npm - @harness-engineering/core - Versions diffs - 0.8.0 → 0.9.0 - Mend

@harness-engineering/core 0.8.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.mjs CHANGED Viewed

@@ -18,17 +18,17 @@ import { promisify } from "util";
 import { glob } from "glob";
 var accessAsync = promisify(access);
 var readFileAsync = promisify(readFile);
-async function fileExists(path3) {
+async function fileExists(path11) {
   try {
-    await accessAsync(path3, constants.F_OK);
+    await accessAsync(path11, constants.F_OK);
     return true;
   } catch {
     return false;
   }
 }
-async function readFileContent(path3) {
+async function readFileContent(path11) {
   try {
-    const content = await readFileAsync(path3, "utf-8");
+    const content = await readFileAsync(path11, "utf-8");
     return Ok(content);
   } catch (error) {
     return Err(error);
@@ -76,15 +76,15 @@ function validateConfig(data, schema) {
   let message = "Configuration validation failed";
   const suggestions = [];
   if (firstError) {
-    const path3 = firstError.path.join(".");
-    const pathDisplay = path3 ? ` at "${path3}"` : "";
+    const path11 = firstError.path.join(".");
+    const pathDisplay = path11 ? ` at "${path11}"` : "";
     if (firstError.code === "invalid_type") {
       const received = firstError.received;
       const expected = firstError.expected;
       if (received === "undefined") {
         code = "MISSING_FIELD";
         message = `Missing required field${pathDisplay}: ${firstError.message}`;
-        suggestions.push(`Field "${path3}" is required and must be of type "${expected}"`);
+        suggestions.push(`Field "${path11}" is required and must be of type "${expected}"`);
       } else {
         code = "INVALID_TYPE";
         message = `Invalid type${pathDisplay}: ${firstError.message}`;
@@ -297,30 +297,30 @@ function extractSections(content) {
     return result;
   });
 }
-function isExternalLink(path3) {
-  return path3.startsWith("http://") || path3.startsWith("https://") || path3.startsWith("#") || path3.startsWith("mailto:");
+function isExternalLink(path11) {
+  return path11.startsWith("http://") || path11.startsWith("https://") || path11.startsWith("#") || path11.startsWith("mailto:");
 }
 function resolveLinkPath(linkPath, baseDir) {
   return linkPath.startsWith(".") ? join(baseDir, linkPath) : linkPath;
 }
-async function validateAgentsMap(path3 = "./AGENTS.md") {
+async function validateAgentsMap(path11 = "./AGENTS.md") {
   console.warn(
     "[harness] validateAgentsMap() is deprecated. Use graph-based validation via Assembler.checkCoverage() from @harness-engineering/graph"
   );
-  const contentResult = await readFileContent(path3);
+  const contentResult = await readFileContent(path11);
   if (!contentResult.ok) {
     return Err(
       createError(
         "PARSE_ERROR",
         `Failed to read AGENTS.md: ${contentResult.error.message}`,
-        { path: path3 },
+        { path: path11 },
         ["Ensure the file exists", "Check file permissions"]
       )
     );
   }
   const content = contentResult.value;
   const sections = extractSections(content);
-  const baseDir = dirname(path3);
+  const baseDir = dirname(path11);
   const sectionTitles = sections.map((s) => s.title);
   const missingSections = REQUIRED_SECTIONS.filter(
     (required) => !sectionTitles.some((title) => title.toLowerCase().includes(required.toLowerCase()))
@@ -462,8 +462,8 @@ async function checkDocCoverage(domain, options = {}) {
 // src/context/knowledge-map.ts
 import { join as join2, basename as basename2, relative as relative2 } from "path";
-function suggestFix(path3, existingFiles) {
-  const targetName = basename2(path3).toLowerCase();
+function suggestFix(path11, existingFiles) {
+  const targetName = basename2(path11).toLowerCase();
   const similar = existingFiles.find((file) => {
     const fileName = basename2(file).toLowerCase();
     return fileName.includes(targetName) || targetName.includes(fileName);
@@ -471,7 +471,7 @@ function suggestFix(path3, existingFiles) {
   if (similar) {
     return `Did you mean "${similar}"?`;
   }
-  return `Create the file "${path3}" or remove the link`;
+  return `Create the file "${path11}" or remove the link`;
 }
 async function validateKnowledgeMap(rootDir = process.cwd()) {
   console.warn(
@@ -1065,8 +1065,8 @@ function createBoundaryValidator(schema, name) {
         return Ok(result.data);
       }
       const suggestions = result.error.issues.map((issue) => {
-        const path3 = issue.path.join(".");
-        return path3 ? `${path3}: ${issue.message}` : issue.message;
+        const path11 = issue.path.join(".");
+        return path11 ? `${path11}: ${issue.message}` : issue.message;
       });
       return Err(
         createError(
@@ -1135,11 +1135,11 @@ function walk(node, visitor) {
 var TypeScriptParser = class {
   name = "typescript";
   extensions = [".ts", ".tsx", ".mts", ".cts"];
-  async parseFile(path3) {
-    const contentResult = await readFileContent(path3);
+  async parseFile(path11) {
+    const contentResult = await readFileContent(path11);
     if (!contentResult.ok) {
       return Err(
-        createParseError("NOT_FOUND", `File not found: ${path3}`, { path: path3 }, [
+        createParseError("NOT_FOUND", `File not found: ${path11}`, { path: path11 }, [
           "Check that the file exists",
           "Verify the path is correct"
         ])
@@ -1149,7 +1149,7 @@ var TypeScriptParser = class {
       const ast = parse(contentResult.value, {
         loc: true,
         range: true,
-        jsx: path3.endsWith(".tsx"),
+        jsx: path11.endsWith(".tsx"),
         errorOnUnknownASTType: false
       });
       return Ok({
@@ -1160,7 +1160,7 @@ var TypeScriptParser = class {
     } catch (e) {
       const error = e;
       return Err(
-        createParseError("SYNTAX_ERROR", `Failed to parse ${path3}: ${error.message}`, { path: path3 }, [
+        createParseError("SYNTAX_ERROR", `Failed to parse ${path11}: ${error.message}`, { path: path11 }, [
           "Check for syntax errors in the file",
           "Ensure valid TypeScript syntax"
         ])
@@ -1444,22 +1444,22 @@ function extractInlineRefs(content) {
   }
   return refs;
 }
-async function parseDocumentationFile(path3) {
-  const contentResult = await readFileContent(path3);
+async function parseDocumentationFile(path11) {
+  const contentResult = await readFileContent(path11);
   if (!contentResult.ok) {
     return Err(
       createEntropyError(
         "PARSE_ERROR",
-        `Failed to read documentation file: ${path3}`,
-        { file: path3 },
+        `Failed to read documentation file: ${path11}`,
+        { file: path11 },
         ["Check that the file exists"]
       )
     );
   }
   const content = contentResult.value;
-  const type = path3.endsWith(".md") ? "markdown" : "text";
+  const type = path11.endsWith(".md") ? "markdown" : "text";
   return Ok({
-    path: path3,
+    path: path11,
     type,
     content,
     codeBlocks: extractCodeBlocks(content),
@@ -2287,6 +2287,496 @@ async function detectPatternViolations(snapshot, config) {
   });
 }
+// src/entropy/detectors/complexity.ts
+import { readFile as readFile2 } from "fs/promises";
+var DEFAULT_THRESHOLDS = {
+  cyclomaticComplexity: { error: 15, warn: 10 },
+  nestingDepth: { warn: 4 },
+  functionLength: { warn: 50 },
+  parameterCount: { warn: 5 },
+  fileLength: { info: 300 },
+  hotspotPercentile: { error: 95 }
+};
+function extractFunctions(content) {
+  const functions = [];
+  const lines = content.split("\n");
+  const patterns = [
+    // function declarations: function name(params) {
+    /^\s*(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\(([^)]*)\)/,
+    // method declarations: name(params) {
+    /^\s*(?:async\s+)?(\w+)\s*\(([^)]*)\)\s*(?::\s*[^{]+)?\s*\{/,
+    // arrow functions assigned to const/let/var: const name = (params) =>
+    /^\s*(?:export\s+)?(?:const|let|var)\s+(\w+)\s*=\s*(?:async\s+)?\(([^)]*)\)\s*(?::\s*[^=]+)?\s*=>/,
+    // arrow functions assigned to const/let/var with single param: const name = param =>
+    /^\s*(?:export\s+)?(?:const|let|var)\s+(\w+)\s*=\s*(?:async\s+)?(\w+)\s*=>/
+  ];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const pattern of patterns) {
+      const match = line.match(pattern);
+      if (match) {
+        const name = match[1] ?? "anonymous";
+        const paramsStr = match[2] || "";
+        const params = paramsStr.trim() === "" ? 0 : paramsStr.split(",").length;
+        const endLine = findFunctionEnd(lines, i);
+        const body = lines.slice(i, endLine + 1).join("\n");
+        functions.push({
+          name,
+          line: i + 1,
+          params,
+          startLine: i + 1,
+          endLine: endLine + 1,
+          body
+        });
+        break;
+      }
+    }
+  }
+  return functions;
+}
+function findFunctionEnd(lines, startIdx) {
+  let depth = 0;
+  let foundOpen = false;
+  for (let i = startIdx; i < lines.length; i++) {
+    const line = lines[i];
+    for (const ch of line) {
+      if (ch === "{") {
+        depth++;
+        foundOpen = true;
+      } else if (ch === "}") {
+        depth--;
+        if (foundOpen && depth === 0) {
+          return i;
+        }
+      }
+    }
+  }
+  return lines.length - 1;
+}
+function computeCyclomaticComplexity(body) {
+  let complexity = 1;
+  const decisionPatterns = [
+    /\bif\s*\(/g,
+    /\belse\s+if\s*\(/g,
+    /\bwhile\s*\(/g,
+    /\bfor\s*\(/g,
+    /\bcase\s+/g,
+    /&&/g,
+    /\|\|/g,
+    /\?(?!=)/g,
+    // Ternary ? but not ?. or ??
+    /\bcatch\s*\(/g
+  ];
+  for (const pattern of decisionPatterns) {
+    const matches = body.match(pattern);
+    if (matches) {
+      complexity += matches.length;
+    }
+  }
+  const elseIfMatches = body.match(/\belse\s+if\s*\(/g);
+  if (elseIfMatches) {
+    complexity -= elseIfMatches.length;
+  }
+  return complexity;
+}
+function computeNestingDepth(body) {
+  let maxDepth = 0;
+  let currentDepth = 0;
+  let functionBodyStarted = false;
+  for (const ch of body) {
+    if (ch === "{") {
+      if (!functionBodyStarted) {
+        functionBodyStarted = true;
+        continue;
+      }
+      currentDepth++;
+      if (currentDepth > maxDepth) {
+        maxDepth = currentDepth;
+      }
+    } else if (ch === "}") {
+      if (currentDepth > 0) {
+        currentDepth--;
+      }
+    }
+  }
+  return maxDepth;
+}
+async function detectComplexityViolations(snapshot, config, graphData) {
+  const violations = [];
+  const thresholds = {
+    cyclomaticComplexity: {
+      error: config?.thresholds?.cyclomaticComplexity?.error ?? DEFAULT_THRESHOLDS.cyclomaticComplexity.error,
+      warn: config?.thresholds?.cyclomaticComplexity?.warn ?? DEFAULT_THRESHOLDS.cyclomaticComplexity.warn
+    },
+    nestingDepth: {
+      warn: config?.thresholds?.nestingDepth?.warn ?? DEFAULT_THRESHOLDS.nestingDepth.warn
+    },
+    functionLength: {
+      warn: config?.thresholds?.functionLength?.warn ?? DEFAULT_THRESHOLDS.functionLength.warn
+    },
+    parameterCount: {
+      warn: config?.thresholds?.parameterCount?.warn ?? DEFAULT_THRESHOLDS.parameterCount.warn
+    },
+    fileLength: {
+      info: config?.thresholds?.fileLength?.info ?? DEFAULT_THRESHOLDS.fileLength.info
+    }
+  };
+  let totalFunctions = 0;
+  for (const file of snapshot.files) {
+    let content;
+    try {
+      content = await readFile2(file.path, "utf-8");
+    } catch {
+      continue;
+    }
+    const lines = content.split("\n");
+    if (lines.length > thresholds.fileLength.info) {
+      violations.push({
+        file: file.path,
+        function: "<file>",
+        line: 1,
+        metric: "fileLength",
+        value: lines.length,
+        threshold: thresholds.fileLength.info,
+        tier: 3,
+        severity: "info",
+        message: `File has ${lines.length} lines (threshold: ${thresholds.fileLength.info})`
+      });
+    }
+    const functions = extractFunctions(content);
+    totalFunctions += functions.length;
+    for (const fn of functions) {
+      const complexity = computeCyclomaticComplexity(fn.body);
+      if (complexity > thresholds.cyclomaticComplexity.error) {
+        violations.push({
+          file: file.path,
+          function: fn.name,
+          line: fn.line,
+          metric: "cyclomaticComplexity",
+          value: complexity,
+          threshold: thresholds.cyclomaticComplexity.error,
+          tier: 1,
+          severity: "error",
+          message: `Function "${fn.name}" has cyclomatic complexity of ${complexity} (error threshold: ${thresholds.cyclomaticComplexity.error})`
+        });
+      } else if (complexity > thresholds.cyclomaticComplexity.warn) {
+        violations.push({
+          file: file.path,
+          function: fn.name,
+          line: fn.line,
+          metric: "cyclomaticComplexity",
+          value: complexity,
+          threshold: thresholds.cyclomaticComplexity.warn,
+          tier: 2,
+          severity: "warning",
+          message: `Function "${fn.name}" has cyclomatic complexity of ${complexity} (warning threshold: ${thresholds.cyclomaticComplexity.warn})`
+        });
+      }
+      const nestingDepth = computeNestingDepth(fn.body);
+      if (nestingDepth > thresholds.nestingDepth.warn) {
+        violations.push({
+          file: file.path,
+          function: fn.name,
+          line: fn.line,
+          metric: "nestingDepth",
+          value: nestingDepth,
+          threshold: thresholds.nestingDepth.warn,
+          tier: 2,
+          severity: "warning",
+          message: `Function "${fn.name}" has nesting depth of ${nestingDepth} (threshold: ${thresholds.nestingDepth.warn})`
+        });
+      }
+      const fnLength = fn.endLine - fn.startLine + 1;
+      if (fnLength > thresholds.functionLength.warn) {
+        violations.push({
+          file: file.path,
+          function: fn.name,
+          line: fn.line,
+          metric: "functionLength",
+          value: fnLength,
+          threshold: thresholds.functionLength.warn,
+          tier: 2,
+          severity: "warning",
+          message: `Function "${fn.name}" is ${fnLength} lines long (threshold: ${thresholds.functionLength.warn})`
+        });
+      }
+      if (fn.params > thresholds.parameterCount.warn) {
+        violations.push({
+          file: file.path,
+          function: fn.name,
+          line: fn.line,
+          metric: "parameterCount",
+          value: fn.params,
+          threshold: thresholds.parameterCount.warn,
+          tier: 2,
+          severity: "warning",
+          message: `Function "${fn.name}" has ${fn.params} parameters (threshold: ${thresholds.parameterCount.warn})`
+        });
+      }
+      if (graphData) {
+        const hotspot = graphData.hotspots.find(
+          (h) => h.file === file.path && h.function === fn.name
+        );
+        if (hotspot && hotspot.hotspotScore > graphData.percentile95Score) {
+          violations.push({
+            file: file.path,
+            function: fn.name,
+            line: fn.line,
+            metric: "hotspotScore",
+            value: hotspot.hotspotScore,
+            threshold: graphData.percentile95Score,
+            tier: 1,
+            severity: "error",
+            message: `Function "${fn.name}" is a complexity hotspot (score: ${hotspot.hotspotScore}, p95: ${graphData.percentile95Score})`
+          });
+        }
+      }
+    }
+  }
+  const errorCount = violations.filter((v) => v.severity === "error").length;
+  const warningCount = violations.filter((v) => v.severity === "warning").length;
+  const infoCount = violations.filter((v) => v.severity === "info").length;
+  return Ok({
+    violations,
+    stats: {
+      filesAnalyzed: snapshot.files.length,
+      functionsAnalyzed: totalFunctions,
+      violationCount: violations.length,
+      errorCount,
+      warningCount,
+      infoCount
+    }
+  });
+}
+// src/entropy/detectors/coupling.ts
+var DEFAULT_THRESHOLDS2 = {
+  fanOut: { warn: 15 },
+  fanIn: { info: 20 },
+  couplingRatio: { warn: 0.7 },
+  transitiveDependencyDepth: { info: 30 }
+};
+function computeMetricsFromSnapshot(snapshot) {
+  const fanInMap = /* @__PURE__ */ new Map();
+  for (const file of snapshot.files) {
+    for (const imp of file.imports) {
+      const resolved = resolveImportSource(imp.source, file.path, snapshot);
+      if (resolved) {
+        fanInMap.set(resolved, (fanInMap.get(resolved) || 0) + 1);
+      }
+    }
+  }
+  return snapshot.files.map((file) => {
+    const fanOut = file.imports.length;
+    const fanIn = fanInMap.get(file.path) || 0;
+    const total = fanIn + fanOut;
+    const couplingRatio = total > 0 ? fanOut / total : 0;
+    return {
+      file: file.path,
+      fanIn,
+      fanOut,
+      couplingRatio,
+      transitiveDepth: 0
+    };
+  });
+}
+function resolveRelativePath(from, source) {
+  const dir = from.includes("/") ? from.substring(0, from.lastIndexOf("/")) : ".";
+  const parts = dir.split("/");
+  for (const segment of source.split("/")) {
+    if (segment === ".") continue;
+    if (segment === "..") {
+      parts.pop();
+    } else {
+      parts.push(segment);
+    }
+  }
+  return parts.join("/");
+}
+function resolveImportSource(source, fromFile, snapshot) {
+  if (!source.startsWith(".") && !source.startsWith("/")) {
+    return void 0;
+  }
+  const resolved = resolveRelativePath(fromFile, source);
+  const filePaths = snapshot.files.map((f) => f.path);
+  const candidates = [
+    resolved,
+    `${resolved}.ts`,
+    `${resolved}.tsx`,
+    `${resolved}/index.ts`,
+    `${resolved}/index.tsx`
+  ];
+  for (const candidate of candidates) {
+    const match = filePaths.find((fp) => fp === candidate);
+    if (match) return match;
+  }
+  return void 0;
+}
+function checkViolations(metrics, config) {
+  const thresholds = {
+    fanOut: { ...DEFAULT_THRESHOLDS2.fanOut, ...config?.thresholds?.fanOut },
+    fanIn: { ...DEFAULT_THRESHOLDS2.fanIn, ...config?.thresholds?.fanIn },
+    couplingRatio: { ...DEFAULT_THRESHOLDS2.couplingRatio, ...config?.thresholds?.couplingRatio },
+    transitiveDependencyDepth: {
+      ...DEFAULT_THRESHOLDS2.transitiveDependencyDepth,
+      ...config?.thresholds?.transitiveDependencyDepth
+    }
+  };
+  const violations = [];
+  for (const m of metrics) {
+    if (thresholds.fanOut.warn !== void 0 && m.fanOut > thresholds.fanOut.warn) {
+      violations.push({
+        file: m.file,
+        metric: "fanOut",
+        value: m.fanOut,
+        threshold: thresholds.fanOut.warn,
+        tier: 2,
+        severity: "warning",
+        message: `File has ${m.fanOut} imports (threshold: ${thresholds.fanOut.warn})`
+      });
+    }
+    if (thresholds.fanIn.info !== void 0 && m.fanIn > thresholds.fanIn.info) {
+      violations.push({
+        file: m.file,
+        metric: "fanIn",
+        value: m.fanIn,
+        threshold: thresholds.fanIn.info,
+        tier: 3,
+        severity: "info",
+        message: `File is imported by ${m.fanIn} files (threshold: ${thresholds.fanIn.info})`
+      });
+    }
+    const totalConnections = m.fanIn + m.fanOut;
+    if (totalConnections > 5 && thresholds.couplingRatio.warn !== void 0 && m.couplingRatio > thresholds.couplingRatio.warn) {
+      violations.push({
+        file: m.file,
+        metric: "couplingRatio",
+        value: m.couplingRatio,
+        threshold: thresholds.couplingRatio.warn,
+        tier: 2,
+        severity: "warning",
+        message: `Coupling ratio is ${m.couplingRatio.toFixed(2)} (threshold: ${thresholds.couplingRatio.warn})`
+      });
+    }
+    if (thresholds.transitiveDependencyDepth.info !== void 0 && m.transitiveDepth > thresholds.transitiveDependencyDepth.info) {
+      violations.push({
+        file: m.file,
+        metric: "transitiveDependencyDepth",
+        value: m.transitiveDepth,
+        threshold: thresholds.transitiveDependencyDepth.info,
+        tier: 3,
+        severity: "info",
+        message: `Transitive dependency depth is ${m.transitiveDepth} (threshold: ${thresholds.transitiveDependencyDepth.info})`
+      });
+    }
+  }
+  return violations;
+}
+async function detectCouplingViolations(snapshot, config, graphData) {
+  let metrics;
+  if (graphData) {
+    metrics = graphData.files.map((f) => ({
+      file: f.file,
+      fanIn: f.fanIn,
+      fanOut: f.fanOut,
+      couplingRatio: f.couplingRatio,
+      transitiveDepth: f.transitiveDepth
+    }));
+  } else {
+    metrics = computeMetricsFromSnapshot(snapshot);
+  }
+  const violations = checkViolations(metrics, config);
+  const warningCount = violations.filter((v) => v.severity === "warning").length;
+  const infoCount = violations.filter((v) => v.severity === "info").length;
+  return Ok({
+    violations,
+    stats: {
+      filesAnalyzed: metrics.length,
+      violationCount: violations.length,
+      warningCount,
+      infoCount
+    }
+  });
+}
+// src/entropy/detectors/size-budget.ts
+import { readdirSync, statSync } from "fs";
+import { join as join4 } from "path";
+function parseSize(size) {
+  const match = size.trim().match(/^(\d+(?:\.\d+)?)\s*(KB|MB|GB|B)?$/i);
+  if (!match) return 0;
+  const value = parseFloat(match[1]);
+  const unit = (match[2] || "B").toUpperCase();
+  switch (unit) {
+    case "KB":
+      return Math.round(value * 1024);
+    case "MB":
+      return Math.round(value * 1024 * 1024);
+    case "GB":
+      return Math.round(value * 1024 * 1024 * 1024);
+    default:
+      return Math.round(value);
+  }
+}
+function dirSize(dirPath) {
+  let total = 0;
+  let entries;
+  try {
+    entries = readdirSync(dirPath);
+  } catch {
+    return 0;
+  }
+  for (const entry of entries) {
+    if (entry === "node_modules" || entry === ".git") continue;
+    const fullPath = join4(dirPath, entry);
+    try {
+      const stat = statSync(fullPath);
+      if (stat.isDirectory()) {
+        total += dirSize(fullPath);
+      } else if (stat.isFile()) {
+        total += stat.size;
+      }
+    } catch {
+      continue;
+    }
+  }
+  return total;
+}
+async function detectSizeBudgetViolations(rootDir, config) {
+  const budgets = config?.budgets ?? {};
+  const violations = [];
+  let packagesChecked = 0;
+  for (const [pkgPath, budget] of Object.entries(budgets)) {
+    packagesChecked++;
+    const distPath = join4(rootDir, pkgPath, "dist");
+    const currentSize = dirSize(distPath);
+    if (budget.warn) {
+      const budgetBytes = parseSize(budget.warn);
+      if (budgetBytes > 0 && currentSize > budgetBytes) {
+        violations.push({
+          package: pkgPath,
+          currentSize,
+          budgetSize: budgetBytes,
+          unit: "bytes",
+          tier: 2,
+          severity: "warning"
+        });
+      }
+    }
+  }
+  const warningCount = violations.filter((v) => v.severity === "warning").length;
+  const infoCount = violations.filter((v) => v.severity === "info").length;
+  return Ok({
+    violations,
+    stats: {
+      packagesChecked,
+      violationCount: violations.length,
+      warningCount,
+      infoCount
+    }
+  });
+}
 // src/entropy/fixers/suggestions.ts
 function generateDeadCodeSuggestions(report) {
   const suggestions = [];
@@ -2472,12 +2962,57 @@ var EntropyAnalyzer = class {
         analysisErrors.push({ analyzer: "patterns", error: result.error });
       }
     }
+    let complexityReport;
+    if (this.config.analyze.complexity) {
+      const complexityConfig = typeof this.config.analyze.complexity === "object" ? this.config.analyze.complexity : {};
+      const result = await detectComplexityViolations(
+        this.snapshot,
+        complexityConfig,
+        graphOptions?.graphComplexityData
+      );
+      if (result.ok) {
+        complexityReport = result.value;
+      } else {
+        analysisErrors.push({ analyzer: "complexity", error: result.error });
+      }
+    }
+    let couplingReport;
+    if (this.config.analyze.coupling) {
+      const couplingConfig = typeof this.config.analyze.coupling === "object" ? this.config.analyze.coupling : {};
+      const result = await detectCouplingViolations(
+        this.snapshot,
+        couplingConfig,
+        graphOptions?.graphCouplingData
+      );
+      if (result.ok) {
+        couplingReport = result.value;
+      } else {
+        analysisErrors.push({ analyzer: "coupling", error: result.error });
+      }
+    }
+    let sizeBudgetReport;
+    if (this.config.analyze.sizeBudget) {
+      const sizeBudgetConfig = typeof this.config.analyze.sizeBudget === "object" ? this.config.analyze.sizeBudget : {};
+      const result = await detectSizeBudgetViolations(this.config.rootDir, sizeBudgetConfig);
+      if (result.ok) {
+        sizeBudgetReport = result.value;
+      } else {
+        analysisErrors.push({ analyzer: "sizeBudget", error: result.error });
+      }
+    }
     const driftIssues = driftReport?.drifts.length || 0;
     const deadCodeIssues = (deadCodeReport?.deadExports.length || 0) + (deadCodeReport?.deadFiles.length || 0) + (deadCodeReport?.unusedImports.length || 0);
     const patternIssues = patternReport?.violations.length || 0;
     const patternErrors = patternReport?.stats.errorCount || 0;
     const patternWarnings = patternReport?.stats.warningCount || 0;
-    const totalIssues = driftIssues + deadCodeIssues + patternIssues;
+    const complexityIssues = complexityReport?.violations.length || 0;
+    const couplingIssues = couplingReport?.violations.length || 0;
+    const sizeBudgetIssues = sizeBudgetReport?.violations.length || 0;
+    const complexityErrors = complexityReport?.stats.errorCount || 0;
+    const complexityWarnings = complexityReport?.stats.warningCount || 0;
+    const couplingWarnings = couplingReport?.stats.warningCount || 0;
+    const sizeBudgetWarnings = sizeBudgetReport?.stats.warningCount || 0;
+    const totalIssues = driftIssues + deadCodeIssues + patternIssues + complexityIssues + couplingIssues + sizeBudgetIssues;
     const fixableCount = (deadCodeReport?.deadFiles.length || 0) + (deadCodeReport?.unusedImports.length || 0);
     const suggestions = generateSuggestions(deadCodeReport, driftReport, patternReport);
     const duration = Date.now() - startTime;
@@ -2486,8 +3021,8 @@ var EntropyAnalyzer = class {
       analysisErrors,
       summary: {
         totalIssues,
-        errors: patternErrors,
-        warnings: patternWarnings + driftIssues,
+        errors: patternErrors + complexityErrors,
+        warnings: patternWarnings + driftIssues + complexityWarnings + couplingWarnings + sizeBudgetWarnings,
         fixableCount,
         suggestionCount: suggestions.suggestions.length
       },
@@ -2503,6 +3038,15 @@ var EntropyAnalyzer = class {
     if (patternReport) {
       report.patterns = patternReport;
     }
+    if (complexityReport) {
+      report.complexity = complexityReport;
+    }
+    if (couplingReport) {
+      report.coupling = couplingReport;
+    }
+    if (sizeBudgetReport) {
+      report.sizeBudget = sizeBudgetReport;
+    }
     this.report = report;
     return Ok(report);
   }
@@ -2585,8 +3129,8 @@ var EntropyAnalyzer = class {
 // src/entropy/fixers/safe-fixes.ts
 import * as fs from "fs";
 import { promisify as promisify2 } from "util";
-import { dirname as dirname6, basename as basename4, join as join4 } from "path";
-var readFile3 = promisify2(fs.readFile);
+import { dirname as dirname6, basename as basename4, join as join5 } from "path";
+var readFile4 = promisify2(fs.readFile);
 var writeFile2 = promisify2(fs.writeFile);
 var unlink2 = promisify2(fs.unlink);
 var mkdir2 = promisify2(fs.mkdir);
@@ -2618,6 +3162,40 @@ function createUnusedImportFixes(deadCodeReport) {
     reversible: true
   }));
 }
+function createDeadExportFixes(deadCodeReport) {
+  return deadCodeReport.deadExports.filter((exp) => exp.reason === "NO_IMPORTERS").map((exp) => ({
+    type: "dead-exports",
+    file: exp.file,
+    description: `Remove export keyword from ${exp.name} (${exp.reason})`,
+    action: "replace",
+    oldContent: exp.isDefault ? `export default ${exp.type === "class" ? "class" : exp.type === "function" ? "function" : ""} ${exp.name}` : `export ${exp.type === "class" ? "class" : exp.type === "function" ? "function" : exp.type === "variable" ? "const" : exp.type === "type" ? "type" : exp.type === "interface" ? "interface" : "enum"} ${exp.name}`,
+    newContent: exp.isDefault ? `${exp.type === "class" ? "class" : exp.type === "function" ? "function" : ""} ${exp.name}` : `${exp.type === "class" ? "class" : exp.type === "function" ? "function" : exp.type === "variable" ? "const" : exp.type === "type" ? "type" : exp.type === "interface" ? "interface" : "enum"} ${exp.name}`,
+    safe: true,
+    reversible: true
+  }));
+}
+function createCommentedCodeFixes(blocks) {
+  return blocks.map((block) => ({
+    type: "commented-code",
+    file: block.file,
+    description: `Remove commented-out code block (lines ${block.startLine}-${block.endLine})`,
+    action: "replace",
+    oldContent: block.content,
+    newContent: "",
+    safe: true,
+    reversible: true
+  }));
+}
+function createOrphanedDepFixes(deps) {
+  return deps.map((dep) => ({
+    type: "orphaned-deps",
+    file: dep.packageJsonPath,
+    description: `Remove orphaned dependency: ${dep.name}`,
+    action: "replace",
+    safe: true,
+    reversible: true
+  }));
+}
 function createFixes(deadCodeReport, config) {
   const fullConfig = { ...DEFAULT_FIX_CONFIG, ...config };
   const fixes = [];
@@ -2627,6 +3205,9 @@ function createFixes(deadCodeReport, config) {
   if (fullConfig.fixTypes.includes("unused-imports")) {
     fixes.push(...createUnusedImportFixes(deadCodeReport));
   }
+  if (fullConfig.fixTypes.includes("dead-exports")) {
+    fixes.push(...createDeadExportFixes(deadCodeReport));
+  }
   return fixes;
 }
 function previewFix(fix) {
@@ -2647,7 +3228,7 @@ function previewFix(fix) {
   }
 }
 async function createBackup(filePath, backupDir) {
-  const backupPath = join4(backupDir, `${Date.now()}-${basename4(filePath)}`);
+  const backupPath = join5(backupDir, `${Date.now()}-${basename4(filePath)}`);
   try {
     await mkdir2(dirname6(backupPath), { recursive: true });
     await copyFile2(filePath, backupPath);
@@ -2680,7 +3261,7 @@ async function applySingleFix(fix, config) {
         break;
       case "delete-lines":
         if (fix.line !== void 0) {
-          const content = await readFile3(fix.file, "utf-8");
+          const content = await readFile4(fix.file, "utf-8");
           const lines = content.split("\n");
           lines.splice(fix.line - 1, 1);
           await writeFile2(fix.file, lines.join("\n"));
@@ -2688,14 +3269,14 @@ async function applySingleFix(fix, config) {
         break;
       case "replace":
         if (fix.oldContent && fix.newContent !== void 0) {
-          const content = await readFile3(fix.file, "utf-8");
+          const content = await readFile4(fix.file, "utf-8");
           const newContent = content.replace(fix.oldContent, fix.newContent);
           await writeFile2(fix.file, newContent);
         }
         break;
       case "insert":
         if (fix.line !== void 0 && fix.newContent) {
-          const content = await readFile3(fix.file, "utf-8");
+          const content = await readFile4(fix.file, "utf-8");
           const lines = content.split("\n");
           lines.splice(fix.line - 1, 0, fix.newContent);
           await writeFile2(fix.file, lines.join("\n"));
@@ -2747,6 +3328,133 @@ async function applyFixes(fixes, config) {
   });
 }
+// src/entropy/fixers/architecture-fixes.ts
+function createForbiddenImportFixes(violations) {
+  return violations.filter((v) => v.alternative !== void 0).map((v) => ({
+    type: "forbidden-import-replacement",
+    file: v.file,
+    description: `Replace forbidden import '${v.forbiddenImport}' with '${v.alternative}'`,
+    action: "replace",
+    line: v.line,
+    oldContent: `from '${v.forbiddenImport}'`,
+    newContent: `from '${v.alternative}'`,
+    safe: true,
+    reversible: true
+  }));
+}
+// src/entropy/fixers/cleanup-finding.ts
+var ALWAYS_UNSAFE_TYPES = /* @__PURE__ */ new Set([
+  "upward-dependency",
+  "skip-layer-dependency",
+  "circular-dependency",
+  "dead-internal"
+]);
+var idCounter = 0;
+function classifyFinding(input) {
+  idCounter++;
+  const id = `${input.concern === "dead-code" ? "dc" : "arch"}-${idCounter}`;
+  let safety;
+  let safetyReason;
+  let fixAction;
+  let suggestion;
+  if (ALWAYS_UNSAFE_TYPES.has(input.type)) {
+    safety = "unsafe";
+    safetyReason = `${input.type} requires human judgment`;
+    suggestion = "Review and refactor manually";
+  } else if (input.concern === "dead-code") {
+    if (input.isPublicApi) {
+      safety = "unsafe";
+      safetyReason = "Public API export may have external consumers";
+      suggestion = "Deprecate before removing";
+    } else if (input.type === "dead-export" || input.type === "unused-import" || input.type === "commented-code" || input.type === "dead-file") {
+      safety = "safe";
+      safetyReason = "zero importers, non-public";
+      fixAction = input.type === "dead-export" ? "Remove export keyword" : input.type === "dead-file" ? "Delete file" : input.type === "commented-code" ? "Delete commented block" : "Remove import";
+      suggestion = fixAction;
+    } else if (input.type === "orphaned-dep") {
+      safety = "probably-safe";
+      safetyReason = "No imports found, but needs install+test verification";
+      fixAction = "Remove from package.json";
+      suggestion = fixAction;
+    } else {
+      safety = "unsafe";
+      safetyReason = "Unknown dead code type";
+      suggestion = "Manual review required";
+    }
+  } else {
+    if (input.type === "import-ordering") {
+      safety = "safe";
+      safetyReason = "Mechanical reorder, no semantic change";
+      fixAction = "Reorder imports";
+      suggestion = fixAction;
+    } else if (input.type === "forbidden-import" && input.hasAlternative) {
+      safety = "probably-safe";
+      safetyReason = "Alternative configured, needs typecheck+test";
+      fixAction = "Replace with configured alternative";
+      suggestion = fixAction;
+    } else {
+      safety = "unsafe";
+      safetyReason = `${input.type} requires structural changes`;
+      suggestion = "Restructure code to fix violation";
+    }
+  }
+  return {
+    id,
+    concern: input.concern,
+    file: input.file,
+    ...input.line !== void 0 ? { line: input.line } : {},
+    type: input.type,
+    description: input.description,
+    safety,
+    safetyReason,
+    hotspotDowngraded: false,
+    ...fixAction !== void 0 ? { fixAction } : {},
+    suggestion
+  };
+}
+function applyHotspotDowngrade(finding, hotspot) {
+  if (finding.safety !== "safe") return finding;
+  const churn = hotspot.churnMap.get(finding.file) ?? 0;
+  if (churn >= hotspot.topPercentileThreshold) {
+    return {
+      ...finding,
+      safety: "probably-safe",
+      safetyReason: `${finding.safetyReason}; downgraded due to high churn (${churn} commits)`,
+      hotspotDowngraded: true
+    };
+  }
+  return finding;
+}
+function deduplicateCleanupFindings(findings) {
+  const byFileAndLine = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const key = `${f.file}:${f.line ?? "none"}`;
+    const group = byFileAndLine.get(key) ?? [];
+    group.push(f);
+    byFileAndLine.set(key, group);
+  }
+  const result = [];
+  for (const group of byFileAndLine.values()) {
+    if (group.length === 1) {
+      result.push(group[0]);
+      continue;
+    }
+    const deadCode = group.find((f) => f.concern === "dead-code");
+    const arch = group.find((f) => f.concern === "architecture");
+    if (deadCode && arch) {
+      result.push({
+        ...deadCode,
+        description: `${deadCode.description} (also violates architecture: ${arch.type})`,
+        suggestion: deadCode.fixAction ? `${deadCode.fixAction} (resolves both dead code and architecture violation)` : deadCode.suggestion
+      });
+    } else {
+      result.push(...group);
+    }
+  }
+  return result;
+}
 // src/entropy/config/schema.ts
 import { z } from "zod";
 var MustExportRuleSchema = z.object({
@@ -2856,33 +3564,382 @@ function validatePatternConfig(config) {
   return Ok(result.data);
 }
-// src/feedback/telemetry/noop.ts
-var NoOpTelemetryAdapter = class {
-  name = "noop";
-  async health() {
-    return Ok({ available: true, message: "NoOp adapter - no real telemetry" });
+// src/performance/baseline-manager.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { join as join6, dirname as dirname7 } from "path";
+var BaselineManager = class {
+  baselinesPath;
+  constructor(projectRoot) {
+    this.baselinesPath = join6(projectRoot, ".harness", "perf", "baselines.json");
   }
-  async getMetrics() {
-    return Ok([]);
+  /**
+   * Load the baselines file from disk.
+   * Returns null if the file does not exist or contains invalid JSON.
+   */
+  load() {
+    if (!existsSync(this.baselinesPath)) {
+      return null;
+    }
+    try {
+      const raw = readFileSync(this.baselinesPath, "utf-8");
+      return JSON.parse(raw);
+    } catch {
+      return null;
+    }
   }
-  async getTraces() {
-    return Ok([]);
+  /**
+   * Save benchmark results to disk, merging with any existing baselines.
+   * Each result is keyed by `${file}::${name}`.
+   */
+  save(results, commitHash) {
+    const existing = this.load();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const benchmarks = existing?.benchmarks ? { ...existing.benchmarks } : {};
+    for (const result of results) {
+      const key = `${result.file}::${result.name}`;
+      benchmarks[key] = {
+        opsPerSec: result.opsPerSec,
+        meanMs: result.meanMs,
+        p99Ms: result.p99Ms,
+        marginOfError: result.marginOfError
+      };
+    }
+    const file = {
+      version: 1,
+      updatedAt: now,
+      updatedFrom: commitHash,
+      benchmarks
+    };
+    const dir = dirname7(this.baselinesPath);
+    if (!existsSync(dir)) {
+      mkdirSync(dir, { recursive: true });
+    }
+    writeFileSync(this.baselinesPath, JSON.stringify(file, null, 2));
   }
-  async getLogs() {
-    return Ok([]);
+  /**
+   * Remove baselines whose file prefix does not match any of the given bench files.
+   * This cleans up entries for deleted benchmark files.
+   */
+  prune(existingBenchFiles) {
+    const existing = this.load();
+    if (!existing) {
+      return;
+    }
+    const fileSet = new Set(existingBenchFiles);
+    const pruned = {};
+    for (const [key, baseline] of Object.entries(existing.benchmarks)) {
+      const filePrefix = key.split("::")[0];
+      if (fileSet.has(filePrefix)) {
+        pruned[key] = baseline;
+      }
+    }
+    existing.benchmarks = pruned;
+    writeFileSync(this.baselinesPath, JSON.stringify(existing, null, 2));
   }
 };
-// src/shared/uuid.ts
-function generateId() {
-  if (typeof globalThis !== "undefined" && "crypto" in globalThis && typeof globalThis.crypto.randomUUID === "function") {
-    return globalThis.crypto.randomUUID();
+// src/performance/benchmark-runner.ts
+import { execFileSync } from "child_process";
+var BenchmarkRunner = class {
+  /**
+   * Discover .bench.ts files matching the glob pattern.
+   */
+  discover(cwd, glob2) {
+    try {
+      const result = execFileSync(
+        "find",
+        [
+          cwd,
+          "-name",
+          "*.bench.ts",
+          "-not",
+          "-path",
+          "*/node_modules/*",
+          "-not",
+          "-path",
+          "*/dist/*"
+        ],
+        { encoding: "utf-8", timeout: 5e3 }
+      ).trim();
+      if (!result) return [];
+      const files = result.split("\n").filter(Boolean);
+      if (glob2 && glob2 !== "**/*.bench.ts") {
+        return files.filter((f) => f.includes(glob2.replace(/\*/g, "")));
+      }
+      return files;
+    } catch {
+      return [];
+    }
   }
-  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function(c) {
-    const r = Math.random() * 16 | 0;
-    const v = c === "x" ? r : r & 3 | 8;
-    return v.toString(16);
-  });
+  /**
+   * Run benchmarks via vitest bench and capture results.
+   * Returns parsed BenchmarkResult[] from vitest bench JSON output.
+   */
+  async run(options = {}) {
+    const cwd = options.cwd ?? process.cwd();
+    const timeout = options.timeout ?? 12e4;
+    const glob2 = options.glob;
+    const args = ["vitest", "bench", "--run"];
+    if (glob2) {
+      args.push(glob2);
+    }
+    args.push("--reporter=json");
+    try {
+      const rawOutput = execFileSync("npx", args, {
+        cwd,
+        encoding: "utf-8",
+        timeout,
+        stdio: ["pipe", "pipe", "pipe"]
+      });
+      const results = this.parseVitestBenchOutput(rawOutput);
+      return { results, rawOutput, success: true };
+    } catch (error) {
+      const err = error;
+      const output = err.stdout || err.message || "";
+      const results = this.parseVitestBenchOutput(output);
+      return {
+        results,
+        rawOutput: output,
+        success: results.length > 0
+      };
+    }
+  }
+  /**
+   * Parse vitest bench JSON reporter output into BenchmarkResult[].
+   * Vitest bench JSON output contains testResults with benchmark data.
+   */
+  parseVitestBenchOutput(output) {
+    const results = [];
+    try {
+      const jsonStart = output.indexOf("{");
+      const jsonEnd = output.lastIndexOf("}");
+      if (jsonStart === -1 || jsonEnd === -1) return results;
+      const jsonStr = output.slice(jsonStart, jsonEnd + 1);
+      const parsed = JSON.parse(jsonStr);
+      if (parsed.testResults) {
+        for (const testResult of parsed.testResults) {
+          const file = testResult.name || testResult.filepath || "";
+          if (testResult.assertionResults) {
+            for (const assertion of testResult.assertionResults) {
+              if (assertion.benchmark) {
+                const bench = assertion.benchmark;
+                results.push({
+                  name: assertion.fullName || assertion.title || "unknown",
+                  file: file.replace(process.cwd() + "/", ""),
+                  opsPerSec: Math.round(bench.hz || 0),
+                  meanMs: bench.mean ? bench.mean * 1e3 : 0,
+                  // p99: use actual p99 if available, otherwise estimate as 1.5× mean
+                  p99Ms: bench.p99 ? bench.p99 * 1e3 : bench.mean ? bench.mean * 1e3 * 1.5 : 0,
+                  marginOfError: bench.rme ? bench.rme / 100 : 0.05
+                });
+              }
+            }
+          }
+        }
+      }
+    } catch {
+    }
+    return results;
+  }
+};
+// src/performance/regression-detector.ts
+var RegressionDetector = class {
+  detect(results, baselines, criticalPaths) {
+    const regressions = [];
+    const improvements = [];
+    let newBenchmarks = 0;
+    for (const current of results) {
+      const key = `${current.file}::${current.name}`;
+      const baseline = baselines[key];
+      if (!baseline) {
+        newBenchmarks++;
+        continue;
+      }
+      const regressionPct = (baseline.opsPerSec - current.opsPerSec) / baseline.opsPerSec * 100;
+      const noiseThreshold = (baseline.marginOfError + current.marginOfError) * 100;
+      const withinNoise = Math.abs(regressionPct) <= noiseThreshold;
+      if (regressionPct < 0) {
+        improvements.push({ benchmark: key, improvementPct: Math.abs(regressionPct) });
+        continue;
+      }
+      const isCriticalPath = criticalPaths.entries.some(
+        (e) => current.file.includes(e.file) || current.name === e.function
+      );
+      let tier;
+      let severity;
+      if (isCriticalPath && regressionPct > 5 && !withinNoise) {
+        tier = 1;
+        severity = "error";
+      } else if (regressionPct > 10 && !withinNoise) {
+        tier = 2;
+        severity = "warning";
+      } else {
+        tier = 3;
+        severity = "info";
+      }
+      regressions.push({
+        benchmark: key,
+        current,
+        baseline,
+        regressionPct,
+        isCriticalPath,
+        tier,
+        severity,
+        withinNoise
+      });
+    }
+    return {
+      regressions,
+      improvements,
+      stats: {
+        benchmarksCompared: results.length - newBenchmarks,
+        regressionCount: regressions.filter((r) => !r.withinNoise).length,
+        improvementCount: improvements.length,
+        newBenchmarks
+      }
+    };
+  }
+};
+// src/performance/critical-path.ts
+import * as fs2 from "fs";
+import * as path from "path";
+var SKIP_DIRS = /* @__PURE__ */ new Set(["node_modules", "dist", ".git"]);
+var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx"]);
+var FUNCTION_DECL_RE = /(?:export\s+)?(?:async\s+)?function\s+(\w+)/;
+var CONST_DECL_RE = /(?:export\s+)?(?:const|let)\s+(\w+)\s*=/;
+var CriticalPathResolver = class {
+  projectRoot;
+  constructor(projectRoot) {
+    this.projectRoot = projectRoot;
+  }
+  async resolve(graphData) {
+    const annotated = await this.scanAnnotations();
+    const seen = /* @__PURE__ */ new Map();
+    for (const entry of annotated) {
+      const key = `${entry.file}::${entry.function}`;
+      seen.set(key, entry);
+    }
+    let graphInferred = 0;
+    if (graphData) {
+      for (const item of graphData.highFanInFunctions) {
+        const key = `${item.file}::${item.function}`;
+        if (!seen.has(key)) {
+          seen.set(key, {
+            file: item.file,
+            function: item.function,
+            source: "graph-inferred",
+            fanIn: item.fanIn
+          });
+          graphInferred++;
+        }
+      }
+    }
+    const entries = Array.from(seen.values());
+    const annotatedCount = annotated.length;
+    return {
+      entries,
+      stats: {
+        annotated: annotatedCount,
+        graphInferred,
+        total: entries.length
+      }
+    };
+  }
+  async scanAnnotations() {
+    const entries = [];
+    this.walkDir(this.projectRoot, entries);
+    return entries;
+  }
+  walkDir(dir, entries) {
+    let items;
+    try {
+      items = fs2.readdirSync(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const item of items) {
+      if (item.isDirectory()) {
+        if (SKIP_DIRS.has(item.name)) continue;
+        this.walkDir(path.join(dir, item.name), entries);
+      } else if (item.isFile() && SOURCE_EXTENSIONS.has(path.extname(item.name))) {
+        this.scanFile(path.join(dir, item.name), entries);
+      }
+    }
+  }
+  scanFile(filePath, entries) {
+    let content;
+    try {
+      content = fs2.readFileSync(filePath, "utf-8");
+    } catch {
+      return;
+    }
+    const lines = content.split("\n");
+    const relativePath = path.relative(this.projectRoot, filePath);
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (!line.includes("@perf-critical")) continue;
+      for (let j = i + 1; j < lines.length; j++) {
+        const nextLine = lines[j].trim();
+        if (nextLine === "" || nextLine === "*/" || nextLine === "*") continue;
+        if (nextLine.startsWith("*") || nextLine.startsWith("//")) continue;
+        const funcMatch = nextLine.match(FUNCTION_DECL_RE);
+        if (funcMatch && funcMatch[1]) {
+          entries.push({
+            file: relativePath,
+            function: funcMatch[1],
+            source: "annotation"
+          });
+        } else {
+          const constMatch = nextLine.match(CONST_DECL_RE);
+          if (constMatch && constMatch[1]) {
+            entries.push({
+              file: relativePath,
+              function: constMatch[1],
+              source: "annotation"
+            });
+          }
+        }
+        break;
+      }
+    }
+  }
+};
+// src/feedback/telemetry/noop.ts
+var NoOpTelemetryAdapter = class {
+  name = "noop";
+  async health() {
+    return Ok({ available: true, message: "NoOp adapter - no real telemetry" });
+  }
+  async getMetrics() {
+    return Ok([]);
+  }
+  async getTraces() {
+    return Ok([]);
+  }
+  async getLogs() {
+    return Ok([]);
+  }
+};
+// src/shared/uuid.ts
+function generateId() {
+  if (typeof globalThis !== "undefined" && "crypto" in globalThis && typeof globalThis.crypto.randomUUID === "function") {
+    return globalThis.crypto.randomUUID();
+  }
+  if (typeof globalThis.crypto?.getRandomValues !== "function") {
+    throw new Error(
+      "No cryptographic random source available \u2014 requires Node.js 15+ or a browser with Web Crypto API"
+    );
+  }
+  const bytes = new Uint8Array(16);
+  globalThis.crypto.getRandomValues(bytes);
+  bytes[6] = bytes[6] & 15 | 64;
+  bytes[8] = bytes[8] & 63 | 128;
+  const hex = [...bytes].map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
 }
 // src/feedback/executor/noop.ts
@@ -3543,8 +4600,8 @@ async function requestMultiplePeerReviews(requests) {
 }
 // src/feedback/logging/file-sink.ts
-import { appendFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
-import { dirname as dirname7 } from "path";
+import { appendFileSync, writeFileSync as writeFileSync2, existsSync as existsSync2, mkdirSync as mkdirSync2 } from "fs";
+import { dirname as dirname8 } from "path";
 var FileSink = class {
   name = "file";
   filePath;
@@ -3567,9 +4624,9 @@ var FileSink = class {
   }
   ensureDirectory() {
     if (!this.initialized) {
-      const dir = dirname7(this.filePath);
-      if (!existsSync(dir)) {
-        mkdirSync(dir, { recursive: true });
+      const dir = dirname8(this.filePath);
+      if (!existsSync2(dir)) {
+        mkdirSync2(dir, { recursive: true });
       }
       this.initialized = true;
     }
@@ -3599,8 +4656,8 @@ var FileSink = class {
       this.ensureDirectory();
       const content = this.buffer.join("");
       this.buffer = [];
-      if (this.options.mode === "overwrite" && !existsSync(this.filePath)) {
-        writeFileSync(this.filePath, content);
+      if (this.options.mode === "overwrite" && !existsSync2(this.filePath)) {
+        writeFileSync2(this.filePath, content);
       } else {
         appendFileSync(this.filePath, content);
       }
@@ -3712,22 +4769,296 @@ var DEFAULT_STATE = {
 };
 // src/state/state-manager.ts
-import * as fs2 from "fs";
-import * as path from "path";
+import * as fs4 from "fs";
+import * as path3 from "path";
+import { execSync as execSync2 } from "child_process";
+// src/state/stream-resolver.ts
+import * as fs3 from "fs";
+import * as path2 from "path";
 import { execSync } from "child_process";
+// src/state/stream-types.ts
+import { z as z3 } from "zod";
+var StreamInfoSchema = z3.object({
+  name: z3.string(),
+  branch: z3.string().optional(),
+  createdAt: z3.string(),
+  lastActiveAt: z3.string()
+});
+var StreamIndexSchema = z3.object({
+  schemaVersion: z3.literal(1),
+  activeStream: z3.string().nullable(),
+  streams: z3.record(StreamInfoSchema)
+});
+var DEFAULT_STREAM_INDEX = {
+  schemaVersion: 1,
+  activeStream: null,
+  streams: {}
+};
+// src/state/stream-resolver.ts
 var HARNESS_DIR = ".harness";
+var STREAMS_DIR = "streams";
+var INDEX_FILE = "index.json";
+var STREAM_NAME_REGEX = /^[a-z0-9][a-z0-9._-]*$/;
+function streamsDir(projectPath) {
+  return path2.join(projectPath, HARNESS_DIR, STREAMS_DIR);
+}
+function indexPath(projectPath) {
+  return path2.join(streamsDir(projectPath), INDEX_FILE);
+}
+function validateStreamName(name) {
+  if (!STREAM_NAME_REGEX.test(name)) {
+    return Err(
+      new Error(
+        `Invalid stream name '${name}'. Names must match [a-z0-9][a-z0-9._-]* (lowercase alphanumeric, dots, hyphens, underscores).`
+      )
+    );
+  }
+  return Ok(void 0);
+}
+async function loadStreamIndex(projectPath) {
+  const idxPath = indexPath(projectPath);
+  if (!fs3.existsSync(idxPath)) {
+    return Ok({ ...DEFAULT_STREAM_INDEX, streams: {} });
+  }
+  try {
+    const raw = fs3.readFileSync(idxPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    const result = StreamIndexSchema.safeParse(parsed);
+    if (!result.success) {
+      return Err(new Error(`Invalid stream index: ${result.error.message}`));
+    }
+    return Ok(result.data);
+  } catch (error) {
+    return Err(
+      new Error(
+        `Failed to load stream index: ${error instanceof Error ? error.message : String(error)}`
+      )
+    );
+  }
+}
+async function saveStreamIndex(projectPath, index) {
+  const dir = streamsDir(projectPath);
+  try {
+    fs3.mkdirSync(dir, { recursive: true });
+    fs3.writeFileSync(indexPath(projectPath), JSON.stringify(index, null, 2));
+    return Ok(void 0);
+  } catch (error) {
+    return Err(
+      new Error(
+        `Failed to save stream index: ${error instanceof Error ? error.message : String(error)}`
+      )
+    );
+  }
+}
+var branchCache = /* @__PURE__ */ new Map();
+var BRANCH_CACHE_TTL_MS = 3e4;
+function getCurrentBranch(projectPath) {
+  const cached = branchCache.get(projectPath);
+  if (cached && Date.now() - cached.timestamp < BRANCH_CACHE_TTL_MS) {
+    return cached.branch;
+  }
+  try {
+    const branch = execSync("git rev-parse --abbrev-ref HEAD", {
+      cwd: projectPath,
+      stdio: "pipe"
+    }).toString().trim();
+    branchCache.set(projectPath, { branch, timestamp: Date.now() });
+    return branch;
+  } catch {
+    branchCache.set(projectPath, { branch: null, timestamp: Date.now() });
+    return null;
+  }
+}
+async function resolveStreamPath(projectPath, options) {
+  const idxResult = await loadStreamIndex(projectPath);
+  if (!idxResult.ok) return idxResult;
+  const index = idxResult.value;
+  if (options?.stream) {
+    if (!index.streams[options.stream]) {
+      return Err(
+        new Error(
+          `Stream '${options.stream}' not found. Known streams: ${Object.keys(index.streams).join(", ") || "none"}`
+        )
+      );
+    }
+    return Ok(path2.join(streamsDir(projectPath), options.stream));
+  }
+  const branch = getCurrentBranch(projectPath);
+  if (branch && branch !== "main" && branch !== "master") {
+    for (const [name, info] of Object.entries(index.streams)) {
+      if (info.branch === branch) {
+        return Ok(path2.join(streamsDir(projectPath), name));
+      }
+    }
+  }
+  if (index.activeStream && index.streams[index.activeStream]) {
+    return Ok(path2.join(streamsDir(projectPath), index.activeStream));
+  }
+  return Err(
+    new Error(
+      `Cannot resolve stream. Specify --stream <name> or create a stream. Known streams: ${Object.keys(index.streams).join(", ") || "none"}`
+    )
+  );
+}
+async function touchStream(projectPath, name) {
+  const idxResult = await loadStreamIndex(projectPath);
+  if (!idxResult.ok) return idxResult;
+  const index = idxResult.value;
+  if (!index.streams[name]) {
+    return Err(new Error(`Stream '${name}' not found`));
+  }
+  index.streams[name].lastActiveAt = (/* @__PURE__ */ new Date()).toISOString();
+  index.activeStream = name;
+  return saveStreamIndex(projectPath, index);
+}
+async function createStream(projectPath, name, branch) {
+  const nameCheck = validateStreamName(name);
+  if (!nameCheck.ok) return nameCheck;
+  const idxResult = await loadStreamIndex(projectPath);
+  if (!idxResult.ok) return idxResult;
+  const index = idxResult.value;
+  if (index.streams[name]) {
+    return Err(new Error(`Stream '${name}' already exists`));
+  }
+  const streamPath = path2.join(streamsDir(projectPath), name);
+  try {
+    fs3.mkdirSync(streamPath, { recursive: true });
+  } catch (error) {
+    return Err(
+      new Error(
+        `Failed to create stream directory: ${error instanceof Error ? error.message : String(error)}`
+      )
+    );
+  }
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  index.streams[name] = {
+    name,
+    branch,
+    createdAt: now,
+    lastActiveAt: now
+  };
+  const saveResult = await saveStreamIndex(projectPath, index);
+  if (!saveResult.ok) return saveResult;
+  return Ok(streamPath);
+}
+async function listStreams(projectPath) {
+  const idxResult = await loadStreamIndex(projectPath);
+  if (!idxResult.ok) return idxResult;
+  return Ok(Object.values(idxResult.value.streams));
+}
+async function setActiveStream(projectPath, name) {
+  const idxResult = await loadStreamIndex(projectPath);
+  if (!idxResult.ok) return idxResult;
+  const index = idxResult.value;
+  if (!index.streams[name]) {
+    return Err(new Error(`Stream '${name}' not found`));
+  }
+  index.activeStream = name;
+  return saveStreamIndex(projectPath, index);
+}
+async function archiveStream(projectPath, name) {
+  const idxResult = await loadStreamIndex(projectPath);
+  if (!idxResult.ok) return idxResult;
+  const index = idxResult.value;
+  if (!index.streams[name]) {
+    return Err(new Error(`Stream '${name}' not found`));
+  }
+  const streamPath = path2.join(streamsDir(projectPath), name);
+  const archiveDir = path2.join(projectPath, HARNESS_DIR, "archive", "streams");
+  try {
+    fs3.mkdirSync(archiveDir, { recursive: true });
+    const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+    fs3.renameSync(streamPath, path2.join(archiveDir, `${name}-${date}`));
+  } catch (error) {
+    return Err(
+      new Error(
+        `Failed to archive stream: ${error instanceof Error ? error.message : String(error)}`
+      )
+    );
+  }
+  delete index.streams[name];
+  if (index.activeStream === name) {
+    index.activeStream = null;
+  }
+  return saveStreamIndex(projectPath, index);
+}
+function getStreamForBranch(index, branch) {
+  for (const [name, info] of Object.entries(index.streams)) {
+    if (info.branch === branch) return name;
+  }
+  return null;
+}
+var STATE_FILES = ["state.json", "handoff.json", "learnings.md", "failures.md"];
+async function migrateToStreams(projectPath) {
+  const harnessDir = path2.join(projectPath, HARNESS_DIR);
+  if (fs3.existsSync(indexPath(projectPath))) {
+    return Ok(void 0);
+  }
+  const filesToMove = STATE_FILES.filter((f) => fs3.existsSync(path2.join(harnessDir, f)));
+  if (filesToMove.length === 0) {
+    return Ok(void 0);
+  }
+  const defaultDir = path2.join(streamsDir(projectPath), "default");
+  try {
+    fs3.mkdirSync(defaultDir, { recursive: true });
+    for (const file of filesToMove) {
+      fs3.renameSync(path2.join(harnessDir, file), path2.join(defaultDir, file));
+    }
+  } catch (error) {
+    return Err(
+      new Error(`Migration failed: ${error instanceof Error ? error.message : String(error)}`)
+    );
+  }
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const index = {
+    schemaVersion: 1,
+    activeStream: "default",
+    streams: {
+      default: {
+        name: "default",
+        createdAt: now,
+        lastActiveAt: now
+      }
+    }
+  };
+  return saveStreamIndex(projectPath, index);
+}
+// src/state/state-manager.ts
+var HARNESS_DIR2 = ".harness";
 var STATE_FILE = "state.json";
 var LEARNINGS_FILE = "learnings.md";
 var FAILURES_FILE = "failures.md";
 var HANDOFF_FILE = "handoff.json";
 var GATE_CONFIG_FILE = "gate.json";
-async function loadState(projectPath) {
-  const statePath = path.join(projectPath, HARNESS_DIR, STATE_FILE);
-  if (!fs2.existsSync(statePath)) {
-    return Ok({ ...DEFAULT_STATE });
+var INDEX_FILE2 = "index.json";
+async function getStateDir(projectPath, stream) {
+  const streamsIndexPath = path3.join(projectPath, HARNESS_DIR2, "streams", INDEX_FILE2);
+  const hasStreams = fs4.existsSync(streamsIndexPath);
+  if (stream || hasStreams) {
+    const result = await resolveStreamPath(projectPath, stream ? { stream } : void 0);
+    if (result.ok) {
+      return result;
+    }
+    if (stream) {
+      return result;
+    }
   }
+  return Ok(path3.join(projectPath, HARNESS_DIR2));
+}
+async function loadState(projectPath, stream) {
   try {
-    const raw = fs2.readFileSync(statePath, "utf-8");
+    const dirResult = await getStateDir(projectPath, stream);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const statePath = path3.join(stateDir, STATE_FILE);
+    if (!fs4.existsSync(statePath)) {
+      return Ok({ ...DEFAULT_STATE });
+    }
+    const raw = fs4.readFileSync(statePath, "utf-8");
     const parsed = JSON.parse(raw);
     const result = HarnessStateSchema.safeParse(parsed);
     if (!result.success) {
@@ -3736,18 +5067,18 @@ async function loadState(projectPath) {
     return Ok(result.data);
   } catch (error) {
     return Err(
-      new Error(
-        `Failed to load state from ${statePath}: ${error instanceof Error ? error.message : String(error)}`
-      )
+      new Error(`Failed to load state: ${error instanceof Error ? error.message : String(error)}`)
     );
   }
 }
-async function saveState(projectPath, state) {
-  const harnessDir = path.join(projectPath, HARNESS_DIR);
-  const statePath = path.join(harnessDir, STATE_FILE);
+async function saveState(projectPath, state, stream) {
   try {
-    fs2.mkdirSync(harnessDir, { recursive: true });
-    fs2.writeFileSync(statePath, JSON.stringify(state, null, 2));
+    const dirResult = await getStateDir(projectPath, stream);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const statePath = path3.join(stateDir, STATE_FILE);
+    fs4.mkdirSync(stateDir, { recursive: true });
+    fs4.writeFileSync(statePath, JSON.stringify(state, null, 2));
     return Ok(void 0);
   } catch (error) {
     return Err(
@@ -3755,11 +5086,13 @@ async function saveState(projectPath, state) {
     );
   }
 }
-async function appendLearning(projectPath, learning, skillName, outcome) {
-  const harnessDir = path.join(projectPath, HARNESS_DIR);
-  const learningsPath = path.join(harnessDir, LEARNINGS_FILE);
+async function appendLearning(projectPath, learning, skillName, outcome, stream) {
   try {
-    fs2.mkdirSync(harnessDir, { recursive: true });
+    const dirResult = await getStateDir(projectPath, stream);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const learningsPath = path3.join(stateDir, LEARNINGS_FILE);
+    fs4.mkdirSync(stateDir, { recursive: true });
     const timestamp = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
     let entry;
     if (skillName && outcome) {
@@ -3775,11 +5108,11 @@ async function appendLearning(projectPath, learning, skillName, outcome) {
 - **${timestamp}:** ${learning}
 `;
     }
-    if (!fs2.existsSync(learningsPath)) {
-      fs2.writeFileSync(learningsPath, `# Learnings
+    if (!fs4.existsSync(learningsPath)) {
+      fs4.writeFileSync(learningsPath, `# Learnings
 ${entry}`);
     } else {
-      fs2.appendFileSync(learningsPath, entry);
+      fs4.appendFileSync(learningsPath, entry);
     }
     return Ok(void 0);
   } catch (error) {
@@ -3790,13 +5123,16 @@ ${entry}`);
     );
   }
 }
-async function loadRelevantLearnings(projectPath, skillName) {
-  const learningsPath = path.join(projectPath, HARNESS_DIR, LEARNINGS_FILE);
-  if (!fs2.existsSync(learningsPath)) {
-    return Ok([]);
-  }
+async function loadRelevantLearnings(projectPath, skillName, stream) {
   try {
-    const content = fs2.readFileSync(learningsPath, "utf-8");
+    const dirResult = await getStateDir(projectPath, stream);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const learningsPath = path3.join(stateDir, LEARNINGS_FILE);
+    if (!fs4.existsSync(learningsPath)) {
+      return Ok([]);
+    }
+    const content = fs4.readFileSync(learningsPath, "utf-8");
     const lines = content.split("\n");
     const entries = [];
     let currentBlock = [];
@@ -3830,20 +5166,22 @@ async function loadRelevantLearnings(projectPath, skillName) {
   }
 }
 var FAILURE_LINE_REGEX = /^- \*\*(\d{4}-\d{2}-\d{2}) \[skill:([^\]]+)\] \[type:([^\]]+)\]:\*\* (.+)$/;
-async function appendFailure(projectPath, description, skillName, type) {
-  const harnessDir = path.join(projectPath, HARNESS_DIR);
-  const failuresPath = path.join(harnessDir, FAILURES_FILE);
+async function appendFailure(projectPath, description, skillName, type, stream) {
   try {
-    fs2.mkdirSync(harnessDir, { recursive: true });
+    const dirResult = await getStateDir(projectPath, stream);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const failuresPath = path3.join(stateDir, FAILURES_FILE);
+    fs4.mkdirSync(stateDir, { recursive: true });
     const timestamp = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
     const entry = `
 - **${timestamp} [skill:${skillName}] [type:${type}]:** ${description}
 `;
-    if (!fs2.existsSync(failuresPath)) {
-      fs2.writeFileSync(failuresPath, `# Failures
+    if (!fs4.existsSync(failuresPath)) {
+      fs4.writeFileSync(failuresPath, `# Failures
 ${entry}`);
     } else {
-      fs2.appendFileSync(failuresPath, entry);
+      fs4.appendFileSync(failuresPath, entry);
     }
     return Ok(void 0);
   } catch (error) {
@@ -3854,13 +5192,16 @@ ${entry}`);
     );
   }
 }
-async function loadFailures(projectPath) {
-  const failuresPath = path.join(projectPath, HARNESS_DIR, FAILURES_FILE);
-  if (!fs2.existsSync(failuresPath)) {
-    return Ok([]);
-  }
+async function loadFailures(projectPath, stream) {
   try {
-    const content = fs2.readFileSync(failuresPath, "utf-8");
+    const dirResult = await getStateDir(projectPath, stream);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const failuresPath = path3.join(stateDir, FAILURES_FILE);
+    if (!fs4.existsSync(failuresPath)) {
+      return Ok([]);
+    }
+    const content = fs4.readFileSync(failuresPath, "utf-8");
     const entries = [];
     for (const line of content.split("\n")) {
       const match = line.match(FAILURE_LINE_REGEX);
@@ -3882,23 +5223,25 @@ async function loadFailures(projectPath) {
     );
   }
 }
-async function archiveFailures(projectPath) {
-  const harnessDir = path.join(projectPath, HARNESS_DIR);
-  const failuresPath = path.join(harnessDir, FAILURES_FILE);
-  if (!fs2.existsSync(failuresPath)) {
-    return Ok(void 0);
-  }
+async function archiveFailures(projectPath, stream) {
   try {
-    const archiveDir = path.join(harnessDir, "archive");
-    fs2.mkdirSync(archiveDir, { recursive: true });
+    const dirResult = await getStateDir(projectPath, stream);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const failuresPath = path3.join(stateDir, FAILURES_FILE);
+    if (!fs4.existsSync(failuresPath)) {
+      return Ok(void 0);
+    }
+    const archiveDir = path3.join(stateDir, "archive");
+    fs4.mkdirSync(archiveDir, { recursive: true });
     const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
     let archiveName = `failures-${date}.md`;
     let counter = 2;
-    while (fs2.existsSync(path.join(archiveDir, archiveName))) {
+    while (fs4.existsSync(path3.join(archiveDir, archiveName))) {
       archiveName = `failures-${date}-${counter}.md`;
       counter++;
     }
-    fs2.renameSync(failuresPath, path.join(archiveDir, archiveName));
+    fs4.renameSync(failuresPath, path3.join(archiveDir, archiveName));
     return Ok(void 0);
   } catch (error) {
     return Err(
@@ -3908,12 +5251,14 @@ async function archiveFailures(projectPath) {
     );
   }
 }
-async function saveHandoff(projectPath, handoff) {
-  const harnessDir = path.join(projectPath, HARNESS_DIR);
-  const handoffPath = path.join(harnessDir, HANDOFF_FILE);
+async function saveHandoff(projectPath, handoff, stream) {
   try {
-    fs2.mkdirSync(harnessDir, { recursive: true });
-    fs2.writeFileSync(handoffPath, JSON.stringify(handoff, null, 2));
+    const dirResult = await getStateDir(projectPath, stream);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const handoffPath = path3.join(stateDir, HANDOFF_FILE);
+    fs4.mkdirSync(stateDir, { recursive: true });
+    fs4.writeFileSync(handoffPath, JSON.stringify(handoff, null, 2));
     return Ok(void 0);
   } catch (error) {
     return Err(
@@ -3921,13 +5266,16 @@ async function saveHandoff(projectPath, handoff) {
     );
   }
 }
-async function loadHandoff(projectPath) {
-  const handoffPath = path.join(projectPath, HARNESS_DIR, HANDOFF_FILE);
-  if (!fs2.existsSync(handoffPath)) {
-    return Ok(null);
-  }
+async function loadHandoff(projectPath, stream) {
   try {
-    const raw = fs2.readFileSync(handoffPath, "utf-8");
+    const dirResult = await getStateDir(projectPath, stream);
+    if (!dirResult.ok) return dirResult;
+    const stateDir = dirResult.value;
+    const handoffPath = path3.join(stateDir, HANDOFF_FILE);
+    if (!fs4.existsSync(handoffPath)) {
+      return Ok(null);
+    }
+    const raw = fs4.readFileSync(handoffPath, "utf-8");
     const parsed = JSON.parse(raw);
     const result = HandoffSchema.safeParse(parsed);
     if (!result.success) {
@@ -3941,40 +5289,51 @@ async function loadHandoff(projectPath) {
   }
 }
 async function runMechanicalGate(projectPath) {
-  const harnessDir = path.join(projectPath, HARNESS_DIR);
-  const gateConfigPath = path.join(harnessDir, GATE_CONFIG_FILE);
+  const harnessDir = path3.join(projectPath, HARNESS_DIR2);
+  const gateConfigPath = path3.join(harnessDir, GATE_CONFIG_FILE);
   try {
     let checks = [];
-    if (fs2.existsSync(gateConfigPath)) {
-      const raw = JSON.parse(fs2.readFileSync(gateConfigPath, "utf-8"));
+    if (fs4.existsSync(gateConfigPath)) {
+      const raw = JSON.parse(fs4.readFileSync(gateConfigPath, "utf-8"));
       const config = GateConfigSchema.safeParse(raw);
       if (config.success && config.data.checks) {
         checks = config.data.checks;
       }
     }
     if (checks.length === 0) {
-      const packageJsonPath = path.join(projectPath, "package.json");
-      if (fs2.existsSync(packageJsonPath)) {
-        const pkg = JSON.parse(fs2.readFileSync(packageJsonPath, "utf-8"));
+      const packageJsonPath = path3.join(projectPath, "package.json");
+      if (fs4.existsSync(packageJsonPath)) {
+        const pkg = JSON.parse(fs4.readFileSync(packageJsonPath, "utf-8"));
         const scripts = pkg.scripts || {};
         if (scripts.test) checks.push({ name: "test", command: "npm test" });
         if (scripts.lint) checks.push({ name: "lint", command: "npm run lint" });
         if (scripts.typecheck) checks.push({ name: "typecheck", command: "npm run typecheck" });
         if (scripts.build) checks.push({ name: "build", command: "npm run build" });
       }
-      if (fs2.existsSync(path.join(projectPath, "go.mod"))) {
+      if (fs4.existsSync(path3.join(projectPath, "go.mod"))) {
         checks.push({ name: "test", command: "go test ./..." });
         checks.push({ name: "build", command: "go build ./..." });
       }
-      if (fs2.existsSync(path.join(projectPath, "pyproject.toml")) || fs2.existsSync(path.join(projectPath, "setup.py"))) {
+      if (fs4.existsSync(path3.join(projectPath, "pyproject.toml")) || fs4.existsSync(path3.join(projectPath, "setup.py"))) {
         checks.push({ name: "test", command: "python -m pytest" });
       }
     }
     const results = [];
+    const SAFE_GATE_COMMAND = /^(?:npm|pnpm|yarn)\s+(?:test|run\s+[\w.-]+|run-script\s+[\w.-]+)$|^go\s+(?:test|build|vet|fmt)\s+[\w./ -]+$|^(?:python|python3)\s+-m\s+[\w.-]+$|^make\s+[\w.-]+$|^cargo\s+(?:test|build|check|clippy)(?:\s+[\w./ -]+)?$|^(?:gradle|mvn)\s+[\w:.-]+$/;
     for (const check of checks) {
+      if (!SAFE_GATE_COMMAND.test(check.command)) {
+        results.push({
+          name: check.name,
+          passed: false,
+          command: check.command,
+          output: `Blocked: command does not match safe gate pattern. Allowed prefixes: npm, npx, pnpm, yarn, go, python, python3, make, cargo, gradle, mvn`,
+          duration: 0
+        });
+        continue;
+      }
       const start = Date.now();
       try {
-        execSync(check.command, {
+        execSync2(check.command, {
           cwd: projectPath,
           stdio: "pipe",
           timeout: 12e4
@@ -4157,37 +5516,613 @@ async function runMultiTurnPipeline(initialContext, turnExecutor, options) {
   };
 }
-// src/ci/check-orchestrator.ts
-import * as path2 from "path";
-var ALL_CHECKS = ["validate", "deps", "docs", "entropy", "phase-gate"];
-async function runSingleCheck(name, projectRoot, config) {
-  const start = Date.now();
-  const issues = [];
-  try {
-    switch (name) {
-      case "validate": {
-        const agentsPath = path2.join(projectRoot, config.agentsMapPath ?? "AGENTS.md");
-        const result = await validateAgentsMap(agentsPath);
-        if (!result.ok) {
-          issues.push({ severity: "error", message: result.error.message });
-        } else if (!result.value.valid) {
-          if (result.value.errors) {
-            for (const err of result.value.errors) {
-              issues.push({ severity: "error", message: err.message });
-            }
-          }
-          for (const section of result.value.missingSections) {
-            issues.push({ severity: "warning", message: `Missing section: ${section}` });
-          }
-          for (const link of result.value.brokenLinks) {
-            issues.push({
-              severity: "warning",
-              message: `Broken link: ${link.text} \u2192 ${link.path}`,
-              file: link.path
-            });
-          }
-        }
-        break;
+// src/security/scanner.ts
+import * as fs6 from "fs/promises";
+// src/security/rules/registry.ts
+var RuleRegistry = class {
+  rules = /* @__PURE__ */ new Map();
+  register(rule) {
+    this.rules.set(rule.id, rule);
+  }
+  registerAll(rules) {
+    for (const rule of rules) {
+      this.register(rule);
+    }
+  }
+  getById(id) {
+    return this.rules.get(id);
+  }
+  getAll() {
+    return Array.from(this.rules.values());
+  }
+  getByCategory(category) {
+    return this.getAll().filter((r) => r.category === category);
+  }
+  getForStacks(stacks) {
+    return this.getAll().filter((rule) => {
+      if (!rule.stack || rule.stack.length === 0) return true;
+      return rule.stack.some((s) => stacks.includes(s));
+    });
+  }
+};
+// src/security/config.ts
+import { z as z4 } from "zod";
+// src/security/types.ts
+var DEFAULT_SECURITY_CONFIG = {
+  enabled: true,
+  strict: false,
+  rules: {},
+  exclude: ["**/node_modules/**", "**/dist/**", "**/*.test.ts", "**/fixtures/**"]
+};
+// src/security/config.ts
+var RuleOverrideSchema = z4.enum(["off", "error", "warning", "info"]);
+var SecurityConfigSchema = z4.object({
+  enabled: z4.boolean().default(true),
+  strict: z4.boolean().default(false),
+  rules: z4.record(z4.string(), RuleOverrideSchema).optional().default({}),
+  exclude: z4.array(z4.string()).optional().default(["**/node_modules/**", "**/dist/**", "**/*.test.ts", "**/fixtures/**"]),
+  external: z4.object({
+    semgrep: z4.object({
+      enabled: z4.union([z4.literal("auto"), z4.boolean()]).default("auto"),
+      rulesets: z4.array(z4.string()).optional()
+    }).optional(),
+    gitleaks: z4.object({
+      enabled: z4.union([z4.literal("auto"), z4.boolean()]).default("auto")
+    }).optional()
+  }).optional()
+});
+function parseSecurityConfig(input) {
+  if (input === void 0 || input === null) {
+    return { ...DEFAULT_SECURITY_CONFIG };
+  }
+  const result = SecurityConfigSchema.safeParse(input);
+  if (result.success) {
+    return result.data;
+  }
+  return { ...DEFAULT_SECURITY_CONFIG };
+}
+function resolveRuleSeverity(ruleId, defaultSeverity, overrides, strict) {
+  if (overrides[ruleId] !== void 0) {
+    return overrides[ruleId];
+  }
+  for (const [pattern, override] of Object.entries(overrides)) {
+    if (pattern.endsWith("*")) {
+      const prefix = pattern.slice(0, -1);
+      if (ruleId.startsWith(prefix)) {
+        return override;
+      }
+    }
+  }
+  if (strict && (defaultSeverity === "warning" || defaultSeverity === "info")) {
+    return "error";
+  }
+  return defaultSeverity;
+}
+// src/security/stack-detector.ts
+import * as fs5 from "fs";
+import * as path4 from "path";
+function detectStack(projectRoot) {
+  const stacks = [];
+  const pkgJsonPath = path4.join(projectRoot, "package.json");
+  if (fs5.existsSync(pkgJsonPath)) {
+    stacks.push("node");
+    try {
+      const pkgJson = JSON.parse(fs5.readFileSync(pkgJsonPath, "utf-8"));
+      const allDeps = {
+        ...pkgJson.dependencies,
+        ...pkgJson.devDependencies
+      };
+      if (allDeps.react || allDeps["react-dom"]) stacks.push("react");
+      if (allDeps.express) stacks.push("express");
+      if (allDeps.koa) stacks.push("koa");
+      if (allDeps.fastify) stacks.push("fastify");
+      if (allDeps.next) stacks.push("next");
+      if (allDeps.vue) stacks.push("vue");
+      if (allDeps.angular || allDeps["@angular/core"]) stacks.push("angular");
+    } catch {
+    }
+  }
+  const goModPath = path4.join(projectRoot, "go.mod");
+  if (fs5.existsSync(goModPath)) {
+    stacks.push("go");
+  }
+  const requirementsPath = path4.join(projectRoot, "requirements.txt");
+  const pyprojectPath = path4.join(projectRoot, "pyproject.toml");
+  if (fs5.existsSync(requirementsPath) || fs5.existsSync(pyprojectPath)) {
+    stacks.push("python");
+  }
+  return stacks;
+}
+// src/security/rules/secrets.ts
+var secretRules = [
+  {
+    id: "SEC-SEC-001",
+    name: "AWS Access Key",
+    category: "secrets",
+    severity: "error",
+    confidence: "high",
+    patterns: [/(?:AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16}/],
+    message: "Hardcoded AWS access key detected",
+    remediation: "Use environment variables or a secrets manager",
+    references: ["CWE-798"]
+  },
+  {
+    id: "SEC-SEC-002",
+    name: "Generic API Key/Secret Assignment",
+    category: "secrets",
+    severity: "error",
+    confidence: "high",
+    patterns: [
+      /(?:api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?token|auth[_-]?token)\s*[:=]\s*['"][^'"]{8,}['"]/i
+    ],
+    message: "Hardcoded API key or secret detected",
+    remediation: "Use environment variables: process.env.API_KEY",
+    references: ["CWE-798"]
+  },
+  {
+    id: "SEC-SEC-003",
+    name: "Private Key",
+    category: "secrets",
+    severity: "error",
+    confidence: "high",
+    patterns: [/-----BEGIN\s(?:RSA|DSA|EC|OPENSSH|PGP)\s(?:PRIVATE\s)?KEY-----/],
+    message: "Private key detected in source code",
+    remediation: "Store private keys in a secrets manager, never in source",
+    references: ["CWE-321"]
+  },
+  {
+    id: "SEC-SEC-004",
+    name: "Password Assignment",
+    category: "secrets",
+    severity: "error",
+    confidence: "high",
+    patterns: [/(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}['"]/i],
+    message: "Hardcoded password detected",
+    remediation: "Use environment variables or a secrets manager",
+    references: ["CWE-259"]
+  },
+  {
+    id: "SEC-SEC-005",
+    name: "JWT/Bearer Token",
+    category: "secrets",
+    severity: "error",
+    confidence: "high",
+    patterns: [/eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/],
+    message: "Hardcoded JWT token detected",
+    remediation: "Tokens should be fetched at runtime, not embedded in source",
+    references: ["CWE-798"]
+  }
+];
+// src/security/rules/injection.ts
+var injectionRules = [
+  {
+    id: "SEC-INJ-001",
+    name: "eval/Function Constructor",
+    category: "injection",
+    severity: "error",
+    confidence: "high",
+    patterns: [/\beval\s*\(/, /new\s+Function\s*\(/],
+    message: "eval() and Function constructor allow arbitrary code execution",
+    remediation: "Use JSON.parse() for data, or a sandboxed interpreter for dynamic code",
+    references: ["CWE-95"]
+  },
+  {
+    id: "SEC-INJ-002",
+    name: "SQL String Concatenation",
+    category: "injection",
+    severity: "error",
+    confidence: "high",
+    patterns: [
+      /(?:query|execute|prepare)\s*\(\s*['"][^'"]*['"]\s*\+/,
+      /(?:query|execute|prepare)\s*\(\s*`[^`]*\$\{/
+    ],
+    message: "SQL query built with string concatenation or template literals with interpolation",
+    remediation: 'Use parameterized queries: query("SELECT * FROM users WHERE id = $1", [id])',
+    references: ["CWE-89"]
+  },
+  {
+    id: "SEC-INJ-003",
+    name: "Command Injection",
+    category: "injection",
+    severity: "error",
+    confidence: "high",
+    patterns: [
+      /\bexec\s*\(\s*['"][^'"]*['"]\s*\+/,
+      /\bexec\s*\(\s*`[^`]*\$\{/,
+      /\bexecSync\s*\(\s*['"][^'"]*['"]\s*\+/,
+      /\bexecSync\s*\(\s*`[^`]*\$\{/
+    ],
+    message: "Shell command built with string concatenation",
+    remediation: "Use execFile() with argument array instead of exec() with string",
+    references: ["CWE-78"]
+  }
+];
+// src/security/rules/xss.ts
+var xssRules = [
+  {
+    id: "SEC-XSS-001",
+    name: "innerHTML Assignment",
+    category: "xss",
+    severity: "error",
+    confidence: "high",
+    patterns: [/\.innerHTML\s*=/],
+    message: "Direct innerHTML assignment can lead to XSS",
+    remediation: "Use textContent for text, or a sanitizer like DOMPurify for HTML",
+    references: ["CWE-79"]
+  },
+  {
+    id: "SEC-XSS-002",
+    name: "dangerouslySetInnerHTML",
+    category: "xss",
+    severity: "error",
+    confidence: "high",
+    patterns: [/dangerouslySetInnerHTML/],
+    message: "dangerouslySetInnerHTML bypasses React XSS protections",
+    remediation: "Sanitize HTML with DOMPurify before passing to dangerouslySetInnerHTML",
+    references: ["CWE-79"]
+  },
+  {
+    id: "SEC-XSS-003",
+    name: "document.write",
+    category: "xss",
+    severity: "error",
+    confidence: "high",
+    patterns: [/document\.write\s*\(/, /document\.writeln\s*\(/],
+    message: "document.write can lead to XSS and is a legacy API",
+    remediation: "Use DOM APIs: createElement, appendChild, textContent",
+    references: ["CWE-79"]
+  }
+];
+// src/security/rules/crypto.ts
+var cryptoRules = [
+  {
+    id: "SEC-CRY-001",
+    name: "Weak Hash Algorithm",
+    category: "crypto",
+    severity: "error",
+    confidence: "high",
+    patterns: [/createHash\s*\(\s*['"](?:md5|sha1|md4|ripemd160)['"]\s*\)/],
+    message: "MD5 and SHA1 are cryptographically broken for security use",
+    remediation: 'Use SHA-256 or higher: createHash("sha256")',
+    references: ["CWE-328"]
+  },
+  {
+    id: "SEC-CRY-002",
+    name: "Hardcoded Encryption Key",
+    category: "crypto",
+    severity: "error",
+    confidence: "high",
+    patterns: [
+      /(?:encryption[_-]?key|cipher[_-]?key|aes[_-]?key|secret[_-]?key)\s*[:=]\s*['"][^'"]{4,}['"]/i
+    ],
+    message: "Hardcoded encryption key detected",
+    remediation: "Load encryption keys from environment variables or a key management service",
+    references: ["CWE-321"]
+  }
+];
+// src/security/rules/path-traversal.ts
+var pathTraversalRules = [
+  {
+    id: "SEC-PTH-001",
+    name: "Path Traversal Pattern",
+    category: "path-traversal",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /(?:readFile|readFileSync|writeFile|writeFileSync|createReadStream|createWriteStream|access|stat|unlink|rmdir|mkdir)\s*\([^)]*\.{2}[/\\]/,
+      /(?:readFile|readFileSync|writeFile|writeFileSync)\s*\([^)]*\+/
+    ],
+    message: "Potential path traversal: file operation with ../ or string concatenation",
+    remediation: "Use path.resolve() and validate the resolved path stays within the expected directory",
+    references: ["CWE-22"]
+  }
+];
+// src/security/rules/network.ts
+var networkRules = [
+  {
+    id: "SEC-NET-001",
+    name: "CORS Wildcard Origin",
+    category: "network",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [/origin\s*:\s*['"][*]['"]/],
+    message: "CORS wildcard origin allows any website to make requests",
+    remediation: "Restrict CORS to specific trusted origins",
+    references: ["CWE-942"]
+  },
+  {
+    id: "SEC-NET-002",
+    name: "Disabled TLS Verification",
+    category: "network",
+    severity: "warning",
+    confidence: "high",
+    patterns: [/rejectUnauthorized\s*:\s*false/],
+    message: "TLS certificate verification is disabled, enabling MITM attacks",
+    remediation: "Remove rejectUnauthorized: false, or use a proper CA bundle",
+    references: ["CWE-295"]
+  },
+  {
+    id: "SEC-NET-003",
+    name: "Hardcoded HTTP URL",
+    category: "network",
+    severity: "info",
+    confidence: "low",
+    patterns: [/['"]http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)[^'"]+['"]/],
+    message: "Non-TLS HTTP URL detected (excluding localhost)",
+    remediation: "Use HTTPS for all non-local connections",
+    references: ["CWE-319"]
+  }
+];
+// src/security/rules/deserialization.ts
+var deserializationRules = [
+  {
+    id: "SEC-DES-001",
+    name: "Unvalidated JSON Parse",
+    category: "deserialization",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /JSON\.parse\s*\(\s*(?:req|request)\.body/,
+      /JSON\.parse\s*\(\s*(?:event|data|payload|input|body)\b/
+    ],
+    message: "JSON.parse on potentially untrusted input without schema validation",
+    remediation: "Validate parsed data with Zod, ajv, or joi before use",
+    references: ["CWE-502"]
+  }
+];
+// src/security/rules/stack/node.ts
+var nodeRules = [
+  {
+    id: "SEC-NODE-001",
+    name: "Prototype Pollution",
+    category: "injection",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /__proto__/,
+      /\bconstructor\s*\[/,
+      /\bprototype\s*\[/,
+      /Object\.assign\s*\(\s*\w+\s*,\s*(?:req|request|body|input|params|query)\b/
+    ],
+    stack: ["node"],
+    message: "Potential prototype pollution via __proto__, constructor, or Object.assign with untrusted input",
+    remediation: "Validate keys against a whitelist, use Object.create(null), or use Map instead of plain objects",
+    references: ["CWE-1321"]
+  },
+  {
+    id: "SEC-NODE-002",
+    name: "NoSQL Injection",
+    category: "injection",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /\.find\s*\(\s*\{[^}]*\$(?:gt|gte|lt|lte|ne|in|nin|regex|where|exists)/,
+      /\.find\s*\(\s*(?:req|request)\.(?:body|query|params)/
+    ],
+    stack: ["node"],
+    message: "Potential NoSQL injection: MongoDB query operators in user input",
+    remediation: "Sanitize input by stripping keys starting with $ before using in queries",
+    references: ["CWE-943"]
+  }
+];
+// src/security/rules/stack/express.ts
+var expressRules = [
+  {
+    id: "SEC-EXPRESS-001",
+    name: "Missing Helmet",
+    category: "network",
+    severity: "info",
+    confidence: "low",
+    patterns: [/app\s*=\s*express\s*\(\)/],
+    stack: ["express"],
+    fileGlob: "**/app.{ts,js}",
+    message: "Express app initialization detected \u2014 ensure helmet middleware is applied for security headers",
+    remediation: "Add helmet middleware: app.use(helmet())",
+    references: ["CWE-693"]
+  },
+  {
+    id: "SEC-EXPRESS-002",
+    name: "Unprotected Route with Body Parsing",
+    category: "network",
+    severity: "info",
+    confidence: "low",
+    patterns: [/app\.(?:post|put|patch)\s*\([^)]*,\s*(?:req|request)\s*(?:,|\))/],
+    stack: ["express"],
+    message: "Express route accepts request body \u2014 ensure input validation and rate limiting are applied",
+    remediation: "Add express-rate-limit and validate request body with Zod/joi",
+    references: ["CWE-770"]
+  }
+];
+// src/security/rules/stack/react.ts
+var reactRules = [
+  {
+    id: "SEC-REACT-001",
+    name: "Sensitive Data in Client Storage",
+    category: "secrets",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [
+      /localStorage\.setItem\s*\(\s*['"](?:token|jwt|auth|session|password|secret|key|credential)/i,
+      /sessionStorage\.setItem\s*\(\s*['"](?:token|jwt|auth|session|password|secret|key|credential)/i
+    ],
+    stack: ["react"],
+    message: "Storing sensitive data in browser storage is accessible to XSS attacks",
+    remediation: "Use httpOnly cookies for auth tokens instead of localStorage",
+    references: ["CWE-922"]
+  }
+];
+// src/security/rules/stack/go.ts
+var goRules = [
+  {
+    id: "SEC-GO-001",
+    name: "Unsafe Pointer Usage",
+    category: "injection",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [/unsafe\.Pointer/],
+    stack: ["go"],
+    message: "unsafe.Pointer bypasses Go type safety",
+    remediation: "Avoid unsafe.Pointer unless absolutely necessary; document justification",
+    references: ["CWE-119"]
+  },
+  {
+    id: "SEC-GO-002",
+    name: "Format String Injection",
+    category: "injection",
+    severity: "warning",
+    confidence: "medium",
+    patterns: [/fmt\.Sprintf\s*\(\s*\w+[^,)]*\)/],
+    stack: ["go"],
+    message: "Format string may come from user input",
+    remediation: 'Use fmt.Sprintf with a literal format string: fmt.Sprintf("%s", userInput)',
+    references: ["CWE-134"]
+  }
+];
+// src/security/scanner.ts
+var SecurityScanner = class {
+  registry;
+  config;
+  activeRules = [];
+  constructor(config = {}) {
+    this.config = { ...DEFAULT_SECURITY_CONFIG, ...config };
+    this.registry = new RuleRegistry();
+    this.registry.registerAll([
+      ...secretRules,
+      ...injectionRules,
+      ...xssRules,
+      ...cryptoRules,
+      ...pathTraversalRules,
+      ...networkRules,
+      ...deserializationRules
+    ]);
+    this.registry.registerAll([...nodeRules, ...expressRules, ...reactRules, ...goRules]);
+    this.activeRules = this.registry.getAll();
+  }
+  configureForProject(projectRoot) {
+    const stacks = detectStack(projectRoot);
+    this.activeRules = this.registry.getForStacks(stacks.length > 0 ? stacks : []);
+  }
+  scanContent(content, filePath, startLine = 1) {
+    if (!this.config.enabled) return [];
+    const findings = [];
+    const lines = content.split("\n");
+    for (const rule of this.activeRules) {
+      const resolved = resolveRuleSeverity(
+        rule.id,
+        rule.severity,
+        this.config.rules ?? {},
+        this.config.strict
+      );
+      if (resolved === "off") continue;
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i] ?? "";
+        if (line.includes("harness-ignore") && line.includes(rule.id)) continue;
+        for (const pattern of rule.patterns) {
+          pattern.lastIndex = 0;
+          if (pattern.test(line)) {
+            findings.push({
+              ruleId: rule.id,
+              ruleName: rule.name,
+              category: rule.category,
+              severity: resolved,
+              confidence: rule.confidence,
+              file: filePath,
+              line: startLine + i,
+              match: line.trim(),
+              context: line,
+              message: rule.message,
+              remediation: rule.remediation,
+              ...rule.references ? { references: rule.references } : {}
+            });
+            break;
+          }
+        }
+      }
+    }
+    return findings;
+  }
+  async scanFile(filePath) {
+    if (!this.config.enabled) return [];
+    const content = await fs6.readFile(filePath, "utf-8");
+    return this.scanContent(content, filePath, 1);
+  }
+  async scanFiles(filePaths) {
+    const allFindings = [];
+    let scannedCount = 0;
+    for (const filePath of filePaths) {
+      try {
+        const findings = await this.scanFile(filePath);
+        allFindings.push(...findings);
+        scannedCount++;
+      } catch {
+      }
+    }
+    return {
+      findings: allFindings,
+      scannedFiles: scannedCount,
+      rulesApplied: this.activeRules.length,
+      externalToolsUsed: [],
+      coverage: "baseline"
+    };
+  }
+};
+// src/ci/check-orchestrator.ts
+import * as path5 from "path";
+var ALL_CHECKS = [
+  "validate",
+  "deps",
+  "docs",
+  "entropy",
+  "security",
+  "perf",
+  "phase-gate"
+];
+async function runSingleCheck(name, projectRoot, config) {
+  const start = Date.now();
+  const issues = [];
+  try {
+    switch (name) {
+      case "validate": {
+        const agentsPath = path5.join(projectRoot, config.agentsMapPath ?? "AGENTS.md");
+        const result = await validateAgentsMap(agentsPath);
+        if (!result.ok) {
+          issues.push({ severity: "error", message: result.error.message });
+        } else if (!result.value.valid) {
+          if (result.value.errors) {
+            for (const err of result.value.errors) {
+              issues.push({ severity: "error", message: err.message });
+            }
+          }
+          for (const section of result.value.missingSections) {
+            issues.push({ severity: "warning", message: `Missing section: ${section}` });
+          }
+          for (const link of result.value.brokenLinks) {
+            issues.push({
+              severity: "warning",
+              message: `Broken link: ${link.text} \u2192 ${link.path}`,
+              file: link.path
+            });
+          }
+        }
+        break;
       }
       case "deps": {
         const rawLayers = config.layers;
@@ -4221,7 +6156,7 @@ async function runSingleCheck(name, projectRoot, config) {
         break;
       }
       case "docs": {
-        const docsDir = path2.join(projectRoot, config.docsDir ?? "docs");
+        const docsDir = path5.join(projectRoot, config.docsDir ?? "docs");
         const result = await checkDocCoverage("project", { docsDir });
         if (!result.ok) {
           issues.push({ severity: "warning", message: result.error.message });
@@ -4269,6 +6204,68 @@ async function runSingleCheck(name, projectRoot, config) {
         }
         break;
       }
+      case "security": {
+        const securityConfig = parseSecurityConfig(config.security);
+        if (!securityConfig.enabled) break;
+        const scanner = new SecurityScanner(securityConfig);
+        scanner.configureForProject(projectRoot);
+        const { glob: globFn } = await import("glob");
+        const sourceFiles = await globFn("**/*.{ts,tsx,js,jsx,go,py}", {
+          cwd: projectRoot,
+          ignore: securityConfig.exclude ?? [
+            "**/node_modules/**",
+            "**/dist/**",
+            "**/*.test.ts",
+            "**/fixtures/**"
+          ],
+          absolute: true
+        });
+        const scanResult = await scanner.scanFiles(sourceFiles);
+        for (const finding of scanResult.findings) {
+          issues.push({
+            severity: finding.severity === "info" ? "warning" : finding.severity,
+            message: `[${finding.ruleId}] ${finding.message}: ${finding.match}`,
+            file: finding.file,
+            line: finding.line
+          });
+        }
+        break;
+      }
+      case "perf": {
+        const perfAnalyzer = new EntropyAnalyzer({
+          rootDir: projectRoot,
+          analyze: {
+            complexity: true,
+            coupling: true
+          }
+        });
+        const perfResult = await perfAnalyzer.analyze();
+        if (!perfResult.ok) {
+          issues.push({ severity: "warning", message: perfResult.error.message });
+        } else {
+          const perfReport = perfResult.value;
+          if (perfReport.complexity) {
+            for (const v of perfReport.complexity.violations) {
+              issues.push({
+                severity: v.severity === "info" ? "warning" : v.severity,
+                message: `[Tier ${v.tier}] ${v.metric}: ${v.function} in ${v.file} (${v.value} > ${v.threshold})`,
+                file: v.file,
+                line: v.line
+              });
+            }
+          }
+          if (perfReport.coupling) {
+            for (const v of perfReport.coupling.violations) {
+              issues.push({
+                severity: v.severity === "info" ? "warning" : v.severity,
+                message: `[Tier ${v.tier}] ${v.metric}: ${v.file} (${v.value} > ${v.threshold})`,
+                file: v.file
+              });
+            }
+          }
+        }
+        break;
+      }
       case "phase-gate": {
         const phaseGates = config.phaseGates;
         if (!phaseGates?.enabled) {
@@ -4339,75 +6336,2194 @@ async function runCIChecks(input) {
   }
 }
+// src/review/mechanical-checks.ts
+import * as path6 from "path";
+async function runMechanicalChecks(options) {
+  const { projectRoot, config, skip = [], changedFiles } = options;
+  const findings = [];
+  const statuses = {
+    validate: "skip",
+    "check-deps": "skip",
+    "check-docs": "skip",
+    "security-scan": "skip"
+  };
+  if (!skip.includes("validate")) {
+    try {
+      const agentsPath = path6.join(projectRoot, config.agentsMapPath ?? "AGENTS.md");
+      const result = await validateAgentsMap(agentsPath);
+      if (!result.ok) {
+        statuses.validate = "fail";
+        findings.push({
+          tool: "validate",
+          file: agentsPath,
+          message: result.error.message,
+          severity: "error"
+        });
+      } else if (!result.value.valid) {
+        statuses.validate = "fail";
+        if (result.value.errors) {
+          for (const err of result.value.errors) {
+            findings.push({
+              tool: "validate",
+              file: agentsPath,
+              message: err.message,
+              severity: "error"
+            });
+          }
+        }
+        for (const section of result.value.missingSections) {
+          findings.push({
+            tool: "validate",
+            file: agentsPath,
+            message: `Missing section: ${section}`,
+            severity: "warning"
+          });
+        }
+      } else {
+        statuses.validate = "pass";
+      }
+    } catch (err) {
+      statuses.validate = "fail";
+      findings.push({
+        tool: "validate",
+        file: path6.join(projectRoot, "AGENTS.md"),
+        message: err instanceof Error ? err.message : String(err),
+        severity: "error"
+      });
+    }
+  }
+  if (!skip.includes("check-deps")) {
+    try {
+      const rawLayers = config.layers;
+      if (rawLayers && rawLayers.length > 0) {
+        const parser = new TypeScriptParser();
+        const layers = rawLayers.map(
+          (l) => defineLayer(
+            l.name,
+            Array.isArray(l.patterns) ? l.patterns : [l.pattern],
+            l.allowedDependencies
+          )
+        );
+        const result = await validateDependencies({
+          layers,
+          rootDir: projectRoot,
+          parser
+        });
+        if (!result.ok) {
+          statuses["check-deps"] = "fail";
+          findings.push({
+            tool: "check-deps",
+            file: projectRoot,
+            message: result.error.message,
+            severity: "error"
+          });
+        } else if (result.value.violations.length > 0) {
+          statuses["check-deps"] = "fail";
+          for (const v of result.value.violations) {
+            findings.push({
+              tool: "check-deps",
+              file: v.file,
+              line: v.line,
+              message: `Layer violation: ${v.fromLayer} -> ${v.toLayer}: ${v.reason}`,
+              severity: "error"
+            });
+          }
+        } else {
+          statuses["check-deps"] = "pass";
+        }
+      } else {
+        statuses["check-deps"] = "pass";
+      }
+    } catch (err) {
+      statuses["check-deps"] = "fail";
+      findings.push({
+        tool: "check-deps",
+        file: projectRoot,
+        message: err instanceof Error ? err.message : String(err),
+        severity: "error"
+      });
+    }
+  }
+  if (!skip.includes("check-docs")) {
+    try {
+      const docsDir = path6.join(projectRoot, config.docsDir ?? "docs");
+      const result = await checkDocCoverage("project", { docsDir });
+      if (!result.ok) {
+        statuses["check-docs"] = "warn";
+        findings.push({
+          tool: "check-docs",
+          file: docsDir,
+          message: result.error.message,
+          severity: "warning"
+        });
+      } else if (result.value.gaps && result.value.gaps.length > 0) {
+        statuses["check-docs"] = "warn";
+        for (const gap of result.value.gaps) {
+          findings.push({
+            tool: "check-docs",
+            file: gap.file,
+            message: `Undocumented: ${gap.file} (suggested: ${gap.suggestedSection})`,
+            severity: "warning"
+          });
+        }
+      } else {
+        statuses["check-docs"] = "pass";
+      }
+    } catch (err) {
+      statuses["check-docs"] = "warn";
+      findings.push({
+        tool: "check-docs",
+        file: path6.join(projectRoot, "docs"),
+        message: err instanceof Error ? err.message : String(err),
+        severity: "warning"
+      });
+    }
+  }
+  if (!skip.includes("security-scan")) {
+    try {
+      const securityConfig = parseSecurityConfig(config.security);
+      if (!securityConfig.enabled) {
+        statuses["security-scan"] = "skip";
+      } else {
+        const scanner = new SecurityScanner(securityConfig);
+        scanner.configureForProject(projectRoot);
+        const filesToScan = changedFiles ?? [];
+        const scanResult = await scanner.scanFiles(filesToScan);
+        if (scanResult.findings.length > 0) {
+          statuses["security-scan"] = "warn";
+          for (const f of scanResult.findings) {
+            findings.push({
+              tool: "security-scan",
+              file: f.file,
+              line: f.line,
+              ruleId: f.ruleId,
+              message: f.message,
+              severity: f.severity === "info" ? "warning" : f.severity
+            });
+          }
+        } else {
+          statuses["security-scan"] = "pass";
+        }
+      }
+    } catch (err) {
+      statuses["security-scan"] = "warn";
+      findings.push({
+        tool: "security-scan",
+        file: projectRoot,
+        message: err instanceof Error ? err.message : String(err),
+        severity: "warning"
+      });
+    }
+  }
+  const hasErrors = findings.some((f) => f.severity === "error");
+  const stopPipeline = statuses.validate === "fail" || statuses["check-deps"] === "fail";
+  return Ok({
+    pass: !hasErrors,
+    stopPipeline,
+    findings,
+    checks: {
+      validate: statuses.validate,
+      checkDeps: statuses["check-deps"],
+      checkDocs: statuses["check-docs"],
+      securityScan: statuses["security-scan"]
+    }
+  });
+}
+// src/review/exclusion-set.ts
+var ExclusionSet = class {
+  /** Findings indexed by file path for O(1) file lookup */
+  byFile;
+  allFindings;
+  constructor(findings) {
+    this.allFindings = [...findings];
+    this.byFile = /* @__PURE__ */ new Map();
+    for (const f of findings) {
+      const existing = this.byFile.get(f.file);
+      if (existing) {
+        existing.push(f);
+      } else {
+        this.byFile.set(f.file, [f]);
+      }
+    }
+  }
+  /**
+   * Returns true if any mechanical finding covers the given file + line range.
+   *
+   * A mechanical finding "covers" a range if:
+   * - The file matches, AND
+   * - The finding has no line (file-level finding — covers everything), OR
+   * - The finding's line falls within [startLine, endLine] inclusive.
+   */
+  isExcluded(file, lineRange) {
+    const fileFindings = this.byFile.get(file);
+    if (!fileFindings) return false;
+    const [start, end] = lineRange;
+    return fileFindings.some((f) => {
+      if (f.line === void 0) return true;
+      return f.line >= start && f.line <= end;
+    });
+  }
+  /** Number of findings in the set */
+  get size() {
+    return this.allFindings.length;
+  }
+  /** Returns a copy of all findings */
+  getFindings() {
+    return [...this.allFindings];
+  }
+};
+function buildExclusionSet(findings) {
+  return new ExclusionSet(findings);
+}
+// src/review/change-type.ts
+var PREFIX_PATTERNS = [
+  { pattern: /^(feat|feature)(\([^)]*\))?:/i, type: "feature" },
+  { pattern: /^(fix|bugfix)(\([^)]*\))?:/i, type: "bugfix" },
+  { pattern: /^refactor(\([^)]*\))?:/i, type: "refactor" },
+  { pattern: /^docs?(\([^)]*\))?:/i, type: "docs" }
+];
+var TEST_FILE_PATTERN = /\.(test|spec)\.(ts|tsx|js|jsx|mts|cts)$/;
+var MD_FILE_PATTERN = /\.md$/;
+function detectChangeType(commitMessage, diff) {
+  const trimmed = commitMessage.trim();
+  for (const { pattern, type } of PREFIX_PATTERNS) {
+    if (pattern.test(trimmed)) {
+      return type;
+    }
+  }
+  if (diff.changedFiles.length > 0 && diff.changedFiles.every((f) => MD_FILE_PATTERN.test(f))) {
+    return "docs";
+  }
+  const newNonTestFiles = diff.newFiles.filter((f) => !TEST_FILE_PATTERN.test(f));
+  if (newNonTestFiles.length > 0) {
+    return "feature";
+  }
+  const hasNewTestFile = diff.newFiles.some((f) => TEST_FILE_PATTERN.test(f));
+  if (diff.totalDiffLines < 20 && hasNewTestFile) {
+    return "bugfix";
+  }
+  return "feature";
+}
+// src/review/context-scoper.ts
+import * as path7 from "path";
+var ALL_DOMAINS = ["compliance", "bug", "security", "architecture"];
+var SECURITY_PATTERNS = /auth|crypto|password|secret|token|session|cookie|hash|encrypt|decrypt|sql|shell|exec|eval/i;
+function computeContextBudget(diffLines) {
+  if (diffLines < 20) return diffLines * 3;
+  return diffLines;
+}
+function isWithinProject(absPath, projectRoot) {
+  const resolvedRoot = path7.resolve(projectRoot) + path7.sep;
+  const resolvedPath = path7.resolve(absPath);
+  return resolvedPath.startsWith(resolvedRoot) || resolvedPath === path7.resolve(projectRoot);
+}
+async function readContextFile(projectRoot, filePath, reason) {
+  const absPath = path7.isAbsolute(filePath) ? filePath : path7.join(projectRoot, filePath);
+  if (!isWithinProject(absPath, projectRoot)) return null;
+  const result = await readFileContent(absPath);
+  if (!result.ok) return null;
+  const content = result.value;
+  const lines = content.split("\n").length;
+  const relPath = path7.isAbsolute(filePath) ? path7.relative(projectRoot, filePath) : filePath;
+  return { path: relPath, content, reason, lines };
+}
+function extractImportSources(content) {
+  const sources = [];
+  const importRegex = /(?:import\s+(?:.*?\s+from\s+)?['"]([^'"]+)['"]|require\(\s*['"]([^'"]+)['"]\s*\))/g;
+  let match;
+  while ((match = importRegex.exec(content)) !== null) {
+    const source = match[1] ?? match[2];
+    if (source) sources.push(source);
+  }
+  return sources;
+}
+async function resolveImportPath2(projectRoot, fromFile, importSource) {
+  if (!importSource.startsWith(".")) return null;
+  const fromDir = path7.dirname(path7.join(projectRoot, fromFile));
+  const basePath = path7.resolve(fromDir, importSource);
+  if (!isWithinProject(basePath, projectRoot)) return null;
+  const relBase = path7.relative(projectRoot, basePath);
+  const candidates = [
+    relBase + ".ts",
+    relBase + ".tsx",
+    relBase + ".mts",
+    path7.join(relBase, "index.ts")
+  ];
+  for (const candidate of candidates) {
+    const absCandidate = path7.join(projectRoot, candidate);
+    if (await fileExists(absCandidate)) {
+      return candidate;
+    }
+  }
+  return null;
+}
+async function findTestFiles(projectRoot, sourceFile) {
+  const baseName = path7.basename(sourceFile, path7.extname(sourceFile));
+  const pattern = `**/${baseName}.{test,spec}.{ts,tsx,mts}`;
+  const results = await findFiles(pattern, projectRoot);
+  return results.map((f) => path7.relative(projectRoot, f));
+}
+async function gatherImportContext(projectRoot, changedFiles, budget) {
+  const contextFiles = [];
+  let linesGathered = 0;
+  const seen = new Set(changedFiles.map((f) => f.path));
+  for (const cf of changedFiles) {
+    if (linesGathered >= budget) break;
+    const sources = extractImportSources(cf.content);
+    for (const source of sources) {
+      if (linesGathered >= budget) break;
+      const resolved = await resolveImportPath2(projectRoot, cf.path, source);
+      if (resolved && !seen.has(resolved)) {
+        seen.add(resolved);
+        const contextFile = await readContextFile(projectRoot, resolved, "import");
+        if (contextFile) {
+          contextFiles.push(contextFile);
+          linesGathered += contextFile.lines;
+        }
+      }
+    }
+  }
+  return contextFiles;
+}
+async function gatherGraphDependencyContext(projectRoot, changedFilePaths, graph, budget) {
+  const contextFiles = [];
+  let linesGathered = 0;
+  const seen = new Set(changedFilePaths);
+  for (const filePath of changedFilePaths) {
+    if (linesGathered >= budget) break;
+    let deps;
+    try {
+      deps = await graph.getDependencies(filePath);
+    } catch {
+      continue;
+    }
+    for (const dep of deps) {
+      if (linesGathered >= budget) break;
+      if (seen.has(dep)) continue;
+      seen.add(dep);
+      const contextFile = await readContextFile(projectRoot, dep, "graph-dependency");
+      if (contextFile) {
+        contextFiles.push(contextFile);
+        linesGathered += contextFile.lines;
+      }
+    }
+  }
+  return contextFiles;
+}
+async function gatherTestContext(projectRoot, changedFilePaths, graph) {
+  const testFiles = [];
+  const seen = /* @__PURE__ */ new Set();
+  if (graph) {
+    for (const filePath of changedFilePaths) {
+      let impact;
+      try {
+        impact = await graph.getImpact(filePath);
+      } catch {
+        continue;
+      }
+      for (const testFile of impact.tests) {
+        if (seen.has(testFile)) continue;
+        seen.add(testFile);
+        const cf = await readContextFile(projectRoot, testFile, "test");
+        if (cf) testFiles.push(cf);
+      }
+    }
+  } else {
+    for (const filePath of changedFilePaths) {
+      const found = await findTestFiles(projectRoot, filePath);
+      for (const testFile of found) {
+        if (seen.has(testFile)) continue;
+        seen.add(testFile);
+        const cf = await readContextFile(projectRoot, testFile, "test");
+        if (cf) testFiles.push(cf);
+      }
+    }
+  }
+  return testFiles;
+}
+async function scopeComplianceContext(projectRoot, _changedFiles, options) {
+  const contextFiles = [];
+  const conventionFiles = options.conventionFiles ?? ["CLAUDE.md", "AGENTS.md"];
+  for (const cf of conventionFiles) {
+    const file = await readContextFile(projectRoot, cf, "convention");
+    if (file) contextFiles.push(file);
+  }
+  return contextFiles;
+}
+async function scopeBugContext(projectRoot, changedFiles, budget, options) {
+  const contextFiles = [];
+  const changedPaths = changedFiles.map((f) => f.path);
+  if (options.graph) {
+    const deps = await gatherGraphDependencyContext(
+      projectRoot,
+      changedPaths,
+      options.graph,
+      budget
+    );
+    contextFiles.push(...deps);
+  } else {
+    const deps = await gatherImportContext(projectRoot, changedFiles, budget);
+    contextFiles.push(...deps);
+  }
+  const tests = await gatherTestContext(projectRoot, changedPaths, options.graph);
+  contextFiles.push(...tests);
+  return contextFiles;
+}
+async function scopeSecurityContext(projectRoot, changedFiles, budget, options) {
+  const contextFiles = [];
+  const changedPaths = changedFiles.map((f) => f.path);
+  if (options.graph) {
+    const allPaths = [];
+    for (const filePath of changedPaths) {
+      try {
+        const deps = await options.graph.getDependencies(filePath);
+        allPaths.push(...deps);
+      } catch {
+        continue;
+      }
+    }
+    const uniquePaths = [...new Set(allPaths)];
+    const securityFirst = uniquePaths.sort((a, b) => {
+      const aMatch = SECURITY_PATTERNS.test(a) ? 0 : 1;
+      const bMatch = SECURITY_PATTERNS.test(b) ? 0 : 1;
+      return aMatch - bMatch;
+    });
+    for (const depPath of securityFirst) {
+      if (contextFiles.reduce((sum, f) => sum + f.lines, 0) >= budget) break;
+      const cf = await readContextFile(projectRoot, depPath, "graph-dependency");
+      if (cf) contextFiles.push(cf);
+    }
+  } else {
+    const deps = await gatherImportContext(projectRoot, changedFiles, budget);
+    contextFiles.push(...deps);
+  }
+  return contextFiles;
+}
+async function scopeArchitectureContext(projectRoot, changedFiles, budget, options) {
+  const contextFiles = [];
+  const changedPaths = changedFiles.map((f) => f.path);
+  if (options.graph) {
+    let linesGathered = 0;
+    for (const filePath of changedPaths) {
+      if (linesGathered >= budget) break;
+      let impact;
+      try {
+        impact = await options.graph.getImpact(filePath);
+      } catch {
+        continue;
+      }
+      for (const codePath of impact.code) {
+        if (linesGathered >= budget) break;
+        const cf = await readContextFile(projectRoot, codePath, "graph-impact");
+        if (cf) {
+          contextFiles.push(cf);
+          linesGathered += cf.lines;
+        }
+      }
+    }
+  } else {
+    const deps = await gatherImportContext(projectRoot, changedFiles, budget);
+    contextFiles.push(...deps);
+    if (options.checkDepsOutput) {
+      contextFiles.push({
+        path: "harness-check-deps-output",
+        content: options.checkDepsOutput,
+        lines: options.checkDepsOutput.split("\n").length,
+        reason: "convention"
+      });
+    }
+  }
+  return contextFiles;
+}
+async function scopeContext(options) {
+  const { projectRoot, diff, commitMessage } = options;
+  const changeType = detectChangeType(commitMessage, diff);
+  const budget = computeContextBudget(diff.totalDiffLines);
+  const changedFiles = [];
+  for (const filePath of diff.changedFiles) {
+    const cf = await readContextFile(projectRoot, filePath, "changed");
+    if (cf) changedFiles.push(cf);
+  }
+  const scopers = {
+    compliance: () => scopeComplianceContext(projectRoot, changedFiles, options),
+    bug: () => scopeBugContext(projectRoot, changedFiles, budget, options),
+    security: () => scopeSecurityContext(projectRoot, changedFiles, budget, options),
+    architecture: () => scopeArchitectureContext(projectRoot, changedFiles, budget, options)
+  };
+  const bundles = [];
+  for (const domain of ALL_DOMAINS) {
+    const contextFiles = await scopers[domain]();
+    const contextLines = contextFiles.reduce((sum, f) => sum + f.lines, 0);
+    bundles.push({
+      domain,
+      changeType,
+      changedFiles: [...changedFiles],
+      contextFiles,
+      commitHistory: options.commitHistory ?? [],
+      diffLines: diff.totalDiffLines,
+      contextLines
+    });
+  }
+  return bundles;
+}
+// src/review/constants.ts
+var SEVERITY_RANK = {
+  suggestion: 0,
+  important: 1,
+  critical: 2
+};
+var SEVERITY_ORDER = ["critical", "important", "suggestion"];
+var SEVERITY_LABELS = {
+  critical: "Critical",
+  important: "Important",
+  suggestion: "Suggestion"
+};
+var VALIDATED_BY_RANK = {
+  mechanical: 0,
+  heuristic: 1,
+  graph: 2
+};
+function makeFindingId(domain, file, line, title) {
+  const hash = title.slice(0, 20).replace(/[^a-zA-Z0-9]/g, "");
+  return `${domain}-${file.replace(/[^a-zA-Z0-9]/g, "-")}-${line}-${hash}`;
+}
+// src/review/agents/compliance-agent.ts
+var COMPLIANCE_DESCRIPTOR = {
+  domain: "compliance",
+  tier: "standard",
+  displayName: "Compliance",
+  focusAreas: [
+    "Spec alignment \u2014 implementation matches design doc",
+    "API surface \u2014 new public interfaces are minimal and well-named",
+    "Backward compatibility \u2014 no breaking changes without migration path",
+    "Convention adherence \u2014 project conventions from CLAUDE.md/AGENTS.md followed",
+    "Documentation completeness \u2014 all public interfaces documented"
+  ]
+};
+function extractConventionRules(bundle) {
+  const rules = [];
+  const conventionFiles = bundle.contextFiles.filter((f) => f.reason === "convention");
+  for (const file of conventionFiles) {
+    const lines = file.content.split("\n");
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith("- ") || trimmed.startsWith("* ")) {
+        rules.push({ text: trimmed.slice(2).trim(), source: file.path });
+      }
+    }
+  }
+  return rules;
+}
+function findMissingJsDoc(bundle) {
+  const missing = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const exportMatch = line.match(
+        /export\s+(?:async\s+)?(?:function|const|class|interface|type)\s+(\w+)/
+      );
+      if (exportMatch) {
+        let hasJsDoc = false;
+        for (let j = i - 1; j >= 0; j--) {
+          const prev = lines[j].trim();
+          if (prev === "") continue;
+          if (prev.endsWith("*/")) {
+            hasJsDoc = true;
+          }
+          break;
+        }
+        if (!hasJsDoc) {
+          missing.push({
+            file: cf.path,
+            line: i + 1,
+            exportName: exportMatch[1]
+          });
+        }
+      }
+    }
+  }
+  return missing;
+}
+function runComplianceAgent(bundle) {
+  const findings = [];
+  const rules = extractConventionRules(bundle);
+  const jsDocRuleExists = rules.some((r) => r.text.toLowerCase().includes("jsdoc"));
+  if (jsDocRuleExists) {
+    const missingDocs = findMissingJsDoc(bundle);
+    for (const m of missingDocs) {
+      findings.push({
+        id: makeFindingId("compliance", m.file, m.line, `Missing JSDoc ${m.exportName}`),
+        file: m.file,
+        lineRange: [m.line, m.line],
+        domain: "compliance",
+        severity: "important",
+        title: `Missing JSDoc on exported \`${m.exportName}\``,
+        rationale: `Convention requires all exports to have JSDoc comments (from ${rules.find((r) => r.text.toLowerCase().includes("jsdoc"))?.source ?? "conventions"}).`,
+        suggestion: `Add a JSDoc comment above the export of \`${m.exportName}\`.`,
+        evidence: [
+          `changeType: ${bundle.changeType}`,
+          `Convention rule: "${rules.find((r) => r.text.toLowerCase().includes("jsdoc"))?.text ?? ""}"`
+        ],
+        validatedBy: "heuristic"
+      });
+    }
+  }
+  switch (bundle.changeType) {
+    case "feature": {
+      const hasSpecContext = bundle.contextFiles.some(
+        (f) => f.reason === "spec" || f.reason === "convention"
+      );
+      if (!hasSpecContext && bundle.changedFiles.length > 0) {
+        const firstFile = bundle.changedFiles[0];
+        findings.push({
+          id: makeFindingId("compliance", firstFile.path, 1, "No spec for feature"),
+          file: firstFile.path,
+          lineRange: [1, 1],
+          domain: "compliance",
+          severity: "suggestion",
+          title: "No spec/design doc found for feature change",
+          rationale: "Feature changes should reference a spec or design doc to verify alignment. No spec context was included in the review bundle.",
+          evidence: [`changeType: feature`, `contextFiles count: ${bundle.contextFiles.length}`],
+          validatedBy: "heuristic"
+        });
+      }
+      break;
+    }
+    case "bugfix": {
+      if (bundle.commitHistory.length === 0 && bundle.changedFiles.length > 0) {
+        const firstFile = bundle.changedFiles[0];
+        findings.push({
+          id: makeFindingId("compliance", firstFile.path, 1, "Bugfix no history"),
+          file: firstFile.path,
+          lineRange: [1, 1],
+          domain: "compliance",
+          severity: "suggestion",
+          title: "Bugfix without commit history context",
+          rationale: "Bugfix changes benefit from commit history to verify the root cause is addressed, not just the symptom. No commit history was provided.",
+          evidence: [`changeType: bugfix`, `commitHistory entries: ${bundle.commitHistory.length}`],
+          validatedBy: "heuristic"
+        });
+      }
+      break;
+    }
+    case "refactor": {
+      break;
+    }
+    case "docs": {
+      break;
+    }
+  }
+  const resultTypeRule = rules.find((r) => r.text.toLowerCase().includes("result type"));
+  if (resultTypeRule) {
+    for (const cf of bundle.changedFiles) {
+      const hasTryCatch = cf.content.includes("try {") || cf.content.includes("try{");
+      const usesResult = cf.content.includes("Result<") || cf.content.includes("Result >") || cf.content.includes(": Result");
+      if (hasTryCatch && !usesResult) {
+        findings.push({
+          id: makeFindingId("compliance", cf.path, 1, "try-catch not Result"),
+          file: cf.path,
+          lineRange: [1, cf.lines],
+          domain: "compliance",
+          severity: "suggestion",
+          title: "Fallible operation uses try/catch instead of Result type",
+          rationale: `Convention requires using Result type for fallible operations (from ${resultTypeRule.source}).`,
+          suggestion: "Refactor error handling to use the Result type pattern.",
+          evidence: [
+            `changeType: ${bundle.changeType}`,
+            `Convention rule: "${resultTypeRule.text}"`
+          ],
+          validatedBy: "heuristic"
+        });
+      }
+    }
+  }
+  return findings;
+}
+// src/review/agents/bug-agent.ts
+var BUG_DETECTION_DESCRIPTOR = {
+  domain: "bug",
+  tier: "strong",
+  displayName: "Bug Detection",
+  focusAreas: [
+    "Edge cases \u2014 boundary conditions, empty input, max values, null, concurrent access",
+    "Error handling \u2014 errors handled at appropriate level, no silent swallowing",
+    "Logic errors \u2014 off-by-one, incorrect boolean logic, missing early returns",
+    "Race conditions \u2014 concurrent access to shared state",
+    "Resource leaks \u2014 unclosed handles, missing cleanup in error paths",
+    "Type safety \u2014 type mismatches, unsafe casts, missing null checks",
+    "Test coverage \u2014 tests for happy path, error paths, and edge cases"
+  ]
+};
+function detectDivisionByZero(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (line.match(/[^=!<>]\s*\/\s*[a-zA-Z_]\w*/) && !line.includes("//")) {
+        const preceding = lines.slice(Math.max(0, i - 3), i).join("\n");
+        if (!preceding.includes("=== 0") && !preceding.includes("!== 0") && !preceding.includes("== 0") && !preceding.includes("!= 0")) {
+          findings.push({
+            id: makeFindingId("bug", cf.path, i + 1, "division by zero"),
+            file: cf.path,
+            lineRange: [i + 1, i + 1],
+            domain: "bug",
+            severity: "important",
+            title: "Potential division by zero without guard",
+            rationale: "Division operation found without a preceding zero check on the divisor. This can cause Infinity or NaN at runtime.",
+            suggestion: "Add a check for zero before dividing, or use a safe division utility.",
+            evidence: [`Line ${i + 1}: ${line.trim()}`],
+            validatedBy: "heuristic"
+          });
+        }
+      }
+    }
+  }
+  return findings;
+}
+function detectEmptyCatch(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (line.match(/catch\s*\([^)]*\)\s*\{\s*\}/) || line.match(/catch\s*\([^)]*\)\s*\{/) && i + 1 < lines.length && lines[i + 1].trim() === "}") {
+        findings.push({
+          id: makeFindingId("bug", cf.path, i + 1, "empty catch block"),
+          file: cf.path,
+          lineRange: [i + 1, i + 2],
+          domain: "bug",
+          severity: "important",
+          title: "Empty catch block silently swallows error",
+          rationale: "Catching an error without handling, logging, or re-throwing it hides failures and makes debugging difficult.",
+          suggestion: "Log the error, re-throw it, or handle it explicitly. If intentionally ignoring, add a comment explaining why.",
+          evidence: [`Line ${i + 1}: ${line.trim()}`],
+          validatedBy: "heuristic"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function detectMissingTests(bundle) {
+  const findings = [];
+  const hasTestFiles = bundle.contextFiles.some((f) => f.reason === "test");
+  if (!hasTestFiles) {
+    const sourceFiles = bundle.changedFiles.filter(
+      (f) => !f.path.match(/\.(test|spec)\.(ts|tsx|js|jsx)$/)
+    );
+    if (sourceFiles.length > 0) {
+      const firstFile = sourceFiles[0];
+      findings.push({
+        id: makeFindingId("bug", firstFile.path, 1, "no test files"),
+        file: firstFile.path,
+        lineRange: [1, 1],
+        domain: "bug",
+        severity: "suggestion",
+        title: "No test files found for changed source files",
+        rationale: "Changed source files should have corresponding test files. No test files were found in the review context.",
+        evidence: [`Source files without tests: ${sourceFiles.map((f) => f.path).join(", ")}`],
+        validatedBy: "heuristic"
+      });
+    }
+  }
+  return findings;
+}
+function runBugDetectionAgent(bundle) {
+  const findings = [];
+  findings.push(...detectDivisionByZero(bundle));
+  findings.push(...detectEmptyCatch(bundle));
+  findings.push(...detectMissingTests(bundle));
+  return findings;
+}
+// src/review/agents/security-agent.ts
+var SECURITY_DESCRIPTOR = {
+  domain: "security",
+  tier: "strong",
+  displayName: "Security",
+  focusAreas: [
+    "Input validation \u2014 user input flowing to dangerous sinks (SQL, shell, HTML)",
+    "Authorization \u2014 missing auth checks on new/modified endpoints",
+    "Data exposure \u2014 sensitive data in logs, error messages, API responses",
+    "Authentication bypass \u2014 paths introduced by the change",
+    "Insecure defaults \u2014 new configuration options with unsafe defaults",
+    "Node.js specific \u2014 prototype pollution, ReDoS, path traversal"
+  ]
+};
+var EVAL_PATTERN = /\beval\s*\(|new\s+Function\s*\(/;
+var SECRET_PATTERNS = [
+  /(?:api[_-]?key|secret|password|token|private[_-]?key)\s*=\s*["'][^"']{8,}/i,
+  /["'](?:sk|pk|api|key|secret|token|password)[-_][a-zA-Z0-9]{10,}["']/i
+];
+var SQL_CONCAT_PATTERN = /(?:SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)\s+.*?\+\s*\w+|`[^`]*\$\{[^}]*\}[^`]*(?:SELECT|INSERT|UPDATE|DELETE|WHERE)/i;
+var SHELL_EXEC_PATTERN = /(?:exec|execSync|spawn|spawnSync)\s*\(\s*`[^`]*\$\{/;
+function detectEvalUsage(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (EVAL_PATTERN.test(line)) {
+        findings.push({
+          id: makeFindingId("security", cf.path, i + 1, "eval usage CWE-94"),
+          file: cf.path,
+          lineRange: [i + 1, i + 1],
+          domain: "security",
+          severity: "critical",
+          title: `Dangerous ${"eval"}() or new ${"Function"}() usage`,
+          rationale: `${"eval"}() and new ${"Function"}() execute arbitrary code. If user input reaches these calls, it enables Remote Code Execution (CWE-94).`,
+          suggestion: "Replace eval/Function with a safe alternative (JSON.parse for data, a sandboxed evaluator for expressions).",
+          evidence: [`Line ${i + 1}: ${line.trim()}`],
+          validatedBy: "heuristic",
+          cweId: "CWE-94",
+          owaspCategory: "A03:2021 Injection",
+          confidence: "high",
+          remediation: "Replace eval/Function with a safe alternative (JSON.parse for data, a sandboxed evaluator for expressions).",
+          references: [
+            "https://cwe.mitre.org/data/definitions/94.html",
+            "https://owasp.org/Top10/A03_2021-Injection/"
+          ]
+        });
+      }
+    }
+  }
+  return findings;
+}
+function detectHardcodedSecrets(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const codePart = line.includes("//") ? line.slice(0, line.indexOf("//")) : line;
+      for (const pattern of SECRET_PATTERNS) {
+        if (pattern.test(codePart)) {
+          findings.push({
+            id: makeFindingId("security", cf.path, i + 1, "hardcoded secret CWE-798"),
+            file: cf.path,
+            lineRange: [i + 1, i + 1],
+            domain: "security",
+            severity: "critical",
+            title: "Hardcoded secret or API key detected",
+            rationale: "Hardcoded secrets in source code can be extracted from version history even after removal. Use environment variables or a secrets manager (CWE-798).",
+            suggestion: "Move the secret to an environment variable and access it via process.env.",
+            evidence: [`Line ${i + 1}: [secret detected \u2014 value redacted]`],
+            validatedBy: "heuristic",
+            cweId: "CWE-798",
+            owaspCategory: "A07:2021 Identification and Authentication Failures",
+            confidence: "high",
+            remediation: "Move the secret to an environment variable and access it via process.env.",
+            references: [
+              "https://cwe.mitre.org/data/definitions/798.html",
+              "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
+            ]
+          });
+          break;
+        }
+      }
+    }
+  }
+  return findings;
+}
+function detectSqlInjection(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (SQL_CONCAT_PATTERN.test(line)) {
+        findings.push({
+          id: makeFindingId("security", cf.path, i + 1, "SQL injection CWE-89"),
+          file: cf.path,
+          lineRange: [i + 1, i + 1],
+          domain: "security",
+          severity: "critical",
+          title: "Potential SQL injection via string concatenation",
+          rationale: "Building SQL queries with string concatenation or template literals allows attackers to inject malicious SQL (CWE-89).",
+          suggestion: "Use parameterized queries or a query builder (e.g., Knex, Prisma) instead of string concatenation.",
+          evidence: [`Line ${i + 1}: ${line.trim()}`],
+          validatedBy: "heuristic",
+          cweId: "CWE-89",
+          owaspCategory: "A03:2021 Injection",
+          confidence: "high",
+          remediation: "Use parameterized queries or a query builder (e.g., Knex, Prisma) instead of string concatenation.",
+          references: [
+            "https://cwe.mitre.org/data/definitions/89.html",
+            "https://owasp.org/Top10/A03_2021-Injection/"
+          ]
+        });
+      }
+    }
+  }
+  return findings;
+}
+function detectCommandInjection(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    const lines = cf.content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (SHELL_EXEC_PATTERN.test(line)) {
+        findings.push({
+          id: makeFindingId("security", cf.path, i + 1, "command injection CWE-78"),
+          file: cf.path,
+          lineRange: [i + 1, i + 1],
+          domain: "security",
+          severity: "critical",
+          title: "Potential command injection via shell exec with interpolation",
+          rationale: "Using exec/spawn with template literal interpolation allows attackers to inject shell commands (CWE-78).",
+          suggestion: "Use execFile or spawn with an arguments array instead of shell string interpolation.",
+          evidence: [`Line ${i + 1}: ${line.trim()}`],
+          validatedBy: "heuristic",
+          cweId: "CWE-78",
+          owaspCategory: "A03:2021 Injection",
+          confidence: "high",
+          remediation: "Use execFile or spawn with an arguments array instead of shell string interpolation.",
+          references: [
+            "https://cwe.mitre.org/data/definitions/78.html",
+            "https://owasp.org/Top10/A03_2021-Injection/"
+          ]
+        });
+      }
+    }
+  }
+  return findings;
+}
+function runSecurityAgent(bundle) {
+  const findings = [];
+  findings.push(...detectEvalUsage(bundle));
+  findings.push(...detectHardcodedSecrets(bundle));
+  findings.push(...detectSqlInjection(bundle));
+  findings.push(...detectCommandInjection(bundle));
+  return findings;
+}
+// src/review/agents/architecture-agent.ts
+var ARCHITECTURE_DESCRIPTOR = {
+  domain: "architecture",
+  tier: "standard",
+  displayName: "Architecture",
+  focusAreas: [
+    "Layer compliance \u2014 imports flow in the correct direction per architectural layers",
+    "Dependency direction \u2014 modules depend on abstractions, not concretions",
+    "Single Responsibility \u2014 each module has one reason to change",
+    "Pattern consistency \u2014 code follows established codebase patterns",
+    "Separation of concerns \u2014 business logic separated from infrastructure",
+    "DRY violations \u2014 duplicated logic that should be extracted (excluding intentional duplication)"
+  ]
+};
+var LARGE_FILE_THRESHOLD = 300;
+function detectLayerViolations(bundle) {
+  const findings = [];
+  const checkDepsFile = bundle.contextFiles.find((f) => f.path === "harness-check-deps-output");
+  if (!checkDepsFile) return findings;
+  const lines = checkDepsFile.content.split("\n");
+  for (const line of lines) {
+    if (line.toLowerCase().includes("violation") || line.toLowerCase().includes("layer")) {
+      const fileMatch = line.match(/(?:in\s+)?(\S+\.(?:ts|tsx|js|jsx))(?::(\d+))?/);
+      const file = fileMatch?.[1] ?? bundle.changedFiles[0]?.path ?? "unknown";
+      const lineNum = fileMatch?.[2] ? parseInt(fileMatch[2], 10) : 1;
+      findings.push({
+        id: makeFindingId("arch", file, lineNum, "layer violation"),
+        file,
+        lineRange: [lineNum, lineNum],
+        domain: "architecture",
+        severity: "critical",
+        title: "Layer boundary violation detected by check-deps",
+        rationale: `Architectural layer violation: ${line.trim()}. Imports must flow in the correct direction per the project's layer definitions.`,
+        suggestion: "Route the dependency through the correct intermediate layer (e.g., routes -> services -> db, not routes -> db).",
+        evidence: [line.trim()],
+        validatedBy: "heuristic"
+      });
+    }
+  }
+  return findings;
+}
+function detectLargeFiles(bundle) {
+  const findings = [];
+  for (const cf of bundle.changedFiles) {
+    if (cf.lines > LARGE_FILE_THRESHOLD) {
+      findings.push({
+        id: makeFindingId("arch", cf.path, 1, "large file SRP"),
+        file: cf.path,
+        lineRange: [1, cf.lines],
+        domain: "architecture",
+        severity: "suggestion",
+        title: `Large file (${cf.lines} lines) may violate Single Responsibility`,
+        rationale: `Files over ${LARGE_FILE_THRESHOLD} lines often contain multiple responsibilities. Consider splitting into focused modules.`,
+        suggestion: "Identify distinct responsibilities and extract them into separate modules.",
+        evidence: [`File has ${cf.lines} lines (threshold: ${LARGE_FILE_THRESHOLD})`],
+        validatedBy: "heuristic"
+      });
+    }
+  }
+  return findings;
+}
+function detectCircularImports(bundle) {
+  const findings = [];
+  const changedPaths = new Set(bundle.changedFiles.map((f) => f.path));
+  for (const cf of bundle.changedFiles) {
+    const importRegex = /import\s+.*?from\s+['"]([^'"]+)['"]/g;
+    let match;
+    const imports = /* @__PURE__ */ new Set();
+    while ((match = importRegex.exec(cf.content)) !== null) {
+      const source = match[1];
+      if (source.startsWith(".")) {
+        imports.add(source.replace(/^\.\//, "").replace(/^\.\.\//, ""));
+      }
+    }
+    for (const ctxFile of bundle.contextFiles) {
+      if (ctxFile.reason !== "import" && ctxFile.reason !== "graph-dependency") continue;
+      const ctxImportRegex = /import\s+.*?from\s+['"]([^'"]+)['"]/g;
+      let ctxMatch;
+      while ((ctxMatch = ctxImportRegex.exec(ctxFile.content)) !== null) {
+        const ctxSource = ctxMatch[1];
+        if (ctxSource.startsWith(".")) {
+          for (const changedPath of changedPaths) {
+            const baseName = changedPath.replace(/.*\//, "").replace(/\.(ts|tsx|js|jsx)$/, "");
+            if (ctxSource.includes(baseName) && imports.has(ctxFile.path.replace(/.*\//, "").replace(/\.(ts|tsx|js|jsx)$/, ""))) {
+              findings.push({
+                id: makeFindingId("arch", cf.path, 1, `circular ${ctxFile.path}`),
+                file: cf.path,
+                lineRange: [1, 1],
+                domain: "architecture",
+                severity: "important",
+                title: `Potential circular import between ${cf.path} and ${ctxFile.path}`,
+                rationale: "Circular imports can cause runtime issues (undefined values at import time) and indicate tightly coupled modules that should be refactored.",
+                suggestion: "Extract shared types/interfaces into a separate module that both files can import from.",
+                evidence: [`${cf.path} imports from a module that also imports from ${cf.path}`],
+                validatedBy: "heuristic"
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+  return findings;
+}
+function runArchitectureAgent(bundle) {
+  const findings = [];
+  findings.push(...detectLayerViolations(bundle));
+  findings.push(...detectLargeFiles(bundle));
+  findings.push(...detectCircularImports(bundle));
+  return findings;
+}
+// src/review/agents/index.ts
+var AGENT_DESCRIPTORS = {
+  compliance: COMPLIANCE_DESCRIPTOR,
+  bug: BUG_DETECTION_DESCRIPTOR,
+  security: SECURITY_DESCRIPTOR,
+  architecture: ARCHITECTURE_DESCRIPTOR
+};
+// src/review/fan-out.ts
+var AGENT_RUNNERS = {
+  compliance: runComplianceAgent,
+  bug: runBugDetectionAgent,
+  security: runSecurityAgent,
+  architecture: runArchitectureAgent
+};
+async function runAgent(bundle) {
+  const start = Date.now();
+  const runner = AGENT_RUNNERS[bundle.domain];
+  const findings = runner(bundle);
+  const durationMs = Date.now() - start;
+  return {
+    domain: bundle.domain,
+    findings,
+    durationMs
+  };
+}
+async function fanOutReview(options) {
+  const { bundles } = options;
+  if (bundles.length === 0) return [];
+  const results = await Promise.all(bundles.map((bundle) => runAgent(bundle)));
+  return results;
+}
+// src/review/validate-findings.ts
+import * as path8 from "path";
+var DOWNGRADE_MAP = {
+  critical: "important",
+  important: "suggestion",
+  suggestion: "suggestion"
+};
+function extractCrossFileRefs(finding) {
+  const refs = [];
+  const crossFilePattern = /([^\s]+\.(?:ts|tsx|js|jsx))\s+affects\s+([^\s]+\.(?:ts|tsx|js|jsx))/i;
+  for (const ev of finding.evidence) {
+    const match = ev.match(crossFilePattern);
+    if (match) {
+      refs.push({ from: match[1], to: match[2] });
+    }
+  }
+  return refs;
+}
+function normalizePath(filePath, projectRoot) {
+  let normalized = filePath;
+  if (path8.isAbsolute(normalized)) {
+    const root = projectRoot.endsWith(path8.sep) ? projectRoot : projectRoot + path8.sep;
+    if (normalized.startsWith(root)) {
+      normalized = normalized.slice(root.length);
+    }
+  }
+  if (normalized.startsWith("./")) {
+    normalized = normalized.slice(2);
+  }
+  return path8.normalize(normalized);
+}
+function followImportChain(fromFile, fileContents, maxDepth = 2) {
+  const visited = /* @__PURE__ */ new Set();
+  const queue = [{ file: fromFile, depth: 0 }];
+  while (queue.length > 0) {
+    const current = queue.shift();
+    if (visited.has(current.file) || current.depth > maxDepth) continue;
+    visited.add(current.file);
+    const content = fileContents.get(current.file);
+    if (!content) continue;
+    const importRegex = /import\s+.*?from\s+['"]([^'"]+)['"]/g;
+    let match;
+    while ((match = importRegex.exec(content)) !== null) {
+      const importPath = match[1];
+      if (!importPath.startsWith(".")) continue;
+      const dir = path8.dirname(current.file);
+      let resolved = path8.join(dir, importPath);
+      if (!resolved.match(/\.(ts|tsx|js|jsx)$/)) {
+        resolved += ".ts";
+      }
+      resolved = path8.normalize(resolved);
+      if (!visited.has(resolved) && current.depth + 1 <= maxDepth) {
+        queue.push({ file: resolved, depth: current.depth + 1 });
+      }
+    }
+  }
+  visited.delete(fromFile);
+  return visited;
+}
+async function validateFindings(options) {
+  const { findings, exclusionSet, graph, projectRoot, fileContents } = options;
+  const validated = [];
+  for (const finding of findings) {
+    const normalizedFile = normalizePath(finding.file, projectRoot);
+    if (exclusionSet.isExcluded(normalizedFile, finding.lineRange) || exclusionSet.isExcluded(finding.file, finding.lineRange)) {
+      continue;
+    }
+    const absoluteFile = path8.isAbsolute(finding.file) ? finding.file : path8.join(projectRoot, finding.file);
+    if (exclusionSet.isExcluded(absoluteFile, finding.lineRange)) {
+      continue;
+    }
+    const crossFileRefs = extractCrossFileRefs(finding);
+    if (crossFileRefs.length === 0) {
+      validated.push({ ...finding });
+      continue;
+    }
+    if (graph) {
+      try {
+        let allReachable = true;
+        for (const ref of crossFileRefs) {
+          const reachable = await graph.isReachable(ref.from, ref.to);
+          if (!reachable) {
+            allReachable = false;
+            break;
+          }
+        }
+        if (allReachable) {
+          validated.push({ ...finding, validatedBy: "graph" });
+        }
+        continue;
+      } catch {
+      }
+    }
+    {
+      let chainValidated = false;
+      if (fileContents) {
+        for (const ref of crossFileRefs) {
+          const normalizedFrom = normalizePath(ref.from, projectRoot);
+          const reachable = followImportChain(normalizedFrom, fileContents, 2);
+          const normalizedTo = normalizePath(ref.to, projectRoot);
+          if (reachable.has(normalizedTo)) {
+            chainValidated = true;
+            break;
+          }
+        }
+      }
+      if (chainValidated) {
+        validated.push({ ...finding, validatedBy: "heuristic" });
+      } else {
+        validated.push({
+          ...finding,
+          severity: DOWNGRADE_MAP[finding.severity],
+          validatedBy: "heuristic"
+        });
+      }
+    }
+  }
+  return validated;
+}
+// src/review/deduplicate-findings.ts
+function rangesOverlap(a, b, gap) {
+  return a[0] <= b[1] + gap && b[0] <= a[1] + gap;
+}
+function mergeFindings(a, b) {
+  const highestSeverity = SEVERITY_RANK[a.severity] >= SEVERITY_RANK[b.severity] ? a.severity : b.severity;
+  const highestValidatedBy = (VALIDATED_BY_RANK[a.validatedBy] ?? 0) >= (VALIDATED_BY_RANK[b.validatedBy] ?? 0) ? a.validatedBy : b.validatedBy;
+  const longestRationale = a.rationale.length >= b.rationale.length ? a.rationale : b.rationale;
+  const evidenceSet = /* @__PURE__ */ new Set([...a.evidence, ...b.evidence]);
+  const lineRange = [
+    Math.min(a.lineRange[0], b.lineRange[0]),
+    Math.max(a.lineRange[1], b.lineRange[1])
+  ];
+  const domains = /* @__PURE__ */ new Set();
+  domains.add(a.domain);
+  domains.add(b.domain);
+  const suggestion = a.suggestion && b.suggestion ? a.suggestion.length >= b.suggestion.length ? a.suggestion : b.suggestion : a.suggestion ?? b.suggestion;
+  const primaryFinding = SEVERITY_RANK[a.severity] >= SEVERITY_RANK[b.severity] ? a : b;
+  const domainList = [...domains].sort().join(", ");
+  const cleanTitle = primaryFinding.title.replace(/^\[.*?\]\s*/, "");
+  const title = `[${domainList}] ${cleanTitle}`;
+  const merged = {
+    id: primaryFinding.id,
+    file: a.file,
+    // same file for all merged findings
+    lineRange,
+    domain: primaryFinding.domain,
+    severity: highestSeverity,
+    title,
+    rationale: longestRationale,
+    evidence: [...evidenceSet],
+    validatedBy: highestValidatedBy
+  };
+  if (suggestion !== void 0) {
+    merged.suggestion = suggestion;
+  }
+  const cweId = primaryFinding.cweId ?? a.cweId ?? b.cweId;
+  const owaspCategory = primaryFinding.owaspCategory ?? a.owaspCategory ?? b.owaspCategory;
+  const confidence = primaryFinding.confidence ?? a.confidence ?? b.confidence;
+  const remediation = a.remediation && b.remediation ? a.remediation.length >= b.remediation.length ? a.remediation : b.remediation : a.remediation ?? b.remediation;
+  const mergedRefs = [.../* @__PURE__ */ new Set([...a.references ?? [], ...b.references ?? []])];
+  if (cweId !== void 0) merged.cweId = cweId;
+  if (owaspCategory !== void 0) merged.owaspCategory = owaspCategory;
+  if (confidence !== void 0) merged.confidence = confidence;
+  if (remediation !== void 0) merged.remediation = remediation;
+  if (mergedRefs.length > 0) merged.references = mergedRefs;
+  return merged;
+}
+function deduplicateFindings(options) {
+  const { findings, lineGap = 3 } = options;
+  if (findings.length === 0) return [];
+  const byFile = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const existing = byFile.get(f.file);
+    if (existing) {
+      existing.push(f);
+    } else {
+      byFile.set(f.file, [f]);
+    }
+  }
+  const result = [];
+  for (const [, fileFindings] of byFile) {
+    const sorted = [...fileFindings].sort((a, b) => a.lineRange[0] - b.lineRange[0]);
+    const clusters = [];
+    let current = sorted[0];
+    for (let i = 1; i < sorted.length; i++) {
+      const next = sorted[i];
+      if (rangesOverlap(current.lineRange, next.lineRange, lineGap)) {
+        current = mergeFindings(current, next);
+      } else {
+        clusters.push(current);
+        current = next;
+      }
+    }
+    clusters.push(current);
+    result.push(...clusters);
+  }
+  return result;
+}
+// src/review/eligibility-gate.ts
+function checkEligibility(pr, ciMode) {
+  if (!ciMode) {
+    return { eligible: true };
+  }
+  if (pr.state === "closed") {
+    return { eligible: false, reason: "PR is closed" };
+  }
+  if (pr.state === "merged") {
+    return { eligible: false, reason: "PR is merged" };
+  }
+  if (pr.isDraft) {
+    return { eligible: false, reason: "PR is a draft" };
+  }
+  if (pr.changedFiles.length > 0 && pr.changedFiles.every((f) => f.endsWith(".md"))) {
+    return { eligible: false, reason: "Trivial change: documentation only" };
+  }
+  const priorMatch = pr.priorReviews.find((r) => r.headSha === pr.headSha);
+  if (priorMatch) {
+    return { eligible: false, reason: `Already reviewed at ${priorMatch.headSha}` };
+  }
+  return { eligible: true };
+}
+// src/review/model-tier-resolver.ts
+var DEFAULT_PROVIDER_TIERS = {
+  claude: {
+    fast: "haiku",
+    standard: "sonnet",
+    strong: "opus"
+  },
+  openai: {
+    fast: "gpt-4o-mini",
+    standard: "gpt-4o",
+    strong: "o1"
+  },
+  gemini: {
+    fast: "gemini-flash",
+    standard: "gemini-pro",
+    strong: "gemini-ultra"
+  }
+};
+function resolveModelTier(tier, config, provider) {
+  const configValue = config?.[tier];
+  if (configValue !== void 0) {
+    return configValue;
+  }
+  if (provider) {
+    const providerDefaults = DEFAULT_PROVIDER_TIERS[provider];
+    const defaultValue = providerDefaults[tier];
+    if (defaultValue !== void 0) {
+      return defaultValue;
+    }
+  }
+  return void 0;
+}
+// src/review/output/assessment.ts
+function determineAssessment(findings) {
+  if (findings.length === 0) return "approve";
+  let maxSeverity = "suggestion";
+  for (const f of findings) {
+    if (SEVERITY_RANK[f.severity] > SEVERITY_RANK[maxSeverity]) {
+      maxSeverity = f.severity;
+    }
+  }
+  switch (maxSeverity) {
+    case "critical":
+      return "request-changes";
+    case "important":
+      return "comment";
+    case "suggestion":
+      return "approve";
+  }
+}
+function getExitCode(assessment) {
+  return assessment === "request-changes" ? 1 : 0;
+}
+// src/review/output/format-terminal.ts
+function formatFindingBlock(finding) {
+  const lines = [];
+  const location = `${finding.file}:L${finding.lineRange[0]}-${finding.lineRange[1]}`;
+  lines.push(`  [${finding.domain}] ${finding.title}`);
+  lines.push(`    Location: ${location}`);
+  lines.push(`    Rationale: ${finding.rationale}`);
+  if (finding.suggestion) {
+    lines.push(`    Suggestion: ${finding.suggestion}`);
+  }
+  return lines.join("\n");
+}
+function formatTerminalOutput(options) {
+  const { findings, strengths } = options;
+  const sections = [];
+  sections.push("## Strengths\n");
+  if (strengths.length === 0) {
+    sections.push("  No specific strengths noted.\n");
+  } else {
+    for (const s of strengths) {
+      const prefix = s.file ? `${s.file}: ` : "";
+      sections.push(`  + ${prefix}${s.description}`);
+    }
+    sections.push("");
+  }
+  sections.push("## Issues\n");
+  let hasIssues = false;
+  for (const severity of SEVERITY_ORDER) {
+    const group = findings.filter((f) => f.severity === severity);
+    if (group.length === 0) continue;
+    hasIssues = true;
+    sections.push(`### ${SEVERITY_LABELS[severity]} (${group.length})
+`);
+    for (const finding of group) {
+      sections.push(formatFindingBlock(finding));
+      sections.push("");
+    }
+  }
+  if (!hasIssues) {
+    sections.push("  No issues found.\n");
+  }
+  const assessment = determineAssessment(findings);
+  const assessmentLabel = assessment === "approve" ? "Approve" : assessment === "comment" ? "Comment" : "Request Changes";
+  sections.push(`## Assessment: ${assessmentLabel}
+`);
+  const issueCount = findings.length;
+  const criticalCount = findings.filter((f) => f.severity === "critical").length;
+  const importantCount = findings.filter((f) => f.severity === "important").length;
+  const suggestionCount = findings.filter((f) => f.severity === "suggestion").length;
+  if (issueCount === 0) {
+    sections.push("  No issues found. The changes look good.");
+  } else {
+    const parts = [];
+    if (criticalCount > 0) parts.push(`${criticalCount} critical`);
+    if (importantCount > 0) parts.push(`${importantCount} important`);
+    if (suggestionCount > 0) parts.push(`${suggestionCount} suggestion(s)`);
+    sections.push(`  Found ${issueCount} issue(s): ${parts.join(", ")}.`);
+  }
+  return sections.join("\n");
+}
+// src/review/output/format-github.ts
+var SMALL_SUGGESTION_LINE_LIMIT = 10;
+function sanitizeMarkdown(text) {
+  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function isSmallSuggestion(suggestion) {
+  if (!suggestion) return false;
+  const lineCount = suggestion.split("\n").length;
+  return lineCount < SMALL_SUGGESTION_LINE_LIMIT;
+}
+function formatGitHubComment(finding) {
+  const severityBadge = `**${finding.severity.toUpperCase()}**`;
+  const header = `${severityBadge} [${finding.domain}] ${sanitizeMarkdown(finding.title)}`;
+  let body;
+  if (isSmallSuggestion(finding.suggestion)) {
+    body = [
+      header,
+      "",
+      sanitizeMarkdown(finding.rationale),
+      "",
+      "```suggestion",
+      finding.suggestion,
+      "```"
+    ].join("\n");
+  } else {
+    const parts = [header, "", `**Rationale:** ${sanitizeMarkdown(finding.rationale)}`];
+    if (finding.suggestion) {
+      parts.push("", `**Suggested approach:** ${sanitizeMarkdown(finding.suggestion)}`);
+    }
+    body = parts.join("\n");
+  }
+  return {
+    path: finding.file,
+    line: finding.lineRange[1],
+    // Comment on end line of range
+    side: "RIGHT",
+    body
+  };
+}
+function formatGitHubSummary(options) {
+  const { findings, strengths } = options;
+  const sections = [];
+  sections.push("## Strengths\n");
+  if (strengths.length === 0) {
+    sections.push("No specific strengths noted.\n");
+  } else {
+    for (const s of strengths) {
+      const prefix = s.file ? `**${s.file}:** ` : "";
+      sections.push(`- ${prefix}${sanitizeMarkdown(s.description)}`);
+    }
+    sections.push("");
+  }
+  sections.push("## Issues\n");
+  let hasIssues = false;
+  for (const severity of SEVERITY_ORDER) {
+    const group = findings.filter((f) => f.severity === severity);
+    if (group.length === 0) continue;
+    hasIssues = true;
+    sections.push(`### ${SEVERITY_LABELS[severity]} (${group.length})
+`);
+    for (const finding of group) {
+      const location = `\`${finding.file}:L${finding.lineRange[0]}-${finding.lineRange[1]}\``;
+      sections.push(`- **${sanitizeMarkdown(finding.title)}** at ${location}`);
+      sections.push(`  ${sanitizeMarkdown(finding.rationale)}`);
+      sections.push("");
+    }
+  }
+  if (!hasIssues) {
+    sections.push("No issues found.\n");
+  }
+  const assessment = determineAssessment(findings);
+  const assessmentLabel = assessment === "approve" ? "Approve" : assessment === "comment" ? "Comment" : "Request Changes";
+  sections.push(`## Assessment: ${assessmentLabel}`);
+  return sections.join("\n");
+}
+// src/review/pipeline-orchestrator.ts
+async function runReviewPipeline(options) {
+  const {
+    projectRoot,
+    diff,
+    commitMessage,
+    flags,
+    graph,
+    prMetadata,
+    conventionFiles,
+    checkDepsOutput,
+    config = {},
+    commitHistory
+  } = options;
+  if (flags.ci && prMetadata) {
+    const eligibility = checkEligibility(prMetadata, true);
+    if (!eligibility.eligible) {
+      return {
+        skipped: true,
+        ...eligibility.reason != null ? { skipReason: eligibility.reason } : {},
+        stoppedByMechanical: false,
+        findings: [],
+        strengths: [],
+        terminalOutput: `Review skipped: ${eligibility.reason ?? "ineligible"}`,
+        githubComments: [],
+        exitCode: 0
+      };
+    }
+  }
+  let mechanicalResult;
+  let exclusionSet;
+  if (flags.noMechanical) {
+    exclusionSet = buildExclusionSet([]);
+  } else {
+    try {
+      const mechResult = await runMechanicalChecks({
+        projectRoot,
+        config,
+        changedFiles: diff.changedFiles
+      });
+      if (mechResult.ok) {
+        mechanicalResult = mechResult.value;
+        exclusionSet = buildExclusionSet(mechResult.value.findings);
+        if (mechResult.value.stopPipeline) {
+          const mechFindings = mechResult.value.findings.filter((f) => f.severity === "error").map((f) => `  x ${f.tool}: ${f.file}${f.line ? `:${f.line}` : ""} - ${f.message}`).join("\n");
+          const terminalOutput2 = [
+            "## Strengths\n",
+            "  No AI review performed (mechanical checks failed).\n",
+            "## Issues\n",
+            "### Critical (mechanical)\n",
+            mechFindings,
+            "\n## Assessment: Request Changes\n",
+            "  Mechanical checks must pass before AI review."
+          ].join("\n");
+          return {
+            skipped: false,
+            stoppedByMechanical: true,
+            assessment: "request-changes",
+            findings: [],
+            strengths: [],
+            terminalOutput: terminalOutput2,
+            githubComments: [],
+            exitCode: 1,
+            mechanicalResult
+          };
+        }
+      } else {
+        exclusionSet = buildExclusionSet([]);
+      }
+    } catch {
+      exclusionSet = buildExclusionSet([]);
+    }
+  }
+  let contextBundles;
+  try {
+    contextBundles = await scopeContext({
+      projectRoot,
+      diff,
+      commitMessage,
+      ...graph != null ? { graph } : {},
+      ...conventionFiles != null ? { conventionFiles } : {},
+      ...checkDepsOutput != null ? { checkDepsOutput } : {},
+      ...commitHistory != null ? { commitHistory } : {}
+    });
+  } catch {
+    contextBundles = ["compliance", "bug", "security", "architecture"].map((domain) => ({
+      domain,
+      changeType: "feature",
+      changedFiles: [],
+      contextFiles: [],
+      commitHistory: [],
+      diffLines: diff.totalDiffLines,
+      contextLines: 0
+    }));
+  }
+  const agentResults = await fanOutReview({ bundles: contextBundles });
+  const rawFindings = agentResults.flatMap((r) => r.findings);
+  const fileContents = /* @__PURE__ */ new Map();
+  for (const [file, content] of diff.fileDiffs) {
+    fileContents.set(file, content);
+  }
+  const validatedFindings = await validateFindings({
+    findings: rawFindings,
+    exclusionSet,
+    ...graph != null ? { graph } : {},
+    projectRoot,
+    fileContents
+  });
+  const dedupedFindings = deduplicateFindings({ findings: validatedFindings });
+  const strengths = [];
+  const assessment = determineAssessment(dedupedFindings);
+  const exitCode = getExitCode(assessment);
+  const terminalOutput = formatTerminalOutput({
+    findings: dedupedFindings,
+    strengths
+  });
+  let githubComments = [];
+  if (flags.comment) {
+    githubComments = dedupedFindings.map((f) => formatGitHubComment(f));
+  }
+  return {
+    skipped: false,
+    stoppedByMechanical: false,
+    assessment,
+    findings: dedupedFindings,
+    strengths,
+    terminalOutput,
+    githubComments,
+    exitCode,
+    ...mechanicalResult !== void 0 ? { mechanicalResult } : {}
+  };
+}
+// src/roadmap/parse.ts
+import { Ok as Ok2, Err as Err2 } from "@harness-engineering/types";
+var VALID_STATUSES = /* @__PURE__ */ new Set([
+  "backlog",
+  "planned",
+  "in-progress",
+  "done",
+  "blocked"
+]);
+var EM_DASH = "\u2014";
+function parseRoadmap(markdown) {
+  const fmMatch = markdown.match(/^---\n([\s\S]*?)\n---/);
+  if (!fmMatch) {
+    return Err2(new Error("Missing or malformed YAML frontmatter"));
+  }
+  const fmResult = parseFrontmatter(fmMatch[1]);
+  if (!fmResult.ok) return fmResult;
+  const body = markdown.slice(fmMatch[0].length);
+  const milestonesResult = parseMilestones(body);
+  if (!milestonesResult.ok) return milestonesResult;
+  return Ok2({
+    frontmatter: fmResult.value,
+    milestones: milestonesResult.value
+  });
+}
+function parseFrontmatter(raw) {
+  const lines = raw.split("\n");
+  const map = /* @__PURE__ */ new Map();
+  for (const line of lines) {
+    const idx = line.indexOf(":");
+    if (idx === -1) continue;
+    const key = line.slice(0, idx).trim();
+    const val = line.slice(idx + 1).trim();
+    map.set(key, val);
+  }
+  const project = map.get("project");
+  const versionStr = map.get("version");
+  const lastSynced = map.get("last_synced");
+  const lastManualEdit = map.get("last_manual_edit");
+  if (!project || !versionStr || !lastSynced || !lastManualEdit) {
+    return Err2(
+      new Error(
+        "Frontmatter missing required fields: project, version, last_synced, last_manual_edit"
+      )
+    );
+  }
+  const version = parseInt(versionStr, 10);
+  if (isNaN(version)) {
+    return Err2(new Error("Frontmatter version must be a number"));
+  }
+  return Ok2({ project, version, lastSynced, lastManualEdit });
+}
+function parseMilestones(body) {
+  const milestones = [];
+  const h2Pattern = /^## (.+)$/gm;
+  const h2Matches = [];
+  let match;
+  while ((match = h2Pattern.exec(body)) !== null) {
+    h2Matches.push({ heading: match[1], startIndex: match.index });
+  }
+  for (let i = 0; i < h2Matches.length; i++) {
+    const h2 = h2Matches[i];
+    const nextStart = i + 1 < h2Matches.length ? h2Matches[i + 1].startIndex : body.length;
+    const sectionBody = body.slice(h2.startIndex + h2.heading.length + 4, nextStart);
+    const isBacklog = h2.heading === "Backlog";
+    const milestoneName = isBacklog ? "Backlog" : h2.heading.replace(/^Milestone:\s*/, "");
+    const featuresResult = parseFeatures(sectionBody);
+    if (!featuresResult.ok) return featuresResult;
+    milestones.push({
+      name: milestoneName,
+      isBacklog,
+      features: featuresResult.value
+    });
+  }
+  return Ok2(milestones);
+}
+function parseFeatures(sectionBody) {
+  const features = [];
+  const h3Pattern = /^### Feature: (.+)$/gm;
+  const h3Matches = [];
+  let match;
+  while ((match = h3Pattern.exec(sectionBody)) !== null) {
+    h3Matches.push({ name: match[1], startIndex: match.index });
+  }
+  for (let i = 0; i < h3Matches.length; i++) {
+    const h3 = h3Matches[i];
+    const nextStart = i + 1 < h3Matches.length ? h3Matches[i + 1].startIndex : sectionBody.length;
+    const featureBody = sectionBody.slice(
+      h3.startIndex + `### Feature: ${h3.name}`.length,
+      nextStart
+    );
+    const featureResult = parseFeatureFields(h3.name, featureBody);
+    if (!featureResult.ok) return featureResult;
+    features.push(featureResult.value);
+  }
+  return Ok2(features);
+}
+function parseFeatureFields(name, body) {
+  const fieldMap = /* @__PURE__ */ new Map();
+  const fieldPattern = /^- \*\*(.+?):\*\* (.+)$/gm;
+  let match;
+  while ((match = fieldPattern.exec(body)) !== null) {
+    fieldMap.set(match[1], match[2]);
+  }
+  const statusRaw = fieldMap.get("Status");
+  if (!statusRaw || !VALID_STATUSES.has(statusRaw)) {
+    return Err2(
+      new Error(
+        `Feature "${name}" has invalid status: "${statusRaw ?? "(missing)"}". Valid statuses: ${[...VALID_STATUSES].join(", ")}`
+      )
+    );
+  }
+  const status = statusRaw;
+  const specRaw = fieldMap.get("Spec") ?? EM_DASH;
+  const spec = specRaw === EM_DASH ? null : specRaw;
+  const plansRaw = fieldMap.get("Plans") ?? EM_DASH;
+  const plans = plansRaw === EM_DASH ? [] : plansRaw.split(",").map((p) => p.trim());
+  const blockedByRaw = fieldMap.get("Blocked by") ?? EM_DASH;
+  const blockedBy = blockedByRaw === EM_DASH ? [] : blockedByRaw.split(",").map((b) => b.trim());
+  const summary = fieldMap.get("Summary") ?? "";
+  return Ok2({ name, status, spec, plans, blockedBy, summary });
+}
+// src/roadmap/serialize.ts
+var EM_DASH2 = "\u2014";
+function serializeRoadmap(roadmap) {
+  const lines = [];
+  lines.push("---");
+  lines.push(`project: ${roadmap.frontmatter.project}`);
+  lines.push(`version: ${roadmap.frontmatter.version}`);
+  lines.push(`last_synced: ${roadmap.frontmatter.lastSynced}`);
+  lines.push(`last_manual_edit: ${roadmap.frontmatter.lastManualEdit}`);
+  lines.push("---");
+  lines.push("");
+  lines.push("# Project Roadmap");
+  for (const milestone of roadmap.milestones) {
+    lines.push("");
+    lines.push(serializeMilestoneHeading(milestone));
+    for (const feature of milestone.features) {
+      lines.push("");
+      lines.push(...serializeFeature(feature));
+    }
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+function serializeMilestoneHeading(milestone) {
+  return milestone.isBacklog ? "## Backlog" : `## Milestone: ${milestone.name}`;
+}
+function serializeFeature(feature) {
+  const spec = feature.spec ?? EM_DASH2;
+  const plans = feature.plans.length > 0 ? feature.plans.join(", ") : EM_DASH2;
+  const blockedBy = feature.blockedBy.length > 0 ? feature.blockedBy.join(", ") : EM_DASH2;
+  return [
+    `### Feature: ${feature.name}`,
+    `- **Status:** ${feature.status}`,
+    `- **Spec:** ${spec}`,
+    `- **Plans:** ${plans}`,
+    `- **Blocked by:** ${blockedBy}`,
+    `- **Summary:** ${feature.summary}`
+  ];
+}
+// src/roadmap/sync.ts
+import * as fs7 from "fs";
+import * as path9 from "path";
+import { Ok as Ok3 } from "@harness-engineering/types";
+function inferStatus(feature, projectPath, allFeatures) {
+  if (feature.blockedBy.length > 0) {
+    const blockerNotDone = feature.blockedBy.some((blockerName) => {
+      const blocker = allFeatures.find((f) => f.name.toLowerCase() === blockerName.toLowerCase());
+      return !blocker || blocker.status !== "done";
+    });
+    if (blockerNotDone) return "blocked";
+  }
+  if (feature.plans.length === 0) return null;
+  const allTaskStatuses = [];
+  const featuresWithPlans = allFeatures.filter((f) => f.plans.length > 0);
+  const useRootState = featuresWithPlans.length <= 1;
+  if (useRootState) {
+    const rootStatePath = path9.join(projectPath, ".harness", "state.json");
+    if (fs7.existsSync(rootStatePath)) {
+      try {
+        const raw = fs7.readFileSync(rootStatePath, "utf-8");
+        const state = JSON.parse(raw);
+        if (state.progress) {
+          for (const status of Object.values(state.progress)) {
+            allTaskStatuses.push(status);
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  const sessionsDir = path9.join(projectPath, ".harness", "sessions");
+  if (fs7.existsSync(sessionsDir)) {
+    try {
+      const sessionDirs = fs7.readdirSync(sessionsDir, { withFileTypes: true });
+      for (const entry of sessionDirs) {
+        if (!entry.isDirectory()) continue;
+        const autopilotPath = path9.join(sessionsDir, entry.name, "autopilot-state.json");
+        if (!fs7.existsSync(autopilotPath)) continue;
+        try {
+          const raw = fs7.readFileSync(autopilotPath, "utf-8");
+          const autopilot = JSON.parse(raw);
+          if (!autopilot.phases) continue;
+          const linkedPhases = autopilot.phases.filter(
+            (phase) => phase.planPath ? feature.plans.some((p) => p === phase.planPath || phase.planPath.endsWith(p)) : false
+          );
+          if (linkedPhases.length > 0) {
+            for (const phase of linkedPhases) {
+              if (phase.status === "complete") {
+                allTaskStatuses.push("complete");
+              } else if (phase.status === "pending") {
+                allTaskStatuses.push("pending");
+              } else {
+                allTaskStatuses.push("in_progress");
+              }
+            }
+          }
+        } catch {
+        }
+      }
+    } catch {
+    }
+  }
+  if (allTaskStatuses.length === 0) return null;
+  const allComplete = allTaskStatuses.every((s) => s === "complete");
+  if (allComplete) return "done";
+  const anyStarted = allTaskStatuses.some((s) => s === "in_progress" || s === "complete");
+  if (anyStarted) return "in-progress";
+  return null;
+}
+function syncRoadmap(options) {
+  const { projectPath, roadmap, forceSync } = options;
+  const isManuallyEdited = new Date(roadmap.frontmatter.lastManualEdit) > new Date(roadmap.frontmatter.lastSynced);
+  const skipOverride = isManuallyEdited && !forceSync;
+  const allFeatures = roadmap.milestones.flatMap((m) => m.features);
+  const changes = [];
+  for (const feature of allFeatures) {
+    if (skipOverride) continue;
+    const inferred = inferStatus(feature, projectPath, allFeatures);
+    if (inferred === null) continue;
+    if (inferred === feature.status) continue;
+    changes.push({
+      feature: feature.name,
+      from: feature.status,
+      to: inferred
+    });
+  }
+  return Ok3(changes);
+}
+// src/interaction/types.ts
+import { z as z5 } from "zod";
+var InteractionTypeSchema = z5.enum(["question", "confirmation", "transition"]);
+var QuestionSchema = z5.object({
+  text: z5.string(),
+  options: z5.array(z5.string()).optional(),
+  default: z5.string().optional()
+});
+var ConfirmationSchema = z5.object({
+  text: z5.string(),
+  context: z5.string()
+});
+var TransitionSchema = z5.object({
+  completedPhase: z5.string(),
+  suggestedNext: z5.string(),
+  reason: z5.string(),
+  artifacts: z5.array(z5.string()),
+  requiresConfirmation: z5.boolean(),
+  summary: z5.string()
+});
+var EmitInteractionInputSchema = z5.object({
+  path: z5.string(),
+  type: InteractionTypeSchema,
+  stream: z5.string().optional(),
+  question: QuestionSchema.optional(),
+  confirmation: ConfirmationSchema.optional(),
+  transition: TransitionSchema.optional()
+});
+// src/update-checker.ts
+import * as fs8 from "fs";
+import * as path10 from "path";
+import * as os from "os";
+import { spawn } from "child_process";
+function getStatePath() {
+  return path10.join(os.homedir(), ".harness", "update-check.json");
+}
+function isUpdateCheckEnabled(configInterval) {
+  if (process.env["HARNESS_NO_UPDATE_CHECK"] === "1") return false;
+  if (configInterval === 0) return false;
+  return true;
+}
+function shouldRunCheck(state, intervalMs) {
+  if (state === null) return true;
+  return state.lastCheckTime + intervalMs <= Date.now();
+}
+function readCheckState() {
+  try {
+    const raw = fs8.readFileSync(getStatePath(), "utf-8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed === "object" && parsed !== null && "lastCheckTime" in parsed && typeof parsed.lastCheckTime === "number" && "currentVersion" in parsed && typeof parsed.currentVersion === "string") {
+      const state = parsed;
+      return {
+        lastCheckTime: state.lastCheckTime,
+        latestVersion: typeof state.latestVersion === "string" ? state.latestVersion : null,
+        currentVersion: state.currentVersion
+      };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function spawnBackgroundCheck(currentVersion) {
+  const statePath = getStatePath();
+  const stateDir = path10.dirname(statePath);
+  const script = `
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+try {
+  const latest = execSync('npm view @harness-engineering/cli dist-tags.latest', {
+    encoding: 'utf-8',
+    timeout: 15000,
+    stdio: ['ignore', 'pipe', 'ignore'],
+  }).trim();
+  const stateDir = ${JSON.stringify(stateDir)};
+  const statePath = ${JSON.stringify(statePath)};
+  fs.mkdirSync(stateDir, { recursive: true });
+  const tmpFile = path.join(stateDir, '.update-check-' + crypto.randomBytes(4).toString('hex') + '.tmp');
+  fs.writeFileSync(tmpFile, JSON.stringify({
+    lastCheckTime: Date.now(),
+    latestVersion: latest || null,
+    currentVersion: ${JSON.stringify(currentVersion)},
+  }), { mode: 0o644 });
+  fs.renameSync(tmpFile, statePath);
+} catch (_) {}
+`.trim();
+  try {
+    const child = spawn(process.execPath, ["-e", script], {
+      detached: true,
+      stdio: "ignore"
+    });
+    child.unref();
+  } catch {
+  }
+}
+function compareVersions(a, b) {
+  const pa = a.split(".").map(Number);
+  const pb = b.split(".").map(Number);
+  for (let i = 0; i < 3; i++) {
+    const na = pa[i] ?? 0;
+    const nb = pb[i] ?? 0;
+    if (na > nb) return 1;
+    if (na < nb) return -1;
+  }
+  return 0;
+}
+function getUpdateNotification(currentVersion) {
+  const state = readCheckState();
+  if (!state) return null;
+  if (!state.latestVersion) return null;
+  if (compareVersions(state.latestVersion, currentVersion) <= 0) return null;
+  return `Update available: v${currentVersion} -> v${state.latestVersion}
+Run "harness update" to upgrade.`;
+}
 // src/index.ts
-var VERSION = "0.6.0";
+var VERSION = "0.8.0";
 export {
+  AGENT_DESCRIPTORS,
+  ARCHITECTURE_DESCRIPTOR,
   AgentActionEmitter,
+  BUG_DETECTION_DESCRIPTOR,
+  BaselineManager,
+  BenchmarkRunner,
+  COMPLIANCE_DESCRIPTOR,
   ChecklistBuilder,
+  ConfirmationSchema,
   ConsoleSink,
+  CriticalPathResolver,
+  DEFAULT_PROVIDER_TIERS,
+  DEFAULT_SECURITY_CONFIG,
   DEFAULT_STATE,
+  DEFAULT_STREAM_INDEX,
+  EmitInteractionInputSchema,
   EntropyAnalyzer,
   EntropyConfigSchema,
+  ExclusionSet,
   FailureEntrySchema,
   FileSink,
   GateConfigSchema,
   GateResultSchema,
   HandoffSchema,
   HarnessStateSchema,
+  InteractionTypeSchema,
   NoOpExecutor,
   NoOpSink,
   NoOpTelemetryAdapter,
   PatternConfigSchema,
+  QuestionSchema,
   REQUIRED_SECTIONS,
+  RegressionDetector,
+  RuleRegistry,
+  SECURITY_DESCRIPTOR,
+  SecurityConfigSchema,
+  SecurityScanner,
+  StreamIndexSchema,
+  StreamInfoSchema,
+  TransitionSchema,
   TypeScriptParser,
   VERSION,
   analyzeDiff,
   appendFailure,
   appendLearning,
   applyFixes,
+  applyHotspotDowngrade,
   archiveFailures,
+  archiveStream,
   buildDependencyGraph,
+  buildExclusionSet,
   buildSnapshot,
   checkDocCoverage,
+  checkEligibility,
+  classifyFinding,
   configureFeedback,
   contextBudget,
   contextFilter,
   createBoundaryValidator,
+  createCommentedCodeFixes,
   createError,
   createFixes,
+  createForbiddenImportFixes,
+  createOrphanedDepFixes,
   createParseError,
   createSelfReview,
+  createStream,
+  cryptoRules,
+  deduplicateCleanupFindings,
+  deduplicateFindings,
   defineLayer,
+  deserializationRules,
+  detectChangeType,
   detectCircularDeps,
   detectCircularDepsInFiles,
+  detectComplexityViolations,
+  detectCouplingViolations,
   detectDeadCode,
   detectDocDrift,
   detectPatternViolations,
+  detectSizeBudgetViolations,
+  detectStack,
+  determineAssessment,
   executeWorkflow,
+  expressRules,
   extractMarkdownLinks,
   extractSections,
+  fanOutReview,
+  formatFindingBlock,
+  formatGitHubComment,
+  formatGitHubSummary,
+  formatTerminalOutput,
   generateAgentsMap,
   generateSuggestions,
   getActionEmitter,
+  getExitCode,
   getFeedbackConfig,
   getPhaseCategories,
+  getStreamForBranch,
+  getUpdateNotification,
+  goRules,
+  injectionRules,
+  isSmallSuggestion,
+  isUpdateCheckEnabled,
+  listStreams,
   loadFailures,
   loadHandoff,
   loadRelevantLearnings,
   loadState,
+  loadStreamIndex,
   logAgentAction,
+  migrateToStreams,
+  networkRules,
+  nodeRules,
   parseDiff,
+  parseRoadmap,
+  parseSecurityConfig,
+  parseSize,
+  pathTraversalRules,
   previewFix,
+  reactRules,
+  readCheckState,
   requestMultiplePeerReviews,
   requestPeerReview,
   resetFeedbackConfig,
   resolveFileToLayer,
+  resolveModelTier,
+  resolveRuleSeverity,
+  resolveStreamPath,
+  runArchitectureAgent,
+  runBugDetectionAgent,
   runCIChecks,
+  runComplianceAgent,
+  runMechanicalChecks,
   runMechanicalGate,
   runMultiTurnPipeline,
   runPipeline,
+  runReviewPipeline,
+  runSecurityAgent,
   saveHandoff,
   saveState,
+  saveStreamIndex,
+  scopeContext,
+  secretRules,
+  serializeRoadmap,
+  setActiveStream,
+  shouldRunCheck,
+  spawnBackgroundCheck,
+  syncRoadmap,
+  touchStream,
   trackAction,
   validateAgentsMap,
   validateBoundaries,
@@ -4415,6 +8531,8 @@ export {
   validateConfig,
   validateDependencies,
   validateFileStructure,
+  validateFindings,
   validateKnowledgeMap,
-  validatePatternConfig
+  validatePatternConfig,
+  xssRules
 };