npm - @harness-engineering/core - Versions diffs - 0.15.0 → 0.17.0 - Mend

@harness-engineering/core 0.15.0 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +1 -0
package/dist/architecture/matchers.d.mts +1 -1
package/dist/architecture/matchers.d.ts +1 -1
package/dist/index.d.mts +467 -85
package/dist/index.d.ts +467 -85
package/dist/index.js +1834 -150
package/dist/index.mjs +1744 -98
package/dist/{matchers-Dj1t5vpg.d.mts → matchers-D20x48U9.d.mts} +46 -46
package/dist/{matchers-Dj1t5vpg.d.ts → matchers-D20x48U9.d.ts} +46 -46
package/package.json +14 -14

package/dist/index.mjs CHANGED Viewed

@@ -84,15 +84,15 @@ function validateConfig(data, schema) {
   let message = "Configuration validation failed";
   const suggestions = [];
   if (firstError) {
-    const path23 = firstError.path.join(".");
-    const pathDisplay = path23 ? ` at "${path23}"` : "";
+    const path26 = firstError.path.join(".");
+    const pathDisplay = path26 ? ` at "${path26}"` : "";
     if (firstError.code === "invalid_type") {
       const received = firstError.received;
       const expected = firstError.expected;
       if (received === "undefined") {
         code = "MISSING_FIELD";
         message = `Missing required field${pathDisplay}: ${firstError.message}`;
-        suggestions.push(`Field "${path23}" is required and must be of type "${expected}"`);
+        suggestions.push(`Field "${path26}" is required and must be of type "${expected}"`);
       } else {
         code = "INVALID_TYPE";
         message = `Invalid type${pathDisplay}: ${firstError.message}`;
@@ -308,27 +308,27 @@ function extractSections(content) {
   }
   return sections.map((section) => buildAgentMapSection(section, lines));
 }
-function isExternalLink(path23) {
-  return path23.startsWith("http://") || path23.startsWith("https://") || path23.startsWith("#") || path23.startsWith("mailto:");
+function isExternalLink(path26) {
+  return path26.startsWith("http://") || path26.startsWith("https://") || path26.startsWith("#") || path26.startsWith("mailto:");
 }
 function resolveLinkPath(linkPath, baseDir) {
   return linkPath.startsWith(".") ? join(baseDir, linkPath) : linkPath;
 }
-async function validateAgentsMap(path23 = "./AGENTS.md") {
-  const contentResult = await readFileContent(path23);
+async function validateAgentsMap(path26 = "./AGENTS.md") {
+  const contentResult = await readFileContent(path26);
   if (!contentResult.ok) {
     return Err(
       createError(
         "PARSE_ERROR",
         `Failed to read AGENTS.md: ${contentResult.error.message}`,
-        { path: path23 },
+        { path: path26 },
         ["Ensure the file exists", "Check file permissions"]
       )
     );
   }
   const content = contentResult.value;
   const sections = extractSections(content);
-  const baseDir = dirname(path23);
+  const baseDir = dirname(path26);
   const sectionTitles = sections.map((s) => s.title);
   const missingSections = REQUIRED_SECTIONS.filter(
     (required) => !sectionTitles.some((title) => title.toLowerCase().includes(required.toLowerCase()))
@@ -469,8 +469,8 @@ async function checkDocCoverage(domain, options = {}) {
 // src/context/knowledge-map.ts
 import { join as join2, basename as basename2 } from "path";
-function suggestFix(path23, existingFiles) {
-  const targetName = basename2(path23).toLowerCase();
+function suggestFix(path26, existingFiles) {
+  const targetName = basename2(path26).toLowerCase();
   const similar = existingFiles.find((file) => {
     const fileName = basename2(file).toLowerCase();
     return fileName.includes(targetName) || targetName.includes(fileName);
@@ -478,7 +478,7 @@ function suggestFix(path23, existingFiles) {
   if (similar) {
     return `Did you mean "${similar}"?`;
   }
-  return `Create the file "${path23}" or remove the link`;
+  return `Create the file "${path26}" or remove the link`;
 }
 async function validateKnowledgeMap(rootDir = process.cwd()) {
   const agentsPath = join2(rootDir, "AGENTS.md");
@@ -830,8 +830,8 @@ function createBoundaryValidator(schema, name) {
         return Ok(result.data);
       }
       const suggestions = result.error.issues.map((issue) => {
-        const path23 = issue.path.join(".");
-        return path23 ? `${path23}: ${issue.message}` : issue.message;
+        const path26 = issue.path.join(".");
+        return path26 ? `${path26}: ${issue.message}` : issue.message;
       });
       return Err(
         createError(
@@ -1463,11 +1463,11 @@ function processExportListSpecifiers(exportDecl, exports) {
 var TypeScriptParser = class {
   name = "typescript";
   extensions = [".ts", ".tsx", ".mts", ".cts"];
-  async parseFile(path23) {
-    const contentResult = await readFileContent(path23);
+  async parseFile(path26) {
+    const contentResult = await readFileContent(path26);
     if (!contentResult.ok) {
       return Err(
-        createParseError("NOT_FOUND", `File not found: ${path23}`, { path: path23 }, [
+        createParseError("NOT_FOUND", `File not found: ${path26}`, { path: path26 }, [
           "Check that the file exists",
           "Verify the path is correct"
         ])
@@ -1477,7 +1477,7 @@ var TypeScriptParser = class {
       const ast = parse(contentResult.value, {
         loc: true,
         range: true,
-        jsx: path23.endsWith(".tsx"),
+        jsx: path26.endsWith(".tsx"),
         errorOnUnknownASTType: false
       });
       return Ok({
@@ -1488,7 +1488,7 @@ var TypeScriptParser = class {
     } catch (e) {
       const error = e;
       return Err(
-        createParseError("SYNTAX_ERROR", `Failed to parse ${path23}: ${error.message}`, { path: path23 }, [
+        createParseError("SYNTAX_ERROR", `Failed to parse ${path26}: ${error.message}`, { path: path26 }, [
           "Check for syntax errors in the file",
           "Ensure valid TypeScript syntax"
         ])
@@ -1673,22 +1673,22 @@ function extractInlineRefs(content) {
   }
   return refs;
 }
-async function parseDocumentationFile(path23) {
-  const contentResult = await readFileContent(path23);
+async function parseDocumentationFile(path26) {
+  const contentResult = await readFileContent(path26);
   if (!contentResult.ok) {
     return Err(
       createEntropyError(
         "PARSE_ERROR",
-        `Failed to read documentation file: ${path23}`,
-        { file: path23 },
+        `Failed to read documentation file: ${path26}`,
+        { file: path26 },
         ["Check that the file exists"]
       )
     );
   }
   const content = contentResult.value;
-  const type = path23.endsWith(".md") ? "markdown" : "text";
+  const type = path26.endsWith(".md") ? "markdown" : "text";
   return Ok({
-    path: path23,
+    path: path26,
     type,
     content,
     codeBlocks: extractCodeBlocks(content),
@@ -7003,6 +7003,208 @@ var mcpRules = [
   }
 ];
+// src/security/rules/insecure-defaults.ts
+var insecureDefaultsRules = [
+  {
+    id: "SEC-DEF-001",
+    name: "Security-Sensitive Fallback to Hardcoded Default",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /(?:SECRET|KEY|TOKEN|PASSWORD|SALT|PEPPER|SIGNING|ENCRYPTION|AUTH|JWT|SESSION).*(?:\|\||\?\?)\s*['"][^'"]+['"]/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Security-sensitive variable falls back to a hardcoded default when env var is missing",
+    remediation: "Throw an error if the env var is missing instead of falling back to a default. Use a startup validation check.",
+    references: ["CWE-1188"]
+  },
+  {
+    id: "SEC-DEF-002",
+    name: "TLS/SSL Disabled by Default",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /(?:tls|ssl|https|secure)\s*(?:=|:)\s*(?:false|config\??\.\w+\s*(?:\?\?|&&|\|\|)\s*false)/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs,go,py}",
+    message: "Security feature defaults to disabled; missing configuration degrades to insecure mode",
+    remediation: "Default security features to enabled (true). Require explicit opt-out, not opt-in.",
+    references: ["CWE-1188"]
+  },
+  {
+    id: "SEC-DEF-003",
+    name: "Swallowed Authentication/Authorization Error",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "low",
+    patterns: [
+      // Matches single-line empty catch: catch(e) { } or catch(e) { // ignore }
+      // Note: multi-line catch blocks are handled by AI review, not this rule
+      /catch\s*\([^)]*\)\s*\{\s*(?:\/\/\s*(?:ignore|skip|noop|todo)\b.*)?\s*\}/
+    ],
+    fileGlob: "**/*auth*.{ts,js,mjs,cjs},**/*session*.{ts,js,mjs,cjs},**/*token*.{ts,js,mjs,cjs}",
+    message: "Single-line empty catch block in authentication/authorization code may silently allow unauthorized access. Note: multi-line empty catch blocks are detected by AI review, not this mechanical rule.",
+    remediation: "Re-throw the error or return an explicit denial. Never silently swallow auth errors.",
+    references: ["CWE-754", "CWE-390"]
+  },
+  {
+    id: "SEC-DEF-004",
+    name: "Permissive CORS Fallback",
+    category: "insecure-defaults",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /(?:origin|cors)\s*(?:=|:)\s*(?:config|options|env)\??\.\w+\s*(?:\?\?|\|\|)\s*['"]\*/
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "CORS origin falls back to wildcard (*) when configuration is missing",
+    remediation: "Default to a restrictive origin list. Require explicit configuration for permissive CORS.",
+    references: ["CWE-942"]
+  },
+  {
+    id: "SEC-DEF-005",
+    name: "Rate Limiting Disabled by Default",
+    category: "insecure-defaults",
+    severity: "info",
+    confidence: "low",
+    patterns: [
+      /(?:rateLimit|rateLimiting|throttle)\s*(?:=|:)\s*(?:config|options|env)\??\.\w+\s*(?:\?\?|\|\|)\s*(?:false|0|null|undefined)/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Rate limiting defaults to disabled when configuration is missing",
+    remediation: "Default to a sensible rate limit. Require explicit opt-out for disabling.",
+    references: ["CWE-770"]
+  }
+];
+// src/security/rules/sharp-edges.ts
+var sharpEdgesRules = [
+  // --- Deprecated Crypto APIs ---
+  {
+    id: "SEC-EDGE-001",
+    name: "Deprecated createCipher API",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/crypto\.createCipher\s*\(/],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "crypto.createCipher is deprecated \u2014 uses weak key derivation (no IV)",
+    remediation: "Use crypto.createCipheriv with a random IV and proper key derivation (scrypt/pbkdf2)",
+    references: ["CWE-327"]
+  },
+  {
+    id: "SEC-EDGE-002",
+    name: "Deprecated createDecipher API",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/crypto\.createDecipher\s*\(/],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "crypto.createDecipher is deprecated \u2014 uses weak key derivation (no IV)",
+    remediation: "Use crypto.createDecipheriv with the same IV used for encryption",
+    references: ["CWE-327"]
+  },
+  {
+    id: "SEC-EDGE-003",
+    name: "ECB Mode Selection",
+    category: "sharp-edges",
+    severity: "warning",
+    confidence: "high",
+    patterns: [/-ecb['"]/],
+    fileGlob: "**/*.{ts,js,mjs,cjs,go,py}",
+    message: "ECB mode does not provide semantic security \u2014 identical plaintext blocks produce identical ciphertext",
+    remediation: "Use CBC, CTR, or GCM mode instead of ECB",
+    references: ["CWE-327"]
+  },
+  // --- Unsafe Deserialization ---
+  {
+    id: "SEC-EDGE-004",
+    name: "yaml.load Without Safe Loader",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [
+      /yaml\.load\s*\(/
+      // Python: yaml.load() without SafeLoader
+    ],
+    fileGlob: "**/*.py",
+    message: "yaml.load() executes arbitrary Python objects \u2014 use yaml.safe_load() instead",
+    remediation: "Replace yaml.load() with yaml.safe_load() or yaml.load(data, Loader=SafeLoader). Note: this rule will flag yaml.load(data, Loader=SafeLoader) \u2014 suppress with # harness-ignore SEC-EDGE-004: safe usage with SafeLoader",
+    references: ["CWE-502"]
+  },
+  {
+    id: "SEC-EDGE-005",
+    name: "Pickle/Marshal Deserialization",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/pickle\.loads?\s*\(/, /marshal\.loads?\s*\(/],
+    fileGlob: "**/*.py",
+    message: "pickle/marshal deserialization executes arbitrary code \u2014 never use on untrusted data",
+    remediation: "Use JSON, MessagePack, or Protocol Buffers for untrusted data serialization",
+    references: ["CWE-502"]
+  },
+  // --- TOCTOU (Time-of-Check to Time-of-Use) ---
+  {
+    id: "SEC-EDGE-006",
+    name: "Check-Then-Act File Operation",
+    category: "sharp-edges",
+    severity: "warning",
+    confidence: "medium",
+    // Patterns use .{0,N} since scanner matches single lines only (no multiline mode)
+    patterns: [
+      /(?:existsSync|accessSync|statSync)\s*\([^)]+\).{0,50}(?:readFileSync|writeFileSync|unlinkSync|mkdirSync)\s*\(/
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Check-then-act pattern on filesystem is vulnerable to TOCTOU race conditions",
+    remediation: "Use the operation directly and handle ENOENT/EEXIST errors instead of checking first",
+    references: ["CWE-367"]
+  },
+  {
+    id: "SEC-EDGE-007",
+    name: "Check-Then-Act File Operation (Async)",
+    category: "sharp-edges",
+    severity: "warning",
+    confidence: "medium",
+    // Uses .{0,N} since scanner matches single lines only (no multiline mode)
+    patterns: [/(?:access|stat)\s*\([^)]+\).{0,80}(?:readFile|writeFile|unlink|mkdir)\s*\(/],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: "Async check-then-act pattern on filesystem is vulnerable to TOCTOU race conditions",
+    remediation: "Use the operation directly with try/catch instead of checking existence first",
+    references: ["CWE-367"]
+  },
+  // --- Stringly-Typed Security ---
+  {
+    id: "SEC-EDGE-008",
+    name: 'JWT Algorithm "none"',
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [
+      /algorithm[s]?\s*[:=]\s*\[?\s*['"]none['"]/i,
+      /alg(?:orithm)?\s*[:=]\s*['"]none['"]/i
+    ],
+    fileGlob: "**/*.{ts,js,mjs,cjs}",
+    message: 'JWT "none" algorithm disables signature verification entirely',
+    remediation: 'Specify an explicit algorithm (e.g., "HS256", "RS256") and set algorithms allowlist in verify options',
+    references: ["CWE-345"]
+  },
+  {
+    id: "SEC-EDGE-009",
+    name: "DES/RC4 Algorithm Selection",
+    category: "sharp-edges",
+    severity: "error",
+    confidence: "high",
+    patterns: [/['"]\s*(?:des|des-ede|des-ede3|des3|rc4|rc2|blowfish)\s*['"]/i],
+    fileGlob: "**/*.{ts,js,mjs,cjs,go,py}",
+    message: "Weak/deprecated cipher algorithm selected \u2014 DES, RC4, RC2, and Blowfish are broken or deprecated",
+    remediation: "Use AES-256-GCM or ChaCha20-Poly1305",
+    references: ["CWE-327"]
+  }
+];
 // src/security/rules/stack/node.ts
 var nodeRules = [
   {
@@ -7116,6 +7318,14 @@ var goRules = [
 ];
 // src/security/scanner.ts
+function parseHarnessIgnore(line, ruleId) {
+  if (!line.includes("harness-ignore")) return null;
+  if (!line.includes(ruleId)) return null;
+  const match = line.match(/(?:\/\/|#)\s*harness-ignore\s+(SEC-[A-Z]+-\d+)(?::\s*(.+))?/);
+  if (match?.[1] !== ruleId) return null;
+  const text = match[2]?.trim();
+  return { ruleId, justification: text || null };
+}
 var SecurityScanner = class {
   registry;
   config;
@@ -7132,7 +7342,9 @@ var SecurityScanner = class {
       ...networkRules,
       ...deserializationRules,
       ...agentConfigRules,
-      ...mcpRules
+      ...mcpRules,
+      ...insecureDefaultsRules,
+      ...sharpEdgesRules
     ]);
     this.registry.registerAll([...nodeRules, ...expressRules, ...reactRules, ...goRules]);
     this.activeRules = this.registry.getAll();
@@ -7149,42 +7361,8 @@ var SecurityScanner = class {
    */
   scanContent(content, filePath, startLine = 1) {
     if (!this.config.enabled) return [];
-    const findings = [];
     const lines = content.split("\n");
-    for (const rule of this.activeRules) {
-      const resolved = resolveRuleSeverity(
-        rule.id,
-        rule.severity,
-        this.config.rules ?? {},
-        this.config.strict
-      );
-      if (resolved === "off") continue;
-      for (let i = 0; i < lines.length; i++) {
-        const line = lines[i] ?? "";
-        if (line.includes("harness-ignore") && line.includes(rule.id)) continue;
-        for (const pattern of rule.patterns) {
-          pattern.lastIndex = 0;
-          if (pattern.test(line)) {
-            findings.push({
-              ruleId: rule.id,
-              ruleName: rule.name,
-              category: rule.category,
-              severity: resolved,
-              confidence: rule.confidence,
-              file: filePath,
-              line: startLine + i,
-              match: line.trim(),
-              context: line,
-              message: rule.message,
-              remediation: rule.remediation,
-              ...rule.references ? { references: rule.references } : {}
-            });
-            break;
-          }
-        }
-      }
-    }
-    return findings;
+    return this.scanLinesWithRules(lines, this.activeRules, filePath, startLine);
   }
   async scanFile(filePath) {
     if (!this.config.enabled) return [];
@@ -7193,14 +7371,22 @@ var SecurityScanner = class {
   }
   scanContentForFile(content, filePath, startLine = 1) {
     if (!this.config.enabled) return [];
-    const findings = [];
     const lines = content.split("\n");
     const applicableRules = this.activeRules.filter((rule) => {
       if (!rule.fileGlob) return true;
       const globs = rule.fileGlob.split(",").map((g) => g.trim());
       return globs.some((glob) => minimatch4(filePath, glob, { dot: true }));
     });
-    for (const rule of applicableRules) {
+    return this.scanLinesWithRules(lines, applicableRules, filePath, startLine);
+  }
+  /**
+   * Core scanning loop shared by scanContent and scanContentForFile.
+   * Evaluates each rule against each line, handling suppression (FP gate)
+   * and pattern matching uniformly.
+   */
+  scanLinesWithRules(lines, rules, filePath, startLine) {
+    const findings = [];
+    for (const rule of rules) {
       const resolved = resolveRuleSeverity(
         rule.id,
         rule.severity,
@@ -7210,7 +7396,25 @@ var SecurityScanner = class {
       if (resolved === "off") continue;
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i] ?? "";
-        if (line.includes("harness-ignore") && line.includes(rule.id)) continue;
+        const suppressionMatch = parseHarnessIgnore(line, rule.id);
+        if (suppressionMatch) {
+          if (!suppressionMatch.justification) {
+            findings.push({
+              ruleId: rule.id,
+              ruleName: rule.name,
+              category: rule.category,
+              severity: this.config.strict ? "error" : "warning",
+              confidence: "high",
+              file: filePath,
+              line: startLine + i,
+              match: line.trim(),
+              context: line,
+              message: `Suppression of ${rule.id} requires justification: // harness-ignore ${rule.id}: <reason>`,
+              remediation: `Add justification after colon: // harness-ignore ${rule.id}: false positive because ...`
+            });
+          }
+          continue;
+        }
         for (const pattern of rule.patterns) {
           pattern.lastIndex = 0;
           if (pattern.test(line)) {
@@ -7256,6 +7460,414 @@ var SecurityScanner = class {
   }
 };
+// src/security/injection-patterns.ts
+var hiddenUnicodePatterns = [
+  {
+    ruleId: "INJ-UNI-001",
+    severity: "high",
+    category: "hidden-unicode",
+    description: "Zero-width characters that can hide malicious instructions",
+    // eslint-disable-next-line no-misleading-character-class -- intentional: regex detects zero-width chars for security scanning
+    pattern: /[\u200B\u200C\u200D\uFEFF\u2060]/
+  },
+  {
+    ruleId: "INJ-UNI-002",
+    severity: "high",
+    category: "hidden-unicode",
+    description: "RTL/LTR override characters that can disguise text direction",
+    pattern: /[\u202A-\u202E\u2066-\u2069]/
+  }
+];
+var reRolingPatterns = [
+  {
+    ruleId: "INJ-REROL-001",
+    severity: "high",
+    category: "explicit-re-roling",
+    description: "Instruction to ignore/disregard/forget previous instructions",
+    pattern: /(?:ignore|disregard|forget)\s+(?:all\s+)?(?:previous|prior|above|earlier)\s+(?:instructions?|prompts?|context|rules?|guidelines?)/i
+  },
+  {
+    ruleId: "INJ-REROL-002",
+    severity: "high",
+    category: "explicit-re-roling",
+    description: "Attempt to reassign the AI role",
+    pattern: /you\s+are\s+now\s+(?:a\s+|an\s+)?(?:new\s+)?(?:helpful\s+)?(?:my\s+)?(?:\w+\s+)?(?:assistant|agent|AI|bot|chatbot|system|persona)\b/i
+  },
+  {
+    ruleId: "INJ-REROL-003",
+    severity: "high",
+    category: "explicit-re-roling",
+    description: "Direct instruction override attempt",
+    pattern: /(?:new\s+)?(?:system\s+)?(?:instruction|directive|role|persona)\s*[:=]\s*/i
+  }
+];
+var permissionEscalationPatterns = [
+  {
+    ruleId: "INJ-PERM-001",
+    severity: "high",
+    category: "permission-escalation",
+    description: "Attempt to enable all tools or grant unrestricted access",
+    pattern: /(?:allow|enable|grant)\s+all\s+(?:tools?|permissions?|access)/i
+  },
+  {
+    ruleId: "INJ-PERM-002",
+    severity: "high",
+    category: "permission-escalation",
+    description: "Attempt to disable safety or security features",
+    pattern: /(?:disable|turn\s+off|remove|bypass)\s+(?:all\s+)?(?:safety|security|restrictions?|guardrails?|protections?|checks?)/i
+  },
+  {
+    ruleId: "INJ-PERM-003",
+    severity: "high",
+    category: "permission-escalation",
+    description: "Auto-approve directive that bypasses human review",
+    pattern: /(?:auto[- ]?approve|--no-verify|--dangerously-skip-permissions)/i
+  }
+];
+var encodedPayloadPatterns = [
+  {
+    ruleId: "INJ-ENC-001",
+    severity: "high",
+    category: "encoded-payloads",
+    description: "Base64-encoded string long enough to contain instructions (>=28 chars)",
+    // Match base64 strings of 28+ chars (7+ groups of 4).
+    // Excludes JWT tokens (eyJ prefix) and Bearer-prefixed tokens.
+    pattern: /(?<!Bearer\s)(?<![:])(?<![A-Za-z0-9/])(?!eyJ)(?:[A-Za-z0-9+/]{4}){7,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?(?![A-Za-z0-9/])/
+  },
+  {
+    ruleId: "INJ-ENC-002",
+    severity: "high",
+    category: "encoded-payloads",
+    description: "Hex-encoded string long enough to contain directives (>=20 hex chars)",
+    // Excludes hash-prefixed hex (sha256:, sha512:, md5:, etc.) and hex preceded by 0x.
+    // Note: 40-char git SHA hashes (e.g. in `git log` output) may match — downstream
+    // callers should filter matches of exactly 40 hex chars if scanning git output.
+    pattern: /(?<![:x])(?<![A-Fa-f0-9])(?:[0-9a-fA-F]{2}){10,}(?![A-Fa-f0-9])/
+  }
+];
+var indirectInjectionPatterns = [
+  {
+    ruleId: "INJ-IND-001",
+    severity: "medium",
+    category: "indirect-injection",
+    description: "Instruction to influence future responses",
+    pattern: /(?:when\s+the\s+user\s+asks|if\s+(?:the\s+user|someone|anyone)\s+asks)\s*,?\s*(?:say|respond|reply|answer|tell)/i
+  },
+  {
+    ruleId: "INJ-IND-002",
+    severity: "medium",
+    category: "indirect-injection",
+    description: "Directive to include content in responses",
+    pattern: /(?:include|insert|add|embed|put)\s+(?:this|the\s+following)\s+(?:in|into|to)\s+(?:your|the)\s+(?:response|output|reply|answer)/i
+  },
+  {
+    ruleId: "INJ-IND-003",
+    severity: "medium",
+    category: "indirect-injection",
+    description: "Standing instruction to always respond a certain way",
+    pattern: /always\s+(?:respond|reply|answer|say|output)\s+(?:with|that|by)/i
+  }
+];
+var contextManipulationPatterns = [
+  {
+    ruleId: "INJ-CTX-001",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Claim about system prompt content",
+    pattern: /(?:the\s+)?(?:system\s+prompt|system\s+message|hidden\s+instructions?)\s+(?:says?|tells?|instructs?|contains?|is)/i
+  },
+  {
+    ruleId: "INJ-CTX-002",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Claim about AI instructions",
+    pattern: /your\s+(?:instructions?|directives?|guidelines?|rules?)\s+(?:are|say|tell|state)/i
+  },
+  {
+    ruleId: "INJ-CTX-003",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Fake XML/HTML system or instruction tags",
+    // Case-sensitive: only match lowercase tags to avoid false positives on
+    // React components like <User>, <Context>, <Role> etc.
+    pattern: /<\/?(?:system|instruction|prompt|role|context|tool_call|function_call|assistant|human|user)[^>]*>/
+  },
+  {
+    ruleId: "INJ-CTX-004",
+    severity: "medium",
+    category: "context-manipulation",
+    description: "Fake JSON role assignment mimicking chat format",
+    pattern: /[{,]\s*"role"\s*:\s*"(?:system|assistant|function)"/i
+  }
+];
+var socialEngineeringPatterns = [
+  {
+    ruleId: "INJ-SOC-001",
+    severity: "medium",
+    category: "social-engineering",
+    description: "Urgency pressure to bypass checks",
+    pattern: /(?:this\s+is\s+(?:very\s+)?urgent|this\s+is\s+(?:an?\s+)?emergency|do\s+(?:this|it)\s+(?:now|immediately))\b/i
+  },
+  {
+    ruleId: "INJ-SOC-002",
+    severity: "medium",
+    category: "social-engineering",
+    description: "False authority claim",
+    pattern: /(?:the\s+)?(?:admin|administrator|manager|CEO|CTO|owner|supervisor)\s+(?:authorized|approved|said|told|confirmed|requested)/i
+  },
+  {
+    ruleId: "INJ-SOC-003",
+    severity: "medium",
+    category: "social-engineering",
+    description: "Testing pretext to bypass safety",
+    pattern: /(?:for\s+testing\s+purposes?|this\s+is\s+(?:just\s+)?a\s+test|in\s+test\s+mode)\b/i
+  }
+];
+var suspiciousPatterns = [
+  {
+    ruleId: "INJ-SUS-001",
+    severity: "low",
+    category: "suspicious-patterns",
+    description: "Excessive consecutive whitespace (>10 chars) mid-line that may hide content",
+    // Only match whitespace runs not at the start of a line (indentation is normal)
+    pattern: /\S\s{11,}/
+  },
+  {
+    ruleId: "INJ-SUS-002",
+    severity: "low",
+    category: "suspicious-patterns",
+    description: "Repeated delimiters (>5) that may indicate obfuscation",
+    pattern: /([|;,=\-_~`])\1{5,}/
+  },
+  {
+    ruleId: "INJ-SUS-003",
+    severity: "low",
+    category: "suspicious-patterns",
+    description: "Mathematical alphanumeric symbols used as Latin character substitutes",
+    // Mathematical bold/italic/script Unicode ranges (U+1D400-U+1D7FF)
+    pattern: /[\uD835][\uDC00-\uDFFF]/
+  }
+];
+var ALL_PATTERNS = [
+  ...hiddenUnicodePatterns,
+  ...reRolingPatterns,
+  ...permissionEscalationPatterns,
+  ...encodedPayloadPatterns,
+  ...indirectInjectionPatterns,
+  ...contextManipulationPatterns,
+  ...socialEngineeringPatterns,
+  ...suspiciousPatterns
+];
+function scanForInjection(text) {
+  const findings = [];
+  const lines = text.split("\n");
+  for (let lineIdx = 0; lineIdx < lines.length; lineIdx++) {
+    const line = lines[lineIdx];
+    for (const rule of ALL_PATTERNS) {
+      if (rule.pattern.test(line)) {
+        findings.push({
+          severity: rule.severity,
+          ruleId: rule.ruleId,
+          match: line.trim(),
+          line: lineIdx + 1
+        });
+      }
+    }
+  }
+  const severityOrder = {
+    high: 0,
+    medium: 1,
+    low: 2
+  };
+  findings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+  return findings;
+}
+function getInjectionPatterns() {
+  return ALL_PATTERNS;
+}
+var DESTRUCTIVE_BASH = [
+  /\bgit\s+push\b/,
+  /\bgit\s+commit\b/,
+  /\brm\s+-rf?\b/,
+  /\brm\s+-r\b/
+];
+// src/security/taint.ts
+import { readFileSync as readFileSync14, writeFileSync as writeFileSync11, unlinkSync, mkdirSync as mkdirSync11, readdirSync as readdirSync3 } from "fs";
+import { join as join21, dirname as dirname8 } from "path";
+var TAINT_DURATION_MS = 30 * 60 * 1e3;
+var DEFAULT_SESSION_ID = "default";
+function getTaintFilePath(projectRoot, sessionId) {
+  const id = sessionId || DEFAULT_SESSION_ID;
+  return join21(projectRoot, ".harness", `session-taint-${id}.json`);
+}
+function readTaint(projectRoot, sessionId) {
+  const filePath = getTaintFilePath(projectRoot, sessionId);
+  let content;
+  try {
+    content = readFileSync14(filePath, "utf8");
+  } catch {
+    return null;
+  }
+  let state;
+  try {
+    state = JSON.parse(content);
+  } catch {
+    try {
+      unlinkSync(filePath);
+    } catch {
+    }
+    return null;
+  }
+  if (!state.sessionId || !state.taintedAt || !state.expiresAt || !state.findings) {
+    try {
+      unlinkSync(filePath);
+    } catch {
+    }
+    return null;
+  }
+  return state;
+}
+function checkTaint(projectRoot, sessionId) {
+  const state = readTaint(projectRoot, sessionId);
+  if (!state) {
+    return { tainted: false, expired: false, state: null };
+  }
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(state.expiresAt);
+  if (now >= expiresAt) {
+    const filePath = getTaintFilePath(projectRoot, sessionId);
+    try {
+      unlinkSync(filePath);
+    } catch {
+    }
+    return { tainted: false, expired: true, state };
+  }
+  return { tainted: true, expired: false, state };
+}
+function writeTaint(projectRoot, sessionId, reason, findings, source) {
+  const id = sessionId || DEFAULT_SESSION_ID;
+  const filePath = getTaintFilePath(projectRoot, id);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const dir = dirname8(filePath);
+  mkdirSync11(dir, { recursive: true });
+  const existing = readTaint(projectRoot, id);
+  const maxSeverity = findings.some((f) => f.severity === "high") ? "high" : "medium";
+  const taintFindings = findings.map((f) => ({
+    ruleId: f.ruleId,
+    severity: f.severity,
+    match: f.match,
+    source,
+    detectedAt: now
+  }));
+  const state = {
+    sessionId: id,
+    taintedAt: existing?.taintedAt || now,
+    expiresAt: new Date(Date.now() + TAINT_DURATION_MS).toISOString(),
+    reason,
+    severity: existing?.severity === "high" || maxSeverity === "high" ? "high" : "medium",
+    findings: [...existing?.findings || [], ...taintFindings]
+  };
+  writeFileSync11(filePath, JSON.stringify(state, null, 2) + "\n");
+  return state;
+}
+function clearTaint(projectRoot, sessionId) {
+  if (sessionId) {
+    const filePath = getTaintFilePath(projectRoot, sessionId);
+    try {
+      unlinkSync(filePath);
+      return 1;
+    } catch {
+      return 0;
+    }
+  }
+  const harnessDir = join21(projectRoot, ".harness");
+  let count = 0;
+  try {
+    const files = readdirSync3(harnessDir);
+    for (const file of files) {
+      if (file.startsWith("session-taint-") && file.endsWith(".json")) {
+        try {
+          unlinkSync(join21(harnessDir, file));
+          count++;
+        } catch {
+        }
+      }
+    }
+  } catch {
+  }
+  return count;
+}
+function listTaintedSessions(projectRoot) {
+  const harnessDir = join21(projectRoot, ".harness");
+  const sessions = [];
+  try {
+    const files = readdirSync3(harnessDir);
+    for (const file of files) {
+      if (file.startsWith("session-taint-") && file.endsWith(".json")) {
+        const sessionId = file.replace("session-taint-", "").replace(".json", "");
+        const result = checkTaint(projectRoot, sessionId);
+        if (result.tainted) {
+          sessions.push(sessionId);
+        }
+      }
+    }
+  } catch {
+  }
+  return sessions;
+}
+// src/security/scan-config-shared.ts
+function mapSecuritySeverity(severity) {
+  if (severity === "error") return "high";
+  if (severity === "warning") return "medium";
+  return "low";
+}
+function computeOverallSeverity(findings) {
+  if (findings.length === 0) return "clean";
+  if (findings.some((f) => f.severity === "high")) return "high";
+  if (findings.some((f) => f.severity === "medium")) return "medium";
+  return "low";
+}
+function computeScanExitCode(results) {
+  for (const r of results) {
+    if (r.overallSeverity === "high") return 2;
+  }
+  for (const r of results) {
+    if (r.overallSeverity === "medium") return 1;
+  }
+  return 0;
+}
+function mapInjectionFindings(injectionFindings) {
+  return injectionFindings.map((f) => ({
+    ruleId: f.ruleId,
+    severity: f.severity,
+    message: `Injection pattern detected: ${f.ruleId}`,
+    match: f.match,
+    ...f.line !== void 0 ? { line: f.line } : {}
+  }));
+}
+function isDuplicateFinding(existing, secFinding) {
+  return existing.some(
+    (e) => e.line === secFinding.line && e.match === secFinding.match.trim() && e.ruleId.split("-")[0] === secFinding.ruleId.split("-")[0]
+  );
+}
+function mapSecurityFindings(secFindings, existing) {
+  const result = [];
+  for (const f of secFindings) {
+    if (!isDuplicateFinding(existing, f)) {
+      result.push({
+        ruleId: f.ruleId,
+        severity: mapSecuritySeverity(f.severity),
+        message: f.message,
+        match: f.match,
+        ...f.line !== void 0 ? { line: f.line } : {}
+      });
+    }
+  }
+  return result;
+}
 // src/ci/check-orchestrator.ts
 import * as path15 from "path";
 var ALL_CHECKS = [
@@ -7439,7 +8051,7 @@ async function runPerfCheck(projectRoot, config) {
     if (perfReport.complexity) {
       for (const v of perfReport.complexity.violations) {
         issues.push({
-          severity: v.severity === "info" ? "warning" : v.severity,
+          severity: "warning",
           message: `[Tier ${v.tier}] ${v.metric}: ${v.function} in ${v.file} (${v.value} > ${v.threshold})`,
           file: v.file,
           line: v.line
@@ -9446,6 +10058,7 @@ var VALID_STATUSES = /* @__PURE__ */ new Set([
   "blocked"
 ]);
 var EM_DASH = "\u2014";
+var VALID_PRIORITIES = /* @__PURE__ */ new Set(["P0", "P1", "P2", "P3"]);
 function parseRoadmap(markdown) {
   const fmMatch = markdown.match(/^---\n([\s\S]*?)\n---/);
   if (!fmMatch) {
@@ -9456,9 +10069,12 @@ function parseRoadmap(markdown) {
   const body = markdown.slice(fmMatch[0].length);
   const milestonesResult = parseMilestones(body);
   if (!milestonesResult.ok) return milestonesResult;
+  const historyResult = parseAssignmentHistory(body);
+  if (!historyResult.ok) return historyResult;
   return Ok2({
     frontmatter: fmResult.value,
-    milestones: milestonesResult.value
+    milestones: milestonesResult.value,
+    assignmentHistory: historyResult.value
   });
 }
 function parseFrontmatter2(raw) {
@@ -9498,12 +10114,17 @@ function parseMilestones(body) {
   const h2Pattern = /^## (.+)$/gm;
   const h2Matches = [];
   let match;
+  let bodyEnd = body.length;
   while ((match = h2Pattern.exec(body)) !== null) {
+    if (match[1] === "Assignment History") {
+      bodyEnd = match.index;
+      break;
+    }
     h2Matches.push({ heading: match[1], startIndex: match.index, fullMatch: match[0] });
   }
   for (let i = 0; i < h2Matches.length; i++) {
     const h2 = h2Matches[i];
-    const nextStart = i + 1 < h2Matches.length ? h2Matches[i + 1].startIndex : body.length;
+    const nextStart = i + 1 < h2Matches.length ? h2Matches[i + 1].startIndex : bodyEnd;
     const sectionBody = body.slice(h2.startIndex + h2.fullMatch.length, nextStart);
     const isBacklog = h2.heading === "Backlog";
     const milestoneName = isBacklog ? "Backlog" : h2.heading.replace(/^Milestone:\s*/, "");
@@ -9569,15 +10190,60 @@ function parseFeatureFields(name, body) {
   const specRaw = fieldMap.get("Spec") ?? EM_DASH;
   const plans = parseListField(fieldMap, "Plans", "Plan");
   const blockedBy = parseListField(fieldMap, "Blocked by", "Blockers");
+  const assigneeRaw = fieldMap.get("Assignee") ?? EM_DASH;
+  const priorityRaw = fieldMap.get("Priority") ?? EM_DASH;
+  const externalIdRaw = fieldMap.get("External-ID") ?? EM_DASH;
+  if (priorityRaw !== EM_DASH && !VALID_PRIORITIES.has(priorityRaw)) {
+    return Err2(
+      new Error(
+        `Feature "${name}" has invalid priority: "${priorityRaw}". Valid priorities: ${[...VALID_PRIORITIES].join(", ")}`
+      )
+    );
+  }
   return Ok2({
     name,
     status: statusRaw,
     spec: specRaw === EM_DASH ? null : specRaw,
     plans,
     blockedBy,
-    summary: fieldMap.get("Summary") ?? ""
+    summary: fieldMap.get("Summary") ?? "",
+    assignee: assigneeRaw === EM_DASH ? null : assigneeRaw,
+    priority: priorityRaw === EM_DASH ? null : priorityRaw,
+    externalId: externalIdRaw === EM_DASH ? null : externalIdRaw
   });
 }
+function parseAssignmentHistory(body) {
+  const historyMatch = body.match(/^## Assignment History\s*\n/m);
+  if (!historyMatch || historyMatch.index === void 0) return Ok2([]);
+  const historyStart = historyMatch.index + historyMatch[0].length;
+  const rawHistoryBody = body.slice(historyStart);
+  const nextH2 = rawHistoryBody.search(/^## /m);
+  const historyBody = nextH2 === -1 ? rawHistoryBody : rawHistoryBody.slice(0, nextH2);
+  const records = [];
+  const lines = historyBody.split("\n");
+  let pastHeader = false;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed.startsWith("|")) continue;
+    if (!pastHeader) {
+      if (trimmed.match(/^\|[-\s|]+\|$/)) {
+        pastHeader = true;
+      }
+      continue;
+    }
+    const cells = trimmed.split("|").map((c) => c.trim()).filter((c) => c.length > 0);
+    if (cells.length < 4) continue;
+    const action = cells[2];
+    if (!["assigned", "completed", "unassigned"].includes(action)) continue;
+    records.push({
+      feature: cells[0],
+      assignee: cells[1],
+      action,
+      date: cells[3]
+    });
+  }
+  return Ok2(records);
+}
 // src/roadmap/serialize.ts
 var EM_DASH2 = "\u2014";
@@ -9605,6 +10271,10 @@ function serializeRoadmap(roadmap) {
       lines.push(...serializeFeature(feature));
     }
   }
+  if (roadmap.assignmentHistory && roadmap.assignmentHistory.length > 0) {
+    lines.push("");
+    lines.push(...serializeAssignmentHistory(roadmap.assignmentHistory));
+  }
   lines.push("");
   return lines.join("\n");
 }
@@ -9615,7 +10285,7 @@ function serializeFeature(feature) {
   const spec = feature.spec ?? EM_DASH2;
   const plans = feature.plans.length > 0 ? feature.plans.join(", ") : EM_DASH2;
   const blockedBy = feature.blockedBy.length > 0 ? feature.blockedBy.join(", ") : EM_DASH2;
-  return [
+  const lines = [
     `### ${feature.name}`,
     "",
     `- **Status:** ${feature.status}`,
@@ -9624,12 +10294,45 @@ function serializeFeature(feature) {
     `- **Blockers:** ${blockedBy}`,
     `- **Plan:** ${plans}`
   ];
+  const hasExtended = feature.assignee !== null || feature.priority !== null || feature.externalId !== null;
+  if (hasExtended) {
+    lines.push(`- **Assignee:** ${feature.assignee ?? EM_DASH2}`);
+    lines.push(`- **Priority:** ${feature.priority ?? EM_DASH2}`);
+    lines.push(`- **External-ID:** ${feature.externalId ?? EM_DASH2}`);
+  }
+  return lines;
+}
+function serializeAssignmentHistory(records) {
+  const lines = [
+    "## Assignment History",
+    "| Feature | Assignee | Action | Date |",
+    "|---------|----------|--------|------|"
+  ];
+  for (const record of records) {
+    lines.push(`| ${record.feature} | ${record.assignee} | ${record.action} | ${record.date} |`);
+  }
+  return lines;
 }
 // src/roadmap/sync.ts
 import * as fs19 from "fs";
 import * as path19 from "path";
 import { Ok as Ok3 } from "@harness-engineering/types";
+// src/roadmap/status-rank.ts
+var STATUS_RANK = {
+  backlog: 0,
+  planned: 1,
+  blocked: 1,
+  // lateral to planned — sync can move to/from blocked freely
+  "in-progress": 2,
+  done: 3
+};
+function isRegression(from, to) {
+  return STATUS_RANK[to] < STATUS_RANK[from];
+}
+// src/roadmap/sync.ts
 function inferStatus(feature, projectPath, allFeatures) {
   if (feature.blockedBy.length > 0) {
     const blockerNotDone = feature.blockedBy.some((blockerName) => {
@@ -9687,25 +10390,14 @@ function inferStatus(feature, projectPath, allFeatures) {
         }
       }
     } catch {
-    }
-  }
-  if (allTaskStatuses.length === 0) return null;
-  const allComplete = allTaskStatuses.every((s) => s === "complete");
-  if (allComplete) return "done";
-  const anyStarted = allTaskStatuses.some((s) => s === "in_progress" || s === "complete");
-  if (anyStarted) return "in-progress";
-  return null;
-}
-var STATUS_RANK = {
-  backlog: 0,
-  planned: 1,
-  blocked: 1,
-  // lateral to planned — sync can move to/from blocked freely
-  "in-progress": 2,
-  done: 3
-};
-function isRegression(from, to) {
-  return STATUS_RANK[to] < STATUS_RANK[from];
+    }
+  }
+  if (allTaskStatuses.length === 0) return null;
+  const allComplete = allTaskStatuses.every((s) => s === "complete");
+  if (allComplete) return "done";
+  const anyStarted = allTaskStatuses.some((s) => s === "in_progress" || s === "complete");
+  if (anyStarted) return "in-progress";
+  return null;
 }
 function syncRoadmap(options) {
   const { projectPath, roadmap, forceSync } = options;
@@ -9737,6 +10429,438 @@ function applySyncChanges(roadmap, changes) {
   roadmap.frontmatter.lastSynced = (/* @__PURE__ */ new Date()).toISOString();
 }
+// src/roadmap/tracker-sync.ts
+function resolveReverseStatus(externalStatus, labels, config) {
+  const reverseMap = config.reverseStatusMap;
+  if (!reverseMap) return null;
+  if (reverseMap[externalStatus]) {
+    return reverseMap[externalStatus];
+  }
+  const statusLabels = ["in-progress", "blocked", "planned"];
+  const matchingLabels = labels.filter((l) => statusLabels.includes(l));
+  if (matchingLabels.length === 1) {
+    const compoundKey = `${externalStatus}:${matchingLabels[0]}`;
+    if (reverseMap[compoundKey]) {
+      return reverseMap[compoundKey];
+    }
+  }
+  return null;
+}
+// src/roadmap/adapters/github-issues.ts
+import { Ok as Ok4, Err as Err3 } from "@harness-engineering/types";
+function parseExternalId(externalId) {
+  const match = externalId.match(/^github:([^/]+)\/([^#]+)#(\d+)$/);
+  if (!match) return null;
+  return { owner: match[1], repo: match[2], number: parseInt(match[3], 10) };
+}
+function buildExternalId(owner, repo, number) {
+  return `github:${owner}/${repo}#${number}`;
+}
+function labelsForStatus(status, config) {
+  const base = config.labels ?? [];
+  const externalStatus = config.statusMap[status];
+  if (externalStatus === "open" && status !== "backlog") {
+    return [...base, status];
+  }
+  return [...base];
+}
+var GitHubIssuesSyncAdapter = class {
+  token;
+  config;
+  fetchFn;
+  apiBase;
+  owner;
+  repo;
+  constructor(options) {
+    this.token = options.token;
+    this.config = options.config;
+    this.fetchFn = options.fetchFn ?? globalThis.fetch;
+    this.apiBase = options.apiBase ?? "https://api.github.com";
+    const repoParts = (options.config.repo ?? "").split("/");
+    if (repoParts.length !== 2 || !repoParts[0] || !repoParts[1]) {
+      throw new Error(`Invalid repo format: "${options.config.repo}". Expected "owner/repo".`);
+    }
+    this.owner = repoParts[0];
+    this.repo = repoParts[1];
+  }
+  headers() {
+    return {
+      Authorization: `Bearer ${this.token}`,
+      Accept: "application/vnd.github+json",
+      "Content-Type": "application/json",
+      "X-GitHub-Api-Version": "2022-11-28"
+    };
+  }
+  async createTicket(feature, milestone) {
+    try {
+      const labels = labelsForStatus(feature.status, this.config);
+      const body = [
+        feature.summary,
+        "",
+        `**Milestone:** ${milestone}`,
+        feature.spec ? `**Spec:** ${feature.spec}` : ""
+      ].filter(Boolean).join("\n");
+      const response = await this.fetchFn(
+        `${this.apiBase}/repos/${this.owner}/${this.repo}/issues`,
+        {
+          method: "POST",
+          headers: this.headers(),
+          body: JSON.stringify({
+            title: feature.name,
+            body,
+            labels
+          })
+        }
+      );
+      if (!response.ok) {
+        const text = await response.text();
+        return Err3(new Error(`GitHub API error ${response.status}: ${text}`));
+      }
+      const data = await response.json();
+      const externalId = buildExternalId(this.owner, this.repo, data.number);
+      return Ok4({ externalId, url: data.html_url });
+    } catch (error) {
+      return Err3(error instanceof Error ? error : new Error(String(error)));
+    }
+  }
+  async updateTicket(externalId, changes) {
+    try {
+      const parsed = parseExternalId(externalId);
+      if (!parsed) return Err3(new Error(`Invalid externalId format: "${externalId}"`));
+      const patch = {};
+      if (changes.name !== void 0) patch.title = changes.name;
+      if (changes.summary !== void 0) {
+        const body = [changes.summary, "", changes.spec ? `**Spec:** ${changes.spec}` : ""].filter(Boolean).join("\n");
+        patch.body = body;
+      }
+      if (changes.status !== void 0) {
+        const externalStatus = this.config.statusMap[changes.status];
+        patch.state = externalStatus;
+        patch.labels = labelsForStatus(changes.status, this.config);
+      }
+      const response = await this.fetchFn(
+        `${this.apiBase}/repos/${parsed.owner}/${parsed.repo}/issues/${parsed.number}`,
+        {
+          method: "PATCH",
+          headers: this.headers(),
+          body: JSON.stringify(patch)
+        }
+      );
+      if (!response.ok) {
+        const text = await response.text();
+        return Err3(new Error(`GitHub API error ${response.status}: ${text}`));
+      }
+      const data = await response.json();
+      return Ok4({ externalId, url: data.html_url });
+    } catch (error) {
+      return Err3(error instanceof Error ? error : new Error(String(error)));
+    }
+  }
+  async fetchTicketState(externalId) {
+    try {
+      const parsed = parseExternalId(externalId);
+      if (!parsed) return Err3(new Error(`Invalid externalId format: "${externalId}"`));
+      const response = await this.fetchFn(
+        `${this.apiBase}/repos/${parsed.owner}/${parsed.repo}/issues/${parsed.number}`,
+        {
+          method: "GET",
+          headers: this.headers()
+        }
+      );
+      if (!response.ok) {
+        const text = await response.text();
+        return Err3(new Error(`GitHub API error ${response.status}: ${text}`));
+      }
+      const data = await response.json();
+      return Ok4({
+        externalId,
+        status: data.state,
+        labels: data.labels.map((l) => l.name),
+        assignee: data.assignee ? `@${data.assignee.login}` : null
+      });
+    } catch (error) {
+      return Err3(error instanceof Error ? error : new Error(String(error)));
+    }
+  }
+  async fetchAllTickets() {
+    try {
+      const filterLabels = this.config.labels ?? [];
+      const labelsParam = filterLabels.length > 0 ? `&labels=${filterLabels.join(",")}` : "";
+      const tickets = [];
+      let page = 1;
+      const perPage = 100;
+      while (true) {
+        const response = await this.fetchFn(
+          `${this.apiBase}/repos/${this.owner}/${this.repo}/issues?state=all&per_page=${perPage}&page=${page}${labelsParam}`,
+          {
+            method: "GET",
+            headers: this.headers()
+          }
+        );
+        if (!response.ok) {
+          const text = await response.text();
+          return Err3(new Error(`GitHub API error ${response.status}: ${text}`));
+        }
+        const data = await response.json();
+        const issues = data.filter((d) => !d.pull_request);
+        for (const issue of issues) {
+          tickets.push({
+            externalId: buildExternalId(this.owner, this.repo, issue.number),
+            status: issue.state,
+            labels: issue.labels.map((l) => l.name),
+            assignee: issue.assignee ? `@${issue.assignee.login}` : null
+          });
+        }
+        if (data.length < perPage) break;
+        page++;
+      }
+      return Ok4(tickets);
+    } catch (error) {
+      return Err3(error instanceof Error ? error : new Error(String(error)));
+    }
+  }
+  async assignTicket(externalId, assignee) {
+    try {
+      const parsed = parseExternalId(externalId);
+      if (!parsed) return Err3(new Error(`Invalid externalId format: "${externalId}"`));
+      const login = assignee.startsWith("@") ? assignee.slice(1) : assignee;
+      const response = await this.fetchFn(
+        `${this.apiBase}/repos/${parsed.owner}/${parsed.repo}/issues/${parsed.number}/assignees`,
+        {
+          method: "POST",
+          headers: this.headers(),
+          body: JSON.stringify({ assignees: [login] })
+        }
+      );
+      if (!response.ok) {
+        const text = await response.text();
+        return Err3(new Error(`GitHub API error ${response.status}: ${text}`));
+      }
+      return Ok4(void 0);
+    } catch (error) {
+      return Err3(error instanceof Error ? error : new Error(String(error)));
+    }
+  }
+};
+// src/roadmap/sync-engine.ts
+import * as fs20 from "fs";
+function emptySyncResult() {
+  return { created: [], updated: [], assignmentChanges: [], errors: [] };
+}
+async function syncToExternal(roadmap, adapter, _config) {
+  const result = emptySyncResult();
+  for (const milestone of roadmap.milestones) {
+    for (const feature of milestone.features) {
+      if (!feature.externalId) {
+        const createResult = await adapter.createTicket(feature, milestone.name);
+        if (createResult.ok) {
+          feature.externalId = createResult.value.externalId;
+          result.created.push(createResult.value);
+        } else {
+          result.errors.push({ featureOrId: feature.name, error: createResult.error });
+        }
+      } else {
+        const updateResult = await adapter.updateTicket(feature.externalId, feature);
+        if (updateResult.ok) {
+          result.updated.push(feature.externalId);
+        } else {
+          result.errors.push({ featureOrId: feature.externalId, error: updateResult.error });
+        }
+      }
+    }
+  }
+  return result;
+}
+async function syncFromExternal(roadmap, adapter, config, options) {
+  const result = emptySyncResult();
+  const forceSync = options?.forceSync ?? false;
+  const featureByExternalId = /* @__PURE__ */ new Map();
+  for (const milestone of roadmap.milestones) {
+    for (const feature of milestone.features) {
+      if (feature.externalId) {
+        featureByExternalId.set(feature.externalId, feature);
+      }
+    }
+  }
+  if (featureByExternalId.size === 0) return result;
+  const fetchResult = await adapter.fetchAllTickets();
+  if (!fetchResult.ok) {
+    result.errors.push({ featureOrId: "*", error: fetchResult.error });
+    return result;
+  }
+  for (const ticketState of fetchResult.value) {
+    const feature = featureByExternalId.get(ticketState.externalId);
+    if (!feature) continue;
+    if (ticketState.assignee !== feature.assignee) {
+      result.assignmentChanges.push({
+        feature: feature.name,
+        from: feature.assignee,
+        to: ticketState.assignee
+      });
+      feature.assignee = ticketState.assignee;
+    }
+    const resolvedStatus = resolveReverseStatus(ticketState.status, ticketState.labels, config);
+    if (resolvedStatus && resolvedStatus !== feature.status) {
+      const newStatus = resolvedStatus;
+      if (!forceSync && isRegression(feature.status, newStatus)) {
+        continue;
+      }
+      feature.status = newStatus;
+    }
+  }
+  return result;
+}
+var syncMutex = Promise.resolve();
+async function fullSync(roadmapPath, adapter, config, options) {
+  const previousSync = syncMutex;
+  let releaseMutex;
+  syncMutex = new Promise((resolve5) => {
+    releaseMutex = resolve5;
+  });
+  await previousSync;
+  try {
+    const raw = fs20.readFileSync(roadmapPath, "utf-8");
+    const parseResult = parseRoadmap(raw);
+    if (!parseResult.ok) {
+      return {
+        ...emptySyncResult(),
+        errors: [{ featureOrId: "*", error: parseResult.error }]
+      };
+    }
+    const roadmap = parseResult.value;
+    const pushResult = await syncToExternal(roadmap, adapter, config);
+    const pullResult = await syncFromExternal(roadmap, adapter, config, options);
+    fs20.writeFileSync(roadmapPath, serializeRoadmap(roadmap), "utf-8");
+    return {
+      created: pushResult.created,
+      updated: pushResult.updated,
+      assignmentChanges: pullResult.assignmentChanges,
+      errors: [...pushResult.errors, ...pullResult.errors]
+    };
+  } finally {
+    releaseMutex();
+  }
+}
+// src/roadmap/pilot-scoring.ts
+var PRIORITY_RANK = {
+  P0: 0,
+  P1: 1,
+  P2: 2,
+  P3: 3
+};
+var POSITION_WEIGHT = 0.5;
+var DEPENDENTS_WEIGHT = 0.3;
+var AFFINITY_WEIGHT = 0.2;
+function scoreRoadmapCandidates(roadmap, options) {
+  const allFeatures = roadmap.milestones.flatMap((m) => m.features);
+  const allFeatureNames = new Set(allFeatures.map((f) => f.name.toLowerCase()));
+  const doneFeatures = new Set(
+    allFeatures.filter((f) => f.status === "done").map((f) => f.name.toLowerCase())
+  );
+  const dependentsCount = /* @__PURE__ */ new Map();
+  for (const feature of allFeatures) {
+    for (const blocker of feature.blockedBy) {
+      const key = blocker.toLowerCase();
+      dependentsCount.set(key, (dependentsCount.get(key) ?? 0) + 1);
+    }
+  }
+  const maxDependents = Math.max(1, ...dependentsCount.values());
+  const milestoneMap = /* @__PURE__ */ new Map();
+  for (const ms of roadmap.milestones) {
+    milestoneMap.set(
+      ms.name,
+      ms.features.map((f) => f.name.toLowerCase())
+    );
+  }
+  const userCompletedFeatures = /* @__PURE__ */ new Set();
+  if (options?.currentUser) {
+    const user = options.currentUser.toLowerCase();
+    for (const record of roadmap.assignmentHistory) {
+      if (record.action === "completed" && record.assignee.toLowerCase() === user) {
+        userCompletedFeatures.add(record.feature.toLowerCase());
+      }
+    }
+  }
+  let totalPositions = 0;
+  for (const ms of roadmap.milestones) {
+    totalPositions += ms.features.length;
+  }
+  totalPositions = Math.max(1, totalPositions);
+  const candidates = [];
+  let globalPosition = 0;
+  for (const ms of roadmap.milestones) {
+    for (let featureIdx = 0; featureIdx < ms.features.length; featureIdx++) {
+      const feature = ms.features[featureIdx];
+      globalPosition++;
+      if (feature.status !== "planned" && feature.status !== "backlog") continue;
+      const isBlocked = feature.blockedBy.some((blocker) => {
+        const key = blocker.toLowerCase();
+        return allFeatureNames.has(key) && !doneFeatures.has(key);
+      });
+      if (isBlocked) continue;
+      const positionScore = 1 - (globalPosition - 1) / totalPositions;
+      const deps = dependentsCount.get(feature.name.toLowerCase()) ?? 0;
+      const dependentsScore = deps / maxDependents;
+      let affinityScore = 0;
+      if (userCompletedFeatures.size > 0) {
+        const completedBlockers = feature.blockedBy.filter(
+          (b) => userCompletedFeatures.has(b.toLowerCase())
+        );
+        if (completedBlockers.length > 0) {
+          affinityScore = 1;
+        } else {
+          const siblings = milestoneMap.get(ms.name) ?? [];
+          const completedSiblings = siblings.filter((s) => userCompletedFeatures.has(s));
+          if (completedSiblings.length > 0) {
+            affinityScore = 0.5;
+          }
+        }
+      }
+      const weightedScore = POSITION_WEIGHT * positionScore + DEPENDENTS_WEIGHT * dependentsScore + AFFINITY_WEIGHT * affinityScore;
+      const priorityTier = feature.priority ? PRIORITY_RANK[feature.priority] : null;
+      candidates.push({
+        feature,
+        milestone: ms.name,
+        positionScore,
+        dependentsScore,
+        affinityScore,
+        weightedScore,
+        priorityTier
+      });
+    }
+  }
+  candidates.sort((a, b) => {
+    if (a.priorityTier !== null && b.priorityTier === null) return -1;
+    if (a.priorityTier === null && b.priorityTier !== null) return 1;
+    if (a.priorityTier !== null && b.priorityTier !== null) {
+      if (a.priorityTier !== b.priorityTier) return a.priorityTier - b.priorityTier;
+    }
+    return b.weightedScore - a.weightedScore;
+  });
+  return candidates;
+}
+function assignFeature(roadmap, feature, assignee, date) {
+  if (feature.assignee === assignee) return;
+  if (feature.assignee !== null) {
+    roadmap.assignmentHistory.push({
+      feature: feature.name,
+      assignee: feature.assignee,
+      action: "unassigned",
+      date
+    });
+  }
+  feature.assignee = assignee;
+  roadmap.assignmentHistory.push({
+    feature: feature.name,
+    assignee,
+    action: "assigned",
+    date
+  });
+}
 // src/interaction/types.ts
 import { z as z7 } from "zod";
 var InteractionTypeSchema = z7.enum(["question", "confirmation", "transition"]);
@@ -9767,17 +10891,18 @@ var EmitInteractionInputSchema = z7.object({
 });
 // src/blueprint/scanner.ts
-import * as fs20 from "fs/promises";
+import * as fs21 from "fs/promises";
 import * as path20 from "path";
 var ProjectScanner = class {
   constructor(rootDir) {
     this.rootDir = rootDir;
   }
+  rootDir;
   async scan() {
     let projectName = path20.basename(this.rootDir);
     try {
       const pkgPath = path20.join(this.rootDir, "package.json");
-      const pkgRaw = await fs20.readFile(pkgPath, "utf-8");
+      const pkgRaw = await fs21.readFile(pkgPath, "utf-8");
       const pkg = JSON.parse(pkgRaw);
       if (pkg.name) projectName = pkg.name;
     } catch {
@@ -9818,7 +10943,7 @@ var ProjectScanner = class {
 };
 // src/blueprint/generator.ts
-import * as fs21 from "fs/promises";
+import * as fs22 from "fs/promises";
 import * as path21 from "path";
 import * as ejs from "ejs";
@@ -9903,13 +11028,13 @@ var BlueprintGenerator = class {
       styles: STYLES,
       scripts: SCRIPTS
     });
-    await fs21.mkdir(options.outputDir, { recursive: true });
-    await fs21.writeFile(path21.join(options.outputDir, "index.html"), html);
+    await fs22.mkdir(options.outputDir, { recursive: true });
+    await fs22.writeFile(path21.join(options.outputDir, "index.html"), html);
   }
 };
 // src/update-checker.ts
-import * as fs22 from "fs";
+import * as fs23 from "fs";
 import * as path22 from "path";
 import * as os from "os";
 import { spawn } from "child_process";
@@ -9928,7 +11053,7 @@ function shouldRunCheck(state, intervalMs) {
 }
 function readCheckState() {
   try {
-    const raw = fs22.readFileSync(getStatePath(), "utf-8");
+    const raw = fs23.readFileSync(getStatePath(), "utf-8");
     const parsed = JSON.parse(raw);
     if (typeof parsed === "object" && parsed !== null && "lastCheckTime" in parsed && typeof parsed.lastCheckTime === "number" && "currentVersion" in parsed && typeof parsed.currentVersion === "string") {
       const state = parsed;
@@ -10034,9 +11159,9 @@ async function resolveWasmPath(grammarName) {
   const { createRequire } = await import("module");
   const require2 = createRequire(import.meta.url ?? __filename);
   const pkgPath = require2.resolve("tree-sitter-wasms/package.json");
-  const path23 = await import("path");
-  const pkgDir = path23.dirname(pkgPath);
-  return path23.join(pkgDir, "out", `${grammarName}.wasm`);
+  const path26 = await import("path");
+  const pkgDir = path26.dirname(pkgPath);
+  return path26.join(pkgDir, "out", `${grammarName}.wasm`);
 }
 async function loadLanguage(lang) {
   const grammarName = GRAMMAR_MAP[lang];
@@ -10400,6 +11525,489 @@ async function unfoldRange(filePath, startLine, endLine) {
   };
 }
+// src/pricing/pricing.ts
+var TOKENS_PER_MILLION = 1e6;
+function parseLiteLLMData(raw) {
+  const dataset = /* @__PURE__ */ new Map();
+  for (const [modelName, entry] of Object.entries(raw)) {
+    if (modelName === "sample_spec") continue;
+    if (entry.mode && entry.mode !== "chat") continue;
+    const inputCost = entry.input_cost_per_token;
+    const outputCost = entry.output_cost_per_token;
+    if (inputCost == null || outputCost == null) continue;
+    const pricing = {
+      inputPer1M: inputCost * TOKENS_PER_MILLION,
+      outputPer1M: outputCost * TOKENS_PER_MILLION
+    };
+    if (entry.cache_read_input_token_cost != null) {
+      pricing.cacheReadPer1M = entry.cache_read_input_token_cost * TOKENS_PER_MILLION;
+    }
+    if (entry.cache_creation_input_token_cost != null) {
+      pricing.cacheWritePer1M = entry.cache_creation_input_token_cost * TOKENS_PER_MILLION;
+    }
+    dataset.set(modelName, pricing);
+  }
+  return dataset;
+}
+function getModelPrice(model, dataset) {
+  if (!model) {
+    console.warn("[harness pricing] No model specified \u2014 cannot look up pricing.");
+    return null;
+  }
+  const pricing = dataset.get(model);
+  if (!pricing) {
+    console.warn(
+      `[harness pricing] No pricing data for model "${model}". Consider updating pricing data.`
+    );
+    return null;
+  }
+  return pricing;
+}
+// src/pricing/cache.ts
+import * as fs24 from "fs/promises";
+import * as path23 from "path";
+// src/pricing/fallback.json
+var fallback_default = {
+  _generatedAt: "2026-03-31",
+  _source: "https://raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.json",
+  models: {
+    "claude-opus-4-20250514": {
+      inputPer1M: 15,
+      outputPer1M: 75,
+      cacheReadPer1M: 1.5,
+      cacheWritePer1M: 18.75
+    },
+    "claude-sonnet-4-20250514": {
+      inputPer1M: 3,
+      outputPer1M: 15,
+      cacheReadPer1M: 0.3,
+      cacheWritePer1M: 3.75
+    },
+    "claude-3-5-haiku-20241022": {
+      inputPer1M: 0.8,
+      outputPer1M: 4,
+      cacheReadPer1M: 0.08,
+      cacheWritePer1M: 1
+    },
+    "gpt-4o": {
+      inputPer1M: 2.5,
+      outputPer1M: 10,
+      cacheReadPer1M: 1.25
+    },
+    "gpt-4o-mini": {
+      inputPer1M: 0.15,
+      outputPer1M: 0.6,
+      cacheReadPer1M: 0.075
+    },
+    "gemini-2.0-flash": {
+      inputPer1M: 0.1,
+      outputPer1M: 0.4,
+      cacheReadPer1M: 0.025
+    },
+    "gemini-2.5-pro": {
+      inputPer1M: 1.25,
+      outputPer1M: 10,
+      cacheReadPer1M: 0.3125
+    }
+  }
+};
+// src/pricing/cache.ts
+var LITELLM_PRICING_URL = "https://raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.json";
+var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
+var STALENESS_WARNING_DAYS = 7;
+function getCachePath(projectRoot) {
+  return path23.join(projectRoot, ".harness", "cache", "pricing.json");
+}
+function getStalenessMarkerPath(projectRoot) {
+  return path23.join(projectRoot, ".harness", "cache", "staleness-marker.json");
+}
+async function readDiskCache(projectRoot) {
+  try {
+    const raw = await fs24.readFile(getCachePath(projectRoot), "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function writeDiskCache(projectRoot, data) {
+  const cachePath = getCachePath(projectRoot);
+  await fs24.mkdir(path23.dirname(cachePath), { recursive: true });
+  await fs24.writeFile(cachePath, JSON.stringify(data, null, 2));
+}
+async function fetchFromNetwork() {
+  try {
+    const response = await fetch(LITELLM_PRICING_URL);
+    if (!response.ok) return null;
+    const data = await response.json();
+    if (typeof data !== "object" || data === null || Array.isArray(data)) return null;
+    return {
+      fetchedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      data
+    };
+  } catch {
+    return null;
+  }
+}
+function loadFallbackDataset() {
+  const fb = fallback_default;
+  const dataset = /* @__PURE__ */ new Map();
+  for (const [model, pricing] of Object.entries(fb.models)) {
+    dataset.set(model, pricing);
+  }
+  return dataset;
+}
+async function checkAndWarnStaleness(projectRoot) {
+  const markerPath = getStalenessMarkerPath(projectRoot);
+  try {
+    const raw = await fs24.readFile(markerPath, "utf-8");
+    const marker = JSON.parse(raw);
+    const firstUse = new Date(marker.firstFallbackUse).getTime();
+    const now = Date.now();
+    const daysSinceFirstUse = (now - firstUse) / (24 * 60 * 60 * 1e3);
+    if (daysSinceFirstUse > STALENESS_WARNING_DAYS) {
+      console.warn(
+        `[harness pricing] Pricing data is stale \u2014 using bundled fallback for ${Math.floor(daysSinceFirstUse)} days. Connect to the internet to refresh pricing data.`
+      );
+    }
+  } catch {
+    try {
+      await fs24.mkdir(path23.dirname(markerPath), { recursive: true });
+      await fs24.writeFile(
+        markerPath,
+        JSON.stringify({ firstFallbackUse: (/* @__PURE__ */ new Date()).toISOString() })
+      );
+    } catch {
+    }
+  }
+}
+async function clearStalenessMarker(projectRoot) {
+  try {
+    await fs24.unlink(getStalenessMarkerPath(projectRoot));
+  } catch {
+  }
+}
+async function loadPricingData(projectRoot) {
+  const cache = await readDiskCache(projectRoot);
+  if (cache) {
+    const cacheAge = Date.now() - new Date(cache.fetchedAt).getTime();
+    if (cacheAge < CACHE_TTL_MS) {
+      await clearStalenessMarker(projectRoot);
+      return parseLiteLLMData(cache.data);
+    }
+  }
+  const fetched = await fetchFromNetwork();
+  if (fetched) {
+    await writeDiskCache(projectRoot, fetched);
+    await clearStalenessMarker(projectRoot);
+    return parseLiteLLMData(fetched.data);
+  }
+  if (cache) {
+    return parseLiteLLMData(cache.data);
+  }
+  await checkAndWarnStaleness(projectRoot);
+  return loadFallbackDataset();
+}
+// src/pricing/calculator.ts
+var MICRODOLLARS_PER_DOLLAR = 1e6;
+var TOKENS_PER_MILLION2 = 1e6;
+function calculateCost(record, dataset) {
+  if (!record.model) return null;
+  const pricing = getModelPrice(record.model, dataset);
+  if (!pricing) return null;
+  let costUSD = 0;
+  costUSD += record.tokens.inputTokens / TOKENS_PER_MILLION2 * pricing.inputPer1M;
+  costUSD += record.tokens.outputTokens / TOKENS_PER_MILLION2 * pricing.outputPer1M;
+  if (record.cacheReadTokens != null && pricing.cacheReadPer1M != null) {
+    costUSD += record.cacheReadTokens / TOKENS_PER_MILLION2 * pricing.cacheReadPer1M;
+  }
+  if (record.cacheCreationTokens != null && pricing.cacheWritePer1M != null) {
+    costUSD += record.cacheCreationTokens / TOKENS_PER_MILLION2 * pricing.cacheWritePer1M;
+  }
+  return Math.round(costUSD * MICRODOLLARS_PER_DOLLAR);
+}
+// src/usage/aggregator.ts
+function aggregateBySession(records) {
+  if (records.length === 0) return [];
+  const sessionMap = /* @__PURE__ */ new Map();
+  for (const record of records) {
+    const tagged = record;
+    const id = record.sessionId;
+    if (!sessionMap.has(id)) {
+      sessionMap.set(id, { harnessRecords: [], ccRecords: [], allRecords: [] });
+    }
+    const bucket = sessionMap.get(id);
+    if (tagged._source === "claude-code") {
+      bucket.ccRecords.push(tagged);
+    } else {
+      bucket.harnessRecords.push(tagged);
+    }
+    bucket.allRecords.push(tagged);
+  }
+  const results = [];
+  for (const [sessionId, bucket] of sessionMap) {
+    const hasHarness = bucket.harnessRecords.length > 0;
+    const hasCC = bucket.ccRecords.length > 0;
+    const isMerged = hasHarness && hasCC;
+    const tokenSource = hasHarness ? bucket.harnessRecords : bucket.ccRecords;
+    const tokens = { inputTokens: 0, outputTokens: 0, totalTokens: 0 };
+    let cacheCreation;
+    let cacheRead;
+    let costMicroUSD = 0;
+    let model;
+    for (const r of tokenSource) {
+      tokens.inputTokens += r.tokens.inputTokens;
+      tokens.outputTokens += r.tokens.outputTokens;
+      tokens.totalTokens += r.tokens.totalTokens;
+      if (r.cacheCreationTokens != null) {
+        cacheCreation = (cacheCreation ?? 0) + r.cacheCreationTokens;
+      }
+      if (r.cacheReadTokens != null) {
+        cacheRead = (cacheRead ?? 0) + r.cacheReadTokens;
+      }
+      if (r.costMicroUSD != null && costMicroUSD != null) {
+        costMicroUSD += r.costMicroUSD;
+      } else if (r.costMicroUSD == null) {
+        costMicroUSD = null;
+      }
+      if (!model && r.model) {
+        model = r.model;
+      }
+    }
+    if (!model && hasCC) {
+      for (const r of bucket.ccRecords) {
+        if (r.model) {
+          model = r.model;
+          break;
+        }
+      }
+    }
+    const timestamps = bucket.allRecords.map((r) => r.timestamp).sort();
+    const source = isMerged ? "merged" : hasCC ? "claude-code" : "harness";
+    const session = {
+      sessionId,
+      firstTimestamp: timestamps[0] ?? "",
+      lastTimestamp: timestamps[timestamps.length - 1] ?? "",
+      tokens,
+      costMicroUSD,
+      source
+    };
+    if (model) session.model = model;
+    if (cacheCreation != null) session.cacheCreationTokens = cacheCreation;
+    if (cacheRead != null) session.cacheReadTokens = cacheRead;
+    results.push(session);
+  }
+  results.sort((a, b) => b.firstTimestamp.localeCompare(a.firstTimestamp));
+  return results;
+}
+function aggregateByDay(records) {
+  if (records.length === 0) return [];
+  const dayMap = /* @__PURE__ */ new Map();
+  for (const record of records) {
+    const date = record.timestamp.slice(0, 10);
+    if (!dayMap.has(date)) {
+      dayMap.set(date, {
+        sessions: /* @__PURE__ */ new Set(),
+        tokens: { inputTokens: 0, outputTokens: 0, totalTokens: 0 },
+        costMicroUSD: 0,
+        models: /* @__PURE__ */ new Set()
+      });
+    }
+    const day = dayMap.get(date);
+    day.sessions.add(record.sessionId);
+    day.tokens.inputTokens += record.tokens.inputTokens;
+    day.tokens.outputTokens += record.tokens.outputTokens;
+    day.tokens.totalTokens += record.tokens.totalTokens;
+    if (record.cacheCreationTokens != null) {
+      day.cacheCreation = (day.cacheCreation ?? 0) + record.cacheCreationTokens;
+    }
+    if (record.cacheReadTokens != null) {
+      day.cacheRead = (day.cacheRead ?? 0) + record.cacheReadTokens;
+    }
+    if (record.costMicroUSD != null && day.costMicroUSD != null) {
+      day.costMicroUSD += record.costMicroUSD;
+    } else if (record.costMicroUSD == null) {
+      day.costMicroUSD = null;
+    }
+    if (record.model) {
+      day.models.add(record.model);
+    }
+  }
+  const results = [];
+  for (const [date, day] of dayMap) {
+    const entry = {
+      date,
+      sessionCount: day.sessions.size,
+      tokens: day.tokens,
+      costMicroUSD: day.costMicroUSD,
+      models: Array.from(day.models).sort()
+    };
+    if (day.cacheCreation != null) entry.cacheCreationTokens = day.cacheCreation;
+    if (day.cacheRead != null) entry.cacheReadTokens = day.cacheRead;
+    results.push(entry);
+  }
+  results.sort((a, b) => b.date.localeCompare(a.date));
+  return results;
+}
+// src/usage/jsonl-reader.ts
+import * as fs25 from "fs";
+import * as path24 from "path";
+function parseLine(line, lineNumber) {
+  let entry;
+  try {
+    entry = JSON.parse(line);
+  } catch {
+    console.warn(`[harness usage] Skipping malformed JSONL line ${lineNumber}`);
+    return null;
+  }
+  const tokenUsage = entry.token_usage;
+  if (!tokenUsage || typeof tokenUsage !== "object") {
+    console.warn(
+      `[harness usage] Skipping malformed JSONL line ${lineNumber}: missing token_usage`
+    );
+    return null;
+  }
+  const inputTokens = tokenUsage.input_tokens ?? 0;
+  const outputTokens = tokenUsage.output_tokens ?? 0;
+  const record = {
+    sessionId: entry.session_id ?? "unknown",
+    timestamp: entry.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    tokens: {
+      inputTokens,
+      outputTokens,
+      totalTokens: inputTokens + outputTokens
+    }
+  };
+  if (entry.cache_creation_tokens != null) {
+    record.cacheCreationTokens = entry.cache_creation_tokens;
+  }
+  if (entry.cache_read_tokens != null) {
+    record.cacheReadTokens = entry.cache_read_tokens;
+  }
+  if (entry.model != null) {
+    record.model = entry.model;
+  }
+  return record;
+}
+function readCostRecords(projectRoot) {
+  const costsFile = path24.join(projectRoot, ".harness", "metrics", "costs.jsonl");
+  let raw;
+  try {
+    raw = fs25.readFileSync(costsFile, "utf-8");
+  } catch {
+    return [];
+  }
+  const records = [];
+  const lines = raw.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]?.trim();
+    if (!line) continue;
+    const record = parseLine(line, i + 1);
+    if (record) {
+      records.push(record);
+    }
+  }
+  return records;
+}
+// src/usage/cc-parser.ts
+import * as fs26 from "fs";
+import * as path25 from "path";
+import * as os2 from "os";
+function extractUsage(entry) {
+  if (entry.type !== "assistant") return null;
+  const message = entry.message;
+  if (!message || typeof message !== "object") return null;
+  const usage = message.usage;
+  return usage && typeof usage === "object" && !Array.isArray(usage) ? usage : null;
+}
+function buildRecord(entry, usage) {
+  const inputTokens = Number(usage.input_tokens) || 0;
+  const outputTokens = Number(usage.output_tokens) || 0;
+  const message = entry.message;
+  const record = {
+    sessionId: entry.sessionId ?? "unknown",
+    timestamp: entry.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    tokens: { inputTokens, outputTokens, totalTokens: inputTokens + outputTokens },
+    _source: "claude-code"
+  };
+  const model = message.model;
+  if (model) record.model = model;
+  const cacheCreate = usage.cache_creation_input_tokens;
+  const cacheRead = usage.cache_read_input_tokens;
+  if (typeof cacheCreate === "number" && cacheCreate > 0) record.cacheCreationTokens = cacheCreate;
+  if (typeof cacheRead === "number" && cacheRead > 0) record.cacheReadTokens = cacheRead;
+  return record;
+}
+function parseCCLine(line, filePath, lineNumber) {
+  let entry;
+  try {
+    entry = JSON.parse(line);
+  } catch {
+    console.warn(
+      `[harness usage] Skipping malformed CC JSONL line ${lineNumber} in ${path25.basename(filePath)}`
+    );
+    return null;
+  }
+  const usage = extractUsage(entry);
+  if (!usage) return null;
+  return {
+    record: buildRecord(entry, usage),
+    requestId: entry.requestId ?? null
+  };
+}
+function readCCFile(filePath) {
+  let raw;
+  try {
+    raw = fs26.readFileSync(filePath, "utf-8");
+  } catch {
+    return [];
+  }
+  const byRequestId = /* @__PURE__ */ new Map();
+  const noRequestId = [];
+  const lines = raw.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]?.trim();
+    if (!line) continue;
+    const parsed = parseCCLine(line, filePath, i + 1);
+    if (!parsed) continue;
+    if (parsed.requestId) {
+      byRequestId.set(parsed.requestId, parsed.record);
+    } else {
+      noRequestId.push(parsed.record);
+    }
+  }
+  return [...byRequestId.values(), ...noRequestId];
+}
+function parseCCRecords() {
+  const homeDir = process.env.HOME ?? os2.homedir();
+  const projectsDir = path25.join(homeDir, ".claude", "projects");
+  let projectDirs;
+  try {
+    projectDirs = fs26.readdirSync(projectsDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => path25.join(projectsDir, d.name));
+  } catch {
+    return [];
+  }
+  const records = [];
+  for (const dir of projectDirs) {
+    let files;
+    try {
+      files = fs26.readdirSync(dir).filter((f) => f.endsWith(".jsonl")).map((f) => path25.join(dir, f));
+    } catch {
+      continue;
+    }
+    for (const file of files) {
+      records.push(...readCCFile(file));
+    }
+  }
+  return records;
+}
 // src/index.ts
 var VERSION = "0.15.0";
 export {
@@ -10417,6 +12025,7 @@ export {
   BlueprintGenerator,
   BundleConstraintsSchema,
   BundleSchema,
+  CACHE_TTL_MS,
   COMPLIANCE_DESCRIPTOR,
   CategoryBaselineSchema,
   CategoryRegressionSchema,
@@ -10434,6 +12043,7 @@ export {
   DEFAULT_SECURITY_CONFIG,
   DEFAULT_STATE,
   DEFAULT_STREAM_INDEX,
+  DESTRUCTIVE_BASH,
   DepDepthCollector,
   EXTENSION_MAP,
   EmitInteractionInputSchema,
@@ -10445,9 +12055,11 @@ export {
   ForbiddenImportCollector,
   GateConfigSchema,
   GateResultSchema,
+  GitHubIssuesSyncAdapter,
   HandoffSchema,
   HarnessStateSchema,
   InteractionTypeSchema,
+  LITELLM_PRICING_URL,
   LayerViolationCollector,
   LockfilePackageSchema,
   LockfileSchema,
@@ -10464,6 +12076,8 @@ export {
   RegressionDetector,
   RuleRegistry,
   SECURITY_DESCRIPTOR,
+  STALENESS_WARNING_DAYS,
+  STATUS_RANK,
   SecurityConfigSchema,
   SecurityScanner,
   SharableBoundaryConfigSchema,
@@ -10480,6 +12094,8 @@ export {
   ViolationSchema,
   addProvenance,
   agentConfigRules,
+  aggregateByDay,
+  aggregateBySession,
   analyzeDiff,
   analyzeLearningPatterns,
   appendFailure,
@@ -10495,16 +12111,22 @@ export {
   archiveLearnings,
   archiveSession,
   archiveStream,
+  assignFeature,
   buildDependencyGraph,
   buildExclusionSet,
   buildSnapshot,
+  calculateCost,
   checkDocCoverage,
   checkEligibility,
   checkEvidenceCoverage,
+  checkTaint,
   classifyFinding,
   clearEventHashCache,
   clearFailuresCache,
   clearLearningsCache,
+  clearTaint,
+  computeOverallSeverity,
+  computeScanExitCode,
   configureFeedback,
   constraintRuleId,
   contextBudget,
@@ -10554,40 +12176,55 @@ export {
   formatGitHubSummary,
   formatOutline,
   formatTerminalOutput,
+  fullSync,
   generateAgentsMap,
   generateSuggestions,
   getActionEmitter,
   getExitCode,
   getFeedbackConfig,
+  getInjectionPatterns,
+  getModelPrice,
   getOutline,
   getParser,
   getPhaseCategories,
   getStreamForBranch,
+  getTaintFilePath,
   getUpdateNotification,
   goRules,
   injectionRules,
+  insecureDefaultsRules,
+  isDuplicateFinding,
+  isRegression,
   isSmallSuggestion,
   isUpdateCheckEnabled,
   listActiveSessions,
   listStreams,
+  listTaintedSessions,
   loadBudgetedLearnings,
   loadEvents,
   loadFailures,
   loadHandoff,
   loadIndexEntries,
+  loadPricingData,
   loadRelevantLearnings,
   loadSessionSummary,
   loadState,
   loadStreamIndex,
   logAgentAction,
+  mapInjectionFindings,
+  mapSecurityFindings,
+  mapSecuritySeverity,
   mcpRules,
   migrateToStreams,
   networkRules,
   nodeRules,
+  parseCCRecords,
   parseDateFromEntry,
   parseDiff,
   parseFile,
   parseFrontmatter,
+  parseHarnessIgnore,
+  parseLiteLLMData,
   parseManifest,
   parseRoadmap,
   parseSecurityConfig,
@@ -10598,9 +12235,11 @@ export {
   pruneLearnings,
   reactRules,
   readCheckState,
+  readCostRecords,
   readLockfile,
   readSessionSection,
   readSessionSections,
+  readTaint,
   removeContributions,
   removeProvenance,
   requestMultiplePeerReviews,
@@ -10609,6 +12248,7 @@ export {
   resetParserCache,
   resolveFileToLayer,
   resolveModelTier,
+  resolveReverseStatus,
   resolveRuleSeverity,
   resolveSessionDir,
   resolveStreamPath,
@@ -10627,15 +12267,20 @@ export {
   saveHandoff,
   saveState,
   saveStreamIndex,
+  scanForInjection,
   scopeContext,
+  scoreRoadmapCandidates,
   searchSymbols,
   secretRules,
   serializeRoadmap,
   setActiveStream,
+  sharpEdgesRules,
   shouldRunCheck,
   spawnBackgroundCheck,
   syncConstraintNodes,
+  syncFromExternal,
   syncRoadmap,
+  syncToExternal,
   tagUncitedFindings,
   touchStream,
   trackAction,
@@ -10656,5 +12301,6 @@ export {
   writeConfig,
   writeLockfile,
   writeSessionSummary,
+  writeTaint,
   xssRules
 };