@harness-engineering/core 0.28.0 → 0.28.2

package/dist/{analyzer-VY6DJVOU.mjs → analyzer-H3AHBFSL.mjs}

@@ -1,6 +1,6 @@
 import {
   EntropyAnalyzer
-} from "./chunk-BTUDWWB4.mjs";
+} from "./chunk-I2JUTTPH.mjs";
 import "./chunk-MUWJHO2S.mjs";
 import "./chunk-7P6ASYW6.mjs";
 export {

package/dist/{chunk-BTUDWWB4.mjs → chunk-I2JUTTPH.mjs}

@@ -1450,15 +1450,15 @@ function generatePatternSuggestions(report) {
   return suggestions;
 }
 function generateSuggestions(deadCode, drift, patterns) {
-  const suggestions = [];
+  let suggestions = [];
   if (deadCode) {
-    suggestions.push(...generateDeadCodeSuggestions(deadCode));
+    suggestions = suggestions.concat(generateDeadCodeSuggestions(deadCode));
   }
   if (drift) {
-    suggestions.push(...generateDriftSuggestions(drift));
+    suggestions = suggestions.concat(generateDriftSuggestions(drift));
   }
   if (patterns) {
-    suggestions.push(...generatePatternSuggestions(patterns));
+    suggestions = suggestions.concat(generatePatternSuggestions(patterns));
   }
   const priorityOrder = { high: 0, medium: 1, low: 2 };
   suggestions.sort((a, b) => priorityOrder[a.priority] - priorityOrder[b.priority]);

package/dist/index.d.mts

@@ -5874,7 +5874,14 @@ declare class SecurityScanner {
     private buildSuppressionFinding;
     /** Check one line against a rule's patterns; return a finding or null. */
     private matchRuleLine;
-    /** Scan a single line against a resolved rule; push any findings into the array. */
+    /**
+     * Scan a single line against a resolved rule; push any findings into the array.
+     *
+     * Suppression check is two-pass: same line first (trailing-comment style), then the previous
+     * line (the dominant convention: `// harness-ignore` on the line above the flagged code).
+     * Without the prior-line check, every multi-line statement annotated using the over-the-top
+     * convention would slip through and re-trigger the finding.
+     */
     private scanLineForRule;
     /**
      * Core scanning loop shared by scanContent and scanContentForFile.

package/dist/index.d.ts

@@ -5874,7 +5874,14 @@ declare class SecurityScanner {
     private buildSuppressionFinding;
     /** Check one line against a rule's patterns; return a finding or null. */
     private matchRuleLine;
-    /** Scan a single line against a resolved rule; push any findings into the array. */
+    /**
+     * Scan a single line against a resolved rule; push any findings into the array.
+     *
+     * Suppression check is two-pass: same line first (trailing-comment style), then the previous
+     * line (the dominant convention: `// harness-ignore` on the line above the flagged code).
+     * Without the prior-line check, every multi-line statement annotated using the over-the-top
+     * convention would slip through and re-trigger the finding.
+     */
     private scanLineForRule;
     /**
      * Core scanning loop shared by scanContent and scanContentForFile.

package/dist/index.js

@@ -3249,15 +3249,15 @@ function generatePatternSuggestions(report) {
   return suggestions;
 }
 function generateSuggestions(deadCode, drift, patterns) {
-  const suggestions = [];
+  let suggestions = [];
   if (deadCode) {
-    suggestions.push(...generateDeadCodeSuggestions(deadCode));
+    suggestions = suggestions.concat(generateDeadCodeSuggestions(deadCode));
   }
   if (drift) {
-    suggestions.push(...generateDriftSuggestions(drift));
+    suggestions = suggestions.concat(generateDriftSuggestions(drift));
   }
   if (patterns) {
-    suggestions.push(...generatePatternSuggestions(patterns));
+    suggestions = suggestions.concat(generatePatternSuggestions(patterns));
   }
   const priorityOrder = { high: 0, medium: 1, low: 2 };
   suggestions.sort((a, b) => priorityOrder[a.priority] - priorityOrder[b.priority]);
@@ -6102,25 +6102,8 @@ function validateBranchName(branchName, config) {
   }
   if (config.enforceKebabCase) {
     for (const part of slug.split("/")) {
-      const ticketMatch = part.match(TICKET_ID);
-      if (ticketMatch) {
-        const rest = ticketMatch[2];
-        if (rest && !KEBAB_CASE.test(rest)) {
-          return {
-            valid: false,
-            branchName,
-            message: `Branch slug part "${part}" does not follow kebab-case after the ticket ID.`,
-            suggestion: `Ensure the description after "${ticketMatch[1]}" uses kebab-case (lowercase, single hyphens, no leading/trailing hyphen).`
-          };
-        }
-      } else if (!KEBAB_CASE.test(part)) {
-        return {
-          valid: false,
-          branchName,
-          message: `Branch slug part "${part}" must be in kebab-case (lowercase, single hyphens, no leading/trailing hyphen).`,
-          suggestion: `Change "${part}" to match the convention.`
-        };
-      }
+      const kebabFailure = validateKebabSlugPart(part, branchName);
+      if (kebabFailure) return kebabFailure;
     }
   }
   if (typeof config.maxLength === "number" && config.maxLength > 0 && slug.length > config.maxLength) {
@@ -6133,6 +6116,26 @@ function validateBranchName(branchName, config) {
   }
   return { valid: true, branchName };
 }
+function validateKebabSlugPart(part, branchName) {
+  const ticketMatch = part.match(TICKET_ID);
+  if (ticketMatch) {
+    const rest = ticketMatch[2];
+    if (!rest || KEBAB_CASE.test(rest)) return null;
+    return {
+      valid: false,
+      branchName,
+      message: `Branch slug part "${part}" does not follow kebab-case after the ticket ID.`,
+      suggestion: `Ensure the description after "${ticketMatch[1]}" uses kebab-case (lowercase, single hyphens, no leading/trailing hyphen).`
+    };
+  }
+  if (KEBAB_CASE.test(part)) return null;
+  return {
+    valid: false,
+    branchName,
+    message: `Branch slug part "${part}" must be in kebab-case (lowercase, single hyphens, no leading/trailing hyphen).`,
+    suggestion: `Change "${part}" to match the convention.`
+  };
+}
 
 // src/context/doc-coverage.ts
 var import_minimatch2 = require("minimatch");
@@ -8125,15 +8128,21 @@ async function gatherDecayBlock(projectPath) {
   const { TimelineManager: TimelineManager2 } = await Promise.resolve().then(() => (init_timeline_manager(), timeline_manager_exports));
   const mgr = new TimelineManager2(projectPath);
   const trends = mgr.trends();
-  const recentBumps = arrayLen(trends.recentSnapshots);
-  const affected = Array.isArray(trends.topAffected) ? trends.topAffected : [];
-  const topAffected = [];
+  return {
+    recentBumps: arrayLen(trends.recentSnapshots),
+    topAffected: collectTopAffectedLabels(trends.topAffected)
+  };
+}
+var MAX_TOP_AFFECTED = 5;
+function collectTopAffectedLabels(affected) {
+  if (!Array.isArray(affected)) return [];
+  const out = [];
   for (const node of affected) {
     const label = node.id ?? node.name;
-    if (typeof label === "string" && label.length > 0) topAffected.push(label);
-    if (topAffected.length >= 5) break;
+    if (typeof label === "string" && label.length > 0) out.push(label);
+    if (out.length >= MAX_TOP_AFFECTED) break;
   }
-  return { recentBumps, topAffected };
+  return out;
 }
 async function gatherAttentionBlock(projectPath) {
   const sessionsDir = path4.join(projectPath, ".harness", "sessions");
@@ -14639,11 +14648,20 @@ var SecurityScanner = class {
     }
     return null;
   }
-  /** Scan a single line against a resolved rule; push any findings into the array. */
-  scanLineForRule(rule, resolved, line, lineNumber, filePath, findings) {
-    const suppressionMatch = parseHarnessIgnore(line, rule.id);
+  /**
+   * Scan a single line against a resolved rule; push any findings into the array.
+   *
+   * Suppression check is two-pass: same line first (trailing-comment style), then the previous
+   * line (the dominant convention: `// harness-ignore` on the line above the flagged code).
+   * Without the prior-line check, every multi-line statement annotated using the over-the-top
+   * convention would slip through and re-trigger the finding.
+   */
+  scanLineForRule(rule, resolved, line, lineNumber, filePath, findings, priorLine) {
+    const sameLineMatch = parseHarnessIgnore(line, rule.id);
+    const priorLineMatch = !sameLineMatch && priorLine !== void 0 ? parseHarnessIgnore(priorLine, rule.id) : null;
+    const suppressionMatch = sameLineMatch ?? priorLineMatch;
     if (suppressionMatch) {
-      if (!suppressionMatch.justification) {
+      if (!suppressionMatch.justification && sameLineMatch !== null) {
         findings.push(this.buildSuppressionFinding(rule, filePath, lineNumber, line));
       }
       return;
@@ -14667,7 +14685,15 @@ var SecurityScanner = class {
       );
       if (resolved === "off") continue;
       for (let i = 0; i < lines.length; i++) {
-        this.scanLineForRule(rule, resolved, lines[i] ?? "", startLine + i, filePath, findings);
+        this.scanLineForRule(
+          rule,
+          resolved,
+          lines[i] ?? "",
+          startLine + i,
+          filePath,
+          findings,
+          i > 0 ? lines[i - 1] : void 0
+        );
       }
     }
     return findings;
@@ -19782,13 +19808,20 @@ function arraysEqual2(a, b) {
 // src/roadmap/tracker/adapters/github-issues.ts
 function metaFromFeatureFields(src) {
   const meta = {};
-  if (src.spec !== void 0 && src.spec !== null) meta.spec = src.spec;
-  if (src.plans && src.plans.length > 0) meta.plan = src.plans[0];
-  if (src.blockedBy && src.blockedBy.length > 0) meta.blocked_by = src.blockedBy;
-  if (src.priority !== void 0 && src.priority !== null) meta.priority = src.priority;
-  if (src.milestone !== void 0 && src.milestone !== null) meta.milestone = src.milestone;
+  assignNonNullish(meta, "spec", src.spec);
+  if (hasItems(src.plans)) meta.plan = src.plans[0];
+  if (hasItems(src.blockedBy)) meta.blocked_by = src.blockedBy;
+  assignNonNullish(meta, "priority", src.priority);
+  assignNonNullish(meta, "milestone", src.milestone);
   return meta;
 }
+function assignNonNullish(meta, key, value) {
+  if (value === void 0 || value === null) return;
+  meta[key] = value;
+}
+function hasItems(arr) {
+  return Array.isArray(arr) && arr.length > 0;
+}
 function buildCreateMeta(feature) {
   return metaFromFeatureFields(feature);
 }
@@ -20449,33 +20482,42 @@ function featureToNewInput(feature, milestone) {
   return input;
 }
 function metaToPatch(feature, expected) {
-  const patch = {};
-  patch.summary = feature.summary;
-  if (expected.spec !== void 0) patch.spec = expected.spec ?? null;
-  if (expected.plan !== void 0 && expected.plan != null) patch.plans = [expected.plan];
-  if (expected.blocked_by !== void 0) patch.blockedBy = expected.blocked_by ?? [];
-  if (expected.priority !== void 0) patch.priority = expected.priority ?? null;
-  if (expected.milestone !== void 0) patch.milestone = expected.milestone ?? null;
+  const patch = { summary: feature.summary };
+  assignIfPresent(patch, "spec", expected.spec, null);
+  if (expected.plan != null) patch.plans = [expected.plan];
+  assignIfPresent(patch, "blockedBy", expected.blocked_by, []);
+  assignIfPresent(patch, "priority", expected.priority, null);
+  assignIfPresent(patch, "milestone", expected.milestone, null);
   return patch;
 }
+function assignIfPresent(patch, key, value, fallback2) {
+  if (value === void 0) return;
+  patch[key] = value ?? fallback2;
+}
 function formatDiff(actual, expected) {
-  const keys = /* @__PURE__ */ new Set();
-  const collect = (m) => {
-    for (const k of Object.keys(m)) {
-      const v = m[k];
-      if (v !== void 0 && v !== null && !(Array.isArray(v) && v.length === 0)) keys.add(k);
-    }
-  };
-  collect(actual);
-  collect(expected);
+  const keys = collectPresentKeys(actual, expected);
   const changed = [];
-  for (const key of [...keys].sort()) {
+  for (const key of keys) {
     const a = actual[key];
     const e = expected[key];
     if (JSON.stringify(a ?? null) !== JSON.stringify(e ?? null)) changed.push(key);
   }
   return changed.join(",");
 }
+function hasMeaningfulValue(value) {
+  if (value === void 0 || value === null) return false;
+  if (Array.isArray(value) && value.length === 0) return false;
+  return true;
+}
+function collectPresentKeys(...metas) {
+  const keys = /* @__PURE__ */ new Set();
+  for (const m of metas) {
+    for (const [k, v] of Object.entries(m)) {
+      if (hasMeaningfulValue(v)) keys.add(k);
+    }
+  }
+  return [...keys].sort();
+}
 function mapAction(action) {
   switch (action) {
     case "assigned":
@@ -22166,20 +22208,43 @@ var RETRY_BACKOFFS_MS = [1e3, 2e3, 4e3];
 function toUnixNanoString(ns) {
   return ns.toString(10);
 }
+function encodeAttributeValue(value) {
+  if (typeof value === "string") return { stringValue: value };
+  if (typeof value === "boolean") return { boolValue: value };
+  if (typeof value === "number") {
+    return Number.isInteger(value) ? { intValue: String(value) } : { doubleValue: value };
+  }
+  return null;
+}
+var DEFAULT_FLUSH_INTERVAL_MS = 2e3;
+var DEFAULT_BATCH_SIZE = 64;
+var defaultFetch = (...args) => globalThis.fetch(...args);
+var defaultWarn = (...args) => console.warn(...args);
+function resolveOTLPOptions(opts) {
+  const {
+    endpoint,
+    enabled = true,
+    headers = {},
+    flushIntervalMs = DEFAULT_FLUSH_INTERVAL_MS,
+    batchSize = DEFAULT_BATCH_SIZE,
+    fetchImpl = defaultFetch,
+    warn = defaultWarn
+  } = opts;
+  return {
+    endpoint,
+    enabled,
+    headers: { "Content-Type": "application/json", ...headers },
+    flushIntervalMs,
+    batchSize,
+    fetchImpl,
+    warn
+  };
+}
 function attributesToOTLP(attrs) {
   const out = [];
   for (const [key, value] of Object.entries(attrs)) {
-    if (typeof value === "string") {
-      out.push({ key, value: { stringValue: value } });
-    } else if (typeof value === "boolean") {
-      out.push({ key, value: { boolValue: value } });
-    } else if (typeof value === "number") {
-      if (Number.isInteger(value)) {
-        out.push({ key, value: { intValue: String(value) } });
-      } else {
-        out.push({ key, value: { doubleValue: value } });
-      }
-    }
+    const encoded = encodeAttributeValue(value);
+    if (encoded) out.push({ key, value: encoded });
   }
   return out;
 }
@@ -22195,13 +22260,14 @@ var OTLPExporter = class {
   timer = null;
   inFlightFlushes = /* @__PURE__ */ new Set();
   constructor(opts) {
-    this.endpoint = opts.endpoint;
-    this.enabled = opts.enabled !== false;
-    this.headers = { "Content-Type": "application/json", ...opts.headers ?? {} };
-    this.flushIntervalMs = opts.flushIntervalMs ?? 2e3;
-    this.batchSize = opts.batchSize ?? 64;
-    this.fetchImpl = opts.fetchImpl ?? globalThis.fetch.bind(globalThis);
-    this.warn = opts.warn ?? ((...a) => console.warn(...a));
+    const resolved = resolveOTLPOptions(opts);
+    this.endpoint = resolved.endpoint;
+    this.enabled = resolved.enabled;
+    this.headers = resolved.headers;
+    this.flushIntervalMs = resolved.flushIntervalMs;
+    this.batchSize = resolved.batchSize;
+    this.fetchImpl = resolved.fetchImpl;
+    this.warn = resolved.warn;
   }
   /**
    * O(1) buffer push. When `enabled === false` this is a no-op. If the
@@ -22284,36 +22350,32 @@ var OTLPExporter = class {
    * tests; not part of the supported API surface.
    */
   spansToOTLPJSON(spans) {
-    return {
-      resourceSpans: [
-        {
-          resource: {
-            attributes: [{ key: "service.name", value: { stringValue: "harness" } }]
-          },
-          scopeSpans: [
-            {
-              scope: { name: "harness" },
-              spans: spans.map((s) => {
-                const span = {
-                  traceId: s.traceId,
-                  spanId: s.spanId,
-                  name: s.name,
-                  kind: s.kind,
-                  startTimeUnixNano: toUnixNanoString(s.startTimeNs),
-                  endTimeUnixNano: toUnixNanoString(s.endTimeNs),
-                  attributes: attributesToOTLP(s.attributes)
-                };
-                if (s.parentSpanId !== void 0) span["parentSpanId"] = s.parentSpanId;
-                if (s.statusCode !== void 0) span["status"] = { code: s.statusCode };
-                return span;
-              })
-            }
-          ]
-        }
-      ]
+    const scopeSpan = {
+      scope: { name: "harness" },
+      spans: spans.map(spanToOTLP)
+    };
+    const resourceSpan = {
+      resource: { attributes: SERVICE_NAME_ATTR },
+      scopeSpans: [scopeSpan]
     };
+    return { resourceSpans: [resourceSpan] };
   }
 };
+var SERVICE_NAME_ATTR = [{ key: "service.name", value: { stringValue: "harness" } }];
+function spanToOTLP(s) {
+  const span = {
+    traceId: s.traceId,
+    spanId: s.spanId,
+    name: s.name,
+    kind: s.kind,
+    startTimeUnixNano: toUnixNanoString(s.startTimeNs),
+    endTimeUnixNano: toUnixNanoString(s.endTimeNs),
+    attributes: attributesToOTLP(s.attributes)
+  };
+  if (s.parentSpanId !== void 0) span["parentSpanId"] = s.parentSpanId;
+  if (s.statusCode !== void 0) span["status"] = { code: s.statusCode };
+  return span;
+}
 
 // src/telemetry/exporter/types.ts
 var SpanKind = /* @__PURE__ */ ((SpanKind2) => {
@@ -22429,15 +22491,22 @@ var PII_TOKENS = [
 var PII_FIELD_DENYLIST = new RegExp(`^(?:${PII_TOKENS.join("|")})$`, "i");
 var PII_LINE_RE = new RegExp(`\\b(?:${PII_TOKENS.join("|")})\\b`, "i");
 var ALLOWED_SET = new Set(ALLOWED_FIELD_KEYS);
-function isSanitizedResult(value) {
-  if (!value || typeof value !== "object") return false;
-  const v = value;
-  if (!v.fields || typeof v.fields !== "object") return false;
-  for (const k of Object.keys(v.fields)) {
+function isObject(value) {
+  return Boolean(value) && typeof value === "object";
+}
+function hasAllowedFieldKeys(fields) {
+  for (const k of Object.keys(fields)) {
     if (!ALLOWED_SET.has(k)) return false;
     if (PII_FIELD_DENYLIST.test(k)) return false;
   }
-  if (!v.distributions || typeof v.distributions !== "object") return false;
+  return true;
+}
+function isSanitizedResult(value) {
+  if (!isObject(value)) return false;
+  const { fields, distributions } = value;
+  if (!isObject(fields)) return false;
+  if (!hasAllowedFieldKeys(fields)) return false;
+  if (!isObject(distributions)) return false;
   return true;
 }
 function assertSanitized(value) {

package/dist/index.mjs

@@ -27,7 +27,7 @@ import {
   detectSizeBudgetViolations,
   generateSuggestions,
   parseSize
-} from "./chunk-BTUDWWB4.mjs";
+} from "./chunk-I2JUTTPH.mjs";
 import {
   EXTENSION_MAP,
   Err,
@@ -1779,25 +1779,8 @@ function validateBranchName(branchName, config) {
   }
   if (config.enforceKebabCase) {
     for (const part of slug.split("/")) {
-      const ticketMatch = part.match(TICKET_ID);
-      if (ticketMatch) {
-        const rest = ticketMatch[2];
-        if (rest && !KEBAB_CASE.test(rest)) {
-          return {
-            valid: false,
-            branchName,
-            message: `Branch slug part "${part}" does not follow kebab-case after the ticket ID.`,
-            suggestion: `Ensure the description after "${ticketMatch[1]}" uses kebab-case (lowercase, single hyphens, no leading/trailing hyphen).`
-          };
-        }
-      } else if (!KEBAB_CASE.test(part)) {
-        return {
-          valid: false,
-          branchName,
-          message: `Branch slug part "${part}" must be in kebab-case (lowercase, single hyphens, no leading/trailing hyphen).`,
-          suggestion: `Change "${part}" to match the convention.`
-        };
-      }
+      const kebabFailure = validateKebabSlugPart(part, branchName);
+      if (kebabFailure) return kebabFailure;
     }
   }
   if (typeof config.maxLength === "number" && config.maxLength > 0 && slug.length > config.maxLength) {
@@ -1810,6 +1793,26 @@ function validateBranchName(branchName, config) {
   }
   return { valid: true, branchName };
 }
+function validateKebabSlugPart(part, branchName) {
+  const ticketMatch = part.match(TICKET_ID);
+  if (ticketMatch) {
+    const rest = ticketMatch[2];
+    if (!rest || KEBAB_CASE.test(rest)) return null;
+    return {
+      valid: false,
+      branchName,
+      message: `Branch slug part "${part}" does not follow kebab-case after the ticket ID.`,
+      suggestion: `Ensure the description after "${ticketMatch[1]}" uses kebab-case (lowercase, single hyphens, no leading/trailing hyphen).`
+    };
+  }
+  if (KEBAB_CASE.test(part)) return null;
+  return {
+    valid: false,
+    branchName,
+    message: `Branch slug part "${part}" must be in kebab-case (lowercase, single hyphens, no leading/trailing hyphen).`,
+    suggestion: `Change "${part}" to match the convention.`
+  };
+}
 
 // src/context/doc-coverage.ts
 import { minimatch as minimatch2 } from "minimatch";
@@ -3650,7 +3653,7 @@ function arrayLen(arr) {
   return Array.isArray(arr) ? arr.length : 0;
 }
 async function gatherEntropyBlock(projectPath) {
-  const { EntropyAnalyzer: EntropyAnalyzer2 } = await import("./analyzer-VY6DJVOU.mjs");
+  const { EntropyAnalyzer: EntropyAnalyzer2 } = await import("./analyzer-H3AHBFSL.mjs");
   const analyzer = new EntropyAnalyzer2({
     rootDir: projectPath,
     include: ["src/**/*.ts", "src/**/*.tsx", "packages/*/src/**/*.ts"],
@@ -3671,15 +3674,21 @@ async function gatherDecayBlock(projectPath) {
   const { TimelineManager: TimelineManager2 } = await import("./timeline-manager-FPYKJRHR.mjs");
   const mgr = new TimelineManager2(projectPath);
   const trends = mgr.trends();
-  const recentBumps = arrayLen(trends.recentSnapshots);
-  const affected = Array.isArray(trends.topAffected) ? trends.topAffected : [];
-  const topAffected = [];
+  return {
+    recentBumps: arrayLen(trends.recentSnapshots),
+    topAffected: collectTopAffectedLabels(trends.topAffected)
+  };
+}
+var MAX_TOP_AFFECTED = 5;
+function collectTopAffectedLabels(affected) {
+  if (!Array.isArray(affected)) return [];
+  const out = [];
   for (const node of affected) {
     const label = node.id ?? node.name;
-    if (typeof label === "string" && label.length > 0) topAffected.push(label);
-    if (topAffected.length >= 5) break;
+    if (typeof label === "string" && label.length > 0) out.push(label);
+    if (out.length >= MAX_TOP_AFFECTED) break;
   }
-  return { recentBumps, topAffected };
+  return out;
 }
 async function gatherAttentionBlock(projectPath) {
   const sessionsDir = path4.join(projectPath, ".harness", "sessions");
@@ -9090,11 +9099,20 @@ var SecurityScanner = class {
     }
     return null;
   }
-  /** Scan a single line against a resolved rule; push any findings into the array. */
-  scanLineForRule(rule, resolved, line, lineNumber, filePath, findings) {
-    const suppressionMatch = parseHarnessIgnore(line, rule.id);
+  /**
+   * Scan a single line against a resolved rule; push any findings into the array.
+   *
+   * Suppression check is two-pass: same line first (trailing-comment style), then the previous
+   * line (the dominant convention: `// harness-ignore` on the line above the flagged code).
+   * Without the prior-line check, every multi-line statement annotated using the over-the-top
+   * convention would slip through and re-trigger the finding.
+   */
+  scanLineForRule(rule, resolved, line, lineNumber, filePath, findings, priorLine) {
+    const sameLineMatch = parseHarnessIgnore(line, rule.id);
+    const priorLineMatch = !sameLineMatch && priorLine !== void 0 ? parseHarnessIgnore(priorLine, rule.id) : null;
+    const suppressionMatch = sameLineMatch ?? priorLineMatch;
     if (suppressionMatch) {
-      if (!suppressionMatch.justification) {
+      if (!suppressionMatch.justification && sameLineMatch !== null) {
         findings.push(this.buildSuppressionFinding(rule, filePath, lineNumber, line));
       }
       return;
@@ -9118,7 +9136,15 @@ var SecurityScanner = class {
       );
       if (resolved === "off") continue;
       for (let i = 0; i < lines.length; i++) {
-        this.scanLineForRule(rule, resolved, lines[i] ?? "", startLine + i, filePath, findings);
+        this.scanLineForRule(
+          rule,
+          resolved,
+          lines[i] ?? "",
+          startLine + i,
+          filePath,
+          findings,
+          i > 0 ? lines[i - 1] : void 0
+        );
       }
     }
     return findings;
@@ -14224,13 +14250,20 @@ function arraysEqual2(a, b) {
 // src/roadmap/tracker/adapters/github-issues.ts
 function metaFromFeatureFields(src) {
   const meta = {};
-  if (src.spec !== void 0 && src.spec !== null) meta.spec = src.spec;
-  if (src.plans && src.plans.length > 0) meta.plan = src.plans[0];
-  if (src.blockedBy && src.blockedBy.length > 0) meta.blocked_by = src.blockedBy;
-  if (src.priority !== void 0 && src.priority !== null) meta.priority = src.priority;
-  if (src.milestone !== void 0 && src.milestone !== null) meta.milestone = src.milestone;
+  assignNonNullish(meta, "spec", src.spec);
+  if (hasItems(src.plans)) meta.plan = src.plans[0];
+  if (hasItems(src.blockedBy)) meta.blocked_by = src.blockedBy;
+  assignNonNullish(meta, "priority", src.priority);
+  assignNonNullish(meta, "milestone", src.milestone);
   return meta;
 }
+function assignNonNullish(meta, key, value) {
+  if (value === void 0 || value === null) return;
+  meta[key] = value;
+}
+function hasItems(arr) {
+  return Array.isArray(arr) && arr.length > 0;
+}
 function buildCreateMeta(feature) {
   return metaFromFeatureFields(feature);
 }
@@ -14891,33 +14924,42 @@ function featureToNewInput(feature, milestone) {
   return input;
 }
 function metaToPatch(feature, expected) {
-  const patch = {};
-  patch.summary = feature.summary;
-  if (expected.spec !== void 0) patch.spec = expected.spec ?? null;
-  if (expected.plan !== void 0 && expected.plan != null) patch.plans = [expected.plan];
-  if (expected.blocked_by !== void 0) patch.blockedBy = expected.blocked_by ?? [];
-  if (expected.priority !== void 0) patch.priority = expected.priority ?? null;
-  if (expected.milestone !== void 0) patch.milestone = expected.milestone ?? null;
+  const patch = { summary: feature.summary };
+  assignIfPresent(patch, "spec", expected.spec, null);
+  if (expected.plan != null) patch.plans = [expected.plan];
+  assignIfPresent(patch, "blockedBy", expected.blocked_by, []);
+  assignIfPresent(patch, "priority", expected.priority, null);
+  assignIfPresent(patch, "milestone", expected.milestone, null);
   return patch;
 }
+function assignIfPresent(patch, key, value, fallback2) {
+  if (value === void 0) return;
+  patch[key] = value ?? fallback2;
+}
 function formatDiff(actual, expected) {
-  const keys = /* @__PURE__ */ new Set();
-  const collect = (m) => {
-    for (const k of Object.keys(m)) {
-      const v = m[k];
-      if (v !== void 0 && v !== null && !(Array.isArray(v) && v.length === 0)) keys.add(k);
-    }
-  };
-  collect(actual);
-  collect(expected);
+  const keys = collectPresentKeys(actual, expected);
   const changed = [];
-  for (const key of [...keys].sort()) {
+  for (const key of keys) {
     const a = actual[key];
     const e = expected[key];
     if (JSON.stringify(a ?? null) !== JSON.stringify(e ?? null)) changed.push(key);
   }
   return changed.join(",");
 }
+function hasMeaningfulValue(value) {
+  if (value === void 0 || value === null) return false;
+  if (Array.isArray(value) && value.length === 0) return false;
+  return true;
+}
+function collectPresentKeys(...metas) {
+  const keys = /* @__PURE__ */ new Set();
+  for (const m of metas) {
+    for (const [k, v] of Object.entries(m)) {
+      if (hasMeaningfulValue(v)) keys.add(k);
+    }
+  }
+  return [...keys].sort();
+}
 function mapAction(action) {
   switch (action) {
     case "assigned":
@@ -16595,20 +16637,43 @@ var RETRY_BACKOFFS_MS = [1e3, 2e3, 4e3];
 function toUnixNanoString(ns) {
   return ns.toString(10);
 }
+function encodeAttributeValue(value) {
+  if (typeof value === "string") return { stringValue: value };
+  if (typeof value === "boolean") return { boolValue: value };
+  if (typeof value === "number") {
+    return Number.isInteger(value) ? { intValue: String(value) } : { doubleValue: value };
+  }
+  return null;
+}
+var DEFAULT_FLUSH_INTERVAL_MS = 2e3;
+var DEFAULT_BATCH_SIZE = 64;
+var defaultFetch = (...args) => globalThis.fetch(...args);
+var defaultWarn = (...args) => console.warn(...args);
+function resolveOTLPOptions(opts) {
+  const {
+    endpoint,
+    enabled = true,
+    headers = {},
+    flushIntervalMs = DEFAULT_FLUSH_INTERVAL_MS,
+    batchSize = DEFAULT_BATCH_SIZE,
+    fetchImpl = defaultFetch,
+    warn = defaultWarn
+  } = opts;
+  return {
+    endpoint,
+    enabled,
+    headers: { "Content-Type": "application/json", ...headers },
+    flushIntervalMs,
+    batchSize,
+    fetchImpl,
+    warn
+  };
+}
 function attributesToOTLP(attrs) {
   const out = [];
   for (const [key, value] of Object.entries(attrs)) {
-    if (typeof value === "string") {
-      out.push({ key, value: { stringValue: value } });
-    } else if (typeof value === "boolean") {
-      out.push({ key, value: { boolValue: value } });
-    } else if (typeof value === "number") {
-      if (Number.isInteger(value)) {
-        out.push({ key, value: { intValue: String(value) } });
-      } else {
-        out.push({ key, value: { doubleValue: value } });
-      }
-    }
+    const encoded = encodeAttributeValue(value);
+    if (encoded) out.push({ key, value: encoded });
   }
   return out;
 }
@@ -16624,13 +16689,14 @@ var OTLPExporter = class {
   timer = null;
   inFlightFlushes = /* @__PURE__ */ new Set();
   constructor(opts) {
-    this.endpoint = opts.endpoint;
-    this.enabled = opts.enabled !== false;
-    this.headers = { "Content-Type": "application/json", ...opts.headers ?? {} };
-    this.flushIntervalMs = opts.flushIntervalMs ?? 2e3;
-    this.batchSize = opts.batchSize ?? 64;
-    this.fetchImpl = opts.fetchImpl ?? globalThis.fetch.bind(globalThis);
-    this.warn = opts.warn ?? ((...a) => console.warn(...a));
+    const resolved = resolveOTLPOptions(opts);
+    this.endpoint = resolved.endpoint;
+    this.enabled = resolved.enabled;
+    this.headers = resolved.headers;
+    this.flushIntervalMs = resolved.flushIntervalMs;
+    this.batchSize = resolved.batchSize;
+    this.fetchImpl = resolved.fetchImpl;
+    this.warn = resolved.warn;
   }
   /**
    * O(1) buffer push. When `enabled === false` this is a no-op. If the
@@ -16713,36 +16779,32 @@ var OTLPExporter = class {
    * tests; not part of the supported API surface.
    */
   spansToOTLPJSON(spans) {
-    return {
-      resourceSpans: [
-        {
-          resource: {
-            attributes: [{ key: "service.name", value: { stringValue: "harness" } }]
-          },
-          scopeSpans: [
-            {
-              scope: { name: "harness" },
-              spans: spans.map((s) => {
-                const span = {
-                  traceId: s.traceId,
-                  spanId: s.spanId,
-                  name: s.name,
-                  kind: s.kind,
-                  startTimeUnixNano: toUnixNanoString(s.startTimeNs),
-                  endTimeUnixNano: toUnixNanoString(s.endTimeNs),
-                  attributes: attributesToOTLP(s.attributes)
-                };
-                if (s.parentSpanId !== void 0) span["parentSpanId"] = s.parentSpanId;
-                if (s.statusCode !== void 0) span["status"] = { code: s.statusCode };
-                return span;
-              })
-            }
-          ]
-        }
-      ]
+    const scopeSpan = {
+      scope: { name: "harness" },
+      spans: spans.map(spanToOTLP)
+    };
+    const resourceSpan = {
+      resource: { attributes: SERVICE_NAME_ATTR },
+      scopeSpans: [scopeSpan]
     };
+    return { resourceSpans: [resourceSpan] };
   }
 };
+var SERVICE_NAME_ATTR = [{ key: "service.name", value: { stringValue: "harness" } }];
+function spanToOTLP(s) {
+  const span = {
+    traceId: s.traceId,
+    spanId: s.spanId,
+    name: s.name,
+    kind: s.kind,
+    startTimeUnixNano: toUnixNanoString(s.startTimeNs),
+    endTimeUnixNano: toUnixNanoString(s.endTimeNs),
+    attributes: attributesToOTLP(s.attributes)
+  };
+  if (s.parentSpanId !== void 0) span["parentSpanId"] = s.parentSpanId;
+  if (s.statusCode !== void 0) span["status"] = { code: s.statusCode };
+  return span;
+}
 
 // src/telemetry/exporter/types.ts
 var SpanKind = /* @__PURE__ */ ((SpanKind2) => {
@@ -16858,15 +16920,22 @@ var PII_TOKENS = [
 var PII_FIELD_DENYLIST = new RegExp(`^(?:${PII_TOKENS.join("|")})$`, "i");
 var PII_LINE_RE = new RegExp(`\\b(?:${PII_TOKENS.join("|")})\\b`, "i");
 var ALLOWED_SET = new Set(ALLOWED_FIELD_KEYS);
-function isSanitizedResult(value) {
-  if (!value || typeof value !== "object") return false;
-  const v = value;
-  if (!v.fields || typeof v.fields !== "object") return false;
-  for (const k of Object.keys(v.fields)) {
+function isObject(value) {
+  return Boolean(value) && typeof value === "object";
+}
+function hasAllowedFieldKeys(fields) {
+  for (const k of Object.keys(fields)) {
     if (!ALLOWED_SET.has(k)) return false;
     if (PII_FIELD_DENYLIST.test(k)) return false;
   }
-  if (!v.distributions || typeof v.distributions !== "object") return false;
+  return true;
+}
+function isSanitizedResult(value) {
+  if (!isObject(value)) return false;
+  const { fields, distributions } = value;
+  if (!isObject(fields)) return false;
+  if (!hasAllowedFieldKeys(fields)) return false;
+  if (!isObject(distributions)) return false;
   return true;
 }
 function assertSanitized(value) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@harness-engineering/core",
-  "version": "0.28.0",
+  "version": "0.28.2",
   "description": "Core library for Harness Engineering toolkit",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -51,8 +51,8 @@
     "web-tree-sitter": "^0.24.7",
     "yaml": "^2.8.3",
     "zod": "^3.25.76",
-    "@harness-engineering/graph": "0.9.0",
-    "@harness-engineering/types": "0.14.0"
+    "@harness-engineering/graph": "0.10.0",
+    "@harness-engineering/types": "0.15.0"
   },
   "devDependencies": {
     "@types/ejs": "^3.1.5",