@hegemonart/get-design-done 1.57.1 → 1.57.2

package/hooks/first-run-nudge.sh

@@ -1,82 +0,0 @@
-#!/usr/bin/env bash
-# get-design-done — first-run nudge (Phase 14.7)
-# SessionStart hook. Silent-on-failure by policy: exits 0 on every error path.
-# Prints exactly one restrained line pointing at /gdd:start when all gates pass,
-# and nothing otherwise.
-
-set -u  # intentionally no -e: we want to fall through to exit 0
-
-# Silent logger — writes nothing by default. Set GDD_NUDGE_DEBUG=1 to enable stderr.
-log() {
-  if [ "${GDD_NUDGE_DEBUG:-0}" = "1" ]; then
-    printf '[gdd first-run-nudge] %s\n' "$*" >&2
-  fi
-}
-
-DESIGN_DIR="$(pwd)/.design"
-STATE="${DESIGN_DIR}/STATE.md"
-CONFIG="${DESIGN_DIR}/config.json"
-DISMISS_FLAG="${HOME:-$USERPROFILE}/.claude/gdd-nudge-dismissed"
-
-# Gate 1 — repo already has GDD state, suppress.
-has_design_state() {
-  [ -f "${CONFIG}" ] || [ -f "${STATE}" ]
-}
-
-# Gate 2 — per-install dismissal flag.
-is_dismissed() {
-  [ -f "${DISMISS_FLAG}" ]
-}
-
-# Gate 3 — STATE.md stage belongs to an active pipeline window.
-# Inherits the shape used by Phase 13.3 update-check.sh.
-read_state_stage() {
-  [ -f "${STATE}" ] || { printf ''; return; }
-  grep -E '^stage:' "${STATE}" 2>/dev/null | head -n1 | \
-    sed -E 's/^stage:[[:space:]]*"?([^"[:space:]]+)"?.*/\1/'
-}
-
-is_active_stage() {
-  local s
-  s="$(read_state_stage)"
-  case "${s}" in
-    plan|design|verify|executing|discussing) return 0 ;;
-    *) return 1 ;;
-  esac
-}
-
-# Gate 4 — recent session history has a gdd:* command. We cannot reliably read
-# session history from a hook in all runtimes; when the signal is unavailable,
-# treat it as "unknown → not suppressed". This preserves the nudge's
-# usefulness without creating false suppression.
-has_recent_gdd_command() {
-  # Placeholder: no portable transcript path exposed to SessionStart hooks today.
-  # Keep the function for future wiring; for now always returns non-zero (unknown).
-  return 1
-}
-
-# MANDATORY sourcing guard: unit tests source this script to test the helper
-# functions without executing the main flow. Non-negotiable.
-if [ "${BASH_SOURCE[0]}" = "$0" ]; then
-  if has_design_state; then
-    log "design state present — suppress"
-    exit 0
-  fi
-  if is_dismissed; then
-    log "dismissal flag present — suppress"
-    exit 0
-  fi
-  if is_active_stage; then
-    log "active stage — suppress"
-    exit 0
-  fi
-  if has_recent_gdd_command; then
-    log "recent gdd:* command detected — suppress"
-    exit 0
-  fi
-  # All gates passed — emit the locked one-line nudge.
-  printf 'Tip: run /gdd:start to let GDD inspect this codebase and suggest one first fix.\n'
-  exit 0
-fi
-# When sourced (BASH_SOURCE != $0), fall through with function definitions loaded
-# and without side effects.

package/hooks/inject-using-gdd.sh

@@ -1,72 +0,0 @@
-#!/usr/bin/env bash
-# hooks/inject-using-gdd.sh — SessionStart per-harness context injector (D-07).
-#
-# The forcing function GDD lacked: on every session start / /clear / compact this
-# reads skills/using-gdd/SKILL.md (the bootstrap discipline contract) and emits it
-# as the host harness's SessionStart "additionalContext" shape so the agent is
-# primed with the 1%-rule + red-flags + skill-priority before it acts.
-#
-# Ported MECHANISM (not content) from obra/superpowers (MIT): one polyglot script,
-# env-var branch, pure-bash escape_for_json (no jq/python dependency). See NOTICE.
-#
-# Three emitted shapes (ONE JSON object on stdout, nothing else):
-#   Cursor       (CURSOR_PLUGIN_ROOT set)        -> {"additional_context": "<escaped>"}
-#   Claude Code  (CLAUDE_PLUGIN_ROOT set, no Cursor)
-#                                                -> {"hookSpecificOutput":
-#                                                     {"hookEventName":"SessionStart",
-#                                                      "additionalContext":"<escaped>"}}
-#   SDK-standard (neither; e.g. COPILOT_CLI)     -> {"additionalContext": "<escaped>"}
-#
-# Branch order: check Cursor BEFORE Claude Code — a Cursor session may also export
-# CLAUDE_PLUGIN_ROOT, and Cursor's own var must win.
-#
-# NO-CASCADE (D-06): this script is wired ONLY under the SessionStart hook event in
-# hooks/hooks.json. Subagent spawns do not fire SessionStart, so the inject cannot
-# cascade into a subagent's context. (Structural guarantee; behavioral proof = P33.)
-
-set -u
-
-# --- Resolve the plugin root so we can locate skills/using-gdd/SKILL.md ---------
-# Prefer the harness-provided roots; fall back to this script's parent dir so the
-# emitter is runnable straight from hooks/ in tests and in bare shells.
-SELF_DIR="$(cd "$(dirname "$0")" && pwd)"
-ROOT="${CURSOR_PLUGIN_ROOT:-${CLAUDE_PLUGIN_ROOT:-${SELF_DIR}/..}}"
-ROOT="${ROOT//\\//}"  # normalize Windows backslashes to forward slashes
-SKILL="${ROOT}/skills/using-gdd/SKILL.md"
-
-# Defensive: if the skill file is missing we must STILL emit a syntactically valid
-# JSON object (an empty additionalContext) so the SessionStart pipeline never
-# breaks on a partial install. Never crash the session start.
-if [[ -r "${SKILL}" ]]; then
-  CONTENT="$(cat "${SKILL}")"
-else
-  CONTENT=""
-fi
-
-# --- escape_for_json (superpowers pattern; pure bash param-substitution) --------
-# Order matters: backslash FIRST (so escapes we add next aren't re-escaped), then
-# double-quote, then the control chars newline / tab / carriage-return. Emits the
-# value WITH surrounding double-quotes so callers can splice it directly.
-escape_for_json() {
-  local s="$1"
-  s="${s//\\/\\\\}"   # \  -> \\
-  s="${s//\"/\\\"}"   # "  -> \"
-  s="${s//$'\t'/\\t}" # tab -> \t
-  s="${s//$'\r'/\\r}" # CR  -> \r
-  s="${s//$'\n'/\\n}" # LF  -> \n  (do last: newlines are the record separator)
-  printf '"%s"' "$s"
-}
-
-ESCAPED="$(escape_for_json "${CONTENT}")"
-
-# --- Branch on harness env vars and emit the matching single JSON object --------
-if [[ -n "${CURSOR_PLUGIN_ROOT:-}" ]]; then
-  # Cursor: top-level additional_context.
-  printf '{"additional_context": %s}\n' "${ESCAPED}"
-elif [[ -n "${CLAUDE_PLUGIN_ROOT:-}" ]]; then
-  # Claude Code: hookSpecificOutput envelope (mirrors hooks/gdd-decision-injector.js).
-  printf '{"hookSpecificOutput": {"hookEventName": "SessionStart", "additionalContext": %s}}\n' "${ESCAPED}"
-else
-  # SDK-standard (COPILOT_CLI or none): top-level additionalContext.
-  printf '{"additionalContext": %s}\n' "${ESCAPED}"
-fi

package/hooks/update-check.sh

@@ -1,251 +0,0 @@
-#!/usr/bin/env bash
-# get-design-done — update check (Phase 13.3)
-# SessionStart hook. Silent-on-failure by policy (D-04): exits 0 on every error path.
-# 24h-cached unauthenticated GET of /releases/latest. Renders .design/update-available.md
-# only when a newer version exists AND it is not dismissed AND stage-guard allows.
-
-set -u  # intentionally no -e: we want to fall through to exit 0
-
-PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
-PLUGIN_ROOT="${PLUGIN_ROOT//\\//}"  # Windows → POSIX slashes
-
-DESIGN_DIR="$(pwd)/.design"
-CACHE="${DESIGN_DIR}/update-cache.json"
-BANNER="${DESIGN_DIR}/update-available.md"
-CONFIG="${DESIGN_DIR}/config.json"
-STATE="${DESIGN_DIR}/STATE.md"
-CACHE_TTL_SECONDS=86400  # 24h
-
-# Silent logger — writes nothing by default. Set GDD_UPDATE_DEBUG=1 to enable stderr.
-log() {
-  if [ "${GDD_UPDATE_DEBUG:-0}" = "1" ]; then
-    printf '[gdd update-check] %s\n' "$*" >&2
-  fi
-}
-
-# Ensure .design/ exists (bootstrap normally creates it; belt+suspenders).
-mkdir -p "${DESIGN_DIR}" 2>/dev/null || exit 0
-
-# ---- Read current plugin version (no jq) ----
-PLUGIN_JSON="${PLUGIN_ROOT}/.claude-plugin/plugin.json"
-
-read_current_tag() {
-  [ -f "${PLUGIN_JSON}" ] || return 1
-  grep -E '^[[:space:]]*"version"[[:space:]]*:' "${PLUGIN_JSON}" | head -n1 | \
-    sed -E 's/.*"version"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/'
-}
-
-# ---- Semver normalizer: "v1.0.7" -> "1 0 7 0"; "v1.0.7.3" -> "1 0 7 3" ----
-normalize_semver() {
-  local t="${1#v}"
-  # strip any -pre/-beta suffix after first hyphen (unauth'd API rarely surfaces these, best-effort)
-  t="${t%%-*}"
-  # Replace dots with spaces; pad to 4 segments
-  # shellcheck disable=SC2086
-  set -- $(printf '%s' "${t}" | tr '.' ' ')
-  local a="${1:-0}" b="${2:-0}" c="${3:-0}" d="${4:-0}"
-  # Sanitize to digits only (POSIX: tr -cd 0-9 — BSD+GNU safe)
-  a="$(printf '%s' "$a" | tr -cd '0-9')"; a="${a:-0}"
-  b="$(printf '%s' "$b" | tr -cd '0-9')"; b="${b:-0}"
-  c="$(printf '%s' "$c" | tr -cd '0-9')"; c="${c:-0}"
-  d="$(printf '%s' "$d" | tr -cd '0-9')"; d="${d:-0}"
-  printf '%s %s %s %s' "$a" "$b" "$c" "$d"
-}
-
-# ---- Classify delta: compare 4-segment tuples ----
-# Args: current_tag latest_tag
-# Prints: "newer|same|older|invalid" + "major|minor|patch|off-cadence|none"
-classify_delta() {
-  local cur lat
-  cur="$(normalize_semver "$1")" || { printf 'invalid none'; return; }
-  lat="$(normalize_semver "$2")" || { printf 'invalid none'; return; }
-  # shellcheck disable=SC2086
-  set -- $cur; local ca="$1" cb="$2" cc="$3" cd="$4"
-  # shellcheck disable=SC2086
-  set -- $lat; local la="$1" lb="$2" lc="$3" ld="$4"
-
-  # Per-segment integer compare (lexicographic per segment by numeric value)
-  if   [ "$la" -gt "$ca" ]; then printf 'newer major'; return
-  elif [ "$la" -lt "$ca" ]; then printf 'older major'; return
-  fi
-  if   [ "$lb" -gt "$cb" ]; then printf 'newer minor'; return
-  elif [ "$lb" -lt "$cb" ]; then printf 'older minor'; return
-  fi
-  if   [ "$lc" -gt "$cc" ]; then printf 'newer patch'; return
-  elif [ "$lc" -lt "$cc" ]; then printf 'older patch'; return
-  fi
-  if   [ "$ld" -gt "$cd" ]; then printf 'newer off-cadence'; return
-  elif [ "$ld" -lt "$cd" ]; then printf 'older off-cadence'; return
-  fi
-  printf 'same none'
-}
-
-# ---- Cache freshness check: returns 0 if fresh (<24h old), 1 if stale or missing ----
-is_cache_fresh() {
-  [ -f "${CACHE}" ] || return 1
-  local now mtime age
-  now="$(date +%s)"
-  # BSD date -r on macOS; GNU stat -c on Linux; fall back to perl then python.
-  if mtime="$(date -r "${CACHE}" +%s 2>/dev/null)"; then :
-  elif mtime="$(stat -c %Y "${CACHE}" 2>/dev/null)"; then :
-  elif mtime="$(perl -e 'print((stat shift)[9])' "${CACHE}" 2>/dev/null)"; then :
-  else return 1
-  fi
-  [ -n "${mtime:-}" ] || return 1
-  age=$((now - mtime))
-  [ "${age}" -lt "${CACHE_TTL_SECONDS}" ]
-}
-
-# ---- Fetch latest release. Writes raw body to stdout on success, nothing on failure. ----
-fetch_latest() {
-  command -v curl >/dev/null 2>&1 || { log "no curl"; return 1; }
-  local url="https://api.github.com/repos/hegemonart/get-design-done/releases/latest"
-  curl -sf --max-time 3 -H 'Accept: application/vnd.github+json' "${url}" 2>/dev/null || return 1
-}
-
-# ---- Extract fields from the release JSON (no jq). Robust to whitespace; fails soft. ----
-extract_tag() {
-  grep -E '"tag_name"[[:space:]]*:' | head -n1 | sed -E 's/.*"tag_name"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/'
-}
-# Body extraction: python3-only. If python3 is absent, we intentionally return empty
-# (D-04 silent-on-failure posture). No awk/sed fallback — JSON string decoding in pure
-# bash is fragile and untested; empty excerpt is the correct degraded state.
-extract_body() {
-  command -v python3 >/dev/null 2>&1 || return 0
-  python3 -c 'import json,sys
-try:
-  d=json.load(sys.stdin)
-  b=d.get("body","") or ""
-  print(b[:500])
-except Exception:
-  pass' 2>/dev/null
-}
-
-# ---- Read .design/STATE.md stage field. Returns "brief"|"explore"|"plan"|"design"|"verify"|"" ----
-# Schema source: reference/STATE-TEMPLATE.md — `stage:` lives in both the frontmatter
-# and the <position> block with identical values per the write contract. We take the
-# first occurrence (head -n1), which is the frontmatter line.
-read_state_stage() {
-  [ -f "${STATE}" ] || { printf ''; return; }
-  grep -E '^stage:' "${STATE}" 2>/dev/null | head -n1 | sed -E 's/^stage:[[:space:]]*"?([^"[:space:]]+)"?.*/\1/'
-}
-
-# ---- Read .design/config.json for update_dismissed. Returns tag or empty. ----
-read_dismissed() {
-  [ -f "${CONFIG}" ] || { printf ''; return; }
-  grep -E '"update_dismissed"[[:space:]]*:' "${CONFIG}" 2>/dev/null | head -n1 | \
-    sed -E 's/.*"update_dismissed"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/'
-}
-
-# ---- Main control flow ----
-# MANDATORY sourcing guard: wrap the entire main flow so that `source update-check.sh`
-# (used by unit tests and interactive debugging) loads the function definitions without
-# executing steps 1-6 and exiting the sourcing shell. This is non-negotiable — the
-# semver self-test acceptance criterion sources this script.
-if [ "${BASH_SOURCE[0]}" = "$0" ]; then
-
-  CURRENT_TAG="$(read_current_tag)" || { log "no plugin.json"; exit 0; }
-  [ -n "${CURRENT_TAG:-}" ] || { log "no current version parsed"; exit 0; }
-  # Normalize to "vX.Y.Z" shape for display (plugin.json stores bare "1.0.7")
-  DISPLAY_CURRENT="v${CURRENT_TAG#v}"
-
-  # Optional --refresh forces a fresh fetch (called by plan 13.3-04's /gdd:check-update --refresh).
-  FORCE_REFRESH=0
-  for arg in "$@"; do
-    case "$arg" in
-      --refresh) FORCE_REFRESH=1 ;;
-    esac
-  done
-
-  # 1. Populate cache if missing/stale or forced.
-  if [ "${FORCE_REFRESH}" -eq 1 ] || ! is_cache_fresh; then
-    RAW="$(fetch_latest)" || RAW=""
-    if [ -n "${RAW}" ]; then
-      LATEST_TAG="$(printf '%s' "${RAW}" | extract_tag)"
-      BODY_EXCERPT="$(printf '%s' "${RAW}" | extract_body)"
-      # Strip control chars defensively (T-13.3-03)
-      BODY_EXCERPT="$(printf '%s' "${BODY_EXCERPT}" | tr -d '\000-\010\013\014\016-\037')"
-      # Strip double-quotes so the JSON round-trip sed read-back cannot be injected via a
-      # crafted release body. Body is display-only — losing quotes is acceptable.
-      BODY_EXCERPT="$(printf '%s' "${BODY_EXCERPT}" | tr -d '"')"
-      # Validate LATEST_TAG is a safe semver string before trusting it (CR-02).
-      if ! printf '%s' "${LATEST_TAG}" | grep -qE '^v?[0-9]+\.[0-9]+(\.[0-9]+)*$'; then
-        log "LATEST_TAG '${LATEST_TAG}' failed semver safety check — aborting cache write"
-        LATEST_TAG=""
-      fi
-      if [ -n "${LATEST_TAG}" ]; then
-        read -r DELTA_STATE DELTA_KIND <<EOF
-$(classify_delta "${DISPLAY_CURRENT}" "${LATEST_TAG}")
-EOF
-        IS_NEWER=false
-        [ "${DELTA_STATE}" = "newer" ] && IS_NEWER=true
-        CHECKED_AT="$(date +%s)"
-        # Write cache atomically (write-to-tmp + rename) — T-13.3-04 mitigation
-        TMP="${CACHE}.tmp.$$"
-        {
-          printf '{\n'
-          printf '  "checked_at": %s,\n' "${CHECKED_AT}"
-          printf '  "current_tag": "%s",\n' "${DISPLAY_CURRENT}"
-          printf '  "latest_tag": "%s",\n' "${LATEST_TAG}"
-          printf '  "delta": "%s",\n' "${DELTA_KIND}"
-          printf '  "is_newer": %s,\n' "${IS_NEWER}"
-          # Escape the body for JSON — backslashes first, then quotes, then newlines.
-          ESC="$(printf '%s' "${BODY_EXCERPT}" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | awk '{printf "%s\\n", $0}')"
-          printf '  "changelog_excerpt": "%s"\n' "${ESC}"
-          printf '}\n'
-        } > "${TMP}" 2>/dev/null && mv "${TMP}" "${CACHE}" 2>/dev/null || rm -f "${TMP}" 2>/dev/null
-      fi
-    fi
-  fi
-
-  # 2. Read cache (whether freshly written or still valid).
-  [ -f "${CACHE}" ] || exit 0  # no cache, nothing to do — silent exit
-
-  C_LATEST="$(grep -E '"latest_tag"' "${CACHE}" 2>/dev/null | head -n1 | sed -E 's/.*"latest_tag"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/')"
-  C_DELTA="$(grep -E '"delta"' "${CACHE}" 2>/dev/null | head -n1 | sed -E 's/.*"delta"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/')"
-  # Allowlist-gate C_DELTA before it reaches any shell context (WR-04).
-  case "${C_DELTA:-}" in
-    major|minor|patch|off-cadence|none) : ;;
-    *) C_DELTA="unknown" ;;
-  esac
-  C_NEWER="$(grep -E '"is_newer"' "${CACHE}" 2>/dev/null | head -n1 | sed -E 's/.*"is_newer"[[:space:]]*:[[:space:]]*(true|false).*/\1/')"
-  C_BODY="$(grep -E '"changelog_excerpt"' "${CACHE}" 2>/dev/null | head -n1 | sed -E 's/.*"changelog_excerpt"[[:space:]]*:[[:space:]]*"(.*)".*/\1/' | sed -E 's/\\n/\n/g')"
-
-  # 3. Gate: if cache says not newer, remove any stale banner and exit.
-  if [ "${C_NEWER:-false}" != "true" ]; then
-    rm -f "${BANNER}" 2>/dev/null
-    exit 0
-  fi
-
-  # 4. Dismissal gate (D-13): if user already dismissed this exact tag, suppress.
-  DISMISSED="$(read_dismissed)"
-  if [ -n "${DISMISSED}" ] && [ "${DISMISSED}" = "${C_LATEST}" ]; then
-    rm -f "${BANNER}" 2>/dev/null
-    exit 0
-  fi
-
-  # 5. State-machine guard (D-11/D-12): suppress during plan|design|verify.
-  STAGE="$(read_state_stage)"
-  case "${STAGE}" in
-    plan|design|verify)
-      rm -f "${BANNER}" 2>/dev/null
-      exit 0
-      ;;
-  esac
-
-  # 6. All gates passed — render the banner atomically.
-  TMP="${BANNER}.tmp.$$"
-  {
-    printf '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n'
-    printf ' 📦 Plugin update: %s → %s (%s)\n' "${DISPLAY_CURRENT}" "${C_LATEST}" "${C_DELTA}"
-    if [ -n "${C_BODY}" ]; then
-      printf '%s\n' "${C_BODY}"
-    fi
-    printf ' Install: /gdd:update   Dismiss: /gdd:check-update --dismiss\n'
-    printf '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n'
-  } > "${TMP}" 2>/dev/null && mv "${TMP}" "${BANNER}" 2>/dev/null || rm -f "${TMP}" 2>/dev/null
-
-  exit 0
-fi
-# When sourced (BASH_SOURCE != $0), fall through with function definitions loaded
-# and without side effects. Sourcing callers must invoke functions explicitly.

package/scripts/lib/audit-aggregator/index.cjs

@@ -1,219 +0,0 @@
-/**
- * audit-aggregator/index.cjs — dedup + score + rank findings from N
- * audit-agents (Plan 23-04).
- *
- * Replaces the prompt-only "trust the agent's score" pattern with a
- * deterministic scoring + dedup function that downstream tooling
- * (`/gdd:audit`, `/gdd:reflect`) can rely on.
- *
- * Dedup key: `${lowercased(normalizePath(file))}::${line ?? 0}::${rule_id}`.
- * Survivor selection on collision:
- *   1. higher confidence wins
- *   2. tie → higher severity (P0 > P1 > P2 > P3)
- *   3. tie → lexicographically earliest agent
- *   4. tie → first-seen
- *
- * Score = severityWeight(severity) * confidence.
- *
- * No external deps. CommonJS to match the rest of scripts/lib/.
- */
-
-'use strict';
-
-const SEVERITY_RANK = { P0: 4, P1: 3, P2: 2, P3: 1 };
-const DEFAULT_WEIGHTS = Object.freeze({ P0: 8, P1: 4, P2: 2, P3: 1 });
-
-/**
- * @typedef {Object} Finding
- * @property {string} file
- * @property {number} [line]
- * @property {string} rule_id
- * @property {'P0'|'P1'|'P2'|'P3'} severity
- * @property {string} summary
- * @property {string} [evidence]
- * @property {string} [agent]
- * @property {number} [confidence]
- * @property {string[]} [merged_from]
- */
-
-/**
- * @typedef {Object} AggregateResult
- * @property {Finding[]} findings
- * @property {Object<string, number>} byRule
- * @property {Object<string, number>} bySeverity
- * @property {Object<string, number>} byFile
- * @property {number} total
- * @property {number} duplicates
- */
-
-/**
- * @typedef {Object} AggregateOptions
- * @property {number} [topN]
- * @property {Object<string, number>} [severityWeights]
- * @property {(a: Finding, b: Finding) => Finding} [merge]
- */
-
-function normalizePath(p) {
-  return String(p).replace(/\\/g, '/').toLowerCase();
-}
-
-let _confidenceWarningEmitted = false;
-
-function clampConfidence(c) {
-  if (c === undefined || c === null) return 1;
-  if (typeof c !== 'number' || Number.isNaN(c)) return 1;
-  if (c < 0) {
-    if (!_confidenceWarningEmitted) {
-      process.emitWarning('audit-aggregator: confidence < 0 clamped to 0', 'AuditAggregator');
-      _confidenceWarningEmitted = true;
-    }
-    return 0;
-  }
-  if (c > 1) {
-    if (!_confidenceWarningEmitted) {
-      process.emitWarning('audit-aggregator: confidence > 1 clamped to 1', 'AuditAggregator');
-      _confidenceWarningEmitted = true;
-    }
-    return 1;
-  }
-  return c;
-}
-
-/**
- * Compute score for a finding.
- *
- * @param {Finding} f
- * @param {Object<string, number>} weights
- * @returns {number}
- */
-function score(f, weights) {
-  const w = (weights && weights[f.severity]) ?? DEFAULT_WEIGHTS[f.severity] ?? 0;
-  return w * clampConfidence(f.confidence);
-}
-
-function validateFinding(f, idx) {
-  if (!f || typeof f !== 'object') {
-    throw new TypeError(`audit-aggregator: input[${idx}] is not an object`);
-  }
-  if (typeof f.file !== 'string' || f.file.length === 0) {
-    throw new TypeError(`audit-aggregator: input[${idx}].file is required (non-empty string)`);
-  }
-  if (typeof f.rule_id !== 'string' || f.rule_id.length === 0) {
-    throw new TypeError(`audit-aggregator: input[${idx}].rule_id is required (non-empty string)`);
-  }
-  if (!(f.severity in SEVERITY_RANK)) {
-    throw new TypeError(
-      `audit-aggregator: input[${idx}].severity must be P0|P1|P2|P3 (got ${JSON.stringify(f.severity)})`,
-    );
-  }
-}
-
-function dedupKey(f) {
-  return `${normalizePath(f.file)}::${f.line ?? 0}::${f.rule_id}`;
-}
-
-function defaultMerge(a, b) {
-  // Higher confidence wins.
-  const ca = clampConfidence(a.confidence);
-  const cb = clampConfidence(b.confidence);
-  if (ca !== cb) return ca > cb ? a : b;
-  // Higher severity wins.
-  const ra = SEVERITY_RANK[a.severity];
-  const rb = SEVERITY_RANK[b.severity];
-  if (ra !== rb) return ra > rb ? a : b;
-  // Lexicographic agent.
-  const aa = a.agent ?? '';
-  const ab = b.agent ?? '';
-  if (aa !== ab) return aa < ab ? a : b;
-  // First-seen wins (a is by convention the existing entry).
-  return a;
-}
-
-/**
- * Aggregate findings.
- *
- * @param {Finding[]} input
- * @param {AggregateOptions} [opts]
- * @returns {AggregateResult}
- */
-function aggregate(input, opts = {}) {
-  if (!Array.isArray(input)) {
-    throw new TypeError('audit-aggregator: input must be an array');
-  }
-  // Reset the once-per-call warning flag so a second call can warn again.
-  _confidenceWarningEmitted = false;
-  const merge = typeof opts.merge === 'function' ? opts.merge : defaultMerge;
-  const weights = { ...DEFAULT_WEIGHTS, ...(opts.severityWeights || {}) };
-
-  /** @type {Map<string, Finding>} */
-  const byKey = new Map();
-  let duplicates = 0;
-  for (let i = 0; i < input.length; i++) {
-    validateFinding(input[i], i);
-    const f = { ...input[i] };
-    const key = dedupKey(f);
-    if (byKey.has(key)) {
-      duplicates += 1;
-      const existing = byKey.get(key);
-      const winner = merge(existing, f);
-      const loser = winner === existing ? f : existing;
-      const mergedFrom = new Set(winner.merged_from || []);
-      if (existing.agent && existing !== winner) mergedFrom.add(existing.agent);
-      if (loser.agent && loser !== winner) mergedFrom.add(loser.agent);
-      // Combine prior merged_from too.
-      for (const a of (loser.merged_from || [])) mergedFrom.add(a);
-      winner.merged_from = Array.from(mergedFrom);
-      byKey.set(key, winner);
-    } else {
-      byKey.set(key, f);
-    }
-  }
-
-  const findings = Array.from(byKey.values()).map((f) => ({ ...f, _score: score(f, weights) }));
-  findings.sort((a, b) => {
-    if (a._score !== b._score) return b._score - a._score;
-    const ra = SEVERITY_RANK[a.severity];
-    const rb = SEVERITY_RANK[b.severity];
-    if (ra !== rb) return rb - ra;
-    if (a.file !== b.file) return a.file < b.file ? -1 : 1;
-    return (a.line ?? 0) - (b.line ?? 0);
-  });
-  // Strip the internal _score field before returning.
-  for (const f of findings) delete f._score;
-
-  const truncated = typeof opts.topN === 'number' && opts.topN >= 0
-    ? findings.slice(0, opts.topN)
-    : findings;
-
-  /** @type {Record<string, number>} */
-  const byRule = {};
-  /** @type {Record<string, number>} */
-  const bySeverity = { P0: 0, P1: 0, P2: 0, P3: 0 };
-  /** @type {Record<string, number>} */
-  const byFile = {};
-  for (const f of truncated) {
-    byRule[f.rule_id] = (byRule[f.rule_id] ?? 0) + 1;
-    bySeverity[f.severity] += 1;
-    const k = normalizePath(f.file);
-    byFile[k] = (byFile[k] ?? 0) + 1;
-  }
-
-  return {
-    findings: truncated,
-    byRule,
-    bySeverity,
-    byFile,
-    total: truncated.length,
-    duplicates,
-  };
-}
-
-module.exports = {
-  aggregate,
-  score,
-  normalizePath,
-  dedupKey,
-  defaultMerge,
-  DEFAULT_WEIGHTS,
-  SEVERITY_RANK,
-};