@harness-engineering/core 0.21.1 → 0.21.2

package/dist/index.js

@@ -59,7 +59,6 @@ __export(index_exports, {
   ConfirmationSchema: () => ConfirmationSchema,
   ConsoleSink: () => ConsoleSink,
   ConstraintRuleSchema: () => ConstraintRuleSchema,
-  ContentPipeline: () => ContentPipeline,
   ContributingFeatureSchema: () => ContributingFeatureSchema,
   ContributionsSchema: () => ContributionsSchema,
   CouplingCollector: () => CouplingCollector,
@@ -298,7 +297,7 @@ __export(index_exports, {
   resolveRuleSeverity: () => resolveRuleSeverity,
   resolveSessionDir: () => resolveSessionDir,
   resolveStreamPath: () => resolveStreamPath,
-  resolveThresholds: () => resolveThresholds2,
+  resolveThresholds: () => resolveThresholds3,
   runAll: () => runAll,
   runArchitectureAgent: () => runArchitectureAgent,
   runBugDetectionAgent: () => runBugDetectionAgent,
@@ -499,21 +498,11 @@ function validateCommitMessage(message, format = "conventional") {
     issues: []
   });
 }
-function validateConventionalCommit(message) {
-  const lines = message.split("\n");
-  const headerLine = lines[0];
-  if (!headerLine) {
-    const error = createError(
-      "VALIDATION_FAILED",
-      "Commit message header cannot be empty",
-      { message },
-      ["Provide a commit message with at least a header line"]
-    );
-    return (0, import_types.Err)(error);
-  }
+function parseConventionalHeader(message, headerLine) {
   const match = headerLine.match(CONVENTIONAL_PATTERN);
-  if (!match) {
-    const error = createError(
+  if (match) return (0, import_types.Ok)(match);
+  return (0, import_types.Err)(
+    createError(
       "VALIDATION_FAILED",
       "Commit message does not follow conventional format",
       { message, header: headerLine },
@@ -522,13 +511,10 @@ function validateConventionalCommit(message) {
         "Valid types: " + VALID_TYPES.join(", "),
         "Example: feat(core): add new feature"
       ]
-    );
-    return (0, import_types.Err)(error);
-  }
-  const type = match[1];
-  const scope = match[3];
-  const breaking = match[4] === "!";
-  const description = match[5];
+    )
+  );
+}
+function collectCommitIssues(type, description) {
   const issues = [];
   if (!VALID_TYPES.includes(type)) {
     issues.push(`Invalid commit type "${type}". Valid types: ${VALID_TYPES.join(", ")}`);
@@ -536,34 +522,50 @@ function validateConventionalCommit(message) {
   if (!description || description.trim() === "") {
     issues.push("Commit description cannot be empty");
   }
-  let hasBreakingChange = breaking;
-  if (lines.length > 1) {
-    const body = lines.slice(1).join("\n");
-    if (body.includes("BREAKING CHANGE:")) {
-      hasBreakingChange = true;
-    }
+  return issues;
+}
+function hasBreakingChangeInBody(lines) {
+  if (lines.length <= 1) return false;
+  return lines.slice(1).join("\n").includes("BREAKING CHANGE:");
+}
+function validateConventionalCommit(message) {
+  const lines = message.split("\n");
+  const headerLine = lines[0];
+  if (!headerLine) {
+    return (0, import_types.Err)(
+      createError(
+        "VALIDATION_FAILED",
+        "Commit message header cannot be empty",
+        { message },
+        ["Provide a commit message with at least a header line"]
+      )
+    );
   }
+  const matchResult = parseConventionalHeader(message, headerLine);
+  if (!matchResult.ok) return matchResult;
+  const match = matchResult.value;
+  const type = match[1];
+  const scope = match[3];
+  const breaking = match[4] === "!";
+  const description = match[5];
+  const issues = collectCommitIssues(type, description);
   if (issues.length > 0) {
-    let errorMessage = `Commit message validation failed: ${issues.join("; ")}`;
-    if (issues.some((issue) => issue.includes("description cannot be empty"))) {
-      errorMessage = `Commit message validation failed: ${issues.join("; ")}`;
-    }
-    const error = createError(
-      "VALIDATION_FAILED",
-      errorMessage,
-      { message, issues, type, scope },
-      ["Review and fix the validation issues above"]
+    return (0, import_types.Err)(
+      createError(
+        "VALIDATION_FAILED",
+        `Commit message validation failed: ${issues.join("; ")}`,
+        { message, issues, type, scope },
+        ["Review and fix the validation issues above"]
+      )
     );
-    return (0, import_types.Err)(error);
   }
-  const result = {
+  return (0, import_types.Ok)({
     valid: true,
     type,
     ...scope && { scope },
-    breaking: hasBreakingChange,
+    breaking: breaking || hasBreakingChangeInBody(lines),
     issues: []
-  };
-  return (0, import_types.Ok)(result);
+  });
 }
 
 // src/context/types.ts
@@ -1021,6 +1023,47 @@ var NODE_TYPE_TO_CATEGORY = {
   prompt: "systemPrompt",
   system: "systemPrompt"
 };
+function makeZeroWeights() {
+  return {
+    systemPrompt: 0,
+    projectManifest: 0,
+    taskSpec: 0,
+    activeCode: 0,
+    interfaces: 0,
+    reserve: 0
+  };
+}
+function normalizeRatios(ratios) {
+  const sum = Object.values(ratios).reduce((s, r) => s + r, 0);
+  if (sum === 0) return;
+  for (const key of Object.keys(ratios)) {
+    ratios[key] = ratios[key] / sum;
+  }
+}
+function enforceMinimumRatios(ratios, min) {
+  for (const key of Object.keys(ratios)) {
+    if (ratios[key] < min) ratios[key] = min;
+  }
+}
+function applyGraphDensity(ratios, graphDensity) {
+  const weights = makeZeroWeights();
+  for (const [nodeType, count] of Object.entries(graphDensity)) {
+    const category = NODE_TYPE_TO_CATEGORY[nodeType];
+    if (category) weights[category] += count;
+  }
+  const totalWeight = Object.values(weights).reduce((s, w) => s + w, 0);
+  if (totalWeight === 0) return;
+  const MIN = 0.01;
+  for (const key of Object.keys(ratios)) {
+    ratios[key] = weights[key] > 0 ? weights[key] / totalWeight : MIN;
+  }
+  if (ratios.reserve < DEFAULT_RATIOS.reserve) ratios.reserve = DEFAULT_RATIOS.reserve;
+  if (ratios.systemPrompt < DEFAULT_RATIOS.systemPrompt)
+    ratios.systemPrompt = DEFAULT_RATIOS.systemPrompt;
+  normalizeRatios(ratios);
+  enforceMinimumRatios(ratios, MIN);
+  normalizeRatios(ratios);
+}
 function contextBudget(totalTokens, overrides, graphDensity) {
   const ratios = {
     systemPrompt: DEFAULT_RATIOS.systemPrompt,
@@ -1031,50 +1074,7 @@ function contextBudget(totalTokens, overrides, graphDensity) {
     reserve: DEFAULT_RATIOS.reserve
   };
   if (graphDensity) {
-    const categoryWeights = {
-      systemPrompt: 0,
-      projectManifest: 0,
-      taskSpec: 0,
-      activeCode: 0,
-      interfaces: 0,
-      reserve: 0
-    };
-    for (const [nodeType, count] of Object.entries(graphDensity)) {
-      const category = NODE_TYPE_TO_CATEGORY[nodeType];
-      if (category) {
-        categoryWeights[category] += count;
-      }
-    }
-    const totalWeight = Object.values(categoryWeights).reduce((sum, w) => sum + w, 0);
-    if (totalWeight > 0) {
-      const MIN_ALLOCATION = 0.01;
-      for (const key of Object.keys(ratios)) {
-        if (categoryWeights[key] > 0) {
-          ratios[key] = categoryWeights[key] / totalWeight;
-        } else {
-          ratios[key] = MIN_ALLOCATION;
-        }
-      }
-      if (ratios.reserve < DEFAULT_RATIOS.reserve) {
-        ratios.reserve = DEFAULT_RATIOS.reserve;
-      }
-      if (ratios.systemPrompt < DEFAULT_RATIOS.systemPrompt) {
-        ratios.systemPrompt = DEFAULT_RATIOS.systemPrompt;
-      }
-      const ratioSum = Object.values(ratios).reduce((sum, r) => sum + r, 0);
-      for (const key of Object.keys(ratios)) {
-        ratios[key] = ratios[key] / ratioSum;
-      }
-      for (const key of Object.keys(ratios)) {
-        if (ratios[key] < MIN_ALLOCATION) {
-          ratios[key] = MIN_ALLOCATION;
-        }
-      }
-      const finalSum = Object.values(ratios).reduce((sum, r) => sum + r, 0);
-      for (const key of Object.keys(ratios)) {
-        ratios[key] = ratios[key] / finalSum;
-      }
-    }
+    applyGraphDensity(ratios, graphDensity);
   }
   if (overrides) {
     let overrideSum = 0;
@@ -1635,21 +1635,23 @@ function extractBundle(manifest, config) {
 }
 
 // src/constraints/sharing/merge.ts
+function arraysEqual(a, b) {
+  if (a.length !== b.length) return false;
+  return a.every((val, i) => deepEqual(val, b[i]));
+}
+function objectsEqual(a, b) {
+  const keysA = Object.keys(a);
+  const keysB = Object.keys(b);
+  if (keysA.length !== keysB.length) return false;
+  return keysA.every((key) => deepEqual(a[key], b[key]));
+}
 function deepEqual(a, b) {
   if (a === b) return true;
   if (typeof a !== typeof b) return false;
   if (typeof a !== "object" || a === null || b === null) return false;
-  if (Array.isArray(a) && Array.isArray(b)) {
-    if (a.length !== b.length) return false;
-    return a.every((val, i) => deepEqual(val, b[i]));
-  }
+  if (Array.isArray(a) && Array.isArray(b)) return arraysEqual(a, b);
   if (Array.isArray(a) !== Array.isArray(b)) return false;
-  const keysA = Object.keys(a);
-  const keysB = Object.keys(b);
-  if (keysA.length !== keysB.length) return false;
-  return keysA.every(
-    (key) => deepEqual(a[key], b[key])
-  );
+  return objectsEqual(a, b);
 }
 function stringArraysEqual(a, b) {
   if (a.length !== b.length) return false;
@@ -2302,17 +2304,22 @@ async function parseDocumentationFile(path31) {
 function makeInternalSymbol(name, type, line) {
   return { name, type, line, references: 0, calledBy: [] };
 }
+function extractFunctionSymbol(node, line) {
+  if (node.id?.name) return [makeInternalSymbol(node.id.name, "function", line)];
+  return [];
+}
+function extractVariableSymbols(node, line) {
+  return (node.declarations || []).filter((decl) => decl.id?.name).map((decl) => makeInternalSymbol(decl.id.name, "variable", line));
+}
+function extractClassSymbol(node, line) {
+  if (node.id?.name) return [makeInternalSymbol(node.id.name, "class", line)];
+  return [];
+}
 function extractSymbolsFromNode(node) {
   const line = node.loc?.start?.line || 0;
-  if (node.type === "FunctionDeclaration" && node.id?.name) {
-    return [makeInternalSymbol(node.id.name, "function", line)];
-  }
-  if (node.type === "VariableDeclaration") {
-    return (node.declarations || []).filter((decl) => decl.id?.name).map((decl) => makeInternalSymbol(decl.id.name, "variable", line));
-  }
-  if (node.type === "ClassDeclaration" && node.id?.name) {
-    return [makeInternalSymbol(node.id.name, "class", line)];
-  }
+  if (node.type === "FunctionDeclaration") return extractFunctionSymbol(node, line);
+  if (node.type === "VariableDeclaration") return extractVariableSymbols(node, line);
+  if (node.type === "ClassDeclaration") return extractClassSymbol(node, line);
   return [];
 }
 function extractInternalSymbols(ast) {
@@ -2321,21 +2328,17 @@ function extractInternalSymbols(ast) {
   const nodes = body.body;
   return nodes.flatMap(extractSymbolsFromNode);
 }
+function toJSDocComment(comment) {
+  if (comment.type !== "Block" || !comment.value?.startsWith("*")) return null;
+  return { content: comment.value, line: comment.loc?.start?.line || 0 };
+}
 function extractJSDocComments(ast) {
-  const comments = [];
   const body = ast.body;
-  if (body?.comments) {
-    for (const comment of body.comments) {
-      if (comment.type === "Block" && comment.value?.startsWith("*")) {
-        const jsDocComment = {
-          content: comment.value,
-          line: comment.loc?.start?.line || 0
-        };
-        comments.push(jsDocComment);
-      }
-    }
-  }
-  return comments;
+  if (!body?.comments) return [];
+  return body.comments.flatMap((c) => {
+    const doc = toJSDocComment(c);
+    return doc ? [doc] : [];
+  });
 }
 function buildExportMap(files) {
   const byFile = /* @__PURE__ */ new Map();
@@ -2350,41 +2353,42 @@ function buildExportMap(files) {
   }
   return { byFile, byName };
 }
-function extractAllCodeReferences(docs) {
+var CODE_BLOCK_LANGUAGES = /* @__PURE__ */ new Set(["typescript", "ts", "javascript", "js"]);
+function refsFromInlineRefs(doc) {
+  return doc.inlineRefs.map((inlineRef) => ({
+    docFile: doc.path,
+    line: inlineRef.line,
+    column: inlineRef.column,
+    reference: inlineRef.reference,
+    context: "inline"
+  }));
+}
+function refsFromCodeBlock(docPath, block) {
+  if (!CODE_BLOCK_LANGUAGES.has(block.language)) return [];
   const refs = [];
-  for (const doc of docs) {
-    for (const inlineRef of doc.inlineRefs) {
+  const importRegex = /import\s+\{([^}]+)\}\s+from/g;
+  let match;
+  while ((match = importRegex.exec(block.content)) !== null) {
+    const group = match[1];
+    if (group === void 0) continue;
+    for (const name of group.split(",").map((n) => n.trim())) {
       refs.push({
-        docFile: doc.path,
-        line: inlineRef.line,
-        column: inlineRef.column,
-        reference: inlineRef.reference,
-        context: "inline"
+        docFile: docPath,
+        line: block.line,
+        column: 0,
+        reference: name,
+        context: "code-block"
       });
     }
-    for (const block of doc.codeBlocks) {
-      if (block.language === "typescript" || block.language === "ts" || block.language === "javascript" || block.language === "js") {
-        const importRegex = /import\s+\{([^}]+)\}\s+from/g;
-        let match;
-        while ((match = importRegex.exec(block.content)) !== null) {
-          const matchedGroup = match[1];
-          if (matchedGroup === void 0) continue;
-          const names = matchedGroup.split(",").map((n) => n.trim());
-          for (const name of names) {
-            refs.push({
-              docFile: doc.path,
-              line: block.line,
-              column: 0,
-              reference: name,
-              context: "code-block"
-            });
-          }
-        }
-      }
-    }
   }
   return refs;
 }
+function refsFromCodeBlocks(doc) {
+  return doc.codeBlocks.flatMap((block) => refsFromCodeBlock(doc.path, block));
+}
+function extractAllCodeReferences(docs) {
+  return docs.flatMap((doc) => [...refsFromInlineRefs(doc), ...refsFromCodeBlocks(doc)]);
+}
 async function buildSnapshot(config) {
   const startTime = Date.now();
   const parser = config.parser || new TypeScriptParser();
@@ -2590,44 +2594,52 @@ async function checkStructureDrift(snapshot, _config) {
   }
   return drifts;
 }
+function computeDriftSeverity(driftCount) {
+  if (driftCount === 0) return "none";
+  if (driftCount <= 3) return "low";
+  if (driftCount <= 10) return "medium";
+  return "high";
+}
+function buildGraphDriftReport(graphDriftData) {
+  const drifts = [];
+  for (const target of graphDriftData.missingTargets) {
+    drifts.push({
+      type: "api-signature",
+      docFile: target,
+      line: 0,
+      reference: target,
+      context: "graph-missing-target",
+      issue: "NOT_FOUND",
+      details: `Graph node "${target}" has no matching code target`,
+      confidence: "high"
+    });
+  }
+  for (const edge of graphDriftData.staleEdges) {
+    drifts.push({
+      type: "api-signature",
+      docFile: edge.docNodeId,
+      line: 0,
+      reference: edge.codeNodeId,
+      context: `graph-stale-edge:${edge.edgeType}`,
+      issue: "NOT_FOUND",
+      details: `Stale edge from doc "${edge.docNodeId}" to code "${edge.codeNodeId}" (${edge.edgeType})`,
+      confidence: "medium"
+    });
+  }
+  return (0, import_types.Ok)({
+    drifts,
+    stats: {
+      docsScanned: graphDriftData.staleEdges.length,
+      referencesChecked: graphDriftData.staleEdges.length + graphDriftData.missingTargets.length,
+      driftsFound: drifts.length,
+      byType: { api: drifts.length, example: 0, structure: 0 }
+    },
+    severity: computeDriftSeverity(drifts.length)
+  });
+}
 async function detectDocDrift(snapshot, config, graphDriftData) {
   if (graphDriftData) {
-    const drifts2 = [];
-    for (const target of graphDriftData.missingTargets) {
-      drifts2.push({
-        type: "api-signature",
-        docFile: target,
-        line: 0,
-        reference: target,
-        context: "graph-missing-target",
-        issue: "NOT_FOUND",
-        details: `Graph node "${target}" has no matching code target`,
-        confidence: "high"
-      });
-    }
-    for (const edge of graphDriftData.staleEdges) {
-      drifts2.push({
-        type: "api-signature",
-        docFile: edge.docNodeId,
-        line: 0,
-        reference: edge.codeNodeId,
-        context: `graph-stale-edge:${edge.edgeType}`,
-        issue: "NOT_FOUND",
-        details: `Stale edge from doc "${edge.docNodeId}" to code "${edge.codeNodeId}" (${edge.edgeType})`,
-        confidence: "medium"
-      });
-    }
-    const severity2 = drifts2.length === 0 ? "none" : drifts2.length <= 3 ? "low" : drifts2.length <= 10 ? "medium" : "high";
-    return (0, import_types.Ok)({
-      drifts: drifts2,
-      stats: {
-        docsScanned: graphDriftData.staleEdges.length,
-        referencesChecked: graphDriftData.staleEdges.length + graphDriftData.missingTargets.length,
-        driftsFound: drifts2.length,
-        byType: { api: drifts2.length, example: 0, structure: 0 }
-      },
-      severity: severity2
-    });
+    return buildGraphDriftReport(graphDriftData);
   }
   const fullConfig = { ...DEFAULT_DRIFT_CONFIG, ...config };
   const drifts = [];
@@ -2676,6 +2688,23 @@ function resolveImportToFile(importSource, fromFile, snapshot) {
   }
   return null;
 }
+function enqueueResolved(sources, current, snapshot, visited, queue) {
+  for (const item of sources) {
+    if (!item.source) continue;
+    const resolved = resolveImportToFile(item.source, current, snapshot);
+    if (resolved && !visited.has(resolved)) {
+      queue.push(resolved);
+    }
+  }
+}
+function processReachabilityNode(current, snapshot, reachability, visited, queue) {
+  reachability.set(current, true);
+  const sourceFile = snapshot.files.find((f) => f.path === current);
+  if (!sourceFile) return;
+  enqueueResolved(sourceFile.imports, current, snapshot, visited, queue);
+  const reExports = sourceFile.exports.filter((e) => e.isReExport);
+  enqueueResolved(reExports, current, snapshot, visited, queue);
+}
 function buildReachabilityMap(snapshot) {
   const reachability = /* @__PURE__ */ new Map();
   for (const file of snapshot.files) {
@@ -2687,23 +2716,7 @@ function buildReachabilityMap(snapshot) {
     const current = queue.shift();
     if (visited.has(current)) continue;
     visited.add(current);
-    reachability.set(current, true);
-    const sourceFile = snapshot.files.find((f) => f.path === current);
-    if (!sourceFile) continue;
-    for (const imp of sourceFile.imports) {
-      const resolved = resolveImportToFile(imp.source, current, snapshot);
-      if (resolved && !visited.has(resolved)) {
-        queue.push(resolved);
-      }
-    }
-    for (const exp of sourceFile.exports) {
-      if (exp.isReExport && exp.source) {
-        const resolved = resolveImportToFile(exp.source, current, snapshot);
-        if (resolved && !visited.has(resolved)) {
-          queue.push(resolved);
-        }
-      }
-    }
+    processReachabilityNode(current, snapshot, reachability, visited, queue);
   }
   return reachability;
 }
@@ -2773,21 +2786,27 @@ function findDeadExports(snapshot, usageMap, reachability) {
   }
   return deadExports;
 }
+function maxLineOfValue(value) {
+  if (Array.isArray(value)) {
+    return value.reduce((m, item) => Math.max(m, findMaxLineInNode(item)), 0);
+  }
+  if (value && typeof value === "object") {
+    return findMaxLineInNode(value);
+  }
+  return 0;
+}
+function maxLineOfNodeKeys(node) {
+  let max = 0;
+  for (const key of Object.keys(node)) {
+    max = Math.max(max, maxLineOfValue(node[key]));
+  }
+  return max;
+}
 function findMaxLineInNode(node) {
   if (!node || typeof node !== "object") return 0;
   const n = node;
-  let maxLine = n.loc?.end?.line ?? 0;
-  for (const key of Object.keys(node)) {
-    const value = node[key];
-    if (Array.isArray(value)) {
-      for (const item of value) {
-        maxLine = Math.max(maxLine, findMaxLineInNode(item));
-      }
-    } else if (value && typeof value === "object") {
-      maxLine = Math.max(maxLine, findMaxLineInNode(value));
-    }
-  }
-  return maxLine;
+  const locLine = n.loc?.end?.line ?? 0;
+  return Math.max(locLine, maxLineOfNodeKeys(node));
 }
 function countLinesFromAST(ast) {
   if (!ast.body || !Array.isArray(ast.body)) return 1;
@@ -2861,54 +2880,59 @@ function findDeadInternals(snapshot, _reachability) {
   }
   return deadInternals;
 }
-async function detectDeadCode(snapshot, graphDeadCodeData) {
-  if (graphDeadCodeData) {
-    const deadFiles2 = [];
-    const deadExports2 = [];
-    const fileTypes = /* @__PURE__ */ new Set(["file", "module"]);
-    const exportTypes = /* @__PURE__ */ new Set(["function", "class", "method", "interface", "variable"]);
-    for (const node of graphDeadCodeData.unreachableNodes) {
-      if (fileTypes.has(node.type)) {
-        deadFiles2.push({
-          path: node.path || node.id,
-          reason: "NO_IMPORTERS",
-          exportCount: 0,
-          lineCount: 0
-        });
-      } else if (exportTypes.has(node.type)) {
-        const exportType = node.type === "method" ? "function" : node.type;
-        deadExports2.push({
-          file: node.path || node.id,
-          name: node.name,
-          line: 0,
-          type: exportType,
-          isDefault: false,
-          reason: "NO_IMPORTERS"
-        });
-      }
-    }
-    const reachableCount = graphDeadCodeData.reachableNodeIds instanceof Set ? graphDeadCodeData.reachableNodeIds.size : graphDeadCodeData.reachableNodeIds.length;
-    const fileNodes = graphDeadCodeData.unreachableNodes.filter((n) => fileTypes.has(n.type));
-    const exportNodes = graphDeadCodeData.unreachableNodes.filter((n) => exportTypes.has(n.type));
-    const totalFiles = reachableCount + fileNodes.length;
-    const totalExports2 = exportNodes.length + (reachableCount > 0 ? reachableCount : 0);
-    const report2 = {
-      deadExports: deadExports2,
-      deadFiles: deadFiles2,
-      deadInternals: [],
-      unusedImports: [],
-      stats: {
-        filesAnalyzed: totalFiles,
-        entryPointsUsed: [],
-        totalExports: totalExports2,
-        deadExportCount: deadExports2.length,
-        totalFiles,
-        deadFileCount: deadFiles2.length,
-        estimatedDeadLines: 0
-      }
-    };
-    return (0, import_types.Ok)(report2);
+var FILE_TYPES = /* @__PURE__ */ new Set(["file", "module"]);
+var EXPORT_TYPES = /* @__PURE__ */ new Set(["function", "class", "method", "interface", "variable"]);
+function classifyUnreachableNode(node, deadFiles, deadExports) {
+  if (FILE_TYPES.has(node.type)) {
+    deadFiles.push({
+      path: node.path || node.id,
+      reason: "NO_IMPORTERS",
+      exportCount: 0,
+      lineCount: 0
+    });
+  } else if (EXPORT_TYPES.has(node.type)) {
+    const exportType = node.type === "method" ? "function" : node.type;
+    deadExports.push({
+      file: node.path || node.id,
+      name: node.name,
+      line: 0,
+      type: exportType,
+      isDefault: false,
+      reason: "NO_IMPORTERS"
+    });
   }
+}
+function computeGraphReportStats(data, deadFiles, deadExports) {
+  const reachableCount = data.reachableNodeIds instanceof Set ? data.reachableNodeIds.size : data.reachableNodeIds.length;
+  const fileNodes = data.unreachableNodes.filter((n) => FILE_TYPES.has(n.type));
+  const exportNodes = data.unreachableNodes.filter((n) => EXPORT_TYPES.has(n.type));
+  const totalFiles = reachableCount + fileNodes.length;
+  const totalExports = exportNodes.length + (reachableCount > 0 ? reachableCount : 0);
+  return {
+    filesAnalyzed: totalFiles,
+    entryPointsUsed: [],
+    totalExports,
+    deadExportCount: deadExports.length,
+    totalFiles,
+    deadFileCount: deadFiles.length,
+    estimatedDeadLines: 0
+  };
+}
+function buildReportFromGraph(data) {
+  const deadFiles = [];
+  const deadExports = [];
+  for (const node of data.unreachableNodes) {
+    classifyUnreachableNode(node, deadFiles, deadExports);
+  }
+  return {
+    deadExports,
+    deadFiles,
+    deadInternals: [],
+    unusedImports: [],
+    stats: computeGraphReportStats(data, deadFiles, deadExports)
+  };
+}
+function buildReportFromSnapshot(snapshot) {
   const reachability = buildReachabilityMap(snapshot);
   const usageMap = buildExportUsageMap(snapshot);
   const deadExports = findDeadExports(snapshot, usageMap, reachability);
@@ -2920,7 +2944,7 @@ async function detectDeadCode(snapshot, graphDeadCodeData) {
     0
   );
   const estimatedDeadLines = deadFiles.reduce((acc, file) => acc + file.lineCount, 0);
-  const report = {
+  return {
     deadExports,
     deadFiles,
     deadInternals,
@@ -2935,6 +2959,9 @@ async function detectDeadCode(snapshot, graphDeadCodeData) {
       estimatedDeadLines
     }
   };
+}
+async function detectDeadCode(snapshot, graphDeadCodeData) {
+  const report = graphDeadCodeData ? buildReportFromGraph(graphDeadCodeData) : buildReportFromSnapshot(snapshot);
   return (0, import_types.Ok)(report);
 }
 
@@ -3205,26 +3232,28 @@ function findFunctionEnd(lines, startIdx) {
   }
   return lines.length - 1;
 }
-function computeCyclomaticComplexity(body) {
-  let complexity = 1;
-  const decisionPatterns = [
-    /\bif\s*\(/g,
-    /\belse\s+if\s*\(/g,
-    /\bwhile\s*\(/g,
-    /\bfor\s*\(/g,
-    /\bcase\s+/g,
-    /&&/g,
-    /\|\|/g,
-    /\?(?!=)/g,
-    // Ternary ? but not ?. or ??
-    /\bcatch\s*\(/g
-  ];
-  for (const pattern of decisionPatterns) {
+var DECISION_PATTERNS = [
+  /\bif\s*\(/g,
+  /\belse\s+if\s*\(/g,
+  /\bwhile\s*\(/g,
+  /\bfor\s*\(/g,
+  /\bcase\s+/g,
+  /&&/g,
+  /\|\|/g,
+  /\?(?!=)/g,
+  // Ternary ? but not ?. or ??
+  /\bcatch\s*\(/g
+];
+function countDecisionPoints(body) {
+  let count = 0;
+  for (const pattern of DECISION_PATTERNS) {
     const matches = body.match(pattern);
-    if (matches) {
-      complexity += matches.length;
-    }
+    if (matches) count += matches.length;
   }
+  return count;
+}
+function computeCyclomaticComplexity(body) {
+  let complexity = 1 + countDecisionPoints(body);
   const elseIfMatches = body.match(/\belse\s+if\s*\(/g);
   if (elseIfMatches) {
     complexity -= elseIfMatches.length;
@@ -3502,8 +3531,8 @@ function resolveImportSource(source, fromFile, snapshot) {
   }
   return void 0;
 }
-function checkViolations(metrics, config) {
-  const thresholds = {
+function resolveThresholds2(config) {
+  return {
     fanOut: { ...DEFAULT_THRESHOLDS2.fanOut, ...config?.thresholds?.fanOut },
     fanIn: { ...DEFAULT_THRESHOLDS2.fanIn, ...config?.thresholds?.fanIn },
     couplingRatio: { ...DEFAULT_THRESHOLDS2.couplingRatio, ...config?.thresholds?.couplingRatio },
@@ -3512,53 +3541,70 @@ function checkViolations(metrics, config) {
       ...config?.thresholds?.transitiveDependencyDepth
     }
   };
+}
+function checkFanOut(m, threshold) {
+  if (m.fanOut <= threshold) return null;
+  return {
+    file: m.file,
+    metric: "fanOut",
+    value: m.fanOut,
+    threshold,
+    tier: 2,
+    severity: "warning",
+    message: `File has ${m.fanOut} imports (threshold: ${threshold})`
+  };
+}
+function checkFanIn(m, threshold) {
+  if (m.fanIn <= threshold) return null;
+  return {
+    file: m.file,
+    metric: "fanIn",
+    value: m.fanIn,
+    threshold,
+    tier: 3,
+    severity: "info",
+    message: `File is imported by ${m.fanIn} files (threshold: ${threshold})`
+  };
+}
+function checkCouplingRatio(m, threshold) {
+  const totalConnections = m.fanIn + m.fanOut;
+  if (totalConnections <= 5 || m.couplingRatio <= threshold) return null;
+  return {
+    file: m.file,
+    metric: "couplingRatio",
+    value: m.couplingRatio,
+    threshold,
+    tier: 2,
+    severity: "warning",
+    message: `Coupling ratio is ${m.couplingRatio.toFixed(2)} (threshold: ${threshold})`
+  };
+}
+function checkTransitiveDepth(m, threshold) {
+  if (m.transitiveDepth <= threshold) return null;
+  return {
+    file: m.file,
+    metric: "transitiveDependencyDepth",
+    value: m.transitiveDepth,
+    threshold,
+    tier: 3,
+    severity: "info",
+    message: `Transitive dependency depth is ${m.transitiveDepth} (threshold: ${threshold})`
+  };
+}
+function checkMetricViolations(m, thresholds) {
+  const candidates = [
+    checkFanOut(m, thresholds.fanOut.warn),
+    checkFanIn(m, thresholds.fanIn.info),
+    checkCouplingRatio(m, thresholds.couplingRatio.warn),
+    checkTransitiveDepth(m, thresholds.transitiveDependencyDepth.info)
+  ];
+  return candidates.filter((v) => v !== null);
+}
+function checkViolations(metrics, config) {
+  const thresholds = resolveThresholds2(config);
   const violations = [];
   for (const m of metrics) {
-    if (thresholds.fanOut.warn !== void 0 && m.fanOut > thresholds.fanOut.warn) {
-      violations.push({
-        file: m.file,
-        metric: "fanOut",
-        value: m.fanOut,
-        threshold: thresholds.fanOut.warn,
-        tier: 2,
-        severity: "warning",
-        message: `File has ${m.fanOut} imports (threshold: ${thresholds.fanOut.warn})`
-      });
-    }
-    if (thresholds.fanIn.info !== void 0 && m.fanIn > thresholds.fanIn.info) {
-      violations.push({
-        file: m.file,
-        metric: "fanIn",
-        value: m.fanIn,
-        threshold: thresholds.fanIn.info,
-        tier: 3,
-        severity: "info",
-        message: `File is imported by ${m.fanIn} files (threshold: ${thresholds.fanIn.info})`
-      });
-    }
-    const totalConnections = m.fanIn + m.fanOut;
-    if (totalConnections > 5 && thresholds.couplingRatio.warn !== void 0 && m.couplingRatio > thresholds.couplingRatio.warn) {
-      violations.push({
-        file: m.file,
-        metric: "couplingRatio",
-        value: m.couplingRatio,
-        threshold: thresholds.couplingRatio.warn,
-        tier: 2,
-        severity: "warning",
-        message: `Coupling ratio is ${m.couplingRatio.toFixed(2)} (threshold: ${thresholds.couplingRatio.warn})`
-      });
-    }
-    if (thresholds.transitiveDependencyDepth.info !== void 0 && m.transitiveDepth > thresholds.transitiveDependencyDepth.info) {
-      violations.push({
-        file: m.file,
-        metric: "transitiveDependencyDepth",
-        value: m.transitiveDepth,
-        threshold: thresholds.transitiveDependencyDepth.info,
-        tier: 3,
-        severity: "info",
-        message: `Transitive dependency depth is ${m.transitiveDepth} (threshold: ${thresholds.transitiveDependencyDepth.info})`
-      });
-    }
+    violations.push(...checkMetricViolations(m, thresholds));
   }
   return violations;
 }
@@ -3668,48 +3714,52 @@ async function detectSizeBudgetViolations(rootDir, config) {
 }
 
 // src/entropy/fixers/suggestions.ts
+function deadFileSuggestion(file) {
+  return {
+    type: "delete",
+    priority: "high",
+    source: "dead-code",
+    relatedIssues: [`dead-file:${file.path}`],
+    title: `Remove dead file: ${file.path.split("/").pop()}`,
+    description: `This file is not imported by any other file and can be safely removed.`,
+    files: [file.path],
+    steps: [`Delete ${file.path}`, "Run tests to verify no regressions"],
+    whyManual: "File deletion requires verification that no dynamic imports exist"
+  };
+}
+function deadExportSuggestion(exp) {
+  return {
+    type: "refactor",
+    priority: "medium",
+    source: "dead-code",
+    relatedIssues: [`dead-export:${exp.file}:${exp.name}`],
+    title: `Remove unused export: ${exp.name}`,
+    description: `The export "${exp.name}" is not used anywhere. Consider removing it.`,
+    files: [exp.file],
+    steps: [`Remove export "${exp.name}" from ${exp.file}`, "Run tests to verify no regressions"],
+    whyManual: "Export removal may affect external consumers not in scope"
+  };
+}
+function unusedImportSuggestion(imp) {
+  const plural = imp.specifiers.length > 1;
+  return {
+    type: "delete",
+    priority: "medium",
+    source: "dead-code",
+    relatedIssues: [`unused-import:${imp.file}:${imp.specifiers.join(",")}`],
+    title: `Remove unused import${plural ? "s" : ""}: ${imp.specifiers.join(", ")}`,
+    description: `The import${plural ? "s" : ""} from "${imp.source}" ${plural ? "are" : "is"} not used.`,
+    files: [imp.file],
+    steps: imp.isFullyUnused ? [`Remove entire import line from ${imp.file}`] : [`Remove unused specifiers (${imp.specifiers.join(", ")}) from import statement`],
+    whyManual: "Import removal can be auto-fixed"
+  };
+}
 function generateDeadCodeSuggestions(report) {
-  const suggestions = [];
-  for (const file of report.deadFiles) {
-    suggestions.push({
-      type: "delete",
-      priority: "high",
-      source: "dead-code",
-      relatedIssues: [`dead-file:${file.path}`],
-      title: `Remove dead file: ${file.path.split("/").pop()}`,
-      description: `This file is not imported by any other file and can be safely removed.`,
-      files: [file.path],
-      steps: [`Delete ${file.path}`, "Run tests to verify no regressions"],
-      whyManual: "File deletion requires verification that no dynamic imports exist"
-    });
-  }
-  for (const exp of report.deadExports) {
-    suggestions.push({
-      type: "refactor",
-      priority: "medium",
-      source: "dead-code",
-      relatedIssues: [`dead-export:${exp.file}:${exp.name}`],
-      title: `Remove unused export: ${exp.name}`,
-      description: `The export "${exp.name}" is not used anywhere. Consider removing it.`,
-      files: [exp.file],
-      steps: [`Remove export "${exp.name}" from ${exp.file}`, "Run tests to verify no regressions"],
-      whyManual: "Export removal may affect external consumers not in scope"
-    });
-  }
-  for (const imp of report.unusedImports) {
-    suggestions.push({
-      type: "delete",
-      priority: "medium",
-      source: "dead-code",
-      relatedIssues: [`unused-import:${imp.file}:${imp.specifiers.join(",")}`],
-      title: `Remove unused import${imp.specifiers.length > 1 ? "s" : ""}: ${imp.specifiers.join(", ")}`,
-      description: `The import${imp.specifiers.length > 1 ? "s" : ""} from "${imp.source}" ${imp.specifiers.length > 1 ? "are" : "is"} not used.`,
-      files: [imp.file],
-      steps: imp.isFullyUnused ? [`Remove entire import line from ${imp.file}`] : [`Remove unused specifiers (${imp.specifiers.join(", ")}) from import statement`],
-      whyManual: "Import removal can be auto-fixed"
-    });
-  }
-  return suggestions;
+  return [
+    ...report.deadFiles.map(deadFileSuggestion),
+    ...report.deadExports.map(deadExportSuggestion),
+    ...report.unusedImports.map(unusedImportSuggestion)
+  ];
 }
 function generateDriftSuggestions(report) {
   const suggestions = [];
@@ -4152,43 +4202,55 @@ async function createBackup(filePath, backupDir) {
     );
   }
 }
-async function applySingleFix(fix, config) {
+async function applyDeleteFile(fix, config) {
+  if (config.createBackup && config.backupDir) {
+    const backupResult = await createBackup(fix.file, config.backupDir);
+    if (!backupResult.ok) return (0, import_types.Err)({ fix, error: backupResult.error.message });
+  }
+  await unlink2(fix.file);
+  return (0, import_types.Ok)(void 0);
+}
+async function applyDeleteLines(fix) {
+  if (fix.line !== void 0) {
+    const content = await readFile5(fix.file, "utf-8");
+    const lines = content.split("\n");
+    lines.splice(fix.line - 1, 1);
+    await writeFile3(fix.file, lines.join("\n"));
+  }
+}
+async function applyReplace(fix) {
+  if (fix.oldContent && fix.newContent !== void 0) {
+    const content = await readFile5(fix.file, "utf-8");
+    await writeFile3(fix.file, content.replace(fix.oldContent, fix.newContent));
+  }
+}
+async function applyInsert(fix) {
+  if (fix.line !== void 0 && fix.newContent) {
+    const content = await readFile5(fix.file, "utf-8");
+    const lines = content.split("\n");
+    lines.splice(fix.line - 1, 0, fix.newContent);
+    await writeFile3(fix.file, lines.join("\n"));
+  }
+}
+async function applySingleFix(fix, config) {
   if (config.dryRun) {
     return (0, import_types.Ok)(fix);
   }
   try {
     switch (fix.action) {
-      case "delete-file":
-        if (config.createBackup && config.backupDir) {
-          const backupResult = await createBackup(fix.file, config.backupDir);
-          if (!backupResult.ok) {
-            return (0, import_types.Err)({ fix, error: backupResult.error.message });
-          }
-        }
-        await unlink2(fix.file);
+      case "delete-file": {
+        const result = await applyDeleteFile(fix, config);
+        if (!result.ok) return result;
         break;
+      }
       case "delete-lines":
-        if (fix.line !== void 0) {
-          const content = await readFile5(fix.file, "utf-8");
-          const lines = content.split("\n");
-          lines.splice(fix.line - 1, 1);
-          await writeFile3(fix.file, lines.join("\n"));
-        }
+        await applyDeleteLines(fix);
         break;
       case "replace":
-        if (fix.oldContent && fix.newContent !== void 0) {
-          const content = await readFile5(fix.file, "utf-8");
-          const newContent = content.replace(fix.oldContent, fix.newContent);
-          await writeFile3(fix.file, newContent);
-        }
+        await applyReplace(fix);
         break;
       case "insert":
-        if (fix.line !== void 0 && fix.newContent) {
-          const content = await readFile5(fix.file, "utf-8");
-          const lines = content.split("\n");
-          lines.splice(fix.line - 1, 0, fix.newContent);
-          await writeFile3(fix.file, lines.join("\n"));
-        }
+        await applyInsert(fix);
         break;
     }
     return (0, import_types.Ok)(fix);
@@ -4361,6 +4423,21 @@ function applyHotspotDowngrade(finding, hotspot) {
   }
   return finding;
 }
+function mergeGroup(group) {
+  if (group.length === 1) return [group[0]];
+  const deadCode = group.find((f) => f.concern === "dead-code");
+  const arch = group.find((f) => f.concern === "architecture");
+  if (deadCode && arch) {
+    return [
+      {
+        ...deadCode,
+        description: `${deadCode.description} (also violates architecture: ${arch.type})`,
+        suggestion: deadCode.fixAction ? `${deadCode.fixAction} (resolves both dead code and architecture violation)` : deadCode.suggestion
+      }
+    ];
+  }
+  return group;
+}
 function deduplicateCleanupFindings(findings) {
   const byFileAndLine = /* @__PURE__ */ new Map();
   for (const f of findings) {
@@ -4371,21 +4448,7 @@ function deduplicateCleanupFindings(findings) {
   }
   const result = [];
   for (const group of byFileAndLine.values()) {
-    if (group.length === 1) {
-      result.push(group[0]);
-      continue;
-    }
-    const deadCode = group.find((f) => f.concern === "dead-code");
-    const arch = group.find((f) => f.concern === "architecture");
-    if (deadCode && arch) {
-      result.push({
-        ...deadCode,
-        description: `${deadCode.description} (also violates architecture: ${arch.type})`,
-        suggestion: deadCode.fixAction ? `${deadCode.fixAction} (resolves both dead code and architecture violation)` : deadCode.suggestion
-      });
-    } else {
-      result.push(...group);
-    }
+    result.push(...mergeGroup(group));
   }
   return result;
 }
@@ -4758,6 +4821,32 @@ var SKIP_DIRS = /* @__PURE__ */ new Set(["node_modules", "dist", ".git"]);
 var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx"]);
 var FUNCTION_DECL_RE = /(?:export\s+)?(?:async\s+)?function\s+(\w+)/;
 var CONST_DECL_RE = /(?:export\s+)?(?:const|let)\s+(\w+)\s*=/;
+function mergeGraphInferred(highFanInFunctions, seen) {
+  let added = 0;
+  for (const item of highFanInFunctions) {
+    const key = `${item.file}::${item.function}`;
+    if (!seen.has(key)) {
+      seen.set(key, {
+        file: item.file,
+        function: item.function,
+        source: "graph-inferred",
+        fanIn: item.fanIn
+      });
+      added++;
+    }
+  }
+  return added;
+}
+function isCommentOrBlank(line) {
+  return line === "" || line === "*/" || line === "*" || line.startsWith("*") || line.startsWith("//");
+}
+function matchDeclarationName(line) {
+  const funcMatch = line.match(FUNCTION_DECL_RE);
+  if (funcMatch?.[1]) return funcMatch[1];
+  const constMatch = line.match(CONST_DECL_RE);
+  if (constMatch?.[1]) return constMatch[1];
+  return null;
+}
 var CriticalPathResolver = class {
   projectRoot;
   constructor(projectRoot) {
@@ -4770,27 +4859,12 @@ var CriticalPathResolver = class {
       const key = `${entry.file}::${entry.function}`;
       seen.set(key, entry);
     }
-    let graphInferred = 0;
-    if (graphData) {
-      for (const item of graphData.highFanInFunctions) {
-        const key = `${item.file}::${item.function}`;
-        if (!seen.has(key)) {
-          seen.set(key, {
-            file: item.file,
-            function: item.function,
-            source: "graph-inferred",
-            fanIn: item.fanIn
-          });
-          graphInferred++;
-        }
-      }
-    }
+    const graphInferred = graphData ? mergeGraphInferred(graphData.highFanInFunctions, seen) : 0;
     const entries = Array.from(seen.values());
-    const annotatedCount = annotated.length;
     return {
       entries,
       stats: {
-        annotated: annotatedCount,
+        annotated: annotated.length,
         graphInferred,
         total: entries.length
       }
@@ -4817,6 +4891,14 @@ var CriticalPathResolver = class {
       }
     }
   }
+  resolveFunctionName(lines, fromIndex) {
+    for (let j = fromIndex; j < lines.length; j++) {
+      const nextLine = lines[j].trim();
+      if (isCommentOrBlank(nextLine)) continue;
+      return matchDeclarationName(nextLine);
+    }
+    return null;
+  }
   scanFile(filePath, entries) {
     let content;
     try {
@@ -4827,30 +4909,10 @@ var CriticalPathResolver = class {
     const lines = content.split("\n");
     const relativePath = path.relative(this.projectRoot, filePath).replace(/\\/g, "/");
     for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      if (!line.includes("@perf-critical")) continue;
-      for (let j = i + 1; j < lines.length; j++) {
-        const nextLine = lines[j].trim();
-        if (nextLine === "" || nextLine === "*/" || nextLine === "*") continue;
-        if (nextLine.startsWith("*") || nextLine.startsWith("//")) continue;
-        const funcMatch = nextLine.match(FUNCTION_DECL_RE);
-        if (funcMatch && funcMatch[1]) {
-          entries.push({
-            file: relativePath,
-            function: funcMatch[1],
-            source: "annotation"
-          });
-        } else {
-          const constMatch = nextLine.match(CONST_DECL_RE);
-          if (constMatch && constMatch[1]) {
-            entries.push({
-              file: relativePath,
-              function: constMatch[1],
-              source: "annotation"
-            });
-          }
-        }
-        break;
+      if (!lines[i].includes("@perf-critical")) continue;
+      const fnName = this.resolveFunctionName(lines, i + 1);
+      if (fnName) {
+        entries.push({ file: relativePath, function: fnName, source: "annotation" });
       }
     }
   }
@@ -5005,14 +5067,19 @@ function detectFileStatus(part) {
   if (part.includes("rename from")) return "renamed";
   return "modified";
 }
-function parseDiffPart(part) {
+function parseDiffHeader(part) {
   if (!part.trim()) return null;
   const headerMatch = /diff --git a\/(.+?) b\/(.+?)(?:\n|$)/.exec(part);
   if (!headerMatch || !headerMatch[2]) return null;
+  return headerMatch[2];
+}
+function parseDiffPart(part) {
+  const path31 = parseDiffHeader(part);
+  if (!path31) return null;
   const additionRegex = /^\+(?!\+\+)/gm;
   const deletionRegex = /^-(?!--)/gm;
   return {
-    path: headerMatch[2],
+    path: path31,
     status: detectFileStatus(part),
     additions: (part.match(additionRegex) || []).length,
     deletions: (part.match(deletionRegex) || []).length
@@ -5034,100 +5101,136 @@ function parseDiff(diff2) {
     });
   }
 }
-async function analyzeDiff(changes, options, graphImpactData) {
-  if (!options?.enabled) {
-    return (0, import_types.Ok)([]);
+function checkForbiddenPatterns(diff2, forbiddenPatterns, nextId) {
+  const items = [];
+  if (!forbiddenPatterns) return items;
+  for (const forbidden of forbiddenPatterns) {
+    const pattern = typeof forbidden.pattern === "string" ? new RegExp(forbidden.pattern, "g") : forbidden.pattern;
+    if (!pattern.test(diff2)) continue;
+    items.push({
+      id: nextId(),
+      category: "diff",
+      check: `Forbidden pattern: ${forbidden.pattern}`,
+      passed: false,
+      severity: forbidden.severity,
+      details: forbidden.message,
+      suggestion: `Remove occurrences of ${forbidden.pattern}`
+    });
   }
+  return items;
+}
+function checkMaxChangedFiles(files, maxChangedFiles, nextId) {
+  if (!maxChangedFiles || files.length <= maxChangedFiles) return [];
+  return [
+    {
+      id: nextId(),
+      category: "diff",
+      check: `PR size: ${files.length} files changed`,
+      passed: false,
+      severity: "warning",
+      details: `This PR changes ${files.length} files, which exceeds the recommended maximum of ${maxChangedFiles}`,
+      suggestion: "Consider breaking this into smaller PRs"
+    }
+  ];
+}
+function checkFileSizes(files, maxFileSize, nextId) {
   const items = [];
-  let itemId = 0;
-  if (options.forbiddenPatterns) {
-    for (const forbidden of options.forbiddenPatterns) {
-      const pattern = typeof forbidden.pattern === "string" ? new RegExp(forbidden.pattern, "g") : forbidden.pattern;
-      if (pattern.test(changes.diff)) {
-        items.push({
-          id: `diff-${++itemId}`,
-          category: "diff",
-          check: `Forbidden pattern: ${forbidden.pattern}`,
-          passed: false,
-          severity: forbidden.severity,
-          details: forbidden.message,
-          suggestion: `Remove occurrences of ${forbidden.pattern}`
-        });
-      }
+  if (!maxFileSize) return items;
+  for (const file of files) {
+    const totalLines = file.additions + file.deletions;
+    if (totalLines <= maxFileSize) continue;
+    items.push({
+      id: nextId(),
+      category: "diff",
+      check: `File size: ${file.path}`,
+      passed: false,
+      severity: "warning",
+      details: `File has ${totalLines} lines changed, exceeding limit of ${maxFileSize}`,
+      file: file.path,
+      suggestion: "Consider splitting this file into smaller modules"
+    });
+  }
+  return items;
+}
+function checkTestCoverageGraph(files, graphImpactData) {
+  const items = [];
+  for (const file of files) {
+    if (file.status !== "added" || !file.path.endsWith(".ts") || file.path.includes(".test.")) {
+      continue;
     }
+    const hasGraphTest = graphImpactData.affectedTests.some((t) => t.coversFile === file.path);
+    if (hasGraphTest) continue;
+    items.push({
+      id: `test-coverage-${file.path}`,
+      category: "diff",
+      check: "Test coverage (graph)",
+      passed: false,
+      severity: "warning",
+      details: `New file ${file.path} has no test file linked in the graph`,
+      file: file.path
+    });
   }
-  if (options.maxChangedFiles && changes.files.length > options.maxChangedFiles) {
+  return items;
+}
+function checkTestCoverageFilename(files, nextId) {
+  const items = [];
+  const addedSourceFiles = files.filter(
+    (f) => f.status === "added" && f.path.endsWith(".ts") && !f.path.includes(".test.")
+  );
+  const testFiles = files.filter((f) => f.path.includes(".test."));
+  for (const sourceFile of addedSourceFiles) {
+    const expectedTestPath = sourceFile.path.replace(".ts", ".test.ts");
+    const hasTest = testFiles.some(
+      (t) => t.path.includes(expectedTestPath) || t.path.includes(sourceFile.path.replace(".ts", ""))
+    );
+    if (hasTest) continue;
     items.push({
-      id: `diff-${++itemId}`,
+      id: nextId(),
       category: "diff",
-      check: `PR size: ${changes.files.length} files changed`,
+      check: `Test coverage: ${sourceFile.path}`,
       passed: false,
       severity: "warning",
-      details: `This PR changes ${changes.files.length} files, which exceeds the recommended maximum of ${options.maxChangedFiles}`,
-      suggestion: "Consider breaking this into smaller PRs"
+      details: "New source file added without corresponding test file",
+      file: sourceFile.path,
+      suggestion: `Add tests in ${expectedTestPath}`
     });
   }
-  if (options.maxFileSize) {
-    for (const file of changes.files) {
-      const totalLines = file.additions + file.deletions;
-      if (totalLines > options.maxFileSize) {
-        items.push({
-          id: `diff-${++itemId}`,
-          category: "diff",
-          check: `File size: ${file.path}`,
-          passed: false,
-          severity: "warning",
-          details: `File has ${totalLines} lines changed, exceeding limit of ${options.maxFileSize}`,
-          file: file.path,
-          suggestion: "Consider splitting this file into smaller modules"
-        });
-      }
+  return items;
+}
+function checkDocCoverage2(files, graphImpactData) {
+  const items = [];
+  for (const file of files) {
+    if (file.status !== "modified" || !file.path.endsWith(".ts") || file.path.includes(".test.")) {
+      continue;
     }
+    const hasDoc = graphImpactData.affectedDocs.some((d) => d.documentsFile === file.path);
+    if (hasDoc) continue;
+    items.push({
+      id: `doc-coverage-${file.path}`,
+      category: "diff",
+      check: "Documentation coverage (graph)",
+      passed: true,
+      severity: "info",
+      details: `Modified file ${file.path} has no documentation linked in the graph`,
+      file: file.path
+    });
   }
+  return items;
+}
+async function analyzeDiff(changes, options, graphImpactData) {
+  if (!options?.enabled) {
+    return (0, import_types.Ok)([]);
+  }
+  let itemId = 0;
+  const nextId = () => `diff-${++itemId}`;
+  const items = [
+    ...checkForbiddenPatterns(changes.diff, options.forbiddenPatterns, nextId),
+    ...checkMaxChangedFiles(changes.files, options.maxChangedFiles, nextId),
+    ...checkFileSizes(changes.files, options.maxFileSize, nextId)
+  ];
   if (options.checkTestCoverage) {
-    if (graphImpactData) {
-      for (const file of changes.files) {
-        if (file.status === "added" && file.path.endsWith(".ts") && !file.path.includes(".test.")) {
-          const hasGraphTest = graphImpactData.affectedTests.some(
-            (t) => t.coversFile === file.path
-          );
-          if (!hasGraphTest) {
-            items.push({
-              id: `test-coverage-${file.path}`,
-              category: "diff",
-              check: "Test coverage (graph)",
-              passed: false,
-              severity: "warning",
-              details: `New file ${file.path} has no test file linked in the graph`,
-              file: file.path
-            });
-          }
-        }
-      }
-    } else {
-      const addedSourceFiles = changes.files.filter(
-        (f) => f.status === "added" && f.path.endsWith(".ts") && !f.path.includes(".test.")
-      );
-      const testFiles = changes.files.filter((f) => f.path.includes(".test."));
-      for (const sourceFile of addedSourceFiles) {
-        const expectedTestPath = sourceFile.path.replace(".ts", ".test.ts");
-        const hasTest = testFiles.some(
-          (t) => t.path.includes(expectedTestPath) || t.path.includes(sourceFile.path.replace(".ts", ""))
-        );
-        if (!hasTest) {
-          items.push({
-            id: `diff-${++itemId}`,
-            category: "diff",
-            check: `Test coverage: ${sourceFile.path}`,
-            passed: false,
-            severity: "warning",
-            details: "New source file added without corresponding test file",
-            file: sourceFile.path,
-            suggestion: `Add tests in ${expectedTestPath}`
-          });
-        }
-      }
-    }
+    const coverageItems = graphImpactData ? checkTestCoverageGraph(changes.files, graphImpactData) : checkTestCoverageFilename(changes.files, nextId);
+    items.push(...coverageItems);
   }
   if (graphImpactData && graphImpactData.impactScope > 20) {
     items.push({
@@ -5140,22 +5243,7 @@ async function analyzeDiff(changes, options, graphImpactData) {
     });
   }
   if (graphImpactData) {
-    for (const file of changes.files) {
-      if (file.status === "modified" && file.path.endsWith(".ts") && !file.path.includes(".test.")) {
-        const hasDoc = graphImpactData.affectedDocs.some((d) => d.documentsFile === file.path);
-        if (!hasDoc) {
-          items.push({
-            id: `doc-coverage-${file.path}`,
-            category: "diff",
-            check: "Documentation coverage (graph)",
-            passed: true,
-            severity: "info",
-            details: `Modified file ${file.path} has no documentation linked in the graph`,
-            file: file.path
-          });
-        }
-      }
-    }
+    items.push(...checkDocCoverage2(changes.files, graphImpactData));
   }
   return (0, import_types.Ok)(items);
 }
@@ -5739,6 +5827,28 @@ function constraintRuleId(category, scope, description) {
 }
 
 // src/architecture/collectors/circular-deps.ts
+function makeStubParser() {
+  return {
+    name: "typescript",
+    extensions: [".ts", ".tsx"],
+    parseFile: async () => ({ ok: false, error: { code: "PARSE_ERROR", message: "not needed" } }),
+    extractImports: () => ({ ok: false, error: { code: "EXTRACT_ERROR", message: "not needed" } }),
+    extractExports: () => ({ ok: false, error: { code: "EXTRACT_ERROR", message: "not needed" } }),
+    health: async () => ({ ok: true, value: { available: true } })
+  };
+}
+function mapCycleViolations(cycles, rootDir, category) {
+  return cycles.map((cycle) => {
+    const cyclePath = cycle.cycle.map((f) => relativePosix(rootDir, f)).join(" -> ");
+    const firstFile = relativePosix(rootDir, cycle.cycle[0]);
+    return {
+      id: violationId(firstFile, category, cyclePath),
+      file: firstFile,
+      detail: `Circular dependency: ${cyclePath}`,
+      severity: cycle.severity
+    };
+  });
+}
 var CircularDepsCollector = class {
   category = "circular-deps";
   getRules(_config, _rootDir) {
@@ -5754,21 +5864,7 @@ var CircularDepsCollector = class {
   }
   async collect(_config, rootDir) {
     const files = await findFiles("**/*.ts", rootDir);
-    const stubParser = {
-      name: "typescript",
-      extensions: [".ts", ".tsx"],
-      parseFile: async () => ({ ok: false, error: { code: "PARSE_ERROR", message: "not needed" } }),
-      extractImports: () => ({
-        ok: false,
-        error: { code: "EXTRACT_ERROR", message: "not needed" }
-      }),
-      extractExports: () => ({
-        ok: false,
-        error: { code: "EXTRACT_ERROR", message: "not needed" }
-      }),
-      health: async () => ({ ok: true, value: { available: true } })
-    };
-    const graphResult = await buildDependencyGraph(files, stubParser);
+    const graphResult = await buildDependencyGraph(files, makeStubParser());
     if (!graphResult.ok) {
       return [
         {
@@ -5793,16 +5889,7 @@ var CircularDepsCollector = class {
       ];
     }
     const { cycles, largestCycle } = result.value;
-    const violations = cycles.map((cycle) => {
-      const cyclePath = cycle.cycle.map((f) => relativePosix(rootDir, f)).join(" -> ");
-      const firstFile = relativePosix(rootDir, cycle.cycle[0]);
-      return {
-        id: violationId(firstFile, this.category, cyclePath),
-        file: firstFile,
-        detail: `Circular dependency: ${cyclePath}`,
-        severity: cycle.severity
-      };
-    });
+    const violations = mapCycleViolations(cycles, rootDir, this.category);
     return [
       {
         category: this.category,
@@ -5816,6 +5903,30 @@ var CircularDepsCollector = class {
 };
 
 // src/architecture/collectors/layer-violations.ts
+function makeLayerStubParser() {
+  return {
+    name: "typescript",
+    extensions: [".ts", ".tsx"],
+    parseFile: async () => ({ ok: false, error: { code: "PARSE_ERROR", message: "" } }),
+    extractImports: () => ({ ok: false, error: { code: "EXTRACT_ERROR", message: "" } }),
+    extractExports: () => ({ ok: false, error: { code: "EXTRACT_ERROR", message: "" } }),
+    health: async () => ({ ok: true, value: { available: true } })
+  };
+}
+function mapLayerViolations(layerViolations, rootDir, category) {
+  return layerViolations.map((v) => {
+    const relFile = relativePosix(rootDir, v.file);
+    const relImport = relativePosix(rootDir, v.imports);
+    const detail = `${v.fromLayer} -> ${v.toLayer}: ${relFile} imports ${relImport}`;
+    return {
+      id: violationId(relFile, category ?? "", detail),
+      file: relFile,
+      category,
+      detail,
+      severity: "error"
+    };
+  });
+}
 var LayerViolationCollector = class {
   category = "layer-violations";
   getRules(_config, _rootDir) {
@@ -5830,18 +5941,10 @@ var LayerViolationCollector = class {
     ];
   }
   async collect(_config, rootDir) {
-    const stubParser = {
-      name: "typescript",
-      extensions: [".ts", ".tsx"],
-      parseFile: async () => ({ ok: false, error: { code: "PARSE_ERROR", message: "" } }),
-      extractImports: () => ({ ok: false, error: { code: "EXTRACT_ERROR", message: "" } }),
-      extractExports: () => ({ ok: false, error: { code: "EXTRACT_ERROR", message: "" } }),
-      health: async () => ({ ok: true, value: { available: true } })
-    };
     const result = await validateDependencies({
       layers: [],
       rootDir,
-      parser: stubParser,
+      parser: makeLayerStubParser(),
       fallbackBehavior: "skip"
     });
     if (!result.ok) {
@@ -5855,33 +5958,52 @@ var LayerViolationCollector = class {
         }
       ];
     }
-    const layerViolations = result.value.violations.filter(
-      (v) => v.reason === "WRONG_LAYER"
+    const violations = mapLayerViolations(
+      result.value.violations.filter((v) => v.reason === "WRONG_LAYER"),
+      rootDir,
+      this.category
     );
-    const violations = layerViolations.map((v) => {
-      const relFile = relativePosix(rootDir, v.file);
-      const relImport = relativePosix(rootDir, v.imports);
-      const detail = `${v.fromLayer} -> ${v.toLayer}: ${relFile} imports ${relImport}`;
-      return {
-        id: violationId(relFile, this.category, detail),
-        file: relFile,
-        category: this.category,
-        detail,
-        severity: "error"
-      };
-    });
-    return [
-      {
-        category: this.category,
-        scope: "project",
-        value: violations.length,
-        violations
-      }
-    ];
+    return [{ category: this.category, scope: "project", value: violations.length, violations }];
   }
 };
 
 // src/architecture/collectors/complexity.ts
+function buildSnapshot2(files, rootDir) {
+  return {
+    files: files.map((f) => ({
+      path: f,
+      ast: { type: "Program", body: null, language: "typescript" },
+      imports: [],
+      exports: [],
+      internalSymbols: [],
+      jsDocComments: []
+    })),
+    dependencyGraph: { nodes: [], edges: [] },
+    exportMap: { byFile: /* @__PURE__ */ new Map(), byName: /* @__PURE__ */ new Map() },
+    docs: [],
+    codeReferences: [],
+    entryPoints: [],
+    rootDir,
+    config: { rootDir, analyze: {} },
+    buildTime: 0
+  };
+}
+function resolveMaxComplexity(config) {
+  const threshold = config.thresholds.complexity;
+  return typeof threshold === "number" ? threshold : threshold?.max ?? 15;
+}
+function mapComplexityViolations(complexityViolations, rootDir, category) {
+  return complexityViolations.filter((v) => v.severity === "error" || v.severity === "warning").map((v) => {
+    const relFile = relativePosix(rootDir, v.file);
+    return {
+      id: violationId(relFile, category ?? "", `${v.metric}:${v.function}`),
+      file: relFile,
+      category,
+      detail: `${v.metric}=${v.value} in ${v.function} (threshold: ${v.threshold})`,
+      severity: v.severity
+    };
+  });
+}
 var ComplexityCollector = class {
   category = "complexity";
   getRules(_config, _rootDir) {
@@ -5897,32 +6019,11 @@ var ComplexityCollector = class {
   }
   async collect(_config, rootDir) {
     const files = await findFiles("**/*.ts", rootDir);
-    const snapshot = {
-      files: files.map((f) => ({
-        path: f,
-        ast: { type: "Program", body: null, language: "typescript" },
-        imports: [],
-        exports: [],
-        internalSymbols: [],
-        jsDocComments: []
-      })),
-      dependencyGraph: { nodes: [], edges: [] },
-      exportMap: { byFile: /* @__PURE__ */ new Map(), byName: /* @__PURE__ */ new Map() },
-      docs: [],
-      codeReferences: [],
-      entryPoints: [],
-      rootDir,
-      config: { rootDir, analyze: {} },
-      buildTime: 0
-    };
-    const complexityThreshold = _config.thresholds.complexity;
-    const maxComplexity = typeof complexityThreshold === "number" ? complexityThreshold : complexityThreshold?.max ?? 15;
+    const snapshot = buildSnapshot2(files, rootDir);
+    const maxComplexity = resolveMaxComplexity(_config);
     const complexityConfig = {
       thresholds: {
-        cyclomaticComplexity: {
-          error: maxComplexity,
-          warn: Math.floor(maxComplexity * 0.7)
-        }
+        cyclomaticComplexity: { error: maxComplexity, warn: Math.floor(maxComplexity * 0.7) }
       }
     };
     const result = await detectComplexityViolations(snapshot, complexityConfig);
@@ -5938,20 +6039,7 @@ var ComplexityCollector = class {
       ];
     }
     const { violations: complexityViolations, stats } = result.value;
-    const filtered = complexityViolations.filter(
-      (v) => v.severity === "error" || v.severity === "warning"
-    );
-    const violations = filtered.map((v) => {
-      const relFile = relativePosix(rootDir, v.file);
-      const idDetail = `${v.metric}:${v.function}`;
-      return {
-        id: violationId(relFile, this.category, idDetail),
-        file: relFile,
-        category: this.category,
-        detail: `${v.metric}=${v.value} in ${v.function} (threshold: ${v.threshold})`,
-        severity: v.severity
-      };
-    });
+    const violations = mapComplexityViolations(complexityViolations, rootDir, this.category);
     return [
       {
         category: this.category,
@@ -5968,6 +6056,38 @@ var ComplexityCollector = class {
 };
 
 // src/architecture/collectors/coupling.ts
+function buildCouplingSnapshot(files, rootDir) {
+  return {
+    files: files.map((f) => ({
+      path: f,
+      ast: { type: "Program", body: null, language: "typescript" },
+      imports: [],
+      exports: [],
+      internalSymbols: [],
+      jsDocComments: []
+    })),
+    dependencyGraph: { nodes: [], edges: [] },
+    exportMap: { byFile: /* @__PURE__ */ new Map(), byName: /* @__PURE__ */ new Map() },
+    docs: [],
+    codeReferences: [],
+    entryPoints: [],
+    rootDir,
+    config: { rootDir, analyze: {} },
+    buildTime: 0
+  };
+}
+function mapCouplingViolations(couplingViolations, rootDir, category) {
+  return couplingViolations.filter((v) => v.severity === "error" || v.severity === "warning").map((v) => {
+    const relFile = relativePosix(rootDir, v.file);
+    return {
+      id: violationId(relFile, category ?? "", v.metric),
+      file: relFile,
+      category,
+      detail: `${v.metric}=${v.value} (threshold: ${v.threshold})`,
+      severity: v.severity
+    };
+  });
+}
 var CouplingCollector = class {
   category = "coupling";
   getRules(_config, _rootDir) {
@@ -5983,24 +6103,7 @@ var CouplingCollector = class {
   }
   async collect(_config, rootDir) {
     const files = await findFiles("**/*.ts", rootDir);
-    const snapshot = {
-      files: files.map((f) => ({
-        path: f,
-        ast: { type: "Program", body: null, language: "typescript" },
-        imports: [],
-        exports: [],
-        internalSymbols: [],
-        jsDocComments: []
-      })),
-      dependencyGraph: { nodes: [], edges: [] },
-      exportMap: { byFile: /* @__PURE__ */ new Map(), byName: /* @__PURE__ */ new Map() },
-      docs: [],
-      codeReferences: [],
-      entryPoints: [],
-      rootDir,
-      config: { rootDir, analyze: {} },
-      buildTime: 0
-    };
+    const snapshot = buildCouplingSnapshot(files, rootDir);
     const result = await detectCouplingViolations(snapshot);
     if (!result.ok) {
       return [
@@ -6014,20 +6117,7 @@ var CouplingCollector = class {
       ];
     }
     const { violations: couplingViolations, stats } = result.value;
-    const filtered = couplingViolations.filter(
-      (v) => v.severity === "error" || v.severity === "warning"
-    );
-    const violations = filtered.map((v) => {
-      const relFile = relativePosix(rootDir, v.file);
-      const idDetail = `${v.metric}`;
-      return {
-        id: violationId(relFile, this.category, idDetail),
-        file: relFile,
-        category: this.category,
-        detail: `${v.metric}=${v.value} (threshold: ${v.threshold})`,
-        severity: v.severity
-      };
-    });
+    const violations = mapCouplingViolations(couplingViolations, rootDir, this.category);
     return [
       {
         category: this.category,
@@ -6041,6 +6131,30 @@ var CouplingCollector = class {
 };
 
 // src/architecture/collectors/forbidden-imports.ts
+function makeForbiddenStubParser() {
+  return {
+    name: "typescript",
+    extensions: [".ts", ".tsx"],
+    parseFile: async () => ({ ok: false, error: { code: "PARSE_ERROR", message: "" } }),
+    extractImports: () => ({ ok: false, error: { code: "EXTRACT_ERROR", message: "" } }),
+    extractExports: () => ({ ok: false, error: { code: "EXTRACT_ERROR", message: "" } }),
+    health: async () => ({ ok: true, value: { available: true } })
+  };
+}
+function mapForbiddenImportViolations(forbidden, rootDir, category) {
+  return forbidden.map((v) => {
+    const relFile = relativePosix(rootDir, v.file);
+    const relImport = relativePosix(rootDir, v.imports);
+    const detail = `forbidden import: ${relFile} -> ${relImport}`;
+    return {
+      id: violationId(relFile, category ?? "", detail),
+      file: relFile,
+      category,
+      detail,
+      severity: "error"
+    };
+  });
+}
 var ForbiddenImportCollector = class {
   category = "forbidden-imports";
   getRules(_config, _rootDir) {
@@ -6055,18 +6169,10 @@ var ForbiddenImportCollector = class {
     ];
   }
   async collect(_config, rootDir) {
-    const stubParser = {
-      name: "typescript",
-      extensions: [".ts", ".tsx"],
-      parseFile: async () => ({ ok: false, error: { code: "PARSE_ERROR", message: "" } }),
-      extractImports: () => ({ ok: false, error: { code: "EXTRACT_ERROR", message: "" } }),
-      extractExports: () => ({ ok: false, error: { code: "EXTRACT_ERROR", message: "" } }),
-      health: async () => ({ ok: true, value: { available: true } })
-    };
     const result = await validateDependencies({
       layers: [],
       rootDir,
-      parser: stubParser,
+      parser: makeForbiddenStubParser(),
       fallbackBehavior: "skip"
     });
     if (!result.ok) {
@@ -6080,91 +6186,94 @@ var ForbiddenImportCollector = class {
         }
       ];
     }
-    const forbidden = result.value.violations.filter(
-      (v) => v.reason === "FORBIDDEN_IMPORT"
+    const violations = mapForbiddenImportViolations(
+      result.value.violations.filter((v) => v.reason === "FORBIDDEN_IMPORT"),
+      rootDir,
+      this.category
     );
-    const violations = forbidden.map((v) => {
-      const relFile = relativePosix(rootDir, v.file);
-      const relImport = relativePosix(rootDir, v.imports);
-      const detail = `forbidden import: ${relFile} -> ${relImport}`;
-      return {
-        id: violationId(relFile, this.category, detail),
-        file: relFile,
-        category: this.category,
-        detail,
-        severity: "error"
-      };
-    });
-    return [
-      {
-        category: this.category,
-        scope: "project",
-        value: violations.length,
-        violations
-      }
-    ];
+    return [{ category: this.category, scope: "project", value: violations.length, violations }];
   }
 };
 
 // src/architecture/collectors/module-size.ts
 var import_promises2 = require("fs/promises");
 var import_node_path4 = require("path");
-async function discoverModules(rootDir) {
-  const modules = [];
-  async function scanDir(dir) {
-    let entries;
-    try {
-      entries = await (0, import_promises2.readdir)(dir, { withFileTypes: true });
-    } catch {
-      return;
-    }
-    const tsFiles = [];
-    const subdirs = [];
-    for (const entry of entries) {
-      if (entry.name.startsWith(".") || entry.name === "node_modules" || entry.name === "dist") {
-        continue;
-      }
-      const fullPath = (0, import_node_path4.join)(dir, entry.name);
-      if (entry.isDirectory()) {
-        subdirs.push(fullPath);
-      } else if (entry.isFile() && (entry.name.endsWith(".ts") || entry.name.endsWith(".tsx")) && !entry.name.endsWith(".test.ts") && !entry.name.endsWith(".test.tsx") && !entry.name.endsWith(".spec.ts")) {
-        tsFiles.push(fullPath);
-      }
-    }
-    if (tsFiles.length > 0) {
-      let totalLoc = 0;
-      for (const f of tsFiles) {
-        try {
-          const content = await (0, import_promises2.readFile)(f, "utf-8");
-          totalLoc += content.split("\n").filter((line) => line.trim().length > 0).length;
-        } catch {
-        }
-      }
-      modules.push({
-        modulePath: relativePosix(rootDir, dir),
-        fileCount: tsFiles.length,
-        totalLoc,
-        files: tsFiles.map((f) => relativePosix(rootDir, f))
-      });
+function isSkippedEntry(name) {
+  return name.startsWith(".") || name === "node_modules" || name === "dist";
+}
+function isTsSourceFile(name) {
+  if (!name.endsWith(".ts") && !name.endsWith(".tsx")) return false;
+  if (name.endsWith(".test.ts") || name.endsWith(".test.tsx") || name.endsWith(".spec.ts"))
+    return false;
+  return true;
+}
+async function countLoc(filePath) {
+  try {
+    const content = await (0, import_promises2.readFile)(filePath, "utf-8");
+    return content.split("\n").filter((line) => line.trim().length > 0).length;
+  } catch {
+    return 0;
+  }
+}
+async function buildModuleStats(rootDir, dir, tsFiles) {
+  let totalLoc = 0;
+  for (const f of tsFiles) {
+    totalLoc += await countLoc(f);
+  }
+  return {
+    modulePath: relativePosix(rootDir, dir),
+    fileCount: tsFiles.length,
+    totalLoc,
+    files: tsFiles.map((f) => relativePosix(rootDir, f))
+  };
+}
+async function scanDir(rootDir, dir, modules) {
+  let entries;
+  try {
+    entries = await (0, import_promises2.readdir)(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  const tsFiles = [];
+  const subdirs = [];
+  for (const entry of entries) {
+    if (isSkippedEntry(entry.name)) continue;
+    const fullPath = (0, import_node_path4.join)(dir, entry.name);
+    if (entry.isDirectory()) {
+      subdirs.push(fullPath);
+      continue;
     }
-    for (const sub of subdirs) {
-      await scanDir(sub);
+    if (entry.isFile() && isTsSourceFile(entry.name)) {
+      tsFiles.push(fullPath);
     }
   }
-  await scanDir(rootDir);
+  if (tsFiles.length > 0) {
+    modules.push(await buildModuleStats(rootDir, dir, tsFiles));
+  }
+  for (const sub of subdirs) {
+    await scanDir(rootDir, sub, modules);
+  }
+}
+async function discoverModules(rootDir) {
+  const modules = [];
+  await scanDir(rootDir, rootDir, modules);
   return modules;
 }
+function extractThresholds(config) {
+  const thresholds = config.thresholds["module-size"];
+  let maxLoc = Infinity;
+  let maxFiles = Infinity;
+  if (typeof thresholds === "object" && thresholds !== null) {
+    const t = thresholds;
+    if (t.maxLoc !== void 0) maxLoc = t.maxLoc;
+    if (t.maxFiles !== void 0) maxFiles = t.maxFiles;
+  }
+  return { maxLoc, maxFiles };
+}
 var ModuleSizeCollector = class {
   category = "module-size";
   getRules(config, _rootDir) {
-    const thresholds = config.thresholds["module-size"];
-    let maxLoc = Infinity;
-    let maxFiles = Infinity;
-    if (typeof thresholds === "object" && thresholds !== null) {
-      const t = thresholds;
-      if (t.maxLoc !== void 0) maxLoc = t.maxLoc;
-      if (t.maxFiles !== void 0) maxFiles = t.maxFiles;
-    }
+    const { maxLoc, maxFiles } = extractThresholds(config);
     const rules = [];
     if (maxLoc < Infinity) {
       const desc = `Module LOC must not exceed ${maxLoc}`;
@@ -6197,14 +6306,7 @@ var ModuleSizeCollector = class {
   }
   async collect(config, rootDir) {
     const modules = await discoverModules(rootDir);
-    const thresholds = config.thresholds["module-size"];
-    let maxLoc = Infinity;
-    let maxFiles = Infinity;
-    if (typeof thresholds === "object" && thresholds !== null) {
-      const t = thresholds;
-      if (t.maxLoc !== void 0) maxLoc = t.maxLoc;
-      if (t.maxFiles !== void 0) maxFiles = t.maxFiles;
-    }
+    const { maxLoc, maxFiles } = extractThresholds(config);
     return modules.map((mod) => {
       const violations = [];
       if (mod.totalLoc > maxLoc) {
@@ -6254,27 +6356,33 @@ function extractImportSources(content, filePath) {
   }
   return sources;
 }
-async function collectTsFiles(dir) {
-  const results = [];
-  async function scan(d) {
-    let entries;
-    try {
-      entries = await (0, import_promises3.readdir)(d, { withFileTypes: true });
-    } catch {
-      return;
-    }
-    for (const entry of entries) {
-      if (entry.name.startsWith(".") || entry.name === "node_modules" || entry.name === "dist")
-        continue;
-      const fullPath = (0, import_node_path5.join)(d, entry.name);
-      if (entry.isDirectory()) {
-        await scan(fullPath);
-      } else if (entry.isFile() && (entry.name.endsWith(".ts") || entry.name.endsWith(".tsx")) && !entry.name.endsWith(".test.ts") && !entry.name.endsWith(".test.tsx") && !entry.name.endsWith(".spec.ts")) {
-        results.push(fullPath);
-      }
+function isSkippedEntry2(name) {
+  return name.startsWith(".") || name === "node_modules" || name === "dist";
+}
+function isTsSourceFile2(name) {
+  if (!name.endsWith(".ts") && !name.endsWith(".tsx")) return false;
+  return !name.endsWith(".test.ts") && !name.endsWith(".test.tsx") && !name.endsWith(".spec.ts");
+}
+async function scanDir2(d, results) {
+  let entries;
+  try {
+    entries = await (0, import_promises3.readdir)(d, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (isSkippedEntry2(entry.name)) continue;
+    const fullPath = (0, import_node_path5.join)(d, entry.name);
+    if (entry.isDirectory()) {
+      await scanDir2(fullPath, results);
+    } else if (entry.isFile() && isTsSourceFile2(entry.name)) {
+      results.push(fullPath);
     }
   }
-  await scan(dir);
+}
+async function collectTsFiles(dir) {
+  const results = [];
+  await scanDir2(dir, results);
   return results;
 }
 function computeLongestChain(file, graph, visited, memo) {
@@ -6305,34 +6413,42 @@ var DepDepthCollector = class {
       }
     ];
   }
-  async collect(config, rootDir) {
-    const allFiles = await collectTsFiles(rootDir);
+  async buildImportGraph(allFiles) {
     const graph = /* @__PURE__ */ new Map();
     const fileSet = new Set(allFiles);
     for (const file of allFiles) {
       try {
         const content = await (0, import_promises3.readFile)(file, "utf-8");
-        const imports = extractImportSources(content, file).filter((imp) => fileSet.has(imp));
-        graph.set(file, imports);
+        graph.set(
+          file,
+          extractImportSources(content, file).filter((imp) => fileSet.has(imp))
+        );
       } catch {
         graph.set(file, []);
       }
     }
+    return graph;
+  }
+  buildModuleMap(allFiles, rootDir) {
     const moduleMap = /* @__PURE__ */ new Map();
     for (const file of allFiles) {
       const relDir = relativePosix(rootDir, (0, import_node_path5.dirname)(file));
       if (!moduleMap.has(relDir)) moduleMap.set(relDir, []);
       moduleMap.get(relDir).push(file);
     }
+    return moduleMap;
+  }
+  async collect(config, rootDir) {
+    const allFiles = await collectTsFiles(rootDir);
+    const graph = await this.buildImportGraph(allFiles);
+    const moduleMap = this.buildModuleMap(allFiles, rootDir);
     const memo = /* @__PURE__ */ new Map();
     const threshold = typeof config.thresholds["dependency-depth"] === "number" ? config.thresholds["dependency-depth"] : Infinity;
     const results = [];
     for (const [modulePath, files] of moduleMap) {
-      let longestChain = 0;
-      for (const file of files) {
-        const depth = computeLongestChain(file, graph, /* @__PURE__ */ new Set(), memo);
-        if (depth > longestChain) longestChain = depth;
-      }
+      const longestChain = files.reduce((max, file) => {
+        return Math.max(max, computeLongestChain(file, graph, /* @__PURE__ */ new Set(), memo));
+      }, 0);
       const violations = [];
       if (longestChain > threshold) {
         violations.push({
@@ -6429,10 +6545,26 @@ function hasMatchingViolation(rule, violationsByCategory) {
 }
 
 // src/architecture/detect-stale.ts
+function evaluateStaleNode(node, now, cutoff) {
+  const lastViolatedAt = node.lastViolatedAt ?? null;
+  const createdAt = node.createdAt;
+  const comparisonTimestamp = lastViolatedAt ?? createdAt;
+  if (!comparisonTimestamp) return null;
+  const timestampMs = new Date(comparisonTimestamp).getTime();
+  if (timestampMs >= cutoff) return null;
+  const daysSince = Math.floor((now - timestampMs) / (24 * 60 * 60 * 1e3));
+  return {
+    id: node.id,
+    category: node.category,
+    description: node.name ?? "",
+    scope: node.scope ?? "project",
+    lastViolatedAt,
+    daysSinceLastViolation: daysSince
+  };
+}
 function detectStaleConstraints(store, windowDays = 30, category) {
   const now = Date.now();
-  const windowMs = windowDays * 24 * 60 * 60 * 1e3;
-  const cutoff = now - windowMs;
+  const cutoff = now - windowDays * 24 * 60 * 60 * 1e3;
   let constraints = store.findNodes({ type: "constraint" });
   if (category) {
     constraints = constraints.filter((n) => n.category === category);
@@ -6440,22 +6572,8 @@ function detectStaleConstraints(store, windowDays = 30, category) {
   const totalConstraints = constraints.length;
   const staleConstraints = [];
   for (const node of constraints) {
-    const lastViolatedAt = node.lastViolatedAt ?? null;
-    const createdAt = node.createdAt;
-    const comparisonTimestamp = lastViolatedAt ?? createdAt;
-    if (!comparisonTimestamp) continue;
-    const timestampMs = new Date(comparisonTimestamp).getTime();
-    if (timestampMs < cutoff) {
-      const daysSince = Math.floor((now - timestampMs) / (24 * 60 * 60 * 1e3));
-      staleConstraints.push({
-        id: node.id,
-        category: node.category,
-        description: node.name ?? "",
-        scope: node.scope ?? "project",
-        lastViolatedAt,
-        daysSinceLastViolation: daysSince
-      });
-    }
+    const entry = evaluateStaleNode(node, now, cutoff);
+    if (entry) staleConstraints.push(entry);
   }
   staleConstraints.sort((a, b) => b.daysSinceLastViolation - a.daysSinceLastViolation);
   return { staleConstraints, totalConstraints, windowDays };
@@ -6581,44 +6699,57 @@ function collectOrphanedBaselineViolations(baseline, visitedCategories) {
   }
   return resolved;
 }
+function diffCategory(category, agg, baselineCategory, acc) {
+  const baselineViolationIds = new Set(baselineCategory?.violationIds ?? []);
+  const baselineValue = baselineCategory?.value ?? 0;
+  const classified = classifyViolations(agg.violations, baselineViolationIds);
+  acc.newViolations.push(...classified.newViolations);
+  acc.preExisting.push(...classified.preExisting);
+  const currentViolationIds = new Set(agg.violations.map((v) => v.id));
+  acc.resolvedViolations.push(...findResolvedViolations(baselineCategory, currentViolationIds));
+  if (baselineCategory && agg.value > baselineValue) {
+    acc.regressions.push({
+      category,
+      baselineValue,
+      currentValue: agg.value,
+      delta: agg.value - baselineValue
+    });
+  }
+}
 function diff(current, baseline) {
   const aggregated = aggregateByCategory(current);
-  const newViolations = [];
-  const resolvedViolations = [];
-  const preExisting = [];
-  const regressions = [];
+  const acc = {
+    newViolations: [],
+    resolvedViolations: [],
+    preExisting: [],
+    regressions: []
+  };
   const visitedCategories = /* @__PURE__ */ new Set();
   for (const [category, agg] of aggregated) {
     visitedCategories.add(category);
-    const baselineCategory = baseline.metrics[category];
-    const baselineViolationIds = new Set(baselineCategory?.violationIds ?? []);
-    const baselineValue = baselineCategory?.value ?? 0;
-    const classified = classifyViolations(agg.violations, baselineViolationIds);
-    newViolations.push(...classified.newViolations);
-    preExisting.push(...classified.preExisting);
-    const currentViolationIds = new Set(agg.violations.map((v) => v.id));
-    resolvedViolations.push(...findResolvedViolations(baselineCategory, currentViolationIds));
-    if (baselineCategory && agg.value > baselineValue) {
-      regressions.push({
-        category,
-        baselineValue,
-        currentValue: agg.value,
-        delta: agg.value - baselineValue
-      });
-    }
+    diffCategory(category, agg, baseline.metrics[category], acc);
   }
-  resolvedViolations.push(...collectOrphanedBaselineViolations(baseline, visitedCategories));
+  acc.resolvedViolations.push(...collectOrphanedBaselineViolations(baseline, visitedCategories));
   return {
-    passed: newViolations.length === 0 && regressions.length === 0,
-    newViolations,
-    resolvedViolations,
-    preExisting,
-    regressions
+    passed: acc.newViolations.length === 0 && acc.regressions.length === 0,
+    newViolations: acc.newViolations,
+    resolvedViolations: acc.resolvedViolations,
+    preExisting: acc.preExisting,
+    regressions: acc.regressions
   };
 }
 
 // src/architecture/config.ts
-function resolveThresholds2(scope, config) {
+function mergeThresholdCategory(projectValue2, moduleValue) {
+  if (projectValue2 !== void 0 && typeof projectValue2 === "object" && !Array.isArray(projectValue2) && typeof moduleValue === "object" && !Array.isArray(moduleValue)) {
+    return {
+      ...projectValue2,
+      ...moduleValue
+    };
+  }
+  return moduleValue;
+}
+function resolveThresholds3(scope, config) {
   const projectThresholds = {};
   for (const [key, val] of Object.entries(config.thresholds)) {
     projectThresholds[key] = typeof val === "object" && val !== null && !Array.isArray(val) ? { ...val } : val;
@@ -6633,14 +6764,7 @@ function resolveThresholds2(scope, config) {
   const merged = { ...projectThresholds };
   for (const [category, moduleValue] of Object.entries(moduleOverrides)) {
     const projectValue2 = projectThresholds[category];
-    if (projectValue2 !== void 0 && typeof projectValue2 === "object" && !Array.isArray(projectValue2) && typeof moduleValue === "object" && !Array.isArray(moduleValue)) {
-      merged[category] = {
-        ...projectValue2,
-        ...moduleValue
-      };
-    } else {
-      merged[category] = moduleValue;
-    }
+    merged[category] = mergeThresholdCategory(projectValue2, moduleValue);
   }
   return merged;
 }
@@ -7450,18 +7574,10 @@ var PredictionEngine = class {
    */
   predict(options) {
     const opts = this.resolveOptions(options);
-    const timeline = this.timelineManager.load();
-    const snapshots = timeline.snapshots;
-    if (snapshots.length < 3) {
-      throw new Error(
-        `PredictionEngine requires at least 3 snapshots, got ${snapshots.length}. Run "harness snapshot" to capture more data points.`
-      );
-    }
+    const snapshots = this.loadValidatedSnapshots();
     const thresholds = this.resolveThresholds(opts);
     const categoriesToProcess = opts.categories ?? [...ALL_CATEGORIES2];
-    const firstDate = new Date(snapshots[0].capturedAt).getTime();
-    const lastSnapshot = snapshots[snapshots.length - 1];
-    const currentT = (new Date(lastSnapshot.capturedAt).getTime() - firstDate) / (7 * 24 * 60 * 60 * 1e3);
+    const { firstDate, lastSnapshot, currentT } = this.computeTimeOffsets(snapshots);
     const baselines = this.computeBaselines(
       categoriesToProcess,
       thresholds,
@@ -7472,27 +7588,32 @@ var PredictionEngine = class {
     );
     const specImpacts = this.computeSpecImpacts(opts);
     const categories = this.computeAdjustedForecasts(baselines, thresholds, specImpacts, currentT);
-    const warnings = this.generateWarnings(
-      categories,
-      opts.horizon
-    );
-    const stabilityForecast = this.computeStabilityForecast(
-      categories,
-      thresholds,
-      snapshots
-    );
+    const adjustedCategories = categories;
     return {
       generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
       snapshotsUsed: snapshots.length,
-      timelineRange: {
-        from: snapshots[0].capturedAt,
-        to: lastSnapshot.capturedAt
-      },
-      stabilityForecast,
-      categories,
-      warnings
+      timelineRange: { from: snapshots[0].capturedAt, to: lastSnapshot.capturedAt },
+      stabilityForecast: this.computeStabilityForecast(adjustedCategories, thresholds, snapshots),
+      categories: adjustedCategories,
+      warnings: this.generateWarnings(adjustedCategories, opts.horizon)
     };
   }
+  loadValidatedSnapshots() {
+    const timeline = this.timelineManager.load();
+    const snapshots = timeline.snapshots;
+    if (snapshots.length < 3) {
+      throw new Error(
+        `PredictionEngine requires at least 3 snapshots, got ${snapshots.length}. Run "harness snapshot" to capture more data points.`
+      );
+    }
+    return snapshots;
+  }
+  computeTimeOffsets(snapshots) {
+    const firstDate = new Date(snapshots[0].capturedAt).getTime();
+    const lastSnapshot = snapshots[snapshots.length - 1];
+    const currentT = (new Date(lastSnapshot.capturedAt).getTime() - firstDate) / (7 * 24 * 60 * 60 * 1e3);
+    return { firstDate, lastSnapshot, currentT };
+  }
   // --- Private helpers ---
   resolveOptions(options) {
     return {
@@ -7659,31 +7780,40 @@ var PredictionEngine = class {
     for (const category of ALL_CATEGORIES2) {
       const af = categories[category];
       if (!af) continue;
-      const forecast = af.adjusted;
-      const crossing = forecast.thresholdCrossingWeeks;
-      if (crossing === null || crossing <= 0) continue;
-      let severity = null;
-      if (crossing <= criticalWindow && (forecast.confidence === "high" || forecast.confidence === "medium")) {
-        severity = "critical";
-      } else if (crossing <= warningWindow && (forecast.confidence === "high" || forecast.confidence === "medium")) {
-        severity = "warning";
-      } else if (crossing <= horizon) {
-        severity = "info";
-      }
-      if (severity) {
-        const contributingNames = af.contributingFeatures.map((f) => f.name);
-        warnings.push({
-          severity,
-          category,
-          message: `${category} projected to exceed threshold (~${crossing}w, ${forecast.confidence} confidence)`,
-          weeksUntil: crossing,
-          confidence: forecast.confidence,
-          contributingFeatures: contributingNames
-        });
-      }
+      const warning = this.buildCategoryWarning(
+        category,
+        af,
+        criticalWindow,
+        warningWindow,
+        horizon
+      );
+      if (warning) warnings.push(warning);
     }
     return warnings;
   }
+  buildCategoryWarning(category, af, criticalWindow, warningWindow, horizon) {
+    const forecast = af.adjusted;
+    const crossing = forecast.thresholdCrossingWeeks;
+    if (crossing === null || crossing <= 0) return null;
+    const isHighConfidence = forecast.confidence === "high" || forecast.confidence === "medium";
+    let severity = null;
+    if (crossing <= criticalWindow && isHighConfidence) {
+      severity = "critical";
+    } else if (crossing <= warningWindow && isHighConfidence) {
+      severity = "warning";
+    } else if (crossing <= horizon) {
+      severity = "info";
+    }
+    if (!severity) return null;
+    return {
+      severity,
+      category,
+      message: `${category} projected to exceed threshold (~${crossing}w, ${forecast.confidence} confidence)`,
+      weeksUntil: crossing,
+      confidence: forecast.confidence,
+      contributingFeatures: af.contributingFeatures.map((f) => f.name)
+    };
+  }
   /**
    * Compute composite stability forecast by projecting per-category values
    * forward and computing stability scores at each horizon.
@@ -7752,14 +7882,9 @@ var PredictionEngine = class {
       const raw = fs5.readFileSync(roadmapPath, "utf-8");
       const parseResult = parseRoadmap(raw);
       if (!parseResult.ok) return null;
-      const features = [];
-      for (const milestone of parseResult.value.milestones) {
-        for (const feature of milestone.features) {
-          if (feature.status === "planned" || feature.status === "in-progress") {
-            features.push({ name: feature.name, spec: feature.spec });
-          }
-        }
-      }
+      const features = parseResult.value.milestones.flatMap(
+        (m) => m.features.filter((f) => f.status === "planned" || f.status === "in-progress").map((f) => ({ name: f.name, spec: f.spec }))
+      );
       if (features.length === 0) return null;
       return this.estimator.estimateAll(features);
     } catch {
@@ -8410,7 +8535,7 @@ async function saveState(projectPath, state, stream, session) {
 // src/state/learnings-content.ts
 var fs11 = __toESM(require("fs"));
 var path8 = __toESM(require("path"));
-var crypto = __toESM(require("crypto"));
+var crypto2 = __toESM(require("crypto"));
 function parseFrontmatter2(line) {
   const match = line.match(/^<!--\s+hash:([a-f0-9]+)(?:\s+tags:([^\s]+))?\s+-->/);
   if (!match) return null;
@@ -8438,7 +8563,7 @@ function extractIndexEntry(entry) {
   };
 }
 function computeEntryHash(text) {
-  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 8);
+  return crypto2.createHash("sha256").update(text).digest("hex").slice(0, 8);
 }
 function normalizeLearningContent(text) {
   let normalized = text;
@@ -8453,7 +8578,7 @@ function normalizeLearningContent(text) {
   return normalized;
 }
 function computeContentHash(text) {
-  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
+  return crypto2.createHash("sha256").update(text).digest("hex").slice(0, 16);
 }
 function loadContentHashes(stateDir) {
   const hashesPath = path8.join(stateDir, CONTENT_HASHES_FILE);
@@ -8593,7 +8718,7 @@ async function loadRelevantLearnings(projectPath, skillName, stream, session) {
 // src/state/learnings.ts
 var fs13 = __toESM(require("fs"));
 var path10 = __toESM(require("path"));
-var crypto2 = __toESM(require("crypto"));
+var crypto3 = __toESM(require("crypto"));
 async function appendLearning(projectPath, learning, skillName, outcome, stream, session) {
   try {
     const dirResult = await getStateDir(projectPath, stream, session);
@@ -8630,7 +8755,7 @@ async function appendLearning(projectPath, learning, skillName, outcome, stream,
     } else {
       bulletLine = `- **${timestamp}:** ${learning}`;
     }
-    const hash = crypto2.createHash("sha256").update(bulletLine).digest("hex").slice(0, 8);
+    const hash = crypto3.createHash("sha256").update(bulletLine).digest("hex").slice(0, 8);
     const tagsStr = fmTags.length > 0 ? ` tags:${fmTags.join(",")}` : "";
     const frontmatter = `<!-- hash:${hash}${tagsStr} -->`;
     const entry = `
@@ -9341,7 +9466,7 @@ async function updateSessionEntryStatus(projectPath, sessionSlug, section, entry
 }
 function generateEntryId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 8);
+  const random = Buffer.from(crypto.getRandomValues(new Uint8Array(4))).toString("hex");
   return `${timestamp}-${random}`;
 }
 
@@ -9486,15 +9611,25 @@ async function loadEvents(projectPath, options) {
     );
   }
 }
+function phaseTransitionFields(data) {
+  return {
+    from: data?.from ?? "?",
+    to: data?.to ?? "?",
+    suffix: data?.taskCount ? ` (${data.taskCount} tasks)` : ""
+  };
+}
 function formatPhaseTransition(event) {
   const data = event.data;
-  const suffix = data?.taskCount ? ` (${data.taskCount} tasks)` : "";
-  return `phase: ${data?.from ?? "?"} -> ${data?.to ?? "?"}${suffix}`;
+  const { from, to, suffix } = phaseTransitionFields(data);
+  return `phase: ${from} -> ${to}${suffix}`;
+}
+function formatGateChecks(checks) {
+  return checks?.map((c) => `${c.name} ${c.passed ? "Y" : "N"}`).join(", ");
 }
 function formatGateResult(event) {
   const data = event.data;
   const status = data?.passed ? "passed" : "failed";
-  const checks = data?.checks?.map((c) => `${c.name} ${c.passed ? "Y" : "N"}`).join(", ");
+  const checks = formatGateChecks(data?.checks);
   return checks ? `gate: ${status} (${checks})` : `gate: ${status}`;
 }
 function formatHandoffDetail(event) {
@@ -9770,34 +9905,36 @@ function resolveRuleSeverity(ruleId, defaultSeverity, overrides, strict) {
 // src/security/stack-detector.ts
 var fs22 = __toESM(require("fs"));
 var path19 = __toESM(require("path"));
-function detectStack(projectRoot) {
-  const stacks = [];
+function nodeSubStacks(allDeps) {
+  const found = [];
+  if (allDeps.react || allDeps["react-dom"]) found.push("react");
+  if (allDeps.express) found.push("express");
+  if (allDeps.koa) found.push("koa");
+  if (allDeps.fastify) found.push("fastify");
+  if (allDeps.next) found.push("next");
+  if (allDeps.vue) found.push("vue");
+  if (allDeps.angular || allDeps["@angular/core"]) found.push("angular");
+  return found;
+}
+function detectNodeStacks(projectRoot) {
   const pkgJsonPath = path19.join(projectRoot, "package.json");
-  if (fs22.existsSync(pkgJsonPath)) {
-    stacks.push("node");
-    try {
-      const pkgJson = JSON.parse(fs22.readFileSync(pkgJsonPath, "utf-8"));
-      const allDeps = {
-        ...pkgJson.dependencies,
-        ...pkgJson.devDependencies
-      };
-      if (allDeps.react || allDeps["react-dom"]) stacks.push("react");
-      if (allDeps.express) stacks.push("express");
-      if (allDeps.koa) stacks.push("koa");
-      if (allDeps.fastify) stacks.push("fastify");
-      if (allDeps.next) stacks.push("next");
-      if (allDeps.vue) stacks.push("vue");
-      if (allDeps.angular || allDeps["@angular/core"]) stacks.push("angular");
-    } catch {
-    }
+  if (!fs22.existsSync(pkgJsonPath)) return [];
+  const stacks = ["node"];
+  try {
+    const pkgJson = JSON.parse(fs22.readFileSync(pkgJsonPath, "utf-8"));
+    const allDeps = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
+    stacks.push(...nodeSubStacks(allDeps));
+  } catch {
   }
-  const goModPath = path19.join(projectRoot, "go.mod");
-  if (fs22.existsSync(goModPath)) {
+  return stacks;
+}
+function detectStack(projectRoot) {
+  const stacks = [...detectNodeStacks(projectRoot)];
+  if (fs22.existsSync(path19.join(projectRoot, "go.mod"))) {
     stacks.push("go");
   }
-  const requirementsPath = path19.join(projectRoot, "requirements.txt");
-  const pyprojectPath = path19.join(projectRoot, "pyproject.toml");
-  if (fs22.existsSync(requirementsPath) || fs22.existsSync(pyprojectPath)) {
+  const hasPython = fs22.existsSync(path19.join(projectRoot, "requirements.txt")) || fs22.existsSync(path19.join(projectRoot, "pyproject.toml"));
+  if (hasPython) {
     stacks.push("python");
   }
   return stacks;
@@ -10641,6 +10778,56 @@ var SecurityScanner = class {
     });
     return this.scanLinesWithRules(lines, applicableRules, filePath, startLine);
   }
+  /** Build a finding for a suppression comment that is missing its justification. */
+  buildSuppressionFinding(rule, filePath, lineNumber, line) {
+    return {
+      ruleId: rule.id,
+      ruleName: rule.name,
+      category: rule.category,
+      severity: this.config.strict ? "error" : "warning",
+      confidence: "high",
+      file: filePath,
+      line: lineNumber,
+      match: line.trim(),
+      context: line,
+      message: `Suppression of ${rule.id} requires justification: // harness-ignore ${rule.id}: <reason>`,
+      remediation: `Add justification after colon: // harness-ignore ${rule.id}: false positive because ...`
+    };
+  }
+  /** Check one line against a rule's patterns; return a finding or null. */
+  matchRuleLine(rule, resolved, filePath, lineNumber, line) {
+    for (const pattern of rule.patterns) {
+      pattern.lastIndex = 0;
+      if (!pattern.test(line)) continue;
+      return {
+        ruleId: rule.id,
+        ruleName: rule.name,
+        category: rule.category,
+        severity: resolved,
+        confidence: rule.confidence,
+        file: filePath,
+        line: lineNumber,
+        match: line.trim(),
+        context: line,
+        message: rule.message,
+        remediation: rule.remediation,
+        ...rule.references ? { references: rule.references } : {}
+      };
+    }
+    return null;
+  }
+  /** Scan a single line against a resolved rule; push any findings into the array. */
+  scanLineForRule(rule, resolved, line, lineNumber, filePath, findings) {
+    const suppressionMatch = parseHarnessIgnore(line, rule.id);
+    if (suppressionMatch) {
+      if (!suppressionMatch.justification) {
+        findings.push(this.buildSuppressionFinding(rule, filePath, lineNumber, line));
+      }
+      return;
+    }
+    const finding = this.matchRuleLine(rule, resolved, filePath, lineNumber, line);
+    if (finding) findings.push(finding);
+  }
   /**
    * Core scanning loop shared by scanContent and scanContentForFile.
    * Evaluates each rule against each line, handling suppression (FP gate)
@@ -10657,46 +10844,7 @@ var SecurityScanner = class {
       );
       if (resolved === "off") continue;
       for (let i = 0; i < lines.length; i++) {
-        const line = lines[i] ?? "";
-        const suppressionMatch = parseHarnessIgnore(line, rule.id);
-        if (suppressionMatch) {
-          if (!suppressionMatch.justification) {
-            findings.push({
-              ruleId: rule.id,
-              ruleName: rule.name,
-              category: rule.category,
-              severity: this.config.strict ? "error" : "warning",
-              confidence: "high",
-              file: filePath,
-              line: startLine + i,
-              match: line.trim(),
-              context: line,
-              message: `Suppression of ${rule.id} requires justification: // harness-ignore ${rule.id}: <reason>`,
-              remediation: `Add justification after colon: // harness-ignore ${rule.id}: false positive because ...`
-            });
-          }
-          continue;
-        }
-        for (const pattern of rule.patterns) {
-          pattern.lastIndex = 0;
-          if (pattern.test(line)) {
-            findings.push({
-              ruleId: rule.id,
-              ruleName: rule.name,
-              category: rule.category,
-              severity: resolved,
-              confidence: rule.confidence,
-              file: filePath,
-              line: startLine + i,
-              match: line.trim(),
-              context: line,
-              message: rule.message,
-              remediation: rule.remediation,
-              ...rule.references ? { references: rule.references } : {}
-            });
-            break;
-          }
-        }
+        this.scanLineForRule(rule, resolved, lines[i] ?? "", startLine + i, filePath, findings);
       }
     }
     return findings;
@@ -12114,39 +12262,32 @@ function extractConventionRules(bundle) {
       }
     }
   }
-  return rules;
-}
-function findMissingJsDoc(bundle) {
-  const missing = [];
-  for (const cf of bundle.changedFiles) {
-    const lines = cf.content.split("\n");
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      const exportMatch = line.match(
-        /export\s+(?:async\s+)?(?:function|const|class|interface|type)\s+(\w+)/
-      );
-      if (exportMatch) {
-        let hasJsDoc = false;
-        for (let j = i - 1; j >= 0; j--) {
-          const prev = lines[j].trim();
-          if (prev === "") continue;
-          if (prev.endsWith("*/")) {
-            hasJsDoc = true;
-          }
-          break;
-        }
-        if (!hasJsDoc) {
-          missing.push({
-            file: cf.path,
-            line: i + 1,
-            exportName: exportMatch[1]
-          });
-        }
-      }
-    }
-  }
+  return rules;
+}
+var EXPORT_RE = /export\s+(?:async\s+)?(?:function|const|class|interface|type)\s+(\w+)/;
+function hasPrecedingJsDoc(lines, i) {
+  for (let j = i - 1; j >= 0; j--) {
+    const prev = lines[j].trim();
+    if (prev === "") continue;
+    return prev.endsWith("*/");
+  }
+  return false;
+}
+function scanFileForMissingJsDoc(filePath, lines) {
+  const missing = [];
+  for (let i = 0; i < lines.length; i++) {
+    const exportMatch = lines[i].match(EXPORT_RE);
+    if (exportMatch && !hasPrecedingJsDoc(lines, i)) {
+      missing.push({ file: filePath, line: i + 1, exportName: exportMatch[1] });
+    }
+  }
   return missing;
 }
+function findMissingJsDoc(bundle) {
+  return bundle.changedFiles.flatMap(
+    (cf) => scanFileForMissingJsDoc(cf.path, cf.content.split("\n"))
+  );
+}
 function checkMissingJsDoc(bundle, rules) {
   const jsDocRule = rules.find((r) => r.text.toLowerCase().includes("jsdoc"));
   if (!jsDocRule) return [];
@@ -12211,29 +12352,27 @@ function checkChangeTypeSpecific(bundle) {
       return [];
   }
 }
+function checkFileResultTypeConvention(cf, bundle, rule) {
+  const hasTryCatch = cf.content.includes("try {") || cf.content.includes("try{");
+  const usesResult = cf.content.includes("Result<") || cf.content.includes("Result >") || cf.content.includes(": Result");
+  if (!hasTryCatch || usesResult) return null;
+  return {
+    id: makeFindingId("compliance", cf.path, 1, "try-catch not Result"),
+    file: cf.path,
+    lineRange: [1, cf.lines],
+    domain: "compliance",
+    severity: "suggestion",
+    title: "Fallible operation uses try/catch instead of Result type",
+    rationale: `Convention requires using Result type for fallible operations (from ${rule.source}).`,
+    suggestion: "Refactor error handling to use the Result type pattern.",
+    evidence: [`changeType: ${bundle.changeType}`, `Convention rule: "${rule.text}"`],
+    validatedBy: "heuristic"
+  };
+}
 function checkResultTypeConvention(bundle, rules) {
   const resultTypeRule = rules.find((r) => r.text.toLowerCase().includes("result type"));
   if (!resultTypeRule) return [];
-  const findings = [];
-  for (const cf of bundle.changedFiles) {
-    const hasTryCatch = cf.content.includes("try {") || cf.content.includes("try{");
-    const usesResult = cf.content.includes("Result<") || cf.content.includes("Result >") || cf.content.includes(": Result");
-    if (hasTryCatch && !usesResult) {
-      findings.push({
-        id: makeFindingId("compliance", cf.path, 1, "try-catch not Result"),
-        file: cf.path,
-        lineRange: [1, cf.lines],
-        domain: "compliance",
-        severity: "suggestion",
-        title: "Fallible operation uses try/catch instead of Result type",
-        rationale: `Convention requires using Result type for fallible operations (from ${resultTypeRule.source}).`,
-        suggestion: "Refactor error handling to use the Result type pattern.",
-        evidence: [`changeType: ${bundle.changeType}`, `Convention rule: "${resultTypeRule.text}"`],
-        validatedBy: "heuristic"
-      });
-    }
-  }
-  return findings;
+  return bundle.changedFiles.map((cf) => checkFileResultTypeConvention(cf, bundle, resultTypeRule)).filter((f) => f !== null);
 }
 function runComplianceAgent(bundle) {
   const rules = extractConventionRules(bundle);
@@ -12259,53 +12398,58 @@ var BUG_DETECTION_DESCRIPTOR = {
     "Test coverage \u2014 tests for happy path, error paths, and edge cases"
   ]
 };
+function hasPrecedingZeroCheck(lines, i) {
+  const preceding = lines.slice(Math.max(0, i - 3), i).join("\n");
+  return preceding.includes("=== 0") || preceding.includes("!== 0") || preceding.includes("== 0") || preceding.includes("!= 0");
+}
 function detectDivisionByZero(bundle) {
   const findings = [];
   for (const cf of bundle.changedFiles) {
     const lines = cf.content.split("\n");
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i];
-      if (line.match(/[^=!<>]\s*\/\s*[a-zA-Z_]\w*/) && !line.includes("//")) {
-        const preceding = lines.slice(Math.max(0, i - 3), i).join("\n");
-        if (!preceding.includes("=== 0") && !preceding.includes("!== 0") && !preceding.includes("== 0") && !preceding.includes("!= 0")) {
-          findings.push({
-            id: makeFindingId("bug", cf.path, i + 1, "division by zero"),
-            file: cf.path,
-            lineRange: [i + 1, i + 1],
-            domain: "bug",
-            severity: "important",
-            title: "Potential division by zero without guard",
-            rationale: "Division operation found without a preceding zero check on the divisor. This can cause Infinity or NaN at runtime.",
-            suggestion: "Add a check for zero before dividing, or use a safe division utility.",
-            evidence: [`Line ${i + 1}: ${line.trim()}`],
-            validatedBy: "heuristic"
-          });
-        }
-      }
+      if (!line.match(/[^=!<>]\s*\/\s*[a-zA-Z_]\w*/) || line.includes("//")) continue;
+      if (hasPrecedingZeroCheck(lines, i)) continue;
+      findings.push({
+        id: makeFindingId("bug", cf.path, i + 1, "division by zero"),
+        file: cf.path,
+        lineRange: [i + 1, i + 1],
+        domain: "bug",
+        severity: "important",
+        title: "Potential division by zero without guard",
+        rationale: "Division operation found without a preceding zero check on the divisor. This can cause Infinity or NaN at runtime.",
+        suggestion: "Add a check for zero before dividing, or use a safe division utility.",
+        evidence: [`Line ${i + 1}: ${line.trim()}`],
+        validatedBy: "heuristic"
+      });
     }
   }
   return findings;
 }
+function isEmptyCatch(lines, i) {
+  const line = lines[i];
+  if (line.match(/catch\s*\([^)]*\)\s*\{\s*\}/)) return true;
+  return line.match(/catch\s*\([^)]*\)\s*\{/) !== null && i + 1 < lines.length && lines[i + 1].trim() === "}";
+}
 function detectEmptyCatch(bundle) {
   const findings = [];
   for (const cf of bundle.changedFiles) {
     const lines = cf.content.split("\n");
     for (let i = 0; i < lines.length; i++) {
+      if (!isEmptyCatch(lines, i)) continue;
       const line = lines[i];
-      if (line.match(/catch\s*\([^)]*\)\s*\{\s*\}/) || line.match(/catch\s*\([^)]*\)\s*\{/) && i + 1 < lines.length && lines[i + 1].trim() === "}") {
-        findings.push({
-          id: makeFindingId("bug", cf.path, i + 1, "empty catch block"),
-          file: cf.path,
-          lineRange: [i + 1, i + 2],
-          domain: "bug",
-          severity: "important",
-          title: "Empty catch block silently swallows error",
-          rationale: "Catching an error without handling, logging, or re-throwing it hides failures and makes debugging difficult.",
-          suggestion: "Log the error, re-throw it, or handle it explicitly. If intentionally ignoring, add a comment explaining why.",
-          evidence: [`Line ${i + 1}: ${line.trim()}`],
-          validatedBy: "heuristic"
-        });
-      }
+      findings.push({
+        id: makeFindingId("bug", cf.path, i + 1, "empty catch block"),
+        file: cf.path,
+        lineRange: [i + 1, i + 2],
+        domain: "bug",
+        severity: "important",
+        title: "Empty catch block silently swallows error",
+        rationale: "Catching an error without handling, logging, or re-throwing it hides failures and makes debugging difficult.",
+        suggestion: "Log the error, re-throw it, or handle it explicitly. If intentionally ignoring, add a comment explaining why.",
+        evidence: [`Line ${i + 1}: ${line.trim()}`],
+        validatedBy: "heuristic"
+      });
     }
   }
   return findings;
@@ -12363,34 +12507,102 @@ var SECRET_PATTERNS = [
 ];
 var SQL_CONCAT_PATTERN = /(?:SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)\s+.*?\+\s*\w+|`[^`]*\$\{[^}]*\}[^`]*(?:SELECT|INSERT|UPDATE|DELETE|WHERE)/i;
 var SHELL_EXEC_PATTERN = /(?:exec|execSync|spawn|spawnSync)\s*\(\s*`[^`]*\$\{/;
+function makeEvalFinding(file, lineNum, line) {
+  return {
+    id: makeFindingId("security", file, lineNum, "eval usage CWE-94"),
+    file,
+    lineRange: [lineNum, lineNum],
+    domain: "security",
+    severity: "critical",
+    title: `Dangerous ${"eval"}() or new ${"Function"}() usage`,
+    rationale: `${"eval"}() and new ${"Function"}() execute arbitrary code. If user input reaches these calls, it enables Remote Code Execution (CWE-94).`,
+    suggestion: "Replace eval/Function with a safe alternative (JSON.parse for data, a sandboxed evaluator for expressions).",
+    evidence: [`Line ${lineNum}: ${line.trim()}`],
+    validatedBy: "heuristic",
+    cweId: "CWE-94",
+    owaspCategory: "A03:2021 Injection",
+    confidence: "high",
+    remediation: "Replace eval/Function with a safe alternative (JSON.parse for data, a sandboxed evaluator for expressions).",
+    references: [
+      "https://cwe.mitre.org/data/definitions/94.html",
+      "https://owasp.org/Top10/A03_2021-Injection/"
+    ]
+  };
+}
+function makeSecretFinding(file, lineNum) {
+  return {
+    id: makeFindingId("security", file, lineNum, "hardcoded secret CWE-798"),
+    file,
+    lineRange: [lineNum, lineNum],
+    domain: "security",
+    severity: "critical",
+    title: "Hardcoded secret or API key detected",
+    rationale: "Hardcoded secrets in source code can be extracted from version history even after removal. Use environment variables or a secrets manager (CWE-798).",
+    suggestion: "Move the secret to an environment variable and access it via process.env.",
+    evidence: [`Line ${lineNum}: [secret detected \u2014 value redacted]`],
+    validatedBy: "heuristic",
+    cweId: "CWE-798",
+    owaspCategory: "A07:2021 Identification and Authentication Failures",
+    confidence: "high",
+    remediation: "Move the secret to an environment variable and access it via process.env.",
+    references: [
+      "https://cwe.mitre.org/data/definitions/798.html",
+      "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
+    ]
+  };
+}
+function makeSqlFinding(file, lineNum, line) {
+  return {
+    id: makeFindingId("security", file, lineNum, "SQL injection CWE-89"),
+    file,
+    lineRange: [lineNum, lineNum],
+    domain: "security",
+    severity: "critical",
+    title: "Potential SQL injection via string concatenation",
+    rationale: "Building SQL queries with string concatenation or template literals allows attackers to inject malicious SQL (CWE-89).",
+    suggestion: "Use parameterized queries or a query builder (e.g., Knex, Prisma) instead of string concatenation.",
+    evidence: [`Line ${lineNum}: ${line.trim()}`],
+    validatedBy: "heuristic",
+    cweId: "CWE-89",
+    owaspCategory: "A03:2021 Injection",
+    confidence: "high",
+    remediation: "Use parameterized queries or a query builder (e.g., Knex, Prisma) instead of string concatenation.",
+    references: [
+      "https://cwe.mitre.org/data/definitions/89.html",
+      "https://owasp.org/Top10/A03_2021-Injection/"
+    ]
+  };
+}
+function makeCommandFinding(file, lineNum, line) {
+  return {
+    id: makeFindingId("security", file, lineNum, "command injection CWE-78"),
+    file,
+    lineRange: [lineNum, lineNum],
+    domain: "security",
+    severity: "critical",
+    title: "Potential command injection via shell exec with interpolation",
+    rationale: "Using exec/spawn with template literal interpolation allows attackers to inject shell commands (CWE-78).",
+    suggestion: "Use execFile or spawn with an arguments array instead of shell string interpolation.",
+    evidence: [`Line ${lineNum}: ${line.trim()}`],
+    validatedBy: "heuristic",
+    cweId: "CWE-78",
+    owaspCategory: "A03:2021 Injection",
+    confidence: "high",
+    remediation: "Use execFile or spawn with an arguments array instead of shell string interpolation.",
+    references: [
+      "https://cwe.mitre.org/data/definitions/78.html",
+      "https://owasp.org/Top10/A03_2021-Injection/"
+    ]
+  };
+}
 function detectEvalUsage(bundle) {
   const findings = [];
   for (const cf of bundle.changedFiles) {
     const lines = cf.content.split("\n");
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i];
-      if (EVAL_PATTERN.test(line)) {
-        findings.push({
-          id: makeFindingId("security", cf.path, i + 1, "eval usage CWE-94"),
-          file: cf.path,
-          lineRange: [i + 1, i + 1],
-          domain: "security",
-          severity: "critical",
-          title: `Dangerous ${"eval"}() or new ${"Function"}() usage`,
-          rationale: `${"eval"}() and new ${"Function"}() execute arbitrary code. If user input reaches these calls, it enables Remote Code Execution (CWE-94).`,
-          suggestion: "Replace eval/Function with a safe alternative (JSON.parse for data, a sandboxed evaluator for expressions).",
-          evidence: [`Line ${i + 1}: ${line.trim()}`],
-          validatedBy: "heuristic",
-          cweId: "CWE-94",
-          owaspCategory: "A03:2021 Injection",
-          confidence: "high",
-          remediation: "Replace eval/Function with a safe alternative (JSON.parse for data, a sandboxed evaluator for expressions).",
-          references: [
-            "https://cwe.mitre.org/data/definitions/94.html",
-            "https://owasp.org/Top10/A03_2021-Injection/"
-          ]
-        });
-      }
+      if (!EVAL_PATTERN.test(line)) continue;
+      findings.push(makeEvalFinding(cf.path, i + 1, line));
     }
   }
   return findings;
@@ -12402,31 +12614,9 @@ function detectHardcodedSecrets(bundle) {
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i];
       const codePart = line.includes("//") ? line.slice(0, line.indexOf("//")) : line;
-      for (const pattern of SECRET_PATTERNS) {
-        if (pattern.test(codePart)) {
-          findings.push({
-            id: makeFindingId("security", cf.path, i + 1, "hardcoded secret CWE-798"),
-            file: cf.path,
-            lineRange: [i + 1, i + 1],
-            domain: "security",
-            severity: "critical",
-            title: "Hardcoded secret or API key detected",
-            rationale: "Hardcoded secrets in source code can be extracted from version history even after removal. Use environment variables or a secrets manager (CWE-798).",
-            suggestion: "Move the secret to an environment variable and access it via process.env.",
-            evidence: [`Line ${i + 1}: [secret detected \u2014 value redacted]`],
-            validatedBy: "heuristic",
-            cweId: "CWE-798",
-            owaspCategory: "A07:2021 Identification and Authentication Failures",
-            confidence: "high",
-            remediation: "Move the secret to an environment variable and access it via process.env.",
-            references: [
-              "https://cwe.mitre.org/data/definitions/798.html",
-              "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
-            ]
-          });
-          break;
-        }
-      }
+      const matched = SECRET_PATTERNS.some((p) => p.test(codePart));
+      if (!matched) continue;
+      findings.push(makeSecretFinding(cf.path, i + 1));
     }
   }
   return findings;
@@ -12437,28 +12627,8 @@ function detectSqlInjection(bundle) {
     const lines = cf.content.split("\n");
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i];
-      if (SQL_CONCAT_PATTERN.test(line)) {
-        findings.push({
-          id: makeFindingId("security", cf.path, i + 1, "SQL injection CWE-89"),
-          file: cf.path,
-          lineRange: [i + 1, i + 1],
-          domain: "security",
-          severity: "critical",
-          title: "Potential SQL injection via string concatenation",
-          rationale: "Building SQL queries with string concatenation or template literals allows attackers to inject malicious SQL (CWE-89).",
-          suggestion: "Use parameterized queries or a query builder (e.g., Knex, Prisma) instead of string concatenation.",
-          evidence: [`Line ${i + 1}: ${line.trim()}`],
-          validatedBy: "heuristic",
-          cweId: "CWE-89",
-          owaspCategory: "A03:2021 Injection",
-          confidence: "high",
-          remediation: "Use parameterized queries or a query builder (e.g., Knex, Prisma) instead of string concatenation.",
-          references: [
-            "https://cwe.mitre.org/data/definitions/89.html",
-            "https://owasp.org/Top10/A03_2021-Injection/"
-          ]
-        });
-      }
+      if (!SQL_CONCAT_PATTERN.test(line)) continue;
+      findings.push(makeSqlFinding(cf.path, i + 1, line));
     }
   }
   return findings;
@@ -12469,28 +12639,8 @@ function detectCommandInjection(bundle) {
     const lines = cf.content.split("\n");
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i];
-      if (SHELL_EXEC_PATTERN.test(line)) {
-        findings.push({
-          id: makeFindingId("security", cf.path, i + 1, "command injection CWE-78"),
-          file: cf.path,
-          lineRange: [i + 1, i + 1],
-          domain: "security",
-          severity: "critical",
-          title: "Potential command injection via shell exec with interpolation",
-          rationale: "Using exec/spawn with template literal interpolation allows attackers to inject shell commands (CWE-78).",
-          suggestion: "Use execFile or spawn with an arguments array instead of shell string interpolation.",
-          evidence: [`Line ${i + 1}: ${line.trim()}`],
-          validatedBy: "heuristic",
-          cweId: "CWE-78",
-          owaspCategory: "A03:2021 Injection",
-          confidence: "high",
-          remediation: "Use execFile or spawn with an arguments array instead of shell string interpolation.",
-          references: [
-            "https://cwe.mitre.org/data/definitions/78.html",
-            "https://owasp.org/Top10/A03_2021-Injection/"
-          ]
-        });
-      }
+      if (!SHELL_EXEC_PATTERN.test(line)) continue;
+      findings.push(makeCommandFinding(cf.path, i + 1, line));
     }
   }
   return findings;
@@ -12523,10 +12673,15 @@ function isViolationLine(line) {
   const lower = line.toLowerCase();
   return lower.includes("violation") || lower.includes("layer");
 }
-function createLayerViolationFinding(line, fallbackPath) {
-  const fileMatch = line.match(/(?:in\s+)?(\S+\.(?:ts|tsx|js|jsx))(?::(\d+))?/);
+var VIOLATION_FILE_RE = /(?:in\s+)?(\S+\.(?:ts|tsx|js|jsx))(?::(\d+))?/;
+function extractViolationLocation(line, fallbackPath) {
+  const fileMatch = line.match(VIOLATION_FILE_RE);
   const file = fileMatch?.[1] ?? fallbackPath;
   const lineNum = fileMatch?.[2] ? parseInt(fileMatch[2], 10) : 1;
+  return { file, lineNum };
+}
+function createLayerViolationFinding(line, fallbackPath) {
+  const { file, lineNum } = extractViolationLocation(line, fallbackPath);
   return {
     id: makeFindingId("arch", file, lineNum, "layer violation"),
     file,
@@ -12699,6 +12854,26 @@ function normalizePath(filePath, projectRoot) {
   }
   return normalized;
 }
+function resolveImportPath3(currentFile, importPath) {
+  const dir = path23.dirname(currentFile);
+  let resolved = path23.join(dir, importPath).replace(/\\/g, "/");
+  if (!resolved.match(/\.(ts|tsx|js|jsx)$/)) {
+    resolved += ".ts";
+  }
+  return path23.normalize(resolved).replace(/\\/g, "/");
+}
+function enqueueImports(content, current, visited, queue, maxDepth) {
+  const importRegex = /import\s+.*?from\s+['"]([^'"]+)['"]/g;
+  let match;
+  while ((match = importRegex.exec(content)) !== null) {
+    const importPath = match[1];
+    if (!importPath.startsWith(".")) continue;
+    const resolved = resolveImportPath3(current.file, importPath);
+    if (!visited.has(resolved) && current.depth + 1 <= maxDepth) {
+      queue.push({ file: resolved, depth: current.depth + 1 });
+    }
+  }
+}
 function followImportChain(fromFile, fileContents, maxDepth = 2) {
   const visited = /* @__PURE__ */ new Set();
   const queue = [{ file: fromFile, depth: 0 }];
@@ -12708,82 +12883,63 @@ function followImportChain(fromFile, fileContents, maxDepth = 2) {
     visited.add(current.file);
     const content = fileContents.get(current.file);
     if (!content) continue;
-    const importRegex = /import\s+.*?from\s+['"]([^'"]+)['"]/g;
-    let match;
-    while ((match = importRegex.exec(content)) !== null) {
-      const importPath = match[1];
-      if (!importPath.startsWith(".")) continue;
-      const dir = path23.dirname(current.file);
-      let resolved = path23.join(dir, importPath).replace(/\\/g, "/");
-      if (!resolved.match(/\.(ts|tsx|js|jsx)$/)) {
-        resolved += ".ts";
-      }
-      resolved = path23.normalize(resolved).replace(/\\/g, "/");
-      if (!visited.has(resolved) && current.depth + 1 <= maxDepth) {
-        queue.push({ file: resolved, depth: current.depth + 1 });
-      }
-    }
+    enqueueImports(content, current, visited, queue, maxDepth);
   }
   visited.delete(fromFile);
   return visited;
 }
+function isMechanicallyExcluded(finding, exclusionSet, projectRoot) {
+  const normalizedFile = normalizePath(finding.file, projectRoot);
+  if (exclusionSet.isExcluded(normalizedFile, finding.lineRange)) return true;
+  if (exclusionSet.isExcluded(finding.file, finding.lineRange)) return true;
+  const absoluteFile = path23.isAbsolute(finding.file) ? finding.file : path23.join(projectRoot, finding.file).replace(/\\/g, "/");
+  return exclusionSet.isExcluded(absoluteFile, finding.lineRange);
+}
+async function validateWithGraph(crossFileRefs, graph) {
+  try {
+    for (const ref of crossFileRefs) {
+      const reachable = await graph.isReachable(ref.from, ref.to);
+      if (!reachable) return { result: "discard" };
+    }
+    return { result: "keep" };
+  } catch {
+    return { result: "fallback" };
+  }
+}
+function validateWithHeuristic(finding, crossFileRefs, fileContents, projectRoot) {
+  if (fileContents) {
+    for (const ref of crossFileRefs) {
+      const normalizedFrom = normalizePath(ref.from, projectRoot);
+      const reachable = followImportChain(normalizedFrom, fileContents, 2);
+      const normalizedTo = normalizePath(ref.to, projectRoot);
+      if (reachable.has(normalizedTo)) {
+        return { ...finding, validatedBy: "heuristic" };
+      }
+    }
+  }
+  return {
+    ...finding,
+    severity: DOWNGRADE_MAP[finding.severity],
+    validatedBy: "heuristic"
+  };
+}
+async function processFinding(finding, exclusionSet, graph, projectRoot, fileContents) {
+  if (isMechanicallyExcluded(finding, exclusionSet, projectRoot)) return null;
+  const crossFileRefs = extractCrossFileRefs(finding);
+  if (crossFileRefs.length === 0) return { ...finding };
+  if (graph) {
+    const { result } = await validateWithGraph(crossFileRefs, graph);
+    if (result === "keep") return { ...finding, validatedBy: "graph" };
+    if (result === "discard") return null;
+  }
+  return validateWithHeuristic(finding, crossFileRefs, fileContents, projectRoot);
+}
 async function validateFindings(options) {
   const { findings, exclusionSet, graph, projectRoot, fileContents } = options;
   const validated = [];
   for (const finding of findings) {
-    const normalizedFile = normalizePath(finding.file, projectRoot);
-    if (exclusionSet.isExcluded(normalizedFile, finding.lineRange) || exclusionSet.isExcluded(finding.file, finding.lineRange)) {
-      continue;
-    }
-    const absoluteFile = path23.isAbsolute(finding.file) ? finding.file : path23.join(projectRoot, finding.file).replace(/\\/g, "/");
-    if (exclusionSet.isExcluded(absoluteFile, finding.lineRange)) {
-      continue;
-    }
-    const crossFileRefs = extractCrossFileRefs(finding);
-    if (crossFileRefs.length === 0) {
-      validated.push({ ...finding });
-      continue;
-    }
-    if (graph) {
-      try {
-        let allReachable = true;
-        for (const ref of crossFileRefs) {
-          const reachable = await graph.isReachable(ref.from, ref.to);
-          if (!reachable) {
-            allReachable = false;
-            break;
-          }
-        }
-        if (allReachable) {
-          validated.push({ ...finding, validatedBy: "graph" });
-        }
-        continue;
-      } catch {
-      }
-    }
-    {
-      let chainValidated = false;
-      if (fileContents) {
-        for (const ref of crossFileRefs) {
-          const normalizedFrom = normalizePath(ref.from, projectRoot);
-          const reachable = followImportChain(normalizedFrom, fileContents, 2);
-          const normalizedTo = normalizePath(ref.to, projectRoot);
-          if (reachable.has(normalizedTo)) {
-            chainValidated = true;
-            break;
-          }
-        }
-      }
-      if (chainValidated) {
-        validated.push({ ...finding, validatedBy: "heuristic" });
-      } else {
-        validated.push({
-          ...finding,
-          severity: DOWNGRADE_MAP[finding.severity],
-          validatedBy: "heuristic"
-        });
-      }
-    }
+    const result = await processFinding(finding, exclusionSet, graph, projectRoot, fileContents);
+    if (result !== null) validated.push(result);
   }
   return validated;
 }
@@ -13384,25 +13540,32 @@ function serializeRoadmap(roadmap) {
 function serializeMilestoneHeading(milestone) {
   return milestone.isBacklog ? "## Backlog" : `## ${milestone.name}`;
 }
+function orDash(value) {
+  return value ?? EM_DASH2;
+}
+function listOrDash(items) {
+  return items.length > 0 ? items.join(", ") : EM_DASH2;
+}
+function serializeExtendedLines(feature) {
+  const hasExtended = feature.assignee !== null || feature.priority !== null || feature.externalId !== null;
+  if (!hasExtended) return [];
+  return [
+    `- **Assignee:** ${orDash(feature.assignee)}`,
+    `- **Priority:** ${orDash(feature.priority)}`,
+    `- **External-ID:** ${orDash(feature.externalId)}`
+  ];
+}
 function serializeFeature(feature) {
-  const spec = feature.spec ?? EM_DASH2;
-  const plans = feature.plans.length > 0 ? feature.plans.join(", ") : EM_DASH2;
-  const blockedBy = feature.blockedBy.length > 0 ? feature.blockedBy.join(", ") : EM_DASH2;
   const lines = [
     `### ${feature.name}`,
     "",
     `- **Status:** ${feature.status}`,
-    `- **Spec:** ${spec}`,
+    `- **Spec:** ${orDash(feature.spec)}`,
     `- **Summary:** ${feature.summary}`,
-    `- **Blockers:** ${blockedBy}`,
-    `- **Plan:** ${plans}`
+    `- **Blockers:** ${listOrDash(feature.blockedBy)}`,
+    `- **Plan:** ${listOrDash(feature.plans)}`,
+    ...serializeExtendedLines(feature)
   ];
-  const hasExtended = feature.assignee !== null || feature.priority !== null || feature.externalId !== null;
-  if (hasExtended) {
-    lines.push(`- **Assignee:** ${feature.assignee ?? EM_DASH2}`);
-    lines.push(`- **Priority:** ${feature.priority ?? EM_DASH2}`);
-    lines.push(`- **External-ID:** ${feature.externalId ?? EM_DASH2}`);
-  }
   return lines;
 }
 function serializeAssignmentHistory(records) {
@@ -13436,6 +13599,26 @@ function isRegression(from, to) {
 }
 
 // src/roadmap/sync.ts
+function collectAutopilotStatuses(autopilotPath, featurePlans, allTaskStatuses) {
+  try {
+    const raw = fs24.readFileSync(autopilotPath, "utf-8");
+    const autopilot = JSON.parse(raw);
+    if (!autopilot.phases) return;
+    const linkedPhases = autopilot.phases.filter(
+      (phase) => phase.planPath ? featurePlans.some((p) => p === phase.planPath || phase.planPath.endsWith(p)) : false
+    );
+    for (const phase of linkedPhases) {
+      if (phase.status === "complete") {
+        allTaskStatuses.push("complete");
+      } else if (phase.status === "pending") {
+        allTaskStatuses.push("pending");
+      } else {
+        allTaskStatuses.push("in_progress");
+      }
+    }
+  } catch {
+  }
+}
 function inferStatus(feature, projectPath, allFeatures) {
   if (feature.blockedBy.length > 0) {
     const blockerNotDone = feature.blockedBy.some((blockerName) => {
@@ -13471,26 +13654,7 @@ function inferStatus(feature, projectPath, allFeatures) {
         if (!entry.isDirectory()) continue;
         const autopilotPath = path24.join(sessionsDir, entry.name, "autopilot-state.json");
         if (!fs24.existsSync(autopilotPath)) continue;
-        try {
-          const raw = fs24.readFileSync(autopilotPath, "utf-8");
-          const autopilot = JSON.parse(raw);
-          if (!autopilot.phases) continue;
-          const linkedPhases = autopilot.phases.filter(
-            (phase) => phase.planPath ? feature.plans.some((p) => p === phase.planPath || phase.planPath.endsWith(p)) : false
-          );
-          if (linkedPhases.length > 0) {
-            for (const phase of linkedPhases) {
-              if (phase.status === "complete") {
-                allTaskStatuses.push("complete");
-              } else if (phase.status === "pending") {
-                allTaskStatuses.push("pending");
-              } else {
-                allTaskStatuses.push("in_progress");
-              }
-            }
-          }
-        } catch {
-        }
+        collectAutopilotStatuses(autopilotPath, feature.plans, allTaskStatuses);
       }
     } catch {
     }
@@ -13807,23 +13971,36 @@ var GitHubIssuesSyncAdapter = class {
       return (0, import_types25.Err)(error instanceof Error ? error : new Error(String(error)));
     }
   }
+  buildLabelsParam() {
+    const filterLabels = this.config.labels ?? [];
+    return filterLabels.length > 0 ? `&labels=${filterLabels.join(",")}` : "";
+  }
+  issueToTicketState(issue) {
+    return {
+      externalId: buildExternalId(this.owner, this.repo, issue.number),
+      title: issue.title,
+      status: issue.state,
+      labels: issue.labels.map((l) => l.name),
+      assignee: issue.assignee ? `@${issue.assignee.login}` : null
+    };
+  }
+  async fetchIssuePage(page, labelsParam) {
+    const perPage = 100;
+    return fetchWithRetry(
+      this.fetchFn,
+      `${this.apiBase}/repos/${this.owner}/${this.repo}/issues?state=all&per_page=${perPage}&page=${page}${labelsParam}`,
+      { method: "GET", headers: this.headers() },
+      this.retryOpts
+    );
+  }
   async fetchAllTickets() {
     try {
-      const filterLabels = this.config.labels ?? [];
-      const labelsParam = filterLabels.length > 0 ? `&labels=${filterLabels.join(",")}` : "";
+      const labelsParam = this.buildLabelsParam();
       const tickets = [];
       let page = 1;
       const perPage = 100;
       while (true) {
-        const response = await fetchWithRetry(
-          this.fetchFn,
-          `${this.apiBase}/repos/${this.owner}/${this.repo}/issues?state=all&per_page=${perPage}&page=${page}${labelsParam}`,
-          {
-            method: "GET",
-            headers: this.headers()
-          },
-          this.retryOpts
-        );
+        const response = await this.fetchIssuePage(page, labelsParam);
         if (!response.ok) {
           const text = await response.text();
           return (0, import_types25.Err)(new Error(`GitHub API error ${response.status}: ${text}`));
@@ -13831,13 +14008,7 @@ var GitHubIssuesSyncAdapter = class {
         const data = await response.json();
         const issues = data.filter((d) => !d.pull_request);
         for (const issue of issues) {
-          tickets.push({
-            externalId: buildExternalId(this.owner, this.repo, issue.number),
-            title: issue.title,
-            status: issue.state,
-            labels: issue.labels.map((l) => l.name),
-            assignee: issue.assignee ? `@${issue.assignee.login}` : null
-          });
+          tickets.push(this.issueToTicketState(issue));
         }
         if (data.length < perPage) break;
         page++;
@@ -13932,6 +14103,22 @@ async function syncToExternal(roadmap, adapter, config, prefetchedTickets) {
   }
   return result;
 }
+function applyTicketToFeature(ticketState, feature, config, forceSync, result) {
+  if (ticketState.assignee !== feature.assignee) {
+    result.assignmentChanges.push({
+      feature: feature.name,
+      from: feature.assignee,
+      to: ticketState.assignee
+    });
+    feature.assignee = ticketState.assignee;
+  }
+  const resolvedStatus = resolveReverseStatus(ticketState.status, ticketState.labels, config);
+  if (!resolvedStatus || resolvedStatus === feature.status) return;
+  const newStatus = resolvedStatus;
+  if (!forceSync && isRegression(feature.status, newStatus)) return;
+  if (!forceSync && feature.status === "blocked" && newStatus === "planned") return;
+  feature.status = newStatus;
+}
 async function syncFromExternal(roadmap, adapter, config, options, prefetchedTickets) {
   const result = emptySyncResult();
   const forceSync = options?.forceSync ?? false;
@@ -13958,25 +14145,7 @@ async function syncFromExternal(roadmap, adapter, config, options, prefetchedTic
   for (const ticketState of tickets) {
     const feature = featureByExternalId.get(ticketState.externalId);
     if (!feature) continue;
-    if (ticketState.assignee !== feature.assignee) {
-      result.assignmentChanges.push({
-        feature: feature.name,
-        from: feature.assignee,
-        to: ticketState.assignee
-      });
-      feature.assignee = ticketState.assignee;
-    }
-    const resolvedStatus = resolveReverseStatus(ticketState.status, ticketState.labels, config);
-    if (resolvedStatus && resolvedStatus !== feature.status) {
-      const newStatus = resolvedStatus;
-      if (!forceSync && isRegression(feature.status, newStatus)) {
-        continue;
-      }
-      if (!forceSync && feature.status === "blocked" && newStatus === "planned") {
-        continue;
-      }
-      feature.status = newStatus;
-    }
+    applyTicketToFeature(ticketState, feature, config, forceSync, result);
   }
   return result;
 }
@@ -14024,6 +14193,24 @@ var PRIORITY_RANK = {
 var POSITION_WEIGHT = 0.5;
 var DEPENDENTS_WEIGHT = 0.3;
 var AFFINITY_WEIGHT = 0.2;
+function isEligibleCandidate(feature, allFeatureNames, doneFeatures) {
+  if (feature.status !== "planned" && feature.status !== "backlog") return false;
+  const isBlocked = feature.blockedBy.some((blocker) => {
+    const key = blocker.toLowerCase();
+    return allFeatureNames.has(key) && !doneFeatures.has(key);
+  });
+  return !isBlocked;
+}
+function computeAffinityScore(feature, milestoneName, milestoneMap, userCompletedFeatures) {
+  if (userCompletedFeatures.size === 0) return 0;
+  const completedBlocker = feature.blockedBy.some(
+    (b) => userCompletedFeatures.has(b.toLowerCase())
+  );
+  if (completedBlocker) return 1;
+  const siblings = milestoneMap.get(milestoneName) ?? [];
+  const completedSibling = siblings.some((s) => userCompletedFeatures.has(s));
+  return completedSibling ? 0.5 : 0;
+}
 function scoreRoadmapCandidates(roadmap, options) {
   const allFeatures = roadmap.milestones.flatMap((m) => m.features);
   const allFeatureNames = new Set(allFeatures.map((f) => f.name.toLowerCase()));
@@ -14062,33 +14249,18 @@ function scoreRoadmapCandidates(roadmap, options) {
   const candidates = [];
   let globalPosition = 0;
   for (const ms of roadmap.milestones) {
-    for (let featureIdx = 0; featureIdx < ms.features.length; featureIdx++) {
-      const feature = ms.features[featureIdx];
+    for (const feature of ms.features) {
       globalPosition++;
-      if (feature.status !== "planned" && feature.status !== "backlog") continue;
-      const isBlocked = feature.blockedBy.some((blocker) => {
-        const key = blocker.toLowerCase();
-        return allFeatureNames.has(key) && !doneFeatures.has(key);
-      });
-      if (isBlocked) continue;
+      if (!isEligibleCandidate(feature, allFeatureNames, doneFeatures)) continue;
       const positionScore = 1 - (globalPosition - 1) / totalPositions;
       const deps = dependentsCount.get(feature.name.toLowerCase()) ?? 0;
       const dependentsScore = deps / maxDependents;
-      let affinityScore = 0;
-      if (userCompletedFeatures.size > 0) {
-        const completedBlockers = feature.blockedBy.filter(
-          (b) => userCompletedFeatures.has(b.toLowerCase())
-        );
-        if (completedBlockers.length > 0) {
-          affinityScore = 1;
-        } else {
-          const siblings = milestoneMap.get(ms.name) ?? [];
-          const completedSiblings = siblings.filter((s) => userCompletedFeatures.has(s));
-          if (completedSiblings.length > 0) {
-            affinityScore = 0.5;
-          }
-        }
-      }
+      const affinityScore = computeAffinityScore(
+        feature,
+        ms.name,
+        milestoneMap,
+        userCompletedFeatures
+      );
       const weightedScore = POSITION_WEIGHT * positionScore + DEPENDENTS_WEIGHT * dependentsScore + AFFINITY_WEIGHT * affinityScore;
       const priorityTier = feature.priority ? PRIORITY_RANK[feature.priority] : null;
       candidates.push({
@@ -15150,6 +15322,27 @@ function aggregateByDay(records) {
 // src/usage/jsonl-reader.ts
 var fs30 = __toESM(require("fs"));
 var path29 = __toESM(require("path"));
+function extractTokenUsage(entry, lineNumber) {
+  const tokenUsage = entry.token_usage;
+  if (!tokenUsage || typeof tokenUsage !== "object") {
+    console.warn(
+      `[harness usage] Skipping malformed JSONL line ${lineNumber}: missing token_usage`
+    );
+    return null;
+  }
+  return tokenUsage;
+}
+function applyOptionalFields2(record, entry) {
+  if (entry.cache_creation_tokens != null) {
+    record.cacheCreationTokens = entry.cache_creation_tokens;
+  }
+  if (entry.cache_read_tokens != null) {
+    record.cacheReadTokens = entry.cache_read_tokens;
+  }
+  if (entry.model != null) {
+    record.model = entry.model;
+  }
+}
 function parseLine(line, lineNumber) {
   let entry;
   try {
@@ -15158,13 +15351,8 @@ function parseLine(line, lineNumber) {
     console.warn(`[harness usage] Skipping malformed JSONL line ${lineNumber}`);
     return null;
   }
-  const tokenUsage = entry.token_usage;
-  if (!tokenUsage || typeof tokenUsage !== "object") {
-    console.warn(
-      `[harness usage] Skipping malformed JSONL line ${lineNumber}: missing token_usage`
-    );
-    return null;
-  }
+  const tokenUsage = extractTokenUsage(entry, lineNumber);
+  if (!tokenUsage) return null;
   const inputTokens = tokenUsage.input_tokens ?? 0;
   const outputTokens = tokenUsage.output_tokens ?? 0;
   const record = {
@@ -15176,15 +15364,7 @@ function parseLine(line, lineNumber) {
       totalTokens: inputTokens + outputTokens
     }
   };
-  if (entry.cache_creation_tokens != null) {
-    record.cacheCreationTokens = entry.cache_creation_tokens;
-  }
-  if (entry.cache_read_tokens != null) {
-    record.cacheReadTokens = entry.cache_read_tokens;
-  }
-  if (entry.model != null) {
-    record.model = entry.model;
-  }
+  applyOptionalFields2(record, entry);
   return record;
 }
 function readCostRecords(projectRoot) {
@@ -15219,6 +15399,14 @@ function extractUsage(entry) {
   const usage = message.usage;
   return usage && typeof usage === "object" && !Array.isArray(usage) ? usage : null;
 }
+function applyOptionalCCFields(record, message, usage) {
+  const model = message.model;
+  if (model) record.model = model;
+  const cacheCreate = usage.cache_creation_input_tokens;
+  const cacheRead = usage.cache_read_input_tokens;
+  if (typeof cacheCreate === "number" && cacheCreate > 0) record.cacheCreationTokens = cacheCreate;
+  if (typeof cacheRead === "number" && cacheRead > 0) record.cacheReadTokens = cacheRead;
+}
 function buildRecord(entry, usage) {
   const inputTokens = Number(usage.input_tokens) || 0;
   const outputTokens = Number(usage.output_tokens) || 0;
@@ -15229,12 +15417,7 @@ function buildRecord(entry, usage) {
     tokens: { inputTokens, outputTokens, totalTokens: inputTokens + outputTokens },
     _source: "claude-code"
   };
-  const model = message.model;
-  if (model) record.model = model;
-  const cacheCreate = usage.cache_creation_input_tokens;
-  const cacheRead = usage.cache_read_input_tokens;
-  if (typeof cacheCreate === "number" && cacheCreate > 0) record.cacheCreationTokens = cacheCreate;
-  if (typeof cacheRead === "number" && cacheRead > 0) record.cacheReadTokens = cacheRead;
+  applyOptionalCCFields(record, message, usage);
   return record;
 }
 function parseCCLine(line, filePath, lineNumber) {
@@ -15302,7 +15485,7 @@ function parseCCRecords() {
 }
 
 // src/index.ts
-var VERSION = "0.15.0";
+var VERSION = "0.21.1";
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AGENT_DESCRIPTORS,
@@ -15333,7 +15516,6 @@ var VERSION = "0.15.0";
   ConfirmationSchema,
   ConsoleSink,
   ConstraintRuleSchema,
-  ContentPipeline,
   ContributingFeatureSchema,
   ContributionsSchema,
   CouplingCollector,