@jigyasudham/veto 0.8.0

package/dist/agents/workflow/git-agent.js

@@ -0,0 +1,52 @@
+export function plan(task, context) {
+    const t = (task + ' ' + (context ?? '')).toLowerCase();
+    const isMerge = t.includes('merge') || t.includes('conflict') || t.includes('rebase');
+    const isPR = t.includes('pull request') || t.includes('pr') || t.includes('review');
+    const isCommit = t.includes('commit') || t.includes('stage') || t.includes('message');
+    const approach = isMerge
+        ? 'Resolve merge conflicts by understanding what both sides intended, not just what they changed. Read both versions, understand the goal of each change, then write a resolution that preserves both intentions. Never resolve a conflict by picking one side blindly.'
+        : isPR
+            ? 'Structure the PR to make review fast: one clear title (what changed), a summary paragraph (why), a numbered list of changes (what files/functions), and a test plan. Small PRs merge faster than large ones — if the PR touches more than 10 files, split it.'
+            : isCommit
+                ? 'Write commit messages that explain WHY, not what. The diff shows what changed. The commit message tells future maintainers why. Format: imperative verb subject (50 chars), blank line, body if needed (72 chars per line).'
+                : 'Execute the git operation safely. For destructive operations (reset --hard, force push, branch delete): state the exact command and its consequences before running. Never force-push a shared branch without explicit instruction.';
+    return {
+        agent: 'git-agent',
+        task,
+        tier: 1,
+        approach,
+        steps: [
+            'Identify the git operation needed: commit, branch, merge, rebase, tag, PR',
+            'For destructive operations: state what will be lost and confirm before running',
+            'For commits: stage only the relevant files — never git add -A blindly',
+            'Write a commit message: imperative verb, 50 char subject, body if needed',
+            'For merges: read both sides of each conflict before resolving',
+            'For PRs: title (what), summary (why), change list (how), test plan',
+            'For branch cleanup: verify the branch is fully merged before deleting',
+            'For rebases: ensure the branch is not shared with others before rewriting history',
+        ],
+        checklist: [
+            '[ ] No accidental files staged (check git diff --staged before committing)',
+            '[ ] Commit message is imperative and explains WHY',
+            '[ ] No force-push to shared branches without explicit instruction',
+            '[ ] Merge conflicts resolved by understanding intent, not picking one side',
+            '[ ] Branch verified as merged before deletion',
+            '[ ] .env, credentials, and secrets not included in staged files',
+        ],
+        pitfalls: [
+            'git add -A without reviewing what is staged — accidentally commits secrets or build artifacts',
+            'Commit messages that describe what the diff shows — useless to future maintainers',
+            'Force-pushing a branch others have cloned — rewrites their history',
+            'Resolving merge conflicts by always taking "ours" — loses the other branch\'s intent',
+            'Deleting a branch before verifying it is merged — loses work',
+        ],
+        patterns: [
+            'Why-first commit messages: the diff shows what; the message explains why',
+            'Surgical staging: add specific files, not directories, to keep commits atomic',
+            'Pre-commit diff review: git diff --staged before every commit to catch surprises',
+            'Branch lifecycle: feature → PR → merge → delete (never skip the verify-merged step)',
+        ],
+        duration_estimate: '15-45 minutes',
+    };
+}
+//# sourceMappingURL=git-agent.js.map

package/dist/agents/workflow/reporter.js

@@ -0,0 +1,48 @@
+export function plan(task, context) {
+    const t = (task + ' ' + (context ?? '')).toLowerCase();
+    const isSession = t.includes('session') || t.includes('summary') || t.includes('what was done');
+    const isStatus = t.includes('status') || t.includes('progress') || t.includes('where are we');
+    const approach = isSession
+        ? 'Produce a session summary: what was accomplished, what decisions were made, what is next. Structure: one-sentence headline, bullet list of completed work, bullet list of open items, single next action. Optimised for someone picking up this work cold — they should need to read nothing else.'
+        : isStatus
+            ? 'Produce a status report: current phase, percent complete, what is blocking progress, and the next milestone. Include a risk flag if any blocker has been open for more than one session.'
+            : 'Produce the appropriate report for this context. Default to the session summary format: headline, completed, open, next action.';
+    return {
+        agent: 'reporter',
+        task,
+        tier: 1,
+        approach,
+        steps: [
+            'Identify what type of report is needed: session summary, status report, or decision log',
+            'Collect the facts: what was completed, what decisions were made, what is open',
+            'Write the headline: one sentence that captures the most important thing',
+            'List completed work as bullet points — specific, verifiable ("Auth middleware passing all tests")',
+            'List open items with priority order',
+            'Identify blockers: anything that prevents progress without human input',
+            'State the single next action as a concrete step',
+            'Save to session via veto_session_save if this report closes a work session',
+        ],
+        checklist: [
+            '[ ] Headline captures the most important single thing',
+            '[ ] Completed items are specific and verifiable',
+            '[ ] Open items are prioritised',
+            '[ ] Blockers are explicitly named',
+            '[ ] Next action is a single concrete step',
+            '[ ] Report saved if it closes a session',
+        ],
+        pitfalls: [
+            'Vague completed items ("worked on auth") — not verifiable, not useful',
+            'Listing everything instead of prioritising — buries the important items',
+            'No next action — the person reading the report cannot resume without re-reading everything',
+            'Including implementation details the reader does not need — reports should be scannable in 30 seconds',
+        ],
+        patterns: [
+            'Headline-first: the most important thing should be visible without scrolling',
+            'Scannable structure: headline → done → open → blockers → next — in that order',
+            'One next action: multiple next actions means no prioritisation has happened',
+            'Cold-start test: can someone who has not seen this work pick up where you left off from this report alone?',
+        ],
+        duration_estimate: '10-20 minutes',
+    };
+}
+//# sourceMappingURL=reporter.js.map

package/dist/agents/workflow/search-agent.js

@@ -0,0 +1,39 @@
+export function plan(task, context) {
+    return {
+        agent: 'search-agent',
+        task,
+        tier: 1,
+        approach: 'Search the codebase efficiently by starting with the most specific query and widening only if needed. Check veto_project_map_get first — if the answer is in the project map, no filesystem scan is needed. For symbol search: grep for the exact name. For concept search: grep for 2-3 keywords likely to co-occur. For file discovery: use glob patterns. Never read entire files when a targeted search suffices.',
+        steps: [
+            'Call veto_project_map_get — check if the answer is already in the project map',
+            'If the query is a symbol (function name, class, variable): grep for the exact name',
+            'If the query is a concept: identify 2–3 keywords likely to co-occur in the relevant code',
+            'Grep for keywords with file type filter (e.g. *.ts) to reduce noise',
+            'Read only the matching sections, not entire files',
+            'If nothing found: try synonyms or broader terms',
+            'If still nothing: scan the directory structure for a likely home',
+            'Update veto_project_map_update if the search revealed a gap in the map',
+        ],
+        checklist: [
+            '[ ] Project map checked before any filesystem scan',
+            '[ ] Exact symbol name tried before broad keyword search',
+            '[ ] File type filter applied to grep to reduce noise',
+            '[ ] Only matching sections read, not whole files',
+            '[ ] Project map updated if a previously unknown file was found',
+        ],
+        pitfalls: [
+            'Reading entire files to find one function — wastes context tokens',
+            'Searching without a file type filter — finds matches in node_modules and dist',
+            'Using a broad term as the first query — too many false positives',
+            'Not checking the project map first — may already have the answer',
+        ],
+        patterns: [
+            'Specific-first search: exact symbol → keywords → directory scan',
+            'Context-budgeted reading: read the matching section plus 10 lines of context, not the whole file',
+            'Map-first navigation: the project map is faster than a filesystem scan for known files',
+            'Synonym expansion: if the first query returns nothing, try 2-3 synonyms before giving up',
+        ],
+        duration_estimate: '5-20 minutes',
+    };
+}
+//# sourceMappingURL=search-agent.js.map

package/dist/agents/workflow/task-coordinator.js

@@ -0,0 +1,40 @@
+export function plan(task, context) {
+    return {
+        agent: 'task-coordinator',
+        task,
+        tier: 2,
+        approach: 'Coordinate multi-agent execution: assign tasks to the right worker agents, run independent tasks in parallel via veto_execute_parallel, collect results, reconcile conflicts, and assemble the final output. The coordinator does not do the work — it routes, monitors, and assembles.',
+        steps: [
+            'Receive the task plan from task-planner (or build one if not provided)',
+            'For each task: identify the best worker agent (coder, tester, security-scanner, etc.)',
+            'Group independent tasks that can run in parallel',
+            'Submit parallel group via veto_execute_parallel',
+            'Wait for results — check each result for errors before proceeding',
+            'If a parallel task fails: decide whether to retry, skip, or block the dependent tasks',
+            'Submit the next sequential task or parallel group based on dependency order',
+            'Collect all results and check for conflicts (two agents modify the same file)',
+            'Resolve conflicts: the higher-priority agent wins, or escalate to the human',
+            'Assemble the final output and save the session checkpoint',
+        ],
+        checklist: [
+            '[ ] Each task assigned to the correct worker agent',
+            '[ ] Independent tasks submitted to veto_execute_parallel',
+            '[ ] Each result checked for errors before triggering dependents',
+            '[ ] Conflicts identified and resolved',
+            '[ ] Final session saved via veto_session_save',
+        ],
+        pitfalls: [
+            'Running all tasks sequentially when most could be parallel — wastes time',
+            'Ignoring errors in parallel results and proceeding to dependent tasks — cascading failures',
+            'Assigning the wrong agent type — a coder reviewing security is worse than no review',
+            'Not saving progress after each parallel batch — a failure loses all intermediate work',
+        ],
+        patterns: [
+            'Batch-and-wait: submit all independent tasks in one veto_execute_parallel call, then process results before the next batch',
+            'Fail-fast on blockers: if a critical task fails, stop and report rather than continuing with invalid state',
+            'Agent specialisation: always use the most specific agent available for each task type',
+        ],
+        duration_estimate: '30-90 minutes',
+    };
+}
+//# sourceMappingURL=task-coordinator.js.map

package/dist/agents/workflow/task-planner.js

@@ -0,0 +1,46 @@
+export function plan(task, context) {
+    return {
+        agent: 'task-planner',
+        task,
+        tier: 2,
+        approach: 'Decompose the goal into a concrete, ordered task list where each task is independently completable in 1–4 hours. The output is not a project plan — it is the immediate next N tasks in execution order, each with a clear acceptance criterion. Identify which tasks can run in parallel and which are sequential dependencies.',
+        steps: [
+            'State the goal in one sentence — if you cannot, the goal needs clarifying first',
+            'Identify all constraints: blocked by X, requires Y to exist first, cannot touch Z',
+            'List all deliverables: what files, APIs, tests, or docs must exist when done?',
+            'Break deliverables into tasks of 1–4 hours each — nothing larger',
+            'For each task: write one acceptance criterion ("done when X passes" or "done when Y returns Z")',
+            'Identify dependencies: which tasks must complete before others can start?',
+            'Group independent tasks — these can run in parallel via veto_execute_parallel',
+            'Order the dependent tasks: what is the critical path?',
+            'Identify the single highest-risk task and put it first — fail fast',
+            'Save the task plan via veto_session_save so it survives context switches',
+        ],
+        checklist: [
+            '[ ] Goal stated in one sentence',
+            '[ ] All constraints identified',
+            '[ ] Tasks are 1–4 hours each',
+            '[ ] Every task has an acceptance criterion',
+            '[ ] Dependencies mapped — no implicit ordering',
+            '[ ] Parallel tasks identified',
+            '[ ] Critical path identified',
+            '[ ] Highest-risk task is first',
+            '[ ] Plan saved via veto_session_save',
+        ],
+        pitfalls: [
+            'Tasks too large ("implement auth") — cannot track progress or parallelize',
+            'Tasks too small ("add semicolon") — overhead exceeds value',
+            'Missing acceptance criteria — "done" is subjective without them',
+            'Not identifying blockers upfront — a hidden blocker discovered mid-task stops everything',
+            'Putting the risky unknown task last — you should fail fast, not late',
+        ],
+        patterns: [
+            'Risk-first ordering: the most uncertain task goes first so you discover problems early',
+            'Acceptance-criteria-first: write the criterion before the task to clarify what done means',
+            'Parallel identification: tasks with no shared outputs can always run concurrently',
+            'Four-hour rule: if a task cannot be completed in 4 hours, it contains hidden complexity — split it',
+        ],
+        duration_estimate: '30-60 minutes',
+    };
+}
+//# sourceMappingURL=task-planner.js.map

package/dist/cli.js

@@ -0,0 +1,132 @@
+#!/usr/bin/env node
+// Veto CLI — entry point for `npx veto init`
+// Suppress Node experimental warnings (node:sqlite) for clean UX
+process.removeAllListeners('warning');
+import { mkdirSync, existsSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { homedir } from 'node:os';
+import { fileURLToPath } from 'node:url';
+const VERSION = '0.8.0';
+const VETO_DIR = join(homedir(), '.veto');
+// Simple inline colors (no chalk needed for the init wizard to avoid ESM issues)
+const c = {
+    bold: (s) => `\x1b[1m${s}\x1b[0m`,
+    green: (s) => `\x1b[32m${s}\x1b[0m`,
+    yellow: (s) => `\x1b[33m${s}\x1b[0m`,
+    cyan: (s) => `\x1b[36m${s}\x1b[0m`,
+    dim: (s) => `\x1b[2m${s}\x1b[0m`,
+    red: (s) => `\x1b[31m${s}\x1b[0m`,
+};
+function printBanner() {
+    console.log('');
+    console.log(c.bold(c.cyan('  ██╗   ██╗███████╗████████╗ ██████╗')));
+    console.log(c.bold(c.cyan('  ██║   ██║██╔════╝╚══██╔══╝██╔═══██╗')));
+    console.log(c.bold(c.cyan('  ██║   ██║█████╗     ██║   ██║   ██║')));
+    console.log(c.bold(c.cyan('  ╚██╗ ██╔╝██╔══╝     ██║   ██║   ██║')));
+    console.log(c.bold(c.cyan('   ╚████╔╝ ███████╗   ██║   ╚██████╔╝')));
+    console.log(c.bold(c.cyan('    ╚═══╝  ╚══════╝   ╚═╝    ╚═════╝')));
+    console.log('');
+    console.log(c.dim(`  50 agents. 28 skills. 3 AIs. Self-learning. Zero extra cost.`));
+    console.log(c.dim(`  v${VERSION}`));
+    console.log('');
+}
+async function initCommand() {
+    printBanner();
+    // 1. Create ~/.veto directory
+    if (!existsSync(VETO_DIR)) {
+        mkdirSync(VETO_DIR, { recursive: true });
+        console.log(c.green('  ✓') + ` Created ${VETO_DIR}`);
+    }
+    else {
+        console.log(c.dim('  · ') + `Found existing ${VETO_DIR}`);
+    }
+    // 2. Initialize SQLite database (imports local.ts which auto-creates tables)
+    process.stdout.write('  · Initializing SQLite database...');
+    const { getDb, getDbPath, saveSession } = await import('./memory/local.js');
+    try {
+        const db = getDb();
+        const dbPath = getDbPath();
+        // Smoke test: save + retrieve a test session
+        const { session_id } = saveSession({
+            platform: 'claude',
+            summary: 'Veto initialized',
+            context: 'Initial setup via npx veto init',
+        });
+        const row = db.prepare('SELECT id FROM sessions WHERE id = ?').get(session_id);
+        if (!row)
+            throw new Error('DB smoke test failed');
+        // Clean up test row
+        db.prepare('DELETE FROM sessions WHERE id = ?').run(session_id);
+        console.log(c.green(' ✓'));
+        console.log(c.green('  ✓') + ` Database ready at ${dbPath}`);
+    }
+    catch (err) {
+        console.log(c.red(' ✗'));
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(c.red(`  Error initializing database: ${msg}`));
+        process.exit(1);
+    }
+    // 3. Print Claude Code config snippet
+    // Point to server.js (the MCP server), not cli.js (the init wizard)
+    const cliFile = fileURLToPath(import.meta.url);
+    const distDir = dirname(cliFile);
+    const serverPath = join(distDir, 'server.js').replace(/\\/g, '/');
+    console.log('');
+    console.log(c.bold('  ┌─ Add Veto to your AI CLI or IDE ───────────────────────────────┐'));
+    console.log(c.bold('  │') + '                                                                ' + c.bold('│'));
+    console.log(c.bold('  │') + '  Config file locations:                                        ' + c.bold('│'));
+    console.log(c.bold('  │') + '                                                                ' + c.bold('│'));
+    console.log(c.bold('  │') + c.dim('  Claude Code  →  ~/.claude/mcp_servers.json') + '                   ' + c.bold('│'));
+    console.log(c.bold('  │') + c.dim('  Gemini CLI   →  ~/.gemini/settings.json') + '                      ' + c.bold('│'));
+    console.log(c.bold('  │') + c.dim('  Codex CLI    →  ~/.codex/config.json') + '                         ' + c.bold('│'));
+    console.log(c.bold('  │') + c.dim('  Cursor       →  ~/.cursor/mcp.json') + '                           ' + c.bold('│'));
+    console.log(c.bold('  │') + c.dim('  Windsurf     →  ~/.codeium/windsurf/mcp_config.json') + '           ' + c.bold('│'));
+    console.log(c.bold('  │') + '                                                                ' + c.bold('│'));
+    console.log(c.bold('  │') + '  Claude / Gemini / Codex / Cursor / Windsurf:                  ' + c.bold('│'));
+    console.log(c.bold('  │') + '                                                                ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('  {') + '                                                           ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('    "mcpServers": {') + '                                            ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('      "veto": {') + '                                               ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('        "command": "node",') + '                                    ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan(`        "args": ["${serverPath}"]`) + '              ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('      }') + '                                                       ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('    }') + '                                                         ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('  }') + '                                                           ' + c.bold('│'));
+    console.log(c.bold('  │') + '                                                                ' + c.bold('│'));
+    console.log(c.bold('  │') + '  VS Code → .vscode/mcp.json:                                   ' + c.bold('│'));
+    console.log(c.bold('  │') + '                                                                ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('  {') + '                                                           ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('    "servers": {') + '                                              ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('      "veto": {') + '                                               ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('        "type": "stdio",') + '                                      ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('        "command": "node",') + '                                    ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan(`        "args": ["${serverPath}"]`) + '              ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('      }') + '                                                       ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('    }') + '                                                         ' + c.bold('│'));
+    console.log(c.bold('  │') + c.cyan('  }') + '                                                           ' + c.bold('│'));
+    console.log(c.bold('  │') + '                                                                ' + c.bold('│'));
+    console.log(c.bold('  └────────────────────────────────────────────────────────────────┘'));
+    console.log('');
+    console.log(c.green('  ✓ Veto is ready!'));
+    console.log('');
+    console.log('  Next steps:');
+    console.log(c.dim('  1.') + ' Add the config above to your AI CLI or IDE config file');
+    console.log(c.dim('  2.') + ' Restart the CLI or IDE');
+    console.log(c.dim('  3.') + ' Run: veto_status  — should return { "status": "running", "version": "0.8.0" }');
+    console.log('');
+}
+// ─── Router ────────────────────────────────────────────────────────────────────
+const command = process.argv[2] ?? 'init';
+switch (command) {
+    case 'init':
+        initCommand().catch((err) => {
+            console.error(c.red(`Error: ${err.message}`));
+            process.exit(1);
+        });
+        break;
+    default:
+        console.error(`Unknown command: ${command}`);
+        console.log('Usage: veto init');
+        process.exit(1);
+}
+//# sourceMappingURL=cli.js.map

package/dist/council/decision-engine.js

@@ -0,0 +1,136 @@
+export function decide(votes) {
+    const entries = [
+        ['Lead Developer', votes.lead_dev],
+        ['Product Manager', votes.pm],
+        ['System Architect', votes.architect],
+        ['UX Designer', votes.ux],
+        ["Devil's Advocate", votes.devil],
+        ['Legal & Compliance', votes.legal],
+        ['Security', votes.security],
+    ];
+    // Expert agents — their block is always RED regardless of other votes
+    const CRITICAL = new Set(['Lead Developer', 'System Architect', 'Legal & Compliance', 'Security']);
+    const blockers = entries.filter(([, v]) => v.verdict === 'block');
+    const warners = entries.filter(([, v]) => v.verdict === 'warn');
+    const approvers = entries.filter(([, v]) => v.verdict === 'approve');
+    const criticalBlockers = blockers.filter(([name]) => CRITICAL.has(name));
+    const secondaryBlockers = blockers.filter(([name]) => !CRITICAL.has(name));
+    const criticalApprovers = approvers.filter(([name]) => CRITICAL.has(name));
+    const block_reasons = blockers.map(([, v]) => v.reason);
+    const warnings = [
+        ...blockers.flatMap(([, v]) => v.concerns),
+        ...warners.map(([, v]) => v.reason),
+        ...warners.flatMap(([, v]) => v.concerns),
+    ].filter((w) => typeof w === 'string' && w.length > 0);
+    let final_verdict;
+    if (criticalBlockers.length >= 1) {
+        // Any expert domain agent blocks → RED, no debate
+        final_verdict = 'RED';
+    }
+    else if (secondaryBlockers.length >= 2 && criticalApprovers.length >= 2) {
+        // Business/UX objections vs technical approval — genuine split
+        final_verdict = 'DEADLOCK';
+    }
+    else if (secondaryBlockers.length >= 1 || warners.length >= 1) {
+        // At least one concern but no hard expert block
+        final_verdict = 'YELLOW';
+    }
+    else {
+        final_verdict = 'GREEN';
+    }
+    const recommendations = [
+        ...blockers.map(([, v]) => v.recommendation).filter(Boolean),
+        ...warners.map(([, v]) => v.recommendation).filter(Boolean),
+    ];
+    const recommended = recommendations.length > 0
+        ? recommendations[0]
+        : 'Proceed with standard implementation best practices.';
+    return { final_verdict, block_reasons, warnings, recommended };
+}
+export function formatDebate(task, votes, verdict, block_reasons, warnings, recommended) {
+    const AGENT_ICONS = {
+        lead_dev: '🔵',
+        pm: '🟢',
+        architect: '🏛️ ',
+        ux: '🎨',
+        devil: '😈',
+        legal: '⚖️ ',
+        security: '🔒',
+    };
+    const AGENT_LABELS = {
+        lead_dev: 'Lead Dev:  ',
+        pm: 'PM:        ',
+        architect: 'Architect: ',
+        ux: 'UX:        ',
+        devil: 'Devil:     ',
+        legal: 'Legal:     ',
+        security: 'Security:  ',
+    };
+    const VERDICT_BADGE = {
+        block: '[BLOCKING]',
+        warn: '[WARN]',
+        approve: '[APPROVE]',
+    };
+    const VERDICT_LINE = {
+        GREEN: '✅ VERDICT: GREEN — All clear. Proceed.',
+        YELLOW: '⚠️  VERDICT: YELLOW — Proceed with caution.',
+        RED: '🚫 VERDICT: RED — BLOCKED.',
+        DEADLOCK: '⚖️  VERDICT: DEADLOCK — Council is split. You decide.',
+    };
+    const divider = '─'.repeat(54);
+    const lines = [
+        '',
+        '⚠️  VETO COUNCIL INITIATED',
+        divider,
+        '',
+    ];
+    const keys = ['lead_dev', 'pm', 'architect', 'ux', 'devil', 'legal', 'security'];
+    for (const key of keys) {
+        const vote = votes[key];
+        const icon = AGENT_ICONS[key];
+        const label = AGENT_LABELS[key];
+        const badge = VERDICT_BADGE[vote.verdict];
+        const prefix = `${icon} ${label}`;
+        const indent = '             ';
+        const shortReason = vote.reason.length > 46 ? vote.reason.slice(0, 43) + '...' : vote.reason;
+        lines.push(`${prefix}${shortReason} ${badge}`);
+        for (const concern of vote.concerns.slice(0, 2)) {
+            const short = concern.length > 46 ? concern.slice(0, 43) + '...' : concern;
+            lines.push(`${indent}↳ ${short}`);
+        }
+    }
+    lines.push('');
+    lines.push(divider);
+    lines.push(VERDICT_LINE[verdict]);
+    lines.push('');
+    if (block_reasons.length > 0) {
+        lines.push('🚫 Blocked because:');
+        for (const r of block_reasons) {
+            lines.push(`   • ${r}`);
+        }
+        lines.push('');
+    }
+    if (warnings.length > 0) {
+        const shown = warnings.slice(0, 4);
+        const extra = warnings.length - shown.length;
+        lines.push(`⚠️  Warning${warnings.length > 1 ? 's' : ''}:`);
+        for (const w of shown) {
+            lines.push(`   • ${w}`);
+        }
+        if (extra > 0)
+            lines.push(`   • ...and ${extra} more`);
+        lines.push('');
+    }
+    lines.push(`✅ Recommended: ${recommended}`);
+    if (verdict === 'RED') {
+        lines.push('');
+        lines.push('Override with: proceed anyway [not recommended]');
+    }
+    else if (verdict === 'DEADLOCK') {
+        lines.push('');
+        lines.push('Council is split. Your call: [proceed / abort]');
+    }
+    lines.push('');
+    return lines.join('\n');
+}
+//# sourceMappingURL=decision-engine.js.map

package/dist/council/devil-advocate.js

@@ -0,0 +1,106 @@
+// Devil always warns — never alone blocks, never approves non-trivial tasks
+const PROBES = [
+    {
+        pattern: /auth|login|password|session|jwt|oauth/i,
+        concern: "What happens when auth fails at 2AM? Lockout policy? Account recovery flow?",
+        recommendation: 'Rate-limit auth endpoints. Lock after N failures. Build recovery email flow.',
+    },
+    {
+        pattern: /payment|charge|billing|stripe|invoice|subscription/i,
+        concern: "Idempotency keys? Double-charge prevention? What happens when payment webhook retries?",
+        recommendation: 'Idempotency keys on all payment mutations. Handle webhook duplicates explicitly.',
+    },
+    {
+        pattern: /deploy|release|rollout|push.{0,15}(prod|main|master)/i,
+        concern: "Rollback procedure if this deploy breaks production? How fast can you revert?",
+        recommendation: 'Document rollback runbook before deploying. Consider feature flag as kill switch.',
+    },
+    {
+        pattern: /migrat|schema.?change|alter.?table|add.{0,10}column/i,
+        concern: "Tested down-migration exists? What if this runs mid-traffic on prod?",
+        recommendation: 'Test down-migration on a copy. Use zero-downtime migration patterns (expand/contract).',
+    },
+    {
+        pattern: /\bcache\b|\bredis\b/i,
+        concern: "Cache stampede on cold start? Cache poisoning from bad writes? Invalidation race?",
+        recommendation: 'Probabilistic early expiry prevents stampede. Lock on cache miss for hot keys.',
+    },
+    {
+        pattern: /email|notification|sms|push.?notif/i,
+        concern: "Delivery failure handled? Retry queue? Duplicate notification prevention?",
+        recommendation: 'Add retry queue with exponential backoff. Idempotency key per notification.',
+    },
+    {
+        pattern: /webhook|callback.?url/i,
+        concern: "Webhook replay attacks? Signature verification? What if your handler is slow?",
+        recommendation: 'Verify webhook signatures. Respond 200 immediately, process async.',
+    },
+    {
+        pattern: /\bapi\b|endpoint|http.?client|fetch|axios/i,
+        concern: "External API goes down? Timeout set? Circuit breaker? Fallback behavior?",
+        recommendation: 'Set explicit timeout (3-5s). Circuit breaker for critical external deps.',
+    },
+    {
+        pattern: /file|upload|s3|blob|storage|bucket/i,
+        concern: "Partial upload failure? Storage quota? File type validation before processing?",
+        recommendation: 'Handle partial failures. Alert at 80% storage. Validate file type + scan for malware.',
+    },
+    {
+        pattern: /cron|schedule|job|queue|worker/i,
+        concern: "Job fails silently? Duplicate concurrent runs? Stuck job detection?",
+        recommendation: 'Log all job outcomes. Prevent concurrent runs with distributed lock. Set max duration.',
+    },
+    {
+        pattern: /third.?party|external.{0,15}service|vendor|sdk/i,
+        concern: "Vendor going down? SDK breaking changes? Data you do not control changing format?",
+        recommendation: 'Wrap in adapter layer. Monitor third-party SLA separately. Pin SDK version.',
+    },
+    {
+        pattern: /delete|remove|drop|destroy|purge/i,
+        concern: "Is this reversible? Backup before? What if it runs against wrong environment?",
+        recommendation: 'Soft-delete first (add deleted_at). Hard-delete only after confirmed safe.',
+    },
+    {
+        pattern: /rate.?limit|throttle/i,
+        concern: "What happens when the rate limit is hit? User notified clearly? Retry-After header?",
+        recommendation: 'Return 429 with Retry-After. Show clear user message. Log for monitoring.',
+    },
+    {
+        pattern: /concurren|parallel|race.?condition|mutex|lock/i,
+        concern: "Race condition under concurrent requests? Lock contention under load?",
+        recommendation: 'Test with concurrent load. Use optimistic locking or distributed mutex.',
+    },
+    {
+        pattern: /secret|key|token|credential|api.?key/i,
+        concern: "Rotation strategy? What if this key leaks? Who has access and is it logged?",
+        recommendation: 'Rotate keys on schedule. Audit access logs. Use short-lived tokens where possible.',
+    },
+];
+const GENERIC = {
+    concern: "What is the failure mode here? What breaks at 2AM on a Sunday with no one watching?",
+    recommendation: 'Add monitoring, alerting, and a runbook for when this breaks.',
+};
+const TRIVIAL = /^(rename|fix typo|reorder|reformat|format code|update comment|add comment)\b/i;
+export function analyze(task) {
+    if (TRIVIAL.test(task.trim())) {
+        return { verdict: 'approve', reason: 'Trivial change — no failure modes to probe.', concerns: [] };
+    }
+    const matched = [];
+    for (const probe of PROBES) {
+        if (probe.pattern.test(task)) {
+            matched.push({ concern: probe.concern, recommendation: probe.recommendation });
+        }
+    }
+    // Devil always raises at least one concern for non-trivial tasks
+    if (matched.length === 0) {
+        matched.push(GENERIC);
+    }
+    const top = matched.slice(0, 3); // cap at 3 concerns to avoid flooding
+    return {
+        verdict: 'warn',
+        reason: top[0].concern,
+        concerns: top.slice(1).map(m => m.concern),
+        recommendation: top.map(m => m.recommendation).join(' | '),
+    };
+}
+//# sourceMappingURL=devil-advocate.js.map

package/dist/council/index.js

@@ -0,0 +1,37 @@
+// Council orchestrator — runs all 7 agents in parallel, returns debate result
+import { analyze as leadDevAnalyze } from './lead-developer.js';
+import { analyze as pmAnalyze } from './product-manager.js';
+import { analyze as architectAnalyze } from './system-architect.js';
+import { analyze as uxAnalyze } from './ux-designer.js';
+import { analyze as devilAnalyze } from './devil-advocate.js';
+import { analyze as legalAnalyze } from './legal-compliance.js';
+import { analyze as securityAnalyze } from './security.js';
+import { decide, formatDebate } from './decision-engine.js';
+export async function runDebate(input) {
+    const fullText = input.context ? `${input.task}\n${input.context}` : input.task;
+    // All 7 agents run in parallel — none depend on each other
+    const [lead_dev, pm, architect, ux, devil, legal, security] = await Promise.all([
+        Promise.resolve(leadDevAnalyze(fullText)),
+        Promise.resolve(pmAnalyze(fullText)),
+        Promise.resolve(architectAnalyze(fullText)),
+        Promise.resolve(uxAnalyze(fullText)),
+        Promise.resolve(devilAnalyze(fullText)),
+        Promise.resolve(legalAnalyze(fullText)),
+        Promise.resolve(securityAnalyze(fullText)),
+    ]);
+    const votes = { lead_dev, pm, architect, ux, devil, legal, security };
+    const { final_verdict, block_reasons, warnings, recommended } = decide(votes);
+    const debated_at = new Date().toISOString();
+    const formatted_output = formatDebate(input.task, votes, final_verdict, block_reasons, warnings, recommended);
+    return {
+        task: input.task,
+        final_verdict,
+        votes,
+        recommended,
+        block_reasons,
+        warnings,
+        debated_at,
+        formatted_output,
+    };
+}
+//# sourceMappingURL=index.js.map