2;
   const plans = feature.plans.length > 0 ? feature.plans.join(", ") : EM_DASH2;
   const blockedBy = feature.blockedBy.length > 0 ? feature.blockedBy.join(", ") : EM_DASH2;
-  return [
+  const lines = [
     `### ${feature.name}`,
     "",
     `- **Status:** ${feature.status}`,
@@ -11695,12 +12403,45 @@ function serializeFeature(feature) {
     `- **Blockers:** ${blockedBy}`,
     `- **Plan:** ${plans}`
   ];
+  const hasExtended = feature.assignee !== null || feature.priority !== null || feature.externalId !== null;
+  if (hasExtended) {
+    lines.push(`- **Assignee:** ${feature.assignee ?? EM_DASH2}`);
+    lines.push(`- **Priority:** ${feature.priority ?? EM_DASH2}`);
+    lines.push(`- **External-ID:** ${feature.externalId ?? EM_DASH2}`);
+  }
+  return lines;
+}
+function serializeAssignmentHistory(records) {
+  const lines = [
+    "## Assignment History",
+    "| Feature | Assignee | Action | Date |",
+    "|---------|----------|--------|------|"
+  ];
+  for (const record of records) {
+    lines.push(`| ${record.feature} | ${record.assignee} | ${record.action} | ${record.date} |`);
+  }
+  return lines;
 }
 
 // src/roadmap/sync.ts
 var fs19 = __toESM(require("fs"));
 var path19 = __toESM(require("path"));
 var import_types20 = require("@harness-engineering/types");
+
+// src/roadmap/status-rank.ts
+var STATUS_RANK = {
+  backlog: 0,
+  planned: 1,
+  blocked: 1,
+  // lateral to planned — sync can move to/from blocked freely
+  "in-progress": 2,
+  done: 3
+};
+function isRegression(from, to) {
+  return STATUS_RANK[to] < STATUS_RANK[from];
+}
+
+// src/roadmap/sync.ts
 function inferStatus(feature, projectPath, allFeatures) {
   if (feature.blockedBy.length > 0) {
     const blockerNotDone = feature.blockedBy.some((blockerName) => {
@@ -11724,88 +12465,509 @@ function inferStatus(feature, projectPath, allFeatures) {
             allTaskStatuses.push(status);
           }
         }
-      } catch {
+      } catch {
+      }
+    }
+  }
+  const sessionsDir = path19.join(projectPath, ".harness", "sessions");
+  if (fs19.existsSync(sessionsDir)) {
+    try {
+      const sessionDirs = fs19.readdirSync(sessionsDir, { withFileTypes: true });
+      for (const entry of sessionDirs) {
+        if (!entry.isDirectory()) continue;
+        const autopilotPath = path19.join(sessionsDir, entry.name, "autopilot-state.json");
+        if (!fs19.existsSync(autopilotPath)) continue;
+        try {
+          const raw = fs19.readFileSync(autopilotPath, "utf-8");
+          const autopilot = JSON.parse(raw);
+          if (!autopilot.phases) continue;
+          const linkedPhases = autopilot.phases.filter(
+            (phase) => phase.planPath ? feature.plans.some((p) => p === phase.planPath || phase.planPath.endsWith(p)) : false
+          );
+          if (linkedPhases.length > 0) {
+            for (const phase of linkedPhases) {
+              if (phase.status === "complete") {
+                allTaskStatuses.push("complete");
+              } else if (phase.status === "pending") {
+                allTaskStatuses.push("pending");
+              } else {
+                allTaskStatuses.push("in_progress");
+              }
+            }
+          }
+        } catch {
+        }
+      }
+    } catch {
+    }
+  }
+  if (allTaskStatuses.length === 0) return null;
+  const allComplete = allTaskStatuses.every((s) => s === "complete");
+  if (allComplete) return "done";
+  const anyStarted = allTaskStatuses.some((s) => s === "in_progress" || s === "complete");
+  if (anyStarted) return "in-progress";
+  return null;
+}
+function syncRoadmap(options) {
+  const { projectPath, roadmap, forceSync } = options;
+  const allFeatures = roadmap.milestones.flatMap((m) => m.features);
+  const changes = [];
+  for (const feature of allFeatures) {
+    const inferred = inferStatus(feature, projectPath, allFeatures);
+    if (inferred === null) continue;
+    if (inferred === feature.status) continue;
+    if (!forceSync && isRegression(feature.status, inferred)) continue;
+    changes.push({
+      feature: feature.name,
+      from: feature.status,
+      to: inferred
+    });
+  }
+  return (0, import_types20.Ok)(changes);
+}
+function applySyncChanges(roadmap, changes) {
+  for (const change of changes) {
+    for (const m of roadmap.milestones) {
+      const feature = m.features.find((f) => f.name.toLowerCase() === change.feature.toLowerCase());
+      if (feature) {
+        feature.status = change.to;
+        break;
+      }
+    }
+  }
+  roadmap.frontmatter.lastSynced = (/* @__PURE__ */ new Date()).toISOString();
+}
+
+// src/roadmap/tracker-sync.ts
+function resolveReverseStatus(externalStatus, labels, config) {
+  const reverseMap = config.reverseStatusMap;
+  if (!reverseMap) return null;
+  if (reverseMap[externalStatus]) {
+    return reverseMap[externalStatus];
+  }
+  const statusLabels = ["in-progress", "blocked", "planned"];
+  const matchingLabels = labels.filter((l) => statusLabels.includes(l));
+  if (matchingLabels.length === 1) {
+    const compoundKey = `${externalStatus}:${matchingLabels[0]}`;
+    if (reverseMap[compoundKey]) {
+      return reverseMap[compoundKey];
+    }
+  }
+  return null;
+}
+
+// src/roadmap/adapters/github-issues.ts
+var import_types21 = require("@harness-engineering/types");
+function parseExternalId(externalId) {
+  const match = externalId.match(/^github:([^/]+)\/([^#]+)#(\d+)$/);
+  if (!match) return null;
+  return { owner: match[1], repo: match[2], number: parseInt(match[3], 10) };
+}
+function buildExternalId(owner, repo, number) {
+  return `github:${owner}/${repo}#${number}`;
+}
+function labelsForStatus(status, config) {
+  const base = config.labels ?? [];
+  const externalStatus = config.statusMap[status];
+  if (externalStatus === "open" && status !== "backlog") {
+    return [...base, status];
+  }
+  return [...base];
+}
+var GitHubIssuesSyncAdapter = class {
+  token;
+  config;
+  fetchFn;
+  apiBase;
+  owner;
+  repo;
+  constructor(options) {
+    this.token = options.token;
+    this.config = options.config;
+    this.fetchFn = options.fetchFn ?? globalThis.fetch;
+    this.apiBase = options.apiBase ?? "https://api.github.com";
+    const repoParts = (options.config.repo ?? "").split("/");
+    if (repoParts.length !== 2 || !repoParts[0] || !repoParts[1]) {
+      throw new Error(`Invalid repo format: "${options.config.repo}". Expected "owner/repo".`);
+    }
+    this.owner = repoParts[0];
+    this.repo = repoParts[1];
+  }
+  headers() {
+    return {
+      Authorization: `Bearer ${this.token}`,
+      Accept: "application/vnd.github+json",
+      "Content-Type": "application/json",
+      "X-GitHub-Api-Version": "2022-11-28"
+    };
+  }
+  async createTicket(feature, milestone) {
+    try {
+      const labels = labelsForStatus(feature.status, this.config);
+      const body = [
+        feature.summary,
+        "",
+        `**Milestone:** ${milestone}`,
+        feature.spec ? `**Spec:** ${feature.spec}` : ""
+      ].filter(Boolean).join("\n");
+      const response = await this.fetchFn(
+        `${this.apiBase}/repos/${this.owner}/${this.repo}/issues`,
+        {
+          method: "POST",
+          headers: this.headers(),
+          body: JSON.stringify({
+            title: feature.name,
+            body,
+            labels
+          })
+        }
+      );
+      if (!response.ok) {
+        const text = await response.text();
+        return (0, import_types21.Err)(new Error(`GitHub API error ${response.status}: ${text}`));
+      }
+      const data = await response.json();
+      const externalId = buildExternalId(this.owner, this.repo, data.number);
+      return (0, import_types21.Ok)({ externalId, url: data.html_url });
+    } catch (error) {
+      return (0, import_types21.Err)(error instanceof Error ? error : new Error(String(error)));
+    }
+  }
+  async updateTicket(externalId, changes) {
+    try {
+      const parsed = parseExternalId(externalId);
+      if (!parsed) return (0, import_types21.Err)(new Error(`Invalid externalId format: "${externalId}"`));
+      const patch = {};
+      if (changes.name !== void 0) patch.title = changes.name;
+      if (changes.summary !== void 0) {
+        const body = [changes.summary, "", changes.spec ? `**Spec:** ${changes.spec}` : ""].filter(Boolean).join("\n");
+        patch.body = body;
+      }
+      if (changes.status !== void 0) {
+        const externalStatus = this.config.statusMap[changes.status];
+        patch.state = externalStatus;
+        patch.labels = labelsForStatus(changes.status, this.config);
+      }
+      const response = await this.fetchFn(
+        `${this.apiBase}/repos/${parsed.owner}/${parsed.repo}/issues/${parsed.number}`,
+        {
+          method: "PATCH",
+          headers: this.headers(),
+          body: JSON.stringify(patch)
+        }
+      );
+      if (!response.ok) {
+        const text = await response.text();
+        return (0, import_types21.Err)(new Error(`GitHub API error ${response.status}: ${text}`));
+      }
+      const data = await response.json();
+      return (0, import_types21.Ok)({ externalId, url: data.html_url });
+    } catch (error) {
+      return (0, import_types21.Err)(error instanceof Error ? error : new Error(String(error)));
+    }
+  }
+  async fetchTicketState(externalId) {
+    try {
+      const parsed = parseExternalId(externalId);
+      if (!parsed) return (0, import_types21.Err)(new Error(`Invalid externalId format: "${externalId}"`));
+      const response = await this.fetchFn(
+        `${this.apiBase}/repos/${parsed.owner}/${parsed.repo}/issues/${parsed.number}`,
+        {
+          method: "GET",
+          headers: this.headers()
+        }
+      );
+      if (!response.ok) {
+        const text = await response.text();
+        return (0, import_types21.Err)(new Error(`GitHub API error ${response.status}: ${text}`));
+      }
+      const data = await response.json();
+      return (0, import_types21.Ok)({
+        externalId,
+        status: data.state,
+        labels: data.labels.map((l) => l.name),
+        assignee: data.assignee ? `@${data.assignee.login}` : null
+      });
+    } catch (error) {
+      return (0, import_types21.Err)(error instanceof Error ? error : new Error(String(error)));
+    }
+  }
+  async fetchAllTickets() {
+    try {
+      const filterLabels = this.config.labels ?? [];
+      const labelsParam = filterLabels.length > 0 ? `&labels=${filterLabels.join(",")}` : "";
+      const tickets = [];
+      let page = 1;
+      const perPage = 100;
+      while (true) {
+        const response = await this.fetchFn(
+          `${this.apiBase}/repos/${this.owner}/${this.repo}/issues?state=all&per_page=${perPage}&page=${page}${labelsParam}`,
+          {
+            method: "GET",
+            headers: this.headers()
+          }
+        );
+        if (!response.ok) {
+          const text = await response.text();
+          return (0, import_types21.Err)(new Error(`GitHub API error ${response.status}: ${text}`));
+        }
+        const data = await response.json();
+        const issues = data.filter((d) => !d.pull_request);
+        for (const issue of issues) {
+          tickets.push({
+            externalId: buildExternalId(this.owner, this.repo, issue.number),
+            status: issue.state,
+            labels: issue.labels.map((l) => l.name),
+            assignee: issue.assignee ? `@${issue.assignee.login}` : null
+          });
+        }
+        if (data.length < perPage) break;
+        page++;
+      }
+      return (0, import_types21.Ok)(tickets);
+    } catch (error) {
+      return (0, import_types21.Err)(error instanceof Error ? error : new Error(String(error)));
+    }
+  }
+  async assignTicket(externalId, assignee) {
+    try {
+      const parsed = parseExternalId(externalId);
+      if (!parsed) return (0, import_types21.Err)(new Error(`Invalid externalId format: "${externalId}"`));
+      const login = assignee.startsWith("@") ? assignee.slice(1) : assignee;
+      const response = await this.fetchFn(
+        `${this.apiBase}/repos/${parsed.owner}/${parsed.repo}/issues/${parsed.number}/assignees`,
+        {
+          method: "POST",
+          headers: this.headers(),
+          body: JSON.stringify({ assignees: [login] })
+        }
+      );
+      if (!response.ok) {
+        const text = await response.text();
+        return (0, import_types21.Err)(new Error(`GitHub API error ${response.status}: ${text}`));
       }
+      return (0, import_types21.Ok)(void 0);
+    } catch (error) {
+      return (0, import_types21.Err)(error instanceof Error ? error : new Error(String(error)));
     }
   }
-  const sessionsDir = path19.join(projectPath, ".harness", "sessions");
-  if (fs19.existsSync(sessionsDir)) {
-    try {
-      const sessionDirs = fs19.readdirSync(sessionsDir, { withFileTypes: true });
-      for (const entry of sessionDirs) {
-        if (!entry.isDirectory()) continue;
-        const autopilotPath = path19.join(sessionsDir, entry.name, "autopilot-state.json");
-        if (!fs19.existsSync(autopilotPath)) continue;
-        try {
-          const raw = fs19.readFileSync(autopilotPath, "utf-8");
-          const autopilot = JSON.parse(raw);
-          if (!autopilot.phases) continue;
-          const linkedPhases = autopilot.phases.filter(
-            (phase) => phase.planPath ? feature.plans.some((p) => p === phase.planPath || phase.planPath.endsWith(p)) : false
-          );
-          if (linkedPhases.length > 0) {
-            for (const phase of linkedPhases) {
-              if (phase.status === "complete") {
-                allTaskStatuses.push("complete");
-              } else if (phase.status === "pending") {
-                allTaskStatuses.push("pending");
-              } else {
-                allTaskStatuses.push("in_progress");
-              }
-            }
-          }
-        } catch {
+};
+
+// src/roadmap/sync-engine.ts
+var fs20 = __toESM(require("fs"));
+function emptySyncResult() {
+  return { created: [], updated: [], assignmentChanges: [], errors: [] };
+}
+async function syncToExternal(roadmap, adapter, _config) {
+  const result = emptySyncResult();
+  for (const milestone of roadmap.milestones) {
+    for (const feature of milestone.features) {
+      if (!feature.externalId) {
+        const createResult = await adapter.createTicket(feature, milestone.name);
+        if (createResult.ok) {
+          feature.externalId = createResult.value.externalId;
+          result.created.push(createResult.value);
+        } else {
+          result.errors.push({ featureOrId: feature.name, error: createResult.error });
+        }
+      } else {
+        const updateResult = await adapter.updateTicket(feature.externalId, feature);
+        if (updateResult.ok) {
+          result.updated.push(feature.externalId);
+        } else {
+          result.errors.push({ featureOrId: feature.externalId, error: updateResult.error });
         }
       }
-    } catch {
     }
   }
-  if (allTaskStatuses.length === 0) return null;
-  const allComplete = allTaskStatuses.every((s) => s === "complete");
-  if (allComplete) return "done";
-  const anyStarted = allTaskStatuses.some((s) => s === "in_progress" || s === "complete");
-  if (anyStarted) return "in-progress";
-  return null;
+  return result;
 }
-var STATUS_RANK = {
-  backlog: 0,
-  planned: 1,
-  blocked: 1,
-  // lateral to planned — sync can move to/from blocked freely
-  "in-progress": 2,
-  done: 3
-};
-function isRegression(from, to) {
-  return STATUS_RANK[to] < STATUS_RANK[from];
+async function syncFromExternal(roadmap, adapter, config, options) {
+  const result = emptySyncResult();
+  const forceSync = options?.forceSync ?? false;
+  const featureByExternalId = /* @__PURE__ */ new Map();
+  for (const milestone of roadmap.milestones) {
+    for (const feature of milestone.features) {
+      if (feature.externalId) {
+        featureByExternalId.set(feature.externalId, feature);
+      }
+    }
+  }
+  if (featureByExternalId.size === 0) return result;
+  const fetchResult = await adapter.fetchAllTickets();
+  if (!fetchResult.ok) {
+    result.errors.push({ featureOrId: "*", error: fetchResult.error });
+    return result;
+  }
+  for (const ticketState of fetchResult.value) {
+    const feature = featureByExternalId.get(ticketState.externalId);
+    if (!feature) continue;
+    if (ticketState.assignee !== feature.assignee) {
+      result.assignmentChanges.push({
+        feature: feature.name,
+        from: feature.assignee,
+        to: ticketState.assignee
+      });
+      feature.assignee = ticketState.assignee;
+    }
+    const resolvedStatus = resolveReverseStatus(ticketState.status, ticketState.labels, config);
+    if (resolvedStatus && resolvedStatus !== feature.status) {
+      const newStatus = resolvedStatus;
+      if (!forceSync && isRegression(feature.status, newStatus)) {
+        continue;
+      }
+      feature.status = newStatus;
+    }
+  }
+  return result;
 }
-function syncRoadmap(options) {
-  const { projectPath, roadmap, forceSync } = options;
+var syncMutex = Promise.resolve();
+async function fullSync(roadmapPath, adapter, config, options) {
+  const previousSync = syncMutex;
+  let releaseMutex;
+  syncMutex = new Promise((resolve7) => {
+    releaseMutex = resolve7;
+  });
+  await previousSync;
+  try {
+    const raw = fs20.readFileSync(roadmapPath, "utf-8");
+    const parseResult = parseRoadmap(raw);
+    if (!parseResult.ok) {
+      return {
+        ...emptySyncResult(),
+        errors: [{ featureOrId: "*", error: parseResult.error }]
+      };
+    }
+    const roadmap = parseResult.value;
+    const pushResult = await syncToExternal(roadmap, adapter, config);
+    const pullResult = await syncFromExternal(roadmap, adapter, config, options);
+    fs20.writeFileSync(roadmapPath, serializeRoadmap(roadmap), "utf-8");
+    return {
+      created: pushResult.created,
+      updated: pushResult.updated,
+      assignmentChanges: pullResult.assignmentChanges,
+      errors: [...pushResult.errors, ...pullResult.errors]
+    };
+  } finally {
+    releaseMutex();
+  }
+}
+
+// src/roadmap/pilot-scoring.ts
+var PRIORITY_RANK = {
+  P0: 0,
+  P1: 1,
+  P2: 2,
+  P3: 3
+};
+var POSITION_WEIGHT = 0.5;
+var DEPENDENTS_WEIGHT = 0.3;
+var AFFINITY_WEIGHT = 0.2;
+function scoreRoadmapCandidates(roadmap, options) {
   const allFeatures = roadmap.milestones.flatMap((m) => m.features);
-  const changes = [];
+  const allFeatureNames = new Set(allFeatures.map((f) => f.name.toLowerCase()));
+  const doneFeatures = new Set(
+    allFeatures.filter((f) => f.status === "done").map((f) => f.name.toLowerCase())
+  );
+  const dependentsCount = /* @__PURE__ */ new Map();
   for (const feature of allFeatures) {
-    const inferred = inferStatus(feature, projectPath, allFeatures);
-    if (inferred === null) continue;
-    if (inferred === feature.status) continue;
-    if (!forceSync && isRegression(feature.status, inferred)) continue;
-    changes.push({
-      feature: feature.name,
-      from: feature.status,
-      to: inferred
-    });
+    for (const blocker of feature.blockedBy) {
+      const key = blocker.toLowerCase();
+      dependentsCount.set(key, (dependentsCount.get(key) ?? 0) + 1);
+    }
   }
-  return (0, import_types20.Ok)(changes);
-}
-function applySyncChanges(roadmap, changes) {
-  for (const change of changes) {
-    for (const m of roadmap.milestones) {
-      const feature = m.features.find((f) => f.name.toLowerCase() === change.feature.toLowerCase());
-      if (feature) {
-        feature.status = change.to;
-        break;
+  const maxDependents = Math.max(1, ...dependentsCount.values());
+  const milestoneMap = /* @__PURE__ */ new Map();
+  for (const ms of roadmap.milestones) {
+    milestoneMap.set(
+      ms.name,
+      ms.features.map((f) => f.name.toLowerCase())
+    );
+  }
+  const userCompletedFeatures = /* @__PURE__ */ new Set();
+  if (options?.currentUser) {
+    const user = options.currentUser.toLowerCase();
+    for (const record of roadmap.assignmentHistory) {
+      if (record.action === "completed" && record.assignee.toLowerCase() === user) {
+        userCompletedFeatures.add(record.feature.toLowerCase());
+      }
+    }
+  }
+  let totalPositions = 0;
+  for (const ms of roadmap.milestones) {
+    totalPositions += ms.features.length;
+  }
+  totalPositions = Math.max(1, totalPositions);
+  const candidates = [];
+  let globalPosition = 0;
+  for (const ms of roadmap.milestones) {
+    for (let featureIdx = 0; featureIdx < ms.features.length; featureIdx++) {
+      const feature = ms.features[featureIdx];
+      globalPosition++;
+      if (feature.status !== "planned" && feature.status !== "backlog") continue;
+      const isBlocked = feature.blockedBy.some((blocker) => {
+        const key = blocker.toLowerCase();
+        return allFeatureNames.has(key) && !doneFeatures.has(key);
+      });
+      if (isBlocked) continue;
+      const positionScore = 1 - (globalPosition - 1) / totalPositions;
+      const deps = dependentsCount.get(feature.name.toLowerCase()) ?? 0;
+      const dependentsScore = deps / maxDependents;
+      let affinityScore = 0;
+      if (userCompletedFeatures.size > 0) {
+        const completedBlockers = feature.blockedBy.filter(
+          (b) => userCompletedFeatures.has(b.toLowerCase())
+        );
+        if (completedBlockers.length > 0) {
+          affinityScore = 1;
+        } else {
+          const siblings = milestoneMap.get(ms.name) ?? [];
+          const completedSiblings = siblings.filter((s) => userCompletedFeatures.has(s));
+          if (completedSiblings.length > 0) {
+            affinityScore = 0.5;
+          }
+        }
       }
+      const weightedScore = POSITION_WEIGHT * positionScore + DEPENDENTS_WEIGHT * dependentsScore + AFFINITY_WEIGHT * affinityScore;
+      const priorityTier = feature.priority ? PRIORITY_RANK[feature.priority] : null;
+      candidates.push({
+        feature,
+        milestone: ms.name,
+        positionScore,
+        dependentsScore,
+        affinityScore,
+        weightedScore,
+        priorityTier
+      });
     }
   }
-  roadmap.frontmatter.lastSynced = (/* @__PURE__ */ new Date()).toISOString();
+  candidates.sort((a, b) => {
+    if (a.priorityTier !== null && b.priorityTier === null) return -1;
+    if (a.priorityTier === null && b.priorityTier !== null) return 1;
+    if (a.priorityTier !== null && b.priorityTier !== null) {
+      if (a.priorityTier !== b.priorityTier) return a.priorityTier - b.priorityTier;
+    }
+    return b.weightedScore - a.weightedScore;
+  });
+  return candidates;
+}
+function assignFeature(roadmap, feature, assignee, date) {
+  if (feature.assignee === assignee) return;
+  if (feature.assignee !== null) {
+    roadmap.assignmentHistory.push({
+      feature: feature.name,
+      assignee: feature.assignee,
+      action: "unassigned",
+      date
+    });
+  }
+  feature.assignee = assignee;
+  roadmap.assignmentHistory.push({
+    feature: feature.name,
+    assignee,
+    action: "assigned",
+    date
+  });
 }
 
 // src/interaction/types.ts
@@ -11838,17 +13000,18 @@ var EmitInteractionInputSchema = import_zod8.z.object({
 });
 
 // src/blueprint/scanner.ts
-var fs20 = __toESM(require("fs/promises"));
+var fs21 = __toESM(require("fs/promises"));
 var path20 = __toESM(require("path"));
 var ProjectScanner = class {
   constructor(rootDir) {
     this.rootDir = rootDir;
   }
+  rootDir;
   async scan() {
     let projectName = path20.basename(this.rootDir);
     try {
       const pkgPath = path20.join(this.rootDir, "package.json");
-      const pkgRaw = await fs20.readFile(pkgPath, "utf-8");
+      const pkgRaw = await fs21.readFile(pkgPath, "utf-8");
       const pkg = JSON.parse(pkgRaw);
       if (pkg.name) projectName = pkg.name;
     } catch {
@@ -11889,7 +13052,7 @@ var ProjectScanner = class {
 };
 
 // src/blueprint/generator.ts
-var fs21 = __toESM(require("fs/promises"));
+var fs22 = __toESM(require("fs/promises"));
 var path21 = __toESM(require("path"));
 var ejs = __toESM(require("ejs"));
 
@@ -11974,13 +13137,13 @@ var BlueprintGenerator = class {
       styles: STYLES,
       scripts: SCRIPTS
     });
-    await fs21.mkdir(options.outputDir, { recursive: true });
-    await fs21.writeFile(path21.join(options.outputDir, "index.html"), html);
+    await fs22.mkdir(options.outputDir, { recursive: true });
+    await fs22.writeFile(path21.join(options.outputDir, "index.html"), html);
   }
 };
 
 // src/update-checker.ts
-var fs22 = __toESM(require("fs"));
+var fs23 = __toESM(require("fs"));
 var path22 = __toESM(require("path"));
 var os = __toESM(require("os"));
 var import_child_process3 = require("child_process");
@@ -11999,7 +13162,7 @@ function shouldRunCheck(state, intervalMs) {
 }
 function readCheckState() {
   try {
-    const raw = fs22.readFileSync(getStatePath(), "utf-8");
+    const raw = fs23.readFileSync(getStatePath(), "utf-8");
     const parsed = JSON.parse(raw);
     if (typeof parsed === "object" && parsed !== null && "lastCheckTime" in parsed && typeof parsed.lastCheckTime === "number" && "currentVersion" in parsed && typeof parsed.currentVersion === "string") {
       const state = parsed;
@@ -12106,9 +13269,9 @@ async function resolveWasmPath(grammarName) {
   const { createRequire } = await import("module");
   const require2 = createRequire(import_meta.url ?? __filename);
   const pkgPath = require2.resolve("tree-sitter-wasms/package.json");
-  const path23 = await import("path");
-  const pkgDir = path23.dirname(pkgPath);
-  return path23.join(pkgDir, "out", `${grammarName}.wasm`);
+  const path26 = await import("path");
+  const pkgDir = path26.dirname(pkgPath);
+  return path26.join(pkgDir, "out", `${grammarName}.wasm`);
 }
 async function loadLanguage(lang) {
   const grammarName = GRAMMAR_MAP[lang];
@@ -12472,6 +13635,489 @@ async function unfoldRange(filePath, startLine, endLine) {
   };
 }
 
+// src/pricing/pricing.ts
+var TOKENS_PER_MILLION = 1e6;
+function parseLiteLLMData(raw) {
+  const dataset = /* @__PURE__ */ new Map();
+  for (const [modelName, entry] of Object.entries(raw)) {
+    if (modelName === "sample_spec") continue;
+    if (entry.mode && entry.mode !== "chat") continue;
+    const inputCost = entry.input_cost_per_token;
+    const outputCost = entry.output_cost_per_token;
+    if (inputCost == null || outputCost == null) continue;
+    const pricing = {
+      inputPer1M: inputCost * TOKENS_PER_MILLION,
+      outputPer1M: outputCost * TOKENS_PER_MILLION
+    };
+    if (entry.cache_read_input_token_cost != null) {
+      pricing.cacheReadPer1M = entry.cache_read_input_token_cost * TOKENS_PER_MILLION;
+    }
+    if (entry.cache_creation_input_token_cost != null) {
+      pricing.cacheWritePer1M = entry.cache_creation_input_token_cost * TOKENS_PER_MILLION;
+    }
+    dataset.set(modelName, pricing);
+  }
+  return dataset;
+}
+function getModelPrice(model, dataset) {
+  if (!model) {
+    console.warn("[harness pricing] No model specified \u2014 cannot look up pricing.");
+    return null;
+  }
+  const pricing = dataset.get(model);
+  if (!pricing) {
+    console.warn(
+      `[harness pricing] No pricing data for model "${model}". Consider updating pricing data.`
+    );
+    return null;
+  }
+  return pricing;
+}
+
+// src/pricing/cache.ts
+var fs24 = __toESM(require("fs/promises"));
+var path23 = __toESM(require("path"));
+
+// src/pricing/fallback.json
+var fallback_default = {
+  _generatedAt: "2026-03-31",
+  _source: "https://raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.json",
+  models: {
+    "claude-opus-4-20250514": {
+      inputPer1M: 15,
+      outputPer1M: 75,
+      cacheReadPer1M: 1.5,
+      cacheWritePer1M: 18.75
+    },
+    "claude-sonnet-4-20250514": {
+      inputPer1M: 3,
+      outputPer1M: 15,
+      cacheReadPer1M: 0.3,
+      cacheWritePer1M: 3.75
+    },
+    "claude-3-5-haiku-20241022": {
+      inputPer1M: 0.8,
+      outputPer1M: 4,
+      cacheReadPer1M: 0.08,
+      cacheWritePer1M: 1
+    },
+    "gpt-4o": {
+      inputPer1M: 2.5,
+      outputPer1M: 10,
+      cacheReadPer1M: 1.25
+    },
+    "gpt-4o-mini": {
+      inputPer1M: 0.15,
+      outputPer1M: 0.6,
+      cacheReadPer1M: 0.075
+    },
+    "gemini-2.0-flash": {
+      inputPer1M: 0.1,
+      outputPer1M: 0.4,
+      cacheReadPer1M: 0.025
+    },
+    "gemini-2.5-pro": {
+      inputPer1M: 1.25,
+      outputPer1M: 10,
+      cacheReadPer1M: 0.3125
+    }
+  }
+};
+
+// src/pricing/cache.ts
+var LITELLM_PRICING_URL = "https://raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.json";
+var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
+var STALENESS_WARNING_DAYS = 7;
+function getCachePath(projectRoot) {
+  return path23.join(projectRoot, ".harness", "cache", "pricing.json");
+}
+function getStalenessMarkerPath(projectRoot) {
+  return path23.join(projectRoot, ".harness", "cache", "staleness-marker.json");
+}
+async function readDiskCache(projectRoot) {
+  try {
+    const raw = await fs24.readFile(getCachePath(projectRoot), "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function writeDiskCache(projectRoot, data) {
+  const cachePath = getCachePath(projectRoot);
+  await fs24.mkdir(path23.dirname(cachePath), { recursive: true });
+  await fs24.writeFile(cachePath, JSON.stringify(data, null, 2));
+}
+async function fetchFromNetwork() {
+  try {
+    const response = await fetch(LITELLM_PRICING_URL);
+    if (!response.ok) return null;
+    const data = await response.json();
+    if (typeof data !== "object" || data === null || Array.isArray(data)) return null;
+    return {
+      fetchedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      data
+    };
+  } catch {
+    return null;
+  }
+}
+function loadFallbackDataset() {
+  const fb = fallback_default;
+  const dataset = /* @__PURE__ */ new Map();
+  for (const [model, pricing] of Object.entries(fb.models)) {
+    dataset.set(model, pricing);
+  }
+  return dataset;
+}
+async function checkAndWarnStaleness(projectRoot) {
+  const markerPath = getStalenessMarkerPath(projectRoot);
+  try {
+    const raw = await fs24.readFile(markerPath, "utf-8");
+    const marker = JSON.parse(raw);
+    const firstUse = new Date(marker.firstFallbackUse).getTime();
+    const now = Date.now();
+    const daysSinceFirstUse = (now - firstUse) / (24 * 60 * 60 * 1e3);
+    if (daysSinceFirstUse > STALENESS_WARNING_DAYS) {
+      console.warn(
+        `[harness pricing] Pricing data is stale \u2014 using bundled fallback for ${Math.floor(daysSinceFirstUse)} days. Connect to the internet to refresh pricing data.`
+      );
+    }
+  } catch {
+    try {
+      await fs24.mkdir(path23.dirname(markerPath), { recursive: true });
+      await fs24.writeFile(
+        markerPath,
+        JSON.stringify({ firstFallbackUse: (/* @__PURE__ */ new Date()).toISOString() })
+      );
+    } catch {
+    }
+  }
+}
+async function clearStalenessMarker(projectRoot) {
+  try {
+    await fs24.unlink(getStalenessMarkerPath(projectRoot));
+  } catch {
+  }
+}
+async function loadPricingData(projectRoot) {
+  const cache = await readDiskCache(projectRoot);
+  if (cache) {
+    const cacheAge = Date.now() - new Date(cache.fetchedAt).getTime();
+    if (cacheAge < CACHE_TTL_MS) {
+      await clearStalenessMarker(projectRoot);
+      return parseLiteLLMData(cache.data);
+    }
+  }
+  const fetched = await fetchFromNetwork();
+  if (fetched) {
+    await writeDiskCache(projectRoot, fetched);
+    await clearStalenessMarker(projectRoot);
+    return parseLiteLLMData(fetched.data);
+  }
+  if (cache) {
+    return parseLiteLLMData(cache.data);
+  }
+  await checkAndWarnStaleness(projectRoot);
+  return loadFallbackDataset();
+}
+
+// src/pricing/calculator.ts
+var MICRODOLLARS_PER_DOLLAR = 1e6;
+var TOKENS_PER_MILLION2 = 1e6;
+function calculateCost(record, dataset) {
+  if (!record.model) return null;
+  const pricing = getModelPrice(record.model, dataset);
+  if (!pricing) return null;
+  let costUSD = 0;
+  costUSD += record.tokens.inputTokens / TOKENS_PER_MILLION2 * pricing.inputPer1M;
+  costUSD += record.tokens.outputTokens / TOKENS_PER_MILLION2 * pricing.outputPer1M;
+  if (record.cacheReadTokens != null && pricing.cacheReadPer1M != null) {
+    costUSD += record.cacheReadTokens / TOKENS_PER_MILLION2 * pricing.cacheReadPer1M;
+  }
+  if (record.cacheCreationTokens != null && pricing.cacheWritePer1M != null) {
+    costUSD += record.cacheCreationTokens / TOKENS_PER_MILLION2 * pricing.cacheWritePer1M;
+  }
+  return Math.round(costUSD * MICRODOLLARS_PER_DOLLAR);
+}
+
+// src/usage/aggregator.ts
+function aggregateBySession(records) {
+  if (records.length === 0) return [];
+  const sessionMap = /* @__PURE__ */ new Map();
+  for (const record of records) {
+    const tagged = record;
+    const id = record.sessionId;
+    if (!sessionMap.has(id)) {
+      sessionMap.set(id, { harnessRecords: [], ccRecords: [], allRecords: [] });
+    }
+    const bucket = sessionMap.get(id);
+    if (tagged._source === "claude-code") {
+      bucket.ccRecords.push(tagged);
+    } else {
+      bucket.harnessRecords.push(tagged);
+    }
+    bucket.allRecords.push(tagged);
+  }
+  const results = [];
+  for (const [sessionId, bucket] of sessionMap) {
+    const hasHarness = bucket.harnessRecords.length > 0;
+    const hasCC = bucket.ccRecords.length > 0;
+    const isMerged = hasHarness && hasCC;
+    const tokenSource = hasHarness ? bucket.harnessRecords : bucket.ccRecords;
+    const tokens = { inputTokens: 0, outputTokens: 0, totalTokens: 0 };
+    let cacheCreation;
+    let cacheRead;
+    let costMicroUSD = 0;
+    let model;
+    for (const r of tokenSource) {
+      tokens.inputTokens += r.tokens.inputTokens;
+      tokens.outputTokens += r.tokens.outputTokens;
+      tokens.totalTokens += r.tokens.totalTokens;
+      if (r.cacheCreationTokens != null) {
+        cacheCreation = (cacheCreation ?? 0) + r.cacheCreationTokens;
+      }
+      if (r.cacheReadTokens != null) {
+        cacheRead = (cacheRead ?? 0) + r.cacheReadTokens;
+      }
+      if (r.costMicroUSD != null && costMicroUSD != null) {
+        costMicroUSD += r.costMicroUSD;
+      } else if (r.costMicroUSD == null) {
+        costMicroUSD = null;
+      }
+      if (!model && r.model) {
+        model = r.model;
+      }
+    }
+    if (!model && hasCC) {
+      for (const r of bucket.ccRecords) {
+        if (r.model) {
+          model = r.model;
+          break;
+        }
+      }
+    }
+    const timestamps = bucket.allRecords.map((r) => r.timestamp).sort();
+    const source = isMerged ? "merged" : hasCC ? "claude-code" : "harness";
+    const session = {
+      sessionId,
+      firstTimestamp: timestamps[0] ?? "",
+      lastTimestamp: timestamps[timestamps.length - 1] ?? "",
+      tokens,
+      costMicroUSD,
+      source
+    };
+    if (model) session.model = model;
+    if (cacheCreation != null) session.cacheCreationTokens = cacheCreation;
+    if (cacheRead != null) session.cacheReadTokens = cacheRead;
+    results.push(session);
+  }
+  results.sort((a, b) => b.firstTimestamp.localeCompare(a.firstTimestamp));
+  return results;
+}
+function aggregateByDay(records) {
+  if (records.length === 0) return [];
+  const dayMap = /* @__PURE__ */ new Map();
+  for (const record of records) {
+    const date = record.timestamp.slice(0, 10);
+    if (!dayMap.has(date)) {
+      dayMap.set(date, {
+        sessions: /* @__PURE__ */ new Set(),
+        tokens: { inputTokens: 0, outputTokens: 0, totalTokens: 0 },
+        costMicroUSD: 0,
+        models: /* @__PURE__ */ new Set()
+      });
+    }
+    const day = dayMap.get(date);
+    day.sessions.add(record.sessionId);
+    day.tokens.inputTokens += record.tokens.inputTokens;
+    day.tokens.outputTokens += record.tokens.outputTokens;
+    day.tokens.totalTokens += record.tokens.totalTokens;
+    if (record.cacheCreationTokens != null) {
+      day.cacheCreation = (day.cacheCreation ?? 0) + record.cacheCreationTokens;
+    }
+    if (record.cacheReadTokens != null) {
+      day.cacheRead = (day.cacheRead ?? 0) + record.cacheReadTokens;
+    }
+    if (record.costMicroUSD != null && day.costMicroUSD != null) {
+      day.costMicroUSD += record.costMicroUSD;
+    } else if (record.costMicroUSD == null) {
+      day.costMicroUSD = null;
+    }
+    if (record.model) {
+      day.models.add(record.model);
+    }
+  }
+  const results = [];
+  for (const [date, day] of dayMap) {
+    const entry = {
+      date,
+      sessionCount: day.sessions.size,
+      tokens: day.tokens,
+      costMicroUSD: day.costMicroUSD,
+      models: Array.from(day.models).sort()
+    };
+    if (day.cacheCreation != null) entry.cacheCreationTokens = day.cacheCreation;
+    if (day.cacheRead != null) entry.cacheReadTokens = day.cacheRead;
+    results.push(entry);
+  }
+  results.sort((a, b) => b.date.localeCompare(a.date));
+  return results;
+}
+
+// src/usage/jsonl-reader.ts
+var fs25 = __toESM(require("fs"));
+var path24 = __toESM(require("path"));
+function parseLine(line, lineNumber) {
+  let entry;
+  try {
+    entry = JSON.parse(line);
+  } catch {
+    console.warn(`[harness usage] Skipping malformed JSONL line ${lineNumber}`);
+    return null;
+  }
+  const tokenUsage = entry.token_usage;
+  if (!tokenUsage || typeof tokenUsage !== "object") {
+    console.warn(
+      `[harness usage] Skipping malformed JSONL line ${lineNumber}: missing token_usage`
+    );
+    return null;
+  }
+  const inputTokens = tokenUsage.input_tokens ?? 0;
+  const outputTokens = tokenUsage.output_tokens ?? 0;
+  const record = {
+    sessionId: entry.session_id ?? "unknown",
+    timestamp: entry.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    tokens: {
+      inputTokens,
+      outputTokens,
+      totalTokens: inputTokens + outputTokens
+    }
+  };
+  if (entry.cache_creation_tokens != null) {
+    record.cacheCreationTokens = entry.cache_creation_tokens;
+  }
+  if (entry.cache_read_tokens != null) {
+    record.cacheReadTokens = entry.cache_read_tokens;
+  }
+  if (entry.model != null) {
+    record.model = entry.model;
+  }
+  return record;
+}
+function readCostRecords(projectRoot) {
+  const costsFile = path24.join(projectRoot, ".harness", "metrics", "costs.jsonl");
+  let raw;
+  try {
+    raw = fs25.readFileSync(costsFile, "utf-8");
+  } catch {
+    return [];
+  }
+  const records = [];
+  const lines = raw.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]?.trim();
+    if (!line) continue;
+    const record = parseLine(line, i + 1);
+    if (record) {
+      records.push(record);
+    }
+  }
+  return records;
+}
+
+// src/usage/cc-parser.ts
+var fs26 = __toESM(require("fs"));
+var path25 = __toESM(require("path"));
+var os2 = __toESM(require("os"));
+function extractUsage(entry) {
+  if (entry.type !== "assistant") return null;
+  const message = entry.message;
+  if (!message || typeof message !== "object") return null;
+  const usage = message.usage;
+  return usage && typeof usage === "object" && !Array.isArray(usage) ? usage : null;
+}
+function buildRecord(entry, usage) {
+  const inputTokens = Number(usage.input_tokens) || 0;
+  const outputTokens = Number(usage.output_tokens) || 0;
+  const message = entry.message;
+  const record = {
+    sessionId: entry.sessionId ?? "unknown",
+    timestamp: entry.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    tokens: { inputTokens, outputTokens, totalTokens: inputTokens + outputTokens },
+    _source: "claude-code"
+  };
+  const model = message.model;
+  if (model) record.model = model;
+  const cacheCreate = usage.cache_creation_input_tokens;
+  const cacheRead = usage.cache_read_input_tokens;
+  if (typeof cacheCreate === "number" && cacheCreate > 0) record.cacheCreationTokens = cacheCreate;
+  if (typeof cacheRead === "number" && cacheRead > 0) record.cacheReadTokens = cacheRead;
+  return record;
+}
+function parseCCLine(line, filePath, lineNumber) {
+  let entry;
+  try {
+    entry = JSON.parse(line);
+  } catch {
+    console.warn(
+      `[harness usage] Skipping malformed CC JSONL line ${lineNumber} in ${path25.basename(filePath)}`
+    );
+    return null;
+  }
+  const usage = extractUsage(entry);
+  if (!usage) return null;
+  return {
+    record: buildRecord(entry, usage),
+    requestId: entry.requestId ?? null
+  };
+}
+function readCCFile(filePath) {
+  let raw;
+  try {
+    raw = fs26.readFileSync(filePath, "utf-8");
+  } catch {
+    return [];
+  }
+  const byRequestId = /* @__PURE__ */ new Map();
+  const noRequestId = [];
+  const lines = raw.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]?.trim();
+    if (!line) continue;
+    const parsed = parseCCLine(line, filePath, i + 1);
+    if (!parsed) continue;
+    if (parsed.requestId) {
+      byRequestId.set(parsed.requestId, parsed.record);
+    } else {
+      noRequestId.push(parsed.record);
+    }
+  }
+  return [...byRequestId.values(), ...noRequestId];
+}
+function parseCCRecords() {
+  const homeDir = process.env.HOME ?? os2.homedir();
+  const projectsDir = path25.join(homeDir, ".claude", "projects");
+  let projectDirs;
+  try {
+    projectDirs = fs26.readdirSync(projectsDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => path25.join(projectsDir, d.name));
+  } catch {
+    return [];
+  }
+  const records = [];
+  for (const dir of projectDirs) {
+    let files;
+    try {
+      files = fs26.readdirSync(dir).filter((f) => f.endsWith(".jsonl")).map((f) => path25.join(dir, f));
+    } catch {
+      continue;
+    }
+    for (const file of files) {
+      records.push(...readCCFile(file));
+    }
+  }
+  return records;
+}
+
 // src/index.ts
 var VERSION = "0.15.0";
 // Annotate the CommonJS export names for ESM import in node:
@@ -12490,6 +14136,7 @@ var VERSION = "0.15.0";
   BlueprintGenerator,
   BundleConstraintsSchema,
   BundleSchema,
+  CACHE_TTL_MS,
   COMPLIANCE_DESCRIPTOR,
   CategoryBaselineSchema,
   CategoryRegressionSchema,
@@ -12507,6 +14154,7 @@ var VERSION = "0.15.0";
   DEFAULT_SECURITY_CONFIG,
   DEFAULT_STATE,
   DEFAULT_STREAM_INDEX,
+  DESTRUCTIVE_BASH,
   DepDepthCollector,
   EXTENSION_MAP,
   EmitInteractionInputSchema,
@@ -12518,9 +14166,11 @@ var VERSION = "0.15.0";
   ForbiddenImportCollector,
   GateConfigSchema,
   GateResultSchema,
+  GitHubIssuesSyncAdapter,
   HandoffSchema,
   HarnessStateSchema,
   InteractionTypeSchema,
+  LITELLM_PRICING_URL,
   LayerViolationCollector,
   LockfilePackageSchema,
   LockfileSchema,
@@ -12537,6 +14187,8 @@ var VERSION = "0.15.0";
   RegressionDetector,
   RuleRegistry,
   SECURITY_DESCRIPTOR,
+  STALENESS_WARNING_DAYS,
+  STATUS_RANK,
   SecurityConfigSchema,
   SecurityScanner,
   SharableBoundaryConfigSchema,
@@ -12553,6 +14205,8 @@ var VERSION = "0.15.0";
   ViolationSchema,
   addProvenance,
   agentConfigRules,
+  aggregateByDay,
+  aggregateBySession,
   analyzeDiff,
   analyzeLearningPatterns,
   appendFailure,
@@ -12568,16 +14222,22 @@ var VERSION = "0.15.0";
   archiveLearnings,
   archiveSession,
   archiveStream,
+  assignFeature,
   buildDependencyGraph,
   buildExclusionSet,
   buildSnapshot,
+  calculateCost,
   checkDocCoverage,
   checkEligibility,
   checkEvidenceCoverage,
+  checkTaint,
   classifyFinding,
   clearEventHashCache,
   clearFailuresCache,
   clearLearningsCache,
+  clearTaint,
+  computeOverallSeverity,
+  computeScanExitCode,
   configureFeedback,
   constraintRuleId,
   contextBudget,
@@ -12627,40 +14287,55 @@ var VERSION = "0.15.0";
   formatGitHubSummary,
   formatOutline,
   formatTerminalOutput,
+  fullSync,
   generateAgentsMap,
   generateSuggestions,
   getActionEmitter,
   getExitCode,
   getFeedbackConfig,
+  getInjectionPatterns,
+  getModelPrice,
   getOutline,
   getParser,
   getPhaseCategories,
   getStreamForBranch,
+  getTaintFilePath,
   getUpdateNotification,
   goRules,
   injectionRules,
+  insecureDefaultsRules,
+  isDuplicateFinding,
+  isRegression,
   isSmallSuggestion,
   isUpdateCheckEnabled,
   listActiveSessions,
   listStreams,
+  listTaintedSessions,
   loadBudgetedLearnings,
   loadEvents,
   loadFailures,
   loadHandoff,
   loadIndexEntries,
+  loadPricingData,
   loadRelevantLearnings,
   loadSessionSummary,
   loadState,
   loadStreamIndex,
   logAgentAction,
+  mapInjectionFindings,
+  mapSecurityFindings,
+  mapSecuritySeverity,
   mcpRules,
   migrateToStreams,
   networkRules,
   nodeRules,
+  parseCCRecords,
   parseDateFromEntry,
   parseDiff,
   parseFile,
   parseFrontmatter,
+  parseHarnessIgnore,
+  parseLiteLLMData,
   parseManifest,
   parseRoadmap,
   parseSecurityConfig,
@@ -12671,9 +14346,11 @@ var VERSION = "0.15.0";
   pruneLearnings,
   reactRules,
   readCheckState,
+  readCostRecords,
   readLockfile,
   readSessionSection,
   readSessionSections,
+  readTaint,
   removeContributions,
   removeProvenance,
   requestMultiplePeerReviews,
@@ -12682,6 +14359,7 @@ var VERSION = "0.15.0";
   resetParserCache,
   resolveFileToLayer,
   resolveModelTier,
+  resolveReverseStatus,
   resolveRuleSeverity,
   resolveSessionDir,
   resolveStreamPath,
@@ -12700,15 +14378,20 @@ var VERSION = "0.15.0";
   saveHandoff,
   saveState,
   saveStreamIndex,
+  scanForInjection,
   scopeContext,
+  scoreRoadmapCandidates,
   searchSymbols,
   secretRules,
   serializeRoadmap,
   setActiveStream,
+  sharpEdgesRules,
   shouldRunCheck,
   spawnBackgroundCheck,
   syncConstraintNodes,
+  syncFromExternal,
   syncRoadmap,
+  syncToExternal,
   tagUncitedFindings,
   touchStream,
   trackAction,
@@ -12729,6 +14412,7 @@ var VERSION = "0.15.0";
   writeConfig,
   writeLockfile,
   writeSessionSummary,
+  writeTaint,
   xssRules,
   ...require("@harness-engineering/types")
 });